AWS Certificate Manager Private Certificate Authority
User Guide (Version latest)

Using Templates

ACM Private CA uses templates to create both CA certificates and end-entity certificates that identify users, hosts, resources, and devices. When you create a certificate in the console, a template is applied automatically. The template that is applied is based on the type of certificate that you have chosen and the path-length that you specify. If you use the CLI or API to create a certificate, you manually provide the ARN of the template that you want to apply. (The EndEntityCertificate template is applied if you provide no ARN.)

The table below lists template types supported by ACM Private CA and links to their definitions.

Template Name | Template ARN | Certificate Type | Path Length
CodeSigningCertificate/V1 | arn:aws:acm-pca:::template/CodeSigningCertificate/V1 | Code signing | Not applicable
CodeSigningCertificate_CSRPassthrough/V1 | arn:aws:acm-pca:::template/CodeSigningCertificate_CSRPassthrough/V1 | Code signing | Not applicable
EndEntityCertificate/V1 | arn:aws:acm-pca:::template/EndEntityCertificate/V1 | End-entity | Not applicable
EndEntityCertificate_CSRPassthrough/V1 | arn:aws:acm-pca:::template/EndEntityCertificate_CSRPassthrough/V1 | End-entity/passthrough | Not applicable
EndEntityClientAuthCertificate/V1 | arn:aws:acm-pca:::template/EndEntityClientAuthCertificate/V1 | End-entity | Not applicable
EndEntityClientAuthCertificate_CSRPassthrough/V1 | arn:aws:acm-pca:::template/EndEntityClientAuthCertificate_CSRPassthrough/V1 | End-entity/passthrough | Not applicable
EndEntityServerAuthCertificate/V1 | arn:aws:acm-pca:::template/EndEntityServerAuthCertificate/V1 | End-entity | Not applicable
EndEntityServerAuthCertificate_CSRPassthrough/V1 | arn:aws:acm-pca:::template/EndEntityServerAuthCertificate_CSRPassthrough/V1 | End-entity/passthrough | Not applicable
OCSPSigningCertificate/V1 | arn:aws:acm-pca:::template/OCSPSigningCertificate/V1 | OCSP signing | Not applicable
OCSPSigningCertificate_CSRPassthrough/V1 | arn:aws:acm-pca:::template/OCSPSigningCertificate_CSRPassthrough/V1 | OCSP signing | Not applicable
RootCACertificate/V1 | arn:aws:acm-pca:::template/RootCACertificate/V1 | CA | Unconstrained
SubordinateCACertificate_PathLen0/V1 | arn:aws:acm-pca:::template/SubordinateCACertificate_PathLen0/V1 | CA | 0
SubordinateCACertificate_PathLen1/V1 | arn:aws:acm-pca:::template/SubordinateCACertificate_PathLen1/V1 | CA | 1
SubordinateCACertificate_PathLen2/V1 | arn:aws:acm-pca:::template/SubordinateCACertificate_PathLen2/V1 | CA | 2
SubordinateCACertificate_PathLen3/V1 | arn:aws:acm-pca:::template/SubordinateCACertificate_PathLen3/V1 | CA | 3

For information about template ARNs in GovCloud regions, see AWS Certificate Manager Private Certificate Authority in the AWS GovCloud (US) User Guide.
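The following is an added example, not code from this guide or from ACM Private CA, showing how a caller selects one of the template ARNs in the table and assembles the IssueCertificate request that the CLI or API needs. The request keys are boto3's IssueCertificate parameters (CertificateAuthorityArn, Csr, SigningAlgorithm, TemplateArn, Validity, IdempotencyToken). The CA ARN, the CSR bytes and all function names are placeholders chosen for the example, and the path-length pre-flight check is the example's own (derived from RFC 5280), not a documented ACM Private CA behaviour.

```python
"""Select an ACM Private CA template ARN and assemble the IssueCertificate call.

Added example; not code from the AWS documentation or from ACM Private CA.
The template ARNs are the ones listed in the table above. The CA ARN, CSR and
function names are placeholders chosen for this example.
"""
import uuid

# Base names of the end-entity templates on this page, keyed by purpose.
# Appending "_CSRPassthrough" selects the passthrough form of each.
END_ENTITY_TEMPLATES = {
    "end_entity": "EndEntityCertificate",        # server + client auth EKU
    "server": "EndEntityServerAuthCertificate",  # server auth EKU only
    "client": "EndEntityClientAuthCertificate",  # client auth EKU only
    "code_signing": "CodeSigningCertificate",
    "ocsp_signing": "OCSPSigningCertificate",
}

# The page lists SubordinateCACertificate_PathLen0 through _PathLen3.
MAX_SUBORDINATE_PATH_LEN = 3


def end_entity_template_arn(kind, csr_passthrough=False, partition="aws"):
    """ARN of the end-entity template for `kind` (a key of END_ENTITY_TEMPLATES).

    `partition` is "aws" for the ARNs on this page; GovCloud regions use a
    different partition (see the GovCloud guide referenced above).
    """
    name = END_ENTITY_TEMPLATES[kind]
    if csr_passthrough:
        name += "_CSRPassthrough"
    return f"arn:{partition}:acm-pca:::template/{name}/V1"


def subordinate_template_arn(path_len, parent_path_len=None, partition="aws"):
    """ARN of the SubordinateCACertificate_PathLen<N>/V1 template.

    `parent_path_len` is the issuing CA's own pathLenConstraint, or None when
    the issuer is unconstrained (for example a root issued with
    RootCACertificate/V1). RFC 5280 section 4.2.1.9 defines pathLenConstraint
    as the maximum number of non-self-issued intermediate CAs that may follow
    the certificate, so a child's constraint must be smaller than its parent's
    and a parent with pathlen 0 cannot issue any subordinate CA. Rejecting
    such a request before calling the API is this example's own check.
    """
    if not 0 <= path_len <= MAX_SUBORDINATE_PATH_LEN:
        raise ValueError(f"no template for path length {path_len}")
    if parent_path_len is not None and path_len >= parent_path_len:
        raise ValueError(
            f"parent pathlen {parent_path_len} cannot issue a CA with pathlen {path_len}"
        )
    return (f"arn:{partition}:acm-pca:::template/"
            f"SubordinateCACertificate_PathLen{path_len}/V1")


def build_issue_request(ca_arn, csr_pem, template_arn, validity_days,
                        signing_algorithm="SHA256WITHRSA"):
    """Keyword arguments for boto3's acm-pca IssueCertificate.

    If TemplateArn were omitted, ACM Private CA would apply
    EndEntityCertificate/V1, so this example always sets it explicitly.
    """
    return {
        "CertificateAuthorityArn": ca_arn,
        "Csr": csr_pem,
        "SigningAlgorithm": signing_algorithm,
        "TemplateArn": template_arn,
        "Validity": {"Value": validity_days, "Type": "DAYS"},
        # 1-36 printable characters; a uuid4 hex string is 32.
        "IdempotencyToken": uuid.uuid4().hex,
    }


def issue(client, request):
    """Submit `request` with a boto3 acm-pca client; return the certificate ARN.

    `client` is boto3.client("acm-pca"). It is passed in so the rest of the
    module can be exercised without AWS credentials.
    """
    return client.issue_certificate(**request)["CertificateArn"]


if __name__ == "__main__":
    # Placeholder CA ARN and CSR (constructed for the example); a real CSR is
    # the PEM produced by `openssl req -new ...` or an equivalent tool.
    ca_arn = "arn:aws:acm-pca:us-east-1:111122223333:certificate-authority/EXAMPLE"
    csr_pem = b"-----BEGIN CERTIFICATE REQUEST-----\n...\n-----END CERTIFICATE REQUEST-----\n"
    req = build_issue_request(ca_arn, csr_pem,
                              end_entity_template_arn("server"), validity_days=90)
    print(req["TemplateArn"])
```

To issue for real, pass `boto3.client("acm-pca")` to `issue()`; the IdempotencyToken lets a retried call return the same certificate instead of a duplicate.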

CodeSigningCertificate/V1 Definition

This template is used to create certificates for code signing. You can use code-signing certificates from ACM Private CA with any code-signing solution that is based on a private CA infrastructure. For example, customers using Code Signing for AWS IoT can generate a code-signing certificate with ACM Private CA and import it to AWS Certificate Manager. For more information, see What Is Code Signing for AWS IoT? and Obtain and Import a Code Signing Certificate.

Parameter | Value
X509v3 subject alternative name | [copy from CSR]
X509v3 basic constraints | CA:FALSE
X509v3 authority key identifier | [AKI]
X509v3 subject key identifier | [SKI]
X509v3 key usage | critical, digital signature
X509v3 extended key usage | critical, code signing
X509v3 CRL distribution points* | [CRL distribution point]

*CRL distribution points are included in the template only if the CA is configured with CRL generation enabled.

CodeSigningCertificate_CSRPassthrough/V1 Definition

This template is identical to the CodeSigningCertificate template with one difference: in this template, ACM Private CA passes additional extensions from the certificate signing request (CSR) into the certificate if the extensions are not specified in the template. Extensions specified in the template always override extensions in the CSR. Because the requester, not the template, decides which extra extensions a passthrough template carries into the certificate, review the CSR's extensions before issuing with it.

Parameter | Value
X509v3 subject alternative name | [copy from CSR]
X509v3 basic constraints | CA:FALSE
X509v3 authority key identifier | [AKI]
X509v3 subject key identifier | [SKI]
X509v3 key usage | critical, digital signature
X509v3 extended key usage | critical, code signing
X509v3 CRL distribution points* | [CRL distribution point]

*CRL distribution points are included in the template only if the CA is configured with CRL generation enabled.
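The passthrough rule above is easy to misjudge when reviewing a CSR, so here is an added example (not ACM Private CA's code, and it does not call the service) that models the rule as stated: every template copies the subject alternative name from the CSR, a _CSRPassthrough template additionally copies CSR extensions the template does not set itself, and a template-specified extension always overrides the CSR. The fixed values are transcribed from the CodeSigningCertificate and EndEntityServerAuthCertificate definitions on this page; the CSR extension sets are constructed for the example, and `review_csr` is the example's own pre-issuance check.

```python
"""Model of how template extensions combine with CSR extensions.

Added example; not ACM Private CA's code. It encodes the rule stated on this
page. Fixed values are the page's own wording for two templates; the CSR
extension dictionaries are constructed for the example.
"""

# Extensions each template fixes, keyed by the non-passthrough template name.
# SAN and CRL distribution points are handled separately because they depend
# on the CSR and on the CA's CRL configuration respectively.
TEMPLATE_FIXED_EXTENSIONS = {
    "EndEntityServerAuthCertificate/V1": {
        "basicConstraints": "CA:FALSE",
        "authorityKeyIdentifier": "[AKI]",
        "subjectKeyIdentifier": "[SKI]",
        "keyUsage": "critical, digital signature, key encipherment",
        "extendedKeyUsage": "TLS web server authentication",
    },
    "CodeSigningCertificate/V1": {
        "basicConstraints": "CA:FALSE",
        "authorityKeyIdentifier": "[AKI]",
        "subjectKeyIdentifier": "[SKI]",
        "keyUsage": "critical, digital signature",
        "extendedKeyUsage": "critical, code signing",
    },
}

PASSTHROUGH_SUFFIX = "_CSRPassthrough/V1"


def split_template(template_name):
    """Return (base template name, is_passthrough)."""
    if template_name.endswith(PASSTHROUGH_SUFFIX):
        return template_name[: -len(PASSTHROUGH_SUFFIX)] + "/V1", True
    return template_name, False


def resolve_extensions(template_name, csr_extensions, crl_enabled=False):
    """Extensions the issued certificate carries under `template_name`."""
    base, passthrough = split_template(template_name)
    issued = dict(TEMPLATE_FIXED_EXTENSIONS[base])
    if "subjectAltName" in csr_extensions:       # [copy from CSR], every template
        issued["subjectAltName"] = csr_extensions["subjectAltName"]
    if crl_enabled:                               # only if the CA generates CRLs
        issued["crlDistributionPoints"] = "[CRL distribution point]"
    if passthrough:
        for name, value in csr_extensions.items():
            issued.setdefault(name, value)        # template value wins on conflict
    return issued


def review_csr(template_name, csr_extensions):
    """Classify each CSR extension as 'overridden', 'passed_through' or 'dropped'.

    Anything 'passed_through' other than the SAN is content the requester, not
    the CA operator, chose; that is the list to inspect before issuing.
    """
    base, passthrough = split_template(template_name)
    fixed = set(TEMPLATE_FIXED_EXTENSIONS[base])
    verdict = {}
    for name in csr_extensions:
        if name in fixed:
            verdict[name] = "overridden"
        elif name == "subjectAltName" or passthrough:
            verdict[name] = "passed_through"
        else:
            verdict[name] = "dropped"
    return verdict


if __name__ == "__main__":
    # Constructed CSR: a legitimate SAN and OCSP must-staple request, plus a
    # hostile attempt to obtain a CA certificate through an end-entity template.
    csr = {
        "subjectAltName": "DNS:www.example.com",
        "tlsFeature": "status_request",
        "basicConstraints": "critical, CA:TRUE",
        "keyUsage": "critical, keyCertSign",
    }
    for t in ("EndEntityServerAuthCertificate/V1",
              "EndEntityServerAuthCertificate_CSRPassthrough/V1"):
        print(t, review_csr(t, csr), resolve_extensions(t, csr))
```

Running it shows that the hostile CA:TRUE and keyCertSign requests are overridden under both forms of the template, while tlsFeature reaches the certificate only through the passthrough form.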

EndEntityCertificate/V1 Definition

This template is used to create certificates for end entities such as operating systems or web servers.

Parameter | Value
X509v3 subject alternative name | [copy from CSR]
X509v3 basic constraints | CA:FALSE
X509v3 authority key identifier | [AKI]
X509v3 subject key identifier | [SKI]
X509v3 key usage | critical, digital signature, key encipherment
X509v3 extended key usage | TLS web server authentication, TLS web client authentication
X509v3 CRL distribution points* | [CRL distribution point]

*CRL distribution points are included in the template only if the CA is configured with CRL generation enabled.

EndEntityCertificate_CSRPassthrough/V1 Definition

This template is identical to the EndEntityCertificate template with one difference: In this template, ACM Private CA passes additional extensions from the certificate signing request (CSR) into the certificate if the extensions are not specified in the template. Extensions specified in the template always override extensions in the CSR.

Parameter | Value
X509v3 subject alternative name | [copy from CSR]
X509v3 basic constraints | CA:FALSE
X509v3 authority key identifier | [AKI]
X509v3 subject key identifier | [SKI]
X509v3 key usage | critical, digital signature, key encipherment
X509v3 extended key usage | TLS web server authentication, TLS web client authentication
X509v3 CRL distribution points* | [CRL distribution point]

*CRL distribution points are included in the template only if the CA is configured with CRL generation enabled.

EndEntityClientAuthCertificate/V1 Definition

This template differs from the EndEntityCertificate only in the extended key usage value, which restricts it to TLS web client authentication.

Parameter | Value
X509v3 subject alternative name | [copy from CSR]
X509v3 basic constraints | CA:FALSE
X509v3 authority key identifier | [AKI]
X509v3 subject key identifier | [SKI]
X509v3 key usage | critical, digital signature, key encipherment
X509v3 extended key usage | TLS web client authentication
X509v3 CRL distribution points* | [CRL distribution point]

*CRL distribution points are included in the template only if the CA is configured with CRL generation enabled.

EndEntityClientAuthCertificate_CSRPassthrough/V1 Definition

This template is identical to the EndEntityClientAuthCertificate template with one difference. In this template, ACM Private CA passes additional extensions from the certificate signing request (CSR) into the certificate if the extensions are not specified in the template. Extensions specified in the template always override extensions in the CSR.

Parameter | Value
X509v3 subject alternative name | [copy from CSR]
X509v3 basic constraints | CA:FALSE
X509v3 authority key identifier | [AKI]
X509v3 subject key identifier | [SKI]
X509v3 key usage | critical, digital signature, key encipherment
X509v3 extended key usage | TLS web client authentication
X509v3 CRL distribution points* | [CRL distribution point]

*CRL distribution points are included in the template only if the CA is configured with CRL generation enabled.

EndEntityServerAuthCertificate/V1 Definition

This template differs from the EndEntityCertificate only in the extended key usage value, which restricts it to TLS web server authentication.

Parameter | Value
X509v3 subject alternative name | [copy from CSR]
X509v3 basic constraints | CA:FALSE
X509v3 authority key identifier | [AKI]
X509v3 subject key identifier | [SKI]
X509v3 key usage | critical, digital signature, key encipherment
X509v3 extended key usage | TLS web server authentication
X509v3 CRL distribution points* | [CRL distribution point]

*CRL distribution points are included in the template only if the CA is configured with CRL generation enabled.

EndEntityServerAuthCertificate_CSRPassthrough/V1 Definition

This template is identical to the EndEntityServerAuthCertificate template with one difference. In this template, ACM Private CA passes additional extensions from the certificate signing request (CSR) into the certificate if the extensions are not specified in the template. Extensions specified in the template always override extensions in the CSR.

Parameter | Value
X509v3 subject alternative name | [copy from CSR]
X509v3 basic constraints | CA:FALSE
X509v3 authority key identifier | [AKI]
X509v3 subject key identifier | [SKI]
X509v3 key usage | critical, digital signature, key encipherment
X509v3 extended key usage | TLS web server authentication
X509v3 CRL distribution points* | [CRL distribution point]

*CRL distribution points are included in the template only if the CA is configured with CRL generation enabled.

OCSPSigningCertificate/V1 Definition

This template is used to create certificates for signing OCSP responses. The template is identical to the CodeSigningCertificate template, except that the extended key usage value specifies OCSP signing instead of code signing.

Parameter | Value
X509v3 subject alternative name | [copy from CSR]
X509v3 basic constraints | CA:FALSE
X509v3 authority key identifier | [AKI]
X509v3 subject key identifier | [SKI]
X509v3 key usage | critical, digital signature
X509v3 extended key usage | critical, OCSP signing
X509v3 CRL distribution points* | [CRL distribution point]

*CRL distribution points are included in the template only if the CA is configured with CRL generation enabled.

OCSPSigningCertificate_CSRPassthrough/V1 Definition

This template is identical to the OCSPSigningCertificate template with one difference. In this template, ACM Private CA passes additional extensions from the certificate signing request (CSR) into the certificate if the extensions are not specified in the template. Extensions specified in the template always override extensions in the CSR.

Parameter | Value
X509v3 subject alternative name | [copy from CSR]
X509v3 basic constraints | CA:FALSE
X509v3 authority key identifier | [AKI]
X509v3 subject key identifier | [SKI]
X509v3 key usage | critical, digital signature
X509v3 extended key usage | critical, OCSP signing
X509v3 CRL distribution points* | [CRL distribution point]

*CRL distribution points are included in the template only if the CA is configured with CRL generation enabled.

RootCACertificate/V1 Definition

This template is used to issue self-signed root CA certificates. CA certificates include a critical basic constraints extension with the CA field set to TRUE to designate that the certificate can be used to issue CA certificates. This template does not set a path length constraint: a path length caps the depth of the CA hierarchy below the certificate (the CA certification depth), and constraining it at the root could block later expansion of the hierarchy. Extended key usage is excluded to prevent use of the CA certificate as a TLS client or server certificate.

Parameter | Value
X509v3 subject alternative name | [copy from CSR]
X509v3 basic constraints | critical, CA:TRUE
X509v3 authority key identifier | [AKI]
X509v3 subject key identifier | [SKI]

SubordinateCACertificate_PathLen0/V1 Definition

This template is used to issue subordinate CA certificates with a path length of 0. CA certificates include a critical basic constraints extension with the CA field set to TRUE to designate that the certificate can be used to issue CA certificates. Extended key usage is not included, which prevents the CA certificate from being used as a TLS client or server certificate.

For more information about certification paths, see Setting Length Constraints on the Certification Path.

Parameter | Value
X509v3 subject alternative name | [copy from CSR]
X509v3 basic constraints | critical, CA:TRUE, pathlen: 0
X509v3 authority key identifier | [AKI]
X509v3 subject key identifier | [SKI]
X509v3 key usage | critical, digital signature, keyCertSign, CRL sign
X509v3 CRL distribution points* | [CRL distribution point]

*CRL distribution points are included in certificates issued with this template only if the CA is configured with CRL generation enabled.

SubordinateCACertificate_PathLen1/V1 Definition

This template is used to issue subordinate CA certificates with a path length of 1. CA certificates include a critical basic constraints extension with the CA field set to TRUE to designate that the certificate can be used to issue CA certificates. Extended key usage is not included, which prevents the CA certificate from being used as a TLS client or server certificate.

For more information about certification paths, see Setting Length Constraints on the Certification Path.

Parameter | Value
X509v3 subject alternative name | [copy from CSR]
X509v3 basic constraints | critical, CA:TRUE, pathlen: 1
X509v3 authority key identifier | [AKI]
X509v3 subject key identifier | [SKI]
X509v3 key usage | critical, digital signature, keyCertSign, CRL sign
X509v3 CRL distribution points* | [CRL distribution point]

*CRL distribution points are included in certificates issued with this template only if the CA is configured with CRL generation enabled.

SubordinateCACertificate_PathLen2/V1 Definition

This template is used to issue subordinate CA certificates with a path length of 2. CA certificates include a critical basic constraints extension with the CA field set to TRUE to designate that the certificate can be used to issue CA certificates. Extended key usage is not included, which prevents the CA certificate from being used as a TLS client or server certificate.

For more information about certification paths, see Setting Length Constraints on the Certification Path.

Parameter | Value
X509v3 subject alternative name | [copy from CSR]
X509v3 basic constraints | critical, CA:TRUE, pathlen: 2
X509v3 authority key identifier | [AKI]
X509v3 subject key identifier | [SKI]
X509v3 key usage | critical, digital signature, keyCertSign, CRL sign
X509v3 CRL distribution points* | [CRL distribution point]

*CRL distribution points are included in certificates issued with this template only if the CA is configured with CRL generation enabled.

SubordinateCACertificate_PathLen3/V1 Definition

This template is used to issue subordinate CA certificates with a path length of 3. CA certificates include a critical basic constraints extension with the CA field set to TRUE to designate that the certificate can be used to issue CA certificates. Extended key usage is not included, which prevents the CA certificate from being used as a TLS client or server certificate.

For more information about certification paths, see Setting Length Constraints on the Certification Path.

Parameter | Value
X509v3 subject alternative name | [copy from CSR]
X509v3 basic constraints | critical, CA:TRUE, pathlen: 3
X509v3 authority key identifier | [AKI]
X509v3 subject key identifier | [SKI]
X509v3 key usage | critical, digital signature, keyCertSign, CRL sign
X509v3 CRL distribution points* | [CRL distribution point]

*CRL distribution points are included in certificates issued with this template only if the CA is configured with CRL generation enabled.