How can I upload and import an SSL certificate to AWS Identity and Access Management (IAM)?


Short description

It's a best practice that you upload SSL certificates to AWS Certificate Manager (ACM). If you're using certificate algorithms and key sizes that aren't currently supported by ACM or the associated AWS resources, then you can also upload an SSL certificate to IAM using the AWS Command Line Interface (AWS CLI).

Before you can import an SSL certificate to IAM:

  • The certificate must be valid at the time of upload. You can't upload a certificate before its validity period begins or after it expires.
  • The certificate, private key, and the certificate chain must be PEM-encoded. For more information, see the "Example PEM-encoded certificate chain" section in Working with server certificates.

After you confirm that your certificate meets the criteria, be sure that the certificate chain is in the correct order, and then upload the certificate.


Confirm that the certificate chain is in the correct order

Note: If you receive errors when running AWS CLI commands, make sure that you’re using the most recent version of the AWS CLI.

The certificate chain must begin with the certificate that is generated by your certificate authority (CA) and end with the root certificate of your CA.

Note: If the certificate chain isn't in the correct order, you can receive the following error message: "An error occurred (MalformedCertificate) when calling the UploadServerCertificate operation: Unable to validate certificate chain. The certificate chain must start with the immediate signing certificate, followed by any intermediaries in order. The index within the chain of the non-valid certificate is: -1"

The PEM-encoded certificate chain must begin with "-----BEGIN CERTIFICATE-----" and end with "-----END CERTIFICATE-----", similar to the following:

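-----BEGIN CERTIFICATE-----
Base64-encoded Intermediate certificate 2
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Base64-encoded Intermediate certificate 1
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Optional: Base64-encoded Root certificate
-----END CERTIFICATE-----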

Note: Be sure that the certificate has no leading or trailing spaces and doesn't contain a prefix or suffix besides the BEGIN and END block.
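A pre-upload check for the ordering and formatting rules above, as an added example that is not AWS code: it flags whitespace or stray text around the PEM blocks and confirms that each chain entry's subject matches the issuer of the certificate before it, starting from the certificate body. The function names are hypothetical, names are compared byte for byte using only the Python standard library, and signatures and validity dates are not checked.

```python
import base64, re, sys

CERT_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def tlv(buf, pos):
    """Read one DER element at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def issuer_and_subject(der):
    """Return the raw DER issuer and subject names of one certificate."""
    _, pos, _ = tlv(der, 0)        # Certificate SEQUENCE
    _, pos, _ = tlv(der, pos)      # TBSCertificate SEQUENCE
    tag, _, end = tlv(der, pos)
    if tag == 0xA0:                # optional [0] version field
        pos = end
    fields = []
    for _ in range(5):             # serial, sigAlg, issuer, validity, subject
        start = pos
        _, _, pos = tlv(der, pos)
        fields.append(der[start:pos])
    return fields[2], fields[4]

def pem_certs(text):
    return [base64.b64decode(b) for b in CERT_RE.findall(text)]

def check_upload(body_pem, chain_pem):
    """Return a list of problems (assumption: final line endings are harmless)."""
    problems = []
    for name, text in (("certificate-body", body_pem), ("certificate-chain", chain_pem)):
        if text[:1].isspace() or text.rstrip("\r\n") != text.rstrip():
            problems.append(f"{name}: leading or trailing whitespace")
        if CERT_RE.sub("", text).strip():
            problems.append(f"{name}: text outside the BEGIN/END CERTIFICATE blocks")
    leaf = pem_certs(body_pem)
    if not leaf:
        return problems + ["certificate-body: no certificate found"]
    names = [issuer_and_subject(c) for c in leaf[:1] + pem_certs(chain_pem)]
    for i in range(len(names) - 1):
        if names[i][0] != names[i + 1][1]:  # issuer of previous vs subject of entry i
            problems.append(f"certificate-chain index {i}: out of order")
            break
    return problems

if __name__ == "__main__" and len(sys.argv) == 3:
    for p in check_upload(*(open(f).read() for f in sys.argv[1:3])):
        print(p)
```

Run it with the certificate body file and the chain file as its two arguments; no output means both files passed.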

The PEM-encoded private key must use the following format to avoid the "MalformedCertificate: Unable to parse private key" error message:

Base64-encoded private key

Upload the certificate

Upload the certificate by running the AWS CLI command upload-server-certificate similar to the following:

$ aws iam upload-server-certificate --server-certificate-name YourCertificate --certificate-body file://Certificate.pem --certificate-chain file://CertificateChain.pem --private-key file://PrivateKey.pem


  • Replace the file names and YourCertificate with the names for your uploaded files and certificate.
  • You must specify the "file://" prefix in the certificate-body, certificate-chain and private-key parameters in the API request. Otherwise, the request fails with a "MalformedCertificate: Unknown" error message.

After the certificate is uploaded, the AWS CLI command upload-server-certificate returns metadata for the uploaded certificate, including the certificate's Amazon Resource Name (ARN), friendly name, identifier (ID), and expiration date.

To view the uploaded certificate, run the AWS CLI command list-server-certificates:

$ aws iam list-server-certificates

Note: If you upload a server certificate for use with Amazon CloudFront, you must specify a path using --path. The path must begin with /cloudfront and the path must include a trailing slash, for example, /cloudfront/test/. For more information, see How can I troubleshoot issues with using a custom SSL certificate for my CloudFront distribution?

To delete the certificate, run the AWS CLI command delete-server-certificate similar to the following:

$ aws iam delete-server-certificate --server-certificate-name YourCertificate

Related information

Services integrated with AWS Certificate Manager

Certificate and key format for Importing