How can I troubleshoot certificate chain and self-signed certificate issues for Amazon API Gateway with custom domains and mutual TLS enabled?

3 minute read

I am using mutual Transport Layer Security (TLS) authentication with Amazon API Gateway with a custom domain name. I am getting certificate chain or self-signed certificate errors. How can I troubleshoot this?

Short description

Before you begin, make sure that you have:


For a list of specific error messages when invoking your Amazon API Gateway API, run a curl command similar to the following:

$ curl -v --key self-signed.key --cert self-signed.pem:"example"

Client errors

"curl: (58) could not load PEM client certificate, OpenSSL error error:02001002:system library:fopen:No such file or directory, (no key found, wrong pass phrase, or wrong file format?"

This error means that the PEM file has the wrong name, location, or file format. For example, the certificate file format stored locally is .crt , but the .pem file was used instead in the API request. To resolve this, make sure that the local client certificate has the correct format and name.

"curl: (6) Could not resolve host:"

The client wasn't able to resolve the domain name. Make sure that the domain name and configuration are correct.

"url: (58) schannel: Failed to import cert file self-signed.pem, last error is 0x80092002"

This error means that there is an issue with the local client .pem file. Make sure that the .pem file includes the correct name and format.

"curl: (58) unable to set private key file: 'self-signed.key' type PEM"

This error means that there is an issue with the local client file. Make sure that the private key provided in the HTTP request is not missing and correct.

Server errors

"Access denied. Reason: self-signed certificate."

Verify that the self-signed client certificate in the API request isn't altered or corrupted.

The following must match exactly:

  • The modulus of the private key (private.key ) used to sign the self-signed certificate within the truststore in Amazon S3 (bundle.crt or bundle.pem ).
  • The modulus from the client's certificate passed in the API request (client.crt ).

To compare the two modulus, run the following OpenSSL commands:

$ openssl rsa -noout -modulus -in private.key
$ openssl x509 -noout -modulus -in bundle.crt
$ openssl x509 -noout -modulus -in client.crt

Note: To produce a shorter hash value for easier comparison, you can use PIPE to send the output modulus into a cryptographic hash function. For example: openssl sha1 .

$ openssl [operation] -noout -modulus -in [data] | openssl sha1

Valid command output examples:


To confirm data integrity, verify that there wasn't any data modification at the content level by running the following diff command:

$ diff client.crt bundle.crt

Related information

Introducing mutual TLS authentication for Amazon API Gateway

How do I troubleshoot HTTP 403 Forbidden errors from an API Gateway custom domain name that requires mutual TLS?

AWS OFFICIALUpdated 5 months ago