Cloudfront rejecting my DigiCert Certificate

0

I have a wildcard cert from DigiCert (a trusted CA) with all of the subdomains I want to use in the SANs. I have imported this cert to AWS ACM. When I try to use it with CloudFront, I am unable to add the subdomains to my CF distribution; I get the error message "The certificate that is attached to your distribution was not issued by a trusted Certificate Authority." Everything seems to be correct, but I get this message and I am at a loss. Thank you in advance.

1 Answer
0
Accepted Answer

The error message you're encountering suggests that CloudFront is not recognizing your DigiCert wildcard certificate as trusted, despite DigiCert being a well-known trusted Certificate Authority. There are a few potential reasons for this issue and steps you can take to resolve it:

  1. Certificate Chain: Ensure that you've uploaded the entire certificate chain, including any intermediate certificates from DigiCert, not just the main certificate. CloudFront requires the complete chain to validate the certificate's trust.

  2. Region: CloudFront is particular about the region where certificates are uploaded. Make sure you've imported the certificate into AWS Certificate Manager (ACM) in the US East (N. Virginia) region, also known as us-east-1. This is a requirement for using custom SSL certificates with CloudFront.

  3. Certificate Format: Verify that the certificate is correctly formatted and not corrupted during the import process.

  4. Expiration: Check that the certificate is not expired and is still valid.

If you've confirmed all of these points and are still experiencing issues, you might consider using AWS Certificate Manager (ACM) to issue a new certificate for your domains. ACM-issued certificates are automatically trusted by CloudFront, are free of charge, and offer benefits like automatic renewal.

To use an ACM-issued certificate:

  1. Request a new certificate through ACM in the us-east-1 region.
  2. Validate domain ownership by adding the required CNAME records to your DNS.
  3. Once issued, attach the ACM certificate to your CloudFront distribution.

If you prefer to use your DigiCert certificate and the above steps don't resolve the issue, you may need to contact AWS Support for further assistance in diagnosing the problem with your specific certificate.

Sources
Cant attach certificate in cloudfront | AWS re:Post
Troubleshooting distribution issues - Amazon CloudFront
AWS private certificate issue | AWS re:Post

answered 2 months ago
EXPERT reviewed 2 months ago
  • This helped; it was the first item, about the cert chain. I didn't realize I could include the whole chain in the "Certificate chain - optional" field when importing the certificate.
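The chain problem described in the answer and confirmed in the comment can be reproduced locally before touching ACM. The script below is an added example, not code from the thread or from AWS: it generates a throwaway root, intermediate and wildcard leaf with openssl (constructed certificates, not DigiCert's), shows that the leaf verifies only when the intermediate is supplied, and assembles the file that goes into ACM's "Certificate chain - optional" field. The `aws acm import-certificate` flags and the `us-east-1` requirement are real; the directory layout and file names are this example's own.

```shell
#!/bin/sh
# Added example: reproduce "leaf without its intermediate" with a demo PKI,
# then build the chain file ACM expects. All certs here are constructed.
set -eu

# Generate root -> intermediate -> wildcard leaf into directory $1.
# Extensions come only from ext files, so no default openssl.cnf is relied on.
make_demo_chain() {
  d="$1"
  mkdir -p "$d"
  # Root CA (stands in for the public CA's root).
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -subj "/CN=Demo Root CA" -keyout "$d/root.key" -out "$d/root.csr" >/dev/null 2>&1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/root.ext"
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
    -extfile "$d/root.ext" -out "$d/root.pem" >/dev/null 2>&1
  # Intermediate CA signed by the root (the piece people forget to upload).
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -subj "/CN=Demo Intermediate CA" -keyout "$d/inter.key" -out "$d/inter.csr" >/dev/null 2>&1
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/inter.ext"
  openssl x509 -req -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial \
    -days 2 -extfile "$d/inter.ext" -out "$d/inter.pem" >/dev/null 2>&1
  # Wildcard leaf with SANs, the shape of the certificate in the question.
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -subj "/CN=*.example.com" -keyout "$d/leaf.key" -out "$d/leaf.csr" >/dev/null 2>&1
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:*.example.com,DNS:example.com\nextendedKeyUsage=serverAuth\n' > "$d/leaf.ext"
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/inter.pem" -CAkey "$d/inter.key" -CAcreateserial \
    -days 2 -extfile "$d/leaf.ext" -out "$d/leaf.pem" >/dev/null 2>&1
}

# Return 0 when openssl can build a trust path from the leaf ($1) to the
# trusted root ($2); $3 is an optional file of intermediates.
verify_leaf() {
  if [ -n "${3:-}" ]; then
    openssl verify -CAfile "$2" -untrusted "$3" "$1" >/dev/null 2>&1
  else
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
  fi
}

# ACM takes the leaf in "Certificate body" and the intermediates (root optional,
# leaf excluded) in "Certificate chain". $1 = output file, rest = intermediates.
build_chain_file() {
  out="$1"; shift
  cat "$@" > "$out"
}

# Number of PEM certificates in a file: a sanity check before pasting it into
# the chain field (1 or more expected; 0 means the chain was never added).
count_certs() {
  grep -c 'BEGIN CERTIFICATE' "$1"
}

# SANs of the leaf, to confirm every subdomain the distribution will serve.
leaf_sans() {
  openssl x509 -in "$1" -noout -ext subjectAltName
}

# The aws CLI call that uploads leaf + key + chain into ACM in us-east-1, the
# region CloudFront reads certificates from. Printed, not run: needs credentials.
acm_import_command() {
  printf 'aws acm import-certificate --region us-east-1 --certificate fileb://%s --private-key fileb://%s --certificate-chain fileb://%s\n' \
    "$1/leaf.pem" "$1/leaf.key" "$1/chain.pem"
}

demo() {
  d=$(mktemp -d)
  make_demo_chain "$d"
  build_chain_file "$d/chain.pem" "$d/inter.pem"
  if verify_leaf "$d/leaf.pem" "$d/root.pem"; then
    echo "leaf alone: OK (unexpected)"
  else
    echo "leaf alone: FAILS, the same state as an import without the chain field"
  fi
  verify_leaf "$d/leaf.pem" "$d/root.pem" "$d/chain.pem" && echo "leaf + chain: OK"
  echo "chain.pem holds $(count_certs "$d/chain.pem") certificate(s)"
  leaf_sans "$d/leaf.pem"
  acm_import_command "$d"
}
demo
```

The first `verify_leaf` call fails with "unable to get local issuer certificate", which is exactly what a validator sees when only the end-entity certificate is imported; once `chain.pem` is supplied the path to the root closes. Run the same two checks against the real DigiCert files, with DigiCert's root as the `-CAfile`, before importing, and keep the chain file limited to the intermediates that actually link the leaf to that root.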
