Using SSL/TLS certificates - AWS Amplify Hosting

Using SSL/TLS certificates

An SSL/TLS certificate is a digital document that allows web browsers to identify and establish encrypted network connections to websites using the SSL/TLS protocol. When you set up your custom domain, you can use the default managed certificate that Amplify provisions for you, or you can use your own custom certificate.

With a managed certificate, Amplify issues an SSL/TLS certificate for all domains connected to your app so that all traffic is secured through HTTPS/2. The default certificate generated by AWS Certificate Manager (ACM) is valid for 13 months and renews automatically as long as your app is hosted with Amplify.

Warning

Amplify can't renew the certificate if the CNAME verification record has been modified or deleted in the DNS settings with your domain provider. You must delete and add the domain again in the Amplify console.

To use a custom certificate, you must first obtain a certificate from the third-party certificate authority of your choice. Amplify Hosting supports two types of certificates: RSA (Rivest-Shamir-Adleman) and ECDSA (Elliptic Curve Digital Signature Algorithm). Each certificate type must conform to the following requirements.

RSA certificates

  • Amplify Hosting supports 1024-bit, 2048-bit, 3072-bit, and 4096-bit RSA keys.

  • AWS Certificate Manager (ACM) issues RSA certificates with up to 2048-bit keys.

  • To use a 3072-bit or 4096-bit RSA certificate, obtain the certificate externally and import it into ACM. It will then be available for use with Amplify Hosting.

ECDSA certificates

  • Amplify Hosting supports 256-bit keys.

  • Use the prime256v1 elliptic curve to obtain an ECDSA certificate for Amplify Hosting.
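The key requirements above are easy to verify before you go through the import workflow. The following script is an added example and is not part of the Amplify documentation or the Amplify tooling; it assumes OpenSSL 1.1.1 or later is on PATH and reads a PEM certificate to report whether its public key is one of the RSA sizes or the ECDSA curve Amplify Hosting accepts. The function names (cert_key_spec, amplify_key_ok) are this example's own.

```shell
#!/bin/sh
# Added example (not from the Amplify docs): check a certificate's public key
# against the key types Amplify Hosting accepts. Assumes OpenSSL 1.1.1+.

# Print "rsa:<bits>" or "ec:<curve>" for the public key in a PEM certificate.
# Returns 2 if the file cannot be parsed, 1 if the key type is neither.
cert_key_spec() {
    text=$(openssl x509 -in "$1" -noout -text) || return 2
    case "$text" in
        *"Public Key Algorithm: rsaEncryption"*)
            # OpenSSL 1.1.1 prints "RSA Public-Key: (2048 bit)", 3.x prints "Public-Key: (2048 bit)"
            bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
            echo "rsa:$bits" ;;
        *"Public Key Algorithm: id-ecPublicKey"*)
            # The named curve appears as "ASN1 OID: prime256v1"
            curve=$(printf '%s\n' "$text" | sed -n 's/.*ASN1 OID: *\([A-Za-z0-9]*\).*/\1/p')
            echo "ec:$curve" ;;
        *)
            echo "unknown"; return 1 ;;
    esac
}

# Return 0 if a key spec is one Amplify Hosting supports, 1 otherwise.
# RSA 3072/4096 cannot be issued by ACM itself; they must be obtained from an
# external CA and imported into ACM before Amplify can use them.
amplify_key_ok() {
    case "$1" in
        rsa:1024|rsa:2048|rsa:3072|rsa:4096|ec:prime256v1) return 0 ;;
        *) return 1 ;;
    esac
}

# Usage: sh amplify-key-check.sh path/to/cert.pem
if [ "$#" -eq 1 ]; then
    spec=$(cert_key_spec "$1") || { echo "$1: cannot read certificate"; exit 2; }
    if amplify_key_ok "$spec"; then
        echo "$1: $spec (accepted by Amplify Hosting)"
    else
        echo "$1: $spec (not supported; use RSA 1024/2048/3072/4096 or ECDSA prime256v1)"
        exit 1
    fi
fi
```

Run it against the PEM file you received from your CA before importing; a certificate on an unsupported curve such as secp384r1 will import into ACM without complaint but cannot be attached to an Amplify domain, so catching it here saves a round trip.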

After you obtain a certificate, import it into AWS Certificate Manager. ACM is a service that lets you provision, manage, and deploy public and private SSL/TLS certificates for use with AWS services and your internal connected resources. Make sure you request or import the certificate in the US East (N. Virginia) Region (us-east-1).

Ensure that your custom certificate covers all of the subdomains you plan to add. You can use a wildcard at the beginning of your domain name to cover multiple subdomains. For example, if your domain is example.com, you can include the wildcard domain *.example.com. This will cover subdomains such as product.example.com and api.example.com.

After your custom certificate is available in ACM, you can select it during the domain setup process. For instructions on importing certificates into AWS Certificate Manager, see Importing certificates into AWS Certificate Manager in the AWS Certificate Manager User Guide.

If you renew or reimport your custom certificate in ACM, Amplify refreshes the certificate data associated with your custom domain. In the case of imported certificates, ACM doesn't manage the renewals automatically. You are responsible for renewing your custom certificates and importing them again.
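The three operational points in the preceding paragraphs (the certificate must cover every planned subdomain, it must be imported in us-east-1, and imported certificates are not renewed by ACM) can be folded into one pre-import check. The script below is an added example and is not part of the Amplify documentation or the AWS CLI; it assumes OpenSSL 1.1.1 or later and AWS CLI v2 on PATH with credentials already configured. The function names, the 30-day expiry margin and the hostnames in the usage line are this example's own constructed values; the aws acm import-certificate options it passes are real CLI parameters.

```shell
#!/bin/sh
# Added example (not from the Amplify docs): pre-import checks for a custom
# certificate and an import/re-import helper pinned to us-east-1.
# Assumes OpenSSL 1.1.1+ and AWS CLI v2 with credentials configured.

# Print the DNS names a PEM certificate is valid for, one per line
# (subjectAltName DNS entries, falling back to the subject CN when there are none).
cert_dns_names() {
    sans=$(openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' \
           | tr ',' '\n' | sed -n 's/^[[:space:]]*DNS:\(.*\)$/\1/p')
    if [ -n "$sans" ]; then
        printf '%s\n' "$sans"
    else
        openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
            | sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
    fi
}

# Return 0 if host is covered by name: an exact match, or a leading-label
# wildcard ("*.example.com") that matches exactly one label, so it covers
# api.example.com but neither example.com nor a.b.example.com.
name_covers() {
    name="$1"; host="$2"
    case "$name" in
        "*."*)
            suffix="${name#\*.}"
            [ "${host#*.}" = "$suffix" ] && [ "${host%%.*}" != "$host" ] ;;
        *)
            [ "$name" = "$host" ] ;;
    esac
}

# Return 0 only if every hostname after the cert path is covered; list the gaps.
cert_covers_all() {
    cert="$1"; shift
    names=$(cert_dns_names "$cert")
    rc=0
    set -f   # keep "*.example.com" from being expanded as a filename glob
    for host in "$@"; do
        hit=1
        for n in $names; do
            if name_covers "$n" "$host"; then hit=0; break; fi
        done
        if [ "$hit" -ne 0 ]; then echo "NOT covered: $host"; rc=1; fi
    done
    set +f
    return $rc
}

# Return 0 if the certificate stays valid for at least N days (default 30).
# ACM does not renew imported certificates, so run this on a schedule and
# re-import before it trips.
cert_valid_for_days() {
    days="${2:-30}"
    openssl x509 -in "$1" -noout -checkend $((days * 86400)) >/dev/null
}

# Import into ACM in us-east-1, the Region Amplify requires, and print the ARN.
# Pass the existing ARN as the 4th argument to re-import (renew) in place so
# the Amplify domain keeps pointing at the same certificate.
acm_import() {
    cert="$1"; key="$2"; chain="$3"; arn="$4"
    set -- --region us-east-1 --certificate "fileb://$cert" --private-key "fileb://$key"
    [ -n "$chain" ] && set -- "$@" --certificate-chain "fileb://$chain"
    [ -n "$arn" ] && set -- "$@" --certificate-arn "$arn"
    aws acm import-certificate "$@" --query CertificateArn --output text
}

# Usage: sh amplify-cert-preflight.sh cert.pem example.com api.example.com product.example.com
# then, once the checks pass: acm_import cert.pem key.pem chain.pem [existing-arn]
if [ "$#" -ge 2 ]; then
    cert="$1"; shift
    cert_valid_for_days "$cert" 30 || { echo "$cert expires within 30 days; renew before importing"; exit 1; }
    cert_covers_all "$cert" "$@" || exit 1
    echo "$cert covers: $*"
fi
```

The wildcard matcher deliberately refuses to let *.example.com stand in for the apex example.com or for a second-level name such as deep.api.example.com; list both the apex and the wildcard in the certificate request if you intend to serve the bare domain, and request a separate wildcard for each deeper level.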

You can change the certificate in use for a domain at any time. For example, you can switch from the default managed certificate to a custom certificate or change from a custom certificate to a managed certificate. In addition, you can change the custom certificate in use to a different custom certificate. For instructions on updating certificates, see Update the SSL/TLS certificate for a domain.