I want to revoke an AWS Private Certificate Authority (CA) private certificate.
Resolution
Note: If you receive errors when you run the AWS Command Line Interface (AWS CLI) commands, then see Troubleshoot AWS CLI errors. Also, make sure that you're using the most recent AWS CLI version.
An AWS Private CA private certificate can be created with either the IssueCertificate API action or the RequestCertificate API action. Complete the steps that match how your AWS Private CA private certificate was created.
To revoke an AWS Private CA private certificate, use the AWS CLI command revoke-certificate.
AWS Private CA private certificate created with the IssueCertificate API
Complete the following steps:
- To get the serial number for the certificate, run the get-certificate command. This command returns the base64-encoded PEM format certificate and saves it in the certificate.pem file:
aws acm-pca get-certificate \
--certificate-authority-arn arn:aws:acm-pca:eu-west-1:111111111111:certificate-authority/12345678-1234-1234-1234-123456789012 \
--certificate-arn arn:aws:acm-pca:eu-west-1:111111111111:certificate-authority/12345678-1234-1234-1234-123456789012/certificate/3d295f5691637e577f3c192acd79d401 \
--query 'Certificate' --output text > certificate.pem
Note: Replace the --certificate-authority-arn and --certificate-arn values with your Amazon Resource Name (ARN) values.
- To get the serial number, decode the certificate with OpenSSL:
openssl x509 -in certificate.pem -noout -text
The following is an example output:
Serial Number: 3d:29:5f:56:91:63:7e:57:7f:3c:19:2a:cd:79:d4:01
- Run the revoke-certificate command and specify the reason that you're revoking the certificate:
Note: The revoke-certificate command doesn't return a response.
aws acm-pca revoke-certificate \
--certificate-authority-arn arn:aws:acm-pca:eu-west-1:111111111111:certificate-authority/12345678-1234-1234-1234-123456789012 \
--certificate-serial 3d:29:5f:56:91:63:7e:57:7f:3c:19:2a:cd:79:d4:01 \
--revocation-reason "KEY_COMPROMISE"
Use one of the following values to specify why you want to revoke the certificate:
UNSPECIFIED
KEY_COMPROMISE
CERTIFICATE_AUTHORITY_COMPROMISE
AFFILIATION_CHANGED
SUPERSEDED
CESSATION_OF_OPERATION
PRIVILEGE_WITHDRAWN
A_A_COMPROMISE
Note: Replace the --certificate-serial value with the serial number for your certificate. Replace the --revocation-reason value with the appropriate reason.
AWS Private CA private certificate created with the RequestCertificate API
Complete the following steps:
- Run the describe-certificate command to get the serial number for your certificate:
aws acm describe-certificate --certificate-arn arn:aws:acm:region:account:certificate/12345678-1234-1234-1234-123456789012
Note: Replace the --certificate-arn value with your ARN value.
The following is an example output:
"Serial": "3d:29:5f:56:91:63:7e:57:7f:3c:19:2a:cd:79:d4:01"
- To revoke the certificate, run the revoke-certificate command:
Note: The revoke-certificate command doesn't return a response.
aws acm-pca revoke-certificate \
--certificate-authority-arn arn:aws:acm-pca:eu-west-1:111111111111:certificate-authority/12345678-1234-1234-1234-123456789012 \
--certificate-serial 3d:29:5f:56:91:63:7e:57:7f:3c:19:2a:cd:79:d4:01 \
--revocation-reason "KEY_COMPROMISE"
Use one of the following values to specify why you want to revoke the certificate:
A_A_COMPROMISE
PRIVILEGE_WITHDRAWN
CESSATION_OF_OPERATION
SUPERSEDED
AFFILIATION_CHANGED
CERTIFICATE_AUTHORITY_COMPROMISE
KEY_COMPROMISE
UNSPECIFIED
Note: Replace the --certificate-serial value with the serial number for your certificate. Replace the --revocation-reason value with the appropriate reason.
Confirm that the AWS Private CA private certificate is revoked
Create an audit report with the AWS CLI
- To create an audit report that lists every use of your certificate authority (CA) private key, run the AWS CLI command create-certificate-authority-audit-report:
aws acm-pca create-certificate-authority-audit-report \
--certificate-authority-arn arn:aws:acm-pca:eu-west-1:111111111111:certificate-authority/12345678-1234-1234-1234-123456789012 \
--s3-bucket-name acmcrl2 \
--audit-report-response-format JSON
Note: Replace the --certificate-authority-arn value with your ARN value.
The following is an example output:
{
"AuditReportId": "10e5767f-6259-4a23-90bb-628f5a5e1fee",
"S3Key": "audit-report/12345678-1234-1234-1234-123456789012/10e5767f-6259-4a23-90bb-628f5a5e1fee.json"
}
Copy the S3Key value. It's the Amazon Simple Storage Service (Amazon S3) object key of the report.
- Download the report with the AWS CLI command get-object and save it to a local file:
aws s3api get-object --bucket acmcrl2 --key audit-report/12345678-1234-1234-1234-123456789012/10e5767f-6259-4a23-90bb-628f5a5e1fee.json revoked.txt
Note: Replace the --key value with the S3Key value from the previous step.
The entry for your certificate in revoked.txt includes a revokedAt value. The following is an example:
"revokedAt": "2021-01-30T15:24:55+0000"
revokedAt is the timestamp of when the AWS Private CA private certificate was revoked. The revokedAt value exists only when the certificate status is REVOKED, so an entry without it means the certificate was issued by this CA but isn't revoked.
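The serial number appears in three forms during this procedure: as the hex suffix of the certificate ARN (no colons), as the colon-separated Serial Number that openssl prints, and as the Serial field that describe-certificate returns. The following added example, which is not AWS code and not part of this article, normalizes all three forms so they can be compared, and then does the last step above programmatically: it looks a serial up in the downloaded audit report and returns the revokedAt and revocationReason values. The audit report field names it reads (serial, revokedAt, revocationReason, certificateArn) are assumed to match the JSON that create-certificate-authority-audit-report writes, and the report content embedded below is constructed for this example.

```python
# Added example (not AWS code): reconcile the certificate serial across the
# forms it takes in this procedure and confirm revocation from the audit report.
# Assumption: the audit report is a JSON array whose entries carry "serial",
# "certificateArn" and, for revoked certificates only, "revokedAt" and
# "revocationReason". The sample report below is constructed, not a real one.
import json
import re

# Constructed sample: `openssl x509 -noout -text` output for the article's certificate.
OPENSSL_TEXT = """Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            3d:29:5f:56:91:63:7e:57:7f:3c:19:2a:cd:79:d4:01
        Signature Algorithm: sha256WithRSAEncryption
"""

# The certificate ARN from the article; its last path element is the serial without colons.
CERT_ARN = (
    "arn:aws:acm-pca:eu-west-1:111111111111:certificate-authority/"
    "12345678-1234-1234-1234-123456789012/certificate/"
    "3d295f5691637e577f3c192acd79d401"
)

# Constructed sample audit report: one entry per use of the CA private key.
# Only the revoked certificate carries revokedAt / revocationReason.
AUDIT_REPORT_JSON = json.dumps([
    {
        "awsAccountId": "111111111111",
        "certificateArn": CERT_ARN,
        "serial": "3d:29:5f:56:91:63:7e:57:7f:3c:19:2a:cd:79:d4:01",
        "subject": "CN=example.internal",
        "issuedAt": "2021-01-01T00:00:00+0000",
        "revokedAt": "2021-01-30T15:24:55+0000",
        "revocationReason": "KEY_COMPROMISE",
    },
    {
        "awsAccountId": "111111111111",
        "certificateArn": CERT_ARN.rsplit("/", 1)[0] + "/0a1b2c3d0a1b2c3d0a1b2c3d0a1b2c3d",
        "serial": "0a:1b:2c:3d:0a:1b:2c:3d:0a:1b:2c:3d:0a:1b:2c:3d",
        "subject": "CN=other.internal",
        "issuedAt": "2021-01-01T00:00:00+0000",
    },
])


def normalize_serial(serial: str) -> str:
    """Return the serial as lowercase hex with no separators or 0x prefix."""
    s = serial.strip()
    if s.lower().startswith("0x"):
        s = s[2:]
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", s).lower()
    if not hexdigits or len(hexdigits) % 2:
        raise ValueError(f"not an even-length hex serial: {serial!r}")
    return hexdigits


def colon_serial(serial: str) -> str:
    """Return the serial in the colon-separated form used with --certificate-serial."""
    h = normalize_serial(serial)
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))


# openssl prints short serials inline as "Serial Number: 4660 (0x1234)" and long
# ones as a colon-separated hex string on the next line; handle both layouts.
_SERIAL_RE = re.compile(
    r"Serial Number:\s*(?:(\d+)\s*\(0x([0-9a-fA-F]+)\)|([0-9a-fA-F:]+))"
)


def serial_from_openssl_text(text: str) -> str:
    """Extract the serial from `openssl x509 -noout -text` output, colon-separated."""
    m = _SERIAL_RE.search(text)
    if not m:
        raise ValueError("no Serial Number field found")
    hexpart = m.group(2) or m.group(3)
    if len(re.sub(r"[^0-9a-fA-F]", "", hexpart)) % 2:
        hexpart = "0" + hexpart  # 0x123 -> 01:23
    return colon_serial(hexpart)


def serial_from_arn(certificate_arn: str) -> str:
    """The certificate ARN ends in /certificate/<hex serial>; return it colon-separated."""
    return colon_serial(certificate_arn.rsplit("/", 1)[1])


def find_revocation(report_json: str, serial: str):
    """Look a serial up in the audit report and return its revocation details.

    Returns None when the CA never signed that serial. A dict with
    revokedAt == None means the certificate was issued but is not revoked.
    """
    want = normalize_serial(serial)
    for entry in json.loads(report_json):
        if normalize_serial(entry["serial"]) == want:
            return {
                "certificateArn": entry["certificateArn"],
                "revokedAt": entry.get("revokedAt"),
                "revocationReason": entry.get("revocationReason"),
            }
    return None


if __name__ == "__main__":
    serial = serial_from_openssl_text(OPENSSL_TEXT)
    print("serial:", serial, "(matches ARN)" if serial == serial_from_arn(CERT_ARN) else "")
    print("revocation:", find_revocation(AUDIT_REPORT_JSON, serial))
```

To use this against a real report, replace AUDIT_REPORT_JSON with the contents of the file that get-object wrote (revoked.txt above) and pass the serial in whichever form you have; find_revocation normalizes both sides before comparing, so a missing or extra colon never produces a false "not revoked".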
Create an audit report with the AWS Management Console
To use the AWS Management Console to create an audit report, see Create an audit report.
Related information
AWS Private CA best practices
Revoke a private certificate