Posted On: Jul 14, 2021
Starting today, you can use Elliptic Curve Digital Signature Algorithm (ECDSA) P256 certificates to negotiate HTTPS connections between your viewers and Amazon CloudFront. As noted by NIST, ECDSA certificates can provide comparable security strength with smaller key sizes than RSA. As a result, conducting TLS handshakes with ECDSA certificates requires less networking and computing resources making them a good option for IoT devices that have limited storage and processing capabilities.
You can configure your CloudFront distribution to use an ECDSA certificate after importing the certificate into either AWS Certificate Manager (ACM) or AWS Identity and Access Management (IAM). To use an ECDSA certificate on CloudFront for viewer connections, the curve must be P256 (prime256v1). To learn more about which ECDSA ciphers are supported, refer to Supported protocols and ciphers between viewers and CloudFront in the CloudFront Developer Guide. There is no additional fee for using ECDSA P256 certificates for your CloudFront distribution. Get started with CloudFront by visiting the CloudFront Getting Started page.