Package software.amazon.awscdk.services.certificatemanager

@Stability(Stable) @Deprecated package software.amazon.awscdk.services.certificatemanager

Deprecated.

AWS Certificate Manager Construct Library

---

AWS CDK v1 has reached End-of-Support on 2023-06-01. This package is no longer being updated, and users should migrate to AWS CDK v2.

For more information on how to migrate, see the Migrating to AWS CDK v2 guide.

AWS Certificate Manager (ACM) handles the complexity of creating, storing, and renewing public and private SSL/TLS X.509 certificates and keys that protect your AWS websites and applications. ACM certificates can secure singular domain names, multiple specific domain names, wildcard domains, or combinations of these. ACM wildcard certificates can protect an unlimited number of subdomains.

This package provides Constructs for provisioning and referencing ACM certificates which can be used with CloudFront and ELB.

After requesting a certificate, you will need to prove that you own the domain in question before the certificate will be granted. The CloudFormation deployment will wait until this verification process has been completed.

Because of this wait time, when using manual validation methods, it's better to provision your certificates either in a separate stack from your main service, or provision them manually and import them into your CDK application.

Note: There is a limit on total number of ACM certificates that can be requested on an account and region within a year. The default limit is 2000, but this limit may be (much) lower on new AWS accounts. See https://docs.aws.amazon.com/acm/latest/userguide/acm-limits.html for more information.

DNS validation

DNS validation is the preferred method to validate domain ownership, as it has a number of advantages over email validation. See also Validate with DNS in the AWS Certificate Manager User Guide.

If Amazon Route 53 is your DNS provider for the requested domain, the DNS record can be created automatically:

 HostedZone myHostedZone = HostedZone.Builder.create(this, "HostedZone")
         .zoneName("example.com")
         .build();
 Certificate.Builder.create(this, "Certificate")
         .domainName("hello.example.com")
         .validation(CertificateValidation.fromDns(myHostedZone))
         .build();
 

If Route 53 is not your DNS provider, the DNS records must be added manually and the stack will not complete creating until the records are added.

 Certificate.Builder.create(this, "Certificate")
         .domainName("hello.example.com")
         .validation(CertificateValidation.fromDns())
         .build();
 

When working with multiple domains, use the CertificateValidation.fromDnsMultiZone():

 HostedZone exampleCom = HostedZone.Builder.create(this, "ExampleCom")
         .zoneName("example.com")
         .build();
 HostedZone exampleNet = HostedZone.Builder.create(this, "ExampleNet")
         .zoneName("example.net")
         .build();
 
 Certificate cert = Certificate.Builder.create(this, "Certificate")
         .domainName("test.example.com")
         .subjectAlternativeNames(List.of("cool.example.com", "test.example.net"))
         .validation(CertificateValidation.fromDnsMultiZone(Map.of(
                 "test.example.com", exampleCom,
                 "cool.example.com", exampleCom,
                 "test.example.net", exampleNet)))
         .build();
 

Email validation

Email-validated certificates (the default) are validated by receiving an email on one of a number of predefined domains and following the instructions in the email.

See Validate with Email in the AWS Certificate Manager User Guide.

 Certificate.Builder.create(this, "Certificate")
         .domainName("hello.example.com")
         .validation(CertificateValidation.fromEmail())
         .build();
 

Cross-region Certificates

ACM certificates that are used with CloudFront -- or higher-level constructs which rely on CloudFront -- must be in the us-east-1 region. The DnsValidatedCertificate construct exists to facilitate creating these certificates cross-region. This resource can only be used with Route53-based DNS validation.

 HostedZone myHostedZone;
 
 DnsValidatedCertificate.Builder.create(this, "CrossRegionCertificate")
         .domainName("hello.example.com")
         .hostedZone(myHostedZone)
         .region("us-east-1")
         .build();
 

Requesting private certificates

AWS Certificate Manager can create private certificates issued by Private Certificate Authority (PCA). Validation of private certificates is not necessary.

 import software.amazon.awscdk.services.acmpca.*;
 
 
 PrivateCertificate.Builder.create(this, "PrivateCertificate")
         .domainName("test.example.com")
         .subjectAlternativeNames(List.of("cool.example.com", "test.example.net")) // optional
         .certificateAuthority(CertificateAuthority.fromCertificateAuthorityArn(this, "CA", "arn:aws:acm-pca:us-east-1:123456789012:certificate-authority/023077d8-2bfa-4eb0-8f22-05c96deade77"))
         .build();
 

Importing

If you want to import an existing certificate, you can do so from its ARN:

 String arn = "arn:aws:...";
 ICertificate certificate = Certificate.fromCertificateArn(this, "Certificate", arn);
 

Sharing between Stacks

To share the certificate between stacks in the same CDK application, simply pass the Certificate object between the stacks.

Metrics

The DaysToExpiry metric is available via the metricDaysToExpiry method for all certificates. This metric is emitted by AWS Certificates Manager once per day until the certificate has effectively expired.

An alarm can be created to determine whether a certificate is soon due for renewal ussing the following code:

 import software.amazon.awscdk.services.cloudwatch.*;
 
 HostedZone myHostedZone;
 
 Certificate certificate = Certificate.Builder.create(this, "Certificate")
         .domainName("hello.example.com")
         .validation(CertificateValidation.fromDns(myHostedZone))
         .build();
 certificate.metricDaysToExpiry().createAlarm(this, "Alarm", CreateAlarmOptions.builder()
         .comparisonOperator(ComparisonOperator.LESS_THAN_THRESHOLD)
         .evaluationPeriods(1)
         .threshold(45)
         .build());
 

Deprecated: AWS CDK v1 has reached End-of-Support on 2023-06-01. This package is no longer being updated, and users should migrate to AWS CDK v2. For more information on how to migrate, see https://docs.aws.amazon.com/cdk/v2/guide/migrating-v2.html

Class	Description
$Module
Certificate	A certificate managed by AWS Certificate Manager.
Certificate.Builder	A fluent builder for Certificate.
CertificateProps	Properties for your certificate.
CertificateProps.Builder	A builder for CertificateProps
CertificateProps.Jsii$Proxy	An implementation for CertificateProps
CertificateValidation	How to validate a certificate.
CertificationValidationProps	Properties for certificate validation.
CertificationValidationProps.Builder	A builder for CertificationValidationProps
CertificationValidationProps.Jsii$Proxy	An implementation for CertificationValidationProps
CfnAccount	A CloudFormation AWS::CertificateManager::Account.
CfnAccount.Builder	A fluent builder for CfnAccount.
CfnAccount.ExpiryEventsConfigurationProperty	Object containing expiration events options associated with an AWS account .
CfnAccount.ExpiryEventsConfigurationProperty.Builder	A builder for CfnAccount.ExpiryEventsConfigurationProperty
CfnAccount.ExpiryEventsConfigurationProperty.Jsii$Proxy	An implementation for CfnAccount.ExpiryEventsConfigurationProperty
CfnAccountProps	Properties for defining a CfnAccount.
CfnAccountProps.Builder	A builder for CfnAccountProps
CfnAccountProps.Jsii$Proxy	An implementation for CfnAccountProps
CfnCertificate	A CloudFormation AWS::CertificateManager::Certificate.
CfnCertificate.Builder	A fluent builder for CfnCertificate.
CfnCertificate.DomainValidationOptionProperty	DomainValidationOption is a property of the AWS::CertificateManager::Certificate resource that specifies the AWS Certificate Manager ( ACM ) certificate domain to validate.
CfnCertificate.DomainValidationOptionProperty.Builder	A builder for CfnCertificate.DomainValidationOptionProperty
CfnCertificate.DomainValidationOptionProperty.Jsii$Proxy	An implementation for CfnCertificate.DomainValidationOptionProperty
CfnCertificateProps	Properties for defining a CfnCertificate.
CfnCertificateProps.Builder	A builder for CfnCertificateProps
CfnCertificateProps.Jsii$Proxy	An implementation for CfnCertificateProps
DnsValidatedCertificate	A certificate managed by AWS Certificate Manager.
DnsValidatedCertificate.Builder	A fluent builder for DnsValidatedCertificate.
DnsValidatedCertificateProps	Properties to create a DNS validated certificate managed by AWS Certificate Manager.
DnsValidatedCertificateProps.Builder	A builder for DnsValidatedCertificateProps
DnsValidatedCertificateProps.Jsii$Proxy	An implementation for DnsValidatedCertificateProps
ICertificate	Represents a certificate in AWS Certificate Manager.
ICertificate.Jsii$Default	Internal default implementation for ICertificate.
ICertificate.Jsii$Proxy	A proxy class which represents a concrete javascript instance of this type.
PrivateCertificate	A private certificate managed by AWS Certificate Manager.
PrivateCertificate.Builder	A fluent builder for PrivateCertificate.
PrivateCertificateProps	Properties for your private certificate.
PrivateCertificateProps.Builder	A builder for PrivateCertificateProps
PrivateCertificateProps.Jsii$Proxy	An implementation for PrivateCertificateProps
ValidationMethod	Method used to assert ownership of the domain.