How can I upload and import an SSL certificate to AWS Identity and Access Management (IAM)?

Last updated: 2021-09-23


Short description

It's a best practice that you upload SSL certificates to AWS Certificate Manager (ACM). If you're using certificate algorithms and key sizes that aren't currently supported by ACM or the associated AWS resources, then you can also upload an SSL certificate to IAM using AWS Command Line Interface (AWS CLI).

Before you can import an SSL certificate to IAM:

  • The certificate must be valid at the time of upload. You can't upload a certificate before its validity period begins or after it expires.
  • The certificate, private key, and the certificate chain must be PEM-encoded. For more information, see the Example PEM-encoded certificate chain section in Working with server certificates.

After you confirm that your certificate meets these criteria, be sure that the certificate chain is in the correct order, and then upload the certificate.


Confirm that the certificate chain is in the correct order

Note: If you receive errors when running AWS CLI commands, make sure that you’re using the most recent version of the AWS CLI.

The certificate chain must begin with the intermediate certificate that signed your server certificate (the immediate signing certificate issued by your certificate authority (CA)), continue with any further intermediate certificates in signing order, and end with the root certificate of your CA. The root itself is optional, but every certificate between your server certificate and the root must be present and in order. The server certificate itself doesn't belong in the chain file; it goes in the --certificate-body file.

Note: If the certificate chain isn't in the correct order, you can receive the following error message: "An error occurred (MalformedCertificate) when calling the UploadServerCertificate operation: Unable to validate certificate chain. The certificate chain must start with the immediate signing certificate, followed by any intermediaries in order. The index within the chain of the non-valid certificate is: -1"

The PEM-encoded certificate chain must begin with "-----BEGIN CERTIFICATE-----" and end with "-----END CERTIFICATE-----", with each certificate in the chain framed the same way, similar to the following:

-----BEGIN CERTIFICATE-----
Base64-encoded intermediate certificate that signed your server certificate
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Base64-encoded next intermediate certificate (the one that signed the certificate above), if any
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Optional: Base64-encoded root certificate
-----END CERTIFICATE-----

Note: Be sure that the certificate, chain, and private key files have no leading or trailing spaces or blank lines.

Upload the certificate

Upload the certificate by running the following command:

$ aws iam upload-server-certificate --server-certificate-name ExampleCertificate --certificate-body file://Certificate.pem --certificate-chain file://CertificateChain.pem --private-key file://PrivateKey.pem

Note: Replace the file names and ExampleCertificate with the names for your uploaded files and certificate. For more information, see upload-server-certificate.

After the certificate is uploaded, the command returns metadata about the uploaded certificate, including the certificate's Amazon Resource Name (ARN), friendly name, identifier (ID), and expiration date. You can view the uploaded certificate by running the following command:

$ aws iam list-server-certificates

Note: If you upload a server certificate to be used with Amazon CloudFront, you must specify a path using --path. The path must begin with /cloudfront and the path must include a trailing slash, for example, /cloudfront/test/. For more information, see How can I troubleshoot issues with using a custom SSL certificate for my CloudFront distribution?
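As an added example (not part of this article and not AWS code), the following Python script performs the checks above offline before the AWS CLI is called: it splits each PEM file into certificates, reads each certificate's issuer, subject, and validity window directly from the DER, confirms that every chain entry is the issuer of the certificate before it, rejects stray whitespace, checks that the certificate is valid at upload time, and builds the upload-server-certificate command with the CloudFront --path rule from the note above. The file names, the CN values, and the sample bundle are hypothetical; the fixtures are constructed, unsigned certificate skeletons that carry only the fields the checks read, not real certificates. The DER parser itself reads the standard tbsCertificate field order, so it works on real certificates too.

```python
"""Pre-upload checks for an IAM server certificate bundle (added example, not AWS code).
Reads just enough DER to get each certificate's issuer, subject and validity window so the
checks in the article (PEM framing, no stray whitespace, valid now, chain order) run locally."""
import base64
import re
from datetime import datetime, timezone
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

def _tlv(buf, off):
    """Read one DER tag-length-value at off; return (tag, value, next offset)."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                                 # long-form length (real certs use it)
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, buf[off:off + length], off + length

def _asn1_time(tag, raw):
    s = raw.decode("ascii")
    if tag == 0x17:                                   # UTCTime: two-digit year, pivot at 50 (RFC 5280)
        yy = int(s[:2])
        s = f"{1900 + yy if yy >= 50 else 2000 + yy}{s[2:]}"
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def parse_cert(der):
    """Return issuer/subject (raw DER Name bytes) and the validity window of one certificate."""
    _, cert, _ = _tlv(der, 0)                         # Certificate ::= SEQUENCE
    _, tbs, _ = _tlv(cert, 0)                         # tbsCertificate
    tag, _, off = _tlv(tbs, 0)
    off = off if tag == 0xA0 else 0                   # optional EXPLICIT [0] version
    _, _, off = _tlv(tbs, off)                        # serialNumber
    _, _, off = _tlv(tbs, off)                        # signature AlgorithmIdentifier
    _, issuer, off = _tlv(tbs, off)
    _, validity, off = _tlv(tbs, off)
    _, subject, _ = _tlv(tbs, off)
    t1, nb, n = _tlv(validity, 0)
    t2, na, _ = _tlv(validity, n)
    return {"issuer": issuer, "subject": subject,
            "not_before": _asn1_time(t1, nb), "not_after": _asn1_time(t2, na)}

def pem_to_ders(text):
    """Split a PEM file into DER blobs in file order; reject leading/trailing whitespace."""
    if text.rstrip("\n") != text.strip():
        raise ValueError("leading or trailing whitespace around the PEM data")
    return [base64.b64decode(b) for b in PEM_RE.findall(text)]

def check_bundle(cert_pem, chain_pem, now=None):
    """Return a list of problems; an empty list means the bundle is ready to upload."""
    now = now or datetime.now(timezone.utc)
    try:
        leaf_ders, chain_ders = pem_to_ders(cert_pem), pem_to_ders(chain_pem)
    except ValueError as exc:
        return [str(exc)]
    if len(leaf_ders) != 1:
        return [f"--certificate-body must hold exactly one certificate, found {len(leaf_ders)}"]
    leaf, problems = parse_cert(leaf_ders[0]), []
    if not leaf["not_before"] <= now <= leaf["not_after"]:
        problems.append("certificate is not valid at upload time")
    prev = leaf                                       # each chain entry must have signed the one before it
    for i, der in enumerate(chain_ders):
        cur = parse_cert(der)
        if cur["subject"] != prev["issuer"]:
            problems.append(f"chain entry {i} is not the issuer of the certificate before it")
        prev = cur
    return problems

def upload_argv(name, cert, chain, key, cloudfront_path=None):
    """Build the upload-server-certificate command; enforce the CloudFront --path rule."""
    argv = ["aws", "iam", "upload-server-certificate", "--server-certificate-name", name,
            "--certificate-body", f"file://{cert}", "--certificate-chain", f"file://{chain}",
            "--private-key", f"file://{key}"]
    if cloudfront_path is not None:
        if not (cloudfront_path.startswith("/cloudfront/") and cloudfront_path.endswith("/")):
            raise ValueError("CloudFront path must start with /cloudfront and end with a slash")
        argv += ["--path", cloudfront_path]
    return argv

def _der(tag, payload):                               # minimal DER encoder, only for the fixtures below
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload

def fake_cert_pem(subject_cn, issuer_cn, not_before="240101000000Z", not_after="300101000000Z"):
    """Constructed fixture: an unsigned certificate skeleton with only the fields parse_cert reads."""
    name = lambda cn: _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn.encode()))))
    alg = _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + _der(0x05, b""))  # sha256WithRSA
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + alg + name(issuer_cn)
               + _der(0x30, _der(0x17, not_before.encode()) + _der(0x17, not_after.encode())) + name(subject_cn))
    body = base64.encodebytes(_der(0x30, tbs + alg + _der(0x03, b"\x00"))).decode()
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"

# Constructed sample bundle with hypothetical names: leaf <- intermediate <- root
LEAF = fake_cert_pem("www.example.com", "Example Intermediate CA")
INTERMEDIATE = fake_cert_pem("Example Intermediate CA", "Example Root CA")
ROOT = fake_cert_pem("Example Root CA", "Example Root CA")
GOOD_CHAIN = INTERMEDIATE + ROOT                      # signer first, root last (the root is optional)
SAMPLE_NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)
```

To use it on real files, pass the contents of Certificate.pem and CertificateChain.pem to check_bundle() and, only if it returns an empty list, hand upload_argv(...) to subprocess.run(). Swapping INTERMEDIATE and ROOT in the sample chain reproduces the "chain not in order" situation the MalformedCertificate error describes: the first chain entry is no longer the issuer of the server certificate. On a host with OpenSSL, running openssl x509 -noout -subject -issuer on each block of the chain shows the same subject/issuer pairing by eye.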
