Certificate management with AWS Certificate Manager - Amazon CloudFront
Certificate Authority supportCertificate requirements and specifications

Certificate management with AWS Certificate Manager

AWS Certificate Manager (ACM) stores the client certificates that CloudFront presents to your origin servers during mutual TLS (origin) authentication.

Certificate Authority support

CloudFront Mutual TLS (origin) requires client certificates with Extended Key Usage (EKU) for TLS Client Authentication. Due to this requirement, you must issue certificates from your Certificate Authority and import them into AWS Certificate Manager. ACM's automatic certificate provisioning and renewal features are not available for mutual TLS (origin) client certificates. CloudFront Mutual TLS (origin) supports client certificates from two sources:

  • AWS Private Certificate Authority: You can issue certificates from AWS Private CA using certificate templates that include TLS Client Authentication in the Extended Key Usage field (such as the EndEntityClientAuthCertificate template). After issuing the certificate from AWS Private CA, you must import it into ACM in the US East (N. Virginia) Region (us-east-1). This approach provides the security benefits of AWS Private CA while giving you control over certificate lifecycle management.

  • Third-party private Certificate Authorities: You can also issue certificates from your existing private Certificate Authority infrastructure and import them into ACM. This allows you to maintain your current certificate management processes while leveraging CloudFront's mutual TLS (origin) capabilities. Certificates must include TLS Client Authentication in the Extended Key Usage field and must be in PEM format with the certificate, private key, and certificate chain.

Important

For both AWS Private CA and third-party CAs, you are responsible for monitoring certificate expiration dates and importing renewed certificates into ACM before expiration. ACM's automatic renewal feature does not apply to imported certificates used for mutual TLS (origin).

Certificate requirements and specifications

Client certificate requirements

  • Format: PEM (Privacy Enhanced Mail) format

  • Components: Certificate, private key, and certificate chain

  • Maximum certificate chain depth: 3 (leaf certificate + intermediate certificate + root certificate)

  • Maximum certificate chain size: 64 KB

  • Certificate size: Cannot exceed 96 KB

  • Maximum private key size: 5 KB (ACM restriction)

  • Maximum unique origin mTLS certificate ARNs that can be added or modified per CloudFront distribution create or update API call: 5

  • Region: Certificates must be stored in ACM in the US East (N. Virginia) Region (us-east-1)

Supported certificate specifications

  • Certificate type: X.509v3

  • Public key algorithms:

    • RSA: 2048-bit

    • ECDSA: P-256

  • Signature algorithms:

    • SHA256, SHA384, SHA512 with RSA

    • SHA256, SHA384, SHA512 with ECDSA

    • SHA256, SHA384, SHA512 with RSASSA-PSS with MGF1

  • Extended Key Usage (required): The certificate requires the Extended Key Usage (EKU) extension set to TLS Client Authentication, ensuring it is authorized for mTLS purposes

Server certificate requirements

Your origin servers must present certificates from publicly trusted Certificate Authorities during the mutual TLS handshake. For complete details on origin server certificate requirements, see Requirements for using SSL/TLS certificates with CloudFront.

Request or import a certificate

Before enabling mutual TLS (origin), you must have a client certificate available in ACM.

Request and import a certificate from AWS Private CA

Prerequisites:

  • An AWS Private Certificate Authority configured in your account

  • Permission to issue certificates from AWS Private CA

  • Permission to import certificates into ACM

  • A certificate template ARN with Extended key usage:TLS web client authentication which suits your use-case

  • Install OpenSSL, AWS CLI, and jq (for parsing JSON).

To request a certificate from PCA and import into ACM (AWS CLI)

  1. Set your Private CA ARN in a variable for easier reuse.

    PCA_ARN="arn:aws:acm-pca:region:account:certificate-authority/12345678..."

  2. Use OpenSSL to generate an ECDSA P-256 private key (prime256v1 curve) and Certificate Signing Request (CSR), ensuring the -nodes flag is used to keep the private key unencrypted as required for ACM import.

    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout private.key \
    -out request.csr \
    -subj "/CN=client.example.com"

  3. Submit the CSR to your AWS Private CA to issue a certificate, which returns the ARN of the newly issued certificate.

    CERT_ARN=$(aws acm-pca issue-certificate \
    --certificate-authority-arn "$PCA_ARN" \
    --csr fileb://request.csr \
    --signing-algorithm "SHA256WITHECDSA" \
    --validity Value=365,Type="DAYS" \
    --template-arn arn:aws:acm-pca:::template/EndEntityCertificate/V1 \
    --query 'CertificateArn' --output text)

  4. Retrieve the certificate bundle from AWS PCA using the get-certificate command, which returns both the leaf certificate and chain, then use jq to separate them into distinct files.

    # Retrieve the full certificate bundle in JSON format
aws acm-pca get-certificate \
    --certificate-authority-arn "$PCA_ARN" \
    --certificate-arn "$CERT_ARN" \
    --output json > full_cert.json

# Split into Leaf and Chain
jq -r '.Certificate' full_cert.json > leaf_cert.pem
jq -r '.CertificateChain' full_cert.json > cert_chain.pem

  5. Import the unencrypted private key, leaf certificate, and certificate chain into AWS ACM, using the fileb:// protocol to correctly handle binary file data in the CLI.

    aws acm import-certificate \
    --certificate fileb://leaf_cert.pem \
    --private-key fileb://private.key \
    --certificate-chain fileb://cert_chain.pem \
    --region us-east-1 \
    --query 'CertificateArn' \
    --output text

Import a certificate from a third-party CA

Prerequisites:

  • A certificate, unencrypted private key, and certificate chain from your Certificate Authority in PEM format

  • The certificate must include Extended Key Usage for TLS Client Authentication

  • Permissions to import certificates into ACM

To import a certificate into ACM (AWS CLI)
aws acm import-certificate \
  --certificate fileb://certificate.pem \
  --private-key fileb://private-key.pem \
  --certificate-chain fileb://certificate-chain.pem \
  --region us-east-1 \
  --query 'CertificateArn' \
  --output text

Next steps

After obtaining or importing your client certificate in ACM, you can configure your origin server to require mutual TLS authentication and enable mutual TLS (origin) on your CloudFront distribution. For instructions on enabling mutual TLS (origin) in CloudFront, see the next section "Enable mutual TLS (origin) for CloudFront distributions."