Private Certificate Authority (ACM PCA)

Get started with Private Certificate Authority (ACM PCA) on LocalStack


AWS Private Certificate Authority (ACM PCA) is a managed private Certificate Authority (CA) service that manages the lifecycle of your private certificates. ACM PCA extends ACM’s certificate management capabilities to private certificates, enabling you to manage public and private certificates centrally.

LocalStack allows you to use the ACM PCA APIs to create, list, and delete private certificates. You can creating, describing, tagging, and listing tags for a CA using ACM PCA. The supported APIs are available on our API coverage page, which provides information on the extent of ACM PCA’s integration with LocalStack.

Getting started

This guide is designed for users who are new to ACM PCA and assumes basic knowledge of the AWS CLI and our awslocal wrapper script.

Create a Certificate Authority (CA)

Start by creating a new Certificate Authority with ACM PCA using the CreateCertificateAuthority API. This command sets up a new CA with specified configurations for key algorithm, signing algorithm, and subject information.

$ awslocal acm-pca create-certificate-authority \
     --certificate-authority-configuration '{
            "Organization":"Example Corp",
     }' \
     --revocation-configuration '{
     }' \
     --certificate-authority-type "ROOT" \
     --tags  Key=Name,Value=MyPCA
{ "CertificateAuthorityArn": "arn:aws:acm-pca:us-east-1:000000000000:certificate-authority/f38ee966-bc23-40f8-8143-e981aee73600" }

Note the CertificateAuthorityArn from the output as it will be needed for subsequent commands.

Describe the Certificate Authority

To retrieve the detailed information about the created Certificate Authority, use the DescribeCertificateAuthority API. This command returns the detailed information about the CA, including the CA’s ARN, status, and configuration.

$ awslocal acm-pca describe-certificate-authority \
    --certificate-authority-arn arn:aws:acm-pca:us-east-1:000000000000:certificate-authority/f38ee966-bc23-40f8-8143-e981aee73600
{ "CertificateAuthority": { "Arn": "arn:aws:acm-pca:us-east-1:000000000000:certificate-authority/f38ee966-bc23-40f8-8143-e981aee73600", "OwnerAccount": "000000000000", "CreatedAt": "2023-12-23T20:52:20.917796+05:30", "Type": "ROOT", "Status": "PENDING_CERTIFICATE", "CertificateAuthorityConfiguration": { "KeyAlgorithm": "RSA_2048", "SigningAlgorithm": "SHA256WITHRSA", "Subject": { "Country": "US", "Organization": "Example Corp", "OrganizationalUnit": "Sales", "State": "WA", "CommonName": "", "Locality": "Seattle" } }, "RevocationConfiguration": { "OcspConfiguration": { "Enabled": true } }, "KeyStorageSecurityStandard": "FIPS_140_2_LEVEL_3_OR_HIGHER", "UsageMode": "SHORT_LIVED_CERTIFICATE" } }

Tag the Certificate Authority

Tagging resources in AWS helps in managing and identifying them. Use the TagCertificateAuthority API to tag the created Certificate Authority. This command adds the specified tags to the specified CA.

$ awslocal acm-pca tag-certificate-authority \
    --certificate-authority-arn arn:aws:acm-pca:us-east-1:000000000000:certificate-authority/f38ee966-bc23-40f8-8143-e981aee73600 \
    --tags Key=Admin,Value=Alice

After tagging your Certificate Authority, you may want to view these tags. You can use the ListTags API to list all the tags associated with the specified CA.

$ awslocal acm-pca list-tags \
    --certificate-authority-arn arn:aws:acm-pca:us-east-1:000000000000:certificate-authority/f38ee966-bc23-40f8-8143-e981aee73600 \
    --max-results 10
{ "Tags": [ { "Key": "Name", "Value": "MyPCA" }, { "Key": "Admin", "Value": "Alice" } ] }