Create a private CA in Amazon Private CA
You can use the procedures in this section to create either root CAs or subordinate CAs, resulting in an auditable hierarchy of trust relationships that matches your organizational needs. You can create a CA using the Amazon Web Services Management Console, the PCA portion of the Amazon CLI, or Amazon CloudFormation.
For information about updating the configuration of a CA that you have already created, see Update a private CA in Amazon Private Certificate Authority.
For information about using a CA to sign end-entity certificates for your users, devices, and applications, see Issue private end-entity certificates.
Note
Your account is charged a monthly price for each private CA starting from the time that you create it.
For the latest Amazon Private CA pricing information, see Amazon Private Certificate Authority Pricing
CLI examples for creating a private CA
The following examples assume that you have set up your .aws
configuration directory with a valid default Region, endpoint, and credentials. For
information about configuring your Amazon CLI environment, see Configuration and credential file
settings. For readability, we supply the CA configuration and revocation
input as JSON files in the example commands. Modify the example files as needed for
your use.
All of the examples use the following ca_config.txt
configuration
file unless otherwise stated.
File: ca_config.txt
{ "KeyAlgorithm":"RSA_2048", "SigningAlgorithm":"SHA256WITHRSA", "Subject":{ "Country":"
US
", "Organization":"Example Corp
", "OrganizationalUnit":"Sales
", "State":"WA
", "Locality":"Seattle
", "CommonName":"www.example.com
" } }
Example 1: Create a CA with OCSP enabled
In this example, the revocation file enables default OCSP support, which uses the Amazon Private CA responder to check certificate status.
File: revoke_config.txt for OCSP
{ "OcspConfiguration":{ "Enabled":true } }
Command
$
aws acm-pca create-certificate-authority \ --certificate-authority-configuration file://
ca_config.txt
\ --revocation-configuration file://revoke_config.txt
\ --certificate-authority-type "ROOT" \ --idempotency-token01234567
\ --tags Key=Name
,Value=MyPCA
If successful, this command outputs the Amazon Resource Name (ARN) of the new CA.
{
"CertificateAuthorityArn":"arn:aws:acm-pca:region
:account
:
certificate-authority/CA_ID
"
}
Command
$
aws acm-pca create-certificate-authority \ --certificate-authority-configuration file://
ca_config.txt
\ --revocation-configuration file://revoke_config.txt
\ --certificate-authority-type "ROOT" \ --idempotency-token01234567
\ --tags Key=Name
,Value=MyPCA-2
If successful, this command outputs the Amazon Resource Name (ARN) of the CA.
{
"CertificateAuthorityArn":"arn:aws
:acm-pca:us-east-1
:111122223333
:certificate-authority/11223344-1234-1122-2233-112233445566
"
}
Use the following command to inspect the configuration of your CA.
$
aws acm-pca describe-certificate-authority \ --certificate-authority-arn "arn:
aws
:acm-pca:us-east-1
:111122223333
:certificate-authority/11223344-1234-1122-2233-112233445566
" \ --output json
This description should contain the following section.
"RevocationConfiguration": {
...
"OcspConfiguration": {
"Enabled": true
}
...
}
Example 2: Create a CA with OCSP and a custom CNAME enabled
In this example, the revocation file enables customized OCSP support. The
OcspCustomCname
parameter takes a fully qualified domain name
(FQDN) as its value.
When you provide an FQDN in this field, Amazon Private CA inserts the FQDN into the Authority Information Access extension of each issued certificate in place of the default URL for the Amazon OCSP responder. When an endpoint receives a certificate containing the custom FQDN, it queries that address for an OCSP response. For this mechanism to work, you need to take two additional actions:
-
Use a proxy server to forward traffic that arrives at your custom FQDN to the Amazon OCSP responder.
-
Add a corresponding CNAME record to your DNS database.
Tip
For more information about implementing a complete OCSP solution using a custom CNAME, see Customize OCSP URL for Amazon Private CA.
For example, here is a CNAME record for customized OCSP as it would appear in Amazon Route 53.
Record name | Type | Routing policy | Differentiator | Value/Route traffic to |
---|---|---|---|---|
alternative.example.com |
CNAME | Simple | - | proxy.example.com |
Note
The value of the CNAME must not include a protocol prefix such as "http://" or "https://".
File: revoke_config.txt for OCSP
{ "OcspConfiguration":{ "Enabled":true, "OcspCustomCname":"
alternative.example.com
" } }
Command
$
aws acm-pca create-certificate-authority \ --certificate-authority-configuration file://
ca_config.txt
\ --revocation-configuration file://revoke_config.txt
\ --certificate-authority-type "ROOT" \ --idempotency-token01234567
\ --tags Key=Name
,Value=MyPCA-3
If successful, this command outputs the Amazon Resource Name (ARN) of the CA.
{
"CertificateAuthorityArn":"arn:aws
:acm-pca:us-east-1
:111122223333
:certificate-authority/11223344-1234-1122-2233-112233445566
"
}
Use the following command to inspect the configuration of your CA.
$
aws acm-pca describe-certificate-authority \ --certificate-authority-arn "arn:
aws
:acm-pca:us-east-1
:111122223333
:certificate-authority/11223344-1234-1122-2233-112233445566
" \ --output json
This description should contain the following section.
"RevocationConfiguration": {
...
"OcspConfiguration": {
"Enabled": true,
"OcspCustomCname": "alternative.example.com
"
}
...
}
Example 3: Create a CA with an attached CRL
In this example, the revocation configuration defines CRL parameters.
File: revoke_config.txt
{ "CrlConfiguration":{ "Enabled":true, "ExpirationInDays":
7
, "S3BucketName":"amzn-s3-demo-bucket
" } }
Command
$
aws acm-pca create-certificate-authority \ --certificate-authority-configuration file://
ca_config.txt
\ --revocation-configuration file://revoke_config.txt
\ --certificate-authority-type "ROOT" \ --idempotency-token01234567
\ --tags Key=Name
,Value=MyPCA-1
If successful, this command outputs the Amazon Resource Name (ARN) of the CA.
{
"CertificateAuthorityArn":"arn:aws
:acm-pca:us-east-1
:111122223333
:certificate-authority/11223344-1234-1122-2233-112233445566
"
}
Use the following command to inspect the configuration of your CA.
$
aws acm-pca describe-certificate-authority \ --certificate-authority-arn "arn:
aws
:acm-pca:us-east-1
:111122223333
:certificate-authority/11223344-1234-1122-2233-112233445566
" \ --output json
This description should contain the following section.
"RevocationConfiguration": {
...
"CrlConfiguration": {
"Enabled": true,
"ExpirationInDays": 7,
"S3BucketName": "amzn-s3-demo-bucket
"
},
...
}
Example 4: Create a CA with an attached CRL and a custom CNAME enabled
In this example, the revocation configuration defines CRL parameters that include a custom CNAME.
File: revoke_config.txt
{ "CrlConfiguration":{ "Enabled":true, "ExpirationInDays":
7
, "CustomCname": "alternative.example.com
", "S3BucketName":"amzn-s3-demo-bucket
" } }
Command
$
aws acm-pca create-certificate-authority \ --certificate-authority-configuration file://
ca_config.txt
\ --revocation-configuration file://revoke_config.txt
\ --certificate-authority-type "ROOT" \ --idempotency-token01234567
\ --tags Key=Name
,Value=MyPCA-1
If successful, this command outputs the Amazon Resource Name (ARN) of the CA.
{
"CertificateAuthorityArn":"arn:aws
:acm-pca:us-east-1
:111122223333
:certificate-authority/11223344-1234-1122-2233-112233445566
"
}
Use the following command to inspect the configuration of your CA.
$
aws acm-pca describe-certificate-authority \ --certificate-authority-arn "arn:
aws
:acm-pca:us-east-1
:111122223333
:certificate-authority/11223344-1234-1122-2233-112233445566
" \ --output json
This description should contain the following section.
"RevocationConfiguration": {
...
"CrlConfiguration": {
"Enabled": true,
"ExpirationInDays": 7,
"CustomCname": "alternative.example.com
",
"S3BucketName": "amzn-s3-demo-bucket
",
...
}
}
Example 5: Create a CA and specify the usage mode
In this example, the CA usage mode is specified when creating a CA. If unspecified, the usage mode parameter defaults to GENERAL_PURPOSE. In this example, the parameter is set to SHORT_LIVED_CERTIFICATE, which means that the CA will issue certificates with a maximum validity period of seven days. In situations where it is inconvenient to configure revocation, a short-lived certificate that has been compromised quickly expires as part of normal operations. Consequently, this example CA lacks a revocation mechanism.
Note
Amazon Private CA does not perform validity checks on root CA certificates.
$
aws acm-pca create-certificate-authority \ --certificate-authority-configuration file://
ca_config.txt
\ --certificate-authority-type "ROOT" \ --usage-mode SHORT_LIVED_CERTIFICATE \ --tags Key=usageMode,Value=SHORT_LIVED_CERTIFICATE
Use the describe-certificate-authority command in the Amazon CLI to display details about the resulting CA, as shown in the following command:
$
aws acm-pca describe-certificate-authority \ --certificate-authority-arn arn:aws:acm:region
:account
:certificate-authority/CA_ID
{ "CertificateAuthority":{ "Arn":"arn:aws:acm-pca:
region
:account
:certificate-authority/CA_ID
", "CreatedAt":"2022-09-30T09:53:42.769000-07:00", "LastStateChangeAt":"2022-09-30T09:53:43.784000-07:00", "Type":"ROOT", "UsageMode":"SHORT_LIVED_CERTIFICATE", "Serial":"serial_number
", "Status":"PENDING_CERTIFICATE", "CertificateAuthorityConfiguration":{ "KeyAlgorithm":"RSA_2048", "SigningAlgorithm":"SHA256WITHRSA", "Subject":{ "Country":"US
", "Organization":"Example Corp
", "OrganizationalUnit":"Sales
", "State":"WA
", "Locality":"Seattle
", "CommonName":"www.example.com
" } }, "RevocationConfiguration":{ "CrlConfiguration":{ "Enabled":false }, "OcspConfiguration":{ "Enabled":false } }, ...
Example 6: Create a CA for Active Directory login
You can create a private CA suitable for use in the Enterprise NTAuth store of
Microsoft Active Directory (AD), where it can issue card-logon or
domain-controller certificates. For information about importing a CA certificate
into AD, see How to import third-party certification authority (CA) certificates into
the Enterprise NTAuth store
The Microsoft certutil
This example uses the following ca_config_AD.txt
configuration
file.
File: ca_config_AD.txt
{ "KeyAlgorithm":"RSA_2048", "SigningAlgorithm":"SHA256WITHRSA", "Subject":{ "CustomAttributes":[ { "ObjectIdentifier":"2.5.4.3", "Value":"root CA" }, { "ObjectIdentifier":"0.9.2342.19200300.100.1.25", "Value":"example" }, { "ObjectIdentifier":"0.9.2342.19200300.100.1.25", "Value":"com" } ] } }
Command
$
aws acm-pca create-certificate-authority \ --certificate-authority-configuration file://
ca_config_AD.txt
\ --certificate-authority-type "ROOT" \ --tags Key=application,Value=ActiveDirectory
If successful, this command outputs the Amazon Resource Name (ARN) of the CA.
{
"CertificateAuthorityArn":"arn:aws
:acm-pca:us-east-1
:111122223333
:certificate-authority/11223344-1234-1122-2233-112233445566
"
}
Use the following command to inspect the configuration of your CA.
$
aws acm-pca describe-certificate-authority \ --certificate-authority-arn "arn:
aws
:acm-pca:us-east-1
:111122223333
:certificate-authority/11223344-1234-1122-2233-112233445566
" \ --output json
This description should contain the following section.
... "Subject":{ "CustomAttributes":[ { "ObjectIdentifier":"2.5.4.3", "Value":"root CA" }, { "ObjectIdentifier":"0.9.2342.19200300.100.1.25", "Value":"example" }, { "ObjectIdentifier":"0.9.2342.19200300.100.1.25", "Value":"com" } ] } ...
Example 7: Create a Matter CA with an attached CRL and the CDP extension omitted from issued certificates
You can create a private CA suitable for issuing certificates for the Matter smart home standard. In this example, the CA configuration in ca_config_PAA.txt
defines a Matter Product Attestation Authority (PAA)
with the Vendor ID (VID) set to FFF1.
File: ca_config_PAA.txt
{ "KeyAlgorithm":"EC_prime256v1", "SigningAlgorithm":"SHA256WITHECDSA", "Subject":{ "Country":"
US
", "Organization":"Example Corp
", "OrganizationalUnit":"SmartHome
", "State":"WA
", "Locality":"Seattle
", "CommonName":"Example Corp Matter PAA
", "CustomAttributes":[ { "ObjectIdentifier":"1.3.6.1.4.1.37244.2.1", "Value":"FFF1"
} ] } }
The revocation configuration enables CRLs, and configures the CA to omit the default CDP URL from any issued certificates.
File: revoke_config.txt
{ "CrlConfiguration":{ "Enabled":true, "ExpirationInDays":
7
, "S3BucketName":"amzn-s3-demo-bucket
", "CrlDistributionPointExtensionConfiguration":{ "OmitExtension":true } } }
Command
$
aws acm-pca create-certificate-authority \ --certificate-authority-configuration file://
ca_config_PAA.txt
\ --revocation-configuration file://revoke_config.txt
\ --certificate-authority-type "ROOT" \ --idempotency-token01234567
\ --tags Key=Name
,Value=MyPCA-1
If successful, this command outputs the Amazon Resource Name (ARN) of the CA.
{
"CertificateAuthorityArn":"arn:aws
:acm-pca:us-east-1
:111122223333
:certificate-authority/11223344-1234-1122-2233-112233445566
"
}
Use the following command to inspect the configuration of your CA.
$
aws acm-pca describe-certificate-authority \ --certificate-authority-arn "arn:
aws
:acm-pca:us-east-1
:111122223333
:certificate-authority/11223344-1234-1122-2233-112233445566
" \ --output json
This description should contain the following section.
"RevocationConfiguration": {
...
"CrlConfiguration": {
"Enabled": true,
"ExpirationInDays": 7,
"S3BucketName": "amzn-s3-demo-bucket
",
"CrlDistributionPointExtensionConfiguration":{
"OmitExtension":true
}
},
...
}
...