diff --git a/acmpca/README.md b/acmpca/README.md
new file mode 100644
index 0000000..59902fc
--- /dev/null
+++ b/acmpca/README.md
@@ -0,0 +1,122 @@
+
+# About : aws-certificate/acmpca
+
+This module creates an ACM certificate, using the general purpose (ca1) ACM-PCA or short term (ca2) in the local region. It will automatically
+include the DNS name in the SAN. You may add additonal SAN fully qualified domain names, URIs, or
+in the SAN for an ACM certificate. The [CLI documentation](https://docs.aws.amazon.com/cli/latest/reference/acm-pca/issue-certificate.html) indicates
+you can use any of the standard types for a SAN (DNS, URI, email, DNS, etc.) along with the [API](https://docs.aws.amazon.com/privateca/latest/APIReference/API_IssueCertificate.html)
+reference. Other documentation states otherwise (TBD -- find link).
+
+It expects an SSM parameter `/enterprise/pki/ca1` for general purpose and `/enterprise/pki/ca2` for short term CA to exist in the account (distributed to all OUs from a central account).
+If this parameter does not exist, this module will fail.
+
+It returns:
+
+# Usage
+This shows the module call with how you would use it.
+
+```hcl
+module "cert" {
+ source = "git@github.e.it.census.gov:terraform-modules/aws-certificates//acm"
+
+ certificate_dns = "test.domain.census.gov"
+ contact_email = "cio.engineering.alert.list@census.gov"
+
+ ## optional
+ ## add additional names to SAN
+ # certificate_san = [ "otherdomain.domain.census.gov" ]
+}
+
+# associating it with the ALB listener
+resource "aws_lb_listener" "app_443" {
+ count = module.cert.certificate_arn != null ? 1 : 0
+ load_balancer_arn = aws_lb.app.arn
+ port = 443
+ protocol = "HTTPS"
+ ssl_policy = "ELBSecurityPolicy-TLS-1-2-2017-01"
+ certificate_arn = module.cert.certificate_arn
+
+ default_action {
+ type = "forward"
+ target_group_arn = aws_lb_target_group.app.arn
+ }
+}
+```
+
+The output value to look at is `certificate_arn`. This is null if the certificate is incomplete or failed to load into ACM, or
+the ARN if completed. You'll use the ARN for an AWS LB Listener.
+
+## Requirements
+
+| Name | Version |
+|------|---------|
+| [terraform](#requirement\_terraform) | >= 0.14 |
+| [aws](#requirement\_aws) | >= 5.0 |
+| [local](#requirement\_local) | >= 2.1.0 |
+| [null](#requirement\_null) | >= 3.1.0 |
+| [tls](#requirement\_tls) | >= 3.1.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| [aws](#provider\_aws) | >= 5.0 |
+| [local](#provider\_local) | >= 2.1.0 |
+| [null](#provider\_null) | >= 3.1.0 |
+| [tls](#provider\_tls) | >= 3.1.0 |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_acmpca_certificate.certificate](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/acmpca_certificate) | resource |
+| [local_sensitive_file.certificate_cert](https://registry.terraform.io/providers/hashicorp/local/latest/docs/resources/sensitive_file) | resource |
+| [local_sensitive_file.certificate_cert_chain](https://registry.terraform.io/providers/hashicorp/local/latest/docs/resources/sensitive_file) | resource |
+| [local_sensitive_file.certificate_csr](https://registry.terraform.io/providers/hashicorp/local/latest/docs/resources/sensitive_file) | resource |
+| [local_sensitive_file.certificate_key](https://registry.terraform.io/providers/hashicorp/local/latest/docs/resources/sensitive_file) | resource |
+| [null_source.output_directory](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/source) | resource |
+| [tls_cert_request.certificate](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/cert_request) | resource |
+| [tls_private_key.certificate](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/private_key) | resource |
+| [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source |
+| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
+| [aws_ssm_parameter.ca_longterm](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssm_parameter) | data source |
+| [aws_ssm_parameter.ca_shortterm](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssm_parameter) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| [account\_alias](#input\_account\_alias) | AWS Account Alias | `string` | `""` | no |
+| [account\_id](#input\_account\_id) | AWS Account ID (default will pull from current user) | `string` | `""` | no |
+| [certificate\_authority\_mode](#input\_certificate\_authority\_mode) | String indicating whether to use the general purpose (general) or short lived (short) CA (general is ca1, short lived is ca2) | `string` | `"general"` | no |
+| [certificate\_authority\_template](#input\_certificate\_authority\_template) | String indicating which specific ACMPCA template to use | `string` | `null` | no |
+| [certificate\_cn](#input\_certificate\_cn) | CommonName (CN) to use for certificate, defaults in c=US,o=U.S. Census Bureau,ou=Servers. This will typically be the DNS name. Uses certificate\_dns if not provided. | `string` | `null` | no |
+| [certificate\_dns](#input\_certificate\_dns) | DNS Name to be used for the certificate. For ACM certificate, the subject and CN may not be customized. | `string` | n/a | yes |
+| [certificate\_filename](#input\_certificate\_filename) | Filename for Certificate. Defaults to {certificate\_dns}.crt | `string` | `null` | no |
+| [certificate\_san](#input\_certificate\_san) | The Subject Alternate Names (SAN), a list of FQDNs to include in the ACM Certificate. Only DNS names are supported. See docs at https://docs.aws.amazon.com/cli/latest/reference/acm/request-certificate.html | `list(string)` | `[]` | no |
+| [certificate\_subject\_overrides](#input\_certificate\_subject\_overrides) | Map of c, o, and ou to override certificate signing request settings. Note that only a single OU is permitted. | `map(string)` | `{}` | no |
+| [certificate\_type](#input\_certificate\_type) | Selection of type of certificate, either end-entity or subordinate-ca. Note that the subordinate-ca type is not available for the short lived CA mode | `string` | `"end-entity"` | no |
+| [contact\_email](#input\_contact\_email) | Email address in @census.gov of contact for the certificate. This is strongly recommended to be a group email address. | `string` | n/a | yes |
+| [create\_files](#input\_create\_files) | Flag controlling the creation of output files for the key, CSR, and certificate and bundle. | `bool` | `false` | no |
+| [csr\_filename](#input\_csr\_filename) | Filename for Certificate Signing Request (CSR). Defaults to {certificate\_dns}.csr | `string` | `null` | no |
+| [key\_filename](#input\_key\_filename) | Filename for RSA private key. Defaults to {certificate\_dns}.key | `string` | `null` | no |
+| [output\_file\_directory](#input\_output\_file\_directory) | File path for resultant files when create\_files is used. Defaults to path.root/certs | `string` | `null` | no |
+| [override\_prefixes](#input\_override\_prefixes) | Override built-in prefixes by component. This should be used primarily for common infrastructure things | `map(string)` | `{}` | no |
+| [tags](#input\_tags) | AWS Tags to apply to appropriate resources | `map(string)` | `{}` | no |
+| [validity\_days](#input\_validity\_days) | Number of days for which the certificate is valid. For the short lived certificate, this must be <= 7 | `number` | `365` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| [certificate](#output\_certificate) | PEM format for signed certificate |
+| [certificate\_chain](#output\_certificate\_chain) | PEM format for certificate chain (issuer through root) |
+| [certificate\_csr](#output\_certificate\_csr) | PEM format Certificate Signing Request |
+| [certificate\_files](#output\_certificate\_files) | Map of certificate file names |
+| [certificate\_key](#output\_certificate\_key) | PEM format RSA Key |
+
\ No newline at end of file
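Review bot: The Usage example and the paragraph after it depend on `module.cert.certificate_arn`, but the Outputs table at the end of this README lists only `certificate`, `certificate_chain`, `certificate_csr`, `certificate_files` and `certificate_key`, and the example's `source` ends in `//acm` rather than `//acmpca`, so the section appears to be carried over from the ACM module. Either add a `certificate_arn` output to this module or rewrite the example around the PEM outputs, and point `source` at the `acmpca` subdirectory. The "It returns:" line is followed by nothing and should be completed or dropped. The intro says URIs and other SAN types may be added, while the `certificate_san` input says "Only DNS names are supported" and links to the `acm request-certificate` docs; resolve the "TBD -- find link" and make the two statements agree. Because the key is generated with `tls_private_key` and exposed as `certificate_key`, the README should say that the private key is stored in Terraform state and that `create_files` also writes it to disk, so users know to protect both the state backend and the output directory. Minor: "additonal" is misspelled, the sentence "URIs, or in the SAN" is missing a word, "DNS" appears twice in the SAN type list, and the file has no trailing newline.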