Import cert to ACM: certificate field contains more than one certificate

0

Hi,

I'm trying to import some ssl certificates in PEM format into AWS ACM via aws cli. The certificates import fine when using the aws web console, but when trying to import the same files with aws cli using the following command:

aws acm import-certificate --certificate ssl.website.com.crt --private-key ssl.website.com.key --certificate-chain ssl.website.com.ca --region us-east-2 --profile default

I get this error:

An error occurred (ValidationException) when calling the ImportCertificate operation: The certificate field contains more than one certificate. You can specify only one certificate in this field.

I'm no expert with openssl, but AFAICS there's only one certificate on the pem file, there's only one BEGIN/END CERTIFICATE section. I found this command on this stackoverflow post to print the certificates on a pem file, and I only see one certificate in its output:

openssl crl2pkcs7 -nocrl -certfile ssl.website.com.crt | openssl pkcs7 -print_certs -noout
subject=OU = Domain Control Validated, CN = website.com

issuer=C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", OU = http://certs.godaddy.com/repository/, CN = Go Daddy Secure Certificate Authority - G2

So why can't I import this certificate via cli?

Asked 4 years ago, 2892 views
3 Answers
0

This can happen if you are submitting a pem that contains the complete certificate chain in the certificate body. Do you have any options when you are doing the CSR generation about excluding the certificate chain (and intermediate and root certs) from the certificate? This should ensure that they are only listed in the certificate chain.

Answered 4 years ago
0

Unfortunately I don't have access to the CSR files, we are receiving an existing infrastructure developed by another contractor. I only have access to the certificate files on the web server.

But why do the same files work on the web console and fail with the cli? Is this limitation present only on the cli tool?

And how can I check the list of certificates inside my pem cert file? I'm no openssl expert, but I only see one CERTIFICATE BEGIN/END section in the file. If there were multiple certificates in the file, shouldn't there be multiple CERTIFICATE BEGIN/END sections?

Thanks.

Answered 4 years ago
0

The issue was solved with the help of aws support. The certificate file was fine, the issue was that not all aws cli documentation is consistent. I was looking at:

https://docs.aws.amazon.com/cli/latest/reference/acm/import-certificate.html

Where it does not mention that parameter values must be preceded by "file://".

aws acm import-certificate --certificate file://ssl.website.com.crt --private-key file://ssl.website.com.key --certificate-chain file://ssl.website.com.ca --region us-east-2 --profile default
Answered 4 years ago
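
Added example, not from the thread or from AWS: a shell pre-flight that counts the BEGIN CERTIFICATE blocks in the file meant for --certificate and prints the import-certificate options with the file:// prefix from the fix above. The function names and the ACM_FILE_PREFIX variable are assumptions made for this example.

```shell
#!/bin/sh
# Added example: pre-flight for `aws acm import-certificate` inputs.
# count_pem_certs, acm_import_args and ACM_FILE_PREFIX are hypothetical names.

# Without a prefix the AWS CLI sends the argument text itself as the value;
# the prefix makes it read the file. The thread uses file://, while AWS CLI v2
# reads binary (blob) parameters such as these with fileb://.
ACM_FILE_PREFIX="${ACM_FILE_PREFIX:-file://}"

# Print how many PEM certificate blocks a file contains.
count_pem_certs() {
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Usage: acm_import_args CERT KEY CHAIN  (plain paths, no prefix)
# Prints the three import-certificate options on one line, or fails with a reason.
acm_import_args() {
    cert=$1 key=$2 chain=$3
    for f in "$cert" "$key" "$chain"; do
        case $f in
            file://*|fileb://*)
                echo "give a plain path, the prefix is added here: $f" >&2
                return 2 ;;
        esac
        [ -r "$f" ] || { echo "cannot read: $f" >&2; return 2; }
    done
    n=$(count_pem_certs "$cert")
    if [ "$n" -ne 1 ]; then
        echo "$cert holds $n certificates; --certificate takes exactly one" >&2
        return 1
    fi
    if ! grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$key"; then
        echo "$key has no PEM private key block" >&2
        return 1
    fi
    if [ "$(count_pem_certs "$chain")" -lt 1 ]; then
        echo "$chain has no certificates for --certificate-chain" >&2
        return 1
    fi
    printf '%s %s %s\n' \
        "--certificate ${ACM_FILE_PREFIX}${cert}" \
        "--private-key ${ACM_FILE_PREFIX}${key}" \
        "--certificate-chain ${ACM_FILE_PREFIX}${chain}"
}
```

The printed line can be passed to the CLI as `aws acm import-certificate $(acm_import_args ssl.website.com.crt ssl.website.com.key ssl.website.com.ca) --region us-east-2`; paths containing spaces need to be quoted by hand instead.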
