Private CA Certificates in wrong format (extra tab)

[tedivm]

I have a PrivateCA which has a "RootCA" that is in my control and the "Intermediary CA" that is run on the AWS hardware (a pretty standard setup).

When running this command the output is (as expected) a certificate chain file-

aws acm-pca get-certificate  
  --certificate-authority-arn ""   
  --certificate-arn ""
   --output text > example.crt

The actual certificates themselves are fine, however there's an extra "tab" between the end of the first certificate and the start of the second one.

-----BEGIN CERTIFICATE-----
MIIFqDCCA5KgAwIBAgIRAL+jWvEn+XbyVX0EOUEISrYwCwYJKoZIhvcNAQELMHkx
~~truncated~~
DWnQAr/HgulUZ3J8
-----END CERTIFICATE-----
	-----BEGIN CERTIFICATE-----
MIIF/jCCA+agAwIBAgICEAQwDQYJKoZIhvcNAQELBQAwgaIxCzAJBgNVBAYTAlVT
~~truncated~~
AH2v4FTwHfLXYElaP1tTgxsKxBUHVY5M9bhTy9ju/bO121BNv3nLutw7GuG0vac8
6Is=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIGLDCCBBSgAwIBAgIJAL/pftR0fQM1MA0GCSqGSIb3DQEBCwUAMIGiMQswCQYD
~~truncated~~
2Q4jYfYtRqSrGTzOMn5Dq1A4DhGlFcCx5ZPgioZpb1mCe0Qsn1glYJECwuDK9P7i
-----END CERTIFICATE-----

This tab is consistently there with all of the certificates I sign and retrieve, and it breaks the certificate chain formatting. While this bug persists it's impossible to get a working chain file directly from the AWS CLI- instead the output has to be filtered to remove the random tab or applications like nginx will choke on the certificate chain.

[justnance]

@tedivm - Thanks for reaching out and for your patience. I am not able to reproduce this behavior under CLI version 1.16.21 through 1.16.24. Is this still an issue and what version is or was in use at the time. (aws --version). If you use the --debug option, there is a line starting with MainThread - botocore.parsers - DEBUG - Response body:.

Do you see any white space or an extra tab displayed after the Response body:, if so that is an indicator it is coming from the service and not the CLI.

[justnance]

@tedivm - I worked with our Premium Support Security team and we were able to reproduce the behavior you are seeing here. This behavior is expected when using --output text. As per our online documentation, the text format organizes the AWS CLI's output into tab-delimited lines which results in the tab when making a single call.

Another example that shows tabs is the following command:

aws kms list-keys --output text

Basically when text output is used and there are more than one Key Value pair in the JSON object, the results return a tab between the values. The CLI does not have any control over this behavior as it is only echoing the results from the API.

To eliminate the tab and still use text output, you may need to pull one value at a time as using JSON format would return invalid certificate format.

It might also be possible to use --query. similar to the following:

aws acm-pca get-certificate --certificate-authority-arn ARNHere --certificate-arn ARNHere --query 'Certificate' --output text

aws acm-pca get-certificate --certificate-authority-arn ARNHere --certificate-arn ARNHere --query 'CertificateChain' --output text

[tedivm]

Are you sure this is expected behavior? Literally all the documentation on this says that you're outputting a properly formatted PEM certificate chain-

This command outputs the base64 encoded PEM format certificate and the certificate chain.

https://docs.aws.amazon.com/acm-pca/latest/userguide/PcaGetCert.html

The example output on that page even shows a properly formatted (ie, no tabs) certificate chain.

This really seems like a bug. If it isn't then you should You should update the documentation to reflect that you are not actually outputting the proper PEM chain like you're advertising and displaying.

[tedivm]

Even with that "text output uses tab delimiters" this seems like a bug, as the tab it at the start of the line (not separating multiple fields), and there isn't a separate field available anyways.

[justnance]

@tedivm - Thank you for your feedback. The tab-delimited formatting is expected output for the CLI when using --output text. I have collaborated with our documentation writers to update and clarify the expected output and have escalated this issue to our ACM service team for review and improvement. Because this issue is not controlled by the CLI, follow up with the ACM service team can be done via the their forums or via a case with AWS Support.

[tedivm]

When is the documentation going to be updated? It's still showing it with no tab, and it's still claiming that it's outputting in PEM formatting despite you saying that it isn't the case.

[tedivm]

Here's a screenshot showing the claim that it follows PEM format, combined with the example showing no tab.

[tedivm]

I've gone ahead and opened a ticket on the forums- hopefully someone there will take this issue seriously.