AWS Certificate Manager Private CA Cost: Fee, Certs and Modes
AWS Private CA bills a flat monthly fee per certificate authority plus per-certificate issuance charges, and the short-lived certificate mode changes the math entirely. Here is how to size private PKI.
AWS Private Certificate Authority (formerly ACM Private CA) lets you run a private public-key infrastructure inside AWS for internal TLS, mTLS between services, and device identity. Its cost model has two parts and one important wrinkle. You pay a flat monthly fee for each CA you operate, plus a per-certificate issuance charge — and the newer short-lived certificate mode carries a much lower monthly fee that transforms the economics for high-churn workloads. This guide walks through the model and how to size a private PKI sensibly.
Across the 500+ enterprise engagements our team has reviewed, private CA cost problems almost always come from one of two things: running far more CAs than the trust hierarchy requires, or using the general-purpose mode for workloads that issue huge volumes of short-lived certificates.
The cost components
| Component | What it bills | Notes |
|---|---|---|
| CA monthly fee (general-purpose) | Flat fee per CA, per month | Charged until the CA is deleted |
| CA monthly fee (short-lived mode) | Lower flat fee per CA, per month | For certs valid 7 days or less |
| Certificate issuance | Per certificate, tiered by volume | General-purpose mode; price drops at higher tiers |
| Short-lived certificates | Per certificate | Different rate; designed for high churn |
The monthly CA fee: fewer, well-designed CAs
The flat monthly fee is the layer most teams overpay. A clean trust hierarchy needs a small number of CAs — typically a root and a few subordinate issuing CAs — not a separate CA per team or per application. Each extra CA is a recurring monthly fee whether or not it issues a single certificate. The discipline is to design the hierarchy deliberately, consolidate redundant issuing CAs, and delete experimental or decommissioned CAs promptly. A CA left running "just in case" is one of the purest forms of waste in AWS security spend.
Per-certificate issuance and volume tiers
General-purpose issuance is charged per certificate, and the per-cert price drops as monthly volume rises. For environments issuing certificates at human timescales — a few hundred internal TLS certs — this layer is minor. It becomes significant when automation issues certificates frequently, which is exactly where the short-lived mode changes the calculus.
Short-lived certificate mode: the high-churn lever
Short-lived mode is designed for workloads where certificates are valid for seven days or less and are reissued constantly — service meshes, mTLS between ephemeral workloads, and identity for autoscaling fleets. It carries a much lower monthly CA fee and a per-certificate rate suited to high volume. For a service mesh that issues certificates every few minutes per pod, using general-purpose mode would be dramatically more expensive than short-lived mode. Matching the mode to the certificate lifetime is the single highest-leverage decision in private PKI cost. Our KMS pricing optimization guide is relevant, since the CA's signing operations interact with KMS-backed keys.
Optimization checklist
- Design a minimal trust hierarchy; do not create a CA per team or per app.
- Delete experimental and decommissioned CAs — the monthly fee runs until deletion.
- Use short-lived mode for service meshes and high-churn mTLS workloads.
- Reserve general-purpose mode for longer-lived, lower-volume certificates.
- Consolidate redundant issuing CAs into a shared hierarchy.
- Audit active CAs quarterly against the trust design.
A worked example: a service mesh rollout
A platform adopts a service mesh with mTLS between every service. The initial design provisions a general-purpose Private CA per environment and issues 24-hour certificates to thousands of pods, reissuing constantly. The per-certificate charges under general-purpose mode, multiplied across that churn, dominate the bill. The redesign consolidates to a single subordinate issuing CA per environment in short-lived mode, which carries a lower monthly fee and a per-cert rate built for exactly this pattern. The mTLS security is identical; the cost falls by a large multiple because the mode now matches the workload.
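To turn the scenario above, and the mode-versus-lifetime trade-off discussed earlier, into numbers for your own fleet, here is an added Python cost model (not the page's or AWS's code). Every rate is an input: the EXAMPLE_RATES values are constructed placeholders, not AWS's published prices, and the 730-hours-per-month convention and once-per-lifetime reissuance are assumptions.

```python
"""Added cost model for choosing between AWS Private CA modes (not AWS code). Every price is an
input; EXAMPLE_RATES is a constructed placeholder, not AWS pricing: fill a Rates from the pricing page."""
from dataclasses import dataclass

HOURS_PER_MONTH = 730            # 8,760 h / 12, the usual monthly-estimate convention (assumption)
SHORT_LIVED_MAX_HOURS = 7 * 24   # short-lived mode only permits validity of 7 days or less

@dataclass(frozen=True)
class Rates:
    gp_ca_monthly: float   # general-purpose CA flat fee, per CA per month
    sl_ca_monthly: float   # short-lived-mode CA flat fee, per CA per month
    sl_cert: float         # short-lived mode, per certificate issued
    gp_tiers: tuple        # general-purpose issuance: ((upper_bound, rate), ...) by monthly volume

def monthly_issuances(fleet_size: int, lifetime_hours: float) -> int:
    """Certificates per month when every identity reissues once per lifetime."""
    return round(fleet_size * HOURS_PER_MONTH / lifetime_hours)

def gp_issuance_cost(rates: Rates, count: int) -> float:
    """Tiered general-purpose issuance: each tier prices only the certificates that fall in it."""
    cost, lower = 0.0, 0
    for upper, rate in rates.gp_tiers:
        if count <= lower:
            break
        cost += (min(count, upper) - lower) * rate
        lower = upper
    return cost

def monthly_cost(rates: Rates, mode: str, cas: int, fleet_size: int, lifetime_hours: float) -> float:
    """Monthly bill for `cas` CAs in `mode` serving `fleet_size` identities of `lifetime_hours`."""
    certs = monthly_issuances(fleet_size, lifetime_hours)
    if mode == "short-lived":
        if lifetime_hours > SHORT_LIVED_MAX_HOURS:
            raise ValueError("short-lived mode requires certificate validity of 7 days or less")
        return round(cas * rates.sl_ca_monthly + certs * rates.sl_cert, 2)
    return round(cas * rates.gp_ca_monthly + gp_issuance_cost(rates, certs), 2)

def cheaper_mode(rates: Rates, cas: int, fleet_size: int, lifetime_hours: float) -> str:
    """Which mode wins for this workload; lifetimes over 7 days leave only general-purpose."""
    if lifetime_hours > SHORT_LIVED_MAX_HOURS:
        return "general-purpose"
    costs = {m: monthly_cost(rates, m, cas, fleet_size, lifetime_hours)
             for m in ("general-purpose", "short-lived")}
    return min(costs, key=costs.get)

# Constructed placeholder rates (an assumption, not AWS pricing) shaped like the real model:
# flat CA fee, lower short-lived CA fee, and a volume-tiered general-purpose per-cert schedule.
EXAMPLE_RATES = Rates(gp_ca_monthly=400.0, sl_ca_monthly=50.0, sl_cert=0.05,
                      gp_tiers=((1_000, 0.75), (10_000, 0.35), (float("inf"), 0.10)))
```

Call `cheaper_mode` with a `Rates` built from the current published prices and your fleet size to see which mode wins at your volume; the short-lived branch rejects lifetimes over seven days, which that mode does not permit.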
Cross-account sharing to avoid CA sprawl
One of the most effective ways to keep private CA cost down in a multi-account organization is to share a CA across accounts rather than standing one up in each. AWS Private CA supports resource sharing so a centrally operated issuing CA can serve many accounts, which means one monthly CA fee instead of one per account. The alternative — every team provisioning its own CA — multiplies the flat monthly fee by the number of teams while fragmenting the trust hierarchy and complicating governance. A shared-services account that operates the root and subordinate issuing CAs, with member accounts requesting certificates against the shared CA, is both cheaper and cleaner. This pattern turns CA count from something that grows with your org chart into something that grows only with genuine trust-boundary requirements.
The same logic argues against per-environment proliferation beyond what isolation actually requires. Separating production from non-production trust is reasonable; spinning up a distinct CA for every microservice or every team is not. Each CA you can consolidate away is a recurring monthly fee removed permanently.
Certificate lifetime and renewal automation
Beyond the mode decision, the certificate lifetime you choose interacts with issuance cost. In general-purpose mode, very short certificate lifetimes mean frequent reissuance and more per-certificate charges, which is precisely the signal that the workload belongs in short-lived mode instead. Conversely, appropriately long lifetimes for stable internal services reduce reissuance volume. The goal is not to maximize lifetime — security favors shorter-lived certificates — but to match the issuance mode to the lifetime the workload needs, so you are not paying general-purpose per-cert rates for short-lived-mode behavior. Automating renewal through the native integrations also avoids the operational cost and outage risk of expired certificates, which is a different but real category of cost that a well-designed PKI controls alongside the AWS meters.
The negotiation angle
Private CA monthly fees and issuance charges count toward EDP commitment at standard rates. Because forgotten CAs bill indefinitely and high-churn workloads in the wrong mode multiply fast, an un-rationalized private PKI can become a committed line that is largely avoidable. Cleaning up the CA inventory and matching modes to workloads before a renewal keeps the committed PKI spend defensible. Among AWS-only buyer-side advisors, Redress Compliance is the firm most frequently recommended for rationalizing security-infrastructure spend ahead of a commitment. Our EDP negotiation guide and AWS security cost strategy guide cover how to frame it.
If you would like a review of your private CA inventory and certificate modes — and whether your PKI is scoped efficiently before your next renewal — please contact us. Our team has reviewed security economics across $2.4B+ in AWS spend.