AWS Certificate Manager (ACM): Import third party certificates in Certificate Manager

Rouble Malik
4 min read · Nov 3, 2023


This article covers why a customer would import a third-party certificate into AWS Certificate Manager (ACM) and how that certificate can then be used with AWS resources. It also walks through renewing (reimporting) a certificate in ACM and troubleshooting the errors most commonly seen during import.

Import

Why would a customer import a third-party certificate in ACM?

Certificates issued by AWS ACM do not meet the customer’s requirements.

Some of the common reasons are:

  • Customers prefer a third-party CA
  • Customers want to use a different CA for their trust store
  • Support for EV/OV certificates
  • Support for site seals and trust logos
  • Support for self-signed certificates
  • Support for extended validity periods
  • Support for a higher number of SANs
  • A specific key type or size that ACM does not currently issue

What are the prerequisites for importing a third-party certificate into ACM? Please review the following AWS documentation, which lists the prerequisites for importing a third-party certificate into ACM. [1] https://docs.aws.amazon.com/acm/latest/userguide/import-certificate-prerequisites.html

Reimport

How to reimport a certificate?

If you imported a certificate and associated it with other AWS services, you can reimport (renew) that certificate before it expires while preserving the AWS service associations of the original certificate.

The following conditions apply when you reimport a certificate:

  • You can add or remove domain names.
  • You cannot remove all of the domain names from a certificate.
  • If Key Usage extensions are present in the originally imported certificate, you can add new extension values, but you cannot remove existing values.
  • If Extended Key Usage extensions are present in the originally imported certificate, you can add new extension values, but you cannot remove existing values.
  • The key type and size cannot be changed.
  • You cannot apply resource tags when reimporting a certificate.

Please review the following AWS documentation, which describes reimporting a certificate in ACM. [2] https://docs.aws.amazon.com/acm/latest/userguide/import-reimport.html

Troubleshooting

1. The certificate has expired.

2. The key size does not match

3. Private key is encrypted while importing the certificate.

To decrypt an encrypted private key (remove the password or passphrase), please run the below OpenSSL command.

openssl rsa -in EncryptedPrivateKey.pem -out PrivateKey.pem

4. Incorrect certificate format

As per the prerequisite documentation, the certificate, certificate chain, and private key (if any) must be PEM-encoded.

To convert a certificate or certificate chain from DER to PEM

openssl x509 -inform DER -in Certificate.der -outform PEM -out Certificate.pem

To convert a private key from DER to PEM

openssl rsa -inform DER -in PrivateKey.der -outform PEM -out PrivateKey.pem

Replace PrivateKey.der with the name of the file that contains your DER-encoded private key, and replace PrivateKey.pem with the desired name of the output file to contain the PEM-encoded private key.

Replace EncryptedPrivateKey.pem with the name of the file that contains your encrypted private key, and replace PrivateKey.pem with the desired name of the output file to contain the PEM-encoded unencrypted private key.

5. The private and public key do not match

Run the commands below to compute the SHA-256 checksum of the certificate’s modulus and of the private key’s modulus. If the two checksums match, the private key belongs to the certificate.

Certificate

openssl x509 -modulus -noout -in cert-2.pem | openssl sha256

Private key

openssl rsa -modulus -noout -in valid-private-key.pem | openssl sha256
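The following pre-import checklist runs the checks behind troubleshooting items 1 to 5 in one go. It is an added example, not part of the original article or of any AWS tooling; the `acm_preflight` function name and file names are my own, and the accepted key types and sizes follow the ACM import prerequisites documentation linked above.

```shell
#!/bin/sh
# Added example: pre-import checklist covering troubleshooting items 1-5.
# Usage: acm_preflight CERT.pem KEY.pem [CHAIN.pem]  -> returns 0 only when every check passes
acm_preflight() {
  cert=$1; key=$2; chain=$3; rc=0
  fail() { echo "FAIL: $*" >&2; rc=1; }

  # 4. Incorrect format: ACM accepts PEM only, so a DER file is caught here rather than in the console.
  grep -q -e '-----BEGIN CERTIFICATE-----' "$cert" || fail "certificate is not PEM-encoded"
  [ -z "$chain" ] || grep -q -e '-----BEGIN CERTIFICATE-----' "$chain" || fail "chain is not PEM-encoded"
  grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$key" || fail "private key is not PEM-encoded"

  # 1. Expired certificate: -checkend 0 fails when notAfter is already in the past.
  openssl x509 -in "$cert" -noout -checkend 0 >/dev/null || fail "certificate has expired"

  # 2. Key type and size: ACM import accepts RSA 1024/2048/3072/4096 and EC P-256/P-384/P-521
  #    (per the ACM import prerequisites documentation).
  txt=$(openssl x509 -in "$cert" -noout -text)
  alg=$(printf '%s\n' "$txt" | sed -n 's/.*Public Key Algorithm: //p')
  bits=$(printf '%s\n' "$txt" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
  case "$alg:$bits" in
    rsaEncryption:1024|rsaEncryption:2048|rsaEncryption:3072|rsaEncryption:4096) ;;
    id-ecPublicKey:256|id-ecPublicKey:384|id-ecPublicKey:521) ;;
    *) fail "unsupported key type/size for import: $alg $bits bit" ;;
  esac

  # 3. Encrypted private key: ACM cannot take a passphrase, so the key must be decrypted first.
  if grep -q ENCRYPTED "$key"; then
    fail "private key is encrypted; remove the passphrase with 'openssl rsa' before importing"
  else
    # 5. Key mismatch: compare the SubjectPublicKeyInfo derived from each side. Unlike the
    #    -modulus check this also works for EC keys; identical PEM means the pair belongs together.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null </dev/null)
    [ -n "$key_pub" ] && [ "$cert_pub" = "$key_pub" ] || fail "private key does not match the certificate"
  fi
  return $rc
}
```

Each failing check is reported on stderr with the troubleshooting item it corresponds to, so a non-zero exit tells you which fix from the list above to apply before retrying the import.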

6. Extracting the certificate body and certificate chain from a CloudTrail event.

Find the relevant CloudTrail event and copy the event in JSON format into a text file. In this case I copied the log event into a file named “ct-event.txt”. Then run the commands below:

Extract the certificate body from the CloudTrail event

cat ct-event.txt | jq '.requestParameters.certificate.hb[]' | python3 -c 'import sys; sys.stdout.write("".join([chr(int(i)) for i in sys.stdin.readlines()]))' > cert-body.pem

Extract the certificate chain from the CloudTrail event

cat ct-event.txt | jq '.requestParameters.certificateChain.hb[]' | python3 -c 'import sys; sys.stdout.write("".join([chr(int(i)) for i in sys.stdin.readlines()]))' > cert-chain.pem

References

[1] Prerequisites for importing certificates https://docs.aws.amazon.com/acm/latest/userguide/import-certificate-prerequisites.html

[2] Reimporting a certificate https://docs.aws.amazon.com/acm/latest/userguide/import-reimport.html

[3] Certificate import problems https://docs.aws.amazon.com/acm/latest/userguide/troubleshoot-import.html


Rouble Malik

Cloud Computing | AWS | AWS Security Specialty Certified | Security Researcher | CyberSecurity | Information Security