Why can't I use my custom SSL certificate for my CloudFront distribution?

Last updated: 2019-04-19

I have an SSL certificate on AWS Certificate Manager (ACM) or AWS Identity and Access Management (IAM) that I want to use for my Amazon CloudFront distribution. When setting up my distribution, I don't have the option to choose my custom SSL certificate. I can't choose the SSL certificate even though I might be able to use the same certificate with my load balancer. Or, I receive this error message:

The specified SSL certificate doesn't exist, isn't in us-east-1 region, isn't valid, or doesn't include a valid certificate chain.

How can I use my SSL certificate on ACM or IAM with CloudFront? 

Resolution

To use an SSL certificate either on ACM or IAM with your CloudFront distribution, be sure that you've met the following requirements:

If using a certificate requested from or imported to ACM

  • To assign an ACM certificate to a CloudFront distribution, you must request or import the certificate in the US East (N. Virginia) Region. If you're using the ACM console, check the Region selector in the navigation bar and confirm that US East (N. Virginia) is selected before you request or import the certificate.
    Note: After you assign an ACM certificate to a CloudFront distribution, the certificate is distributed to all edge locations for the CloudFront distribution's price class.
  • After you validate your ACM certificate using either DNS validation or email validation, be sure that the status of the certificate is Issued. The status must be Issued before you can assign the certificate to a CloudFront distribution.
  • The certificate must be a 2048-bit RSA certificate or smaller. Though ACM supports 1024-bit through 4096-bit RSA certificates, services such as CloudFront that are integrated with ACM support a maximum of 2048-bit RSA certificates.
  • For imported certificates, you must be sure that the certificate meets the prerequisites for importing a certificate.
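The ACM requirements above can be checked before you open the CloudFront console. The shell script below is an added example, not part of this article or of AWS's tooling: it reads the JSON that `aws acm describe-certificate` returns and reports which CloudFront requirement a certificate fails (Region taken from the ARN, Status, and key algorithm). The embedded JSON samples, ARNs, account ID and domain are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original article: pre-flight checks for an ACM
# certificate that CloudFront should use.  Works with POSIX sh and grep/sed so
# it runs where jq is not installed.

# Region field of an ACM ARN: arn:aws:acm:<region>:<account>:certificate/<id>
acm_arn_region() {
    printf '%s\n' "$1" | cut -d: -f4
}

# Pull one string-valued field out of describe-certificate JSON.
# $1 = JSON text, $2 = key name
json_field() {
    printf '%s\n' "$1" | grep -o "\"$2\": *\"[^\"]*\"" | head -n1 \
        | sed 's/^"[^"]*": *"//; s/"$//'
}

# Return 0 if the certificate meets the CloudFront requirements, otherwise
# print every failed requirement and return 1.
acm_cloudfront_ready() {
    json=$1
    ok=0
    arn=$(json_field "$json" CertificateArn)
    status=$(json_field "$json" Status)
    alg=$(json_field "$json" KeyAlgorithm)

    if [ "$(acm_arn_region "$arn")" != "us-east-1" ]; then
        echo "FAIL: certificate is not in us-east-1: $arn"; ok=1
    fi
    if [ "$status" != "ISSUED" ]; then
        echo "FAIL: status is '$status', must be ISSUED"; ok=1
    fi
    case "$alg" in
        RSA_1024|RSA_2048) ;;
        *) echo "FAIL: key algorithm '$alg'; CloudFront accepts RSA keys of 2048 bits or smaller"; ok=1 ;;
    esac
    return $ok
}

# Constructed samples of `aws acm describe-certificate` output (field subset).
GOOD_CERT='{ "Certificate": { "CertificateArn": "arn:aws:acm:us-east-1:111122223333:certificate/EXAMPLE-CERT-ID", "DomainName": "www.example.com", "Status": "ISSUED", "KeyAlgorithm": "RSA_2048" } }'
WRONG_REGION_CERT='{ "Certificate": { "CertificateArn": "arn:aws:acm:eu-west-1:111122223333:certificate/EXAMPLE-CERT-ID", "DomainName": "www.example.com", "Status": "ISSUED", "KeyAlgorithm": "RSA_2048" } }'
PENDING_CERT='{ "Certificate": { "CertificateArn": "arn:aws:acm:us-east-1:111122223333:certificate/EXAMPLE-CERT-ID", "DomainName": "www.example.com", "Status": "PENDING_VALIDATION", "KeyAlgorithm": "RSA_4096" } }'

# Against a real account, feed the live API output instead (commented on purpose):
# acm_cloudfront_ready "$(aws acm describe-certificate --region us-east-1 \
#     --certificate-arn "$CERT_ARN" --output json)"

acm_cloudfront_ready "$GOOD_CERT" && echo "OK: sample certificate is usable by CloudFront"
acm_cloudfront_ready "$PENDING_CERT" || echo "pending sample rejected as expected"
```

Note that the Region check reads the ARN rather than trusting the console's Region selector: a certificate requested in another Region will show the same green "Issued" status but never appears in the CloudFront certificate list.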

If using a certificate imported to IAM

When you import your SSL certificate to IAM, you must provide the correct path so that CloudFront can use the certificate. Run the following AWS Command Line Interface (AWS CLI) command to upload your certificate with a specified CloudFront path:

Note: Before you run this command, be sure to replace all values with the details for your certificate and CloudFront distribution.

aws iam upload-server-certificate --server-certificate-name CertificateName \
--certificate-body file://public_key_certificate_file --private-key file://privatekey.pem \
--certificate-chain file://certificate_chain_file --path /cloudfront/DistributionName/

If you didn't upload your certificate with the CloudFront path, run this command to update your certificate with the path: 

aws iam update-server-certificate --server-certificate-name CertificateName \
--new-path /cloudfront/DistributionName/
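As an added example (not from this article or from AWS), the shell script below checks that an IAM server certificate's path has the /cloudfront/.../ shape CloudFront looks for, counts the certificate blocks in a PEM chain file before you pass it to --certificate-chain, and prints the update-server-certificate command when the path needs fixing. CertificateName and DistributionName are the same placeholders the article uses.

```shell
#!/bin/sh
# Added example, not part of the original article: pre-flight checks for an
# IAM server certificate that CloudFront should use.

# CloudFront only finds IAM certificates stored under /cloudfront/<name>/.
# Return 0 when PATH has that shape (leading and trailing slash), 1 otherwise.
iam_path_is_cloudfront() {
    case "$1" in
        /cloudfront/?*/) return 0 ;;
        *)               return 1 ;;
    esac
}

# Build the path the article uses for a given distribution name.
cloudfront_cert_path() {
    printf '/cloudfront/%s/\n' "$1"
}

# Count the PEM certificate blocks in a file.  The file given to
# --certificate-chain must hold at least one, or the upload is rejected
# with the "doesn't include a valid certificate chain" error.
pem_cert_count() {
    [ -r "$1" ] || { echo 0; return 1; }
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Print the update-server-certificate command that moves an existing
# certificate under the CloudFront path; print nothing if the path is fine.
# $1 = certificate name, $2 = its current path, $3 = distribution name
iam_path_fix_command() {
    if iam_path_is_cloudfront "$2"; then
        return 0
    fi
    printf 'aws iam update-server-certificate --server-certificate-name %s --new-path %s\n' \
        "$1" "$(cloudfront_cert_path "$3")"
}

# Against a real account, read the current path with the IAM API and feed it
# to iam_path_fix_command (commented on purpose so the script runs offline):
# current=$(aws iam get-server-certificate --server-certificate-name CertificateName \
#     --query 'ServerCertificate.ServerCertificateMetadata.Path' --output text)
# iam_path_fix_command CertificateName "$current" DistributionName

# Offline demonstration: a certificate uploaded under the default path "/".
iam_path_fix_command CertificateName / DistributionName
```

The default IAM path is "/", so a certificate uploaded without --path silently ends up outside the /cloudfront/ tree; the script prints the exact update command for that case and stays quiet when the path is already right.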

Required permissions

To assign a certificate from ACM or IAM to the CloudFront distribution, the IAM user or role you use to assign the certificate must, at minimum, have the following permissions: 

{
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Action": [
            "acm:ListCertificates",
            "cloudfront:List*",
            "cloudfront:Get*",
            "cloudfront:Update*",
            "iam:GetServerCertificate",
            "iam:ListServerCertificates",
            "iam:UpdateServerCertificate"
        ],
        "Resource": "*"
    }
}
