AWS Certificate Manager Private Certificate Authority
User Guide (Version latest)

Delete Your Private CA

You can delete a private CA permanently. You might want to delete one, for example, to replace it with a new CA that has a new private key. You cannot update the key by importing an updated CA certificate that is associated with a new key. We recommend that if you want to replace a CA, you create the replacement before you delete. Once the new private CA is in production, disable the old one but do not immediately delete it. Keep the old CA disabled until all of the certificates issued by it have expired. Then delete the CA. ACM PCA does not check that all of the issued certificates have expired before it processes your delete request. You can generate an audit report to determine which certificates have expired. While the CA is disabled, you can revoke certificates but you cannot issue new ones.

If you must delete a private CA before all of the certificates it has issued have expired, we recommend that you also revoke the CA certificate. The CA certificate will be listed in the CRL of the parent CA, and the private CA will be untrusted by clients.


A private CA must be disabled for 30 days before it can be deleted.

Delete a private CA using the console

  1. Sign in to your AWS account and open the ACM PCA console at

  2. Choose Private CAs.

  3. Select your private CA from the list.

  4. On the Actions menu, choose Delete.

  5. If your private CA has been disabled for at least 30 days and you are certain that you want to delete it, choose Delete. Deletion cannot be reversed.

Delete a private CA using the CLI

Use the delete-certificate-authority command to delete a private CA.

aws acm-pca delete-certificate-authority \ --certificate-authority-arn arn:aws:acm-pca:region:accountaccount:\ certificate-authority/12345678-1234-1234-1234-123456789012