Import Your Private CA Certificate into ACM Private CA - AWS Certificate Manager Private Certificate Authority

Import Your Private CA Certificate into ACM Private CA

After you create your private subordinate CA, retrieve the certificate signing request (CSR), and have your external root or intermediate authority sign the CA certificate, you must import the certificate into ACM Private CA. After signing and importing the certificate, you can use your private subordinate CA to issue and revoke trusted private SSL/TLS certificates. These enable trusted communication between users, applications, computers, and other devices internal to your organization. The certificates cannot be publicly trusted.

You must also retrieve the certificate chain that contains the certificate of the intermediate or root CA that signed your private CA certificate, plus any certificates above it. To create the chain, concatenate the certificates into a single file, starting with the certificate of the CA that signed your private CA certificate and ending with your root certificate, if available. You can use the cat command (Linux) to do so. Each certificate in the chain must directly certify the one preceding it, and the entire chain must be PEM-formatted. The following example contains three certificates, but your PKI infrastructure might have more or fewer.

-----BEGIN CERTIFICATE-----
Base64-encoded intermediate CA certificate
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Base64-encoded intermediate CA certificate
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Base64-encoded root or intermediate CA certificate
-----END CERTIFICATE-----
Note

ACM Private CA generates and securely stores your private CA's private key. You never import an externally generated private key; only the signed CA certificate and its chain are imported.

Importing the Private CA Certificate (Console)

You can import a private CA certificate using the AWS Management Console.

To import the CA certificate (console)

  1. If your console is still open to the Import a signed certificate authority (CA) certificate page, skip to step 8. Otherwise, continue.

  2. Sign in to your AWS account and open the ACM Private CA console at https://console.aws.amazon.com/acm-pca/home.

  3. Choose Private CAs.

  4. Choose your private subordinate CA from the list of CAs. In the details panel below the list, an Action required! box is displayed.

  5. In the Action required! box, choose Import a CA certificate.

  6. Choose External private CA and Next.

  7. On the Export a certificate signing request (CSR) page, choose Next.

  8. On the Import a signed certificate authority (CA) certificate page, provide the required information.

    • For Certificate body, copy your signed private CA certificate into the textbox or import it from a file.

    • For Certificate chain, copy the certificate chain into the textbox or import it from a file.

    Then choose Next.

  9. Choose Confirm and install to import the private CA certificate.

Importing the Private CA Certificate (AWS CLI)

Before beginning, make sure that you have your signed CA certificate and your certificate chain in PEM formatted files.

To import the CA certificate (AWS CLI)

Use the import-certificate-authority-certificate command to import the private CA certificate into ACM Private CA.

aws acm-pca import-certificate-authority-certificate \
    --certificate-authority-arn arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012 \
    --certificate file://C:\example_ca_cert.pem \
    --certificate-chain file://C:\example_ca_cert_chain.pem
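The chain assembly described earlier on this page and the CLI import above, as one added shell example. This is not AWS code: it assumes openssl and a configured AWS CLI are on PATH, the function names (build_chain, check_chain, import_ca_cert) and file names are illustrative, and the ARN is the placeholder from the command above. It goes slightly beyond the page by also accepting a chain whose last entry is an intermediate rather than a self-signed root, which openssl verify only accepts with -partial_chain.

```shell
#!/bin/sh
# Added example (not AWS code): assemble the chain in the order ACM Private CA
# expects, sanity-check it with openssl, then import with the AWS CLI.
# Assumes openssl and a configured AWS CLI are on PATH; names are illustrative.
set -e

# build_chain OUT FIRST [NEXT ...]: concatenate PEM files in the given order,
# adding a newline after any file that lacks one so two certificates are never
# fused onto a single line (a common cause of "invalid chain" errors).
build_chain() {
  chain_out=$1; shift
  : > "$chain_out"
  for f in "$@"; do
    cat "$f" >> "$chain_out"
    [ -z "$(tail -c1 "$f")" ] || echo >> "$chain_out"
  done
}

# Number of PEM certificate blocks in a file.
pem_count() { grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true; }

# Split a PEM bundle into $2/cert-0.pem, $2/cert-1.pem, ... in file order.
split_pem() {
  awk -v dir="$2" '
    /-----BEGIN CERTIFICATE-----/ { f = sprintf("%s/cert-%d.pem", dir, n); n++ }
    f != ""                        { print > f }
    /-----END CERTIFICATE-----/    { close(f); f = "" }
  ' "$1"
}

is_ca()        { openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; }
subject_hash() { openssl x509 -in "$1" -noout -subject_hash; }
issuer_hash()  { openssl x509 -in "$1" -noout -issuer_hash; }
fail()         { echo "check_chain: $1" >&2; rm -rf "$workdir"; }

# check_chain SIGNED_CA_CERT CHAIN: returns 0 only if chain[0] issued the CA
# certificate, chain[i+1] issued chain[i], every certificate is a CA
# certificate, and the signatures verify up to the last chain entry.
check_chain() {
  ca_cert=$1; chain=$2
  workdir=$(mktemp -d)
  n=$(pem_count "$chain")
  [ "$n" -gt 0 ] || { fail "chain contains no certificates"; return 1; }
  split_pem "$chain" "$workdir"
  is_ca "$ca_cert" || { fail "$ca_cert is not a CA certificate (CA:TRUE missing)"; return 1; }

  # Name-level ordering check: each entry's subject must be the issuer of the
  # certificate before it (the signed CA cert comes first, the anchor last).
  prev=$ca_cert; i=0
  while [ "$i" -lt "$n" ]; do
    cur="$workdir/cert-$i.pem"
    is_ca "$cur" || { fail "chain[$i] is not a CA certificate"; return 1; }
    [ "$(subject_hash "$cur")" = "$(issuer_hash "$prev")" ] \
      || { fail "chain[$i] did not issue the certificate before it; check the order"; return 1; }
    prev=$cur; i=$((i + 1))
  done

  # Cryptographic check: all but the last entry are untrusted intermediates,
  # the last entry is the anchor. If the root was omitted the anchor is not
  # self-signed, so ask openssl to accept it with -partial_chain (>= 1.0.2).
  anchor=$prev; opts=""
  [ "$(subject_hash "$anchor")" = "$(issuer_hash "$anchor")" ] || opts="-partial_chain"
  if [ "$n" -gt 1 ]; then
    untrusted="$workdir/untrusted.pem"; i=0
    while [ "$i" -lt $((n - 1)) ]; do cat "$workdir/cert-$i.pem" >> "$untrusted"; i=$((i + 1)); done
    openssl verify $opts -CAfile "$anchor" -untrusted "$untrusted" "$ca_cert" >/dev/null 2>&1 \
      || { fail "signature verification failed"; return 1; }
  else
    openssl verify $opts -CAfile "$anchor" "$ca_cert" >/dev/null 2>&1 \
      || { fail "signature verification failed"; return 1; }
  fi
  rm -rf "$workdir"
}

# import_ca_cert CA_ARN SIGNED_CA_CERT CHAIN: run the checks, import, then read
# back the CA status, which should move from PENDING_CERTIFICATE to ACTIVE.
import_ca_cert() {
  check_chain "$2" "$3"
  aws acm-pca import-certificate-authority-certificate \
    --certificate-authority-arn "$1" \
    --certificate "file://$2" \
    --certificate-chain "file://$3"
  aws acm-pca describe-certificate-authority \
    --certificate-authority-arn "$1" \
    --query 'CertificateAuthority.Status' --output text
}

# Example invocation with the placeholder ARN from the page (illustrative file names):
# build_chain chain.pem intermediate.pem root.pem
# import_ca_cert arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012 signed_ca_cert.pem chain.pem
```

The subject/issuer hash comparison catches the most frequent mistake (root first, intermediate last) with a message naming the offending position, and the final openssl verify proves the signatures actually chain rather than merely matching names. Run check_chain on its own before touching the console or CLI; an import that fails inside ACM Private CA gives far less diagnostic detail than openssl does.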