Certificate authority modes - AWS Private Certificate Authority

Certificate authority modes

AWS Private CA supports the creation of a CA in either of two modes. The modes, GENERAL_PURPOSE and SHORT_LIVED_CERTIFICATE, affect the allowed validity period of the certificates issued by the CA.

Note

AWS Private CA does not perform validity checks on root CA certificates.

GENERAL_PURPOSE (default)

This mode permits the CA to issue certificates with any validity period. Most applications use certificates of this type. Typically, the CA also specifies a revocation mechanism.

SHORT_LIVED_CERTIFICATE

This mode defines a CA that exclusively issues certificates with a maximum validity period of seven days. These short-lived certificates expire so quickly that they can be deployed without a revocation mechanism in place. For some applications, it makes more sense to frequently deploy short-lived certificates than to incur the network and processing overhead of revocation.

CAs with SHORT_LIVED_CERTIFICATE mode cost less than general-purpose CAs. For more information, see AWS Private Certificate Authority Pricing.

To create a CA that issues short-lived certificates, set the UsageMode parameter to SHORT_LIVED_CERTIFICATE using the AWS CLI procedure for creating a CA.
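As an added example (not AWS's own code), the request shapes for CreateCertificateAuthority and IssueCertificate with the UsageMode set, plus a client-side guard that refuses validity periods a SHORT_LIVED_CERTIFICATE CA cannot issue; the helper names and the placeholder bucket/ARN values are assumptions:

```python
"""Added example (not AWS's own code): request shapes for AWS Private CA's
CreateCertificateAuthority and IssueCertificate APIs, plus a client-side guard
for the seven-day limit of SHORT_LIVED_CERTIFICATE mode. Helper names are assumed."""

USAGE_MODES = ("GENERAL_PURPOSE", "SHORT_LIVED_CERTIFICATE")
SHORT_LIVED_MAX_DAYS = 7  # documented cap for SHORT_LIVED_CERTIFICATE mode

def create_ca_params(usage_mode, common_name, crl_bucket=None):
    """Keyword arguments for CreateCertificateAuthority (root CA, RSA-2048/SHA-256)."""
    if usage_mode not in USAGE_MODES:
        raise ValueError(f"unknown usage mode: {usage_mode}")
    params = {
        "CertificateAuthorityType": "ROOT",
        "UsageMode": usage_mode,
        "CertificateAuthorityConfiguration": {
            "KeyAlgorithm": "RSA_2048",
            "SigningAlgorithm": "SHA256WITHRSA",
            "Subject": {"CommonName": common_name},
        },
    }
    # CRL revocation is attached only when a bucket is given; a short-lived CA
    # is typically created without one, since its certificates expire within days.
    if crl_bucket is not None:
        params["RevocationConfiguration"] = {"CrlConfiguration": {
            "Enabled": True, "ExpirationInDays": 7, "S3BucketName": crl_bucket}}
    return params

def validity_days_for(usage_mode, requested_days):
    """Return the validity to request, or raise if the CA mode cannot issue it."""
    if requested_days < 1:
        raise ValueError("validity must be at least one day")
    if usage_mode == "SHORT_LIVED_CERTIFICATE" and requested_days > SHORT_LIVED_MAX_DAYS:
        raise ValueError(f"{usage_mode} CAs issue at most {SHORT_LIVED_MAX_DAYS}-day "
                         f"certificates; requested {requested_days}")
    return requested_days

def issue_params(ca_arn, csr_pem, usage_mode, requested_days):
    """Keyword arguments for IssueCertificate; Validity is expressed in DAYS."""
    days = validity_days_for(usage_mode, requested_days)
    return {
        "CertificateAuthorityArn": ca_arn,
        "Csr": csr_pem.encode() if isinstance(csr_pem, str) else csr_pem,
        "SigningAlgorithm": "SHA256WITHRSA",
        "Validity": {"Value": days, "Type": "DAYS"},
    }
```

Pass the returned dicts as `**kwargs` to a boto3 `acm-pca` client's `create_certificate_authority` and `issue_certificate` calls; the guard fails fast locally instead of waiting for the service to reject an over-long validity against a short-lived CA.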

Note

AWS Certificate Manager cannot issue certificates signed by a private CA with short-lived mode.

Use of short-lived certificates is supported by the following AWS services: