Docs Home
AWS v6.80.0 published on Tuesday, May 6, 2025 by Pulumi
aws.acmpca.CertificateAuthority
Explore with Pulumi AI
Provides a resource to manage AWS Certificate Manager Private Certificate Authorities (ACM PCA Certificate Authorities).
NOTE: Creating this resource will leave the certificate authority in a
PENDING_CERTIFICATEstatus, which means it cannot yet issue certificates. To complete this setup, you must fully sign the certificate authority CSR available in thecertificate_signing_requestattribute. Theaws.acmpca.CertificateAuthorityCertificateresource can be used for this purpose.
Example Usage
Basic
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const example = new aws.acmpca.CertificateAuthority("example", {
certificateAuthorityConfiguration: {
keyAlgorithm: "RSA_4096",
signingAlgorithm: "SHA512WITHRSA",
subject: {
commonName: "example.com",
},
},
permanentDeletionTimeInDays: 7,
});
import pulumi
import pulumi_aws as aws
example = aws.acmpca.CertificateAuthority("example",
certificate_authority_configuration={
"key_algorithm": "RSA_4096",
"signing_algorithm": "SHA512WITHRSA",
"subject": {
"common_name": "example.com",
},
},
permanent_deletion_time_in_days=7)
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/acmpca"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := acmpca.NewCertificateAuthority(ctx, "example", &acmpca.CertificateAuthorityArgs{
CertificateAuthorityConfiguration: &acmpca.CertificateAuthorityCertificateAuthorityConfigurationArgs{
KeyAlgorithm: pulumi.String("RSA_4096"),
SigningAlgorithm: pulumi.String("SHA512WITHRSA"),
Subject: &acmpca.CertificateAuthorityCertificateAuthorityConfigurationSubjectArgs{
CommonName: pulumi.String("example.com"),
},
},
PermanentDeletionTimeInDays: pulumi.Int(7),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
var example = new Aws.Acmpca.CertificateAuthority("example", new()
{
CertificateAuthorityConfiguration = new Aws.Acmpca.Inputs.CertificateAuthorityCertificateAuthorityConfigurationArgs
{
KeyAlgorithm = "RSA_4096",
SigningAlgorithm = "SHA512WITHRSA",
Subject = new Aws.Acmpca.Inputs.CertificateAuthorityCertificateAuthorityConfigurationSubjectArgs
{
CommonName = "example.com",
},
},
PermanentDeletionTimeInDays = 7,
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.acmpca.CertificateAuthority;
import com.pulumi.aws.acmpca.CertificateAuthorityArgs;
import com.pulumi.aws.acmpca.inputs.CertificateAuthorityCertificateAuthorityConfigurationArgs;
import com.pulumi.aws.acmpca.inputs.CertificateAuthorityCertificateAuthorityConfigurationSubjectArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var example = new CertificateAuthority("example", CertificateAuthorityArgs.builder()
.certificateAuthorityConfiguration(CertificateAuthorityCertificateAuthorityConfigurationArgs.builder()
.keyAlgorithm("RSA_4096")
.signingAlgorithm("SHA512WITHRSA")
.subject(CertificateAuthorityCertificateAuthorityConfigurationSubjectArgs.builder()
.commonName("example.com")
.build())
.build())
.permanentDeletionTimeInDays(7)
.build());
}
}
resources:
example:
type: aws:acmpca:CertificateAuthority
properties:
certificateAuthorityConfiguration:
keyAlgorithm: RSA_4096
signingAlgorithm: SHA512WITHRSA
subject:
commonName: example.com
permanentDeletionTimeInDays: 7
Short-lived certificate
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const example = new aws.acmpca.CertificateAuthority("example", {
usageMode: "SHORT_LIVED_CERTIFICATE",
certificateAuthorityConfiguration: {
keyAlgorithm: "RSA_4096",
signingAlgorithm: "SHA512WITHRSA",
subject: {
commonName: "example.com",
},
},
});
import pulumi
import pulumi_aws as aws
example = aws.acmpca.CertificateAuthority("example",
usage_mode="SHORT_LIVED_CERTIFICATE",
certificate_authority_configuration={
"key_algorithm": "RSA_4096",
"signing_algorithm": "SHA512WITHRSA",
"subject": {
"common_name": "example.com",
},
})
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/acmpca"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := acmpca.NewCertificateAuthority(ctx, "example", &acmpca.CertificateAuthorityArgs{
UsageMode: pulumi.String("SHORT_LIVED_CERTIFICATE"),
CertificateAuthorityConfiguration: &acmpca.CertificateAuthorityCertificateAuthorityConfigurationArgs{
KeyAlgorithm: pulumi.String("RSA_4096"),
SigningAlgorithm: pulumi.String("SHA512WITHRSA"),
Subject: &acmpca.CertificateAuthorityCertificateAuthorityConfigurationSubjectArgs{
CommonName: pulumi.String("example.com"),
},
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
var example = new Aws.Acmpca.CertificateAuthority("example", new()
{
UsageMode = "SHORT_LIVED_CERTIFICATE",
CertificateAuthorityConfiguration = new Aws.Acmpca.Inputs.CertificateAuthorityCertificateAuthorityConfigurationArgs
{
KeyAlgorithm = "RSA_4096",
SigningAlgorithm = "SHA512WITHRSA",
Subject = new Aws.Acmpca.Inputs.CertificateAuthorityCertificateAuthorityConfigurationSubjectArgs
{
CommonName = "example.com",
},
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.acmpca.CertificateAuthority;
import com.pulumi.aws.acmpca.CertificateAuthorityArgs;
import com.pulumi.aws.acmpca.inputs.CertificateAuthorityCertificateAuthorityConfigurationArgs;
import com.pulumi.aws.acmpca.inputs.CertificateAuthorityCertificateAuthorityConfigurationSubjectArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var example = new CertificateAuthority("example", CertificateAuthorityArgs.builder()
.usageMode("SHORT_LIVED_CERTIFICATE")
.certificateAuthorityConfiguration(CertificateAuthorityCertificateAuthorityConfigurationArgs.builder()
.keyAlgorithm("RSA_4096")
.signingAlgorithm("SHA512WITHRSA")
.subject(CertificateAuthorityCertificateAuthorityConfigurationSubjectArgs.builder()
.commonName("example.com")
.build())
.build())
.build());
}
}
resources:
example:
type: aws:acmpca:CertificateAuthority
properties:
usageMode: SHORT_LIVED_CERTIFICATE
certificateAuthorityConfiguration:
keyAlgorithm: RSA_4096
signingAlgorithm: SHA512WITHRSA
subject:
commonName: example.com
Enable Certificate Revocation List
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const example = new aws.s3.BucketV2("example", {
bucket: "example",
forceDestroy: true,
});
const acmpcaBucketAccess = aws.iam.getPolicyDocumentOutput({
statements: [{
actions: [
"s3:GetBucketAcl",
"s3:GetBucketLocation",
"s3:PutObject",
"s3:PutObjectAcl",
],
resources: [
example.arn,
pulumi.interpolate`${example.arn}/*`,
],
principals: [{
identifiers: ["acm-pca.amazonaws.com"],
type: "Service",
}],
}],
});
const exampleBucketPolicy = new aws.s3.BucketPolicy("example", {
bucket: example.id,
policy: acmpcaBucketAccess.apply(acmpcaBucketAccess => acmpcaBucketAccess.json),
});
const exampleCertificateAuthority = new aws.acmpca.CertificateAuthority("example", {
certificateAuthorityConfiguration: {
keyAlgorithm: "RSA_4096",
signingAlgorithm: "SHA512WITHRSA",
subject: {
commonName: "example.com",
},
},
revocationConfiguration: {
crlConfiguration: {
customCname: "crl.example.com",
enabled: true,
expirationInDays: 7,
s3BucketName: example.id,
s3ObjectAcl: "BUCKET_OWNER_FULL_CONTROL",
},
},
}, {
dependsOn: [exampleBucketPolicy],
});
import pulumi
import pulumi_aws as aws
example = aws.s3.BucketV2("example",
bucket="example",
force_destroy=True)
acmpca_bucket_access = aws.iam.get_policy_document_output(statements=[{
"actions": [
"s3:GetBucketAcl",
"s3:GetBucketLocation",
"s3:PutObject",
"s3:PutObjectAcl",
],
"resources": [
example.arn,
example.arn.apply(lambda arn: f"{arn}/*"),
],
"principals": [{
"identifiers": ["acm-pca.amazonaws.com"],
"type": "Service",
}],
}])
example_bucket_policy = aws.s3.BucketPolicy("example",
bucket=example.id,
policy=acmpca_bucket_access.json)
example_certificate_authority = aws.acmpca.CertificateAuthority("example",
certificate_authority_configuration={
"key_algorithm": "RSA_4096",
"signing_algorithm": "SHA512WITHRSA",
"subject": {
"common_name": "example.com",
},
},
revocation_configuration={
"crl_configuration": {
"custom_cname": "crl.example.com",
"enabled": True,
"expiration_in_days": 7,
"s3_bucket_name": example.id,
"s3_object_acl": "BUCKET_OWNER_FULL_CONTROL",
},
},
opts = pulumi.ResourceOptions(depends_on=[example_bucket_policy]))
package main
import (
"fmt"
"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/acmpca"
"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/iam"
"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/s3"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
example, err := s3.NewBucketV2(ctx, "example", &s3.BucketV2Args{
Bucket: pulumi.String("example"),
ForceDestroy: pulumi.Bool(true),
})
if err != nil {
return err
}
acmpcaBucketAccess := iam.GetPolicyDocumentOutput(ctx, iam.GetPolicyDocumentOutputArgs{
Statements: iam.GetPolicyDocumentStatementArray{
&iam.GetPolicyDocumentStatementArgs{
Actions: pulumi.StringArray{
pulumi.String("s3:GetBucketAcl"),
pulumi.String("s3:GetBucketLocation"),
pulumi.String("s3:PutObject"),
pulumi.String("s3:PutObjectAcl"),
},
Resources: pulumi.StringArray{
example.Arn,
example.Arn.ApplyT(func(arn string) (string, error) {
return fmt.Sprintf("%v/*", arn), nil
}).(pulumi.StringOutput),
},
Principals: iam.GetPolicyDocumentStatementPrincipalArray{
&iam.GetPolicyDocumentStatementPrincipalArgs{
Identifiers: pulumi.StringArray{
pulumi.String("acm-pca.amazonaws.com"),
},
Type: pulumi.String("Service"),
},
},
},
},
}, nil)
exampleBucketPolicy, err := s3.NewBucketPolicy(ctx, "example", &s3.BucketPolicyArgs{
Bucket: example.ID(),
Policy: pulumi.String(acmpcaBucketAccess.ApplyT(func(acmpcaBucketAccess iam.GetPolicyDocumentResult) (*string, error) {
return &acmpcaBucketAccess.Json, nil
}).(pulumi.StringPtrOutput)),
})
if err != nil {
return err
}
_, err = acmpca.NewCertificateAuthority(ctx, "example", &acmpca.CertificateAuthorityArgs{
CertificateAuthorityConfiguration: &acmpca.CertificateAuthorityCertificateAuthorityConfigurationArgs{
KeyAlgorithm: pulumi.String("RSA_4096"),
SigningAlgorithm: pulumi.String("SHA512WITHRSA"),
Subject: &acmpca.CertificateAuthorityCertificateAuthorityConfigurationSubjectArgs{
CommonName: pulumi.String("example.com"),
},
},
RevocationConfiguration: &acmpca.CertificateAuthorityRevocationConfigurationArgs{
CrlConfiguration: &acmpca.CertificateAuthorityRevocationConfigurationCrlConfigurationArgs{
CustomCname: pulumi.String("crl.example.com"),
Enabled: pulumi.Bool(true),
ExpirationInDays: pulumi.Int(7),
S3BucketName: example.ID(),
S3ObjectAcl: pulumi.String("BUCKET_OWNER_FULL_CONTROL"),
},
},
}, pulumi.DependsOn([]pulumi.Resource{
exampleBucketPolicy,
}))
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
var example = new Aws.S3.BucketV2("example", new()
{
Bucket = "example",
ForceDestroy = true,
});
var acmpcaBucketAccess = Aws.Iam.GetPolicyDocument.Invoke(new()
{
Statements = new[]
{
new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs
{
Actions = new[]
{
"s3:GetBucketAcl",
"s3:GetBucketLocation",
"s3:PutObject",
"s3:PutObjectAcl",
},
Resources = new[]
{
example.Arn,
$"{example.Arn}/*",
},
Principals = new[]
{
new Aws.Iam.Inputs.GetPolicyDocumentStatementPrincipalInputArgs
{
Identifiers = new[]
{
"acm-pca.amazonaws.com",
},
Type = "Service",
},
},
},
},
});
var exampleBucketPolicy = new Aws.S3.BucketPolicy("example", new()
{
Bucket = example.Id,
Policy = acmpcaBucketAccess.Apply(getPolicyDocumentResult => getPolicyDocumentResult.Json),
});
var exampleCertificateAuthority = new Aws.Acmpca.CertificateAuthority("example", new()
{
CertificateAuthorityConfiguration = new Aws.Acmpca.Inputs.CertificateAuthorityCertificateAuthorityConfigurationArgs
{
KeyAlgorithm = "RSA_4096",
SigningAlgorithm = "SHA512WITHRSA",
Subject = new Aws.Acmpca.Inputs.CertificateAuthorityCertificateAuthorityConfigurationSubjectArgs
{
CommonName = "example.com",
},
},
RevocationConfiguration = new Aws.Acmpca.Inputs.CertificateAuthorityRevocationConfigurationArgs
{
CrlConfiguration = new Aws.Acmpca.Inputs.CertificateAuthorityRevocationConfigurationCrlConfigurationArgs
{
CustomCname = "crl.example.com",
Enabled = true,
ExpirationInDays = 7,
S3BucketName = example.Id,
S3ObjectAcl = "BUCKET_OWNER_FULL_CONTROL",
},
},
}, new CustomResourceOptions
{
DependsOn =
{
exampleBucketPolicy,
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.s3.BucketV2;
import com.pulumi.aws.s3.BucketV2Args;
import com.pulumi.aws.iam.IamFunctions;
import com.pulumi.aws.iam.inputs.GetPolicyDocumentArgs;
import com.pulumi.aws.s3.BucketPolicy;
import com.pulumi.aws.s3.BucketPolicyArgs;
import com.pulumi.aws.acmpca.CertificateAuthority;
import com.pulumi.aws.acmpca.CertificateAuthorityArgs;
import com.pulumi.aws.acmpca.inputs.CertificateAuthorityCertificateAuthorityConfigurationArgs;
import com.pulumi.aws.acmpca.inputs.CertificateAuthorityCertificateAuthorityConfigurationSubjectArgs;
import com.pulumi.aws.acmpca.inputs.CertificateAuthorityRevocationConfigurationArgs;
import com.pulumi.aws.acmpca.inputs.CertificateAuthorityRevocationConfigurationCrlConfigurationArgs;
import com.pulumi.resources.CustomResourceOptions;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var example = new BucketV2("example", BucketV2Args.builder()
.bucket("example")
.forceDestroy(true)
.build());
final var acmpcaBucketAccess = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
.statements(GetPolicyDocumentStatementArgs.builder()
.actions(
"s3:GetBucketAcl",
"s3:GetBucketLocation",
"s3:PutObject",
"s3:PutObjectAcl")
.resources(
example.arn(),
example.arn().applyValue(_arn -> String.format("%s/*", _arn)))
.principals(GetPolicyDocumentStatementPrincipalArgs.builder()
.identifiers("acm-pca.amazonaws.com")
.type("Service")
.build())
.build())
.build());
var exampleBucketPolicy = new BucketPolicy("exampleBucketPolicy", BucketPolicyArgs.builder()
.bucket(example.id())
.policy(acmpcaBucketAccess.applyValue(_acmpcaBucketAccess -> _acmpcaBucketAccess.json()))
.build());
var exampleCertificateAuthority = new CertificateAuthority("exampleCertificateAuthority", CertificateAuthorityArgs.builder()
.certificateAuthorityConfiguration(CertificateAuthorityCertificateAuthorityConfigurationArgs.builder()
.keyAlgorithm("RSA_4096")
.signingAlgorithm("SHA512WITHRSA")
.subject(CertificateAuthorityCertificateAuthorityConfigurationSubjectArgs.builder()
.commonName("example.com")
.build())
.build())
.revocationConfiguration(CertificateAuthorityRevocationConfigurationArgs.builder()
.crlConfiguration(CertificateAuthorityRevocationConfigurationCrlConfigurationArgs.builder()
.customCname("crl.example.com")
.enabled(true)
.expirationInDays(7)
.s3BucketName(example.id())
.s3ObjectAcl("BUCKET_OWNER_FULL_CONTROL")
.build())
.build())
.build(), CustomResourceOptions.builder()
.dependsOn(exampleBucketPolicy)
.build());
}
}
resources:
example:
type: aws:s3:BucketV2
properties:
bucket: example
forceDestroy: true
exampleBucketPolicy:
type: aws:s3:BucketPolicy
name: example
properties:
bucket: ${example.id}
policy: ${acmpcaBucketAccess.json}
exampleCertificateAuthority:
type: aws:acmpca:CertificateAuthority
name: example
properties:
certificateAuthorityConfiguration:
keyAlgorithm: RSA_4096
signingAlgorithm: SHA512WITHRSA
subject:
commonName: example.com
revocationConfiguration:
crlConfiguration:
customCname: crl.example.com
enabled: true
expirationInDays: 7
s3BucketName: ${example.id}
s3ObjectAcl: BUCKET_OWNER_FULL_CONTROL
options:
dependsOn:
- ${exampleBucketPolicy}
variables:
acmpcaBucketAccess:
fn::invoke:
function: aws:iam:getPolicyDocument
arguments:
statements:
- actions:
- s3:GetBucketAcl
- s3:GetBucketLocation
- s3:PutObject
- s3:PutObjectAcl
resources:
- ${example.arn}
- ${example.arn}/*
principals:
- identifiers:
- acm-pca.amazonaws.com
type: Service
Create CertificateAuthority Resource
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.
Constructor syntax
new CertificateAuthority(name: string, args: CertificateAuthorityArgs, opts?: CustomResourceOptions);@overload
def CertificateAuthority(resource_name: str,
args: CertificateAuthorityArgs,
opts: Optional[ResourceOptions] = None)
@overload
def CertificateAuthority(resource_name: str,
opts: Optional[ResourceOptions] = None,
certificate_authority_configuration: Optional[CertificateAuthorityCertificateAuthorityConfigurationArgs] = None,
enabled: Optional[bool] = None,
key_storage_security_standard: Optional[str] = None,
permanent_deletion_time_in_days: Optional[int] = None,
revocation_configuration: Optional[CertificateAuthorityRevocationConfigurationArgs] = None,
tags: Optional[Mapping[str, str]] = None,
type: Optional[str] = None,
usage_mode: Optional[str] = None)func NewCertificateAuthority(ctx *Context, name string, args CertificateAuthorityArgs, opts ...ResourceOption) (*CertificateAuthority, error)public CertificateAuthority(string name, CertificateAuthorityArgs args, CustomResourceOptions? opts = null)
public CertificateAuthority(String name, CertificateAuthorityArgs args)
public CertificateAuthority(String name, CertificateAuthorityArgs args, CustomResourceOptions options)
type: aws:acmpca:CertificateAuthority
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
Parameters
- name string
- The unique name of the resource.
- args CertificateAuthorityArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args CertificateAuthorityArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args CertificateAuthorityArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args CertificateAuthorityArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args CertificateAuthorityArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
Constructor example
The following reference example uses placeholder values for all input properties.
var certificateAuthorityResource = new Aws.Acmpca.CertificateAuthority("certificateAuthorityResource", new()
{
CertificateAuthorityConfiguration = new Aws.Acmpca.Inputs.CertificateAuthorityCertificateAuthorityConfigurationArgs
{
KeyAlgorithm = "string",
SigningAlgorithm = "string",
Subject = new Aws.Acmpca.Inputs.CertificateAuthorityCertificateAuthorityConfigurationSubjectArgs
{
CommonName = "string",
Country = "string",
DistinguishedNameQualifier = "string",
GenerationQualifier = "string",
GivenName = "string",
Initials = "string",
Locality = "string",
Organization = "string",
OrganizationalUnit = "string",
Pseudonym = "string",
State = "string",
Surname = "string",
Title = "string",
},
},
Enabled = false,
KeyStorageSecurityStandard = "string",
PermanentDeletionTimeInDays = 0,
RevocationConfiguration = new Aws.Acmpca.Inputs.CertificateAuthorityRevocationConfigurationArgs
{
CrlConfiguration = new Aws.Acmpca.Inputs.CertificateAuthorityRevocationConfigurationCrlConfigurationArgs
{
CustomCname = "string",
Enabled = false,
ExpirationInDays = 0,
S3BucketName = "string",
S3ObjectAcl = "string",
},
OcspConfiguration = new Aws.Acmpca.Inputs.CertificateAuthorityRevocationConfigurationOcspConfigurationArgs
{
Enabled = false,
OcspCustomCname = "string",
},
},
Tags =
{
{ "string", "string" },
},
Type = "string",
UsageMode = "string",
});
example, err := acmpca.NewCertificateAuthority(ctx, "certificateAuthorityResource", &acmpca.CertificateAuthorityArgs{
CertificateAuthorityConfiguration: &acmpca.CertificateAuthorityCertificateAuthorityConfigurationArgs{
KeyAlgorithm: pulumi.String("string"),
SigningAlgorithm: pulumi.String("string"),
Subject: &acmpca.CertificateAuthorityCertificateAuthorityConfigurationSubjectArgs{
CommonName: pulumi.String("string"),
Country: pulumi.String("string"),
DistinguishedNameQualifier: pulumi.String("string"),
GenerationQualifier: pulumi.String("string"),
GivenName: pulumi.String("string"),
Initials: pulumi.String("string"),
Locality: pulumi.String("string"),
Organization: pulumi.String("string"),
OrganizationalUnit: pulumi.String("string"),
Pseudonym: pulumi.String("string"),
State: pulumi.String("string"),
Surname: pulumi.String("string"),
Title: pulumi.String("string"),
},
},
Enabled: pulumi.Bool(false),
KeyStorageSecurityStandard: pulumi.String("string"),
PermanentDeletionTimeInDays: pulumi.Int(0),
RevocationConfiguration: &acmpca.CertificateAuthorityRevocationConfigurationArgs{
CrlConfiguration: &acmpca.CertificateAuthorityRevocationConfigurationCrlConfigurationArgs{
CustomCname: pulumi.String("string"),
Enabled: pulumi.Bool(false),
ExpirationInDays: pulumi.Int(0),
S3BucketName: pulumi.String("string"),
S3ObjectAcl: pulumi.String("string"),
},
OcspConfiguration: &acmpca.CertificateAuthorityRevocationConfigurationOcspConfigurationArgs{
Enabled: pulumi.Bool(false),
OcspCustomCname: pulumi.String("string"),
},
},
Tags: pulumi.StringMap{
"string": pulumi.String("string"),
},
Type: pulumi.String("string"),
UsageMode: pulumi.String("string"),
})
var certificateAuthorityResource = new CertificateAuthority("certificateAuthorityResource", CertificateAuthorityArgs.builder()
.certificateAuthorityConfiguration(CertificateAuthorityCertificateAuthorityConfigurationArgs.builder()
.keyAlgorithm("string")
.signingAlgorithm("string")
.subject(CertificateAuthorityCertificateAuthorityConfigurationSubjectArgs.builder()
.commonName("string")
.country("string")
.distinguishedNameQualifier("string")
.generationQualifier("string")
.givenName("string")
.initials("string")
.locality("string")
.organization("string")
.organizationalUnit("string")
.pseudonym("string")
.state("string")
.surname("string")
.title("string")
.build())
.build())
.enabled(false)
.keyStorageSecurityStandard("string")
.permanentDeletionTimeInDays(0)
.revocationConfiguration(CertificateAuthorityRevocationConfigurationArgs.builder()
.crlConfiguration(CertificateAuthorityRevocationConfigurationCrlConfigurationArgs.builder()
.customCname("string")
.enabled(false)
.expirationInDays(0)
.s3BucketName("string")
.s3ObjectAcl("string")
.build())
.ocspConfiguration(CertificateAuthorityRevocationConfigurationOcspConfigurationArgs.builder()
.enabled(false)
.ocspCustomCname("string")
.build())
.build())
.tags(Map.of("string", "string"))
.type("string")
.usageMode("string")
.build());
certificate_authority_resource = aws.acmpca.CertificateAuthority("certificateAuthorityResource",
certificate_authority_configuration={
"key_algorithm": "string",
"signing_algorithm": "string",
"subject": {
"common_name": "string",
"country": "string",
"distinguished_name_qualifier": "string",
"generation_qualifier": "string",
"given_name": "string",
"initials": "string",
"locality": "string",
"organization": "string",
"organizational_unit": "string",
"pseudonym": "string",
"state": "string",
"surname": "string",
"title": "string",
},
},
enabled=False,
key_storage_security_standard="string",
permanent_deletion_time_in_days=0,
revocation_configuration={
"crl_configuration": {
"custom_cname": "string",
"enabled": False,
"expiration_in_days": 0,
"s3_bucket_name": "string",
"s3_object_acl": "string",
},
"ocsp_configuration": {
"enabled": False,
"ocsp_custom_cname": "string",
},
},
tags={
"string": "string",
},
type="string",
usage_mode="string")
const certificateAuthorityResource = new aws.acmpca.CertificateAuthority("certificateAuthorityResource", {
certificateAuthorityConfiguration: {
keyAlgorithm: "string",
signingAlgorithm: "string",
subject: {
commonName: "string",
country: "string",
distinguishedNameQualifier: "string",
generationQualifier: "string",
givenName: "string",
initials: "string",
locality: "string",
organization: "string",
organizationalUnit: "string",
pseudonym: "string",
state: "string",
surname: "string",
title: "string",
},
},
enabled: false,
keyStorageSecurityStandard: "string",
permanentDeletionTimeInDays: 0,
revocationConfiguration: {
crlConfiguration: {
customCname: "string",
enabled: false,
expirationInDays: 0,
s3BucketName: "string",
s3ObjectAcl: "string",
},
ocspConfiguration: {
enabled: false,
ocspCustomCname: "string",
},
},
tags: {
string: "string",
},
type: "string",
usageMode: "string",
});
type: aws:acmpca:CertificateAuthority
properties:
certificateAuthorityConfiguration:
keyAlgorithm: string
signingAlgorithm: string
subject:
commonName: string
country: string
distinguishedNameQualifier: string
generationQualifier: string
givenName: string
initials: string
locality: string
organization: string
organizationalUnit: string
pseudonym: string
state: string
surname: string
title: string
enabled: false
keyStorageSecurityStandard: string
permanentDeletionTimeInDays: 0
revocationConfiguration:
crlConfiguration:
customCname: string
enabled: false
expirationInDays: 0
s3BucketName: string
s3ObjectAcl: string
ocspConfiguration:
enabled: false
ocspCustomCname: string
tags:
string: string
type: string
usageMode: string
CertificateAuthority Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.
The CertificateAuthority resource accepts the following input properties:
-
Certificate
Authority Certificate Authority Configuration - Nested argument containing algorithms and certificate subject information. Defined below.
- Enabled bool
- Whether the certificate authority is enabled or disabled. Defaults to
true. Can only be disabled if the CA is in anACTIVEstate. - Key
Storage stringSecurity Standard - Cryptographic key management compliance standard used for handling CA keys. Defaults to
FIPS_140_2_LEVEL_3_OR_HIGHER. Valid values:FIPS_140_2_LEVEL_3_OR_HIGHERandFIPS_140_2_LEVEL_2_OR_HIGHER. Supported standard for each region can be found in the Storage and security compliance of AWS Private CA private keys Documentation. - Permanent
Deletion intTime In Days - Number of days to make a CA restorable after it has been deleted, must be between 7 to 30 days, with default to 30 days.
- Revocation
Configuration CertificateAuthority Revocation Configuration - Nested argument containing revocation configuration. Defined below.
- Dictionary<string, string>
- Key-value map of user-defined tags that are attached to the certificate authority. If configured with a provider
default_tagsconfiguration block present, tags with matching keys will overwrite those defined at the provider-level. - Type string
- Type of the certificate authority. Defaults to
SUBORDINATE. Valid values:ROOTandSUBORDINATE. - Usage
Mode string - Specifies whether the CA issues general-purpose certificates that typically require a revocation mechanism, or short-lived certificates that may optionally omit revocation because they expire quickly. Short-lived certificate validity is limited to seven days. Defaults to
GENERAL_PURPOSE. Valid values:GENERAL_PURPOSEandSHORT_LIVED_CERTIFICATE.
-
Certificate
Authority Certificate Authority Configuration Args - Nested argument containing algorithms and certificate subject information. Defined below.
- Enabled bool
- Whether the certificate authority is enabled or disabled. Defaults to
true. Can only be disabled if the CA is in anACTIVEstate. - Key
Storage stringSecurity Standard - Cryptographic key management compliance standard used for handling CA keys. Defaults to
FIPS_140_2_LEVEL_3_OR_HIGHER. Valid values:FIPS_140_2_LEVEL_3_OR_HIGHERandFIPS_140_2_LEVEL_2_OR_HIGHER. Supported standard for each region can be found in the Storage and security compliance of AWS Private CA private keys Documentation. - Permanent
Deletion intTime In Days - Number of days to make a CA restorable after it has been deleted, must be between 7 to 30 days, with default to 30 days.
- Revocation
Configuration CertificateAuthority Revocation Configuration Args - Nested argument containing revocation configuration. Defined below.
- map[string]string
- Key-value map of user-defined tags that are attached to the certificate authority. If configured with a provider
default_tagsconfiguration block present, tags with matching keys will overwrite those defined at the provider-level. - Type string
- Type of the certificate authority. Defaults to
SUBORDINATE. Valid values:ROOTandSUBORDINATE. - Usage
Mode string - Specifies whether the CA issues general-purpose certificates that typically require a revocation mechanism, or short-lived certificates that may optionally omit revocation because they expire quickly. Short-lived certificate validity is limited to seven days. Defaults to
GENERAL_PURPOSE. Valid values:GENERAL_PURPOSEandSHORT_LIVED_CERTIFICATE.
-
Certificate
Authority Certificate Authority Configuration - Nested argument containing algorithms and certificate subject information. Defined below.
- enabled Boolean
- Whether the certificate authority is enabled or disabled. Defaults to
true. Can only be disabled if the CA is in anACTIVEstate. - key
Storage StringSecurity Standard - Cryptographic key management compliance standard used for handling CA keys. Defaults to
FIPS_140_2_LEVEL_3_OR_HIGHER. Valid values:FIPS_140_2_LEVEL_3_OR_HIGHERandFIPS_140_2_LEVEL_2_OR_HIGHER. Supported standard for each region can be found in the Storage and security compliance of AWS Private CA private keys Documentation. - permanent
Deletion IntegerTime In Days - Number of days to make a CA restorable after it has been deleted, must be between 7 to 30 days, with default to 30 days.
- revocation
Configuration CertificateAuthority Revocation Configuration - Nested argument containing revocation configuration. Defined below.
- Map<String,String>
- Key-value map of user-defined tags that are attached to the certificate authority. If configured with a provider
default_tagsconfiguration block present, tags with matching keys will overwrite those defined at the provider-level. - type String
- Type of the certificate authority. Defaults to
SUBORDINATE. Valid values:ROOTandSUBORDINATE. - usage
Mode String - Specifies whether the CA issues general-purpose certificates that typically require a revocation mechanism, or short-lived certificates that may optionally omit revocation because they expire quickly. Short-lived certificate validity is limited to seven days. Defaults to
GENERAL_PURPOSE. Valid values:GENERAL_PURPOSEandSHORT_LIVED_CERTIFICATE.
-
Certificate
Authority Certificate Authority Configuration - Nested argument containing algorithms and certificate subject information. Defined below.
- enabled boolean
- Whether the certificate authority is enabled or disabled. Defaults to
true. Can only be disabled if the CA is in anACTIVEstate. - key
Storage stringSecurity Standard - Cryptographic key management compliance standard used for handling CA keys. Defaults to
FIPS_140_2_LEVEL_3_OR_HIGHER. Valid values:FIPS_140_2_LEVEL_3_OR_HIGHERandFIPS_140_2_LEVEL_2_OR_HIGHER. Supported standard for each region can be found in the Storage and security compliance of AWS Private CA private keys Documentation. - permanent
Deletion numberTime In Days - Number of days to make a CA restorable after it has been deleted, must be between 7 to 30 days, with default to 30 days.
- revocation
Configuration CertificateAuthority Revocation Configuration - Nested argument containing revocation configuration. Defined below.
- {[key: string]: string}
- Key-value map of user-defined tags that are attached to the certificate authority. If configured with a provider
default_tagsconfiguration block present, tags with matching keys will overwrite those defined at the provider-level. - type string
- Type of the certificate authority. Defaults to
SUBORDINATE. Valid values:ROOTandSUBORDINATE. - usage
Mode string - Specifies whether the CA issues general-purpose certificates that typically require a revocation mechanism, or short-lived certificates that may optionally omit revocation because they expire quickly. Short-lived certificate validity is limited to seven days. Defaults to
GENERAL_PURPOSE. Valid values:GENERAL_PURPOSEandSHORT_LIVED_CERTIFICATE.
-
Certificate
Authority Certificate Authority Configuration Args - Nested argument containing algorithms and certificate subject information. Defined below.
- enabled bool
- Whether the certificate authority is enabled or disabled. Defaults to
true. Can only be disabled if the CA is in anACTIVEstate. - key_
storage_ strsecurity_ standard - Cryptographic key management compliance standard used for handling CA keys. Defaults to
FIPS_140_2_LEVEL_3_OR_HIGHER. Valid values:FIPS_140_2_LEVEL_3_OR_HIGHERandFIPS_140_2_LEVEL_2_OR_HIGHER. Supported standard for each region can be found in the Storage and security compliance of AWS Private CA private keys Documentation. - permanent_
deletion_ inttime_ in_ days - Number of days to make a CA restorable after it has been deleted, must be between 7 to 30 days, with default to 30 days.
- revocation_
configuration CertificateAuthority Revocation Configuration Args - Nested argument containing revocation configuration. Defined below.
- Mapping[str, str]
- Key-value map of user-defined tags that are attached to the certificate authority. If configured with a provider
default_tagsconfiguration block present, tags with matching keys will overwrite those defined at the provider-level. - type str
- Type of the certificate authority. Defaults to
SUBORDINATE. Valid values:ROOTandSUBORDINATE. - usage_
mode str - Specifies whether the CA issues general-purpose certificates that typically require a revocation mechanism, or short-lived certificates that may optionally omit revocation because they expire quickly. Short-lived certificate validity is limited to seven days. Defaults to
GENERAL_PURPOSE. Valid values:GENERAL_PURPOSEandSHORT_LIVED_CERTIFICATE.
- Property Map
- Nested argument containing algorithms and certificate subject information. Defined below.
- enabled Boolean
- Whether the certificate authority is enabled or disabled. Defaults to
true. Can only be disabled if the CA is in anACTIVEstate. - key
Storage StringSecurity Standard - Cryptographic key management compliance standard used for handling CA keys. Defaults to
FIPS_140_2_LEVEL_3_OR_HIGHER. Valid values:FIPS_140_2_LEVEL_3_OR_HIGHERandFIPS_140_2_LEVEL_2_OR_HIGHER. Supported standard for each region can be found in the Storage and security compliance of AWS Private CA private keys Documentation. - permanent
Deletion NumberTime In Days - Number of days to make a CA restorable after it has been deleted, must be between 7 to 30 days, with default to 30 days.
- revocation
Configuration Property Map - Nested argument containing revocation configuration. Defined below.
- Map<String>
- Key-value map of user-defined tags that are attached to the certificate authority. If configured with a provider
default_tagsconfiguration block present, tags with matching keys will overwrite those defined at the provider-level. - type String
- Type of the certificate authority. Defaults to
SUBORDINATE. Valid values:ROOTandSUBORDINATE. - usage
Mode String - Specifies whether the CA issues general-purpose certificates that typically require a revocation mechanism, or short-lived certificates that may optionally omit revocation because they expire quickly. Short-lived certificate validity is limited to seven days. Defaults to
GENERAL_PURPOSE. Valid values:GENERAL_PURPOSEandSHORT_LIVED_CERTIFICATE.
Outputs
All input properties are implicitly available as output properties. Additionally, the CertificateAuthority resource produces the following output properties:
- Arn string
- ARN of the certificate authority.
- Certificate string
- Base64-encoded certificate authority (CA) certificate. Only available after the certificate authority certificate has been imported.
- Certificate
Chain string - Base64-encoded certificate chain that includes any intermediate certificates and chains up to root on-premises certificate that you used to sign your private CA certificate. The chain does not include your private CA certificate. Only available after the certificate authority certificate has been imported.
- Certificate
Signing stringRequest - The base64 PEM-encoded certificate signing request (CSR) for your private CA certificate.
- Id string
- The provider-assigned unique ID for this managed resource.
- Not
After string - Date and time after which the certificate authority is not valid. Only available after the certificate authority certificate has been imported.
- Not
Before string - Date and time before which the certificate authority is not valid. Only available after the certificate authority certificate has been imported.
- Serial string
- Serial number of the certificate authority. Only available after the certificate authority certificate has been imported.
- Dictionary<string, string>
- Map of tags assigned to the resource, including those inherited from the provider
default_tagsconfiguration block.
- Arn string
- ARN of the certificate authority.
- Certificate string
- Base64-encoded certificate authority (CA) certificate. Only available after the certificate authority certificate has been imported.
- Certificate
Chain string - Base64-encoded certificate chain that includes any intermediate certificates and chains up to root on-premises certificate that you used to sign your private CA certificate. The chain does not include your private CA certificate. Only available after the certificate authority certificate has been imported.
- Certificate
Signing stringRequest - The base64 PEM-encoded certificate signing request (CSR) for your private CA certificate.
- Id string
- The provider-assigned unique ID for this managed resource.
- Not
After string - Date and time after which the certificate authority is not valid. Only available after the certificate authority certificate has been imported.
- Not
Before string - Date and time before which the certificate authority is not valid. Only available after the certificate authority certificate has been imported.
- Serial string
- Serial number of the certificate authority. Only available after the certificate authority certificate has been imported.
- map[string]string
- Map of tags assigned to the resource, including those inherited from the provider
default_tagsconfiguration block.
- arn String
- ARN of the certificate authority.
- certificate String
- Base64-encoded certificate authority (CA) certificate. Only available after the certificate authority certificate has been imported.
- certificate
Chain String - Base64-encoded certificate chain that includes any intermediate certificates and chains up to root on-premises certificate that you used to sign your private CA certificate. The chain does not include your private CA certificate. Only available after the certificate authority certificate has been imported.
- certificate
Signing StringRequest - The base64 PEM-encoded certificate signing request (CSR) for your private CA certificate.
- id String
- The provider-assigned unique ID for this managed resource.
- not
After String - Date and time after which the certificate authority is not valid. Only available after the certificate authority certificate has been imported.
- not
Before String - Date and time before which the certificate authority is not valid. Only available after the certificate authority certificate has been imported.
- serial String
- Serial number of the certificate authority. Only available after the certificate authority certificate has been imported.
- Map<String,String>
- Map of tags assigned to the resource, including those inherited from the provider
default_tagsconfiguration block.
- arn string
- ARN of the certificate authority.
- certificate string
- Base64-encoded certificate authority (CA) certificate. Only available after the certificate authority certificate has been imported.
- certificate
Chain string - Base64-encoded certificate chain that includes any intermediate certificates and chains up to root on-premises certificate that you used to sign your private CA certificate. The chain does not include your private CA certificate. Only available after the certificate authority certificate has been imported.
- certificate
Signing stringRequest - The base64 PEM-encoded certificate signing request (CSR) for your private CA certificate.
- id string
- The provider-assigned unique ID for this managed resource.
- not
After string - Date and time after which the certificate authority is not valid. Only available after the certificate authority certificate has been imported.
- not
Before string - Date and time before which the certificate authority is not valid. Only available after the certificate authority certificate has been imported.
- serial string
- Serial number of the certificate authority. Only available after the certificate authority certificate has been imported.
- {[key: string]: string}
- Map of tags assigned to the resource, including those inherited from the provider
default_tagsconfiguration block.
- arn str
- ARN of the certificate authority.
- certificate str
- Base64-encoded certificate authority (CA) certificate. Only available after the certificate authority certificate has been imported.
- certificate_
chain str - Base64-encoded certificate chain that includes any intermediate certificates and chains up to root on-premises certificate that you used to sign your private CA certificate. The chain does not include your private CA certificate. Only available after the certificate authority certificate has been imported.
- certificate_
signing_ strrequest - The base64 PEM-encoded certificate signing request (CSR) for your private CA certificate.
- id str
- The provider-assigned unique ID for this managed resource.
- not_
after str - Date and time after which the certificate authority is not valid. Only available after the certificate authority certificate has been imported.
- not_
before str - Date and time before which the certificate authority is not valid. Only available after the certificate authority certificate has been imported.
- serial str
- Serial number of the certificate authority. Only available after the certificate authority certificate has been imported.
- Mapping[str, str]
- Map of tags assigned to the resource, including those inherited from the provider
default_tagsconfiguration block.
- arn String
- ARN of the certificate authority.
- certificate String
- Base64-encoded certificate authority (CA) certificate. Only available after the certificate authority certificate has been imported.
- certificate
Chain String - Base64-encoded certificate chain that includes any intermediate certificates and chains up to root on-premises certificate that you used to sign your private CA certificate. The chain does not include your private CA certificate. Only available after the certificate authority certificate has been imported.
- certificate
Signing StringRequest - The base64 PEM-encoded certificate signing request (CSR) for your private CA certificate.
- id String
- The provider-assigned unique ID for this managed resource.
- not
After String - Date and time after which the certificate authority is not valid. Only available after the certificate authority certificate has been imported.
- not
Before String - Date and time before which the certificate authority is not valid. Only available after the certificate authority certificate has been imported.
- serial String
- Serial number of the certificate authority. Only available after the certificate authority certificate has been imported.
- Map<String>
- Map of tags assigned to the resource, including those inherited from the provider
default_tagsconfiguration block.
Look up Existing CertificateAuthority Resource
Get an existing CertificateAuthority resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: CertificateAuthorityState, opts?: CustomResourceOptions): CertificateAuthority@staticmethod
def get(resource_name: str,
id: str,
opts: Optional[ResourceOptions] = None,
arn: Optional[str] = None,
certificate: Optional[str] = None,
certificate_authority_configuration: Optional[CertificateAuthorityCertificateAuthorityConfigurationArgs] = None,
certificate_chain: Optional[str] = None,
certificate_signing_request: Optional[str] = None,
enabled: Optional[bool] = None,
key_storage_security_standard: Optional[str] = None,
not_after: Optional[str] = None,
not_before: Optional[str] = None,
permanent_deletion_time_in_days: Optional[int] = None,
revocation_configuration: Optional[CertificateAuthorityRevocationConfigurationArgs] = None,
serial: Optional[str] = None,
tags: Optional[Mapping[str, str]] = None,
tags_all: Optional[Mapping[str, str]] = None,
type: Optional[str] = None,
usage_mode: Optional[str] = None) -> CertificateAuthorityfunc GetCertificateAuthority(ctx *Context, name string, id IDInput, state *CertificateAuthorityState, opts ...ResourceOption) (*CertificateAuthority, error)public static CertificateAuthority Get(string name, Input<string> id, CertificateAuthorityState? state, CustomResourceOptions? opts = null)public static CertificateAuthority get(String name, Output<String> id, CertificateAuthorityState state, CustomResourceOptions options)resources: _: type: aws:acmpca:CertificateAuthority get: id: ${id}- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- Arn string
- ARN of the certificate authority.
- Certificate string
- Base64-encoded certificate authority (CA) certificate. Only available after the certificate authority certificate has been imported.
-
Certificate
Authority Certificate Authority Configuration - Nested argument containing algorithms and certificate subject information. Defined below.
- Certificate
Chain string - Base64-encoded certificate chain that includes any intermediate certificates and chains up to root on-premises certificate that you used to sign your private CA certificate. The chain does not include your private CA certificate. Only available after the certificate authority certificate has been imported.
- Certificate
Signing stringRequest - The base64 PEM-encoded certificate signing request (CSR) for your private CA certificate.
- Enabled bool
- Whether the certificate authority is enabled or disabled. Defaults to
true. Can only be disabled if the CA is in anACTIVEstate. - Key
Storage stringSecurity Standard - Cryptographic key management compliance standard used for handling CA keys. Defaults to
FIPS_140_2_LEVEL_3_OR_HIGHER. Valid values:FIPS_140_2_LEVEL_3_OR_HIGHERandFIPS_140_2_LEVEL_2_OR_HIGHER. Supported standard for each region can be found in the Storage and security compliance of AWS Private CA private keys Documentation. - Not
After string - Date and time after which the certificate authority is not valid. Only available after the certificate authority certificate has been imported.
- Not
Before string - Date and time before which the certificate authority is not valid. Only available after the certificate authority certificate has been imported.
- Permanent
Deletion intTime In Days - Number of days to make a CA restorable after it has been deleted, must be between 7 to 30 days, with default to 30 days.
- Revocation
Configuration CertificateAuthority Revocation Configuration - Nested argument containing revocation configuration. Defined below.
- Serial string
- Serial number of the certificate authority. Only available after the certificate authority certificate has been imported.
- Dictionary<string, string>
- Key-value map of user-defined tags that are attached to the certificate authority. If configured with a provider
default_tagsconfiguration block present, tags with matching keys will overwrite those defined at the provider-level. - Dictionary<string, string>
- Map of tags assigned to the resource, including those inherited from the provider
default_tagsconfiguration block. - Type string
- Type of the certificate authority. Defaults to
SUBORDINATE. Valid values:ROOTandSUBORDINATE. - Usage
Mode string - Specifies whether the CA issues general-purpose certificates that typically require a revocation mechanism, or short-lived certificates that may optionally omit revocation because they expire quickly. Short-lived certificate validity is limited to seven days. Defaults to
GENERAL_PURPOSE. Valid values:GENERAL_PURPOSEandSHORT_LIVED_CERTIFICATE.
- Arn string
- ARN of the certificate authority.
- Certificate string
- Base64-encoded certificate authority (CA) certificate. Only available after the certificate authority certificate has been imported.
-
Certificate
Authority Certificate Authority Configuration Args - Nested argument containing algorithms and certificate subject information. Defined below.
- Certificate
Chain string - Base64-encoded certificate chain that includes any intermediate certificates and chains up to root on-premises certificate that you used to sign your private CA certificate. The chain does not include your private CA certificate. Only available after the certificate authority certificate has been imported.
- Certificate
Signing stringRequest - The base64 PEM-encoded certificate signing request (CSR) for your private CA certificate.
- Enabled bool
- Whether the certificate authority is enabled or disabled. Defaults to
true. Can only be disabled if the CA is in anACTIVEstate. - Key
Storage stringSecurity Standard - Cryptographic key management compliance standard used for handling CA keys. Defaults to
FIPS_140_2_LEVEL_3_OR_HIGHER. Valid values:FIPS_140_2_LEVEL_3_OR_HIGHERandFIPS_140_2_LEVEL_2_OR_HIGHER. Supported standard for each region can be found in the Storage and security compliance of AWS Private CA private keys Documentation. - Not
After string - Date and time after which the certificate authority is not valid. Only available after the certificate authority certificate has been imported.
- Not
Before string - Date and time before which the certificate authority is not valid. Only available after the certificate authority certificate has been imported.
- Permanent
Deletion intTime In Days - Number of days to make a CA restorable after it has been deleted, must be between 7 to 30 days, with default to 30 days.
- Revocation
Configuration CertificateAuthority Revocation Configuration Args - Nested argument containing revocation configuration. Defined below.
- Serial string
- Serial number of the certificate authority. Only available after the certificate authority certificate has been imported.
- map[string]string
- Key-value map of user-defined tags that are attached to the certificate authority. If configured with a provider
default_tagsconfiguration block present, tags with matching keys will overwrite those defined at the provider-level. - map[string]string
- Map of tags assigned to the resource, including those inherited from the provider
default_tagsconfiguration block. - Type string
- Type of the certificate authority. Defaults to
SUBORDINATE. Valid values:ROOTandSUBORDINATE. - Usage
Mode string - Specifies whether the CA issues general-purpose certificates that typically require a revocation mechanism, or short-lived certificates that may optionally omit revocation because they expire quickly. Short-lived certificate validity is limited to seven days. Defaults to
GENERAL_PURPOSE. Valid values:GENERAL_PURPOSEandSHORT_LIVED_CERTIFICATE.
- arn String
- ARN of the certificate authority.
- certificate String
- Base64-encoded certificate authority (CA) certificate. Only available after the certificate authority certificate has been imported.
-
Certificate
Authority Certificate Authority Configuration - Nested argument containing algorithms and certificate subject information. Defined below.
- certificate
Chain String - Base64-encoded certificate chain that includes any intermediate certificates and chains up to root on-premises certificate that you used to sign your private CA certificate. The chain does not include your private CA certificate. Only available after the certificate authority certificate has been imported.
- certificate
Signing StringRequest - The base64 PEM-encoded certificate signing request (CSR) for your private CA certificate.
- enabled Boolean
- Whether the certificate authority is enabled or disabled. Defaults to
true. Can only be disabled if the CA is in anACTIVEstate. - key
Storage StringSecurity Standard - Cryptographic key management compliance standard used for handling CA keys. Defaults to
FIPS_140_2_LEVEL_3_OR_HIGHER. Valid values:FIPS_140_2_LEVEL_3_OR_HIGHERandFIPS_140_2_LEVEL_2_OR_HIGHER. Supported standard for each region can be found in the Storage and security compliance of AWS Private CA private keys Documentation. - not
After String - Date and time after which the certificate authority is not valid. Only available after the certificate authority certificate has been imported.
- not
Before String - Date and time before which the certificate authority is not valid. Only available after the certificate authority certificate has been imported.
- permanent
Deletion IntegerTime In Days - Number of days to make a CA restorable after it has been deleted, must be between 7 to 30 days, with default to 30 days.
- revocation
Configuration CertificateAuthority Revocation Configuration - Nested argument containing revocation configuration. Defined below.
- serial String
- Serial number of the certificate authority. Only available after the certificate authority certificate has been imported.
- Map<String,String>
- Key-value map of user-defined tags that are attached to the certificate authority. If configured with a provider
default_tagsconfiguration block present, tags with matching keys will overwrite those defined at the provider-level. - Map<String,String>
- Map of tags assigned to the resource, including those inherited from the provider
default_tagsconfiguration block. - type String
- Type of the certificate authority. Defaults to
SUBORDINATE. Valid values:ROOTandSUBORDINATE. - usage
Mode String - Specifies whether the CA issues general-purpose certificates that typically require a revocation mechanism, or short-lived certificates that may optionally omit revocation because they expire quickly. Short-lived certificate validity is limited to seven days. Defaults to
GENERAL_PURPOSE. Valid values:GENERAL_PURPOSEandSHORT_LIVED_CERTIFICATE.
- arn string
- ARN of the certificate authority.
- certificate string
- Base64-encoded certificate authority (CA) certificate. Only available after the certificate authority certificate has been imported.
-
Certificate
Authority Certificate Authority Configuration - Nested argument containing algorithms and certificate subject information. Defined below.
- certificate
Chain string - Base64-encoded certificate chain that includes any intermediate certificates and chains up to root on-premises certificate that you used to sign your private CA certificate. The chain does not include your private CA certificate. Only available after the certificate authority certificate has been imported.
- certificate
Signing stringRequest - The base64 PEM-encoded certificate signing request (CSR) for your private CA certificate.
- enabled boolean
- Whether the certificate authority is enabled or disabled. Defaults to
true. Can only be disabled if the CA is in anACTIVEstate. - key
Storage stringSecurity Standard - Cryptographic key management compliance standard used for handling CA keys. Defaults to
FIPS_140_2_LEVEL_3_OR_HIGHER. Valid values:FIPS_140_2_LEVEL_3_OR_HIGHERandFIPS_140_2_LEVEL_2_OR_HIGHER. Supported standard for each region can be found in the Storage and security compliance of AWS Private CA private keys Documentation. - not
After string - Date and time after which the certificate authority is not valid. Only available after the certificate authority certificate has been imported.
- not
Before string - Date and time before which the certificate authority is not valid. Only available after the certificate authority certificate has been imported.
- permanent
Deletion numberTime In Days - Number of days to make a CA restorable after it has been deleted, must be between 7 to 30 days, with default to 30 days.
- revocation
Configuration CertificateAuthority Revocation Configuration - Nested argument containing revocation configuration. Defined below.
- serial string
- Serial number of the certificate authority. Only available after the certificate authority certificate has been imported.
- {[key: string]: string}
- Key-value map of user-defined tags that are attached to the certificate authority. If configured with a provider
default_tagsconfiguration block present, tags with matching keys will overwrite those defined at the provider-level. - {[key: string]: string}
- Map of tags assigned to the resource, including those inherited from the provider
default_tagsconfiguration block. - type string
- Type of the certificate authority. Defaults to
SUBORDINATE. Valid values:ROOTandSUBORDINATE. - usage
Mode string - Specifies whether the CA issues general-purpose certificates that typically require a revocation mechanism, or short-lived certificates that may optionally omit revocation because they expire quickly. Short-lived certificate validity is limited to seven days. Defaults to
GENERAL_PURPOSE. Valid values:GENERAL_PURPOSEandSHORT_LIVED_CERTIFICATE.
- arn str
- ARN of the certificate authority.
- certificate str
- Base64-encoded certificate authority (CA) certificate. Only available after the certificate authority certificate has been imported.
-
Certificate
Authority Certificate Authority Configuration Args - Nested argument containing algorithms and certificate subject information. Defined below.
- certificate_
chain str - Base64-encoded certificate chain that includes any intermediate certificates and chains up to root on-premises certificate that you used to sign your private CA certificate. The chain does not include your private CA certificate. Only available after the certificate authority certificate has been imported.
- certificate_
signing_ strrequest - The base64 PEM-encoded certificate signing request (CSR) for your private CA certificate.
- enabled bool
- Whether the certificate authority is enabled or disabled. Defaults to
true. Can only be disabled if the CA is in anACTIVEstate. - key_
storage_ strsecurity_ standard - Cryptographic key management compliance standard used for handling CA keys. Defaults to
FIPS_140_2_LEVEL_3_OR_HIGHER. Valid values:FIPS_140_2_LEVEL_3_OR_HIGHERandFIPS_140_2_LEVEL_2_OR_HIGHER. Supported standard for each region can be found in the Storage and security compliance of AWS Private CA private keys Documentation. - not_
after str - Date and time after which the certificate authority is not valid. Only available after the certificate authority certificate has been imported.
- not_
before str - Date and time before which the certificate authority is not valid. Only available after the certificate authority certificate has been imported.
- permanent_
deletion_ inttime_ in_ days - Number of days to make a CA restorable after it has been deleted, must be between 7 to 30 days, with default to 30 days.
- revocation_
configuration CertificateAuthority Revocation Configuration Args - Nested argument containing revocation configuration. Defined below.
- serial str
- Serial number of the certificate authority. Only available after the certificate authority certificate has been imported.
- Mapping[str, str]
- Key-value map of user-defined tags that are attached to the certificate authority. If configured with a provider
default_tagsconfiguration block present, tags with matching keys will overwrite those defined at the provider-level. - Mapping[str, str]
- Map of tags assigned to the resource, including those inherited from the provider
default_tagsconfiguration block. - type str
- Type of the certificate authority. Defaults to
SUBORDINATE. Valid values:ROOTandSUBORDINATE. - usage_
mode str - Specifies whether the CA issues general-purpose certificates that typically require a revocation mechanism, or short-lived certificates that may optionally omit revocation because they expire quickly. Short-lived certificate validity is limited to seven days. Defaults to
GENERAL_PURPOSE. Valid values:GENERAL_PURPOSEandSHORT_LIVED_CERTIFICATE.
- arn String
- ARN of the certificate authority.
- certificate String
- Base64-encoded certificate authority (CA) certificate. Only available after the certificate authority certificate has been imported.
- Property Map
- Nested argument containing algorithms and certificate subject information. Defined below.
- certificate
Chain String - Base64-encoded certificate chain that includes any intermediate certificates and chains up to root on-premises certificate that you used to sign your private CA certificate. The chain does not include your private CA certificate. Only available after the certificate authority certificate has been imported.
- certificate
Signing StringRequest - The base64 PEM-encoded certificate signing request (CSR) for your private CA certificate.
- enabled Boolean
- Whether the certificate authority is enabled or disabled. Defaults to
true. Can only be disabled if the CA is in anACTIVEstate. - key
Storage StringSecurity Standard - Cryptographic key management compliance standard used for handling CA keys. Defaults to
FIPS_140_2_LEVEL_3_OR_HIGHER. Valid values:FIPS_140_2_LEVEL_3_OR_HIGHERandFIPS_140_2_LEVEL_2_OR_HIGHER. Supported standard for each region can be found in the Storage and security compliance of AWS Private CA private keys Documentation. - not
After String - Date and time after which the certificate authority is not valid. Only available after the certificate authority certificate has been imported.
- not
Before String - Date and time before which the certificate authority is not valid. Only available after the certificate authority certificate has been imported.
- permanent
Deletion NumberTime In Days - Number of days to make a CA restorable after it has been deleted, must be between 7 to 30 days, with default to 30 days.
- revocation
Configuration Property Map - Nested argument containing revocation configuration. Defined below.
- serial String
- Serial number of the certificate authority. Only available after the certificate authority certificate has been imported.
- Map<String>
- Key-value map of user-defined tags that are attached to the certificate authority. If configured with a provider
default_tagsconfiguration block present, tags with matching keys will overwrite those defined at the provider-level. - Map<String>
- Map of tags assigned to the resource, including those inherited from the provider
default_tagsconfiguration block. - type String
- Type of the certificate authority. Defaults to
SUBORDINATE. Valid values:ROOTandSUBORDINATE. - usage
Mode String - Specifies whether the CA issues general-purpose certificates that typically require a revocation mechanism, or short-lived certificates that may optionally omit revocation because they expire quickly. Short-lived certificate validity is limited to seven days. Defaults to
GENERAL_PURPOSE. Valid values:GENERAL_PURPOSEandSHORT_LIVED_CERTIFICATE.
Supporting Types
CertificateAuthorityCertificateAuthorityConfiguration, CertificateAuthorityCertificateAuthorityConfigurationArgs
- Key
Algorithm string - Type of the public key algorithm and size, in bits, of the key pair that your key pair creates when it issues a certificate. Valid values can be found in the ACM PCA Documentation.
- Signing
Algorithm string - Name of the algorithm your private CA uses to sign certificate requests. Valid values can be found in the ACM PCA Documentation.
- Subject
Certificate
Authority Certificate Authority Configuration Subject - Nested argument that contains X.500 distinguished name information. At least one nested attribute must be specified.
- Key
Algorithm string - Type of the public key algorithm and size, in bits, of the key pair that your key pair creates when it issues a certificate. Valid values can be found in the ACM PCA Documentation.
- Signing
Algorithm string - Name of the algorithm your private CA uses to sign certificate requests. Valid values can be found in the ACM PCA Documentation.
- Subject
Certificate
Authority Certificate Authority Configuration Subject - Nested argument that contains X.500 distinguished name information. At least one nested attribute must be specified.
- key
Algorithm String - Type of the public key algorithm and size, in bits, of the key pair that your key pair creates when it issues a certificate. Valid values can be found in the ACM PCA Documentation.
- signing
Algorithm String - Name of the algorithm your private CA uses to sign certificate requests. Valid values can be found in the ACM PCA Documentation.
- subject
Certificate
Authority Certificate Authority Configuration Subject - Nested argument that contains X.500 distinguished name information. At least one nested attribute must be specified.
- key
Algorithm string - Type of the public key algorithm and size, in bits, of the key pair that your key pair creates when it issues a certificate. Valid values can be found in the ACM PCA Documentation.
- signing
Algorithm string - Name of the algorithm your private CA uses to sign certificate requests. Valid values can be found in the ACM PCA Documentation.
- subject
Certificate
Authority Certificate Authority Configuration Subject - Nested argument that contains X.500 distinguished name information. At least one nested attribute must be specified.
- key_
algorithm str - Type of the public key algorithm and size, in bits, of the key pair that your key pair creates when it issues a certificate. Valid values can be found in the ACM PCA Documentation.
- signing_
algorithm str - Name of the algorithm your private CA uses to sign certificate requests. Valid values can be found in the ACM PCA Documentation.
- subject
Certificate
Authority Certificate Authority Configuration Subject - Nested argument that contains X.500 distinguished name information. At least one nested attribute must be specified.
- key
Algorithm String - Type of the public key algorithm and size, in bits, of the key pair that your key pair creates when it issues a certificate. Valid values can be found in the ACM PCA Documentation.
- signing
Algorithm String - Name of the algorithm your private CA uses to sign certificate requests. Valid values can be found in the ACM PCA Documentation.
- subject Property Map
- Nested argument that contains X.500 distinguished name information. At least one nested attribute must be specified.
CertificateAuthorityCertificateAuthorityConfigurationSubject, CertificateAuthorityCertificateAuthorityConfigurationSubjectArgs
- Common
Name string - Fully qualified domain name (FQDN) associated with the certificate subject. Must be less than or equal to 64 characters in length.
- Country string
- Two digit code that specifies the country in which the certificate subject located. Must be less than or equal to 2 characters in length.
- Distinguished
Name stringQualifier - Disambiguating information for the certificate subject. Must be less than or equal to 64 characters in length.
- Generation
Qualifier string - Typically a qualifier appended to the name of an individual. Examples include Jr. for junior, Sr. for senior, and III for third. Must be less than or equal to 3 characters in length.
- Given
Name string - First name. Must be less than or equal to 16 characters in length.
- Initials string
- Concatenation that typically contains the first letter of the
given_name, the first letter of the middle name if one exists, and the first letter of thesurname. Must be less than or equal to 5 characters in length. - Locality string
- Locality (such as a city or town) in which the certificate subject is located. Must be less than or equal to 128 characters in length.
- Organization string
- Legal name of the organization with which the certificate subject is affiliated. Must be less than or equal to 64 characters in length.
- Organizational
Unit string - Subdivision or unit of the organization (such as sales or finance) with which the certificate subject is affiliated. Must be less than or equal to 64 characters in length.
- Pseudonym string
- Typically a shortened version of a longer
given_name. For example, Jonathan is often shortened to John. Elizabeth is often shortened to Beth, Liz, or Eliza. Must be less than or equal to 128 characters in length. - State string
- State in which the subject of the certificate is located. Must be less than or equal to 128 characters in length.
- Surname string
- Family name. In the US and the UK for example, the surname of an individual is ordered last. In Asian cultures the surname is typically ordered first. Must be less than or equal to 40 characters in length.
- Title string
- Title such as Mr. or Ms. which is pre-pended to the name to refer formally to the certificate subject. Must be less than or equal to 64 characters in length.
- Common
Name string - Fully qualified domain name (FQDN) associated with the certificate subject. Must be less than or equal to 64 characters in length.
- Country string
- Two digit code that specifies the country in which the certificate subject located. Must be less than or equal to 2 characters in length.
- Distinguished
Name stringQualifier - Disambiguating information for the certificate subject. Must be less than or equal to 64 characters in length.
- Generation
Qualifier string - Typically a qualifier appended to the name of an individual. Examples include Jr. for junior, Sr. for senior, and III for third. Must be less than or equal to 3 characters in length.
- Given
Name string - First name. Must be less than or equal to 16 characters in length.
- Initials string
- Concatenation that typically contains the first letter of the
given_name, the first letter of the middle name if one exists, and the first letter of thesurname. Must be less than or equal to 5 characters in length. - Locality string
- Locality (such as a city or town) in which the certificate subject is located. Must be less than or equal to 128 characters in length.
- Organization string
- Legal name of the organization with which the certificate subject is affiliated. Must be less than or equal to 64 characters in length.
- Organizational
Unit string - Subdivision or unit of the organization (such as sales or finance) with which the certificate subject is affiliated. Must be less than or equal to 64 characters in length.
- Pseudonym string
- Typically a shortened version of a longer
given_name. For example, Jonathan is often shortened to John. Elizabeth is often shortened to Beth, Liz, or Eliza. Must be less than or equal to 128 characters in length. - State string
- State in which the subject of the certificate is located. Must be less than or equal to 128 characters in length.
- Surname string
- Family name. In the US and the UK for example, the surname of an individual is ordered last. In Asian cultures the surname is typically ordered first. Must be less than or equal to 40 characters in length.
- Title string
- Title such as Mr. or Ms. which is pre-pended to the name to refer formally to the certificate subject. Must be less than or equal to 64 characters in length.
- common
Name String - Fully qualified domain name (FQDN) associated with the certificate subject. Must be less than or equal to 64 characters in length.
- country String
- Two digit code that specifies the country in which the certificate subject located. Must be less than or equal to 2 characters in length.
- distinguished
Name StringQualifier - Disambiguating information for the certificate subject. Must be less than or equal to 64 characters in length.
- generation
Qualifier String - Typically a qualifier appended to the name of an individual. Examples include Jr. for junior, Sr. for senior, and III for third. Must be less than or equal to 3 characters in length.
- given
Name String - First name. Must be less than or equal to 16 characters in length.
- initials String
- Concatenation that typically contains the first letter of the
given_name, the first letter of the middle name if one exists, and the first letter of thesurname. Must be less than or equal to 5 characters in length. - locality String
- Locality (such as a city or town) in which the certificate subject is located. Must be less than or equal to 128 characters in length.
- organization String
- Legal name of the organization with which the certificate subject is affiliated. Must be less than or equal to 64 characters in length.
- organizational
Unit String - Subdivision or unit of the organization (such as sales or finance) with which the certificate subject is affiliated. Must be less than or equal to 64 characters in length.
- pseudonym String
- Typically a shortened version of a longer
given_name. For example, Jonathan is often shortened to John. Elizabeth is often shortened to Beth, Liz, or Eliza. Must be less than or equal to 128 characters in length. - state String
- State in which the subject of the certificate is located. Must be less than or equal to 128 characters in length.
- surname String
- Family name. In the US and the UK for example, the surname of an individual is ordered last. In Asian cultures the surname is typically ordered first. Must be less than or equal to 40 characters in length.
- title String
- Title such as Mr. or Ms. which is pre-pended to the name to refer formally to the certificate subject. Must be less than or equal to 64 characters in length.
- common
Name string - Fully qualified domain name (FQDN) associated with the certificate subject. Must be less than or equal to 64 characters in length.
- country string
- Two digit code that specifies the country in which the certificate subject located. Must be less than or equal to 2 characters in length.
- distinguished
Name stringQualifier - Disambiguating information for the certificate subject. Must be less than or equal to 64 characters in length.
- generation
Qualifier string - Typically a qualifier appended to the name of an individual. Examples include Jr. for junior, Sr. for senior, and III for third. Must be less than or equal to 3 characters in length.
- given
Name string - First name. Must be less than or equal to 16 characters in length.
- initials string
- Concatenation that typically contains the first letter of the
given_name, the first letter of the middle name if one exists, and the first letter of thesurname. Must be less than or equal to 5 characters in length. - locality string
- Locality (such as a city or town) in which the certificate subject is located. Must be less than or equal to 128 characters in length.
- organization string
- Legal name of the organization with which the certificate subject is affiliated. Must be less than or equal to 64 characters in length.
- organizational
Unit string - Subdivision or unit of the organization (such as sales or finance) with which the certificate subject is affiliated. Must be less than or equal to 64 characters in length.
- pseudonym string
- Typically a shortened version of a longer
given_name. For example, Jonathan is often shortened to John. Elizabeth is often shortened to Beth, Liz, or Eliza. Must be less than or equal to 128 characters in length. - state string
- State in which the subject of the certificate is located. Must be less than or equal to 128 characters in length.
- surname string
- Family name. In the US and the UK for example, the surname of an individual is ordered last. In Asian cultures the surname is typically ordered first. Must be less than or equal to 40 characters in length.
- title string
- Title such as Mr. or Ms. which is pre-pended to the name to refer formally to the certificate subject. Must be less than or equal to 64 characters in length.
- common_
name str - Fully qualified domain name (FQDN) associated with the certificate subject. Must be less than or equal to 64 characters in length.
- country str
- Two digit code that specifies the country in which the certificate subject located. Must be less than or equal to 2 characters in length.
- distinguished_
name_ strqualifier - Disambiguating information for the certificate subject. Must be less than or equal to 64 characters in length.
- generation_
qualifier str - Typically a qualifier appended to the name of an individual. Examples include Jr. for junior, Sr. for senior, and III for third. Must be less than or equal to 3 characters in length.
- given_
name str - First name. Must be less than or equal to 16 characters in length.
- initials str
- Concatenation that typically contains the first letter of the
given_name, the first letter of the middle name if one exists, and the first letter of thesurname. Must be less than or equal to 5 characters in length. - locality str
- Locality (such as a city or town) in which the certificate subject is located. Must be less than or equal to 128 characters in length.
- organization str
- Legal name of the organization with which the certificate subject is affiliated. Must be less than or equal to 64 characters in length.
- organizational_
unit str - Subdivision or unit of the organization (such as sales or finance) with which the certificate subject is affiliated. Must be less than or equal to 64 characters in length.
- pseudonym str
- Typically a shortened version of a longer
given_name. For example, Jonathan is often shortened to John. Elizabeth is often shortened to Beth, Liz, or Eliza. Must be less than or equal to 128 characters in length. - state str
- State in which the subject of the certificate is located. Must be less than or equal to 128 characters in length.
- surname str
- Family name. In the US and the UK for example, the surname of an individual is ordered last. In Asian cultures the surname is typically ordered first. Must be less than or equal to 40 characters in length.
- title str
- Title such as Mr. or Ms. which is pre-pended to the name to refer formally to the certificate subject. Must be less than or equal to 64 characters in length.
- common
Name String - Fully qualified domain name (FQDN) associated with the certificate subject. Must be less than or equal to 64 characters in length.
- country String
- Two digit code that specifies the country in which the certificate subject located. Must be less than or equal to 2 characters in length.
- distinguished
Name StringQualifier - Disambiguating information for the certificate subject. Must be less than or equal to 64 characters in length.
- generation
Qualifier String - Typically a qualifier appended to the name of an individual. Examples include Jr. for junior, Sr. for senior, and III for third. Must be less than or equal to 3 characters in length.
- given
Name String - First name. Must be less than or equal to 16 characters in length.
- initials String
- Concatenation that typically contains the first letter of the
given_name, the first letter of the middle name if one exists, and the first letter of thesurname. Must be less than or equal to 5 characters in length. - locality String
- Locality (such as a city or town) in which the certificate subject is located. Must be less than or equal to 128 characters in length.
- organization String
- Legal name of the organization with which the certificate subject is affiliated. Must be less than or equal to 64 characters in length.
- organizational
Unit String - Subdivision or unit of the organization (such as sales or finance) with which the certificate subject is affiliated. Must be less than or equal to 64 characters in length.
- pseudonym String
- Typically a shortened version of a longer
given_name. For example, Jonathan is often shortened to John. Elizabeth is often shortened to Beth, Liz, or Eliza. Must be less than or equal to 128 characters in length. - state String
- State in which the subject of the certificate is located. Must be less than or equal to 128 characters in length.
- surname String
- Family name. In the US and the UK for example, the surname of an individual is ordered last. In Asian cultures the surname is typically ordered first. Must be less than or equal to 40 characters in length.
- title String
- Title such as Mr. or Ms. which is pre-pended to the name to refer formally to the certificate subject. Must be less than or equal to 64 characters in length.
CertificateAuthorityRevocationConfiguration, CertificateAuthorityRevocationConfigurationArgs
- Crl
Configuration CertificateAuthority Revocation Configuration Crl Configuration - Nested argument containing configuration of the certificate revocation list (CRL), if any, maintained by the certificate authority. Defined below.
- Ocsp
Configuration CertificateAuthority Revocation Configuration Ocsp Configuration - Nested argument containing configuration of the custom OCSP responder endpoint. Defined below.
- Crl
Configuration CertificateAuthority Revocation Configuration Crl Configuration - Nested argument containing configuration of the certificate revocation list (CRL), if any, maintained by the certificate authority. Defined below.
- Ocsp
Configuration CertificateAuthority Revocation Configuration Ocsp Configuration - Nested argument containing configuration of the custom OCSP responder endpoint. Defined below.
- crl
Configuration CertificateAuthority Revocation Configuration Crl Configuration - Nested argument containing configuration of the certificate revocation list (CRL), if any, maintained by the certificate authority. Defined below.
- ocsp
Configuration CertificateAuthority Revocation Configuration Ocsp Configuration - Nested argument containing configuration of the custom OCSP responder endpoint. Defined below.
- crl
Configuration CertificateAuthority Revocation Configuration Crl Configuration - Nested argument containing configuration of the certificate revocation list (CRL), if any, maintained by the certificate authority. Defined below.
- ocsp
Configuration CertificateAuthority Revocation Configuration Ocsp Configuration - Nested argument containing configuration of the custom OCSP responder endpoint. Defined below.
- crl_
configuration CertificateAuthority Revocation Configuration Crl Configuration - Nested argument containing configuration of the certificate revocation list (CRL), if any, maintained by the certificate authority. Defined below.
- ocsp_
configuration CertificateAuthority Revocation Configuration Ocsp Configuration - Nested argument containing configuration of the custom OCSP responder endpoint. Defined below.
- crl
Configuration Property Map - Nested argument containing configuration of the certificate revocation list (CRL), if any, maintained by the certificate authority. Defined below.
- ocsp
Configuration Property Map - Nested argument containing configuration of the custom OCSP responder endpoint. Defined below.
CertificateAuthorityRevocationConfigurationCrlConfiguration, CertificateAuthorityRevocationConfigurationCrlConfigurationArgs
- Custom
Cname string - Name inserted into the certificate CRL Distribution Points extension that enables the use of an alias for the CRL distribution point. Use this value if you don't want the name of your S3 bucket to be public. Must be less than or equal to 253 characters in length.
- Enabled bool
- Boolean value that specifies whether certificate revocation lists (CRLs) are enabled. Defaults to
false. - Expiration
In intDays - Number of days until a certificate expires. Must be between 1 and 5000.
- S3Bucket
Name string - Name of the S3 bucket that contains the CRL. If you do not provide a value for the
custom_cnameargument, the name of your S3 bucket is placed into the CRL Distribution Points extension of the issued certificate. You must specify a bucket policy that allows ACM PCA to write the CRL to your bucket. Must be between 3 and 255 characters in length. - S3Object
Acl string - Determines whether the CRL will be publicly readable or privately held in the CRL Amazon S3 bucket. Defaults to
PUBLIC_READ.
- Custom
Cname string - Name inserted into the certificate CRL Distribution Points extension that enables the use of an alias for the CRL distribution point. Use this value if you don't want the name of your S3 bucket to be public. Must be less than or equal to 253 characters in length.
- Enabled bool
- Boolean value that specifies whether certificate revocation lists (CRLs) are enabled. Defaults to
false. - Expiration
In intDays - Number of days until a certificate expires. Must be between 1 and 5000.
- S3Bucket
Name string - Name of the S3 bucket that contains the CRL. If you do not provide a value for the
custom_cnameargument, the name of your S3 bucket is placed into the CRL Distribution Points extension of the issued certificate. You must specify a bucket policy that allows ACM PCA to write the CRL to your bucket. Must be between 3 and 255 characters in length. - S3Object
Acl string - Determines whether the CRL will be publicly readable or privately held in the CRL Amazon S3 bucket. Defaults to
PUBLIC_READ.
- custom
Cname String - Name inserted into the certificate CRL Distribution Points extension that enables the use of an alias for the CRL distribution point. Use this value if you don't want the name of your S3 bucket to be public. Must be less than or equal to 253 characters in length.
- enabled Boolean
- Boolean value that specifies whether certificate revocation lists (CRLs) are enabled. Defaults to
false. - expiration
In IntegerDays - Number of days until a certificate expires. Must be between 1 and 5000.
- s3Bucket
Name String - Name of the S3 bucket that contains the CRL. If you do not provide a value for the
custom_cnameargument, the name of your S3 bucket is placed into the CRL Distribution Points extension of the issued certificate. You must specify a bucket policy that allows ACM PCA to write the CRL to your bucket. Must be between 3 and 255 characters in length. - s3Object
Acl String - Determines whether the CRL will be publicly readable or privately held in the CRL Amazon S3 bucket. Defaults to
PUBLIC_READ.
- custom
Cname string - Name inserted into the certificate CRL Distribution Points extension that enables the use of an alias for the CRL distribution point. Use this value if you don't want the name of your S3 bucket to be public. Must be less than or equal to 253 characters in length.
- enabled boolean
- Boolean value that specifies whether certificate revocation lists (CRLs) are enabled. Defaults to
false. - expiration
In numberDays - Number of days until a certificate expires. Must be between 1 and 5000.
- s3Bucket
Name string - Name of the S3 bucket that contains the CRL. If you do not provide a value for the
custom_cnameargument, the name of your S3 bucket is placed into the CRL Distribution Points extension of the issued certificate. You must specify a bucket policy that allows ACM PCA to write the CRL to your bucket. Must be between 3 and 255 characters in length. - s3Object
Acl string - Determines whether the CRL will be publicly readable or privately held in the CRL Amazon S3 bucket. Defaults to
PUBLIC_READ.
- custom_
cname str - Name inserted into the certificate CRL Distribution Points extension that enables the use of an alias for the CRL distribution point. Use this value if you don't want the name of your S3 bucket to be public. Must be less than or equal to 253 characters in length.
- enabled bool
- Boolean value that specifies whether certificate revocation lists (CRLs) are enabled. Defaults to
false. - expiration_
in_ intdays - Number of days until a certificate expires. Must be between 1 and 5000.
- s3_
bucket_ strname - Name of the S3 bucket that contains the CRL. If you do not provide a value for the
custom_cnameargument, the name of your S3 bucket is placed into the CRL Distribution Points extension of the issued certificate. You must specify a bucket policy that allows ACM PCA to write the CRL to your bucket. Must be between 3 and 255 characters in length. - s3_
object_ stracl - Determines whether the CRL will be publicly readable or privately held in the CRL Amazon S3 bucket. Defaults to
PUBLIC_READ.
- custom
Cname String - Name inserted into the certificate CRL Distribution Points extension that enables the use of an alias for the CRL distribution point. Use this value if you don't want the name of your S3 bucket to be public. Must be less than or equal to 253 characters in length.
- enabled Boolean
- Boolean value that specifies whether certificate revocation lists (CRLs) are enabled. Defaults to
false. - expiration
In NumberDays - Number of days until a certificate expires. Must be between 1 and 5000.
- s3Bucket
Name String - Name of the S3 bucket that contains the CRL. If you do not provide a value for the
custom_cnameargument, the name of your S3 bucket is placed into the CRL Distribution Points extension of the issued certificate. You must specify a bucket policy that allows ACM PCA to write the CRL to your bucket. Must be between 3 and 255 characters in length. - s3Object
Acl String - Determines whether the CRL will be publicly readable or privately held in the CRL Amazon S3 bucket. Defaults to
PUBLIC_READ.
CertificateAuthorityRevocationConfigurationOcspConfiguration, CertificateAuthorityRevocationConfigurationOcspConfigurationArgs
- Enabled bool
- Boolean value that specifies whether a custom OCSP responder is enabled.
- Ocsp
Custom stringCname - CNAME specifying a customized OCSP domain. Note: The value of the CNAME must not include a protocol prefix such as "http://" or "https://".
- Enabled bool
- Boolean value that specifies whether a custom OCSP responder is enabled.
- Ocsp
Custom stringCname - CNAME specifying a customized OCSP domain. Note: The value of the CNAME must not include a protocol prefix such as "http://" or "https://".
- enabled Boolean
- Boolean value that specifies whether a custom OCSP responder is enabled.
- ocsp
Custom StringCname - CNAME specifying a customized OCSP domain. Note: The value of the CNAME must not include a protocol prefix such as "http://" or "https://".
- enabled boolean
- Boolean value that specifies whether a custom OCSP responder is enabled.
- ocsp
Custom stringCname - CNAME specifying a customized OCSP domain. Note: The value of the CNAME must not include a protocol prefix such as "http://" or "https://".
- enabled bool
- Boolean value that specifies whether a custom OCSP responder is enabled.
- ocsp_
custom_ strcname - CNAME specifying a customized OCSP domain. Note: The value of the CNAME must not include a protocol prefix such as "http://" or "https://".
- enabled Boolean
- Boolean value that specifies whether a custom OCSP responder is enabled.
- ocsp
Custom StringCname - CNAME specifying a customized OCSP domain. Note: The value of the CNAME must not include a protocol prefix such as "http://" or "https://".
Import
Using pulumi import, import aws_acmpca_certificate_authority using the certificate authority ARN. For example:
$ pulumi import aws:acmpca/certificateAuthority:CertificateAuthority example arn:aws:acm-pca:us-east-1:123456789012:certificate-authority/12345678-1234-1234-1234-123456789012
To learn more about importing existing cloud resources, see Importing resources.
Package Details
- Repository
- AWS Classic pulumi/pulumi-aws
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the
awsTerraform Provider.