AWS Certificate Manager – Difference Between Private Certificate Authority and Certificate Manager

amazon-web-services, ssl-certificate

What I have understood so far (though I'm not sure) is:

  • ACM is free but ACM PCA charges to generate each certificate.
  • ACM can be used to generate certificates at the ELB or CloudFront level, while ACM PCA can generate certificates for other public-facing services.

I'm not able to understand exactly what is the difference between AWS Certificate Manager Private Certificate Authority (ACM PCA) and AWS Certificate Manager (ACM). Do I need to buy a paid certificate for the web services hosting on AWS?

Best Answer

ACM generates public certificates for use by AWS managed services like ELB and others. It uses AWS' Public Certificate Authority for certificate signing. If your web service hosting is fronted by ELB, CloudFront or another ACM supported service (see: Services Integrated with AWS Certificate Manager), then you do not need to purchase a paid certificate from a 3rd party - although there is nothing stopping you from using a 3rd party and importing their certificate into ACM for use by AWS services if you so choose.

If, however, you wish to have a service hosted directly on an EC2 instance that uses a public certificate, for example, then you do need to purchase a certificate from a 3rd party provider, as you cannot export public certificates from ACM for use in that manner.

ACM PCA is a private certificate authority and does allow you to export certificates for any use case - including EC2 instances or even on-premises services. The primary use case is for internal wiring in an application that needs certificates in order to use TLS to communicate between components, or potentially a corporate web application whereby client devices accessing the service have trusted the private certificate authority. Ultimately it saves the hassle of having to set up, configure and maintain your own internal certificate authority for such use cases. It does not, however, allow you to configure a publicly trusted certificate authority; any users/clients wanting to validate certificates issued by ACM PCA will need to have explicitly trusted your private certificate authority first.

A more complete description is available here: What Is ACM PCA?
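The last point of the answer, shown as an added example that is not part of the original post or of any AWS code: a self-signed root built locally with Go's standard library stands in for an ACM PCA root (it does not call the ACM PCA API), issues a server certificate for the constructed hostname `app.internal.example`, and a client accepts that certificate only when the private root is in its trust store.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue signs tmpl with key and returns the parsed certificate (self-signed when parent == tmpl).
func issue(tmpl, parent *x509.Certificate, pub ed25519.PublicKey, key ed25519.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BuildPrivatePKI is a constructed stand-in for ACM PCA: a self-signed root that no public
// trust store knows about, plus a server certificate for host issued by that root.
func BuildPrivatePKI(host string) (root, leaf *x509.Certificate, err error) {
	rootPub, rootKey, _ := ed25519.GenerateKey(rand.Reader) // only fails if the CSPRNG does
	leafPub, _, _ := ed25519.GenerateKey(rand.Reader)
	now := time.Now()
	rootTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Private Root CA"},
		NotBefore: now, NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	if root, err = issue(rootTmpl, rootTmpl, rootPub, rootKey); err != nil {
		return nil, nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), DNSNames: []string{host},
		NotBefore: now, NotAfter: now.Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf, err = issue(leafTmpl, root, leafPub, rootKey)
	return root, leaf, err
}

// ClientTrusts reports whether a client whose trust store holds exactly roots accepts leaf for
// host. The pool is never nil, so the system's public roots are not consulted.
func ClientTrusts(leaf *x509.Certificate, roots []*x509.Certificate, host string) bool {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err == nil
}
```

With an empty trust store the leaf is rejected as issued by an unknown authority; adding the private root is the explicit trust step the answer refers to.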