

# Add tags for your private CA
<a name="PcaCaTagging"></a>

Tags are words or phrases that act as metadata for identifying and organizing Amazon resources. Each tag consists of a **key** and a **value**. You can use the Amazon Private CA console, Amazon Command Line Interface (Amazon CLI), or the PCA API to add, view, or remove tags for private CAs. 

You can add or remove custom tags for your private CA at any time. For example, you could tag private CAs with key-value pairs like `Environment=Prod` or `Environment=Beta` to identify which environment the CA is intended for. For more information, see [Create a Private CA](create-CA.md).

**Note**  
To attach tags to a private CA during the creation procedure, a CA administrator must first associate an inline IAM policy with the `CreateCertificateAuthority` action and explicitly allow tagging. For more information, see [Tag-on-create: Attaching tags to a CA at the time of creation](auth-InlinePolicies.md#tag-on-create).

Other Amazon resources also support tagging. You can assign the same tag to different resources to indicate that those resources are related. For example, you can assign a tag such as `Website=example.com` to your CA, the Elastic Load Balancing load balancer, and other related resources. For more information on tagging Amazon resources, see [Tagging your Amazon EC2 Resources](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Tags.html) in the [Amazon EC2 User Guide](https://docs.aws.amazon.com/ec2/index.html#lang/en_us).

The following basic restrictions apply to Amazon Private CA tags:
+ The maximum number of tags per private CA is 50.
+ The maximum length of a tag key is 128 characters.
+ The maximum length of a tag value is 256 characters.
+ The tag key and value can contain the following characters: A-Z, a-z, and .:+=@_%-(hyphen).
+ Tag keys and values are case-sensitive.
+ The `aws:` and `rds:` prefixes are reserved for Amazon use; you cannot add, edit, or delete tags whose key begins with `aws:` or `rds:`. Default tags that begin with `aws:` and `rds:` do not count against your tags-per-resource quota.
+ If you plan to use your tagging schema across multiple services and resources, remember that other services might have different restrictions for allowed characters. Refer to the documentation for that service. 
+ Amazon Private CA tags are not available for use in the [Resource Groups and Tag Editor](http://www.amazonaws.cn/blogs/aws/resource-groups-and-tagging/) in the Amazon Web Services Management Console. 
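
The restrictions above can be checked before a tag set is sent to the service. The following POSIX shell function is an added example, not part of the Amazon Private CA tooling; the name `check_pca_tags`, the `CA_ARN` variable, and the allowed character class (letters plus `.:+=@_%-`) are assumptions, so widen the class if the service accepts more in your tests.

```shell
#!/bin/sh
# Added example: pre-flight check of a tag set against the restrictions above.
# Usage: check_pca_tags KEY VALUE [KEY VALUE ...]
# Prints one line per finding; exits 0 if nothing blocks the set, 1 otherwise.
check_pca_tags() (
    LC_ALL=C; export LC_ALL        # byte-wise ranges and lengths
    rc=0; count=0; seen=''
    if [ $(( $# % 2 )) -ne 0 ]; then
        echo "usage: check_pca_tags KEY VALUE [KEY VALUE ...]"
        exit 2
    fi
    while [ $# -gt 0 ]; do
        key=$1; value=$2; shift 2
        # Reserved prefixes cannot be added and do not count toward the quota.
        case $key in
            aws:*|rds:*) echo "reserved prefix: $key"; rc=1; continue ;;
        esac
        count=$((count + 1))
        [ ${#key} -le 128 ]   || { echo "key longer than 128: $key"; rc=1; }
        [ ${#value} -le 256 ] || { echo "value longer than 256 for key: $key"; rc=1; }
        # Assumed class: letters plus . : + = @ _ % and hyphen.
        for field in "$key" "$value"; do
            case $field in
                *[!A-Za-z.:+=@_%-]*)
                    echo "character outside allowed set: $field"; rc=1 ;;
            esac
        done
        # Keys are case-sensitive: Environment and environment are two tags.
        folded=$(printf '%s' "$key" | tr 'A-Z' 'a-z')
        case "|$seen" in
            *"|$folded|"*) echo "warning: key repeats or differs only by case: $key" ;;
        esac
        seen="$seen$folded|"
    done
    [ "$count" -le 50 ] || { echo "too many tags: $count > 50"; rc=1; }
    exit "$rc"
)

# Gate the tagging call on the check (CA_ARN is a placeholder variable):
# check_pca_tags Admin Alice && aws acm-pca tag-certificate-authority \
#     --certificate-authority-arn "$CA_ARN" --tags Key=Admin,Value=Alice
```

Case-variant keys are reported as warnings only, because they are valid but distinct tags.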

You can tag a private CA from the [Amazon Private CA Console](https://console.amazonaws.cn/acm-pca), the [Amazon Command Line Interface (Amazon CLI)](https://docs.amazonaws.cn/cli/latest/reference/), or the [Amazon Private CA API](https://docs.amazonaws.cn/privateca/latest/APIReference/).

**To tag a private CA (console)**

1. Sign in to your Amazon account and open the Amazon Private CA console at [https://console.amazonaws.cn/acm-pca/home](https://console.amazonaws.cn/acm-pca/home).

1. On the **Private certificate authorities** page, choose your private CA from the list.

1. In the details area below the list, choose the **Tags** tab. A list of existing tags is displayed.

1. Choose **Manage tags**.

1. Choose **Add new tag**.

1. Type a key and value pair.

1. Choose **Save**.

**To tag a private CA (Amazon CLI)**  
Use the [tag-certificate-authority](https://docs.amazonaws.cn/cli/latest/reference/acm-pca/tag-certificate-authority.html) command to add tags to your private CA. 

```
$ aws acm-pca tag-certificate-authority \
     --certificate-authority-arn arn:aws:acm-pca:region:account:certificate-authority/CA_ID \
     --tags Key=Admin,Value=Alice
```

Use the [list-tags](https://docs.amazonaws.cn/cli/latest/reference/acm-pca/list-tags.html) command to list the tags for a private CA. 

```
$ aws acm-pca list-tags \
     --certificate-authority-arn arn:aws:acm-pca:region:account:certificate-authority/CA_ID \
     --max-results 10
```

Use the [untag-certificate-authority](https://docs.amazonaws.cn/cli/latest/reference/acm-pca/untag-certificate-authority.html) command to remove tags from a private CA. 

```
$ aws acm-pca untag-certificate-authority \
     --certificate-authority-arn arn:aws:acm-pca:region:account:certificate-authority/CA_ID \
     --tags Key=Purpose,Value=Website
```