Remove ACM Certificate used for deleted VPN connection



I have deleted a VPN connection which was established by using ACM private certificates, but I cannot delete the certificates used for this connection:

Command: aws acm delete-certificate --certificate-arn arn:aws:acm:eu-central-1:41xxxxxxxx39:certificate/7ef2226a-515b-4f90-aca7-72fefddb9a86

Output: An error occurred (ResourceInUseException) when calling the DeleteCertificate operation: Certificate...

In the documentation it is mentioned as follows:

"For certificate-based authentication, delete all Certificate Manager (ACM) private certificates used for the Amazon Web Services-side tunnel endpoints for the VPN connection before deleting the VPN connection."

" You cannot delete an ACM certificate that is being used by another Amazon Web Services service. To delete a certificate that is in use, the certificate association must first be removed."

So far I understand my mistake, but I am not able to remove this certificate association via WebUI or CLI.

The list-certificates call gives output as follows: "CertificateArn": "arn:aws:acm:eu-central-1:41xxxxxxxx39:certificate/7ef2226a-515b-4f90-aca7-72fefddb9a86", "DomainName": "vpn-0ea809fb052c8c149.endpoint-0"

Where DomainName is the certificate association, which I have to delete first (I guess) in order to delete the certificate, but I didn't find a way to do this.

Can you help me to sort this problem out?

Kind Regards

asked 2 years ago, 495 views
2 Answers

If you look at your AWS console please navigate to VPC -> Virtual Private Network (VPN) -> Site-to-Site VPN Connections. The error message points to a connection with the ID vpn-0ea809fb052c8c149 which is still defined there.

If you can find it you have the possibility to select it and use different certificates via the menu entry Actions -> Modify Tunnel certificate. The certificate vpn-0ea809fb052c8c149.endpoint-0 indicates that it is the first tunnel in use.

Theoretically the certificate can also be assigned on a different service by mistake. Can you try to get the full error message? If you navigate to AWS Certificate Manager -> Certificates and select the certificate in question you will see the Associated Resources section, which will point you to the right direction.

If you can't find any VPN connections defined I would recommend opening a support ticket to have the case investigated.

answered 2 years ago
  • Hi Andreas,

    yes, there isn't any VPN connection defined, as I have deleted it. It is just ACM which is still claiming it is there. It was my mistake, because I deleted it and later I saw that certificates have to be deleted previously, which led to my current problem. The full error message is: An error occurred (ResourceInUseException) when calling the DeleteCertificate operation: Certificate arn:aws:acm:eu-central-1:411581576539:certificate/7ef2226a-515b-4f90-aca7-72fefddb9a86 in account 41xxxxxxxx39 is in use.

    The VPN connection has been deleted but still shows up in ACM as associated resource.

    Thank you


Hi Ian,

I'm sorry but in this case I can only recommend that you open a support request. The service team will be able to remove this association and you can delete the certificate afterwards.

answered 2 years ago
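The two answers above boil down to a decision: if the VPN connection that holds the certificate still exists, swap the tunnel certificate via Actions -> Modify Tunnel certificate and then delete; if ACM's association points at a connection that is already gone, only AWS Support can clear it. The following script is an added example, not code from this thread or from AWS. It works on saved output of `aws acm describe-certificate` (whose `Certificate.InUseBy` list is where ACM records the association, independent of the `DomainName` the VPN service chose) and `aws ec2 describe-vpn-connections`, and tells you which of the two situations you are in before you try `delete-certificate` again. The JSON documents, account id, certificate id, VPN id and the exact ARN form of the VPN resource are constructed placeholders for the example.

```python
"""Classify the resources an ACM certificate is associated with.

Added example (not from the re:Post thread). Reads the JSON produced by
    aws acm describe-certificate --certificate-arn <arn>
    aws ec2 describe-vpn-connections
and reports whether each VPN association is still live or stale.
"""
import json
import re

# Constructed sample of describe-certificate output. Account id,
# certificate id, VPN id and the ARN format in InUseBy are placeholders.
DESCRIBE_CERTIFICATE_JSON = """
{
  "Certificate": {
    "CertificateArn": "arn:aws:acm:eu-central-1:111122223333:certificate/00000000-0000-0000-0000-000000000000",
    "DomainName": "vpn-0123456789abcdef0.endpoint-0",
    "Type": "PRIVATE",
    "InUseBy": [
      "arn:aws:ec2:eu-central-1:111122223333:vpn-connection/vpn-0123456789abcdef0"
    ]
  }
}
"""

# Constructed sample of describe-vpn-connections output: the connection
# the certificate was issued for has been deleted, so the list is empty.
DESCRIBE_VPN_CONNECTIONS_JSON = """
{ "VpnConnections": [] }
"""

VPN_ID_RE = re.compile(r"\bvpn-[0-9a-f]{8,17}\b")
DOMAIN_RE = re.compile(r"^(vpn-[0-9a-f]{8,17})\.endpoint-(\d+)$")


def parse_vpn_domain_name(domain_name):
    """Split 'vpn-xxx.endpoint-N' into (vpn_id, tunnel_index); None otherwise.

    endpoint-0 is the first tunnel, endpoint-1 the second.
    """
    m = DOMAIN_RE.match(domain_name)
    if not m:
        return None
    return m.group(1), int(m.group(2))


def existing_vpn_ids(vpn_doc):
    """Ids of VPN connections that still exist.

    A recently deleted connection can linger in describe-vpn-connections
    with State 'deleted'; treat those as gone.
    """
    conns = json.loads(vpn_doc)["VpnConnections"]
    return {c["VpnConnectionId"] for c in conns
            if c.get("State") not in ("deleted", "deleting")}


def classify_associations(cert_doc, vpn_doc):
    """Sort InUseBy ARNs into live VPN, stale VPN and non-VPN holders."""
    cert = json.loads(cert_doc)["Certificate"]
    in_use_by = cert.get("InUseBy", [])
    alive = existing_vpn_ids(vpn_doc)
    live, stale, other = [], [], []
    for arn in in_use_by:
        m = VPN_ID_RE.search(arn)
        if not m:
            other.append(arn)          # held by some other AWS service
        elif m.group(0) in alive:
            live.append(arn)           # connection exists: modify tunnel cert
        else:
            stale.append(arn)          # connection gone: support case needed
    if not in_use_by:
        action = "no association: delete-certificate should succeed"
    elif other:
        action = "held by a non-VPN resource: release it there first"
    elif live:
        action = "VPN connection exists: Modify Tunnel certificate, then delete"
    else:
        action = "association points at a deleted VPN connection: open a support case"
    return {"live": live, "stale": stale, "other": other, "action": action}


if __name__ == "__main__":
    print(parse_vpn_domain_name(
        json.loads(DESCRIBE_CERTIFICATE_JSON)["Certificate"]["DomainName"]))
    print(json.dumps(classify_associations(
        DESCRIBE_CERTIFICATE_JSON, DESCRIBE_VPN_CONNECTIONS_JSON), indent=2))
```

To use it against a real account, save the two CLI outputs to files and pass their contents to `classify_associations`; the `DomainName` parser only tells you which tunnel the certificate was issued for, while `InUseBy` is what blocks the delete.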
