Menu
I am creating a SSL certificate for my amazon S3 static website. I created a SSL certificate using Certificate Manager for my domain and its status is 'Issued'. I am creating a CloudFront Distribution, but the Custom SSL Certificate option is disabled.
Will it take some time (a day or more) before I can see my custom SSL certificate? Or am I doing something wrong?
248
The certificate you requested is displayed so that you can see the status of your request. After you write the DNS record or have ACM write the record for you, it typically takes DNS 30 minutes to propagate the record, and it might take several hours for Amazon to validate it and issue the certificate.
To replace the SSL certificate for an HTTPS load balancerOpen the Amazon EC2 console at https://console.aws.amazon.com/ec2/ . On the navigation pane, under Load Balancing, choose Load Balancers. Select your load balancer. On the Listeners tab, for SSL Certificate, choose Change.
Certificates that will be used with an Application Load Balancer (ELB/2.0) need to be created in ACM in the same region as the balancer.
Certificates that will be used with CloudFront always need to be created in us-east-1.
To use an ACM Certificate with Amazon CloudFront, you must request or import the certificate in the US East (N. Virginia) region. ACM Certificates in this region that are associated with a CloudFront distribution are distributed to all the geographic locations configured for that distribution.
– http://docs.aws.amazon.com/acm/latest/userguide/acm-regions.html
The reason for this is that CloudFront doesn't follow the regional boundary model in AWS. CloudFront edge locations are all over the globe, but are configured and managed out of us-east-1 -- think of it as CloudFront's home region. Once a distribution reaches the Deployed state, it is not operationally dependent on us-east-1, but during provisioning, everything originates from that region, so that's the only ACM region that CloudFront can access.
153
I was getting this exact behavior but with the certificated correctly imported at us-east-1 and figured out that the problem was the key size of my certificate (4096 bits).
AWS CloudFront only accept keys up to 2048 bits, as stated here: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/cnames-and-https-requirements.html#https-requirements-size-of-public-key
Size of the Public Key
The length of the public key for a certificate depends on where you're storing it.
Importing a certificate into AWS Certificate Manager (ACM): public key length must be 1024 or 2048 bits. The limit for a certificate that you use with CloudFront is 2048 bits, even though ACM supports larger keys.
Uploading a certificate to the AWS Identity and Access Management (IAM) certificate store: maximum size of the public key is 2048 bits.
We recommend using 2048 bits.
36
When replacing a cert, make sure you clear out the name of the existing cert in the 'Custom SSL Certificate (example.com)' text box. If you leave it uncleared, other certs are not selectable.
23
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
