
Update AWS Cloudfront Certificate

Pete Tollestrup edited this page Oct 5, 2023 · 7 revisions
  • Create a Jira ticket with the service desk to request a DNS entry for a new vanity domain that has never gone through DNS domain validation before (skip this step if we have already done DNS validation for our CloudFront domain). The ticket we created last time for the AWS tools CloudFront is here.
  • Go to AWS Certificate Manager
  • Change the Region to "us-east-1"
  • Click "Request", and request a public certificate
  • Enter the information:
    • domain name: depends on which environment we are in; it is our FAM frontend domain
    • validation method: choose "DNS validation"
    • key algorithm: choose "ECDSA P 256", because CloudFront does not support "ECDSA P 384" yet
  • And then click "Request" to make the request
  • If we have already done DNS validation before, the certificate request should succeed within 1 minute; there is no need to contact the service desk
  • If this is the first time we request a certificate for a new domain, we need to get in touch with service desk support (we met with Kris Clarke). View the certificate and send them the "CNAME name" and "CNAME value" so they can set up the DNS entry on their side:
    • On their side, the hostname is the CNAME name without the domain and without the trailing period '.'
    • The domain is the last part of the CNAME name, which is our FAM domain
    • The target DNS name is the CNAME value, and it ends with the period '.'
    • It can take 10-20 minutes to get approval the first time

Some notes:

  • AWS won't issue an SSL certificate for our CloudFront domain unless we prove we own the domain; that is done through DNS validation (Kris helps with that), so AWS can see the record and approve the certificate for us.
  • When we need a new key algorithm for the certificate, we request a new certificate; the existing one can't be edited. If we already did DNS validation for the old certificate, the new one should be auto-approved.
  • We don't remove the old certificate until we have updated our Terraform to use the new certificate and the "In use" column shows Yes for the new certificate.
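The steps above and the notes describe two things that are easy to get wrong by hand: turning ACM's CNAME record into the hostname / domain / target fields the service desk enters (trailing periods matter), and making sure the certificate was requested in us-east-1 with a key algorithm CloudFront accepts. As an added example, not part of this wiki or the FAM project, the script below takes the JSON that `aws acm describe-certificate --region us-east-1 --certificate-arn <arn>` returns and does both. The ARN, account id, domain `fam-dev.example.ca` and record hashes are constructed; `CLOUDFRONT_OK_KEY_ALGORITHMS` is an assumption that goes beyond this page, which only says P-256 works and P-384 does not.

```python
"""Derive the DNS-validation record for the service desk from ACM's
describe-certificate output, and pre-check what the wiki calls out:
region us-east-1, a CloudFront-compatible key algorithm, trailing periods."""
import json

# ACM key-algorithm names this script accepts for a CloudFront certificate.
# The wiki states ECDSA P-256 (ACM name EC_prime256v1) works and ECDSA P-384
# (EC_secp384r1) does not; RSA_2048 is an assumption added here.
CLOUDFRONT_OK_KEY_ALGORITHMS = {"EC_prime256v1", "RSA_2048"}

# Constructed sample of `aws acm describe-certificate` output. ARN, account
# id, domain and record hashes are made up; the JSON shape matches ACM's.
CONSTRUCTED_DESCRIBE_OUTPUT = {
    "Certificate": {
        "CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/"
                          "0000aaaa-bbbb-cccc-dddd-000000000000",
        "DomainName": "fam-dev.example.ca",
        "Status": "PENDING_VALIDATION",
        "KeyAlgorithm": "EC_prime256v1",
        "DomainValidationOptions": [
            {
                "DomainName": "fam-dev.example.ca",
                "ValidationMethod": "DNS",
                "ValidationStatus": "PENDING_VALIDATION",
                "ResourceRecord": {
                    "Name": "_7f3a2b1c9d4e.fam-dev.example.ca.",
                    "Type": "CNAME",
                    "Value": "_0e9d8c7b6a5f.zmbgmqgqkp.acm-validations.aws.",
                },
            }
        ],
    }
}


def validation_record(describe_output, domain=None):
    """Return (cname_name, cname_value) for the DNS validation record of
    `domain` (defaults to the certificate's primary domain)."""
    cert = describe_output["Certificate"]
    domain = domain or cert["DomainName"]
    for opt in cert["DomainValidationOptions"]:
        if opt["DomainName"] == domain:
            if opt.get("ValidationMethod") != "DNS":
                raise ValueError(f"{domain} is not using DNS validation")
            record = opt["ResourceRecord"]
            return record["Name"], record["Value"]
    raise KeyError(f"no validation option for {domain}")


def service_desk_fields(cname_name, cname_value, domain):
    """Split the ACM record into the fields the service desk enters:
    hostname = CNAME name minus our domain and the trailing '.',
    domain   = our FAM domain,
    target   = the CNAME value, which keeps (or gets) its trailing '.'."""
    name = cname_name.rstrip(".")
    domain = domain.rstrip(".")
    suffix = "." + domain
    if not name.endswith(suffix):
        raise ValueError(f"{cname_name!r} does not end with {suffix!r}")
    return {
        "type": "CNAME",
        "hostname": name[: -len(suffix)],
        "domain": domain,
        "target": cname_value if cname_value.endswith(".") else cname_value + ".",
    }


def preflight(describe_output):
    """Return a list of problems; an empty list means the request looks right.
    CloudFront only uses ACM certificates issued in us-east-1, which is why
    the wiki switches region before clicking Request."""
    cert = describe_output["Certificate"]
    problems = []
    region = cert["CertificateArn"].split(":")[3]
    if region != "us-east-1":
        problems.append(f"certificate is in {region}; CloudFront needs us-east-1")
    algo = cert.get("KeyAlgorithm")
    if algo not in CLOUDFRONT_OK_KEY_ALGORITHMS:
        problems.append(f"key algorithm {algo} is not accepted for CloudFront")
    return problems


if __name__ == "__main__":
    for problem in preflight(CONSTRUCTED_DESCRIBE_OUTPUT):
        print("WARNING:", problem)
    name, value = validation_record(CONSTRUCTED_DESCRIBE_OUTPUT)
    print(json.dumps(service_desk_fields(name, value, "fam-dev.example.ca"), indent=2))
```

To use it against a real request, replace `CONSTRUCTED_DESCRIBE_OUTPUT` with `json.load()` of the CLI output; the printed fields are what goes into the service desk ticket, and a non-empty `preflight` list means a new certificate request is needed rather than an edit, as the notes say.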