# The certificate specified is not in the us-east-1 region. The certificate must be in the us-east-1 region to use with CloudFront.

- **ID:** `policy/cloudfront-custom-ssl-certificate-must-be-in-us-east-1`
- **Domain:** policy
- **Category:** config_error
- **Verification:** ai_generated
- **Fix Rate:** 85%

## Root Cause

CloudFront requires all custom SSL/TLS certificates to be provisioned in the us-east-1 region, even if the origin is in a different region.

## Version Compatibility

| Version | Status | Introduced | Deprecated |
|---------|--------|------------|------------|
| CloudFront | active | — | — |
| ACM | active | — | — |
| AWS Console 2023-2025 | active | — | — |

## Workarounds

1. **Request or import the SSL certificate in ACM in the us-east-1 region using the AWS CLI** (90% success)
   ```
   aws acm request-certificate --domain-name example.com --validation-method DNS --region us-east-1
   ```
2. **If the certificate is already in another region, export it and re-import it into ACM in us-east-1** (85% success)
   ```
   aws acm import-certificate --certificate fileb://cert.pem --private-key fileb://privkey.pem --certificate-chain fileb://chain.pem --region us-east-1
   ```
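Both workarounds end with an ACM certificate ARN that gets attached to the CloudFront distribution, and the region is encoded in that ARN. The following pre-flight check, added here as an example and not part of the original page, parses the ARN and refuses anything that is not an ACM certificate in us-east-1, so the misconfiguration is caught before `aws cloudfront update-distribution` is ever called. The ARNs in the block are constructed sample values, not real certificates.

```shell
# Added example: gate a CloudFront certificate change on the ACM ARN's region.
# The ARNs below are constructed sample values, not real certificates.

# Extract the region field from an ACM certificate ARN:
#   arn:aws:acm:<region>:<account-id>:certificate/<certificate-id>
acm_arn_region() {
  printf '%s\n' "$1" | cut -d: -f4
}

# Return 0 when the ARN is an ACM certificate in us-east-1, 1 otherwise.
# IAM server certificates and certificates in any other region are rejected,
# matching the two dead ends CloudFront itself reports.
cloudfront_cert_arn_ok() {
  arn="$1"
  case "$arn" in
    arn:aws:acm:*:*:certificate/*) ;;
    *)
      echo "rejected: not an ACM certificate ARN: $arn" >&2
      return 1
      ;;
  esac
  region=$(acm_arn_region "$arn")
  if [ "$region" != "us-east-1" ]; then
    echo "rejected: certificate is in $region; CloudFront requires us-east-1" >&2
    return 1
  fi
  return 0
}

# Constructed sample ARNs for the demonstration run below.
GOOD_ARN='arn:aws:acm:us-east-1:123456789012:certificate/11111111-2222-3333-4444-555555555555'
BAD_ARN='arn:aws:acm:eu-west-1:123456789012:certificate/66666666-7777-8888-9999-000000000000'
IAM_ARN='arn:aws:iam::123456789012:server-certificate/legacy-cert'

# Only the first ARN passes; the other two are reported on stderr.
if cloudfront_cert_arn_ok "$GOOD_ARN"; then
  echo "ok: $GOOD_ARN may be used with CloudFront"
fi
cloudfront_cert_arn_ok "$BAD_ARN" || true
cloudfront_cert_arn_ok "$IAM_ARN" || true
```

In practice the ARN to check comes from `aws acm list-certificates --region us-east-1` after running workaround 1 or 2; an ARN returned by `list-certificates` in any other region will fail this check, which is exactly the condition the error message describes.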

## Dead Ends

- CloudFront's edge network is global, and only ACM certificates in us-east-1 are supported for custom SSL; certificates in other regions are rejected. (95% fail)
- CloudFront only accepts certificates from ACM or IAM, but IAM certificates are deprecated and ACM is the recommended path. Self-signed certificates are not trusted by browsers. (80% fail)
