Package software.amazon.awscdk.services.acmpca

Class CfnCertificateAuthority

java.lang.Object
software.amazon.jsii.JsiiObject
software.constructs.Construct
software.amazon.awscdk.core.Construct
software.amazon.awscdk.core.CfnElement
software.amazon.awscdk.core.CfnRefElement
software.amazon.awscdk.core.CfnResource
software.amazon.awscdk.services.acmpca.CfnCertificateAuthority
All Implemented Interfaces:
IConstruct, IDependable, IInspectable, software.amazon.jsii.JsiiSerializable, software.constructs.IConstruct
@Generated(value="jsii-pacmak/1.84.0 (build 5404dcf)", date="2023-06-19T16:29:55.261Z") @Stability(Stable) public class CfnCertificateAuthority extends CfnResource implements IInspectable
A CloudFormation AWS::ACMPCA::CertificateAuthority.

Use the AWS::ACMPCA::CertificateAuthority resource to create a private CA. Once the CA exists, you can use the AWS::ACMPCA::Certificate resource to issue a new CA certificate. Alternatively, you can issue a CA certificate using an on-premises CA, and then use the AWS::ACMPCA::CertificateAuthorityActivation resource to import the new CA certificate and activate the CA.

Before removing a AWS::ACMPCA::CertificateAuthority resource from the CloudFormation stack, disable the affected CA. Otherwise, the action will fail. You can disable the CA by removing its associated AWS::ACMPCA::CertificateAuthorityActivation resource from CloudFormation.

Example: 

 CfnCertificateAuthority cfnCertificateAuthority = CfnCertificateAuthority.Builder.create(this, "CA")
         .type("ROOT")
         .keyAlgorithm("RSA_2048")
         .signingAlgorithm("SHA256WITHRSA")
         .subject(SubjectProperty.builder()
                 .country("US")
                 .organization("string")
                 .organizationalUnit("string")
                 .distinguishedNameQualifier("string")
                 .state("string")
                 .commonName("123")
                 .serialNumber("string")
                 .locality("string")
                 .title("string")
                 .surname("string")
                 .givenName("string")
                 .initials("DG")
                 .pseudonym("string")
                 .generationQualifier("DBG")
                 .build())
         .build();

  • Field Details

    • CFN_RESOURCE_TYPE_NAME

      @Stability(Stable) public static final String CFN_RESOURCE_TYPE_NAME
      The CloudFormation resource type name for this resource class.

  • Constructor Details

    • CfnCertificateAuthority

      protected CfnCertificateAuthority(software.amazon.jsii.JsiiObjectRef objRef)

    • CfnCertificateAuthority

      protected CfnCertificateAuthority(software.amazon.jsii.JsiiObject.InitializationMode initializationMode)

    • CfnCertificateAuthority

      @Stability(Stable) public CfnCertificateAuthority(@NotNull Construct scope, @NotNull String id, @NotNull CfnCertificateAuthorityProps props)
      Create a new AWS::ACMPCA::CertificateAuthority.

      Parameters:
      scope -
      • scope in which this resource is defined.
      This parameter is required.
      id -
      • scoped id of the resource.
      This parameter is required.
      props -
      • resource properties.
      This parameter is required.

  • Method Details

    • inspect

      @Stability(Stable) public void inspect(@NotNull TreeInspector inspector)
      Examines the CloudFormation resource and discloses attributes.

      Specified by:
      inspect in interface IInspectable
      Parameters:
      inspector -
      • tree inspector to collect and process attributes.
      This parameter is required.

    • renderProperties

      @Stability(Stable) @NotNull protected Map<String,Object> renderProperties(@NotNull Map<String,Object> props)
      Overrides:
      renderProperties in class CfnResource
      Parameters:
      props - This parameter is required.

    • getAttrArn

      @Stability(Stable) @NotNull public String getAttrArn()
      The Amazon Resource Name (ARN) for the private CA that issued the certificate.

    • getAttrCertificateSigningRequest

      @Stability(Stable) @NotNull public String getAttrCertificateSigningRequest()
      The Base64 PEM-encoded certificate signing request (CSR) for your certificate authority certificate.

    • getCfnProperties

      @Stability(Stable) @NotNull protected Map<String,Object> getCfnProperties()
      Overrides:
      getCfnProperties in class CfnResource

    • getTags

      @Stability(Stable) @NotNull public TagManager getTags()
      Key-value pairs that will be attached to the new private CA.

      You can associate up to 50 tags with a private CA. For information using tags with IAM to manage permissions, see Controlling Access Using IAM Tags .

    • getKeyAlgorithm

      @Stability(Stable) @NotNull public String getKeyAlgorithm()
      Type of the public key algorithm and size, in bits, of the key pair that your CA creates when it issues a certificate.

      When you create a subordinate CA, you must use a key algorithm supported by the parent CA.

    • setKeyAlgorithm

      @Stability(Stable) public void setKeyAlgorithm(@NotNull String value)
      Type of the public key algorithm and size, in bits, of the key pair that your CA creates when it issues a certificate.

      When you create a subordinate CA, you must use a key algorithm supported by the parent CA.

    • getSigningAlgorithm

      @Stability(Stable) @NotNull public String getSigningAlgorithm()
      Name of the algorithm your private CA uses to sign certificate requests.

      This parameter should not be confused with the SigningAlgorithm parameter used to sign certificates when they are issued.

    • setSigningAlgorithm

      @Stability(Stable) public void setSigningAlgorithm(@NotNull String value)
      Name of the algorithm your private CA uses to sign certificate requests.

      This parameter should not be confused with the SigningAlgorithm parameter used to sign certificates when they are issued.

    • getSubject

      @Stability(Stable) @NotNull public Object getSubject()
      Structure that contains X.500 distinguished name information for your private CA.

    • setSubject

      @Stability(Stable) public void setSubject(@NotNull IResolvable value)
      Structure that contains X.500 distinguished name information for your private CA.

    • setSubject

      @Stability(Stable) public void setSubject(@NotNull CfnCertificateAuthority.SubjectProperty value)
      Structure that contains X.500 distinguished name information for your private CA.

    • getType

      @Stability(Stable) @NotNull public String getType()
      Type of your private CA.

    • setType

      @Stability(Stable) public void setType(@NotNull String value)
      Type of your private CA.

    • getCsrExtensions

      @Stability(Stable) @Nullable public Object getCsrExtensions()
      Specifies information to be added to the extension section of the certificate signing request (CSR).

    • setCsrExtensions

      @Stability(Stable) public void setCsrExtensions(@Nullable IResolvable value)
      Specifies information to be added to the extension section of the certificate signing request (CSR).

    • setCsrExtensions

      @Stability(Stable) public void setCsrExtensions(@Nullable CfnCertificateAuthority.CsrExtensionsProperty value)
      Specifies information to be added to the extension section of the certificate signing request (CSR).

    • getKeyStorageSecurityStandard

      @Stability(Stable) @Nullable public String getKeyStorageSecurityStandard()
      Specifies a cryptographic key management compliance standard used for handling CA keys.

      Default: FIPS_140_2_LEVEL_3_OR_HIGHER

      Some AWS Regions do not support the default. When creating a CA in these Regions, you must provide FIPS_140_2_LEVEL_2_OR_HIGHER as the argument for KeyStorageSecurityStandard . Failure to do this results in an InvalidArgsException with the message, "A certificate authority cannot be created in this region with the specified security standard."

      For information about security standard support in various Regions, see Storage and security compliance of AWS Private CA private keys .

    • setKeyStorageSecurityStandard

      @Stability(Stable) public void setKeyStorageSecurityStandard(@Nullable String value)
      Specifies a cryptographic key management compliance standard used for handling CA keys.

      Default: FIPS_140_2_LEVEL_3_OR_HIGHER

      Some AWS Regions do not support the default. When creating a CA in these Regions, you must provide FIPS_140_2_LEVEL_2_OR_HIGHER as the argument for KeyStorageSecurityStandard . Failure to do this results in an InvalidArgsException with the message, "A certificate authority cannot be created in this region with the specified security standard."

      For information about security standard support in various Regions, see Storage and security compliance of AWS Private CA private keys .

    • getRevocationConfiguration

      @Stability(Stable) @Nullable public Object getRevocationConfiguration()
      Certificate revocation information used by the CreateCertificateAuthority and UpdateCertificateAuthority actions. Your private certificate authority (CA) can configure Online Certificate Status Protocol (OCSP) support and/or maintain a certificate revocation list (CRL). OCSP returns validation information about certificates as requested by clients, and a CRL contains an updated list of certificates revoked by your CA. For more information, see RevokeCertificate in the AWS Private CA API Reference and Setting up a certificate revocation method in the AWS Private CA User Guide .

      The following requirements apply to revocation configurations.

      • A configuration disabling CRLs or OCSP must contain only the Enabled=False parameter, and will fail if other parameters such as CustomCname or ExpirationInDays are included.
      • In a CRL configuration, the S3BucketName parameter must conform to the Amazon S3 bucket naming rules .
      • A configuration containing a custom Canonical Name (CNAME) parameter for CRLs or OCSP must conform to RFC2396 restrictions on the use of special characters in a CNAME.
      • In a CRL or OCSP configuration, the value of a CNAME parameter must not include a protocol prefix such as "http://" or "https://".

    • setRevocationConfiguration

      @Stability(Stable) public void setRevocationConfiguration(@Nullable IResolvable value)
      Certificate revocation information used by the CreateCertificateAuthority and UpdateCertificateAuthority actions. Your private certificate authority (CA) can configure Online Certificate Status Protocol (OCSP) support and/or maintain a certificate revocation list (CRL). OCSP returns validation information about certificates as requested by clients, and a CRL contains an updated list of certificates revoked by your CA. For more information, see RevokeCertificate in the AWS Private CA API Reference and Setting up a certificate revocation method in the AWS Private CA User Guide .

      The following requirements apply to revocation configurations.

      • A configuration disabling CRLs or OCSP must contain only the Enabled=False parameter, and will fail if other parameters such as CustomCname or ExpirationInDays are included.
      • In a CRL configuration, the S3BucketName parameter must conform to the Amazon S3 bucket naming rules .
      • A configuration containing a custom Canonical Name (CNAME) parameter for CRLs or OCSP must conform to RFC2396 restrictions on the use of special characters in a CNAME.
      • In a CRL or OCSP configuration, the value of a CNAME parameter must not include a protocol prefix such as "http://" or "https://".

    • setRevocationConfiguration

      @Stability(Stable) public void setRevocationConfiguration(@Nullable CfnCertificateAuthority.RevocationConfigurationProperty value)
      Certificate revocation information used by the CreateCertificateAuthority and UpdateCertificateAuthority actions. Your private certificate authority (CA) can configure Online Certificate Status Protocol (OCSP) support and/or maintain a certificate revocation list (CRL). OCSP returns validation information about certificates as requested by clients, and a CRL contains an updated list of certificates revoked by your CA. For more information, see RevokeCertificate in the AWS Private CA API Reference and Setting up a certificate revocation method in the AWS Private CA User Guide .

      The following requirements apply to revocation configurations.

      • A configuration disabling CRLs or OCSP must contain only the Enabled=False parameter, and will fail if other parameters such as CustomCname or ExpirationInDays are included.
      • In a CRL configuration, the S3BucketName parameter must conform to the Amazon S3 bucket naming rules .
      • A configuration containing a custom Canonical Name (CNAME) parameter for CRLs or OCSP must conform to RFC2396 restrictions on the use of special characters in a CNAME.
      • In a CRL or OCSP configuration, the value of a CNAME parameter must not include a protocol prefix such as "http://" or "https://".

    • getUsageMode

      @Stability(Stable) @Nullable public String getUsageMode()
      Specifies whether the CA issues general-purpose certificates that typically require a revocation mechanism, or short-lived certificates that may optionally omit revocation because they expire quickly.

      Short-lived certificate validity is limited to seven days.

      The default value is GENERAL_PURPOSE.

    • setUsageMode

      @Stability(Stable) public void setUsageMode(@Nullable String value)
      Specifies whether the CA issues general-purpose certificates that typically require a revocation mechanism, or short-lived certificates that may optionally omit revocation because they expire quickly.

      Short-lived certificate validity is limited to seven days.

      The default value is GENERAL_PURPOSE.