AWS Certificate Manager (ACM) Private Certificate Authority (CA) now enforces name constraints in imported CA certificates. Name constraints are defined in the Internet public key infrastructure (PKI) standard RFC 5280 and provide a way for CA administrators to restrict subject names in certificates.

from Recent Announcements https://aws.amazon.com/about-aws/whats-new/2019/10/aws-certificate-manager-private-certificate-authority-now-enforces-name-constraints-in-imported-ca-certificates/