Tags: openssl, ssl-certificate, amazon-cloudfront, pem, amazon-iam

Can't craft valid IAM SSL Certificate for Cloudfront


I created a CSR by running the good ole

$ openssl req -nodes -newkey rsa:4096 -keyout example.key -out example.csr

This yielded an example.csr and example.key

Then, I got it signed and received back 4 .crt files: my domain .crt, 2 intermediates, and the root.

From this: http://docs.aws.amazon.com/IAM/latest/APIReference/API_UploadServerCertificate.html, I gather that Amazon wants my private key to be PEM encoded, so I ran

$ openssl rsa -in example.key -text > example.pem

Cloudfront also wants what they call a CertificateChain, and from https://bryce.fisher-fleig.org/blog/setting-up-ssl-on-aws-cloudfront-and-s3/ and http://docs.aws.amazon.com/IAM/latest/UserGuide/InstallCert.html#SampleCert, it seems that the file should be the 2 intermediate certs concatenated together. So I made that file using a text editor and called it example.crt.chain

Finally, with all that in hand, I ran

$ aws iam upload-server-certificate --server-certificate-name star-assets-example-com --certificate-body file://STAR_assets_example_com.crt --private-key file://example.pem --certificate-chain file://example.crt.chain --path /cloudfront/assets/

That returned to me the "ServerCertificateMetadata". Finally, I went to the Cloudfront console and tried to set that certificate as the "Custom SSL Certificate" for cloudfront. But, it tells me that

AWS Error Code: InvalidViewerCertificate, AWS Error Message: The specified SSL certificate doesn't exist in the IAM certificate store, isn't valid, or doesn't include a valid certificate chain.

Modifications I have tried:

  1. Including and not including the root certificate in the chain. Both upload but neither work.
  2. I have tried removing the "modulus", "privateExponent", "prime1", etc from the head of my PEM file so that it only contains the "-----BEGIN RSA PRIVATE KEY-----...-----END RSA PRIVATE KEY-----" stuff, like the AWS article suggests. Both upload but neither work.
  3. Changing the ordering of certificates in my chain file results in an invalid error from the uploader tool.
  4. Not including the certificate chain, but that clearly goes against what cloudfront says I need.
  5. Using my original example.key file instead of the openssl rsa encoded PEM file. That produces errors from the uploader tool. This file is of the form "-----BEGIN PRIVATE KEY-----...-----END PRIVATE KEY-----"

Solution

  • So it turns out that my error was simply that my certificate size was too long. The maximum length is 2048, while mine was 4096! I found my issue by reading about a similar issue here: Having trouble associated SSL cert with Amazon Cloudfront

    I guess that's what the obscure 'invalid' meant. I really wish there was more validation with better error messages!!!!
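The thread above ends with the real cause (a 4096-bit key where the limit is 2048) and a wish for better validation. The following is an added pre-flight checker, not code from the poster or from AWS, that inspects the private key and chain files locally before `aws iam upload-server-certificate` is run: it reads the RSA modulus size from either a PKCS#1 `RSA PRIVATE KEY` block (what `openssl rsa` emits) or a PKCS#8 `PRIVATE KEY` block (what `openssl req -newkey` emits), flags a key longer than the 2048-bit limit stated in the answer, flags the `modulus:`/`privateExponent:` text dump that `openssl rsa -text` prepends (modification 2 in the question), and counts the certificate blocks in the chain file. The DER parsing is deliberately minimal and assumes an RSA key; the `make_sample_key_pem` helper builds a constructed, structurally valid but unusable key of a chosen size so the checker can be exercised offline.

```python
import base64
import re

# Limit quoted in the accepted answer above: CloudFront rejects RSA keys
# longer than 2048 bits.
MAX_RSA_BITS = 2048

_PEM_RE = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def parse_pem_blocks(text):
    """Return [(label, der_bytes)] for every PEM block in text, in file order."""
    blocks = []
    for m in _PEM_RE.finditer(text):
        b64 = re.sub(r"\s+", "", m.group(2))
        blocks.append((m.group(1), base64.b64decode(b64)))
    return blocks


def stray_lines(text):
    """Non-empty lines outside any PEM block, e.g. the 'modulus:' dump that
    `openssl rsa -text` writes before the key (some uploaders reject it)."""
    stripped = _PEM_RE.sub("", text)
    return [ln for ln in stripped.splitlines() if ln.strip()]


def _read_tlv(buf, pos):
    """Minimal DER TLV reader: returns (tag, value_bytes, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def rsa_modulus_bits(label, der):
    """Bit length of the RSA modulus in a PKCS#1 ('RSA PRIVATE KEY') or
    PKCS#8 ('PRIVATE KEY', assumed to wrap an RSA key) DER body."""
    if label == "PRIVATE KEY":                 # PKCS#8: unwrap PrivateKeyInfo
        _, info, _ = _read_tlv(der, 0)
        _, _, pos = _read_tlv(info, 0)         # version
        _, _, pos = _read_tlv(info, pos)       # AlgorithmIdentifier
        _, der, _ = _read_tlv(info, pos)       # OCTET STRING holding RSAPrivateKey
    elif label != "RSA PRIVATE KEY":
        raise ValueError("not an RSA private key: " + label)
    _, seq, _ = _read_tlv(der, 0)              # RSAPrivateKey SEQUENCE
    _, _, pos = _read_tlv(seq, 0)              # version
    _, modulus, _ = _read_tlv(seq, pos)        # n
    return int.from_bytes(modulus, "big").bit_length()


def preflight(key_pem, chain_pem):
    """Checks to run on the two files before uploading them to IAM."""
    keys = [b for b in parse_pem_blocks(key_pem) if b[0].endswith("PRIVATE KEY")]
    if len(keys) != 1:
        raise ValueError("expected exactly one private key block, got %d" % len(keys))
    label, der = keys[0]
    bits = rsa_modulus_bits(label, der)
    chain = [b for b in parse_pem_blocks(chain_pem) if b[0] == "CERTIFICATE"]
    return {
        "key_format": "PKCS#8" if label == "PRIVATE KEY" else "PKCS#1",
        "key_bits": bits,
        "key_size_ok": bits <= MAX_RSA_BITS,
        "stray_key_text": stray_lines(key_pem),
        "chain_certs": len(chain),
    }


# --- constructed test fixture (hypothetical helper, not a real key) ---------
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def _der_int(i):
    b = i.to_bytes((i.bit_length() + 7) // 8 or 1, "big")
    return _tlv(0x02, (b"\x00" + b) if b[0] & 0x80 else b)


def make_sample_key_pem(bits, pkcs8=False):
    """CONSTRUCTED fixture: RSAPrivateKey header with a dummy modulus of the
    requested size (version, n, e, d only). Not usable as a key."""
    n = (1 << (bits - 1)) | 1
    body = _tlv(0x30, _der_int(0) + _der_int(n) + _der_int(65537) + _der_int(3))
    label = "RSA PRIVATE KEY"
    if pkcs8:
        rsa_oid = bytes.fromhex("06092a864886f70d0101010500")  # rsaEncryption + NULL
        body = _tlv(0x30, _der_int(0) + _tlv(0x30, rsa_oid) + _tlv(0x04, body))
        label = "PRIVATE KEY"
    b64 = base64.encodebytes(body).decode()
    return "-----BEGIN %s-----\n%s-----END %s-----\n" % (label, b64, label)


if __name__ == "__main__":
    chain = "-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n" * 2
    print(preflight(make_sample_key_pem(4096), chain))   # key_size_ok: False
```

Running the checker on the question's inputs would have reported `key_bits: 4096, key_size_ok: False` before any upload, which is the validation the answer wishes IAM had given. Note that IAM accepting the upload (as it did here) says nothing about CloudFront's stricter key-size requirement, so the local check is worth keeping even when the upload succeeds.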