Why can't I find my imported certificate for my load balancer or CloudFront distribution?

Last updated: 2020-01-07

I requested or imported a certificate using AWS Certificate Manager (ACM). I'm configuring a load balancer or Amazon CloudFront distribution, but I can't find the certificate.  

Short Description

If you don't have a certificate issued for your domain name, you can request a public certificate using ACM. To use a third-party certificate with a load balancer, you can either import the certificate into ACM or upload a certificate to AWS Identity and Access Management (IAM).

Note: ACM certificates can be used only with services integrated with ACM.

You won't find the imported certificate or ACM certificate if:

  • The certificate imported into ACM is using an algorithm other than 1024-bit RSA or 2048-bit RSA.
  • The ACM certificate wasn't requested in the same AWS Region as your load balancer or CloudFront distribution.

Resolution

The certificate imported into ACM is using algorithms other than 1024-bit RSA or 2048-bit RSA

Although ACM allows you to import certificates with a key algorithm of 4096-bit RSA and EC, these certificates can't be associated with load balancers through integration with ACM. The following imported key algorithms can be used with Classic Load Balancer and Application Load Balancer:

Algorithm                   ACM (Preferred)   IAM
1024-bit RSA (RSA_1024)     Yes               Yes
2048-bit RSA (RSA_2048)     Yes               Yes
RSA (up to 16384 bits)                        Yes
Elliptic Curve (ECDSA)                        Yes

Note: Network Load Balancers don't allow certificates with RSA keys larger than 2048-bit or EC keys.

To install an SSL certificate, follow these instructions for your load balancer type:

If the imported certificate isn't supported by ACM, follow the instructions to import an SSL certificate to IAM. Then, associate the imported certificate with the load balancer. For more information, see Uploading a Server Certificate (AWS API).

For CloudFront distributions, the certificate's key algorithm must be 1024-bit RSA or 2048-bit RSA. For more information, see Size of the Public Key.

To install the SSL certificate on a CloudFront distribution, see Using HTTPS with CloudFront.

The ACM certificate wasn't requested in the same AWS Region as your load balancer or CloudFront distribution

ACM certificates must be requested or imported in the same AWS Region as your Classic Load Balancer or Application Load Balancer.

To use the ACM certificates with Amazon CloudFront, the certificates must be imported or requested in the US East (N. Virginia) Region. For more information, see AWS Region that You Request a Certificate In (for AWS Certificate Manager).
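
The two checks from the Resolution section, applied to the parsed output of "aws acm describe-certificate", as an added example (not AWS's own code). The sample JSON is constructed, the diagnose and arn_region helper names are hypothetical, and the rules are the ones this page states for Classic and Application Load Balancers and CloudFront.

```python
import json

# Key algorithms this page lists as usable through the ACM integration.
ACM_INTEGRATED_ALGORITHMS = {"RSA_1024", "RSA_2048"}
CLOUDFRONT_REGION = "us-east-1"  # US East (N. Virginia)

# Constructed sample shaped like `aws acm describe-certificate` output.
SAMPLE = json.loads("""
{"Certificate": {
  "CertificateArn": "arn:aws:acm:eu-west-1:111122223333:certificate/EXAMPLE-0000",
  "DomainName": "www.example.com",
  "Type": "IMPORTED",
  "KeyAlgorithm": "RSA_4096"}}
""")


def arn_region(certificate_arn):
    """Return the Region field of arn:aws:acm:<region>:<account>:certificate/<id>."""
    parts = certificate_arn.split(":", 5)
    if len(parts) != 6 or parts[2] != "acm" or not parts[5].startswith("certificate/"):
        raise ValueError("not an ACM certificate ARN: %r" % certificate_arn)
    return parts[3]


def diagnose(describe_output, service, resource_region=None):
    """List the reasons from this page why the certificate would not be offered.

    service: "elb" (Classic or Application Load Balancer) or "cloudfront".
    resource_region: Region of the load balancer; ignored for CloudFront.
    """
    if service not in ("elb", "cloudfront"):
        raise ValueError("service must be 'elb' or 'cloudfront'")
    required = CLOUDFRONT_REGION if service == "cloudfront" else resource_region
    if required is None:
        raise ValueError("resource_region is required for a load balancer")
    cert = describe_output["Certificate"]
    reasons = []
    if cert["KeyAlgorithm"] not in ACM_INTEGRATED_ALGORITHMS:
        reasons.append("KeyAlgorithm %s is not RSA_1024 or RSA_2048"
                       % cert["KeyAlgorithm"])
    actual = arn_region(cert["CertificateArn"])
    if actual != required:
        reasons.append("certificate is in %s but must be in %s" % (actual, required))
    return reasons


if __name__ == "__main__":
    for line in diagnose(SAMPLE, "cloudfront"):
        print(line)
```

An empty list means neither cause described on this page applies to the certificate.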