I am trying to enable HTTPS on our backend server hosted on an EC2 instance by importing a Cloudflare client certificate (NOT Cloudflare's Origin certificate) into the Amazon Certificate Manager. I made this decision in part because our backend does not currently have a domain, only a public IP address.

When importing the certificate, I cannot find what I am supposed to input for the "Certificate Chain" field, since creating the client certificate did not give me the certificate chain. I have tried following this solution on Cloudflare's discussion forum, but ACM gave another error, saying: Could not validate the certificate with the certificate chain.

Is what I am trying to do possible?

gorilla_glue

1 Answer

The certificate chain, also known as the certification path, is a list of certificates used to authenticate an entity. You need that so ACM can check the validity of your certificate.

When importing a certificate into ACM, don't include the certificate in the certificate chain. The certificate chain must contain only the intermediate and root certificates. The certificate chain must be in order, starting with the intermediate certificates, and then ending with the root certificate.

You can find the Cloudflare root certificate under point 4 in this document: https://developers.cloudflare.com/ssl/origin-configuration/origin-ca

Sources: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/cnames-and-https-requirements.html

https://aws.amazon.com/premiumsupport/knowledge-center/acm-import-troubleshooting/

Lucasz

  • Your first link is regarding origin-ca certificates, which is why I think ACM did not accept either of the root certificates. Creating the client certificate only gave me the certificate itself and the private key. – gorilla_glue Jan 09 '22 at 03:12
  • You cannot use client certificates for ACM. You have to have a domain to use it. Client certificates are not used for HTTPS but for authentication. – Lucasz Jan 09 '22 at 10:29
  • Use Cloudflare public key infrastructure (PKI) to create client certificates. You can use these certificates with Cloudflare API Shield™ to enforce mutual Transport Layer Security (mTLS) encryption. – Lucasz Jan 09 '22 at 10:29
  • If you want to make your website HTTPS you have to use origin certificates. – Lucasz Jan 09 '22 at 10:31
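As an added check that is not part of the original answer or of any AWS or Cloudflare tooling: a POSIX shell function (assumes `openssl` is on the PATH) that applies the chain rules from the answer to a leaf certificate and a candidate chain file before you paste the chain into ACM, so the "Could not validate the certificate with the certificate chain" error can be reproduced and diagnosed locally. It flags a chain that contains the leaf itself, a chain in the wrong order (root before intermediate), and a chain whose last entry is not a self-signed root, then lets openssl build the path the same way ACM has to.

```sh
#!/bin/sh
# check_acm_chain LEAF.pem CHAIN.pem
# Exit 0 only when CHAIN is shaped the way ACM's "Certificate chain" field expects:
#   - it does not contain LEAF itself,
#   - it runs intermediates first and root last (each entry issued the one before it),
#   - the final entry is a self-signed root,
#   - and openssl can actually build a path from LEAF to that root.
check_acm_chain() {
  leaf=$1; chain=$2; rc=0
  tmp=$(mktemp -d) || return 1
  # Split the PEM bundle into c01.pem, c02.pem, ... in file order and report the count.
  n=$(awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/ {n++; f=sprintf("%s/c%02d.pem", d, n); p=1}
        p {print > f} /-----END CERTIFICATE-----/ {p=0; close(f)} END {print n+0}' "$chain")
  if [ "$n" -eq 0 ]; then echo "no certificates found in $chain"; rm -rf "$tmp"; return 1; fi
  leaf_fp=$(openssl x509 -noout -fingerprint -sha256 -in "$leaf")
  # The first entry must be the leaf's issuer; after that each entry must issue the previous one.
  want=$(openssl x509 -noout -issuer -nameopt RFC2253 -in "$leaf" | sed 's/^[^=]*=//')
  i=1
  while [ "$i" -le "$n" ]; do
    c=$(printf '%s/c%02d.pem' "$tmp" "$i")
    fp=$(openssl x509 -noout -fingerprint -sha256 -in "$c")
    subj=$(openssl x509 -noout -subject -nameopt RFC2253 -in "$c" | sed 's/^[^=]*=//')
    iss=$(openssl x509 -noout -issuer -nameopt RFC2253 -in "$c" | sed 's/^[^=]*=//')
    if [ "$fp" = "$leaf_fp" ]; then
      echo "entry $i is the leaf certificate itself; ACM wants only intermediates and the root"; rc=1
    elif [ "$subj" != "$want" ]; then
      echo "entry $i is '$subj' but the previous certificate was issued by '$want' (wrong order?)"; rc=1
    fi
    if [ "$i" -lt "$n" ]; then cat "$c" >> "$tmp/intermediates.pem"; else root=$c; fi
    want=$iss; i=$((i + 1))
  done
  if [ "$subj" != "$iss" ]; then echo "last entry '$subj' is not a self-signed root"; rc=1; fi
  # Final cross-check: ask openssl to build the path with the root as the only trust anchor.
  if [ "$rc" -eq 0 ]; then
    if [ -s "$tmp/intermediates.pem" ]; then
      openssl verify -CAfile "$root" -untrusted "$tmp/intermediates.pem" "$leaf" >/dev/null || rc=1
    else
      openssl verify -CAfile "$root" "$leaf" >/dev/null || rc=1
    fi
  fi
  rm -rf "$tmp"
  return "$rc"
}
```

Run it as `check_acm_chain server.pem chain.pem`; a non-zero exit with a printed reason tells you which of the answer's rules the chain file breaks before ACM rejects it.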