## Step 3: Create CloudFront Key Group In this step you will create a trusted [CloudFront key group](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-trusted-signers.html#choosing-key-groups-or-AWS-accounts). First you will create a public-private key pair. The key pair must meet the following requirements: - It must be an SSH-2 RSA key pair. - It must be in base64-encoded PEM format. - It must be a 2048-bit key pair. ### Create Key Pair There are different ways to create an RSA key pair. The following steps use OpenSSL to create a key pair. 1. The following example command uses OpenSSL to generate an RSA key pair with a length of 2048 bits and save to the file named `private_key.pem`. ``` $ openssl genrsa -out private_key.pem 2048 ``` 2. The resulting file contains both the public and the private key. The following example command extracts the public key from the file named `private_key.pem` and save to the file named `public_key.pem`. ``` $ openssl rsa -pubout -in private_key.pem -out public_key.pem ``` ### Upload Public Key 1. On [Amazon CloudFront Management Console](https://console.aws.amazon.com/cloudfront) 2. In the navigation menu, choose **Public keys**. 3. Choose **Add public key**. 4. In the **Add public key** window, complete the following and choose **Add**. - For **Key name**, type a name to identify the public key. - For **Key value**, copy and paste the contents of the public key. If you followed the steps in the preceding procedure, the public key is in the file named `public_key.pem`. - (Optional) For **Comment**, add a comment to describe the public key. 5. Record the public key ID. You will use it later section. ### Create Key group 1. In the navigation menu, choose **Key groups**. 2. Choose **Add key group**. 3. On the **Create key group** page, do the following: - For **Key group name**, type a name to identify the key group. - (Optional) For **Comment**, type a comment to describe the key group. - For **Public keys**, select the public key to add to the key group, then choose **Add**. 4. Choose **Create key group**. ### Associate Key group 1. In the navigation menu, choose **Distributions**. 2. Choose the **Distribution ID** link you created in Step 2. 3. Choose the **Behaviors** tab. 4. Select the cache behavior and then choose **Edit**. 5. On the **Edit Behavior** page, do the following: - For **Trusted Key Groups or Trusted Signer**, choose **Trusted Key Groups**. - For **Trusted Key Groups**, choose the key group to add, and then choose **Add**. 6. Choose **Yes, Edit** to update the cache behavior. In this step you generated a public-private key pair, created a CloudFront Key group with a public key, and associated the Key group to your CloudFront distribution. In [Step 4](../4-Create_Secrets_Manager/README.md) we will create a secret in **AWS Secrets Managers**.