1. Packages
  2. AWS Classic
  3. API Docs
  4. acmpca
  5. CertificateAuthority

Try AWS Native preview for resources not in the classic version.

AWS Classic v6.24.0 published on Tuesday, Feb 27, 2024 by Pulumi

aws.acmpca.CertificateAuthority

Explore with Pulumi AI

aws logo

Try AWS Native preview for resources not in the classic version.

AWS Classic v6.24.0 published on Tuesday, Feb 27, 2024 by Pulumi

    Provides a resource to manage AWS Certificate Manager Private Certificate Authorities (ACM PCA Certificate Authorities).

    NOTE: Creating this resource will leave the certificate authority in a PENDING_CERTIFICATE status, which means it cannot yet issue certificates. To complete this setup, you must fully sign the certificate authority CSR available in the certificate_signing_request attribute. The aws.acmpca.CertificateAuthorityCertificate resource can be used for this purpose.

    Example Usage

    Basic

    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Aws = Pulumi.Aws;
    
    return await Deployment.RunAsync(() => 
    {
        var example = new Aws.Acmpca.CertificateAuthority("example", new()
        {
            CertificateAuthorityConfiguration = new Aws.Acmpca.Inputs.CertificateAuthorityCertificateAuthorityConfigurationArgs
            {
                KeyAlgorithm = "RSA_4096",
                SigningAlgorithm = "SHA512WITHRSA",
                Subject = new Aws.Acmpca.Inputs.CertificateAuthorityCertificateAuthorityConfigurationSubjectArgs
                {
                    CommonName = "example.com",
                },
            },
            PermanentDeletionTimeInDays = 7,
        });
    
    });
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/acmpca"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		_, err := acmpca.NewCertificateAuthority(ctx, "example", &acmpca.CertificateAuthorityArgs{
    			CertificateAuthorityConfiguration: &acmpca.CertificateAuthorityCertificateAuthorityConfigurationArgs{
    				KeyAlgorithm:     pulumi.String("RSA_4096"),
    				SigningAlgorithm: pulumi.String("SHA512WITHRSA"),
    				Subject: &acmpca.CertificateAuthorityCertificateAuthorityConfigurationSubjectArgs{
    					CommonName: pulumi.String("example.com"),
    				},
    			},
    			PermanentDeletionTimeInDays: pulumi.Int(7),
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.aws.acmpca.CertificateAuthority;
    import com.pulumi.aws.acmpca.CertificateAuthorityArgs;
    import com.pulumi.aws.acmpca.inputs.CertificateAuthorityCertificateAuthorityConfigurationArgs;
    import com.pulumi.aws.acmpca.inputs.CertificateAuthorityCertificateAuthorityConfigurationSubjectArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            var example = new CertificateAuthority("example", CertificateAuthorityArgs.builder()        
                .certificateAuthorityConfiguration(CertificateAuthorityCertificateAuthorityConfigurationArgs.builder()
                    .keyAlgorithm("RSA_4096")
                    .signingAlgorithm("SHA512WITHRSA")
                    .subject(CertificateAuthorityCertificateAuthorityConfigurationSubjectArgs.builder()
                        .commonName("example.com")
                        .build())
                    .build())
                .permanentDeletionTimeInDays(7)
                .build());
    
        }
    }
    
    import pulumi
    import pulumi_aws as aws
    
    example = aws.acmpca.CertificateAuthority("example",
        certificate_authority_configuration=aws.acmpca.CertificateAuthorityCertificateAuthorityConfigurationArgs(
            key_algorithm="RSA_4096",
            signing_algorithm="SHA512WITHRSA",
            subject=aws.acmpca.CertificateAuthorityCertificateAuthorityConfigurationSubjectArgs(
                common_name="example.com",
            ),
        ),
        permanent_deletion_time_in_days=7)
    
    import * as pulumi from "@pulumi/pulumi";
    import * as aws from "@pulumi/aws";
    
    const example = new aws.acmpca.CertificateAuthority("example", {
        certificateAuthorityConfiguration: {
            keyAlgorithm: "RSA_4096",
            signingAlgorithm: "SHA512WITHRSA",
            subject: {
                commonName: "example.com",
            },
        },
        permanentDeletionTimeInDays: 7,
    });
    
    resources:
      example:
        type: aws:acmpca:CertificateAuthority
        properties:
          certificateAuthorityConfiguration:
            keyAlgorithm: RSA_4096
            signingAlgorithm: SHA512WITHRSA
            subject:
              commonName: example.com
          permanentDeletionTimeInDays: 7
    

    Short-lived certificate

    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Aws = Pulumi.Aws;
    
    return await Deployment.RunAsync(() => 
    {
        var example = new Aws.Acmpca.CertificateAuthority("example", new()
        {
            CertificateAuthorityConfiguration = new Aws.Acmpca.Inputs.CertificateAuthorityCertificateAuthorityConfigurationArgs
            {
                KeyAlgorithm = "RSA_4096",
                SigningAlgorithm = "SHA512WITHRSA",
                Subject = new Aws.Acmpca.Inputs.CertificateAuthorityCertificateAuthorityConfigurationSubjectArgs
                {
                    CommonName = "example.com",
                },
            },
            UsageMode = "SHORT_LIVED_CERTIFICATE",
        });
    
    });
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/acmpca"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		_, err := acmpca.NewCertificateAuthority(ctx, "example", &acmpca.CertificateAuthorityArgs{
    			CertificateAuthorityConfiguration: &acmpca.CertificateAuthorityCertificateAuthorityConfigurationArgs{
    				KeyAlgorithm:     pulumi.String("RSA_4096"),
    				SigningAlgorithm: pulumi.String("SHA512WITHRSA"),
    				Subject: &acmpca.CertificateAuthorityCertificateAuthorityConfigurationSubjectArgs{
    					CommonName: pulumi.String("example.com"),
    				},
    			},
    			UsageMode: pulumi.String("SHORT_LIVED_CERTIFICATE"),
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.aws.acmpca.CertificateAuthority;
    import com.pulumi.aws.acmpca.CertificateAuthorityArgs;
    import com.pulumi.aws.acmpca.inputs.CertificateAuthorityCertificateAuthorityConfigurationArgs;
    import com.pulumi.aws.acmpca.inputs.CertificateAuthorityCertificateAuthorityConfigurationSubjectArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            var example = new CertificateAuthority("example", CertificateAuthorityArgs.builder()        
                .certificateAuthorityConfiguration(CertificateAuthorityCertificateAuthorityConfigurationArgs.builder()
                    .keyAlgorithm("RSA_4096")
                    .signingAlgorithm("SHA512WITHRSA")
                    .subject(CertificateAuthorityCertificateAuthorityConfigurationSubjectArgs.builder()
                        .commonName("example.com")
                        .build())
                    .build())
                .usageMode("SHORT_LIVED_CERTIFICATE")
                .build());
    
        }
    }
    
    import pulumi
    import pulumi_aws as aws
    
    example = aws.acmpca.CertificateAuthority("example",
        certificate_authority_configuration=aws.acmpca.CertificateAuthorityCertificateAuthorityConfigurationArgs(
            key_algorithm="RSA_4096",
            signing_algorithm="SHA512WITHRSA",
            subject=aws.acmpca.CertificateAuthorityCertificateAuthorityConfigurationSubjectArgs(
                common_name="example.com",
            ),
        ),
        usage_mode="SHORT_LIVED_CERTIFICATE")
    
    import * as pulumi from "@pulumi/pulumi";
    import * as aws from "@pulumi/aws";
    
    const example = new aws.acmpca.CertificateAuthority("example", {
        certificateAuthorityConfiguration: {
            keyAlgorithm: "RSA_4096",
            signingAlgorithm: "SHA512WITHRSA",
            subject: {
                commonName: "example.com",
            },
        },
        usageMode: "SHORT_LIVED_CERTIFICATE",
    });
    
    resources:
      example:
        type: aws:acmpca:CertificateAuthority
        properties:
          certificateAuthorityConfiguration:
            keyAlgorithm: RSA_4096
            signingAlgorithm: SHA512WITHRSA
            subject:
              commonName: example.com
          usageMode: SHORT_LIVED_CERTIFICATE
    

    Enable Certificate Revocation List

    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Aws = Pulumi.Aws;
    
    return await Deployment.RunAsync(() => 
    {
        var exampleBucketV2 = new Aws.S3.BucketV2("exampleBucketV2", new()
        {
            ForceDestroy = true,
        });
    
        var acmpcaBucketAccess = Aws.Iam.GetPolicyDocument.Invoke(new()
        {
            Statements = new[]
            {
                new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs
                {
                    Actions = new[]
                    {
                        "s3:GetBucketAcl",
                        "s3:GetBucketLocation",
                        "s3:PutObject",
                        "s3:PutObjectAcl",
                    },
                    Resources = new[]
                    {
                        exampleBucketV2.Arn,
                        $"{exampleBucketV2.Arn}/*",
                    },
                    Principals = new[]
                    {
                        new Aws.Iam.Inputs.GetPolicyDocumentStatementPrincipalInputArgs
                        {
                            Identifiers = new[]
                            {
                                "acm-pca.amazonaws.com",
                            },
                            Type = "Service",
                        },
                    },
                },
            },
        });
    
        var exampleBucketPolicy = new Aws.S3.BucketPolicy("exampleBucketPolicy", new()
        {
            Bucket = exampleBucketV2.Id,
            Policy = acmpcaBucketAccess.Apply(getPolicyDocumentResult => getPolicyDocumentResult.Json),
        });
    
        var exampleCertificateAuthority = new Aws.Acmpca.CertificateAuthority("exampleCertificateAuthority", new()
        {
            CertificateAuthorityConfiguration = new Aws.Acmpca.Inputs.CertificateAuthorityCertificateAuthorityConfigurationArgs
            {
                KeyAlgorithm = "RSA_4096",
                SigningAlgorithm = "SHA512WITHRSA",
                Subject = new Aws.Acmpca.Inputs.CertificateAuthorityCertificateAuthorityConfigurationSubjectArgs
                {
                    CommonName = "example.com",
                },
            },
            RevocationConfiguration = new Aws.Acmpca.Inputs.CertificateAuthorityRevocationConfigurationArgs
            {
                CrlConfiguration = new Aws.Acmpca.Inputs.CertificateAuthorityRevocationConfigurationCrlConfigurationArgs
                {
                    CustomCname = "crl.example.com",
                    Enabled = true,
                    ExpirationInDays = 7,
                    S3BucketName = exampleBucketV2.Id,
                    S3ObjectAcl = "BUCKET_OWNER_FULL_CONTROL",
                },
            },
        }, new CustomResourceOptions
        {
            DependsOn = new[]
            {
                exampleBucketPolicy,
            },
        });
    
    });
    
    package main
    
    import (
    	"fmt"
    
    	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/acmpca"
    	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/iam"
    	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/s3"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		exampleBucketV2, err := s3.NewBucketV2(ctx, "exampleBucketV2", &s3.BucketV2Args{
    			ForceDestroy: pulumi.Bool(true),
    		})
    		if err != nil {
    			return err
    		}
    		acmpcaBucketAccess := iam.GetPolicyDocumentOutput(ctx, iam.GetPolicyDocumentOutputArgs{
    			Statements: iam.GetPolicyDocumentStatementArray{
    				&iam.GetPolicyDocumentStatementArgs{
    					Actions: pulumi.StringArray{
    						pulumi.String("s3:GetBucketAcl"),
    						pulumi.String("s3:GetBucketLocation"),
    						pulumi.String("s3:PutObject"),
    						pulumi.String("s3:PutObjectAcl"),
    					},
    					Resources: pulumi.StringArray{
    						exampleBucketV2.Arn,
    						exampleBucketV2.Arn.ApplyT(func(arn string) (string, error) {
    							return fmt.Sprintf("%v/*", arn), nil
    						}).(pulumi.StringOutput),
    					},
    					Principals: iam.GetPolicyDocumentStatementPrincipalArray{
    						&iam.GetPolicyDocumentStatementPrincipalArgs{
    							Identifiers: pulumi.StringArray{
    								pulumi.String("acm-pca.amazonaws.com"),
    							},
    							Type: pulumi.String("Service"),
    						},
    					},
    				},
    			},
    		}, nil)
    		exampleBucketPolicy, err := s3.NewBucketPolicy(ctx, "exampleBucketPolicy", &s3.BucketPolicyArgs{
    			Bucket: exampleBucketV2.ID(),
    			Policy: acmpcaBucketAccess.ApplyT(func(acmpcaBucketAccess iam.GetPolicyDocumentResult) (*string, error) {
    				return &acmpcaBucketAccess.Json, nil
    			}).(pulumi.StringPtrOutput),
    		})
    		if err != nil {
    			return err
    		}
    		_, err = acmpca.NewCertificateAuthority(ctx, "exampleCertificateAuthority", &acmpca.CertificateAuthorityArgs{
    			CertificateAuthorityConfiguration: &acmpca.CertificateAuthorityCertificateAuthorityConfigurationArgs{
    				KeyAlgorithm:     pulumi.String("RSA_4096"),
    				SigningAlgorithm: pulumi.String("SHA512WITHRSA"),
    				Subject: &acmpca.CertificateAuthorityCertificateAuthorityConfigurationSubjectArgs{
    					CommonName: pulumi.String("example.com"),
    				},
    			},
    			RevocationConfiguration: &acmpca.CertificateAuthorityRevocationConfigurationArgs{
    				CrlConfiguration: &acmpca.CertificateAuthorityRevocationConfigurationCrlConfigurationArgs{
    					CustomCname:      pulumi.String("crl.example.com"),
    					Enabled:          pulumi.Bool(true),
    					ExpirationInDays: pulumi.Int(7),
    					S3BucketName:     exampleBucketV2.ID(),
    					S3ObjectAcl:      pulumi.String("BUCKET_OWNER_FULL_CONTROL"),
    				},
    			},
    		}, pulumi.DependsOn([]pulumi.Resource{
    			exampleBucketPolicy,
    		}))
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.aws.s3.BucketV2;
    import com.pulumi.aws.s3.BucketV2Args;
    import com.pulumi.aws.iam.IamFunctions;
    import com.pulumi.aws.iam.inputs.GetPolicyDocumentArgs;
    import com.pulumi.aws.s3.BucketPolicy;
    import com.pulumi.aws.s3.BucketPolicyArgs;
    import com.pulumi.aws.acmpca.CertificateAuthority;
    import com.pulumi.aws.acmpca.CertificateAuthorityArgs;
    import com.pulumi.aws.acmpca.inputs.CertificateAuthorityCertificateAuthorityConfigurationArgs;
    import com.pulumi.aws.acmpca.inputs.CertificateAuthorityCertificateAuthorityConfigurationSubjectArgs;
    import com.pulumi.aws.acmpca.inputs.CertificateAuthorityRevocationConfigurationArgs;
    import com.pulumi.aws.acmpca.inputs.CertificateAuthorityRevocationConfigurationCrlConfigurationArgs;
    import com.pulumi.resources.CustomResourceOptions;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            var exampleBucketV2 = new BucketV2("exampleBucketV2", BucketV2Args.builder()        
                .forceDestroy(true)
                .build());
    
            final var acmpcaBucketAccess = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
                .statements(GetPolicyDocumentStatementArgs.builder()
                    .actions(                
                        "s3:GetBucketAcl",
                        "s3:GetBucketLocation",
                        "s3:PutObject",
                        "s3:PutObjectAcl")
                    .resources(                
                        exampleBucketV2.arn(),
                        exampleBucketV2.arn().applyValue(arn -> String.format("%s/*", arn)))
                    .principals(GetPolicyDocumentStatementPrincipalArgs.builder()
                        .identifiers("acm-pca.amazonaws.com")
                        .type("Service")
                        .build())
                    .build())
                .build());
    
            var exampleBucketPolicy = new BucketPolicy("exampleBucketPolicy", BucketPolicyArgs.builder()        
                .bucket(exampleBucketV2.id())
                .policy(acmpcaBucketAccess.applyValue(getPolicyDocumentResult -> getPolicyDocumentResult).applyValue(acmpcaBucketAccess -> acmpcaBucketAccess.applyValue(getPolicyDocumentResult -> getPolicyDocumentResult.json())))
                .build());
    
            var exampleCertificateAuthority = new CertificateAuthority("exampleCertificateAuthority", CertificateAuthorityArgs.builder()        
                .certificateAuthorityConfiguration(CertificateAuthorityCertificateAuthorityConfigurationArgs.builder()
                    .keyAlgorithm("RSA_4096")
                    .signingAlgorithm("SHA512WITHRSA")
                    .subject(CertificateAuthorityCertificateAuthorityConfigurationSubjectArgs.builder()
                        .commonName("example.com")
                        .build())
                    .build())
                .revocationConfiguration(CertificateAuthorityRevocationConfigurationArgs.builder()
                    .crlConfiguration(CertificateAuthorityRevocationConfigurationCrlConfigurationArgs.builder()
                        .customCname("crl.example.com")
                        .enabled(true)
                        .expirationInDays(7)
                        .s3BucketName(exampleBucketV2.id())
                        .s3ObjectAcl("BUCKET_OWNER_FULL_CONTROL")
                        .build())
                    .build())
                .build(), CustomResourceOptions.builder()
                    .dependsOn(exampleBucketPolicy)
                    .build());
    
        }
    }
    
    import pulumi
    import pulumi_aws as aws
    
    example_bucket_v2 = aws.s3.BucketV2("exampleBucketV2", force_destroy=True)
    acmpca_bucket_access = aws.iam.get_policy_document_output(statements=[aws.iam.GetPolicyDocumentStatementArgs(
        actions=[
            "s3:GetBucketAcl",
            "s3:GetBucketLocation",
            "s3:PutObject",
            "s3:PutObjectAcl",
        ],
        resources=[
            example_bucket_v2.arn,
            example_bucket_v2.arn.apply(lambda arn: f"{arn}/*"),
        ],
        principals=[aws.iam.GetPolicyDocumentStatementPrincipalArgs(
            identifiers=["acm-pca.amazonaws.com"],
            type="Service",
        )],
    )])
    example_bucket_policy = aws.s3.BucketPolicy("exampleBucketPolicy",
        bucket=example_bucket_v2.id,
        policy=acmpca_bucket_access.json)
    example_certificate_authority = aws.acmpca.CertificateAuthority("exampleCertificateAuthority",
        certificate_authority_configuration=aws.acmpca.CertificateAuthorityCertificateAuthorityConfigurationArgs(
            key_algorithm="RSA_4096",
            signing_algorithm="SHA512WITHRSA",
            subject=aws.acmpca.CertificateAuthorityCertificateAuthorityConfigurationSubjectArgs(
                common_name="example.com",
            ),
        ),
        revocation_configuration=aws.acmpca.CertificateAuthorityRevocationConfigurationArgs(
            crl_configuration=aws.acmpca.CertificateAuthorityRevocationConfigurationCrlConfigurationArgs(
                custom_cname="crl.example.com",
                enabled=True,
                expiration_in_days=7,
                s3_bucket_name=example_bucket_v2.id,
                s3_object_acl="BUCKET_OWNER_FULL_CONTROL",
            ),
        ),
        opts=pulumi.ResourceOptions(depends_on=[example_bucket_policy]))
    
    import * as pulumi from "@pulumi/pulumi";
    import * as aws from "@pulumi/aws";
    
    const exampleBucketV2 = new aws.s3.BucketV2("exampleBucketV2", {forceDestroy: true});
    const acmpcaBucketAccess = aws.iam.getPolicyDocumentOutput({
        statements: [{
            actions: [
                "s3:GetBucketAcl",
                "s3:GetBucketLocation",
                "s3:PutObject",
                "s3:PutObjectAcl",
            ],
            resources: [
                exampleBucketV2.arn,
                pulumi.interpolate`${exampleBucketV2.arn}/*`,
            ],
            principals: [{
                identifiers: ["acm-pca.amazonaws.com"],
                type: "Service",
            }],
        }],
    });
    const exampleBucketPolicy = new aws.s3.BucketPolicy("exampleBucketPolicy", {
        bucket: exampleBucketV2.id,
        policy: acmpcaBucketAccess.apply(acmpcaBucketAccess => acmpcaBucketAccess.json),
    });
    const exampleCertificateAuthority = new aws.acmpca.CertificateAuthority("exampleCertificateAuthority", {
        certificateAuthorityConfiguration: {
            keyAlgorithm: "RSA_4096",
            signingAlgorithm: "SHA512WITHRSA",
            subject: {
                commonName: "example.com",
            },
        },
        revocationConfiguration: {
            crlConfiguration: {
                customCname: "crl.example.com",
                enabled: true,
                expirationInDays: 7,
                s3BucketName: exampleBucketV2.id,
                s3ObjectAcl: "BUCKET_OWNER_FULL_CONTROL",
            },
        },
    }, {
        dependsOn: [exampleBucketPolicy],
    });
    
    resources:
      exampleBucketV2:
        type: aws:s3:BucketV2
        properties:
          forceDestroy: true
      exampleBucketPolicy:
        type: aws:s3:BucketPolicy
        properties:
          bucket: ${exampleBucketV2.id}
          policy: ${acmpcaBucketAccess.json}
      exampleCertificateAuthority:
        type: aws:acmpca:CertificateAuthority
        properties:
          certificateAuthorityConfiguration:
            keyAlgorithm: RSA_4096
            signingAlgorithm: SHA512WITHRSA
            subject:
              commonName: example.com
          revocationConfiguration:
            crlConfiguration:
              customCname: crl.example.com
              enabled: true
              expirationInDays: 7
              s3BucketName: ${exampleBucketV2.id}
              s3ObjectAcl: BUCKET_OWNER_FULL_CONTROL
        options:
          dependson:
            - ${exampleBucketPolicy}
    variables:
      acmpcaBucketAccess:
        fn::invoke:
          Function: aws:iam:getPolicyDocument
          Arguments:
            statements:
              - actions:
                  - s3:GetBucketAcl
                  - s3:GetBucketLocation
                  - s3:PutObject
                  - s3:PutObjectAcl
                resources:
                  - ${exampleBucketV2.arn}
                  - ${exampleBucketV2.arn}/*
                principals:
                  - identifiers:
                      - acm-pca.amazonaws.com
                    type: Service
    

    Create CertificateAuthority Resource

    new CertificateAuthority(name: string, args: CertificateAuthorityArgs, opts?: CustomResourceOptions);
    @overload
    def CertificateAuthority(resource_name: str,
                             opts: Optional[ResourceOptions] = None,
                             certificate_authority_configuration: Optional[CertificateAuthorityCertificateAuthorityConfigurationArgs] = None,
                             enabled: Optional[bool] = None,
                             key_storage_security_standard: Optional[str] = None,
                             permanent_deletion_time_in_days: Optional[int] = None,
                             revocation_configuration: Optional[CertificateAuthorityRevocationConfigurationArgs] = None,
                             tags: Optional[Mapping[str, str]] = None,
                             type: Optional[str] = None,
                             usage_mode: Optional[str] = None)
    @overload
    def CertificateAuthority(resource_name: str,
                             args: CertificateAuthorityArgs,
                             opts: Optional[ResourceOptions] = None)
    func NewCertificateAuthority(ctx *Context, name string, args CertificateAuthorityArgs, opts ...ResourceOption) (*CertificateAuthority, error)
    public CertificateAuthority(string name, CertificateAuthorityArgs args, CustomResourceOptions? opts = null)
    public CertificateAuthority(String name, CertificateAuthorityArgs args)
    public CertificateAuthority(String name, CertificateAuthorityArgs args, CustomResourceOptions options)
    
    type: aws:acmpca:CertificateAuthority
    properties: # The arguments to resource properties.
    options: # Bag of options to control resource's behavior.
    
    
    name string
    The unique name of the resource.
    args CertificateAuthorityArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    resource_name str
    The unique name of the resource.
    args CertificateAuthorityArgs
    The arguments to resource properties.
    opts ResourceOptions
    Bag of options to control resource's behavior.
    ctx Context
    Context object for the current deployment.
    name string
    The unique name of the resource.
    args CertificateAuthorityArgs
    The arguments to resource properties.
    opts ResourceOption
    Bag of options to control resource's behavior.
    name string
    The unique name of the resource.
    args CertificateAuthorityArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    name String
    The unique name of the resource.
    args CertificateAuthorityArgs
    The arguments to resource properties.
    options CustomResourceOptions
    Bag of options to control resource's behavior.

    CertificateAuthority Resource Properties

    To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

    Inputs

    The CertificateAuthority resource accepts the following input properties:

    CertificateAuthorityConfiguration CertificateAuthorityCertificateAuthorityConfiguration
    Nested argument containing algorithms and certificate subject information. Defined below.
    Enabled bool
    Whether the certificate authority is enabled or disabled. Defaults to true. Can only be disabled if the CA is in an ACTIVE state.
    KeyStorageSecurityStandard string
    Cryptographic key management compliance standard used for handling CA keys. Defaults to FIPS_140_2_LEVEL_3_OR_HIGHER. Valid values: FIPS_140_2_LEVEL_3_OR_HIGHER and FIPS_140_2_LEVEL_2_OR_HIGHER. Supported standard for each region can be found in the Storage and security compliance of AWS Private CA private keys Documentation.
    PermanentDeletionTimeInDays int
    Number of days to make a CA restorable after it has been deleted, must be between 7 to 30 days, with default to 30 days.
    RevocationConfiguration CertificateAuthorityRevocationConfiguration
    Nested argument containing revocation configuration. Defined below.
    Tags Dictionary<string, string>
    Key-value map of user-defined tags that are attached to the certificate authority. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
    Type string
    Type of the certificate authority. Defaults to SUBORDINATE. Valid values: ROOT and SUBORDINATE.
    UsageMode string
    Specifies whether the CA issues general-purpose certificates that typically require a revocation mechanism, or short-lived certificates that may optionally omit revocation because they expire quickly. Short-lived certificate validity is limited to seven days. Defaults to GENERAL_PURPOSE. Valid values: GENERAL_PURPOSE and SHORT_LIVED_CERTIFICATE.
    CertificateAuthorityConfiguration CertificateAuthorityCertificateAuthorityConfigurationArgs
    Nested argument containing algorithms and certificate subject information. Defined below.
    Enabled bool
    Whether the certificate authority is enabled or disabled. Defaults to true. Can only be disabled if the CA is in an ACTIVE state.
    KeyStorageSecurityStandard string
    Cryptographic key management compliance standard used for handling CA keys. Defaults to FIPS_140_2_LEVEL_3_OR_HIGHER. Valid values: FIPS_140_2_LEVEL_3_OR_HIGHER and FIPS_140_2_LEVEL_2_OR_HIGHER. Supported standard for each region can be found in the Storage and security compliance of AWS Private CA private keys Documentation.
    PermanentDeletionTimeInDays int
    Number of days to make a CA restorable after it has been deleted, must be between 7 to 30 days, with default to 30 days.
    RevocationConfiguration CertificateAuthorityRevocationConfigurationArgs
    Nested argument containing revocation configuration. Defined below.
    Tags map[string]string
    Key-value map of user-defined tags that are attached to the certificate authority. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
    Type string
    Type of the certificate authority. Defaults to SUBORDINATE. Valid values: ROOT and SUBORDINATE.
    UsageMode string
    Specifies whether the CA issues general-purpose certificates that typically require a revocation mechanism, or short-lived certificates that may optionally omit revocation because they expire quickly. Short-lived certificate validity is limited to seven days. Defaults to GENERAL_PURPOSE. Valid values: GENERAL_PURPOSE and SHORT_LIVED_CERTIFICATE.
    certificateAuthorityConfiguration CertificateAuthorityCertificateAuthorityConfiguration
    Nested argument containing algorithms and certificate subject information. Defined below.
    enabled Boolean
    Whether the certificate authority is enabled or disabled. Defaults to true. Can only be disabled if the CA is in an ACTIVE state.
    keyStorageSecurityStandard String
    Cryptographic key management compliance standard used for handling CA keys. Defaults to FIPS_140_2_LEVEL_3_OR_HIGHER. Valid values: FIPS_140_2_LEVEL_3_OR_HIGHER and FIPS_140_2_LEVEL_2_OR_HIGHER. Supported standard for each region can be found in the Storage and security compliance of AWS Private CA private keys Documentation.
    permanentDeletionTimeInDays Integer
    Number of days to make a CA restorable after it has been deleted, must be between 7 to 30 days, with default to 30 days.
    revocationConfiguration CertificateAuthorityRevocationConfiguration
    Nested argument containing revocation configuration. Defined below.
    tags Map<String,String>
    Key-value map of user-defined tags that are attached to the certificate authority. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
    type String
    Type of the certificate authority. Defaults to SUBORDINATE. Valid values: ROOT and SUBORDINATE.
    usageMode String
    Specifies whether the CA issues general-purpose certificates that typically require a revocation mechanism, or short-lived certificates that may optionally omit revocation because they expire quickly. Short-lived certificate validity is limited to seven days. Defaults to GENERAL_PURPOSE. Valid values: GENERAL_PURPOSE and SHORT_LIVED_CERTIFICATE.
    certificateAuthorityConfiguration CertificateAuthorityCertificateAuthorityConfiguration
    Nested argument containing algorithms and certificate subject information. Defined below.
    enabled boolean
    Whether the certificate authority is enabled or disabled. Defaults to true. Can only be disabled if the CA is in an ACTIVE state.
    keyStorageSecurityStandard string
    Cryptographic key management compliance standard used for handling CA keys. Defaults to FIPS_140_2_LEVEL_3_OR_HIGHER. Valid values: FIPS_140_2_LEVEL_3_OR_HIGHER and FIPS_140_2_LEVEL_2_OR_HIGHER. Supported standard for each region can be found in the Storage and security compliance of AWS Private CA private keys Documentation.
    permanentDeletionTimeInDays number
    Number of days to make a CA restorable after it has been deleted, must be between 7 to 30 days, with default to 30 days.
    revocationConfiguration CertificateAuthorityRevocationConfiguration
    Nested argument containing revocation configuration. Defined below.
    tags {[key: string]: string}
    Key-value map of user-defined tags that are attached to the certificate authority. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
    type string
    Type of the certificate authority. Defaults to SUBORDINATE. Valid values: ROOT and SUBORDINATE.
    usageMode string
    Specifies whether the CA issues general-purpose certificates that typically require a revocation mechanism, or short-lived certificates that may optionally omit revocation because they expire quickly. Short-lived certificate validity is limited to seven days. Defaults to GENERAL_PURPOSE. Valid values: GENERAL_PURPOSE and SHORT_LIVED_CERTIFICATE.
    certificate_authority_configuration CertificateAuthorityCertificateAuthorityConfigurationArgs
    Nested argument containing algorithms and certificate subject information. Defined below.
    enabled bool
    Whether the certificate authority is enabled or disabled. Defaults to true. Can only be disabled if the CA is in an ACTIVE state.
    key_storage_security_standard str
    Cryptographic key management compliance standard used for handling CA keys. Defaults to FIPS_140_2_LEVEL_3_OR_HIGHER. Valid values: FIPS_140_2_LEVEL_3_OR_HIGHER and FIPS_140_2_LEVEL_2_OR_HIGHER. Supported standard for each region can be found in the Storage and security compliance of AWS Private CA private keys Documentation.
    permanent_deletion_time_in_days int
    Number of days to make a CA restorable after it has been deleted, must be between 7 to 30 days, with default to 30 days.
    revocation_configuration CertificateAuthorityRevocationConfigurationArgs
    Nested argument containing revocation configuration. Defined below.
    tags Mapping[str, str]
    Key-value map of user-defined tags that are attached to the certificate authority. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
    type str
    Type of the certificate authority. Defaults to SUBORDINATE. Valid values: ROOT and SUBORDINATE.
    usage_mode str
    Specifies whether the CA issues general-purpose certificates that typically require a revocation mechanism, or short-lived certificates that may optionally omit revocation because they expire quickly. Short-lived certificate validity is limited to seven days. Defaults to GENERAL_PURPOSE. Valid values: GENERAL_PURPOSE and SHORT_LIVED_CERTIFICATE.
    certificateAuthorityConfiguration Property Map
    Nested argument containing algorithms and certificate subject information. Defined below.
    enabled Boolean
    Whether the certificate authority is enabled or disabled. Defaults to true. Can only be disabled if the CA is in an ACTIVE state.
    keyStorageSecurityStandard String
    Cryptographic key management compliance standard used for handling CA keys. Defaults to FIPS_140_2_LEVEL_3_OR_HIGHER. Valid values: FIPS_140_2_LEVEL_3_OR_HIGHER and FIPS_140_2_LEVEL_2_OR_HIGHER. Supported standard for each region can be found in the Storage and security compliance of AWS Private CA private keys Documentation.
    permanentDeletionTimeInDays Number
    Number of days to make a CA restorable after it has been deleted, must be between 7 to 30 days, with default to 30 days.
    revocationConfiguration Property Map
    Nested argument containing revocation configuration. Defined below.
    tags Map<String>
    Key-value map of user-defined tags that are attached to the certificate authority. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
    type String
    Type of the certificate authority. Defaults to SUBORDINATE. Valid values: ROOT and SUBORDINATE.
    usageMode String
    Specifies whether the CA issues general-purpose certificates that typically require a revocation mechanism, or short-lived certificates that may optionally omit revocation because they expire quickly. Short-lived certificate validity is limited to seven days. Defaults to GENERAL_PURPOSE. Valid values: GENERAL_PURPOSE and SHORT_LIVED_CERTIFICATE.

    Outputs

    All input properties are implicitly available as output properties. Additionally, the CertificateAuthority resource produces the following output properties:

    Arn string
    ARN of the certificate authority.
    Certificate string
    Base64-encoded certificate authority (CA) certificate. Only available after the certificate authority certificate has been imported.
    CertificateChain string
    Base64-encoded certificate chain that includes any intermediate certificates and chains up to root on-premises certificate that you used to sign your private CA certificate. The chain does not include your private CA certificate. Only available after the certificate authority certificate has been imported.
    CertificateSigningRequest string
    The base64 PEM-encoded certificate signing request (CSR) for your private CA certificate.
    Id string
    The provider-assigned unique ID for this managed resource.
    NotAfter string
    Date and time after which the certificate authority is not valid. Only available after the certificate authority certificate has been imported.
    NotBefore string
    Date and time before which the certificate authority is not valid. Only available after the certificate authority certificate has been imported.
    Serial string
    Serial number of the certificate authority. Only available after the certificate authority certificate has been imported.
    TagsAll Dictionary<string, string>
    Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

    Deprecated:Please use tags instead.

    Arn string
    ARN of the certificate authority.
    Certificate string
    Base64-encoded certificate authority (CA) certificate. Only available after the certificate authority certificate has been imported.
    CertificateChain string
    Base64-encoded certificate chain that includes any intermediate certificates and chains up to root on-premises certificate that you used to sign your private CA certificate. The chain does not include your private CA certificate. Only available after the certificate authority certificate has been imported.
    CertificateSigningRequest string
    The base64 PEM-encoded certificate signing request (CSR) for your private CA certificate.
    Id string
    The provider-assigned unique ID for this managed resource.
    NotAfter string
    Date and time after which the certificate authority is not valid. Only available after the certificate authority certificate has been imported.
    NotBefore string
    Date and time before which the certificate authority is not valid. Only available after the certificate authority certificate has been imported.
    Serial string
    Serial number of the certificate authority. Only available after the certificate authority certificate has been imported.
    TagsAll map[string]string
    Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

    Deprecated:Please use tags instead.

    arn String
    ARN of the certificate authority.
    certificate String
    Base64-encoded certificate authority (CA) certificate. Only available after the certificate authority certificate has been imported.
    certificateChain String
    Base64-encoded certificate chain that includes any intermediate certificates and chains up to root on-premises certificate that you used to sign your private CA certificate. The chain does not include your private CA certificate. Only available after the certificate authority certificate has been imported.
    certificateSigningRequest String
    The base64 PEM-encoded certificate signing request (CSR) for your private CA certificate.
    id String
    The provider-assigned unique ID for this managed resource.
    notAfter String
    Date and time after which the certificate authority is not valid. Only available after the certificate authority certificate has been imported.
    notBefore String
    Date and time before which the certificate authority is not valid. Only available after the certificate authority certificate has been imported.
    serial String
    Serial number of the certificate authority. Only available after the certificate authority certificate has been imported.
    tagsAll Map<String,String>
    Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

    Deprecated:Please use tags instead.

    arn string
    ARN of the certificate authority.
    certificate string
    Base64-encoded certificate authority (CA) certificate. Only available after the certificate authority certificate has been imported.
    certificateChain string
    Base64-encoded certificate chain that includes any intermediate certificates and chains up to root on-premises certificate that you used to sign your private CA certificate. The chain does not include your private CA certificate. Only available after the certificate authority certificate has been imported.
    certificateSigningRequest string
    The base64 PEM-encoded certificate signing request (CSR) for your private CA certificate.
    id string
    The provider-assigned unique ID for this managed resource.
    notAfter string
    Date and time after which the certificate authority is not valid. Only available after the certificate authority certificate has been imported.
    notBefore string
    Date and time before which the certificate authority is not valid. Only available after the certificate authority certificate has been imported.
    serial string
    Serial number of the certificate authority. Only available after the certificate authority certificate has been imported.
    tagsAll {[key: string]: string}
    Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

    Deprecated:Please use tags instead.

    arn str
    ARN of the certificate authority.
    certificate str
    Base64-encoded certificate authority (CA) certificate. Only available after the certificate authority certificate has been imported.
    certificate_chain str
    Base64-encoded certificate chain that includes any intermediate certificates and chains up to root on-premises certificate that you used to sign your private CA certificate. The chain does not include your private CA certificate. Only available after the certificate authority certificate has been imported.
    certificate_signing_request str
    The base64 PEM-encoded certificate signing request (CSR) for your private CA certificate.
    id str
    The provider-assigned unique ID for this managed resource.
    not_after str
    Date and time after which the certificate authority is not valid. Only available after the certificate authority certificate has been imported.
    not_before str
    Date and time before which the certificate authority is not valid. Only available after the certificate authority certificate has been imported.
    serial str
    Serial number of the certificate authority. Only available after the certificate authority certificate has been imported.
    tags_all Mapping[str, str]
    Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

    Deprecated:Please use tags instead.

    arn String
    ARN of the certificate authority.
    certificate String
    Base64-encoded certificate authority (CA) certificate. Only available after the certificate authority certificate has been imported.
    certificateChain String
    Base64-encoded certificate chain that includes any intermediate certificates and chains up to root on-premises certificate that you used to sign your private CA certificate. The chain does not include your private CA certificate. Only available after the certificate authority certificate has been imported.
    certificateSigningRequest String
    The base64 PEM-encoded certificate signing request (CSR) for your private CA certificate.
    id String
    The provider-assigned unique ID for this managed resource.
    notAfter String
    Date and time after which the certificate authority is not valid. Only available after the certificate authority certificate has been imported.
    notBefore String
    Date and time before which the certificate authority is not valid. Only available after the certificate authority certificate has been imported.
    serial String
    Serial number of the certificate authority. Only available after the certificate authority certificate has been imported.
    tagsAll Map<String>
    Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

    Deprecated:Please use tags instead.

    Look up Existing CertificateAuthority Resource

    Get an existing CertificateAuthority resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

    public static get(name: string, id: Input<ID>, state?: CertificateAuthorityState, opts?: CustomResourceOptions): CertificateAuthority
    @staticmethod
    def get(resource_name: str,
            id: str,
            opts: Optional[ResourceOptions] = None,
            arn: Optional[str] = None,
            certificate: Optional[str] = None,
            certificate_authority_configuration: Optional[CertificateAuthorityCertificateAuthorityConfigurationArgs] = None,
            certificate_chain: Optional[str] = None,
            certificate_signing_request: Optional[str] = None,
            enabled: Optional[bool] = None,
            key_storage_security_standard: Optional[str] = None,
            not_after: Optional[str] = None,
            not_before: Optional[str] = None,
            permanent_deletion_time_in_days: Optional[int] = None,
            revocation_configuration: Optional[CertificateAuthorityRevocationConfigurationArgs] = None,
            serial: Optional[str] = None,
            tags: Optional[Mapping[str, str]] = None,
            tags_all: Optional[Mapping[str, str]] = None,
            type: Optional[str] = None,
            usage_mode: Optional[str] = None) -> CertificateAuthority
    func GetCertificateAuthority(ctx *Context, name string, id IDInput, state *CertificateAuthorityState, opts ...ResourceOption) (*CertificateAuthority, error)
    public static CertificateAuthority Get(string name, Input<string> id, CertificateAuthorityState? state, CustomResourceOptions? opts = null)
    public static CertificateAuthority get(String name, Output<String> id, CertificateAuthorityState state, CustomResourceOptions options)
    Resource lookup is not supported in YAML
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    resource_name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    The following state arguments are supported:
    Arn string
    ARN of the certificate authority.
    Certificate string
    Base64-encoded certificate authority (CA) certificate. Only available after the certificate authority certificate has been imported.
    CertificateAuthorityConfiguration CertificateAuthorityCertificateAuthorityConfiguration
    Nested argument containing algorithms and certificate subject information. Defined below.
    CertificateChain string
    Base64-encoded certificate chain that includes any intermediate certificates and chains up to root on-premises certificate that you used to sign your private CA certificate. The chain does not include your private CA certificate. Only available after the certificate authority certificate has been imported.
    CertificateSigningRequest string
    The base64 PEM-encoded certificate signing request (CSR) for your private CA certificate.
    Enabled bool
    Whether the certificate authority is enabled or disabled. Defaults to true. Can only be disabled if the CA is in an ACTIVE state.
    KeyStorageSecurityStandard string
    Cryptographic key management compliance standard used for handling CA keys. Defaults to FIPS_140_2_LEVEL_3_OR_HIGHER. Valid values: FIPS_140_2_LEVEL_3_OR_HIGHER and FIPS_140_2_LEVEL_2_OR_HIGHER. Supported standard for each region can be found in the Storage and security compliance of AWS Private CA private keys Documentation.
    NotAfter string
    Date and time after which the certificate authority is not valid. Only available after the certificate authority certificate has been imported.
    NotBefore string
    Date and time before which the certificate authority is not valid. Only available after the certificate authority certificate has been imported.
    PermanentDeletionTimeInDays int
    Number of days to make a CA restorable after it has been deleted, must be between 7 to 30 days, with default to 30 days.
    RevocationConfiguration CertificateAuthorityRevocationConfiguration
    Nested argument containing revocation configuration. Defined below.
    Serial string
    Serial number of the certificate authority. Only available after the certificate authority certificate has been imported.
    Tags Dictionary<string, string>
    Key-value map of user-defined tags that are attached to the certificate authority. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
    TagsAll Dictionary<string, string>
    Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

    Deprecated:Please use tags instead.

    Type string
    Type of the certificate authority. Defaults to SUBORDINATE. Valid values: ROOT and SUBORDINATE.
    UsageMode string
    Specifies whether the CA issues general-purpose certificates that typically require a revocation mechanism, or short-lived certificates that may optionally omit revocation because they expire quickly. Short-lived certificate validity is limited to seven days. Defaults to GENERAL_PURPOSE. Valid values: GENERAL_PURPOSE and SHORT_LIVED_CERTIFICATE.
    Arn string
    ARN of the certificate authority.
    Certificate string
    Base64-encoded certificate authority (CA) certificate. Only available after the certificate authority certificate has been imported.
    CertificateAuthorityConfiguration CertificateAuthorityCertificateAuthorityConfigurationArgs
    Nested argument containing algorithms and certificate subject information. Defined below.
    CertificateChain string
    Base64-encoded certificate chain that includes any intermediate certificates and chains up to root on-premises certificate that you used to sign your private CA certificate. The chain does not include your private CA certificate. Only available after the certificate authority certificate has been imported.
    CertificateSigningRequest string
    The base64 PEM-encoded certificate signing request (CSR) for your private CA certificate.
    Enabled bool
    Whether the certificate authority is enabled or disabled. Defaults to true. Can only be disabled if the CA is in an ACTIVE state.
    KeyStorageSecurityStandard string
    Cryptographic key management compliance standard used for handling CA keys. Defaults to FIPS_140_2_LEVEL_3_OR_HIGHER. Valid values: FIPS_140_2_LEVEL_3_OR_HIGHER and FIPS_140_2_LEVEL_2_OR_HIGHER. Supported standard for each region can be found in the Storage and security compliance of AWS Private CA private keys Documentation.
    NotAfter string
    Date and time after which the certificate authority is not valid. Only available after the certificate authority certificate has been imported.
    NotBefore string
    Date and time before which the certificate authority is not valid. Only available after the certificate authority certificate has been imported.
    PermanentDeletionTimeInDays int
    Number of days to make a CA restorable after it has been deleted, must be between 7 to 30 days, with default to 30 days.
    RevocationConfiguration CertificateAuthorityRevocationConfigurationArgs
    Nested argument containing revocation configuration. Defined below.
    Serial string
    Serial number of the certificate authority. Only available after the certificate authority certificate has been imported.
    Tags map[string]string
    Key-value map of user-defined tags that are attached to the certificate authority. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
    TagsAll map[string]string
    Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

    Deprecated:Please use tags instead.

    Type string
    Type of the certificate authority. Defaults to SUBORDINATE. Valid values: ROOT and SUBORDINATE.
    UsageMode string
    Specifies whether the CA issues general-purpose certificates that typically require a revocation mechanism, or short-lived certificates that may optionally omit revocation because they expire quickly. Short-lived certificate validity is limited to seven days. Defaults to GENERAL_PURPOSE. Valid values: GENERAL_PURPOSE and SHORT_LIVED_CERTIFICATE.
    arn String
    ARN of the certificate authority.
    certificate String
    Base64-encoded certificate authority (CA) certificate. Only available after the certificate authority certificate has been imported.
    certificateAuthorityConfiguration CertificateAuthorityCertificateAuthorityConfiguration
    Nested argument containing algorithms and certificate subject information. Defined below.
    certificateChain String
    Base64-encoded certificate chain that includes any intermediate certificates and chains up to root on-premises certificate that you used to sign your private CA certificate. The chain does not include your private CA certificate. Only available after the certificate authority certificate has been imported.
    certificateSigningRequest String
    The base64 PEM-encoded certificate signing request (CSR) for your private CA certificate.
    enabled Boolean
    Whether the certificate authority is enabled or disabled. Defaults to true. Can only be disabled if the CA is in an ACTIVE state.
    keyStorageSecurityStandard String
    Cryptographic key management compliance standard used for handling CA keys. Defaults to FIPS_140_2_LEVEL_3_OR_HIGHER. Valid values: FIPS_140_2_LEVEL_3_OR_HIGHER and FIPS_140_2_LEVEL_2_OR_HIGHER. Supported standard for each region can be found in the Storage and security compliance of AWS Private CA private keys Documentation.
    notAfter String
    Date and time after which the certificate authority is not valid. Only available after the certificate authority certificate has been imported.
    notBefore String
    Date and time before which the certificate authority is not valid. Only available after the certificate authority certificate has been imported.
    permanentDeletionTimeInDays Integer
    Number of days to make a CA restorable after it has been deleted, must be between 7 to 30 days, with default to 30 days.
    revocationConfiguration CertificateAuthorityRevocationConfiguration
    Nested argument containing revocation configuration. Defined below.
    serial String
    Serial number of the certificate authority. Only available after the certificate authority certificate has been imported.
    tags Map<String,String>
    Key-value map of user-defined tags that are attached to the certificate authority. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
    tagsAll Map<String,String>
    Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

    Deprecated:Please use tags instead.

    type String
    Type of the certificate authority. Defaults to SUBORDINATE. Valid values: ROOT and SUBORDINATE.
    usageMode String
    Specifies whether the CA issues general-purpose certificates that typically require a revocation mechanism, or short-lived certificates that may optionally omit revocation because they expire quickly. Short-lived certificate validity is limited to seven days. Defaults to GENERAL_PURPOSE. Valid values: GENERAL_PURPOSE and SHORT_LIVED_CERTIFICATE.
    arn string
    ARN of the certificate authority.
    certificate string
    Base64-encoded certificate authority (CA) certificate. Only available after the certificate authority certificate has been imported.
    certificateAuthorityConfiguration CertificateAuthorityCertificateAuthorityConfiguration
    Nested argument containing algorithms and certificate subject information. Defined below.
    certificateChain string
    Base64-encoded certificate chain that includes any intermediate certificates and chains up to root on-premises certificate that you used to sign your private CA certificate. The chain does not include your private CA certificate. Only available after the certificate authority certificate has been imported.
    certificateSigningRequest string
    The base64 PEM-encoded certificate signing request (CSR) for your private CA certificate.
    enabled boolean
    Whether the certificate authority is enabled or disabled. Defaults to true. Can only be disabled if the CA is in an ACTIVE state.
    keyStorageSecurityStandard string
    Cryptographic key management compliance standard used for handling CA keys. Defaults to FIPS_140_2_LEVEL_3_OR_HIGHER. Valid values: FIPS_140_2_LEVEL_3_OR_HIGHER and FIPS_140_2_LEVEL_2_OR_HIGHER. Supported standard for each region can be found in the Storage and security compliance of AWS Private CA private keys Documentation.
    notAfter string
    Date and time after which the certificate authority is not valid. Only available after the certificate authority certificate has been imported.
    notBefore string
    Date and time before which the certificate authority is not valid. Only available after the certificate authority certificate has been imported.
    permanentDeletionTimeInDays number
    Number of days to make a CA restorable after it has been deleted, must be between 7 to 30 days, with default to 30 days.
    revocationConfiguration CertificateAuthorityRevocationConfiguration
    Nested argument containing revocation configuration. Defined below.
    serial string
    Serial number of the certificate authority. Only available after the certificate authority certificate has been imported.
    tags {[key: string]: string}
    Key-value map of user-defined tags that are attached to the certificate authority. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
    tagsAll {[key: string]: string}
    Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

    Deprecated:Please use tags instead.

    type string
    Type of the certificate authority. Defaults to SUBORDINATE. Valid values: ROOT and SUBORDINATE.
    usageMode string
    Specifies whether the CA issues general-purpose certificates that typically require a revocation mechanism, or short-lived certificates that may optionally omit revocation because they expire quickly. Short-lived certificate validity is limited to seven days. Defaults to GENERAL_PURPOSE. Valid values: GENERAL_PURPOSE and SHORT_LIVED_CERTIFICATE.
    arn str
    ARN of the certificate authority.
    certificate str
    Base64-encoded certificate authority (CA) certificate. Only available after the certificate authority certificate has been imported.
    certificate_authority_configuration CertificateAuthorityCertificateAuthorityConfigurationArgs
    Nested argument containing algorithms and certificate subject information. Defined below.
    certificate_chain str
    Base64-encoded certificate chain that includes any intermediate certificates and chains up to root on-premises certificate that you used to sign your private CA certificate. The chain does not include your private CA certificate. Only available after the certificate authority certificate has been imported.
    certificate_signing_request str
    The base64 PEM-encoded certificate signing request (CSR) for your private CA certificate.
    enabled bool
    Whether the certificate authority is enabled or disabled. Defaults to true. Can only be disabled if the CA is in an ACTIVE state.
    key_storage_security_standard str
    Cryptographic key management compliance standard used for handling CA keys. Defaults to FIPS_140_2_LEVEL_3_OR_HIGHER. Valid values: FIPS_140_2_LEVEL_3_OR_HIGHER and FIPS_140_2_LEVEL_2_OR_HIGHER. Supported standard for each region can be found in the Storage and security compliance of AWS Private CA private keys Documentation.
    not_after str
    Date and time after which the certificate authority is not valid. Only available after the certificate authority certificate has been imported.
    not_before str
    Date and time before which the certificate authority is not valid. Only available after the certificate authority certificate has been imported.
    permanent_deletion_time_in_days int
    Number of days to make a CA restorable after it has been deleted, must be between 7 to 30 days, with default to 30 days.
    revocation_configuration CertificateAuthorityRevocationConfigurationArgs
    Nested argument containing revocation configuration. Defined below.
    serial str
    Serial number of the certificate authority. Only available after the certificate authority certificate has been imported.
    tags Mapping[str, str]
    Key-value map of user-defined tags that are attached to the certificate authority. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
    tags_all Mapping[str, str]
    Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

    Deprecated:Please use tags instead.

    type str
    Type of the certificate authority. Defaults to SUBORDINATE. Valid values: ROOT and SUBORDINATE.
    usage_mode str
    Specifies whether the CA issues general-purpose certificates that typically require a revocation mechanism, or short-lived certificates that may optionally omit revocation because they expire quickly. Short-lived certificate validity is limited to seven days. Defaults to GENERAL_PURPOSE. Valid values: GENERAL_PURPOSE and SHORT_LIVED_CERTIFICATE.
    arn String
    ARN of the certificate authority.
    certificate String
    Base64-encoded certificate authority (CA) certificate. Only available after the certificate authority certificate has been imported.
    certificateAuthorityConfiguration Property Map
    Nested argument containing algorithms and certificate subject information. Defined below.
    certificateChain String
    Base64-encoded certificate chain that includes any intermediate certificates and chains up to root on-premises certificate that you used to sign your private CA certificate. The chain does not include your private CA certificate. Only available after the certificate authority certificate has been imported.
    certificateSigningRequest String
    The base64 PEM-encoded certificate signing request (CSR) for your private CA certificate.
    enabled Boolean
    Whether the certificate authority is enabled or disabled. Defaults to true. Can only be disabled if the CA is in an ACTIVE state.
    keyStorageSecurityStandard String
    Cryptographic key management compliance standard used for handling CA keys. Defaults to FIPS_140_2_LEVEL_3_OR_HIGHER. Valid values: FIPS_140_2_LEVEL_3_OR_HIGHER and FIPS_140_2_LEVEL_2_OR_HIGHER. Supported standard for each region can be found in the Storage and security compliance of AWS Private CA private keys Documentation.
    notAfter String
    Date and time after which the certificate authority is not valid. Only available after the certificate authority certificate has been imported.
    notBefore String
    Date and time before which the certificate authority is not valid. Only available after the certificate authority certificate has been imported.
    permanentDeletionTimeInDays Number
    Number of days to make a CA restorable after it has been deleted, must be between 7 to 30 days, with default to 30 days.
    revocationConfiguration Property Map
    Nested argument containing revocation configuration. Defined below.
    serial String
    Serial number of the certificate authority. Only available after the certificate authority certificate has been imported.
    tags Map<String>
    Key-value map of user-defined tags that are attached to the certificate authority. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
    tagsAll Map<String>
    Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

    Deprecated:Please use tags instead.

    type String
    Type of the certificate authority. Defaults to SUBORDINATE. Valid values: ROOT and SUBORDINATE.
    usageMode String
    Specifies whether the CA issues general-purpose certificates that typically require a revocation mechanism, or short-lived certificates that may optionally omit revocation because they expire quickly. Short-lived certificate validity is limited to seven days. Defaults to GENERAL_PURPOSE. Valid values: GENERAL_PURPOSE and SHORT_LIVED_CERTIFICATE.

    Supporting Types

    CertificateAuthorityCertificateAuthorityConfiguration, CertificateAuthorityCertificateAuthorityConfigurationArgs

    KeyAlgorithm string
    Type of the public key algorithm and size, in bits, of the key pair that your key pair creates when it issues a certificate. Valid values can be found in the ACM PCA Documentation.
    SigningAlgorithm string
    Name of the algorithm your private CA uses to sign certificate requests. Valid values can be found in the ACM PCA Documentation.
    Subject CertificateAuthorityCertificateAuthorityConfigurationSubject
    Nested argument that contains X.500 distinguished name information. At least one nested attribute must be specified.
    KeyAlgorithm string
    Type of the public key algorithm and size, in bits, of the key pair that your key pair creates when it issues a certificate. Valid values can be found in the ACM PCA Documentation.
    SigningAlgorithm string
    Name of the algorithm your private CA uses to sign certificate requests. Valid values can be found in the ACM PCA Documentation.
    Subject CertificateAuthorityCertificateAuthorityConfigurationSubject
    Nested argument that contains X.500 distinguished name information. At least one nested attribute must be specified.
    keyAlgorithm String
    Type of the public key algorithm and size, in bits, of the key pair that your key pair creates when it issues a certificate. Valid values can be found in the ACM PCA Documentation.
    signingAlgorithm String
    Name of the algorithm your private CA uses to sign certificate requests. Valid values can be found in the ACM PCA Documentation.
    subject CertificateAuthorityCertificateAuthorityConfigurationSubject
    Nested argument that contains X.500 distinguished name information. At least one nested attribute must be specified.
    keyAlgorithm string
    Type of the public key algorithm and size, in bits, of the key pair that your key pair creates when it issues a certificate. Valid values can be found in the ACM PCA Documentation.
    signingAlgorithm string
    Name of the algorithm your private CA uses to sign certificate requests. Valid values can be found in the ACM PCA Documentation.
    subject CertificateAuthorityCertificateAuthorityConfigurationSubject
    Nested argument that contains X.500 distinguished name information. At least one nested attribute must be specified.
    key_algorithm str
    Type of the public key algorithm and size, in bits, of the key pair that your key pair creates when it issues a certificate. Valid values can be found in the ACM PCA Documentation.
    signing_algorithm str
    Name of the algorithm your private CA uses to sign certificate requests. Valid values can be found in the ACM PCA Documentation.
    subject CertificateAuthorityCertificateAuthorityConfigurationSubject
    Nested argument that contains X.500 distinguished name information. At least one nested attribute must be specified.
    keyAlgorithm String
    Type of the public key algorithm and size, in bits, of the key pair that your key pair creates when it issues a certificate. Valid values can be found in the ACM PCA Documentation.
    signingAlgorithm String
    Name of the algorithm your private CA uses to sign certificate requests. Valid values can be found in the ACM PCA Documentation.
    subject Property Map
    Nested argument that contains X.500 distinguished name information. At least one nested attribute must be specified.

    CertificateAuthorityCertificateAuthorityConfigurationSubject, CertificateAuthorityCertificateAuthorityConfigurationSubjectArgs

    CommonName string
    Fully qualified domain name (FQDN) associated with the certificate subject. Must be less than or equal to 64 characters in length.
    Country string
    Two digit code that specifies the country in which the certificate subject located. Must be less than or equal to 2 characters in length.
    DistinguishedNameQualifier string
    Disambiguating information for the certificate subject. Must be less than or equal to 64 characters in length.
    GenerationQualifier string
    Typically a qualifier appended to the name of an individual. Examples include Jr. for junior, Sr. for senior, and III for third. Must be less than or equal to 3 characters in length.
    GivenName string
    First name. Must be less than or equal to 16 characters in length.
    Initials string
    Concatenation that typically contains the first letter of the given_name, the first letter of the middle name if one exists, and the first letter of the surname. Must be less than or equal to 5 characters in length.
    Locality string
    Locality (such as a city or town) in which the certificate subject is located. Must be less than or equal to 128 characters in length.
    Organization string
    Legal name of the organization with which the certificate subject is affiliated. Must be less than or equal to 64 characters in length.
    OrganizationalUnit string
    Subdivision or unit of the organization (such as sales or finance) with which the certificate subject is affiliated. Must be less than or equal to 64 characters in length.
    Pseudonym string
    Typically a shortened version of a longer given_name. For example, Jonathan is often shortened to John. Elizabeth is often shortened to Beth, Liz, or Eliza. Must be less than or equal to 128 characters in length.
    State string
    State in which the subject of the certificate is located. Must be less than or equal to 128 characters in length.
    Surname string
    Family name. In the US and the UK for example, the surname of an individual is ordered last. In Asian cultures the surname is typically ordered first. Must be less than or equal to 40 characters in length.
    Title string
    Title such as Mr. or Ms. which is pre-pended to the name to refer formally to the certificate subject. Must be less than or equal to 64 characters in length.
    CommonName string
    Fully qualified domain name (FQDN) associated with the certificate subject. Must be less than or equal to 64 characters in length.
    Country string
    Two digit code that specifies the country in which the certificate subject located. Must be less than or equal to 2 characters in length.
    DistinguishedNameQualifier string
    Disambiguating information for the certificate subject. Must be less than or equal to 64 characters in length.
    GenerationQualifier string
    Typically a qualifier appended to the name of an individual. Examples include Jr. for junior, Sr. for senior, and III for third. Must be less than or equal to 3 characters in length.
    GivenName string
    First name. Must be less than or equal to 16 characters in length.
    Initials string
    Concatenation that typically contains the first letter of the given_name, the first letter of the middle name if one exists, and the first letter of the surname. Must be less than or equal to 5 characters in length.
    Locality string
    Locality (such as a city or town) in which the certificate subject is located. Must be less than or equal to 128 characters in length.
    Organization string
    Legal name of the organization with which the certificate subject is affiliated. Must be less than or equal to 64 characters in length.
    OrganizationalUnit string
    Subdivision or unit of the organization (such as sales or finance) with which the certificate subject is affiliated. Must be less than or equal to 64 characters in length.
    Pseudonym string
    Typically a shortened version of a longer given_name. For example, Jonathan is often shortened to John. Elizabeth is often shortened to Beth, Liz, or Eliza. Must be less than or equal to 128 characters in length.
    State string
    State in which the subject of the certificate is located. Must be less than or equal to 128 characters in length.
    Surname string
    Family name. In the US and the UK for example, the surname of an individual is ordered last. In Asian cultures the surname is typically ordered first. Must be less than or equal to 40 characters in length.
    Title string
    Title such as Mr. or Ms. which is pre-pended to the name to refer formally to the certificate subject. Must be less than or equal to 64 characters in length.
    commonName String
    Fully qualified domain name (FQDN) associated with the certificate subject. Must be less than or equal to 64 characters in length.
    country String
    Two digit code that specifies the country in which the certificate subject located. Must be less than or equal to 2 characters in length.
    distinguishedNameQualifier String
    Disambiguating information for the certificate subject. Must be less than or equal to 64 characters in length.
    generationQualifier String
    Typically a qualifier appended to the name of an individual. Examples include Jr. for junior, Sr. for senior, and III for third. Must be less than or equal to 3 characters in length.
    givenName String
    First name. Must be less than or equal to 16 characters in length.
    initials String
    Concatenation that typically contains the first letter of the given_name, the first letter of the middle name if one exists, and the first letter of the surname. Must be less than or equal to 5 characters in length.
    locality String
    Locality (such as a city or town) in which the certificate subject is located. Must be less than or equal to 128 characters in length.
    organization String
    Legal name of the organization with which the certificate subject is affiliated. Must be less than or equal to 64 characters in length.
    organizationalUnit String
    Subdivision or unit of the organization (such as sales or finance) with which the certificate subject is affiliated. Must be less than or equal to 64 characters in length.
    pseudonym String
    Typically a shortened version of a longer given_name. For example, Jonathan is often shortened to John. Elizabeth is often shortened to Beth, Liz, or Eliza. Must be less than or equal to 128 characters in length.
    state String
    State in which the subject of the certificate is located. Must be less than or equal to 128 characters in length.
    surname String
    Family name. In the US and the UK for example, the surname of an individual is ordered last. In Asian cultures the surname is typically ordered first. Must be less than or equal to 40 characters in length.
    title String
    Title such as Mr. or Ms. which is pre-pended to the name to refer formally to the certificate subject. Must be less than or equal to 64 characters in length.
    commonName string
    Fully qualified domain name (FQDN) associated with the certificate subject. Must be less than or equal to 64 characters in length.
    country string
    Two digit code that specifies the country in which the certificate subject located. Must be less than or equal to 2 characters in length.
    distinguishedNameQualifier string
    Disambiguating information for the certificate subject. Must be less than or equal to 64 characters in length.
    generationQualifier string
    Typically a qualifier appended to the name of an individual. Examples include Jr. for junior, Sr. for senior, and III for third. Must be less than or equal to 3 characters in length.
    givenName string
    First name. Must be less than or equal to 16 characters in length.
    initials string
    Concatenation that typically contains the first letter of the given_name, the first letter of the middle name if one exists, and the first letter of the surname. Must be less than or equal to 5 characters in length.
    locality string
    Locality (such as a city or town) in which the certificate subject is located. Must be less than or equal to 128 characters in length.
    organization string
    Legal name of the organization with which the certificate subject is affiliated. Must be less than or equal to 64 characters in length.
    organizationalUnit string
    Subdivision or unit of the organization (such as sales or finance) with which the certificate subject is affiliated. Must be less than or equal to 64 characters in length.
    pseudonym string
    Typically a shortened version of a longer given_name. For example, Jonathan is often shortened to John. Elizabeth is often shortened to Beth, Liz, or Eliza. Must be less than or equal to 128 characters in length.
    state string
    State in which the subject of the certificate is located. Must be less than or equal to 128 characters in length.
    surname string
    Family name. In the US and the UK for example, the surname of an individual is ordered last. In Asian cultures the surname is typically ordered first. Must be less than or equal to 40 characters in length.
    title string
    Title such as Mr. or Ms. which is pre-pended to the name to refer formally to the certificate subject. Must be less than or equal to 64 characters in length.
    common_name str
    Fully qualified domain name (FQDN) associated with the certificate subject. Must be less than or equal to 64 characters in length.
    country str
    Two digit code that specifies the country in which the certificate subject located. Must be less than or equal to 2 characters in length.
    distinguished_name_qualifier str
    Disambiguating information for the certificate subject. Must be less than or equal to 64 characters in length.
    generation_qualifier str
    Typically a qualifier appended to the name of an individual. Examples include Jr. for junior, Sr. for senior, and III for third. Must be less than or equal to 3 characters in length.
    given_name str
    First name. Must be less than or equal to 16 characters in length.
    initials str
    Concatenation that typically contains the first letter of the given_name, the first letter of the middle name if one exists, and the first letter of the surname. Must be less than or equal to 5 characters in length.
    locality str
    Locality (such as a city or town) in which the certificate subject is located. Must be less than or equal to 128 characters in length.
    organization str
    Legal name of the organization with which the certificate subject is affiliated. Must be less than or equal to 64 characters in length.
    organizational_unit str
    Subdivision or unit of the organization (such as sales or finance) with which the certificate subject is affiliated. Must be less than or equal to 64 characters in length.
    pseudonym str
    Typically a shortened version of a longer given_name. For example, Jonathan is often shortened to John. Elizabeth is often shortened to Beth, Liz, or Eliza. Must be less than or equal to 128 characters in length.
    state str
    State in which the subject of the certificate is located. Must be less than or equal to 128 characters in length.
    surname str
    Family name. In the US and the UK for example, the surname of an individual is ordered last. In Asian cultures the surname is typically ordered first. Must be less than or equal to 40 characters in length.
    title str
    Title such as Mr. or Ms. which is pre-pended to the name to refer formally to the certificate subject. Must be less than or equal to 64 characters in length.
    commonName String
    Fully qualified domain name (FQDN) associated with the certificate subject. Must be less than or equal to 64 characters in length.
    country String
    Two digit code that specifies the country in which the certificate subject located. Must be less than or equal to 2 characters in length.
    distinguishedNameQualifier String
    Disambiguating information for the certificate subject. Must be less than or equal to 64 characters in length.
    generationQualifier String
    Typically a qualifier appended to the name of an individual. Examples include Jr. for junior, Sr. for senior, and III for third. Must be less than or equal to 3 characters in length.
    givenName String
    First name. Must be less than or equal to 16 characters in length.
    initials String
    Concatenation that typically contains the first letter of the given_name, the first letter of the middle name if one exists, and the first letter of the surname. Must be less than or equal to 5 characters in length.
    locality String
    Locality (such as a city or town) in which the certificate subject is located. Must be less than or equal to 128 characters in length.
    organization String
    Legal name of the organization with which the certificate subject is affiliated. Must be less than or equal to 64 characters in length.
    organizationalUnit String
    Subdivision or unit of the organization (such as sales or finance) with which the certificate subject is affiliated. Must be less than or equal to 64 characters in length.
    pseudonym String
    Typically a shortened version of a longer given_name. For example, Jonathan is often shortened to John. Elizabeth is often shortened to Beth, Liz, or Eliza. Must be less than or equal to 128 characters in length.
    state String
    State in which the subject of the certificate is located. Must be less than or equal to 128 characters in length.
    surname String
    Family name. In the US and the UK for example, the surname of an individual is ordered last. In Asian cultures the surname is typically ordered first. Must be less than or equal to 40 characters in length.
    title String
    Title such as Mr. or Ms. which is pre-pended to the name to refer formally to the certificate subject. Must be less than or equal to 64 characters in length.

    CertificateAuthorityRevocationConfiguration, CertificateAuthorityRevocationConfigurationArgs

    CrlConfiguration CertificateAuthorityRevocationConfigurationCrlConfiguration
    Nested argument containing configuration of the certificate revocation list (CRL), if any, maintained by the certificate authority. Defined below.
    OcspConfiguration CertificateAuthorityRevocationConfigurationOcspConfiguration
    Nested argument containing configuration of the custom OCSP responder endpoint. Defined below.
    CrlConfiguration CertificateAuthorityRevocationConfigurationCrlConfiguration
    Nested argument containing configuration of the certificate revocation list (CRL), if any, maintained by the certificate authority. Defined below.
    OcspConfiguration CertificateAuthorityRevocationConfigurationOcspConfiguration
    Nested argument containing configuration of the custom OCSP responder endpoint. Defined below.
    crlConfiguration CertificateAuthorityRevocationConfigurationCrlConfiguration
    Nested argument containing configuration of the certificate revocation list (CRL), if any, maintained by the certificate authority. Defined below.
    ocspConfiguration CertificateAuthorityRevocationConfigurationOcspConfiguration
    Nested argument containing configuration of the custom OCSP responder endpoint. Defined below.
    crlConfiguration CertificateAuthorityRevocationConfigurationCrlConfiguration
    Nested argument containing configuration of the certificate revocation list (CRL), if any, maintained by the certificate authority. Defined below.
    ocspConfiguration CertificateAuthorityRevocationConfigurationOcspConfiguration
    Nested argument containing configuration of the custom OCSP responder endpoint. Defined below.
    crl_configuration CertificateAuthorityRevocationConfigurationCrlConfiguration
    Nested argument containing configuration of the certificate revocation list (CRL), if any, maintained by the certificate authority. Defined below.
    ocsp_configuration CertificateAuthorityRevocationConfigurationOcspConfiguration
    Nested argument containing configuration of the custom OCSP responder endpoint. Defined below.
    crlConfiguration Property Map
    Nested argument containing configuration of the certificate revocation list (CRL), if any, maintained by the certificate authority. Defined below.
    ocspConfiguration Property Map
    Nested argument containing configuration of the custom OCSP responder endpoint. Defined below.

    CertificateAuthorityRevocationConfigurationCrlConfiguration, CertificateAuthorityRevocationConfigurationCrlConfigurationArgs

    CustomCname string
    Name inserted into the certificate CRL Distribution Points extension that enables the use of an alias for the CRL distribution point. Use this value if you don't want the name of your S3 bucket to be public. Must be less than or equal to 253 characters in length.
    Enabled bool
    Boolean value that specifies whether certificate revocation lists (CRLs) are enabled. Defaults to false.
    ExpirationInDays int
    Number of days until a certificate expires. Must be between 1 and 5000.
    S3BucketName string
    Name of the S3 bucket that contains the CRL. If you do not provide a value for the custom_cname argument, the name of your S3 bucket is placed into the CRL Distribution Points extension of the issued certificate. You must specify a bucket policy that allows ACM PCA to write the CRL to your bucket. Must be between 3 and 255 characters in length.
    S3ObjectAcl string
    Determines whether the CRL will be publicly readable or privately held in the CRL Amazon S3 bucket. Defaults to PUBLIC_READ.
    CustomCname string
    Name inserted into the certificate CRL Distribution Points extension that enables the use of an alias for the CRL distribution point. Use this value if you don't want the name of your S3 bucket to be public. Must be less than or equal to 253 characters in length.
    Enabled bool
    Boolean value that specifies whether certificate revocation lists (CRLs) are enabled. Defaults to false.
    ExpirationInDays int
    Number of days until a certificate expires. Must be between 1 and 5000.
    S3BucketName string
    Name of the S3 bucket that contains the CRL. If you do not provide a value for the custom_cname argument, the name of your S3 bucket is placed into the CRL Distribution Points extension of the issued certificate. You must specify a bucket policy that allows ACM PCA to write the CRL to your bucket. Must be between 3 and 255 characters in length.
    S3ObjectAcl string
    Determines whether the CRL will be publicly readable or privately held in the CRL Amazon S3 bucket. Defaults to PUBLIC_READ.
    customCname String
    Name inserted into the certificate CRL Distribution Points extension that enables the use of an alias for the CRL distribution point. Use this value if you don't want the name of your S3 bucket to be public. Must be less than or equal to 253 characters in length.
    enabled Boolean
    Boolean value that specifies whether certificate revocation lists (CRLs) are enabled. Defaults to false.
    expirationInDays Integer
    Number of days until a certificate expires. Must be between 1 and 5000.
    s3BucketName String
    Name of the S3 bucket that contains the CRL. If you do not provide a value for the custom_cname argument, the name of your S3 bucket is placed into the CRL Distribution Points extension of the issued certificate. You must specify a bucket policy that allows ACM PCA to write the CRL to your bucket. Must be between 3 and 255 characters in length.
    s3ObjectAcl String
    Determines whether the CRL will be publicly readable or privately held in the CRL Amazon S3 bucket. Defaults to PUBLIC_READ.
    customCname string
    Name inserted into the certificate CRL Distribution Points extension that enables the use of an alias for the CRL distribution point. Use this value if you don't want the name of your S3 bucket to be public. Must be less than or equal to 253 characters in length.
    enabled boolean
    Boolean value that specifies whether certificate revocation lists (CRLs) are enabled. Defaults to false.
    expirationInDays number
    Number of days until a certificate expires. Must be between 1 and 5000.
    s3BucketName string
    Name of the S3 bucket that contains the CRL. If you do not provide a value for the custom_cname argument, the name of your S3 bucket is placed into the CRL Distribution Points extension of the issued certificate. You must specify a bucket policy that allows ACM PCA to write the CRL to your bucket. Must be between 3 and 255 characters in length.
    s3ObjectAcl string
    Determines whether the CRL will be publicly readable or privately held in the CRL Amazon S3 bucket. Defaults to PUBLIC_READ.
    custom_cname str
    Name inserted into the certificate CRL Distribution Points extension that enables the use of an alias for the CRL distribution point. Use this value if you don't want the name of your S3 bucket to be public. Must be less than or equal to 253 characters in length.
    enabled bool
    Boolean value that specifies whether certificate revocation lists (CRLs) are enabled. Defaults to false.
    expiration_in_days int
    Number of days until a certificate expires. Must be between 1 and 5000.
    s3_bucket_name str
    Name of the S3 bucket that contains the CRL. If you do not provide a value for the custom_cname argument, the name of your S3 bucket is placed into the CRL Distribution Points extension of the issued certificate. You must specify a bucket policy that allows ACM PCA to write the CRL to your bucket. Must be between 3 and 255 characters in length.
    s3_object_acl str
    Determines whether the CRL will be publicly readable or privately held in the CRL Amazon S3 bucket. Defaults to PUBLIC_READ.
    customCname String
    Name inserted into the certificate CRL Distribution Points extension that enables the use of an alias for the CRL distribution point. Use this value if you don't want the name of your S3 bucket to be public. Must be less than or equal to 253 characters in length.
    enabled Boolean
    Boolean value that specifies whether certificate revocation lists (CRLs) are enabled. Defaults to false.
    expirationInDays Number
    Number of days until a certificate expires. Must be between 1 and 5000.
    s3BucketName String
    Name of the S3 bucket that contains the CRL. If you do not provide a value for the custom_cname argument, the name of your S3 bucket is placed into the CRL Distribution Points extension of the issued certificate. You must specify a bucket policy that allows ACM PCA to write the CRL to your bucket. Must be between 3 and 255 characters in length.
    s3ObjectAcl String
    Determines whether the CRL will be publicly readable or privately held in the CRL Amazon S3 bucket. Defaults to PUBLIC_READ.

    CertificateAuthorityRevocationConfigurationOcspConfiguration, CertificateAuthorityRevocationConfigurationOcspConfigurationArgs

    Enabled bool
    Boolean value that specifies whether a custom OCSP responder is enabled.
    OcspCustomCname string
    CNAME specifying a customized OCSP domain. Note: The value of the CNAME must not include a protocol prefix such as "http://" or "https://".
    Enabled bool
    Boolean value that specifies whether a custom OCSP responder is enabled.
    OcspCustomCname string
    CNAME specifying a customized OCSP domain. Note: The value of the CNAME must not include a protocol prefix such as "http://" or "https://".
    enabled Boolean
    Boolean value that specifies whether a custom OCSP responder is enabled.
    ocspCustomCname String
    CNAME specifying a customized OCSP domain. Note: The value of the CNAME must not include a protocol prefix such as "http://" or "https://".
    enabled boolean
    Boolean value that specifies whether a custom OCSP responder is enabled.
    ocspCustomCname string
    CNAME specifying a customized OCSP domain. Note: The value of the CNAME must not include a protocol prefix such as "http://" or "https://".
    enabled bool
    Boolean value that specifies whether a custom OCSP responder is enabled.
    ocsp_custom_cname str
    CNAME specifying a customized OCSP domain. Note: The value of the CNAME must not include a protocol prefix such as "http://" or "https://".
    enabled Boolean
    Boolean value that specifies whether a custom OCSP responder is enabled.
    ocspCustomCname String
    CNAME specifying a customized OCSP domain. Note: The value of the CNAME must not include a protocol prefix such as "http://" or "https://".

    Import

    Using pulumi import, import aws_acmpca_certificate_authority using the certificate authority ARN. For example:

     $ pulumi import aws:acmpca/certificateAuthority:CertificateAuthority example arn:aws:acm-pca:us-east-1:123456789012:certificate-authority/12345678-1234-1234-1234-123456789012
    

    Package Details

    Repository
    AWS Classic pulumi/pulumi-aws
    License
    Apache-2.0
    Notes
    This Pulumi package is based on the aws Terraform Provider.
    aws logo

    Try AWS Native preview for resources not in the classic version.

    AWS Classic v6.24.0 published on Tuesday, Feb 27, 2024 by Pulumi