
I am using AWS Certificate Manager for managing SSL. Recently I purchased a wildcard SSL certificate, `*.example-private.com`. Now I need to deploy that SSL certificate on an Enterprise Git instance on AWS.

How can I download the SSL certificate from AWS?

Shailesh Sutar
  • Side note: If you really **purchased** a certificate, it wasn't from Amazon. Theirs are free. – ceejayoz Dec 21 '16 at 13:12
  • @ceejayoz I mean I requested a wildcard SSL certificate in AWS Certificate Manager and deployed it on an ELB that I have in my account. – Shailesh Sutar Dec 21 '16 at 13:56
  • @ceejayoz Let's say I have a Git instance with the URL `git.example-private.com` and I want to deploy SSL on it. What should I do in that case? And forget about the wildcard SSL, i.e. `*.example-private.com`. – Shailesh Sutar Dec 21 '16 at 14:07
  • Put an ELB or CloudFront in front of the instance. Otherwise, you'll need to get an SSL certificate from someone else (Let's Encrypt is free and highly recommended). ACM certificates can't be downloaded for use outside of AWS's built-in integrations like ELBs and CF. – ceejayoz Dec 21 '16 at 14:58
  • @ceejayoz Thanks for the suggestion. It worked with a few tweaks according to my production environment. – Shailesh Sutar Dec 21 '16 at 17:14

4 Answers

You cannot download an SSL certificate from ACM.

ceejayoz
  • Specifically, from the [ACM FAQ](https://aws.amazon.com/certificate-manager/faqs/): You can use ACM with the following AWS services: Elastic Load Balancing, Amazon CloudFront, Amazon API Gateway, AWS Elastic Beanstalk. I was hoping to use an ACM cert on an EC2 instance... but that's not possible at this time. – geerlingguy Jul 26 '17 at 18:56
  • You now can. https://serverfault.com/a/878274/325277 – minnymauer Jun 06 '20 at 23:12
  • @rangeme No, you can't. See my comment on that answer. (To clarify: You can get the cert, but so can anyone who visits your site. The cert is public. What OP needs is the *private key*, which you still can't download.) – ceejayoz Jun 07 '20 at 02:53
  • @ceejayoz Ah yes, my apologies. – minnymauer Jun 08 '20 at 23:52
  • This answer is incorrect no matter what OP meant. You absolutely **can** download a TLS (aka SSL) certificate from ACM, as well as the entire CA certificate chain. But indeed you cannot download its associated *private key*. People will run into this question and see an absolutely incorrect accepted answer. It should be re-phrased like `You can download the SSL cert, but you cannot download its private key, therefore ACM certs cannot be used in third-party applications, like enterprise git in your case`. – Dmitry Kankalovich Sep 07 '21 at 13:59
  • Bear in mind that people might want to download TLS certs for purposes different from OP's, say, putting them in local trust stores. A completely valid case of downloading certs which has nothing to do with the inability to download the private key. – Dmitry Kankalovich Sep 07 '21 at 14:02

Note: While this can be used to fetch the (already public) certificate, it does not download the private key necessary to use that certificate outside Amazon's systems.

It is now possible to download the certificate with the following commands:

`aws acm list-certificates` / `aws acm get-certificate`

Ref: http://docs.aws.amazon.com/cli/latest/reference/acm/get-certificate.html

ceejayoz
  • Where does this document state that one can download the certificate? I didn't see any such option in that document. Could you please share the exact link? – Shailesh Sutar Oct 13 '17 at 16:24
  • So you are right Shailesh, I mistakenly pasted the wrong URL... URL updated. – Muhammad Shoaib Irtaza Oct 14 '17 at 17:46
  • This gets you the *certificate*, but you can get that with cURL or just by going to the website - it is 100% public information. It does **not** get the *private key*, which means this is useless for OP's purposes. – ceejayoz Oct 16 '17 at 13:34
  • @ceejayoz is right. When I want to download SSL, that means I want to download its private key so that I can deploy AWS ACM SSL to any server I want. I think that it's not possible to do it in any way. – Shailesh Sutar Oct 24 '17 at 18:17
  • The command is `aws acm get-certificate --certificate-arn --output text` – Akhil Nov 09 '21 at 11:29
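
The fetch described in this answer, as an added example that is not part of the original post and not AWS's own tooling: a POSIX shell script that pulls the public certificate and CA chain with `aws acm get-certificate`, splits the chain into one file per CA certificate for a local trust store (the legitimate use case Dmitry Kankalovich raises in the comments on the accepted answer), and checks that nothing resembling a private key came back. The certificate ARN and output directory are placeholders you supply; `fetch_acm_cert` needs a configured AWS CLI, while `split_pem_bundle` and `pem_has_private_key` run offline on any PEM file.

```shell
#!/bin/sh
# Added example (not from the original answer). Assumes the AWS CLI is
# configured and that the ARN passed to fetch_acm_cert is a placeholder you
# replace with your own certificate's ARN.

# Fetch the public certificate and the CA chain for one ACM certificate.
# This is public material only: ACM never exports the private key, so the
# output is suitable for trust stores or inspection, not for a TLS server.
fetch_acm_cert() {
    arn="$1"; outdir="$2"
    mkdir -p "$outdir"
    aws acm get-certificate --certificate-arn "$arn" \
        --query Certificate --output text > "$outdir/leaf.pem"
    aws acm get-certificate --certificate-arn "$arn" \
        --query CertificateChain --output text > "$outdir/chain.pem"
}

# Split a PEM bundle into one file per certificate (chain-0.pem, chain-1.pem, ...)
# so each CA certificate can be added to a local trust store individually.
# Prints the number of certificates found.
split_pem_bundle() {
    bundle="$1"; outdir="$2"
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { file = sprintf("%s/chain-%d.pem", dir, n); n++ }
        file != "" { print > file }
        /-----END CERTIFICATE-----/   { close(file); file = "" }
        END { print n + 0 }
    ' "$bundle"
}

# Exit 0 if the file contains any PEM private-key block, 1 otherwise.
# For anything fetched from ACM this must return 1; if it ever returns 0
# you are looking at a key that came from somewhere else.
pem_has_private_key() {
    grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$1"
}

# Usage (hypothetical ARN):
#   fetch_acm_cert arn:aws:acm:us-east-1:123456789012:certificate/REPLACE-ME out
#   split_pem_bundle out/chain.pem out/split
#   pem_has_private_key out/leaf.pem && echo "unexpected private key" || echo "public material only"
```

Running `pem_has_private_key` on what ACM hands back is a cheap sanity check before concluding the material can back a server: it will always report no key, which is exactly the limitation the comments describe. To see what you did get, `openssl x509 -in out/leaf.pem -noout -subject -enddate` prints the subject and expiry of the leaf certificate.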

You cannot download from ACM. From the FAQ:

Q: Can I use certificates on Amazon EC2 instances or on my own servers?

A: No. At this time, certificates provided by ACM can only be used with specific AWS services

AstroTom

You can't, but you can get a free one from https://letsencrypt.org/certificates/.

Let's Encrypt also offers an API, backed by open-source code, to update automatically.

Michael Cole