Rotating SSL/TLS certificates - Amazon CloudFront
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China.

Rotating SSL/TLS certificates

If you're using certificates provided by Amazon Certificate Manager (ACM), you don't need to rotate SSL/TLS certificates. ACM manages certificate renewals for you. For more information, see Managed Renewal in the Amazon Certificate Manager User Guide.


ACM does not manage certificate renewals for certificates that you acquire from third-party certificate authorities and import into ACM.

If you're using a third-party certificate authority and you imported certificates into ACM (recommended) or uploaded them to the IAM certificate store, you must occasionally replace one certificate with another. For example, you must replace a certificate when the expiration date on the certificate approaches.


If you configured CloudFront to serve HTTPS requests by using dedicated IP addresses, you might incur an additional, pro-rated charge for using one or more additional certificates while you're rotating certificates. We recommend that you update your distributions promptly to minimize the additional charge.

To rotate certificates, perform the following procedure. Viewers can continue to access your content while you rotate certificates as well as after the process is complete.

To rotate SSL/TLS certificates

  1. Increasing the quotas for SSL/TLS certificates to determine whether you need permission to use more SSL certificates. If so, request permission and wait until permission is granted before you continue with step 2.

  2. Import the new certificate into ACM or upload it to IAM. For more information, see Importing an SSL/TLS Certificate in the Amazon CloudFront Developer Guide.

  3. Update your distributions one at a time to use the new certificate. For more information, see Listing, Viewing, and Updating CloudFront Distributions in the Amazon CloudFront Developer Guide.

  4. (Optional) After you have updated all of your CloudFront distributions, you can delete the old certificate from ACM or from IAM.


    Do not delete an SSL/TLS certificate until you remove it from all distributions and until the status of the distributions that you have updated has changed to Deployed.