client cert creation ACM PCA issue-certificate vs AWS IoT issue create-certificate-from-csr


Goal: Create a client certificate based on a CSR request

Our device is capable of generating a self-signed cert and can return the CSR for the certificate as a base64-encoded DER blob.

With the CSR (base64-encoded DER blob), we are able to successfully generate the client certificate using the AWS IoT API as below and use it to connect to the AWS MQTT test client:

aws iot create-certificate-from-csr --certificate-signing-request=file://certificate.csr

But if we use the same CSR (base64-encoded DER blob) with the AWS ACM PCA API as below, we get a CSR validation error:

aws acm-pca issue-certificate --certificate-authority-arn "arn:aws:acm-pca:us-east-..." --csr file://certificate.csr --signing-algorithm SHA384WITHECDSA --template-arn arn:aws:acm-pca:::template/EndEntityCertificate/V1 --validity Value=9,Type="YEARS" --idempotency-token 1234

From my understanding, AWS ACM PCA, in issue-certificate API call, expects the CSR to be in format

  • Why is there such a difference between AWS's own services?
  • What's the standard and recommended way so that we do not have 2 different formats across services?
  • Is there any configuration on AWS IoT/PCA services to make them respond similarly?
2 Answers


We get the same error even with the option you suggested, with AWS CLI version 2.9. Any other suggestions?

Regards, Sriram

answered a year ago
  • Can you provide the exact error message that you get?

  • error occurred (ValidationException) when calling the IssueCertificate operation: 1 validation error detected: Value at 'csr' failed to satisfy constraint: Member must satisfy regular expression pattern: -----BEGIN CERTIFICATE REQUEST-----\r?\n([A-Za-z0-9/+]{64}\r?\n)*[A-Za-z0-9/+]{1,64}={0,2}\r?\n-----END CERTIFICATE REQUEST-----(\r?\n)?.

    As mentioned in my original question, the CSR content sent to either API call is the same, but one throws a validation error and the other doesn't.

  • Can you try fileb://... instead of file://...?

  • We already tried that, with a similar response. We believe the issue is with expecting the line length to be of size 64? We referred to the issue discussion while trying that.

  • Can you share the (openssl) commands to create the key pair and csr? (Not the content of your files).


Hi bsriramprasad,

Are you using the AWS CLI version 2? If yes, try to add --cli-binary-format raw-in-base64-out to your command to issue the certificate.


answered a year ago
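
The pattern in the ValidationException quoted in the comments above requires PEM armor around base64 lines of exactly 64 characters (the last line may be shorter). The following is an added example, not code from the thread or from AWS: it re-wraps a bare base64 DER blob into that shape and checks the result against the quoted pattern. The function names and the sample bytes are assumptions constructed for illustration, not a real CSR.

```python
import base64
import re

# Pattern copied from the ValidationException text quoted in the thread.
PCA_CSR_PATTERN = re.compile(
    r"-----BEGIN CERTIFICATE REQUEST-----\r?\n"
    r"([A-Za-z0-9/+]{64}\r?\n)*[A-Za-z0-9/+]{1,64}={0,2}\r?\n"
    r"-----END CERTIFICATE REQUEST-----(\r?\n)?"
)

def matches_pca_pattern(text: str) -> bool:
    """True if the whole text satisfies the pattern from the error message."""
    return PCA_CSR_PATTERN.fullmatch(text) is not None

def to_pem_csr(blob: str) -> str:
    """Normalise a CSR given as bare base64 DER, or loosely wrapped PEM, to strict PEM."""
    # Drop any existing armor lines, then all whitespace, leaving only base64 text.
    body = re.sub(r"-----(BEGIN|END)[^-]*-----", "", blob)
    body = "".join(body.split())
    der = base64.b64decode(body, validate=True)  # raises on non-base64 input
    if not der or der[0] != 0x30:  # a CSR is a DER SEQUENCE (tag 0x30)
        raise ValueError("decoded data is not a DER SEQUENCE")
    # Re-encode so padding is canonical, then wrap at 64 characters per line.
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN CERTIFICATE REQUEST-----\n"
            + "\n".join(lines)
            + "\n-----END CERTIFICATE REQUEST-----\n")

# Constructed sample: DER-looking bytes, not a real CSR.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(range(256))
# What the device is described as returning: one unwrapped base64 line.
SAMPLE_BLOB = base64.b64encode(SAMPLE_DER).decode("ascii")

if __name__ == "__main__":
    print("bare blob matches pattern:", matches_pca_pattern(SAMPLE_BLOB))
    pem = to_pem_csr(SAMPLE_BLOB)
    print("normalised PEM matches pattern:", matches_pca_pattern(pem))
    print(pem)
```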
