AWS Certificate Manager Private Certificate Authority
User Guide (Version latest)


The following Java sample shows how to use the ImportCertificateAuthorityCertificate function.

This function imports your signed private CA certificate into ACM PCA. Before you can call this function, you must create the private certificate authority by calling the CreateCertificateAuthority function. You must then generate a certificate signing request (CSR) by calling the GetCertificateAuthorityCsr function. Take the CSR to your on-premises CA and use your root certificate or a subordinate certificate to sign it. Create a certificate chain and copy the signed certificate and the certificate chain to your working directory.

package com.amazonaws.samples; import com.amazonaws.auth.AWSCredentials; import com.amazonaws.auth.profile.ProfileCredentialsProvider; import com.amazonaws.client.builder.AwsClientBuilder; import com.amazonaws.client.builder.AwsClientBuilder.EndpointConfiguration; import com.amazonaws.auth.AWSStaticCredentialsProvider; import; import; import; import com.amazonaws.AmazonClientException; import; import; import; import; import; import; import; import java.nio.ByteBuffer; import java.nio.charset.StandardCharsets; import java.util.Objects; public class ImportCertificateAuthorityCertificate { public static ByteBuffer stringToByteBuffer(final String string) { if (Objects.isNull(string)) { return null; } byte[] bytes = string.getBytes(StandardCharsets.UTF_8); return ByteBuffer.wrap(bytes); } public static void main(String[] args) throws Exception { // Retrieve your credentials from the C:\Users\name\.aws\credentials file // in Windows or the .aws/credentials file in Linux. AWSCredentials credentials = null; try{ credentials = new ProfileCredentialsProvider("default").getCredentials(); } catch (Exception e) { throw new AmazonClientException("Cannot load your credentials from disk", e); } // Define the endpoint for your sample. String endpointProtocol = ""; String endpointRegion = "region"; EndpointConfiguration endpoint = new AwsClientBuilder.EndpointConfiguration(endpointProtocol, endpointRegion); // Create a client that you can use to make requests. AWSACMPCA client = AWSACMPCAClientBuilder.standard() .withEndpointConfiguration(endpoint) .withCredentials(new AWSStaticCredentialsProvider(credentials)) .build(); // Create the request object and set the signed certificate, chain and CA ARN. ImportCertificateAuthorityCertificateRequest req = new ImportCertificateAuthorityCertificateRequest(); // Set the signed certificate. String strCertificate = "-----BEGIN CERTIFICATE-----" + "base64-encoded certificate" + "-----END CERTIFICATE-----"; ByteBuffer certByteBuffer = stringToByteBuffer(strCertificate); req.setCertificate(certByteBuffer); // Set the certificate chain. String strCertificateChain = "-----BEGIN CERTIFICATE-----" + "base64-encoded certificate" + "-----END CERTIFICATE-----"; ByteBuffer chainByteBuffer = stringToByteBuffer(strCertificateChain); req.setCertificateChain(chainByteBuffer); // Set the certificate ARN. req.withCertificateAuthorityArn("arn:aws:acm-pca:region:account: " + "certificate-authority/12345678-1234-1234-1234-123456789012"); // Import the certificate. try { client.importCertificateAuthorityCertificate(req); } catch(CertificateMismatchException ex) { throw ex; } catch(MalformedCertificateException ex) { throw ex; } catch(InvalidArnException ex) { throw ex; } catch(ResourceNotFoundException ex) { throw ex; } catch(RequestInProgressException ex) { throw ex; } catch(ConcurrentModificationException ex) { throw ex; } catch(RequestFailedException ex) { throw ex; } } }