Note: I’m no longer maintaining these renewal notes, as I now have the whole process pretty much automated via Ansible (I just run a script to generate a new CSR, then dump the signed certificate from the CA into my Ansible configs repo and tell Ansible to install it).
I didn’t do a very good job of taking notes on this one (actually, I took notes, but then mistakenly trashed the file).
The main point to note here was the need to produce a new certificate bundle, replacing the old root cert. (Chrome was fine without the bundle, but Amazon Cloudfront was not.) The order matters.
From this page:
- Server certificate
- Primary intermediate CA cert
- Secondary intermediate CA cert
- Root CA cert
For more detail, see the similar notes from "SSL certificate renewal notes 2010".