AWS Certificate Manager Private Certificate Authority
User Guide (Version latest)

Updating Your Private CA

After creating a private CA, you can update its status or its revocation configuration.

Updating CA Status

ACM Private CA automatically updates the status of your private CA at regular intervals. You can also change the status manually, but you can only change it from ACTIVE to DISABLED and back. For example, if you want to delete your CA, you must disable it 30 days before deletion.

At various times, ACM Private CA can set the following values:

  • CREATING – ACM Private CA is trying to create your private CA.

  • PENDING_CERTIFICATE – Your private CA has been created but you must import the signed CA certificate.

  • ACTIVE – Your private CA has been created and is functioning normally.

  • EXPIRED – The CA certificate for your private CA has expired.

  • FAILED – Your private CA is not functioning properly and has been placed in a failed state.

If the CA certificate for your private CA expires, ACM Private CA sets the status to EXPIRED. You can set the status to DISABLED at this point, but you cannot enable it (set it back to ACTIVE). You might want to set the status to DISABLED if you intend to delete the CA in 30 days. If you import a new CA certificate for your private CA, ACM Private CA resets the status to ACTIVE unless you set it to DISABLED after the CA certificate expired. ACM Private CA never sets the status to DISABLED on its own; only you can.

To update CA status using the AWS console

  1. Sign in to your AWS account and open the ACM Private CA console at https://console.aws.amazon.com/acm-pca/home.

  2. Choose Private CAs.

  3. Choose your private CA from the list.

  4. On the Actions menu, choose Disable to disable a private CA that is currently active, or choose Enable to make a disabled CA active again.

To update your private CA status using the AWS CLI

Use the update-certificate-authority command. You can use a file similar to the following to specify the CRL configuration.

    {
      "CrlConfiguration": {
        "Enabled": true,
        "ExpirationInDays": 7,
        "CustomCname": "https://www.somename.crl",
        "S3BucketName": "your-crl-bucket-name"
      }
    }

The following command uses the preceding file to configure revocation and sets the status of the private CA to ACTIVE.

    aws acm-pca update-certificate-authority \
        --certificate-authority-arn arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012 \
        --revocation-configuration file://C:\revoke_config.txt \
        --status "ACTIVE"
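The following is an added example, not code from this guide or from AWS: a pre-flight check that applies the status rules and the CRL file layout described above before a script calls update-certificate-authority. It validates the requested manual status change (ACTIVE and DISABLED in either direction, EXPIRED to DISABLED only; statuses the guide lists no manual transition for are absent from the table), checks the revocation configuration file, reports when the CA will begin regenerating the CRL (half the validity period), and renders the equivalent CLI command. The ARN, bucket name and alias in the sample are constructed placeholders, and the function names are the example's own.

```python
"""Pre-flight validation for an update-certificate-authority request (added example)."""
import json
import shlex

# Manual status changes the guide permits: ACTIVE <-> DISABLED, EXPIRED -> DISABLED.
# CREATING, PENDING_CERTIFICATE and FAILED have no manual transition described, so
# they are deliberately missing here and any change from them is rejected.
ALLOWED_MANUAL_TRANSITIONS = {
    "ACTIVE": {"DISABLED"},
    "DISABLED": {"ACTIVE"},
    "EXPIRED": {"DISABLED"},
}

# Constructed sample values (not real resources).
SAMPLE_CA_ARN = ("arn:aws:acm-pca:region:account:"
                 "certificate-authority/12345678-1234-1234-1234-123456789012")
SAMPLE_REVOKE_CONFIG = json.dumps({
    "CrlConfiguration": {
        "Enabled": True,
        "ExpirationInDays": 7,
        "CustomCname": "crl.example.com",
        "S3BucketName": "your-crl-bucket-name",
    }
})


def is_allowed_transition(current: str, requested: str) -> bool:
    """True when the service lets you set `requested` by hand from `current`."""
    return requested in ALLOWED_MANUAL_TRANSITIONS.get(current, set())


def validate_crl_configuration(doc: dict) -> dict:
    """Check a {"CrlConfiguration": {...}} document; return the inner block or raise."""
    crl = doc.get("CrlConfiguration")
    if not isinstance(crl, dict):
        raise ValueError("CrlConfiguration object is required")
    unknown = set(crl) - {"Enabled", "ExpirationInDays", "CustomCname", "S3BucketName"}
    if unknown:
        raise ValueError(f"unknown CrlConfiguration keys: {sorted(unknown)}")
    if not isinstance(crl.get("Enabled"), bool):
        raise ValueError("Enabled must be true or false")
    if crl["Enabled"]:
        days = crl.get("ExpirationInDays")
        # bool is a subclass of int, so exclude it explicitly.
        if isinstance(days, bool) or not isinstance(days, int) or days < 1:
            raise ValueError("ExpirationInDays must be a positive integer when CRLs are enabled")
        if not crl.get("S3BucketName"):
            raise ValueError("S3BucketName is required when CRLs are enabled")
    return crl


def is_valid_crl_configuration(doc: dict) -> bool:
    """Boolean wrapper around validate_crl_configuration()."""
    try:
        validate_crl_configuration(doc)
        return True
    except ValueError:
        return False


def crl_regeneration_after_days(expiration_in_days: int) -> float:
    """Days after publication at which the CA starts regenerating the CRL (half the validity)."""
    return expiration_in_days / 2


def build_cli_command(ca_arn: str, revocation_file: str, status: str) -> str:
    """Render the update-certificate-authority command as one shell-quoted line."""
    if not ca_arn.startswith("arn:aws:acm-pca:") or ":certificate-authority/" not in ca_arn:
        raise ValueError("not an ACM Private CA ARN")
    args = ["aws", "acm-pca", "update-certificate-authority",
            "--certificate-authority-arn", ca_arn,
            "--revocation-configuration", f"file://{revocation_file}",
            "--status", status]
    return " ".join(shlex.quote(a) for a in args)


def plan_update(current_status, requested_status, revocation_json, ca_arn, revocation_file):
    """Validate everything and return what would be sent; raises ValueError on any problem."""
    if not is_allowed_transition(current_status, requested_status):
        raise ValueError(f"cannot change CA status from {current_status} to {requested_status}")
    crl = validate_crl_configuration(json.loads(revocation_json))
    return {
        "crl": crl,
        "regenerate_after_days": crl_regeneration_after_days(crl["ExpirationInDays"]) if crl["Enabled"] else None,
        "command": build_cli_command(ca_arn, revocation_file, requested_status),
    }


if __name__ == "__main__":
    plan = plan_update("DISABLED", "ACTIVE", SAMPLE_REVOKE_CONFIG, SAMPLE_CA_ARN, "revoke_config.json")
    print(plan["command"])
    print("CRL regeneration begins after", plan["regenerate_after_days"], "days")
```

Run it once with the sample to see the rendered command; swap in a real file path and ARN only after the plan is returned without an error.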

Updating the CRL Configuration

You can update the Certificate Revocation List (CRL) configuration for your private CA to change any of the following values:

  • Whether the private CA generates a certificate revocation list (CRL)

  • The number of days before a CRL expires. Note that ACM Private CA begins trying to regenerate the CRL at ½ the number of days you specify.

  • The name of the Amazon S3 bucket where your CRL is saved.

  • An alias to hide the name of your S3 bucket from public view.

Important

Changing any of the preceding parameters can have negative consequences. For example, disabling CRL generation, changing the validity period, or changing the S3 bucket after you have placed your private CA in production could break existing certificates that depend on the CRL and the current CRL configuration. Changing the alias can be done safely as long as the old alias remains linked to the correct bucket.
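As an added example (not code from this guide or from AWS), the function below classifies a proposed CRL configuration change the way the Important note above does: disabling CRL generation, changing the validity period, or moving to another S3 bucket on a production CA is reported as breaking, while an alias change is reported as a caution that depends on the old alias still resolving to the correct bucket. It compares two CrlConfiguration blocks with the same keys as the sample file in this guide; the sample configurations are constructed.

```python
"""Classify a proposed CRL configuration change before applying it (added example)."""

BREAKING = "breaking"
CAUTION = "caution"

# Constructed sample configurations.
CURRENT_CRL = {"Enabled": True, "ExpirationInDays": 7,
               "CustomCname": "crl.example.com", "S3BucketName": "your-crl-bucket-name"}
PROPOSED_ALIAS_ONLY = {**CURRENT_CRL, "CustomCname": "crl2.example.com"}
PROPOSED_NEW_BUCKET = {**CURRENT_CRL, "S3BucketName": "other-bucket"}


def assess_crl_change(current: dict, proposed: dict) -> list:
    """Return (severity, message) findings for each changed CRL parameter."""
    findings = []
    if current.get("Enabled") and not proposed.get("Enabled"):
        findings.append((BREAKING, "disabling CRL generation: certificates that point at "
                                   "the CRL will stop finding a fresh list"))
    if current.get("Enabled") and proposed.get("Enabled"):
        if current.get("ExpirationInDays") != proposed.get("ExpirationInDays"):
            findings.append((BREAKING, "changing the CRL validity period (ExpirationInDays)"))
        if current.get("S3BucketName") != proposed.get("S3BucketName"):
            findings.append((BREAKING, "changing the S3 bucket that hosts the CRL"))
        if current.get("CustomCname") != proposed.get("CustomCname"):
            findings.append((CAUTION, "changing the alias (CustomCname) is safe only while the "
                                      "old alias remains linked to the correct bucket"))
    return findings


def is_safe_for_production(current: dict, proposed: dict) -> bool:
    """True when no finding is classified as breaking (cautions still need review)."""
    return all(severity != BREAKING for severity, _ in assess_crl_change(current, proposed))


if __name__ == "__main__":
    for name, proposed in (("alias only", PROPOSED_ALIAS_ONLY), ("new bucket", PROPOSED_NEW_BUCKET)):
        print(name, "->", "safe" if is_safe_for_production(CURRENT_CRL, proposed) else "BLOCKED")
        for severity, message in assess_crl_change(CURRENT_CRL, proposed):
            print("  ", severity, ":", message)
```

Enabling CRLs on a CA that had none is not flagged, because nothing already issued depends on the old configuration; a change pipeline can gate the update call on is_safe_for_production() and surface the cautions for a human decision.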

To update the CRL configuration using the AWS console

  1. Sign in to your AWS account and open the ACM Private CA console at https://console.aws.amazon.com/acm-pca/home.

  2. Choose Private CAs.

  3. Choose your private CA from the list.

  4. On the Actions menu, choose Update CA revocation.

  5. Select Enable CRL distribution to generate certificate revocation lists (CRLs).

  6. For Create a new S3 bucket, choose Yes and type a unique bucket name or choose No and choose an existing bucket from the list.

  7. For Custom CRL Name, type an alias to hide your S3 bucket name from public view.

  8. For Valid for, type a validity period in days.

  9. Choose Update.

Add Tags to your Private Certificate Authority

Tags are words or phrases that act as metadata for identifying and organizing AWS resources. Each tag consists of a key and a value. You can use the ACM Private CA console, AWS Command Line Interface (AWS CLI), or the PCA API to add, view, or remove tags for private CAs.

You can create custom tags that suit your needs. For example, you could tag private CAs with the key-value pairs Environment=Prod or Environment=Beta to identify which environment each CA is intended for. You can add tags to a CA at creation or at any time afterward. For more information, see Create a Private CA.

Other AWS resources also support tagging. You can assign the same tag to different resources to indicate whether those resources are related. For example, you can assign a tag such as Website=example.com to your CA, the Elastic Load Balancing load balancer, and other related resources. For more information on tagging AWS resources, see Tagging your Amazon EC2 Resources in the Amazon EC2 User Guide for Linux Instances.

The following basic restrictions apply to ACM Private CA tags:

  • The maximum number of tags per private CA is 50.

  • The maximum length of a tag key is 128 characters.

  • The maximum length of a tag value is 256 characters.

  • The tag key and value can contain the following characters: A-Z, a-z, and the special characters . : + = @ _ % and - (hyphen).

  • Tag keys and values are case sensitive.

  • The aws: and rds: prefixes are reserved for AWS use; you cannot add, edit, or delete tags whose key begins with aws: or rds:. Default tags that begin with aws: and rds: do not count against your tags-per-resource limit.

  • If you plan to use your tagging schema across multiple services and resources, remember that other services may have different restrictions for allowed characters. Refer to the documentation for that service.

  • ACM Private CA tags are not available for use in the AWS Management Console's Resource Groups and Tag Editor.

You can tag a private CA from the ACM Private CA Console, the AWS Command Line Interface (AWS CLI), or the ACM Private CA API.

To tag a private CA (console)

  1. Sign in to your AWS account and open the ACM Private CA console at https://console.aws.amazon.com/acm-pca/home.

  2. Choose Private CAs.

  3. Choose your private CA from the list.

  4. Choose the Tags tab.

  5. Choose Edit.

  6. Type a key and value pair.

  7. Choose Add Tag.

To tag a private CA (AWS CLI)

Use the tag-certificate-authority command to add tags to your private CA.

    aws acm-pca tag-certificate-authority \
        --certificate-authority-arn arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012 \
        --tags Key=Admin,Value=Alice

Use the list-tags command to list the tags for a private CA.

    aws acm-pca list-tags \
        --certificate-authority-arn arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012 \
        --max-results 10

Use the untag-certificate-authority command to remove tags from a private CA.

    aws acm-pca untag-certificate-authority \
        --certificate-authority-arn arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012 \
        --tags Key=Purpose,Value=Website
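The following is an added example, not code from this guide or from AWS: a validator that checks a tag set against the restrictions listed above (at most 50 tags, key length 128, value length 256, exactly the character set the guide lists, case-sensitive keys, and the reserved aws: and rds: prefixes that users may not add, edit or delete) so a script can refuse to call tag-certificate-authority or untag-certificate-authority with a request the service would reject. to_cli_tags() renders the Key=...,Value=... tokens used by the --tags option in the commands above. The sample tags are constructed.

```python
"""Validate tags against the ACM Private CA tag restrictions (added example)."""
import string

MAX_TAGS_PER_CA = 50
MAX_KEY_LENGTH = 128
MAX_VALUE_LENGTH = 256
# Exactly the character set this guide lists: letters plus . : + = @ _ % -
ALLOWED_CHARS = set(string.ascii_letters + ".:+=@_%-")
# Users cannot add, edit or delete tags whose key starts with these prefixes.
RESERVED_PREFIXES = ("aws:", "rds:")

# Constructed sample tags, as (key, value) pairs.
SAMPLE_TAGS = [("Admin", "Alice"), ("Environment", "Prod"), ("Purpose", "Website")]


def _disallowed_chars(text: str) -> str:
    """Characters in `text` that are outside the permitted set, sorted and deduplicated."""
    return "".join(sorted({c for c in text if c not in ALLOWED_CHARS}))


def validate_tags(tags) -> list:
    """Return human-readable problems; an empty list means the tag set is acceptable."""
    problems = []
    if len(tags) > MAX_TAGS_PER_CA:
        problems.append(f"{len(tags)} tags exceeds the limit of {MAX_TAGS_PER_CA} per private CA")
    seen = set()  # keys are case sensitive, so Admin and admin are two different keys
    for key, value in tags:
        if not key:
            problems.append("empty tag key")
        if key.startswith(RESERVED_PREFIXES):
            problems.append(f"key {key!r} uses a reserved prefix and cannot be managed by users")
        if len(key) > MAX_KEY_LENGTH:
            problems.append(f"key {key!r} is longer than {MAX_KEY_LENGTH} characters")
        if len(value) > MAX_VALUE_LENGTH:
            problems.append(f"value for key {key!r} is longer than {MAX_VALUE_LENGTH} characters")
        bad_key = _disallowed_chars(key)
        if bad_key:
            problems.append(f"key {key!r} contains disallowed characters: {bad_key!r}")
        bad_value = _disallowed_chars(value)
        if bad_value:
            problems.append(f"value for key {key!r} contains disallowed characters: {bad_value!r}")
        if key in seen:
            problems.append(f"duplicate key {key!r}")
        seen.add(key)
    return problems


def to_cli_tags(tags) -> list:
    """Render tags as the Key=...,Value=... tokens the CLI --tags option accepts."""
    return [f"Key={key},Value={value}" for key, value in tags]


if __name__ == "__main__":
    problems = validate_tags(SAMPLE_TAGS)
    if problems:
        for p in problems:
            print("reject:", p)
    else:
        print("--tags", " ".join(to_cli_tags(SAMPLE_TAGS)))
```

Because the tag keys are compared case-sensitively, Admin and admin pass as two distinct tags; if your tagging schema is shared with services that treat keys differently, apply that service's stricter rule before reusing the same set.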