When CloudFront needs a custom SSL certificate, the certificate has to be uploaded to IAM through aws-cli.
1. Give an IAM user's account permission to upload/list/delete certificates, then update aws-cli first
$ sudo yum install aws-cli
2. Configure the AWS IAM account that will be used to upload the certificate
$ aws configure
region = us-west-1
aws_access_key_id =
aws_secret_access_key =
3. Convert the key to PEM
$ openssl rsa -in myserver.key -text > private.pem
$ openssl x509 -inform PEM -in STAR_mlwmlw_org.crt > public.pem
4. Upload the key through aws-cli; the path must specify cloudfront so that CloudFront can use the certificate.
$ aws iam upload-server-certificate --server-certificate-name mlwmlw \
    --certificate-body file://public.pem \
    --private-key file://private.pem \
    --certificate-chain file://STAR_mlwmlw_org.ca-bundle \
    --path /cloudfront/production/
{
    "ServerCertificateMetadata": {
        "ServerCertificateId": "xxxxxxxxxxxxxxx",
        "ServerCertificateName": "mlwmlw",
        "Expiration": "2014-10-23T23:59:59Z",
        "Path": "/cloudfront/production/",
        "Arn": "arn:aws:iam::1122335566663:server-certificate/cloudfront/production/mlwmlw",
        "UploadDate": "2014-08-05T07:34:50.709Z"
    }
}
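A pre-upload check for the files produced in step 3 and the path used in step 4, as an added example that is not part of the original post. The function names, the 30-day expiry threshold and the file-permission check are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example: pre-upload checks for the files used in steps 3 and 4.
# Function names and the 30-day threshold are assumptions, not from the post.

# Succeeds when the certificate's public key matches the private key.
cert_matches_key() {   # usage: cert_matches_key public.pem private.pem
    local from_cert from_key
    from_cert=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    from_key=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$from_cert" ] && [ "$from_cert" = "$from_key" ]
}

# Succeeds when the certificate is still valid $2 days from now.
cert_valid_for_days() {   # usage: cert_valid_for_days public.pem 30
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Succeeds when the private key file is not readable by group or others.
key_is_owner_only() {   # usage: key_is_owner_only private.pem
    [ -z "$(find "$1" \( -perm -040 -o -perm -004 \) 2>/dev/null)" ]
}

# Succeeds when the IAM path starts with /cloudfront/ and ends with a slash.
path_is_cloudfront() {   # usage: path_is_cloudfront /cloudfront/production/
    case "$1" in
        /cloudfront/|/cloudfront/*/) return 0 ;;
        *) return 1 ;;
    esac
}

# Runs every check and reports each failure; returns 1 if any check failed.
preflight() {   # usage: preflight public.pem private.pem /cloudfront/production/
    local rc=0
    cert_matches_key "$1" "$2"  || { echo "FAIL: certificate and key do not match" >&2; rc=1; }
    cert_valid_for_days "$1" 30 || { echo "FAIL: certificate expires within 30 days" >&2; rc=1; }
    key_is_owner_only "$2"      || { echo "FAIL: private key readable by group/others" >&2; rc=1; }
    path_is_cloudfront "$3"     || { echo "FAIL: --path must be under /cloudfront/" >&2; rc=1; }
    return "$rc"
}

# Run the checks only when the script is called with the three arguments.
if [ "$#" -eq 3 ]; then preflight "$@"; fi
```

Run it as `bash preflight.sh public.pem private.pem /cloudfront/production/` (script name assumed) before step 4; a non-zero exit means the upload should not go ahead.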