CloudFront alternate domain name Certificates

Question

My custmer uses Cloudfront to run shops for customers under their own subdomain but also under the mobile subdomain of the customer, which they don't manage themselves.

Before this [CloudFront security change][1] they were able to add the alternate domain using only their certificate and then use it to validate and get a Let's Encrypt certificate for the customer subdomain.

Is this still possible through some other means?

[1]: https://aws.amazon.com/about-aws/whats-new/2019/04/amazon-cloudfront-enhances-the-security-for-adding-alternate-domain-names-to-a-distribution/

Accepted Answer

I understand that this company (for example `shops.com`) creates a distribution covering two CNAMEs for each of their customers (`customer.shops.com` and `m.customer.com`).  Then they ask their customer to point `m.customer.com` to the created distribution, then they use Lets Encrypt with HTTP validation to issue a certificate covering both domain, and finally they attach the certificate to this distribution using ACM.

That will not work any more with the new security enhancements in CloudFront. I suggest that the customer first issue a certificate using ACM and DNS validation covering both domains (first action from their customer), then creates the distribution with this certificate and finally ask the customer to create the necessary CNAME in their DNS configuration.

CloudFront alternate domain name Certificates

関連するコンテンツ