AWS Certificate Manager Private Certificate Authority
User Guide (Version latest)

Getting Started with ACM Private CA

This section describes tasks to perform before you use ACM Private CA.

Optionally, if your organization prefers to host its private root CA credentials on-premises rather than with AWS, you need to set up and secure a self-managed private PKI before using ACM Private CA. In this scenario, you then create a subordinate CA in ACM Private CA backed by a parent CA outside of ACM Private CA. For more information, see Using a Root Authority Outside ACM Private CA.

Sign Up for AWS

If you're not already an Amazon Web Services (AWS) customer, you must sign up to be able to use ACM Private CA. Your account automatically has access to all available services, but you are charged only for services that you use. Also, if you are a new AWS customer, some services are available for free during a limited period. For more information, see AWS Free Tier.

Note: ACM Private CA is not available in the free tier.

To sign up for an AWS account

  1. Go to and choose Sign Up.

  2. Follow the on-screen instructions.

Note: Part of the sign-up procedure includes receiving an automated telephone call and entering the supplied PIN on the telephone keypad. You must also supply a credit card number.

Install the AWS Command Line Interface (Optional)

If you have not installed the AWS CLI but want to use it, follow the directions at AWS Command Line Interface. If you are using Windows, you can download and run a 64-bit or 32-bit Windows installer. If you are using Linux or macOS, you can install the AWS CLI using pip.

If you already have the AWS CLI installed, check the version number by typing aws --version in a command window or on the command line. Compare the version number to the most recent available on GitHub. If your version is old, update the CLI.

On the command line, type aws configure. You'll need your access key ID and secret access key to complete the following steps. For more information, see Access Keys.

  • Type your access key ID when prompted.

  • Type your secret access key.

  • Choose your default region. See Regions for a list of those available.

  • Accept json as the default output format.

Type aws acm-pca on the command line followed by the ACM Private CA command that you want to run. For example, if you want to list all of your private certificate authorities, type the following command.

aws acm-pca list-certificate-authorities --max-results 10
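The version check the guide describes (read the version from aws --version, compare it with a minimum, update if it is old), followed by the listing command above, as an added shell example that is not part of the AWS guide. The minimum version and the aws --version strings shown in comments are constructed assumptions, and list_private_cas needs a CLI that has already been configured with aws configure.

```shell
# Extract the version number from `aws --version` output, for example
# "aws-cli/1.16.0 Python/2.7.10 Darwin/18.2.0 botocore/1.12.0" -> "1.16.0"
# (constructed sample string; the real output depends on your install).
parse_aws_cli_version() {
  printf '%s\n' "$1" | sed -n 's#^aws-cli/\([0-9][0-9.]*\).*#\1#p'
}

# Compare two dotted versions component by component.
# Returns 0 (true) when $1 >= $2, 1 otherwise. Pure POSIX sh, no sort -V.
version_ge() {
  a="$1"; b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    x="${a%%.*}"; y="${b%%.*}"          # leading component of each
    [ "$x" = "$a" ] && a="" || a="${a#*.}"
    [ "$y" = "$b" ] && b="" || b="${b#*.}"
    x="${x:-0}"; y="${y:-0}"            # missing components count as 0
    if [ "$x" -gt "$y" ]; then return 0; fi
    if [ "$x" -lt "$y" ]; then return 1; fi
  done
  return 0
}

# Return 0 if the installed CLI (or a supplied version string, used here
# for offline testing) is at least MIN; 1 if it is older; 2 if unparseable.
# CLI v1 prints its version on stderr, hence the 2>&1.
check_aws_cli_version() {
  min="$1"
  out="${2:-$(aws --version 2>&1)}"
  v="$(parse_aws_cli_version "$out")"
  if [ -z "$v" ]; then
    echo "could not parse AWS CLI version from: $out" >&2
    return 2
  fi
  if version_ge "$v" "$min"; then
    echo "aws-cli $v is at least $min"
    return 0
  fi
  echo "aws-cli $v is older than $min; update the CLI" >&2
  return 1
}

# The guide's listing command; requires credentials from `aws configure`.
list_private_cas() {
  aws acm-pca list-certificate-authorities --max-results 10
}

# Usage (minimum version 1.16.0 is an assumed example value):
#   check_aws_cli_version 1.16.0 && list_private_cas
```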