Automate SSL Certificate with AWS ACM and CloudFront

AWS Certificate Manager (ACM) now supports importing custom SSL/TLS certificates. Let’s Encrypt, in turn, issues free SSL certificates, which suits small-time bloggers like me; this blog itself runs on a Let’s Encrypt certificate, which is pretty neat.

In this blog, I’ll be writing on how to automate:

  • generating a Let’s Encrypt SSL certificate
  • uploading the certificate to AWS Certificate Manager
  • using the uploaded certificate in AWS CloudFront

Generating Let’s Encrypt SSL certificate:

Let’s start by creating the certificate files using the letsencrypt command line tool.

  1. Clone the letsencrypt git repo:

    sudo git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt
  2. Generate a certificate for your domain (domain.com):

    cd /opt/letsencrypt
    sudo -H ./letsencrypt-auto certonly --standalone -d domain.com -d www.domain.com

Note:

  • Enter the values when prompted (email address, etc.)
  • The domain must be valid and its DNS must point at the host where you run this command, because --standalone answers the validation challenge on that host.

This will create the key, cert and chain files in the /etc/letsencrypt/live/<domain_name>/ folder.

Uploading SSL certs and Keys to AWS Certificate Manager

Now that the certificate and key are generated, it’s time to import them into AWS Certificate Manager. Note that only certificates imported (uploaded) in us-east-1 can be used by AWS CloudFront.

Using the GUI

  1. Log in to the AWS Console and go to Certificate Manager.
  2. To import a new certificate, click on Import Certificate.
  3. Copy the contents of the PEM files as follows:
    cert.pem file contents go in Certificate Body
    privkey.pem file contents go in Certificate Private Key
    fullchain.pem file contents go in Certificate Chain
  4. Clicking Import brings you to the next screen, which confirms that the certificate was imported successfully.

Using AWS CLI

  1. The following command will upload your certificate to the us-east-1 region:

    aws acm import-certificate \
    --region us-east-1 \
    --certificate file:///etc/letsencrypt/live/<domain_name>/cert.pem \
    --private-key file:///etc/letsencrypt/live/<domain_name>/privkey.pem \
    --certificate-chain file:///etc/letsencrypt/live/<domain_name>/fullchain.pem
  2. If the certificate is already imported, specify --certificate-arn in the above command so that the existing ACM certificate is replaced in place instead of a second one being created:

    aws acm import-certificate \
    --region us-east-1 \
    --certificate-arn arn:aws:acm:us-east-1:12345678901:certificate/ev45v24v-2fd6-49f1-9aba-62dfc48w5g6ergt34 \
    --certificate file:///etc/letsencrypt/live/<domain_name>/cert.pem \
    --private-key file:///etc/letsencrypt/live/<domain_name>/privkey.pem \
    --certificate-chain file:///etc/letsencrypt/live/<domain_name>/fullchain.pem
  3. The certificate and key will be uploaded to ACM. Make a note of the Certificate ARN in the command’s output so that you can use it for renewals; re-importing with that ARN keeps CloudFront attached to the same certificate.

You can now use this certificate in Load Balancer and/or CloudFront.
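The three steps above (renew, check, import with the saved ARN) are the pieces a cron job needs. The following script is an added example written for this post, not the author’s own automation: it assumes letsencrypt-auto is in /opt/letsencrypt as above, that the aws CLI is installed with credentials allowed to call acm:ImportCertificate, that openssl is available, and that ARN_FILE (a path chosen here) is where the Certificate ARN from the first import is persisted between runs. The key-pair check before the import is a defensive addition: a cert.pem/privkey.pem mismatch is rejected by ACM anyway, but catching it locally keeps a bad pair from ever being sent.

```shell
#!/bin/sh
# Added example (not the blog's own script): renews the Let's Encrypt
# certificate and re-imports it into ACM in us-east-1, reusing the ARN
# recorded on the first import so the existing ACM certificate (and any
# CloudFront distribution using it) is updated in place.
# Assumptions: letsencrypt-auto in /opt/letsencrypt, aws CLI with
# acm:ImportCertificate rights, openssl installed, ARN_FILE is our own path.

LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live}"
ARN_FILE="${ARN_FILE:-/etc/letsencrypt/acm-certificate-arn.txt}"  # hypothetical path
ACM_REGION="us-east-1"   # CloudFront can only use certificates from us-east-1

# Print the argument list for `aws acm import-certificate`, one argument per
# line. $1 = domain, $2 = ARN of the certificate to replace ("" on first import).
acm_import_args() {
    dir="$LIVE_DIR/$1"
    printf '%s\n' acm import-certificate --region "$ACM_REGION"
    if [ -n "$2" ]; then
        printf '%s\n' --certificate-arn "$2"
    fi
    printf '%s\n' \
        --certificate "file://$dir/cert.pem" \
        --private-key "file://$dir/privkey.pem" \
        --certificate-chain "file://$dir/fullchain.pem"
}

# Refuse to import a certificate whose public key does not match the private
# key (e.g. files left over from different renewals). Both commands emit the
# public key in PEM form, so a plain string comparison is enough.
keypair_matches() {
    cert_pub=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null) || return 1
    key_pub=$(openssl pkey -pubout -in "$2" 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Pull the CertificateArn value out of the CLI's JSON response.
extract_arn() {
    printf '%s\n' "$1" \
        | sed -n 's/.*"CertificateArn": *"\([^"]*\)".*/\1/p' \
        | head -n 1
}

# Renew if due (letsencrypt-auto only reissues when the certificate is close
# to expiry), verify the key pair, import, and persist the ARN for next time.
renew_and_import() {
    domain="$1"
    arn=""
    if [ -f "$ARN_FILE" ]; then
        arn=$(cat "$ARN_FILE")
    fi
    /opt/letsencrypt/letsencrypt-auto renew --standalone --quiet || return 1
    if ! keypair_matches "$LIVE_DIR/$domain/cert.pem" "$LIVE_DIR/$domain/privkey.pem"; then
        echo "cert.pem and privkey.pem for $domain do not match; not importing" >&2
        return 1
    fi
    # Word-splitting on newlines is intended; the paths contain no whitespace.
    set -- $(acm_import_args "$domain" "$arn")
    output=$(aws "$@") || return 1
    extract_arn "$output" > "$ARN_FILE"
    echo "imported $domain as $(cat "$ARN_FILE")"
}

# Usage: sh acm-renew.sh run domain.com   (for example from a daily cron entry)
if [ "${1:-}" = "run" ] && [ -n "${2:-}" ]; then
    renew_and_import "$2"
fi
```

Because the ARN is read back from ARN_FILE on every run, the first execution creates the ACM certificate and every later one replaces it, which is exactly the --certificate-arn form shown in step 2; if the file is deleted, the next run falls back to the first-import form and a new ARN is recorded.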

amazon web services aws awscli linux acm cloudfront letsencrypt