AWS CloudFront says public key is invalid/out of limits
I am trying to upload a public key on AWS CloudFront. I generate the key as follows

ssh-keygen -t ecdsa -b 521

I have also tried

ssh-keygen -b 4096

When I upload it through the console, I get the following error: com.amazonaws.services.cloudfront.model.InvalidArgumentException: Your request contains empty/invalid/out of limits RSA Encoded Key (Service: AmazonCloudFront; Status Code: 400; Error Code: InvalidArgument; Request ID: 08fa98af-0c02-11ea-b06e-d771d01bbfcb)

The result of ssh -V is "OpenSSH_7.7p1, OpenSSL 1.0.2p 14 Aug 2018".

Any help would be appreciated. Thanks.

Moderate answered 21/11, 2019 at 2:15 Comment(0)
This is because CloudFront doesn't support keys with a length of 4096 bits. When you run the command openssl rsa -pubout -in key.pem -out pubkey.pem, it by default generates 2048-bit keys, which it accepts.

The length of the public key for a certificate depends on where you're storing it.

Importing a certificate into AWS Certificate Manager (ACM): public key length must be 1024 or 2048 bits. The limit for a certificate that you use with CloudFront is 2048 bits, even though ACM supports larger keys.

Uploading a certificate to the AWS Identity and Access Management (IAM) certificate store: maximum size of the public key is 2048 bits.

CloudFront SSL

Rocray answered 21/11, 2019 at 6:13 Comment(7)
Moderate: I have tried ssh-keygen -b 2048 and it did not work either. It seems CloudFront specifically wants OpenSSL.
Rocray: One question though: CloudFront doesn't allow a self-signed certificate to be uploaded, so how did you upload? And an ssh-key pub file has a different format than a public key.
Moderate: I simply went to the CloudFront Management Console > Public Key > Add Public Key. I want to use this public key for signed URLs. It's possible I am doing something wrong.
Rocray: Ahh, for signed URLs; never mind the above question, but the public key is in RSA key format. ssh-keygen doesn't do it.
Rocray: Please ignore my response, I thought it was for CloudFront HTTPS.
Moderate: Update: You can't use this method for signed URLs. This CloudFront Management Console > Public Key > Add Public Key is for something else, and for signed URLs you need to use the account root user. My whole question is moot.
Arthur: In 2024 this holds true, per the CloudFront Developer Guide: "To get started, you must create an RSA key pair that includes a public key and a private key...The key size must be 2048 bits."
I solved it by generating a key this way:

openssl genrsa -out key.pem

openssl rsa -pubout -in key.pem -out pubkey.pem

And uploading the resulting pubkey.pem. I am still not sure of the specific reason why my previous method did not work.

Moderate answered 21/11, 2019 at 4:52 Comment(2)
Coeternity: I tried this. This also doesn't work for me. I'm not sure why.
Vastitude: This works for me.
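The answer above works because a CloudFront public key has to be an RSA key of exactly 2048 bits in X.509 SubjectPublicKeyInfo PEM form (the "-----BEGIN PUBLIC KEY-----" block that openssl rsa -pubout writes), whereas ssh-keygen writes a one-line "ssh-rsa AAAA..." OpenSSH key and the ECDSA attempt was the wrong algorithm altogether. The following is an added example, not code from the thread or from AWS: it generates a conforming pair with openssl, converts an OpenSSH-format public key with ssh-keygen's own -e -m PKCS8 export (only needed if you already have one), and runs a pre-upload check that reports which of the three failure modes seen in this thread a file would hit. File names are placeholders; only openssl is required to run the check.

```shell
#!/usr/bin/env bash
# Added example: produce and sanity-check a CloudFront public key before upload.

# Generate a 2048-bit RSA private key and export the matching SPKI PEM public key.
gen_cloudfront_keypair() {
  priv="$1"; pub="$2"
  openssl genrsa -out "$priv" 2048 2>/dev/null
  openssl rsa -in "$priv" -pubout -out "$pub" 2>/dev/null
}

# Convert an OpenSSH public key file ("ssh-rsa AAAA..." as written by ssh-keygen)
# into the SPKI PEM form CloudFront wants. The key itself must still be RSA 2048.
ssh_pub_to_pem() {
  ssh-keygen -e -m PKCS8 -f "$1"
}

# Print the modulus size of an RSA SPKI PEM public key; print nothing if the file
# is not an RSA public key (openssl rsa refuses EC/Ed25519 keys).
rsa_pubkey_bits() {
  openssl rsa -pubin -in "$1" -noout -text 2>/dev/null \
    | sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p'
}

# Return 0 if the file is a CloudFront-acceptable public key; otherwise print the
# reason to stderr and return 1. Checks format, algorithm and size in that order.
check_cloudfront_pubkey() {
  pub="$1"
  if ! grep -q -- '-----BEGIN PUBLIC KEY-----' "$pub"; then
    echo "rejected: not an SPKI PEM file (OpenSSH/RFC4716 format?)" >&2
    return 1
  fi
  bits=$(rsa_pubkey_bits "$pub")
  if [ -z "$bits" ]; then
    echo "rejected: not an RSA key (CloudFront signed URLs require RSA)" >&2
    return 1
  fi
  if [ "$bits" -ne 2048 ]; then
    echo "rejected: RSA key is $bits bits, CloudFront requires exactly 2048" >&2
    return 1
  fi
  return 0
}

# Usage (placeholder file names):
#   gen_cloudfront_keypair cloudfront_private_key.pem cloudfront_public_key.pem
#   check_cloudfront_pubkey cloudfront_public_key.pem && aws cloudfront create-public-key ...
```

Run the check on the exact file you are about to paste into the console or feed to the CLI; a 4096-bit key, an ECDSA key and an unconverted ssh-keygen .pub each fail with a different message, which is more useful than the generic "empty/invalid/out of limits RSA Encoded Key" error CloudFront returns.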
This is the bash script I wrote that creates an RSA key, uploads it as a CloudFront public key, and creates a CloudFront key group.

#!/usr/bin/env bash
set -euo pipefail

# Generate a 2048-bit RSA key pair; CloudFront only accepts 2048-bit RSA public keys.
openssl genrsa -out cloudfront_private_key.pem 2048
openssl rsa -pubout -in cloudfront_private_key.pem -out cloudfront_public_key.pem
EncodedKey="$(cat ./cloudfront_public_key.pem)"

# Substitute the PEM into the JSON template. The unquoted $(echo $EncodedKey)
# deliberately collapses the PEM's newlines into spaces so sed sees a single line.
sed \
  -e "s%TEMPLATE_ENCODED_PUBLIC_KEY%$(echo $EncodedKey)%g" \
  ./cloudfront_key_config.json.tmpl > ./cloudfront_key_config.json
# Put literal \n back after the BEGIN header and before the END footer.
sed -i 's/- /-\\n/ ; s/ -/\\n-/' ./cloudfront_key_config.json

CloudfrontKeyID=$(aws cloudfront create-public-key \
  --public-key-config file://cloudfront_key_config.json \
  --query 'PublicKey.Id' --output text)
echo "CloudFront public key created! Now creating CloudFront key group ..."

sleep 10
sed \
  -e "s%TEMPLATE_KEY_ID%${CloudfrontKeyID}%g" \
  ./cloudfront_key_group_config.json.tmpl > ./cloudfront_key_group_config.json
CloudFrontKeyGroup=$(aws cloudfront create-key-group \
  --key-group-config file://cloudfront_key_group_config.json \
  --query 'KeyGroup.Id' --output text)
echo "$CloudFrontKeyGroup"

And the 2 tmpl files look like below

# cat cloudfront_key_config.json.tmpl 
{
    "CallerReference": "cloudfront-public-key",
    "Name": "CloudFront-Public-Key",
    "EncodedKey": "TEMPLATE_ENCODED_PUBLIC_KEY",
    "Comment": "CloudFront public key"
}

# cat cloudfront_key_group_config.json.tmpl 
{
  "Name": "CloudFront-key-group",
  "Items": ["TEMPLATE_KEY_ID"],
  "Comment": "Cloudfront key group"
}
Jink answered 13/1, 2023 at 18:0 Comment(0)
In my case, AWS rejected a malformed (i.e. a raw base64 string instead of .pem format) 2048-bit RSA key, and I had to format it properly (in JavaScript):

// Wrap the raw base64 SPKI string (pkey.publicKey in my code) into PEM with 64-character lines
function toPem(publicKeyBase64) {
  return '-----BEGIN PUBLIC KEY-----\n' +
    publicKeyBase64
      .split(/(.{64})/)   // capturing split yields 64-char chunks interleaved with empty strings
      .filter((s) => s)   // drop the empty strings
      .join('\n') +
    '\n-----END PUBLIC KEY-----\n';
}
Interweave answered 15/8, 2022 at 15:16 Comment(0)