
aws_acmpca_certificate_authority cost estimation

A managed private certificate authority. Priced as a flat monthly CA fee by mode, plus a per-certificate issuance charge.

An aws_acmpca_certificate_authority runs a private CA for issuing TLS certificates inside your organization (mTLS, internal services, IoT) without operating your own PKI. The cost is a flat monthly fee for the CA itself, plus a charge per certificate issued.

The CA fee depends on the usage mode. General-purpose mode is about $400/month per CA, billed for as long as the CA exists and prorated daily for partial months. The short-lived-certificate mode is about $50/month per CA and is intended for certificates valid 7 days or less (service meshes, mTLS). On top of the CA fee, each issued certificate is billed on a steeply tiered scale: cheap at low volume, fractions of a cent at high volume.

c3x prices the CA fee from the usage_mode and treats certificate issuance as a usage-based dimension supplied in c3x-usage.yml. The ~$400/month general-purpose CA is the surprise: it's a significant standing cost, so for short-lived-cert workloads the $50 mode, or consolidating onto fewer CAs, is the main lever.

Terraform example

A minimal but realistic configuration that C3X can estimate.

resource "aws_acmpca_certificate_authority" "internal" {
  type       = "ROOT"
  usage_mode = "GENERAL_PURPOSE"

  certificate_authority_configuration {
    key_algorithm     = "RSA_2048"
    signing_algorithm = "SHA256WITHRSA"

    subject {
      common_name = "internal.example.com"
    }
  }
}

Pricing dimensions

What you actually pay for when you provision aws_acmpca_certificate_authority.

| Dimension | Unit | What's being charged |
| --- | --- | --- |
| CA fee | per month | Flat monthly fee per CA by usage mode, prorated daily. c3x reads usage_mode and prices the CA. ($400/month general-purpose, $50/month short-lived) |
| Certificates issued | per certificate | Per-certificate issuance on a steeply tiered scale (cheaper at volume). Usage-based; define monthly issuance in c3x-usage.yml. ($0.75/cert (first tier), much lower at scale) |

Sample C3X output

Example output from c3x estimate (general-purpose CA, CA fee only):

aws_acmpca_certificate_authority.internal
└─ CA fee (general-purpose)    1  month    $400.00

OVERALL TOTAL                             $400.00
(certificate issuance usage-based)

Optimization tips

Common ways to reduce aws_acmpca_certificate_authority cost without changing the workload.

Use short-lived mode for mTLS / service meshes

~$350/month per CA

If your certs are valid 7 days or less (common for mTLS and service meshes), the short-lived-certificate mode is ~$50/month vs ~$400 for general-purpose. An 8x reduction for the right workload.

Consolidate onto fewer CAs

Per avoided CA

Each CA carries the monthly fee. A subordinate-CA hierarchy under one root, or sharing a CA across environments where policy allows, avoids paying $400 multiple times.

Delete CAs you've stopped using

Full CA fee

The fee accrues daily until the CA is deleted (not just disabled). Decommission CAs from retired projects rather than leaving them to bill.
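
The three tips above can be checked against the JSON form of a Terraform plan (terraform show -json) before it is applied. The following Python script is an added example, not c3x's own code: it totals the standing CA fee using the approximate prices quoted on this page and flags CAs that are disabled but not deleted. The function name, the sample plan and the pricing of an unset usage_mode as general-purpose are assumptions.

```python
import json

CA_TYPE = "aws_acmpca_certificate_authority"
# Approximate monthly CA fees quoted on this page, keyed by usage_mode.
MONTHLY_CA_FEE = {"GENERAL_PURPOSE": 400.0, "SHORT_LIVED_CERTIFICATE": 50.0}


def audit_private_cas(plan):
    """Return (rows, total_monthly_fee) for every Private CA left after the plan."""
    rows = []
    for rc in plan.get("resource_changes", []):
        after = rc.get("change", {}).get("after")
        if rc.get("type") != CA_TYPE or after is None:
            continue  # not a Private CA, or the CA is being deleted (billing stops)
        # Assumption: an unset usage_mode is priced as general-purpose.
        mode = after.get("usage_mode") or "GENERAL_PURPOSE"
        if mode not in MONTHLY_CA_FEE:
            raise ValueError(f"{rc['address']}: unknown usage_mode {mode!r}")
        notes = []
        if after.get("enabled") is False:
            notes.append("disabled but not deleted: the CA fee still accrues")
        if mode == "GENERAL_PURPOSE":
            notes.append("short-lived mode applies only if certs are valid 7 days or less")
        rows.append({"address": rc["address"], "mode": mode,
                     "monthly_fee": MONTHLY_CA_FEE[mode], "notes": notes})
    return rows, sum(row["monthly_fee"] for row in rows)


# Constructed sample plan, trimmed to the fields the audit reads.
SAMPLE_PLAN = json.loads("""
{"resource_changes": [
 {"address": "aws_acmpca_certificate_authority.internal", "type": "aws_acmpca_certificate_authority",
  "change": {"actions": ["no-op"], "after": {"usage_mode": "GENERAL_PURPOSE", "enabled": true}}},
 {"address": "aws_acmpca_certificate_authority.mesh", "type": "aws_acmpca_certificate_authority",
  "change": {"actions": ["create"], "after": {"usage_mode": "SHORT_LIVED_CERTIFICATE", "enabled": true}}},
 {"address": "aws_acmpca_certificate_authority.legacy", "type": "aws_acmpca_certificate_authority",
  "change": {"actions": ["update"], "after": {"usage_mode": "GENERAL_PURPOSE", "enabled": false}}},
 {"address": "aws_acmpca_certificate_authority.retired", "type": "aws_acmpca_certificate_authority",
  "change": {"actions": ["delete"], "after": null}},
 {"address": "aws_s3_bucket.crl", "type": "aws_s3_bucket",
  "change": {"actions": ["create"], "after": {"bucket": "example-crl"}}}
]}
""")

if __name__ == "__main__":
    rows, total = audit_private_cas(SAMPLE_PLAN)
    for row in rows:
        print(f"{row['address']:<50} {row['mode']:<24} ${row['monthly_fee']:>7.2f}  {'; '.join(row['notes'])}")
    print(f"Standing CA fee: ${total:.2f}/month (certificate issuance not included)")
```

The total covers only the flat CA fee; per-certificate issuance remains a usage-based figure and is not estimated here.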

FAQ

How does c3x estimate Private CA cost?

It reads usage_mode and prices the flat monthly CA fee (~$400 general-purpose, ~$50 short-lived). Certificate issuance is a usage-based, tiered dimension supplied in c3x-usage.yml.

Why does a Private CA cost ~$400/month?

General-purpose mode bills a flat monthly fee for the CA itself, prorated daily, independent of how many certificates you issue. It's a real standing cost, which is why short-lived mode and consolidation matter.

What is short-lived-certificate mode?

A cheaper CA mode (~$50/month) for certificates valid 7 days or less, designed for mTLS and service meshes that rotate certs frequently. If your certs are short-lived, it's an 8x saving over general-purpose.

Are public ACM certificates the same cost?

No. Public certificates from ACM (aws_acm_certificate) are free. Private CA is for issuing your own private certificates and carries the monthly CA fee plus per-cert charges.

Does disabling a CA stop the fee?

No. The fee accrues until the CA is deleted. Disabling it stops issuance but not billing. Delete CAs you no longer need.
