AWS private certificate issue

0

Hi team,

I have added an AWS private certificate for my subdomain to register it in a CloudFront distribution, even though it's showing an error: "The certificate that is attached to your distribution was not issued by a trusted Certificate Authority. For more details, see: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/CNAMEs.html#alternate-domain-names-requirements"

Can anyone help me?

3 Answers
2

You should request the certificate from Amazon Certificate Manager, ACM, in the us-east-1 region, and then attach the certificate to your CloudFront distribution. You shouldn't import privately issued certificates to ACM. Note that if you issue a wildcard certificate, like *.example.com, it won't work for subdomains, such as app1.prod.example.com. You'll need a wildcard for each subdomain level you intend to use, such as *.prod.example.com.

Just to be sure, if by "private" you meant that you've set up an Amazon Private CA (Certificate Authority), that you almost certainly won't want to do. Its pricing starts at $400/month and is meant for a completely different purpose: https://docs.aws.amazon.com/acm/latest/userguide/service-options.html. You may want to delete the Private CA immediately to stop accruing charges you don't need.

EXPERT
Leo K
answered a month ago
  • I did this process already and added an AWS private certificate, which is a secured one, but it's still showing the following error: "The certificate that is attached to your distribution was not issued by a trusted Certificate Authority. For more details, see: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/CNAMEs.html#alternate-domain-names-requirements"

  • What do you mean by "private"? ACM is a public certificate authority, and the certificates it issues are trusted globally. You can, however, issue certificates yourself, outside ACM, and import them into ACM. A self-signed or privately issued certificate wouldn't be accepted either by CloudFront or by regular client computers on the internet, so that would match the error message you saw.
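The procedure this answer describes (request the certificate from ACM in us-east-1, validate it, then attach it to the distribution), written out as an added example that is not part of the original thread. It assumes AWS CLI v2 with credentials configured and jq on PATH; the domain app1.prod.example.com and distribution ID EDFDVBD6EXAMPLE are placeholders. The two preflight functions encode the two rules the answer states: the certificate must live in us-east-1, and a wildcard covers only one DNS label.

```shell
#!/usr/bin/env bash
# Added example, not from the re:Post thread. Requests a public ACM certificate in
# us-east-1, prints the DNS validation record, waits for issuance and attaches the
# certificate to an existing CloudFront distribution.
# Assumptions: AWS CLI v2 with credentials, jq on PATH, placeholder names below.
set -eu

# CloudFront reads ACM certificates from us-east-1 only, whatever region the rest
# of the stack lives in, so every ACM call pins that region explicitly.
ACM_REGION="us-east-1"
DOMAIN="${DOMAIN:-app1.prod.example.com}"              # placeholder
DISTRIBUTION_ID="${DISTRIBUTION_ID:-EDFDVBD6EXAMPLE}"  # placeholder

# Preflight 1: the ARN handed to CloudFront must be an ACM certificate in us-east-1.
# Returns 0 when usable. ARN layout: arn:partition:acm:region:account:certificate/uuid
check_cert_arn_region() {
  local arn="$1"
  [ "$(printf '%s' "$arn" | cut -d: -f3)" = "acm" ] &&
  [ "$(printf '%s' "$arn" | cut -d: -f4)" = "$ACM_REGION" ]
}

# Preflight 2: a wildcard matches exactly one DNS label, so *.example.com covers
# app1.example.com but not app1.prod.example.com. Returns 0 when cert_name covers host.
cert_name_matches() {
  local cert_name="$1" host="$2" suffix label
  case "$cert_name" in
    '*.'*)
      suffix="${cert_name#\*.}"
      label="${host%".$suffix"}"
      # host must end in ".suffix" and what is left must be one non-empty label
      [ "$label" != "$host" ] && [ -n "$label" ] && [ "${label#*.}" = "$label" ]
      ;;
    *)
      [ "$cert_name" = "$host" ]
      ;;
  esac
}

# ViewerCertificate block CloudFront expects for an ACM certificate. sni-only avoids
# the dedicated-IP surcharge; TLSv1.2_2021 is the policy the console recommends.
viewer_certificate_json() {
  printf '{"ACMCertificateArn":"%s","SSLSupportMethod":"sni-only","MinimumProtocolVersion":"TLSv1.2_2021","CloudFrontDefaultCertificate":false}' "$1"
}

# Step 1: request the certificate in us-east-1 with DNS validation; prints the ARN.
request_cert() {
  aws acm request-certificate --region "$ACM_REGION" \
    --domain-name "$DOMAIN" --validation-method DNS \
    --query CertificateArn --output text
}

# Step 2: print the CNAME (name, type, value) ACM wants published in DOMAIN's zone.
print_validation_record() {
  aws acm describe-certificate --region "$ACM_REGION" --certificate-arn "$1" \
    --query 'Certificate.DomainValidationOptions[0].ResourceRecord.[Name,Type,Value]' \
    --output text
}

# Step 3: block until the certificate status is ISSUED (or the waiter gives up).
wait_for_issue() {
  aws acm wait certificate-validated --region "$ACM_REGION" --certificate-arn "$1"
}

# Step 4: update-distribution needs the whole DistributionConfig plus its ETag, so
# patch the config CloudFront returns instead of writing one by hand.
attach_to_distribution() {
  local arn="$1" full etag cfg covered name
  check_cert_arn_region "$arn" || { echo "refusing: $arn is not an ACM certificate in $ACM_REGION" >&2; return 1; }
  covered=1
  for name in $(aws acm describe-certificate --region "$ACM_REGION" --certificate-arn "$arn" \
                  --query 'Certificate.SubjectAlternativeNames' --output text); do
    cert_name_matches "$name" "$DOMAIN" && covered=0
  done
  [ "$covered" -eq 0 ] || { echo "refusing: no name on $arn covers $DOMAIN" >&2; return 1; }
  full="$(aws cloudfront get-distribution-config --id "$DISTRIBUTION_ID")"
  etag="$(printf '%s' "$full" | jq -r .ETag)"
  cfg="$(printf '%s' "$full" | jq --argjson vc "$(viewer_certificate_json "$arn")" --arg d "$DOMAIN" \
          '.DistributionConfig
           | .ViewerCertificate = $vc
           | .Aliases.Items = (((.Aliases.Items // []) + [$d]) | unique)
           | .Aliases.Quantity = (.Aliases.Items | length)')"
  aws cloudfront update-distribution --id "$DISTRIBUTION_ID" --if-match "$etag" \
    --distribution-config "$cfg" --query 'Distribution.Status' --output text
}

# End-to-end run: ./cf-acm.sh run  (each function is also usable on its own)
if [ "${1:-}" = "run" ]; then
  ARN="$(request_cert)"
  echo "Requested $ARN; publish this DNS record, the script then waits for issuance:"
  print_validation_record "$ARN"
  wait_for_issue "$ARN"
  attach_to_distribution "$ARN"
fi
```

The validation CNAME has to be published in the public DNS zone for the domain before the waiter will return; if the domain is only resolvable in a private zone, ACM cannot validate it, which is the same reason a Private CA certificate is not usable here.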

1

It sounds like you are using an imported certificate in ACM rather than a private certificate. Only certificates whose chain is signed by one of the root CAs in the list that Mozilla uses are supported: https://wiki.mozilla.org/CA/Included_Certificates

EXPERT
answered a month ago
1

Hi,

You may want to read this Knowledge Center article: https://repost.aws/knowledge-center/cloudfront-invalid-viewer-certificate

"The certificate that is attached to your distribution was not issued by a trusted Certificate Authority."

Issue a certificate from a trusted CA for CloudFront to allow you to use a CNAME record. If your current CA doesn't support this scenario, then you can use ACM to request a public certificate.

For that see, https://docs.aws.amazon.com/acm/latest/userguide/gs-acm-request-public.html

Best,

Didier

AWS
EXPERT
answered a month ago
