Use DescribeCertificate with an AWS SDK or CLI - AWS SDK Code Examples

There are more AWS SDK examples available in the AWS Doc SDK Examples GitHub repo.

Use DescribeCertificate with an AWS SDK or CLI

The following code examples show how to use DescribeCertificate.

Action examples are code excerpts from larger programs and must be run in context. You can see this action in context in the following code example:

.NET
AWS SDK for .NET
Note

There's more on GitHub. Find the complete example and learn how to set up and run in the AWS Code Examples Repository.

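using System;
using System.Threading.Tasks;
using Amazon;
using Amazon.CertificateManager;
using Amazon.CertificateManager.Model;

namespace DescribeCertificate
{
    class DescribeCertificate
    {
        // The following example retrieves and displays the metadata for a
        // certificate using the AWS Certificate Manager (ACM) service.

        // Specify your AWS Region (an example Region is shown).
        private static readonly RegionEndpoint ACMRegion = RegionEndpoint.USEast1;
        private static AmazonCertificateManagerClient _client;

        /// <summary>
        /// Builds a DescribeCertificate request for an example ARN, sends it,
        /// and prints the certificate metadata when the call returns any.
        /// </summary>
        /// <param name="args">Command-line arguments (not used).</param>
        static async Task Main(string[] args)
        {
            _client = new AmazonCertificateManagerClient(ACMRegion);

            // The ARN used here is just an example. Replace it with the ARN of
            // a certificate that exists on your account.
            var describeCertificateReq = new DescribeCertificateRequest
            {
                CertificateArn = "arn:aws:acm:us-east-1:123456789012:certificate/8cfd7dae-9b6a-2d07-92bc-1c309EXAMPLE",
            };

            // Await the call instead of blocking on Task.Result, so a failure that
            // is not handled below surfaces as itself and not inside an
            // AggregateException.
            var certificateDetailResp = await DescribeCertificateResponseAsync(
                client: _client,
                request: describeCertificateReq);

            var certificateDetail = certificateDetailResp.Certificate;
            if (certificateDetail is not null)
            {
                DisplayCertificateDetails(certificateDetail);
            }
        }

        /// <summary>
        /// Displays detailed metadata about a certificate retrieved
        /// using the ACM service.
        /// </summary>
        /// <param name="certificateDetail">The object that contains details
        /// returned from the call to DescribeCertificateAsync.</param>
        static void DisplayCertificateDetails(CertificateDetail certificateDetail)
        {
            Console.WriteLine("\nCertificate Details: ");
            Console.WriteLine($"Certificate Domain: {certificateDetail.DomainName}");
            Console.WriteLine($"Certificate Arn: {certificateDetail.CertificateArn}");
            Console.WriteLine($"Certificate Subject: {certificateDetail.Subject}");
            Console.WriteLine($"Certificate Status: {certificateDetail.Status}");

            // Guard the collection: iterating a null list would throw before the
            // remaining details are shown.
            if (certificateDetail.SubjectAlternativeNames is not null)
            {
                foreach (var san in certificateDetail.SubjectAlternativeNames)
                {
                    Console.WriteLine($"Certificate SubjectAlternativeName: {san}");
                }
            }
        }

        /// <summary>
        /// Retrieves the metadata associated with the ACM service certificate.
        /// </summary>
        /// <param name="client">An AmazonCertificateManagerClient object
        /// used to call DescribeCertificateAsync.</param>
        /// <param name="request">The DescribeCertificateRequest object that
        /// will be passed to the method call.</param>
        /// <returns>The response from DescribeCertificateAsync. When the ARN is
        /// invalid or the certificate is not found, an error line is written to
        /// the console and a newly constructed, empty response is returned; the
        /// caller checks its Certificate property for null before use.</returns>
        static async Task<DescribeCertificateResponse> DescribeCertificateResponseAsync(
            AmazonCertificateManagerClient client, DescribeCertificateRequest request)
        {
            var response = new DescribeCertificateResponse();

            try
            {
                response = await client.DescribeCertificateAsync(request);
            }
            catch (InvalidArnException)
            {
                Console.WriteLine("Error: The ARN specified is invalid.");
            }
            catch (ResourceNotFoundException)
            {
                Console.WriteLine("Error: The specified certificate could not be found.");
            }

            // Any other exception type is not handled here and propagates to the caller.
            return response;
        }
    }
}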
C++
SDK for C++
Note

There's more on GitHub. Find the complete example and learn how to set up and run in the AWS Code Examples Repository.

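//! Describe an AWS Certificate Manager (ACM) certificate.
/*!
  Calls DescribeCertificate for the given ARN. On success the certificate's
  metadata is printed to std::cout; on failure the service error message is
  printed to std::cerr.
  \param certificateArn: The Amazon Resource Name (ARN) of a certificate.
  \param clientConfiguration: AWS client configuration.
  \return bool: Function succeeded.
 */
bool AwsDoc::ACM::describeCertificate(const Aws::String &certificateArn,
                                      const Aws::Client::ClientConfiguration &clientConfiguration) {
    Aws::ACM::ACMClient acm_client(clientConfiguration);

    Aws::ACM::Model::DescribeCertificateRequest request;
    request.WithCertificateArn(certificateArn);

    Aws::ACM::Model::DescribeCertificateOutcome outcome =
            acm_client.DescribeCertificate(request);

    if (!outcome.IsSuccess()) {
        std::cerr << "Error: DescribeCertificate: "
                  << outcome.GetError().GetMessage() << std::endl;
    }
    else {
        Aws::ACM::Model::CertificateDetail certificate =
                outcome.GetResult().GetCertificate();

        std::cout << "Success: Information about certificate "
                     "with ARN '" << certificateArn << "':" << std::endl
                  << std::endl;

        std::cout << "ARN: " << certificate.GetCertificateArn() << std::endl;
        std::cout << "Authority ARN: "
                  << certificate.GetCertificateAuthorityArn() << std::endl;
        std::cout << "Created at (GMT): "
                  << certificate.GetCreatedAt().ToGmtString(
                          Aws::Utils::DateFormat::ISO_8601)
                  << std::endl;
        std::cout << "Domain name: " << certificate.GetDomainName() << std::endl;

        // Per-domain validation details: how ownership of each domain was (or is
        // being) proven, and whether that validation succeeded.
        const Aws::Vector<Aws::ACM::Model::DomainValidation> &options =
                certificate.GetDomainValidationOptions();

        if (!options.empty()) {
            std::cout << std::endl << "Domain validation information: "
                      << std::endl << std::endl;

            for (const auto &validation: options) {
                std::cout << " Domain name: " << validation.GetDomainName()
                          << std::endl;

                const Aws::ACM::Model::ResourceRecord &record =
                        validation.GetResourceRecord();

                std::cout << " Resource record name: " << record.GetName()
                          << std::endl;

                Aws::ACM::Model::RecordType recordType = record.GetType();
                Aws::String type;

                switch (recordType) {
                    case Aws::ACM::Model::RecordType::CNAME:
                        type = "CNAME";
                        break;
                    case Aws::ACM::Model::RecordType::NOT_SET:
                        type = "Not set";
                        break;
                    default:
                        type = "Cannot determine.";
                        break;
                }

                std::cout << " Resource record type: " << type << std::endl;
                std::cout << " Resource record value: " << record.GetValue()
                          << std::endl;
                std::cout << " Validation domain: "
                          << validation.GetValidationDomain() << std::endl;

                const Aws::Vector<Aws::String> &emails =
                        validation.GetValidationEmails();

                if (!emails.empty()) {
                    std::cout << " Validation emails:" << std::endl
                              << std::endl;

                    for (const auto &email: emails) {
                        std::cout << " " << email << std::endl;
                    }

                    std::cout << std::endl;
                }

                Aws::ACM::Model::ValidationMethod validationMethod =
                        validation.GetValidationMethod();
                Aws::String method;

                switch (validationMethod) {
                    case Aws::ACM::Model::ValidationMethod::DNS:
                        method = "DNS";
                        break;
                    case Aws::ACM::Model::ValidationMethod::EMAIL:
                        method = "Email";
                        break;
                    case Aws::ACM::Model::ValidationMethod::NOT_SET:
                        method = "Not set";
                        break;
                    default:
                        method = "Cannot determine";
                }

                std::cout << " Validation method: " << method << std::endl;

                Aws::ACM::Model::DomainStatus domainStatus =
                        validation.GetValidationStatus();
                Aws::String status;

                switch (domainStatus) {
                    case Aws::ACM::Model::DomainStatus::FAILED:
                        status = "Failed";
                        break;
                    case Aws::ACM::Model::DomainStatus::NOT_SET:
                        status = "Not set";
                        break;
                    case Aws::ACM::Model::DomainStatus::PENDING_VALIDATION:
                        status = "Pending validation";
                        break;
                    case Aws::ACM::Model::DomainStatus::SUCCESS:
                        status = "Success";
                        break;
                    default:
                        status = "Cannot determine";
                }

                std::cout << " Domain validation status: " << status
                          << std::endl << std::endl;
            }
        }

        // Extended key usages state what the certificate's key may be used for.
        const Aws::Vector<Aws::ACM::Model::ExtendedKeyUsage> &usages =
                certificate.GetExtendedKeyUsages();

        if (!usages.empty()) {
            std::cout << std::endl << "Extended key usages:" << std::endl
                      << std::endl;

            for (const auto &usage: usages) {
                Aws::ACM::Model::ExtendedKeyUsageName usageName = usage.GetName();
                Aws::String name;

                switch (usageName) {
                    case Aws::ACM::Model::ExtendedKeyUsageName::ANY:
                        name = "Any";
                        break;
                    case Aws::ACM::Model::ExtendedKeyUsageName::CODE_SIGNING:
                        name = "Code signing";
                        break;
                    case Aws::ACM::Model::ExtendedKeyUsageName::CUSTOM:
                        name = "Custom";
                        break;
                    case Aws::ACM::Model::ExtendedKeyUsageName::EMAIL_PROTECTION:
                        name = "Email protection";
                        break;
                    case Aws::ACM::Model::ExtendedKeyUsageName::IPSEC_END_SYSTEM:
                        name = "IPSEC end system";
                        break;
                    case Aws::ACM::Model::ExtendedKeyUsageName::IPSEC_TUNNEL:
                        name = "IPSEC tunnel";
                        break;
                    case Aws::ACM::Model::ExtendedKeyUsageName::IPSEC_USER:
                        name = "IPSEC user";
                        break;
                    case Aws::ACM::Model::ExtendedKeyUsageName::NONE:
                        name = "None";
                        break;
                    case Aws::ACM::Model::ExtendedKeyUsageName::NOT_SET:
                        name = "Not set";
                        break;
                    case Aws::ACM::Model::ExtendedKeyUsageName::OCSP_SIGNING:
                        name = "OCSP signing";
                        break;
                    case Aws::ACM::Model::ExtendedKeyUsageName::TIME_STAMPING:
                        name = "Time stamping";
                        break;
                    case Aws::ACM::Model::ExtendedKeyUsageName::TLS_WEB_CLIENT_AUTHENTICATION:
                        name = "TLS web client authentication";
                        break;
                    case Aws::ACM::Model::ExtendedKeyUsageName::TLS_WEB_SERVER_AUTHENTICATION:
                        name = "TLS web server authentication";
                        break;
                    default:
                        name = "Cannot determine";
                }

                std::cout << " Name: " << name << std::endl;
                std::cout << " OID: " << usage.GetOID() << std::endl
                          << std::endl;
            }

            std::cout << std::endl;
        }

        Aws::ACM::Model::CertificateStatus certificateStatus =
                certificate.GetStatus();
        Aws::String status;

        switch (certificateStatus) {
            case Aws::ACM::Model::CertificateStatus::EXPIRED:
                status = "Expired";
                break;
            case Aws::ACM::Model::CertificateStatus::FAILED:
                status = "Failed";
                break;
            case Aws::ACM::Model::CertificateStatus::INACTIVE:
                status = "Inactive";
                break;
            case Aws::ACM::Model::CertificateStatus::ISSUED:
                status = "Issued";
                break;
            case Aws::ACM::Model::CertificateStatus::NOT_SET:
                status = "Not set";
                break;
            case Aws::ACM::Model::CertificateStatus::PENDING_VALIDATION:
                status = "Pending validation";
                break;
            case Aws::ACM::Model::CertificateStatus::REVOKED:
                status = "Revoked";
                break;
            case Aws::ACM::Model::CertificateStatus::VALIDATION_TIMED_OUT:
                status = "Validation timed out";
                break;
            default:
                status = "Cannot determine";
        }

        std::cout << "Status: " << status << std::endl;

        // The failure reason is only reported for certificates in the FAILED state.
        if (certificate.GetStatus() ==
            Aws::ACM::Model::CertificateStatus::FAILED) {
            Aws::ACM::Model::FailureReason failureReason =
                    certificate.GetFailureReason();
            Aws::String reason;

            switch (failureReason) {
                case Aws::ACM::Model::FailureReason::ADDITIONAL_VERIFICATION_REQUIRED:
                    reason = "Additional verification required";
                    break;
                case Aws::ACM::Model::FailureReason::CAA_ERROR:
                    reason = "CAA error";
                    break;
                case Aws::ACM::Model::FailureReason::DOMAIN_NOT_ALLOWED:
                    reason = "Domain not allowed";
                    break;
                case Aws::ACM::Model::FailureReason::DOMAIN_VALIDATION_DENIED:
                    reason = "Domain validation denied";
                    break;
                case Aws::ACM::Model::FailureReason::INVALID_PUBLIC_DOMAIN:
                    reason = "Invalid public domain";
                    break;
                case Aws::ACM::Model::FailureReason::NOT_SET:
                    reason = "Not set";
                    break;
                case Aws::ACM::Model::FailureReason::NO_AVAILABLE_CONTACTS:
                    reason = "No available contacts";
                    break;
                case Aws::ACM::Model::FailureReason::OTHER:
                    reason = "Other";
                    break;
                case Aws::ACM::Model::FailureReason::PCA_ACCESS_DENIED:
                    reason = "PCA access denied";
                    break;
                case Aws::ACM::Model::FailureReason::PCA_INVALID_ARGS:
                    reason = "PCA invalid args";
                    break;
                case Aws::ACM::Model::FailureReason::PCA_INVALID_ARN:
                    reason = "PCA invalid ARN";
                    break;
                case Aws::ACM::Model::FailureReason::PCA_INVALID_DURATION:
                    reason = "PCA invalid duration";
                    break;
                case Aws::ACM::Model::FailureReason::PCA_INVALID_STATE:
                    reason = "PCA invalid state";
                    break;
                case Aws::ACM::Model::FailureReason::PCA_LIMIT_EXCEEDED:
                    reason = "PCA limit exceeded";
                    break;
                case Aws::ACM::Model::FailureReason::PCA_NAME_CONSTRAINTS_VALIDATION:
                    reason = "PCA name constraints validation";
                    break;
                case Aws::ACM::Model::FailureReason::PCA_REQUEST_FAILED:
                    reason = "PCA request failed";
                    break;
                case Aws::ACM::Model::FailureReason::PCA_RESOURCE_NOT_FOUND:
                    reason = "PCA resource not found";
                    break;
                default:
                    reason = "Cannot determine";
            }

            std::cout << "Failure reason: " << reason << std::endl;
        }

        // Revocation time and reason are only reported for REVOKED certificates.
        if (certificate.GetStatus() ==
            Aws::ACM::Model::CertificateStatus::REVOKED) {
            std::cout << "Revoked at (GMT): "
                      << certificate.GetRevokedAt().ToGmtString(
                              Aws::Utils::DateFormat::ISO_8601)
                      << std::endl;

            Aws::ACM::Model::RevocationReason revocationReason =
                    certificate.GetRevocationReason();
            Aws::String reason;

            switch (revocationReason) {
                case Aws::ACM::Model::RevocationReason::AFFILIATION_CHANGED:
                    reason = "Affiliation changed";
                    break;
                case Aws::ACM::Model::RevocationReason::A_A_COMPROMISE:
                    reason = "AA compromise";
                    break;
                case Aws::ACM::Model::RevocationReason::CA_COMPROMISE:
                    reason = "CA compromise";
                    break;
                case Aws::ACM::Model::RevocationReason::CERTIFICATE_HOLD:
                    reason = "Certificate hold";
                    break;
                case Aws::ACM::Model::RevocationReason::CESSATION_OF_OPERATION:
                    reason = "Cessation of operation";
                    break;
                case Aws::ACM::Model::RevocationReason::KEY_COMPROMISE:
                    reason = "Key compromise";
                    break;
                case Aws::ACM::Model::RevocationReason::NOT_SET:
                    reason = "Not set";
                    break;
                case Aws::ACM::Model::RevocationReason::PRIVILEGE_WITHDRAWN:
                    reason = "Privilege withdrawn";
                    break;
                case Aws::ACM::Model::RevocationReason::REMOVE_FROM_CRL:
                    // The label must match the enum value: "remove from CRL" is
                    // not the same statement as "revoke", and an operator reading
                    // this output acts on the difference.
                    reason = "Remove from CRL";
                    break;
                case Aws::ACM::Model::RevocationReason::SUPERCEDED:
                    reason = "Superceded";
                    break;
                case Aws::ACM::Model::RevocationReason::UNSPECIFIED:
                    reason = "Unspecified";
                    break;
                default:
                    reason = "Cannot determine";
            }

            std::cout << "Revocation reason: " << reason << std::endl;
        }

        if (certificate.GetType() == Aws::ACM::Model::CertificateType::IMPORTED) {
            std::cout << "Imported at (GMT): "
                      << certificate.GetImportedAt().ToGmtString(
                              Aws::Utils::DateFormat::ISO_8601)
                      << std::endl;
        }

        // Resources currently using the certificate.
        const Aws::Vector<Aws::String> &inUseBys = certificate.GetInUseBy();

        if (!inUseBys.empty()) {
            std::cout << std::endl << "In use by:" << std::endl << std::endl;

            for (const auto &in_use_by: inUseBys) {
                std::cout << " " << in_use_by << std::endl;
            }

            std::cout << std::endl;
        }

        if (certificate.GetType() ==
            Aws::ACM::Model::CertificateType::AMAZON_ISSUED &&
            certificate.GetStatus() ==
            Aws::ACM::Model::CertificateStatus::ISSUED) {
            std::cout << "Issued at (GMT): "
                      << certificate.GetIssuedAt().ToGmtString(
                              Aws::Utils::DateFormat::ISO_8601)
                      << std::endl;
        }

        std::cout << "Issuer: " << certificate.GetIssuer() << std::endl;

        Aws::ACM::Model::KeyAlgorithm keyAlgorithm =
                certificate.GetKeyAlgorithm();
        Aws::String algorithm;

        switch (keyAlgorithm) {
            case Aws::ACM::Model::KeyAlgorithm::EC_prime256v1:
                algorithm = "P-256 (secp256r1, prime256v1)";
                break;
            case Aws::ACM::Model::KeyAlgorithm::EC_secp384r1:
                algorithm = "P-384 (secp384r1)";
                break;
            case Aws::ACM::Model::KeyAlgorithm::EC_secp521r1:
                algorithm = "P-521 (secp521r1)";
                break;
            case Aws::ACM::Model::KeyAlgorithm::NOT_SET:
                algorithm = "Not set";
                break;
            case Aws::ACM::Model::KeyAlgorithm::RSA_1024:
                // Reported as-is. A 1024-bit RSA key is below the key sizes
                // generally accepted today, so this value is worth a second look
                // when it shows up in an inventory.
                algorithm = "RSA 1024";
                break;
            case Aws::ACM::Model::KeyAlgorithm::RSA_2048:
                algorithm = "RSA 2048";
                break;
            case Aws::ACM::Model::KeyAlgorithm::RSA_4096:
                algorithm = "RSA 4096";
                break;
            default:
                // Any key algorithm without a case above lands here.
                algorithm = "Cannot determine";
        }

        std::cout << "Key algorithm: " << algorithm << std::endl;

        // The validity window is only printed for certificates in the ISSUED state.
        if (certificate.GetStatus() ==
            Aws::ACM::Model::CertificateStatus::ISSUED) {
            std::cout << "Not valid after (GMT): "
                      << certificate.GetNotAfter().ToGmtString(
                              Aws::Utils::DateFormat::ISO_8601)
                      << std::endl;
            std::cout << "Not valid before (GMT): "
                      << certificate.GetNotBefore().ToGmtString(
                              Aws::Utils::DateFormat::ISO_8601)
                      << std::endl;
        }

        Aws::ACM::Model::CertificateTransparencyLoggingPreference loggingPreference =
                certificate.GetOptions().GetCertificateTransparencyLoggingPreference();
        Aws::String preference;

        switch (loggingPreference) {
            case Aws::ACM::Model::CertificateTransparencyLoggingPreference::DISABLED:
                preference = "Disabled";
                break;
            case Aws::ACM::Model::CertificateTransparencyLoggingPreference::ENABLED:
                preference = "Enabled";
                break;
            case Aws::ACM::Model::CertificateTransparencyLoggingPreference::NOT_SET:
                preference = "Not set";
                break;
            default:
                preference = "Cannot determine";
        }

        std::cout << "Logging preference: " << preference << std::endl;
        std::cout << "Serial: " << certificate.GetSerial() << std::endl;
        std::cout << "Signature algorithm: "
                  << certificate.GetSignatureAlgorithm() << std::endl;
        std::cout << "Subject: " << certificate.GetSubject() << std::endl;

        Aws::ACM::Model::CertificateType certificateType = certificate.GetType();
        Aws::String type;

        switch (certificateType) {
            case Aws::ACM::Model::CertificateType::AMAZON_ISSUED:
                type = "Amazon issued";
                break;
            case Aws::ACM::Model::CertificateType::IMPORTED:
                type = "Imported";
                break;
            case Aws::ACM::Model::CertificateType::NOT_SET:
                type = "Not set";
                break;
            case Aws::ACM::Model::CertificateType::PRIVATE_:
                type = "Private";
                break;
            default:
                type = "Cannot determine";
        }

        std::cout << "Type: " << type << std::endl;

        const Aws::Vector<Aws::String> &altNames =
                certificate.GetSubjectAlternativeNames();

        if (!altNames.empty()) {
            std::cout << std::endl << "Alternative names:" << std::endl
                      << std::endl;

            for (const auto &alt_name: altNames) {
                std::cout << " " << alt_name << std::endl;
            }

            std::cout << std::endl;
        }
    }

    return outcome.IsSuccess();
}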
CLI
AWS CLI

To retrieve the fields contained in an ACM certificate

The following describe-certificate command retrieves all of the fields for the certificate with the specified ARN:

# "region" and "account" in the ARN are placeholders; substitute the Region and
# account ID of the certificate you want to inspect.
# The calling identity needs permission for the acm:DescribeCertificate action.
aws acm describe-certificate --certificate-arn arn:aws:acm:region:account:certificate/12345678-1234-1234-1234-123456789012

Output similar to the following is displayed:

{ "Certificate": { "CertificateArn": "arn:aws:acm:region:account:certificate/12345678-1234-1234-1234-123456789012", "CreatedAt": 1446835267.0, "DomainName": "www.example.com", "DomainValidationOptions": [ { "DomainName": "www.example.com", "ValidationDomain": "www.example.com", "ValidationEmails": [ "hostmaster@example.com", "admin@example.com", "owner@example.com.whoisprivacyservice.org", "tech@example.com.whoisprivacyservice.org", "admin@example.com.whoisprivacyservice.org", "postmaster@example.com", "webmaster@example.com", "administrator@example.com" ] }, { "DomainName": "www.example.net", "ValidationDomain": "www.example.net", "ValidationEmails": [ "postmaster@example.net", "admin@example.net", "owner@example.net.whoisprivacyservice.org", "tech@example.net.whoisprivacyservice.org", "admin@example.net.whoisprivacyservice.org", "hostmaster@example.net", "administrator@example.net", "webmaster@example.net" ] } ], "InUseBy": [], "IssuedAt": 1446835815.0, "Issuer": "Amazon", "KeyAlgorithm": "RSA-2048", "NotAfter": 1478433600.0, "NotBefore": 1446768000.0, "Serial": "0f:ac:b0:a3:8d:ea:65:52:2d:7d:01:3a:39:36:db:d6", "SignatureAlgorithm": "SHA256WITHRSA", "Status": "ISSUED", "Subject": "CN=www.example.com", "SubjectAlternativeNames": [ "www.example.com", "www.example.net" ] } }
Java
SDK for Java 2.x
Note

There's more on GitHub. Find the complete example and learn how to set up and run in the AWS Code Examples Repository.

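/**
 * Before running this Java V2 code example, set up your development
 * environment, including your credentials.
 * <p>
 * For more information, see the following documentation topic:
 * <p>
 * https://docs.aws.amazon.com/sdk-for-java/latest/developer-guide/get-started.html
 */
public class DescribeCert {
    public static void main(String[] args) {
        final String usage = """

                Usage:
                    <certArn>

                Where:
                    certArn - the ARN of the certificate.
                """;

        if (args.length != 1) {
            System.out.println(usage);
            return;
        }

        String certArn = args[0];
        describeCertificate(certArn);
    }

    /**
     * Describes the details of an SSL/TLS certificate and prints its ARN,
     * domain name, issuer, issue time and status.
     * <p>
     * An {@code AcmException} raised by the service call is caught here and its
     * message is printed; it is not rethrown to the caller.
     *
     * @param certArn the Amazon Resource Name (ARN) of the certificate to describe
     */
    public static void describeCertificate(String certArn) {
        DescribeCertificateRequest req = DescribeCertificateRequest.builder()
                .certificateArn(certArn)
                .build();

        // try-with-resources closes the client when the call is done; the
        // original never closed it.
        try (AcmClient acmClient = AcmClient.create()) {
            DescribeCertificateResponse response = acmClient.describeCertificate(req);
            var certificate = response.certificate();

            // Print the certificate details.
            System.out.println("Certificate ARN: " + certificate.certificateArn());
            System.out.println("Domain Name: " + certificate.domainName());
            System.out.println("Issued By: " + certificate.issuer());
            System.out.println("Issued On: " + certificate.issuedAt());
            System.out.println("Status: " + certificate.status());

        } catch (AcmException e) {
            System.out.println(e.getMessage());
        }
    }
}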
PowerShell
Tools for PowerShell

Example 1: Returns details of the specified certificate.

# The ARN below is an example value; replace it with the ARN of a certificate
# in your own account and Region.
Get-ACMCertificateDetail -CertificateArn "arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012"

Output:

CertificateArn : arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012 CreatedAt : 1/21/2016 5:55:59 PM DomainName : www.example.com DomainValidationOptions : {www.example.com} InUseBy : {} IssuedAt : 1/1/0001 12:00:00 AM Issuer : KeyAlgorithm : RSA-2048 NotAfter : 1/1/0001 12:00:00 AM NotBefore : 1/1/0001 12:00:00 AM RevocationReason : RevokedAt : 1/1/0001 12:00:00 AM Serial : SignatureAlgorithm : SHA256WITHRSA Status : PENDING_VALIDATION Subject : CN=www.example.com SubjectAlternativeNames : {www.example.net}
Python
SDK for Python (Boto3)
Note

There's more on GitHub. Find the complete example and learn how to set up and run in the AWS Code Examples Repository.

class AcmCertificate:
    """
    Wraps the AWS Certificate Manager (ACM) operations used by this example.
    """

    def __init__(self, acm_client):
        """
        :param acm_client: A Boto3 ACM client.
        """
        self.acm_client = acm_client

    def describe(self, certificate_arn):
        """
        Looks up the metadata of a single certificate.

        A ClientError from the service call is logged with its traceback and
        then re-raised, so the caller decides how to handle it.

        :param certificate_arn: The Amazon Resource Name (ARN) of the certificate.
        :return: The "Certificate" entry of the DescribeCertificate response.
        """
        try:
            reply = self.acm_client.describe_certificate(CertificateArn=certificate_arn)
            cert_metadata = reply["Certificate"]
            logger.info(
                "Got metadata for certificate for domain %s.",
                cert_metadata["DomainName"],
            )
        except ClientError:
            logger.exception("Couldn't get data for certificate %s.", certificate_arn)
            raise
        # Only reached when the lookup and the log call both succeeded.
        return cert_metadata