Amazon CloudFront
Developer Guide (API Version 2016-09-29)

Requirements for Using SSL/TLS Certificates with CloudFront

The following requirements for SSL/TLS certificates apply both to the certificates for using HTTPS between viewers and CloudFront and for using HTTPS between CloudFront and your origin, except as noted.

Certificate Issuer

Requirements for the certificate issuer depend on whether you want to require HTTPS between viewers and CloudFront or between CloudFront and your origin:

  • HTTPS between viewers and CloudFront – You can use a certificate that was issued by a trusted certificate authority (CA) such as Comodo, DigiCert, or Symantec; you can use a certificate provided by AWS Certificate Manager (ACM); or you can use a self-signed certificate.

  • HTTPS between CloudFront and a custom origin – If the origin is not an ELB load balancer, the certificate must be issued by a trusted CA such as Comodo, DigiCert, or Symantec. If your origin is an ELB load balancer, you can also use a certificate provided by ACM.


    When CloudFront uses HTTPS to communicate with your origin, CloudFront verifies that the certificate was issued by a trusted CA. CloudFront supports the same certificate authorities as Mozilla; for the current list, see Mozilla Included CA Certificate List. You cannot use a self-signed certificate for HTTPS communication between CloudFront and your origin.

    For more information about getting and installing an SSL/TLS certificate, refer to the documentation for your HTTP server software and to the documentation for the certificate authority. For information about ACM, see the AWS Certificate Manager User Guide.

AWS Certificate Manager: AWS Region that You Request a Certificate In

If you want to require HTTPS between viewers and CloudFront, you must change the AWS region to US East (N. Virginia) before you request or import a certificate.

If you want to require HTTPS between CloudFront and your origin, and you're using an ELB load balancer as your origin, you can request or import a certificate in any region.

Certificate Format

The certificate must be in X.509 PEM format. This is the default format if you're using ACM.

Intermediate Certificates

If you're using a third-party CA, in the .pem file, list all of the intermediate certificates in the certificate chain, beginning with one for the CA that signed the certificate for your domain. Typically, you'll find a file on your CA's website that lists intermediate and root certificates in the proper chained order.


Do not include the root certificate, intermediate certificates that are not in the trust path, or your CA's public key certificate.

Here's an example:

-----BEGIN CERTIFICATE----- Intermediate certificate 2 -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- Intermediate certificate 1 -----END CERTIFICATE-----
Key Type

CloudFront supports only RSA public/private key pairs.

Private Key

If you're using a certificate from a third-party CA, note the following:

  • The private key must match the public key that is in the certificate.

  • The private key also must be an RSA private key in PEM format, where the PEM header is BEGIN RSA PRIVATE KEY and the footer is END RSA PRIVATE KEY.

  • The private key cannot be encrypted with a password.

If ACM provided the certificate, ACM doesn't release the private key. The private key is stored in ACM for use by AWS services that are integrated with ACM.


You must have permission to use and import the SSL/TLS certificate, including permission from the CA that issued the certificate to import it to a content delivery network (CDN).

If you're using ACM, we recommend that you use IAM permissions to restrict access to the certificates. For more information, see Permissions and Policies in the AWS Certificate Manager User Guide.

Size of the Public Key

If you're importing a certificate into ACM, the length of the public key must be 1024 or 2048 bits.

If you're uploading a certificate to the IAM certificate store, the maximum size of the public key is 2048 bits.

For information about the public keys for certificates provided by ACM, see ACM Certificate Characteristics in the AWS Certificate Manager User Guide.

For information about how to determine the size of the public key, see Determining the Size of the Public Key in an SSL/TLS Certificate.

Supported Types of Certificates

CloudFront supports all types of certificates including domain-validated certificates, extended validation (EV) certificates, high-assurance certificates, wildcard certificates (*, subject alternative name (SAN) certificates ( and, and so on.

Certificate Expiration Date and Renewal

If you're using certificates that you get from a third-party CA, you're responsible for monitoring certificate expiration dates and for renewing SSL/TLS certificates that you import into ACM or upload to the IAM certificate store.

If you're using ACM-provided certificates, ACM manages certificate renewals for you. For more information, see Managed Renewal in the AWS Certificate Manager User Guide.

Domain Names in the CloudFront Distribution and in the Certificate

When you're using a custom origin, the SSL/TLS certificate on your origin includes a domain name in the Common Name field and possibly several more in the Subject Alternative Names field. (CloudFront supports wildcard characters in certificate domain names.) One of the domain names in the certificate must match the domain name that you specify for Origin Domain Name. If the domain names don't match, CloudFront returns HTTP status code 502 (Bad Gateway) to the viewer.

Minimum SSL Protocol Version

If you're using dedicated IP addresses, you can choose the minimum SSL protocol version for the connection between viewers and CloudFront: SSLv3 or TLSv1. For more information, see Minimum SSL Protocol Version in the topic Values that You Specify When You Create or Update a Web Distribution.

Supported HTTP Versions

If you associate the same certificate with more than one CloudFront distribution, all distributions must use the same option for Supported HTTP Versions.