aws-acm-pca
Manage private certificate authorities and certificates
TLDR
Create a private certificate authority
SYNOPSIS
aws acm-pca command [options]
DESCRIPTION
AWS Certificate Manager Private Certificate Authority (ACM PCA, since renamed AWS Private Certificate Authority; the API and CLI namespace are still acm-pca) is a managed service for creating and operating private certificate authorities (CAs). It issues private X.509 certificates for TLS and other uses without the overhead of running your own CA infrastructure; CA private keys are generated and kept inside AWS-managed HSMs and never leave the service.
Unlike the publicly trusted certificates ACM issues, certificates from ACM PCA are trusted only by clients that have been given your root, which makes them suited to internal applications, service-to-service mTLS, VPNs, IoT devices, and other resources on private networks. The service supports both root CAs and subordinate CAs, so you can build a complete public key infrastructure (PKI) hierarchy; a subordinate CA can chain to an ACM PCA root or to an external root by having its CSR signed outside AWS and the resulting certificate imported.
ACM PCA handles the cryptographic operations and certificate lifecycle: issuance from a CSR, revocation published through a Certificate Revocation List (CRL) written to S3 and/or an Online Certificate Status Protocol (OCSP) responder, and audit reports listing every certificate issued or revoked by a CA. Every API call, including each issuance and revocation, is recorded by AWS CloudTrail.
The service is API-driven through the AWS CLI and SDKs, so certificate issuance and renewal can be automated. It supports RSA (2048- and 4096-bit) and ECDSA (P-256, P-384) CA keys and signing algorithms using SHA-256, SHA-384 or SHA-512.
AVAILABLE COMMANDS
create-certificate-authority
Create a new root or subordinate certificate authority; the CA starts in PENDING_CERTIFICATE until its certificate is imported
get-certificate-authority-csr
Retrieve the CSR for a CA's own key, to be signed by the CA itself (root) or by a parent CA (subordinate)
import-certificate-authority-certificate
Install the signed CA certificate (and chain, for a subordinate) and move the CA to ACTIVE
get-certificate-authority-certificate
Retrieve an active CA's certificate and chain in PEM format
delete-certificate-authority
Schedule a certificate authority for deletion (must be DISABLED, or never activated, first); a 7 to 30 day restoration window applies
describe-certificate-authority
Retrieve detailed information about a specific CA, including its status and revocation configuration
issue-certificate
Issue a private certificate from a CA using a CSR, a certificate template ARN and a validity period
get-certificate
Retrieve an issued certificate and its chain in PEM format
revoke-certificate
Revoke a certificate by serial number and reason so it appears in the next CRL and OCSP response
list-certificate-authorities
List all CAs in your account with optional filtering by resource owner
create-certificate-authority-audit-report
Generate an audit report of certificates issued and revoked, written to an S3 bucket
create-permission
Grant the ACM service principal permission to issue and retrieve certificates from the CA so ACM can renew them
put-policy
Attach a resource-based policy to a CA, for example to allow cross-account issuance
tag-certificate-authority
Add metadata tags to a CA for organization
update-certificate-authority
Modify CA configuration, including CRL and OCSP settings, or set its status to ACTIVE or DISABLED
wait
Block until a CA's CSR is available (certificate-authority-csr-created), a certificate is issued (certificate-issued), or an audit report is ready (audit-report-created)
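The TLDR above names "create a private certificate authority" but shows no command, and the command list does not show how the calls chain together. The following bash script is an added example (not from this page, the AWS CLI documentation, or any AWS project) that runs the full workflow: create a ROOT CA, retrieve and self-sign its CSR, import the certificate to activate it, issue an end-entity certificate from a locally generated CSR, verify the chain with openssl, and revoke the leaf by serial. It assumes AWS CLI v2 and openssl are installed, credentials with acm-pca permissions are configured, and that the hypothetical S3 bucket named in CRL_BUCKET exists with a bucket policy letting the acm-pca.amazonaws.com service principal write to it. The subject names and validity periods are illustrative.

```bash
#!/usr/bin/env bash
# Added example: bootstrap a ROOT CA in ACM PCA, issue one leaf certificate from
# a local CSR, verify the chain, and revoke the leaf. Not AWS's own code.
set -eu

# The AWS CLI retries ThrottlingException itself; adaptive mode backs off under rate limits.
export AWS_RETRY_MODE=adaptive AWS_MAX_ATTEMPTS=10
CRL_BUCKET="${CRL_BUCKET:-example-corp-pca-crl}"   # assumed bucket; must allow acm-pca.amazonaws.com to write

# CertificateAuthorityConfiguration JSON: key algorithm, signing algorithm and subject.
pca_ca_config() {
  cat <<EOF
{"KeyAlgorithm":"RSA_2048","SigningAlgorithm":"SHA256WITHRSA",
 "Subject":{"Country":"US","Organization":"$2","CommonName":"$1"}}
EOF
}

# RevocationConfiguration JSON: publish a CRL to S3, reissued at least every 7 days.
pca_crl_config() {
  cat <<EOF
{"CrlConfiguration":{"Enabled":true,"ExpirationInDays":7,"S3BucketName":"$CRL_BUCKET"}}
EOF
}

# Create a ROOT CA, self-sign its CSR and import the result; prints the CA ARN.
# The CA sits in PENDING_CERTIFICATE until the import succeeds.
pca_create_root_ca() {
  local cn="$1" org="$2" ca_arn cert_arn
  pca_ca_config "$cn" "$org" > ca_config.json
  pca_crl_config > crl_config.json
  ca_arn=$(aws acm-pca create-certificate-authority \
      --certificate-authority-configuration file://ca_config.json \
      --revocation-configuration file://crl_config.json \
      --certificate-authority-type ROOT \
      --idempotency-token "$(date +%s)" \
      --query CertificateAuthorityArn --output text)
  aws acm-pca wait certificate-authority-csr-created --certificate-authority-arn "$ca_arn"
  aws acm-pca get-certificate-authority-csr --certificate-authority-arn "$ca_arn" --output text > ca.csr
  cert_arn=$(aws acm-pca issue-certificate --certificate-authority-arn "$ca_arn" \
      --csr fileb://ca.csr --signing-algorithm SHA256WITHRSA \
      --template-arn arn:aws:acm-pca:::template/RootCACertificate/V1 \
      --validity Value=10,Type=YEARS \
      --query CertificateArn --output text)
  aws acm-pca wait certificate-issued --certificate-authority-arn "$ca_arn" --certificate-arn "$cert_arn"
  aws acm-pca get-certificate --certificate-authority-arn "$ca_arn" --certificate-arn "$cert_arn" \
      --query Certificate --output text > ca.pem
  aws acm-pca import-certificate-authority-certificate --certificate-authority-arn "$ca_arn" \
      --certificate fileb://ca.pem
  echo "$ca_arn"
}

# Issue a 30-day end-entity certificate for FQDN $2 from CA $1; prints the certificate ARN
# and writes leaf.pem and chain.pem. The private key is generated locally and never uploaded.
pca_issue_leaf() {
  local ca_arn="$1" fqdn="$2" cert_arn
  openssl req -new -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr -subj "/CN=$fqdn" 2>/dev/null
  cert_arn=$(aws acm-pca issue-certificate --certificate-authority-arn "$ca_arn" \
      --csr fileb://leaf.csr --signing-algorithm SHA256WITHRSA \
      --template-arn arn:aws:acm-pca:::template/EndEntityCertificate/V1 \
      --validity Value=30,Type=DAYS \
      --query CertificateArn --output text)
  aws acm-pca wait certificate-issued --certificate-authority-arn "$ca_arn" --certificate-arn "$cert_arn"
  aws acm-pca get-certificate --certificate-authority-arn "$ca_arn" --certificate-arn "$cert_arn" \
      --query Certificate --output text > leaf.pem
  aws acm-pca get-certificate --certificate-authority-arn "$ca_arn" --certificate-arn "$cert_arn" \
      --query CertificateChain --output text > chain.pem
  echo "$cert_arn"
}

# Convert the "serial=6707...CE" line printed by `openssl x509 -serial` into the
# colon-separated lowercase hex that revoke-certificate expects.
serial_to_colon_hex() {
  printf '%s\n' "$1" | sed -e 's/^serial=//' -e 's/../&:/g' -e 's/:$//' | tr 'A-F' 'a-f'
}

# Serial of a PEM certificate in revoke-certificate format.
cert_serial() {
  serial_to_colon_hex "$(openssl x509 -in "$1" -noout -serial)"
}

# Revoke by serial; the revocation shows up in the next CRL and in OCSP responses.
pca_revoke() {
  aws acm-pca revoke-certificate --certificate-authority-arn "$1" \
      --certificate-serial "$2" --revocation-reason "${3:-KEY_COMPROMISE}"
}

main() {
  ca_arn=$(pca_create_root_ca "Example Corp Root CA" "Example Corp")
  leaf_arn=$(pca_issue_leaf "$ca_arn" "svc.internal.example.com")
  openssl verify -CAfile ca.pem leaf.pem          # what a relying party would check
  pca_revoke "$ca_arn" "$(cert_serial leaf.pem)" KEY_COMPROMISE
  echo "root CA: $ca_arn"; echo "revoked leaf: $leaf_arn"
}
if [ "${1:-}" = run ]; then main; fi
```

Run it as `bash pca_demo.sh run` so that the workflow only executes when asked; sourcing the file just defines the functions. The leaf private key stays on the host that generated the CSR, which is the whole point of CSR-based issuance: the CA signs a public key and never needs to see the private half.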
CAVEATS
Operations are subject to per-account API rate limits; exceeding them returns ThrottlingException, so automated issuance should retry with backoff (the AWS CLI and SDKs do this by default). A CA can only be deleted once it is DISABLED (or was never activated); deletion is scheduled with a restoration window of 7 to 30 days, and when it expires the CA and its private key are gone for good. Certificate issuance requires a valid CSR; the CA signs the public key in the CSR and never receives the subject's private key. Revoking a certificate only helps if CRL or OCSP is enabled on the CA and relying parties actually check revocation status. Private certificates are not trusted by public browsers or operating systems unless the private root has been distributed to their trust stores, and are intended for internal use only.
HISTORY
AWS Certificate Manager Private Certificate Authority was launched in April 2018 to provide managed private CA services on AWS, removing the need for organizations to operate their own certificate authority infrastructure. The service has since been renamed AWS Private Certificate Authority (AWS Private CA); the acm-pca API and CLI namespace are unchanged.
SEE ALSO
aws-acm(1), aws-iot(1), aws-cloudtrail(1), aws(1)
