
How do I revoke an AWS Private CA private certificate?


I want to revoke an AWS Private Certificate Authority (CA) private certificate.

Resolution

Note: If you receive errors when you run the AWS Command Line Interface (AWS CLI) commands, then see Troubleshoot AWS CLI errors. Also, make sure that you're using the most recent AWS CLI version.

An AWS Private CA private certificate can be created with either the IssueCertificate API action or with the RequestCertificate API action. Complete the appropriate steps for your AWS Private CA private certificate type.

To revoke an AWS Private CA private certificate, use the AWS CLI command revoke-certificate.

AWS Private CA private certificate created with the IssueCertificate API

Complete the following steps:

  1. To get the serial number for the certificate, first run the get-certificate command. This command returns the base64-encoded PEM certificate, which the redirection saves in the certificate.pem file:

    aws acm-pca get-certificate \
    --certificate-authority-arn arn:aws:acm-pca:eu-west-1:111111111111:certificate-authority/12345678-1234-1234-1234-123456789012 \
    --certificate-arn arn:aws:acm-pca:eu-west-1:111111111111:certificate-authority/12345678-1234-1234-1234-123456789012/certificate/3d295f5691637e577f3c192acd79d401 \
    --query 'Certificate' --output text > certificate.pem

    Note: Replace the --certificate-authority-arn and --certificate-arn values with your own Amazon Resource Name (ARN) values.

  2. To get the serial number, decode the certificate with OpenSSL:

    openssl x509 -in certificate.pem -noout -text

    The following is an example output:

    Serial Number: 3d:29:5f:56:91:63:7e:57:7f:3c:19:2a:cd:79:d4:01

  3. Run the revoke-certificate command and specify the reason for the revocation:

    Note: The revoke-certificate command doesn't return a response.

    aws acm-pca revoke-certificate \
    --certificate-authority-arn arn:aws:acm-pca:eu-west-1:111111111111:certificate-authority/12345678-1234-1234-1234-123456789012 \
    --certificate-serial 3d:29:5f:56:91:63:7e:57:7f:3c:19:2a:cd:79:d4:01 \
    --revocation-reason "KEY_COMPROMISE"

    Use one of the following values to specify why you want to revoke the certificate:
    UNSPECIFIED
    KEY_COMPROMISE
    CERTIFICATE_AUTHORITY_COMPROMISE
    AFFILIATION_CHANGED
    SUPERSEDED
    CESSATION_OF_OPERATION
    PRIVILEGE_WITHDRAWN
    A_A_COMPROMISE

    Note: Replace the --certificate-serial value with the serial number for your certificate. Replace the --revocation-reason value with the appropriate reason.

AWS Private CA private certificate created with the RequestCertificate API

Complete the following steps:

  1. Run the describe-certificate command to get the serial number for your certificate:

    aws acm describe-certificate --certificate-arn arn:aws:acm:region:account:certificate/12345678-1234-1234-1234-123456789012

    Note: Replace the --certificate-arn value with your ARN value.

    The following is an example output:

    "Serial": "3d:29:5f:56:91:63:7e:57:7f:3c:19:2a:cd:79:d4:01"

  2. To revoke the certificate, run the revoke-certificate command:

    Note: The revoke-certificate command doesn't return a response.

    aws acm-pca revoke-certificate \
    --certificate-authority-arn arn:aws:acm-pca:eu-west-1:111111111111:certificate-authority/12345678-1234-1234-1234-123456789012 \
    --certificate-serial 3d:29:5f:56:91:63:7e:57:7f:3c:19:2a:cd:79:d4:01 \
    --revocation-reason "KEY_COMPROMISE"

    Use one of the following values to specify why you want to revoke the certificate:
    A_A_COMPROMISE
    PRIVILEGE_WITHDRAWN
    CESSATION_OF_OPERATION
    SUPERSEDED
    AFFILIATION_CHANGED
    CERTIFICATE_AUTHORITY_COMPROMISE
    KEY_COMPROMISE
    UNSPECIFIED

    Note: Replace the --certificate-serial value with the serial number for your certificate. Replace the --revocation-reason value with the appropriate reason.
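The two procedures above (IssueCertificate and RequestCertificate), as one added Python script that is not part of the article and is not AWS tooling: it obtains the serial either from get-certificate plus OpenSSL or from describe-certificate, normalizes it to the colon-separated form the article uses, checks the revocation reason against the list above, and runs revoke-certificate. The ARNs are the article's placeholders; the aws and openssl binaries are assumed to be on PATH. The parsing functions run offline, and the OpenSSL parser also handles the short-serial form ("Serial Number: 4660 (0x1234)") that OpenSSL prints for small serials, which the article's output does not show.

```python
import json
import re
import subprocess

# Values accepted by --revocation-reason, as listed in the article.
REVOCATION_REASONS = {
    "UNSPECIFIED", "KEY_COMPROMISE", "CERTIFICATE_AUTHORITY_COMPROMISE",
    "AFFILIATION_CHANGED", "SUPERSEDED", "CESSATION_OF_OPERATION",
    "PRIVILEGE_WITHDRAWN", "A_A_COMPROMISE",
}


def to_colon_hex(hexdigits):
    """Normalize a hex string to the lowercase 'xx:xx:...' form used in the article."""
    hexdigits = hexdigits.replace(":", "").lower()
    if len(hexdigits) % 2:
        hexdigits = "0" + hexdigits
    return ":".join(hexdigits[i:i + 2] for i in range(0, len(hexdigits), 2))


def serial_from_openssl_text(text):
    """Extract the serial from `openssl x509 -noout -text` output (IssueCertificate path).

    OpenSSL prints a 16-byte serial as colon-separated hex after "Serial Number:",
    but a small serial as decimal with hex in parentheses, e.g. "4660 (0x1234)".
    """
    m = re.search(r"Serial Number:\s*([0-9a-fA-F]{2}(?::[0-9a-fA-F]{2})+)", text)
    if not m:
        m = re.search(r"Serial Number:\s*\d+\s*\(0x([0-9a-fA-F]+)\)", text)
    if not m:
        raise ValueError("no serial number found in OpenSSL output")
    return to_colon_hex(m.group(1))


def serial_from_describe_output(json_text):
    """Extract the serial from `aws acm describe-certificate` JSON (RequestCertificate path)."""
    return to_colon_hex(json.loads(json_text)["Certificate"]["Serial"])


def revoke_command(ca_arn, serial, reason):
    """Build the argv for `aws acm-pca revoke-certificate`, refusing unknown reasons."""
    if reason not in REVOCATION_REASONS:
        raise ValueError(f"unknown revocation reason: {reason}")
    return ["aws", "acm-pca", "revoke-certificate",
            "--certificate-authority-arn", ca_arn,
            "--certificate-serial", serial,
            "--revocation-reason", reason]


def run(argv, stdin=None):
    """Run a CLI command and return its stdout (assumes aws/openssl are on PATH)."""
    return subprocess.run(argv, input=stdin, check=True,
                          capture_output=True, text=True).stdout


def revoke_issued_certificate(ca_arn, cert_arn, reason):
    """Steps 1-3 for a certificate created with IssueCertificate."""
    pem = run(["aws", "acm-pca", "get-certificate",
               "--certificate-authority-arn", ca_arn,
               "--certificate-arn", cert_arn,
               "--query", "Certificate", "--output", "text"])
    serial = serial_from_openssl_text(run(["openssl", "x509", "-noout", "-text"], stdin=pem))
    run(revoke_command(ca_arn, serial, reason))
    return serial


def revoke_requested_certificate(ca_arn, acm_cert_arn, reason):
    """Steps 1-2 for a certificate created with RequestCertificate (an ACM certificate ARN)."""
    serial = serial_from_describe_output(
        run(["aws", "acm", "describe-certificate",
             "--certificate-arn", acm_cert_arn, "--output", "json"]))
    run(revoke_command(ca_arn, serial, reason))
    return serial


if __name__ == "__main__":
    # Placeholder ARNs copied from the article; replace them with your own.
    CA_ARN = ("arn:aws:acm-pca:eu-west-1:111111111111:certificate-authority/"
              "12345678-1234-1234-1234-123456789012")
    CERT_ARN = CA_ARN + "/certificate/3d295f5691637e577f3c192acd79d401"
    print("revoked serial", revoke_issued_certificate(CA_ARN, CERT_ARN, "KEY_COMPROMISE"))
```

The reason check matters because revoke-certificate returns nothing on success, so a typo in the reason is only surfaced by the CLI's own validation error; catching it locally keeps the script's failure mode explicit.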

Confirm that the AWS Private CA private certificate is revoked

Create an audit report with the AWS CLI

  1. To create an audit report that lists every use of your certificate authority (CA) private key, run the AWS CLI command create-certificate-authority-audit-report:

    aws acm-pca create-certificate-authority-audit-report \
    --certificate-authority-arn arn:aws:acm-pca:eu-west-1:111111111111:certificate-authority/12345678-1234-1234-1234-123456789012 \
    --s3-bucket-name acmcrl2 \
    --audit-report-response-format JSON

    Note: Replace the --certificate-authority-arn value with your ARN value.

    The following is an example output:

    {
        "AuditReportId": "10e5767f-6259-4a23-90bb-628f5a5e1fee",
        "S3Key": "audit-report/12345678-1234-1234-1234-123456789012/10e5767f-6259-4a23-90bb-628f5a5e1fee.json"
    }

    Copy the S3Key value, which is the Amazon Simple Storage Service (Amazon S3) object key of the report.

  2. Download the report from Amazon S3 with the AWS CLI command get-object (the last argument is the local file to write):

    aws s3api get-object --bucket acmcrl2 --key audit-report/12345678-1234-1234-1234-123456789012/10e5767f-6259-4a23-90bb-628f5a5e1fee.json revoked.txt

    Note: Replace the --key value with the S3Key value from the previous step.

    The downloaded report contains an entry for the revoked certificate with a field such as the following:

    "revokedAt": "2021-01-30T15:24:55+0000"

    revokedAt has a timestamp value for when the AWS Private CA private certificate was revoked. The revokedAt value exists only when the certificate status is REVOKED.
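An added Python check for this confirmation step (not part of the article): it reads the audit report saved as revoked.txt, finds the entry for a given serial, and reports whether that entry carries a revokedAt timestamp. The article shows only the revokedAt field; the entry field names serial and revocationReason used here are assumptions about the report format, and the sample report is constructed.

```python
import json


def normalise_serial(serial):
    """Lowercase colon-separated hex, so '3D295F...' and '3d:29:5f:...' compare equal."""
    hexdigits = serial.replace(":", "").lower()
    return ":".join(hexdigits[i:i + 2] for i in range(0, len(hexdigits), 2))


def revocation_status(report_json, serial):
    """Return the revocation state of one serial from an audit report.

    The result is {"revoked": bool, "revokedAt": str|None, "reason": str|None}.
    A serial missing from the report raises KeyError: the CA has no record of
    issuing it, so "not revoked" would be the wrong answer.
    Field names "serial" and "revocationReason" are assumed; "revokedAt" is
    the field the article shows.
    """
    wanted = normalise_serial(serial)
    for entry in json.loads(report_json):
        if normalise_serial(entry.get("serial", "")) == wanted:
            revoked_at = entry.get("revokedAt")
            return {
                "revoked": revoked_at is not None,
                "revokedAt": revoked_at,
                "reason": entry.get("revocationReason"),
            }
    raise KeyError(f"serial {wanted} not found in audit report")


def revocation_status_from_file(path, serial):
    """Same check against the report downloaded by get-object (e.g. revoked.txt)."""
    with open(path, encoding="utf-8") as fh:
        return revocation_status(fh.read(), serial)


# Constructed sample report: one revoked entry and one still-valid entry.
CA_ARN = ("arn:aws:acm-pca:eu-west-1:111111111111:certificate-authority/"
          "12345678-1234-1234-1234-123456789012")
SAMPLE_REPORT = json.dumps([
    {
        "serial": "3d:29:5f:56:91:63:7e:57:7f:3c:19:2a:cd:79:d4:01",
        "certificateArn": CA_ARN + "/certificate/3d295f5691637e577f3c192acd79d401",
        "issuedAt": "2021-01-10T09:00:00+0000",
        "revokedAt": "2021-01-30T15:24:55+0000",
        "revocationReason": "KEY_COMPROMISE",
    },
    {
        "serial": "0a:1b:2c:3d:4e:5f:60:71:82:93:a4:b5:c6:d7:e8:f9",
        "certificateArn": CA_ARN + "/certificate/0a1b2c3d4e5f60718293a4b5c6d7e8f9",
        "issuedAt": "2021-01-12T11:30:00+0000",
    },
])

if __name__ == "__main__":
    print(revocation_status(SAMPLE_REPORT, "3D295F5691637E577F3C192ACD79D401"))
    print(revocation_status(SAMPLE_REPORT, "0a1b2c3d4e5f60718293a4b5c6d7e8f9"))
```

Normalizing the serial before comparing avoids a silent miss when the value was copied from OpenSSL's uppercase `-serial` output rather than the colon form in the report.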

Create an audit report with the AWS Management Console

To use the AWS Management Console to create an audit report, see Create an audit report.

Related information

AWS Private CA best practices

Revoke a private certificate

AWS OFFICIAL (updated 2 months ago)