AWS Identity and Access Management
User Guide

Working with Server Certificates

To enable HTTPS connections to your website or application on AWS, you need an SSL/TLS server certificate. You can use a server certificate provided by AWS Certificate Manager (ACM) or one that you obtained from an external provider.

We recommend that you use ACM to provision, manage, and deploy your server certificates. With ACM you can request a certificate, deploy it to AWS resources, and let ACM handle certificate renewals for you. Certificates provided by ACM are free. For more information about using ACM, see the AWS Certificate Manager User Guide.

To use a certificate that you obtained from an external provider with your website or application on AWS, you must upload the certificate to IAM or import it into ACM. We recommend that you import your certificates into ACM. You can use ACM to manage all of your AWS server certificates—those provided by ACM and those that you obtained from an external provider for use with AWS. You can use certificates stored in ACM for the same AWS services that support certificates stored in IAM (Elastic Load Balancing, Amazon CloudFront, and AWS Elastic Beanstalk). With ACM, you can use a single certificate for more than one of these services simultaneously. You can import certificates into ACM using the AWS Management Console, which you cannot do with IAM.

For more information about importing certificates into ACM, see Importing Certificates in the AWS Certificate Manager User Guide.

For more information about uploading certificates to IAM, see the following topics.

Uploading a Server Certificate (IAM API)

To upload a server certificate to IAM, you must provide the certificate and its matching private key. When the certificate is not self-signed, you must also provide a certificate chain. (You don't need a certificate chain when uploading a self-signed certificate.) Before you upload a certificate, ensure that you have all these items and that they meet the following criteria:

  • The certificate must be valid at the time of upload. You cannot upload a certificate before its validity period begins (the certificate's NotBefore date) or after it expires (the certificate's NotAfter date).

  • The private key must be unencrypted. You cannot upload a private key that is protected by a password or passphrase. For help decrypting an encrypted private key, see Troubleshooting.

  • The certificate, private key, and certificate chain must all be PEM-encoded. For help converting these items to PEM format, see Troubleshooting.

To use the IAM API to upload a certificate, send an UploadServerCertificate request. The following example shows how to do this with the AWS Command Line Interface (AWS CLI). The example assumes the following:

  • The PEM-encoded certificate is stored in a file named Certificate.pem.

  • The PEM-encoded certificate chain is stored in a file named CertificateChain.pem.

  • The PEM-encoded, unencrypted private key is stored in a file named PrivateKey.pem.

To use the following example command, replace these file names with your own and replace ExampleCertificate with a name for your uploaded certificate. Type the command on one continuous line. The following example includes line breaks and extra spaces to make it easier to read.

$ aws iam upload-server-certificate --server-certificate-name ExampleCertificate
                                    --certificate-body file://Certificate.pem
                                    --certificate-chain file://CertificateChain.pem
                                    --private-key file://PrivateKey.pem

When the preceding command is successful, it returns metadata about the uploaded certificate, including its Amazon Resource Name (ARN), its friendly name, its identifier (ID), its expiration date, and more.

Note

If you are uploading a server certificate to use with Amazon CloudFront, you must specify a path using the --path option. The path must begin with /cloudfront and must include a trailing slash (for example, /cloudfront/test/).

To use the AWS Tools for Windows PowerShell to upload a certificate, use Publish-IAMServerCertificate.
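The three criteria above (valid now, unencrypted key, PEM encoding) plus the key/certificate match can be checked locally before calling upload-server-certificate. The following POSIX shell function is an added example, not part of the AWS documentation; the name iam_cert_preflight and the file arguments are assumptions, and it relies on openssl verify (with the certificate as its own trust anchor when no chain is given) to cover the NotBefore/NotAfter window:

```shell
#!/bin/sh
# Pre-upload checks for an IAM server certificate (added example, not from the AWS docs).
# Mirrors the criteria in "Uploading a Server Certificate":
#   - certificate and key are PEM-encoded and parse cleanly
#   - certificate is valid now (NotBefore <= now <= NotAfter) and its chain verifies
#   - private key is unencrypted and matches the certificate's public key
# Usage: iam_cert_preflight CERT.pem KEY.pem [CHAIN.pem]
# Exit status 0 when every check passes; otherwise 1 with the failing check printed.
iam_cert_preflight() {
    cert=$1; key=$2; chain=$3

    # 1. The certificate must be a PEM X.509 certificate OpenSSL can read.
    openssl x509 -in "$cert" -noout >/dev/null 2>&1 \
        || { echo "FAIL: $cert is not a readable PEM-encoded certificate"; return 1; }

    # 2. Validity window and chain. openssl verify rejects a certificate that is
    #    not yet valid or already expired. A self-signed certificate (no chain
    #    supplied) is its own trust anchor; otherwise the chain file must contain
    #    the issuing CA certificates up to a self-signed root (on OpenSSL 1.1+,
    #    add -partial_chain to accept a chain that stops at an intermediate).
    trust=${chain:-$cert}
    result=$(openssl verify -CAfile "$trust" "$cert" 2>&1) \
        || { echo "FAIL: not valid now or chain does not verify: $result"; return 1; }

    # 3. The private key must not be passphrase-protected (legacy PEM marks this
    #    with a Proc-Type header; PKCS#8 uses a distinct BEGIN line).
    if grep -q -e 'Proc-Type: 4,ENCRYPTED' -e 'BEGIN ENCRYPTED PRIVATE KEY' "$key"; then
        echo "FAIL: $key is encrypted; remove the passphrase with 'openssl rsa' first"
        return 1
    fi

    # 4. The key must parse without a passphrase (an empty -passin makes any
    #    remaining encrypted format fail instead of prompting).
    openssl pkey -in "$key" -passin pass: -noout >/dev/null 2>&1 \
        || { echo "FAIL: $key is not a readable, unencrypted PEM private key"; return 1; }

    # 5. The key must belong to this certificate: compare the public key in the
    #    certificate with the public key derived from the private key.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -passin pass: -pubout 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] \
        || { echo "FAIL: private key does not match the certificate"; return 1; }

    echo "OK: $cert, $key${chain:+, $chain} are ready for upload-server-certificate"
    return 0
}
```

Run it as iam_cert_preflight Certificate.pem PrivateKey.pem CertificateChain.pem immediately before the upload-server-certificate command; a non-zero exit status tells you which criterion IAM would reject.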

Retrieving a Server Certificate (IAM API)

To use the IAM API to retrieve a certificate, send a GetServerCertificate request. The following example shows how to do this with the AWS CLI. Replace ExampleCertificate with the name of the certificate to retrieve.

$ aws iam get-server-certificate --server-certificate-name ExampleCertificate

When the preceding command is successful, it returns the certificate, the certificate chain (if one was uploaded), and metadata about the certificate.

Note

You cannot download or retrieve a private key from IAM after you upload it.

To use the AWS Tools for Windows PowerShell to retrieve a certificate, use Get-IAMServerCertificate.

Listing Server Certificates (IAM API)

To use the IAM API to list your uploaded server certificates, send a ListServerCertificates request. The following example shows how to do this with the AWS CLI.

$ aws iam list-server-certificates

When the preceding command is successful, it returns a list that contains metadata about each certificate.

To use the AWS Tools for Windows PowerShell to list your uploaded server certificates, use Get-IAMServerCertificates.

Renaming a Server Certificate or Updating its Path (IAM API)

To use the IAM API to rename a server certificate or update its path, send an UpdateServerCertificate request. The following example shows how to do this with the AWS CLI.

To use the following example command, replace the old and new certificate names and the certificate path, and type the command on one continuous line. The following example includes line breaks and extra spaces to make it easier to read.

$ aws iam update-server-certificate --server-certificate-name ExampleCertificate
                                    --new-server-certificate-name CloudFrontCertificate
                                    --new-path /cloudfront/

When the preceding command is successful, it does not return any output.

To use the AWS Tools for Windows PowerShell to rename a server certificate or update its path, use Update-IAMServerCertificate.

Deleting a Server Certificate (IAM API)

To use the IAM API to delete a server certificate, send a DeleteServerCertificate request. The following example shows how to do this with the AWS CLI.

To use the following example command, replace ExampleCertificate with the name of the certificate to delete.

$ aws iam delete-server-certificate --server-certificate-name ExampleCertificate

When the preceding command is successful, it does not return any output.

To use the AWS Tools for Windows PowerShell to delete a server certificate, use Remove-IAMServerCertificate.

Troubleshooting

Before you can upload a certificate to IAM, you must make sure that the certificate, private key, and certificate chain are all PEM-encoded. You must also ensure that the private key is unencrypted. See the following examples.

Example PEM-encoded certificate

-----BEGIN CERTIFICATE-----
Base64-encoded certificate
-----END CERTIFICATE-----

Example PEM-encoded, unencrypted private key

-----BEGIN RSA PRIVATE KEY-----
Base64-encoded private key
-----END RSA PRIVATE KEY-----

Example PEM-encoded certificate chain

A certificate chain contains one or more certificates. The following example contains three certificates, but your certificate chain might contain more or fewer.

-----BEGIN CERTIFICATE-----
Base64-encoded certificate
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Base64-encoded certificate
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Base64-encoded certificate
-----END CERTIFICATE-----

If these items are not in the right format for uploading to IAM, you can use OpenSSL to convert them to the right format.

To convert a certificate or certificate chain from DER to PEM

Use the OpenSSL x509 command, as in the following example. In the following example command, replace Certificate.der with the name of the file that contains your DER-encoded certificate. Replace Certificate.pem with the desired name of the output file to contain the PEM-encoded certificate.

$ openssl x509 -inform DER -in Certificate.der -outform PEM -out Certificate.pem


To convert a private key from DER to PEM

Use the OpenSSL rsa command, as in the following example. In the following example command, replace PrivateKey.der with the name of the file that contains your DER-encoded private key. Replace PrivateKey.pem with the desired name of the output file to contain the PEM-encoded private key.

$ openssl rsa -inform DER -in PrivateKey.der -outform PEM -out PrivateKey.pem


To decrypt an encrypted private key (remove the password or passphrase)

Use the OpenSSL rsa command, as in the following example. To use the following example command, replace EncryptedPrivateKey.pem with the name of the file that contains your encrypted private key. Replace PrivateKey.pem with the desired name of the output file to contain the PEM-encoded unencrypted private key.

$ openssl rsa -in EncryptedPrivateKey.pem -out PrivateKey.pem


To convert a certificate bundle from PKCS#12 (PFX) to PEM

Use the OpenSSL pkcs12 command, as in the following example. In the following example command, replace CertificateBundle.p12 with the name of the file that contains your PKCS#12-encoded certificate bundle. Replace CertificateBundle.pem with the desired name of the output file to contain the PEM-encoded certificate bundle.

$ openssl pkcs12 -in CertificateBundle.p12 -out CertificateBundle.pem -nodes


To convert a certificate bundle from PKCS#7 to PEM

Use the OpenSSL pkcs7 command, as in the following example. In the following example command, replace CertificateBundle.p7b with the name of the file that contains your PKCS#7-encoded certificate bundle. Replace CertificateBundle.pem with the desired name of the output file to contain the PEM-encoded certificate bundle.

$ openssl pkcs7 -in CertificateBundle.p7b -print_certs -out CertificateBundle.pem
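The five conversions above can be folded into one helper that sniffs the input format and applies the matching OpenSSL command. This is an added example, not from the AWS documentation; the function name to_pem, its arguments and the optional PASS value are assumptions, and it uses openssl pkey in place of openssl rsa so that EC keys are handled as well:

```shell
#!/bin/sh
# Convert a certificate, private key, or bundle to the PEM form IAM expects
# (added example, not from the AWS docs). Detects the input and applies the
# command from the Troubleshooting section:
#   DER certificate    -> openssl x509  -inform DER
#   DER private key    -> openssl pkey  -inform DER   (pkey covers RSA and EC)
#   encrypted PEM key  -> openssl pkey  (passphrase removed; supply it as PASS)
#   PKCS#7 (.p7b)      -> openssl pkcs7 -print_certs
#   PKCS#12 (.p12)     -> openssl pkcs12 -nodes
# Usage: to_pem INPUT OUTPUT [PASS]; prints the detected kind, returns 1 if unknown.
to_pem() {
    in=$1; out=$2; pass=${3:-}
    if grep -q -- '-----BEGIN' "$in" 2>/dev/null; then
        # Text PEM: only encrypted keys and PEM PKCS#7 bundles still need work.
        if grep -q -e 'Proc-Type: 4,ENCRYPTED' -e 'BEGIN ENCRYPTED PRIVATE KEY' "$in"; then
            echo "encrypted PEM private key"
            openssl pkey -in "$in" -passin "pass:$pass" -out "$out"
        elif grep -q 'BEGIN PKCS7' "$in"; then
            echo "PEM PKCS#7 bundle"
            openssl pkcs7 -in "$in" -print_certs -out "$out"
        else
            echo "already PEM"; cp "$in" "$out"
        fi
    # Binary inputs: try each DER parser in turn; -noout keeps the probe silent.
    elif openssl x509 -inform DER -in "$in" -noout 2>/dev/null; then
        echo "DER certificate"
        openssl x509 -inform DER -in "$in" -outform PEM -out "$out"
    elif openssl pkey -inform DER -in "$in" -noout 2>/dev/null; then
        echo "DER private key"
        openssl pkey -inform DER -in "$in" -outform PEM -out "$out"
    elif openssl pkcs7 -inform DER -in "$in" -noout 2>/dev/null; then
        echo "DER PKCS#7 bundle"
        openssl pkcs7 -inform DER -in "$in" -print_certs -out "$out"
    elif openssl pkcs12 -in "$in" -passin "pass:$pass" -noout 2>/dev/null; then
        echo "PKCS#12 bundle"
        openssl pkcs12 -in "$in" -passin "pass:$pass" -nodes -out "$out"
    else
        echo "unrecognised format: $in" >&2; return 1
    fi
}
```

A PKCS#12 or PKCS#7 bundle converted this way still contains the certificate, chain and (for PKCS#12) the key in one file; split it into the three files IAM expects before uploading.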