AWS Certificate Manager Private Certificate Authority
User Guide (Version latest)

Create a Private Certificate Authority

A private certificate authority (CA) enables you to issue and revoke private certificates within an organization. You can issue certificates for users, applications, computers, servers and other devices. The certificates are SSL/TLS public key certificates based on the ISO X.509 standard.

Create a CA using the console

  1. Sign in: Sign in to your AWS account and open the ACM PCA console at If the introductory page appears, choose Get Started. Otherwise, choose Private CAs and then choose Create CA.

  2. Choose the CA Type: Choose the type of the private certificate authority that you want to create. Currently, you must choose Subordinate.

    Your private subordinate CA certificate must be authenticated and then signed by an intermediate or root CA that is higher in your organization’s CA hierarchy than the CA you are creating. For more information, see Create and Sign Your Private CA Certificate. Subordinate CAs are typically used to issue end-entity certificates to users, computers, and applications. This enables you to protect your root by removing it from the network and perhaps physically isolating it when you are not using it to commission new subordinate CAs.

  3. Enter a name: Type a name for your private CA. Use the X.500 Distinguished Name format. For more information, see X.500 Distinguished Name.

  4. Choose a private key algorithm: Choose the private key algorithm and the bit size of the key. The default value is an RSA algorithm with a 2048 bit key length. If you expand the Advanced options, you can choose one of the following combinations.

    • RSA 4096

    • ECDSA P256

    • ECDSA P384

  5. Configure a CRL: Configure a certificate revocation list (CRL) if you want ACM PCA to maintain one for the certificates revoked by your private CA. Clients such as web browsers query CRLs to determine whether a certificate can be trusted. For more information, see Create a Certificate Revocation List (CRL). If you want to create a CRL, do the following:

    1. Choose Enable CRL distribution.

    2. To create a new S3 bucket for your CRL entries, choose Yes for the Create a new S3 bucket option and enter a unique bucket name. Otherwise, choose No and select an existing bucket from the list.

      If you choose Yes, ACM PCA creates the necessary bucket policy for you. If you choose No, make sure the following policy is attached to your bucket.

      {
         "Version": "2012-10-17",
         "Statement": [
            {
               "Effect": "Allow",
               "Principal": {
                  "Service": ""
               },
               "Action": [
                  "s3:PutObject",
                  "s3:PutObjectAcl",
                  "s3:GetBucketAcl",
                  "s3:GetBucketLocation"
               ],
               "Resource": [
                  "arn:aws:s3:::your-bucket-name/*",
                  "arn:aws:s3:::your-bucket-name"
               ]
            }
         ]
      }

    3. Choose Advanced if you want to specify more about your CRL.

      • Add a Custom CRL Name to hide the name of your S3 bucket from public view.

      • Type the number of days your CRL will remain valid. For online CRLs, a validity period of 2 to 7 days is common. ACM PCA tries to regenerate the CRL at 1/2 of the specified period.

  6. Choose Update.
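
The check that step 5 asks for when you reuse an existing bucket, written out as an added example (not code from this guide or from AWS): it reports which action and resource pairs from the policy above are not granted to the service principal. The function name, the sample policy, and the placeholder principal are assumptions; the guide leaves the principal value empty, so it is passed in as a parameter.

```python
import json

# Actions copied from the bucket policy shown in step 5.
REQUIRED_ACTIONS = {"s3:PutObject", "s3:PutObjectAcl",
                    "s3:GetBucketAcl", "s3:GetBucketLocation"}

def _as_set(value):
    """Policy fields may hold a single string or a list of strings."""
    if value is None:
        return set()
    return {value} if isinstance(value, str) else set(value)

def missing_crl_grants(policy_text, bucket, service_principal):
    """Return sorted (action, resource) pairs from the step 5 policy that no
    Allow statement for service_principal grants; an empty list means a match.
    Exact-match only: wildcards and Deny statements are not evaluated."""
    required_resources = {f"arn:aws:s3:::{bucket}/*", f"arn:aws:s3:::{bucket}"}
    needed = {(a, r) for a in REQUIRED_ACTIONS for r in required_resources}
    statements = json.loads(policy_text).get("Statement", [])
    if isinstance(statements, dict):  # a lone statement may appear unwrapped
        statements = [statements]
    for st in statements:
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal")
        services = _as_set(principal.get("Service")) if isinstance(principal, dict) else set()
        if service_principal not in services:
            continue
        for a in _as_set(st.get("Action")):
            for r in _as_set(st.get("Resource")):
                needed.discard((a, r))
    return sorted(needed)

# Constructed sample: the step 5 policy with s3:PutObjectAcl left out. The
# principal is a placeholder because the guide leaves that value empty.
SAMPLE_PRINCIPAL = "SERVICE-PRINCIPAL-PLACEHOLDER"
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": SAMPLE_PRINCIPAL},
        "Action": ["s3:PutObject", "s3:GetBucketAcl", "s3:GetBucketLocation"],
        "Resource": ["arn:aws:s3:::your-bucket-name/*", "arn:aws:s3:::your-bucket-name"],
    }],
})

if __name__ == "__main__":
    for action, resource in missing_crl_grants(SAMPLE_POLICY, "your-bucket-name", SAMPLE_PRINCIPAL):
        print(f"missing: {action} on {resource}")
```

A non-empty result means the CRL may not be written to the bucket, so clients that query it would not see newly revoked certificates.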

Create a CA using the CLI

Use the create-certificate-authority command to create a private CA. You must specify the CA configuration, the revocation configuration, the CA type, and an optional idempotency token. The CA configuration specifies the name of the algorithm and key size to be used to create the CA private key, the type of signing algorithm that the CA uses to sign, and X.500 subject information. The CRL configuration specifies the CRL expiration period in days (the validity period of the CRL), the Amazon S3 bucket that will contain the CRL, and a CNAME alias for the S3 bucket that is included in certificates issued by the CA. If successful, this function returns the Amazon Resource Name (ARN) of the CA.

You can modify the following example files to use with this command.

C:\ca_config.txt

{
   "KeyType": "RSA_2048",
   "SigningAlgorithm": "SHA256WITHRSA",
   "Subject": {
      "Country": "US",
      "Organization": "Example Corp",
      "OrganizationalUnit": "Sales",
      "State": "WA",
      "Locality": "Seattle",
      "CommonName": ""
   }
}

C:\revoke_config.txt

{
   "CrlConfiguration": {
      "Enabled": true,
      "ExpirationInDays": 7,
      "CustomCname": "some_name.crl",
      "S3BucketName": "your-bucket-name"
   }
}

aws acm-pca create-certificate-authority \
     --certificate-authority-configuration file://C:\ca_config.txt \
     --revocation-configuration file://C:\revoke_config.txt \
     --certificate-authority-type "SUBORDINATE" \
     --idempotency-token 98256344

If successful, this command outputs the ARN (Amazon Resource Name) of the CA.

{
   "CertificateAuthorityArn": "arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-123456789012"
}