AWS Certificate Manager Private Certificate Authority
User Guide (Version latest)

Import Your Private CA Certificate into ACM PCA

After you create your private CA and sign the CA certificate, you must import the certificate into ACM PCA. Signing affirms the identity of your private CA within your organization. After signing and importing the certificate, you can use your private CA to issue and revoke trusted private SSL/TLS certificates. These enable trusted communication between users, applications, computers, and other devices internal to your organization. The certificates cannot be publicly trusted.

You must have a certificate chain to complete this procedure. Your chain must not include the private CA certificate that you are importing. Your chain must be PEM formatted. Concatenate your root certificate, if available, and any subordinate certificates you might have into a single PEM file. You can use the cat command to do so. Each certificate must directly certify the one preceding it. The following example contains three certificates, but your PKI might have more or fewer.

    -----BEGIN CERTIFICATE-----
    Base64-encoded intermediate CA certificate
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    Base64-encoded intermediate CA certificate
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    Base64-encoded root or intermediate CA certificate
    -----END CERTIFICATE-----
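A pre-import check for the chain rules stated above, added here as an example and not taken from the AWS guide. The function name check_pca_chain is hypothetical, openssl is assumed to be on the PATH, and the check compares issuer and subject names only, without verifying signatures.

```shell
# Added example: pre-import check of a CA certificate and its chain file.
# Compares issuer and subject names only; it does not verify signatures.
check_pca_chain() {
    ca_cert=$1; chain=$2
    work=$(mktemp -d) || return 2
    # Split the concatenated PEM file into one file per certificate,
    # zero-padded so that glob order equals the order in the file.
    awk -v dir="$work" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/%03d.pem", dir, n) }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { if (out != "") close(out); out = "" }
    ' "$chain"
    ca_fp=$(openssl x509 -in "$ca_cert" -noout -fingerprint -sha256) ||
        { rm -rf "$work"; return 2; }
    prev=$ca_cert; rc=0; count=0
    for cert in "$work"/*.pem; do
        [ -e "$cert" ] || break
        count=$((count + 1))
        # Rule 1: the chain must not include the CA certificate being imported.
        fp=$(openssl x509 -in "$cert" -noout -fingerprint -sha256)
        if [ "$fp" = "$ca_fp" ]; then
            echo "chain entry $count is the CA certificate itself" >&2
            rc=1; break
        fi
        # Rule 2: each certificate must directly certify the one preceding it,
        # so the previous certificate's issuer must be this one's subject.
        want=$(openssl x509 -in "$prev" -noout -issuer_hash)
        have=$(openssl x509 -in "$cert" -noout -subject_hash)
        if [ "$want" != "$have" ]; then
            echo "chain entry $count does not certify the one before it" >&2
            rc=1; break
        fi
        prev=$cert
    done
    if [ "$count" -eq 0 ]; then
        echo "no PEM certificates found in $chain" >&2
        rc=1
    fi
    rm -rf "$work"
    return $rc
}
```

Run it as check_pca_chain example_ca_cert.pem example_ca_cert_chain.pem before importing; a zero exit status means both rules hold.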

Import using the console


The following procedure assumes that you have a signed certificate authority certificate. If you do not, you must retrieve the certificate signing request (CSR) for your private CA, take it to your organization's X.509 infrastructure, create the private CA certificate, and sign it.

  1. Sign in to your AWS account and open the ACM PCA console at

  2. Choose Private CAs.

  3. Select your private CA from the list.

  4. On the Actions menu, choose Import CA certificate.

  5. Choose Next.

  6. For Certificate body, copy your signed private CA certificate into the textbox or import it from a file.

  7. For Certificate chain, copy the certificate chain into the textbox or import it from a file.

  8. Choose Next.

  9. Choose Confirm and Import to import the private CA certificate, Previous to return to the preceding page, or Cancel to quit.

Import using the CLI

Save your signed CA certificate and your certificate chain in PEM-formatted files. Use the import-certificate-authority-certificate command to import the private CA certificate into ACM PCA.

    aws acm-pca import-certificate-authority-certificate \
        --certificate-authority-arn arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012 \
        --certificate file://C:\example_ca_cert.pem \
        --certificate-chain file://C:\example_ca_cert_chain.pem