AWS Certificate Manager Private Certificate Authority
User Guide (Version latest)


The following Java sample shows how to use the GetCertificate function.

The function retrieves a certificate from your private CA. The ARN of the certificate is returned when you call the IssueCertificate function. You must specify both the ARN of your private CA and the ARN of the issued certificate when calling the GetCertificate function. You can retrieve the certificate if it is in the ISSUED state. You can call the CreateCertificateAuthorityAuditReport function to create a report that contains information about all of the certificates issued and revoked by your private CA.

package com.amazonaws.samples; import com.amazonaws.auth.AWSCredentials; import com.amazonaws.auth.profile.ProfileCredentialsProvider; import com.amazonaws.client.builder.AwsClientBuilder; import com.amazonaws.client.builder.AwsClientBuilder.EndpointConfiguration; import com.amazonaws.auth.AWSStaticCredentialsProvider; import; import; import; import; import com.amazonaws.AmazonClientException; import; import ; import; import; import; public class GetCertificate { public static void main(String[] args) throws Exception{ // Retrieve your credentials from the C:\Users\name\.aws\credentials file // in Windows or the .aws/credentials file in Linux. AWSCredentials credentials = null; try{ credentials = new ProfileCredentialsProvider("default").getCredentials(); } catch (Exception e) { throw new AmazonClientException("Cannot load your credentials from disk", e); } // Define the endpoint for your sample. String endpointProtocol = ""; String endpointRegion = "region"; EndpointConfiguration endpoint = new AwsClientBuilder.EndpointConfiguration(endpointProtocol, endpointRegion); // Create a client. AWSACMPCA client = AWSACMPCAClientBuilder.standard() .withEndpointConfiguration(endpoint) .withCredentials(new AWSStaticCredentialsProvider(credentials)) .build(); // Create a request object. GetCertificateRequest req = new GetCertificateRequest(); // Set the certificate ARN. req.withCertificateArn("arn:aws:acm-pca:region:account:" + "certificate-authority/12345678-1234-1234-1234-123456789012" + "/certificate/793f0d5b6a04125e2c9cfb52373598fe"); // Set the certificate authority ARN. req.withCertificateAuthorityArn("arn:aws:acm-pca:region:account:" + "certificate-authority/12345678-1234-1234-1234-123456789012"); // Retrieve the certificate and certificate chain. GetCertificateResult result = null; try { result = client.getCertificate(req); } catch (RequestInProgressException ex) { throw ex; } catch (RequestFailedException ex) { throw ex; } catch (ResourceNotFoundException ex) { throw ex; } catch (InvalidArnException ex) { throw ex; } catch (InvalidStateException ex) { throw ex; } // Get the certificate and certificate chain and display the result. String strCert = result.getCertificate(); System.out.println(strCert); } }

Your output should be a certificate chain similar to the following for the certificate authority (CA) and certificate that you specified.

-----BEGIN CERTIFICATE----- base64-encoded certificate -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- base64-encoded certificate -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- base64-encoded certificate -----END CERTIFICATE-----