Amazon CloudFront
Developer Guide (API Version 2016-09-29)

Rotating SSL/TLS Certificates

If you're using certificates provided by AWS Certificate Manager, you don't need to rotate SSL/TLS certificates. ACM manages certificate renewals for you. For more information, see Managed Renewal in the AWS Certificate Manager User Guide.


ACM does not manage certificate renewals for certificates that you acquire from third-party certificate authorities and import into ACM.

If you're using a third-party certificate authority and you imported certificates into ACM or uploaded them to the IAM certificate store, you'll occasionally need to replace one certificate with another because, for example, the expiration date is approaching. The process depends on whether you have associated your SSL/TLS certificate with one or more CloudFront distributions under the same AWS account:

  • SSL/TLS certificate associated with one distribution: You can just update your distribution and replace the old certificate with the new one. For more information, see Listing, Viewing, and Updating CloudFront Distributions.

  • SSL/TLS certificate associated with two or more distributions under the same AWS account: By default, you can associate only two SSL/TLS certificates with the CloudFront distributions under one AWS account. Typically, you'll use the second certificate only when you have more than one distribution and you need to rotate certificates. One certificate is associated with distributions that you haven't updated yet, and the other certificate is associated with distributions that you have updated.


    While you're rotating certificates, you might incur an additional, pro-rated charge for using the second certificate. We recommend that you update your distributions promptly to minimize the additional charge.

Viewers can continue to access your content while you rotate certificates as well as after the process is complete.

To rotate SSL/TLS certificates for two or more CloudFront distributions

  1. If you configured CloudFront to use dedicated IP addresses to serve HTTPS requests and you have already associated the maximum number of SSL/TLS certificates permitted by AWS for your account, request permission to associate an additional certificate. Go to the Support Center and create a case. Indicate how many certificates you need permission to use, and explain that you're rotating certificates. We'll update your account as soon as possible.

  2. Import the new certificate into ACM or upload it to the IAM certificate store. For more information, see Importing an SSL/TLS Certificate.

  3. Update your distributions one at a time to use the new certificate.

    If you submitted a request to AWS in step 1, wait until you receive notification that your AWS account has been updated.

    For more information, see Listing, Viewing, and Updating CloudFront Distributions.

  4. (Optional) After you have updated all of your CloudFront distributions, you can delete the old certificate from ACM or from the IAM certificate store.


    Do not delete an SSL/TLS certificate until you remove it from all distributions and until the status of the distributions that you have updated has changed to Deployed.
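The check before step 4 can be scripted. The following is an added example, not code from the CloudFront documentation: it takes a dict shaped like a ListDistributions response and reports which distributions still use the old certificate, which have been updated but are not yet Deployed, and whether the old certificate can be deleted. The function name `rotation_status` and all IDs and ARNs in the sample are constructed for illustration.

```python
def rotation_status(response, old_cert, new_cert):
    """Classify distributions by certificate rotation progress.

    response: dict shaped like a CloudFront ListDistributions result.
    old_cert / new_cert: ACM certificate ARN or IAM certificate ID.
    """
    listing = response["DistributionList"]
    # A partial listing cannot prove that the old certificate is unused.
    if listing.get("IsTruncated"):
        raise ValueError("listing is truncated; fetch every page first")
    pending, deploying, done = [], [], []
    for dist in listing.get("Items") or []:
        cert = dist.get("ViewerCertificate", {})
        in_use = {cert.get("ACMCertificateArn"), cert.get("IAMCertificateId")}
        if old_cert in in_use:
            pending.append(dist["Id"])        # step 3 not done for this one
        elif new_cert in in_use:
            if dist["Status"] == "Deployed":
                done.append(dist["Id"])
            else:
                deploying.append(dist["Id"])  # updated, still propagating
    return {"pending": pending, "deploying": deploying, "done": done,
            "safe_to_delete_old": not pending and not deploying}


# Constructed sample data (not real distributions or certificates).
OLD = "arn:aws:acm:us-east-1:111122223333:certificate/old-example"
NEW = "arn:aws:acm:us-east-1:111122223333:certificate/new-example"
SAMPLE = {"DistributionList": {"IsTruncated": False, "Items": [
    {"Id": "EDIST1EXAMPLE", "Status": "Deployed",
     "ViewerCertificate": {"ACMCertificateArn": NEW}},
    {"Id": "EDIST2EXAMPLE", "Status": "InProgress",
     "ViewerCertificate": {"ACMCertificateArn": NEW}},
    {"Id": "EDIST3EXAMPLE", "Status": "Deployed",
     "ViewerCertificate": {"ACMCertificateArn": OLD}},
    {"Id": "EDIST4EXAMPLE", "Status": "Deployed",
     "ViewerCertificate": {"CloudFrontDefaultCertificate": True}},
]}}

if __name__ == "__main__":
    print(rotation_status(SAMPLE, OLD, NEW))
```

Distributions that use neither certificate, such as one on the default CloudFront certificate, are ignored by the check.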