AWS::IoT::Certificate - AWS CloudFormation

AWS::IoT::Certificate

Use the AWS::IoT::Certificate resource to declare an AWS IoT X.509 certificate. For information about working with X.509 certificates, see X.509 Client Certificates in the AWS IoT Developer Guide.

Syntax

To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON

{ "Type" : "AWS::IoT::Certificate", "Properties" : { "CACertificatePem" : String, "CertificateMode" : String, "CertificatePem" : String, "CertificateSigningRequest" : String, "Status" : String } }

YAML

Type: AWS::IoT::Certificate Properties: CACertificatePem: String CertificateMode: String CertificatePem: String CertificateSigningRequest: String Status: String

Properties

CACertificatePem

The CA certificate used to sign the device certificate being registered, not available when CertificateMode is SNI_ONLY.

Required: No

Type: String

Minimum: 1

Maximum: 65536

Update requires: Replacement

CertificateMode

Specifies which mode of certificate registration to use with this resource. Valid options are DEFAULT with CaCertificatePem and CertificatePem, SNI_ONLY with CertificatePem, and Default with CertificateSigningRequest.

DEFAULT: A certificate in DEFAULT mode is either generated by AWS IoT Core or registered with an issuer certificate authority (CA). Devices with certificates in DEFAULT mode aren't required to send the Server Name Indication (SNI) extension when connecting to AWS IoT Core. However, to use features such as custom domains and VPC endpoints, we recommend that you use the SNI extension when connecting to AWS IoT Core.

SNI_ONLY: A certificate in SNI_ONLY mode is registered without an issuer CA. Devices with certificates in SNI_ONLY mode must send the SNI extension when connecting to AWS IoT Core.

Required: No

Type: String

Allowed values: DEFAULT | SNI_ONLY

Update requires: Replacement

CertificatePem

The certificate data in PEM format. Requires SNI_ONLY for the certificate mode or the accompanying CACertificatePem for registration.

Required: No

Type: String

Minimum: 1

Maximum: 65536

Update requires: Replacement

CertificateSigningRequest

The certificate signing request (CSR).

Required: No

Type: String

Pattern: [\s\S]*

Minimum: 1

Maximum: 4096

Update requires: Replacement

Status

The status of the certificate.

Valid values are ACTIVE, INACTIVE, REVOKED, PENDING_TRANSFER, and PENDING_ACTIVATION.

The status value REGISTER_INACTIVE is deprecated and should not be used.

Required: Yes

Type: String

Allowed values: ACTIVE | INACTIVE | REVOKED | PENDING_TRANSFER | PENDING_ACTIVATION

Update requires: No interruption

Return values

Ref

When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the certificate ID. For example:

{ "Ref": "MyCertificate" }

A value similar to the following is returned:

a1234567b89c012d3e4fg567hij8k9l01mno1p23q45678901rs234567890t1u2

For more information about using the Ref function, see Ref.

Fn::GetAtt

The Fn::GetAtt intrinsic function returns a value for a specified attribute of this type. The following are the available attributes and sample return values.

For more information about using the Fn::GetAtt intrinsic function, see Fn::GetAtt.

Arn

Returns the Amazon Resource Name (ARN) for the certificate. For example:

{ "Fn::GetAtt": ["MyCertificate", "Arn"] }

A value similar to the following is returned:

arn:aws:iot:ap-southeast-2:123456789012:cert/a1234567b89c012d3e4fg567hij8k9l01mno1p23q45678901rs234567890t1u2

Id

The certificate ID.