← Week 2: ACM Private CA — architecture + API

Day 8: ACM Private CA Overview — CA Hierarchy Design

Phase 5 · September 2, 2026

← Week 2: ACM Private CA — architecture + API

Agenda (2–3 hours)

  • Read (60 min): ACM PCA User Guide — "What is ACM Private CA"; "CA hierarchy best practices"
  • Study (60 min): Three-tier hierarchy design; ACM PCA CA types
  • Write (45 min): Design your provisioning service CA hierarchy
← Week 2: ACM Private CA — architecture + API

What Is ACM Private CA?

AWS Certificate Manager Private CA (ACM PCA) is a managed CA service that:

  • Manages the CA private key (in an AWS-managed FIPS 140-2 L3 HSM)
  • Issues X.509 certificates for private networks (not browser-trusted)
  • Provides an API for certificate issuance, revocation, and audit
  • Integrates with ACM for automatic cert renewal on AWS services
  • Supports custom certificate templates
  • Manages CRL and OCSP infrastructure

What ACM PCA does NOT do:

  • Issue publicly-trusted TLS certs (use ACM + public CA for that)
  • Run SPIRE agent or workload attestation (that's Phase 4)
  • Manage the certificate lifecycle on your devices (that's your provisioning service)
← Week 2: ACM Private CA — architecture + API

ACM PCA CA Types

ACM PCA supports two CA types:

CA type Purpose Can issue
Root CA Self-signed root; top of your private hierarchy Subordinate CA certs
Subordinate CA Signed by a root (internal or external); operational tier Leaf certs + subordinate CAs

When to use each:

Use a Root CA in ACM PCA when:

  • You want AWS to manage the entire hierarchy
  • You don't need a parent root outside AWS

Use a Subordinate CA in ACM PCA when:

  • Your root is offline (best practice) and you sign the sub CA cert offline
  • You chain to an external PKI (partner, device OEM, etc.)
← Week 2: ACM Private CA — architecture + API
Tier 1: Root CA
├── Purpose: Trust anchor
├── Validity: 10–20 years
├── Location: Offline HSM (vault) or ACM PCA Root CA
├── Operations: Sign subordinate CA certs once per year (maximum)
└── Policy: Never connects to the internet

    Tier 2: Subordinate / Policy CA
    ├── Purpose: Intermediate; enforce naming/policy constraints
    ├── Validity: 5–10 years
    ├── Location: ACM PCA Subordinate CA
    ├── Operations: Sign issuance CA certs
    └── Policy: Constrained to specific path lengths and naming

        Tier 3: Issuance CA
        ├── Purpose: Issue leaf certificates
        ├── Validity: 1–3 years
        ├── Location: ACM PCA Subordinate CA (configured for issuance)
        ├── Operations: Issue device/service/SVID leaf certs
        └── Policy: Constrained by certificate templates
← Week 2: ACM Private CA — architecture + API

Why Three Tiers?

Containment at each level:

  • If the issuance CA is compromised → revoke it; create a new one; re-issue leaf certs
    Impact: all leaf certs issued by that CA must be re-issued (bounded set)

  • If the subordinate CA is compromised → revoke it; create a new one from root
    Impact: all issuance CAs under it must be replaced (larger, but bounded)

  • If the root CA is compromised → your entire PKI is untrusted
    Impact: catastrophic; trust anchor must be rebuilt

Separating root from issuance means the root is rarely used,
reducing its attack surface to near zero.

← Week 2: ACM Private CA — architecture + API

Designing Your Hierarchy

For the Leo Provisioning Service, propose a concrete hierarchy:

Leo Root CA
├── Validity: 15 years (offline, or ACM PCA Root)
├── Subject: CN=Leo Root CA, O=Amazon, C=US
│
└── Leo Provisioning Subordinate CA
    ├── Validity: 5 years (ACM PCA)
    ├── Subject: CN=Leo Provisioning CA, O=Amazon, C=US
    ├── nameConstraints: permitted=leo.amazon.com (optional)
    │
    ├── Leo Device Issuance CA  (Validity: 2 years)
    │   └── Issues: satellite terminal device certs
    │
    └── Leo Service Issuance CA  (Validity: 2 years)
        └── Issues: service-to-service TLS / SVID-like certs

Consider: do devices and services need the same issuance CA?
Having separate issuance CAs means you can revoke one without affecting the other.

← Week 2: ACM Private CA — architecture + API

ACM PCA Pricing (as of 2026)

Item Cost
Private CA per month $400/mo per CA (first 12 months) → $200/mo after
Certificate issuance (private PKI) $0.75 per cert
Certificate issued via ACM (auto-renewal) $0 per cert (included with ACM)
OCSP responses $0.001 per 1,000 OCSP requests
CRL storage S3 cost (negligible)

For a 3-tier hierarchy (root + sub + 2 issuance): 4 CAs × $400/mo = $1,600/mo initial.
For 10,000 device certs/month: 10,000 × $0.75 = $7,500/mo additional.

Total rough estimate: $9,000–$10,000/month for a full hierarchy at moderate scale.

← Week 2: ACM Private CA — architecture + API

Challenge Assignment

Design your provisioning service CA hierarchy in acm-pca-design.md §1:

## §1. CA Hierarchy Design

### 1.1 Hierarchy Diagram
<diagram: tiers, subjects, validity periods, ACM PCA vs. offline>

### 1.2 Root CA Decision
<offline HSM vs. ACM PCA Rootwhich and why>

### 1.3 Naming and Policy Constraints
<Subject DNs, nameConstraints (if any), path length constraints>

### 1.4 Validity Period Rationale
<Why each tier has the validity period you chose>

### 1.5 Cost Estimate
<Number of CAs × ACM PCA price + estimated cert volume × $0.75>
← Week 2: ACM Private CA — architecture + API

Resources

  • ACM PCA User Guide: docs.aws.amazon.com/privateca/latest/userguide
  • CA hierarchy best practices: docs.aws.amazon.com/privateca/latest/userguide/ca-hierarchy.html
  • ACM PCA pricing: aws.amazon.com/private-ca/pricing
  • RFC 5280 §4.2.1.9: Basic Constraints (path length)
  • NIST SP 800-57 Part 1 §5.3: CA hierarchy design