Cant attach certificate in cloudfront


I already imported my SSL cert but when attaching to cloudfront it gives me an error message. My SSL cert was issued by globalsign and a wildcard cert

The certificate that is attached to your distribution was not issued by a trusted Certificate Authority. For more details, see:

3 Answers

Hii Robby,

CloudFront isn't recognizing your GlobalSign wildcard certificate as trusted. Here's a solution:

Double-check Certificate Chain: Ensure you uploaded the entire certificate chain, including intermediate certificates from GlobalSign, not just the main certificate.

Verify Region: CloudFront requires certificates to be uploaded in the US-east-1 region. Check if you uploaded it there.

Double-Check Region: CloudFront is picky! It requires certificates to be uploaded in the US East (N. Virginia) Region (

profile picture
answered 22 days ago
profile pictureAWS
reviewed 22 days ago
  • This is the steps I've done to help anyone in the future.

    1. Got the pfx file from GlobalSign
    2. Converted PEM file as required by ACM
    3. Paste the Private Key and Cer string to ACM(N. Virginia)
    4. ACM verified and with status = Issued
    5. At ACM, is Cert details it's mentioned "Can be used with CloudFront, Elastic Load Balancing, API Gateway and other integrated services."
    6. At Cloudfront, Cert is available to be used, but when saving I got an error
Accepted Answer


You can refer this article:

This error message indicates that the certificate wasn't issued by a trusted certificate authority (CA). Issue a certificate from a trusted CA for CloudFront to allow you to use an alternate domain name (CNAME). If your current CA doesn't support this, you can use ACM to issue a free valid certificate. Note: Self-signed certificates aren't supported.

profile picture
answered 22 days ago

I agree with the other responses that the immediate issue is clear. I'd like to point out, though, that if you have the option, you'd both eliminate this issue and gain other benefits from using a certificate issued by ACM (AWS Certificate Manager) instead of one issued by an external certificate authority, like GlobalSign.

If you authorise ACM to issue the certificate by adding the CNAME record it requires in your domain to do so (and don't have a conflicting CAA record blocking ACM as an issuing authority or adjust it to allow ACM), ACM will issue the certificate for you free of charge, and you can use the certificate with CloudFront without paying AWS anything more than you would with a GlobalSign-issued certificate. That eliminates the cost for the externally issued certificate. Note that for CloudFront, the certificate request must be created in the us-east-1 region.

As long as the authorisation records remain in place in the DNS zone, ACM will automatically renew the certificate without requiring any manual action or monitoring for certificate expiration. If an issue arises trying to renew it automatically, such as the CNAME authorisation record getting removed or your entire domain expiring, ACM will raise a warning of failing to renew the certificate well in advance in the account-level health events. It also reports in CloudWatch Metrics how long it will be until the certificate expires, so you can effortlessly set your own monitoring alarms, if you'd like.

From a security point of view, the private key for the ACM-issued certificate will be generated internally by ACM and never saved on your laptop or servers. The private key cannot be exported from ACM in any situation even with administrative permissions, which ensures that the private key for your certificate cannot be stolen.

Leo K
answered 22 days ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions