How can I import a third-party issued TLS/SSL certificate to ACM?


I want to import a third-party issued TLS/SSL certificate into AWS Certificate Manager (ACM).

Resolution

To import a third-party issued TLS/SSL certificate into ACM, provide the certificate, its private key, and the certificate chain. The certificate must also meet the prerequisites for importing certificates.

You need the following files, each in PEM-encoded format:

PEM-encoded certificate:

-----BEGIN CERTIFICATE-----
Base64-encoded certificate
-----END CERTIFICATE-----

PEM-encoded certificate chain: This example shows a chain with two subordinate (intermediate) CAs. List the certificates in signing order, starting with the CA that issued your certificate and ending with the root CA, which is always the last entry:

-----BEGIN CERTIFICATE-----
Base64-encoded certificate of SubordinateCA2
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Base64-encoded certificate of SubordinateCA1
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Base64-encoded certificate of Root CA
-----END CERTIFICATE-----

PEM-encoded private key (unencrypted):

-----BEGIN RSA PRIVATE KEY-----
Base64-encoded private key
-----END RSA PRIVATE KEY-----

For more information and examples, see Certificate and key format for importing.

Use OpenSSL to convert the certificate bundle from PKCS#12 (PFX) to PEM

If your certificate is in PKCS#12 (PFX) format, first convert the bundle from PFX to PEM with the following steps. Then, import the PEM-encoded files into ACM.

  1. Copy the PFX or P12 file to the same directory as your OpenSSL tool, or specify its path on the command line.

  2. Enter the following OpenSSL command and replace PKCS12file with your certificate file name:

    $ openssl pkcs12 -in PKCS12file -out Cert_Chain_Key.txt

    You receive prompts similar to the following:

    Enter Import Password: (the password that was used when the PKCS12 file was created)
    Enter PEM pass phrase: (the password to protect the exported private key)
    Verifying - Enter PEM pass phrase: (confirm the private key password)
  3. Enter the required password and pass phrase. The certificate, private key, and certificate chain (intermediate and root) are parsed and placed into the Cert_Chain_Key.txt file.
    Note: The private key is still encrypted in the following format:

    -----BEGIN ENCRYPTED PRIVATE KEY-----
    Base64-encoded private key
    -----END ENCRYPTED PRIVATE KEY-----

Decrypt the private key

ACM does not accept an encrypted private key. To decrypt the private key, complete the following steps. The openssl rsa command below is for RSA keys; for an EC key use openssl ec instead, or use openssl pkey, which works for either key type.

  1. Copy the private key block (from -----BEGIN ENCRYPTED PRIVATE KEY----- through -----END ENCRYPTED PRIVATE KEY-----) from the Cert_Chain_Key.txt file into its own file, for example Encrypted.key, in your OpenSSL directory, or specify its path on the command line.

  2. Enter the following OpenSSL command and replace Encrypted.key with your encrypted private key file:

    $ openssl rsa -in Encrypted.key -out UnEncrypted.key
  3. Enter the pass phrase. UnEncrypted.key is now the decrypted private key. To verify this, open UnEncrypted.key in a text editor: the header must read -----BEGIN RSA PRIVATE KEY----- (as shown in the PEM-encoded private key example above) or, with OpenSSL 3.x, -----BEGIN PRIVATE KEY-----, and must no longer contain the word ENCRYPTED.

You can now import the certificate successfully into ACM. For instructions, see Importing a certificate.
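The whole procedure above (PFX to PEM, decrypting the key, checking the files, importing) as one POSIX shell script. This is an added example and not part of the AWS article or the AWS CLI; it assumes OpenSSL 1.1.1 or later on PATH and, for acm_import only, an AWS CLI with acm:ImportCertificate permission. The directory and file names, the use of openssl pkey in place of openssl rsa, and the make_test_bundle fixture (a throwaway root, issuing CA and leaf, not a real CA) are this example's own. It also orders the chain by walking issuer to subject, so a bundle whose CA certificates are stored in the wrong order still comes out intermediate first, root last.

```shell
#!/bin/sh
# Added example, not part of the AWS article: PKCS#12 bundle -> the three PEM
# files ACM expects (certificate, unencrypted private key, ordered chain),
# pre-import checks, and the import call. Assumes OpenSSL 1.1.1+ on PATH; the
# AWS CLI is needed only by acm_import. All file and directory names are this
# example's own choices, and make_test_bundle builds a throwaway test PKI.
set -e

# openssl pkcs12 prefixes each certificate with "Bag Attributes" lines; keep
# only the PEM blocks so the uploaded files contain nothing else.
pem_blocks() { sed -n '/^-----BEGIN /,/^-----END /p' "$1"; }

# Subject or issuer DN of the first certificate in a file, without the
# "subject="/"issuer=" prefix, so the two can be compared directly.
dn() { openssl x509 -in "$1" -noout "-$2" | sed "s/^$2= *//"; }

# Walk issuer -> subject from the end-entity certificate so the chain reads
# intermediate(s) first and the root last, the order the article asks for.
order_chain() {
  want=$(dn "$1" issuer)
  while :; do
    next=
    for f in "$2"/*.pem; do
      if [ "$(dn "$f" subject)" = "$want" ]; then next=$f; break; fi
    done
    [ -n "$next" ] || break                  # issuer not in the bundle: stop
    cat "$next"
    if [ "$(dn "$next" issuer)" = "$want" ]; then break; fi   # self-signed root
    want=$(dn "$next" issuer)
  done
}

# PFX -> certificate.pem, private_key.pem, certificate_chain.pem in $3.
pfx_to_pem() {
  pfx=$1; pass=$2; out=$3
  mkdir -p "$out/ca"
  # -clcerts: the certificate that matches the key; -cacerts: everything else
  openssl pkcs12 -in "$pfx" -passin "pass:$pass" -clcerts -nokeys -out "$out/leaf.raw"
  openssl pkcs12 -in "$pfx" -passin "pass:$pass" -cacerts -nokeys -out "$out/ca.raw"
  # Step 1 of the article: the key comes out PEM-encrypted (here under the same
  # password). Step 2 decrypts it; openssl pkey does what openssl rsa does but
  # also handles EC keys, and writes an unencrypted PKCS#8 "BEGIN PRIVATE KEY".
  openssl pkcs12 -in "$pfx" -passin "pass:$pass" -nocerts -passout "pass:$pass" -out "$out/key.raw"
  openssl pkey -in "$out/key.raw" -passin "pass:$pass" -out "$out/private_key.pem"
  pem_blocks "$out/leaf.raw" > "$out/certificate.pem"
  # One file per CA certificate so order_chain can pick them in issuing order
  pem_blocks "$out/ca.raw" | awk -v d="$out/ca" \
    '/^-----BEGIN /{n++; f=sprintf("%s/%02d.pem", d, n)} {print > f}'
  order_chain "$out/certificate.pem" "$out/ca" > "$out/certificate_chain.pem"
  rm -f "$out"/*.raw
}

# What ACM will reject if wrong: an encrypted key, a key that does not belong
# to the certificate, or a chain that does not lead to the certificate.
check_for_acm() {
  if grep -q 'BEGIN ENCRYPTED PRIVATE KEY' "$1/private_key.pem"; then return 1; fi
  [ "$(openssl x509 -in "$1/certificate.pem" -noout -pubkey)" = \
    "$(openssl pkey -in "$1/private_key.pem" -pubout)" ] || return 1
  openssl verify -CAfile "$1/certificate_chain.pem" "$1/certificate.pem" >/dev/null
}

# Import (needs acm:ImportCertificate); prints the new certificate ARN.
acm_import() {
  aws acm import-certificate \
    --certificate "fileb://$1/certificate.pem" \
    --private-key "fileb://$1/private_key.pem" \
    --certificate-chain "fileb://$1/certificate_chain.pem" \
    --query CertificateArn --output text
}

# Constructed fixture for a dry run: root -> issuing CA -> leaf, packed as a
# PKCS#12 with the root deliberately listed before the issuing CA.
make_test_bundle() {
  d=$1; mkdir -p "$d"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$d/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.com\n' > "$d/leaf.ext"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Root CA" -keyout "$d/root.key" -out "$d/root.csr"
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 30 -extfile "$d/ca.ext" -out "$d/root.pem"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Issuing CA" -keyout "$d/int.key" -out "$d/int.csr"
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial -days 30 -extfile "$d/ca.ext" -out "$d/int.pem"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=www.example.com" -keyout "$d/leaf.key" -out "$d/leaf.csr"
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" -CAcreateserial -days 30 -extfile "$d/leaf.ext" -out "$d/leaf.pem"
  cat "$d/root.pem" "$d/int.pem" > "$d/cas.pem"
  openssl pkcs12 -export -inkey "$d/leaf.key" -in "$d/leaf.pem" -certfile "$d/cas.pem" -passout "pass:$2" -out "$d/bundle.pfx"
}
```

On a real bundle, run pfx_to_pem mycert.pfx 'import-password' ./acm, then check_for_acm ./acm, then acm_import ./acm. If the PFX was produced by an older tool and OpenSSL 3.x refuses to read it ("unsupported" algorithm), add -legacy to the three openssl pkcs12 read commands. check_for_acm catches the three mistakes the article's procedure is most likely to leave behind: a key that is still encrypted, a key that does not match the certificate, and a chain that does not verify the certificate.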

Related information

Why can't I import a third-party public SSL/TLS certificate into AWS Certificate Manager (ACM)?

How to import PFX-formatted certificates into AWS Certificate Manager using OpenSSL

AWS OFFICIAL
Updated 2 months ago