I renewed my Amazon-issued SSL certificate or reimported my certificate to ACM. Why does CloudFront still show the old certificate?

Last updated: 2022-01-12

I renewed my Amazon-issued SSL certificate on AWS Certificate Manager (ACM). Or, I reimported my SSL certificate to ACM. Why does Amazon CloudFront still show the previous version of the certificate?

Resolution

CloudFront might still use the previous certificate because the certificate renewal or reimport process is not yet complete. Renewing or reimporting a certificate is an asynchronous process, so several hours can elapse before CloudFront shows changes to the certificate.

To avoid certificate expiration issues, renew or reimport your certificate at least 24 hours before the NotAfter value of your current certificate. If you're within 24 hours of the certificate's expiration, request a new certificate from ACM, or import a new certificate to ACM. Then, associate the new certificate with the CloudFront distribution.
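One way to check which case applies is to compare the serial number ACM reports with the serial of the certificate the distribution still serves, then apply the 24-hour rule to the served certificate's NotAfter. This is an added example, not AWS code: the two sample outputs are constructed, and the function and status names are hypothetical.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample: trimmed `aws acm describe-certificate` output after a renewal.
ACM_JSON = '{"Certificate": {"Serial": "0a:1b:2c:3d:4e:5f"}}'

# Constructed sample: `openssl x509 -noout -serial -enddate` run on the
# certificate the distribution still serves (the previous one).
SERVED = "serial=0F9E8D7C6B5A\nnotAfter=Feb  1 12:00:00 2022 GMT\n"


def serial_to_int(text):
    """ACM prints 'aa:bb:..' and openssl prints 'AABB..'; compare as integers."""
    return int(text.replace(":", ""), 16)


def parse_openssl(text):
    """Return (serial, NotAfter as aware UTC datetime) from the openssl output."""
    fields = dict(line.split("=", 1) for line in text.strip().splitlines())
    end = datetime.strptime(fields["notAfter"], "%b %d %H:%M:%S %Y GMT")
    return serial_to_int(fields["serial"]), end.replace(tzinfo=timezone.utc)


def cloudfront_cert_status(acm_json, served_text, now):
    """Classify the distribution's certificate state.

    'current'     - CloudFront already serves the certificate ACM holds.
    'propagating' - old certificate still served, 24 hours or more remain:
                    the asynchronous renewal or reimport can still complete.
    'replace'     - old certificate still served and under 24 hours remain:
                    request or import a new certificate and associate it
                    with the distribution (assumption: the page's 24-hour
                    guidance applied to the certificate still being served).
    """
    acm_serial = serial_to_int(json.loads(acm_json)["Certificate"]["Serial"])
    served_serial, served_end = parse_openssl(served_text)
    if served_serial == acm_serial:
        return "current"
    if served_end - now >= timedelta(hours=24):
        return "propagating"
    return "replace"


if __name__ == "__main__":
    print(cloudfront_cert_status(ACM_JSON, SERVED, datetime.now(timezone.utc)))
```
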