@mattmanuel90
Last active September 29, 2017 20:09
Paid SSL Configuration for CloudFront
SSL Configuration Notes that I haven't scrapped.
---
You can purchase a single-domain certificate for your main domain or a wildcard SSL certificate.
For our purposes, we will be using a single-domain SSL certificate. Configuring SSL can be a bit tricky, especially as different vendors provide certificates in different formats that skip a few steps.
Whatever cert you purchase, you are required to generate a Certificate Signing Request (CSR). This request is a formal way to indicate that your organisation owns your domain name. Generally the verification involves an email sent to an address at your domain name. However, if you don't have email hosting set up on your domain, you can get verified through either the Registrant Contact or the Administrative Contact instead.
So we'll need to generate an RSA key and a CSR. We can do both in one command via
openssl req -new -newkey rsa:2048 -nodes -keyout yourdomain.pem -out csr.pem
You will be prompted to input fields regarding your organisation:
----------------------------
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []: mydomain.com
Email Address []:
---------------------------
What's important here is the Common Name, which is the domain (or subdomain) you want the certificate to cover.
This is what links your CSR to your domain.
The -nodes flag ("no DES") means the private key is written unencrypted, with no pass phrase protecting it.
yourdomain.pem is your private key; keep it safe and do not share it with anyone.
Your CSR file (csr.pem) looks like this:
-----BEGIN CERTIFICATE REQUEST-----
MIIDwgaQxCzAJBgNVdAYTAkdCMQswCQCDCCAfAxAQAYDVQQIEwJ
...
BCIP1SIOR3o2hd8NeYvLXBvrNxWVK2B3s9ZdAD4RoT7UuZNeBrmZt
-----END CERTIFICATE REQUEST-----
Submit your CSR file to the certificate authority you purchased your SSL certificate from, to start the process of verifying your certificate request. (On GoDaddy, that would be New Certificates -> Manage -> Provide a CSR; you paste the contents of your CSR file in here.)
The domain-ownership verification involves emails being sent to the contacts listed in the domain's public WHOIS record, or to one of these addresses at your domain name (admin@, administrator@, hostmaster@, postmaster@ and webmaster@), and clicking on the verification link.
After the approval is done we should be able to download SSL certificates that are ready for production use.
We will need to upload them to AWS, but before that, we have to make sure the certificates are ready to be bundled.
Some vendors will give you bundled certificates which are ready to be uploaded to AWS; other vendors give you multiple certificates that you must bundle together yourself to make up a certificate chain.
You can check by observing the contents of the files you downloaded and seeing which of them has already been bundled. (It may have the word "_bundle_" in the filename, but it's better to observe the file itself.)
A bundled certificate chain should contain multiple certificate blocks:
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
This leaves the other file as your public key certificate aka the certificate body, which should contain a single certificate.
If you find that you don't have a bundled certificate chain, you can bundle one manually by following the first guide at this link:
https://www.digicert.com/ssl-support/pem-ssl-creation.htm
We have now prepared the three files we'll need to upload a server certificate to AWS:
a) A certificate body aka public key certificate
b) A certificate chain. The file that has certificates concatenated together
c) Private key. We generated this when creating the CSR.
We upload these to create a server certificate that AWS CloudFront can use.
------------------
aws iam upload-server-certificate \
--server-certificate-name <yourdomain.com> \
--certificate-body file://<public_certificate>.crt \
--private-key file://<yourdomain>.pem \
--certificate-chain file://<bundled_certificate>.crt \
--path /cloudfront/
------------------
Running the above command (through the AWS CLI) will upload your SSL certificate to be used by AWS CloudFront.
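Before running the upload, it is worth checking the three files really are what the steps above assume: that the body holds one certificate, the chain holds several, the CSR carries the right Common Name, the private key belongs to the body, and the chain actually validates it. The following script is an added example (not part of the gist); it assumes the OpenSSL CLI is installed, and the file names are placeholders in the gist's style.

```shell
#!/bin/sh
# Added example, not from the gist: sanity checks to run on the three files
# before "aws iam upload-server-certificate". Assumes the OpenSSL CLI is
# installed; file names are placeholders matching the gist's conventions.
set -eu

# Count "-----BEGIN CERTIFICATE-----" blocks in a PEM file.
# A CSR or private key file contains none of these, so it counts as 0.
count_certs() {
  grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true
}

# 1 block => certificate body, >1 => bundled chain, 0 => not a certificate.
classify_pem() {
  n=$(count_certs "$1")
  if [ "$n" -eq 1 ]; then echo body
  elif [ "$n" -gt 1 ]; then echo chain
  else echo none
  fi
}

# Print the Common Name embedded in the CSR, to confirm it is your domain.
csr_common_name() {
  openssl req -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# The private key must belong to the certificate body: compare public keys.
key_matches_cert() {
  a=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
  b=$(openssl pkey -in "$2" -pubout | openssl sha256)
  [ "$a" = "$b" ]
}

# The chain must actually validate the body; the root comes from the system
# trust store (add -CAfile <root.pem> if the vendor's root is not in it).
chain_validates_body() {
  openssl verify -untrusted "$2" "$1" >/dev/null 2>&1
}

# Constructed sample PEM files (fake base64 content) to exercise the
# classification helpers offline; real files come from your vendor.
SAMPLE_DIR=$(mktemp -d)
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIBfakeCONSTRUCTEDsampleBody==' \
  '-----END CERTIFICATE-----' > "$SAMPLE_DIR/body.crt"
cat "$SAMPLE_DIR/body.crt" "$SAMPLE_DIR/body.crt" "$SAMPLE_DIR/body.crt" \
  > "$SAMPLE_DIR/bundle.crt"
printf '%s\n' '-----BEGIN CERTIFICATE REQUEST-----' 'MIIDfakeCSR' \
  '-----END CERTIFICATE REQUEST-----' > "$SAMPLE_DIR/csr.pem"

echo "body.crt:   $(classify_pem "$SAMPLE_DIR/body.crt")"    # body
echo "bundle.crt: $(classify_pem "$SAMPLE_DIR/bundle.crt")"  # chain
echo "csr.pem:    $(classify_pem "$SAMPLE_DIR/csr.pem")"     # none
```

With real files, run `key_matches_cert public_certificate.crt yourdomain.pem` and `chain_validates_body public_certificate.crt bundled_certificate.crt` and only upload if both succeed.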
Select the uploaded Custom SSL Certificate in your CloudFront distribution's settings.
Once set, you should be able to visit your domain using the https prefix, i.e. https://yourdomain.com, and your site should appear. It'll appear with a secure icon in Google Chrome.