14
votes

I am creating a SSL certificate for my amazon S3 static website. I created a SSL certificate using Certificate Manager for my domain and its status is 'Issued'. I am creating a CloudFront Distribution, but the Custom SSL Certificate option is disabled.

Will it take some time (a day or more) before I can see my custom SSL certificate? Or am I doing something wrong?

4
Did you create the certificate in the us-east-1 region of Certificate Manager? – Michael - sqlbot
Yes, you were correct. Earlier, I created the certificate in the Asia region. Now, after creating the certificate in the us-east-1 region, I can see the certificate when I am creating a CloudFront distribution. Should we create the certificate only in the us-east-1 region? You can write the above comment as an answer and I will accept it. – black_blood

4 Answers

21
votes

Certificates that will be used with an Application Load Balancer (ELB/2.0) need to be created in ACM in the same region as the balancer.

Certificates that will be used with CloudFront always need to be created in us-east-1.

To use an ACM Certificate with Amazon CloudFront, you must request or import the certificate in the US East (N. Virginia) region. ACM Certificates in this region that are associated with a CloudFront distribution are distributed to all the geographic locations configured for that distribution.

http://docs.aws.amazon.com/acm/latest/userguide/acm-regions.html

The reason for this is that CloudFront doesn't follow the regional boundary model in AWS. CloudFront edge locations are all over the globe, but are configured and managed out of us-east-1 -- think of it as CloudFront's home region. Once a distribution reaches the Deployed state, it is not operationally dependent on us-east-1, but during provisioning, everything originates from that region, so that's the only ACM region that CloudFront can access.

5
votes

I was getting this exact behavior but with the certificate correctly imported in us-east-1, and figured out that the problem was the key size of my certificate (4096 bits).

AWS CloudFront only accepts keys up to 2048 bits, as stated here: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/cnames-and-https-requirements.html#https-requirements-size-of-public-key

Size of the Public Key

The length of the public key for a certificate depends on where you're storing it.

Importing a certificate into AWS Certificate Manager (ACM): public key length must be 1024 or 2048 bits. The limit for a certificate that you use with CloudFront is 2048 bits, even though ACM supports larger keys.

Uploading a certificate to the AWS Identity and Access Management (IAM) certificate store: maximum size of the public key is 2048 bits.

We recommend using 2048 bits.
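The two answers above describe two separate reasons a certificate that ACM reports as Issued still will not show up in the Custom SSL Certificate drop-down: it lives in a region other than us-east-1, or its RSA key is longer than 2048 bits. The script below is an added example (not code from this thread or from AWS) that runs both checks over `describe-certificate`-style records before you go looking in the CloudFront console. The sample records, account id and certificate ids are constructed; `fetch_from_acm` is an optional helper that needs boto3 and AWS credentials and is not exercised by the sample run.

```python
"""Pre-flight check: which ACM certificates can CloudFront actually select?

Added example, not from the Stack Overflow thread above. It encodes the two
constraints the answers describe: the certificate must be in us-east-1, and
an RSA public key must be no longer than 2048 bits. The records in
SAMPLE_CERTS are constructed to look like `aws acm describe-certificate`
output; the account id and certificate ids are made up.
"""
import re

CLOUDFRONT_ACM_REGION = "us-east-1"   # CloudFront only reads ACM in its home region
CLOUDFRONT_MAX_RSA_BITS = 2048        # limit quoted from the CloudFront docs above


def region_from_arn(arn):
    """Return the region field of an ACM certificate ARN.

    ARN layout: arn:partition:service:region:account-id:resource
    """
    parts = arn.split(":")
    if len(parts) < 6 or parts[2] != "acm":
        raise ValueError("not an ACM certificate ARN: %r" % arn)
    return parts[3]


def rsa_bits(key_algorithm):
    """Extract the RSA modulus length from an ACM KeyAlgorithm string.

    ACM reports e.g. 'RSA_2048' (API enum) or 'RSA-2048' (CLI output).
    Returns None for non-RSA algorithms such as 'EC_prime256v1'.
    """
    m = re.fullmatch(r"RSA[_-](\d+)", key_algorithm or "")
    return int(m.group(1)) if m else None


def cloudfront_problems(cert):
    """List the reasons a describe-certificate record cannot be used by CloudFront.

    An empty list means the certificate should appear in the
    Custom SSL Certificate drop-down.
    """
    problems = []
    region = region_from_arn(cert["CertificateArn"])
    if region != CLOUDFRONT_ACM_REGION:
        problems.append("certificate is in %s; CloudFront only reads ACM in %s"
                        % (region, CLOUDFRONT_ACM_REGION))
    if cert.get("Status") != "ISSUED":
        problems.append("status is %s, not ISSUED" % cert.get("Status"))
    bits = rsa_bits(cert.get("KeyAlgorithm"))
    if bits is None:
        problems.append("key algorithm %r is not RSA; the limits quoted here "
                        "only cover RSA, check the current CloudFront docs"
                        % cert.get("KeyAlgorithm"))
    elif bits > CLOUDFRONT_MAX_RSA_BITS:
        problems.append("RSA key is %d bits; CloudFront limit is %d bits"
                        % (bits, CLOUDFRONT_MAX_RSA_BITS))
    return problems


def partition_for_cloudfront(certs):
    """Split records into (list of usable ARNs, {arn: [problems]})."""
    usable, rejected = [], {}
    for cert in certs:
        problems = cloudfront_problems(cert)
        if problems:
            rejected[cert["CertificateArn"]] = problems
        else:
            usable.append(cert["CertificateArn"])
    return usable, rejected


def fetch_from_acm(region=CLOUDFRONT_ACM_REGION):
    """Optional: pull real records with boto3 (needs credentials; not run here)."""
    import boto3  # imported lazily so the sample run works without boto3
    acm = boto3.client("acm", region_name=region)
    arns = [c["CertificateArn"]
            for page in acm.get_paginator("list_certificates").paginate()
            for c in page["CertificateSummaryList"]]
    return [acm.describe_certificate(CertificateArn=a)["Certificate"] for a in arns]


# Constructed sample records (made-up account id and certificate ids).
_ACCOUNT = "123456789012"
SAMPLE_CERTS = [
    {"CertificateArn": "arn:aws:acm:ap-southeast-1:%s:certificate/11111111-1111-1111-1111-111111111111" % _ACCOUNT,
     "DomainName": "www.example.com", "Status": "ISSUED", "KeyAlgorithm": "RSA-2048"},
    {"CertificateArn": "arn:aws:acm:us-east-1:%s:certificate/22222222-2222-2222-2222-222222222222" % _ACCOUNT,
     "DomainName": "www.example.com", "Status": "ISSUED", "KeyAlgorithm": "RSA_4096"},
    {"CertificateArn": "arn:aws:acm:us-east-1:%s:certificate/33333333-3333-3333-3333-333333333333" % _ACCOUNT,
     "DomainName": "www.example.com", "Status": "ISSUED", "KeyAlgorithm": "RSA_2048"},
    {"CertificateArn": "arn:aws:acm:us-east-1:%s:certificate/44444444-4444-4444-4444-444444444444" % _ACCOUNT,
     "DomainName": "www.example.com", "Status": "PENDING_VALIDATION", "KeyAlgorithm": "RSA_2048"},
]

if __name__ == "__main__":
    ok, bad = partition_for_cloudfront(SAMPLE_CERTS)
    print("usable with CloudFront:", *ok, sep="\n  ")
    for arn, why in bad.items():
        print("NOT usable:", arn, *why, sep="\n  ")
```

Only the third sample record passes: the first is in the wrong region (the question's original mistake), the second has a 4096-bit key (the second answer's case), and the fourth has not finished validation. Swap `SAMPLE_CERTS` for `fetch_from_acm()` to run it against a real account; since CloudFront only looks in us-east-1, fetching any other region will, correctly, report every certificate as unusable.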

2
votes

When replacing a cert, make sure you clear out the name of the existing cert in the 'Custom SSL Certificate (example.com)' text box. If you leave it uncleared, other certs are not selectable.

0
votes

Had the same experience while trying to create a CloudFront distribution. I initially created the certificate in the us-west-2 region but the checkbox was greyed out. What resolved it was creating the certificate in the us-east-1 region. The checkbox immediately became selectable.