
I created an SSL certificate using AWS Certificate Manager to use on our EB Load Balancer.

We have a device that needs the public certificate to communicate over HTTPS. I know AWS holds the private key; is it possible to download the public key?

hummmingbear

1 Answer


The AWS ACM does not provide an API to download the public key of an ACM SSL certificate.

However, once you have your ACM certificate setup on an ELB or CloudFront, the public key will be served when you connect to it via HTTPS. From there, you may be able to save the public key.

Try using OpenSSL to get and save the key:

openssl s_client -connect the.host.name:443 | openssl x509 -pubkey -noout

Source: https://security.stackexchange.com/questions/16085/how-to-get-public-key-of-a-secure-webpage

Matt Houser
  • Or, start with `true | openssl s_client ...` so that s_client sees an EOF on STDIN and drops the connection after the handshake is complete. – Michael - sqlbot Sep 19 '17 at 23:48
  • Actually, the *public* certificate **can** be fetched using the [`GetCertificate`](http://docs.aws.amazon.com/acm/latest/APIReference/API_GetCertificate.html) action (and the public key extracted if needed), but s_client is probably just as easy. What they may actually be looking for is simply the cert, rather than the actual public key, for use as a means of validating that they are connecting to the correct target. The server's certificate can be used as a "ca-file" at the client side when normal chain-based validation isn't desirable, for whatever reason. – Michael - sqlbot Sep 19 '17 at 23:55