Key Insight
AWS doesn't let you modify the key of an existing IAM server certificate, so you have to create new ones and then update your CloudFront (CF) and Elastic Load Balancer (ELB) configurations to use the new cert.
My corporate https/ssl certificate is expiring. I need to renew it and get it pushed to AWS IAM for use in S3 and CloudFront. If you're in the same boat, I hope these instructions help you out.
P.S. Hi, future me. I'll see you in about a year when this round of certs expires.
Materials Needed:
- CSR and private key file.
  - The current set is preferred.
  - If you don't have the original files, you can create a new pair.
  - If you are changing the CSR, your certificate authority may need to spend time re-validating you.
- Account and password for your certificate authority.
- AWS credentials with access to modify IAM certificates.
- AWS command line tools installed.
Basic Steps:
- Renew the certificate:
  - Log in to your certificate authority. For me this is GeoTrust:
  - Click the big [renew] button by your current certificate.
  - Pick the new certificate term.
  - Confirm the admin and billing contacts.
  - Update the CSR for confirmation.
  - Pay.
  - Wait for confirmation.
- Download and prep the certificate files:
  - Download the certificate bundle. Choose type "other", which provides a zipped bundle of files. Unzip it and enter the directory.
  - Create a certificate chain file from the intermediate and root files.
  - Copy the original private key to the local dir. For me this is company.rsa.key. This must be a PEM-encoded RSA private key.
- Create new AWS IAM server-certificates:
  - AWS doesn't support modifying the key file of an existing server-certificate, so we need to create new ones.
  - CloudFront requires a separate server-certificate with a path starting with 'cloudfront/', so we'll upload the key twice to create two server-certificates.
- Update AWS to use the new server-certificates:
  - CloudFront:
    - For each CloudFront distribution using the expiring server-certificate:
      - In the console: Console -> CloudFront -> Distribution Name -> [General] -> [Edit]
      - Then choose the new certificate from the drop-down.
  - ELB:
    - Console -> EC2 -> (pick region) -> Load Balancers
    - For each load balancer that uses HTTPS with the old cert:
      - Right-click -> 'Edit listeners'
      - Use the "change" link in the SSL Certificate column.
      - Certificate Type: Choose an existing certificate
      - Certificate Name: choose the new certificate from the drop-down
Contents of the unzipped GeoTrust bundle:

```text
crossRootCA.cer
getting_started.txt
IntermediateCA.cer
ssl_certificate.cer
```

Build the chain file and copy the private key into place:

```sh
cat IntermediateCA.cer crossRootCA.cer > geotrust-chain.pem
cp secret_files/company.rsa.key ./
```

Upload the certificate twice: once at path `/` for ELB, once under `/cloudfront/` for CloudFront:

```sh
aws iam upload-server-certificate \
  --server-certificate-name company-test \
  --certificate-body file://ssl_certificate.cer \
  --private-key file://company.rsa.key \
  --certificate-chain file://geotrust-chain.pem \
  --path /

aws iam upload-server-certificate \
  --server-certificate-name company-test-cf \
  --certificate-body file://ssl_certificate.cer \
  --private-key file://company.rsa.key \
  --certificate-chain file://geotrust-chain.pem \
  --path /cloudfront/
```
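A pre-flight script for the upload step, added here as an example (it is not from the original post): it builds the chain, confirms the private key actually matches the renewed certificate, checks the leaf still has time left and chains to the root, and only then performs the two IAM uploads. File and certificate names are the post's; the function names are assumptions of mine.

```sh
#!/usr/bin/env sh
# Added example, not the original post's code. Assumes the post's file
# names (ssl_certificate.cer, IntermediateCA.cer, crossRootCA.cer,
# company.rsa.key) and its certificate names (company-test, company-test-cf).
set -eu

# IAM takes the leaf as --certificate-body and the rest as --certificate-chain,
# so the chain file is just intermediate followed by cross-root.
build_chain() {   # build_chain <intermediate> <root> <out>
  cat "$1" "$2" > "$3"
}

# Succeeds only if the private key's public half equals the certificate's
# public key. Uploading a mismatched pair is accepted by nobody downstream.
key_matches_cert() {   # key_matches_cert <cert.pem> <key.pem>
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
  key_pub=$(openssl pkey -in "$2" -pubout)
  [ "$cert_pub" = "$key_pub" ]
}

# Succeeds only if the certificate is still valid <days> days from now,
# i.e. you really downloaded the renewed cert and not the expiring one.
cert_valid_for_days() {   # cert_valid_for_days <cert.pem> <days>
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Succeeds only if the leaf chains to the root through the intermediate.
chain_verifies() {   # chain_verifies <cert.pem> <intermediate> <root>
  openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1
}

# IAM cannot replace the key of an existing server-certificate, so every
# renewal uploads under new names: one at / for ELB, one at /cloudfront/.
upload_both() {   # upload_both <base-name> <cert> <key> <chain>
  for p in / /cloudfront/; do
    name="$1"; [ "$p" = /cloudfront/ ] && name="$1-cf"
    aws iam upload-server-certificate \
      --server-certificate-name "$name" \
      --certificate-body "file://$2" \
      --private-key "file://$3" \
      --certificate-chain "file://$4" \
      --path "$p"
  done
}

# Usage, in order (the script stops at the first failing check):
#   build_chain IntermediateCA.cer crossRootCA.cer geotrust-chain.pem
#   key_matches_cert ssl_certificate.cer company.rsa.key
#   cert_valid_for_days ssl_certificate.cer 30
#   chain_verifies ssl_certificate.cer IntermediateCA.cer crossRootCA.cer
#   upload_both company-test ssl_certificate.cer company.rsa.key geotrust-chain.pem
```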
`aws iam *-server-certificate*` commands. Next steps would be bypassing the console and automating detection and updates of ELB and CF entries.
Links
- ELB: Update an SSL Certificate for a Load Balancer
- IAM: Creating, Uploading, and Deleting Server Certificates
- AWS: Rotating SSL Certificates
- IAM: Actions on Server Certificates
- CLI: upload-server-certificate
- CLI: update-server-certificate
- SSL Checker
- Blog: Setting up SSL on AWS Cloudfront and S3
- GeoTrust Payments FAQ