Working with AWS Certificate Manager Private Certificate Authorities
1h 39m

This section of the Solution Architect Associate learning path introduces you to the core encryption concepts and services relevant to the SAA-C03 exam. We give an overview of the AWS encryption options and of how to select and apply AWS encryption services to the relevant situations and scenarios.


Learning Objectives

  • Learn the fundamentals of Amazon's Key Management Service (KMS), including permissions, key policies, and key management
  • Learn how the AWS Secrets Manager is used to implement security best practices by protecting secrets such as database credentials and API keys
  • Learn the fundamentals of CloudHSM, how it's implemented, and how to use it as a Custom Key Store in KMS
  • Learn how to implement server-side and client-side encryption

AWS Certificate Manager is ready and able to issue public certificates without any additional configuration. If you want AWS Certificate Manager to issue private certificates, then you must first create a Private Certificate Authority. AWS Certificate Manager Private Certificate Authority is a managed service. AWS will take on the day-to-day responsibility for the certificate authority infrastructure, its high availability, and its backups. 

To use AWS Certificate Manager Private Certificate Authority, you must create a certificate hierarchy: you configure a root certificate authority and a subordinate certificate authority. A root certificate authority is the start of the chain of trust. When you create a root certificate authority, a self-signed certificate is created. This self-signed certificate can be imported into a device's root certificate store so that the device trusts any certificate issued by a certificate authority whose own certificate is digitally signed by the root authority's self-signed certificate.

Root certificate authorities don't issue certificates to devices or services. Instead, certificates are issued from subordinate certificate authorities. Subordinate certificate authorities have a certificate digitally signed by the root certificate authority's private key. They in turn sign any certificates they issue with their private key. By verifying the signatures of the subordinate CA and the root CA, you can be confident that the certificates issued by the subordinate CA can be trusted and used to establish a secure connection. So, why do we need AWS Certificate Manager Private Certificate Authorities?

Well, if you have internal applications hosted in AWS or on-premises that require SSL or TLS certificates, then you will need digital certificates issued by a CA. These certificates might be for internal domains and namespaces that we can't, or do not want to, validate when requesting a public certificate. And we probably want to simplify certificate management by giving the day-to-day responsibility of running the certificate authority to AWS. AWS Certificate Manager Private Certificate Authority is a paid-for service. You pay monthly fees for each certificate authority you create, and you pay one-off fees for each private certificate that is issued by your Private Certificate Authority.


About the Author

Stuart has been working within the IT industry for two decades covering a huge range of topic areas and technologies, from data center and network infrastructure design, to cloud architecture and implementation.

To date, Stuart has created 150+ courses relating to Cloud reaching over 180,000 students, mostly within the AWS category and with a heavy focus on security and compliance.

Stuart is a member of the AWS Community Builders Program for his contributions towards AWS.

He is AWS certified and accredited in addition to being a published author covering topics across the AWS landscape.

In January 2016 Stuart was awarded ‘Expert of the Year Award 2015’ from Experts Exchange for his knowledge share within cloud services to the community.

Stuart enjoys writing about cloud technologies and you will find many of his articles within our blog pages.