Amazon DevPay
Developer Guide (API Version 2007-12-01)

X.509 Certificates

An X.509 certificate is a standard data structure designed to carry a public key and bind that key to an identity. X.509 certificates are used in public key cryptography. For more information about public key cryptography and X.509 certificates, go to the techencyclopedia.com entries for "digital signature" and "public key cryptography".

To use SOAP to access the License Service, you must have a private key and a related X.509 certificate, and you must associate that X.509 certificate with your AWS developer account. You use the private key instead of your AWS Secret Access Key to sign SOAP requests (for information about your Secret Access Key, see Your AWS Access Credentials). For information about obtaining an X.509 certificate from AWS or using an X.509 certificate you obtained elsewhere, see the following sections.

Note

AWS does not implement a full public key infrastructure. The certificate information is used only to authenticate requests to AWS. AWS uses X.509 certificates only as carriers for public keys and does not trust or use in any way any identity binding that might be included in an X.509 certificate.

The WS-Security 1.0 specification requires you to sign the SOAP message with your private key and include the X.509 certificate in the SOAP message header. Specifically, you must represent the X.509 certificate as a BinarySecurityToken as described in the WS-Security X.509 token profile (available from the OASIS-Open web site).

Using Your Own X.509 Certificate

If you have an X.509 certificate you want to use, you can upload the certificate to AWS (without the private key value). This associates the certificate with your AWS account.

AWS accepts any syntactically and cryptographically valid X.509 certificate. Certificates can be self-signed or signed by any key. The certificate must be in Privacy Enhanced Mail (PEM) format and include a base64-encoded Distinguished Encoding Rules (DER) certificate body.

Important

When you upload the certificate, AWS checks the certificate's contents to confirm that the certificate has not expired. AWS doesn't check certificate revocation lists (CRLs) to determine if the certificate has been revoked, nor does AWS validate the certificate with a certificate authority (CA) or any trusted third parties.
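The following shell script is an added example and is not part of the AWS guide. It assumes the openssl command-line tool is installed and uses file names chosen for this example. It prepares a certificate in the form the text above calls for (a self-signed certificate in PEM format whose body is base64-encoded DER, kept in a separate file from the private key so that only the certificate is uploaded), applies the one check the guide says AWS performs on upload (the certificate has not expired), and derives the base64 DER value that the WS-Security X.509 token profile places in the BinarySecurityToken header element mentioned earlier. Nothing here validates a CA chain or consults a CRL, which matches the guide's description of what AWS does and does not check.

```shell
#!/bin/sh
# Added example, not code from the AWS DevPay guide.
# Assumes: openssl and base64 are on PATH; the file names below are arbitrary.
set -eu

WORKDIR="${TMPDIR:-/tmp}/devpay-x509-example"   # assumed scratch directory
KEY="$WORKDIR/private-key.pem"                   # keep this file; never upload it
CERT="$WORKDIR/certificate.pem"                  # this is the file you upload

# Generate a 2048-bit RSA key and a self-signed certificate valid for 365 days.
# The subject is a placeholder: the guide says AWS ignores the identity binding
# and uses the certificate only as a carrier for the public key.
make_self_signed_cert() {
    mkdir -p "$WORKDIR"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=devpay-example" \
        -keyout "$KEY" -out "$CERT" >/dev/null 2>&1
}

# Returns 0 only if the file contains a PEM certificate block and no private
# key block, i.e. it is safe to upload as "the certificate without the key".
cert_file_is_upload_safe() {
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1" &&
    ! grep -q -- 'PRIVATE KEY-----' "$1"
}

# Mirrors the upload-time check the guide describes: the only thing examined is
# the validity period. Returns 0 if the certificate is still valid for at least
# $2 seconds from now (default 0, meaning "not expired right now").
cert_not_expired() {
    openssl x509 -in "$1" -noout -checkend "${2:-0}" >/dev/null 2>&1
}

# Confirms the PEM body really is base64-encoded DER by converting the
# certificate to DER and parsing that DER back.
cert_body_is_der() {
    openssl x509 -in "$1" -outform DER 2>/dev/null |
        openssl x509 -inform DER -noout 2>/dev/null
}

# Produces the value carried by a WS-Security BinarySecurityToken element for an
# X.509v3 token: the DER certificate, base64-encoded, on a single line. This is
# the same text as the PEM body between the BEGIN/END lines.
binary_security_token_value() {
    openssl x509 -in "$1" -outform DER 2>/dev/null | base64 | tr -d '\n'
}

# Usage: sh this_script.sh run
if [ "${1:-}" = "run" ]; then
    make_self_signed_cert
    cert_file_is_upload_safe "$CERT"
    cert_not_expired "$CERT" 0
    cert_body_is_der "$CERT"
    echo "ok: $CERT is ready to upload; private key stays in $KEY"
fi
```

Note that cert_not_expired passes for any certificate whose notAfter lies in the future, regardless of who signed it or whether it has been revoked; if you rotate certificates on a schedule, pass a second argument (for example 30 days in seconds) to catch a certificate that is about to expire before AWS would start rejecting your signed requests.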

To upload your own X.509 certificate

  1. Go to the Amazon Web Services web site at http://aws.amazon.com.

  2. Point to your account name (the dropdown menu in the upper right) and click Security Credentials.

  3. Log in to your AWS account.

    The Security Credentials page is displayed.

  4. In the Access Credentials section of the page, click the X.509 Certificates tab.

  5. Click Upload Your Own Certificate.

  6. Follow the instructions presented to upload your certificate.

Using an X.509 Certificate Generated by AWS

If you don't already have an X.509 certificate, or if you want a new certificate to use with AWS, you can have AWS generate one and automatically associate it with your AWS account. Certificates generated by AWS are signed by an AWS internal certificate authority.

To have AWS create an X.509 certificate for you

  1. Go to the Amazon Web Services web site at http://aws.amazon.com.

  2. Point to your account name (the dropdown menu in the upper right) and click Security Credentials.

  3. Log in to your AWS account.

    The Security Credentials page is displayed.

  4. In the Access Credentials section of the page, click the X.509 Certificates tab.

  5. Click Create a New Certificate.

    Your X.509 certificate and corresponding private key are generated.

  6. From the dialog box, download your private key file and X.509 certificate file.