Renewing GoDaddy SSL on AWS Elastic Beanstalk

We previously wrote about installing a GoDaddy SSL on AWS Elastic Beanstalk. Now it’s time to renew our certificate. You will need the file decrypted-private-key.pem from when we installed the certificate the first time.

1. Go to the GoDaddy Manage Certificates page, and renew the certificate. Once the certificate is ready, download the certificate. Unzip the downloaded file and you will get gd_bundle.crt and yourdomain.crt.

2. Last time, we used iam-servercertupload to upload the certificate. This time, we will use the AWS Management Console to upload, and make active, our renewed certificate. Go to Amazon EC2 Dashboard -> Load Balancers. Select your load balancer and go to the Listeners tab. Click Change in the SSL Certificate column and upload a new SSL certificate.

3. Enter the certificate name, private key, certificate and certificate chain. The certificate name should be unique, and since we called it yourcertificatename last time, we can now call it yourcertificatename2013. The private key is the contents of decrypted-private-key.pem. The certificate is the contents of yourdomain.crt. The certificate chain is the contents of gd_bundle.crt.


4. Save and choose the newly uploaded certificate.

That should be it. Verify the new certificate in your browser or use SSL Shopper’s SSL Checker.
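Before uploading in step 3, it is worth confirming that the renewed yourdomain.crt still matches decrypted-private-key.pem and that it is the new certificate rather than the expiring one. The script below is an added example, not part of the original post; the function names, the file name preflight.sh and the 300-day threshold are assumptions, and the no-argument demo runs on a throwaway self-signed certificate constructed on the spot.

```sh
#!/bin/sh
# Added example (not from the original post): pre-upload checks for a renewed
# certificate. Function names and thresholds are illustrative assumptions.

# Succeeds only if the certificate and the private key carry the same public key.
# "-passin pass:" makes an encrypted key fail instead of prompting; the upload
# form needs the decrypted key anyway.
key_matches_cert() {    # usage: key_matches_cert CERT KEY
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -passin pass: -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Succeeds if the certificate is still valid DAYS days from now, i.e. the file
# is the renewed certificate and not the one about to expire.
valid_for_days() {      # usage: valid_for_days CERT DAYS
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Runs both checks, prints one line per result, returns non-zero on any failure.
preflight() {           # usage: preflight CERT KEY MIN_DAYS
    rc=0
    if key_matches_cert "$1" "$2"; then echo "OK   key matches certificate"
    else echo "FAIL key does not match certificate (or key is encrypted)"; rc=1; fi
    if valid_for_days "$1" "$3"; then echo "OK   valid for at least $3 more days"
    else echo "FAIL expires within $3 days"; rc=1; fi
    return $rc
}

# With three arguments, check the real files, for example:
#   sh preflight.sh yourdomain.crt decrypted-private-key.pem 300
# Without arguments, run a demo on a constructed key and self-signed certificate.
if [ "$#" -eq 3 ]; then
    preflight "$1" "$2" "$3"
else
    demo=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=example.test" \
        -keyout "$demo/key.pem" -out "$demo/cert.crt" 2>/dev/null
    preflight "$demo/cert.crt" "$demo/key.pem" 300
    rm -rf "$demo"
fi
```

A key mismatch here usually means the renewal was issued against a different CSR than the one that produced decrypted-private-key.pem.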

AWS Elastic Beanstalk Zone Apex

1. Go to your AWS Management Console and click on the Amazon EC2 tab. Click on Load Balancers and look for the load balancer your Elastic Beanstalk instance is using. Note down the Load Balancer DNS Name (A Record) and Hosted Zone ID. You will need these 2 values later.

2. Now click on the Amazon Route 53 tab. Double click on the existing hosted zone or create one if it doesn’t exist.

3. Click on Create Record Set and select Type A – IPv4 address with Alias set to Yes. Use the values you noted down in step 1 for Alias Hosted Zone ID and Alias DNS Name. Note that we initially tried this step in Chrome but that didn’t work. It worked fine when we did this step in Firefox.

4. Try your new configuration by going to

AWS Elastic Beanstalk with GoDaddy SSL

This is a step-by-step walk-through on how to install an SSL certificate on AWS Elastic Beanstalk. We will use a GoDaddy SSL certificate. The official documentation is on the IAM Creating and Uploading Server Certificates page, but that example is only for a 1024 bit certificate. This post also assumes you already have a CNAME for your Elastic Beanstalk instance.

1. You need OpenSSL. Our Amazon EC2 image already has OpenSSL by default. Try running openssl version on the command line to verify if you have OpenSSL installed.

2. You will need the IAM Command Line Toolkit to be able to upload the SSL certificate. We will be using the iam-servercertupload command later in the process. You will also need to create a file with the keys AWSAccessKeyId and AWSSecretKey populated with your AWS keys.

3. Now generate the CSR (Certificate Signing Request) by running the following command. This will generate a 2048 bit CSR.

openssl req -new -newkey rsa:2048 -nodes -out csr.pem -keyout private-key.pem -subj "/C=yourcountry/ST=yourstate/L=yourcity/O=yourcompany/OU=yourdepartment/CN=yourdomain"

Replace yourcountry, yourstate, yourcity, yourcompany, yourdepartment, yourdomain with the appropriate values. You should get two files from this step, csr.pem and private-key.pem.

4. Go to the GoDaddy Manage Certificates page, and copy paste the CSR. Once the certificate is ready, download the certificate. Unzip the downloaded file and you will get gd_bundle.crt and yourdomain.crt.

5. Before uploading the certificate, we need to decrypt our private key by running the following openssl command.

openssl rsa -in private-key.pem -out decrypted-private-key.pem

6. Now we are ready to upload our certificate. Run the following command.

iam-servercertupload --aws-credential-file -b yourdomain.crt -c gd_bundle.crt -k decrypted-private-key.pem -s yourcertificatename

Make sure the file paths are correct. yourcertificatename is the name of the certificate that you specify.

7. To get your SSL Certificate ID, which you need to enable SSL on Elastic Beanstalk, run the following command.

iam-servercertgetattributes --aws-credential-file -s yourcertificatename

Take note of your certificate ID, which starts with arn:aws:iam::.

8. Go to the AWS Elastic Beanstalk Management Console and edit the environment configuration. Go to the Load Balancer tab, set the HTTPS Listener Port to 443, and set the SSL Certificate Id to the certificate ID from step 7. If you have a wildcard SSL, you can repeat this step on every Elastic Beanstalk application on different subdomains.

9. Test your new configuration by going to https://yourdomain.