AWS Certificate Manager Private Certificate Authority
AWS Private Certificate Authority Documentation (API Version 2017-08-22)

IssueCertificate

Uses your private certificate authority (CA) to issue a client certificate. This operation returns the Amazon Resource Name (ARN) of the certificate. You can retrieve the certificate by calling the GetCertificate operation and specifying the ARN.

Note

You cannot use the ACM ListCertificateAuthorities operation to retrieve the ARNs of the certificates that you issue by using ACM PCA.

Request Syntax

{
   "CertificateAuthorityArn": "string",
   "Csr": blob,
   "IdempotencyToken": "string",
   "SigningAlgorithm": "string",
   "Validity": {
      "Type": "string",
      "Value": number
   }
}

Request Parameters

For information about the parameters that are common to all actions, see Common Parameters.

The request accepts the following data in JSON format.

CertificateAuthorityArn

The Amazon Resource Name (ARN) that was returned when you called CreateCertificateAuthority. This must be of the form:

arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012

Type: String

Length Constraints: Minimum length of 5. Maximum length of 200.

Pattern: arn:[\w+=/,.@-]+:[\w+=/,.@-]+:[\w+=/,.@-]*:[0-9]+:[\w+=,.@-]+(/[\w+=/,.@-]+)*

Required: Yes

Csr

The certificate signing request (CSR) for the certificate you want to issue. The CSR is created on the requester's side and only the CSR is sent to ACM PCA, so the private key never leaves the system that generated it. You can use the following OpenSSL command to create the CSR and a 2048-bit RSA private key:

openssl req -new -newkey rsa:2048 -days 365 -keyout private/test_cert_priv_key.pem -out csr/test_cert_.csr

If you have a configuration file, you can use the following OpenSSL command. The usr_cert block in the configuration file contains your X.509 version 3 extensions:

openssl req -new -config openssl_rsa.cnf -extensions usr_cert -newkey rsa:2048 -days 365 -keyout private/test_cert_priv_key.pem -out csr/test_cert_.csr

Note that -days has no effect when openssl req produces a CSR rather than a self-signed certificate (that is, when -x509 is not used). The lifetime of the issued certificate is set by the Validity parameter of this request, not by the CSR.

Type: Base64-encoded binary data object

Length Constraints: Minimum length of 1. Maximum length of 32768.

Required: Yes

IdempotencyToken

Custom string that can be used to distinguish between calls to the IssueCertificate operation. Idempotency tokens time out after one hour. If you call IssueCertificate multiple times with the same idempotency token before it times out, ACM PCA recognizes that you are requesting only one certificate and issues only one. If you change the idempotency token for each call, ACM PCA recognizes that you are requesting multiple certificates. Reuse a token only to retry the same request (for example, after a network failure); a different CSR needs a different token, otherwise no new certificate is issued for it within the window.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 36.

Pattern: [\u0009\u000A\u000D\u0020-\u00FF]*

Required: No

SigningAlgorithm

The name of the algorithm that will be used to sign the certificate to be issued.

Type: String

Valid Values: SHA256WITHECDSA | SHA384WITHECDSA | SHA512WITHECDSA | SHA256WITHRSA | SHA384WITHRSA | SHA512WITHRSA

Required: Yes

Validity

The validity period of the certificate, given as a Type and a Value (the sample request below uses Type DAYS with Value 365). The issued certificate's lifetime comes from this parameter, not from the CSR.

Type: Validity object

Required: Yes

Response Syntax

{
   "CertificateArn": "string"
}

Response Elements

If the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

CertificateArn

The Amazon Resource Name (ARN) of the issued certificate. The ARN is the ARN of the issuing CA followed by /certificate/ and the certificate serial number. This is of the form:

arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012/certificate/286535153982981100925020015808220737245

Type: String

Length Constraints: Minimum length of 5. Maximum length of 200.

Pattern: arn:[\w+=/,.@-]+:[\w+=/,.@-]+:[\w+=/,.@-]*:[0-9]+:[\w+=,.@-]+(/[\w+=/,.@-]+)*
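The following script is an added example, not AWS or SDK code. It ties the Request Parameters above to the Response Elements: it checks each input against the constraints listed for that field, assembles the body in the shape of the Sample Request below (the PEM CSR is base64-encoded into the Csr blob, which is why the sample's Csr starts with LS0tL, the encoding of the PEM dashes), and splits a returned CertificateArn into the issuing CA ARN and the serial number. Nothing is sent to AWS; the SDKs and the CLI sign the request and encode the blob for you when you pass the PEM bytes. The sample CSR and CA ARN are constructed placeholders: the PEM body is a minimal DER SEQUENCE so the checks run offline, not a real PKCS #10 request.

```python
"""Pre-flight checks and request assembly for ACM PCA IssueCertificate.

Added example, not AWS code. Validates inputs against the constraints in the
API reference, builds the JSON body as the wire request shows it, and parses
the CertificateArn from the response. Works offline; nothing is sent.
"""
import base64
import binascii
import re
import uuid
from typing import Optional

# Constraints copied from the IssueCertificate reference.
ARN_PATTERN = re.compile(
    r"arn:[\w+=/,.@-]+:[\w+=/,.@-]+:[\w+=/,.@-]*:[0-9]+:[\w+=,.@-]+(/[\w+=/,.@-]+)*"
)
TOKEN_PATTERN = re.compile(r"[\u0009\u000A\u000D\u0020-\u00FF]*")
SIGNING_ALGORITHMS = {
    "SHA256WITHECDSA", "SHA384WITHECDSA", "SHA512WITHECDSA",
    "SHA256WITHRSA", "SHA384WITHRSA", "SHA512WITHRSA",
}
MAX_CSR_BLOB = 32768  # maximum length of the base64-encoded Csr blob

# Issued-certificate ARN: the CA ARN followed by /certificate/<serial>.
CERT_ARN_PATTERN = re.compile(
    r"^(arn:aws[\w-]*:acm-pca:([^:]*):([0-9]+):certificate-authority/([0-9a-fA-F-]{36}))"
    r"/certificate/([0-9a-fA-F]+)$"
)


def check_pem_csr(csr_pem: bytes) -> bytes:
    """Accept a PEM CSR and return its DER bytes.

    Catches the usual mistakes before the service answers MalformedCSRException:
    the wrong file (a key or certificate instead of a request), broken base64,
    or a body that is not a DER SEQUENCE (a PKCS #10 request always is one).
    """
    lines = [ln.strip() for ln in csr_pem.decode("ascii").splitlines() if ln.strip()]
    if len(lines) < 3 or not lines[0].startswith("-----BEGIN") or not lines[-1].startswith("-----END"):
        raise ValueError("not a PEM block")
    if "CERTIFICATE REQUEST-----" not in lines[0]:
        raise ValueError(f"PEM block is '{lines[0]}', expected a CERTIFICATE REQUEST")
    try:
        der = base64.b64decode("".join(lines[1:-1]), validate=True)
    except binascii.Error as exc:
        raise ValueError(f"CSR body is not valid base64: {exc}") from exc
    if not der or der[0] != 0x30:  # 0x30 is the DER SEQUENCE tag
        raise ValueError("CSR body is not a DER SEQUENCE")
    return der


def build_issue_certificate_request(ca_arn: str, csr_pem: bytes, signing_algorithm: str,
                                    validity_days: int, idempotency_token: Optional[str] = None) -> dict:
    """Return the IssueCertificate request body as a JSON-ready dict."""
    if not (5 <= len(ca_arn) <= 200) or not ARN_PATTERN.fullmatch(ca_arn):
        raise ValueError("CertificateAuthorityArn does not match the required ARN form")
    if signing_algorithm not in SIGNING_ALGORITHMS:
        raise ValueError(f"SigningAlgorithm must be one of {sorted(SIGNING_ALGORITHMS)}")
    if not isinstance(validity_days, int) or validity_days <= 0:
        raise ValueError("Validity.Value must be a positive number of days")
    check_pem_csr(csr_pem)
    csr_blob = base64.b64encode(csr_pem).decode("ascii")  # wire format of the Csr blob
    if not (1 <= len(csr_blob) <= MAX_CSR_BLOB):
        raise ValueError("Csr blob exceeds 32768 bytes")
    # Reuse a token only when retrying the same request: repeated calls with one
    # token before it times out are treated as a request for one certificate.
    token = idempotency_token if idempotency_token is not None else str(uuid.uuid4())
    if not (1 <= len(token) <= 36) or not TOKEN_PATTERN.fullmatch(token):
        raise ValueError("IdempotencyToken must be 1-36 characters from the allowed pattern")
    return {
        "CertificateAuthorityArn": ca_arn,
        "Csr": csr_blob,
        "IdempotencyToken": token,
        "SigningAlgorithm": signing_algorithm,
        "Validity": {"Type": "DAYS", "Value": validity_days},
    }


def parse_certificate_arn(certificate_arn: str) -> dict:
    """Split a CertificateArn into the issuing CA ARN and the serial number."""
    m = CERT_ARN_PATTERN.match(certificate_arn)
    if not m:
        raise ValueError("not an ACM PCA certificate ARN")
    ca_arn, region, account, ca_id, serial = m.groups()
    return {"ca_arn": ca_arn, "region": region, "account": account, "ca_id": ca_id, "serial": serial}


# Constructed sample input: PEM framing around a minimal DER SEQUENCE so the
# checks run offline. NOT a real CSR; use the openssl output read with open(path, "rb").
SAMPLE_CSR_PEM = (b"-----BEGIN CERTIFICATE REQUEST-----\n"
                  b"MAMCAQA=\n"
                  b"-----END CERTIFICATE REQUEST-----\n")
# Constructed placeholder CA ARN; the account field must be numeric to match the pattern.
SAMPLE_CA_ARN = ("arn:aws:acm-pca:us-east-1:123456789012:"
                 "certificate-authority/12345678-1234-1234-1234-123456789012")

if __name__ == "__main__":
    import json
    body = build_issue_certificate_request(SAMPLE_CA_ARN, SAMPLE_CSR_PEM, "SHA256WITHRSA", 365, "1234")
    print(json.dumps(body, indent=2))
    print(parse_certificate_arn(SAMPLE_CA_ARN + "/certificate/e8cbd2bedb122329f97706bcfec990f8"))
```

The placeholder ARN from this reference (with literal region and account) fails the ARN check on purpose: the pattern requires a numeric account ID, so substitute your own CA ARN before calling the service.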

Errors

For information about the errors that are common to all actions, see Common Errors.

InvalidArgsException

One or more of the specified arguments was not valid.

HTTP Status Code: 400

InvalidArnException

The requested Amazon Resource Name (ARN) does not refer to an existing resource.

HTTP Status Code: 400

InvalidStateException

The private CA is in a state during which a report or certificate cannot be generated.

HTTP Status Code: 400

LimitExceededException

An ACM PCA limit has been exceeded. See the exception message returned to determine the limit that was exceeded.

HTTP Status Code: 400

MalformedCSRException

The certificate signing request is invalid.

HTTP Status Code: 400

ResourceNotFoundException

A resource such as a private CA, S3 bucket, certificate, or audit report cannot be found.

HTTP Status Code: 400

Examples

Example

Sample Request

POST / HTTP/1.1
Host: acm-pca.amazonaws.com
Accept-Encoding: identity
Content-Length: 1680
X-Amz-Target: ACMPrivateCA.IssueCertificate
X-Amz-Date: 20180226T193956Z
User-Agent: aws-cli/1.14.28 Python/2.7.9 Windows/8 botocore/1.8.32
Content-Type: application/x-amz-json-1.1
Authorization: AWS4-HMAC-SHA256 Credential=AWS_Key_ID/20180226/AWS_Region/acm-pca/aws4_request, SignedHeaders=content-type;host;x-amz-date;x-amz-target, Signature=c6cac56b2eac254d53616072c55d2c2c1f24f4670aa16911c76ae492a92fdd00

{
  "IdempotencyToken": "1234",
  "SigningAlgorithm": "SHA256WITHRSA",
  "Validity": {
    "Type": "DAYS",
    "Value": 365
  },
  "CertificateAuthorityArn": "arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012",
  "Csr": "LS0tL...tLS0K"
}

Example

Sample Response

HTTP/1.1 200 OK
Date: Tue, 15 May 2018 18:08:50 GMT
Content-Type: application/x-amz-json-1.1
Content-Length: 163
x-amzn-RequestId: 629173f2-4697-44fa-a599-b757a8da6c7e
Connection: keep-alive

{
  "CertificateArn": "arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012/certificate/e8cbd2bedb122329f97706bcfec990f8"
}

See Also

For more information about using this API in one of the language-specific AWS SDKs, see the following: