AWS Certificate Manager
User Guide (Version 1.0)

Prerequisites for Importing Certificates

To import an SSL/TLS certificate into ACM, you must provide the certificate and its private key. If the certificate is not self-signed, you must also provide a certificate chain. If the certificate is self-signed, you can optionally provide a chain. In addition, your certificate must satisfy the following criteria:

  • The certificate must contain a 1024-bit or 2048-bit RSA public key. The RSA algorithm uses two different but mathematically related keys, one public and the other private. The public key can be shared with anyone. The private key must be kept secret. When purchasing an SSL/TLS certificate from a certification authority (CA), you typically create a certificate request that contains your public key and that you sign by using your private key. You also use your private key when creating a self-signed certificate.

  • The certificate must be an SSL/TLS X.509 version 3 certificate. You cannot import a certificate for code signing, email encryption, or any other use. The certificate must contain an RSA public key, the fully qualified domain name (FQDN) for your website, and information about the issuing authority. The certificate can be signed either with the private key that corresponds to your public key (a self-signed certificate) or with the private key of an issuing CA. You install an SSL/TLS certificate on your web server to enable secure connections between your server and a web browser.

  • The certificate must be valid at the time of import. You cannot import a certificate before its validity period begins or after it expires. The NotBefore certificate field contains the validity start date, and the NotAfter field contains the end date.

  • The private key must be unencrypted. You cannot import a private key that is protected by a password or passphrase. Because the key is stored in the clear for the import, restrict access to the file while it is on disk and remove it once the import has succeeded.

  • The certificate, private key, and certificate chain must all be PEM-encoded. PEM stands for Privacy Enhanced Mail, but it was never widely adopted as an Internet mail standard. Instead, the PEM format is commonly used to represent a certificate, a certificate request, or a private key. The DER bytes are base64-encoded and placed between a -----BEGIN CERTIFICATE----- header and an -----END CERTIFICATE----- footer (private keys use the corresponding PRIVATE KEY header and footer).

    -----BEGIN CERTIFICATE-----
    Base64-encoded certificate
    -----END CERTIFICATE-----
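The criteria above are all mechanical, so they can be checked offline before calling ACM. The following script is an added example, not AWS code and not part of this guide: it walks just enough DER to read the X.509 version, the validity window, the public key algorithm and RSA modulus size, and whether issuer and subject match, and it inspects the PEM private key for the PKCS#8 "ENCRYPTED PRIVATE KEY" label or the legacy "Proc-Type: 4,ENCRYPTED" header. The sample certificates it checks are constructed in the script with a synthetic modulus and an all-zero signature, and the private key blocks are placeholders; a real pre-import check would run the same tests against your actual files (or use openssl, which this does not replace).

```python
"""Offline pre-flight check of a certificate bundle against the ACM import prerequisites.
Added example with a minimal DER walker; it is not AWS code and not a full X.509 parser."""
import base64
import re
from datetime import datetime, timezone

PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)
RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption


def pem_blocks(text):
    """Return [(label, rfc1421_headers, der_bytes)] for every PEM block in text."""
    out = []
    for m in PEM_RE.finditer(text):
        body = m.group(2).strip()
        headers, sep, b64 = body.partition("\n\n")  # legacy Proc-Type/DEK-Info headers end at a blank line
        if not sep:
            headers, b64 = "", body
        out.append((m.group(1), headers, base64.b64decode("".join(b64.split()))))
    return out


def tlv(buf, pos=0):
    """Decode one DER element at pos -> (tag, value, end_offset)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def children(value):
    """Split a constructed element's contents into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = tlv(value, pos)
        out.append((tag, val))
    return out


def asn1_time(tag, raw):
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"  # UTCTime vs GeneralizedTime
    return datetime.strptime(raw.decode(), fmt).replace(tzinfo=timezone.utc)


def parse_cert(cert_der):
    """Extract version, validity, RSA modulus size and issuer==subject from a DER certificate."""
    _, cert, _ = tlv(cert_der)
    tbs = children(children(cert)[0][1])  # tbsCertificate is the first element of Certificate
    version = 1
    if tbs[0][0] == 0xA0:  # [0] EXPLICIT version; v3 is encoded as INTEGER 2
        version = children(tbs[0][1])[0][1][0] + 1
        tbs = tbs[1:]
    _serial, _sig_alg, issuer, validity, subject, spki = tbs[:6]
    not_before, not_after = (asn1_time(t, v) for t, v in children(validity[1]))
    alg, pubkey = children(spki[1])
    rsa_bits = None
    if children(alg[1])[0][1] == RSA_OID:
        rsa = children(tlv(pubkey[1][1:])[1])  # skip BIT STRING unused-bits octet, then RSAPublicKey SEQUENCE
        rsa_bits = int.from_bytes(rsa[0][1], "big").bit_length()  # modulus n
    return {"version": version, "rsa_bits": rsa_bits, "self_signed": issuer[1] == subject[1],
            "not_before": not_before, "not_after": not_after}


def check_import_bundle(cert_pem, key_pem, chain_pem=None, now=None):
    """Return a list of prerequisite violations; an empty list means the bundle looks importable."""
    now = now or datetime.now(timezone.utc)
    certs = [b for b in pem_blocks(cert_pem) if b[0] == "CERTIFICATE"]
    if len(certs) != 1:
        return ["certificate must be exactly one PEM CERTIFICATE block"]
    info, problems = parse_cert(certs[0][2]), []
    if info["version"] != 3:
        problems.append(f"X.509 version {info['version']}, ACM requires version 3")
    if info["rsa_bits"] not in (1024, 2048):
        problems.append(f"public key is not 1024- or 2048-bit RSA (got {info['rsa_bits']})")
    if not info["not_before"] <= now <= info["not_after"]:
        problems.append("certificate is outside its NotBefore/NotAfter validity period")
    keys = [b for b in pem_blocks(key_pem) if b[0].endswith("PRIVATE KEY")]
    if len(keys) != 1:
        problems.append("private key must be exactly one PEM private key block")
    elif keys[0][0] == "ENCRYPTED PRIVATE KEY" or "ENCRYPTED" in keys[0][1]:
        problems.append("private key is passphrase-protected; ACM needs an unencrypted key")
    if not info["self_signed"] and not (chain_pem and pem_blocks(chain_pem)):
        problems.append("CA-issued certificate supplied without its certificate chain")
    return problems


# --- constructed sample input: synthetic modulus, zero signature, placeholder keys (not real key material) ---
def encode(tag, body):
    n = len(body)
    length = bytes([n]) if n < 0x80 else (b"\x81" + bytes([n]) if n < 0x100 else b"\x82" + n.to_bytes(2, "big"))
    return bytes([tag]) + length + body


def make_sample_cert_pem(subject_cn="www.example.com", issuer_cn="ca.example.com",
                         not_before="240101000000Z", not_after="491231235959Z", version=3, bits=2048):
    oid = lambda h: encode(0x06, bytes.fromhex(h))
    name = lambda cn: encode(0x30, encode(0x31, encode(0x30, oid("550403") + encode(0x0C, cn.encode()))))  # CN=
    modulus = ((1 << (bits - 1)) | 1).to_bytes(bits // 8, "big")  # only its size matters for this check
    rsa_key = encode(0x30, encode(0x02, b"\x00" + modulus) + encode(0x02, b"\x01\x00\x01"))
    spki = encode(0x30, encode(0x30, oid("2a864886f70d010101") + encode(0x05, b"")) + encode(0x03, b"\x00" + rsa_key))
    sig_alg = encode(0x30, oid("2a864886f70d01010b") + encode(0x05, b""))  # sha256WithRSAEncryption
    tbs = encode(0xA0, encode(0x02, bytes([version - 1]))) if version > 1 else b""
    tbs += encode(0x02, b"\x01") + sig_alg + name(issuer_cn)
    tbs += encode(0x30, encode(0x17, not_before.encode()) + encode(0x17, not_after.encode()))
    tbs += name(subject_cn) + spki
    b64 = base64.b64encode(encode(0x30, encode(0x30, tbs) + sig_alg + encode(0x03, b"\x00" * 33))).decode()
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64)) + "\n-----END CERTIFICATE-----\n"


PLACEHOLDER = base64.b64encode(b"placeholder, not a key").decode()
UNENCRYPTED_KEY = f"-----BEGIN PRIVATE KEY-----\n{PLACEHOLDER}\n-----END PRIVATE KEY-----\n"
ENCRYPTED_KEY = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                 f"DEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF\n\n{PLACEHOLDER}\n-----END RSA PRIVATE KEY-----\n")

if __name__ == "__main__":
    leaf, ca = make_sample_cert_pem(), make_sample_cert_pem("ca.example.com", "ca.example.com")
    print(check_import_bundle(leaf, UNENCRYPTED_KEY))                # CA-issued leaf, chain missing
    print(check_import_bundle(leaf, UNENCRYPTED_KEY, chain_pem=ca))  # all prerequisites met
    print(check_import_bundle(leaf, ENCRYPTED_KEY, chain_pem=ca))    # passphrase-protected key rejected
```

The checker treats "issuer equals subject" as the self-signed test, which is what decides whether the chain is mandatory; it does not verify signatures, so a passing result means the bundle is in the right shape for import, not that the chain actually validates the leaf.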