How can I request a private certificate using the ACM Console when ACM-PCA validity period is less than 13 months?
Last updated: 2019-10-31
I requested an AWS Certificate Manager (ACM) private certificate and received a "Failed" error or the certificate status is "Failed". How can I resolve this?
Short Description
Certificates requested through the ACM console are valid for 13 months. An ACM Private CA can't issue a private certificate whose requested validity exceeds the CA's own validity period.
Resolution
Issue a new private certificate from an ACM Private CA with an expiry date greater than 13 months. Then get the private certificate body and chain, and import them into ACM.
Important: Before you begin, you must have the AWS CLI installed and configured.
1. Use the issue-certificate command to issue a private certificate from a CA with an expiry date greater than 13 months similar to the following:
aws acm-pca issue-certificate --certificate-authority-arn arn:aws:acm-pca:us-west-2:123456789012:certificate-authority/12345678-1234-1234-1234-123456789012 --csr file://C:\cert_1.csr --signing-algorithm "SHA256WITHRSA" --validity Value=365,Type="DAYS" --idempotency-token 1234
In this example, 365 days are used, because the root CA validity must be a year or more. Use the same validity period as your root CA.
2. Use the get-certificate command to get the private certificate's body and chain similar to the following:
aws acm-pca get-certificate \
--certificate-authority-arn arn:aws:acm-pca:region:account:\
certificate-authority/12345678-1234-1234-1234-123456789012 \
--certificate-arn arn:aws:acm-pca:region:account:\
certificate-authority/12345678-1234-1234-1234-123456789012/\
certificate/6707447683a9b7f4055627ffd55cebcc \
--output text
The get-certificate command outputs the base64-encoded PEM format certificate and the certificate chain similar to the following:
-----BEGIN CERTIFICATE-----
...base64-encoded certificate...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...base64-encoded certificate...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...base64-encoded certificate...
-----END CERTIFICATE-----
Save the certificate body and certificate chain as .pem files using the following commands:
Certificate chain:
aws acm-pca get-certificate --certificate-authority-arn arn:aws:acm-pca:Region:Account:certificate-authority/12345678-1234-1234-1234-123456789012 --certificate-arn arn:aws:acm-pca:Region:Account:certificate-authority/12345678-1234-1234-1234-123456789012/certificate/66506378eb4e296c59b41bbb7b8dd068 --output text --query CertificateChain > certchain.pem
Certificate body:
aws acm-pca get-certificate --certificate-authority-arn arn:aws:acm-pca:Region:Account:certificate-authority/12345678-1234-1234-1234-123456789012 --certificate-arn arn:aws:acm-pca:Region:Account:certificate-authority/12345678-1234-1234-1234-123456789012/certificate/66506378eb4e296c59b41bbb7b8dd068 --output text --query Certificate > certfile.pem
3. Then, follow the instructions for Importing Certificates into AWS Certificate Manager using the import-certificate command similar to the following:
Note: Replace certfile.pem, certchain.pem, and PrivateKey.pem with your file names.
aws acm import-certificate --certificate file://certfile.pem --certificate-chain file://certchain.pem --private-key file://PrivateKey.pem
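The three steps above combined into one script, as an added example that is not part of the original article: it refuses a validity longer than the CA's remaining validity, waits for the CA to sign, checks the fetched body and chain, then imports. CA_ARN, CSR_FILE and KEY_FILE are placeholders, and the script assumes the AWS CLI is installed with credentials configured.

```sh
#!/bin/sh
# Added example, not from the AWS article: the three steps above
# (issue, wait, fetch, import) as one script. CA_ARN, CSR_FILE and
# KEY_FILE are placeholders to replace with your own values.
set -eu

CA_ARN="${CA_ARN:-arn:aws:acm-pca:REGION:ACCOUNT:certificate-authority/CA-ID}"  # placeholder
CSR_FILE="${CSR_FILE:-cert_1.csr}"        # placeholder: the CSR from step 1
KEY_FILE="${KEY_FILE:-PrivateKey.pem}"    # placeholder: key that signed the CSR

# Succeeds only if the requested validity (days) is positive and does not
# exceed the CA's remaining validity (days); ACM Private CA rejects longer.
validity_fits() {
  [ "$1" -gt 0 ] 2>/dev/null && [ "$1" -le "$2" ]
}

# Number of certificates in a PEM bundle such as the get-certificate
# text output above (leaf first, then the chain).
pem_count() {
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Issue a certificate valid for $1 days from a CA with $2 days left, wait
# for it, save body and chain as .pem files, import into ACM; prints the ARN.
issue_and_import() {
  days=$1; ca_days=$2
  validity_fits "$days" "$ca_days" ||
    { echo "validity $days exceeds CA validity $ca_days" >&2; return 1; }
  cert_arn=$(aws acm-pca issue-certificate \
    --certificate-authority-arn "$CA_ARN" --csr "file://$CSR_FILE" \
    --signing-algorithm SHA256WITHRSA --validity "Value=$days,Type=DAYS" \
    --idempotency-token "$(date +%s)" --query CertificateArn --output text)
  # issue-certificate is asynchronous: block until the CA has signed it.
  aws acm-pca wait certificate-issued \
    --certificate-authority-arn "$CA_ARN" --certificate-arn "$cert_arn"
  aws acm-pca get-certificate --certificate-authority-arn "$CA_ARN" \
    --certificate-arn "$cert_arn" --query Certificate --output text > certfile.pem
  aws acm-pca get-certificate --certificate-authority-arn "$CA_ARN" \
    --certificate-arn "$cert_arn" --query CertificateChain --output text > certchain.pem
  # Sanity check: the body must hold exactly one certificate, the chain at least one.
  [ "$(pem_count certfile.pem)" -eq 1 ] && [ "$(pem_count certchain.pem)" -ge 1 ] ||
    { echo "unexpected get-certificate output" >&2; return 1; }
  aws acm import-certificate --certificate file://certfile.pem \
    --certificate-chain file://certchain.pem --private-key "file://$KEY_FILE" \
    --query CertificateArn --output text
}
```

Run it as `issue_and_import 365 3650` after sourcing the script, substituting the CA's actual remaining validity in days for the second argument.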