ACM / Client / export_certificate



Exports a private certificate issued by a private certificate authority (CA) for use anywhere. The exported file contains the certificate, the certificate chain, and the encrypted private 2048-bit RSA key associated with the public key that is embedded in the certificate. For security, you must assign a passphrase for the private key when exporting it.

For information about exporting and formatting a certificate using the ACM console or CLI, see Export a Private Certificate.

See also: AWS API Documentation

Request Syntax

response = client.export_certificate(
  • CertificateArn (string) –


    An Amazon Resource Name (ARN) of the issued certificate. This must be of the form:


  • Passphrase (bytes) –


    Passphrase to associate with the encrypted exported private key.


    When creating your passphrase, you can use any ASCII character except #, $, or %.

    If you want to later decrypt the private key, you must have the passphrase. You can use the following OpenSSL command to decrypt a private key. After entering the command, you are prompted for the passphrase.

    openssl rsa -in encrypted_key.pem -out decrypted_key.pem

Return type:



Response Syntax

    'Certificate': 'string',
    'CertificateChain': 'string',
    'PrivateKey': 'string'

Response Structure

  • (dict) –

    • Certificate (string) –

      The base64 PEM-encoded certificate.

    • CertificateChain (string) –

      The base64 PEM-encoded certificate chain. This does not include the certificate that you are exporting.

    • PrivateKey (string) –

      The encrypted private key associated with the public key in the certificate. The key is output in PKCS #8 format and is base64 PEM-encoded.