George V. Reilly

Creating External SSL Certificates for CloudFront

I needed to create a wildcard SSL certificate and upload it to AWS CloudFront today.

First, generate a 2048-bit private key. This will prompt you for a passphrase:

$ openssl genrsa -des3 -out example.key 2048

Check which signature algorithm was used to sign the CSR (SHA-256 is recommended):

$ openssl req -in example.csr -noout -text

Transform the private key to PEM format. Because no cipher option is given, this also writes the key without its passphrase, which is what IAM requires (it cannot use an encrypted key):

$ openssl rsa -outform PEM -in example.key -out example.pem

Generate a Certificate Signing Request. Note the * in the server FQDN:

$ openssl req -new -key example.key -out example.csr

Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Washington
Locality Name (eg, city) []:Seattle
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Example GmbH
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:*.example.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Upload the CSR to your Certificate Authority and generate a signed certificate. We used SSL.com.

Be sure to save the keys and certificates in a secure place. The private key is a secret: treat it as such.

Finally, upload the certificate to IAM (AWS Identity and Access Management):

$ aws iam upload-server-certificate \
    --server-certificate-name 'Example_Wildcard_Cert' \
    --certificate-body file://STAR_example_com.crt \
    --private-key file://example.pem \
    --certificate-chain file://ca-chain-amazon.crt \
    --path /cloudfront/production/

Note the --path argument, which is required for CloudFront distributions: the path must begin with /cloudfront/ and end with a trailing slash, or CloudFront will not list the certificate.
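As an added example (not from the original post), here is a POSIX shell function that sanity-checks the key, certificate and chain before running the upload above: it catches a still-encrypted key, a certificate that does not belong to the key, a SHA-1 signature, a broken chain, and a missing wildcard name. It assumes openssl is on PATH; the demo builds a throwaway self-signed wildcard certificate as a constructed fixture.

```shell
#!/bin/sh
# Pre-upload checks for the key/cert/chain trio given to
# `aws iam upload-server-certificate`. Assumes openssl is on PATH.
# Usage: check_cert_bundle KEY CERT CHAIN   (exit status 0 = all checks passed)
check_cert_bundle() {
    key=$1; cert=$2; chain=$3; status=0
    # 1. IAM needs an unencrypted PEM key; an encrypted one carries either
    #    "Proc-Type: 4,ENCRYPTED" or "BEGIN ENCRYPTED PRIVATE KEY".
    if grep -q ENCRYPTED "$key"; then
        echo "FAIL: $key is passphrase-protected (openssl rsa -in KEY -out KEY.pem strips it)"
        status=1
    fi
    # 2. The certificate must carry the public half of this exact key.
    if [ "$(openssl x509 -in "$cert" -noout -pubkey)" != \
         "$(openssl pkey -in "$key" -pubout -passin pass: 2>/dev/null)" ]; then
        echo "FAIL: public key in $cert does not match $key"
        status=1
    fi
    # 3. The CA should have signed with SHA-256, not SHA-1.
    if ! openssl x509 -in "$cert" -noout -text | grep -q 'Signature Algorithm: sha256'; then
        echo "FAIL: $cert is not signed with SHA-256"
        status=1
    fi
    # 4. The intermediate chain must actually lead to the leaf certificate.
    if ! openssl verify -CAfile "$chain" "$cert" >/dev/null 2>&1; then
        echo "FAIL: $cert does not verify against $chain"
        status=1
    fi
    # 5. A wildcard name (*.domain) must appear in the subject or SAN.
    if ! openssl x509 -in "$cert" -noout -text | grep -q '\*\.'; then
        echo "FAIL: no wildcard name in $cert"
        status=1
    fi
    return $status
}

# Self-test on a constructed fixture: a throwaway self-signed wildcard cert
# (the cert doubles as its own chain). Not a real certificate.
demo() {
    d=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj '/CN=*.example.com' -keyout "$d/key.pem" -out "$d/cert.pem" 2>/dev/null
    if check_cert_bundle "$d/key.pem" "$d/cert.pem" "$d/cert.pem"; then rc=0; else rc=1; fi
    rm -rf "$d"
    return $rc
}
```

Run it as `check_cert_bundle example.pem STAR_example_com.crt ca-chain-amazon.crt` before the aws command; each failed check prints one FAIL line.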

Bryce Fisher-Fleig has more. (I wish I had discovered his post this morning.)
