What is AWS Private CA? - AWS Private Certificate Authority

What is AWS Private CA?

AWS Private CA enables creation of private certificate authority (CA) hierarchies, including root and subordinate CAs, without the investment and maintenance costs of operating an on-premises CA. Your private CAs can issue end-entity X.509 certificates useful in scenarios including:

  • Creating encrypted TLS communication channels

  • Authenticating users, computers, API endpoints, and IoT devices

  • Cryptographically signing code

  • Implementing Online Certificate Status Protocol (OCSP) for obtaining certificate revocation status

AWS Private CA operations can be accessed from the AWS Management Console, using the AWS Private CA API, or using the AWS CLI.

What is the best certificate service for my needs?

There are two AWS services for issuing and deploying X.509 certificates. Choose the one that best fits your needs. Considerations include whether you need public- or private-facing certificates, customized certificates, certificates you want to deploy into other AWS services, or automated certificate management and renewal.

  1. AWS Private CA—This service is for enterprise customers building a public key infrastructure (PKI) inside the AWS cloud and intended for private use within an organization. With AWS Private CA, you can create your own CA hierarchy and issue certificates with it for authenticating internal users, computers, applications, services, servers, and other devices, and for signing computer code. Certificates issued by a private CA are trusted only within your organization, not on the internet.

    After creating a private CA, you have the ability to issue certificates directly (that is, without obtaining validation from a third-party CA) and to customize them to meet your organization's internal needs. For example, you may want to:

    • Create certificates with any subject name.

    • Create certificates with any expiration date.

    • Use any supported private key algorithm and key length.

    • Use any supported signing algorithm.

    • Control certificate issuance using templates.

    You are in the right place for this service. To get started, sign into the https://console.aws.amazon.com/acm-pca/ console.

  2. AWS Certificate Manager (ACM)—This service manages certificates for enterprise customers who need a publicly trusted secure web presence using TLS. You can deploy ACM certificates into AWS Elastic Load Balancing, Amazon CloudFront, Amazon API Gateway, and other integrated services. The most common application of this kind is a secure public website with significant traffic requirements.

    With this service, you can use public certificates provided by ACM (ACM certificates) or certificates that you import into ACM. If you use AWS Private CA to create a CA, ACM can manage certificate issuance from that private CA and automate certificate renewals.

    For more information, see the AWS Certificate Manager User Guide.



    Integrated services


    RFC compliance