How to Export a Certificate from AWS Certificate Manager and why you probably don't need to

The Problem

Recently I thought I needed to export a my certificate from AWS, which was created and managed by the AWS Certificate Manager.  This was due to a requirement that I didn't fully understand for a salesforce dual two way ssl handshake.  

Technically the reason behind this was flawed but since I did all the work and research this may help you if it fits your use case.  See the "Why this didn't work - things to know" at the end of this post.

 

The process of finding the (failed) solution

But let's first talk about the process. Like any failed solution, there's always a process that got us there right?  Even in this failure, I learned something new.

I spent a few hours trying to figure this out and nothing in the Salesforce documentation or the AWS documentation was pointing me in the right direction (spoiler alert - there was a good reason since this wasn't the correct solution).

However before I learned that, the search went on.

I read every article I could find and nothing seemed like it would work. It appeared that the only way you could export a certificate in AWS is if it was a private one, but the salesforce documentation indicates the certificate must be public and from a predefined list of approved CNs (common names) - yes hindsight this should have raised some red flags.  AWS is listed as one of them, so the search continues.

Finally, I stumbled on a thread on serverfault.com.  The approved (most voted uptick) answer indicated that it can't be done, however, the second most voted answer (and probably the most update to date) showed that it was possible by using the AWS CLI AWS CLI get-certificate yay! I thought I found the gold!

The (flawed) Solutions

Granted this solution was flawed in my case but you never know when this will come in handy... so read on!

You can use aws acm list-certificates to get/list your certificates and then aws acm get-certificate --certificate-arn YOUR_CERT_ARN to get the cert.  You can also export it to a file like aws acm get-certificate --certificate-arn YOUR_CERT_ARN > mycert.txt

Why this didn't work - Things to know

 

When you export your cert, it does not include the root cert, so depending on your use case it may not work for you. At this point I'm not even sure if it's useful - other than possibly making a backup of your cert.   

If you check the cert for its validity you will quickly find that it's not in a valid form.  For example if you check the cert with openssl verify mycert.txt you will see that it only contains an error. 

>openssl verify mycert.txt

FILE_NAME.txt CN = some-domain.com
error 20 at 0 depth lookup:unable to get local issuer certificate

What is the (correct) solution?

 

What salesforce really needs is the public key that is linked to our cert created in AWS. So at the end of the day, they simply wanted the root certificate which is provided by AWS which can be found here: https://www.amazontrust.com/repository/AmazonRootCA1.pem

NOTE: that there are other public root certs that AWS provides, so be sure to use the one that matches your cert. https://www.amazontrust.com/repository

This is what you need to install in the salesforce Keystore. 🎉