Why can't I find my imported certificate for my load balancer or CloudFront distribution?
Last updated: 2020-09-24
I requested or imported a certificate using AWS Certificate Manager (ACM). I'm configuring a load balancer or Amazon CloudFront distribution, but I can't find the certificate.
Short description
If you don't have a certificate issued for your domain name, you can request a public certificate using ACM. To use a third-party certificate with a load balancer, you can either import the certificate into ACM or upload a certificate to AWS Identity and Access Management (IAM).
Important:
- It's a best practice to use IAM as a certificate manager only when you must support HTTPS connections in a Region that isn't supported by ACM. For more information, see Managing server certificates in IAM.
- ACM certificates can be used only with services integrated with ACM.
You won't find the imported certificate or ACM certificate if:
- The certificate imported into ACM is using an algorithm other than 1024-bit RSA or 2048-bit RSA.
- The ACM certificate wasn't requested in the same AWS Region as your load balancer or CloudFront distribution.
Resolution
The certificate imported into ACM is using algorithms other than 1024-bit RSA or 2048-bit RSA
Although ACM allows you to import certificates with a key algorithm of 4096-bit RSA and EC, these certificates can't be associated with load balancers through integration with ACM. The following imported key algorithms can be used with a Classic Load Balancer and Application Load Balancer:
Algorithm | ACM (Preferred) | IAM |
1024-bit RSA (RSA_1024) | Yes | Yes |
2048-bit RSA (RSA_2048) | Yes | Yes |
RSA (up to 16384 bits) | | Yes |
Elliptic Curve (ECDSA) | | Yes |
Note: Network Load Balancers don't allow certificates with RSA keys larger than 2048 bits or with EC keys.
To install an SSL certificate, follow these instructions for your load balancer type:
- Configure an HTTPS listener for your Classic Load Balancer
- Create an HTTPS listener for your Application Load Balancer
- Create a listener for your Network Load Balancer
If the imported certificate isn't supported by ACM, follow the instructions to import an SSL certificate to IAM. Then, associate the imported certificate with the load balancer. For more information, see Uploading a server certificate (AWS API).
For CloudFront distributions, the certificate's key algorithm must be 1024-bit RSA or 2048-bit RSA. For more information, see Size of the public key.
To install the SSL certificate on a CloudFront distribution, see Using HTTPS with CloudFront.
The ACM certificate wasn't requested in the same AWS Region as your load balancer or CloudFront distribution
ACM certificates must be requested or imported in the same AWS Region as your Classic Load Balancer or Application Load Balancer.
To use the ACM certificates with Amazon CloudFront, the certificates must be imported or requested in the US East (N. Virginia) Region. For more information, see AWS Region that you request a certificate in (for AWS Certificate Manager).
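The two causes above can be checked before opening the console. The following is an added example, not AWS code: it applies this article's key-algorithm and Region rules to the Certificate object that ACM's DescribeCertificate returns (the KeyAlgorithm and CertificateArn fields). The target labels, function names, and sample certificates are assumptions constructed for illustration.

```python
# Added example (not AWS code): pre-checks for the two causes in this article.
ACM_SELECTABLE = {"RSA_1024", "RSA_2048"}   # key algorithms the article lists
CLOUDFRONT_REGION = "us-east-1"             # US East (N. Virginia)
TARGETS = {"clb", "alb", "nlb", "cloudfront"}  # hypothetical labels


def arn_region(arn):
    """Region field of arn:aws:acm:<region>:<account>:certificate/<id>."""
    parts = arn.split(":")
    if len(parts) != 6 or parts[2] != "acm" or not parts[3]:
        raise ValueError(f"not an ACM certificate ARN: {arn!r}")
    return parts[3]


def why_not_listed(cert, target, target_region=None):
    """Return the reasons (possibly none) the certificate will not be offered."""
    if target not in TARGETS:
        raise ValueError(f"unknown target: {target!r}")
    if target != "cloudfront" and not target_region:
        raise ValueError("target_region is required for load balancers")
    reasons = []
    algo = cert.get("KeyAlgorithm", "unknown")
    if algo not in ACM_SELECTABLE:
        reasons.append(f"key algorithm {algo} is not 1024-bit or 2048-bit RSA")
    needed = CLOUDFRONT_REGION if target == "cloudfront" else target_region
    have = arn_region(cert["CertificateArn"])
    if have != needed:
        reasons.append(f"certificate is in {have}, but {target} needs {needed}")
    return reasons


# Constructed samples shaped like the "Certificate" object that
# `aws acm describe-certificate` returns; account and IDs are placeholders.
SAMPLE_OK = {
    "CertificateArn": "arn:aws:acm:us-east-1:111122223333:certificate/EXAMPLE-1",
    "KeyAlgorithm": "RSA_2048", "Type": "IMPORTED",
}
SAMPLE_BAD = {
    "CertificateArn": "arn:aws:acm:eu-west-1:111122223333:certificate/EXAMPLE-2",
    "KeyAlgorithm": "RSA_4096", "Type": "IMPORTED",
}

if __name__ == "__main__":
    for cert in (SAMPLE_OK, SAMPLE_BAD):
        print(cert["CertificateArn"], why_not_listed(cert, "cloudfront") or "ok")
```

An empty list means neither cause in this article applies; a certificate that fails only the key-algorithm check can still be uploaded to IAM as described above.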