How do I configure my CloudFront distribution to use an SSL/TLS certificate?


I want to configure my Amazon CloudFront distribution to use an SSL/TLS certificate.


CloudFront assigns a default domain name to your distribution. This domain name looks similar to If you use the default domain name, then you can also use the default SSL/TLS certificate that CloudFront selected for your distribution. If you use a different domain name, then it's a best practice to complete one of the following steps:

This helps you avoid certificate warnings about your domain name.

If you use an Amazon issued certificate, then note the following prerequisites:

  • You must request the certificate in the US East (N. Virginia) AWS Region.
  • You must have permission to use and request the ACM certificate.

If you use an imported certificate with CloudFront, then note the following prerequisites:

  • Your key length must be 1024 bits, 2048 bits, or 3072 bits, and can't exceed 3072 bits.
    Note: ACM issues RSA certificates with up to 2048-bit keys. To use a 3072-bit RSA certificate, you must get it externally and then import it into ACM. After you do this, the certificate is available for you to use with CloudFront.
  • You must import the certificate in the US East (N. Virginia) Region.
  • You must have permission to use and import the SSL/TLS certificate.

Note: If you're missing permissions, then the CloudFront console shows Missing permission acm:ListCertificates in the Custom SSL Certificate settings. If you don't have a US East (N. Virginia) certificate or your key size exceeds 3072 bits, then Custom SSL Certificate is grayed out.
For more information, see Requirements for using SSL/TLS certificates with CloudFront.

Then, configure your CloudFront distribution to use the new certificate and require HTTPS between viewers and CloudFront. For more information, see Updating a distribution.

After you save the changes to your CloudFront distribution configuration, CloudFront propagates the changes to all edge locations. When propagation completes, the status of your CloudFront distribution in the CloudFront console changes from InProgress to Deployed.
If you require HTTPS for communication between CloudFront and your custom origin, then you can also use SSL/TLS certificates on a custom origin.

To update settings for your CloudFront distribution, see Updating your CloudFront distribution.
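
The certificate prerequisites above (US East (N. Virginia) Region, RSA key length, and a certificate that matches your domain name) can be checked before you attach the certificate. The following Python sketch is an added example, not AWS code: the function names and the sample values are hypothetical, the input dict follows the shape of the ACM DescribeCertificate response, and the domain check uses standard TLS wildcard matching, which this page does not spell out.

```python
ALLOWED_RSA_BITS = {1024, 2048, 3072}  # RSA key lengths listed on this page
REQUIRED_REGION = "us-east-1"          # US East (N. Virginia)


def name_covers(cert_name, host):
    """True if a certificate name (possibly a wildcard) covers host."""
    cert_name, host = cert_name.lower().rstrip("."), host.lower().rstrip(".")
    if cert_name.startswith("*."):
        suffix = cert_name[1:]  # "*.example.com" -> ".example.com"
        label = host[: -len(suffix)]
        # A wildcard matches exactly one leftmost label, never the apex.
        return host.endswith(suffix) and label != "" and "." not in label
    return cert_name == host


def check_certificate(cert, alternate_names):
    """Return a list of problems; an empty list means every check passed.

    cert is the "Certificate" dict from ACM DescribeCertificate.
    """
    problems = []
    # ARN layout: arn:partition:acm:region:account-id:certificate/id
    parts = cert["CertificateArn"].split(":")
    region = parts[3] if len(parts) > 3 else ""
    if region != REQUIRED_REGION:
        problems.append(f"region is {region or 'unknown'}, not {REQUIRED_REGION}")
    algo = cert.get("KeyAlgorithm", "")
    # Only RSA lengths are checked, because those are what the page lists.
    if algo.startswith("RSA_") and int(algo[4:]) not in ALLOWED_RSA_BITS:
        problems.append(f"{algo} key length is not 1024, 2048, or 3072 bits")
    names = cert.get("SubjectAlternativeNames") or [cert["DomainName"]]
    for host in alternate_names:
        if not any(name_covers(n, host) for n in names):
            problems.append(f"{host} is not covered by the certificate")
    return problems


# Constructed sample input (not a real certificate, account, or domain).
SAMPLE = {
    "CertificateArn": "arn:aws:acm:eu-west-1:111122223333:certificate/EXAMPLE-ID",
    "DomainName": "example.com",
    "SubjectAlternativeNames": ["example.com", "*.example.com"],
    "KeyAlgorithm": "RSA_4096",
}

if __name__ == "__main__":
    for problem in check_certificate(SAMPLE, ["www.example.com", "cdn.static.example.com"]):
        print("FAIL:", problem)
```

With real data, pass the `Certificate` value returned by `boto3.client("acm", region_name="us-east-1").describe_certificate(CertificateArn=...)` and the alternate domain names that you plan to add to the distribution.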

Related information

Issuing and managing certificates

How can I troubleshoot issues with using a custom SSL certificate for my CloudFront distribution?

Clients are receiving certificate error messages when trying to access my website using HTTPS connections. How do I resolve this?

AWS OFFICIAL. Updated 2 months ago.