Signing private CA certificates with an external CA - AWS Certificate Manager Private Certificate Authority

Signing private CA certificates with an external CA

If your private CA hierarchy's root of trust must be a CA outside of ACM Private CA, you can create and self-sign your own root CA. Alternatively, you can obtain a private CA certificate that is signed by an external private CA operated by your organization. Use this externally obtained CA to sign a private subordinate CA certificate that ACM Private CA manages.

Procedures for creating or obtaining an externally signed CA are outside the scope of this guide.

Using an external parent CA with ACM Private CA also allows you to enforce CA name constraints. Name constraints are defined in the internet public key infrastructure (PKI) standard RFC 5280. The constraints provide a way for CA administrators to restrict subject names in certificates. For more information, see the Name Constraints section of RFC 5280.
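The following script is an added, runnable illustration of the hierarchy and name-constraint behaviour described above; it is not code from this guide or from AWS. It uses a local OpenSSL installation (1.1.1 or later is assumed) to stand in for the externally operated parent CA: the script creates a self-signed root whose `nameConstraints` extension permits only names under `.example.internal`, signs a subordinate CA CSR with it, and then checks an in-scope and an out-of-scope end-entity certificate against the chain. All names and paths are constructed for the example. In a real deployment the subordinate key and CSR would not be generated locally; the CSR comes from `aws acm-pca get-certificate-authority-csr`, and the signed certificate plus chain go back with `aws acm-pca import-certificate-authority-certificate`.

```shell
#!/bin/sh
# Added example (not AWS's code): an external root CA with RFC 5280 name
# constraints signs a subordinate CA, and leaf certificates are validated
# against the constraint. Requires openssl >= 1.1.1 on PATH.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
EXT_CNF="$WORK/ext.cnf"

# Extension profiles. The root's permitted subtree is inherited by every
# certificate below it, including anything the subordinate CA issues.
write_config() {
cat > "$EXT_CNF" <<'EOF'
[ req ]
distinguished_name = req_dn
prompt = no

[ req_dn ]
CN = unused

[ v3_root ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
nameConstraints = critical, permitted;DNS:.example.internal

[ v3_sub ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
}

# Build the root (the "external" CA) and sign the subordinate's CSR.
# The subordinate key/CSR generated here stands in for the CSR that
# ACM Private CA would hand you for an unsigned subordinate CA.
build_pki() {
  write_config
  openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/root.key"
  openssl req -x509 -new -key "$WORK/root.key" \
    -subj "/CN=Example Corp External Root CA" -days 3650 \
    -config "$EXT_CNF" -extensions v3_root -out "$WORK/root.crt"

  openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/sub.key"
  openssl req -new -key "$WORK/sub.key" \
    -subj "/CN=Example Corp Subordinate CA" -config "$EXT_CNF" \
    -out "$WORK/sub.csr"
  openssl x509 -req -in "$WORK/sub.csr" -CA "$WORK/root.crt" \
    -CAkey "$WORK/root.key" -CAcreateserial -days 1825 \
    -extfile "$EXT_CNF" -extensions v3_sub -out "$WORK/sub.crt"
}

# Issue a server certificate from the subordinate for the given DNS name.
# $1 = file stem, $2 = DNS name placed in the SAN.
sign_leaf() {
  stem="$1"; name="$2"
  openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/$stem.key"
  openssl req -new -key "$WORK/$stem.key" -subj "/CN=$name" \
    -config "$EXT_CNF" -out "$WORK/$stem.csr"
  printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' \
    "$name" > "$WORK/$stem.ext"
  openssl x509 -req -in "$WORK/$stem.csr" -CA "$WORK/sub.crt" \
    -CAkey "$WORK/sub.key" -CAcreateserial -days 365 \
    -extfile "$WORK/$stem.ext" -out "$WORK/$stem.crt"
}

# Exit status 0 when the chain validates under the root's constraints.
# A name outside the permitted subtree fails with "permitted subtree violation".
verify_leaf() {
  openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/sub.crt" \
    "$WORK/$1.crt" >/dev/null 2>&1
}

build_pki
openssl x509 -in "$WORK/root.crt" -noout -ext nameConstraints
sign_leaf in_scope app.example.internal >/dev/null 2>&1
sign_leaf out_of_scope evil.example.com >/dev/null 2>&1
if verify_leaf in_scope; then echo "app.example.internal: accepted"; fi
if ! verify_leaf out_of_scope; then echo "evil.example.com: rejected by name constraint"; fi
```

The important property to notice is that the subordinate CA is still technically able to sign `evil.example.com`; the constraint is enforced by relying parties when they build the chain to the root, so validators must treat the critical `nameConstraints` extension as mandatory for the control to hold.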