Amazon Certificate Manager (ACM) is a service that allows you to easily provision, manage, and deploy SSL/TLS certificates on AWS-managed resources. You can either request a certificate directly from Amazon or upload a third-party certificate, including a self-signed one. In this guide we'll show you how to import a third-party SSL certificate into ACM from Windows.
Preparing the Certificate
There are some prerequisites when uploading an SSL certificate to AWS, whether to Certificate Manager or to IAM.
The certificate must be in three parts:
- Server certificate
- Private key (unencrypted)
- Certificate Chain (not required if uploading a self-signed certificate)
You will most likely be required to split these out from a certificate bundle. Below is an example of how to do this with a PKCS#12 (pfx) bundle.
Firstly, you will need to install OpenSSL on your system. For Windows, you can install it from here; 32-bit and 64-bit builds are available.
Once installed, you can add an environment variable to Windows to make it easier to use openssl in CMD or PowerShell terminals. You will just need to add the following to PATH: C:\Program Files\OpenSSL-Win64\bin (note that this is for the 64-bit installation; the value will differ for 32-bit). Once you have done that, you can proceed to splitting up the certificate bundle.
To do so, navigate to the directory containing the certificate bundle in either CMD or PowerShell (for our example the bundle is named certificate.pfx). Run the following openssl commands in the order shown below to extract each part of the bundle:
Extracting the private key
openssl pkcs12 -in [certificate.pfx] -nocerts -out [keyfile-encrypted.key]
Extracting the private key into PEM format
openssl rsa -in [keyfile-encrypted.key] -outform PEM -out [keyfile-encrypted-pem.key]
Extracting an unencrypted private key
openssl rsa -in [keyfile-encrypted.key] -out [private-key.pem]
Extracting the certificate
openssl pkcs12 -in [certificate.pfx] -clcerts -nokeys -out [certificate.pem]
N.B. You should be asked for a password at this point.
Extracting the certificate chain
openssl pkcs12 -in [certificate.pfx] -cacerts -nokeys -out [cert-chain.pem]
You will now have the three individual PEM-encoded files that are required to upload the certificate to ACM: certificate.pem, private-key.pem and cert-chain.pem. Below you can see an example of each of these.
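Before pasting or uploading anything, it is worth confirming that the three files really are what ACM expects: an unencrypted key, a certificate that belongs to that key, and a chain that actually leads to the certificate's issuer. The PowerShell script below is an added example and not part of the original guide; it assumes openssl.exe is on PATH as set up above, OpenSSL 1.0.2 or newer (for -partial_chain), and the file names used in this guide. The parameter names and the script itself are this example's own.

```powershell
# Added example, not part of the original guide: sanity-check the three PEM files
# before uploading them to ACM. Assumes openssl.exe is on PATH (see the PATH note
# above), OpenSSL 1.0.2 or newer, and the file names used in this guide.
param(
    [string]$CertFile  = "certificate.pem",
    [string]$KeyFile   = "private-key.pem",
    [string]$ChainFile = "cert-chain.pem"   # may be absent for a self-signed certificate
)

foreach ($f in @($CertFile, $KeyFile)) {
    if (-not (Test-Path $f)) { throw "Missing file: $f" }
}

# 1. ACM only accepts an unencrypted private key. An encrypted legacy PEM key
#    carries a "Proc-Type: 4,ENCRYPTED" header and an encrypted PKCS#8 key is
#    labelled "BEGIN ENCRYPTED PRIVATE KEY"; both contain the word ENCRYPTED.
if ((Get-Content -Raw $KeyFile) -match "ENCRYPTED") {
    throw "$KeyFile is still encrypted; re-run the 'openssl rsa -in ... -out private-key.pem' step."
}

# 2. The key must belong to the certificate. Comparing the exported public keys
#    works for RSA and EC keys alike, unlike the older RSA-modulus comparison.
$pubFromCert = (& openssl x509 -in $CertFile -noout -pubkey) -join "`n"
if ($LASTEXITCODE -ne 0) { throw "$CertFile is not a readable PEM certificate." }
$pubFromKey = (& openssl pkey -in $KeyFile -pubout) -join "`n"
if ($LASTEXITCODE -ne 0) { throw "$KeyFile is not a readable PEM private key." }
if ($pubFromCert -ne $pubFromKey) {
    throw "The public key in $CertFile does not match $KeyFile."
}

# 3. The chain must lead from the certificate to its issuer(s). -partial_chain
#    lets an intermediate in cert-chain.pem act as the trust anchor, which is
#    what matters here: ACM needs the issuers, not necessarily the root.
if (Test-Path $ChainFile) {
    & openssl verify -partial_chain -CAfile $ChainFile $CertFile | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "$ChainFile does not validate $CertFile." }
} else {
    # Omitting the chain is only acceptable for a self-signed certificate; confirm that.
    & openssl verify -CAfile $CertFile $CertFile | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "No $ChainFile found and $CertFile is not self-signed." }
}

# 4. Show what is about to be uploaded so the subject and validity can be eyeballed.
& openssl x509 -in $CertFile -noout -subject -issuer -dates
Write-Host "Pre-upload checks passed for $CertFile."
```

Save it as, say, Test-AcmPem.ps1 (an assumed name) next to the PEM files and run it from the same PowerShell prompt you used for the openssl commands. A failure in step 1 is the most common one: it means the openssl rsa step that strips the passphrase was skipped, and ACM will reject the key with the same complaint.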
Upload the Certificate
We are now ready to upload our third-party SSL certificate to ACM. This can be done in the ACM console or with the AWS CLI and we will cover both methods.
To upload the certificate through the console you will first need to open each of your PEM-encoded files in a text editor. From there, simply copy the body of each file into the appropriate field in the console, which you can see below.
Finally, review the details of the certificate and upload.
Command Line (CLI)
Firstly, you must have the AWS CLI installed and configured on your system. The AWS documentation will show you how to do this on Windows, Linux and macOS.
In CMD or PowerShell navigate to the directory where your PEM files are located. Once there, you need to run the following command:
aws acm import-certificate --certificate file://certificate.pem --certificate-chain file://cert-chain.pem --private-key file://private-key.pem
Ensure each file name matches those that you created earlier. Once the upload has succeeded, you will be able to see the details of the certificate by running the following command:
aws acm list-certificates
You will also be able to see the details of this certificate in the ACM console.
This certificate will now be available to use with the AWS services that are integrated with ACM.
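The CLI import above can be wrapped in a short script that records the certificate ARN, confirms how ACM classifies the import, and cleans up the plaintext key once it is no longer needed on disk. The PowerShell script below is an added example and not part of the original guide or of the AWS CLI itself; it assumes a configured AWS CLI and the file names used in this guide, and the region value is a placeholder you must replace. One caveat it builds in: version 2 of the AWS CLI treats file:// input to blob parameters as base64 by default, so the fileb:// form is used, which works with both CLI versions.

```powershell
# Added example, not part of the original guide: import the PEM files with the
# AWS CLI, keep the ARN, confirm ACM's view of the certificate and delete the
# plaintext key afterwards. Assumes a configured AWS CLI and the file names used
# in this guide; the region value is a placeholder.
param(
    [string]$Region    = "REGION-PLACEHOLDER",   # replace with the region of the ELB/CloudFront target
    [string]$CertFile  = "certificate.pem",
    [string]$KeyFile   = "private-key.pem",
    [string]$ChainFile = "cert-chain.pem"
)

# fileb:// hands the raw PEM bytes to the API. AWS CLI v2 treats file:// blob
# input as base64 by default, so the file:// form in the guide only works with
# CLI v1 (or with cli_binary_format=raw-in-base64-out configured for v2).
$cliArgs = @(
    "acm", "import-certificate",
    "--region", $Region,
    "--certificate", "fileb://$CertFile",
    "--private-key", "fileb://$KeyFile",
    "--output", "json"
)
if (Test-Path $ChainFile) {
    $cliArgs += @("--certificate-chain", "fileb://$ChainFile")
}

$raw = & aws @cliArgs
if ($LASTEXITCODE -ne 0) { throw "aws acm import-certificate failed (exit code $LASTEXITCODE)." }
$arn = (($raw -join "`n") | ConvertFrom-Json).CertificateArn
Write-Host "Imported certificate: $arn"

# Imported certificates are never renewed by ACM, so record the expiry now and
# check that Type reads IMPORTED and Status reads ISSUED before attaching it anywhere.
$raw = & aws acm describe-certificate --region $Region --certificate-arn $arn --output json
if ($LASTEXITCODE -ne 0) { throw "aws acm describe-certificate failed (exit code $LASTEXITCODE)." }
$cert = (($raw -join "`n") | ConvertFrom-Json).Certificate
"{0}  type={1}  status={2}  expires={3}" -f $cert.DomainName, $cert.Type, $cert.Status, $cert.NotAfter

# ACM now holds the key; the unencrypted copy on disk is only a liability.
Remove-Item $KeyFile -Force
Write-Host "Removed $KeyFile from disk."
```

Run it from the directory holding the PEM files, for example .\Import-AcmCert.ps1 -Region eu-west-1 (the script name is assumed). The expiry it prints is the date you have to track yourself, since ACM will not renew an imported certificate; the intermediate key files produced during the openssl steps deserve the same cleanup once the import has succeeded.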