All Products
Search

This Product

    Certificate Management Service:PCA certificate billing

    Document Center

    Certificate Management Service:PCA certificate billing

    Last Updated:Mar 31, 2026

    Private Certificate Authority (PCA) lets you build a private CA hierarchy for your organization to manage identity authentication, data encryption, and decryption for internal applications. This document covers billable items, pricing tiers, expiration behavior, and renewal steps for PCA.

    Billing items

    Important

    The prices below are for reference only. For current prices, see the purchase page.

    Service typeBilling methodPriceBilling rule
    Private root CASubscriptionUSD 760/monthUnit price (USD/month) × subscription duration
    Private intermediate CASubscriptionUSD 380/monthUnit price (USD/month) × subscription duration
    Private certificateUpfrontTiered. See below.Unit price per certificate (USD) × quantity

    Private root CA

    Each root CA instance includes one root CA, one intermediate CA, and a quota of 10 free private certificates.

    Free quota rules:

    • Usage window: Issue certificates within 30 days from the purchase date. Unused quota expires and is purged at the end of this window.

    • Certificate validity: Certificates issued using the free quota are valid for 30 days from the date of issuance. This validity period does not extend when you renew the root CA.

    For separately purchased private certificates, set a custom validity period at the time of purchase.

    Private certificate pricing

    Certificate pricing is tiered based on the cumulative number of certificates purchased within a calendar year (January 1 to December 31).

    Quantity (cumulative per calendar year)Price per certificate
    1–1,000USD 0.7
    1,001–10,000USD 0.3

    After the cumulative number of purchased certificates reaches 120,000 in a calendar year, any additional certificates are free of charge. The cumulative count resets on January 1 of the following year.

    Expiration

    When a root CA or intermediate CA expires, you can no longer enable it or request new certificates from it. To avoid service disruptions, renew your CAs within 30 calendar days before they expire.

    If a CA has already expired, you cannot renew it. You must reactivate it instead.

    Renew a CA

    Renew a root CA or an intermediate CA up to 30 calendar days before it expires.

    Important

    Renewal is only available within the 30-day window before expiration. After a CA expires, use the Reactivate a CA procedure instead.

    1. Log in to the Certificate Management Service console.

    2. In the left navigation pane, choose Certificate Management > Private Certificate Management. Select the region where the PCA service is located.

    3. On the Private CAs tab, locate the CA. In the Actions column, click Renew. The renewal scope depends on how the CA was originally created:

      • Root CA and intermediate CA created together: Renew only the root CA. This extends the service period for both the root CA and the intermediate CA created with it.

      • Intermediate CA purchased separately: Renew the root CA first to keep it valid, then renew the intermediate CA separately.

      4. purchase page

    4. On the renewal page, confirm the current configuration. Select the Subscription Duration, accept the Terms of Service, and click Buy Now to complete payment.

    After payment, the updated Expire On date appears on the Private CAs page of the Certificate Management Service console.

    Reactivate a CA

    If a root CA or intermediate CA has expired, reactivate it to resume the private certificate service. Reactivate the root CA and the intermediate CA separately.

    1. Log in to the Certificate Management Service console.

    2. In the left navigation pane, choose Certificate Management > Private Certificate Management. Select the region where the PCA service is located.

    3. On the Private CAs tab, locate the CA. In the Actions column, click Reactivate.

    4. On the Certificate Management Service page, select the CA configuration: Accept the Terms of Service and click Buy Now to complete payment.

      • Root CA: Select the Certificate Algorithm and Duration.

      • Intermediate CA: Select the Duration only.

    5. After reactivation, check the CA status:

      • If the CA status was Disabled before reactivation, enable the CA to resume the PCA service. See Enable a private CA.

      • If the CA status was Enabled before reactivation, the PCA service is available immediately.

    6. (Optional) Return to the Private CAs page to confirm the expiration date of the reactivated CA.