Why does CloudFront show my old Amazon-issued SSL certificate, even after I renew or reimport the certificate?


I renewed my Amazon-issued SSL certificate on AWS Certificate Manager (ACM), or I reimported my SSL certificate to ACM. However, Amazon CloudFront still shows the previous version of the certificate.


If the certificate renewal or reimport process isn't yet complete, CloudFront might still use the previous certificate. Renewing or reimporting a certificate is an asynchronous process, and it can take up to 24 hours until CloudFront shows those changes.

To avoid certificate expiration issues, renew or reimport your certificate at least 24 hours before the NotAfter value of your current certificate. If you're within 24 hours of the certificate expiration, then request a new certificate from ACM or import a new certificate to ACM. Then, associate the new certificate with the CloudFront distribution.
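The timing rules above can be expressed as a monitoring check. The following Python is an added example, not AWS code: the function names, the action labels and the sample values are assumptions made here, and the inputs are taken to come from ACM (Serial, NotAfter, time of the renewal or reimport) and from the certificate that the distribution currently presents.

```python
from datetime import datetime, timedelta, timezone

# From the article: a renewal or reimport can take up to 24 hours to show in CloudFront.
PROPAGATION_WINDOW = timedelta(hours=24)


def normalize_serial(serial: str) -> str:
    # Tools print serials differently (colons, case, leading zeros); compare one form.
    return serial.replace(":", "").lower().lstrip("0")


def certificate_action(acm_serial, acm_not_after, served_serial,
                       served_not_after, acm_changed_at, now):
    """Return 'ok', 'wait', 'replace' or 'investigate' (labels are this example's own).

    acm_*          : Serial / NotAfter of the certificate as ACM reports it
    served_*       : serial / NotAfter of the certificate the distribution presents
    acm_changed_at : when the renewal or reimport happened in ACM
    """
    in_sync = normalize_serial(acm_serial) == normalize_serial(served_serial)
    if in_sync:
        # CloudFront already shows the ACM certificate; only its expiry matters.
        if acm_not_after - now <= PROPAGATION_WINDOW:
            return "replace"  # too late to renew in place: new certificate, then associate
        return "ok"
    # CloudFront still shows the previous certificate.
    if served_not_after - now <= PROPAGATION_WINDOW:
        return "replace"      # previous certificate may expire before the change appears
    if now - acm_changed_at < PROPAGATION_WINDOW:
        return "wait"         # still inside the asynchronous propagation window
    return "investigate"      # more than 24 hours old and still not visible


# Constructed sample values, not real certificate data.
NOW = datetime(2024, 6, 10, 12, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    # Reimported 3 hours ago; the previous certificate is still served and valid for 10 days.
    print(certificate_action("0a:1b:2c", NOW + timedelta(days=395),
                             "0f:ee:01", NOW + timedelta(days=10),
                             NOW - timedelta(hours=3), NOW))
```

A result of "replace" corresponds to the article's fallback: request or import a new certificate in ACM and associate it with the distribution.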

Related information

Managed renewal for ACM certificates

Reimporting a certificate

Check a certificate's renewal status

Troubleshooting managed certificate renewal


Need more elaboration on the term "several hours". If the max waiting time required is 24 hours before seeking help from AWS support, please address it in this doc. Thanks.

replied a year ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS
replied a year ago