LinuxCommandLibrary

aws-acm-pca

Manage AWS Private Certificate Authority resources

TLDR

Create a private certificate authority

$ aws acm-pca create-certificate-authority --certificate-authority-type [ROOT|SUBORDINATE] --certificate-authority-configuration [ca_config] --idempotency-token [token]

Describe a private certificate authority
$ aws acm-pca describe-certificate-authority --certificate-authority-arn [ca_arn]

List private certificate authorities
$ aws acm-pca list-certificate-authorities

Update a certificate authority
$ aws acm-pca update-certificate-authority --certificate-authority-arn [ca_arn] --revocation-configuration [revocation_config] --status [ACTIVE|DISABLED]

Delete a private certificate authority (it must be disabled or never activated, and stays restorable for the given number of days)
$ aws acm-pca delete-certificate-authority --certificate-authority-arn [ca_arn] --permanent-deletion-time-in-days [7-30]

Issue a certificate
$ aws acm-pca issue-certificate --certificate-authority-arn [ca_arn] --csr fileb://[path/to/request.csr] --signing-algorithm [algorithm] --validity Value=[number],Type=[DAYS|MONTHS|YEARS] --template-arn [template_arn]

Revoke a certificate
$ aws acm-pca revoke-certificate --certificate-authority-arn [ca_arn] --certificate-serial [serial] --revocation-reason [reason]

Get certificate details
$ aws acm-pca get-certificate --certificate-authority-arn [ca_arn] --certificate-arn [cert_arn]
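
The commands above in the order a root CA actually goes through: create, activate by self-signing its own CSR, issue an end-entity certificate, revoke it. This is an added example, not code from LinuxCommandLibrary or AWS. It assumes AWS CLI v2 with credentials that hold the needed acm-pca permissions, openssl on PATH, and an S3 bucket whose bucket policy already lets the acm-pca service principal write the CRL; the organisation, bucket, hostname and idempotency token are placeholders. With DRY_RUN=1 nothing is sent to AWS and the call sequence is printed instead.

```sh
#!/usr/bin/env sh
# Added example (not LinuxCommandLibrary's or AWS's code): private root CA
# lifecycle with aws acm-pca. Assumes AWS CLI v2, credentials with the needed
# acm-pca permissions, openssl on PATH, and an S3 bucket whose bucket policy
# already lets acm-pca.amazonaws.com write CRLs. All names are placeholders.
set -eu

# Every AWS call goes through here so the script can be reviewed without an
# account: DRY_RUN=1 prints the command to stderr and returns a dummy value.
run_aws() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf 'aws %s\n' "$*" >&2
        printf '%s\n' "${DRY_RUN_RESULT:-dry-run-arn}"
        return 0
    fi
    aws "$@"
}

# CA configuration document; key spec and signing algorithm must agree
# (RSA key with an RSA algorithm, EC key with ECDSA).
ca_config_json() {   # $1 organisation, $2 common name
    printf '{"KeyAlgorithm":"RSA_2048","SigningAlgorithm":"SHA256WITHRSA","Subject":{"Organization":"%s","CommonName":"%s"}}' "$1" "$2"
}

# Create a root CA with CRL publishing enabled and print its ARN. The
# idempotency token makes a retried call return the same CA, not a second billed one.
create_root_ca() {   # $1 organisation, $2 common name, $3 CRL bucket, $4 token
    run_aws acm-pca create-certificate-authority \
        --certificate-authority-type ROOT \
        --certificate-authority-configuration "$(ca_config_json "$1" "$2")" \
        --revocation-configuration "{\"CrlConfiguration\":{\"Enabled\":true,\"ExpirationInDays\":7,\"S3BucketName\":\"$3\"}}" \
        --idempotency-token "$4" \
        --query CertificateAuthorityArn --output text
}

# A new CA stays PENDING_CERTIFICATE until its own certificate is imported.
# For a root: fetch its CSR, sign it with itself via the RootCACertificate
# template, then import the result.
activate_root_ca() {   # $1 CA ARN
    run_aws acm-pca get-certificate-authority-csr \
        --certificate-authority-arn "$1" --output text > ca.csr
    root_cert_arn=$(run_aws acm-pca issue-certificate \
        --certificate-authority-arn "$1" --csr fileb://ca.csr \
        --signing-algorithm SHA256WITHRSA \
        --template-arn arn:aws:acm-pca:::template/RootCACertificate/V1 \
        --validity Value=10,Type=YEARS \
        --query CertificateArn --output text)
    run_aws acm-pca wait certificate-issued \
        --certificate-authority-arn "$1" --certificate-arn "$root_cert_arn"
    run_aws acm-pca get-certificate --certificate-authority-arn "$1" \
        --certificate-arn "$root_cert_arn" --query Certificate --output text > ca.pem
    run_aws acm-pca import-certificate-authority-certificate \
        --certificate-authority-arn "$1" --certificate fileb://ca.pem
}

# Issue a 90-day server certificate for a CSR generated locally, so the
# private key never leaves the host; the template pins the EKU to serverAuth.
issue_server_cert() {   # $1 CA ARN, $2 hostname
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$2.key" -out "$2.csr" 2>/dev/null
    run_aws acm-pca issue-certificate \
        --certificate-authority-arn "$1" --csr "fileb://$2.csr" \
        --signing-algorithm SHA256WITHRSA \
        --template-arn arn:aws:acm-pca:::template/EndEntityServerAuthCertificate/V1 \
        --validity Value=90,Type=DAYS \
        --query CertificateArn --output text
}

# Normalise openssl's "1A2B..." serial into the "1a:2b:..." hex-octet form
# that revoke-certificate expects.
format_serial() {   # $1 hex serial, with or without colons
    printf '%s' "$1" | tr 'A-Z' 'a-z' | tr -d ':' | sed 's/../&:/g; s/:$//'
}

# Reject anything outside the RevocationReason enum before calling the API.
valid_reason() {
    case "$1" in
        UNSPECIFIED|KEY_COMPROMISE|CERTIFICATE_AUTHORITY_COMPROMISE|AFFILIATION_CHANGED|SUPERSEDED|CESSATION_OF_OPERATION|PRIVILEGE_WITHDRAWN|A_A_COMPROMISE) return 0 ;;
        *) return 1 ;;
    esac
}

revoke_cert() {   # $1 CA ARN, $2 certificate ARN, $3 reason
    valid_reason "$3" || { echo "invalid revocation reason: $3" >&2; return 1; }
    serial=$(run_aws acm-pca get-certificate --certificate-authority-arn "$1" \
        --certificate-arn "$2" --query Certificate --output text \
        | openssl x509 -noout -serial | cut -d= -f2)
    run_aws acm-pca revoke-certificate --certificate-authority-arn "$1" \
        --certificate-serial "$(format_serial "$serial")" --revocation-reason "$3"
}

# `DRY_RUN=1 sh pca-lifecycle.sh demo` prints the call sequence; drop DRY_RUN to run it.
if [ "${1:-}" = "demo" ]; then
    CA_ARN=$(create_root_ca "Example Corp" "Example Corp Root CA" example-crl-bucket demo-token-0001)
    activate_root_ca "$CA_ARN"
    CERT_ARN=$(issue_server_cert "$CA_ARN" app.internal.example)
    revoke_cert "$CA_ARN" "$CERT_ARN" SUPERSEDED
fi
```

The root CA's 10-year validity and the server certificate's 90 days are deliberate: the shorter the end-entity lifetime, the less the CRL in the S3 bucket matters when a key leaks. Everything the script does is also visible in CloudTrail under the acm-pca event source.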

SYNOPSIS

aws acm-pca SUBCOMMAND [--options] [args]

PARAMETERS

--ca-bundle
    Path to CA bundle for SSL verification

--cli-auto-prompt
    Automatically prompt for missing CLI inputs

--cli-binary-format
    How binary blob parameters such as --csr are read: base64 (v2 default) or raw-in-base64-out

--cli-connect-timeout
    Connection timeout in seconds

--cli-input-json
    Read all parameters of the command from a JSON document (get a template with --generate-cli-skeleton)

--cli-read-timeout
    Read timeout in seconds

--debug
    Enable debug logging

--endpoint-url
    Override the default service endpoint URL (e.g., a VPC interface endpoint or FIPS endpoint)

--no-cli-auto-prompt
    Disable automatic prompting

--no-cli-pager
    Disable cli pager

--no-paginate
    Disable automatic pagination

--no-sign-request
    Send the request unsigned; useless here, since every acm-pca call must be SigV4-signed

--no-verify-ssl
    Disable TLS verification of the endpoint certificate; avoid it, the session then carries CA material and temporary credentials over a connection anyone can intercept

--output
    Output format (json|text|table)

--profile
    Use specific profile from credentials file

--query
    JMESPath expression to filter output

--region
    AWS Region to use (e.g., us-east-1)

--version
    Show version and exit

--help
    Display help information

DESCRIPTION

The aws acm-pca command is the AWS Command Line Interface (CLI) front end for AWS Private Certificate Authority (AWS Private CA, launched as ACM Private CA; the CLI namespace kept the old name). The service hosts private certificate authorities (CAs) whose keys are generated and held in AWS-managed HSMs, and issues X.509 certificates for internal services, mTLS between workloads, IoT devices, and similar uses where a publicly trusted CA is not wanted.

Use it to create root or subordinate CAs, retrieve a new CA's CSR and import its signed certificate to activate it, issue and revoke end-entity certificates, fetch issued certificates, and manage cross-account permissions, tags, and audit reports. It supports RSA and ECDSA key specs and certificate templates (end-entity, server/client auth, code signing, subordinate CA) that fix which extensions a certificate may carry.

AWS Private CA integrates with IAM for access control, CloudTrail for auditing, and S3 for CRL publication, and offers a managed OCSP responder. Certificates it issues are trusted only by clients that have the private root in their trust store; they cannot be turned into publicly trusted certificates.

Requires the AWS CLI (v2 installer or package manager; pip install awscli gives v1, which also works), configured credentials (aws configure), and IAM permission for each action (e.g., acm-pca:CreateCertificateAuthority). Billing is per CA per month plus per certificate issued, so delete unused CAs. Suited to organisations that want a scalable private PKI without running their own CA hosts and HSMs.

CAVEATS

Each general-purpose CA is billed monthly (about $400 at the time of writing) plus per-certificate fees; delete CAs you do not need. Deletion requires the CA to be disabled first (or never activated) and leaves it restorable for 7 to 30 days (--permanent-deletion-time-in-days). Every action needs a matching IAM permission; avoid granting acm-pca:* on every resource. CLI v2 is preferred over v1. Private CAs are not publicly trusted; for public certificates use aws acm. Service quotas (number of CAs, certificates per CA, API request rates) apply per account and Region; check Service Quotas before planning a large PKI.

KEY SUBCOMMANDS

create-certificate-authority, get-certificate-authority-csr, import-certificate-authority-certificate, describe-certificate-authority, list-certificate-authorities, update-certificate-authority, delete-certificate-authority, restore-certificate-authority, issue-certificate, get-certificate, revoke-certificate, create-certificate-authority-audit-report, create-permission, tag-certificate-authority
Full list: aws acm-pca help

PERMISSIONS EXAMPLE

Attach a policy. The one below grants every acm-pca action on every CA in the account; acceptable for a sandbox, but in production scope Action to what the role actually does and Resource to the CA ARN:
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["acm-pca:*"],
    "Resource": "*"
  }]
}
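
A scoped alternative to the wildcard policy above, added here and not part of the page: one inline policy for workloads that only request certificates and one for CA operators, both pinned to a single CA ARN. The account ID, CA ID, role and policy names are placeholders.

```sh
#!/usr/bin/env sh
# Added example (not the page's own): scoped IAM policies for aws acm-pca
# instead of acm-pca:* on "*". Account ID, CA ID, role and policy names are
# placeholders.
set -eu

# Workloads that only need certificates: issue against one CA, and only with
# the end-entity template, so a leaked credential cannot mint a CA certificate.
# GetCertificate has no TemplateArn in its request context, so it sits in its
# own statement; putting it under the StringEquals would deny it.
issuer_policy() {   # $1 CA ARN
    cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "IssueEndEntityOnly",
      "Effect": "Allow",
      "Action": "acm-pca:IssueCertificate",
      "Resource": "$1",
      "Condition": {
        "StringEquals": {
          "acm-pca:TemplateArn": "arn:aws:acm-pca:::template/EndEntityCertificate/V1"
        }
      }
    },
    {
      "Sid": "FetchIssued",
      "Effect": "Allow",
      "Action": "acm-pca:GetCertificate",
      "Resource": "$1"
    }
  ]
}
EOF
}

# CA operators: CreateCertificateAuthority and ListCertificateAuthorities have
# no CA ARN to bind to, so they alone get "*"; everything else is pinned.
admin_policy() {   # $1 CA ARN
    cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CreateAndList",
      "Effect": "Allow",
      "Action": ["acm-pca:CreateCertificateAuthority", "acm-pca:ListCertificateAuthorities"],
      "Resource": "*"
    },
    {
      "Sid": "ManageThisCA",
      "Effect": "Allow",
      "Action": [
        "acm-pca:DescribeCertificateAuthority",
        "acm-pca:GetCertificateAuthorityCsr",
        "acm-pca:ImportCertificateAuthorityCertificate",
        "acm-pca:UpdateCertificateAuthority",
        "acm-pca:RevokeCertificate",
        "acm-pca:DeleteCertificateAuthority"
      ],
      "Resource": "$1"
    }
  ]
}
EOF
}

# Reviewer check: true when a policy document allows every acm-pca action.
grants_all_pca_actions() {   # policy JSON on stdin
    grep -q '"acm-pca:\*"'
}

# aws iam put-role-policy takes the document as a string, so no temp file.
attach_inline() {   # $1 role name, $2 policy name, $3 policy document
    aws iam put-role-policy --role-name "$1" --policy-name "$2" --policy-document "$3"
}

if [ "${1:-}" = "apply" ]; then
    CA_ARN=arn:aws:acm-pca:us-east-1:123456789012:certificate-authority/11111111-2222-3333-4444-555555555555
    attach_inline app-issuer-role pca-issuer "$(issuer_policy "$CA_ARN")"
    attach_inline pki-admin-role pca-admin "$(admin_policy "$CA_ARN")"
fi
```

Keep the two roles on different principals: the whole point is that the service account that signs server certificates cannot also disable the CA, import a new CA certificate, or revoke other tenants' certificates.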

HISTORY

Launched in April 2018 as AWS Certificate Manager Private Certificate Authority (ACM Private CA), with the acm-pca namespace in AWS CLI v1. AWS CLI v2 (generally available in February 2020) added auto-prompt, the client-side pager, and base64 handling of binary parameters such as --csr. Later additions include a selectable key storage security standard for CAs and short-lived certificate mode; the service was renamed AWS Private Certificate Authority (AWS Private CA) in 2022 while the CLI namespace stayed acm-pca.

SEE ALSO

aws(1), openssl(1), keytool(1)
