All alternate domain names (CNAMEs) must be lowercase.
Alternate domain names must be covered by a valid SSL/TLS certificate
To add an alternate domain name (CNAME) to a CloudFront distribution, you must attach to your distribution a trusted, valid SSL/TLS certificate that covers the alternate domain name. This ensures that only people with access to your domain’s certificate can associate with CloudFront a CNAME related to your domain.
A trusted certificate is one that is issued by AWS Certificate Manager (ACM) or by another valid certificate authority (CA). You can use a self-signed certificate to validate an existing CNAME, but not for a new CNAME. CloudFront supports the same certificate authorities as Mozilla. For the current list, see Mozilla Included CA Certificate List.
To verify an alternate domain name by using the certificate that you attach, including alternate domain names that include wildcards, CloudFront checks the subject alternative name (SAN) on the certificate. The alternate domain name that you’re adding must be covered by the SAN.
Note: Only one certificate can be attached to a CloudFront distribution at a time.
You prove that you are authorized to add a specific alternate domain name to your distribution by doing one of the following:
Attaching a certificate that includes the alternate domain name, like product-name.example.com.
Attaching a certificate that includes a * wildcard at the beginning of a domain name, to cover multiple subdomains with one certificate. When you specify a wildcard, you can add multiple subdomains as alternate domain names in CloudFront.
The following examples illustrate how a wildcard in a domain name on a certificate authorizes you to add specific alternate domain names in CloudFront.
You want to add marketing.example.com as an alternate domain name. You list in your certificate the following domain name: *.example.com. When you attach this certificate to CloudFront, you can add any alternate domain name for your distribution that replaces the wildcard at that level, including marketing.example.com. You can also, for example, add the following alternate domain names:
product.example.com
api.example.com
However, you can’t add alternate domain names that are at levels higher or lower than the wildcard. For example, you can’t add the alternate domain names example.com or marketing.product.example.com.
You want to add example.com as an alternate domain name. To do this, you must list the domain name example.com itself on the certificate that you attach to your distribution.
You want to add marketing.product.example.com as an alternate domain name. To do this, you can list *.product.example.com on the certificate, or you can list marketing.product.example.com itself on the certificate.
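The coverage rules in the examples above can be checked before you attach a certificate. The following Python sketch is an added example, not AWS code or CloudFront's own validation logic; the function names san_covers and uncovered_names are hypothetical, and the SAN list is a constructed sample.

```python
# Added illustration: models the coverage rules described in the text,
# not CloudFront's implementation. Function names are hypothetical.

def san_covers(san: str, name: str) -> bool:
    """Return True if a single SAN entry covers the alternate domain name."""
    san_labels = san.lower().rstrip(".").split(".")
    name_labels = name.split(".")
    if san_labels == name_labels:
        return True  # the name itself is listed on the certificate
    if san_labels[0] != "*":
        return False
    # A leading wildcard replaces exactly one label at that level:
    # same number of labels, and every label after the first must match.
    return (len(name_labels) == len(san_labels)
            and name_labels[0] != ""
            and name_labels[1:] == san_labels[1:])


def uncovered_names(cert_sans, alternate_names):
    """Map each alternate name that fails a rule to the reason it fails."""
    problems = {}
    for name in alternate_names:
        if name != name.lower():
            problems[name] = "not lowercase"
        elif not any(san_covers(san, name) for san in cert_sans):
            problems[name] = "not covered by any SAN"
    return problems


if __name__ == "__main__":
    # Constructed sample: SAN entries of a hypothetical certificate.
    sans = ["*.example.com"]
    wanted = [
        "marketing.example.com",          # replaces the wildcard: covered
        "api.example.com",                # same level: covered
        "example.com",                    # one level above the wildcard
        "marketing.product.example.com",  # one level below the wildcard
        "Product.example.com",            # violates the lowercase rule
    ]
    for name, reason in uncovered_names(sans, wanted).items():
        print(f"{name}: {reason}")
```
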
Permission to change DNS configuration
When you add alternate domain names, you must create CNAME records to route DNS queries for the alternate domain names to your CloudFront distribution. To do this, you must have permission to create CNAME records with the DNS service provider for the alternate domain names that you’re using. Typically, this means that you own the domains, but you might be developing an application for the domain owner.
Alternate domain names and HTTPS
If you want viewers to use HTTPS with an alternate domain name, you must complete some additional configuration. For more information, see Use alternate domain names and HTTPS.