# Troubleshoot issues with AWS Private Certificate Authority

Consult the following topics if you have problems using AWS Private Certificate Authority.

**Topics**
+ [Certificate revocation issues](troubleshoot-certificate-revocation.md)
+ [Exception messages](PCATsExceptions.md)
+ [Matter-compliant certificate errors](TroubleshootPcaMatter.md)

# Troubleshoot AWS Private CA certificate revocation issues

## OCSP response latency

OCSP responsiveness may be slower if the caller is geographically distant from a regional edge cache or from the Region of the issuing CA. For more information about regional edge cache availability, see [Global Edge Network](https://aws.amazon.com/cloudfront/details#Global_Edge_Network). We recommend issuing certificates in a Region near where they will be used.

## Revocation of self-signed certificates

You can't revoke a self-signed CA certificate. To functionally revoke the certificate, delete the CA.

# Troubleshoot AWS Private Certificate Authority exception messages

An AWS Private CA command might fail for several reasons. For information on each exception and recommendations for resolving them, see the table below.


**AWS Private CA Exceptions**  

|  Exception Returned by AWS Private CA  | Description | Remediation | 
| --- | --- | --- | 
|  <a name="AccessDeniedException"></a>`AccessDeniedException`  | The permissions required to use the given command have not been delegated by a private CA to the calling account. |  For information on delegating permissions in AWS Private CA, see [Assign certificate renewal permissions to ACM](assign-permissions.md#PcaPermissions).  | 
|  <a name="InvalidArgsException"></a>`InvalidArgsException`  | A certificate creation or renewal request was made with invalid parameters. | Check the command's individual documentation to make sure that your input parameters are valid. If you are creating a new certificate, make sure that the requested signing algorithm can be used with the CA's key type. | 
|  <a name="InvalidStateException"></a>`InvalidStateException`  | The associated private CA cannot renew the certificate because it is not in the ACTIVE state. | Attempt to [restore the private CA](PCARestoreCA.md). If the private CA is outside of its restoration period, the CA cannot be restored and the certificate cannot be renewed. | 
|  <a name="LimitExceededException"></a>`LimitExceededException`  | Each certificate authority (CA) has a quota of certificates that it can issue. The private CA that is associated with the designated certificate has reached its quota. For more information, see [Service Quotas](https://docs.aws.amazon.com/general/latest/gr/pca.html#limits_pca) in the AWS General Reference Guide. | Contact the [AWS Support Center](https://aws.amazon.com/premiumsupport/) to request a quota increase. | 
|  <a name="MalformedCSRException"></a>`MalformedCSRException`  | The certificate signing request (CSR) that was submitted to AWS Private CA cannot be verified or validated. | Confirm that your CSR was properly generated and configured.  | 
|  `OtherException`  | An internal error has caused the request to fail. | Attempt to run the command again. If the problem persists, contact the [AWS Support Center](https://aws.amazon.com/premiumsupport/). | 
|  <a name="RequestFailedException"></a>`RequestFailedException`  |  A networking problem in your AWS environment caused the request to fail.  |  Retry the request. If the failure persists, check your [Amazon Virtual Private Cloud (Amazon VPC) configuration](https://docs.aws.amazon.com/vpc/latest/userguide/what-is-amazon-vpc.html).  | 
|  <a name="ResourceNotFoundException"></a>`ResourceNotFoundException`  |  The private CA that issued the certificate was deleted and no longer exists.  |  Request a new certificate from another active CA.  | 
|  <a name="ThrottlingException"></a>`ThrottlingException`  | A requested API action failed because it exceeded a quota. |  Confirm that you are not issuing more calls than AWS Private CA allows. A `ThrottlingException` can also result from a transient condition rather than an exceeded quota, so if you have not been making calls in excess of the quota, try your request again. If you are running up against a quota, you may be able to request an increase. For more information, see [Service Quotas](https://docs.aws.amazon.com/general/latest/gr/pca.html#limits_pca) in the AWS General Reference Guide.  | 
|  <a name="ValidationException"></a>`ValidationException`  |  The request's input parameters were incorrectly formatted, or the validity period of the root certificate ends before the validity period of the requested certificate.  |  Check the syntax requirements of the command's input parameters as well as the validity period of your CA's root certificate. For information about changing the validity period, see [Update a private CA in AWS Private Certificate Authority](PCAUpdateCA.md).  | 

# Troubleshoot AWS Private CA Matter-compliant certificate errors

The [Matter connectivity standard](https://github.com/project-chip/connectedhomeip) specifies certificate configurations that improve the security and consistency of internet of things (IoT) devices. Java samples for creating Matter-compliant root CA, intermediate CA, and end-entity certificates can be found at [Use AWS Private CA to implement Matter certificates](API-CBR-intro.md).

To assist with troubleshooting, the Matter developers provide a certificate verification tool called [chip-cert](https://github.com/project-chip/connectedhomeip/tree/master/src/tools/chip-cert). Errors that the tool reports are listed in the following table with remediations.


| Error code | Meaning | Remediation | 
| --- | --- | --- | 
|  0x00000305   |  The `BasicConstraints`, `KeyUsage`, and `ExtendedKeyUsage` extensions must be marked critical.  | Ensure that you have selected the correct template for your use case. | 
|  0x00000050  |  The authority key identifier extension must be present.  | AWS Private CA does not set the authority key identifier extension on root certificates. You must generate a Base64-encoded AuthorityKeyIdentifier value from the CSR and then pass it through a [CustomExtension](https://docs.aws.amazon.com/privateca/latest/APIReference/API_CustomExtension.html). For more information, see [Activate a Root CA for Node Operational Certificates (NOC)](JavaApiCBC-ActivateRootCA.md) and [Activate a Product Attestation Authority (PAA)](JavaApiCBC-ProductAttestationAuthorityActivation.md). | 
| 0x0000004E | Certificate is expired. | Ensure that the certificate you use is unexpired. | 
| 0x00000014 | Certificate chain validation failure. |  This error may be encountered if you attempt to create a Matter-compliant end-entity certificate without using the provided [Java examples](API-CBR-intro.md), which use the AWS Private CA API to pass a properly configured `KeyUsage`. By default, AWS Private CA generates nine-bit `KeyUsage` extension values; the ninth bit forces a second content byte in the BIT STRING. Matter ignores that extra byte during format conversions, which causes chain-validation failures. A [CustomExtension](https://docs.aws.amazon.com/privateca/latest/APIReference/API_CustomExtension.html) in the `APIPassthrough` template can be used to set the exact number of bytes in the `KeyUsage` value. For an example, see [Create a Node Operational Certificate (NOC)](JavaApiCBC-NodeOperatingCertificate.md). If you modify the sample code or use an alternative X.509 utility such as OpenSSL, you need to verify the `KeyUsage` encoding manually in order to avoid chain validation errors.  | 
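The following Python is an added example, not AWS code and not the Java samples linked above. It shows the difference between the padded nine-bit `KeyUsage` BIT STRING described for error 0x00000014 and the minimal DER form, checks an encoded value for trailing padding (the manual verification needed for OpenSSL-generated certificates), and builds the `CustomExtension` payload (`ObjectIdentifier`, `Value`, `Critical`, per the API reference linked above) that pins the exact bytes when issuing through the `APIPassthrough` template. The flag sets used (digitalSignature for a NOC, keyCertSign plus cRLSign for a CA) are illustrative assumptions.

```python
import base64

# RFC 5280 KeyUsage bit positions; bit 0 is the most significant bit of byte 0.
KEY_USAGE_BITS = {
    "digitalSignature": 0, "nonRepudiation": 1, "keyEncipherment": 2,
    "dataEncipherment": 3, "keyAgreement": 4, "keyCertSign": 5,
    "cRLSign": 6, "encipherOnly": 7, "decipherOnly": 8,
}
KEY_USAGE_OID = "2.5.29.15"  # id-ce-keyUsage


def _bit_string(flags, nbits):
    """Encode flags as a DER BIT STRING (tag 0x03) holding exactly nbits bits."""
    nbytes = (nbits + 7) // 8
    content = bytearray(nbytes)
    for name in flags:
        pos = KEY_USAGE_BITS[name]
        content[pos // 8] |= 0x80 >> (pos % 8)
    unused = nbytes * 8 - nbits          # first content octet = count of unused bits
    body = bytes([unused]) + bytes(content)
    return bytes([0x03, len(body)]) + body


def der_key_usage(flags):
    """Minimal DER: the string ends at the highest set bit, so digitalSignature alone is one byte."""
    nbits = max((KEY_USAGE_BITS[f] for f in flags), default=-1) + 1
    return _bit_string(flags, nbits)


def nine_bit_key_usage(flags):
    """The padded nine-bit form: always two content bytes, the second one usually 0x00."""
    return _bit_string(flags, 9)


def is_minimal_key_usage(der):
    """True if an encoded KeyUsage carries no trailing zero bits (DER-minimal).

    Use this on the extension value pulled from a certificate made with another tool."""
    if len(der) < 3 or der[0] != 0x03 or der[1] != len(der) - 2:
        return False
    unused, content = der[2], der[3:]
    if not content:
        return unused == 0
    if unused > 7:
        return False
    return content[-1] & (1 << unused) != 0  # lowest used bit of last byte must be set


def key_usage_custom_extension(flags):
    """CustomExtension entry for ApiPassthrough.Extensions.CustomExtensions (Matter needs it critical)."""
    return {
        "ObjectIdentifier": KEY_USAGE_OID,
        "Value": base64.b64encode(der_key_usage(flags)).decode("ascii"),
        "Critical": True,
    }
```

Running `key_usage_custom_extension({"digitalSignature"})` yields the one-byte encoding `03 02 07 80` as `AwIHgA==`, whereas the padded form is `03 03 07 80 00`.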