I want to delete an in-use AWS certificate in my AWS Certificate Manager. To do this, I am using the suggested AWS CLI with the following command:
aws iam delete-server-certificate --server-certificate-name <name>
The problem is, the certificate in question that I am trying to delete does not have a 'name', and there is no other flag that I can use to delete it, such as using its ID.
jake@serenity ~ $ aws iam list-server-certificates
{
"ServerCertificateMetadataList": []
}
Is there any way I can delete this certificate?
To delete a certificate that is in use, you must first remove the certificate association. This is done using the console or CLI for the associated service. Open the ACM console at https://console.aws.amazon.com/acm/. In the list of certificates, select the check box for an ACM certificate, then choose Delete.
To remove the association of the ACM certificate with the CloudFront distribution or Application Load Balancer, you must replace the ACM certificate associated with the custom domain, or delete the custom domain.
Select the load balancer and choose Listeners. For the listener to update, choose View/edit certificates, which displays the default certificate followed by any other certificates that you've added to the listener. Choose the Remove certificates icon (the minus sign) in the menu bar.
The command delete-server-certificate is for a different set of certificates -- IAM Server Certificates -- that predates ACM. So this is the wrong command for ACM certificates.
Use aws acm delete-certificate instead, after detaching the certificate from any associated resources (such as an ALB or ELB).
ACM Certificates can only be associated with Application Load Balancers, Elastic Load Balancers, or CloudFront Distributions. You can use the AWS CLI to list your resources and search the results for your ACM Cert's arn.
Since you mentioned this was using ELB, we can go through the workflow for finding and removing the certificate on ELB. This example lists all of your load balancers, and finds the ones containing a listener that is using your certificate arn:
aws elb describe-load-balancers --query "LoadBalancerDescriptions[?ListenerDescriptions[?Listener.SSLCertificateId=='ACMArnHere']]"
Once you find the associated resource, simply replace/detach the certificate, or just delete the resource if you're done with it. The easiest way to detach the certificate from an ELB is to delete the associated listener and recreate it later with a new or different certificate.
Here is an example where the HTTPS listener on the specified load balancer will be removed:
aws elb delete-load-balancer-listeners --load-balancer-name my-load-balancer --load-balancer-ports 443
aws acm list-certificates # List certificates to get ARN
aws acm delete-certificate --certificate-arn <value> # Delete certificate with ARN
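The workflow in this answer (find the listeners holding the certificate, detach them, then delete the certificate) can be checked offline before any command is run. The Python below is an added example, not code from the original post or from AWS: it takes the JSON that the AWS CLI prints for aws elb describe-load-balancers, aws elbv2 describe-listeners and aws acm describe-certificate, and reports what still blocks deletion. All sample documents and ARNs in it are constructed placeholders; with real output you would load the CLI's --output json into the same functions. It goes slightly beyond the post by also covering ALB/NLB listeners and ACM's own InUseBy field, which is the authoritative check that delete-certificate will not be refused.

```python
"""Find what still holds an ACM certificate before running aws acm delete-certificate.

Added example, not from the original post. Operates on the JSON documents the AWS
CLI prints (e.g. `aws elb describe-load-balancers --output json`); the samples here
are constructed by hand and the ARNs are placeholders.
"""
import json

# Placeholder certificate ARN (constructed, not a real certificate).
CERT_ARN = "arn:aws:acm:us-east-1:123456789012:certificate/EXAMPLE-CERT-ID"

# Shaped like `aws elb describe-load-balancers` (classic ELB). Constructed sample.
ELB_SAMPLE = {
    "LoadBalancerDescriptions": [
        {
            "LoadBalancerName": "my-load-balancer",
            "ListenerDescriptions": [
                {"Listener": {"Protocol": "HTTP", "LoadBalancerPort": 80, "InstancePort": 80}},
                {"Listener": {"Protocol": "HTTPS", "LoadBalancerPort": 443, "InstancePort": 80,
                              "SSLCertificateId": CERT_ARN}},
            ],
        },
        {
            "LoadBalancerName": "other-lb",
            "ListenerDescriptions": [
                {"Listener": {"Protocol": "HTTPS", "LoadBalancerPort": 443, "InstancePort": 443,
                              "SSLCertificateId": "arn:aws:acm:us-east-1:123456789012:certificate/OTHER"}},
            ],
        },
    ]
}

# Shaped like `aws elbv2 describe-listeners --load-balancer-arn ...` (ALB/NLB). Constructed.
ALB_LISTENER_ARN = "arn:aws:elasticloadbalancing:us-east-1:123456789012:listener/app/my-alb/EXAMPLE/abc"
ELBV2_SAMPLE = {
    "Listeners": [
        {"ListenerArn": ALB_LISTENER_ARN, "Port": 443, "Protocol": "HTTPS",
         "Certificates": [{"CertificateArn": CERT_ARN, "IsDefault": True}]},
        {"ListenerArn": ALB_LISTENER_ARN.replace("/abc", "/def"), "Port": 80, "Protocol": "HTTP"},
    ]
}

# Shaped like `aws acm describe-certificate --certificate-arn ...`. Constructed.
ACM_SAMPLE = {"Certificate": {
    "CertificateArn": CERT_ARN,
    "InUseBy": ["arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/my-load-balancer"],
}}


def classic_elb_listeners_using(describe_output, cert_arn):
    """(load balancer name, port) for each classic ELB listener bound to cert_arn.

    Same selection as the answer's JMESPath filter, but it also returns the port,
    which is what `aws elb delete-load-balancer-listeners` needs.
    """
    hits = []
    for lb in describe_output.get("LoadBalancerDescriptions", []):
        for ld in lb.get("ListenerDescriptions", []):
            listener = ld.get("Listener", {})
            if listener.get("SSLCertificateId") == cert_arn:
                hits.append((lb["LoadBalancerName"], listener["LoadBalancerPort"]))
    return hits


def elbv2_listeners_using(describe_listeners_output, cert_arn):
    """Listener ARNs (ALB/NLB) whose default certificate is cert_arn."""
    return [
        lst["ListenerArn"]
        for lst in describe_listeners_output.get("Listeners", [])
        if any(c.get("CertificateArn") == cert_arn for c in lst.get("Certificates", []))
    ]


def safe_to_delete(describe_certificate_output):
    """ACM refuses delete-certificate while InUseBy is non-empty; True means clear."""
    return not describe_certificate_output["Certificate"].get("InUseBy")


def deletion_plan(cert_arn, elb_output, elbv2_outputs, acm_output):
    """Combine the three views into one summary of what blocks deletion."""
    plan = {
        "classic_elb": classic_elb_listeners_using(elb_output, cert_arn),
        "elbv2_listeners": [arn for out in elbv2_outputs for arn in elbv2_listeners_using(out, cert_arn)],
        "acm_in_use_by": list(acm_output["Certificate"].get("InUseBy", [])),
    }
    plan["blocked"] = bool(plan["classic_elb"] or plan["elbv2_listeners"] or plan["acm_in_use_by"])
    return plan


if __name__ == "__main__":
    print(json.dumps(deletion_plan(CERT_ARN, ELB_SAMPLE, [ELBV2_SAMPLE], ACM_SAMPLE), indent=2))
```

Run it against real output by loading each CLI document with json.load and calling deletion_plan; only when "blocked" is false (and InUseBy is empty) is the aws acm delete-certificate step from the answer expected to succeed. Two caveats: describe-listeners shows only a listener's default certificate, so additional SNI certificates on an ALB have to be listed separately (aws elbv2 describe-listener-certificates), and CloudFront distributions are not covered here, which is why the InUseBy list from ACM is the final word rather than the load balancer scans.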