How do I configure my CloudFront distribution to use an SSL/TLS certificate?
Last updated: 2021-03-17
I want to configure my Amazon CloudFront distribution to use an SSL/TLS certificate.
CloudFront assigns a default domain name to your distribution, for example, d111111abcdef8.cloudfront.net. If you use this domain name, then you can use the CloudFront default SSL/TLS certificate already selected for your distribution. If you use a different domain name for your distribution, then it's a best practice to do one of the following to avoid domain-name-related certificate warnings:
- Request a public certificate from AWS Certificate Manager.
- Import certificates into AWS Certificate Manager.
If you use an Amazon issued certificate:
- You must request the certificate in the US East (N. Virginia) Region.
- You must have permission to use and request the ACM certificate.
If you use an imported certificate with CloudFront:
- Your key length must be 1024 or 2048 bits and cannot exceed 2048 bits.
- You must import the certificate in the US East (N. Virginia) Region.
- You must have permission to use and import the SSL/TLS certificate.
Note: If you are missing permissions, the CloudFront console displays Missing permission acm:ListCertificates in the Custom SSL Certificate settings. If you don't have a certificate in the US East (N. Virginia) Region, or if your key size exceeds 2048 bits, the setting for Custom SSL Certificate is grayed out.
For more information, see requirements for using SSL/TLS certificates with CloudFront.
After you save the changes to your CloudFront distribution configuration, CloudFront propagates the changes to all edge locations. The status of your CloudFront distribution in the CloudFront console changes from InProgress to Deployed when propagation is complete.
If you require HTTPS for communication between CloudFront and your custom origin, then you can also use SSL/TLS certificates on a custom origin
To update settings for your CloudFront distribution, see updating your CloudFront distribution.