AWS Certificate Manager Private Certificate Authority
User Guide (Version latest)

GetCertificateAuthorityCsr

The following Java sample shows how to use the GetCertificateAuthorityCsr function.

This function retrieves the certificate signing request (CSR) for your private certificate authority (CA). The CSR is created when you call the CreateCertificateAuthority function. Take the CSR to your on-premises X.509 infrastructure and sign it by using your root or a subordinate CA. Then import the signed certificate back into ACM PCA by calling the ImportCertificateAuthorityCertificate action. The CSR is returned as a base64 PEM–encoded string.

package com.amazonaws.samples; import com.amazonaws.auth.AWSCredentials; import com.amazonaws.auth.profile.ProfileCredentialsProvider; import com.amazonaws.client.builder.AwsClientBuilder; import com.amazonaws.client.builder.AwsClientBuilder.EndpointConfiguration; import com.amazonaws.auth.AWSStaticCredentialsProvider; import com.amazonaws.services.acmpca.AWSACMPCA; import com.amazonaws.services.acmpca.AWSACMPCAClientBuilder; import com.amazonaws.services.acmpca.model.GetCertificateAuthorityCsrRequest; import com.amazonaws.services.acmpca.model.GetCertificateAuthorityCsrResult; import com.amazonaws.AmazonClientException; import com.amazonaws.services.acmpca.model.ResourceNotFoundException; import com.amazonaws.services.acmpca.model.InvalidArnException; import com.amazonaws.services.acmpca.model.RequestInProgressException; import com.amazonaws.services.acmpca.model.RequestFailedException; public class GetCertificateAuthorityCsr { public static void main(String[] args) throws Exception { // Retrieve your credentials from the C:\Users\name\.aws\credentials file // in Windows or the .aws/credentials file in Linux. AWSCredentials credentials = null; try{ credentials = new ProfileCredentialsProvider("default").getCredentials(); } catch (Exception e) { throw new AmazonClientException("Cannot load your credentials from disk", e); } // Define the endpoint for your sample. String endpointProtocol = "https://acm-pca.region.amazonaws.com/"; String endpointRegion = "region"; EndpointConfiguration endpoint = new AwsClientBuilder.EndpointConfiguration(endpointProtocol, endpointRegion); // Create a client that you can use to make requests. AWSACMPCA client = AWSACMPCAClientBuilder.standard() .withEndpointConfiguration(endpoint) .withCredentials(new AWSStaticCredentialsProvider(credentials)) .build(); // Create waiter to wait on successful creation of the CSR. Waiter<GetCertificateAuthorityCsrRequest> waiter = client.waiters().certificateAuthorityCSRCreated(); try { waiter.run(new WaiterParameters<>(new GetCertificateAuthorityCsrRequest())); } catch(WaiterUnrecoverableException e) { //Explicit short circuit when the recourse transitions into //an undesired state. } catch(WaiterTimedOutException e) { //Failed to transition into desired state even after polling. } catch(PrivateCAException e) { //Unexpected service exception. } // Create the request object and set the CA ARN. GetCertificateAuthorityCsrRequest req = new GetCertificateAuthorityCsrRequest(); req.withCertificateAuthorityArn("arn:aws:acm-pca:region:account: " + "certificate-authority/12345678-1234-1234-1234-123456789012"); // Retrieve the CSR. GetCertificateAuthorityCsrResult result = null; try { result = client.getCertificateAuthorityCsr(req); } catch (RequestInProgressException ex) { throw ex; } catch (ResourceNotFoundException ex) { throw ex; } catch (InvalidArnException ex) { throw ex; } catch (RequestFailedException ex) { throw ex; } // Retrieve and display the CSR; String Csr = result.getCsr(); System.out.println(Csr); } }

Your output should be similar to the following for the certificate authority (CA) that you specify. The certificate signing request (CSR) is base64-encoded in PEM format. Save it to a local file, take it to your on-premises X.509 infrastructure and sign it by using your root or a subordinate CA.

-----BEGIN CERTIFICATE REQUEST----- base64-encoded request -----END CERTIFICATE REQUEST-----