How can I request a private certificate using the ACM console when ACM-PCA validity period is less than 13 months?
I requested an AWS Certificate Manager (ACM) private certificate but I received a "Failed" error or the certificate status is "Failed". How can I resolve this?
Short description
Private certificates requested with the ACM console are valid for 13 months. ACM private CAs can't issue a private certificate if the validity exceeds the CA validity period. If the CA validity period is less than 13 months, you receive a "Failed" error requesting a private certificate with the ACM console.
To resolve this error, request a private certificate with a shorter validity period by using the IssueCertificate API. Then, import the certificate into ACM to be used with integrated services.
Resolution
Use the IssueCertificate API to issue a new private certificate with a validity period less than the CAs validity period
Note: If you receive errors when running AWS Command Line Interface (AWS CLI) commands, make sure that you’re using the most recent AWS CLI version.
Use the issue-certificate command to issue a private certificate with an expiry date less than the CAs validity period:
aws acm-pca issue-certificate --certificate-authority-arn arn:aws:acm-pca:us-west-2:123456789012:certificate-authority/12345678-1234-1234-1234-123456789012 --csr file://cert_1.csr --signing-algorithm "SHA256WITHRSA" --validity Value=300,Type="DAYS" --idempotency-token 1234
Note: You must generate your own CSR and private key for the private certificate.
Get the private certificate body and chain from ACM PCA, and then import them into ACM
1. Use the get-certificate command to get the private certificate's body and chain:
aws acm-pca get-certificate \ --certificate-authority-arn arn:aws:acm-pca:region:account:\ certificate-authority/12345678-1234-1234-1234-123456789012 \ --certificate-arn arn:aws:acm-pca:region:account:\ certificate-authority/12345678-1234-1234-1234-123456789012/\ certificate/6707447683a9b7f4055627ffd55cebcc \ --output text
The get-certificate command outputs the base64-encoded PEM format certificate and the certificate chain:
-----BEGIN CERTIFICATE----- ...base64-encoded certificate... -----END CERTIFICATE---- -----BEGIN CERTIFICATE----- ...base64-encoded certificate... -----END CERTIFICATE---- -----BEGIN CERTIFICATE----- ...base64-encoded certificate... -----END CERTIFICATE----
2. Save the certificate body and certificate chain as .pem files using the following commands:
Certificate chain:
aws acm-pca get-certificate --certificate-authority-arn arn:aws:acm-pca:Region:Account:certificate-authority/12345678-1234-1234-1234-123456789012 --certificate-arn arn:aws:acm-pca:Region:Account:certificate-authority/12345678-1234-1234-1234-123456789012/certificate/66506378eb4e296c59b41bbb7b8dd068 --output text --query CertificateChain > certchain.pem
Certificate body:
aws acm-pca get-certificate --certificate-authority-arn arn:aws:acm-pca:Region:Account:certificate-authority/12345678-1234-1234-1234-123456789012 --certificate-arn arn:aws:acm-pca:Region:Account:certificate-authority/12345678-1234-1234-1234-123456789012/certificate/66506378eb4e296c59b41bbb7b8dd068 --output text --query Certificate > certfile.pem
3. To use the private certificate with integrated services, follow the instructions to import a certificate using the import-certificate command:
Note: Replace certfile.pem, privately.key, and certchain.pem with your file names.
aws acm import-certificate --certificate fileb://certfile.pem --private-key file://privatekey.key --certificate-chain file://certchain.pem
Relevant content
- asked 6 months ago
- asked a year ago
- Accepted Answerasked 5 months ago
- Accepted Answerasked a year ago
- AWS OFFICIALUpdated 2 years ago
- Can I use ACM to issue private certificates when the AWS Private CA validity is less than 13 months?AWS OFFICIALUpdated 4 months ago
- AWS OFFICIALUpdated 2 years ago
- AWS OFFICIALUpdated 2 years ago
