Select your cookie preferences

We use essential cookies and similar tools that are necessary to provide our site and services. We use performance cookies to collect anonymous statistics, so we can understand how customers use our site and make improvements. Essential cookies cannot be deactivated, but you can choose “Customize” or “Decline” to decline performance cookies.

If you agree, AWS and approved third parties will also use cookies to provide useful site features, remember your preferences, and display relevant content, including relevant advertising. To accept or decline all non-essential cookies, choose “Accept” or “Decline.” To make more detailed choices, choose “Customize.”

Preferences
Contact Us
Feedback
AWS Documentation
Create an AWS Account

Handling exceptions

PDF
RSS
Focus mode
Handling exceptions - AWS Certificate Manager
Private certificate exception handling

An AWS Certificate Manager command might fail for several reasons. For information about each exception, see the table below.

Private certificate exception handling

The following exceptions can occur when you attempt to renew a private PKI certificate issued by AWS Private CA.

Note

AWS Private CA is not supported in the China (Beijing) Region and the China (Ningxia) Region.

ACM failure code

Comment

PCA_ACCESS_DENIED

The private CA has not granted ACM permissions. This triggers a AWS Private CA AccessDeniedException failure code.

To remedy the problem, grant the necessary permissions to the ACM service principal using the AWS Private CA CreatePermission operation.

PCA_INVALID_DURATION

The validity period of the requested certificate exceeds the validity period of the issuing private CA. This triggers a AWS Private CA ValidationException failure code.

To remedy the problem, install a new CA certificate with an appropriate validity period.

PCA_INVALID_STATE

The private CA being called is not in the correct state to perform the requested ACM operation. This triggers a AWS Private CA InvalidStateException failure code.

Resolve the issue as follows:

  • If the CA has the status CREATING, wait for creation to finish and then install the CA certificate.

  • If the CA has status PENDING_CERTIFICATE, install the CA certificate.

  • If the CA has status DISABLED, update it to ACTIVE status.

  • If the CA has status DELETED, restore it.

  • If the CA has status EXPIRED, install a new certificate

  • If the CA has status FAILED, and you cannot resolve the issue, contact Support.

PCA_LIMIT_EXCEEDED

The private CA has reached an issuance quota. This triggers a AWS Private CA LimitExceededException failure code. Try repeating your request before proceeding with this help.

If the error persists, contact Support to request a quota increase.

PCA_REQUEST_FAILED

A network or system error occurred. This triggers a AWS Private CA RequestFailedException failure code. Try repeating your request before proceeding with this help.

If the error persists, contact Support.

PCA_RESOURCE_NOT_FOUND

The private CA has been permanently deleted. This triggers a AWS Private CA ResourceNotFoundException failure code. Verify that you used the correct ARN. If that fails, you won't be able to use this CA.

To remedy the problem, create a new CA.
SLR_NOT_FOUND In order to renew a certificate signed by a private CA that resides in another account, ACM requires a Service Linked Role (SLR) on the account where the certificate resides. If you need to recreate a deleted SLR, see Creating the SLR for ACM.

On this page

PrivacySite termsCookie preferences
© 2025, Amazon Web Services, Inc. or its affiliates. All rights reserved.