AWS Certificate Manager Private Certificate Authority
User Guide (Version latest)

Private Certificate Authority Security

AWS Certificate Manager Private Certificate Authority is a managed private CA service that enables you to easily and securely manage your certificate authority infrastructure and your private certificates. ACM PCA provides a highly available private CA service without the investment and maintenance costs of operating your own certificate authority. ACM PCA extends ACM certificate management to private certificates, enabling you to manage public and private certificates in one console.

The private keys for your private CAs are stored in AWS managed hardware security modules (HSMs). These adhere to FIPS 140-2 Level 3 security standards. You can control access to your CAs by setting AWS Identity and Access Management (IAM) policies on users, groups, and roles in your organization.

Your private CA can automatically create certificate revocation lists (CRLs). Client applications can query a CRL to determine whether a certificate has been revoked. You can generate audit reports that list the certificates that your private CA has issued and revoked. You can turn on CloudTrail to log AWS and ACM PCA access.

For more information about AWS and ACM PCA features that you can use to help secure your private CA, see the following topics: