How do I share my ACM Private Certificate Authority with another AWS account?

2 minute read
0

I created an AWS Certificate Manager (ACM) Private Certificate Authority (ACM PCA) in one AWS account. Can I share it with a different AWS account to issue certificates?

Short description

You can create a resource share using AWS Resource Access Manager (AWS RAM) to share an ACM PCA with another AWS account. In addition, you can share an ACM PCA with:

  • Other principals, such as AWS Identify and Access Management (IAM) users and IAM roles.
  • Organizational units (OUs).
  • The entire AWS organization that your account is a member of.

Sharing your ACM PCA allows users and roles in other accounts to issue private x509 certificates signed by the shared PCA.

Resolution

Create an AWS RAM share in the account where your ACM PCA resides.

Example

You have an existing ACM PCA in Account A. You want to share it with Account B.

  1. In Account A, create a resource share in AWS RAM. For detailed instructions, see the Console instructions in Creating a resource share.
    Note: In Step 2: Associate a permission with each resource type, choose the permission for the type of certificates that you want to issue. For example:
    To issue end-entity certificates with the default certificate template arn:aws:acm-pca:::template/EndEntityCertificate/V1: choose the default permission AWSRAMDefaultPermissionCertificateAuthority.
    To issue a subordinate certificate (PathLen0) using the certificate template arn:aws:acm-pca:::template/SubordinateCACertificate_PathLen0/V1: choose AWSRAMSubordinateCACertificatePathLen0IssuanceCertificateAuthority.
  2. Accept the shared resource in your shared account (Account B, in this example). If you share with AWS Organizations (with resource sharing within AWS Organization turned on), you can skip to step 6.
  3. In the shared account (Account B, in this example), open the AWS RAM console in the same Region as step 1.
  4. Under Shared with me, select Resource shares. You see the pending share invitation.
  5. Select the name of the shared resource, and then choose Accept resource share. After accepting the share, the share is listed as Active.
  6. In the shared account (Account B, in this example), open the ACM PCA console in the Region where the PCA is located. You see the shared PCA in your account. You can begin to issue private x509 certificates using the shared PCA.

Related information

How to use AWS RAM to share your ACM Private CA cross-account

Creating a resource share in AWS RAM

AWS OFFICIAL
AWS OFFICIALUpdated 2 years ago