I just got a Thawte 123 SSL Certificate and have problems uploading it to AWS to use it with CloudFront as a Custom SNI SSL Certificate. AWS refuses the CA Chain. I'm using the Thawte Intermediate CA bundle for SSL Web Server and Thawte Wildcard certificates.

To be able to use my private key I converted it to an RSA key with:

openssl rsa -in private.key -out private-rsa-key.pem

And tried to upload it with:

aws iam upload-server-certificate --server-certificate-name example.com-certificate --certificate-body file://certificate.pem --private-key file://private.pem --certificate-chain https://search.thawte.com/library/VERISIGN/ALL_OTHER/thawte%20ca/SSL_CA_Bundle.pem --path /cloudfront/example.com/

Resulting in the following error:

A client error (MalformedCertificate) occurred when calling the UploadServerCertificate operation: Unable to validate certificate chain. The certificate chain must start with the immediate signing certificate, followed by any intermediaries in order. The index within the chain of the invalid certificate is: 0

Even inserting the thawte_Primary_Root_CA.pem into the certificate chain as the first immediate signing certificate doesn't resolve the problem.

A client error (MalformedCertificate) occurred when calling the UploadServerCertificate operation: Unable to validate certificate chain. The certificate chain must start with the immediate signing certificate, followed by any intermediaries in order. The index within the chain of the invalid certificate is: 1

Is the Thawte CA Chain not compatible with AWS?

Manuel

4 Answers


I am having the same issue right now, and tried everything. Using an SSL123 certificate (my RSA key and PEM are OK).

I can't get the primary and secondary certs provided by Thawte to work, in any order. I tried primary alone, secondary alone, primary+secondary, secondary+primary, also tried with the root cert, and also tried with the primary & secondary from:

https://search.thawte.com/library/VERISIGN/ALL_OTHER/thawte%20ca/SSL123_SecondaryCA.pem

https://search.thawte.com/library/VERISIGN/ALL_OTHER/thawte%20ca/SSL123_PrimaryCA.pem

The only thing I can get from ELB is:

Unable to validate certificate chain. The certificate chain must start with the immediate signing certificate, followed by any intermediaries in order. The index within the chain of the invalid certificate is: 0

Where the index is not always -1, but also 0,1 and 2 depending on the order and the number of certs included.

[SOLVED FOR ME]

Apparently, the EC2 instance from which you create the certificate makes a difference. I used a standard EBS instance with the default AMI, transformed the certificate provided by Thawte again, and it did work.

Here are the steps:

CSR:

keytool -genkey -keysize 2048 -keyalg RSA -alias mycertificate -keystore keystore.jks

Once Thawte responds (Primary is the second certificate in the chain of the email):

Import the three certificates into keystore.jks:

keytool -import -alias Primary -trustcacerts -file Primary.crt -keystore keystore.jks
keytool -import -alias Secondary -trustcacerts -file Secondary.crt -keystore keystore.jks
keytool -import -alias mycertificate -trustcacerts -file mycertificate.cer -keystore keystore.jks

JKS > P12 - Transform keystore.jks into p12 format

keytool -importkeystore -srckeystore keystore.jks -destkeystore keystore.p12 -srcstoretype jks -deststoretype pkcs12

P12 > PEM - Transform p12 format into pem format

openssl pkcs12 -in keystore.p12 -out keystore.pem -nodes

PEM > RSA PRIVATE KEY - Export the private key in RSA format

openssl rsa -in keystore.pem -text > keystore_rsa.pem

And it did work this time.

Juan Carrey
  1. You must make sure that the certificate, private key, and certificate chain are all PEM-encoded, as follows:

     -----BEGIN CERTIFICATE-----   <- This is my Intermediate CA which signed my CSR
     Base64-encoded certificate
     -----END CERTIFICATE-----
     -----BEGIN CERTIFICATE-----   <- This is my Root CA which signed my Intermediate CA
     Base64-encoded certificate
     -----END CERTIFICATE-----

  2. You don't need to put your signed certificate in the chain. Just adding the intermediate and root CA to the chain file should be enough.
star
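The two answers above describe the same rule from two sides: the chain file must start with the leaf's immediate signer and continue upward, and the leaf itself does not belong in it. The script below is an added example (not code from the question or any of the answers, and not an AWS tool) that applies that rule offline before an upload: it orders a bag of CA certificates from a PEM file into the expected order and reports the index of the first out-of-place certificate, the same number the IAM error quotes. It uses only the standard library; a small DER walker pulls out the raw issuer and subject Name encodings and compares them byte for byte. The certificates at the bottom are constructed stand-ins with hypothetical names ("Example Intermediate CA", "Example Root CA"): they have the real TBSCertificate field layout but no signature or key, so they exercise the ordering logic only.

```python
"""Added example: order CA certs into the chain IAM expects (leaf's signer first,
then its issuer, up to the root) and locate the first out-of-place certificate."""
import base64
import re

PEM_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(pem_text):
    """Split a PEM file (possibly holding several certs) into DER blobs, in file order."""
    return [base64.b64decode("".join(body.split())) for body in PEM_CERT_RE.findall(pem_text)]


def der_to_pem(der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n" + body + "\n-----END CERTIFICATE-----\n"


def _tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(seq_value):
    out, pos = [], 0
    while pos < len(seq_value):
        tag, value, pos = _tlv(seq_value, pos)
        out.append((tag, value))
    return out


def subject_issuer(der):
    """Return (subject, issuer) of an X.509 cert as raw DER Name encodings."""
    _, cert, _ = _tlv(der, 0)              # Certificate ::= SEQUENCE { tbs, sigAlg, sig }
    _, tbs, _ = _tlv(cert, 0)              # TBSCertificate ::= SEQUENCE
    fields = _children(tbs)
    if fields[0][0] == 0xA0:               # optional explicit [0] version
        fields = fields[1:]
    # remaining order: serialNumber, signature, issuer, validity, subject, ...
    return fields[4][1], fields[2][1]


def build_chain(leaf_der, ca_ders):
    """Walk upward from the leaf's issuer through ca_ders; returns the CA certs in the
    order IAM wants (immediate signer first). Stops at a self-signed root or when the
    next issuer is missing from the bag (then the returned chain is incomplete)."""
    by_subject = {subject_issuer(d)[0]: d for d in ca_ders}
    chain, seen = [], set()
    _, issuer = subject_issuer(leaf_der)
    while issuer in by_subject and issuer not in seen:
        seen.add(issuer)
        ca = by_subject[issuer]
        chain.append(ca)
        subject, issuer = subject_issuer(ca)
        if subject == issuer:              # self-signed root reached
            break
    return chain


def first_invalid_index(leaf_der, chain_ders):
    """Same rule as the IAM error message: chain[0] must be the leaf's issuer and each
    later cert the issuer of the one before it. Returns the index of the first cert
    breaking that rule, or -1 if the chain is well-ordered."""
    _, expected = subject_issuer(leaf_der)
    for i, der in enumerate(chain_ders):
        subject, issuer = subject_issuer(der)
        if subject != expected:
            return i
        expected = issuer
    return -1


# --- constructed test certificates (hypothetical names, unsigned, not valid X.509) ---
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _name(common_name):
    # Name ::= SEQUENCE OF SET OF { commonName OID 2.5.4.3, UTF8String }
    attr = _der(0x30, _der(0x06, bytes.fromhex("550403")) + _der(0x0C, common_name.encode()))
    return _der(0x30, _der(0x31, attr))


def fake_cert(subject_cn, issuer_cn):
    """Stand-in with the real TBSCertificate layout; signature and key are empty placeholders."""
    tbs = _der(0x30,
               _der(0xA0, _der(0x02, b"\x02"))                               # [0] version v3
               + _der(0x02, b"\x01")                                         # serialNumber
               + _der(0x30, _der(0x06, bytes.fromhex("2A864886F70D01010B")))  # sha256WithRSA
               + _name(issuer_cn)
               + _der(0x30, _der(0x17, b"240101000000Z") + _der(0x17, b"250101000000Z"))
               + _name(subject_cn)
               + _der(0x30, b""))                                            # SPKI placeholder
    return _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))


if __name__ == "__main__":
    leaf = fake_cert("example.com", "Example Intermediate CA")
    inter = fake_cert("Example Intermediate CA", "Example Root CA")
    root = fake_cert("Example Root CA", "Example Root CA")
    bag = pem_to_der(der_to_pem(root) + der_to_pem(inter))      # wrong order on purpose
    print("first invalid index in the bag:", first_invalid_index(leaf, bag))     # 0
    ordered = build_chain(leaf, bag)
    print("first invalid index after reordering:", first_invalid_index(leaf, ordered))  # -1
    print(der_to_pem(ordered[0]) + der_to_pem(ordered[1]), end="")  # chain file content
```

With a real bundle you would pass `pem_to_der(open("SSL_CA_Bundle.pem").read())` as the bag and your own certificate as the leaf; an empty result from `build_chain` means none of the bundled certificates is the leaf's issuer, which is exactly the "index 0" case in the question, and a chain shorter than the bag means the walk stopped before reaching a self-signed root. The script only checks issuer/subject linkage, not signatures or validity dates, so it finds ordering mistakes but is not a substitute for `openssl verify`.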

It is important to note that the intermediate certificates are not specific to your domain or certificate. So every certificate issued that is like yours has the exact same intermediate certificates.

You can think of them a bit like the routing number on your checks. The routing number is needed, but really says more about your bank than it does about you. Your account number, or your certificate in this case, is what is unique to you.

Because of the generic nature of the intermediate certificates there are websites like this one:

https://www.ssl2buy.com/wiki/ssl-intermediate-and-root-ca-bundle

That have all of the intermediate certificates pre-bundled (and in the correct order) for different certificate issuers.

Beachhouse