Every piece of data in the cloud faces threats: unauthorized access, insider threats, compliance requirements, and data breaches. Encryption is the last line of defense — even if someone gains access to your storage, encrypted data is useless without the key.

AWS encryption operates in two domains:

A critical mental model shift:

What KMS actually provides:

• Key generation — creates cryptographic keys inside FIPS 140-2 Level 2 hardware security modules (HSMs)
• Key storage — keys never leave the HSM unencrypted
• Key rotation — automatically rotates keys annually (you keep using the same key ID)
• Access control — key policies + IAM policies determine who can encrypt/decrypt
• Audit trail — every key usage logged in CloudTrail
• Envelope encryption — generates data keys for local encryption (the real workhorse)

They work together: IAM might grant you access to an S3 bucket, but if the objects are encrypted with a KMS key you don't have permission to use, you still can't read the data.

Three AWS services handle encryption-related tasks, but they serve very different purposes:

Service	Purpose	Key Characteristic	Typical Use Case
KMS	Manage encryption keys for AWS services	Keys never leave HSMs (FIPS 140-2 Level 2)	S3, EBS, RDS encryption at rest
CloudHSM	Dedicated, single-tenant HSM	You control the HSM (FIPS 140-2 Level 3)	Regulatory requiring dedicated hardware
ACM	Manage TLS/SSL certificates	Automates certificate provisioning & renewal	HTTPS for CloudFront, ALB, API Gateway

KMS has three categories of keys based on who manages them and who owns them. Understanding this distinction is critical for exams and architecture decisions.

When you create a Customer Managed Key, you choose where the key material comes from:

Every KMS key can be referenced in multiple ways:

Aliases decouple your application from specific key versions. This is critical for zero-downtime key rotation:

1. Create alias: alias/prod-database-key

   Point it to your current CMK (my-key-v1). All application code references the alias, never the key ID.
2. When rotating: create my-key-v2

   Generate a new CMK alongside the old one. Both exist in parallel.
3. Update alias to point to v2

   Call UpdateAlias — the alias now resolves to the new key. Application code doesn't change.
4. Old key remains for decryption

   Existing ciphertext still encrypted with v1. Keep v1 enabled until all data is re-encrypted or expired.

A KMS key goes through distinct states during its lifecycle:

Rotation replaces the backing key (the actual cryptographic material) while keeping the same Key ID and ARN. Old backing keys are retained forever so old ciphertext can still be decrypted.

The key API calls you'll encounter constantly:

Grants are an alternative to key policies for temporary, programmatic permission delegation:

Encryption context is a set of key-value pairs (non-secret) that are cryptographically bound to the ciphertext. Think of it as an additional authentication check.

1. Encrypt with context

   kms:Encrypt(plaintext, keyId, {"department": "finance", "project": "payroll"})

2. Context is bound to ciphertext

   The context is included as Additional Authenticated Data (AAD). It's NOT encrypted — but it IS required for decryption.

3. Decrypt must provide same context

   kms:Decrypt(ciphertext, {"department": "finance", "project": "payroll"}) — if context doesn't match, decryption FAILS.

4. Logged in CloudTrail

   Encryption context appears in CloudTrail logs — perfect for auditing WHO encrypted WHAT for WHICH purpose.

Encryption context is cryptographically bound to the ciphertext AND logged in CloudTrail. Here's how production teams use it:

When creating a KMS key, you specify what it can do:

By default, KMS keys are regional. Multi-Region keys are replicas of the same key in multiple regions — same key material, same key ID (with mrk- prefix).

KMS supports two fundamental cryptographic key types — symmetric (one shared secret) and asymmetric (public + private key pair). Understanding when and why to choose each is critical for every AWS architecture decision.

A symmetric KMS key generates a single 256-bit AES-GCM key. The same key encrypts and decrypts data. The plaintext key never leaves KMS unencrypted — all encrypt/decrypt operations happen inside the HSM boundary.

An asymmetric KMS key creates a mathematically linked pair: a private key (stays in HSM) and a public key (downloadable). Different algorithms serve different purposes.

Key Spec	Algorithm	Use Case	Max Data Size
RSA_2048	RSAES_OAEP_SHA_256	Encrypt / Decrypt	214 bytes
RSA_3072	RSAES_OAEP_SHA_256	Encrypt / Decrypt	342 bytes
RSA_4096	RSAES_OAEP_SHA_256	Encrypt / Decrypt	470 bytes
RSA_2048	RSASSA_PSS / PKCS1	Sign / Verify	—
ECC_NIST_P256	ECDSA_SHA_256	Sign / Verify	—
ECC_NIST_P384	ECDSA_SHA_384	Sign / Verify	—
ECC_NIST_P521	ECDSA_SHA_512	Sign / Verify	—
ECC_SECG_P256K1	ECDSA_SHA_256	Sign / Verify (blockchain)	—
SM2 (China)	SM2DSA / SM2PKE	Sign or Encrypt	—

When creating an asymmetric key, you must choose its KeyUsage. A key can only be used for one purpose — this is immutable after creation.

KMS supports symmetric HMAC keys for generating and verifying Hash-based Message Authentication Codes. Unlike encryption, HMAC doesn't hide data — it proves integrity and authenticity.

Use cases for KMS HMAC: validating API tokens, verifying webhook signatures, secure session cookies, license key validation — anywhere you need "was this data produced by someone who has the key?" without encrypting the data itself.

Scenario	Key Type	Key Spec	Why
S3 server-side encryption	Symmetric	SYMMETRIC_DEFAULT	AWS service integration — only option
EBS volume encryption	Symmetric	SYMMETRIC_DEFAULT	Data at rest — envelope encryption
IoT device sending encrypted data	Asymmetric	RSA_2048	Device has public key, no AWS creds
JWT token signing (Lambda)	Asymmetric	ECC_NIST_P256	Fast signing, external verification
Code artifact signing	Asymmetric	RSA_4096	Wide compatibility, strong security
API webhook validation	HMAC	HMAC_SHA_256	Prove origin without encryption
Cross-account data sharing	Symmetric	SYMMETRIC_DEFAULT	Grant decrypt access to other account
Blockchain transaction signing	Asymmetric	ECC_SECG_P256K1	secp256k1 standard for crypto chains
TLS certificate private key	Asymmetric	RSA_2048	ACM integration with custom key store

A common production pattern combines symmetric keys for bulk encryption with asymmetric keys for signing artifacts:

1. Build system produces artifact

   CI/CD pipeline compiles code, generates container image or deployment package.
2. Sign artifact hash with asymmetric key

   Call kms:Sign with artifact SHA-256 digest. KMS uses private ECC/RSA key inside HSM.
3. Store artifact + signature

   Upload artifact to S3 (encrypted with symmetric CMK via SSE-KMS) and attach signature as metadata.
4. Consumer downloads & verifies

   Deployment system downloads artifact, retrieves public key, verifies signature locally — no KMS API call needed.
5. Deploy with confidence

   Verified artifact is decrypted (KMS Decrypt via IAM role) and deployed. Tamper-proof supply chain.

Envelope encryption is the single most important concept in KMS. It's how AWS encrypts terabytes of data while only using KMS for a tiny 256-bit key. Master this and you understand every AWS encryption integration.

If KMS can only encrypt 4 KB at a time, how does AWS encrypt a 1 TB EBS volume? Sending every block to KMS would be:

The solution: Don't send the data to KMS. Instead, ask KMS for a key, then encrypt the data locally. This is envelope encryption.

1. GenerateDataKey

   Your app calls kms:GenerateDataKey with a CMK ID. KMS returns TWO things: a plaintext data key + an encrypted copy of that same key.
2. Encrypt data locally

   Use the plaintext data key with AES-256 to encrypt your file/volume/database locally — no network call, no size limit, blazing fast.
3. Discard plaintext key from memory

   Immediately delete the plaintext data key. It existed only for the duration of the encrypt operation. Zero it out.
4. Store encrypted key alongside data

   Store the encrypted data key (the "envelope") with the ciphertext. It's safe — the encrypted key is useless without KMS.
5. Decrypt: retrieve encrypted key → call KMS

   To decrypt, read the encrypted data key, call kms:Decrypt to get the plaintext key back, then decrypt locally.

API	Returns Plaintext?	When to Use
GenerateDataKey	Yes — plaintext + encrypted copy	When you need to encrypt data immediately
GenerateDataKeyWithoutPlaintext	No — encrypted copy only	When you'll encrypt later (pre-generate keys, store for future use)

GenerateDataKeyWithoutPlaintext is used when you want to prepare encrypted data keys in advance. For example, a key management system generates keys for future messages — the plaintext key is only recovered (via kms:Decrypt) when actually needed.

AWS services often use multiple layers of envelope encryption for performance and key management:

S3 Bucket Keys are the most important optimization for SSE-KMS at scale:

Aspect	Without Bucket Key	With Bucket Key
KMS calls per object	1 GenerateDataKey per PUT	1 call per bucket key rotation (~few minutes)
Cost (1M objects/day)	~$3/day in KMS charges	~$0.01/day
CloudTrail events	1 per object operation	1 per bucket key generation
Throttling risk	High at scale	Virtually eliminated
Encryption context	Object ARN	Bucket ARN (less granular)

The AWS Encryption SDK supports data key caching — reusing a data key for multiple encrypt operations instead of calling GenerateDataKey every time.

Service	Data Key Scope	Key Hierarchy
S3 (SSE-KMS)	Per object (or bucket key)	CMK → Bucket Key → Object Key → Object
EBS	Per volume	CMK → Volume Key → Each I/O block
RDS	Per instance	CMK → Instance Key → Tablespace files
DynamoDB	Per table	CMK → Table Key → Per-item encryption
Lambda (env vars)	Per function version	CMK → Function Key → Environment variables
Secrets Manager	Per secret version	CMK → Data Key → Secret value
EFS	Per file system	CMK → FS Key → Per-file data key

KMS has its own authorization model that is different from standard IAM. Every KMS key has a key policy — a resource-based policy that is the primary access control mechanism. Without it, even the root account can be locked out.

Every KMS key has exactly one key policy (up to 32 KB). It determines who can use and manage the key. The default key policy contains one critical statement:

Access to a KMS key is the union of three layers (all must align for access to be granted):

Statement Purpose	Principal	Actions	Why
Enable IAM	arn:aws:iam::ACCT:root	kms:*	Lets IAM policies manage access (default)
Key Administrator	arn:aws:iam::ACCT:role/Admin	kms:Create*, kms:Describe*, kms:Enable*, kms:List*, kms:Put*, kms:Update*, kms:Revoke*, kms:Disable*, kms:Delete*, kms:Tag*, kms:UntagResource, kms:ScheduleKeyDeletion, kms:CancelKeyDeletion	Manage key lifecycle (cannot use for crypto)
Key User	arn:aws:iam::ACCT:role/AppRole	kms:Encrypt, kms:Decrypt, kms:ReEncrypt*, kms:GenerateDataKey*, kms:DescribeKey	Use key for cryptographic operations
Grant Delegation	arn:aws:iam::ACCT:role/AppRole	kms:CreateGrant, kms:ListGrants, kms:RevokeGrant	Allow role to delegate access to AWS services
Cross-Account	arn:aws:iam::OTHER-ACCT:root	kms:Encrypt, kms:Decrypt, kms:GenerateDataKey*, kms:DescribeKey	Allow other account to use key (they also need IAM policy)

A critical security pattern: the person who manages a key should NOT be the person who uses it for encryption:

Sharing a KMS key across accounts requires both sides to grant permission:

1. Key policy in Account A (key owner)

   Add a statement allowing arn:aws:iam::ACCOUNT-B:root to use the key (kms:Encrypt, kms:Decrypt, kms:GenerateDataKey*, kms:DescribeKey).
2. IAM policy in Account B (key user)

   Attach an IAM policy to the role/user in Account B allowing the same KMS actions on the key ARN in Account A.
3. Both must align

   Missing either side = access denied. This is the same dual-authorization model as S3 cross-account access.

Grants provide temporary, scoped access to a KMS key without modifying the key policy. AWS services use grants internally when you select "encrypt with CMK":

KMS supports powerful condition keys for both key policies and IAM policies:

Condition Key	Controls	Example Use
kms:ViaService	Which AWS service is making the call	Allow only S3 to use this key
kms:CallerAccount	AWS account of the caller	Restrict cross-account usage
kms:EncryptionContext:key	Require specific encryption context	Only decrypt if context matches
kms:GrantIsForAWSResource	Grant must be for AWS service use	Prevent grants to arbitrary principals
kms:KeyOrigin	Where key material came from	Only allow KMS-generated keys
kms:KeySpec	Key algorithm specification	Only allow symmetric keys
kms:RequestAlias	Alias used in request	ABAC — control by alias name pattern
aws:SourceVpce	VPC endpoint ID	Only allow from specific VPC endpoint

Error	Symptom	Common Cause	Fix
AccessDeniedException	"User is not authorized to perform kms:Decrypt"	Key policy missing IAM delegation OR IAM policy missing kms: action	Add root account to key policy + kms:Decrypt to IAM policy
ValidationException	"Ciphertext is larger than 4096 bytes"	Direct Encrypt API called with >4 KB data	Use GenerateDataKey + local AES encryption (envelope encryption)
ThrottlingException	"Rate exceeded" / "Request was throttled"	Exceeded regional KMS quota	S3 Bucket Keys, data key caching, request quota increase
NotFoundException	"Key ARN does not exist"	Wrong region, deleted key, or typo in ARN	Verify region (keys are regional). Check key state. Use correct ARN format.
InvalidKeyUsageException	"Operation not supported for this key usage"	Asymmetric key used for symmetric op (or vice versa)	Check KeySpec. Create separate keys for different purposes.
DependencyTimeoutException	"Custom key store is unavailable"	CloudHSM cluster unreachable	Check CloudHSM health. Ensure kmsuser logged in. Verify VPC connectivity.
KMSInvalidStateException	"Key is pending deletion/disabled"	Key was disabled or scheduled for deletion	EnableKey or CancelKeyDeletion if within waiting period

KMS integrates with 100+ AWS services. Understanding how each service uses KMS — what encryption options exist, what permissions are needed, and what CloudTrail events are generated — is essential for both architecture and security.

Option	Key Management	Who Manages Key	Cost	Audit (CloudTrail)
SSE-S3	AES-256, S3-managed	AWS (invisible)	Free	No KMS events
SSE-KMS	KMS CMK	You (key policy)	$1/mo + API calls	Full audit trail
SSE-KMS + Bucket Key	KMS CMK + cached key	You (key policy)	$1/mo + minimal API	Reduced granularity
SSE-C	Customer-provided key	You (full lifecycle)	Free	No KMS events
DSSE-KMS	Dual-layer KMS encryption	You (key policy)	$1/mo + API calls	Full audit trail

Option	Key	Cost	Rotation	Control
AWS Owned (default)	AWS-managed, invisible	Free	Automatic (varies)	None
AWS Managed (aws/dynamodb)	Visible in KMS console	Free	Yearly (automatic)	View only
Customer Managed	Your CMK	$1/mo + usage	Configurable	Full (policy, disable, delete)

Key point: DynamoDB encryption is always on — you only choose which key type. Client-side encryption (using the DynamoDB Encryption Client) adds field-level encryption on top.

Every KMS API call is logged in CloudTrail. This provides a complete audit trail of who accessed which key, when, and from which service:

Event Field	What It Shows	Example Value
eventName	KMS API action	Decrypt, GenerateDataKey
userIdentity	Who made the call	Role ARN, assumed-role session
requestParameters.keyId	Which key was used	Key ARN or alias
requestParameters.encryptionContext	Context key-value pairs	aws:s3:arn, aws:ebs:id
sourceIPAddress	Caller origin	IP or service name (e.g., s3.amazonaws.com)
vpcEndpointId	VPC endpoint used	vpce-0abc123...

Operation Type	Default Quota (per second)	Increasable?	Applies To
Cryptographic operations (symmetric)	5,500 – 30,000 (varies by region)	Yes (via Support)	Encrypt, Decrypt, GenerateDataKey, ReEncrypt
Cryptographic operations (asymmetric RSA)	500	Yes	RSA Sign, Encrypt, Decrypt
Cryptographic operations (asymmetric ECC)	300	Yes	ECC Sign
Management operations	5 – 50	No	CreateKey, PutKeyPolicy, ScheduleKeyDeletion

What happens when exceeded: KMS returns ThrottlingException. AWS SDKs automatically implement exponential backoff with jitter. Set CloudWatch alarm on ThrottledRequests metric at >100/minute.

Component	Cost	Notes
Customer Managed Key (CMK)	$1/month per key	Charged even when not in use
AWS Managed Key	$0 (free)	No monthly fee, only API charges
API calls (Encrypt, Decrypt, GenerateDataKey)	$0.03 per 10,000 requests	Biggest cost driver at scale
S3 Bucket Keys	$0	Free feature that reduces API costs 99%

Typical monthly costs by workload:

Workload	Without Optimization	With Optimization	Strategy
S3 bucket (1M objects/day, SSE-KMS)	~$90/month	~$1/month	Enable Bucket Keys
100 EBS volumes + daily snapshots	~$104/month	~$100/month	Consolidate CMKs
Lambda (10M invocations, env vars encrypted)	~$30/month	~$30/month	Use AWS managed key if no cross-account need
High-throughput messaging (100K msg/sec)	~$26K/month	~$50/month	Data key caching + reuse period

Beyond standard KMS usage, AWS offers advanced key management options for organizations with strict compliance, data sovereignty, or hybrid-cloud requirements. These options trade convenience for greater control.

A Custom Key Store connects KMS to your own AWS CloudHSM cluster. Key material is generated and stored in HSMs you control — not in the shared KMS HSM fleet.

1. Create CloudHSM Cluster

   Deploy at least 2 HSMs across AZs for high availability. Initialize the cluster and set crypto officer credentials.
2. Create Custom Key Store in KMS

   Link KMS to your CloudHSM cluster. KMS authenticates as a crypto user (kmsuser) on the HSMs.
3. Create CMKs in Custom Key Store

   Keys created here have Origin: AWS_CLOUDHSM. Key material lives exclusively in your HSM cluster.
4. Use like any other CMK

   All KMS APIs work the same. AWS services integrate seamlessly. The difference is where key material lives.

XKS (launched 2022) lets you store and use key material in an HSM entirely outside of AWS — in your own data center or another cloud. KMS proxies requests to your external key manager.

You can import your own symmetric key material into a KMS key instead of letting KMS generate it. This gives you control over key generation but adds significant operational burden.

1. Create CMK with no key material

   Specify Origin: EXTERNAL. KMS creates the key metadata and policy but leaves the key material empty.
2. Download wrapping key & import token

   KMS provides an RSA public key (wrapping key) and an import token. These expire in 24 hours.
3. Encrypt your key material

   Wrap your 256-bit symmetric key with the RSA wrapping key using RSAES_OAEP_SHA_256.
4. Import into KMS

   Upload the wrapped key + import token. Optionally set an expiration date (key auto-deletes material when expired).

Multi-Region keys share the same key material across multiple AWS regions. They look like independent keys but can decrypt each other's ciphertext.

Key Type	Rotation	Period	Behavior
AWS Managed	Automatic (mandatory)	Every year (365 days)	Cannot disable or change period
Customer Managed (KMS material)	Optional (configurable)	90–2560 days	You choose period, can disable
Customer Managed (imported)	Manual only	—	Must create new key + re-import
Asymmetric keys	Manual only	—	Create new key + distribute public key
HMAC keys	Manual only	—	Create new key + update applications
Custom Key Store	Manual only	—	Rotation not supported automatically

IAM Roles Anywhere lets on-premises workloads obtain temporary AWS credentials using X.509 certificates. Combined with KMS, this enables:

Nitro Enclaves create isolated virtual machines with no persistent storage, no network, and no operator access. KMS can be configured to only release keys to a specific enclave:

This final chapter ties everything together with real-world architecture patterns that combine KMS concepts into production-ready solutions. These are the patterns that appear in architecture reviews, certification exams, and enterprise deployments.

Enterprise organizations with multiple AWS accounts need a centralized encryption strategy. The recommended approach:

A data lake encryption pattern that uses different CMKs per data classification:

Classification	S3 Prefix	KMS Key	Access
Public	s3://lake/public/	SSE-S3 (no KMS)	Anyone with bucket access
Internal	s3://lake/internal/	CMK: internal-data-key	All data team roles
Confidential	s3://lake/confidential/	CMK: confidential-key	Restricted analysts only
Restricted/PII	s3://lake/restricted/	CMK: pii-key	DPO + specific approved roles

Key insight: Even if someone has s3:GetObject on the entire bucket, they cannot read restricted data without kms:Decrypt permission on the PII key. KMS becomes your secondary access control layer.

1. Create Multi-Region KMS key

   Primary in us-east-1, replica in us-west-2. Same key material in both regions.
2. Encrypt data in primary region

   S3 objects, EBS snapshots, RDS automated backups — all encrypted with the multi-region key.
3. Replicate to DR region

   S3 Cross-Region Replication, EBS snapshot copy, RDS cross-region read replica.
4. Failover — decrypt immediately

   Data is decryptable immediately in DR region using the local replica key. No re-encryption needed. No cross-region KMS calls.
5. Promote replica if primary fails

   If primary region is permanently lost, promote the replica to primary. Full control maintained in DR region.

Defense-in-depth using KMS condition keys to build a zero-trust encryption layer:

1. Store secrets in Secrets Manager (CMK-encrypted)

   Database passwords, API keys, certificates stored encrypted with a dedicated CI/CD CMK.
2. Pipeline role gets temporary access via grant

   CodePipeline/CodeBuild assume role with kms:Decrypt permission. Grant auto-retires after pipeline completes.
3. Encryption context ties secret to pipeline

   Key policy requires encryption context: {"pipeline": "prod-deploy", "stage": "build"}. Wrong context = denied.
4. CloudTrail captures every access

   Full audit: who accessed which secret, when, from which pipeline. Alert on unexpected access patterns.

The AWS Encryption SDK implements envelope encryption client-side with best practices built in: authenticated encryption, data key caching, multiple master key support, and message format that stores encrypted data keys alongside ciphertext.

Scenario	Pattern	Key Chapter
Encrypt large files	Envelope encryption + GenerateDataKey	Ch04
S3 encryption at scale	SSE-KMS + Bucket Keys enabled	Ch06
Cross-account data sharing	Key policy + IAM policy (dual auth)	Ch05
Global application DR	Multi-Region keys	Ch07
External client encrypts	Asymmetric RSA key (public key distributed)	Ch03
CI/CD secrets	Secrets Manager + CMK + grants	Ch08
Regulatory single-tenant HSM	Custom Key Store (CloudHSM)	Ch07
Data sovereignty	External Key Store (XKS)	Ch07
Prevent accidental deletion	SCP deny + separate admin role	Ch05
Audit all key usage	CloudTrail + CloudWatch alarms	Ch06

Term	Definition
CMK	Customer Master Key — the logical KMS key resource you create and manage
Key Material	The actual cryptographic bytes used for encryption/decryption
Backing Key	The underlying key material (multiple exist over time with rotation)
Data Key	A key generated by KMS for local envelope encryption (not stored in KMS)
Envelope Encryption	Pattern: encrypt data key with CMK, then use data key to encrypt data locally
Encryption Context	Key-value pairs cryptographically bound to ciphertext; required for decryption
Key Policy	Resource-based JSON policy attached to each KMS key (mandatory, max 32 KB)
Grant	Temporary, programmatic permission delegation for KMS key access
Alias	Friendly name pointer to a CMK (e.g., alias/prod-key); updateable without code changes
Custom Key Store	KMS key backed by your own dedicated CloudHSM cluster
XKS	External Key Store — key material stored outside AWS entirely (via XKS Proxy)
BYOK	Bring Your Own Key — import externally-generated key material into KMS
Multi-Region Key	Key replicated across regions with same material (mrk- prefix)
FIPS 140-2	US government security standard for cryptographic modules (Level 2 = KMS, Level 3 = CloudHSM)
HSM	Hardware Security Module — tamper-resistant hardware for key storage and operations
S3 Bucket Key	Intermediate cached key that reduces KMS API calls by 99% for S3 SSE-KMS

Service	Relationship to KMS	When to Use
AWS CloudHSM	Alternative (dedicated HSM for KMS custom key store)	Regulatory requiring single-tenant HSM / FIPS Level 3
AWS Certificate Manager (ACM)	Different purpose (TLS certificates, not data-at-rest)	HTTPS termination at ALB, CloudFront, API Gateway
AWS Secrets Manager	Uses KMS for envelope encryption of secrets	Store and rotate database passwords, API keys
SSM Parameter Store	Uses KMS for SecureString encryption	Application configuration with optional encryption
AWS Nitro Enclaves	Uses KMS with attestation conditions	Process sensitive data with hardware-level isolation
AWS Encryption SDK	Client-side library that wraps KMS for envelope encryption	Encrypt before sending to AWS; multi-key, caching built in
ACM Private CA	Different purpose (internal X.509 certificates)	Internal mTLS, code signing, IoT device identity