SSL cert preparation
there are few things you need to prepare:-
1. Private key (.pem)
2. public key (.pem)
3. certificate chain file (.pem)
If you have yours private.key & public.crt from CA,
you can use below command to change it to .pem format
openssl rsa -in Private.key -text > Private.pem
openssl x509 -inform PEM -in Public.crt > Public.pem
For the Certificate Chain file,
once you deploy your SSL cert to your server/web
you can use this link to check how is the chain file look like as different provider have different chain
https://ssltools.thawte.com/checker/views/certCheck.jsp
https://ssltools.thawte.com/checker/views/certCheck.jsp
Example 1
For Facebook, there is only 1 Intermediate Cert in chain
Example 2
For this one, it got 2 intermediate cert inside the chain
From AWS documentation, the sample certificate chain will be look like this
-----BEGIN CERTIFICATE-----Intermediate certificate 2-----END CERTIFICATE----- -----BEGIN CERTIFICATE-----Intermediate certificate 1-----END CERTIFICATE----- -----BEGIN CERTIFICATE-----Optional: Root certificate-----END CERTIFICATE-----
So after you check hows your certificate chain look like, all you need is find that cert and combine it
for example 1 which is Facebook, it only got 1 intermediate cert in chain and thus DigiCert High Assurance CA-3 can directly use as certificate chain
for example 2 which is Gardenbythebay, it got 2 intermediate cert in the chain, then you need to copy and paste follow the sequence like below and save it as certificate_chain.pem
-----BEGIN CERTIFICATE-----
< Thawte SSL CA - G2 > -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- < thawte Primary Root CA > -----END CERTIFICATE-----
NOTE,
I am using Thawte as well, so here i provide the link for the both intermediate cert
Thawte SSL CA - G2
Thawte Primary Root CA
Upload into the IAM store
Now you have all 3 file you needed, is time to upload it to the IAM store
I just go to EC2 and launch a micro instance for this purpose.
please choose Amazon linux as your instance for this because it already install with the amazon command. If you use other distro, you need to manual install
1. once you done launch your amazon instance, upload all 3 file into the server.
FOR WINDOWS, you can use winscp to upload, but before that, please go to /etc/sshd_config and enable password authentication and reload the service
2. use this command to upload your file
aws iam upload-server-certificate --server-certificate-name CertificateName --certificate-body file://public_key_certificate_file --private-key file://privatekey.pem --certificate-chain file://certificate_chain_file --path /cloudfront/path/
example:
aws iam upload-server-certificate --server-certificate-name Facebook2015 --certificate-body file://~/Public.pem --private-key file://~/Private.pem --certificate-chain file://~/certificate_chain.pem --path /cloudfront/Facebook/
once done, you should see something like this as output
{
"ServerCertificateMetadata": {
"ServerCertificateId": "ASCAJR5WQNL4PIB4GMMNE",
"ServerCertificateName": "Facebook2015",
"Expiration": "2017-04-23T23:59:59Z",
"Path": "/cloudfront/Facebook/",
"Arn": "arn:aws:iam::337660227660:server-certificate/cloudfront/Facebook/Facebook2015",
"UploadDate": "2015-02-11T03:36:56.032Z"
}
}
example:
Now you should be able to choose custom SSL at your CLoudFront
OTHER COMMAND
delete certificate object:
aws iam delete-server-certificate --server-certificate-name certificate_object_nameexample:
aws iam delete-server-certificate --server-certificate-name Facebook2015
View Certificate object:
aws iam get-server-certificate --server-certificate-name certificate_object_name
example:
aws iam get-server-certificate --server-certificate-name certificate_object_name
example:
aws iam get-server-certificate --server-certificate-name Facebook2015
