Table Of Contents


User Guide

First time using the AWS CLI? See the User Guide for help getting started.

[ aws . acm-pca ]



Deletes a private certificate authority (CA). You must provide the ARN (Amazon Resource Name) of the private CA that you want to delete. You can find the ARN by calling the ListCertificateAuthorities operation. Before you can delete a CA, you must disable it. Call the UpdateCertificateAuthority operation and set the CertificateAuthorityStatus parameter to DISABLED .

Additionally, you can delete a CA if you are waiting for it to be created (the Status field of the CertificateAuthority is CREATING ). You can also delete it if the CA has been created but you haven't yet imported the signed certificate (the Status is PENDING_CERTIFICATE ) into ACM PCA.

If the CA is in one of the aforementioned states and you call DeleteCertificateAuthority , the CA's status changes to DELETED . However, the CA won't be permentantly deleted until the restoration period has passed. By default, if you do not set the PermanentDeletionTimeInDays parameter, the CA remains restorable for 30 days. You can set the parameter from 7 to 30 days. The DescribeCertificateAuthority operation returns the time remaining in the restoration window of a Private CA in the DELETED state. To restore an eligable CA, call the RestoreCertificateAuthority operation.

See also: AWS API Documentation

See 'aws help' for descriptions of global parameters.


--certificate-authority-arn <value>
[--permanent-deletion-time-in-days <value>]
[--cli-input-json <value>]
[--generate-cli-skeleton <value>]


--certificate-authority-arn (string)

The Amazon Resource Name (ARN) that was returned when you called CreateCertificateAuthority . This must have the following form:

``arn:aws:acm-pca:region :account :certificate-authority/12345678-1234-1234-1234-123456789012 `` .

--permanent-deletion-time-in-days (integer)

The number of days to make a CA restorable after it has been deleted. This can be anywhere from 7 to 30 days, with 30 being the default.

--cli-input-json (string) Performs service operation based on the JSON string provided. The JSON string follows the format provided by --generate-cli-skeleton. If other arguments are provided on the command line, the CLI values will override the JSON-provided values. It is not possible to pass arbitrary binary values using a JSON-provided value as the string will be taken literally.

--generate-cli-skeleton (string) Prints a JSON skeleton to standard output without sending an API request. If provided with no value or the value input, prints a sample input JSON that can be used as an argument for --cli-input-json. If provided with the value output, it validates the command inputs and returns a sample output JSON for that command.

See 'aws help' for descriptions of global parameters.


To delete a private certificate authority

The delete-certificate-authority command

aws acm-pca delete-certificate-authority --certificate-authority-arn arn:aws:acm-pca:us-east-1:account:certificate-authority/12345678-1234-1234-1234-123456789012