Troubleshoot Certificate Import Problems

You can import third-party certificates into ACM and associate them with integrated services. If you encounter problems, review the prerequisites and certificate format topics. In particular, note the following:

You can import only X.509 version 3 SSL/TLS certificates.
Your certificate can be self–signed or it can be signed by a certificate authority (CA).
If your certificate is signed by a CA, you must include an intermediate certificate chain that provides a path to the root of authority.
If your certificate is self-signed, you may need to include an intermediate certificate chain, and you must include the secret key.
Each certificate in the chain must directly certify the one preceding.
Do not include your end-entity certificate in the intermediate certificate chain.
Your certificate, certificate chain, and private key (if any) must be PEM–encoded.
Your private key (if any) must not be encrypted.
Services integrated with ACM must use ACM-supported algorithms and key sizes. See the AWS Certificate Manager User Guide and the documentation for each service to make sure that your certificate will work.
Certificate support by integrated services might differ depending on whether the certificate is imported into IAM or into ACM.
The certificate must be valid when it is imported.
Detail information for all of your certificates is displayed in the console. By default, however, if you call the ListCertificates API or the list-certificates AWS CLI command without specifying the keyTypes filter, only RSA_1024 or RSA_2048 certificates are displayed.

Warning Javascript is disabled or is unavailable in your browser.

To use the AWS Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Troubleshooting Other Problems

Certificate Pinning