You work in a large organization as an AWS engineer. You create a private Certificate Authority in ACM which is used by multiple teams. The certificates issued from the private CA are for different entities such as web servers, VPN users and internal API endpoints. You need to quickly manage these certificates and get the details including the ARN, subject name and expiration date. Which of the below options is the easiest one?

Answer options:

A.Create a shell script to use AWS CLI acm-pca list-certificates to get the required certificate information for this particular private CA.B.In the AWS ACM console, you can easily get the certificates’ details for each private Certificate Authority. Make sure the IAM user has the list-certificates permissions. 
C.Edit a Python script to use Boto3 to retrieve the certificate details including the subject name, expiration date, etc.
D.Create an audit report to list all of the certificates that the private CA has issued or revoked. Download the JSON-formatted report from the S3 bucket.

Correct Answer – D
Users can create an audit report for a private CA. The report is saved in an S3 bucket and contains the required information. The reference is in
https://docs.aws.amazon.com/acm-pca/latest/userguide/PcaAuditReport.html.
Option A is incorrect: Because there is no list-certificates CLI for acm-pca. Check https://docs.aws.amazon.com/cli/latest/reference/acm-pca/index.html#cli-aws-acm-pca.
Option B is incorrect: Because there is no IAM permission for list-certificates. And you cannot easily get all the certificate details from the AWS console.
Option C is incorrect: This option may work. However, it is not as straightforward as option
D. You have to maintain the Python script and use AWS SDK.
Option D is CORRECT: The audit report is the easiest way. The report contains the required details of CA issued or revoked certificates. Take the below as an example:
{
"awsAccountId": "123456789012",
"certificateArn": "arn:aws:acm-pca:region:account:certificate-authority/CA_ID/certificate/e8cbd2bedb122329f97706bcfec990f8",
"serial": "e8:cb:d2:be:db:12:23:29:f9:77:06:bc:fe:c9:90:f8",
"subject": "1.2.840.113549.1.9.1=#161173616c6573406578616d706c652e636f6d,CN=www.example1.com,OU=Sales,O=Example Company,L=Seattle,ST=Washington,C=US",
"notBefore": "2018-02-26T18:39:57+0000",
"notAfter": "2019-02-26T19:39:57+0000",
"issuedAt": "2018-02-26T19:39:58+0000",
"revokedAt": "2018-02-26T20:00:36+0000",
"revocationReason": "KEY_COMPROMISE"
}