
Uploading SSL certificates TO IAM

I have 4 certificates which I received from the CA (SSL):

Root CA Certificate - 123.crt

Intermediate CA Certificate - 456.crt

Intermediate CA Certificate - 789.crt

Your PositiveSSL Certificate - 654.crt

I have generated circuit.pem (the private key) and csr.pem, through which I got these certificates.

Now, I want to upload these certificates to IAM using

    aws iam upload-server-certificate --server-certificate-name certificate_object_name --certificate-body file://public_key_certificate_file --private-key file://privatekey.pem --certificate-chain file://certificate_chain_file 

AWS -Working with Server Certificates

But I am not able to gauge which is my server certificate and how I can upload all my certificates.

Please help me with the above command for my above certificates.

I tried :

    aws iam upload-server-certificate --server-certificate-name MyServerCertificate --certificate-body file://www_advisorcircuit_com.crt --private-key file://circuit.pem --certificate-chain file://COMODORSAAddTrustCA.crt

I am getting this error:

    A client error (InvalidClientTokenId) occurred when calling the UploadServerCertificate operation: The security token included in the request is invalid.
Uday Khatry asked Mar 25 '15 12:03


2 Answers

I have to say, getting this to work was a huge pain in the ass. Basically you are missing the user configuration details. You have to create a user on Amazon using the IAM service here: https://console.aws.amazon.com/iam/home. Pay attention to what your region is in the URL; you'll need that later. So create a user, attach a policy (I attached AdministratorAccess), "Create Access Key", download the credentials for the user and use them to run:

    $ aws configure
    AWS Access Key ID [None]: AKIAIOSFODNN7EXAMPLE
    AWS Secret Access Key [None]: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
    Default region name [None]: us-west-2
    Default output format [None]: json

Some caveats on getting the certificate install command to work. Make sure the files have readable permissions... I think I specified 664. I specified the .pem extension on all the files... I believe AWS prefers the old-school style key files, so I had to run

    openssl rsa -in my_key.key -text > new_key.pem
Stan Quinn answered Oct 20 '22 06:10


An additional hint (because that's what happened to me)

Run echo $AWS_ACCESS_KEY_ID and echo $AWS_SECRET_ACCESS_KEY to check if these ENV variables are set.

No matter what you pass to aws configure, the ENV variables will override it.

Configuration Settings and Precedence

Clemens Helm answered Oct 20 '22 07:10
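
The precedence problem described in the second answer can be checked without echoing the secret key to the terminal. The script below is an added example, not code from either answer: it reports whether the exported variables or the credentials file written by aws configure will supply the access key, and flags the case where a stale exported key hides the configured one. It assumes no --profile option is passed on the command line; the function names and the key values in the demo are constructed for illustration.

```shell
#!/bin/sh
# Added example: report which access key the AWS CLI will pick up, without
# printing any secret. Assumes no --profile option is given on the command line.

# Print the aws_access_key_id stored under profile $2 in credentials file $1.
profile_key_id() {
    [ -r "$1" ] || return 0
    awk -v want="[$2]" '
        /^[ \t]*\[/ { gsub(/[ \t]/, ""); in_p = ($0 == want); next }
        in_p && /^[ \t]*aws_access_key_id[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit
        }' "$1"
}

# Last four characters of $1, enough to tell two key IDs apart.
tail4() { printf '%s' "$1" | tail -c 4; }

# Name the credential source that wins: exported variables beat the file.
cred_source() {
    file="${AWS_SHARED_CREDENTIALS_FILE:-${HOME:-}/.aws/credentials}"
    profile="${AWS_PROFILE:-default}"
    file_id=$(profile_key_id "$file" "$profile")
    if [ -n "${AWS_ACCESS_KEY_ID:-}" ]; then
        if [ -z "${AWS_SECRET_ACCESS_KEY:-}" ]; then
            echo "env-incomplete: AWS_ACCESS_KEY_ID is set but AWS_SECRET_ACCESS_KEY is not"
        elif [ -n "$file_id" ] && [ "$file_id" != "$AWS_ACCESS_KEY_ID" ]; then
            echo "env-overrides-file: env key ..$(tail4 "$AWS_ACCESS_KEY_ID") hides [$profile] key ..$(tail4 "$file_id")"
        else
            echo "env: key ..$(tail4 "$AWS_ACCESS_KEY_ID")"
        fi
    elif [ -n "$file_id" ]; then
        echo "file: [$profile] key ..$(tail4 "$file_id")"
    else
        echo "none: no key in the environment or under [$profile] in $file"
    fi
}

# Demo on constructed values: a stale exported key shadows the configured one.
(
    tmp=$(mktemp) && trap 'rm -f "$tmp"' EXIT
    printf '[default]\naws_access_key_id = AKIAIOSFODNN7EXAMPLE\n' > "$tmp"
    export AWS_SHARED_CREDENTIALS_FILE="$tmp"
    export AWS_ACCESS_KEY_ID=AKIACONSTRUCTEDSTALE AWS_SECRET_ACCESS_KEY=constructed
    unset AWS_PROFILE
    cred_source
)
```

If the reported key is not the one you configured, unset the exported variables and retry. Running aws sts get-caller-identity afterwards shows which account and ARN the active credentials map to.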