certificate

Adding Domains in Certbot

by Ulysses · Jan 25, 2021

You can register multiple domains to a single SSL certificate. This is particularly useful if you are hosting multiple domains on one server. This command adds more domains to your existing certificate.

certbot --expand -d existing.com -d newdomain1.com -d newdomain2.com

Check if the domains were added.

certbot certificates

Certbot certificates are valid for 90 days, but they automatically renew themselves if expiration is less than 30 days. If you need to renew manually for some odd reason, you can run this command. You can also perform a dry-run before renewing.

certbot renew
certbot renew --dry-run

AWS Update ACM Certs

by Ulysses · Oct 4, 2020

Here’s how to update AWS Certificate Manager SSL Cert.

#!/bin/bash
cd /etc/letsencrypt/live/domain.com/
 
arn='arn:aws:acm:us-east-1:xxxxxxxxxxxx:certificate/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx'
 
aws acm import-certificate \
--certificate fileb://cert.pem \
--certificate-chain fileb://chain.pem \
--private-key fileb://privkey.pem \
--certificate-arn $arn \
--region us-east-1

You can run this every time certbot updates your certificate. Or you can schedule it in crontab.

AWS ACM Certificate Import

by Ulysses · Aug 11, 2019

Here’s how to import a SSL certificate into AWS Certificate Manager.

aws acm import-certificate \
--certificate file://example.crt \
--private-key file://example.key \
--certificate-chain file://example-bundle.crt

Convert PFX to PEM format

by Ulysses · Apr 3, 2019

SSL certificates comes in multiple formats. Some providers will hand you over certificates in PFX format which comes in a single file. If you need to import it to AWS Certificate Manager, you will need to convert it from PFX to PEM format. The following set of commands uses OpenSSL and pkcs12 to convert a SSL certificate from PFX to PEM format.

openssl pkcs12 -in cert.pfx -nocerts -out key.pem
openssl rsa -in key.pem -out server.key
openssl pkcs12 -in cert.pfx -clcerts -nokeys -out cert.pem
openssl pkcs12 -in cert.pfx -nodes -nokeys -out chain.pem

It result in 3 files.

server.key is the private key
cert.pem is the certificate
cert.pem and chain.pem are the full chain.

Once you have them, you can the proceed to import it to ACM.

Certificate Management Import

by Ulysses · Jan 4, 2019

My previous post lightly talked about about adding SSL certificates via the AWS Console. This post talks about adding your own SSL certificate to Certificate Manager via the AWS CLI. The CLI which makes it super simple to manage. It also allows for automation as well.

aws acm import-certificate \
--certificate file://Certificate.pem \
--certificate-chain file://CertificateChain.pem \
--private-key file://PrivateKey.pem

If successful, it will return ARN or Amazon Resource Name.

CloudFront SSL Certificates

by Ulysses · Jan 4, 2019

If you have SSL on your website, you can import your own SSL certificates into CloudFront, which is a content delivery network service by AWS. You will need to work a few AWS services to get it working.

CloudFront – create a distribution
Route 53 – create a hosted zone and add a CNAME
Certificate Manager – import your SSL certificate

Finally, on the WordPress side, enable the use CloudFront in your SuperCache plugin.

Seems simple, but you’ll need some patience to get it working.

Look at your HTML source to see if your CDN is really working.

SSL Expiry

by Ulysses · Oct 30, 2018

It’s not always clear how to find out when your SSL certificate is expiring. Openssl should be able to tell you.

$ openssl x509 -enddate -noout -in certificate.crt