AWS::IoT::Certificate
Use the AWS::IoT::Certificate resource to declare an AWS IoT X.509 certificate. For information about working with X.509 certificates, see X.509 Client Certificates in the AWS IoT Developer Guide.
Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:
JSON
{
  "Type" : "AWS::IoT::Certificate",
  "Properties" : {
    "CACertificatePem" : String,
    "CertificateMode" : String,
    "CertificatePem" : String,
    "CertificateSigningRequest" : String,
    "Status" : String
  }
}
YAML
Type: AWS::IoT::Certificate
Properties:
  CACertificatePem: String
  CertificateMode: String
  CertificatePem: String
  CertificateSigningRequest: String
  Status: String
Properties
CACertificatePem
The CA certificate used to sign the device certificate being registered. Not available when CertificateMode is SNI_ONLY.
Required: No
Type: String
Minimum: 1
Maximum: 65536
Update requires: Replacement
CertificateMode
Specifies which mode of certificate registration to use with this resource. Valid options are DEFAULT with CACertificatePem and CertificatePem, SNI_ONLY with CertificatePem, and DEFAULT with CertificateSigningRequest.
DEFAULT: A certificate in DEFAULT mode is either generated by AWS IoT Core or registered with an issuer certificate authority (CA). Devices with certificates in DEFAULT mode aren't required to send the Server Name Indication (SNI) extension when connecting to AWS IoT Core. However, to use features such as custom domains and VPC endpoints, we recommend that you use the SNI extension when connecting to AWS IoT Core.
SNI_ONLY: A certificate in SNI_ONLY mode is registered without an issuer CA. Devices with certificates in SNI_ONLY mode must send the SNI extension when connecting to AWS IoT Core.
Required: No
Type: String
Allowed values: DEFAULT | SNI_ONLY
Update requires: Replacement
CertificatePem
The certificate data in PEM format. Requires SNI_ONLY for the certificate mode, or the accompanying CACertificatePem for registration.
Required: No
Type: String
Minimum: 1
Maximum: 65536
Update requires: Replacement
CertificateSigningRequest
The certificate signing request (CSR).
Required: No
Type: String
Pattern: [\s\S]*
Minimum: 1
Maximum: 4096
Update requires: Replacement
Status
The status of the certificate.
Valid values are ACTIVE, INACTIVE, REVOKED, PENDING_TRANSFER, and PENDING_ACTIVATION.
The status value REGISTER_INACTIVE is deprecated and should not be used.
Required: Yes
Type: String
Allowed values: ACTIVE | INACTIVE | REVOKED | PENDING_TRANSFER | PENDING_ACTIVATION
Update requires: No interruption
Return values
Ref
When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the certificate ID. For example:
{ "Ref": "MyCertificate" }
A value similar to the following is returned:
a1234567b89c012d3e4fg567hij8k9l01mno1p23q45678901rs234567890t1u2
For more information about using the Ref function, see Ref.
Fn::GetAtt
The Fn::GetAtt intrinsic function returns a value for a specified attribute of this type. The following are the available attributes and sample return values.
For more information about using the Fn::GetAtt intrinsic function, see Fn::GetAtt.
Arn
Returns the Amazon Resource Name (ARN) for the certificate. For example:
{ "Fn::GetAtt": ["MyCertificate", "Arn"] }
A value similar to the following is returned:
arn:aws:iot:ap-southeast-2:123456789012:cert/a1234567b89c012d3e4fg567hij8k9l01mno1p23q45678901rs234567890t1u2
Id
The certificate ID.
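Example
The following is an added example, not part of the AWS documentation or of any AWS tool: a small Python check that validates the Properties block of every AWS::IoT::Certificate resource in a template against the constraints listed above (the allowed Status and CertificateMode values, the three valid property combinations for each mode, and the maximum lengths). The template layout, the function names and the treatment of an unset CertificateMode as DEFAULT are assumptions of this example.

```python
# Added example (not AWS's own code): a pre-deployment check that encodes the
# AWS::IoT::Certificate constraints this page states. Template shape, function
# names and the "unset CertificateMode means DEFAULT" rule are assumptions.

ALLOWED_MODES = {"DEFAULT", "SNI_ONLY"}
ALLOWED_STATUS = {"ACTIVE", "INACTIVE", "REVOKED",
                  "PENDING_TRANSFER", "PENDING_ACTIVATION"}
# Maximum lengths from the property table above.
MAX_LEN = {"CACertificatePem": 65536, "CertificatePem": 65536,
           "CertificateSigningRequest": 4096}


def check_iot_certificate(props: dict) -> list[str]:
    """Return the problems found in one AWS::IoT::Certificate Properties block."""
    problems = []
    status = props.get("Status")
    if status is None:
        problems.append("Status is required")
    elif status not in ALLOWED_STATUS:
        problems.append(f"Status {status!r} is not an allowed value")
    mode = props.get("CertificateMode", "DEFAULT")  # assumption: unset acts as DEFAULT
    if mode not in ALLOWED_MODES:
        problems.append(f"CertificateMode {mode!r} is not an allowed value")
    # Certificate-material properties that are set; intrinsic functions such as
    # {"Ref": ...} count as set but cannot be length-checked here.
    present = {key for key in MAX_LEN if props.get(key)}
    for key in present:
        if isinstance(props[key], str) and len(props[key]) > MAX_LEN[key]:
            problems.append(f"{key} exceeds {MAX_LEN[key]} characters")
    # The three registration forms the page lists.
    if mode == "SNI_ONLY" and present != {"CertificatePem"}:
        problems.append("SNI_ONLY needs CertificatePem and no CA certificate or CSR")
    if mode == "DEFAULT" and present not in ({"CACertificatePem", "CertificatePem"},
                                             {"CertificateSigningRequest"}):
        problems.append("DEFAULT needs CACertificatePem with CertificatePem, "
                        "or CertificateSigningRequest alone")
    return problems


def check_template(template: dict) -> dict[str, list[str]]:
    """Run the check on every AWS::IoT::Certificate resource in a template."""
    return {name: check_iot_certificate(res.get("Properties", {}))
            for name, res in template.get("Resources", {}).items()
            if res.get("Type") == "AWS::IoT::Certificate"}


# Constructed sample templates (no real certificate material).
SAMPLE_OK = {"Resources": {"DeviceCert": {"Type": "AWS::IoT::Certificate", "Properties": {
    "CertificateMode": "SNI_ONLY", "CertificatePem": {"Ref": "DevicePem"},
    "Status": "INACTIVE"}}}}
SAMPLE_BAD = {"Resources": {"DeviceCert": {"Type": "AWS::IoT::Certificate", "Properties": {
    "CertificateMode": "SNI_ONLY", "CertificatePem": "-----BEGIN CERTIFICATE-----",
    "CACertificatePem": "-----BEGIN CERTIFICATE-----", "Status": "REGISTER_INACTIVE"}}}}
```

Running check_template over a parsed template before deployment surfaces the deprecated REGISTER_INACTIVE status and a CA certificate supplied alongside an SNI_ONLY registration, both of which the service would otherwise reject only at stack creation time.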