
Using Comodo SSL Certificates in Amazon API Gateway


How to install Comodo SSL Certificates in Amazon API Gateway

If you want to host your REST API in Amazon API Gateway with a Comodo SSL Certificate, you will have to do a few things to correctly set up the SSL certificate chain for your domain.

When creating the domain by clicking Custom Domain Name in your API Gateway Console, you will notice these options, which are used to set up SSL:

  • Certificate name
  • Certificate body
  • Certificate private key
  • Certificate chain

Certificate name needs no further explanation; it's just a name that you can use to identify this specific certificate installation.

Certificate private key is the private key you generated when creating the Certificate Signing Request, so just paste your private key here, including the headers -----BEGIN PRIVATE KEY----- and -----END PRIVATE KEY-----. This is needed so Amazon can actually serve your API with your certificate.

The other two options are the reason for this article and are related to the files that you get from Comodo once your certificate is ready. You probably got these files separately or packed all together in a ZIP file:

  • STAR_domain_com.crt (where domain_com is actually YOUR domain)
  • COMODORSADomainValidationSecureServerCA.crt
  • COMODORSAAddTrustCA.crt
  • AddTrustExternalCARoot.crt

Certificate body can be filled with literally the contents of the STAR_domain_com.crt file, including the headers -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----.

Certificate chain is the tricky one: it is the result of concatenating the files COMODORSADomainValidationSecureServerCA.crt, COMODORSAAddTrustCA.crt and AddTrustExternalCARoot.crt, in that order, and pasting the result literally. This command can get you the full contents:
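
One way to produce full.crt and check it before pasting, as an added example rather than the article's own command; the helper names build_chain, count_certs and show_order are assumptions, and the file names are the ones listed above. Unlike a plain concatenation, it guards against a missing trailing newline, Windows line endings and a private key ending up in the chain.

```shell
#!/bin/sh
# Added example (not from the article): build the "Certificate chain" value.
# build_chain, count_certs and show_order are hypothetical helper names.

# usage: build_chain OUTPUT CERT...   (CERTs in the order they must appear)
build_chain() {
    out=$1; shift
    : > "$out" || return 1
    for f in "$@"; do
        [ -r "$f" ] || { echo "cannot read $f" >&2; return 1; }
        # The chain field takes certificates only; a key here means a mix-up.
        if grep -q -- 'PRIVATE KEY-----' "$f"; then
            echo "$f contains a private key" >&2; return 1
        fi
        n=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$f" || true)
        [ "$n" -eq 1 ] || { echo "$f: expected 1 certificate, got $n" >&2; return 1; }
        # awk drops Windows CRs and always ends the last line with a newline,
        # so END/BEGIN markers of adjacent files never fuse as with plain cat.
        awk '{ sub(/\r$/, ""); print }' "$f" >> "$out"
    done
}

# usage: count_certs FILE   -> prints the number of PEM certificates in FILE
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# usage: show_order CERT...  -> subject and issuer of each file, to confirm
# that every issuer equals the subject of the next file (needs openssl).
show_order() {
    command -v openssl >/dev/null 2>&1 || return 0
    for f in "$@"; do
        openssl x509 -in "$f" -noout -subject -issuer
    done
}

# File names as listed in the article; this part runs only where they exist.
set -- COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt \
       AddTrustExternalCARoot.crt
if [ -r "$1" ]; then
    build_chain full.crt "$@" && show_order "$@" &&
        echo "full.crt holds $(count_certs full.crt) certificates"
fi
```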

As a result, you can paste the contents of the file full.crt directly into the Certificate chain field. Amazon API Gateway should then be able to pick up your brand new Comodo SSL Certificate.