Ananth shows you how to upload an SSL certificate for your load balancer


An SSL/TLS connection to my Elastic Load Balancing (ELB) load balancer displays an error message similar to the following:

  • "The security certificate presented by this website was not issued by a trusted certificate authority."
  • "www.testsite.com uses an invalid security certificate. The certificate is not trusted because the issuer certificate is unknown."
  • "www.testsite.com uses an invalid security certificate. The certificate is not trusted because it is self signed."

If your load balancer has HTTPS or SSL listeners, you must install an SSL/TLS certificate on it so that the load balancer can terminate client SSL/TLS connections. The certificate, together with its private key, is what the load balancer presents to clients: clients use it to authenticate the load balancer and to set up the encrypted session. A certificate that a client cannot chain to a certificate authority (CA) it trusts produces the errors listed above.

Every SSL certificate has a validity period; once it ends, clients reject the certificate as expired. Replace the certificate before that date by obtaining a new certificate from your CA and uploading it for use by the load balancer.

If the intermediate certificate chain is not uploaded with your certificate, the load balancer presents only the server certificate. Some web clients then try to fetch the issuing certificate from the URL in the certificate's 'Authority Information Access' (AIA) extension, but not all clients do, and those that do not report the issuer as unknown even though the certificate itself is valid. Upload the full intermediate chain rather than relying on AIA fetching.
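Before changing anything on the load balancer, it helps to see exactly what the listener presents to a client. The following shell script is an added example, not AWS tooling or anything from the Knowledge Center: it connects with `openssl s_client` (sending SNI so the right listener certificate is selected), counts the certificates the load balancer returned, and maps OpenSSL's X509 verify result code to the symptoms listed above. The interpretation function reads the transcript from standard input, so it can also be exercised on a saved transcript; the hostname and port 443 are assumptions.

```shell
#!/bin/sh
# Client-side check of what a load balancer actually presents. Added example,
# not AWS tooling; needs the openssl CLI. It counts the certificates the server
# sends and maps OpenSSL's X509 verify result to the symptoms on this page.

# Reads an "openssl s_client -showcerts" transcript on stdin and prints one line:
# "<certificates presented> <verify code> <diagnosis>".
interpret_handshake() {
  awk '
    BEGIN { code = -1 }
    /^-----BEGIN CERTIFICATE-----/ { certs++ }
    /Verify return code:/ { sub(/.*Verify return code: */, ""); code = $1 + 0 }
    END {
      if (code < 0)        why = "no verify result in transcript; did the connection succeed?"
      else if (code == 0)  why = "chain verifies; check hostname match and the client trust store"
      else if (code == 18) why = "self-signed certificate presented; upload a CA-issued certificate"
      else if (code == 19) why = "chain ends in a root the client does not trust"
      else if (code == 20 || code == 21) why = "issuer not available; upload the intermediate chain"
      else if (code == 10) why = "certificate has expired; upload a replacement"
      else                 why = "verify error " code "; inspect the presented chain"
      if ((code == 20 || code == 21) && certs + 0 == 1)
        why = why " (only the server certificate was sent, so the client must rely on AIA fetching)"
      print certs + 0, code + 0, why
    }'
}

# Connects to the listener with SNI (so the right certificate is selected) and
# interprets the result. Assumption: the host serves HTTPS on port 443.
diagnose_listener() {  # $1 = hostname
  openssl s_client -connect "$1:443" -servername "$1" -showcerts </dev/null 2>&1 \
    | interpret_handshake
}

# Usage: sh diagnose-listener.sh www.testsite.com
if [ "$#" -eq 1 ]; then diagnose_listener "$1"; fi
```

Verify code 20 with a single certificate presented is the classic missing-intermediate case: browsers that fetch via AIA hide it, while OpenSSL, curl and most non-browser clients fail outright with "unable to get local issuer certificate". Code 18 is a self-signed server certificate; code 10 is an expired one.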

Errors you may encounter when uploading SSL certificates typically fall into one of the following categories:

  • Uploading certificate files or copying and pasting certificates that contain extra white space.
  • Uploading certificate files or copying and pasting certificates that do not start with "-----BEGIN CERTIFICATE-----" and end with "-----END CERTIFICATE-----".
  • Invalid public key errors.
  • Invalid private key errors.
  • Cipher suite / key issues.

To resolve "untrusted certificate" errors on clients that initiate SSL/TLS connections to a load balancer, upload an SSL certificate for use by your load balancer as described at SSL Certificates for Elastic Load Balancing. Additionally, you must replace the certificate before its validity period ends as described at Update the SSL Certificate for Your Load Balancer.

To troubleshoot errors encountered when uploading SSL certificates, follow these guidelines:

  • Ensure that you follow all requirements for uploading signed server certificates described at Upload a signed server certificate to IAM and Upload the Signed Certificate.
  • Ensure that the certificate does not contain extra white space.
  • Ensure that the certificate starts with "-----BEGIN CERTIFICATE-----" and ends with "-----END CERTIFICATE-----".
  • If an error message indicates that the public key certificate is invalid, it is likely that either the public key certificate or the certificate chain is invalid. If the certificate uploads successfully without the certificate chain, the certificate chain is invalid; otherwise, the public key certificate is invalid.

If the public key certificate is invalid

  • Verify that the public key certificate is in the X.509 PEM format. See Sample Certificates for examples of valid certificate formats.

If the certificate chain is invalid

  • Verify that the certificate chain does not contain your public key certificate; the server certificate is uploaded separately.

  • Verify that the certificate chain uses the correct order. The chain must contain every intermediate certificate between your server certificate and the root: it starts with the intermediate certificate that signed your server certificate and ends with your CA's root certificate, each certificate signed by the one that follows it. Typically, a CA delivers the intermediate and root certificates in a bundle file that is already in the proper order. Use the intermediate certificates that were provided by your CA, and do not include intermediate certificates that are not part of the chain of trust for your certificate.

  • If an error message indicates that the private key is invalid, it is likely that the private key is in the wrong format or that it is encrypted. Ensure that the private key follows the format of the private key example at Sample Certificates and that it is not password protected. The private key must also be the one that corresponds to the public key in the certificate you are uploading.
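The troubleshooting list above can be run as a script before anything is uploaded. The following is an added example, not AWS tooling or anything from the Knowledge Center: it checks PEM framing and whitespace, that the private key is unencrypted and parseable, that the key matches the certificate, that the chain excludes the server certificate, starts with its issuer and verifies it, and that the certificate is not about to expire. The file names, the throwaway test hierarchy it generates with openssl, and the 14-day expiry headroom are assumptions for the demonstration.

```shell
#!/bin/sh
# Pre-upload checks for an ELB certificate bundle: server certificate, private
# key and intermediate chain. Added example, not AWS tooling; needs the openssl CLI.

# PEM framing as the upload expects it: first line is exactly the BEGIN marker,
# last line is exactly the END marker, and no line carries extra whitespace
# (leading, trailing, a stray CR from a Windows editor, or a blank line).
check_pem_framing() {  # $1 = certificate or chain file
  if grep -Eq '^[[:space:]]|[[:space:]]$|^$' "$1"; then
    echo "FAIL $1: extra whitespace or blank line"; return 1
  fi
  head -n 1 "$1" | grep -qx -e '-----BEGIN CERTIFICATE-----' \
    || { echo "FAIL $1: does not start with -----BEGIN CERTIFICATE-----"; return 1; }
  tail -n 1 "$1" | grep -qx -e '-----END CERTIFICATE-----' \
    || { echo "FAIL $1: does not end with -----END CERTIFICATE-----"; return 1; }
}

# The private key must be an unencrypted PEM key that openssl can parse.
check_private_key() {  # $1 = private key file
  if grep -q 'ENCRYPTED' "$1"; then
    echo "FAIL $1: private key is password protected"; return 1
  fi
  openssl pkey -in "$1" -passin pass:unused -noout 2>/dev/null \
    || { echo "FAIL $1: not a parseable PEM private key"; return 1; }
}

# The private key must correspond to the public key inside the certificate.
check_key_matches_cert() {  # $1 = certificate, $2 = private key
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ "$cert_pub" = "$key_pub" ] || { echo "FAIL: $2 does not match $1"; return 1; }
}

# Chain rules: no server certificate inside it, first entry is the issuer of the
# server certificate, and the whole chain verifies the server certificate.
check_chain() {  # $1 = server certificate, $2 = chain file
  dir=$(mktemp -d)
  awk -v d="$dir" '/-----BEGIN CERTIFICATE-----/ { n++ } { print > (d "/" n ".pem") }' "$2"
  leaf_fp=$(openssl x509 -in "$1" -noout -fingerprint -sha256)
  for c in "$dir"/*.pem; do
    if [ "$(openssl x509 -in "$c" -noout -fingerprint -sha256 2>/dev/null)" = "$leaf_fp" ]; then
      echo "FAIL: chain contains the server certificate itself"; rm -rf "$dir"; return 1
    fi
  done
  leaf_issuer=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer=//')
  first_subject=$(openssl x509 -in "$dir/1.pem" -noout -subject 2>/dev/null | sed 's/^subject=//')
  rm -rf "$dir"
  [ -n "$first_subject" ] && [ "$leaf_issuer" = "$first_subject" ] \
    || { echo "FAIL: chain does not start with the issuer of $1"; return 1; }
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1 \
    || { echo "FAIL: $1 does not verify against $2"; return 1; }
}

# Certificates have a validity period; fail if this one ends within $2 days.
check_not_expiring() {  # $1 = certificate, $2 = days of headroom
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null \
    || { echo "FAIL: $1 expires within $2 days; issue and upload a replacement"; return 1; }
}

run_all_checks() {  # $1 = server certificate, $2 = private key, $3 = chain file
  check_pem_framing "$1" && check_pem_framing "$3" && check_private_key "$2" \
    && check_key_matches_cert "$1" "$2" && check_chain "$1" "$3" && check_not_expiring "$1" 14
}

# Constructed test data: a throwaway root -> intermediate -> server hierarchy
# plus two deliberately broken inputs. Nothing here comes from a real CA.
make_demo_bundle() {  # $1 = output directory
  d=$1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.testsite.com\n' > "$d/leaf.ext"
  for name in root intermediate server; do
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Test $name" \
      -keyout "$d/$name.key" -out "$d/$name.csr" 2>/dev/null
  done
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 30 \
    -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null
  openssl x509 -req -in "$d/intermediate.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -days 30 -extfile "$d/ca.ext" -out "$d/intermediate.pem" 2>/dev/null
  openssl x509 -req -in "$d/server.csr" -CA "$d/intermediate.pem" -CAkey "$d/intermediate.key" \
    -CAcreateserial -days 30 -extfile "$d/leaf.ext" -out "$d/server.pem" 2>/dev/null
  cat "$d/intermediate.pem" "$d/root.pem" > "$d/chain.pem"                      # correct order
  cat "$d/server.pem" "$d/intermediate.pem" "$d/root.pem" > "$d/bad-chain.pem"  # leaf included
  { cat "$d/server.pem"; printf '\n'; } > "$d/bad-server.pem"                 # trailing blank line
}

# Usage: sh elb-cert-check.sh server.pem server.key chain.pem
if [ "$#" -eq 3 ]; then run_all_checks "$@" && echo "bundle OK"; fi
```

Each check prints a FAIL line naming the category from the list above, which is quicker than decoding the upload error after the fact. The chain check splits the chain file into its individual certificates, so it also catches a bundle pasted in the wrong order or one that still contains the server certificate, both of which `openssl verify` alone accepts.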


Published: 2015-05-18