If you want to use your own domain name (an alternate domain name) in the URLs for your files and you want your viewers to use HTTPS, you must complete the additional steps described in this topic.
In particular, you must choose one of the following options for how CloudFront serves HTTPS requests for your alternate domain names:
Server Name Indication (SNI) is an extension to the TLS protocol (RFC 6066) that is supported by browsers and clients released after 2010. If you configure CloudFront to serve HTTPS requests using SNI, CloudFront associates your alternate domain name with an IP address at each edge location that is shared with other distributions; the IP address is not dedicated to your distribution. When a viewer submits an HTTPS request for your content, DNS routes the request to the shared IP address of the appropriate edge location. The viewer then sends the host name it wants in the server_name extension of the TLS ClientHello, and CloudFront uses that name to select the certificate for your distribution before the handshake continues. Two consequences matter in practice: a client that does not send SNI cannot be matched to your distribution, so the handshake does not present your certificate; and because the ClientHello is sent before any encryption is negotiated, the host name is visible to anyone on the network path.
The requirements for SSL/TLS certificates are described in this topic. They apply, except as noted, both to the certificate that CloudFront presents to viewers and to the certificate that your origin presents to CloudFront.
The certificate issuer you must use depends on whether you want to require HTTPS between viewers and CloudFront or between CloudFront and your origin:
Between viewers and CloudFront: you can use a certificate issued by a trusted third-party certificate authority (CA), such as Comodo or DigiCert, or a certificate provided by AWS Certificate Manager (ACM).
Between CloudFront and your origin: if the origin is not an ELB load balancer (for example, an Amazon EC2 instance), the certificate must be issued by a trusted CA such as Comodo or DigiCert. CloudFront validates the origin's certificate chain and checks that the certificate matches the origin domain name, so a self-signed certificate is rejected. If your origin is an ELB load balancer, you can also use a certificate provided by ACM.
If you want to require HTTPS between viewers and CloudFront, the certificate must be requested or imported in the US East (N. Virginia) region (us-east-1): change the AWS region in the AWS Certificate Manager console before you request or import it. ACM certificates in any other region are not available to CloudFront.
If you want to require HTTPS between CloudFront and your origin, and you’re using an ELB load balancer as your origin, you can request or import the certificate in any region; it must be in the same region as the load balancer that uses it.
The certificate must be in X.509 PEM format. This is the default format if you’re using AWS Certificate Manager.
CloudFront supports only RSA public/private key pairs.
Related topics:
Limits on using alternate domain names with HTTPS: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/cnames-and-https-limits.html
Procedures for using alternate domain names with HTTPS: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/cnames-and-https-procedures.html
To use alternate domain names in the URLs for your files and to use HTTPS between viewers and CloudFront, perform the applicable procedures.
Get an SSL/TLS certificate if you don’t already have one. For the certificate that CloudFront presents to viewers, request or import it in the US East (N. Virginia) region.
To use a certificate provided by AWS Certificate Manager (ACM), see the AWS Certificate Manager User Guide. We recommend that you use ACM to provision, manage, and deploy SSL/TLS certificates on AWS managed resources; certificates that ACM issues are also renewed automatically.
To update settings for your distribution, perform the following procedure:
Configure CloudFront to require HTTPS between viewers and CloudFront:
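The settings this procedure leads to can be checked before you save the distribution and again afterwards. The following is an added example, not AWS code: it encodes the requirements from this topic (a viewer-facing ACM certificate in us-east-1, a custom certificate covering the alternate domain names, an SSL support method, a minimum TLS version that excludes TLS 1.0/1.1, and a viewer protocol policy that requires HTTPS) as a check over a CloudFront DistributionConfig. The account ID, certificate ID and domain names are constructed placeholders; the live lookup assumes boto3 and AWS credentials and runs only when a distribution ID is passed on the command line.

```python
"""Added example (not AWS code): check the viewer-side HTTPS settings of a
CloudFront DistributionConfig against the requirements in this topic.

Run with no arguments to check the constructed sample; pass a distribution ID
to fetch the real config with boto3 (assumes boto3 and AWS credentials).
"""
import re
import sys

# Viewer-facing ACM certificates must live in US East (N. Virginia).
ACM_US_EAST_1 = re.compile(r"^arn:aws:acm:us-east-1:\d{12}:certificate/[0-9a-f-]+$")
# MinimumProtocolVersion values that still admit TLS 1.0 or 1.1 handshakes.
LEGACY_TLS = {"SSLv3", "TLSv1", "TLSv1_2016", "TLSv1.1_2016"}

# Constructed subset of a DistributionConfig (only the keys the check reads).
SAMPLE_CONFIG = {
    "Aliases": {"Quantity": 1, "Items": ["www.example.com"]},
    "ViewerCertificate": {
        "ACMCertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/"
                             "11111111-2222-3333-4444-555555555555",
        "SSLSupportMethod": "sni-only",
        "MinimumProtocolVersion": "TLSv1.2_2021",
        "CloudFrontDefaultCertificate": False,
    },
    "DefaultCacheBehavior": {"ViewerProtocolPolicy": "redirect-to-https"},
}

# Same distribution with three mistakes: wrong ACM region, TLS 1.0 allowed, HTTP allowed.
WEAK_CONFIG = {
    "Aliases": {"Quantity": 1, "Items": ["www.example.com"]},
    "ViewerCertificate": {
        "ACMCertificateArn": "arn:aws:acm:eu-west-1:123456789012:certificate/"
                             "11111111-2222-3333-4444-555555555555",
        "SSLSupportMethod": "sni-only",
        "MinimumProtocolVersion": "TLSv1",
        "CloudFrontDefaultCertificate": False,
    },
    "DefaultCacheBehavior": {"ViewerProtocolPolicy": "allow-all"},
}


def check_viewer_https(config):
    """Return a list of findings; an empty list means the settings meet the requirements."""
    findings = []
    aliases = config.get("Aliases", {}).get("Items") or []
    vc = config.get("ViewerCertificate", {})
    arn = vc.get("ACMCertificateArn")
    custom_cert = arn is not None or vc.get("IAMCertificateId") is not None
    policy = config.get("DefaultCacheBehavior", {}).get("ViewerProtocolPolicy", "allow-all")

    if not aliases:
        findings.append("no alternate domain names: viewers can only use the *.cloudfront.net name")
    elif vc.get("CloudFrontDefaultCertificate") or not custom_cert:
        findings.append("alternate domain names are set but no custom certificate covers them")
    if arn is not None and not ACM_US_EAST_1.match(arn):
        findings.append("viewer-facing ACM certificate must be in us-east-1, got " + arn)
    if custom_cert and vc.get("SSLSupportMethod") is None:
        findings.append("SSLSupportMethod is required with a custom certificate (sni-only for SNI viewers)")
    if vc.get("MinimumProtocolVersion") in LEGACY_TLS:
        findings.append("MinimumProtocolVersion %s still allows TLS 1.0/1.1" % vc["MinimumProtocolVersion"])
    if policy == "allow-all":
        findings.append("ViewerProtocolPolicy allow-all does not require HTTPS; use redirect-to-https or https-only")
    return findings


def main(argv):
    if len(argv) > 1:
        import boto3   # assumption: boto3 installed and AWS credentials configured
        resp = boto3.client("cloudfront").get_distribution_config(Id=argv[1])
        config = resp["DistributionConfig"]
    else:
        config = SAMPLE_CONFIG
    findings = check_viewer_https(config)
    for finding in findings:
        print("FINDING:", finding)
    print("OK" if not findings else "%d finding(s)" % len(findings))
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

After the distribution is deployed, confirm from outside AWS that the right certificate is served for the alternate domain name, for example with openssl s_client -servername www.example.com -connect www.example.com:443, and that the same connection without the -servername option does not present it; that second result is the SNI behaviour described above, not a misconfiguration.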