I have an SSL certificate in AWS Certificate Manager (ACM) or AWS Identity and Access Management (IAM) that I want to use with my Amazon CloudFront distribution. When I set up the distribution, my custom SSL certificate isn't offered as an option. I can't choose the certificate even though I might be able to use the same certificate with my load balancer. How can I use my SSL certificate in ACM or IAM with CloudFront?

To use an SSL certificate from either ACM or IAM with your CloudFront distribution, make sure that you meet the following requirements:

If using a certificate requested from or imported to ACM

Note: If your imported certificate does not meet certain requirements, you might receive this error:

The specified SSL certificate doesn't exist, isn't in us-east-1 region, isn't valid, or doesn't include a valid certificate chain.

This error message indicates that one or more of the following is true of your imported certificate:

  • It was imported to an AWS Region other than US East (N. Virginia), us-east-1
  • It uses a key larger than 2048 bits
  • It isn't PEM-encoded
  • Its private key is password-protected
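The four conditions above can be checked before you import anything. The following script is an added example for this article, not AWS code: it uses only the Python standard library to check the ACM ARN's Region, the PEM encoding, the RSA key size (read straight from the certificate's DER structure) and whether the private key is password-protected. The key-size check handles RSA keys only, which is an assumption of this example; other key types are skipped rather than flagged. The `constructed_cert_pem` helper builds a structurally valid but unsigned certificate purely as test input.

```python
"""Pre-import checks for a certificate you intend to use with CloudFront.

Added example, not from the AWS article. Standard library only.
"""
import base64
import re
from typing import List, Optional

CLOUDFRONT_REGION = "us-east-1"
MAX_KEY_BITS = 2048


def acm_arn_region_ok(arn: str) -> bool:
    """ACM ARNs look like arn:aws:acm:<region>:<account>:certificate/<id>."""
    parts = arn.split(":")
    return len(parts) >= 6 and parts[2] == "acm" and parts[3] == CLOUDFRONT_REGION


def is_pem(text: str, label_pattern: str) -> bool:
    """True if text carries a BEGIN/END block whose label matches label_pattern."""
    return re.search(rf"-----BEGIN {label_pattern}-----.*?-----END {label_pattern}-----",
                     text, re.S) is not None


def key_is_password_protected(key_pem: str) -> bool:
    """Encrypted PKCS#8 keys and legacy encrypted OpenSSL keys announce it in their headers."""
    return bool(re.search(r"BEGIN ENCRYPTED PRIVATE KEY|Proc-Type: 4,ENCRYPTED", key_pem))


def _tlv(buf: bytes, pos: int):
    """Decode one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: the next (length & 0x7F) bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(buf: bytes) -> list:
    """Decode all consecutive TLVs inside a constructed DER value."""
    out, pos = [], 0
    while pos < len(buf):
        tag, val, pos = _tlv(buf, pos)
        out.append((tag, val))
    return out


def rsa_key_bits(cert_pem: str) -> Optional[int]:
    """Return the RSA modulus size of a PEM certificate, or None if the key is not RSA."""
    b64 = "".join(line for line in cert_pem.splitlines() if not line.startswith("-----"))
    _, cert, _ = _tlv(base64.b64decode(b64), 0)            # Certificate ::= SEQUENCE
    tbs = _children(_children(cert)[0][1])                 # first child is tbsCertificate
    if tbs[0][0] == 0xA0:                                  # optional [0] EXPLICIT version
        tbs = tbs[1:]
    spki = tbs[5][1]            # serial, signature, issuer, validity, subject, subjectPublicKeyInfo
    _, (_, bit_string) = _children(spki)                   # AlgorithmIdentifier, BIT STRING
    key_der = bit_string[1:]                               # skip the unused-bits byte
    if key_der[:1] != b"\x30":                             # RSAPublicKey is a SEQUENCE; an EC point is not
        return None
    modulus = _children(_children(key_der)[0][1])[0][1]    # RSAPublicKey ::= SEQUENCE { modulus, exponent }
    return int.from_bytes(modulus, "big").bit_length()


def check_for_cloudfront(acm_arn: Optional[str], cert_pem: str, key_pem: str) -> List[str]:
    """Return the reasons CloudFront would reject this certificate (empty list if none)."""
    problems = []
    if acm_arn is not None and not acm_arn_region_ok(acm_arn):
        problems.append(f"certificate is not in {CLOUDFRONT_REGION}")
    if not is_pem(cert_pem, "CERTIFICATE"):
        problems.append("certificate is not PEM-encoded")
    else:
        bits = rsa_key_bits(cert_pem)
        if bits is not None and bits > MAX_KEY_BITS:
            problems.append(f"RSA key is {bits} bits; the limit is {MAX_KEY_BITS}")
    if key_is_password_protected(key_pem):
        problems.append("private key is password-protected")
    return problems


# --- constructed test material: a structurally valid but unsigned certificate ---
def _der(tag: int, payload: bytes) -> bytes:
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


def _der_int(value: int) -> bytes:
    return _der(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big"))


def constructed_cert_pem(modulus_bits: int) -> str:
    """Build a certificate skeleton carrying an RSA public key of exactly modulus_bits bits."""
    modulus = (1 << (modulus_bits - 1)) | 1                # odd number with exactly modulus_bits bits
    rsa_pub = _der(0x30, _der_int(modulus) + _der_int(65537))
    spki = _der(0x30, _der(0x30, b"") + _der(0x03, b"\x00" + rsa_pub))
    empty = _der(0x30, b"")                                # stands in for sigalg/issuer/validity/subject
    tbs = _der(0x30, _der(0xA0, _der_int(2)) + _der_int(1) + empty * 4 + spki)
    cert = _der(0x30, tbs + empty + _der(0x03, b"\x00"))
    b64 = base64.b64encode(cert).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    arn = "arn:aws:acm:eu-west-1:123456789012:certificate/11111111-2222-3333-4444-555555555555"
    key = "-----BEGIN ENCRYPTED PRIVATE KEY-----\nAAAA\n-----END ENCRYPTED PRIVATE KEY-----\n"
    for problem in check_for_cloudfront(arn, constructed_cert_pem(4096), key):
        print("-", problem)
```

Run it against the real files you plan to import (`open("cert.pem").read()` for the certificate and key) and pass `None` as the ARN when the certificate is not yet in ACM. An empty result means none of the four listed conditions applies; it does not validate the certificate chain, which the error message also mentions.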

If using a certificate imported to IAM

When you import your SSL certificate to IAM, you must upload it with the correct path so that CloudFront can use the certificate. Run the following AWS Command Line Interface (AWS CLI) command to upload your certificate with a CloudFront path.

Note: Before you run this command, be sure to replace all values with the details for your certificate and CloudFront distribution.

aws iam upload-server-certificate --server-certificate-name CertificateName \
    --certificate-body file://public_key_certificate_file --private-key file://privatekey.pem \
    --certificate-chain file://certificate_chain_file --path /cloudfront/DistributionName/

If you did not upload your certificate with the CloudFront path, run the following AWS CLI command to move the certificate to that path:

aws iam update-server-certificate --server-certificate-name CertificateName \
    --new-path /cloudfront/DistributionName/
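A certificate uploaded to IAM without the /cloudfront/ path simply never appears in the CloudFront certificate list, so it helps to audit existing server certificates before opening the console. The following script is an added example for this article, not AWS code: it parses the JSON that `aws iam list-server-certificates --output json` prints, reports every certificate whose Path is outside /cloudfront/, and builds the update-server-certificate command from the article for each one. The sample listing is constructed for the example; the `valid_iam_path` check uses IAM's documented path syntax (begins and ends with `/`, printable ASCII in between).

```python
"""Audit IAM server certificates for the path CloudFront requires.

Added example, not from the AWS article. Standard library only.
"""
import json
import re
from typing import Dict

CLOUDFRONT_PATH_PREFIX = "/cloudfront/"

# Constructed stand-in for `aws iam list-server-certificates --output json`
# (names, IDs and account number are made up for this example).
SAMPLE_LISTING = json.dumps({
    "ServerCertificateMetadataList": [
        {"Path": "/cloudfront/example-dist/", "ServerCertificateName": "cf-cert",
         "ServerCertificateId": "ASCAEXAMPLE0001",
         "Arn": "arn:aws:iam::123456789012:server-certificate/cloudfront/example-dist/cf-cert",
         "UploadDate": "2018-06-01T00:00:00Z", "Expiration": "2019-06-01T00:00:00Z"},
        {"Path": "/", "ServerCertificateName": "elb-cert",
         "ServerCertificateId": "ASCAEXAMPLE0002",
         "Arn": "arn:aws:iam::123456789012:server-certificate/elb-cert",
         "UploadDate": "2018-06-01T00:00:00Z", "Expiration": "2019-06-01T00:00:00Z"},
        # Starts with "/cloudfront" but not "/cloudfront/": a prefix check must not accept it.
        {"Path": "/cloudfront-old/", "ServerCertificateName": "old-cf-cert",
         "ServerCertificateId": "ASCAEXAMPLE0003",
         "Arn": "arn:aws:iam::123456789012:server-certificate/cloudfront-old/old-cf-cert",
         "UploadDate": "2018-06-01T00:00:00Z", "Expiration": "2019-06-01T00:00:00Z"},
    ]
})


def certs_not_usable_by_cloudfront(listing_json: str) -> Dict[str, str]:
    """Map certificate name -> current path for every certificate outside /cloudfront/."""
    metadata = json.loads(listing_json)["ServerCertificateMetadataList"]
    return {c["ServerCertificateName"]: c["Path"] for c in metadata
            if not c["Path"].startswith(CLOUDFRONT_PATH_PREFIX)}


def valid_iam_path(path: str) -> bool:
    """IAM paths are '/' or '/' + printable ASCII segments, each ending in '/'."""
    return re.fullmatch(r"/(?:[\x21-\x7E]+/)*", path) is not None


def fix_path_command(cert_name: str, distribution_name: str) -> str:
    """The update-server-certificate command from the article, filled in for one certificate."""
    new_path = f"{CLOUDFRONT_PATH_PREFIX}{distribution_name}/"
    if not valid_iam_path(new_path):
        raise ValueError(f"{new_path!r} is not a valid IAM path")
    return (f"aws iam update-server-certificate --server-certificate-name {cert_name} "
            f"--new-path {new_path}")


if __name__ == "__main__":
    for name, path in certs_not_usable_by_cloudfront(SAMPLE_LISTING).items():
        print(f"{name}: path {path!r} is outside {CLOUDFRONT_PATH_PREFIX}")
        print("  " + fix_path_command(name, "DistributionName"))
```

To audit a real account, replace `SAMPLE_LISTING` with the output of the CLI command (for example by reading it from stdin) and review the printed commands before running them; the path change does not alter the certificate itself, only where IAM files it.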

Required permissions

To assign a certificate from ACM or IAM to the CloudFront distribution, the IAM user or role that you use to assign the certificate must have at least the following permissions:

{
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Action": [
            "acm:ListCertificates",
            "cloudfront:List*",
            "cloudfront:Get*",
            "cloudfront:Update*",
            "iam:GetServerCertificate",
            "iam:ListServerCertificates",
            "iam:UpdateServerCertificate"
        ],
        "Resource": "*"
    }
}
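Because the policy uses wildcard actions (cloudfront:List*, cloudfront:Get*, cloudfront:Update*), it is not obvious at a glance whether a given user's policy covers everything the assignment needs. The following checker is an added example for this article, not AWS code: it embeds the policy above, expands IAM's `*` and `?` action wildcards with case-insensitive matching, lets an explicit Deny override an Allow, and accepts Statement as either a single object (as in the article) or a list. The concrete action names in `REQUIRED_ACTIONS` are the ones this example assumes the console and CLI call during assignment, and the checker looks only at Action patterns, not Resource or Condition elements or NotAction; both are assumptions of this example.

```python
"""Check whether an IAM policy covers the actions CloudFront certificate assignment needs.

Added example, not from the AWS article. Standard library only.
"""
import fnmatch
import json
from typing import Iterable, List

# Concrete actions this example assumes are exercised during assignment
# (they are all real IAM action names; the article states the minimum as patterns).
REQUIRED_ACTIONS = [
    "acm:ListCertificates",
    "cloudfront:ListDistributions",
    "cloudfront:GetDistribution",
    "cloudfront:GetDistributionConfig",
    "cloudfront:UpdateDistribution",
    "iam:GetServerCertificate",
    "iam:ListServerCertificates",
    "iam:UpdateServerCertificate",
]

# The minimum policy from the article, verbatim.
ARTICLE_POLICY = json.loads("""{
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Action": [
            "acm:ListCertificates",
            "cloudfront:List*",
            "cloudfront:Get*",
            "cloudfront:Update*",
            "iam:GetServerCertificate",
            "iam:ListServerCertificates",
            "iam:UpdateServerCertificate"
        ],
        "Resource": "*"
    }
}""")


def _as_list(value) -> list:
    """IAM accepts a bare string or object wherever it accepts a list of them."""
    return value if isinstance(value, list) else [value]


def _patterns(policy: dict, effect: str) -> List[str]:
    """All Action patterns from statements with the given Effect, lower-cased for matching."""
    return [a.lower()
            for s in _as_list(policy["Statement"]) if s.get("Effect") == effect
            for a in _as_list(s.get("Action", []))]


def action_allowed(policy: dict, action: str) -> bool:
    """Allowed if some Allow pattern matches and no Deny pattern matches (deny wins)."""
    name = action.lower()
    if any(fnmatch.fnmatchcase(name, p) for p in _patterns(policy, "Deny")):
        return False
    return any(fnmatch.fnmatchcase(name, p) for p in _patterns(policy, "Allow"))


def missing_actions(policy: dict, required: Iterable[str] = REQUIRED_ACTIONS) -> List[str]:
    """Required actions that the policy does not allow, in the order given."""
    return [a for a in required if not action_allowed(policy, a)]


if __name__ == "__main__":
    missing = missing_actions(ARTICLE_POLICY)
    print("article policy covers everything" if not missing else f"missing: {missing}")
```

To test a real policy, load the document returned by `aws iam get-policy-version --query PolicyVersion.Document` (or an inline policy) in place of `ARTICLE_POLICY`; an empty result means every required action is named by an Allow statement and not negated by a Deny, which is the first thing to rule out when the certificate drop-down in CloudFront stays empty.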


Published: 2018-06-15