ToCopyableBuilder<ViewerCertificate.Builder,ViewerCertificate>
@Generated("software.amazon.awssdk:codegen") public class ViewerCertificate extends Object implements ToCopyableBuilder<ViewerCertificate.Builder,ViewerCertificate>
A complex type that specifies the following:
Which SSL/TLS certificate to use when viewers request objects using HTTPS
Whether you want CloudFront to use dedicated IP addresses or SNI when you're using alternate domain names in your object names
The minimum protocol version that you want CloudFront to use when communicating with viewers
For more information, see Using an HTTPS Connection to Access Your Objects in the Amazon Amazon CloudFront Developer Guide.
Modifier and Type | Class | Description |
---|---|---|
static interface |
ViewerCertificate.Builder |
Modifier and Type | Method | Description |
---|---|---|
String |
acmCertificateArn() |
|
static ViewerCertificate.Builder |
builder() |
|
String |
certificate() |
Include one of these values to specify the following:
|
String |
certificateSource() |
|
Boolean |
cloudFrontDefaultCertificate() |
|
boolean |
equals(Object obj) |
|
int |
hashCode() |
|
String |
iamCertificateId() |
|
String |
minimumProtocolVersion() |
Specify the minimum version of the SSL/TLS protocol that you want CloudFront to use for HTTPS connections between
viewers and CloudFront:
SSLv3 or TLSv1 . |
static Class<? extends ViewerCertificate.Builder> |
serializableBuilderClass() |
|
String |
sslSupportMethod() |
If you specify a value for
ACMCertificateArn or for IAMCertificateId , you must also
specify how you want CloudFront to serve HTTPS requests: using a method that works for all clients or one that
works for most clients: |
ViewerCertificate.Builder |
toBuilder() |
Take this object and create a builder that contains all of the current property values of this object.
|
String |
toString() |
public Boolean cloudFrontDefaultCertificate()
public String iamCertificateId()
public String acmCertificateArn()
public String sslSupportMethod()
If you specify a value for ACMCertificateArn
or for IAMCertificateId
, you must also
specify how you want CloudFront to serve HTTPS requests: using a method that works for all clients or one that
works for most clients:
vip
: CloudFront uses dedicated IP addresses for your content and can respond to HTTPS requests from
any viewer. However, you will incur additional monthly charges.
sni-only
: CloudFront can respond to HTTPS requests from viewers that support Server Name Indication
(SNI). All modern browsers support SNI, but some browsers still in use don't support SNI. If some of your users'
browsers don't support SNI, we recommend that you do one of the following:
Use the vip
option (dedicated IP addresses) instead of sni-only
.
Use the CloudFront SSL/TLS certificate instead of a custom certificate. This requires that you use the CloudFront
domain name of your distribution in the URLs for your objects, for example,
https://d111111abcdef8.cloudfront.net/logo.png
.
If you can control which browser your users use, upgrade the browser to one that supports SNI.
Use HTTP instead of HTTPS.
Do not specify a value for SSLSupportMethod
if you specified
<CloudFrontDefaultCertificate>true<CloudFrontDefaultCertificate>
.
For more information, see Using Alternate Domain Names and HTTPS in the Amazon CloudFront Developer Guide.
ACMCertificateArn
or for IAMCertificateId
, you must
also specify how you want CloudFront to serve HTTPS requests: using a method that works for all clients
or one that works for most clients:
vip
: CloudFront uses dedicated IP addresses for your content and can respond to HTTPS
requests from any viewer. However, you will incur additional monthly charges.
sni-only
: CloudFront can respond to HTTPS requests from viewers that support Server Name
Indication (SNI). All modern browsers support SNI, but some browsers still in use don't support SNI. If
some of your users' browsers don't support SNI, we recommend that you do one of the following:
Use the vip
option (dedicated IP addresses) instead of sni-only
.
Use the CloudFront SSL/TLS certificate instead of a custom certificate. This requires that you use the
CloudFront domain name of your distribution in the URLs for your objects, for example,
https://d111111abcdef8.cloudfront.net/logo.png
.
If you can control which browser your users use, upgrade the browser to one that supports SNI.
Use HTTP instead of HTTPS.
Do not specify a value for SSLSupportMethod
if you specified
<CloudFrontDefaultCertificate>true<CloudFrontDefaultCertificate>
.
For more information, see Using Alternate Domain Names and HTTPS in the Amazon CloudFront Developer Guide.
SSLSupportMethod
public String minimumProtocolVersion()
Specify the minimum version of the SSL/TLS protocol that you want CloudFront to use for HTTPS connections between
viewers and CloudFront: SSLv3
or TLSv1
. CloudFront serves your objects only to viewers
that support SSL/TLS version that you specify and later versions. The TLSv1
protocol is more secure,
so we recommend that you specify SSLv3
only if your users are using browsers or devices that don't
support TLSv1
. Note the following:
If you specify <CloudFrontDefaultCertificate>true<CloudFrontDefaultCertificate>, the minimum SSL
protocol version is TLSv1
and can't be changed.
If you're using a custom certificate (if you specify a value for ACMCertificateArn
or for
IAMCertificateId
) and if you're using SNI (if you specify sni-only
for
SSLSupportMethod
), you must specify TLSv1
for MinimumProtocolVersion
.
SSLv3
or TLSv1
. CloudFront serves your objects
only to viewers that support SSL/TLS version that you specify and later versions. The TLSv1
protocol is more secure, so we recommend that you specify SSLv3
only if your users are using
browsers or devices that don't support TLSv1
. Note the following:
If you specify <CloudFrontDefaultCertificate>true<CloudFrontDefaultCertificate>, the minimum
SSL protocol version is TLSv1
and can't be changed.
If you're using a custom certificate (if you specify a value for ACMCertificateArn
or for
IAMCertificateId
) and if you're using SNI (if you specify sni-only
for
SSLSupportMethod
), you must specify TLSv1
for
MinimumProtocolVersion
.
MinimumProtocolVersion
public String certificate()
Include one of these values to specify the following:
Whether you want viewers to use HTTP or HTTPS to request your objects.
If you want viewers to use HTTPS, whether you're using an alternate domain name such as example.com or the
CloudFront domain name for your distribution, such as d111111abcdef8.cloudfront.net
.
If you're using an alternate domain name, whether AWS Certificate Manager (ACM) provided the certificate, or you purchased a certificate from a third-party certificate authority and imported it into ACM or uploaded it to the IAM certificate store.
You must specify one (and only one) of the three values. Do not specify false
for
CloudFrontDefaultCertificate
.
If you want viewers to use HTTP to request your objects: Specify the following value:
<CloudFrontDefaultCertificate>true<CloudFrontDefaultCertificate>
In addition, specify allow-all
for ViewerProtocolPolicy
for all of your cache
behaviors.
If you want viewers to use HTTPS to request your objects: Choose the type of certificate that you want to use based on whether you're using an alternate domain name for your objects or the CloudFront domain name:
If you're using an alternate domain name, such as example.com: Specify one of the following values, depending on whether ACM provided your certificate or you purchased your certificate from third-party certificate authority:
<ACMCertificateArn>ARN for ACM SSL/TLS certificate<ACMCertificateArn>
where ARN for ACM
SSL/TLS certificate is the ARN for the ACM SSL/TLS certificate that you want to use for this distribution.
<IAMCertificateId>IAM certificate ID<IAMCertificateId>
where IAM certificate ID is the
ID that IAM returned when you added the certificate to the IAM certificate store.
If you specify ACMCertificateArn
or IAMCertificateId
, you must also specify a value for
SSLSupportMethod
.
If you choose to use an ACM certificate or a certificate in the IAM certificate store, we recommend that you use
only an alternate domain name in your object URLs (https://example.com/logo.jpg
). If you use the
domain name that is associated with your CloudFront distribution (
https://d111111abcdef8.cloudfront.net/logo.jpg
) and the viewer supports SNI
, then
CloudFront behaves normally. However, if the browser does not support SNI, the user's experience depends on the
value that you choose for SSLSupportMethod
:
vip
: The viewer displays a warning because there is a mismatch between the CloudFront domain name
and the domain name in your SSL/TLS certificate.
sni-only
: CloudFront drops the connection with the browser without returning the object.
If you're using the CloudFront domain name for your distribution, such as
d111111abcdef8.cloudfront.net
: Specify the following value:
<CloudFrontDefaultCertificate>true<CloudFrontDefaultCertificate>
If you want viewers to use HTTPS, you must also specify one of the following values in your cache behaviors:
<ViewerProtocolPolicy>https-only<ViewerProtocolPolicy>
<ViewerProtocolPolicy>redirect-to-https<ViewerProtocolPolicy>
You can also optionally require that CloudFront use HTTPS to communicate with your origin by specifying one of the following values for the applicable origins:
<OriginProtocolPolicy>https-only<OriginProtocolPolicy>
<OriginProtocolPolicy>match-viewer<OriginProtocolPolicy>
For more information, see Using Alternate Domain Names and HTTPS in the Amazon CloudFront Developer Guide.
Whether you want viewers to use HTTP or HTTPS to request your objects.
If you want viewers to use HTTPS, whether you're using an alternate domain name such as example.com or
the CloudFront domain name for your distribution, such as d111111abcdef8.cloudfront.net
.
If you're using an alternate domain name, whether AWS Certificate Manager (ACM) provided the certificate, or you purchased a certificate from a third-party certificate authority and imported it into ACM or uploaded it to the IAM certificate store.
You must specify one (and only one) of the three values. Do not specify false
for
CloudFrontDefaultCertificate
.
If you want viewers to use HTTP to request your objects: Specify the following value:
<CloudFrontDefaultCertificate>true<CloudFrontDefaultCertificate>
In addition, specify allow-all
for ViewerProtocolPolicy
for all of your cache
behaviors.
If you want viewers to use HTTPS to request your objects: Choose the type of certificate that you want to use based on whether you're using an alternate domain name for your objects or the CloudFront domain name:
If you're using an alternate domain name, such as example.com: Specify one of the following values, depending on whether ACM provided your certificate or you purchased your certificate from third-party certificate authority:
<ACMCertificateArn>ARN for ACM SSL/TLS certificate<ACMCertificateArn>
where ARN
for ACM SSL/TLS certificate is the ARN for the ACM SSL/TLS certificate that you want to use for this
distribution.
<IAMCertificateId>IAM certificate ID<IAMCertificateId>
where IAM certificate ID
is the ID that IAM returned when you added the certificate to the IAM certificate store.
If you specify ACMCertificateArn
or IAMCertificateId
, you must also specify a
value for SSLSupportMethod
.
If you choose to use an ACM certificate or a certificate in the IAM certificate store, we recommend that
you use only an alternate domain name in your object URLs (https://example.com/logo.jpg
). If
you use the domain name that is associated with your CloudFront distribution (
https://d111111abcdef8.cloudfront.net/logo.jpg
) and the viewer supports SNI
,
then CloudFront behaves normally. However, if the browser does not support SNI, the user's experience
depends on the value that you choose for SSLSupportMethod
:
vip
: The viewer displays a warning because there is a mismatch between the CloudFront domain
name and the domain name in your SSL/TLS certificate.
sni-only
: CloudFront drops the connection with the browser without returning the object.
If you're using the CloudFront domain name for your distribution, such as
d111111abcdef8.cloudfront.net
: Specify the following value:
<CloudFrontDefaultCertificate>true<CloudFrontDefaultCertificate>
If you want viewers to use HTTPS, you must also specify one of the following values in your cache behaviors:
<ViewerProtocolPolicy>https-only<ViewerProtocolPolicy>
<ViewerProtocolPolicy>redirect-to-https<ViewerProtocolPolicy>
You can also optionally require that CloudFront use HTTPS to communicate with your origin by specifying one of the following values for the applicable origins:
<OriginProtocolPolicy>https-only<OriginProtocolPolicy>
<OriginProtocolPolicy>match-viewer<OriginProtocolPolicy>
For more information, see Using Alternate Domain Names and HTTPS in the Amazon CloudFront Developer Guide.
public String certificateSource()
This field is deprecated. You can use one of the following: [ACMCertificateArn
,
IAMCertificateId
, or CloudFrontDefaultCertificate]
.
This field is deprecated. You can use one of the following: [ACMCertificateArn
,
IAMCertificateId
, or CloudFrontDefaultCertificate]
.
CertificateSource
public ViewerCertificate.Builder toBuilder()
ToCopyableBuilder
toBuilder
in interface ToCopyableBuilder<ViewerCertificate.Builder,ViewerCertificate>
public static ViewerCertificate.Builder builder()
public static Class<? extends ViewerCertificate.Builder> serializableBuilderClass()
Copyright © 2017 Amazon Web Services, Inc. All Rights Reserved.