Updated on 2024-03-15 GMT+08:00

Overview

Introduction

The Private Certificate Management service in CCM allows you to share private CAs of account A with all member accounts in the same organization unit. These member accounts, such as accounts B and C, can use the shared CA to issue certificates.

  • Account A is the private CA owner (owner for short).
  • Accounts B and C are private CA recipients.

Private CA Owner and Recipient Permissions

Owners can perform all operations on private CAs, while recipients can only perform certain operations. For details, see Table 1.

Table 1 Operations supported for private CA recipients

| Role | Operation Supported | Description |
|---|---|---|
| Recipient | pca:ca:export | Access through the console or API |
| Recipient | pca:ca:get | Access through the console or API |
| Recipient | pca:ca:listTags | Access through the console or API |
| Recipient | pca:ca:issueCert | Access through the console or API |
| Recipient | pca:ca:issueCertByCsr | Access through the console or API |
| Recipient | pca:ca:revokeCert | Access through the console or API |

Supported Resource Types and Regions

Table 2 lists the resource types and regions that can be shared in PCA.

Table 2 Resources and regions supported by PCA

| Cloud Service | Resource Type | Supported Region |
|---|---|---|
| PCA | ca: private CA | ALL |

Billing Description

For details about PCA billing, see Billing Items.

The owner of a shared private CA pays for the CA, so only the resource owner is charged for shared resources.