How can I revoke my ACM private certificate?

Last updated: 2022-06-22

How can I revoke an AWS Certificate Manager (ACM) private certificate?

Short description

You can revoke an ACM private certificate using the revoke-certificate AWS Command Line Interface (AWS CLI) command.

Resolution

Follow these instructions depending on whether the ACM private certificate was created with the IssueCertificate API or in the AWS Management Console with the RequestCertificate API.

Note: If you receive errors when running AWS CLI commands, make sure that you’re using the most recent version of the AWS CLI.

Revoke an ACM private certificate that was created using the IssueCertificate API

Step 1: Get the certificates serial number

The following AWS CLI command get-certificate outputs the base64-encoded PEM format certificate and saves it in the certificate.pem file:

Note: Replace the ARN in these examples with your ARN.

aws acm-pca get-certificate --certificate-authority-arn 
arn:aws:acm-pca:eu-west-1:111111111111:certificate-authority/12345678-1234-1234-1234-123456789012
 \ --certificate-arn 
arn:aws:acm-pca:eu-west-1:111111111111:certificate-authority/12345678-1234-1234-1234-123456789012/certificate/3d295f5691637e577f3c192acd79d401
 \ --query 'Certificate' > certificate.pem --output text

Step 2: Decode the certificate with OpenSSL to get the serial number

openssl x509 -in certificate.pem -noout -text

Example output:

Serial Number: 3d:29:5f:56:91:63:7e:57:7f:3c:19:2a:cd:79:d4:01 \

Step 3: Revoke the certificate

Run the AWS CLI command revoke-certificate similar to the following:

Note: Replace the serial number example with your serial number output from step 2.

aws acm-pca revoke-certificate \ 

--certificate-authority-arn arn:aws:acm-pca:eu-west-1:111111111111:certificate-authority/12345678-1234-1234-1234-123456789012 \ 

--certificate-serial 3d:29:5f:56:91:63:7e:57:7f:3c:19:2a:cd:79:d4:01 \ 

--revocation-reason "KEY_COMPROMISE"

Use one of the following values to specify why you revoked the certificate:

  • UNSPECIFIED
  • KEY_COMPROMISE
  • CERTIFICATE_AUTHORITY_COMPROMISE
  • AFFILIATION_CHANGED
  • SUPERSEDED
  • CESSATION_OF_OPERATION
  • PRIVILEGE_WITHDRAWN
  • A_A_COMPROMISE

Note: The revoke-certificate command doesn't return a response.

Revoke an ACM private certificate that was created using the AWS Management Console or RequestCertificate API

Step 1: Get the certificate's serial number

Run the AWS CLI command describe-certificate similar to the following:

aws acm describe-certificate --certificate-arn arn:aws:acm:region:account:certificate/12345678-1234-1234-1234-123456789012

Example output:

"Serial" : "3d:29:5f:56:91:63:7e:57:7f:3c:19:2a:cd:79:d4:01"

Step 2: Revoke the certificate

Run the AWS CLI command revoke-certificate similar to the following:

Note: Replace the serial number example with your serial number output from step 1.

aws acm-pca revoke-certificate \    

--certificate-authority-arn 
arn:aws:acm-pca:eu-west-1:111111111111:certificate-authority/12345678-1234-1234-1234-123456789012
 \    

--certificate-serial 3d:29:5f:56:91:63:7e:57:7f:3c:19:2a:cd:79:d4:01 \  

--revocation-reason "KEY_COMPROMISE"

Use one of the following values to specify why you revoked the certificate:

  • A_A_COMPROMISE
  • PRIVILEGE_WITHDRAWN
  • CESSATION_OF_OPERATION
  • SUPERSEDED
  • AFFILIATION_CHANGED
  • CERTIFICATE_AUTHORITY_COMPROMISE
  • KEY_COMPROMISE
  • UNSPECIFIED

Note: The revoke-certificate command doesn't return a response.

Confirm that the ACM private certificate was revoked

Create an audit report using the AWS CLI

To create an audit report that lists every time that your CA private key is used, run the AWS CLI command create-certificate-authority-audit-report:

aws acm-pca create-certificate-authority-audit-report \ 

--certificate-authority-arn arn:aws:acm-pca:eu-west-1:111111111111:certificate-authority/12345678-1234-1234-1234-123456789012 \ 

--s3-bucket-name acmcrl2 \ 

--audit-report-response-format JSON

Example output:

{     

"AuditReportId": "10e5767f-6259-4a23-90bb-628f5a5e1fee",     

"S3Key": "audit-report/12345678-1234-1234-1234-123456789012/10e5767f-6259-4a23-90bb-628f5a5e1fee.json" 

}

Note the Amazon Simple Storage Service (Amazon S3) key ID.

Get the Amazon S3 object with the AWS CLI command get-object:

aws s3api get-object --bucket acmcrl2 --key 
audit-report/12345678-1234-1234-1234-123456789012/10e5767f-6259-4a23-90bb-628f5a5e1fee.json
 revoked.txt

Example output:

"revokedAt": "2021-01-30T15:24:55+0000"

Note the timestamp in the revokedAt value. The revokedAt value exists only when the certificate status is REVOKED.

Create an audit report using the AWS Management Console

Follow the instructions to create an audit report using the AWS Management Console.

For more information, see Revoking a private certificate.


Did this article help?


Do you need billing or technical support?