Here I will explain the steps to upload a custom SSL certificate to Amazon Web Services (AWS) Identity and Access Management (IAM) using the AWS Command Line Interface (CLI).
Step 1: First, install the command line interface on your machine. From the URL below you can get the installer for Windows, both 64-bit and 32-bit.
Note: A Linux version is also available.
Step 2: An .MSI setup file will be downloaded from the above link. After the download completes, run the installer by double-clicking it.
Note the installation location, which is marked in the screenshot below.
Once the installation is done, you should configure the command line window to connect to your AWS account.
Step 3: Open the AWS command line interface from the installation location you noted down in the step above.
Open a command prompt in administrator mode. You can simply type “cmd” in the Run window.
You need to change the current directory to the path where the command line interface is installed.
The installed path is “C:\Program Files\Amazon\AWSCLI\bin”; this is the path you noted down in step 2.
To change the directory in the command window, use the command below.
Example: cd C:\Program Files\Amazon\AWSCLI\bin
To check that it is working, you can use the aws help command, which lists and explains all the available commands.
To exit the help, type “q” (quit).
Step 4: Now you should configure the command line to connect to your AWS account. To configure this, you need the four values below (dummy keys shown):
AWS Access Key ID: AKIXXXXXXXXXXXXXXXE
AWS Secret Access Key: wsDTfgeTUSsdf/K7MDWCF/bPxRfiCYWERSARDFQX
Default region name: us-east-1
Default output format: json
To create a new access key, you can refer to this post.
Use the aws configure command to set this up.
It will ask for the above four values one by one; enter each of them. Once all details are entered, your AWS account is configured.
Note: You can get your AWS access key and secret key from AWS IAM by logging in to your console.
Step 5: Now you can upload your certificate to IAM using the required commands.
First, use the command below to list the certificates that are already uploaded.
List all Uploaded Server Certificates
aws iam list-server-certificates
To upload a new certificate, use the command below.
aws iam upload-server-certificate --server-certificate-name www.mydomain.com --certificate-body file://mycertificate_file.pem --private-key file://myprivate_key.pem --certificate-chain file://mycertificate_chain_file.pem --path /cloudfront/
--server-certificate-name: This can be any name used to refer to the uploaded certificate. Use a meaningful name related to your domain.
--certificate-body: The location of the actual certificate file. The certificate must be in PEM format, and the file must contain only the main (server) certificate; do not include the intermediate or root certificates in it.
--private-key: The location of the private key file for your certificate. This needs to be in PEM format:
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
--certificate-chain: The location of the intermediate certificate file, in PEM format. A certificate chain contains one or more intermediate certificates; do not include the main certificate or the root certificate in the chain file:
Intermediate Certificate 1
Intermediate Certificate 2
Note: If you have only one intermediate certificate, the chain file contains just that one.
Note: You can copy all the certificate files into the folder “C:\Program Files\Amazon\AWSCLI\bin”, so there is no need to give the full path in the command, because the CLI resolves file:// paths relative to the current directory. The file location can then be simply file://mycertificate_file.pem.
--path: We are uploading the server certificate for use with AWS CloudFront, so we must specify a path using the --path option. The path must begin with /cloudfront and must include a trailing slash (for example, /cloudfront/test/). Once the command executes, your certificate is uploaded to AWS IAM. You will see the certificate details after a successful upload; otherwise an error is thrown.
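Most failed uploads come from the three files not having the shape described above (the chain repeating the main certificate, the body holding more than one certificate, a path without the trailing slash). The script below is an added example, not part of the original post or of the AWS CLI: it checks the three PEM files against those rules, builds the exact argument list of the upload command, and only then hands off to the aws executable (assumed installed as in step 1). The file names and the PEM payloads in SAMPLE_BODY, SAMPLE_KEY and SAMPLE_CHAIN are constructed dummies, not real certificates or keys.

```python
"""Pre-flight checks before running `aws iam upload-server-certificate`.

Added example (not the post's or AWS's own code). It validates the PEM files
structurally (block labels and counts) and does not verify signatures or
whether the private key matches the certificate.
"""
import re
import subprocess
import sys

# Matches one PEM block and captures its label ("CERTIFICATE", "RSA PRIVATE KEY", ...)
# and its base64 payload. The backreference \1 makes the BEGIN and END labels agree.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.DOTALL)
PRIVATE_KEY_LABELS = {"RSA PRIVATE KEY", "EC PRIVATE KEY", "PRIVATE KEY"}


def pem_blocks(text):
    """Return (label, payload) pairs for every PEM block, payload whitespace stripped."""
    return [(m.group(1), "".join(m.group(2).split())) for m in PEM_BLOCK.finditer(text)]


def check_certificate_body(body):
    """--certificate-body: exactly one CERTIFICATE block (the leaf) and no key material."""
    labels = [label for label, _ in pem_blocks(body)]
    problems = []
    if labels.count("CERTIFICATE") != 1:
        problems.append(f"certificate body must hold exactly one CERTIFICATE block, "
                        f"found {labels.count('CERTIFICATE')}")
    if any(label in PRIVATE_KEY_LABELS for label in labels):
        problems.append("certificate body contains a private key block; keep the key in its own file")
    return problems


def check_private_key(key):
    """--private-key: exactly one PEM private-key block."""
    labels = [label for label, _ in pem_blocks(key)]
    if len(labels) != 1 or labels[0] not in PRIVATE_KEY_LABELS:
        return ["private key file must hold exactly one PEM private-key block"]
    return []


def check_certificate_chain(chain, body):
    """--certificate-chain: one or more CERTIFICATE blocks, none of them the leaf itself."""
    blocks = pem_blocks(chain)
    problems = []
    if not blocks or any(label != "CERTIFICATE" for label, _ in blocks):
        problems.append("certificate chain must hold one or more CERTIFICATE blocks and nothing else")
    leaf_payloads = {payload for label, payload in pem_blocks(body) if label == "CERTIFICATE"}
    if any(payload in leaf_payloads for _, payload in blocks):
        problems.append("certificate chain repeats the main certificate; it should hold intermediates only")
    return problems


def check_cloudfront_path(path):
    """--path for CloudFront use must begin with /cloudfront and end with a slash."""
    if not path.startswith("/cloudfront/") or not path.endswith("/"):
        return [f"path {path!r} must begin with /cloudfront and end with a trailing slash"]
    return []


def preflight(body, key, chain, path="/cloudfront/"):
    """Collect every problem found; an empty list means the files look ready to upload."""
    return (check_certificate_body(body) + check_private_key(key)
            + check_certificate_chain(chain, body) + check_cloudfront_path(path))


def build_upload_command(name, body_file, key_file, chain_file, path="/cloudfront/"):
    """The argv the post's upload command expands to (file:// prefixes as the CLI expects)."""
    return ["aws", "iam", "upload-server-certificate",
            "--server-certificate-name", name,
            "--certificate-body", f"file://{body_file}",
            "--private-key", f"file://{key_file}",
            "--certificate-chain", f"file://{chain_file}",
            "--path", path]


# Constructed sample files: dummy base64 payloads, not real certificates or keys.
SAMPLE_BODY = "-----BEGIN CERTIFICATE-----\nTEVBRkNFUlQ=\n-----END CERTIFICATE-----\n"
SAMPLE_KEY = "-----BEGIN RSA PRIVATE KEY-----\nS0VZREFUQQ==\n-----END RSA PRIVATE KEY-----\n"
SAMPLE_CHAIN = ("-----BEGIN CERTIFICATE-----\nSU5URVJNMQ==\n-----END CERTIFICATE-----\n"
                "-----BEGIN CERTIFICATE-----\nSU5URVJNMg==\n-----END CERTIFICATE-----\n")


def main(argv):
    """Usage: upload_check.py NAME body.pem key.pem chain.pem [/cloudfront/subpath/]"""
    if len(argv) < 5:
        print(main.__doc__)
        return 2
    name, body_file, key_file, chain_file = argv[1:5]
    path = argv[5] if len(argv) > 5 else "/cloudfront/"
    texts = [open(f, encoding="ascii").read() for f in (body_file, key_file, chain_file)]
    problems = preflight(*texts, path)
    if problems:
        print("\n".join("error: " + p for p in problems))
        return 1
    # Files pass the structural checks: run the real CLI command (aws assumed on PATH).
    return subprocess.run(build_upload_command(name, body_file, key_file, chain_file, path)).returncode


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it from the folder holding the three files, e.g. upload_check.py www.mydomain.com mycertificate_file.pem myprivate_key.pem mycertificate_chain_file.pem, and it refuses to call aws until every problem it prints is fixed. The chain check catches the common mistake of pasting the main certificate into the chain file by comparing payloads, so it works without any X.509 parsing library.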
Delete the Uploaded Certificate
You can delete a certificate using the command below.
aws iam delete-server-certificate --server-certificate-name <certificate-name>
aws iam delete-server-certificate --server-certificate-name www.test.com