AWS Certificate Manager
User Guide (Version 1.0)

Prerequisites for Importing Certificates

To import a certificate into ACM, you must provide the certificate and its matching private key. When the certificate is not self-signed, you must also provide a certificate chain. (You don't need a certificate chain when importing a self-signed certificate.) Before you import a certificate, ensure that you have all these items and that they meet the following criteria:

  • The certificate must contain a 1024-bit or 2048-bit RSA public key.

  • The certificate must be an SSL/TLS certificate with at least one fully qualified domain name. You cannot import a certificate for code signing, email encryption, or other uses.

  • The certificate must be valid at the time of import. You cannot import a certificate before its validity period begins (the certificate's NotBefore date) or after it expires (the certificate's NotAfter date).

  • The private key must be unencrypted. You cannot import a private key that is protected by a password or passphrase. For help decrypting an encrypted private key, see Troubleshooting.

  • The certificate, private key, and certificate chain must all be PEM-encoded. For help converting these items to PEM format, see Troubleshooting.
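
The following is an added example, not part of the AWS guide: a Python preflight, using only the standard library, for two of the criteria above (every item is PEM-encoded, and the private key is not protected by a passphrase). The names preflight, pem_blocks and stub_pem and the stub PEM bodies are constructed for illustration; key size, domain names and validity dates are not checked here.

```python
import base64
import re

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)
CERT = {"CERTIFICATE"}
# RSA key containers; "ENCRYPTED PRIVATE KEY" is listed so it can be reported precisely.
KEY = {"PRIVATE KEY", "RSA PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}

def pem_blocks(text):
    """Yield (label, rfc1421_headers, der_bytes) for every PEM block in text."""
    for label, body in PEM_BLOCK.findall(text):
        lines = [ln.strip() for ln in body.splitlines() if ln.strip()]
        headers = [ln for ln in lines if ":" in ln]      # e.g. Proc-Type, DEK-Info
        b64 = "".join(ln for ln in lines if ":" not in ln)
        yield label, headers, base64.b64decode(b64, validate=True)

def preflight(cert, key, chain=None):
    """Take file contents as bytes; return a list of problems (empty means OK)."""
    problems = []
    for name, data, allowed in (("certificate", cert, CERT),
                                ("private key", key, KEY),
                                ("certificate chain", chain, CERT)):
        if data is None:                                 # chain omitted (self-signed)
            continue
        try:
            blocks = list(pem_blocks(data.decode("ascii")))
        except ValueError:                               # non-ASCII bytes or bad base64
            problems.append(f"{name}: not PEM-encoded (binary DER or corrupt file?)")
            continue
        if not blocks:
            problems.append(f"{name}: no PEM block found")
        for label, headers, der in blocks:
            if label not in allowed:
                problems.append(f"{name}: unexpected PEM block {label!r}")
            elif label == "ENCRYPTED PRIVATE KEY" or any(
                    h.startswith("Proc-Type:") and "ENCRYPTED" in h for h in headers):
                problems.append(f"{name}: key is passphrase-protected, decrypt it first")
            elif not der.startswith(b"\x30"):            # DER objects here are SEQUENCEs
                problems.append(f"{name}: body is not a DER SEQUENCE")
    return problems

def stub_pem(label, headers=""):
    """Constructed sample input: a tiny DER stub, not a real key or certificate."""
    return f"-----BEGIN {label}-----\n{headers}MAMCAQA=\n-----END {label}-----\n".encode()

if __name__ == "__main__":
    legacy = stub_pem("RSA PRIVATE KEY", "Proc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,00\n\n")
    print(preflight(stub_pem("CERTIFICATE"), stub_pem("PRIVATE KEY")))   # no problems
    print(preflight(stub_pem("CERTIFICATE"), legacy))                    # encrypted key
    print(preflight(b"\x30\x82\x01\x0a", stub_pem("PRIVATE KEY")))       # DER, not PEM
```

Pass the raw bytes of each file to preflight; an empty list means both criteria are met for the items supplied.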