Updating your private CA - AWS Private Certificate Authority

Updating your private CA

You can update the status of a private CA or change its revocation configuration after creating it. This topic provides details about CA status and the CA lifecycle, along with examples of console and CLI updates to CAs.

Updating CA status

The status of a CA that is managed by AWS Private CA results from a user action or, in some cases, from a service action. For example, a CA status changes when it expires. The status options available to CA administrators vary depending on the current status of the CA.

AWS Private CA can report the following status values. The table shows the CA capabilities available in each state.


For all status values except DELETED and FAILED, you are billed for the CA.

Status Issue certificates Validate certs with OCSP Generate CRLs Generate audits You can update the CA cert Certificates can be revoked You are billed for the CA
CREATING – The CA is being created. No No No No No No Yes

PENDING_CERTIFICATE – The CA has been created and needs a certificate to be operational.*

No No No No No No Yes
ACTIVE Yes Yes Yes Yes Yes Yes Yes
DISABLED – You have manually disabled the CA. No Yes Yes Yes No Yes Yes
EXPIRED – The CA certificate has expired.** No No No No Yes No Yes
FAILED The CreateCertificateAuthority action failed. This can occur because of a network outage, backend AWS failure, or other errors. A failed CA cannot be recovered. Delete the CA and create a new one. No
DELETED Your CA is within the restoration period, which can have a length of 7-30 days. After this period, it is permanently deleted.
  • If you call the RestoreCertificateAuthority API on a CA with DELETED status and an expired certificate, the CA will be set to EXPIRED.

  • For more information about deleting a CA, see Deleting your private CA.


* To complete activation, you need to generate a CSR, get a signed CA certificate from a CA, and import the certificate into AWS Private CA. The CSR can be submitted either to your new CA (for self-signing), or to an on-premises root or subordinate CA. For more information, see Creating and installing the CA certificate.

** You cannot directly change the status of an expired CA. If you import a new certificate for the CA, AWS Private CA resets the status to ACTIVE unless it was set to DISABLED before the certificate expired.

Additional considerations about expired CA certificates:

  • CA certificates are not automatically renewed. For information about automating renewal through AWS Certificate Manager, see Assign certificate renewal permissions to ACM.

  • If you attempt to issue a new certificate with an expired CA, the IssueCertificate API returns InvalidStateException. An expired root CA must self-sign a new root CA certificate before it can issue new subordinate certificates.

  • The ListCertificate Authorities and DescribeCertificateAuthority APIs return a status of EXPIRED if the CA certificate is expired, regardless of whether the CA status is set to ACTIVE or DISABLED. However, if the expired CA has been set to DELETED, the status returned is DELETED.

  • The UpdateCertificateAuthority API cannot update the status of an expired CA.

  • The RevokeCertificate API cannot be used to revoke any expired certificate, including a CA certificate.

CA status and CA lifecycle

The following diagram illustrates the CA lifecycle as an interaction of management actions with CA status.

					Interaction of CA management actions and status.

Management action

CA status

Action results in a state change

New state enables new action

At the top of the diagram, management actions are applied through the AWS Private CA console, CLI, or API. The actions take the CA through creation, activation, expiration and renewal. The CA status changes in response (as shown by the solid lines) to manual actions or automated updates. In most cases, a new status leads to a new possible action (shown by a dotted line) that the CA administrator can apply. The lower-right inset shows the possible status values permitting delete and restore actions.