AWS and setting up a custom SSL certificate


Instructions may be outdated and no longer working.


I spent the morning setting up verified SSL certificates (to support “green” https requests) for some of my web-apps, assets and media on Amazon Web Services.

Here’s a step-by-step guide of sorts, to ease the PAIN of setting this hodgepodge up.


I use a lot of subdomains for most apps, as I like to separate configuration, delivery of content, assets, multimedia and build smaller services around the same domain.

So I went with a wildcard certificate. Even though it’s a bit more expensive, it’s as flexible as it gets.

I decided to go with the SSL Certificate provider DigiCert.


When you buy an SSL certificate, you need to validate the domain before the seller validates your purchase and signs your certificate; in my case they sent an e-mail to my domains with an activation link.

On top of that you also need to provide a CSR you generate.

Generating and Uploading CSR

If you don’t have access to the command-line tool openssl, there should be guides on the provider’s website with alternate methods.

Generating the CSR files, input:

openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr

Fill out the form in the interactive output:

Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []: 
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

You should now have two files:

  • server.key (Used later for generating PEM files for AWS)
  • server.csr (Upload or paste the ENTIRE contents of this file to the provider)

When this is done you just have to wait for a download link or a download to start.

After Receiving the SSL Certificate

You should have the following files

  • DigiCertCA.crt
  • TrustedRoot.crt
  • star_yourdomain_com.crt
  • server.key
  • server.csr

Elastic Compute Cloud (EC2)

Don’t try to set up SSL certificates directly on your servers.

Elastic Load Balancer (ELB)

If you don’t use the ELB service, you’re better off using it; all there is to installing an SSL certificate is some AWESOME copy-paste action.

You add an SSL certificate by selecting an existing ELB over at the ELB Dashboard and going to the Listeners tab.

There you press ‘Edit’, then ‘Add’, choosing the ‘HTTPS (Secure HTTP)’ protocol and then clicking ‘Change’ in the ‘SSL Certificate’ column.

Certificate Name Field

Anything that is unique for your AWS account

Private Key Field

Paste the output of the following command, from and including “-----BEGIN RSA PRIVATE KEY-----” to and including “-----END RSA PRIVATE KEY-----”:

openssl rsa -in server.key -text

Public Key Certificate Field

Paste the output of the following command, from and including “-----BEGIN CERTIFICATE-----” to and including “-----END CERTIFICATE-----”:

openssl x509 -inform PEM -in star_yourdomain_com.crt

Certificate Chain Field

Paste the output of the following command, from and including the first “-----BEGIN CERTIFICATE-----” to and including the last “-----END CERTIFICATE-----”:

(openssl x509 -inform PEM -in DigiCertCA.crt; openssl x509 -inform PEM -in TrustedRoot.crt)

CloudFront (Custom Domain Name)

You can either pay at least $600 per month to support SSL for all browsers, or go with the SNI setup that “non-modern” browsers don’t support.

I went for the somewhat limited SNI option.

There’s no GUI to set this up, so you have to do it with the AWS command-line tools.

AWS API Access

SSH onto an EC2 instance and install the aws-cli package:

sudo yum install aws-cli.noarch

Configuring aws-cli

There was an “unknown locale” error for me so I had to do a couple of exports.


export LC_ALL=en_US.UTF-8
export LANG=en_US.UTF-8
aws configure

NOTE: You need to set up an IAM user in the IAM Dashboard and attach the ‘IAM Full Access’ user policy to it.

Interactive output (explained below the output):

AWS Access Key ID []:
AWS Secret Access Key []: 
Default region name []:
Default output format [None]:

AWS Access Key ID

Displayed after you’ve created an IAM User, copy and paste.

AWS Secret Access Key

Displayed after you’ve created an IAM User, copy and paste.

Default Region Name

Doesn’t matter for this use-case, but it might be a good idea to default to your preferred region.

  • Ireland: eu-west-1
  • N. Virginia: us-east-1
  • N. California: us-west-1
  • Oregon: us-west-2
  • Singapore: ap-southeast-1
  • Tokyo: ap-northeast-1
  • Sydney: ap-southeast-2
  • São Paulo: sa-east-1

Default Output Format

Leave as is [None], just press enter.


Giving CloudFront Access to Your SSL Certificate

You need to generate some files locally and upload them to the EC2 instance where you access the AWS command-line tools.

Generate PEM Files


openssl rsa -in server.key -text > aws_private.pem
openssl x509 -inform PEM -in star_yourdomain_com.crt > aws_public.pem
(openssl x509 -inform PEM -in DigiCertCA.crt; openssl x509 -inform PEM -in TrustedRoot.crt) > aws_chain.pem

You should now have the THREE files:

  • aws_private.pem
  • aws_public.pem
  • aws_chain.pem

Upload them to the EC2 instance (HINT: ‘scp’ or ‘rsync’).
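A pre-upload sanity check for the three PEM files, as an added example that is not part of the original post: it confirms that the private key belongs to the certificate, that the certificate verifies against the chain file, and that it is not about to expire. The function names check_bundle and make_demo are hypothetical, and the CA and wildcard certificate that make_demo creates are constructed throwaway samples so the check can be tried offline.

```shell
#!/bin/sh
# Added example: sanity-check the key, certificate and chain before upload.
# check_bundle KEY CERT CHAIN -> 0 only if all three checks pass.
check_bundle() {
    key=$1 cert=$2 chain=$3
    # The public key derived from the private key must equal the one in the cert.
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 2
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 2
    [ "$key_pub" = "$cert_pub" ] ||
        { echo "key does not match certificate" >&2; return 1; }
    # Every certificate in CHAIN is treated as trusted here, so this checks
    # that the chain is complete, not that the root is publicly trusted.
    openssl verify -CAfile "$chain" "$cert" >/dev/null 2>&1 ||
        { echo "certificate does not verify against chain" >&2; return 1; }
    # Fail if the certificate expires within 30 days (2592000 seconds).
    openssl x509 -in "$cert" -noout -checkend 2592000 >/dev/null ||
        { echo "certificate expires within 30 days" >&2; return 1; }
}

# Constructed sample data: a throwaway root CA, a wildcard certificate signed
# by it, and an unrelated key. File names mirror the ones used in this guide.
make_demo() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 90 -subj "/CN=Demo Root" \
        -keyout "$d/root.key" -out "$d/aws_chain.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=*.example.com" \
        -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null
    openssl x509 -req -in "$d/server.csr" -CA "$d/aws_chain.pem" \
        -CAkey "$d/root.key" -CAcreateserial -days 60 \
        -out "$d/aws_public.pem" 2>/dev/null
    openssl genrsa -out "$d/other.key" 2048 2>/dev/null
    # Private keys should only be readable by their owner.
    chmod 600 "$d"/*.key
}

# On the real files from this guide:
#   check_bundle aws_private.pem aws_public.pem aws_chain.pem
```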

Upload SSL Certificate (Reference Documentation)

aws iam upload-server-certificate --server-certificate-name star_yourdomain_com \
--certificate-body file://aws_public.pem --private-key file://aws_private.pem \
--certificate-chain file://aws_chain.pem --path /cloudfront/yourdomain_com/


The --server-certificate-name value can be anything that is unique for your AWS account, for example: ‘star_yourdomain_com’.


The ‘file://’ has to be included.

--certificate-body file://aws_public.pem


The ‘file://’ has to be included.

--private-key file://aws_private.pem


The ‘file://’ has to be included.

--certificate-chain file://aws_chain.pem


The “yourdomain_com” part can be any combination of letters; it doesn’t really matter.

The trailing slash is important though.

--path /cloudfront/yourdomain_com/

Activate SSL Certificate for CloudFront

Edit your distribution or create a new one over at the CloudFront Dashboard.

You should now be able to select the SSL Certificate ‘star_yourdomain_com’.

Custom SSL Certificate (Stored in AWS IAM)

Select ‘star_yourdomain_com’.

Custom SSL Client Support

Select ‘Only Clients that Support Server Name Indication (SNI)’.

After you press ‘Yes, Edit’ it will take “a while” before the SSL certificate propagates to all the edge locations.

There you have it

Hopefully everything went smoothly for you. Leave a comment if you have any questions or corrections.

Have a good one!

