SYSTEM Cited by 2 sources

AWS Private CA (AWS Certificate Manager Private Certificate Authority)

AWS Private CA (AWS Certificate Manager Private Certificate Authority, AWS PCA) is AWS's managed private certificate authority. Used for issuing TLS certificates to internal services (not publicly-trusted web-PKI certs), including the TLS / mTLS certificates used by App Mesh and ECS Service Connect to encrypt service-to-service traffic.

Stub page.

Two certificate modes relevant to service meshes

  • General-purpose certificates — standard long-lived certs, used by App Mesh.
  • Short-lived certificates — automated rotation, much lower per-cert cost, used by Service Connect. Short cert lifetimes reduce the blast radius of key compromise and eliminate most manual rotation work.

Role in service-mesh migration

Service Connect's adoption of PCA short-lived certificates is cited as a cost win in the App Mesh → Service Connect migration guide. One of the quiet architectural shifts: the managed data plane doesn't just manage the sidecar — it also narrows the PKI surface.

Cross-partition PKI (2026-01-30 Sovereign Failover)

AWS Private CA is per-partition — a CA provisioned in the standard AWS partition is not reachable from AWS GovCloud or AWS European Sovereign Cloud. This forces a design choice for cross-partition mTLS: deploy separate PKIs per partition (no cross-trust), manually transfer private keys (violates partition isolation), or cross-sign root CAs across partitions (double-signed certificates, so a leaf issued in one partition can chain to the other partition's root).

The sovereign-failover post endorses cross-signing for regulated cross-partition workloads: "Root CAs in each partition cross-sign each other's certificates, creating a bidirectional chain of trust. Implementing this requires setting up root CAs with AWS Certificate Manager Private CA, establishing cross-signing agreements, managing trust stores across partitions, and handling complex certificate validation and revocation checks." (Source: sources/2026-01-30-aws-sovereign-failover-design-digital-sovereignty)
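The cross-signing topology quoted above, worked through in code as an added example (not code from the sovereign-failover post or from AWS). It uses Go's standard `crypto/x509` to stand in for two partitions' Private CA roots, with hypothetical CA names and workload hostnames. Each partition's private key is generated and used only on "its" side; what crosses the partition boundary is a certificate: partition B signs a CA certificate carrying partition A's root name and public key. A relying party whose trust store holds only B's root can then validate a leaf issued by A, provided the cross-certificate is offered as an intermediate. The three `validates` calls show the consequence: the leaf is trusted in its own partition, rejected in the other partition without the cross-certificate, and accepted once it is present. The 7-day leaf validity is an assumption chosen to mirror the short-lived mode described earlier on this page; revocation checking (which the quote also calls out) is not modelled here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// partitionCA models one partition's Private CA root: its self-signed certificate and key.
// The key never leaves its partition; only certificates (public material) cross the boundary.
type partitionCA struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

var serial = big.NewInt(1000)

func nextSerial() *big.Int { serial.Add(serial, big.NewInt(1)); return new(big.Int).Set(serial) }

// sign creates a certificate from tmpl, signed by parent's key, and parses it back.
func sign(tmpl, parent *x509.Certificate, pub any, parentKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func caTemplate(subject pkix.Name, days int) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          nextSerial(),
		Subject:               subject,
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Duration(days) * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

// newRoot creates a self-signed root for one partition (hypothetical name, not a real AWS CA).
func newRoot(name string) (*partitionCA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := caTemplate(pkix.Name{CommonName: name}, 3650)
	cert, err := sign(tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return &partitionCA{cert: cert, key: key}, nil
}

// crossSign has signer issue a CA certificate for subject's root: same subject name and
// same public key as subject's self-signed root, but signed by signer's key.
func crossSign(signer, subject *partitionCA) (*x509.Certificate, error) {
	tmpl := caTemplate(subject.cert.Subject, 365)
	tmpl.RawSubject = subject.cert.RawSubject // byte-identical name so issuer matching works
	return sign(tmpl, signer.cert, subject.cert.PublicKey, signer.key)
}

// issueLeaf issues a workload certificate from the given partition's root. The 7-day validity
// is an assumption standing in for the short-lived mode described on the page.
func issueLeaf(issuer *partitionCA, dnsName string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: nextSerial(),
		Subject:      pkix.Name{CommonName: dnsName},
		DNSNames:     []string{dnsName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(7 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return sign(tmpl, issuer.cert, &key.PublicKey, issuer.key)
}

// validates reports whether leaf chains to a trust store holding only trustedRoot, with any
// cross-certificates offered as intermediates (as a TLS peer would send them in its chain).
func validates(leaf, trustedRoot *x509.Certificate, intermediates ...*x509.Certificate) bool {
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(trustedRoot)
	for _, c := range intermediates {
		inter.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter, DNSName: leaf.DNSNames[0]})
	return err == nil
}

// Scenario builds two partition roots, has B cross-sign A, issues a leaf in A, and reports
// whether it validates: in A; in B without the cross-cert; in B with the cross-cert.
func Scenario() (inA, inBNoCross, inBWithCross bool, err error) {
	rootA, err := newRoot("Partition A Private CA Root")
	if err != nil {
		return
	}
	rootB, err := newRoot("Partition B Private CA Root")
	if err != nil {
		return
	}
	aSignedByB, err := crossSign(rootB, rootA) // B vouches for A's root key
	if err != nil {
		return
	}
	leaf, err := issueLeaf(rootA, "payments.partition-a.internal") // constructed hostname
	if err != nil {
		return
	}
	return validates(leaf, rootA.cert), validates(leaf, rootB.cert), validates(leaf, rootB.cert, aSignedByB), nil
}

func main() {
	inA, noCross, withCross, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Println("own partition:", inA, "| other partition, no cross-cert:", noCross, "| with cross-cert:", withCross)
}
```

The bidirectional chain in the quote is just this construction applied in both directions (A also cross-signs B). Note what is being trusted: B's trust store still contains only B's root, so B can withdraw trust in A by revoking or letting expire the single cross-certificate, without touching any workload certificate; that is the "trust stores across partitions" and "revocation checks" management burden the post refers to.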
