2 Answers
It is a misleading statement. Once a certificate is created or imported in ACM, it can be used for both CloudFront and ELB. Sure, they are configured in different places, but of course they are: once in CloudFront and once in ELB. But as far as ACM is concerned, it is the exact same cert used in two different places.
See "Associated Resources" in this screenshot: https://s3.amazonaws.com/my-acg-discussion-files/Screen_Shot_2019-04-05_21.43.22.png
It’s a semantic thing on Ryan’s part. I think that lecture needs to be re-recorded to clear that up. He just needs to state that CloudFront and ELB can use the same cert, but that both services need to make their own requests to ingest that cert. He should also mention that there is a growing list of AWS services that integrate with ACM (CloudFront, ELB, API Gateway, Elastic Beanstalk, CloudFormation).
He also needs to state that a custom cert for CloudFront MUST be in the N. Virginia region. While this last bit might not be on the exam, it’s good to know that at this time (early 2019) this is still a requirement for custom certs for CloudFront.
From my recent experience (Nov 2019), a custom cert for CloudFront could be in other regions and not necessarily N. Virginia. So, that restriction does not apply any more.
No, he said that you have to use separate certificates; they can be the same, but configured separately.