Configure a Certificate Authority (Optional)

• None -- creates only a key pair with no certificate
• Built-in CA -- requires no configuration and is suitable for internal trust use cases, such as development builds. Certificates issued by the Built-in CA are not implicitly trusted by browsers or operating systems.
• Microsoft AD CS, DigiCert, and Zero Touch PKI -- require certificate authority connectors to be configured before use

• If you plan to obtain a certificate from a public certificate authority, you must select AWS KMS as the key storage type when creating the Signing Key. Public CAs will not sign a CSR for a key that is not stored on a hardware HSM.
• Certificate authority connectors must be configured in the parent TSG. Once configured, the CA is available for selection when creating a Signing Key in any child TSG.
• While Next-Gen Trust Security supports additional certificate authorities for issuing TLS certificates, only the CAs listed above are supported for issuing code signing certificates through the code signing capability.