Preparing an SSL certificate for use with AWS Elastic Load Balancer

Today I was tasked with re-keying our SSL certificate in preparation for the implementation of Amazon Web Services’ Elastic Load Balancer service. In order to properly implement the load balancer into our existing architecture, it must be able to handle SSL connections. We currently employ GoDaddy’s Premium SSL Certificate, which gives you the familiar green bar in the address bar of your browser. After copying and pasting the private key, certificate, and certificate chain data into the provided inputs, Amazon returned the following message: “Invalid private key.”

When I generate SSL certificate signing requests, I generally use the following command:

openssl req -new -newkey rsa:2048 -nodes -keyout yourdomain.key -out yourdomain.csr

Unfortunately, the resulting key is not in a format the Elastic Load Balancer accepts: with -newkey, OpenSSL writes the key as unencrypted PKCS#8 (the file begins with -----BEGIN PRIVATE KEY-----), whereas the load balancer expects a traditional PKCS#1 RSA key (-----BEGIN RSA PRIVATE KEY-----). To get around the “Invalid private key” error, I issued the following commands:

openssl genrsa -des3 -out yourdomain.key 2048
openssl req -new -key yourdomain.key -out yourdomain.csr

After that, copy and paste the CSR contents into the CSR input provided by GoDaddy. When I then attempted to restart Apache HTTP Server, I noticed the following errors in /etc/httpd/logs/error_log:

[Mon Oct 07 17:55:24.779930 2013] [ssl:emerg] [pid 23786] AH02204: Init: Pass phrase incorrect for key of yourdomain:443
[Mon Oct 07 17:55:24.779981 2013] [ssl:emerg] [pid 23786] SSL Library Error: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[Mon Oct 07 17:55:24.780076 2013] [ssl:emerg] [pid 23786] SSL Library Error: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[Mon Oct 07 17:55:24.780093 2013] [ssl:emerg] [pid 23786] SSL Library Error: error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error (Type=PKCS8_PRIV_KEY_INFO)

Unfortunately, the new private key was protected by a passphrase (that is what the -des3 flag adds), and Apache could not unlock it at startup. While there are a number of approaches to resolving the issue between Apache and private key passphrases, I chose to remove it, both for the sake of simplicity and because the Elastic Load Balancer will not accept a passphrase-protected private key. To remove the passphrase, use the following command:

openssl rsa -in yourdomain.key -out yourdomain.key.nopass

Once Apache is configured to use the passphrase-free key file, the HTTP server can be restarted, and the same private key is accepted by Amazon Web Services’ Elastic Load Balancer.
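The whole flow end to end, as an added example that is not part of the original post: it runs the genrsa, req and rsa commands above non-interactively, then checks the resulting file the way the load balancer will (PKCS#1 header, no passphrase) and confirms it actually belongs to the certificate before anything is pasted into the console. It also shows, for contrast, that the key produced by the original req -newkey one-liner fails the same check. It goes beyond the post in one respect: OpenSSL 3.x writes PKCS#8 by default even from genrsa and openssl rsa, so the script passes -traditional whenever that option exists. It assumes only that openssl is on PATH; the file names, the demo passphrase and the self-signed stand-in certificate are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the original post: the post's genrsa -> req ->
# strip-passphrase flow, run non-interactively, plus checks on the result.
# Assumes only that `openssl` is on PATH. File names, the passphrase and the
# self-signed certificate are constructed for the demo; in real use the
# certificate comes back from the CA.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
PASS="demo-passphrase"   # constructed; a real passphrase never belongs in a script

# Step 1 (the post's two commands): passphrase-protected key plus a CSR for the CA.
gen_key_and_csr() {
    openssl genrsa -des3 -passout "pass:$PASS" -out "$WORK/yourdomain.key" 2048 2>/dev/null
    openssl req -new -key "$WORK/yourdomain.key" -passin "pass:$PASS" \
        -subj "/CN=yourdomain.example" -out "$WORK/yourdomain.csr" 2>/dev/null
}

# Step 2 (the post's `openssl rsa` command): write the key without a passphrase.
# OpenSSL 3.x changed the default output to PKCS#8 ("BEGIN PRIVATE KEY"), the
# very format the post's first attempt produced; -traditional restores PKCS#1.
# OpenSSL 1.x does not know -traditional and already writes PKCS#1.
strip_passphrase() {
    in=$1; out=$2
    if openssl rsa -help 2>&1 | grep -q -- '-traditional'; then
        openssl rsa -traditional -in "$in" -passin "pass:$PASS" -out "$out" 2>/dev/null
    else
        openssl rsa -in "$in" -passin "pass:$PASS" -out "$out" 2>/dev/null
    fi
    chmod 600 "$out"   # the key now sits unencrypted on disk; limit who can read it
}

# Check 1: what the load balancer's "Invalid private key" message hides. The
# file must open with the PKCS#1 header and carry no encryption markers
# ("Proc-Type: 4,ENCRYPTED"/"DEK-Info" for PKCS#1, "ENCRYPTED PRIVATE KEY" for PKCS#8).
key_is_elb_ready() {
    [ "$(head -n 1 "$1")" = "-----BEGIN RSA PRIVATE KEY-----" ] || return 1
    ! grep -q -E 'ENCRYPTED|DEK-Info' "$1"
}

# Check 2: the key belongs to the certificate being uploaded with it. Both
# expose the RSA modulus; hash it so the comparison stays compact.
key_matches_cert() {
    k=$(openssl rsa -in "$1" -noout -modulus 2>/dev/null | openssl sha256)
    c=$(openssl x509 -in "$2" -noout -modulus 2>/dev/null | openssl sha256)
    [ "$k" = "$c" ]
}

gen_key_and_csr
strip_passphrase "$WORK/yourdomain.key" "$WORK/yourdomain.key.nopass"

# Stand-in for the CA-issued certificate: self-sign the CSR with the new key.
openssl x509 -req -in "$WORK/yourdomain.csr" -signkey "$WORK/yourdomain.key.nopass" \
    -days 1 -out "$WORK/yourdomain.crt" 2>/dev/null

# For contrast, the post's original one-liner (req -newkey ... -nodes): on
# OpenSSL 1.0.0 and later it yields a PKCS#8 key, which fails check 1.
openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/pkcs8.key" \
    -out "$WORK/pkcs8.csr" -subj "/CN=yourdomain.example" 2>/dev/null

if key_is_elb_ready "$WORK/yourdomain.key.nopass" \
   && key_matches_cert "$WORK/yourdomain.key.nopass" "$WORK/yourdomain.crt"; then
    echo "yourdomain.key.nopass: PKCS#1, unencrypted, matches the certificate"
else
    echo "key is not ready for the load balancer" >&2
    exit 1
fi
```

The chmod 600 matters: the passphrase was the only protection the -des3 step added, and the final file holds the key in the clear, so file permissions (and keeping the file out of backups and repositories) are what protect it from here on.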