Upgrading SSL certificate on Cloudfront

Last year I set up jessebuchanan.ca with an SSL certificate on Amazon S3 / CloudFront.

Now, it's time to renew the certificate.

The first time was fraught with peril, but I eventually got it working.

This time I will document the steps to renew the cert; steps that are only needed for a fresh installation are omitted.

References

https://bryce.fisher-fleig.org/blog/setting-up-ssl-on-aws-cloudfront-and-s3/

http://www.michaelgallego.fr/blog/2013/08/27/static-website-on-s3-cloudfront-and-route-53-the-right-way/

Generating the certificate signing request

openssl req \
  -nodes \
  -sha256 \
  -newkey rsa:2048 \
  -keyout jessebuchanan.ca.private-key \
  -out jessebuchanan.ca.csr \
  -subj '/C=CA/ST=Ontario/L=Toronto/O=Jesse Buchanan/CN=jessebuchanan.ca'

WARNING: If you need a multi-domain (SAN) cert, you may have to request the extra names at CSR time. Currently StartSSL (and many other CAs) ignore SAN fields in the CSR and generate them at signing time. StartSSL will make www.jessebuchanan.ca the CN and use the bare name jessebuchanan.ca as the sole SAN. More than one SAN is not available on the StartSSL free tier.

Send it to the CA (e.g. StartSSL). Wait.

From the CA, download the signed leaf certificate (*.cer) and any intermediate certificates needed for chaining (for StartSSL this is sub.class1.server.ca.pem).

Uploading to AWS/CloudFront

Install the AWS tools:

brew update
brew install aws-cfn-tools awscli

Configure the AWS tools to use the IAM role for the website in question:

aws configure
# (now, enter your Access Key ID and Secret Access Key)

Upload the certificate. Make sure you're in the right directory (aws-cli's arcane file:// paths are resolved relative to the current working directory).

aws --debug iam upload-server-certificate \
  --path /cloudfront/jessebuchanan.ca/ \
  --server-certificate-name jessebuchanan_ca_201505 \
  --certificate-body file://www.jessebuchanan.ca.cer \
  --private-key file://jessebuchanan.ca.private-key \
  --certificate-chain file://sub.class1.server.ca.pem

The /cloudfront/ path is important. IAM will accept the upload under any path, but CloudFront only lists certificates stored under /cloudfront/.

Here is the response:

{
    "ServerCertificateMetadata": {
        "ServerCertificateId": "ASCAJNS6IQ43WQW4GUNUO",
        "ServerCertificateName": "jessebuchanan_ca_201505",
        "Expiration": "2016-05-05T12:04:16Z",
        "Path": "/cloudfront/jessebuchanan.ca/",
        "Arn": "arn:aws:iam::474896336961:server-certificate/cloudfront/jessebuchanan.ca/jessebuchanan_ca_201505",
        "UploadDate": "2015-05-05T20:06:41.335Z"
    }
}

Activate on CloudFront

Sign into the AWS CloudFront console:

https://console.aws.amazon.com/cloudfront/home?region=us-east-1#

Pick the appropriate distribution. On the General tab, click Edit.

Under SSL Certificate, there is a dropdown under Custom SSL Certificate (stored in AWS IAM).

There, you can choose the newly uploaded certificate (jessebuchanan_ca_201505).

Click Yes, Edit.

The status of your distribution will change to In Progress. Wait a while.

Then you're done!
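The console steps above can also be driven from the CloudFront API. The following is an added Python example, not part of the original gist: it checks the upload-server-certificate response (values from the page) for the /cloudfront/ path and expiry, rewrites a DistributionConfig to use the IAM certificate, and pushes it back with the required ETag. The distribution id, boto3 availability and SAMPLE_CONFIG are assumptions.

```python
"""Added example: switch a CloudFront distribution to an uploaded IAM certificate from
code instead of the console. Pure helpers first (offline-testable); boto3 only at the end."""
import copy
from datetime import datetime, timezone

# upload-server-certificate response from the gist above (values from the page).
SAMPLE_META = {"ServerCertificateId": "ASCAJNS6IQ43WQW4GUNUO",
               "Expiration": "2016-05-05T12:04:16Z", "Path": "/cloudfront/jessebuchanan.ca/"}
# Constructed, minimal stand-in for the DistributionConfig get-distribution-config returns.
SAMPLE_CONFIG = {"Enabled": True, "Comment": "jessebuchanan.ca",
                 "ViewerCertificate": {"CloudFrontDefaultCertificate": True}}

def parse_utc(stamp):
    """IAM timestamps are ISO-8601 UTC with a trailing Z (fractional seconds optional)."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))

def cert_problems(meta, now=None):
    """Reasons the IAM certificate cannot be activated on CloudFront (empty list = OK)."""
    now = now or datetime.now(timezone.utc)
    problems = []
    if not meta["Path"].startswith("/cloudfront/"):
        problems.append(f"IAM path {meta['Path']!r} is not under /cloudfront/; CloudFront won't list it")
    if parse_utc(meta["Expiration"]) <= now:
        problems.append(f"certificate already expired at {meta['Expiration']}")
    return problems

def with_iam_certificate(config, cert_id):
    """Copy of a DistributionConfig pointing at the IAM cert: the same change the console's
    'Custom SSL Certificate (stored in AWS IAM)' dropdown makes. SNI-only avoids dedicated IPs."""
    new = copy.deepcopy(config)  # never mutate the caller's copy
    new["ViewerCertificate"] = {"IAMCertificateId": cert_id,
                                "SSLSupportMethod": "sni-only",
                                "MinimumProtocolVersion": "TLSv1.2_2021",
                                "CloudFrontDefaultCertificate": False}
    return new

def rotate_distribution_certificate(distribution_id, meta):
    """Live rotation; assumes boto3 and credentials allowed to get/update the distribution."""
    import boto3  # lazy import keeps the helpers above importable without boto3
    problems = cert_problems(meta)
    if problems:
        raise ValueError("; ".join(problems))
    cf = boto3.client("cloudfront")
    current = cf.get_distribution_config(Id=distribution_id)
    new_config = with_iam_certificate(current["DistributionConfig"], meta["ServerCertificateId"])
    # IfMatch must carry the ETag from get-distribution-config, or the update is rejected.
    resp = cf.update_distribution(Id=distribution_id, IfMatch=current["ETag"],
                                  DistributionConfig=new_config)
    return resp["Distribution"]["Status"]  # "InProgress" until the change propagates
```

After update_distribution the distribution shows InProgress, exactly as the console does, so poll get-distribution until it reports Deployed before retiring the old certificate.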

@adewaguru

adewaguru commented Nov 26, 2015

My SSL certificate has expired. My CA is GoDaddy. I received two crt files (ffexxxxxxx.crt and gd_bundle-g2-g1.crt) from GoDaddy when I requested the renewed certificate. I'm trying to run the "upload-server-certificate" command and I'm a bit confused about what to use as the parameter for the arguments below:

--certificate-body
--private-key
--certificate-chain

Since this is a certificate renewal, I already have the private key and the certificate chain in my hand. Can I use them as input for the above parameters?

@kongakong

kongakong commented May 15, 2018

Is it possible to automate the last step i.e. activate the new ssl on cloudfront?
