AWS::ACMPCA::CertificateAuthority - AWS CloudFormation
SyntaxPropertiesReturn valuesExamples

AWS::ACMPCA::CertificateAuthority

Use the AWS::ACMPCA::CertificateAuthority resource to create a private CA. Once the CA exists, you can use the AWS::ACMPCA::Certificate resource to issue a new CA certificate. Alternatively, you can issue a CA certificate using an on-premises CA, and then use the AWS::ACMPCA::CertificateAuthorityActivation resource to import the new CA certificate and activate the CA.

Note

Before removing a AWS::ACMPCA::CertificateAuthority resource from the CloudFormation stack, disable the affected CA. Otherwise, the action will fail. You can disable the CA by removing its associated AWS::ACMPCA::CertificateAuthorityActivation resource from CloudFormation.

Syntax

To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON

{
  "Type" : "AWS::ACMPCA::CertificateAuthority",
  "Properties" : {
      "CsrExtensions" : CsrExtensions,
      "KeyAlgorithm" : String,
      "KeyStorageSecurityStandard" : String,
      "RevocationConfiguration" : RevocationConfiguration,
      "SigningAlgorithm" : String,
      "Subject" : Subject,
      "Tags" : [ Tag, ... ],
      "Type" : String,
      "UsageMode" : String
    }
}

YAML

Type: AWS::ACMPCA::CertificateAuthority
Properties:
  CsrExtensions: 
    CsrExtensions
  KeyAlgorithm: String
  KeyStorageSecurityStandard: String
  RevocationConfiguration: 
    RevocationConfiguration
  SigningAlgorithm: String
  Subject: 
    Subject
  Tags: 
    - Tag
  Type: String
  UsageMode: String

Properties

CsrExtensions

Specifies information to be added to the extension section of the certificate signing request (CSR).

Required: No

Type: CsrExtensions

Update requires: Replacement

KeyAlgorithm

Type of the public key algorithm and size, in bits, of the key pair that your CA creates when it issues a certificate. When you create a subordinate CA, you must use a key algorithm supported by the parent CA.

Required: Yes

Type: String

Allowed values: RSA_2048 | RSA_4096 | EC_prime256v1 | EC_secp384r1 | SM2

Update requires: Replacement

KeyStorageSecurityStandard

Specifies a cryptographic key management compliance standard used for handling CA keys.

Default: FIPS_140_2_LEVEL_3_OR_HIGHER

Note

Some AWS Regions do not support the default. When creating a CA in these Regions, you must provide FIPS_140_2_LEVEL_2_OR_HIGHER as the argument for KeyStorageSecurityStandard. Failure to do this results in an InvalidArgsException with the message, "A certificate authority cannot be created in this region with the specified security standard."

For information about security standard support in various Regions, see Storage and security compliance of AWS Private CA private keys.

Required: No

Type: String

Allowed values: FIPS_140_2_LEVEL_2_OR_HIGHER | FIPS_140_2_LEVEL_3_OR_HIGHER | CCPC_LEVEL_1_OR_HIGHER

Update requires: Replacement

RevocationConfiguration

Information about the Online Certificate Status Protocol (OCSP) configuration or certificate revocation list (CRL) created and maintained by your private CA.

Required: No

Type: RevocationConfiguration

Update requires: No interruption

SigningAlgorithm

Name of the algorithm your private CA uses to sign certificate requests.

This parameter should not be confused with the SigningAlgorithm parameter used to sign certificates when they are issued.

Required: Yes

Type: String

Allowed values: SHA256WITHECDSA | SHA384WITHECDSA | SHA512WITHECDSA | SHA256WITHRSA | SHA384WITHRSA | SHA512WITHRSA | SM3WITHSM2

Update requires: Replacement

Subject

Structure that contains X.500 distinguished name information for your private CA.

Required: Yes

Type: Subject

Update requires: Replacement

Tags

Key-value pairs that will be attached to the new private CA. You can associate up to 50 tags with a private CA. For information using tags with IAM to manage permissions, see Controlling Access Using IAM Tags.

Required: No

Type: Array of Tag

Update requires: No interruption

Type

Type of your private CA.

Required: Yes

Type: String

Allowed values: ROOT | SUBORDINATE

Update requires: Replacement

UsageMode

Specifies whether the CA issues general-purpose certificates that typically require a revocation mechanism, or short-lived certificates that may optionally omit revocation because they expire quickly. Short-lived certificate validity is limited to seven days.

The default value is GENERAL_PURPOSE.

Required: No

Type: String

Allowed values: GENERAL_PURPOSE | SHORT_LIVED_CERTIFICATE

Update requires: Replacement

Return values

Ref

The Amazon Resource Name (ARN) of the certificate authority.

Fn::GetAtt

The Fn::GetAtt intrinsic function returns a value for a specified attribute of this type. The following are the available attributes and sample return values.

For more information about using the Fn::GetAtt intrinsic function, see Fn::GetAtt.

Arn

The Amazon Resource Name (ARN) for the private CA that issued the certificate.

CertificateSigningRequest

The Base64 PEM-encoded certificate signing request (CSR) for your certificate authority certificate.

Examples

The following example of a CloudFormation template sets up a CA hierarchy and permission. The example illustrates the use of AWS::ACMPCA::Certificate, AWS::ACMPCA::CertificateAuthority, and AWS::ACMPCA::CertificateAuthorityActivation, and AWS::ACMPCA::Permission resources.

Declaring a private CA Hierarchy

JSON

{
   "AWSTemplateFormatVersion":"2010-09-09",
   "Description":"Cloudformation template to setup CA.",
   "Resources":{
      "RootCA":{
         "Type":"AWS::ACMPCA::CertificateAuthority",
         "Properties":{
            "Type":"ROOT",
            "KeyAlgorithm":"RSA_2048",
            "SigningAlgorithm":"SHA256WITHRSA",
            "Subject":{
               "Country":"US",
               "Organization":"string",
               "OrganizationalUnit":"string",
               "DistinguishedNameQualifier":"string",
               "State":"string",
               "CommonName":"123",
               "SerialNumber":"string",
               "Locality":"string",
               "Title":"string",
               "Surname":"string",
               "GivenName":"string",
               "Initials":"DG",
               "Pseudonym":"string",
               "GenerationQualifier":"DBG"
            },
            "RevocationConfiguration":{
               "CrlConfiguration":{
                  "Enabled":false
               }
            }
         }
      },
      "RootCACertificate":{
         "Type":"AWS::ACMPCA::Certificate",
         "Properties":{
            "CertificateAuthorityArn":{
               "Ref":"RootCA"
            },
            "CertificateSigningRequest":{
               "Fn::GetAtt":[
                  "RootCA",
                  "CertificateSigningRequest"
               ]
            },
            "SigningAlgorithm":"SHA256WITHRSA",
            "TemplateArn":"arn:aws:acm-pca:::template/RootCACertificate/V1",
            "Validity":{
               "Type":"DAYS",
               "Value":100
            }
         }
      },
      "RootCAActivation":{
         "Type":"AWS::ACMPCA::CertificateAuthorityActivation",
         "Properties":{
            "CertificateAuthorityArn":{
               "Ref":"RootCA"
            },
            "Certificate":{
               "Fn::GetAtt":[
                  "RootCACertificate",
                  "Certificate"
               ]
            },
            "Status":"ACTIVE"
         }
      },
      "RootCAPermission":{
         "Type":"AWS::ACMPCA::Permission",
         "Properties":{
            "Actions":[
                "IssueCertificate",
                "GetCertificate",
                "ListPermissions"
            ],
            "CertificateAuthorityArn":{
               "Ref":"RootCA"
            },
            "Principal":"acm.amazonaws.com"
         }
      },
      "SubordinateCAOne":{
         "Type":"AWS::ACMPCA::CertificateAuthority",
         "Properties":{
            "Type":"SUBORDINATE",
            "KeyAlgorithm":"RSA_2048",
            "SigningAlgorithm":"SHA256WITHRSA",
            "Subject":{
               "Country":"US",
               "Organization":"string",
               "OrganizationalUnit":"string",
               "DistinguishedNameQualifier":"string",
               "State":"string",
               "CommonName":"Sub1",
               "SerialNumber":"string",
               "Locality":"string",
               "Title":"string",
               "Surname":"string",
               "GivenName":"string",
               "Initials":"DG",
               "Pseudonym":"string",
               "GenerationQualifier":"DBG"
            },
            "RevocationConfiguration":{
               
            },
            "Tags":[
               
            ]
         }
      },
      "SubordinateCAOneCACertificate":{
         "DependsOn":"RootCAActivation",
         "Type":"AWS::ACMPCA::Certificate",
         "Properties":{
            "CertificateAuthorityArn":{
               "Ref":"RootCA"
            },
            "CertificateSigningRequest":{
               "Fn::GetAtt":[
                  "SubordinateCAOne",
                  "CertificateSigningRequest"
               ]
            },
            "SigningAlgorithm":"SHA256WITHRSA",
            "TemplateArn":"arn:aws:acm-pca:::template/SubordinateCACertificate_PathLen3/V1",
            "Validity":{
               "Type":"DAYS",
               "Value":90
            }
         }
      },
      "SubordinateCAOneActivation":{
         "Type":"AWS::ACMPCA::CertificateAuthorityActivation",
         "Properties":{
            "CertificateAuthorityArn":{
               "Ref":"SubordinateCAOne"
            },
            "Certificate":{
               "Fn::GetAtt":[
                  "SubordinateCAOneCACertificate",
                  "Certificate"
               ]
            },
            "CertificateChain":{
               "Fn::GetAtt":[
                  "RootCAActivation",
                  "CompleteCertificateChain"
               ]
            },
            "Status":"ACTIVE"
         }
      },
      "SubordinateCAOnePermission":{
         "Type":"AWS::ACMPCA::Permission",
         "Properties":{
            "Actions":[
                "IssueCertificate",
                "GetCertificate",
                "ListPermissions"
            ],
            "CertificateAuthorityArn":{
               "Ref":"SubordinateCAOne"
            },
            "Principal":"acm.amazonaws.com"
         }
      },
      "SubordinateCATwo":{
         "Type":"AWS::ACMPCA::CertificateAuthority",
         "Properties":{
            "Type":"SUBORDINATE",
            "KeyAlgorithm":"RSA_2048",
            "SigningAlgorithm":"SHA256WITHRSA",
            "Subject":{
               "Country":"US",
               "Organization":"string",
               "OrganizationalUnit":"string",
               "DistinguishedNameQualifier":"string",
               "State":"string",
               "SerialNumber":"string",
               "Locality":"string",
               "Title":"string",
               "Surname":"string",
               "GivenName":"string",
               "Initials":"DG",
               "Pseudonym":"string",
               "GenerationQualifier":"DBG"
            },
            "Tags":[
               {
                  "Key":"Key1",
                  "Value":"Value1"
               },
               {
                  "Key":"Key2",
                  "Value":"Value2"
               }
            ]
         }
      },
      "SubordinateCATwoCACertificate":{
         "DependsOn":"SubordinateCAOneActivation",
         "Type":"AWS::ACMPCA::Certificate",
         "Properties":{
            "CertificateAuthorityArn":{
               "Ref":"SubordinateCAOne"
            },
            "CertificateSigningRequest":{
               "Fn::GetAtt":[
                  "SubordinateCATwo",
                  "CertificateSigningRequest"
               ]
            },
            "SigningAlgorithm":"SHA256WITHRSA",
            "TemplateArn":"arn:aws:acm-pca:::template/SubordinateCACertificate_PathLen2/V1",
            "Validity":{
               "Type":"DAYS",
               "Value":80
            }
         }
      },
      "SubordinateCATwoActivation":{
         "Type":"AWS::ACMPCA::CertificateAuthorityActivation",
         "Properties":{
            "CertificateAuthorityArn":{
               "Ref":"SubordinateCATwo"
            },
            "Certificate":{
               "Fn::GetAtt":[
                  "SubordinateCATwoCACertificate",
                  "Certificate"
               ]
            },
            "CertificateChain":{
               "Fn::GetAtt":[
                  "SubordinateCAOneActivation",
                  "CompleteCertificateChain"
               ]
            }
         }
      },
      "SubordinateCATwoPermission":{
         "Type":"AWS::ACMPCA::Permission",
         "Properties":{
            "Actions":[
                "IssueCertificate",
                "GetCertificate",
                "ListPermissions"
            ],
            "CertificateAuthorityArn":{
               "Ref":"SubordinateCATwo"
            },
            "Principal":"acm.amazonaws.com"
         }
      },
      "EndEntityCertificate":{
         "DependsOn":"SubordinateCATwoActivation",
         "Type":"AWS::ACMPCA::Certificate",
         "Properties":{
            "CertificateAuthorityArn":{
               "Ref":"SubordinateCATwo"
            },
            "CertificateSigningRequest":{
               "Fn::Join":[
                  "\n",
                  [
                     "-----BEGIN CERTIFICATE REQUEST-----",
                     "MIICvDCCAaQCAQAwdzELMAkGA1UEBhMCVVMxDTALBgNVBAgMBFV0YWgxDzANBgNV",
                     "BAcMBkxpbmRvbjEWMBQGA1UECgwNRGlnaUNlcnQgSW5jLjERMA8GA1UECwwIRGln",
                     "aUNlcnQxHTAbBgNVBAMMFGV4YW1wbGUuZGlnaWNlcnQuY29tMIIBIjANBgkqhkiG",
                     "9w0BAQEFAAOCAQ8AMIIBCgKCAQEA8+To7d+2kPWeBv/orU3LVbJwDrSQbeKamCmo",
                     "wp5bqDxIwV20zqRb7APUOKYoVEFFOEQs6T6gImnIolhbiH6m4zgZ/CPvWBOkZc+c",
                     "1Po2EmvBz+AD5sBdT5kzGQA6NbWyZGldxRthNLOs1efOhdnWFuhI162qmcflgpiI",
                     "WDuwq4C9f+YkeJhNn9dF5+owm8cOQmDrV8NNdiTqin8q3qYAHHJRW28glJUCZkTZ",
                     "wIaSR6crBQ8TbYNE0dc+Caa3DOIkz1EOsHWzTx+n0zKfqcbgXi4DJx+C1bjptYPR",
                     "BPZL8DAeWuA8ebudVT44yEp82G96/Ggcf7F33xMxe0yc+Xa6owIDAQABoAAwDQYJ",
                     "KoZIhvcNAQEFBQADggEBAB0kcrFccSmFDmxox0Ne01UIqSsDqHgL+XmHTXJwre6D",
                     "hJSZwbvEtOK0G3+dr4Fs11WuUNt5qcLsx5a8uk4G6AKHMzuhLsJ7XZjgmQXGECpY",
                     "Q4mC3yT3ZoCGpIXbw+iP3lmEEXgaQL0Tx5LFl/okKbKYwIqNiyKWOMj7ZR/wxWg/",
                     "ZDGRs55xuoeLDJ/ZRFf9bI+IaCUd1YrfYcHIl3G87Av+r49YVwqRDT0VDV7uLgqn",
                     "29XI1PpVUNCPQGn9p/eX6Qo7vpDaPybRtA2R7XLKjQaF9oXWeCUqy1hvJac9QFO2",
                     "97Ob1alpHPoZ7mWiEuJwjBPii6a9M9G30nUo39lBi1w=",
                     "-----END CERTIFICATE REQUEST-----"
                  ]
               ]
            },
            "SigningAlgorithm":"SHA256WITHRSA",
            "Validity":{
               "Type":"DAYS",
               "Value":70
            }
         }
      }
   },
   "Outputs":{
      "CompleteCertificateChain":{
         "Value":{
            "Fn::GetAtt":[
               "SubordinateCATwoActivation",
               "CompleteCertificateChain"
            ]
         }
      },
      "CertificateArn":{
         "Value":{
            "Fn::GetAtt":[
               "EndEntityCertificate",
               "Arn"
            ]
         }
      }
   }
}

YAML

---
AWSTemplateFormatVersion: '2010-09-09'
Description: Cloudformation template to setup CA.
Resources:
  RootCA:
    Type: AWS::ACMPCA::CertificateAuthority
    Properties:
      Type: ROOT
      KeyAlgorithm: RSA_2048
      SigningAlgorithm: SHA256WITHRSA
      Subject:
        Country: US
        Organization: string
        OrganizationalUnit: string
        DistinguishedNameQualifier: string
        State: string
        CommonName: '123'
        SerialNumber: string
        Locality: string
        Title: string
        Surname: string
        GivenName: string
        Initials: DG
        Pseudonym: string
        GenerationQualifier: DBG
      RevocationConfiguration:
        CrlConfiguration:
          Enabled: false
  RootCACertificate:
    Type: AWS::ACMPCA::Certificate
    Properties:
      CertificateAuthorityArn:
        Ref: RootCA
      CertificateSigningRequest:
        Fn::GetAtt:
        - RootCA
        - CertificateSigningRequest
      SigningAlgorithm: SHA256WITHRSA
      TemplateArn: arn:aws:acm-pca:::template/RootCACertificate/V1
      Validity:
        Type: DAYS
        Value: 100
  RootCAActivation:
    Type: AWS::ACMPCA::CertificateAuthorityActivation
    Properties:
      CertificateAuthorityArn:
        Ref: RootCA
      Certificate:
        Fn::GetAtt:
        - RootCACertificate
        - Certificate
      Status: ACTIVE
  RootCAPermission:
    Type: AWS::ACMPCA::Permission
    Properties:
      Actions:
        - IssueCertificate
        - GetCertificate
        - ListPermissions
      CertificateAuthorityArn: !Ref RootCA
      Principal: acm.amazonaws.com
  SubordinateCAOne:
    Type: AWS::ACMPCA::CertificateAuthority
    Properties:
      Type: SUBORDINATE
      KeyAlgorithm: RSA_2048
      SigningAlgorithm: SHA256WITHRSA
      Subject:
        Country: US
        Organization: string
        OrganizationalUnit: string
        DistinguishedNameQualifier: string
        State: string
        CommonName: Sub1
        SerialNumber: string
        Locality: string
        Title: string
        Surname: string
        GivenName: string
        Initials: DG
        Pseudonym: string
        GenerationQualifier: DBG
      RevocationConfiguration: {}
      Tags: []
  SubordinateCAOneCACertificate:
    DependsOn: RootCAActivation
    Type: AWS::ACMPCA::Certificate
    Properties:
      CertificateAuthorityArn:
        Ref: RootCA
      CertificateSigningRequest:
        Fn::GetAtt:
        - SubordinateCAOne
        - CertificateSigningRequest
      SigningAlgorithm: SHA256WITHRSA
      TemplateArn: arn:aws:acm-pca:::template/SubordinateCACertificate_PathLen3/V1
      Validity:
        Type: DAYS
        Value: 90
  SubordinateCAOneActivation:
    Type: AWS::ACMPCA::CertificateAuthorityActivation
    Properties:
      CertificateAuthorityArn:
        Ref: SubordinateCAOne
      Certificate:
        Fn::GetAtt:
        - SubordinateCAOneCACertificate
        - Certificate
      CertificateChain:
        Fn::GetAtt:
        - RootCAActivation
        - CompleteCertificateChain
      Status: ACTIVE
  SubordinateCAOnePermission:
    Type: AWS::ACMPCA::Permission
    Properties:
      Actions:
        - IssueCertificate
        - GetCertificate
        - ListPermissions
      CertificateAuthorityArn: !Ref SubordinateCAOne
      Principal: acm.amazonaws.com
  SubordinateCATwo:
    Type: AWS::ACMPCA::CertificateAuthority
    Properties:
      Type: SUBORDINATE
      KeyAlgorithm: RSA_2048
      SigningAlgorithm: SHA256WITHRSA
      Subject:
        Country: US
        Organization: string
        OrganizationalUnit: string
        DistinguishedNameQualifier: string
        State: string
        SerialNumber: string
        Locality: string
        Title: string
        Surname: string
        GivenName: string
        Initials: DG
        Pseudonym: string
        GenerationQualifier: DBG
      Tags:
      - Key: Key1
        Value: Value1
      - Key: Key2
        Value: Value2
  SubordinateCATwoCACertificate:
    DependsOn: SubordinateCAOneActivation
    Type: AWS::ACMPCA::Certificate
    Properties:
      CertificateAuthorityArn:
        Ref: SubordinateCAOne
      CertificateSigningRequest:
        Fn::GetAtt:
        - SubordinateCATwo
        - CertificateSigningRequest
      SigningAlgorithm: SHA256WITHRSA
      TemplateArn: arn:aws:acm-pca:::template/SubordinateCACertificate_PathLen2/V1
      Validity:
        Type: DAYS
        Value: 80
  SubordinateCATwoActivation:
    Type: AWS::ACMPCA::CertificateAuthorityActivation
    Properties:
      CertificateAuthorityArn:
        Ref: SubordinateCATwo
      Certificate:
        Fn::GetAtt:
        - SubordinateCATwoCACertificate
        - Certificate
      CertificateChain:
        Fn::GetAtt:
        - SubordinateCAOneActivation
        - CompleteCertificateChain
  SubordinateCATwoPermission:
    Type: AWS::ACMPCA::Permission
    Properties:
      Actions:
        - IssueCertificate
        - GetCertificate
        - ListPermissions
      CertificateAuthorityArn: !Ref SubordinateCATwo
      Principal: acm.amazonaws.com
  EndEntityCertificate:
    DependsOn: SubordinateCATwoActivation
    Type: AWS::ACMPCA::Certificate
    Properties:
      CertificateAuthorityArn:
        Ref: SubordinateCATwo
      CertificateSigningRequest:
        Fn::Join:
        - "\n"
        - - "-----BEGIN CERTIFICATE REQUEST-----"
          - MIICvDCCAaQCAQAwdzELMAkGA1UEBhMCVVMxDTALBgNVBAgMBFV0YWgxDzANBgNV
          - BAcMBkxpbmRvbjEWMBQGA1UECgwNRGlnaUNlcnQgSW5jLjERMA8GA1UECwwIRGln
          - aUNlcnQxHTAbBgNVBAMMFGV4YW1wbGUuZGlnaWNlcnQuY29tMIIBIjANBgkqhkiG
          - 9w0BAQEFAAOCAQ8AMIIBCgKCAQEA8+To7d+2kPWeBv/orU3LVbJwDrSQbeKamCmo
          - wp5bqDxIwV20zqRb7APUOKYoVEFFOEQs6T6gImnIolhbiH6m4zgZ/CPvWBOkZc+c
          - 1Po2EmvBz+AD5sBdT5kzGQA6NbWyZGldxRthNLOs1efOhdnWFuhI162qmcflgpiI
          - WDuwq4C9f+YkeJhNn9dF5+owm8cOQmDrV8NNdiTqin8q3qYAHHJRW28glJUCZkTZ
          - wIaSR6crBQ8TbYNE0dc+Caa3DOIkz1EOsHWzTx+n0zKfqcbgXi4DJx+C1bjptYPR
          - BPZL8DAeWuA8ebudVT44yEp82G96/Ggcf7F33xMxe0yc+Xa6owIDAQABoAAwDQYJ
          - KoZIhvcNAQEFBQADggEBAB0kcrFccSmFDmxox0Ne01UIqSsDqHgL+XmHTXJwre6D
          - hJSZwbvEtOK0G3+dr4Fs11WuUNt5qcLsx5a8uk4G6AKHMzuhLsJ7XZjgmQXGECpY
          - Q4mC3yT3ZoCGpIXbw+iP3lmEEXgaQL0Tx5LFl/okKbKYwIqNiyKWOMj7ZR/wxWg/
          - ZDGRs55xuoeLDJ/ZRFf9bI+IaCUd1YrfYcHIl3G87Av+r49YVwqRDT0VDV7uLgqn
          - 29XI1PpVUNCPQGn9p/eX6Qo7vpDaPybRtA2R7XLKjQaF9oXWeCUqy1hvJac9QFO2
          - 97Ob1alpHPoZ7mWiEuJwjBPii6a9M9G30nUo39lBi1w=
          - "-----END CERTIFICATE REQUEST-----"
      SigningAlgorithm: SHA256WITHRSA
      Validity:
        Type: DAYS
        Value: 70
Outputs:
  CompleteCertificateChain:
    Value:
      Fn::GetAtt:
      - SubordinateCATwoActivation
      - CompleteCertificateChain
  CertificateArn:
    Value:
      Fn::GetAtt:
      - EndEntityCertificate
      - Arn