Amazon AWS SSL Certificate Import Foo

Using Amazon’s Elastic Load Balancer (ELB) with SSL is supposedly an easy thing to set up. And for the most part it is. You can use the command line tools or the web interface and all is good.

But it seems Amazon messed up the error messaging a little bit. When uploading our SSL certificate I got the nice error message "Invalid Public Certificate". After double- and triple-checking the public certificate and not finding anything, I asked the beloved oracle called Google.

One of the first things that came up was that the intermediate certificate might be in the wrong order, or that the root certificate is missing from the chain. That did not help in my case: I had only one certificate in the chain, and the root is added automatically according to Amazon’s documentation.

While digging through the AWS documentation I found the little hint that the private key has to be in RSA format. In other words, your file should look like this:

-----BEGIN RSA PRIVATE KEY-----
(tons of text)
-----END RSA PRIVATE KEY-----

and not like this:

-----BEGIN PRIVATE KEY-----
(tons of text)
-----END PRIVATE KEY-----

OpenSSL can do the conversion in one easy step:

openssl rsa -in my_private.key -outform PEM -out my_private.key.pem

After using that version of the private key, Amazon accepted the public key as well, despite the error telling me that the public key is invalid. Can somebody now please explain the difference between public and private to Amazon?
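
A pre-upload check built around the two headers and the conversion shown above, as an added example that is not part of the original post. The function names are hypothetical and the file names are placeholders; it also compares the key with the certificate's public key, so a real certificate problem can be told apart from a key-format problem.

```shell
#!/bin/sh
# Added example (not from the original post). Helper names are hypothetical.
# Usage: preflight my_private.key my_cert.pem

# Classify a private key file by its PEM armor line (CRLF tolerated).
pem_key_format() {
    hdr=$(tr -d '\r' < "$1" | sed -n '/^-----BEGIN .*PRIVATE KEY-----$/{p;q;}')
    case "$hdr" in
        '-----BEGIN RSA PRIVATE KEY-----')
            if grep -q '^Proc-Type: 4,ENCRYPTED' "$1"
            then echo rsa-traditional-encrypted
            else echo rsa-traditional
            fi ;;
        '-----BEGIN PRIVATE KEY-----')           echo pkcs8 ;;
        '-----BEGIN ENCRYPTED PRIVATE KEY-----') echo pkcs8-encrypted ;;
        *)                                       echo unknown ;;
    esac
}

# Write key $1 to $2 with the "BEGIN RSA PRIVATE KEY" armor. OpenSSL 3.x
# emits PKCS#8 from `openssl rsa` unless -traditional is passed; older
# releases do not know that option, so probe the help text first.
to_rsa_traditional() (
    umask 077   # the new key file must not be group/world readable
    if openssl rsa -help 2>&1 | grep -q -e '-traditional'; then
        openssl rsa -in "$1" -traditional -out "$2"
    else
        openssl rsa -in "$1" -out "$2"
    fi
)

# True when the certificate's public key equals the one derived from the key.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

preflight() {
    fmt=$(pem_key_format "$1"); key=$1
    echo "key format: $fmt"
    case "$fmt" in
        rsa-traditional) ;;
        pkcs8) key=$1.pem; to_rsa_traditional "$1" "$key" || return 1 ;;
        *) echo "decrypt or re-export the key first" >&2; return 1 ;;
    esac
    key_matches_cert "$key" "$2" || { echo "key/cert mismatch" >&2; return 1; }
    echo "ready to upload: $key"
}
```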