How do I use the ACM console to request a private certificate when the AWS Private CA validity is less than 13 months?


I requested an AWS Certificate Manager (ACM) private certificate but I received a "Failed" error or the certificate status is "Failed".

Short description

You can use the ACM console to issue and manage certificates with a validity period of exactly 395 days (13 months). If you use the ACM console to request a certificate with a period that's not exactly 395 days, you receive a "Failed" error.

To resolve this error, use the IssueCertificate API, a feature of AWS Private Certificate Authority, to request a private certificate with a shorter validity period. Then, import the certificate into ACM for use with integrated services.

Note: Certificates aren't visible in the ACM console if you used the IssueCertificate API to request a certificate.

Resolution

Use the IssueCertificate API to issue a new private certificate with a validity period less than the CA's validity period

Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshoot AWS CLI errors. Also, make sure that you're using the most recent AWS CLI version.

Use the issue-certificate command to issue a private certificate with an expiry date earlier than the CA's expiry date:

aws acm-pca issue-certificate --certificate-authority-arn arn:aws:acm-pca:us-west-2:123456789012:certificate-authority/12345678-1234-1234-1234-123456789012 --csr fileb://cert_1.csr --signing-algorithm "SHA256WITHRSA" --validity Value=300,Type="DAYS" --idempotency-token 1234

Note: You must generate your own CSR and private key for the private certificate.
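The issue-certificate call above relies on you choosing a --validity that ends before the CA certificate itself expires. As an added example (not part of the AWS article), this stdlib-only Python reads the CA certificate's notAfter straight from its DER encoding and computes the largest whole-day --validity that still fits; constructed_ca_pem() builds a certificate-shaped blob purely as constructed test input and is not a real CA certificate.

```python
import base64
import datetime as dt

def _tlv(data, pos=0):
    """Decode one DER TLV at pos -> (tag, value, position after it)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                             # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def _children(seq):
    """Decode every TLV inside a SEQUENCE body."""
    pos, out = 0, []
    while pos < len(seq):
        tag, val, pos = _tlv(seq, pos)
        out.append((tag, val))
    return out

def _asn1_time(tag, val):
    """UTCTime (0x17, two-digit year, RFC 5280 century rule) or GeneralizedTime (0x18)."""
    s = val.decode("ascii")
    if tag == 0x17:
        s = ("19" if int(s[:2]) >= 50 else "20") + s
    return dt.datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=dt.timezone.utc)

def cert_not_after(pem):
    """Walk Certificate -> tbsCertificate -> validity and return notAfter as UTC."""
    der = base64.b64decode("".join(l for l in pem.splitlines() if not l.startswith("-----")))
    fields = _children(_children(_tlv(der)[1])[0][1])
    if fields[0][0] == 0xA0:                      # skip optional [0] EXPLICIT version
        fields = fields[1:]
    validity = fields[3][1]                       # serial, signatureAlgorithm, issuer, validity
    return _asn1_time(*_children(validity)[1])

def max_validity_days(ca_pem, now):
    """Largest --validity Value=N,Type=DAYS that still ends before the CA's notAfter."""
    return max((cert_not_after(ca_pem) - now).days - 1, 0)  # one day of slack for clock skew

def _der(tag, body):
    """Tiny DER encoder (short-form lengths only) used to build the constructed sample."""
    return bytes([tag, len(body)]) + body

def constructed_ca_pem(not_after="251231235959Z"):
    """CONSTRUCTED test input: Certificate-shaped DER (version, serial, algorithm,
    empty issuer, Validity, empty placeholders); not a real or trusted CA certificate."""
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")
           + _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b")) + _der(0x30, b"")
           + _der(0x30, _der(0x17, b"240101000000Z") + _der(0x17, not_after.encode())))
    cert = _der(0x30, _der(0x30, tbs) + _der(0x30, b"") + _der(0x03, b"\x00"))
    b64 = base64.b64encode(cert).decode()
    return "-----BEGIN CERTIFICATE-----\n" + b64 + "\n-----END CERTIFICATE-----\n"
```

Pass cert_not_after() the PEM of your real CA certificate (for example, the output of aws acm-pca get-certificate-authority-certificate) and use the returned day count as the upper bound for --validity.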

Get the private certificate body and chain from AWS Private CA and import them into ACM

  1. Use the get-certificate command to get the private certificate's body and chain:

    aws acm-pca get-certificate \
        --certificate-authority-arn arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012 \
        --certificate-arn arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012/certificate/6707447683a9b7f4055627ffd55cebcc \
        --output text

    The get-certificate command shows the base64-encoded PEM format certificate and the certificate chain:

    -----BEGIN CERTIFICATE-----
    ...base64-encoded certificate...
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    ...base64-encoded certificate...
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    ...base64-encoded certificate...
    -----END CERTIFICATE-----
  2. Use the following commands to save the certificate body and certificate chain as .pem files:

    Certificate chain:

    aws acm-pca get-certificate --certificate-authority-arn arn:aws:acm-pca:Region:Account:certificate-authority/12345678-1234-1234-1234-123456789012 --certificate-arn arn:aws:acm-pca:Region:Account:certificate-authority/12345678-1234-1234-1234-123456789012/certificate/66506378eb4e296c59b41bbb7b8dd068 --output text --query CertificateChain > certchain.pem

    Certificate body:

    aws acm-pca get-certificate --certificate-authority-arn arn:aws:acm-pca:Region:Account:certificate-authority/12345678-1234-1234-1234-123456789012 --certificate-arn arn:aws:acm-pca:Region:Account:certificate-authority/12345678-1234-1234-1234-123456789012/certificate/66506378eb4e296c59b41bbb7b8dd068 --output text --query Certificate > certfile.pem
  3. Use the import-certificate command to import the certificate to ACM:

    Note: Replace certfile.pem, privatekey.key, and certchain.pem with your own file names.

    aws acm import-certificate --certificate fileb://certfile.pem --private-key fileb://privatekey.key --certificate-chain fileb://certchain.pem

On success, the command returns the Amazon Resource Name (ARN) of the imported certificate.

Related information

How do I resolve errors when issuing a new ACM-PCA certificate?

Why can't I import a third-party public SSL/TLS certificate into ACM?

Issuing private end-entity certificates