We recommend that you use ACM to provision, manage, and deploy your server certificates. With ACM you can request a certificate, deploy it to AWS resources, and let ACM handle certificate renewals for you. Certificates provided by ACM are free. For more information about using ACM, see the AWS Certificate Manager User Guide.
To use a certificate that you obtained from an external provider with your website or application on AWS, you must upload the certificate to IAM or import it into ACM. We recommend that you import your certificates into ACM. You can use ACM to manage all of your AWS server certificates—those provided by ACM and those that you obtained from an external provider for use with AWS. You can use certificates stored in ACM for the same AWS services that support certificates stored in IAM (Elastic Load Balancing, Amazon CloudFront, and AWS Elastic Beanstalk). With ACM, you can use a single certificate for more than one of these services simultaneously. You can import certificates into ACM using the AWS Management Console, which you cannot do with IAM.
For more information about importing certificates into ACM, see Importing Certificates in the AWS Certificate Manager User Guide.
For more information about uploading certificates to IAM, see the following topics.
Topics
- Uploading a Server Certificate (IAM API)
- Retrieving a Server Certificate (IAM API)
- Listing Server Certificates (IAM API)
- Renaming a Server Certificate or Updating its Path (IAM API)
- Deleting a Server Certificate (IAM API)
- Troubleshooting
Uploading a Server Certificate (IAM API)
To upload a server certificate to IAM, you must provide the certificate and its matching private key. When the certificate is not self-signed, you must also provide a certificate chain. (You don't need a certificate chain when uploading a self-signed certificate.) Before you upload a certificate, ensure that you have all these items and that they meet the following criteria:
- The certificate must be valid at the time of upload. You cannot upload a certificate before its validity period begins (the certificate's NotBefore date) or after it expires (the certificate's NotAfter date).
- The private key must be unencrypted. You cannot upload a private key that is protected by a password or passphrase. For help decrypting an encrypted private key, see Troubleshooting.
- The certificate, private key, and certificate chain must all be PEM-encoded. For help converting these items to PEM format, see Troubleshooting.
To use the IAM API to upload a certificate, send an UploadServerCertificate request. The following example shows how to do this with the AWS Command Line Interface (AWS CLI). The example assumes the following:
- The PEM-encoded certificate is stored in a file named Certificate.pem.
- The PEM-encoded certificate chain is stored in a file named CertificateChain.pem.
- The PEM-encoded, unencrypted private key is stored in a file named PrivateKey.pem.
To use the following example command, replace these file names with your own and replace ExampleCertificate with a name for your uploaded certificate. Type the command on one continuous line. The following example includes line breaks and extra spaces to make it easier to read.
$ aws iam upload-server-certificate --server-certificate-name ExampleCertificate
                                    --certificate-body file://Certificate.pem
                                    --certificate-chain file://CertificateChain.pem
                                    --private-key file://PrivateKey.pem
When the preceding command is successful, it returns metadata about the uploaded certificate, including its Amazon Resource Name (ARN), its friendly name, its identifier (ID), its expiration date, and more.
Note
If you are uploading a server certificate to use with Amazon CloudFront, you must specify a path using the --path option. The path must begin with /cloudfront and must include a trailing slash (for example, /cloudfront/test/).
To use the AWS Tools for Windows PowerShell to upload a certificate, use Publish-IAMServerCertificate.
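As an added example (not part of the AWS documentation), the following stdlib-only Python script checks the three upload criteria above before you call upload-server-certificate: the certificate body is a single PEM CERTIFICATE block whose NotBefore/NotAfter range covers the upload time, and the private key is PEM-encoded and not passphrase-protected. The embedded sample certificate is a constructed DER skeleton with a real validity field, not a real certificate; the sample key is likewise constructed, and the function and variable names are the example's own.

```python
import base64, re
from datetime import datetime, timezone
PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

def pem_blocks(text):  # [(label, der_bytes)] per PEM block; legacy "Proc-Type:"/"DEK-Info:" lines skipped
    return [(m.group(1), base64.b64decode("".join(
                ln.strip() for ln in m.group(2).splitlines() if ln.strip() and ":" not in ln)))
            for m in PEM_RE.finditer(text)]

def _tlv(der, pos):  # decode one DER tag and length at pos -> (tag, value_start, value_end)
    tag, length, pos = der[pos], der[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes that follow
        n = length & 0x7F
        length, pos = int.from_bytes(der[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def cert_validity(der):  # Certificate -> tbsCertificate -> validity -> (NotBefore, NotAfter) in UTC
    _, pos, _ = _tlv(der, 0)       # Certificate SEQUENCE
    _, pos, _ = _tlv(der, pos)     # tbsCertificate SEQUENCE
    tag, _, end = _tlv(der, pos)
    if tag == 0xA0:                # optional [0] EXPLICIT version
        pos = end
    for _ in range(3):             # skip serialNumber, signature, issuer
        _, _, pos = _tlv(der, pos)
    _, pos, _ = _tlv(der, pos)     # validity SEQUENCE { notBefore, notAfter }
    times = []
    for _ in range(2):
        tag, s, e = _tlv(der, pos) # 0x17 UTCTime (YYMMDD...), 0x18 GeneralizedTime (YYYYMMDD...)
        fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
        times.append(datetime.strptime(der[s:e].decode("ascii"), fmt).replace(tzinfo=timezone.utc))
        pos = e
    return times[0], times[1]

def check_upload_inputs(cert_pem, key_pem, now):  # failed IAM upload criteria; [] means ready to upload
    problems = []
    certs = pem_blocks(cert_pem)
    if [label for label, _ in certs] != ["CERTIFICATE"]:
        problems.append("certificate body must be exactly one PEM CERTIFICATE block")
    else:
        not_before, not_after = cert_validity(certs[0][1])
        if not not_before <= now <= not_after:
            problems.append(f"certificate not valid at upload time ({not_before.date()} to {not_after.date()})")
    if not pem_blocks(key_pem) or "ENCRYPTED PRIVATE KEY" in key_pem or "DEK-Info:" in key_pem:
        problems.append("private key must be PEM-encoded and unencrypted (decrypt it with 'openssl rsa' first)")
    return problems

# Constructed sample (not a real certificate): [0] v3, serial 1, empty signature/issuer, validity 2020-01-01 to 2030-01-01 (UTCTime).
SAMPLE_CERT_DER = bytes.fromhex("302e302ca00302010202010130003000301e170d3230303130313030303030305a170d3330303130313030303030305a")
SAMPLE_CERT_PEM = "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(SAMPLE_CERT_DER).decode()
SAMPLE_ENCRYPTED_KEY_PEM = "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,00\n\nQUJD\n-----END RSA PRIVATE KEY-----\n"
```

On real files, read Certificate.pem and PrivateKey.pem into check_upload_inputs with datetime.now(timezone.utc) as the upload time; the DER walker handles the long-form lengths that real certificates use.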
Retrieving a Server Certificate (IAM API)
To use the IAM API to retrieve a certificate, send a GetServerCertificate request. The following example shows how to do this with the AWS CLI. Replace ExampleCertificate with the name of the certificate to retrieve.
$ aws iam get-server-certificate --server-certificate-name ExampleCertificate
When the preceding command is successful, it returns the certificate, the certificate chain (if one was uploaded), and metadata about the certificate.
Note
You cannot download or retrieve a private key from IAM after you upload it.
To use the AWS Tools for Windows PowerShell to retrieve a certificate, use Get-IAMServerCertificate.
Listing Server Certificates (IAM API)
To use the IAM API to list your uploaded server certificates, send a ListServerCertificates request. The following example shows how to do this with the AWS CLI.
$ aws iam list-server-certificates
When the preceding command is successful, it returns a list that contains metadata about each certificate.
To use the AWS Tools for Windows PowerShell to list your uploaded server certificates, use Get-IAMServerCertificates.
Renaming a Server Certificate or Updating its Path (IAM API)
To use the IAM API to rename a server certificate or update its path, send an UpdateServerCertificate request. The following example shows how to do this with the AWS CLI.
To use the following example command, replace the old and new certificate names and the certificate path, and type the command on one continuous line. The following example includes line breaks and extra spaces to make it easier to read.
$ aws iam update-server-certificate --server-certificate-name ExampleCertificate
                                    --new-server-certificate-name CloudFrontCertificate
                                    --new-path /cloudfront/
When the preceding command is successful, it does not return any output.
To use the AWS Tools for Windows PowerShell to rename a server certificate or update its path, use Update-IAMServerCertificate.
Deleting a Server Certificate (IAM API)
To use the IAM API to delete a server certificate, send a DeleteServerCertificate request. The following example shows how to do this with the AWS CLI.
To use the following example command, replace ExampleCertificate with the name of the certificate to delete.
$ aws iam delete-server-certificate --server-certificate-name ExampleCertificate
When the preceding command is successful, it does not return any output.
To use the AWS Tools for Windows PowerShell to delete a server certificate, use Remove-IAMServerCertificate.
Troubleshooting
Before you can upload a certificate to IAM, you must make sure that the certificate, private key, and certificate chain are all PEM-encoded. You must also ensure that the private key is unencrypted. See the following examples.
Example PEM-encoded certificate
-----BEGIN CERTIFICATE-----
Base64-encoded certificate
-----END CERTIFICATE-----
Example PEM-encoded, unencrypted private key
-----BEGIN RSA PRIVATE KEY-----
Base64-encoded private key
-----END RSA PRIVATE KEY-----
Example PEM-encoded certificate chain
A certificate chain contains one or more certificates. The following example contains three certificates, but your certificate chain might contain more or fewer.
-----BEGIN CERTIFICATE-----
Base64-encoded certificate
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Base64-encoded certificate
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Base64-encoded certificate
-----END CERTIFICATE-----
If these items are not in the right format for uploading to IAM, you can use OpenSSL to convert them to the right format.
To convert a certificate or certificate chain from DER to PEM
- Use the OpenSSL x509 command, as in the following example. In the following example command, replace Certificate.der with the name of the file that contains your DER-encoded certificate. Replace Certificate.pem with the desired name of the output file to contain the PEM-encoded certificate.
$ openssl x509 -inform DER -in Certificate.der -outform PEM -out Certificate.pem
To convert a private key from DER to PEM
- Use the OpenSSL rsa command, as in the following example. In the following example command, replace PrivateKey.der with the name of the file that contains your DER-encoded private key. Replace PrivateKey.pem with the desired name of the output file to contain the PEM-encoded private key.
$ openssl rsa -inform DER -in PrivateKey.der -outform PEM -out PrivateKey.pem
To decrypt an encrypted private key (remove the password or passphrase)
- Use the OpenSSL rsa command, as in the following example. To use the following example command, replace EncryptedPrivateKey.pem with the name of the file that contains your encrypted private key. Replace PrivateKey.pem with the desired name of the output file to contain the PEM-encoded unencrypted private key.
$ openssl rsa -in EncryptedPrivateKey.pem -out PrivateKey.pem
To convert a certificate bundle from PKCS#12 (PFX) to PEM
- Use the OpenSSL pkcs12 command, as in the following example. In the following example command, replace CertificateBundle.p12 with the name of the file that contains your PKCS#12-encoded certificate bundle. Replace CertificateBundle.pem with the desired name of the output file to contain the PEM-encoded certificate bundle.
$ openssl pkcs12 -in CertificateBundle.p12 -out CertificateBundle.pem -nodes
To convert a certificate bundle from PKCS#7 to PEM
- Use the OpenSSL pkcs7 command, as in the following example. In the following example command, replace CertificateBundle.p7b with the name of the file that contains your PKCS#7-encoded certificate bundle. Replace CertificateBundle.pem with the desired name of the output file to contain the PEM-encoded certificate bundle.
$ openssl pkcs7 -in CertificateBundle.p7b -print_certs -out CertificateBundle.pem
Source: http://docphy.com/technology/computers/software/working-server-certificates.html