How can I revoke an AWS Certificate Manager (ACM) private certificate?
Short description
You can revoke an ACM private certificate using the revoke-certificate AWS Command Line Interface (AWS CLI) command.
Resolution
Follow these instructions depending on whether the ACM private certificate was created with the IssueCertificate API or in the AWS Management Console with the RequestCertificate API.
Note: If you receive errors when running AWS CLI commands, make sure that you’re using the most recent version of the AWS CLI.
Revoke an ACM private certificate that was created using the IssueCertificate API
Step 1: Get the certificate
The following AWS CLI command get-certificate outputs the base64-encoded PEM certificate and saves it in the certificate.pem file (the serial number is extracted from that file in step 2):
Note: Replace the ARN in these examples with your ARN.
aws acm-pca get-certificate \
  --certificate-authority-arn arn:aws:acm-pca:eu-west-1:111111111111:certificate-authority/12345678-1234-1234-1234-123456789012 \
  --certificate-arn arn:aws:acm-pca:eu-west-1:111111111111:certificate-authority/12345678-1234-1234-1234-123456789012/certificate/3d295f5691637e577f3c192acd79d401 \
  --query 'Certificate' --output text > certificate.pem
Step 2: Decode the certificate with OpenSSL to get the serial number
openssl x509 -in certificate.pem -noout -text
Example output:
Serial Number:
    3d:29:5f:56:91:63:7e:57:7f:3c:19:2a:cd:79:d4:01
Step 3: Revoke the certificate
Run the AWS CLI command revoke-certificate similar to the following:
Note: Replace the serial number example with your serial number output from step 2.
aws acm-pca revoke-certificate \
--certificate-authority-arn arn:aws:acm-pca:eu-west-1:111111111111:certificate-authority/12345678-1234-1234-1234-123456789012 \
--certificate-serial 3d:29:5f:56:91:63:7e:57:7f:3c:19:2a:cd:79:d4:01 \
--revocation-reason "KEY_COMPROMISE"
Use one of the following values to specify why you revoked the certificate:
- UNSPECIFIED
- KEY_COMPROMISE
- CERTIFICATE_AUTHORITY_COMPROMISE
- AFFILIATION_CHANGED
- SUPERSEDED
- CESSATION_OF_OPERATION
- PRIVILEGE_WITHDRAWN
- A_A_COMPROMISE
Note: On success, the revoke-certificate command returns no output. The revocation is recorded by the CA and shows up in the CA's audit report; relying parties only learn of it through the CA's CRL or OCSP responder, so those must be configured on the CA for the revocation to take effect in the field.
Revoke an ACM private certificate that was created using the AWS Management Console or RequestCertificate API
Step 1: Get the certificate's serial number
Run the AWS CLI command describe-certificate similar to the following:
aws acm describe-certificate --certificate-arn arn:aws:acm:region:account:certificate/12345678-1234-1234-1234-123456789012
Example output:
"Serial" : "3d:29:5f:56:91:63:7e:57:7f:3c:19:2a:cd:79:d4:01"
Step 2: Revoke the certificate
Run the AWS CLI command revoke-certificate similar to the following:
Note: Replace the serial number example with your serial number output from step 1.
aws acm-pca revoke-certificate \
  --certificate-authority-arn arn:aws:acm-pca:eu-west-1:111111111111:certificate-authority/12345678-1234-1234-1234-123456789012 \
  --certificate-serial 3d:29:5f:56:91:63:7e:57:7f:3c:19:2a:cd:79:d4:01 \
  --revocation-reason "KEY_COMPROMISE"
Use one of the following values to specify why you revoked the certificate:
- A_A_COMPROMISE
- PRIVILEGE_WITHDRAWN
- CESSATION_OF_OPERATION
- SUPERSEDED
- AFFILIATION_CHANGED
- CERTIFICATE_AUTHORITY_COMPROMISE
- KEY_COMPROMISE
- UNSPECIFIED
Note: On success, the revoke-certificate command returns no output. The certificate's status in ACM changes to REVOKED, and the revocation is published through the CA's CRL or OCSP responder only if one of those is configured on the CA.
Confirm that the ACM private certificate was revoked
Create an audit report using the AWS CLI
To create an audit report that lists every time that your CA private key is used, run the AWS CLI command create-certificate-authority-audit-report:
aws acm-pca create-certificate-authority-audit-report \
--certificate-authority-arn arn:aws:acm-pca:eu-west-1:111111111111:certificate-authority/12345678-1234-1234-1234-123456789012 \
--s3-bucket-name acmcrl2 \
--audit-report-response-format JSON
Example output:
{
"AuditReportId": "10e5767f-6259-4a23-90bb-628f5a5e1fee",
"S3Key": "audit-report/12345678-1234-1234-1234-123456789012/10e5767f-6259-4a23-90bb-628f5a5e1fee.json"
}
Note the Amazon Simple Storage Service (Amazon S3) key in the S3Key value.
Download the report with the AWS CLI command get-object, saving it to a local file (revoked.txt in this example):
aws s3api get-object --bucket acmcrl2 \
  --key audit-report/12345678-1234-1234-1234-123456789012/10e5767f-6259-4a23-90bb-628f5a5e1fee.json \
  revoked.txt
Search revoked.txt for the serial number of the certificate. The matching record contains a revokedAt value similar to the following:
"revokedAt": "2021-01-30T15:24:55+0000"
Note the timestamp in the revokedAt value. The revokedAt value exists only when the certificate status is REVOKED; if the record for your serial number has no revokedAt value, the revocation did not take effect.
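The following Python script ties the steps above together offline: it extracts the serial number from `openssl x509 -text` output (step 2 of the first procedure), normalizes the serial formats printed by openssl and by `aws acm describe-certificate`, builds the `aws acm-pca revoke-certificate` command with a validated revocation reason, and looks a serial up in a downloaded audit report to confirm revokedAt. This is an added example, not AWS code; the openssl text and the audit report below are constructed samples, and the audit-report field names (serial, revokedAt, revocationReason, and so on) follow the JSON layout ACM Private CA writes to S3 as the editor understands it. It never calls AWS itself.

```python
"""Offline helpers for the ACM Private CA revocation workflow (added example)."""
import json
import re
from typing import Optional

# Values accepted by --revocation-reason, as listed on this page.
REVOCATION_REASONS = {
    "UNSPECIFIED", "KEY_COMPROMISE", "CERTIFICATE_AUTHORITY_COMPROMISE",
    "AFFILIATION_CHANGED", "SUPERSEDED", "CESSATION_OF_OPERATION",
    "PRIVILEGE_WITHDRAWN", "A_A_COMPROMISE",
}

# Constructed sample inputs (not real AWS or openssl output).
CA_ARN = ("arn:aws:acm-pca:eu-west-1:111111111111:certificate-authority/"
          "12345678-1234-1234-1234-123456789012")
SAMPLE_OPENSSL_TEXT = """Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            3d:29:5f:56:91:63:7e:57:7f:3c:19:2a:cd:79:d4:01
        Signature Algorithm: sha256WithRSAEncryption
"""
SAMPLE_AUDIT_REPORT = json.dumps([
    {"awsAccountId": "111111111111",
     "certificateArn": CA_ARN + "/certificate/3d295f5691637e577f3c192acd79d401",
     "serial": "3d:29:5f:56:91:63:7e:57:7f:3c:19:2a:cd:79:d4:01",
     "subject": "CN=revoked.example.internal",
     "notBefore": "2021-01-01T00:00:00+0000", "notAfter": "2022-01-01T00:00:00+0000",
     "issuedAt": "2021-01-01T00:10:00+0000",
     "revokedAt": "2021-01-30T15:24:55+0000", "revocationReason": "KEY_COMPROMISE",
     "templateArn": "arn:aws:acm-pca:::template/EndEntityCertificate/V1"},
    {"awsAccountId": "111111111111",
     "certificateArn": CA_ARN + "/certificate/0a0b0c",
     "serial": "0a:0b:0c", "subject": "CN=live.example.internal",
     "notBefore": "2021-01-01T00:00:00+0000", "notAfter": "2022-01-01T00:00:00+0000",
     "issuedAt": "2021-01-01T00:12:00+0000",
     "templateArn": "arn:aws:acm-pca:::template/EndEntityCertificate/V1"},
])


def normalize_serial(serial: str) -> str:
    """Canonical form: lowercase hex pairs joined by colons.

    Accepts the colon form printed by `openssl x509 -text` and by
    `aws acm describe-certificate` ("3d:29:..."), bare hex ("3D295F..."),
    and the "<decimal> (0x<hex>)" form openssl uses for short serials.
    """
    m = re.search(r"0x([0-9a-fA-F]+)", serial)
    hexdigits = m.group(1) if m else re.sub(r"[^0-9a-fA-F]", "", serial)
    if not hexdigits:
        raise ValueError(f"no hex digits in serial {serial!r}")
    if len(hexdigits) % 2:
        hexdigits = "0" + hexdigits
    hexdigits = hexdigits.lower()
    return ":".join(hexdigits[i:i + 2] for i in range(0, len(hexdigits), 2))


def serial_from_openssl_text(text: str) -> str:
    """Extract the serial from `openssl x509 -in cert.pem -noout -text` output.

    OpenSSL prints long serials on the line after "Serial Number:" and short
    ones on the same line; both layouts are handled.
    """
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if "Serial Number:" in line:
            rest = line.split("Serial Number:", 1)[1].strip()
            if not rest and i + 1 < len(lines):
                rest = lines[i + 1].strip()
            return normalize_serial(rest)
    raise ValueError("no 'Serial Number:' line in openssl output")


def revoke_command(ca_arn: str, serial: str, reason: str) -> list:
    """Build the argv for step 3; rejects reasons the API does not accept."""
    if reason not in REVOCATION_REASONS:
        raise ValueError(f"invalid revocation reason {reason!r}")
    return ["aws", "acm-pca", "revoke-certificate",
            "--certificate-authority-arn", ca_arn,
            "--certificate-serial", normalize_serial(serial),
            "--revocation-reason", reason]


def find_revocation(report_json: str, serial: str) -> Optional[dict]:
    """Return the audit-report record for `serial` if it carries revokedAt.

    Records for certificates that are still valid have no revokedAt key,
    so None means "not revoked (or not issued by this CA)".
    """
    want = normalize_serial(serial)
    for rec in json.loads(report_json):
        rec_serial = rec.get("serial")
        if rec_serial and normalize_serial(rec_serial) == want and rec.get("revokedAt"):
            return rec
    return None


if __name__ == "__main__":
    serial = serial_from_openssl_text(SAMPLE_OPENSSL_TEXT)
    print(" ".join(revoke_command(CA_ARN, serial, "KEY_COMPROMISE")))
    print(find_revocation(SAMPLE_AUDIT_REPORT, serial))
```

To use it against a real CA, feed `serial_from_openssl_text` the output of the openssl command from step 2 (or pass the Serial value from `describe-certificate` straight to `revoke_command`), run the returned argv with `subprocess.run(..., check=True)`, then pass the downloaded audit report file's contents to `find_revocation`; a `None` result for a serial you just revoked means the revocation has not been recorded yet and the report should be regenerated.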
Create an audit report using the AWS Management Console
Follow the instructions to create an audit report using the AWS Management Console.
For more information, see Revoking a private certificate.
Related information
ACM Private CA best practices