Renew the SSL certificate for a site hosted on CloudFront using AWS Route53 and ACM
This blog post explains how to create or renew the SSL certificate for your web app hosted on AWS (ACM).
When you buy a domain, SSL is nowadays always required so that your customers trust your web app. Thus, after buying your domain you always buy an SSL certificate for your website.
Reissue certificate
An SSL certificate is always issued for a year, so after a year you need to reissue it.
This example uses the Gandi registrar.
Log in to your Gandi account and click SSL Certificates in the left menu; you will see the list of your SSL certificates.
Click the Reissue button; it takes you to the certificate generation page.
Generate a new CSR
openssl req -new -newkey rsa:2048 -sha256 -nodes -out '*.example.com.csr' -keyout '*.example.com.key' -subj '/CN=*.example.com'
Paste the CSR into the text input in the Gandi console.
Domain control validation
A validation step is needed to prove that you have the necessary permissions to secure the domain. This is automatic when the domain is at Gandi and you are one of its authorised contacts.
Click Validation method > By DNS record; it shows the DNS record for your domain, which we need to add at Route53.
Click the Submit button at Gandi and wait for the validation result.
After validation succeeds, go back to the SSL Certificate page; you can now download the certificate and the intermediate certificate.
You can read the certificate details with the command below.
openssl x509 -in _.example.com.crt -text -noout
Next, convert the private key from .key to .pem (write only the PEM key; the -text option would prepend a human-readable dump that the upload does not accept)
openssl rsa -in '*.example.com.key' -out example_com_private.pem
Download the certificate and convert it from .crt to .pem
openssl x509 -inform PEM -in _.example.com.crt -out example_com_public.pem
Download the intermediate certificate and convert it to .pem (if it is not already in .pem format)
openssl x509 -inform PEM -in GandiStandardSSLCA2.crt -out GandiStandardSSLCA2.pem
Upload to AWS ACM
Now you have 3 files; this section is about uploading your certificate using the AWS CLI.
Provided that you have set up your AWS profile locally on your Mac, you can try this command to list your existing certificates
# show certificate names
aws iam list-server-certificates
To upload your certificate, you need all 3 files from the previous section: the certificate (public), the private key and the intermediate certificate.
aws iam --profile {your_aws_profile_name} upload-server-certificate --server-certificate-name example_com_202212 --certificate-body file://example_com_public.pem --private-key file://example_com_private.pem --certificate-chain file://GandiStandardSSLCA2.pem --path /cloudfront/example_com/
Update the CloudFront distribution
Log in to your AWS account and navigate to CloudFront.
Click Distribution Settings; it redirects to the edit distribution form.
In the SSL Certificate section, you can see the certificate you just uploaded in the dropdown.
Click Save.
Invalidate CloudFront Distributions (Optional)
This step clears the cache, which ensures the new SSL certificate is applied.
Go back to CloudFront Distributions.
Choose your target distribution and click Invalidate.
Enter the path you want to invalidate; for example, to invalidate the whole distribution, enter
/*
Click OK and wait for the process to complete.
Then you can check your website in the browser, using the inspector to check the SSL certificate.
Remove old certificate
# command to delete a certificate
aws iam delete-server-certificate --server-certificate-name <value>
# for example, to delete the certificate named example.com_old
aws iam delete-server-certificate --server-certificate-name example.com_old
Convert the certificate to p12 format
You can use the command below to convert your SSL certificate using the certificate (.crt) and private key (.key)
openssl pkcs12 -export -out _.example.com.202212.p12 -inkey '*.example.com.key' -in _.example.com.crt
You will be prompted for a password to protect the certificate.
Windows Server renew SSL certificate example
Transfer the certificate file to AWS
To transfer the _.example.com.p12 you made in the previous step to the web server:
One method is to use the AWS CLI to upload / download your certificate via a private S3 bucket.
Use the DigiCert tool and import the new cert. Below is the tutorial for reference.
Then in IIS, configure the 443 binding to use the new cert.
Restart IIS.
Done.