Posted On: Oct 29, 2019

AWS Certificate Manager (ACM) Private Certificate Authority (CA) now enforces name constraints in imported CA certificates. Name constraints are defined in the Internet public key infrastructure (PKI) standard RFC 5280 and provide a way for CA administrators to restrict subject names in certificates.

Administrators can now control which names are allowed or prohibited in certificates issued from their private CAs. Customers use private CAs to issue certificates that identify resources within their organizations, such as API endpoints with names like api-example.corp, or server names such as server1.project1.corp. Administrators can allow names they want to be used such as project1.corp, and deny names, including public DNS domain names, such as or *.com or private domain names reserved for other internal projects, such as project2.corp. With these name constraints policies in place, CA administrators can ensure their CA will be used to issue private certificates only for approved resource names. To learn more about name constraints see the ACM Private CA documentation.

For a list of regions where ACM Private CA is available, see AWS Regions and Endpoints

To get started, first time ACM Private CA customers can try the service for 30 days with no charge for the operation of their first CA. Visit the ACM Private CA website to learn more about ACM Private CA.