Handling exceptions

An AWS Certificate Manager command might fail for several reasons. For information about each exception, see the table below.

Private certificate exception handling

The following exceptions can occur when you attempt to renew a private PKI certificate issued by AWS Private CA.

Note

AWS Private CA is not supported in the China (Beijing) Region and the China (Ningxia) Region.

ACM failure code	Comment
`PCA_ACCESS_DENIED`	The private CA has not granted ACM permissions. This triggers a AWS Private CA `AccessDeniedException` failure code. To remedy the problem, grant the necessary permissions to the ACM service principal using the AWS Private CA CreatePermission operation.
`PCA_INVALID_DURATION`	The validity period of the requested certificate exceeds the validity period of the issuing private CA. This triggers a AWS Private CA `ValidationException` failure code. To remedy the problem, install a new CA certificate with an appropriate validity period.
`PCA_INVALID_STATE`	The private CA being called is not in the correct state to perform the requested ACM operation. This triggers a AWS Private CA `InvalidStateException` failure code. Resolve the issue as follows: If the CA has the status `CREATING`, wait for creation to finish and then install the CA certificate. If the CA has status `PENDING_CERTIFICATE`, install the CA certificate. If the CA has status `DISABLED`, update it to `ACTIVE` status. If the CA has status `DELETED`, restore it. If the CA has status `EXPIRED`, install a new certificate If the CA has status `FAILED`, and you cannot resolve the issue, contact AWS Support.
`PCA_LIMIT_EXCEEDED`	The private CA has reached an issuance quota. This triggers a AWS Private CA `LimitExceededException` failure code. Try repeating your request before proceeding with this help. If the error persists, contact AWS Support to request a quota increase.
`PCA_REQUEST_FAILED`	A network or system error occurred. This triggers a AWS Private CA `RequestFailedException` failure code. Try repeating your request before proceeding with this help. If the error persists, contact AWS Support.
`PCA_RESOURCE_NOT_FOUND`	The private CA has been permanently deleted. This triggers a AWS Private CA `ResourceNotFoundException` failure code. Verify that you used the correct ARN. If that fails, you won't be able to use this CA. To remedy the problem, create a new CA.
`SLR_NOT_FOUND`	In order to renew a certificate signed by a private CA that resides in another account, ACM requires a Service Linked Role (SLR) on the account where the certificate resides. If you need to recreate a deleted SLR, see Creating the SLR for ACM.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Problems with the ACM service-linked role (SLR)

Concepts