X.509 certificates are one type of security credential for use with Amazon Web Services; they are used for making SOAP requests to AWS service APIs. If our account is not an IAM user, Amazon can generate one for us on their Security Credentials page. If our account is an IAM user, we will have to generate our own X.509 certificate; this article shows how to do that.

Create the Certificate

Make the directory the certificate and private key will be stored in.

Console - user@hostname ~ $

mkdir -p ~/.aws/credentials/sample

Generate the private key.

Console - user@hostname ~ $

openssl genrsa 1024 > ~/.aws/credentials/sample/pk.pem

Output

Generating RSA private key, 1024 bit long modulus
.......++++++
......++++++
e is 65537 (0x10001)

Generate the certificate.

Console - user@hostname ~ $

yes "" | openssl req \
-new \
-x509 \
-nodes \
-sha1 \
-days 3650 \
-key ~/.aws/credentials/sample/pk.pem \
-outform PEM > ~/.aws/credentials/sample/cert.pem

Output

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:
Email Address []:

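The two openssl steps above produce the key and certificate but do not check that the two files belong together, that the certificate is still valid, or that the private key is unreadable to other users. The script below is an added example, not code from the original article: it wraps the same key-then-certificate procedure in functions, uses a 2048-bit key and SHA-256 signature in place of the 1024-bit/SHA-1 settings shown above, verifies that cert.pem carries the public key of pk.pem before anything is uploaded, and prints the SHA-256 fingerprint so the local file can be matched against what IAM later reports. It assumes openssl is on PATH, that the aws CLI is available for the optional upload step, and that the output directory and IAM user name are passed as arguments; the subject name aws-signing-cert is an arbitrary placeholder.

```shell
#!/bin/sh
# Added example, not code from the original article. Assumes: openssl on PATH,
# the aws CLI for the (optional) upload step, and that the output directory and
# IAM user name are supplied by the caller.

# make_credentials DIR [DAYS]: create DIR (owner-only), an RSA private key
# pk.pem and a self-signed certificate cert.pem inside it.
make_credentials() {
    dir="$1"
    days="${2:-3650}"
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    # umask 077 makes pk.pem owner-readable from the moment it is written,
    # instead of relying on the shell's default umask (as "genrsa > file" does).
    ( umask 077 && openssl genrsa -out "$dir/pk.pem" 2048 2>/dev/null ) || return 1
    # 2048-bit key, SHA-256 signature; -subj replaces the interactive DN prompts
    # (the CN value is a placeholder, IAM does not use it).
    openssl req -new -x509 -nodes -sha256 -days "$days" \
        -subj "/CN=aws-signing-cert" \
        -key "$dir/pk.pem" -out "$dir/cert.pem" 2>/dev/null
}

# keypair_matches DIR: succeed only if cert.pem carries the public key of
# pk.pem (same RSA modulus). A certificate uploaded for the wrong key is a
# credential that can never produce a valid signature.
keypair_matches() {
    k=$(openssl rsa  -noout -modulus -in "$1/pk.pem"   2>/dev/null) || return 1
    c=$(openssl x509 -noout -modulus -in "$1/cert.pem" 2>/dev/null) || return 1
    [ "$k" = "$c" ]
}

# cert_not_expired DIR: succeed if cert.pem is valid right now
# (-checkend 0 exits non-zero once the notAfter date has passed).
cert_not_expired() {
    openssl x509 -noout -checkend 0 -in "$1/cert.pem" >/dev/null 2>&1
}

# cert_fingerprint DIR: print the SHA-256 fingerprint (AB:CD:...), useful to
# match the local file against "aws iam list-signing-certificates" output.
cert_fingerprint() {
    openssl x509 -noout -fingerprint -sha256 -in "$1/cert.pem" 2>/dev/null | cut -d= -f2
}

# upload_cert DIR USER: run the checks above, then upload cert.pem for an IAM
# user with the same AWS CLI command the article uses.
upload_cert() {
    keypair_matches "$1" && cert_not_expired "$1" || return 1
    aws iam upload-signing-certificate \
        --user-name "$2" \
        --certificate-body "file://$1/cert.pem"
}

# Usage: sh make-signing-cert.sh ~/.aws/credentials/sample [iam_user]
if [ "$#" -gt 0 ]; then
    make_credentials "$1" && keypair_matches "$1" \
        && echo "fingerprint: $(cert_fingerprint "$1")" \
        && { [ -z "${2:-}" ] || upload_cert "$1" "$2"; }
fi
```

Run with only a directory argument to generate and verify the files; add the IAM user name as a second argument to upload once the modulus check passes. The modulus comparison is the check worth keeping even if the rest is dropped: it is the only thing that catches a pk.pem overwritten by a later genrsa run while the old cert.pem is still the one registered with IAM.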
Upload the certificate.

Make sure to use POST instead of GET with this call: the CertificateBody parameter is far too large for a query string.

Example API Request

POST / HTTP/1.1
Host: iam.amazonaws.com
Content-Type: application/x-www-form-urlencoded

Action=UploadSigningCertificate
&UserName=Bob
&CertificateBody=-----BEGIN CERTIFICATE-----
    MIICdzCCAeCgAwIBAgIGANc+Ha2wMA0GCSqGSIb3DQEBBQUAMFMxCzAJBgNVBAYT
    AlVTMRMwEQYDVQQKEwpBbWF6b24uY29tMQwwCgYDVQQLEwNBV1MxITAfBgNVBAMT
    GEFXUyBMaW1pdGVkLUFzc3VyYW5jZSBDQTAeFw0wOTAyMDQxNzE5MjdaFw0xMDAy
    MDQxNzE5MjdaMFIxCzAJBgNVBAYTAlVTMRMwEQYDVQQKEwpBbWF6b24uY29tMRcw
    FQYDVQQLEw5BV1MtRGV2ZWxvcGVyczEVMBMGA1UEAxMMNTdxNDl0c3ZwYjRtMIGf
    MA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpB/vsOwmT/O0td1RqzKjttSBaPjbr
    dqwNe9BrOyB08fw2+Ch5oonZYXfGUrT6mkYXH5fQot9HvASrzAKHO596FdJA6DmL
    ywdWe1Oggk7zFSXO1Xv+3vPrJtaYxYo3eRIp7w80PMkiOv6M0XK8ubcTouODeJbf
    suDqcLnLDxwsvwIDAQABo1cwVTAOBgNVHQ8BAf8EBAMCBaAwFgYDVR0lAQH/BAww
    CgYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQULGNaBphBumaKbDRK
    CAi0mH8B3mowDQYJKoZIhvcNAQEFBQADgYEAuKxhkXaCLGcqDuweKtO/AEw9ZePH
    wr0XqsaIK2HZboqruebXEGsojK4Ks0WzwgrEynuHJwTn760xe39rSqXWIOGrOBaX
    wFpWHVjTFMKk+tSDG1lssLHyYWWdFFU4AnejRGORJYNaRHgVTKjHphc5jEhHm0BX
    AEaHzTpmEXAMPLE=
    -----END CERTIFICATE-----
&Version=2010-05-08
&AUTHPARAMS

Example API Request - (curl)

# --data-urlencode sends application/x-www-form-urlencoded, the content type
# the IAM API expects; "name@file" reads the parameter value from a file.
# "~" is not expanded inside double quotes, so the path uses $HOME.
curl "https://iam.amazonaws.com" \
--request POST \
--data-urlencode "Action=UploadSigningCertificate" \
--data-urlencode "UserName=iam_user" \
--data-urlencode "CertificateBody@$HOME/.aws/credentials/sample/cert.pem" \
--data-urlencode "Version=2010-05-08" \
--data-urlencode "AUTHPARAMS"

AWS CLI

Using AWS CLI

Console - user@hostname ~ $

aws iam \
upload-signing-certificate \
--user-name "iam_user" \
--certificate-body "file://$HOME/.aws/credentials/sample/cert.pem"

Output

{
    "Certificate": {
        "UserName": "iam_user",
        "Status": "Active",
        "CertificateBody": "-----BEGIN CERTIFICATE-----\nMIICdzCCAeCgAwIBAgIGANc+Ha2wMA0GCSqGSIb3DQEBBQUAMFMxCzAJBgNVBAYT\nAlVTMRMwEQYDVQQKEwpBbWF6b24uY29tMQwwCgYDVQQLEwNBV1MxITAfBgNVBAMT\nGEFXUyBMaW1pdGVkLUFzc3VyYW5jZSBDQTAeFw0wOTAyMDQxNzE5MjdaFw0xMDAy\nMDQxNzE5MjdaMFIxCzAJBgNVBAYTAlVTMRMwEQYDVQQKEwpBbWF6b24uY29tMRcw\nFQYDVQQLEw5BV1MtRGV2ZWxvcGVyczEVMBMGA1UEAxMMNTdxNDl0c3ZwYjRtMIGf\nMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpB/vsOwmT/O0td1RqzKjttSBaPjbr\ndqwNe9BrOyB08fw2+Ch5oonZYXfGUrT6mkYXH5fQot9HvASrzAKHO596FdJA6DmL\nywdWe1Oggk7zFSXO1Xv+3vPrJtaYxYo3eRIp7w80PMkiOv6M0XK8ubcTouODeJbf\nsuDqcLnLDxwsvwIDAQABo1cwVTAOBgNVHQ8BAf8EBAMCBaAwFgYDVR0lAQH/BAww\nCgYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQULGNaBphBumaKbDRK\nCAi0mH8B3mowDQYJKoZIhvcNAQEFBQADgYEAuKxhkXaCLGcqDuweKtO/AEw9ZePH\nwr0XqsaIK2HZboqruebXEGsojK4Ks0WzwgrEynuHJwTn760xe39rSqXWIOGrOBaX\nwFpWHVjTFMKk+tSDG1lssLHyYWWdFFU4AnejRGORJYNaRHgVTKjHphc5jEhHm0BX\nAEaHzTpmEXAMPLE=\n-----END CERTIFICATE-----",
        "CertificateId": "A3AEQAOPYZHJOW6AMSPXZ2IDMFHXHUWZ",
        "UploadDate": "2014-07-01T07:45:21.429Z"
    }
}

IAM Command Line Toolkit

Using the IAM Command Line Toolkit

Console - user@hostname ~ $

iam-useraddcert -u iam_user -f ~/.aws/credentials/sample/cert.pem

Output

LH77Z5ZGLAB2I47HSVA744GJMUOCLX74

Set Environment Variables

Set EC2_CERT and EC2_PRIVATE_KEY.

Console - user@hostname ~ $

cat <<'EOF' >> ~/.bashrc
export EC2_CERT=~/.aws/credentials/sample/cert.pem
export EC2_PRIVATE_KEY=~/.aws/credentials/sample/pk.pem
EOF
