5

I am using AWS and I have used ACM to generate a certificate. (This process is different from what I am used to, where I generate a certificate signing request and give it to a signing authority.) I requested a certificate:

[Image: AWS Certificate]

Now I am trying to install it using the instructions from AWS:

```
aws iam get-server-certificate --server-certificate-name <<ExampleCertificate>>
```

Only, when I replace <<ExampleCertificate>> with the name of my certificate, I am not sure what I am supposed to replace it with. Notice that in the picture above, the Name column for my AWS certificate is blank. (Note: I made sure to give the IAM user that is configured with API IAMFullAccess temporarily to do this so there aren't permission issues.) If I try to use the domain name xxxxx.com as the name, I am told this message:

```
A client error (NoSuchEntity) occurred when calling the GetServerCertificate operation: 
The Server Certificate with name xxxxxxxx.com cannot be found.
```

This happens when I use the identifier and the ARN also.

My end goal is to have a signed SSL certificate on NGINX to serve the web content of my EC2 instance.

A: Is this the right track? (Are these the right preliminary steps?)

B: If so, what do I use to reference the certificate? Or do I use a different API?

Michael Plautz
  • Have you tried to run `aws iam` with the list certificate options? That may give you the name that you need. – Akber Choudhry Aug 27 '17 at 19:44
  • 1
    *"My end goal is to have a signed SSL certificate on NGINX"* That isn't a supported use for ACM certificates. The question, though it isn't initially apparent, is actually a duplicate of [How to add SSL certificate to AWS EC2 with the help of new AWS Certificate Manager service](https://stackoverflow.com/a/34947410/1695906). – Michael - sqlbot Aug 28 '17 at 03:10
  • @Michael-sqlbot thanks. It always kills me that after hours of searching (and even writing up this question!!) that I could not find that question first. I certainly would've avoided asking if I had seen that one. – Michael Plautz Aug 28 '17 at 11:10
  • 1
    Understood. Sometimes it helps to take a step back and search for what you are trying to ultimately accomplish, rather than where you are stuck in your attempt at trying to solve it. As of right now, googling `use acm certificate on ec2 instance` yields 4 hits to AWS pages, then the linked Stack Overflow Question and Answer is hit #5. – Michael - sqlbot Aug 29 '17 at 01:43

1 Answer

9

You have to use the AWS ACM API (IAM certificates and ACM certificates are different). The equivalent API is GetCertificate in ACM:

```
aws acm get-certificate --certificate-arn arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012
```

Now, I think you are trying to get the certificate and the chain to use it on your instance, but an Amazon-issued certificate cannot be used with EC2 instances, as you can't get the private key. You have to use the certificate with ELB.

If you want to install an SSL certificate on your instance, you can get a certificate from another CA or use a Let's Encrypt certificate (which is free as well).

MCWhitaker
sudo
  • 1
    Thank goodness for SO, because it is always very difficult to get conceptual questions like "can I use an ACM certificate for NGINX SSL?" answered from documentation. This is why I rely on community experts to steer me in the right direction, and this is the answer I was looking for. – Michael Plautz Aug 28 '17 at 11:12
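
The IAM/ACM split described in the answer, as an added example that is not part of the original thread or AWS's own tooling: a shell function that maps a certificate identifier to the CLI call able to resolve it, without contacting AWS. The function name `cert_lookup_cmd`, the IAM ARN and `example.com` are constructed for illustration, and a bare value is assumed to be a domain name.

```shell
#!/usr/bin/env bash
# Added example: choose the AWS CLI call that matches a certificate identifier.
# It only prints the command to run; it never calls AWS itself.

# cert_lookup_cmd IDENTIFIER  (hypothetical helper name)
# Prints the matching command and returns 0; returns 1 for an ARN that
# belongs to neither ACM nor IAM server certificates.
cert_lookup_cmd() {
  local id="$1" region name
  case "$id" in
    arn:aws:acm:*:certificate/*)
      # ACM certificates are addressed by ARN; the region is the 4th ARN field.
      region="$(printf '%s' "$id" | cut -d: -f4)"
      printf 'aws acm get-certificate --region %s --certificate-arn %s\n' "$region" "$id"
      ;;
    arn:aws:iam::*:server-certificate/*)
      # IAM server certificates are addressed by name: the last path segment.
      name="${id##*/}"
      printf 'aws iam get-server-certificate --server-certificate-name %s\n' "$name"
      ;;
    arn:*)
      printf 'not a certificate ARN: %s\n' "$id" >&2
      return 1
      ;;
    *)
      # Assumption: a bare value is a domain name. ACM has no lookup by domain,
      # so list the certificates and filter for the ARN first.
      printf "aws acm list-certificates --query \"CertificateSummaryList[?DomainName=='%s'].CertificateArn\" --output text\n" "$id"
      ;;
  esac
}

# Constructed sample identifiers (the ACM ARN is the placeholder from the answer).
for sample in \
  "arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012" \
  "arn:aws:iam::123456789012:server-certificate/ExampleCertificate" \
  "example.com"
do
  cert_lookup_cmd "$sample" || true
done
```

Whichever branch applies, the ACM call returns only the certificate and its chain, which is why the answer points to ELB rather than NGINX.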