How do I resolve errors when issuing a new ACM-PCA certificate?

Last updated: 2022-07-07

I tried requesting a new private end-entity certificate or subordinate CA for AWS Certificate Manager (ACM) and the request failed.

Short description

To troubleshoot failed private certificate requests, check the following:

  • The pathLenConstraint parameter of the issuing certificate authority.
  • The status of the issuing certificate authority.
  • The signing algorithm family of the issuing certificate authority.
  • The validity period of the requested certificate.
  • AWS Identity and Access Management (IAM) permissions.

Resolution

The "pathLenConstraint" parameter of the issuing certificate authority

Creating a CA with a path length greater than or equal to the path length of its issuing CA certificate returns a ValidationException error. Make sure that the pathLenConstraint for issuing an ACM subordinate CA is less than the path length of the issuing CA.

The status of the issuing certificate authority

Issuing a new PCA certificate using the IssueCertificate API with an expired a CA (which isn't in Active status) returns a InvalidStateException failure code.

If the signing CA is expired, make sure that you renew it first before issuing new subordinate CA certificates or ACM private certificates.

The signing algorithm family of the issuing certificate authority

The AWS Management Console doesn't support issuing private ECDSA certificates, and so the issuing CA is unavailable. This occurs even if an ECDSA private subordinate certificate authority was already created. You can use the IssueCertificate API call and specify the ECDSA variant with the --signing-algorithm flag.

The validity period of the requested certificate

Certificates issued and managed by ACM (those certificates that ACM generates the private key for) have a validity period of 13 months (395 days).

For ACM Private CA, you can use the IssueCertificate API to apply any validity period. However, if you specify the certificate validity period longer than the issuing certificate authority, the certificate issuance fails.

It's a best practice to set the CA certificate validity period to a value that's two to five times as large as the period of child or end-entity certificates. For more information, see Choosing validity periods.

IAM permissions

Private certificates issued with IAM identities must have the required permissions, or the request fails with an "AccessDenied" error. It's a best practice to grant your IAM identities permission to issue private certificates while adhering to the principle of granting least privilege.

For more information, see Identity and Access Management for AWS Certificate Manager Private Certificate Authority.