Restore a private CA
You can restore a private CA that has been deleted as long as the CA remains within the restoration period that you specified upon deletion. The restoration period is from 7 to 30 days. At the end of that period, the private CA is permanently deleted. For more information, see Delete your private CA. You cannot restore a private CA that has been permanently deleted.
Note
You are not charged for a private CA after it has been deleted. However, if a deleted CA is restored, you are charged for the time between deletion and restoration. For more information, see Pricing for Amazon Private Certificate Authority.
Restoring a private CA (console)
You can use the Amazon Web Services Management Console to restore a private CA.
To restore a private CA (console)
- Sign in to your Amazon account and open the Amazon Private CA console at https://console.amazonaws.cn/acm-pca/home.
- On the Private certificate authorities page, choose your deleted private CA from the list.
- On the Actions menu, choose Restore.
- On the Restore CA page, choose Restore again.
- If successful, the status of the private CA is set to its pre-deletion state. Choose Actions, Enable, and Enable again to change its status to ACTIVE. If the private CA was in the PENDING_CERTIFICATE state at the time of deletion, you must import a CA certificate into the private CA before you can activate it.
Restore a private CA (Amazon CLI)
Use the restore-certificate-authority command to restore a deleted private CA that is in the DELETED state. The following steps discuss the entire process required to delete, restore, and then reactivate a private CA.
To delete, restore, and reactivate a private CA (Amazon CLI)
- Delete the private CA.
  Run the delete-certificate-authority command to delete the private CA. If the private CA's status is DISABLED or PENDING_CERTIFICATE, you can set the --permanent-deletion-time-in-days parameter to specify the private CA's restoration period from 7 to 30 days. If you do not specify a restoration period, the default is 30 days. If successful, this command sets the status of the private CA to DELETED.
  Note
  To be restorable, the private CA's status at the time of deletion must be DISABLED or PENDING_CERTIFICATE.
    $ aws acm-pca delete-certificate-authority \
        --certificate-authority-arn arn:aws:acm-pca:region:account:certificate-authority/CA_ID \
        --permanent-deletion-time-in-days 16
- Restore the private CA.
  Run the restore-certificate-authority command to restore the private CA. You must run the command before the restoration period that you set with the delete-certificate-authority command expires. If successful, the command sets the status of the private CA to its pre-deletion status.
    $ aws acm-pca restore-certificate-authority \
        --certificate-authority-arn arn:aws:acm-pca:region:account:certificate-authority/CA_ID
- Make the private CA ACTIVE.
  Run the update-certificate-authority command to change the status of the private CA to ACTIVE.
    $ aws acm-pca update-certificate-authority \
        --certificate-authority-arn arn:aws:acm-pca:region:account:certificate-authority/CA_ID \
        --status ACTIVE
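The restore and reactivate steps above can be combined into one guarded script that checks the CA's status before each call and stops when the CA comes back as PENDING_CERTIFICATE. This is an added example, not part of the original documentation: the function names are hypothetical, and it assumes the CLI is installed with credentials configured and that describe-certificate-authority reports the status as CertificateAuthority.Status.

```shell
#!/bin/sh
# Added example (not from the original page): guarded restore and reactivation.
# Usage: sh restore-ca.sh <certificate-authority-arn>
set -eu

# Map a CA status to the next step of the procedure described above.
next_step() {
  case "$1" in
    DELETED)             echo restore ;;             # still restorable
    DISABLED)            echo activate ;;            # pre-deletion status was DISABLED
    PENDING_CERTIFICATE) echo import-certificate ;;  # needs a CA certificate first
    ACTIVE)              echo none ;;
    *)                   echo unsupported ;;
  esac
}

# Read the current status of the CA (assumed output field: CertificateAuthority.Status).
ca_status() {
  aws acm-pca describe-certificate-authority \
    --certificate-authority-arn "$1" \
    --query 'CertificateAuthority.Status' --output text
}

restore_and_activate() {
  arn="$1"
  status="$(ca_status "$arn")"
  if [ "$(next_step "$status")" = restore ]; then
    aws acm-pca restore-certificate-authority --certificate-authority-arn "$arn"
    status="$(ca_status "$arn")"   # now the pre-deletion status
  fi
  case "$(next_step "$status")" in
    activate)
      aws acm-pca update-certificate-authority \
        --certificate-authority-arn "$arn" --status ACTIVE ;;
    import-certificate)
      echo "CA is PENDING_CERTIFICATE: import a CA certificate before activating." >&2
      return 2 ;;
    none)
      echo "CA is already ACTIVE." >&2 ;;
    *)
      echo "Cannot restore or activate from status: $status" >&2
      return 1 ;;
  esac
}

# Run only when an ARN is passed on the command line.
if [ "$#" -ge 1 ]; then
  restore_and_activate "$1"
fi
```

Exit status 2 marks the case where a CA certificate must be imported before the CA can be made ACTIVE.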