Workaround for AWS IAM SSL certificate upload error for StartSSL cert

Posted on 2015-01-07


Amazon (AWS) CloudFront now supports using a custom SSL certificate, so you can use your own domain name for HTTPS requests instead of the default CloudFront domain name. Setup via the CloudFront console is easy: just pick the appropriate certificate from the list of certificates you have uploaded to AWS IAM.

However, the IAM web console has no way to upload the certificate. You have to use the AWS CLI. Not hard, just a lot of parameters.


The command line blows up with a cryptic error:

A client error (EntityAlreadyExists) occurred when calling the UploadServerCertificate operation: The Server Certificate with name already exists.


Run the private key through openssl, which rewrites it in the traditional RSA PEM format (and prefixes a text dump of the key components):

openssl rsa -in example.key -text >

Then delete everything up to the line -----BEGIN RSA PRIVATE KEY----- and save the result as example-aws.key.

Step-by-Step Example

Generate a private key and a certificate signing request:

openssl req -newkey rsa:2048 -nodes -sha256 -keyout example.key -out example.csr

You should now have two files: example.key and example.csr.

Upload the CSR to StartSSL and go through their certificate wizard. Save the resulting certificate as example.crt.

Convert the private key to a format acceptable to AWS:

openssl rsa -in example.key -text >

Strip out everything except the RSA private key block. The following sed command line will do it for you, but any text editor will work:

sed '/-----BEGIN RSA PRIVATE KEY-----/,$!d' >

Make the certificate chain. Download the appropriate StartSSL intermediate and root certificates and concatenate them (just with each other, not with your new certificate):

cat ca.pem >chain.crt

Upload to AWS IAM:

aws iam upload-server-certificate --path /cloudfront/example/ --server-certificate-name example --certificate-body file://example.crt --private-key file:// --certificate-chain file://chain.crt
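As an added example (not from the original post), the shell functions below automate the key clean-up step and check the result before you hand it to upload-server-certificate: the file must start with the RSA PRIVATE KEY header, end with the footer, and contain none of the text-dump lines that openssl rsa -text prints. The sample dump is constructed with a placeholder body, not a real key.

```shell
#!/bin/sh
# Added example, not part of the original post.

# Keep only the lines from the RSA PRIVATE KEY header to end of file, so the
# text dump (modulus, exponents, primes) that precedes it is dropped.
extract_rsa_key() {
    sed '/-----BEGIN RSA PRIVATE KEY-----/,$!d' "$1"
}

# Return 0 if the file looks like a bare PKCS#1 key that IAM accepts:
# header on the first line, footer on the last, no dump lines in between.
check_iam_key() {
    f=$1
    first=$(head -n 1 "$f")
    last=$(tail -n 1 "$f")
    [ "$first" = "-----BEGIN RSA PRIVATE KEY-----" ] || return 1
    [ "$last" = "-----END RSA PRIVATE KEY-----" ] || return 1
    # Any leftover line from the openssl text dump disqualifies the file.
    if grep -Eq '^(Private-Key:|modulus:|publicExponent:|privateExponent:|prime[12]:|exponent[12]:|coefficient:)' "$f"; then
        return 1
    fi
    return 0
}

# Constructed sample of what `openssl rsa -in example.key -text` writes to
# stdout; the PEM body is a placeholder, not a real key.
make_sample_dump() {
    cat > "$1" <<'EOF'
Private-Key: (2048 bit)
modulus:
    00:c3:ab:00:11:22:33:44:55:66:77:88:99:aa:bb:cc:
publicExponent: 65537 (0x10001)
privateExponent:
    00:9f:1e:aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:66:
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAPLACEHOLDERNOTAREALKEY
-----END RSA PRIVATE KEY-----
EOF
}

demo() {
    tmp=$(mktemp -d)
    make_sample_dump "$tmp/dump.txt"
    extract_rsa_key "$tmp/dump.txt" > "$tmp/example-aws.key"
    check_iam_key "$tmp/dump.txt" || echo "raw dump rejected (expected)"
    check_iam_key "$tmp/example-aws.key" && echo "example-aws.key ready for IAM upload"
    rm -rf "$tmp"
}
```

Running check_iam_key on the raw dump fails and on the stripped file succeeds, which is the distinction that the CLI error message does not make for you.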


Extracted from a long thread in the AWS support forum.

Tags: aws ssl certificate aws-iam https StartSSL openssl