Understand Amazon Private CA CA modes
Amazon Private CA supports the creation of a certificate authority (CA) in either of two modes. The modes, general-purpose and short-lived certificate, affect the allowed validity period of the certificates issued by the CA.
Note
Amazon Private CA does not perform validity checks on root CA certificates.
General-purpose (default)
This mode permits the CA to issue certificates with any validity period. Most applications use certificates of this type. Typically, the CA also specifies a revocation mechanism.
Short-lived certificate
This mode defines a CA that exclusively issues certificates with a maximum validity period of seven days. These short-lived certificates expire so quickly that they can be deployed without a revocation mechanism in place. For some applications, it makes more sense to frequently deploy short-lived certificates than to incur the network and processing overhead of revocation.
CAs in short-lived certificate mode cost less than general-purpose CAs. For more information, see Amazon Private Certificate Authority Pricing.
To create a CA that issues short-lived certificates, set the UsageMode parameter to short-lived certificate when following the procedure for creating a CA.
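As an added example (not code from the Amazon documentation), the following Python pre-flight check compares an IssueCertificate Validity against a CA's UsageMode before a request is sent, so a short-lived certificate CA is never asked for more than the seven-day cap. It uses the API's UsageMode values and Validity types but no AWS client, so it runs offline; the function names, the fixed date EXAMPLE_NOW and the 30/365-day month and year approximations are assumptions.

```python
from datetime import datetime, timedelta, timezone

SHORT_LIVED_MAX_DAYS = 7  # cap the page states for UsageMode=SHORT_LIVED_CERTIFICATE
EXAMPLE_NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed, fixed "now"


def validity_in_days(validity, now=None):
    """Turn an IssueCertificate Validity {'Type', 'Value'} into days from `now`.
    DAYS/MONTHS/YEARS are relative (months/years approximated as 30/365 days,
    an assumption); ABSOLUTE (Unix seconds) and END_DATE (YYYYMMDDHHMMSS or
    YYMMDDHHMMSS, UTC) are anchored to `now`."""
    now = now or datetime.now(timezone.utc)
    vtype, value = validity["Type"], validity["Value"]
    if vtype == "DAYS":
        return float(value)
    if vtype == "MONTHS":
        return value * 30.0
    if vtype == "YEARS":
        return value * 365.0
    if vtype == "ABSOLUTE":
        end = datetime.fromtimestamp(value, tz=timezone.utc)
    elif vtype == "END_DATE":
        text = str(value)
        fmt = "%Y%m%d%H%M%S" if len(text) == 14 else "%y%m%d%H%M%S"
        end = datetime.strptime(text, fmt).replace(tzinfo=timezone.utc)
    else:
        raise ValueError(f"unknown Validity type {vtype!r}")
    return (end - now) / timedelta(days=1)


def check_validity_for_mode(usage_mode, validity, now=None):
    """Return (allowed, reason) for a Validity against the CA's UsageMode, as
    reported by DescribeCertificateAuthority (GENERAL_PURPOSE or SHORT_LIVED_CERTIFICATE)."""
    days = validity_in_days(validity, now)
    if days <= 0:
        return False, "certificate would already be expired"
    if usage_mode == "SHORT_LIVED_CERTIFICATE" and days > SHORT_LIVED_MAX_DAYS:
        return False, f"{days:g} days exceeds the {SHORT_LIVED_MAX_DAYS}-day cap"
    return True, "ok"


def example_results():
    """Constructed requests checked against EXAMPLE_NOW; returns the allowed flags."""
    cases = [
        ("SHORT_LIVED_CERTIFICATE", {"Type": "DAYS", "Value": 7}),                     # allowed
        ("SHORT_LIVED_CERTIFICATE", {"Type": "END_DATE", "Value": "20240110000000"}),  # 9 days: rejected
        ("SHORT_LIVED_CERTIFICATE", {"Type": "ABSOLUTE", "Value": 1704326400}),        # 2024-01-04: allowed
        ("GENERAL_PURPOSE", {"Type": "YEARS", "Value": 1}),                            # allowed
    ]
    return [check_validity_for_mode(m, v, EXAMPLE_NOW)[0] for m, v in cases]
```

Run the check against the UsageMode you read back from DescribeCertificateAuthority; a rejected request with a short-lived CA means the caller must shorten the validity, because the service will not issue beyond the cap.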
Note
Amazon Certificate Manager cannot issue certificates signed by a private CA with short-lived mode.
Use of short-lived certificates is supported by the following Amazon services: