IAM is one of two services in AWS that allow you to manage SSL/TLS certificates, the other being ACM. Why two services? Good question. There are differences between how each integrates with other AWS services, such as Elastic load balancers and Cloudfront. We won’t go into detail on those here, but it’s important to know that you may be required to use either depending on your use case. We have already covered how to upload SSL certificates to ACM so in this guide we’ll go through the same process for IAM.
CLI and Console?
There are two ways to import certificates to IAM; the first is to use the AWS CLI, the second is to upload through the AWS console, albeit in a roundabout way. Unlike ACM, there is no option within the IAM console specifically to upload certificates (this could change), however, this can be done in EC2, which we’ll see later.
To upload a certificate to IAM it must be split in to three parts:
- Server certificate
- Private key (unencrypted)
- Certificate Chain (not required if uploading a self-signed certificate)
Uploading with CLI
To start with you must have the AWS CLI installed and configured on your system. The AWS documentation will show you how to do this on Windows, Linux and MacOS.
Once that is done, navigate to the directory where your certificate files are located in your terminal of choice. Once there run the following command to upload your certificate:
aws iam upload-server-certificate –certificate-name mySSLCertificate –certificate-body file://certificate.pem –certificate-chain file://cert-chain.pem –private-key file://private-key.pem
Make sure the name you choose easily identifies the certificate. Also ensure each file name matches those that you created earlier. Once successfully uploaded you will be able to see the details of the certificate by running the following command:
aws iam list-server-certificates
If you have read our guide on uploading certificates to ACM you will notice that the commands are very similar, though not identical. For example, ACM doesn’t use the certificate-name parameter.
Uploading with the Console
The first method to upload a certificate to IAM through the console is to do so whilst creating a new load balancer. When you specify an HTTPS listener for your load balancer you will be asked to assign a certificate for it. At this point you can either chose from SSL certificates you already have provisioned or upload a new one. As you can see below you have the option to upload directly to IAM from here.
The second method is very similar, but this time we are using a load balancer that is already in place. You can either add a certificate to an existing HTTPS listener, or create a new HTTPS listener and upload the certificate in this process. Below is what you will see when uploading a new certificate to an existing listener.
This is console view when uploading a certificate whilst creating a new HTTPS listener.
As you can see both methods also allow you to upload to ACM. At the time of writing these are the only methods to upload certificates to IAM through the console.