By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

Cant attach certificate in cloudfront

0

I already imported my SSL cert but when attaching to cloudfront it gives me an error message. My SSL cert was issued by globalsign and a wildcard cert

The certificate that is attached to your distribution was not issued by a trusted Certificate Authority. For more details, see: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/CNAMEs.html#alternate-domain-names-requirements

Topics
Networking & Content DeliverySecurity, Identity, & Compliance
Tags
Amazon CloudFrontAWS Certificate Manager
Language
English
Robby
asked 10 months ago597 views
3 Answers
1

Hii Robby,

CloudFront isn't recognizing your GlobalSign wildcard certificate as trusted. Here's a solution:

Double-check Certificate Chain: Ensure you uploaded the entire certificate chain, including intermediate certificates from GlobalSign, not just the main certificate.

Verify Region: CloudFront requires certificates to be uploaded in the US-east-1 region. Check if you uploaded it there.

Double-Check Region: CloudFront is picky! It requires certificates to be uploaded in the US East (N. Virginia) Region (https://baxtel.com/data-center/aws-us-east-n-virginia).

profile picture
EXPERT
NARRAVULA MUNISAI TEJA
answered 10 months ago
profile pictureAWS
EXPERT
Didier_Durand
reviewed 10 months ago
  • Robby
    10 months ago

    This is the steps I've done to help anyone in the future.

    1. Got the pfx file from GlobalSign
    2. Converted PEM file as required by ACM
    3. Paste the Private Key and Cer string to ACM(N. Virginia)
    4. ACM verified and with status = Issued
    5. At ACM, is Cert details it's mentioned "Can be used with CloudFront, Elastic Load Balancing, API Gateway and other integrated services."
    6. At Cloudfront, Cert is available to be used, but when saving I got an error
0
Accepted Answer

Hello,

You can refer this article: https://repost.aws/knowledge-center/cloudfront-invalid-viewer-certificate

This error message indicates that the certificate wasn't issued by a trusted certificate authority (CA). Issue a certificate from a trusted CA for CloudFront to allow you to use an alternate domain name (CNAME). If your current CA doesn't support this, you can use ACM to issue a free valid certificate. Note: Self-signed certificates aren't supported.

profile picture
EXPERT
Sivaraman Selvam
answered 10 months ago
profile picture
EXPERT
Adeleke Adebowale Julius
reviewed 9 months ago
0

I agree with the other responses that the immediate issue is clear. I'd like to point out, though, that if you have the option, you'd both eliminate this issue and gain other benefits from using a certificate issued by ACM (AWS Certificate Manager) instead of one issued by an external certificate authority, like GlobalSign.

If you authorise ACM to issue the certificate by adding the CNAME record it requires in your domain to do so (and don't have a conflicting CAA record blocking ACM as an issuing authority or adjust it to allow ACM), ACM will issue the certificate for you free of charge, and you can use the certificate with CloudFront without paying AWS anything more than you would with a GlobalSign-issued certificate. That eliminates the cost for the externally issued certificate. Note that for CloudFront, the certificate request must be created in the us-east-1 region.

As long as the authorisation records remain in place in the DNS zone, ACM will automatically renew the certificate without requiring any manual action or monitoring for certificate expiration. If an issue arises trying to renew it automatically, such as the CNAME authorisation record getting removed or your entire domain expiring, ACM will raise a warning of failing to renew the certificate well in advance in the account-level health events. It also reports in CloudWatch Metrics how long it will be until the certificate expires, so you can effortlessly set your own monitoring alarms, if you'd like.

From a security point of view, the private key for the ACM-issued certificate will be generated internally by ACM and never saved on your laptop or servers. The private key cannot be exported from ACM in any situation even with administrative permissions, which ensures that the private key for your certificate cannot be stolen.

EXPERT
Leo K
answered 10 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content