Architect your solution for Amazon Private CA
Amazon Private CA gives you complete, cloud-based control over your organization's private PKI (public key infrastructure), extending from a root certificate authority (CA), through subordinate CAs, to end-entity certificates. Thorough planning is essential for a PKI that is secure, maintainable, extensible, and suited to your organization's needs. This section provides guidance on designing a CA hierarchy, managing your private CA and private end-entity certificate lifecycles, and applying best practices for security.
This section describes how to prepare Amazon Private CA for use before you create a private certificate authority (CA). It also explains the option to add revocation support through Online Certificate Status Protocol (OCSP) or a certificate revocation list (CRL).
In addition, you should determine whether your organization prefers to host its private root CA credentials on premises rather than with Amazon. In that case, you need to set up and secure a self-managed private PKI before using Amazon Private CA. In this scenario, you then create a subordinate CA in Amazon Private CA backed by a parent CA outside of Amazon Private CA. For more information, see Installing a subordinate CA certificate signed by an external parent CA.