How can I request a private certificate using the ACM Console when ACM-PCA validity period is less than 13 months?

Last updated: 2019-10-31

I requested an AWS Certificate Manager (ACM) private certificate and received a "Failed" error or the certificate status is "Failed". How can I resolve this?

Short Description

ACM certificates are valid for 13 months. ACM Private CAs can't issue a private certificate if the validity specified exceeds the CA validity period.

Resolution

Issue a new private certificate from an ACM Private CA with the expiry date greater than 13 months. Then, get the private certificate body and chain, and import to ACM.

Important: Before you begin, you must have the AWS CLI installed and configured.

1. Use the issue-certificate command to issue a private certificate from a CA with an expiry date greater than 13 months similar to the following:

aws acm-pca issue-certificate --certificate-authority-arn arn:aws:acm-pca:us-west-2:123456789012:certificate-authority/12345678-1234-1234-1234-123456789012 --csr file://C:\cert_1.csr --signing-algorithm "SHA256WITHRSA" --validity Value=365,Type="DAYS" --idempotency-token 1234

In this example, 365 days are used, because the root CA validity must be a year or more. Use the same validity period as your root CA.

2. Use the get-certificate command to get the private certificate's body and chain similar to the following:

aws acm-pca get-certificate \
--certificate-authority-arn arn:aws:acm-pca:region:account:\
certificate-authority/12345678-1234-1234-1234-123456789012 \
--certificate-arn arn:aws:acm-pca:region:account:\
certificate-authority/12345678-1234-1234-1234-123456789012/\
certificate/6707447683a9b7f4055627ffd55cebcc \
--output text

The get-certificate command outputs the base64-encoded PEM format certificate and the certificate chain similar to the following:

-----BEGIN CERTIFICATE-----
...base64-encoded certificate...
-----END CERTIFICATE----
-----BEGIN CERTIFICATE-----
...base64-encoded certificate...
-----END CERTIFICATE----
-----BEGIN CERTIFICATE-----
...base64-encoded certificate...
-----END CERTIFICATE----

Save the certificate body and certificate chain as .pem files using the following commands:

Certificate chain:

aws acm-pca get-certificate --certificate-authority-arn  arn:aws:acm-pca:Region:Account:certificate-authority/12345678-1234-1234-1234-123456789012 --certificate-arn arn:aws:acm-pca:Region:Account:certificate-authority/12345678-1234-1234-1234-123456789012/certificate/66506378eb4e296c59b41bbb7b8dd068 --output text --query CertificateChain > certchain.pem

Certificate body:

aws acm-pca get-certificate --certificate-authority-arn  arn:aws:acm-pca:Region:Account:certificate-authority/12345678-1234-1234-1234-123456789012 --certificate-arn arn:aws:acm-pca:Region:Account:certificate-authority/12345678-1234-1234-1234-123456789012/certificate/66506378eb4e296c59b41bbb7b8dd068 --output text --query Certificate > certfile.pem

3. Then, follow the instructions for Importing Certificates into AWS Certificate Manager using the import-certificate command similar to the following:

Note: Replace certfile.pem, certchain.pem, and PrivateKey.pem with your file names.

aws acm import-certificate --certificate file://certfile.pem --certificate-chain file://certchain.pem --private-key file://PrivateKey.pem

Related Information

Creating and Installing the Certificate for a Private CA

Did this article help you?

Yes

Anything we could improve?

Let us know

Need more help?

Contact AWS Support