Handling Exceptions - AWS Certificate Manager

Handling Exceptions

An AWS Certificate Manager command might fail for several reasons. For information about each exception, see the table below.

Private Certificate Exception Handling

The following exceptions can occur when you attempt to renew a private PKI certificate issued by ACM Private CA.

ACM failure code

Comment

PCA_ACCESS_DENIED

The private CA has not granted ACM permissions. This triggers a PCA AccessDeniedException failure code.

To remedy the problem, grant the necessary permissions to the ACM service principal using the PCA CreatePermission operation.

PCA_INVALID_STATE

The private CA being called is not in the correct state to perform the requested ACM operation. This triggers a PCA InvalidStateException failure code.

Resolve the issue as follows:

  • If the CA has the status CREATING, wait for creation to finish and then install the CA certificate.

  • If the CA has status PENDING_CERTIFICATE, install the CA certificate.

  • If the CA has status DISABLED, update it to ACTIVE status.

  • If the CA has status DELETED, restore it.

  • If the CA has status EXPIRED, install a new certificate.

  • If the CA has status FAILED, and you cannot resolve the issue, contact AWS Support.

PCA_LIMIT_EXCEEDED

The private CA has reached an issuance quota. This triggers a PCA LimitExceededException failure code. Try repeating your request before proceeding with this help.

If the error persists, contact AWS Support to request a quota increase.

PCA_REQUEST_FAILED

A network or system error occurred. This triggers a PCA RequestFailedException failure code. Try repeating your request before proceeding with this help.

If the error persists, contact AWS Support.

PCA_RESOURCE_NOT_FOUND

The private CA has been permanently deleted. This triggers a PCA ResourceNotFoundException failure code. Verify that you used the correct ARN. If that fails, you won't be able to use this CA.

To remedy the problem, create a new CA.

PCA_INVALID_DURATION

The validity period of the requested certificate exceeds the validity period of the issuing private CA. This triggers a PCA ValidationException failure code.

To remedy the problem, install a new CA certificate with an appropriate validity period.
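
The table above as an offline triage routine, including a check of which actions the ACM service principal is missing when renewal fails with PCA_ACCESS_DENIED. This is an added example, not AWS code: it takes dicts shaped like the boto3 describe_certificate, describe_certificate_authority and list_permissions responses, and the function names, the sample data and the three required actions (taken from the ACM Private CA API, not from this page) are assumptions of the example.

```python
ACM_PRINCIPAL = "acm.amazonaws.com"
# Assumption (not on this page): actions ACM needs on the private CA for managed renewal.
REQUIRED_ACTIONS = {"IssueCertificate", "GetCertificate", "ListPermissions"}
# CA status -> remediation, from the PCA_INVALID_STATE list above.
STATE_FIX = {
    "CREATING": "wait for creation to finish, then install the CA certificate",
    "PENDING_CERTIFICATE": "install the CA certificate",
    "DISABLED": "update the CA to ACTIVE status",
    "DELETED": "restore the CA",
    "EXPIRED": "install a new CA certificate",
    "FAILED": "contact AWS Support if you cannot resolve the issue",
}
# Codes where the table says to repeat the request before escalating.
ESCALATE = {"PCA_LIMIT_EXCEEDED": "contact AWS Support to request a quota increase",
            "PCA_REQUEST_FAILED": "contact AWS Support"}

def missing_acm_actions(permissions):
    """Required actions not granted to ACM in a ListPermissions 'Permissions' list."""
    granted = {a for p in permissions if p.get("Principal") == ACM_PRINCIPAL
               for a in p.get("Actions", [])}
    return sorted(REQUIRED_ACTIONS - granted)

def triage(cert, ca, permissions, retried=False):
    """Map a failed renewal (DescribeCertificate 'Certificate' dict) to the next step."""
    renewal = cert.get("RenewalSummary", {})
    if renewal.get("RenewalStatus") != "FAILED":
        return "no failed renewal to triage"
    code = renewal.get("RenewalStatusReason", "")
    if code == "PCA_ACCESS_DENIED":
        missing = missing_acm_actions(permissions)
        if missing:
            return "grant ACM via CreatePermission; missing: " + ", ".join(missing)
        return "required actions already granted; request renewal again"
    if code == "PCA_INVALID_STATE":
        status = ca.get("Status")
        return STATE_FIX.get(status, "CA status %s is not in the list above" % status)
    if code in ESCALATE:
        return ESCALATE[code] if retried else "repeat the request"
    if code == "PCA_RESOURCE_NOT_FOUND":
        return "verify the CA ARN; if it is correct, create a new CA"
    if code == "PCA_INVALID_DURATION":
        return "install a new CA certificate with an appropriate validity period"
    return "failure code %r is not covered by this table" % code

# Constructed sample data shaped like the API responses (not real output).
SAMPLE_CERT = {"RenewalSummary": {"RenewalStatus": "FAILED", "RenewalStatusReason": "PCA_ACCESS_DENIED"}}
SAMPLE_PERMS = [{"Principal": "acm.amazonaws.com", "Actions": ["IssueCertificate", "GetCertificate"]}]
if __name__ == "__main__":
    print(triage(SAMPLE_CERT, {"Status": "ACTIVE"}, SAMPLE_PERMS))
```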