Unable to select Custom SSL Certificate (stored in AWS IAM)

Question

I am going to create a new distribution at CloudFront. Already I have uploaded my SSL certificate at AWS IAM using AWS CLI. That certificate appears in the Custom SSL Certificate dropdown on new distribution page but it is DISABLED.

Can someone tell me why is it so ? How to select my custom SSL certificate for this distribution ?

did you upload the cert using root account? – mohamnag Jul 21 '15 at 16:32 — mohamnag, Jul 21 '15 at 16:32

score 134 · Answer 1 · edited Apr 25 '17 at 18:46

134

It took a whole day to AWS to propagate the new certificate to all of its nodes. Next day when I logged in to my AWS console, the certificate appeared in the dropdown and was enabled as well and I could configure distribution successfully.

Also, be sure to select us-east-1 (N. Virginia) when you make the certificate request; it's the only region that supports it at this time (even if your bucket / asset is in another region)

edited Apr 25 '17 at 18:46

iwasrobbed

46,496
21
150
195

answered Feb 26 '15 at 06:20

theGeekster

6,081
12
35
47

3

Been waiting for 3 days now, unfortunately – elsurudo Jun 05 '16 at 21:57
13

Redo the certificate in N. Virginia solved my problem. It's weird certificated actually has different issue status in different regions...lol – Neekey Jul 27 '17 at 09:37
3

When creating a new CloudFront distribution, Amazon specifically states "You can use a certificate stored in AWS Certificate Manager (ACM) in the US East (N. Virginia) Region, or you can use a certificate stored in IAM." – Shea Dec 29 '17 at 01:17
6

According to both https://docs.aws.amazon.com/acm/latest/userguide/acm-services.html and https://aws.amazon.com/certificate-manager/faqs/, "to use an ACM certificate with CloudFront, you must request or import the certificate in the US East (N. Virginia) region". – Big Pumpkin Apr 17 '18 at 19:39
i created a certificate using N.Virginia region in ACM, and DNS validation. It was working in 10 minutes. – Deepan Prabhu Babu Oct 20 '19 at 18:11
I inspected the html and removed the disabled property and selected the certificate lol – Abhishek Pankar Jan 24 '21 at 12:50
Luckily I got within an hour, exactly after I read this thread. – Dev Utkarsh Jul 10 '21 at 20:26

score 44 · Answer 2 · answered Jul 30 '18 at 21:37

44

Only certificates registered in AWS Certificate Manager (ACM) in the US East (N. Virginia) Region will be enabled for use in CloudFront

answered Jul 30 '18 at 21:37

Reinaldo Almeida

486
4
3

4

Nice that it was documented somewhere :D – williamsandonz May 21 '19 at 18:01
They give a small text just above in certificate section in cloudFront these days. This info we tend to miss. – instinct Feb 23 '22 at 19:15

score 37 · Answer 3 · answered Jul 18 '18 at 16:29

37

Import cert into IAM or create one through ACM in us-east-1 as mentioned in the other comments.
Wait for the validation to be complete i.e. not orange.
Load the cloudfront distribution setting edit page.
If the Custom SSL option is greyed, logout of the console and log back in. After this step the greyed out option came alive for me. I imagine it being cached somehow and the logout-login refreshing it.

answered Jul 18 '18 at 16:29

neo01124

1,038
1
9
5

6

What?! It's 2020 now, this actually is still the fix. – Josh Hibschman Mar 31 '20 at 15:32
4

Yes, lost an hour of my life to figure out you need to log out and log in ... – peter_v Apr 12 '20 at 10:55
2

This is the best answer. It was log out / log in that ultimately fixed this for me after registered my ACM certificate. – MillerMedia May 29 '20 at 21:24
1

it worked :-) thanks for the tip saved me so much time – LiorH Nov 30 '20 at 09:32

score 19 · Answer 4 · answered Aug 31 '15 at 06:30

19

Just wait a few minutes and reload the distribution settings page to see the custom SSL option ENABLED.

I had the same problem, didn't use my AWS root account and the IAM path was correctly set to /cloudfront/.

answered Aug 31 '15 at 06:30

Jonathan Maim

776
1
6
14

score 16 · Answer 5 · answered Apr 23 '17 at 15:15

16

Sign in to the console and use this URL: https://console.aws.amazon.com/acm/home?region=us-east-1#/wizard/ and it will work. The key is the region.

answered Apr 23 '17 at 15:15

Philip

6,827
13
75
104

2

Yes, this worked immediately for me also. (I then went back and simply deleted the certificate I made under region=us-west-2) – Terje Dahl Dec 13 '17 at 08:03

score 14 · Answer 6 · answered Nov 03 '16 at 19:35

14

I had similar issues, and it worked more smoothly for me to import the cert into AWS Certificate Manager.

If you are using AWS Certificate Manager with an S3 bucket, make sure you are importing the cert into the US East (N. Virginia) region. As of today, that is the only region in ACM that supports S3. See https://docs.aws.amazon.com/acm/latest/userguide/acm-services.html

answered Nov 03 '16 at 19:35

Ryan Walls

6,962
1
39
42

2

Spot on! This is the solution for this problem - Thanks Ryan – EdsonF Dec 07 '16 at 10:19
3

This is the solution! More relevant link: https://docs.aws.amazon.com/acm/latest/userguide/acm-regions.html: *To use an ACM Certificate with Amazon CloudFront, you must request or import the certificate in the US East (N. Virginia) region. ACM Certificates in this region that are associated with a CloudFront distribution are distributed to all the geographic locations configured for that distribution.* – illagrenan Jan 11 '18 at 22:10

score 13 · Answer 7 · answered May 13 '19 at 07:53

13

Go back to the cloudfront homepage after the certificate get issued and refresh the page. It worked for me

answered May 13 '19 at 07:53

MrAAAAaaaahhhhHHHHHH

139
1
3

2

Whan an embarrassing situation and who would know this is the solution :D – Ariful Haque Oct 09 '19 at 08:09

score 7 · Answer 8 · answered Feb 22 '15 at 01:48

The reason it is not now showing up is probably that the iam path you have set is not /cloudfront/[1]. You can use the same cli you used to upload the certificate to change the default path of / or you could upload the certificate again. Let me know if that doesn't fix it.

http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/SecureConnections.html#CNAMEsAndHTTPS

score 4 · Answer 9 · answered Feb 25 '15 at 15:56

4

Make sure that you're not uploading the certificate using an AWS root account. If you use a root account, the certificate will be visible but you won't be able to select it.

Instead, create a new IAM user with adequate rights (I used an account with an administrative policy assigned) and upload the certificate using those credentials. The certificate should then be available.

answered Feb 25 '15 at 15:56

Kristopher

435
5
8

This worked for me, I created the cert as a root user but the custom SSL setting was disabled when editing the distribution even though I could see the cert as an option in the drop-down. After creating an administrator user and signing in as that account the option was no longer disabled. – Simon L. Brazell Feb 11 '18 at 07:28

score 3 · Answer 10 · answered Jan 30 '17 at 02:11

3

If you are requesting a certificate in another region (not us-east-1), set your region to us-east-1 and request a certificate again. I just request same domain name in ap-northeast-2 and it works immediately.

answered Jan 30 '17 at 02:11

user1035957

327
1
3
9

score 2 · Answer 11 · answered Feb 11 '21 at 01:20

There seems to be an error in the front-end.

Try this, it worked for me:

Go into the HTML using your browser's inspection tool.
Delete the "disabled" attributes from both the radio button and the textbox that are currently greyed out.
Then insert the ARN of your certificate.
Complete your form.

score 1 · Answer 12 · edited Oct 09 '18 at 12:14

1

Use this:

{
"Effect": "Allow",
"Action": [
    "iam:DeleteServerCertificate",
    "iam:UploadServerCertificate",
    "iam:ListServerCertificates",
    "iam:GetServerCertificate"
],
    "Resource": "*"
}

edited Oct 09 '18 at 12:14

Mike Doe

16,349
11
65
88

answered Oct 09 '18 at 11:19

d.balu

11
2

1

Hi @d.balu, could you please provide some more explanation to your answer? – toti08 Oct 09 '18 at 11:42

score 1 · Answer 13 · answered Dec 17 '19 at 15:22

I see there are many good answers already, and any of them may be the reason your Custon SSL Certificate section is disabled. I think I just found another one and this was the case for me:

For many "integrated services", that includes CloudFront, only few algorithms and key sizes are supported. I was trying to use my RSA 4096-bit certificate, and a key of adequate length.

As of right now for the use with the "integrated services" AWS only accepts key lengths of 1024 or 2048 bits.

Mentioned here: https://docs.aws.amazon.com/acm/latest/userguide/import-certificate-prerequisites.html

score 1 · Answer 14 · answered Sep 21 '20 at 02:59

1

In my case it was not request the ACM in N.Virginia region, after the ACM status turns green, I need to log out and log in for the button to enable.

answered Sep 21 '20 at 02:59

Minh Chau

91
2

score 1 · Answer 15 · answered Jan 24 '21 at 12:49

1

I got same issue. So I read this

But for me, it was still disabled as it can take a whole day for the same.

So, I inspected the html and removed the disabled property and selected the certificate.

answered Jan 24 '21 at 12:49

Abhishek Pankar

723
8
26

score 0 · Answer 16 · answered Feb 02 '20 at 22:42

0

If the certificate is not showing in the drop down list you can copy and paste the full ARN for the certificate. The ARN is found in Certificate Manager by selecting the certificate you want to use.

answered Feb 02 '20 at 22:42

user2531882

1
1

score -1 · Answer 17 · answered Jul 12 '20 at 07:33

AWS root account can not able to select a custom certificate in CloudFront.

Please create a new IAM user with the below policy and create CloudFront distribution with that user and you can able to select a custom SSL certificate.

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["*"],
    "Resource": ["*"]
  }]
}

Unable to select Custom SSL Certificate (stored in AWS IAM)

17 Answers17