Tags: amazon-web-services, amazon-cloudfront, amazon-iam

Cloudfront certificate and hostname: can they be different?


I have a certificate in IAM, registered to the hostname azb.hostname.com. Then I have 2 CloudFront distributions, with auto hostnames, something like d727.cloudfront.net and d838.cloudfront.net.

By default the certificate provided by CloudFront does not support TLSv1.1+, so I have to assign a custom certificate. I tried to use my certificate on one of them and... it works!

What I can't understand is why the CloudFront distribution is still available on its default hostname *.cloudfront.net: shouldn't it have become azb.hostname.com? And can I assign the same certificate to both of them? Will they keep working?


Solution

  • CloudFront will be available with *.cloudfront.net even though you have added your own cert and added your domain in the Alternate domain field; this is expected. If you don't want that, you probably need to add a WAF to read the Host header and, if it's d1234xxx.cloudfront.net, block it.

    You can use the IAM cert with multiple distributions; it will not cause any problem.

    Also, accessing d123.cloudfront.net supports TLS 1.1 and TLS 1.2, and I think recently you can also restrict the TLS version as well.
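The two pieces the answer describes, as an added example that is not part of the original question or answer: a WAFv2 rule (for a web ACL of scope CLOUDFRONT) that blocks requests whose Host header is one of the default *.cloudfront.net names, and the DistributionConfig fragment that attaches the custom certificate, sets the alternate domain name, and pins the minimum TLS version. The rule is built in the JSON shape the WAFv2 API takes, and a small local evaluator applies the same matching logic to sample headers so it can be checked offline. The IAM certificate id "ASCAEXAMPLE123" and the hostnames from the question are placeholders, not real resources.

```python
"""
Added example (not the original poster's or answerer's code): build the WAFv2
rule and the CloudFront DistributionConfig fragments described in the answer,
and evaluate the rule locally against constructed Host headers.

Placeholders: IAM certificate id "ASCAEXAMPLE123", alias "azb.hostname.com",
default hostnames "d727.cloudfront.net" and "d838.cloudfront.net".
"""
import json


def waf_block_default_hostname_rule(default_domains, priority=0):
    """WAFv2 rule: block any request whose Host header exactly equals one of
    the distribution's default *.cloudfront.net names (case-insensitive via
    the LOWERCASE text transformation). One ByteMatchStatement per hostname,
    OR'ed together when there is more than one. Note: boto3 expects bytes for
    SearchString; encode the value before calling create_web_acl/update_web_acl."""
    statements = [
        {
            "ByteMatchStatement": {
                "SearchString": domain.lower(),
                "FieldToMatch": {"SingleHeader": {"Name": "host"}},
                "TextTransformations": [{"Priority": 0, "Type": "LOWERCASE"}],
                "PositionalConstraint": "EXACTLY",
            }
        }
        for domain in default_domains
    ]
    statement = statements[0] if len(statements) == 1 else {
        "OrStatement": {"Statements": statements}
    }
    return {
        "Name": "block-default-cloudfront-hostname",
        "Priority": priority,
        "Statement": statement,
        "Action": {"Block": {}},
        "VisibilityConfig": {
            "SampledRequestsEnabled": True,
            "CloudWatchMetricsEnabled": True,
            "MetricName": "BlockDefaultCloudFrontHostname",
        },
    }


def _statement_matches(stmt, headers):
    """Local re-implementation of the subset of WAF matching used above."""
    if "OrStatement" in stmt:
        return any(_statement_matches(s, headers)
                   for s in stmt["OrStatement"]["Statements"])
    bm = stmt["ByteMatchStatement"]
    wanted = bm["FieldToMatch"]["SingleHeader"]["Name"].lower()
    # HTTP header names are case-insensitive, so look the header up that way.
    value = next((v for k, v in headers.items() if k.lower() == wanted), "")
    for t in bm["TextTransformations"]:
        if t["Type"] == "LOWERCASE":
            value = value.lower()
    needle = bm["SearchString"]
    return {
        "EXACTLY": value == needle,
        "STARTS_WITH": value.startswith(needle),
        "ENDS_WITH": value.endswith(needle),
        "CONTAINS": needle in value,
    }[bm["PositionalConstraint"]]


def evaluate(rule, headers):
    """Return 'BLOCK' or 'ALLOW' for one request's headers under the rule."""
    return "BLOCK" if _statement_matches(rule["Statement"], headers) else "ALLOW"


def viewer_certificate_config(iam_cert_id, aliases, min_tls="TLSv1.2_2021"):
    """DistributionConfig fragments that attach the IAM certificate and the
    alternate domain name. The same IAMCertificateId can appear in several
    distributions; MinimumProtocolVersion is what enforces the TLS floor."""
    return {
        "Aliases": {"Quantity": len(aliases), "Items": list(aliases)},
        "ViewerCertificate": {
            "IAMCertificateId": iam_cert_id,
            "SSLSupportMethod": "sni-only",
            "MinimumProtocolVersion": min_tls,
            "CloudFrontDefaultCertificate": False,
        },
    }


if __name__ == "__main__":
    rule = waf_block_default_hostname_rule(["d727.cloudfront.net", "d838.cloudfront.net"])
    print(json.dumps(rule, indent=2))
    # Constructed sample Host headers: the alias is allowed, both defaults are blocked.
    for host in ["azb.hostname.com", "d727.cloudfront.net", "D838.CloudFront.Net"]:
        print(f"{host:24} -> {evaluate(rule, {'Host': host})}")
    print(json.dumps(viewer_certificate_config("ASCAEXAMPLE123", ["azb.hostname.com"]), indent=2))
```

Two practical notes on the rule: a web ACL attached to a CloudFront distribution has to be created with Scope=CLOUDFRONT in us-east-1, and an EXACTLY match on the Host header is deliberately narrow; if you would rather not enumerate every default hostname, an ENDS_WITH match on ".cloudfront.net", or an allow-list that blocks anything whose Host is not the alias, covers new distributions without editing the rule.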