8/29/22, 4:32 PM How to import PFX-formatted certificates into AWS Certificate Manager using OpenSSL | AWS Security Blog

AWS Security Blog

How to import PFX-formatted certificates into AWS Certificate Manager using OpenSSL

by Praveen Kumar Jeyarajan and Viyoma Sachdeva | on 24 AUG 2020 | in Advanced (300), AWS Certificate Manager, Security, Identity, & Compliance

In this blog post, we show you how to import PFX-formatted certificates into AWS Certificate Manager (ACM) using
OpenSSL tools.

Secure Sockets Layer and Transport Layer Security (SSL/TLS) certificates are small data files that digitally bind a
cryptographic key pair to an organization’s details. The key pair is used to secure network communications and
establish the identity of websites over the internet and on private networks. These certificates are usually issued by a
trusted certificate authority (CA). A CA acts as a trusted third party—trusted both by the subject (owner) of the
certificate and by the party relying upon the certificate. The format of these certificates is specified by the X.509 or
Europay, Mastercard, and Visa (EMV) standards. SSL/TLS certificates issued by a trusted CA are usually encoded in
Personal Information Exchange (PFX) or Privacy-Enhanced Mail (PEM) format.

ACM lets you easily provision, manage, and deploy public and private SSL/TLS certificates for use with Amazon Web
Services (AWS) and your internal connected resources. Certificates can be imported from outside AWS, or created
using AWS tools. Certificates can be used to help with ACM-integrated AWS resources, such as Elastic Load
Balancing, Amazon CloudFront distributions, and Amazon API Gateway.

To import a self-signed SSL/TLS certificate into ACM, you must provide the certificate and its private key in PEM
format. To import a signed certificate, you must also include the certificate chain in PEM format. Prerequisites for
Importing Certificates provides more detail.

Sometimes, the trusted CA issues the certificate, private key, and certificate chain details in PFX format. In this post,
we show you how to convert a PFX-encoded certificate into PEM format and then import it into ACM.

Solution

The following solution converts a PFX-encoded certificate to PEM format using the OpenSSL command line tool. The
certificate is then imported into ACM.

Figure 1: Use the OpenSSL Toolkit to convert the certificate, then import the certificate into ACM

The solution has two parts, shown in the preceding figure:

1. Use the OpenSSL Toolkit to convert the PFX-encoded certificate into PEM format.
2. Import the PEM certificate into ACM.


Prerequisites

We use the OpenSSL toolkit to convert a PFX encoded certificate to PEM format. OpenSSL is an open source toolkit
for manipulating cryptographic files. It’s also a general-purpose cryptography library.

For this post, we use a password-protected PFX-encoded file—website.xyz.com.pfx—with an X.509 standard CA-signed
certificate and 2048-bit RSA private key data.

1. Download and install the OpenSSL toolkit.
   If you’re using Linux, download and install the latest TAR file from OpenSSL Downloads.
   If you’re using Windows, use the file available from Shining Light Productions.
2. Add the OpenSSL binaries location to your system PATH variable, so that the binaries are available for
   command line use.

Convert the PFX-encoded certificate into PEM format

Run the following commands to convert a PFX-encoded SSL certificate into PEM format. The procedure requires the
PFX-encoded certificate and the passphrase used for encrypting it.

The procedure converts the PFX-encoded signed certificate file into three files in PEM format.

cert-file.pem – PEM file containing the SSL/TLS certificate for the resource.
withoutpw-privatekey.pem – PEM file containing the private key of the certificate with no password
protection.
ca-chain.pem – PEM file containing the root certificate of the CA.

To convert the PFX-encoded certificate

1. Use the following command to extract the certificate private key from the PFX file. If your certificate is
secured with a password, enter it when prompted. The command generates a PEM-encoded private key file
named privatekey.pem. Enter a passphrase to protect the private key file when prompted to Enter a PEM
pass phrase.

openssl pkcs12 -in website.xyz.com.pfx -nocerts -out privatekey.pem

Figure 2: Prompt to enter a PEM pass phrase


2. The previous step generates a password-protected private key. To remove the password, run the following
command. When prompted, provide the passphrase created in step 1. If successful, you will see writing RSA
key.

openssl rsa -in privatekey.pem -out withoutpw-privatekey.pem

Figure 3: Writing RSA key

3. Use the following command to transfer the certificate from the PFX file to a PEM file. This creates the
PEM-encoded certificate file named cert-file.pem. If successful, you will see MAC verified OK.

openssl pkcs12 -in website.xyz.com.pfx -clcerts -nokeys -out cert-file.pem

Figure 4: MAC verified OK

4. Finally, use the following command to extract the CA chain from the PFX file. This creates the CA chain file
named ca-chain.pem. If successful, you will see MAC verified OK.

openssl pkcs12 -in website.xyz.com.pfx -cacerts -nokeys -chain -out ca-chain.pem

Figure 5: MAC verified OK

When the preceding steps are complete, the PFX-encoded signed certificate file is split and returned as three files in
PEM format, shown in the following figure. To view the list of files in a directory, enter the command dir in
Windows or type the command ls -l in Linux.


cert-file.pem
withoutpw-privatekey.pem
ca-chain.pem

Figure 6: PEM-formatted files

Import the PEM certificates into ACM

Use the ACM console to import the PEM-encoded SSL certificate. You need the PEM files containing the SSL
certificate (cert-file.pem), the private key (withoutpw-privatekey.pem), and the root certificate of the CA
(ca-chain.pem) that you created in the previous procedure.

To import the certificates

1. Open the ACM console. If this is your first time using ACM, look for the AWS Certificate Manager heading and
select the Get started button.
2. Select Import a certificate.
3. Add the files you created in the previous procedure:
a. Use a text-editing tool such as Notepad to open cert-file.pem. Copy the lines beginning at -----BEGIN
CERTIFICATE----- and ending with -----END CERTIFICATE-----. Paste them into the Certificate body text box.
b. Open withoutpw-privatekey.pem. Copy the lines beginning at -----BEGIN RSA PRIVATE KEY----- and
ending with -----END RSA PRIVATE KEY-----. Paste them into the Certificate private key text box.
c. For Certificate chain, copy and paste the lines starting at -----BEGIN CERTIFICATE----- and ending with
-----END CERTIFICATE----- in the file ca-chain.pem.


Figure 7: Add the files to import the certificate

4. Select Next and add tags for the certificate. Each tag is a label consisting of a key and value that you define.
Tags help you manage, identify, organize, search for, and filter resources.
5. Select Review and import.
6. Review the information about your certificate, then select Import.

Conclusion

In this post, we discussed how you can use OpenSSL tools to import a PFX-encoded SSL/TLS certificate into ACM.
You can use the imported certificate with any ACM-integrated AWS service. ACM makes it easier to set up SSL/TLS
for a website or application on AWS. ACM can replace many of the manual processes usually associated with using
and managing SSL/TLS certificates. ACM can also manage renewals, which can help you avoid downtime due to
misconfigured, revoked, or expired certificates. You can renew an imported certificate by obtaining and importing a
new certificate from your certificate issuer, or you can request a new certificate from ACM.


TAGS: ACM, Security Blog, SSL certificate
