SYSTEM Cited by 2 sources
AWS Private CA (AWS Certificate Manager Private Certificate Authority)
AWS Private CA (AWS Certificate Manager Private Certificate Authority, AWS PCA) is AWS's managed private certificate authority. It issues TLS certificates to internal services (not publicly trusted web-PKI certificates), including the TLS and mTLS certificates that App Mesh and ECS Service Connect use to encrypt service-to-service traffic.
Stub page.
Two certificate modes relevant to service meshes
- General-purpose certificates — standard long-lived certs, used by App Mesh.
- Short-lived certificates — automated rotation, much lower per-cert cost, used by Service Connect. Short cert lifetimes reduce the blast radius of key compromise and eliminate most manual rotation work.
Role in service-mesh migration
Service Connect's adoption of PCA short-lived certificates is cited as a cost win in the App Mesh → Service Connect migration guide. One of the quiet architectural shifts: the managed data plane doesn't just manage the sidecar — it also narrows the PKI surface.
Related
- systems/aws-app-mesh — uses PCA general-purpose certs
- systems/aws-ecs-service-connect — uses PCA short-lived certs
- concepts/mutual-tls — the feature that App Mesh supports via PCA but Service Connect (as of 2025-01-18) does not
Cross-partition PKI (2026-01-30 Sovereign Failover)
AWS Private CA is per-partition: a CA provisioned in the standard AWS partition is not reachable from AWS GovCloud or AWS European Sovereign Cloud. This forces a design choice for cross-partition mTLS: deploy separate PKIs per partition (no cross-trust), manually transfer private keys (violates partition isolation), or cross-sign root CAs across partitions (double-signed certificates).
The sovereign-failover post endorses cross-signing for regulated cross-partition workloads: "Root CAs in each partition cross-sign each other's certificates, creating a bidirectional chain of trust. Implementing this requires setting up root CAs with AWS Certificate Manager Private CA, establishing cross-signing agreements, managing trust stores across partitions, and handling complex certificate validation and revocation checks." (Source: sources/2026-01-30-aws-sovereign-failover-design-digital-sovereignty)
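Added example, not from the page, the cited post, or AWS: a local openssl model of the cross-signing design quoted above, which also shows the short-lived-certificate point from the modes section. Two self-signed roots stand in for two partitions' Private CAs (the labels "std" and "sov", the service names orders-sov and billing-std, and all file names are constructed for this example). Each root cross-signs the other's key, so a workload whose trust store holds only its own partition's root can validate a peer certificate issued in the other partition once the cross-certificate is supplied in the chain. The 1-day leaf shows how a short lifetime bounds the window in which a compromised key remains usable. Requires the openssl CLI (1.1.1 or later).

```shell
#!/bin/sh
# Constructed cross-partition PKI model (not AWS Private CA itself):
# two roots, mutual cross-certificates, one long-lived and one short-lived leaf.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Extension profiles for roots/cross-certificates and for end-entity certs.
cat > "$WORK/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[leaf_ext]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = serverAuth,clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF

# make_root PARTITION: self-signed root CA standing in for that partition's Private CA
make_root() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=$1 Root" -config "$WORK/pki.cnf" -extensions ca_ext \
    -keyout "$WORK/$1-root.key" -out "$WORK/$1-root.crt" 2>/dev/null
}

# cross_sign SIGNER SUBJECT: SIGNER's root issues a CA certificate over SUBJECT's
# existing root key (same subject name and key as SUBJECT's root, different issuer)
cross_sign() {
  openssl req -new -key "$WORK/$2-root.key" -subj "/CN=$2 Root" \
    -config "$WORK/pki.cnf" -out "$WORK/$2-xcsr.pem" 2>/dev/null
  openssl x509 -req -in "$WORK/$2-xcsr.pem" -sha256 -days 365 \
    -CA "$WORK/$1-root.crt" -CAkey "$WORK/$1-root.key" -CAcreateserial \
    -extfile "$WORK/pki.cnf" -extensions ca_ext \
    -out "$WORK/$2-by-$1.crt" 2>/dev/null
}

# issue_leaf PARTITION NAME DAYS: workload certificate from PARTITION's root
issue_leaf() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" -config "$WORK/pki.cnf" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$2.csr" -sha256 -days "$3" \
    -CA "$WORK/$1-root.crt" -CAkey "$WORK/$1-root.key" -CAcreateserial \
    -extfile "$WORK/pki.cnf" -extensions leaf_ext \
    -out "$WORK/$2.crt" 2>/dev/null
}

# verify_leaf ANCHOR LEAF [CROSS_CERT] [EPOCH]: exit 0 if LEAF chains to the
# trust store ANCHOR, optionally through the untrusted CROSS_CERT, as of EPOCH
verify_leaf() {
  anchor=$1; leaf=$2; inter=$3; at=$4
  set -- -CAfile "$anchor"
  [ -n "$inter" ] && set -- "$@" -untrusted "$inter"
  [ -n "$at" ] && set -- "$@" -attime "$at"
  openssl verify "$@" "$leaf" >/dev/null 2>&1
}

NOW=$(date +%s)
LATER=$((NOW + 3 * 86400))   # a moment after the 1-day leaf has expired

make_root std                  # standard-partition root (constructed label)
make_root sov                  # sovereign-partition root (constructed label)
cross_sign std sov             # std Root signs sov Root's key -> sov-by-std.crt
cross_sign sov std             # sov Root signs std Root's key -> std-by-sov.crt
issue_leaf sov orders-sov 1    # short-lived workload cert (1 day)
issue_leaf std billing-std 365 # general-purpose workload cert (1 year)

# report ANCHOR LEAF [CROSS_CERT] [EPOCH]: human-readable verdict
report() {
  if verify_leaf "$@"; then echo "OK    $2 validates against $1"
  else echo "FAIL  $2 does not validate against $1"; fi
}

report "$WORK/sov-root.crt" "$WORK/orders-sov.crt"                          # own partition
report "$WORK/std-root.crt" "$WORK/orders-sov.crt"                          # foreign root, no cross-cert
report "$WORK/std-root.crt" "$WORK/orders-sov.crt" "$WORK/sov-by-std.crt"   # foreign root + cross-cert
report "$WORK/sov-root.crt" "$WORK/billing-std.crt" "$WORK/std-by-sov.crt"  # reverse direction
report "$WORK/std-root.crt" "$WORK/orders-sov.crt" "$WORK/sov-by-std.crt" "$LATER"  # after expiry
```

The second and third lines of output are the operational point of the quoted design: the remote partition's root alone rejects the leaf, and it is the cross-certificate (distributed alongside the trust store, and subject to its own expiry and revocation) that closes the gap. The last line shows why short-lived leaves need automated reissuance rather than manual rotation: the same chain that validated a moment ago fails once the leaf's notAfter has passed.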
Seen in
- sources/2025-01-18-aws-app-mesh-discontinuation-service-connect-migration — named as the TLS certificate substrate for both meshes; short-lived-cert cost advantage called out for Service Connect.
- sources/2026-01-30-aws-sovereign-failover-design-digital-sovereignty — named as the per-partition CA substrate requiring cross-signed root CAs for cross-partition authenticated mTLS.