Auto-deploy certificates to Windows certificate store in AWS Elastic Beanstalk deployments?

Did you get this resolved?

Could you do something like what is described here https://forums.aws.amazon.com/thread.jspa?messageID=591375, ignoring the web binding pieces and adding the permissions for the IIS_IUSR.

I thought I'd update with what we ended up doing.

We set up an ebextension to load the cert from S3 and then assign the required permissions. I realize we did not have the .cer file to deal with, so this may not work for you.

---
files:
  "c:\\init_scripts\\install_cert.ps1":
    content: |
      # Arguments: environment name, PFX password (arrives as plain text on the command line)
      $env = $args[0]
      # Renamed from $pwd, which is a PowerShell automatic variable
      $pfxPwd = $args[1]
      $securePwd = ConvertTo-SecureString -String $pfxPwd -Force -AsPlainText
      $certName = "$($env).auth.cert.pfx"
      $certFilePath = "C:\$($certName)"
      # Download the PFX from S3 and import it into the machine's Personal store
      Read-S3Object -BucketName ourcertsbucket -Key $certName -File $certFilePath
      $cert = Import-PfxCertificate -FilePath $certFilePath -CertStoreLocation Cert:\LocalMachine\My -Password $securePwd
      # Now that we have the cert we need to grant access to the IIS user for the cert
      Try
      {
        # Newest certificate whose subject matches the environment name
        $WorkingCert = Get-ChildItem Cert:\LocalMachine\My | where {$_.Subject -match $env} | sort NotAfter -Descending | select -First 1 -ErrorAction Stop
        # An empty result does not raise an error by itself, so check for it explicitly
        if (-not $WorkingCert) { throw "no matching certificate" }
        $TPrint = $WorkingCert.Thumbprint
        $rsaFile = $WorkingCert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
      }
      Catch
      {
        "        Error: unable to locate certificate for $($env)"
        # Non-zero exit code so the container command is reported as failed
        Exit 1
      }
      # Private key file of the imported certificate
      $keyPath = "C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\"
      $fullPath = $keyPath + $rsaFile
      $acl = Get-Acl -Path $fullPath
      $permission = "IIS_IUSRS","Read","Allow"
      $accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule $permission
      $acl.AddAccessRule($accessRule)
      Try
      {
        # -ErrorAction Stop makes a failed Set-Acl reach the Catch block
        Set-Acl $fullPath $acl -ErrorAction Stop
        "        Success: ACL set on certificate"
      }
      Catch
      {
        "        Error: unable to set ACL on certificate"
        Exit 1
      }
container_commands:
  01_install_cert:
    command: powershell -ExecutionPolicy RemoteSigned -File .\install_cert.ps1 %Environment% %CertPassword%
    cwd: c:\init_scripts
    waitAfterCompletion: 0

Thanks to this link for the PowerShell permissions script.
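A post-deployment check for the permission step in the answer above, as an added example that is not part of the original post: it confirms that `IIS_IUSRS` has Read on the certificate's private-key file and reports any rights beyond that. The function name `Test-CertKeyReadAccess` and the returned property names are hypothetical; the check goes beyond the posted script by also locating CNG-stored keys, and it looks at Allow rules only.

```powershell
# Added example (hypothetical helper, not from the original post).
function Test-CertKeyReadAccess {
    param(
        [Parameter(Mandatory)] [string] $Thumbprint,
        [string] $Account = 'IIS_IUSRS'
    )
    $cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
    if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key." }

    # CNG keys and legacy CSP keys are stored in different directories.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        $keyFile = Join-Path "$env:ProgramData\Microsoft\Crypto\Keys" $rsa.Key.UniqueName
    } elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        $keyFile = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" $rsa.CspKeyContainerInfo.UniqueKeyContainerName
    } else {
        throw "Certificate $Thumbprint does not have an RSA key this check understands."
    }
    if (-not (Test-Path -LiteralPath $keyFile)) { throw "Key file not found: $keyFile" }

    # Compare by SID so the result does not depend on how the account name is displayed.
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate($sidType)
    $read = [int][System.Security.AccessControl.FileSystemRights]::Read
    $sync = [int][System.Security.AccessControl.FileSystemRights]::Synchronize

    # Union of everything the account is allowed (explicit and inherited rules).
    $allowed = 0
    foreach ($rule in (Get-Acl -LiteralPath $keyFile).GetAccessRules($true, $true, $sidType)) {
        if ($rule.IdentityReference.Value -eq $sid.Value -and $rule.AccessControlType -eq 'Allow') {
            $allowed = $allowed -bor [int]$rule.FileSystemRights
        }
    }
    [pscustomobject]@{
        KeyFile     = $keyFile
        CanRead     = ($allowed -band $read) -eq $read
        # Rights beyond Read/Synchronize are more than IIS needs to use the key.
        ExtraRights = [System.Security.AccessControl.FileSystemRights]($allowed -band (-bnot ($read -bor $sync)))
    }
}
```

Run it elevated on the instance with the thumbprint of the imported certificate; `CanRead` should be `True` and `ExtraRights` should be `0`.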