
Installing GoDaddy SSL Certificates on AWS CloudFront

DBS Interactive
SSL Certificate

The process of installing a GoDaddy SSL certificate onto Amazon's CloudFront CDN is briefly explained here and is meant as a quickstart guide for those who might need a leg up. We found few GoDaddy-specific instructions for CloudFront, so let's correct that now.

This is intended for someone who is already familiar with obtaining and installing SSL certificates but not with CloudFront SSL, or who is new to using GoDaddy certificates on AWS CloudFront.

You only need to upload your own certificate to CloudFront if you are using CNAMEs (custom domain names on the distribution); otherwise you can use Amazon's own certificates (and save a potential headache or two).

And, if you have an existing CloudFront distribution, it's not possible to convert it to SSL. It indeed sucks big time, but you'll have to create a new distribution (and thus a new CNAME too).

# Step by step ... no smoking and fasten seat belts ...

# Generate the server key and csr file for a 2048 bit key on a local
# Apache server just as you would for any ordinary GoDaddy cert. Nginx
# should work too. The fact that Amazon Cloudfront might be using
# something else is OK.
openssl req -new -newkey rsa:2048 -nodes -keyout example.key -out example.csr

# Purchase the cert from GoDaddy using the csr file. The approved
# certificate files will all be used "as is". Download, unzip and put
# them in a folder with a copy of the key file. In the example below,
# all the required files are in /tmp. The GoDaddy *crt file is PEM
# formatted, so no worries there.

# It is necessary to create an rsa version of the server key for AWS:
# the PKCS#1 "-----BEGIN RSA PRIVATE KEY-----" form, not the PKCS#8
# "-----BEGIN PRIVATE KEY-----" form that `openssl req -newkey` writes.
# (Note: on OpenSSL 3.x, `openssl rsa` writes PKCS#8 by default, so add
# -traditional there to get the RSA PRIVATE KEY header.)
openssl rsa -in /tmp/example.key -out /tmp/example.key.rsa

# Get an AWS IAM account set up, if you don't have one already. You will
# need to create a group and user, and assign permissions. See:
# http://docs.aws.amazon.com/IAM/latest/UserGuide/Welcome.html
# That user will do the eventual uploading, so it only needs the IAM
# server-certificate permissions, not the account's root credentials.

# Uploading the cert can only be done via command line. Get the AWS
# command line tool set installed. See http://aws.amazon.com/cli/ or
# https://github.com/aws/aws-cli.
# Ubuntu packages: http://alestic.com/2012/05/aws-command-line-packages.

# Almost ready ... now we'll upload the cert. If this is your first time
# using aws-cli, you will be prompted for your credentials. If you
# have existing credentials, be sure they are for this AWS account.
# Upload command (the backslashes continue one command across lines;
# --certificate-body is the GoDaddy-issued *.crt, --certificate-chain is
# the GoDaddy intermediate bundle, and --path must start with /cloudfront/):
aws iam upload-server-certificate \
    --server-certificate-name example.com \
    --certificate-body file:///tmp/47f2505xxxxx.crt \
    --private-key file:///tmp/example.key.rsa \
    --certificate-chain file:///tmp/gd_bundle-g2-g1.crt \
    --path /cloudfront/example.com/

# All done. You either get a (cryptic) error message and we have let you
# down, or you get some small JSON output on success and can pat yourself on
# the back. Then you can configure your AWS CloudFront distribution for SSL.

Renewing a GoDaddy SSL Certificate on AWS CloudFront

Renewal essentially repeats the same steps: the new certificate and chain file need to be uploaded with the aws-cli tools. The one gotcha is that the "server-certificate-name" and "path" cannot be the same as those of the certificate already uploaded (the "certificate name" is just an internal AWS identifier, NOT the common name). Just alter both of these, re-upload, wait a few minutes, then go into your CloudFront distribution settings and change the SSL Certificate to the one you just uploaded (it should appear in the dropdown if everything went well). Save the changes and wait a few minutes for the distribution to update.

aws iam upload-server-certificate \
    --server-certificate-name example.com-renewed \
    --certificate-body file:///tmp/47f2505xxxxx.crt \
    --private-key file:///tmp/example.key.rsa \
    --certificate-chain file:///tmp/gd_bundle-g2-g1.crt \
    --path /cloudfront/example.com-renewed/
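Because the upload error on a mismatched key, wrong bundle or PKCS#8 key is the "cryptic" one mentioned above, it pays to check the three files locally first. The following preflight script is an added example, not part of the original post; it assumes only that openssl is on PATH, and it uses the same /tmp file names as the upload commands for both the initial install and the renewal.

```shell
#!/usr/bin/env bash
# Preflight checks for the files passed to `aws iam upload-server-certificate`.
# Added helper, not from the original post. Assumes openssl is on PATH.
set -u

# AWS wants the PKCS#1 "RSA PRIVATE KEY" PEM that `openssl rsa -out` produces
# (the "rsa version" step), not the PKCS#8 "PRIVATE KEY" written by
# `openssl req -newkey`. Return 0 if the key file carries that header.
key_is_pkcs1_pem() {
  grep -q -- '-----BEGIN RSA PRIVATE KEY-----' "$1"
}

# Return 0 if the private key and the certificate carry the same public key,
# i.e. the cert really was issued for the CSR made from this key.
key_matches_cert() {
  local key_pub cert_pub
  key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
  cert_pub=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
  [ "$key_pub" = "$cert_pub" ]
}

# Return 0 if the certificate chains to the bundle. The GoDaddy bundle holds
# intermediates rather than the root, so -partial_chain lets a bundle cert act
# as the trust anchor; a wrong or stale bundle fails here instead of in CloudFront.
chain_verifies_cert() {
  openssl verify -partial_chain -CAfile "$2" "$1" >/dev/null 2>&1
}

# Return 0 if the certificate is still valid N days from now.
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Run every check on key, cert and chain; on the first failure print why and
# return a distinct code (1..4) so a wrapper script can tell them apart.
preflight() {
  local key=$1 cert=$2 chain=$3
  key_is_pkcs1_pem "$key" || { echo "$key is not PKCS#1 PEM; run: openssl rsa -in $key -out $key.rsa" >&2; return 1; }
  key_matches_cert "$key" "$cert" || { echo "$key does not match $cert" >&2; return 2; }
  chain_verifies_cert "$cert" "$chain" || { echo "$cert does not verify against $chain" >&2; return 3; }
  cert_valid_for_days "$cert" 30 || { echo "$cert expires within 30 days" >&2; return 4; }
  echo "preflight OK: $key / $cert / $chain"
}

# Usage (same files as the upload command):
# preflight /tmp/example.key.rsa /tmp/47f2505xxxxx.crt /tmp/gd_bundle-g2-g1.crt
```

Run it before each upload, including the renewal, and only proceed on "preflight OK".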