Can you automate cross-account private CA certificate renewal through AWS RAM and ACM Private CA?

Question

We're planning to use AWS RAM and ACM Private CA for central private certificate authority (CA) management across multiple AWS accounts. If we were to use AWS RAM in one account (account A) to share a private CA with a second account (account B), and then account B uses the private CA from account A in ELB and CloudFront, would the private CA in account B also be renewed automatically when the private CA in account A is renewed? Or would we need to do that manually?

Accepted Answer

CA certificates aren't automatically renewed through ACM Private CA, so you'll have to manually reimport a certificate in account A's private CA. The private CA in account A will automatically come back to its previous state (ACTIVE) and be shared with account B without changing the ARN or ID of the private CA. If your services are exposing the whole certificate chain, then those will have to be updated to match the new shared private CA certificate. For more information, see Updating your private CA in the ACM Private CA user guide.

Note: AWS Certificate Manager (ACM) provides managed renewal for Amazon-issued SSL/TLS certificates. This means that ACM will either renew your certificates automatically (if you're using DNS validation), or it will send you email notices when your certificate expirations are approaching.

**Note:** AWS Certificate Manager (ACM) provides [managed renewal for Amazon-issued SSL/TLS certificates](https://docs.aws.amazon.com/acm/latest/userguide/managed-renewal.html). This means that ACM will either renew your certificates automatically (if you're using DNS validation), or it will send you email notices when your certificate expirations are approaching.

Can you automate cross-account private CA certificate renewal through AWS RAM and ACM Private CA?

関連するコンテンツ