Metriport's Infrastructure as Code (IaC) is an AWS CDK project that uses TypeScript.
The cdk.json file tells the CDK Toolkit how to execute the app.
npm run buildcompile typescript to jsnpm run watchwatch for changes and compilenpm run testperform the jest unit testscdk deploydeploy this stack to your default AWS account/regioncdk diffcompare deployed stack with current statecdk synthemits the synthesized CloudFormation template
-
Download Certificate and Private Key
- Download your certificate (for example,
ihe.staging.metriport.com.pem) and private key (for example,PRIVATEKEY.key).
- Download your certificate (for example,
-
Decrypt the Key
- Decrypt the key using OpenSSL. You will be prompted to enter the pascode.
openssl rsa -in PRIVATEKEY.key -out decrypted_private_key.key
- Decrypt the key using OpenSSL. You will be prompted to enter the pascode.
-
Download the Production/Validation Bundle
- Download the Production / Validation bundle from the Sequoia Project: Sequoia Project Trust Chains
- Run the following OpenSSL command to convert the file from a pkcs7 file to a pem file:
openssl pkcs7 -in sequoiaProject"<Val_or_Prod">TrustBundle.p7b -print_certs -out SubCA2.pem
-
Extract Certificates
-
There will be several different Intermediate Certs inside the file.
-
First, identify the cert that corresponds to the intermediate cert that
<your_domain_name>.pempoints to. You can check this by pasting the cert into SSL Checker. Choose the correct cert and store it inintermediate_cert.pem. The format should look like this:-----BEGIN CERTIFICATE----- ABCDEFGH... -----END CERTIFICATE----- -
Second, examine the intermediate cert you chose and note the issuer listed for it. Then select that cert and store it into
root_cert.pem.
-
-
Validate Issued Certificate
-
Concatenate your certs and validate that it is good by copy and pasting it into SSL Checker:
cat <your_domain_name>.pem intermediate_cert.pem root_cert.pem > chain.pem -
When you concatenate your certs, make sure they look like this:
-----BEGIN CERTIFICATE----- ... -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE-----and that they don't look like this:
-----BEGIN CERTIFICATE----- ... -----END CERTIFICATE----------BEGIN CERTIFICATE----- ... -----END CERTIFICATE----- -
Alternatively, you can verify your certs by concatenating your cert and the intermediate cert into
chained_no_root.pem:cat <your_domain_name>.pem intermediate_cert.pem > chained_no_root.pem -
Fill in the your path to
privateKeyandcertificateChainintest/run-cert.tsand then run:npm run run-cert -
Then, use OpenSSL to connect to your server:
openssl s_client -connect localhost:3000 -servername localhost --CAfile root_cert.pem -
If you see `Verify return code: 0 (ok)``, then you know the cert is valid.
-
-
Import Certificate into AWS ACM
- Finally, you are ready to import the certificate into AWS ACM with the following command:
aws acm import-certificate --region <your-aws-region> \ --certificate fileb://<your_domain_name>.pem \ --private-key fileb://decrypted_private_key.key \ --certificate-chain fileb://intermediate_cert.pem
- Finally, you are ready to import the certificate into AWS ACM with the following command: