Secure Kubernetes with Amazon Private Certificate Authority - Amazon Private Certificate Authority
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Secure Kubernetes with Amazon Private Certificate Authority

You can use Amazon Private Certificate Authority to provide certificates for secure authentication and encryption over TLS and mTLS. Amazon Private CA provides an open source plugin, Amazon Private CA Connector for Kubernetes (aws-privateca-issuer), for the widely adopted cert-manager add-on to Kubernetes. cert-manager requests certificates, distributes them to Kubernetes secrets, and automates certificate renewal.

The aws-privateca-issuer plugin allows you to issue Amazon Private CA certificates through cert-manager. You can use the plugin with Amazon Elastic Kubernetes Service (Amazon EKS), with a self-managed Kubernetes cluster on Amazon, or with an on-premises Kubernetes cluster. The plugin works on both x86 and ARM architectures.
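The flow described above, as an added example that is not part of the Amazon documentation or the aws-privateca-issuer project: a cluster-wide issuer backed by a private CA, plus a Certificate that cert-manager obtains through that issuer, stores in a Secret, and renews automatically. The CA ARN placeholder, region, namespace and resource names are assumptions, and the plugin's IAM identity is assumed to already have permission to issue and retrieve certificates from that CA.

```yaml
# Added example, not from the Amazon docs or the aws-privateca-issuer project.
# Assumed values: the CA ARN placeholder, region, namespace and names.
apiVersion: awspca.cert-manager.io/v1beta1
kind: AWSPCAClusterIssuer
metadata:
  name: private-ca-issuer
spec:
  # ARN of an existing Amazon Private CA; replace the placeholder.
  arn: arn:aws:acm-pca:us-east-1:111122223333:certificate-authority/CA-ID-PLACEHOLDER
  region: us-east-1
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: payments-api-tls
  namespace: payments
spec:
  # cert-manager writes tls.crt, tls.key and ca.crt into this Secret,
  # which a pod or Ingress then mounts or references.
  secretName: payments-api-tls
  commonName: payments-api.payments.svc.cluster.local
  dnsNames:
    - payments-api.payments.svc.cluster.local
    - payments-api.payments.svc
  duration: 720h     # 30 days; short lifetimes limit the damage from a leaked key
  renewBefore: 240h  # cert-manager re-requests from the CA 10 days before expiry
  privateKey:
    algorithm: ECDSA
    size: 256
    rotationPolicy: Always   # fresh key pair on every renewal, not just a new cert
  usages:
    - digital signature
    - key encipherment
    - server auth
    - client auth            # lets the same identity act as an mTLS client
  issuerRef:
    group: awspca.cert-manager.io
    kind: AWSPCAClusterIssuer
    name: private-ca-issuer
```

After applying the manifests, `kubectl get certificate -n payments` should show the Certificate as READY, and `kubectl describe certificate payments-api-tls -n payments` reports the CA-side issuance or permission errors if it is not.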

Amazon Private CA uses HSM-backed keys that can't be exported. If you have regulatory requirements for controlling access to, and auditing, your CA operations, you can use Amazon Private CA to improve auditability and to support compliance.

Note

If you are running on Amazon EKS, we recommend that you use the cert-manager and aws-privateca-connector-for-kubernetes add-ons for a managed installation experience. For more information, refer to Amazon add-ons.