AWS CloudFront SSL Install

Using Amazon CloudFront as a CDN is a great way to accelerate your website. If you run with HTTPS enabled, you will also want to reference the files you have hosted on CloudFront over HTTPS to avoid error messages from the web browser. You can install an SSL certificate of your own onto the CloudFront edge servers very easily by following the process below.

Prerequisite: Install the AWS CLI following these instructions

  1. Upload New Certificate and CA Bundle

    [root@www2]# aws iam upload-server-certificate --path=/cloudfront/ --server-certificate-name --certificate-body file:// --certificate-chain file:// --private-key file://

    The AWS API will respond with a JSON blob describing the new certificate that was installed.

    {
        "ServerCertificateMetadata": {
            "ServerCertificateId": "ASCAIAL7ABZ47NPIXXDG6",
            "ServerCertificateName": "",
            "Expiration": "2016-10-12T23:59:59Z",
            "Path": "/cloudfront/",
            "Arn": "arn:aws:iam::116215659343:server-certificate/cloudfront/",
            "UploadDate": "2015-10-09T18:03:10.749Z"
        }
    }

  2. Switch CloudFront to the NEW Certificate using the WebConsole. This will take a while to take effect as the certificate needs to propagate to all AWS CloudFront edge servers.

Generate a Self-Signed SSL Certificate

First, determine the name to be used for the key. For a webserver, use the fully qualified domain name. For a more general key (*, just use the domain. The following example creates a general-purpose 2048-bit key for that is valid for 10 years. Generate a private key and secure it with a passphrase. This passphrase will be temporary.

openssl genrsa -des3 -out 2048

Generate the certificate signing request.

openssl req -new -key -out

Answer the questions as prompted

  • Country Name: US
  • State or Province Name: Michigan
  • Locality Name (eg, city) [Default City]: Detroit
  • Organization Name: Jonathan E. Ross
  • Organizational Unit Name:
  • Common Name: *
  • Email Address:
  • A challenge password: (leave blank)
  • An optional company name: (leave blank)

Remove the temporary passphrase from the private key.


openssl rsa -in -out


Sign the certificate signing request ourselves.

openssl x509 -req -days 3650 -in -signkey -out
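
The following is an added example, not part of the original page: it runs the four self-signed steps above without prompts and then checks the result before it is handed to `aws iam upload-server-certificate`, which expects an unencrypted PEM private key that matches the certificate. The file names, the passphrase, the `*.example.com` common name and the return codes are assumptions made for this example.

```shell
#!/usr/bin/env bash
# Added example: every file name, the passphrase and the CN are placeholders.
# Usage: make_self_signed ./out '*.example.com' &&
#        preupload_check ./out/site.crt ./out/site.key

# The four openssl steps, run without prompts. Writes enc.key (encrypted),
# site.csr, site.key (passphrase removed) and site.crt into directory $1.
make_self_signed() {
    local d="$1" cn="$2" pass='pass:temporary-passphrase'
    # -aes256 is used here; the page's -des3 is passed the same way.
    openssl genrsa -aes256 -passout "$pass" -out "$d/enc.key" 2048 2>/dev/null &&
    openssl req -new -key "$d/enc.key" -passin "$pass" -out "$d/site.csr" \
        -subj "/C=US/ST=Michigan/L=Detroit/O=Jonathan E. Ross/CN=$cn" &&
    openssl rsa -in "$d/enc.key" -passin "$pass" -out "$d/site.key" 2>/dev/null &&
    openssl x509 -req -days 3650 -in "$d/site.csr" -signkey "$d/site.key" \
        -out "$d/site.crt" 2>/dev/null
}

# Checks to run before uploading. $1 = certificate, $2 = private key.
# Returns 0 = ok, 1 = key still encrypted, 2 = key/cert mismatch, 3 = expired.
preupload_check() {
    local cert="$1" key="$2" cert_pub key_pub
    # Encrypted PEM keys are marked in the PKCS#8 header or the legacy
    # Proc-Type line; such a key has not had its passphrase removed yet.
    if grep -Eq '^-----BEGIN ENCRYPTED PRIVATE KEY-----|^Proc-Type: 4,ENCRYPTED' "$key"; then
        return 1
    fi
    # The public key inside the certificate must equal the one derived
    # from the private key, otherwise the pair cannot serve TLS.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$key" -pubout -passin pass: 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ] || return 2
    # -checkend 0 exits non-zero when the certificate has already expired.
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1 || return 3
    return 0
}
```

A non-zero return from `preupload_check` means the pair should not be uploaded yet: code 1 points at the passphrase-removal step, code 2 at a certificate paired with the wrong key file.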