Get a certificate signing request (CSR) from ACM Private CA - AWS Certificate Manager Private Certificate Authority
How to retrieve a CSR (console): Method 1How to retrieve a CSR (console): Method 2Retrieving a CSR (AWS CLI)

Get a certificate signing request (CSR) from ACM Private CA

If you have created a private subordinate CA that you want to sign with an external CA, you must retrieve a certificate signing request (CSR). Then save it to a file. You can do this using the AWS Management Console or the AWS CLI as discussed in the procedures that follow. If you want to inspect the CSR, use the following OpenSSL command: 

openssl req -in path_to_CSR_file -text -noout

This command generates output similar to the following. Notice that the CA extension is TRUE, indicating that the CSR is for a CA certificate. 

Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: O=ExampleCompany, OU=Corporate Office, CN=Example CA 1
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:d4:23:51:b3:dd:01:09:01:0b:4c:59:e4:ea:81:
                    1d:7f:48:36:ef:2a:e9:45:82:ec:95:1d:c6:d7:c9:
                    7f:19:06:73:c5:cd:63:43:14:eb:c8:03:82:f8:7b:
                    c7:89:e6:8d:03:eb:b6:76:58:70:f2:cb:c3:4c:67:
                    ea:50:fd:b9:17:84:b8:60:2c:64:9d:2e:d5:7d:da:
                    46:56:38:34:a9:0d:57:77:85:f1:6f:b8:ce:73:eb:
                    f7:62:a7:8e:e6:35:f5:df:0c:f7:3b:f5:7f:bd:f4:
                    38:0b:95:50:2c:be:7d:bf:d9:ad:91:c3:81:29:23:
                    b2:5e:a6:83:79:53:f3:06:12:20:7e:a8:fa:18:d6:
                    a8:f3:a3:89:a5:a3:6a:76:da:d0:97:e5:13:bc:84:
                    a6:5c:d6:54:1a:f0:80:16:dd:4e:79:7b:ff:6d:39:
                    b5:67:56:cb:02:6b:14:c3:17:06:0e:7d:fb:d2:7e:
                    1c:b8:7d:1d:83:13:59:b2:76:75:5e:d1:e3:23:6d:
                    8a:5e:f5:85:ca:d7:e9:a3:f1:9b:42:9f:ed:8a:3c:
                    14:4d:1f:fc:95:2b:51:6c:de:8f:ee:02:8c:0c:b6:
                    3e:2d:68:e5:f8:86:3f:4f:52:ec:a6:f0:01:c4:7d:
                    68:f3:09:ae:b9:97:d6:fc:e4:de:58:58:37:09:9a:
                    f6:27
                Exponent: 65537 (0x10001)
        Attributes:
        Requested Extensions:
            X509v3 Basic Constraints:
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption
         c5:64:0e:6c:cf:11:03:0b:b7:b8:9e:48:e1:04:45:a0:7f:cc:
         a7:fd:e9:4d:c9:00:26:c5:6e:d0:7e:69:7a:fb:17:1f:f3:5d:
         ac:f3:65:0a:96:5a:47:3c:c1:ee:45:84:46:e3:e6:05:73:0c:
         ce:c9:a0:5e:af:55:bb:89:46:21:92:7b:10:96:92:1b:e6:75:
         de:02:13:2d:98:72:47:bd:b1:13:1a:3d:bb:71:ae:62:86:1a:
         ee:ae:4e:f4:29:2e:d6:fc:70:06:ac:ca:cf:bb:ee:63:68:14:
         8e:b2:8f:e3:8d:e8:8f:e0:33:74:d6:cf:e2:e9:41:ad:b6:47:
         f8:2e:7d:0a:82:af:c6:d8:53:c2:88:a0:32:05:09:e0:04:8f:
         79:1c:ac:0d:d4:77:8e:a6:b2:5f:07:f8:1b:e3:98:d4:12:3d:
         28:32:82:b5:50:92:a4:b2:4c:28:fc:d2:73:75:75:ff:10:33:
         2c:c0:67:4b:de:fd:e6:69:1c:a8:bb:e8:31:93:07:35:69:b7:
         d6:53:37:53:d5:07:dd:54:35:74:50:50:f9:99:7d:38:b7:b6:
         7f:bd:6c:b8:e4:2a:38:e5:04:00:a8:a3:d9:e5:06:38:e0:38:
         4c:ca:a9:3c:37:6d:ba:58:38:11:9c:30:08:93:a5:62:00:18:
         d1:83:66:40

How to retrieve a CSR (console): Method 1

Use this procedure if you followed the steps to create a private CA in ACM Private CA and left the Success dialog box open. These procedures assume that while creating the CA, you specified that it was a subordinate CA.

To retrieve a CSR (console): Method 1

  1. Immediately after ACM Private CA has successfully created your private CA, in the Success window, choose Get started.

  2. Choose External private CA and Next.

  3. The console returns the CSR. Choose Export CSR to a file and save it locally.

  4. If you cannot immediately perform the offline steps to obtain a signed certificate from your external signing authority, choose Cancel. Once you possess a signed certificate and a certificate chain, you can use the How to retrieve a CSR (console): Method 2 procedure to import them into ACM Private CA.

    Otherwise, if you are ready, choose Next.

  5. Follow the instructions in Sign your private CA certificate.

How to retrieve a CSR (console): Method 2

Use this procedure if you followed the steps to create a private CA in ACM Private CA and closed the Success dialog box.

To retrieve a CSR (console): Method 2

  1. When you are ready to continue, open the AWS Certificate Manager console and choose Private CAs in the left navigation pane.

  2. Choose your private CA from the list.

  3. From the Actions menu, choose Install CA certificate.

  4. Choose External private CA and Next.

  5. The ACM Private CA console returns the CSR. Choose Export CSR to a file and save it locally.

  6. Choose Next.

  7. Follow the instructions in Sign your private CA certificate.

Retrieving a CSR (AWS CLI)

Use this procedure to retrieve a CSR using the AWS Command Line Interface.

To retrieve a CSR (AWS CLI)

  1. Use the get-certificate-authority-csr command to retrieve the certificate signing request (CSR) for your private CA. If you want to send the CSR to your display, use the --output text option to eliminate CR/LF characters from the end of each line. To send the CSR to a file, use the redirect option (>) followed by a file name. 

    aws acm-pca get-certificate-authority-csr \
--certificate-authority-arn arn:aws:acm-pca:region:account:\
certificate-authority/12345678-1234-1234-1234-123456789012 \
--output text

  2. Follow the instructions in Sign your private CA certificate.