How can I import a third-party issued TLS/SSL certificate to ACM?

3 minute read

I want to import a third-party issued TLS/SSL certificate into AWS Certificate Manager (ACM).

Resolution

To import third-party issued TLS/SSL certificate into ACM, you must provide the certificate, its private key, and the certificate chain. Your certificate must also include the prerequisites for importing certificates.

You need the following files to import in PEM-encoded format similar to the following:

PEM–encoded certificate:

-----BEGIN CERTIFICATE-----
Base64–encoded certificate
-----END CERTIFICATE-----

PEM–encoded certificate chain: (This example shows a chain where two Subordinate / Intermediate CAs are present. The order given here is to keep the Root CA as the last entry):

PEM–encoded private keys:

-----BEGIN RSA PRIVATE KEY-----
Base64–encoded private key
-----END RSA PRIVATE KEY-----

For more information and examples, see Certificate and key format for importing.

Convert the certificate bundle from PKCS#12 (PFX) to PEM using OpenSSL

1. Copy the PFX or P12 file to the same location as your OpenSSL tool, or specify the location in the command line.

2. Enter the following OpenSSL command and replace PKCS12file with your certificate file:

$openssl pkcs12 -in PKCS12file -out Cert_Chain_Key.txt

You receive prompts similar to the following:

Enter Import Password:(this is the password that was used when the PKCS12 file was created)

Enter PEM pass phrase:(this is the private key password)

Verifying - Enter PEM pass phrase: (confirm the private key password)

3. Enter the required password and pass phrase. The certificate, private key, and certificate chain (root or intermediate) are parsed and placed into the Cert_Chain_Key.txt file.

Note: The private key is still encrypted in the following format:

-----BEGIN ENCRYPTED PRIVATE KEY-----
Base64–encoded private key
-----END ENCRYPTED PRIVATE KEY-----

Decrypt the private key

1. Copy the private key from the Cert_Chain_Key.txt file into your OpenSSL directory, or specify the location in the command line.

2. Enter the following OpenSSL command and replace Encrypted.key with your encrypted private key file:

$openssl rsa -in Encrypted.key -out UnEncrypted.key

3. Enter the pass phrase. The UnEncrypted.key is now the decrypted private key. To verify this, open the UnEncrypted.key file using a text editor and view the headers similar to the following format:

-----BEGIN RSA PRIVATE KEY-----
Base64–encoded private key
-----END RSA PRIVATE KEY-----

You can now import the certificate successfully into ACM. For instructions, see Importing a certificate.

Related information

Why can't I import a third-party public SSL/TLS certificate into AWS Certificate Manager (ACM)?

How to import PFX-formatted certificates into AWS Certificate Manager using OpenSSL

Topics

Security, Identity, & Compliance

Relevant content

Need help to import multiple certificates to ACM
rePost-User-4201735
asked a year ago
Can I reimport an AWS ACM certificate with a different certificate provider?
Accepted Answer
Alejandro Lozano
asked 3 months ago
ACM import certificate error - The certificate chain provided is not in a valid PEM format.
rePost-User-7437082
asked 2 years ago
Amazon Certificate Manager (ACM) certificate re-import
Accepted Answer
AWS-User-9422387
asked 5 years ago
Import cert to ACM: certificate field contains more than one certificate
jbaptiste
asked 4 years ago
How can I be notified when my ACM imported certificates are near expiration?
AWS OFFICIALUpdated a year ago
Can I use ACM to issue private certificates when the AWS Private CA validity is less than 13 months?
AWS OFFICIALUpdated 4 months ago
Why can't I import a third-party public SSL/TLS certificate into AWS Certificate Manager (ACM)?
AWS OFFICIALUpdated 2 years ago
How can I revoke my ACM private certificate?
AWS OFFICIALUpdated 2 years ago
Discounts on AWS Certification Exams
EXPERT
kentrad
published 8 months ago