Setup an Comodo positive SSL cert on AWS Cloudfront

  1. Buy Comodo positive SSL cert via namecheap
  2. Inspect last years cert:

    openssl req -noout -text -in tylercipriani_com.csr
  3. Generate private key and signing request

  • You can generate a new key as a separate step, or as part of the req command
  • To generate a new key manually use:

    openssl genrsa -out /path/to/output.key 2048
    mkdir -p ~/Projects/Certs/com.tylercipriani/2015-11-24
    cd ~/Projects/Certs/com.tylercipriani/2015-11-24
  • To generate a new key as part of a signing reuest use:

    openssl req -sha256 -new -newkey rsa:2048 -nodes -keyout /path/to/output.key -out /path/to/output.csr
         ensures output key is not encrypted ────┘
  • Answer lots of questions

    Country Name (2 letter code) [XX]:US
    State or Province Name (full name) []:Colorado
    Locality Name (eg, city) [Default City]:Longmont
    Organization Name (eg, company) [Default Company Ltd]:Tyler Cipriani
    Organizational Unit Name (eg, section) []:.
    Common Name (eg, your name or your server's hostname) []:tylercipriani.com
    Email Address []:spam@tylercipriani.com
    A challenge password []:
    • What is a challenge password: https://tools.ietf.org/html/rfc2985#page-16
  1. Should now have a tylercipriani_com.csr and an tylercipriani_com.key
  2. Do the namecheap needful:
  • Login to namecheap and activate your certificate
  • xsel -p < tylercipriani_com.csr then paste in the “Enter CSR” field
  • Choose, “Apache, Nginx, or Other” as the server type
  • Verify the domain, click “Next”
  • Verify CSR info, click “Next”
  • Select “Email-based” Domain Control Validation (DCV) method
  • Company contacts page, “NA” as company name, my address in address, tyler@tylercipriani.com in admin email
  1. You’ll get an email that asks you to enter a validation into a Comodo site, do that
  2. You’ll get an email with tylercipriani_com.zip
  3. aws configure to ensure that your awscli is setup
  4. Use awscli to upload

    awscli iam upload-server-certificate \
      --server-certificate-name tylercipriani_com_2015-11-24 \
      --certificate-body file://tylercipriani_com.crt \
      --private-key file://tylercipriani_com.key \
      --certificate-chain file://tylercipriani_com.ca-bundle \
      --path /cloudfront/
  5. Login to your aws dashboard, click cloudfront, go do Distribution Settings, click edit, find the new ssl key name in the dropdown and click, “Yes, edit”
  6. Should work…