How to create SSL certificates from a 3rd party, and not fail in the process
Updated: Jul 11
During the last days of the past year, I received a request to update SSL certificates, probably like most of you. As we know, sometimes this is automated via AWS, but on other occasions it is necessary to get your hands dirty ;-)
This time I first needed to create a CSR (Certificate Signing Request) with a private key to provide to the client, so he could request the new certificate from a third party.
I did this by running the following command:
openssl req -new -out <csr_name>.csr -newkey rsa:2048 -nodes -sha256 -keyout <key_toencrypt_csr>.key -config citi.conf
Notice that I passed the command a conf file where I set all the details:
[req]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
C=US
ST=New York
L=Rochester
O=End Point
OU=Testing Domain
emailAddress=your-administrative-address@your-awesome-existing-domain.com
CN = www.your-new-domain.com
[ req_ext ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = your-new-domain.com
DNS.2 = www.your-new-domain.com
Check that your Certificate Signing Request (CSR) has the correct signature by running the following:
openssl req -in CSR.csr -noout -text -verify
To confirm that it has been created for all the domains you need:
openssl req -in CSR.csr -noout -text | grep DNS
The provider will generate a new certificate from the CSR, and you can either copy the certificates from the site or download them.
If you choose to download them, be sure to choose Individual .crts (zipped) as the File Type. (Depending on the provider, some steps may differ.)
The last step is to import the certificate into AWS Certificate Manager, where you will find the following fields:
In Certificate body, paste the first individual cert, the one named after your domain.
Certificate private key refers to the key you generated when creating the CSR.
Finally, Certificate chain is the intermediate certificate you have on the DigiCert page. Check that its name contains “CA”.
After filling in the three fields and clicking Next, you can add a tag to identify your new certificate, and that’s it! You’re ready to update it on your load balancer, CloudFront distribution, etc.
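One way to confirm, before pasting anything into the import form, that the private key, the CSR, the issued certificate and the chain file belong together and that the certificate covers every domain. This is an added example, not part of the original post; the function names and file names are placeholders, and it assumes an unencrypted key as produced by -nodes above.

```shell
#!/bin/sh
# Added example: checks to run before pasting files into the ACM import form.
# All file names are placeholders supplied by the caller.

# Print the public key (PEM) held in a private key, a CSR or a certificate.
pubkey_of() {  # usage: pubkey_of key|csr|cert FILE
    case "$1" in
        key)  openssl pkey -in "$2" -pubout ;;
        csr)  openssl req  -in "$2" -noout -pubkey ;;
        cert) openssl x509 -in "$2" -noout -pubkey ;;
        *)    return 2 ;;
    esac 2>/dev/null
}

# True if the certificate lists NAME as an exact DNS subjectAltName entry.
cert_has_san() {  # usage: cert_has_san CERT NAME
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        tr ', ' '\n\n' | grep -Fxq "DNS:$2"
}

# True if the first certificate in CHAIN is the issuer named by CERT.
# This compares names only; it does not validate signatures.
chain_issues_cert() {  # usage: chain_issues_cert CERT CHAIN
    issuer=$(openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 2>/dev/null)
    subject=$(openssl x509 -in "$2" -noout -subject -nameopt RFC2253 2>/dev/null)
    [ -n "$issuer" ] && [ "${issuer#issuer=}" = "${subject#subject=}" ]
}

fail() { echo "FAIL: $1" >&2; return 1; }

preimport_check() {  # usage: preimport_check KEY CSR CERT CHAIN NAME...
    key=$1; csr=$2; cert=$3; chain=$4; shift 4
    k=$(pubkey_of key "$key")
    [ -n "$k" ] || { fail "cannot read private key $key"; return 1; }
    [ "$k" = "$(pubkey_of csr "$csr")" ] || { fail "key does not match CSR"; return 1; }
    [ "$k" = "$(pubkey_of cert "$cert")" ] || { fail "key does not match certificate"; return 1; }
    chain_issues_cert "$cert" "$chain" || { fail "chain is not the certificate's issuer"; return 1; }
    for name in "$@"; do
        cert_has_san "$cert" "$name" || { fail "certificate lacks SAN $name"; return 1; }
    done
    echo "OK: body, private key and chain are consistent"
}

# Run only when called with arguments, e.g.:
#   sh preimport.sh site.key site.csr site.crt chain.crt your-new-domain.com
if [ "$#" -ge 5 ]; then preimport_check "$@"; fi
```

A failure on the key checks means the wrong key file was kept; a failure on the chain check usually means the wrong file was chosen for the Certificate chain field.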
Lourdes Dorado
DevOps Engineer
Teracloud