How can I import a third-party issued TLS/SSL certificate to ACM?

Last updated: 2022-06-24

I want to import a third-party issued TLS/SSL certificate into AWS Certificate Manager (ACM).

Resolution

To import a third-party issued TLS/SSL certificate into ACM, you must provide the certificate, its private key, and the certificate chain. The certificate and key must also meet the prerequisites for importing certificates (for example, the key must be unencrypted and the public key in the certificate must match the private key).

Each of the following three inputs must be supplied as a PEM-encoded file in a format similar to the examples below:

PEM–encoded certificate:

-----BEGIN CERTIFICATE-----
Base64–encoded certificate
-----END CERTIFICATE-----

PEM–encoded certificate chain (this example shows a chain with two subordinate / intermediate CAs; the order matters: the CA that signed your certificate comes first, and the Root CA is the last entry):

-----BEGIN CERTIFICATE-----
Base64–encoded certificate of SubordinateCA2
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Base64–encoded certificate of SubordinateCA1
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Base64–encoded certificate of Root CA
-----END CERTIFICATE-----

PEM–encoded private key (unencrypted; this example is an RSA key in the traditional format, and ACM also accepts the PKCS#8 "BEGIN PRIVATE KEY" and "BEGIN EC PRIVATE KEY" headers):

-----BEGIN RSA PRIVATE KEY-----
Base64–encoded private key
-----END RSA PRIVATE KEY-----

For more information and examples, see Certificate and key format for importing.

Convert the certificate bundle from PKCS#12 (PFX) to PEM using OpenSSL

1.    Copy the PFX or P12 file to the same location as your OpenSSL tool, or specify the location in the command line.

2.    Enter the following OpenSSL command and replace PKCS12file with your certificate file:

$openssl pkcs12 -in PKCS12file -out Cert_Chain_Key.txt

You receive prompts similar to the following:

Enter Import Password:(this is the password that was used when the PKCS12 file was created)

Enter PEM pass phrase:(this is the private key password)

Verifying - Enter PEM pass phrase: (confirm the private key password)

3.    Enter the required password and pass phrase. The certificate, private key, and certificate chain (root or intermediate) are parsed and placed into the Cert_Chain_Key.txt file.

Note: ACM does not accept encrypted keys, and the private key is still encrypted at this point, in the following format:

-----BEGIN ENCRYPTED PRIVATE KEY-----
Base64–encoded private key
-----END ENCRYPTED PRIVATE KEY-----

Decrypt the private key

1.    Copy the private key from the Cert_Chain_Key.txt file into your OpenSSL directory, or specify the location in the command line.

2.    Enter the following OpenSSL command and replace Encrypted.key with your encrypted private key file:

$openssl rsa -in Encrypted.key -out UnEncrypted.key

Note: openssl rsa only handles RSA keys. For an ECDSA key use openssl ec, or use openssl pkey, which works for either key type:

$openssl pkey -in Encrypted.key -out UnEncrypted.key

3.    Enter the pass phrase. The UnEncrypted.key is now the decrypted private key. To verify this, open the UnEncrypted.key file using a text editor and view the headers similar to the following format:

-----BEGIN RSA PRIVATE KEY-----
Base64–encoded private key
-----END RSA PRIVATE KEY-----

With OpenSSL 3 the header is -----BEGIN PRIVATE KEY----- (PKCS#8) instead; that is also unencrypted and is accepted by ACM. The important thing is that the word ENCRYPTED no longer appears in the header.

Because UnEncrypted.key now holds the key in plaintext, restrict its file permissions and delete it as soon as the import succeeds. ACM stores the key for you and does not allow the private key of an imported certificate to be exported again.

You can now import the certificate successfully into ACM. For instructions, see Importing a certificate.

The following script, added here as an illustration rather than taken from this article, performs the whole procedure end to end with OpenSSL: it constructs a throwaway Root CA -> SubordinateCA1 -> SubordinateCA2 -> leaf hierarchy as a test fixture, exports it as a PKCS#12 bundle the way a third-party CA might deliver it, splits that bundle into the certificate, the unencrypted private key, and the chain (using -nodes so the separate decryption step is not needed), puts the chain into the order ACM expects, and checks that the key matches the certificate and that the chain verifies before calling the AWS CLI. The file names (bundle.pfx, certificate.pem, private_key.pem, certificate_chain.pem), the PFX_PASS password and the DO_IMPORT switch are assumptions chosen for this script.

```bash
#!/usr/bin/env bash
# Added example, not from the AWS article. Builds a constructed three-tier CA,
# exports the leaf as PKCS#12, splits the bundle into the three PEM inputs ACM
# expects, orders the chain, verifies everything, then (optionally) imports.
# File names, PFX_PASS and DO_IMPORT are assumptions made for this script.
set -eu

WORK="${WORK:-$(mktemp -d)}"
PFX_PASS="${PFX_PASS:-changeit}"   # constructed password for the test bundle only

# Key plus CSR for basename $1 with subject $2.
csr() {
  openssl req -new -newkey rsa:2048 -nodes -batch -keyout "$1.key" -out "$1.csr" \
    -subj "$2" >/dev/null 2>&1
}

# Sign $1.csr with CA basename $2 ("self" for a self-signed root); $3 holds the
# X.509 extensions, newline separated, in openssl extfile syntax.
sign() {
  printf '%b\n' "$3" > "$1.ext"
  if [ "$2" = self ]; then
    openssl x509 -req -in "$1.csr" -signkey "$1.key" -extfile "$1.ext" \
      -days 2 -out "$1.pem" >/dev/null 2>&1
  else
    openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" -CAcreateserial \
      -extfile "$1.ext" -days 2 -out "$1.pem" >/dev/null 2>&1
  fi
}

CA_EXT='basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign'
LEAF_EXT='basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nsubjectAltName=DNS:www.example.com'

# Constructed fixture: Root CA -> SubordinateCA1 -> SubordinateCA2 -> leaf,
# packed into bundle.pfx with the CA certificates deliberately out of order.
make_test_pfx() {
  cd "$WORK"
  csr root "/CN=Example Root CA";          sign root self "$CA_EXT"
  csr sub1 "/CN=Example SubordinateCA1";  sign sub1 root "$CA_EXT"
  csr sub2 "/CN=Example SubordinateCA2";  sign sub2 sub1 "$CA_EXT"
  csr leaf "/CN=www.example.com";         sign leaf sub2 "$LEAF_EXT"
  cat root.pem sub1.pem sub2.pem > unordered_cas.pem
  openssl pkcs12 -export -inkey leaf.key -in leaf.pem -certfile unordered_cas.pem \
    -out bundle.pfx -passout "pass:$PFX_PASS"
}

# Walk from the leaf's issuer up to the self-signed root, printing each CA cert
# in turn: exactly the order ACM wants (signer of the leaf first, root last).
order_chain() { # $1=leaf cert, $2=PEM file holding the CA certs in any order
  local pool="$WORK/pool" want found f subj
  rm -rf "$pool" && mkdir -p "$pool"
  awk -v d="$pool" '/-----BEGIN CERTIFICATE-----/{n++} {print > (d "/" n ".pem")}' "$2"
  want=$(openssl x509 -in "$1" -noout -issuer | sed 's/^[a-z]*=//')
  while :; do
    found=
    for f in "$pool"/*.pem; do
      subj=$(openssl x509 -in "$f" -noout -subject | sed 's/^[a-z]*=//')
      [ "$subj" = "$want" ] || continue
      cat "$f"; found=$f
      want=$(openssl x509 -in "$f" -noout -issuer | sed 's/^[a-z]*=//')
      [ "$subj" = "$want" ] && return 0   # self-signed: the root has been reached
      rm "$f"                             # never revisit a cert; bounds the loop
      break
    done
    [ -n "$found" ] || { echo "no issuer found for: $want" >&2; return 1; }
  done
}

# Split the bundle into the three PEM inputs. -nodes writes the key unencrypted,
# so no separate decrypt step is needed; awk strips the "Bag Attributes" lines.
split_pfx() { # $1=pfx $2=import password
  openssl pkcs12 -in "$1" -passin "pass:$2" -clcerts -nokeys 2>/dev/null \
    | awk '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/' > certificate.pem
  openssl pkcs12 -in "$1" -passin "pass:$2" -cacerts -nokeys 2>/dev/null \
    | awk '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/' > cacerts.pem
  umask 077   # the key is plaintext from here on; keep the file owner-only
  openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null \
    | awk '/-----BEGIN .*PRIVATE KEY-----/,/-----END .*PRIVATE KEY-----/' > private_key.pem
  order_chain certificate.pem cacerts.pem > certificate_chain.pem
}

# ACM rejects a key that does not match the certificate; compare the public keys first.
key_matches_cert() { # $1=cert $2=key
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# The ordered chain must lead from the leaf to the self-signed root it ends with.
chain_verifies() { # $1=cert $2=chain
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Real AWS CLI syntax (fileb:// uploads the files as-is). Needs credentials and
# changes the account, so it only runs when DO_IMPORT=1.
import_to_acm() {
  aws acm import-certificate --certificate fileb://certificate.pem \
    --private-key fileb://private_key.pem --certificate-chain fileb://certificate_chain.pem
}

main() {
  command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 0; }
  make_test_pfx
  split_pfx bundle.pfx "$PFX_PASS"
  key_matches_cert certificate.pem private_key.pem || { echo "key/cert mismatch" >&2; return 1; }
  chain_verifies certificate.pem certificate_chain.pem || { echo "chain does not verify" >&2; return 1; }
  echo "chain order (signer of the leaf first, root last):"
  openssl crl2pkcs7 -nocrl -certfile certificate_chain.pem | openssl pkcs7 -print_certs -noout
  if [ "${DO_IMPORT:-0}" = 1 ]; then import_to_acm; fi
  echo "PEM files ready in $WORK"
}
main
```

To use it on a real bundle, skip make_test_pfx and call split_pfx with your own PFX file and import password; the two verification functions are the checks worth running before every import, because a key/certificate mismatch or a mis-ordered chain is the usual reason an ACM import is rejected.
<test>
command -v openssl >/dev/null 2>&1 || exit 0
[ "$(grep -c 'BEGIN CERTIFICATE' "$WORK/certificate.pem")" = 1 ] || exit 1
[ "$(grep -c 'BEGIN CERTIFICATE' "$WORK/certificate_chain.pem")" = 3 ] || exit 1
grep -q 'BEGIN .*PRIVATE KEY' "$WORK/private_key.pem" || exit 1
grep -q 'ENCRYPTED' "$WORK/private_key.pem" && exit 1
key_matches_cert "$WORK/certificate.pem" "$WORK/private_key.pem" || exit 1
chain_verifies "$WORK/certificate.pem" "$WORK/certificate_chain.pem" || exit 1
openssl x509 -in "$WORK/certificate_chain.pem" -noout -subject | grep -q 'SubordinateCA2' || exit 1
awk '/BEGIN CERTIFICATE/{c=""} {c=c $0 "\n"} END{printf "%s", c}' "$WORK/certificate_chain.pem" | openssl x509 -noout -subject | grep -q 'Example Root CA' || exit 1
</test>