2016 may be the year of free SSL, and AWS ACM (AWS Certificate Manager) is a great offering for CloudFront & ELB users (most web apps).

Not only is it free, but it’s also the simplest certificate management platform:

  • request a new certificate in minutes
  • no server config needed
  • no certificate, chain or private key management
  • automatic certificate rotation

Here’s how to create a certificate and then install it onto your CloudFront distribution.

Requesting a New Certificate

$ aws acm request-certificate --domain-name '*.mydomain.com' --subject-alternative-names mydomain.com
{
    "CertificateArn": "arn:aws:acm:us-east-1:OOOOOOOOOOOO:certificate/c3d15000-230c-4000-8000-a600000"
}

The wildcard is quoted so the shell does not expand it. Request the certificate in us-east-1, as the ARN above shows: CloudFront only accepts ACM certificates from that region. The ARN is not usable by CloudFront until you have completed the domain validation step that ACM sends you.

Activating the Certificate on Cloudfront

This part requires a few steps:

1. Get the configuration skeleton

# show just the first few lines for example
$ aws cloudfront update-distribution --generate-cli-skeleton | head -n 5
{
    "DistributionConfig": {
        "CallerReference": "", 
        "Aliases": {
            "Quantity": 0, 

Save the full skeleton to a file and replace its ViewerCertificate block with the one in the next step. Note that the skeleton is empty: for an existing distribution, start instead from aws cloudfront get-distribution-config --id DISTRIBUTION_ID, which returns the current DistributionConfig (so you don’t wipe existing origins, behaviours and aliases) together with the ETag that the update must send back as IfMatch.

2. Update The Viewer Certificate

Make sure the “Certificate” param is your ACM certificate ARN from the request above (newer versions of the CloudFront API call this field ACMCertificateArn).

"ViewerCertificate": {
    "SSLSupportMethod": "sni-only",
    "MinimumProtocolVersion": "TLSv1",
    "Certificate": "arn:aws:acm:us-east-1:OOOOOOOOOOOO:certificate/c3d15000-230c-4000-8000-a600000",
    "CertificateSource": "acm"
},

3. Update your DistributionConfig

$ aws cloudfront update-distribution --id DISTRIBUTION_ID --cli-input-json file://CONFIG_FILE.json
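As an added example (not from the original post, and not AWS’s own code), here is a small Python/boto3 script that performs steps 1 to 3 against the live distribution config instead of the empty skeleton: it reads the current config and ETag, swaps in the ACM certificate, and writes it back with IfMatch. The 12-digit account id in the ARN, the sample config and all function names are assumptions made for the example.

```python
import json
import re

# CloudFront only accepts ACM certificates issued in us-east-1.
ACM_ARN_RE = re.compile(r"^arn:aws:acm:us-east-1:\d{12}:certificate/[0-9a-f-]+$")

# Constructed sample: 12-digit placeholder account id plus the post's certificate id.
EXAMPLE_ARN = "arn:aws:acm:us-east-1:123456789012:certificate/c3d15000-230c-4000-8000-a600000"
# Constructed, minimal stand-in for what get-distribution-config returns.
EXAMPLE_CONFIG = {
    "CallerReference": "my-site-2016",
    "Aliases": {"Quantity": 1, "Items": ["mydomain.com"]},
    "ViewerCertificate": {"CloudFrontDefaultCertificate": True},
}


def validate_acm_arn(arn):
    """True only for an ACM certificate ARN in the region CloudFront accepts."""
    return bool(ACM_ARN_RE.match(arn))


def patch_viewer_certificate(dist_config, cert_arn, min_protocol="TLSv1"):
    """Return a copy of dist_config with ViewerCertificate pointed at cert_arn.

    Aliases, origins and behaviours are carried over untouched, which is why the
    input should be the live config rather than the empty CLI skeleton. The
    default min_protocol is the post's "TLSv1"; "TLSv1.2_2021" is the stronger
    choice when your clients support it.
    """
    if not validate_acm_arn(cert_arn):
        raise ValueError("not an ACM certificate ARN in us-east-1: %s" % cert_arn)
    patched = json.loads(json.dumps(dist_config))  # deep copy; caller's dict is untouched
    patched["ViewerCertificate"] = {
        "ACMCertificateArn": cert_arn,  # current name for the post's Certificate/CertificateSource pair
        "SSLSupportMethod": "sni-only",
        "MinimumProtocolVersion": min_protocol,
    }
    return patched


def apply_certificate(distribution_id, cert_arn, min_protocol="TLSv1"):
    """Read the live config and ETag, patch it, write it back with IfMatch (needs boto3 + credentials)."""
    import boto3  # imported here so the pure functions above stay usable offline
    cf = boto3.client("cloudfront")
    current = cf.get_distribution_config(Id=distribution_id)
    new_config = patch_viewer_certificate(current["DistributionConfig"], cert_arn, min_protocol)
    # IfMatch carries the ETag from the read, so a concurrent edit makes the update
    # fail (PreconditionFailed) instead of silently overwriting someone else's change.
    return cf.update_distribution(Id=distribution_id, DistributionConfig=new_config,
                                  IfMatch=current["ETag"])
```

Call apply_certificate("DISTRIBUTION_ID", EXAMPLE_ARN) with real values to run it against your account; the other two functions run offline.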

At this point you can test by opening https://mydomain.com:443 and making sure the certificate looks good. A great testing tool is the Symantec Tool. From a shell, openssl s_client -servername mydomain.com -connect mydomain.com:443 shows the chain being served; pass -servername, because the distribution is configured sni-only.

See the ACM docs for more info.