AWS Certificate Manager Private Certificate Authority
AWS Private Certificate Authority Documentation (API Version 2017-08-22)


Lists information about your private certificate authority (CA). You specify the private CA on input by its ARN (Amazon Resource Name). The output contains the status of your CA. This can be any of the following:

  • CREATING: ACM PCA is creating your private certificate authority.

  • PENDING_CERTIFICATE: The certificate is pending. You must use your on-premises root or subordinate CA to sign your private CA CSR and then import it into PCA.

  • ACTIVE: Your private CA is active.

  • DISABLED: Your private CA has been disabled.

  • EXPIRED: Your private CA certificate has expired.

  • FAILED: Your private CA has failed. Your CA can fail for problems such a network outage or backend AWS failure or other errors. A failed CA can never return to the pending state. You must create a new CA.

Request Syntax

{ "CertificateAuthorityArn": "string" }

Request Parameters

For information about the parameters that are common to all actions, see Common Parameters.

The request accepts the following data in JSON format.


The Amazon Resource Name (ARN) that was returned when you called CreateCertificateAuthority. This must be of the form:

arn:aws:acm:region:account:certificate-authority/12345678-1234-1234-1234-123456789012 .

Type: String

Length Constraints: Minimum length of 5. Maximum length of 200.

Pattern: arn:[\w+=/,.@-]+:[\w+=/,.@-]+:[\w+=/,.@-]*:[0-9]+:[\w+=,.@-]+(/[\w+=/,.@-]+)*

Required: Yes

Response Syntax

{ "CertificateAuthority": { "Arn": "string", "CertificateAuthorityConfiguration": { "KeyAlgorithm": "string", "SigningAlgorithm": "string", "Subject": { "CommonName": "string", "Country": "string", "DistinguishedNameQualifier": "string", "GenerationQualifier": "string", "GivenName": "string", "Initials": "string", "Locality": "string", "Organization": "string", "OrganizationalUnit": "string", "Pseudonym": "string", "SerialNumber": "string", "State": "string", "Surname": "string", "Title": "string" } }, "CreatedAt": number, "FailureReason": "string", "LastStateChangeAt": number, "NotAfter": number, "NotBefore": number, "RevocationConfiguration": { "CrlConfiguration": { "CustomCname": "string", "Enabled": boolean, "ExpirationInDays": number, "S3BucketName": "string" } }, "Serial": "string", "Status": "string", "Type": "string" } }

Response Elements

If the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.


A CertificateAuthority structure that contains information about your private CA.

Type: CertificateAuthority object


For information about the errors that are common to all actions, see Common Errors.


The requested Amazon Resource Name (ARN) does not refer to an existing resource.

HTTP Status Code: 400


A resource such as a private CA, S3 bucket, certificate, or audit report cannot be found.

HTTP Status Code: 400



Sample Request

POST / HTTP/1.1 Host: Accept-Encoding: identity Content-Length: 128 X-Amz-Target: ACMPrivateCA.DescribeCertificateAuthority X-Amz-Date: 20180226T175919Z User-Agent: aws-cli/1.14.28 Python/2.7.9 Windows/8 botocore/1.8.32 Content-Type: application/x-amz-json-1.1 Authorization: AWS4-HMAC-SHA256 Credential=Access_Key_ID/20180226/AWS_Region/acm-pca/aws4_request, SignedHeaders=content-type;host;x-amz-date;x-amz-target, Signature=953a014106627a76d91f55fd86bb1149bf65d578886bf2371aa4c73c56e16a1d {"CertificateAuthorityArn": "arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012"}


Sample Response

{ "CertificateAuthority": { "Arn": "arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012", "CertificateAuthorityConfiguration": { "KeyAlgorithm": "RSA_2048", "SigningAlgorithm": "SHA256WITHRSA", "Subject": { "CommonName": "", "Country": "US", "Locality": "Seattle", "Organization": "Example Company", "OrganizationalUnit": "Corporate", "State": "WA" } }, "CreatedAt": 1.516130652887E9, "LastStateChangeAt": 1.516130652887E9, "NotAfter": 1.831494803E9, "NotBefore": 1.516134803E9, "RevocationConfiguration": { "CrlConfiguration": { "CustomCname": "http://somename.crl", "Enabled": true, "ExpirationInDays": 3650, "S3BucketName": "your-bucket-name" } }, "Serial": "4118", "Status": "ACTIVE", "Type": "SUBORDINATE" } }

See Also

For more information about using this API in one of the language-specific AWS SDKs, see the following: