How to Properly Install Intermediate SSL Certificates on AWS Load Balancer



When setting up SSL on AWS Elastic Load Balancer (ELB), many developers encounter the "Unable to get local issuer certificate" error. This typically occurs when intermediate certificates aren't properly configured in the certificate chain.

SSL certificates operate in a chain of trust:

Root Certificate
│
└── Intermediate Certificate
    │
    └── Your Domain Certificate

AWS ELB requires you to provide both your domain certificate AND the intermediate certificates in the chain (but not the root).

For VeriSign/Symantec certificates, you'll typically receive multiple files. Here's how to combine them:

# Combine intermediate certificates (order matters!)
cat your_domain.crt intermediate1.crt intermediate2.crt > certificate_chain.pem

Important notes:

  • Do NOT include the root certificate
  • Do NOT include your private key
  • The order should be: domain cert → intermediate certs (from leaf to root)

When creating or updating your load balancer:

  1. Private Key: Your .key or .pem private key file
  2. Public Key Certificate: Your domain certificate
  3. Certificate Chain: The combined intermediate certificates

After configuration, verify with:

openssl s_client -connect yourdomain.com:443 -showcerts

Or use online tools like SSL Labs' SSL Test for comprehensive verification.

For older Android versions (2.1-2.2), you may need to include additional intermediates. For VeriSign certificates:

# Get the Apache bundle from VeriSign (quote the URL: an unquoted & would
# background the command and drop the id= parameter)
wget -O verisign_android_bundle.crt 'https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&id=AR1409'
# Append to your existing chain
cat your_chain.pem verisign_android_bundle.crt > full_chain.pem

If you still see errors:

  • Check certificate expiration dates
  • Verify the chain is in correct order
  • Ensure no extra whitespace or characters in PEM files
  • Confirm the private key matches the certificate

For frequent renewals, consider this AWS CLI command:

aws elb set-load-balancer-listener-ssl-certificate \
    --load-balancer-name your-lb \
    --load-balancer-port 443 \
    --ssl-certificate-id arn:aws:iam::123456789012:server-certificate/new-cert

When configuring SSL/TLS on AWS Application Load Balancer (ALB), many developers encounter the "Unable to get local issuer certificate" error during SSL validation checks. This typically occurs because:

  • The certificate chain is incomplete
  • Intermediate certificates are missing
  • The certificate bundle is improperly formatted

Here's the proper way to configure your certificate chain in AWS ALB:

# Convert your primary certificate to PEM if needed
# (if your_domain.crt is DER-encoded, add -inform DER)
openssl x509 -in your_domain.crt -out your_domain.pem -outform PEM

# Download intermediate certificates from your CA
# For VeriSign/Symantec certificates (URL quoted so the shell does not split it at &):
wget -O intermediate.crt 'https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&id=AR1409'

# Combine certificates in correct order
cat your_domain.pem intermediate.crt > full_chain.pem

For backward compatibility with older Android versions (2.1-2.2), you need additional intermediate certificates:

# For VeriSign certificates on Android (URL quoted so the shell does not split it at &):
curl -o verisign_android_bundle.html 'https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&id=AR657'
# Extract the Retail SSL section for Apache servers from the downloaded page

After uploading to AWS ALB, verify your configuration:

# -servername sends SNI, so an ALB with several certificates returns the one for this host
openssl s_client -connect yourdomain.com:443 -servername yourdomain.com -showcerts
# Check the complete chain is presented

Key points when troubleshooting:

  • Never include your primary certificate in the chain field
  • The chain should only contain intermediate and root certificates
  • Certificates must be PEM encoded with proper line endings
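The troubleshooting rules in both sections (no private key in the file, each certificate issued by the next one, no self-signed root, clean PEM blocks) can be checked before uploading. The script below is an added example, not code from the original post: it parses just enough DER to read each certificate's issuer and subject, and `sample_cert` builds constructed, unsigned certificate skeletons purely so the check can be demonstrated offline. Function names and the "drop the root" rule follow the ELB section's "Do NOT include the root certificate" note.

```python
import base64
import re
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)

def _tlv(buf, pos):                                      # one DER tag/length at pos -> (tag, value_start, value_end)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                    # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length
def issuer_and_subject(der):
    """Return (issuer, subject) as raw DER Name bytes; equal bytes mean the same name."""
    _, p, _ = _tlv(der, 0)                               # Certificate
    _, p, _ = _tlv(der, p)                               # tbsCertificate
    tag, _, end = _tlv(der, p)                           # [0] version (optional) or serialNumber
    if tag == 0xA0:
        _, _, end = _tlv(der, end)                       # serialNumber
    _, _, end = _tlv(der, end)                           # signature AlgorithmIdentifier
    _, _, iend = _tlv(der, end)                          # issuer Name
    _, _, vend = _tlv(der, iend)                         # validity
    return der[end:iend], der[vend:_tlv(der, vend)[2]]   # issuer, subject

def check_chain(pem_text):
    """Return the problems found; an empty list means the chain file looks sane."""
    problems, certs = [], []
    for label, body in PEM_BLOCK.findall(pem_text):
        if label != "CERTIFICATE":                       # e.g. a PRIVATE KEY block
            problems.append(f"{label} block present; the chain must contain certificates only")
            continue
        try:
            certs.append(issuer_and_subject(base64.b64decode(re.sub(r"\s", "", body), validate=True)))
        except (ValueError, IndexError):
            problems.append("a CERTIFICATE block is not valid base64/DER (stray characters?)")
    if not certs:
        problems.append("no certificates found")
    for i in range(len(certs) - 1):                      # cert i must be issued by cert i+1
        if certs[i][0] != certs[i + 1][1]:
            problems.append(f"certificate {i + 1} is not issued by certificate {i + 2}; chain is out of order")
    if certs and certs[-1][0] == certs[-1][1]:
        problems.append("last certificate is self-signed; drop the root from the chain")
    return problems
def _der(tag, payload):                                  # minimal DER encoder, only for constructed test data
    n = len(payload)
    return bytes([tag]) + (bytes([n]) if n < 128 else b"\x82" + n.to_bytes(2, "big")) + payload
def sample_cert(subject_cn, issuer_cn):
    """Constructed, unsigned certificate skeleton: test data only, not a real certificate."""
    name = lambda cn: _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn.encode()))))
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))
           + name(issuer_cn) + _der(0x30, _der(0x17, b"240101000000Z") * 2) + name(subject_cn) + _der(0x30, b""))
    b64 = base64.b64encode(_der(0x30, _der(0x30, tbs))).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"
```

Run `check_chain(open("full_chain.pem").read())` on a real chain file; the same issuer/subject comparison works on genuine certificates because only the name fields are read.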

For GeoTrust certificates, the process is similar but requires different intermediate certificates:

# GeoTrust intermediate certificates can be obtained from:
# https://www.geotrust.com/resources/root-certificates/