Posted On: Jan 19, 2021
AWS Certificate Manager (ACM) Private Certificate Authority (CA) now supports additional customization options for issuing CA and end entity certificates to meet additional use cases such as identity certificates, including smart card certificates. Customers can now include certificate attributes via API calls at the time of issuance in addition to inclusion in the certificate signing request (CSR). Additionally, with this launch, customers can configure the certificate start date and time to account for clock skew and other situations in which IoT or other devices reset to a specific date in the past when they lose power.
ACM Private CA provides you a highly-available private CA service without the upfront investment and ongoing maintenance costs of operating your own private CA. With this release, customers can now pass in any X.509v3 certificate extensions either through the certificate signing request (CSR), which is the information passed to the CA when making a request to issue a certificate, or supply them when making a certificate request using the API. This gives CA administrators the ability to add information to be included in certificates that is not present in the certificate request. For example, a CA administrator can programmatically add subject information to a certificate that the client requesting the certificate doesn't have access to, such as job or role information from an enterprise directory. Customers can now configure both end entity certificates and subordinate CA certificates in this manner. For example, customers can now passthrough custom values from the API or CSR to the issued certificate for Smart Card logon, or configure the certificate start date and time to account for clock skew. Customers can also provide certain extension values from information stored in Active Directory (AD) using the API. With the help of a 3rd party proxy to connect AD and Private CA, customers can use these private certificates with Active Directory and AD-connected devices using autoenrollment.
Visit the ACM Private CA documentation to learn more about these new methods.
For a list of regions where ACM Private CA is available, see AWS Regions and Endpoints.