AWS Certified Solutions Architect - Professional 2020

Sign Up Free or Log In to participate!

Upload (third party issuer) Certificate to IAM vs. ACM

In this lesson, Scott mentioned: upload the certificate to IAM. But, according to AWS, it’s a best practice that you upload SSL certificates to ACM. If you’re using certificate algorithms and key sizes that aren’t currently supported by ACM or the associated AWS resources, then you can also upload an SSL certificate to IAM using AWS Command Line Interface (AWS CLI). So, I understand, by default, we should use ACM and not IAM for importing those certificates.
With that being said, I would like to know if there are any differences or caveats to using the (same) certificate on Elastic Load Balancer to provide HTTPS, for instance. Any difference between using the (imported) certificate on CloudFront vs. ELB?

2 Answers

Hi Franca, 

I don’t believe I specifically say IAM is the ONLY place to import certificates.  In Chapter 4.7, I cover ACM and that we can import certs there.

With regard to your quesiton, you might try over at the AWS Support forums for more responses but as you’re citing an AWS knowledgebase answer, I’m sure you’ve read this one too that kind of answers some of your question:


Hey Fran,

Indeed, by default AWS will recommend you to use ACM to upload your certificates, as it is integrated with most of the services around and will be the Certificate Store accessed by default. Anyhow, for ALBs, you might find that there are certain types of certificate that needs to be uploaded directly into IAM as they are not supported in ACM. Then, you will be forced to upload them there.

I am leaving a snippet of code here that I’ve used to import the certificates to IAM [as I’ve faced this same issue for one customer], and might be useful for someone looking for an answer on this topic:

aws iam upload-server-certificate –server-certificate-name ExampleCertificate –certificate-body file://certificate.crt –certificate-chain file://certificate.cpem –private-key file://certificate.key

Hope I was of some help.



Sign In
Welcome Back!

Psst…this one if you’ve been moved to ACG!

Get Started
Who’s going to be learning?