Using AWS Certificate Manager to Secure Your Website

I was pretty excited by AWS's announcement of AWS Certificate Manager - basically, I like to operate pretty cheaply and this is essentially just free wildcard SSL certificates. Don't get me wrong - regular certificate authorities still have an active role to play. Currently AWS-supplied certificates only work on Elastic Load Balancers and CloudFront distributions.

Still super excited. I basically went and immediately upgraded my blog... which you're currently reading.

So to continue on my S3 website hosting train: today we're going to make a website https only.

Certificate Manager

Currently I'm of the opinion that anything that can be, should be encrypted and protected. This just adds a tool for doing so. Having a secure website has never been so easy. Or cheap. Cheap being free. Except for your traffic. You pay for that.

Literally every CA that charges huge money for certificates can go die by fire. Lots and lots of purifying fire. Okay, maybe a bit of hate there.

To start you'll need to go to the AWS Certificate Manager console. If it's your first time you'll be greeted by a "get started" button. Otherwise you'll click "Request a certificate".

On the next page you'll be greeted by some information - as of this writing, use of the certificates is supported only on Elastic Load Balancers and CloudFront. I hope they support it on the API Gateway soon. You'll also be able to specify the domain names you want the certificate to cover. Since I use this blog as an endpoint for multiple domains I specified the following:

  • justinfox.me
  • *.justinfox.me
  • 666jfox777.com
  • *.666jfox777.com
  • dreamfiretechnologies.com
  • *.dreamfiretechnologies.com
  • foxcorporations.com
  • *.foxcorporations.com
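
Each domain appears twice in that list because a wildcard name stands for exactly one leftmost label: `*.justinfox.me` covers `www.justinfox.me` but not the bare `justinfox.me`, and not `a.b.justinfox.me`. The following is an added example, not code from the original post, that checks a list of hostnames against the requested names; the function names and the sample hostnames are constructed for illustration.

```python
# Added example: which hostnames does a certificate's name list cover?
# Wildcard rule (RFC 6125): "*" stands for exactly one leftmost DNS label.

# The names requested in the post.
CERT_NAMES = [
    "justinfox.me", "*.justinfox.me",
    "666jfox777.com", "*.666jfox777.com",
    "dreamfiretechnologies.com", "*.dreamfiretechnologies.com",
    "foxcorporations.com", "*.foxcorporations.com",
]


def name_matches(pattern: str, host: str) -> bool:
    """True if one certificate name covers `host`."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    # Same number of labels is required; empty labels are malformed.
    if len(p_labels) != len(h_labels) or "" in h_labels:
        return False
    if p_labels[0] == "*":
        # Wildcard covers any single leftmost label, never the apex
        # and never more than one level of subdomain.
        return p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def covering_name(host: str, cert_names=CERT_NAMES):
    """Return the first certificate name that covers `host`, or None."""
    for pattern in cert_names:
        if name_matches(pattern, host):
            return pattern
    return None


def uncovered(hosts, cert_names=CERT_NAMES):
    """Hostnames that would fail TLS name validation with this certificate."""
    return [h for h in hosts if covering_name(h, cert_names) is None]


if __name__ == "__main__":
    # Constructed sample hostnames; only the apex domains come from the post.
    sample = ["justinfox.me", "www.justinfox.me", "a.b.justinfox.me",
              "blog.foxcorporations.com", "example.org"]
    for h in sample:
        print(f"{h:28} -> {covering_name(h) or 'NOT COVERED'}")
```

Run it against every alias configured on the distribution before requesting the certificate; anything reported as not covered needs its own entry in the request.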

Click "review and request" and then "confirm and request". An email will be sent to the domain owner.

Greetings from Amazon Web Services,

We received a request to issue an SSL/TLS certificate for *.justinfox.me.

Verify that the domain, AWS account ID, and certificate identifier below correspond to a request from you or someone in your organization.

Domain: justinfox.me
AWS account number: [REDACTED]
Certificate identifier: [REDACTED]

To approve this request, go to Amazon Certificate Approvals ([REDACTED]) and follow the instructions on the page.

If you choose not to approve this request, you do not need to do anything.

This email is intended solely for authorized individuals for justinfox.me. To express any concerns about this email or if this email has reached you in error, forward it along with a brief explanation of your concern to validation-questions@amazon.com.

Sincerely, Amazon Web Services

It’s a simple click click to verify.

Updating CloudFront

If you’ve seen my previous article on CloudFront you’ll be in good shape for this part. Otherwise check it out here. You’ll need a CloudFront distribution for this part.

Now go to the CloudFront console. Next click on the desired CloudFront distribution. In the general tab, click edit. Scroll down to the SSL certificate selection dropdown. Pick the newly created certificate and save your selection.

It’ll take some time for your distribution to finish deploying.

Optionally: On the behaviors tab, edit the default behavior.

Modifying an ELB is much simpler. Anyways, that’s all today!