I want to delete an in-use AWS certificate in my AWS Certificate Manager. To do this, I am using the suggested AWS CLI with the following command:
aws iam delete-server-certificate --server-certificate-name <name>
The problem is, the certificate in question that I am trying to delete does not have a 'name', and there is no other flag that I can use to delete it, such as using its ID.
jake@serenity ~ $ aws iam list-server-certificates
{
"ServerCertificateMetadataList": []
}
Is there any way I can delete this certificate?
The command delete-server-certificate is for a different set of certificates -- IAM Server Certificates -- that predates ACM. So this is the wrong command for ACM certificates.
Use aws acm delete-certificate instead, after detaching the certificate from any associated resources (such as an ALB or ELB).
ACM Certificates can only be associated with Application Load Balancers, Elastic Load Balancers, or CloudFront Distributions. You can use the AWS CLI to list your resources and search the results for your ACM Cert's ARN.
Since you mentioned this was using ELB, we can go through the workflow for finding and removing the certificate on ELB. This example lists all of your load balancers, and finds the ones containing a listener that is using your certificate ARN:
aws elb describe-load-balancers --query "LoadBalancerDescriptions[? ListenerDescriptions [? Listener.SSLCertificateId =='ACMArnHere' ]]"
Once you find the associated resource, simply replace/detach the certificate, or just delete the resource if you're done with it. The easiest way to detach the certificate from an ELB is to delete the associated listener and recreate it later with a new or different certificate.
Here is an example where the HTTPS listener on the specified load balancer will be removed:
aws elb delete-load-balancer-listeners --load-balancer-name my-load-balancer --load-balancer-ports 443
aws acm list-certificates # List certificates to get ARN
aws acm delete-certificate --certificate-arn <value> # Delete certificate with ARN
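The detach-then-delete workflow from the answers above, as an added example that is not part of the original posts: it consumes the JSON that `aws elb describe-load-balancers` and `aws elbv2 describe-listeners` print, reports every listener still bound to the ACM certificate, and emits the detach commands that have to run before `aws acm delete-certificate` will succeed. The ARNs and load balancer names are constructed sample values, and the JSON is hand-written in the shape of the CLI output rather than captured from a real account.

```python
import json

# Constructed: the ACM certificate we want to delete (not a real ARN).
CERT_ARN = "arn:aws:acm:us-east-1:111122223333:certificate/EXAMPLE-cert-id"

# Constructed sample in the shape of `aws elb describe-load-balancers` (classic ELB).
# The second load balancer uses a legacy IAM server certificate, so it must not match.
ELB_JSON = '''{"LoadBalancerDescriptions": [
 {"LoadBalancerName": "my-load-balancer",
  "ListenerDescriptions": [
   {"Listener": {"Protocol": "HTTPS", "LoadBalancerPort": 443, "InstancePort": 80,
     "SSLCertificateId": "arn:aws:acm:us-east-1:111122223333:certificate/EXAMPLE-cert-id"}},
   {"Listener": {"Protocol": "HTTP", "LoadBalancerPort": 80, "InstancePort": 80}}]},
 {"LoadBalancerName": "other-lb",
  "ListenerDescriptions": [
   {"Listener": {"Protocol": "HTTPS", "LoadBalancerPort": 443, "InstancePort": 80,
     "SSLCertificateId": "arn:aws:iam::111122223333:server-certificate/legacy-iam-cert"}}]}]}'''

# Constructed sample in the shape of `aws elbv2 describe-listeners --load-balancer-arn ...` (ALB).
ELBV2_JSON = '''{"Listeners": [
 {"ListenerArn": "arn:aws:elasticloadbalancing:us-east-1:111122223333:listener/app/my-alb/abc/def",
  "Port": 443, "Protocol": "HTTPS",
  "Certificates": [{"CertificateArn": "arn:aws:acm:us-east-1:111122223333:certificate/EXAMPLE-cert-id"}]}]}'''


def elb_listeners_using(cert_arn, elb_output):
    """Classic ELB: (load balancer name, port) for every listener bound to cert_arn.
    Same filter as the JMESPath query in the answer, but also returns the port to detach."""
    hits = []
    for lb in json.loads(elb_output)["LoadBalancerDescriptions"]:
        for desc in lb["ListenerDescriptions"]:
            listener = desc["Listener"]
            if listener.get("SSLCertificateId") == cert_arn:
                hits.append((lb["LoadBalancerName"], listener["LoadBalancerPort"]))
    return hits


def elbv2_listeners_using(cert_arn, listeners_output):
    """ALB/NLB: listener ARNs whose certificate list includes cert_arn."""
    return [lst["ListenerArn"] for lst in json.loads(listeners_output)["Listeners"]
            if any(c.get("CertificateArn") == cert_arn for c in lst.get("Certificates", []))]


def detach_commands(cert_arn, elb_output, listeners_output):
    """The CLI commands to run before `aws acm delete-certificate --certificate-arn` can succeed."""
    cmds = [f"aws elb delete-load-balancer-listeners --load-balancer-name {name} --load-balancer-ports {port}"
            for name, port in elb_listeners_using(cert_arn, elb_output)]
    cmds += [f"aws elbv2 delete-listener --listener-arn {arn}"
             for arn in elbv2_listeners_using(cert_arn, listeners_output)]
    return cmds


if __name__ == "__main__":
    print("\n".join(detach_commands(CERT_ARN, ELB_JSON, ELBV2_JSON)))
```

An empty list from `detach_commands` means nothing on these two services still references the ARN; CloudFront distributions are checked separately via `aws cloudfront list-distributions`.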