
AWS: imported SSL certificate not showing up in CloudFront

I had imported an SSL certificate into AWS a long time ago. It is currently installed on the ELB, and it is going to expire in 15 days. I am trying to get AWS to issue a new certificate but it is stuck waiting for validation.


Currently Route53 is pointing to the ELB. If I enter "https://eyecloud.net.au" it works fine.

Now, I tried to create a CloudFront, so that I can redirect HTTP to HTTPS. But the imported SSL certificate does not show up.


I deleted the ELB, and the imported certificate became not in use, but it still doesn't show up on CloudFront.

There is no problem using a certificate with multiple endpoints, whether they're ELBs, ALBs, or CloudFront distributions.

However, if you want to use an ACM cert for CloudFront, the cert must be issued in us-east-1.

Note

To use an ACM Certificate with CloudFront, you must request or import the certificate in the US East (N. Virginia) region.

http://docs.aws.amazon.com/acm/latest/userguide/acm-services.html

I had a case where I already had an SSL certificate selected, and when I clicked on the dropdown it only showed the selected one.

Turns out that Amazon doesn't like UX, because it is not a normal dropdown; it is a "searchable" dropdown. Meaning if you have a certificate selected, it will only show that specific certificate because it is also searching for it in the dropdown.

Clicking on it and deleting the name reveals the rest of the certificates.

See below examples:

UX.

Where are my certificates?


Oh...


I have applied the same certificate to multiple endpoints or on multiple CloudFront distributions.

Also, if you notice, you cannot apply the CNAME to multiple endpoints as well. You can use the CNAME in only one place.

The only issue I have seen is your conversion from custom certificates to an ACM certificate. There could be a bug with that. You might need to file a support ticket to resolve the issue.

Hope it helps.

My problem was that I got a 4096 bit certificate generated, but CloudFront only allows for 2048 bit certificates.

CloudFront [...] with ACM support a maximum of 2048-bit RSA certificates

I created my certificate with ZeroSSL and I didn't manage to create a 2048 bit one. To do that, I installed Ubuntu on my Windows machine (needed to install the Windows Subsystem for Linux in the 'Turn Windows features on or off' section) and used Certbot for Ubuntu with this command to create a 2048 bit certificate while using DNS validation:

certbot -d yourdomain -d www.yourdomain --manual --preferred-challenges dns certonly

The 4096 bit certificate didn't show up, but the new 2048 bit certificate did, after deleting the contents of the drop-down menu, as stated by @Gopgop. You can see what kind of encryption rate your certificate has when importing the certificate into AWS Certificate Manager, on the review and import page, "Public key info". If you create a new certificate with ACM, that one automatically has a 2048 bit encryption and can be used right away in CloudFront.
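The answers above name three reasons a certificate is missing from the CloudFront list: wrong region, an RSA key above 2048 bits, and a request still waiting for validation. The following is an added example, not code from any of the posts, that checks all three against the JSON printed by `aws acm describe-certificate`; the function name, the 2048-bit limit (taken from the quote above) and the sample records are assumptions of this example.

```python
import json

# Constraints as stated on this page (assumptions of this example):
REQUIRED_REGION = "us-east-1"  # region CloudFront reads ACM certificates from
MAX_RSA_BITS = 2048            # limit quoted in the last answer above


def cloudfront_blockers(describe_output):
    """Return the reasons a certificate would not be selectable in CloudFront.

    describe_output is the JSON text printed by `aws acm describe-certificate`.
    """
    cert = json.loads(describe_output)["Certificate"]
    reasons = []

    # ARN layout: arn:aws:acm:<region>:<account>:certificate/<id>
    region = cert["CertificateArn"].split(":")[3]
    if region != REQUIRED_REGION:
        reasons.append(f"certificate is in {region}, not {REQUIRED_REGION}")

    # KeyAlgorithm looks like RSA_2048, RSA_4096 or EC_prime256v1
    family, _, size = cert.get("KeyAlgorithm", "").partition("_")
    if family == "RSA" and size.isdigit() and int(size) > MAX_RSA_BITS:
        reasons.append(f"RSA key is {size} bits, above {MAX_RSA_BITS}")

    # A requested certificate that is still being validated cannot be attached
    status = cert.get("Status")
    if status != "ISSUED":
        reasons.append(f"status is {status}, not ISSUED")
    return reasons


def sample(region, key_algorithm, status, cert_type):
    """Build a constructed describe-certificate record (not real account data)."""
    arn = f"arn:aws:acm:{region}:111122223333:certificate/example-id"
    return json.dumps({"Certificate": {
        "CertificateArn": arn, "Type": cert_type,
        "KeyAlgorithm": key_algorithm, "Status": status}})


if __name__ == "__main__":
    # Constructed cases mirroring the situations described in the thread
    for args in [("ap-southeast-2", "RSA_2048", "ISSUED", "IMPORTED"),
                 ("us-east-1", "RSA_4096", "ISSUED", "IMPORTED"),
                 ("us-east-1", "RSA_2048", "PENDING_VALIDATION", "AMAZON_ISSUED"),
                 ("us-east-1", "RSA_2048", "ISSUED", "AMAZON_ISSUED")]:
        print(args, "->", cloudfront_blockers(sample(*args)) or "selectable")
```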
