Unable to select Custom SSL Certificate (stored in AWS IAM)

104
votes

I am going to create a new distribution at CloudFront. Already I have uploaded my SSL certificate at AWS IAM using AWS CLI. That certificate appears in the Custom SSL Certificate dropdown on new distribution page but it is DISABLED.

Can someone tell me why is it so ? How to select my custom SSL certificate for this distribution ?

17
sslamazon-web-servicesamazon-cloudfrontamazon-iamaws-cli
did you upload the cert using root account?mohamnag

17 Answers

133
votes

It took a whole day to AWS to propagate the new certificate to all of its nodes. Next day when I logged in to my AWS console, the certificate appeared in the dropdown and was enabled as well and I could configure distribution successfully.

Also, be sure to select us-east-1 (N. Virginia) when you make the certificate request; it's the only region that supports it at this time (even if your bucket / asset is in another region)

43
votes

Only certificates registered in AWS Certificate Manager (ACM) in the US East (N. Virginia) Region will be enabled for use in CloudFront

37
votes

  • Import cert into IAM or create one through ACM in us-east-1 as mentioned in the other comments.

  • Wait for the validation to be complete i.e. not orange.

  • Load the cloudfront distribution setting edit page.
  • If the Custom SSL option is greyed, logout of the console and log back in. After this step the greyed out option came alive for me. I imagine it being cached somehow and the logout-login refreshing it.
19
votes

Just wait a few minutes and reload the distribution settings page to see the custom SSL option ENABLED.

I had the same problem, didn't use my AWS root account and the IAM path was correctly set to /cloudfront/.

16
votes

Sign in to the console and use this URL: https://console.aws.amazon.com/acm/home?region=us-east-1#/wizard/ and it will work. The key is the region.

14
votes

I had similar issues, and it worked more smoothly for me to import the cert into AWS Certificate Manager.

If you are using AWS Certificate Manager with an S3 bucket, make sure you are importing the cert into the US East (N. Virginia) region. As of today, that is the only region in ACM that supports S3. See https://docs.aws.amazon.com/acm/latest/userguide/acm-services.html

13
votes

Go back to the cloudfront homepage after the certificate get issued and refresh the page. It worked for me

7
votes

The reason it is not now showing up is probably that the iam path you have set is not /cloudfront/[1]. You can use the same cli you used to upload the certificate to change the default path of / or you could upload the certificate again. Let me know if that doesn't fix it.

  1. http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/SecureConnections.html#CNAMEsAndHTTPS
4
votes

Make sure that you're not uploading the certificate using an AWS root account. If you use a root account, the certificate will be visible but you won't be able to select it.

Instead, create a new IAM user with adequate rights (I used an account with an administrative policy assigned) and upload the certificate using those credentials. The certificate should then be available.

3
votes

If you are requesting a certificate in another region (not us-east-1), set your region to us-east-1 and request a certificate again. I just request same domain name in ap-northeast-2 and it works immediately.

2
votes

There seems to be an error in the front-end.

Try this, it worked for me:

  • Go into the HTML using your browser's inspection tool.
  • Delete the "disabled" attributes from both the radio button and the textbox that are currently greyed out.
  • Then insert the ARN of your certificate.
  • Complete your form.
1
votes

Use this:

{
"Effect": "Allow",
"Action": [
    "iam:DeleteServerCertificate",
    "iam:UploadServerCertificate",
    "iam:ListServerCertificates",
    "iam:GetServerCertificate"
],
    "Resource": "*"
}
1
votes

In my case it was not request the ACM in N.Virginia region, after the ACM status turns green, I need to log out and log in for the button to enable.

1
votes

I got same issue. So I read this

But for me, it was still disabled as it can take a whole day for the same.

So, I inspected the html and removed the disabled property and selected the certificate.

0
votes

I see there are many good answers already, and any of them may be the reason your Custon SSL Certificate section is disabled. I think I just found another one and this was the case for me:

For many "integrated services", that includes CloudFront, only few algorithms and key sizes are supported. I was trying to use my RSA 4096-bit certificate, and a key of adequate length.

As of right now for the use with the "integrated services" AWS only accepts key lengths of 1024 or 2048 bits.

Mentioned here: https://docs.aws.amazon.com/acm/latest/userguide/import-certificate-prerequisites.html

0
votes

If the certificate is not showing in the drop down list you can copy and paste the full ARN for the certificate. The ARN is found in Certificate Manager by selecting the certificate you want to use.

-1
votes

AWS root account can not able to select a custom certificate in CloudFront.

Please create a new IAM user with the below policy and create CloudFront distribution with that user and you can able to select a custom SSL certificate.

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["*"],
    "Resource": ["*"]
  }]
}