What? SSL Certificate for CDN? Yes, indeed. Your web admin might forget that too!

– using https link, you got missing images in a post (image not being displayed)
– then when you copy and paste the image’s URL in a browser (Firefox, Chrome and the like) , you get SSL warning

SSL Certificate produces warning

Missing SSL certificate can produce a nasty warning that can put doubt in your reputation

So, with https become the new standard for any website, we all become quite familiar with the importance of an SSL certificate.

While the utmost important function is to provide a key to encrypt/decrypt the content of our website to the visitor’s browser, we usually more worry if the visitor gets that SSL Warning saying that the connection is not secure. Which implied not to trust our website. Oh, no, no, no. Our website is of-course trustworthy, right?

Thanks for the goodness of Let’s Encrypt movement and the magic of Cloudflare‘s one-click SSL we should be able to get the basic SSL certificate for free and your visitor will never get that warning no more.

Your CDN need SSL Certificate too

Yes, your website may have already implement end-to-end encryption like the illustration below. But now that you have put all your static file in your CDN, Content Delivery Network such as Amazon CloudFront –  the https delivery from that end would require an SSL certificate too.

[Flow Of Content]

Your static contents come directly from CDN, so if it is in https, it needs an SSL certificate.

Well, of course, unless you deliberately did not put an https link in that cool picture on your blog post, for example.

But if that’s the case, you will get a different problem, called a “Mixed Content Warning” – which basically said that the content from your website is not thoroughly secured (i.e: the posting is secured, but the picture is not)

SSL Certificate for your CDN Bucket

In order to get an SSL Certificate for your CDN distribution, you need to know all the domain name/sub-domain name that is used for that particular bucket.  For example, in Amazon CloudFront example, it usually comes as

[distribution name].cloudfront.net

Then, you can use other sub-domain, such as static.yourwebsite.com – or totally different domain name as an alias (entered as CNAME record on DNS system).

Having another domain that is different with your main domain name (i.e not the sub-domain) will allow you to deliver the static file without a cookie. This will speed up the website delivery.

SSL Certificate from Amazon CloudFront

Amazon CloudFront provides a free SSL Certificate for this very purpose. And it will be renewed automatically as well. Let’s go through the actual step in order to setup it once and for all.

  • Login to your AWS Console https://aws.amazon.com/console/.
  • Click the service “Networking & Content Delivery” => CloudFront
  • Click the particular distribution that you want. And you should get into a screen as illustrated below. See the highlighted part. They are the domain names to deliver the content.
  • Click the “Edit” Button.
    Make sure you include http/2 version for faster delivery and enable IPv6.
  • Then click that “Request or Import Certificate with ACM” button in the middle, under “SSL Certificate” field.
  • Then it will bring you to the step to request the certificate. See below picture.
    Fill up all the domain name and click “Next”

    • Note: you do not need to include the CloudFront’s subdomain, just all the additional domains. If you add the CloudFront domain, the request will be failed straight away. I guess because you will never know how to prove the *.cloudfront.net ownership.

Domain Validation

  • After that, you have 2 choices to validate the ownership of your domain
    • DNS Validation: basically just need to add a CNAME record on the official DNS of the domain./li>
      • Note: if you use Cloudflare, make sure you did not activate the orange cloud (not cache) otherwise it will never get resolved.
    • Email Validation: Amazon will email the whois record for Domain registrant, Technical contact, Administrative contact. If your email address is hidden under privacy feature, then this will not work. Just use the DNS validation above.
  • Go to your DNS record and add the additional CNAME record as displayed. Once resolved Amazon will automatically assign the certificate to your distribution.
    • Note: be careful with the extra dot at the end of the CNAME field. Do not include the dot when adding the record.
    • And also do not repeat the domain name. In this case for example, put “_79175a06c884de2f2c2f5014ea8b6be8.imbm” (without “b4g.info.”) as the additional record in the DNS.
  • It will take some time (few minutes up to few hours) until the DNS propagated and the DNS validation done. When it is, the status of the certificate will change from “Pending Validation” to “Issued“.
  • Now, go back to the screen where you press the button to request the certificate (Edit distribution’s property screen). If you just click the text area above that button, now you can select that new certificate. Choose it and then save the properties.
  • The final step would be just tested the certificate to display an image using https on your browser. You should not be getting any warning message. And some of those “missing” images may have suddenly re-appeared as the SSL warning is no longer lurking.


  • If you use https, your CDN need to have an SSL certificate as well.
  • Your CDN provider should already have a solution to handle this problem.
    • For Amazon CloudFront, automated SSL certificate can be requested whenever needed. And it is free and relatively easy..
    • Check with your CDN company for their own solution for issuing SSL Certificate for the content of the distribution.

Thank you for reading.
Follow Us on Twitter. @imbm.