AWS Certificate Manager Private Certificate Authority
User Guide (Version latest)

Assigning Certificate Renewal Permissions to ACM

With Managed renewal in AWS Certificate Manager (ACM), you can automate the certificate renewal process across both public and private certificate authorities. In order for ACM to automatically renew the certificates generated by a private CA, the ACM service principal must be given all possible permission by the CA itself. If these renewal permissions are not given to ACM, the CA's owner (or an authorized representative) must manually renew each private certificate.

Renewal permissions can be delegated during private CA creation or altered anytime after as long as the CA is in the ACTIVE state.

You can manage private CA permissions from the ACM Private CA Console, the AWS Command Line Interface (AWS CLI), or the ACM Private CA API:

To assign private CA permissions (console)

  1. Sign in to your AWS account and open the ACM Private CA console at

  2. Choose Private CAs.

  3. Choose your private CA from the list.

  4. Choose the Permission tab.

  5. Select Authorize ACM to use this CA for renewals.

  6. Choose Save.

To manage permissions in ACM Private CA (AWS CLI)

Use the create-permission command to assign permissions to ACM. You must assign all possible permissions (IssueCertificate, GetCertificate, and ListPermissions) in order for ACM to automatically renew your certificates.

aws acm-pca create-permission \ --certificate-authority-arn arn:aws:acm-pca:region:account:\ certificate-authority/12345678-1234-1234-1234-123456789012 \ --actions IssueCertificate, GetCertificate, ListPermissions \ --principal

Use the list-permissions command to list the permissions delegated by a CA.

aws acm-pca list-permissions \ --certificate-authority-arn arn:aws:acm-pca:region:account:\ certificate-authority/123455678-1234-1234-1234-123456789012

Use the delete-permission command to revoke permissions assigned by a CA to an AWS service principal.

aws acm-pca delete-permission \ --certificate-authority-arn arn:aws:acm-pca:region:account:\ certificate-authority/12345678-1234-1234-1234-123456789012 \ --principal