Request certificates for your CloudFront distribution tenant
When you create a distribution tenant, the tenant inherits the shared AWS Certificate Manager (ACM) certificate from the multi-tenant distribution. This shared certificate provides HTTPS for all tenants associated with the multi-tenant distribution.
When you create or update a CloudFront distribution tenant to add domains, you can add a managed CloudFront certificate from ACM. CloudFront then gets an HTTP-validated certificate from ACM on your behalf. You can use this tenant-level ACM certificate for custom domain configurations. CloudFront streamlines the renewal workflow to help keep certificates up-to-date and secure content delivery uninterrupted.
Note
You own the certificate, but it can only be used with CloudFront resources and the private key cannot be exported.
You can request the certificate when you create or update the distribution tenant.
Add a domain and certificate (distribution tenant)
The following procedure shows you how to add a domain and update the certificate for a distribution tenant.
To add a domain and certificate (distribution tenant)
1. Sign in to the AWS Management Console and open the CloudFront console at https://console.aws.amazon.com/cloudfront/v4/home.
2. Under SaaS, choose Distribution tenants.
3. Search for the distribution tenant. Use the dropdown menu in the search bar to filter by domain, name, distribution ID, certificate ID, connection group ID, or web ACL ID.
4. Choose the distribution tenant name.
5. For Domains, choose Manage domain.
6. For Certificate, choose whether you want a Custom TLS certificate for your distribution tenant. The certificate verifies that you're authorized to use the domain name. The certificate must exist in the US East (N. Virginia) Region.
7. For Domains, choose Add domain and enter the domain name. Depending on your domain, one of the following messages appears under the domain name that you enter:
   - This domain is covered by the certificate.
   - This domain is covered by the certificate, pending validation.
   - This domain isn't covered by a certificate. (This means you must verify domain ownership.)
8. Choose Update distribution tenant.
On the tenant details page, under Domains, you can see the following fields:
- Domain ownership – The status of domain ownership. Before CloudFront can serve content, your domain ownership must be verified by using TLS certificate validation.
- DNS status – Your domain's DNS records must point to CloudFront to route traffic correctly.
If your domain ownership isn't verified, on the tenant details page, under Domains, choose Complete domain setup and then complete the following procedure to point the DNS record to your CloudFront domain name.
Complete domain setup
Follow these procedures to verify that you own the domain for your distribution tenants. Depending on your domain, choose one of the following procedures.
Note
If your domain is already pointed to CloudFront with an Amazon Route 53 alias record, you must add a DNS TXT record with _cf-challenge. in front of the domain name. This TXT record verifies that your domain name is linked to CloudFront. Repeat this step for each domain. The following shows how to update your TXT record:
- Record name: _cf-challenge.DomainName
- Record type: TXT
- Record value: CloudFrontRoutingEndpoint
For example, your TXT record might look like: _cf-challenge.example.com TXT d111111abcdef8.cloudfront.net
You can find your CloudFront routing endpoint in the console on the distribution tenant detail page or use the ListConnectionGroups API action in the Amazon CloudFront API Reference to find it.
Point domains to CloudFront
Update your DNS records to route traffic from each domain to the CloudFront routing endpoint. You can have multiple domain names, but they must resolve to this endpoint.
To point domains to CloudFront
1. Copy the CloudFront routing endpoint value, such as d111111abcdef8.cloudfront.net.
2. Update your DNS records to route traffic from each domain to the CloudFront routing endpoint.
   a. Sign in to your domain registrar or DNS provider management console.
   b. Navigate to the DNS management section for your domain.
   c. For subdomains – Create a CNAME record. For example:
      - Name – Your subdomain (such as www or app)
      - Value / Target – The CloudFront routing endpoint
      - Record type – CNAME
      - TTL – 3600 (or whatever is appropriate for your use case)
   d. For apex/root domains – Create an ALIAS record (Route 53) or similar functionality from your DNS provider that allows apex domain redirection. For example, in Route 53:
      - Name – Your apex domain (such as example.com)
      - Record type – A
      - Alias – Yes
      - Alias target – Your CloudFront routing endpoint
      - Routing policy – Simple (or whatever is appropriate for your use case)
   e. Verify that the DNS change has propagated. (This can take 24-48 hours.) Use a tool like dig or nslookup:
      dig www.example.com # Should eventually return a CNAME pointing to your CloudFront routing endpoint
3. Return to the CloudFront console and choose Submit. This returns you to the distribution tenant page. When your domain is active, CloudFront updates the domain status to indicate that your domain is ready to serve traffic.
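The following script is an added example, not part of the CloudFront documentation or an AWS tool. It checks the records from the note and the procedure above with dig: in alias mode (the Route 53 alias case) it confirms the _cf-challenge TXT record carries the routing endpoint and that the domain's A answers overlap with the endpoint's; in the default CNAME mode it confirms the CNAME points at the endpoint. The endpoint d111111abcdef8.cloudfront.net and the addresses are placeholders; the parsing functions take dig output as a string so they can be exercised without network access.

```shell
#!/bin/sh
# Added example (not from the CloudFront docs): verify the DNS records for a
# distribution tenant domain. Usage:
#   sh check_tenant_dns.sh www.example.com d111111abcdef8.cloudfront.net [cname|alias]
# Endpoint and IP values used anywhere below are constructed placeholders.

# Lower-case dig answers, strip TXT quotes and trailing dots, then test whether
# any answer line equals the expected value exactly (no substring matches).
answer_matches() {
  [ -n "$2" ] || return 1
  printf '%s\n' "$1" | tr -d '"' | sed 's/\.$//' | tr 'A-Z' 'a-z' \
    | grep -qxF "$(printf '%s' "$2" | tr 'A-Z' 'a-z')"
}

# _cf-challenge TXT record: its value must be the routing endpoint itself.
check_challenge_txt() { answer_matches "$1" "$2"; }

# Subdomain: the CNAME must point at the routing endpoint.
check_cname() { answer_matches "$1" "$2"; }

# Apex / alias: a Route 53 alias resolves straight to addresses, so there is no
# name to compare. Assumption: the domain's A answers share at least one address
# with the endpoint's (CloudFront may return different subsets per query).
check_apex_a() {
  [ -n "$1" ] || return 1
  for ip in $2; do answer_matches "$1" "$ip" && return 0; done
  return 1
}

verify_domain() {   # verify_domain <domain> <routing-endpoint> [cname|alias]
  domain=$1; endpoint=$2; mode=${3:-cname}
  if [ "$mode" = alias ]; then
    if check_challenge_txt "$(dig +short TXT "_cf-challenge.$domain")" "$endpoint"
    then echo "TXT ok: _cf-challenge.$domain -> $endpoint"
    else echo "TXT missing or wrong for _cf-challenge.$domain"; fi
    if check_apex_a "$(dig +short A "$domain")" "$(dig +short A "$endpoint")"
    then echo "A ok: $domain resolves to CloudFront addresses"
    else echo "A not yet pointing at $endpoint (alias missing or not propagated)"; fi
  elif check_cname "$(dig +short CNAME "$domain")" "$endpoint"
  then echo "CNAME ok: $domain -> $endpoint"
  else echo "CNAME missing or wrong for $domain"; fi
}

if [ $# -ge 2 ]; then verify_domain "$@"; fi
```

Run it again after the 24-48 hour propagation window if a record is reported missing; a cached negative answer from your resolver can also delay a correct result.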
Domain considerations (distribution tenant)
When a domain is active, domain control has been established and CloudFront will respond to all viewer requests to this domain. Once activated, a domain can't be deactivated or changed to an inactive status. The domain can't be associated with another CloudFront resource while it's already in use. To associate the domain with another distribution, use the UpdateDomainAssociation request to move the domain from one CloudFront resource to another.
When a domain is inactive, CloudFront won't respond to viewer requests to the domain. While the domain is inactive, note the following:
- If you have a pending certificate request, CloudFront will respond to requests for the well-known path. While the request is pending, the domain can't be associated with any other CloudFront resources.
- If you don't have a pending certificate request, CloudFront won't respond to requests for the domain. You can associate the domain with other CloudFront resources.
- You can only have one pending certificate request per distribution tenant. Before you can request another certificate for additional domains, you must cancel the existing pending request. Canceling an existing certificate request does not delete the associated ACM certificate. You can delete that by using the ACM API.
- If you apply a new certificate to your distribution tenant, this will disassociate the previous certificate. You can reuse the certificate to cover the domain for another distribution tenant.
As with renewals for DNS-validated certificates, you will be notified when the certificate renewal succeeds. However, you don't need to do anything else. CloudFront will manage the certificate renewal for your domain automatically.
Note
You don't need to call the ACM API operations to create or update your certificate resources. You can manage your certificates by using the CreateDistributionTenant and UpdateDistributionTenant API operations to specify the details for your managed certificate request.