AWS Private Certificate Authority Documentation

AWS Private Certificate Authority

AWS Private Certificate Authority (Private CA) is a highly available, managed private certificate authority (CA) service. With AWS Private CA, you can create private certificates to identify resources and protect data. Using AWS Private CA can help you avoid outages and improve uptime by automating CA and certificate management using API calls, AWS CLI commands, or AWS CloudFormation templates.

The service’s APIs allow developers to customize and deploy private certificates, and administrators can use AWS Private CA to create a fully cloud-based CA hierarchy or a hybrid hierarchy combining cloud and on-premises CAs. AWS Private CA is a cryptographically agile service with different key algorithms and key sizes, in addition to hardware-protected private keys.

Modes

AWS Private CA offers modes with different capabilities and pricing for your use cases. AWS Private CA’s modes are described here. Current pricing for AWS Private CA’s modes is available at the AWS Private CA pricing page.

Secure Hardware Security Module (HSM) key storage

AWS Private CA is designed to protect and manage the keys used by the CA to sign your certificates. AWS Private CA uses HSMs that adhere to FIPS 140-2 security standards to help protect your private CA against key compromises.

IAM integration

You can control access to AWS Private CA with IAM policies. You can create a policy to grant IT administrators who are responsible for CA management full access to create and configure private CAs, while granting limited access to developers and users who need only to issue and revoke certificates.
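As an added illustration of the split described above (this is an example policy written for this page, not one taken from the AWS documentation): the limited-access policy for developers grants only the issue, fetch and revoke actions, scoped to one private CA and, through the `acm-pca:TemplateArn` condition key, to the standard end-entity certificate template, so a developer cannot issue subordinate CA certificates. The CA ARN, region and account ID are placeholders to be replaced with your own. The administrator policy, by contrast, would simply allow `acm-pca:*` on the CA resources the administrators manage.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DeveloperIssueAndRevokeOnOneCA",
      "Effect": "Allow",
      "Action": [
        "acm-pca:IssueCertificate",
        "acm-pca:GetCertificate",
        "acm-pca:RevokeCertificate",
        "acm-pca:DescribeCertificateAuthority"
      ],
      "Resource": "arn:aws:acm-pca:REGION-PLACEHOLDER:ACCOUNT-ID-PLACEHOLDER:certificate-authority/CA-ID-PLACEHOLDER"
    },
    {
      "Sid": "AssumptionDenyNonEndEntityTemplates",
      "Effect": "Deny",
      "Action": "acm-pca:IssueCertificate",
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "acm-pca:TemplateArn": "arn:aws:acm-pca:::template/EndEntityCertificate/V1"
        }
      }
    }
  ]
}
```

The explicit `Deny` statement is the part that makes the policy least-privilege in practice: without it, a principal allowed to call `IssueCertificate` could request any template the CA supports, including CA templates. Review CloudTrail for `IssueCertificate` and `RevokeCertificate` events from these principals to confirm the policy behaves as intended before rolling it out widely.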

Customizable certificates

AWS Private CA allows you to customize private certificates to the needs of your organization’s identity or data protection security requirements. AWS Private CA supports customizable names, as well as standard and non-standard extensions.

Cross-account CA Sharing

You can use AWS Private CA to share CAs across your organization or AWS accounts to avoid the cost and complexity of creating and managing multiple CAs in each of your AWS accounts. You can create resource shares through AWS Resource Access Manager (RAM) that include your private CAs and are associated with a set of accounts or AWS Organizations. This capability allows the included accounts to issue private certificates from the shared CA through an integration with AWS Certificate Manager (ACM). Note: ACM cannot issue short-lived certificates.

Auditing and Logging

With AWS Private CA’s integration with AWS CloudTrail, you can create audit reports that include the status of all the certificates issued from the CA. CloudTrail captures API calls from the AWS Private CA console, the AWS Command Line Interface (CLI), or your code and delivers the log files to your Amazon Simple Storage Service (S3) bucket.

Additional Information

For additional information about service controls, security features and functionalities, including, as applicable, information about storing, retrieving, modifying, restricting, and deleting data, please see https://docs.aws.amazon.com/index.html. This additional information does not form part of the Documentation for purposes of the AWS Customer Agreement available at http://aws.amazon.com/agreement, or other agreement between you and AWS governing your use of AWS’s services.