
What is Amazon Private CA?

Amazon Private CA enables creation of private certificate authority (CA) hierarchies, including root and subordinate CAs, without the investment and maintenance costs of operating an on-premises CA. Your private CAs can issue end-entity X.509 certificates useful in scenarios including:

  • Creating encrypted TLS communication channels

  • Authenticating users, computers, API endpoints, and IoT devices

  • Cryptographically signing code

  • Implementing Online Certificate Status Protocol (OCSP) for obtaining certificate revocation status

Amazon Private CA operations can be accessed from the Amazon Web Services Management Console, using the Amazon Private CA API, or using the Amazon CLI.

Regional availability for Amazon Private Certificate Authority

Like most Amazon resources, private certificate authorities (CAs) are Regional resources. To use private CAs in more than one Region, you must create your CAs in those Regions. You cannot copy private CAs between Regions. Visit Amazon Regions and Endpoints in the Amazon Web Services General Reference or the Amazon Region Table to see the Regional availability for Amazon Private CA.

Note

ACM is currently available in some Regions where Amazon Private CA is not.

Services integrated with Amazon Private Certificate Authority

If you use Amazon Certificate Manager to request a private certificate, you can associate that certificate with any service that is integrated with ACM. This applies both to certificates chained to an Amazon Private CA root and to certificates chained to an external root. For more information, see Integrated Services in the Amazon Certificate Manager User Guide.

You can also integrate private CAs into Amazon Elastic Kubernetes Service to provide certificate issuance inside a Kubernetes cluster. For more information, see Secure Kubernetes with Amazon Private CA.

Note

Amazon Elastic Kubernetes Service is not an ACM integrated service.

If you use the Amazon Private CA API or Amazon CLI to issue a certificate or to export a private certificate from ACM, you can install the certificate anywhere you want.

Supported cryptographic algorithms in Amazon Private Certificate Authority

Amazon Private CA supports the following cryptographic algorithms for private key generation and certificate signing.

Supported algorithms

Private key algorithms:

  • RSA_2048

  • RSA_4096

  • EC_prime256v1

  • EC_secp384r1

  • SM2 (China Regions only)

Signing algorithms:

  • SHA256WITHECDSA

  • SHA384WITHECDSA

  • SHA512WITHECDSA

  • SHA256WITHRSA

  • SHA384WITHRSA

  • SHA512WITHRSA

  • SM3WITHSM2

This list applies only to certificates issued directly by Amazon Private CA through its console, API, or command line. When Amazon Certificate Manager issues certificates using a CA from Amazon Private CA, it supports some but not all of these algorithms. For more information, see Request a Private Certificate in the Amazon Certificate Manager User Guide.

Note

In all cases, the specified signing algorithm family (RSA or ECDSA) must match the algorithm family of the CA's private key.

RFC 5280 compliance in Amazon Private Certificate Authority

Amazon Private CA does not enforce certain constraints defined in RFC 5280. Conversely, it enforces certain additional constraints that are appropriate to a private CA.

Enforced

  • Not After date. In conformity with RFC 5280, Amazon Private CA prevents the issuance of certificates bearing a Not After date later than the Not After date of the issuing CA's certificate.

  • Basic constraints. Amazon Private CA enforces basic constraints and path length in imported CA certificates.

    Basic constraints indicate whether or not the resource identified by the certificate is a CA and can issue certificates. CA certificates imported to Amazon Private CA must include the basic constraints extension, and the extension must be marked critical. In addition to the critical flag, CA=true must be set. Amazon Private CA enforces basic constraints by failing with a validation exception for the following reasons:

    • The extension is not included in the CA certificate.

    • The extension is not marked critical.

    Path length (pathLenConstraint) determines how many subordinate CAs may exist downstream from the imported CA certificate. Amazon Private CA enforces path length by failing with a validation exception for the following reasons:

    • Importing a CA certificate would violate the path length constraint in the CA certificate or in any CA certificate in the chain.

    • Issuing a certificate would violate a path length constraint.

  • Name constraints indicate a name space within which all subject names in subsequent certificates in a certification path must be located. Restrictions apply to the subject distinguished name and subject alternative names.
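As an added example, not code from AWS or this guide, the following Go function applies the Basic Constraints and path-length import rules listed above to a parsed CA certificate, so a certificate can be checked before import rather than learning the reason from a validation exception. The helper newTestCA builds a constructed self-signed P-256 certificate for the demonstration; both function names are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// checkImportable applies the Basic Constraints import rules above; subsBelow is the number of subordinate CAs planned beneath the certificate.
func checkImportable(cert *x509.Certificate, subsBelow int) error {
	critical := false
	for _, e := range cert.Extensions {
		critical = critical || (e.Id.String() == "2.5.29.19" && e.Critical) // id-ce-basicConstraints
	}
	if !cert.BasicConstraintsValid || !critical || !cert.IsCA {
		return fmt.Errorf("validation exception: Basic Constraints present=%t critical=%t CA=%t", cert.BasicConstraintsValid, critical, cert.IsCA)
	}
	if cert.MaxPathLen >= 0 && subsBelow > cert.MaxPathLen { // Go parses an absent pathLenConstraint as -1
		return fmt.Errorf("validation exception: %d subordinate CA(s) exceed pathLenConstraint %d", subsBelow, cert.MaxPathLen)
	}
	return nil
}

// newTestCA builds a constructed self-signed P-256 CA for the demo; withBC=false omits Basic Constraints, pathLen<0 leaves pathLenConstraint unset.
func newTestCA(withBC bool, pathLen int) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "constructed-root"},
		NotBefore:             time.Now(),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: withBC,
		IsCA:                  withBC,
		MaxPathLen:            pathLen,
		MaxPathLenZero:        pathLen == 0,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key) // Go marks Basic Constraints critical
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

A pathLenConstraint of 0 is encoded only when MaxPathLenZero is set, which is why the helper sets it explicitly; a parsed certificate reports an absent constraint as MaxPathLen -1.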

Not enforced

  • Certificate policies. Certificate policies regulate the conditions under which a CA issues certificates.

  • Inhibit anyPolicy. Used in certificates issued to CAs.

  • Issuer Alternative Name. Allows additional identities to be associated with the issuer of the CA certificate.

  • Policy Constraints. These constraints limit a CA's capacity to issue subordinate CA certificates.

  • Policy Mappings. Used in CA certificates. Lists one or more pairs of OIDs; each pair includes an issuerDomainPolicy and a subjectDomainPolicy.

  • Subject Directory Attributes. Used to convey identification attributes of the subject.

  • Subject Information Access. How to access information and services for the subject of the certificate in which the extension appears.

  • Subject Key Identifier (SKI) and Authority Key Identifier (AKI). The RFC requires a CA certificate to contain the SKI extension. Certificates issued by the CA must contain an AKI extension matching the CA certificate's SKI. Amazon does not enforce these requirements. If your CA certificate does not contain an SKI, the AKI of the issued end-entity or subordinate CA certificate will instead be the SHA-1 hash of the issuer public key.

  • SubjectPublicKeyInfo and Subject Alternative Name (SAN). When issuing a certificate, Amazon Private CA copies the SubjectPublicKeyInfo and SAN extensions from the provided CSR without performing validation.

Pricing for Amazon Private Certificate Authority

Your account is charged a monthly price for each private CA starting from the time that you create it. You are also charged for each certificate that you issue. This charge includes certificates that you export from ACM and certificates that you create from the Amazon Private CA API or Amazon Private CA CLI. You are not charged for a private CA after it has been deleted. However, if you restore a private CA, you are charged for the time between deletion and restoration. Private certificates whose private key you cannot access are free. These include certificates that are used with Integrated Services such as Elastic Load Balancing, CloudFront, and API Gateway.

For the latest Amazon Private CA pricing information, see Amazon Private Certificate Authority Pricing. You can also use the Amazon pricing calculator to estimate costs.