Can you automate cross-account private CA certificate renewal through AWS RAM and ACM Private CA?


We're planning to use AWS RAM and ACM Private CA for central private certificate authority (CA) management across multiple AWS accounts. If we were to use AWS RAM in one account (account A) to share a private CA with a second account (account B), and then account B uses the private CA from account A in ELB and CloudFront, would the private CA in account B also be renewed automatically when the private CA in account A is renewed? Or would we need to do that manually?

asked 2 years ago187 views
1 Answer
Accepted Answer

CA certificates aren't automatically renewed through ACM Private CA, so you'll have to manually reimport a certificate in account A's private CA. The private CA in account A will automatically come back to its previous state (ACTIVE) and be shared with account B without changing the ARN or ID of the private CA. If your services are exposing the whole certificate chain, then those will have to be updated to match the new shared private CA certificate. For more information, see Updating your private CA in the ACM Private CA user guide.

Note: AWS Certificate Manager (ACM) provides managed renewal for Amazon-issued SSL/TLS certificates. This means that ACM will either renew your certificates automatically (if you're using DNS validation), or it will send you email notices when your certificate expirations are approaching.

answered 2 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions