You should request the certificate from Amazon Certificate Manager, ACM, in the us-east-1 region, and then attach the certificate to your CloudFront distribution. You shouldn't import privately issued certificates to ACM. Note that if you issue a wildcard certificate, like *.example.com, it won't work for subdomains, such as app1.prod.example.com. You'll need a wildcard for each subdomain level you intend to use, such as *.prod.example.com.
Just to be sure, if by "private" you meant that you've set up an Amazon Private CA (Certificate Authority), that you almost certainly won't want to do. Its pricing starts at $400/month and is meant for a completely different purpose: https://docs.aws.amazon.com/acm/latest/userguide/service-options.html. You may want to delete the Private CA immediately to stop accruing charges you don't need.
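The wildcard rule mentioned in the answer above (a `*.example.com` certificate covers `www.example.com` but not `app1.prod.example.com`) is easy to check before attaching a certificate to a distribution. The following is an added example, not code from the original thread or from AWS; it implements the usual single-label wildcard matching and reports which planned alternate domain names a certificate's Subject Alternative Names would leave uncovered. All hostnames in it are constructed samples.

```python
"""Check whether a certificate's Subject Alternative Names (SANs) cover the
alternate domain names (CNAMEs) planned for a CloudFront distribution.

Wildcard matching follows the standard TLS rule (RFC 6125): '*' stands for
exactly one leftmost DNS label, so *.example.com covers www.example.com but
neither example.com nor app1.prod.example.com. Sample names are constructed.
"""
from __future__ import annotations


def san_matches(san: str, hostname: str) -> bool:
    """Return True if a single SAN entry covers hostname."""
    san = san.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not san.startswith("*."):
        return san == hostname  # non-wildcard entries match exactly
    # Wildcard: the host must end with the SAN suffix and have exactly one
    # extra, non-empty label in front of it.
    suffix = san[1:]  # "*.example.com" -> ".example.com"
    if not hostname.endswith(suffix):
        return False
    first_label = hostname[: -len(suffix)]
    return bool(first_label) and "." not in first_label


def uncovered_aliases(sans: list[str], aliases: list[str]) -> list[str]:
    """Return the aliases that no SAN entry covers.

    An empty result means the certificate can serve every alternate domain
    name in the list; anything returned needs its own wildcard level or an
    explicit SAN entry on the certificate.
    """
    return [a for a in aliases if not any(san_matches(s, a) for s in sans)]


if __name__ == "__main__":
    # Constructed example: a single-level wildcard certificate.
    cert_sans = ["example.com", "*.example.com"]
    planned = ["www.example.com", "app1.prod.example.com", "example.com"]
    print(uncovered_aliases(cert_sans, planned))  # -> ['app1.prod.example.com']
```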
It sounds like you are using an imported certificate in ACM rather than a private certificate. Only certificates/chains signed by one of the Root CAs in this list, which Mozilla uses, are supported: https://wiki.mozilla.org/CA/Included_Certificates
Hi,
You may want to read this Knowledge Center article: https://repost.aws/knowledge-center/cloudfront-invalid-viewer-certificate
"The certificate that is attached to your distribution was not issued by a trusted Certificate Authority."
Issue a certificate from a trusted CA for CloudFront to allow you to use a CNAME record. If your current CA doesn't support this scenario, then you can use ACM to request a public certificate.
For that, see https://docs.aws.amazon.com/acm/latest/userguide/gs-acm-request-public.html
Best,
Didier
I did this process already and added an AWS private certificate, which is a secured one, but even so it's showing the following error: "The certificate that is attached to your distribution was not issued by a trusted Certificate Authority. For more details, see: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/CNAMEs.html#alternate-domain-names-requirements"
What do you mean by "private"? ACM is a public certificate authority, and the certificates it issues are trusted globally. You can, however, issue certificates yourself, outside ACM, and import them into ACM. A self-signed or privately issued certificate wouldn't be accepted either by CloudFront or by regular client computers on the internet, so that would match the error message you saw.