Getting certificates ready in Amazon Certificate Manager - Amazon API Gateway
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Getting certificates ready in Amazon Certificate Manager

Before setting up a custom domain name for an API, you must have an SSL/TLS certificate ready in Amazon Certificate Manager. The following steps describe how to get this done. For more information, see the Amazon Certificate Manager User Guide.


To use an ACM certificate with an API Gateway edge-optimized custom domain name, you must request or import the certificate in the US East (N. Virginia) (us-east-1) Region. For an API Gateway Regional custom domain name, you must request or import the certificate in the same Region as your API. The certificate must be signed by a publicly trusted Certificate Authority and cover the custom domain name.

First, register your internet domain, for example, You can use either Amazon Route 53 or a third-party accredited domain registrar. For a list of such registrars, see Accredited Registrar Directory at the ICANN website.

To create in or import into ACM an SSL/TLS certificate for a domain name, do one of the following:

To request a certificate provided by ACM for a domain name
  1. Sign in to the Amazon Certificate Manager console.

  2. Choose Request a certificate.

  3. Enter a custom domain name for your API, for example,, in Domain name.

  4. Optionally, choose Add another name to this certificate.

  5. Choose Review and request.

  6. Choose Confirm and request.

  7. For a valid request, a registered owner of the internet domain must consent to the request before ACM issues the certificate.

To import into ACM a certificate for a domain name
  1. Get a PEM-encoded SSL/TLS certificate for your custom domain name from a certificate authority. For a partial list of such CAs, see the Mozilla Included CA List

    1. Generate a private key for the certificate and save the output to a file, using the OpenSSL toolkit at the OpenSSL website:

      openssl genrsa -out private-key-file 2048

      Amazon API Gateway leverages Amazon CloudFront to support certificates for custom domain names. As such, the requirements and constraints of a custom domain name SSL/TLS certificate are dictated by CloudFront. For example, the maximum size of the public key is 2048 and the private key size can be 1024, 2048, and 4096. The public key size is determined by the certificate authority you use. Ask your certificate authority to return keys of a size different from the default length. For more information, see Secure access to your objects and Create signed URLs and signed cookies.

    2. Generate a certificate signing request (CSR) with the previously generated private key, using OpenSSL:

      openssl req -new -sha256 -key private-key-file -out CSR-file
    3. Submit the CSR to the certificate authority and save the resulting certificate.

    4. Download the certificate chain from the certificate authority.


    If you obtain the private key in another way and the key is encrypted, you can use the following command to decrypt the key before submitting it to API Gateway for setting up a custom domain name.

    openssl pkcs8 -topk8 -inform pem -in MyEncryptedKey.pem -outform pem -nocrypt -out MyDecryptedKey.pem
  2. Upload the certificate to Amazon Certificate Manager:

    1. Sign in to the Amazon Certificate Manager console.

    2. Choose Import a certificate.

    3. For Certificate body, enter or paste the body of the PEM-formatted server certificate from your certificate authority. The following shows an abbreviated example of such a certificate.

    4. For Certificate private key, enter or paste your PEM-formatted certificate's private key. The following shows an abbreviated example of such a key.

    5. For Certificate chain, enter or paste the PEM-formatted intermediate certificates and, optionally, the root certificate, one after the other without any blank lines. If you include the root certificate, your certificate chain must start with intermediate certificates and end with the root certificate. Use the intermediate certificates provided by your certificate authority. Do not include any intermediaries that are not in the chain of trust path. The following shows an abbreviated example.

      -----BEGIN CERTIFICATE----- EXAMPLECA4ugAwIBAgIQWrYdrB5NogYUx1U9Pamy3DANBgkqhkiG9w0BAQUFADCB ... 8/ifBlIK3se2e4/hEfcEejX/arxbx1BJCHBvlEPNnsdw8EXAMPLE -----END CERTIFICATE-----

      Here is another example.

      -----BEGIN CERTIFICATE----- Intermediate certificate 2 -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- Intermediate certificate 1 -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- Optional: Root certificate -----END CERTIFICATE-----
    6. Choose Review and import.

After the certificate is successfully created or imported, make note of the certificate ARN. You need it when setting up the custom domain name.