I requested an AWS Certificate Manager (ACM) private certificate but I received a "Failed" error or the certificate status is "Failed".
Short description
You can use the ACM console to issue and manage certificates with a validity period of exactly 395 days (13 months). If you use the ACM console to request a certificate with a period that's not exactly 395 days, you receive a "Failed" error.
To resolve this error, use the IssueCertificate API, a feature of AWS Private Certificate Authority, to request a private certificate with a shorter validity period. Then, import the certificate into ACM for use with integrated services.
Note: Certificates aren't visible in the ACM console if you used the IssueCertificate API to request a certificate.
Resolution
Use the IssueCertificate API to issue a new private certificate with a validity period shorter than the CA's validity period
Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshoot AWS CLI errors. Also, make sure that you're using the most recent AWS CLI version.
Use the issue-certificate command to issue a private certificate with an expiry date earlier than the end of the CA's validity period:
aws acm-pca issue-certificate --certificate-authority-arn arn:aws:acm-pca:us-west-2:123456789012:certificate-authority/12345678-1234-1234-1234-123456789012 --csr fileb://cert_1.csr --signing-algorithm "SHA256WITHRSA" --validity Value=300,Type="DAYS" --idempotency-token 1234
Note: You must generate your own CSR and private key for the private certificate.
Get the private certificate body and chain from AWS Private CA and import them into ACM
- Use the get-certificate command to get the private certificate's body and chain:
aws acm-pca get-certificate \
  --certificate-authority-arn arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012 \
  --certificate-arn arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012/certificate/6707447683a9b7f4055627ffd55cebcc \
  --output text
The get-certificate command shows the base64-encoded PEM format certificate and the certificate chain:
-----BEGIN CERTIFICATE-----
...base64-encoded certificate...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...base64-encoded certificate...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...base64-encoded certificate...
-----END CERTIFICATE-----
- Use the following commands to save the certificate body and certificate chain as .pem files:
Certificate chain:
aws acm-pca get-certificate --certificate-authority-arn arn:aws:acm-pca:Region:Account:certificate-authority/12345678-1234-1234-1234-123456789012 --certificate-arn arn:aws:acm-pca:Region:Account:certificate-authority/12345678-1234-1234-1234-123456789012/certificate/66506378eb4e296c59b41bbb7b8dd068 --output text --query CertificateChain > certchain.pem
Certificate body:
aws acm-pca get-certificate --certificate-authority-arn arn:aws:acm-pca:Region:Account:certificate-authority/12345678-1234-1234-1234-123456789012 --certificate-arn arn:aws:acm-pca:Region:Account:certificate-authority/12345678-1234-1234-1234-123456789012/certificate/66506378eb4e296c59b41bbb7b8dd068 --output text --query Certificate > certfile.pem
- Use the import-certificate command to import the certificate to ACM:
Note: Replace certfile.pem, privatekey.key, and certchain.pem with your file names.
aws acm import-certificate --certificate fileb://certfile.pem --private-key fileb://privatekey.key --certificate-chain fileb://certchain.pem
On success, the command returns the Amazon Resource Name (ARN) of the imported certificate.
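The checks below are an added example, not part of the AWS article: they confirm offline, with openssl, that a requested --validity value does not outlive the CA (the cause of the "Failed" status above) and that the certificate body, chain and private key fit together before you run import-certificate. It assumes openssl is on PATH; make_fixture builds a constructed throwaway CA and leaf (file names mirror the article's) standing in for the real CA certificate, which you would fetch with aws acm-pca get-certificate-authority-certificate.

```shell
#!/bin/sh
# Added example, not from the AWS article: offline pre-flight checks for the procedure above.
# Assumes openssl on PATH. make_fixture builds a constructed throwaway CA and leaf that stand
# in for the AWS Private CA certificate and the get-certificate output; names mirror the article.
set -eu

# make_fixture DIR: constructed CA valid for 365 days and a leaf issued for 300 days.
make_fixture() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Example Private CA" \
    -keyout "$1/ca.key" -out "$1/certchain.pem" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=app.example.internal" \
    -keyout "$1/privatekey.key" -out "$1/cert_1.csr" >/dev/null 2>&1
  openssl x509 -req -days 300 -in "$1/cert_1.csr" -CA "$1/certchain.pem" \
    -CAkey "$1/ca.key" -CAcreateserial -out "$1/certfile.pem" >/dev/null 2>&1
}

# validity_fits DAYS CA_PEM: succeeds when the CA is still valid DAYS from now, i.e. an
# issue-certificate --validity Value=DAYS,Type=DAYS request would not outlive the CA.
validity_fits() {
  openssl x509 -noout -checkend $(( $1 * 86400 )) -in "$2" >/dev/null 2>&1
}

# max_validity_days CA_PEM: largest whole-day validity the CA can still cover (binary search).
max_validity_days() {
  lo=0; hi=3650
  while [ "$lo" -lt "$hi" ]; do
    mid=$(( (lo + hi + 1) / 2 ))
    if validity_fits "$mid" "$1"; then lo=$mid; else hi=$(( mid - 1 )); fi
  done
  echo "$lo"
}

# import_ready CERT_PEM KEY_PEM CHAIN_PEM: checks to run before aws acm import-certificate:
# the certificate body chains to the CA, and the private key matches the certificate.
import_ready() {
  openssl verify -CAfile "$3" "$1" >/dev/null 2>&1 || return 1
  [ "$(openssl x509 -noout -pubkey -in "$1")" = "$(openssl pkey -pubout -in "$2")" ]
}

# Demo when run as "sh this.sh demo": print the largest validity the constructed CA covers.
if [ "${1:-}" = "demo" ]; then
  work=$(mktemp -d); make_fixture "$work"
  echo "max --validity Value=$(max_validity_days "$work/certchain.pem"),Type=DAYS"
fi
```

Against a real CA, pass the file written by get-certificate-authority-certificate to validity_fits before issue-certificate, and the certfile.pem, privatekey.key and certchain.pem from the steps above to import_ready.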
Related information
How do I resolve errors when issuing a new ACM-PCA certificate?
Why can't I import a third-party public SSL/TLS certificate into ACM?
Issuing private end-entity certificates