I tried to delete my ACM certificate but received an error that it is in use with other AWS resources
Last updated: 2020-08-10
I tried to delete an AWS Certificate Manager (ACM) certificate, but I received an error similar to "The certificate is in use (associated with other AWS resources) and cannot be deleted. Disassociate the certificate from each resource in the list and try again."
Deploying an edge-optimized API endpoint creates an Amazon CloudFront distribution by Amazon API Gateway. Deploying a Regional API endpoint creates an Application Load Balancer (ALB) by API Gateway. The CloudFront distribution or ALB is owned by API Gateway, not your account. The ACM certificate provided to deploy API Gateway is associated with the CloudFront distribution or ALB.
Similarly, adding a custom domain to your Amazon Cognito user pool creates a CloudFront distribution. The CloudFront distribution is owned by the Amazon Cognito service, not by your account. The ACM certificate provided creating the custom domain is associated with the CloudFront distribution.
Note: You can check the resource that the ACM certificate is associated with by running the describe-certificate command with AWS Command Line Interface (AWS CLI).
To remove the association of the ACM certificate with the CloudFront distribution or ALB, you must replace the ACM certificate associated with the custom domain, or delete the custom domain.
To remove the association of the ACM certificate, do one of the following:
- To replace the ACM certificate for API Gateway, follow the instructions to rotate a certificate imported into ACM.
- To replace the ACM certificate for Amazon Cognito, follow the instructions for changing the SSL certificate for your custom domain.
- To delete the custom domain name for API Gateway, run the AWS command delete-domain-name.
- To delete the custom domain name for Amazon Cognito, run the AWS command delete-user-pool-domain.
Then, delete the ACM certificate.