Implementing SSL on AWS S3
Well this was a bit of a pain, since I'm unfamiliar with the matter. AWS S3 does not serve HTTPS for a custom domain directly, but it can be done by putting CloudFront in front of the bucket.
So I'm using Mac OS X, and wanted to use HTTPS on my site and blog, which are hosted on AWS S3. The domain was purchased from Namecheap.
This is what I did.
Step 1: Preparation.
First up, install the AWS command line interface and set it up. The setup is straightforward: you'll need your AWS access key ID and secret key, and you answer a few questions. Open up a terminal and enter the following:
This will prompt you with a few questions from Amazon; make sure to have your access key ID and secret key nearby.
Step 2: Generate the key and secret
Then, generate an SSL private key and a certificate signing request (the "secret" below, which is what the CA signs). On OS X this was once again reasonably straightforward once I figured it out. Once again, in the terminal.
This is the key:
And this is how you use it to generate the secret (the signing request):
Step 3: Submit them for verification
Submit this, in my case via Namecheap. They want the contents of key-secret.pem. I chose Apache/Nginx/cPanel as the server type.
Verification by email is the quickest. Follow the steps in the email.
Step 4: Activation on AWS
Once the issuing body sends you your actual certificates, you're ready to upload them to AWS. The ZIP file that, in my case, Comodo sent me contained two files: one .crt and one .ca-bundle. You'll need both, plus the key, to activate the certificate. Use the following command:
--server-certificate-name is just a name. Call it what you want; this is how you'll recognise that particular certificate on AWS when activating it on CloudFront.
--certificate-body is the certificate (the .crt) that was in the ZIP file.
--private-key is the key generated by the openssl command in Step 2.
--path is for AWS: it tells the service the certificate is meant for CloudFront rather than some other part of their service.
You can verify which certificates are installed with the following command, once again in the terminal:
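The key generation of Step 2 and the upload and check of Step 4 as one script. This is an added example, not the post's own commands; it assumes openssl and a configured AWS CLI are installed, assumes the issued files are named thuijls_net.crt and thuijls_net.ca-bundle, and uses the CLI's --private-key and --certificate-chain options together with --path /cloudfront/.

```shell
#!/bin/sh
# Added example (not the post's own commands). Assumes openssl and the AWS CLI
# are installed and `aws configure` has been run.
set -eu

# Step 2: private key plus certificate signing request (the "secret" the CA wants).
gen_key_and_csr() {
  domain="$1"; key="$2"; csr="$3"
  openssl genrsa -out "$key" 2048
  chmod 600 "$key"   # only the CSR is sent to the CA; the key stays private on this machine
  openssl req -new -key "$key" -out "$csr" -subj "/CN=$domain"
}

# Before uploading: confirm the issued cert chains to a trusted root through the
# CA bundle, and that it actually belongs to our private key (modulus comparison).
check_issued_cert() {
  crt="$1"; key="$2"; bundle="$3"
  openssl verify -untrusted "$bundle" "$crt" >/dev/null
  [ "$(openssl x509 -noout -modulus -in "$crt")" = "$(openssl rsa -noout -modulus -in "$key")" ]
}

# Step 4: build the IAM upload command. It is printed rather than run directly so it
# can be reviewed; --path /cloudfront/ is what makes the cert selectable in CloudFront.
upload_cmd() {
  name="$1"; crt="$2"; key="$3"; bundle="$4"
  printf 'aws iam upload-server-certificate --server-certificate-name %s --certificate-body file://%s --private-key file://%s --certificate-chain file://%s --path /cloudfront/' \
    "$name" "$crt" "$key" "$bundle"
}

# The verification step from the post, restricted to the CloudFront path.
list_cloudfront_certs() {
  aws iam list-server-certificates --path-prefix /cloudfront/
}

# Two explicit modes so the file can also be sourced without side effects.
# Assumed file names: key.pem, key-secret.pem, thuijls_net.crt, thuijls_net.ca-bundle.
case "${1:-}" in
  csr)    gen_key_and_csr thuijls.net key.pem key-secret.pem ;;
  upload) check_issued_cert thuijls_net.crt key.pem thuijls_net.ca-bundle
          sh -c "$(upload_cmd thuijls.net thuijls_net.crt key.pem thuijls_net.ca-bundle)"
          list_cloudfront_certs ;;
esac
```

Run `sh s3ssl.sh csr` before submitting to the CA, and `sh s3ssl.sh upload` once the ZIP has arrived.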
Step 5: Create a Cloudfront Distribution
Head over to AWS CloudFront and create a Web distribution.
Origin Domain Name: do not pick a bucket; enter the S3 endpoint instead. You can find this in the bucket properties, and you've probably already pointed a CNAME record at it. Once you paste it in, a few more options become available. Make sure to set the Origin Protocol Policy to HTTP Only; S3 can't have it any other way.
Viewer Protocol Policy: make sure to pick Redirect HTTP to HTTPS. The whole exercise is kind of pointless otherwise.
Alternate Domain Names (CNAMES): Enter the hostnames you intend to use with the Distribution.
SSL certificate: pick the one you uploaded. You can recognise it by name. In the example in Step 4, you'll see I called mine thuijls.net, so that's what'll appear in the dropdown box.
Now sit back and relax. The creation of the distribution can take a little while, depending on the size of your bucket. Mine is tiny and it took 10 to 15 minutes.
Step 6: DNS settings
Once the CloudFront distribution is created, you'll need to move your www DNS record from S3 to CloudFront. You can find the distribution URL in the overview.
I also redirected my root domain to
Jorg is a SAP and UI5 developer.