Docs Home
We recommend new projects start with resources from the AWS provider.
aws-native.acmpca.CertificateAuthority
Explore with Pulumi AI
We recommend new projects start with resources from the AWS provider.
Private certificate authority.
Example Usage
Example
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AwsNative = Pulumi.AwsNative;
return await Deployment.RunAsync(() =>
{
var rootCA = new AwsNative.Acmpca.CertificateAuthority("rootCA", new()
{
Type = "ROOT",
KeyAlgorithm = "RSA_2048",
SigningAlgorithm = "SHA256WITHRSA",
Subject = new AwsNative.Acmpca.Inputs.CertificateAuthoritySubjectArgs
{
Country = "US",
Organization = "string",
OrganizationalUnit = "string",
DistinguishedNameQualifier = "string",
State = "string",
CommonName = "123",
SerialNumber = "string",
Locality = "string",
Title = "string",
Surname = "string",
GivenName = "string",
Initials = "DG",
Pseudonym = "string",
GenerationQualifier = "DBG",
},
RevocationConfiguration = new AwsNative.Acmpca.Inputs.CertificateAuthorityRevocationConfigurationArgs
{
CrlConfiguration = new AwsNative.Acmpca.Inputs.CertificateAuthorityCrlConfigurationArgs
{
Enabled = false,
},
},
});
var rootCACertificate = new AwsNative.Acmpca.Certificate("rootCACertificate", new()
{
CertificateAuthorityArn = rootCA.Id,
CertificateSigningRequest = rootCA.CertificateSigningRequest,
SigningAlgorithm = "SHA256WITHRSA",
TemplateArn = "arn:aws:acm-pca:::template/RootCACertificate/V1",
Validity = new AwsNative.Acmpca.Inputs.CertificateValidityArgs
{
Type = "DAYS",
Value = 100,
},
});
var rootCAActivation = new AwsNative.Acmpca.CertificateAuthorityActivation("rootCAActivation", new()
{
CertificateAuthorityArn = rootCA.Id,
Certificate = rootCACertificate.Certificate,
Status = "ACTIVE",
});
var rootCAPermission = new AwsNative.Acmpca.Permission("rootCAPermission", new()
{
Actions = new[]
{
"IssueCertificate",
"GetCertificate",
"ListPermissions",
},
CertificateAuthorityArn = rootCA.Id,
Principal = "acm.amazonaws.com",
});
var subordinateCAOne = new AwsNative.Acmpca.CertificateAuthority("subordinateCAOne", new()
{
Type = "SUBORDINATE",
KeyAlgorithm = "RSA_2048",
SigningAlgorithm = "SHA256WITHRSA",
Subject = new AwsNative.Acmpca.Inputs.CertificateAuthoritySubjectArgs
{
Country = "US",
Organization = "string",
OrganizationalUnit = "string",
DistinguishedNameQualifier = "string",
State = "string",
CommonName = "Sub1",
SerialNumber = "string",
Locality = "string",
Title = "string",
Surname = "string",
GivenName = "string",
Initials = "DG",
Pseudonym = "string",
GenerationQualifier = "DBG",
},
RevocationConfiguration = null,
Tags = new[] {},
});
var subordinateCAOneCACertificate = new AwsNative.Acmpca.Certificate("subordinateCAOneCACertificate", new()
{
CertificateAuthorityArn = rootCA.Id,
CertificateSigningRequest = subordinateCAOne.CertificateSigningRequest,
SigningAlgorithm = "SHA256WITHRSA",
TemplateArn = "arn:aws:acm-pca:::template/SubordinateCACertificate_PathLen3/V1",
Validity = new AwsNative.Acmpca.Inputs.CertificateValidityArgs
{
Type = "DAYS",
Value = 90,
},
}, new CustomResourceOptions
{
DependsOn =
{
rootCAActivation,
},
});
var subordinateCAOneActivation = new AwsNative.Acmpca.CertificateAuthorityActivation("subordinateCAOneActivation", new()
{
CertificateAuthorityArn = subordinateCAOne.Id,
Certificate = subordinateCAOneCACertificate.Certificate,
CertificateChain = rootCAActivation.CompleteCertificateChain,
Status = "ACTIVE",
});
var subordinateCAOnePermission = new AwsNative.Acmpca.Permission("subordinateCAOnePermission", new()
{
Actions = new[]
{
"IssueCertificate",
"GetCertificate",
"ListPermissions",
},
CertificateAuthorityArn = subordinateCAOne.Id,
Principal = "acm.amazonaws.com",
});
var subordinateCATwo = new AwsNative.Acmpca.CertificateAuthority("subordinateCATwo", new()
{
Type = "SUBORDINATE",
KeyAlgorithm = "RSA_2048",
SigningAlgorithm = "SHA256WITHRSA",
Subject = new AwsNative.Acmpca.Inputs.CertificateAuthoritySubjectArgs
{
Country = "US",
Organization = "string",
OrganizationalUnit = "string",
DistinguishedNameQualifier = "string",
State = "string",
SerialNumber = "string",
Locality = "string",
Title = "string",
Surname = "string",
GivenName = "string",
Initials = "DG",
Pseudonym = "string",
GenerationQualifier = "DBG",
},
Tags = new[]
{
new AwsNative.Inputs.TagArgs
{
Key = "Key1",
Value = "Value1",
},
new AwsNative.Inputs.TagArgs
{
Key = "Key2",
Value = "Value2",
},
},
});
var subordinateCATwoCACertificate = new AwsNative.Acmpca.Certificate("subordinateCATwoCACertificate", new()
{
CertificateAuthorityArn = subordinateCAOne.Id,
CertificateSigningRequest = subordinateCATwo.CertificateSigningRequest,
SigningAlgorithm = "SHA256WITHRSA",
TemplateArn = "arn:aws:acm-pca:::template/SubordinateCACertificate_PathLen2/V1",
Validity = new AwsNative.Acmpca.Inputs.CertificateValidityArgs
{
Type = "DAYS",
Value = 80,
},
}, new CustomResourceOptions
{
DependsOn =
{
subordinateCAOneActivation,
},
});
var subordinateCATwoActivation = new AwsNative.Acmpca.CertificateAuthorityActivation("subordinateCATwoActivation", new()
{
CertificateAuthorityArn = subordinateCATwo.Id,
Certificate = subordinateCATwoCACertificate.Certificate,
CertificateChain = subordinateCAOneActivation.CompleteCertificateChain,
});
var subordinateCATwoPermission = new AwsNative.Acmpca.Permission("subordinateCATwoPermission", new()
{
Actions = new[]
{
"IssueCertificate",
"GetCertificate",
"ListPermissions",
},
CertificateAuthorityArn = subordinateCATwo.Id,
Principal = "acm.amazonaws.com",
});
var endEntityCertificate = new AwsNative.Acmpca.Certificate("endEntityCertificate", new()
{
CertificateAuthorityArn = subordinateCATwo.Id,
CertificateSigningRequest = @"-----BEGIN CERTIFICATE REQUEST-----
MIICvDCCAaQCAQAwdzELMAkGA1UEBhMCVVMxDTALBgNVBAgMBFV0YWgxDzANBgNV
BAcMBkxpbmRvbjEWMBQGA1UECgwNRGlnaUNlcnQgSW5jLjERMA8GA1UECwwIRGln
aUNlcnQxHTAbBgNVBAMMFGV4YW1wbGUuZGlnaWNlcnQuY29tMIIBIjANBgkqhkiG
9w0BAQEFAAOCAQ8AMIIBCgKCAQEA8+To7d+2kPWeBv/orU3LVbJwDrSQbeKamCmo
wp5bqDxIwV20zqRb7APUOKYoVEFFOEQs6T6gImnIolhbiH6m4zgZ/CPvWBOkZc+c
1Po2EmvBz+AD5sBdT5kzGQA6NbWyZGldxRthNLOs1efOhdnWFuhI162qmcflgpiI
WDuwq4C9f+YkeJhNn9dF5+owm8cOQmDrV8NNdiTqin8q3qYAHHJRW28glJUCZkTZ
wIaSR6crBQ8TbYNE0dc+Caa3DOIkz1EOsHWzTx+n0zKfqcbgXi4DJx+C1bjptYPR
BPZL8DAeWuA8ebudVT44yEp82G96/Ggcf7F33xMxe0yc+Xa6owIDAQABoAAwDQYJ
KoZIhvcNAQEFBQADggEBAB0kcrFccSmFDmxox0Ne01UIqSsDqHgL+XmHTXJwre6D
hJSZwbvEtOK0G3+dr4Fs11WuUNt5qcLsx5a8uk4G6AKHMzuhLsJ7XZjgmQXGECpY
Q4mC3yT3ZoCGpIXbw+iP3lmEEXgaQL0Tx5LFl/okKbKYwIqNiyKWOMj7ZR/wxWg/
ZDGRs55xuoeLDJ/ZRFf9bI+IaCUd1YrfYcHIl3G87Av+r49YVwqRDT0VDV7uLgqn
29XI1PpVUNCPQGn9p/eX6Qo7vpDaPybRtA2R7XLKjQaF9oXWeCUqy1hvJac9QFO2
97Ob1alpHPoZ7mWiEuJwjBPii6a9M9G30nUo39lBi1w=
-----END CERTIFICATE REQUEST-----",
SigningAlgorithm = "SHA256WITHRSA",
Validity = new AwsNative.Acmpca.Inputs.CertificateValidityArgs
{
Type = "DAYS",
Value = 70,
},
}, new CustomResourceOptions
{
DependsOn =
{
subordinateCATwoActivation,
},
});
return new Dictionary<string, object?>
{
["completeCertificateChain"] = subordinateCATwoActivation.CompleteCertificateChain,
["certificateArn"] = endEntityCertificate.Arn,
};
});
package main
import (
awsnative "github.com/pulumi/pulumi-aws-native/sdk/go/aws"
"github.com/pulumi/pulumi-aws-native/sdk/go/aws/acmpca"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
rootCA, err := acmpca.NewCertificateAuthority(ctx, "rootCA", &acmpca.CertificateAuthorityArgs{
Type: pulumi.String("ROOT"),
KeyAlgorithm: pulumi.String("RSA_2048"),
SigningAlgorithm: pulumi.String("SHA256WITHRSA"),
Subject: &acmpca.CertificateAuthoritySubjectArgs{
Country: pulumi.String("US"),
Organization: pulumi.String("string"),
OrganizationalUnit: pulumi.String("string"),
DistinguishedNameQualifier: pulumi.String("string"),
State: pulumi.String("string"),
CommonName: pulumi.String("123"),
SerialNumber: pulumi.String("string"),
Locality: pulumi.String("string"),
Title: pulumi.String("string"),
Surname: pulumi.String("string"),
GivenName: pulumi.String("string"),
Initials: pulumi.String("DG"),
Pseudonym: pulumi.String("string"),
GenerationQualifier: pulumi.String("DBG"),
},
RevocationConfiguration: &acmpca.CertificateAuthorityRevocationConfigurationArgs{
CrlConfiguration: &acmpca.CertificateAuthorityCrlConfigurationArgs{
Enabled: pulumi.Bool(false),
},
},
})
if err != nil {
return err
}
rootCACertificate, err := acmpca.NewCertificate(ctx, "rootCACertificate", &acmpca.CertificateArgs{
CertificateAuthorityArn: rootCA.ID(),
CertificateSigningRequest: rootCA.CertificateSigningRequest,
SigningAlgorithm: pulumi.String("SHA256WITHRSA"),
TemplateArn: pulumi.String("arn:aws:acm-pca:::template/RootCACertificate/V1"),
Validity: &acmpca.CertificateValidityArgs{
Type: pulumi.String("DAYS"),
Value: pulumi.Float64(100),
},
})
if err != nil {
return err
}
rootCAActivation, err := acmpca.NewCertificateAuthorityActivation(ctx, "rootCAActivation", &acmpca.CertificateAuthorityActivationArgs{
CertificateAuthorityArn: rootCA.ID(),
Certificate: rootCACertificate.Certificate,
Status: pulumi.String("ACTIVE"),
})
if err != nil {
return err
}
_, err = acmpca.NewPermission(ctx, "rootCAPermission", &acmpca.PermissionArgs{
Actions: pulumi.StringArray{
pulumi.String("IssueCertificate"),
pulumi.String("GetCertificate"),
pulumi.String("ListPermissions"),
},
CertificateAuthorityArn: rootCA.ID(),
Principal: pulumi.String("acm.amazonaws.com"),
})
if err != nil {
return err
}
subordinateCAOne, err := acmpca.NewCertificateAuthority(ctx, "subordinateCAOne", &acmpca.CertificateAuthorityArgs{
Type: pulumi.String("SUBORDINATE"),
KeyAlgorithm: pulumi.String("RSA_2048"),
SigningAlgorithm: pulumi.String("SHA256WITHRSA"),
Subject: &acmpca.CertificateAuthoritySubjectArgs{
Country: pulumi.String("US"),
Organization: pulumi.String("string"),
OrganizationalUnit: pulumi.String("string"),
DistinguishedNameQualifier: pulumi.String("string"),
State: pulumi.String("string"),
CommonName: pulumi.String("Sub1"),
SerialNumber: pulumi.String("string"),
Locality: pulumi.String("string"),
Title: pulumi.String("string"),
Surname: pulumi.String("string"),
GivenName: pulumi.String("string"),
Initials: pulumi.String("DG"),
Pseudonym: pulumi.String("string"),
GenerationQualifier: pulumi.String("DBG"),
},
RevocationConfiguration: &acmpca.CertificateAuthorityRevocationConfigurationArgs{},
Tags: aws.TagArray{},
})
if err != nil {
return err
}
subordinateCAOneCACertificate, err := acmpca.NewCertificate(ctx, "subordinateCAOneCACertificate", &acmpca.CertificateArgs{
CertificateAuthorityArn: rootCA.ID(),
CertificateSigningRequest: subordinateCAOne.CertificateSigningRequest,
SigningAlgorithm: pulumi.String("SHA256WITHRSA"),
TemplateArn: pulumi.String("arn:aws:acm-pca:::template/SubordinateCACertificate_PathLen3/V1"),
Validity: &acmpca.CertificateValidityArgs{
Type: pulumi.String("DAYS"),
Value: pulumi.Float64(90),
},
}, pulumi.DependsOn([]pulumi.Resource{
rootCAActivation,
}))
if err != nil {
return err
}
subordinateCAOneActivation, err := acmpca.NewCertificateAuthorityActivation(ctx, "subordinateCAOneActivation", &acmpca.CertificateAuthorityActivationArgs{
CertificateAuthorityArn: subordinateCAOne.ID(),
Certificate: subordinateCAOneCACertificate.Certificate,
CertificateChain: rootCAActivation.CompleteCertificateChain,
Status: pulumi.String("ACTIVE"),
})
if err != nil {
return err
}
_, err = acmpca.NewPermission(ctx, "subordinateCAOnePermission", &acmpca.PermissionArgs{
Actions: pulumi.StringArray{
pulumi.String("IssueCertificate"),
pulumi.String("GetCertificate"),
pulumi.String("ListPermissions"),
},
CertificateAuthorityArn: subordinateCAOne.ID(),
Principal: pulumi.String("acm.amazonaws.com"),
})
if err != nil {
return err
}
subordinateCATwo, err := acmpca.NewCertificateAuthority(ctx, "subordinateCATwo", &acmpca.CertificateAuthorityArgs{
Type: pulumi.String("SUBORDINATE"),
KeyAlgorithm: pulumi.String("RSA_2048"),
SigningAlgorithm: pulumi.String("SHA256WITHRSA"),
Subject: &acmpca.CertificateAuthoritySubjectArgs{
Country: pulumi.String("US"),
Organization: pulumi.String("string"),
OrganizationalUnit: pulumi.String("string"),
DistinguishedNameQualifier: pulumi.String("string"),
State: pulumi.String("string"),
SerialNumber: pulumi.String("string"),
Locality: pulumi.String("string"),
Title: pulumi.String("string"),
Surname: pulumi.String("string"),
GivenName: pulumi.String("string"),
Initials: pulumi.String("DG"),
Pseudonym: pulumi.String("string"),
GenerationQualifier: pulumi.String("DBG"),
},
Tags: aws.TagArray{
&aws.TagArgs{
Key: pulumi.String("Key1"),
Value: pulumi.String("Value1"),
},
&aws.TagArgs{
Key: pulumi.String("Key2"),
Value: pulumi.String("Value2"),
},
},
})
if err != nil {
return err
}
subordinateCATwoCACertificate, err := acmpca.NewCertificate(ctx, "subordinateCATwoCACertificate", &acmpca.CertificateArgs{
CertificateAuthorityArn: subordinateCAOne.ID(),
CertificateSigningRequest: subordinateCATwo.CertificateSigningRequest,
SigningAlgorithm: pulumi.String("SHA256WITHRSA"),
TemplateArn: pulumi.String("arn:aws:acm-pca:::template/SubordinateCACertificate_PathLen2/V1"),
Validity: &acmpca.CertificateValidityArgs{
Type: pulumi.String("DAYS"),
Value: pulumi.Float64(80),
},
}, pulumi.DependsOn([]pulumi.Resource{
subordinateCAOneActivation,
}))
if err != nil {
return err
}
subordinateCATwoActivation, err := acmpca.NewCertificateAuthorityActivation(ctx, "subordinateCATwoActivation", &acmpca.CertificateAuthorityActivationArgs{
CertificateAuthorityArn: subordinateCATwo.ID(),
Certificate: subordinateCATwoCACertificate.Certificate,
CertificateChain: subordinateCAOneActivation.CompleteCertificateChain,
})
if err != nil {
return err
}
_, err = acmpca.NewPermission(ctx, "subordinateCATwoPermission", &acmpca.PermissionArgs{
Actions: pulumi.StringArray{
pulumi.String("IssueCertificate"),
pulumi.String("GetCertificate"),
pulumi.String("ListPermissions"),
},
CertificateAuthorityArn: subordinateCATwo.ID(),
Principal: pulumi.String("acm.amazonaws.com"),
})
if err != nil {
return err
}
endEntityCertificate, err := acmpca.NewCertificate(ctx, "endEntityCertificate", &acmpca.CertificateArgs{
CertificateAuthorityArn: subordinateCATwo.ID(),
CertificateSigningRequest: pulumi.String(`-----BEGIN CERTIFICATE REQUEST-----
MIICvDCCAaQCAQAwdzELMAkGA1UEBhMCVVMxDTALBgNVBAgMBFV0YWgxDzANBgNV
BAcMBkxpbmRvbjEWMBQGA1UECgwNRGlnaUNlcnQgSW5jLjERMA8GA1UECwwIRGln
aUNlcnQxHTAbBgNVBAMMFGV4YW1wbGUuZGlnaWNlcnQuY29tMIIBIjANBgkqhkiG
9w0BAQEFAAOCAQ8AMIIBCgKCAQEA8+To7d+2kPWeBv/orU3LVbJwDrSQbeKamCmo
wp5bqDxIwV20zqRb7APUOKYoVEFFOEQs6T6gImnIolhbiH6m4zgZ/CPvWBOkZc+c
1Po2EmvBz+AD5sBdT5kzGQA6NbWyZGldxRthNLOs1efOhdnWFuhI162qmcflgpiI
WDuwq4C9f+YkeJhNn9dF5+owm8cOQmDrV8NNdiTqin8q3qYAHHJRW28glJUCZkTZ
wIaSR6crBQ8TbYNE0dc+Caa3DOIkz1EOsHWzTx+n0zKfqcbgXi4DJx+C1bjptYPR
BPZL8DAeWuA8ebudVT44yEp82G96/Ggcf7F33xMxe0yc+Xa6owIDAQABoAAwDQYJ
KoZIhvcNAQEFBQADggEBAB0kcrFccSmFDmxox0Ne01UIqSsDqHgL+XmHTXJwre6D
hJSZwbvEtOK0G3+dr4Fs11WuUNt5qcLsx5a8uk4G6AKHMzuhLsJ7XZjgmQXGECpY
Q4mC3yT3ZoCGpIXbw+iP3lmEEXgaQL0Tx5LFl/okKbKYwIqNiyKWOMj7ZR/wxWg/
ZDGRs55xuoeLDJ/ZRFf9bI+IaCUd1YrfYcHIl3G87Av+r49YVwqRDT0VDV7uLgqn
29XI1PpVUNCPQGn9p/eX6Qo7vpDaPybRtA2R7XLKjQaF9oXWeCUqy1hvJac9QFO2
97Ob1alpHPoZ7mWiEuJwjBPii6a9M9G30nUo39lBi1w=
-----END CERTIFICATE REQUEST-----`),
SigningAlgorithm: pulumi.String("SHA256WITHRSA"),
Validity: &acmpca.CertificateValidityArgs{
Type: pulumi.String("DAYS"),
Value: pulumi.Float64(70),
},
}, pulumi.DependsOn([]pulumi.Resource{
subordinateCATwoActivation,
}))
if err != nil {
return err
}
ctx.Export("completeCertificateChain", subordinateCATwoActivation.CompleteCertificateChain)
ctx.Export("certificateArn", endEntityCertificate.Arn)
return nil
})
}
Coming soon!
import * as pulumi from "@pulumi/pulumi";
import * as aws_native from "@pulumi/aws-native";
const rootCA = new aws_native.acmpca.CertificateAuthority("rootCA", {
type: "ROOT",
keyAlgorithm: "RSA_2048",
signingAlgorithm: "SHA256WITHRSA",
subject: {
country: "US",
organization: "string",
organizationalUnit: "string",
distinguishedNameQualifier: "string",
state: "string",
commonName: "123",
serialNumber: "string",
locality: "string",
title: "string",
surname: "string",
givenName: "string",
initials: "DG",
pseudonym: "string",
generationQualifier: "DBG",
},
revocationConfiguration: {
crlConfiguration: {
enabled: false,
},
},
});
const rootCACertificate = new aws_native.acmpca.Certificate("rootCACertificate", {
certificateAuthorityArn: rootCA.id,
certificateSigningRequest: rootCA.certificateSigningRequest,
signingAlgorithm: "SHA256WITHRSA",
templateArn: "arn:aws:acm-pca:::template/RootCACertificate/V1",
validity: {
type: "DAYS",
value: 100,
},
});
const rootCAActivation = new aws_native.acmpca.CertificateAuthorityActivation("rootCAActivation", {
certificateAuthorityArn: rootCA.id,
certificate: rootCACertificate.certificate,
status: "ACTIVE",
});
const rootCAPermission = new aws_native.acmpca.Permission("rootCAPermission", {
actions: [
"IssueCertificate",
"GetCertificate",
"ListPermissions",
],
certificateAuthorityArn: rootCA.id,
principal: "acm.amazonaws.com",
});
const subordinateCAOne = new aws_native.acmpca.CertificateAuthority("subordinateCAOne", {
type: "SUBORDINATE",
keyAlgorithm: "RSA_2048",
signingAlgorithm: "SHA256WITHRSA",
subject: {
country: "US",
organization: "string",
organizationalUnit: "string",
distinguishedNameQualifier: "string",
state: "string",
commonName: "Sub1",
serialNumber: "string",
locality: "string",
title: "string",
surname: "string",
givenName: "string",
initials: "DG",
pseudonym: "string",
generationQualifier: "DBG",
},
revocationConfiguration: {},
tags: [],
});
const subordinateCAOneCACertificate = new aws_native.acmpca.Certificate("subordinateCAOneCACertificate", {
certificateAuthorityArn: rootCA.id,
certificateSigningRequest: subordinateCAOne.certificateSigningRequest,
signingAlgorithm: "SHA256WITHRSA",
templateArn: "arn:aws:acm-pca:::template/SubordinateCACertificate_PathLen3/V1",
validity: {
type: "DAYS",
value: 90,
},
}, {
dependsOn: [rootCAActivation],
});
const subordinateCAOneActivation = new aws_native.acmpca.CertificateAuthorityActivation("subordinateCAOneActivation", {
certificateAuthorityArn: subordinateCAOne.id,
certificate: subordinateCAOneCACertificate.certificate,
certificateChain: rootCAActivation.completeCertificateChain,
status: "ACTIVE",
});
const subordinateCAOnePermission = new aws_native.acmpca.Permission("subordinateCAOnePermission", {
actions: [
"IssueCertificate",
"GetCertificate",
"ListPermissions",
],
certificateAuthorityArn: subordinateCAOne.id,
principal: "acm.amazonaws.com",
});
const subordinateCATwo = new aws_native.acmpca.CertificateAuthority("subordinateCATwo", {
type: "SUBORDINATE",
keyAlgorithm: "RSA_2048",
signingAlgorithm: "SHA256WITHRSA",
subject: {
country: "US",
organization: "string",
organizationalUnit: "string",
distinguishedNameQualifier: "string",
state: "string",
serialNumber: "string",
locality: "string",
title: "string",
surname: "string",
givenName: "string",
initials: "DG",
pseudonym: "string",
generationQualifier: "DBG",
},
tags: [
{
key: "Key1",
value: "Value1",
},
{
key: "Key2",
value: "Value2",
},
],
});
const subordinateCATwoCACertificate = new aws_native.acmpca.Certificate("subordinateCATwoCACertificate", {
certificateAuthorityArn: subordinateCAOne.id,
certificateSigningRequest: subordinateCATwo.certificateSigningRequest,
signingAlgorithm: "SHA256WITHRSA",
templateArn: "arn:aws:acm-pca:::template/SubordinateCACertificate_PathLen2/V1",
validity: {
type: "DAYS",
value: 80,
},
}, {
dependsOn: [subordinateCAOneActivation],
});
const subordinateCATwoActivation = new aws_native.acmpca.CertificateAuthorityActivation("subordinateCATwoActivation", {
certificateAuthorityArn: subordinateCATwo.id,
certificate: subordinateCATwoCACertificate.certificate,
certificateChain: subordinateCAOneActivation.completeCertificateChain,
});
const subordinateCATwoPermission = new aws_native.acmpca.Permission("subordinateCATwoPermission", {
actions: [
"IssueCertificate",
"GetCertificate",
"ListPermissions",
],
certificateAuthorityArn: subordinateCATwo.id,
principal: "acm.amazonaws.com",
});
const endEntityCertificate = new aws_native.acmpca.Certificate("endEntityCertificate", {
certificateAuthorityArn: subordinateCATwo.id,
certificateSigningRequest: `-----BEGIN CERTIFICATE REQUEST-----
MIICvDCCAaQCAQAwdzELMAkGA1UEBhMCVVMxDTALBgNVBAgMBFV0YWgxDzANBgNV
BAcMBkxpbmRvbjEWMBQGA1UECgwNRGlnaUNlcnQgSW5jLjERMA8GA1UECwwIRGln
aUNlcnQxHTAbBgNVBAMMFGV4YW1wbGUuZGlnaWNlcnQuY29tMIIBIjANBgkqhkiG
9w0BAQEFAAOCAQ8AMIIBCgKCAQEA8+To7d+2kPWeBv/orU3LVbJwDrSQbeKamCmo
wp5bqDxIwV20zqRb7APUOKYoVEFFOEQs6T6gImnIolhbiH6m4zgZ/CPvWBOkZc+c
1Po2EmvBz+AD5sBdT5kzGQA6NbWyZGldxRthNLOs1efOhdnWFuhI162qmcflgpiI
WDuwq4C9f+YkeJhNn9dF5+owm8cOQmDrV8NNdiTqin8q3qYAHHJRW28glJUCZkTZ
wIaSR6crBQ8TbYNE0dc+Caa3DOIkz1EOsHWzTx+n0zKfqcbgXi4DJx+C1bjptYPR
BPZL8DAeWuA8ebudVT44yEp82G96/Ggcf7F33xMxe0yc+Xa6owIDAQABoAAwDQYJ
KoZIhvcNAQEFBQADggEBAB0kcrFccSmFDmxox0Ne01UIqSsDqHgL+XmHTXJwre6D
hJSZwbvEtOK0G3+dr4Fs11WuUNt5qcLsx5a8uk4G6AKHMzuhLsJ7XZjgmQXGECpY
Q4mC3yT3ZoCGpIXbw+iP3lmEEXgaQL0Tx5LFl/okKbKYwIqNiyKWOMj7ZR/wxWg/
ZDGRs55xuoeLDJ/ZRFf9bI+IaCUd1YrfYcHIl3G87Av+r49YVwqRDT0VDV7uLgqn
29XI1PpVUNCPQGn9p/eX6Qo7vpDaPybRtA2R7XLKjQaF9oXWeCUqy1hvJac9QFO2
97Ob1alpHPoZ7mWiEuJwjBPii6a9M9G30nUo39lBi1w=
-----END CERTIFICATE REQUEST-----`,
signingAlgorithm: "SHA256WITHRSA",
validity: {
type: "DAYS",
value: 70,
},
}, {
dependsOn: [subordinateCATwoActivation],
});
export const completeCertificateChain = subordinateCATwoActivation.completeCertificateChain;
export const certificateArn = endEntityCertificate.arn;
import pulumi
import pulumi_aws_native as aws_native
root_ca = aws_native.acmpca.CertificateAuthority("rootCA",
type="ROOT",
key_algorithm="RSA_2048",
signing_algorithm="SHA256WITHRSA",
subject={
"country": "US",
"organization": "string",
"organizational_unit": "string",
"distinguished_name_qualifier": "string",
"state": "string",
"common_name": "123",
"serial_number": "string",
"locality": "string",
"title": "string",
"surname": "string",
"given_name": "string",
"initials": "DG",
"pseudonym": "string",
"generation_qualifier": "DBG",
},
revocation_configuration={
"crl_configuration": {
"enabled": False,
},
})
root_ca_certificate = aws_native.acmpca.Certificate("rootCACertificate",
certificate_authority_arn=root_ca.id,
certificate_signing_request=root_ca.certificate_signing_request,
signing_algorithm="SHA256WITHRSA",
template_arn="arn:aws:acm-pca:::template/RootCACertificate/V1",
validity={
"type": "DAYS",
"value": 100,
})
root_ca_activation = aws_native.acmpca.CertificateAuthorityActivation("rootCAActivation",
certificate_authority_arn=root_ca.id,
certificate=root_ca_certificate.certificate,
status="ACTIVE")
root_ca_permission = aws_native.acmpca.Permission("rootCAPermission",
actions=[
"IssueCertificate",
"GetCertificate",
"ListPermissions",
],
certificate_authority_arn=root_ca.id,
principal="acm.amazonaws.com")
subordinate_ca_one = aws_native.acmpca.CertificateAuthority("subordinateCAOne",
type="SUBORDINATE",
key_algorithm="RSA_2048",
signing_algorithm="SHA256WITHRSA",
subject={
"country": "US",
"organization": "string",
"organizational_unit": "string",
"distinguished_name_qualifier": "string",
"state": "string",
"common_name": "Sub1",
"serial_number": "string",
"locality": "string",
"title": "string",
"surname": "string",
"given_name": "string",
"initials": "DG",
"pseudonym": "string",
"generation_qualifier": "DBG",
},
revocation_configuration={},
tags=[])
subordinate_ca_one_ca_certificate = aws_native.acmpca.Certificate("subordinateCAOneCACertificate",
certificate_authority_arn=root_ca.id,
certificate_signing_request=subordinate_ca_one.certificate_signing_request,
signing_algorithm="SHA256WITHRSA",
template_arn="arn:aws:acm-pca:::template/SubordinateCACertificate_PathLen3/V1",
validity={
"type": "DAYS",
"value": 90,
},
opts = pulumi.ResourceOptions(depends_on=[root_ca_activation]))
subordinate_ca_one_activation = aws_native.acmpca.CertificateAuthorityActivation("subordinateCAOneActivation",
certificate_authority_arn=subordinate_ca_one.id,
certificate=subordinate_ca_one_ca_certificate.certificate,
certificate_chain=root_ca_activation.complete_certificate_chain,
status="ACTIVE")
subordinate_ca_one_permission = aws_native.acmpca.Permission("subordinateCAOnePermission",
actions=[
"IssueCertificate",
"GetCertificate",
"ListPermissions",
],
certificate_authority_arn=subordinate_ca_one.id,
principal="acm.amazonaws.com")
subordinate_ca_two = aws_native.acmpca.CertificateAuthority("subordinateCATwo",
type="SUBORDINATE",
key_algorithm="RSA_2048",
signing_algorithm="SHA256WITHRSA",
subject={
"country": "US",
"organization": "string",
"organizational_unit": "string",
"distinguished_name_qualifier": "string",
"state": "string",
"serial_number": "string",
"locality": "string",
"title": "string",
"surname": "string",
"given_name": "string",
"initials": "DG",
"pseudonym": "string",
"generation_qualifier": "DBG",
},
tags=[
{
"key": "Key1",
"value": "Value1",
},
{
"key": "Key2",
"value": "Value2",
},
])
subordinate_ca_two_ca_certificate = aws_native.acmpca.Certificate("subordinateCATwoCACertificate",
certificate_authority_arn=subordinate_ca_one.id,
certificate_signing_request=subordinate_ca_two.certificate_signing_request,
signing_algorithm="SHA256WITHRSA",
template_arn="arn:aws:acm-pca:::template/SubordinateCACertificate_PathLen2/V1",
validity={
"type": "DAYS",
"value": 80,
},
opts = pulumi.ResourceOptions(depends_on=[subordinate_ca_one_activation]))
subordinate_ca_two_activation = aws_native.acmpca.CertificateAuthorityActivation("subordinateCATwoActivation",
certificate_authority_arn=subordinate_ca_two.id,
certificate=subordinate_ca_two_ca_certificate.certificate,
certificate_chain=subordinate_ca_one_activation.complete_certificate_chain)
subordinate_ca_two_permission = aws_native.acmpca.Permission("subordinateCATwoPermission",
actions=[
"IssueCertificate",
"GetCertificate",
"ListPermissions",
],
certificate_authority_arn=subordinate_ca_two.id,
principal="acm.amazonaws.com")
end_entity_certificate = aws_native.acmpca.Certificate("endEntityCertificate",
certificate_authority_arn=subordinate_ca_two.id,
certificate_signing_request="""-----BEGIN CERTIFICATE REQUEST-----
MIICvDCCAaQCAQAwdzELMAkGA1UEBhMCVVMxDTALBgNVBAgMBFV0YWgxDzANBgNV
BAcMBkxpbmRvbjEWMBQGA1UECgwNRGlnaUNlcnQgSW5jLjERMA8GA1UECwwIRGln
aUNlcnQxHTAbBgNVBAMMFGV4YW1wbGUuZGlnaWNlcnQuY29tMIIBIjANBgkqhkiG
9w0BAQEFAAOCAQ8AMIIBCgKCAQEA8+To7d+2kPWeBv/orU3LVbJwDrSQbeKamCmo
wp5bqDxIwV20zqRb7APUOKYoVEFFOEQs6T6gImnIolhbiH6m4zgZ/CPvWBOkZc+c
1Po2EmvBz+AD5sBdT5kzGQA6NbWyZGldxRthNLOs1efOhdnWFuhI162qmcflgpiI
WDuwq4C9f+YkeJhNn9dF5+owm8cOQmDrV8NNdiTqin8q3qYAHHJRW28glJUCZkTZ
wIaSR6crBQ8TbYNE0dc+Caa3DOIkz1EOsHWzTx+n0zKfqcbgXi4DJx+C1bjptYPR
BPZL8DAeWuA8ebudVT44yEp82G96/Ggcf7F33xMxe0yc+Xa6owIDAQABoAAwDQYJ
KoZIhvcNAQEFBQADggEBAB0kcrFccSmFDmxox0Ne01UIqSsDqHgL+XmHTXJwre6D
hJSZwbvEtOK0G3+dr4Fs11WuUNt5qcLsx5a8uk4G6AKHMzuhLsJ7XZjgmQXGECpY
Q4mC3yT3ZoCGpIXbw+iP3lmEEXgaQL0Tx5LFl/okKbKYwIqNiyKWOMj7ZR/wxWg/
ZDGRs55xuoeLDJ/ZRFf9bI+IaCUd1YrfYcHIl3G87Av+r49YVwqRDT0VDV7uLgqn
29XI1PpVUNCPQGn9p/eX6Qo7vpDaPybRtA2R7XLKjQaF9oXWeCUqy1hvJac9QFO2
97Ob1alpHPoZ7mWiEuJwjBPii6a9M9G30nUo39lBi1w=
-----END CERTIFICATE REQUEST-----""",
signing_algorithm="SHA256WITHRSA",
validity={
"type": "DAYS",
"value": 70,
},
opts = pulumi.ResourceOptions(depends_on=[subordinate_ca_two_activation]))
pulumi.export("completeCertificateChain", subordinate_ca_two_activation.complete_certificate_chain)
pulumi.export("certificateArn", end_entity_certificate.arn)
Coming soon!
Create CertificateAuthority Resource
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.
Constructor syntax
new CertificateAuthority(name: string, args: CertificateAuthorityArgs, opts?: CustomResourceOptions);@overload
def CertificateAuthority(resource_name: str,
args: CertificateAuthorityArgs,
opts: Optional[ResourceOptions] = None)
@overload
def CertificateAuthority(resource_name: str,
opts: Optional[ResourceOptions] = None,
key_algorithm: Optional[str] = None,
signing_algorithm: Optional[str] = None,
subject: Optional[CertificateAuthoritySubjectArgs] = None,
type: Optional[str] = None,
csr_extensions: Optional[CertificateAuthorityCsrExtensionsArgs] = None,
key_storage_security_standard: Optional[str] = None,
revocation_configuration: Optional[CertificateAuthorityRevocationConfigurationArgs] = None,
tags: Optional[Sequence[_root_inputs.TagArgs]] = None,
usage_mode: Optional[str] = None)func NewCertificateAuthority(ctx *Context, name string, args CertificateAuthorityArgs, opts ...ResourceOption) (*CertificateAuthority, error)public CertificateAuthority(string name, CertificateAuthorityArgs args, CustomResourceOptions? opts = null)
public CertificateAuthority(String name, CertificateAuthorityArgs args)
public CertificateAuthority(String name, CertificateAuthorityArgs args, CustomResourceOptions options)
type: aws-native:acmpca:CertificateAuthority
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
Parameters
- name string
- The unique name of the resource.
- args CertificateAuthorityArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args CertificateAuthorityArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args CertificateAuthorityArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args CertificateAuthorityArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args CertificateAuthorityArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
CertificateAuthority Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.
The CertificateAuthority resource accepts the following input properties:
- Key
Algorithm string - Public key algorithm and size, in bits, of the key pair that your CA creates when it issues a certificate.
- Signing
Algorithm string - Algorithm your CA uses to sign certificate requests.
- Subject
Pulumi.
Aws Native. Acmpca. Inputs. Certificate Authority Subject - Structure that contains X.500 distinguished name information for your CA.
- Type string
- The type of the certificate authority.
- Csr
Extensions Pulumi.Aws Native. Acmpca. Inputs. Certificate Authority Csr Extensions - Structure that contains CSR pass through extension information used by the CreateCertificateAuthority action.
- Key
Storage stringSecurity Standard - KeyStorageSecurityStadard defines a cryptographic key management compliance standard used for handling CA keys.
- Revocation
Configuration Pulumi.Aws Native. Acmpca. Inputs. Certificate Authority Revocation Configuration - Certificate revocation information used by the CreateCertificateAuthority and UpdateCertificateAuthority actions.
-
List<Pulumi.
Aws Native. Inputs. Tag> - Key-value pairs that will be attached to the new private CA. You can associate up to 50 tags with a private CA. For information using tags with IAM to manage permissions, see Controlling Access Using IAM Tags .
- Usage
Mode string - Usage mode of the ceritificate authority.
- Key
Algorithm string - Public key algorithm and size, in bits, of the key pair that your CA creates when it issues a certificate.
- Signing
Algorithm string - Algorithm your CA uses to sign certificate requests.
- Subject
Certificate
Authority Subject Args - Structure that contains X.500 distinguished name information for your CA.
- Type string
- The type of the certificate authority.
- Csr
Extensions CertificateAuthority Csr Extensions Args - Structure that contains CSR pass through extension information used by the CreateCertificateAuthority action.
- Key
Storage stringSecurity Standard - KeyStorageSecurityStadard defines a cryptographic key management compliance standard used for handling CA keys.
- Revocation
Configuration CertificateAuthority Revocation Configuration Args - Certificate revocation information used by the CreateCertificateAuthority and UpdateCertificateAuthority actions.
-
Tag
Args - Key-value pairs that will be attached to the new private CA. You can associate up to 50 tags with a private CA. For information using tags with IAM to manage permissions, see Controlling Access Using IAM Tags .
- Usage
Mode string - Usage mode of the ceritificate authority.
- key
Algorithm String - Public key algorithm and size, in bits, of the key pair that your CA creates when it issues a certificate.
- signing
Algorithm String - Algorithm your CA uses to sign certificate requests.
- subject
Certificate
Authority Subject - Structure that contains X.500 distinguished name information for your CA.
- type String
- The type of the certificate authority.
- csr
Extensions CertificateAuthority Csr Extensions - Structure that contains CSR pass through extension information used by the CreateCertificateAuthority action.
- key
Storage StringSecurity Standard - KeyStorageSecurityStadard defines a cryptographic key management compliance standard used for handling CA keys.
- revocation
Configuration CertificateAuthority Revocation Configuration - Certificate revocation information used by the CreateCertificateAuthority and UpdateCertificateAuthority actions.
- List<Tag>
- Key-value pairs that will be attached to the new private CA. You can associate up to 50 tags with a private CA. For information using tags with IAM to manage permissions, see Controlling Access Using IAM Tags .
- usage
Mode String - Usage mode of the ceritificate authority.
- key
Algorithm string - Public key algorithm and size, in bits, of the key pair that your CA creates when it issues a certificate.
- signing
Algorithm string - Algorithm your CA uses to sign certificate requests.
- subject
Certificate
Authority Subject - Structure that contains X.500 distinguished name information for your CA.
- type string
- The type of the certificate authority.
- csr
Extensions CertificateAuthority Csr Extensions - Structure that contains CSR pass through extension information used by the CreateCertificateAuthority action.
- key
Storage stringSecurity Standard - KeyStorageSecurityStadard defines a cryptographic key management compliance standard used for handling CA keys.
- revocation
Configuration CertificateAuthority Revocation Configuration - Certificate revocation information used by the CreateCertificateAuthority and UpdateCertificateAuthority actions.
- Tag[]
- Key-value pairs that will be attached to the new private CA. You can associate up to 50 tags with a private CA. For information using tags with IAM to manage permissions, see Controlling Access Using IAM Tags .
- usage
Mode string - Usage mode of the ceritificate authority.
- key_
algorithm str - Public key algorithm and size, in bits, of the key pair that your CA creates when it issues a certificate.
- signing_
algorithm str - Algorithm your CA uses to sign certificate requests.
- subject
Certificate
Authority Subject Args - Structure that contains X.500 distinguished name information for your CA.
- type str
- The type of the certificate authority.
- csr_
extensions CertificateAuthority Csr Extensions Args - Structure that contains CSR pass through extension information used by the CreateCertificateAuthority action.
- key_
storage_ strsecurity_ standard - KeyStorageSecurityStadard defines a cryptographic key management compliance standard used for handling CA keys.
- revocation_
configuration CertificateAuthority Revocation Configuration Args - Certificate revocation information used by the CreateCertificateAuthority and UpdateCertificateAuthority actions.
-
Sequence[Tag
Args] - Key-value pairs that will be attached to the new private CA. You can associate up to 50 tags with a private CA. For information using tags with IAM to manage permissions, see Controlling Access Using IAM Tags .
- usage_
mode str - Usage mode of the ceritificate authority.
- key
Algorithm String - Public key algorithm and size, in bits, of the key pair that your CA creates when it issues a certificate.
- signing
Algorithm String - Algorithm your CA uses to sign certificate requests.
- subject Property Map
- Structure that contains X.500 distinguished name information for your CA.
- type String
- The type of the certificate authority.
- csr
Extensions Property Map - Structure that contains CSR pass through extension information used by the CreateCertificateAuthority action.
- key
Storage StringSecurity Standard - KeyStorageSecurityStadard defines a cryptographic key management compliance standard used for handling CA keys.
- revocation
Configuration Property Map - Certificate revocation information used by the CreateCertificateAuthority and UpdateCertificateAuthority actions.
- List<Property Map>
- Key-value pairs that will be attached to the new private CA. You can associate up to 50 tags with a private CA. For information using tags with IAM to manage permissions, see Controlling Access Using IAM Tags .
- usage
Mode String - Usage mode of the ceritificate authority.
Outputs
All input properties are implicitly available as output properties. Additionally, the CertificateAuthority resource produces the following output properties:
- Arn string
- The Amazon Resource Name (ARN) of the certificate authority.
- Certificate
Signing stringRequest - The base64 PEM-encoded certificate signing request (CSR) for your certificate authority certificate.
- Id string
- The provider-assigned unique ID for this managed resource.
- Arn string
- The Amazon Resource Name (ARN) of the certificate authority.
- Certificate
Signing stringRequest - The base64 PEM-encoded certificate signing request (CSR) for your certificate authority certificate.
- Id string
- The provider-assigned unique ID for this managed resource.
- arn String
- The Amazon Resource Name (ARN) of the certificate authority.
- certificate
Signing StringRequest - The base64 PEM-encoded certificate signing request (CSR) for your certificate authority certificate.
- id String
- The provider-assigned unique ID for this managed resource.
- arn string
- The Amazon Resource Name (ARN) of the certificate authority.
- certificate
Signing stringRequest - The base64 PEM-encoded certificate signing request (CSR) for your certificate authority certificate.
- id string
- The provider-assigned unique ID for this managed resource.
- arn str
- The Amazon Resource Name (ARN) of the certificate authority.
- certificate_
signing_ strrequest - The base64 PEM-encoded certificate signing request (CSR) for your certificate authority certificate.
- id str
- The provider-assigned unique ID for this managed resource.
- arn String
- The Amazon Resource Name (ARN) of the certificate authority.
- certificate
Signing StringRequest - The base64 PEM-encoded certificate signing request (CSR) for your certificate authority certificate.
- id String
- The provider-assigned unique ID for this managed resource.
Supporting Types
CertificateAuthorityAccessDescription, CertificateAuthorityAccessDescriptionArgs
CertificateAuthorityAccessMethod, CertificateAuthorityAccessMethodArgs
- Access
Method stringType - Custom
Object stringIdentifier
- Access
Method stringType - Custom
Object stringIdentifier
- access
Method StringType - custom
Object StringIdentifier
- access
Method stringType - custom
Object stringIdentifier
- access
Method StringType - custom
Object StringIdentifier
CertificateAuthorityCrlConfiguration, CertificateAuthorityCrlConfigurationArgs
- Enabled bool
- Boolean value that specifies whether certificate revocation lists (CRLs) are enabled. You can use this value to enable certificate revocation for a new CA when you call the
CreateCertificateAuthorityoperation or for an existing CA when you call theUpdateCertificateAuthorityoperation. - Crl
Distribution Pulumi.Point Extension Configuration Aws Native. Acmpca. Inputs. Certificate Authority Crl Distribution Point Extension Configuration - Configures the default behavior of the CRL Distribution Point extension for certificates issued by your CA. If this field is not provided, then the CRL Distribution Point extension will be present and contain the default CRL URL.
- Crl
Type string Specifies the type of CRL. This setting determines the maximum number of certificates that the certificate authority can issue and revoke. For more information, see AWS Private CA quotas .
COMPLETE- The default setting. AWS Private CA maintains a single CRL file for all unexpired certificates issued by a CA that have been revoked for any reason. Each certificate that AWS Private CA issues is bound to a specific CRL through the CRL distribution point (CDP) defined in RFC 5280 .PARTITIONED- Compared to complete CRLs, partitioned CRLs dramatically increase the number of certificates your private CA can issue.
When using partitioned CRLs, you must validate that the CRL's associated issuing distribution point (IDP) URI matches the certificate's CDP URI to ensure the right CRL has been fetched. AWS Private CA marks the IDP extension as critical, which your client must be able to process.
- Custom
Cname string Name inserted into the certificate CRL Distribution Points extension that enables the use of an alias for the CRL distribution point. Use this value if you don't want the name of your S3 bucket to be public.
The content of a Canonical Name (CNAME) record must conform to RFC2396 restrictions on the use of special characters in URIs. Additionally, the value of the CNAME must not include a protocol prefix such as "http://" or "https://".
- Custom
Path string - Designates a custom file path in S3 for CRL(s). For example,
http://<CustomName>/<CustomPath>/<CrlPartition_GUID>.crl. - Expiration
In intDays - Validity period of the CRL in days.
- S3Bucket
Name string Name of the S3 bucket that contains the CRL. If you do not provide a value for the CustomCname argument, the name of your S3 bucket is placed into the CRL Distribution Points extension of the issued certificate. You can change the name of your bucket by calling the UpdateCertificateAuthority operation. You must specify a bucket policy that allows AWS Private CA to write the CRL to your bucket.
The
S3BucketNameparameter must conform to the S3 bucket naming rules .- S3Object
Acl string Determines whether the CRL will be publicly readable or privately held in the CRL Amazon S3 bucket. If you choose PUBLIC_READ, the CRL will be accessible over the public internet. If you choose BUCKET_OWNER_FULL_CONTROL, only the owner of the CRL S3 bucket can access the CRL, and your PKI clients may need an alternative method of access.
If no value is specified, the default is PUBLIC_READ.
Note: This default can cause CA creation to fail in some circumstances. If you have have enabled the Block Public Access (BPA) feature in your S3 account, then you must specify the value of this parameter as
BUCKET_OWNER_FULL_CONTROL, and not doing so results in an error. If you have disabled BPA in S3, then you can specify eitherBUCKET_OWNER_FULL_CONTROLorPUBLIC_READas the value.For more information, see Blocking public access to the S3 bucket .
- Enabled bool
- Boolean value that specifies whether certificate revocation lists (CRLs) are enabled. You can use this value to enable certificate revocation for a new CA when you call the
CreateCertificateAuthorityoperation or for an existing CA when you call theUpdateCertificateAuthorityoperation. - Crl
Distribution CertificatePoint Extension Configuration Authority Crl Distribution Point Extension Configuration - Configures the default behavior of the CRL Distribution Point extension for certificates issued by your CA. If this field is not provided, then the CRL Distribution Point extension will be present and contain the default CRL URL.
- Crl
Type string Specifies the type of CRL. This setting determines the maximum number of certificates that the certificate authority can issue and revoke. For more information, see AWS Private CA quotas .
COMPLETE- The default setting. AWS Private CA maintains a single CRL file for all unexpired certificates issued by a CA that have been revoked for any reason. Each certificate that AWS Private CA issues is bound to a specific CRL through the CRL distribution point (CDP) defined in RFC 5280 .PARTITIONED- Compared to complete CRLs, partitioned CRLs dramatically increase the number of certificates your private CA can issue.
When using partitioned CRLs, you must validate that the CRL's associated issuing distribution point (IDP) URI matches the certificate's CDP URI to ensure the right CRL has been fetched. AWS Private CA marks the IDP extension as critical, which your client must be able to process.
- Custom
Cname string Name inserted into the certificate CRL Distribution Points extension that enables the use of an alias for the CRL distribution point. Use this value if you don't want the name of your S3 bucket to be public.
The content of a Canonical Name (CNAME) record must conform to RFC2396 restrictions on the use of special characters in URIs. Additionally, the value of the CNAME must not include a protocol prefix such as "http://" or "https://".
- Custom
Path string - Designates a custom file path in S3 for CRL(s). For example,
http://<CustomName>/<CustomPath>/<CrlPartition_GUID>.crl. - Expiration
In intDays - Validity period of the CRL in days.
- S3Bucket
Name string Name of the S3 bucket that contains the CRL. If you do not provide a value for the CustomCname argument, the name of your S3 bucket is placed into the CRL Distribution Points extension of the issued certificate. You can change the name of your bucket by calling the UpdateCertificateAuthority operation. You must specify a bucket policy that allows AWS Private CA to write the CRL to your bucket.
The
S3BucketNameparameter must conform to the S3 bucket naming rules .- S3Object
Acl string Determines whether the CRL will be publicly readable or privately held in the CRL Amazon S3 bucket. If you choose PUBLIC_READ, the CRL will be accessible over the public internet. If you choose BUCKET_OWNER_FULL_CONTROL, only the owner of the CRL S3 bucket can access the CRL, and your PKI clients may need an alternative method of access.
If no value is specified, the default is PUBLIC_READ.
Note: This default can cause CA creation to fail in some circumstances. If you have have enabled the Block Public Access (BPA) feature in your S3 account, then you must specify the value of this parameter as
BUCKET_OWNER_FULL_CONTROL, and not doing so results in an error. If you have disabled BPA in S3, then you can specify eitherBUCKET_OWNER_FULL_CONTROLorPUBLIC_READas the value.For more information, see Blocking public access to the S3 bucket .
- enabled Boolean
- Boolean value that specifies whether certificate revocation lists (CRLs) are enabled. You can use this value to enable certificate revocation for a new CA when you call the
CreateCertificateAuthorityoperation or for an existing CA when you call theUpdateCertificateAuthorityoperation. - crl
Distribution CertificatePoint Extension Configuration Authority Crl Distribution Point Extension Configuration - Configures the default behavior of the CRL Distribution Point extension for certificates issued by your CA. If this field is not provided, then the CRL Distribution Point extension will be present and contain the default CRL URL.
- crl
Type String Specifies the type of CRL. This setting determines the maximum number of certificates that the certificate authority can issue and revoke. For more information, see AWS Private CA quotas .
COMPLETE- The default setting. AWS Private CA maintains a single CRL file for all unexpired certificates issued by a CA that have been revoked for any reason. Each certificate that AWS Private CA issues is bound to a specific CRL through the CRL distribution point (CDP) defined in RFC 5280 .PARTITIONED- Compared to complete CRLs, partitioned CRLs dramatically increase the number of certificates your private CA can issue.
When using partitioned CRLs, you must validate that the CRL's associated issuing distribution point (IDP) URI matches the certificate's CDP URI to ensure the right CRL has been fetched. AWS Private CA marks the IDP extension as critical, which your client must be able to process.
- custom
Cname String Name inserted into the certificate CRL Distribution Points extension that enables the use of an alias for the CRL distribution point. Use this value if you don't want the name of your S3 bucket to be public.
The content of a Canonical Name (CNAME) record must conform to RFC2396 restrictions on the use of special characters in URIs. Additionally, the value of the CNAME must not include a protocol prefix such as "http://" or "https://".
- custom
Path String - Designates a custom file path in S3 for CRL(s). For example,
http://<CustomName>/<CustomPath>/<CrlPartition_GUID>.crl. - expiration
In IntegerDays - Validity period of the CRL in days.
- s3Bucket
Name String Name of the S3 bucket that contains the CRL. If you do not provide a value for the CustomCname argument, the name of your S3 bucket is placed into the CRL Distribution Points extension of the issued certificate. You can change the name of your bucket by calling the UpdateCertificateAuthority operation. You must specify a bucket policy that allows AWS Private CA to write the CRL to your bucket.
The
S3BucketNameparameter must conform to the S3 bucket naming rules .- s3Object
Acl String Determines whether the CRL will be publicly readable or privately held in the CRL Amazon S3 bucket. If you choose PUBLIC_READ, the CRL will be accessible over the public internet. If you choose BUCKET_OWNER_FULL_CONTROL, only the owner of the CRL S3 bucket can access the CRL, and your PKI clients may need an alternative method of access.
If no value is specified, the default is PUBLIC_READ.
Note: This default can cause CA creation to fail in some circumstances. If you have have enabled the Block Public Access (BPA) feature in your S3 account, then you must specify the value of this parameter as
BUCKET_OWNER_FULL_CONTROL, and not doing so results in an error. If you have disabled BPA in S3, then you can specify eitherBUCKET_OWNER_FULL_CONTROLorPUBLIC_READas the value.For more information, see Blocking public access to the S3 bucket .
- enabled boolean
- Boolean value that specifies whether certificate revocation lists (CRLs) are enabled. You can use this value to enable certificate revocation for a new CA when you call the
CreateCertificateAuthorityoperation or for an existing CA when you call theUpdateCertificateAuthorityoperation. - crl
Distribution CertificatePoint Extension Configuration Authority Crl Distribution Point Extension Configuration - Configures the default behavior of the CRL Distribution Point extension for certificates issued by your CA. If this field is not provided, then the CRL Distribution Point extension will be present and contain the default CRL URL.
- crl
Type string Specifies the type of CRL. This setting determines the maximum number of certificates that the certificate authority can issue and revoke. For more information, see AWS Private CA quotas .
COMPLETE- The default setting. AWS Private CA maintains a single CRL file for all unexpired certificates issued by a CA that have been revoked for any reason. Each certificate that AWS Private CA issues is bound to a specific CRL through the CRL distribution point (CDP) defined in RFC 5280 .PARTITIONED- Compared to complete CRLs, partitioned CRLs dramatically increase the number of certificates your private CA can issue.
When using partitioned CRLs, you must validate that the CRL's associated issuing distribution point (IDP) URI matches the certificate's CDP URI to ensure the right CRL has been fetched. AWS Private CA marks the IDP extension as critical, which your client must be able to process.
- custom
Cname string Name inserted into the certificate CRL Distribution Points extension that enables the use of an alias for the CRL distribution point. Use this value if you don't want the name of your S3 bucket to be public.
The content of a Canonical Name (CNAME) record must conform to RFC2396 restrictions on the use of special characters in URIs. Additionally, the value of the CNAME must not include a protocol prefix such as "http://" or "https://".
- custom
Path string - Designates a custom file path in S3 for CRL(s). For example,
http://<CustomName>/<CustomPath>/<CrlPartition_GUID>.crl. - expiration
In numberDays - Validity period of the CRL in days.
- s3Bucket
Name string Name of the S3 bucket that contains the CRL. If you do not provide a value for the CustomCname argument, the name of your S3 bucket is placed into the CRL Distribution Points extension of the issued certificate. You can change the name of your bucket by calling the UpdateCertificateAuthority operation. You must specify a bucket policy that allows AWS Private CA to write the CRL to your bucket.
The
S3BucketNameparameter must conform to the S3 bucket naming rules .- s3Object
Acl string Determines whether the CRL will be publicly readable or privately held in the CRL Amazon S3 bucket. If you choose PUBLIC_READ, the CRL will be accessible over the public internet. If you choose BUCKET_OWNER_FULL_CONTROL, only the owner of the CRL S3 bucket can access the CRL, and your PKI clients may need an alternative method of access.
If no value is specified, the default is PUBLIC_READ.
Note: This default can cause CA creation to fail in some circumstances. If you have have enabled the Block Public Access (BPA) feature in your S3 account, then you must specify the value of this parameter as
BUCKET_OWNER_FULL_CONTROL, and not doing so results in an error. If you have disabled BPA in S3, then you can specify eitherBUCKET_OWNER_FULL_CONTROLorPUBLIC_READas the value.For more information, see Blocking public access to the S3 bucket .
- enabled bool
- Boolean value that specifies whether certificate revocation lists (CRLs) are enabled. You can use this value to enable certificate revocation for a new CA when you call the
CreateCertificateAuthorityoperation or for an existing CA when you call theUpdateCertificateAuthorityoperation. - crl_
distribution_ Certificatepoint_ extension_ configuration Authority Crl Distribution Point Extension Configuration - Configures the default behavior of the CRL Distribution Point extension for certificates issued by your CA. If this field is not provided, then the CRL Distribution Point extension will be present and contain the default CRL URL.
- crl_
type str Specifies the type of CRL. This setting determines the maximum number of certificates that the certificate authority can issue and revoke. For more information, see AWS Private CA quotas .
COMPLETE- The default setting. AWS Private CA maintains a single CRL file for all unexpired certificates issued by a CA that have been revoked for any reason. Each certificate that AWS Private CA issues is bound to a specific CRL through the CRL distribution point (CDP) defined in RFC 5280 .PARTITIONED- Compared to complete CRLs, partitioned CRLs dramatically increase the number of certificates your private CA can issue.
When using partitioned CRLs, you must validate that the CRL's associated issuing distribution point (IDP) URI matches the certificate's CDP URI to ensure the right CRL has been fetched. AWS Private CA marks the IDP extension as critical, which your client must be able to process.
- custom_
cname str Name inserted into the certificate CRL Distribution Points extension that enables the use of an alias for the CRL distribution point. Use this value if you don't want the name of your S3 bucket to be public.
The content of a Canonical Name (CNAME) record must conform to RFC2396 restrictions on the use of special characters in URIs. Additionally, the value of the CNAME must not include a protocol prefix such as "http://" or "https://".
- custom_
path str - Designates a custom file path in S3 for CRL(s). For example,
http://<CustomName>/<CustomPath>/<CrlPartition_GUID>.crl. - expiration_
in_ intdays - Validity period of the CRL in days.
- s3_
bucket_ strname Name of the S3 bucket that contains the CRL. If you do not provide a value for the CustomCname argument, the name of your S3 bucket is placed into the CRL Distribution Points extension of the issued certificate. You can change the name of your bucket by calling the UpdateCertificateAuthority operation. You must specify a bucket policy that allows AWS Private CA to write the CRL to your bucket.
The
S3BucketNameparameter must conform to the S3 bucket naming rules .- s3_
object_ stracl Determines whether the CRL will be publicly readable or privately held in the CRL Amazon S3 bucket. If you choose PUBLIC_READ, the CRL will be accessible over the public internet. If you choose BUCKET_OWNER_FULL_CONTROL, only the owner of the CRL S3 bucket can access the CRL, and your PKI clients may need an alternative method of access.
If no value is specified, the default is PUBLIC_READ.
Note: This default can cause CA creation to fail in some circumstances. If you have have enabled the Block Public Access (BPA) feature in your S3 account, then you must specify the value of this parameter as
BUCKET_OWNER_FULL_CONTROL, and not doing so results in an error. If you have disabled BPA in S3, then you can specify eitherBUCKET_OWNER_FULL_CONTROLorPUBLIC_READas the value.For more information, see Blocking public access to the S3 bucket .
- enabled Boolean
- Boolean value that specifies whether certificate revocation lists (CRLs) are enabled. You can use this value to enable certificate revocation for a new CA when you call the
CreateCertificateAuthorityoperation or for an existing CA when you call theUpdateCertificateAuthorityoperation. - crl
Distribution Property MapPoint Extension Configuration - Configures the default behavior of the CRL Distribution Point extension for certificates issued by your CA. If this field is not provided, then the CRL Distribution Point extension will be present and contain the default CRL URL.
- crl
Type String Specifies the type of CRL. This setting determines the maximum number of certificates that the certificate authority can issue and revoke. For more information, see AWS Private CA quotas .
COMPLETE- The default setting. AWS Private CA maintains a single CRL file for all unexpired certificates issued by a CA that have been revoked for any reason. Each certificate that AWS Private CA issues is bound to a specific CRL through the CRL distribution point (CDP) defined in RFC 5280 .PARTITIONED- Compared to complete CRLs, partitioned CRLs dramatically increase the number of certificates your private CA can issue.
When using partitioned CRLs, you must validate that the CRL's associated issuing distribution point (IDP) URI matches the certificate's CDP URI to ensure the right CRL has been fetched. AWS Private CA marks the IDP extension as critical, which your client must be able to process.
- custom
Cname String Name inserted into the certificate CRL Distribution Points extension that enables the use of an alias for the CRL distribution point. Use this value if you don't want the name of your S3 bucket to be public.
The content of a Canonical Name (CNAME) record must conform to RFC2396 restrictions on the use of special characters in URIs. Additionally, the value of the CNAME must not include a protocol prefix such as "http://" or "https://".
- custom
Path String - Designates a custom file path in S3 for CRL(s). For example,
http://<CustomName>/<CustomPath>/<CrlPartition_GUID>.crl. - expiration
In NumberDays - Validity period of the CRL in days.
- s3Bucket
Name String Name of the S3 bucket that contains the CRL. If you do not provide a value for the CustomCname argument, the name of your S3 bucket is placed into the CRL Distribution Points extension of the issued certificate. You can change the name of your bucket by calling the UpdateCertificateAuthority operation. You must specify a bucket policy that allows AWS Private CA to write the CRL to your bucket.
The
S3BucketNameparameter must conform to the S3 bucket naming rules .- s3Object
Acl String Determines whether the CRL will be publicly readable or privately held in the CRL Amazon S3 bucket. If you choose PUBLIC_READ, the CRL will be accessible over the public internet. If you choose BUCKET_OWNER_FULL_CONTROL, only the owner of the CRL S3 bucket can access the CRL, and your PKI clients may need an alternative method of access.
If no value is specified, the default is PUBLIC_READ.
Note: This default can cause CA creation to fail in some circumstances. If you have have enabled the Block Public Access (BPA) feature in your S3 account, then you must specify the value of this parameter as
BUCKET_OWNER_FULL_CONTROL, and not doing so results in an error. If you have disabled BPA in S3, then you can specify eitherBUCKET_OWNER_FULL_CONTROLorPUBLIC_READas the value.For more information, see Blocking public access to the S3 bucket .
CertificateAuthorityCrlDistributionPointExtensionConfiguration, CertificateAuthorityCrlDistributionPointExtensionConfigurationArgs
- Omit
Extension bool Configures whether the CRL Distribution Point extension should be populated with the default URL to the CRL. If set to
true, then the CDP extension will not be present in any certificates issued by that CA unless otherwise specified through CSR or API passthrough.Only set this if you have another way to distribute the CRL Distribution Points for certificates issued by your CA, such as the Matter Distributed Compliance Ledger.
This configuration cannot be enabled with a custom CNAME set.
- Omit
Extension bool Configures whether the CRL Distribution Point extension should be populated with the default URL to the CRL. If set to
true, then the CDP extension will not be present in any certificates issued by that CA unless otherwise specified through CSR or API passthrough.Only set this if you have another way to distribute the CRL Distribution Points for certificates issued by your CA, such as the Matter Distributed Compliance Ledger.
This configuration cannot be enabled with a custom CNAME set.
- omit
Extension Boolean Configures whether the CRL Distribution Point extension should be populated with the default URL to the CRL. If set to
true, then the CDP extension will not be present in any certificates issued by that CA unless otherwise specified through CSR or API passthrough.Only set this if you have another way to distribute the CRL Distribution Points for certificates issued by your CA, such as the Matter Distributed Compliance Ledger.
This configuration cannot be enabled with a custom CNAME set.
- omit
Extension boolean Configures whether the CRL Distribution Point extension should be populated with the default URL to the CRL. If set to
true, then the CDP extension will not be present in any certificates issued by that CA unless otherwise specified through CSR or API passthrough.Only set this if you have another way to distribute the CRL Distribution Points for certificates issued by your CA, such as the Matter Distributed Compliance Ledger.
This configuration cannot be enabled with a custom CNAME set.
- omit_
extension bool Configures whether the CRL Distribution Point extension should be populated with the default URL to the CRL. If set to
true, then the CDP extension will not be present in any certificates issued by that CA unless otherwise specified through CSR or API passthrough.Only set this if you have another way to distribute the CRL Distribution Points for certificates issued by your CA, such as the Matter Distributed Compliance Ledger.
This configuration cannot be enabled with a custom CNAME set.
- omit
Extension Boolean Configures whether the CRL Distribution Point extension should be populated with the default URL to the CRL. If set to
true, then the CDP extension will not be present in any certificates issued by that CA unless otherwise specified through CSR or API passthrough.Only set this if you have another way to distribute the CRL Distribution Points for certificates issued by your CA, such as the Matter Distributed Compliance Ledger.
This configuration cannot be enabled with a custom CNAME set.
CertificateAuthorityCsrExtensions, CertificateAuthorityCsrExtensionsArgs
- Key
Usage Pulumi.Aws Native. Acmpca. Inputs. Certificate Authority Key Usage - Indicates the purpose of the certificate and of the key contained in the certificate.
- Subject
Information List<Pulumi.Access Aws Native. Acmpca. Inputs. Certificate Authority Access Description> - For CA certificates, provides a path to additional information pertaining to the CA, such as revocation and policy. For more information, see Subject Information Access in RFC 5280.
- Key
Usage CertificateAuthority Key Usage - Indicates the purpose of the certificate and of the key contained in the certificate.
- Subject
Information []CertificateAccess Authority Access Description - For CA certificates, provides a path to additional information pertaining to the CA, such as revocation and policy. For more information, see Subject Information Access in RFC 5280.
- key
Usage CertificateAuthority Key Usage - Indicates the purpose of the certificate and of the key contained in the certificate.
- subject
Information List<CertificateAccess Authority Access Description> - For CA certificates, provides a path to additional information pertaining to the CA, such as revocation and policy. For more information, see Subject Information Access in RFC 5280.
- key
Usage CertificateAuthority Key Usage - Indicates the purpose of the certificate and of the key contained in the certificate.
- subject
Information CertificateAccess Authority Access Description[] - For CA certificates, provides a path to additional information pertaining to the CA, such as revocation and policy. For more information, see Subject Information Access in RFC 5280.
- key_
usage CertificateAuthority Key Usage - Indicates the purpose of the certificate and of the key contained in the certificate.
- subject_
information_ Sequence[Certificateaccess Authority Access Description] - For CA certificates, provides a path to additional information pertaining to the CA, such as revocation and policy. For more information, see Subject Information Access in RFC 5280.
- key
Usage Property Map - Indicates the purpose of the certificate and of the key contained in the certificate.
- subject
Information List<Property Map>Access - For CA certificates, provides a path to additional information pertaining to the CA, such as revocation and policy. For more information, see Subject Information Access in RFC 5280.
CertificateAuthorityCustomAttribute, CertificateAuthorityCustomAttributeArgs
- Object
Identifier string - Value string
- Object
Identifier string - Value string
- object
Identifier String - value String
- object
Identifier string - value string
- object_
identifier str - value str
- object
Identifier String - value String
CertificateAuthorityEdiPartyName, CertificateAuthorityEdiPartyNameArgs
- Party
Name string - Name
Assigner string
- Party
Name string - Name
Assigner string
- party
Name String - name
Assigner String
- party
Name string - name
Assigner string
- party_
name str - name_
assigner str
- party
Name String - name
Assigner String
CertificateAuthorityGeneralName, CertificateAuthorityGeneralNameArgs
- Directory
Name Pulumi.Aws Native. Acmpca. Inputs. Certificate Authority Subject - Dns
Name string - Edi
Party Pulumi.Name Aws Native. Acmpca. Inputs. Certificate Authority Edi Party Name - Ip
Address string - Other
Name Pulumi.Aws Native. Acmpca. Inputs. Certificate Authority Other Name - Registered
Id string - Rfc822Name string
- Uniform
Resource stringIdentifier
- directory
Name Property Map - dns
Name String - edi
Party Property MapName - ip
Address String - other
Name Property Map - registered
Id String - rfc822Name String
- uniform
Resource StringIdentifier
CertificateAuthorityKeyUsage, CertificateAuthorityKeyUsageArgs
- Crl
Sign bool - Key can be used to sign CRLs.
- Data
Encipherment bool - Key can be used to decipher data.
- Decipher
Only bool - Key can be used only to decipher data.
- Digital
Signature bool - Key can be used for digital signing.
- Encipher
Only bool - Key can be used only to encipher data.
- Key
Agreement bool - Key can be used in a key-agreement protocol.
- Key
Cert boolSign - Key can be used to sign certificates.
- Key
Encipherment bool - Key can be used to encipher data.
- Non
Repudiation bool - Key can be used for non-repudiation.
- Crl
Sign bool - Key can be used to sign CRLs.
- Data
Encipherment bool - Key can be used to decipher data.
- Decipher
Only bool - Key can be used only to decipher data.
- Digital
Signature bool - Key can be used for digital signing.
- Encipher
Only bool - Key can be used only to encipher data.
- Key
Agreement bool - Key can be used in a key-agreement protocol.
- Key
Cert boolSign - Key can be used to sign certificates.
- Key
Encipherment bool - Key can be used to encipher data.
- Non
Repudiation bool - Key can be used for non-repudiation.
- crl
Sign Boolean - Key can be used to sign CRLs.
- data
Encipherment Boolean - Key can be used to decipher data.
- decipher
Only Boolean - Key can be used only to decipher data.
- digital
Signature Boolean - Key can be used for digital signing.
- encipher
Only Boolean - Key can be used only to encipher data.
- key
Agreement Boolean - Key can be used in a key-agreement protocol.
- key
Cert BooleanSign - Key can be used to sign certificates.
- key
Encipherment Boolean - Key can be used to encipher data.
- non
Repudiation Boolean - Key can be used for non-repudiation.
- crl
Sign boolean - Key can be used to sign CRLs.
- data
Encipherment boolean - Key can be used to decipher data.
- decipher
Only boolean - Key can be used only to decipher data.
- digital
Signature boolean - Key can be used for digital signing.
- encipher
Only boolean - Key can be used only to encipher data.
- key
Agreement boolean - Key can be used in a key-agreement protocol.
- key
Cert booleanSign - Key can be used to sign certificates.
- key
Encipherment boolean - Key can be used to encipher data.
- non
Repudiation boolean - Key can be used for non-repudiation.
- crl_
sign bool - Key can be used to sign CRLs.
- data_
encipherment bool - Key can be used to decipher data.
- decipher_
only bool - Key can be used only to decipher data.
- digital_
signature bool - Key can be used for digital signing.
- encipher_
only bool - Key can be used only to encipher data.
- key_
agreement bool - Key can be used in a key-agreement protocol.
- key_
cert_ boolsign - Key can be used to sign certificates.
- key_
encipherment bool - Key can be used to encipher data.
- non_
repudiation bool - Key can be used for non-repudiation.
- crl
Sign Boolean - Key can be used to sign CRLs.
- data
Encipherment Boolean - Key can be used to decipher data.
- decipher
Only Boolean - Key can be used only to decipher data.
- digital
Signature Boolean - Key can be used for digital signing.
- encipher
Only Boolean - Key can be used only to encipher data.
- key
Agreement Boolean - Key can be used in a key-agreement protocol.
- key
Cert BooleanSign - Key can be used to sign certificates.
- key
Encipherment Boolean - Key can be used to encipher data.
- non
Repudiation Boolean - Key can be used for non-repudiation.
CertificateAuthorityOcspConfiguration, CertificateAuthorityOcspConfigurationArgs
- Enabled bool
- Flag enabling use of the Online Certificate Status Protocol (OCSP) for validating certificate revocation status.
- Ocsp
Custom stringCname By default, AWS Private CA injects an Amazon domain into certificates being validated by the Online Certificate Status Protocol (OCSP). A customer can alternatively use this object to define a CNAME specifying a customized OCSP domain.
The content of a Canonical Name (CNAME) record must conform to RFC2396 restrictions on the use of special characters in URIs. Additionally, the value of the CNAME must not include a protocol prefix such as "http://" or "https://".
- Enabled bool
- Flag enabling use of the Online Certificate Status Protocol (OCSP) for validating certificate revocation status.
- Ocsp
Custom stringCname By default, AWS Private CA injects an Amazon domain into certificates being validated by the Online Certificate Status Protocol (OCSP). A customer can alternatively use this object to define a CNAME specifying a customized OCSP domain.
The content of a Canonical Name (CNAME) record must conform to RFC2396 restrictions on the use of special characters in URIs. Additionally, the value of the CNAME must not include a protocol prefix such as "http://" or "https://".
- enabled Boolean
- Flag enabling use of the Online Certificate Status Protocol (OCSP) for validating certificate revocation status.
- ocsp
Custom StringCname By default, AWS Private CA injects an Amazon domain into certificates being validated by the Online Certificate Status Protocol (OCSP). A customer can alternatively use this object to define a CNAME specifying a customized OCSP domain.
The content of a Canonical Name (CNAME) record must conform to RFC2396 restrictions on the use of special characters in URIs. Additionally, the value of the CNAME must not include a protocol prefix such as "http://" or "https://".
- enabled boolean
- Flag enabling use of the Online Certificate Status Protocol (OCSP) for validating certificate revocation status.
- ocsp
Custom stringCname By default, AWS Private CA injects an Amazon domain into certificates being validated by the Online Certificate Status Protocol (OCSP). A customer can alternatively use this object to define a CNAME specifying a customized OCSP domain.
The content of a Canonical Name (CNAME) record must conform to RFC2396 restrictions on the use of special characters in URIs. Additionally, the value of the CNAME must not include a protocol prefix such as "http://" or "https://".
- enabled bool
- Flag enabling use of the Online Certificate Status Protocol (OCSP) for validating certificate revocation status.
- ocsp_
custom_ strcname By default, AWS Private CA injects an Amazon domain into certificates being validated by the Online Certificate Status Protocol (OCSP). A customer can alternatively use this object to define a CNAME specifying a customized OCSP domain.
The content of a Canonical Name (CNAME) record must conform to RFC2396 restrictions on the use of special characters in URIs. Additionally, the value of the CNAME must not include a protocol prefix such as "http://" or "https://".
- enabled Boolean
- Flag enabling use of the Online Certificate Status Protocol (OCSP) for validating certificate revocation status.
- ocsp
Custom StringCname By default, AWS Private CA injects an Amazon domain into certificates being validated by the Online Certificate Status Protocol (OCSP). A customer can alternatively use this object to define a CNAME specifying a customized OCSP domain.
The content of a Canonical Name (CNAME) record must conform to RFC2396 restrictions on the use of special characters in URIs. Additionally, the value of the CNAME must not include a protocol prefix such as "http://" or "https://".
CertificateAuthorityOtherName, CertificateAuthorityOtherNameArgs
CertificateAuthorityRevocationConfiguration, CertificateAuthorityRevocationConfigurationArgs
- Crl
Configuration Pulumi.Aws Native. Acmpca. Inputs. Certificate Authority Crl Configuration - Configuration of the certificate revocation list (CRL), if any, maintained by your private CA.
- Ocsp
Configuration Pulumi.Aws Native. Acmpca. Inputs. Certificate Authority Ocsp Configuration - Configuration of Online Certificate Status Protocol (OCSP) support, if any, maintained by your private CA.
- Crl
Configuration CertificateAuthority Crl Configuration - Configuration of the certificate revocation list (CRL), if any, maintained by your private CA.
- Ocsp
Configuration CertificateAuthority Ocsp Configuration - Configuration of Online Certificate Status Protocol (OCSP) support, if any, maintained by your private CA.
- crl
Configuration CertificateAuthority Crl Configuration - Configuration of the certificate revocation list (CRL), if any, maintained by your private CA.
- ocsp
Configuration CertificateAuthority Ocsp Configuration - Configuration of Online Certificate Status Protocol (OCSP) support, if any, maintained by your private CA.
- crl
Configuration CertificateAuthority Crl Configuration - Configuration of the certificate revocation list (CRL), if any, maintained by your private CA.
- ocsp
Configuration CertificateAuthority Ocsp Configuration - Configuration of Online Certificate Status Protocol (OCSP) support, if any, maintained by your private CA.
- crl_
configuration CertificateAuthority Crl Configuration - Configuration of the certificate revocation list (CRL), if any, maintained by your private CA.
- ocsp_
configuration CertificateAuthority Ocsp Configuration - Configuration of Online Certificate Status Protocol (OCSP) support, if any, maintained by your private CA.
- crl
Configuration Property Map - Configuration of the certificate revocation list (CRL), if any, maintained by your private CA.
- ocsp
Configuration Property Map - Configuration of Online Certificate Status Protocol (OCSP) support, if any, maintained by your private CA.
CertificateAuthoritySubject, CertificateAuthoritySubjectArgs
- Common
Name string - Country string
- Custom
Attributes List<Pulumi.Aws Native. Acmpca. Inputs. Certificate Authority Custom Attribute> - Distinguished
Name stringQualifier - Generation
Qualifier string - Given
Name string - Initials string
- Locality string
- Organization string
- Organizational
Unit string - Pseudonym string
- Serial
Number string - State string
- Surname string
- Title string
- Common
Name string - Country string
- Custom
Attributes []CertificateAuthority Custom Attribute - Distinguished
Name stringQualifier - Generation
Qualifier string - Given
Name string - Initials string
- Locality string
- Organization string
- Organizational
Unit string - Pseudonym string
- Serial
Number string - State string
- Surname string
- Title string
- common
Name String - country String
- custom
Attributes List<CertificateAuthority Custom Attribute> - distinguished
Name StringQualifier - generation
Qualifier String - given
Name String - initials String
- locality String
- organization String
- organizational
Unit String - pseudonym String
- serial
Number String - state String
- surname String
- title String
- common
Name string - country string
- custom
Attributes CertificateAuthority Custom Attribute[] - distinguished
Name stringQualifier - generation
Qualifier string - given
Name string - initials string
- locality string
- organization string
- organizational
Unit string - pseudonym string
- serial
Number string - state string
- surname string
- title string
- common_
name str - country str
- custom_
attributes Sequence[CertificateAuthority Custom Attribute] - distinguished_
name_ strqualifier - generation_
qualifier str - given_
name str - initials str
- locality str
- organization str
- organizational_
unit str - pseudonym str
- serial_
number str - state str
- surname str
- title str
- common
Name String - country String
- custom
Attributes List<Property Map> - distinguished
Name StringQualifier - generation
Qualifier String - given
Name String - initials String
- locality String
- organization String
- organizational
Unit String - pseudonym String
- serial
Number String - state String
- surname String
- title String
Tag, TagArgs
Package Details
- Repository
- AWS Native pulumi/pulumi-aws-native
- License
- Apache-2.0
We recommend new projects start with resources from the AWS provider.