Using Amazon CloudFront as a CDN is a great way to accelerate your website. If you run with HTTPS enabled, you will also want to reference the files you host on CloudFront over HTTPS to avoid mixed-content error messages from the web browser. You can install an SSL certificate of your own onto the CloudFront edge servers very easily by following the process below.
Prerequisite: Install the AWS CLI following these instructions
Upload New Certificate and CA Bundle
[root@www2 jross.org]# aws iam upload-server-certificate --path=/cloudfront/ --server-certificate-name jross.org-20150929 --certificate-body file:
The AWS API will respond with a JSON blob describing the new certificate that was installed.
Switch CloudFront to the new certificate using the web console. This will take a while to take effect, as the certificate needs to propagate to all CloudFront edge servers.
First, determine the name to be used for the key. For a web server, use the fully qualified domain name. For a more general (wildcard) key such as *.mydomain.com, just use the domain. The following example creates a general-purpose 2048-bit key for jross.org and a certificate that is valid for 10 years. Generate a private key and secure it with a passphrase; this passphrase is only temporary and is removed in a later step.
openssl genrsa -des3 -out jross.org.key 2048
Generate the certificate signing request.
openssl req -new -key jross.org.key -out jross.org.csr
Answer the questions as prompted:
- Country Name: US
- State or Province Name: Michigan
- Locality Name (eg, city) [Default City]: Detroit
- Organization Name: Jonathan E. Ross
- Organizational Unit Name: JRoss.org
- Common Name: *.jross.org
- Email Address: email@example.com
- A challenge password: (leave blank)
- An optional company name: (leave blank)
Remove the temporary passphrase from the private key.
cp jross.org.key jross.org.key.org
openssl rsa -in jross.org.key.org -out jross.org.key
Sign the certificate signing request ourselves.
openssl x509 -req -days 3650 -in jross.org.csr -signkey jross.org.key -out jross.org.crt
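The same key / CSR / self-signed certificate steps as a non-interactive script, added here as an example and not code from the original post. It answers the openssl prompts with -subj using the values listed above, writes the private key with owner-only permissions from the start, and skips the temporary -des3 passphrase (the post removes it two steps later anyway, and an unencrypted key is what the upload needs). The domain, output directory and certificate name are assumptions. It also adds two checks a practitioner would run before uploading: that the certificate's CN is the expected wildcard, and that the certificate's public key actually matches the private key being uploaded alongside it. Note that a self-signed certificate like this one is not trusted by browsers; for a public site the CSR is sent to a CA and the CA-issued certificate and chain are uploaded instead.

```shell
#!/bin/sh
# Added example (not the original post's code). Assumed values: domain,
# output directory, and the IAM server-certificate name passed by the caller.
set -eu

# make_selfsigned DOMAIN OUTDIR DAYS
# Produces OUTDIR/DOMAIN.key (RSA 2048, unencrypted, mode 0600),
# OUTDIR/DOMAIN.csr and OUTDIR/DOMAIN.crt (self-signed, valid DAYS days).
make_selfsigned() {
  domain="$1"; outdir="$2"; days="$3"
  mkdir -p "$outdir"
  # Subshell so the restrictive umask does not leak into the caller's shell.
  (
    umask 077   # private key is created owner-readable only, no chmod race
    # 1. Private key (the post's "genrsa -des3" + "rsa" pair collapsed to one step).
    openssl genrsa -out "$outdir/$domain.key" 2048 2>/dev/null
    # 2. CSR; -subj supplies the answers the post gives at the prompts.
    openssl req -new -key "$outdir/$domain.key" -out "$outdir/$domain.csr" \
      -subj "/C=US/ST=Michigan/L=Detroit/O=Jonathan E. Ross/OU=JRoss.org/CN=*.$domain"
    # 3. Self-sign the CSR with the same key, as in the post.
    openssl x509 -req -days "$days" -in "$outdir/$domain.csr" \
      -signkey "$outdir/$domain.key" -out "$outdir/$domain.crt" 2>/dev/null
  )
}

# cert_cn CRT: prints the CN of the certificate subject.
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
    | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# cert_matches_key CRT KEY: succeeds only if the public key embedded in the
# certificate is the public half of KEY. Uploading a mismatched pair is a
# common cause of a certificate that installs but never serves.
cert_matches_key() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
  key_pub=$(openssl pkey -in "$2" -pubout)
  [ "$cert_pub" = "$key_pub" ]
}

# upload_cmd DOMAIN OUTDIR NAME: prints (does not run) the IAM upload command
# from the post for the files just generated. --path=/cloudfront/ is what makes
# the certificate selectable in the CloudFront console.
upload_cmd() {
  domain="$1"; outdir="$2"; name="$3"
  printf 'aws iam upload-server-certificate --path=/cloudfront/ --server-certificate-name %s --certificate-body file://%s/%s.crt --private-key file://%s/%s.key\n' \
    "$name" "$outdir" "$domain" "$outdir" "$domain"
}

# Usage when run directly: generate into ./certs and show the upload command.
if [ "${1:-}" = "run" ]; then
  make_selfsigned jross.org ./certs 3650
  cert_cn ./certs/jross.org.crt
  cert_matches_key ./certs/jross.org.crt ./certs/jross.org.key && echo "key matches certificate"
  upload_cmd jross.org ./certs jross.org-20150929
fi
```

Run it with `sh script.sh run`; the upload line it prints is the one from the post with the generated file paths filled in, to be executed once AWS credentials are configured. With a CA-issued certificate, add `--certificate-chain file://...` pointing at the CA bundle.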