top of page

How to create SSL certificates from a 3rd party— and not fail in the process


During the last days of the past year, I received the request of updating SSL certificates, probably, like most of you. As we know sometimes it is automated via AWS but on other occasions is necessary to get your hands dirty ;-)

This time I first needed to create a CSR (Certificate Signing Request) with a private key to provide the client, so he could request a third party for the new certificate.

I made this by running the following command:

openssl req -new -out <csr_name>.csr -newkey rsa:2048 -nodes -sha256 -keyout <key_toencrypt_csr>.key -config citi.conf

Notice that I passed to the command a conf file where I set all details:


default_bits = 2048

prompt = no

default_md = sha256

req_extensions = req_ext

distinguished_name = req_distinguished_name

[ req_distinguished_name ]


ST=New York


O=End Point

OU=Testing Domain

CN =

[ req_ext ]

subjectAltName = @alt_names

[ alt_names ]

DNS.1 =

DNS.2 =


Check that your Certificate Signing Request (CSR) has the correct signature by running the following.

openssl req -in CSR.csr -noout -text

To define if it has been created for all the domains you need

openssl req -in CSR.csr -noout -text | grep DNS

A new certificate will be generated from the CSR, and you can just copy them from the site or download them.

" "

If you choose to download them, be sure to choose as File Type Indivudual .crts (zipped) [According to the provider is possible that some steps be different].

The last step is to import the certificate to AWS Certificate Manager, you will find the following fields:

" "

  • On the Certificate Body, you must paste the first individual cert, name as your domain site.

  • Certificate private key refers to the key you generated for creating the CSR certificate.

  • Finally, the Certificate chain is the intermediate certificate you have on the Digicert page. Check that the name has a “CA”.

After filling in the three fields and clicking on Next you can add a tag to identify your new Certificate and that’s it! You’re ready to update it on your load balancer, Cloudfront distribution, etc.

Lourdes Dorado

DevOps Engineer


If you are interested in learning more about our TeraTips or our blog's content, we invite you to see all the content entries that we have created for you and your needs.


Entradas recientes
Buscar por tags
  • Twitter Basic Square
bottom of page