AWS Certificate Manager Private Certificate Authority
User Guide (Version latest)

Set Up a Certificate Authority

You must have a certificate authority (CA) available to sign your private CA certificate. This can be a commercial or an on-premises CA. It can be a root or an intermediate CA. You can use OpenSSL to create a test certificate authority. We recommend, however, that you use a production CA rather than a test CA. You use the certificate authority to sign your private CA certificate. Signing the certificate is part of the process that you must follow to create your CA and get it ready to use: