AWS::CertificateManager::Certificate
The AWS::CertificateManager::Certificate resource requests an Amazon Certificate Manager (ACM) certificate that you can use to enable secure
connections. For example, you can deploy an ACM certificate to an Elastic Load Balancer to
enable HTTPS support. For more information, see RequestCertificate in
the Amazon Certificate Manager API Reference.
Important
When you use the AWS::CertificateManager::Certificate resource in a
CloudFormation stack, domain validation is handled automatically if all three of the
following are true: The certificate domain is hosted in Amazon Route 53, the domain
resides in your Amazon Web Services account, and you are using DNS validation.
However, if the certificate uses email validation, or if the domain is not hosted in
Route 53, then the stack will remain in the CREATE_IN_PROGRESS state.
Further stack operations are delayed until you validate the certificate request, either
by acting upon the instructions in the validation email, or by adding a CNAME record to
your DNS configuration. For more information, see Option 1: DNS Validation and
Option
2: Email Validation.
Syntax
To declare this entity in your Amazon CloudFormation template, use the following syntax:
JSON
{ "Type" : "AWS::CertificateManager::Certificate", "Properties" : { "CertificateAuthorityArn" :String, "CertificateTransparencyLoggingPreference" :String, "DomainName" :String, "DomainValidationOptions" :[ DomainValidationOption, ... ], "SubjectAlternativeNames" :[ String, ... ], "Tags" :[ Tag, ... ], "ValidationMethod" :String} }
YAML
Type: AWS::CertificateManager::Certificate Properties: CertificateAuthorityArn:StringCertificateTransparencyLoggingPreference:StringDomainName:StringDomainValidationOptions:- DomainValidationOptionSubjectAlternativeNames:- StringTags:- TagValidationMethod:String
Properties
CertificateAuthorityArn-
The Amazon Resource Name (ARN) of the private certificate authority (CA) that will be used to issue the certificate. If you do not provide an ARN and you are trying to request a private certificate, ACM will attempt to issue a public certificate. For more information about private CAs, see the Amazon Private Certificate Authority user guide. The ARN must have the following form:
arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012Required: No
Type: String
Minimum:
20Maximum:
2048Pattern:
arn:[\w+=/,.@-]+:acm-pca:[\w+=/,.@-]*:[0-9]+:[\w+=,.@-]+(/[\w+=,.@-]+)*Update requires: Replacement
CertificateTransparencyLoggingPreference-
You can opt out of certificate transparency logging by specifying the
DISABLEDoption. Opt in by specifyingENABLED.If you do not specify a certificate transparency logging preference on a new CloudFormation template, or if you remove the logging preference from an existing template, this is the same as explicitly enabling the preference.
Changing the certificate transparency logging preference will update the existing resource by calling
UpdateCertificateOptionson the certificate. This action will not create a new resource.Required: No
Type: String
Allowed values:
DISABLED | ENABLEDUpdate requires: No interruption
DomainName-
The fully qualified domain name (FQDN), such as www.example.com, with which you want to secure an ACM certificate. Use an asterisk (*) to create a wildcard certificate that protects several sites in the same domain. For example,
*.example.comprotectswww.example.com,site.example.com, andimages.example.com.Required: Yes
Type: String
Minimum:
1Maximum:
253Pattern:
^(\*\.)?(((?!-)[A-Za-z0-9-]{0,62}[A-Za-z0-9])\.)+((?!-)[A-Za-z0-9-]{1,62}[A-Za-z0-9])$Update requires: Replacement
DomainValidationOptions-
Domain information that domain name registrars use to verify your identity.
Important
In order for a AWS::CertificateManager::Certificate to be provisioned and validated in CloudFormation automatically, the `DomainName` property needs to be identical to one of the `DomainName` property supplied in DomainValidationOptions, if the ValidationMethod is **DNS**. Failing to keep them like-for-like will result in failure to create the domain validation records in Route53.
Required: No
Type: List of DomainValidationOption
Maximum:
100Update requires: Replacement
SubjectAlternativeNames-
Additional FQDNs to be included in the Subject Alternative Name extension of the ACM certificate. For example, you can add www.example.net to a certificate for which the
DomainNamefield is www.example.com if users can reach your site by using either name.Required: No
Type: List of String
Maximum:
100Update requires: Replacement
Tags-
Key-value pairs that can identify the certificate.
Required: No
Type: List of Tag
Maximum:
50Update requires: No interruption
ValidationMethod-
The method you want to use to validate that you own or control the domain associated with a public certificate. You can validate with DNS or validate with email. We recommend that you use DNS validation.
If not specified, this property defaults to email validation.
Required: No
Type: String
Allowed values:
DNS | EMAILUpdate requires: Replacement
Return values
Ref
When you pass the logical ID of this resource to the intrinsic Reffunction, Refreturns the certificate's Amazon Resource Name (ARN).
For more information about using the Reffunction, see Ref.
Examples
Declaring an Amazon Certificate Manager Certificate Resource
The following example shows how to declare an
AWS::CertificateManager::Certificate resource to create an ACM
certificate.
JSON
{ "Resources":{ "MyCertificate":{ "Type":"AWS::CertificateManager::Certificate", "Properties":{ "DomainName":"example.com", "ValidationMethod":"DNS" } } } }
YAML
Resources: MyCertificate: Type: "AWS::CertificateManager::Certificate" Properties: DomainName: example.com ValidationMethod: DNS