Installing SSL on Amazon CloudFront

We have just installed SSL on our Amazon CloudFront. We followed this blog post from Bryce, which I think is really good already. However, I was stuck on the last part, where you have to upload the certificate to IAM. The difference is that I had to concatenate the crt files myself and I didn't know how to do it. So I spent quite a long time figuring it out. I thought I would write this up, as it might help save some time for anybody else.

If your SSL provider gave you the chained certificate already, then you don't have to do anything else. However, when I downloaded my crt files I found this:

my_domain.crt
AddTrustExternalCARoot.crt
TrustedSecureCertificateAuthority5.crt
USERTrustRSAAddTrustCA.crt

And I was shocked. So, I thought I would need to upload all of them three times, which I did, but only one got through, and I thought the others must have been backups of some kind (I know I'm pretty stupid). So, I used SSL Checker to check and the site said my trust was broken. I thought, how could that be? I did everything right.

It turned out that I hadn't uploaded all of the chained certificates. So, I went again and tried to upload the second file, and I got a nice error from Amazon saying that my certificate was malformed. I was stumped again.

After a lot of digging and reading, I figured out that I had to work out the order of the certificates and concatenate all of them in the right order up to the root. You can ask your SSL provider if you want a quicker answer, but I went the hard way.

You can run this command on each certificate file:

openssl x509 -text -noout -in your_domain.crt

Start with your_domain.crt, whose output will look something like this:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            xxxxxx
        Signature Algorithm: xxxxx
        Issuer: C=US, ST=DE, L=Wilmington, O=Corporation Service Company, CN=Trusted Secure Certificate Authority 5
        Validity
            Not Before:
            Not After :
        Subject: C=US/postalCode=x, ST=xx, L=xxx, O=xxx, LLC, OU=xxx, OU=xxx, CN=xxx

Look for the Issuer field: it names the certificate that signed this one, which is the next certificate in the chain. In this case Trusted Secure Certificate Authority 5 is my first intermediate certificate, so now run the same command on that file:

openssl x509 -text -noout -in TrustedSecureCertificateAuthority5.crt

You will get something like this:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            xxxxx
        Signature Algorithm: xxxx
        Issuer: C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority
        Validity
            Not Before: Sep 10 00:00:00 2014 GMT
            Not After : Sep  9 23:59:59 2024 GMT
        Subject: C=US, ST=DE, L=Wilmington, O=Corporation Service Company, CN=Trusted Secure Certificate Authority 5

That means the USERTrust certificate is the next one. Repeat the process on each file in turn until you see something like this:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: xxxx
        Signature Algorithm: xxxxx
        Issuer: C=SE, O=AddTrust AB, OU=AddTrust External TTP Network, CN=AddTrust External CA Root
        Validity
            Not Before: May 30 10:48:38 2000 GMT
            Not After : May 30 10:48:38 2020 GMT
        Subject: C=SE, O=AddTrust AB, OU=AddTrust External TTP Network, CN=AddTrust External CA Root

If the Issuer is the same as the Subject, the certificate is self-signed: that is the root, which goes last. Now concatenate all the certificates in that order.

You can use this command, or your favourite editor will do as well:

cat first_crt second_crt third_crt > your_pem_file

Then, when you're ready to upload the certificate to Amazon, you can just do this:

aws iam upload-server-certificate --server-certificate-name your_domain \
--certificate-body file://your_domain.crt \
--private-key file://your_domain.private \
--certificate-chain file://your_pem_file \
--path /cloudfront/

The --certificate-chain file is your concatenated certificates; --certificate-body is your domain certificate on its own, and --private-key is its private key.

The format of the pem file should be something like this:

-----BEGIN CERTIFICATE-----
Intermediate certificate 2
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Intermediate certificate 1
-----END CERTIFICATE-----

May 22nd, 2015
