How can I request a private certificate using the ACM console when ACM-PCA validity period is less than 13 months?

Last updated: 2020-10-28

I requested an AWS Certificate Manager (ACM) private certificate and received a "Failed" error or the certificate status is "Failed". How can I resolve this?

Short description

Private certificates requested with the ACM console are valid for 13 months. ACM private CAs can't issue a private certificate if the validity exceeds the CA validity period. If the CA validity period is less than 13 months, you receive a "Failed" error requesting a private certificate with the ACM console.

To resolve this error, request a private certificate with a shorter validity period by using the IssueCertificate API. The certificate can then be imported into ACM to be used with integrated services.

Resolution

Use the IssueCertificate API to issue a new private certificate with a validity period less than the CAs validity period

Important:

Use the issue-certificate command to issue a private certificate with an expiry date less than the CAs validity period:

aws acm-pca issue-certificate --certificate-authority-arn arn:aws:acm-pca:us-west-2:123456789012:certificate-authority/12345678-1234-1234-1234-123456789012 --csr file://cert_1.csr --signing-algorithm "SHA256WITHRSA" --validity Value=300,Type="DAYS" --idempotency-token 1234

Note: You must generate your own CSR and private key for the private certificate.

Get the private certificate body and chain from ACM PCA, and then import them into ACM

1.    Use the get-certificate command to get the private certificate's body and chain:

aws acm-pca get-certificate \
--certificate-authority-arn arn:aws:acm-pca:region:account:\
certificate-authority/12345678-1234-1234-1234-123456789012 \
--certificate-arn arn:aws:acm-pca:region:account:\
certificate-authority/12345678-1234-1234-1234-123456789012/\
certificate/6707447683a9b7f4055627ffd55cebcc \
--output text

The get-certificate command outputs the base64-encoded PEM format certificate and the certificate chain:

-----BEGIN CERTIFICATE-----
...base64-encoded certificate...
-----END CERTIFICATE----
-----BEGIN CERTIFICATE-----
...base64-encoded certificate...
-----END CERTIFICATE----
-----BEGIN CERTIFICATE-----
...base64-encoded certificate...
-----END CERTIFICATE----

2.    Save the certificate body and certificate chain as .pem files using the following commands:

Certificate chain:

aws acm-pca get-certificate --certificate-authority-arn  arn:aws:acm-pca:Region:Account:certificate-authority/12345678-1234-1234-1234-123456789012 --certificate-arn arn:aws:acm-pca:Region:Account:certificate-authority/12345678-1234-1234-1234-123456789012/certificate/66506378eb4e296c59b41bbb7b8dd068 --output text --query CertificateChain > certchain.pem

Certificate body:

aws acm-pca get-certificate --certificate-authority-arn  arn:aws:acm-pca:Region:Account:certificate-authority/12345678-1234-1234-1234-123456789012 --certificate-arn arn:aws:acm-pca:Region:Account:certificate-authority/12345678-1234-1234-1234-123456789012/certificate/66506378eb4e296c59b41bbb7b8dd068 --output text --query Certificate > certfile.pem

3.    To use the private certificate with integrated services, follow the instructions to import a certificate using the import-certificate command:

Note: Replace certfile.pem, privately.key, and certchain.pem with your file names.

aws acm import-certificate --certificate file://certfile.pem --private-key file://privatekey.key --certificate-chain file://certchain.pem

Did this article help?


Do you need billing or technical support?