
Multiple SSL Certs with 1 IP on Amazon EC2

Posted on March 5, 2011

Amazon is fast becoming one of the biggest server hosts with its EC2 offering. As many of you already know, EC2 currently gives you only a single public IP per instance. Why? Who knows. It looks like an easy thing for them to fix, but users have been asking for it for over five years and there is still nothing, and no word on whether it will ever be supported.

Now the issue is that IIS 7 binds a certificate to an IP address and port, so it can only present one certificate per IP. Yes, you can use host headers to run multiple sites on that IP, but every HTTPS site sharing it must use the same certificate: the Host header travels inside the encrypted request, so IIS has to choose the certificate before it knows which site is being asked for. You cannot hack, cheat or tweak your way around this in IIS itself.

One solution is to launch a separate instance for each client that needs its own IP with SSL, but the costs add up quickly. There is a much cheaper solution.

Since the Amazon Elastic Load Balancer now supports SSL termination, you can create one load balancer per certificate: the ELB, which has its own public address, handles the SSL handshake, you upload the certificate through the EC2 control panel, and the ELB forwards the request to your instance over plain HTTP on port 80. An ELB presents a single certificate on port 443, so each site that needs its own certificate gets its own ELB. Two things to keep in mind: traffic between the ELB and IIS is unencrypted, so restrict port 80 on the instance to the load balancer rather than leaving the plaintext backend open to the world; and IIS sees a plain HTTP request, so if your application needs to know the client actually used HTTPS (for redirects or secure cookies, say), read the X-Forwarded-Proto header the ELB adds.

When you set up the load balancer, configure two listeners: HTTP (80) forwarding to HTTP (80), and the new HTTPS (443) forwarding to HTTP (80). The HTTPS listener asks for your certificate and private key in PEM format. If you do not have them in PEM format (and let's be honest, since you are running on IIS you won't), follow these steps to get them:

  • Export your certificate, including its private key, from IIS as a PFX and set an export password.
  • Make sure you have OpenSSL installed.
  • Type: openssl pkcs12 -in yourExport.pfx -nocerts -out privateKey.pem
  • Type: openssl pkcs12 -in yourExport.pfx -clcerts -nokeys -out publicCert.pem
  • Type: openssl rsa -in privateKey.pem -out privateKey.pem

The first two openssl steps ask for the PFX export password; the first also asks you to set a passphrase on the new privateKey.pem, and the third step prompts for that passphrase and writes the key back out without it, because Amazon only accepts an unencrypted private key. Now copy and paste the contents of privateKey.pem and publicCert.pem into the load balancer certificate setup screen and you are set. If your certificate was issued under an intermediate CA, paste the intermediate certificate(s) into the chain field too, or browsers that do not already hold the intermediate will warn. Once the upload is done, delete the unencrypted privateKey.pem or move it somewhere with restricted permissions: it is the one secret that lets anyone impersonate your site.

Finally, point the DNS CNAME for your site (or your customer's site) at the load balancer's DNS name, and you have SSL on that hostname.
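As an added example (not code from the original post), here is the PFX-to-PEM conversion from the steps above as a small POSIX shell script that also checks that the exported key and certificate belong together before you paste them into the ELB. It assumes only that openssl is on PATH; the PFX path, password and output directory are arguments. The make_sample_pfx function is a constructed stand-in for the IIS export: it builds a throwaway self-signed key and certificate and packs them into a PFX so the script can be tried without a real certificate.

```shell
#!/bin/sh
# Added example (not from the original post): convert an IIS PFX export into the
# unencrypted PEM private key and certificate an ELB HTTPS listener expects, and
# verify that the two belong together before pasting them into the console.
# Assumes only that `openssl` is on PATH; nothing here is tied to a real domain.
set -eu

# pfx_to_elb_pem <export.pfx> <pfx-password> <output-dir>
# Writes privateKey.pem (unencrypted), publicCert.pem (leaf only) and, when the
# PFX carried intermediates, chain.pem for the load balancer's chain field.
pfx_to_elb_pem() {
  pfx=$1; pass=$2; out=$3
  mkdir -p "$out"
  # -nodes writes the key unencrypted in one go (the post's third `openssl rsa`
  # step does the same); piping through `openssl rsa` drops the "Bag Attributes"
  # header lines so only the PEM block remains.
  openssl pkcs12 -in "$pfx" -nocerts -nodes -passin "pass:$pass" \
    | openssl rsa -out "$out/privateKey.pem" 2>/dev/null
  chmod 600 "$out/privateKey.pem"
  # Leaf certificate only: the one that matches the key.
  openssl pkcs12 -in "$pfx" -clcerts -nokeys -passin "pass:$pass" \
    | openssl x509 -out "$out/publicCert.pem"
  # Any CA certificates bundled in the PFX; keep every PEM block, drop the rest.
  openssl pkcs12 -in "$pfx" -cacerts -nokeys -passin "pass:$pass" \
    | awk '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/' \
    > "$out/chain.pem"
  [ -s "$out/chain.pem" ] || rm -f "$out/chain.pem"
}

# key_matches_cert <key.pem> <cert.pem>
# Succeeds when the RSA modulus in the key equals the one in the certificate,
# i.e. the key really is the one this certificate was issued for.
key_matches_cert() {
  k=$(openssl rsa -noout -modulus -in "$1" | openssl md5)
  c=$(openssl x509 -noout -modulus -in "$2" | openssl md5)
  [ "$k" = "$c" ]
}

# make_sample_pfx <dir> <password> [cn]
# Constructed test input: a throwaway self-signed key/cert packed into a PFX,
# standing in for the file IIS exports. Prints the PFX path.
make_sample_pfx() {
  dir=$1; pass=$2; cn=${3:-www.example.test}
  mkdir -p "$dir"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$cn" \
    -keyout "$dir/$cn.key" -out "$dir/$cn.crt" 2>/dev/null
  openssl pkcs12 -export -inkey "$dir/$cn.key" -in "$dir/$cn.crt" \
    -passout "pass:$pass" -out "$dir/$cn.pfx"
  printf '%s\n' "$dir/$cn.pfx"
}
```

Run pfx_to_elb_pem yourExport.pfx 'password' ./elb followed by key_matches_cert ./elb/privateKey.pem ./elb/publicCert.pem; a non-zero exit from the check means the wrong certificate or key was exported. With OpenSSL 3, a PFX exported by an older Windows version may be encrypted with RC2, which the default provider no longer supports; add -legacy to the openssl pkcs12 commands in that case. Remember that privateKey.pem is left unencrypted on disk, so remove it once the upload is done.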



  • Brian

    Curious, how did you handle the health check on the ELB? If you have 20 sites on IIS you can't tell it to point to the specific site you added SSL for.

  • Brian

    I ended up setting up a new site with the default IP and got this going. So far so good... on to adding my second SSL.

    Thanks for writing this.

  • Scheme

    This is exactly what I need, but do you still need to set up only an HTTP header for each website?

    Please give me some detail.


  • Anonymous

    Well, on EC2 this allows you to have 2 sites and 2 separate SSL certs, but that is the max (unless you're on a wildcard cert and *.whatever is what you need). So yes, just an HTTP header for the site that responds to the request from the ELB is OK.