Renewing certificates in a private PKI
ACM certificates that were signed by a private CA from ACM Private CA are eligible for managed renewal. Unlike publicly trusted ACM certificates, a certificate for a private PKI requires no validation. Trust is established when an administrator installs the appropriate root CA certificate in client trust stores.
Only certificates obtained using the ACM console or the RequestCertificate action of the ACM API are eligible for managed renewal. Certificates issued directly from ACM Private CA using the IssueCertificate action of the PCA API are not managed by ACM.
When a certificate is 60 days away from expiration, ACM automatically attempts to renew it. This includes certificates that were exported and installed manually (for example, in an on-premises data center). Customers can also force renewal at any time using the RenewCertificate action of the ACM API. For a sample Java implementation of forced renewal, see Renew a certificate.
After renewal, a certificate's deployment into service occurs in one of the following ways:
- If the certificate is associated with an ACM integrated service, the new certificate replaces the old one without additional customer action.
- If the certificate is not associated with an ACM integrated service, customer action is required to export and install the renewed certificate. You can perform these actions manually, or with assistance from AWS Health, Amazon EventBridge, and AWS Lambda as follows:
  - Create a rule in EventBridge to listen for ACM health events. ACM writes a health event each time it attempts to renew a certificate. For more information about these notices, see Check the status using Personal Health Dashboard (PHD).
  - In the EventBridge rule, add a target to invoke Lambda.
  - In the Lambda function, call the ExportCertificate action of the ACM API.
  - Complete the renewal process by manually installing the certificate on the target system.
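The EventBridge-to-Lambda flow above, as an added example that is not AWS's own code: a Lambda handler that filters incoming AWS Health events down to ACM renewal notices, then calls ExportCertificate (via boto3's `export_certificate`) for each affected certificate ARN. The sample event is constructed; its field layout follows the AWS Health event shape as documented for EventBridge, and the event type code `AWS_ACM_RENEWAL_STATE_CHANGE` is the one ACM uses for renewal notices. The `acm_client` and `passphrase` keyword parameters and the `ACM_EXPORT_PASSPHRASE` environment variable are assumptions made for this example so it can run offline against a fake client.

```python
"""Lambda handler for ACM managed-renewal Health events (added example, not AWS code).

Assumptions: the export passphrase is supplied by the caller or read from the
ACM_EXPORT_PASSPHRASE environment variable (in a real deployment it would come
from a secret store such as Secrets Manager); boto3 is only imported when no
client is injected, so the module can be exercised without AWS credentials.
"""
import os
from typing import Any, Dict, List, Optional

# Event type code ACM publishes to AWS Health when a managed renewal changes state.
ACM_RENEWAL_EVENT = "AWS_ACM_RENEWAL_STATE_CHANGE"

# Constructed sample event in the AWS Health -> EventBridge shape. The ARN and
# account ID are placeholders, not real resources.
SAMPLE_ARN = "arn:aws:acm:us-east-1:111122223333:certificate/00000000-0000-0000-0000-000000000000"
SAMPLE_HEALTH_EVENT: Dict[str, Any] = {
    "source": "aws.health",
    "detail-type": "AWS Health Event",
    "detail": {
        "service": "ACM",
        "eventTypeCode": ACM_RENEWAL_EVENT,
        "eventTypeCategory": "scheduledChange",
        "affectedEntities": [{"entityValue": SAMPLE_ARN}],
    },
}


def certificate_arns_from_health_event(event: Dict[str, Any]) -> List[str]:
    """Return the certificate ARNs named in an ACM renewal Health event.

    Events from other services, or ACM events that are not renewal notices,
    yield an empty list so the handler ignores them instead of exporting
    certificates it was never asked about.
    """
    detail = event.get("detail", {})
    if event.get("source") != "aws.health" or detail.get("service") != "ACM":
        return []
    if detail.get("eventTypeCode") != ACM_RENEWAL_EVENT:
        return []
    return [
        entity.get("entityValue", "")
        for entity in detail.get("affectedEntities", [])
        if entity.get("entityValue", "").startswith("arn:aws:acm:")
    ]


def export_renewed_certificate(arn: str, passphrase: bytes, acm_client: Any) -> Dict[str, str]:
    """Call ExportCertificate and return the PEM bodies under ACM's field names.

    ExportCertificate requires a passphrase of 4 to 128 bytes; the private key
    comes back PEM-encoded and encrypted under it. Never log the returned
    PrivateKey value; hand it straight to the installation step.
    """
    if not 4 <= len(passphrase) <= 128:
        raise ValueError("export passphrase must be 4 to 128 bytes")
    response = acm_client.export_certificate(CertificateArn=arn, Passphrase=passphrase)
    return {
        "Certificate": response["Certificate"],
        "CertificateChain": response["CertificateChain"],
        "PrivateKey": response["PrivateKey"],
    }


def lambda_handler(
    event: Dict[str, Any],
    context: Any = None,
    acm_client: Any = None,
    passphrase: Optional[bytes] = None,
) -> Dict[str, Any]:
    """Entry point wired as the EventBridge rule's Lambda target.

    Returns the exported material keyed by ARN so the next step (installing on
    the target system) can consume it; in production, deliver it to that step
    over a secure channel rather than returning it to a synchronous caller.
    """
    arns = certificate_arns_from_health_event(event)
    if not arns:
        return {"exported": {}, "ignored": True}
    if acm_client is None:
        import boto3  # deferred so the module imports without AWS credentials
        acm_client = boto3.client("acm")
    if passphrase is None:
        passphrase = os.environ["ACM_EXPORT_PASSPHRASE"].encode("utf-8")
    exported = {arn: export_renewed_certificate(arn, passphrase, acm_client) for arn in arns}
    return {"exported": exported, "ignored": False}
```

The function's IAM role needs only acm:ExportCertificate on the certificates it is meant to handle, and the passphrase should be scoped to that role; filtering on the event type code keeps unrelated Health events (or a mis-scoped rule) from triggering an export.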