Amazon Private CA template varieties - Amazon Private Certificate Authority
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Amazon Private CA template varieties

Amazon Private CA supports four varieties of template.

  • Base templates

    Pre-defined templates in which no passthrough parameters are allowed.

  • CSRPassthrough templates

    Templates that extend their corresponding base template versions by allowing CSR passthrough. Extensions in the CSR that is used to issue the certificate are copied over to the issued certificate. In cases where the CSR contains extension values that conflict with the template definition, the template definition will always have the higher priority. For more details about priority, see Amazon Private CA template order of operations.

  • APIPassthrough templates

    Templates that extend their corresponding base template versions by allowing API passthrough. Dynamic values that are known to the administrator or other intermediate systems may not be known by the entity requesting the certificate, may be impossible to define in a template, and may not be available in the CSR. The CA administrator, however, can retrieve additional information from another data source, such as an Active Directory, to complete the request. For example, if a machine doesn't know what organization unit it belongs to, the administrator can look up the information in Active Directory and add it to the certificate request by including the information in a JSON structure.

    Values in the ApiPassthrough parameter of the IssueCertificate action are copied over to the issued certificate. In cases where the ApiPassthrough parameter contains information that conflicts with the template definition, the template definition will always have the higher priority. For more details about priority, see Amazon Private CA template order of operations.

  • APICSRPassthrough templates

    Templates that extend their corresponding base template versions by allowing both API and CSR passthrough. Extensions in the CSR used to issue the certificate are copied over to the issued certificate, and values in the ApiPassthrough parameter of the IssueCertificate action are also copied over . In cases where the template definition, API passthrough values, and CSR passthrough extensions exhibit a conflict, the template definition has highest priority, followed by the API passthrough values, followed by the CSR passthrough extensions. For more details about priority, see Amazon Private CA template order of operations.

The tables below list all of the template types supported by Amazon Private CA with links to their definitions.

Note

For information about template ARNs in GovCloud regions, see Amazon Private Certificate Authority in the Amazon GovCloud (US) User Guide.

Base templates

Template Name

Template ARN

Certificate Type

CodeSigningCertificate/V1

arn:aws:acm-pca:::template/CodeSigningCertificate/V1

Code signing

EndEntityCertificate/V1

arn:aws:acm-pca:::template/EndEntityCertificate/V1

End-entity

EndEntityClientAuthCertificate/V1

arn:aws:acm-pca:::template/EndEntityClientAuthCertificate/V1

End-entity

EndEntityServerAuthCertificate/V1

arn:aws:acm-pca:::template/EndEntityServerAuthCertificate/V1

End-entity

OCSPSigningCertificate/V1

arn:aws:acm-pca:::template/OCSPSigningCertificate/V1

OCSP signing

RootCACertificate/V1

arn:aws:acm-pca:::template/RootCACertificate/V1

CA

SubordinateCACertificate_PathLen0/V1

arn:aws:acm-pca:::template/SubordinateCACertificate_PathLen0/V1

CA

SubordinateCACertificate_PathLen1/V1

arn:aws:acm-pca:::template/SubordinateCACertificate_PathLen1/V1

CA

SubordinateCACertificate_PathLen2/V1

arn:aws:acm-pca:::template/SubordinateCACertificate_PathLen2/V1

CA

SubordinateCACertificate_PathLen3/V1

arn:aws:acm-pca:::template/SubordinateCACertificate_PathLen3/V1

CA

CSRPassthrough templates

Template Name

Template ARN

Certificate Type

BlankEndEntityCertificate_CSRPassthrough/V1

arn:aws:acm-pca:::template/BlankEndEntityCertificate_CSRPassthrough/V1

End-entity

BlankEndEntityCertificate_CriticalBasicConstraints_CSRPassthrough/V1

arn:aws:acm-pca:::template/BlankEndEntityCertificate_CriticalBasicConstraints_CSRPassthrough/V1

End-entity

BlankSubordinateCACertificate_PathLen0_CSRPassthrough/V1

arn:aws:acm-pca:::template/BlankSubordinateCACertificate_PathLen0_CSRPassthrough/V1

CA

BlankSubordinateCACertificate_PathLen1_CSRPassthrough/V1

arn:aws:acm-pca:::template/BlankSubordinateCACertificate_PathLen1_CSRPassthrough/V1

CA

BlankSubordinateCACertificate_PathLen2_CSRPassthrough/V1

arn:aws:acm-pca:::template/BlankSubordinateCACertificate_PathLen2_CSRPassthrough/V1

CA

BlankSubordinateCACertificate_PathLen3_CSRPassthrough/V1

arn:aws:acm-pca:::template/BlankSubordinateCACertificate_PathLen3_CSRPassthrough/V1

CA

CodeSigningCertificate_CSRPassthrough/V1

arn:aws:acm-pca:::template/CodeSigningCertificate_CSRPassthrough/V1

Code signing

EndEntityCertificate_CSRPassthrough/V1

arn:aws:acm-pca:::template/EndEntityCertificate_CSRPassthrough/V1

End-entity

EndEntityClientAuthCertificate_CSRPassthrough/V1

arn:aws:acm-pca:::template/EndEntityClientAuthCertificate_CSRPassthrough/V1

End-entity

EndEntityServerAuthCertificate_CSRPassthrough/V1

arn:aws:acm-pca:::template/EndEntityServerAuthCertificate_CSRPassthrough/V1

End-entity

OCSPSigningCertificate_CSRPassthrough/V1

arn:aws:acm-pca:::template/OCSPSigningCertificate_CSRPassthrough/V1

OCSP signing

SubordinateCACertificate_PathLen0_CSRPassthrough/V1

arn:aws:acm-pca:::template/SubordinateCACertificate_PathLen0_CSRPassthrough/V1

CA

SubordinateCACertificate_PathLen1_CSRPassthrough/V1

arn:aws:acm-pca:::template/SubordinateCACertificate_PathLen1_CSRPassthrough/V1

CA

SubordinateCACertificate_PathLen2_CSRPassthrough/V1

arn:aws:acm-pca:::template/SubordinateCACertificate_PathLen2_CSRPassthrough/V1

CA

SubordinateCACertificate_PathLen3_CSRPassthrough/V1

arn:aws:acm-pca:::template/SubordinateCACertificate_PathLen3_CSRPassthrough/V1

CA

APIPassthrough templates

Template Name

Template ARN

Certificate Type

BlankEndEntityCertificate_APIPassthrough/V1

arn:aws:acm-pca:::template/BlankEndEntityCertificate_APIPassthrough/V1

End-entity

BlankEndEntityCertificate_CriticalBasicConstraints_APIPassthrough/V1

arn:aws:acm-pca:::template/BlankEndEntityCertificate_CriticalBasicConstraints_APIPassthrough/V1

End-entity

CodeSigningCertificate_APIPassthrough/V1

arn:aws:acm-pca:::template/CodeSigningCertificate_APIPassthrough/V1

Code signing

EndEntityCertificate_APIPassthrough/V1

arn:aws:acm-pca:::template/EndEntityCertificate_APIPassthrough/V1

End-entity

EndEntityClientAuthCertificate_APIPassthrough/V1

arn:aws:acm-pca:::template/EndEntityClientAuthCertificate_APIPassthrough/V1

End-entity

EndEntityServerAuthCertificate_APIPassthrough/V1

arn:aws:acm-pca:::template/EndEntityServerAuthCertificate_APIPassthrough/V1

End-entity

OCSPSigningCertificate_APIPassthrough/V1

arn:aws:acm-pca:::template/OCSPSigningCertificate_APIPassthrough/V1

OCSP signing

RootCACertificate_APIPassthrough/V1

arn:aws:acm-pca:::template/RootCACertificate_APIPassthrough/V1

CA

BlankRootCACertificate_APIPassthrough/V1

arn:aws:acm-pca:::template/BlankRootCACertificate_APIPassthrough/V1

CA

BlankRootCACertificate_PathLen0_APIPassthrough/V1

arn:aws:acm-pca:::template/BlankRootCACertificate_PathLen0_APIPassthrough/V1

CA

BlankRootCACertificate_PathLen1_APIPassthrough/V1

arn:aws:acm-pca:::template/BlankRootCACertificate_PathLen1_APIPassthrough/V1

CA

BlankRootCACertificate_PathLen2_APIPassthrough/V1

arn:aws:acm-pca:::template/BlankRootCACertificate_PathLen2_APIPassthrough/V1

CA

BlankRootCACertificate_PathLen3_APIPassthrough/V1

arn:aws:acm-pca:::template/BlankRootCACertificate_PathLen3_APIPassthrough/V1

CA

SubordinateCACertificate_PathLen0_APIPassthrough/V1

arn:aws:acm-pca:::template/SubordinateCACertificate_PathLen0_APIPassthrough/V1

CA

BlankSubordinateCACertificate_PathLen0_APIPassthrough/V1

arn:aws:acm-pca:::template/BlankSubordinateCACertificate_PathLen0_APIPassthrough/V1

CA

SubordinateCACertificate_PathLen1_APIPassthrough/V1

arn:aws:acm-pca:::template/SubordinateCACertificate_PathLen1_APIPassthrough/V1

CA

BlankSubordinateCACertificate_PathLen1_APIPassthrough/V1

arn:aws:acm-pca:::template/BlankSubordinateCACertificate_PathLen1_APIPassthrough/V1

CA

SubordinateCACertificate_PathLen2_APIPassthrough/V1

arn:aws:acm-pca:::template/SubordinateCACertificate_PathLen2_APIPassthrough/V1

CA

BlankSubordinateCACertificate_PathLen2_APIPassthrough/V1

arn:aws:acm-pca:::template/BlankSubordinateCACertificate_PathLen2_APIPassthrough/V1

CA

SubordinateCACertificate_PathLen3_APIPassthrough/V1

arn:aws:acm-pca:::template/SubordinateCACertificate_PathLen3_APIPassthrough/V1

CA

BlankSubordinateCACertificate_PathLen3_APIPassthrough/V1

arn:aws:acm-pca:::template/BlankSubordinateCACertificate_PathLen3_APIPassthrough/V1

CA

APICSRPassthrough templates

Template Name

Template ARN

Certificate Type

BlankEndEntityCertificate_APICSRPassthrough/V1

arn:aws:acm-pca:::template/BlankEndEntityCertificate_APICSRPassthrough/V1

End-entity

BlankEndEntityCertificate_CriticalBasicConstraints_APICSRPassthrough/V1

arn:aws:acm-pca:::template/BlankEndEntityCertificate_CriticalBasicConstraints_APICSRPassthrough/V1

End-entity

CodeSigningCertificate_APICSRPassthrough/V1

arn:aws:acm-pca:::template/CodeSigningCertificate_APICSRPassthrough/V1

Code signing

EndEntityCertificate_APICSRPassthrough/V1

arn:aws:acm-pca:::template/EndEntityCertificate_APICSRPassthrough/V1

End-entity

EndEntityClientAuthCertificate_APICSRPassthrough/V1

arn:aws:acm-pca:::template/EndEntityClientAuthCertificate_APICSRPassthrough/V1

End-entity

EndEntityServerAuthCertificate_APICSRPassthrough/V1

arn:aws:acm-pca:::template/EndEntityServerAuthCertificate_APICSRPassthrough/V1

End-entity

OCSPSigningCertificate_APICSRPassthrough/V1

arn:aws:acm-pca:::template/OCSPSigningCertificate_APICSRPassthrough/V1

OCSP signing

SubordinateCACertificate_PathLen0_APICSRPassthrough/V1

arn:aws:acm-pca:::template/SubordinateCACertificate_PathLen0_APICSRPassthrough/V1

CA

BlankSubordinateCACertificate_PathLen0_APICSRPassthrough/V1

arn:aws:acm-pca:::template/BlankSubordinateCACertificate_PathLen0_APICSRPassthrough/V1

CA

SubordinateCACertificate_PathLen1_APICSRPassthrough/V1

arn:aws:acm-pca:::template/SubordinateCACertificate_PathLen1_APICSRPassthrough/V1

CA

BlankSubordinateCACertificate_PathLen1_APICSRPassthrough/V1

arn:aws:acm-pca:::template/BlankSubordinateCACertificate_PathLen1_APICSRPassthrough/V1

CA

SubordinateCACertificate_PathLen2_APICSRPassthrough/PathLen3_APIPassthroughV1

arn:aws:acm-pca:::template/SubordinateCACertificate_PathLen2_APICSRPassthrough/V1

CA

BlankSubordinateCACertificate_PathLen2_APICSRPassthrough/V1

arn:aws:acm-pca:::template/BlankSubordinateCACertificate_PathLen2_APICSRPassthrough/V1

CA

SubordinateCACertificate_PathLen3_APICSRPassthrough/V1

arn:aws:acm-pca:::template/SubordinateCACertificate_PathLen3_APICSRPassthrough/V1

CA

BlankSubordinateCACertificate_PathLen3_APICSRPassthrough/V1

arn:aws:acm-pca:::template/BlankSubordinateCACertificate_PathLen3_APICSRPassthrough/V1

CA