I received an error message when I tried to import a third-party SSL/TLS certificate into AWS Certificate Manager (ACM). Why can't I import my certificate into ACM?

You can import third-party SSL/TLS certificates, and you can integrate certificates with AWS services. If your certificate meets the Prerequisites for Importing Certificates, but you receive an error message when importing the certificate, see the troubleshooting steps for the following errors:

"You have reached the maximum number of certificates. Delete certificates that are not in use, or contact AWS Support to request an increase."

By default, you can import up to 100 certificates into ACM, but new AWS accounts might start with a lower limit. If you exceed this limit, contact AWS Support to request a limit increase.

If you receive this error message and you haven't exceeded 100 certificates for your account, you might have exceeded the limit for certificates that you can import in a year. By default, you can import twice your account limit per year. For example, if your limit is 100 certificates, you can import up to 200 certificates per year. This includes certificates that you imported and deleted within the last 365 days. If you reach this limit, contact AWS Support to request a limit increase. For more information, see AWS Certificate Manager Limits.

"The certificate field contains more than one certificate. You can specify only one certificate in this field."

If you are importing a certificate, do not upload the complete certificate chain in the Certificate body field. If you receive a certificate bundle, it might contain the server certificate together with the certificate chain from the certificate authority (CA). Separate the bundle into its parts: the server certificate, and the certificate chain with the intermediate and root certificates. The private key is the one created when you generated the certificate signing request (CSR). Convert each file to PEM format and upload them individually to ACM. To convert a certificate bundle to PEM format, see Server Certificates Troubleshooting.

"Unable to validate certificate chain. The certificate chain must start with the immediate signing certificate, followed by any intermediaries in order. The index within the chain of the invalid certificate is: 0"

When importing a certificate into ACM, do not include the server certificate itself in the certificate chain. The certificate chain should contain only the intermediate and root certificates, and it must be in order: start with the intermediate certificates and end with the root certificate.

"Could not validate the certificate with the certificate chain."

If ACM is unable to match the certificate to the certificate chain provided, verify that the certificate chain is associated to your certificate. You might need to contact your certificate provider for further assistance.

"The private key length <key_length> is not supported for key algorithm."

When you create an X.509 certificate or certificate request, you specify the algorithm and the key bit size used to create the public-private key pair. Be sure that your certificate key meets the Prerequisites for Importing Certificates. If your key does not meet the requirements for key size or algorithm, reach out to your certificate provider to re-issue the certificate with a supported key size and algorithm.

"The certificate body/chain provided is not in a valid PEM format," "InternalFailure," or "Unable to parse certificate. Please ensure the certificate is in PEM format."

If the certificate body, private key, or certificate chain is not in the PEM format, or if the certificate file does not contain the appropriate certificate body, you must convert the file. To convert a certificate or certificate chain from DER to a PEM format, see Server Certificates Troubleshooting.

"The private key is not supported."

If you import a certificate into ACM using the AWS Command Line Interface (AWS CLI), you pass the contents of your certificate files (certificate body, private key, and certificate chain) as a string. You must specify the certificate, the certificate chain, and the private key by their file names preceded by file://. For more information, see import-certificate.

Note: Be sure to use the file path "file://key.pem" for your key and "file://certificate.pem" for your certificate. If you don't include the file path, you might receive the following error messages: "The private key is not supported" or "The certificate is not valid."
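As an added example (not part of the original article or of ACM itself), the following Python pre-flight check catches the mistakes behind the bundle, chain-order and PEM-format errors above before you call import-certificate. The PEM bodies are constructed placeholders, and split_bundle assumes the bundle lists the server certificate first, followed by the intermediates and then the root.

```python
import re

# Matches one PEM block, capturing its label and the base64 body between the markers.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.DOTALL)


def parse_pem(text):
    """Return (label, base64 body without whitespace) for every PEM block in text."""
    return [(m.group(1), re.sub(r"\s+", "", m.group(2))) for m in PEM_BLOCK.finditer(text)]


def split_bundle(bundle):
    """Split a CA bundle into the two strings ACM expects: the certificate body
    (first block) and the chain (remaining blocks, intermediates then root)."""
    blocks = [m.group(0) for m in PEM_BLOCK.finditer(bundle)]
    if not blocks:
        raise ValueError("bundle contains no PEM blocks; convert DER to PEM first")
    return blocks[0], "\n".join(blocks[1:])


def preflight(cert_body, private_key, chain=""):
    """Return the problems that would trigger the import errors discussed above."""
    problems = []
    certs = parse_pem(cert_body)
    if not certs:
        problems.append("certificate body is not PEM")
    elif len(certs) > 1:
        problems.append(f"certificate body holds {len(certs)} certificates; upload only the server certificate")
    if any(label != "CERTIFICATE" for label, _ in certs):
        problems.append("certificate body contains a non-certificate PEM block")
    keys = parse_pem(private_key)
    if len(keys) != 1 or not keys[0][0].endswith("PRIVATE KEY"):
        problems.append("private key is not a single PEM private key")
    chain_blocks = parse_pem(chain) if chain.strip() else []
    if chain.strip() and not chain_blocks:
        problems.append("certificate chain is not PEM")
    leaf = certs[0][1] if certs else None
    for index, (label, body) in enumerate(chain_blocks):
        if label != "CERTIFICATE":
            problems.append(f"chain index {index} is not a certificate")
        elif body == leaf:
            problems.append(f"chain index {index} is the server certificate; start the chain with the intermediate")
    return problems


# Constructed placeholders: PEM-shaped text only, not real certificates or keys.
LEAF = "-----BEGIN CERTIFICATE-----\nTEVBRg==\n-----END CERTIFICATE-----"
INTERMEDIATE = "-----BEGIN CERTIFICATE-----\nSU5URVI=\n-----END CERTIFICATE-----"
ROOT = "-----BEGIN CERTIFICATE-----\nUk9PVA==\n-----END CERTIFICATE-----"
KEY = "-----BEGIN RSA PRIVATE KEY-----\nS0VZ\n-----END RSA PRIVATE KEY-----"
```

Run preflight on the three files before passing them to the CLI with file:// paths; an empty list means none of the structural errors above will be triggered, although ACM still validates the signatures and key parameters.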



Published: 2018-05-09