AWS Certified Solutions Architect - Professional 2020


Wildcard cert and SNI in cloudfront

In the CloudFront lecture, it’s stated that one needs to use SNI if a custom wildcard SSL cert is used. I am a bit confused with this statement, as I think SNI is unnecessary in this situation since a wildcard cert is valid for any of my hosts, so long as they all share the same parent domain.

Please advise

Thanks

1 Answer

Hi David,

SNI is required for any cert that you want to put in front of CloudFront unless you opt for the static IP deployment. The reason is that the CloudFront systems have their own DNS names, usually something like hfdushoewifeofh.cloudfront.net, and your domain is really just CNAMEd to that CloudFront domain. Thus, it would not validate against your mydomain.com certificate. Hence, SNI is needed to permit that certificate to work with multiple domain names.

If in doubt, try it out by creating a CloudFront deployment for some S3 docs and use ACM to create some certs. Try it with and without SNI.

–Scott
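The certificate-selection problem Scott describes, as an added model that is not code from the course or from either post. It assumes a constructed shared edge that serves several tenants from one IP address, a default `*.cloudfront.net` certificate, and two constructed tenant certificates; the hostnames and the single-label wildcard rule (RFC 6125 style: `*.mydomain.com` covers `www.mydomain.com` but not `mydomain.com` or `a.b.mydomain.com`) are the only assumptions. The model also covers the dedicated-IP alternative, where the destination address alone identifies the tenant and SNI is not needed.

```python
"""Why a shared CloudFront edge needs SNI even when the tenant holds a wildcard
cert. Added illustration; hostnames, certificates and edge behaviour are all
constructed for this example."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Cert:
    """A server certificate reduced to its label and subjectAltName dNSNames."""
    label: str
    names: List[str]  # e.g. "*.mydomain.com"


def name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: a leading wildcard covers exactly one label,
    so *.mydomain.com matches www.mydomain.com but not mydomain.com
    or a.b.mydomain.com. Comparison is case-insensitive."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def cert_valid_for(cert: Cert, hostname: str) -> bool:
    """True if the client would accept this cert for the hostname it typed."""
    return any(name_matches(n, hostname) for n in cert.names)


# Constructed model of one shared edge: one IP address, several tenants.
EDGE_DEFAULT_CERT = Cert("cloudfront-default", ["*.cloudfront.net"])
TENANT_CERTS = [
    Cert("tenant-a", ["*.mydomain.com", "mydomain.com"]),
    Cert("tenant-b", ["shop.example.org"]),
]


def edge_select_cert(sni_hostname: Optional[str],
                     ip_owner_cert: Optional[Cert] = None) -> Cert:
    """What the edge can do at ClientHello time.

    - Dedicated IP: the address the client connected to already identifies
      the tenant, so the edge serves that tenant's cert without SNI.
    - Shared IP with SNI: look up the tenant whose cert covers the name.
    - Shared IP without SNI: the edge only knows the IP, which every tenant
      shares, so all it can present is its own default cert."""
    if ip_owner_cert is not None:
        return ip_owner_cert
    if sni_hostname is None:
        return EDGE_DEFAULT_CERT
    for cert in TENANT_CERTS:
        if cert_valid_for(cert, sni_hostname):
            return cert
    return EDGE_DEFAULT_CERT


def client_handshake(hostname: str, send_sni: bool = True,
                     dedicated_ip_cert: Optional[Cert] = None) -> Tuple[str, bool]:
    """Returns (label of cert presented, whether validation succeeds).

    The client validates against the hostname it intended to reach
    (www.mydomain.com), never against the CNAME target under cloudfront.net,
    so the wildcard cert only helps if the edge actually presents it."""
    cert = edge_select_cert(hostname if send_sni else None, dedicated_ip_cert)
    return cert.label, cert_valid_for(cert, hostname)


if __name__ == "__main__":
    for host, sni, dedicated in [
        ("www.mydomain.com", True, None),
        ("www.mydomain.com", False, None),
        ("www.mydomain.com", False, TENANT_CERTS[0]),
        ("a.b.mydomain.com", True, None),
    ]:
        label, ok = client_handshake(host, sni, dedicated)
        mode = "dedicated IP" if dedicated else ("SNI" if sni else "no SNI")
        print(f"{host:20} {mode:12} -> {label:18} valid={ok}")
```

Running the script shows the three outcomes the answer lists: with SNI the edge presents `tenant-a` and validation passes; without SNI on the shared IP it presents the default `*.cloudfront.net` cert and validation fails; on a dedicated IP the cert is right even without SNI. The fourth line is the separate caveat from the question: a wildcard is not "any of my hosts", since `a.b.mydomain.com` is two labels deep and is not covered by `*.mydomain.com`.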
