April 19, 2015

Setup Amazon AWS wildcard SSL certificate

Wildcard certificates allow you to use any number of sub-domains at one level (*.example.com covers www.example.com, but not a.b.example.com) with HTTPS/SSL. Typically, if you have 5 or more sub-domains it is cheaper to buy a wildcard certificate than individual sub-domain SSL certificates.

Setting up a wildcard certificate on Amazon AWS starts with purchasing one. The resulting files are converted to PEM format with the openssl command line tool and uploaded to AWS with the AWS command line tool. Once the certificate is on AWS you can use it for Elastic Beanstalk, Elastic Load Balancers, and serving S3 assets through CloudFront under your own alternate sub-domain.

Purchase a wildcard SSL certificate

Make sure you have an admin email address for the domain (e.g. admin@geoffcorey.com); the CA sends the domain validation code there.

  • Order certificate from COMODO
  • Validate you own the domain by checking email for a validation code

Create a private key (the pass phrase you set here is asked for again when creating the CSR; it is stripped later because AWS needs the key unencrypted)

$ openssl genrsa -aes256 -out geoffcorey.com.key 2048

Create a CSR

    openssl req -key geoffcorey.com.key -out geoffcorey.com.csr -new
    Enter pass phrase for geoffcorey.com.key:
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:US
    State or Province Name (full name) [Some-State]:North Carolina
    Locality Name (eg, city) []:Fuquay Varina
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:Geoff Corey
    Organizational Unit Name (eg, section) []:
    Common Name (e.g. server FQDN or YOUR name) []:*.geoffcorey.com
    Email Address []:admin@geoffcorey.com

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:

To complete your purchase of the wildcard, paste the contents of geoffcorey.com.csr into the Comodo order form. Once the domain is validated you will be emailed a zip file containing the following files:

  • STAR_geoffcorey_com.ca-bundle
  • STAR_geoffcorey_com.pem
  • STAR_geoffcorey_com.crt

Convert to PEM format

Now we need the certificate (public) and the private key in PEM format. The first command prompts for the pass phrase and writes the key out without it, which is what AWS IAM expects; keep private.pem readable only by you.

$ openssl rsa -in geoffcorey.com.key -outform PEM >private.pem
$ openssl x509 -inform PEM -in STAR_geoffcorey_com.crt >public.pem
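The CSR step above is interactive and the conversion step produces three files that all have to agree with each other before AWS will accept them. The following script is an added example (not part of the original post) that does both non-interactively: `make_wildcard_csr` generates the key and a wildcard CSR from a `-subj` string, and `check_cert_bundle` runs the checks worth doing before uploading: the key is unencrypted, the key matches the certificate, the certificate verifies against the CA bundle, it really is a wildcard, and it is not about to expire. Domain, organization and file names are assumptions; the Comodo bundle name is taken from the post.

```shell
#!/bin/sh
# Added example, not code from the original post. Domain names, organization
# fields and file names are assumptions; substitute your own.

# Generate an unencrypted 2048-bit RSA key and a CSR whose CN is the wildcard.
# usage: make_wildcard_csr example.com   -> writes example.com.key, example.com.csr
make_wildcard_csr() {
    domain="$1"
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$domain.key" -out "$domain.csr" \
        -subj "/C=US/ST=North Carolina/L=Fuquay Varina/O=Example Org/CN=*.$domain" \
        2>/dev/null || return 1
    # Confirm the CSR really carries the wildcard CN before sending it to the CA.
    openssl req -in "$domain.csr" -noout -subject | grep -q "\*\.$domain"
}

# Check that a private key, certificate and CA bundle are ready for AWS IAM.
# Returns 0 when every check passes, a distinct non-zero code on the first failure.
# usage: check_cert_bundle private.pem public.pem STAR_geoffcorey_com.ca-bundle
check_cert_bundle() {
    key="$1"; cert="$2"; chain="$3"

    # 1. IAM accepts only unencrypted PEM private keys ("openssl rsa" strips the pass phrase).
    if grep -q "ENCRYPTED" "$key"; then
        echo "key is pass-phrase protected; run: openssl rsa -in $key -out private.pem" >&2
        return 1
    fi

    # 2. The public key inside the certificate must be the one derived from the private key;
    #    IAM rejects the upload otherwise.
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1
    if [ "$key_pub" != "$cert_pub" ]; then
        echo "private key does not match certificate $cert" >&2
        return 2
    fi

    # 3. The certificate must chain to the bundle the CA sent (intermediates and root).
    if ! openssl verify -CAfile "$chain" "$cert" >/dev/null 2>&1; then
        echo "certificate does not verify against chain $chain" >&2
        return 3
    fi

    # 4. It should actually be a wildcard certificate (CN or a SAN entry starting with "*.").
    if ! openssl x509 -in "$cert" -noout -text | grep -Eq 'CN ?= ?\*\.|DNS:\*\.'; then
        echo "certificate is not a wildcard certificate" >&2
        return 4
    fi

    # 5. Flag a certificate that expires within 30 days (2592000 seconds).
    if ! openssl x509 -in "$cert" -noout -checkend 2592000 >/dev/null; then
        echo "certificate expires within 30 days" >&2
        return 5
    fi
    return 0
}

# Example run against the files produced in the post's conversion step:
# check_cert_bundle private.pem public.pem STAR_geoffcorey_com.ca-bundle && echo "ready to upload"
```

Run the check once per upload; the distinct return codes make it easy to wire into a deployment script that refuses to call `aws iam upload-server-certificate` when any check fails.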


Amazon Web Services

Now that we have a wildcard certificate we need to add it to our Amazon AWS account, as two copies. The first copy is what we will use for Amazon Elastic Beanstalk and Elastic Load Balancers. The second copy is uploaded slightly differently and is used by Amazon CloudFront to serve S3 assets under our domain with SSL.

Install AWS CLI

There are various ways to install the AWS command line tool. I am using Linux with python pip.

$ sudo pip install --upgrade awscli

Create IAM credentials on AWS and get your access key and secret access key; an IAM user that only has the iam:UploadServerCertificate permission is enough for this step, so there is no need to use root account keys. Configure the awscli tool to use your IAM credentials via

$ aws configure

Upload certificates

The first copy is for server use such as Elastic Beanstalk or Elastic Load Balancers, using the private.pem and public.pem files created above plus the CA bundle from Comodo:

$ aws iam upload-server-certificate --server-certificate-name geoffcorey.com --certificate-body file://public.pem --private-key file://private.pem --certificate-chain file://STAR_geoffcorey_com.ca-bundle

The second copy is used if you want an alternate domain name on Amazon CloudFront to serve your S3 assets under your domain name. Note the --path /cloudfront/ option: CloudFront only offers certificates that were uploaded under that IAM path.

$ aws iam upload-server-certificate --server-certificate-name geoffcorey.com-cloudfront --certificate-body file://public.pem --private-key file://private.pem --certificate-chain file://STAR_geoffcorey_com.ca-bundle --path /cloudfront/

Setup Amazon Elastic Beanstalk wildcard SSL certificate

Go to your Elastic Beanstalk app and click Configuration->Load Balancing.

Set your Secure Listener Port to 443, Protocol to HTTPS and SSL Certificate ID to geoffcorey.com.

Setup Amazon CloudFront wildcard SSL certificate

Go to AWS Cloudfront Manager and click your CloudFront distribution and edit General.

Set your Alternate Domain Name to the sub-domain you set up in Route 53; in my case that is media.geoffcorey.com. Then for the SSL Certificate select geoffcorey.com-cloudfront. It is very important that you select Only Clients that Support Server Name Indication (SNI), otherwise Amazon will charge you an additional $600/mo for a dedicated IP.

Details can be found in the developer documentation.