I have installed a private key (PEM encoded) and a public key certificate (PEM encoded) on an Amazon Load Balancer. However, when I check the SSL with a site test tool, I get the following error:

Error while checking the SSL Certificate!! Unable to get the local issuer of the certificate. The issuer of a locally looked up certificate could not be found. Normally this indicates that not all intermediate certificates are installed on the server.

I converted the crt file to pem using these commands from this tutorial:

openssl x509 -in input.crt -out input.der -outform DER
openssl x509 -in input.der -inform DER -out output.pem -outform PEM

During setup of the Amazon Load Balancer, the only option I left out was the certificate chain (PEM encoded). However, this was optional. Could this be the cause of my issue? And if so, how do I create a certificate chain?


If you make a request to VeriSign, they will give you a certificate chain. This chain includes the public crt, intermediate crt and root crt. Make sure to remove the public crt from your certificate chain (which is the topmost certificate) before adding it to the certification chain box of your Amazon Load Balancer.

If you are making HTTPS requests from an Android app, then the above instructions may not work for older Android OS versions such as 2.1 and 2.2. To make it work on older Android OS:

  • go here
  • click on the "retail ssl" tab and then click on "secure site" > "CA Bundle for Apache Server"
  • copy and paste these intermediate certs into the certificate chain box. Just in case you have not found it, here is the direct link.

If you are using GeoTrust certificates then the solution is much the same for Android devices; however, you need to copy and paste their intermediate certs for Android.

Aaron Copley
  • Intermediate Certificate == Chain Certificate – Chris S May 30 '12 at 04:49
  • thanks @chris, can you tell me how I can create a chain certificate? I have tried googling, however I'm really confused about how to create this chain certificate. Any suggestions or links to a tutorial are much appreciated – getmizanur May 30 '12 at 04:55
  • @getmizanur Where's this certificate from? The CA provider should be able to provide you with the PEM-encoded chain. – Shane Madden May 30 '12 at 04:57

5 Answers


Concatenate the files provided manually, in the following order:

  • site.com.crt
  • intermediate.crt (one or more, the order of these doesn't matter)
  • ROOT.crt

You can do this from a shell with the cat command:

cat site.com.crt intermediate.crt ROOT.crt > site.chain.pem

Or copy/paste them, with no whitespace between; make sure the certificates are on different lines:

site cert
intermediate cert
root cert
Eric Fortis
  • thanks @eric, I only have two files, the signed .crt and the .key. Can you tell me how I can get the intermediate and root crt files? – getmizanur May 30 '12 at 05:43
  • https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&id=AR1735 – Eric Fortis May 30 '12 at 05:49
  • concatenate the site cert with those intermediates, without root cert. – Eric Fortis May 30 '12 at 05:51
  • @EricFortis If the AWS load balancer wants a separate certificate file and chain file, it might just want the intermediate(s) and root, without the subject cert - not sure! – Shane Madden May 30 '12 at 15:28
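
An added example, not part of any answer on this page: a Python script that takes the site certificate and a CA bundle in any order and returns the chain in issuer order (each certificate followed by the one that issued it), leaving out the site certificate as the question's update advises. It links certificates by comparing raw issuer and subject names only and does not verify signatures; the function names and file arguments are illustrative.

```python
import base64
import re
import sys

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.S)

def _tlv(buf, pos):
    """Read one DER element at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def names(pem_block):
    """Return (issuer, subject) of one PEM certificate as raw DER Name bytes."""
    der = base64.b64decode("".join(pem_block.splitlines()[1:-1]))
    _, pos, _ = _tlv(der, 0)        # Certificate SEQUENCE
    _, pos, _ = _tlv(der, pos)      # tbsCertificate SEQUENCE
    tag, _, end = _tlv(der, pos)
    if tag == 0xA0:                 # optional explicit [0] version field
        pos = end
    fields = []
    for _ in range(5):              # serial, sigAlg, issuer, validity, subject
        _, _, end = _tlv(der, pos)
        fields.append(der[pos:end])
        pos = end
    return fields[2], fields[4]

def order_chain(leaf_pem, bundle_text):
    """Chain for the 'certificate chain' box: the issuer of the site cert
    first, then its issuer, and so on. The site cert itself and unrelated
    certificates are left out. Assumes issuer names are encoded byte-for-byte
    like the issuing CA's subject."""
    leaf = PEM_RE.findall(leaf_pem)[0]
    by_subject = {names(b)[1]: b for b in PEM_RE.findall(bundle_text)}
    issuer, subject = names(leaf)
    chain = []
    while issuer != subject and issuer in by_subject:
        cert = by_subject.pop(issuer)   # pop so a name loop cannot repeat
        chain.append(cert)
        issuer, subject = names(cert)
    return chain

if __name__ == "__main__":  # usage: order_chain.py site.crt bundle.crt > chain.pem
    leaf_text, bundle = (open(p).read() for p in sys.argv[1:3])
    sys.stdout.write("\n".join(order_chain(leaf_text, bundle)) + "\n")
```

An empty result means the bundle does not contain the certificate that issued the site certificate, which is the missing-intermediate condition the test tool in the question reports.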

I had issues w/ my rapid-ssl cert; as per


I could fix it by reversing the certificates in the CA bundle:


When installing an SSL certificate into Amazon Web Service (AWS) - Amazon EC2 device, you may receive the following error message.

Error: Invalid Public Key Certificate.

Cause

This problem may occur on Amazon Web Service (AWS) - Amazon EC2 device when any of the following conditions are true.

RapidSSL Intermediate CA bundle certificate is not installed on Amazon Web Service (AWS) - Amazon EC2 device
RapidSSL Intermediate CA bundle certificate is installed on Amazon Web Service (AWS) - Amazon EC2 device but the CA bundle required needs to be installed in reversed order


To resolve the error from installing RapidSSL certificate using Amazon Web Service (AWS) - Amazon EC2 device, perform the following steps.

Step 1: Download Intermediate CA Bundle Certificate

To download the Intermediate CA bundle certificate, refer to article AR1548

When viewing the CA bundle you will see two certificates stacked on top of each other. These two certificates will need to be switched. The top certificate needs to be placed on the bottom and the bottom certificate needs to be placed on top.



I had to go through the same issue. Just uploading a pem file with the following seemed to resolve the problem. It did not like the site cert at the top:

intermediate cert
root cert
Stu Thompson
  • Your answer is not very clear but looks very similar to the already given and accepted one. Is it really another answer to the question? – Læti Mar 15 '13 at 02:15
  • This answer worked for me. I followed the accepted answer by including the site cert but that didn't work. Just putting the intermediate cert and root cert as mentioned in this answer worked great! – user1258600 Sep 16 '14 at 05:00

For Comodo issued certs

    Private Key: private_key.text
    Public Key Certificate: yourdomain.crt
    Certificate Chain: combine these 2
    cat COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt > certchain.txt
    (or paste in COMODORSADomainValidationSecureServerCA.crt first, followed by COMODORSAAddTrustCA.crt)

I, too, have purchased a RapidSSL certificate and have been struggling with the "Invalid Public Key Certificate" error. I tried everything listed here, including reversing the chain certificates, omitting them, appending them to the main server certificate, etc...

In the end, I just couldn't get the error to go away. So I found another way to upload a certificate to Amazon for use with the Load Balancer (Elastic Beanstalk): There is actually a GUI that allows uploading certificates!

It's located in EC2 -> Load Balancers -> Select your load balancer -> Listeners (tab) -> Select HTTPS in the dropdown menu -> Click Select under the SSL certificate tab and a form pops up that allows you to upload your certificate!


Once I pasted the files in there, it worked like a charm!

Elad Nava
  • Also, make sure you are trying to upload an "RSA Private Key". http://stackoverflow.com/questions/17733536/how-do-i-convert-a-private-key-to-an-rsa-private-key – Elad Nava Jan 17 '14 at 14:30