With AWS Private Certificate Authority (AWS Private CA), you pay a monthly fee for the operation of each private certificate authority (CA), the private certificates you issue each month, and the use of the Online Certificate Status Protocol (OCSP).

Private certificate authority operation

There are two operating modes in AWS Private CA. General-purpose mode can issue certificates with any validity period. Short-lived certificate mode can only issue certificates valid for up to 7 days.

The charge for operating a private CA is as follows:

  • $400 per private CA per month for general-purpose mode
  • $50 per private CA per month for short-lived certificate mode

Private CA operation is pro-rated for partial months based on when you create and delete the CA. You are not charged for a private CA after you delete it. However, if you restore a deleted CA, you are charged for the time between deleting it and restoring it (CA restoration is only available for 30 days after deletion).

AWS Private CA 30-day free trial

Any AWS account can try AWS Private CA with no CA operation charge for the first 30 days for the first private CA created in the account in each Region. You pay for the certificates you issue during the trial period. If you wish to terminate the trial, then you must delete the CA, if you do not you will start to incur CA operation charges after the trial period expires.
Start a free trial of AWS Private CA »

Private certificates

For certificates you issue directly from a private CA, you are charged when you issue a certificate. You pay a one-time fee for each private certificate issued by AWS Private CA. This fee is incurred in the AWS account from which you issue the certificate. Private certificate pricing is based on the number of certificates issued in the calendar month in each Region (as indicated in the table below).

For certificates requested through AWS Certificate Manager, you are charged for a certificate the first time you export the private key and certificate. You are not charged for additional exports of the same private key and certificate. Renewed certificates have a new key pair, so you are charged the first time you export a renewed certificate. 

If you use AWS Organizations and consolidated billing, fees are aggregated by the payer account. If you move your account to an organization under a different payer account, certificates will be priced according to the pricing tiers applicable to that payer account during that billing cycle.

Certificates from a general-purpose mode private CA
Number of certificates issued in the month / per Region  Price (per certificate) 
1 - 1,000 certificates
$0.75 
1,001 - 10,000 certificates
$0.35 
10,001+ certificates
$0.001 
Certificates from a short-lived certificate mode private CA
Number of certificates issued in the month / per Region Price (per certificate) 
1+ certificates
$0.058 

Connectors

Connectors are an AWS Private CA feature that allow you to replace existing CAs with AWS Private CA in environments that have an established native certificate distribution solution. AWS Private CA offers 2 connector types: Connector for Kubernetes and Connector for Active Directory. Certificates issued through connectors count toward your total number of private certificates each month. The Connector for Kubernetes and Connector for Active Directory are offered at no additional charge; you only pay for the AWS Private CAs and the certificates issued from them.

Online Certificate Status Protocol (OCSP)

When you enable the Online Certificate Status Protocol (OCSP) feature, you pay a monthly fee for OCSP response generation per certificate per month and the total number of OCSP queries made for your certificates each month.
 
  • $0.06 per certificate per month if private CA generated an OCSP response for that certificate. If there were no queries for a certificate during a month, there is no charge.
  • $0.20 per 100,000 OCSP queries, billed on a per-CA basis.

Pricing examples

Certificate issuance

Example 1: Two general-purpose mode private CAs in the same Region

Two general-purpose mode private CAs both in the same Region are used to issue a total of 20,000 certificates in a month.

2 x $400 (general-purpose mode private CA operation)
1,000 x $0.75 (first 1,000 general-purpose mode certificates)
9,000 x $0.35 (next 1,001 up to 10,000 general-purpose mode certificates)
10,000 x $0.001 (above 10,000 general-purpose mode certificates)
Total = $4,710

Example 2: One short-lived certificate mode private CA

One short-lived certificate mode private CA which issues 17,000 short-lived certificates in a month.

1 x $50 (short-lived certificate mode private CA operation)
17,000 x $0.058 (short-lived certificate mode certificates)
Total = $1,036

Example 3: Two general-purpose mode private CAs in two Regions

Two general-purpose mode private CAs; one in US East 1 (Northern Virginia), the other in EU West 1 (Dublin). The general-purpose mode private CA in Virginia issues 12,000 certificates in a month, the general-purpose mode private CA in Dublin issues 8,000 certificates in a month.

2 x $400 (general-purpose mode private CA operation)
1,000 x $0.75 (first 1,000 general-purpose mode certificates Virginia)
9,000 x $0.35 (next 1,001 up to 10,000 general-purpose mode certificates Virginia)
2,000 x $0.001 (above 10,000 general-purpose mode certificates Virginia)
1,000 x $0.75 (first 1,000 general-purpose mode certificates Dublin)
7,000 x $0.35 (next 1,001 up to 10,000 general-purpose mode certificates Dublin)
Total = $7,902

Example 4: 17,000 short-lived certificates and 2,000 certificates with a validity period of over 7 days (for a total of 19,000 certificates) in the same Region

One general-purpose mode private CA or one general-purpose and one short-lived certificate mode private CA.

One general-purpose mode private CA in the same Region:
1 x $400 (general-purpose mode private CA operation)
1,000 x $0.75 (general-purpose mode certificates)
9,000 x $0.35 (general-purpose mode certificates)
9,000 x $0.001 (general-purpose mode certificates)
Total = $4309

One general-purpose mode private CA and one short-lived certificate mode private CA in the same Region:
1 x $400 (general-purpose mode private CA operation)
1 x $50 (short-lived certificate mode private CA operation)
1,000 x $0.75 (general-purpose mode certificates)
1,000 x $0.35 (general-purpose mode certificates)
17,000 x $0.058 (short-lived certificate mode certificates)
Total = $2,536

Example 5: Billing example for 12,000 certificates and 8,000 certificates with a single payer account or two separate payer accounts in the same Region.

Two AWS accounts each with one general-purpose mode private CA in the same Region. In a month, one CA issues 12,000 certificates and the second CA issues 8,000 certificates.

One payer account for both AWS accounts:
2 x $400 (general-purpose mode private CA operation)
1,000 x $0.75 (first 1,000 general-purpose mode certificates)
9,000 x $0.35 (next 1,001 up to 10,000 general-purpose mode certificates)
10,000 x $0.001 (above 10,000 general-purpose mode certificates)
Total = $4,710


Separate payer accounts for both AWS accounts:
1 x $400 (general-purpose mode private CA operation)
1,000 x $0.75 (first 1,000 general-purpose mode certificates)
9,000 x $0.35 (next 1,001 up to 10,000 general-purpose mode certificates)
2,000 x 0.001 (above 10,000 general-purpose mode certificates)
Total for first payer account (CA issues 12,000 certificates) = $4,302

1 x $400 (general-purpose mode private CA operation)
1,000 x $0.75 (first 1,000 general-purpose mode certificates)
7,000 x $0.35 (next 1,001 up to 10,000 general-purpose mode certificates)
Total for second payer account (CA issues 8,000 certificates) = $3,600

Grand total for both AWS accounts = $7,902

OSCP

Example 6: OCSP Use

Two general-purpose mode private CAs. The first is a root and the second is a subordinate. The subordinate had previously issued 100 client and 5 server certificates for mutual TLS. Each of the clients connects to a server once an hour. Both client and server check the status of the entire chain including the root on each connection using OCSP. Therefore, there are 2400 mutual TLS sessions per day and each session generates 4 OCSP queries. This results in 288,000 queries per month.

2 x $400 (general-purpose mode private CA operation)
106 x $0.06 (certificates queried by OCSP)
288,000 x $ 0.000002 (OCSP queries)
Total = $806.94

Connectors

Example 7: Billing example for 8,000 certificates for Active Directory and 4,000 certificates for Kubernetes issued from a general-purpose mode private CA in one Region.

One general-purpose mode private CA issues 12,000 certificates through connectors in one month in one Region.

1 x $400 (general-purpose mode private CA operation)
1,000 x $0.75 (first 1,000 general-purpose mode certificates)
9,000 x $0.35 (next 1,001 up to 10,000 general-purpose mode certificates)
2,000 x $0.001 (above 10,000 general-purpose mode certificates)
Total = $4,302

Additional pricing resources

AWS Pricing Calculator

Easily calculate your monthly costs with AWS.

Get pricing assistance

Contact AWS specialists to get a personalized quote.

Check out additional product-related resources

Visit the resources page.

Learn more 
Sign up for a free account

Instantly get access to the AWS Free Tier. 

Sign up 
Start building in the console

Get started building with AWS Private CA in the AWS Management Console.

Sign in