Retrieves a certificate from your private CA or one that has been shared with you. The ARN of the certificate is returned when you call the IssueCertificate action. You must specify both the ARN of your private CA and the ARN of the issued certificate when calling the GetCertificate action. You can retrieve the certificate if it is in the ISSUED state. You can call the CreateCertificateAuthorityAuditReport action to create a report that contains information about all of the certificates issued and revoked by your private CA.

Request Syntax

response = client.get_certificate(CertificateAuthorityArn='string', CertificateArn='string')

Parameters:

  • CertificateAuthorityArn (string) –


    The Amazon Resource Name (ARN) that was returned when you called CreateCertificateAuthority. This must be of the form:

    arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012

  • CertificateArn (string) –


    The ARN of the issued certificate. The ARN contains the certificate serial number and must be in the following form:


Return type: dict



Response Syntax

    {
        'Certificate': 'string',
        'CertificateChain': 'string'
    }

Response Structure

  • (dict) –

    • Certificate (string) –

      The base64 PEM-encoded certificate specified by the CertificateArn parameter.

    • CertificateChain (string) –

      The base64 PEM-encoded certificate chain that chains up to the root CA certificate that you used to sign your private CA certificate.
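
The following is an added example, not part of the original reference text. It waits for the ISSUED state using boto3's `certificate_issued` waiter (a real boto3 waiter that is not documented on this page), then splits the returned PEM strings and computes SHA-256 fingerprints that can be logged or compared with an expected trust anchor. `StubPcaClient`, `fake_pem` and the placeholder ARNs are hypothetical, constructed stand-ins so the code runs offline.

```python
import base64
import hashlib
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)


def pem_to_der_list(pem_text):
    """Split a PEM bundle into DER byte strings, preserving order."""
    return [base64.b64decode("".join(b.split())) for b in PEM_BLOCK.findall(pem_text)]


def fetch_issued_certificate(client, ca_arn, cert_arn):
    """Wait until the certificate is ISSUED, fetch it, fingerprint leaf and chain."""
    args = {"CertificateAuthorityArn": ca_arn, "CertificateArn": cert_arn}
    # The 'certificate_issued' waiter polls GetCertificate until it succeeds.
    client.get_waiter("certificate_issued").wait(**args)
    response = client.get_certificate(**args)
    leaf = pem_to_der_list(response["Certificate"])
    if len(leaf) != 1:
        raise ValueError("'Certificate' must hold exactly one PEM block")
    # Tolerate a missing or empty chain instead of raising KeyError.
    chain = pem_to_der_list(response.get("CertificateChain") or "")
    return {
        "leaf_sha256": hashlib.sha256(leaf[0]).hexdigest(),
        "chain_sha256": [hashlib.sha256(d).hexdigest() for d in chain],
    }


# --- Constructed stand-ins so the example runs offline (not real certificates) ---
def fake_pem(payload):
    body = base64.encodebytes(payload).decode()
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"


class StubPcaClient:
    """Hypothetical stub mimicking the two boto3 calls used above."""
    def get_waiter(self, name):
        return self
    def wait(self, **kwargs):
        return None
    def get_certificate(self, **kwargs):
        return {"Certificate": fake_pem(b"leaf-der"),
                "CertificateChain": fake_pem(b"sub-ca-der") + fake_pem(b"root-der")}


if __name__ == "__main__":
    # Placeholder ARNs; against AWS, pass boto3.client("acm-pca") instead of the stub.
    print(fetch_issued_certificate(StubPcaClient(), "<ca-arn>", "<certificate-arn>"))
```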