Problem

I've been trying to attach an SSL certificate that I'm currently using for one of my Elastic Load Balancing instances on a new CloudFormation template, but each time I get:

    Server Certificate not found for the key

And then the CloudFormation template starts to roll back at that point.

    "Listeners" : [
        {
            "LoadBalancerPort" : "443",
            "InstancePort" : "80",
            "SSLCertificateId" : "start_certname_com",
            "Protocol" : "HTTPS"
        },...

Amazon is asking for "The ARN of the SSL certificate to use", and I believe this is correct since this is the exact string which appears in the dropdown of the currently set up ELB, which takes 443 to port 80 on the instances.

Am I missing something on my Listener?


Solution 2

I've actually figured out how to do this while waiting for the answer. You need to use the IAM CLI tools provided by Amazon and then use the command:

    iam-servercertgetattributes -s certname

This will provide you a string like:

    arn:aws:iam::123456789123:server-certificate/start_certname_com

This is the value you place in the "SSLCertificateId" value pair field.

The setup instructions for the IAM command line tools (CLI) can be found at:
http://docs.aws.amazon.com/IAM/latest/CLIReference/Setup.html

Download the tool kit from AWS here:
http://aws.amazon.com/developertools/AWS-Identity-and-Access-Management/4143

All in all your final block will look like:

    "Listeners" : [
        {
            "LoadBalancerPort" : "443",
            "InstancePort" : "80",
            "SSLCertificateId" : "arn:aws:iam::123456789123:server-certificate/start_certname_com",
            "Protocol" : "HTTPS"
        },...

Other tips

You can derive the ARN for a certificate in CloudFormation with only the certificate name. No need to run a command line tool and hard code the value into your CloudFormation template.

    "Parameters" : {
        "Path" : {
            "Description" : "AWS Path",
            "Default" : "/",
            "Type" : "String"
        }
    }
    ...
    "Listeners" : [
        {
            "LoadBalancerPort" : "443",
            "InstancePort" : "80",
            "SSLCertificateId" : {
                "Fn::Join" : [
                    "",
                    [
                        "arn:aws:iam::",
                        {
                            "Ref" : "AWS::AccountId"
                        },
                        ":server-certificate",
                        {
                            "Ref" : "Path"
                        },
                        "start_certname_com"
                    ]
                ]
            },
            "Protocol" : "HTTPS"
        },...

This determines your account id with the {"Ref":"AWS::AccountId"} pseudo parameter and combines it with the other elements needed to form the ARN. Note that I'm using a variable called Path in case you've set a path for your certificate. If not, the default of "/" works fine.

This solution was mentioned by @Tristan and is an extension of merrix143243's solution.

Here's how you get the long cert name with the latest AWS CLI:

    pip install awscli
    aws iam list-server-certificates
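
A pre-deploy check for the mistake in the question, as an added example that is not part of the original posts: it resolves the `Ref` and `Fn::Join` forms used in the answers and flags any HTTPS/SSL listener whose `SSLCertificateId` is not an IAM server-certificate ARN. The resource type `AWS::ElasticLoadBalancing::LoadBalancer`, the function names and the sample template are assumptions constructed here, and only the IAM ARN form discussed on this page is accepted.

```python
import json
import re

# ARN shape from the answers: arn:aws:iam::<account id>:server-certificate<path><name>
IAM_CERT_ARN = re.compile(r"^arn:aws:iam::\d{12}:server-certificate/(?:[^/]+/)*[^/]+$")

def resolve(value, params):
    """Resolve the two intrinsics used on this page (Ref, Fn::Join) to a string."""
    if isinstance(value, dict) and "Ref" in value:
        return str(params[value["Ref"]])  # KeyError if the parameter is not declared
    if isinstance(value, dict) and "Fn::Join" in value:
        delimiter, parts = value["Fn::Join"]
        return delimiter.join(resolve(part, params) for part in parts)
    return str(value)

def check_listeners(template, account_id):
    """Return (resource, port, resolved id) for HTTPS/SSL listeners without a valid ARN."""
    params = {n: p.get("Default") for n, p in template.get("Parameters", {}).items()}
    params["AWS::AccountId"] = account_id  # pseudo parameter, supplied by the caller
    findings = []
    for name, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::ElasticLoadBalancing::LoadBalancer":
            continue
        for listener in resource.get("Properties", {}).get("Listeners", []):
            if listener.get("Protocol", "").upper() not in ("HTTPS", "SSL"):
                continue
            cert_id = resolve(listener.get("SSLCertificateId", ""), params)
            if not IAM_CERT_ARN.match(cert_id):
                findings.append((name, listener["LoadBalancerPort"], cert_id))
    return findings

# Constructed sample: one listener as in the question, one as in the Fn::Join answer.
SAMPLE = json.loads("""
{
  "Parameters": {"Path": {"Type": "String", "Default": "/"}},
  "Resources": {
    "BareNameELB": {"Type": "AWS::ElasticLoadBalancing::LoadBalancer", "Properties": {"Listeners": [
      {"LoadBalancerPort": "443", "InstancePort": "80", "Protocol": "HTTPS",
       "SSLCertificateId": "start_certname_com"}]}},
    "JoinedArnELB": {"Type": "AWS::ElasticLoadBalancing::LoadBalancer", "Properties": {"Listeners": [
      {"LoadBalancerPort": "443", "InstancePort": "80", "Protocol": "HTTPS",
       "SSLCertificateId": {"Fn::Join": ["", ["arn:aws:iam::", {"Ref": "AWS::AccountId"},
                            ":server-certificate", {"Ref": "Path"}, "start_certname_com"]]}}]}}
  }
}
""")

if __name__ == "__main__":
    print(check_listeners(SAMPLE, "123456789123"))
```

Running the check before `create-stack` surfaces the bare certificate name locally instead of as a rollback partway through stack creation.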
License: CC-BY-SA with attribution
Not affiliated with StackOverflow