Extended Validation SSL Certificate

And how to install them for use with AWS S3 and CloudFront.

Let's Begin

Extended Validation (EV) Certificates

An Extended Validation Certificate (EV) is a certificate used for HTTPS websites and proves the legal entity controlling the website. Obtaining an EV certificate requires verification of the requesting entity's identity by a certificate authority (CA).

Web browsers show the verified legal identity prominently in their user interface, either before, or instead of, the domain name.

EV certificates use the same encryption as organization validated certificates and domain validated (DV) certificates: the increase in security is due to the identity validation process, which is indicated within the certificate by the policy identifier.

But here's the best part:

Pretty sweet, eh? Well let's go getcha one!

Purchasing EV Certificate

What you need to know

First things first. Let's go purchase our certificate at Comodo.

Don't be shocked by the price, you really can't get a better deal than this.

Pro Tip: Start a chat session and tell them you are interested in an EV certificate. They will get you a deal on the price and add a few months for free. We like free.

The person you are chatting with will send you a link with the lowered cost; click it to proceed (you'll see they add a tracking number to the URL). Add the EV certificate to your cart and then click on checkout.

You'll be brought to a screen where you fill out information about your business, and how you want your information seen within the certificate content.

Don't worry about the 'Web Server Software' part, just choose OTHER/I don't know.

Other than the regular information, you'll have a few optional selections at the end.

Now we are ready to move onto the next step - setting up our Certificate Signing Request.

Certificate Signing Request (CSR)

We'll use OpenSSL for this

"Wait ... What is OpenSSL?".

Taken verbatim from their GitHub repository: "The OpenSSL Project is a collaborative effort to develop a robust, commercial-grade, fully featured, and Open Source toolkit implementing the Transport Layer Security (TLS) protocols (including SSLv3) as well as a full-strength general purpose cryptographic library."

In other words, it's a free tool to assist with things like creating .csr files and private RSA keys.

If you are on a Mac, there is no need to install OpenSSL.

If you are a Windows user (shame on you) you can skip this section and I'll go through the install with you.

Mac/Linux users - run these commands to create a private key in your home directory (replace 'domain' with your actual domain):

cd ~ && mkdir domain_com.ssl && cd domain_com.ssl
openssl genrsa -out ~/domain_com.ssl/domain_com.key 2048

Then run this command to create a CSR:

openssl req -new -sha256 -key ~/domain_com.ssl/domain_com.key -out ~/domain_com.ssl/domain_com.csr

Time for Installation.

CSR on Windows


OpenSSL on Windows is a bit different. The official OpenSSL website only offers Linux sources, so we'll have to get a bit clever.

Instead of compiling our own Windows binary version, we'll just depend on a third party for this. Click here to get started.

Don't worry about the overbearing red wall of text, just scroll down past that until you find "Win64_OpenSSL_v1.1.0h". Do NOT download an older version than 1.1.0.

Once downloaded, find and right-click the openssl.exe file and choose 'Run as administrator'. Click through the install and make sure you choose "The OpenSSL binaries (/bin) directory".

Open a command prompt and run these commands:

cd c:\OpenSSL-Win64
set OPENSSL_CONF=c:\OpenSSL-Win64\bin\openssl.cfg

Then reboot your computer. This won't work until rebooted.

Once back, run these commands to get back into the directory and create your private key:

cd c:\OpenSSL-Win64\bin
openssl genrsa -out domain_com.key 2048

Then run this command to create a CSR:

openssl req -new -sha256 -key domain_com.key -out domain_com.csr

You will then be asked a set of questions. Here is my example:

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Idaho
Locality Name (eg, city) []:Boise
Organization Name (eg, company) [Internet Widgits Pty Ltd]:fencepencil, Inc.
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:fencepencil.com
Email Address []:shawn@fencepencil.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:fencepencil, Inc.

Here's what all that means:
Country Name - Use the two-letter code without punctuation for country, for example: US or CA.
State or Province - Spell out the state completely; do not abbreviate the state or province name.
Locality or City - The Locality field is the city or town name, for example: Berkeley. Do not abbreviate.
Company - If the company or department name contains an &, @, or any other symbol typed with the Shift key, the symbol must be spelled out or omitted in order to enroll.
Organizational Unit - The Organizational Unit (OU) field is the name of the department or organization unit making the request. To skip the OU field, press Enter on the keyboard.
Common Name - The Common Name is the Host + Domain Name. It looks like "www.symantec.com" or "symantec.com".

All done - and now you'll have two new files in that directory; let's go install this puppy.

Certificate Installation

And all the stuff in-between

At this point in time, you'll have two files which you've created in that directory, a domain_com.key file and a domain_com.csr file.

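Note: Do not lose your private key (domain_com.key); the certificate you receive only works together with it. Just to be safe, I'd make a copy of it and save it somewhere else (Dropbox, external drive, etc.). Anyone who has this file can use your certificate, so keep the copy as protected as the original.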

You'll get an email from Comodo with a green sentence and a link to click on, followed by a validation code.

Copy the code to your clipboard, click the link and paste the information into the field. This verification is for domain ownership purposes.

Open up your CSR file in a text editor and copy the ENTIRE THING to your clipboard.

Now it's time to upload it to Comodo.

Head over to their portal and log in with the username and password you set up when you went through checkout.

There will be an "upload your csr" link or something similar. Choose that and paste in your certificate signing request (including the BEGIN and END lines).

They will use this CSR in combination with their CA to create your EV certificate.

By this time they might have called you on the phone for the final verification. FYI, it comes from a blocked number so be sure to pick up.

Note: they may send you an email stating your certificate is ready. This is likely a temporary certificate until they actually verify via phone call ...

You'll notice the difference when you get an email with "COMODO EV SSL" in the subject line. The temporary certificate's email will just have "COMODO SSL" without the "EV".

It will look like this:

Unless you'd like to go through the OpenSSL step again, it's best to wait for the final email (which could take up to 2 days).

Attached to the email is a .zip with 4 files included.

Here is what they represent:
AddTrustExternalCAROOT.crt - this is the Root CA.
COMODORSAAddTrustCA.crt - this is the first Intermediate CA.
COMODORSAExtendedValidationSecureServerCA.crt - this is the second Intermediate CA.
yourdomain_com.crt - This is your EV Certificate.

A little clarification on the above information: the Root CA and any Intermediate CAs together form the Certificate Chain. When you hear that term, that is all it refers to: the Root CA and any Intermediates, creating a chain of trust from your certificate up to the root.

Download the .zip to the same directory and uncompress/extract the files from it.

We are now ready to finalize this and import to AWS.

AWS Installation

Certificate Manager and CloudFront

First we need to import this bad boy into AWS Certificate Manager, then we can use it for CloudFront.

IMPORTANT: Make sure you are in the us-east-1 region (N. Virginia). Otherwise it won't work with CloudFront.

Click on the 'Import a certificate' button (it's blue).

Open up 5 files in a text editor - all 4 from Comodo as well as your private key file (they'll all look like a bunch of jumbled text, that's ok).

Let's walk through the 3 fields on this page.

Certificate body* is referring to the 4th certificate up above, the yourdomain_com.crt. Your actual EV Certificate.

Certificate private key* is referring to the .key file which we created with OpenSSL.

Certificate chain is referring to the other 3 files. Just paste them one-by-one and hit enter for each one (they should all start on their own line).

Then click Review and import.
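
Before pasting, the three fields can be checked locally with OpenSSL. This is an added example, not part of the original tutorial: it checks that the certificate matches your private key, that the CA files chain in order up to the root, and that the certificate carries the CA/Browser Forum EV policy identifier 2.23.140.1.1 (that the temporary "COMODO SSL" certificate lacks it is an assumption). chain.pem is an assumed output file name.

```shell
#!/bin/sh
# Added example: pre-import check for the key, certificate and CA files.
# usage: check_import KEY LEAF ROOT CHAIN_OUT INTERMEDIATE...
#   INTERMEDIATE... are given issuer-first: the CA that signed LEAF, then
#   the CA that signed that one. With the page's file names:
#   check_import domain_com.key yourdomain_com.crt AddTrustExternalCAROOT.crt \
#     chain.pem COMODORSAExtendedValidationSecureServerCA.crt COMODORSAAddTrustCA.crt
# CHAIN_OUT (chain.pem here) is a hypothetical output name.
# returns: 0 ok, 1 key/chain problem, 2 valid chain but no EV policy OID
check_import() {
    key=$1 leaf=$2 root=$3 out=$4
    shift 4

    # 1. The certificate must contain the public half of our private key.
    kpub=$(openssl pkey -in "$key" -pubout 2>/dev/null) ||
        { echo "cannot read private key"; return 1; }
    cpub=$(openssl x509 -in "$leaf" -noout -pubkey 2>/dev/null) ||
        { echo "cannot read certificate"; return 1; }
    [ "$kpub" = "$cpub" ] ||
        { echo "certificate does not match private key"; return 1; }

    # 2. Each file must be the issuer of the one before it (leaf -> ... -> root).
    prev=$leaf
    for ca in "$@" "$root"; do
        want=$(openssl x509 -in "$prev" -noout -issuer_hash)
        have=$(openssl x509 -in "$ca" -noout -subject_hash)
        [ "$want" = "$have" ] ||
            { echo "chain order: $ca is not the issuer of $prev"; return 1; }
        prev=$ca
    done

    # 3. Write the chain (intermediates, then root; never the leaf) and let
    #    OpenSSL verify signatures and validity dates along it.
    cat "$@" "$root" > "$out"
    openssl verify -CAfile "$root" -untrusted "$out" "$leaf" >/dev/null 2>&1 ||
        { echo "chain does not verify"; rm -f "$out"; return 1; }

    # 4. EV is marked by a policy OID; 2.23.140.1.1 is the CA/Browser Forum
    #    EV identifier. Its absence suggests a non-EV certificate.
    openssl x509 -in "$leaf" -noout -text |
        grep -Eq 'Policy: 2\.23\.140\.1\.1[[:space:]]*$' ||
        { echo "no EV policy OID in certificate"; return 2; }

    echo "ok"
}
```

On success, the contents of chain.pem can be pasted as a whole into the Certificate chain field. A CA may also list its own EV policy OID next to the CA/Browser Forum one; this check only looks for the latter.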

It should look something like this ...

Optional: Add a name (tags) to the certificate, so you know it's the official EV certificate from Comodo.

Almost done, just a couple more things.

Expand the certificate with the arrow on the left and make note of the first 3-4 characters of the Identifier (in blue text).

Head over to CloudFront and edit the general settings of your distribution.

Highlight and delete the contents of your current custom SSL and then choose from the list the certificate that matches those first 3-4 characters of the identifier from before.

Save your changes and wait about 10 minutes. Your new certificate will show up in the browser URL field.