A client SSL/TLS connection to your Classic Load Balancer fails with an error message similar to the following:

  • "The security certificate presented by this website was not issued by a trusted certificate authority."
  • "example.com uses an invalid security certificate. The certificate is not trusted because the issuer certificate is unknown."
  • "example.com uses an invalid security certificate. The certificate is not trusted because it is self signed."

Additionally, you might encounter errors when attempting to upload SSL/TLS certificates to your Classic Load Balancer.

If you use HTTPS/SSL listeners for your Classic Load Balancer, you must install an SSL certificate so your Classic Load Balancer can terminate SSL/TLS client connections.

The SSL certificate has a validity period; you must replace it before that period ends by creating and uploading a new certificate.

If the intermediate certificate chain is not uploaded along with your certificate, the load balancer presents only the server certificate, and a web client that does not already trust the issuing intermediate CA fails to validate it. You can use the openssl s_client command to check whether the intermediate certificate chain was uploaded correctly to IAM (or ACM) for this load balancer. s_client is a generic SSL/TLS client that connects to a remote host, prints the certificates the server presents, and reports the result of verifying them. If the command openssl s_client -showcerts -connect www.domain.com:443 returns "Verify return code: 21 (unable to verify the first certificate)", the intermediate certificate chain is missing.

If the command instead returns "Verify return code: 0 (ok)", the client built a complete chain from the presented certificates to a root in its local trust store, which indicates that the certificate and its chain were uploaded successfully. Run this check from a machine that does not have your CA's intermediate certificate in its own trust store: a locally trusted intermediate lets verification succeed even when the load balancer sends no chain, which masks the problem.

Errors you might encounter uploading SSL certificates typically fall into one of the following categories:

  • Uploading certificate files or copying and pasting certificates that contain extra white space.
  • Uploading certificate files or copying and pasting certificates that do not start with "-----BEGIN CERTIFICATE-----" and end with "-----END CERTIFICATE-----".
  • Invalid public key errors.
  • Invalid private key errors.
  • Cipher suite / key issues.

To resolve "untrusted certificate" errors on clients that initiate SSL/TLS connections to a load balancer, upload an SSL certificate for use by your load balancer as described at SSL Certificates for Elastic Load Balancing. Additionally, you must replace the certificate before its validity period ends as described at Update the SSL Certificate for Your Load Balancer.

AWS Certificate Manager (ACM) allows you to create, import and manage SSL/TLS certificates. AWS Identity and Access Management (IAM) supports importing and deploying server certificates. ACM is the preferred tool to provision, manage, and deploy your server certificates.

To resolve problems uploading signed server certificates to ACM or IAM

To troubleshoot errors encountered when uploading SSL certificates, follow these guidelines:

  • Be sure that you follow all requirements for uploading signed server certificates described at Upload a signed server certificate to IAM and Prerequisites for Importing Certificates.
  • Be sure that the certificate does not contain extra white space.
  • Be sure that the certificate starts with "-----BEGIN CERTIFICATE-----" and ends with "-----END CERTIFICATE-----".
  • If an error message indicates that the public key certificate is invalid, then it is likely that either the public key certificate or the certificate chain is invalid. If the certificate uploads successfully without the certificate chain, then the certificate chain is invalid. Otherwise, the public key certificate is invalid.

If the public key certificate is invalid

  • Verify that the public key certificate is in the X.509 PEM format. See Sample Certificates for examples of valid certificate formats.

If the certificate chain is invalid

  • Verify that the certificate chain does not contain your public key certificate (the server certificate itself).
  • Verify that the certificate chain uses the correct order. The chain must include every intermediate certificate from your Certificate Authority (CA) that lies between your server certificate and the root: it starts with the intermediate certificate that issued your server certificate and ends with your CA's root certificate, each certificate being the issuer of the one before it. Typically the CA provides the intermediate and root certificates in a bundled file that is already in the proper order; use the intermediate certificates that your CA provided. Do not include any intermediate certificate that is not on the chain of trust path.

If the private key is invalid

  • If an error is returned indicating that the private key is invalid, the key is most likely in the wrong format or is encrypted. Be sure that the private key follows the format of the private key example at Sample Certificates, and that it is not password-protected. Requirements for signed server certificates are described at Upload a signed server certificate to IAM and Prerequisites for Importing Certificates.
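
The following bash script is an added example, not AWS documentation or tooling. It runs the checks from the upload guidelines in this section offline with the openssl command-line tool, so that a bundle can be rejected before it is ever sent to IAM or ACM: exact BEGIN/END lines with no extra whitespace, a private key that is not encrypted and matches the server certificate, and a chain that omits the server certificate, is ordered issuer by issuer from the intermediate up to the root, and ends in a self-signed root. It also wraps the openssl s_client check described earlier in remote_verify_code, which needs network access. The function names, the file names leaf.crt, chain.pem and leaf.key, and the throwaway CA built by make_constructed_chain are this example's own assumptions; the constructed CA is not a real CA.

```shell
#!/bin/bash
# Pre-flight check of a server certificate, its chain and its private key before
# uploading them to IAM or ACM. Added example, not AWS tooling: it encodes the rules
# from this page using only the openssl CLI.
#   ./check-bundle.sh leaf.crt chain.pem leaf.key   (exit 0 = all checks passed)

# Subject/issuer DN of a certificate in a form that is stable across OpenSSL versions.
dn() { openssl x509 -in "$2" -noout "$1" -nameopt RFC2253 2>/dev/null | sed 's/^[a-z]*=//'; }
fp() { openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null; }

# PEM hygiene: exact BEGIN/END lines and no leading/trailing whitespace or blank lines.
check_pem_text() {
  local f=$1 kind=$2 ok=0
  head -n1 "$f" | grep -qxF -e "-----BEGIN $kind-----" || { echo "$f: missing -----BEGIN $kind----- on first line"; ok=1; }
  tail -n1 "$f" | grep -qxF -e "-----END $kind-----"   || { echo "$f: missing -----END $kind----- on last line"; ok=1; }
  grep -qE '^[[:space:]]|[[:space:]]$|^$' "$f" && { echo "$f: contains extra whitespace or blank lines"; ok=1; }
  return $ok
}

# check_bundle LEAF CHAIN KEY: prints one line per problem, returns 0 only if all pass.
check_bundle() {
  local leaf=$1 chain=$2 key=$3 status=0 tmp n i c prev
  tmp=$(mktemp -d)

  check_pem_text "$leaf" CERTIFICATE || status=1

  # The private key must be unencrypted and must belong to the leaf certificate.
  grep -q ENCRYPTED "$key" && { echo "$key: private key is password-protected"; status=1; }
  if [ "$(openssl x509 -in "$leaf" -noout -pubkey 2>/dev/null)" != \
       "$(openssl pkey -in "$key" -pubout -passin pass: 2>/dev/null)" ]; then
    echo "$key: private key does not match $leaf"; status=1
  fi

  # Split the chain bundle into cert1.pem, cert2.pem, ... preserving file order.
  awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/{n++} {print > (d "/cert" n ".pem")}' "$chain"
  n=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$chain" || true)
  [ "$n" -gt 0 ] || { echo "$chain: no certificates found"; rm -rf "$tmp"; return 1; }

  prev=$leaf
  for i in $(seq 1 "$n"); do
    c=$tmp/cert$i.pem
    # The chain must not contain the server certificate itself.
    [ "$(fp "$c")" != "$(fp "$leaf")" ] || { echo "$chain: certificate $i is the server certificate; remove it"; status=1; }
    # Each certificate must be the issuer of the one before it (leaf -> intermediate(s) -> root).
    [ "$(dn -issuer "$prev")" = "$(dn -subject "$c")" ] ||
      { echo "$chain: certificate $i ($(dn -subject "$c")) is not the issuer of $(dn -subject "$prev"); wrong order or missing intermediate"; status=1; }
    prev=$c
  done
  # The chain must end at the CA root, which is self-signed.
  [ "$(dn -subject "$prev")" = "$(dn -issuer "$prev")" ] || { echo "$chain: last certificate is not a self-signed root"; status=1; }

  rm -rf "$tmp"
  return $status
}

# Live check from this page: prints the openssl verify return code for HOST:443
# (21 = intermediate chain missing, 0 = chain verified against the local trust store).
remote_verify_code() {
  echo | openssl s_client -showcerts -connect "$1:443" -servername "$1" 2>/dev/null |
    sed -n 's/^ *Verify return code: \([0-9]*\).*/\1/p'
}

# Constructed throwaway CA (root -> intermediate -> leaf) for trying the checks offline.
# Writes leaf.crt, leaf.key, inter.key, chain.pem (correct order) and reversed.pem into DIR.
make_constructed_chain() {
  local d=$1
  ( cd "$d" &&
    openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.crt -subj "/CN=Constructed Root CA" -days 1 &&
    openssl req -new -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr -subj "/CN=Constructed Intermediate CA" &&
    openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial -out inter.crt -days 1 &&
    openssl req -new -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr -subj "/CN=www.example.com" &&
    openssl x509 -req -in leaf.csr -CA inter.crt -CAkey inter.key -CAcreateserial -out leaf.crt -days 1 &&
    cat inter.crt root.crt > chain.pem &&
    cat root.crt inter.crt > reversed.pem ) >/dev/null 2>&1
}

if [ "$#" -eq 3 ]; then check_bundle "$@"; fi
```

A clean run prints nothing and exits 0; each violated rule prints a diagnostic, and the exit status is 1, so the script can gate a deployment pipeline. The chain test deliberately uses only subject/issuer matching and fingerprints rather than openssl verify, because the point here is the upload format rules (order, no leaf, self-signed root), not trust in the root; a verify return code of 0 from remote_verify_code is the end-to-end confirmation once the bundle is live.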

Published: 2015-05-18

Updated: 2018-02-22