
Saturday, January 21, 2023

PEM Certificate description & Import

When we upload a PEM certificate to ACM, or as the listener certificate of a load balancer, the certificate manager asks for the private key, the certificate body and (optionally, but in practice always) the certificate chain.

The private key is easy to identify in a PEM file: it is the PRIVATE KEY block. For the certificate body we need the server (leaf) certificate, i.e. the first CERTIFICATE block; the intermediate (in our setup the PTI-Intermediate certificate) and the root certificate are not the body, they go into the certificate chain.


# Private key of the SSL certificate
-----BEGIN PRIVATE KEY-----
Blah Blah Blah
-----END PRIVATE KEY-----

# Public certificate of the SSL certificate (the server / leaf certificate): this is the "Certificate body"
-----BEGIN CERTIFICATE-----
Blah Blah Blah
-----END CERTIFICATE-----

# Trust chain intermediate certificate: first entry of the "Certificate chain"
-----BEGIN CERTIFICATE-----
Blah Blah Blah
-----END CERTIFICATE-----

# Trust chain root certificate: last entry of the "Certificate chain"
-----BEGIN CERTIFICATE-----
Blah Blah Blah
-----END CERTIFICATE-----


We can extract the private key from a PFX into a PEM file with this command (without -nodes it asks for a new PEM pass phrase and writes the key encrypted):
# openssl pkcs12 -in filename.pfx -nocerts -out key.pem

Exporting the certificate only:
# openssl pkcs12 -in filename.pfx -clcerts -nokeys -out cert.pem

Removing the password from the extracted private key (ACM only accepts an unencrypted key). Note that openssl rsa only handles RSA keys, use openssl pkey for EC keys, and on OpenSSL 3 it writes PKCS#8 ("BEGIN PRIVATE KEY") unless -traditional is given:
# openssl rsa -in key.pem -out server.key

Import (AWS CLI) - [Credits to AWS Doc]

The following example shows how to import a certificate using the AWS Command Line Interface (AWS CLI). The example assumes the following:

  • The PEM-encoded certificate is stored in a file named Certificate.pem.

  • The PEM-encoded certificate chain is stored in a file named CertificateChain.pem.

  • The PEM-encoded, unencrypted private key is stored in a file named PrivateKey.pem.

To use the following example, replace the file names with your own and type the command on one continuous line. The following example includes line breaks and extra spaces to make it easier to read.

$ aws acm import-certificate --certificate fileb://Certificate.pem \
      --certificate-chain fileb://CertificateChain.pem \
      --private-key fileb://PrivateKey.pem


# To check the contents of the pfx file

openssl pkcs12 -info -in <PFX File>

WORKING SOLUTION :

To extract the certificates in PEM format from a PFX file, follow the procedure below:

  1. Copy the PFX file to a Linux system with the OpenSSL utility installed.
  2. Log on to that Linux system and navigate to the directory where the PFX file was copied in the previous step.
  3. Execute the commands below to extract the key and certificates (each one prompts for the PFX import password):
    1. Extract the private key from the PFX file (-nodes writes it unencrypted, so there is no second PEM pass phrase prompt):
      $ openssl pkcs12 -in <PFX_file> -nocerts -nodes -out nutanix-key-pfx.pem
    2. Extract the public (server) certificate from the PFX file:
      $ openssl pkcs12 -in <PFX_file> -clcerts -nokeys -out nutanix-cert-pfx.pem
    3. Extract the CA chain from the PFX file (-cacerts selects every CA certificate in the bundle; the -chain option sometimes seen here is an export-time option and does nothing when parsing):
      $ openssl pkcs12 -in <PFX_file> -cacerts -nokeys -out ca-pfx.pem
  4. Re-write the key without the Bag Attributes that pkcs12 prepends (the key is already PEM, this only cleans it up). openssl rsa works for RSA keys only; openssl pkey does the same for RSA and EC keys:
    $ openssl rsa -in nutanix-key-pfx.pem -out nutanix-key.pem
  5. Re-write the x509 server certificate and the CA chain without the Bag Attributes. Caveat: openssl x509 reads a single certificate, so if ca-pfx.pem holds more than one CA certificate only the first one ends up in ca.pem. In that case strip the attribute lines with sed/awk instead, or run the x509 command once per certificate and concatenate the results:
    $ openssl x509 -in nutanix-cert-pfx.pem -out nutanix-cert.pem
    $ openssl x509 -in ca-pfx.pem -out ca.pem
  6. Download nutanix-key.pem, nutanix-cert.pem and ca.pem from the Linux system to a local desktop.
  7. After following the steps above, the needed certificates and keys are in the working directory and are used as follows:
    • Private Key Type: RSA 2048-bit
    • Private Key: nutanix-key.pem
    • Public Certificate: nutanix-cert.pem
    • CA Certificate/Chain: ca.pem

The same steps applied to the UAT wildcard PFX:

# 1. private key, unencrypted
openssl pkcs12 -in dsc-shop-uat.se.com.pfx -nocerts -nodes -out key-pfx.pem

# 2. server (leaf) certificate only
openssl pkcs12 -in dsc-shop-uat.se.com.pfx -clcerts -nokeys -out cert-pfx.pem

# 3. CA certificates bundled in the PFX
openssl pkcs12 -in dsc-shop-uat.se.com.pfx -cacerts -nokeys -out ca-pfx.pem

# 4./5. strip the Bag Attributes (x509 keeps only the first certificate of ca-pfx.pem)
openssl rsa -in key-pfx.pem -out key.pem
openssl x509 -in cert-pfx.pem -out uat-wildcard.pem
openssl x509 -in ca-pfx.pem -out chain.pem

# 6. build the chain: the sub-CA that issued the wildcard certificate first, then the rest of the chain.
# This only works if UAT-SUBCA-01.cer is PEM (starts with -----BEGIN CERTIFICATE-----); a DER .cer
# has to be converted first (openssl x509 -inform DER) or the resulting cert-chain.pem is unusable.
cat UAT\ Chain/UAT-SUBCA-01.cer > cert-chain.pem
cat chain.pem >> cert-chain.pem
cat cert-chain.pem
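The manual steps above are easy to get subtly wrong (a chain truncated to one certificate by openssl x509, a key that does not belong to the certificate, an RC2-40 PFX that OpenSSL 3 refuses). The script below is an added example, not part of the original post or of any vendor procedure: it does the extraction with a -legacy fallback, strips the Bag Attributes from every certificate instead of only the first, and then checks key/certificate agreement, chain validity and expiry before anything is pasted into ACM or IAM. The script name pfx2pem.sh, the output file names and the throwaway root CA / sub-CA / wildcard certificate built by make_test_pfx are all assumptions made here so that it runs offline; it needs OpenSSL 1.1.1 or 3.x on PATH.

```shell
#!/usr/bin/env bash
# pfx2pem.sh - added example (not the original post's commands): pull the key,
# leaf certificate and CA chain out of a PFX, write the three clean PEM files
# that ACM/IAM expect, and sanity-check them before upload. Assumes OpenSSL
# 1.1.1 or 3.x on PATH; all file names and the test CA below are made up here.
set -eu

# Parse the PFX; if OpenSSL 3 refuses an old RC2-40-CBC bundle, retry with -legacy.
# (On 1.1.1 the retry fails with "unknown option", which is fine: 1.1.1 never
# needs it, so the real cause is usually a wrong import password.)
pkcs12_parse() {
  local pfx="$1" pass="$2"; shift 2
  openssl pkcs12 -in "$pfx" -passin "pass:$pass" "$@" 2>/dev/null ||
    openssl pkcs12 -in "$pfx" -passin "pass:$pass" -legacy "$@"
}

# Keep every BEGIN/END CERTIFICATE block and drop Bag Attributes and other
# metadata. (openssl x509 -in ... -out ... would keep only the FIRST cert.)
only_certs() {
  awk '/-----BEGIN CERTIFICATE-----/{p=1} p{print} /-----END CERTIFICATE-----/{p=0}' "$1"
}

# pfx_to_pem <file.pfx> <password> <outdir>  ->  outdir/{key,cert,chain}.pem
pfx_to_pem() {
  local pfx="$1" pass="$2" out="$3"
  mkdir -p "$out"
  pkcs12_parse "$pfx" "$pass" -nocerts -nodes -out "$out/key-raw.pem"   # private key, unencrypted
  pkcs12_parse "$pfx" "$pass" -clcerts -nokeys -out "$out/cert-raw.pem" # leaf (the cert carrying a localKeyID)
  pkcs12_parse "$pfx" "$pass" -cacerts -nokeys -out "$out/ca-raw.pem"   # intermediates (and root, if bundled)
  # pkey (rather than rsa) handles RSA and EC keys and writes unencrypted PKCS#8.
  openssl pkey -in "$out/key-raw.pem" -out "$out/key.pem"
  only_certs "$out/cert-raw.pem" > "$out/cert.pem"
  only_certs "$out/ca-raw.pem"   > "$out/chain.pem"
  rm -f "$out"/*-raw.pem
}

# Does the leaf certificate's public key belong to this private key?
key_matches_cert() {
  local k c
  k=$(openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256)
  c=$(openssl x509 -in "$2" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
  [ "$k" = "$c" ]
}

# Number of certificates in a PEM bundle.
cert_count() { grep -c -- '-----BEGIN CERTIFICATE-----' "$1"; }

# chain_valid <cert.pem> <chain.pem>: the leaf must validate against the extracted chain
# (the chain has to include the root for this to pass).
chain_valid() { openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; }

# Refuse an encrypted key (ACM rejects it) and print what is about to be imported.
report() {
  local out="$1"
  if grep -q 'ENCRYPTED' "$out/key.pem"; then echo "key.pem is still encrypted" >&2; return 1; fi
  echo "leaf:  $(openssl x509 -in "$out/cert.pem" -noout -subject -enddate | tr '\n' ' ')"
  echo "chain: $(cert_count "$out/chain.pem") certificate(s)"
}

# Constructed sample input so the script runs offline: a throwaway root CA,
# sub-CA and wildcard leaf, packed into test.pfx the way a CA or Windows export
# would (key + leaf + CA certificates). Prints the path of the PFX.
make_test_pfx() {
  local d="$1"; mkdir -p "$d"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Example Root CA" -keyout "$d/root.key" -out "$d/root.csr" 2>/dev/null
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 30 -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Example Sub CA" -keyout "$d/sub.key" -out "$d/sub.csr" 2>/dev/null
  openssl x509 -req -in "$d/sub.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial \
    -days 30 -extfile "$d/ca.ext" -out "$d/sub.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=*.uat.example.com" -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/sub.pem" -CAkey "$d/sub.key" -CAcreateserial \
    -days 30 -out "$d/leaf.pem" 2>/dev/null
  cat "$d/sub.pem" "$d/root.pem" > "$d/bundle.pem"
  openssl pkcs12 -export -inkey "$d/leaf.key" -in "$d/leaf.pem" -certfile "$d/bundle.pem" \
    -passout pass:changeit -out "$d/test.pfx"
  echo "$d/test.pfx"
}

# Usage: ./pfx2pem.sh <file.pfx> <password> [outdir]
if [ "$#" -gt 0 ]; then
  out="${3:-pem-out}"
  pfx_to_pem "$1" "${2:-}" "$out"
  key_matches_cert "$out/key.pem" "$out/cert.pem" || { echo "key.pem does not match cert.pem" >&2; exit 1; }
  chain_valid "$out/cert.pem" "$out/chain.pem" || echo "warning: chain.pem does not validate cert.pem (root missing?)" >&2
  report "$out"
fi
```

key.pem, cert.pem and chain.pem map directly onto the private key, certificate body and certificate chain fields. One thing the script does not do is reorder chain.pem: ACM wants the certificate that issued the leaf first, so if the PFX stored the CA certificates the other way round, check each one with openssl x509 -noout -subject -issuer and reorder before pasting.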



When importing the certificate in the console (choose IAM as the "Import to" target):

Paste key.pem into "Certificate private key (PEM encoded)"

Paste uat-wildcard.pem into "Certificate body (PEM encoded)"

Paste cert-chain.pem into "Certificate chain (PEM encoded)". The form marks it optional, but without it clients that do not already hold the intermediate cannot build a trust path to the root, so include it.


##################

To find the expiry date of the certificate

##################

openssl x509 -in uat-wildcard.pem -noout -enddate

If you get the error below while extracting:

Error outputting keys and certificates

00DE31EC01000000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:341:Global default library context, Algorithm (RC2-40-CBC : 0), Properties ()

OpenSSL 3.x has moved RC2-40-CBC (the cipher older Windows and Java exports use to protect the certificate bags in a PFX) out of the default provider, so the file cannot be decrypted without loading the legacy provider. Add the -legacy option (the -cacerts command needs it as well):

$ openssl pkcs12 -in dsc-shop-uat.se.com.pfx -nocerts -nodes -legacy -out key-pfx.pem
$ openssl pkcs12 -in dsc-shop-uat.se.com.pfx -clcerts -nokeys -legacy -out cert-pfx.pem
