@Generated(value="software.amazon.awssdk:codegen") public class ViewerCertificate extends Object implements ToCopyableBuilder<ViewerCertificate.Builder,ViewerCertificate>
A complex type that specifies the following:
Whether you want viewers to use HTTP or HTTPS to request your objects.
If you want viewers to use HTTPS, whether you're using an alternate domain name such as example.com
or
the CloudFront domain name for your distribution, such as d111111abcdef8.cloudfront.net
.
If you're using an alternate domain name, whether AWS Certificate Manager (ACM) provided the certificate, or you purchased a certificate from a third-party certificate authority and imported it into ACM or uploaded it to the IAM certificate store.
You must specify only one of the following values:
Don't specify false
for CloudFrontDefaultCertificate
.
If you want viewers to use HTTP instead of HTTPS to request your objects: Specify the following value:
<CloudFrontDefaultCertificate>true<CloudFrontDefaultCertificate>
In addition, specify allow-all
for ViewerProtocolPolicy
for all of your cache behaviors.
If you want viewers to use HTTPS to request your objects: Choose the type of certificate that you want to use based on whether you're using an alternate domain name for your objects or the CloudFront domain name:
If you're using an alternate domain name, such as example.com: Specify one of the following values, depending on whether ACM provided your certificate or you purchased your certificate from third-party certificate authority:
<ACMCertificateArn>ARN for ACM SSL/TLS certificate<ACMCertificateArn>
where
ARN for ACM SSL/TLS certificate
is the ARN for the ACM SSL/TLS certificate that you want to use
for this distribution.
<IAMCertificateId>IAM certificate ID<IAMCertificateId>
where
IAM certificate ID
is the ID that IAM returned when you added the certificate to the IAM
certificate store.
If you specify ACMCertificateArn
or IAMCertificateId
, you must also specify a value for
SSLSupportMethod
.
If you choose to use an ACM certificate or a certificate in the IAM certificate store, we recommend that you use only
an alternate domain name in your object URLs (https://example.com/logo.jpg
). If you use the domain name
that is associated with your CloudFront distribution (such as
https://d111111abcdef8.cloudfront.net/logo.jpg
) and the viewer supports SNI
, then
CloudFront behaves normally. However, if the browser does not support SNI, the user's experience depends on the value
that you choose for SSLSupportMethod
:
vip
: The viewer displays a warning because there is a mismatch between the CloudFront domain name and
the domain name in your SSL/TLS certificate.
sni-only
: CloudFront drops the connection with the browser without returning the object.
If you're using the CloudFront domain name for your distribution, such as
d111111abcdef8.cloudfront.net
: Specify the following value:
<CloudFrontDefaultCertificate>true<CloudFrontDefaultCertificate>
If you want viewers to use HTTPS, you must also specify one of the following values in your cache behaviors:
<ViewerProtocolPolicy>https-only<ViewerProtocolPolicy>
<ViewerProtocolPolicy>redirect-to-https<ViewerProtocolPolicy>
You can also optionally require that CloudFront use HTTPS to communicate with your origin by specifying one of the following values for the applicable origins:
<OriginProtocolPolicy>https-only<OriginProtocolPolicy>
<OriginProtocolPolicy>match-viewer<OriginProtocolPolicy>
For more information, see Using Alternate Domain Names and HTTPS in the Amazon CloudFront Developer Guide.
Modifier and Type | Class and Description |
---|---|
static interface |
ViewerCertificate.Builder |
Modifier and Type | Method and Description |
---|---|
String |
acmCertificateArn()
For information about how and when to use
ACMCertificateArn , see ViewerCertificate. |
static ViewerCertificate.Builder |
builder() |
String |
certificate()
This field has been deprecated.
|
CertificateSource |
certificateSource()
This field has been deprecated.
|
String |
certificateSourceString()
This field has been deprecated.
|
Boolean |
cloudFrontDefaultCertificate()
For information about how and when to use
CloudFrontDefaultCertificate , see
ViewerCertificate. |
boolean |
equals(Object obj) |
<T> Optional<T> |
getValueForField(String fieldName,
Class<T> clazz) |
int |
hashCode() |
String |
iamCertificateId()
For information about how and when to use
IAMCertificateId , see ViewerCertificate. |
MinimumProtocolVersion |
minimumProtocolVersion()
Specify the security policy that you want CloudFront to use for HTTPS connections.
|
String |
minimumProtocolVersionString()
Specify the security policy that you want CloudFront to use for HTTPS connections.
|
static Class<? extends ViewerCertificate.Builder> |
serializableBuilderClass() |
SSLSupportMethod |
sslSupportMethod()
If you specify a value for ViewerCertificate$ACMCertificateArn or for
ViewerCertificate$IAMCertificateId, you must also specify how you want CloudFront to serve HTTPS requests:
using a method that works for all clients or one that works for most clients:
|
String |
sslSupportMethodString()
If you specify a value for ViewerCertificate$ACMCertificateArn or for
ViewerCertificate$IAMCertificateId, you must also specify how you want CloudFront to serve HTTPS requests:
using a method that works for all clients or one that works for most clients:
|
ViewerCertificate.Builder |
toBuilder()
Take this object and create a builder that contains all of the current property values of this object.
|
String |
toString() |
copy
public Boolean cloudFrontDefaultCertificate()
For information about how and when to use CloudFrontDefaultCertificate
, see
ViewerCertificate.
CloudFrontDefaultCertificate
, see
ViewerCertificate.public String iamCertificateId()
For information about how and when to use IAMCertificateId
, see ViewerCertificate.
IAMCertificateId
, see ViewerCertificate.public String acmCertificateArn()
For information about how and when to use ACMCertificateArn
, see ViewerCertificate.
ACMCertificateArn
, see ViewerCertificate.public SSLSupportMethod sslSupportMethod()
If you specify a value for ViewerCertificate$ACMCertificateArn or for ViewerCertificate$IAMCertificateId, you must also specify how you want CloudFront to serve HTTPS requests: using a method that works for all clients or one that works for most clients:
vip
: CloudFront uses dedicated IP addresses for your content and can respond to HTTPS requests from
any viewer. However, you will incur additional monthly charges.
sni-only
: CloudFront can respond to HTTPS requests from viewers that support Server Name Indication
(SNI). All modern browsers support SNI, but some browsers still in use don't support SNI. If some of your users'
browsers don't support SNI, we recommend that you do one of the following:
Use the vip
option (dedicated IP addresses) instead of sni-only
.
Use the CloudFront SSL/TLS certificate instead of a custom certificate. This requires that you use the CloudFront
domain name of your distribution in the URLs for your objects, for example,
https://d111111abcdef8.cloudfront.net/logo.png
.
If you can control which browser your users use, upgrade the browser to one that supports SNI.
Use HTTP instead of HTTPS.
Don't specify a value for SSLSupportMethod
if you specified
<CloudFrontDefaultCertificate>true<CloudFrontDefaultCertificate>
.
For more information, see Using Alternate Domain Names and HTTPS in the Amazon CloudFront Developer Guide.
If the service returns an enum value that is not available in the current SDK version, sslSupportMethod
will return SSLSupportMethod.UNKNOWN_TO_SDK_VERSION
. The raw value returned by the service is available
from sslSupportMethodString()
.
vip
: CloudFront uses dedicated IP addresses for your content and can respond to HTTPS
requests from any viewer. However, you will incur additional monthly charges.
sni-only
: CloudFront can respond to HTTPS requests from viewers that support Server Name
Indication (SNI). All modern browsers support SNI, but some browsers still in use don't support SNI. If
some of your users' browsers don't support SNI, we recommend that you do one of the following:
Use the vip
option (dedicated IP addresses) instead of sni-only
.
Use the CloudFront SSL/TLS certificate instead of a custom certificate. This requires that you use the
CloudFront domain name of your distribution in the URLs for your objects, for example,
https://d111111abcdef8.cloudfront.net/logo.png
.
If you can control which browser your users use, upgrade the browser to one that supports SNI.
Use HTTP instead of HTTPS.
Don't specify a value for SSLSupportMethod
if you specified
<CloudFrontDefaultCertificate>true<CloudFrontDefaultCertificate>
.
For more information, see Using Alternate Domain Names and HTTPS in the Amazon CloudFront Developer Guide.
SSLSupportMethod
public String sslSupportMethodString()
If you specify a value for ViewerCertificate$ACMCertificateArn or for ViewerCertificate$IAMCertificateId, you must also specify how you want CloudFront to serve HTTPS requests: using a method that works for all clients or one that works for most clients:
vip
: CloudFront uses dedicated IP addresses for your content and can respond to HTTPS requests from
any viewer. However, you will incur additional monthly charges.
sni-only
: CloudFront can respond to HTTPS requests from viewers that support Server Name Indication
(SNI). All modern browsers support SNI, but some browsers still in use don't support SNI. If some of your users'
browsers don't support SNI, we recommend that you do one of the following:
Use the vip
option (dedicated IP addresses) instead of sni-only
.
Use the CloudFront SSL/TLS certificate instead of a custom certificate. This requires that you use the CloudFront
domain name of your distribution in the URLs for your objects, for example,
https://d111111abcdef8.cloudfront.net/logo.png
.
If you can control which browser your users use, upgrade the browser to one that supports SNI.
Use HTTP instead of HTTPS.
Don't specify a value for SSLSupportMethod
if you specified
<CloudFrontDefaultCertificate>true<CloudFrontDefaultCertificate>
.
For more information, see Using Alternate Domain Names and HTTPS in the Amazon CloudFront Developer Guide.
If the service returns an enum value that is not available in the current SDK version, sslSupportMethod
will return SSLSupportMethod.UNKNOWN_TO_SDK_VERSION
. The raw value returned by the service is available
from sslSupportMethodString()
.
vip
: CloudFront uses dedicated IP addresses for your content and can respond to HTTPS
requests from any viewer. However, you will incur additional monthly charges.
sni-only
: CloudFront can respond to HTTPS requests from viewers that support Server Name
Indication (SNI). All modern browsers support SNI, but some browsers still in use don't support SNI. If
some of your users' browsers don't support SNI, we recommend that you do one of the following:
Use the vip
option (dedicated IP addresses) instead of sni-only
.
Use the CloudFront SSL/TLS certificate instead of a custom certificate. This requires that you use the
CloudFront domain name of your distribution in the URLs for your objects, for example,
https://d111111abcdef8.cloudfront.net/logo.png
.
If you can control which browser your users use, upgrade the browser to one that supports SNI.
Use HTTP instead of HTTPS.
Don't specify a value for SSLSupportMethod
if you specified
<CloudFrontDefaultCertificate>true<CloudFrontDefaultCertificate>
.
For more information, see Using Alternate Domain Names and HTTPS in the Amazon CloudFront Developer Guide.
SSLSupportMethod
public MinimumProtocolVersion minimumProtocolVersion()
Specify the security policy that you want CloudFront to use for HTTPS connections. A security policy determines two settings:
The minimum SSL/TLS protocol that CloudFront uses to communicate with viewers
The cipher that CloudFront uses to encrypt the content that it returns to viewers
On the CloudFront console, this setting is called Security policy.
We recommend that you specify TLSv1.1_2016
unless your users are using browsers or devices that do
not support TLSv1.1 or later.
When both of the following are true, you must specify TLSv1
or later for the security policy:
You're using a custom certificate: you specified a value for ACMCertificateArn
or for
IAMCertificateId
You're using SNI: you specified sni-only
for SSLSupportMethod
If you specify true
for CloudFrontDefaultCertificate
, CloudFront automatically sets the
security policy to TLSv1
regardless of the value that you specify for
MinimumProtocolVersion
.
For information about the relationship between the security policy that you choose and the protocols and ciphers that CloudFront uses to communicate with viewers, see Supported SSL/TLS Protocols and Ciphers for Communication Between Viewers and CloudFront in the Amazon CloudFront Developer Guide.
If the service returns an enum value that is not available in the current SDK version,
minimumProtocolVersion
will return MinimumProtocolVersion.UNKNOWN_TO_SDK_VERSION
. The raw value
returned by the service is available from minimumProtocolVersionString()
.
The minimum SSL/TLS protocol that CloudFront uses to communicate with viewers
The cipher that CloudFront uses to encrypt the content that it returns to viewers
On the CloudFront console, this setting is called Security policy.
We recommend that you specify TLSv1.1_2016
unless your users are using browsers or devices
that do not support TLSv1.1 or later.
When both of the following are true, you must specify TLSv1
or later for the security
policy:
You're using a custom certificate: you specified a value for ACMCertificateArn
or for
IAMCertificateId
You're using SNI: you specified sni-only
for SSLSupportMethod
If you specify true
for CloudFrontDefaultCertificate
, CloudFront automatically
sets the security policy to TLSv1
regardless of the value that you specify for
MinimumProtocolVersion
.
For information about the relationship between the security policy that you choose and the protocols and ciphers that CloudFront uses to communicate with viewers, see Supported SSL/TLS Protocols and Ciphers for Communication Between Viewers and CloudFront in the Amazon CloudFront Developer Guide.
MinimumProtocolVersion
public String minimumProtocolVersionString()
Specify the security policy that you want CloudFront to use for HTTPS connections. A security policy determines two settings:
The minimum SSL/TLS protocol that CloudFront uses to communicate with viewers
The cipher that CloudFront uses to encrypt the content that it returns to viewers
On the CloudFront console, this setting is called Security policy.
We recommend that you specify TLSv1.1_2016
unless your users are using browsers or devices that do
not support TLSv1.1 or later.
When both of the following are true, you must specify TLSv1
or later for the security policy:
You're using a custom certificate: you specified a value for ACMCertificateArn
or for
IAMCertificateId
You're using SNI: you specified sni-only
for SSLSupportMethod
If you specify true
for CloudFrontDefaultCertificate
, CloudFront automatically sets the
security policy to TLSv1
regardless of the value that you specify for
MinimumProtocolVersion
.
For information about the relationship between the security policy that you choose and the protocols and ciphers that CloudFront uses to communicate with viewers, see Supported SSL/TLS Protocols and Ciphers for Communication Between Viewers and CloudFront in the Amazon CloudFront Developer Guide.
If the service returns an enum value that is not available in the current SDK version,
minimumProtocolVersion
will return MinimumProtocolVersion.UNKNOWN_TO_SDK_VERSION
. The raw value
returned by the service is available from minimumProtocolVersionString()
.
The minimum SSL/TLS protocol that CloudFront uses to communicate with viewers
The cipher that CloudFront uses to encrypt the content that it returns to viewers
On the CloudFront console, this setting is called Security policy.
We recommend that you specify TLSv1.1_2016
unless your users are using browsers or devices
that do not support TLSv1.1 or later.
When both of the following are true, you must specify TLSv1
or later for the security
policy:
You're using a custom certificate: you specified a value for ACMCertificateArn
or for
IAMCertificateId
You're using SNI: you specified sni-only
for SSLSupportMethod
If you specify true
for CloudFrontDefaultCertificate
, CloudFront automatically
sets the security policy to TLSv1
regardless of the value that you specify for
MinimumProtocolVersion
.
For information about the relationship between the security policy that you choose and the protocols and ciphers that CloudFront uses to communicate with viewers, see Supported SSL/TLS Protocols and Ciphers for Communication Between Viewers and CloudFront in the Amazon CloudFront Developer Guide.
MinimumProtocolVersion
public String certificate()
This field has been deprecated. Use one of the following fields instead:
public CertificateSource certificateSource()
This field has been deprecated. Use one of the following fields instead:
If the service returns an enum value that is not available in the current SDK version, certificateSource
will return CertificateSource.UNKNOWN_TO_SDK_VERSION
. The raw value returned by the service is available
from certificateSourceString()
.
CertificateSource
public String certificateSourceString()
This field has been deprecated. Use one of the following fields instead:
If the service returns an enum value that is not available in the current SDK version, certificateSource
will return CertificateSource.UNKNOWN_TO_SDK_VERSION
. The raw value returned by the service is available
from certificateSourceString()
.
CertificateSource
public ViewerCertificate.Builder toBuilder()
ToCopyableBuilder
toBuilder
in interface ToCopyableBuilder<ViewerCertificate.Builder,ViewerCertificate>
public static ViewerCertificate.Builder builder()
public static Class<? extends ViewerCertificate.Builder> serializableBuilderClass()
Copyright © 2017 Amazon Web Services, Inc. All Rights Reserved.