loading...
Cover image for How to reduce EC2 Data Transfer using ECC certificates into AWS

How to reduce EC2 Data Transfer using ECC certificates into AWS

siaresgf profile image Gian Franco Siares ・3 min read

What is ECC?

The ECC’s main advantage is that you can have the smaller key size for the same level of security, in particular at high levels of security AES-256 ~ ECC-512 ~ RSA-15424 (algorithms for factoring, like the Number Field Sieve).

ECC is the latest encryption method. It stands for Elliptic Curve Cryptography and promises stronger security, increased performance, yet shorter key lengths. This makes it ideal for the increasingly mobile world.


How to reduce 20% Data Transfer in EC2 step by step and not die trying


Install Certbot:
Alt text of image
Certbot is a fully-featured, extensible client for the Let’s Encrypt CA (or any other CA that speaks the ACME protocol) that can automate the tasks of obtaining certificates and configuring webservers to use them. This client runs on Unix-based operating systems.


First, go to measure the size of our RSA Certificate with the following command:

Alt Text


Step 1: generate ECC key

mkdir ecc
cd ecc
openssl ecparam -name prime256v1 -genkey > key

Step 2: create a copy of OpenSSL config file

cp /etc/ssl/openssl.cnf domains.cnf

Step 3: editing config file

nano domains.cnf

Look for [ req ] section. Find add uncomment following line:

req_extensions = v3_req

If you don’t find a line like above, you can add one.
In [ v3_req ] section, add following line:

subjectAltName = @alt_names

It will look like:

[ v3_req ]

# Extensions to add to a certificate request

basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

Finally add a new section called [ alt_names ] towards end of file listing all domain variation you are planning to use.

[ alt_names ]
DNS.1 = *.example.com

Now you have your OpenSSL config file ready.

Step 4: generate Certificate Signing Request

Next, we will generate CSR using private key above AND site-specific copy of OpenSSL config file.

openssl req -new -sha256 -key key -out csr -config domains.cnf

Step 5: use Certbot to deploying Let’s Encrypt certificates.

sudo certbot certonly --manual --key key --csr csr --preferred-challenges=dns --register-unsafely-without-email -d *.example.com

and it looks like:

Alt Text

 Step 6: SSL Challenge

Now, go to Route 53, and find the Hosted Zone “application”. And then paste the value as TXT record:

Alt Text

Finally, they will see something like this:

Alt Text

The next step is to convert the key into a .pem:

openssl ec -in key -out key.pem

They should have this:

Alt Text

Now, go to AWS Console => Load Balancers => Listeners => Upload a certificate to IAM.

Paste the following keys:

Alt Text

Click to save and Enjoy!


Finally, we can check the size of ECC Certificate with the following command:

Alt Text

SSL Certificate has been reduced 56%

Posted on by:

siaresgf profile

Gian Franco Siares

@siaresgf

Node.JS Ninja and Amazon Web Services Evangelist

Discussion

pic
Editor guide