Working with AWS Certificate Manager Private Certificate Authorities
1h 27m

This course covers the core learning objective to meet the requirements of the 'Designing Compute solutions in AWS - Level 3' skill

Learning Objectives:

  • Evaluate and enforce secure communications when using AWS elastic load balancers using HTTPS/SSL listeners
  • Evaluate when to use a serverless architecture compared to Amazon EC2 based upon workload performance optimization
  • Evaluate how to implement fully managed container orchestration services to deploy, manage, and scale containerized applications

AWS Certificate Manager is ready and able to issue public certificates without any additional configuration. If you want AWS Certificate Manager to issue private certificates, then you must first create a Private Certificate Authority. AWS Certificate Manager Private Certificate Authority is a managed service. AWS will take on the day-to-day responsibility for the certificate authority infrastructure, its high availability, and its backups. 

To use AWS Certificate Manager Private Certificate Authority, you must create a certificate hierarchy: a root certificate authority and a subordinate certificate authority. A root certificate authority is the start of the chain of trust. When you create a root certificate authority, a self-signed certificate is created. This self-signed certificate can be imported into a device's root certificate store so that the device trusts any certificate issued by a certificate authority whose own certificate is digitally signed with the root authority's private key.

Root certificate authorities don't issue certificates to devices or services. Instead, certificates are issued from subordinate certificate authorities. Subordinate certificate authorities have a certificate digitally signed by the root certificate authority's private key. They in turn sign any certificates they issue with their private key. By verifying the signatures of the subordinate CA and the root CA, you can be confident that the certificates issued by the subordinate CA can be trusted and used to establish a secure connection. So, why do we need AWS Certificate Manager Private Certificate Authorities?

Well, if you have internal applications hosted in AWS or on-premises that require SSL or TLS certificates, then you will need digital certificates issued by a CA. These certificates might be for internal domains and namespaces that we can't, or do not want to, validate when requesting a public certificate. And we probably want to simplify certificate management by handing the day-to-day responsibility of running the certificate authority to AWS. AWS Certificate Manager Private Certificate Authority is a paid-for service. You pay monthly fees for each certificate authority you create, and you pay one-off fees for each private certificate issued by your Private Certificate Authority.


About the Author
Carlos Rivas
Sr. AWS Content Creator

Software Development has been my craft for over 2 decades. In recent years, I was introduced to the world of "Infrastructure as Code" and Cloud Computing.
I loved it! -- it re-sparked my interest in staying on the cutting edge of technology.

Colleagues regard me as a mentor and leader in my areas of expertise and also as the person to call when production servers crash and we need the App back online quickly.

My primary skills are:
★ Software Development (Java, PHP, Python and others)
★ Cloud Computing Design and Implementation
★ DevOps: Continuous Delivery and Integration