Is it possible to use a custom certificate issued by a private certificate authority with custom origin behind CloudFront?
One day an engineer on my team came up with this question.
There was no quick answer available, so I started digging, and here is what I found.
CloudFront's docs on CNAMEs and HTTPS requirements say:
CloudFront supports all types of certificates issued by a trusted certificate authority.
A CloudFront to custom origin setup can only work with trusted third-party CAs:
For origins other than Elastic Load Balancing load balancers, you must use a certificate that is signed by a trusted third-party certificate authority (CA), for example, Comodo, DigiCert, or Symantec.
In more detail, the CloudFront docs explain that they support the same CAs that Mozilla does:
When CloudFront uses HTTPS to communicate with your origin, CloudFront verifies that the certificate was issued by a trusted certificate authority. CloudFront supports the same certificate authorities that Mozilla does. For the current list, see Mozilla Included CA Certificate List. You can’t use a self-signed certificate for HTTPS communication between CloudFront and your origin.
AWS also emphasizes in the docs that:
Important: If the origin server returns an expired certificate, an invalid certificate, or a self-signed certificate, or if the origin server returns the certificate chain in the wrong order, CloudFront drops the TCP connection, returns HTTP status code 502 (Bad Gateway) to the viewer, and sets the X-Cache header to Error from cloudfront. Also, if the full chain of certificates, including the intermediate certificate, is not present, CloudFront drops the TCP connection.
Summarising the above: no, it is not possible to set up CloudFront with a custom origin using a certificate issued by a private certificate authority or a self-signed certificate.
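The conditions quoted from the docs (trusted root, full chain including the intermediate, correct chain order, not expired) can all be checked before pointing CloudFront at an origin. The script below is an added example, not code from the original article or from AWS; it assumes the openssl CLI is installed, builds a throwaway private PKI under the made-up name "Example Corp" so it runs fully offline, and uses the local system trust store as a stand-in for Mozilla's CA list. The first check is the one that fails for a private CA no matter how the rest of the chain is assembled, which is exactly why internal clients trust the origin while CloudFront answers 502.

```shell
#!/bin/sh
# Added pre-flight check for a CloudFront custom origin certificate chain.
# Assumption: the openssl CLI is available. Every certificate is constructed
# here (private root -> intermediate -> origin leaf), nothing is fetched.
set -e

WORK=$(mktemp -d)

# Build the sample private PKI. "Example Corp" and origin.example.internal are made up.
make_private_pki() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:origin.example.internal\n' > "$WORK/leaf.ext"

  # Self-signed private root (the kind that is trusted on company devices only).
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Example Corp Private Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.csr" >/dev/null 2>&1
  openssl x509 -req -sha256 -days 30 -in "$WORK/root.csr" -signkey "$WORK/root.key" \
    -extfile "$WORK/ca.ext" -out "$WORK/root.pem" >/dev/null 2>&1

  # Intermediate (issuing) CA signed by the root.
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Example Corp Issuing CA" \
    -keyout "$WORK/inter.key" -out "$WORK/inter.csr" >/dev/null 2>&1
  openssl x509 -req -sha256 -days 30 -in "$WORK/inter.csr" -CA "$WORK/root.pem" \
    -CAkey "$WORK/root.key" -CAcreateserial -extfile "$WORK/ca.ext" -out "$WORK/inter.pem" >/dev/null 2>&1

  # Origin (leaf) certificate signed by the intermediate.
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=origin.example.internal" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
  openssl x509 -req -sha256 -days 30 -in "$WORK/leaf.csr" -CA "$WORK/inter.pem" \
    -CAkey "$WORK/inter.key" -CAcreateserial -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" >/dev/null 2>&1

  # The chain an origin should send (leaf first, then intermediate) and a mis-ordered one.
  cat "$WORK/leaf.pem" "$WORK/inter.pem" > "$WORK/chain-correct.pem"
  cat "$WORK/inter.pem" "$WORK/leaf.pem" > "$WORK/chain-wrong-order.pem"
}

# Check 1 (CloudFront's view): does the chain anchor in the public trust store?
# openssl verify without -CAfile uses the system bundle, a proxy for Mozilla's list.
anchored_in_public_roots() {
  openssl verify -untrusted "$WORK/inter.pem" "$WORK/leaf.pem" >/dev/null 2>&1
}

# Same chain, but trusting the private root: this is the company-device view
# and explains why "it works for us" does not mean it works for CloudFront.
anchored_in_private_root() {
  openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/inter.pem" "$WORK/leaf.pem" >/dev/null 2>&1
}

# Check 2: a leaf sent without its intermediate cannot be chained, even to a trusted root.
verifies_without_intermediate() {
  openssl verify -CAfile "$WORK/root.pem" "$WORK/leaf.pem" >/dev/null 2>&1
}

# Check 3: chain order. Each certificate's issuer must equal the next certificate's subject.
chain_in_order() {
  dir=$(mktemp -d)
  awk -v d="$dir" '/BEGIN CERT/{n++; f=sprintf("%s/%02d.pem", d, n)} {print > f}' "$1"
  prev_issuer=""
  for cert in "$dir"/*.pem; do
    subject=$(openssl x509 -noout -subject -in "$cert" | sed 's/^subject=//')
    if [ -n "$prev_issuer" ] && [ "$prev_issuer" != "$subject" ]; then
      return 1
    fi
    prev_issuer=$(openssl x509 -noout -issuer -in "$cert" | sed 's/^issuer=//')
  done
  return 0
}

# Check 4: expiry. -checkend 0 succeeds only if the certificate is still valid now.
not_expired() {
  openssl x509 -noout -checkend 0 -in "$1" >/dev/null 2>&1
}

make_private_pki
report() { if "$@"; then echo "PASS: $*"; else echo "FAIL: $*"; fi; }
report anchored_in_public_roots                       # FAIL: what CloudFront sees
report anchored_in_private_root                       # PASS: what company devices see
report verifies_without_intermediate                  # FAIL: intermediate missing
report chain_in_order "$WORK/chain-correct.pem"       # PASS
report chain_in_order "$WORK/chain-wrong-order.pem"   # FAIL: wrong order
report not_expired "$WORK/leaf.pem"                   # PASS
```

Against a real origin you would replace the constructed files with the chain the server actually presents (for example the output of `openssl s_client -showcerts`), keep the default trust store for check 1, and treat any FAIL as the 502 the docs describe.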
But why do I need to know that?
Because large enterprise companies often run internal CAs for internal purposes. Certificates from such a CA are trusted on company devices, so someone who is not aware of the above may instruct you to use one for a CloudFront origin.
This short article can help you quickly provide the supporting documentation if you are asked whether that is possible, or are requested to use your own certificate in such a scenario.