AWS Certificate Manager
User Guide (Version 1.0)

Importing Certificates into AWS Certificate Manager

In addition to requesting SSL/TLS certificates provided by AWS Certificate Manager (ACM), you can import certificates that you obtained outside of AWS. You might do this because you already obtained a certificate from a third-party issuer, or because the certificates provided by ACM do not meet your requirements.

After you import a certificate, you can use it with the AWS services that are integrated with ACM. The certificates that you import work the same as those provided by ACM, with one important exception: ACM does not provide managed renewal for imported certificates.

Important

You are responsible for monitoring the expiration date of your imported certificates and for renewing them before they expire.

The ACM console displays a warning when an imported certificate is nearing its expiration date. To renew an imported certificate, you can obtain a new certificate from your certificate issuer and then import it to ACM. Or, you can request a new certificate from ACM.

All certificates in ACM are regional resources, including the certificates that you import. To use the same certificate with Elastic Load Balancing load balancers in different AWS regions, you must import the certificate into each region where you want to use it. To use a certificate with Amazon CloudFront, you must import it into the US East (N. Virginia) region. For more information, see Supported Regions.

For information about how to import certificates into ACM, see the following topics.

Prerequisites for Importing Certificates

To import a certificate into ACM, you must provide the certificate and its matching private key. When the certificate is not self-signed, you must also provide a certificate chain. (You don't need a certificate chain when importing a self-signed certificate.) Before you import a certificate, ensure that you have all these items and that they meet the following criteria:

  • The certificate must contain a 1024-bit or 2048-bit RSA public key.

  • The certificate must be an SSL/TLS certificate with at least one fully qualified domain name. You cannot import a certificate for code signing, email encryption, or other uses.

  • The certificate must be valid at the time of import. You cannot import a certificate before its validity period begins (the certificate's NotBefore date) or after it expires (the certificate's NotAfter date).

  • The private key must be unencrypted. You cannot import a private key that is protected by a password or passphrase. For help decrypting an encrypted private key, see Troubleshooting.

  • The certificate, private key, and certificate chain must all be PEM-encoded. For help converting these items to PEM format, see Troubleshooting.
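The prerequisites above can be checked locally before you call ImportCertificate, so that a rejected import does not become the first sign that a key is encrypted or does not match the certificate. The following script is an added example and is not part of this guide or of the AWS CLI. It assumes a POSIX shell with OpenSSL 1.1.1 or later and GNU date on PATH; the file names Certificate.pem, PrivateKey.pem and CertificateChain.pem are placeholders, and the example.com material it generates for the dry run is throwaway test data, not a real certificate.

```shell
#!/bin/sh
# acm_preflight.sh: check a certificate, private key and optional chain against
# the ACM import prerequisites before running "aws acm import-certificate".
# Added example, not part of the AWS guide. Assumes a POSIX shell, OpenSSL 1.1.1
# or later and GNU date; file names and example.com hostnames are placeholders.

fail() { echo "FAIL: $*" >&2; return 1; }

# usage: acm_preflight Certificate.pem PrivateKey.pem [CertificateChain.pem]
# Returns 0 when every prerequisite holds, 1 (with a reason on stderr) otherwise.
acm_preflight() {
  cert="$1"; key="$2"; chain="${3:-}"

  # PEM-encoded certificate body holding a single certificate (issuer certificates go in the chain).
  openssl x509 -in "$cert" -inform PEM -noout 2>/dev/null || { fail "certificate is not PEM-encoded"; return 1; }
  [ "$(grep -c -e '-----BEGIN CERTIFICATE-----' "$cert")" -eq 1 ] \
    || { fail "certificate body must contain exactly one certificate"; return 1; }

  # Unencrypted private key: reject the PKCS#8 "ENCRYPTED PRIVATE KEY" and legacy
  # "Proc-Type: 4,ENCRYPTED" headers, then make sure OpenSSL loads the key with no
  # passphrase (an empty -passin keeps the check non-interactive).
  if grep -q 'ENCRYPTED' "$key" || ! openssl pkey -in "$key" -noout -passin pass: 2>/dev/null; then
    fail "private key is encrypted or not PEM-encoded"; return 1
  fi

  # The key must belong to the certificate: compare the public key derived from each.
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey)
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] \
    || { fail "private key does not match the certificate's public key"; return 1; }

  # RSA public key of 1024 or 2048 bits, as the prerequisites require.
  info=$(openssl x509 -in "$cert" -noout -text)
  printf '%s\n' "$info" | grep -q 'Public Key Algorithm: rsaEncryption' || { fail "public key is not RSA"; return 1; }
  bits=$(printf '%s\n' "$info" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
  case "$bits" in
    1024|2048) ;;
    *) fail "RSA key is ${bits:-unknown} bits; expected 1024 or 2048"; return 1 ;;
  esac

  # Validity window: not expired (NotAfter) and already valid (NotBefore; GNU date parses the openssl output).
  openssl x509 -in "$cert" -noout -checkend 0 >/dev/null || { fail "certificate has expired"; return 1; }
  not_before=$(openssl x509 -in "$cert" -noout -startdate | sed 's/^notBefore=//')
  [ "$(date -u -d "$not_before" +%s)" -le "$(date -u +%s)" ] \
    || { fail "certificate is not yet valid (NotBefore is in the future)"; return 1; }

  # At least one fully qualified domain name, from the SAN extension or, failing that, the subject CN.
  names=$(printf '%s\n' "$info" | grep -o 'DNS:[^,[:space:]]*' | sed 's/^DNS://')
  [ -n "$names" ] || names=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 | sed -n 's/.*CN=\([^,]*\).*/\1/p')
  printf '%s\n' "$names" | grep -Eq '^(\*\.)?([A-Za-z0-9-]+\.)+[A-Za-z0-9-]+$' \
    || { fail "no fully qualified domain name in SAN or CN"; return 1; }

  # Optional chain: the certificate must be issued by something in the chain file.
  # -partial_chain lets an intermediate act as the anchor; this is a structural check
  # against the supplied file, not a trust decision against the system store.
  if [ -n "$chain" ]; then
    openssl verify -partial_chain -CAfile "$chain" "$cert" >/dev/null 2>&1 \
      || { fail "certificate does not chain to the supplied certificate chain"; return 1; }
  fi
  echo "OK: $cert meets the ACM import prerequisites"
}

# Constructed sample material for a dry run (throwaway keys, not real certificates):
# a 2048-bit self-signed certificate with SAN entries and its unencrypted key,
# a passphrase-protected copy of that key, and a key belonging to a different certificate.
make_sample_material() {
  dir="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=www.example.com" \
    -addext "subjectAltName=DNS:www.example.com,DNS:example.com" \
    -keyout "$dir/PrivateKey.pem" -out "$dir/Certificate.pem" 2>/dev/null
  openssl pkey -in "$dir/PrivateKey.pem" -aes256 -passout pass:secret -out "$dir/EncryptedPrivateKey.pem"
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=other.example.net" \
    -keyout "$dir/OtherKey.pem" -out "$dir/OtherCertificate.pem" 2>/dev/null
}

# With arguments, check the given files; with none, run the dry run against the sample material.
if [ "$#" -gt 0 ]; then
  acm_preflight "$@"
else
  work=$(mktemp -d)
  make_sample_material "$work"
  for k in PrivateKey EncryptedPrivateKey OtherKey; do
    acm_preflight "$work/Certificate.pem" "$work/$k.pem" || true
  done
  rm -rf "$work"
fi
```

Run it as `sh acm_preflight.sh Certificate.pem PrivateKey.pem CertificateChain.pem` immediately before the import command; with no arguments it exercises the passing case, an encrypted key and a mismatched key against the generated material. The chain check deliberately verifies only against the file you are about to upload, because that is what ACM receives.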

Importing Certificates (AWS Management Console)

To import a certificate to ACM (console)

  1. Open the ACM console at https://console.aws.amazon.com/acm/home.

  2. Choose Import a certificate.

  3. Do the following:

    1. For Certificate body, paste the PEM-encoded certificate to import.

    2. For Certificate private key, paste the PEM-encoded, unencrypted private key that matches the certificate's public key.

    3. (Optional) For Certificate chain, paste the PEM-encoded certificate chain.

  4. Choose Review and import.

  5. Review the information about your certificate, then choose Import.

Importing Certificates (ACM API)

To use the ACM API to import a certificate, send an ImportCertificate request. The following example shows how to do this with the AWS Command Line Interface (AWS CLI). The example assumes the following:

  • The PEM-encoded certificate is stored in a file named Certificate.pem.

  • The PEM-encoded certificate chain is stored in a file named CertificateChain.pem.

  • The PEM-encoded, unencrypted private key is stored in a file named PrivateKey.pem.

To use the following example command, replace these file names with your own. The example is broken across lines with the shell's backslash continuation character so that it can be pasted as shown; you can also type it on one continuous line.

$ aws acm import-certificate --certificate file://Certificate.pem \
                             --certificate-chain file://CertificateChain.pem \
                             --private-key file://PrivateKey.pem

When the preceding command is successful, it returns the Amazon Resource Name (ARN) of the imported certificate.

Troubleshooting

Before you can import a certificate into ACM, you must make sure that the certificate, private key, and certificate chain are all PEM-encoded. You must also ensure that the private key is unencrypted. See the following examples.

Example PEM-encoded certificate

-----BEGIN CERTIFICATE-----
Base64-encoded certificate
-----END CERTIFICATE-----

Example PEM-encoded, unencrypted private key

-----BEGIN RSA PRIVATE KEY-----
Base64-encoded private key
-----END RSA PRIVATE KEY-----

Example PEM-encoded certificate chain

A certificate chain contains one or more certificates. The following example contains three certificates, but your certificate chain might contain more or fewer.

-----BEGIN CERTIFICATE-----
Base64-encoded certificate
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Base64-encoded certificate
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Base64-encoded certificate
-----END CERTIFICATE-----

If these items are not in the right format for importing into ACM, you can use OpenSSL to convert them to the right format.

To convert a certificate or certificate chain from DER to PEM

Use the OpenSSL x509 command, as in the following example. A DER-encoded X.509 file holds a single certificate, so convert each certificate in a chain separately and then concatenate the resulting PEM files in order (your certificate's issuer first, then its issuer, and so on). A DER file that contains several certificates is usually a PKCS#7 bundle; see the PKCS#7 procedure below. In the following example command, replace Certificate.der with the name of the file that contains your DER-encoded certificate. Replace Certificate.pem with the desired name of the output file to contain the PEM-encoded certificate.

$ openssl x509 -inform DER -in Certificate.der -outform PEM -out Certificate.pem


To convert a private key from DER to PEM

Use the OpenSSL rsa command, as in the following example. In the following example command, replace PrivateKey.der with the name of the file that contains your DER-encoded private key. Replace PrivateKey.pem with the desired name of the output file to contain the PEM-encoded private key.

$ openssl rsa -inform DER -in PrivateKey.der -outform PEM -out PrivateKey.pem


To decrypt an encrypted private key (remove the password or passphrase)

Use the OpenSSL rsa command, as in the following example. OpenSSL prompts for the existing passphrase. To use the following example command, replace EncryptedPrivateKey.pem with the name of the file that contains your encrypted private key. Replace PrivateKey.pem with the desired name of the output file to contain the PEM-encoded unencrypted private key. Because that output file holds the key in the clear, restrict its permissions and delete it once the import has succeeded; ACM stores the key for you after import.

$ openssl rsa -in EncryptedPrivateKey.pem -out PrivateKey.pem


To convert a certificate bundle from PKCS#12 (PFX) to PEM

Use the OpenSSL pkcs12 command, as in the following example. In the following example command, replace CertificateBundle.p12 with the name of the file that contains your PKCS#12-encoded certificate bundle. Replace CertificateBundle.pem with the desired name of the output file to contain the PEM-encoded certificate bundle. The -nodes option writes the private key unencrypted, as ACM requires. Note that the output file contains the private key, the certificate, and any CA certificates together, each preceded by Bag Attributes lines; before importing, copy the private key, the end-entity certificate, and the CA certificates into the separate files that ACM expects.

$ openssl pkcs12 -in CertificateBundle.p12 -out CertificateBundle.pem -nodes


To convert a certificate bundle from PKCS#7 to PEM

Use the OpenSSL pkcs7 command, as in the following example. A PKCS#7 bundle contains certificates only, never a private key, so it typically supplies the certificate chain. In the following example command, replace CertificateBundle.p7b with the name of the file that contains your PKCS#7-encoded certificate bundle. Replace CertificateBundle.pem with the desired name of the output file to contain the PEM-encoded certificate bundle. If the bundle is DER-encoded rather than PEM-encoded, add -inform DER. The -print_certs output prefixes each certificate with subject and issuer lines; keep only the BEGIN CERTIFICATE through END CERTIFICATE blocks when you build the chain file.

$ openssl pkcs7 -in CertificateBundle.p7b -print_certs -out CertificateBundle.pem
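The pkcs12 and pkcs7 conversions above each produce one combined file, while ImportCertificate takes the certificate, the private key and the chain as three separate inputs. The following script is an added example, not part of this guide, that performs that split and sanity-checks the result. It assumes a POSIX shell with OpenSSL 1.1.1 or later; the file names, the "secret" passphrase and the example.com names are placeholders. To allow a dry run with no input files, it also builds throwaway PKCS#12 and PKCS#7 bundles from a constructed test CA; those are not real certificates.

```shell
#!/bin/sh
# acm_split_bundle.sh: turn a PKCS#12 (.p12/.pfx) or PKCS#7 (.p7b) bundle into the
# separate PEM files that "aws acm import-certificate" takes: Certificate.pem (one
# end-entity certificate), PrivateKey.pem (unencrypted) and CertificateChain.pem.
# Added example, not part of the AWS guide. Assumes a POSIX shell and OpenSSL 1.1.1
# or later; file names, the "secret" passphrase and example.com names are placeholders.

# Keep only the PEM certificate blocks from stdin, dropping the "Bag Attributes" and
# "subject=/issuer=" lines that the pkcs12 and pkcs7 commands print around them.
pem_certs_only() { awk '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/'; }

# usage: p12_to_acm_inputs CertificateBundle.p12 outdir [passphrase]
p12_to_acm_inputs() {
  p12="$1"; out="$2"; pass="${3:-}"
  # Private key only (-nocerts), written unencrypted (-nodes); the openssl pkey round trip
  # leaves a clean PEM block. Old RC2/3DES bundles may additionally need -legacy on OpenSSL 3.
  openssl pkcs12 -in "$p12" -passin "pass:$pass" -nocerts -nodes 2>/dev/null \
    | openssl pkey -out "$out/PrivateKey.pem" 2>/dev/null || return 1
  # End-entity certificate only: -clcerts selects the certificate paired with the key.
  openssl pkcs12 -in "$p12" -passin "pass:$pass" -clcerts -nokeys 2>/dev/null \
    | pem_certs_only > "$out/Certificate.pem"
  # CA certificates only: intermediates (and possibly the root) become the chain.
  openssl pkcs12 -in "$p12" -passin "pass:$pass" -cacerts -nokeys 2>/dev/null \
    | pem_certs_only > "$out/CertificateChain.pem"
  [ -s "$out/CertificateChain.pem" ] || rm -f "$out/CertificateChain.pem"   # self-signed: no chain needed
  # Sanity checks before handing the files to ACM: exactly one certificate body, and the key matches it.
  [ "$(grep -c -e '-----BEGIN CERTIFICATE-----' "$out/Certificate.pem")" -eq 1 ] || return 1
  [ "$(openssl x509 -in "$out/Certificate.pem" -noout -pubkey)" = "$(openssl pkey -in "$out/PrivateKey.pem" -pubout)" ]
}

# usage: p7b_to_chain CertificateBundle.p7b CertificateChain.pem
# A PKCS#7 bundle carries certificates only, never a private key, so it can supply the chain
# (or the certificate body, if you pull the first block out yourself). PEM and DER are both handled.
p7b_to_chain() {
  if grep -q -e '-----BEGIN PKCS7-----' "$1"; then form=PEM; else form=DER; fi
  openssl pkcs7 -inform "$form" -in "$1" -print_certs | pem_certs_only > "$2"
  [ -s "$2" ]
}

# Constructed test PKI for a dry run (throwaway keys, not real certificates): a CA, a leaf it
# signs, a PKCS#12 bundle of leaf + key + CA, and a PKCS#7 bundle of leaf + CA.
make_sample_bundles() {
  dir="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Example Test CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=www.example.com" \
    -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 30 -out "$dir/leaf.pem" 2>/dev/null
  openssl pkcs12 -export -inkey "$dir/leaf.key" -in "$dir/leaf.pem" -certfile "$dir/ca.pem" \
    -passout pass:secret -out "$dir/CertificateBundle.p12"
  openssl crl2pkcs7 -nocrl -certfile "$dir/leaf.pem" -certfile "$dir/ca.pem" \
    -out "$dir/CertificateBundle.p7b"
}

# With arguments, split the given PKCS#12 bundle; with none, run the dry run on the sample bundles.
if [ "$#" -gt 0 ]; then
  p12_to_acm_inputs "$@"
else
  work=$(mktemp -d); mkdir "$work/out"
  make_sample_bundles "$work"
  p12_to_acm_inputs "$work/CertificateBundle.p12" "$work/out" secret && ls "$work/out"
  p7b_to_chain "$work/CertificateBundle.p7b" "$work/out/FromP7b.pem" \
    && echo "certificates extracted from PKCS#7: $(grep -c -e '-----BEGIN CERTIFICATE-----' "$work/out/FromP7b.pem")"
  rm -rf "$work"
fi
```

Run it as `sh acm_split_bundle.sh CertificateBundle.p12 outdir yourpassphrase`, then point the import command's --certificate, --private-key and --certificate-chain options at the three files in outdir. The functions return non-zero on a wrong passphrase, a bundle with no matching key, or a body that ends up holding more than one certificate, so they can gate the import in a script.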