Which combination of steps is required to ensure availability of the certificate in the CloudFront console?

By:
In: SCS-C01
Tagged:
With: 1 Comment
A Web Administrator for the website example.com has created an Amazon CloudFront distribution for dev.example.com, with a requirement to configure HTTPS using a custom TLS certificate imported to AWS Certificate Manager.

Which combination of steps is required to ensure availability of the certificate in the CloudFront console?

(Choose two.)

Call UploadServerCertificate with /cloudfront/dev/ in the path parameter.

Import the certificate with a 4,096-bit RSA public key.

Ensure that the certificate, private key, and certificate chain are PKCS #12-encoded.

Import the certificate in the us-east-1 (N. Virginia) Region.

Ensure that the certificate, private key, and certificate chain are PEM-encoded.

Explanations:

The UploadServerCertificate API is not used for CloudFront distributions; it is used for AWS IAM.

CloudFront supports certificates with RSA keys up to 2048-bit; 4096-bit is not necessary.

CloudFront does not require the certificate, private key, and chain to be PKCS #12-encoded. PEM encoding is standard.

CloudFront requires that the custom TLS certificate be imported into the us-east-1 region, regardless of the distribution’s location.

The certificate, private key, and certificate chain must be PEM-encoded for CloudFront to work with the AWS Certificate Manager.

2025-10-13

1 Comment

  1. Amy
    Author

    I appraise that the answer is:
    Import the certificate in the us-east-1 (N. Virginia) Region.

Leave a Reply

Your email address will not be published. Required fields are marked *

twenty − nine =