Jim

Reputation: 193

SSL with AWS Elastic Load Balancing - Static IP?

I've asked my provider for an SSL certificate. They said the CSR must be generated from a host having the IP address which belongs to the certificate. Otherwise it will not be valid later. As far as I know, one can only assign a CNAME to a load balancer, and it is not possible to generate the CSR on the load balancer. Apart from that, the LB IP might change. So how do you get your valid certificates?

Regards, Jim

Upvotes: 1

Views: 2467

Answers (2)

Beachhouse

Reputation: 5052

Jim, I had the very same question as you. This is my first foray into the realm of multi-server deployments with SSL.

I found this: http://www.martfox.com/customer/knowledgebase/140/Why-a-SSL-Requires-Dedicated-IP.html

It looks like it is commonly said that you must have a static IP address to run SSL, but it really looks like you don't need a static IP as much as an IP that you are the only one using at the time. The IP address is not needed when signing a certificate or creating a signing request. It is not attached to your keys in any way, so you can change static IP addresses or even move hosting providers without reissuing your SSL cert.

It appears that the limitation is because VHOSTS and other server aliasing methods don't have access to the HTTP request string before they have to connect the SSL layer, so they aren't able to route it like they do unauthenticated requests.

Upvotes: 0

user207421

Reputation: 311023

You don't have to generate the CSR on the load balancer. You only have to generate it with a name consisting of the required domain name. You can do that anywhere.

Upvotes: 3
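
What the answers above describe, as an added example that is not part of the original posts: a CSR built with `openssl` on an arbitrary machine, then inspected to confirm it names only the domain, carries no IP address, and matches its private key. The domain `www.example.com` and the helper function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. www.example.com is a constructed placeholder domain;
# make_csr, csr_names, csr_has_ip and csr_matches_key are hypothetical helper names.

make_csr() {   # $1 = domain name for the certificate, $2 = output directory
    mc_fqdn=$1; mc_dir=$2
    # Request config: the only identity in it is the DNS name.
    cat > "$mc_dir/$mc_fqdn.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = ext
[dn]
CN = $mc_fqdn
[ext]
subjectAltName = DNS:$mc_fqdn
EOF
    # Subshell keeps the restrictive umask local; the key is owner-readable only.
    ( umask 077
      openssl req -new -newkey rsa:2048 -nodes -config "$mc_dir/$mc_fqdn.cnf" \
          -keyout "$mc_dir/$mc_fqdn.key" -out "$mc_dir/$mc_fqdn.csr" 2>/dev/null )
}

csr_names() {  # print the identities the CA will see in the request
    openssl req -in "$1" -noout -text | grep -E 'Subject:|DNS:|IP Address:'
}

csr_has_ip() { # succeeds only if the request carries an IP address SAN
    openssl req -in "$1" -noout -text | grep -q 'IP Address:'
}

csr_matches_key() {  # $1 = CSR, $2 = private key; compare their public keys
    [ "$(openssl req -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Demo: run on any workstation or build host, no relation to the serving IP.
workdir=$(mktemp -d)
make_csr www.example.com "$workdir"
csr_names "$workdir/www.example.com.csr"
```

Only the `.csr` file is sent to the certificate provider; the `.key` file stays private and is later installed together with the issued certificate.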
