HOW to create SSL certificates from a third party, import them to AWS and don’t fail in the process
During the last days of the past year I received a request to renew SSL certificates, probably like most of you. As we know, sometimes this is automated through AWS, but on other occasions it is necessary to get your hands dirty ;-)
This time I first needed to create a CSR (Certificate Signing Request) together with a private key to hand to the client, so they could request the new certificate from a third-party CA.
I did this by running the following command:
openssl req -new -out <csr_name>.csr -newkey rsa:2048 -nodes -sha256 -keyout <key_toencrypt_csr>.key -config citi.conf
Notice that I passed the command a conf file where all the details are set (the CN and the subjectAltName entries, so the request covers every hostname you need):
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
CN = www.your-new-domain.com
[ req_ext ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = your-new-domain.com
DNS.2 = www.your-new-domain.com
Inspect your Certificate Signing Request (CSR) and confirm its subject and signature algorithm are correct by running the following.
openssl req -in CSR.csr -noout -text
To confirm that it was created for all the domains you need:
openssl req -in CSR.csr -noout -text | grep DNS
The CA will issue a new certificate from the CSR; you can either copy the certificates from the provider's site or download them.
If you choose to download them, be sure to select the File Type "Individual .crts (zipped)". (Depending on the provider, some of these steps may differ.)
The last step is to import the certificate into AWS Certificate Manager, where you will find the following fields:
In Certificate Body, paste the first individual certificate, the one named after your domain.
Certificate private key is the private key you generated when creating the CSR. ACM only accepts an unencrypted PEM key, which is why the command above uses -nodes.
Finally, Certificate chain is the intermediate certificate from the DigiCert page; check that its name contains "CA".
After filling in the three fields and clicking Next you can add a tag to identify your new certificate, and that's it! You're ready to update it on your load balancer, CloudFront distribution, etc.
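The checks a practitioner runs before the ACM import, as an added example that is not part of the original post: it writes a request config of the same shape as the one above into a scratch directory (the directory and file names site.key / site.csr are assumptions), generates the key and CSR, confirms every expected hostname is in the SAN extension, and confirms the private key matches the request, which is the mismatch ACM rejects at import time. The same key_matches check works with x509 in place of req to compare the issued certificate against the key.

```shell
#!/bin/sh
# Added example (not the post's own code): CSR generation plus pre-import checks.
set -e
WORK="${WORK:-$(mktemp -d)}"        # scratch directory (assumption)
DOMAIN="your-new-domain.com"
# Request config, same shape as the article's conf file, under a [ req ] section.
cat > "$WORK/req.conf" <<EOF
[ req ]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
CN = www.$DOMAIN
[ req_ext ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = $DOMAIN
DNS.2 = www.$DOMAIN
EOF

# make_csr: create the unencrypted private key and the CSR; prints the CSR path.
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$WORK/site.key" -out "$WORK/site.csr" -config "$WORK/req.conf" 2>/dev/null
  echo "$WORK/site.csr"
}

# csr_has_sans CSR NAME...: succeeds only if every NAME is a DNS entry of the SAN extension.
csr_has_sans() {
  csr="$1"; shift
  sans=$(openssl req -in "$csr" -noout -text | grep -o 'DNS:[^,[:space:]]*' | sed 's/^DNS://')
  for name in "$@"; do
    echo "$sans" | grep -qx "$name" || return 1
  done
}

# key_matches KIND FILE KEY: KIND is req (CSR) or x509 (certificate); succeeds only if
# the public key inside FILE is the one derived from the private KEY.
key_matches() {
  kind="$1"; file="$2"; key="$3"
  a=$(openssl "$kind" -in "$file" -noout -pubkey 2>/dev/null | openssl sha256)
  b=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
  [ -n "$a" ] && [ "$a" = "$b" ]
}
```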