
How do I share my ACM Private Certificate Authority with another AWS account?


I created an AWS Certificate Manager (ACM) Private Certificate Authority (ACM PCA) in one AWS account. I want to know if I can share that ACM PCA with another AWS account to issue certificates.

Short description

You can use AWS Resource Access Manager (AWS RAM) to create a resource share that shares an ACM PCA with another AWS account. You can also share an ACM PCA with other principals, such as the following:

  • Other principals, such as AWS Identity and Access Management (IAM) users and IAM roles.
  • Organizational units (OUs).
  • The entire AWS organization that your account is a member of.

Your ACM PCA share allows users and roles in the other accounts to issue private X.509 certificates signed by the shared PCA, limited to the actions that the managed permission attached to the share grants. The CA itself stays in, and is administered from, the account that owns it.

Resolution

Create an AWS RAM share in the account where your ACM PCA resides.

Example use case

You have an existing ACM PCA in Account A and you want to share it with Account B.

Note: AWS RAM is a Regional service, and a resource share is Regional. Principals in other AWS accounts must access a shared ACM PCA from the same AWS Region where the PCA was created.

  1. In Account A, create a resource share in AWS RAM. For instructions, see the Console instructions in Creating a resource share in AWS RAM.

    Note: In Step 2: Associate a managed permission with each resource type, choose the permission that matches the type of certificates that you want the other account to issue. For example:
    To issue end-entity certificates with the default certificate template arn:aws:acm-pca:::template/EndEntityCertificate/V1, choose the default permission AWSRAMDefaultPermissionCertificateAuthority.
    To issue subordinate CA certificates (PathLen0) with the certificate template arn:aws:acm-pca:::template/SubordinateCACertificate_PathLen0/V1, choose AWSRAMSubordinateCACertificatePathLen0IssuanceCertificateAuthority.

  2. Accept the shared resource in the account that you shared with (Account B, in this example). If you share with AWS Organizations and sharing with AWS Organizations is turned on in AWS RAM, the share doesn't need to be accepted, and you can skip to step 6.

  3. In the shared account (Account B, in this example), open the AWS RAM console in the same Region as step 1.

  4. Under Shared with me, select Resource shares. You see the pending share invitation.

  5. Select the name of the shared resource, and then choose Accept resource share. After you accept the share, the share appears as Active.

  6. In the shared account (Account B, in this example), open the ACM PCA console in the Region where the PCA is located. You see the shared PCA in your account. You can use the shared PCA to issue private X.509 certificates.
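The six console steps above as AWS CLI calls, an added example that is not part of this re:Post article. The account IDs, CA ARN, Region, CLI profile names, share name and CSR path are placeholders; the managed permission ARNs and the end-entity template ARN are the ones named above. The script goes slightly beyond the steps: it only accepts an invitation that was sent by Account A, and after sharing it lists the principals that the share is associated with, which is the check to repeat whenever the share is edited. The signing algorithm assumes an RSA CA key.

```shell
#!/bin/sh
# Added example, not code from the re:Post article: the console steps as AWS CLI calls.
# Account IDs, CA ARN, Region, profile names, share name and CSR path are placeholders.
set -eu

AWS_CLI="${AWS_CLI:-aws}"          # real CLI by default; can be overridden for a dry run

REGION="us-east-1"                 # assumed: the Region the CA was created in (shares are Regional)
PROFILE_A="account-a"              # assumed: CLI profile with credentials in the CA owner account
PROFILE_B="account-b"              # assumed: CLI profile with credentials in the consumer account
ACCOUNT_A="111111111111"           # assumed
ACCOUNT_B="222222222222"           # assumed
CA_ARN="arn:aws:acm-pca:${REGION}:${ACCOUNT_A}:certificate-authority/11111111-2222-3333-4444-555555555555"  # assumed

# Managed permissions and template named in the article.
DEFAULT_PERM="arn:aws:ram::aws:permission/AWSRAMDefaultPermissionCertificateAuthority"
SUBCA_PERM="arn:aws:ram::aws:permission/AWSRAMSubordinateCACertificatePathLen0IssuanceCertificateAuthority"
END_ENTITY_TEMPLATE="arn:aws:acm-pca:::template/EndEntityCertificate/V1"

# Step 1 (Account A): create the share. The managed permission, not the CA, decides what
# Account B may issue: $DEFAULT_PERM for end-entity certificates, $SUBCA_PERM for PathLen0
# subordinate CAs. Prints the resource share ARN.
create_share() {                   # create_share SHARE_NAME PERMISSION_ARN
  "$AWS_CLI" ram create-resource-share \
    --profile "$PROFILE_A" --region "$REGION" \
    --name "$1" \
    --resource-arns "$CA_ARN" \
    --principals "$ACCOUNT_B" \
    --permission-arns "$2" \
    --query 'resourceShare.resourceShareArn' --output text
}

# Steps 2-5 (Account B): find the pending invitation. Filter on the sender so that an
# unrelated invitation that happens to be pending is not accepted by mistake.
pending_invitation_arn() {
  "$AWS_CLI" ram get-resource-share-invitations \
    --profile "$PROFILE_B" --region "$REGION" \
    --query "resourceShareInvitations[?status=='PENDING' && senderAccountId=='$ACCOUNT_A'].resourceShareInvitationArn | [0]" \
    --output text
}

accept_invitation() {              # accept_invitation INVITATION_ARN; prints the new status
  "$AWS_CLI" ram accept-resource-share-invitation \
    --profile "$PROFILE_B" --region "$REGION" \
    --resource-share-invitation-arn "$1" \
    --query 'resourceShareInvitation.status' --output text
}

# Step 6 (Account B): issue an end-entity certificate from a CSR. The template is named
# explicitly so the request matches what the managed permission allows. Prints the
# certificate ARN. SHA256WITHRSA assumes an RSA CA key (use SHA256WITHECDSA for an EC key).
issue_certificate() {              # issue_certificate CSR_PATH VALIDITY_DAYS
  "$AWS_CLI" acm-pca issue-certificate \
    --profile "$PROFILE_B" --region "$REGION" \
    --certificate-authority-arn "$CA_ARN" \
    --csr "fileb://$1" \
    --signing-algorithm SHA256WITHRSA \
    --template-arn "$END_ENTITY_TEMPLATE" \
    --validity "Value=$2,Type=DAYS" \
    --query CertificateArn --output text
}

# Check (Account A): which principals the share is associated with. Every principal
# listed here can issue from the CA, so review this after sharing and after any edit.
share_principals() {               # share_principals SHARE_ARN
  "$AWS_CLI" ram get-resource-share-associations \
    --profile "$PROFILE_A" --region "$REGION" \
    --association-type PRINCIPAL \
    --resource-share-arns "$1" \
    --query 'resourceShareAssociations[].associatedEntity' --output text
}

# End-to-end run (needs working profiles and a CSR at ./server.csr): pass "run" as the
# first argument. Without it the script only defines the functions above.
if [ "${1:-}" = "run" ]; then
  share_arn=$(create_share "acm-pca-to-account-b" "$DEFAULT_PERM")
  invitation_arn=$(pending_invitation_arn)
  accept_invitation "$invitation_arn"
  share_principals "$share_arn"
  issue_certificate ./server.csr 365
fi
```

Setting AWS_CLI to a wrapper that only echoes its arguments lets you review the exact commands before running them against real accounts; the run path is what you would execute once the profiles exist.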

Related information

How to use AWS RAM to share your ACM Private CA cross-account

AWS OFFICIAL
Updated 6 months ago