
feat(pki): add AWS PCA external CA integration #5515

Merged
saifsmailbox98 merged 10 commits into main from saif/pki-126-add-aws-pca-integration-for-pki-similar-to-adcs
Feb 20, 2026

Conversation

saifsmailbox98 (Contributor) commented Feb 19, 2026

Context

This PR adds support for AWS Private CA integration as an external CA

Screenshots

Steps to verify the change

Type

  • Fix
  • Feature
  • Improvement
  • Breaking
  • Docs
  • Chore

Checklist

  • Title follows the conventional commit format: type(scope): short description (scope is optional, e.g., fix: prevent crash on sync or fix(api): handle null response).
  • Tested locally
  • Updated docs (if needed)
  • Read the contributing guide

linear bot commented Feb 19, 2026

maidul98 (Collaborator) commented Feb 19, 2026

Snyk checks have passed. No issues have been found so far.

Scanner               Critical  High  Medium  Low  Total (0)
Open Source Security  0         0     0       0    0 issues


greptile-apps bot (Contributor) commented Feb 19, 2026

Greptile Summary

Adds AWS Private CA (PCA) integration as a new external CA type, enabling certificate issuance through AWS Certificate Manager Private Certificate Authority. Implementation includes backend service layer with credential management via AWS app connections, certificate ordering with CSR passthrough template, polling-based certificate retrieval, and revocation support. Frontend adds UI for configuring AWS PCA with connection selection, ARN input, and region selection. Certificate subject DN fields (organization, OU, country, state, locality) are now passed through the issuance queue and renewal workflows.

  • Core AWS PCA service implements certificate issuance using IssueCertificateCommand with exponential backoff polling
  • Certificate authority validation ensures PCA is in ACTIVE status before use
  • Revocation maps internal CRL reasons to AWS revocation reasons
  • Subject DN fields added to certificate order DTOs and queue processing
  • Frontend modal extended with AWS PCA configuration form
  • Uses RE2 for TTL parsing but has one instance of unsafe native regex on line 85

Confidence Score: 3/5

  • Safe to merge with one regex safety fix required
  • Implementation follows established patterns for external CA integrations (ACME, Azure AD CS). Proper input validation with Zod schemas, permission checks, and AWS credential management. One critical regex safety violation needs fixing (line 85 uses native .match() instead of RE2). No database migrations, no breaking API changes. Missing documentation for the new feature.
  • backend/src/services/certificate-authority/aws-pca/aws-pca-certificate-authority-fns.ts - fix regex safety issue on line 85

Important Files Changed

Filename / Overview

backend/src/services/certificate-authority/aws-pca/aws-pca-certificate-authority-fns.ts
    Core AWS PCA implementation with certificate issuance, revocation, and CA management. Uses RE2 for regex safety. Contains unsafe native regex in line 85.
backend/src/services/certificate-authority/certificate-authority-service.ts
    Extended service to integrate AWS PCA CA type alongside existing ACME, Azure AD CS, and internal CA types
backend/src/services/certificate-authority/certificate-issuance-queue.ts
    Queue processor extended to handle AWS PCA certificate issuance jobs with subject DN fields
backend/src/services/certificate-v3/certificate-v3-service.ts
    Certificate service extended with AWS PCA support for ordering, renewal, and subject DN handling
frontend/src/pages/cert-manager/CertificateAuthoritiesPage/components/ExternalCaModal.tsx
    Modal UI extended with AWS PCA configuration form including AWS connection, ARN, and region selection

Last reviewed commit: 54ff4ca
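The review summary above names three behaviours of the new AWS PCA path: checking that the CA is in ACTIVE status before it is used, retrieving the issued certificate by polling with exponential backoff, and mapping internal CRL reasons onto AWS revocation reasons. The TypeScript below is an added illustration written for this page, not the project's code from this PR. The `PcaClientLike` interface, `issueViaPca`, `mapCrlReason`, `backoffDelayMs`, `makeFakeClient`, `runDemo` and the constructed ARN/CSR/PEM strings are all assumptions; only the `RevocationReason` enum values and the `RequestInProgressException` error name (what ACM PCA's GetCertificate raises while issuance is still pending) come from the AWS SDK. The page does not say how the PR treats `certificateHold` and `removeFromCRL`, which PCA cannot express; here they map to `null` so the caller rejects them instead of silently downgrading to `UNSPECIFIED`.

```typescript
// Added illustration for this PR page, not the project's own code. Runs offline
// against a hand-rolled stand-in for the ACM PCA client; every name is assumed.

// RFC 5280 CRLReason codes as an internal PKI might store them.
export type CrlReason =
  | "unspecified" | "keyCompromise" | "cACompromise" | "affiliationChanged"
  | "superseded" | "cessationOfOperation" | "certificateHold"
  | "removeFromCRL" | "privilegeWithdrawn" | "aACompromise";

// RevocationReason values accepted by ACM PCA's RevokeCertificate.
export type AwsRevocationReason =
  | "UNSPECIFIED" | "KEY_COMPROMISE" | "CERTIFICATE_AUTHORITY_COMPROMISE"
  | "AFFILIATION_CHANGED" | "SUPERSEDED" | "CESSATION_OF_OPERATION"
  | "PRIVILEGE_WITHDRAWN" | "A_A_COMPROMISE";

const CRL_TO_AWS: Record<CrlReason, AwsRevocationReason | null> = {
  unspecified: "UNSPECIFIED",
  keyCompromise: "KEY_COMPROMISE",
  cACompromise: "CERTIFICATE_AUTHORITY_COMPROMISE",
  affiliationChanged: "AFFILIATION_CHANGED",
  superseded: "SUPERSEDED",
  cessationOfOperation: "CESSATION_OF_OPERATION",
  certificateHold: null, // PCA has no hold/unhold: surface it rather than
  removeFromCRL: null, // silently downgrading to UNSPECIFIED
  privilegeWithdrawn: "PRIVILEGE_WITHDRAWN",
  aACompromise: "A_A_COMPROMISE",
};

// Returns null for reasons PCA cannot express; the caller should reject those.
export function mapCrlReason(reason: CrlReason): AwsRevocationReason | null {
  return CRL_TO_AWS[reason];
}

// Assumed client shape. getCertificate rejects with an error named
// RequestInProgressException until the certificate is signed, as the SDK does.
export interface PcaClientLike {
  describeCa(caArn: string): Promise<{ status: string }>;
  issueCertificate(caArn: string, csrPem: string): Promise<{ certificateArn: string }>;
  getCertificate(caArn: string, certificateArn: string): Promise<{ certificate: string }>;
}

export interface PollOptions {
  maxAttempts: number;
  baseDelayMs: number;
  maxDelayMs: number;
  sleep: (ms: number) => Promise<void>; // injectable so tests do not wait
}

// Exponential backoff with a cap: base, 2*base, 4*base, ... never above maxDelayMs.
export function backoffDelayMs(attempt: number, baseDelayMs: number, maxDelayMs: number): number {
  return Math.min(maxDelayMs, baseDelayMs * 2 ** attempt);
}

export async function issueViaPca(
  client: PcaClientLike, caArn: string, csrPem: string, opts: PollOptions,
): Promise<{ certificatePem: string; attempts: number }> {
  // Refuse to order from a CA that is not ACTIVE (PENDING_CERTIFICATE, DISABLED, ...).
  const { status } = await client.describeCa(caArn);
  if (status !== "ACTIVE") throw new Error(`CA ${caArn} has status ${status}, expected ACTIVE`);
  const { certificateArn } = await client.issueCertificate(caArn, csrPem);
  for (let attempt = 0; attempt < opts.maxAttempts; attempt += 1) {
    try {
      const { certificate } = await client.getCertificate(caArn, certificateArn);
      return { certificatePem: certificate, attempts: attempt + 1 };
    } catch (err) {
      // Only "still signing" is retried; throttling, access denied etc. propagate.
      if ((err as { name?: string }).name !== "RequestInProgressException") throw err;
      await opts.sleep(backoffDelayMs(attempt, opts.baseDelayMs, opts.maxDelayMs));
    }
  }
  throw new Error(`certificate ${certificateArn} still pending after ${opts.maxAttempts} attempts`);
}

// Constructed fake client: reports the given CA status and only returns the
// certificate once readyAfter GetCertificate calls have been rejected.
export function makeFakeClient(status: string, readyAfter: number): PcaClientLike {
  let getCalls = 0;
  return {
    describeCa: async () => ({ status }),
    issueCertificate: async (caArn) => ({ certificateArn: `${caArn}/certificate/constructed-id` }),
    getCertificate: async () => {
      getCalls += 1;
      if (getCalls <= readyAfter) {
        const e = new Error("certificate is being issued");
        e.name = "RequestInProgressException";
        throw e;
      }
      return { certificate: "-----BEGIN CERTIFICATE-----\n(constructed)\n-----END CERTIFICATE-----\n" };
    },
  };
}

// Exercises the happy path and the inactive-CA path; returns plain data to assert on.
export async function runDemo(): Promise<{ attempts: number; delays: number[]; inactiveError: string }> {
  const delays: number[] = [];
  const opts: PollOptions = {
    maxAttempts: 6, baseDelayMs: 500, maxDelayMs: 8000,
    sleep: async (ms) => { delays.push(ms); },
  };
  const caArn = "arn:aws:acm-pca:us-east-1:000000000000:certificate-authority/constructed";
  const ok = await issueViaPca(makeFakeClient("ACTIVE", 2), caArn, "(constructed CSR)", opts);
  let inactiveError = "";
  try {
    await issueViaPca(makeFakeClient("DISABLED", 0), caArn, "(constructed CSR)", opts);
  } catch (e) {
    inactiveError = (e as Error).message;
  }
  return { attempts: ok.attempts, delays, inactiveError };
}
```

With the fake signing on the third GetCertificate call, `runDemo()` reports three attempts and sleeps of 500 ms and 1000 ms, and the DISABLED CA is rejected before any certificate is ordered. Injecting `sleep` keeps the backoff schedule testable without waiting, and retrying only on `RequestInProgressException` means throttling or permission errors are not masked as "still pending".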

greptile-apps bot (Contributor) left a review: 33 files reviewed, 1 comment


…pca-integration-for-pki-similar-to-adcs

# Conflicts:
#	frontend/src/pages/cert-manager/CertificateAuthoritiesPage/components/ExternalCaModal.tsx
saifsmailbox98 (Contributor, Author) commented

Also added the override of SANs via API passthrough, as we were getting an error when using ACME (certbot):

Certificate issuance failed: CSR must mark the SAN extension critical when it has an empty subject.

saifsmailbox98 (Contributor, Author) left a review comment

adding a suggestion that I can accept

@saifsmailbox98 saifsmailbox98 merged commit 22dd7ab into main Feb 20, 2026
13 checks passed