# Installing the CA certificate
Complete the following procedures to create and install your private CA certificate. Your CA will then be ready to use.
AWS Private CA supports three scenarios for installing a CA certificate:
+ Installing a certificate for a root CA hosted by AWS Private CA
+ Installing a subordinate CA certificate whose parent authority is hosted by AWS Private CA
+ Installing a subordinate CA certificate whose parent authority is externally hosted
The following sections describe procedures for each scenario. The console procedures begin on the console page **Private CAs**.
## Compatible signing algorithms
Signing algorithm support for CA certificates depends on the signing algorithm of the parent CA and on the AWS Region. The following constraints apply to both console and AWS CLI operations.
+ A parent CA with the RSA key algorithm can issue certificates with the following signing algorithms:
+ SHA256 RSA
+ SHA384 RSA
+ SHA512 RSA
+ In a legacy AWS Region, a parent CA with the EDCSA key algorithm can issue certificates with the following signing algorithms:
+ SHA256 ECDSA
+ SHA384 ECDSA
+ SHA512 ECDSA
Legacy AWS Regions include:
****
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/privateca/latest/userguide/PCACertInstall.html)
+ In a non-legacy AWS Region, the following rules apply for EDCSA:
+ A parent CA with the EC\$1prime256v1 signing algorithm can issue certificates with ECDSA P256.
+ A parent CA with the EC\$1secp384r1 signing algorithm can issue certificates with ECDSA P384.
+ In every AWS Region, the following rules apply for EDCSA:
+ A parent CA with the EC\$1secp521r1 signing algorithm can issue certificates with ECDSA P521.
## Install a root CA certificate
You can install a root CA certificate from the AWS Management Console or the AWS CLI.
**To create and install a certificate for your private root CA (console)**
1. (Optional) If you are not already on the CA's details page, open the AWS Private CA console at [https://console.aws.amazon.com/acm-pca/home](https://console.aws.amazon.com/acm-pca/home). On the **Private certificate authorities** page, choose a root CA with status **Pending certificate** or **Active**.
1. Choose **Actions**, **Install CA certificate** to open the **Install root CA certificate** page.
1. Under **Specify the root CA certificate parameters**, specify the following certificate parameters:
+ **Validity** — Specifies the expiration date and time for the CA certificate. The AWS Private CA default validity period for a root CA certificate is 10 years.
+ **Signature algorithm** — Specifies the signing algorithm to use when the root CA issues new certificates. Available options vary according to the AWS Region where you are creating the CA. For more information, see [Compatible signing algorithms](#signing_algorithms), [Supported cryptographic algorithms in AWS Private Certificate Authority](PcaWelcome.md#supported-algorithms), and **SigningAlgorithm** in [CertificateAuthorityConfiguration](https://docs.aws.amazon.com/privateca/latest/APIReference/API_CertificateAuthorityConfiguration.html#API_CertificateAuthorityConfiguration_Contents).
+ SHA256 RSA
+ SHA384 RSA
+ SHA512 RSA
Review your settings for correctness, then choose **Confirm and install**. AWS Private CA exports a CSR for your CA, generates a certificate using a root CA certificate [template](UsingTemplates.md), and self-signs the certificate. AWS Private CA then imports the self-signed root CA certificate.
1. The details page for the CA displays the status of the installation (success or failure) at the top. If the installation was successful, the newly completed root CA displays a status of **Active** in the **General** pane.
**To create and install a certificate for your private root CA (AWS CLI)**
1. Generate a certificate signing request (CSR).
```
$ aws acm-pca get-certificate-authority-csr \
--certificate-authority-arn arn:aws:acm-pca:us-east-1:111122223333:certificate-authority/11223344-1234-1122-2233-112233445566 \
--output text \
--region region > ca.csr
```
The resulting file `ca.csr`, a PEM file encoded in base64 format, has the following appearance.
```
-----BEGIN CERTIFICATE REQUEST-----
MIIC1DCCAbwCAQAwbTELMAkGA1UEBhMCVVMxFTATBgNVBAoMDEV4YW1wbGUgQ29y
cDEOMAwGA1UECwwFU2FsZXMxCzAJBgNVBAgMAldBMRgwFgYDVQQDDA93d3cuZXhh
bXBsZS5jb20xEDAOBgNVBAcMB1NlYXR0bGUwggEiMA0GCSqGSIb3DQEBAQUAA4IB
DwAwggEKAoIBAQDD+7eQChWUO2m6pHslI7AVSFkWvbQofKIHvbvy7wm8VO9/BuI7
LE/jrnd1jGoyI7jaMHKXPtEP3uNlCzv+oEza07OjgjqPZVehtA6a3/3vdQ1qCoD2
rXpv6VIzcq2onx2X7m+Zixwn2oY1l1ELXP7I5g0GmUStymq+pY5VARPy3vTRMjgC
JEiz8w7VvC15uIsHFAWa2/NvKyndQMPaCNft238wesV5s2cXOUS173jghIShg99o
ymf0TRUgvAGQMCXvsW07MrP5VDmBU7k/AZ9ExsUfMe2OB++fhfQWr2N7/lpC4+DP
qJTfXTEexLfRTLeLuGEaJL+c6fMyG+Yk53tZAgMBAAGgIjAgBgkqhkiG9w0BCQ4x
EzARMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAA7xxLVI5s1B
qmXMMT44y1DZtQx3RDPanMNGLGO1TmLtyqqnUH49Tla+2p7nrl0tojUf/3PaZ52F
QN09SrFk8qtYSKnMGd5PZL0A+NFsNW+w4BAQNKlg9m617YEsnkztbfKRloaJNYoA
HZaRvbA0lMQ/tU2PKZR2vnao444Ugm0O/t3jx5rj817b31hQcHHQ0lQuXV2kyTrM
ohWeLf2fL+K0xJ9ZgXD4KYnY0zarpreA5RBeO5xs3Ms+oGWc13qQfMBx33vrrz2m
dw5iKjg71uuUUmtDV6ewwGa/VO5hNinYAfogdu5aGuVbnTFT3n45B8WHz2+9r0dn
bA7xUel1SuQ=
-----END CERTIFICATE REQUEST-----
```
You can use [OpenSSL](https://www.openssl.org/) to view and verify the contents of the CSR.
```
openssl req -text -noout -verify -in ca.csr
```
This yields output similar to the following.
```
verify OK
Certificate Request:
Data:
Version: 0 (0x0)
Subject: C=US, O=Example Corp, OU=Sales, ST=WA, CN=www.example.com, L=Seattle
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:c3:fb:b7:90:0a:15:94:3b:69:ba:a4:7b:25:23:
b0:15:48:59:16:bd:b4:28:7c:a2:07:bd:bb:f2:ef:
09:bc:54:ef:7f:06:e2:3b:2c:4f:e3:ae:77:75:8c:
6a:32:23:b8:da:30:72:97:3e:d1:0f:de:e3:65:0b:
3b:fe:a0:4c:da:d3:b3:a3:82:3a:8f:65:57:a1:b4:
0e:9a:df:fd:ef:75:0d:6a:0a:80:f6:ad:7a:6f:e9:
52:33:72:ad:a8:9f:1d:97:ee:6f:99:8b:1c:27:da:
86:35:97:51:0b:5c:fe:c8:e6:0d:06:99:44:ad:ca:
6a:be:a5:8e:55:01:13:f2:de:f4:d1:32:38:02:24:
48:b3:f3:0e:d5:bc:2d:79:b8:8b:07:14:05:9a:db:
f3:6f:2b:29:dd:40:c3:da:08:d7:ed:db:7f:30:7a:
c5:79:b3:67:17:39:44:b5:ef:78:e0:84:84:a1:83:
df:68:ca:67:f4:4d:15:20:bc:01:90:30:25:ef:b1:
6d:3b:32:b3:f9:54:39:81:53:b9:3f:01:9f:44:c6:
c5:1f:31:ed:8e:07:ef:9f:85:f4:16:af:63:7b:fe:
5a:42:e3:e0:cf:a8:94:df:5d:31:1e:c4:b7:d1:4c:
b7:8b:b8:61:1a:24:bf:9c:e9:f3:32:1b:e6:24:e7:
7b:59
Exponent: 65537 (0x10001)
Attributes:
Requested Extensions:
X509v3 Basic Constraints: critical
CA:TRUE
Signature Algorithm: sha256WithRSAEncryption
0e:f1:c4:b5:48:e6:cd:41:aa:65:cc:31:3e:38:cb:50:d9:b5:
0c:77:44:33:da:9c:c3:46:2c:63:b5:4e:62:ed:ca:aa:a7:50:
7e:3d:4e:56:be:da:9e:e7:ae:5d:2d:a2:35:1f:ff:73:da:67:
9d:85:40:dd:3d:4a:b1:64:f2:ab:58:48:a9:cc:19:de:4f:64:
bd:00:f8:d1:6c:35:6f:b0:e0:10:10:34:a9:60:f6:6e:b5:ed:
81:2c:9e:4c:ed:6d:f2:91:96:86:89:35:8a:00:1d:96:91:bd:
b0:34:94:c4:3f:b5:4d:8f:29:94:76:be:76:a8:e3:8e:14:82:
6d:0e:fe:dd:e3:c7:9a:e3:f3:5e:db:df:58:50:70:71:d0:d2:
54:2e:5d:5d:a4:c9:3a:cc:a2:15:9e:2d:fd:9f:2f:e2:b4:c4:
9f:59:81:70:f8:29:89:d8:d3:36:ab:a6:b7:80:e5:10:5e:3b:
9c:6c:dc:cb:3e:a0:65:9c:d7:7a:90:7c:c0:71:df:7b:eb:af:
3d:a6:77:0e:62:2a:38:3b:d6:eb:94:52:6b:43:57:a7:b0:c0:
66:bf:54:ee:61:36:29:d8:01:fa:20:76:ee:5a:1a:e5:5b:9d:
31:53:de:7e:39:07:c5:87:cf:6f:bd:af:47:67:6c:0e:f1:51:
e9:75:4a:e4
```
1. Using the CSR from the previous step as the argument for the `--csr` parameter, issue the root certificate.
**Note**
The examples below use the prefix `fileb://` to load required input files, ensuring that AWS Private CA parses Base64-encoded data correctly. If you are using AWS CLI version older than 1.6.3, use `file://` instead.
```
$ aws acm-pca issue-certificate \
--certificate-authority-arn arn:aws:acm-pca:region:account:certificate-authority/CA_ID \
--csr fileb://ca.csr \
--signing-algorithm SHA256WITHRSA \
--template-arn arn:aws:acm-pca:::template/RootCACertificate/V1 \
--validity Value=365,Type=DAYS
```
1. Retrieve the root certificate.
```
$ aws acm-pca get-certificate \
--certificate-authority-arn arn:aws:acm-pca:us-east-1:111122223333:certificate-authority/11223344-1234-1122-2233-112233445566 \
--certificate-arn arn:aws:acm-pca:region:account:certificate-authority/CA_ID/certificate/certificate_ID \
--output text > cert.pem
```
The resulting file `cert.pem`, a PEM file encoded in base64 format, has the following appearance.
```
-----BEGIN CERTIFICATE-----
MIIDpzCCAo+gAwIBAgIRAIIuOarlQETlUQEOZJGZYdIwDQYJKoZIhvcNAQELBQAw
bTELMAkGA1UEBhMCVVMxFTATBgNVBAoMDEV4YW1wbGUgQ29ycDEOMAwGA1UECwwF
U2FsZXMxCzAJBgNVBAgMAldBMRgwFgYDVQQDDA93d3cuZXhhbXBsZS5jb20xEDAO
BgNVBAcMB1NlYXR0bGUwHhcNMjEwMzA4MTU0NjI3WhcNMjIwMzA4MTY0NjI3WjBt
MQswCQYDVQQGEwJVUzEVMBMGA1UECgwMRXhhbXBsZSBDb3JwMQ4wDAYDVQQLDAVT
YWxlczELMAkGA1UECAwCV0ExGDAWBgNVBAMMD3d3dy5leGFtcGxlLmNvbTEQMA4G
A1UEBwwHU2VhdHRsZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMP7
t5AKFZQ7abqkeyUjsBVIWRa9tCh8oge9u/LvCbxU738G4jssT+Oud3WMajIjuNow
cpc+0Q/e42ULO/6gTNrTs6OCOo9lV6G0Dprf/e91DWoKgPatem/pUjNyraifHZfu
b5mLHCfahjWXUQtc/sjmDQaZRK3Kar6ljlUBE/Le9NEyOAIkSLPzDtW8LXm4iwcU
BZrb828rKd1Aw9oI1+3bfzB6xXmzZxc5RLXveOCEhKGD32jKZ/RNFSC8AZAwJe+x
bTsys/lUOYFTuT8Bn0TGxR8x7Y4H75+F9BavY3v+WkLj4M+olN9dMR7Et9FMt4u4
YRokv5zp8zIb5iTne1kCAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4E
FgQUaW3+r328uTLokog2TklmoBK+yt4wDgYDVR0PAQH/BAQDAgGGMA0GCSqGSIb3
DQEBCwUAA4IBAQAXjd/7UZ8RDE+PLWSDNGQdLemOBTcawF+tK+PzA4Evlmn9VuNc
g+x3oZvVZSDQBANUz0b9oPeo54aE38dW1zQm2qfTab8822aqeWMLyJ1dMsAgqYX2
t9+u6w3NzRCw8Pvz18V69+dFE5AeXmNP0Z5/gdz8H/NSpctjlzopbScRZKCSlPid
Rf3ZOPm9QP92YpWyYDkfAU04xdDo1vR0MYjKPkl4LjRqSU/tcCJnPMbJiwq+bWpX
2WJoEBXB/p15Kn6JxjI0ze2SnSI48JZ8it4fvxrhOo0VoLNIuCuNXJOwU17Rdl1W
YJidaq7je6k18AdgPA0Kh8y1XtfUH3fTaVw4
-----END CERTIFICATE-----
```
You can use [OpenSSL](https://www.openssl.org/) to view and verify the contents of the certificate.
```
openssl x509 -in cert.pem -text -noout
```
This yields output similar to the following.
```
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
82:2e:39:aa:e5:40:44:e5:51:01:0e:64:91:99:61:d2
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, O=Example Corp, OU=Sales, ST=WA, CN=www.example.com, L=Seattle
Validity
Not Before: Mar 8 15:46:27 2021 GMT
Not After : Mar 8 16:46:27 2022 GMT
Subject: C=US, O=Example Corp, OU=Sales, ST=WA, CN=www.example.com, L=Seattle
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:c3:fb:b7:90:0a:15:94:3b:69:ba:a4:7b:25:23:
b0:15:48:59:16:bd:b4:28:7c:a2:07:bd:bb:f2:ef:
09:bc:54:ef:7f:06:e2:3b:2c:4f:e3:ae:77:75:8c:
6a:32:23:b8:da:30:72:97:3e:d1:0f:de:e3:65:0b:
3b:fe:a0:4c:da:d3:b3:a3:82:3a:8f:65:57:a1:b4:
0e:9a:df:fd:ef:75:0d:6a:0a:80:f6:ad:7a:6f:e9:
52:33:72:ad:a8:9f:1d:97:ee:6f:99:8b:1c:27:da:
86:35:97:51:0b:5c:fe:c8:e6:0d:06:99:44:ad:ca:
6a:be:a5:8e:55:01:13:f2:de:f4:d1:32:38:02:24:
48:b3:f3:0e:d5:bc:2d:79:b8:8b:07:14:05:9a:db:
f3:6f:2b:29:dd:40:c3:da:08:d7:ed:db:7f:30:7a:
c5:79:b3:67:17:39:44:b5:ef:78:e0:84:84:a1:83:
df:68:ca:67:f4:4d:15:20:bc:01:90:30:25:ef:b1:
6d:3b:32:b3:f9:54:39:81:53:b9:3f:01:9f:44:c6:
c5:1f:31:ed:8e:07:ef:9f:85:f4:16:af:63:7b:fe:
5a:42:e3:e0:cf:a8:94:df:5d:31:1e:c4:b7:d1:4c:
b7:8b:b8:61:1a:24:bf:9c:e9:f3:32:1b:e6:24:e7:
7b:59
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Subject Key Identifier:
69:6D:FE:AF:7D:BC:B9:32:E8:92:88:36:4E:49:66:A0:12:BE:CA:DE
X509v3 Key Usage: critical
Digital Signature, Certificate Sign, CRL Sign
Signature Algorithm: sha256WithRSAEncryption
17:8d:df:fb:51:9f:11:0c:4f:8f:2d:64:83:34:64:1d:2d:e9:
8e:05:37:1a:c0:5f:ad:2b:e3:f3:03:81:2f:96:69:fd:56:e3:
5c:83:ec:77:a1:9b:d5:65:20:d0:04:03:54:cf:46:fd:a0:f7:
a8:e7:86:84:df:c7:56:d7:34:26:da:a7:d3:69:bf:3c:db:66:
aa:79:63:0b:c8:9d:5d:32:c0:20:a9:85:f6:b7:df:ae:eb:0d:
cd:cd:10:b0:f0:fb:f3:d7:c5:7a:f7:e7:45:13:90:1e:5e:63:
4f:d1:9e:7f:81:dc:fc:1f:f3:52:a5:cb:63:97:3a:29:6d:27:
11:64:a0:92:94:f8:9d:45:fd:d9:38:f9:bd:40:ff:76:62:95:
b2:60:39:1f:01:4d:38:c5:d0:e8:d6:f4:74:31:88:ca:3e:49:
78:2e:34:6a:49:4f:ed:70:22:67:3c:c6:c9:8b:0a:be:6d:6a:
57:d9:62:68:10:15:c1:fe:9d:79:2a:7e:89:c6:32:34:cd:ed:
92:9d:22:38:f0:96:7c:8a:de:1f:bf:1a:e1:3a:8d:15:a0:b3:
48:b8:2b:8d:5c:93:b0:53:5e:d1:76:5d:56:60:98:9d:6a:ae:
e3:7b:a9:35:f0:07:60:3c:0d:0a:87:cc:b5:5e:d7:d4:1f:77:
d3:69:5c:38
```
1. Import the root CA certificate to install it on the CA.
**Note**
The examples below use the prefix `fileb://` to load required input files, ensuring that AWS Private CA parses Base64-encoded data correctly. If you are using AWS CLI version older than 1.6.3, use `file://` instead.
```
$ aws acm-pca import-certificate-authority-certificate \
--certificate-authority-arn arn:aws:acm-pca:region:account:certificate-authority/CA_ID \
--certificate fileb://cert.pem
```
Inspect the new status of the CA.
```
$ aws acm-pca describe-certificate-authority \
--certificate-authority-arn arn:aws:acm-pca:us-east-1:111122223333:certificate-authority/11223344-1234-1122-2233-112233445566 \
--output json
```
The status now appears as ACTIVE.
```
{
"CertificateAuthority": {
"Arn": "arn:aws:acm-pca:us-east-1:111122223333:certificate-authority/11223344-1234-1122-2233-112233445566",
"CreatedAt": "2021-03-05T14:24:12.867000-08:00",
"LastStateChangeAt": "2021-03-08T12:37:14.235000-08:00",
"Type": "ROOT",
"Serial": "serial_number",
"Status": "ACTIVE",
"NotBefore": "2021-03-08T07:46:27-08:00",
"NotAfter": "2022-03-08T08:46:27-08:00",
"CertificateAuthorityConfiguration": {
"KeyAlgorithm": "RSA_2048",
"SigningAlgorithm": "SHA256WITHRSA",
"Subject": {
"Country": "US",
"Organization": "Example Corp",
"OrganizationalUnit": "Sales",
"State": "WA",
"CommonName": "www.example.com",
"Locality": "Seattle"
}
},
"RevocationConfiguration": {
"CrlConfiguration": {
"Enabled": true,
"ExpirationInDays": 7,
"CustomCname": "alternative.example.com",
"S3BucketName": "amzn-s3-demo-bucket"
},
"OcspConfiguration": {
"Enabled": false
}
}
}
}
```
## Install a subordinate CA certificate hosted by AWS Private CA
You can use the AWS Management Console to create and install a certificate for your AWS Private CA hosted subordinate CA.
**To create and install a certificate for your AWS Private CA hosted subordinate CA**
1. (Optional) If you are not already on the CA's details page, open the AWS Private CA console at [https://console.aws.amazon.com/acm-pca/home](https://console.aws.amazon.com/acm-pca/home). On the **Private certificate authorities** page, choose a subordinate CA with status **Pending certificate** or **Active**.
1. Choose **Actions**, **Install CA Certificate** to open the **Install subordinate CA certificate** page.
1. On the **Install subordinate CA certificate** page, under **Select CA type**, choose **AWS Private CA** to install a certificate that is managed by AWS Private CA.
1. Under **Select parent CA**, choose a CA from the **Parent private CA** list. The list is filtered to display CAs that meet the following criteria:
+ You have permission to use the CA.
+ The CA would not be signing itself.
+ The CA is in state `ACTIVE`.
+ The CA mode is `GENERAL_PURPOSE`.
1. Under **Specify the subordinate CA certificate parameters**, specify the following certificate parameters:
+ **Validity** — Specifies the expiration date and time for the CA certificate.
+ **Signature algorithm** — Specifies the signing algorithm to use when the root CA issues new certificates. Options are:
+ SHA256 RSA
+ SHA384 RSA
+ SHA512 RSA
+ **Path length** — The number of trust layers that the subordinate CA can add when signing new certificates. A path length of zero (the default) means that only end-entity certificates, and not CA certificates, can be created. A path length of one or more means that the subordinate CA may issue certificates to create additional CAs subordinate to it.
+ **Template ARN** — Displays the ARN of the configuration template for this CA certificate. The template changes if you change the specified **Path length**. If you create a certificate using the CLI [issue-certificate](https://docs.aws.amazon.com/cli/latest/reference/acm-pca/issue-certificate.html) command or API [IssueCertificate](https://docs.aws.amazon.com/privateca/latest/APIReference/API_IssueCertificate.html) action, you must specify the ARN manually. For information about available CA certificate templates, see [Use AWS Private CA certificate templates](UsingTemplates.md).
1. Review your settings for correctness, then choose **Confirm and install**. AWS Private CA exports a CSR, generates a certificate using a subordinate CA certificate [template](UsingTemplates.md), and signs the certificate it with the selected parent CA. AWS Private CA then imports the signed subordinate CA certificate.
1. The details page for the CA displays the status of the installation (success or failure) at the top. If the installation was successful, the newly completed subordinate CA displays a status of **Active** in the **General** pane.
## Install a subordinate CA certificate signed by an external parent CA
After you create a subordinate private CA as described in [Create a private CA in AWS Private CA](create-CA.md), you have the option of activating it by installing a CA certificate signed by an external signing authority. Signing your subordinate CA certificate with an external CA requires that you first set up an external trust services provider as your signing authority, or arrange for the use of a third-party provider.
**Note**
Procedures for creating or obtaining an external trust services provider are outside the scope of this guide.
After you have created a subordinate CA and you have access to an external signing authority, complete the following tasks:
1. Obtain a certificate signing request (CSR) from AWS Private CA.
1. Submit the CSR to your external signing authority and obtain a signed CA certificate along with any chain certificates.
1. Import the CA certificate and chain into AWS Private CA to activate your subordinate CA.
For detailed procedures, see [Use externally signed private CA certificates](PcaExternalRoot.md).