2

I'm trying to import my certificate from (DigiCert) to AWS. Where I following the instruction from AWS (link) to convert my pfx to pem format.

But I get empty file when I use the command

openssl pkcs12 -in website.xyz.com.pfx -cacerts -nokeys -chain -out ca-chain.pem

to extract CA chain from pfx file. I just get an empty ca-chain.pem file.

When I try to import the certificate into ACM in AWS the shows the error Provided certificate is not a valid self signed. Please provide either a valid self-signed certificate or certificate chain.

According to the AWS article we need certificate chain to import non-AWScertificate.

How can I get my certificate chain correctly?

My OpenSSL version is OpenSSL 1.1.1m 14 Dec 2021

James
  • 31
  • 3

1 Answers1

0

This isn't specific to AWS, but an empty ca-chain.pem file seems to suggest that the PFX file doesn't contain the certificate chain at all. You may need to get a new PFX file that includes the chain.

If you're in a rush you can potentially copy the certificate chain from an existing public certificate that uses the same issuer. Try something like:

openssl s_client -showcerts -servername www.example.com -connect www.example.com:443 </dev/null

Ignore the first -----BEGIN CERTIFICATE----- block, but copy the following certificate blocks to your ca-chain.pem.

See: Using openssl to get the certificate from a server

Ben Sturmfels
  • 1,303
  • 13
  • 22