When setting up AWS Load Balancers (Classic Load Balancers or Application Load Balancers), after adding an HTTPS listener, an SSL certificate has to be attached so that SSL termination can be done at the load balancer. For development purposes, the certificate added here can be a self-signed one.

However, if you try to upload a self-signed SSL certificate to IAM or ACM through the AWS Web Console during load balancer creation, you will frequently run into an error similar to the following:

```
Could not add listener. Server Certificate not found for the key: arn:aws:iam::xxxxxxxx:server-certificate/xxxxxxx
```

For reasons I have never been able to pin down, this error is notorious for appearing from time to time, and I have personally been plagued by it countless times. The AWS discussion forum is filled with similar queries and one-off solutions for it.

After a few hours spread over two days I had had enough and went looking for a consistent way to upload a self-signed SSL certificate that works every time. What follows is the gist of what I managed to scrape off the web and verify myself.

The steps below generate a temporary self-signed certificate and add it to AWS Certificate Manager.

Note that these commands were verified in Ubuntu 16.04.

1. Generate a private key.

   ```sh
   openssl genrsa 2048 > my-aws-private.key
   ```

2. Generate the certificate, providing the key generated in step 1. Be sure to provide valid (even though false) domain names when prompted.

   ```sh
   openssl req -new -x509 -nodes -sha1 -days 3650 -extensions v3_ca -key my-aws-private.key > my-aws-public.crt
   ```

3. Compile both of the above into a PKCS12 bundle. (EDIT: corrected command after Rodrigo pointed out an error below.)

   ```sh
   openssl pkcs12 -inkey my-aws-private.key -in my-aws-public.crt -export -out my-aws-public.p12
   ```

4. Install the AWS CLI and set up credentials.

5. Upload the generated certificate (my-aws-public.crt) and the private key (my-aws-private.key) to AWS Certificate Manager. Note that the CLI options take a double dash; a pasted em-dash will not be recognised.

   ```sh
   aws acm import-certificate --certificate file://my-aws-public.crt --private-key file://my-aws-private.key --region us-east-2
   ```

6. The certificate will now be available in the Load Balancer creation wizard under the “Choose a certificate from ACM (recommended)” option.
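As an added example (not part of the original post or of any AWS tooling), the script below wraps the steps above into a single checked flow: it generates the key and certificate in one `openssl req` call driven by a small config file, which works on the OpenSSL 1.0.2 shipped with Ubuntu 16.04 as well as on current releases; it signs with SHA-256 and puts the domain in a subjectAltName, since browsers no longer accept SHA-1 signatures or CN-only certificates even for local testing; it confirms that the private key and certificate carry the same public key before anything is sent to AWS, because ACM rejects a mismatched pair; and only then runs the same `aws acm import-certificate` call as step 5. It assumes `openssl` and the `aws` CLI are on PATH, and the domain `dev.example.test`, the output directory and the region `us-east-2` are placeholders to replace. ACM certificates are regional, so import in the region where the load balancer lives.

```shell
#!/bin/sh
# Added example, not the original post's commands: generate a self-signed
# development certificate, prove the key and certificate belong together,
# then import the pair into ACM with the CLI. Assumes openssl and the aws
# CLI are installed; the domain, output directory and region are placeholders.
set -eu

# gen_dev_cert DOMAIN OUTDIR
# Writes OUTDIR/dev.key and OUTDIR/dev.crt. Driving openssl req from a config
# file avoids -addext (OpenSSL 1.1.1+ only) and still sets a subjectAltName.
gen_dev_cert() {
    domain="$1"
    outdir="$2"
    mkdir -p "$outdir"
    cat > "$outdir/openssl.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_req
prompt = no
[dn]
CN = $domain
[v3_req]
subjectAltName = DNS:$domain
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -config "$outdir/openssl.cnf" \
        -keyout "$outdir/dev.key" -out "$outdir/dev.crt" 2>/dev/null
}

# pubkey_digest FILE pkey|x509
# SHA-256 of the DER-encoded public key, taken from a private key file or
# from a certificate, so the two sides can be compared byte for byte.
pubkey_digest() {
    case "$2" in
        pkey) openssl pkey -in "$1" -pubout -outform DER 2>/dev/null | openssl sha256 ;;
        x509) openssl x509 -in "$1" -pubkey -noout 2>/dev/null \
                | openssl pkey -pubin -outform DER 2>/dev/null | openssl sha256 ;;
    esac
}

# key_matches_cert KEY CRT -> exit 0 only when both carry the same public key.
# ACM refuses a mismatched pair, so catch it locally before the network call.
key_matches_cert() {
    k=$(pubkey_digest "$1" pkey)
    c=$(pubkey_digest "$2" x509)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# cert_san CRT -> prints the subjectAltName value, e.g. "DNS:dev.example.test"
cert_san() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

# import_to_acm KEY CRT REGION -> prints the ARN of the imported certificate.
# ACM certificates are regional: import in the load balancer's region.
import_to_acm() {
    key_matches_cert "$1" "$2" || {
        echo "private key does not match certificate" >&2
        return 1
    }
    aws acm import-certificate \
        --certificate "fileb://$2" \
        --private-key "fileb://$1" \
        --region "$3" \
        --query CertificateArn --output text
}

# Only run the full flow when explicitly asked, so the functions can also be
# sourced and used one at a time:
#   ACM_IMPORT=1 DEV_DOMAIN=dev.example.test AWS_REGION=us-east-2 sh self-signed-acm.sh
if [ "${ACM_IMPORT:-0}" = "1" ]; then
    out=$(mktemp -d)
    gen_dev_cert "${DEV_DOMAIN:-dev.example.test}" "$out"
    echo "SAN: $(cert_san "$out/dev.crt")"
    import_to_acm "$out/dev.key" "$out/dev.crt" "${AWS_REGION:-us-east-2}"
fi
```

The printed ARN is what the load balancer wizard lists under the ACM option; `cert_san` is there so you can confirm the domain you will be testing against actually ends up in the certificate rather than only in the CN. The `fileb://` prefix hands the PEM files to the CLI as raw bytes; `file://` as used in step 5 works for PEM as well.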

Written on October 17, 2017 by chamila de alwis.

Originally published on Medium