How to configure my Elastic Load Balancer to balance SSL traffic?

Solution 1:

The advantage of doing SSL termination on your load balancer is that you relieve your back-end nodes of having to perform SSL encryption/decryption.

As such, just deploy your SSL private key and signed cert to the ELB. That will take care of SSL termination, and the ELB can then proxy traffic unencrypted to your back-end instances. If you want traffic between the ELB and your back-end instances to be encrypted, that's fine, but you will still need the ELB to have your private key and signed cert.

With regard to getting your certificates and keys out of the Java keystore, that's certainly possible. This Q&A over on Stack Overflow has the details.

Solution 2:

The ELB can be used in one of two ways:

  1. SSL termination at the ELB.

    In this mode, you'll give the ELB the cert and key. It will decrypt the request and pass it to your servers unencrypted. The benefit of this is that you can reduce the CPU load of your servers.

  2. The ELB just acts as a passthrough.

    The ELB can act as a dumb passthrough. It won't need the cert or key. In order to set it up this way, instead of using the HTTPS option, set it as a TCP port.

Solution 3:

  1. ELB is the endpoint as far as the client is concerned. It adds metadata headers, etc. ELB can't currently serve SSL without a certificate.

  2. ELB must have the certificate that you want outward facing, but certificates on the actual instances do not have to match. They can be self-signed. You don't even need to install certificates on your instances, but data will travel in the clear over AWS's infrastructure between the instances and ELB. You can create the certificate in any way you like, so long as it's valid.
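
The listener modes described in the answers above can be read back from a Classic ELB's configuration. The following is an added example, not code from any of the answers: it classifies listeners in the shape returned by `aws elb describe-load-balancers` and reports where the client-facing key lives and whether the hop to the instances is encrypted. The sample data, load balancer names, ports and certificate ARN are constructed placeholders, and `classify` and `audit` are hypothetical helper names.

```python
import json

# Constructed sample in the shape of `aws elb describe-load-balancers` output.
# Load balancer names, ports and the certificate ARN are placeholders.
SAMPLE = json.loads("""
{"LoadBalancerDescriptions": [
 {"LoadBalancerName": "lb-terminate", "ListenerDescriptions": [{"Listener": {
   "Protocol": "HTTPS", "LoadBalancerPort": 443,
   "InstanceProtocol": "HTTP", "InstancePort": 80,
   "SSLCertificateId": "arn:aws:iam::123456789012:server-certificate/example"}}]},
 {"LoadBalancerName": "lb-reencrypt", "ListenerDescriptions": [{"Listener": {
   "Protocol": "HTTPS", "LoadBalancerPort": 443,
   "InstanceProtocol": "HTTPS", "InstancePort": 443,
   "SSLCertificateId": "arn:aws:iam::123456789012:server-certificate/example"}}]},
 {"LoadBalancerName": "lb-passthrough", "ListenerDescriptions": [{"Listener": {
   "Protocol": "TCP", "LoadBalancerPort": 443,
   "InstanceProtocol": "TCP", "InstancePort": 443}}]}
]}
""")

def classify(listener):
    """Return (mode, client_facing_key, backend_encrypted) for one listener."""
    front = listener["Protocol"].upper()
    back = listener["InstanceProtocol"].upper()
    if front in ("HTTPS", "SSL"):
        if not listener.get("SSLCertificateId"):
            raise ValueError("TLS listener needs a certificate on the ELB")
        # The ELB decrypts; the second hop is encrypted only if the
        # instance protocol is also a TLS one.
        encrypted = back in ("HTTPS", "SSL")
        return ("re-encrypt" if encrypted else "terminate", "elb", encrypted)
    if front == "TCP":
        # Bytes are forwarded untouched, so TLS (if any) ends on the instances.
        # backend_encrypted is None: the ELB config alone cannot tell.
        return ("passthrough", "instances", None)
    return ("plain-http", "none", False)

def audit(description):
    """Map each load balancer name to the classification of its listeners."""
    return {
        lb["LoadBalancerName"]: [classify(d["Listener"])
                                 for d in lb["ListenerDescriptions"]]
        for lb in description["LoadBalancerDescriptions"]
    }

if __name__ == "__main__":
    for name, modes in audit(SAMPLE).items():
        print(name, modes)
```

A `terminate` result with `backend_encrypted` set to `False` is the case the last answer describes, where data travels in the clear between the ELB and the instances.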