How to choose a PKI service

AWS offers two primary PKI services, ACM and AWS Private CA. Use the guidance here to help you decide which service to use for a given scenario.

When to use ACM

A public SSL/TLS certificate authenticates the identity of your web server to any client that connects to it and lets the two establish a secure connection; it chains to a root that browsers and operating systems already trust. With ACM, you can create and manage public and private SSL/TLS certificates, or import a public certificate issued outside AWS into your AWS environment.

When do I use it?

Use ACM when you need to create a new public certificate, renew a public certificate created with ACM, or import an existing public certificate into your AWS environment.

Use ACM to issue a private certificate and manage it alongside your public certificates. You must first use AWS Private CA to create the private CA that signs those certificates; ACM then requests each private certificate from that CA on your behalf. Private certificates created in ACM are bound by the following restrictions:

When to use AWS Private CA

Private certificates are issued by a private CA and are used exclusively for authentication between entities within your organization. Because the private CA's root is not in the trust stores shipped with browsers and operating systems, private certificates are not publicly trusted: only clients that have been configured to trust your private root will accept them. AWS Private CA lets you establish a private CA and use it to create and manage private certificates under its authority. Private certificates can be managed by AWS Private CA as a standalone service or in conjunction with ACM.

  • Use AWS Private CA if you need to create an internal CA (a root or a subordinate CA) that issues certificates for your own systems.

  • Use AWS Private CA if you need to issue a private certificate that authenticates an internal entity, such as a service, device, or user, to other systems inside your organization.


ACM can also issue private certificates once a private CA has been established. But AWS Private CA gives you more control over how those certificates are issued and managed, including the certificate template, key algorithm, and validity period.
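The trust boundary described above can be seen on the command line. The following is an added example, not part of the AWS documentation: it uses the openssl CLI to build a throwaway private root CA and issue a leaf certificate from it (the same role AWS Private CA and ACM play, except that here the CA key sits in a temporary directory rather than an HSM), then verifies the leaf twice. Against the default public trust store the certificate is rejected; with the private root explicitly trusted it passes. The CA name, hostname, and file names are constructed for the example.

```shell
#!/usr/bin/env sh
# Added example (not AWS code): private-CA-issued certificates are only trusted
# by clients that have been told to trust the private root.
# Requires the openssl CLI. All material is constructed in a temp dir.

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# 1. Self-signed root CA. This is what AWS Private CA holds for you; the default
#    openssl config marks a self-signed "req -x509" certificate as CA:TRUE.
make_private_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/CN=Example Internal Root CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# 2. Leaf certificate for an internal service, signed by the private root.
#    In AWS this is the step ACM performs when you request a private certificate
#    and supply the private CA's ARN.
issue_leaf() {
    openssl req -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=svc.internal.example" \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
    printf 'subjectAltName=DNS:svc.internal.example\nextendedKeyUsage=serverAuth\nbasicConstraints=CA:FALSE\n' \
        > "$WORK/leaf.ext"
    openssl x509 -req -sha256 -days 7 \
        -in "$WORK/leaf.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -extfile "$WORK/leaf.ext" -out "$WORK/leaf.crt" 2>/dev/null
}

# Verify against the default (public) trust store only.
# Prints "trusted" or "untrusted".
verify_public() {
    if openssl verify "$WORK/leaf.crt" >/dev/null 2>&1; then
        echo trusted
    else
        echo untrusted
    fi
}

# Verify with the private root pinned. -no-CAfile/-no-CApath exclude the system
# store so the result depends only on the private root we supply.
verify_private() {
    if openssl verify -no-CAfile -no-CApath -CAfile "$WORK/ca.crt" \
            "$WORK/leaf.crt" >/dev/null 2>&1; then
        echo trusted
    else
        echo untrusted
    fi
}

make_private_ca
issue_leaf
echo "default trust store : $(verify_public)"    # untrusted
echo "private root pinned : $(verify_private)"   # trusted
```

The second check is the one a practitioner should replicate on each client that must accept a private certificate: distribute the private root (and only that root) to the client's trust store, and confirm the verification succeeds with nothing else trusted. A client that accepts the certificate without the root present is trusting something it should not.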