Amazon API Gateway
Developer Guide

Get Certificates Ready in AWS Certificate Manager

Before setting up a custom domain name for an API, you must have an SSL/TLS certificate ready in AWS Certificate Manager. The following steps describe how to get this done. For more information, see the AWS Certificate Manager User Guide.


To use an ACM Certificate with an API Gateway edge-optimized custom domain name, you must request or import the certificate in the US East (N. Virginia) (us-east-1) Region. For an API Gateway regional custom domain name, you must request or import the certificate in the same region as your API.

To get a certificate for a given domain name issued by or imported into ACM

  1. Register your Internet domain; e.g., You can use either Amazon Route 53 or a third-party accredited domain registrar. For a list of such registrar, see Accredited Registrar Directory at the ICANN website.

  2. To create in or import into ACM an SSL/TLS certificate for a domain name, do one of the following:

    To request a certificate provided by ACM for a domain name

    1. Sign in to the AWS Certificate Manager console.

    2. Choose Request a certificate.

    3. Type a custom domain name for your API; e.g.,, in Domain name.

    4. Optionally, choose Add another name to this certificate.

    5. Choose Review and request.

    6. Choose Confirm and request.

    7. For a valid request, a registered owner of the Internet domain must consent to the request before ACM issues the certificate.

    To import into ACM a certificate for a domain name

    1. Get a PEM-encoded SSL/TLS certificate for your custom domain name from a certificate authority. For a partial list of such CAs, see the Mozilla Included CA List

      1. Generate a private key for the certificate and save the output to a file, using the OpenSSL toolkit at the OpenSSL website:

        openssl genrsa -out private-key-file 2048


        Amazon API Gateway leverages Amazon CloudFront to support certificates for custom domain names. As such, the requirements and constraints of a custom domain name SSL/TLS certificate are dictated by CloudFront. For example, the maximum size of the public key is 2048 and the private key size can be 1024, 2048, and 4096. The public key size is determined by the certificate authority you use. Ask your certificate authority to return keys of a size different from the default length. For more information, see Secure access to your objects and Create signed URLs and signed cookies.

      2. Generate a certificate signing request (CSR) with the previously generated private key, using OpenSSL:

        openssl req -new -sha256 -key private-key-file -out CSR-file
      3. Submit the CSR to the certificate authority and save the resulting certificate.

      4. Download the certificate chain from the certificate authority.


      If you obtain the private key in another way and the key is encrypted, you can use the following command to decrypt the key before submitting it to API Gateway for setting up a custom domain name.

      openssl pkcs8 -topk8 -inform pem -in MyEncryptedKey.pem -outform pem -nocrypt -out MyDecryptedKey.pem
    2. Upload the certificate to AWS Certificate Manager:

      1. Sign in to the AWS Certificate Manager console.

      2. Choose Import a certificate.

      3. For Certificate body, type or paste the body of the PEM-formatted server certificate from your certificate authority. The following shows an abbreviated example of such a certificate.

      4. For Certificate private key, type or paste your PEM-formatted certificate's private key. The following shows an abbreviated example of such a key.

      5. For Certificate chain, type or paste the PEM-formatted intermediate certificates and, optionally, the root certificate, one after the other without any blank lines. If you include the root certificate, your certificate chain must start with intermediate certificates and end with the root certificate. Use the intermediate certificates provided by your certificate authority. Do not include any intermediaries that are not in the chain of trust path. The following shows an abbreviated example.

        -----BEGIN CERTIFICATE----- EXAMPLECA4ugAwIBAgIQWrYdrB5NogYUx1U9Pamy3DANBgkqhkiG9w0BAQUFADCB ... 8/ifBlIK3se2e4/hEfcEejX/arxbx1BJCHBvlEPNnsdw8EXAMPLE -----END CERTIFICATE-----

        Here is another example.

        -----BEGIN CERTIFICATE----- Intermediate certificate 2 -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- Intermediate certificate 1 -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- Optional: Root certificate -----END CERTIFICATE-----
      6. Choose Review and import.

  3. After the certificate is successfully created or imported, make note of the certificate ARN. You need it when setting up the custom domain name, next.