How to Install and Bind a Server Certificate on AWS CloudFront?
Overview:
This guide provides the step-by-step process for installing or importing an SSL/TLS server certificate into AWS Certificate Manager (ACM) and binding it to an Amazon CloudFront distribution. This ensures that your CloudFront‑served website is accessible securely over HTTPS.
Prerequisites
Before you begin, ensure you have the following:
- Access to the AWS Management Console with permissions to manage ACM and CloudFront
- A valid SSL/TLS certificate (imported or requested via ACM)
- Domain ownership verification completed (if using ACM-issued certificates)
- Custom domain names (CNAMEs) added/planned for the CloudFront distribution
Procedure
To install and bind a server certificate on AWS CloudFront via ACM, you must first ensure the certificate is in the US East (N. Virginia) region (us-east-1), as CloudFront can only access certificates from this specific region. Once the certificate is issued, you can configure your CloudFront distribution to use it.
Step 1: Request or Import a Certificate in AWS ACM
You need a valid SSL/TLS certificate for your domain(s).
- Sign in to the AWS Management Console.
- Switch your region to US East (N. Virginia) in the top right corner of the console.
- Navigate to AWS Certificate Manager (ACM).
- Import a third-party certificate.
- For an imported certificate, you will provide the certificate body, private key, and certificate chain.
- Ensure the certificate status changes to "Issued" before proceeding.
Step 2: Bind the Certificate to Your CloudFront Distribution
Once the certificate is successfully issued or imported in us-east-1, you can associate it with your CloudFront distribution.
- Navigate to the Amazon CloudFront console in the same US East (N. Virginia) region.
- Select the Distribution ID you wish to update.
- Go to the General tab and choose Edit.
- Scroll down to the Alternate Domain Names (CNAMEs) section and ensure your custom domain names are listed.
- In the Custom SSL Certificate (or Viewer Certificate) section, select the newly issued or imported ACM certificate from the dropdown menu.
  Note: The certificate will only appear in the dropdown if it is in the us-east-1 region and has the correct domain names listed in its Subject Alternative Names (SANs).
- Choose your desired security policy (e.g., TLSv1.2_2021).
- Choose Save changes.
The changes will take some time to propagate across the CloudFront edge locations. The distribution status will change to InProgress during this time. Once deployed, your website will be accessible via HTTPS using the new certificate.
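A pre-flight check for the two conditions in the Step 2 note (certificate in us-east-1, every alternate domain name covered by a SAN), as an added example that is not part of the original guide. The function names, the ARN and the domain names are constructed for illustration; the SAN list is assumed to be copied from the certificate's details.

```python
"""Pre-flight check before selecting an ACM certificate for CloudFront (added example)."""

REQUIRED_REGION = "us-east-1"  # region the guide says CloudFront reads certificates from


def acm_region(cert_arn):
    """Return the region field of an ACM certificate ARN."""
    parts = cert_arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn" or parts[2] != "acm":
        raise ValueError(f"not an ACM certificate ARN: {cert_arn!r}")
    return parts[3]


def san_covers(san, hostname):
    """True if one SAN entry covers hostname.

    A leading '*.' matches exactly one leftmost label, so '*.example.com'
    covers 'www.example.com' but not 'example.com' or 'a.b.example.com'.
    """
    san, hostname = san.lower().rstrip("."), hostname.lower().rstrip(".")
    if san.startswith("*."):
        head, _, rest = hostname.partition(".")
        return bool(head) and rest == san[2:]
    return san == hostname


def preflight(cert_arn, sans, cnames):
    """Return a list of problems; an empty list means both conditions hold."""
    problems = []
    region = acm_region(cert_arn)
    if region != REQUIRED_REGION:
        problems.append(f"certificate is in {region}, not {REQUIRED_REGION}")
    for name in cnames:
        if not any(san_covers(s, name) for s in sans):
            problems.append(f"{name} is not covered by any SAN")
    return problems


if __name__ == "__main__":
    # Constructed sample values, not taken from a real account.
    arn = "arn:aws:acm:eu-west-1:111122223333:certificate/EXAMPLE-ID"
    for problem in preflight(arn, ["*.example.com"], ["www.example.com", "example.com"]):
        print("FAIL:", problem)
```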