How can I upload and import an SSL certificate to AWS Identity and Access Management (IAM)?

We recommend that you upload SSL certificates to AWS Certificate Manager (ACM), but if you're using certificate algorithms and key sizes that are not currently supported by ACM or the associated AWS resources, then you can also upload an SSL certificate to IAM using AWS Command Line Interface (AWS CLI).

Before you can import an SSL certificate to IAM:

  • The certificate must be valid at the time of upload. You can't upload a certificate before its validity period begins or after expires.
  • The certificate, private key, and the certificate chain must be PEM-encoded. For more information, see Working with Server Certificates >> Troubleshooting.

After you confirm that your certificate meets these criteria, be sure that the certificate chain is in the correct order, and then upload the certificate.

Confirm that the certificate chain is in the correct order

The certificate chain must begin with the certificate that is generated by your certificate authority (CA) and end with your CA's root certificate. If the certificate chain isn't in the correct order, you might receive the following error message: "An error occurred (MalformedCertificate) when calling the UploadServerCertificate operation: Unable to validate certificate chain. The certificate chain must start with the immediate signing certificate, followed by any intermediaries in order. The index within the chain of the invalid certificate is: -1"

The certificate chain must begin with "-----BEGIN CERTIFICATE-----" and end with "-----END CERTIFICATE-----". See the following PEM-encoded certificate chain examples:

Base64-encoded Intermediate certificate 2
Base64-encoded Intermediate certificate 1
Optional: Base64-encoded Root certificate

Note: Be sure that the certificate doesn't contain leading or trailing spaces.

Upload the certificate

Upload the certificate by running the following command:  

$ aws iam upload-server-certificate --server-certificate-name ExampleCertificate --certificate-body file://Certificate.pem --certificate-chain file://CertificateChain.pem --private-key file://PrivateKey.pem

Note: Replace the file names and ExampleCertificate with the names for your uploaded files and certificate. For more information, see upload-server-certificate.

After the certificate is uploaded, the command returns metadata about the uploaded certificate, including the certificate's Amazon Resource Name (ARN), friendly name, identifier (ID), and expiration date. You can view the uploaded certificate by running the following command:

aws iam list-server-certificates

Note: If you upload a server certificate to be used with Amazon CloudFront, you must specify a path using --path. The path must begin with /cloudfront and the path must include a trailing slash, for example, /cloudfront/test/. For more information, see How do I make sure that the certificate I upload for use with Amazon CloudFront is accessible from the AWS console?

Did this page help you? Yes | No

Back to the AWS Support Knowledge Center

Need help? Visit the AWS Support Center.

Published: 2018-05-11