AWS Certificate Manager
User Guide (Version 1.0)

Troubleshoot Certificate Importing Problems

You can import third-party certificates into ACM and associate them with integrated services. If you encounter problems, review the prerequisites and certificate format topics. In particular, note the following:

  • You can import only X.509 version 3 SSL/TLS certificates.

  • Your certificate can be self-signed or it can be signed by a certificate authority (CA).

  • If your certificate is signed by a CA, you must include a certificate chain that chains up to the root of authority.

  • Do not include your certificate in the certificate chain.

  • Each certificate in the chain must directly certify the one preceding it.

  • Your certificate, private key, and certificate chain must be PEM-encoded.

  • Your private key must not be encrypted.

  • Services integrated with ACM allow only algorithms and key sizes they support to be associated with their resources. Support can change. See the documentation for each service to make sure your certificate will work.

  • Certificate support by integrated services might differ depending on whether the certificate is imported into IAM or into ACM.

  • The certificate must be valid when it is imported.

  • Detailed information for all of your certificates is displayed in the console. By default, however, if you call the ListCertificates API or the list-certificates AWS CLI command without specifying the keyTypes filter, only RSA_1024 or RSA_2048 certificates are displayed.
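
Several of the structural rules in the list above (PEM encoding, X.509 version 3, an unencrypted private key, and a chain that does not contain the certificate itself) can be checked locally before attempting an import. The following is an added example, not AWS code: the names `pem_blocks`, `x509_version` and `preflight` are hypothetical, and because it uses only the Python standard library it does not verify signatures between chain certificates or validity dates.

```python
import base64
import re

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL)

def pem_blocks(text):
    """Return [(label, header_lines, der_bytes)] for each PEM block in text."""
    blocks = []
    for label, body in PEM_BLOCK.findall(text):
        lines = [ln.strip() for ln in body.splitlines() if ln.strip()]
        headers = [ln for ln in lines if ":" in ln]  # legacy headers such as Proc-Type
        b64 = "".join(ln for ln in lines if ":" not in ln)
        blocks.append((label, headers, base64.b64decode(b64, validate=True)))
    return blocks

def x509_version(der):
    """Read the version (1, 2 or 3) from a DER certificate, standard library only."""
    def header(pos):  # returns (tag, offset of content, content length)
        tag, length, pos = der[pos], der[pos + 1], pos + 2
        if length & 0x80:  # long-form length: low 7 bits give the byte count
            n = length & 0x7F
            length, pos = int.from_bytes(der[pos:pos + n], "big"), pos + n
        return tag, pos, length
    _, pos, _ = header(0)            # Certificate SEQUENCE
    _, pos, _ = header(pos)          # tbsCertificate SEQUENCE
    tag, pos, _ = header(pos)        # [0] EXPLICIT version, absent for v1
    if tag != 0xA0:
        return 1
    _, pos, length = header(pos)     # INTEGER: 0 = v1, 2 = v3
    return int.from_bytes(der[pos:pos + length], "big") + 1

def preflight(cert_pem, key_pem, chain_pem=""):
    """Return the import problems found; an empty list means none of these checks failed."""
    try:
        certs, keys, chain = pem_blocks(cert_pem), pem_blocks(key_pem), pem_blocks(chain_pem)
        if len(certs) != 1 or certs[0][0] != "CERTIFICATE":
            return ["certificate body must be exactly one PEM CERTIFICATE block"]
        leaf = certs[0][2]
        problems = [] if x509_version(leaf) == 3 else ["certificate is not X.509 version 3"]
    except (ValueError, IndexError):
        return ["input is not well-formed PEM/DER"]
    if len(keys) != 1 or not keys[0][0].endswith("PRIVATE KEY"):
        problems.append("private key must be exactly one PEM private key block")
    elif keys[0][0].startswith("ENCRYPTED") or any("ENCRYPTED" in h for h in keys[0][1]):
        problems.append("private key is encrypted")
    if any(der == leaf for _, _, der in chain):
        problems.append("chain includes the certificate itself")
    return problems
```

Pass the text of the certificate, private key and chain files as the three arguments. Both the PKCS #8 form (`ENCRYPTED PRIVATE KEY`) and the legacy `Proc-Type: 4,ENCRYPTED` header are reported as an encrypted key.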