Trust stores and certificate management - Amazon CloudFront
What is a trust store?Certificate Authority supportCertificate requirements and specificationsCreate a trust storeAssociate trust store with distributionsManage trust stores

Trust stores and certificate management

Creating and configuring a trust store is a mandatory requirement for implementing mutual TLS authentication with CloudFront. Trust stores contain the Certificate Authority (CA) certificates that CloudFront uses to validate client certificates during the authentication process.

What is a trust store?

A trust store is a repository of CA certificates that CloudFront uses to validate client certificates during mutual TLS authentication. Trust stores contain the root and intermediate CA certificates that form the chain of trust for authenticating client certificates.

When you implement mutual TLS with CloudFront, the trust store defines which Certificate Authorities you trust to issue valid client certificates. CloudFront validates each client certificate against your trust store during the TLS handshake. Only clients presenting certificates that chain to one of the CAs in your trust store will be authenticated successfully.

Trust stores in CloudFront are account-level resources that you can associate with multiple distributions. This allows you to maintain consistent certificate validation policies across your entire CloudFront deployment while simplifying CA certificate management.

Certificate Authority support

CloudFront supports certificates issued by both AWS Private Certificate Authority and third-party private Certificate Authorities. This flexibility allows you to use your existing certificate infrastructure or leverage AWS managed certificate services based on your organizational requirements.

  • AWS Private Certificate Authority: You can use certificates issued by AWS Private CA, which provides a managed private certificate authority service. This integration simplifies certificate lifecycle management and provides seamless integration with other AWS services.

  • Third-party private Certificate Authorities: You can also use certificates from your existing private Certificate Authority infrastructure, including enterprise CAs or other third-party certificate providers. This allows you to maintain your current certificate management processes while adding CloudFront's mTLS capabilities.

Certificate requirements and specifications

Trust stores have specific requirements for the CA certificates they contain:

CA certificate format requirements

  • Format: PEM (Privacy Enhanced Mail) format

  • Content boundaries: Certificates must be enclosed within the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- boundaries

  • Comments: Must be preceded by a # character and cannot contain any - characters

  • Line breaks: No blank lines are allowed between certificates

Supported certificate specifications

  • Certificate type: X.509v3

  • Public key types:

    • RSA 2048, RSA 4096

    • ECDSA: secp256r1, secp384r1

  • Signature algorithms:

    • SHA256, SHA384, SHA512 with RSA

    • SHA256, SHA384, SHA512 with EC

    • SHA256, SHA384, SHA512 with RSASSA-PSS with MGF1

Example certificate bundle format

Multiple certificates (PEM-encoded):

# Root CA Certificate
-----BEGIN CERTIFICATE-----
MIIDXTCCAkWgAwIBAgIJAKoK/OvD/XqiMA0GCSqGSIb3DQEBCwUAMEUxCzAJBgNV
BAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX
aWRnaXRzIFB0eSBMdGQwHhcNMTcwNzEyMTU0NzQ4WhcNMjcwNzEwMTU0NzQ4WjBF
MQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50
ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
CgKCAQEAuuExKvY1xzHFylsHiuowqpmzs7rEcuuylOuEszpFp+BtXh0ZuEtts9LP
-----END CERTIFICATE-----
# Intermediate CA Certificate
-----BEGIN CERTIFICATE-----
MIIDXTCCAkWgAwIBAgIJAKoK/OvD/XqjMA0GCSqGSIb3DQEBCwUAMEUxCzAJBgNV
BAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX
aWRnaXRzIFB0eSBMdGQwHhcNMTcwNzEyMTU0NzQ4WhcNMjcwNzEwMTU0NzQ4WjBF
MQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50
ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
CgKCAQEAuuExKvY1xzHFylsHiuowqpmzs7rEcuuylOuEszpFp+BtXh0ZuEtts9LP
-----END CERTIFICATE-----

Create a trust store

Before creating a trust store, you must upload your CA certificate bundle in PEM format to an Amazon S3 bucket. The certificate bundle should contain all the trusted root and intermediate CA certificates needed to validate your client certificates.

The CA certificate bundle is only read once from S3 when creating a trust store. If future changes are made to the CA certificate bundle, then the trust store will have to be manually updated. No sync is maintained between the trust store and the S3 CA certificate bundle.

Prerequisites

  • A certificate bundle from your Certificate Authority (CA) uploaded to an Amazon S3 bucket

  • The necessary permissions to create CloudFront resources

To create a trust store (Console)

  1. Sign in to the AWS Management Console and open the CloudFront console at https://console.aws.amazon.com/cloudfront/v4/home.

  2. In the navigation pane, choose Trust stores.

  3. Choose Create trust store.

  4. For Trust store name, enter a name for your trust store.

  5. For Certificate authority (CA) bundle, enter the Amazon S3 path to your PEM-format CA certificate bundle.

  6. Choose Create trust store.

To create a trust store (AWS CLI)

aws cloudfront create-trust-store \
  --name MyTrustStore \
  --certificate-authority-bundle-s3-location Bucket=my-bucket,Key=ca-bundle.pem \
  --tags Items=[{Key=Environment,Value=Production}]

Associate trust store with distributions

After creating a trust store, you must associate it with a CloudFront distribution to enable mutual TLS authentication.

Prerequisites

  • An existing CloudFront distribution with HTTPS-only viewer protocol policy enabled and HTTP3 support disabled.

To associate a trust store (Console)

There are two avenues to associate a trust store within the CloudFront console: through the trust store details page or through the distribution settings page.

Associating a trust store through the trust store details page:

  1. Sign in to the AWS Management Console and open the CloudFront console at https://console.aws.amazon.com/cloudfront/v4/home.

  2. In the navigation pane, choose Trust stores.

  3. Choose the name of the trust store you want to associate.

  4. Choose Associate to distribution.

  5. Configure the available Viewer mTLS options:

    • Client certificate validation mode: Choose between Required and Optional mode. In required mode, all clients are required to present certificates. In optional mode, clients that present certificates are validated, while clients that do not present certificates are permitted access.

    • Advertise trust store CA names: Choose whether to advertise the CA names in your trust store to clients during TLS handshake.

    • Ignore certificate expiration date: Choose whether to allow connections with expired certificates (other validation criteria still apply).

    • Connection Function: An optional Connection Function can be associated to allow/deny connections based on other custom criteria.

  6. Select one or more distributions to associate with the trust store. Only distributions with HTTP3 disabled and with HTTPS-only cache behaviors can support Viewer mTLS.

  7. Choose Associate.

Associating a trust store through the distribution settings page:

  1. Sign in to the AWS Management Console and open the CloudFront console at https://console.aws.amazon.com/cloudfront/v4/home.

  2. Select the distribution that you want to associate

  3. Under the General tab, within the Settings container, choose Edit in the top right corner

  4. Scroll down to the bottom of the page, within the Connectivity container, toggle the Viewer mTLS switch on

  5. Configure the available Viewer mTLS options:

    • Client certificate validation mode: Choose between Required and Optional mode. In required mode, all clients are required to present certificates. In optional mode, clients that present certificates are validated, while clients that do not present certificates are permitted access.

    • Advertise trust store CA names: Choose whether to advertise the CA names in your trust store to clients during TLS handshake.

    • Ignore certificate expiration date: Choose whether to allow connections with expired certificates (other validation criteria still apply).

    • Connection Function: An optional Connection Function can be associated to allow/deny connections based on other custom criteria.

  6. Choose Save changes in the bottom right corner.

To associate a trust store (AWS CLI)

Trust stores can be associated to distributions via the DistributionConfig.ViewerMtlsConfig property. This means we first need to fetch the distribution config and then provide the ViewerMtlsConfig in a subsequent UpdateDistribution request.

// First fetch the distribution
aws cloudfront get-distribution {DISTRIBUTION_ID}

// Update the distribution config, for example:
Distribution config, file://distConf.json: 
{
  ...other fields,
  ViewerMtlsConfig: {
    Mode: 'required',
    TrustStoreConfig: {
        AdvertiseTrustStoreCaNames: false,
        IgnoreCertificateExpiry: true,
        TrustStoreId: {TRUST_STORE_ID}
    }
  }
}

aws cloudfront update-distribution \
   --id {DISTRIBUTION_ID} \
   --if-match {ETAG} \
   --distribution-config file://distConf.json

Manage trust stores

View trust store details

  1. Sign in to the AWS Management Console and open the CloudFront console at https://console.aws.amazon.com/cloudfront/v4/home.

  2. In the navigation pane, choose Trust stores.

  3. Choose the name of the trust store to view its details page.

The details page shows:

  • Trust store name and ID

  • Number of CA certificates

  • Creation date and last modified date

  • Associated distributions

  • Tags

Modify a trust store

To replace the CA certificate bundle:

  1. Sign in to the AWS Management Console and open the CloudFront console at https://console.aws.amazon.com/cloudfront/v4/home.

  2. In the navigation pane, choose Trust stores.

  3. Choose the name of the trust store.

  4. Choose Actions, then Edit.

  5. For Certificate authority (CA) bundle, enter the Amazon S3 location of the updated CA bundle PEM file.

  6. Choose Update trust store.

Delete a trust store

Prerequisites: You must first disassociate the trust store from all CloudFront distributions.

  1. Sign in to the AWS Management Console and open the CloudFront console at https://console.aws.amazon.com/cloudfront/v4/home.

  2. In the navigation pane, choose Trust stores.

  3. Choose the name of the trust store.

  4. Choose Delete trust store.

  5. Choose Delete to confirm.

Next steps

After creating and associating your trust store with a CloudFront distribution, you can proceed to enable mutual TLS authentication on your distribution and configure additional settings such as forwarding certificate headers to your origins. For detailed instructions on enabling mTLS on your distributions, see Enable mutual TLS for CloudFront distributions.