Can I use ACM to issue private certificates when the AWS Private CA validity is less than 13 months?


I requested an AWS Certificate Manager (ACM) private certificate, and I received a "Failed" error. Or, the certificate status is "Failed."

Short description

Private certificates that you request in the ACM console are valid for 13 months. ACM can't issue private certificates if the AWS Private Certificate Authority validity period is less than 13 months. If you used the ACM console to request a private certificate and the CA validity period is less than 13 months, then the request fails.

To resolve this error, use the IssueCertificate API to request a private certificate with a shorter validity period. Then, import the certificate into ACM so that you can use the certificate with integrated services.

Resolution

Use the IssueCertificate API to issue a new private certificate with a shorter validity period

Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshoot AWS CLI errors. Also, make sure that you're using the most recent AWS CLI version.

Run the issue-certificate AWS CLI command to issue a private certificate whose expiry date falls before the end of the CA's own validity period:

aws acm-pca issue-certificate --certificate-authority-arn arn:aws:acm-pca:us-west-2:123456789012:certificate-authority/12345678-1234-1234-1234-123456789012 --csr fileb://cert_1.csr --signing-algorithm "SHA256WITHRSA" --validity Value=300,Type="DAYS" --idempotency-token 1234

Note: You must generate your own certificate signing request (CSR) and private key for the private certificate.

Get the private certificate body and chain from AWS Private CA, and then import them into ACM

  1. Run the get-certificate command to get the private certificate's body and chain:

    aws acm-pca get-certificate --certificate-authority-arn arn:aws:acm-pca:region:account:\
    certificate-authority/12345678-1234-1234-1234-123456789012 \
    --certificate-arn arn:aws:acm-pca:region:account:\
    certificate-authority/12345678-1234-1234-1234-123456789012/\
    certificate/6707447683a9b7f4055627ffd55cebcc \
    --output text

     Example output with the base64-encoded PEM format certificate (first block) followed by the certificate chain:

    -----BEGIN CERTIFICATE-----
    ...base64-encoded certificate...
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    ...base64-encoded certificate...
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    ...base64-encoded certificate...
    -----END CERTIFICATE-----
  2. Run the following commands to save the certificate body and certificate chain as .pem files:

    Certificate chain:

    aws acm-pca get-certificate --certificate-authority-arn arn:aws:acm-pca:Region:Account:certificate-authority/12345678-1234-1234-1234-123456789012 --certificate-arn arn:aws:acm-pca:Region:Account:certificate-authority/12345678-1234-1234-1234-123456789012/certificate/66506378eb4e296c59b41bbb7b8dd068 --output text --query CertificateChain > certchain.pem

    Certificate body:

    aws acm-pca get-certificate --certificate-authority-arn arn:aws:acm-pca:Region:Account:certificate-authority/12345678-1234-1234-1234-123456789012 --certificate-arn arn:aws:acm-pca:Region:Account:certificate-authority/12345678-1234-1234-1234-123456789012/certificate/66506378eb4e296c59b41bbb7b8dd068 --output text --query Certificate > certfile.pem
    
  3. To use the private certificate with integrated services, run the import-certificate AWS CLI command to import the certificate:
    Note: Replace certfile.pem, privatekey.key, and certchain.pem with your file names. The private key is the one you generated together with the CSR; it never leaves your environment until you import it here.

    aws acm import-certificate --certificate fileb://certfile.pem --private-key fileb://privatekey.key --certificate-chain fileb://certchain.pem
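The following Python script is an added example, not AWS code and not part of this article. It covers the two decisions the procedure above leaves to you: how long a validity period the CA can still sign (the reason the console's 13-month request fails), and how to split the concatenated PEM text that get-certificate prints into the body and chain files that import-certificate expects. It assumes the CA's NotAfter date is obtained separately (for example from `aws acm-pca describe-certificate-authority`) and passed in as a datetime, that the text output lists the leaf certificate before the chain as in the sample output above, and that "13 months" is taken as 395 days; the certificate bodies in the sample input are constructed placeholders, not real certificates.

```python
"""
Added example (not AWS code): offline helpers for the issue/get/import steps.

Assumptions (not taken from the article):
  * the CA's NotAfter date is obtained separately, e.g. from
    `aws acm-pca describe-certificate-authority`, and passed in as a datetime;
  * `aws acm-pca get-certificate --output text` prints the leaf certificate
    first and the chain after it, as in the article's sample output;
  * "13 months" for a console-requested certificate is taken as 395 days.
"""
import base64
import binascii
import re
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

# What the ACM console requests for a private certificate (assumed: 13 months = 395 days)
CONSOLE_VALIDITY_DAYS = 395

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def _canonical_pem(b64_body: str) -> str:
    """Re-wrap a base64 body at 64 columns so each output file is standard PEM."""
    lines = [b64_body[i:i + 64] for i in range(0, len(b64_body), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def split_pem_bundle(bundle: str) -> Tuple[str, str]:
    """Split concatenated PEM text into (certificate body, certificate chain).

    import-certificate expects the end-entity certificate alone in
    --certificate and the issuing CA certificates (without the leaf) in
    --certificate-chain, so the first block becomes the body and the rest
    become the chain. Each block's base64 is validated so a truncated or
    mangled download is rejected before anything is imported.
    """
    blocks = []
    for match in PEM_BLOCK.finditer(bundle):
        body = "".join(match.group(1).split())  # drop line wrapping and stray spaces
        try:
            base64.b64decode(body, validate=True)
        except binascii.Error as exc:
            raise ValueError(f"certificate block {len(blocks) + 1} is not valid base64") from exc
        blocks.append(_canonical_pem(body))
    if len(blocks) < 2:
        raise ValueError("expected a leaf certificate followed by at least one CA certificate")
    return blocks[0], "".join(blocks[1:])


def max_validity_days(ca_not_after: datetime, now: Optional[datetime] = None) -> int:
    """Largest whole-day --validity the CA can still sign.

    AWS Private CA will not issue a certificate that outlives the CA itself,
    which is why the console's fixed 13-month request fails against a CA with
    less than 13 months left. Returns 0 once the CA has expired.
    """
    now = now or datetime.now(timezone.utc)
    return max(0, (ca_not_after - now).days)


def console_request_would_fail(ca_not_after: datetime, now: Optional[datetime] = None) -> bool:
    """True when a console-requested private certificate would end up 'Failed'."""
    return max_validity_days(ca_not_after, now) < CONSOLE_VALIDITY_DAYS


def choose_validity(ca_not_after: datetime, wanted_days: int, now: Optional[datetime] = None) -> str:
    """Return the --validity argument for issue-certificate, clamped to the CA's remaining lifetime."""
    limit = max_validity_days(ca_not_after, now)
    if limit <= 0:
        raise ValueError("CA has expired; it cannot issue anything")
    return f"Value={min(wanted_days, limit)},Type=DAYS"


if __name__ == "__main__":
    # Constructed sample: a CA that expires 300 days after a fixed reference date.
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)
    ca_expiry = now + timedelta(days=300)
    print("console request would fail:", console_request_would_fail(ca_expiry, now))
    print("use --validity", choose_validity(ca_expiry, CONSOLE_VALIDITY_DAYS, now))

    # Constructed stand-in for `get-certificate --output text`; the bodies are not real certificates.
    sample = (
        "-----BEGIN CERTIFICATE-----QUJD\n-----END CERTIFICATE-----\n"
        "-----BEGIN CERTIFICATE-----\nREVG\n-----END CERTIFICATE-----\n"
        "-----BEGIN CERTIFICATE-----\nR0hJ\n-----END CERTIFICATE-----\n"
    )
    body, chain = split_pem_bundle(sample)
    print(body, chain, sep="")
```

Writing `body` to certfile.pem and `chain` to certchain.pem gives the same two files that the `--query Certificate` and `--query CertificateChain` commands in step 2 produce, with the extra guarantee that every block decoded as base64 before you hand the files to import-certificate.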
    