Issue: unable to upload a new SSL certificate in AWS via IAM (console)

Hello,

 

Thank you for contacting AWS Support. Below is a summary of our conversation today.

 

You contacted us because you were attaching a certificate to your ELB but were getting the error “Private key was in an unrecognized format”.

 

You had a certificate from a 3rd-party Certificate Authority in .pfx format, from which you had extracted the needed files: the private key, the certificate and the certificate chain. However, we checked the format of the private key and I noticed that it was in a format different from the required format, which is RSA. Your certificate was in this format:

 

-----BEGIN ENCRYPTED PRIVATE KEY-----

-----END ENCRYPTED PRIVATE KEY-----

 

It should be in the format:

 

-----BEGIN RSA PRIVATE KEY-----

-----END RSA PRIVATE KEY-----

 

Commands used:

  1. Extract the private key without a password. The first command will request a password and requires one; don't use an empty password, it does not work. The second command asks for the password created in the first command.

openssl pkcs12 -in cert.pfx -nocerts -out key.pem
openssl rsa -in key.pem -out server.key

  2. Extract the certificate:

openssl pkcs12 -in cert.pfx -clcerts -nokeys -out cert.pem

  3. Extract the certificate chain:

openssl pkcs12 -in cert.pfx -nodes -nokeys -out chain.pem

  4. The certificate chain contains several items. You may need to remove the item that refers to your own certificate; it is at the top and is not needed. Try with and without removing the top item. After that, the remaining items should be placed in reverse order.
  5. server.key is the private key in ELB, cert.pem is the certificate in ELB, and chain.pem (the output of the chain extraction step, after reordering) is the certificate chain.

Good luck!
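As an added example (not part of the AWS Support summary or the notes above), the following POSIX sh helpers do the two checks those steps leave to the reader: report which PEM header a key file carries (so an ENCRYPTED PRIVATE KEY is caught before the upload fails) and turn the chain.pem written by "openssl pkcs12 -nodes -nokeys" into the leaf-stripped, reversed chain described in step 4. The sample PEM files are constructed with fake bodies so the script runs offline without openssl; file names and the "Bag Attributes" preamble mirror what the openssl commands above produce.

```shell
#!/bin/sh
# Added example, not from the AWS Support summary: POSIX sh helpers that check
# a private key's PEM header and build an ELB-ready chain from chain.pem.
# Only sed, awk and grep are used; openssl is not required.

# Print the key format implied by the first PEM header in the file:
# rsa-traditional (what the ELB/IAM upload accepted), pkcs8-encrypted
# (the "unrecognized format" case from the summary), pkcs8-plain, ec or unknown.
key_format() {
    header=$(sed -n '/^-----BEGIN/{p;q;}' "$1")
    case "$header" in
        "-----BEGIN RSA PRIVATE KEY-----")       echo rsa-traditional ;;
        "-----BEGIN ENCRYPTED PRIVATE KEY-----") echo pkcs8-encrypted ;;
        "-----BEGIN PRIVATE KEY-----")           echo pkcs8-plain ;;
        "-----BEGIN EC PRIVATE KEY-----")        echo ec ;;
        *)                                       echo unknown ;;
    esac
}

# Number of certificate blocks in a PEM bundle (0 when there are none).
count_certs() {
    n=$(grep -c -- '^-----BEGIN CERTIFICATE-----' "$1" || true)
    echo "$n"
}

# Print the Nth certificate block (1-based) of a PEM bundle, without any
# "Bag Attributes" or subject lines that openssl pkcs12 writes before it.
nth_cert() {
    awk -v want="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++ }
        n == want { print }
        /-----END CERTIFICATE-----/ && n == want { exit }
    ' "$1"
}

# Build the chain to paste into the ELB "certificate chain" field:
#  - drop the first block of chain.pem if it is the server certificate itself
#    (i.e. identical to the first block of cert.pem)
#  - emit the remaining blocks in reverse order, as step 4 above describes
build_chain() {
    chain=$1; leaf=$2
    total=$(count_certs "$chain")
    start=1
    if [ "$(nth_cert "$chain" 1)" = "$(nth_cert "$leaf" 1)" ]; then
        start=2
    fi
    i=$total
    while [ "$i" -ge "$start" ]; do
        nth_cert "$chain" "$i"
        i=$((i-1))
    done
}

# Constructed sample files (fake base64 bodies, not real certificates or keys)
# so the helpers can be exercised offline. Prints the directory they live in.
make_samples() {
    dir=$(mktemp -d)
    leaf="-----BEGIN CERTIFICATE-----
MIIBCONSTRUCTEDLEAFCERTIFICATE
-----END CERTIFICATE-----"
    inter="-----BEGIN CERTIFICATE-----
MIIBCONSTRUCTEDINTERMEDIATE
-----END CERTIFICATE-----"
    root="-----BEGIN CERTIFICATE-----
MIIBCONSTRUCTEDROOT
-----END CERTIFICATE-----"
    # cert.pem as "openssl pkcs12 -clcerts -nokeys" writes it: preamble, then the leaf
    printf '%s\n%s\n%s\n%s\n' 'Bag Attributes' '    localKeyID: 01' 'subject=/CN=example' "$leaf" > "$dir/cert.pem"
    # chain.pem as "-nodes -nokeys" writes it: leaf on top, then intermediate, then root
    printf '%s\n%s\n%s\n' "$leaf" "$inter" "$root" > "$dir/chain.pem"
    # key.pem as "openssl pkcs12 -nocerts" writes it (encrypted PKCS#8) and
    # server.key after "openssl rsa" (traditional RSA)
    printf '%s\n%s\n%s\n' '-----BEGIN ENCRYPTED PRIVATE KEY-----' 'MIICONSTRUCTED' '-----END ENCRYPTED PRIVATE KEY-----' > "$dir/key.pem"
    printf '%s\n%s\n%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'MIICONSTRUCTED' '-----END RSA PRIVATE KEY-----' > "$dir/server.key"
    echo "$dir"
}

# Demo run over the constructed samples.
dir=$(make_samples)
echo "key.pem:    $(key_format "$dir/key.pem")"     # pkcs8-encrypted
echo "server.key: $(key_format "$dir/server.key")"  # rsa-traditional
echo "chain for ELB (leaf removed, order reversed):"
build_chain "$dir/chain.pem" "$dir/cert.pem"
rm -rf "$dir"
```

On real files, run key_format on the key before pasting it into the console, and compare build_chain's output with the original chain.pem; step 4 says to try both with and without the top item removed, so if the ELB rejects the stripped chain, the unstripped one (nth_cert over every block in reverse) is the other candidate.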

 

I recommended the following command to convert to the appropriate format:

 

openssl rsa -in key.pem -out key-rsa.pem

 

After that, you tried again to upload the certificate directly to the ELB. You pasted the private key, the certificate body and the certificate chain, and now you weren’t getting the unrecognized format error but a different one: “Server Certificate not found for the key”. We have seen an issue where the certificate upload to IAM fails if you do it during ELB creation in the AWS Console. A potential cause is that it takes a while for the uploaded certificate to propagate internally through the IAM database. If the ELB tries to fetch the certificate in this timeframe, it will throw an error like the one you received, due to the inconsistency.

 

If you run into this error again in the future, you can follow this workaround instead:

 

  1. Upload the certificate to IAM via the AWS CLI before running the ELB creation process in the AWS Console, using the following example command:

$ aws iam upload-server-certificate --server-certificate-name ExampleCertificate --certificate-body file://Certificate.pem --certificate-chain file://CertificateChain.pem --private-key file://PrivateKey.pem

 

  2. Once uploaded, please run the following command to verify your certificate is in IAM:

$ aws iam list-server-certificates

 

  3. Now go to your ELB in the AWS Console and, at the certificate selection step, select the option ‘Choose an existing certificate from AWS Identity and Access Management (IAM)’ and pick your certificate.
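As an added example of the workaround above (not part of the AWS Support summary), a small sh script that uploads the three PEM files with the AWS CLI and then polls IAM until the certificate can be read back, so the ELB wizard is only started once propagation has finished. It assumes an installed and configured AWS CLI; the certificate name and file names are placeholders, and the retry count and delay are the example's own choices.

```shell
#!/bin/sh
# Added example, not from the AWS Support summary. Assumes the AWS CLI is
# installed and configured. Names and files below are placeholders.

# Upload a certificate body, chain and private key under the given IAM name
# (same command as in step 1 above, wrapped in a function).
upload_iam_cert() {
    name=$1; body=$2; chain=$3; key=$4
    aws iam upload-server-certificate \
        --server-certificate-name "$name" \
        --certificate-body "file://$body" \
        --certificate-chain "file://$chain" \
        --private-key "file://$key"
}

# Poll IAM until the certificate is readable. Returns 0 as soon as
# get-server-certificate succeeds, 1 after $2 failed tries; waits $3 seconds
# (default 5) between tries. This is the propagation window the summary
# describes: the ELB console should only be used once this returns 0.
wait_for_iam_cert() {
    name=$1; tries=$2; delay=${3:-5}
    i=1
    while [ "$i" -le "$tries" ]; do
        if aws iam get-server-certificate --server-certificate-name "$name" >/dev/null 2>&1; then
            return 0
        fi
        i=$((i+1))
        sleep "$delay"
    done
    return 1
}

# Usage with placeholder names (not run here):
# upload_iam_cert ExampleCertificate Certificate.pem CertificateChain.pem PrivateKey.pem
# wait_for_iam_cert ExampleCertificate 12 5 && echo "visible in IAM: choose it in the ELB console"
# aws iam list-server-certificates   # step 2 above, for a manual check
```

wait_for_iam_cert uses get-server-certificate rather than list-server-certificates because it asks for the one name you just uploaded and fails cleanly while that name is not yet visible, which is exactly the condition the ELB wizard was tripping over.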

 

After that error was cleared you were able to attach the certificate to the ELB. Next, you had another certificate in a .pfx file for which you had to do the same process:

 

You extracted the key with this command:

openssl pkcs12 -in cert.pfx -nocerts -out key.pem

 

Then you converted the key to RSA format with:

openssl rsa -in key.pem -out key-rsa.pem

 

To extract the certificate:

openssl pkcs12 -in cert.pfx -clcerts -nokeys -out cert.pem

 

To extract the certificate chain:

openssl pkcs12 -in cert.pfx -nodes -nokeys -out chain.pem

 

Then you were able to upload and attach the certificate to the ELB using the same procedure used for the first certificate.

 

Finally, we verified the validity of both certificates using the Certificate Decoder tool in:

 

https://www.sslshopper.com/certificate-decoder.html
