AWS – Error Importing Certificate Private Key

In order to use AWS application load balancers for HTTPS traffic, you’ll need to import your certificate into AWS using the AWS Certificate Manager (ACM).

My certificate was originally installed on a Windows IIS server and was exported as a PFX file.  Naturally this is not the right format for importing into ACM, so the first step is to convert the PFX to PEM format. I used OpenSSL for Windows to accomplish this task.

The commands are pretty straightforward and should be run from a command window in the directory to which OpenSSL was installed, by default C:\Program Files (x86)\GnuWin32\bin.  Additionally, my certificate (SSLCert.pfx) was exported to the C:\Support directory.

  • To export the Certificate body
    • openssl pkcs12 -in C:\Support\SSLCert.pfx -clcerts -nokeys -out CertBody.pem
  • To export the Private key
    • openssl pkcs12 -in C:\Support\SSLCert.pfx -nocerts -out PrivateKey.pem

With the certificate body and private key exported to the PEM format, you can now import the certificate in ACM by pasting the contents of each file into its respective section.  I pasted the PEM data into the proper sections, but when I clicked Review and import, I received an error saying that the certificate private key was not in a valid PEM format.


I had a brief Happy Gilmore moment where I admonished openssl: “Come on OpenSSL, go to your home!!  Don’t you want to create the private key file in a valid PEM format!!!”  It turns out, as these things often do, that the problem had nothing to do with openssl but with the keyboard operator.  After searching and searching to find the appropriate command for extracting the private key, I re-skimmed the AWS doc Prerequisites for Importing Certificates and saw this very enlightening bullet point:

The private key must be unencrypted. You cannot import a private key that is protected by a password or passphrase.

My private key was encrypted and protected by a password, which was visible when viewing the file contents in Notepad++.


To decrypt the private key and remove the password protection, a third OpenSSL command is required:

  • openssl rsa -in PrivateKey.pem -out PrivateKeyNoPW.pem

With that done, copy and paste the contents of the unencrypted/unpassworded (is this even a word?) PrivateKeyNoPW.pem into the CertificatePrivateKey section when importing the certificate using ACM, and the import process should complete.
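A pre-import check for the failure described above, as an added example that is not part of the original post: it reads the PEM text and reports whether the private key is still encrypted, covering both ways OpenSSL marks that (the ENCRYPTED PRIVATE KEY label, or a Proc-Type header inside an RSA PRIVATE KEY block). The function name and the sample strings are constructed for illustration.

```python
import re

# One PEM block: BEGIN line, optional RFC 1421 headers plus base64 body, END line.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\n(.*?)-----END \1-----", re.DOTALL)

def classify_private_key(pem_text):
    """Return (label, encrypted) for the first private-key block in pem_text.

    Text outside the BEGIN/END lines, such as the "Bag Attributes" preamble
    written by `openssl pkcs12`, is ignored.
    """
    text = pem_text.replace("\r\n", "\n")  # files saved on Windows use CRLF
    for match in PEM_BLOCK.finditer(text):
        label, body = match.group(1), match.group(2)
        if not label.endswith("PRIVATE KEY"):
            continue  # skip CERTIFICATE and other blocks
        if label == "ENCRYPTED PRIVATE KEY":
            return label, True  # PKCS#8: encryption is announced in the label
        # Traditional format: encryption is announced by an RFC 1421 header.
        encrypted = re.search(r"^Proc-Type:\s*4,ENCRYPTED\s*$", body, re.MULTILINE)
        return label, encrypted is not None
    raise ValueError("no private key block found")

# Constructed samples: the base64 bodies are placeholder text, not key material.
BODY = "Q09OU1RSVUNURUQgU0FNUExFIEJPRFk="
ENCRYPTED_PKCS8 = (
    "Bag Attributes\n    friendlyName: constructed-sample\n"
    "Key Attributes: <No Attributes>\n"
    "-----BEGIN ENCRYPTED PRIVATE KEY-----\n" + BODY + "\n"
    "-----END ENCRYPTED PRIVATE KEY-----\n"
)
ENCRYPTED_TRADITIONAL = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "Proc-Type: 4,ENCRYPTED\n"
    "DEK-Info: DES-EDE3-CBC,0000000000000000\n\n" + BODY + "\n"
    "-----END RSA PRIVATE KEY-----\n"
)
UNENCRYPTED = "-----BEGIN RSA PRIVATE KEY-----\n" + BODY + "\n-----END RSA PRIVATE KEY-----\n"

if __name__ == "__main__":
    for name, sample in [("pkcs8", ENCRYPTED_PKCS8), ("traditional", ENCRYPTED_TRADITIONAL),
                         ("unencrypted", UNENCRYPTED)]:
        label, encrypted = classify_private_key(sample)
        print(f"{name}: {label}, encrypted={encrypted}")
```

An encrypted=False result for PrivateKeyNoPW.pem also means the key is sitting on disk in the clear, so remove that file once the ACM import has completed.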

