With Amazon Private Certificate Authority (Amazon Private CA), you pay a monthly fee for the operation of each private certificate authority (CA) and the private certificates you issue each month.
Private certificate authority operation
There are two operating modes in Amazon Private CA. General-purpose mode can issue certificates with any validity period. Short-lived certificate mode can only issue certificates valid for up to 7 days.
The charge for operating a private CA is as follows:
- 2,760 CNY per private CA per month for general-purpose mode
- 345 CNY per private CA per month for short-lived certificate mode
Private CA operation is pro-rated for partial months based on when you create and delete the CA. You are not charged for a private CA after you delete it. However, if you restore a deleted CA, you are charged for the time between deleting it and restoring it (CA restoration is only available for 30 days after deletion).
Amazon Private CA 30-day free trial
Any Amazon Web Services account can try Amazon Private CA with no CA operation charge for the first 30 days for the first private CA created in the account in each Region. You pay for the certificates you issue during the trial period. If you wish to terminate the trial, then you must delete the CA, if you do not you will start to incur CA operation charges after the trial period expires.
Private certificates
For certificates you issue directly from a private CA, you are charged when you issue a certificate. You pay a one-time fee for each private certificate issued by Amazon Private CA. This fee is incurred in the Amazon Web Services account from which you issue the certificate. Private certificate pricing is based on the number of certificates issued in the calendar month in each Region (as indicated in the table below).
For certificates requested through Amazon Certificate Manager, you are charged for a certificate the first time you export the private key and certificate. You are not charged for additional exports of the same private key and certificate. Renewed certificates have a new key pair, so you are charged the first time you export a renewed certificate.
If you use Amazon Organizations and consolidated billing, fees are aggregated by the payer account. If you move your account to an organization under a different payer account, certificates will be priced according to the pricing tiers applicable to that payer account during that billing cycle.
| Number of certificates issued in the month / per Region | Price (per certificate) |
|---|---|
| 1 - 1,000 certificates | 5.17 CNY |
| 1,001 - 10,000 certificates | 2.41 CNY |
| 10,001+ certificates | 0.0069 CNY |
| Number of certificates issued in the month / per Region | Price (per certificate) |
|---|---|
| 1+ certificates |
0.40 CNY |
Connectors
Connectors are an Amazon Private CA feature that allow you to replace existing CAs with Amazon Private CA in environments that have an established native certificate distribution solution. Amazon Private CA offers Connector for Kubernetes. Certificates issued through connectors count toward your total number of private certificates each month. The Connector for Kubernetes is offered at no additional charge; you only pay for the Amazon Private CAs and the certificates issued from them.
Pricing examples
Certificate issuance
Example 1: Two general-purpose mode private CAs in the same Region (Beijing)
Two general-purpose mode private CAs both in the same Region are used to issue a total of 20,000 certificates in a month.
2 x 2,760 CNY (general-purpose mode private CA operation)
1,000 x 5.17 CNY (first 1,000 general-purpose mode certificates)
9,000 x 2.41 CNY (next 1,001 up to 10,000 general-purpose mode certificates)
10,000 x 0.0069 CNY (above 10,000 general-purpose mode certificates)
Total = 32,449 CNY
Example 2: One short-lived certificate mode private CA
One short-lived certificate mode private CA which issues 17,000 short-lived certificates in a month.
1 x 345 CNY (short-lived certificate mode private CA operation)
17,000 x 0.40 CNY (short-lived certificate mode certificates)
Total = 7,145 CNY
Example 3: Two general-purpose mode private CAs in two Regions
Two general-purpose mode private CAs; one in CN North 1 (Beijing), the other in CN Northwest 1 (Ningxia). The general-purpose mode private CA in Beijing issues 12,000 certificates in a month, the general-purpose mode private CA in Ningxia issues 8,000 certificates in a month.
2 x 2,760 CNY (general-purpose mode private CA operation)
1,000 x 5.17 CNY (first 1,000 general-purpose mode certificates Beijing)
9,000 x 2.41 CNY (next 1,001 up to 10,000 general-purpose mode certificates Beijing)
2,000 x 0.0069 CNY (above 10,000 general-purpose mode certificates Beijing)
1,000 x 5.17 (first 1,000 general-purpose mode certificates Ningxia)
7,000 x 2.41 (next 1,001 up to 10,000 general-purpose mode certificates Ningxia)
Total = 54,433.80 CNY
Example 4: 17,000 short-lived certificates and 2,000 certificates with a validity period of over 7 days (for a total of 19,000 certificates) in the same Region
One general-purpose mode private CA or one general-purpose and one short-lived certificate mode private CA.
One general-purpose mode private CA in the same Region:
1 x 2,760 CNY (general-purpose mode private CA operation)
1,000 x 5.17 CNY (general-purpose mode certificates)
9,000 x 2.41 CNY (general-purpose mode certificates)
9,000 x 0.0069 CNY (general-purpose mode certificates)
Total = 29,682.10 CNY
One general-purpose mode private CA and one short-lived certificate mode private CA in the same Region:
1 x 2,760 CNY (general-purpose mode private CA operation)
1 x 345 CNY (short-lived certificate mode private CA operation)
1,000 x 5.17 CNY (general-purpose mode certificates)
1,000 x 2.41 CNY (general-purpose mode certificates)
17,000 x 0.40 CNY (short-lived certificate mode certificates)
Total = 17,485 CNY
Example 5: Billing example for 12,000 certificates and 8,000 certificates with a single payer account or two separate payer accounts in the same Region.
Two Amazon Web Services accounts each with one general-purpose mode private CA in the same Region. In a month, one CA issues 12,000 certificates and the second CA issues 8,000 certificates.
One payer account for both Amazon Web Services accounts:
2 x 2,760 CNY (general-purpose mode private CA operation)
1,000 x 5.17 CNY (first 1,000 general-purpose mode certificates)
9,000 x 2.41 CNY (next 1,001 up to 10,000 general-purpose mode certificates)
10,000 x 0.0069 CNY (above 10,000 general-purpose mode certificates)
Total = 32,449 CNY
Separate payer accounts for both Amazon Web Services accounts:
1 x 2,760 CNY (general-purpose mode private CA operation)
1,000 x 5.17 CNY (first 1,000 general-purpose mode certificates)
9,000 x 2.41 CNY (next 1,001 up to 10,000 general-purpose mode certificates)
2,000 x 0.0069 (above 10,000 general-purpose mode certificates)
Total for first payer account (CA issues 12,000 certificates) = 29,633.8 CNY
1 x 2,760 CNY (general-purpose mode private CA operation)
1,000 x 5.17 CNY (first 1,000 general-purpose mode certificates)
7,000 x 2.41 CNY (next 1,001 up to 10,000 general-purpose mode certificates)
Total for second payer account (CA issues 8,000 certificates) = 24,800 CNY
Grand total for both Amazon Web Services accounts = 54,433.80 CNY
Connectors
Example 6: Billing example for 12,000 certificates for Kubernetes issued from a general-purpose mode private CA in one Region.
One general-purpose mode private CA issues 12,000 certificates through connectors in one month in one Region.
1 x 2,760 CNY (general-purpose mode private CA operation)
1,000 x 5.17 CNY (first 1,000 general-purpose mode certificates)
9,000 x 2.41 CNY (next 1,001 up to 10,000 general-purpose mode certificates)
2,000 x 0.0069 CNY (above 10,000 general-purpose mode certificates)
Total = 29,633.80 CNY
Start to Build for Free with Amazon Web Services
Start to Build for Free with Amazon Web Services
