# Enable origin mutual TLS for CloudFront distributions
<a name="origin-enable-mtls-distributions"></a>

After obtaining a client certificate through AWS Certificate Manager and configuring your origin server to require mutual TLS, you can enable origin mTLS on your CloudFront distribution.

## Prerequisites and requirements
<a name="origin-mtls-prerequisites-requirements"></a>

Before enabling origin mTLS on a CloudFront distribution, ensure you have:
+ A client certificate stored in AWS Certificate Manager in the US East (N. Virginia) Region (us-east-1)
+ Origin servers configured to require mutual TLS authentication and validate client certificates
+ Origin servers presenting certificates from publicly trusted Certificate Authorities
+ Permissions to modify CloudFront distributions
+ Origin mTLS is only available on Business, Premium plans or Pay as you go pricing plans.

**Note**  
Origin mTLS can be configured for custom origins (including origins hosted outside AWS) and AWS origins that support mutual TLS such as Application Load Balancer and API Gateway.

**Important**  
The following CloudFront features are not supported with origin mTLS:  
**gRPC traffic:** gRPC protocol is not supported for origins with origin mTLS enabled
**WebSocket connections:** WebSocket protocol is not supported for origins with origin mTLS enabled
**VPC origins:** origin mTLS cannot be used with VPC origins
**Origin request and origin response triggers with Lambda@Edge:** Lambda@Edge functions in origin request and origin response positions are not supported with origin mTLS
**Embedded POPs:** origin mTLS is not supported for embedded POPs

## Enable origin mTLS
<a name="origin-enable-mtls-per-origin"></a>

Per-origin configuration allows you to specify different client certificates for different origins within the same distribution. This approach provides maximum flexibility when your origins have different authentication requirements.

### For new distributions (Console)
<a name="origin-enable-mtls-new-distributions"></a>

1. Sign in to the AWS Management Console and open the CloudFront console at [https://console.aws.amazon.com/cloudfront/v4/home](https://console.aws.amazon.com/cloudfront/v4/home).

1. Choose **Create distribution**

1. Select a pricing plan: Choose either **Business** or **Premium** or **Pay As You Go** (Origin mTLS is not available on the Free plan)

1. In the Origin settings section, choose Origin Type as Other

1. In the **Origin settings** section, choose **Customize origin settings**

1. Configure your first origin (domain name, protocol, etc.)

1. In the origin configuration, find **mTLS**

1. Toggle **mTLS** to On

1. For **Client certificate**, select your certificate from AWS Certificate Manager

1. (Optional) Add additional origins with their own origin mTLS configurations

1. Complete the remaining distribution settings and choose **Create distribution**

### For existing distributions (Console)
<a name="origin-enable-mtls-existing-distributions"></a>

1. Sign in to the AWS Management Console and open the CloudFront console at [https://console.aws.amazon.com/cloudfront/v4/home](https://console.aws.amazon.com/cloudfront/v4/home).

1. From the distribution list, select the distribution you want to modify. (Note: Ensure your distribution is on a **Pro or Premium or Pay As You Go** pricing plan. If not, you must upgrade your pricing plan before enabling origin mTLS)

1. Choose the **Origins** tab

1. Select the origin you want to configure and choose **Edit**

1. In the origin settings, find **mTLS**

1. Toggle **mTLS** to On

1. For **Client certificate**, select your certificate from AWS Certificate Manager. (Note: Only client certificates with the EKU (Extended Key Usage) property set to "TLS Client Authentication" will be listed)

1. Choose **Save changes**

1. Repeat for additional origins as needed

## Using AWS CLI
<a name="origin-enable-mtls-cli"></a>

For per-origin configuration, specify the origin mTLS settings within each origin's configuration:

```
{
  "Origins": {
    "Quantity": 2,
    "Items": [
      {
        "Id": "origin-1",
        "DomainName": "api.example.com",
        "CustomOriginConfig": {
          "HTTPSPort": 443,
          "OriginProtocolPolicy": "https-only"
        },
        "OriginMtlsConfig": {
          "ClientCertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/cert-1"
        }
      },
      {
        "Id": "origin-2",
        "DomainName": "backend.example.com",
        "CustomOriginConfig": {
          "HTTPSPort": 443,
          "OriginProtocolPolicy": "https-only"
        },
        "OriginMtlsConfig": {
          "CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/cert-2"
        }
      }
    ]
  }
}
```

**Note**  
CloudFront will not provide the client certificate if the server does not request it, allowing the connection to proceed normally.

## Next steps
<a name="origin-enable-mtls-next-steps"></a>

After enabling origin mTLS on your CloudFront distribution, you can monitor authentication events using CloudFront access logs.