Thursday, February 12, 2015

Amazon AWS CloudFront: set up a custom SSL certificate

Here I will show how I enabled the Custom SSL Certificate option in CloudFront by uploading my own certificate to the IAM certificate store.

SSL cert preparation
There are a few things you need to prepare:
1. Private key (.pem), unencrypted
2. Server certificate (.pem), the public certificate the CA issued for your domain
3. Certificate chain file (.pem), the CA's intermediate certificate(s), with the root optional

If you have your private.key and public.crt from the CA,
you can use the commands below to convert them to PEM format:

openssl rsa -in Private.key -out Private.pem

openssl x509 -inform PEM -in Public.crt -out Public.pem

The first command also strips any passphrase from the key, which IAM requires. Do not add -text: it prepends a human-readable dump of the key to the output, and the result is no longer a clean PEM file. If the CA shipped the certificate in binary DER form (often also named .crt or .cer), use -inform DER in the second command.

For the certificate chain file,
once you have deployed your SSL cert on a web server
you can use an online SSL checker to see what the chain looks like, because different providers use different chains.

Example 1

For Facebook, there is only 1 intermediate cert in the chain.

Example 2

For Gardenbythebay, there are 2 certs above the server cert in the chain.

From the AWS documentation, a sample certificate chain looks like this (the certificate that signed your server cert comes first, and each following certificate is the issuer of the one before it):

Intermediate certificate 2
Intermediate certificate 1
Optional: Root certificate

So after you have checked what your certificate chain looks like,
all you need to do is find those certs and combine them in that order.

For example 1 (Facebook), there is only 1 intermediate cert in the chain, so DigiCert High Assurance CA-3 can be used directly as the certificate chain file.

For example 2 (Gardenbythebay), there are 2 certs above the server cert, so you need to copy and paste them in the sequence below (the issuer of your server cert first, then its issuer) and save the result as certificate_chain.pem. Note that thawte Primary Root CA is a root certificate, which the AWS sample marks as optional.

< Thawte SSL CA - G2 >
< thawte Primary Root CA >

I am using Thawte as well, so here are the links for both certs:
Thawte SSL CA - G2
Thawte Primary Root CA
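Before uploading, it pays to check the three files locally: a key that does not match the certificate, a passphrase-protected key, a key file with the -text dump in front of it, or a misordered chain only shows up as an upload error or as browser trust failures once the distribution is live. The script below is an added example and is not code from the original post. It assumes the openssl command line tool is installed; the script name is hypothetical, and the file names follow the post (Public.pem, Private.pem, certificate_chain.pem). It generalises the ordering rule from the AWS sample to a chain of any length: each certificate's issuer must be the subject of the next one.

```shell
#!/bin/sh
# cf_cert_precheck.sh: sanity-check the three PEM files before running
# `aws iam upload-server-certificate`. Added example, not from the original post.
# Assumes the `openssl` command line tool is installed; file names are hypothetical.
set -u

# Print "subject<TAB>issuer" for every certificate in a PEM bundle, in file order.
# Returns 1 if the bundle contains no certificate at all.
cert_chain_table() {
    bundle=$1
    dir=$(mktemp -d)
    # Split the bundle into one numbered file per certificate, in order of appearance.
    # Only lines between BEGIN and END are copied, so text outside the blocks is ignored.
    awk -v dir="$dir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/%03d.pem", dir, n); inblock = 1 }
        inblock                       { print > out }
        /-----END CERTIFICATE-----/   { inblock = 0; close(out) }
    ' "$bundle"
    set -- "$dir"/*.pem
    [ -e "$1" ] || { rm -rf "$dir"; return 1; }
    for f in "$@"; do
        s=$(openssl x509 -in "$f" -noout -subject | sed 's/^subject= *//')
        i=$(openssl x509 -in "$f" -noout -issuer  | sed 's/^issuer= *//')
        printf '%s\t%s\n' "$s" "$i"
    done
    rm -rf "$dir"
}

# IAM expects the chain ordered from the certificate that signed the server cert
# upwards: each certificate's issuer must be the subject of the next one.
check_chain_order() {
    cert_chain_table "$1" | awk -F'\t' '
        NR > 1 && $1 != prev_issuer {
            printf "certificate %d (%s) did not issue certificate %d\n", NR, $1, NR - 1
            bad = 1
        }
        { prev_issuer = $2 }
        END { if (NR == 0) { print "no certificates found in chain"; exit 1 }; exit bad }'
}

# IAM wants a bare, unencrypted PEM private key: the file must start with the BEGIN
# line (no `openssl rsa -text` dump in front of it) and must not carry a passphrase.
check_key_is_clean_pem() {
    head -n 1 "$1" | grep -q '^-----BEGIN .*PRIVATE KEY-----$' && ! grep -q 'ENCRYPTED' "$1"
}

# Confirm the private key belongs to the server certificate by comparing the
# public key extracted from each side.
check_key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# Check that the server certificate actually validates against the chain file.
# -partial_chain lets a chain that stops at an intermediate (root omitted) pass.
check_leaf_verifies() {
    openssl verify -partial_chain -CAfile "$2" "$1" 2>/dev/null | grep -q ': OK$'
}

# precheck CERT KEY CHAIN: run all checks, stop at the first failure.
precheck() {
    check_key_is_clean_pem "$2"      || { echo "private key is not a bare unencrypted PEM file"; return 1; }
    check_key_matches_cert "$1" "$2" || { echo "private key does not match the certificate"; return 1; }
    check_chain_order "$3"           || { echo "chain is not ordered issuer-first"; return 1; }
    check_leaf_verifies "$1" "$3"    || { echo "certificate does not verify against the chain"; return 1; }
    echo "ok: files are ready for aws iam upload-server-certificate"
}

# Usage: sh cf_cert_precheck.sh Public.pem Private.pem certificate_chain.pem
if [ $# -eq 3 ]; then precheck "$@"; fi
```

To see a live site's chain for comparison (as in the two examples above), openssl s_client -connect host:443 -showcerts prints every certificate the server sends, in the order it sends them.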

Upload into the IAM store

Now that you have all 3 files, it is time to upload them to the IAM store.
I just launched a micro EC2 instance for this purpose.
Choose Amazon Linux for the instance because it already comes with the AWS CLI installed; on other distros you need to install it manually. You do not strictly need an instance: the AWS CLI runs just as well on your own workstation, which also avoids copying the private key onto a server.

1. Once the instance is running, upload all 3 files to it.
On Windows you can use WinSCP, authenticating with the instance's SSH key pair. Avoid turning on PasswordAuthentication in /etc/ssh/sshd_config just for this; if you do, switch it back off and reload sshd as soon as the upload is done. Restrict the uploaded key with chmod 600 and delete it from the instance after the upload.

2. Use this command to upload the files. The --path must start with /cloudfront/, or CloudFront will not list the certificate. The generic form is:
aws iam upload-server-certificate --server-certificate-name CertificateName --certificate-body file://public_key_certificate_file --private-key file://privatekey.pem --certificate-chain file://certificate_chain_file --path /cloudfront/path/

For example:

aws iam upload-server-certificate --server-certificate-name Facebook2015 --certificate-body file://~/Public.pem --private-key file://~/Private.pem --certificate-chain file://~/certificate_chain.pem --path /cloudfront/Facebook/

Once done, you should see output like this:

{
    "ServerCertificateMetadata": {
        "ServerCertificateId": "ASCAJR5WQNL4PIB4GMMNE",
        "ServerCertificateName": "Facebook2015",
        "Expiration": "2017-04-23T23:59:59Z",
        "Path": "/cloudfront/Facebook/",
        "Arn": "arn:aws:iam::337660227660:server-certificate/cloudfront/Facebook/Facebook2015",
        "UploadDate": "2015-02-11T03:36:56.032Z"
    }
}

Now you should be able to choose Custom SSL Certificate in your CloudFront distribution settings and pick Facebook2015 from the list.


Delete a certificate object:

aws iam delete-server-certificate --server-certificate-name certificate_object_name

aws iam delete-server-certificate --server-certificate-name Facebook2015

View a certificate object:

aws iam get-server-certificate --server-certificate-name certificate_object_name

aws iam get-server-certificate --server-certificate-name Facebook2015

