Understand AWS Private CA CA status - AWS Private Certificate Authority

Understand AWS Private CA CA status

The status of a CA that is managed by AWS Private CA results from a user action or, in some cases, from a service action. For example, a CA status changes when it expires. The status options available to CA administrators vary depending on the current status of the CA.

AWS Private CA can report the following status values. The table shows the CA capabilities available in each state.

Note

For all status values except DELETED and FAILED, you are billed for the CA.

Status | Issue certificates | Validate certs with OCSP | Generate CRLs | Generate audits | You can update the CA cert | Certificates can be revoked | You are billed for the CA
CREATING | No | No | No | No | No | No | Yes
PENDING_CERTIFICATE* | No | No | No | No | No | No | Yes
ACTIVE | Yes | Yes | Yes | Yes | Yes | Yes | Yes
DISABLED | No | Yes | Yes | Yes | No | Yes | Yes
EXPIRED** | No | No | No | No | Yes | No | Yes
FAILED | No | No | No | No | No | No | No
DELETED | No | No | No | No | No | No | No

Status descriptions:

CREATING – The CA is being created.

PENDING_CERTIFICATE – The CA has been created and needs a certificate to be operational.*

DISABLED – You have manually disabled the CA.

EXPIRED – The CA certificate has expired.**

FAILED – The CreateCertificateAuthority action failed. This can occur because of a network outage, backend AWS failure, or other errors. A failed CA cannot be recovered. Delete the CA and create a new one.

DELETED – Your CA is within the restoration period, which can have a length of 7-30 days. After this period, it is permanently deleted.

  • If you call the RestoreCertificateAuthority API on a CA with DELETED status and an expired certificate, the CA will be set to EXPIRED.

  • For more information about deleting a CA, see Delete your private CA.

* To complete activation, you need to generate a CSR, get a signed CA certificate from a CA, and import the certificate into AWS Private CA. The CSR can be submitted either to your new CA (for self-signing), or to an on-premises root or subordinate CA. For more information, see Installing the CA certificate.

** You cannot directly change the status of an expired CA. If you import a new certificate for the CA, AWS Private CA resets the status to ACTIVE unless it was set to DISABLED before the certificate expired.
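The activation steps for the self-signed root case, as an added Python example that is not part of the AWS documentation. It drives the boto3 acm-pca client through GetCertificateAuthorityCsr, IssueCertificate with the RootCACertificate/V1 template, GetCertificate and ImportCertificateAuthorityCertificate, then reads the status back; the client is passed in as a parameter so the same flow can be exercised offline against the constructed FakeAcmPca stand-in, whose ARN and PEM strings are placeholders. For a subordinate CA the CSR would instead go to the parent CA and the import would include the chain, which this example does not cover.

```python
"""Take an AWS Private CA root from PENDING_CERTIFICATE to ACTIVE by self-signing.

Added example, not code from the AWS documentation. Assumes the boto3
``acm-pca`` client API; ``FakeAcmPca`` is a constructed offline stand-in.
"""
import time

ROOT_TEMPLATE_ARN = "arn:aws:acm-pca:::template/RootCACertificate/V1"


def self_sign_and_install(client, ca_arn, validity_years=10, poll_seconds=2, max_polls=30):
    """Return the CA status after CSR -> self-signed cert -> import."""
    ca = client.describe_certificate_authority(CertificateAuthorityArn=ca_arn)["CertificateAuthority"]
    if ca["Status"] != "PENDING_CERTIFICATE":
        raise RuntimeError(f"CA is {ca['Status']}; self-signing only applies to PENDING_CERTIFICATE")

    # 1. The CSR the service generated for the CA's own key.
    csr = client.get_certificate_authority_csr(CertificateAuthorityArn=ca_arn)["Csr"]

    # 2. Let the new CA sign its own CSR with the root CA template.
    cert_arn = client.issue_certificate(
        CertificateAuthorityArn=ca_arn,
        Csr=csr.encode(),
        SigningAlgorithm="SHA256WITHRSA",
        TemplateArn=ROOT_TEMPLATE_ARN,
        Validity={"Value": validity_years, "Type": "YEARS"},
    )["CertificateArn"]

    # 3. Issuance is asynchronous: poll until GetCertificate stops reporting "in progress".
    cert_pem = None
    for _ in range(max_polls):
        try:
            cert_pem = client.get_certificate(CertificateAuthorityArn=ca_arn, CertificateArn=cert_arn)["Certificate"]
            break
        except client.exceptions.RequestInProgressException:
            time.sleep(poll_seconds)
    if cert_pem is None:
        raise TimeoutError("certificate was not issued within the polling budget")

    # 4. Install it as the CA certificate (no chain for a root); the status should flip to ACTIVE.
    client.import_certificate_authority_certificate(CertificateAuthorityArn=ca_arn, Certificate=cert_pem.encode())
    return client.describe_certificate_authority(CertificateAuthorityArn=ca_arn)["CertificateAuthority"]["Status"]


class FakeAcmPca:
    """Constructed offline stand-in for the boto3 acm-pca client (placeholder ARN and PEM)."""

    ARN = "arn:aws:acm-pca:us-east-1:111122223333:certificate-authority/00000000-0000-0000-0000-000000000000"

    class exceptions:  # mirrors client.exceptions on the real client
        class RequestInProgressException(Exception):
            pass

    def __init__(self):
        self.status = "PENDING_CERTIFICATE"
        self.calls = []
        self._in_progress_polls = 1  # first GetCertificate call reports the cert is still being issued

    def describe_certificate_authority(self, CertificateAuthorityArn):
        self.calls.append("describe")
        return {"CertificateAuthority": {"Arn": CertificateAuthorityArn, "Status": self.status}}

    def get_certificate_authority_csr(self, CertificateAuthorityArn):
        self.calls.append("get_csr")
        return {"Csr": "-----BEGIN CERTIFICATE REQUEST-----\nconstructed\n-----END CERTIFICATE REQUEST-----\n"}

    def issue_certificate(self, **kw):
        self.calls.append("issue")
        assert kw["TemplateArn"] == ROOT_TEMPLATE_ARN
        return {"CertificateArn": kw["CertificateAuthorityArn"] + "/certificate/constructed"}

    def get_certificate(self, CertificateAuthorityArn, CertificateArn):
        self.calls.append("get_cert")
        if self._in_progress_polls:
            self._in_progress_polls -= 1
            raise self.exceptions.RequestInProgressException("still issuing")
        return {"Certificate": "-----BEGIN CERTIFICATE-----\nconstructed\n-----END CERTIFICATE-----\n"}

    def import_certificate_authority_certificate(self, CertificateAuthorityArn, Certificate):
        self.calls.append("import")
        self.status = "ACTIVE"
        return {}


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # real run: python activate_root.py <ca-arn>
        import boto3
        print(self_sign_and_install(boto3.client("acm-pca"), sys.argv[1]))
    else:
        print(self_sign_and_install(FakeAcmPca(), FakeAcmPca.ARN, poll_seconds=0))
```

The status guard at the top matters: issuing against a CA that is not PENDING_CERTIFICATE either fails or, for an ACTIVE root, silently mints a second root certificate.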

Additional considerations about expired CA certificates:

  • CA certificates are not automatically renewed. For information about automating renewal through AWS Certificate Manager, see Assign certificate renewal permissions to ACM.

  • If you attempt to issue a new certificate with an expired CA, the IssueCertificate API returns InvalidStateException. An expired root CA must self-sign a new root CA certificate before it can issue new subordinate certificates.

  • The ListCertificateAuthorities and DescribeCertificateAuthority APIs return a status of EXPIRED if the CA certificate is expired, regardless of whether the CA status is set to ACTIVE or DISABLED. However, if the expired CA has been set to DELETED, the status returned is DELETED.

  • The UpdateCertificateAuthority API cannot update the status of an expired CA.

  • The RevokeCertificate API cannot be used to revoke any expired certificate, including a CA certificate.
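Because CA certificates are not renewed automatically and EXPIRED, DELETED and FAILED each need a different response, the practical check is a periodic triage of the CA records. The following is an added Python example, not code from the AWS documentation: it consumes the CertificateAuthority structure that DescribeCertificateAuthority and ListCertificateAuthorities return (only the Arn, Status, NotAfter and RestorableUntil fields are used), the SAMPLE_CAS records and the fixed NOW are constructed, and the 30-day warning window is an arbitrary choice.

```python
"""Triage AWS Private CA records by status and CA-certificate expiry.

Added example, not from the AWS documentation. Input records follow the
DescribeCertificateAuthority/ListCertificateAuthorities shape; SAMPLE_CAS
and NOW are constructed and the 30-day warning window is arbitrary.
"""
from datetime import datetime, timedelta, timezone

NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)  # fixed so the sample is reproducible


def _arn(suffix):
    return f"arn:aws:acm-pca:us-east-1:111122223333:certificate-authority/{suffix}"


SAMPLE_CAS = [
    {"Arn": _arn("ok"), "Status": "ACTIVE", "NotAfter": NOW + timedelta(days=400)},
    {"Arn": _arn("soon"), "Status": "ACTIVE", "NotAfter": NOW + timedelta(days=12)},
    {"Arn": _arn("disabled-soon"), "Status": "DISABLED", "NotAfter": NOW + timedelta(days=3)},
    {"Arn": _arn("expired"), "Status": "EXPIRED", "NotAfter": NOW - timedelta(days=1)},
    {"Arn": _arn("deleted"), "Status": "DELETED", "NotAfter": NOW + timedelta(days=900),
     "RestorableUntil": NOW + timedelta(days=5)},
    {"Arn": _arn("failed"), "Status": "FAILED"},
    {"Arn": _arn("pending"), "Status": "PENDING_CERTIFICATE"},
]

# Sort order for findings, most urgent first.
URGENCY = ["RECREATE", "RENEW_NOW", "RESTORE_OR_LOSE", "RENEW_SOON", "WAIT", "OK"]


def triage(ca, now=NOW, warn_days=30):
    """Return (arn, action, reason) for one CA record."""
    arn, status = ca["Arn"], ca["Status"]
    if status == "FAILED":
        return arn, "RECREATE", "CreateCertificateAuthority failed; a FAILED CA cannot be recovered"
    if status == "DELETED":
        days_left = (ca["RestorableUntil"] - now).days
        return arn, "RESTORE_OR_LOSE", f"permanently deleted in {days_left} days unless restored"
    if status == "EXPIRED":
        return arn, "RENEW_NOW", "CA certificate expired; IssueCertificate returns InvalidStateException"
    if status in ("ACTIVE", "DISABLED"):
        remaining = ca["NotAfter"] - now
        if remaining <= timedelta(0):
            # The service reports EXPIRED once NotAfter passes; this guards a stale cached record.
            return arn, "RENEW_NOW", "CA certificate NotAfter is in the past"
        if remaining <= timedelta(days=warn_days):
            return arn, "RENEW_SOON", f"{remaining.days} days to CA certificate expiry; not renewed automatically"
        return arn, "OK", f"{remaining.days} days to CA certificate expiry"
    # CREATING or PENDING_CERTIFICATE: billed, but cannot issue yet.
    return arn, "WAIT", f"{status}: CA cannot issue certificates yet"


def report(cas, now=NOW, warn_days=30):
    """Triage every CA and return the findings, most urgent first."""
    findings = [triage(ca, now, warn_days) for ca in cas]
    return sorted(findings, key=lambda f: URGENCY.index(f[1]))


if __name__ == "__main__":
    for arn, action, reason in report(SAMPLE_CAS):
        print(f"{action:16} {arn.rsplit('/', 1)[1]:14} {reason}")
```

In a real run the records come from paginating ListCertificateAuthorities (or from DescribeCertificateAuthority per ARN); DISABLED CAs are triaged the same way as ACTIVE ones because their certificate expires on the same clock and, per the footnote above, importing a new certificate leaves them DISABLED rather than ACTIVE.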

Relation between CA status and CA lifecycle

The following diagram illustrates the CA lifecycle as an interaction of management actions with CA status.

[Diagram: Interaction of CA management actions and status.]

Diagram key:

  • Dotted box – Management action

  • Parallelogram – CA status

  • Solid arrow – Action results in a state change

  • Dotted arrow – New state enables new action

At the top of the diagram, management actions are applied through the AWS Private CA console, CLI, or API. The actions take the CA through creation, activation, expiration and renewal. The CA status changes in response (as shown by the solid lines) to manual actions or automated updates. In most cases, a new status leads to a new possible action (shown by a dotted line) that the CA administrator can apply. The lower-right inset shows the possible status values permitting delete and restore actions.
