Cloudfront serving over own SSL certificate


Solution 1

I looked into this extensively, and no, currently it's not possible to use HTTPS with CNAMEs unless you're able to ignore cert name mismatches on the client side. HTTPS works with "simple" bucket names, but CNAMEs only work with bucket names that are fully-qualified domains.

AWS is always adding new features, so I can see them being able to serve up custom certificates at some point, but there's no support for that yet.

See: http://stackoverflow.com/questions/3048236/amazon-s3-https-ssl-is-it-possible

edit: Still not possible for direct access to S3, but it is possible through CloudFront: http://aws.amazon.com/cloudfront/custom-ssl-domains/
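The "cert name mismatch" problem described in this answer comes down to how clients match a hostname against the names in the served certificate. The following is an added example, not code from the original answers or from AWS: it implements RFC 6125-style hostname matching over a certificate's dNSName subjectAltName entries (the dict shape Python's `ssl.getpeercert()` returns) with the single-label wildcard rule, and applies it to a constructed stand-in for S3's wildcard certificate. The certificate contents and bucket names are constructed sample data, and `check_access` is a helper name chosen here.

```python
"""Added example (not from the original answers or AWS): why HTTPS + CNAME
fails on S3 when the served certificate's names don't cover the hostname.

Implements RFC 6125-style hostname matching over a certificate's dNSName
subjectAltName entries (the dict shape ssl.getpeercert() returns), with
the single-label wildcard rule that bites dotted bucket names.
All certificates below are constructed sample data, not real S3 certs.
"""
import ipaddress


def _label_matches(pattern: str, host: str) -> bool:
    """Match one dNSName pattern against a host, case-insensitively.

    A leading '*' matches exactly one DNS label (RFC 6125 s6.4.3), so
    '*.s3.amazonaws.com' covers 'bucket.s3.amazonaws.com' but NOT
    'assets.example.com.s3.amazonaws.com'.
    """
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False  # wildcard must not cover a whole name or a TLD
    if p_labels[0] != "*":
        return False  # only a bare '*' as the leftmost label is accepted
    return p_labels[1:] == h_labels[1:]


def cert_names(cert: dict) -> list:
    """dNSName SANs; fall back to the subject CN only if there are none."""
    sans = [v for (k, v) in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    for rdn in cert.get("subject", ()):
        for k, v in rdn:
            if k == "commonName":
                return [v]
    return []


def hostname_matches(cert: dict, host: str) -> bool:
    """True if any name in the certificate covers the requested host."""
    try:
        ipaddress.ip_address(host)
        return False  # IP literals need iPAddress SANs; not handled here
    except ValueError:
        pass
    return any(_label_matches(n, host) for n in cert_names(cert))


def check_access(cert: dict, host: str) -> str:
    """Human-readable verdict for one host, used by the demo below."""
    verdict = "OK" if hostname_matches(cert, host) else "NAME MISMATCH"
    return f"{host}: {verdict} against {cert_names(cert)}"


# Constructed stand-in for the wildcard certificate S3 presents.
S3_WILDCARD_CERT = {
    "subject": ((("commonName", "*.s3.amazonaws.com"),),),
    "subjectAltName": (("DNS", "*.s3.amazonaws.com"),
                       ("DNS", "s3.amazonaws.com")),
}

if __name__ == "__main__":
    for host in ["mybucket.s3.amazonaws.com",               # simple bucket name
                 "assets.example.com.s3.amazonaws.com",     # dotted bucket name
                 "assets.example.com"]:                     # CNAME to the bucket
        print(check_access(S3_WILDCARD_CERT, host))
```

Only the simple bucket name passes: the dotted bucket name has more labels than the wildcard pattern, and the CNAME shares no suffix with it at all, so a client that does not ignore mismatches will refuse both.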

Solution 2

PLEASE NOTE THE EDITS & UPDATES BELOW

I am resurrecting this because Amazon is running a survey (as of this writing) which asks customers for feedback on their product roadmap.

See the post on this survey being available: https://forums.aws.amazon.com/thread.jspa?threadID=26488&tstart=30

and the direct survey link: http://aws.qualtrics.com/SE/?SID=SV_9yvAN5PK8abJIFK

EDIT: Noticed a post from June 11, 2012 that AWS had updated the survey link:

See the post on this survey being available: https://forums.aws.amazon.com/thread.jspa?messageID=363869

New Survey Link: http://aws.qualtrics.com/SE/?SID=SV_e4eM1cRblPaccFS

I think it is worth the time to provide them feedback about making CNAME + SSL a supported feature.

EDIT: Announced on June 11, 2013, custom SSL Certs with dedicated IPs are now supported with CloudFront on AWS:

See the feature announcement on the AWS Blog: http://aws.typepad.com/aws/2013/06/custom-ssl-domain-names-root-domain-hosting-for-amazon-cloudfront.html

One item to consider before counting on this route: you need to see significant value from deviating from the https://[distribution].cloudfront.net route, as the pricing is $600 USD per month for hosting custom SSL certs.

EDIT: Announced on March 5, 2014, custom SSL Certs using Server Name Indication (SNI) are now supported with CloudFront on AWS -- NO ADDITIONAL CHARGE:

As wikichen noted below, AWS now supports custom SSL Certs via SNI. This is HUGE as it opens the possibility of leveraging AWS' existing infrastructure (IP addresses). As such, AWS does not charge extra for this service! To learn more, read about it on the AWS blog post: http://aws.typepad.com/aws/2014/03/server-name-indication-sni-and-http-redirection-for-amazon-cloudfront.html

One item that should be noted, though: Server Name Indication (SNI) does have some drawbacks that should be considered before relying on it completely. In particular, it is not supported by some older browsers. If you want to understand this better, see: Is SNI actually used and supported in browsers?

EDIT: AWS announced on January 21, 2016, they supply custom SSL Certs for FREE!

To read about the full announcement on the AWS site: https://aws.amazon.com/blogs/aws/new-aws-certificate-manager-deploy-ssltls-based-apps-on-aws/

Amazon has announced a new service called AWS Certificate Manager, offering free SSL/TLS certificates for AWS resources.

These certificates are usually purchased from third-party certificate providers like Symantec, Comodo and RapidSSL and can cost anywhere from $50 to hundreds of dollars, depending on the level of identity verification performed.

The process of obtaining a new certificate has always been a bit messy, requiring the generation of a Certificate Signing Request on the server being protected, sending that request to a certificate provider, and then installing the certificate once it is received. Since Amazon is managing the whole process, all of that goes away and certificates can be quickly issued and provisioned on AWS resources automatically.

There are a few limitations to the certificates. Amazon only provides domain validated certificates, a simple verification where domain validation takes place via email. If you want an Extended Validation certificate, you may stick with their current certificate providers. In addition, the certificates cannot be used for code signing or email encryption.

Solution 3

Starting today, you can use your own SSL certificate with AWS CloudFront http://aws.typepad.com/aws/2013/06/custom-ssl-domain-names-root-domain-hosting-for-amazon-cloudfront.html

but

  1. AWS must approve your request
  2. You pay $600 per month (!) for each SSL certificate associated with one or more CloudFront distributions.

Solution 4

Just want to update this question with the latest AWS news. You can now use HTTPS with CNAMEs on CloudFront as it now supports custom SSL certificates using Server Name Indication (SNI).

http://aws.typepad.com/aws/2014/03/server-name-indication-sni-and-http-redirection-for-amazon-cloudfront.html

Managed to set up a free Class 1 StartSSL cert for my CloudFront distributed static site on S3 without too much trouble (see: CloudFront error when serving over HTTPS using SNI).

Solution 5

It's now possible to use your own SSL certificate for CloudFront with no additional costs. So the $600/month charge is gone.

From AWS newsletter:

You can now use your own SSL certificates with Amazon CloudFront at no additional charge with Server Name Indication (SNI) Custom SSL. SNI is supported by most modern browsers, and provides an efficient way to deliver content over HTTPS using your own domain and SSL certificate. You can use this feature with no additional charge for certificate management; you simply pay normal Amazon CloudFront rates for data transfer and HTTPS requests.
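Solutions 2 through 5 turn on one distribution setting: whether the custom certificate is served via SNI (no extra charge) or via a dedicated IP (the $600/month option). The following is an added example, not code from the original answers or from AWS, that builds the `ViewerCertificate` block of a CloudFront distribution config using the real API field names (`ACMCertificateArn`, `SSLSupportMethod`, `MinimumProtocolVersion`, `CloudFrontDefaultCertificate`) and audits an existing block for the costly or weak settings. The ARN values are constructed placeholders; `viewer_certificate` and `audit_viewer_certificate` are helper names chosen here.

```python
"""Added example, not from the original answers or AWS documentation:
build and audit the ViewerCertificate block of a CloudFront distribution
config so a custom certificate is served via SNI ('sni-only', no extra
charge) rather than a dedicated IP ('vip', the $600/month option the
answers mention).

Field names follow the CloudFront API; every ARN used here is a
constructed placeholder.
"""
import re

ACM_ARN_RE = re.compile(
    r"^arn:aws:acm:(?P<region>[a-z0-9-]+):(?P<account>\d{12}):certificate/[0-9a-f-]+$"
)
# CloudFront only attaches ACM certificates issued in us-east-1.
CLOUDFRONT_ACM_REGION = "us-east-1"
# Security policies CloudFront accepts for MinimumProtocolVersion, weakest first.
PROTOCOL_ORDER = ["SSLv3", "TLSv1", "TLSv1_2016", "TLSv1.1_2016",
                  "TLSv1.2_2018", "TLSv1.2_2019", "TLSv1.2_2021"]
RECOMMENDED_FLOOR = "TLSv1.2_2018"


def viewer_certificate(acm_arn, dedicated_ip=False, min_protocol="TLSv1.2_2021"):
    """Return a ViewerCertificate block for a custom (ACM) certificate.

    Rejects ARNs that are not ACM certificates in us-east-1, since
    CloudFront cannot use them; defaults to SNI and a modern TLS floor.
    """
    m = ACM_ARN_RE.match(acm_arn)
    if not m:
        raise ValueError(f"not an ACM certificate ARN: {acm_arn}")
    if m.group("region") != CLOUDFRONT_ACM_REGION:
        raise ValueError(
            f"CloudFront needs an ACM cert from {CLOUDFRONT_ACM_REGION}, "
            f"got {m.group('region')}"
        )
    if min_protocol not in PROTOCOL_ORDER:
        raise ValueError(f"unknown MinimumProtocolVersion: {min_protocol}")
    return {
        "ACMCertificateArn": acm_arn,
        "SSLSupportMethod": "vip" if dedicated_ip else "sni-only",
        "MinimumProtocolVersion": min_protocol,
        "CloudFrontDefaultCertificate": False,
    }


def audit_viewer_certificate(cfg):
    """List findings for an existing ViewerCertificate block (empty = fine)."""
    findings = []
    if cfg.get("CloudFrontDefaultCertificate"):
        findings.append("default *.cloudfront.net certificate: HTTPS on a "
                        "custom CNAME will fail hostname verification")
        return findings
    if cfg.get("SSLSupportMethod") == "vip":
        findings.append("vip: dedicated-IP custom SSL carries a per-certificate "
                        "monthly fee; sni-only serves the same cert at no charge")
    mpv = cfg.get("MinimumProtocolVersion", "SSLv3")
    if mpv not in PROTOCOL_ORDER:
        findings.append(f"unknown MinimumProtocolVersion {mpv!r}")
    elif PROTOCOL_ORDER.index(mpv) < PROTOCOL_ORDER.index(RECOMMENDED_FLOOR):
        findings.append(f"MinimumProtocolVersion {mpv} allows pre-TLS1.2 "
                        f"clients; raise it to at least {RECOMMENDED_FLOOR}")
    return findings


if __name__ == "__main__":
    # Constructed placeholder ARN (not a real certificate).
    arn = "arn:aws:acm:us-east-1:123456789012:certificate/11111111-2222-3333-4444-555555555555"
    good = viewer_certificate(arn)
    costly = viewer_certificate(arn, dedicated_ip=True, min_protocol="TLSv1")
    print("sni-only config findings:", audit_viewer_certificate(good))
    print("vip config findings:", audit_viewer_certificate(costly))
```

The dict can be dropped into the `DistributionConfig` passed to the CloudFront API or CLI; the audit is the check to run over existing distributions, since `vip` is the only setting that incurs the dedicated-IP charge and the protocol floor decides which older clients can still connect.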

Author: Toby

Updated on March 12, 2020

Comments

  • Toby
    Toby about 4 years

    Does anyone know if it's possible to serve with CloudFront over HTTPS with your own certificate while using your own CNAME? I can't even find a way to set up my own SSL cert over S3... so I'm not sure if this is even possible.

    UPDATE: if someone is interested in an update about this issue: maxcdn.com offers to host your SSL cert on your domain for only a $59 flat fee a month.

    It's not Amazon, but it even supports pulling from your server and hosting forever, or, if you send a cache-control header, for whatever time you specify until it fetches the original URL again.

    the whole offer is pretty neat. :D

  • William Denniss
    William Denniss over 12 years
    Survey completed. CNAME + SSL highlighted as my most important requested feature. Hope others can do this too.
  • Matthew O'Riordan
    Matthew O'Riordan about 12 years
    Done the survey too. Good spot.
  • John Mark Mitchell
    John Mark Mitchell almost 12 years
    I updated the URLs to the survey above. As I took the survey myself I noted that they added a feature ranking exercise. 1 of the 13 suggested features is "CNAME support over HTTPS (custom SSL certificates) - Ability to use custom CNAMEs for SSL traffic delivered over HTTPS." We are on the radar...NOW GET VOTING.
  • John Mark Mitchell
    John Mark Mitchell almost 11 years
    See the edit about where it was announced on June 11, 2013 that AWS CloudFront would start supporting custom SSL Certs.
  • John Mark Mitchell
    John Mark Mitchell about 10 years
    Tim, I suggest you edit your post as this is definitely no longer true and because your post is ranked very high it might draw people to the wrong conclusion.
  • Oskar Kjellin
    Oskar Kjellin over 9 years
    The $600 is only if you use dedicated IPs