AWS Private Certificate Authority
A managed certificate authority that issues and manages private certificates for internal organizational use
Overview
AWS Private Certificate Authority (Private CA) is a managed service that issues and manages private X.509 certificates for internal organizational use. Without going through a public certificate authority, you can issue certificates from your own CA for internal system TLS communication, mTLS authentication, IoT device identification, code signing, and more. AWS handles HSM-protected CA private key management, automatic certificate renewal, and certificate revocation list (CRL) distribution, significantly reducing the burden of building and maintaining an on-premises CA.
CA Hierarchy Design and Root CA Operations
Private CA allows you to build a hierarchical structure of root CAs and subordinate CAs. A typical design places a root CA at the top with subordinate CAs created for specific purposes (server certificates, client certificates, IoT devices, etc.). The root CA's private key is stored in AWS-managed FIPS 140-2 Level 3 certified HSMs and cannot be extracted. The best practice is to use the root CA only for signing subordinate CAs, not for directly issuing certificates. When creating a CA, you specify the key algorithm (RSA 2048/4096, ECDSA P256/P384) and validity period. A typical validity period is around 10 years for root CAs and 3-5 years for subordinate CAs. Since all certificates under a CA become invalid when the CA expires, monitoring expiration dates and planning renewals is essential. It is recommended to monitor CA expiration days remaining via CloudWatch metrics and trigger alerts when they fall below a threshold. Pricing is $400 USD per month per CA, with a short-lived certificate mode available at $50 USD per month.
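An added example (not AWS's or this page's own code) of the CA expiry monitoring described above: it reads each CA's NotAfter from DescribeCertificateAuthority, computes the days remaining, publishes that value as a custom CloudWatch metric and lists the CAs at or below the alert threshold. The boto3 clients, the metric namespace and the metric name are assumptions; the check logic accepts any describe function with the same call shape, so it can be exercised with constructed data.

```python
"""Days-to-expiry check for AWS Private CA certificate authorities.
Added example, not AWS's own code. Assumes credentials allowing
acm-pca:DescribeCertificateAuthority and cloudwatch:PutMetricData;
the metric namespace and name are hypothetical custom values."""
from datetime import datetime, timezone

THRESHOLD_DAYS = 365                    # alert with a year left: re-keying a CA hierarchy takes time
METRIC_NAMESPACE = "Custom/PrivateCA"   # hypothetical namespace for the custom metric


def days_remaining(not_after: datetime, now: datetime) -> int:
    """Whole days until not_after; negative once the CA has already expired."""
    return (not_after - now).days


def ca_expiry_report(ca_arns, describe_fn, now=None):
    """One row per CA. describe_fn is acm-pca describe_certificate_authority
    (or any callable taking CertificateAuthorityArn= with the same response shape)."""
    now = now or datetime.now(timezone.utc)
    rows = []
    for arn in ca_arns:
        ca = describe_fn(CertificateAuthorityArn=arn)["CertificateAuthority"]
        not_after = ca.get("NotAfter")          # absent while a CA is still PENDING_CERTIFICATE
        rows.append({"arn": arn, "status": ca["Status"],
                     "days_left": None if not_after is None else days_remaining(not_after, now)})
    return rows


def alerts(rows, threshold=THRESHOLD_DAYS):
    """CAs at or below the threshold, soonest expiry first (already expired CAs lead)."""
    hits = [r for r in rows if r["days_left"] is not None and r["days_left"] <= threshold]
    return sorted(hits, key=lambda r: r["days_left"])


def publish_metric(cloudwatch, row):
    """Emit a custom metric so a CloudWatch alarm can watch the threshold continuously."""
    cloudwatch.put_metric_data(
        Namespace=METRIC_NAMESPACE,
        MetricData=[{"MetricName": "CADaysToExpiry",
                     "Dimensions": [{"Name": "CertificateAuthorityArn", "Value": row["arn"]}],
                     "Value": row["days_left"], "Unit": "Count"}])


if __name__ == "__main__":
    import sys
    import boto3                                 # only needed for the live run against AWS
    pca, cw = boto3.client("acm-pca"), boto3.client("cloudwatch")
    report = ca_expiry_report(sys.argv[1:], pca.describe_certificate_authority)
    for row in report:
        if row["days_left"] is not None:
            publish_metric(cw, row)
    for row in alerts(report):
        print(f"ALERT {row['arn']} ({row['status']}): {row['days_left']} days to CA expiry")
```

Run it with the CA ARNs as arguments; a CloudWatch alarm on the published metric then covers the gap between runs.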
Certificate Templates and Automated Issuance
Private CA provides templates tailored to different certificate use cases. By selecting a template with pre-configured X.509 extension fields - such as EndEntityServerAuthCertificate for server authentication, EndEntityClientAuthCertificate for client authentication, CodeSigningCertificate for code signing, and OCSPSigningCertificate for OCSP responder signing - you can issue certificates appropriate for each purpose. The API passthrough template variants let the caller supply Subject Alternative Names (SANs) and custom extension fields in the issuance request. Integration with ACM (AWS Certificate Manager) enables automatic certificate renewal. Certificates issued by Private CA through ACM are automatically renewed 60 days before expiration, and certificates applied to ELB, CloudFront, and API Gateway are rotated with zero downtime. For high-volume certificate issuance, prepare scripts that call the IssueCertificate API in batch to automate the certificate lifecycle.
mTLS and IoT Device Certificate Use Cases
A flagship use case for Private CA is mTLS (mutual TLS authentication). Both server and client present certificates for mutual authentication, enabling zero-trust communication without relying on API keys or passwords. A typical configuration enables mTLS on an API Gateway custom domain, accepting only requests bearing client certificates issued by Private CA. The CA certificate chain is registered in a trust store, and certificate verification is delegated to API Gateway. For IoT device certificate management, Private CA is combined with AWS IoT Core's Just-in-Time Provisioning (JITP). Certificates issued by Private CA are embedded in devices during manufacturing, and when a device connects for the first time, IoT Core verifies the certificate and automatically registers the device. Certificate revocation is managed through CRLs (Certificate Revocation Lists) or OCSP, with a common configuration distributing CRL files placed in S3 via CloudFront.