AWS Certificate Manager Private Certificate Authority
User Guide (Version latest)

Add Tags to your Private Certificate Authority

Tags are words or phrases that act as metadata for identifying and organizing AWS resources. Each tag consists of a key and a value. You can use the ACM PCA console, AWS Command Line Interface (AWS CLI), or the PCA API to add, view, or remove tags for private CAs.

You can create custom tags that suit your needs. For example, you could tag private CAs with the key-value pairs of Environment=Prod or Environment=Beta to identify which environment the CA is intended for. You can add tags to a CA at creation or any time after. For more information, see Create a Private CA

Other AWS resources also support tagging. You can assign the same tag to different resources to indicate whether those resources are related. For example, you can assign a tag such as to your CA, the Elastic Load Balancing load balancer, and other related resources. For more information on tagging AWS resources, see Tagging your Amazon EC2 Resources in the Amazon EC2 User Guide for Linux Instances.

The following basic restrictions apply to ACM PCA tags:

  • The maximum number of tags per private CA is 50.

  • The maximum length of a tag key is 128 characters.

  • The maximum length of a tag value is 256 characters.

  • The tag key and value can contain the following characters: A-Z, a-z, and .:+=@_%-(hyphen).

  • Tag keys and values are case sensitive.

  • The aws: and rds: prefixes are reserved for AWS use; you cannot add, edit, or delete tags whose key begins with aws: or rds:. Default tags that begin with aws: and rds: do not count against your tags-per-resource limit.

  • If you plan to use your tagging schema across multiple services and resources, remember that other services may have different restrictions for allowed characters. Refer to the documentation for that service.

  • ACM PCA tags are not available for use in the AWS Management Console's Resource Groups and Tag Editor.

You can tag a private CA from the ACM PCA Console, the AWS Command Line Interface (AWS CLI), or the ACM PCA API:

To tag a private CA (console)

  1. Sign in to your AWS account and open the ACM PCA console at

  2. Choose Private CAs.

  3. Choose your private CA from the list.

  4. Choose the Tags tab.

  5. Choose Edit.

  6. Type a key and value pair.

  7. Choose Add Tag.

To tag a private CA (AWS CLI)

Use the tag-certificate-authority command to add tags to your private CA.

aws acm-pca tag-certificate-authority \ --certificate-authority-arn arn:aws:acm-pca:region:account:\ certificate-authority/12345678-1234-1234-1234-123456789012 \ --tags Key=Admin,Value=Alice

Use the list-tags command to list the tags for a private CA.

aws acm-pca list-tags \ --certificate-authority-arn arn:aws:acm-pca:region:account:\ certificate-authority/123455678-1234-1234-1234-123456789012 \ --max-results 10

Use the untag-certificate-authority command to remove tags from a private CA.

aws acm-pca untag-certificate-authority \ --certificate-authority-arn arn:aws:acm-pca:region:account:\ certificate-authority/12345678-1234-1234-1234-123456789012 \ --tags Key=Purpose,Value=Website

To tag a private CA (ACM PCA API)

  • Send a TagCertificateAuthority request, specifying the ARN of the CA you're tagging and the tags to be added to it.