Use Amazon Private CA certificate templates
Amazon Private CA uses configuration templates to issue both CA certificates and end-entity certificates. When you issue a CA certificate from the PCA console, the appropriate root or subordinate CA certificate template is applied automatically.
If you use the CLI or API to issue a certificate, you can supply a template ARN as a
parameter to the IssueCertificate
action. If you provide no ARN, then the
EndEntityCertificate/V1
template is applied by default. For more
information, see the IssueCertificate API and issue-certificate command documentation.
Note
Amazon Certificate Manager (ACM) users with cross-account shared access to a private CA can issue managed certificates that are signed by the CA. Cross-account issuers are constrained by a resource-based policy and have access only to the following end-entity certificate templates:
For more information, see Resource-based policies.