How to choose a PKI service
AWS offers two primary PKI services, ACM and AWS Private CA. Use the guidance here to help you decide which service to use for a given scenario.
When to use ACM
A public SSL/TLS certificate is required to authenticate the identity of your web server and establish a secure connection with any trustworthy host it might interact with. With ACM, you can easily create and manage public and private SSL/TLS certificates or import an external public certificate into your AWS environment.
When Do I Use It?
Use ACM when you need to create a new public certificate, renew a public certificate created with ACM, or import an existing public certificate into your AWS environment.
Use ACM to generate a private certificate and manage it within the same environment as your public certificates. You must first use AWS Private CA to establish a private CA from which private certificates can be validated. Private certificates created in ACM are bound by the following restrictions:
- They must use RSA-2048 keys and SHA-256 hashing.
- They must be renewed after 13 months.
- Their subject must be a DNS name.
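The two-step flow described here (establish a private CA with AWS Private CA, then have ACM issue a private certificate from it) as an added example, not AWS's own code: it uses boto3 (assumed installed and configured with credentials), and the CA name, organization and domain are assumed sample values. The DNS-subject check mirrors the restriction above; ACM itself fixes the RSA-2048 key and the 13-month validity.

```python
import re

# Pattern for the DNS-name subjects ACM accepts for private certificates:
# an optional wildcard label, then hostname labels; no scheme, path or DN syntax.
_DNS_NAME = re.compile(r"^(\*\.)?([a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.IGNORECASE)

def is_acm_issuable(subject):
    """Return True if ACM can issue a private certificate for this subject."""
    return bool(_DNS_NAME.match(subject))

def ca_configuration(common_name, organization):
    """CertificateAuthorityConfiguration for the private root CA. SigningAlgorithm
    is what the CA uses for certificates it issues, so SHA256WITHRSA keeps every
    ACM-issued private certificate on SHA-256 (the CA key itself is RSA-2048 here)."""
    return {
        "KeyAlgorithm": "RSA_2048",
        "SigningAlgorithm": "SHA256WITHRSA",
        "Subject": {"CommonName": common_name, "Organization": organization},
    }

def create_root_ca(pca, common_name, organization):
    """Create the CA, self-sign its CSR and import the result to activate it."""
    arn = pca.create_certificate_authority(
        CertificateAuthorityConfiguration=ca_configuration(common_name, organization),
        CertificateAuthorityType="ROOT",
    )["CertificateAuthorityArn"]
    pca.get_waiter("certificate_authority_csr_created").wait(CertificateAuthorityArn=arn)
    csr = pca.get_certificate_authority_csr(CertificateAuthorityArn=arn)["Csr"]
    cert_arn = pca.issue_certificate(
        CertificateAuthorityArn=arn, Csr=csr.encode(), SigningAlgorithm="SHA256WITHRSA",
        TemplateArn="arn:aws:acm-pca:::template/RootCACertificate/V1",
        Validity={"Value": 10, "Type": "YEARS"},
    )["CertificateArn"]
    pca.get_waiter("certificate_issued").wait(CertificateAuthorityArn=arn, CertificateArn=cert_arn)
    cert = pca.get_certificate(CertificateAuthorityArn=arn, CertificateArn=cert_arn)["Certificate"]
    pca.import_certificate_authority_certificate(CertificateAuthorityArn=arn, Certificate=cert.encode())
    return arn

def request_private_cert(acm, ca_arn, domain_name):
    """Ask ACM for a private certificate signed by the CA; ACM fixes the key
    (RSA-2048) and the 13-month validity, so only the DNS subject is checked here."""
    if not is_acm_issuable(domain_name):
        raise ValueError(f"ACM private certificates need a DNS-name subject: {domain_name!r}")
    return acm.request_certificate(DomainName=domain_name, CertificateAuthorityArn=ca_arn)["CertificateArn"]

if __name__ == "__main__":
    import boto3  # assumed available and configured with credentials (sample values below)
    ca_arn = create_root_ca(boto3.client("acm-pca"), "Example Corp Private Root CA", "Example Corp")
    print(request_private_cert(boto3.client("acm"), ca_arn, "api.internal.example.com"))
```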
When to use AWS Private CA
Private certificates are issued by a private CA and are exclusively used for authentication between entities within your organization. As a result, private certificates cannot be publicly trusted. AWS Private CA lets you establish a private CA and use it to create and manage private certificates under its authority. Private certificates can be managed by AWS Private CA as a standalone service or in conjunction with ACM.
- Use AWS Private CA if you need to create an internal CA for further authentication operations.
- Use AWS Private CA if you need to generate a private certificate for internal entity authentication.
Note
ACM can also generate private certificates once a private CA has been established, but AWS Private CA gives you more control over the management and encryption protocols of those private certificates.