AWS: "Unable to parse certificate. Please ensure the certificate is in PEM format."

Question

I am trying to update a wildcard certificate for EC2 instances on AWS. The service these servers belong to consists of a single server and a set of servers behind AWS ELB.

The certificate has been successfully updated and verified on the single server.

The same is true for an instance pulled up from the image the ELB uses for AutoScaling.

However, when trying to add a new certificate to the load-balancer, I get the above error. I'm sure the certificate is correct and is in PEM format. I first tried via the web console, then using the aws aim command line tools with the same result.

Anyone came across similar issue recently?

Answer 1

Just ran into the same exact issue: web console and AWS CLI reporting the same error in not being able to parse the certificate.

The error's root cause turned out to be in the private key -- converting my private key to a "RSA PRIVATE KEY" fixed the issue:

openssl rsa -in server.key -out server.key.rsa

Then, use the server.key.rsa in the private key field and leave the public cert as is.

Answer 2

The AWS CLI requires file:// prefix for local files. For example file://private.key, file://cert_file, etc.

Answer 3

I just spent the last hour struggling with this issue, on the web console. For sake of documenting, I would like to share what fixed the problem for me:

1. Ensure all keys and certs to be in RSA (as is demonstrated in Vikram's answer)
2. Ensure the ---- TEXT HERE ---- start and end labels are included in what you are uploading/copy-pasting into the web-console
3. My issue was: The RapidSSL certificates I'd purchased on Name.com, when copy-pasted into an Evernote, resulted in the conversion of newlines into spaces. I only realized this when I inputted the text into Vim, and the monospaced text wasn't aligned properly. After a series of f, [space], a, [return], I'd fixed the file in Vi and it now seems to be working. AWS' interface should be smart enough to recover from common errors such as this - nevertheless, this fixed the issue for me.

Hope this helps save an hour for somebody else :)

Answer 4

According to installation steps of ZeroSSL you have to copy all the content of the private.key after opening it in notepad.

The private key must start with -----BEGIN RSA PRIVATE KEY----- and end with -----END RSA PRIVATE KEY-----

I did that also with certificate.crt and the problem solved and saved successfully

Answer 5

You might get this or a similar error if you get ahead of yourself and paste the CSR (Certificate Signing Request) .pem file into the AWS certificate console where you should be pasting a certificate .pem file.

The CSR file typically includes REQUEST in the first line:

-----BEGIN CERTIFICATE REQUEST-----

The certificate file does not:

-----BEGIN CERTIFICATE-----