What is AWS Private CA? - AWS Private Certificate Authority

What is AWS Private CA?

AWS Private CA enables creation of private certificate authority (CA) hierarchies, including root and subordinate CAs, without the investment and maintenance costs of operating an on-premises CA. Your private CAs can issue end-entity X.509 certificates useful in scenarios including:

  • Creating encrypted TLS communication channels

  • Authenticating users, computers, API endpoints, and IoT devices

  • Cryptographically signing code

  • Implementing Online Certificate Status Protocol (OCSP) for obtaining certificate revocation status

AWS Private CA operations can be accessed from the AWS Management Console, using the AWS Private CA API, or using the AWS CLI.

Regional availability for AWS Private Certificate Authority

Like most AWS resources, private certificate authorities (CAs) are Regional resources. To use private CAs in more than one Region, you must create your CAs in those Regions. You cannot copy private CAs between Regions. Visit AWS Regions and Endpoints in the AWS General Reference or the AWS Region Table to see the Regional availability for AWS Private CA.

Note

ACM is currently available in some Regions in which AWS Private CA is not.

Services integrated with AWS Private Certificate Authority

If you use AWS Certificate Manager to request a private certificate, you can associate that certificate with any service that is integrated with ACM. This applies both to certificates chained to an AWS Private CA root and to certificates chained to an external root. For more information, see Integrated Services in the AWS Certificate Manager User Guide.

You can also integrate private CAs into Amazon Elastic Kubernetes Service to provide certificate issuance inside a Kubernetes cluster. For more information, see Secure Kubernetes with AWS Private CA.

Note

Amazon Elastic Kubernetes Service is not an ACM integrated service.

If you use the AWS Private CA API or AWS CLI to issue a certificate or to export a private certificate from ACM, you can install the certificate anywhere you want.

Supported cryptographic algorithms in AWS Private Certificate Authority

AWS Private CA supports the following cryptographic algorithms for private key generation and certificate signing.

Private key algorithms:

  • RSA_2048

  • RSA_4096

  • EC_prime256v1

  • EC_secp384r1

  • SM2 (China Regions only)

Signing algorithms:

  • SHA256WITHECDSA

  • SHA384WITHECDSA

  • SHA512WITHECDSA

  • SHA256WITHRSA

  • SHA384WITHRSA

  • SHA512WITHRSA

  • SM3WITHSM2 (China Regions only)

This list applies only to certificates issued directly by AWS Private CA through its console, API, or command line. When AWS Certificate Manager issues certificates using a CA from AWS Private CA, it supports some but not all of these algorithms. For more information, see Request a Private Certificate in the AWS Certificate Manager User Guide.

Note

In all cases, the family of the specified signing algorithm (RSA, ECDSA, or SM2) must match the algorithm family of the CA's private key. For example, a CA whose key is EC_prime256v1 can sign with SHA256WITHECDSA but not with SHA256WITHRSA.

RFC 5280 compliance in AWS Private Certificate Authority

AWS Private CA does not enforce every constraint defined in RFC 5280. Conversely, it does enforce certain additional constraints that are appropriate to a private CA.

Enforced

  • Not After date. In conformity with RFC 5280, AWS Private CA prevents the issuance of certificates bearing a Not After date later than the Not After date of the issuing CA's certificate.

  • Basic constraints. AWS Private CA enforces basic constraints and path length in imported CA certificates.

    Basic constraints indicate whether or not the resource identified by the certificate is a CA and can issue certificates. CA certificates imported to AWS Private CA must include the basic constraints extension, and the extension must be marked critical. In addition to the critical flag, CA=true must be set. AWS Private CA enforces basic constraints by failing with a validation exception for the following reasons:

    • The extension is not included in the CA certificate.

    • The extension is not marked critical.

    Path length (pathLenConstraint) determines how many subordinate CAs may exist downstream from the imported CA certificate. AWS Private CA enforces path length by failing with a validation exception for the following reasons:

    • Importing a CA certificate would violate the path length constraint in the CA certificate or in any CA certificate in the chain.

    • Issuing a certificate would violate a path length constraint.

  • Name constraints indicate a name space within which all subject names in subsequent certificates in a certification path must be located. Restrictions apply to the subject distinguished name and subject alternative names.
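The checks listed above can be run locally before a CA certificate is imported, so that an import failure is caught with a precise reason rather than a validation exception from the service. The following Go program is an added example, not code from this page or from AWS: it builds a small constructed chain in memory and applies this page's reading of the enforced rules (basic constraints present, critical and CA=true; pathLenConstraint honoured, including for a subordinate the imported CA would later issue; Not After not later than the issuer's; and the signature verifying under the issuer's key, which is what ties the signing algorithm family to the CA key's family). The `newCA` helper writes the basic constraints extension by hand so that a non-critical copy can be produced deliberately; name constraints are not modelled.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// id-ce-basicConstraints, RFC 5280 section 4.2.1.9.
var oidBasicConstraints = asn1.ObjectIdentifier{2, 5, 29, 19}

// CheckCAChain applies the enforced checks above to a chain given subordinate-first (CA being
// imported first, root last). issueLevels is 0 to vet the import, 1 to also ask whether that
// CA could afterwards issue one subordinate CA.
func CheckCAChain(issueLevels int, chain ...*x509.Certificate) error {
	if len(chain) == 0 {
		return fmt.Errorf("empty chain")
	}
	for i, c := range chain {
		cn := c.Subject.CommonName
		// Basic constraints must be present, marked critical, and carry CA=true.
		var present, critical bool
		for _, ext := range c.Extensions {
			if ext.Id.Equal(oidBasicConstraints) {
				present, critical = true, ext.Critical
			}
		}
		if !present || !critical || !c.IsCA {
			return fmt.Errorf("%s: basic constraints present=%v critical=%v CA=%v", cn, present, critical, c.IsCA)
		}
		// pathLenConstraint bounds the CA levels below this certificate: the i certificates
		// before it plus any still to be issued. Go reports an absent constraint as MaxPathLen <= 0.
		if limit := c.MaxPathLen; (limit > 0 || c.MaxPathLenZero) && i+issueLevels > limit {
			return fmt.Errorf("%s: pathLenConstraint %d exceeded by %d subordinate level(s)", cn, limit, i+issueLevels)
		}
		if i+1 == len(chain) {
			break // root: no issuer to compare against
		}
		issuer := chain[i+1]
		// Not After must not be later than the issuer's Not After.
		if c.NotAfter.After(issuer.NotAfter) {
			return fmt.Errorf("%s: Not After %v is later than issuer's %v", cn, c.NotAfter, issuer.NotAfter)
		}
		// The signature must verify under the issuer's key; this also forces the signing
		// algorithm family to match the issuer key's family.
		if err := c.CheckSignatureFrom(issuer); err != nil {
			return fmt.Errorf("%s: signature does not verify under %s: %v", cn, issuer.Subject.CommonName, err)
		}
	}
	return nil
}

// must panics on error; it keeps the constructed-data helper below short.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newCA builds a constructed test CA valid for the given number of years (sample data,
// not AWS output). plen is the pathLenConstraint (-1 for none); critical sets the
// extension's critical bit, which is why it is encoded by hand. A nil parent makes a root.
func newCA(cn string, plen, years int, critical bool,
	parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	bc := must(asn1.Marshal(struct {
		IsCA       bool `asn1:"optional"`
		MaxPathLen int  `asn1:"optional,default:-1"`
	}{true, plen}))
	tmpl := &x509.Certificate{
		SerialNumber:    big.NewInt(time.Now().UnixNano()),
		Subject:         pkix.Name{CommonName: cn},
		NotAfter:        time.Now().AddDate(years, 0, 0),
		KeyUsage:        x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		ExtraExtensions: []pkix.Extension{{Id: oidBasicConstraints, Critical: critical, Value: bc}},
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

func main() {
	root, rootKey := newCA("Example Root", 1, 10, true, nil, nil)
	sub, _ := newCA("Example Sub", 0, 5, true, root, rootKey)
	longSub, _ := newCA("Long-lived Sub", 0, 20, true, root, rootKey)
	laxSub, _ := newCA("Lax Sub", 0, 5, false, root, rootKey)
	fmt.Println("valid import:        ", CheckCAChain(0, sub, root))
	fmt.Println("outlives issuer:     ", CheckCAChain(0, longSub, root))
	fmt.Println("non-critical basics: ", CheckCAChain(0, laxSub, root))
	fmt.Println("issue from pathLen 0:", CheckCAChain(1, sub, root))
}
```

Only the first case passes. The other three fail for the reasons the list above gives: a subordinate that outlives its issuer, a basic constraints extension that is present but not marked critical, and a subordinate with pathLenConstraint 0 that is asked to issue another CA.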

Not enforced

  • Certificate policies. Certificate policies regulate the conditions under which a CA issues certificates.

  • Inhibit anyPolicy. Used in certificates issued to CAs.

  • Issuer Alternative Name. Allows additional identities to be associated with the issuer of the CA certificate.

  • Policy Constraints. These constraints limit a CA's capacity to issue subordinate CA certificates.

  • Policy Mappings. Used in CA certificates. Lists one or more pairs of OIDs; each pair includes an issuerDomainPolicy and a subjectDomainPolicy.

  • Subject Directory Attributes. Used to convey identification attributes of the subject.

  • Subject Information Access. How to access information and services for the subject of the certificate in which the extension appears.

  • Subject Key Identifier (SKI) and Authority Key Identifier (AKI). The RFC requires a CA certificate to contain the SKI extension, and requires certificates issued by the CA to contain an AKI extension matching the CA certificate's SKI. AWS Private CA does not enforce these requirements. If your CA certificate does not contain an SKI, the AKI of any end-entity or subordinate CA certificate it issues is instead the SHA-1 hash of the issuer's public key.

  • SubjectPublicKeyInfo and Subject Alternative Name (SAN). When issuing a certificate, AWS Private CA copies the SubjectPublicKeyInfo and SAN extensions from the provided CSR without validating them. Any restriction you want on the key type or size, or on the names in the SAN, must therefore be applied to the CSR before it is submitted for issuance.
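Because the CA copies the CSR's SubjectPublicKeyInfo and SAN through unchanged, the screening has to happen on the caller's side before the CSR is submitted for issuance. The following Go program is an added example, not code from this page or from AWS. The policy it enforces (an allow-list of DNS suffixes, no wildcard names, dNSName-only SANs, and only the key types and sizes from the algorithm table above) is this example's own assumption, not a rule the page states; the CSRs it screens are constructed inline with fresh keys.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"strings"
)

// ScreenCSR vets a DER-encoded CSR before it is submitted for issuance, since the CA copies
// SubjectPublicKeyInfo and SAN through unchanged. It returns the dNSName entries that would
// land in the certificate, or the first policy failure. The policy is this example's own.
func ScreenCSR(der []byte, allowedSuffixes []string) ([]string, error) {
	csr, err := x509.ParseCertificateRequest(der)
	if err != nil {
		return nil, fmt.Errorf("CSR does not parse: %w", err)
	}
	// Proof of possession: the CSR must be signed by the key it carries.
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("CSR signature invalid: %w", err)
	}
	if err := checkKey(csr.PublicKey); err != nil {
		return nil, err
	}
	var names []string
	for _, d := range csr.DNSNames {
		if !inNamespace(d, allowedSuffixes) {
			return nil, fmt.Errorf("dNSName %q outside permitted namespace", d)
		}
		names = append(names, "DNS:"+d)
	}
	// The SAN extension is copied verbatim, so refuse name forms this policy never vets.
	if n := len(csr.IPAddresses) + len(csr.EmailAddresses) + len(csr.URIs); n > 0 {
		return nil, fmt.Errorf("%d non-dNSName SAN entries present", n)
	}
	if len(names) == 0 {
		return nil, fmt.Errorf("CSR carries no dNSName to certify")
	}
	return names, nil
}

// checkKey accepts only key types and sizes from the algorithm table above.
func checkKey(pub any) error {
	switch k := pub.(type) {
	case *rsa.PublicKey:
		if bits := k.N.BitLen(); bits < 2048 {
			return fmt.Errorf("RSA key is %d bits; policy requires at least 2048", bits)
		}
	case *ecdsa.PublicKey:
		if k.Curve != elliptic.P256() && k.Curve != elliptic.P384() {
			return fmt.Errorf("EC curve %s not permitted; use P-256 or P-384", k.Params().Name)
		}
	default:
		return fmt.Errorf("unsupported public key type %T", pub)
	}
	return nil
}

// inNamespace reports whether name equals, or is a subdomain of, one of the suffixes.
// Wildcards are refused; letter case and a trailing dot are normalised first.
func inNamespace(name string, suffixes []string) bool {
	name = strings.ToLower(strings.TrimSuffix(name, "."))
	if strings.Contains(name, "*") {
		return false
	}
	for _, s := range suffixes {
		s = strings.ToLower(strings.TrimSuffix(s, "."))
		if name == s || strings.HasSuffix(name, "."+s) {
			return true
		}
	}
	return false
}

// makeCSR builds a constructed CSR under a fresh P-256 key (sample input, not a real request).
func makeCSR(cn string, dns, emails []string) []byte {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{
		Subject: pkix.Name{CommonName: cn}, DNSNames: dns, EmailAddresses: emails}, key)
	if err != nil {
		panic(err)
	}
	return der
}

func main() {
	policy := []string{"internal.example.com"}
	good := makeCSR("api.internal.example.com", []string{"api.internal.example.com"}, nil)
	rogue := makeCSR("api.internal.example.com", []string{"api.internal.example.com", "login.example.org"}, nil)
	fmt.Println(ScreenCSR(good, policy))
	fmt.Println(ScreenCSR(rogue, policy))
}
```

The second CSR is the case that matters: its subject looks legitimate, and only the SAN list carries the out-of-namespace name that the CA would otherwise copy straight into the certificate.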

Pricing for AWS Private Certificate Authority

Your account is charged a monthly price for each private CA starting from the time that you create it. You are also charged for each certificate that you issue. This charge includes certificates that you export from ACM and certificates that you create from the AWS Private CA API or AWS Private CA CLI. You are not charged for a private CA after it has been deleted. However, if you restore a private CA, you are charged for the time between deletion and restoration. Private certificates whose private key you cannot access are free. These include certificates that are used with Integrated Services such as Elastic Load Balancing, CloudFront, and API Gateway.

For the latest AWS Private CA pricing information, see AWS Private Certificate Authority Pricing. You can also use the AWS pricing calculator to estimate costs.