How to Change an AWS ACM Certificate on Amazon CloudFront Distribution

This article was written by Irene Bonso, who is currently thriving as a Junior Software Engineer at Tutorials Dojo and is also an active member of the AWS Community Builder Program. She is focused on gaining knowledge and making it accessible to a broader audience through her contributions and insights.

Before going into the steps for replacing an SSL/TLS certificate issued by AWS Certificate Manager (ACM), it helps to understand what the service does and why it is used. That context explains the choices made in the steps that follow.

What is the AWS Certificate Manager (ACM)?

AWS Certificate Manager (ACM) is a service that facilitates the easy provisioning, management, and deployment of SSL/TLS certificates, both public and private. These certificates are crucial for securing network communications and validating the identity of websites on the Internet and resources within private networks.

Validating the AWS ACM Certificate Domain Ownership

Before Amazon's certificate authority (CA) can issue a certificate for your site, AWS Certificate Manager (ACM) must verify that you own or control every domain name in the request. When you submit the request, you choose one of two validation methods: Domain Name System (DNS) validation or email validation.

  • DNS Validation – You add a CNAME record that ACM generates to your domain's DNS zone. As long as that record stays in place, ACM renews the certificate automatically with no further action from you. This is the recommended method, and it is especially convenient with Amazon Route 53, where the ACM console can create the record for you.

  • Email Validation – ACM emails the domain's WHOIS contacts and the standard administrative addresses (such as admin@ and hostmaster@), and renewal requires someone to act on a validation email. Renewal notices go out starting 45 days before expiration, and ACM also posts them to the AWS Health Dashboard. Note that a certificate's validation method cannot be changed after it is requested: an email-validated certificate cannot be switched to DNS validation. To move to DNS validation, request a new DNS-validated certificate and then replace the old one on the distribution, which is what the steps below do.

Changing the AWS ACM Certificate on Amazon CloudFront Distribution

Step 1: Open the Amazon CloudFront console and click Distributions.

Step 2: Select the distribution that uses the certificate you wish to replace, and on the General tab click Edit.

Step 3: Under Custom SSL certificate, select the newly issued DNS-validated certificate from the dropdown. Only certificates that ACM issued in the US East (N. Virginia) Region (us-east-1), that are in the Issued state, and that cover all of the distribution's alternate domain names (CNAMEs) appear here; if yours is missing from the list, check those three things first.

Step 4: Click Save changes.

The distribution's settings are now updated, but the change takes effect only after CloudFront propagates it to its edge locations. Wait until the distribution's status shows Deployed before verifying.
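The same change done from a script instead of the console, as an added example that is not part of the original article. It uses boto3 (the AWS SDK for Python); the distribution ID, account number and certificate ARNs are made-up placeholders, and the AWS calls only run from main(), so the checking helpers can be exercised offline.

```python
"""Swap the ACM certificate on a CloudFront distribution from a script.

Example code added to illustrate the console steps above; it is not the
article's own code. Distribution ID, account number and certificate ARNs
are placeholders. The AWS calls live in rotate_certificate(); the helpers
above it are pure so they work without the SDK or credentials.
"""
import copy
import re
import sys

# CloudFront accepts only ACM certificates issued in the us-east-1 Region.
_CF_ACM_ARN = re.compile(
    r"^arn:aws:acm:us-east-1:\d{12}:certificate/"
    r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$"
)

# Constructed placeholders (not real certificates).
OLD_ARN = "arn:aws:acm:us-east-1:123456789012:certificate/11111111-2222-3333-4444-555555555555"
NEW_ARN = "arn:aws:acm:us-east-1:123456789012:certificate/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"

# Constructed, trimmed DistributionConfig in the shape get_distribution_config returns.
SAMPLE_CONFIG = {
    "Aliases": {"Quantity": 1, "Items": ["media.tutorialsdojo.com"]},
    "ViewerCertificate": {
        "ACMCertificateArn": OLD_ARN,
        "SSLSupportMethod": "sni-only",
        "MinimumProtocolVersion": "TLSv1.2_2021",
        "CloudFrontDefaultCertificate": False,
    },
}


def is_cloudfront_usable_arn(arn: str) -> bool:
    """True if arn names an ACM certificate in us-east-1, the only Region CloudFront accepts."""
    return _CF_ACM_ARN.match(arn) is not None


def _name_matches(cert_name: str, host: str) -> bool:
    """Match a certificate name against a host; a wildcard covers exactly one label."""
    cert_name, host = cert_name.lower().rstrip("."), host.lower().rstrip(".")
    if cert_name.startswith("*."):
        suffix = cert_name[1:]  # "*.example.com" -> ".example.com"
        return host.endswith(suffix) and "." not in host[: -len(suffix)]
    return cert_name == host


def uncovered_aliases(cert_names, aliases):
    """Return the distribution's alternate domain names that the certificate does not cover."""
    return [a for a in aliases if not any(_name_matches(n, a) for n in cert_names)]


def with_new_certificate(dist_config: dict, cert_arn: str) -> dict:
    """Return a copy of a DistributionConfig whose ViewerCertificate points at cert_arn.

    Keeps the existing SSLSupportMethod and MinimumProtocolVersion when present and
    otherwise falls back to sni-only / TLSv1.2_2021, the current console defaults.
    """
    if not is_cloudfront_usable_arn(cert_arn):
        raise ValueError(f"not a us-east-1 ACM certificate ARN: {cert_arn}")
    cfg = copy.deepcopy(dist_config)
    old = cfg.get("ViewerCertificate", {})
    cfg["ViewerCertificate"] = {
        "ACMCertificateArn": cert_arn,
        "CloudFrontDefaultCertificate": False,
        "SSLSupportMethod": old.get("SSLSupportMethod", "sni-only"),
        "MinimumProtocolVersion": old.get("MinimumProtocolVersion", "TLSv1.2_2021"),
    }
    return cfg


def rotate_certificate(distribution_id: str, cert_arn: str) -> None:
    """Live version of console Steps 1-4: read the config, check the certificate, write it back."""
    import boto3  # imported here so the pure helpers above run without the SDK installed

    acm = boto3.client("acm", region_name="us-east-1")
    cert = acm.describe_certificate(CertificateArn=cert_arn)["Certificate"]
    if cert["Status"] != "ISSUED":
        raise RuntimeError(f"certificate is {cert['Status']}, not ISSUED; finish validation first")

    cf = boto3.client("cloudfront")
    current = cf.get_distribution_config(Id=distribution_id)
    config = current["DistributionConfig"]
    aliases = config.get("Aliases", {}).get("Items", [])
    names = [cert["DomainName"], *cert.get("SubjectAlternativeNames", [])]
    missing = uncovered_aliases(names, aliases)
    if missing:
        raise RuntimeError(f"certificate does not cover these alternate domain names: {missing}")

    # IfMatch carries the ETag, so a concurrent edit is rejected instead of silently overwritten.
    cf.update_distribution(
        Id=distribution_id,
        IfMatch=current["ETag"],
        DistributionConfig=with_new_certificate(config, cert_arn),
    )
    # The change is not live until every edge location has the new config (status Deployed).
    cf.get_waiter("distribution_deployed").wait(Id=distribution_id)


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: rotate_cf_cert.py <distribution-id> <new-acm-certificate-arn>")
    rotate_certificate(sys.argv[1], sys.argv[2])
```

The three pre-checks (Region, Issued state, alias coverage) are the same three reasons a certificate fails to appear in the console dropdown; doing them in code turns a silent "not in the list" into an explicit error. The waiter at the end mirrors waiting for the Deployed status before verifying.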

Verifying the New AWS ACM Certificate

Step 1: Browse to the domain, e.g., media.tutorialsdojo.com.

Step 2: Click the padlock (site information) icon to the left of the address, select Connection is secure, then Certificate is valid to open the certificate viewer.

Step 3: On the Details tab, note the certificate's serial number. The viewer also shows the validity dates, which should now reflect the new certificate.

Step 4: In the ACM console, open the new DNS-validated certificate and compare its serial number with the one the browser shows. A match confirms that the edge served the new certificate. If the serial still belongs to the old certificate, the deployment may not have finished yet, or the browser may still be using a connection opened before the change; retry after the distribution shows Deployed, or check from a fresh private window.
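The same comparison done with a script, as an added example that is not part of the original article. It opens a TLS connection with SNI (as a browser does), reads the serial number the edge actually served, and compares it with the serial ACM reports, normalizing the different spellings (the browser's spaced uppercase hex, ACM's colon-separated lowercase hex, and the bare hex that Python's ssl module returns). The hostname and ARN are given on the command line; the sample certificate dictionary is constructed for the offline checks.

```python
"""Check that the certificate CloudFront serves matches the one ACM shows.

Example code added for the verification steps above; not the article's own.
The live check needs network access and, for the ACM side, boto3 and
credentials; the helpers at the top are pure and run offline.
"""
import socket
import ssl
import sys

# Constructed sample in the shape ssl.getpeercert() returns; values are made up.
SAMPLE_PEER_CERT = {
    "subject": ((("commonName", "media.tutorialsdojo.com"),),),
    "subjectAltName": (("DNS", "media.tutorialsdojo.com"), ("DNS", "*.tutorialsdojo.com")),
    "serialNumber": "0A1B2C3D4E5F60718293A4B5C6D7E8F9",
    "notAfter": "Jun  1 23:59:59 2025 GMT",
}


def normalize_serial(serial: str) -> str:
    """Canonical form of a serial shown by a browser ("0A 1B 2C"), by the ACM console
    or describe-certificate ("0a:1b:2c"), or by ssl.getpeercert() ("0A1B2C")."""
    digits = "".join(c for c in serial.lower() if c in "0123456789abcdef")
    return digits.lstrip("0") or "0"


def serials_match(a: str, b: str) -> bool:
    return normalize_serial(a) == normalize_serial(b)


def san_dns_names(cert: dict) -> list:
    """DNS names from a getpeercert() dict; subjectAltName is a tuple of (type, value) pairs."""
    return [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"]


def fetch_edge_certificate(hostname: str, port: int = 443, timeout: float = 5.0) -> dict:
    """TLS-connect with SNI and return the leaf certificate the edge served.

    The default context verifies the chain and hostname, so a certificate the
    browser would reject raises ssl.SSLCertVerificationError here as well.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


def acm_serial(cert_arn: str) -> str:
    """Serial number ACM records for the certificate (what the console's details page shows)."""
    import boto3  # imported lazily so the offline helpers do not need the SDK

    acm = boto3.client("acm", region_name="us-east-1")  # CloudFront certificates live here
    return acm.describe_certificate(CertificateArn=cert_arn)["Certificate"]["Serial"]


def verify(hostname: str, expected_serial: str) -> bool:
    """Console Steps 1-4 in one call: fetch the served cert and compare serials."""
    cert = fetch_edge_certificate(hostname)
    served = cert["serialNumber"]
    ok = serials_match(served, expected_serial)
    print(f"served serial : {served}")
    print(f"expected      : {expected_serial}")
    print(f"valid until   : {cert['notAfter']}")
    print(f"SANs          : {', '.join(san_dns_names(cert))}")
    if ok:
        print("MATCH: the edge served the new certificate")
    else:
        print("MISMATCH: deployment may still be in progress, or the wrong distribution was edited")
    return ok


if __name__ == "__main__":
    # usage: verify_cf_cert.py <hostname> <serial-number or ACM certificate ARN>
    if len(sys.argv) != 3:
        sys.exit("usage: verify_cf_cert.py <hostname> <serial-or-acm-arn>")
    host, ref = sys.argv[1], sys.argv[2]
    expected = acm_serial(ref) if ref.startswith("arn:aws:acm:") else ref
    sys.exit(0 if verify(host, expected) else 1)
```

Because each run opens a new connection, the script does not suffer from the stale keep-alive connection a browser can keep after the change, which makes it a cleaner check than reloading the page. Running it from a few locations (or repeatedly over a couple of minutes) shows when all edges have picked up the new certificate.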

In summary, we have shown how to replace an ACM-issued SSL/TLS certificate on a CloudFront distribution. We began with what AWS Certificate Manager (ACM) does: it provisions, manages, and deploys SSL/TLS certificates, which secure network communications and authenticate the identity of websites and other resources.

We covered the two methods for validating domain ownership: DNS validation, recommended because ACM renews such certificates automatically as long as the validation record stays in place (and easiest to set up with Amazon Route 53), and email validation, which requires manual action at renewal and cannot be switched to DNS validation after the certificate is requested.

Next, we walked through the step-by-step update of the certificate on the CloudFront distribution, including the requirements a certificate must meet to appear in the dropdown. Lastly, we verified that the new certificate is being served by matching the serial number shown in the browser with the one shown in ACM. With these steps, the certificate on the CloudFront distribution has been replaced and verified, keeping the domain's traffic encrypted and authenticated.


* This newsletter was sourced from this Tutorials Dojo article.

Ace Batacandulo

AWS Certified | Junior Cloud Consultant, Tutorials Dojo Pte. Ltd. | Co-Lead Organizer K8SUG Philippines | Content, Google Developer Groups Cloud Manila

10 hours ago

Love this
