Issuing a private end-entity certificate - AWS Certificate Manager Private Certificate Authority

Issuing a private end-entity certificate

With a private CA in place, you can request private end-entity certificates from either AWS Certificate Manager (ACM) or ACM Private CA. The capabilities of both services are compared in the following table.



Capability                                       ACM                                                             ACM Private CA
Issue end-entity certificates                    ✓ (using RequestCertificate + GetCertificate or the console)    ✓ (using IssueCertificate)
Association with internet-facing AWS services    ✓                                                               Not supported
Managed certificate renewal                      ✓                                                               Indirectly supported through ACM
Console support                                  ✓                                                               Not supported
API support                                      ✓                                                               ✓
CLI support                                      ✓                                                               ✓

When ACM Private CA creates a certificate, it follows a template that specifies the certificate type and path length. If no template ARN is supplied to the API or CLI statement creating the certificate, the EndEntityCertificate/V1 template is applied by default. For more information about available certificate templates, see Understanding certificate templates.

While ACM certificates are designed around public trust, ACM Private CA serves the needs of your private PKI. Consequently, you can configure certificates using the ACM Private CA API and CLI in ways not permitted by ACM. These include the following:

After creating a private certificate using ACM Private CA, you can import it into ACM and use it with a supported AWS service.


Certificates created with the procedure below, using the issue-certificate command, or with the IssueCertificate API action, cannot be exported for use outside AWS. However, you can use your private CA to sign certificates issued through ACM, and those certificates can be exported along with their private keys. For more information, see Requesting a private certificate and Exporting a private certificate in the ACM User Guide.

Issuing a certificate (AWS CLI)

You can use the ACM Private CA CLI command issue-certificate or the API action IssueCertificate to request an end-entity certificate. This command requires the Amazon Resource Name (ARN) of the private CA that you want to use to issue the certificate.

If you use the ACM Private CA API or AWS CLI to issue a private certificate, the certificate is unmanaged, meaning that you cannot use the ACM console, ACM CLI, or ACM API to view or export it, and the certificate is not automatically renewed. However, you can use the ACM Private CA get-certificate command to retrieve the certificate details, and if you own the CA, you can create an audit report.

Considerations when creating certificates

  • In compliance with RFC 5280, the length of the domain name (technically, the Common Name) that you provide cannot exceed 64 octets (characters), including periods. To add a longer domain name, specify it in the Subject Alternative Name field, which supports names up to 253 octets in length.

  • If you are using AWS CLI version 1.6.3 or later, use the prefix fileb:// when specifying the required input file. This ensures that ACM Private CA parses the Base64-encoded data correctly.

The following command specifies no template, so an end-entity certificate is issued by default.

$ aws acm-pca issue-certificate \
    --certificate-authority-arn arn:aws:acm-pca:region:account:certificate-authority/CA_ID \
    --csr fileb://cert_1.csr \
    --signing-algorithm "SHA256WITHRSA" \
    --validity Value=365,Type="DAYS" \
    --idempotency-token 1234

The ARN of the issued certificate is returned:

{
  "CertificateArn": "arn:aws:acm-pca:region:account:certificate-authority/CA_ID/certificate/certificate_ID"
}
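As an added example (not code from the AWS documentation), the same request made through the IssueCertificate API with boto3: the RFC 5280 name-length limits from the considerations above are checked in octets before the CSR is submitted, the call waits for signing to finish, and the unmanaged certificate is read back with GetCertificate. It assumes a boto3 acm-pca client; the CA ARN, CSR file and idempotency token are placeholders.

```python
"""Issue a private end-entity certificate via the ACM Private CA API (boto3 'acm-pca' client)."""
from typing import Any, Dict, Iterable, Tuple

MAX_CN_OCTETS = 64    # RFC 5280 Common Name limit, counted in octets, periods included
MAX_SAN_OCTETS = 253  # limit for one Subject Alternative Name entry
# Template applied when the CLI/API call carries no template ARN (see the text above).
DEFAULT_TEMPLATE_ARN = "arn:aws:acm-pca:::template/EndEntityCertificate/V1"


def check_name_lengths(common_name: str, sans: Iterable[str] = ()) -> None:
    """Reject subject names over the RFC 5280 limits; lengths are UTF-8 octets, not characters."""
    if len(common_name.encode("utf-8")) > MAX_CN_OCTETS:
        raise ValueError(f"Common Name longer than {MAX_CN_OCTETS} octets; use a SAN entry instead")
    for san in sans:
        if len(san.encode("utf-8")) > MAX_SAN_OCTETS:
            raise ValueError(f"SAN {san!r} longer than {MAX_SAN_OCTETS} octets")


def build_issue_request(ca_arn: str, csr_pem: bytes, days: int, token: str,
                        template_arn: str = DEFAULT_TEMPLATE_ARN) -> Dict[str, Any]:
    """Build the IssueCertificate parameters equivalent to the issue-certificate CLI call above."""
    # The API takes the raw PEM bytes, which is what the fileb:// prefix hands the CLI.
    if not csr_pem.startswith(b"-----BEGIN") or b"CERTIFICATE REQUEST" not in csr_pem[:64]:
        raise ValueError("csr_pem must be a PEM-encoded certificate signing request")
    return {
        "CertificateAuthorityArn": ca_arn,
        "Csr": csr_pem,
        "SigningAlgorithm": "SHA256WITHRSA",
        "Validity": {"Value": days, "Type": "DAYS"},
        "IdempotencyToken": token,  # a retried call with the same token returns the same certificate
        "TemplateArn": template_arn,
    }


def issue_and_fetch(client, ca_arn: str, csr_pem: bytes, days: int = 365,
                    token: str = "1234") -> Tuple[str, str, str]:
    """Issue the certificate, wait for signing to finish, then retrieve it with GetCertificate.

    The certificate is unmanaged (not visible in ACM), so GetCertificate is the way to read it
    back. `client` is a boto3 acm-pca client, or a test double exposing the same methods.
    """
    arn = client.issue_certificate(**build_issue_request(ca_arn, csr_pem, days, token))["CertificateArn"]
    # Issuance is asynchronous: the waiter polls GetCertificate until the certificate exists.
    client.get_waiter("certificate_issued").wait(CertificateAuthorityArn=ca_arn, CertificateArn=arn)
    resp = client.get_certificate(CertificateAuthorityArn=ca_arn, CertificateArn=arn)
    return arn, resp["Certificate"], resp["CertificateChain"]


if __name__ == "__main__":  # placeholder CA ARN: replace it and run with real AWS credentials
    import boto3
    with open("cert_1.csr", "rb") as f:
        print(issue_and_fetch(boto3.client("acm-pca"),
                              "arn:aws:acm-pca:region:account:certificate-authority/CA_ID", f.read())[0])
```

Run check_name_lengths on the subject you put into the CSR before generating it; the service rejects an over-long Common Name only after the CSR has been built and submitted.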