Purchasing EV Certificate
What you need to know
First things first. Let's go purchase our certificate at Comodo.
Don't be shocked by the price, you really can't get a better deal than this.
Pro Tip: Start a chat session and tell them you are interested in an EV certificate. They will get you a deal on the price and add a few months for free. We like free.
The person you are on chat with will send you a link with the lowered cost, click this to proceed (you'll see they add a tracking number to the URL). Add the EV certificate to your cart and then click on checkout.
You'll be brought to a screen where you fill out information about your business, and how you want your information seen within the certificate content.
Don't worry about the 'Web Server Software' part, just choose OTHER/I don't know.
Other than the regular information, you'll have a few optional selections at the end.
Now we are ready to move onto the next step - setting up our Certificate Signing Request.
Certificate Signing Request (CSR)
We'll use OpenSSL for this
"Wait ... What is OpenSSL?".
Taken verbatim from their Github repository "The OpenSSL Project is a collaborative effort to develop a robust, commercial-grade, fully featured, and Open Source toolkit implementing the Transport Layer Security (TLS) protocols (including SSLv3) as well as a full-strength general purpose cryptographic library."
In other words, it's a free tool to assist with things like creating .csr files and private RSA keys.
If you are on a Mac, there is no need to install anything: macOS ships an openssl command (LibreSSL on recent versions, which behaves the same for the commands below). Practically every Linux distribution includes it as well.
If you are a Windows user (shame on you), skip the Mac/Linux commands below; the Windows install is covered in the next section.
Mac/Linux users - run these commands to create a private key in a new directory under your home directory (replace 'domain' with your actual domain). This key is the secret half of your certificate: it stays on this machine and should be readable by you alone.
cd ~ && mkdir domain_com.ssl && cd domain_com.ssl
openssl genrsa -out ~/domain_com.ssl/domain_com.key 2048
Then run this command to create a CSR:
openssl req -new -sha256 -key ~/domain_com.ssl/domain_com.key -out ~/domain_com.ssl/domain_com.csr
Time for Installation.
CSR on Windows
OpenSSL on Windows is a bit different. The official OpenSSL website only offers source code, not Windows binaries, so we'll have to get a bit clever.
Instead of compiling our own Windows binary, we'll depend on a third-party build. Click here to get started. You are about to run someone else's installer with administrator rights, so verify its hash or signature against what the site publishes before you run it.
Don't worry about the overbearing red wall of text, just scroll down past that until you find "Win64_OpenSSL_v1.1.0h". Do NOT download an older version than 1.1.0.
Once downloaded, right-click the installer .exe and choose 'Run as administrator'. Click through the install; when it asks where to copy the OpenSSL DLLs, choose "The OpenSSL binaries (/bin) directory".
Open a command prompt and run these commands (the path is OpenSSL-Win64 throughout; the 64-bit installer does not create a Win32 folder):
cd c:\OpenSSL-Win64
setx OPENSSL_CONF c:\OpenSSL-Win64\bin\openssl.cfg
setx stores the variable in your user environment so it survives reboots; a plain set would vanish when the window closes. Open a new command prompt afterwards, because windows that are already open won't see the new variable. No reboot is required.
Once you're in a fresh prompt, run these commands to get into the bin directory and create your private key:
cd c:\OpenSSL-Win64\bin
openssl genrsa -out domain_com.key 2048
Then run this command to create a CSR:
openssl req -new -sha256 -key domain_com.key -out domain_com.csr
You will then be asked a set of questions. Here is my example:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Idaho
Locality Name (eg, city) []:Boise
Organization Name (eg, company) [Internet Widgits Pty Ltd]:fencepencil, Inc.
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:fencepencil.com
Email Address []:firstname.lastname@example.org

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:fencepencil, Inc.
Here's what all that means:
Country Name - Use the two-letter ISO country code without punctuation, for example: US or CA.
State or Province - Spell out the state or province completely; do not abbreviate it.
Locality or City - The city or town name, for example: Berkeley. Do not abbreviate.
Company - The legal name of your organization as registered. For an EV certificate the CA checks this against official business records, so it must match exactly. If the name contains an &, @, or any other symbol typed with the shift key, spell the symbol out or leave it off; otherwise the enrollment will be rejected.
Organizational Unit - The department or unit making the request. It is optional; to skip it, press Enter.
Common Name - The host plus domain name exactly as visitors will type it, for example "www.symantec.com" or "symantec.com". The CA issues the certificate for this name and browsers compare it against the hostname in the URL, so a typo here means a certificate warning for every visitor.
Email Address - Optional; press Enter to leave it blank.
Challenge password - Leave it blank. It is not a passphrase for your private key; it is a legacy field stored in plain text inside the CSR, and public CAs ignore it.
Optional company name - Also optional and ignored by the CA; it does not end up in the certificate.
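Here is the whole key-and-CSR procedure above as one script, together with the checks worth running before you upload anything: that the key file is readable only by you, that the CSR's self-signature verifies, and that the CSR really belongs to the key you are about to back up. This is an added example, not code from the original post. It assumes an openssl (or LibreSSL) binary on macOS or Linux; the DN values (fencepencil.com, "fencepencil, Inc.", Idaho, Boise) are the post's own example, passed with -subj so the interactive questions are answered on the command line, and the directory layout follows the domain_com.ssl convention used above.

```shell
#!/bin/sh
# Added example: key + CSR creation with the pre-upload checks a practitioner runs.
# Assumes openssl/LibreSSL on macOS or Linux. Not code from the original post.
set -eu

# Generate a 2048-bit RSA key at DIR/KEY, readable only by you. umask 077 makes
# the file 0600 at creation, so it is never world-readable even for an instant.
gen_key() {
  local dir key; dir=$1; key=$2
  mkdir -p "$dir" && chmod 700 "$dir"
  ( umask 077 && openssl genrsa -out "$dir/$key" 2048 2>/dev/null )
}

# Create the CSR without the interactive prompts: the same DN fields the
# questions ask for, passed with -subj. Commas in values are fine; "/" is not.
gen_csr() {
  local dir key csr cn org country state city
  dir=$1; key=$2; csr=$3; cn=$4; org=$5; country=$6; state=$7; city=$8
  openssl req -new -sha256 -key "$dir/$key" -out "$dir/$csr" \
    -subj "/C=$country/ST=$state/L=$city/O=$org/CN=$cn"
}

# A CSR is signed with the key it carries; -verify checks that signature.
csr_verify() { openssl req -in "$1" -noout -verify >/dev/null 2>&1; }

# Print just the CN from the CSR's subject, e.g. fencepencil.com.
csr_cn() { openssl req -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'; }

# 0 if the private key and the CSR carry the same RSA modulus, 1 otherwise.
# A CSR made from some other key is useless: the certificate binds to the key.
key_matches_csr() {
  local k c
  k=$(openssl rsa -in "$1" -noout -modulus)
  c=$(openssl req -in "$2" -noout -modulus)
  [ "$k" = "$c" ]
}

# Octal permission bits of a file (GNU stat first, BSD/macOS stat as fallback).
perm_of() { stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1"; }

# Usage: sh make_csr.sh fencepencil.com "fencepencil, Inc." US Idaho Boise
main() {
  local cn org country state city base dir key csr
  cn=$1; org=$2; country=$3; state=$4; city=$5
  base=$(printf '%s' "$cn" | tr '.' '_')
  dir="$HOME/$base.ssl"; key="$base.key"; csr="$base.csr"
  gen_key "$dir" "$key"
  gen_csr "$dir" "$key" "$csr" "$cn" "$org" "$country" "$state" "$city"
  csr_verify "$dir/$csr" || { echo "CSR signature check failed" >&2; return 1; }
  key_matches_csr "$dir/$key" "$dir/$csr" || { echo "key/CSR mismatch" >&2; return 1; }
  echo "CSR for $(csr_cn "$dir/$csr") written to $dir/$csr"
  echo "key permissions: $(perm_of "$dir/$key") (expect 600); paste the .csr into the CA's form"
}

# Only run when given the five DN arguments; sourcing the file just defines the functions.
if [ $# -eq 5 ]; then main "$@"; fi
```

Run it as `sh make_csr.sh fencepencil.com "fencepencil, Inc." US Idaho Boise` and it creates ~/fencepencil_com.ssl/ with the key and CSR, the same layout as the manual commands. The -subj form is also handy if the CA asks you to regenerate the CSR: reuse the same key when you do, because the certificate you eventually receive is bound to the key, not to the CSR.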
All done - and now you'll have two new files in that directory; let's go install this puppy.
Certificate Installation
And all the stuff in-between
At this point in time, you'll have two files which you've created in that directory, a domain_com.key file and a domain_com.csr file.
Note: Do not lose your private key (domain_com.key), and do not let it leak either: anyone who holds it can impersonate your site. Keep a backup, but an encrypted one (a password-protected archive, a password manager's secure notes, or an encrypted external drive), never a plain copy dropped into a cloud-sync folder like Dropbox.
You'll get an email from Comodo with a green sentence and a link to click on, followed by a validation code.
Copy the code to your clipboard, click the link and paste the information into the field. This verification is for domain ownership purposes.
Open up your CSR file in a text editor and copy the ENTIRE THING to your clipboard.
Now it's time to upload it to Comodo.
Head over to their portal and login with the username and password you setup when you went through checkout.
There will be an "upload your csr" link or something similar, choose that and paste in your certificate signing request (include begin and end lines).
They will use this CSR in combination with their CA to create your EV certificate.
By this time they might have called you on the phone for the final verification. FYI, it comes from a blocked number so be sure to pick up.
Note: they may send you an email stating your certificate is ready. This is likely a temporary certificate until they actually verify via phone call ...
You'll notice the difference when you get an email with "COMODO EV SSL" in the subject line. The temporary certificate's email will just have "COMODO SSL" without the "EV".
It will look like this: [screenshot of the email omitted]
Unless you'd like to go through the OpenSSL step again, it's best to wait for the final email (which could take up to 2 days).
Attached to the email is a .zip with 4 files included.
Here is what they represent:
AddTrustExternalCAROOT.crt - this is the Root CA (self-signed).
COMODORSAAddTrustCA.crt - this is the first Intermediate CA, signed by the root.
COMODORSAExtendedValidationSecureServerCA.crt - this is the second Intermediate CA, signed by the first intermediate; it is the one that signed your certificate.
yourdomain_com.crt - This is your EV Certificate.
A little clarification on the above information. The Root CA and the Intermediate CAs together are the Certificate Chain. Each certificate is signed by the one above it: yours by the second intermediate, that by the first intermediate, that by the root, and the root signs itself. A browser trusts your certificate only if it can follow that chain back to a root it already has, which is why the intermediates must be installed alongside your own certificate. (The AddTrust External CA Root expired in May 2020, so a certificate issued today ships with differently named chain files; the roles are the same.)
Download the .zip to the same directory and uncompress/extract the files from it.
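Before you paste anything into AWS, it pays to check that the four files actually fit together: each certificate in the chain must have been signed by the next one, the last one must be the self-signed root, and the certificate body must match your private key. The script below is an added example, not code from the original post or from Comodo. Because a real CA bundle cannot be embedded here, it first constructs a throwaway root, intermediate and leaf (test data; the "Example Test" names are made up) and then runs on them the same checks you would run on the real files. It assumes OpenSSL 1.1.0 or newer on Linux or macOS.

```shell
#!/bin/sh
# Added example: check a CA bundle before importing it into ACM.
# Builds a constructed root -> intermediate -> leaf chain as test data, then
# checks chain order and key/certificate match. Not code from the original post.
set -eu

# Constructed three-tier chain in DIR: root.crt (self-signed), int.crt (signed by
# root and marked CA:TRUE so it is allowed to sign), leaf.crt (signed by int).
make_test_chain() {
  local d; d=$1
  mkdir -p "$d"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/O=Example Test/CN=Example Test Root" \
    -keyout "$d/root.key" -out "$d/root.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 30 -in "$d/root.csr" -signkey "$d/root.key" \
    -extfile "$d/ca.ext" -out "$d/root.crt" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/O=Example Test/CN=Example Test Intermediate" \
    -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 30 -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
    -CAcreateserial -extfile "$d/ca.ext" -out "$d/int.crt" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=fencepencil.com" \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 30 -in "$d/leaf.csr" -CA "$d/int.crt" -CAkey "$d/int.key" \
    -CAcreateserial -out "$d/leaf.crt" 2>/dev/null
}

# Subject and issuer as openssl prints them. Both use the same formatting, so a
# certificate's issuer string equals its signer's subject string.
cert_subject() { openssl x509 -noout -subject -in "$1" | sed 's/^subject= *//'; }
cert_issuer()  { openssl x509 -noout -issuer  -in "$1" | sed 's/^issuer= *//'; }

# 0 if CHAIN (a PEM bundle) is in the order ACM and web servers expect: the first
# cert signed LEAF, each later cert signed the one before it, and the last cert
# is self-signed (the root). 1 otherwise.
chain_is_ordered() {
  local leaf chain tmp prev f rc
  leaf=$1; chain=$2
  tmp=$(mktemp -d)
  # split the bundle into one file per certificate: blk01.pem, blk02.pem, ... in bundle order
  awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/{n++} n>0{print > (sprintf("%s/blk%02d.pem", d, n))}' "$chain"
  prev=$leaf
  for f in "$tmp"/blk*.pem; do
    [ "$(cert_issuer "$prev")" = "$(cert_subject "$f")" ] || { rm -rf "$tmp"; return 1; }
    prev=$f
  done
  if [ "$(cert_issuer "$prev")" = "$(cert_subject "$prev")" ]; then rc=0; else rc=1; fi
  rm -rf "$tmp"
  return $rc
}

# 0 if KEY is the private half of the public key in CERT. Compares the DER-encoded
# public keys by SHA-256, so it works for RSA and EC keys alike.
key_matches_cert() {
  local k c
  k=$(openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256)
  c=$(openssl x509 -in "$2" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
  [ "$k" = "$c" ]
}

# Demo on the constructed chain: sh check_chain.sh demo
if [ "${1:-}" = "demo" ]; then
  W=$(mktemp -d)
  make_test_chain "$W"
  cat "$W/int.crt" "$W/root.crt" > "$W/chain.pem"      # issuer of the leaf first, root last
  chain_is_ordered "$W/leaf.crt" "$W/chain.pem" && echo "chain order OK"
  key_matches_cert "$W/leaf.key" "$W/leaf.crt" && echo "key matches certificate"
  openssl verify -CAfile "$W/root.crt" -untrusted "$W/chain.pem" "$W/leaf.crt"
  rm -rf "$W"
fi
```

For the real bundle, build the chain in the order ACM expects, the certificate that issued yours first and the root last: `cat COMODORSAExtendedValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCAROOT.crt > chain.pem`, then `chain_is_ordered yourdomain_com.crt chain.pem` and `key_matches_cert domain_com.key yourdomain_com.crt`. Note that `openssl verify` does not care about the order of the certificates it is handed in -untrusted, which is exactly why the explicit ordering check is there: ACM and web servers do care.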
We are now ready to finalize this and import to AWS.
AWS Installation
Certificate Manager and Cloudfront
First we need to import this bad boy into AWS Certificate Manager, then we can use it for Cloudfront.
IMPORTANT: Make sure the ACM console is set to the us-east-1 region (N. Virginia). CloudFront can only use certificates that live in ACM in us-east-1; a certificate imported into any other region will simply not show up in the CloudFront dropdown.
Click on the 'Import a certificate' button (it's blue).
Open up 5 files in a text editor - all 4 from Comodo as well as your private key file (they'll all look like a bunch of jumble text, that's ok).
Let's walk through the 3 fields on this page.
Certificate body* is referring to the 4th certificate up above, the yourdomain_com.crt. Your actual EV Certificate.
Certificate private key* is referring to the .key file which we created with OpenSSL.
Certificate chain is referring to the other 3 files. Order matters here: paste the certificate that issued yours first (COMODORSAExtendedValidationSecureServerCA.crt), then COMODORSAAddTrustCA.crt, and the root (AddTrustExternalCAROOT.crt) last, each block starting on its own line and including its own BEGIN/END CERTIFICATE lines. ACM checks the chain when you import; if it cannot link the certificate body to the first certificate in the chain, the import fails.
Then click Review and import.
It should look something like this: [screenshot of the ACM import form omitted]
Optional: Add a name (tags) to the certificate, so you know it's the official EV certificate from Comodo.
Almost done, just a couple more things.
Expand the certificate with the arrow on the left and make note of the first 3-4 characters of the Identifier (in blue text).
Head over to Cloudfront and edit the general settings of your distribution.
Highlight and delete the contents of your current custom SSL and then choose from the list the certificate that matches those first 3-4 characters of the identifier from before.
Save your changes and wait about 10 minutes. Your new certificate will show up in the browser URL field.