Certificate administration

This page was generated from content adapted from the AWS Developer Guide

Issuing private end-entity certificates

  • Note Certificates created with the procedure below, using the issue-certificate command, or with the IssueCertificate API action, cannot be exported for use outside AWS. However, you can use your private CA to sign certificates issued through ACM, and those certificates can be exported along with their private keys. For more information, see Requesting a private certificate and Exporting a private certificate in the ACM User Guide.

  • Note AWS Private CA immediately returns an ARN with a serial number when it receives the issue-certificate command. However, certificate processing happens asynchronously and can still fail. If this happens, a get-certificate command using the new ARN will also fail.

  • Note It is also possible to create a private CA that passes custom attributes to each certificate it issues.

Retrieving a private certificate

  • Note If you want to revoke a certificate, you can use the get-certificate command to retrieve the serial number in hexadecimal format. You can also create an audit report to retrieve the hex serial number. For more information, see Using audit reports with your private CA.
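Extracting the hexadecimal serial number from the PEM that get-certificate returns, as an added example that is not part of the AWS guide. It parses just enough DER with the Python standard library to reach serialNumber (the same value `openssl x509 -text -noout` prints), handles the sign-padding byte DER adds to a serial whose high bit is set, and the certificate skeleton it builds as input is constructed for the demonstration, not a real certificate.

```python
import base64

def _read_tlv(buf: bytes, pos: int):
    """Read one DER TLV at buf[pos]; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def serial_from_pem(pem: str) -> str:
    """Serial number of a PEM certificate as colon-separated hex, as 'openssl x509 -text' prints it."""
    body = "".join(l for l in pem.strip().splitlines() if not l.startswith("-----"))
    der = base64.b64decode(body)
    # Certificate ::= SEQUENCE { tbsCertificate SEQUENCE { [0] version OPTIONAL, serialNumber INTEGER, ... } }
    tag, start, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, start, _ = _read_tlv(der, start)
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, vstart, vend = _read_tlv(der, start)
    if tag == 0xA0:                          # explicit [0] version is present in v2/v3 certificates: skip it
        tag, vstart, vend = _read_tlv(der, vend)
    if tag != 0x02:
        raise ValueError("serialNumber is not an INTEGER")
    # DER INTEGER is two's complement: a leading 0x00 is only sign padding for a value whose high bit is set
    value = int.from_bytes(der[vstart:vend], "big", signed=True)
    if value <= 0:
        raise ValueError("serial number must be positive")
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    return ":".join(f"{b:02x}" for b in raw)

def _der(tag: int, content: bytes) -> bytes:
    """Minimal DER encoder (short and long length forms), used only to build the constructed sample below."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    nb = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | nb]) + n.to_bytes(nb, "big") + content

def sample_pem(serial: bytes) -> str:
    """Constructed input: a v3 tbsCertificate skeleton holding only version and serial; NOT a usable certificate."""
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, serial))
    b64 = base64.b64encode(_der(0x30, tbs)).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"
```

Feed the PEM returned by get-certificate to serial_from_pem to obtain the hexadecimal serial that the revocation step needs; the parser stops at serialNumber, so it works on a full certificate as well as on the skeleton built here.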

Revoking a private certificate

  • Note Cross-account certificate issuers need additional permissions to revoke the certificates that they issue; otherwise, the CA owner must perform revocation. To enable revocation by cross-account issuers, the CA administrator must create two RAM shares, both pointing at the same CA:
      ◦ A share with the AWSRAMRevokeCertificateCertificateAuthority permission.
      ◦ A share with the AWSRAMDefaultPermissionCertificateAuthority permission.

Certificate templates