Amazon CloudFront
Developer Guide (API Version 2016-09-29)

Configuring Alternate Domain Names and HTTPS

To use alternate domain names in the URLs for your objects and to use HTTPS between viewers and CloudFront, perform the applicable procedures.

Requesting Permission to Use Three or More SSL/TLS Certificates

If you need permission to permanently associate three or more SSL/TLS certificates with a distribution, perform the following procedure.

To request permission to use three or more certificates with a CloudFront distribution

  1. Go to the Support Center and create a case.

  2. Indicate how many certificates you need permission to use, and describe the circumstances in your request. We'll update your account as soon as possible.

  3. Continue with the next procedure.

Getting an SSL/TLS Certificate

Get an SSL/TLS certificate if you don't already have one. For more information, see the applicable documentation:

  • To use a certificate provided by AWS Certificate Manager (ACM), see AWS Certificate Manager User Guide. Then skip to Updating Your CloudFront Distribution.

  • To get a certificate from a third-party certificate authority, see the documentation provided by the certificate authority. When you have the certificate, continue with the next procedure.

  • To create a self-signed certificate, see the documentation for the application that you're using to create and sign the certificate. Then continue with the next procedure.

Importing an SSL/TLS Certificate

If you got your certificate from a third-party CA, import the certificate into ACM or upload it to the IAM certificate store:


ACM

ACM lets you import certificates by using the ACM console, as well as programmatically. For information about importing a certificate to ACM, see Importing Certificates into AWS Certificate Manager in the AWS Certificate Manager User Guide.

IAM certificate store

Use the following AWS CLI command to upload your SSL/TLS certificate to the IAM certificate store:

aws iam upload-server-certificate --server-certificate-name CertificateName --certificate-body file://public_key_certificate_file --private-key file://privatekey.pem --certificate-chain file://certificate_chain_file --path /cloudfront/path/

Note the following:

  • AWS Account – You must upload the certificate to the IAM certificate store using the same AWS account that you used to create your CloudFront distribution.

  • --path Parameter – When you upload the certificate to IAM, the value of the --path parameter (certificate path) must start with /cloudfront/, for example, /cloudfront/production/ or /cloudfront/test/. The path must end with a /.

  • Existing certificates – You must specify values for the --server-certificate-name and --path parameters that are different from the values that are associated with existing certificates.

  • Using the CloudFront Console – If you plan to use the CloudFront console to create or update your distribution, the value that you specify for the --server-certificate-name parameter in the AWS CLI, for example, myServerCertificate, is the value that will appear in the SSL Certificate list in the CloudFront console.

  • Using the CloudFront API – If you plan to use the CloudFront API to create or update your distribution, make note of the alphanumeric string that the AWS CLI returns, for example, AS1A2M3P4L5E67SIIXR3J. This is the value that you will specify in the IAMCertificateId element. You don't need the IAM ARN, which is also returned by the CLI.

For more information about the AWS CLI, see the AWS Command Line Interface User Guide and the AWS Command Line Interface Reference.
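
The following pre-flight check is an added example, not part of the original guide: it applies the notes above to a proposed certificate name and path before the upload command is run, and picks the ID that the IAMCertificateId element expects. The function names and the sample `list-server-certificates` output are constructed for illustration.

```python
import json

# Constructed sample of `aws iam list-server-certificates` output (made-up values).
EXISTING = json.loads("""
{"ServerCertificateMetadataList": [
  {"ServerCertificateName": "myServerCertificate",
   "Path": "/cloudfront/production/",
   "ServerCertificateId": "EXAMPLEID0000000000001"},
  {"ServerCertificateName": "internal-elb", "Path": "/",
   "ServerCertificateId": "EXAMPLEID0000000000002"}]}
""")

def preflight(name, path, existing):
    """Return the reasons an upload with this name and path would fail the notes above."""
    problems = []
    if not path.startswith("/cloudfront/"):
        problems.append("path must start with /cloudfront/")
    if not path.endswith("/"):
        problems.append("path must end with /")
    for meta in existing.get("ServerCertificateMetadataList", []):
        if meta["ServerCertificateName"] == name:
            problems.append(f"name already used by {meta['ServerCertificateId']}")
        if meta["Path"] == path:
            problems.append(f"path already used by {meta['ServerCertificateName']}")
    return problems

def upload_argv(name, path, cert_file, key_file, chain_file):
    """Build the upload command shown above as an argv list (avoids shell quoting)."""
    return ["aws", "iam", "upload-server-certificate",
            "--server-certificate-name", name,
            "--certificate-body", f"file://{cert_file}",
            "--private-key", f"file://{key_file}",
            "--certificate-chain", f"file://{chain_file}",
            "--path", path]

def iam_certificate_id(upload_response):
    """Return the ID used in the IAMCertificateId element (not the ARN)."""
    return upload_response["ServerCertificateMetadata"]["ServerCertificateId"]
```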

Updating Your CloudFront Distribution

To update settings for your distribution, perform the following procedure:

To configure your CloudFront distribution for alternate domain names

  1. Sign in to the AWS Management Console and open the CloudFront console at

  2. Choose the ID for the distribution that you want to update.

  3. On the General tab, choose Edit.

  4. Update the following values:

    Alternate Domain Names (CNAMEs)

    Add the applicable alternate domain names. Separate domain names with commas, or type each domain name on a new line.

    SSL Certificate (Web Distributions Only)

    Choose Custom SSL Certificate, and choose a certificate from the list.

    If you uploaded a certificate to the IAM certificate store but it doesn't appear in the list, review the procedure Importing an SSL/TLS Certificate to confirm that you correctly uploaded the certificate.


    After you associate your SSL/TLS certificate with your CloudFront distribution, do not delete the certificate from ACM or the IAM certificate store until you remove the certificate from all distributions and until the status of the distributions has changed to Deployed.

    Clients Supported (Web Distributions Only)

    Choose the applicable option:

    • All Clients: CloudFront serves your HTTPS content using dedicated IP addresses. If you select this option, you incur additional charges when you associate your SSL/TLS certificate with a distribution that is enabled. For more information, see Amazon CloudFront Pricing.

    • Only Clients that Support Server Name Indication (SNI): Older browsers or other clients that don't support SNI must use another method to access your content.

    For more information, see Choosing How CloudFront Serves HTTPS Requests.

  5. Choose Yes, Edit.

  6. Configure CloudFront to require HTTPS between viewers and CloudFront:

    1. On the Behaviors tab, choose the cache behavior that you want to update, and choose Edit.

    2. Specify one of the following values for Viewer Protocol Policy:

      Redirect HTTP to HTTPS

      Viewers can use both protocols, but HTTP requests are automatically redirected to HTTPS requests. CloudFront returns HTTP status code 301 (Moved Permanently) along with the new HTTPS URL. The viewer then resubmits the request to CloudFront using the HTTPS URL.


      CloudFront doesn't redirect DELETE, OPTIONS, PATCH, POST, or PUT requests from HTTP to HTTPS. If you configure a cache behavior to redirect to HTTPS, CloudFront responds to HTTP DELETE, OPTIONS, PATCH, POST, or PUT requests for that cache behavior with HTTP status code 403 (Forbidden).

      When a viewer makes an HTTP request that is redirected to an HTTPS request, CloudFront charges for both requests. For the HTTP request, the charge is only for the request and for the headers that CloudFront returns to the viewer. For the HTTPS request, the charge is for the request, and for the headers and the object returned by your origin.

      HTTPS Only

      Viewers can access your content only if they're using HTTPS. If a viewer sends an HTTP request instead of an HTTPS request, CloudFront returns HTTP status code 403 (Forbidden) and does not return the object.

    3. Choose Yes, Edit.

    4. Repeat substeps 1 through 3 for each additional cache behavior for which you want to require HTTPS between viewers and CloudFront.

  7. Confirm the following before you use the updated configuration in a production environment:

    • The path pattern in each cache behavior applies only to the requests that you want viewers to use HTTPS for.

    • The cache behaviors are listed in the order that you want CloudFront to evaluate them in. For more information, see Path Pattern.

    • The cache behaviors are routing requests to the correct origins.
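
As an added example (not part of the original guide), the script below audits a distribution configuration for the settings covered in this procedure: it walks the cache behaviors in evaluation order, models the status code CloudFront returns for a plain-HTTP request under each Viewer Protocol Policy, and flags behaviors that still serve HTTP. It assumes the JSON shape returned by `aws cloudfront get-distribution-config`, where the policy values are `allow-all`, `redirect-to-https` and `https-only`; the sample configuration is constructed.

```python
import json

# Constructed sample in the shape of the DistributionConfig returned by
# `aws cloudfront get-distribution-config`; all values are made up.
CONFIG = json.loads("""
{"Aliases": {"Quantity": 1, "Items": ["www.example.com"]},
 "ViewerCertificate": {"IAMCertificateId": "EXAMPLEID0000000000001",
                       "SSLSupportMethod": "vip"},
 "CacheBehaviors": {"Quantity": 2, "Items": [
   {"PathPattern": "api/*", "ViewerProtocolPolicy": "redirect-to-https"},
   {"PathPattern": "images/*", "ViewerProtocolPolicy": "allow-all"}]},
 "DefaultCacheBehavior": {"ViewerProtocolPolicy": "https-only"}}
""")

# Methods that are answered with 403 instead of being redirected.
NOT_REDIRECTED = {"DELETE", "OPTIONS", "PATCH", "POST", "PUT"}

def http_status(policy, method):
    """Status returned for a plain-HTTP request, or None if the request is served."""
    if policy == "https-only":
        return 403
    if policy == "redirect-to-https":
        return 403 if method.upper() in NOT_REDIRECTED else 301
    return None  # allow-all: the HTTP request is served without TLS

def behaviors(config):
    """Yield (path_pattern, policy) in evaluation order; the default behavior is last."""
    for b in config.get("CacheBehaviors", {}).get("Items") or []:
        yield b["PathPattern"], b["ViewerProtocolPolicy"]
    yield "*", config["DefaultCacheBehavior"]["ViewerProtocolPolicy"]

def audit(config):
    """Return findings for settings that leave viewer traffic unencrypted or costly."""
    findings = []
    for pattern, policy in behaviors(config):
        if http_status(policy, "GET") is None:
            findings.append(f"{pattern}: HTTP still served (policy {policy})")
        elif policy == "redirect-to-https":
            findings.append(f"{pattern}: HTTP POST/PUT/PATCH/DELETE/OPTIONS get 403, not a redirect")
    cert = config.get("ViewerCertificate", {})
    if config.get("Aliases", {}).get("Items") and cert.get("CloudFrontDefaultCertificate"):
        findings.append("alternate domain names set but no custom certificate")
    if cert.get("SSLSupportMethod") == "vip":
        findings.append("All Clients (dedicated IP) selected: extra charges apply")
    return findings
```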