Import cert to ACM: certificate field contains more than one certificate

0

Hi,

I'm trying to import some ssl certificates in PEM format into AWS ACM via aws cli. The certificates import fine when using the aws web console, but when trying to import the same files with aws cli using the following command:

aws acm import-certificate --certificate ssl.website.com.crt --private-key ssl.website.com.key --certificate-chain ssl.website.com.ca --region us-east-2 --profile default

I get this error:

An error occurred (ValidationException) when calling the ImportCertificate operation: The certificate field contains more than one certificate. You can specify only one certificate in this field.

I'm no expert with openssl, but AFAICS there's only one certificate on the pem file, there's only one BEGIN/END CERTIFICATE section. I found this command on this stackoverflow post to print the certificates on a pem file, and I only see one certificate in its output:

openssl crl2pkcs7 -nocrl -certfile ssl.website.com.crt | openssl pkcs7 -print_certs -noout
subject=OU = Domain Control Validated, CN = website.com

issuer=C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", OU = http://certs.godaddy.com/repository/, CN = Go Daddy Secure Certificate Authority - G2

So why can't I import this certificate via cli?

asked 4 years ago, 2859 views
3 Answers
0

This can happen if you are submitting a pem that contains the complete certificate chain in the certificate body. Do you have any options when you are doing the CSR generation about excluding the certificate chain (and intermediate and root certs) from the certificate? This should ensure that they are only listed in the certificate chain.

answered 4 years ago
0

Unfortunately I don't have access to the CSR files, we are receiving an existing infrastructure developed by another contractor. I only have access to the certificate files on the web server.

But why do the same files work on the web console and fail with the cli? Is this limitation present only on the cli tool?

And how can I check the list of certificates inside my pem cert file? I'm no openssl expert, but I only see one CERTIFICATE BEGIN/END section in the file. If there were multiple certificates in the file, shouldn't there be multiple CERTIFICATE BEGIN/END sections?

Thanks.

answered 4 years ago
0

The issue was solved with the help of aws support. The certificate file was fine, the issue was that not all aws cli documentation is consistent. I was looking at:

https://docs.aws.amazon.com/cli/latest/reference/acm/import-certificate.html

Where it does not mention that parameter values must be preceded by "file://"

aws acm import-certificate --certificate file://ssl.website.com.crt --private-key file://ssl.website.com.key --certificate-chain file://ssl.website.com.ca --region us-east-2 --profile default
answered 4 years ago
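
An added example, not part of the original posts or of AWS documentation: a POSIX shell pre-flight check that counts the BEGIN CERTIFICATE blocks in each file (the check asked about earlier in the thread) and prints the import command with `file://` values, the form that makes the AWS CLI read the file instead of treating the argument itself as the value. The function names are made up for illustration, and the demo files are constructed placeholders holding only PEM markers, not real certificates or keys.

```shell
#!/bin/sh
# Added example: pre-flight check for `aws acm import-certificate` inputs.

# Print how many PEM CERTIFICATE blocks a file holds (0 if none).
count_pem_certs() {
  grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Add the file:// prefix unless the value already carries file:// or fileb://.
as_file_uri() {
  case "$1" in
    file://*|fileb://*) printf '%s\n' "$1" ;;
    *) printf 'file://%s\n' "$1" ;;
  esac
}

# Args: certificate, private key, chain. Validates them, then prints the command.
build_import_cmd() {
  for bic_f in "$1" "$2" "$3"; do
    [ -r "$bic_f" ] || { echo "unreadable: $bic_f" >&2; return 2; }
  done
  bic_n=$(count_pem_certs "$1")
  # The certificate field must hold exactly one certificate; the rest go in the chain.
  [ "$bic_n" -eq 1 ] || { echo "$1: $bic_n certificates, need exactly 1" >&2; return 3; }
  [ "$(count_pem_certs "$3")" -ge 1 ] || { echo "$3: no certificate in chain" >&2; return 4; }
  grep -q -e 'PRIVATE KEY-----' "$2" || { echo "$2: no private key block" >&2; return 5; }
  printf 'aws acm import-certificate --certificate %s --private-key %s --certificate-chain %s\n' \
    "$(as_file_uri "$1")" "$(as_file_uri "$2")" "$(as_file_uri "$3")"
}

# Demo on constructed placeholder files (PEM markers only, no real key material).
demo() {
  d=$(mktemp -d) || return 1
  printf '%s\n' '-----BEGIN CERTIFICATE-----' 'AAAA' '-----END CERTIFICATE-----' > "$d/leaf.crt"
  cat "$d/leaf.crt" "$d/leaf.crt" > "$d/chain.ca"
  printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'AAAA' '-----END PRIVATE KEY-----' > "$d/leaf.key"
  build_import_cmd "$d/leaf.crt" "$d/leaf.key" "$d/chain.ca"
  rm -rf "$d"
}
demo
```

The printed command omits `--region` and `--profile`; append them as in the commands above.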
