Amazon CloudFront
Developer Guide (API Version 2016-09-29)

Switching from a Custom SSL/TLS Certificate with Dedicated IP Addresses to SNI

If you configured CloudFront to use a custom SSL/TLS certificate with dedicated IP addresses, you can switch to using a custom SSL/TLS certificate with SNI instead and eliminate the charge that is associated with dedicated IP addresses. The following procedure shows you how.


This update to your CloudFront configuration has no effect on viewers that support SNI; they can access your content before and after the change, as well as while the change is propagating to CloudFront edge locations. Viewers that don't support SNI cannot access your content after the change. For more information, see Choosing How CloudFront Serves HTTPS Requests.

To switch from a custom SSL/TLS certificate with dedicated IP addresses to SNI

  1. Sign in to the AWS Management Console and open the CloudFront console at

  2. Choose the ID of the distribution that you want to view or update.

  3. Choose Distribution Settings.

  4. On the General tab, choose Edit.

  5. Change the setting of Custom SSL Client Support to Only Clients that Support Server Name Indication (SNI).

  6. Choose Yes, Edit.