Implementing SSL on AWS S3

Well, this was a bit of a pain, since I’m unfamiliar with the matter. AWS S3 does not support HTTPS directly, but it can be done via CloudFront.

So I’m using Mac OS X, and wanted to use HTTPS on my site and blog which are hosted on AWS S3. The domain was purchased from Namecheap.

This is what I did.

Step 1: Preparation.

First up, install the AWS command line interface, and set it up. The setup is straightforward. You’ll need your AWS key and secret, and you’ll have to answer a few questions. Open up a terminal and enter the following:

brew install awscli
aws configure

This’ll bring up a few questions from Amazon, so make sure to have your ID and Key nearby.

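Step 2: Generate the key and the signing request

Then, generate an SSL private key and a certificate signing request (CSR). On OSX this was once again reasonably straightforward once I figured it out. Once again in the terminal.

This is the private key. It is the actual secret, so keep key.pem to yourself:

openssl genrsa 2048 > key.pem

And this is how you use it to generate the signing request. Despite the file name, key-secret.pem is not secret; it is the file you hand to the certificate provider:

openssl req -new -key key.pem -out key-secret.pem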

Step 3: Submit the request for verification

Submit key-secret.pem, in my case via Namecheap. They want the content of that file only; key.pem stays on your machine. I chose apache/nginx/cpanel.

Verify by email is the quickest. Follow the steps in the email.

Step 4: Activation on AWS

Once the issuing body sends you your actual certificates, you’re ready to upload them to AWS. Inside the ZIP file that Comodo sent me, there were two files, one crt and one ca-bundle. You’ll need those, and the key, to activate the certificate. Use the following command:

aws iam upload-server-certificate \
    --server-certificate-name thuijls.net \
    --certificate-body file://www_thuijls_net.crt \
    --private-key file://key.pem \
    --certificate-chain file://www_thuijls_net.ca-bundle \
    --path /cloudfront/

--server-certificate-name is just a name. Call it what you want; this is how you’ll recognise that particular certificate on AWS when activating it on CloudFront.

--certificate-body is the certificate that was in the ZIP file.

--private-key is the key generated by the openssl genrsa command in Step 2.

--certificate-chain is the ca-bundle file that was in the ZIP file.

--path is for AWS. It means you’re uploading them to CloudFront instead of some other part of their service.

You can verify which certificates are installed with the following, once again in the terminal:

aws iam list-server-certificates
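Before running the upload in Step 4, it helps to confirm that the certificate the CA sent back really belongs to key.pem, since a mismatched pair is rejected by the upload. The script below is an added example, not part of the original post; the function names and the www.example.test sample files are made up for illustration.

```shell
#!/usr/bin/env bash
# Pre-upload check for `aws iam upload-server-certificate`: does the certificate
# (or CSR) carry the same public key as the private key generated in Step 2?

# Read a PEM public key on stdin, print the SHA-256 of its DER encoding.
# Fails on empty input so two unreadable files can never compare as equal.
spki_hash() {
    pem=$(cat)
    [ -n "$pem" ] || return 1
    printf '%s\n' "$pem" | openssl pkey -pubin -outform DER | openssl dgst -sha256 -r | cut -d' ' -f1
}

hash_of_key()  { openssl pkey -in "$1" -pubout 2>/dev/null | spki_hash; }
hash_of_cert() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null | spki_hash; }
hash_of_csr()  { openssl req -in "$1" -noout -pubkey 2>/dev/null | spki_hash; }

# Succeed only if both files parse and the public keys are identical.
cert_matches_key() { c=$(hash_of_cert "$1") && k=$(hash_of_key "$2") && [ "$c" = "$k" ]; }
csr_matches_key()  { c=$(hash_of_csr "$1")  && k=$(hash_of_key "$2") && [ "$c" = "$k" ]; }

# Succeed if the certificate has not expired yet.
cert_not_expired() { openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1; }

# Constructed sample material (www.example.test), not the files from the post.
make_demo_files() {
    d=$(mktemp -d)
    openssl genrsa -out "$d/key.pem" 2048 2>/dev/null
    openssl genrsa -out "$d/other.pem" 2048 2>/dev/null
    openssl req -new -key "$d/key.pem" -subj "/CN=www.example.test" -out "$d/csr.pem" 2>/dev/null
    openssl req -new -x509 -key "$d/key.pem" -subj "/CN=www.example.test" -days 1 \
        -out "$d/cert.crt" 2>/dev/null
    echo "$d"
}

# Usage: bash check.sh CERT KEY   (the .crt from the CA and key.pem)
if [ "$#" -eq 2 ]; then
    if cert_matches_key "$1" "$2" && cert_not_expired "$1"; then
        echo "OK: certificate matches key and is not expired"
    else
        echo "FAIL: mismatch, unreadable file, or expired certificate" >&2
        exit 1
    fi
fi
```

The same comparison with csr_matches_key tells you whether a CSR was generated from the key you still have, which is worth knowing before paying for a certificate.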

Step 5: Create a CloudFront Distribution

Head over to AWS CloudFront and create a WEB based distribution.

Origin Domain Name: do not pick a bucket, but enter the S3 endpoint instead. You can find this on the bucket properties, and you’ve probably pointed a CNAME record to it. Once you paste it in, a few more options become available. Make sure to set the Origin Protocol Policy to HTTP Only, because S3 can’t have it any other way.

Viewer Protocol Policy: make sure to pick Redirect HTTP to HTTPS. Kind of pointless otherwise.

Alternate Domain Names (CNAMEs): Enter the hostnames you intend to use with the Distribution.

SSL certificate: Pick the one you uploaded. You can recognise it by name. In the example in Step 4, you’ll see I called mine thuijls.net, so that’s what’ll appear in the dropdown box.

Now sit back and relax. The creation of the distribution can take a little while, depending on the size of your bucket. Mine is tiny and it took 10, 15 minutes.

Step 6: DNS settings

Once the CloudFront Distribution is created, you’ll need to move your www DNS setting from S3 to CloudFront. You can find the Distribution URL in the overview.

I also redirected my root domain to www.


Jorg Thuijls

Jorg is a SAP and UI5 developer.