Conditions for using Amazon Private CA to sign ACM private certificates - Amazon Certificate Manager
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Conditions for using Amazon Private CA to sign ACM private certificates

You can use Amazon Private CA to sign your ACM certificates in either of two cases:

  • Single account: The signing CA and the Amazon Certificate Manager (ACM) certificate that is issued reside in the same Amazon account.

    For single-account issuance and renewals to be enabled, the Amazon Private CA administrator must grant permission to the ACM service principal to create, retrieve, and list certificates. This is done using the Amazon Private CA API action CreatePermission or the Amazon CLI command create-permission. The account owner assigns these permissions to an IAM user, group, or role that is responsible for issuing certificates.

  • Cross-account: The signing CA and the ACM certificate that is issued reside in different Amazon accounts, and access to the CA has been granted to the account where the certificate resides.

    To enable cross-account issuance and renewals, the Amazon Private CA administrator must attach a resource-based policy to the CA using the Amazon Private CA API action PutPolicy or the Amazon CLI command put-policy. The policy specifies principals in other accounts that are allowed limited access to the CA. For more information, see Using a Resource Based Policy with ACM Private CA.

    The cross-account scenario also requires ACM to set up a service-linked role (SLR) to interact as a principal with the PCA policy. ACM creates the SLR automatically while issuing the first certificate.

    ACM might alert you that it cannot determine whether an SLR exists on your account. If the required iam:GetRole permission has already been granted to the ACM SLR for your account, then the alert will not recur after the SLR is created. If it does recur, then you or your account administrator might need to grant the iam:GetRole permission to ACM, or associate your account with the ACM-managed policy AWSCertificateManagerFullAccess.

    For more information, see Using a Service Linked Role with ACM.

Important

Your ACM certificate must be actively associated with a supported Amazon service before it can be automatically renewed. For information about the resources that ACM supports, see Services integrated with ACM.