Why can't I import a third-party public SSL/TLS certificate into ACM?


I received an error message when I tried to import a third-party SSL/TLS certificate into AWS Certificate Manager (ACM).

Short description

I tried to import a third-party SSL/TLS certificate into ACM and I received an error message similar to one of the following:

  • "You have reached the maximum number of certificates. Delete certificates that aren't in use, or contact AWS Support to request an increase."
  • "The certificate field contains more than one certificate. You can specify only one certificate in this field."
  • "The private key length isn't supported for key algorithm."
  • "The certificate body/chain provided isn't in a valid PEM format", "InternalFailure", or "Unable to parse certificate. Be sure that the certificate is in PEM format."
  • "The private key isn't supported."
  • "Your private key should not be encrypted."

Resolution

Follow the instructions that match the error message that you received.

"You have reached the maximum number of certificates. Delete certificates that are not in use, or contact AWS Support to request an increase."

By default, you can import up to 1000 certificates into ACM, but new AWS accounts might start with a lower limit. If you exceed this limit, request an ACM quota increase.

If you receive this error message and you haven't exceeded 1000 certificates, then you might have exceeded the yearly import limit. By default, you can import two times the value of your account limit per year. For example, if your limit is 100 certificates, then you can import up to 200 certificates per year. This includes certificates that you imported and deleted within the last 365 days. If you reach your limit, contact AWS Support to request a limit increase. For more information, see Quotas.

"The certificate field contains more than one certificate. You can specify only one certificate in this field."

If you are importing a certificate, don't upload the complete certificate chain for the Certificate body field. If you receive a certificate bundle, that bundle might contain the server certificate and the certificate chain from the certificate authority (CA).

Separate the bundle into the individual files that were created at the time of the certificate signing request (CSR) generation: the certificate, the certificate chain with the intermediate and root certificates, and the private key. Then, convert each file to PEM format and upload the files individually to ACM. To convert a certificate bundle to PEM format, see Troubleshooting.

"The private key length is not supported for key algorithm."

For X.509 certificates or certificate requests, you specify the algorithm and the key bit size that's used to create the private-public key pair. Be sure that your certificate key meets the prerequisites for importing certificates. If your key doesn't meet the prerequisites for the key size or algorithm, then ask your certificate provider to re-issue the certificate with a supported key size and algorithm.

"The certificate body/chain provided is not in a valid PEM format.", "internalFailure", or "Unable to parse certificate. Please ensure the certificate is in PEM format."

If the certificate body, private key, or certificate chain isn't in PEM format, or if the certificate file doesn't contain the correct certificate body, then you must convert the file. To convert a certificate or certificate chain from DER to PEM format, see Troubleshooting.

"The private key is not supported."

If you use the AWS CLI to import a certificate, then you pass the contents of your certificate files (the certificate body, private key, and certificate chain) as strings. Specify the certificate, the certificate chain, and the private key by their file names preceded by fileb://. For more information, see import-certificate.

Note: Be sure to use the file path fileb://key.pem for your key and fileb://certificate.pem for your certificate. If you don't include the file path, then you might receive the error message "The private key is not supported or valid".

"Your private key should not be encrypted."

The private key must be decrypted before importing it. For more information, see Certificate and key format for importing and Troubleshooting.
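The checks above (exactly one certificate in the body, PEM rather than DER, an unencrypted private key, a chain made only of certificates) can be run locally before calling import-certificate. The following pre-flight script is an added example written for this article, not AWS code; it inspects only PEM structure with the Python standard library, and the sample blocks it checks are constructed placeholders, not real certificates or keys.

```python
import base64
import re

# One PEM block: label, then base64 body, then matching END line.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)

def pem_blocks(data):
    """Return (label, body) pairs for every PEM block, or raise ValueError if not PEM."""
    if data[:1] == b"\x30":  # DER files begin with an ASN.1 SEQUENCE tag, never with text
        raise ValueError("file looks like DER, not PEM: convert it first")
    blocks = PEM_BLOCK.findall(data.decode("ascii"))  # non-ASCII bytes also mean not PEM
    if not blocks:
        raise ValueError("no PEM blocks found")
    for _, body in blocks:  # anything that is not valid base64 would fail to parse in ACM
        base64.b64decode(re.sub(r"\s+", "", body), validate=True)
    return blocks

def check_import_inputs(cert, key, chain=None):
    """Return the problems ACM would reject the files for; an empty list means importable."""
    problems = []
    try:
        if sum(1 for label, _ in pem_blocks(cert) if label == "CERTIFICATE") != 1:
            problems.append("certificate body must contain exactly one certificate")
    except ValueError as e:
        problems.append("certificate body: %s" % e)
    # PKCS#8 encrypted keys carry an ENCRYPTED label; legacy keys carry a Proc-Type header.
    if b"ENCRYPTED PRIVATE KEY" in key or b"Proc-Type: 4,ENCRYPTED" in key:
        problems.append("private key is encrypted; decrypt it before import")
    else:
        try:
            labels = {label for label, _ in pem_blocks(key)}
            if not labels & {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}:
                problems.append("private key is not a supported PEM private key")
        except ValueError as e:
            problems.append("private key: %s" % e)
    if chain is not None:
        try:
            if any(label != "CERTIFICATE" for label, _ in pem_blocks(chain)):
                problems.append("certificate chain must contain only certificates")
        except ValueError as e:
            problems.append("certificate chain: %s" % e)
    return problems

def _fake_block(label, payload):
    """Constructed PEM-shaped sample data; the payload is not a real certificate or key."""
    body = base64.b64encode(payload).decode()
    return ("-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, body, label)).encode()

LEAF = _fake_block("CERTIFICATE", b"constructed leaf")
INTERMEDIATE = _fake_block("CERTIFICATE", b"constructed intermediate")
KEY_PLAIN = _fake_block("PRIVATE KEY", b"constructed key")
KEY_ENCRYPTED = _fake_block("ENCRYPTED PRIVATE KEY", b"constructed key")
BUNDLE = LEAF + INTERMEDIATE          # the whole bundle pasted into the body field
DER_BLOB = b"\x30\x82\x01\x00" + b"\x00" * 8  # constructed stand-in for a DER file
```

Each returned string corresponds to one of the error messages listed above, so the script tells you which resolution section applies before you upload anything.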

Related information

Importing certificates into AWS Certificate Manager

Certificate import problems

AWS OFFICIAL. Updated 3 months ago.