The PEM-encoded certificate for a private CA. This may be a self-signed certificate in the case of a root CA, or it may be signed by another CA that you control.
The Amazon Resource Name (ARN) that was returned when you called CreateCertificateAuthority. This must be of the form:
A PEM-encoded file that contains all of your certificates, other than the certificate you're importing, chaining up to your root CA. Your ACM Private CA-hosted or on-premises root certificate is the last in the chain, and each certificate in the chain signs the one preceding.
This parameter must be supplied when you import a subordinate CA. When you import a root CA, there is no chain.