How to import a Custom Certificate to ACM regardless of PEM or PFX

Published Oct 27, 2024
Last Modified Oct 28, 2024
ACM, also known as AWS Certificate Manager, is a free-of-charge service provided by AWS to manage the certificates used in your AWS virtual datacenter. This service lets you create public SSL certificates at no additional cost and private certificates for a cost that depends on your configuration. Once your SSL/TLS certificates are in ACM, you can easily integrate them with your AWS services. It even provides auto-renewal for the ACM-generated certificates. This makes creating, managing and using SSL/TLS certificates much easier, especially when you have a large infrastructure.
However, there is a small caveat with ACM when it comes to the public certificates generated by ACM itself: you cannot export the full public certificate (both key and cert) from ACM. Since this is provided completely free, we cannot really complain, right! But exporting can be a requirement for some users, as they might want to configure the public certificate on their internal servers or in other outside services.
In those scenarios, you can get your own certificate from another provider or create a self-signed one (using self-signed certificates in production environments is not recommended) and import it to AWS ACM to be used by your AWS resources. The following guide shows you how to import certificates to AWS ACM yourself.

Pre-requisites

  • Both Certificate and the Private Key should be in PEM encoded format.
  • If encrypted, you should have the password required for the decryption.
  • If you have the PFX file, make sure you have the password for the PFX as well.

If you have PEM Format

Step by step guide

  1. Navigate to AWS ACM and select Import Certificate.
  2. Extract and copy the content of the certificate file.
  3. Copy the Content to Certificate section.
  4. Next, get the decrypted private key. The decrypted private key should start with “-----BEGIN RSA PRIVATE KEY-----”. If you do not have the decrypted key, you can use the command given at the end of these steps to decrypt it.
  5. Copy the content in the decrypted file and paste it in the Private Key section of the ACM import certificate page.
  6. If you also have a certificate chain that needs to be imported, you can add the chain in the last text box.
  7. Once done, you can add the tags required (always good to have tags!), and then click on “Import Certificate”.
  8. If you have provided correct values, the certificate will be imported successfully.
Command to decrypt the private key:

If you have the PFX file (Keystore)

Step by step guide

  • First, we need to extract the private key from the .pfx file. You can use the below command to extract the key.
  • You’ll be prompted to enter the .pfx file’s password and a passphrase for the private key.
  • Then, you need to extract the certificate from the .pfx file. For this you can use the following command.
  • Now you have the certificate and the encrypted private key in PEM format. Next, you can use the same command as above to decrypt the private key.
  • The next steps are the same as above. Copy the content and paste them in their respective fields in the “Import Certificate” window in the AWS ACM.
  • Provide the necessary tags and click on “Import Certificate”.
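
The PFX steps above, together with the private-key decryption step from the PEM section, written out as one added example (these are not the author's own commands). It assumes an RSA key, a `PFX_PASS` environment variable holding the .pfx password, and hypothetical function and output file names.

```bash
#!/usr/bin/env bash
# Added example, not the article's commands. PFX_PASS is an assumed environment
# variable holding the .pfx password; "env:" keeps it out of the process list.
# Function and output file names are hypothetical.

pfx_to_pem() (   # usage: pfx_to_pem <file.pfx> <output-dir>; runs in a subshell
  pfx="$1"; out="$2"
  umask 077                      # key material readable by the owner only
  mkdir -p "$out" || exit 1

  # 1. Private key, still encrypted (PFX_PASS is re-used as its passphrase).
  openssl pkcs12 -in "$pfx" -nocerts -passin env:PFX_PASS \
      -passout env:PFX_PASS -out "$out/key.enc.pem" || exit 1

  # 2. Decrypt it. OpenSSL 3 needs -traditional to write the
  #    "BEGIN RSA PRIVATE KEY" form; older builds lack the flag and
  #    write that form by default, hence the fallback.
  openssl rsa -traditional -in "$out/key.enc.pem" -passin env:PFX_PASS \
      -out "$out/key.pem" 2>/dev/null ||
  openssl rsa -in "$out/key.enc.pem" -passin env:PFX_PASS \
      -out "$out/key.pem" || exit 1
  rm -f "$out/key.enc.pem"

  # 3. Leaf certificate. Piping through x509 drops the "Bag Attributes"
  #    lines that must not be pasted into the Certificate field.
  openssl pkcs12 -in "$pfx" -clcerts -nokeys -passin env:PFX_PASS |
      openssl x509 -out "$out/cert.pem" || exit 1

  # 4. Chain certificates, if the PFX carries any (file may be empty).
  openssl pkcs12 -in "$pfx" -cacerts -nokeys -passin env:PFX_PASS |
      sed -n '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > "$out/chain.pem"
)

# Succeeds only if the certificate's public key is the key's public half.
cert_matches_key() {   # usage: cert_matches_key <cert.pem> <key.pem>
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout) || return 1
  [ "$cert_pub" = "$key_pub" ]
}
```

Running `cert_matches_key` on the extracted pair before pasting catches a mismatched key before the import form rejects it. Delete the decrypted `key.pem` once the import has succeeded.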

Considerations

  • Since it’s an imported certificate, the “Renewal Eligibility” will be Ineligible.
  • You have to manually re-import the new certificate when the current imported one is near expiry and delete the old one.
  • If you are getting errors when importing, make sure the content is PEM encoded, that no spaces or special characters were picked up when copying it, and that the private key is decrypted.

I hope this guide will help you all if you have any issues when importing custom certificates to AWS ACM. If you benefited from this article, please do share it with others or with anyone who might benefit from it.
The following video also illustrates the same steps I talked about above as a demo.
 
