Using CloudFlare SSL with AWS and Azure

After a period of time creating resources in either AWS or Azure you will come to the point where you need an SSL certificate. In this post I will talk about how to use Cloudflare's wildcard cert and how to import it into AWS and Azure for use in the respective clouds.

Cloudflare SSL setup

This is the easiest step of this process.

For a shared SSL, Cloudflare provides 1 free SSL cert per account. To claim your free SSL cert:

  1. Log in to Cloudflare.

  2. Head to Crypto, scroll down to Origin Certificates and click Create Certificate.

  3. From here generate an Origin certificate with a private key of type PEM and continue with the setup.

  4. You will be presented with a screen showing an Origin Certificate and a Private Key. Copy these and treat them as passwords: once you hit OK on this screen you will not be able to retrieve the data again.

  5. Open up a terminal (use Windows Subsystem for Linux, or just upload the files and do this on a Linux box) and run:

    openssl pkcs12 -export -inkey privatekey.key -in Origincert.pem -name wildcard -out wildcard_withchain.pfx -certfile certificatechain_Cloudflare_origin.pem 
    

Enter an export password when prompted; it protects the private key inside the .pfx.

  6. Copy wildcard_withchain.pfx to the same directory as the other files above.

    Note

    Going forward, every site that uses this SSL key must have the cloud icon enabled in Cloudflare. This lets Cloudflare sit in front of the site and verify the SSL chain.

AWS import Certificate

  1. Open up AWS in the browser and head to Certificate Manager (https://console.aws.amazon.com/acm/home).
  2. Click on Import Certificate.
    • For Certificate body, copy the contents of Origincert.pem and paste them into the field.
    • For Certificate private key, copy the contents of privatekey.key and paste them into the field.
    • For Certificate chain, copy the contents of cloudflare_certificatechain.pem and paste them into the field.
  3. Hit Review and Import.

Once verified, you will see your certificate in Certificate Manager, and it can be used by your load balancer and other AWS resources.

Azure

There are 2 ways to use certificates in Azure as of 8/23/2017: the easy way and the harder way.

Easy way

  1. Find the App Service of the web application you want to protect in the portal (portal.azure.com).
  2. Go to Settings -> Custom domains.
  3. Click the + next to Hostname, associate the service with a custom domain name, and hit Validate.
  4. Close the blade and go to Settings -> SSL Certificates.
  5. Click Upload Certificate.
  6. Upload wildcard_withchain.pfx.
  7. Click + next to Add binding.
  8. Select the hostname needed and the certificate you just uploaded. Leave SSL type as SNI SSL.
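As an added example (not part of the original post), here is a POSIX shell script that checks the origin cert, private key and chain from the Cloudflare step actually belong together before you import them, builds the password-protected PFX the same way as the openssl command above, and wraps the CLI equivalents of the AWS and Azure console steps. File names follow the post; the app name, resource group and password are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post. File names follow the post:
# Origincert.pem, privatekey.key, certificatechain_Cloudflare_origin.pem.
# The aws/az calls are real CLI commands but are never run here; the
# app name and resource group are placeholders.
set -eu

# 1. The private key must belong to the certificate: compare public keys.
key_matches_cert() {  # usage: key_matches_cert cert.pem key.pem
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
  key_pub=$(openssl pkey -in "$2" -pubout)
  [ "$cert_pub" = "$key_pub" ]
}

# 2. The chain file must actually sign the certificate; otherwise the
#    import succeeds but clients see an incomplete chain.
chain_verifies() {  # usage: chain_verifies cert.pem chain.pem
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# 3. Build the password-protected PFX (same flags as the post, password
#    supplied non-interactively) and confirm it can be opened again.
build_pfx() {  # usage: build_pfx cert.pem key.pem chain.pem out.pfx password
  openssl pkcs12 -export -inkey "$2" -in "$1" -certfile "$3" \
    -name wildcard -out "$4" -passout "pass:$5"
  openssl pkcs12 -in "$4" -info -noout -passin "pass:$5" >/dev/null 2>&1
}

# 4. CLI equivalents of the console imports described in the post.
import_to_acm() {  # usage: import_to_acm cert.pem key.pem chain.pem
  aws acm import-certificate --certificate "fileb://$1" \
    --private-key "fileb://$2" --certificate-chain "fileb://$3"
}
upload_to_app_service() {  # usage: upload_to_app_service out.pfx password
  az webapp config ssl upload --certificate-file "$1" \
    --certificate-password "$2" \
    --name "APP_NAME_PLACEHOLDER" --resource-group "RG_PLACEHOLDER"
}

# Typical run (uncomment once the files are in the current directory):
# key_matches_cert Origincert.pem privatekey.key
# chain_verifies Origincert.pem certificatechain_Cloudflare_origin.pem
# build_pfx Origincert.pem privatekey.key certificatechain_Cloudflare_origin.pem \
#   wildcard_withchain.pfx 'PASSWORD_PLACEHOLDER'
```

If either check fails, stop before importing: ACM and App Service will reject a mismatched key outright, but a wrong chain file is accepted silently and only shows up as browser errors later.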

Hard Way

In this scenario we will be using Azure Key Vault. This allows us to do SSL key rotation: if the newly uploaded SSL cert has the same name as the one already there, all new deployments and existing deployments will pull down the new certificate. This lets you change your SSL certificate in one place instead of many.