AWS CloudFront SSL Install

Using Amazon CloudFront as a CDN is a great way to accelerate your website. If you run with HTTPS enabled, you will also want to reference the files you host on CloudFront over HTTPS, otherwise the browser will raise mixed-content warnings. You can install an SSL certificate of your own onto the CloudFront edge servers very easily by following the process below.

Prerequisite: Install the AWS CLI following these instructions

  1. Upload New Certificate and CA Bundle

    The --path=/cloudfront/ value is required: CloudFront only offers certificates that are stored under that IAM path. The command sends the private key to IAM, so run it from a trusted host as an identity allowed to upload server certificates.

    [root@www2 jross.org]# aws iam upload-server-certificate --path=/cloudfront/ --server-certificate-name jross.org-20150929 --certificate-body file://jross.org-20150929.crt --certificate-chain file://jross.org-20150929.ca-bundle --private-key file://jross.org-20150929.key


    The AWS API will respond with a JSON blob describing the new certificate that was installed. The Arn is the value CloudFront refers to, and the Expiration is the date to put in your calendar for the next renewal.

    {
        "ServerCertificateMetadata": {
            "ServerCertificateId": "ASCAIAL7ABZ47NPIXXDG6",
            "ServerCertificateName": "jross.org-20150929",
            "Expiration": "2016-10-12T23:59:59Z",
            "Path": "/cloudfront/",
            "Arn": "arn:aws:iam::116215659343:server-certificate/cloudfront/jross.org-20150929",
            "UploadDate": "2015-10-09T18:03:10.749Z"
        }
    }

  2. Switch CloudFront to the NEW certificate using the web console. This will take a while to take effect, as the certificate needs to propagate to all CloudFront edge servers. Once the distribution reports as deployed, check the certificate the edge actually serves before removing the old one from IAM.

Generate a Self-Signed SSL Certificate

First, determine the name to be used for the key. For a web server, use the fully qualified domain name. For a more general wildcard key (*.mydomain.com), just use the domain. The following example creates a general-purpose 2048-bit key for jross.org that is valid for 10 years. Generate a private key and secure it with a passphrase. The passphrase is only temporary; it is removed a few steps below so the key can be used without prompting.

openssl genrsa -des3 -out jross.org.key 2048

Generate the certificate signing request.

openssl req -new -key jross.org.key -out jross.org.csr

Answer the questions as prompted. The Common Name is the one that matters for name matching, so enter the wildcard or FQDN exactly as it will be served.

  • Country Name: US
  • State or Province Name: Michigan
  • Locality Name (eg, city) [Default City]: Detroit
  • Organization Name: Jonathan E. Ross
  • Organizational Unit Name: JRoss.org
  • Common Name: *.jross.org
  • Email Address: something@jross.org
  • A challenge password: (leave blank)
  • An optional company name: (leave blank)

Remove the temporary passphrase from the private key. Keep the resulting unencrypted key file readable only by root; it is the same key you will later upload to IAM.

cp jross.org.key jross.org.key.org

openssl rsa -in jross.org.key.org -out jross.org.key

rm jross.org.key.org

Sign the certificate signing request with our own private key (self-signed), valid for 3650 days.

openssl x509 -req -days 3650 -in jross.org.csr -signkey jross.org.key -out jross.org.crt
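The same key, CSR and self-signed certificate procedure, run non-interactively, followed by the checks worth making before handing the files to the aws iam upload-server-certificate step above. This is an added example, not code from the original post; it assumes openssl is on the PATH, and the working directory and the SAN extension file are constructed here.

```shell
#!/bin/sh
# Added example, not code from the original post: the key -> CSR -> self-signed
# certificate steps above, run without prompts, followed by the checks worth
# making before the files go to `aws iam upload-server-certificate`.
# Assumes openssl is on PATH; the domain and file names follow the page, the
# working directory and the SAN extension file are constructed here.
set -eu

# Generate key, CSR and a 10-year self-signed certificate for domain $1 in $2.
# The key is written without a passphrase, the state the page reaches after `openssl rsa`.
gen_self_signed() {
    domain="$1"; dir="$2"
    openssl genrsa -out "$dir/$domain.key" 2048 2>/dev/null
    # Same subject fields as the interactive session on the page.
    openssl req -new -key "$dir/$domain.key" -out "$dir/$domain.csr" \
        -subj "/C=US/ST=Michigan/L=Detroit/O=Jonathan E. Ross/OU=JRoss.org/CN=*.$domain"
    # Chrome no longer matches on CN; put the wildcard and the bare domain in a SAN.
    printf 'subjectAltName=DNS:*.%s,DNS:%s\n' "$domain" "$domain" > "$dir/san.cnf"
    openssl x509 -req -days 3650 -in "$dir/$domain.csr" -signkey "$dir/$domain.key" \
        -extfile "$dir/san.cnf" -out "$dir/$domain.crt" 2>/dev/null
}

# Check 1: the private key belongs to the certificate (compare the public keys).
key_matches_cert() {
    [ "$(openssl pkey -in "$1" -pubout)" = "$(openssl x509 -in "$2" -pubkey -noout)" ]
}

# Check 2: the certificate covers the hostname CloudFront will serve.
cert_covers() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# Check 3: the certificate is not expiring within $2 seconds (default 30 days).
not_expiring() {
    openssl x509 -in "$1" -noout -checkend "${2:-2592000}" >/dev/null
}

# Upload command in the page's naming scheme (<domain>-<YYYYMMDD>); a self-signed
# certificate has no CA bundle, so the page's --certificate-chain option is omitted.
upload_cmd() {
    echo "aws iam upload-server-certificate --path=/cloudfront/" \
         "--server-certificate-name $1-$(date +%Y%m%d)" \
         "--certificate-body file://$2/$1.crt --private-key file://$2/$1.key"
}

dir=$(mktemp -d); gen_self_signed jross.org "$dir"
key_matches_cert "$dir/jross.org.key" "$dir/jross.org.crt"
cert_covers "$dir/jross.org.crt" www.jross.org
not_expiring "$dir/jross.org.crt"
echo "pre-upload checks passed:"; upload_cmd jross.org "$dir"
```

Because of set -e, any failed check stops the script before the upload command is printed, which is the behaviour you want in a renewal script.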