Thursday, February 12, 2015

Amazon AWS CloudFront: setting up a custom SSL certificate

Here I will show how I enabled the custom SSL certificate option in CloudFront.

SSL cert preparation
There are three files you need to prepare:
1. Private key (.pem, unencrypted)
2. Server certificate (.pem), i.e. the certificate the CA issued for your domain (often loosely called the "public key")
3. Certificate chain file (.pem)

If you have your private key (Private.key) and certificate (Public.crt) from the CA,
you can use the commands below to rewrite them as plain PEM. Do not add -text to the key command: that prepends a human-readable dump to the file, and IAM expects the PEM block alone. The key must also be unencrypted (no passphrase).

openssl rsa -in Private.key -out Private.pem

openssl x509 -in Public.crt -out Public.pem

If the CA shipped the certificate in binary DER format (often .cer or .der), add -inform DER to the x509 command.

For the certificate chain file:
once you have deployed your SSL cert on your server/web site,
you can use the checker below to see what the chain looks like, because every CA uses a different set of intermediate certificates
https://ssltools.thawte.com/checker/views/certCheck.jsp

Example 1

For Facebook, there is only one intermediate certificate in the chain.

Example 2

For this one, there are two CA certificates above the server cert: the intermediate and the root.


From the AWS documentation, a sample certificate chain looks like this: the certificate that signed your server cert comes first, then the one that signed that, and so on up to the root, which is optional

-----BEGIN CERTIFICATE-----
Intermediate certificate 2
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Intermediate certificate 1
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Optional: Root certificate
-----END CERTIFICATE-----


So once you know what your chain looks like,
all you need to do is download those CA certificates and concatenate them in that order.

For example 1 (Facebook) there is only one intermediate certificate in the chain, so the DigiCert High Assurance CA-3 certificate can be used directly as the chain file.

For example 2 (Gardenbythebay) there are two CA certificates above the server cert (the Thawte intermediate and the Thawte root), so copy and paste them in the order below and save the result as certificate_chain.pem

-----BEGIN CERTIFICATE-----
< Thawte SSL CA - G2 >
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
< thawte Primary Root CA >
-----END CERTIFICATE-----

NOTE:
I am using Thawte as well, so here I provide the links for both intermediate certs
Thawte SSL CA - G2
Thawte Primary Root CA


Upload into the IAM store

Now that you have all three files, it is time to upload them to the IAM store.
I just went to EC2 and launched a micro instance for this purpose.
Choose Amazon Linux for this instance, because it already has the AWS CLI installed; on other distros you have to install it manually. The instance also needs AWS credentials that are allowed to call iam:UploadServerCertificate (an instance role, or `aws configure`). Keep in mind that the private key will sit on that instance's disk: the CLI runs just as well from your own workstation, which keeps the key off any server, and if you do use an instance, terminate it once the upload succeeds.


1. Once the instance is up, copy the three files onto it.
FOR WINDOWS, you can upload with WinSCP. Rather than turning on PasswordAuthentication in /etc/ssh/sshd_config (which exposes a public instance to SSH password guessing), log in with the instance key pair: convert the .pem to .ppk with PuTTYgen and point WinSCP at it. If you do enable password authentication, reload sshd and turn it back off once the files are uploaded.


2. Use this command to upload the files. The --path must begin with /cloudfront/ or the certificate will not be offered in the CloudFront console:
aws iam upload-server-certificate --server-certificate-name CertificateName --certificate-body file://public_key_certificate_file --private-key file://privatekey.pem --certificate-chain file://certificate_chain_file --path /cloudfront/path/

example:
aws iam upload-server-certificate --server-certificate-name Facebook2015 --certificate-body file://~/Public.pem --private-key file://~/Private.pem --certificate-chain file://~/certificate_chain.pem --path /cloudfront/Facebook/

Once done, you should see output like this:

{

  "ServerCertificateMetadata": {
     "ServerCertificateId": "ASCAJR5WQNL4PIB4GMMNE",
     "ServerCertificateName": "Facebook2015",
     "Expiration": "2017-04-23T23:59:59Z",
     "Path": "/cloudfront/Facebook/",
     "Arn": "arn:aws:iam::337660227660:server-certificate/cloudfront/Facebook/Facebook2015",
     "UploadDate": "2015-02-11T03:36:56.032Z"
  } 
}

Now you should be able to choose the certificate under Custom SSL Certificate in your CloudFront distribution settings.
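The whole preparation above in script form, as an added example (this is not code from the original post or from AWS): it rewrites the key and certificate as PEM, confirms that the private key actually belongs to the certificate, orders the CA certificates into the chain file by following each certificate's issuer to the next certificate's subject (so it does not matter in which order the CA handed them to you), verifies the result with openssl, and only then runs the upload command. It assumes openssl and the AWS CLI are installed; the function names and file names are placeholders chosen here, and paths must not contain spaces.

```shell
#!/bin/sh
# Added example, not from the original post. Prepares and sanity-checks the
# three PEM files IAM needs before calling `aws iam upload-server-certificate`.
# Assumes openssl and the aws CLI are on PATH; function and file names are
# placeholders chosen for this example. Paths must not contain spaces.

# Rewrite a certificate as PEM whether the CA shipped it as PEM or DER.
to_pem_cert() {  # to_pem_cert IN OUT
    if openssl x509 -in "$1" -inform PEM -noout 2>/dev/null; then
        openssl x509 -in "$1" -inform PEM -out "$2"
    else
        openssl x509 -in "$1" -inform DER -out "$2"
    fi
}

# Rewrite the private key as unencrypted PEM with mode 0600 (IAM rejects
# passphrase-protected keys). No -text flag: that would prepend a dump
# that IAM cannot parse.
to_pem_key() {  # to_pem_key IN OUT
    (umask 077; openssl pkey -in "$1" -out "$2")
}

# True when the private key belongs to the certificate: the public key
# derived from each must hash to the same value. IAM rejects a mismatch.
key_matches_cert() {  # key_matches_cert KEY CERT
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null | openssl sha256)
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null | openssl sha256)
    [ "$k" = "$c" ]
}

# Print the CA certificates from LEAF's issuer up to the root in the order
# IAM expects (the certificate that signed the leaf first), by following
# issuer -> subject links. CA files may be passed in any order; the root may
# be omitted, as the AWS sample marks it optional.
order_chain() {  # order_chain LEAF CA_CERT...
    leaf=$1; shift
    remaining=$*; n=0
    want=$(openssl x509 -in "$leaf" -noout -issuer); want=${want#issuer=}
    while [ -n "$remaining" ]; do
        found=""; rest=""
        for c in $remaining; do
            subj=$(openssl x509 -in "$c" -noout -subject); subj=${subj#subject=}
            if [ -z "$found" ] && [ "$subj" = "$want" ]; then
                found=$c
            else
                rest="$rest $c"
            fi
        done
        if [ -z "$found" ]; then
            echo "order_chain: no certificate with subject $want" >&2
            return 1
        fi
        cat "$found"; n=$((n + 1))
        iss=$(openssl x509 -in "$found" -noout -issuer); iss=${iss#issuer=}
        if [ "$iss" = "$want" ]; then
            return 0    # self-signed root reached: chain is complete
        fi
        want=$iss; remaining=$rest
    done
    if [ "$n" -eq 0 ]; then
        echo "order_chain: no CA certificates given" >&2
        return 1
    fi
    echo "order_chain: note: root ($want) not among the inputs" >&2
}

# Check that LEAF verifies through CHAIN. Pass ROOT separately when the chain
# file omits it; otherwise the last certificate in CHAIN is the trust anchor.
verify_chain() {  # verify_chain LEAF CHAIN [ROOT]
    if [ $# -ge 3 ]; then
        openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1
    else
        openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
    fi
}

# Upload the three files. The path must start with /cloudfront/ or CloudFront
# will not offer the certificate; the caller needs iam:UploadServerCertificate.
upload_to_iam() {  # upload_to_iam NAME CERT KEY CHAIN IAM_PATH
    aws iam upload-server-certificate \
        --server-certificate-name "$1" \
        --certificate-body "file://$2" \
        --private-key "file://$3" \
        --certificate-chain "file://$4" \
        --path "$5"
}

# Typical run (CA files already PEM; all names are placeholders):
#   to_pem_key Private.key Private.pem
#   to_pem_cert Public.crt Public.pem
#   key_matches_cert Private.pem Public.pem || exit 1
#   order_chain Public.pem thawte_ssl_ca_g2.pem thawte_primary_root.pem > certificate_chain.pem
#   verify_chain Public.pem certificate_chain.pem || exit 1
#   upload_to_iam Facebook2015 Public.pem Private.pem certificate_chain.pem /cloudfront/Facebook/
```

The key/cert comparison is the check most worth running before the upload: a mismatched pair is the usual cause of IAM rejecting an otherwise well-formed request. The chain ordering follows the rule behind the AWS sample (the certificate that signed your server cert first, each signer after it), and the final `openssl verify` fails the same way a browser would if an intermediate is missing or in the wrong place.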


OTHER COMMANDS

Delete a certificate object:

aws iam delete-server-certificate --server-certificate-name certificate_object_name

example:
aws iam delete-server-certificate --server-certificate-name Facebook2015


View a certificate object:

aws iam get-server-certificate --server-certificate-name certificate_object_name

example:
aws iam get-server-certificate --server-certificate-name Facebook2015