AWS - CloudFront - Upload SSL Certificate

This article explains how to use a custom HTTPS domain with AWS CloudFront to expose static assets under your own domain.







1 - Context

By default, AWS CloudFront provides its own domain and its own SSL certificate. Your CloudFront URL will look like this: https://d111111abcdef8.cloudfront.net/some/asset.png

If you want to serve static assets over HTTP and HTTPS under your own domain, you need to set up a CNAME pointing to this CloudFront URL and upload an SSL certificate matching the desired CNAME, which AWS can then use to serve your assets.

Note that uploading a custom SSL certificate is only required if you wish to serve assets through HTTPS.

2 - Upload your SSL certificate

To upload an SSL certificate you need:

  • your certificate (public key) in PEM format (e.g. mydomain.com.crt)
  • your certificate private key in PEM format (e.g. mydomain.com.key.pem)
  • your Certificate Authority (CA) certificate chain (e.g. gd_bundle-g2-g1.crt for GoDaddy)

With these in hand, run the command below to upload your certificate to CloudFront.

aws --profile MY-AWS-PROFILE iam upload-server-certificate --server-certificate-name mydomain.com --certificate-body file://mydomain.com.crt --private-key file://mydomain.com.key.pem --certificate-chain file://gd_bundle-g2-g1.crt --path /cloudfront/

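The option "--profile MY-AWS-PROFILE" is required by the AWS CLI to properly set your keys. See the AWS CLI documentation for more details. The certificate itself is stored in IAM; the "--path /cloudfront/" option is what makes it available to CloudFront.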
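Before running the upload, it is worth checking that the three files actually belong together. The script below is an added example, not part of the original article; it assumes the openssl command-line tool (1.1.0 or later) is installed, and its function names and the script name preflight.sh are hypothetical.

```shell
#!/bin/sh
# Added example: pre-upload checks on the files given to
# "aws iam upload-server-certificate". Function names are hypothetical.
# Run: sh preflight.sh mydomain.com.crt mydomain.com.key.pem gd_bundle-g2-g1.crt

# Succeeds if the private key belongs to the certificate (RSA or EC).
# "-passin pass:" makes an encrypted key fail here instead of prompting;
# IAM only accepts an unencrypted private key.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout -passin pass: 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Succeeds if the certificate is still valid $2 seconds from now.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# Succeeds if the certificate was issued by a certificate in the bundle.
# The system trust store is ignored so only the bundle is consulted, and
# -partial_chain accepts a bundle that holds intermediates without the root.
chain_covers_cert() {
    openssl verify -no-CAfile -no-CApath -partial_chain \
        -CAfile "$2" "$1" >/dev/null 2>&1
}

# Usage: preflight CERT KEY CHAIN [MIN_SECONDS_LEFT]   (default: 30 days)
# Exit status: 1 = key mismatch, 2 = expiring, 3 = chain does not verify.
preflight() {
    cert_matches_key "$1" "$2" ||
        { echo "private key does not match certificate" >&2; return 1; }
    cert_valid_for "$1" "${4:-2592000}" ||
        { echo "certificate expired or expiring too soon" >&2; return 2; }
    chain_covers_cert "$1" "$3" ||
        { echo "chain file does not verify certificate" >&2; return 3; }
    echo "ok: $1"
}

# Only run the checks when file arguments were supplied.
if [ "$#" -ge 3 ]; then
    preflight "$@"
fi
```
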

3 - Using your CloudFront certificate

Once your certificate has been uploaded, you can go into the AWS CloudFront portal, edit your CloudFront distribution and configure it to use your custom domain and certificate. Following the example above, your certificate will be named mydomain.com (the name passed to --server-certificate-name).