Managing Certificates in Cloudfront Distribution
April 24, 2019

Managing SSL/TLS certificates for any web or mobile application platform is an essential part of solution delivery today. Encrypting communication within the application and across the network, and meeting the compliance requirements that come with it, is required of any enterprise, whether it is a services company or a product company.

With the increasing adoption of containers and the rise of distributed product architectures, the need for SSL/TLS certificates is no longer limited to customer-facing applications.

The question is how to meet the need for SSL/TLS certificates when delivering serverless applications or other services on Amazon Web Services (AWS). In this post we look at integrating SSL/TLS certificates into CloudFront distributions.

CloudFront lets you manage the certificate of a distribution in two ways: with Amazon Certificate Manager (ACM) or with a custom SSL certificate. For the custom certificate we evaluate Let's Encrypt, a free certificate authority.

Managing Certificates with ACM (Amazon Certificate Manager)

  • Go to the CloudFront distribution and, under General, click "Edit".
  • Click "Request or Import a certificate with ACM".
  • Enter the domain name for which the certificate is to be issued and click Next.
  • Select the validation method. You can prove control of the domain either by adding a DNS record or by email validation. In our case we use DNS validation; click Review.
  • In the next step you are given the DNS record that must be added to your domain's DNS zone. If the zone is hosted in Route53, ACM can create the record for you.
  • Once the certificate status is ISSUED, go back to the CloudFront distribution and select the certificate under the 'SSL Certificate' section.

ACM is a free service: there is no charge for managing certificates. Charges are incurred by the services on which the certificates are deployed, such as CloudFront or ELB. One advantage of using ACM with CloudFront is that the certificates can be renewed easily.
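The same sequence driven from the AWS API, as an added example that is not part of the original post: it requests a DNS-validated certificate in us-east-1 (the only region CloudFront accepts ACM certificates from), turns the validation record ACM hands back into a Route53 change, waits for the ISSUED state, and points the distribution at the new certificate with SNI and TLS 1.2 as the minimum protocol. It assumes boto3 and AWS credentials; DOMAIN, HOSTED_ZONE_ID and DISTRIBUTION_ID are placeholders, and SAMPLE_DESCRIBE is a constructed DescribeCertificate response used to exercise the pure helpers offline.

```python
"""Issue a DNS-validated ACM certificate and attach it to a CloudFront distribution.

Added example, not from the original post. Assumes boto3 and AWS credentials;
DOMAIN, HOSTED_ZONE_ID and DISTRIBUTION_ID are placeholders. boto3 is imported
inside main() so the pure helpers can run (and be tested) without it.
"""
import time

DOMAIN = "www.example.com"          # placeholder
HOSTED_ZONE_ID = "ZEXAMPLEZONEID"   # placeholder Route53 hosted zone id
DISTRIBUTION_ID = "EEXAMPLEDISTID"  # placeholder CloudFront distribution id

# Constructed DescribeCertificate response in the shape ACM returns while a
# DNS-validated request is pending; used to exercise the helpers offline.
SAMPLE_DESCRIBE = {
    "Certificate": {
        "Status": "PENDING_VALIDATION",
        "DomainValidationOptions": [{
            "DomainName": DOMAIN,
            "ValidationStatus": "PENDING_VALIDATION",
            "ResourceRecord": {
                "Name": "_abc123.www.example.com.",
                "Type": "CNAME",
                "Value": "_def456.acm-validations.aws.",
            },
        }],
    }
}


def validation_change_batch(describe_response, action="UPSERT"):
    """Route53 ChangeBatch creating the CNAME(s) ACM asks for.

    One record per domain on the certificate. ACM re-checks these same
    records when it renews, so they should stay in the zone afterwards.
    """
    changes = []
    for opt in describe_response["Certificate"]["DomainValidationOptions"]:
        rr = opt.get("ResourceRecord")
        if rr is None:  # ACM has not generated the record yet
            continue
        changes.append({
            "Action": action,
            "ResourceRecordSet": {
                "Name": rr["Name"],
                "Type": rr["Type"],
                "TTL": 300,
                "ResourceRecords": [{"Value": rr["Value"]}],
            },
        })
    return {"Comment": "ACM DNS validation", "Changes": changes}


def is_issued(describe_response):
    return describe_response["Certificate"]["Status"] == "ISSUED"


def viewer_certificate(cert_arn):
    """ViewerCertificate for UpdateDistribution: SNI only, TLS 1.2 as the floor."""
    return {
        "ACMCertificateArn": cert_arn,
        "SSLSupportMethod": "sni-only",
        "MinimumProtocolVersion": "TLSv1.2_2021",
        "CloudFrontDefaultCertificate": False,
    }


def main():
    import boto3

    # CloudFront only accepts ACM certificates issued in us-east-1.
    acm = boto3.client("acm", region_name="us-east-1")
    route53 = boto3.client("route53")
    cloudfront = boto3.client("cloudfront")

    arn = acm.request_certificate(DomainName=DOMAIN, ValidationMethod="DNS")["CertificateArn"]

    # The validation record shows up in DescribeCertificate a few seconds later.
    for _ in range(30):
        batch = validation_change_batch(acm.describe_certificate(CertificateArn=arn))
        if batch["Changes"]:
            break
        time.sleep(5)
    else:
        raise RuntimeError("ACM did not publish a validation record")

    route53.change_resource_record_sets(HostedZoneId=HOSTED_ZONE_ID, ChangeBatch=batch)
    acm.get_waiter("certificate_validated").wait(CertificateArn=arn)
    assert is_issued(acm.describe_certificate(CertificateArn=arn))

    # Read-modify-write with the ETag so a concurrent edit is not silently overwritten.
    current = cloudfront.get_distribution_config(Id=DISTRIBUTION_ID)
    config = current["DistributionConfig"]
    config["ViewerCertificate"] = viewer_certificate(arn)
    cloudfront.update_distribution(Id=DISTRIBUTION_ID, IfMatch=current["ETag"],
                                   DistributionConfig=config)
    print("distribution", DISTRIBUTION_ID, "now serves", arn)


if __name__ == "__main__":
    main()
```

Leave the validation CNAME in the zone after issuance: ACM re-validates through that record when it renews the certificate, and removing it is the usual reason a managed certificate fails to renew.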

Managing Certificates with Let’s Encrypt

  • Start an Ubuntu Docker container locally
  • Install certbot using the following commands
    $ sudo apt-get update
    $ sudo apt-get install software-properties-common
    $ sudo add-apt-repository universe
    $ sudo add-apt-repository ppa:certbot/certbot
    $ sudo apt-get update
    $ sudo apt-get install certbot
  • Create a new certificate
    root@1e6e13dc47f3:/# certbot certonly --manual --preferred-challenges dns -d
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Plugins selected: Authenticator manual, Installer None
    Obtaining a new certificate
    Performing the following challenges:
    dns-01 challenge for
    NOTE: The IP of this machine will be publicly logged as having requested this
    certificate. If you're running certbot in manual mode on a machine that is not
    your server, please ensure you're okay with that.
    Are you OK with your IP being logged?
    (Y)es/(N)o: y
    Please deploy a DNS TXT record under the name with the following value:
    <<Some Code>>
    Before continuing, verify the record is deployed.   
    Press Enter to Continue
    Waiting for verification...
    Cleaning up challenges
    - Congratulations! Your certificate and chain have been saved at:
    Your key file has been saved at:
    Your cert will expire on 2019-07-20. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot
    again. To non-interactively renew *all* of your certificates, run
    "certbot renew"
    - If you like Certbot, please consider supporting our work by:
    Donating to ISRG / Let's Encrypt:
    Donating to EFF:          
  • Copy the generated certificates from the Docker container to the local machine
    root@1e6e13dc47f3:/# cd /etc/letsencrypt/live/
    root@1e6e13dc47f3:/etc/letsencrypt/live# ls -l
        total 4
        -rw-r--r-- 1 root root 543 Apr 21 10:46 README
        lrwxrwxrwx 1 root root  35 Apr 21 10:46 cert.pem -> ../../archive/
        lrwxrwxrwx 1 root root  36 Apr 21 10:46 chain.pem -> ../../archive/
        lrwxrwxrwx 1 root root  40 Apr 21 10:46 fullchain.pem -> ../../archive/
        lrwxrwxrwx 1 root root  38 Apr 21 10:46 privkey.pem -> ../../archive/
    ankitsmacbook$ docker cp 1e6e13dc47f3:/etc/letsencrypt/archive/ .
    ankitsmacbook$ ls -l
        total 8
        -rw-r--r--  1 ankitsmacbook  staff  543 Apr 21 16:16 README
        drwxr-xr-x  6 ankitsmacbook  staff  192 Apr 21 16:16
    ankitsmacbook$ cd
    ankitsmacbook$ ls
    cert1.pem    chain1.pem    fullchain1.pem    privkey1.pem
  • Upload the certificate into the IAM certificate store on AWS.
    ankitsmacbook$ aws iam upload-server-certificate --server-certificate-name datavizz_in_April --certificate-body file://cert1.pem --private-key file://privkey1.pem --certificate-chain file://chain1.pem --path /cloudfront/<<CDNID>>/ --profile=DV
    {
        "ServerCertificateMetadata": {
            "ServerCertificateId": "<<SOME ID>>",
            "ServerCertificateName": "datavizz_in_April",
            "Expiration": "2019-07-20T09:46:51Z",
            "Path": "/cloudfront/<<CDNID>>/",
            "Arn": "<<ARN>>",
            "UploadDate": "2019-04-21T11:24:32Z"
        }
    }
  • Go to CloudFront and update the certificate: remove the existing one and select the newly uploaded certificate by name.
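Before running the upload, a small preflight check, added here and not part of the original post, catches the mistakes that are easy to make with certbot's four files: passing fullchain.pem as the certificate body, swapping key and certificate, or using a path that does not begin with /cloudfront/ (CloudFront only lists IAM certificates stored under that path). It also builds the upload command as an argv list and computes how long the certificate has left from the Expiration field IAM returns, since a certificate stored in IAM is not renewed for you. The PEM strings and the IAM response are constructed samples; the response mirrors the fields shown above.

```python
"""Preflight for `aws iam upload-server-certificate` with certbot output.

Added example, not from the original post. Pure stdlib: it inspects the PEM
files, validates the IAM path, builds the upload argv, and computes remaining
lifetime from the Expiration field in IAM's response. The PEM bodies and the
response below are constructed samples, not real key material.
"""
import re
from datetime import datetime, timezone

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----.*?-----END \1-----", re.S)

# Constructed placeholders: the base64 payload is not a real certificate or key.
FAKE_CERT = "-----BEGIN CERTIFICATE-----\nMIIBconstructed\n-----END CERTIFICATE-----\n"
FAKE_KEY = "-----BEGIN PRIVATE KEY-----\nMIIEconstructed\n-----END PRIVATE KEY-----\n"
FAKE_CHAIN = FAKE_CERT * 2  # chain1.pem holds the intermediate(s) only
SAMPLE_RESPONSE = {  # shape of the upload response, with the timestamps from the post
    "ServerCertificateMetadata": {
        "ServerCertificateName": "datavizz_in_April",
        "Expiration": "2019-07-20T09:46:51Z",
        "Path": "/cloudfront/EXAMPLEID/",
        "UploadDate": "2019-04-21T11:24:32Z",
    }
}


def pem_labels(text):
    """Labels of every PEM block in order, e.g. ['CERTIFICATE', 'CERTIFICATE']."""
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]


def _has_private_key(labels):
    # Covers 'PRIVATE KEY', 'RSA PRIVATE KEY' and 'EC PRIVATE KEY'.
    return any(label.endswith("PRIVATE KEY") for label in labels)


def preflight(cert_body, private_key, chain, path):
    """Return the problems found; an empty list means the upload can proceed."""
    problems = []
    if pem_labels(cert_body) != ["CERTIFICATE"]:
        problems.append("certificate-body must be exactly one CERTIFICATE block "
                        "(cert1.pem, not fullchain1.pem)")
    if not _has_private_key(pem_labels(private_key)):
        problems.append("private-key file has no PRIVATE KEY block")
    chain_labels = pem_labels(chain)
    if not chain_labels or set(chain_labels) != {"CERTIFICATE"}:
        problems.append("certificate-chain must hold only CERTIFICATE blocks")
    for name, text in (("certificate-body", cert_body), ("certificate-chain", chain)):
        if _has_private_key(pem_labels(text)):
            problems.append(f"{name} contains a private key")
    if not (path.startswith("/cloudfront/") and path.endswith("/")):
        problems.append("path must be /cloudfront/<id>/ or CloudFront will not list it")
    return problems


def upload_command(name, path, profile,
                   cert="cert1.pem", key="privkey1.pem", chain="chain1.pem"):
    """argv for subprocess.run(); a list, so no shell quoting is involved."""
    return ["aws", "iam", "upload-server-certificate",
            "--server-certificate-name", name,
            "--certificate-body", f"file://{cert}",
            "--private-key", f"file://{key}",
            "--certificate-chain", f"file://{chain}",
            "--path", path,
            "--profile", profile]


def _parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def days_left(upload_response, now_iso):
    """Whole days until IAM's Expiration, measured from now_iso (same format)."""
    expiry = _parse_ts(upload_response["ServerCertificateMetadata"]["Expiration"])
    return (expiry - _parse_ts(now_iso)).days


def needs_renewal(upload_response, now_iso, threshold_days=30):
    """True once fewer than threshold_days remain; IAM does not renew for you."""
    return days_left(upload_response, now_iso) < threshold_days


if __name__ == "__main__":
    print("problems:", preflight(FAKE_CERT, FAKE_KEY, FAKE_CHAIN, "/cloudfront/EXAMPLEID/"))
    print(" ".join(upload_command("datavizz_in_April", "/cloudfront/EXAMPLEID/", "DV")))
    print("days left at upload:", days_left(SAMPLE_RESPONSE, "2019-04-21T11:24:32Z"))
```

Run the preflight against the real cert1.pem, privkey1.pem and chain1.pem before calling the CLI, and feed the JSON the CLI prints into needs_renewal from a scheduled job; with the timestamps from the post the certificate had 89 whole days left at upload time, so the re-run of certbot and the re-upload need to be on the calendar well before 2019-07-20.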

Let's Encrypt is also a free service for obtaining SSL certificates for your applications. Note that a certificate uploaded to IAM is not renewed automatically: the one above expires on 2019-07-20, so certbot must be run again and the new certificate uploaded to IAM before that date.

If you'd like to see how serverless application design could make an impact in your organization, we are a cloud-native application development company and we'd love to talk.

