AWS Certificate Manager Private Certificate Authority
User Guide (Version latest)

What Is ACM PCA?

Welcome to the AWS Certificate Manager Private Certificate Authority service. You can use this service to create a secure private certificate authority (CA). You can use your CA to issue, revoke, and retrieve private certificates. Private certificates identify resources within an organization such as clients, servers, applications, services, devices, and users. In establishing a secure encrypted communications channel, each resource endpoint uses a certificate and cryptographic techniques to prove its identity to another endpoint. Internal API endpoints, web servers, VPN users, IoT devices, and many other applications use private certificates to establish encrypted communication channels that are necessary for their secure operation.

Both public and private certificates help customers identify resources on networks and secure communication between these resources. Public certificates identify resources on the public Internet whereas private certificates do so for private networks. One key difference is that applications and browsers trust public certificates by default whereas an administrator must explicitly configure applications to trust private certificates. Public CAs, the entities that issue public certificates, must follow strict rules, provide operational visibility, and meet security standards imposed by the browser and operating system vendors. Private CAs are managed by private organizations, and private CA administrators can make their own rules for issuing private certificates. These include practices for issuing certificates and what information a certificate can include.

You can use ACM PCA to do the following:

  • Create a private subordinate certificate authority (CA).

  • Retrieve your private CA certificate.

  • Change the status of your private CA.

  • Delete your private CA.

  • Create a certificate revocation list (CRL) that the private CA will maintain.

  • Update the CRL configuration.

  • Use your private CA to issue certificates.

  • Revoke issued certificates.

  • Retrieve issued or revoked certificates.

  • Create audit reports that contain issuance and revocation information.

  • Add tags to your private CA.

  • List and delete your tags.

  • List your private CAs.

To get started, you must have an intermediate or root CA available for your organization. This might be an on-premises CA, a CA hosted in the cloud, or a commercially available CA. Use your organization's CA to create and sign the private CA certificate. For more information about the steps you must follow to create a private CA, see Getting Started.

ACM PCA is integrated with AWS Certificate Manager. You can use the ACM console, CLI, or API to issue private certificates, or you can use standalone ACM PCA to do so. Private certificates issued by using ACM closely resemble public ACM certificates.

The benefits of using ACM are:

  • Provides a console for you to use to request and manage private certificates.

  • Manages the private keys associated with your certificates.

  • Renews private certificates that ACM manages.

  • Enables you to export your certificates for use anywhere.

  • Enables you to deploy your certificate with other integrated AWS services.

The benefits of using standalone ACM PCA are:

  • You can create a certificate with any subject name to identify anything you want.

  • You can use any of the supported private key algorithms and key lengths.

  • You can use any of the signing algorithms that are currently supported.

  • You can avoid constraints imposed on public certificates and CAs.

  • You can import your private certificates into ACM and IAM.