How do I configure my CloudFront distribution to use an SSL/TLS certificate?

Last updated: 2019-12-31

I want to configure my Amazon CloudFront distribution to use an SSL/TLS certificate.

Resolution

CloudFront assigns a default domain name to your distribution, for example, d111111abcdef8.cloudfront.net. If you use this domain name, then you can use the CloudFront default SSL/TLS certificate already selected for your distribution. If you use a different domain name for your distribution, it's a best practice to do one of the following to avoid domain name related certificate warnings:

Note: CloudFront Adobe Real-Time Messaging Protocol (RTMP) distributions can't use SSL/TLS certificates.

If you use an Amazon issued certificate:

  • You must request the certificate in the US East (N. Virginia) Region.
  • You must have permission to use and request the ACM certificate.

If you use an imported certificate with CloudFront:

Note: If you are missing permissions, the CloudFront console displays Missing permission acm:ListCertificates in the Custom SSL Certificate settings. If you don't have a certificate in the US East (N. Virginia) Region, or if your key size exceeds 2048 bits, the setting for Custom SSL Certificate is grayed out.

For more information, see Requirements for Using SSL/TLS Certificates with CloudFront.

Then, configure your CloudFront distribution to use the new certificate and require HTTPS between viewers and CloudFront. For more information, see viewing and updating CloudFront distributions.

After you save the changes to your CloudFront distribution configuration, CloudFront propagates the changes to all edge locations. The status of your CloudFront distribution in the CloudFront console changes from InProgress to Deployed when propagation is complete.

You can also use SSL/TLS certificates on a custom origin if you require HTTPS for communication between CloudFront and your custom origin.

To update settings for your CloudFront distribution, see Updating Your CloudFront Distribution.