Quotas - AWS Certificate Manager Private Certificate Authority


AWS Certificate Manager Private Certificate Authority assigns quotas to your allowed number of certificates and certificate authorities as well as the API rate.

Quotas on CAs and Certificates

The following ACM Private CA certificate quotas apply to each Region and each account. To request higher quotas, create a case at the AWS Support Center.

Item Default Quota
Number of private certificate authorities (CAs) 200*
Number of private certificates per private CA (lifetime) 1,000,000*
Number of unexpired revoked private certificates per CA** 1,000,000

* You can request a quota increase for this item. Visit the AWS Support Center, choose Create case, and choose Service limit increase.

** This quota reflects the number of unexpired certificates that can be included in the Certificate Revocation List (CRL), based on the maximum CRL size that can be processed by clients consuming CRLs. This quota cannot be increased.


A private CA that has been deleted counts towards your certificate quota until the end of its restoration period. For more information, see Delete Your Private CA.

ACM Private CA is integrated with ACM. You can use the ACM console, AWS CLI, or ACM API to request private certificates from an existing private certificate authority (CA). The certificates are managed by ACM and have the same restrictions as public certificates that are issued by ACM. For a list of the restrictions, see Request a Private Certificate. You can also issue private certificates with the ACM Private CA API or AWS CLI. For more information, see Issuing a Private End-Entity Certificate. Regardless of which method you use, you can create 10 private CAs, request 1,000,000 private certificates, and revoke 1,000,000 certificate per account per Region. ACM places quotas on public and imported certificates. For more information, see ACM Quotas.

Quotas on API Requests

The following quotas apply to the ACM Private CA API for each Region and account. ACM Private CA throttles API requests at different rates depending on the API operation. Throttling means that ACM Private CA rejects an otherwise valid request because the request exceeds the operation's quota for the number of requests per second. When a request is throttled, ACM Private CA returns a ThrottlingException error. The following table lists each API operation and the rate at which ACM Private CA throttles requests for that operation. ACM Private CA does not guarantee a minimum request rate for APIs.


If you encounter a ThrottlingException error, we recommend that you retry the operation before contacting support.

* You can request a rate increase for this item. Visit the AWS Support Center, choose Create case, and choose Service limit increase.