Certificate Magic! helps make it easy create and install certificates.
To set up a new certificate in AWS perform the following steps
run the create command to generate a CSR and encrypted private key
(IRL) get the certificate issued using your provider
run the install command with the certificate you get back from (2.)
(IRL) set up the certificate for your application and test it is working
run tidy to delete the temporary files
Installing Certificate Magic!
You can then run Certificate Magic! directly using
java -jar <path to>/cert-magic.jar <args>
but it’s usually simpler to create an executable script you can use
To create a script to run the jar, create a file at
with the following contents. Be sure to replace
with the path to your downloaded
unless you put the jar in the same folder as the script.
#!/bin/bash java -jar $(dirname $0)/cert-magic.jar "$@"
Make the script executable:
chmod u+x ~/bin/cert-magic
(Make sure your
bin directory is on your path)
Create a new CSR for your domain, using your configured AWS profile
cert-magic create -d www.example.com -p my-aws-profile
Create a CSR for a wildcard domain, specifying the region
cert-magic create -d *.example.com -p my-profile -r eu-west-1
Install a certificate into AWS
cert-magic install --certificate <path to cert> --chain <path to chain/bundle> -p aws-profile
Install a certificate into a second (different) AWS account
cert-magic install --certificate <path to cert> --chain <path to chain/bundle> -p aws-profile --installProfile different-aws-profile
Delete the files associated with a domain (to clear up after installation)
cert-magic tidy -d www.example.com
Once a certificate has been installed, check it using the SSL Labs server test, making sure 'Do not show the results on the boards' is checked.
Anything less than an 'A' grade is worth investigating.
Here is a little more detail on each command
This creates a keypair and certificate signing request for the given domain. The private key is encrypted using AWS KMS and stored under ~/.certmagic in your home directory. The CSR is displayed (and also saved to a file) so that you can send the CSR to a CA for signing.
When you get your certificate back, use the install mode to validate and upload your certificate into IAM. The private key will be decrypted appropriately and installed alongside the certificate and certificate chain.
If you are uploading the same certificate to multiple AWS accounts
you’ll need to use the optional
installProfile flag. This allows you
to specify a profile to use for the certificate installation. You’ll
still need to provide the same profile you used to create the
certificate so that the private key can be correctly decrypted. In
this way you can install the certificate in multiple accounts by
running the command with different install profiles provided.
List the private keys and CSRs that are outstanding.
Deletes the files associated with a domain to remove any access to the private key. This should be done after a domain is installed and has been tested.