Can I use a certificate from AWS Certificate Manager to use it with API Gateway and my Custom Domain Name?

How do I get the certificate body, private key and chain out of the certificate from the AWS Certificate Manager?

Christine
  • You can't do this at this time without creating another CloudFront distribution in addition to the one created behind the scenes by API Gateway. – Mark B Apr 08 '16 at 13:47
  • @MarkB does that mean there is a workaround using "another CloudFront distribution" as you say? – Christine Apr 10 '16 at 19:53
  • CloudFront workaround appears possible in the docs, but the option is grayed out for me so far. See "To use alternate domain names with HTTPS": http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/SecureConnections.html#CNAMEsAndHTTPS – here Sep 12 '16 at 01:44
  • A second CloudFront distro in front of API Gateway will work as @MarkB suggested. You have to whitelist headers and prevent the `Host` header from forwarding to API Gateway as it uses SNI. – Dave Maple Jan 05 '17 at 11:46

1 Answer

As you saw in the forum post, it's not possible now. ACM integration is something we want to do and it's on our backlog, but I don't have an ETA for you at the moment.

ACM is now integrated with API Gateway!

jackko
  • Thank you. Please keep us updated here too once it is available. – Christine Apr 10 '16 at 19:54
  • Related, is there any way to *update* an expired cert? You can't edit it in the web UI and the cloudfront distribution isn't visible for updating. – Chris Heald Apr 12 '16 at 16:46
  • Yep, we're working on getting support out to update certificates in-place. Right now you can either delete the domain and recreate it (takes 40 minutes), or if you require zero downtime we can do an in-place cert rotation if you open a support ticket and tell them that's what you need. – jackko Apr 13 '16 at 01:46
  • @JackKohn-AWS this just bit our team really hard and it seems that we messed up by using AWS to register our domain/cert ... seems like this is a HUGE fail on AWS's end by making their own services incompatible with each other... Is there any update on this? – Chad Grant Nov 13 '16 at 18:56
  • I'd like to add my voice to this as a highly desirable feature/improvement. Is there an official place to add a vote etc? – adamneilson Nov 17 '16 at 11:39
  • Yet another AWS half-baked release. If AWS were a restaurant all the food would be served raw. – AJB Nov 26 '16 at 23:22
  • Absolutely stunned this isn't available for API gateway. How are we supposed to use Route 53 domains in this case? – Alex Dec 21 '16 at 15:40
  • I was honestly so confused by this and am grateful that this question was posted. This seems like a pretty large oversight and will indeed be a problem for us too. Please Amazon, make this one happen soon! – Fotis Gimian Mar 02 '17 at 23:41