How can I upload and import an SSL certificate to AWS Identity and Access Management (IAM)?

Last updated: 2019-07-08

Short Description

It's a best practice that you upload SSL certificates to AWS Certificate Manager (ACM). If you're using certificate algorithms and key sizes that aren't currently supported by ACM or the associated AWS resources, then you can also upload an SSL certificate to IAM using AWS Command Line Interface (AWS CLI).

Before you can import an SSL certificate to IAM:

  • The certificate must be valid at the time of upload. You can't upload a certificate before its validity period begins or after it expires.
  • The certificate, private key, and the certificate chain must be PEM-encoded. For more information, see the Example PEM–encoded certificate chain section in Working with Server Certificates.

After you confirm that your certificate meets these criteria, be sure that the certificate chain is in the correct order, and then upload the certificate.

Resolution

Confirm that the certificate chain is in the correct order

The certificate chain must begin with the intermediate certificate that signed your server certificate (the immediate signing certificate issued by your certificate authority (CA)), continue with any further intermediates in signing order, and end with your CA's root certificate.

Note: If the certificate chain isn't in the correct order, you can receive the following error message: "An error occurred (MalformedCertificate) when calling the UploadServerCertificate operation: Unable to validate certificate chain. The certificate chain must start with the immediate signing certificate, followed by any intermediaries in order. The index within the chain of the invalid certificate is: -1"

The PEM-encoded certificate chain must begin with "-----BEGIN CERTIFICATE-----" and end with "-----END CERTIFICATE-----", similar to the following:  

-----BEGIN CERTIFICATE-----
Base64-encoded Intermediate certificate 2
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Base64-encoded Intermediate certificate 1
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Optional: Base64-encoded Root certificate
-----END CERTIFICATE-----

Note: Be sure that the certificate doesn't contain leading or trailing spaces.

Upload the certificate

Upload the certificate by running the following command:  

$ aws iam upload-server-certificate --server-certificate-name ExampleCertificate --certificate-body file://Certificate.pem --certificate-chain file://CertificateChain.pem --private-key file://PrivateKey.pem

Note: Replace the file names and ExampleCertificate with the names for your uploaded files and certificate. For more information, see upload-server-certificate.

After the certificate is uploaded, the command returns metadata about the uploaded certificate, including the certificate's Amazon Resource Name (ARN), friendly name, identifier (ID), and expiration date. You can view the uploaded certificate by running the following command:

aws iam list-server-certificates

Note: If you upload a server certificate to be used with Amazon CloudFront, you must specify a path using --path. The path must begin with /cloudfront and the path must include a trailing slash, for example, /cloudfront/test/. For more information, see Why can't I use my custom SSL certificate for my CloudFront distribution?
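The pre-flight checks this article describes (PEM framing without stray whitespace, chain order, validity, and the CloudFront path rule), followed by the upload, as an added POSIX shell example that is not part of the AWS article. It assumes `awk`, `openssl` (for the chain-order and expiry checks) and the AWS CLI are installed; the file names and certificate name are placeholders.

```shell
#!/bin/sh
# Added example, not from the AWS article: pre-flight checks for a PEM
# certificate chain before running `aws iam upload-server-certificate`.
# Assumes POSIX sh + awk; openssl for chain/expiry checks; aws CLI for upload.

# 1. Framing: first line is a BEGIN marker, last line an END marker, markers
#    pair up, and no line has leading/trailing whitespace or a CR (the
#    article's "no leading or trailing spaces" note). Returns 0 if OK.
pem_framing_ok() {
    awk '
        NR == 1 && $0 != "-----BEGIN CERTIFICATE-----" { bad = 1 }
        /^[ \t]/ || /[ \t\r]$/                          { bad = 1 }
        $0 == "-----BEGIN CERTIFICATE-----"             { open++ }
        $0 == "-----END CERTIFICATE-----"               { open--; if (open < 0) bad = 1 }
        { last = $0 }
        END {
            if (NR == 0 || open != 0 || last != "-----END CERTIFICATE-----") bad = 1
            exit (bad ? 1 : 0)
        }' "$1"
}

# 2. Number of certificates in a PEM file (one BEGIN marker per certificate).
pem_cert_count() {
    grep -c '^-----BEGIN CERTIFICATE-----$' "$1" || true
}

# 3. Chain order: split the chain into one file per certificate and require
#    that each certificate's issuer equals the subject of the certificate that
#    follows it (immediate signing certificate first, root last), which is what
#    the MalformedCertificate error in the article demands.
chain_order_ok() {
    dir=$(mktemp -d)
    awk -v dir="$dir" '
        /^-----BEGIN CERTIFICATE-----$/ { n++; out = dir "/" n ".pem" }
        out != ""                       { print > out }
        /^-----END CERTIFICATE-----$/   { close(out); out = "" }' "$1"
    n=$(ls "$dir" | wc -l | tr -d ' ')
    i=1
    while [ "$i" -lt "$n" ]; do
        issuer=$(openssl x509 -in "$dir/$i.pem" -noout -issuer -nameopt RFC2253 | sed 's/^issuer=//')
        next_subject=$(openssl x509 -in "$dir/$((i + 1)).pem" -noout -subject -nameopt RFC2253 | sed 's/^subject=//')
        if [ "$issuer" != "$next_subject" ]; then
            echo "chain out of order at position $i: issuer '$issuer' != next subject '$next_subject'" >&2
            rm -rf "$dir"
            return 1
        fi
        i=$((i + 1))
    done
    rm -rf "$dir"
}

# 4. Expiry: -checkend 0 fails once the certificate has expired. (The
#    not-yet-valid case IAM also rejects is not covered by -checkend; inspect
#    `openssl x509 -noout -startdate` for that.)
cert_not_expired() {
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null
}

# 5. Run every check, then upload. --path is added only when given; a path
#    starting with /cloudfront must end with a slash, as the article notes.
upload_server_certificate() {
    name=$1; cert=$2; chain=$3; key=$4; path=${5:-}
    for f in "$cert" "$chain"; do
        pem_framing_ok "$f" || { echo "bad PEM framing or stray whitespace in $f" >&2; return 1; }
    done
    chain_order_ok "$chain" || return 1
    cert_not_expired "$cert" || { echo "$cert has expired" >&2; return 1; }
    set -- --server-certificate-name "$name" \
           --certificate-body "file://$cert" \
           --certificate-chain "file://$chain" \
           --private-key "file://$key"
    if [ -n "$path" ]; then
        case $path in
            /cloudfront*/) ;;
            /cloudfront*) echo "CloudFront path must end with a slash, e.g. /cloudfront/test/" >&2; return 1 ;;
        esac
        set -- "$@" --path "$path"
    fi
    aws iam upload-server-certificate "$@"
}

# Usage with placeholder file names (not executed here):
#   upload_server_certificate ExampleCertificate Certificate.pem CertificateChain.pem PrivateKey.pem
#   upload_server_certificate ExampleCertificate Certificate.pem CertificateChain.pem PrivateKey.pem /cloudfront/test/
```

The order check compares distinguished names rather than signatures, so a chain whose order is right but whose signatures are wrong still needs `openssl verify`; the point of the script is to catch the ordering and whitespace mistakes that produce the MalformedCertificate error before the API call is made.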