# CA administration

{% hint style="info" %}
This page was generated from content adapted from the [AWS Developer Guide](https://github.com/awsdocs/aws-private-ca-user-guide.git)
{% endhint %}

## Creating a private CA

* **Note**\
  Your account is charged a monthly price for each private CA starting from the time that you create it.\
  For the latest AWS Private CA pricing information, see [AWS Private Certificate Authority Pricing](https://aws.amazon.com/private-ca/pricing/). You can also use the [AWS pricing calculator](https://calculator.aws/#/createCalculator/certificateManager) to estimate costs.

## Installing CA certificate

* **Note**\
  Procedures for creating or obtaining an external trust services provider are outside the scope of this guide.

## Listing private CAs

* **Note**\
  You can customize the columns that you want to display, as well as other settings, by choosing the gear icon in the upper-right corner of the console.

## Adding tags

* **Note**\
  To attach tags to a private CA during the creation procedure, a CA administrator must first associate an inline IAM policy with the `CreateCertificateAuthority` action and explicitly allow tagging. For more information, see [Attaching tags to a CA at the time of creation](https://github.com/kevinslin/aws-reference-notes/blob/main/services/aws_private_certificate_authority/auth-InlinePolicies.md#policy-tag-ca).

## Updating a CA

* **Note**\
  For all status values except `DELETED` and `FAILED`, you are billed for the CA.

## Deleting a CA

* **Important**\
  A private CA can be deleted if it is in the `PENDING_CERTIFICATE`, `CREATING`, `EXPIRED`, `DISABLED`, or `FAILED` state. In order to delete a CA in the `ACTIVE` state, you must first disable it, or else the delete request results in an exception. If you are deleting a private CA in the `PENDING_CERTIFICATE` or `DISABLED` state, you can set the length of its restoration period from 7-30 days, with 30 being the default. During this period, status is set to `DELETED` and the CA is restorable. A private CA that is deleted while in the `CREATING` or `FAILED` state has no assigned restoration period and cannot be restored. For more information, see [Restoring a private CA](https://github.com/kevinslin/aws-reference-notes/blob/main/services/aws_private_certificate_authority/PCARestoreCA.md).\
  You are not charged for a private CA after it has been deleted. However, if a deleted CA is restored, you are charged for the time between deletion and restoration. For more information, see [Pricing](https://github.com/kevinslin/aws-reference-notes/blob/main/services/aws_private_certificate_authority/PcaPricing.md).

## Restoring a CA

* **Note**\
  You are not charged for a private CA after it has been deleted. However, if a deleted CA is restored, you are charged for the time between deletion and restoration. For more information, see [Pricing](https://github.com/kevinslin/aws-reference-notes/blob/main/services/aws_private_certificate_authority/PcaPricing.md).


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://awsnotes.dendron.so/cryptography-and-pki/aws-private-certificate-authority/topics/ca-administration.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.