Wildcard SSL Certificate on Multiple ELBs in VPC

https ssl ssl-certificate amazon-elb amazon-vpc

What I want is that all the communication between my ELBs and the external world should be over HTTPS. How can I achieve this ?

Completely disabling plain HTTP is usually not on option, but can configure your webservers to (permanently) redirect any unencrypted request from http://... to https://...

Can I install the one wild card certificate that I have on all the three ELBs?

There is no technical reason why you couldn't.

Also since it is a wild card certificate that I have, I would not be able to use it for api.example.com but not for example.com itself (as per my understanding).
However, what is visible to the external world is example.com for now (and not really api.example.com) So do I need to purchase another certificate for the above scenario ?

Yes a wild-card for *.example.com is only valid for <valid_hostnames>.example.com and neither for plain/naked example.com nor *.*.example.com will work. See this Q&A for the details.

Technically it's possible to also include the plain domain with the wildcard certificate via a Subject Alternative Name extension, making the certificate valid for both *.example.com and example.com but which SSL resellers do that automatically I don't know. So you may not need another (replacement) certificate at all.

You can check with openssl x509 -in certificate.crt -text -noout which will yield something similar to when SubjectAltNames are present:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
           ....
        Subject: ..., CN=*.example.com
           ...
        X509v3 extensions:
           ...
           X509v3 Subject Alternative Name:
                DNS:*.example.com, DNS:example.com

If that is not the case you may need another certificate to be able to use the bare domain in addition to your current wildcard. Server Name Indication (SNI) is what would be required to use two different SSL certificates and have them to work correctly on a single ELB instance.

ELB supports multiple TLS certificates using SNI -
ALB supports mutiple TLS certs using SNI
NLB now supports multiple TLS certs using SNI


If Wildcard SSL certificate issued to *.example.com then you can secure example.com, api.example.com and any other sub-domains with a single wildcard SSL certificate. Comodo Wildcard SSL offers unlimited server licenses and you should install certificate on your all 3 ELBs to set up secure environment on your sub-domains.

If you want secure different domain names which refer different TLDs like example.com, example.in and example.anytld then you should go with UCC SSL certificate. You can add or edit subject alternative names (SAN) anytime during the certificate lifespan.

If your requirement is securing multiple websites and its all sub-domains, then you can go with Comodo Multi Domain Wildcard SSL.

Related

Force to apply changes through puppet on a puppet agent, through master?
How to fix, ubuntu not getting ip address on hyper-v?
How can I stop OS X from switching Spaces when the mouse cursor is at the edge of the screen?
Anyone know of a Finder replacement?
Is there a Mac OSX equivalent of zenity?
How to use find and replace to replace a character with new line
How to fill down in Numbers without dragging?
How do I hyperlink 'text' within a note in the macOS Notes app?
List of (activated) fonts with shell command in os x
How do I see version numbers of my apps on iOS?
Using rsync to backup
How can I see what bandwidth each App or process is using?