Posted On: Jun 15, 2021

AWS Certificate Manager (ACM) Private Certificate Authority (CA) has extended support for sharing CAs via Resource Access Manager (RAM). Customers can now share CAs across accounts to issue certificates defined as client-only TLS and server-only TLS, as well as fully customizable certificates. Customers can also choose to share a CA to allow issuance of CA certificates and to provide the revocation function to other accounts.

AWS Certificate Manager (ACM) Private Certificate Authority (CA) supports sharing a Private CA with any AWS account or within your organization. Customers manage a Private CA in a central account and use AWS Resource Access Manager (RAM) to share the CA with other accounts or organizations where SSL/TLS certificates will be issued. This eliminates the need to provision duplicate resources in every account in a multi-account environment, reducing the cost and complexity of managing those resources in every account.

Customers issue certificates for a range of use cases including TLS certificates, identity certificates, and code signing. Previously, when a CA administrator shared a Private CA with a certificate issuer via RAM, the issuer could issue only one type of certificate, a combined TLS Server and TLS Client certificate. This limited customers who had other use cases for their certificates or who needed to customize their certificates. With the launch of the three new end entity managed permission options, customers can now issue certificates for TLS Client, TLS Server, and blank certificate request (with both API and CSR passthrough) to support the full range of end entity certificates.

This launch also provides customers with two additional managed permissions to support their infrastructure. The first new RAM managed permission option allows customers to share CAs for issuing subordinate CA certificates. The second managed permission option allows customers to share the ability to revoke certificates issued by that CA.
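As an added example (not code from the AWS announcement), the following shell script shares one Private CA through RAM with a single managed permission chosen by name at run time, so the consumer account receives only the action it needs (for example revocation) rather than the broad default permission. The CA ARN, consumer account ID and permission keyword are placeholders, and the managed permission names are discovered with `aws ram list-permissions` rather than assumed.

```shell
#!/bin/sh
# Added example, not from the announcement: share an ACM Private CA through RAM
# with exactly one managed permission selected for the consumer's use case.
# Assumptions (placeholders): CA_ARN, CONSUMER_ACCOUNT, PERMISSION_KEYWORD, and
# an AWS CLI configured in the account that owns the CA.
set -eu

CONSUMER_ACCOUNT="${CONSUMER_ACCOUNT:-222222222222}"
# Substring of the managed permission name to select, e.g. "Revoke" or
# "SubordinateCA". "Default" (all actions at once) is refused below.
PERMISSION_KEYWORD="${PERMISSION_KEYWORD:-Revoke}"

# pick_permission_arn: read "<arn><TAB><name>" lines on stdin (the shape that
# `aws ram list-permissions --query 'permissions[].[arn,name]' --output text`
# prints) and emit the one ARN whose name contains "$1". Fails on zero or
# multiple matches, and when the broad Default permission is requested.
pick_permission_arn() {
  keyword="$1"; match=""; count=0
  case "$keyword" in
    *Default*) echo "refusing the broad Default permission" >&2; return 1 ;;
  esac
  tab="$(printf '\t')"
  while IFS="$tab" read -r arn name; do
    [ -n "$arn" ] || continue
    case "$name" in
      *"$keyword"*) match="$arn"; count=$((count + 1)) ;;
    esac
  done
  if [ "$count" -ne 1 ]; then
    echo "expected exactly one permission matching '$keyword', found $count" >&2
    return 1
  fi
  printf '%s\n' "$match"
}

share_ca() {
  # Look up the current managed permissions for CAs instead of hardcoding ARNs.
  perm_arn="$(aws ram list-permissions \
      --resource-type acm-pca:CertificateAuthority \
      --query 'permissions[].[arn,name]' --output text \
      | pick_permission_arn "$PERMISSION_KEYWORD")"
  # One share, one CA, one principal, one permission; external principals are
  # disallowed so the share cannot leave the organization.
  aws ram create-resource-share \
      --name "pca-${PERMISSION_KEYWORD}-share" \
      --resource-arns "$CA_ARN" \
      --principals "$CONSUMER_ACCOUNT" \
      --permission-arns "$perm_arn" \
      --no-allow-external-principals
}

# Only talk to AWS when a CA ARN has been supplied explicitly.
if [ -n "${CA_ARN:-}" ]; then share_ca; fi
```

Run it as `CA_ARN=arn:aws:acm-pca:... PERMISSION_KEYWORD=Revoke sh share-ca.sh`; the consumer account then accepts the invitation with `aws ram accept-resource-share-invitation` (or automatically if the accounts are in the same organization with sharing enabled).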

ACM Private CA is a managed private CA service that helps you easily and securely manage the lifecycle of your private certificates. ACM Private CA provides you a highly available private CA service without the upfront investment and ongoing maintenance costs of operating your own private CA. ACM Private CA extends ACM’s certificate management capabilities to private certificates, enabling you to manage public and private certificates centrally.

For a list of regions where ACM Private CA is available, see AWS Regions and Endpoints.

To get started, visit the ACM Private CA page to learn more about ACM Private CA.