

# Import certificates into AWS Certificate Manager

ACM allows re-import of a certificate into the same ARN only when the ClientAuth EKU is missing from the previous certificate. This accommodates industry changes where certificate authorities no longer issue certificates with ClientAuth EKU to comply with Chrome's root program requirements.

In addition to requesting SSL/TLS certificates provided by AWS Certificate Manager (ACM), you can import certificates that you obtained outside of AWS. You might do this because you already have a certificate from a third-party certificate authority (CA), or because you have application-specific requirements that are not met by ACM issued certificates.

You can use an imported certificate with any [AWS service that is integrated with ACM](acm-services.md). The certificates that you import work the same as those provided by ACM, with one important exception: ACM does not provide [managed renewal](managed-renewal.md) for imported certificates.

To renew an imported certificate, you can obtain a new certificate from your certificate issuer and then manually [reimport](https://docs.aws.amazon.com/acm/latest/userguide/import-reimport.html#reimport-certificate-api) it into ACM. This action preserves the certificate's association and its Amazon Resource Name (ARN). Alternatively, you can import a completely new certificate. Multiple certificates with the same domain name can be imported, but they must be imported one at a time.

**Important**  
You are responsible for monitoring the expiration date of your imported certificates and for renewing them before they expire. You can simplify this task by using Amazon CloudWatch Events to send notices when your imported certificates approach expiration. For more information, see [Using Amazon EventBridge](cloudwatch-events.md).

All certificates in ACM are regional resources, including the certificates that you import. To use the same certificate with Elastic Load Balancing load balancers in different AWS Regions, you must import the certificate into each Region where you want to use it. To use a certificate with Amazon CloudFront, you must import it into the US East (N. Virginia) Region. For more information, see [Supported Regions](acm-overview.md#acm-regions).

For information about how to import certificates into ACM, see the following topics. If you encounter problems importing a certificate, see [Certificate import problems](troubleshoot-import.md).

**Topics**
+ [Prerequisites for importing ACM certificates](import-certificate-prerequisites.md)
+ [Certificate and key format for importing](import-certificate-format.md)
+ [Import a certificate](import-certificate-api-cli.md)
+ [Reimport a certificate](import-reimport.md)

# Prerequisites for importing ACM certificates

To import a self–signed SSL/TLS certificate into ACM, you must provide both the certificate and its private key. To import a certificate signed by a non-AWS certificate authority (CA), you must also include the private and public keys of the certificate. Your certificate must satisfy all of the criteria described in this topic.

For all imported certificates, you must specify a cryptographic algorithm and a key size. ACM supports the following algorithms (API name in parentheses): 
+ RSA 1024 bit (`RSA_1024`)
+ RSA 2048 bit (`RSA_2048`)
+ RSA 3072 bit (`RSA_3072`)
+ RSA 4096 bit (`RSA_4096`)
+ ECDSA 256 bit (`EC_prime256v1`)
+ ECDSA 384 bit (`EC_secp384r1`)
+ ECDSA 521 bit (`EC_secp521r1`)

Note also the following additional requirements: 
+ ACM [integrated services](https://docs.aws.amazon.com/acm/latest/userguide/acm-services.html) allow only the algorithms and key sizes that they support to be associated with their resources. For example, CloudFront only supports 1024-bit RSA, 2048-bit RSA, 3072-bit RSA, 4096-bit RSA, and Elliptic Prime Curve 256-bit keys, while Application Load Balancer supports all of the algorithms available from ACM. For more information, see the documentation for the service you are using.
+ A certificate must be an SSL/TLS X.509 version 3 certificate. It must contain a public key, the fully qualified domain name (FQDN) or IP address for your website, and information about the issuer. 
+ A certificate can be self-signed by a private key that you own, or signed by the private key of an issuing CA. You must provide the private key, which may be no larger than 5 KB (5,120 bytes) and must be unencrypted.
+ If the certificate is signed by a CA, and you choose to provide the certificate chain, the chain must be PEM–encoded.
+ A certificate must be valid at the time of import. You cannot import a certificate before its validity period begins or after it expires. The `NotBefore` certificate field contains the validity start date, and the `NotAfter` field contains the end date.
+ All of the required certificate materials (certificate, private key, and certificate chain) must be PEM–encoded. Uploading DER–encoded materials results in an error. For more information and examples, see [Certificate and key format for importing](import-certificate-format.md).
+ When you renew (reimport) a certificate, you cannot remove a `KeyUsage` or `ExtendedKeyUsage` extension that was present in the previously imported certificate.

  The following exceptions apply:
  + You can reimport a certificate missing the Client Authentication ExtendedKeyUsage when compared to the previous certificate. This accommodates industry changes where certificate authorities no longer issue certificates with ClientAuth EKU to comply with Chrome's root program requirements.
  + You can remove the `keyEncipherment` Key Usage from ECDSA certificates. This accommodates [RFC 5480 Section 3](https://www.rfc-editor.org/rfc/rfc5480#section-3), which does not include `keyEncipherment` as a permitted Key Usage for ECDSA keys.

  **Important**  
  If you require Client Authentication functionality, you must implement additional validations on your side, as ACM does not support rollback to previously imported certificates.
+ AWS CloudFormation does not support the import of certificates into ACM.

# Certificate and key format for importing

ACM requires you to separately import the certificate, certificate chain, and private key (if any), and to encode each component in PEM format. PEM stands for Privacy Enhanced Mail. The PEM format is often used to represent certificates, certificate requests, certificate chains, and keys. The typical extension for a PEM–formatted file is `.pem`, but it doesn't need to be. 

**Note**  
AWS does not provide utilities for manipulating PEM files or other certificate formats. The following examples rely on a generic text editor for simple operations. If you need to perform more complex tasks (such as converting file formats or extracting keys), free and open-source tools such as [OpenSSL](https://www.openssl.org/docs/) are readily available.

The following examples illustrate the format of the files to be imported. If the components come to you in a single file, use a text editor (carefully) to separate them into three files. Note that if you edit any of the characters in a PEM file incorrectly or if you add one or more spaces to the end of any line, the certificate, certificate chain, or private key will be invalid. 

**Example 1. PEM–encoded certificate**  

```
-----BEGIN CERTIFICATE-----
Base64–encoded certificate
-----END CERTIFICATE-----
```

**Example 2. PEM–encoded certificate chain**  
A certificate chain contains one or more certificates. You can use a text editor, the `copy` command in Windows, or the Linux `cat` command to concatenate your certificate files into a chain. The certificates must be concatenated in order so that each directly certifies the one preceding. If importing a private certificate, copy the root certificate last. The following example contains three certificates, but your certificate chain might contain more or fewer.   
Do not copy your certificate into the certificate chain.

```
-----BEGIN CERTIFICATE-----
Base64–encoded certificate
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Base64–encoded certificate
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Base64–encoded certificate
-----END CERTIFICATE-----
```

**Example 3. PEM–encoded private keys**  
X.509 version 3 certificates use public key algorithms. When you create an X.509 certificate or certificate request, you specify the algorithm and the key bit size that must be used to create the private–public key pair. The public key is placed in the certificate or request. You must keep the associated private key secret. Specify the private key when you import the certificate. The key must be unencrypted. The following example shows an RSA private key.   

```
-----BEGIN PRIVATE KEY-----
Base64–encoded private key
-----END PRIVATE KEY-----
```
The next example shows a PEM–encoded elliptic curve private key. Depending on how you create the key, the parameters block might not be included. If the parameters block is included, ACM removes it before using the key during the import process.   

```
-----BEGIN EC PARAMETERS-----
Base64–encoded parameters
-----END EC PARAMETERS-----
-----BEGIN EC PRIVATE KEY-----
Base64–encoded private key
-----END EC PRIVATE KEY-----
```
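The manual separation described above, as an added example that is not part of the AWS documentation: a Python splitter that takes one concatenated PEM file and produces the `Certificate.pem`, `CertificateChain.pem` and `PrivateKey.pem` contents the CLI example later on this page expects, rejecting the defects ACM rejects (trailing whitespace on a line, an encrypted key, a key over 5 KB, the end-entity certificate repeated in the chain) and dropping an EC parameters block. The sample bundle and its base64 bodies are constructed placeholders, and the leaf-first ordering of the bundle is an assumption.

```python
import re
from typing import Dict

# Constructed sample bundle (placeholder base64, not real key material): a leaf
# certificate, one chain certificate, an EC parameters block and an EC key.
SAMPLE_BUNDLE = """\
-----BEGIN CERTIFICATE-----
TEVBRg==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
SU5URVJNRURJQVRF
-----END CERTIFICATE-----
-----BEGIN EC PARAMETERS-----
BggqhkjOPQMBBw==
-----END EC PARAMETERS-----
-----BEGIN EC PRIVATE KEY-----
RUNLRVk=
-----END EC PRIVATE KEY-----
"""

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\n(.*?)-----END \1-----\n", re.S)
MAX_KEY_BYTES = 5120  # ACM rejects private keys larger than 5 KB


def split_pem_bundle(text: str) -> Dict[str, str]:
    """Split one concatenated PEM file into the three files the CLI example uses.
    Assumption: the first CERTIFICATE block is the end-entity certificate."""
    if re.search(r"[ \t]+\n", text):
        raise ValueError("trailing whitespace on a PEM line invalidates the file")
    if "ENCRYPTED" in text:  # covers ENCRYPTED PRIVATE KEY and Proc-Type headers
        raise ValueError("private key must be unencrypted")
    certs, keys = [], []
    for label, body in PEM_BLOCK.findall(text):
        if not re.fullmatch(r"[A-Za-z0-9+/=\n]+", body):
            raise ValueError(f"non-base64 character inside {label} block")
        block = f"-----BEGIN {label}-----\n{body}-----END {label}-----\n"
        if label == "CERTIFICATE":
            certs.append(block)
        elif label.endswith("PRIVATE KEY"):
            keys.append(block)
        # Any EC PARAMETERS block is dropped; ACM strips it on import anyway.
    if not certs or len(keys) != 1:
        raise ValueError("expected at least one certificate and exactly one key")
    if certs[0] in certs[1:]:
        raise ValueError("the chain must not repeat the end-entity certificate")
    if len(keys[0].encode()) > MAX_KEY_BYTES:
        raise ValueError("private key exceeds the 5 KB ACM limit")
    return {"Certificate.pem": certs[0],
            "CertificateChain.pem": "".join(certs[1:]),
            "PrivateKey.pem": keys[0]}
```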

# Import a certificate

You can import an externally obtained certificate (that is, one provided by a third-party trust services provider) into ACM by using the AWS Management Console, the AWS CLI, or the ACM API. The following topics show you how to use the AWS Management Console and the AWS CLI. Procedures for obtaining a certificate from a non-AWS issuer are outside the scope of this guide.

**Important**  
Your selected signature algorithm must meet the [Prerequisites for importing ACM certificates](import-certificate-prerequisites.md).

**Topics**
+ [Import (console)](#import-certificate-api)
+ [Import (AWS CLI)](#import-certificate-cli)

## Import (console)


The following example shows how to import a certificate using the AWS Management Console.

1. Open the ACM console at [https://console.aws.amazon.com/acm/home](https://console.aws.amazon.com/acm/home). If this is your first time using ACM, look for the **AWS Certificate Manager** heading and choose the **Get started** button under it.

1. Choose **Import a certificate**.

1. Do the following:

   1. For **Certificate body**, paste the PEM-encoded certificate to import. It should begin with `-----BEGIN CERTIFICATE-----` and end with `-----END CERTIFICATE-----`. 

   1. For **Certificate private key**, paste the certificate's PEM-encoded, unencrypted private key. It should begin with `-----BEGIN PRIVATE KEY-----` and end with `-----END PRIVATE KEY-----`.

   1. (Optional) For **Certificate chain**, paste the PEM-encoded certificate chain.

1. (Optional) To add tags to your imported certificate, choose **Tags**. A tag is a label that you assign to an AWS resource. Each tag consists of a key and an optional value, both of which you define. You can use tags to organize your resources or track your AWS costs.

1. Choose **Import**.

## Import (AWS CLI)


The following example shows how to import a certificate using the [AWS Command Line Interface (AWS CLI)](https://aws.amazon.com/cli/). The example assumes the following:
+ The PEM-encoded certificate is stored in a file named `Certificate.pem`.
+ The PEM-encoded certificate chain is stored in a file named `CertificateChain.pem`.
+ The PEM-encoded, unencrypted private key is stored in a file named `PrivateKey.pem`.

To use the following example, replace the file names with your own and type the command on one continuous line. The following example includes line breaks and extra spaces to make it easier to read.

```
$ aws acm import-certificate --certificate fileb://Certificate.pem \
      --certificate-chain fileb://CertificateChain.pem \
      --private-key fileb://PrivateKey.pem
```

If the `import-certificate` command is successful, it returns the [Amazon Resource Name (ARN)](https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) of the imported certificate. 

# Reimport a certificate

If you imported a certificate and associated it with other AWS services, you can reimport that certificate before it expires while preserving the AWS service associations of the original certificate. For more information about AWS services integrated with ACM, see [Services integrated with ACM](acm-services.md). 

The following conditions apply when you reimport a certificate:
+ You can add or remove domain names.
+ You cannot remove all of the domain names from a certificate.
+ If **Key Usage** extensions are present in the originally imported certificate, you can add new extension values, but you cannot remove existing values.

  **Exception:** You can remove the `keyEncipherment` Key Usage from ECDSA certificates. This accommodates [RFC 5480 Section 3](https://www.rfc-editor.org/rfc/rfc5480#section-3), which does not include `keyEncipherment` as a permitted Key Usage for ECDSA keys.
+ If **Extended Key Usage** extensions are present in the originally imported certificate, you can add new extension values, but you cannot remove existing values.

  **Exception:** You can remove the Client Authentication Extended Key Usage. This accommodates industry changes where certificate authorities no longer issue certificates with ClientAuth EKU to comply with Chrome's root program requirements. 

  **Important**  
  If you require Client Authentication functionality, you must implement additional validations on your side, as ACM does not support rollback to previously imported certificates.
+ The key type and size cannot be changed.
+ You cannot apply resource tags when reimporting a certificate.
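The reimport conditions above, together with the matching rules in the prerequisites topic, as an added example that is not code from the AWS documentation: a Python pre-flight check that compares the previously imported certificate with its replacement before you call `import-certificate` with an ARN, and reports which rule would be violated. `CertProfile`, `reimport_check` and the sample profiles are assumptions constructed for this example; in practice you would fill the profiles from a parser such as `openssl x509 -text`.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple


@dataclass(frozen=True)
class CertProfile:
    """The attributes of a certificate that ACM compares on reimport.
    Hypothetical structure; fill it from a parser such as openssl x509 -text."""
    key_algorithm: str               # ACM API name, e.g. RSA_2048 or EC_prime256v1
    domains: FrozenSet[str]          # CN plus Subject Alternative Names
    key_usage: FrozenSet[str]
    extended_key_usage: FrozenSet[str]


def reimport_check(old: CertProfile, new: CertProfile) -> Tuple[List[str], List[str]]:
    """Return (problems that make ACM reject the reimport, warnings to act on)."""
    problems, warnings = [], []
    if new.key_algorithm != old.key_algorithm:
        problems.append(f"key type/size changed: {old.key_algorithm} -> {new.key_algorithm}")
    if not new.domains:  # names may be added or removed, but not all of them
        problems.append("all domain names removed")
    removed_ku = old.key_usage - new.key_usage
    if old.key_algorithm.startswith("EC_"):
        # Exception: RFC 5480 section 3 does not permit keyEncipherment for ECDSA keys
        removed_ku -= {"keyEncipherment"}
    if removed_ku:
        problems.append(f"Key Usage removed: {sorted(removed_ku)}")
    # Exception: the Client Authentication EKU may be dropped
    removed_eku = old.extended_key_usage - new.extended_key_usage - {"clientAuth"}
    if removed_eku:
        problems.append(f"Extended Key Usage removed: {sorted(removed_eku)}")
    if "clientAuth" in old.extended_key_usage - new.extended_key_usage:
        warnings.append("clientAuth EKU dropped: ACM cannot roll back, so anything "
                        "relying on client authentication needs its own validation")
    return problems, warnings


# Constructed sample profiles (the example.com names are placeholders)
OLD = CertProfile("EC_prime256v1", frozenset({"example.com", "www.example.com"}),
                  frozenset({"digitalSignature", "keyEncipherment"}),
                  frozenset({"serverAuth", "clientAuth"}))
NEW_OK = CertProfile("EC_prime256v1", frozenset({"example.com", "api.example.com"}),
                     frozenset({"digitalSignature"}), frozenset({"serverAuth"}))
NEW_BAD = CertProfile("RSA_2048", frozenset(), frozenset(), frozenset({"serverAuth"}))
```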

**Topics**
+ [Reimport (console)](#reimport-certificate-api)
+ [Reimport (AWS CLI)](#reimport-certificate-cli)

## Reimport (console)


The following example shows how to reimport a certificate using the AWS Management Console.

1. Open the ACM console at [https://console.aws.amazon.com/acm/home](https://console.aws.amazon.com/acm/home).

1. Select or expand the certificate to reimport.

1. Open the details pane of the certificate and choose the **Reimport certificate** button. If you selected the certificate by checking the box beside its name, choose **Reimport certificate** on the **Actions** menu.

1. For **Certificate body**, paste the PEM-encoded end-entity certificate.

1. For **Certificate private key**, paste the unencrypted PEM-encoded private key associated with the certificate's public key.

1. (Optional) For **Certificate chain**, paste the PEM-encoded certificate chain. The certificate chain includes one or more certificates for all intermediate issuing certification authorities, and the root certificate. If the certificate to be imported is self-signed, no certificate chain is necessary.

1. Review the information about your certificate. If there are no errors, choose **Reimport**.

## Reimport (AWS CLI)


The following example shows how to reimport a certificate using the [AWS Command Line Interface (AWS CLI)](https://aws.amazon.com/cli/). The example assumes the following:
+ The PEM-encoded certificate is stored in a file named `Certificate.pem`.
+ The PEM-encoded certificate chain is stored in a file named `CertificateChain.pem`.
+ (Private certificates only) The PEM-encoded, unencrypted private key is stored in a file named `PrivateKey.pem`.
+ You have the ARN of the certificate you want to reimport.

To use the following example, replace the file names and the ARN with your own and type the command on one continuous line. The following example includes line breaks and extra spaces to make it easier to read.

**Note**  
To reimport a certificate, you must specify the certificate ARN.

```
$ aws acm import-certificate --certificate fileb://Certificate.pem \
      --certificate-chain fileb://CertificateChain.pem \
      --private-key fileb://PrivateKey.pem \
      --certificate-arn arn:aws:acm:region:123456789012:certificate/12345678-1234-1234-1234-12345678901
```

If the `import-certificate` command is successful, it returns the [Amazon Resource Name (ARN)](https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) of the certificate. 