I want to delete an in-use AWS certificate in my AWS Certificate Manager. To do this, I am using the suggested AWS CLI with the following command:

aws iam delete-server-certificate --server-certificate-name <name>

The problem is, the certificate in question that I am trying to delete does not have a 'name', and there is no other flag that I can use to delete it, such as using its ID.

jake@serenity ~ $ aws iam   list-server-certificates
{
    "ServerCertificateMetadataList": []
}

Is there any way I can delete this certificate?

djdavies7
  • Sanity check: Can you `aws iam list-server-certificates` and confirm that this certificate does not have a value for `ServerCertificateName`? – Anthony Neace Apr 03 '17 at 15:35
  • I had just edited my post to include this :-) Confirmation: in the management console, I *do* have a listed certificate, but not in the output of this command. – djdavies7 Apr 03 '17 at 15:37
  • Interesting. Can you confirm if this is a certificate in IAM, or in ACM? If it is in ACM, this is the wrong set of commands. Can you try `aws acm list-certificates` and see if it is present there? – Anthony Neace Apr 03 '17 at 15:38
  • I can confirm this is ACM. Running aws acm list-certificates returns a JSON response including values for CertificateArn and DomainName (nothing else). – djdavies7 Apr 03 '17 at 15:41

2 Answers

The command delete-server-certificate is for a different set of certificates -- IAM Server Certificates -- that predates ACM. So this is the wrong command for ACM certificates.

Use aws acm delete-certificate instead, after detaching the certificate from any associated resources (such as an ALB or ELB).

Example: Find ELBs associated with your ACM Cert

ACM Certificates can only be associated with Application Load Balancers, Elastic Load Balancers, or CloudFront Distributions. You can use the AWS CLI to list your resources and search the results for your ACM Cert's arn.

Since you mentioned this was using ELB, we can go through the workflow for finding and removing the certificate on ELB. This example lists all of your load balancers, and finds the ones containing a listener that is using your certificate arn:

aws elb describe-load-balancers --query "LoadBalancerDescriptions[? ListenerDescriptions [? Listener.SSLCertificateId =='ACMArnHere' ]]"

Example: Remove certificate from ELB

Once you find the associated resource, simply replace/detach the certificate, or just delete the resource if you're done with it. The easiest way to detach the certificate from an ELB is to delete the associated listener and recreate it later with a new or different certificate.

Here is an example where the HTTPS listener on the specified load balancer will be removed:

aws elb delete-load-balancer-listeners --load-balancer-name my-load-balancer --load-balancer-ports 443

Example: List ACM Certs and delete cert by ARN

aws acm list-certificates                             # List certificates to get ARN

aws acm delete-certificate --certificate-arn <value>  # Delete certificate with ARN

Anthony Neace
  • I have tried this, and for the flag I have used `aws acm delete-certificate --certificate-arn ` which tells me the certificate is in use (and does not delete it). – djdavies7 Apr 03 '17 at 15:46
  • @djdavies7 Detach this from any resources (ELB/ALB/etc.) that are using it first, and try again. – Anthony Neace Apr 03 '17 at 15:49
  • Apologies, I had updated it because of the misuse of IAM/ACM. I suggest you prefix the deletion command with `aws acm list-certificates` to get the ARN from ACM. – djdavies7 Apr 03 '17 at 15:51
  • @djdavies7 Updated answer. – Anthony Neace Apr 03 '17 at 16:00
  • It is detaching the association that I am struggling with. Could you point me in the right direction? – djdavies7 Apr 03 '17 at 16:01
  • @djdavies7 I'm not following -- are you saying you're not aware of which resources you attached your own cert to? If so, this is getting into a bit of a different question, but you would generally want to list your ELB/ALB/Cloudfront to look for your cert, and detach from there. Don't do this on something that is still in prod use, make sure everything is decommissioned on your end first. How to do that specifically depends on what type of resource it is attached to. – Anthony Neace Apr 03 '17 at 16:04
  • I am not entirely sure what resource (ELB/EC2 instance) this is attached to as 1. I did not create it and 2. the cert in ACM shows the ARN as an associated resource, but my ELB instance doesn't show an ARN at all for me to cross-reference them. The main problem I have is what is the process for removing the associated cert from my instance resource? The ACM delete-certificate documentation says "To delete a certificate that is in use, the certificate association must first be removed." OK, how do I go about removing the certificate association? – djdavies7 Apr 03 '17 at 16:12
  • @djdavies7 Gotcha. An ACM cert can only be attached to a Load Balancer (ELB/ALB) or Cloudfront distribution, so that simplifies it a bit by limiting what you need to search. I can point you in the right direction, will update answer in a moment. – Anthony Neace Apr 03 '17 at 16:17
  • @djdavies7 I've updated with examples for how to do this with ELB. – Anthony Neace Apr 03 '17 at 16:35
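As an added example (not code from Anthony Neace's answer or from AWS), the following Python applies the same check as the answer's --query filter to the JSON that `aws elb describe-load-balancers` returns, and extends it to an ALB listener's `aws elbv2 describe-listener-certificates` output, where the certificate is either the listener's default or an extra SNI certificate. All ARNs and load balancer names are constructed sample values.

```python
"""Locate the load-balancer listeners that reference an ACM certificate ARN.

Added example, not code from the original thread. It applies in Python the
test the answer writes as a JMESPath --query, over the JSON returned by
`aws elb describe-load-balancers` and `aws elbv2 describe-listener-certificates`.
All ARNs and names below are constructed sample data.
"""

def classic_elb_listeners_using(cert_arn, describe_lbs):
    """Return (LoadBalancerName, LoadBalancerPort) for every classic ELB
    listener whose SSLCertificateId equals cert_arn. Each hit is a listener
    to replace or delete (aws elb delete-load-balancer-listeners) before
    `aws acm delete-certificate` stops reporting the certificate as in use."""
    hits = []
    for lb in describe_lbs.get("LoadBalancerDescriptions", []):
        for desc in lb.get("ListenerDescriptions", []):
            listener = desc.get("Listener", {})
            # HTTP listeners carry no SSLCertificateId, so they never match.
            if listener.get("SSLCertificateId") == cert_arn:
                hits.append((lb["LoadBalancerName"], listener["LoadBalancerPort"]))
    return hits

def alb_certificate_role(cert_arn, listener_certs):
    """Classify how one ALB listener uses cert_arn, from the output of
    describe-listener-certificates: 'default' (the listener's primary
    certificate, which must be swapped for another one), 'sni' (an extra
    SNI certificate, which can be removed on its own), or None if absent."""
    for cert in listener_certs.get("Certificates", []):
        if cert.get("CertificateArn") == cert_arn:
            return "default" if cert.get("IsDefault") else "sni"
    return None

# Constructed sample data in the shape the two CLI commands return.
CERT = "arn:aws:acm:us-east-1:123456789012:certificate/11111111-2222-3333-4444-555555555555"
OTHER = "arn:aws:acm:us-east-1:123456789012:certificate/66666666-7777-8888-9999-000000000000"
SAMPLE_ELB = {"LoadBalancerDescriptions": [
    {"LoadBalancerName": "my-load-balancer", "ListenerDescriptions": [
        {"Listener": {"Protocol": "HTTP", "LoadBalancerPort": 80, "InstancePort": 80}},
        {"Listener": {"Protocol": "HTTPS", "LoadBalancerPort": 443, "InstancePort": 80,
                      "SSLCertificateId": CERT}}]},
    {"LoadBalancerName": "other-lb", "ListenerDescriptions": [
        {"Listener": {"Protocol": "HTTPS", "LoadBalancerPort": 443, "InstancePort": 80,
                      "SSLCertificateId": OTHER}}]}]}
SAMPLE_ALB_CERTS = {"Certificates": [{"CertificateArn": OTHER, "IsDefault": True},
                                     {"CertificateArn": CERT, "IsDefault": False}]}

if __name__ == "__main__":
    for name, port in classic_elb_listeners_using(CERT, SAMPLE_ELB):
        print(f"classic ELB {name}: HTTPS listener on port {port} uses the certificate")
    print("ALB listener role:", alb_certificate_role(CERT, SAMPLE_ALB_CERTS))  # sni
```

To run it against a real account, save the two commands' output with `--output json` and pass the parsed dicts in place of the sample data; the reported listeners are the associations that have to be removed before the ACM delete succeeds.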

You simply need to:

  1. Select your ELB.
  2. Select your HTTPS listener.
  3. Then select the Certificates tab; this will show the "Listener certificates for SNI".
  4. Remove the certificate ID.
  5. Go back to ACM and you'll be able to delete.
Agave