How do I upload SSL certificates for my Classic Load Balancer to prevent clients from receiving “untrusted certificate” errors?

Last updated: 2020-12-03

A client SSL/TLS connection to my Classic Load Balancer fails with an error message similar to the following:

  • "The security certificate presented by this website was not issued by a trusted certificate authority."
  • "example.com uses an invalid security certificate. The certificate is not trusted because the issuer certificate is unknown."
  • "example.com uses an invalid security certificate. The certificate is not trusted because it is self signed."

I also encounter errors when attempting to upload SSL/TLS certificates to my Classic Load Balancer. How can I fix this?

Short description

If you use HTTPS/SSL listeners for your Classic Load Balancer, you must install an SSL certificate. Installing an SSL certificate allows your Classic Load Balancer to terminate SSL/TLS client connections.

The SSL certificate has a validity period. You must replace the certificate before its validity period ends. To replace the certificate, you must create and upload a new certificate.

If the intermediate certificate chain isn't uploaded for use by your load balancer, then the web client might fail to validate your certificate. You can use the openssl s_client command to determine whether the intermediate certificate chain is uploaded to the AWS Identity and Access Management (IAM) service. The s_client command implements a generic SSL/TLS client that connects to a remote host using SSL/TLS. If the command openssl s_client -showcerts -connect www.domain.com:443 returns "Verify return code: 21 (unable to verify the first certificate)", then the intermediate certificate chain is missing.

If the command openssl s_client -showcerts -connect www.domain.com:443 returns "Verify return code: 0 (ok)", then the certificate upload is successful.

Errors you might encounter when uploading SSL certificates typically fall into one of the following categories:

  • Uploading certificate files or copying and pasting certificates that contain extra white space
  • Uploading certificate files or copying and pasting certificates that don't start with "-----BEGIN CERTIFICATE-----" and end with "-----END CERTIFICATE-----"
  • Invalid public key errors
  • Invalid private key errors
  • Cipher suite or key issues

Resolution

To resolve untrusted certificate errors, upload an SSL certificate for your load balancer. Also, be sure to replace the certificate before its validity period ends.

With AWS Certificate Manager (ACM), you can create, import, and manage SSL/TLS certificates. IAM supports importing and deploying server certificates. ACM is the preferred tool to provision, manage, and deploy your server certificates.

To troubleshoot errors encountered when uploading SSL certificates, follow these guidelines:

  • Complete the prerequisites for importing certificates.
  • If you're using IAM to upload the certificate, follow the steps to upload a server certificate (AWS API).
  • If you're using ACM to import the certificate, follow the steps to import a certificate.
  • Confirm that the certificate does not contain extra white space.
  • Confirm that the certificate starts with "-----BEGIN CERTIFICATE-----" and ends with "-----END CERTIFICATE-----".
  • If an error message indicates that the public key certificate is invalid, then it's likely that either the public key certificate or the certificate chain is invalid. If the certificate uploads successfully without the certificate chain, then the certificate chain is invalid. Otherwise, the public key certificate is invalid.

If the public key certificate is invalid:

  • Confirm that the public key certificate is in the X.509 PEM format.
  • For examples of valid certificate formats, see Troubleshooting.

If the certificate chain is invalid:

  • Confirm that the certificate chain doesn't contain your public key certificate.
  • Confirm that the certificate chain uses the correct order. The certificate chain must include all intermediate certificates from your Certificate Authority (CA) that lead to the root certificate. The certificate chain starts with the certificate that was generated by your CA and ends with your CA's root certificate. Typically, both intermediate and root certificates are provided by a CA in a bundled file with the proper chained order. Use the intermediate certificates that are provided by your CA. Don't include any intermediate certificates that aren't involved in the chain of trust path.
If an error indicates that the private key certificate is invalid, then it's likely that the private key certificate isn't in the correct format or the private key certificate is encrypted. Be sure that the private key certificate follows the format of the private key example in Troubleshooting. Also, confirm that the private key certificate isn't password-protected. For more information, see:
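As an added pre-upload check (example code written for this article, not an AWS tool), the following Python script tests a certificate, its chain and its private key against the error categories listed above: extra white space, missing BEGIN/END markers, a body that isn't valid PEM, a chain that contains the public key certificate, and a password-protected key. It does not check the chain order; use openssl s_client as described above for that. The fake_block helper builds constructed PEM-shaped blocks for demonstration only, not real certificates or keys.

```python
import base64
import re
# Marker lines the article requires; the chain and key use other PEM labels.
CERT_BEGIN, CERT_END = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\n(.*?)\n-----END \1-----", re.S)
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}

def pem_blocks(text):
    """Return (label, base64 body without line breaks) for every PEM block in text."""
    return [(m.group(1), "".join(m.group(2).split())) for m in PEM_BLOCK.finditer(text)]

def check_certificate(pem):
    """Lint the public key certificate: no extra white space, exact markers, one decodable block."""
    problems, body = [], pem.strip()
    if pem != body or any(line != line.strip() for line in body.splitlines()):
        problems.append("extra white space around the certificate or on its lines")
    if not (body.startswith(CERT_BEGIN) and body.endswith(CERT_END)):
        problems.append(f"must start with {CERT_BEGIN} and end with {CERT_END}")
    blocks = pem_blocks(body)
    if len(blocks) != 1:
        problems.append(f"expected exactly one CERTIFICATE block, found {len(blocks)}")
    try:
        [base64.b64decode(b64, validate=True) for _, b64 in blocks]
    except ValueError:
        problems.append("body is not valid base64, so it is not X.509 PEM")
    return problems

def check_chain(chain_pem, cert_pem):
    """Lint the chain: only CERTIFICATE blocks, at least one, never the leaf certificate itself."""
    chain, leaf = pem_blocks(chain_pem.strip()), {b for _, b in pem_blocks(cert_pem.strip())}
    problems = [] if chain else ["chain contains no CERTIFICATE block"]
    for label, b64 in chain:
        if label != "CERTIFICATE":
            problems.append(f"chain contains a {label} block instead of a certificate")
        if b64 in leaf:
            problems.append("chain must not contain the public key certificate itself")
    return problems

def check_private_key(key_pem):
    """Lint the private key: exactly one PEM key block and not password-protected."""
    labels = [label for label, _ in pem_blocks(key_pem.strip())]
    if "ENCRYPTED PRIVATE KEY" in labels or "Proc-Type: 4,ENCRYPTED" in key_pem:
        return ["private key is password-protected; remove the passphrase before uploading"]
    if len(labels) != 1 or labels[0] not in KEY_LABELS:
        return [f"expected one PEM private key block, found {labels}"]
    return []

def fake_block(label, payload):
    """Constructed PEM-shaped block for demonstration only; payload is not a real key or certificate."""
    return f"-----BEGIN {label}-----\n{base64.b64encode(payload).decode()}\n-----END {label}-----"
```

Run the three check functions over the files you are about to upload and fix every reported problem before retrying the upload.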