Certificate authorities in Amazon Private CA
Using Amazon Private Certificate Authority, you can create an entirely Amazon-hosted hierarchy of root and subordinate certificate authorities (CAs) for internal use by your organization. To manage certificate revocation, you can enable Online Certificate Status Protocol (OCSP), certificate revocation lists (CRLs), or both. Amazon Private CA stores and manages your CA certificates, CRLs, and OCSP responses, and the private keys of your root authorities are securely stored by Amazon rather than exported to you.
Note
The OCSP implementation in Amazon Private CA does not support OCSP request extensions. If you submit an OCSP batch query containing multiple certificates, the Amazon OCSP responder processes only the first certificate in the request and drops the others, so the response carries no status for them; query one certificate per request. After you revoke a certificate, the change might take up to an hour to appear in OCSP responses.
You can access Amazon Private CA using the Amazon Web Services Management Console, the Amazon CLI, and the Amazon Private CA API. The following topics show you how to use the console and the CLI. To learn more about the API, see the Amazon Private Certificate Authority API Reference. For Java examples that show you how to use the API, see Use Amazon Private CA with the Amazon SDK for Java.
After you have created an active private CA and configured access to it, you can issue and retrieve certificates, as described in Issue and manage certificates in Amazon Private CA.
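The following script is an added example, not code from the Amazon Private CA documentation. It walks the CLI path that the topics below describe one step at a time: create a root CA with both CRL and OCSP revocation enabled, self-sign its CSR with the RootCACertificate template, import the certificate to make the CA ACTIVE, and then check the revocation status of issued certificates one per OCSP request, because of the batch-query limitation in the note above. The region, the bucket name in CRL_BUCKET, the CA subject, the idempotency token and the file names ca.csr and ca.crt are hypothetical; the script assumes the CRL bucket already exists with a bucket policy that lets acm-pca.amazonaws.com write to it, that the AWS CLI has credentials allowed to call acm-pca, and that openssl is installed.

```shell
#!/bin/sh
# Added example (not from the Amazon Private CA documentation): create a root CA
# with CRL and OCSP revocation enabled, self-sign and install its certificate,
# then check revocation status one certificate per OCSP request.
# Hypothetical assumptions: the S3 bucket named in CRL_BUCKET already exists with a
# bucket policy that lets acm-pca.amazonaws.com write CRLs to it; the AWS CLI is
# configured with credentials that may call acm-pca; openssl is installed.
set -eu

# CA configuration: key and signing algorithm plus the subject of the root certificate.
write_ca_config() { # $1 = output path
  cat > "$1" <<'EOF'
{
  "KeyAlgorithm": "RSA_2048",
  "SigningAlgorithm": "SHA256WITHRSA",
  "Subject": { "Country": "US", "Organization": "Example Corp", "CommonName": "Example Root CA" }
}
EOF
}

# Revocation configuration: publish a CRL to S3 that is valid for N days and enable OCSP.
# ExpirationInDays must be between 1 and 5000 (API limit); keep it short so a stale
# CRL is not trusted for long if publication breaks.
write_revocation_config() { # $1 = output path, $2 = CRL bucket, $3 = CRL validity in days
  [ "$3" -ge 1 ] && [ "$3" -le 5000 ] || { echo "ExpirationInDays out of range: $3" >&2; return 1; }
  cat > "$1" <<EOF
{
  "CrlConfiguration": { "Enabled": true, "ExpirationInDays": $3, "S3BucketName": "$2" },
  "OcspConfiguration": { "Enabled": true }
}
EOF
}

# Create the CA and print its ARN. A new CA starts in the PENDING_CERTIFICATE state.
create_root_ca() { # $1 = CRL bucket
  cfg=$(mktemp); rev=$(mktemp)
  write_ca_config "$cfg"
  write_revocation_config "$rev" "$1" 7
  aws acm-pca create-certificate-authority \
    --certificate-authority-configuration "file://$cfg" \
    --revocation-configuration "file://$rev" \
    --certificate-authority-type ROOT \
    --idempotency-token "example-root-ca" \
    --query CertificateAuthorityArn --output text
}

# Self-sign the CA's own CSR with the RootCACertificate template and import the result,
# which moves the CA to ACTIVE. Prints the final status.
install_root_cert() { # $1 = CA ARN
  aws acm-pca wait certificate-authority-csr-created --certificate-authority-arn "$1"
  aws acm-pca get-certificate-authority-csr --certificate-authority-arn "$1" --output text > ca.csr
  cert_arn=$(aws acm-pca issue-certificate --certificate-authority-arn "$1" \
    --csr fileb://ca.csr --signing-algorithm SHA256WITHRSA \
    --template-arn arn:aws:acm-pca:::template/RootCACertificate/V1 \
    --validity Value=10,Type=YEARS --query CertificateArn --output text)
  aws acm-pca wait certificate-issued --certificate-authority-arn "$1" --certificate-arn "$cert_arn"
  aws acm-pca get-certificate --certificate-authority-arn "$1" --certificate-arn "$cert_arn" \
    --query Certificate --output text > ca.crt
  aws acm-pca import-certificate-authority-certificate \
    --certificate-authority-arn "$1" --certificate fileb://ca.crt
  aws acm-pca describe-certificate-authority --certificate-authority-arn "$1" \
    --query CertificateAuthority.Status --output text
}

# Query OCSP for each issued certificate separately: the Private CA responder answers
# only the first certificate in a batch request, so a batch silently hides the others.
# A fresh revocation can take up to an hour to show up in responses.
check_ocsp_each() { # $1 = issuer certificate (PEM), remaining args = end-entity certs (PEM)
  issuer=$1; shift
  for cert in "$@"; do
    url=$(openssl x509 -in "$cert" -noout -ocsp_uri)   # AIA URL that Private CA writes into the cert
    openssl ocsp -issuer "$issuer" -CAfile "$issuer" -cert "$cert" -url "$url" | grep "^$cert:"
  done
}

# Only touch the account when explicitly asked:
#   PCA_APPLY=1 CRL_BUCKET=my-crl-bucket sh create_root_ca.sh
if [ "${PCA_APPLY:-0}" = "1" ]; then
  ca_arn=$(create_root_ca "$CRL_BUCKET")
  install_root_cert "$ca_arn"
fi
```

Without PCA_APPLY=1 the script only defines the functions, so it can be sourced and the configuration writers exercised locally before anything is created in the account. The CRL validity period is passed explicitly and range-checked because the API rejects values outside 1 to 5000 days, and the status check runs openssl ocsp in a loop rather than with several -cert arguments for the reason given in the note.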
Topics
- Set up to use Amazon Private CA
- Create a private CA in Amazon Private CA
- Installing the CA certificate
- Control access to the private CA
- List private CAs
- View a private CA
- Add tags for your private CA
- Understand Amazon Private CA CA status
- Update a private CA in Amazon Private Certificate Authority
- Delete your private CA
- Restore a private CA
- Use externally signed private CA certificates