What is Amazon Private CA?
Amazon Private CA enables creation of private certificate authority (CA) hierarchies, including root and subordinate CAs, without the investment and maintenance costs of operating an on-premises CA. Your private CAs can issue end-entity X.509 certificates useful in scenarios including:
- Creating encrypted TLS communication channels
- Authenticating users, computers, API endpoints, and IoT devices
- Cryptographically signing code
- Implementing Online Certificate Status Protocol (OCSP) for obtaining certificate revocation status
Amazon Private CA operations can be accessed from the Amazon Web Services Management Console, using the Amazon Private CA API, or using the Amazon CLI.
Topics
- Regional availability for Amazon Private Certificate Authority
- Services integrated with Amazon Private Certificate Authority
- Supported cryptographic algorithms in Amazon Private Certificate Authority
- RFC 5280 compliance in Amazon Private Certificate Authority
- Pricing for Amazon Private Certificate Authority
- Terms and concepts for Amazon Private CA
Regional availability for Amazon Private Certificate Authority
Like most Amazon resources, private certificate authorities (CAs) are Regional resources. To use private CAs in more than one Region, you must create your CAs in those Regions. You cannot copy private CAs between Regions. Visit Amazon Regions and Endpoints in the Amazon Web Services General Reference or the Amazon Region Table.
Note
ACM is currently available in some Regions that Amazon Private CA is not.
Services integrated with Amazon Private Certificate Authority
If you use Amazon Certificate Manager to request a private certificate, you can associate that certificate with any service that is integrated with ACM. This applies both to certificates chained to an Amazon Private CA root and to certificates chained to an external root. For more information, see Integrated Services in the Amazon Certificate Manager User Guide.
You can also integrate private CAs into Amazon Elastic Kubernetes Service to provide certificate issuance inside a Kubernetes cluster. For more information, see Secure Kubernetes with Amazon Private CA.
Note
Amazon Elastic Kubernetes Service is not an ACM integrated service.
If you use the Amazon Private CA API or Amazon CLI to issue a certificate or to export a private certificate from ACM, you can install the certificate anywhere you want.
Supported cryptographic algorithms in Amazon Private Certificate Authority
Amazon Private CA supports the following cryptographic algorithms for private key generation and certificate signing.
| Private key algorithms | Signing algorithms |
|---|---|
| RSA_2048, RSA_4096, EC_prime256v1, EC_secp384r1, SM2 (China Regions only) | SHA256WITHECDSA, SHA384WITHECDSA, SHA512WITHECDSA, SHA256WITHRSA, SHA384WITHRSA, SHA512WITHRSA, SM3WITHSM2 |
This list applies only to certificates issued directly by Amazon Private CA through its console, API, or command line. When Amazon Certificate Manager issues certificates using a CA from Amazon Private CA, it supports some but not all of these algorithms. For more information, see Request a Private Certificate in the Amazon Certificate Manager User Guide.
Note
In all cases, the specified signing algorithm family (RSA or ECDSA) must match the algorithm family of the CA's private key.
RFC 5280 compliance in Amazon Private Certificate Authority
Amazon Private CA does not enforce certain constraints defined in RFC 5280.
Enforced
- Not After date. In conformity with RFC 5280, Amazon Private CA prevents the issuance of certificates bearing a Not After date later than the Not After date of the issuing CA's certificate.
- Basic constraints. Amazon Private CA enforces basic constraints and path length in imported CA certificates. Basic constraints indicate whether or not the resource identified by the certificate is a CA and can issue certificates. CA certificates imported to Amazon Private CA must include the basic constraints extension, and the extension must be marked critical. In addition to the critical flag, CA=true must be set. Amazon Private CA enforces basic constraints by failing with a validation exception for the following reasons:
  - The extension is not included in the CA certificate.
  - The extension is not marked critical.
  Path length (pathLenConstraint) determines how many subordinate CAs may exist downstream from the imported CA certificate. Amazon Private CA enforces path length by failing with a validation exception for the following reasons:
  - Importing a CA certificate would violate the path length constraint in the CA certificate or in any CA certificate in the chain.
  - Issuing a certificate would violate a path length constraint.
- Name constraints indicate a name space within which all subject names in subsequent certificates in a certification path must be located. Restrictions apply to the subject distinguished name and subject alternative names.
Not enforced
- Certificate policies. Certificate policies regulate the conditions under which a CA issues certificates.
- Inhibit anyPolicy. Used in certificates issued to CAs.
- Issuer Alternative Name. Allows additional identities to be associated with the issuer of the CA certificate.
- Policy Constraints. These constraints limit a CA's capacity to issue subordinate CA certificates.
- Policy Mappings. Used in CA certificates. Lists one or more pairs of OIDs; each pair includes an issuerDomainPolicy and a subjectDomainPolicy.
- Subject Directory Attributes. Used to convey identification attributes of the subject.
- Subject Information Access. How to access information and services for the subject of the certificate in which the extension appears.
- Subject Key Identifier (SKI) and Authority Key Identifier (AKI). The RFC requires a CA certificate to contain the SKI extension. Certificates issued by the CA must contain an AKI extension matching the CA certificate's SKI. Amazon does not enforce these requirements. If your CA certificate does not contain an SKI, the AKI of the issued end-entity or subordinate CA certificate will be the SHA-1 hash of the issuer public key instead.
- SubjectPublicKeyInfo and Subject Alternative Name (SAN). When issuing a certificate, Amazon Private CA copies the SubjectPublicKeyInfo and SAN extensions from the provided CSR without performing validation.
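The enforced rules listed above (basic constraints present, critical and CA=true; Not After bounded by the issuer's Not After; path length), the two SKI/AKI requirements that RFC 5280 imposes but Private CA does not check, and the key-family rule from the supported algorithms section can all be verified on a CA certificate before it is submitted for import. The following Go program is an added example written for this page, not Amazon code: it uses only the standard library's crypto/x509 package, builds constructed P-256 test certificates in newCA (they are not Private CA certificates), and the Finding type, the check names and the helper names are this example's own assumptions about how such a pre-import review might be organized.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Finding is one pre-import check. Enforced=true mirrors the "Enforced" list (Private CA fails
// with a validation exception); Enforced=false marks an RFC 5280 rule Private CA does not check.
type Finding struct {
	Check    string
	Enforced bool
	OK       bool
}

var oidBasicConstraints = []int{2, 5, 29, 19}

// basicConstraintsCritical is true only when basicConstraints is present and flagged critical.
func basicConstraintsCritical(c *x509.Certificate) bool {
	for _, e := range c.Extensions {
		if e.Id.Equal(oidBasicConstraints) {
			return e.Critical
		}
	}
	return false
}

// pathLenLimit folds Go's MaxPathLen/MaxPathLenZero pair into one value:
// -1 means no pathLenConstraint, 0 means no subordinate CA may follow.
func pathLenLimit(c *x509.Certificate) int {
	if c.MaxPathLen > 0 || c.MaxPathLenZero {
		return c.MaxPathLen
	}
	return -1
}

// CheckCAForImport applies the documented checks to a CA certificate about to
// be imported; issuer is nil for a self-signed root.
func CheckCAForImport(ca, issuer *x509.Certificate) []Finding {
	f := []Finding{
		{"basicConstraints extension present", true, ca.BasicConstraintsValid},
		{"basicConstraints marked critical", true, basicConstraintsCritical(ca)},
		{"CA=true", true, ca.IsCA},
		{"Subject Key Identifier present", false, len(ca.SubjectKeyId) > 0},
	}
	if issuer != nil {
		f = append(f,
			Finding{"Not After not later than issuer's Not After", true, !ca.NotAfter.After(issuer.NotAfter)},
			Finding{"issuer pathLenConstraint allows another CA level", true, pathLenLimit(issuer) != 0},
			Finding{"AKI matches issuer SKI", false, bytes.Equal(ca.AuthorityKeyId, issuer.SubjectKeyId)},
		)
	}
	return f
}

// EnforcedFailures returns the checks Private CA itself would reject.
func EnforcedFailures(findings []Finding) []string {
	var out []string
	for _, f := range findings {
		if f.Enforced && !f.OK {
			out = append(out, f.Check)
		}
	}
	return out
}

// SigningAlgorithmMatchesKey implements the note in the algorithms section:
// the requested signing algorithm family must match the CA key's family.
func SigningAlgorithmMatchesKey(pub crypto.PublicKey, alg x509.SignatureAlgorithm) bool {
	switch pub.(type) {
	case *rsa.PublicKey:
		return alg == x509.SHA256WithRSA || alg == x509.SHA384WithRSA || alg == x509.SHA512WithRSA
	case *ecdsa.PublicKey:
		return alg == x509.ECDSAWithSHA256 || alg == x509.ECDSAWithSHA384 || alg == x509.ECDSAWithSHA512
	}
	return false
}

// newCA builds a constructed P-256 CA certificate for the demonstration (not a
// Private CA certificate); parent == nil yields a self-signed root.
func newCA(cn string, pathLen int, notAfter time.Time, parent *x509.Certificate, parentKey crypto.Signer) (*x509.Certificate, crypto.Signer) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { panic(err) }
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: notAfter, IsCA: true, BasicConstraintsValid: true,
		MaxPathLen: pathLen, MaxPathLenZero: pathLen == 0, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	if parent == nil { parent, parentKey = tmpl, key } // self-signed root
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, key.Public(), parentKey)
	if err != nil { panic(err) }
	cert, err := x509.ParseCertificate(der)
	if err != nil { panic(err) }
	return cert, key
}
```

Go's CreateCertificate marks basicConstraints critical and fills in SKI and AKI for CA templates, so a subordinate built with newCA passes every finding; a subordinate whose Not After exceeds its issuer's, or one placed beneath a CA with pathLenConstraint 0, produces exactly one enforced failure. The two SKI/AKI findings are deliberately advisory, matching the "Not enforced" list: Private CA will accept such a certificate, but downstream chain building may then fall back to the SHA-1 key-hash AKI described above.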
Pricing for Amazon Private Certificate Authority
Your account is charged a monthly price for each private CA starting from the time that you create it. You are also charged for each certificate that you issue. This charge includes certificates that you export from ACM and certificates that you create from the Amazon Private CA API or Amazon Private CA CLI. You are not charged for a private CA after it has been deleted. However, if you restore a private CA, you are charged for the time between deletion and restoration. Private certificates whose private key you cannot access are free. These include certificates that are used with Integrated Services such as Elastic Load Balancing, CloudFront, and API Gateway.
For the latest Amazon Private CA pricing information, see Amazon Private Certificate Authority Pricing.