AWS Certificate Manager
User Guide (Version 1.0)

Troubleshooting

Before you can import a certificate into ACM, you must make sure that the certificate, private key, and certificate chain are all PEM-encoded. You must also ensure that the private key is unencrypted. See the following examples.

Example PEM-encoded certificate

-----BEGIN CERTIFICATE-----
Base64-encoded certificate
-----END CERTIFICATE-----

Example PEM-encoded, unencrypted private key

-----BEGIN RSA PRIVATE KEY-----
Base64-encoded private key
-----END RSA PRIVATE KEY-----

Example PEM-encoded certificate chain

A certificate chain contains one or more certificates. The following example contains three certificates, but your certificate chain might contain more or fewer.

-----BEGIN CERTIFICATE-----
Base64-encoded certificate
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Base64-encoded certificate
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Base64-encoded certificate
-----END CERTIFICATE-----

If these items are not in the right format for importing into ACM, you can use OpenSSL to convert them to the right format.

To convert a certificate or certificate chain from DER to PEM

Use the OpenSSL x509 command, as in the following example. In the command, replace Certificate.der with the name of the file that contains your DER-encoded certificate. Replace Certificate.pem with the desired name of the output file to contain the PEM-encoded certificate.

$ openssl x509 -inform DER -in Certificate.der -outform PEM -out Certificate.pem

To convert a private key from DER to PEM

Use the OpenSSL rsa command, as in the following example. In the command, replace PrivateKey.der with the name of the file that contains your DER-encoded private key. Replace PrivateKey.pem with the desired name of the output file to contain the PEM-encoded private key.

$ openssl rsa -inform DER -in PrivateKey.der -outform PEM -out PrivateKey.pem


To decrypt an encrypted private key (remove the password or passphrase)

Use the OpenSSL rsa command, as in the following example. In the command, replace EncryptedPrivateKey.pem with the name of the file that contains your encrypted private key. Replace PrivateKey.pem with the desired name of the output file to contain the PEM-encoded unencrypted private key. OpenSSL prompts for the passphrase of the encrypted key.

$ openssl rsa -in EncryptedPrivateKey.pem -out PrivateKey.pem


To convert a certificate bundle from PKCS#12 (PFX) to PEM

Use the OpenSSL pkcs12 command, as in the following example. In the command, replace CertificateBundle.p12 with the name of the file that contains your PKCS#12-encoded certificate bundle. Replace CertificateBundle.pem with the desired name of the output file to contain the PEM-encoded certificate bundle. The -nodes option writes the private key to the output file unencrypted, as ACM requires, so restrict access to that file.

$ openssl pkcs12 -in CertificateBundle.p12 -out CertificateBundle.pem -nodes


To convert a certificate bundle from PKCS#7 to PEM

Use the OpenSSL pkcs7 command, as in the following example. In the command, replace CertificateBundle.p7b with the name of the file that contains your PKCS#7-encoded certificate bundle. Replace CertificateBundle.pem with the desired name of the output file to contain the PEM-encoded certificate bundle.

$ openssl pkcs7 -in CertificateBundle.p7b -print_certs -out CertificateBundle.pem
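
The requirements at the top of this page (PEM-encoded input, unencrypted private key) can be checked before import with a short script. The following is an added example, not part of the AWS guide: acm_pem_kind and its result labels are hypothetical names, and treating any unencrypted "PRIVATE KEY" label as a key is an assumption (the guide shows only RSA PRIVATE KEY).

```shell
#!/bin/sh
# Added example (not AWS code): classify a file before importing it into ACM.
# acm_pem_kind is a hypothetical helper. It inspects PEM marker lines only,
# so it never parses, decrypts or prints key material.
# Exit status: 0 = matches the page's examples, 1 = needs work, 2 = unreadable.
acm_pem_kind() {
    f=$1
    [ -r "$f" ] || { echo "unreadable"; return 2; }

    # Encrypted key: PKCS#8 label, or the traditional OpenSSL header line.
    if grep -q -e '^-----BEGIN ENCRYPTED PRIVATE KEY-----' \
               -e '^Proc-Type: 4,ENCRYPTED' "$f"; then
        echo "encrypted-key"; return 1
    fi

    # grep -c exits 1 on a zero count, so keep the status clean for set -e.
    certs=$(grep -c -e '^-----BEGIN CERTIFICATE-----' "$f" || true)
    ends=$(grep -c -e '^-----END CERTIFICATE-----' "$f" || true)
    # Assumption: any unencrypted "... PRIVATE KEY" label counts as a key.
    keys=$(grep -c -e '^-----BEGIN .*PRIVATE KEY-----' "$f" || true)

    if [ "$certs" -ne "$ends" ]; then
        # Markers not on their own lines, or a truncated block.
        echo "malformed"; return 1
    elif [ "$certs" -gt 0 ] && [ "$keys" -gt 0 ]; then
        # Key and certificates in one file; ACM takes them as separate items.
        echo "mixed-bundle"; return 1
    elif [ "$certs" -gt 0 ]; then
        echo "pem-certificates:$certs"; return 0
    elif [ "$keys" -eq 1 ]; then
        echo "pem-key"; return 0
    elif grep -q -e '^-----BEGIN ' "$f"; then
        echo "other-pem"; return 1     # e.g. a PEM-armored PKCS#7 bundle
    fi
    echo "not-pem"; return 1           # binary input such as DER or PKCS#12
}

# Usage (placeholder file names): sh check.sh Certificate.pem PrivateKey.pem
for path in "$@"; do
    printf '%s: %s\n' "$path" "$(acm_pem_kind "$path")"
done
```

A result of encrypted-key, not-pem or other-pem points to one of the conversion commands above; malformed usually means the BEGIN and END markers are not on lines of their own.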