AWS Certificate Manager Private Certificate Authority
User Guide (Version latest)

Issue a Private Certificate

You can request a private certificate by using ACM or by using the standalone ACM PCA service. For more information about using ACM, see Request a Private Certificate. The benefits of ACM are:

  • You can use the AWS Management Console to request certificates.

  • You can use the console to deploy your private certificates with integrated services.

  • ACM stores the CA private keys in an AWS hardware security module (HSM) and uses AWS KMS to manage the keys.

  • ACM can renew private certificates that it manages.

You can use the ACM PCA CLI or API to issue a certificate. Private certificates that you issue by using the standalone ACM PCA service are not subject to the same restrictions as private certificates issued by ACM. You can use ACM PCA to do the following:

  • Create a certificate with any subject name.

  • Use any of the supported private key algorithms and key lengths.

  • Use any of the signing algorithms that are currently supported.

  • Specify any validity period for your private CA and private certificates.

  • Import your private certificates into ACM and IAM.

Create a certificate signing request (CSR)

Before you can issue a private certificate, you must have a certificate signing request (CSR). If you are using the standalone ACM PCA service, you can use the following OpenSSL command to create one. The command asks for a passphrase for the private key and for details about your organization.

openssl req -new -newkey rsa:2048 -days 365 -keyout my_private_key.pem -out my_csr.csr
Generating a 2048 bit RSA private key
.......................+++
..............+++
writing new private key to 'private/my_private_key.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:Washington
Locality Name (eg, city) [Default City]:Seattle
Organization Name (eg, company) [Default Company Ltd]:Example
Organizational Unit Name (eg, section) []:Corporate Offices
Common Name (eg, your name or your server's hostname) []:Example Company
Email Address []:corp@www.example.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Issue a certificate using the CLI

If you want to use the standalone ACM PCA service to issue a private certificate, you must use the AWS CLI or the PCA API. For more information about the API, see IssueCertificate. You can use the issue-certificate command to request a private certificate. This command requires the Amazon Resource Name (ARN) of the private CA that you want to use to issue the certificate and the CSR for the certificate that you want to issue.

Note

If you use the standalone ACM PCA service to issue a certificate, you cannot use the ACM console, CLI, or API to view or export it. You already have the private key because you needed one to create the CSR (see above). You can use the get-certificate command to retrieve the certificate details. You can also create an audit report to make sure your certificate was issued.

aws acm-pca issue-certificate \
    --certificate-authority-arn arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012 \
    --csr file://C:\cert_1.csr \
    --signing-algorithm "SHA256WITHRSA" \
    --validity Value=365,Type="DAYS" \
    --idempotency-token 1234

This command outputs the ARN of the issued certificate.

{
    "CertificateArn": "arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012/certificate/a2b95975ec6e1cd85a21c2104c5be129"
}
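The three steps above (create the CSR, call issue-certificate, retrieve the result with get-certificate) pulled together into one script, as an added example that is not part of the AWS documentation. It assumes the AWS CLI is installed and configured with permission to call acm-pca on the private CA whose ARN you pass on the command line; the file names and the subject DN are placeholders. Unlike the interactive openssl command above, it passes the DN with -subj and writes an unencrypted key (-nodes) so it can run unattended, relying on umask 077 to keep the key file private, and it omits -days because that option only affects self-signed output. Because issue-certificate returns as soon as the request is accepted, the script waits with the certificate-issued waiter before calling get-certificate, which is the only way to obtain a certificate issued through the standalone service.

```shell
#!/bin/sh
# Added example: end-to-end issuance with the standalone ACM PCA service.
# The CA ARN, file names and subject DN are placeholders to replace.
set -eu

# Derive the CA ARN from an issued-certificate ARN. get-certificate needs
# both, and a certificate ARN is always "<CA ARN>/certificate/<id>".
ca_arn_from_cert_arn() {
  printf '%s\n' "${1%/certificate/*}"
}

# Check that a string has the shape of an ACM PCA certificate ARN before
# using it in further calls (exit status 0 if it matches, 1 otherwise).
is_cert_arn() {
  case "$1" in
    arn:aws:acm-pca:*:*:certificate-authority/*/certificate/*) return 0 ;;
    *) return 1 ;;
  esac
}

# Create the private key and CSR non-interactively. -subj supplies the same
# DN fields the interactive prompt asks for; -nodes leaves the key unencrypted
# so the script can run unattended, so umask 077 restricts the key file to
# the creating user. -days is omitted: it only applies to -x509 output.
make_csr() {
  key="$1"; csr="$2"; subj="$3"
  ( umask 077
    openssl req -new -newkey rsa:2048 -nodes -subj "$subj" \
      -keyout "$key" -out "$csr" 2>/dev/null )
  # Confirm the CSR parses and its signature verifies against the embedded key.
  openssl req -in "$csr" -noout -verify >/dev/null 2>&1
}

# Ask the private CA to sign the CSR. Only the certificate ARN is returned;
# the certificate itself is fetched separately once issuance completes.
issue_cert() {
  ca_arn="$1"; csr="$2"; token="$3"
  aws acm-pca issue-certificate \
    --certificate-authority-arn "$ca_arn" \
    --csr "file://$csr" \
    --signing-algorithm SHA256WITHRSA \
    --validity Value=365,Type=DAYS \
    --idempotency-token "$token" \
    --query CertificateArn --output text
}

# Wait for issuance, then retrieve the PEM certificate and show its subject,
# issuer and validity so they can be compared with what was requested.
fetch_cert() {
  cert_arn="$1"; out="$2"
  ca_arn="$(ca_arn_from_cert_arn "$cert_arn")"
  aws acm-pca wait certificate-issued \
    --certificate-authority-arn "$ca_arn" --certificate-arn "$cert_arn"
  aws acm-pca get-certificate \
    --certificate-authority-arn "$ca_arn" --certificate-arn "$cert_arn" \
    --query Certificate --output text > "$out"
  openssl x509 -in "$out" -noout -subject -issuer -dates
}

main() {
  ca_arn="$1"   # arn:aws:acm-pca:<region>:<account>:certificate-authority/<ca-id>
  subj="${2:-/C=US/ST=Washington/L=Seattle/O=Example/OU=Corporate Offices/CN=Example Company}"
  make_csr my_private_key.pem my_csr.csr "$subj"
  # A fresh idempotency token per run; reusing one returns the earlier result.
  cert_arn="$(issue_cert "$ca_arn" my_csr.csr "$(date +%s)")"
  is_cert_arn "$cert_arn" || { echo "unexpected response: $cert_arn" >&2; exit 1; }
  fetch_cert "$cert_arn" my_cert.pem
  echo "issued: $cert_arn"
}

# Runs only when a CA ARN is given, e.g.:
#   sh issue.sh arn:aws:acm-pca:us-west-2:111122223333:certificate-authority/<ca-id>
if [ "$#" -gt 0 ]; then main "$@"; fi
```

The script never calls the ACM service: the issued certificate is visible only through acm-pca get-certificate (or an audit report), exactly as the note above describes, and the key never leaves the machine that generated the CSR.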