How do I resolve errors when a private CA issues a new certificate?


I tried to request a new private end-entity certificate or subordinate certificate authority (CA) for AWS Private Certificate Authority, and the request failed.

Short description

To troubleshoot failed private CA certificate requests, check the following variables:

  • The pathLenConstraint parameter of the private CA
  • The status of the private CA
  • The signing algorithm family of the private CA
  • The validity period of the requested certificate
  • The AWS Identity and Access Management (IAM) permissions
  • The AWS account
  • The AWS Private CA exception error messages

Resolution

The pathLenConstraint parameter of the private CA

When the subordinate CA's path length is greater than or equal to the issuing private CA's path length, you receive the following error message:

"Path length check failed for CA"

To resolve this issue, create a pathLenConstraint for the subordinate CA that's less than the path length of the private CA. For more information, see Plan the structure of a CA hierarchy.

The status of the private CA

If you used the IssueCertificate API to issue a new private CA certificate with an expired or deleted private CA, then you receive the following error:

"An error occurred (InvalidStateException) when calling the IssueCertificate operation: The certificate authority is not in a valid state for issuing certificates"

If the signing CA is deleted, then you can still restore the private CA within the 7-30 day restoration period. If the restoration period has passed, then the private CA is permanently deleted and you can't restore it.

If the signing CA is expired, then reissue the CA with a new expiration date or replace the expired CA. It's a best practice to replace an expired CA with a new CA. To replace the expired CA, create a new CA and then chain it to the same parent CA. For more information, see Manage CA succession.

The signing algorithm family of the private CA

The signing algorithm that you specify in the request must belong to the same family (RSA or ECDSA) as the CA's private key. For example, a CA with an RSA key can't sign with an ECDSA signing algorithm. For more information, see Supported cryptographic algorithms in AWS Private CA.

The validity period of the requested certificate

Private end-entity certificates that AWS Certificate Manager (ACM) issues and manages are valid for 13 months (395 days). When the validity period of the parent CA is less than 13 months, private end-entity certificate requests that are issued from the ACM console fail. You receive the following error message:

"The signing certificate for the CA you specified in the request has expired."

Note: ACM can't issue certificates signed by a private CA with short-lived mode.

If the validity period of the signing certificate is less than 13 months, then use the IssueCertificate API to specify a custom validity period.

When AWS Private CA tries to issue a certificate with a validity period that's greater than the parent CA's validity period, you receive the following error message:

"An error occurred (ValidationException) when calling the IssueCertificate operation: The certificate validity specified exceeds the certificate authority validity"

To resolve this issue, make the validity period of the end-entity certificate or child CA certificate shorter than or equal to the validity period of the parent CA.

For more information, see Update a private CA in AWS Private CA.
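The path length, CA status, signing algorithm family and validity checks described in the sections above can be run locally before you call IssueCertificate. The following pre-flight check is an added example and not AWS code: the CA and request dictionaries, their field names and the preflight function are assumptions for illustration, while the SigningAlgorithm and KeyAlgorithm strings are the values that the IssueCertificate and CreateCertificateAuthority APIs accept.

```python
from datetime import datetime, timedelta, timezone

# Values of IssueCertificate's SigningAlgorithm parameter, grouped by key family.
RSA_SIGNING = {"SHA256WITHRSA", "SHA384WITHRSA", "SHA512WITHRSA"}
EC_SIGNING = {"SHA256WITHECDSA", "SHA384WITHECDSA", "SHA512WITHECDSA"}
ACM_MANAGED_DAYS = 395  # ACM-managed private certificates always request 13 months

# Constructed sample: a signing CA described by the fields the checks below need.
SAMPLE_NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)
SAMPLE_CA = {
    "status": "ACTIVE",            # DELETED or EXPIRED CAs raise InvalidStateException
    "key_algorithm": "RSA_2048",   # KeyAlgorithm of the CA's private key
    "path_len": 1,                 # pathLenConstraint; None means unconstrained
    "not_after": SAMPLE_NOW + timedelta(days=400),  # NotAfter of the CA's own cert
}
# Constructed sample: the same CA with only 90 days of lifetime left.
SHORT_LIVED_CA = dict(SAMPLE_CA, not_after=SAMPLE_NOW + timedelta(days=90))


def preflight(ca, request, now):
    """Return the problems that would make an IssueCertificate call fail.
    request keys: signing_algorithm, validity_days, optional path_len (for a
    subordinate CA request) and optional via_acm (for an ACM console request)."""
    problems = []

    # 1. The CA must be ACTIVE and its own certificate must still be valid.
    if ca["status"] != "ACTIVE":
        problems.append(f"CA status is {ca['status']}: not in a valid state for issuing")
    elif ca["not_after"] <= now:
        problems.append("signing certificate for the CA has expired")

    # 2. The signing algorithm family must match the CA key family (RSA vs EC).
    alg = request["signing_algorithm"]
    family = RSA_SIGNING if ca["key_algorithm"].startswith("RSA") else EC_SIGNING
    if alg not in family:
        problems.append(f"{alg} does not match CA key algorithm {ca['key_algorithm']}")

    # 3. ACM console requests are fixed at 395 days; otherwise use the requested validity.
    days = ACM_MANAGED_DAYS if request.get("via_acm") else request["validity_days"]
    if now + timedelta(days=days) > ca["not_after"]:
        problems.append(f"certificate validity of {days} days exceeds the CA validity")

    # 4. A subordinate CA's pathLenConstraint must be strictly less than the parent's.
    if request.get("path_len") is not None and ca["path_len"] is not None:
        if request["path_len"] >= ca["path_len"]:
            problems.append("path length check failed for CA")
    return problems
```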

IAM permissions

To make IssueCertificate and RequestCertificate API calls, grant the IAM identity that requests private CA certificates the required permissions. Otherwise, the request fails with an AccessDenied error. It's a best practice to apply least-privilege permissions. For more information, see IAM for AWS Private CA.

AWS Account

When you request a certificate from a private CA that another AWS account owns, you receive an error message similar to the following one:

"An error occurred (AccessDeniedException) when calling IssueCertificate because no resource-based policy allows the acm-pca:IssueCertificate action"

To resolve this issue, attach a resource-based policy to the private CA that allows the requesting account to call acm-pca:IssueCertificate. You can also use AWS Resource Access Manager (AWS RAM) to share an ACM Private CA with another account. For more information, see How do I share my ACM Private CA with another AWS account?

AWS Private CA exception error messages

AWS Private CA might return exception errors for several reasons. To troubleshoot AWS Private CA exception errors, see Troubleshoot AWS Private CA exception messages.

Related information

How do I create a CRL for my AWS Private CA?

How do I install AWS Private CA root and subordinate CAs in different accounts or AWS Regions?

AWS OFFICIAL
Updated 2 months ago

2 Comments

Unfortunately, Terraform AWS provider has a bug that prevents using shared PCAs across AWS accounts to issue certificates. There is a PR with the fix, which needs attention from Hashicorp maintainers: https://github.com/hashicorp/terraform-provider-aws/pull/39952

replied 3 months ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS MODERATOR
replied 3 months ago