
@jbinto
Last active February 20, 2020 08:28
Upgrading SSL certificate on Cloudfront


Last year I set up jessebuchanan.ca with an SSL certificate on Amazon S3 / CloudFront.

Now, it's time to renew the certificate.

The first time was fraught with peril, but I eventually got it working.

This time I will document the steps to renew the cert. Steps that only apply to a brand-new installation are mostly omitted.

References

https://bryce.fisher-fleig.org/blog/setting-up-ssl-on-aws-cloudfront-and-s3/

http://www.michaelgallego.fr/blog/2013/08/27/static-website-on-s3-cloudfront-and-route-53-the-right-way/

Generating the certificate signing request

openssl req \
  -nodes \
  -sha256 \
  -newkey rsa:2048 \
  -keyout jessebuchanan.ca.private-key \
  -out jessebuchanan.ca.csr \
  -subj '/C=CA/ST=Ontario/L=Toronto/O=Jesse Buchanan/CN=jessebuchanan.ca'

WARNING: If you want a multi-domain cert (i.e. one with Subject Alternative Names), you may need to request the SANs at CSR time. Currently, StartSSL (and many other CAs) ignore SAN fields in the CSR and auto-generate them at signing time. For StartSSL, it will make www.jessebuchanan.ca the CN and use the bare name jessebuchanan.ca as the sole SAN. More than one SAN is not available on the StartSSL free tier.

Send it to the CA (e.g. StartSSL). Wait.

From the CA, download the signed leaf certificate (*.cer) and any intermediate certificates needed for chaining (for StartSSL this is sub.class1.server.ca.pem).

Uploading to AWS/CloudFront

Install the AWS tools:

brew update
brew install aws-cfn-tools awscli

Configure the AWS tools to use the IAM role for the website in question:

aws configure
# (now, enter your Access Key ID and Secret Access Key)

Upload the certificate. Make sure you're in the right directory: the aws-cli file:// paths are resolved relative to your current working directory, which is easy to get wrong.

aws --debug iam upload-server-certificate \
  --path /cloudfront/jessebuchanan.ca/ \
  --server-certificate-name jessebuchanan_ca_201505 \
  --certificate-body file://www.jessebuchanan.ca.cer \
  --private-key file://jessebuchanan.ca.private-key \
  --certificate-chain file://sub.class1.server.ca.pem

The /cloudfront/ path is important. IAM will accept the upload under any path, but CloudFront only lists certificates stored under /cloudfront/, so without it the new cert never shows up in the dropdown.

Here is the response:

{
    "ServerCertificateMetadata": {
        "ServerCertificateId": "ASCAJNS6IQ43WQW4GUNUO",
        "ServerCertificateName": "jessebuchanan_ca_201505",
        "Expiration": "2016-05-05T12:04:16Z",
        "Path": "/cloudfront/jessebuchanan.ca/",
        "Arn": "arn:aws:iam::474896336961:server-certificate/cloudfront/jessebuchanan.ca/jessebuchanan_ca_201505",
        "UploadDate": "2015-05-05T20:06:41.335Z"
    }
}

Activate on CloudFront

Sign into the AWS CloudFront console:

https://console.aws.amazon.com/cloudfront/home?region=us-east-1#

Pick the appropriate distribution. On the General tab, click Edit.

Under SSL Certificate, there is a dropdown under Custom SSL Certificate (stored in AWS IAM).

There, you can choose the newly uploaded certificate (jessebuchanan_ca_201505).

Click Yes, Edit.

The status of your distribution will change to In Progress. Wait a while.

Then you're done!
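The "Activate on CloudFront" step above can also be done without the console. The following is an added example (not from the gist): it picks the newest unexpired certificate under the /cloudfront/ IAM path and rewrites the distribution's ViewerCertificate, using the IfMatch ETag so a concurrent config change makes the update fail instead of silently overwriting it. The sample entries and IDs are constructed here, modelled on the response shown above; activate_newest assumes boto3 and valid credentials.

```python
import copy
from datetime import datetime, timezone

# Constructed sample data modelled on the upload response above (IDs are made up).
SAMPLE_NOW = datetime(2015, 5, 6, tzinfo=timezone.utc)
SAMPLE_CERTS = [
    {"Path": "/cloudfront/jessebuchanan.ca/", "ServerCertificateId": "OLD-ID",
     "ServerCertificateName": "jessebuchanan_ca_201405",
     "UploadDate": datetime(2014, 5, 5, tzinfo=timezone.utc),
     "Expiration": datetime(2015, 5, 5, tzinfo=timezone.utc)},
    {"Path": "/cloudfront/jessebuchanan.ca/", "ServerCertificateId": "NEW-ID",
     "ServerCertificateName": "jessebuchanan_ca_201505",
     "UploadDate": datetime(2015, 5, 5, tzinfo=timezone.utc),
     "Expiration": datetime(2016, 5, 5, tzinfo=timezone.utc)},
    {"Path": "/", "ServerCertificateId": "ELB-ID",  # not under /cloudfront/: invisible to CloudFront
     "ServerCertificateName": "elb_cert",
     "UploadDate": datetime(2015, 5, 6, tzinfo=timezone.utc),
     "Expiration": datetime(2016, 5, 6, tzinfo=timezone.utc)},
]

def pick_newest_cert(certs, path_prefix="/cloudfront/", now=None):
    """Newest unexpired entry of a ServerCertificateMetadataList under path_prefix."""
    now = now or datetime.now(timezone.utc)
    candidates = [c for c in certs
                  if c["Path"].startswith(path_prefix) and c["Expiration"] > now]
    if not candidates:
        raise LookupError("no unexpired certificate under " + path_prefix)
    return max(candidates, key=lambda c: c["UploadDate"])

def patch_viewer_certificate(dist_config, cert_id, min_tls="TLSv1.2_2021"):
    """Copy of a DistributionConfig whose ViewerCertificate uses the IAM cert (SNI only)."""
    cfg = copy.deepcopy(dist_config)
    vc = cfg.setdefault("ViewerCertificate", {})
    for stale in ("CloudFrontDefaultCertificate", "ACMCertificateArn"):
        vc.pop(stale, None)  # only one certificate source may be set
    vc.update({"IAMCertificateId": cert_id, "SSLSupportMethod": "sni-only",
               "MinimumProtocolVersion": min_tls})  # gist-era floor was TLSv1
    return cfg

def activate_newest(distribution_id):
    """The whole activation step against AWS; needs boto3 and credentials (not run offline)."""
    import boto3  # imported here so the helpers above stay usable without it
    iam, cf = boto3.client("iam"), boto3.client("cloudfront")
    certs = iam.list_server_certificates(PathPrefix="/cloudfront/")
    cert = pick_newest_cert(certs["ServerCertificateMetadataList"])
    current = cf.get_distribution_config(Id=distribution_id)
    new_cfg = patch_viewer_certificate(current["DistributionConfig"], cert["ServerCertificateId"])
    cf.update_distribution(DistributionConfig=new_cfg, Id=distribution_id,
                           IfMatch=current["ETag"])  # ETag guards against lost updates
    return cert["ServerCertificateName"]
```

The distribution will go to In Progress after update_distribution just as it does from the console.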

@kongakong

Is it possible to automate the last step i.e. activate the new ssl on cloudfront?

@ivankennethwang

@kongakong did you manage to do that?
