AWS Certificate Manager Private Certificate Authority
User Guide (Version latest)

The AWS Documentation website is getting a new look!
Try it now and let us know what you think. Switch to the new look >>

You can return to the original look by selecting English in the language selector above.


AWS Certificate Manager Private Certificate Authority limits the number of certificates and certificate authorities as well as the API rate.

Limits on Certificates

The following ACM Private CA certificate limits apply to each Region and each account. To request higher limits, create a case at the AWS Support Center. New AWS accounts might start with limits that are lower than those that are described here.

Item Default Limit
Number of private certificate authorities (CAs) 10
Number of private certificates per private CA (lifetime) 1,000,000
Number of revoked private certificates per private CA (lifetime) 1,000,000


A private CA that has been deleted counts towards your certificate limit until the end of its restoration period. For more information, see Delete Your Private CA.

ACM Private CA is integrated with ACM. You can use the ACM console, AWS CLI, or ACM API to request private certificates from an existing private certificate authority (CA). The certificates are managed by ACM and have the same restrictions as public certificates that are issued by ACM. For a list of the restrictions, see Request a Private Certificate. You can also issue private certificates with the ACM Private CA API or AWS CLI. For more information, see Issuing a Private End-Entity Certificate. Regardless of which method you use, you can create 10 private CAs, request 1,000,000 private certificates, and revoke 1,000,000 certificate per account per Region. ACM places limits on public and imported certificates. For more information, see ACM Limits.

API Rate Limits

The following limits apply to the ACM Private CA API for each Region and account. ACM Private CA throttles API requests at different limits depending on the API operation. Throttling means that ACM Private CA rejects an otherwise valid request because the request exceeds the operation's limit for the number of requests per second. When a request is throttled, ACM Private CA returns a ThrottlingException error. The following table lists each API operation and the limit at which ACM Private CA throttles requests for that operation.


At this time, ACM Private CA does not support individual API rate limit increases per customer.