# Secure Kubernetes with Amazon Private Certificate Authority
<a name="PcaKubernetes"></a>

You can use Amazon Private Certificate Authority to provide certificates for secure authentication and encryption over TLS and mTLS. Amazon Private CA provides an open source plugin, [Amazon Private CA Connector for Kubernetes](https://github.com/cert-manager/aws-privateca-issuer), (`aws-privateca-issuer`) for the widely adopted [cert-manager](https://cert-manager.io/docs/) add-on to Kubernetes that requests certificates, distributes them to Kubernetes secrets, and automates certificate renewal.

The `aws-privateca-issuer` plugin allows you to issue Amazon Private CA certificates through `cert-manager`. You can use the plugin with Amazon Elastic Kubernetes Service (Amazon EKS), a self-managed Kubernetes cluster on Amazon, or in an on-premise Kubernetes cluster. The plugin works on both x86 and ARM architectures.

Amazon Private CA has HSM backed keys that can't be exported. If you have regulatory requirements for controlling access and auditing your CA operations, you can use Amazon Private CA to improve auditability and to support compliance.

**Note**  
If you are running on Amazon EKS, we recommend that you use the `cert-manager` and `aws-privateca-connector-for-kubernetes` add-ons for a managed installation experience. For more information, refer to [Amazon add-ons](https://docs.amazonaws.cn/eks/latest/userguide/workloads-add-ons-available-eks.html#add-ons-aws-privateca-connector).