Posted on 2015-01-07
Amazon (AWS) CloudFront now supports using a custom SSL certificate, so you can use your own domain name for HTTPS requests instead of having to use the gibberish.cloudfront.net one. Setup via the CloudFront console is easy: just pick the appropriate certificate from the list of server certificates you have uploaded to AWS IAM.
However, the IAM web console has no way to upload a server certificate. You have to use the AWS CLI. Not hard, just a lot of parameters, and the private key has to be in exactly the format IAM expects.
The command line blows up with an error:
A client error (EntityAlreadyExists) occurred when calling the UploadServerCertificate operation: The Server Certificate with name test.example.com already exists.
That one at least says what it means: the --server-certificate-name is already taken, so pick a new name or remove the old entry with aws iam delete-server-certificate --server-certificate-name test.example.com. The less obvious problem is the key format: IAM wants the traditional PKCS#1 PEM block (-----BEGIN RSA PRIVATE KEY-----), not the PKCS#8 block (-----BEGIN PRIVATE KEY-----) that openssl req writes. Run the key through openssl:
openssl rsa -in example.key -text > example.aws
Then delete everything up to the line -----BEGIN RSA PRIVATE KEY-----
and save as example.aws.key.
Generate a key and certificate request:
openssl req -newkey rsa:2048 -nodes -sha256 -keyout example.key -out example.csr
(-nodes leaves the key unencrypted, which is what IAM needs; keep the file readable only by you.) You should now have two files: example.key and example.csr.
Upload example.csr to StartSSL and go through their certificates wizard. Save the result as example.crt. (StartSSL/StartCom was distrusted by the major browsers in 2016-2017 and later shut down; the steps are the same for any CA that hands you a certificate plus its intermediates.)
Transform the key to a format acceptable to AWS (PKCS#1):
openssl rsa -in example.key -text > example.aws
Strip out everything from example.aws except the RSA key. The following sed command line will do it for you, but any text editor will work:
sed '/-----BEGIN RSA PRIVATE KEY-----/,$!d' example.aws >example.aws.key
The -text dump is not actually needed: openssl rsa -in example.key -out example.aws.key writes the PKCS#1 block directly, with nothing to strip. On OpenSSL 3 both forms write PKCS#8 unless you add -traditional (openssl rsa -in example.key -traditional -out example.aws.key); without it the sed above finds no matching line and leaves an empty file. Either way, check that the result starts with -----BEGIN RSA PRIVATE KEY----- before going on.
Make the certificate chain. Download the appropriate intermediate and root certificates and merge them (just with each other, not with your new cert):
cat sub.class1.server.ca.pem ca.pem >chain.crt
Upload to AWS IAM. The --path must begin with /cloudfront/ and end with a slash, or the certificate will not show up in the CloudFront console:
aws iam upload-server-certificate --path /cloudfront/example/ --server-certificate-name example --certificate-body file://example.crt --private-key file://example.aws.key --certificate-chain file://chain.crt
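The whole procedure as a script, with the checks worth running before the upload (is the key really PKCS#1, does the issued certificate actually belong to the key, does the chain validate the leaf). This is an added example, not code from the original post or from AWS; the file names, the CN test.example.com, the IAM path and the StartSSL intermediate file names are assumptions carried over from the post, so substitute your CA's.

```shell
#!/bin/sh
# Added example (not from the original post): key/CSR, PKCS#1 conversion,
# sanity checks, chain, and IAM upload. File names, CN, path and the
# StartSSL intermediate names are assumptions; substitute your own.
set -eu

# Classify a PEM private key by its first line. IAM wants the traditional
# PKCS#1 form ("RSA PRIVATE KEY"); openssl req (and OpenSSL 3 generally)
# writes PKCS#8 ("PRIVATE KEY") by default.
pem_key_kind() {
    case "$(head -n 1 "$1")" in
        '-----BEGIN RSA PRIVATE KEY-----')       echo pkcs1 ;;
        '-----BEGIN PRIVATE KEY-----')           echo pkcs8 ;;
        '-----BEGIN ENCRYPTED PRIVATE KEY-----') echo pkcs8-encrypted ;;
        *)                                       echo unknown ;;
    esac
}

# Rewrite the key in $1 as a PKCS#1 key in $2, with nothing to strip.
# "pkey -traditional" works on OpenSSL 1.1 and 3; on older releases fall
# back to "openssl rsa", which only ever wrote PKCS#1.
to_pkcs1() {
    openssl pkey -in "$1" -traditional -out "$2" 2>/dev/null \
        || openssl rsa -in "$1" -out "$2"
    chmod 600 "$2"   # the key is unencrypted; keep it readable only by you
}

# Does the key in $2 belong to the certificate in $1? Compare RSA moduli.
key_matches_cert() {
    [ "$(openssl x509 -in "$1" -noout -modulus)" = \
      "$(openssl rsa  -in "$2" -noout -modulus)" ]
}

# Step 1: key + CSR. -subj makes it non-interactive; -nodes because IAM
# takes the key unencrypted. Run as: make_csr test.example.com
make_csr() {
    openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$1" \
        -keyout example.key -out example.csr
    chmod 600 example.key
}

# Steps 3-5, after the CA has issued example.crt for example.csr.
# Run as: prepare_and_upload test.example.com
prepare_and_upload() {
    cn=$1
    [ -s example.crt ] || { echo "example.crt missing" >&2; return 1; }
    to_pkcs1 example.key example.aws.key
    [ "$(pem_key_kind example.aws.key)" = pkcs1 ] \
        || { echo "example.aws.key is not PKCS#1" >&2; return 1; }
    key_matches_cert example.crt example.aws.key \
        || { echo "example.crt was not issued for example.key" >&2; return 1; }
    # chain = intermediate(s) + root, never the leaf itself
    cat sub.class1.server.ca.pem ca.pem > chain.crt
    # prove the chain actually validates the leaf before IAM sees it
    openssl verify -CAfile ca.pem -untrusted sub.class1.server.ca.pem example.crt
    # path must start with /cloudfront/ and end with / for CloudFront to list it
    aws iam upload-server-certificate --path "/cloudfront/$cn/" \
        --server-certificate-name "$cn" \
        --certificate-body file://example.crt \
        --private-key file://example.aws.key \
        --certificate-chain file://chain.crt
}
```

Source the file, run make_csr with your hostname, send example.csr to the CA, save the issued certificate as example.crt, then run prepare_and_upload with the same hostname. The modulus comparison is the check that catches the common mistake of pairing a freshly regenerated key with a certificate issued for the previous one; IAM would accept the mismatched pair and CloudFront would fail the TLS handshake later.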
Extracted from a long thread in the AWS support forum.
Tags: aws ssl certificate aws-iam https StartSSL openssl