4

I'm trying to import some SSL certificates in PEM format into AWS ACM via the AWS CLI. The certificates come from an nginx installation. When I try to import them with the following command:

aws acm import-certificate --certificate ssl.website.com.crt --private-key ssl.website.com.key --region us-east-2 --profile default

I get this error:

An error occurred (ValidationException) when calling the ImportCertificate operation: The certificate field contains more than one certificate. You can specify only one certificate in this field.

I'm no expert with openssl, but AFAICS there's only one certificate in the PEM file; there's only one BEGIN/END CERTIFICATE section. I found this command on this Stack Overflow post to print the certificates in a PEM file, and I only see one certificate in its output:

openssl crl2pkcs7 -nocrl -certfile ssl.website.com.crt | openssl pkcs7 -print_certs -noout
subject=OU = Domain Control Validated, CN = website.com

issuer=C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", OU = http://certs.godaddy.com/repository/, CN = Go Daddy Secure Certificate Authority - G2

So why is ACM rejecting this certificate? Or am I (very probably) doing my checks the wrong way, and is there indeed a second certificate inside that PEM file?

Juancho
  • 196

5 Answers

2

Solved it, you must prefix the value of all parameters with 'file://', like this:

aws acm import-certificate --certificate file://ssl.website.com.crt --private-key file://ssl.website.com.key --certificate-chain file://ssl.website.com.ca --region us-east-2 --profile default

I was following this documentation which does not mention this.

Juancho
  • 196
1

The documentation says that. Maybe you missed it.

When you import a certificate by using the CLI, you must specify the certificate, the certificate chain, and the private key by their file names preceded by fileb://. For example, you can specify a certificate saved in the C:\temp folder as fileb://C:\temp\certificate_to_import.pem. If you are making an HTTP or HTTPS Query request, include these arguments as BLOBs.


0

In my case the certificate file contained multiple -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- sections - I needed to use the first one and the following ones were the certificate chain.

tschumann
  • 109
0

I had the same issue, and finally got the solution.

This is a bug in AWS CLI because the certificate is valid. However, in my case, the cert file had an extra space at the end of each line (I don't know why our certificate authority - Sectigo in that case - generated such weird certificates, by the way). Removing these extra spaces fixed the issue.

This is as easy as:

$ perl -i -pe 's/ $//gm' certificate_file.crt
Orabîg
  • 259
0

I had this error in the AWS console; the problem was an extra space at the end of the first line (after -----BEGIN CERTIFICATE-----).