With AWS Private Certificate Authority (AWS Private CA), you pay a monthly fee for the operation of each private certificate authority (CA), the private certificates you issue each month, and the use of the Online Certificate Status Protocol (OCSP).
Private certificate authority operation
There are two operating modes in AWS Private CA. General-purpose mode can issue certificates with any validity period. Short-lived certificate mode can only issue certificates valid for up to 7 days.
The charge for operating a private CA is as follows:
- $400 per private CA per month for general-purpose mode
- $50 per private CA per month for short-lived certificate mode
Private CA operation is pro-rated for partial months based on when you create and delete the CA. You are not charged for a private CA after you delete it. However, if you restore a deleted CA, you are charged for the time between deleting it and restoring it (CA restoration is only available for 30 days after deletion).
AWS Private CA 30-day free trial
Any AWS account can try AWS Private CA with no CA operation charge for the first 30 days for the first private CA created in the account in each Region. You pay for the certificates you issue during the trial period. To terminate the trial, you must delete the CA; if you do not, you will start to incur CA operation charges after the trial period expires.
Private certificates
For certificates you issue directly from a private CA, you are charged when you issue a certificate. You pay a one-time fee for each private certificate issued by AWS Private CA. This fee is incurred in the AWS account from which you issue the certificate. Private certificate pricing is based on the number of certificates issued in the calendar month in each Region (as indicated in the table below).
For certificates requested through AWS Certificate Manager, you are charged for a certificate the first time you export the private key and certificate. You are not charged for additional exports of the same private key and certificate. Renewed certificates have a new key pair, so you are charged the first time you export a renewed certificate.
If you use AWS Organizations and consolidated billing, fees are aggregated by the payer account. If you move your account to an organization under a different payer account, certificates will be priced according to the pricing tiers applicable to that payer account during that billing cycle.
General-purpose mode:
Number of certificates issued in the month / per Region | Price (per certificate) |
---|---|
1 - 1,000 certificates | $0.75 |
1,001 - 10,000 certificates | $0.35 |
10,001+ certificates | $0.001 |
Short-lived certificate mode:
Number of certificates issued in the month / per Region | Price (per certificate) |
---|---|
1+ certificates | $0.058 |
Connectors
Connectors are an AWS Private CA feature that allows you to replace existing CAs with AWS Private CA in environments that have an established native certificate distribution solution. AWS Private CA offers 3 connector types: Connector for Kubernetes, Connector for Active Directory, and Connector for SCEP. Certificates issued through connectors count toward your total number of private certificates each month. The Connector for Kubernetes, Connector for Active Directory, and Connector for SCEP are offered at no additional charge; you only pay for the AWS Private CAs and the certificates issued from them.
Online Certificate Status Protocol (OCSP)
- $0.06 per certificate per month if the private CA generated an OCSP response for that certificate. If there were no queries for a certificate during a month, there is no charge.
- $0.20 per 100,000 OCSP queries, billed on a per-CA basis.
Pricing examples
Certificate issuance
Example 1: Two general-purpose mode private CAs in the same Region
Two general-purpose mode private CAs both in the same Region are used to issue a total of 20,000 certificates in a month.
2 x $400 (general-purpose mode private CA operation)
1,000 x $0.75 (first 1,000 general-purpose mode certificates)
9,000 x $0.35 (next 1,001 up to 10,000 general-purpose mode certificates)
10,000 x $0.001 (above 10,000 general-purpose mode certificates)
Total = $4,710
Example 2: One short-lived certificate mode private CA
One short-lived certificate mode private CA which issues 17,000 short-lived certificates in a month.
1 x $50 (short-lived certificate mode private CA operation)
17,000 x $0.058 (short-lived certificate mode certificates)
Total = $1,036
Example 3: Two general-purpose mode private CAs in two Regions
Two general-purpose mode private CAs; one in US East 1 (Northern Virginia), the other in EU West 1 (Dublin). The general-purpose mode private CA in Virginia issues 12,000 certificates in a month, the general-purpose mode private CA in Dublin issues 8,000 certificates in a month.
2 x $400 (general-purpose mode private CA operation)
1,000 x $0.75 (first 1,000 general-purpose mode certificates Virginia)
9,000 x $0.35 (next 1,001 up to 10,000 general-purpose mode certificates Virginia)
2,000 x $0.001 (above 10,000 general-purpose mode certificates Virginia)
1,000 x $0.75 (first 1,000 general-purpose mode certificates Dublin)
7,000 x $0.35 (next 1,001 up to 10,000 general-purpose mode certificates Dublin)
Total = $7,902
Example 4: 17,000 short-lived certificates and 2,000 certificates with a validity period of over 7 days (for a total of 19,000 certificates) in the same Region
These certificates can be issued from one general-purpose mode private CA, or from one general-purpose mode private CA and one short-lived certificate mode private CA.
One general-purpose mode private CA in the same Region:
1 x $400 (general-purpose mode private CA operation)
1,000 x $0.75 (general-purpose mode certificates)
9,000 x $0.35 (general-purpose mode certificates)
9,000 x $0.001 (general-purpose mode certificates)
Total = $4,309
One general-purpose mode private CA and one short-lived certificate mode private CA in the same Region:
1 x $400 (general-purpose mode private CA operation)
1 x $50 (short-lived certificate mode private CA operation)
1,000 x $0.75 (general-purpose mode certificates)
1,000 x $0.35 (general-purpose mode certificates)
17,000 x $0.058 (short-lived certificate mode certificates)
Total = $2,536
Example 5: Billing example for 12,000 certificates and 8,000 certificates with a single payer account or two separate payer accounts in the same Region.
Two AWS accounts each with one general-purpose mode private CA in the same Region. In a month, one CA issues 12,000 certificates and the second CA issues 8,000 certificates.
One payer account for both AWS accounts:
2 x $400 (general-purpose mode private CA operation)
1,000 x $0.75 (first 1,000 general-purpose mode certificates)
9,000 x $0.35 (next 1,001 up to 10,000 general-purpose mode certificates)
10,000 x $0.001 (above 10,000 general-purpose mode certificates)
Total = $4,710
Separate payer accounts for both AWS accounts:
1 x $400 (general-purpose mode private CA operation)
1,000 x $0.75 (first 1,000 general-purpose mode certificates)
9,000 x $0.35 (next 1,001 up to 10,000 general-purpose mode certificates)
2,000 x $0.001 (above 10,000 general-purpose mode certificates)
Total for first payer account (CA issues 12,000 certificates) = $4,302
1 x $400 (general-purpose mode private CA operation)
1,000 x $0.75 (first 1,000 general-purpose mode certificates)
7,000 x $0.35 (next 1,001 up to 10,000 general-purpose mode certificates)
Total for second payer account (CA issues 8,000 certificates) = $3,600
Grand total for both AWS accounts = $7,902
OCSP
Example 6: OCSP Use
Two general-purpose mode private CAs. The first is a root and the second is a subordinate. The subordinate had previously issued 100 client and 5 server certificates for mutual TLS. Each of the clients connects to a server once an hour. Both client and server check the status of the entire chain including the root on each connection using OCSP. Therefore, there are 2400 mutual TLS sessions per day and each session generates 4 OCSP queries. This results in 288,000 queries per month.
2 x $400 (general-purpose mode private CA operation)
106 x $0.06 (certificates queried by OCSP)
288,000 x $0.000002 (OCSP queries)
Total = $806.94
Connectors
Example 7: Billing example for 8,000 certificates for Active Directory and 4,000 certificates for Kubernetes issued from a general-purpose mode private CA in one Region.
One general-purpose mode private CA issues 12,000 certificates through connectors in one month in one Region.
1 x $400 (general-purpose mode private CA operation)
1,000 x $0.75 (first 1,000 general-purpose mode certificates)
9,000 x $0.35 (next 1,001 up to 10,000 general-purpose mode certificates)
2,000 x $0.001 (above 10,000 general-purpose mode certificates)
Total = $4,302