Share your ACM Private CA cross-account

A few weeks ago aws launched a new feature to share a Private CA with any AWS account or within your organization. This feature helps you to save costs because you just need to deploy one CA per organization. Since the one Private CA costs $400 per month this is a huge saving. Additionally this feature helps you secure certificates because each account the Private CA is shared with creates it's own certificate and remains in full control of said certificate. The key "lives" in the certificate-creation-account and is fully protected there.
In this post I will show you how to automate the sharing of the Private CA plus how to use it in the shared accounts.

Architecture

❗️ The shared ACM-PCA is also working for Amazon Managed Streaming for Apache Kafka (Amazon MSK) - but only via API - the shared ACM-PCA is not shown in the AWS Console.

Prerequisites

1. ACM-PCA must be deployed
2. All Features of your AWS Organizations must be enabled
3. RAM sharing within your AWS Organization must be enabled How to enable this:
   1. Log in to the Organization Master Account with a role or user with permissions to perform ACM and AWS RAM operations in both the central and shared accounts.
   2. Navigate to the AWS Resource Access Manager service.
   3. Click on Settings on the left menu option.
   4. Enable the feature by checking the Enable sharing within your AWS Organization option.

Deployment of the RAM resource in the central AWS Account

1. Log in to the MPA and switch to the account where the ACM-PCA is deployed.
2. Switch to the Region (e.g.: eu-central-1)
3. Open the CloudFormation service console
4. Select Create Stack - Upload a template file; Click Choose file and pick the following file: 001-aws-shared_acm-pca.json
5. Click Next; Enter the following parameters:

1. Click Next; Check: "I acknowledge that AWS CloudFormation might create IAM resources." and Submit

⚠️ Side note: If you are sharing a resource using RAM with the whole Organization you don't need to accept the invation in the target Account.

How to request a new certificate from the shared private CA using console

1. Log in to an Organization account where the ACM-PCA is being shared with and go to the Certificate Manager console
2. Choose Request a certificate.
3. Select the option Request a private certificate, then choose Request a certificate.
4. For CA, select Shared-Private-CA, and then click Next.
5. For Add domain names, add the domain www.privatedomain.com , and click Next.
6. Choose Review and request, confirm it and then click Confirm and request.
7. You can now see your new ACM certificate, issued by the Shared-Private-CA in your account.

How to request a new certificate from the shared private CA using cli

1. Request certificate

aws acm request-certificate –-domain-name www.privatedomain.com --certificate-authority-arn arn:aws:acm-pca:region:111122223333:certificate-authority/123456-xyz123 --validation-method DNS