AWS ACM Certificate Import

Here’s how to import an SSL certificate into AWS Certificate Manager.

aws acm import-certificate \
--certificate file://example.crt \
--private-key file://example.key \
--certificate-chain file://example-bundle.crt

Certbot AWS Renewals

Here are the instructions for renewing Certbot SSL certificates in AWS Certificate Manager. Certbot provides free SSL certificates for 60 days, and they are auto-renewed before they expire. If you are using Certbot SSL certificates with CloudFront, you will need to reimport them into AWS Certificate Manager before expiration.

  1. Get the latest SSL certificate by running “certbot certificates”.
  2. Reimport the certificate in 3 parts.
    • Certificate Body – the root or top portion of the full chain
    • Certificate Private key – the private key
    • Certificate chain – the entire full chain containing multiple certificates
  3. Click Save. Check expiration.

You’ll need to update the certificate before the next expiration date.
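The reimport steps above can also be scripted. This is an added example, not code from the original post: it checks the three files and then calls `aws acm import-certificate`, passing `--certificate-arn` so the existing certificate is replaced in place. It assumes Certbot's default live directory layout and AWS CLI v2 (hence `fileb://`); the `AWS` and `ACM_REGION` variables and the ARN shown are hypothetical placeholders.

```sh
#!/bin/sh
# Added example (not from the original post): re-import a renewed Certbot
# certificate into ACM, replacing the existing certificate in place.
# Assumptions: Certbot's default live directory layout (cert.pem, privkey.pem,
# chain.pem) and AWS CLI v2, which reads these parameters with fileb://.

# usage: reimport_to_acm LIVE_DIR [EXISTING_CERT_ARN]
reimport_to_acm() {
  live=$1
  arn=${2:-}

  for f in cert.pem privkey.pem chain.pem; do
    [ -s "$live/$f" ] || { echo "missing or empty: $live/$f" >&2; return 1; }
  done

  # The certificate body is the server certificate alone; passing
  # fullchain.pem here is a common mistake.
  if [ "$(grep -c 'BEGIN CERTIFICATE' "$live/cert.pem")" -ne 1 ]; then
    echo "cert.pem must contain exactly one certificate" >&2; return 1
  fi

  # ACM does not accept passphrase-protected private keys.
  if grep -Eq 'BEGIN ENCRYPTED PRIVATE KEY|Proc-Type: 4,ENCRYPTED' "$live/privkey.pem"; then
    echo "private key is encrypted; decrypt it before importing" >&2; return 1
  fi

  # CloudFront only uses ACM certificates from us-east-1.
  set -- acm import-certificate --region "${ACM_REGION:-us-east-1}" \
    --certificate "fileb://$live/cert.pem" \
    --private-key "fileb://$live/privkey.pem" \
    --certificate-chain "fileb://$live/chain.pem"

  # With --certificate-arn the existing certificate is replaced and keeps its
  # ARN, so the CloudFront distribution needs no change. Without it, ACM
  # creates a new certificate.
  if [ -n "$arn" ]; then
    set -- "$@" --certificate-arn "$arn"
  fi

  # AWS is a hypothetical override used for dry runs and tests.
  "${AWS:-aws}" "$@"
}

# Example call (the ARN is a placeholder):
# reimport_to_acm /etc/letsencrypt/live/example.com \
#   arn:aws:acm:us-east-1:111122223333:certificate/EXAMPLE-PLACEHOLDER
```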

Convert PFX to PEM format

SSL certificates come in multiple formats. Some providers will hand you certificates in PFX format, which comes as a single file. If you need to import it into AWS Certificate Manager, you will need to convert it from PFX to PEM format. The following set of commands uses the OpenSSL pkcs12 command to convert an SSL certificate from PFX to PEM format.

openssl pkcs12 -in cert.pfx -nocerts -out key.pem
openssl rsa -in key.pem -out server.key
openssl pkcs12 -in cert.pfx -clcerts -nokeys -out cert.pem
openssl pkcs12 -in cert.pfx -nodes -nokeys -out chain.pem

This results in 3 files.

  • server.key is the private key
  • cert.pem is the certificate
  • cert.pem and chain.pem are the full chain.

Once you have them, you can then proceed to import them into ACM.

SSL Certificates Explained

If you’re confused about the different formats and files that the Certificate Manager will accept in AWS, this site explains it fairly well. The Certificate Manager contains 3 fields during the import process: Certificate body, Certificate private key, and Certificate chain.

  • Server certificate > Intermediate certificate > Root certificate
  • Private RSA Key
  • Chain consists of Root and Intermediate

My previous post lightly talked about adding SSL certificates via the AWS Console. This post talks about adding your own SSL certificate to Certificate Manager via the AWS CLI. The CLI makes it super simple to manage. It also allows for automation.

aws acm import-certificate \
--certificate file://Certificate.pem \
--certificate-chain file://CertificateChain.pem \
--private-key file://PrivateKey.pem

If successful, it will return the ARN (Amazon Resource Name) of the imported certificate.