Complete Guide to Importing SSL/TLS Certificates in AWS


Managing SSL/TLS certificates on AWS is a critical aspect of ensuring secure application communications. This article provides an in-depth guide on importing certificates using AWS Certificate Manager (ACM) and explains the regional requirements for different AWS services.


Why Proper SSL/TLS Certificate Management Matters on AWS

1. Ensuring Data Transmission Security

SSL/TLS certificates form the foundation of network security, providing these critical protections:

  • Encrypted Communications: Prevents man-in-the-middle (MITM) attacks and protects sensitive data during transmission
  • Authentication: Verifies server identity, preventing users from connecting to fraudulent websites
  • Data Integrity: Ensures data hasn’t been tampered with during transmission

2. Regulatory and Compliance Requirements

Multiple regulations mandate SSL/TLS encryption:

  • PCI DSS: Websites processing credit card transactions must use TLS 1.2 or higher
  • GDPR: EU General Data Protection Regulation requires encryption when transmitting personal data
  • HIPAA: US Health Insurance Portability and Accountability Act requires protection of health information

3. AWS Service Regional Specificity

Different AWS services have specific regional requirements for certificates due to:

  • CloudFront Global Distribution Architecture: CloudFront is a global CDN with its control plane in us-east-1, requiring all certificates to be imported there
  • Regional Services: Services like ELB and API Gateway are regional, requiring certificates in the same region to minimize latency
  • Disaster Recovery: Proper certificate regional configuration is fundamental to multi-region DR strategies

Part 1: Basic Certificate Import Steps

Prerequisites

Before importing a certificate, ensure you have the following files:

  • Certificate body: Your domain certificate in PEM format
  • Certificate private key: The private key paired with your certificate (must be kept confidential)
  • Certificate chain: Intermediate and root certificates (recommended to ensure complete trust chain)

Step 1: Verify Working Directory

Ensure you’re working in the correct directory to avoid file location issues:

cd /Users/username/Downloads/ssl
ls -la

Step 2: Convert Certificate Format (If Needed)

AWS ACM only accepts PEM format certificates. If your certificate is in DER format (.cer or .der extension), convert it:

# Convert DER format certificate to PEM
openssl x509 -inform der -in certfile.cer -out certfile.pem

# Verify certificate content
openssl x509 -in certfile.pem -text -noout

Common Format Guide:

| Format  | Extensions       | Characteristics                        | Conversion Method       |
|---------|------------------|----------------------------------------|-------------------------|
| PEM     | .pem, .crt, .key | Base64 encoded with BEGIN/END markers  | AWS native support      |
| DER     | .cer, .der       | Binary format                          | Use openssl to convert  |
| PKCS#7  | .p7b, .p7c       | Contains certificate chain             | openssl pkcs7 command   |
| PKCS#12 | .pfx, .p12       | Contains certificate and private key   | openssl pkcs12 command  |

Step 3: Build Complete Certificate Chain

The certificate chain should include the intermediate and root certificates, and the order matters:

# Correct order: intermediate first, root certificate last
cat intermediate.crt root.crt > chain.pem

# Verify certificate chain integrity
openssl verify -CAfile chain.pem certfile.pem

Certificate Chain Validation Points:

  • Ensure intermediate and root certificates are from the same CA
  • Check certificate validity period (notBefore and notAfter)
  • Confirm no expired certificates in the chain

Step 4: Import Certificate to ACM

Method 1: Using AWS Management Console

  1. Log into AWS Console, select the correct region
  2. Navigate to AWS Certificate Manager (ACM)
  3. Click “Import Certificate”
  4. Paste certificate content:
    • Certificate body: Copy entire certfile.pem content
    • Certificate private key: Copy entire private key content
    • Certificate chain: Copy entire chain.pem content
  5. Click “Next” and review

Method 2: Using AWS CLI (Recommended, Automatable)

# Import certificate to us-east-1 (for CloudFront)
aws acm import-certificate \
  --certificate fileb://certfile.pem \
  --private-key fileb://private.key \
  --certificate-chain fileb://chain.pem \
  --region us-east-1

# Import certificate to other regions (for ELB)
aws acm import-certificate \
  --certificate fileb://certfile.pem \
  --private-key fileb://private.key \
  --certificate-chain fileb://chain.pem \
  --region ap-northeast-1

Automation Script Example:

#!/bin/bash
# Batch import certificates to multiple regions
set -euo pipefail

REGIONS=("us-east-1" "ap-northeast-1" "eu-west-1")
CERT_FILE="certfile.pem"
KEY_FILE="private.key"
CHAIN_FILE="chain.pem"

for region in "${REGIONS[@]}"; do
  echo "Importing certificate to $region..."
  aws acm import-certificate \
    --certificate "fileb://$CERT_FILE" \
    --private-key "fileb://$KEY_FILE" \
    --certificate-chain "fileb://$CHAIN_FILE" \
    --region "$region" \
    --tags Key=Environment,Value=Production
done

Part 2: Certificate Requirements for Different AWS Services (Complete Guide)

Services Requiring Certificates in us-east-1

1. Amazon CloudFront

Service Description:

  • CloudFront is AWS’s global Content Delivery Network (CDN)
  • Used to distribute static and dynamic content to global users with low latency

Certificate Requirements:

  • ⚠️ ALL custom SSL certificates for CloudFront MUST be imported to us-east-1 region
  • This is a fixed AWS requirement and cannot be changed
  • Even if your CloudFront distribution serves global users, certificates must be in us-east-1

CloudFront SSL Configuration Example:

# 1. Import certificate to us-east-1 and capture its ARN
ACM_ARN=$(aws acm import-certificate \
  --certificate fileb://cert.pem \
  --private-key fileb://key.pem \
  --certificate-chain fileb://chain.pem \
  --region us-east-1 \
  --query 'CertificateArn' \
  --output text)

# 2. Update CloudFront distribution to use the new certificate.
#    update-distribution takes the full DistributionConfig plus the current ETag (--if-match),
#    so fetch the config, replace ViewerCertificate, and send it back.
aws cloudfront get-distribution-config --id E1234EXAMPLE > dist.json
ETAG=$(jq -r '.ETag' dist.json)
jq --arg arn "$ACM_ARN" '.DistributionConfig
  | .ViewerCertificate = {ACMCertificateArn: $arn, SSLSupportMethod: "sni-only",
                          MinimumProtocolVersion: "TLSv1.2_2021"}' dist.json > dist-config.json
aws cloudfront update-distribution \
  --id E1234EXAMPLE \
  --if-match "$ETAG" \
  --distribution-config file://dist-config.json

2. Amazon API Gateway (Edge-Optimized Mode)

Service Description:

  • API Gateway’s Edge-Optimized endpoint type distributes API requests through CloudFront
  • Suitable for APIs serving global users
  • Relies on CloudFront edge locations

Certificate Requirements:

  • ⚠️ Edge-Optimized custom domain certificates MUST be in us-east-1 region
  • Reason: Edge-Optimized APIs use CloudFront as frontend, inheriting CloudFront’s certificate requirements
  • Important: Even if your API Gateway is created in ap-northeast-1, custom domain certificates must be in us-east-1

Configuration Example:

# 1. Import certificate in us-east-1 (Edge-Optimized specific)
aws acm import-certificate \
  --certificate fileb://cert.pem \
  --private-key fileb://key.pem \
  --certificate-chain fileb://chain.pem \
  --region us-east-1

# 2. Create API Gateway in any region (e.g., ap-northeast-1)
aws apigateway create-rest-api \
  --name "My API" \
  --endpoint-configuration types=EDGE \
  --region ap-northeast-1

# 3. Configure custom domain (using us-east-1 certificate)
aws apigateway create-domain-name \
  --domain-name api.example.com \
  --endpoint-configuration types=EDGE \
  --certificate-arn arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012 \
  --region ap-northeast-1

How to Identify API Gateway Type:

# Check API Gateway endpoint type
aws apigateway get-rest-api \
  --rest-api-id abc123def4 \
  --region ap-northeast-1 \
  --query 'endpointConfiguration.types' \
  --output text

# Output: EDGE (requires us-east-1 certificate)
# Output: REGIONAL (requires local region certificate)

3. AWS Amplify Console

Service Description:

  • Used to build and deploy static websites and single-page applications (SPA)
  • Uses CloudFront for global distribution

Certificate Requirements:

  • ⚠️ Custom domain certificates MUST be in us-east-1 region
  • Amplify Console automatically integrates with CloudFront, therefore certificate requirements match CloudFront’s

Services That Can Use Certificates in Any Region

1. Elastic Load Balancing (ELB)

Service Types:

  • Application Load Balancer (ALB): HTTP/HTTPS traffic with advanced routing
  • Network Load Balancer (NLB): TCP/UDP traffic with ultra-high performance
  • Classic Load Balancer (CLB): Legacy load balancer, not recommended for new projects

Certificate Requirements:

  • Certificates must be imported to the same region as the load balancer
  • Example: If ALB is in ap-northeast-1 (Tokyo), certificate must also be in Tokyo region

# Import certificate to ALB region
aws acm import-certificate \
  --certificate fileb://cert.pem \
  --private-key fileb://key.pem \
  --certificate-chain fileb://chain.pem \
  --region ap-northeast-1

# Attach certificate to the ALB's HTTPS listener
aws elbv2 add-listener-certificates \
  --listener-arn arn:aws:elasticloadbalancing:ap-northeast-1:123456789012:listener/app/my-alb/50dc6c495c0c9188/f2f7dc8efc522ab2 \
  --certificates CertificateArn=arn:aws:acm:ap-northeast-1:123456789012:certificate/12345678-1234-1234-1234-123456789012

2. Amazon API Gateway (Regional Mode)

Service Description:

  • API Gateway’s Regional endpoint type serves requests only in a single AWS region
  • Suitable for APIs serving users in specific regions, or used with your own CDN
  • Does not use CloudFront, connects directly to regional endpoint

Certificate Requirements:

  • Regional custom domain certificates MUST be in the same region as the API Gateway
  • Example: If API is in eu-west-1 (Ireland), certificate must also be in eu-west-1

Configuration Example:

# 1. Import certificate in API region (e.g., eu-west-1)
aws acm import-certificate \
  --certificate fileb://cert.pem \
  --private-key fileb://key.pem \
  --certificate-chain fileb://chain.pem \
  --region eu-west-1

# 2. Create Regional API Gateway
aws apigateway create-rest-api \
  --name "My Regional API" \
  --endpoint-configuration types=REGIONAL \
  --region eu-west-1

# 3. Configure custom domain (using same region certificate)
aws apigateway create-domain-name \
  --domain-name api.example.com \
  --endpoint-configuration types=REGIONAL \
  --regional-certificate-arn arn:aws:acm:eu-west-1:123456789012:certificate/12345678-1234-1234-1234-123456789012 \
  --region eu-west-1

⚠️ Edge-Optimized vs Regional Quick Comparison:

| Item                                    | Edge-Optimized               | Regional                            |
|-----------------------------------------|------------------------------|-------------------------------------|
| Certificate Region                      | Must be us-east-1            | API region                          |
| Architecture                            | Uses CloudFront distribution | Direct regional endpoint connection |
| Use Case                                | Global users                 | Specific region users               |
| Latency                                 | Global low latency           | Regional low latency                |
| Certificate field (get-domain-name)     | certificateArn               | regionalCertificateArn              |

3. AWS Elastic Beanstalk

Service Description:

  • Quickly deploy and scale web applications and services
  • Automatically handles capacity provisioning, load balancing, and auto-scaling

Certificate Requirements:

  • Certificates should be imported to the Elastic Beanstalk environment region
  • Elastic Beanstalk uses ELB, therefore certificate requirements match ELB’s

4. Amazon EC2 Instances (Direct Use)

Use Cases:

  • Running NGINX, Apache, or other web servers on EC2
  • Handling SSL/TLS directly at application layer

Certificate Handling:

  • Does not use ACM, certificates directly installed on EC2 instances
  • Uses traditional PEM files configured to web server
  • No region restriction, certificates managed at filesystem level

# NGINX example configuration
server {
    listen 443 ssl;
    server_name www.example.com;

    ssl_certificate /etc/nginx/ssl/cert.pem;
    ssl_certificate_key /etc/nginx/ssl/private.key;
    ssl_trusted_certificate /etc/nginx/ssl/chain.pem;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
}

5. AWS App Runner

Service Description:

  • Fully managed containerized application service
  • Automatically handles load balancing, scaling, and HTTPS

Certificate Requirements:

  • Custom domain certificates should be imported to App Runner service region
  • Supported regions: us-east-1, us-west-2, eu-west-1, ap-northeast-1, etc.

6. AWS Transfer Family

Service Description:

  • Fully managed SFTP, FTPS, FTP file transfer service
  • Supports custom domain names

Certificate Requirements:

  • Certificates must be imported to Transfer Family server region

Hybrid Architecture Certificate Configuration

1. CloudFront + ELB (Common Architecture)

This is the most common high-availability architecture, requiring certificates in two regions:

# 1. Import certificate to us-east-1 (for CloudFront)
aws acm import-certificate \
  --certificate fileb://cert.pem \
  --private-key fileb://key.pem \
  --certificate-chain fileb://chain.pem \
  --region us-east-1

# 2. Import same certificate to ELB region (e.g., ap-northeast-1)
aws acm import-certificate \
  --certificate fileb://cert.pem \
  --private-key fileb://key.pem \
  --certificate-chain fileb://chain.pem \
  --region ap-northeast-1

Architecture Explanation:

  • CloudFront serves as global CDN using us-east-1 certificate
  • CloudFront uses the ELB as its origin, and the ELB uses a certificate from its own region
  • End users only see CloudFront’s certificate
  • CloudFront to origin can also use HTTPS encryption (recommended)

2. CloudFront + Regional API Gateway

This architecture also requires certificates in two regions:

# 1. Import certificate to us-east-1 (for CloudFront)
aws acm import-certificate \
  --certificate fileb://cert.pem \
  --private-key fileb://key.pem \
  --certificate-chain fileb://chain.pem \
  --region us-east-1

# 2. Import certificate to API Gateway region (e.g., eu-west-1)
aws acm import-certificate \
  --certificate fileb://cert.pem \
  --private-key fileb://key.pem \
  --certificate-chain fileb://chain.pem \
  --region eu-west-1

Why Two Certificates Needed:

  • CloudFront needs us-east-1 certificate for custom domain
  • Regional API Gateway needs local region certificate for custom domain
  • CloudFront distribution layer uses one certificate, API endpoint layer uses another

3. Multi-Region Disaster Recovery Architecture

For multi-region deployments, a certificate is needed in each region:

#!/bin/bash
# Multi-region certificate deployment script
set -euo pipefail

REGIONS=("us-east-1" "eu-west-1" "ap-northeast-1" "ap-southeast-1")
declare -A ARNS   # region -> ARN of the certificate imported there

for region in "${REGIONS[@]}"; do
  echo "Deploying certificate to $region..."

  ARNS[$region]=$(aws acm import-certificate \
    --certificate fileb://cert.pem \
    --private-key fileb://private.key \
    --certificate-chain fileb://chain.pem \
    --region "$region" \
    --tags Key=Environment,Value=Production Key=Region,Value="$region" \
    --query 'CertificateArn' \
    --output text)

  echo "Certificate deployed to $region successfully"
done

# Summarize the ARNs captured from each import (not just the first certificate in the region)
echo "All certificates deployed. Summary:"
for region in "${REGIONS[@]}"; do
  echo "$region: ${ARNS[$region]}"
done

Quick Reference: AWS Service Certificate Region Requirements

| AWS Service                  | Certificate Region Requirement | Reason                                      |
|------------------------------|--------------------------------|---------------------------------------------|
| CloudFront                   | Must be us-east-1              | Global service, control plane in us-east-1  |
| API Gateway (Edge-Optimized) | Must be us-east-1              | Uses CloudFront                             |
| Amplify Console              | Must be us-east-1              | Uses CloudFront                             |
| API Gateway (Regional)       | API region                     | Regional service                            |
| Application Load Balancer    | ALB region                     | Regional service                            |
| Network Load Balancer        | NLB region                     | Regional service                            |
| Elastic Beanstalk            | Environment region             | Uses regional ELB                           |
| App Runner                   | Service region                 | Regional service                            |
| Transfer Family              | Server region                  | Regional service                            |
| EC2 (Direct Use)             | Does not use ACM               | Certificates in filesystem                  |

Common Misconfigurations and Solutions

Error 1: Mixed Up API Gateway Types

Wrong Example:

# Creating Edge-Optimized API but using eu-west-1 certificate  ❌ Wrong!
aws apigateway create-domain-name \
  --domain-name api.example.com \
  --endpoint-configuration types=EDGE \
  --certificate-arn arn:aws:acm:eu-west-1:123456789012:certificate/xxx \
  --region eu-west-1

Error Message:

An error occurred (BadRequestException) when calling the CreateDomainName operation:
The certificate must be in us-east-1 Region.

Correct Approaches:

# Option 1: Change to Regional API  ✅ (endpoint type REGIONAL, certificate in the API region)
aws apigateway create-domain-name \
  --domain-name api.example.com \
  --endpoint-configuration types=REGIONAL \
  --regional-certificate-arn arn:aws:acm:eu-west-1:123456789012:certificate/xxx \
  --region eu-west-1

# Option 2: Keep Edge-Optimized and use a us-east-1 certificate  ✅
aws apigateway create-domain-name \
  --domain-name api.example.com \
  --endpoint-configuration types=EDGE \
  --certificate-arn arn:aws:acm:us-east-1:123456789012:certificate/xxx \
  --region eu-west-1
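A pre-flight check for the mistakes in Error 1 and Error 2, written as an added example (not from the article): it encodes the region rules from the quick-reference table above, reads the region out of an ACM certificate ARN, and rejects a mismatched combination before create-domain-name or the load balancer call does. The service keywords are this example's own naming and every ARN shown is constructed.

```shell
#!/bin/sh
# Pre-flight check: is this ACM certificate in the region the target service requires?
# Region rules follow the article's quick-reference table; the service keywords are
# this example's own naming, and every ARN in the comments is constructed.

# required_cert_region SERVICE REGION -> region the certificate must live in
required_cert_region() {
  case "$1" in
    cloudfront|amplify|apigw-edge)
      echo "us-east-1" ;;                        # global services front-ended by CloudFront
    apigw-regional|alb|nlb|beanstalk|apprunner|transfer)
      echo "$2" ;;                               # regional services: same region as the resource
    *)
      echo "unknown service: $1" >&2; return 2 ;;
  esac
}

# acm_arn_region ARN -> the region field of arn:aws:acm:REGION:ACCOUNT:certificate/ID
acm_arn_region() {
  case "$1" in
    arn:aws:acm:*:*:certificate/*) echo "$1" | cut -d: -f4 ;;
    *) return 1 ;;                               # not an ACM certificate ARN
  esac
}

# apigw_cert_flag TYPE -> the create-domain-name flag that carries the certificate
apigw_cert_flag() {
  case "$1" in
    EDGE) echo "--certificate-arn" ;;
    REGIONAL) echo "--regional-certificate-arn" ;;
    *) return 1 ;;
  esac
}

# check_cert SERVICE REGION ARN -> 0 when the regions match, 1 (with a message) otherwise
check_cert() {
  want=$(required_cert_region "$1" "$2") || return 2
  have=$(acm_arn_region "$3") || { echo "not an ACM certificate ARN: $3" >&2; return 1; }
  [ "$have" = "$want" ] && return 0
  echo "$1 in $2 needs a certificate in $want, but $3 is in $have" >&2
  return 1
}

# Usage: check_cert apigw-edge eu-west-1 arn:aws:acm:eu-west-1:123456789012:certificate/xxx
#   -> "apigw-edge in eu-west-1 needs a certificate in us-east-1, but ... is in eu-west-1"
```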

Error 2: Missing Certificate in Multi-Region Deployment

Problem: Created ALB in ap-northeast-1 but certificate only imported to us-east-1

Check Method:

# List certificates in all regions
for region in us-east-1 eu-west-1 ap-northeast-1; do
  echo "=== $region ==="
  aws acm list-certificates --region $region --query 'CertificateSummaryList[].DomainName' --output table
done

Solution:

# Import to missing region
aws acm import-certificate \
  --certificate fileb://cert.pem \
  --private-key fileb://private.key \
  --certificate-chain fileb://chain.pem \
  --region ap-northeast-1

Part 3: Generating New Private Key and CSR (Lost Private Key Recovery)

When You Need to Regenerate Private Key

  • Private key lost: Cannot locate original private key file
  • Private key compromised: Suspicion that unauthorized parties have obtained the key
  • Certificate expired: Need to request new certificate
  • Security upgrade: Upgrading from RSA 2048 to RSA 4096 or ECC

Step 1: Generate New Private Key

RSA Private Key (Traditional, Best Compatibility):

# Generate 2048-bit RSA private key (minimum recommended)
openssl genpkey -algorithm RSA -out private.key -pkeyopt rsa_keygen_bits:2048

# Generate 4096-bit RSA private key (higher security, slightly lower performance)
openssl genpkey -algorithm RSA -out private.key -pkeyopt rsa_keygen_bits:4096

# Password-protect a copy of the private key for storage (optional, recommended).
# ACM import needs the unencrypted private.key; keep the encrypted copy as the backup.
openssl rsa -aes256 -in private.key -out private_encrypted.key

ECC Private Key (Modern, Better Performance):

# Generate P-256 curve private key
openssl ecparam -name prime256v1 -genkey -noout -out private_ecc.key

# Generate P-384 curve private key (higher security)
openssl ecparam -name secp384r1 -genkey -noout -out private_ecc.key

Step 2: Generate Certificate Signing Request (CSR)

# Generate CSR
openssl req -new -key private.key -out request.csr

# Interactive prompt for information:
# Country Name (2 letter code) [AU]: US
# State or Province Name (full name) [Some-State]: California
# Locality Name (eg, city) []: San Francisco
# Organization Name (eg, company) [Internet Widgits Pty Ltd]: My Company Inc
# Organizational Unit Name (eg, section) []: IT Department
# Common Name (e.g. server FQDN or YOUR name) []: www.example.com
# Email Address []: admin@example.com

Automated CSR Generation Using Config File:

# Create CSR configuration file (csr.conf)
cat > csr.conf <<EOF
[req]
default_bits = 2048
prompt = no
default_md = sha256
distinguished_name = dn
req_extensions = v3_req

[dn]
C = US
ST = California
L = San Francisco
O = My Company Inc
OU = IT Department
CN = www.example.com

[v3_req]
subjectAltName = @alt_names

[alt_names]
DNS.1 = www.example.com
DNS.2 = example.com
DNS.3 = api.example.com
EOF

# Generate CSR using configuration file
openssl req -new -key private.key -out request.csr -config csr.conf

Step 3: Verify CSR Content

# View CSR details
openssl req -text -noout -verify -in request.csr

# Confirm Common Name and Subject Alternative Names are correct

Step 4: Submit CSR to CA for New Certificate

Submit the generated request.csr to your Certificate Authority (CA):

  • Commercial CAs: DigiCert, GlobalSign, Sectigo, etc.
  • Free CAs: Let’s Encrypt (can use certbot for automation)
  • Internal Enterprise CA: Company’s self-built PKI system

Step 5: Import New Certificate and Private Key to AWS

After new certificate is issued, import to AWS:

aws acm import-certificate \
  --certificate fileb://new_certificate.pem \
  --private-key fileb://private.key \
  --certificate-chain fileb://chain.pem \
  --region us-east-1

Security Best Practices

1. Private Key Protection

  • Strictly limit access permissions:

# Set private key file permissions to owner read-only
chmod 400 private.key

# Verify permissions
ls -la private.key
# Output should be: -r-------- 1 user group 1675 Dec 10 10:00 private.key

  • Encrypted storage: Store private keys encrypted using AWS Secrets Manager or Parameter Store
  • Regular rotation: Recommend updating certificates and private keys every 12-24 months
  • Never commit to version control: Add *.key, *.pem to .gitignore

2. Using AWS Secrets Manager for Private Key Management

# Store private key in Secrets Manager
aws secretsmanager create-secret \
  --name production/ssl/private-key \
  --description "SSL private key for www.example.com" \
  --secret-string file://private.key \
  --region us-east-1

# Retrieve private key from Secrets Manager
aws secretsmanager get-secret-value \
  --secret-id production/ssl/private-key \
  --region us-east-1 \
  --query SecretString \
  --output text > private.key

3. Enable TLS Best Practices

  • Use TLS 1.2 or higher: Disable TLS 1.0 and 1.1
  • Choose secure cipher suites: Prioritize ECDHE and AES-GCM
  • Enable HSTS: Force browsers to use HTTPS

# CloudFront configuration example (ViewerCertificate fields)
{
  "MinimumProtocolVersion": "TLSv1.2_2021",
  "SSLSupportMethod": "sni-only"
}

4. Monitor Certificate Expiration

# Check certificate expiration date
openssl x509 -in certificate.pem -noout -enddate

# Use AWS CLI to list certificates with their expiry dates, soonest first
# (JMESPath comparison operators only work on numbers, so sort the output instead of filtering on NotAfter)
aws acm list-certificates \
  --region us-east-1 \
  --query 'CertificateSummaryList[].[NotAfter,DomainName,CertificateArn]' \
  --output text | sort

Frequently Asked Questions (FAQ)

1. Why must CloudFront use certificates from us-east-1?

Technical Reasons:

  • CloudFront is a global service with its control plane located in us-east-1
  • All CloudFront distribution configurations are centrally managed in us-east-1
  • This is AWS’s architectural design ensuring global consistency

Practical Impact:

  • Even if your users are in Asia, CloudFront certificates must still be in us-east-1
  • If certificate is mistakenly imported to other regions, CloudFront cannot use it

2. How do I verify a certificate has been correctly imported to AWS?

# List all certificates
aws acm list-certificates --region us-east-1

# View specific certificate details
aws acm describe-certificate \
  --certificate-arn arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012 \
  --region us-east-1

# Check certificate status (an imported certificate shows ISSUED)
aws acm describe-certificate \
  --certificate-arn YOUR_CERTIFICATE_ARN \
  --region us-east-1 \
  --query 'Certificate.Status' \
  --output text

3. Can I delete local files after importing certificates?

Recommended Practice:

  • Retain encrypted backups of private key and certificate stored in secure location (like AWS Secrets Manager)
  • Can delete plaintext files from working directory to avoid accidental exposure
  • Don’t delete all backups completely, in case you need to import to other regions or services

# Securely delete local private key (overwrite then delete)
shred -u -n 3 private.key

# Or use srm (requires installation)
srm private.key

4. How do I handle incomplete certificate chain errors?

Error Message Example:

Certificate validation failed: The certificate chain is incomplete

Solutions:

  1. Verify certificate chain order: Intermediate certificate first, root certificate last
  2. Download complete chain from CA: Some CAs provide complete bundle files
  3. Use online tools for validation: SSL Labs Server Test can check certificate chains

# Verify certificate chain using OpenSSL
openssl verify -CAfile chain.pem -untrusted intermediate.crt certificate.pem

# Output should be: certificate.pem: OK

5. What’s the difference between ACM-issued and imported certificates?

| Feature            | ACM-Issued Certificates | Imported Certificates              |
|--------------------|-------------------------|------------------------------------|
| Cost               | Free                    | Must purchase from CA              |
| Auto-Renewal       | ✅ Automatic            | ❌ Manual update                   |
| Private Key Export | ❌ Cannot export        | ✅ Can retain local copy           |
| Usage Scope        | AWS services only       | Can use inside and outside AWS     |
| Domain Validation  | DNS or Email            | CA follows its validation process  |

Selection Recommendations:

  • Prefer ACM-issued: If all services are on AWS, using ACM is most effortless
  • Import certificate use cases: Need to use same certificate outside AWS, enterprise has unified CA, need EV certificate, etc.

6. How do I share certificates across multiple AWS accounts?

Problem: ACM certificates cannot be directly shared between different AWS accounts.

Solutions:

  1. Use imported certificate approach: Import the same certificate and private key in each account
  2. Use AWS Secrets Manager cross-account sharing:

# Account A: Create Secret and authorize Account B access
aws secretsmanager put-resource-policy \
  --secret-id production/ssl/private-key \
  --resource-policy '{
    "Version": "2012-10-17",
    "Statement": [{
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::ACCOUNT_B_ID:root"},
      "Action": "secretsmanager:GetSecretValue",
      "Resource": "*"
    }]
  }'

# Account B: Read Account A's Secret
# (cross-account access also requires the secret to be encrypted with a customer-managed KMS key
#  whose key policy grants Account B decrypt access; the AWS-managed key cannot be shared)
aws secretsmanager get-secret-value \
  --secret-id arn:aws:secretsmanager:us-east-1:ACCOUNT_A_ID:secret:production/ssl/private-key \
  --region us-east-1

Troubleshooting Guide

Issue 1: Certificate Import Failed – “Format Error”

Possible Causes:

  • Certificate is not in PEM format
  • File contains extra blank lines or characters
  • Incomplete BEGIN/END markers

Solution:

# Check certificate format
cat certificate.pem

# Ensure certificate is in this format:
# -----BEGIN CERTIFICATE-----
# [Base64 encoded content]
# -----END CERTIFICATE-----

# Remove excess whitespace
sed '/^$/d' certificate.pem > certificate_clean.pem
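A small lint for the three causes listed above, plus one more that makes an import fail: an encrypted private key (ACM only accepts the unencrypted PEM key). This is an added example, not from the article; it uses only grep and cut, and the files it is meant to run on are the certfile.pem, chain.pem and private.key from Part 1.

```shell
#!/bin/sh
# Lint PEM files before `aws acm import-certificate`: CRLF endings, blank lines,
# stray text, unbalanced markers, and an encrypted private key.
# grep -c prints 0 on no match but exits 1, hence the "|| true" guards.

# pem_cert_count FILE -> number of certificates in the file (2+ expected for a chain)
pem_cert_count() {
  grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true
}

# pem_lint FILE -> 0 if the file is clean PEM, 1 otherwise (each finding printed once)
pem_lint() {
  f=$1; rc=0
  if grep -q "$(printf '\r')" "$f"; then
    echo "$f: CRLF line endings (convert with dos2unix or tr -d)"; rc=1
  fi
  if grep -q '^[[:space:]]*$' "$f"; then
    echo "$f: blank lines (remove them, as in the sed command above)"; rc=1
  fi
  begins=$(grep -c '^-----BEGIN ' "$f" || true)
  ends=$(grep -c '^-----END ' "$f" || true)
  if [ "$begins" -eq 0 ] || [ "$begins" -ne "$ends" ]; then
    echo "$f: unbalanced BEGIN/END markers ($begins BEGIN, $ends END)"; rc=1
  fi
  # Everything between the markers must be base64 text; anything else is stray content.
  if grep -v '^-----' "$f" | grep -vq '^[A-Za-z0-9+/=]*$'; then
    echo "$f: non-base64 content between the markers"; rc=1
  fi
  return $rc
}

# key_importable FILE -> 0 if FILE is an unencrypted PEM private key (what ACM accepts)
key_importable() {
  if grep -q 'ENCRYPTED' "$1"; then
    echo "$1: encrypted private key; ACM needs the unencrypted key"
    return 1
  fi
  grep -qE '^-----BEGIN (RSA |EC )?PRIVATE KEY-----' "$1" || { echo "$1: no PRIVATE KEY marker"; return 1; }
}

# Usage: pem_lint certfile.pem && pem_lint chain.pem && key_importable private.key
```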

Issue 2: CloudFront Cannot Use Certificate – “Certificate Not in us-east-1”

Solution:

# Verify certificate region
aws acm list-certificates --region us-east-1
aws acm list-certificates --region ap-northeast-1

# If certificate is in wrong region, re-import to us-east-1
aws acm import-certificate \
  --certificate fileb://cert.pem \
  --private-key fileb://key.pem \
  --certificate-chain fileb://chain.pem \
  --region us-east-1

Issue 3: Browser Shows “Certificate Not Trusted”

Possible Causes:

  • Incomplete certificate chain (most common)
  • Certificate has expired
  • Common Name or SAN doesn’t match domain

Diagnostic Methods:

# Test SSL connection using OpenSSL
openssl s_client -connect www.example.com:443 -servername www.example.com

# Check certificate chain depth (should be 2 or 3)
echo | openssl s_client -connect www.example.com:443 -servername www.example.com 2>/dev/null | grep -A 2 "Certificate chain"

Summary

Proper SSL/TLS certificate management on AWS requires understanding different service regional requirements:

  • CloudFront: Certificates must be imported to us-east-1
  • ELB, API Gateway, Elastic Beanstalk: Certificates imported to service region
  • Hybrid architectures: May need to import same certificate to multiple regions

Key Takeaways:

  1. Use correct certificate format (PEM)
  2. Ensure certificate chain is complete
  3. Properly protect private keys, use Secrets Manager for storage
  4. Regularly monitor certificate expiration dates
  5. Follow TLS security best practices

Following the detailed guidance in this article, you should be able to successfully import and manage SSL/TLS certificates on AWS. For any issues, consult AWS official documentation or contact AWS Support.
