AWS Private Certificate Authority のアイコン

AWS Private Certificate Authority Specialized2018年〜

A managed certificate authority service for issuing and managing private certificates

About 2 min read

What It Does

AWS Private Certificate Authority (Private CA) is a managed service for issuing and managing private SSL/TLS certificates used within your organization. It lets you issue private certificates for internal applications, IoT devices, VPNs, and container-to-container communication without building your own CA infrastructure.

Use Cases

HTTPS for internal web applications, mTLS (mutual TLS) authentication between microservices, certificate-based authentication for IoT devices, and issuing VPN client certificates.

Everyday Analogy

Think of an in-house ID card office. Public IDs (ACM public certificates) are issued by government agencies (public CAs), but employee badges (private certificates) are issued by your internal office (Private CA). They're only valid within the company but can authenticate access to internal systems.

What Is Private CA?

AWS Private CA provides a managed private PKI (Public Key Infrastructure). While ACM (AWS Certificate Manager) issues free public certificates, Private CA issues private certificates trusted within your organization. You can build a hierarchy of root and subordinate CAs, and it also provides certificate revocation management (CRL, OCSP).

Issuing and Managing Certificates

Certificates issued by Private CA integrate with ACM and can be deployed directly to AWS services like ELB, CloudFront, and API Gateway. Certificate templates let you specify the purpose - server certificates, client certificates, code signing certificates, and more. Certificate lifecycle management and automatic renewal are also available through ACM integration. For a structured overview of certificate issuance and management, reference books on Amazon are a handy resource.

Getting Started

In the Private CA console, create a CA and configure the CA type (root / subordinate), key algorithm, and validity period. Once the CA is activated, request private certificates from the ACM console or API. Choosing short-lived certificate mode reduces the monthly fee.

Things to Watch Out For

  • Each CA incurs a fixed monthly fee of $400 (short-lived certificate mode is $50/month). Per-certificate issuance charges also apply
  • For HTTPS on public websites, use ACM's free public certificates. Private CA is for internal systems
共有するXB!

Related Services

AWS Certificate Manager iconAWS Certificate ManagerA service that automates provisioning, management, and deployment of SSL/TLS certificatesAWS IoT Core iconAWS IoT CoreA managed service for securely connecting IoT devices to the cloud and processing messagesElastic Load Balancing iconElastic Load BalancingA service that automatically distributes traffic across multiple servers for high availability and fault toleranceAmazon API Gateway iconAmazon API GatewayA fully managed service for creating, publishing, managing, and monitoring APIs

Related Articles

Dedicated Key Management with AWS CloudHSM - FIPS 140-2 Level 3 Compliant EncryptionAchieve FIPS 140-2 Level 3 compliant key management with dedicated HSM instances. Learn when to choose CloudHSM over KMS and how to integrate both through KMS custom key stores.Building a Private PKI with AWS Private CA - Automated Certificate Issuance and RotationBuild a private certificate authority and automatically issue mTLS certificates for internal service-to-service communication. Learn about certificate lifecycle management and CRL design.

More in This Category

IAM Access Analyzer iconIAM Access Analyzer SpecializedA service that detects externally accessible resources and unused access permissionsAWS Certificate Manager iconAWS Certificate Manager EssentialA service that automates provisioning, management, and deployment of SSL/TLS certificatesAWS Artifact iconAWS Artifact SpecializedA service for on-demand access to AWS compliance reports and agreementsAWS Audit Manager iconAWS Audit Manager SpecializedA service that automates evidence collection and assessment for compliance auditsAWS CloudHSM iconAWS CloudHSM SpecializedA service for managing encryption keys using dedicated hardware security modulesAmazon Cognito iconAmazon Cognito PopularA service that provides authentication, authorization, and user management for web and mobile applicationsAmazon Detective iconAmazon Detective SpecializedA service that automatically analyzes security findings and investigates root causesAWS Directory Service iconAWS Directory Service SpecializedA service that provides managed Active Directory on AWS

Similar Articles and Services

Building a Private PKI with AWS Private CA - Automated Certificate Issuance and RotationBuild a private certificate authority and automatically issue mTLS certificates for internal service-to-service communication. Learn about certificate lifecycle management and CRL design.AWS Private Certificate AuthorityA managed certificate authority that issues and manages private certificates for internal organizational useCertificate Management and HTTPS - Automated TLS Certificate Operations with AWS Certificate ManagerLearn about TLS/SSL certificate issuance, automatic renewal, and deployment using AWS Certificate Manager (ACM). Covers integration with CloudFront, ALB, and API Gateway, DNS validation, and Private CA usage.Automating SSL/TLS Certificate Management with AWS Certificate Manager - From Issuance to RotationLearn how ACM handles free public certificate issuance, DNS validation, automatic renewal, and deployment to ALB and CloudFront.AWS Certificate ManagerA service that provisions, manages, and auto-renews SSL/TLS certificates, enabling free HTTPS on CloudFront and ALB