How to Fix “Unable to Parse Certificate” Error When Uploading SSL Cert to AWS IAM


AWS IAM requires the certificate body, the private key and the chain to be PEM text. The common mistake is assuming any file with a .pem or .crt extension automatically qualifies. A valid PEM certificate looks like this (Base64 lines between the BEGIN and END markers, LF line endings, nothing before the first marker):

-----BEGIN CERTIFICATE-----
[Base64-encoded certificate data]
-----END CERTIFICATE-----

Before uploading, verify each file with OpenSSL:

openssl x509 -in mysite.crt -text -noout  # Parse the certificate (fails on DER, PKCS#7 or junk)
openssl rsa -in mysite.pem -check        # Verify the private key (use openssl ec for an EC key)
openssl verify -CAfile COMODOSSLCA.crt mysite.crt  # Validate that the chain signs the certificate

Note that -CAfile treats every certificate in that file as trusted, so the last command only proves that the signatures link up; it does not prove the chain reaches a public root.

Try these conversion commands if validation fails:

# Convert DER to PEM
openssl x509 -inform der -in certificate.der -out certificate.pem

# Fix line endings (especially if generated on Windows)
dos2unix mysite.pem

# Combine certificate and chain into one bundle (for web servers such as nginx;
# IAM takes the chain as a separate parameter, so do not upload the bundle as the certificate body)
cat mysite.crt COMODOSSLCA.crt > combined.pem

The correct command structure should be:

aws iam upload-server-certificate \
  --server-certificate-name MysiteCertificate \
  --certificate-body file://mysite.crt \
  --private-key file://mysite.pem \
  --certificate-chain file://COMODOSSLCA.crt

Note the file:// prefix, which tells the CLI to read the file contents. Without it the CLI sends the literal string mysite.crt as the certificate body, which is itself reported as a malformed certificate.

Use the AWS CLI's --debug flag for more details:

aws iam upload-server-certificate --debug [your params]

This logs the exact request parameters sent to AWS, so you can see whether the certificate body the CLI read is what you expected. The same log contains the private key, so treat the output as secret and never paste it into a ticket or chat.

If the CLI continues to fail, keep in mind that IAM has no console page for server certificates; they can only be uploaded with the CLI or API. If you want a visual uploader with clearer validation messages, import the certificate into AWS Certificate Manager (ACM) instead; its import form takes the same three PEM inputs (certificate body, unencrypted private key, chain). The SDK is another option:

AWS SDK (Python example):

import boto3

client = boto3.client('iam')


def read_pem(path):
    # IAM expects the PEM text itself. Reading as ASCII makes a BOM or other
    # non-ASCII junk (which IAM would also reject) fail loudly here.
    with open(path, encoding='ascii') as f:
        return f.read()


response = client.upload_server_certificate(
    ServerCertificateName='MysiteCertificate',
    CertificateBody=read_pem('mysite.crt'),
    PrivateKey=read_pem('mysite.pem'),
    CertificateChain=read_pem('COMODOSSLCA.crt'),
    # add Path='/cloudfront/' if CloudFront will use this certificate
)
print(response['ServerCertificateMetadata']['Arn'])

The chain file must not contain your own certificate (that goes in --certificate-body). It starts with the intermediate that signed your certificate and continues toward the root, one PEM block after another:

-----BEGIN CERTIFICATE-----
[Intermediate CA that issued your certificate]
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
[Next intermediate CA, if any]
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
[Root CA, last]
-----END CERTIFICATE-----

A chain that starts with the end-entity certificate, or that lists the root first, is rejected with an "Unable to validate certificate chain" error.

IAM requires the private key to be unencrypted (no passphrase). Strip the passphrase if needed, and keep the resulting file readable only by you:

openssl rsa -in encrypted.pem -out decrypted.pem

For EC keys, use the PKCS#8 container (BEGIN PRIVATE KEY) rather than the older EC PRIVATE KEY form:

openssl pkcs8 -topk8 -nocrypt -in ec_key.pem -out pkcs8_key.pem
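The checks described above (PEM headers and line endings, unencrypted key, key/certificate match, chain order and chain membership) as one pre-flight script, an added example that is not part of the original article. It assumes openssl 1.1.1 or 3.x plus POSIX grep, awk and mktemp in PATH; the file names are illustrative, and make_test_pki builds constructed throw-away test data so the script runs offline:

```shell
#!/usr/bin/env bash
# Added example, not from the original article: local pre-flight checks for the
# three files `aws iam upload-server-certificate` expects, so that the
# "Unable to parse certificate" error is caught before the upload.
# Assumes `openssl` (1.1.1 or 3.x) plus grep/awk/mktemp in PATH. File names are
# illustrative; make_test_pki creates constructed test data.
set -u

# Fail unless $1 holds a PEM block whose header matches the regex $2
# (e.g. CERTIFICATE) and contains no CR characters left over from Windows editors.
pem_block_ok() {
  grep -Eq -- "-----BEGIN ($2)-----" "$1" && ! grep -q "$(printf '\r')" "$1"
}

# Number of certificates in a PEM file; a chain file normally holds several.
cert_count() { grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true; }

# Fail if the key is passphrase-protected; IAM rejects encrypted keys.
key_is_unencrypted() {
  ! grep -Eq -- 'BEGIN ENCRYPTED PRIVATE KEY|Proc-Type: 4,ENCRYPTED' "$1"
}

# Fail unless the key in $2 belongs to the certificate in $1. `openssl pkey` reads
# RSA (PKCS#1 or PKCS#8) and EC keys alike; the two SPKI PEMs must be identical.
key_matches_cert() {
  local c k
  c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ -n "$c" ] && [ "$c" = "$k" ]
}

# Chain rules: the first certificate in the chain must be the one that signed the
# leaf, the leaf itself must not appear in the chain, and the chain must verify.
# `openssl x509` reads only the first PEM block of a file, which is exactly what
# the order check needs; awk splits the file for the membership check.
chain_ok() {
  local leaf=$1 chain=$2 leaf_issuer first_subject leaf_fp tmp f
  leaf_issuer=$(openssl x509 -in "$leaf" -noout -issuer) || return 1
  first_subject=$(openssl x509 -in "$chain" -noout -subject) || return 1
  [ "${leaf_issuer#issuer=}" = "${first_subject#subject=}" ] || return 1
  leaf_fp=$(openssl x509 -in "$leaf" -noout -fingerprint -sha256)
  tmp=$(mktemp -d)
  awk -v dir="$tmp" '/-----BEGIN CERTIFICATE-----/{n++} {print > (dir "/c" n ".pem")}' "$chain"
  for f in "$tmp"/c*.pem; do
    if [ "$(openssl x509 -in "$f" -noout -fingerprint -sha256 2>/dev/null)" = "$leaf_fp" ]; then
      rm -rf "$tmp"; return 1   # the leaf was pasted into the chain file
    fi
  done
  rm -rf "$tmp"
  openssl verify -partial_chain -CAfile "$chain" "$leaf" >/dev/null 2>&1
}

# Run every check against cert/key/chain; returns non-zero if any check failed.
preflight() {
  local cert=$1 key=$2 chain=$3 failed=0
  report() { if "$@"; then echo "ok    $*"; else echo "FAIL  $*"; failed=1; fi; }
  report pem_block_ok "$cert" CERTIFICATE
  report pem_block_ok "$key" '(RSA |EC )?PRIVATE KEY'
  report pem_block_ok "$chain" CERTIFICATE
  report key_is_unencrypted "$key"
  report key_matches_cert "$cert" "$key"
  report chain_ok "$cert" "$chain"
  echo "certificates in chain: $(cert_count "$chain")"
  return "$failed"
}

# Constructed test data: a throw-away root -> intermediate -> leaf PKI in directory $1,
# with chain.pem in the order IAM expects (issuing intermediate first, root last).
make_test_pki() {
  local d=$1 n
  printf '[req]\ndistinguished_name=dn\n[dn]\n[ca]\nbasicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign\n[leaf]\nbasicConstraints=CA:FALSE\nsubjectAltName=DNS:mysite.example\n' > "$d/cnf"
  for n in root int leaf; do
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$d/$n.key" 2>/dev/null
  done
  openssl req -x509 -config "$d/cnf" -extensions ca -key "$d/root.key" -subj "/CN=Test Root" -days 30 -out "$d/root.pem" 2>/dev/null
  openssl req -new -config "$d/cnf" -key "$d/int.key" -subj "/CN=Test Intermediate" -out "$d/int.csr" 2>/dev/null
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial -days 30 -extfile "$d/cnf" -extensions ca -out "$d/int.pem" 2>/dev/null
  openssl req -new -config "$d/cnf" -key "$d/leaf.key" -subj "/CN=mysite.example" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" -CAcreateserial -days 30 -extfile "$d/cnf" -extensions leaf -out "$d/leaf.pem" 2>/dev/null
  cat "$d/int.pem" "$d/root.pem" > "$d/chain.pem"
}

# Usage: ./preflight.sh --demo   (constructed PKI)   or   ./preflight.sh CERT KEY CHAIN
case "${1:-}" in
  --demo) dir=$(mktemp -d); make_test_pki "$dir"; preflight "$dir/leaf.pem" "$dir/leaf.key" "$dir/chain.pem" ;;
  "") ;;
  *) preflight "$1" "$2" "${3:?chain file required}" ;;
esac
```

Run it against the real files before the upload; every FAIL line maps to one of the conversions above (DER to PEM, dos2unix, passphrase removal, chain reordering). The order check deliberately uses only the first block of the chain file, since that is the certificate IAM validates against the issuer of the body.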

AWS IAM strictly requires certificates in PEM format. The error MalformedCertificate: Unable to parse certificate means that what arrived in --certificate-body could not be parsed as a single PEM-encoded X.509 certificate of this form (a DER or PKCS#7 file, Windows CRLF line endings, a BOM, or a literal file name sent without the file:// prefix are the usual causes):

-----BEGIN CERTIFICATE-----
Base64-encoded certificate data
-----END CERTIFICATE-----

First, verify all files are properly formatted using OpenSSL:

openssl x509 -in mysite.crt -text -noout  # Check certificate
openssl rsa -in mysite.pem -check        # Validate private key
openssl x509 -in COMODOSSLCA.crt -text -noout  # Check chain (prints only the first certificate in the file)

If your files are in different formats, convert them:

# Convert DER to PEM
openssl x509 -inform der -in certificate.cer -out certificate.pem

# Convert PKCS#7 to PEM
openssl pkcs7 -print_certs -in certificate.p7b -out certificate.pem

# Convert PKCS#12 to PEM (writes certificate, private key and CA certificates into one file;
# split them with -nokeys / -nocerts into the separate files IAM expects)
openssl pkcs12 -in certificate.pfx -out certificate.pem -nodes

The complete working command should look like this (--path /cloudfront/ is required when CloudFront will use the certificate):

aws iam upload-server-certificate \
  --server-certificate-name MysiteCertificate \
  --certificate-body file://mysite.pem \
  --private-key file://mysite.key \
  --certificate-chain file://COMODOSSLCA.pem \
  --path /cloudfront/

  • Use absolute file paths so the CLI reads the files you think it does, whatever the current directory
  • Ensure there is no extra whitespace, BOM or other invisible characters in the files
  • Verify the certificate chain order (the intermediate that signed your certificate first, further intermediates next, root last; the server certificate itself is not part of the chain)
  • Check file permissions (readable by the user running the AWS CLI)

IAM has no console page for server certificates, so if the CLI continues to fail and you want a visual uploader with clearer error messages, import the certificate into AWS Certificate Manager (ACM) instead:

  1. Open ACM in the console (use us-east-1 if the certificate is for CloudFront)
  2. Choose "Import a certificate"
  3. Paste the certificate body, the unencrypted private key and the chain into the text boxes