One of the great aspects of using Amazon’s Web Services (AWS) is that Amazon continually works towards making things easier and cheaper for their customers. Their Simple Storage Service (S3) has had multiple price decreases in the last several years, and they continually improve their existing products and introduce new products (Glacier, Redshift) to match their customers’ needs.
However, there are a handful of exceptions that send developers back to the command line in order to accomplish their goals. One of these exceptions is setting up the AWS CloudFront CDN service with SSL.
The warning alone might be enough to convince your customer to shop elsewhere. In order to keep the customer in the checkout flow and let them check out securely, you need to serve your content from the CDN over HTTPS as well.
Amazon does not currently provide a GUI to upload an SSL certificate to CloudFront. To upload a certificate, you’ll need the AWS CloudFront API tools to upload the relevant certificate files through the command line to an IAM store, and then associate the certificate with your CloudFront distribution through the AWS console.
Step 1: Download and install the AWS command line API tools. The tools are very helpful if you’re comfortable on the command line: you can run scripts like ‘ec2-describe-instances’ and get a list of all of your EC2 instances. (They are also very handy for pulling AWS information into subsequent bash scripts for automation.)
Step 2: Download a copy of your SSL certificate and relevant certificate chain files. If you have multiple intermediary certificates, you’ll need to manually copy and paste them together into a single file.
Step 3: Using the newly installed AWS CLI tools, you’ll run the following command from the command line:
aws iam upload-server-certificate --server-certificate-name CertificateName --certificate-body file://public_key_certificate_file --private-key file://privatekey.pem --certificate-chain file://certificate_chain_file --path /cloudfront/
Step 4: Once you’ve successfully uploaded the certificate, go to your CloudFront distribution in the AWS Management Console, click on the distribution’s settings, and select ‘Edit Distribution’. Within the ‘Edit Distribution’ page is a section called ‘SSL Certificate’. If the upload of the certificate was successful, you’ll see the certificate name specified above in the dropdown. Select the certificate and click ‘Save’ to associate your SSL certificate with the CloudFront distribution.
Step 5: AWS may take a few minutes to configure the certificate for the distribution. Once it has, you should verify that the certificate is correctly set up using a free online SSL verification service like SSL Shopper. If the certificate is valid, the verifier will display the full certificate chain, when it expires, and additional information.
Step 6: If the certificate validation looks good, do a final sanity check: take a file that would normally be served over HTTP from the CDN (like your store logo) and change the path to HTTPS. If the image comes through with a bright green lock in the URL bar, your SSL certificate is set up properly. You can now switch your secure skin, media and JS base URLs on your Magento site (System > Configuration > Web) to use the path to the HTTPS version of your CloudFront distribution.
Troubleshooting: If you run across issues configuring the SSL, you can always refer to Amazon’s official documentation.
Congratulations! You’ve set up a CloudFront distribution for your Magento store, set it to clear the cache when you update code, and configured it to use SSL, providing a secure checkout flow for your customers.
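For Step 2, one way to assemble the chain file without copy-and-paste mistakes, as an added example that is not part of the original post. The helper names count_certs and build_chain and all file names are assumptions; the script rejects glued PEM markers and private keys, and does not check signatures or chain order.

```shell
#!/usr/bin/env bash
# Added example: build the Step 2 chain file from separate PEM files.
# count_certs/build_chain and all file names are hypothetical helpers.

# Print the number of well-formed certificate blocks in a PEM file.
# Fails when BEGIN/END markers are missing, unbalanced, or glued onto one
# line (what pasting a file without a trailing newline produces).
count_certs() {
    local begins ends loose
    [ -r "$1" ] || return 1
    begins=$(grep -c -e '^-----BEGIN CERTIFICATE-----[[:space:]]*$' "$1" || true)
    ends=$(grep -c -e '^-----END CERTIFICATE-----[[:space:]]*$' "$1" || true)
    loose=$(grep -c -e 'BEGIN CERTIFICATE' -e 'END CERTIFICATE' "$1" || true)
    [ "$begins" -gt 0 ] && [ "$begins" -eq "$ends" ] &&
        [ "$loose" -eq $((begins + ends)) ] || return 1
    echo "$begins"
}

# build_chain OUT IN1 [IN2 ...]: concatenate inputs in the order given.
build_chain() {
    [ "$#" -ge 2 ] || return 1
    local out="$1" f n total=0
    shift
    : > "$out"
    for f in "$@"; do
        # The chain is sent to every client; a private key must never be in it.
        if grep -q 'PRIVATE KEY' "$f"; then
            echo "refusing $f: contains a private key" >&2; return 1
        fi
        n=$(count_certs "$f") || { echo "bad PEM: $f" >&2; return 1; }
        total=$((total + n))
        # Drop CRs and blank lines; awk ends every line with a newline,
        # so the next file's BEGIN marker always starts on its own line.
        tr -d '\r' < "$f" | awk 'NF' >> "$out"
    done
    [ "$(count_certs "$out")" = "$total" ]
}

# Usage: ./build_chain.sh certificate_chain_file intermediate1.pem intermediate2.pem
if [ "$#" -ge 2 ]; then build_chain "$@"; fi
```

The resulting file is what Step 3 passes as file://certificate_chain_file.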