Building a Private PKI with AWS Private CA - Automated Certificate Issuance and Rotation

Build a private certificate authority and automatically issue mTLS certificates for internal service-to-service communication. Learn about certificate lifecycle management and CRL design.

Overview of Private CA

Private CA is a managed certificate authority service that automates the issuance and management of private certificates. While ACM (AWS Certificate Manager) issues public certificates for free, Private CA issues private certificates for use within an organization. It is used for use cases that public certificates cannot address, such as mTLS between microservices, VPN client authentication, and IoT device authentication. Private CA supports RSA 2048/4096 and ECDSA P256/P384 key algorithms, issuing certificates with X.509 v3 extensions. All operations from CA creation to certificate issuance are available via API, eliminating manual operational errors and automatically recording audit trails in CloudTrail.

Certificate Issuance and mTLS

Using certificates issued by Private CA for mTLS between services provides both communication encryption and client authentication. Using short-lived certificates (valid for hours to days) eliminates the need to manage Certificate Revocation Lists (CRLs). Because the certificate validity period is short, the time window for exploiting a compromised certificate is extremely small. Integration with ACM enables automatic deployment of private certificates to ALBs, achieving HTTPS for internal ALBs. In EKS environments, cert-manager combined with the Private CA Issuer plugin is commonly used to automatically issue and rotate certificates per Pod. For designs that automatically distribute mTLS certificates to sidecar proxies in App Mesh or Service Connect, setting certificate validity to 24 hours or less and completely eliminating CRL management is recommended.

Certificate Templates and Automation

Private CA issues purpose-specific certificates using certificate templates for server certificates, client certificates, code signing certificates, and more. ACM integration enables automatic deployment and renewal of Private CA-issued certificates to ALBs and API Gateway. Short-lived certificates (valid for 7 days or less) simplify CRL management by eliminating the need for certificate revocation processing. An OCSP (Online Certificate Status Protocol) responder configuration can verify certificate validity in real time. CA creation and certificate issuance can be automated with CloudFormation or Terraform, managing PKI infrastructure as IaC. For a systematic guide to certificate management from basics to advanced topics, see related books on Amazon.

Use Case Design Patterns

For microservice mTLS, issue short-lived certificates per service and include the service name in the certificate's SAN (Subject Alternative Name) to integrate with service discovery. For IoT device authentication, pre-issue certificates from Private CA during device manufacturing and integrate with AWS IoT Core's Just-in-Time Registration (JITR) for automatic provisioning on first device connection. For VPN client authentication, issue both server and client certificates from Private CA for AWS Client VPN to configure mutual authentication. For code signing, integrate Private CA certificates into CI/CD pipelines to sign build artifacts (such as Lambda function deployment packages) and detect tampering.

Design Best Practices and Pitfalls

Configure the CA hierarchy with 2 tiers (root CA + subordinate CA) or 3 tiers (root CA + policy CA + issuing CA), setting the root CA validity period to 10 years or more. Disable the root CA immediately after certificate issuance and operate only the subordinate CA to reduce the risk of root key misuse. CRL distribution is typically configured to auto-publish to an S3 bucket, but misconfigured bucket access policies can cause service-wide certificate validation failures, so manage S3 bucket policies carefully. Enabling the OCSP responder eliminates CRL downloads and improves validation speed, but OCSP endpoint availability affects the entire service, requiring high-availability design. A common failure pattern is services going down because CA expiration goes unnoticed. Design CloudWatch alarms to monitor remaining CA validity and alert 6 months before expiration.

Private CA Pricing

Private CA costs approximately $400 per month per CA, with additional charges based on the number of certificates issued. The first 1,000 certificates cost $0.75 each, and up to 10,000 cost $0.35 each. Short-lived certificate mode reduces the monthly CA fee to approximately $50, improving cost efficiency in microservices environments that issue large volumes of short-lived certificates. A CA hierarchy (root CA -> subordinate CA) where the root CA is kept offline and only the subordinate CA is operational is a security best practice.

Summary

Private CA is a service that provides managed issuance and management of private certificates within an organization. Short-lived certificates (7 days or less) simplify CRL management, and ACM integration automates certificate deployment and renewal. mTLS enables mutual authentication between services, and a CA hierarchy (root CA + subordinate CA) builds a PKI that follows security best practices.