
Wildcard SSL-certificate on Heroku and CloudFront

  1. Purchase the SSL certificate.
    I use Comodo PositiveSSL Wildcard from SSLs.

  2. Activate the certificate
    Generate a passphrase-protected private key: openssl genrsa -aes256 -out server.pass.key 2048
    While Heroku accepts a 4096-bit key, the maximum RSA key length CloudFront accepts is 2048 bits, so a single 2048-bit key serves both.
    Save the passphrase to the password manager.
    Strip the passphrase (Heroku and IAM need an unencrypted key): openssl rsa -in server.pass.key -out server.key
    Generate the CSR: openssl req -nodes -new -key server.key -out server.csr
    FQDN (Common Name): *.example.org, i.e. the wildcard itself, not a bare *
    Challenge password: only digits and letters
    Save the challenge password to the password manager.
    Enter the CSR at the SSL reseller: cat server.csr | pbcopy
    Approve via the link in the received email.

  3. Receive the certificate by email
    Paste each PEM block into its own file.
    Save the server certificate: pbpaste > webserver.crt
    Save the intermediate CA certificate: pbpaste > intermediate_ca.crt

  4. Create the SSL certificate bundle
    The bundle must start with the server (leaf) certificate, followed by the intermediate chain. Which filenames you have depends on how the reseller delivered them.
    If you received the Comodo zip (leaf plus bundle.crt): cat STAR_example_org.crt bundle.crt > ssl.crt
    If you saved the email blocks from step 3: cp webserver.crt ssl.crt
    cat intermediate_ca.crt >> ssl.crt
    Verify the bundle (this prints the first certificate, which must be the leaf with CN *.example.org): openssl x509 -in ssl.crt -text -noout

  5. Update the Heroku certificate
    heroku certs:update ssl.crt server.key -a your-app

  6. Create a new CloudFront certificate
    IAM takes the leaf and the chain as separate arguments, so pass the bare leaf as the body and the intermediate bundle as the chain, not the concatenated ssl.crt:
    aws iam upload-server-certificate --server-certificate-name \
      --certificate-body file://STAR_example_org.crt \
      --private-key file://server.key \
      --certificate-chain file://bundle.crt \
      --path /cloudfront/

  7. Update the references in the CloudFront distributions from the old certificate to the new one

  8. Delete the old CloudFront certificate (only after every distribution references the new one)
    aws iam delete-server-certificate --server-certificate-name

  9. Rename the new CloudFront certificate
    aws iam update-server-certificate --server-certificate-name --new-server-certificate-name

  10. Delete the certificate emails.

  11. Save all files to the password manager and delete them from disk.
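The steps above never check that the bundle is assembled correctly before it is uploaded, and a wrong order (intermediate first) or a mismatched key fails only after Heroku or CloudFront rejects it. The script below is an added example, not code from the original post: a throwaway local CA stands in for the reseller so the whole flow (key, wildcard CSR, issued leaf, chain assembly, verification) runs offline. The names example.org, server.key, webserver.crt, intermediate_ca.crt and ssl.crt mirror the post; the root and intermediate CA, the certificate lifetimes and the function names are constructed here and are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. A constructed local CA plays
# the reseller; no real CA, Heroku app or AWS account is involved.
set -eu

# Minimal openssl config so the script does not depend on the system
# openssl.cnf. x509_extensions only applies to the self-signed root.
write_cnf() {
  cat > "$1" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
}

# Constructed root + intermediate CA in directory $1 (stand-in for the
# chain the reseller delivers as bundle.crt / intermediate_ca.crt).
make_fake_ca() {
  d="$1"
  openssl genrsa -out "$d/root.key" 2048 2>/dev/null \
  && openssl req -x509 -new -key "$d/root.key" -config "$d/base.cnf" \
       -subj "/CN=Example Root CA" -days 30 -out "$d/root.crt" \
  && openssl genrsa -out "$d/int.key" 2048 2>/dev/null \
  && openssl req -new -key "$d/int.key" -config "$d/base.cnf" \
       -subj "/CN=Example Intermediate CA" -out "$d/int.csr" \
  && printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' \
       > "$d/int.ext" \
  && openssl x509 -req -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
       -CAcreateserial -days 30 -extfile "$d/int.ext" \
       -out "$d/intermediate_ca.crt" 2>/dev/null
}

# Steps 2 and 3 of the post: 2048-bit key (CloudFront's limit), wildcard CSR
# for *.$2, and the leaf the CA returns. The post first encrypts the key with
# -aes256 and then strips the passphrase; the resulting server.key is the same.
issue_wildcard() {
  d="$1"; domain="$2"
  openssl genrsa -out "$d/server.key" 2048 2>/dev/null \
  && openssl req -new -key "$d/server.key" -config "$d/base.cnf" \
       -subj "/CN=*.$domain" -out "$d/server.csr" \
  && printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:*.%s,DNS:%s\n' \
       "$domain" "$domain" > "$d/leaf.ext" \
  && openssl x509 -req -in "$d/server.csr" -CA "$d/intermediate_ca.crt" \
       -CAkey "$d/int.key" -CAcreateserial -days 30 -extfile "$d/leaf.ext" \
       -out "$d/webserver.crt" 2>/dev/null
}

# Step 4: leaf first, then the intermediate. Heroku and CloudFront treat the
# first PEM block as the server certificate.
assemble_chain() { cat "$1" "$2" > "$3"; }

# Check 1: the leaf ($3) chains to the root ($1) through the intermediate ($2).
verify_chain() {
  openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null
}

# Check 2: the private key ($1) belongs to the FIRST certificate in the
# bundle ($2). openssl x509 parses only the first block, which is the point.
key_matches_cert() {
  k=$(openssl rsa -in "$1" -noout -modulus | openssl sha256)
  c=$(openssl x509 -in "$2" -noout -modulus | openssl sha256)
  [ "$k" = "$c" ]
}

# Check 3: the first certificate in $1 is the wildcard for domain $2.
first_cert_is_wildcard_for() {
  openssl x509 -in "$1" -noout -subject | grep -q "\*\.$2"
}

# End-to-end run in a temp dir. Returns 0 only if the correctly ordered
# bundle passes every check AND the intermediate-first bundle is rejected.
run_demo() {
  d=$(mktemp -d) || return 1
  rc=1
  if write_cnf "$d/base.cnf" && make_fake_ca "$d" \
     && issue_wildcard "$d" example.org \
     && assemble_chain "$d/webserver.crt" "$d/intermediate_ca.crt" "$d/ssl.crt" \
     && verify_chain "$d/root.crt" "$d/intermediate_ca.crt" "$d/webserver.crt" \
     && key_matches_cert "$d/server.key" "$d/ssl.crt" \
     && first_cert_is_wildcard_for "$d/ssl.crt" example.org \
     && assemble_chain "$d/intermediate_ca.crt" "$d/webserver.crt" "$d/wrong.crt" \
     && ! key_matches_cert "$d/server.key" "$d/wrong.crt"; then
    rc=0
  fi
  rm -rf "$d"
  return $rc
}
```

Against a real delivery, run the three checks on your own files: verify_chain with the reseller's root, key_matches_cert on server.key and ssl.crt, and first_cert_is_wildcard_for on ssl.crt. The modulus comparison is the one that catches the intermediate-first mistake, because the intermediate's modulus never matches your key; a bare `openssl x509 -text` on a mis-ordered bundle still prints a perfectly valid-looking certificate.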

Written on 26 May 2021.