I want to use a custom SSL/TLS certificate when I set up my Amazon CloudFront distribution, but I don't have the option to choose it.
Short description
You might not see the custom SSL/TLS certificate option for your CloudFront distribution in the following scenarios:
- Your certificate is stored in a different AWS Region.
- AWS Certificate Manager (ACM) certificate validation failed.
- The certificate expired.
- You don't have the required AWS Identity and Access Management (IAM) permissions to view or select certificates.
Resolution
Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshooting errors for the AWS CLI. Also, make sure that you're using the most recent AWS CLI version.
Check your certificate configuration
Take the following troubleshooting actions based on your CloudFront distribution configuration.
ACM certificates
If you use a certificate requested from or imported to ACM, then confirm that your certificate meets the following requirements:
- To assign an ACM certificate to a CloudFront distribution, request or import the certificate in the US East (N. Virginia) Region. If you use the ACM console, then check the navigation bar to confirm that you selected US East (N. Virginia) before you request or import the certificate.
Note: After you assign an ACM certificate to a CloudFront distribution, CloudFront distributes the certificate to all edge locations in the CloudFront distribution's price class.
- After you use DNS validation or email validation to validate your ACM certificate, confirm that the certificate's status is Issued.
Note: The status must be Issued before you can assign the certificate to a CloudFront distribution.
- You can use a self-signed certificate to validate only an existing CNAME record, not a new CNAME record. CloudFront supports the same certificate authorities as Mozilla. For more information, see Requirements for using alternate domain names.
- For imported certificates, confirm that the certificate meets the certificate import prerequisites. For more information, see How do I import a third-party issued TLS/SSL certificate to ACM?
- Use an RSA certificate key size that CloudFront supports, such as 1024-bit, 2048-bit, 3072-bit, or 4096-bit.
For more information, see Why can't I find my imported ACM certificate for my load balancer or CloudFront distribution?
Certificates imported to IAM
If you imported your SSL/TLS certificate to IAM, then verify that you used the correct CloudFront path. Run the following upload-server-certificate AWS CLI command to upload your certificate with a specific CloudFront path:
aws iam upload-server-certificate \
  --server-certificate-name CertificateName \
  --certificate-body file://public_key_certificate_file.pem \
  --private-key file://privatekey.pem \
  --certificate-chain file://certificate_chain_file.pem \
  --path /cloudfront/DistributionName/
Note: Replace CertificateName with your certificate name, file://public_key_certificate_file.pem with your public key certificate, and file://privatekey.pem with your private key. Also, replace file://certificate_chain_file.pem with your certificate chain and DistributionName with your CloudFront distribution name.
If you didn't upload your certificate with the CloudFront path, then run the following update-server-certificate command to update your certificate with the path:
aws iam update-server-certificate \
  --server-certificate-name CertificateName \
  --new-path /cloudfront/DistributionName/
Note: Replace CertificateName with your certificate name and DistributionName with your CloudFront distribution name. After you add a certificate to a CloudFront distribution, the distribution status changes from Deployed to In Progress. After CloudFront deploys the changes to all edge locations, the distribution status changes back to Deployed. The typical deployment time is 5 minutes.
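The ACM and IAM checks above can be applied mechanically to the output of the AWS CLI. The following script is an added example, not part of the AWS article: it takes JSON shaped like the output of aws acm list-certificates and aws iam list-server-certificates and reports, for each certificate, why CloudFront would not offer it (wrong Region, status not Issued, unsupported RSA key size, expired, or an IAM path outside /cloudfront/). The two JSON documents, the account ID 111122223333 and the certificate names are constructed sample data, and the fixed NOW timestamp is an assumption so the report is reproducible; on a real account you would feed in the actual CLI output instead.

```python
"""Triage why a certificate is not selectable for a CloudFront distribution.

Added example, not code from the AWS article. It applies the article's checks
to JSON shaped like `aws acm list-certificates --region us-east-1` and
`aws iam list-server-certificates` output. All sample data below is constructed.
"""
from datetime import datetime, timezone

CLOUDFRONT_ACM_REGION = "us-east-1"            # CloudFront only lists ACM certs from US East (N. Virginia)
SUPPORTED_RSA_BITS = {1024, 2048, 3072, 4096}  # RSA key sizes CloudFront accepts
CLOUDFRONT_IAM_PATH_PREFIX = "/cloudfront/"    # IAM server certificates must use this path prefix

# Constructed sample: shape of `aws acm list-certificates` output (placeholder account 111122223333).
ACM_LIST_OUTPUT = {
    "CertificateSummaryList": [
        {"CertificateArn": "arn:aws:acm:us-east-1:111122223333:certificate/11111111-aaaa-bbbb-cccc-000000000001",
         "DomainName": "www.example.com", "Status": "ISSUED", "KeyAlgorithm": "RSA_2048",
         "NotAfter": "2025-06-01T00:00:00+00:00"},
        {"CertificateArn": "arn:aws:acm:eu-west-1:111122223333:certificate/11111111-aaaa-bbbb-cccc-000000000002",
         "DomainName": "api.example.com", "Status": "ISSUED", "KeyAlgorithm": "RSA_2048",
         "NotAfter": "2025-06-01T00:00:00+00:00"},
        {"CertificateArn": "arn:aws:acm:us-east-1:111122223333:certificate/11111111-aaaa-bbbb-cccc-000000000003",
         "DomainName": "static.example.com", "Status": "PENDING_VALIDATION", "KeyAlgorithm": "RSA_2048"},
    ]
}

# Constructed sample: shape of `aws iam list-server-certificates` output.
IAM_LIST_OUTPUT = {
    "ServerCertificateMetadataList": [
        {"Path": "/cloudfront/prod-site/", "ServerCertificateName": "prod-site-cert",
         "Arn": "arn:aws:iam::111122223333:server-certificate/cloudfront/prod-site/prod-site-cert",
         "Expiration": "2025-06-01T00:00:00+00:00"},
        {"Path": "/", "ServerCertificateName": "legacy-cert",
         "Arn": "arn:aws:iam::111122223333:server-certificate/legacy-cert",
         "Expiration": "2025-06-01T00:00:00+00:00"},
        {"Path": "/cloudfront/old-site/", "ServerCertificateName": "old-site-cert",
         "Arn": "arn:aws:iam::111122223333:server-certificate/cloudfront/old-site/old-site-cert",
         "Expiration": "2023-01-01T00:00:00+00:00"},
    ]
}

# Assumed fixed "now" so the constructed sample yields a reproducible report.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


def _expired(timestamp, now):
    """True if an ISO 8601 timestamp (as the AWS CLI emits it) is in the past."""
    return datetime.fromisoformat(timestamp) <= now


def check_acm_certificate(summary, now=NOW):
    """Return the reasons an ACM certificate would not appear in the CloudFront console."""
    problems = []
    region = summary["CertificateArn"].split(":")[3]  # arn:aws:acm:REGION:ACCOUNT:certificate/ID
    if region != CLOUDFRONT_ACM_REGION:
        problems.append(f"stored in {region}; request or import it in {CLOUDFRONT_ACM_REGION}")
    if summary.get("Status") != "ISSUED":
        problems.append(f"status is {summary.get('Status')}; complete DNS or email validation")
    key_algorithm = summary.get("KeyAlgorithm", "")
    if key_algorithm.startswith("RSA_"):
        bits = int(key_algorithm.split("_", 1)[1])
        if bits not in SUPPORTED_RSA_BITS:
            problems.append(f"RSA key size {bits} is not supported by CloudFront")
    if "NotAfter" in summary and _expired(summary["NotAfter"], now):
        problems.append(f"expired on {summary['NotAfter']}")
    return problems


def check_iam_certificate(metadata, now=NOW):
    """Return the reasons an IAM server certificate would not appear for CloudFront."""
    problems = []
    if not metadata["Path"].startswith(CLOUDFRONT_IAM_PATH_PREFIX):
        problems.append(
            f"path {metadata['Path']} is not under {CLOUDFRONT_IAM_PATH_PREFIX}; run "
            f"aws iam update-server-certificate --server-certificate-name "
            f"{metadata['ServerCertificateName']} --new-path /cloudfront/DistributionName/"
        )
    if _expired(metadata["Expiration"], now):
        problems.append(f"expired on {metadata['Expiration']}")
    return problems


def triage(acm_output=ACM_LIST_OUTPUT, iam_output=IAM_LIST_OUTPUT, now=NOW):
    """Map each certificate (ACM ARN or IAM name) to its list of blocking problems."""
    report = {}
    for summary in acm_output["CertificateSummaryList"]:
        report[summary["CertificateArn"]] = check_acm_certificate(summary, now)
    for metadata in iam_output["ServerCertificateMetadataList"]:
        report[metadata["ServerCertificateName"]] = check_iam_certificate(metadata, now)
    return report


def selectable(report):
    """Certificates with no problems: the ones CloudFront will actually offer."""
    return sorted(name for name, problems in report.items() if not problems)


if __name__ == "__main__":
    for name, problems in triage().items():
        print(name, "->", "OK" if not problems else "; ".join(problems))
```

With the constructed sample, only the us-east-1 Issued ACM certificate and the IAM certificate under /cloudfront/prod-site/ come back clean; the others each carry the reason they are missing from the console, which is usually faster than clicking through Regions and paths by hand.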
Check your certificate permissions
Confirm that you have the required permissions when you assign a certificate from ACM or IAM to the CloudFront distribution.
The IAM user or role that you use to assign the certificate must have the following permissions:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "acm:ListCertificates",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "cloudfront:ListDistributions",
        "cloudfront:ListStreamingDistributions"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "cloudfront:List*",
        "cloudfront:Get*",
        "cloudfront:Update*"
      ],
      "Resource": "arn:aws:cloudfront::account-id:distribution/distribution-id"
    },
    {
      "Effect": "Allow",
      "Action": "iam:ListServerCertificates",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:GetServerCertificate",
        "iam:UpdateServerCertificate"
      ],
      "Resource": "arn:aws:iam::account-id:server-certificate/certificate-name-with-path"
    }
  ]
}
Additional troubleshooting
If you imported your SSL/TLS certificate to IAM, then confirm that the certificate chain is in the correct order and that the certificate isn't expired. For more information, see How do I upload and import an SSL certificate to IAM?
To use multiple domain names in your CloudFront distribution, request or generate a single SSL/TLS certificate that includes all the required domains. By default, ACM supports up to 100 domains for each certificate.
Note: You can't associate more than one SSL/TLS certificate with an individual CloudFront distribution.
Related information
How do I use ACM to troubleshoot the CloudFront distribution "InvalidViewerCertificate" domain name error?
Requirements for using SSL/TLS certificates with CloudFront