An X.509 certificate is a security device designed to carry a public key and bind that key to an identity. X.509 certificates are used in public key cryptography. For more information about public key cryptography and X.509 certificates, go to the techencyclopedia.com entries for "digital signature" and "public key cryptography".
To use SOAP to access the License Service, you must have a private key and a related X.509 certificate, and you must associate that X.509 certificate with your AWS developer account. You use the private key instead of your AWS Secret Access Key to sign SOAP requests (for information about your Secret Access Key, see Your AWS Access Credentials ). For information about obtaining an X.509 certificate from AWS or using an X.509 certificate you obtained elsewhere, see the following sections.
AWS does not implement a full public key infrastructure. The certificate information is used only to authenticate requests to AWS. AWS uses X.509 certificates only as carriers for public keys and does not trust or use in any way any identity binding that might be included in an X.509 certificate.
1.0 specification requires you to sign the SOAP message with your private key and include the X.509 certificate in the SOAP message header. Specifically, you must represent the X.509 certificate as a BinarySecurityToken as described in the WS-Security X.509 token profile (also available if you go to the OASIS-Open web site ).
Using Your Own X.509 Certificate
If you have an X.509 certificate you want to use, you can upload the certificate to AWS (without the private key value). This associates the certificate with your AWS account.
AWS accepts any syntactically and cryptographically valid X.509 certificate. Certificates can be self-signed or signed by any key. The certificate must be in Privacy Enhanced Mail (PEM) format and include a base64 encoded Distinguished Encoding Rules (DER) certificate body.
When you upload the certificate, AWS checks the certificate's contents to confirm that the certificate has not expired. AWS doesn't check certificate revocation lists (CRLs) to determine if the certificate has been revoked, nor does AWS validate the certificate with a certificate authority (CA) or any trusted third parties.
To upload your own X.509 certificateSource: docs.aws.amazon.com