Extract, import/reimport of SSL certificate in AWS Certificate Manager

Vijay Reddy G
3 min read, Mar 11, 2022

This article explains how to extract a third-party SSL certificate, its private key and its chain from a .pfx file, and then import or reimport them into AWS Certificate Manager.

Prerequisites:

1. On Windows, OpenSSL is usually already present at the location below (it ships with Git for Windows). If it is not, download and install it.

C:\Program Files\Git\usr\bin\openssl.exe

2. Get the certificate in .pfx format (it should be a PKCS#12 bundle) together with its password.

Extract the encrypted private key from the pfx file:

At the command prompt:

"C:\Program Files\Git\usr\bin\openssl.exe" pkcs12 -in {certificate.pfx} -nocerts -out private-encrypted.key

Note: Remove any unwanted text from the output file. Keep only the part from <BEGIN …> to <END …>, like below:

-----BEGIN RSA PRIVATE KEY-----
Base64-encoded private
-----END RSA PRIVATE KEY-----

Extract the certificate body from the pfx file:

"C:\Program Files\Git\usr\bin\openssl.exe" pkcs12 -in {certificate.pfx} -clcerts -nokeys -out cert-body.crt

Note: Remove any unwanted text from the output file. Keep only the part from <BEGIN …> to <END …>, like below:

-----BEGIN CERTIFICATE-----
Base64-encoded certificate
-----END CERTIFICATE-----

Extract the certificate chain from the pfx file:

"C:\Program Files\Git\usr\bin\openssl.exe" pkcs12 -in {certificate.pfx} -cacerts -nokeys -chain -out cert-chain.crt

Note: Remove any unwanted text from the output file. Keep only the part from <BEGIN …> to <END …> for each certificate, and also remove the blank lines between one certificate's <END …> and the next certificate's <BEGIN …>. The chain should look like below:

-----BEGIN CERTIFICATE-----
Base64-encoded certificate
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Base64-encoded certificate
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Base64-encoded certificate
-----END CERTIFICATE-----

Decrypt the private key:

AWS Certificate Manager accepts only an unencrypted private key, so decrypt the key extracted in the first step:

"C:\Program Files\Git\usr\bin\openssl.exe" rsa -in private-encrypted.key -out private-un-encrypted.key
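The manual cleanup in the notes above (keep only the BEGIN/END blocks, one key, one body certificate, chain certificates back to back, key no longer encrypted) can be scripted so that nothing half-edited reaches ACM. The following is an added example, not code from the original article; the function names are my own and the sample OpenSSL output in it is constructed with placeholder base64.

```python
import re

# One PEM block: BEGIN/END armour with matching labels, anything in between.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.DOTALL)

def extract_pem_blocks(text, label):
    """PEM blocks with this label, minus the 'Bag Attributes'/'subject='/'issuer=' lines OpenSSL adds."""
    blocks = []
    for match in PEM_BLOCK.finditer(text):
        if match.group(1) != label:
            continue
        body = "\n".join(ln.strip() for ln in match.group(2).splitlines() if ln.strip())
        blocks.append(f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n")
    return blocks

def clean_private_key(text):
    """Keep only the key block; refuse a key that is still encrypted, which ACM rejects."""
    if "Proc-Type: 4,ENCRYPTED" in text or "BEGIN ENCRYPTED PRIVATE KEY" in text:
        raise ValueError("private key is still encrypted; decrypt it with 'openssl rsa' first")
    keys = [b for lbl in ("RSA PRIVATE KEY", "PRIVATE KEY", "EC PRIVATE KEY")
            for b in extract_pem_blocks(text, lbl)]
    if len(keys) != 1:
        raise ValueError(f"expected exactly one private key, found {len(keys)}")
    return keys[0]

def clean_certificate_body(text):
    """The certificate body must be exactly one leaf certificate."""
    certs = extract_pem_blocks(text, "CERTIFICATE")
    if len(certs) != 1:
        raise ValueError(f"expected exactly one certificate, found {len(certs)}")
    return certs[0]

def clean_chain(text):
    """Concatenate the CA certificates back to back, with no blank lines between them."""
    certs = extract_pem_blocks(text, "CERTIFICATE")
    if not certs:
        raise ValueError("no CA certificates found in chain output")
    return "".join(certs)

# Constructed sample of 'openssl pkcs12 -cacerts -nokeys -chain' output; placeholder base64, not real certs.
SAMPLE_CHAIN_OUTPUT = """Bag Attributes: <No Attributes>
subject=CN=Intermediate CA
-----BEGIN CERTIFICATE-----
MIIBintermediate
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
MIIBroot
-----END CERTIFICATE-----
"""
```

Run the three cleaners over the files written by the OpenSSL commands above and feed their return values to the import step instead of the raw files.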

Import a new certificate from the console:

Go to AWS Certificate Manager
- Click Import
- In the Certificate body section, paste the body of the certificate
- In the Certificate private key section, paste the unencrypted private key
- In the Certificate chain section, paste the chain of the certificate

Modify/reimport a certificate from the console:

This replaces the existing certificate but keeps its ARN, so resources that already use the certificate are not affected.

Go to AWS Certificate Manager
- Select your certificate and click Reimport
- In the Certificate body section, paste the body of the certificate
- In the Certificate private key section, paste the unencrypted private key
- In the Certificate chain section, paste the chain of the certificate

Import using Boto3:

import boto3

client = boto3.client('acm')

# Read the three cleaned PEM files produced by the OpenSSL steps above.
with open('cert-body.crt', 'rb') as body, \
     open('private-un-encrypted.key', 'rb') as key, \
     open('cert-chain.crt', 'rb') as chain:
    response = client.import_certificate(
        Certificate=body.read(),
        PrivateKey=key.read(),
        CertificateChain=chain.read(),
        # Replace 'string' with your own tag key and value.
        Tags=[
            {
                'Key': 'string',
                'Value': 'string'
            }
        ]
    )

To reimport/replace an existing certificate with a new one, add CertificateArn='<ARN of your certificate>' to the API call above.

Import using the AWS CLI:

aws acm import-certificate --certificate file://cert-body.crt --private-key file://private-un-encrypted.key --certificate-chain file://cert-chain.crt

To reimport/replace an existing certificate with a new one, run the command above with the --certificate-arn parameter followed by the ARN of the certificate to be replaced.

Vijay Reddy G

Solutions Architect, interested in cloud, databases and ML