sebamontini

Reputation: 360

Can't use AWS cloudfront with custom SSL cert from IAM

I have a CloudFront distribution that I want to set up with SSL using a custom certificate.

We want to use an SSL cert that we already have uploaded to IAM (and we're currently using for a few ELBs), but it won't let us even select the option (the drop-down where the certs are supposed to be is empty).

Any ideas? According to the official doc, this is supposed to be a valid option.

PS: we do not want to use a cert provided by the AWS Certificate Manager.

Upvotes: 6

Views: 990

Answers (3)

eblackey

Reputation: 11

From my experience, if you upload an IAM certificate to the /cloudfront directory, you can then use it on ELBs. But, you cannot use an IAM certificate on CloudFront that is not in the /cloudfront directory.

Upvotes: 1

Kalyanaraman Prasad

Reputation: 51

You have to upload with the cloudfront path:

aws iam upload-server-certificate \
  --server-certificate-name CertificateName \
  --certificate-body file://public_key_certificate_file \
  --private-key file://privatekey.pem \
  --certificate-chain file://certificate_chain_file \
  --path /cloudfront/path/

--path Parameter – When you upload the certificate to IAM, the value of the --path parameter (certificate path) must start with /cloudfront/, for example, /cloudfront/production/ or /cloudfront/test/. The path also must end with a /.

Details are here: http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/SecureConnections.html

Upvotes: 2

Matt Houser

Reputation: 36113

Custom certificates uploaded for ELB cannot be used for CloudFront.

So you need to upload the SSL certificate (it can be the same certificate) a second time, but slightly differently.

aws iam upload-server-certificate \
  --server-certificate-name CertificateName \
  --certificate-body file://public_key_certificate_file \
  --private-key file://privatekey.pem \
  --certificate-chain file://certificate_chain_file \
  --path /cloudfront/DistributionName/

Source: https://aws.amazon.com/premiumsupport/knowledge-center/cloudfront-custom-certificate/

Note the /cloudfront/ at the start of the --path parameter.

So, in the end, you will have two certificates stored, one to be used by ELB, one to be used by CloudFront. But they can come from the same certificate source files.

Upvotes: 2
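The two answers above describe the same procedure: re-upload the certificate under a path that starts with /cloudfront/ and ends with /, then point the distribution at the resulting IAM certificate id. The script below is an added example, not code from any of the answers or from AWS. It wraps the upload with a check of that path rule (so a cert does not silently land under a path CloudFront ignores), reads back the ServerCertificateId that the distribution config needs, lists only the certificates CloudFront can actually see, and prints the ViewerCertificate object to merge into the distribution's DistributionConfig. It assumes the AWS CLI is installed and credentialed; the certificate name, file names, DistributionName path segment and the example certificate id are placeholders.

```shell
#!/bin/sh
# Added example (not from the original answers or from AWS): upload an
# existing certificate to IAM under a /cloudfront/ path, recover the
# ServerCertificateId, and emit the ViewerCertificate fragment for the
# CloudFront distribution config. Assumes a credentialed AWS CLI; all
# names and file paths are placeholders.

# Return 0 when the path satisfies the IAM rule CloudFront relies on:
# it must begin with /cloudfront/ and end with a trailing slash.
check_cloudfront_path() {
    case "$1" in
        /cloudfront/*) ;;      # required prefix present
        *) return 1 ;;
    esac
    case "$1" in
        */) return 0 ;;        # required trailing slash present
        *) return 1 ;;
    esac
}

# Upload the same cert/key/chain files already used for an ELB, but under a
# /cloudfront/ path, and print the ServerCertificateId CloudFront needs.
# Args: name path cert_file key_file chain_file
upload_for_cloudfront() {
    name=$1; cpath=$2; cert=$3; key=$4; chain=$5
    if ! check_cloudfront_path "$cpath"; then
        echo "refusing to upload: path '$cpath' must start with /cloudfront/ and end with /" >&2
        return 1
    fi
    aws iam upload-server-certificate \
        --server-certificate-name "$name" \
        --certificate-body "file://$cert" \
        --private-key "file://$key" \
        --certificate-chain "file://$chain" \
        --path "$cpath" \
        --query 'ServerCertificateMetadata.ServerCertificateId' \
        --output text
}

# Show only what the CloudFront console's drop-down can see: certificates
# stored under the /cloudfront/ path prefix.
list_cloudfront_certs() {
    aws iam list-server-certificates --path-prefix /cloudfront/ \
        --query 'ServerCertificateMetadataList[].[ServerCertificateName,ServerCertificateId,Path,Expiration]' \
        --output table
}

# Print the ViewerCertificate object that references an IAM certificate by
# id. sni-only avoids dedicated-IP pricing; the minimum protocol version is
# pinned so the distribution does not fall back to TLS 1.0/1.1.
viewer_certificate_json() {
    printf '{"ViewerCertificate":{"IAMCertificateId":"%s","SSLSupportMethod":"sni-only","MinimumProtocolVersion":"TLSv1.2_2021","CloudFrontDefaultCertificate":false}}\n' "$1"
}

# Usage:
#   sh cf_cert.sh upload CertificateName /cloudfront/DistributionName/ cert.pem privatekey.pem chain.pem
#   sh cf_cert.sh list
case "${1:-}" in
    upload)
        cert_id=$(upload_for_cloudfront "$2" "$3" "$4" "$5" "$6") || exit 1
        echo "uploaded; ServerCertificateId=$cert_id"
        viewer_certificate_json "$cert_id"
        ;;
    list)
        list_cloudfront_certs
        ;;
esac
```

Because the private key is uploaded a second time, the /cloudfront/ copy is a second key-bearing object in the account: rotate and delete it (aws iam delete-server-certificate) together with the ELB copy, and restrict iam:UploadServerCertificate and iam:GetServerCertificate on the /cloudfront/ path as tightly as on the original.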
