AWS Certificate Manager (ACM) Private Certificate Authority (CA) is a private CA service that extends ACM’s certificate management capabilities to both public and private certificates. ACM Private CA provides you a highly-available private CA service without the upfront investment and ongoing maintenance costs of operating your own private CA. ACM Private CA allows developers to be more agile by providing them APIs to create and deploy private certificates programmatically. You also have the flexibility to create private certificates for applications that require custom certificate lifetimes or resource names. With ACM Private CA, you can create and manage private certificates for your connected resources in one place with a secure, pay as you go, managed private CA service.
CA administrators can use ACM Private CA to create a complete CA hierarchy, including online root and subordinate CAs, with no need for external CAs. ACM Private CA also allows a hybrid hierarchy with offline and online CAs. A CA hierarchy provides strong security and restrictive access controls for the most-trusted root CA at the top of the trust chain, while allowing more permissive access and bulk certificate issuance for subordinate CAs lower in the chain. You can create secure and highly available CAs without building and maintaining your own on-premises CA infrastructure.
Secure and Managed Private Certificate Authority
ACM Private CA provides you an easier and secure way to create a private CA and use it to create and manage your private certificates. ACM Private CA is secured with AWS-managed hardware security modules (HSMs). These HSMs adhere to FIPS 140-2 Level 3 security standards to securely store the keys for your private CA. Private CA administrators can control access to the service using AWS Identity and Access Management (IAM) policies. ACM Private CA provides you visibility into private certificate activity and allows you to create reports. You can audit private CA activity using AWS CloudTrail logging and monitoring service. ACM Private CA also publishes and updates certificate revocation lists (CRLs) to Amazon S3 automatically to help prevent the use of revoked certificates. For instance, an IoT application can check if the private certificate for a sensor is valid before accepting data from the sensor.
Manage Certificates Centrally
ACM Private CA enables you to manage the lifecycle of your private and public certificates. With ACM Private CA you can choose to delegate certificate management to ACM for certificates used with ACM-integrated services, such as Elastic Load Balancing and API Gateway. You can easily create and deploy private certificates using the AWS Management console or the AWS APIs. ACM can automate renewal and deployment of these certificates. ACM Private CA also provides you with APIs to automate creation and renewal of private certificates for on-premises resources, EC2 instances, and IoT devices. ACM Private CA gives you the flexibility to manage private certificates on your own without ACM certificate management.
COMPLETE CA HIERARCHIES
ACM Private CA enables CA administrators to create a flexible CA hierarchy, including root and subordinate CAs, with no need for external CAs. Customers can create secure and highly available CAs in any of the AWS Regions in which ACM Private CA is available, without building and maintaining their own on-premises CA infrastructure. Alternatively, CA hierarchies can be built in a hybrid mode, combining online and on-premises CAs. In addition to simple management, ACM Private CA provides essential security for operating a CA in accordance with customers’ internal compliance rules and security best practices.
Enable Developer Agility
ACM Private CA provides you the agility to create and deploy certificates with just a few API calls. ACM Private CA allows you to delegate management of private certificates to developers by allowing them to request certificates from private CAs linked to their AWS accounts. You can also automate certificate creation for use cases that require a high-volume of short-lived certificates. For instance, you can automatically create and deploy certificates to identify new EC2 instances and containers in auto-scaling environments, or to authenticate event notification messages sent from AWS Lambda functions.
Flexibility to Customize Private Certificates
ACM Private CA can be used as a standalone service, without ACM certificate management, to create and deploy customized private certificates, such as certificates with custom resource names or lifetimes. This flexibility is helpful in use cases that need to identify resources by a specific name, for instance identifying a device by its serial number, or when certificates cannot be rotated easily, such as certificates embedded into hardware devices during the manufacturing process.
Pay As You Go Pricing
ACM Private CA is more cost-effective compared to the traditional, commercially available options. ACM Private CA provides you the ability to pay monthly for the service and certificates you create and deploy. You pay less as you use more certificates. Learn more about pricing here.
AWS-managed Certificate Authority
ACM Private CA is a managed service that automates time-consuming administrative tasks, such as hardware provisioning, software patching, high availability, and backups. ACM Private CA provides security, configuration, management, and monitoring of a highly available private CA. ACM Private CA allows you to choose among several CA key algorithms and key sizes, including RSA 2048 or 4096 and ECDSA P256 or P384. ACM
Certificate Lifecycle Management
ACM Private CA is integrated with ACM to allow you to manage both public and private certificates from a single console interface. When you use ACM to request certificates from your Private CA, ACM generates and manages the private keys, renews certificates automatically, and deploys certificates to resources on ACM-integrated services, including Elastic Load Balancing load balancers and API Gateway endpoints. ACM also makes it easy for you to export and deploy private certificates anywhere using API-based automation.
SECURE ROOT CA AND CA HIERARCHY MANAGMENT
An ACM Private CA hierarchy provides strong security and restrictive access controls for the most-trusted root CA at the top of the trust chain, while allowing more permissive access and bulk certificate issuance for subordinate CAs lower in the chain. You can control who can create a new CA or restrict access to existing CAs using AWS Identity and Access Management (IAM) policies. All ACM Private CAs in a hierarchy protect your CA private keys in FIPS 140-2 level 3 hardware
Secure HSM-backed Key Storage for CA Keys
The keys used by a certificate authority to sign certificates are highly sensitive. ACM Private CA secures CA keys with AWS-managed hardware security modules, also known as HSMs. These HSMs adhere to FIPS 140-2 Level 3 security standards to help protect your Private CA against key compromises.
You can control access to the Private CA service with AWS IAM policies. For example, you can create a policy to grant IT administrators who are responsible for CA management full access to create and configure Private CAs, while granting limited access to developers and users who need only to issue and revoke certificates.
Certificate Revocation List (CRL) Generation
ACM Private CA automatically publishes and updates certificate revocation lists to your Amazon S3 bucket. Applications, services, and devices use CRLs to evaluate the status of a certificate each time a connection is made between two resources. For instance, an IoT application can check if the private certificate for a sensor is valid before accepting data from the sensor.
You can write code to automate certificate management in your programming language of your choice using the ACM Private CA and ACM APIs. The AWS SDKs make authentication simpler and integrate efficiently with your development environment. You can also write scripts or one-off commands using command line tools to interact with the service.
ACM Private CA can be used as a standalone service to issue certificates directly without using ACM for certificate and private key management. When used this way, you can create certificates with any subject name you want, with any of the supported key algorithms, key sizes, signing algorithms, and any validity period, including days, months, or years from the present time, or a specific end date.
Auditing and Logging
ACM Private CA provides you and your auditors with visibility into the activity of your Private CAs. You can create audit reports that include the status of all of the certificates issued from the CA. ACM Private CA is integrated with AWS CloudTrail. CloudTrail captures API calls from the ACM Private CA console, from the CLI, or from your code, and delivers the log files to your S3 bucket. Using the information collected by CloudTrail, you can determine the request that was made, the IP address from which the request came, when it was made, and so on.
Arctic Wolf Networks (AWN) is an industry leading SOC-as-a-service provider that offers 24x7 monitoring and managed threat detection and response for on-premise and cloud applications and infrastructure. We use ACM Private Certificate Authority (CA) to issue certificates to ensure secure connections from our sensors to our purpose-built Security Operations Center platform that runs in AWS. ACM Private CA gives us a secure and managed CA that we can integrate into our infrastructure using familiar AWS APIs.
Help meet compliance requirements
By making it easy to enable SSL/TLS, AWS Certificate Manager can help your organization meet regulatory and compliance requirements for encryption of data in transit. For specific information about compliance, refer to the AWS Cloud Compliance site.
AWS Certificate Manager helps manage the challenges of maintaining SSL/TLS certificates, including certificate renewals so you don’t have to worry about expiring certificates.
Set up and log into your AWS account
Request an SSL/TLS certificate