random .NET and web development musings

Take the PKCS#12 (.pfx) file that you exported from Windows MMC or wherever, get yourself OpenSSL and run:

Public key:

openssl pkcs12 -in mycert.pfx -clcerts -nokeys -out publickey.txt

Open up publickey.txt and trim anything before the -----BEGIN CERTIFICATE----- line.

Private key:

openssl pkcs12 -in mycert.pfx -nocerts -nodes -out privatekey.txt

Open up privatekey.txt and trim anything before the BEGIN PRIVATE KEY line (-----BEGIN PRIVATE KEY-----, or -----BEGIN RSA PRIVATE KEY----- with older OpenSSL builds).

Certificate chain:

openssl pkcs12 -in mycert.pfx -nodes -nokeys -cacerts -out chain.txt

Open up chain.txt and trim anything outside the -----BEGIN CERTIFICATE----- / -----END CERTIFICATE----- blocks, then, if you have multiple certificates, reverse the order of the certificate blocks (i.e. move the top certificate to the bottom).

Next you need to use the AWS CLI to upload your certificate:

With the CLI in your PATH, from the same directory (important) as the three certificate files, run:

aws iam upload-server-certificate --server-certificate-name <your-certificate-name> --certificate-body file://publickey.txt --private-key file://privatekey.txt --certificate-chain file://chain.txt --path /cloudfront/

You can add --debug for mildly useful error messages.
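The same three exports, done without hand-trimming, as an added example that is not from the original post. It assumes openssl on PATH and the file names used above; extract_pem, reverse_blocks and split_pfx are helper names chosen here, not OpenSSL or AWS CLI commands.

```shell
#!/bin/sh
# Added example (not from the post): split a PKCS#12 file into the three PEM
# files the upload command expects, stripping the "Bag Attributes" and
# subject/issuer lines openssl prints before each block. Assumes openssl on
# PATH; the helper names below are chosen here, not OpenSSL/AWS commands.

# Keep only the lines from "-----BEGIN <type>-----" through "-----END <type>-----",
# also accepting the legacy "RSA " / "EC " prefixed key headers.
# $1 is the block type (CERTIFICATE or "PRIVATE KEY"); raw openssl output on stdin.
extract_pem() {
  awk -v type="$1" '
    BEGIN {
      b = "^-----BEGIN (RSA |EC )?" type "-----$"
      e = "^-----END (RSA |EC )?" type "-----$"
    }
    $0 ~ b { keep = 1 }
    keep   { print }
    $0 ~ e { keep = 0 }
  '
}

# Reverse the order of whole PEM blocks (the post's "move the top certificate
# to the bottom"); anything before the first BEGIN line is dropped.
reverse_blocks() {
  awk '
    /^-----BEGIN / { n++ }
    n > 0 { blocks[n] = blocks[n] $0 "\n" }
    END { for (i = n; i >= 1; i--) printf "%s", blocks[i] }
  '
}

# The three exports from the post, each cleaned on the fly, plus a check that
# the private key really belongs to the certificate before anything is uploaded.
split_pfx() {
  pfx="$1"
  openssl pkcs12 -in "$pfx" -clcerts -nokeys | extract_pem CERTIFICATE > publickey.txt
  openssl pkcs12 -in "$pfx" -nocerts -nodes | extract_pem "PRIVATE KEY" > privatekey.txt
  openssl pkcs12 -in "$pfx" -nodes -nokeys -cacerts | extract_pem CERTIFICATE | reverse_blocks > chain.txt
  cert_pub=$(openssl x509 -in publickey.txt -pubkey -noout)
  key_pub=$(openssl pkey -in privatekey.txt -pubout)
  if [ "$cert_pub" != "$key_pub" ]; then
    echo "privatekey.txt does not match publickey.txt; check the export" >&2
    return 1
  fi
}
```

Run split_pfx mycert.pfx and then the aws iam upload-server-certificate command above; the key/certificate comparison catches the common mistake of exporting the wrong PFX before IAM rejects it.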

Check out this blog post:


Essentially you need to create a scheduled task that runs

W32tm.exe /resync

As often as you deem necessary (I have chosen hourly).

Here is an exported scheduled task that you can use:

<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.3" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
    <Principal id="Author">
  <Actions Context="Author">
      <Arguments>start w32time task_started</Arguments>

Three simple steps:

openssl pkcs12 -in mycert.pfx -out mycert.txt -nodes

Then, to write out your private key (unencrypted, because of -nodes above):

openssl rsa -in mycert.txt -text -out mycert.key

And your certificate:

openssl x509 -inform PEM -in mycert.txt -out mycert.cer


Here is a great post on troubleshooting your AWS ELB.

The point that caught me out for about 10 hours today was that if you have your ELB configured for multiple Availability Zones, it doesn't matter if your assigned instance list doesn't contain any instances from some of the AZs: it will still route traffic to those zones, which will get lost and result in a 503 (or 504/324).

So, DON'T assign AZs that don't have any in-service instances running.