List private certificates
To list your private certificates, generate an audit report, retrieve it from its S3 bucket, and parse the report contents as needed. For information about creating Amazon Private CA audit reports, see Use audit reports with your private CA. For information about retrieving an object from an S3 bucket, see Downloading an object in the Amazon Simple Storage Service User Guide.
The following examples illustrate approaches to creating audit reports and parsing them
for useful data. Results are formatted in JSON, and data is filtered using jq
1. Create an audit report.
The following command generates an audit report for a specified CA.
$
aws acm-pca create-certificate-authority-audit-report \ --region
region
\ --certificate-authority-arn arn:aws
:acm-pca:us-east-1
:111122223333
:certificate-authority/11223344-1234-1122-2233-112233445566
\ --s3-bucket-namebucket_name
\ --audit-report-response-format JSON
When successful, the command returns the ID and location of the new audit report.
{
"AuditReportId":"audit_report_ID
",
"S3Key":"audit-report/CA_ID
/audit_report_ID.json
"
}
2. Retrieve and format an audit report.
This command retrieves an audit report, displays its contents in standard output, and filters the results to show only certificates issued on or after 2020-12-01.
$
aws s3api get-object \ --region
region
\ --bucketbucket_name
\ --key audit-report/CA_ID
/audit_report_ID.json
\ /dev/stdout | jq '.[] | select(.issuedAt >= "2020-12-01")'
The returned items resemble the following:
{
"awsAccountId":"account
",
"certificateArn":"arn:aws:acm-pca:region
:account
:certificate-authority/CA_ID
/certificate/certificate_ID
",
"serial":"serial_number
",
"subject":"CN=pca.alpha.root2.leaf5",
"notBefore":"2020-12-21T21:28:09+0000",
"notAfter":"9999-12-31T23:59:59+0000",
"issuedAt":"2020-12-21T22:28:09+0000",
"templateArn":"arn:aws:acm-pca:::template/EndEntityCertificate/V1"
}
3. Save an audit report locally.
If you want to perform multiple queries, it is convenient to save an audit report to a local file.
$
aws s3api get-object \ --region
region
\ --bucketbucket_name
\ --key audit-report/CA_ID
/audit_report_ID.json
>my_local_audit_report.json
The same filter as before yields the same output:
$
cat my_local_audit_report.json | jq '.[] | select(.issuedAt >= "2020-12-01")'
{
"awsAccountId":"account
",
"certificateArn":"arn:aws:acm-pca:region
:account
:certificate-authority/CA_ID
/certificate/certificate_ID
",
"serial":"serial_number
",
"subject":"CN=pca.alpha.root2.leaf5",
"notBefore":"2020-12-21T21:28:09+0000",
"notAfter":"9999-12-31T23:59:59+0000",
"issuedAt":"2020-12-21T22:28:09+0000",
"templateArn":"arn:aws:acm-pca:::template/EndEntityCertificate/V1"
}
4. Query within a date range
You can query for certificates issued within a date range as follows:
$
cat my_local_audit_report.json | jq '.[] | select(.issuedAt >= "2020-11-01" and .issuedAt <= "2020-11-10")'
The filtered content is displayed in standard output:
{
"awsAccountId": "account
",
"certificateArn": "arn:aws:acm-pca:region
:account
:certificate-authority/CA_ID
/certificate/certificate_ID
",
"serial": "serial_number
",
"subject": "CN=pca.alpha.root2.leaf1",
"notBefore": "2020-11-06T19:18:21+0000",
"notAfter": "9999-12-31T23:59:59+0000",
"issuedAt": "2020-11-06T20:18:22+0000",
"templateArn": "arn:aws:acm-pca:::template/EndEntityCertificate/V1"
}
{
"awsAccountId": "account
",
"certificateArn": "arn:aws:acm-pca:region
:account
:certificate-authority/CA_ID
/certificate/certificate_ID
",
"serial": "serial_number
",
"subject": "CN=pca.alpha.root2.rsa2048sha256",
"notBefore": "2020-11-06T19:15:46+0000",
"notAfter": "9999-12-31T23:59:59+0000",
"issuedAt": "2020-11-06T20:15:46+0000",
"templateArn": "arn:aws:acm-pca:::template/RootCACertificate/V1"
}
{
"awsAccountId": "account
",
"certificateArn": "arn:aws:acm-pca:region
:account
:certificate-authority/CA_ID
/certificate/certificate_ID
",
"serial": "serial_number
",
"subject": "CN=pca.alpha.root2.leaf2",
"notBefore": "2020-11-06T20:04:39+0000",
"notAfter": "9999-12-31T23:59:59+0000",
"issuedAt": "2020-11-06T21:04:39+0000",
"templateArn": "arn:aws:acm-pca:::template/EndEntityCertificate/V1"
}
5. Search for certificates following a specified template.
The following command filters the report content using a template ARN:
$
cat my_local_audit_report.json | jq '.[] | select(.templateArn == "arn:aws:acm-pca:::template/RootCACertificate/V1")'
The output displays matching certificate records:
{
"awsAccountId": "account
",
"certificateArn": "arn:aws:acm-pca:region
:account
:certificate-authority/CA_ID
/certificate/certificate_ID
",
"serial": "serial_number
",
"subject": "CN=pca.alpha.root2.rsa2048sha256",
"notBefore": "2020-11-06T19:15:46+0000",
"notAfter": "9999-12-31T23:59:59+0000",
"issuedAt": "2020-11-06T20:15:46+0000",
"templateArn": "arn:aws:acm-pca:::template/RootCACertificate/V1"
}
6. Filter for revoked certificates
To find all revoked certificates, use the following command:
$
cat my_local_audit_report.json | jq '.[] | select(.revokedAt != null)'
A revoked certificate is displayed as follows:
{
"awsAccountId": "account
",
"certificateArn": "arn:aws:acm-pca:region
:account
:certificate-authority/CA_ID
/certificate/certificate_ID
",
"serial": "serial_number
",
"subject": "CN=pca.alpha.root2.leaf2",
"notBefore": "2020-11-06T20:04:39+0000",
"notAfter": "9999-12-31T23:59:59+0000",
"issuedAt": "2020-11-06T21:04:39+0000",
"revokedAt": "2021-05-27T18:57:32+0000",
"revocationReason": "UNSPECIFIED",
"templateArn": "arn:aws:acm-pca:::template/EndEntityCertificate/V1"
}
7. Filter using a regular expression.
The following command searches for subject names that contain the string "leaf":
$
cat my_local_audit_report.json | jq '.[] | select(.subject|test("leaf"))'
Matching certificate records are returned as follows:
{
"awsAccountId": "account
",
"certificateArn": "arn:aws:acm-pca:region
:account
:certificate-authority/CA_ID
/certificate/certificate_ID
",
"serial": "serial_number
",
"subject": "CN=pca.alpha.roo2.leaf4",
"notBefore": "2020-11-16T18:17:10+0000",
"notAfter": "9999-12-31T23:59:59+0000",
"issuedAt": "2020-11-16T19:17:12+0000",
"templateArn": "arn:aws:acm-pca:::template/EndEntityCertificate/V1"
}
{
"awsAccountId": "account
",
"certificateArn": "arn:aws:acm-pca:region
:account
:certificate-authority/CA_ID
/certificate/certificate_ID
",
"serial": "serial_number
",
"subject": "CN=pca.alpha.root2.leaf5",
"notBefore": "2020-12-21T21:28:09+0000",
"notAfter": "9999-12-31T23:59:59+0000",
"issuedAt": "2020-12-21T22:28:09+0000",
"templateArn": "arn:aws:acm-pca:::template/EndEntityCertificate/V1"
}
{
"awsAccountId": "account
",
"certificateArn": "arn:aws:acm-pca:region
:account
:certificate-authority/CA_ID
/certificate/certificate_ID
",
"serial": "serial_number
",
"subject": "CN=pca.alpha.root2.leaf1",
"notBefore": "2020-11-06T19:18:21+0000",
"notAfter": "9999-12-31T23:59:59+0000",
"issuedAt": "2020-11-06T20:18:22+0000",
"templateArn": "arn:aws:acm-pca:::template/EndEntityCertificate/V1"
}