Certificate Chain with AWS ELB & GoDaddy Certs
Solution 1
So the problem was several mistakes along the way for me. First, I took the `-----BEGIN CERTIFICATE-----` section from the PEM generated from my keytool keystore. Second, I was trying to convert the `gd_bundle-g2-g1.crt` file - it already contained exactly what I needed to use.

To start from the beginning - I used Digicert's Java Keytool to generate my commands to get my keystore and CSR using keytool. From there, I got a wildcard SSL certificate through GoDaddy and downloaded my certificate, which was in a ZIP file along with `gdig.crt` and `gd_bundle-g2-g1.crt`. After this, I followed the steps to get the private key from my keystore following this StackOverflow answer. However, the `foo.pem` file from this command required one more command, `openssl rsa -in foo.pem -out foo.rsa`, to get the final form accepted by the AWS panel.
Now to fill in the SSL form on AWS:

- Private Key: The contents of the `foo.rsa` file from the previous step.
- Public Key Certificate: The contents of the `<your_cert>.crt` file provided by GoDaddy.
- Certificate Chain: The contents of the `gd_bundle-g2-g1.crt` file provided by GoDaddy.
This has given me a successful SSL certificate setup for my AWS ELB, with the proper certificate path, giving me a trusted certificate.
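As an added pre-flight check (my own example, not from either answer), the script below runs the three form fields through openssl before they go into the ELB panel: it builds a throwaway root, intermediate and wildcard leaf as constructed stand-ins for the GoDaddy files (only `foo.pem`/`foo.rsa` are names from the answer), then confirms that the key matches the certificate, that the bundle is in the order the error message asks for, and that the full path verifies. It assumes the `openssl` CLI is installed.

```shell
#!/bin/sh
# Pre-flight checks for the three ELB form fields, run on a constructed
# root -> intermediate -> leaf chain so the script works offline.
set -e
work=$(mktemp -d); cd "$work"
printf 'basicConstraints=CA:TRUE\n' > ca.ext
openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj '/CN=Test Root' \
  -keyout root.key -out root.crt 2>/dev/null
openssl req -newkey rsa:2048 -nodes -subj '/CN=Test Intermediate' \
  -keyout int.key -out int.csr 2>/dev/null
openssl x509 -req -days 2 -in int.csr -CA root.crt -CAkey root.key \
  -CAcreateserial -extfile ca.ext -out int.crt 2>/dev/null
openssl req -newkey rsa:2048 -nodes -subj '/CN=*.example.test' \
  -keyout foo.pem -out leaf.csr 2>/dev/null
openssl x509 -req -days 2 -in leaf.csr -CA int.crt -CAkey int.key \
  -CAcreateserial -out leaf.crt 2>/dev/null
openssl rsa -in foo.pem -out foo.rsa 2>/dev/null  # the conversion step from Solution 1
cat int.crt root.crt > bundle.crt                 # stands in for gd_bundle-g2-g1.crt

# Private key and certificate must carry the same public key.
key_matches_cert() {
  [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

# Chain order as the ELB error demands: the first cert in the bundle must be
# the leaf's issuer, and each following cert must be the issuer of the one before.
chain_in_order() {
  cert=$1 bundle=$2 d=$(mktemp -d)
  n=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$bundle")
  awk -v d="$d" '/-----BEGIN CERTIFICATE-----/{i++} i{print > (d "/" i ".crt")}' "$bundle"
  prev=$cert i=1
  while [ "$i" -le "$n" ]; do
    iss=$(openssl x509 -in "$prev" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//')
    sub=$(openssl x509 -in "$d/$i.crt" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
    [ "$iss" = "$sub" ] || return 1
    prev=$d/$i.crt i=$((i + 1))
  done
}

# Full path validation: the leaf must chain through the bundle to a self-signed root.
chain_verifies() { openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; }

for chk in "key_matches_cert foo.rsa leaf.crt" "chain_in_order leaf.crt bundle.crt" \
           "chain_verifies leaf.crt bundle.crt"; do
  if $chk; then echo "ok:   $chk"; else echo "FAIL: $chk"; fi
done
```

Point the three functions at your real `foo.rsa`, `<your_cert>.crt` and `gd_bundle-g2-g1.crt` instead of the constructed files; a bundle in the wrong order fails `chain_in_order` with the same mismatch the ELB reports.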
Solution 2
It's not a trivial process, and the documentation isn't great.

This version of the process using Gandi.net SSL certificates might help you work through it; it's much better than the official docs: http://lexical.scopely.com/2015/03/11/uploading-an-ssl-cert-from-gandi-net-to-iam/
Updated on September 18, 2022

Comments
- Admin almost 2 years: I'm trying to set up SSL on my AWS ELB, but I am thus far unable to figure out what goes into the "Certificate Chain" field. I receive the following error:

  Unable to validate certificate chain. The certificate chain must start with the immediate signing certificate, followed by any intermediaries in order. The index within the chain of the invalid certificate is: -1

  I have my private key & certificate in PEM format and uploaded. If I use these without the "optional" chain, it works untrusted. I have been poking around, trying to find an answer on what to put into the field, and this answer suggests downloading the `gd_bundle-g2.crt` - I have done this and converted it into PEM by running `openssl x509 -inform PEM -in gd_bundle-g2.crt` but the error remains. When I downloaded my certificate from GoDaddy, I was given a ZIP with my SSL certificate along with `gdig2.crt` and `gd_bundle-g2-g1.crt`. I have tried using these files in various combinations, and alone, but again, nothing. What certificates go into the Certificate Chain, in what order, and in what format?
- Admin over 9 years: Though not directly helpful, it gave me some ideas to try that led me to the correct answer. Thanks for the links!
- John almost 9 years: Thanks, wasn't sure what to use as the chain in Amazon; simply put the text from the crt file as you said and it worked.
- Nick Howard over 8 years: Yep, `gd_bundle-g2-g1.crt` works for me.
- Alex Egli about 7 years: This is a link-only answer. Please include the relevant parts in the answer here.
- equivalent8 about 3 years: GoDaddy `gd_bundle-g2-g1.crt` certs can be found here: certs.godaddy.com/repository