Uploading a Server Certificate

You can upload a server certificate in Elastic Identity Management (EIM) that you can then use with a load balancer listener to enable SSL termination.

This certificate must be in the x509 format. You need to provide:

  • The certificate itself

  • The chain of intermediate certification authorities if your certificate is not signed by a root one

  • The corresponding private key, which must not be protected by a password or a passphrase

All these elements must be PEM-encoded.

Uploading a Server Certificate Using OSC CLI

The CreateServerCertificate command creates a server certificate and its matching private key.

These elements can be used with other services (for example, to configure SSL termination on load balancers).

You can also specify the chain of intermediate certification authorities if your certificate is not directly signed by a root one. You can specify multiple intermediate certification authorities in the CertificateChain parameter. To do so, concatenate all certificates in the correct order (the first certificate must be the authority of your certificate, the second must be the authority of the first one, and so on).

The private key must be an RSA key in PKCS1 form. To check this, open the PEM file and ensure its header reads as follows: BEGIN RSA PRIVATE KEY.

This private key must not be protected by a password or a passphrase.

For more information, see About Server Certificates in EIM.

Request sample
$ osc-cli api CreateServerCertificate --profile "default" \
    --Name "server-cert-example" \
    --Body="$(cat certificate.pem)" \
    --Chain="$(cat certificate-chain.pem)" \
    --PrivateKey="$(cat private-key.pem)" \
    --Path "/example/"

This command contains the following attributes that you need to specify:

  • Body: The PEM-encoded X509 certificate.
    With OSC CLI, use the following syntax to make sure your certificate file is correctly parsed: --Body="$(cat FILENAME)".

  • Chain: (optional) The PEM-encoded intermediate certification authorities.
    With OSC CLI, use the following syntax to make sure your certificate chain file is correctly parsed: --Chain="$(cat FILENAME)".

  • DryRun: (optional) If true, checks whether you have the required permissions to perform the action.

  • Name: A unique name for the certificate. Constraints: 1-128 alphanumeric characters, pluses (+), equals (=), commas (,), periods (.), at signs (@), minuses (-), or underscores (_).

  • Path: (optional) The path to the server certificate, set to a slash (/) if not specified.

  • PrivateKey: The PEM-encoded private key matching the certificate.
    With OSC CLI, use the following syntax to make sure your key file is correctly parsed: --PrivateKey="$(cat FILENAME)".
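The Name constraints and the private key requirements described above can be checked locally before the request is sent. The script below is an added example, not OUTSCALE code or part of either CLI, and its function names are hypothetical. It also covers a case the header check alone misses: a passphrase-protected PKCS1 key still starts with BEGIN RSA PRIVATE KEY.

```shell
#!/bin/sh
# Added example (function names are its own, not part of osc-cli or oapi-cli).
LC_ALL=C; export LC_ALL

# Print how a PEM private key file is encoded, judged from its armor lines:
# pkcs1-rsa | pkcs1-rsa-encrypted | pkcs8 | pkcs8-encrypted | other | none
key_format() {
    first=$(grep -e '-----BEGIN .*PRIVATE KEY-----' "$1" | head -n 1 | tr -d '\r')
    case "$first" in
        '') echo none ;;
        '-----BEGIN RSA PRIVATE KEY-----')
            # A passphrase-protected PKCS#1 key keeps this same header and
            # adds a "Proc-Type: 4,ENCRYPTED" line after it.
            if grep -q '^Proc-Type: 4,ENCRYPTED' "$1"; then echo pkcs1-rsa-encrypted
            else echo pkcs1-rsa; fi ;;
        '-----BEGIN PRIVATE KEY-----') echo pkcs8 ;;
        '-----BEGIN ENCRYPTED PRIVATE KEY-----') echo pkcs8-encrypted ;;
        *) echo other ;;
    esac
}

# Succeed only if the name is 1-128 characters drawn from alphanumerics
# (ASCII assumed) and + = , . @ - _
valid_cert_name() {
    [ "${#1}" -ge 1 ] && [ "${#1}" -le 128 ] || return 1
    case "$1" in *[!A-Za-z0-9+=,.@_-]*) return 1 ;; esac
}

# Run both checks, report each problem on stderr, return non-zero on failure.
preflight() {   # usage: preflight NAME KEYFILE
    rc=0
    valid_cert_name "$1" || { echo "invalid Name: $1" >&2; rc=1; }
    fmt=$(key_format "$2")
    [ "$fmt" = pkcs1-rsa ] || { echo "PrivateKey is $fmt, not unencrypted PKCS#1 RSA" >&2; rc=1; }
    return "$rc"
}

# Constructed sample (placeholder body, not a real key): encrypted PKCS#1.
sample_encrypted_key() {
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
        'DEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF' '' \
        'UExBQ0VIT0xERVI=' '-----END RSA PRIVATE KEY-----'
}

# As a script: "sh preflight.sh NAME KEYFILE"; with no arguments, classify the sample.
if [ "$#" -eq 2 ]; then preflight "$1" "$2"
else tmp=$(mktemp); sample_encrypted_key > "$tmp"; key_format "$tmp"; rm -f "$tmp"; fi
```

The check reads only the PEM armor lines, so it does not confirm that the key matches the certificate.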

The CreateServerCertificate command returns the following elements:

  • ResponseContext: Information about the context of the response.

    • RequestId: The ID of the request.

  • ServerCertificate: Information about the server certificate.

    • ExpirationDate: The date on which the server certificate expires.

    • Id: The ID of the server certificate.

    • Name: The name of the server certificate.

    • Orn: The OUTSCALE Resource Name (ORN) of the server certificate. For more information, see Resource Identifiers > OUTSCALE Resource Names (ORNs).

    • Path: The path to the server certificate.

    • UploadDate: The date on which the server certificate has been uploaded.

Result sample
{
  "ServerCertificate": {
    "Path": "/example/",
    "Id": "ABCDEFGHIJKLMNOPQRSTUVWXYZ1234",
    "Orn": "orn:ows:idauth::012345678910:server-certificate/example/server-cert-example",
    "Name": "server-cert-example"
  },
  "ResponseContext": {
    "RequestId": "0475ca1e-d0c5-441d-712a-da55a4175157"
  }
}

Uploading a Server Certificate Using oapi-cli

The CreateServerCertificate command creates a server certificate and its matching private key.

These elements can be used with other services (for example, to configure SSL termination on load balancers).

You can also specify the chain of intermediate certification authorities if your certificate is not directly signed by a root one. You can specify multiple intermediate certification authorities in the CertificateChain parameter. To do so, concatenate all certificates in the correct order (the first certificate must be the authority of your certificate, the second must be the authority of the first one, and so on).

The private key must be an RSA key in PKCS1 form. To check this, open the PEM file and ensure its header reads as follows: BEGIN RSA PRIVATE KEY.

This private key must not be protected by a password or a passphrase.

For more information, see About Server Certificates in EIM.

Request sample
$ oapi-cli --profile "default" CreateServerCertificate \
    --Name "server-cert-example" \
    --Body --file "certificate.pem" \
    --Chain --file "certificate-chain.pem" \
    --PrivateKey --file "private-key.pem" \
    --Path "/example/"

This command contains the following attributes that you need to specify:

  • Body: The PEM-encoded X509 certificate.
    With OSC CLI, use the following syntax to make sure your certificate file is correctly parsed: --Body="$(cat FILENAME)".

  • Chain: (optional) The PEM-encoded intermediate certification authorities.
    With OSC CLI, use the following syntax to make sure your certificate chain file is correctly parsed: --Chain="$(cat FILENAME)".

  • DryRun: (optional) If true, checks whether you have the required permissions to perform the action.

  • Name: A unique name for the certificate. Constraints: 1-128 alphanumeric characters, pluses (+), equals (=), commas (,), periods (.), at signs (@), minuses (-), or underscores (_).

  • Path: (optional) The path to the server certificate, set to a slash (/) if not specified.

  • PrivateKey: The PEM-encoded private key matching the certificate.
    With OSC CLI, use the following syntax to make sure your key file is correctly parsed: --PrivateKey="$(cat FILENAME)".

The CreateServerCertificate command returns the following elements:

  • ResponseContext: Information about the context of the response.

    • RequestId: The ID of the request.

  • ServerCertificate: Information about the server certificate.

    • ExpirationDate: The date on which the server certificate expires.

    • Id: The ID of the server certificate.

    • Name: The name of the server certificate.

    • Orn: The OUTSCALE Resource Name (ORN) of the server certificate. For more information, see Resource Identifiers > OUTSCALE Resource Names (ORNs).

    • Path: The path to the server certificate.

    • UploadDate: The date on which the server certificate has been uploaded.

Result sample
{
  "ServerCertificate": {
    "Path": "/example/",
    "Id": "ABCDEFGHIJKLMNOPQRSTUVWXYZ1234",
    "Orn": "orn:ows:idauth::012345678910:server-certificate/example/server-cert-example",
    "Name": "server-cert-example"
  },
  "ResponseContext": {
    "RequestId": "0475ca1e-d0c5-441d-712a-da55a4175157"
  }
}

Uploading a Server Certificate Using AWS CLI

Before you begin: Install and configure AWS CLI. For more information, see Installing and Configuring AWS CLI.

To upload a server certificate in EIM, use the upload-server-certificate command following this syntax:

Request sample
$ aws iam upload-server-certificate \
    --profile YOUR_PROFILE \
    --certificate-body file://certificate.pem \
    --certificate-chain file://certificate_chain.pem \
    --path /division/subdivision \
    --private-key file://private_key.pem \
    --server-certificate-name my-server-certificate \
    --endpoint https://eim.eu-west-2.outscale.com

This command contains the following attributes that you need to specify:

  • (optional) profile: The named profile you want to use, created when configuring AWS CLI. For more information, see Installing and Configuring AWS CLI.

  • certificate-body: The PEM-encoded X509 certificate.

  • (optional) certificate-chain: The PEM-encoded chain of intermediate certification authorities.

  • (optional) path: The path to the server certificate, set to a slash (/) if not specified.

  • private-key: The PEM-encoded private key matching the certificate.

  • server-certificate-name: The name for the certificate, which must be unique.

  • endpoint: The endpoint corresponding to the Region you want to send the request to. For more information, see Installing and Configuring AWS CLI.

The upload-server-certificate command returns the following elements:

  • ServerCertificateMetadata: The metadata of the uploaded server certificate. This element contains the following information:

    • Arn: The OUTSCALE Resource Name (ORN) of the server certificate.

    • Path: The path to the server certificate.

    • ServerCertificateId: The ID of the server certificate, generated by EIM.

    • ServerCertificateName: The name of the server certificate.

Result sample
{
    "ServerCertificateMetadata": {
        "Arn": "my_load_balancer_1234567890.lbu.eu-west-2.outscale.com",
        "Path": "/division/subdivision",
        "ServerCertificateId": "ABCDEFGHIJK1L2MNOPQRS",
        "ServerCertificateName": "my-server-certificate"
    }
}

The server certificate is uploaded.


AWS™ and Amazon Web Services™ are trademarks of Amazon Technologies, Inc or its affiliates in the United States and/or other countries.