AWS Identity and Access Management
Using IAM (API Version 2010-05-08)

Creating, Uploading, and Deleting Server Certificates

This section describes the process of generating a server certificate and preparing it to use with AWS products through IAM. To create a certificate, you perform the following series of tasks.

Prerequisites

Creating and uploading a certificate requires the following command-line tools:

  • OpenSSL. You use this tool to generate a public/private key pair and a certificate signing request. Instructions for installing OpenSSL are provided under Install and Configure OpenSSL.

  • The AWS command-line interface (CLI). You use a CLI command to upload the certificate to AWS. For information about installing the CLI, see Installing the AWS Command Line Interface.

Install and Configure OpenSSL

Creating and uploading a certificate requires a tool that supports the SSL and TLS protocols. OpenSSL is an open-source toolkit that provides the cryptographic functions you need to generate an RSA key pair and to create a certificate signing request that is signed with your private key. If you don't already have OpenSSL installed, follow the instructions in this section.

To install OpenSSL on Linux and UNIX

  1. Go to OpenSSL: Source, Tarballs (http://www.openssl.org/source/).

  2. Download the latest source and build the package.

To install OpenSSL on Windows

  1. Go to OpenSSL: Binary Distributions (http://www.openssl.org/related/binaries.html).

  2. Click OpenSSL for Windows.

    A new page displays with links to the Windows downloads.

  3. If it is not already installed on your system, select the Microsoft Visual C++ 2008 Redistributables link appropriate for your environment and click Download. Follow the instructions provided by the Microsoft Visual C++ 2008 Redistributable Setup Wizard.

  4. After you have installed the Microsoft Visual C++ 2008 Redistributables, select the appropriate version of the OpenSSL binaries for your environment and save the file locally. The OpenSSL Setup Wizard launches.

  5. Follow the instructions described in the OpenSSL Setup Wizard. Save the OpenSSL binaries to a folder in your working directory.

Before you use OpenSSL commands, you must configure the operating system so that it has information about the location of the OpenSSL install point.

To configure OpenSSL on Linux and UNIX

  1. At the command line, set the OpenSSL_HOME variable to the location of the OpenSSL installation:

    export OpenSSL_HOME=path_to_your_OpenSSL_installation
  2. Set the path to the OpenSSL installation:

    export PATH=$PATH:$OpenSSL_HOME/bin

To configure OpenSSL on Windows

  1. Open a Command Prompt window.

  2. Set the OpenSSL_HOME variable to the location of the OpenSSL installation:

    set OpenSSL_HOME=path_to_your_OpenSSL_installation
  3. Set the OpenSSL_CONF variable to the location of the configuration file in your OpenSSL installation:

    set OpenSSL_CONF=path_to_your_OpenSSL_installation\bin\openssl.cfg
  4. Set the path to the OpenSSL installation:

    set Path=%Path%;%OpenSSL_HOME%\bin

    Note

    Any changes you make to Windows environment variables in a Command Prompt window are valid only for the current command line session. You can make persistent changes to the environment variables by setting them as system properties. The exact procedure depends on what version of Windows you're using. (For example, in Windows 7, open Control Panel > System and Security > System. Then choose Advanced system settings > Advanced tab > Environment Variables.) For more information, see the Windows documentation.

Create a Private Key

You need a unique private key to create your Certificate Signing Request (CSR).

To create a private key

  • At the command line, use the openssl genrsa command and the following syntax:

    openssl genrsa 2048 > private-key.pem

    For private-key.pem, specify your own file name. In the example, 2048 is the length of the RSA key in bits. IAM also accepts 1024-bit and 4096-bit keys, but we recommend 2048 bits: 1024-bit RSA keys are no longer considered secure, and public CAs will not sign requests made with them. Note that OpenSSL 3.0 and later write the key in PKCS#8 format (with a BEGIN PRIVATE KEY header) by default; add the -traditional option to genrsa, or convert the key afterwards with openssl rsa -traditional, because IAM requires the BEGIN RSA PRIVATE KEY encoding shown in Sample Certificates. Keep the file readable only by you; it is the secret that proves ownership of the certificate.

Create a Certificate Signing Request

The next step is to create a Certificate Signing Request (CSR). This is a file that you can send to a certificate authority (CA) to apply for a server certificate.

To create a CSR

  • Use the openssl req command to create a CSR and the following syntax:

    openssl req -new -key private-key.pem -out csr.pem

    The output will look similar to the following example:

    You are about to be asked to enter information that will be incorporated 
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank.
    For some fields there will be a default value.
    If you enter '.', the field will be left blank.

The following fields make up the Distinguished Name in your certificate request.

  • Country Name: the two-letter ISO 3166 code for your country. Example: US (United States).

  • State or Province: the name of the state or province where your organization is located, spelled out in full. Example: Washington.

  • Locality Name: the name of the city where your organization is located. Example: Seattle.

  • Organization Name: the full legal name of your organization, not abbreviated. Example: Example Corp.

  • Organizational Unit: optional, for additional organization information. Example: Marketing.

  • Common Name: the fully qualified domain name of the server, exactly as clients will address it (for example, the name your CNAME record points at). Browsers show a certificate name check warning if the name they connect to does not match. Example: www.example.com.

  • Email address: the server administrator's email address. Example: someone@example.com.

Note

The Common Name field is often misunderstood and completed incorrectly. The common name is the host name plus domain name that clients connect to, such as "www.example.com" or "example.com", and the CSR must carry it exactly. Current browsers match the host name against the certificate's subjectAltName extension rather than the Common Name, so also make sure the CA lists every host name you need as a DNS subject alternative name.
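The key and CSR steps above, carried out non-interactively as one script. This is an added example, not code from the AWS documentation: the DN values are the placeholders from the list above, the host name www.example.com is assumed, and the helper names (gen_rsa_key, make_csr, verify_csr) are hypothetical. It goes slightly beyond the page by requesting a subjectAltName extension, which is what browsers actually match, and by checking the CSR before it is sent to a CA.

```shell
#!/bin/sh
# Added example: generate the private key and CSR for an IAM server certificate
# without the interactive prompts. Placeholder DN values; hypothetical helpers.

# 2048-bit RSA key in the PKCS#1 encoding IAM expects ("BEGIN RSA PRIVATE KEY").
# OpenSSL 3 writes PKCS#8 ("BEGIN PRIVATE KEY") unless told -traditional; older
# releases reject that flag but write PKCS#1 anyway, hence the fallback.
gen_rsa_key() {  # $1=output file
  openssl genrsa -traditional -out "$1" 2048 2>/dev/null ||
    openssl genrsa -out "$1" 2048 2>/dev/null
}

# Build an OpenSSL request config with the DN fields from the list and a
# subjectAltName for the host name, then create the CSR. $1=key $2=csr $3=FQDN
make_csr() {
  cfg=$(mktemp)
  cat >"$cfg" <<EOF
[ req ]
prompt = no
distinguished_name = dn
req_extensions = ext
[ dn ]
C            = US
ST           = Washington
L            = Seattle
O            = Example Corp.
OU           = Marketing
CN           = $3
emailAddress = someone@example.com
[ ext ]
subjectAltName = DNS:$3
EOF
  openssl req -new -key "$1" -config "$cfg" -out "$2" 2>/dev/null && rm -f "$cfg"
}

# Sanity-check a CSR before submitting it: the self-signature verifies, it
# names the expected host in both CN and SAN, and the key is 2048 bits.
verify_csr() {  # $1=csr $2=FQDN
  openssl req -in "$1" -noout -verify >/dev/null 2>&1 || return 1
  txt=$(openssl req -in "$1" -noout -text)
  echo "$txt" | grep -q "CN *= *$2" || return 1
  echo "$txt" | grep -q "DNS:$2" || return 1
  echo "$txt" | grep -q 'Public-Key: (2048 bit)' || return 1
}

# Usage: sh make-csr.sh www.example.com   (writes private-key.pem and csr.pem)
if [ -n "$1" ]; then
  gen_rsa_key private-key.pem && make_csr private-key.pem csr.pem "$1" &&
    verify_csr csr.pem "$1" && echo "csr.pem is ready to send to your CA"
fi
```

The config-file route (rather than -subj plus -addext) works on every OpenSSL release, and verify_csr is the check to run before a CA charges you for a certificate with the wrong name or a key IAM will refuse.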

Submit the CSR to a Certificate Authority

Your CSR contains information identifying you. To apply for a server certificate, send your CSR to a certificate authority (CA). The CA might require other credentials or proofs of identity.

If the request for a certificate is successful, the CA returns an identity certificate (and possibly a chain certificate) that is digitally signed.

AWS does not recommend a specific CA. For a partial listing of available CAs, see Third-Party Certificate Authorities.

Upload the Signed Certificate

When you receive your server certificate from the certificate authority (CA), you can upload it to IAM along with the private key and the certificate chain. After you upload them, the certificate is available for other AWS services to use.

To upload server certificates on IAM, you use the AWS command line interface. For more information, see the AWS Command Line Interface User Guide.

Note

A certificate authority might return a certificate in a format that is not supported by IAM. You can convert the certificate to the correct format (X.509 PEM) by using OpenSSL. The specific command depends on the current format of your certificate.
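Converting whatever the CA (or a Windows export) hands back into the encodings IAM accepts, and rewriting a PKCS#8 or passphrase-protected key into the unencrypted BEGIN RSA PRIVATE KEY form that the upload criteria later on this page require. This is an added example, not from the AWS documentation; the helper names (cert_to_pem, key_to_rsa_pem, p12_extract) are hypothetical, and it detects the input encoding instead of assuming one.

```shell
#!/bin/sh
# Added example: normalise CA output into what IAM accepts (one X.509
# certificate in PEM, PEM intermediates, an unencrypted PKCS#1 RSA key).
# Built on the openssl CLI; function and file names are hypothetical.

# Keep only the PEM blocks (drops the "subject=" / "Bag Attributes" lines that
# -print_certs and pkcs12 write around them).
pem_certs_only() { sed -n '/^-----BEGIN CERTIFICATE-----/,/^-----END CERTIFICATE-----/p'; }
pem_key_only()   { sed -n '/^-----BEGIN .*PRIVATE KEY-----/,/^-----END .*PRIVATE KEY-----/p'; }

# Certificate in PEM, DER, or PKCS#7 (.p7b, PEM or DER) -> PEM on stdout.
# A PKCS#7 bundle usually carries the whole chain, so the output may hold
# several certificates: the first is the body, the rest is the chain file.
cert_to_pem() {  # $1=input file
  if grep -q '^-----BEGIN CERTIFICATE-----' "$1"; then
    pem_certs_only <"$1"
  elif grep -q '^-----BEGIN PKCS7-----' "$1"; then
    openssl pkcs7 -in "$1" -print_certs | pem_certs_only
  else
    # Binary input: try DER PKCS#7 first (a DER certificate is not a valid
    # PKCS#7 structure, so this fails cleanly), then DER X.509.
    out=$(openssl pkcs7 -inform DER -in "$1" -print_certs 2>/dev/null | pem_certs_only)
    [ -n "$out" ] && echo "$out" || openssl x509 -inform DER -in "$1"
  fi
}

# Any private key (PKCS#8 or PKCS#1, encrypted or not) -> unencrypted PKCS#1
# PEM. $1=input $2=output $3=passphrase source for encrypted input (pass:secret)
# OpenSSL 3 needs -traditional to emit PKCS#1; older releases reject the flag
# and emit PKCS#1 anyway, hence the fallback. The grep enforces the header.
key_to_rsa_pem() {
  pw="${3:-pass:}"
  { openssl rsa -in "$1" -passin "$pw" -traditional -out "$2" 2>/dev/null ||
    openssl rsa -in "$1" -passin "$pw" -out "$2" 2>/dev/null; } &&
  grep -q '^-----BEGIN RSA PRIVATE KEY-----' "$2"
}

# PKCS#12 (.pfx/.p12, e.g. exported from Windows) -> cert, key and chain.
# $1=bundle $2=cert out $3=key out $4=chain out $5=bundle passphrase source
p12_extract() {
  pw="${5:-pass:}"
  openssl pkcs12 -in "$1" -passin "$pw" -clcerts -nokeys 2>/dev/null | pem_certs_only >"$2"
  openssl pkcs12 -in "$1" -passin "$pw" -cacerts -nokeys 2>/dev/null | pem_certs_only >"$4"
  tmp=$(mktemp)
  openssl pkcs12 -in "$1" -passin "$pw" -nocerts -nodes 2>/dev/null | pem_key_only >"$tmp"
  key_to_rsa_pem "$tmp" "$3" || { rm -f "$tmp"; return 1; }
  rm -f "$tmp"
}
```

Typical use: cert_to_pem ca-reply.p7b > all.pem, then split all.pem into the server certificate (first block) and the chain (remaining blocks) before uploading. The key conversion writes the unencrypted key to disk, so run it on the host you upload from and delete the file afterwards.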

To upload your certificate, you need three files:

  • Your server certificate in PEM format.

  • Your private key in PEM format.

  • A certificate chain file. This contains all the intermediate certificates and the root certificate of the CA. The certificate chain lets an end user's browser build a certificate chain to a root certificate it trusts. As a result, the browser can implicitly trust your certificate.

You can upload all three files from the command line with one command.

To upload a server certificate

  • Use the aws iam upload-server-certificate command to upload a signed certificate:

    aws iam upload-server-certificate --server-certificate-name certificate_object_name --certificate-body file://public_key_certificate_file --private-key file://privatekey.pem --certificate-chain file://certificate_chain_file

    Note

    Notice that when you specify a file as a parameter (for example, for the certificate-body and private-key parameters), you include file:// as part of the file name.

    If you are uploading a self-signed certificate and it's not important that browsers implicitly accept the certificate, you can omit the --certificate-chain option and upload just the server certificate and private key, as shown in the following example:

    aws iam upload-server-certificate --server-certificate-name certificate_object_name --certificate-body file://public_key_certificate_file --private-key file://privatekey.pem

    CloudFront: If you are uploading a server certificate specifically for use with Amazon CloudFront distributions, you must specify a path using the --path option. The path must begin with /cloudfront and must include a trailing slash (for example, /cloudfront/test/). Enter the following command:

    aws iam upload-server-certificate --server-certificate-name certificate_object_name --certificate-body file://public_key_certificate_file --private-key file://privatekey.pem --certificate-chain file://certificate_chain_file --path /cloudfront/path/

You assign your own name to the certificate (the certificate_object_name parameter in the preceding commands). For information about limitations on server certificate names, see Limitations on IAM Entities.

For the Amazon CloudFront example, the command displays the ARN and unique ID of the uploaded certificate. If you use the CloudFront API to add a certificate to a distribution, you need the certificate ID. (If you use the CloudFront console for this task, the console displays the certificate name that you specified in the --server-certificate-name option.) For more information about using server certificates with CloudFront, see Using an HTTPS Connection to Access Your Objects in the Amazon CloudFront Developer Guide.

When you upload your certificates, IAM validates the certificates with the following criteria:

  • Certificates must follow the X.509 PEM format.

  • The current date must be between the certificate’s start and end date.

  • The certificate body must contain exactly one certificate; intermediate and root certificates belong in the chain file, not in the body. The private key file must contain exactly one key.

  • The private key must match the public key that is in the certificate.

  • The private key must be an RSA private key in PEM format, where the PEM header is BEGIN RSA PRIVATE KEY and the footer is END RSA PRIVATE KEY (as shown in Sample Certificates).

  • The private key cannot be encrypted with a password.

  • The certificate chain must include every intermediary certificate on the path from your server certificate to your CA's root certificate, in order, and may end with the root certificate itself (the root is optional; see the note that follows). Typically, a CA provides the intermediary and root certificates in a bundled file in the proper chained order. If no bundle is available, or it is not in the required order, create your own file modeled on the sample certificate chain in Sample Certificates, using the intermediary certificates your CA provided. Do not include intermediaries that are not on the chain of trust path.

    After you upload your certificate chain to AWS, you can use SSL Checker to verify it.

    Note

    • The order of intermediary certificates should be documented by the CA. AWS does not recommend any one CA. For a listing of some CAs, see Third-Party Certificate Authorities.

    • Although the root certificate is optional, you can include it so that you can run full chain of trust verifications, such as SSL Checker.

If you have certificates that result in an error when you upload them, ensure that they meet the criteria, and then try uploading them again.

To see sample certificates that are valid with IAM, see Sample Certificates.
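The criteria above, turned into a pre-upload check you can run before calling the AWS CLI, so a rejected upload (or, worse, an accepted one with a misordered chain that browsers cannot validate) is caught locally. This is an added example, not from the AWS documentation or the AWS CLI; the helper names are hypothetical and only the openssl CLI is needed. It checks the single-certificate body, the BEGIN RSA PRIVATE KEY header and absence of a passphrase, that the key matches the certificate, that the certificate has not expired, and that each certificate in the chain is the issuer of the one before it (the notBefore date and the name limits are left to IAM).

```shell
#!/bin/sh
# Added example: pre-upload checks for the three files that
# "aws iam upload-server-certificate" takes. Hypothetical helper, not part
# of the AWS CLI; needs only the openssl CLI. Each check prints a reason on
# stderr and returns non-zero when it fails.

fail() { echo "precheck: $*" >&2; return 1; }

# Number of PEM blocks in file $1 whose label is exactly $2 (e.g. CERTIFICATE).
pem_count() {
  [ -f "$1" ] || { echo 0; return; }
  grep -c "^-----BEGIN $2-----" "$1" || true
}

# Certificate body: exactly one X.509 certificate and no other PEM objects.
check_cert_body() {
  [ "$(pem_count "$1" CERTIFICATE)" -eq 1 ] ||
    fail "$1: must hold exactly one CERTIFICATE block (intermediates go in the chain file)" || return 1
  [ "$(grep -c '^-----BEGIN ' "$1")" -eq 1 ] ||
    fail "$1: contains PEM objects other than the certificate" || return 1
}

# Private key: one unencrypted PKCS#1 RSA key. OpenSSL 3 writes PKCS#8
# ("BEGIN PRIVATE KEY") unless you pass -traditional; IAM rejects that header.
check_private_key() {
  [ "$(pem_count "$1" 'RSA PRIVATE KEY')" -eq 1 ] ||
    fail "$1: need exactly one 'BEGIN RSA PRIVATE KEY' block (convert with: openssl rsa -traditional)" || return 1
  ! grep -q '^Proc-Type: 4,ENCRYPTED' "$1" ||
    fail "$1: key is passphrase-protected; IAM needs it unencrypted" || return 1
}

# The certificate's public key must be the one derived from the private key.
check_key_matches_cert() {  # $1=key $2=cert
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || fail "$1: unreadable private key" || return 1
  c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || fail "$2: unreadable certificate" || return 1
  [ "$k" = "$c" ] || fail "$1 does not match the public key in $2" || return 1
}

# IAM rejects expired certificates; -checkend 0 fails once notAfter has passed.
check_not_expired() {
  openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1 || fail "$1: certificate has expired" || return 1
}

# Subject or issuer DN of certificate $1 ($2 = subject | issuer), prefix stripped.
dn() { openssl x509 -in "$1" -noout "-$2" | sed 's/^[a-z]*= *//'; }

# Write each CERTIFICATE block of $1 to its own file in directory $2; print the count.
split_pem() {
  awk -v dir="$2" '/^-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/%03d.pem", dir, n) }
                   n { print > out }
                   END { print n + 0 }' "$1"
}

# Chain order: the first certificate must be the issuer of the server
# certificate, and each following certificate must be the issuer of the one
# before it. A stray or misplaced certificate breaks the linkage.
check_chain_order() {  # $1=server cert $2=chain file
  d=$(mktemp -d); n=$(split_pem "$2" "$d")
  [ "$n" -ge 1 ] || fail "$2: no CERTIFICATE blocks found" || return 1
  want=$(dn "$1" issuer)
  for f in "$d"/*.pem; do
    [ "$(dn "$f" subject)" = "$want" ] ||
      fail "$2: certificate $(basename "$f" .pem) is not the issuer of the preceding one (out of order or not on the trust path)" || return 1
    want=$(dn "$f" issuer)
  done
  rm -rf "$d"
}

# Run everything; the chain file is optional (self-signed certificates have none).
precheck_server_certificate() {  # $1=cert $2=key [$3=chain]
  check_cert_body "$1" && check_private_key "$2" && check_not_expired "$1" &&
    check_key_matches_cert "$2" "$1" || return 1
  if [ -n "$3" ]; then check_chain_order "$1" "$3" || return 1; fi
  echo "precheck passed: $1 $2 ${3:-(no chain)}"
}

# Usage from a deployment script (the upload itself needs AWS credentials):
#   precheck_server_certificate cert.pem private-key.pem chain.pem &&
#     aws iam upload-server-certificate --server-certificate-name my-cert \
#       --certificate-body file://cert.pem --private-key file://private-key.pem \
#       --certificate-chain file://chain.pem
if [ "$#" -ge 2 ]; then precheck_server_certificate "$@"; fi
```

The chain check compares issuer and subject names only, which is what the ordering rule is about; it does not verify signatures, so a chain that passes here can still fail if the CA gave you an intermediate with the right name but a different key. For that final confirmation run openssl verify with the root as -CAfile and the intermediates as -untrusted, or the external checker mentioned above, after the upload.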

Note

If you are having difficulties uploading a server certificate, you might find it helpful to follow the steps outlined in the following blog post: Setting up SSL on an Amazon Elastic Load Balancer.

Verify the Certificate Object

After the server certificate is uploaded, you can verify that the information is stored in IAM. Each certificate object has a unique Amazon Resource Name (ARN) and ID. You can request these details for a specific certificate object by referencing the name of the certificate object.

To view the certificate object's ARN and ID

  • Use the aws iam get-server-certificate command to verify the certificate object:

    aws iam get-server-certificate --server-certificate-name certificate_object_name

    The output includes the certificate's metadata; the Arn and ServerCertificateId values look similar to the following example. The certificate body and chain are returned as well, but the private key is never returned.

    arn:aws:iam::Your_AWS_Account_ID:server-certificate/Your_Certificate_Object_Name Certificate_Object_GUID

You have now completed the process for creating and uploading a signed certificate. For information about setting up a load balancer using Amazon ELB's HTTPS support, see the command line interface (CLI) examples in the How to Set Up a Load Balancer with HTTPS Support section of the Elastic Load Balancing Developer Guide.

Delete a Certificate Object

If you no longer need a certificate, you can delete it. Remove every reference to it from load balancers and CloudFront distributions first: a load balancer that still has the deleted certificate bound to an HTTPS listener can stop accepting traffic.

To delete a certificate object

  • Use the aws iam delete-server-certificate command to remove an individual certificate.

    aws iam delete-server-certificate --server-certificate-name certificate_object_name

    If the command is successful, no output is displayed.

Sample Certificates

The following certificates show the valid format that IAM accepts for server certificates and their associated private key and certificate chain.

The server certificate associates your public key with your identity. When you submit your Certificate Signing Request (CSR) to a certificate authority (CA), a server certificate is returned to you by the CA. The following example shows the format of a server certificate:

-----BEGIN CERTIFICATE-----
your-certificate-here
-----END CERTIFICATE-----

The private key is the secret half of the key pair whose public half is embedded in the certificate; the server uses it during the TLS handshake to prove that it owns the certificate. Keep it confidential, and note that IAM never returns it after upload. The following example shows the format of a key:

-----BEGIN RSA PRIVATE KEY-----
your-key-here
-----END RSA PRIVATE KEY-----

The certificate chain lists every intermediary certificate on the path from your server certificate to the root, starting with the intermediary that signed your server certificate; each subsequent certificate is the issuer of the one before it, and the CA's root certificate, if included, comes last. Intermediaries that are not on the trust path must not be included. Typically, a CA provides the intermediary and root certificates in a bundled file in the proper chained order.

Sample certificate chain

-----BEGIN CERTIFICATE-----
Intermediate certificate 2 (issued your server certificate)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Intermediate certificate 1 (issued intermediate certificate 2)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Optional: Root certificate (self-signed; issued intermediate certificate 1)
-----END CERTIFICATE-----