
AWS Private Certificate Authority Documentation

AWS Private Certificate Authority

With AWS Private CA, you can create private certificates to help identify resources and protect data. AWS Private CA is designed to help you avoid outages and improve uptime by helping with CA and certificate management using API calls, AWS CLI commands, or AWS CloudFormation templates.

The service’s APIs enable developers to customize and deploy private certificates, and administrators can use AWS Private CA to create a cloud-based CA hierarchy or a hybrid hierarchy combining cloud and on-premises CAs. AWS Private CA is designed to be a cryptographically agile service with different key algorithms and key sizes, in addition to hardware-protected private keys. 

Secure root CA and CA hierarchy management

An AWS Private CA hierarchy is designed to support security and access controls for CAs at the top of the trust chain, while allowing more permissive access and bulk certificate issuance for subordinate CAs lower on the chain. The private keys for your CA hierarchy are designed to be protected by hardware.

Modes

AWS Private CA is designed to offer modes with different capabilities and pricing for all your use cases. All modes of AWS Private CA are designed to help administrators, builders, and developers to set up and manage a private CA.

  • short-lived certificate mode for certificates with a limited validity period
  • general-purpose mode for certificates with any validity period

Connectors

Connectors enable you to replace your existing CAs with AWS Private CA in environments that have an established native certificate distribution solution. AWS Private CA is designed to offer three connector types. Using the portfolio of connectors, you can use AWS Private CA as the CA solution for your organization.

  • Connector for Active Directory (AD): The Connector for AD allows you to use AWS Private CA as a drop-in replacement for your self-managed enterprise CAs. Enterprises that use AD to manage Windows environments can simplify their private CA. You can issue certificates to your domain-joined objects that enroll using AD auto-enrollment and group policy features.
  • Connector for Kubernetes: You can use the Connector for Kubernetes to issue certificates for Kubernetes clusters at scale. This connector is designed to integrate with Kubernetes to assist with configuration of end-to-end encryption for Amazon Elastic Kubernetes Service (Amazon EKS).
  • Connector for SCEP (Preview): The Connector for SCEP enables you to use a managed, cloud CA to enroll mobile devices and networking gear. Simple Certificate Enrollment Protocol (SCEP) is a protocol used by mobile device management (MDM) solutions for getting digital identity certificates from a CA and enrolling mobile devices.

Secure Hardware Security Module (HSM) key storage

AWS Private CA is designed to protect and manage the keys used by the CA to sign your certificates.

Certificate revocation with CRL and OCSP

When an encrypted TLS connection is established, revocation infrastructure is what lets the endpoint learn that a certificate should no longer be trusted. AWS Private CA customers can choose Online Certificate Status Protocol (OCSP), certificate revocation lists (CRLs), or both to distribute revocation information for their private certificates.
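The two-tier hierarchy described under "Secure root CA and CA hierarchy management", with CRL revocation enabled on both CAs and HSM-backed keys, as an added CloudFormation template that is not from the original page or the AWS documentation. The S3 bucket name is a placeholder for an existing bucket whose bucket policy already lets acm-pca.amazonaws.com write CRLs, and the subject names are made up.

```yaml
Resources:
  RootCA:                       # top of the trust chain: kept offline from bulk issuance
    Type: AWS::ACMPCA::CertificateAuthority
    Properties:
      Type: ROOT
      KeyAlgorithm: EC_prime256v1
      SigningAlgorithm: SHA256WITHECDSA
      KeyStorageSecurityStandard: FIPS_140_2_LEVEL_3_OR_HIGHER   # HSM-protected CA key
      Subject: {Country: US, Organization: Example Corp, CommonName: Example Root CA}
      # example-crl-bucket is a placeholder; the bucket must already exist and grant acm-pca write access
      RevocationConfiguration: {CrlConfiguration: {Enabled: true, ExpirationInDays: 7, S3BucketName: example-crl-bucket}}
  RootCACert:                   # the root self-signs its own CSR using the root CA template
    Type: AWS::ACMPCA::Certificate
    Properties:
      CertificateAuthorityArn: !Ref RootCA
      CertificateSigningRequest: !GetAtt RootCA.CertificateSigningRequest
      SigningAlgorithm: SHA256WITHECDSA
      TemplateArn: arn:aws:acm-pca:::template/RootCACertificate/V1
      Validity: {Type: YEARS, Value: 10}
  RootCAActivation:
    Type: AWS::ACMPCA::CertificateAuthorityActivation
    Properties:
      CertificateAuthorityArn: !Ref RootCA
      Certificate: !GetAtt RootCACert.Certificate
      Status: ACTIVE
  IssuingCA:                    # subordinate: the CA that issues end-entity certificates at scale
    Type: AWS::ACMPCA::CertificateAuthority
    Properties:
      Type: SUBORDINATE
      KeyAlgorithm: EC_prime256v1
      SigningAlgorithm: SHA256WITHECDSA
      KeyStorageSecurityStandard: FIPS_140_2_LEVEL_3_OR_HIGHER
      Subject: {Country: US, Organization: Example Corp, CommonName: Example Issuing CA}
      # shorter CRL lifetime here: revocations of leaf certificates should propagate quickly
      RevocationConfiguration: {CrlConfiguration: {Enabled: true, ExpirationInDays: 2, S3BucketName: example-crl-bucket}}
  IssuingCACert:                # signed by the root; PathLen0 stops it from creating further CAs
    Type: AWS::ACMPCA::Certificate
    DependsOn: RootCAActivation # the root must be active before it can sign anything
    Properties:
      CertificateAuthorityArn: !Ref RootCA
      CertificateSigningRequest: !GetAtt IssuingCA.CertificateSigningRequest
      SigningAlgorithm: SHA256WITHECDSA
      TemplateArn: arn:aws:acm-pca:::template/SubordinateCACertificate_PathLen0/V1
      Validity: {Type: YEARS, Value: 3}
  IssuingCAActivation:
    Type: AWS::ACMPCA::CertificateAuthorityActivation
    Properties:
      CertificateAuthorityArn: !Ref IssuingCA
      Certificate: !GetAtt IssuingCACert.Certificate
      CertificateChain: !GetAtt RootCAActivation.CompleteCertificateChain
      Status: ACTIVE
```

Access to the root CA's issue and revoke actions should be restricted with IAM to the few principals that manage the hierarchy, while workloads are granted issuance only against the issuing CA's ARN.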

Cross-account CA Sharing

You can use AWS Private CA to share CAs across your organization or AWS accounts. You can create resource shares through AWS Resource Access Manager (RAM) that include your private CAs and are associated with a set of accounts or AWS Organizations. This capability enables the included accounts to issue private certificates from the shared CA through an integration with AWS Certificate Manager (ACM).

Customizable certificates

AWS Private CA is designed to help you customize private certificates to meet your organization’s identity or data protection requirements. By using customizable names, you can support identities for computers, web services, containers, users, IoT devices, and more. Standard certificate extensions are designed to be natively supported, and you can use Private CA’s custom extension capability, which is designed to create certificates with non-standard extensions.

Certificate management

You can write code for certificate management in the programming language of your choice using AWS Private CA. The AWS SDKs are designed to assist with authentication and to integrate with your development environment. You can also write scripts or one-off commands using command line tools to interact with the service.

Additional Information

For additional information about service controls, security features and functionalities, including, as applicable, information about storing, retrieving, modifying, restricting, and deleting data, please see https://docs.aws.amazon.com/index.html. This additional information does not form part of the Documentation for purposes of the AWS Customer Agreement available at http://aws.amazon.com/agreement, or other agreement between you and AWS governing your use of AWS’s services.