# Set up the Amazon EC2 AMI tools You can use the AMI tools to create and manage Amazon S3-backed Linux AMIs. To use the tools, you must install them on your Linux instance. The AMI tools are available as both an RPM and as a .zip file for Linux distributions that don't support RPM. **To set up the AMI tools using the RPM** 1. Install Ruby using the package manager for your Linux distribution, such as yum. For example: ``` [ec2-user ~]$ sudo yum install -y ruby ``` 1. Download the RPM file using a tool such as wget or curl. For example: ``` [ec2-user ~]$ wget https://s3.amazonaws.com/ec2-downloads/ec2-ami-tools.noarch.rpm ``` 1. Verify the RPM file's signature using the following command: ``` [ec2-user ~]$ rpm -K ec2-ami-tools.noarch.rpm ``` The command above should indicate that the file's SHA1 and MD5 hashes are `OK.` If the command indicates that the hashes are `NOT OK`, use the following command to view the file's Header SHA1 and MD5 hashes: ``` [ec2-user ~]$ rpm -Kv ec2-ami-tools.noarch.rpm ``` Then, compare your file's Header SHA1 and MD5 hashes with the following verified AMI tools hashes to confirm the file's authenticity: + Header SHA1: a1f662d6f25f69871104e6a62187fa4df508f880 + MD5: 9faff05258064e2f7909b66142de6782 If your file's Header SHA1 and MD5 hashes match the verified AMI tools hashes, continue to the next step. 1. Install the RPM using the following command: ``` [ec2-user ~]$ sudo yum install ec2-ami-tools.noarch.rpm ``` 1. Verify your AMI tools installation using the [ec2-ami-tools-version](ami-tools-commands.md#ami-tools-version) command. ``` [ec2-user ~]$ ec2-ami-tools-version ``` **Note** If you receive a load error such as "cannot load such file -- ec2/amitools/version (LoadError)", complete the next step to add the location of your AMI tools installation to your `RUBYLIB` path. 1. (Optional) If you received an error in the previous step, add the location of your AMI tools installation to your `RUBYLIB` path. 1. Run the following command to determine the paths to add. ``` [ec2-user ~]$ rpm -qil ec2-ami-tools | grep ec2/amitools/version /usr/lib/ruby/site_ruby/ec2/amitools/version.rb /usr/lib64/ruby/site_ruby/ec2/amitools/version.rb ``` In the above example, the missing file from the previous load error is located at `/usr/lib/ruby/site_ruby` and `/usr/lib64/ruby/site_ruby`. 1. Add the locations from the previous step to your `RUBYLIB` path. ``` [ec2-user ~]$ export RUBYLIB=$RUBYLIB:{{/usr/lib/ruby/site_ruby}}:{{/usr/lib64/ruby/site_ruby}} ``` 1. Verify your AMI tools installation using the [ec2-ami-tools-version](ami-tools-commands.md#ami-tools-version) command. ``` [ec2-user ~]$ ec2-ami-tools-version ``` **To set up the AMI tools using the .zip file** 1. Install Ruby and unzip using the package manager for your Linux distribution, such as **apt-get**. For example: ``` [ec2-user ~]$ sudo apt-get update -y && sudo apt-get install -y ruby unzip ``` 1. Download the .zip file using a tool such as wget or curl. For example: ``` [ec2-user ~]$ wget https://s3.amazonaws.com/ec2-downloads/ec2-ami-tools.zip ``` 1. Unzip the files into a suitable installation directory, such as `/usr/local/ec2`. ``` [ec2-user ~]$ sudo mkdir -p /usr/local/ec2 $ sudo unzip ec2-ami-tools.zip -d /usr/local/ec2 ``` Notice that the .zip file contains a folder ec2-ami-tools-{{x}}.{{x}}.{{x}}, where {{x}}.{{x}}.{{x}} is the version number of the tools (for example, `ec2-ami-tools-1.5.7`). 1. Set the `EC2_AMITOOL_HOME` environment variable to the installation directory for the tools. For example: ``` [ec2-user ~]$ export EC2_AMITOOL_HOME=/usr/local/ec2/ec2-ami-tools-{{x}}.{{x}}.{{x}} ``` 1. Add the tools to your `PATH` environment variable. For example: ``` [ec2-user ~]$ export PATH=$EC2_AMITOOL_HOME/bin:$PATH ``` 1. You can verify your AMI tools installation using the [ec2-ami-tools-version](ami-tools-commands.md#ami-tools-version) command. ``` [ec2-user ~]$ ec2-ami-tools-version ``` ## Manage signing certificates Certain commands in the AMI tools require a signing certificate (also known as X.509 certificate). You must create the certificate and then upload it to AWS. For example, you can use a third-party tool such as OpenSSL to create the certificate. **To create a signing certificate** 1. Install and configure OpenSSL. 1. Create a private key using the `openssl genrsa` command and save the output to a `.pem` file. We recommend that you create a 2048- or 4096-bit RSA key. ``` openssl genrsa 2048> {{private-key.pem}} ``` 1. Generate a certificate using the `openssl req` command. ``` openssl req -new -x509 -nodes -sha256 -days 365 -key {{private-key.pem}} -outform PEM -out {{certificate.pem}} ``` To upload the certificate to AWS, use the [upload-signing-certificate](https://docs.aws.amazon.com/cli/latest/reference/iam/upload-signing-certificate.html) command. ``` aws iam upload-signing-certificate --user-name {{user-name}} --certificate-body file://{{path/to/certificate}}.pem ``` To list the certificates for a user, use the [list-signing-certificates](https://docs.aws.amazon.com/cli/latest/reference/iam/list-signing-certificates.html) command: ``` aws iam list-signing-certificates --user-name {{user-name}} ``` To disable or re-enable a signing certificate for a user, use the [update-signing-certificate](https://docs.aws.amazon.com/cli/latest/reference/iam/update-signing-certificate.html) command. The following command disables the certificate: ``` aws iam update-signing-certificate --certificate-id {{OFHPLP4ZULTHYPMSYEX7O4BEXAMPLE}} --status {{Inactive}} --user-name {{user-name}} ``` To delete a certificate, use the [delete-signing-certificate](https://docs.aws.amazon.com/cli/latest/reference/iam/delete-signing-certificate.html) command: ``` aws iam delete-signing-certificate --user-name {{user-name}} --certificate-id {{OFHPLP4ZULTHYPMSYEX7O4BEXAMPLE}} ```