I used AWS Private Certificate Authority to create a private certificate authority (CA) in one AWS account. I want to share the private CA with another account to issue certificates.
Short description
To share a private CA with another account, use AWS Resource Access Manager (AWS RAM) to create a resource share.
You can also share a private CA with the following entities:
- Other principals, such as AWS Identity and Access Management (IAM) users and roles
- Organizational units (OUs)
- Your entire AWS Organizations organization
When you share your private CA, users and roles in other accounts can issue private X.509 certificates that the shared private CA signs.
Resolution
Create an AWS RAM resource share in the account where your private CA is located.
Note: AWS RAM is an AWS Regional service, and a resource share is Regional. You must access the private CA resource share from the same Region where you created it.
To share a private CA with another account, complete the following steps:
1. In the account that has the private CA, create a resource share in AWS RAM.
Note: When you create the resource share, choose the correct permission for the certificate type that you want to issue. For example, to issue end-entity certificates with the default certificate template arn:aws:acm-pca:::template/EndEntityCertificate/V1, choose the default permission AWSRAMDefaultPermissionCertificateAuthority. To issue a subordinate certificate (PathLen0) with the certificate template arn:aws:acm-pca:::template/SubordinateCACertificate_PathLen0/V1, choose AWSRAMSubordinateCACertificatePathLen0IssuanceCertificateAuthority.
2. Accept the shared resource in the other account. If you use Organizations to share and turned on resource sharing within Organizations, then skip to step 6.
3. In the other account, open the AWS RAM console in the same Region where the private CA is located.
4. Under Shared with me, choose Resource shares to view the invitation.
5. Select the name of the shared resource, and then choose Accept resource share.
Note: After you accept the share, the status becomes Active.
6. In the other account, open the AWS Private CA console in the Region where the private CA is located to view the shared private CA in your account.
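The same procedure with the AWS CLI instead of the console, as an added example (not AWS's own code): the CA owner side creates the share with only the managed permission that matches the certificate type, the consumer side accepts the pending invitation in the same Region and then lists CAs owned by other accounts. The CA ARN, account id, and the two CLI profile names are placeholder assumptions.

```shell
# Added example, not AWS's own code. Placeholders: CA ARN, consumer account id, CLI profiles.
set -eu
REGION="${REGION:-us-east-1}"   # RAM shares are Regional: use the CA's Region on both sides
CA_ARN="${CA_ARN:-arn:aws:acm-pca:us-east-1:111111111111:certificate-authority/EXAMPLE-CA-ID}"
CONSUMER_ACCOUNT="${CONSUMER_ACCOUNT:-222222222222}"
OWNER_PROFILE="${OWNER_PROFILE:-ca-owner}"          # credentials for the CA owner account
CONSUMER_PROFILE="${CONSUMER_PROFILE:-ca-consumer}" # credentials for the other account
SHARE_NAME="private-ca-share"

# Map the certificate type to issue onto the RAM managed permission named in the note above.
ram_permission_arn() {
  case "$1" in
    end-entity) echo "arn:aws:ram::aws:permission/AWSRAMDefaultPermissionCertificateAuthority" ;;
    subordinate-pathlen0) echo "arn:aws:ram::aws:permission/AWSRAMSubordinateCACertificatePathLen0IssuanceCertificateAuthority" ;;
    *) echo "unknown certificate type: $1 (use end-entity or subordinate-pathlen0)" >&2; return 1 ;;
  esac
}

# Step 1, CA owner account: share the CA with one principal and only the permission that type needs.
create_ca_share() {
  aws ram create-resource-share --profile "$OWNER_PROFILE" --region "$REGION" \
    --name "$SHARE_NAME" --resource-arns "$CA_ARN" --principals "$CONSUMER_ACCOUNT" \
    --permission-arns "$(ram_permission_arn "$1")"
}

# Steps 2-5, consumer account: find the pending invitation in the same Region and accept it.
accept_ca_share() {
  inv=$(aws ram get-resource-share-invitations --profile "$CONSUMER_PROFILE" --region "$REGION" \
    --query "resourceShareInvitations[?status=='PENDING' && resourceShareName=='$SHARE_NAME'].resourceShareInvitationArn | [0]" \
    --output text)
  if [ -z "$inv" ] || [ "$inv" = "None" ]; then
    echo "no pending invitation named $SHARE_NAME in $REGION (wrong Region or not shared yet?)" >&2; return 1
  fi
  aws ram accept-resource-share-invitation --profile "$CONSUMER_PROFILE" --region "$REGION" \
    --resource-share-invitation-arn "$inv"
}

# Step 6, consumer account: the shared CA is listed under OTHER_ACCOUNTS, not SELF.
verify_shared_ca() {
  aws acm-pca list-certificate-authorities --profile "$CONSUMER_PROFILE" --region "$REGION" \
    --resource-owner OTHER_ACCOUNTS --query "CertificateAuthorities[].Arn" --output text
}

case "${1:-}" in   # usage: sh share-ca.sh share [end-entity|subordinate-pathlen0] | accept | verify
  share)  create_ca_share "${2:-end-entity}" ;;
  accept) accept_ca_share ;;
  verify) verify_shared_ca ;;
esac
```

Run `share` with the owner profile first, then `accept` and `verify` with the consumer profile; the accept step fails on purpose when no pending invitation exists in the chosen Region.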
Related information
How to use AWS RAM to share your AWS Certificate Manager (ACM) AWS Private CA cross-account