Rotating SSL/TLS Certificates
If you're using certificates provided by AWS Certificate Manager, you don't need to rotate SSL/TLS certificates. ACM manages certificate renewals for you. For more information, see Managed Renewal in the AWS Certificate Manager User Guide.
ACM does not manage certificate renewals for certificates that you acquire from third-party certificate authorities and import into ACM.
If you're using a third-party certificate authority and you imported certificates into ACM or uploaded them to the IAM certificate store, you'll occasionally need to replace one certificate with another because, for example, the expiration date is approaching.
If you configured CloudFront to serve HTTPS requests by using dedicated IP addresses, you might incur an additional, pro-rated charge for using one or more additional certificates while you're rotating certificates. We recommend that you update your distributions promptly to minimize the additional charge.
To rotate certificates, perform the following procedure. Viewers can continue to access your content while you rotate certificates as well as after the process is complete.
To rotate SSL/TLS certificates
1. See Increasing the Limit for SSL/TLS Certificates to determine whether you need permission to use more SSL certificates. If so, request permission and wait until permission is granted before you continue with step 2.
2. Import the new certificate into ACM or upload it to IAM. For more information, see Importing an SSL/TLS Certificate in the Amazon CloudFront Developer Guide.
3. Update your distributions one at a time to use the new certificate. For more information, see Listing, Viewing, and Updating CloudFront Distributions in the Amazon CloudFront Developer Guide.
4. (Optional) After you have updated all of your CloudFront distributions, you can delete the old certificate from ACM or from IAM.
Do not delete an SSL/TLS certificate until you remove it from all distributions and until the status of the distributions that you have updated has changed to
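The following pre-deletion check for the optional last step is an added example, not code from the AWS documentation. It assumes distribution records in the shape returned by the CloudFront ListDistributions API and compares against that API's `Deployed` status value; the function names, ARNs and distribution IDs are constructed for illustration.

```python
# Added example: decide whether the old certificate can be deleted yet.
# Input items follow the DistributionSummary shape of the CloudFront
# ListDistributions API (Id, Status, ViewerCertificate).

def cert_ids(dist):
    """Return the ACM ARN and/or IAM certificate ID a distribution references."""
    vc = dist.get("ViewerCertificate") or {}
    return {v for v in (vc.get("ACMCertificateArn"), vc.get("IAMCertificateId")) if v}

def deletion_blockers(distributions, old_cert, new_cert):
    """List reasons the old certificate must not be deleted yet (empty = safe)."""
    blockers = []
    for d in distributions:
        ids = cert_ids(d)
        if old_cert in ids:
            blockers.append(f"{d['Id']}: still uses the old certificate")
        # Assumption: "Deployed" is the API status of a fully propagated update.
        elif new_cert in ids and d.get("Status") != "Deployed":
            blockers.append(f"{d['Id']}: update not finished (status {d.get('Status')})")
    return blockers

def fetch_distributions():
    """Read all distribution summaries with boto3 (needs AWS credentials)."""
    import boto3  # imported here so the check above runs offline
    pages = boto3.client("cloudfront").get_paginator("list_distributions").paginate()
    return [d for p in pages for d in p["DistributionList"].get("Items", [])]

# Constructed sample data; the ARNs and IDs are placeholders, not real resources.
OLD = "arn:aws:acm:us-east-1:111122223333:certificate/old-example"
NEW = "arn:aws:acm:us-east-1:111122223333:certificate/new-example"
SAMPLE = [
    {"Id": "EDIST1", "Status": "Deployed", "ViewerCertificate": {"ACMCertificateArn": NEW}},
    {"Id": "EDIST2", "Status": "InProgress", "ViewerCertificate": {"ACMCertificateArn": NEW}},
    {"Id": "EDIST3", "Status": "Deployed", "ViewerCertificate": {"ACMCertificateArn": OLD}},
    {"Id": "EDIST4", "Status": "Deployed", "ViewerCertificate": {"CloudFrontDefaultCertificate": True}},
]

if __name__ == "__main__":
    for reason in deletion_blockers(SAMPLE, OLD, NEW):
        print("BLOCKED:", reason)
```

Against a live account, pass `fetch_distributions()` instead of `SAMPLE` and delete the old certificate only when the returned list is empty.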