Controlling Access to a Private CA - AWS Certificate Manager Private Certificate Authority

Any principal with the necessary permissions on a private CA from ACM Private CA can use that CA to sign certificates. The CA owner can issue certificates directly, or delegate the permissions needed for issuing certificates to an AWS Identity and Access Management (IAM) user or role in the same AWS account through an IAM policy. A principal in a different AWS account can also issue certificates if the CA owner authorizes it through a resource-based policy attached to the CA; the policy should name the specific account and the specific CA rather than granting access broadly.

Authorized users, whether in the CA's own account or in another account, can issue certificates through either the ACM Private CA API or the AWS Certificate Manager (ACM) API, and the choice determines how the certificate is managed afterwards. Certificates issued by using the ACM Private CA IssueCertificate API or the issue-certificate CLI command are unmanaged: the caller retrieves the certificate, installs it on the target device by hand, and must request a replacement before it expires. Certificates issued by using the ACM console, the ACM RequestCertificate API, or the request-certificate CLI command are managed: ACM stores the certificate and its private key and can deploy it to services integrated with ACM. If the CA owner has granted the ACM service principal the required permissions on the CA (with CreatePermission in the same account, or through the CA's resource-based policy for a cross-account issuer) and the issuer's account has the service-linked role for ACM in place, managed certificates are renewed automatically before they expire rather than after.
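The two grants described above, the cross-account delegation through a resource-based policy and the permission the ACM service principal needs for managed renewals, are easy to get wrong in the permissive direction. The following is an added example, not AWS's own code or anything from this guide: it builds a least-privilege CA resource policy for one issuer account and lints a policy for the over-broad grants a reviewer would look for (any-account principals, wildcard actions, IssueCertificate with no template restriction, and a service-principal grant with no aws:SourceAccount condition). The account IDs and CA ARN are placeholders; the acm-pca action names and the acm-pca:TemplateArn and aws:SourceAccount condition keys are real. It makes no AWS calls; its output is the JSON you would pass to `aws acm-pca put-policy`.

```python
"""Build and lint a resource-based policy for an ACM Private CA.

Added example, not AWS's own code. Account IDs and the CA ARN are placeholders.
"""
import json

# Read actions a delegate needs to work with the CA and fetch issued certificates.
READ_ACTIONS = [
    "acm-pca:DescribeCertificateAuthority",
    "acm-pca:GetCertificate",
    "acm-pca:GetCertificateAuthorityCertificate",
    "acm-pca:ListPermissions",
]

# Actions the ACM service principal uses when it issues and renews managed
# certificates on behalf of a caller in the delegate account.
ACM_SERVICE_ACTIONS = ["acm-pca:IssueCertificate", "acm-pca:GetCertificate", "acm-pca:ListPermissions"]

END_ENTITY_TEMPLATE = "arn:aws:acm-pca:::template/EndEntityCertificate/V1"

# Placeholder CA ARN (constructed, not a real CA).
EXAMPLE_CA_ARN = "arn:aws:acm-pca:us-east-1:555555555555:certificate-authority/11111111-2222-3333-4444-555555555555"


def build_cross_account_policy(ca_arn, issuer_account, template_arn=END_ENTITY_TEMPLATE):
    """Least-privilege grant of end-entity issuance on one CA to one account."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # IssueCertificate is pinned to one template, so the delegate cannot
                # request, for example, a subordinate CA certificate from this CA.
                "Sid": "IssueEndEntityOnly",
                "Effect": "Allow",
                "Principal": {"AWS": issuer_account},
                "Action": "acm-pca:IssueCertificate",
                "Resource": ca_arn,
                "Condition": {"StringEquals": {"acm-pca:TemplateArn": template_arn}},
            },
            {   # Read actions carry no TemplateArn key, so they need their own statement.
                "Sid": "ReadCaAndCertificates",
                "Effect": "Allow",
                "Principal": {"AWS": issuer_account},
                "Action": READ_ACTIONS,
                "Resource": ca_arn,
            },
            {   # Lets ACM in the delegate account issue and renew managed certificates;
                # SourceAccount keeps other accounts from riding on the service principal.
                "Sid": "AcmManagedRenewals",
                "Effect": "Allow",
                "Principal": {"Service": "acm.amazonaws.com"},
                "Action": ACM_SERVICE_ACTIONS,
                "Resource": ca_arn,
                "Condition": {"StringEquals": {"aws:SourceAccount": issuer_account}},
            },
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def audit_policy(policy):
    """Return human-readable findings for over-broad Allow statements."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        actions = _as_list(stmt.get("Action", []))
        principal = stmt.get("Principal", {})
        equals = stmt.get("Condition", {}).get("StringEquals", {})
        aws_principals = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
        if "*" in aws_principals:
            findings.append(f"{sid}: Principal '*' lets any AWS account use this CA")
        if any(a in ("*", "acm-pca:*") for a in actions):
            findings.append(f"{sid}: wildcard Action; grant only the acm-pca actions the delegate needs")
        if "acm-pca:IssueCertificate" in actions:
            if isinstance(principal, dict) and "Service" in principal:
                if not equals.get("aws:SourceAccount"):
                    findings.append(f"{sid}: service principal may issue without an aws:SourceAccount condition")
            elif not equals.get("acm-pca:TemplateArn"):
                findings.append(f"{sid}: IssueCertificate without acm-pca:TemplateArn; any template, including CA templates, is allowed")
    return findings


# Constructed over-broad policy for the linter to catch (not from any real account).
PERMISSIVE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "Everyone",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "acm-pca:*",
        "Resource": EXAMPLE_CA_ARN,
    }],
}

if __name__ == "__main__":
    policy = build_cross_account_policy(EXAMPLE_CA_ARN, "111122223333")
    print(json.dumps(policy, indent=2))
    print("findings (least-privilege policy):", audit_policy(policy))
    print("findings (permissive policy):", audit_policy(PERMISSIVE_POLICY))
```

The IssueCertificate grant and the read grants are kept in separate statements on purpose: a StringEquals condition on acm-pca:TemplateArn evaluates false for requests that carry no template (DescribeCertificateAuthority, GetCertificate), so folding all actions into one conditioned statement would silently deny the reads.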