

# Issue and manage certificates in Amazon Private CA

After you have created and activated a private certificate authority (CA) and configured access to it, you or your authorized users can issue and manage certificates. If you have not yet set up Amazon Identity and Access Management (IAM) policies for the CA, you can learn more about configuring them in the [Identity and Access Management](https://docs.amazonaws.cn/privateca/latest/userguide/security-iam.html) section of this guide. For information about configuring CA access in single-account and cross-account scenarios, see [Control access to the private CA](granting-ca-access.md).

**Topics**
+ [Issue private end-entity certificates](PcaIssueCert.md)
+ [Retrieve a private certificate](PcaGetCert.md)
+ [List private certificates](PcaListCerts.md)
+ [Export a private certificate and its secret key](export-in-acm.md)
+ [Revoke a private certificate](PcaRevokeCert.md)
+ [Automate export of a renewed certificate](auto-export.md)
+ [Use Amazon Private CA certificate templates](UsingTemplates.md)

# Issue private end-entity certificates

With a private CA in place, you can request private end-entity certificates from either Amazon Certificate Manager (ACM) or Amazon Private CA. The capabilities of both services are compared in the following table.



|  Capability  |  ACM  |  Amazon Private CA  | 
| --- | --- | --- | 
|  Issue end-entity certificates  |  ✓ (using [RequestCertificate](https://docs.amazonaws.cn/acm/latest/APIReference/API_RequestCertificate.html) or the console)  |  ✓ (using [IssueCertificate](https://docs.amazonaws.cn/privateca/latest/APIReference/API_IssueCertificate.html))  | 
|  Association with load balancers and internet-facing Amazon services  |  ✓  |  Not supported  | 
| Managed certificate renewal | ✓ | Indirectly [supported](https://docs.amazonaws.cn/acm/latest/userguide/managed-renewal.html) through ACM | 
|  Console support  |  ✓  |  Not supported  | 
|  API support  |  ✓  |  ✓  | 
|  CLI support  |  ✓  |  ✓  | 

When Amazon Private CA creates a certificate, it follows a template that specifies the certificate type and path length. If no template ARN is supplied to the API or CLI statement creating the certificate, the [EndEntityCertificate/V1](template-definitions.md#EndEntityCertificate-V1) template is applied by default. For more information about available certificate templates, see [Use Amazon Private CA certificate templates](UsingTemplates.md).

While ACM certificates are designed around public trust, Amazon Private CA serves the needs of your private PKI. Consequently, you can configure certificates using the Amazon Private CA API and CLI in ways not permitted by ACM. These include the following:
+ Creating a certificate with any Subject name.
+ Using any of the [supported private key algorithms and key lengths](https://docs.amazonaws.cn/privateca/latest/userguide/supported-algorithms.html).
+ Using any of the [supported signing algorithms](https://docs.amazonaws.cn/privateca/latest/userguide/supported-algorithms.html).
+ Specifying any validity period for your private [CA](PcaCreateCa.html) and private [certificates](PcaIssueCert.html).

After creating a private TLS certificate using Amazon Private CA, you can [import](https://docs.amazonaws.cn/acm/latest/userguide/import-certificate-api-cli.html) it into ACM and use it with a supported Amazon service.

**Note**  
Certificates created with the procedure below, using the **issue-certificate** command, or with the [IssueCertificate](https://docs.amazonaws.cn/privateca/latest/APIReference/API_IssueCertificate.html) API action, cannot be directly exported for use outside Amazon. However, you can use your private CA to sign certificates issued through ACM, and those certificates can be exported along with their secret keys. For more information, see [Requesting a private certificate](https://docs.amazonaws.cn/acm/latest/userguide/gs-acm-request-private.html) and [Exporting a private certificate](https://docs.amazonaws.cn/acm/latest/userguide/export-private.html) in the *ACM User Guide*.

## Issue a standard certificate (Amazon CLI)


You can use the Amazon Private CA CLI command [issue-certificate](https://docs.amazonaws.cn/cli/latest/reference/acm-pca/issue-certificate.html) or the API action [IssueCertificate](https://docs.amazonaws.cn/privateca/latest/APIReference/API_IssueCertificate.html) to request an end-entity certificate. This command requires the Amazon Resource Name (ARN) of the private CA that you want to use to issue the certificate. You must also generate a certificate signing request (CSR) using a program such as [OpenSSL](https://www.openssl.org/).

If you use the Amazon Private CA API or Amazon CLI to issue a private certificate, the certificate is unmanaged, meaning that you cannot use the ACM console, ACM CLI, or ACM API to view or export it, and the certificate is not automatically renewed. However, you can use the PCA [get-certificate](https://docs.amazonaws.cn/cli/latest/reference/acm-pca/get-certificate.html) command to retrieve the certificate details, and if you own the CA, you can create an [audit report](PcaAuditReport.md).

**Considerations when creating certificates**
+ In compliance with [RFC 5280](https://datatracker.ietf.org/doc/html/rfc5280), the length of the domain name (technically, the Common Name) that you provide cannot exceed 64 octets (characters), including periods. To add a longer domain name, specify it in the Subject Alternative Name field, which supports names up to 253 octets in length. 
+ If you are using Amazon CLI version 1.6.3 or later, use the prefix `fileb://` when specifying base64-encoded input files such as CSRs. This ensures that Amazon Private CA parses the data correctly.

The following OpenSSL command generates a CSR and a private key for a certificate:

```
$ openssl req -out csr.pem -new -newkey rsa:2048 -nodes -keyout private-key.pem
```

You can inspect the content of the CSR as follows:

```
$ openssl req -in csr.pem -text -noout
```

The resulting output should resemble the following abbreviated example:

```
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=US, O=Big Org, CN=example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:ca:85:f4:3a:b7:5f:e2:66:be:fc:d8:97:65:3d:
                    a4:3d:30:c6:02:0a:9e:1c:ca:bb:15:63:ca:22:81:
                    00:e1:a9:c0:69:64:75:57:56:53:a1:99:ee:e1:cd:
                    ...
                    aa:38:73:ff:3d:b7:00:74:82:8e:4a:5d:da:5f:79:
                    5a:89:52:e7:de:68:95:e0:16:9b:47:2d:57:49:2d:
                    9b:41:53:e2:7f:e1:bd:95:bf:eb:b3:a3:72:d6:a4:
                    d3:63
                Exponent: 65537 (0x10001)
        Attributes:
            a0:00
    Signature Algorithm: sha256WithRSAEncryption
         74:18:26:72:33:be:ef:ae:1d:1e:ff:15:e5:28:db:c1:e0:80:
         42:2c:82:5a:34:aa:1a:70:df:fa:4f:19:e2:5a:0e:33:38:af:
         21:aa:14:b4:85:35:9c:dd:73:98:1c:b7:ce:f3:ff:43:aa:11:
         ....
         3c:b2:62:94:ad:94:11:55:c2:43:e0:5f:3b:39:d3:a6:4b:47:
         09:6b:9d:6b:9b:95:15:10:25:be:8b:5c:cc:f1:ff:7b:26:6b:
         fa:81:df:e4:92:e5:3c:e5:7f:0e:d8:d9:6f:c5:a6:67:fb:2b:
         0b:53:e5:22
```

The following command creates a certificate. Because no template is specified, a base end-entity certificate is issued by default.

```
$ aws acm-pca issue-certificate \
      --certificate-authority-arn arn:aws:acm-pca:us-east-1:111122223333:certificate-authority/11223344-1234-1122-2233-112233445566 \
      --csr fileb://csr.pem \
      --signing-algorithm "SHA256WITHRSA" \
      --validity Value=365,Type="DAYS"
```

The ARN of the issued certificate is returned:

```
{
   "CertificateArn":"arn:aws:acm-pca:region:account:certificate-authority/CA_ID/certificate/certificate_ID"
}
```

**Note**  
Amazon Private CA immediately returns an ARN with a serial number when it receives the **issue-certificate** command. However, certificate processing happens asynchronously and can still fail. If this happens, a **get-certificate** command using the new ARN will also fail.

## Issue a certificate with a custom subject name using an APIPassthrough template


In this example, a certificate is issued containing customized subject name elements. In addition to supplying a CSR like the one in [Issue a standard certificate (Amazon CLI)](#IssueCertCli), you pass two additional arguments to the **issue-certificate** command: the ARN of an APIPassthrough template, and a JSON configuration file that specifies the custom attributes and their object identifiers (OIDs). You cannot use `StandardAttributes` in conjunction with `CustomAttributes`; however, you can pass standard OIDs as part of `CustomAttributes`. The default subject name OIDs are listed in the following table (information from [RFC 4519](https://www.rfc-editor.org/rfc/rfc4519) and the [Global OID reference database](https://oidref.com)):


|  Subject name  |  Abbreviation  |  Object ID  | 
| --- | --- | --- | 
|  countryName  |  c  | 2.5.4.6 | 
|  commonName  |  cn  | 2.5.4.3 | 
|  dnQualifier [distinguished name qualifier]  |    | 2.5.4.46 | 
|  generationQualifier  |    | 2.5.4.44 | 
|  givenName  |    | 2.5.4.42 | 
|  initials  |    | 2.5.4.43 | 
|  locality  |  l  | 2.5.4.7 | 
|  organizationName  |  o  | 2.5.4.10 | 
|  organizationalUnitName  |  ou  | 2.5.4.11 | 
|  pseudonym  |    | 2.5.4.65 | 
|  serialNumber  |    | 2.5.4.5 | 
|  st [state]  |    | 2.5.4.8 | 
|  surname  |  sn  | 2.5.4.4 | 
|  title  |    | 2.5.4.12 | 
|  domainComponent  |  dc  |  0.9.2342.19200300.100.1.25  | 
|  userid  |    |  0.9.2342.19200300.100.1.1  | 

The sample configuration file `api_passthrough_config.txt` contains the following code:

```
{
  "Subject": {
    "CustomAttributes": [
      {
        "ObjectIdentifier": "2.5.4.6",
        "Value": "US"
      },
      {
        "ObjectIdentifier": "1.3.6.1.4.1.37244.1.1",
        "Value": "BCDABCDA12341234"
      },
      {
        "ObjectIdentifier": "1.3.6.1.4.1.37244.1.5",
        "Value": "CDABCDAB12341234"
      }
    ]
  }
}
```

Use the following command to issue the certificate:

```
$ aws acm-pca issue-certificate \
      --validity Type=DAYS,Value=10 \
      --signing-algorithm "SHA256WITHRSA" \
      --csr fileb://csr.pem \
      --api-passthrough file://api_passthrough_config.txt \
      --template-arn arn:aws:acm-pca:::template/BlankEndEntityCertificate_APIPassthrough/V1 \
      --certificate-authority-arn arn:aws:acm-pca:us-east-1:111122223333:certificate-authority/11223344-1234-1122-2233-112233445566
```

The ARN of the issued certificate is returned:

```
{
   "CertificateArn":"arn:aws:acm-pca:region:account:certificate-authority/CA_ID/certificate/certificate_ID"
}
```

Retrieve the certificate locally as follows:

```
$ aws acm-pca get-certificate \
      --certificate-authority-arn arn:aws:acm-pca:us-east-1:111122223333:certificate-authority/11223344-1234-1122-2233-112233445566 \
      --certificate-arn arn:aws:acm-pca:region:account:certificate-authority/CA_ID/certificate/certificate_ID | \
      jq -r '.Certificate' > cert.pem
```

You can inspect the certificate's contents using OpenSSL:

```
$ openssl x509 -in cert.pem -text -noout
```

**Note**  
It is also possible to create a private CA that passes custom attributes to each certificate it issues.

## Issue a certificate with custom extensions using an APIPassthrough template


In this example, a certificate is issued that contains customized extensions. For this, you pass three arguments to the **issue-certificate** command: the ARN of an APIPassthrough template, a JSON configuration file that specifies the custom extensions, and a CSR like the one shown in [Issue a standard certificate (Amazon CLI)](#IssueCertCli).

The sample configuration file `api_passthrough_config.txt` contains the following code:

```
{
  "Extensions": {
    "CustomExtensions": [
      {
        "ObjectIdentifier": "2.5.29.30",
        "Value": "MBWgEzARgg8ucGVybWl0dGVkLnRlc3Q=",
        "Critical": true
      }
    ]
  }
}
```

The customized certificate is issued as follows:

```
$ aws acm-pca issue-certificate \
      --validity Type=DAYS,Value=10 \
      --signing-algorithm "SHA256WITHRSA" \
      --csr fileb://csr.pem \
      --api-passthrough file://api_passthrough_config.txt \
      --template-arn arn:aws:acm-pca:::template/EndEntityCertificate_APIPassthrough/V1 \
      --certificate-authority-arn arn:aws:acm-pca:us-east-1:111122223333:certificate-authority/11223344-1234-1122-2233-112233445566
```

The ARN of the issued certificate is returned:

```
{
   "CertificateArn":"arn:aws:acm-pca:region:account:certificate-authority/CA_ID/certificate/certificate_ID"
}
```

Retrieve the certificate locally as follows:

```
$ aws acm-pca get-certificate \
      --certificate-authority-arn arn:aws:acm-pca:us-east-1:111122223333:certificate-authority/11223344-1234-1122-2233-112233445566 \
      --certificate-arn arn:aws:acm-pca:region:account:certificate-authority/CA_ID/certificate/certificate_ID | \
      jq -r '.Certificate' > cert.pem
```

You can inspect the certificate's contents using OpenSSL:

```
$ openssl x509 -in cert.pem -text -noout
```
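The `Value` of a `CustomExtensions` entry is the base64 of the extension's DER encoding, which the configuration above shows but does not derive. The following added example (not code from the Amazon Private CA documentation; standard library only, function names are my own) builds that value for a NameConstraints extension (OID 2.5.29.30) from lists of permitted and excluded `dNSName` or `rfc822Name` subtrees, and reproduces the page's `MBWgEzARgg8ucGVybWl0dGVkLnRlc3Q=` for a single permitted `.permitted.test`.

```python
import base64
import json

# Added example, not from the Amazon Private CA documentation: produce the
# api-passthrough document for a NameConstraints custom extension.

NAME_CONSTRAINTS_OID = "2.5.29.30"


def der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, content: bytes) -> bytes:
    """One DER element: tag, length, content."""
    return bytes([tag]) + der_length(len(content)) + content


def general_name(kind: str, value: str) -> bytes:
    """GeneralName for the two forms most used in private-PKI constraints.

    rfc822Name is context tag [1], dNSName is [2]; both are IMPLICIT IA5String,
    so the context tag replaces the IA5String tag.
    """
    tags = {"rfc822Name": 0x81, "dNSName": 0x82}
    if kind not in tags:
        raise ValueError(f"unsupported GeneralName type: {kind}")
    return der_tlv(tags[kind], value.encode("ascii"))


def general_subtrees(names) -> bytes:
    """GeneralSubtrees ::= SEQUENCE OF GeneralSubtree (base only; RFC 5280
    requires minimum/maximum to be omitted)."""
    return b"".join(der_tlv(0x30, general_name(kind, value)) for kind, value in names)


def name_constraints_der(permitted=(), excluded=()) -> bytes:
    """NameConstraints ::= SEQUENCE { permittedSubtrees [0] OPTIONAL,
    excludedSubtrees [1] OPTIONAL } -- both are constructed context tags."""
    content = b""
    if permitted:
        content += der_tlv(0xA0, general_subtrees(permitted))
    if excluded:
        content += der_tlv(0xA1, general_subtrees(excluded))
    if not content:
        raise ValueError("at least one permitted or excluded subtree is required")
    return der_tlv(0x30, content)


def custom_extension_value(permitted=(), excluded=()) -> str:
    """The base64 string that goes into CustomExtensions[].Value."""
    return base64.b64encode(name_constraints_der(permitted, excluded)).decode("ascii")


def api_passthrough_config(permitted=(), excluded=(), critical=True) -> dict:
    """The full --api-passthrough document carrying the NameConstraints extension."""
    return {"Extensions": {"CustomExtensions": [{
        "ObjectIdentifier": NAME_CONSTRAINTS_OID,
        "Value": custom_extension_value(permitted, excluded),
        "Critical": critical,
    }]}}


if __name__ == "__main__":
    # Same constraint as the page's sample file: only names under .permitted.test.
    print(json.dumps(api_passthrough_config([("dNSName", ".permitted.test")]), indent=2))
```

Write the printed document to `api_passthrough_config.txt` and pass it with `--api-passthrough file://api_passthrough_config.txt` exactly as in the command above.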

# Retrieve a private certificate

You can use the Amazon Private CA API and Amazon CLI to issue a private certificate. If you do, you can use the Amazon CLI or Amazon Private CA API to retrieve that certificate. If you used ACM to create your private CA and to request certificates, you must use ACM to export the certificate and the encrypted private key. For more information, see [Exporting a private certificate](https://docs.amazonaws.cn/acm/latest/userguide/export-private.html). 

**To retrieve an end-entity certificate**  
Use the [get-certificate](https://docs.amazonaws.cn/cli/latest/reference/acm-pca/get-certificate.html) Amazon CLI command to retrieve a private end-entity certificate. You can also use the [GetCertificate](https://docs.amazonaws.cn/privateca/latest/APIReference/API_GetCertificate.html) API operation. We recommend formatting the output with [jq](https://stedolan.github.io/jq/), a sed-like parser.

**Note**  
If you want to revoke a certificate, you can use the **get-certificate** command to retrieve the serial number in hexadecimal format. You can also create an audit report to retrieve the hex serial number. For more information, see [Use audit reports with your private CA](PcaAuditReport.md). 

```
$ aws acm-pca get-certificate \
      --certificate-arn arn:aws:acm-pca:region:account:certificate-authority/CA_ID/certificate/certificate_ID \
      --certificate-authority-arn arn:aws:acm-pca:us-east-1:111122223333:certificate-authority/11223344-1234-1122-2233-112233445566 | \
      jq -r '.Certificate, .CertificateChain'
```

This command outputs the certificate and certificate chain in the following standard format.

```
-----BEGIN CERTIFICATE-----
...base64-encoded certificate...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...base64-encoded certificate...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...base64-encoded certificate...
-----END CERTIFICATE-----
```

**To retrieve a CA certificate**  
You can use the Amazon Private CA API and Amazon CLI to retrieve the certificate authority (CA) certificate for your private CA. Run the [get-certificate-authority-certificate](https://docs.amazonaws.cn/cli/latest/reference/acm-pca/get-certificate-authority-certificate.html) command. You can also call the [GetCertificateAuthorityCertificate](https://docs.amazonaws.cn/privateca/latest/APIReference/API_GetCertificateAuthorityCertificate.html) operation. We recommend formatting the output with [jq](https://stedolan.github.io/jq/), a sed-like parser. 

```
$ aws acm-pca get-certificate-authority-certificate \
     --certificate-authority-arn arn:aws:acm-pca:us-east-1:111122223333:certificate-authority/11223344-1234-1122-2233-112233445566 \
     | jq -r '.Certificate'
```

This command outputs the CA certificate in the following standard format.

```
-----BEGIN CERTIFICATE-----
...base64-encoded certificate...
-----END CERTIFICATE-----
```

# List private certificates

To list your private certificates, generate an audit report, retrieve it from its S3 bucket, and parse the report contents as needed. For information about creating Amazon Private CA audit reports, see [Use audit reports with your private CA](PcaAuditReport.md). For information about retrieving an object from an S3 bucket, see [Downloading an object](https://docs.amazonaws.cn/AmazonS3/latest/userguide/download-objects.html) in the *Amazon Simple Storage Service User Guide*.

The following examples illustrate approaches to creating audit reports and parsing them for useful data. Results are formatted in JSON, and data is filtered using [jq](https://stedolan.github.io/jq/), a sed-like parser.

**1. Create an audit report.**  
The following command generates an audit report for a specified CA. 

```
$ aws acm-pca create-certificate-authority-audit-report \
     --region region \
     --certificate-authority-arn arn:aws:acm-pca:us-east-1:111122223333:certificate-authority/11223344-1234-1122-2233-112233445566 \
     --s3-bucket-name bucket_name \
     --audit-report-response-format JSON
```

When successful, the command returns the ID and location of the new audit report.

```
{
   "AuditReportId":"audit_report_ID",
   "S3Key":"audit-report/CA_ID/audit_report_ID.json"
}
```

**2. Retrieve and format an audit report.**  
This command retrieves an audit report, displays its contents in standard output, and filters the results to show only certificates issued on or after 2020-12-01.

```
$ aws s3api get-object \
     --region region \
     --bucket bucket_name \
     --key audit-report/CA_ID/audit_report_ID.json \
     /dev/stdout | jq '.[] | select(.issuedAt >= "2020-12-01")'
```

The returned items resemble the following:

```
{
   "awsAccountId":"account",
   "certificateArn":"arn:aws:acm-pca:region:account:certificate-authority/CA_ID/certificate/certificate_ID",
   "serial":"serial_number",
   "subject":"CN=pca.alpha.root2.leaf5",
   "notBefore":"2020-12-21T21:28:09+0000",
   "notAfter":"9999-12-31T23:59:59+0000",
   "issuedAt":"2020-12-21T22:28:09+0000",
   "templateArn":"arn:aws:acm-pca:::template/EndEntityCertificate/V1"
}
```

**3. Save an audit report locally.**  
If you want to perform multiple queries, it is convenient to save an audit report to a local file.

```
$ aws s3api get-object \
     --region region \
     --bucket bucket_name \
     --key audit-report/CA_ID/audit_report_ID.json > my_local_audit_report.json
```

The same filter as before yields the same output:

```
$ cat my_local_audit_report.json | jq '.[] | select(.issuedAt >= "2020-12-01")'
{
   "awsAccountId":"account",
   "certificateArn":"arn:aws:acm-pca:region:account:certificate-authority/CA_ID/certificate/certificate_ID",
   "serial":"serial_number",
   "subject":"CN=pca.alpha.root2.leaf5",
   "notBefore":"2020-12-21T21:28:09+0000",
   "notAfter":"9999-12-31T23:59:59+0000",
   "issuedAt":"2020-12-21T22:28:09+0000",
   "templateArn":"arn:aws:acm-pca:::template/EndEntityCertificate/V1"
}
```

**4. Query within a date range**  
You can query for certificates issued within a date range as follows:

```
$ cat my_local_audit_report.json | jq '.[] | select(.issuedAt >= "2020-11-01" and .issuedAt <= "2020-11-10")'
```

The filtered content is displayed in standard output:

```
{
   "awsAccountId": "account",
   "certificateArn": "arn:aws:acm-pca:region:account:certificate-authority/CA_ID/certificate/certificate_ID",
   "serial": "serial_number",
   "subject": "CN=pca.alpha.root2.leaf1",
   "notBefore": "2020-11-06T19:18:21+0000",
   "notAfter": "9999-12-31T23:59:59+0000",
   "issuedAt": "2020-11-06T20:18:22+0000",
   "templateArn": "arn:aws:acm-pca:::template/EndEntityCertificate/V1"
}
{
   "awsAccountId": "account",
   "certificateArn": "arn:aws:acm-pca:region:account:certificate-authority/CA_ID/certificate/certificate_ID",
   "serial": "serial_number",
   "subject": "CN=pca.alpha.root2.rsa2048sha256",
   "notBefore": "2020-11-06T19:15:46+0000",
   "notAfter": "9999-12-31T23:59:59+0000",
   "issuedAt": "2020-11-06T20:15:46+0000",
   "templateArn": "arn:aws:acm-pca:::template/RootCACertificate/V1"
}
{
   "awsAccountId": "account",
   "certificateArn": "arn:aws:acm-pca:region:account:certificate-authority/CA_ID/certificate/certificate_ID",
   "serial": "serial_number",
   "subject": "CN=pca.alpha.root2.leaf2",
   "notBefore": "2020-11-06T20:04:39+0000",
   "notAfter": "9999-12-31T23:59:59+0000",
   "issuedAt": "2020-11-06T21:04:39+0000",
   "templateArn": "arn:aws:acm-pca:::template/EndEntityCertificate/V1"
}
```

**5. Search for certificates following a specified template.**  
The following command filters the report content using a template ARN:

```
$ cat my_local_audit_report.json | jq '.[] | select(.templateArn == "arn:aws:acm-pca:::template/RootCACertificate/V1")'
```

The output displays matching certificate records:

```
{
   "awsAccountId": "account",
   "certificateArn": "arn:aws:acm-pca:region:account:certificate-authority/CA_ID/certificate/certificate_ID",
   "serial": "serial_number",
   "subject": "CN=pca.alpha.root2.rsa2048sha256",
   "notBefore": "2020-11-06T19:15:46+0000",
   "notAfter": "9999-12-31T23:59:59+0000",
   "issuedAt": "2020-11-06T20:15:46+0000",
   "templateArn": "arn:aws:acm-pca:::template/RootCACertificate/V1"
}
```

**6. Filter for revoked certificates**  
To find all revoked certificates, use the following command:

```
$ cat my_local_audit_report.json | jq '.[] | select(.revokedAt != null)'
```

A revoked certificate is displayed as follows:

```
{
   "awsAccountId": "account",
   "certificateArn": "arn:aws:acm-pca:region:account:certificate-authority/CA_ID/certificate/certificate_ID",
   "serial": "serial_number",
   "subject": "CN=pca.alpha.root2.leaf2",
   "notBefore": "2020-11-06T20:04:39+0000",
   "notAfter": "9999-12-31T23:59:59+0000",
   "issuedAt": "2020-11-06T21:04:39+0000",
   "revokedAt": "2021-05-27T18:57:32+0000",
   "revocationReason": "UNSPECIFIED",
   "templateArn": "arn:aws:acm-pca:::template/EndEntityCertificate/V1"
}
```

**7. Filter using a regular expression.**  
The following command searches for subject names that contain the string "leaf":

```
$ cat my_local_audit_report.json | jq '.[] | select(.subject|test("leaf"))'
```

Matching certificate records are returned as follows:

```
{
   "awsAccountId": "account",
   "certificateArn": "arn:aws:acm-pca:region:account:certificate-authority/CA_ID/certificate/certificate_ID",
   "serial": "serial_number",
   "subject": "CN=pca.alpha.roo2.leaf4",
   "notBefore": "2020-11-16T18:17:10+0000",
   "notAfter": "9999-12-31T23:59:59+0000",
   "issuedAt": "2020-11-16T19:17:12+0000",
   "templateArn": "arn:aws:acm-pca:::template/EndEntityCertificate/V1"
}
{
   "awsAccountId": "account",
   "certificateArn": "arn:aws:acm-pca:region:account:certificate-authority/CA_ID/certificate/certificate_ID",
   "serial": "serial_number",
   "subject": "CN=pca.alpha.root2.leaf5",
   "notBefore": "2020-12-21T21:28:09+0000",
   "notAfter": "9999-12-31T23:59:59+0000",
   "issuedAt": "2020-12-21T22:28:09+0000",
   "templateArn": "arn:aws:acm-pca:::template/EndEntityCertificate/V1"
}
{
   "awsAccountId": "account",
   "certificateArn": "arn:aws:acm-pca:region:account:certificate-authority/CA_ID/certificate/certificate_ID",
   "serial": "serial_number",
   "subject": "CN=pca.alpha.root2.leaf1",
   "notBefore": "2020-11-06T19:18:21+0000",
   "notAfter": "9999-12-31T23:59:59+0000",
   "issuedAt": "2020-11-06T20:18:22+0000",
   "templateArn": "arn:aws:acm-pca:::template/EndEntityCertificate/V1"
}
```

# Export a private certificate and its secret key

Amazon Private CA cannot directly export a private certificate that it has signed and issued. However, you can use Amazon Certificate Manager to export such a certificate along with its encrypted secret key. The certificate is then completely portable for deployment anywhere in your private PKI. For more information, see [Exporting a private certificate](https://docs.amazonaws.cn/acm/latest/userguide/export-private.html) in the Amazon Certificate Manager User Guide.

As an added benefit, Amazon Certificate Manager provides managed renewal for private certificates that were issued using the ACM console, the `RequestCertificate` action of the ACM API, or the **request-certificate** command in the ACM section of the Amazon CLI. For more information about renewals, see [Renewing certificates in a private PKI.](https://docs.amazonaws.cn/acm/latest/userguide/renew-private-cert.html)

# Revoke a private certificate

You can revoke an Amazon Private CA certificate using the [revoke-certificate](https://docs.amazonaws.cn/cli/latest/reference/acm-pca/revoke-certificate.html) Amazon CLI command or the [RevokeCertificate](https://docs.amazonaws.cn/privateca/latest/APIReference/API_RevokeCertificate.html) API action. A certificate may need to be revoked before its scheduled expiration if, for example, its secret key is compromised or its associated domain becomes invalid. For revocation to be effective, the client using the certificate needs a way to check revocation status whenever it attempts to build a secure network connection.

Amazon Private CA provides two fully managed mechanisms to support revocation status checking: Online Certificate Status Protocol (OCSP) and certificate revocation lists (CRLs). With OCSP, the client queries an authoritative revocation database that returns a status in real-time. With a CRL, the client checks the certificate against a list of revoked certificates that it periodically downloads and stores. Clients refuse to accept certificates that have been revoked. 

Both OCSP and CRLs depend on validation information embedded in certificates. For this reason, an issuing CA must be configured to support either or both of these mechanisms prior to issuance. For information about selecting and implementing managed revocation through Amazon Private CA, see [Plan your Amazon Private CA certificate revocation method](revocation-setup.md).

Revoked certificates are always recorded in Amazon Private CA audit reports. 

**Note**  
For cross-account callers, revocation permissions are not included in `AWSRAMDefaultPermissionCertificateAuthority`. To enable revocation by cross-account issuers, the CA administrator can use either of the following approaches:  
+ **Customer managed permission (recommended)** – Create a RAM customer managed permission that includes the `acm-pca:RevokeCertificate` action along with other required actions in a single resource share. For more information, see [Customer managed permissions in RAM](pca-cmp.md).
+ **Amazon managed permissions** – Create two RAM shares, both pointing at the same CA:
  + A share with the `AWSRAMRevokeCertificateCertificateAuthority` permission.
  + A share with the `AWSRAMDefaultPermissionCertificateAuthority` permission.

**To revoke a certificate**  
Use the [RevokeCertificate](https://docs.amazonaws.cn/privateca/latest/APIReference/API_RevokeCertificate.html) API action or [revoke-certificate](https://docs.amazonaws.cn/cli/latest/reference/acm-pca/revoke-certificate.html) command to revoke a private PKI certificate. The serial number must be in hexadecimal format. You can retrieve the serial number by calling the [get-certificate](https://docs.amazonaws.cn/cli/latest/reference/acm-pca/get-certificate.html) command. The `revoke-certificate` command does not return a response. 

```
$ aws acm-pca revoke-certificate \
     --certificate-authority-arn arn:aws:acm-pca:us-east-1:111122223333:certificate-authority/11223344-1234-1122-2233-112233445566 \
     --certificate-serial serial_number \
     --revocation-reason "KEY_COMPROMISE"
```
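Because **revoke-certificate** needs the serial in hexadecimal while **get-certificate** returns PEM, the following added example (not code from the Amazon Private CA documentation; standard library only, function names are my own) reads the `serialNumber` from a PEM certificate and formats it as the hex string for `--certificate-serial`. The certificate it parses by default is a constructed stub containing only a version and a serial, not a real signed certificate.

```python
import base64
import re

# Added example, not from the Amazon Private CA documentation: pull the
# serial number out of a PEM certificate as upper-case hex.


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, content_start, content_end) for the DER element at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: next N bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def serial_from_der(cert: bytes) -> str:
    """Certificate ::= SEQUENCE { tbsCertificate SEQUENCE { version [0] EXPLICIT
    OPTIONAL, serialNumber INTEGER, ... }, ... } -- walk to the INTEGER."""
    tag, pos, _ = _read_tlv(cert, 0)
    if tag != 0x30:
        raise ValueError("not a DER Certificate")
    tag, pos, _ = _read_tlv(cert, pos)        # tbsCertificate
    if tag != 0x30:
        raise ValueError("malformed tbsCertificate")
    tag, start, end = _read_tlv(cert, pos)
    if tag == 0xA0:                           # version present (v2/v3): skip it
        tag, start, end = _read_tlv(cert, end)
    if tag != 0x02:
        raise ValueError("serialNumber INTEGER not found")
    serial = cert[start:end]
    # DER prepends 0x00 to a positive INTEGER whose top bit is set; the hex
    # form Amazon Private CA reports and accepts is the integer value without it.
    if len(serial) > 1 and serial[0] == 0x00:
        serial = serial[1:]
    return serial.hex().upper()


def serial_from_pem(pem: str) -> str:
    """Accepts the PEM text that get-certificate | jq -r '.Certificate' writes."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no PEM certificate block found")
    return serial_from_der(base64.b64decode(m.group(1)))


def _constructed_sample_pem(serial_hex: str) -> str:
    """Constructed stand-in: a DER Certificate holding only version and
    serialNumber, enough to exercise the parser (not a real certificate)."""
    serial = bytes.fromhex(serial_hex)
    if serial[0] & 0x80:
        serial = b"\x00" + serial              # keep the INTEGER positive
    version = b"\xa0\x03\x02\x01\x02"          # [0] EXPLICIT INTEGER 2 (v3)
    integer = bytes([0x02, len(serial)]) + serial
    tbs = bytes([0x30, len(version) + len(integer)]) + version + integer
    cert = bytes([0x30, len(tbs)]) + tbs
    body = base64.b64encode(cert).decode("ascii")
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


# Serial taken from the CRL example on this page, wrapped in the constructed stub.
SAMPLE_PEM = _constructed_sample_pem("B17B6F9AE9309C51D5573BCA78764C23")

if __name__ == "__main__":
    print(serial_from_pem(SAMPLE_PEM))
```

On a real certificate, `serial_from_pem(open("cert.pem").read())` yields the value to pass as `--certificate-serial`.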

## Revoked certificates and OCSP


OCSP responses may take up to 60 minutes to reflect the new status when you revoke a certificate. In general, OCSP tends to support faster distribution of revocation information because, unlike CRLs which can be cached by clients for days, OCSP responses are typically not cached by clients.

## Revoked certificates in a CRL


A CRL is typically updated approximately 30 minutes after a certificate is revoked. If for any reason a CRL update fails, Amazon Private CA makes further attempts every 15 minutes.

With Amazon CloudWatch, you can create alarms for the metrics `CRLGenerated` and `MisconfiguredCRLBucket`. For more information, see [Supported CloudWatch Metrics](https://docs.amazonaws.cn/privateca/latest/userguide/PcaCloudWatch.html). For more information about creating and configuring CRLs, see [Set up a CRL for Amazon Private CA](crl-planning.md). 

The following example shows a revoked certificate in a certificate revocation list (CRL).

```
Certificate Revocation List (CRL):
        Version 2 (0x1)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: /C=US/ST=WA/L=Seattle/O=Examples LLC/OU=Corporate Office/CN=www.example.com
        Last Update: Jan 10 19:28:47 2018 GMT
        Next Update: Jan  8 20:28:47 2028 GMT
        CRL extensions:
            X509v3 Authority key identifier:
                keyid:3B:F0:04:6B:51:54:1F:C9:AE:4A:C0:2F:11:E6:13:85:D8:84:74:67

            X509v3 CRL Number:
                1515616127629
Revoked Certificates:
    Serial Number: B17B6F9AE9309C51D5573BCA78764C23
        Revocation Date: Jan  9 17:19:17 2018 GMT
        CRL entry extensions:
            X509v3 CRL Reason Code:
                Key Compromise
    Signature Algorithm: sha256WithRSAEncryption
         21:2f:86:46:6e:0a:9c:0d:85:f6:b6:b6:db:50:ce:32:d4:76:
         99:3e:df:ec:6f:c7:3b:7e:a3:6b:66:a7:b2:83:e8:3b:53:42:
         f0:7a:bc:ba:0f:81:4d:9b:71:ee:14:c3:db:ad:a0:91:c4:9f:
         98:f1:4a:69:9a:3f:e3:61:36:cf:93:0a:1b:7d:f7:8d:53:1f:
         2e:f8:bd:3c:7d:72:91:4c:36:38:06:bf:f9:c7:d1:47:6e:8e:
         54:eb:87:02:33:14:10:7f:b2:81:65:a1:62:f5:fb:e1:79:d5:
         1d:4c:0e:95:0d:84:31:f8:5d:59:5d:f9:2b:6f:e4:e6:60:8b:
         58:7d:b2:a9:70:fd:72:4f:e7:5b:e4:06:fc:e7:23:e7:08:28:
         f7:06:09:2a:a1:73:31:ec:1c:32:f8:dc:03:ea:33:a8:8e:d9:
         d4:78:c1:90:4c:08:ca:ba:ec:55:c3:00:f4:2e:03:b2:dd:8a:
         43:13:fd:c8:31:c9:cd:8d:b3:5e:06:c6:cc:15:41:12:5d:51:
         a2:84:61:16:a0:cf:f5:38:10:da:a5:3b:69:7f:9c:b0:aa:29:
         5f:fc:42:68:b8:fb:88:19:af:d9:ef:76:19:db:24:1f:eb:87:
         65:b2:05:44:86:21:e0:b4:11:5c:db:f6:a2:f9:7c:a6:16:85:
         0e:81:b2:76
```

## Revoked certificates in an audit report


All certificates, including revoked certificates, are included in the audit report for a private CA. The following example shows an audit report with one issued and one revoked certificate. For more information, see [Use audit reports with your private CA](PcaAuditReport.md). 

```
[
   {
      "awsAccountId":"account",
      "certificateArn":"arn:aws:acm-pca:region:account:certificate-authority/CA_ID/certificate/certificate_ID",
      "serial":"serial_number",
      "Subject":"1.2.840.113549.1.9.1=#161173616c6573406578616d706c652e636f6d,CN=www.example1.com,OU=Sales,O=Example Company,L=Seattle,ST=Washington,C=US",
      "notBefore":"2018-02-26T18:39:57+0000",
      "notAfter":"2019-02-26T19:39:57+0000",
      "issuedAt":"2018-02-26T19:39:58+0000",
      "revokedAt":"2018-02-26T20:00:36+0000",
      "revocationReason":"KEY_COMPROMISE"
   },
   {
      "awsAccountId":"account",
      "certificateArn":"arn:aws:acm-pca:region:account:certificate-authority/CA_ID/certificate/certificate_ID",
      "serial":"serial_number",
      "Subject":"1.2.840.113549.1.9.1=#161970726f64407777772e70616c6f75736573616c65732e636f6d,CN=www.example3.com.com,OU=Sales,O=Example Company,L=Seattle,ST=Washington,C=US",
      "notBefore":"2018-01-22T20:10:49+0000",
      "notAfter":"2019-01-17T21:10:49+0000",
      "issuedAt":"2018-01-22T21:10:49+0000"
   }
]
```
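The report above is plain JSON, but two details matter when you consume it: timestamps carry a `+0000` offset, and the `Subject` field encodes the `emailAddress` attribute (OID 1.2.840.113549.1.9.1) as a `#`-prefixed hex DER value rather than readable text. The following added example (not Amazon code) parses a report in this format, decodes those values, and classifies each certificate; the embedded report is constructed to match the sample shown on this page, with placeholder ARNs and serials.

```python
"""Summarise an Amazon Private CA audit report: decode hex-encoded Subject
attributes and classify each certificate as of a reference time.
Added example, not Amazon code. SAMPLE_REPORT is constructed from the
report shown on this page (ARNs, serials and account are placeholders)."""
import json
from datetime import datetime, timezone

SAMPLE_REPORT = """[
   {"awsAccountId":"account",
    "certificateArn":"arn:aws:acm-pca:region:account:certificate-authority/CA_ID/certificate/certificate_ID",
    "serial":"serial_number",
    "Subject":"1.2.840.113549.1.9.1=#161173616c6573406578616d706c652e636f6d,CN=www.example1.com,OU=Sales,O=Example Company,L=Seattle,ST=Washington,C=US",
    "notBefore":"2018-02-26T18:39:57+0000","notAfter":"2019-02-26T19:39:57+0000",
    "issuedAt":"2018-02-26T19:39:58+0000","revokedAt":"2018-02-26T20:00:36+0000",
    "revocationReason":"KEY_COMPROMISE"},
   {"awsAccountId":"account",
    "certificateArn":"arn:aws:acm-pca:region:account:certificate-authority/CA_ID/certificate/certificate_ID",
    "serial":"serial_number",
    "Subject":"1.2.840.113549.1.9.1=#161970726f64407777772e70616c6f75736573616c65732e636f6d,CN=www.example3.com.com,OU=Sales,O=Example Company,L=Seattle,ST=Washington,C=US",
    "notBefore":"2018-01-22T20:10:49+0000","notAfter":"2019-01-17T21:10:49+0000",
    "issuedAt":"2018-01-22T21:10:49+0000"}
]"""

REPORT_TS = "%Y-%m-%dT%H:%M:%S%z"          # e.g. 2018-02-26T18:39:57+0000
OID_NAMES = {"1.2.840.113549.1.9.1": "emailAddress"}   # PKCS#9 emailAddress


def parse_ts(value: str) -> datetime:
    """Parse a report timestamp into an aware datetime."""
    return datetime.strptime(value, REPORT_TS)


def decode_hex_rdn(value: str) -> str:
    """Decode a '#<hex>' RDN value: the hex is the DER TLV of the attribute
    (1-byte tag, 1-byte short-form length, string bytes). Only the string
    types seen in Subjects are accepted: 0x16 IA5String, 0x13 PrintableString,
    0x0c UTF8String."""
    raw = bytes.fromhex(value[1:])
    if len(raw) < 2:
        raise ValueError("DER value too short")
    tag, length = raw[0], raw[1]
    if length & 0x80 or len(raw) != 2 + length:
        raise ValueError("long-form or inconsistent DER length")
    if tag not in (0x16, 0x13, 0x0C):
        raise ValueError(f"unexpected DER string tag 0x{tag:02x}")
    return raw[2:].decode("utf-8" if tag == 0x0C else "ascii")


def parse_subject(subject: str) -> dict:
    """Split the report's comma-separated Subject into a dict, decoding hex
    values and naming known OIDs. Assumes attribute values contain no commas,
    which holds for the sample above."""
    out = {}
    for part in subject.split(","):
        key, _, val = part.partition("=")
        if val.startswith("#"):
            val = decode_hex_rdn(val)
        out[OID_NAMES.get(key, key)] = val
    return out


def classify(entry: dict, now: datetime) -> str:
    """Revocation beats validity dates: a revoked certificate is revoked even
    if its validity window is still open."""
    if "revokedAt" in entry:
        return "revoked"
    if now < parse_ts(entry["notBefore"]):
        return "not-yet-valid"
    if now > parse_ts(entry["notAfter"]):
        return "expired"
    return "valid"


def summarize(report_json: str, now: datetime) -> list:
    """One row per certificate: subject CN, decoded email, status and whether
    the revocation reason was KEY_COMPROMISE (the case worth alerting on)."""
    rows = []
    for entry in json.loads(report_json):
        subj = parse_subject(entry["Subject"])
        reason = entry.get("revocationReason")
        rows.append({"cn": subj.get("CN"), "email": subj.get("emailAddress"),
                     "status": classify(entry, now), "reason": reason,
                     "key_compromise": reason == "KEY_COMPROMISE"})
    return rows


if __name__ == "__main__":
    for row in summarize(SAMPLE_REPORT, datetime(2018, 3, 1, tzinfo=timezone.utc)):
        print(row)
```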

# Automate export of a renewed certificate
Automate export

When you use Amazon Private CA to create a CA, you can import that CA into Amazon Certificate Manager and let ACM manage certificate issuance and renewal. If a certificate being renewed is associated with an [integrated service](https://docs.amazonaws.cn/acm/latest/userguide/acm-services.html), the service seamlessly applies the new certificate. However, if the certificate was originally [exported](https://docs.amazonaws.cn/acm/latest/userguide/export-private.html) for use elsewhere in your PKI environment (for example, in an on-premises server or appliance), you need to export it again after renewal. 

For a sample solution that automates the ACM export process using Amazon EventBridge and Amazon Lambda, see [Automating export of renewed certificates](https://docs.amazonaws.cn/acm/latest/userguide/renew-private-cert.html#automating-export).

# Use Amazon Private CA certificate templates
Certificate templates

Amazon Private CA uses configuration templates to issue both CA certificates and end-entity certificates. When you issue a CA certificate from the PCA console, the appropriate root or subordinate CA certificate template is applied automatically. 

If you use the CLI or API to issue a certificate, you can supply a template ARN as a parameter to the `IssueCertificate` action. If you provide no ARN, then the `EndEntityCertificate/V1` template is applied by default. For more information, see the [IssueCertificate](https://docs.amazonaws.cn/privateca/latest/APIReference/API_IssueCertificate.html) API and [issue-certificate](https://docs.amazonaws.cn/cli/latest/reference/acm-pca/issue-certificate.html) command documentation.

**Note**  
Amazon Certificate Manager (ACM) users with cross-account shared access to a private CA can issue managed certificates that are signed by the CA. When you grant permission to the `IssueCertificate` action, you can restrict the certificate templates used for certificate issuance by adding an `acm-pca:TemplateArn` Condition to the policy.  
For more information, see [Resource-based policies](pca-rbp.md).

**Topics**
+ [Amazon Private CA template varieties](template-varieties.md)
+ [Amazon Private CA template order of operations](template-order-of-operations.md)
+ [Amazon Private CA template definitions](template-definitions.md)

# Amazon Private CA template varieties
Template varieties

Amazon Private CA supports four varieties of template.
+ **Base templates**

  Pre-defined templates in which no passthrough parameters are allowed.
+ **CSRPassthrough templates**

  Templates that extend their corresponding base template versions by allowing CSR passthrough. Extensions in the CSR that is used to issue the certificate are copied over to the issued certificate. In cases where the CSR contains extension values that conflict with the template definition, the template definition will always have the higher priority. For more details about priority, see [Amazon Private CA template order of operations](template-order-of-operations.md).
+ **APIPassthrough templates**

  Templates that extend their corresponding base template versions by allowing API passthrough. Dynamic values that are known to the administrator or other intermediate systems may not be known by the entity requesting the certificate, may be impossible to define in a template, and may not be available in the CSR. The CA administrator, however, can retrieve additional information from another data source, such as an Active Directory, to complete the request. For example, if a machine doesn't know what organization unit it belongs to, the administrator can look up the information in Active Directory and add it to the certificate request by including the information in a JSON structure.

  Values in the `ApiPassthrough` parameter of the `IssueCertificate` action are copied over to the issued certificate. In cases where the `ApiPassthrough` parameter contains information that conflicts with the template definition, the template definition will always have the higher priority. For more details about priority, see [Amazon Private CA template order of operations](template-order-of-operations.md). 
+ **APICSRPassthrough templates**

  Templates that extend their corresponding base template versions by allowing both API and CSR passthrough. Extensions in the CSR used to issue the certificate are copied over to the issued certificate, and values in the `ApiPassthrough` parameter of the `IssueCertificate` action are also copied over. In cases where the template definition, API passthrough values, and CSR passthrough extensions exhibit a conflict, the template definition has highest priority, followed by the API passthrough values, followed by the CSR passthrough extensions. For more details about priority, see [Amazon Private CA template order of operations](template-order-of-operations.md).

The tables below list all of the template types supported by Amazon Private CA with links to their definitions.

**Note**  
For information about template ARNs in GovCloud regions, see [Amazon Private Certificate Authority](https://docs.amazonaws.cn/govcloud-us/latest/UserGuide/using-govcloud-arns.html#using-govcloud-arn-syntax-acmpca) in the *Amazon GovCloud (US) User Guide*.


**Base templates**  

|  Template Name  |  Template ARN  |  Certificate Type  | 
| --- | --- | --- | 
|  [CodeSigningCertificate/V1](template-definitions.md#CodeSigningCertificate-V1)  |  `arn:aws:acm-pca:::template/CodeSigningCertificate/V1`  |  Code signing  | 
|  [EndEntityCertificate/V1](template-definitions.md#EndEntityCertificate-V1)  |  `arn:aws:acm-pca:::template/EndEntityCertificate/V1`  |  End-entity  | 
|  [EndEntityClientAuthCertificate/V1](template-definitions.md#EndEntityClientAuthCertificate-V1)  |  `arn:aws:acm-pca:::template/EndEntityClientAuthCertificate/V1`  |  End-entity  | 
|  [EndEntityServerAuthCertificate/V1](template-definitions.md#EndEntityServerAuthCertificate-V1)  |  `arn:aws:acm-pca:::template/EndEntityServerAuthCertificate/V1`  |  End-entity  | 
|  [OCSPSigningCertificate/V1](template-definitions.md#OCSPSigningCertificate-V1)  |  `arn:aws:acm-pca:::template/OCSPSigningCertificate/V1`  |  OCSP signing  | 
|  [RootCACertificate/V1](template-definitions.md#RootCACertificate-V1)  |  `arn:aws:acm-pca:::template/RootCACertificate/V1`  |  CA  | 
|  [SubordinateCACertificate_PathLen0/V1](template-definitions.md#SubordinateCACertificate_PathLen0-V1)  |  `arn:aws:acm-pca:::template/SubordinateCACertificate_PathLen0/V1`  |  CA  | 
|  [SubordinateCACertificate_PathLen1/V1](template-definitions.md#SubordinateCACertificate_PathLen1-V1)  |  `arn:aws:acm-pca:::template/SubordinateCACertificate_PathLen1/V1`  |  CA  | 
|  [SubordinateCACertificate_PathLen2/V1](template-definitions.md#SubordinateCACertificate_PathLen2-V1)  |  `arn:aws:acm-pca:::template/SubordinateCACertificate_PathLen2/V1`  |  CA  | 
|  [SubordinateCACertificate_PathLen3/V1](template-definitions.md#SubordinateCACertificate_PathLen3-V1)  |  `arn:aws:acm-pca:::template/SubordinateCACertificate_PathLen3/V1`  |  CA  | 


**CSRPassthrough templates**  

|  Template Name  |  Template ARN  |  Certificate Type  | 
| --- | --- | --- | 
|  [BlankEndEntityCertificate_CSRPassthrough/V1](template-definitions.md#BlankEndEntityCertificate_CSRPassthrough)  |  `arn:aws:acm-pca:::template/BlankEndEntityCertificate_CSRPassthrough/V1`  |  End-entity  | 
|  [BlankEndEntityCertificate_CriticalBasicConstraints_CSRPassthrough/V1](template-definitions.md#BlankEndEntityCertificate_CriticalBasicConstraints_CSRPassthrough)  |  `arn:aws:acm-pca:::template/BlankEndEntityCertificate_CriticalBasicConstraints_CSRPassthrough/V1`  |  End-entity  | 
|  [BlankSubordinateCACertificate_PathLen0_CSRPassthrough/V1](template-definitions.md#BlankSubordinateCACertificate_PathLen0_CSRPassthrough)  |  `arn:aws:acm-pca:::template/BlankSubordinateCACertificate_PathLen0_CSRPassthrough/V1`  |  CA  | 
|  [BlankSubordinateCACertificate_PathLen1_CSRPassthrough/V1](template-definitions.md#BlankSubordinateCACertificate_PathLen1_CSRPassthrough)  |  `arn:aws:acm-pca:::template/BlankSubordinateCACertificate_PathLen1_CSRPassthrough/V1`  |  CA  | 
|  [BlankSubordinateCACertificate_PathLen2_CSRPassthrough/V1](template-definitions.md#BlankSubordinateCACertificate_PathLen2_CSRPassthrough)  |  `arn:aws:acm-pca:::template/BlankSubordinateCACertificate_PathLen2_CSRPassthrough/V1`  |  CA  | 
|  [BlankSubordinateCACertificate_PathLen3_CSRPassthrough/V1](template-definitions.md#BlankSubordinateCACertificate_PathLen3_CSRPassthrough)  |  `arn:aws:acm-pca:::template/BlankSubordinateCACertificate_PathLen3_CSRPassthrough/V1`  |  CA  | 
|  [CodeSigningCertificate_CSRPassthrough/V1](template-definitions.md#CodeSigningCertificate_CSRPassthrough-V1)  |  `arn:aws:acm-pca:::template/CodeSigningCertificate_CSRPassthrough/V1`  |  Code signing  | 
|  [EndEntityCertificate_CSRPassthrough/V1](template-definitions.md#EndEntityCertificate_CSRPassthrough-V1)  |  `arn:aws:acm-pca:::template/EndEntityCertificate_CSRPassthrough/V1`  |  End-entity  | 
|  [EndEntityClientAuthCertificate_CSRPassthrough/V1](template-definitions.md#EndEntityClientAuthCertificate_CSRPassthrough-V1)  |  `arn:aws:acm-pca:::template/EndEntityClientAuthCertificate_CSRPassthrough/V1`  |  End-entity  | 
|  [EndEntityServerAuthCertificate_CSRPassthrough/V1](template-definitions.md#EndEntityServerAuthCertificate_CSRPassthrough-V1)  |  `arn:aws:acm-pca:::template/EndEntityServerAuthCertificate_CSRPassthrough/V1`  |  End-entity  | 
|  [OCSPSigningCertificate_CSRPassthrough/V1](template-definitions.md#OCSPSigningCertificate_CSRPassthrough-V1)  |  `arn:aws:acm-pca:::template/OCSPSigningCertificate_CSRPassthrough/V1`  |  OCSP signing  | 
|  [SubordinateCACertificate_PathLen0_CSRPassthrough/V1](template-definitions.md#SubordinateCACertificate_PathLen0_CSRPassthrough-V1)  |  `arn:aws:acm-pca:::template/SubordinateCACertificate_PathLen0_CSRPassthrough/V1`  |  CA  | 
|  [SubordinateCACertificate_PathLen1_CSRPassthrough/V1](template-definitions.md#SubordinateCACertificate_PathLen1_CSRPassthrough-V1)  |  `arn:aws:acm-pca:::template/SubordinateCACertificate_PathLen1_CSRPassthrough/V1`  |  CA  | 
|  [SubordinateCACertificate_PathLen2_CSRPassthrough/V1](template-definitions.md#SubordinateCACertificate_PathLen2_CSRPassthrough-V1)  |  `arn:aws:acm-pca:::template/SubordinateCACertificate_PathLen2_CSRPassthrough/V1`  |  CA  | 
|  [SubordinateCACertificate_PathLen3_CSRPassthrough/V1](template-definitions.md#SubordinateCACertificate_PathLen3_CSRPassthrough-V1)  |  `arn:aws:acm-pca:::template/SubordinateCACertificate_PathLen3_CSRPassthrough/V1`  |  CA  | 


**APIPassthrough templates**  

|  Template Name  |  Template ARN  |  Certificate Type  | 
| --- | --- | --- | 
|  [BlankEndEntityCertificate_APIPassthrough/V1](template-definitions.md#BlankEndEntityCertificate_APIPassthrough)  |  `arn:aws:acm-pca:::template/BlankEndEntityCertificate_APIPassthrough/V1`  |  End-entity  | 
|  [BlankEndEntityCertificate_CriticalBasicConstraints_APIPassthrough/V1](template-definitions.md#BlankEndEntityCertificate_CriticalBasicConstraints_APIPassthrough)  |  `arn:aws:acm-pca:::template/BlankEndEntityCertificate_CriticalBasicConstraints_APIPassthrough/V1`  |  End-entity  | 
|  [CodeSigningCertificate_APIPassthrough/V1](template-definitions.md#CodeSigningCertificate_APIPassthrough)  |  `arn:aws:acm-pca:::template/CodeSigningCertificate_APIPassthrough/V1`  |  Code signing  | 
|  [EndEntityCertificate_APIPassthrough/V1](template-definitions.md#EndEntityCertificate_APIPassthrough)  |  `arn:aws:acm-pca:::template/EndEntityCertificate_APIPassthrough/V1`  |  End-entity  | 
|  [EndEntityClientAuthCertificate_APIPassthrough/V1](template-definitions.md#EndEntityClientAuthCertificate_APIPassthrough)  |  `arn:aws:acm-pca:::template/EndEntityClientAuthCertificate_APIPassthrough/V1`  |  End-entity  | 
|  [EndEntityServerAuthCertificate_APIPassthrough/V1](template-definitions.md#EndEntityServerAuthCertificate_APIPassthrough)  |  `arn:aws:acm-pca:::template/EndEntityServerAuthCertificate_APIPassthrough/V1`  |  End-entity  | 
|  [OCSPSigningCertificate_APIPassthrough/V1](template-definitions.md#OCSPSigningCertificate_APIPassthrough)  |  `arn:aws:acm-pca:::template/OCSPSigningCertificate_APIPassthrough/V1`  |  OCSP signing  | 
|  [RootCACertificate_APIPassthrough/V1](template-definitions.md#RootCACertificate_APIPassthrough)  |  `arn:aws:acm-pca:::template/RootCACertificate_APIPassthrough/V1`  |  CA  | 
|  [BlankRootCACertificate_APIPassthrough/V1](template-definitions.md#BlankRootCACertificate_APIPassthrough)  |  `arn:aws:acm-pca:::template/BlankRootCACertificate_APIPassthrough/V1`  |  CA  | 
|  [BlankRootCACertificate_PathLen0_APIPassthrough/V1](template-definitions.md#BlankRootCACertificate_PathLen0_APIPassthrough)  |  `arn:aws:acm-pca:::template/BlankRootCACertificate_PathLen0_APIPassthrough/V1`  |  CA  | 
|  [BlankRootCACertificate_PathLen1_APIPassthrough/V1](template-definitions.md#BlankRootCACertificate_PathLen1_APIPassthrough)  |  `arn:aws:acm-pca:::template/BlankRootCACertificate_PathLen1_APIPassthrough/V1`  |  CA  | 
|  [BlankRootCACertificate_PathLen2_APIPassthrough/V1](template-definitions.md#BlankRootCACertificate_PathLen2_APIPassthrough)  |  `arn:aws:acm-pca:::template/BlankRootCACertificate_PathLen2_APIPassthrough/V1`  |  CA  | 
|  [BlankRootCACertificate_PathLen3_APIPassthrough/V1](template-definitions.md#BlankRootCACertificate_PathLen3_APIPassthrough)  |  `arn:aws:acm-pca:::template/BlankRootCACertificate_PathLen3_APIPassthrough/V1`  |  CA  | 
|  [SubordinateCACertificate_PathLen0_APIPassthrough/V1](template-definitions.md#SubordinateCACertificate_PathLen0_APIPassthrough)  |  `arn:aws:acm-pca:::template/SubordinateCACertificate_PathLen0_APIPassthrough/V1`  |  CA  | 
|  [BlankSubordinateCACertificate_PathLen0_APIPassthrough/V1](template-definitions.md#BlankSubordinateCACertificate_PathLen0_APIPassthrough)  |  `arn:aws:acm-pca:::template/BlankSubordinateCACertificate_PathLen0_APIPassthrough/V1`  |  CA  | 
|  [SubordinateCACertificate_PathLen1_APIPassthrough/V1](template-definitions.md#SubordinateCACertificate_PathLen1_APIPassthrough)  |  `arn:aws:acm-pca:::template/SubordinateCACertificate_PathLen1_APIPassthrough/V1`  |  CA  | 
|  [BlankSubordinateCACertificate_PathLen1_APIPassthrough/V1](template-definitions.md#BlankSubordinateCACertificate_PathLen1_APIPassthrough)  |  `arn:aws:acm-pca:::template/BlankSubordinateCACertificate_PathLen1_APIPassthrough/V1`  |  CA  | 
|  [SubordinateCACertificate_PathLen2_APIPassthrough/V1](template-definitions.md#SubordinateCACertificate_PathLen2_APIPassthrough)  |  `arn:aws:acm-pca:::template/SubordinateCACertificate_PathLen2_APIPassthrough/V1`  |  CA  | 
|  [BlankSubordinateCACertificate_PathLen2_APIPassthrough/V1](template-definitions.md#BlankSubordinateCACertificate_PathLen2_APIPassthrough)  |  `arn:aws:acm-pca:::template/BlankSubordinateCACertificate_PathLen2_APIPassthrough/V1`  |  CA  | 
|  [SubordinateCACertificate_PathLen3_APIPassthrough/V1](template-definitions.md#SubordinateCACertificate_PathLen3_APIPassthrough)  |  `arn:aws:acm-pca:::template/SubordinateCACertificate_PathLen3_APIPassthrough/V1`  |  CA  | 
|  [BlankSubordinateCACertificate_PathLen3_APIPassthrough/V1](template-definitions.md#BlankSubordinateCACertificate_PathLen3_APIPassthrough)  |  `arn:aws:acm-pca:::template/BlankSubordinateCACertificate_PathLen3_APIPassthrough/V1`  |  CA  | 


**APICSRPassthrough templates**  

|  Template Name  |  Template ARN  |  Certificate Type  | 
| --- | --- | --- | 
|  [BlankEndEntityCertificate_APICSRPassthrough/V1](template-definitions.md#BlankEndEntityCertificate_APICSRPassthrough)  |  `arn:aws:acm-pca:::template/BlankEndEntityCertificate_APICSRPassthrough/V1`  |  End-entity  | 
|  [BlankEndEntityCertificate_CriticalBasicConstraints_APICSRPassthrough/V1](template-definitions.md#BlankEndEntityCertificate_CriticalBasicConstraints_APICSRPassthrough)  |  `arn:aws:acm-pca:::template/BlankEndEntityCertificate_CriticalBasicConstraints_APICSRPassthrough/V1`  |  End-entity  | 
|  [CodeSigningCertificate_APICSRPassthrough/V1](template-definitions.md#CodeSigningCertificate_APICSRPassthrough)  |  `arn:aws:acm-pca:::template/CodeSigningCertificate_APICSRPassthrough/V1`  |  Code signing  | 
|  [EndEntityCertificate_APICSRPassthrough/V1](template-definitions.md#EndEntityCertificate_APICSRPassthrough)  |  `arn:aws:acm-pca:::template/EndEntityCertificate_APICSRPassthrough/V1`  |  End-entity  | 
|  [EndEntityClientAuthCertificate_APICSRPassthrough/V1](template-definitions.md#EndEntityClientAuthCertificate_APICSRPassthrough)  |  `arn:aws:acm-pca:::template/EndEntityClientAuthCertificate_APICSRPassthrough/V1`  |  End-entity  | 
|  [EndEntityServerAuthCertificate_APICSRPassthrough/V1](template-definitions.md#EndEntityServerAuthCertificate_APICSRPassthrough)  |  `arn:aws:acm-pca:::template/EndEntityServerAuthCertificate_APICSRPassthrough/V1`  |  End-entity  | 
|  [OCSPSigningCertificate_APICSRPassthrough/V1](template-definitions.md#OCSPSigningCertificate_APICSRPassthrough)  |  `arn:aws:acm-pca:::template/OCSPSigningCertificate_APICSRPassthrough/V1`  |  OCSP signing  | 
|  [SubordinateCACertificate_PathLen0_APICSRPassthrough/V1](template-definitions.md#SubordinateCACertificate_PathLen0_APICSRPassthrough)  |  `arn:aws:acm-pca:::template/SubordinateCACertificate_PathLen0_APICSRPassthrough/V1`  |  CA  | 
|  [BlankSubordinateCACertificate_PathLen0_APICSRPassthrough/V1](template-definitions.md#BlankSubordinateCACertificate_PathLen0_APICSRPassthrough)  |  `arn:aws:acm-pca:::template/BlankSubordinateCACertificate_PathLen0_APICSRPassthrough/V1`  |  CA  | 
|  [SubordinateCACertificate_PathLen1_APICSRPassthrough/V1](template-definitions.md#SubordinateCACertificate_PathLen1_APICSRPassthrough)  |  `arn:aws:acm-pca:::template/SubordinateCACertificate_PathLen1_APICSRPassthrough/V1`  |  CA  | 
|  [BlankSubordinateCACertificate_PathLen1_APICSRPassthrough/V1](template-definitions.md#BlankSubordinateCACertificate_PathLen1_APICSRPassthrough)  |  `arn:aws:acm-pca:::template/BlankSubordinateCACertificate_PathLen1_APICSRPassthrough/V1`  |  CA  | 
|  [SubordinateCACertificate_PathLen2_APICSRPassthrough/V1](template-definitions.md#SubordinateCACertificate_PathLen2_APICSRPassthrough)  |  `arn:aws:acm-pca:::template/SubordinateCACertificate_PathLen2_APICSRPassthrough/V1`  |  CA  | 
|  [BlankSubordinateCACertificate_PathLen2_APICSRPassthrough/V1](template-definitions.md#BlankSubordinateCACertificate_PathLen2_APICSRPassthrough)  |  `arn:aws:acm-pca:::template/BlankSubordinateCACertificate_PathLen2_APICSRPassthrough/V1`  |  CA  | 
|  [SubordinateCACertificate_PathLen3_APICSRPassthrough/V1](template-definitions.md#SubordinateCACertificate_PathLen3_APICSRPassthrough)  |  `arn:aws:acm-pca:::template/SubordinateCACertificate_PathLen3_APICSRPassthrough/V1`  |  CA  | 
|  [BlankSubordinateCACertificate_PathLen3_APICSRPassthrough/V1](template-definitions.md#BlankSubordinateCACertificate_PathLen3_APICSRPassthrough)  |  `arn:aws:acm-pca:::template/BlankSubordinateCACertificate_PathLen3_APICSRPassthrough/V1`  |  CA  | 

# Amazon Private CA template order of operations
Template order of operations

Information contained in an issued certificate can come from four sources: the template definition, API passthrough, CSR passthrough, and the CA configuration.

API passthrough values are only respected when you use an API passthrough or APICSR passthrough template. CSR passthrough is only respected when you use a CSRPassthrough or APICSR passthrough template. When these sources of information are in conflict, a general rule usually applies: For each extension value, the template definition has highest priority, followed by API passthrough values, followed by CSR passthrough extensions.

**Examples**

1. The template definition for [EndEntityClientAuthCertificate_APIPassthrough](template-definitions.md#EndEntityClientAuthCertificate_APIPassthrough) defines the ExtendedKeyUsage extension with a value of "TLS web server authentication, TLS web client authentication". If ExtendedKeyUsage is defined in the CSR or in the `IssueCertificate` `ApiPassthrough` parameter, the `ApiPassthrough` value for ExtendedKeyUsage will be ignored because the template definition takes priority, and the CSR value for ExtendedKeyUsage will be ignored because the template is not a CSR passthrough variety.
**Note**  
The template definition nonetheless copies over other values from the CSR, such as Subject and Subject Alternative Name. These values are still taken from the CSR even though the template is not a CSR passthrough variety, because the template definition always takes highest priority.

2. The template definition for [EndEntityClientAuthCertificate_APICSRPassthrough](template-definitions.md#EndEntityClientAuthCertificate_APICSRPassthrough) defines the Subject Alternative Name (SAN) extension as being copied from the API or CSR. If the SAN extension is defined in the CSR and provided in the `IssueCertificate` `ApiPassthrough` parameter, the API passthrough value will take priority because API passthrough values take priority over CSR passthrough values.
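The two examples above, and the blank-template behaviour described under the template definitions, follow from one rule set: an extension pinned by the template definition wins, an extension the definition marks as passthrough takes the API value before the CSR value, and anything else is copied only from the source the template variety admits. The following added example (not Amazon code) models those rules in Python and replays both examples plus a blank-template case; the `Template` objects are partial models built from the definitions quoted on this page, not the service's actual template files.

```python
"""Model of how Amazon Private CA resolves each certificate extension from the
template definition, the ApiPassthrough parameter and the CSR.
Added illustration, not Amazon code. The Template instances are partial
models reconstructed from the definitions quoted on this page."""
from dataclasses import dataclass

API, CSR = "API", "CSR"


@dataclass(frozen=True)
class Template:
    name: str
    fixed: dict          # extensions the definition pins to a value (highest priority)
    passthrough: dict    # extension -> accepted sources in priority order, API before CSR
    api_variety: bool    # APIPassthrough or APICSRPassthrough template
    csr_variety: bool    # CSRPassthrough or APICSRPassthrough template


def resolve_extensions(tpl: Template, api_passthrough: dict, csr_extensions: dict):
    """Return (resolved, ignored): the extensions that land in the issued
    certificate, and the requested extensions that were dropped with the reason.
    Extension values are opaque strings; only the selection logic is modelled."""
    resolved = dict(tpl.fixed)
    ignored = {}
    for ext in sorted(set(api_passthrough) | set(csr_extensions)):
        if ext in tpl.fixed:
            ignored[ext] = "pinned by template definition"
            continue
        # Extensions the definition names as passthrough use the sources it lists
        # (so a CSR SAN is accepted even by an APIPassthrough template); any other
        # extension is copied only from the source the variety admits.
        sources = tpl.passthrough.get(ext)
        if sources is None:
            sources = tuple(s for s, ok in ((API, tpl.api_variety), (CSR, tpl.csr_variety)) if ok)
        for src in sources:
            if src == API and ext in api_passthrough:
                resolved[ext] = api_passthrough[ext]
                break
            if src == CSR and ext in csr_extensions:
                resolved[ext] = csr_extensions[ext]
                break
        else:
            ignored[ext] = "source not accepted by this template variety"
    return resolved, ignored


EKU_CLIENT_AUTH_TEMPLATE = "TLS web server authentication, TLS web client authentication"

# EndEntityClientAuthCertificate_APIPassthrough/V1: EKU pinned, Subject and SAN
# copied from API or CSR (as stated in example 1 and its note).
EE_CLIENT_AUTH_API = Template(
    "EndEntityClientAuthCertificate_APIPassthrough/V1",
    fixed={"ExtendedKeyUsage": EKU_CLIENT_AUTH_TEMPLATE},
    passthrough={"Subject": (API, CSR), "SubjectAlternativeName": (API, CSR)},
    api_variety=True, csr_variety=False)

# EndEntityClientAuthCertificate_APICSRPassthrough/V1: SAN from API or CSR
# (example 2); the pinned EKU is assumed to match the APIPassthrough variant.
EE_CLIENT_AUTH_APICSR = Template(
    "EndEntityClientAuthCertificate_APICSRPassthrough/V1",
    fixed={"ExtendedKeyUsage": EKU_CLIENT_AUTH_TEMPLATE},
    passthrough={"Subject": (API, CSR), "SubjectAlternativeName": (API, CSR)},
    api_variety=True, csr_variety=True)

# BlankEndEntityCertificate_APIPassthrough/V1: only Basic constraints pinned,
# so KU and EKU may be supplied through ApiPassthrough but not through the CSR.
BLANK_EE_API = Template(
    "BlankEndEntityCertificate_APIPassthrough/V1",
    fixed={"BasicConstraints": "CA:FALSE"},
    passthrough={"Subject": (API, CSR), "SubjectAlternativeName": (API, CSR)},
    api_variety=True, csr_variety=False)


def example_1():
    """Page example 1: EKU from API and CSR is ignored; the SAN still comes from the CSR."""
    return resolve_extensions(
        EE_CLIENT_AUTH_API,
        api_passthrough={"ExtendedKeyUsage": "TLS web client authentication"},
        csr_extensions={"ExtendedKeyUsage": "Code signing",
                        "SubjectAlternativeName": "DNS:host.example.internal"})


def example_2():
    """Page example 2: SAN present in both API and CSR; the API value wins."""
    return resolve_extensions(
        EE_CLIENT_AUTH_APICSR,
        api_passthrough={"SubjectAlternativeName": "DNS:api.example.internal"},
        csr_extensions={"SubjectAlternativeName": "DNS:csr.example.internal"})


def example_3():
    """Blank template: smart-card KU/EKU accepted from ApiPassthrough, while a
    KeyUsage and a CA:TRUE Basic constraints present in the CSR are not copied."""
    return resolve_extensions(
        BLANK_EE_API,
        api_passthrough={"KeyUsage": "digitalSignature, nonRepudiation, keyEncipherment",
                         "ExtendedKeyUsage": "Client Authentication, Smart Card Logon"},
        csr_extensions={"KeyUsage": "keyCertSign", "BasicConstraints": "CA:TRUE"})


if __name__ == "__main__":
    for fn in (example_1, example_2, example_3):
        print(fn.__doc__, *fn(), sep="\n  ")
```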

# Amazon Private CA template definitions
Template definitions

The following sections provide configuration details about supported Amazon Private CA certificate templates. 

## BlankEndEntityCertificate_APIPassthrough/V1 definition


With blank end-entity certificate templates, you can issue end-entity certificates with only X.509 Basic constraints present. This is the simplest end-entity certificate that Amazon Private CA can issue, but it can be customized using the API structure. The Basic constraints extension defines whether or not the certificate is a CA certificate. A blank end-entity certificate template enforces a value of FALSE for Basic constraints to ensure that an end-entity certificate is issued and not a CA certificate.

You can use blank passthrough templates to issue smart card certificates that require specific values for Key usage (KU) and Extended key usage (EKU). For example, Extended key usage may require Client Authentication and Smart Card Logon, and Key usage may require Digital Signature, Non Repudiation, and Key Encipherment. Unlike other passthrough templates, blank end-entity certificate templates allow the configuration of KU and EKU extensions, where KU can be any of the nine supported values (digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyAgreement, keyCertSign, cRLSign, encipherOnly, and decipherOnly) and EKU can be any of the supported values (serverAuth, clientAuth, codesigning, emailProtection, timestamping, and OCSPSigning) plus custom extensions.


**BlankEndEntityCertificate_APIPassthrough/V1**  

|  X509v3 Parameter  | Value | 
| --- | --- | 
|  Subject alternative name  |  [Passthrough from API or CSR]  | 
|  Subject  |  [Passthrough from API or CSR]  | 
|  Basic constraints  |  CA:FALSE  | 
|  Authority key identifier  |  [SKI from CA certificate]  | 
|  Subject key identifier  |  [Derived from CSR]  | 
|  CRL distribution points\*  |  [Passthrough from CA configuration]  | 

\* CRL distribution points are included in the template only if the CA is configured with CRL generation enabled. 

## BlankEndEntityCertificate_APICSRPassthrough/V1 definition

For general information about blank templates, see [BlankEndEntityCertificate_APIPassthrough/V1 definition](#BlankEndEntityCertificate_APIPassthrough).

**BlankEndEntityCertificate_APICSRPassthrough/V1**  

|  X509v3 Parameter  | Value | 
| --- | --- | 
|  Subject alternative name  |  [Passthrough from API or CSR]  | 
|  Subject  |  [Passthrough from API or CSR]  | 
|  Basic constraints  |  CA:FALSE  | 
|  Authority key identifier  |  [SKI from CA certificate]  | 
|  Subject key identifier  |  [Derived from CSR]  | 
|  CRL distribution points\*  |  [Passthrough from CA configuration or CSR]  | 

\* CRL distribution points are included in the template only if the CA is configured with CRL generation enabled. 

## BlankEndEntityCertificate_CriticalBasicConstraints_APICSRPassthrough/V1 definition

For general information about blank templates, see [BlankEndEntityCertificate_APIPassthrough/V1 definition](#BlankEndEntityCertificate_APIPassthrough).

**BlankEndEntityCertificate_CriticalBasicConstraints_APICSRPassthrough/V1**  

|  X509v3 Parameter  | Value | 
| --- | --- | 
|  Subject alternative name  |  [Passthrough from API or CSR]  | 
|  Subject  |  [Passthrough from API or CSR]  | 
|  Basic constraints  |  Critical, CA:FALSE  | 
|  Authority key identifier  |  [SKI from CA certificate]  | 
|  Subject key identifier  |  [Derived from CSR]  | 
|  CRL distribution points\*  |  [Passthrough from CA configuration, API, or CSR]  | 

\* CRL distribution points are included in the template only if the CA is configured with CRL generation enabled. 

## BlankEndEntityCertificate_CriticalBasicConstraints_APIPassthrough/V1 definition

For general information about blank templates, see [BlankEndEntityCertificate_APIPassthrough/V1 definition](#BlankEndEntityCertificate_APIPassthrough).

**BlankEndEntityCertificate_CriticalBasicConstraints_APIPassthrough/V1**  

|  X509v3 Parameter  | Value | 
| --- | --- | 
|  Subject alternative name  |  [Passthrough from API or CSR]  | 
|  Subject  |  [Passthrough from API or CSR]  | 
|  Basic constraints  |  Critical, CA:FALSE  | 
|  Authority key identifier  |  [SKI from CA certificate]  | 
|  Subject key identifier  |  [Derived from CSR]  | 
|  CRL distribution points\*  |  [Passthrough from CA configuration or API]  | 

\* CRL distribution points are included in the template only if the CA is configured with CRL generation enabled. 

## BlankEndEntityCertificate_CriticalBasicConstraints_CSRPassthrough/V1 definition

For general information about blank templates, see [BlankEndEntityCertificate_APIPassthrough/V1 definition](#BlankEndEntityCertificate_APIPassthrough).

**BlankEndEntityCertificate_CriticalBasicConstraints_CSRPassthrough/V1**  

|  X509v3 Parameter  | Value | 
| --- | --- | 
|  Subject alternative name  |  [Passthrough from API or CSR]  | 
|  Subject  |  [Passthrough from API or CSR]  | 
|  Basic constraints  |  Critical, CA:FALSE  | 
|  Authority key identifier  |  [SKI from CA certificate]  | 
|  Subject key identifier  |  [Derived from CSR]  | 
|  CRL distribution points\*  |  [Passthrough from CA configuration or CSR]  | 

\* CRL distribution points are included in the template only if the CA is configured with CRL generation enabled. 

## BlankEndEntityCertificate_CSRPassthrough/V1 definition

For general information about blank templates, see [BlankEndEntityCertificate_APIPassthrough/V1 definition](#BlankEndEntityCertificate_APIPassthrough).

**BlankEndEntityCertificate_CSRPassthrough/V1**  

|  X509v3 Parameter  | Value | 
| --- | --- | 
|  Subject alternative name  |  [Passthrough from CSR]  | 
|  Subject  |  [Passthrough from CSR]  | 
|  Basic constraints  |  CA:FALSE  | 
|  Authority key identifier  |  [SKI from CA certificate]  | 
|  Subject key identifier  |  [Derived from CSR]  | 
|  CRL distribution points\*  |  [Passthrough from CA configuration or CSR]  | 

\* CRL distribution points are included in the template only if the CA is configured with CRL generation enabled. 

## BlankSubordinateCACertificate_PathLen0_CSRPassthrough/V1 definition

For general information about blank templates, see [BlankEndEntityCertificate_APIPassthrough/V1 definition](#BlankEndEntityCertificate_APIPassthrough).

**BlankSubordinateCACertificate_PathLen0_CSRPassthrough/V1**  

|  X509v3 Parameter  | Value | 
| --- | --- | 
|  Subject alternative name  |  [Passthrough from CSR]  | 
|  Subject  |  [Passthrough from CSR]  | 
|  Basic constraints  |  Critical, `CA:TRUE`, `pathlen: 0`  | 
|  Authority key identifier  |  [SKI from CA certificate]  | 
|  Subject key identifier  |  [Derived from CSR]  | 
|  CRL distribution points\*  |  [Passthrough from CA configuration or CSR]  | 

\* CRL distribution points are included in the template only if the CA is configured with CRL generation enabled. 

## BlankSubordinateCACertificate_PathLen0_APICSRPassthrough/V1 definition

For general information about blank templates, see [BlankEndEntityCertificate_APIPassthrough/V1 definition](#BlankEndEntityCertificate_APIPassthrough).

**BlankSubordinateCACertificate_PathLen0_APICSRPassthrough/V1**  

|  X509v3 Parameter  | Value | 
| --- | --- | 
|  Subject alternative name  |  [Passthrough from API or CSR]  | 
|  Subject  |  [Passthrough from API or CSR]  | 
|  Basic constraints  |  Critical, `CA:TRUE`, `pathlen: 0`  | 
|  Authority key identifier  |  [SKI from CA certificate]  | 
|  Subject key identifier  |  [Derived from CSR]  | 
|  CRL distribution points\*  |  [Passthrough from CA configuration or CSR]  | 

\* CRL distribution points are included in the template only if the CA is configured with CRL generation enabled. 

## BlankSubordinateCACertificate_PathLen0_APIPassthrough/V1 definition

For general information about blank templates, see [BlankEndEntityCertificate_APIPassthrough/V1 definition](#BlankEndEntityCertificate_APIPassthrough).

**BlankSubordinateCACertificate_PathLen0_APIPassthrough/V1**  

|  X509v3 Parameter  | Value | 
| --- | --- | 
|  Subject alternative name  |  [Passthrough from API or CSR]  | 
|  Subject  |  [Passthrough from API or CSR]  | 
|  Basic constraints  |  Critical, `CA:TRUE`, `pathlen: 0`  | 
|  Authority key identifier  |  [SKI from CA certificate]  | 
|  Subject key identifier  |  [Derived from CSR]  | 
|  CRL distribution points\*  |  [Passthrough from CA configuration]  | 

\* CRL distribution points are included in the template only if the CA is configured with CRL generation enabled. 

## BlankSubordinateCACertificate_PathLen1_APIPassthrough/V1 definition

For general information about blank templates, see [BlankEndEntityCertificate_APIPassthrough/V1 definition](#BlankEndEntityCertificate_APIPassthrough).

**BlankSubordinateCACertificate_PathLen1_APIPassthrough/V1**  

|  X509v3 Parameter  | Value | 
| --- | --- | 
|  Subject alternative name  |  [Passthrough from API or CSR]  | 
|  Subject  |  [Passthrough from API or CSR]  | 
|  Basic constraints  |  Critical, `CA:TRUE`, `pathlen: 1`  | 
|  Authority key identifier  |  [SKI from CA certificate]  | 
|  Subject key identifier  |  [Derived from CSR]  | 
|  CRL distribution points\*  |  [Passthrough from CA configuration]  | 

\* CRL distribution points are included in the template only if the CA is configured with CRL generation enabled. 

## BlankSubordinateCACertificate_PathLen1_CSRPassthrough/V1 definition

For general information about blank templates, see [BlankEndEntityCertificate_APIPassthrough/V1 definition](#BlankEndEntityCertificate_APIPassthrough).

**BlankSubordinateCACertificate_PathLen1_CSRPassthrough/V1**  

|  X509v3 Parameter  | Value | 
| --- | --- | 
|  Subject alternative name  |  [Passthrough from CSR]  | 
|  Subject  |  [Passthrough from CSR]  | 
|  Basic constraints  |  Critical, `CA:TRUE`, `pathlen: 1`  | 
|  Authority key identifier  |  [SKI from CA certificate]  | 
|  Subject key identifier  |  [Derived from CSR]  | 
|  CRL distribution points\*  |  [Passthrough from CA configuration or CSR]  | 

\* CRL distribution points are included in the template only if the CA is configured with CRL generation enabled. 

## BlankSubordinateCACertificate_PathLen1_APICSRPassthrough/V1 definition

For general information about blank templates, see [BlankEndEntityCertificate_APIPassthrough/V1 definition](#BlankEndEntityCertificate_APIPassthrough).

**BlankSubordinateCACertificate_PathLen1_APICSRPassthrough/V1**  

|  X509v3 Parameter  | Value | 
| --- | --- | 
|  Subject alternative name  |  [Passthrough from API or CSR]  | 
|  Subject  |  [Passthrough from API or CSR]  | 
|  Basic constraints  |  Critical, `CA:TRUE`, `pathlen: 1`  | 
|  Authority key identifier  |  [SKI from CA certificate]  | 
|  Subject key identifier  |  [Derived from CSR]  | 
|  CRL distribution points\*  |  [Passthrough from CA configuration or CSR]  | 

\* CRL distribution points are included in the template only if the CA is configured with CRL generation enabled. 

### BlankSubordinateCACertificate_PathLen2_APIPassthrough/V1 definition


For general information about blank templates, see [BlankEndEntityCertificate_APIPassthrough/V1 definition](#BlankEndEntityCertificate_APIPassthrough).


**BlankSubordinateCACertificate_PathLen2_APIPassthrough/V1**  

|  X509v3 Parameter  | Value | 
| --- | --- | 
|  Subject alternative name  |  [Passthrough from API or CSR]  | 
|  Subject  |  [Passthrough from API or CSR]  | 
|  Basic constraints  |  Critical, `CA:TRUE`, `pathlen: 2`  | 
|  Authority key identifier  |  [SKI from CA Certificate]  | 
|  Subject key identifier  |  [Derived from CSR]  | 
|  CRL distribution points¹  |  [Passthrough from CA configuration]  | 

¹ CRL distribution points are included in the template only if the CA is configured with CRL generation enabled.

### BlankSubordinateCACertificate_PathLen2_CSRPassthrough/V1 definition


For general information about blank templates, see [BlankEndEntityCertificate_APIPassthrough/V1 definition](#BlankEndEntityCertificate_APIPassthrough).


**BlankSubordinateCACertificate_PathLen2_CSRPassthrough/V1**  

|  X509v3 Parameter  | Value | 
| --- | --- | 
|  Subject alternative name  |  [Passthrough from CSR]  | 
|  Subject  |  [Passthrough from CSR]  | 
|  Basic constraints  |  Critical, `CA:TRUE`, `pathlen: 2`  | 
|  Authority key identifier  |  [SKI from CA Certificate]  | 
|  Subject key identifier  |  [Derived from CSR]  | 
|  CRL distribution points¹  |  [Passthrough from CA configuration or CSR]  | 

¹ CRL distribution points are included in the template only if the CA is configured with CRL generation enabled.

### BlankSubordinateCACertificate_PathLen2_APICSRPassthrough/V1 definition


For general information about blank templates, see [BlankEndEntityCertificate_APIPassthrough/V1 definition](#BlankEndEntityCertificate_APIPassthrough).


**BlankSubordinateCACertificate_PathLen2_APICSRPassthrough/V1**  

|  X509v3 Parameter  | Value | 
| --- | --- | 
|  Subject alternative name  |  [Passthrough from API or CSR]  | 
|  Subject  |  [Passthrough from API or CSR]  | 
|  Basic constraints  |  Critical, `CA:TRUE`, `pathlen: 2`  | 
|  Authority key identifier  |  [SKI from CA Certificate]  | 
|  Subject key identifier  |  [Derived from CSR]  | 
|  CRL distribution points¹  |  [Passthrough from CA configuration or CSR]  | 

¹ CRL distribution points are included in the template only if the CA is configured with CRL generation enabled.

### BlankSubordinateCACertificate_PathLen3_APIPassthrough/V1 definition


For general information about blank templates, see [BlankEndEntityCertificate_APIPassthrough/V1 definition](#BlankEndEntityCertificate_APIPassthrough).


**BlankSubordinateCACertificate_PathLen3_APIPassthrough/V1**  

|  X509v3 Parameter  | Value | 
| --- | --- | 
|  Subject alternative name  |  [Passthrough from API or CSR]  | 
|  Subject  |  [Passthrough from API or CSR]  | 
|  Basic constraints  |  Critical, `CA:TRUE`, `pathlen: 3`  | 
|  Authority key identifier  |  [SKI from CA Certificate]  | 
|  Subject key identifier  |  [Derived from CSR]  | 
|  CRL distribution points¹  |  [Passthrough from CA configuration]  | 

¹ CRL distribution points are included in the template only if the CA is configured with CRL generation enabled.

### BlankSubordinateCACertificate_PathLen3_CSRPassthrough/V1 definition


For general information about blank templates, see [BlankEndEntityCertificate_APIPassthrough/V1 definition](#BlankEndEntityCertificate_APIPassthrough).


**BlankSubordinateCACertificate_PathLen3_CSRPassthrough/V1**  

|  X509v3 Parameter  | Value | 
| --- | --- | 
|  Subject alternative name  |  [Passthrough from CSR]  | 
|  Subject  |  [Passthrough from CSR]  | 
|  Basic constraints  |  Critical, `CA:TRUE`, `pathlen: 3`  | 
|  Authority key identifier  |  [SKI from CA Certificate]  | 
|  Subject key identifier  |  [Derived from CSR]  | 
|  CRL distribution points¹  |  [Passthrough from CA configuration or CSR]  | 

¹ CRL distribution points are included in the template only if the CA is configured with CRL generation enabled.

### BlankSubordinateCACertificate_PathLen3_APICSRPassthrough/V1 definition


For general information about blank templates, see [BlankEndEntityCertificate_APIPassthrough/V1 definition](#BlankEndEntityCertificate_APIPassthrough).


**BlankSubordinateCACertificate_PathLen3_APICSRPassthrough/V1**  

|  X509v3 Parameter  | Value | 
| --- | --- | 
|  Subject alternative name  |  [Passthrough from API or CSR]  | 
|  Subject  |  [Passthrough from API or CSR]  | 
|  Basic constraints  |  Critical, `CA:TRUE`, `pathlen: 3`  | 
|  Authority key identifier  |  [SKI from CA Certificate]  | 
|  Subject key identifier  |  [Derived from CSR]  | 
|  CRL distribution points¹  |  [Passthrough from CA configuration or CSR]  | 

¹ CRL distribution points are included in the template only if the CA is configured with CRL generation enabled.

### CodeSigningCertificate/V1 definition


This template is used to create certificates for code signing. You can use code-signing certificates from Amazon Private CA with any code-signing solution that is based on a private CA infrastructure. For example, customers using Code Signing for Amazon IoT can generate a code-signing certificate with Amazon Private CA and import it to Amazon Certificate Manager. For more information, see [What Is Code Signing for Amazon IoT?](https://docs.aws.amazon.com/signer/latest/developerguide/Welcome.html) and [Obtain and Import a Code Signing Certificate](https://docs.amazonaws.cn/signer/latest/developerguide/obtain-cert.html).


**CodeSigningCertificate/V1**  

|  X509v3 Parameter  | Value | 
| --- | --- | 
|  Subject alternative name  |  [Passthrough from CSR]  | 
|  Subject  |  [Passthrough from CSR]  | 
|  Basic constraints  |  `CA:FALSE`  | 
|  Authority key identifier  |  [SKI from CA Certificate]  | 
|  Subject key identifier  |  [Derived from CSR]  | 
|  Key usage  |  Critical, digital signature  | 
|  Extended key usage  |  Critical, code signing  | 
|  CRL distribution points¹  |  [Passthrough from CA configuration]  | 

¹ CRL distribution points are included in the template only if the CA is configured with CRL generation enabled.

### CodeSigningCertificate_APICSRPassthrough/V1 definition


This template extends CodeSigningCertificate/V1 to support API and CSR passthrough values.


**CodeSigningCertificate_APICSRPassthrough/V1**  

|  X509v3 Parameter  | Value | 
| --- | --- | 
|  Subject alternative name  |  [Passthrough from API or CSR]  | 
|  Subject  |  [Passthrough from API or CSR]  | 
|  Basic constraints  |  `CA:FALSE`  | 
|  Authority key identifier  |  [SKI from CA Certificate]  | 
|  Subject key identifier  |  [Derived from CSR]  | 
|  Key usage  |  Critical, digital signature  | 
|  Extended key usage  |  Critical, code signing  | 
|  CRL distribution points¹  |  [Passthrough from CA configuration or CSR]  | 

¹ CRL distribution points are included in the template only if the CA is configured with CRL generation enabled.

### CodeSigningCertificate_APIPassthrough/V1 definition


This template is identical to the `CodeSigningCertificate` template with one difference: In this template, Amazon Private CA passes additional extensions through the API to the certificate if the extensions are not specified in the template. Extensions specified in the template always override extensions in the API.


**CodeSigningCertificate_APIPassthrough/V1**  

|  X509v3 Parameter  | Value | 
| --- | --- | 
|  Subject alternative name  |  [Passthrough from API or CSR]  | 
|  Subject  |  [Passthrough from API or CSR]  | 
|  Basic constraints  |  `CA:FALSE`  | 
|  Authority key identifier  |  [SKI from CA Certificate]  | 
|  Subject key identifier  |  [Derived from CSR]  | 
|  Key usage  |  Critical, digital signature  | 
|  Extended key usage  |  Critical, code signing  | 
|  CRL distribution points¹  |  [Passthrough from CA configuration]  | 

¹ CRL distribution points are included in the template only if the CA is configured with CRL generation enabled.

### CodeSigningCertificate_CSRPassthrough/V1 definition


This template is identical to the `CodeSigningCertificate` template with one difference: In this template, Amazon Private CA passes additional extensions from the certificate signing request (CSR) into the certificate if the extensions are not specified in the template. Extensions specified in the template always override extensions in the CSR.


**CodeSigningCertificate_CSRPassthrough/V1**  

|  X509v3 Parameter  |  Value  | 
| --- | --- | 
|  Subject alternative name  |  [Passthrough from CSR]  | 
|  Subject  |  [Passthrough from CSR]  | 
|  Basic constraints  |  `CA:FALSE`  | 
|  Authority key identifier  |  [SKI from CA Certificate]  | 
|  Subject key identifier  |  [Derived from CSR]  | 
|  Key usage  |  Critical, digital signature  | 
|  Extended key usage  |  Critical, code signing  | 
|  CRL distribution points¹  |  [Passthrough from CA configuration or CSR]  | 

¹ CRL distribution points are included in the template only if the CA is configured with CRL generation enabled.
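The precedence rule the three passthrough variants share (template-defined extensions win; the API or the CSR only fills what the template leaves open) is easy to get wrong when a requester expects, say, a `serverAuth` EKU to survive on a code-signing template. The following is an added example, not code from the Amazon Private CA documentation or from the service itself: it models that rule for the template families defined on this page and reports which supplied values would be silently dropped. The fixed values are transcribed from the tables above in OpenSSL-style names; giving API values priority over CSR values inside an `_APICSRPassthrough` template is an assumption of this example, not something the page states.

```python
"""Added example: model of how Amazon Private CA template variants merge
extensions.  Rule from the docs: extensions the template defines always
override the same extension supplied via the API or the CSR; *_APIPassthrough
accepts the remainder from the API request, *_CSRPassthrough from the CSR,
*_APICSRPassthrough from both.  API-before-CSR ordering in the APICSR case
is an assumption of this example."""

# Extension values each base template fixes, transcribed from the tables on
# this page.  Subject and SAN are omitted: every template passes them through.
TEMPLATE_FIXED = {
    "BlankEndEntityCertificate": {
        "basicConstraints": "CA:FALSE",
    },
    "CodeSigningCertificate": {
        "basicConstraints": "CA:FALSE",
        "keyUsage": "Critical, digitalSignature",
        "extendedKeyUsage": "Critical, codeSigning",
    },
    "EndEntityCertificate": {
        "basicConstraints": "CA:FALSE",
        "keyUsage": "Critical, digitalSignature, keyEncipherment",
        "extendedKeyUsage": "serverAuth, clientAuth",
    },
    "EndEntityClientAuthCertificate": {
        "basicConstraints": "CA:FALSE",
        "keyUsage": "Critical, digitalSignature, keyEncipherment",
        "extendedKeyUsage": "clientAuth",
    },
    "EndEntityServerAuthCertificate": {
        "basicConstraints": "CA:FALSE",
        "keyUsage": "Critical, digitalSignature, keyEncipherment",
        "extendedKeyUsage": "serverAuth",
    },
    "OCSPSigningCertificate": {
        "basicConstraints": "CA:FALSE",
        "keyUsage": "Critical, digitalSignature",
        "extendedKeyUsage": "Critical, OCSPSigning",
    },
    "SubordinateCACertificate_PathLen0": {
        "basicConstraints": "Critical, CA:TRUE, pathlen:0",
        "keyUsage": "Critical, digitalSignature, keyCertSign, cRLSign",
    },
}

# Longest suffix first: "APICSRPassthrough" must be tried before
# "CSRPassthrough", otherwise the base name would be mis-parsed.
VARIANTS = ("APICSRPassthrough", "APIPassthrough", "CSRPassthrough")


def parse_template(name):
    """Split 'Base_Variant/V1' into (base, variant); variant is '' for the
    base template that takes nothing from the API and only SAN from the CSR."""
    base = name.split("/", 1)[0]
    for variant in VARIANTS:
        suffix = "_" + variant
        if base.endswith(suffix):
            return base[: -len(suffix)], variant
    return base, ""


def effective_extensions(template_name, api_ext=None, csr_ext=None):
    """Return (effective, ignored).

    effective: extension name -> value that would end up in the certificate.
    ignored:   list of (extension, source, reason) for supplied values the
               template would not honour; surface these to the requester
               instead of letting them disappear silently."""
    base, variant = parse_template(template_name)
    fixed = TEMPLATE_FIXED[base]
    api_ok = variant in ("APIPassthrough", "APICSRPassthrough")
    csr_ok = variant in ("CSRPassthrough", "APICSRPassthrough")

    effective = dict(fixed)
    ignored = []
    # Assumption: API values are considered before CSR values, so in the
    # APICSR variant an extension present in both is taken from the API.
    for source, supplied, allowed in (("api", api_ext or {}, api_ok),
                                      ("csr", csr_ext or {}, csr_ok)):
        for ext, value in supplied.items():
            if ext in fixed:
                ignored.append((ext, source, "overridden by template"))
            elif ext in effective:
                ignored.append((ext, source, "already set from api"))
            elif allowed or (source == "csr" and ext == "subjectAltName"):
                # Every template on this page passes SAN through from the
                # CSR, even the base variant that drops other CSR extensions.
                effective[ext] = value
            else:
                ignored.append((ext, source, "source not accepted by variant"))
    return effective, ignored


if __name__ == "__main__":
    # Constructed request: a build server asks for serverAuth on a
    # code-signing template; the template's critical codeSigning EKU wins.
    eff, ign = effective_extensions(
        "CodeSigningCertificate_APIPassthrough/V1",
        api_ext={"extendedKeyUsage": "serverAuth",
                 "subjectAltName": "DNS:build.example.internal"})
    print(eff["extendedKeyUsage"])   # Critical, codeSigning
    print(ign)                       # [('extendedKeyUsage', 'api', 'overridden by template')]
```

Running the block as a script shows the dropped EKU; in an issuance pipeline the `ignored` list is the value to log or reject on, since the issued certificate itself gives no hint that a requested extension was discarded.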

### EndEntityCertificate/V1 definition


This template is used to create certificates for end entities such as operating systems or web servers. 


**EndEntityCertificate/V1**  

|  X509v3 Parameter  | Value | 
| --- | --- | 
|  Subject alternative name  |  [Passthrough from CSR]  | 
|  Subject  |  [Passthrough from CSR]  | 
|  Basic constraints  |  `CA:FALSE`  | 
|  Authority key identifier  |  [SKI from CA certificate]  | 
|  Subject key identifier  |  [Derived from CSR]  | 
|  Key usage  |  Critical, digital signature, key encipherment  | 
|  Extended key usage  |  TLS web server authentication, TLS web client authentication  | 
|  CRL distribution points¹  |  [Passthrough from CA configuration]  | 

¹ CRL distribution points are included in the template only if the CA is configured with CRL generation enabled.

### EndEntityCertificate_APICSRPassthrough/V1 definition


This template extends EndEntityCertificate/V1 to support API and CSR passthrough values.


**EndEntityCertificate_APICSRPassthrough/V1**  

|  X509v3 Parameter  | Value | 
| --- | --- | 
|  Subject alternative name  |  [Passthrough from API or CSR]  | 
|  Subject  |  [Passthrough from API or CSR]  | 
|  Basic constraints  |  `CA:FALSE`  | 
|  Authority key identifier  |  [SKI from CA certificate]  | 
|  Subject key identifier  |  [Derived from CSR]  | 
|  Key usage  |  Critical, digital signature, key encipherment  | 
|  Extended key usage  |  TLS web server authentication, TLS web client authentication  | 
|  CRL distribution points¹  |  [Passthrough from CA configuration or CSR]  | 

¹ CRL distribution points are included in the template only if the CA is configured with CRL generation enabled.

### EndEntityCertificate_APIPassthrough/V1 definition


This template is identical to the `EndEntityCertificate` template with one difference: In this template, Amazon Private CA passes additional extensions through the API to the certificate if the extensions are not specified in the template. Extensions specified in the template always override extensions in the API.


**EndEntityCertificate_APIPassthrough/V1**  

|  X509v3 Parameter  | Value | 
| --- | --- | 
|  Subject alternative name  |  [Passthrough from API or CSR]  | 
|  Subject  |  [Passthrough from API or CSR]  | 
|  Basic constraints  |  `CA:FALSE`  | 
|  Authority key identifier  |  [SKI from CA certificate]  | 
|  Subject key identifier  |  [Derived from CSR]  | 
|  Key usage  |  Critical, digital signature, key encipherment  | 
|  Extended key usage  |  TLS web server authentication, TLS web client authentication  | 
|  CRL distribution points¹  |  [Passthrough from CA configuration]  | 

¹ CRL distribution points are included in the template only if the CA is configured with CRL generation enabled.

### EndEntityCertificate_CSRPassthrough/V1 definition


This template is identical to the `EndEntityCertificate` template with one difference: In this template, Amazon Private CA passes additional extensions from the certificate signing request (CSR) into the certificate if the extensions are not specified in the template. Extensions specified in the template always override extensions in the CSR.


**EndEntityCertificate_CSRPassthrough/V1**  

|  X509v3 Parameter  | Value | 
| --- | --- | 
|  Subject alternative name  |  [Passthrough from CSR]  | 
|  Subject  |  [Passthrough from CSR]  | 
|  Basic constraints  |  `CA:FALSE`  | 
|  Authority key identifier  |  [SKI from CA certificate]  | 
|  Subject key identifier  |  [Derived from CSR]  | 
|  Key usage  |  Critical, digital signature, key encipherment  | 
|  Extended key usage  |  TLS web server authentication, TLS web client authentication  | 
|  CRL distribution points¹  |  [Passthrough from CA configuration or CSR]  | 

¹ CRL distribution points are included in the template only if the CA is configured with CRL generation enabled.

### EndEntityClientAuthCertificate/V1 definition


This template differs from the `EndEntityCertificate` only in the Extended key usage value, which restricts it to TLS web client authentication.


**EndEntityClientAuthCertificate/V1**  

|  X509v3 Parameter  |  Value  | 
| --- | --- | 
|  Subject alternative name  |  [Passthrough from CSR]  | 
|  Subject  |  [Passthrough from CSR]  | 
|  Basic constraints  |  `CA:FALSE`  | 
|  Authority key identifier  |  [SKI from CA certificate]  | 
|  Subject key identifier  |  [Derived from CSR]  | 
|  Key usage  |  Critical, digital signature, key encipherment  | 
|  Extended key usage  |  TLS web client authentication  | 
|  CRL distribution points¹  |  [Passthrough from CA configuration or CSR]  | 

¹ CRL distribution points are included in the template only if the CA is configured with CRL generation enabled.

### EndEntityClientAuthCertificate_APICSRPassthrough/V1 definition


This template extends EndEntityClientAuthCertificate/V1 to support API and CSR passthrough values.


**EndEntityClientAuthCertificate_APICSRPassthrough/V1**  

|  X509v3 Parameter  | Value | 
| --- | --- | 
|  Subject alternative name  |  [Passthrough from API or CSR]  | 
|  Subject  |  [Passthrough from API or CSR]  | 
|  Basic constraints  |  `CA:FALSE`  | 
|  Authority key identifier  |  [SKI from CA certificate]  | 
|  Subject key identifier  |  [Derived from CSR]  | 
|  Key usage  |  Critical, digital signature, key encipherment  | 
|  Extended key usage  |  TLS web client authentication  | 
|  CRL distribution points¹  |  [Passthrough from CA configuration or CSR]  | 

¹ CRL distribution points are included in the template only if the CA is configured with CRL generation enabled.

### EndEntityClientAuthCertificate_APIPassthrough/V1 definition


This template is identical to the `EndEntityClientAuthCertificate` template with one difference. In this template, Amazon Private CA passes additional extensions through the API into the certificate if the extensions are not specified in the template. Extensions specified in the template always override extensions in the API.


**EndEntityClientAuthCertificate_APIPassthrough/V1**  

|  X509v3 Parameter  | Value | 
| --- | --- | 
|  Subject alternative name  |  [Passthrough from API or CSR]  | 
|  Subject  |  [Passthrough from API or CSR]  | 
|  Basic constraints  |  `CA:FALSE`  | 
|  Authority key identifier  |  [SKI from CA certificate]  | 
|  Subject key identifier  |  [Derived from CSR]  | 
|  Key usage  |  Critical, digital signature, key encipherment  | 
|  Extended key usage  |  TLS web client authentication  | 
|  CRL distribution points¹  |  [Passthrough from CA configuration]  | 

¹ CRL distribution points are included in the template only if the CA is configured with CRL generation enabled.

### EndEntityClientAuthCertificate_CSRPassthrough/V1 definition


This template is identical to the `EndEntityClientAuthCertificate` template with one difference. In this template, Amazon Private CA passes additional extensions from the certificate signing request (CSR) into the certificate if the extensions are not specified in the template. Extensions specified in the template always override extensions in the CSR.


**EndEntityClientAuthCertificate_CSRPassthrough/V1**  

|  X509v3 Parameter  | Value | 
| --- | --- | 
|  Subject alternative name  |  [Passthrough from CSR]  | 
|  Subject  |  [Passthrough from CSR]  | 
|  Basic constraints  |  `CA:FALSE`  | 
|  Authority key identifier  |  [SKI from CA certificate]  | 
|  Subject key identifier  |  [Derived from CSR]  | 
|  Key usage  |  Critical, digital signature, key encipherment  | 
|  Extended key usage  |  TLS web client authentication  | 
|  CRL distribution points¹  |  [Passthrough from CA configuration or CSR]  | 

¹ CRL distribution points are included in the template only if the CA is configured with CRL generation enabled.

### EndEntityServerAuthCertificate/V1 definition


This template differs from the `EndEntityCertificate` only in the Extended key usage value, which restricts it to TLS web server authentication.


**EndEntityServerAuthCertificate/V1**  

|  X509v3 Parameter  |  Value  | 
| --- | --- | 
|  Subject alternative name  |  [Passthrough from CSR]  | 
|  Subject  |  [Passthrough from CSR]  | 
|  Basic constraints  |  `CA:FALSE`  | 
|  Authority key identifier  |  [SKI from CA certificate]  | 
|  Subject key identifier  |  [Derived from CSR]  | 
|  Key usage  |  Critical, digital signature, key encipherment  | 
|  Extended key usage  |  TLS web server authentication  | 
|  CRL distribution points¹  |  [Passthrough from CA configuration]  | 

¹ CRL distribution points are included in the template only if the CA is configured with CRL generation enabled.

### EndEntityServerAuthCertificate_APICSRPassthrough/V1 definition


This template extends EndEntityServerAuthCertificate/V1 to support API and CSR passthrough values.


**EndEntityServerAuthCertificate_APICSRPassthrough/V1**  

|  X509v3 Parameter  | Value | 
| --- | --- | 
|  Subject alternative name  |  [Passthrough from API or CSR]  | 
|  Subject  |  [Passthrough from API or CSR]  | 
|  Basic constraints  |  `CA:FALSE`  | 
|  Authority key identifier  |  [SKI from CA certificate]  | 
|  Subject key identifier  |  [Derived from CSR]  | 
|  Key usage  |  Critical, digital signature, key encipherment  | 
|  Extended key usage  |  TLS web server authentication  | 
|  CRL distribution points¹  |  [Passthrough from CA configuration or CSR]  | 

¹ CRL distribution points are included in the template only if the CA is configured with CRL generation enabled.

### EndEntityServerAuthCertificate_APIPassthrough/V1 definition


This template is identical to the `EndEntityServerAuthCertificate` template with one difference. In this template, Amazon Private CA passes additional extensions through the API into the certificate if the extensions are not specified in the template. Extensions specified in the template always override extensions in the API.


**EndEntityServerAuthCertificate_APIPassthrough/V1**  

|  X509v3 Parameter  | Value | 
| --- | --- | 
|  Subject alternative name  |  [Passthrough from API or CSR]  | 
|  Subject  |  [Passthrough from API or CSR]  | 
|  Basic constraints  |  `CA:FALSE`  | 
|  Authority key identifier  |  [SKI from CA certificate]  | 
|  Subject key identifier  |  [Derived from CSR]  | 
|  Key usage  |  Critical, digital signature, key encipherment  | 
|  Extended key usage  |  TLS web server authentication  | 
|  CRL distribution points¹  |  [Passthrough from CA configuration]  | 

¹ CRL distribution points are included in the template only if the CA is configured with CRL generation enabled.

### EndEntityServerAuthCertificate_CSRPassthrough/V1 definition


This template is identical to the `EndEntityServerAuthCertificate` template with one difference. In this template, Amazon Private CA passes additional extensions from the certificate signing request (CSR) into the certificate if the extensions are not specified in the template. Extensions specified in the template always override extensions in the CSR.


**EndEntityServerAuthCertificate_CSRPassthrough/V1**  

|  X509v3 Parameter  |  Value  | 
| --- | --- | 
|  Subject alternative name  |  [Passthrough from CSR]  | 
|  Subject  |  [Passthrough from CSR]  | 
|  Basic constraints  |  `CA:FALSE`  | 
|  Authority key identifier  |  [SKI from CA certificate]  | 
|  Subject key identifier  |  [Derived from CSR]  | 
|  Key usage  |  Critical, digital signature, key encipherment  | 
|  Extended key usage  |  TLS web server authentication  | 
|  CRL distribution points¹  |  [Passthrough from CA configuration or CSR]  | 

¹ CRL distribution points are included in the template only if the CA is configured with CRL generation enabled.

### OCSPSigningCertificate/V1 definition


This template is used to create certificates for signing OCSP responses. The template is identical to the `CodeSigningCertificate` template, except that the Extended key usage value specifies OCSP signing instead of code signing.


**OCSPSigningCertificate/V1**  

|  X509v3 Parameter  |  Value  | 
| --- | --- | 
|  Subject alternative name  |  [Passthrough from CSR]  | 
|  Subject  |  [Passthrough from CSR]  | 
|  Basic constraints  |  `CA:FALSE`  | 
| Authority key identifier |  [SKI from CA certificate]  | 
|  Subject key identifier  |  [Derived from CSR]  | 
|  Key usage  | Critical, digital signature | 
|  Extended key usage  |  Critical, OCSP signing  | 
|  CRL distribution points¹  |  [Passthrough from CA configuration]  | 

¹ CRL distribution points are included in the template only if the CA is configured with CRL generation enabled.

### OCSPSigningCertificate_APICSRPassthrough/V1 definition


This template extends OCSPSigningCertificate/V1 to support API and CSR passthrough values.


**OCSPSigningCertificate_APICSRPassthrough/V1**  

|  X509v3 Parameter  | Value | 
| --- | --- | 
|  Subject alternative name  |  [Passthrough from API or CSR]  | 
|  Subject  |  [Passthrough from API or CSR]  | 
|  Basic constraints  |  `CA:FALSE`  | 
|  Authority key identifier  |  [SKI from CA certificate]  | 
|  Subject key identifier  |  [Derived from CSR]  | 
|  Key usage  |  Critical, digital signature  | 
|  Extended key usage  |  Critical, OCSP signing  | 
|  CRL distribution points¹  |  [Passthrough from CA configuration or CSR]  | 

¹ CRL distribution points are included in the template only if the CA is configured with CRL generation enabled.

### OCSPSigningCertificate_APIPassthrough/V1 definition


This template is identical to the `OCSPSigningCertificate` template with one difference. In this template, Amazon Private CA passes additional extensions through the API into the certificate if the extensions are not specified in the template. Extensions specified in the template always override extensions in the API.


**OCSPSigningCertificate_APIPassthrough/V1**  

|  X509v3 Parameter  | Value | 
| --- | --- | 
|  Subject alternative name  |  [Passthrough from API or CSR]  | 
|  Subject  |  [Passthrough from API or CSR]  | 
|  Basic constraints  |  `CA:FALSE`  | 
|  Authority key identifier  |  [SKI from CA certificate]  | 
|  Subject key identifier  |  [Derived from CSR]  | 
|  Key usage  |  Critical, digital signature  | 
|  Extended key usage  |  Critical, OCSP signing  | 
|  CRL distribution points¹  |  [Passthrough from CA configuration]  | 

¹ CRL distribution points are included in the template only if the CA is configured with CRL generation enabled.

### OCSPSigningCertificate_CSRPassthrough/V1 definition


This template is identical to the `OCSPSigningCertificate` template with one difference. In this template, Amazon Private CA passes additional extensions from the certificate signing request (CSR) into the certificate if the extensions are not specified in the template. Extensions specified in the template always override extensions in the CSR.


**OCSPSigningCertificate_CSRPassthrough/V1**  

|  X509v3 Parameter  |  Value  | 
| --- | --- | 
|  Subject alternative name  |  [Passthrough from CSR]  | 
|  Subject  |  [Passthrough from CSR]  | 
|  Basic constraints  |  `CA:FALSE`  | 
|  Authority key identifier  |  [SKI from CA certificate]  | 
|  Subject key identifier  |  [Derived from CSR]  | 
|  Key usage  |  Critical, digital signature  | 
|  Extended key usage  |  Critical, OCSP signing  | 
|  CRL distribution points¹  |  [Passthrough from CA configuration or CSR]  | 

¹ CRL distribution points are included in the template only if the CA is configured with CRL generation enabled.

### RootCACertificate/V1 definition


This template is used to issue self-signed root CA certificates. CA certificates include a critical basic constraints extension with the CA field set to `TRUE` to designate that the certificate can be used to issue CA certificates. The template does not specify a path length ([pathLenConstraint](PcaTerms.md#terms-pathlength)) because this could inhibit future expansion of the hierarchy. Extended key usage is excluded to prevent use of the CA certificate as a TLS client or server certificate. No CRL information is specified because a self-signed certificate cannot be revoked.


**RootCACertificate/V1**  

|  X509v3 Parameter  |  Value  | 
| --- | --- | 
|  Subject alternative name  |  [Passthrough from CSR]  | 
|  Subject  |  [Passthrough from CSR]  | 
|  Basic constraints  |  Critical, `CA:TRUE`  | 
|  Subject key identifier  |  [Derived from CSR]  | 
|  Key usage  |  Critical, digital signature, keyCertSign, CRL sign  | 
|  CRL distribution points  |  N/A  | 

### RootCACertificate_APIPassthrough/V1 definition


This template extends RootCACertificate/V1 to support API passthrough values.


**RootCACertificate_APIPassthrough/V1**  

|  X509v3 Parameter  | Value | 
| --- | --- | 
|  Subject alternative name  |  [Passthrough from API or CSR]  | 
|  Subject  |  [Passthrough from API or CSR]  | 
|  Basic constraints  |  Critical, `CA:TRUE`  | 
|  Authority key identifier  |  [Passthrough from API]  | 
|  Subject key identifier  |  [Derived from CSR]  | 
|  Key usage  |  Critical, digital signature, keyCertSign, CRL sign  | 
|  CRL distribution points  |  N/A  | 

### BlankRootCACertificate_APIPassthrough/V1 definition


With blank root certificate templates, you can issue root certificates with only X.509 basic constraints present. This is the simplest root certificate that Amazon Private CA can issue, but it can be customized using the API structure. The basic constraints extension defines whether or not the certificate is a CA certificate. A blank root certificate template enforces a value of `TRUE` for basic constraints to ensure that a root CA certificate is issued.

You can use blank passthrough root templates to issue root certificates that require specific values for key usage (KU). For example, key usage might require `keyCertSign` and `cRLSign`, but not `digitalSignature`. Unlike the non-blank root passthrough template, blank root certificate templates allow the configuration of the KU extension, where KU can be any of the nine supported values (`digitalSignature`, `nonRepudiation`, `keyEncipherment`, `dataEncipherment`, `keyAgreement`, `keyCertSign`, `cRLSign`, `encipherOnly`, and `decipherOnly`). 


**BlankRootCACertificate_APIPassthrough/V1**  

|  X509v3 Parameter  | Value | 
| --- | --- | 
|  Subject alternative name  |  [Passthrough from API or CSR]  | 
|  Subject  |  [Passthrough from API or CSR]  | 
|  Basic constraints  |  Critical, `CA:TRUE`  | 
|  Subject key identifier  |  [Derived from CSR]  | 
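Because a blank root template fixes nothing but basic constraints, the key usage the root ends up with is entirely what the caller puts in `ApiPassthrough`, so it is worth validating before the call rather than discovering a typo in an issued root. The following is an added example, not code from the Amazon Private CA documentation or from the service: it builds the `IssueCertificate` arguments for a blank root template, accepting only the nine KU names the paragraph above lists and refusing a KU set without `keyCertSign`. The dictionary shapes follow the boto3 `ApiPassthrough` and `KeyUsage` structures; the template ARN partition defaults to `aws` and is `aws-cn` in the China regions; the CA ARN and CSR in the script body are placeholders, and `SHA256WITHRSA` assumes an RSA CA key.

```python
"""Added example: assemble IssueCertificate parameters for a blank root CA
template and validate the requested key usage against the nine KU values the
page lists.  Assumptions: boto3 field names for ApiPassthrough/KeyUsage, the
'aws' partition, an RSA CA key, and placeholder CA ARN / CSR values."""

# The nine KU bits a blank root template accepts, keyed by the X.509 name the
# page uses and mapped to the boto3 KeyUsage field name.
SUPPORTED_KU = {
    "digitalSignature": "DigitalSignature",
    "nonRepudiation": "NonRepudiation",
    "keyEncipherment": "KeyEncipherment",
    "dataEncipherment": "DataEncipherment",
    "keyAgreement": "KeyAgreement",
    "keyCertSign": "KeyCertSign",
    "cRLSign": "CRLSign",
    "encipherOnly": "EncipherOnly",
    "decipherOnly": "DecipherOnly",
}

ROOT_PATH_LENS = (0, 1, 2, 3)  # the PathLen variants defined on this page


def blank_root_template_arn(path_len=None, partition="aws"):
    """ARN of BlankRootCACertificate_APIPassthrough/V1, or of the
    BlankRootCACertificate_PathLen{n}_APIPassthrough/V1 variant."""
    if path_len is None:
        name = "BlankRootCACertificate_APIPassthrough"
    elif path_len in ROOT_PATH_LENS:
        name = f"BlankRootCACertificate_PathLen{path_len}_APIPassthrough"
    else:
        raise ValueError(f"no blank root template with pathlen {path_len}")
    return f"arn:{partition}:acm-pca:::template/{name}/V1"


def build_root_api_passthrough(key_usage, common_name):
    """ApiPassthrough block carrying the Subject and a KeyUsage extension.

    Rejects KU names outside the nine the page lists, and a KU set without
    keyCertSign: a CA whose certificate carries a key usage extension must
    assert keyCertSign for path validation to accept it (RFC 5280, 6.1.4)."""
    unknown = sorted(set(key_usage) - SUPPORTED_KU.keys())
    if unknown:
        raise ValueError(f"unsupported key usage bits: {unknown}")
    if "keyCertSign" not in key_usage:
        raise ValueError("a root CA key usage must include keyCertSign")
    return {
        "Subject": {"CommonName": common_name},
        "Extensions": {
            "KeyUsage": {SUPPORTED_KU[ku]: True for ku in key_usage},
        },
    }


def build_issue_request(ca_arn, csr_pem, key_usage, common_name,
                        path_len=None, years=10, partition="aws"):
    """Keyword arguments for the boto3 acm-pca client's issue_certificate()."""
    return {
        "CertificateAuthorityArn": ca_arn,
        "Csr": csr_pem,
        "SigningAlgorithm": "SHA256WITHRSA",  # assumes an RSA CA key
        "TemplateArn": blank_root_template_arn(path_len, partition),
        "Validity": {"Value": years, "Type": "YEARS"},
        "ApiPassthrough": build_root_api_passthrough(key_usage, common_name),
    }


if __name__ == "__main__":
    # Placeholder CA ARN and CSR (constructed); a real call passes the CSR
    # returned by get_certificate_authority_csr() for the root being activated.
    req = build_issue_request(
        "arn:aws:acm-pca:<region>:<account>:certificate-authority/<id>",
        b"-----BEGIN CERTIFICATE REQUEST-----\n<csr body>\n-----END CERTIFICATE REQUEST-----\n",
        ["keyCertSign", "cRLSign"],
        "Example Root CA",
        path_len=1,
    )
    print(req["TemplateArn"])
    print(req["ApiPassthrough"]["Extensions"]["KeyUsage"])
```

The request dict is what you would unpack into `client.issue_certificate(**req)`; keeping the KU whitelist and the `keyCertSign` check in front of that call turns a mis-typed bit name into a local error instead of a root certificate you then have to retire.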

### BlankRootCACertificate_PathLen0_APIPassthrough/V1 definition


For general information about blank root CA templates, see [BlankRootCACertificate_APIPassthrough/V1 definition](#BlankRootCACertificate_APIPassthrough).


**BlankRootCACertificate_PathLen0_APIPassthrough/V1**  

|  X509v3 Parameter  | Value | 
| --- | --- | 
|  Subject alternative name  |  [Passthrough from API or CSR]  | 
|  Subject  |  [Passthrough from API or CSR]  | 
|  Basic constraints  |  Critical, `CA:TRUE`, `pathlen: 0`  | 
|  Subject key identifier  |  [Derived from CSR]  | 

### BlankRootCACertificate_PathLen1_APIPassthrough/V1 definition


For general information about blank root CA templates, see [BlankRootCACertificate_APIPassthrough/V1 definition](#BlankRootCACertificate_APIPassthrough).


**BlankRootCACertificate_PathLen1_APIPassthrough/V1**  

|  X509v3 Parameter  | Value | 
| --- | --- | 
|  Subject alternative name  |  [Passthrough from API or CSR]  | 
|  Subject  |  [Passthrough from API or CSR]  | 
|  Basic constraints  |  Critical, `CA:TRUE`, `pathlen: 1`  | 
|  Subject key identifier  |  [Derived from CSR]  | 

### BlankRootCACertificate_PathLen2_APIPassthrough/V1 definition


For general information about blank root CA templates, see [BlankRootCACertificate_APIPassthrough/V1 definition](#BlankRootCACertificate_APIPassthrough).


**BlankRootCACertificate_PathLen2_APIPassthrough/V1**  

|  X509v3 Parameter  | Value | 
| --- | --- | 
|  Subject alternative name  |  [Passthrough from API or CSR]  | 
|  Subject  |  [Passthrough from API or CSR]  | 
|  Basic constraints  |  Critical, `CA:TRUE`, `pathlen: 2`  | 
|  Subject key identifier  |  [Derived from CSR]  | 

### BlankRootCACertificate_PathLen3_APIPassthrough/V1 definition


For general information about blank root CA templates, see [BlankRootCACertificate_APIPassthrough/V1 definition](#BlankRootCACertificate_APIPassthrough).


**BlankRootCACertificate_PathLen3_APIPassthrough/V1**  

|  X509v3 Parameter  | Value | 
| --- | --- | 
|  Subject alternative name  |  [Passthrough from API or CSR]  | 
|  Subject  |  [Passthrough from API or CSR]  | 
|  Basic constraints  |  Critical, `CA:TRUE`, `pathlen: 3`  | 
|  Subject key identifier  |  [Derived from CSR]  | 

### SubordinateCACertificate\$1PathLen0/V1 definition


This template is used to issue subordinate CA certificates with a path length of `0`. CA certificates include a critical basic constraints extension with the CA field set to `TRUE` to designate that the certificate can be used to issue CA certificates. Extended key usage is not included, which prevents the CA certificate from being used as a TLS client or server certificate.

For more information about certification paths, see [Setting Length Constraints on the Certification Path](https://docs.amazonaws.cn/privateca/latest/userguide/ca-hierarchy.html#length-constraints).


**SubordinateCACertificate\$1PathLen0/V1**  

|  X509v3 Parameter  |  Value  | 
| --- | --- | 
|  Subject alternative name  |  [Passthrough from CSR]  | 
|  Subject  |  [Passthrough from CSR]  | 
|  Basic constraints  |  Critical, `CA:TRUE`, `pathlen: 0`  | 
|  Authority key identifier  |  [SKI from CA Certificate]  | 
|  Subject key identifier  |  [Derived from CSR]  | 
|  Key usage  |  Critical, digital signature, `keyCertSign`, CRL sign  | 
|  CRL distribution points\*  |  [Passthrough from CA configuration]  | 

\*CRL distribution points are included in certificates that are issued with this template only if the CA is configured with CRL generation enabled.
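Every row in the SubordinateCACertificate_PathLen0/V1 table is an observable property of the issued certificate, so a reviewer can confirm a received subordinate CA certificate against the template before trusting it. The following Go program is an added example and not Amazon Private CA code: it issues a constructed sub CA with Go's standard crypto/x509 package using the same extension set, then reports every departure from the template; the `pathLen` parameter generalizes the check to the PathLen1, PathLen2 and PathLen3 variants defined below. The function names and certificate subjects are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// SubCATemplate mirrors the SubordinateCACertificate_PathLenN/V1 rows: critical CA:TRUE with pathlen N, critical key usage, no EKU.
func SubCATemplate(cn string, pathLen int) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(365 * 24 * time.Hour),
		BasicConstraintsValid: true, IsCA: true, MaxPathLen: pathLen, MaxPathLenZero: pathLen == 0,
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

// CheckSubCATemplate lists every way c departs from the PathLenN template; an empty result means it conforms.
func CheckSubCATemplate(c, issuer *x509.Certificate, pathLen int) []string {
	crit := map[string]bool{} // OID -> critical flag; the parsed struct fields do not expose criticality
	for _, e := range c.Extensions {
		crit[e.Id.String()] = e.Critical
	}
	var bad []string
	if !c.BasicConstraintsValid || !c.IsCA || !crit["2.5.29.19"] || c.MaxPathLen != pathLen || (pathLen == 0 && !c.MaxPathLenZero) {
		bad = append(bad, "basic constraints: need critical CA:TRUE with the template's pathlen")
	}
	ku := x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	if c.KeyUsage&ku != ku || !crit["2.5.29.15"] || len(c.ExtKeyUsage)+len(c.UnknownExtKeyUsage) != 0 {
		bad = append(bad, "key usage: need critical digitalSignature, keyCertSign, cRLSign and no extended key usage")
	}
	if len(c.SubjectKeyId) == 0 || string(c.AuthorityKeyId) != string(issuer.SubjectKeyId) {
		bad = append(bad, "identifiers: SKI missing or AKI does not match the issuer's SKI")
	}
	return bad
}

// IssueDemo signs a constructed sub CA under a constructed root; Go derives the SKI from the public key and copies the issuer's SKI into the AKI.
func IssueDemo(pathLen int) []string {
	rootKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	subKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	rootT := SubCATemplate("constructed root", pathLen+1)
	rootDER, _ := x509.CreateCertificate(rand.Reader, rootT, rootT, &rootKey.PublicKey, rootKey)
	root, _ := x509.ParseCertificate(rootDER) // constructed inputs, so errors are not expected here
	subDER, _ := x509.CreateCertificate(rand.Reader, SubCATemplate("constructed sub CA", pathLen), root, &subKey.PublicKey, rootKey)
	sub, _ := x509.ParseCertificate(subDER)
	return CheckSubCATemplate(sub, root, pathLen)
}
func main() { fmt.Println(IssueDemo(0)) }
```

To review a real issuance, parse the issued certificate and the CA certificate with `x509.ParseCertificate` and pass them to `CheckSubCATemplate` with the path length the template specifies.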

### SubordinateCACertificate\_PathLen0\_APICSRPassthrough/V1 definition


This template extends SubordinateCACertificate\_PathLen0/V1 to support API and CSR passthrough values.


**SubordinateCACertificate\_PathLen0\_APICSRPassthrough/V1**  

|  X509v3 Parameter  | Value | 
| --- | --- | 
|  Subject alternative name  |  [Passthrough from API or CSR]  | 
|  Subject  |  [Passthrough from API or CSR]  | 
|  Basic constraints  |  Critical, `CA:TRUE`, `pathlen: 0`  | 
|  Authority key identifier  |  [SKI from CA Certificate]  | 
|  Subject key identifier  |  [Derived from CSR]  | 
|  Key usage  |  Critical, digital signature, `keyCertSign`, CRL sign  | 
|  CRL distribution points\*  |  [Passthrough from CA configuration or CSR]  | 

\*CRL distribution points are included in certificates issued with this template only if the CA is configured with CRL generation enabled.

### SubordinateCACertificate\_PathLen0\_APIPassthrough/V1 definition


This template extends SubordinateCACertificate\_PathLen0/V1 to support API passthrough values.


**SubordinateCACertificate\_PathLen0\_APIPassthrough/V1**  

|  X509v3 Parameter  | Value | 
| --- | --- | 
|  Subject alternative name  |  [Passthrough from API or CSR]  | 
|  Subject  |  [Passthrough from API or CSR]  | 
|  Basic constraints  |  Critical, `CA:TRUE`, `pathlen: 0`  | 
|  Authority key identifier  |  [SKI from CA Certificate]  | 
|  Subject key identifier  |  [Derived from CSR]  | 
|  Key usage  |  Critical, digital signature, `keyCertSign`, CRL sign  | 
|  CRL distribution points\*  |  [Passthrough from CA configuration]  | 

\*CRL distribution points are included in certificates issued with this template only if the CA is configured with CRL generation enabled.

### SubordinateCACertificate\_PathLen0\_CSRPassthrough/V1 definition


This template is identical to the `SubordinateCACertificate_PathLen0` template with one difference: In this template, Amazon Private CA passes additional extensions from the certificate signing request (CSR) into the certificate if the extensions are not specified in the template. Extensions specified in the template always override extensions in the CSR.

**Note**  
A CSR that contains custom additional extensions must be created outside of Amazon Private CA.


**SubordinateCACertificate\_PathLen0\_CSRPassthrough/V1**  

|  X509v3 Parameter  |  Value  | 
| --- | --- | 
|  Subject alternative name  |  [Passthrough from CSR]  | 
|  Subject  |  [Passthrough from CSR]  | 
|  Basic constraints  |  Critical, `CA:TRUE`, `pathlen: 0`  | 
|  Authority key identifier  |  [SKI from CA Certificate]  | 
|  Subject key identifier  |  [Derived from CSR]  | 
|  Key usage  |  Critical, digital signature, `keyCertSign`, CRL sign  | 
|  CRL distribution points\*  |  [Passthrough from CA configuration or CSR]  | 

\*CRL distribution points are included in certificates issued with this template only if the CA is configured with CRL generation enabled.

### SubordinateCACertificate\_PathLen1/V1 definition


This template is used to issue subordinate CA certificates with a path length of `1`. CA certificates include a critical Basic constraints extension with the CA field set to `TRUE` to designate that the certificate can be used to issue CA certificates. Extended key usage is not included, which prevents the CA certificate from being used as a TLS client or server certificate.

For more information about certification paths, see [Setting Length Constraints on the Certification Path](https://docs.amazonaws.cn/privateca/latest/userguide/ca-hierarchy.html#length-constraints).


**SubordinateCACertificate\_PathLen1/V1**  

|  X509v3 Parameter  |  Value  | 
| --- | --- | 
|  Subject alternative name  |  [Passthrough from CSR]  | 
|  Subject  |  [Passthrough from CSR]  | 
|  Basic constraints  |  Critical, `CA:TRUE`, `pathlen: 1`  | 
|  Authority key identifier  |  [SKI from CA Certificate]  | 
|  Subject key identifier  |  [Derived from CSR]  | 
|  Key usage  |  Critical, digital signature, `keyCertSign`, CRL sign  | 
|  CRL distribution points\*  |  [Passthrough from CA configuration]  | 

\*CRL distribution points are included in certificates issued with this template only if the CA is configured with CRL generation enabled.

### SubordinateCACertificate\_PathLen1\_APICSRPassthrough/V1 definition


This template extends SubordinateCACertificate\_PathLen1/V1 to support API and CSR passthrough values.


**SubordinateCACertificate\_PathLen1\_APICSRPassthrough/V1**  

|  X509v3 Parameter  | Value | 
| --- | --- | 
|  Subject alternative name  |  [Passthrough from API or CSR]  | 
|  Subject  |  [Passthrough from API or CSR]  | 
|  Basic constraints  |  Critical, `CA:TRUE`, `pathlen: 1`  | 
|  Authority key identifier  |  [SKI from CA Certificate]  | 
|  Subject key identifier  |  [Derived from CSR]  | 
|  Key usage  |  Critical, digital signature, `keyCertSign`, CRL sign  | 
|  CRL distribution points\*  |  [Passthrough from CA configuration or CSR]  | 

\*CRL distribution points are included in certificates issued with this template only if the CA is configured with CRL generation enabled.

### SubordinateCACertificate\_PathLen1\_APIPassthrough/V1 definition


This template extends SubordinateCACertificate\_PathLen1/V1 to support API passthrough values.


**SubordinateCACertificate\_PathLen1\_APIPassthrough/V1**  

|  X509v3 Parameter  | Value | 
| --- | --- | 
|  Subject alternative name  |  [Passthrough from API or CSR]  | 
|  Subject  |  [Passthrough from API or CSR]  | 
|  Basic constraints  |  Critical, `CA:TRUE`, `pathlen: 1`  | 
|  Authority key identifier  |  [SKI from CA Certificate]  | 
|  Subject key identifier  |  [Derived from CSR]  | 
|  Key usage  |  Critical, digital signature, `keyCertSign`, CRL sign  | 
|  CRL distribution points\*  |  [Passthrough from CA configuration]  | 

\*CRL distribution points are included in certificates issued with this template only if the CA is configured with CRL generation enabled.

### SubordinateCACertificate\_PathLen1\_CSRPassthrough/V1 definition


This template is identical to the `SubordinateCACertificate_PathLen1` template with one difference: In this template, Amazon Private CA passes additional extensions from the certificate signing request (CSR) into the certificate if the extensions are not specified in the template. Extensions specified in the template always override extensions in the CSR.

**Note**  
A CSR that contains custom additional extensions must be created outside of Amazon Private CA.


**SubordinateCACertificate\_PathLen1\_CSRPassthrough/V1**  

|  X509v3 Parameter  |  Value  | 
| --- | --- | 
|  Subject alternative name  |  [Passthrough from CSR]  | 
|  Subject  |  [Passthrough from CSR]  | 
|  Basic constraints  |  Critical, `CA:TRUE`, `pathlen: 1`  | 
|  Authority key identifier  |  [SKI from CA Certificate]  | 
|  Subject key identifier  |  [Derived from CSR]  | 
|  Key usage  |  Critical, digital signature, `keyCertSign`, CRL sign  | 
|  CRL distribution points\*  |  [Passthrough from CA configuration or CSR]  | 

\*CRL distribution points are included in certificates issued with this template only if the CA is configured with CRL generation enabled.

### SubordinateCACertificate\_PathLen2/V1 definition


This template is used to issue subordinate CA certificates with a path length of `2`. CA certificates include a critical Basic constraints extension with the CA field set to `TRUE` to designate that the certificate can be used to issue CA certificates. Extended key usage is not included, which prevents the CA certificate from being used as a TLS client or server certificate.

For more information about certification paths, see [Setting Length Constraints on the Certification Path](https://docs.amazonaws.cn/privateca/latest/userguide/ca-hierarchy.html#length-constraints).


**SubordinateCACertificate\_PathLen2/V1**  

|  X509v3 Parameter  |  Value  | 
| --- | --- | 
|  Subject alternative name  |  [Passthrough from CSR]  | 
|  Subject  |  [Passthrough from CSR]  | 
|  Basic constraints  |  Critical, `CA:TRUE`, `pathlen: 2`  | 
|  Authority key identifier  |  [SKI from CA Certificate]  | 
|  Subject key identifier  |  [Derived from CSR]  | 
|  Key usage  |  Critical, digital signature, `keyCertSign`, CRL sign  | 
|  CRL distribution points\*  |  [Passthrough from CA configuration]  | 

\*CRL distribution points are included in certificates issued with this template only if the CA is configured with CRL generation enabled.

### SubordinateCACertificate\_PathLen2\_APICSRPassthrough/V1 definition


This template extends SubordinateCACertificate\_PathLen2/V1 to support API and CSR passthrough values.


**SubordinateCACertificate\_PathLen2\_APICSRPassthrough/V1**  

|  X509v3 Parameter  | Value | 
| --- | --- | 
|  Subject alternative name  |  [Passthrough from API or CSR]  | 
|  Subject  |  [Passthrough from API or CSR]  | 
|  Basic constraints  |  Critical, `CA:TRUE`, `pathlen: 2`  | 
|  Authority key identifier  |  [SKI from CA Certificate]  | 
|  Subject key identifier  |  [Derived from CSR]  | 
|  Key usage  |  Critical, digital signature, `keyCertSign`, CRL sign  | 
|  CRL distribution points\*  |  [Passthrough from CA configuration or CSR]  | 

\*CRL distribution points are included in certificates issued with this template only if the CA is configured with CRL generation enabled.

### SubordinateCACertificate\_PathLen2\_APIPassthrough/V1 definition


This template extends SubordinateCACertificate\_PathLen2/V1 to support API passthrough values.


**SubordinateCACertificate\_PathLen2\_APIPassthrough/V1**  

|  X509v3 Parameter  | Value | 
| --- | --- | 
|  Subject alternative name  |  [Passthrough from API or CSR]  | 
|  Subject  |  [Passthrough from API or CSR]  | 
|  Basic constraints  |  Critical, `CA:TRUE`, `pathlen: 2`  | 
|  Authority key identifier  |  [SKI from CA Certificate]  | 
|  Subject key identifier  |  [Derived from CSR]  | 
|  Key usage  |  Critical, digital signature, `keyCertSign`, CRL sign  | 
|  CRL distribution points\*  |  [Passthrough from CA configuration]  | 

\*CRL distribution points are included in certificates issued with this template only if the CA is configured with CRL generation enabled.

### SubordinateCACertificate\_PathLen2\_CSRPassthrough/V1 definition


This template is identical to the `SubordinateCACertificate_PathLen2` template with one difference: In this template, Amazon Private CA passes additional extensions from the certificate signing request (CSR) into the certificate if the extensions are not specified in the template. Extensions specified in the template always override extensions in the CSR.

**Note**  
A CSR that contains custom additional extensions must be created outside of Amazon Private CA.


**SubordinateCACertificate\_PathLen2\_CSRPassthrough/V1**  

|  X509v3 Parameter  |  Value  | 
| --- | --- | 
|  Subject alternative name  |  [Passthrough from CSR]  | 
|  Subject  |  [Passthrough from CSR]  | 
|  Basic constraints  |  Critical, `CA:TRUE`, `pathlen: 2`  | 
|  Authority key identifier  |  [SKI from CA Certificate]  | 
|  Subject key identifier  |  [Derived from CSR]  | 
|  Key usage  |  Critical, digital signature, `keyCertSign`, CRL sign  | 
|  CRL distribution points\*  |  [Passthrough from CA configuration or CSR]  | 

\*CRL distribution points are included in certificates issued with this template only if the CA is configured with CRL generation enabled.

### SubordinateCACertificate\_PathLen3/V1 definition


This template is used to issue subordinate CA certificates with a path length of `3`. CA certificates include a critical Basic constraints extension with the CA field set to `TRUE` to designate that the certificate can be used to issue CA certificates. Extended key usage is not included, which prevents the CA certificate from being used as a TLS client or server certificate.

For more information about certification paths, see [Setting Length Constraints on the Certification Path](https://docs.amazonaws.cn/privateca/latest/userguide/ca-hierarchy.html#length-constraints).


**SubordinateCACertificate\_PathLen3/V1**  

|  X509v3 Parameter  |  Value  | 
| --- | --- | 
|  Subject alternative name  |  [Passthrough from CSR]  | 
|  Subject  |  [Passthrough from CSR]  | 
|  Basic constraints  |  Critical, `CA:TRUE`, `pathlen: 3`  | 
|  Authority key identifier  |  [SKI from CA Certificate]  | 
|  Subject key identifier  |  [Derived from CSR]  | 
|  Key usage  |  Critical, digital signature, `keyCertSign`, CRL sign  | 
|  CRL distribution points\*  |  [Passthrough from CA configuration]  | 

\*CRL distribution points are included in certificates issued with this template only if the CA is configured with CRL generation enabled.

### SubordinateCACertificate\_PathLen3\_APICSRPassthrough/V1 definition


This template extends SubordinateCACertificate\_PathLen3/V1 to support API and CSR passthrough values.


**SubordinateCACertificate\_PathLen3\_APICSRPassthrough/V1**  

|  X509v3 Parameter  | Value | 
| --- | --- | 
|  Subject alternative name  |  [Passthrough from API or CSR]  | 
|  Subject  |  [Passthrough from API or CSR]  | 
|  Basic constraints  |  Critical, `CA:TRUE`, `pathlen: 3`  | 
|  Authority key identifier  |  [SKI from CA Certificate]  | 
|  Subject key identifier  |  [Derived from CSR]  | 
|  Key usage  |  Critical, digital signature, `keyCertSign`, CRL sign  | 
|  CRL distribution points\*  |  [Passthrough from CA configuration or CSR]  | 

\*CRL distribution points are included in certificates issued with this template only if the CA is configured with CRL generation enabled.

### SubordinateCACertificate\_PathLen3\_APIPassthrough/V1 definition


This template extends SubordinateCACertificate\_PathLen3/V1 to support API passthrough values.


**SubordinateCACertificate\_PathLen3\_APIPassthrough/V1**  

|  X509v3 Parameter  | Value | 
| --- | --- | 
|  Subject alternative name  |  [Passthrough from API or CSR]  | 
|  Subject  |  [Passthrough from API or CSR]  | 
|  Basic constraints  |  Critical, `CA:TRUE`, `pathlen: 3`  | 
|  Authority key identifier  |  [SKI from CA Certificate]  | 
|  Subject key identifier  |  [Derived from CSR]  | 
|  Key usage  |  Critical, digital signature, `keyCertSign`, CRL sign  | 
|  CRL distribution points\*  |  [Passthrough from CA configuration]  | 

\*CRL distribution points are included in certificates issued with this template only if the CA is configured with CRL generation enabled.

### SubordinateCACertificate\_PathLen3\_CSRPassthrough/V1 definition


This template is identical to the `SubordinateCACertificate_PathLen3` template with one difference: In this template, Amazon Private CA passes additional extensions from the certificate signing request (CSR) into the certificate if the extensions are not specified in the template. Extensions specified in the template always override extensions in the CSR.

**Note**  
A CSR that contains custom additional extensions must be created outside of Amazon Private CA.


**SubordinateCACertificate\_PathLen3\_CSRPassthrough/V1**  

|  X509v3 Parameter  |  Value  | 
| --- | --- | 
|  Subject alternative name  |  [Passthrough from CSR]  | 
|  Subject  |  [Passthrough from CSR]  | 
|  Basic constraints  |  Critical, `CA:TRUE`, `pathlen: 3`  | 
|  Authority key identifier  |  [SKI from CA Certificate]  | 
|  Subject key identifier  |  [Derived from CSR]  | 
|  Key usage  |  Critical, digital signature, `keyCertSign`, CRL sign  | 
|  CRL distribution points\*  |  [Passthrough from CA configuration or CSR]  | 

\*CRL distribution points are included in certificates issued with this template only if the CA is configured with CRL generation enabled.