Amazon Private CA examples using Amazon CLI - Amazon Command Line Interface
Actions
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

This documentation is for Version 1 of the Amazon CLI only. For documentation related to Version 2 of the Amazon CLI, see the Version 2 User Guide.

Amazon Private CA examples using Amazon CLI

The following code examples show you how to perform actions and implement common scenarios by using the Amazon Command Line Interface with Amazon Private CA.

Actions are code excerpts from larger programs and must be run in context. While actions show you how to call individual service functions, you can see actions in context in their related scenarios.

Each example includes a link to the complete source code, where you can find instructions on how to set up and run the code in context.

Topics

Actions

The following code example shows how to use create-certificate-authority-audit-report.

Amazon CLI

To create a certificate authority audit report

The following create-certificate-authority-audit-report command creates an audit report for the private CA identified by the ARN.

aws acm-pca create-certificate-authority-audit-report --certificate-authority-arn arn:aws:acm-pca:us-east-1:accountid:certificate-authority/12345678-1234-1234-1234-123456789012 --s3-bucket-name your-bucket-name --audit-report-response-format JSON

The following code example shows how to use create-certificate-authority.

Amazon CLI

To create a private certificate authority

The following create-certificate-authority command creates a private certificate authority in your Amazon account.

aws acm-pca create-certificate-authority --certificate-authority-configuration file://C:\ca_config.txt --revocation-configuration file://C:\revoke_config.txt --certificate-authority-type "SUBORDINATE" --idempotency-token 98256344

The following code example shows how to use delete-certificate-authority.

Amazon CLI

To delete a private certificate authority

The following delete-certificate-authority command deletes the certificate authority identified by the ARN.

aws acm-pca delete-certificate-authority --certificate-authority-arn arn:aws:acm-pca:us-west-2:123456789012:certificate-authority/12345678-1234-1234-1234-123456789012

The following code example shows how to use describe-certificate-authority-audit-report.

Amazon CLI

To describe an audit report for a certificate authority

The following describe-certificate-authority-audit-report command lists information about the specified audit report for the CA identified by the ARN.

aws acm-pca describe-certificate-authority-audit-report --certificate-authority-arn arn:aws:acm-pca:us-west-2:123456789012:certificate-authority/99999999-8888-7777-6666-555555555555 --audit-report-id 11111111-2222-3333-4444-555555555555

The following code example shows how to use describe-certificate-authority.

Amazon CLI

To describe a private certificate authority

The following describe-certificate-authority command lists information about the private CA identified by the ARN.

aws acm-pca describe-certificate-authority --certificate-authority-arn arn:aws:acm-pca:us-west-2:123456789012:certificate-authority/12345678-1234-1234-1234-123456789012

The following code example shows how to use get-certificate-authority-certificate.

Amazon CLI

To retrieve a certificate authority (CA) certificate

The following get-certificate-authority-certificate command retrieves the certificate and certificate chain for the private CA specified by the ARN.

aws acm-pca get-certificate-authority-certificate --certificate-authority-arn arn:aws:acm-pca:us-west-2:123456789012:certificate-authority/12345678-1234-1234-1234-123456789012 --output text

The following code example shows how to use get-certificate-authority-csr.

Amazon CLI

To retrieve the certificate signing request for a certificate authority

The following get-certificate-authority-csr command retrieves the CSR for the private CA specified by the ARN.

aws acm-pca get-certificate-authority-csr --certificate-authority-arn arn:aws:acm-pca:us-west-2:123456789012:certificate-authority/12345678-1234-1234-1234-123456789012 --output text

The following code example shows how to use get-certificate.

Amazon CLI

To retrieve an issued certificate

The following get-certificate example retrieves a certificate from the specified private CA.

aws acm-pca get-certificate \
    --certificate-authority-arn arn:aws:acm-pca:us-west-2:123456789012:certificate-authority/12345678-1234-1234-1234-123456789012 \
    --certificate-arn arn:aws:acm-pca:us-west-2:123456789012:certificate-authority/12345678-1234-1234-1234-123456789012/certificate/6707447683a9b7f4055627ffd55cebcc \
    --output text

Output:

-----BEGIN CERTIFICATE-----
MIIEDzCCAvegAwIBAgIRAJuJ8f6ZVYL7gG/rS3qvrZMwDQYJKoZIhvcNAQELBQAw
cTELMAkGA1UEBhMCVVMxEzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1Nl
    ....certificate body truncated for brevity....
tKCSglgZZrd4FdLw1EkGm+UVXnodwMtJEQyy3oTfZjURPIyyaqskTu/KSS7YDjK0
KQNy73D6LtmdOEbAyq10XiDxqY41lvKHJ1eZrPaBmYNABxU=
-----END CERTIFICATE---- -----BEGIN CERTIFICATE-----
MIIDrzCCApegAwIBAgIRAOskdzLvcj1eShkoyEE693AwDQYJKoZIhvcNAQELBQAw
cTELMAkGA1UEBhMCVVMxEzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1Nl
    ...certificate body truncated for brevity....
kdRGB6P2hpxstDOUIwAoCbhoaWwfA4ybJznf+jOQhAziNlRdKQRR8nODWpKt7H9w
dJ5nxsTk/fniJz86Ddtp6n8s82wYdkN3cVffeK72A9aTCOU=
-----END CERTIFICATE-----

The first part of the output is the certificate itself. The second part is the certificate chain that chains to the root CA certificate. Note that when you use the --output text option, a TAB character is inserted between the two certificate pieces (that is the cause of the indented text). If you intend to take this output and parse the certificates with other tools, you might need to remove the TAB character so it is processed correctly.

  • For API details, see GetCertificate in Amazon CLI Command Reference.

The following code example shows how to use import-certificate-authority-certificate.

Amazon CLI

To import your certificate authority certificate into ACM PCA

The following import-certificate-authority-certificate command imports the signed private CA certificate for the CA specified by the ARN into ACM PCA.

aws acm-pca import-certificate-authority-certificate --certificate-authority-arn arn:aws:acm-pca:us-west-2:123456789012:certificate-authority/12345678-1234-1234-1234-123456789012 --certificate file://C:\ca_cert.pem --certificate-chain file://C:\ca_cert_chain.pem

The following code example shows how to use issue-certificate.

Amazon CLI

To issue a private certificate

The following issue-certificate command uses the private CA specified by the ARN to issue a private certificate.

aws acm-pca issue-certificate --certificate-authority-arn arn:aws:acm-pca:us-west-2:123456789012:certificate-authority/12345678-1234-1234-1234-123456789012 --csr file://C:\cert_1.csr --signing-algorithm "SHA256WITHRSA" --validity Value=365,Type="DAYS" --idempotency-token 1234

The following code example shows how to use list-certificate-authorities.

Amazon CLI

To list your private certificate authorities

The following list-certificate-authorities command lists information about all of the private CAs in your account.

aws acm-pca list-certificate-authorities --max-results 10

The following code example shows how to use list-tags.

Amazon CLI

To list the tags for your certificate authority

The following list-tags command lists the tags associated with the private CA specified by the ARN.

aws acm-pca list-tags --certificate-authority-arn arn:aws:acm-pca:us-west-2:123456789012:certificate-authority/123455678-1234-1234-1234-123456789012 --max-results 10

  • For API details, see ListTags in Amazon CLI Command Reference.

The following code example shows how to use revoke-certificate.

Amazon CLI

To revoke a private certificate

The following revoke-certificate command revokes a private certificate from the CA identified by the ARN.

aws acm-pca revoke-certificate --certificate-authority-arn arn:aws:acm-pca:us-west-2:1234567890:certificate-authority/12345678-1234-1234-1234-123456789012 --certificate-serial 67:07:44:76:83:a9:b7:f4:05:56:27:ff:d5:5c:eb:cc --revocation-reason "KEY_COMPROMISE"

The following code example shows how to use tag-certificate-authority.

Amazon CLI

To attach tags to a private certificate authority

The following tag-certificate-authority command attaches one or more tags to your private CA.

aws acm-pca tag-certificate-authority --certificate-authority-arn arn:aws:acm-pca:us-west-2:123456789012:certificate-authority/12345678-1234-1234-1234-123456789012 --tags Key=Admin,Value=Alice

The following code example shows how to use untag-certificate-authority.

Amazon CLI

To remove one or more tags from your private certificate authority

The following untag-certificate-authority command removes tags from the private CA identified by the ARN.

aws acm-pca untag-certificate-authority --certificate-authority-arn arn:aws:acm-pca:us-west-2:123456789012:certificate-authority/12345678-1234-1234-1234-123456789012 --tags Key=Purpose,Value=Website

The following code example shows how to use update-certificate-authority.

Amazon CLI

To update the configuration of your private certificate authority

The following update-certificate-authority command updates the status and configuration of the private CA identified by the ARN.

aws acm-pca update-certificate-authority --certificate-authority-arn arn:aws:acm-pca:us-west-2:123456789012:certificate-authority/12345678-1234-1234-1234-1232456789012 --revocation-configuration file://C:\revoke_config.txt --status "DISABLED"