
Someone purchased a wildcard certificate via AWS Certificate Manager for their domain name and I need to transfer it to Heroku for an app that uses a sub-domain of the domain name.

I can't figure out, either through the AWS Console or through their CLI, how I would get the private key used to generate the CSR for this certificate. Can anyone on here help me?

sameers
  • I have the same problem now. Did you solve it? Can you help me now or answer this question? – Desarrollo Desafio de Guerrero Aug 31 '17 at 16:08
  • I don't know for sure, but I think after a lot of searching, I found that the private key cannot be exported. You can only get the CRT file itself, and the bundle. For example, see [this discussion on Reddit](https://www.reddit.com/r/aws/comments/1cystt/downloading_arn_ssl_certificates_after_they_have/) – sameers Sep 01 '17 at 05:29
  • It is not possible to retrieve the cert key for usage in EC2, and you cannot use Elastic Load Balancing, which is supported by ACM but does not allow single targets. Thanks AWS for making a simple task very hard. – whirlwin Oct 06 '20 at 19:59

1 Answer

You can't. That's one of the points of using AWS Certificate Manager: the private keys won't leave AWS infrastructure. You can't even use AWS Certificate Manager certs on EC2 today, only on specific services. More information here and here.

Edit: You can now use private certificates issued with ACM Private CA with EC2 instances, see more info here. However, that is only useful for private networks, as major browsers won't recognize ACM Private CA by default.

Viccari
  • Is this answer still true? AWS docs say you can export a private certificate and use it with an EC2 instance: https://aws.amazon.com/certificate-manager/faqs/. – Andrew Feng Nov 11 '21 at 11:43
  • @AndrewFeng good catch. I've edited my answer. – Viccari Nov 17 '21 at 07:28
  • Just wanted to highlight that the edit says private certificates can be exported only for those issued by **ACM Private CA**. I missed that context the first time reading this. – Jason Capriotti Apr 04 '23 at 17:22
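A pre-flight check that encodes the rule the answer and the comments arrive at, as an added example (it is not code from the question, the answer, or AWS). It reads the JSON that `aws acm describe-certificate` returns and decides two things before anyone wastes time on a migration: whether the wildcard certificate actually covers the sub-domain the asker wants to serve (a wildcard matches exactly one label, so `*.example.com` covers `app.example.com` but not `a.b.example.com` or the bare apex), and whether the private key can be exported at all. Only certificates whose `Type` is `PRIVATE` (issued by ACM Private CA) can be exported with `aws acm export-certificate`; `AMAZON_ISSUED` and `IMPORTED` certificates cannot. The two metadata records are constructed samples, the ARNs are placeholders, and the CLI steps assume `jq`, `openssl`, the AWS CLI and the Heroku CLI are installed and that the export passphrase is kept in a file named `passphrase.txt`.

```python
"""Pre-flight check before trying to move an ACM certificate to another host.

Added example, not code from the question or the answers. It parses
`aws acm describe-certificate` output and reports coverage and exportability.
"""
import json

# Constructed sample shaped like `aws acm describe-certificate` output.
# ARNs and account id are placeholders, not real resources.
SAMPLE_PUBLIC = json.loads("""{
  "Certificate": {
    "CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/00000000-0000-0000-0000-000000000001",
    "DomainName": "*.example.com",
    "SubjectAlternativeNames": ["*.example.com", "example.com"],
    "Type": "AMAZON_ISSUED",
    "Status": "ISSUED"
  }
}""")

SAMPLE_PRIVATE = json.loads("""{
  "Certificate": {
    "CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/00000000-0000-0000-0000-000000000002",
    "DomainName": "*.corp.example.internal",
    "SubjectAlternativeNames": ["*.corp.example.internal"],
    "Type": "PRIVATE",
    "Status": "ISSUED"
  }
}""")


def hostname_covered(hostname, names):
    """True if one of the certificate's names covers `hostname`.

    A wildcard covers exactly one DNS label to the left of its suffix
    (RFC 6125 section 6.4.3): *.example.com covers app.example.com,
    but neither a.b.example.com nor example.com.
    """
    host = hostname.lower().rstrip(".")
    for name in names:
        n = name.lower().rstrip(".")
        if n.startswith("*."):
            suffix = n[1:]                       # ".example.com"
            if host.endswith(suffix):
                left = host[: -len(suffix)]      # part left of the suffix
                if left and "." not in left:     # exactly one label
                    return True
        elif n == host:
            return True
    return False


def export_plan(describe_output, hostname):
    """Summarise coverage and exportability; list CLI steps when export is possible."""
    cert = describe_output["Certificate"]
    names = [cert["DomainName"], *cert.get("SubjectAlternativeNames", [])]
    arn = cert["CertificateArn"]
    plan = {
        "arn": arn,
        "type": cert["Type"],
        "covers_hostname": hostname_covered(hostname, names),
        "exportable": cert["Type"] == "PRIVATE",   # ACM Private CA only
        "commands": [],
        "note": "",
    }
    if plan["exportable"]:
        plan["commands"] = [
            # --passphrase is required; the returned PrivateKey is PEM encrypted with it
            f"aws acm export-certificate --certificate-arn {arn} "
            "--passphrase fileb://passphrase.txt > export.json",
            "jq -r '.Certificate, .CertificateChain' export.json > server.crt",
            "jq -r .PrivateKey export.json > server.key.enc",
            # decrypt with the same passphrase; Heroku expects an unencrypted key
            "openssl pkey -in server.key.enc -out server.key",
            "heroku certs:add server.crt server.key",
        ]
    elif cert["Type"] == "AMAZON_ISSUED":
        plan["note"] = ("The key never leaves ACM. Obtain a certificate from another CA "
                        "for the other host, or generate your own key pair, have it "
                        "signed, and import it with `aws acm import-certificate` so you "
                        "keep a copy of the key yourself.")
    else:  # IMPORTED
        plan["note"] = "ACM does not export imported keys either; use the copy you imported."
    return plan


if __name__ == "__main__":
    for sample, host in ((SAMPLE_PUBLIC, "app.example.com"),
                         (SAMPLE_PRIVATE, "intranet.corp.example.internal")):
        print(json.dumps(export_plan(sample, host), indent=2))
```

Run against the public sample, which matches the asker's situation, the plan reports that the wildcard covers `app.example.com` but that the key is not exportable, so the only options are a certificate from another issuer or a key pair generated outside ACM. Run against the private sample, it lists the export, decrypt and `heroku certs:add` steps; keep `passphrase.txt` and the decrypted `server.key` off shared disks and delete them once the upload is done.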