AWS Certificate Manager Private Certificate Authority
User Guide (Version latest)

Retrieve a Private Certificate

If you used the standalone ACM PCA service to issue a private certificate, you can use the ACM PCA CLI or API to retrieve it. If you used ACM to create your private CA and to request certificates, you must use ACM to export the certificate and the encrypted private key. For more information, see Exporting a Private Certificate.

Use the get-certificate command to retrieve a private certificate in the standalone ACM PCA service. You can also use the GetCertificate API. To get the hexadecimal certificate serial number before calling the revoke-certificate command, you can call get-certificate or examine the CA audit report. Use the --output text option to output the certificate without <CR><LF> pairs.

aws acm-pca get-certificate \
--certificate-authority-arn arn:aws:acm-pca:region:account:\
certificate-authority/12345678-1234-1234-1234-123456789012 \
--certificate-arn arn:aws:acm-pca:region:account:\
certificate-authority/12345678-1234-1234-1234-123456789012/\
certificate/6707447683a9b7f4055627ffd55cebcc \
--output text

This command outputs the base64-encoded, PEM-format certificate and the certificate chain.

-----BEGIN CERTIFICATE-----
...Base64-encoded certificate...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...Base64-encoded certificate...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...Base64-encoded certificate...
-----END CERTIFICATE-----
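
As an added example (not part of the AWS guide or AWS code), the following Python splits get-certificate output into its certificates and reads the hexadecimal serial number of the first one, the value needed before calling revoke-certificate. It assumes the issued certificate precedes the chain in the output; the function names and the sample data are constructed for illustration.

```python
import base64
import re
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def split_bundle(text):
    """Return the DER bytes of every PEM certificate, in order of appearance."""
    return [base64.b64decode("".join(b.split())) for b in PEM_RE.findall(text)]

def read_tlv(buf, pos):
    """Decode one DER element at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def serial_hex(der):
    """Hex serialNumber of one X.509 certificate (sign-padding byte dropped)."""
    tag, start, _ = read_tlv(der, 0)       # Certificate ::= SEQUENCE
    tag2, start, _ = read_tlv(der, start)  # tbsCertificate ::= SEQUENCE
    if (tag, tag2) != (0x30, 0x30):
        raise ValueError("not an X.509 certificate")
    tag, vstart, vend = read_tlv(der, start)
    if tag == 0xA0:                        # optional [0] EXPLICIT version
        tag, vstart, vend = read_tlv(der, vend)
    if tag != 0x02:
        raise ValueError("serialNumber INTEGER not found")
    digits = "%x" % int.from_bytes(der[vstart:vend], "big")
    return digits.zfill(len(digits) + len(digits) % 2)

def leaf_serial(bundle_text):
    """Serial of the first certificate; assumes the issued cert precedes the chain."""
    certs = split_bundle(bundle_text)
    if not certs:
        raise ValueError("no PEM certificate found")
    return serial_hex(certs[0])

# Constructed sample: DER stubs holding only version + serialNumber, not real certs.
def _stub(serial_bytes):
    tlv = lambda tag, val: bytes([tag, len(val)]) + val
    tbs = tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, serial_bytes)
    der = tlv(0x30, tlv(0x30, tbs))
    return ("-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode()
            + "-----END CERTIFICATE-----")
SAMPLE_SERIAL = "a1b2c3d4e5f60718293a4b5c6d7e8f90"  # constructed value
SAMPLE_BUNDLE = _stub(b"\x00" + bytes.fromhex(SAMPLE_SERIAL)) + "\t" + _stub(b"\x01")
```

Pass the saved command output to leaf_serial(); check the revoke-certificate reference for the exact serial formatting it accepts.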