To add a custom domain to an Amazon CloudFront distribution you will need to request a domain name from the hostmaster using this template. 

To: hostmaster@doit.wisc.edu

Subject: CNAME DNS Request for AWS hosted website

We recently set up a website hosted with AWS CloudFront and would like to set it up with the DNS name <yourDNSName.wisc.edu>. We are asking for a CNAME record to map <yourDNSName.wisc.edu> to <yourCloudFrontID>.cloudfront.net. Please let me know if you need any other information. 

Once you have received a response from the hostmaster that your domain has been made, you will need to get a certificate. Here is how you can do that:

1. You will need to have OpenSSL installed on your machine. If you have a Mac it is already installed, on Windows you can run openssl from Git BASH. 
2. Create a CSR with this generator here.
   • Common Name:  the same DNS name that you sent to the hostmaster (e.g., <yourDNSName.wisc.edu>)
   • Organization: University of Wisconsin-Madison
   • Key Size: 2048
     • Note - CloudFront does not support a key size of 4096
   • Click Generate and copy the contents.
3. Open a Terminal on Mac or Git BASH on Windows and paste in the CSR command you copied from step 2 and hit enter. This will generate the private key and .csr file in the directory you ran the command in.
   • Copy the contents of the .csr file 
4. Go to this SSL Enrollment Form to request the certificate 
   • Fill in your name and email
   • Server Type: Other
   • Certificate: Single Domain
   • Term: 1 year
   • CSR: <Paste the contents of the .csr file you copied in step 3>
   • Common Name:  <Common Name should auto-populate the after pasting in the CSR>
   • Comment: <optional>
   • And click Submit
5. You will receive an email with download links to the certificate, You will need 2 of these links and the private key from step 3 to continue. 
6. Login to the AWS console and open the CloudFront service
7. In the account that you have your CloudFront distribution set up, open the AWS Certificate Manager.
   • In the top right of your screen where you can select the region, Choose us-east-1. Note - you must use us-east-1 for CloudFront certificates
   • On the left navigation pane click "Import Certificate" 
   • You will see 3 boxes that you need to paste information into. Listed below is how you should fill them in. 
     • Certificate body: From the email in step 5 click the download link for "Certificate only, PEM encoded" and paste the contents into this box.
     • Certificate private key: Paste the contents of the .key file that was generated from step 3 into this box. 
     • Certificate chain:  From the email in step 5 click the download link for "Certificate (w/ chain), PEM encoded" and paste the contents into this box.
   • Click next and give tags if you want then continue to review and import. 
   • After importing the certificate you should see it has the correct URL you have requested the certificate for. 
8. Next, go to the CloudFront distribution you want to apply the custom domain to. 
   • In the middle of the screen, there is a setting section with an edit button on the right, click edit. 
   • In the "Alternate domain name (CNAME)" section, click add item and enter the custom domain name you requested.
   • In the "Custom SSL certificate" section, click the drop-down and select the certificate you just imported.
     • If you do not see it make sure you used 2048 as the key size for your certificate in step 2 and imported it into us-east-1 in step 6. It will not show up if these 2 things are not done correctly. 
   • Click save changes, and wait about 10 minutes for it to deploy the changes. 
9. After waiting you should be able to use the new domain name to go to your website that is hosted on CloudFront.