Testing the managed renewal of your private PKI certificates - AWS Certificate Manager


Testing the managed renewal of your private PKI certificates

You can use the ACM API or the AWS CLI to manually test the configuration of your ACM managed renewal workflow. By doing so, you can confirm that ACM will renew your certificates automatically before they expire.


You can only test the renewal of certificates issued by ACM Private CA.

When you use the API actions or CLI commands described below, ACM attempts to renew the certificate. If the renewal succeeds, ACM updates the certificate metadata displayed in the management console or in API output. If the certificate is associated with an ACM integrated service, the new certificate is deployed and a renewal event is generated in Amazon CloudWatch Events. If the renewal fails, ACM returns an error and suggests remedial action. (You can view this information using the describe-certificate command.) If the certificate is not deployed through an integrated service, you still need to export it and manually install it on your resource.


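To renew your ACM certificates with ACM Private CA, you must first grant the ACM service principal permission to do so. For more information, see Assigning Certificate Renewal Permissions to ACM.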

To manually test certificate renewal (AWS CLI)

  1. Use the renew-certificate command to renew an exported private certificate.

    aws acm renew-certificate --certificate-arn arn:aws:acm-pca:region:account:certificate/12345678-1234-1234-1234-123456789012

  2. Then, use the describe-certificate command to confirm that the certificate's renewal details have been updated.

    aws acm describe-certificate --certificate-arn arn:aws:acm-pca:region:account:certificate/12345678-1234-1234-1234-123456789012
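
The two CLI steps above combined into one check, as an added example that is not part of the AWS page: it requests the renewal, then polls describe-certificate until the renewal succeeds or fails, and reports whether a manual export and install is still needed. The function names, POLL_SECONDS and MAX_POLLS are assumptions of this script; the queried fields (RenewalSummary, NotAfter, InUseBy) are fields of the describe-certificate output.

```shell
#!/bin/sh
# Added example, not from the AWS page. POLL_SECONDS and MAX_POLLS are
# assumed tunables of this script, not ACM settings.
POLL_SECONDS="${POLL_SECONDS:-15}"
MAX_POLLS="${MAX_POLLS:-20}"

# Read one field of describe-certificate via the CLI's global --query option.
cert_field() {  # usage: cert_field <certificate-arn> <JMESPath expression>
  aws acm describe-certificate --certificate-arn "$1" --query "$2" --output text
}

# Exit status: 0 renewed, 1 renewal failed, 2 still pending, 3 request rejected.
test_renewal() {  # usage: test_renewal <certificate-arn>
  tr_arn="$1"; tr_i=0
  # Remember the current expiry so a RenewalSummary left over from an
  # earlier renewal is not mistaken for the result of this test.
  tr_old="$(cert_field "$tr_arn" 'Certificate.NotAfter')" || return 3
  aws acm renew-certificate --certificate-arn "$tr_arn" || return 3
  while [ "$tr_i" -lt "$MAX_POLLS" ]; do
    tr_status="$(cert_field "$tr_arn" 'Certificate.RenewalSummary.RenewalStatus')"
    tr_new="$(cert_field "$tr_arn" 'Certificate.NotAfter')"
    if [ "$tr_status" = SUCCESS ] && [ "$tr_new" != "$tr_old" ]; then
      # InUseBy lists the resources of integrated services using the certificate.
      tr_used="$(cert_field "$tr_arn" 'length(Certificate.InUseBy || `[]`)')"
      if [ "$tr_used" = 0 ]; then
        echo "renewed (expires $tr_new); no integrated service uses it: export and install it manually"
      else
        echo "renewed (expires $tr_new); in use by $tr_used resource(s)"
      fi
      return 0
    elif [ "$tr_status" = FAILED ]; then
      echo "renewal failed: $(cert_field "$tr_arn" 'Certificate.RenewalSummary.RenewalStatusReason')" >&2
      return 1
    fi
    tr_i=$((tr_i + 1))
    sleep "$POLL_SECONDS"
  done
  echo "renewal still '$tr_status' after $MAX_POLLS polls" >&2
  return 2
}

# Run against a certificate when an ARN is given on the command line.
if [ "$#" -gt 0 ]; then test_renewal "$1"; fi
```
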

To manually test certificate renewal (ACM API)