Newbie needs help: Tutorial "Vault as an Intermediate CA with AWS Certificate Manager as the Root CA" does not work for me

Hello :slight_smile: I am a newbie :slight_smile:

I am trying to follow tutorial

but it does not work for me.

I can create the CSR with Basic Constraint “CA: true” just fine, but when I try to run

aws acm-pca issue-certificate \
 --certificate-authority-arn ${AWS_CA_ARN} \
 --csr fileb://cert1.csr \
 --signing-algorithm "SHA256WITHRSA" \
 --validity Value=365,Type="DAYS" \
 --template-arn arn:aws:acm-pca:::template/SubordinateCACertificate_PathLen0/V1 \
 --region=eu-central-1

I get response

An error occurred (ValidationException) when calling the IssueCertificate operation: Path length check failed for CA 'arn:aws:acm-pca:eu-central-1:X:certificate-authority/X' and selected template 'arn:aws:acm-pca:::template/SubordinateCACertificate_PathLen0/V1'.

Since the CA cert at AWS is not a root cert itself but also an intermediate (the actual root CA cert is offline) i also tried to use template SubordinateCACertificate_PathLen1/V1 instead of SubordinateCACertificate_PathLen0/V1 but this leads to the same error message.

I did not find any further hints how to solve this issue when doing some googling so I try to ask here. Can somebody maybe point me in the right direction?

Thanks and best regards, Sebatian

Based on this and the error you quote, it sounds rather like this intermediate is constrained to not be able to issue further CA certificates itself.