8

I need the Certificate name, Certificate body, Certificate private key and Certificate chain to use a domain name in the API Gateway.

I have the certificate for *.domainready.com in Amazon's Certificate Manager. And I'd like to use that cert info. I can't find any access to it from the dashboard interface. Is there any way to get the information regarding the cert out of AWS?

ThomasReggi

2 Answers

8

As of March 9th, 2017, certificates created in the us-east-1 region are available to be used by API Gateway.

The AWS API Gateway is not a service integrated with the AWS Certificate Manager. This limits its use to those services (CloudFront and Elastic Load Balancing) only.

To install an SSL certificate on the API Gateway, you need the public certificate, the private key, and a root CA certificate chain. The ACM itself never lets you see the private key, as this is managed entirely within the service. This is the limiting factor: you cannot export the certificate in a usable format for later importing to another SSL endpoint, e.g. API Gateway.

You will need to purchase an SSL Certificate from the major providers, use a free service (StartSSL), or a self-signed certificate - if you are testing.

With any of those certificates you can configure them in the API Gateway Create Custom Domain page.

Rodrigo Murillo
  • ...Or put the ACM cert on a CloudFront distribution and then point CF to the API Gateway endpoint? Seems legit. – Michael - sqlbot Jun 17 '16 at 01:41
  • @Michael-sqlbot since API Gateway already creates a CF distribution behind the scenes, wouldn't that be stacking two CF distributions? Would that cause any issues? – Mark B Jun 17 '16 at 02:28
  • It shouldn't, as long as you don't configure the CF distribution to whitelist-forward the incoming `Host:` header (or all headers) to the back-end, which would create a nifty infinite loop. Haven't tested it, but I *think* I've seen that discussed here as viable by an API-GW insider. – Michael - sqlbot Jun 17 '16 at 02:38
  • @MarkB I found it. [Discussed here](http://stackoverflow.com/a/36430581/1695906) as "should work" in the context of using Web Application Firewall (WAF) with API Gateway. A second distribution is required since the CF distribution created directly/implicitly by API Gateway isn't one of "your" CF distributions, so you can't configure it with WAF. – Michael - sqlbot Jun 17 '16 at 02:44
-1

The certificate chain is the intermediate certificates.

For Certificate chain, type or paste the PEM-formatted intermediate certificates and, optionally, the root certificate, one after the other without any blank lines. If you include the root certificate, your certificate chain must start with intermediate certificates and end with the root certificate. Use the intermediate certificates provided by your certificate authority. Do not include any intermediaries that are not in the chain of trust path. The following shows an abbreviated example.

```
-----BEGIN CERTIFICATE-----
EXAMPLECA4ugAwIBAgIQWrYdrB5NogYUx1U9Pamy3DANBgkqhkiG9w0BAQUFADCB
...
8/ifBlIK3se2e4/hEfcEejX/arxbx1BJCHBvlEPNnsdw8EXAMPLE
-----END CERTIFICATE-----
```

Here is another example.

```
-----BEGIN CERTIFICATE-----
Intermediate certificate 2
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Intermediate certificate 1
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Optional: Root certificate
-----END CERTIFICATE-----
```

For more details, check the Amazon developer guide.

Ponnarasu
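Added here as an illustration (not code from the answer or from AWS): a pure-Python checker for the chain layout the guide text above describes. It splits a PEM bundle, rejects blank lines or stray text between blocks, walks the DER to read each certificate's issuer and subject, and confirms that the first entry issued the server certificate, that each entry was issued by the next one, and whether the last entry is a self-signed root. `_der` and `fake_cert` only build a constructed skeleton chain for testing and are not real certificates; linking compares raw DER Name bytes, which is assumed to hold for CA-issued chains.

```python
import base64, re

PEM = re.compile(r"-----BEGIN CERTIFICATE-----\n(.+?)\n-----END CERTIFICATE-----", re.S)

def split_bundle(text):
    """Split a PEM chain into DER blobs; blank lines or stray text are rejected."""
    text = text.replace("\r\n", "\n").strip()
    if re.search(r"\n\s*\n", text) or PEM.sub("", text).strip():
        raise ValueError("blank line or text outside BEGIN/END markers in the chain")
    return [base64.b64decode(b.replace("\n", ""), validate=True) for b in PEM.findall(text)]

def _tlvs(buf):
    """Parse the consecutive DER TLVs in buf into (tag, value) pairs."""
    out, off = [], 0
    while off < len(buf):
        tag, ln, off = buf[off], buf[off + 1], off + 2
        if ln & 0x80:                           # long form: low 7 bits give the length's byte count
            ln, off = int.from_bytes(buf[off:off + (ln & 0x7F)], "big"), off + (ln & 0x7F)
        out.append((tag, buf[off:off + ln]))
        off += ln
    return out

def x509_names(der):
    """Return (issuer, subject) as raw DER Name bytes by walking tbsCertificate."""
    fields = _tlvs(_tlvs(_tlvs(der)[0][1])[0][1])
    if fields[0][0] == 0xA0:                    # skip the optional [0] EXPLICIT version
        fields = fields[1:]
    return fields[2][1], fields[4][1]           # serial, sigAlg, issuer, validity, subject

def check_chain(chain_pem, leaf_pem):
    """Check the ordering API Gateway expects: intermediates first, optional root last."""
    names = [x509_names(d) for d in split_bundle(chain_pem)]
    if x509_names(split_bundle(leaf_pem)[0])[0] != names[0][1]:
        raise ValueError("first certificate in the chain did not issue the server certificate")
    for i in range(len(names) - 1):
        if names[i][0] != names[i + 1][1]:
            raise ValueError("certificate %d was not issued by certificate %d" % (i + 1, i + 2))
    return {"count": len(names), "includes_root": names[-1][0] == names[-1][1]}

def _der(tag, *parts):                          # tiny DER encoder, used only for the constructed sample
    body = b"".join(parts)
    return bytes([tag]) + (bytes([len(body)]) if len(body) < 128 else b"\x82" + len(body).to_bytes(2, "big")) + body

def fake_cert(subject, issuer):                 # constructed stand-in: only the fields x509_names() walks
    cn = lambda s: _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03"), _der(0x0C, s.encode()))))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")), _der(0x02, b"\x01"), _der(0x30), cn(issuer), _der(0x30), cn(subject))
    return _der(0x30, tbs, _der(0x30), _der(0x03, b"\x00"))

def to_pem(der):
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----" % base64.b64encode(der).decode()
```

On real files, call `check_chain(open("chain.pem").read(), open("cert.pem").read())` before pasting the chain into the Custom Domain page; a `ValueError` names the first ordering or formatting problem found.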