GitHub Pages doesn’t (yet) allow an SSL certificate for a custom domain, so I’ve moved this blog to S3.

Uploading the certificate to AWS requires the CA certificate chain. This isn’t always provided by the CA as a single file, but it can be generated from the command line. For example, Comodo provides the individual certificates in the chain, so all that’s necessary is to concatenate them in PEM format into one file:

(openssl x509 -inform PEM -in COMODORSADomainValidationSecureServerCA.crt; 
openssl x509 -inform PEM -in COMODORSAAddTrustCA.crt; 
openssl x509 -inform PEM -in AddTrustExternalCARoot.crt) > ca_chain.pem

This will provide a file that is suitable for the --certificate-chain parameter of aws iam upload-server-certificate:

aws iam upload-server-certificate \
  --server-certificate-name mycert \
  --certificate-body file://mycert.crt \
  --private-key file://mycert.key \
  --certificate-chain file://ca_chain.pem \
  --path /cloudfront/
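
Before uploading, it is worth confirming that ca_chain.pem really runs from the issuing intermediate to the root, as the concatenation above intends. The following is an added example, not part of the original post: the function names check_chain_order and make_sample_chain are hypothetical, and the sample chain it can generate is constructed throwaway data.

```sh
#!/bin/sh
# Added example: check that LEAF followed by the certs in BUNDLE form an ordered
# chain, i.e. each certificate's issuer name equals the next one's subject name.
# This is a name-chaining check only; it does not verify signatures.
# Returns 0 if ordered, 1 on an order break, 2 if BUNDLE holds no certificates.
check_chain_order() {
  leaf=$1; bundle=$2
  tmp=$(mktemp -d) || return 2
  cp "$leaf" "$tmp/cert.000"
  # Split the bundle into one file per certificate: cert.001, cert.002, ...
  awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/ { n++ }
       n { print > (sprintf("%s/cert.%03d", d, n)) }' "$bundle"
  if [ ! -e "$tmp/cert.001" ]; then
    echo "no certificates found in $bundle" >&2; rm -rf "$tmp"; return 2
  fi
  status=0; prev=
  for f in "$tmp"/cert.*; do
    if [ -n "$prev" ]; then
      want=$(openssl x509 -noout -issuer_hash -in "$prev")
      have=$(openssl x509 -noout -subject_hash -in "$f")
      if [ "$want" != "$have" ]; then
        echo "order break between ${prev##*/} and ${f##*/}:" >&2
        openssl x509 -noout -issuer -in "$prev" >&2
        openssl x509 -noout -subject -in "$f" >&2
        status=1
      fi
    fi
    prev=$f
  done
  rm -rf "$tmp"
  return $status
}

# Constructed sample input: a throwaway root -> intermediate -> leaf chain in DIR.
make_sample_chain() {
  ( cd "$1" &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Sample Root" \
      -keyout root.key -out root.crt &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Sample Intermediate" \
      -keyout int.key -out int.csr &&
    openssl x509 -req -in int.csr -CA root.crt -CAkey root.key \
      -set_serial 2 -days 1 -out int.crt &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
      -keyout leaf.key -out leaf.csr &&
    openssl x509 -req -in leaf.csr -CA int.crt -CAkey int.key \
      -set_serial 3 -days 1 -out leaf.crt ) >/dev/null 2>&1
}

# Usage: sh check_chain.sh mycert.crt ca_chain.pem
if [ "$#" -eq 2 ]; then check_chain_order "$1" "$2"; fi
```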