Certificate authority modes
AWS Private CA supports the creation of a CA in either of two modes. The modes, GENERAL_PURPOSE and SHORT_LIVED_CERTIFICATE, affect the allowed validity period of the certificates issued by the CA.
AWS Private CA does not perform validity checks on root CA certificates.
GENERAL_PURPOSE (default)
This mode permits the CA to issue certificates with any validity period. Most applications use certificates of this type. Typically, the CA also specifies a revocation mechanism.
SHORT_LIVED_CERTIFICATE
This mode defines a CA that exclusively issues certificates with a maximum validity period of seven days. These short-lived certificates expire so quickly that they can be deployed without a revocation mechanism in place. For some applications, it makes more sense to frequently deploy short-lived certificates than to incur the network and processing overhead of revocation.
CAs with SHORT_LIVED_CERTIFICATE mode cost less than general-purpose CAs. For more information, see AWS Private Certificate Authority Pricing.
To create a CA that issues short-lived certificates, set the UsageMode parameter to SHORT_LIVED_CERTIFICATE using the AWS CLI procedure for creating a CA.
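The following is an added example, not AWS code: it models the rule above (a SHORT_LIVED_CERTIFICATE CA issues nothing valid for longer than seven days, a GENERAL_PURPOSE CA has no cap) as a pre-flight check that a deployment pipeline can run on an IssueCertificate request before it reaches the API. The Validity dictionary shape ({'Value': int, 'Type': 'DAYS'|'MONTHS'|'YEARS'|'ABSOLUTE'|'END_DATE'}) mirrors the ACM PCA API; the 30-day month and 365-day year approximations, and the `ca_accepts` function name, are assumptions of this example.

```python
"""Pre-flight check: would a private CA in a given UsageMode accept this validity period?

Added example, not AWS code. A SHORT_LIVED_CERTIFICATE CA caps validity at seven days
(the value stated in the documentation); a GENERAL_PURPOSE CA accepts any period.
"""
from datetime import datetime, timedelta, timezone
from typing import Optional

SHORT_LIVED_MAX = timedelta(days=7)   # cap for SHORT_LIVED_CERTIFICATE mode
MODES = {"GENERAL_PURPOSE", "SHORT_LIVED_CERTIFICATE"}


def validity_to_timedelta(validity: dict, now: datetime) -> timedelta:
    """Convert an API-style Validity block into a duration measured from `now` (UTC)."""
    value, vtype = int(validity["Value"]), validity["Type"]
    if vtype == "DAYS":
        return timedelta(days=value)
    if vtype == "MONTHS":            # assumption: 30 days per month (always > 7 days)
        return timedelta(days=30 * value)
    if vtype == "YEARS":             # assumption: 365 days per year
        return timedelta(days=365 * value)
    if vtype == "ABSOLUTE":          # Unix epoch seconds
        return datetime.fromtimestamp(value, tz=timezone.utc) - now
    if vtype == "END_DATE":          # YYYYMMDDHHMMSS, interpreted as UTC
        end = datetime.strptime(str(value), "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
        return end - now
    raise ValueError(f"unknown Validity.Type {vtype!r}")


def ca_accepts(usage_mode: str, validity: dict, now: Optional[datetime] = None) -> bool:
    """True if a CA created with `usage_mode` may issue a certificate with `validity`."""
    if usage_mode not in MODES:
        raise ValueError(f"unknown UsageMode {usage_mode!r}")
    now = now or datetime.now(timezone.utc)
    lifetime = validity_to_timedelta(validity, now)
    if lifetime <= timedelta(0):
        return False                 # end date already passed: rejected in either mode
    if usage_mode == "GENERAL_PURPOSE":
        return True                  # any validity period is allowed
    return lifetime <= SHORT_LIVED_MAX


if __name__ == "__main__":
    # Constructed sample: a seven-day request passes, a thirteen-month request does not.
    print(ca_accepts("SHORT_LIVED_CERTIFICATE", {"Value": 7, "Type": "DAYS"}))
    print(ca_accepts("SHORT_LIVED_CERTIFICATE", {"Value": 13, "Type": "MONTHS"}))
```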
AWS Certificate Manager cannot issue certificates signed by a private CA with short-lived mode.
Use of short-lived certificates is supported by the following AWS services: