How to issue use-case bound certificates with AWS Private CA
Security Blog
This article provides a guide on using AWS Private Certificate Authority (AWS Private CA) to issue X.509 certificates tailored for specific use cases by defining the intended purpose within the certificate Key Usage and Extended Key Usage extensions.
Specifically, the article covers:
- Background on AWS Private CA, Key Usage, and Extended Key Usage extensions
- Certificate templates and use cases supported by AWS Private CA
- How to use blank certificate templates with API Passthrough and CSR Passthrough to define custom Key Usage and Extended Key Usage values
- Step-by-step examples, using the AWS CLI, of issuing certificates bound to the email protection and smart card authentication use cases
- How to retrieve and decode the issued certificates to verify the defined extensions