I made an application in an AWS region different from us-east-1. I already applied for and received an SSL certificate for a custom domain, and it is stored as an ACM certificate in a region different from us-east-1.
To my surprise, when I tried to use this certificate on CloudFront, I was met with this:
"Associate a certificate from AWS Certificate Manager. The certificate must be in the US East (N. Virginia) Region (us-east-1)."
A quick search informed me that:
"You can't export an ACM certificate from one AWS Region to another or from one AWS account to another. This is because the default AWS Key Management Service (AWS KMS) key used to encrypt the private key of the certificate is unique for each AWS Region and AWS account.
Resolution: You can create multiple ACM certificates with the same domain name across different AWS Regions and accounts. "
How do I solve this, can I just request a new ACM certificate for a new region (ie. us-east-1)? Will this impact my certificate that is already in use for the original region?
Yes, you need to provision the same certificate (for a given domain) in US-EAST-1 region and use it for your global CloudFront distribution. Your regional certificate (outside the global region) will not be impacted. Usually, regional certificates are attached to your ALB and Cloudfront distribution utilizes a certificate from North Virginia region (global region).
Related
I have a question related to CloudFront.
If I have CF enabled with an S3 origin in Account A, and then I create Route 53 DNS records in Account B that point to the CF distribution.
I will need to add an alternate domain name in CF, which is in Account A, and a certificate as well. Will ACM generate a certificate in Account A when the DNS entry hello.example.com is in another account?
Yes, ACM will be happy to generate any certificate you ask it to, but to verify the certificate and complete the creation process you will have to create a DNS entry in whatever DNS service you are using. You don't even need to be using Amazon's Route 53 DNS service; you can use ACM with any DNS service.
You can do the following steps:
1. Create the ACM certificate in the us-east-1 region of Account A.
2. Once step 1 is done, copy the CNAME record of that ACM certificate, go to Account B, create the DNS record with those CNAME values, and use DNS validation. Please keep in mind, e.g. hello.example.com is your public domain and is hosted in Route 53.
3. Go back to Account A and wait a few seconds; you will then see the ACM certificate status change to issued, and you can attach that certificate to your CF distribution in Account A.
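The cross-account flow in the steps above, scripted with the AWS CLI as an added example (not code from the thread or from AWS). It assumes two configured CLI profiles, "acct-a" (owns CloudFront, requests the certificate) and "acct-b" (owns the Route 53 hosted zone), a known hosted zone id in Account B, and a constructed domain name:

```shell
#!/bin/sh
# Added example, not from the thread. Assumed: profiles "acct-a" and "acct-b",
# a placeholder hosted zone id, and a constructed domain hello.example.com.
set -eu

DOMAIN="${DOMAIN:-hello.example.com}"        # constructed example domain
PROFILE_A="${PROFILE_A:-acct-a}"              # assumed profile: CloudFront account
PROFILE_B="${PROFILE_B:-acct-b}"              # assumed profile: Route 53 account
HOSTED_ZONE_ID="${HOSTED_ZONE_ID:-ZPLACEHOLDER}"  # placeholder zone id in Account B

# Build the Route 53 change batch for the validation CNAME that ACM hands back.
# Pure string work, so it can be checked without calling AWS.
validation_change_batch() {
  # $1 = record name, $2 = record value (both as returned by ACM)
  printf '{"Changes":[{"Action":"UPSERT","ResourceRecordSet":{"Name":"%s","Type":"CNAME","TTL":300,"ResourceRecords":[{"Value":"%s"}]}}]}' "$1" "$2"
}

main() {
  # Step 1: CloudFront only accepts ACM certificates from us-east-1, so request
  # it there in Account A regardless of where the rest of the stack lives.
  ARN=$(aws acm request-certificate --profile "$PROFILE_A" --region us-east-1 \
        --domain-name "$DOMAIN" --validation-method DNS \
        --query CertificateArn --output text)

  # Step 2: read the CNAME name/value ACM wants to see in DNS. The validation
  # record appears shortly after the request, so poll a bounded number of times.
  NAME=""; VALUE=""; i=0
  while [ -z "$VALUE" ] && [ "$i" -lt 12 ]; do
    sleep 5
    set -- $(aws acm describe-certificate --profile "$PROFILE_A" --region us-east-1 \
      --certificate-arn "$ARN" \
      --query 'Certificate.DomainValidationOptions[0].ResourceRecord.[Name,Value]' \
      --output text)
    NAME="${1:-}"; VALUE="${2:-}"; i=$((i+1))
  done

  # Step 3: create that record in Account B, where the public hosted zone lives.
  aws route53 change-resource-record-sets --profile "$PROFILE_B" \
    --hosted-zone-id "$HOSTED_ZONE_ID" \
    --change-batch "$(validation_change_batch "$NAME" "$VALUE")"

  # Step 4: wait until ACM sees the record and issues the certificate. The ARN
  # printed here is what goes into the CloudFront distribution's viewer certificate.
  aws acm wait certificate-validated --profile "$PROFILE_A" --region us-east-1 \
    --certificate-arn "$ARN"
  echo "$ARN"
}

# Only call AWS when explicitly asked; defining the functions alone has no side effects.
if [ "${1:-}" = "--run" ]; then main; fi
```

Run it as `sh acm-cross-account.sh --run` once both profiles have the ACM and Route 53 permissions the steps require.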
I'm trying to import the certificate of a domain from AWS Certificate Manager (ACM) on one account to another ... How can I do that?
You can't export an ACM certificate from one AWS Region to another or from one AWS account to another. This is because the default AWS Key Management Service (AWS KMS) key used to encrypt the private key of the certificate is unique for each AWS Region and AWS account. For more information, see ACM private key security.
You can create multiple ACM certificates with the same domain name across different AWS Regions and accounts. You can then use these certificates with services that run on AWS Certificate Manager.
useful link: https://aws.amazon.com/premiumsupport/knowledge-center/acm-export-certificate/
Actually I have an AWS SSH certificate in N. Virginia and I have all the setup for the environment in Oregon.
What, which type, and why does the region matter (or not matter) in some AWS services?
I am working in a govcloud account for client work and CANNOT use us-east-1 as it does not exist in govcloud.
In the API Gateway console -> Custom Domain Names page the following text appears:
"To use an ACM certificate with API Gateway, you must request or import the certificate in the US East (N. Virginia) region."
How would I go about importing or creating a cert in ACM in us-east-1 as govcloud does not interact with that region?
How can I configure / script a custom domain name with api gateway in govcloud?
Actually that message only applies to 'Edge Optimized' APIs which are not available in govcloud anyway. You can use a govcloud ACM cert with a Regional endpoint type.
I already have a certificate from AWS Certificate Manager (ACM) when only the 1 region was available (think the US-West-1 region?) and currently being used with Cloudfront to host a website for the Australian market.
Now that ACM is available in more regions, would using a certificate created from the Sydney region have any improvements in performance?
ACM now supports multiple regions, but that doesn't have any implications for certificates for use with CloudFront.
To use an ACM certificate with Amazon CloudFront, you must request or import the certificate in the US East (N. Virginia) region. ACM certificates in this region that are associated with a CloudFront distribution are distributed to all the geographic locations configured for that distribution.
https://docs.aws.amazon.com/acm/latest/userguide/acm-regions.html
The reason for this is that CloudFront, unlike most AWS services, where the regional implementation of the service is independent of all other regions, has all of its provisioning/administrative infrastructure based in us-east-1.
The operational infrastructure is globally distributed and independent, so the centralized management of CloudFront doesn't have performance implications. If you have performance issues, those should be investigated separately.
The announcement of new regions for ACM doesn't apply to CloudFront. It's applicable to the other service integrated with ACM, Elastic Load Balancer, which previously only supported ACM certificates in us-east-1 because that was the only region in which they were available, and ELB regions are fully independent of each other.
Follow-up: This answer was reviewed in May, 2018, two years after it was originally posted, and then again in the summer of 2020. It is still accurate, as written. Certificates for CloudFront (as well as for Edge-Optimized deployments in API Gateway, which have a somewhat hidden dependency on CloudFront) are always provisioned in the us-east-1 region of ACM. There is no compelling reason to expect this to change, as CloudFront's control plane runs in us-east-1.