Certificate import problems - Amazon Certificate Manager
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Certificate import problems

You can import third-party certificates into ACM and associate them with integrated services. If you encounter problems, review the prerequisites and certificate format topics. In particular, note the following:

  • You can import only X.509 version 3 SSL/TLS certificates.

  • Your certificate can be self-signed or it can be signed by a certificate authority (CA).

  • If your certificate is signed by a CA, you must include the intermediate certificate chain that provides a path from your certificate to the root of authority.

  • If your certificate is self-signed, you must include the private key in plaintext (that is, unencrypted).

  • Order the chain so that each certificate directly certifies the one preceding it: the first certificate in the chain is the one that issued your end-entity certificate, the second issued the first, and so on toward the root. A chain that is out of order, or that skips an issuer, is rejected.

  • Do not include your end-entity certificate in the intermediate certificate chain; supply it separately as the certificate body.

  • Your certificate, certificate chain, and private key (if any) must be PEM-encoded. PEM encoding consists of blocks of Base64-encoded ASCII text, each enclosed between a plaintext header line (such as -----BEGIN CERTIFICATE-----) and the matching footer line (-----END CERTIFICATE-----). Do not add lines or spaces, change line endings, or make any other changes to a PEM file while copying or uploading it; extra lines, trailing spaces, or other stray characters (for example, the "subject=" and "issuer=" text that some tools print above a certificate) cause ACM to reject the file. You can verify that a certificate chains correctly to its CA with the OpenSSL verify utility.

  • Your private key (if any) must not be encrypted. If the key prompts for a passphrase when you use it, it is encrypted. In PEM form, an encrypted key is labeled BEGIN ENCRYPTED PRIVATE KEY, or carries a Proc-Type: 4,ENCRYPTED header line under a BEGIN RSA PRIVATE KEY label; decrypt it before importing.

  • Services integrated with ACM must use ACM-supported algorithms and key sizes. See the Amazon Certificate Manager User Guide and the documentation for each service to make sure that your certificate will work.

  • Certificate support by integrated services might differ depending on whether the certificate is imported into IAM or into ACM.

  • The certificate must be valid when it is imported: the import time must fall between its notBefore and notAfter dates. An expired certificate, or one whose validity period has not yet begun, is rejected.

  • Detailed information for all of your certificates is displayed in the console. By default, however, if you call the ListCertificates API or the list-certificates Amazon CLI command without specifying the keyTypes filter, only RSA_1024 and RSA_2048 certificates are returned; a certificate imported with another key algorithm or size is not missing, it is simply filtered out until you pass the keyTypes filter explicitly.
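Most of the rules in this list can be checked mechanically before you call import-certificate, which is quicker than decoding an import error afterwards. The following is an added example written for this page, not code from the ACM documentation or from Amazon: a standard-library-only Python linter that applies the structural rules above (strict PEM with no stray text or spaces, X.509 version 3, an unencrypted private key, validity at import time, correct chain ordering, and no end-entity certificate inside the chain). It does not verify signatures; leave that to openssl verify. The certificates it runs against are constructed inside the script with placeholder keys and signatures so that it runs offline; the CN values, the fixed clock, and the placeholder key bodies are assumptions, not real material.

```python
# Added example, not ACM's own code: structural pre-import lint for the rules above. Signatures are not checked here; use openssl verify.
import base64, re, textwrap
from datetime import datetime, timezone

def parse_pem(text):  # -> [(label, headers, der)]; rejects the edits ACM rejects (stray text, spaces, blank lines)
    blocks, label = [], None
    for n, line in enumerate(text.splitlines(), 1):
        if label is None:
            m = re.fullmatch(r"-----BEGIN ([A-Z0-9 ]+)-----", line)
            if m:
                label, headers, body = m.group(1), [], []
            elif line.strip():
                raise ValueError(f"line {n}: text outside a PEM block")
        elif line == f"-----END {label}-----":
            blocks.append((label, headers, base64.b64decode("".join(body), validate=True)))
            label = None
        elif not body and (":" in line or (headers and not line)):
            headers.append(line)  # RFC 1421 header such as Proc-Type, or the blank line that ends them
        elif re.fullmatch(r"[A-Za-z0-9+/]+=*", line):
            body.append(line)
        else:
            raise ValueError(f"line {n}: not Base64 (trailing space or edited line?)")
    return blocks

def tlv(buf, pos=0):  # decode one DER tag-length-value -> (tag, value, position after it)
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:  # long form: the low bits give the number of length octets that follow
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def asn1_time(tag, raw):  # 0x17 UTCTime (YYMMDDhhmmssZ) or 0x18 GeneralizedTime (YYYYMMDDhhmmssZ)
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(raw.decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def parse_cert(der):  # version, raw issuer/subject Name DER and validity of one certificate
    _, tbs, _ = tlv(tlv(der)[1])  # Certificate -> tbsCertificate
    tag, val, pos = tlv(tbs)
    version = val[-1] + 1 if tag == 0xA0 else 1  # [0] EXPLICIT Version holds INTEGER 2 for v3; absent means v1
    for _ in range(2 if tag == 0xA0 else 1):  # skip serialNumber (unless already read) and signature AlgorithmIdentifier
        _, _, pos = tlv(tbs, pos)
    _, issuer, pos = tlv(tbs, pos)
    _, validity, pos = tlv(tbs, pos)
    _, subject, _ = tlv(tbs, pos)
    t1, nb, p = tlv(validity)
    t2, na, _ = tlv(validity, p)
    return dict(version=version, issuer=issuer, subject=subject,
                not_before=asn1_time(t1, nb), not_after=asn1_time(t2, na))

def lint_bundle(cert_pem, chain_pem, key_pem, now):
    """Return the problems found; an empty list means the bundle passes these structural checks."""
    try:
        certs, chain, keys = (parse_pem(p) for p in (cert_pem, chain_pem, key_pem))
    except ValueError as e:
        return [f"PEM: {e}"]
    if len(certs) != 1 or certs[0][0] != "CERTIFICATE" or len(keys) != 1:
        return ["need exactly one CERTIFICATE block and exactly one private key block"]
    path = [parse_cert(der) for _, _, der in certs + chain]  # leaf first, then the chain in the order given
    leaf, problems = path[0], []
    if leaf["version"] != 3:
        problems.append(f"end-entity certificate is X.509 v{leaf['version']}; ACM needs v3")
    if not leaf["not_before"] <= now <= leaf["not_after"]:
        problems.append("end-entity certificate is not valid at import time")
    if any(der == certs[0][2] for _, _, der in chain):
        problems.append("end-entity certificate must not appear in the chain")
    if leaf["issuer"] != leaf["subject"] and not chain:
        problems.append("CA-signed certificate needs its intermediate chain")
    for i, (cert, issuer) in enumerate(zip(path, path[1:])):  # chain[0] issued the leaf, chain[1] issued chain[0], ...
        if cert["issuer"] != issuer["subject"]:
            problems.append(f"chain[{i}] does not directly certify the certificate before it")
    label, headers, _ = keys[0]
    if label.startswith("ENCRYPTED") or any(h.startswith("Proc-Type: 4,ENCRYPTED") for h in headers):
        problems.append("private key is encrypted (has a passphrase); decrypt it before import")
    return problems

def enc(tag, body):  # minimal DER TLV encoder, used only to build the constructed test certificates
    n = len(body)
    lb = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x80 | len(lb)]) + lb) + body

def toy_cert(subject, issuer, not_before, not_after, version=3):  # CONSTRUCTED: real X.509 layout, dummy key/signature
    name = lambda cn: enc(0x30, enc(0x31, enc(0x30, enc(0x06, b"\x55\x04\x03") + enc(0x0C, cn.encode()))))
    utc = lambda d: enc(0x17, d.strftime("%y%m%d%H%M%SZ").encode())
    alg = enc(0x30, enc(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSAEncryption
    ver = enc(0xA0, enc(0x02, bytes([version - 1]))) if version > 1 else b""
    tbs = enc(0x30, ver + enc(0x02, b"\x01") + alg + name(issuer) + enc(0x30, utc(not_before) + utc(not_after))
              + name(subject) + enc(0x30, alg + enc(0x03, b"\x00")))
    b64 = base64.b64encode(enc(0x30, tbs + alg + enc(0x03, b"\x00"))).decode()
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(textwrap.wrap(b64, 64)) + "\n-----END CERTIFICATE-----\n"

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed clock so the run is reproducible (assumed import time)
ROOT = toy_cert("Example Root CA", "Example Root CA", NOW.replace(year=2019), NOW.replace(year=2034))
INTER = toy_cert("Example Issuing CA", "Example Root CA", NOW.replace(year=2022), NOW.replace(year=2029))
LEAF = toy_cert("www.example.com", "Example Issuing CA", NOW.replace(month=5), NOW.replace(year=2025))
KEY = "-----BEGIN PRIVATE KEY-----\nAAAA\n-----END PRIVATE KEY-----\n"  # placeholder body; key bytes are never parsed
ENC_KEY = "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\nDEK-Info: AES-128-CBC,00\n\nAAAA\n-----END RSA PRIVATE KEY-----\n"

if __name__ == "__main__":
    print("good bundle   :", lint_bundle(LEAF, INTER + ROOT, KEY, NOW))  # []
    print("reversed chain:", lint_bundle(LEAF, ROOT + INTER, KEY, NOW))  # two ordering problems
```

To lint real files, pass their contents to lint_bundle with the current time instead of the constructed LEAF, INTER, ROOT and KEY strings. The chain check compares each certificate's issuer Name with the next certificate's subject Name byte for byte, which is exactly the ordering ACM expects; it says nothing about whether the signatures are genuine, so run openssl verify against the same files before importing.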