I tried to delete my ACM certificate but received an error that it's in use with other AWS resources
Last updated: 2021-09-15
I tried to delete an AWS Certificate Manager (ACM) certificate. However, I received an error similar to "The certificate is in use (associated with other AWS resources) and cannot be deleted. Disassociate the certificate from each resource in the list and try again."
Deploying an edge-optimized API endpoint creates an Amazon CloudFront distribution by Amazon API Gateway. Deploying a Regional API endpoint creates an Application Load Balancer by API Gateway. The CloudFront distribution or Application Load Balancer is owned by API Gateway, not your account. The ACM certificate provided to deploy API Gateway is associated with the CloudFront distribution or Application Load Balancer.
Similarly, adding a custom domain to your Amazon Cognito user pool creates a CloudFront distribution. The CloudFront distribution is owned by the Amazon Cognito service, not by your account. The ACM certificate provided creating the custom domain is associated with the CloudFront distribution.
Defining a custom endpoint for your domain in Amazon Elasticsearch Service (Amazon ES) creates an Application Load Balancer. The Application Load Balancer is owned by the ElasticSearch service, not by your account. The ACM certificate provided with creating the custom endpoint is associated with the Application Load Balancer.
Note: You can check the resource that the ACM certificate is associated with by running the describe-certificate command with AWS Command Line Interface (AWS CLI).
To remove the association of the ACM certificate with the CloudFront distribution or Application Load Balancer, you must replace the ACM certificate associated with the custom domain, or delete the custom domain.
- Before you begin, be sure that you have installed and configured the AWS CLI.
- If you receive errors when running AWS CLI commands, make sure that you’re using the most recent version of the AWS CLI.
To remove the association of the ACM certificate, do one of the following:
- To replace the ACM certificate for API Gateway, follow the instructions to rotate a certificate imported into ACM.
- To replace the ACM certificate for Amazon Cognito, follow the instructions for changing the SSL certificate for your custom domain.
- To delete the custom domain name for API Gateway, run the AWS command delete-domain-name.
- To delete the custom domain name for Amazon Cognito, run the AWS command delete-user-pool-domain.
- To update the ACM certificate for Amazon ES, follow the instructions to customize your endpoint.
Then, delete the ACM certificate.