by rswail 1426 days ago
Having just gone through that for the company I work for, a cloud-based HSM that is compliant and attested for the key storage and an API around issuing/revoking/auditing certificates would cost a lot more.

So you're not paying for the private key storage, you could do that in AWS KMS for like $1/month. You're paying for the CA API.


But what if I don’t even need an HSM, but just somebody to store a CA certificate for me? Even if they just put it onto some storage and encrypt it with a KMS key, that’s more than enough for a vast amount of use cases. I don’t need government grade security. I just have some internal services that need to use a trusted certificate, and don’t want to maintain a server with storage myself, just for that.

I could build that service in a weekend(tm)!

So encrypt it with KMS and store it in S3.
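The "encrypt it with KMS and store it in S3" pattern the thread lands on is envelope encryption: KMS hands out a data key, the CA private key is encrypted under that data key, and only the wrapped data key plus ciphertext are written to the bucket, so the CA key exists in plaintext only inside the process that signs. The example below is added here and is not code from the thread or from AWS; it uses the `cryptography` library, and the `LocalKmsStandIn` class is a constructed in-memory stand-in for the two KMS calls a real deployment would make (`kms.generate_data_key(KeyId=..., KeySpec="AES_256")` and `kms.decrypt(CiphertextBlob=...)`). The certificate names and validity periods are illustrative.

```python
"""Envelope-encrypt a private CA key so it rests only as ciphertext, then
issue a leaf certificate with it. Constructed example, not AWS or HN code."""
import base64
import datetime
import json
import os

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.hazmat.primitives.ciphers.aead import AESGCM
from cryptography.x509.oid import NameOID


class LocalKmsStandIn:
    """Constructed stand-in for AWS KMS: the master key never leaves this object.
    On AWS, generate_data_key/decrypt map to the boto3 KMS calls of the same name."""

    def __init__(self):
        self._master = AESGCM.generate_key(bit_length=256)

    def generate_data_key(self):
        # Returns (plaintext data key, wrapped data key) like KMS GenerateDataKey.
        plaintext = AESGCM.generate_key(bit_length=256)
        nonce = os.urandom(12)
        blob = nonce + AESGCM(self._master).encrypt(nonce, plaintext, b"data-key")
        return plaintext, blob

    def decrypt(self, blob):
        return AESGCM(self._master).decrypt(blob[:12], blob[12:], b"data-key")


def build_ca(common_name="Example Internal CA"):
    """Create a self-signed CA; returns (private key PEM, certificate PEM)."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (
        x509.CertificateBuilder()
        .subject_name(name).issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=3650))
        .add_extension(x509.BasicConstraints(ca=True, path_length=0), critical=True)
        .sign(key, hashes.SHA256())
    )
    key_pem = key.private_bytes(
        serialization.Encoding.PEM,
        serialization.PrivateFormat.PKCS8,
        serialization.NoEncryption(),
    )
    return key_pem, cert.public_bytes(serialization.Encoding.PEM)


def seal_ca_key(kms, ca_key_pem):
    """Envelope-encrypt the CA key. The returned dict is what goes to the bucket:
    the wrapped data key and an AES-GCM ciphertext, never the key itself."""
    data_key, wrapped = kms.generate_data_key()
    nonce = os.urandom(12)
    ciphertext = AESGCM(data_key).encrypt(nonce, ca_key_pem, b"ca-key")
    return {
        "wrapped_data_key": base64.b64encode(wrapped).decode(),
        "nonce": base64.b64encode(nonce).decode(),
        "ciphertext": base64.b64encode(ciphertext).decode(),
    }


def is_plaintext_free(sealed):
    """True if no field of the stored object decodes to a PEM private key."""
    return all(b"PRIVATE KEY" not in base64.b64decode(v) for v in sealed.values())


def issue_cert(kms, sealed, ca_cert_pem, subject_cn, days=90):
    """Unwrap the data key via KMS, decrypt the CA key in memory only long enough
    to sign one leaf certificate, and return that certificate as PEM."""
    data_key = kms.decrypt(base64.b64decode(sealed["wrapped_data_key"]))
    ca_key_pem = AESGCM(data_key).decrypt(
        base64.b64decode(sealed["nonce"]), base64.b64decode(sealed["ciphertext"]), b"ca-key"
    )
    ca_key = serialization.load_pem_private_key(ca_key_pem, password=None)
    ca_cert = x509.load_pem_x509_certificate(ca_cert_pem)
    leaf_key = ec.generate_private_key(ec.SECP256R1())  # in practice taken from a CSR
    now = datetime.datetime.now(datetime.timezone.utc)
    leaf = (
        x509.CertificateBuilder()
        .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, subject_cn)]))
        .issuer_name(ca_cert.subject)
        .public_key(leaf_key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=days))
        .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
        .sign(ca_key, hashes.SHA256())
    )
    return leaf.public_bytes(serialization.Encoding.PEM)


def chains_to(leaf_pem, ca_cert_pem):
    """True if the leaf names the CA as issuer and its signature verifies under the CA key."""
    leaf = x509.load_pem_x509_certificate(leaf_pem)
    ca = x509.load_pem_x509_certificate(ca_cert_pem)
    try:
        ca.public_key().verify(leaf.signature, leaf.tbs_certificate_bytes,
                               ec.ECDSA(leaf.signature_hash_algorithm))
    except InvalidSignature:
        return False
    return leaf.issuer == ca.subject


if __name__ == "__main__":
    kms = LocalKmsStandIn()
    ca_key_pem, ca_cert_pem = build_ca()
    sealed = seal_ca_key(kms, ca_key_pem)
    del ca_key_pem  # only the sealed object and the public CA cert are kept
    print(json.dumps(sealed)[:72], "...")
    leaf_pem = issue_cert(kms, sealed, ca_cert_pem, "svc.internal.example")
    print("leaf chains to CA:", chains_to(leaf_pem, ca_cert_pem))
```

The part worth auditing in a real deployment is `issue_cert`: it is the only place the CA key is ever plaintext, so KMS key policy, CloudTrail logging of `Decrypt` calls and the IAM identity allowed to run it are what actually bound who can mint certificates; the bucket itself only ever holds ciphertext, which `is_plaintext_free` checks.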