Restore a private CA - Amazon Private Certificate Authority
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Restore a private CA

You can restore a private CA that has been deleted as long as the CA remains within the restoration period that you specified upon deletion. The restoration period is from 7-30 days. At the end of that period, the private CA is permanently deleted. For more information, see Delete your private CA. You cannot restore a private CA that has been permanently deleted.

Note

You are not charged for a private CA after it has been deleted. However, if a deleted CA is restored, you are charged for the time between deletion and restoration. For more information, see Pricing for Amazon Private Certificate Authority.

Restoring a private CA (console)

You can use the Amazon Web Services Management Console to restore a private CA.

To restore a private CA (console)
  1. Sign in to your Amazon account and open the Amazon Private CA console at https://console.amazonaws.cn/acm-pca/home.

  2. On the Private certificate authorities page, choose your deleted private CA from the list.

  3. On the Actions menu, choose Restore.

  4. On the Restore CA page, choose Restore again.

  5. If successful, the status of the private CA is set to its pre-deletion state. Choose Actions, Enable, and Enable again to change its status to ACTIVE. If the private CA was in the PENDING_CERTIFICATE state at the time of deletion, you must import a CA certificate into the private CA before you can activate it.

Restore a private CA (Amazon CLI)

Use the restore-certificate-authority command to restore a deleted private CA that is in the DELETED state. The following steps discuss the entire process required to delete, restore, and then reactivate a private CA.

To delete, restore, and reactivate a private CA (Amazon CLI)
  1. Delete the private CA.

    Run the delete-certificate-authority command to delete the private CA. If the private CA's status is DISABLED or PENDING_CERTIFICATE, you can set the --permanent-deletion-time-in-days parameter to specify the private CA's restoration period from 7 -30 days. If you do not specify a restoration period, the default is 30 days. If successful, this command sets the status of the private CA to DELETED.

    Note

    To be restorable, the private CA's status at the time of deletion must be DISABLED or PENDING_CERTIFICATE.

    $ aws acm-pca delete-certificate-authority \ --certificate-authority-arn arn:aws:acm-pca:region:account:certificate-authority/CA_ID \ --permanent-deletion-time-in-days 16
  2. Restore the private CA.

    Run the restore-certificate-authority command to restore the private CA. You must run the command before the restoration period that you set with the delete-certificate-authority command expires. If successful, the command sets the status of the private CA to its pre-deletion status.

    $ aws acm-pca restore-certificate-authority \ --certificate-authority-arn arn:aws:acm-pca:region:account:certificate-authority/CA_ID
  3. Make the private CA ACTIVE.

    Run the update-certificate-authority command to change the status of the private CA to ACTIVE.

    $ aws acm-pca update-certificate-authority \ --certificate-authority-arn arn:aws:acm-pca:region:account:certificate-authority/CA_ID \ --status ACTIVE