RFC compliance - AWS Certificate Manager Private Certificate Authority

RFC compliance

ACM Private CA does not enforce certain constraints defined in RFC 5280. The reverse is also true: certain additional constraints appropriate to a private CA are enforced.

Enforced

  • Not After date. In conformity with RFC 5280, ACM Private CA prevents the issuance of certificates bearing a Not After date later than the Not After date of the issuing CA's certificate.

  • Basic constraints. ACM Private CA enforces basic constraints and path length in imported CA certificates.

    Basic constraints indicate whether or not the resource identified by the certificate is a CA and can issue certificates. CA certificates imported to ACM Private CA must include the basic constraints extension, and the extension must be marked critical. In addition to the critical flag, CA=true must be set. ACM Private CA enforces basic constraints by failing with a validation exception for the following reasons:

    • The extension is not included in the CA certificate.

    • The extension is not marked critical.

    Path length determines the maximum depth of valid certification paths below the imported CA certificate in the validation chain. ACM Private CA enforces path length by failing with a validation exception for the following reasons:

    • Importing a CA certificate would violate the path length constraint in the CA certificate or in any CA certificate in the chain.

    • Issuing a certificate would violate a path length constraint.

  • Name constraints. These constraints on a CA govern what subject names are valid for downstream certificates. For more information, see (Optional) Enforcing name constraints on an externally signed private CA.

Not enforced

  • Policy constraints. These constraints limit a CA's capacity to issue subordinate CA certificates.

  • Subject Key Identifier (SKI) and Authority Key Identifier (AKI). The RFC requires a CA certificate to contain the SKI extension. Certificates issued by the CA must contain an AKI extension matching the CA certificate's SKI. AWS does not enforce these requirements. If your CA certificate does not contain an SKI, the AKI of the issued end-entity or subordinate CA certificate will instead be the SHA-1 hash of the issuer's public key.

  • SubjectPublicKeyInfo and Subject Alternative Name (SAN). When issuing a certificate, ACM Private CA copies the SubjectPublicKeyInfo and SAN extensions from the provided CSR without performing validation.
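The rules on this page can be checked locally before a CA certificate is imported or a chain is trusted. The following is an added example, not AWS code and not part of the original page, written with the Python `cryptography` package (`pip install cryptography`). Every key and certificate (the names `root`, `sub`, `sub2`, `weak` and `leaf`) is constructed in-process for illustration, so it runs offline. It applies the enforced rules from the first list (basic constraints present, critical and CA=true; path length; Not After no later than the issuer's) and the SKI/AKI linkage rule that ACM Private CA does not enforce, including the SHA-1-of-issuer-key fallback described above, which it recomputes independently with `hashlib`.

```python
"""Lint a private CA chain against the rules described on this page.

Added example; uses the 'cryptography' package. Certificates are built in
memory, nothing here contacts AWS.
"""
import datetime
import hashlib
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID


def _ski_digest(public_key):
    # RFC 5280 4.2.1.2 method (1): SHA-1 over the subjectPublicKey bit string.
    return x509.SubjectKeyIdentifier.from_public_key(public_key).digest


def _ext(cert, cls):
    try:
        return cert.extensions.get_extension_for_class(cls)
    except x509.ExtensionNotFound:
        return None


def _cn(cert):
    return cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value


def _is_ca(cert):
    ext = _ext(cert, x509.BasicConstraints)
    return bool(ext and ext.value.ca)


def _not_after(cert):
    # not_valid_after_utc exists on newer cryptography releases; fall back otherwise.
    return getattr(cert, "not_valid_after_utc", None) or cert.not_valid_after


def expected_aki(issuer_cert):
    """AKI an issued cert should carry: the issuer's SKI, else SHA-1 of its key."""
    ski = _ext(issuer_cert, x509.SubjectKeyIdentifier)
    return ski.value.digest if ski else _ski_digest(issuer_cert.public_key())


def make_cert(cn, key, issuer=None, *, ca, path_len=None, days=365,
              critical=True, with_ski=True):
    """Build a certificate; issuer is (cert, key) or None for self-signed."""
    now = datetime.datetime.now(datetime.timezone.utc)
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    b = (x509.CertificateBuilder()
         .subject_name(subject)
         .issuer_name(subject if issuer is None else issuer[0].subject)
         .public_key(key.public_key())
         .serial_number(x509.random_serial_number())
         .not_valid_before(now - datetime.timedelta(minutes=5))
         .not_valid_after(now + datetime.timedelta(days=days))
         .add_extension(x509.BasicConstraints(ca=ca, path_length=path_len), critical=critical))
    if with_ski:
        b = b.add_extension(x509.SubjectKeyIdentifier(_ski_digest(key.public_key())), critical=False)
    if issuer is not None:
        # Same linkage the page describes: issuer SKI if present, else SHA-1 of issuer key.
        b = b.add_extension(x509.AuthorityKeyIdentifier(expected_aki(issuer[0]), None, None),
                            critical=False)
    return b.sign(key if issuer is None else issuer[1], hashes.SHA256())


def check_ca_cert(cert):
    """Import rules ACM Private CA enforces: extension present, critical, CA=true."""
    ext = _ext(cert, x509.BasicConstraints)
    if ext is None:
        return ["basic constraints extension missing"]
    problems = []
    if not ext.critical:
        problems.append("basic constraints not marked critical")
    if not ext.value.ca:
        problems.append("CA flag is not true")
    return problems


def lint_chain(chain):
    """chain is ordered root first, issued certificate last. Returns findings."""
    findings = []
    for i, cert in enumerate(chain):
        if i == len(chain) - 1 and not _is_ca(cert):
            continue  # an end-entity certificate is not subject to CA rules
        findings += [f"{_cn(cert)}: {p}" for p in check_ca_cert(cert)]
        bc = _ext(cert, x509.BasicConstraints)
        plen = bc.value.path_length if bc else None
        below = sum(1 for c in chain[i + 1:] if _is_ca(c))  # subordinate CAs beneath
        if plen is not None and below > plen:
            findings.append(f"{_cn(cert)}: path length {plen} exceeded by {below} subordinate CA(s)")
    for issuer, cert in zip(chain, chain[1:]):
        if _not_after(cert) > _not_after(issuer):
            findings.append(f"{_cn(cert)}: Not After later than issuer's")
        aki = _ext(cert, x509.AuthorityKeyIdentifier)
        if aki is None or aki.value.key_identifier != expected_aki(issuer):
            findings.append(f"{_cn(cert)}: AKI does not match issuer key")
    return findings


def fallback_aki_is_sha1_of_key(issuer_cert, issued_cert):
    """Recompute the SKI-less fallback with hashlib: SHA-1 of the EC point bytes."""
    point = issuer_cert.public_key().public_bytes(
        serialization.Encoding.X962, serialization.PublicFormat.UncompressedPoint)
    aki = _ext(issued_cert, x509.AuthorityKeyIdentifier)
    return aki is not None and aki.value.key_identifier == hashlib.sha1(point).digest()


def demo():
    """Constructed hierarchy: one compliant chain and one that breaks several rules."""
    k = {n: ec.generate_private_key(ec.SECP256R1()) for n in ("root", "sub", "sub2", "weak", "leaf")}
    root = make_cert("root", k["root"], ca=True, path_len=1, days=3650)
    sub = make_cert("sub", k["sub"], (root, k["root"]), ca=True, path_len=0, days=1825, with_ski=False)
    leaf = make_cert("leaf", k["leaf"], (sub, k["sub"]), ca=False, days=365)
    # sub2 is a CA under a path_len=0 CA; weak has non-critical basic constraints
    # and a Not After later than its issuer's.
    sub2 = make_cert("sub2", k["sub2"], (sub, k["sub"]), ca=True, days=365)
    weak = make_cert("weak", k["weak"], (sub2, k["sub2"]), ca=True, days=4000, critical=False)
    return {"good": lint_chain([root, sub, leaf]),
            "bad": lint_chain([root, sub, sub2, weak]),
            "fallback_ok": fallback_aki_is_sha1_of_key(sub, leaf)}


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

`lint_chain` treats the last certificate as an end entity unless its own basic constraints mark it as a CA, so the same function covers both a chain ending in a leaf and a subordinate CA certificate about to be imported. The AKI check is the one ACM Private CA does not perform; running it yourself is how you notice an issuer that lacks an SKI before its issued certificates start carrying the SHA-1 fallback.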