Skip to main content

Amazon Private Certificate Authority

Amazon Private CA Features

Overview

Amazon Private Certificate Authority (Amazon Private CA) is a highly available, managed private certificate authority (CA) service. With Amazon Private CA, you can you can create private certificates to identify resources and protect data. You can create versatile certificate and CA configurations to identify and protect your resources, including servers, applications, users, devices, and containers. Amazon Private CA allows you to create a solid foundation which you can use to protect your data, identify resources, and help meet your regulatory and compliance needs. Using Amazon Private CA can help you avoid outages and improve uptime by automating CA and certificate management using API calls, Amazon CLI commands, or Amazon CloudFormation templates.

The service’s APIs allow developers to customize and deploy private certificates, and administrators can use Amazon Private CA to create a fully cloud-based CA hierarchy or a hybrid hierarchy combining cloud and on-premises CAs. Amazon Private CA is a cryptographically agile service with different key algorithms and key sizes, in addition to hardware-protected private keys.

Page topics

Key product features

Open all

An Amazon Private CA hierarchy provides strong security and restrictive access controls for the most-trusted root CA at the top of the trust chain, while allowing more permissive access and bulk certificate issuance for subordinate CAs lower on the chain. You can control who can create a new CA or restrict access to existing CAs using Amazon IAM policies. The private keys for your CA hierarchy are protected by government-approved hardware security modules (HSMs).

Amazon Private CA offers modes with different capabilities and pricing for all your use cases.  All modes of Amazon Private CA make it easy for administrators, builders, and developers with no background in private key infrastructure (PKI) to quickly and easily set up and manage a private CA.

  • short-lived certificate mode for certificates with a validity of up to 7 days
  • general-purpose mode for certificates with any validity period

For information on mode pricing, visit the Amazon Private CA pricing page.

Connectors allow you to replace existing CAs with Amazon Private CA in environments that have an established native certificate distribution solution. Amazon Private CA offers a Connector for Kubernetes that you can use to issue certificates for Kubernetes clusters at scale. Integrate with Kubernetes to more easily automate and configure end-to-end encryption for Amazon Elastic Kubernetes Service (EKS). You can download the Connector for Kubernetes from the GitHub repository.

Keys used by a CA to sign certificates are highly sensitive. Amazon Private CA secures these keys with Amazon-managed hardware security modules (HSMs). The service uses government-approved HSMs to protect the confidentiality and integrity of CA keys.

You can control access to Amazon Private CA with IAM policies. For example, you can create a policy to grant IT administrators who are responsible for CA management full access to create and configure private CAs, while granting limited access to developers and users who need only to issue and revoke certificates.

When establishing an encrypted TLS connection, a revocation infrastructure alerts the endpoint that the certificate should not be trusted. Amazon Private CA customers can choose certificate revocation lists (CRLs) to distribute revocation information for their private certificates.

Sharing CAs across your organization or Amazon Web Services accounts avoids the cost and complexity of creating and managing multiple CAs in your Amazon Web Services accounts. You can create resource shares through Amazon Resource Access Manager (RAM) that include your private CAs and are associated with a set of accounts or Amazon Organizations. This capability allows the included accounts to issue private certificates from the shared CA. You can then use Amazon Certificate Manager (ACM) to issue private certificates from a shared CA, the certificate is generated locally in the requesting account, and ACM provides full lifecycle management and renewal for certificates created with general-purpose mode. ACM cannot issue short-lived certificates.

Amazon Private CA allows you to fully customize private certificates to the specific needs of your organization’s identity or data protection security requirements. By using customizable names, you can support identities for computers, web services, containers, users, IoT devices, and more. Standard certificate extensions are natively supported, and you can use Private CA’s custom extension capability to create certificates with non-standard extensions.

Write code to automate certificate management in the programming language of your choice using Amazon Private CA. Amazon SDKs make authentication more streamlined and integrate efficiently with your development environment. You can also write scripts or one-off commands using command line tools to interact with the service.

Amazon Private CA provides you and your auditors with visibility into the activity of your private CAs. You can create audit reports that include the status of all the certificates issued from the CA. Amazon Private CA is integrated with Amazon CloudTrail. CloudTrail captures API calls from the Amazon Private CA console, the Amazon Commands Line Interface (CLI), or your code and delivers the log files to your Amazon Simple Storage Service (S3) bucket. Using the information collected by CloudTrail, you can determine the request that was made, the IP address from which the request came, when it was made, and so on.