Upgrading SSL certificate on Cloudfront

Last year I set up an SSL certificate on Amazon S3 / CloudFront.

Now, it's time to renew the certificate.

The first time was fraught with peril, but I eventually got it working.

This time I will document the steps to renew the cert. Steps that only apply to a fresh installation are omitted.


Generating the certificate signing request

# -nodes writes the private key to disk unencrypted. That is what IAM expects
# (upload-server-certificate takes no passphrase), so keep the key file mode
# tight and delete your local copy once it has been uploaded.
openssl req \
  -nodes \
  -sha256 \
  -newkey rsa:2048 \
  -keyout \
  -out \
  -subj '/C=CA/ST=Ontario/L=Toronto/O=Jesse Buchanan/'

WARNING: If using multi-domain certs (SAN certificates), you may need to specify the extra names at CSR time. Currently, StartSSL (and many others) ignore SAN fields in the CSR and auto-generate them at signing time. For StartSSL, it will make the CN and use the bare name as the sole SAN. More than one SAN is not available on the StartSSL free tier. Whatever the CA does, check the issued certificate's SAN list with openssl x509 -text before uploading it; a name that is missing there will fail hostname validation in every browser, regardless of the CN.

Send it to the CA (e.g. StartSSL). Wait.

From the CA, download the signed leaf certificate (*.cer) and any intermediate certificates needed for chaining (for StartSSL this is

Uploading to AWS/CloudFront

Install the AWS tools:

brew update
brew install aws-cfn-tools awscli

Configure the AWS tools with an access key for an IAM user scoped to the website in question (a user whose policy allows iam:UploadServerCertificate and the CloudFront edits below, not the account's root credentials):

aws configure
# (now, enter your Access Key ID and Secret Access Key)

Upload the certificate. Make sure you're in the right directory: aws-cli's file:// paths resolve relative to the current working directory, and a wrong path fails with an unhelpful error.

# --debug prints the full request, private key included, to stderr. Leave it
# off unless you are troubleshooting, and never run it inside a logged session.
aws --debug iam upload-server-certificate \
  --path /cloudfront/ \
  --server-certificate-name jessebuchanan_ca_201505 \
  --certificate-body file:// \
  --private-key file:// \
  --certificate-chain file://

The /cloudfront/ path is important. IAM will accept the upload under any path, but the CloudFront console and API only list server certificates whose path starts with /cloudfront/, so a certificate uploaded elsewhere is invisible to the distribution.

Here is the response:

{
    "ServerCertificateMetadata": {
        "ServerCertificateId": "ASCAJNS6IQ43WQW4GUNUO",
        "ServerCertificateName": "jessebuchanan_ca_201505",
        "Expiration": "2016-05-05T12:04:16Z",
        "Path": "/cloudfront/",
        "Arn": "arn:aws:iam::474896336961:server-certificate/cloudfront/",
        "UploadDate": "2015-05-05T20:06:41.335Z"
    }
}

Activate on CloudFront

Sign into the AWS CloudFront console:

Pick the appropriate distribution. On the General tab, click Edit.

Under SSL Certificate, there is a dropdown under Custom SSL Certificate (stored in AWS IAM).

There, you can choose the newly uploaded certificate (jessebuchanan_ca_201505).

Click Yes, Edit.

The status of your distribution will change to In Progress. Wait a while.

Then you're done!
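The console steps above (pick the IAM certificate, edit the distribution, wait for In Progress to clear) can be scripted against the same APIs. The following is an added example, not code from the gist or from AWS: it assumes boto3 is installed and credentials are configured the same way as with aws configure, that the certificate was uploaded with --path /cloudfront/, and that the distribution ID and certificate name passed on the command line are yours. The sample metadata mirrors the upload response shown earlier; the sample distribution config is constructed for the demo.

```python
"""Activate a freshly uploaded IAM server certificate on a CloudFront distribution.

Added example; this is not code from the gist or from AWS. It assumes boto3
is installed with credentials configured the same way as `aws configure`
above, and that the certificate was uploaded with --path /cloudfront/.
Distribution IDs and certificate names are placeholders.
"""
from datetime import datetime, timedelta, timezone


def check_iam_certificate(meta, now=None, min_days_left=7):
    """Sanity-check IAM ServerCertificateMetadata and return the id CloudFront needs.

    CloudFront only offers certificates stored under /cloudfront/, and there is
    no point switching to one that is already expired or about to be.
    """
    now = now or datetime.now(timezone.utc)
    if not meta["Path"].startswith("/cloudfront/"):
        raise ValueError("path %r is not under /cloudfront/; CloudFront will not see it"
                         % meta["Path"])
    exp = meta["Expiration"]
    if isinstance(exp, str):  # the CLI prints ISO-8601 text; boto3 returns datetime
        exp = datetime.strptime(exp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    if exp - now < timedelta(days=min_days_left):
        raise ValueError("certificate expires at %s" % exp.isoformat())
    return meta["ServerCertificateId"]


def rotate_viewer_certificate(config, cert_id, min_tls="TLSv1.2_2021"):
    """Return a copy of DistributionConfig whose viewer certificate is cert_id.

    The ViewerCertificate block is replaced wholesale: keeping a stale
    ACMCertificateArn or CloudFrontDefaultCertificate=True next to an
    IAMCertificateId is rejected by the API. sni-only avoids the dedicated-IP
    surcharge of "vip"; the minimum protocol version is raised while we are here.
    """
    new = dict(config)  # shallow copy; only the ViewerCertificate key is replaced
    new["ViewerCertificate"] = {
        "IAMCertificateId": cert_id,
        "SSLSupportMethod": "sni-only",
        "MinimumProtocolVersion": min_tls,
        "CloudFrontDefaultCertificate": False,
    }
    return new


def activate(distribution_id, cert_name, wait=True):
    """Look up the certificate by name, swap it in, and optionally wait for deployment."""
    import boto3  # imported here so the helpers above stay usable without AWS access

    iam = boto3.client("iam")
    cf = boto3.client("cloudfront")
    meta = iam.get_server_certificate(ServerCertificateName=cert_name)
    cert_id = check_iam_certificate(meta["ServerCertificate"]["ServerCertificateMetadata"])

    # The ETag is an optimistic-concurrency token: update_distribution fails with
    # PreconditionFailed if the distribution changed since we read it.
    current = cf.get_distribution_config(Id=distribution_id)
    new_config = rotate_viewer_certificate(current["DistributionConfig"], cert_id)
    cf.update_distribution(Id=distribution_id, IfMatch=current["ETag"],
                           DistributionConfig=new_config)
    if wait:  # the console's "In Progress" state; typically several minutes
        cf.get_waiter("distribution_deployed").wait(Id=distribution_id)
    return cert_id


# Constructed sample data (metadata copied from the gist's upload response plus a
# made-up distribution config) so the pure helpers can be exercised offline.
SAMPLE_META = {
    "ServerCertificateId": "ASCAJNS6IQ43WQW4GUNUO",
    "ServerCertificateName": "jessebuchanan_ca_201505",
    "Expiration": "2016-05-05T12:04:16Z",
    "Path": "/cloudfront/",
}
SAMPLE_NOW = datetime(2015, 5, 6, tzinfo=timezone.utc)       # right after upload
SAMPLE_NOW_LATE = datetime(2016, 5, 1, tzinfo=timezone.utc)  # four days before expiry
SAMPLE_CONFIG = {
    "Comment": "example site",
    "Enabled": True,
    "ViewerCertificate": {"CloudFrontDefaultCertificate": True,
                          "MinimumProtocolVersion": "TLSv1"},
}


def demo():
    """Run the offline part of the flow against the sample data."""
    cert_id = check_iam_certificate(SAMPLE_META, now=SAMPLE_NOW)
    return rotate_viewer_certificate(SAMPLE_CONFIG, cert_id)


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:  # usage: python rotate_cf_cert.py <distribution-id> <cert-name>
        print("now serving IAM certificate", activate(sys.argv[1], sys.argv[2]))
    else:
        print(demo()["ViewerCertificate"])
```

The IAM user running this needs iam:GetServerCertificate plus cloudfront:GetDistributionConfig and cloudfront:UpdateDistribution on the one distribution; nothing here requires permission to upload or delete certificates, so keep that on a separate, rarely used identity.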


@adewaguru adewaguru commented Nov 26, 2015

My SSL certificate has expired. My CA is GoDaddy. I received two crt files (ffexxxxxxx.crt and gd_bundle-g2-g1.crt) from GoDaddy when I requested the renewed certificate. I'm trying to run the "upload-server-certificate" command and I'm a bit confused about what to use as the parameter for the arguments below


Since this is a certificate renewal, I already have the private key and the certificate chain in hand. Can I use them as input for the above parameters?


@kongakong kongakong commented May 15, 2018

Is it possible to automate the last step i.e. activate the new ssl on cloudfront?


@ivankennethwang ivankennethwang commented Feb 20, 2020

@kongakong did you manage to do that?
