

# Troubleshoot AWS Private Certificate Authority exception messages
<a name="PCATsExceptions"></a>

An AWS Private CA command might fail for several reasons. The following table describes each exception and recommends how to resolve it.


**AWS Private CA Exceptions**  

|  Exception Returned by AWS Private CA  | Description | Remediation | 
| --- | --- | --- | 
| <a name="AccessDeniedException"></a>`AccessDeniedException` | The permissions required to use the given command have not been delegated by a private CA to the calling account. | For information on delegating permissions in AWS Private CA, see [Assign certificate renewal permissions to ACM](assign-permissions.md#PcaPermissions). | 
| <a name="InvalidArgsException"></a>`InvalidArgsException` | A certificate creation or renewal request was made with invalid parameters. | Check the command's individual documentation to make sure that your input parameters are valid. If you are creating a new certificate, make sure that the requested signing algorithm can be used with the CA's key type. | 
| <a name="InvalidStateException"></a>`InvalidStateException` | The associated private CA cannot renew the certificate because it is not in the ACTIVE state. | Attempt to [restore the private CA](PCARestoreCA.md). If the private CA is outside of its restoration period, the CA cannot be restored and the certificate cannot be renewed. | 
| <a name="LimitExceededException"></a>`LimitExceededException` | Each certificate authority (CA) has a quota of certificates that it can issue. The private CA that is associated with the designated certificate has reached its quota. For more information, see [Service Quotas](https://docs.aws.amazon.com/general/latest/gr/pca.html#limits_pca) in the AWS General Reference Guide. | Contact the [AWS Support Center](https://aws.amazon.com/premiumsupport/) to request a quota increase. | 
| <a name="MalformedCSRException"></a>`MalformedCSRException` | The certificate signing request (CSR) that was submitted to AWS Private CA cannot be verified or validated. | Confirm that your CSR was properly generated and configured.  | 
| `OtherException` | An internal error has caused the request to fail. | Attempt to run the command again. If the problem persists, contact the [AWS Support Center](https://aws.amazon.com/premiumsupport/). | 
| <a name="RequestFailedException"></a>`RequestFailedException` | A networking problem in your AWS environment caused the request to fail. | Retry the request. If the failure persists, check your [Amazon VPC (VPC) configuration](https://docs.aws.amazon.com/vpc/latest/userguide/what-is-amazon-vpc.html). | 
| <a name="ResourceNotFoundException"></a>`ResourceNotFoundException` | The private CA that issued the certificate was deleted and no longer exists. | Request a new certificate from another active CA. | 
| <a name="ThrottlingException"></a>`ThrottlingException` | A requested API action failed because it exceeded a quota. | Confirm that you are not issuing more calls than allowed by AWS Private CA.<br />A `ThrottlingException` error may also occur because of a transient condition rather than an exceeded quota. If you encounter the error and you have not been making calls in excess of the quota, try your request again.<br />If you are running up against a quota, you may be able to request an increase. For more information, see [Service Quotas](https://docs.aws.amazon.com/general/latest/gr/pca.html#limits_pca) in the AWS General Reference Guide. | 
| <a name="ValidationException"></a>`ValidationException` | The request's input parameters were incorrectly formatted, or the validity period of the root certificate ends before the validity period of the requested certificate. | Check the syntax requirements of the command's input parameters as well as the validity period of your CA's root certificate. For information about changing the validity period, see [Update a private CA in AWS Private Certificate Authority](PCAUpdateCA.md). | 
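
The following pre-flight check is an added example, not part of the original AWS documentation or AWS tooling. It predicts three of the exceptions in the table (`InvalidStateException`, `InvalidArgsException`, `ValidationException`) before a request is sent. It assumes a dictionary shaped like the `CertificateAuthority` object returned by `DescribeCertificateAuthority`, and that the issuing CA is the root CA; the function name `preflight`, the sample CA, and the fixed clock are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample, shaped like the CertificateAuthority object from
# DescribeCertificateAuthority (assumption: the issuing CA is the root CA).
SAMPLE_CA = {
    "Status": "ACTIVE",
    "NotAfter": datetime(2026, 1, 1, tzinfo=timezone.utc),
    "CertificateAuthorityConfiguration": {"KeyAlgorithm": "EC_prime256v1"},
}
FIXED_NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)  # constructed clock


def key_family(key_algorithm):
    """Map a CA key algorithm to the suffix its signing algorithms must carry."""
    if key_algorithm.startswith("RSA_"):
        return "RSA"
    if key_algorithm.startswith("EC_"):
        return "ECDSA"
    return None  # unknown family: skip the compatibility check


def preflight(ca, signing_algorithm, validity_days, now=None):
    """Return the table's exception names this request is expected to trigger."""
    now = now or datetime.now(timezone.utc)
    expected = []

    # InvalidStateException: the CA must be ACTIVE to issue or renew.
    if ca["Status"] != "ACTIVE":
        expected.append("InvalidStateException")

    # InvalidArgsException: signing algorithm must match the CA's key type,
    # e.g. SHA256WITHECDSA for an EC key, SHA256WITHRSA for an RSA key.
    family = key_family(ca["CertificateAuthorityConfiguration"]["KeyAlgorithm"])
    if family and not signing_algorithm.upper().endswith("WITH" + family):
        expected.append("InvalidArgsException")

    # ValidationException: the requested certificate must not outlive the CA cert.
    if now + timedelta(days=validity_days) > ca["NotAfter"]:
        expected.append("ValidationException")

    return expected


if __name__ == "__main__":
    print(preflight(SAMPLE_CA, "SHA256WITHECDSA", 90, FIXED_NOW))
    print(preflight(SAMPLE_CA, "SHA256WITHRSA", 400, FIXED_NOW))
```

An empty list means none of the three checked conditions applies; the other exceptions in the table depend on service-side state and are not covered.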