Controlling access to a private CA - Amazon Private Certificate Authority
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Controlling access to a private CA

Any user with the necessary permissions on a private CA from Amazon Private CA can use that CA to sign other certificates. The CA owner can issue certificates directly, or can delegate the permissions required for issuing certificates to an Amazon Identity and Access Management (IAM) user in the same Amazon Web Services account. A user in a different Amazon Web Services account can also issue certificates if the CA owner authorizes that account through a resource-based policy attached to the CA.

Authorized users, whether single-account or cross-account, can use Amazon Private CA or Amazon Certificate Manager resources when issuing certificates. Certificates that are issued from the Amazon Private CA IssueCertificate API or issue-certificate CLI command are unmanaged. Such certificates require manual installation on target devices and manual renewal when they expire. Certificates issued from the ACM console, the ACM RequestCertificate API, or the request-certificate CLI command are managed. Such certificates can easily be installed in services that are integrated with ACM. If the CA administrator permits it and the issuer's account has a service-linked role in place for ACM, managed certificates are renewed automatically when they expire.
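The cross-account authorization described above is expressed as a resource-based policy on the CA. The following policy document is an added illustration, not taken from this page or from the Amazon Private CA documentation: the CA ARN, the Region, the account IDs and the policy statement IDs are placeholders, and the `acm-pca:TemplateArn` condition key (which restricts the delegated account to the end-entity certificate template so it cannot use the CA to mint subordinate CA certificates) is assumed to be available rather than stated on this page.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowCrossAccountReadOfCaMetadata",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::222222222222:root"
      },
      "Action": [
        "acm-pca:DescribeCertificateAuthority",
        "acm-pca:GetCertificate",
        "acm-pca:GetCertificateAuthorityCertificate",
        "acm-pca:ListPermissions"
      ],
      "Resource": "arn:aws:acm-pca:us-east-1:111111111111:certificate-authority/PLACEHOLDER-CA-ID"
    },
    {
      "Sid": "AllowCrossAccountEndEntityIssuanceOnly",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::222222222222:root"
      },
      "Action": "acm-pca:IssueCertificate",
      "Resource": "arn:aws:acm-pca:us-east-1:111111111111:certificate-authority/PLACEHOLDER-CA-ID",
      "Condition": {
        "StringEquals": {
          "acm-pca:TemplateArn": "arn:aws:acm-pca:::template/EndEntityCertificate/V1"
        }
      }
    }
  ]
}
```

The split into two statements is deliberate: the read-only actions let the delegated account (and ACM acting in that account) discover the CA and retrieve issued certificates, while issuance is granted separately and pinned to a single template. Without the condition, a principal in account 222222222222 holding `acm-pca:IssueCertificate` could request any template the CA supports, including ones that produce CA certificates. The CA owner attaches this document with the `aws acm-pca put-policy` CLI command, and the delegated account still needs its own IAM identity policy granting the same actions to the specific user or role that will call `issue-certificate` or `request-certificate`.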