Private certificates in Amazon Certificate Manager
If you have access to an existing private CA created by Amazon Private CA, Amazon Certificate Manager (ACM) can request a certificate suited for use in your private key infrastructure (PKI). The CA may either reside in your account or be shared with you by a different account. For information about creating a private CA, see Create a Private Certificate Authority.
Certificates signed by a private CA are not trusted by default, and ACM does not support any form of validation for them. Consequently, an administrator must take action to install them in your organizations's client trust stores.
Private ACM certificates follow the X.509 standard and are subject to the following restrictions:
-
Names: You must use DNS-compliant subject names. For more information, see Domain Names.
-
Algorithm: For encryption, the certificate private key algorithm must be either 2048-bit RSA, 256-bit ECDSA, or 384-bit ECDSA.
Note
The specified signing algorithm family (RSA or ECDSA) must match the algorithm family of the CA's secret key.
-
Expiration: Each certificate is valid for 13 months (395 days). The end date of the signing CA certificate must exceed the end date of the requested certificate, or else the certificate request will fail.
-
Renewal: ACM attempts to renew a private certificate automatically after 11 months.
The private CA used to sign the end-entity certificates is subject to its own restrictions:
-
The CA must have a status of Active.
-
The CA private key algorithm must be RSA 2048 or RSA 4096.
Note
Unlike publicly trusted certificates, certificates signed by a private CA do not require validation.