Currently Amazon AWS only accepts Base-64 (PEM) encoded X.509 certificates as EC2 credentials. Further, when creating a user in IAM, Amazon does not provide the convenient certificate generator that it offers for the root account. If you want to create these certificates on Windows, you will find that it is not easy to get the certificate out of its binary (DER) format. Many will point you to OpenSSL for the conversion, and that works well, but some people cannot use OpenSSL.
I am going to lay out some steps that will help you quickly create an X.509 certificate and private key using the Windows SDK makecert.exe utility and PowerShell.
First download the Windows SDK. When installing, only the Tools option is necessary. The SDK usually installs to C:\Program Files\Windows SDK\version\bin. I suggest adding the SDK bin directory to your PATH if you are going to make a lot of these certificates; these instructions assume that makecert is on your path.
Makecert has a number of functions, but the feature we are interested in is its ability to generate self-signed certificates with a straightforward command. Every certificate it outputs is in binary DER format, so it is not directly usable by AWS. We will use PowerShell to convert the binary file into a Base-64 string. Note that makecert does not hand you the private key as a file by default; since we want the certificate and the key as separate files, we use the -sv switch, which saves the private key to a .pvk file. One last gotcha: the tool seems to want the output files to carry the extensions shown in its help and examples. If you do not use the .pvk and .cer extensions it may not write the file at all.
Assuming that you have the SDK installed and can run makecert, here are the steps to get your certificate AWS ready.
Create the self signed certificate and corresponding private key file using makecert:
makecert -sv privatekey.pvk certificate.cer
Next we are going to use PowerShell and a little .NET to turn the binary files into text-friendly Base-64 (the body of a PEM file).
Process the certificate first:
# [byte[]] (an array), not [byte]: a single byte cannot hold the whole file
[byte[]] $x = Get-Content -Encoding Byte -ReadCount 0 -Path .\certificate.cer
# Write ASCII explicitly; a bare '>' in Windows PowerShell writes UTF-16, which PEM readers reject
[System.Convert]::ToBase64String($x) | Out-File -Encoding ascii .\cer-ec2creds.PEM
Next Process the private key:
[byte[]] $x = Get-Content -Encoding Byte -ReadCount 0 -Path .\privatekey.pvk
[System.Convert]::ToBase64String($x) | Out-File -Encoding ascii .\pk-ec2creds.PEM
You can now open the resulting files in Notepad to confirm that they are indeed Base-64 text.
The files should work fine even if they are missing the proper header and footer lines. If you want to include them, they should be as follows. Remember to add an end-of-line character after the footer as well.
For the certificate PEM file:
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
For the private key PEM file:
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----
One caveat on the private key: -----BEGIN PRIVATE KEY----- is the PKCS#8 header (RFC 5958), but a .pvk file is Microsoft's own private-key container with its own header, not a PKCS#8 structure. Base-64 encoding it and wrapping it in these lines gives you a file that PKCS#8-aware tools such as OpenSSL will not parse, so if some consumer rejects the key, that is why.
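The whole procedure as a single script, added here as an example and not code from the original post. It assumes makecert.exe is on the PATH and uses the same file names as above; Convert-DerToPem and Test-PemRoundTrip are hypothetical helper names chosen for this example. Beyond the steps above it wraps the Base-64 body at 64 characters, writes ASCII with a trailing newline, warns when the input is a PVK container rather than PKCS#8, and checks that each PEM body decodes back to the original bytes.

```powershell
# Added example (not from the original post). Assumes makecert.exe is on the
# PATH and that privatekey.pvk / certificate.cer are the names used above.
# Convert-DerToPem and Test-PemRoundTrip are hypothetical helper names.

function Convert-DerToPem {
    param(
        [Parameter(Mandatory)] [string] $InputPath,
        [Parameter(Mandatory)] [string] $OutputPath,
        [Parameter(Mandatory)] [string] $Label      # e.g. CERTIFICATE
    )
    # ReadAllBytes works in both Windows PowerShell and PowerShell 7
    # (Get-Content -Encoding Byte exists only in Windows PowerShell).
    [byte[]] $der = [System.IO.File]::ReadAllBytes((Resolve-Path $InputPath).Path)

    # A PVK file begins with the little-endian magic 0xB0B5F11E. It is
    # Microsoft's own key container, not PKCS#8, so a PRIVATE KEY header on
    # it will not satisfy PKCS#8-aware tools; say so instead of hiding it.
    if ($der.Length -ge 4 -and $der[0] -eq 0x1E -and $der[1] -eq 0xF1 -and
        $der[2] -eq 0xB5 -and $der[3] -eq 0xB0) {
        Write-Warning "$InputPath is a PVK container, not PKCS#8; the PEM body will be raw PVK bytes."
    }

    $b64 = [System.Convert]::ToBase64String($der)
    # Wrap the body at 64 characters, the conventional PEM line length.
    $body = for ($i = 0; $i -lt $b64.Length; $i += 64) {
        $b64.Substring($i, [Math]::Min(64, $b64.Length - $i))
    }
    $lines = @("-----BEGIN $Label-----") + $body + @("-----END $Label-----")

    # ASCII, LF line endings, trailing newline. A bare '>' in Windows
    # PowerShell would write UTF-16, which PEM consumers reject.
    [System.IO.File]::WriteAllText(
        $OutputPath, (($lines -join "`n") + "`n"), [System.Text.Encoding]::ASCII)
}

function Test-PemRoundTrip {
    param(
        [Parameter(Mandatory)] [string] $PemPath,
        [Parameter(Mandatory)] [string] $DerPath
    )
    # Strip header/footer, decode the body, compare with the original bytes.
    $b64 = (Get-Content $PemPath | Where-Object { $_ -notmatch '^-----' }) -join ''
    [byte[]] $decoded = [System.Convert]::FromBase64String($b64)
    [byte[]] $orig    = [System.IO.File]::ReadAllBytes((Resolve-Path $DerPath).Path)
    return ([System.BitConverter]::ToString($decoded) -eq [System.BitConverter]::ToString($orig))
}

# 1. Self-signed certificate plus a separate .pvk private key (same command as above).
& makecert -sv privatekey.pvk certificate.cer
if ($LASTEXITCODE -ne 0) { throw "makecert failed with exit code $LASTEXITCODE" }

# 2. Convert both artifacts.
Convert-DerToPem -InputPath .\certificate.cer -OutputPath .\cer-ec2creds.PEM -Label 'CERTIFICATE'
Convert-DerToPem -InputPath .\privatekey.pvk  -OutputPath .\pk-ec2creds.PEM  -Label 'PRIVATE KEY'

# 3. Confirm that each PEM body decodes back to the original bytes.
if (-not (Test-PemRoundTrip -PemPath .\cer-ec2creds.PEM -DerPath .\certificate.cer)) { throw 'certificate PEM does not round-trip' }
if (-not (Test-PemRoundTrip -PemPath .\pk-ec2creds.PEM  -DerPath .\privatekey.pvk))  { throw 'private key PEM does not round-trip' }

# 4. Certificate-only sanity check: load the DER and show subject and thumbprint.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
    -ArgumentList (Resolve-Path .\certificate.cer).Path
'{0}  {1}' -f $cert.Subject, $cert.Thumbprint
```

makecert will prompt for a password for the .pvk file when it creates it; leaving the password blank keeps the file unencrypted, which is what the Base-64 conversion above expects. The round-trip check proves only that the encoding is lossless; it does not turn the PVK bytes into a PKCS#8 key, which is why the warning is emitted.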
I hope this is useful. Please feel free to comment and share other methods.
Here are some references:
- .NET Convert Class
- Makecert.exe (Certificate Creation Tool)
- RFC 5958 Asymmetric Key Packages
- SANS Windows Security Blog: PowerShell Byte Array And Hex Functions