Try it now and let us know what you think. Switch to the new look >>
You can return to the original look by selecting English in the language selector above.
DeleteCertificateAuthority
Deletes a private certificate authority (CA). You must provide the Amazon Resource Name (ARN) of the private CA that you want to delete. You can find the ARN by calling the ListCertificateAuthorities action.
Note
Deleting a CA will invalidate other CAs and certificates below it in your CA hierarchy.
Before you can delete a CA that you have created and activated, you must disable it.
To do this, call the UpdateCertificateAuthority action and set the
CertificateAuthorityStatus parameter to
DISABLED.
Additionally, you can delete a CA if you are waiting for it to be created (that is,
the status of the CA is CREATING). You can also delete it if the CA has
been created but you haven't yet imported the signed certificate into ACM Private
CA (that is,
the status of the CA is PENDING_CERTIFICATE).
When you successfully call DeleteCertificateAuthority, the CA's
status changes to DELETED. However, the CA won't be permanently deleted
until the restoration period has passed. By default, if you do not set the
PermanentDeletionTimeInDays parameter, the CA remains restorable for 30
days. You can set the parameter from 7 to 30 days. The DescribeCertificateAuthority action returns the time remaining in the
restoration window of a private CA in the DELETED state. To restore an
eligible CA, call the RestoreCertificateAuthority action.
Request Syntax
{ "CertificateAuthorityArn": "string", "PermanentDeletionTimeInDays":number}
Request Parameters
For information about the parameters that are common to all actions, see Common Parameters.
The request accepts the following data in JSON format.
- CertificateAuthorityArn
-
The Amazon Resource Name (ARN) that was returned when you called CreateCertificateAuthority. This must have the following form:
arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012.Type: String
Length Constraints: Minimum length of 5. Maximum length of 200.
Pattern:
arn:[\w+=/,.@-]+:[\w+=/,.@-]+:[\w+=/,.@-]*:[0-9]*:[\w+=,.@-]+(/[\w+=/,.@-]+)*Required: Yes
- PermanentDeletionTimeInDays
-
The number of days to make a CA restorable after it has been deleted. This can be anywhere from 7 to 30 days, with 30 being the default.
Type: Integer
Valid Range: Minimum value of 7. Maximum value of 30.
Required: No
Response Elements
If the action is successful, the service sends back an HTTP 200 response with an empty HTTP body.
Errors
For information about the errors that are common to all actions, see Common Errors.
- ConcurrentModificationException
-
A previous update to your private CA is still ongoing.
HTTP Status Code: 400
- InvalidArnException
-
The requested Amazon Resource Name (ARN) does not refer to an existing resource.
HTTP Status Code: 400
- InvalidStateException
-
The private CA is in a state during which a report or certificate cannot be generated.
HTTP Status Code: 400
- ResourceNotFoundException
-
A resource such as a private CA, S3 bucket, certificate, or audit report cannot be found.
HTTP Status Code: 400
Examples
Example
Sample Request
POST / HTTP/1.1 Host: acm-pca.amazonaws.com Accept-Encoding: identity Content-Length: 163 X-Amz-Target: ACMPrivateCA.DeleteCertificateAuthority X-Amz-Date: 20180515T160248Z User-Agent: aws-cli/1.15.4 Python/2.7.9 Windows/8 botocore/1.10.4 Content-Type: application/x-amz-json-1.1 Authorization: AWS4-HMAC-SHA256 Credential=AWS_Access_Key_ID/20180515/AWS_Region/acm-pca/aws4_request, SignedHeaders=content-type;host;x-amz-date;x-amz-target, Signature=8f7e5b799989c607156141bc6856eb48acd45def7eecd2b2b7fbaa11f34d7bd1 {"PermanentDeletionTimeInDays": 17, "CertificateAuthorityArn": "arn:aws:acm-pca:us-west-2:493619779192:certificate-authority/4ce5e894-a076-4ed8-9d5c-42afbd4cbf88"}
Example
Sample Response
This function does not return a value.
See Also
For more information about using this API in one of the language-specific AWS SDKs, see the following:
