AWS Certificate Manager (ACM) issues certificates with a validity of 13 months, i.e. 395 days. This validity period can't be changed. Now, when a CA is created using the SHORT_LIVED_CERTIFICATE mode in AWS Private CA, the CA can only issue certificates with a maximum validity of 7 days. Therefore, ACM will fail to issue private certificates from a PCA created with the SHORT_LIVED_CERTIFICATE mode. This is mentioned in our AWS PCA user guide at https://docs.aws.amazon.com/privateca/latest/userguide/short-lived-certificates.html#short.
To get certificates from a PCA created with the SHORT_LIVED_CERTIFICATE mode, you must use the AWS PCA API IssueCertificate or CLI command issue-certificate where you can specify the validity of the certificate requested as 7 days or less. Please check the API at https://docs.aws.amazon.com/privateca/latest/APIReference/API_IssueCertificate.html and the CLI command at https://docs.aws.amazon.com/cli/latest/reference/acm-pca/issue-certificate.html.
This API or CLI command would need to be run by an IAM principal in the account where your shared PCA exists. Please note that this IAM principal must have the required AWS PCA permissions attached as the IAM permission policy in addition to the resource-based policy provisioned by RAM.
Thanks @AWS-User-4837236. This means we cannot use an AWS native service for automated renewal with short-lived private certs but would, e.g., need to write Lambda function(s) doing the job via the API, doesn't it? Thanks :)
Yes, that is correct. Only ACM-issued private certificates are eligible for automatic renewal. Now, since ACM cannot issue private certificates from a PCA with SHORT_LIVED_CERTIFICATE mode, the certificates are issued by using the AWS PCA API/CLI (IssueCertificate). And these certificates cannot be renewed. You will need to request a new private certificate using the API/CLI when the previous certificate expires.
And yes, you can write Lambda functions to invoke the AWS PCA APIs to issue and manage your certificates.
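As an added illustration of the workflow described in this thread (this is example code written for this page, not code from AWS or from the answer above), the block below shows the shape of a Lambda-style issuer for a SHORT_LIVED_CERTIFICATE-mode CA: it builds the IssueCertificate parameters with a validity capped at 7 days, refuses anything longer before the call leaves the process, waits for issuance, fetches the certificate, and decides when a fresh certificate must be requested since these certificates cannot be renewed. The CA ARN and CSR are placeholders, and the `FakePcaClient` is a constructed stand-in for the boto3 `acm-pca` client so the logic can be run offline; the real client is created inside `lambda_handler` only when deployed.

```python
"""Issue and re-request short-lived private certificates from AWS Private CA.

Assumptions (not from the thread): the CA was created in SHORT_LIVED_CERTIFICATE
mode, the caller is an IAM principal in the CA's account holding
acm-pca:IssueCertificate and acm-pca:GetCertificate, and the workload supplies
its own CSR.  CA_ARN and CSR_PEM below are placeholders.
"""
from datetime import datetime, timedelta, timezone

SHORT_LIVED_MAX_DAYS = 7  # upper bound for a SHORT_LIVED_CERTIFICATE-mode CA
CA_ARN = "arn:aws:acm-pca:REGION:ACCOUNT_ID:certificate-authority/PLACEHOLDER"
CSR_PEM = b"-----BEGIN CERTIFICATE REQUEST-----\nPLACEHOLDER\n-----END CERTIFICATE REQUEST-----\n"


def build_issue_certificate_params(ca_arn: str, csr_pem: bytes, validity_days: int,
                                   signing_algorithm: str = "SHA256WITHRSA") -> dict:
    """Keyword arguments for acm-pca IssueCertificate.

    The validity check runs locally so a misconfigured schedule fails loudly in
    the issuer instead of as a rejected API call at 3 a.m.
    """
    if not 1 <= validity_days <= SHORT_LIVED_MAX_DAYS:
        raise ValueError(
            f"short-lived CA: validity must be 1..{SHORT_LIVED_MAX_DAYS} days, got {validity_days}")
    return {
        "CertificateAuthorityArn": ca_arn,
        "Csr": csr_pem,
        "SigningAlgorithm": signing_algorithm,
        "Validity": {"Value": validity_days, "Type": "DAYS"},
    }


def renewal_due(not_after: datetime, now: datetime, lead_time: timedelta) -> bool:
    """Short-lived certificates are reissued, never renewed: return True when a
    new request should be made, keeping lead_time before expiry for rollout."""
    return now + lead_time >= not_after


def issue_short_lived_certificate(client, ca_arn: str, csr_pem: bytes, validity_days: int) -> dict:
    """Issue, wait for, and fetch a certificate; returns the GetCertificate response."""
    params = build_issue_certificate_params(ca_arn, csr_pem, validity_days)
    cert_arn = client.issue_certificate(**params)["CertificateArn"]
    # Issuance is asynchronous; GetCertificate can return RequestInProgress otherwise.
    client.get_waiter("certificate_issued").wait(
        CertificateAuthorityArn=ca_arn, CertificateArn=cert_arn)
    return client.get_certificate(CertificateAuthorityArn=ca_arn, CertificateArn=cert_arn)


class FakePcaClient:
    """Constructed offline stand-in for boto3.client('acm-pca'); records calls."""

    def __init__(self):
        self.issued = []

    def issue_certificate(self, **params):
        self.issued.append(params)
        return {"CertificateArn": f"{params['CertificateAuthorityArn']}/certificate/{len(self.issued)}"}

    def get_waiter(self, name):
        assert name == "certificate_issued"
        return type("W", (), {"wait": staticmethod(lambda **kw: None)})()

    def get_certificate(self, CertificateAuthorityArn, CertificateArn):
        return {"Certificate": "-----BEGIN CERTIFICATE-----\nFAKE\n-----END CERTIFICATE-----\n",
                "CertificateChain": ""}


def lambda_handler(event, context):
    """Scheduled entry point: reissue when the current cert is near expiry (assumed event shape)."""
    import boto3  # imported here so the module runs offline without boto3 installed
    not_after = datetime.fromisoformat(event["current_not_after"])
    if not renewal_due(not_after, datetime.now(timezone.utc), timedelta(days=2)):
        return {"action": "none"}
    client = boto3.client("acm-pca")
    resp = issue_short_lived_certificate(client, CA_ARN, CSR_PEM, validity_days=7)
    return {"action": "issued", "certificate": resp["Certificate"]}


if __name__ == "__main__":
    fake = FakePcaClient()
    out = issue_short_lived_certificate(fake, CA_ARN, CSR_PEM, validity_days=3)
    print(fake.issued[0]["Validity"], out["Certificate"].splitlines()[0])
```

The 2-day lead time in `lambda_handler` is an assumed value; with a 7-day maximum validity it leaves a few days to distribute the new certificate and to alert on a failed issuance before the old one expires, which is the operational cost the thread points out when ACM's automatic renewal is unavailable.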