AWS Certificate Manager Private Certificate Authority
User Guide (Version latest)

Assign Certificate Renewal Permissions to ACM

With Managed renewal in AWS Certificate Manager (ACM), you can automate the certificate renewal process across both public and private certificate authorities. In order for ACM to automatically renew the certificates generated by a private CA, the ACM service principal must be given all possible permission by the CA itself. If these renewal permissions are not given to ACM, the CA's owner (or an authorized representative) must manually renew each private certificate.

Renewal permissions can be delegated during private CA creation or altered anytime after as long as the CA is in the ACTIVE state.

You can manage private CA permissions from the ACM PCA Console, the AWS Command Line Interface (AWS CLI), or the ACM PCA API:

To assign private CA permissions (console)

  1. Sign in to your AWS account and open the ACM PCA console at

  2. Choose Private CAs.

  3. Choose your private CA from the list.

  4. Choose the Permission tab.

  5. Select Authorize ACM to use this CA for renewals.

  6. Choose Save.

To manage permissions in ACM PCA (AWS CLI)

Use the create-permission command to assign permissions to ACM. You must assign all possible permissions (IssueCertificate, GetCertificate, and ListPermissions) in order for ACM to automatically renew your certificates.

aws acm-pca create-permission \ --certificate-authority-arn arn:aws:acm-pca:region:account:\ certificate-authority/12345678-1234-1234-1234-123456789012 \ --actions IssueCertificate, GetCertificate, ListPermissions \ --principal

Use the list-permissions command to list the permissions delegated by a CA.

aws acm-pca list-permissions \ --certificate-authority-arn arn:aws:acm-pca:region:account:\ certificate-authority/123455678-1234-1234-1234-123456789012

Use the delete-permission command to revoke permissions assigned by a CA to an AWS service principal.

aws acm-pca delete-permission \ --certificate-authority-arn arn:aws:acm-pca:region:account:\ certificate-authority/12345678-1234-1234-1234-123456789012 \ --principal

To manage permissions in ACM PCA (ACM PCA API)

  1. Send a CreatePermission request to create a permission. Specify the service principal that will receive the permission and the ARN of the CA from which you're delegating the permission.

  2. Send a ListPermissions request to inspect the permissions delegated by a CA, specifying the CA's ARN.

  3. Send a DeletePermission request to revoke permissions from a service principal, specifying the ARN of the CA that assigned the permissions.