Comodo, the leading Internet Security Provider offers Free Antivirus, SSL Certificate and other Internet Security related products with complete protection. In this post I will walk you through the setup of SSL in Amazon CloudFront (the process is common to all Amazon services)

AWS need that all your certificates are in PEM format. They are two main of encoding certificate:

  • DER: is a binary encoding of a certificate. Typically these use the file extension of .crt or .cert.
  • PEM: is a Base64 encoding of a certificate represented in ASCII therefore it is readable as a block of text. This is very useful as you can open it in a text editor work with the data more easily.

Comodo certificate are delivered in DER format .crt, so we need to convert them to PEM.

Certificates Setup

Convert crt to PEM

Amazon AWS need:

  • Your issued certificate
  • Your private key
  • The CAChain certificate that include all intermediate and Root CA certificate.

Comodo send you 4 certificates:

  • AddTrustExternalCARoot.crt
  • <your_issued_certificate_name>.crt: for instance cdn_guillaumemaka_com.crt in my case.
  • COMODORSAAddTrustCA.crt
  • COMODORSADomainValidationSecureServerCA.crt

First cding to the folder containning all your certificates:

Terminal
1
2
$ cd /path/to/certificates/folder
$ mkdir pem

Then convert all certificates:

Terminal
1
2
3
4
openssl x509 -in ./AddTrustExternalCARoot.crt -outform pem -out ./pem/AddTrustExternalCARoot.pem
openssl x509 -in ./COMODORSAAddTrustCA.crt -outform pem -out ./pem/COMODORSAAddTrustCA.pem
openssl x509 -in ./COMODORSADomainValidationSecureServerCA.crt -outform pem -out ./pem/COMODORSADomainValidationSecureServerCA.pem
openssl x509 -in ./cdn_guillaumemaka_com.crt -outform pem -out ./pem/cdn_guillaumemaka_com.pem
  • x509: The x509 command is a multi purpose certificate utility. It can be used to display certificate information, convert certificates to various forms, sign certificate requests like a “mini CA” or edit certificate trust settings.
  • -in <filename>: This specifies the input filename to read a certificate from or standard input if this option is not specified.
  • -outform PEM: This specifies the output format. In this case PEM.
  • -out filename : This specifies the output filename to write to or standard output by default.

Convert the private key:

Terminal
1
openssl rsa -in ./private.key -outform PEM -out private.key.pem
  • rsa: The rsa command processes RSA keys.

Create a CAChain

Terminal
1
2
3
$ cat ./pem/COMODORSADomainValidationSecureServerCA.pem > ./pem/CAChain.pem
$ cat ./pem/COMODORSAAddTrustCA.pem >> ./pem/CAChain.pem
$ cat ./pem/AddTrustExternalCARoot.pem >> ./pem/CAChain.pem

  • Warning: You must construct the CAChain in descending order. Z->A

Now you should have a folder structure like this:

1
2
3
4
5
6
7
8
9
10
11
12
├── AddTrustExternalCARoot.crt
├── COMODORSAAddTrustCA.crt
├── COMODORSADomainValidationSecureServerCA.crt
├── cdn_guillaumemaka_com.crt
├── private.key
└── pem
    ├── AddTrustExternalCARoot.pem
    ├── CAChain.pem
    ├── COMODORSAAddTrustCA.pem
    ├── COMODORSADomainValidationSecureServerCA.pem
    ├── cdn_guillaumemaka_com.pem
    └── private.key.pem

Upload

1
aws iam upload-server-certificate --server-certificate-name CDNServerCertificate --certificate-body file://cdn_guillaumemaka_com.pem --private-key file://private.key.pem --certificate-chain file://CAChain.pem --path /cloudfront/production/

  • Notice: --path /cloudfront/production options specify that we the certificate to be available only in the CloudFront service.

Bonus: Setup CloudFront HTTPS End Point

1) Login to your Amazon AWS Account

2) Go to the CloudFront console.

3) Click on the id of your cloudfront instance.

4) Click Edit.

5) Select the option Custom SSL Certificate and select the certificate previously uploaded. Go to the bottom of the page and click Save.

6) On the main page got to the Behaviors tab then click Create Behavior.

7) Configure the behavior:

  • Path pattern: the sub path of the url you want to add a behavior.
  • Viewer Policy: select Redirect HTTP to HTTPS.
  • Allow HTTP Method: select GET, HEAD (I configuring a CDN, so I just need GET and HEAD request).

8) Click Create.

That’s it ! Open the url in your browser and check if the HTTP url redirect to HTTPS.

1
2
3
4
5
6
7
8
9
10
11
$ curl -I http://cdn.example.com/images/animage.png
HTTP/1.1 301 Moved Permanently
Server: CloudFront
Date: Sun, 10 May 2015 13:42:36 GMT
Content-Type: text/html
Content-Length: 183
Connection: keep-alive
Location: https://cdn.example.com/images/animage.png
X-Cache: Redirect from cloudfront
Via: 1.1 <id>.cloudfront.net (CloudFront)
X-Amz-Cf-Id: EGQVJRkntlSPRf4MxSBWMlt86EW6s29JekUah6fj6kMmMJFj8ugMIw==

Resources

Facebook makes open source Parse SDKs

Now here two years that Facebook has acquired Parse, the cloud platform aiming to facilitate the development of applications for mobile, …… Continue reading