
DigiCert SSL Cert for AWS CloudFront Distribution

mliukis edited this page Mar 15, 2024 · 9 revisions

How to provision an Entrust Cert for AWS CloudFront Distribution

Since its-live.jpl.nasa.gov is a public-facing site, it needs a publicly trusted certificate issued by Entrust (a self-signed or internal CA certificate would not be accepted by browsers).

The certificate belongs to the its-live AWS account.

Brand New Certificate

Follow the JPL Cloud Help instructions on creating a CSR. They link to a CSR tool that makes the process straightforward: it generates the private key and the matching certificate signing request together.

To provision a brand new Entrust certificate, provide the following:

  • SSL cert common name: its-live.jpl.nasa.gov
  • Additional SANs
    • Skip this; it is only needed if additional hostnames exist for its-live.jpl.nasa.gov (every name the certificate must cover has to be listed at issuance time)
  • UCS Project Number and UCS Task Number for billing purposes
    • Provide the Project and Task Numbers to be billed
  • LDAP Group Name: for certificate responsibility and contact purposes (this is where expiry and renewal notices are sent)
    • If the LDAP (mailing) group does not exist, log in to dir.jpl.nasa.gov to create one
    • Currently the newly created its_live LDAP group is used
    • To manage the LDAP group (add or delete members, change member roles), use the same dir.jpl.nasa.gov site

Attention: Keep the private key that was used to generate the certificate request, and keep it in a secure location with access restricted to the its-live AWS account owners (for example an encrypted secrets store rather than a shared drive or e-mail). It is required to upload the certificate, and any later renewed certificate, into AWS Certificate Manager (ACM), and anyone holding it can impersonate its-live.jpl.nasa.gov. If the key is lost or is suspected to have been exposed, do not renew: generate a new CSR (and therefore a new key) and request a new certificate instead.

Certificate Details

Per the JPL SSL instructions, the three fields of the ACM "Import certificate" form are filled in as follows:

  • under Certificate body, copy and paste the first portion of the .pem certificate generated by JPL's self-serve portal, from the first "-----BEGIN CERTIFICATE-----" through the first "-----END CERTIFICATE-----" (this is the leaf certificate for its-live.jpl.nasa.gov)
  • under Certificate private key, copy and paste the private key saved when the CSR was created (it must be the key that matches this certificate; ACM rejects the import otherwise)
  • under Certificate chain, copy and paste the remaining portion of the generated file, i.e. the intermediate certificate blocks that follow the first one, without repeating the leaf certificate

Import the certificate in the us-east-1 (N. Virginia) region: CloudFront can only use ACM certificates that live there.

Renew Existing Certificate

To renew an existing SSL certificate, log in to the JPL SSL certificates portal and renew the existing certificate. The same private key that was used to generate the original certificate is reused for the renewed certificate, although the portal does not ask for it at renewal time. You will still need that key to import the renewed certificate into ACM, so confirm it is available before starting the renewal; if it is not, request a brand new certificate with a new CSR instead.

We follow the practice of importing the renewed certificate into ACM as a brand new certificate rather than re-importing over the existing ACM entry. This way the previous certificate stays available and you can switch the distribution back and forth in case there are issues with the new one.

Once the new SSL certificate is imported into ACM, edit the CloudFront distribution settings (Viewer certificate) to use the new certificate (AWS docs). After the change deploys, verify with a browser or openssl that its-live.jpl.nasa.gov serves the new certificate and its expiry date, and only then delete the old ACM entry if it is no longer needed.
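The following shell script is an added example (not code from the ITS_LIVE project or from JPL) that automates the import steps above: it splits the .pem bundle from the JPL self-serve portal into the "Certificate body" (leaf) and "Certificate chain" (intermediates) that ACM expects, checks that the saved private key matches the leaf, imports the result as a brand new certificate in us-east-1, and points a CloudFront distribution at it. The file names, the distribution ID and the sample bundle it writes are assumptions; the sample bundle contains placeholder text, not real certificates.

```shell
#!/bin/sh
# Added example for the ITS_LIVE cert procedure; not the project's own code.
# Assumes: bundle.pem is the portal download laid out leaf-first, then
# intermediates; privkey.pem is the key kept from CSR time; the CloudFront
# distribution ID is a placeholder. Requires aws CLI, openssl and jq for the
# real run; the offline demo at the bottom only needs awk/grep.
set -eu

# Leaf = everything up to and including the first END CERTIFICATE line.
pem_leaf() {
  awk '/-----BEGIN CERTIFICATE-----/ {p=1} p {print} /-----END CERTIFICATE-----/ {if (p) exit}'
}

# Chain = every certificate block after the first one (no leaf repeated).
pem_chain() {
  awk '/-----BEGIN CERTIFICATE-----/ {n++} n > 1 {print}'
}

# Number of certificate blocks in file $1 (prints 0 for none).
pem_count() {
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Split bundle $1 into body file $2 and chain file $3.
split_bundle() {
  pem_leaf  < "$1" > "$2"
  pem_chain < "$1" > "$3"
}

# The key kept since CSR time must match the issued leaf ($1 = leaf cert,
# $2 = private key); ACM rejects the import otherwise. Compares the public
# key embedded in the certificate with the one derived from the private key.
key_matches_cert() {
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Import as a NEW certificate (no --certificate-arn, so the previous ACM
# entry stays for rollback). CloudFront only accepts ACM certs from us-east-1.
import_to_acm() {
  aws acm import-certificate --region us-east-1 \
    --certificate       "fileb://$1" \
    --private-key       "fileb://$2" \
    --certificate-chain "fileb://$3" \
    --query CertificateArn --output text
}

# Switch distribution $1 to certificate ARN $2. The ETag returned by
# get-distribution-config must be passed back as --if-match.
attach_to_cloudfront() {
  cfg=$(aws cloudfront get-distribution-config --id "$1")
  etag=$(printf '%s' "$cfg" | jq -r .ETag)
  cfg_file=$(mktemp)
  printf '%s' "$cfg" | jq --arg arn "$2" \
    '.DistributionConfig | .ViewerCertificate.ACMCertificateArn = $arn | .ViewerCertificate.SSLSupportMethod = "sni-only"' \
    > "$cfg_file"
  aws cloudfront update-distribution --id "$1" --if-match "$etag" \
    --distribution-config "file://$cfg_file"
}

# Constructed sample bundle (placeholder text, NOT real certificates):
# leaf first, then two intermediates, mirroring the portal's .pem layout.
write_sample_bundle() {
  cat > "$1" <<'EOF'
-----BEGIN CERTIFICATE-----
LEAFLEAFLEAFLEAF
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
INTERMEDIATE1
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
INTERMEDIATE2
-----END CERTIFICATE-----
EOF
}

# Offline demo: split the constructed bundle and report what went where.
work=$(mktemp -d)
write_sample_bundle "$work/bundle.pem"
split_bundle "$work/bundle.pem" "$work/body.pem" "$work/chain.pem"
echo "body: $(pem_count "$work/body.pem") cert, chain: $(pem_count "$work/chain.pem") certs"

# Real run against the its-live account (E1234567890ABC is a placeholder ID):
#   split_bundle bundle.pem body.pem chain.pem
#   key_matches_cert body.pem privkey.pem || { echo "key does not match cert"; exit 1; }
#   arn=$(import_to_acm body.pem privkey.pem chain.pem)
#   attach_to_cloudfront E1234567890ABC "$arn"
```

The split is done with awk on the BEGIN/END markers rather than by hand so the leaf never ends up duplicated in the chain field; the key check runs before the import so a wrong or stale key fails locally instead of after the upload.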