A simple guide of the steps to follow for updating an SSL/TLS certificate PROGRAMMATICALLY using AWS CLI.
Because the official documentation about it is a whole mess when is something rather easy and I'd like to share with others and possibly save some time.
Once you generate your custom certificate using, for example, Let's Encrypt, you may run these AWS CLI commands to update it using bash:
# Use any name but prefer to use one based on a timestamp since they cannot be repeated on every update AWS_MY_CERT_NAME=my-cert-$(date +%Y%m%d) # Set the CloudFront distribution we want to update (found at AWS console) MY_CLOUDFRONT_ID=EV40L17AXPTKC # Upload the custom certificate to IAM (using ACM does not work) aws iam upload-server-certificate --server-certificate-name $AWS_MY_CERT_NAME --certificate-body file://my-cert.pem --private-key file://my-cert-privkey.pem --certificate-chain file://my-cert-chain.pem --path /cloudfront/ # Get certificate ID for the update AWS_MY_CERT_ID=$(aws iam get-server-certificate --server-certificate-name $AWS_MY_CERT_NAME --query "ServerCertificate.ServerCertificateMetadata.ServerCertificateId" --output text) # Here the trick: load the current configuration to patch it on the fly (AWS has no other option currently) aws cloudfront get-distribution-config --id $MY_CLOUDFRONT_ID --query DistributionConfig > config.json sed -i.bak "s/.*\"IAMCertificateId\".*/\"IAMCertificateId\": \"$AWS_MY_CERT_ID\",/g" config.json sed -i.bak "s/.*\"Certificate\".*/\"Certificate\": \"$AWS_MY_CERT_ID\",/g" config.json aws cloudfront update-distribution --id $MY_CLOUDFRONT_ID --distribution-config file://config.json
NOTE: using the
/cloudfront/ path is important for making the certificate available for CloudFront usage.
You can add these commands to a bash script file to run it using cron configuration every month (or sooner depending on the frequency of your updates)
These commands are based on these blogs and references: