Cloudfront serving over own SSL certificate

Does anyone know if it's possible to serve with CloudFront over HTTPS with your own certificate while using your own CNAME? I can't even find a way to set up my own SSL cert over S3... so I'm not sure if this is even possible.

UPDATE: If someone is interested in an update about this issue: maxcdn.com offers to host your SSL cert on your domain for only a $59 flat fee a month.

It's not Amazon, but it even supports pulling from your server and hosting forever, or, if you send a cache-control header, for whatever time you specify until it fetches the original URL again.

The whole offer is pretty neat. :D

Toby asked Mar 02 '11 07:03



People also ask

Can I use self signed certificate with CloudFront?

You can't use a self-signed certificate for HTTPS communication between CloudFront and your origin.

Can CloudFront have multiple SSL certificates?

You can't associate more than one SSL or Transport Layer Security (TLS) certificate to an individual CloudFront distribution. However, certificates provided by AWS Certificate Manager (ACM) support up to 10 subject alternative names, including wildcards.

How do I use CloudFront with custom domain?

Sign in to the AWS Management Console and open the CloudFront console at https://console.aws.amazon.com/cloudfront/v3/home . Choose the ID for the distribution that you want to update. On the General tab, choose Edit. Add your alternate domain names.


2 Answers

I looked into this extensively, and no, currently it's not possible to use HTTPS with CNAMEs unless you're able to ignore cert name mismatches on the client side. HTTPS works with "simple" bucket names, but CNAMEs only work with bucket names that are fully-qualified domains.

AWS is always adding new features, so I can see them being able to serve up custom certificates at some point, but there's no support for that yet.

See: http://stackoverflow.com/questions/3048236/amazon-s3-https-ssl-is-it-possible

Edit: Still not possible for direct access to S3, but it is possible through CloudFront: http://aws.amazon.com/cloudfront/custom-ssl-domains/

Tim Sylvester answered Sep 18 '22 20:09



PLEASE NOTE THE EDITS & UPDATES BELOW. I am resurrecting this because Amazon is running a survey (as of this writing) which asks customers for feedback on their product roadmap.

See the post on this survey being available: https://forums.aws.amazon.com/thread.jspa?threadID=26488&tstart=30

and the direct survey link: http://aws.qualtrics.com/SE/?SID=SV_9yvAN5PK8abJIFK

EDIT: Noticed a post from June 11, 2012 that AWS had updated the survey link:

See the post on this survey being available: https://forums.aws.amazon.com/thread.jspa?messageID=363869

New Survey Link: http://aws.qualtrics.com/SE/?SID=SV_e4eM1cRblPaccFS

I think it is worth the time to provide them feedback about making CNAME + SSL a supported feature.

EDIT: Announced on June 11, 2013, custom SSL Certs with dedicated IPs are now supported with CloudFront on AWS:

See the feature announcement on the AWS Blog: http://aws.typepad.com/aws/2013/06/custom-ssl-domain-names-root-domain-hosting-for-amazon-cloudfront.html

One item of consideration before counting on going this route: you need to see significant value from deviating from the https://[distribution].cloudfront.net route, as the pricing is $600 USD per month for hosting custom SSL certs.

EDIT: Announced on March 5, 2014, custom SSL Certs using Server Name Indication (SNI) are now supported with CloudFront on AWS -- NO ADDITIONAL CHARGE:

As wikichen noted below, AWS now supports custom SSL Certs via SNI. This is HUGE as it opens the possibility of leveraging AWS' existing infrastructure (IP addresses). As such, AWS does not charge extra for this service! To learn more, read about it on the AWS blog post: http://aws.typepad.com/aws/2014/03/server-name-indication-sni-and-http-redirection-for-amazon-cloudfront.html

One item that should be noted, though: Server Name Indication (SNI) does have some drawbacks that should be considered before relying on it completely. In particular, it is not supported by some older browsers. If you want to understand this better, see: Is SNI actually used and supported in browsers?

EDIT: AWS announced on January 21, 2016, they supply custom SSL Certs for FREE!

To read about the full announcement on the AWS site: https://aws.amazon.com/blogs/aws/new-aws-certificate-manager-deploy-ssltls-based-apps-on-aws/

Amazon has announced a new service called AWS Certificate Manager, offering free SSL/TLS certificates for AWS resources.

These certificates are usually purchased from third-party certificate providers like Symantec, Comodo and RapidSSL and can cost anywhere from $50 to hundreds of dollars, depending on the level of identity verification performed.

The process of obtaining a new certificate has always been a bit messy, requiring the generation of a Certificate Signing Request on the server being protected, sending that request to a certificate provider, and then installing the certificate once it is received. Since Amazon is managing the whole process, all of that goes away and certificates can be quickly issued and provisioned on AWS resources automatically.

There are a few limitations to the certificates. Amazon only provides domain validated certificates, a simple verification where domain validation takes place via email. If you want an Extended Validation certificate, you may stick with their current certificate providers. In addition, the certificates cannot be used for code signing or email encryption.

John Mark Mitchell answered Sep 20 '22 20:09

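The two answers above walk through the settings that make a custom CNAME work over HTTPS on CloudFront today: an ACM certificate (issued in us-east-1), `sni-only` instead of the dedicated-IP `vip` method, and a certificate whose SANs actually cover the alias. As an added example that is not part of either answer, here is a small pure-Python linter for the `DistributionConfig` JSON that `aws cloudfront get-distribution-config` returns, with a constructed "weak" config beside the corrected one; the ARN, domain names and SAN list are made-up sample values, and the SAN list is assumed to come from `aws acm describe-certificate`.

```python
import re

# ACM certificates used by CloudFront must be issued in us-east-1; the ARN encodes that.
ACM_ARN_RE = re.compile(r"^arn:aws:acm:us-east-1:\d{12}:certificate/[0-9a-f-]+$")
WEAK_TLS = {"SSLv3", "TLSv1", "TLSv1_2016", "TLSv1.1_2016"}


def san_matches(san, host):
    """RFC 6125-style match: '*.example.com' covers exactly one leftmost label,
    so it matches cdn.example.com but not example.com or a.b.example.com."""
    san, host = san.lower(), host.lower()
    if san.startswith("*."):
        return "." in host and host.split(".", 1)[1] == san[2:]
    return san == host


def lint_distribution(cfg, cert_sans):
    """Return findings for a DistributionConfig dict; empty means the CNAME + TLS
    setup is sound. cert_sans: SubjectAlternativeNames of the referenced ACM cert."""
    findings = []
    aliases = cfg.get("Aliases", {}).get("Items", [])
    vc = cfg.get("ViewerCertificate", {})
    if aliases and vc.get("CloudFrontDefaultCertificate"):
        findings.append("aliases set but viewers get the *.cloudfront.net cert: name mismatch")
    if aliases and not ACM_ARN_RE.match(vc.get("ACMCertificateArn", "")):
        findings.append("custom cert must be an ACM certificate issued in us-east-1")
    if vc.get("SSLSupportMethod") == "vip":
        findings.append("SSLSupportMethod=vip bills a dedicated IP; sni-only is free")
    if vc.get("MinimumProtocolVersion") in WEAK_TLS:
        findings.append("MinimumProtocolVersion permits TLS older than 1.2")
    for alias in aliases:
        if not any(san_matches(s, alias) for s in cert_sans):
            findings.append(f"alias {alias} is not covered by the certificate SANs")
    if cfg.get("DefaultCacheBehavior", {}).get("ViewerProtocolPolicy") == "allow-all":
        findings.append("ViewerProtocolPolicy=allow-all still serves plain HTTP")
    return findings


# Constructed samples (not from any real account): cert issued for apex + one wildcard.
CERT_SANS = ["example.com", "*.example.com"]
WEAK_CONFIG = {  # an alias was added, but the rest is still the distribution default
    "Aliases": {"Quantity": 1, "Items": ["static.cdn.example.com"]},
    "ViewerCertificate": {"CloudFrontDefaultCertificate": True},
    "DefaultCacheBehavior": {"ViewerProtocolPolicy": "allow-all"},
}
FIXED_CONFIG = {
    "Aliases": {"Quantity": 1, "Items": ["cdn.example.com"]},
    "ViewerCertificate": {
        "ACMCertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/00000000-0000-0000-0000-000000000000",
        "SSLSupportMethod": "sni-only", "MinimumProtocolVersion": "TLSv1.2_2021"},
    "DefaultCacheBehavior": {"ViewerProtocolPolicy": "redirect-to-https"},
}
```

Note that `static.cdn.example.com` is flagged even though the certificate carries `*.example.com`: a wildcard only covers one label, which is the usual surprise when an alias sits two levels below the apex.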