AWS Certificate Manager Private Certificate Authority
User Guide (Version latest)

RFC Compliance

ACM Private CA does not enforce certain constraints defined in RFC 5280. The reverse situation is also true – certain additional constraints appropriate to a private CA are enforced.


  • Not After date. In conformity with RFC 5280, ACM Private CA prevents the issuance of certificates bearing a Not After date later than the Not After date of the issuing CA's certificate.

Not enforced

  • Name constraints. These constraints on a CA govern what subject names are valid for downstream certificates. ACM Private CA does not require this information.

  • Policy constraints. These constraints limit a CA's capacity to issue subordinate CA certificates.

  • Basic constraints. These constraints specify whether a certificate defines a CA, and how many intermediate certificates are allowed in the chain of trust for subordinate CAs.