How do I configure my CloudFront distribution to use an SSL/TLS certificate?

3 minute read

I want to configure my Amazon CloudFront distribution to use an SSL/TLS certificate.

Resolution

CloudFront assigns a default domain name to your distribution. This domain name looks similar to d111111abcdef8.cloudfront.net. If you use the default domain name, then you can also use the default SSL/TLS certificate that CloudFront selected for your distribution. If you use a different domain name, then it's a best practice to complete one of the following steps:

Request a public certificate from AWS Certificate Manager (ACM).
Import certificates into ACM.

This helps you avoid certificate warnings about your domain name.

If you use an Amazon issued certificate, then note the following prerequisites:

You must request the certificate in the US East (N. Virginia) AWS Region.
You must have permission to use and request the ACM certificate.

If you use an imported certificate with CloudFront, then note the following prerequisites:

Your key length must be 1024 bits, 2048 bits, or 3072 bits, and can't exceed 3072 bits.
Note: ACM issues RSA certificates with up to 2048-bit keys. To use a 3072-bit RSA certificate, you must get it externally and then import it into ACM. After you do this, the certificate is available for you to use with CloudFront.
You must import the certificate in the US East (N. Virginia) Region.
You must have permission to use and import the SSL/TLS certificate.

Note: If you're missing permissions, then the CloudFront console shows Missing permission acm:ListCertificates in the Custom SSL Certificate settings. If you don't have a US East (N. Virginia) certificate or your key size exceeds 3072 bits, then Custom SSL Certificate is grayed out.
For more information, see Requirements for using SSL/TLS certificates with CloudFront.

Then, configure your CloudFront distribution to use the new certificate and require HTTPS between viewers and CloudFront. For more information, see Updating a distribution.

After you save the changes to your CloudFront distribution configuration, CloudFront propagates the changes to all edge locations. When propagation completes, the status of your CloudFront distribution in the CloudFront console changes from InProgress to Deployed .
If you require HTTPS for communication between CloudFront and your custom origin, then you can also use SSL/TLS certificates on a custom origin.

To update settings for your CloudFront distribution, see Updating your CloudFront distribution.

Related information

Issuing and managing certificates

How can I troubleshoot issues with using a custom SSL certificate for my CloudFront distribution?

Clients are receiving certificate error messages when trying to access my website using HTTPS connections. How do I resolve this?

Topics

Security, Identity, & Compliance

Relevant content

Migrate distribution domain name to different CloudFront
rePost-User-4824776
asked 5 months ago
Creating CloudFront Distribution, where do I enter my domain name?
Accepted Answer
newbie
asked a year ago
Restrict Cloudfront Distribution domain name
bgbs
asked 4 months ago
Adding Domain Name to CloudFront Distribution
Accepted Answer
sharpedgewv
asked 2 years ago
How to add domain alias to existing CloudFront distribution using CDK
Accepted Answer
petrabarus
asked 2 years ago
How can I configure a custom domain endpoint for multiple API Gateway APIs behind a CloudFront web distribution?
AWS OFFICIALUpdated a year ago
How can I configure CloudFront to serve my content using an alternate domain name over HTTPS?
AWS OFFICIALUpdated a year ago
Why isn't CloudFront serving my domain name over HTTPS?
AWS OFFICIALUpdated a year ago
How do I find out what AWS account a CloudFront distribution belongs to?
AWS OFFICIALUpdated a year ago
Configure CORS in Amazon S3
EXPERT
Gayathri Krishnamoorthy
published 8 months ago

How do I configure my CloudFront distribution to use an SSL/TLS certificate?

Resolution

Related information

Related videos

Relevant content