Prerequisites for importing certificates - AWS Certificate Manager

Prerequisites for importing certificates

To import a self-signed SSL/TLS certificate into ACM, you must provide the certificate and its private key. To import a certificate signed by a certificate authority (CA), you must also include the certificate chain. Your certificate must satisfy the following criteria:

  • The certificate must specify a cryptographic algorithm and a key size. ACM supports the following algorithms (API name in parentheses):

    • 1024-bit RSA (RSA_1024)

    • 2048-bit RSA (RSA_2048)

    • 3072-bit RSA (RSA_3072)

    • 4096-bit RSA (RSA_4096)

    • Elliptic Prime Curve 256 bit (EC_prime256v1)

    • Elliptic Prime Curve 384 bit (EC_secp384r1)

    • Elliptic Prime Curve 521 bit (EC_secp521r1)

  • ACM integrated services allow only the algorithms and key sizes that they support to be associated with their resources. For example, CloudFront supports 1024-bit RSA, 2048-bit RSA, and Elliptic Prime Curve 256-bit keys only, while Application Load Balancer supports all of the algorithms available from ACM. For more information, see the documentation for the service you are using.

  • The certificate must be an SSL/TLS X.509 version 3 certificate. It must contain a public key, the fully qualified domain name (FQDN) or IP address for your website, and information about the issuer. The certificate can be self-signed by your private key or by the private key of an issuing CA. If your certificate is signed by a CA, you must include the certificate chain when you import your certificate.

  • The certificate must be valid at the time of import. You cannot import a certificate before its validity period begins or after it expires. The NotBefore certificate field contains the validity start date, and the NotAfter field contains the end date.

  • The private key must be unencrypted. You cannot import a private key that is protected by a password or passphrase.

  • The private key of an imported certificate must be no larger than 5 KB (5,120 bytes).

  • The certificate, private key, and certificate chain must be PEM-encoded. For more information and examples, see Certificate and key format for importing.

  • The cryptographic algorithm of an imported certificate must match the algorithm of the signing CA. For example, if the signing CA key type is RSA, then the certificate key type must also be RSA.

  • When you reimport a certificate, you cannot add the KeyUsage extension if it was not present in the previously imported certificate.

  • When you reimport a certificate, you cannot add the ExtendedKeyUsage extension if it was not present in the previously imported certificate.
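The following script is an added example, not AWS's code, that checks a certificate and key against the criteria above before you call ACM: PEM encoding, X.509 v3, the validity window, an unencrypted key under 5,120 bytes, a supported algorithm and key size, and that the key actually belongs to the certificate. It assumes openssl and GNU date are installed and generates a throwaway self-signed RSA-2048 pair as constructed test input.

```bash
#!/usr/bin/env bash
# Pre-import checks for ACM (added example; assumes openssl and GNU date).
set -u

# Map the certificate's public key to the ACM API algorithm name, or UNSUPPORTED.
acm_key_algorithm() {                               # usage: acm_key_algorithm CERT.pem
  local text alg bits curve
  text=$(openssl x509 -in "$1" -noout -text)
  alg=$(printf '%s\n' "$text" | sed -n 's/.*Public Key Algorithm: //p' | head -n1)
  case "$alg" in
    rsaEncryption)
      bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit.*/\1/p' | head -n1)
      case "$bits" in 1024|2048|3072|4096) echo "RSA_$bits" ;; *) echo UNSUPPORTED ;; esac ;;
    id-ecPublicKey)
      curve=$(printf '%s\n' "$text" | sed -n 's/.*ASN1 OID: //p' | head -n1)
      case "$curve" in prime256v1|secp384r1|secp521r1) echo "EC_$curve" ;; *) echo UNSUPPORTED ;; esac ;;
    *) echo UNSUPPORTED ;;
  esac
}

# Print one line per failed criterion; return 0 only if every check passes.
acm_precheck() {                                    # usage: acm_precheck CERT.pem KEY.pem
  local cert=$1 key=$2 fail=0 now nb na bytes
  grep -q -- '-----BEGIN CERTIFICATE-----' "$cert" || { echo "FAIL: certificate is not PEM"; fail=1; }
  grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$key" || { echo "FAIL: private key is not PEM"; fail=1; }
  bytes=$(wc -c < "$key")
  [ "$bytes" -le 5120 ] || { echo "FAIL: private key is $bytes bytes, limit is 5120"; fail=1; }
  openssl x509 -in "$cert" -noout -text | grep -q 'Version: 3' || { echo "FAIL: not X.509 v3"; fail=1; }
  # Validity window: NotBefore <= now <= NotAfter, compared as epoch seconds (GNU date -d).
  now=$(date +%s)
  nb=$(date -d "$(openssl x509 -in "$cert" -noout -startdate | cut -d= -f2)" +%s)
  na=$(date -d "$(openssl x509 -in "$cert" -noout -enddate | cut -d= -f2)" +%s)
  [ "$now" -ge "$nb" ] || { echo "FAIL: certificate not yet valid (NotBefore is in the future)"; fail=1; }
  [ "$now" -le "$na" ] || { echo "FAIL: certificate expired (NotAfter is in the past)"; fail=1; }
  [ "$(acm_key_algorithm "$cert")" != UNSUPPORTED ] || { echo "FAIL: key algorithm or size not supported"; fail=1; }
  # Encrypted keys (PKCS#8 "ENCRYPTED PRIVATE KEY" or legacy "Proc-Type: 4,ENCRYPTED") are rejected;
  # for an unencrypted key, also confirm it matches the certificate's public key.
  if grep -q ENCRYPTED "$key"; then
    echo "FAIL: private key is passphrase-protected"; fail=1
  elif [ "$(openssl x509 -in "$cert" -noout -pubkey)" != "$(openssl pkey -in "$key" -pubout)" ]; then
    echo "FAIL: private key does not match certificate"; fail=1
  fi
  return "$fail"
}

# Constructed test input: a one-day self-signed RSA-2048 certificate and its unencrypted key.
TMPD=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=example.test' \
  -keyout "$TMPD/key.pem" -out "$TMPD/cert.pem" 2>/dev/null
acm_precheck "$TMPD/cert.pem" "$TMPD/key.pem" && echo "OK: $(acm_key_algorithm "$TMPD/cert.pem") is importable"
```

Run it against your real files with `acm_precheck cert.pem key.pem`; remember that ACM-integrated services (CloudFront, for example) may accept fewer algorithms than ACM itself.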