In this step you will create a trusted CloudFront key group. First you will create a public-private key pair. The key pair must meet the following requirements:
- It must be an SSH-2 RSA key pair.
- It must be in base64-encoded PEM format.
- It must be a 2048-bit key pair.
There are different ways to create an RSA key pair. The following steps use OpenSSL to create a key pair.
- The following example command uses OpenSSL to generate an RSA key pair with a length of 2048 bits and saves it to the file named private_key.pem.
$ openssl genrsa -out private_key.pem 2048
- The resulting file contains both the public and the private key. The following example command extracts the public key from the file named private_key.pem and saves it to the file named public_key.pem.
$ openssl rsa -pubout -in private_key.pem -out public_key.pem
- Open the Amazon CloudFront Management Console.
- In the navigation menu, choose Public keys.
- Choose Add public key.
- In the Add public key window, complete the following and choose Add.
- For Key name, type a name to identify the public key.
- For Key value, copy and paste the contents of the public key. If you followed the steps in the preceding procedure, the public key is in the file named public_key.pem.
- (Optional) For Comment, add a comment to describe the public key.
- Record the public key ID. You will use it in a later section.
- In the navigation menu, choose Key groups.
- Choose Add key group.
- On the Create key group page, do the following:
- For Key group name, type a name to identify the key group.
- (Optional) For Comment, type a comment to describe the key group.
- For Public keys, select the public key to add to the key group, then choose Add.
- Choose Create key group.
- In the navigation menu, choose Distributions.
- Choose the Distribution ID link you created in Step 2.
- Choose the Behaviors tab.
- Select the cache behavior and then choose Edit.
- On the Edit Behavior page, do the following:
- For Trusted Key Groups or Trusted Signer, choose Trusted Key Groups.
- For Trusted Key Groups, choose the key group to add, and then choose Add.
- Choose Yes, Edit to update the cache behavior.
In this step you generated a public-private key pair, created a CloudFront Key group with a public key, and associated the Key group to your CloudFront distribution.
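Before pasting a key into the Add public key window, it is worth confirming that the file you are about to upload is really the public key and that it meets the three requirements listed at the top of this step. The following checker is an added example, not part of the workshop or of any AWS tooling; it uses only the Python standard library to parse the PEM file produced by `openssl rsa -pubout`, verifies that the PEM label is PUBLIC KEY (rejecting the private_key.pem file, which contains the private key as well), that the algorithm is rsaEncryption, and that the modulus is exactly 2048 bits. The function `build_rsa_public_key_pem` is a test-data helper that builds a syntactically valid PEM from a constructed modulus; it is not a real key and exists only so the example runs offline. Function and variable names are the example's own.

```python
import base64
import re
import sys

# OID 1.2.840.113549.1.1.1 (rsaEncryption), DER-encoded contents
RSA_OID = bytes.fromhex("2a864886f70d010101")


def _der_len(n):
    """Encode a DER length (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der(tag, payload):
    return bytes([tag]) + _der_len(len(payload)) + payload


def _der_int(v):
    # One extra byte guarantees a leading 0x00 when the high bit is set, as DER requires.
    return _der(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))


def build_rsa_public_key_pem(n, e=65537):
    """Test-data helper: wrap (n, e) in a SubjectPublicKeyInfo PEM. The modulus is NOT a real key."""
    rsa_key = _der(0x30, _der_int(n) + _der_int(e))
    alg_id = _der(0x30, _der(0x06, RSA_OID) + _der(0x05, b""))
    spki = _der(0x30, alg_id + _der(0x03, b"\x00" + rsa_key))  # BIT STRING, 0 unused bits
    b64 = base64.b64encode(spki).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN PUBLIC KEY-----\n" + "\n".join(lines) + "\n-----END PUBLIC KEY-----\n"


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def check_cloudfront_public_key(pem_text):
    """Return (ok, reason). ok is True only for a 2048-bit RSA SubjectPublicKeyInfo in PEM."""
    m = re.search(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", pem_text, re.S)
    if not m:
        return False, "not a PEM block"
    label, body = m.group(1), m.group(2)
    if "PRIVATE" in label:
        return False, f"'{label}' is a private key; upload only public_key.pem, never private_key.pem"
    if label != "PUBLIC KEY":
        return False, f"unexpected PEM label '{label}' (expected 'PUBLIC KEY' from openssl rsa -pubout)"
    try:
        der = base64.b64decode("".join(body.split()), validate=True)
    except ValueError as exc:
        return False, f"invalid base64: {exc}"
    try:
        tag, spki, _ = _read_tlv(der, 0)                 # SubjectPublicKeyInfo SEQUENCE
        if tag != 0x30:
            raise ValueError
        _, alg, pos = _read_tlv(spki, 0)                  # AlgorithmIdentifier SEQUENCE
        oid_tag, oid, _ = _read_tlv(alg, 0)
        if oid_tag != 0x06 or oid != RSA_OID:
            return False, "algorithm is not rsaEncryption"
        tag, bitstr, _ = _read_tlv(spki, pos)             # subjectPublicKey BIT STRING
        if tag != 0x03:
            raise ValueError
        _, rsa_key, _ = _read_tlv(bitstr[1:], 0)          # skip unused-bits byte -> RSAPublicKey
        tag, modulus, _ = _read_tlv(rsa_key, 0)           # modulus INTEGER
        if tag != 0x02:
            raise ValueError
    except (IndexError, ValueError):
        return False, "malformed DER"
    bits = int.from_bytes(modulus, "big").bit_length()
    if bits != 2048:
        return False, f"RSA modulus is {bits} bits; CloudFront requires 2048"
    return True, "2048-bit RSA public key in PEM format"


if __name__ == "__main__":
    # Usage: python check_key.py public_key.pem
    with open(sys.argv[1]) as fh:
        ok, reason = check_cloudfront_public_key(fh.read())
    print(("OK: " if ok else "REJECT: ") + reason)
    sys.exit(0 if ok else 1)
```

Run it against the public_key.pem produced above; a non-zero exit means the file should not be pasted into the console. The private-key check matters because private_key.pem holds the whole key pair, and the key ID that CloudFront issues is only meaningful if the private half never leaves the signing component you build in later steps.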
In Step 4 we will create a secret in AWS Secrets Managers.