AWS Private CA

What Is This Service?

Managed AWS private Public Key Infrastructure (PKI) service for issuing and managing private X.509 certificates.

Mental model:

AWS Private CA = Establish Trust → Issue Certificates → Authenticate → Rotate → Revoke

Primary purpose:

Provide scalable internal certificate issuance and lifecycle management for private environments without operating PKI infrastructure.

Typical use cases:

• internal TLS
• mutual TLS (mTLS)
• workload identity
• service mesh identity
• private APIs
• internal applications
• enterprise PKI
• Kubernetes certificates
• IoT device certificates

Historical naming:

ACM Private CA
↓
AWS Private CA

Exam questions may still reference either name.

---

Why It Matters for Security

Modern environments require machine identity.

Passwords and static secrets do not scale.

AWS Private CA exists to:

• establish trust boundaries
• automate certificate issuance
• centralize PKI governance
• reduce certificate sprawl
• simplify lifecycle operations
• support encryption in transit

Security outcomes:

• strong workload identity
• authenticated communications
• automated certificate management
• reduced operational risk

MOST TESTED:

Private CA establishes private trust.

It is not internet browser trust.

---

Architecture Example

Enterprise Internal PKI

flowchart LR

Users --> ALB
Users --> PrivateAPI
Users --> InternalServices

subgraph PKI
RootCA[Offline Root CA]
SubCA[AWS Private CA]
end

subgraph CertificateManagement
ACM[ACM]
KMS[KMS]
CloudTrail[CloudTrail]
end

RootCA --> SubCA

SubCA --> ACM

ACM --> ALB
ACM --> PrivateAPI
ACM --> InternalServices

SubCA --> IoT[IoT Devices]

SubCA --> KMS

SubCA --> CloudTrail

Architecture goals:

• centralized trust
• automated issuance
• strong separation of authority
• operational scalability

---

Workflow(s)

Certificate Issuance

sequenceDiagram

participant Service
participant ACM
participant PrivateCA
participant HSM

Service->>ACM: Request certificate

ACM->>PrivateCA: Issue request

PrivateCA->>HSM: Sign request

HSM->>PrivateCA: Signed certificate

PrivateCA->>ACM: Return certificate

ACM->>Service: Deploy certificate

---

Mutual TLS Authentication

sequenceDiagram

participant Client
participant Server
participant PrivateCA

Client->>Server: TLS handshake

Server->>Client: Server certificate

Client->>PrivateCA: Validate trust

Client->>Server: Present client certificate

Server->>PrivateCA: Validate identity

Server->>Client: Establish encrypted session

---

Revocation Validation

sequenceDiagram

participant Client
participant Service
participant Revocation
participant PrivateCA

Client->>Service: Present certificate

Service->>Revocation: Check status

Revocation->>PrivateCA: Validate

PrivateCA->>Service: Good / Revoked

Service->>Client: Allow / Reject

---

Core Concepts

Public Certificates vs Private Certificates

Capability	Public	Private
Browser trusted	Yes	No
Internal trust	Limited	Yes
Domain ownership validation	Required	Not required
Enterprise PKI	Limited	Yes

Public certificates:

www.company.com

Private certificates:

internal-api.corp

MASSIVE EXAM TRAP:

Private CA does not perform DNS validation.

---

Certificate Authority Hierarchy

Recommended design:

Offline Root CA
↓
AWS Private CA (Subordinate)
↓
Applications

Benefits:

• reduced blast radius
• simpler revocation
• operational separation

Avoid:

Root CA directly issuing certificates

---

Root CA

Trust anchor.

Characteristics:

• self-signed
• highest sensitivity
• rarely used

Best practices:

• isolate
• minimize access
• protect aggressively

---

Subordinate CA

Operational issuing authority.

Benefits:

• delegated trust
• easier recovery
• regional isolation

Common model:

Root
↓
Regional subordinate
↓
Environment

---

Certificate Templates

HIGH VALUE

Templates define:

• key usage
• extended key usage
• constraints
• path length
• issuance permissions

Examples:

• server authentication
• client authentication
• subordinate CA
• code signing

Purpose:

Prevent certificate misuse.

---

Certificate Subject and SAN Flexibility

MOST TESTED

Unlike public ACM certificates:

AWS Private CA supports:

• custom Subject DNs
• custom Subject Alternative Names
• URI identities

Examples:

CN=payments-service

OU=security

URI=spiffe://cluster.local/ns/default/sa/backend

Use cases:

• EKS service mesh
• SPIFFE identities
• workload authentication

Exam trap:

Private trust does not require public namespace ownership.

---

ACM Integration

MOST TESTED

Private CA integrates directly with ACM.

Flow:

ACM
↓
AWS Private CA
↓
Issue
↓
Deploy
↓
Renew

Supported examples:

• ALB
• NLB TLS
• API Gateway
• internal services

Exam trap:

CloudFront requires publicly trusted certificates.

Private CA certificates cannot terminate CloudFront.

---

Important Integrations

Service	Purpose
ACM	Certificate lifecycle
KMS	Key protection
IAM	Authorization
CloudTrail	Auditing
ALB	TLS termination
API Gateway	Private APIs
EKS	Service identity
IoT Core	Device certificates
Secrets Manager	Certificate storage patterns
Organizations	Governance
RAM	Cross-account CA sharing

---

Security Features

Hardware-Protected Keys

MOST TESTED

CA private keys are protected using:

FIPS 140-2 Level 3 validated HSMs

Benefits:

• non-exportable keys
• managed hardware
• compliance alignment

Exam trap:

Private CA is managed.

You do not manage HSM infrastructure.

---

Certificate Revocation

Supported methods:

• CRL
• OCSP

Purpose:

Invalidate compromised certificates.

Revocation does not delete certificates.

---

Short-Lived Certificates

Best practice:

Issue shorter validity periods.

Benefits:

• reduced compromise window
• less dependency on revocation

---

Fine-Grained Authorization

Access controls:

• IAM
• resource policies

Common permissions:

acm-pca:IssueCertificate

acm-pca:GetCertificate

acm-pca:DescribeCertificateAuthority

MASSIVE EXAM TRAP:

Private CA authorization relies on IAM.

Not DNS validation.

---

Cross-Account Issuance

HIGH VALUE

Pattern:

Security Account
↓
Private CA
↓
RAM Share
↓
Application Accounts

Benefits:

• centralized trust
• reduced operational burden

---

Advanced Security and Operational Concepts

Control Plane vs Data Plane

Control Plane:

• create CA
• configure templates
• issue
• revoke

Data Plane:

• certificate presentation
• TLS validation
• mTLS handshake

Exam trap:

Private CA does not terminate TLS.

Consumers terminate TLS.

---

Multi-Region Architecture

HIGH VALUE

Private CA is regional.

Pattern:

Offline Root
↓
Regional subordinate CAs

Benefits:

• isolation
• lower blast radius
• local operations

Exam trap:

Private CA does not automatically replicate.

---

Cross-Account Governance

MOST TESTED

flowchart LR

Organizations

Organizations --> SecurityAccount

SecurityAccount --> PrivateCA

PrivateCA --> AppAccount1

PrivateCA --> AppAccount2

PrivateCA --> AppAccount3

Benefits:

• centralized PKI
• organizational trust
• delegated operations

---

Revocation: CRL vs OCSP

MOST TESTED

Capability	CRL	OCSP
Validation	Download list	Real-time lookup
Scale	Lower	Higher
Latency	Higher	Lower
Best for	Enterprise	IoT / Service mesh

CRL:

Download revoked certificates
↓
Local validation

OCSP:

Query certificate
↓
Receive live status

Exam rule:

Millions of clients → OCSP

Traditional enterprise → CRL

---

mTLS Architecture

HIGH VALUE

flowchart LR

Client --> ClientCert

ClientCert --> PrivateCA

Server --> ServerCert

ServerCert --> PrivateCA

Client --> Server

Benefits:

• bidirectional authentication
• encrypted east-west traffic
• workload identity

Common uses:

• EKS
• service mesh
• private APIs

---

Private CA vs ACM

Capability	Private CA	ACM
Manage PKI	Yes	No
Issue certificates	Yes	Public/private
Renewal	Via ACM	Yes
CA hierarchy	Yes	No

Rule:

Need PKI → Private CA

Need certificate consumption → ACM

---

Private CA vs CloudHSM

MASSIVE EXAM TRAP

Capability	Private CA	CloudHSM
Managed PKI	Yes	No
Dedicated HSM	No	Yes
Certificate issuance	Yes	No
Customer crypto ownership	Limited	Full

Rule:

Need internal PKI → Private CA

Need full HSM ownership → CloudHSM

---

Cost Model

Primary drivers:

• active certificate authorities
• certificates issued

Optimization:

• centralize issuing CAs
• avoid unnecessary subordinate hierarchies

Exam trap:

Charges apply even if CA is idle.

---

Comparisons

Service	Primary Role
AWS Private CA	Private PKI
ACM	Certificate lifecycle
KMS	Key management
CloudHSM	Dedicated cryptography
Secrets Manager	Secret lifecycle

---

Common Exam Traps

1. AWS Private CA was formerly ACM Private CA.

2. Private CA is not browser trusted.

3. Private CA does not perform DNS validation.

4. IAM authorizes issuance.

5. CloudFront requires public certificates.

6. Private CA integrates with ACM.

7. Private CA is regional.

8. Root CA should not issue directly.

9. OCSP scales better than CRL.

10. Revocation does not remove certificates.

11. Private CA does not terminate TLS.

12. RAM enables cross-account sharing.

13. FIPS 140-2 Level 3 is the compliance keyword.

14. Custom Subject/SAN identities are supported.

15. mTLS is a major use case.

---

5-Second Recall

• AWS Private CA = managed private PKI
• Formerly ACM Private CA
• Offline Root → Subordinate → Certificates
• IAM controls issuance
• ACM consumes certificates
• OCSP scales
• FIPS 140-2 Level 3 protection
• Private trust, not browser trust

---

Quick Revision Notes

• Build internal PKI
• Use subordinate CA architecture
• Integrate with ACM
• Share via RAM
• Prefer short-lived certificates
• Use OCSP at scale
• Protect roots aggressively
• Support custom identities
• CloudFront requires public certs
• Private CA establishes machine trust