Certificate authorities in Amazon Private CA - Amazon Private Certificate Authority
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Certificate authorities in Amazon Private CA

Using Amazon Private Certificate Authority, you can create an entirely Amazon hosted hierarchy of root and subordinate certificate authorities (CAs) for internal use by your organization. To manage certificate revocation, you can enable Online Certificate Status Protocol (OCSP), certificate revocation lists (CRLs), or both. Amazon Private CA stores and manages your CA certificates, CRLs, and OCSP responses, and the private keys for your root authorities are securely stored by Amazon.

Note

The OCSP implementation in Amazon Private CA does not support OCSP request extensions. If you submit an OCSP batch query containing multiple certificates, the Amazon OCSP responder processes only the first certificate in the queue and drops the others. A revocation might take up to an hour to appear in OCSP responses.

You can access Amazon Private CA using the Amazon Web Services Management Console, the Amazon CLI, and the Amazon Private CA API. The following topics show you how to use the console and the CLI. To learn more about the API, see the Amazon Private Certificate Authority API Reference. For Java examples that show you how to use the API, see Use Amazon Private CA with the Amazon SDK for Java.

After you create an active private CA and configured access to it, you can issue and retrieve certificates, as described in Issue and manage certificates in Amazon Private CA.