Retrieving a private certificate - AWS Private Certificate Authority

Retrieving a private certificate

You can use the AWS Private CA API and AWS CLI to issue a private certificate. If you do, you can use the AWS CLI or AWS Private CA API to retrieve that certificate. If you used ACM to create your private CA and to request certificates, you must use ACM to export the certificate and the encrypted private key. For more information, see Exporting a private certificate.

To retrieve an end-entity certificate

Use the get-certificate AWS CLI command to retrieve a private end-entity certificate. You can also use the GetCertificate API operation. We recommend formatting the output with jq, a sed-like parser.

Note

If you want to revoke a certificate, you can use the get-certificate command to retrieve the serial number in hexadecimal format. You can also create an audit report to retrieve the hex serial number. For more information, see Using audit reports with your private CA.

$ aws acm-pca get-certificate \ --certificate-arn arn:aws:acm-pca:region:account:certificate-authority/CA_ID/certificate/certificate_ID \ --certificate-authority-arn arn:aws:acm-pca:us-east-1:111122223333:certificate-authority/11223344-1234-1122-2233-112233445566 | \ jq -r '.Certificate, .CertificateChain'

This command outputs the certificate and certificate chain in the following standard format.

-----BEGIN CERTIFICATE----- ...base64-encoded certificate... -----END CERTIFICATE---- -----BEGIN CERTIFICATE----- ...base64-encoded certificate... -----END CERTIFICATE---- -----BEGIN CERTIFICATE----- ...base64-encoded certificate... -----END CERTIFICATE----
To retrieve a CA certificate

You can use the AWS Private CA API and AWS CLI to retrieve the certificate authority (CA) certificate for your private CA. Run the get-certificate-authority-certificate command. You can also call the GetCertificateAuthorityCertificate operation. We recommend formatting the output with jq, a sed-like parser.

$ aws acm-pca get-certificate-authority-certificate \ --certificate-authority-arn arn:aws:acm-pca:us-east-1:111122223333:certificate-authority/11223344-1234-1122-2233-112233445566 \ | jq -r '.Certificate'

This command outputs the CA certificate in the following standard format.

-----BEGIN CERTIFICATE----- ...base64-encoded certificate... -----END CERTIFICATE----