AWS Certificate Manager Private Certificate Authority now supports Private CA sharing

Posted on: Aug 17, 2020

AWS Certificate Manager (ACM) Private Certificate Authority (CA) now supports sharing a Private CA with any AWS account or within your organization. Customers manage a Private CA in a central account and use AWS Resource Access Manager (RAM) to share the CA with other accounts or organizations where SSL/TLS certificates will be issued. This eliminates the need to provision duplicate resources in every account in a multi-account environment, reducing the cost and complexity of managing those resources in every account.

Using RAM, customers can share CAs with an account or an AWS Organization. CA sharing works with AWS Certificate Manager to allow the designated account owners to easily provision, manage, and deploy private certificates from the shared Private CA. AWS Certificate Manager can automate renewal and deployment of private certificates when used with ACM-integrated services, such as Elastic Load Balancing and API Gateway. ACM Private CA provides APIs to automate creation and renewal of private certificates for on-premises resources, EC2 instances, and IoT devices. Alternatively, customers can call Private CA directly from the designated accounts to issue certificates. Customers can follow security best practices by keeping the CA in a central, secure account and sharing only the ability to issue certificates with others. This separates CA administrator functions, such as configuration, audit, and management of the CA, from operator actions that only need access to issue certificates. Cross-account sharing reduces the cost of CA ownership for cross-account deployments through the use of a single CA shared across the organization. This feature works with integrated services like AWS App Mesh and Amazon Managed Streaming for Apache Kafka.

ACM Private CA is a managed private CA service that helps you easily and securely manage the lifecycle of your private certificates. ACM Private CA provides you a highly available private CA service without the upfront investment and ongoing maintenance costs of operating your own private CA. ACM Private CA extends ACM’s certificate management capabilities to private certificates, enabling you to manage public and private certificates centrally.

For a list of regions where ACM Private CA is available, see AWS Regions and Endpoints.

Visit the ACM Private CA documentation to learn more about sharing Private CAs. Read this AWS Security blog on configuring cross-account CA sharing for step-by-step configuration. To get started, first-time ACM Private CA customers can try the service for 30 days with no charge for the operation of their first CA. Visit the ACM Private CA website to learn more about ACM Private CA.