AWS::ACMPCA::CertificateAuthority
Use the AWS::ACMPCA::CertificateAuthority resource to create a private
CA. Once the CA exists, you can use the AWS::ACMPCA::Certificate resource
to issue a new CA certificate. Alternatively, you can issue a CA certificate using an
on-premises CA, and then use the
AWS::ACMPCA::CertificateAuthorityActivation resource to import the new
CA certificate and activate the CA.
Note
Before removing a AWS::ACMPCA::CertificateAuthority resource from the
CloudFormation stack, disable the affected CA. Otherwise, the action will fail. You
can disable the CA by removing its associated
AWS::ACMPCA::CertificateAuthorityActivation resource from
CloudFormation.
Syntax
To declare this entity in your Amazon CloudFormation template, use the following syntax:
JSON
{ "Type" : "AWS::ACMPCA::CertificateAuthority", "Properties" : { "CsrExtensions" :CsrExtensions, "KeyAlgorithm" :String, "KeyStorageSecurityStandard" :String, "RevocationConfiguration" :RevocationConfiguration, "SigningAlgorithm" :String, "Subject" :Subject, "Tags" :[ Tag, ... ], "Type" :String, "UsageMode" :String} }
YAML
Type: AWS::ACMPCA::CertificateAuthority Properties: CsrExtensions:CsrExtensionsKeyAlgorithm:StringKeyStorageSecurityStandard:StringRevocationConfiguration:RevocationConfigurationSigningAlgorithm:StringSubject:SubjectTags:- TagType:StringUsageMode:String
Properties
CsrExtensions-
Specifies information to be added to the extension section of the certificate signing request (CSR).
Required: No
Type: CsrExtensions
Update requires: Replacement
KeyAlgorithm-
Type of the public key algorithm and size, in bits, of the key pair that your CA creates when it issues a certificate. When you create a subordinate CA, you must use a key algorithm supported by the parent CA.
Required: Yes
Type: String
Allowed values:
EC_prime256v1 | EC_secp384r1 | RSA_2048 | RSA_4096Update requires: Replacement
KeyStorageSecurityStandard-
Specifies a cryptographic key management compliance standard used for handling CA keys.
Default: FIPS_140_2_LEVEL_3_OR_HIGHER
Note
Some Amazon Regions do not support the default. When creating a CA in these Regions, you must provide
FIPS_140_2_LEVEL_2_OR_HIGHERas the argument forKeyStorageSecurityStandard. Failure to do this results in anInvalidArgsExceptionwith the message, "A certificate authority cannot be created in this region with the specified security standard."For information about security standard support in various Regions, see Storage and security compliance of Amazon Private CA private keys.
Required: No
Type: String
Allowed values:
FIPS_140_2_LEVEL_2_OR_HIGHER | FIPS_140_2_LEVEL_3_OR_HIGHERUpdate requires: Replacement
RevocationConfiguration-
Certificate revocation information used by the CreateCertificateAuthority and UpdateCertificateAuthority actions. Your private certificate authority (CA) can configure Online Certificate Status Protocol (OCSP) support and/or maintain a certificate revocation list (CRL). OCSP returns validation information about certificates as requested by clients, and a CRL contains an updated list of certificates revoked by your CA. For more information, see RevokeCertificate in the Amazon Private CA API Reference and Setting up a certificate revocation method in the Amazon Private CA User Guide.
Note
The following requirements apply to revocation configurations.
-
A configuration disabling CRLs or OCSP must contain only the
Enabled=Falseparameter, and will fail if other parameters such asCustomCnameorExpirationInDaysare included. -
In a CRL configuration, the
S3BucketNameparameter must conform to the Amazon S3 bucket naming rules. -
A configuration containing a custom Canonical Name (CNAME) parameter for CRLs or OCSP must conform to RFC2396
restrictions on the use of special characters in a CNAME. -
In a CRL or OCSP configuration, the value of a CNAME parameter must not include a protocol prefix such as "http://" or "https://".
Required: No
Type: RevocationConfiguration
Update requires: No interruption
-
SigningAlgorithm-
Name of the algorithm your private CA uses to sign certificate requests.
This parameter should not be confused with the
SigningAlgorithmparameter used to sign certificates when they are issued.Required: Yes
Type: String
Allowed values:
SHA256WITHECDSA | SHA256WITHRSA | SHA384WITHECDSA | SHA384WITHRSA | SHA512WITHECDSA | SHA512WITHRSAUpdate requires: Replacement
Subject-
Structure that contains X.500 distinguished name information for your private CA.
Required: Yes
Type: Subject
Update requires: Replacement
Tags-
Key-value pairs that will be attached to the new private CA. You can associate up to 50 tags with a private CA. For information using tags with IAM to manage permissions, see Controlling Access Using IAM Tags.
Required: No
Type: List of Tag
Update requires: No interruption
Type-
Type of your private CA.
Required: Yes
Type: String
Allowed values:
ROOT | SUBORDINATEUpdate requires: Replacement
UsageMode-
Specifies whether the CA issues general-purpose certificates that typically require a revocation mechanism, or short-lived certificates that may optionally omit revocation because they expire quickly. Short-lived certificate validity is limited to seven days.
The default value is GENERAL_PURPOSE.
Required: No
Type: String
Allowed values:
GENERAL_PURPOSE | SHORT_LIVED_CERTIFICATEUpdate requires: Replacement
Return values
Ref
The Amazon Resource Name (ARN) of the certificate authority.
Fn::GetAtt
The Fn::GetAtt intrinsic function returns a value for a specified
attribute of this type. The following are the available attributes and sample return
values.
For more information about using the Fn::GetAtt intrinsic function, see
Fn::GetAtt.
Examples
The following example of a CloudFormation template sets up a CA hierarchy and
permission. The example illustrates the use of
AWS::ACMPCA::Certificate,
AWS::ACMPCA::CertificateAuthority, and
AWS::ACMPCA::CertificateAuthorityActivation, and
AWS::ACMPCA::Permission resources.
Declaring a private CA Hierarchy
JSON
{ "AWSTemplateFormatVersion":"2010-09-09", "Description":"Cloudformation template to setup CA.", "Resources":{ "RootCA":{ "Type":"AWS::ACMPCA::CertificateAuthority", "Properties":{ "Type":"ROOT", "KeyAlgorithm":"RSA_2048", "SigningAlgorithm":"SHA256WITHRSA", "Subject":{ "Country":"US", "Organization":"string", "OrganizationalUnit":"string", "DistinguishedNameQualifier":"string", "State":"string", "CommonName":"123", "SerialNumber":"string", "Locality":"string", "Title":"string", "Surname":"string", "GivenName":"string", "Initials":"DG", "Pseudonym":"string", "GenerationQualifier":"DBG" }, "RevocationConfiguration":{ "CrlConfiguration":{ "Enabled":false } } } }, "RootCACertificate":{ "Type":"AWS::ACMPCA::Certificate", "Properties":{ "CertificateAuthorityArn":{ "Ref":"RootCA" }, "CertificateSigningRequest":{ "Fn::GetAtt":[ "RootCA", "CertificateSigningRequest" ] }, "SigningAlgorithm":"SHA256WITHRSA", "TemplateArn":"arn:aws:acm-pca:::template/RootCACertificate/V1", "Validity":{ "Type":"DAYS", "Value":100 } } }, "RootCAActivation":{ "Type":"AWS::ACMPCA::CertificateAuthorityActivation", "Properties":{ "CertificateAuthorityArn":{ "Ref":"RootCA" }, "Certificate":{ "Fn::GetAtt":[ "RootCACertificate", "Certificate" ] }, "Status":"ACTIVE" } }, "RootCAPermission":{ "Type":"AWS::ACMPCA::Permission", "Properties":{ "Actions":[ "IssueCertificate", "GetCertificate", "ListPermissions" ], "CertificateAuthorityArn":{ "Ref":"RootCA" }, "Principal":"acm.amazonaws.com" } }, "SubordinateCAOne":{ "Type":"AWS::ACMPCA::CertificateAuthority", "Properties":{ "Type":"SUBORDINATE", "KeyAlgorithm":"RSA_2048", "SigningAlgorithm":"SHA256WITHRSA", "Subject":{ "Country":"US", "Organization":"string", "OrganizationalUnit":"string", "DistinguishedNameQualifier":"string", "State":"string", "CommonName":"Sub1", "SerialNumber":"string", "Locality":"string", "Title":"string", "Surname":"string", "GivenName":"string", "Initials":"DG", "Pseudonym":"string", "GenerationQualifier":"DBG" }, "RevocationConfiguration":{ }, "Tags":[ ] } }, "SubordinateCAOneCACertificate":{ "DependsOn":"RootCAActivation", "Type":"AWS::ACMPCA::Certificate", "Properties":{ "CertificateAuthorityArn":{ "Ref":"RootCA" }, "CertificateSigningRequest":{ "Fn::GetAtt":[ "SubordinateCAOne", "CertificateSigningRequest" ] }, "SigningAlgorithm":"SHA256WITHRSA", "TemplateArn":"arn:aws:acm-pca:::template/SubordinateCACertificate_PathLen3/V1", "Validity":{ "Type":"DAYS", "Value":90 } } }, "SubordinateCAOneActivation":{ "Type":"AWS::ACMPCA::CertificateAuthorityActivation", "Properties":{ "CertificateAuthorityArn":{ "Ref":"SubordinateCAOne" }, "Certificate":{ "Fn::GetAtt":[ "SubordinateCAOneCACertificate", "Certificate" ] }, "CertificateChain":{ "Fn::GetAtt":[ "RootCAActivation", "CompleteCertificateChain" ] }, "Status":"ACTIVE" } }, "SubordinateCAOnePermission":{ "Type":"AWS::ACMPCA::Permission", "Properties":{ "Actions":[ "IssueCertificate", "GetCertificate", "ListPermissions" ], "CertificateAuthorityArn":{ "Ref":"SubordinateCAOne" }, "Principal":"acm.amazonaws.com" } }, "SubordinateCATwo":{ "Type":"AWS::ACMPCA::CertificateAuthority", "Properties":{ "Type":"SUBORDINATE", "KeyAlgorithm":"RSA_2048", "SigningAlgorithm":"SHA256WITHRSA", "Subject":{ "Country":"US", "Organization":"string", "OrganizationalUnit":"string", "DistinguishedNameQualifier":"string", "State":"string", "SerialNumber":"string", "Locality":"string", "Title":"string", "Surname":"string", "GivenName":"string", "Initials":"DG", "Pseudonym":"string", "GenerationQualifier":"DBG" }, "Tags":[ { "Key":"Key1", "Value":"Value1" }, { "Key":"Key2", "Value":"Value2" } ] } }, "SubordinateCATwoCACertificate":{ "DependsOn":"SubordinateCAOneActivation", "Type":"AWS::ACMPCA::Certificate", "Properties":{ "CertificateAuthorityArn":{ "Ref":"SubordinateCAOne" }, "CertificateSigningRequest":{ "Fn::GetAtt":[ "SubordinateCATwo", "CertificateSigningRequest" ] }, "SigningAlgorithm":"SHA256WITHRSA", "TemplateArn":"arn:aws:acm-pca:::template/SubordinateCACertificate_PathLen2/V1", "Validity":{ "Type":"DAYS", "Value":80 } } }, "SubordinateCATwoActivation":{ "Type":"AWS::ACMPCA::CertificateAuthorityActivation", "Properties":{ "CertificateAuthorityArn":{ "Ref":"SubordinateCATwo" }, "Certificate":{ "Fn::GetAtt":[ "SubordinateCATwoCACertificate", "Certificate" ] }, "CertificateChain":{ "Fn::GetAtt":[ "SubordinateCAOneActivation", "CompleteCertificateChain" ] } } }, "SubordinateCATwoPermission":{ "Type":"AWS::ACMPCA::Permission", "Properties":{ "Actions":[ "IssueCertificate", "GetCertificate", "ListPermissions" ], "CertificateAuthorityArn":{ "Ref":"SubordinateCATwo" }, "Principal":"acm.amazonaws.com" } }, "EndEntityCertificate":{ "DependsOn":"SubordinateCATwoActivation", "Type":"AWS::ACMPCA::Certificate", "Properties":{ "CertificateAuthorityArn":{ "Ref":"SubordinateCATwo" }, "CertificateSigningRequest":{ "Fn::Join":[ "\n", [ "-----BEGIN CERTIFICATE REQUEST-----", "MIICvDCCAaQCAQAwdzELMAkGA1UEBhMCVVMxDTALBgNVBAgMBFV0YWgxDzANBgNV", "BAcMBkxpbmRvbjEWMBQGA1UECgwNRGlnaUNlcnQgSW5jLjERMA8GA1UECwwIRGln", "aUNlcnQxHTAbBgNVBAMMFGV4YW1wbGUuZGlnaWNlcnQuY29tMIIBIjANBgkqhkiG", "9w0BAQEFAAOCAQ8AMIIBCgKCAQEA8+To7d+2kPWeBv/orU3LVbJwDrSQbeKamCmo", "wp5bqDxIwV20zqRb7APUOKYoVEFFOEQs6T6gImnIolhbiH6m4zgZ/CPvWBOkZc+c", "1Po2EmvBz+AD5sBdT5kzGQA6NbWyZGldxRthNLOs1efOhdnWFuhI162qmcflgpiI", "WDuwq4C9f+YkeJhNn9dF5+owm8cOQmDrV8NNdiTqin8q3qYAHHJRW28glJUCZkTZ", "wIaSR6crBQ8TbYNE0dc+Caa3DOIkz1EOsHWzTx+n0zKfqcbgXi4DJx+C1bjptYPR", "BPZL8DAeWuA8ebudVT44yEp82G96/Ggcf7F33xMxe0yc+Xa6owIDAQABoAAwDQYJ", "KoZIhvcNAQEFBQADggEBAB0kcrFccSmFDmxox0Ne01UIqSsDqHgL+XmHTXJwre6D", "hJSZwbvEtOK0G3+dr4Fs11WuUNt5qcLsx5a8uk4G6AKHMzuhLsJ7XZjgmQXGECpY", "Q4mC3yT3ZoCGpIXbw+iP3lmEEXgaQL0Tx5LFl/okKbKYwIqNiyKWOMj7ZR/wxWg/", "ZDGRs55xuoeLDJ/ZRFf9bI+IaCUd1YrfYcHIl3G87Av+r49YVwqRDT0VDV7uLgqn", "29XI1PpVUNCPQGn9p/eX6Qo7vpDaPybRtA2R7XLKjQaF9oXWeCUqy1hvJac9QFO2", "97Ob1alpHPoZ7mWiEuJwjBPii6a9M9G30nUo39lBi1w=", "-----END CERTIFICATE REQUEST-----" ] ] }, "SigningAlgorithm":"SHA256WITHRSA", "Validity":{ "Type":"DAYS", "Value":70 } } } }, "Outputs":{ "CompleteCertificateChain":{ "Value":{ "Fn::GetAtt":[ "SubordinateCATwoActivation", "CompleteCertificateChain" ] } }, "CertificateArn":{ "Value":{ "Fn::GetAtt":[ "EndEntityCertificate", "Arn" ] } } } }
YAML
--- AWSTemplateFormatVersion: '2010-09-09' Description: Cloudformation template to setup CA. Resources: RootCA: Type: AWS::ACMPCA::CertificateAuthority Properties: Type: ROOT KeyAlgorithm: RSA_2048 SigningAlgorithm: SHA256WITHRSA Subject: Country: US Organization: string OrganizationalUnit: string DistinguishedNameQualifier: string State: string CommonName: '123' SerialNumber: string Locality: string Title: string Surname: string GivenName: string Initials: DG Pseudonym: string GenerationQualifier: DBG RevocationConfiguration: CrlConfiguration: Enabled: false RootCACertificate: Type: AWS::ACMPCA::Certificate Properties: CertificateAuthorityArn: Ref: RootCA CertificateSigningRequest: Fn::GetAtt: - RootCA - CertificateSigningRequest SigningAlgorithm: SHA256WITHRSA TemplateArn: arn:aws:acm-pca:::template/RootCACertificate/V1 Validity: Type: DAYS Value: 100 RootCAActivation: Type: AWS::ACMPCA::CertificateAuthorityActivation Properties: CertificateAuthorityArn: Ref: RootCA Certificate: Fn::GetAtt: - RootCACertificate - Certificate Status: ACTIVE RootCAPermission: Type: AWS::ACMPCA::Permission Properties: Actions: - IssueCertificate - GetCertificate - ListPermissions CertificateAuthorityArn: !Ref: RootCA Principal: acm.amazonaws.com SubordinateCAOne: Type: AWS::ACMPCA::CertificateAuthority Properties: Type: SUBORDINATE KeyAlgorithm: RSA_2048 SigningAlgorithm: SHA256WITHRSA Subject: Country: US Organization: string OrganizationalUnit: string DistinguishedNameQualifier: string State: string CommonName: Sub1 SerialNumber: string Locality: string Title: string Surname: string GivenName: string Initials: DG Pseudonym: string GenerationQualifier: DBG RevocationConfiguration: {} Tags: [] SubordinateCAOneCACertificate: DependsOn: RootCAActivation Type: AWS::ACMPCA::Certificate Properties: CertificateAuthorityArn: Ref: RootCA CertificateSigningRequest: Fn::GetAtt: - SubordinateCAOne - CertificateSigningRequest SigningAlgorithm: SHA256WITHRSA TemplateArn: arn:aws:acm-pca:::template/SubordinateCACertificate_PathLen3/V1 Validity: Type: DAYS Value: 90 SubordinateCAOneActivation: Type: AWS::ACMPCA::CertificateAuthorityActivation Properties: CertificateAuthorityArn: Ref: SubordinateCAOne Certificate: Fn::GetAtt: - SubordinateCAOneCACertificate - Certificate CertificateChain: Fn::GetAtt: - RootCAActivation - CompleteCertificateChain Status: ACTIVE SubordinateCAOnePermission: Type: AWS::ACMPCA::Permission Properties: Actions: - IssueCertificate - GetCertificate - ListPermissions CertificateAuthorityArn: !Ref: SubordinateCAOne Principal: acm.amazonaws.com SubordinateCATwo: Type: AWS::ACMPCA::CertificateAuthority Properties: Type: SUBORDINATE KeyAlgorithm: RSA_2048 SigningAlgorithm: SHA256WITHRSA Subject: Country: US Organization: string OrganizationalUnit: string DistinguishedNameQualifier: string State: string SerialNumber: string Locality: string Title: string Surname: string GivenName: string Initials: DG Pseudonym: string GenerationQualifier: DBG Tags: - Key: Key1 Value: Value1 - Key: Key2 Value: Value2 SubordinateCATwoCACertificate: DependsOn: SubordinateCAOneActivation Type: AWS::ACMPCA::Certificate Properties: CertificateAuthorityArn: Ref: SubordinateCAOne CertificateSigningRequest: Fn::GetAtt: - SubordinateCATwo - CertificateSigningRequest SigningAlgorithm: SHA256WITHRSA TemplateArn: arn:aws:acm-pca:::template/SubordinateCACertificate_PathLen2/V1 Validity: Type: DAYS Value: 80 SubordinateCATwoActivation: Type: AWS::ACMPCA::CertificateAuthorityActivation Properties: CertificateAuthorityArn: Ref: SubordinateCATwo Certificate: Fn::GetAtt: - SubordinateCATwoCACertificate - Certificate CertificateChain: Fn::GetAtt: - SubordinateCAOneActivation - CompleteCertificateChain SubordinateCATwoPermission: Type: AWS::ACMPCA::Permission Properties: Actions: - IssueCertificate - GetCertificate - ListPermissions CertificateAuthorityArn: !Ref: SubordinateCATwo Principal: acm.amazonaws.com EndEntityCertificate: DependsOn: SubordinateCATwoActivation Type: AWS::ACMPCA::Certificate Properties: CertificateAuthorityArn: Ref: SubordinateCATwo CertificateSigningRequest: Fn::Join: - "\n" - - "-----BEGIN CERTIFICATE REQUEST-----" - MIICvDCCAaQCAQAwdzELMAkGA1UEBhMCVVMxDTALBgNVBAgMBFV0YWgxDzANBgNV - BAcMBkxpbmRvbjEWMBQGA1UECgwNRGlnaUNlcnQgSW5jLjERMA8GA1UECwwIRGln - aUNlcnQxHTAbBgNVBAMMFGV4YW1wbGUuZGlnaWNlcnQuY29tMIIBIjANBgkqhkiG - 9w0BAQEFAAOCAQ8AMIIBCgKCAQEA8+To7d+2kPWeBv/orU3LVbJwDrSQbeKamCmo - wp5bqDxIwV20zqRb7APUOKYoVEFFOEQs6T6gImnIolhbiH6m4zgZ/CPvWBOkZc+c - 1Po2EmvBz+AD5sBdT5kzGQA6NbWyZGldxRthNLOs1efOhdnWFuhI162qmcflgpiI - WDuwq4C9f+YkeJhNn9dF5+owm8cOQmDrV8NNdiTqin8q3qYAHHJRW28glJUCZkTZ - wIaSR6crBQ8TbYNE0dc+Caa3DOIkz1EOsHWzTx+n0zKfqcbgXi4DJx+C1bjptYPR - BPZL8DAeWuA8ebudVT44yEp82G96/Ggcf7F33xMxe0yc+Xa6owIDAQABoAAwDQYJ - KoZIhvcNAQEFBQADggEBAB0kcrFccSmFDmxox0Ne01UIqSsDqHgL+XmHTXJwre6D - hJSZwbvEtOK0G3+dr4Fs11WuUNt5qcLsx5a8uk4G6AKHMzuhLsJ7XZjgmQXGECpY - Q4mC3yT3ZoCGpIXbw+iP3lmEEXgaQL0Tx5LFl/okKbKYwIqNiyKWOMj7ZR/wxWg/ - ZDGRs55xuoeLDJ/ZRFf9bI+IaCUd1YrfYcHIl3G87Av+r49YVwqRDT0VDV7uLgqn - 29XI1PpVUNCPQGn9p/eX6Qo7vpDaPybRtA2R7XLKjQaF9oXWeCUqy1hvJac9QFO2 - 97Ob1alpHPoZ7mWiEuJwjBPii6a9M9G30nUo39lBi1w= - "-----END CERTIFICATE REQUEST-----" SigningAlgorithm: SHA256WITHRSA Validity: Type: DAYS Value: 70 Outputs: CompleteCertificateChain: Value: Fn::GetAtt: - SubordinateCATwoActivation - CompleteCertificateChain CertificateArn: Value: Fn::GetAtt: - EndEntityCertificate - Arn