AWS: Custom SSL certificate option is disabled in CloudFront, but I created a SSL certificate using AWS Certificate Manager

I am creating an SSL certificate for my Amazon S3 static website. I created an SSL certificate using Certificate Manager for my domain and its status is 'Issued'. I am creating a CloudFront Distribution, but the Custom SSL Certificate option is disabled.

Will it take some time (a day or more) before I can see my custom SSL certificate? Or am I doing something wrong?

black_blood asked Apr 02 '17 08:04




3 Answers

Certificates that will be used with an Application Load Balancer (ELB/2.0) need to be created in ACM in the same region as the balancer.

Certificates that will be used with CloudFront always need to be created in us-east-1.

To use an ACM Certificate with Amazon CloudFront, you must request or import the certificate in the US East (N. Virginia) region. ACM Certificates in this region that are associated with a CloudFront distribution are distributed to all the geographic locations configured for that distribution.

– http://docs.aws.amazon.com/acm/latest/userguide/acm-regions.html

The reason for this is that CloudFront doesn't follow the regional boundary model in AWS. CloudFront edge locations are all over the globe, but are configured and managed out of us-east-1 -- think of it as CloudFront's home region. Once a distribution reaches the Deployed state, it is not operationally dependent on us-east-1, but during provisioning, everything originates from that region, so that's the only ACM region that CloudFront can access.

Michael - sqlbot answered Oct 05 '22 17:10


I was getting this exact behavior but with the certificate correctly imported in us-east-1 and figured out that the problem was the key size of my certificate (4096 bits).

AWS CloudFront only accepts keys up to 2048 bits, as stated here: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/cnames-and-https-requirements.html#https-requirements-size-of-public-key

Size of the Public Key

The length of the public key for a certificate depends on where you're storing it.

Importing a certificate into AWS Certificate Manager (ACM): public key length must be 1024 or 2048 bits. The limit for a certificate that you use with CloudFront is 2048 bits, even though ACM supports larger keys.

Uploading a certificate to the AWS Identity and Access Management (IAM) certificate store: maximum size of the public key is 2048 bits.

We recommend using 2048 bits.

Vinicius answered Oct 05 '22 16:10
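An added pre-flight check that applies the two answers above (wrong ACM region, key larger than 2048 bits) to the JSON that `aws acm describe-certificate` returns; this is example code, not from any answer here and not AWS's own. The certificate documents are constructed samples and no AWS call is made, so it runs offline.

```python
"""Pre-flight check for an ACM certificate intended for CloudFront.

Hypothetical helper, not AWS code. It inspects the dict returned by
`aws acm describe-certificate` (or boto3 describe_certificate) and lists
every reason CloudFront's Custom SSL Certificate picker would not show it.
"""
CLOUDFRONT_REGION = "us-east-1"  # the only ACM region CloudFront reads
# RSA sizes the quoted docs allow for CloudFront; larger RSA keys are rejected
ALLOWED_KEY_ALGORITHMS = {"RSA_1024", "RSA_2048"}


def arn_region(arn):
    """Return the region field of an ARN: arn:partition:service:region:account:resource."""
    parts = arn.split(":", 5)
    if len(parts) < 6 or parts[0] != "arn" or parts[2] != "acm":
        raise ValueError("not an ACM certificate ARN: %r" % arn)
    return parts[3]


def cloudfront_problems(describe_output):
    """Return reasons the certificate is unusable by CloudFront (empty list = OK)."""
    cert = describe_output["Certificate"]
    problems = []
    region = arn_region(cert["CertificateArn"])
    if region != CLOUDFRONT_REGION:
        problems.append("certificate is in %s; CloudFront only reads ACM in %s"
                        % (region, CLOUDFRONT_REGION))
    if cert.get("Status") != "ISSUED":
        problems.append("status is %r, not 'ISSUED'" % cert.get("Status"))
    algo = cert.get("KeyAlgorithm", "")
    if algo not in ALLOWED_KEY_ALGORITHMS:
        problems.append("key algorithm %s is not one CloudFront accepts (RSA up to 2048 bits)" % algo)
    return problems


# Constructed sample, modelled on answer 2: right region, but a 4096-bit key.
SAMPLE_4096 = {"Certificate": {
    "CertificateArn": "arn:aws:acm:us-east-1:111122223333:certificate/00000000-0000-0000-0000-000000000000",
    "DomainName": "example.com", "Status": "ISSUED", "KeyAlgorithm": "RSA_4096"}}

# Constructed sample, modelled on answer 1: 2048-bit key but requested outside us-east-1.
SAMPLE_WRONG_REGION = {"Certificate": {
    "CertificateArn": "arn:aws:acm:eu-west-1:111122223333:certificate/00000000-0000-0000-0000-000000000000",
    "DomainName": "example.com", "Status": "ISSUED", "KeyAlgorithm": "RSA_2048"}}

if __name__ == "__main__":
    for label, doc in (("4096-bit key", SAMPLE_4096), ("wrong region", SAMPLE_WRONG_REGION)):
        print(label, "->", cloudfront_problems(doc) or ["usable by CloudFront"])
```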


When replacing a cert, make sure you clear out the name of the existing cert in the 'Custom SSL Certificate (example.com)' text box. If you leave it uncleared, other certs are not selectable.

Sander van Burken answered Oct 05 '22 15:10