Uploading an SSL Certificate to IAM for use with ELB or CloudFront using PowerShell

Because I only do this once or twice a year, I can never quite remember how to get it done. So consider this post an aide-memoire of sorts.

Generally, your SSL cert will turn up as one or (preferably) more *.crt files – one the actual certificate, the other(s) the intermediate certificates that make up the verification chain – and you should also have the private key, probably as a *.key file. IAM wants all three as PEM text: the certificate, the chain, and an unencrypted RSA private key.

Step one: convert these to PEM format using openssl.exe at the PowerShell prompt. Don’t have openssl? Download it here or install it with Chocolatey, as follows:

cinst openssl -y

Now, down to the business of conversion. Hopefully, you have an x509 format cert and chain. First check what you actually have: if the files open in a text editor and start with -----BEGIN CERTIFICATE-----, they are PEM already and need no conversion at all. If they are binary (DER) files, convert them into the AWS-friendly PEM format like so, letting openssl write the output with -out rather than piping through out-file (Windows PowerShell’s Out-File defaults to UTF-16, which openssl and other tools will not read back as PEM):

openssl x509 -in mycertificate.crt -inform der -outform pem -out mycertificate.pem
openssl x509 -in mychain.crt -inform der -outform pem -out mychain.pem

One caveat on the chain: openssl x509 only processes the first certificate in a file, so a bundle containing several intermediates must already be PEM (use it as-is) or be split into one file per certificate before converting. The chain you upload should contain the intermediates only, starting with the one that signed your certificate, and not the certificate itself.

Next, we do the same to the private key. openssl rsa accepts a PEM or DER (-inform der) key and always writes it out unencrypted, which is what IAM requires; if your key has a passphrase you will be prompted for it. That means mykey.pem is a plaintext private key: keep it off shared drives and delete it once the upload is done.

openssl rsa -in mykey.key -outform pem -out mykey.pem

Now, how do we get these into AWS?

We use the Publish-IAMServerCertificate cmdlet, of course (the PowerShell wrapper around the UploadServerCertificate API). The -Path value must begin and end with a slash.

For use in ELBs, we use this

Publish-IAMServerCertificate `
       -ServerCertificateName my-certificate-name `
       -Path / `
       -CertificateBody (gc .\mycertificate.pem -raw) `
       -CertificateChain (gc .\mychain.pem -raw) `
       -PrivateKey (gc .\mykey.pem -raw)

And to do the same for CloudFront, you need the /cloudfront/ path, because CloudFront only offers certificates that were uploaded under that path, like so

Publish-IAMServerCertificate `
       -ServerCertificateName my-certificate-name `
       -Path /cloudfront/ `
       -CertificateBody (gc .\mycertificate.pem -raw) `
       -CertificateChain (gc .\mychain.pem -raw) `
       -PrivateKey (gc .\mykey.pem -raw)

And your certificate will be uploaded to IAM and squirrelled away in its server certificate store. IAM is global, so the certificate is visible from every region. You can check that it’s there by using

Get-IAMServerCertificates

Or

Get-IAMServerCertificate -ServerCertificateName <your new cert name>
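Putting the steps above together, here is an added example, not code from the original post, that converts, sanity-checks, uploads and then reads back the certificate in one script. It assumes openssl.exe is on the PATH, the IAM cmdlets from the AWS Tools for PowerShell are installed, and AWS credentials are already configured; the file names, the certificate name and the temp working folder are placeholders for illustration.

```powershell
# Added example: convert, check, upload and verify an IAM server certificate.
# Assumes openssl.exe on the PATH, AWS Tools for PowerShell IAM cmdlets, and
# AWS credentials already configured. File and certificate names are placeholders.
param(
    [string]$CertFile  = '.\mycertificate.crt',
    [string]$ChainFile = '.\mychain.crt',
    [string]$KeyFile   = '.\mykey.key',
    [string]$CertName  = 'my-certificate-name',
    [switch]$ForCloudFront                      # upload under /cloudfront/ instead of /
)
$ErrorActionPreference = 'Stop'

function Invoke-OpenSsl {
    # Run openssl.exe with the given arguments and fail loudly on a non-zero exit code.
    $out = & openssl @args
    if ($LASTEXITCODE -ne 0) { throw "openssl $($args[0]) failed (exit $LASTEXITCODE)" }
    $out
}

function Test-IsPem([string]$Path) {
    [System.IO.File]::ReadAllText($Path) -match '-----BEGIN '
}

function ConvertTo-CertPem([string]$In, [string]$Out) {
    # PEM input is copied unchanged: openssl x509 would keep only the first
    # certificate of a multi-cert bundle. DER input is converted with -out so
    # Out-File's default encoding (UTF-16 on Windows PowerShell) never touches it.
    if (Test-IsPem $In) { Copy-Item $In $Out }
    else { Invoke-OpenSsl x509 -in $In -inform der -outform pem -out $Out | Out-Null }
}

# Work in a private temp folder; the unencrypted key only ever lives here.
$work = Join-Path $env:TEMP ("iam-cert-" + [guid]::NewGuid())
New-Item -ItemType Directory -Path $work | Out-Null
try {
    $certPem  = Join-Path $work 'certificate.pem'
    $chainPem = Join-Path $work 'chain.pem'
    $keyPem   = Join-Path $work 'key.pem'

    ConvertTo-CertPem $CertFile  $certPem
    ConvertTo-CertPem $ChainFile $chainPem
    # Always run the key through openssl rsa: it accepts PEM or DER and strips
    # any passphrase (prompting for it), which is what IAM requires.
    $keyInform = if (Test-IsPem $KeyFile) { 'pem' } else { 'der' }
    Invoke-OpenSsl rsa -in $KeyFile -inform $keyInform -outform pem -out $keyPem | Out-Null

    # Check 1: the key belongs to the certificate (same RSA modulus).
    $certMod = Invoke-OpenSsl x509 -noout -modulus -in $certPem
    $keyMod  = Invoke-OpenSsl rsa  -noout -modulus -in $keyPem
    if ($certMod -ne $keyMod) { throw 'Private key does not match the certificate' }

    # Check 2: the chain actually signs the certificate. -partial_chain lets the
    # intermediates act as trust anchors, since openssl.exe has no OS root store.
    Invoke-OpenSsl verify '-partial_chain' -CAfile $chainPem $certPem | Out-Null

    # Check 3: refuse a certificate that expires within the next 24 hours.
    Invoke-OpenSsl x509 -noout -checkend 86400 -in $certPem | Out-Null

    # Upload. CloudFront only sees certificates stored under the /cloudfront/ path.
    $path = if ($ForCloudFront) { '/cloudfront/' } else { '/' }
    $meta = Publish-IAMServerCertificate -ServerCertificateName $CertName -Path $path `
        -CertificateBody  (Get-Content $certPem  -Raw) `
        -CertificateChain (Get-Content $chainPem -Raw) `
        -PrivateKey       (Get-Content $keyPem   -Raw)
    Write-Host "Uploaded $($meta.Arn) (expires $($meta.Expiration))"

    # Read it back and confirm IAM stored the certificate we sent (SHA-256 fingerprint).
    $stored    = Get-IAMServerCertificate -ServerCertificateName $CertName
    $storedPem = Join-Path $work 'stored.pem'
    Set-Content -Path $storedPem -Value $stored.CertificateBody -Encoding ascii
    $sent = Invoke-OpenSsl x509 -noout -fingerprint -sha256 -in $certPem
    $got  = Invoke-OpenSsl x509 -noout -fingerprint -sha256 -in $storedPem
    if ($sent -ne $got) { throw 'Certificate read back from IAM does not match the upload' }
    Write-Host "Verified $got"
}
finally {
    # Remove the plaintext key and other working files (a delete, not a secure wipe).
    Remove-Item -Recurse -Force $work -ErrorAction SilentlyContinue
}
```

Save it as, say, Publish-Cert.ps1 (a hypothetical name) and run `.\Publish-Cert.ps1` for an ELB certificate or `.\Publish-Cert.ps1 -ForCloudFront` for CloudFront. The three openssl checks are the ones that catch the usual upload failures before IAM does: a key that belongs to a different CSR, a chain that is missing the signing intermediate, and a certificate that is about to expire.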

Side Note: There’s a command called Get-IAMServerCertificate and another called Get-IAMServerCertificates – note the ‘s’. This breaks the PowerShell convention of a single command operating on both singular and multiple values. I would hope AWS would eventually fix this flaw and bring the SDK into line with published PowerShell conventions, but we will see.

Now, when you go to your CloudFront distribution or your ELB’s listeners tab, you should be presented with your new certificate in the dropdown of available certs, and you’ll have your content nicely secured.
