Issuing a private end-entity certificate - AWS Certificate Manager Private Certificate Authority

Issuing a private end-entity certificate

With a private CA in place, you can request private end-entity certificates from either AWS Certificate Manager (ACM) or ACM Private CA. The capabilities of both services are compared in the following table.

| Capability | ACM | ACM Private CA |
| --- | --- | --- |
| Issue end-entity certificates | ✓ (using RequestCertificate + GetCertificate or the console) | ✓ (using IssueCertificate) |
| Association with internet-facing AWS services | ✓ | Not supported |
| Managed certificate renewal | ✓ | Indirectly supported through ACM |
| Console support | ✓ | Not supported |
| API support | ✓ | ✓ |
| CLI support | ✓ | ✓ |

When ACM Private CA creates a certificate, it follows a template that specifies the certificate type and path length. If no template ARN is supplied to the API call or CLI command that creates the certificate, the EndEntityCertificate/V1 template is applied by default. For more information about available certificate templates, see Understanding certificate templates.

While ACM certificates are designed around public trust, ACM Private CA serves the needs of your private PKI. Consequently, you can configure certificates using the ACM Private CA API and CLI in ways not permitted by ACM. These include the following:

After creating a private certificate using ACM Private CA, you can import it into ACM and use it with a supported AWS service.

Issuing a certificate (AWS CLI)

You can use the ACM Private CA CLI command issue-certificate or the API action IssueCertificate to request an end-entity certificate. This command requires the Amazon Resource Name (ARN) of the private CA that you want to use to issue the certificate.

If you use the ACM Private CA API or AWS CLI to issue a private certificate, the certificate is unmanaged, meaning that you cannot use the ACM console, ACM CLI, or ACM API to view or export it, and the certificate is not automatically renewed. However, you can use the ACM Private CA get-certificate command to retrieve the certificate details, and if you own the CA, you can create an audit report.

The following command specifies no template, so an end-entity certificate is issued by default.

$ aws acm-pca issue-certificate \
    --certificate-authority-arn arn:aws:acm-pca:region:account:certificate-authority/CA_ID \
    --csr fileb://cert_1.csr \
    --signing-algorithm "SHA256WITHRSA" \
    --validity Value=365,Type="DAYS" \
    --idempotency-token 1234

The ARN of the issued certificate is returned:

{
    "CertificateArn": "arn:aws:acm-pca:region:account:certificate-authority/CA_ID/certificate/certificate_ID"
}
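The following script is an added example and is not part of the AWS documentation or the AWS CLI itself. It strings together the steps described above: it issues a certificate with the EndEntityCertificate/V1 template named explicitly (the same template the service applies when --template-arn is omitted), waits for issuance, retrieves the unmanaged certificate and its chain with get-certificate, and then uses OpenSSL to confirm that what came back is a leaf certificate (CA:FALSE) that validates against the CA chain. It assumes AWS CLI v2 with credentials permitted to call acm-pca:IssueCertificate and acm-pca:GetCertificate, OpenSSL 1.1.1 or later on PATH, and a CA ARN and CSR file supplied by the caller; the function names and the layout of the output directory are this example's own choices.

```shell
#!/bin/sh
# Added example (not AWS documentation or AWS CLI code): issue an end-entity
# certificate from an ACM Private CA, fetch it, and verify it is a leaf cert.
# Assumptions: AWS CLI v2 with acm-pca:IssueCertificate / acm-pca:GetCertificate
# permissions, and OpenSSL 1.1.1+ (for the -ext option) on PATH.
set -eu

# Template applied by default when --template-arn is omitted; stated explicitly
# so a reader of the script sees which certificate type is being requested.
END_ENTITY_TEMPLATE='arn:aws:acm-pca:::template/EndEntityCertificate/V1'

# get-certificate needs both the CA ARN and the certificate ARN. The issued
# certificate ARN carries the CA ARN as its prefix, so derive it from there.
ca_arn_from_cert_arn() {
    printf '%s\n' "${1%/certificate/*}"
}

# Extract only the certificate ID portion of an issued certificate ARN.
cert_id_from_cert_arn() {
    printf '%s\n' "${1##*/certificate/}"
}

# Issue the certificate and print its ARN. The idempotency token makes a
# retried request return the already issued certificate instead of a new one.
issue_end_entity_cert() {
    ca_arn=$1; csr_file=$2; days=$3; token=$4
    aws acm-pca issue-certificate \
        --certificate-authority-arn "$ca_arn" \
        --csr "fileb://$csr_file" \
        --signing-algorithm SHA256WITHRSA \
        --template-arn "$END_ENTITY_TEMPLATE" \
        --validity "Value=$days,Type=DAYS" \
        --idempotency-token "$token" \
        --query CertificateArn --output text
}

# Wait until issuance completes, then write certificate and chain as PEM files.
fetch_cert() {
    cert_arn=$1; out_dir=$2
    ca_arn=$(ca_arn_from_cert_arn "$cert_arn")
    aws acm-pca wait certificate-issued \
        --certificate-authority-arn "$ca_arn" --certificate-arn "$cert_arn"
    aws acm-pca get-certificate \
        --certificate-authority-arn "$ca_arn" --certificate-arn "$cert_arn" \
        --query Certificate --output text > "$out_dir/cert.pem"
    aws acm-pca get-certificate \
        --certificate-authority-arn "$ca_arn" --certificate-arn "$cert_arn" \
        --query CertificateChain --output text > "$out_dir/chain.pem"
}

# A certificate issued for a host must not itself be usable as a CA: require
# basicConstraints CA:FALSE, then check the chain validates up to the CA.
verify_leaf() {
    cert=$1; chain=$2
    openssl x509 -in "$cert" -noout -ext basicConstraints | grep -q 'CA:FALSE' || {
        echo "certificate is not an end-entity certificate" >&2; return 1; }
    openssl verify -CAfile "$chain" "$cert"
}

main() {
    ca_arn=$1; csr_file=$2; token=${3:-$(date +%s)}
    out_dir=$(mktemp -d)
    cert_arn=$(issue_end_entity_cert "$ca_arn" "$csr_file" 365 "$token")
    echo "issued: $cert_arn (certificate ID $(cert_id_from_cert_arn "$cert_arn"))"
    fetch_cert "$cert_arn" "$out_dir"
    verify_leaf "$out_dir/cert.pem" "$out_dir/chain.pem"
    echo "certificate and chain written to $out_dir"
}

# Usage: sh issue_end_entity.sh CA_ARN CSR_FILE [IDEMPOTENCY_TOKEN]
# With no arguments the functions are defined but nothing is issued.
if [ "$#" -ge 2 ]; then
    main "$@"
fi
```

Reuse the same idempotency token when retrying a request that timed out; a fresh token on every attempt can leave several issued certificates for one CSR, each of which the CA's audit report will list.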