LinuxCommandLibrary

aws-acm-pca

Manage AWS Private Certificate Authority resources

TLDR

Create a private certificate authority

$ aws acm-pca create-certificate-authority --certificate-authority-configuration [ca_config] --certificate-authority-type [type] --idempotency-token [token]

Describe a private certificate authority
$ aws acm-pca describe-certificate-authority --certificate-authority-arn [ca_arn]

List private certificate authorities
$ aws acm-pca list-certificate-authorities

Update a certificate authority
$ aws acm-pca update-certificate-authority --certificate-authority-arn [ca_arn] --revocation-configuration [revocation_config] --status [status]

Delete a private certificate authority
$ aws acm-pca delete-certificate-authority --certificate-authority-arn [ca_arn]

Issue a certificate
$ aws acm-pca issue-certificate --certificate-authority-arn [ca_arn] --csr fileb://[csr_file] --signing-algorithm [algorithm] --validity [validity]

Revoke a certificate
$ aws acm-pca revoke-certificate --certificate-authority-arn [ca_arn] --certificate-serial [serial] --revocation-reason [reason]

Get certificate details
$ aws acm-pca get-certificate --certificate-authority-arn [ca_arn] --certificate-arn [cert_arn]

SYNOPSIS

The `aws acm-pca` command is invoked as a subcommand of the main `aws` command, followed by a specific action and its respective parameters.

Syntax:
aws acm-pca <action> [options] [global-options]

Examples of common actions:
  `aws acm-pca create-certificate-authority --certificate-authority-type ROOT --certificate-authority-configuration file://<config.json> ...`
  `aws acm-pca issue-certificate --certificate-authority-arn <ARN> --csr fileb://<CSR_path> ...`
  `aws acm-pca list-certificate-authorities`
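The create-CA and issue-certificate calls shown in the TLDR and synopsis, as an added shell example that is not part of the LinuxCommandLibrary page: it builds the JSON that `--certificate-authority-configuration` expects, validates the CSR file before handing it to `--csr`, and refuses to issue from a CA that is not `ACTIVE`. File names (ca_config.json, server.csr) and the subject fields are assumptions.

```shell
#!/bin/sh
# Added example, not from the LinuxCommandLibrary page: the create-CA and
# issue-certificate calls, wrapped with the checks worth doing first.
# ca_config.json, server.csr and the subject fields are assumed names.
set -eu
# JSON for --certificate-authority-configuration (passed as file://...).
ca_config_json() {
  cat <<EOF
{
  "KeyAlgorithm": "RSA_2048",
  "SigningAlgorithm": "SHA256WITHRSA",
  "Subject": { "Country": "US", "Organization": "Example Corp",
               "CommonName": "Example Internal Root CA" }
}
EOF
}
# Shorthand value for --validity, e.g. Value=365,Type=DAYS.
validity_arg() { printf 'Value=%s,Type=%s' "$1" "$2"; }
# --csr takes raw bytes, so the CSR goes in as fileb://; refuse anything that
# is not a readable PEM request before spending a CA operation on it.
check_csr_file() {
  [ -r "$1" ] || return 1
  grep -q -e '-----BEGIN CERTIFICATE REQUEST-----' "$1" || return 1
  grep -q -e '-----END CERTIFICATE REQUEST-----' "$1"
}
create_root_ca() {               # prints the new CA's ARN
  ca_config_json > ca_config.json
  aws acm-pca create-certificate-authority \
    --certificate-authority-type ROOT \
    --certificate-authority-configuration file://ca_config.json \
    --query CertificateAuthorityArn --output text
}
ca_status() {                    # $1 = CA ARN; prints ACTIVE, DISABLED, ...
  aws acm-pca describe-certificate-authority --certificate-authority-arn "$1" \
    --query CertificateAuthority.Status --output text
}
issue_cert() {                   # $1 = CA ARN, $2 = CSR path; prints cert ARN
  check_csr_file "$2" || { echo "bad CSR: $2" >&2; return 1; }
  # A new CA stays PENDING_CERTIFICATE until its own cert is installed, and a
  # DISABLED CA must not sign: fail early instead of letting the call error.
  [ "$(ca_status "$1")" = ACTIVE ] || { echo "CA not ACTIVE" >&2; return 1; }
  aws acm-pca issue-certificate --certificate-authority-arn "$1" \
    --csr "fileb://$2" --signing-algorithm SHA256WITHRSA \
    --validity "$(validity_arg 365 DAYS)" --query CertificateArn --output text
}
# Only touch AWS when asked; the helpers above run offline.
if [ "${RUN_AWS:-0}" = 1 ]; then issue_cert "${CA_ARN:?set CA_ARN}" server.csr; fi
```

Run with `RUN_AWS=1 CA_ARN=<arn> sh script.sh` once the CA has been activated; `create_root_ca` returns a CA that still needs its own certificate installed before it passes the `ACTIVE` check.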

PARAMETERS

create-certificate-authority
    Creates a new private certificate authority (CA) in ACM PCA. Requires specifying CA type (ROOT or SUBORDINATE), key algorithm, signing algorithm, and subject information.

describe-certificate-authority
    Retrieves detailed information about a specific private certificate authority, identified by its ARN.

list-certificate-authorities
    Lists all private certificate authorities associated with your AWS account, along with their status and ARNs.

issue-certificate
    Issues a private X.509 certificate using a specified CA. Requires a Certificate Signing Request (CSR), validity period, and certificate usage details.

revoke-certificate
    Revokes a previously issued private certificate, identified by its serial number, so that it is published on the CA's certificate revocation list (CRL) and no longer trusted.

get-certificate
    Retrieves an issued certificate or its certificate chain by its ARN.

update-certificate-authority
    Modifies the configuration of an existing private certificate authority, such as its revocation configuration or status.

DESCRIPTION

The `aws-acm-pca` command, more accurately referred to as `aws acm-pca`, is a subcommand within the AWS Command Line Interface (CLI). It serves as the primary interface for programmatically interacting with AWS Certificate Manager Private Certificate Authority (ACM PCA). ACM PCA is a fully managed service that allows organizations to create, deploy, and manage their own private certificate authorities (CAs) without the operational overhead of maintaining on-premises PKI infrastructure.

Through `aws acm-pca`, users can perform a wide range of operations, including creating and configuring private CAs, issuing and revoking X.509 certificates for internal use (e.g., for internal servers, applications, or devices), and managing certificate templates and permissions. It integrates seamlessly with other AWS services that require private trust, enabling automated certificate lifecycle management within the AWS ecosystem. Proper functioning requires the AWS CLI to be installed and configured with appropriate AWS credentials and IAM permissions.

CAVEATS

Using `aws acm-pca` requires a correctly installed and configured AWS Command Line Interface (CLI). Operations performed via this command interact with cloud resources and may incur AWS service charges. Users must have appropriate AWS Identity and Access Management (IAM) permissions to execute specific ACM PCA actions. Network connectivity to the AWS endpoint is essential for all operations. A fundamental understanding of Public Key Infrastructure (PKI) concepts, such as Certificate Authorities, X.509 certificates, and revocation, is highly beneficial for effective use.

AUTHENTICATION & AUTHORIZATION

All `aws acm-pca` commands require valid AWS credentials, typically configured via `aws configure` or environment variables. Access to specific ACM PCA actions is governed by AWS Identity and Access Management (IAM) policies. Users must ensure their IAM roles or users have the necessary permissions (e.g., `acm-pca:IssueCertificate`, `acm-pca:CreateCertificateAuthority`) to perform desired operations on private CAs.

OUTPUT FORMATS

The `aws` CLI, including `aws acm-pca` subcommands, supports various output formats using the global `--output` option. Common formats include `json` (default for programmatic use), `text` (tab-separated values, useful for scripting), and `yaml`. This flexibility allows users to easily integrate `aws acm-pca` command outputs into scripts and automation workflows.

HISTORY

AWS Certificate Manager Private Certificate Authority (ACM PCA) was launched by AWS in July 2018, providing a fully managed service for private CAs. The `aws acm-pca` subcommand was subsequently integrated into the AWS Command Line Interface (CLI) as part of its continuous development to support new AWS services. Its evolution is directly tied to the development of the ACM PCA service itself, with regular updates to the AWS CLI ensuring compatibility with the latest features, API versions, and best practices for managing private trust infrastructure within AWS environments.

SEE ALSO

aws(1), aws configure(1), openssl(1SSL)
