AWS CloudFront multiple domains with SSL certificates

July 6, 2021

https://aws.amazon.com/premiumsupport/knowledge-center/associate-ssl-certificates-cloudfront/

I’m serving multiple CNAMEs (alternate domain names) through my Amazon CloudFront distribution, and I want to enable Secure Sockets Layer (SSL) or HTTPS for all the associated CNAMEs. Do I need to associate multiple SSL certificates to the CloudFront distribution, using one certificate for each CNAME?

Resolution

You can’t associate more than one SSL or Transport Layer Security (TLS) certificate to an individual CloudFront distribution. However, certificates provided by AWS Certificate Manager (ACM) support up to 10 subject alternative names, including wildcards. To enable SSL or HTTPS for multiple domains served through one CloudFront distribution, assign a certificate from ACM that includes all the required domains.

To use your own SSL certificate for multiple domain names with CloudFront, import your certificate into ACM or the AWS Identity and Access Management (IAM) certificate store. For instructions, see Importing an SSL/TLS Certificate.

 

https://aws.amazon.com/premiumsupport/knowledge-center/multiple-domains-https-cloudfront/

Thomas shows you how to serve multiple domains with SSL using Amazon CloudFront

https://youtu.be/QcHoDO1z-Vk

Issue

I want to serve multiple domains from an Amazon CloudFront distribution over HTTPS. How can I do that?

Resolution

To serve multiple domains from CloudFront over HTTPS, you must add the following values to the settings of your distribution:

  • Enter all domain names in the Alternate Domain Names (CNAMEs) field. For example, to use the domain names example1.com and example2.com, enter both domain names in Alternate Domain Names (CNAMEs).
    Note: Be sure to separate the domain names using commas, or add each domain name on a new line.
  • Add your SSL certificate that is associated with all domain names. You can add a certificate that is either uploaded to AWS Identity and Access Management (IAM), or requested with AWS Certificate Manager (ACM).
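
The requirement above, that one certificate be associated with every alternate domain name, can be checked before the distribution is updated. The following Python is an added example, not AWS code: the function names and sample domains are constructed for illustration, and the 10-name limit is the ACM figure quoted earlier on this page.

```python
ACM_SAN_LIMIT = 10  # subject alternative name limit quoted on this page for ACM

# Constructed sample data (not from a real distribution).
SAMPLE_ALIASES = ["example1.com", "www.example1.com",
                  "example2.com", "cdn.assets.example2.com"]
SAMPLE_CERT_NAMES = ["example1.com", "*.example1.com",
                     "example2.com", "*.example2.com"]


def san_matches(san: str, host: str) -> bool:
    """True if a certificate name (exact or wildcard) covers host."""
    san, host = san.lower().rstrip("."), host.lower().rstrip(".")
    if not san.startswith("*."):
        return san == host
    # A wildcard stands for exactly one left-most label:
    # *.example1.com covers www.example1.com, but neither the apex
    # example1.com nor a deeper name such as a.b.example1.com.
    head, _, tail = host.partition(".")
    return bool(head) and tail == san[2:]


def uncovered_aliases(aliases, cert_names):
    """Return the aliases that no name on the certificate covers."""
    return [a for a in aliases
            if not any(san_matches(s, a) for s in cert_names)]


def check_distribution(aliases, cert_names, san_limit=ACM_SAN_LIMIT):
    """Collect problems to fix before attaching the certificate."""
    problems = []
    if len(cert_names) > san_limit:
        problems.append(
            f"certificate lists {len(cert_names)} names, limit is {san_limit}")
    for alias in uncovered_aliases(aliases, cert_names):
        problems.append(f"alias not covered by certificate: {alias}")
    return problems


if __name__ == "__main__":
    for problem in check_distribution(SAMPLE_ALIASES, SAMPLE_CERT_NAMES):
        print(problem)
```

In the sample, `cdn.assets.example2.com` is reported because `*.example2.com` covers only one label; the certificate would need that name, or `*.assets.example2.com`, added as a further subject alternative name.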

 

https://aws.amazon.com/cloudfront/custom-ssl-domains/

Amazon CloudFront gives you three options for accelerating your entire website while delivering your content securely over HTTPS from all of CloudFront’s edge locations. In addition to delivering securely from the edge, you can also configure the CDN to use HTTPS connections for origin fetches so that your data is encrypted end-to-end from your origin to your end users.

By default, you can deliver your content to viewers over HTTPS by using your CloudFront distribution domain name in your URLs, for example, https://dxxxxx.cloudfront.net/image.jpg. If you want to deliver your content over HTTPS using your own domain name and your own SSL certificate, you can use one of our Custom SSL certificate support features.

Custom SSL options for Amazon CloudFront

SNI Custom SSL

Server Name Indication (SNI) Custom SSL relies on the SNI extension of the Transport Layer Security protocol, which allows multiple domains to serve SSL traffic over the same IP address. Amazon CloudFront delivers your content from each edge location and offers the same security as the Dedicated IP Custom SSL feature (see below).

When you use SNI Custom SSL, some users may not be able to access your content because some older browsers do not support SNI and will not be able to establish a connection with CloudFront to load the HTTPS version of your content. For more information on SNI, including a list of supported browsers, please visit our FAQ page.

There is no separate pricing for this feature. You can use SNI Custom SSL with no upfront or monthly fees for certificate management; you simply pay normal Amazon CloudFront rates for data transfer and HTTPS requests.

Setup is easy: simply follow the instructions outlined in the CloudFront Developer Guide and start serving your content quickly and securely.

Dedicated IP Custom SSL

If you need to deliver content to browsers that don’t support SNI, you can use the Dedicated IP Custom SSL feature. For this feature the Amazon content delivery network allocates dedicated IP addresses to serve your SSL content at each Edge location.

To use Dedicated IP Custom SSL certificate support, upload an SSL certificate and use the AWS Management Console to associate it with your CloudFront distributions. If you need to associate more than two custom SSL certificates with your AWS Account, please include details about your use case and the number of custom SSL certificates you intend to use in the CloudFront Limit Increase Form.

Pricing for Dedicated IP Custom SSL is simple. Because of the added cost associated with dedicating IP addresses per SSL certificate, we charge a fixed monthly fee of $600 for each custom SSL certificate you associate with your content delivery network distributions, pro-rated by the hour. For example, if you had your custom SSL certificate associated with at least one CloudFront distribution for just 24 hours (i.e. 1 day) in the month of June, your total charge for using the custom SSL certificate feature in June will be (1 day / 30 days) * $600 = $20. Detailed pricing information for the Custom SSL Certificate feature is available on the CloudFront Pricing Page.

 
