Tags: amazon-web-services, ssl, aws-cli, aws-certificate-manager

AWS ACM Certificate Management Delete Certificate In Use


I want to delete an in-use AWS certificate in my AWS Certificate Manager. To do this, I am using the suggested AWS CLI with the following command:

aws iam delete-server-certificate --server-certificate-name <name>

The problem is, the certificate in question that I trying to delete does not have a 'name', and there is no other flag that I can use to delete it, such as using its ID.

jake@serenity ~ $ aws iam   list-server-certificates
{
    "ServerCertificateMetadataList": []
}

Is there any way I can delete this certificate?


Solution

  • The command delete-server-certificate is for a different set of certificates -- IAM Server Certificates -- that predates ACM. So this is the wrong command for ACM certificates.

    Use aws acm delete-certificate instead, after detaching the certificate from any associated resources (such as an ALB or ELB).

    Example: Find ELBs associated with your ACM Cert

    ACM Certificates can only be associated with Application Load Balancers, Elastic Load Balancers, or CloudFront Distributions. You can use the AWS CLI to list your resources and search the results for your ACM Cert's arn.

    Since you mentioned this was using ELB, we can go through the workflow for finding and removing the certificate on ELB. This example lists all of your load balancers, and finds the ones containing a listener that is using your certificate arn:

    aws elb describe-load-balancers --query "LoadBalancerDescriptions[? ListenerDescriptions [? Listener.SSLCertificateId =='ACMArnHere' ]]"
    

    Example: Remove certificate from ELB

    Once you find the associated resource, simply replace/detach the certificate, or just delete the resource if you're done with it. The easiest way to detach the certificate from an ELB is to delete the associated listener and recreate it later with a new or different certificate.

    Here is an example where the HTTPS listener on the specified load balancer will be removed:

    aws elb delete-load-balancer-listeners --load-balancer-name my-load-balancer --load-balancer-ports 443
    

    Example: List ACM Certs and delete cert by ARN

    aws acm list-certificates                             # List certificates to get ARN
    
    aws acm delete-certificate --certificate-arn <value>  # Delete certificate with ARN
    

    Further Reading
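The find-detach-delete workflow from the answer above, as an added helper that is not part of the original post. It assumes the JSON shapes returned by `aws acm describe-certificate` (its `InUseBy` list) and `aws elb describe-load-balancers`; the certificate ARN and load balancer data below are constructed samples, so the script runs offline, and `aws_json` is only needed for live use.

```python
"""Plan the teardown of an ACM certificate without cutting off live listeners.
Added example, not from the original post; the sample data is constructed."""
import json
import subprocess


def aws_json(*args):
    """Run an AWS CLI command and parse its JSON output (needs credentials; live use only)."""
    return json.loads(subprocess.check_output(["aws", *args, "--output", "json"]))


def in_use_by(describe_cert):
    """Resource ARNs that ACM itself still reports as consumers of the certificate."""
    return list(describe_cert["Certificate"].get("InUseBy", []))


def elb_listeners_using(describe_lbs, cert_arn):
    """(load balancer name, port) pairs of classic ELB listeners serving cert_arn.
    Same filter as the JMESPath query in the answer, done in Python."""
    hits = []
    for lb in describe_lbs["LoadBalancerDescriptions"]:
        for ld in lb["ListenerDescriptions"]:
            if ld["Listener"].get("SSLCertificateId") == cert_arn:
                hits.append((lb["LoadBalancerName"], ld["Listener"]["LoadBalancerPort"]))
    return hits


def plan(cert_arn, describe_cert, describe_lbs):
    """CLI commands to run, in order. The delete is only emitted once ACM reports no
    consumers; ACM would reject it anyway (ResourceInUseException), but checking first
    keeps the dangerous step out of the script until the listeners are really gone."""
    steps = [f"aws elb delete-load-balancer-listeners --load-balancer-name {name} "
             f"--load-balancer-ports {port}" for name, port in elb_listeners_using(describe_lbs, cert_arn)]
    consumers = in_use_by(describe_cert)
    if consumers and not steps:
        # Held by something other than a classic ELB listener (ALB, CloudFront, ...): handle by hand.
        steps.append("# still referenced by: " + ", ".join(consumers))
    if not consumers:
        steps.append(f"aws acm delete-certificate --certificate-arn {cert_arn}")
    return steps


# Constructed sample: one HTTPS listener on my-load-balancer uses the certificate.
CERT = "arn:aws:acm:us-east-1:123456789012:certificate/00000000-0000-0000-0000-000000000000"
SAMPLE_CERT = {"Certificate": {"CertificateArn": CERT, "InUseBy": [
    "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/my-load-balancer"]}}
SAMPLE_LBS = {"LoadBalancerDescriptions": [
    {"LoadBalancerName": "my-load-balancer", "ListenerDescriptions": [
        {"Listener": {"Protocol": "HTTP", "LoadBalancerPort": 80}},
        {"Listener": {"Protocol": "HTTPS", "LoadBalancerPort": 443, "SSLCertificateId": CERT}}]},
    {"LoadBalancerName": "other-lb", "ListenerDescriptions": [
        {"Listener": {"Protocol": "HTTP", "LoadBalancerPort": 80}}]}]}

if __name__ == "__main__":
    for step in plan(CERT, SAMPLE_CERT, SAMPLE_LBS):
        print(step)
```

Run it once to get the detach commands, run those, then run it again with fresh `describe-certificate` output to get the delete.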