AWS: Custom SSL certificate option is disabled in CloudFront, but I created a SSL certificate using AWS Certificate Manager

前端 未结 3 344
我在风中等你
我在风中等你 2021-01-11 09:09

I am creating a SSL certificate for my amazon S3 static website. I created a SSL certificate using Certificate Manager for my domain and its status is \'Issued\'. I am creat

相关标签:
3条回答
  • 2021-01-11 09:55

    I was getting this exact behavior but with the certificated correctly imported at us-east-1 and figured out that the problem was the key size of my certificate (4096 bits).

    AWS CloudFront only accept keys up to 2048 bits, as stated here: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/cnames-and-https-requirements.html#https-requirements-size-of-public-key

    Size of the Public Key

    The length of the public key for a certificate depends on where you're storing it.

    Importing a certificate into AWS Certificate Manager (ACM): public key length must be 1024 or 2048 bits. The limit for a certificate that you use with CloudFront is 2048 bits, even though ACM supports larger keys.

    Uploading a certificate to the AWS Identity and Access Management (IAM) certificate store: maximum size of the public key is 2048 bits.

    We recommend using 2048 bits.

    0 讨论(0)
  • 2021-01-11 10:03

    Certificates that will be used with an Application Load Balancer (ELB/2.0) need to be created in ACM in the same region as the balancer.

    Certificates that will be used with CloudFront always need to be created in us-east-1.

    To use an ACM Certificate with Amazon CloudFront, you must request or import the certificate in the US East (N. Virginia) region. ACM Certificates in this region that are associated with a CloudFront distribution are distributed to all the geographic locations configured for that distribution.

    – http://docs.aws.amazon.com/acm/latest/userguide/acm-regions.html

    The reason for this is that CloudFront doesn't follow the regional boundary model in AWS. CloudFront edge locations are all over the globe, but are configured and managed out of us-east-1 -- think of it as CloudFront's home region. Once a distribution reaches the Deployed state, it is not operationally dependent on us-east-1, but during provisioning, everything originates from that region, so that's the only ACM region that CloudFront can access.

    0 讨论(0)
  • 2021-01-11 10:08

    When replacing a cert, make sure you clear out the name of the existing cert in the 'Custom SSL Certificate (example.com)' text box. If you leave it uncleared, other certs are not selectable.

    0 讨论(0)
提交回复
热议问题