CertificateAuthority

Provides a resource to manage AWS Certificate Manager Private Certificate Authorities (ACM PCA Certificate Authorities).

NOTE: Creating this resource will leave the certificate authority in a PENDING_CERTIFICATE status, which means it cannot yet issue certificates. To complete this setup, you must fully sign the certificate authority CSR available in the certificate_signing_request attribute and import the signed certificate using the AWS SDK, CLI or Console. This provider can support another resource to manage that workflow automatically in the future.

Example Usage

Basic

using Pulumi;
using Aws = Pulumi.Aws;

class MyStack : Stack
{
    public MyStack()
    {
        var example = new Aws.Acmpca.CertificateAuthority("example", new Aws.Acmpca.CertificateAuthorityArgs
        {
            CertificateAuthorityConfiguration = new Aws.Acmpca.Inputs.CertificateAuthorityCertificateAuthorityConfigurationArgs
            {
                KeyAlgorithm = "RSA_4096",
                SigningAlgorithm = "SHA512WITHRSA",
                Subject = new Aws.Acmpca.Inputs.CertificateAuthorityCertificateAuthorityConfigurationSubjectArgs
                {
                    CommonName = "example.com",
                },
            },
            PermanentDeletionTimeInDays = 7,
        });
    }

}

package main

import (
    "github.com/pulumi/pulumi-aws/sdk/v2/go/aws/acmpca"
    "github.com/pulumi/pulumi/sdk/v2/go/pulumi"
)

func main() {
    pulumi.Run(func(ctx *pulumi.Context) error {
        _, err := acmpca.NewCertificateAuthority(ctx, "example", &acmpca.CertificateAuthorityArgs{
            CertificateAuthorityConfiguration: &acmpca.CertificateAuthorityCertificateAuthorityConfigurationArgs{
                KeyAlgorithm:     pulumi.String("RSA_4096"),
                SigningAlgorithm: pulumi.String("SHA512WITHRSA"),
                Subject: &acmpca.CertificateAuthorityCertificateAuthorityConfigurationSubjectArgs{
                    CommonName: pulumi.String("example.com"),
                },
            },
            PermanentDeletionTimeInDays: pulumi.Int(7),
        })
        if err != nil {
            return err
        }
        return nil
    })
}

import pulumi
import pulumi_aws as aws

example = aws.acmpca.CertificateAuthority("example",
    certificate_authority_configuration={
        "keyAlgorithm": "RSA_4096",
        "signingAlgorithm": "SHA512WITHRSA",
        "subject": {
            "commonName": "example.com",
        },
    },
    permanent_deletion_time_in_days=7)

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const example = new aws.acmpca.CertificateAuthority("example", {
    certificateAuthorityConfiguration: {
        keyAlgorithm: "RSA_4096",
        signingAlgorithm: "SHA512WITHRSA",
        subject: {
            commonName: "example.com",
        },
    },
    permanentDeletionTimeInDays: 7,
});

Enable Certificate Revocation List

using Pulumi;
using Aws = Pulumi.Aws;

class MyStack : Stack
{
    public MyStack()
    {
        var exampleBucket = new Aws.S3.Bucket("exampleBucket", new Aws.S3.BucketArgs
        {
        });
        var acmpcaBucketAccess = Output.Tuple(exampleBucket.Arn, exampleBucket.Arn).Apply(values =>
        {
            var exampleBucketArn = values.Item1;
            var exampleBucketArn1 = values.Item2;
            return Aws.Iam.GetPolicyDocument.InvokeAsync(new Aws.Iam.GetPolicyDocumentArgs
            {
                Statements = 
                {
                    new Aws.Iam.Inputs.GetPolicyDocumentStatementArgs
                    {
                        Actions = 
                        {
                            "s3:GetBucketAcl",
                            "s3:GetBucketLocation",
                            "s3:PutObject",
                            "s3:PutObjectAcl",
                        },
                        Principals = 
                        {
                            new Aws.Iam.Inputs.GetPolicyDocumentStatementPrincipalArgs
                            {
                                Identifiers = 
                                {
                                    "acm-pca.amazonaws.com",
                                },
                                Type = "Service",
                            },
                        },
                        Resources = 
                        {
                            exampleBucketArn,
                            $"{exampleBucketArn1}/*",
                        },
                    },
                },
            });
        });
        var exampleBucketPolicy = new Aws.S3.BucketPolicy("exampleBucketPolicy", new Aws.S3.BucketPolicyArgs
        {
            Bucket = exampleBucket.Id,
            Policy = acmpcaBucketAccess.Apply(acmpcaBucketAccess => acmpcaBucketAccess.Json),
        });
        var exampleCertificateAuthority = new Aws.Acmpca.CertificateAuthority("exampleCertificateAuthority", new Aws.Acmpca.CertificateAuthorityArgs
        {
            CertificateAuthorityConfiguration = new Aws.Acmpca.Inputs.CertificateAuthorityCertificateAuthorityConfigurationArgs
            {
                KeyAlgorithm = "RSA_4096",
                SigningAlgorithm = "SHA512WITHRSA",
                Subject = new Aws.Acmpca.Inputs.CertificateAuthorityCertificateAuthorityConfigurationSubjectArgs
                {
                    CommonName = "example.com",
                },
            },
            RevocationConfiguration = new Aws.Acmpca.Inputs.CertificateAuthorityRevocationConfigurationArgs
            {
                CrlConfiguration = new Aws.Acmpca.Inputs.CertificateAuthorityRevocationConfigurationCrlConfigurationArgs
                {
                    CustomCname = "crl.example.com",
                    Enabled = true,
                    ExpirationInDays = 7,
                    S3BucketName = exampleBucket.Id,
                },
            },
        }, new CustomResourceOptions
        {
            DependsOn = 
            {
                "aws_s3_bucket_policy.example",
            },
        });
    }

}

package main

import (
    "fmt"

    "github.com/pulumi/pulumi-aws/sdk/v2/go/aws/acmpca"
    "github.com/pulumi/pulumi-aws/sdk/v2/go/aws/iam"
    "github.com/pulumi/pulumi-aws/sdk/v2/go/aws/s3"
    "github.com/pulumi/pulumi/sdk/v2/go/pulumi"
)

func main() {
    pulumi.Run(func(ctx *pulumi.Context) error {
        exampleBucket, err := s3.NewBucket(ctx, "exampleBucket", nil)
        if err != nil {
            return err
        }
        _, err = s3.NewBucketPolicy(ctx, "exampleBucketPolicy", &s3.BucketPolicyArgs{
            Bucket: exampleBucket.ID(),
            Policy: acmpcaBucketAccess.ApplyT(func(acmpcaBucketAccess iam.GetPolicyDocumentResult) (string, error) {
                return acmpcaBucketAccess.Json, nil
            }).(pulumi.StringOutput),
        })
        if err != nil {
            return err
        }
        _, err = acmpca.NewCertificateAuthority(ctx, "exampleCertificateAuthority", &acmpca.CertificateAuthorityArgs{
            CertificateAuthorityConfiguration: &acmpca.CertificateAuthorityCertificateAuthorityConfigurationArgs{
                KeyAlgorithm:     pulumi.String("RSA_4096"),
                SigningAlgorithm: pulumi.String("SHA512WITHRSA"),
                Subject: &acmpca.CertificateAuthorityCertificateAuthorityConfigurationSubjectArgs{
                    CommonName: pulumi.String("example.com"),
                },
            },
            RevocationConfiguration: &acmpca.CertificateAuthorityRevocationConfigurationArgs{
                CrlConfiguration: &acmpca.CertificateAuthorityRevocationConfigurationCrlConfigurationArgs{
                    CustomCname:      pulumi.String("crl.example.com"),
                    Enabled:          pulumi.Bool(true),
                    ExpirationInDays: pulumi.Int(7),
                    S3BucketName:     exampleBucket.ID(),
                },
            },
        }, pulumi.DependsOn([]pulumi.Resource{
            "aws_s3_bucket_policy.example",
        }))
        if err != nil {
            return err
        }
        return nil
    })
}

import pulumi
import pulumi_aws as aws

example_bucket = aws.s3.Bucket("exampleBucket")
acmpca_bucket_access = pulumi.Output.all(example_bucket.arn, example_bucket.arn).apply(lambda exampleBucketArn, exampleBucketArn1: aws.iam.get_policy_document(statements=[{
    "actions": [
        "s3:GetBucketAcl",
        "s3:GetBucketLocation",
        "s3:PutObject",
        "s3:PutObjectAcl",
    ],
    "principals": [{
        "identifiers": ["acm-pca.amazonaws.com"],
        "type": "Service",
    }],
    "resources": [
        example_bucket_arn,
        f"{example_bucket_arn1}/*",
    ],
}]))
example_bucket_policy = aws.s3.BucketPolicy("exampleBucketPolicy",
    bucket=example_bucket.id,
    policy=acmpca_bucket_access.json)
example_certificate_authority = aws.acmpca.CertificateAuthority("exampleCertificateAuthority",
    certificate_authority_configuration={
        "keyAlgorithm": "RSA_4096",
        "signingAlgorithm": "SHA512WITHRSA",
        "subject": {
            "commonName": "example.com",
        },
    },
    revocation_configuration={
        "crlConfiguration": {
            "customCname": "crl.example.com",
            "enabled": True,
            "expirationInDays": 7,
            "s3_bucket_name": example_bucket.id,
        },
    },
    opts=ResourceOptions(depends_on=["aws_s3_bucket_policy.example"]))

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const exampleBucket = new aws.s3.Bucket("example", {});
const acmpcaBucketAccess = pulumi.all([exampleBucket.arn, exampleBucket.arn]).apply(([exampleBucketArn, exampleBucketArn1]) => aws.iam.getPolicyDocument({
    statements: [{
        actions: [
            "s3:GetBucketAcl",
            "s3:GetBucketLocation",
            "s3:PutObject",
            "s3:PutObjectAcl",
        ],
        principals: [{
            identifiers: ["acm-pca.amazonaws.com"],
            type: "Service",
        }],
        resources: [
            exampleBucketArn,
            `${exampleBucketArn1}/*`,
        ],
    }],
}, { async: true }));
const exampleBucketPolicy = new aws.s3.BucketPolicy("example", {
    bucket: exampleBucket.id,
    policy: acmpcaBucketAccess.json,
});
const exampleCertificateAuthority = new aws.acmpca.CertificateAuthority("example", {
    certificateAuthorityConfiguration: {
        keyAlgorithm: "RSA_4096",
        signingAlgorithm: "SHA512WITHRSA",
        subject: {
            commonName: "example.com",
        },
    },
    revocationConfiguration: {
        crlConfiguration: {
            customCname: "crl.example.com",
            enabled: true,
            expirationInDays: 7,
            s3BucketName: exampleBucket.id,
        },
    },
}, { dependsOn: [exampleBucketPolicy] });

Create a CertificateAuthority Resource

new CertificateAuthority(name: string, args: CertificateAuthorityArgs, opts?: CustomResourceOptions);

def CertificateAuthority(resource_name, opts=None, certificate_authority_configuration=None, enabled=None, permanent_deletion_time_in_days=None, revocation_configuration=None, tags=None, type=None, __props__=None);

func NewCertificateAuthority(ctx *Context, name string, args CertificateAuthorityArgs, opts ...ResourceOption) (*CertificateAuthority, error)

public CertificateAuthority(string name, CertificateAuthorityArgs args, CustomResourceOptions? opts = null)

name string: The unique name of the resource.
args CertificateAuthorityArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

resource_name str: The unique name of the resource.
opts ResourceOptions: A bag of options that control this resource's behavior.

ctx Context: Context object for the current deployment.
name string: The unique name of the resource.
args CertificateAuthorityArgs: The arguments to resource properties.
opts ResourceOption: Bag of options to control resource's behavior.

name string: The unique name of the resource.
args CertificateAuthorityArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

CertificateAuthority Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Programming Model docs.

Inputs

The CertificateAuthority resource accepts the following input properties:

CertificateAuthorityConfiguration CertificateAuthorityCertificateAuthorityConfigurationArgs: Nested argument containing algorithms and certificate subject information. Defined below.
Enabled bool: Boolean value that specifies whether certificate revocation lists (CRLs) are enabled. Defaults to false.
PermanentDeletionTimeInDays int: The number of days to make a CA restorable after it has been deleted, must be between 7 to 30 days, with default to 30 days.
RevocationConfiguration CertificateAuthorityRevocationConfigurationArgs: Nested argument containing revocation configuration. Defined below.
Tags Dictionary<string, string>: Specifies a key-value map of user-defined tags that are attached to the certificate authority.
Type string: The type of the certificate authority. Defaults to SUBORDINATE. Valid values: ROOT and SUBORDINATE.

CertificateAuthorityConfiguration CertificateAuthorityCertificateAuthorityConfiguration: Nested argument containing algorithms and certificate subject information. Defined below.
Enabled bool: Boolean value that specifies whether certificate revocation lists (CRLs) are enabled. Defaults to false.
PermanentDeletionTimeInDays int: The number of days to make a CA restorable after it has been deleted, must be between 7 to 30 days, with default to 30 days.
RevocationConfiguration CertificateAuthorityRevocationConfiguration: Nested argument containing revocation configuration. Defined below.
Tags map[string]string: Specifies a key-value map of user-defined tags that are attached to the certificate authority.
Type string: The type of the certificate authority. Defaults to SUBORDINATE. Valid values: ROOT and SUBORDINATE.

certificateAuthorityConfiguration CertificateAuthorityCertificateAuthorityConfiguration: Nested argument containing algorithms and certificate subject information. Defined below.
enabled boolean: Boolean value that specifies whether certificate revocation lists (CRLs) are enabled. Defaults to false.
permanentDeletionTimeInDays number: The number of days to make a CA restorable after it has been deleted, must be between 7 to 30 days, with default to 30 days.
revocationConfiguration CertificateAuthorityRevocationConfiguration: Nested argument containing revocation configuration. Defined below.
tags {[key: string]: string}: Specifies a key-value map of user-defined tags that are attached to the certificate authority.
type string: The type of the certificate authority. Defaults to SUBORDINATE. Valid values: ROOT and SUBORDINATE.

certificate_authority_configuration Dict[CertificateAuthorityCertificateAuthorityConfiguration]: Nested argument containing algorithms and certificate subject information. Defined below.
enabled bool: Boolean value that specifies whether certificate revocation lists (CRLs) are enabled. Defaults to false.
permanent_deletion_time_in_days float: The number of days to make a CA restorable after it has been deleted, must be between 7 to 30 days, with default to 30 days.
revocation_configuration Dict[CertificateAuthorityRevocationConfiguration]: Nested argument containing revocation configuration. Defined below.
tags Dict[str, str]: Specifies a key-value map of user-defined tags that are attached to the certificate authority.
type str: The type of the certificate authority. Defaults to SUBORDINATE. Valid values: ROOT and SUBORDINATE.

Outputs

All input properties are implicitly available as output properties. Additionally, the CertificateAuthority resource produces the following output properties:

Arn string: Amazon Resource Name (ARN) of the certificate authority.
Certificate string: Base64-encoded certificate authority (CA) certificate. Only available after the certificate authority certificate has been imported.
CertificateChain string: Base64-encoded certificate chain that includes any intermediate certificates and chains up to root on-premises certificate that you used to sign your private CA certificate. The chain does not include your private CA certificate. Only available after the certificate authority certificate has been imported.
CertificateSigningRequest string: The base64 PEM-encoded certificate signing request (CSR) for your private CA certificate.
Id string: The provider-assigned unique ID for this managed resource.
NotAfter string: Date and time after which the certificate authority is not valid. Only available after the certificate authority certificate has been imported.
NotBefore string: Date and time before which the certificate authority is not valid. Only available after the certificate authority certificate has been imported.
Serial string: Serial number of the certificate authority. Only available after the certificate authority certificate has been imported.
Status string: Status of the certificate authority.

Arn string: Amazon Resource Name (ARN) of the certificate authority.
Certificate string: Base64-encoded certificate authority (CA) certificate. Only available after the certificate authority certificate has been imported.
CertificateChain string: Base64-encoded certificate chain that includes any intermediate certificates and chains up to root on-premises certificate that you used to sign your private CA certificate. The chain does not include your private CA certificate. Only available after the certificate authority certificate has been imported.
CertificateSigningRequest string: The base64 PEM-encoded certificate signing request (CSR) for your private CA certificate.
Id string: The provider-assigned unique ID for this managed resource.
NotAfter string: Date and time after which the certificate authority is not valid. Only available after the certificate authority certificate has been imported.
NotBefore string: Date and time before which the certificate authority is not valid. Only available after the certificate authority certificate has been imported.
Serial string: Serial number of the certificate authority. Only available after the certificate authority certificate has been imported.
Status string: Status of the certificate authority.

arn string: Amazon Resource Name (ARN) of the certificate authority.
certificate string: Base64-encoded certificate authority (CA) certificate. Only available after the certificate authority certificate has been imported.
certificateChain string: Base64-encoded certificate chain that includes any intermediate certificates and chains up to root on-premises certificate that you used to sign your private CA certificate. The chain does not include your private CA certificate. Only available after the certificate authority certificate has been imported.
certificateSigningRequest string: The base64 PEM-encoded certificate signing request (CSR) for your private CA certificate.
id string: The provider-assigned unique ID for this managed resource.
notAfter string: Date and time after which the certificate authority is not valid. Only available after the certificate authority certificate has been imported.
notBefore string: Date and time before which the certificate authority is not valid. Only available after the certificate authority certificate has been imported.
serial string: Serial number of the certificate authority. Only available after the certificate authority certificate has been imported.
status string: Status of the certificate authority.

arn str: Amazon Resource Name (ARN) of the certificate authority.
certificate str: Base64-encoded certificate authority (CA) certificate. Only available after the certificate authority certificate has been imported.
certificate_chain str: Base64-encoded certificate chain that includes any intermediate certificates and chains up to root on-premises certificate that you used to sign your private CA certificate. The chain does not include your private CA certificate. Only available after the certificate authority certificate has been imported.
certificate_signing_request str: The base64 PEM-encoded certificate signing request (CSR) for your private CA certificate.
id str: The provider-assigned unique ID for this managed resource.
not_after str: Date and time after which the certificate authority is not valid. Only available after the certificate authority certificate has been imported.
not_before str: Date and time before which the certificate authority is not valid. Only available after the certificate authority certificate has been imported.
serial str: Serial number of the certificate authority. Only available after the certificate authority certificate has been imported.
status str: Status of the certificate authority.

Look up an Existing CertificateAuthority Resource

Get an existing CertificateAuthority resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: CertificateAuthorityState, opts?: CustomResourceOptions): CertificateAuthority

static get(resource_name, id, opts=None, arn=None, certificate=None, certificate_authority_configuration=None, certificate_chain=None, certificate_signing_request=None, enabled=None, not_after=None, not_before=None, permanent_deletion_time_in_days=None, revocation_configuration=None, serial=None, status=None, tags=None, type=None, __props__=None);

func GetCertificateAuthority(ctx *Context, name string, id IDInput, state *CertificateAuthorityState, opts ...ResourceOption) (*CertificateAuthority, error)

public static CertificateAuthority Get(string name, Input<string> id, CertificateAuthorityState? state, CustomResourceOptions? opts = null)

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

resource_name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

The following state arguments are supported:

Arn string: Amazon Resource Name (ARN) of the certificate authority.
Certificate string: Base64-encoded certificate authority (CA) certificate. Only available after the certificate authority certificate has been imported.
CertificateAuthorityConfiguration CertificateAuthorityCertificateAuthorityConfigurationArgs: Nested argument containing algorithms and certificate subject information. Defined below.
CertificateChain string: Base64-encoded certificate chain that includes any intermediate certificates and chains up to root on-premises certificate that you used to sign your private CA certificate. The chain does not include your private CA certificate. Only available after the certificate authority certificate has been imported.
CertificateSigningRequest string: The base64 PEM-encoded certificate signing request (CSR) for your private CA certificate.
Enabled bool: Boolean value that specifies whether certificate revocation lists (CRLs) are enabled. Defaults to false.
NotAfter string: Date and time after which the certificate authority is not valid. Only available after the certificate authority certificate has been imported.
NotBefore string: Date and time before which the certificate authority is not valid. Only available after the certificate authority certificate has been imported.
PermanentDeletionTimeInDays int: The number of days to make a CA restorable after it has been deleted, must be between 7 to 30 days, with default to 30 days.
RevocationConfiguration CertificateAuthorityRevocationConfigurationArgs: Nested argument containing revocation configuration. Defined below.
Serial string: Serial number of the certificate authority. Only available after the certificate authority certificate has been imported.
Status string: Status of the certificate authority.
Tags Dictionary<string, string>: Specifies a key-value map of user-defined tags that are attached to the certificate authority.
Type string: The type of the certificate authority. Defaults to SUBORDINATE. Valid values: ROOT and SUBORDINATE.

Arn string: Amazon Resource Name (ARN) of the certificate authority.
Certificate string: Base64-encoded certificate authority (CA) certificate. Only available after the certificate authority certificate has been imported.
CertificateAuthorityConfiguration CertificateAuthorityCertificateAuthorityConfiguration: Nested argument containing algorithms and certificate subject information. Defined below.
CertificateChain string: Base64-encoded certificate chain that includes any intermediate certificates and chains up to root on-premises certificate that you used to sign your private CA certificate. The chain does not include your private CA certificate. Only available after the certificate authority certificate has been imported.
CertificateSigningRequest string: The base64 PEM-encoded certificate signing request (CSR) for your private CA certificate.
Enabled bool: Boolean value that specifies whether certificate revocation lists (CRLs) are enabled. Defaults to false.
NotAfter string: Date and time after which the certificate authority is not valid. Only available after the certificate authority certificate has been imported.
NotBefore string: Date and time before which the certificate authority is not valid. Only available after the certificate authority certificate has been imported.
PermanentDeletionTimeInDays int: The number of days to make a CA restorable after it has been deleted, must be between 7 to 30 days, with default to 30 days.
RevocationConfiguration CertificateAuthorityRevocationConfiguration: Nested argument containing revocation configuration. Defined below.
Serial string: Serial number of the certificate authority. Only available after the certificate authority certificate has been imported.
Status string: Status of the certificate authority.
Tags map[string]string: Specifies a key-value map of user-defined tags that are attached to the certificate authority.
Type string: The type of the certificate authority. Defaults to SUBORDINATE. Valid values: ROOT and SUBORDINATE.

arn string: Amazon Resource Name (ARN) of the certificate authority.
certificate string: Base64-encoded certificate authority (CA) certificate. Only available after the certificate authority certificate has been imported.
certificateAuthorityConfiguration CertificateAuthorityCertificateAuthorityConfiguration: Nested argument containing algorithms and certificate subject information. Defined below.
certificateChain string: Base64-encoded certificate chain that includes any intermediate certificates and chains up to root on-premises certificate that you used to sign your private CA certificate. The chain does not include your private CA certificate. Only available after the certificate authority certificate has been imported.
certificateSigningRequest string: The base64 PEM-encoded certificate signing request (CSR) for your private CA certificate.
enabled boolean: Boolean value that specifies whether certificate revocation lists (CRLs) are enabled. Defaults to false.
notAfter string: Date and time after which the certificate authority is not valid. Only available after the certificate authority certificate has been imported.
notBefore string: Date and time before which the certificate authority is not valid. Only available after the certificate authority certificate has been imported.
permanentDeletionTimeInDays number: The number of days to make a CA restorable after it has been deleted, must be between 7 to 30 days, with default to 30 days.
revocationConfiguration CertificateAuthorityRevocationConfiguration: Nested argument containing revocation configuration. Defined below.
serial string: Serial number of the certificate authority. Only available after the certificate authority certificate has been imported.
status string: Status of the certificate authority.
tags {[key: string]: string}: Specifies a key-value map of user-defined tags that are attached to the certificate authority.
type string: The type of the certificate authority. Defaults to SUBORDINATE. Valid values: ROOT and SUBORDINATE.

arn str: Amazon Resource Name (ARN) of the certificate authority.
certificate str: Base64-encoded certificate authority (CA) certificate. Only available after the certificate authority certificate has been imported.
certificate_authority_configuration Dict[CertificateAuthorityCertificateAuthorityConfiguration]: Nested argument containing algorithms and certificate subject information. Defined below.
certificate_chain str: Base64-encoded certificate chain that includes any intermediate certificates and chains up to root on-premises certificate that you used to sign your private CA certificate. The chain does not include your private CA certificate. Only available after the certificate authority certificate has been imported.
certificate_signing_request str: The base64 PEM-encoded certificate signing request (CSR) for your private CA certificate.
enabled bool: Boolean value that specifies whether certificate revocation lists (CRLs) are enabled. Defaults to false.
not_after str: Date and time after which the certificate authority is not valid. Only available after the certificate authority certificate has been imported.
not_before str: Date and time before which the certificate authority is not valid. Only available after the certificate authority certificate has been imported.
permanent_deletion_time_in_days float: The number of days to make a CA restorable after it has been deleted, must be between 7 to 30 days, with default to 30 days.
revocation_configuration Dict[CertificateAuthorityRevocationConfiguration]: Nested argument containing revocation configuration. Defined below.
serial str: Serial number of the certificate authority. Only available after the certificate authority certificate has been imported.
status str: Status of the certificate authority.
tags Dict[str, str]: Specifies a key-value map of user-defined tags that are attached to the certificate authority.
type str: The type of the certificate authority. Defaults to SUBORDINATE. Valid values: ROOT and SUBORDINATE.

Supporting Types

CertificateAuthorityCertificateAuthorityConfiguration

See the input and output API doc for this type.

KeyAlgorithm string: Type of the public key algorithm and size, in bits, of the key pair that your key pair creates when it issues a certificate. Valid values can be found in the ACM PCA Documentation.
SigningAlgorithm string: Name of the algorithm your private CA uses to sign certificate requests. Valid values can be found in the ACM PCA Documentation.
Subject CertificateAuthorityCertificateAuthorityConfigurationSubjectArgs: Nested argument that contains X.500 distinguished name information. At least one nested attribute must be specified.

KeyAlgorithm string: Type of the public key algorithm and size, in bits, of the key pair that your key pair creates when it issues a certificate. Valid values can be found in the ACM PCA Documentation.
SigningAlgorithm string: Name of the algorithm your private CA uses to sign certificate requests. Valid values can be found in the ACM PCA Documentation.
Subject CertificateAuthorityCertificateAuthorityConfigurationSubject: Nested argument that contains X.500 distinguished name information. At least one nested attribute must be specified.

keyAlgorithm string: Type of the public key algorithm and size, in bits, of the key pair that your key pair creates when it issues a certificate. Valid values can be found in the ACM PCA Documentation.
signingAlgorithm string: Name of the algorithm your private CA uses to sign certificate requests. Valid values can be found in the ACM PCA Documentation.
subject CertificateAuthorityCertificateAuthorityConfigurationSubject: Nested argument that contains X.500 distinguished name information. At least one nested attribute must be specified.

keyAlgorithm str: Type of the public key algorithm and size, in bits, of the key pair that your key pair creates when it issues a certificate. Valid values can be found in the ACM PCA Documentation.
signingAlgorithm str: Name of the algorithm your private CA uses to sign certificate requests. Valid values can be found in the ACM PCA Documentation.
subject Dict[CertificateAuthorityCertificateAuthorityConfigurationSubject]: Nested argument that contains X.500 distinguished name information. At least one nested attribute must be specified.

CertificateAuthorityCertificateAuthorityConfigurationSubject

See the input and output API doc for this type.

CommonName string: Fully qualified domain name (FQDN) associated with the certificate subject.
Country string: Two digit code that specifies the country in which the certificate subject located.
DistinguishedNameQualifier string: Disambiguating information for the certificate subject.
GenerationQualifier string: Typically a qualifier appended to the name of an individual. Examples include Jr. for junior, Sr. for senior, and III for third.
GivenName string: First name.
Initials string: Concatenation that typically contains the first letter of the given_name, the first letter of the middle name if one exists, and the first letter of the surname.
Locality string: The locality (such as a city or town) in which the certificate subject is located.
Organization string: Legal name of the organization with which the certificate subject is affiliated.
OrganizationalUnit string: A subdivision or unit of the organization (such as sales or finance) with which the certificate subject is affiliated.
Pseudonym string: Typically a shortened version of a longer given_name. For example, Jonathan is often shortened to John. Elizabeth is often shortened to Beth, Liz, or Eliza.
State string: State in which the subject of the certificate is located.
Surname string: Family name. In the US and the UK for example, the surname of an individual is ordered last. In Asian cultures the surname is typically ordered first.
Title string: A title such as Mr. or Ms. which is pre-pended to the name to refer formally to the certificate subject.

CommonName string: Fully qualified domain name (FQDN) associated with the certificate subject.
Country string: Two digit code that specifies the country in which the certificate subject located.
DistinguishedNameQualifier string: Disambiguating information for the certificate subject.
GenerationQualifier string: Typically a qualifier appended to the name of an individual. Examples include Jr. for junior, Sr. for senior, and III for third.
GivenName string: First name.
Initials string: Concatenation that typically contains the first letter of the given_name, the first letter of the middle name if one exists, and the first letter of the surname.
Locality string: The locality (such as a city or town) in which the certificate subject is located.
Organization string: Legal name of the organization with which the certificate subject is affiliated.
OrganizationalUnit string: A subdivision or unit of the organization (such as sales or finance) with which the certificate subject is affiliated.
Pseudonym string: Typically a shortened version of a longer given_name. For example, Jonathan is often shortened to John. Elizabeth is often shortened to Beth, Liz, or Eliza.
State string: State in which the subject of the certificate is located.
Surname string: Family name. In the US and the UK for example, the surname of an individual is ordered last. In Asian cultures the surname is typically ordered first.
Title string: A title such as Mr. or Ms. which is pre-pended to the name to refer formally to the certificate subject.

commonName string: Fully qualified domain name (FQDN) associated with the certificate subject.
country string: Two digit code that specifies the country in which the certificate subject located.
distinguishedNameQualifier string: Disambiguating information for the certificate subject.
generationQualifier string: Typically a qualifier appended to the name of an individual. Examples include Jr. for junior, Sr. for senior, and III for third.
givenName string: First name.
initials string: Concatenation that typically contains the first letter of the given_name, the first letter of the middle name if one exists, and the first letter of the surname.
locality string: The locality (such as a city or town) in which the certificate subject is located.
organization string: Legal name of the organization with which the certificate subject is affiliated.
organizationalUnit string: A subdivision or unit of the organization (such as sales or finance) with which the certificate subject is affiliated.
pseudonym string: Typically a shortened version of a longer given_name. For example, Jonathan is often shortened to John. Elizabeth is often shortened to Beth, Liz, or Eliza.
state string: State in which the subject of the certificate is located.
surname string: Family name. In the US and the UK for example, the surname of an individual is ordered last. In Asian cultures the surname is typically ordered first.
title string: A title such as Mr. or Ms. which is pre-pended to the name to refer formally to the certificate subject.

commonName str: Fully qualified domain name (FQDN) associated with the certificate subject.
country str: Two digit code that specifies the country in which the certificate subject located.
distinguishedNameQualifier str: Disambiguating information for the certificate subject.
generationQualifier str: Typically a qualifier appended to the name of an individual. Examples include Jr. for junior, Sr. for senior, and III for third.
givenName str: First name.
initials str: Concatenation that typically contains the first letter of the given_name, the first letter of the middle name if one exists, and the first letter of the surname.
locality str: The locality (such as a city or town) in which the certificate subject is located.
organization str: Legal name of the organization with which the certificate subject is affiliated.
organizationalUnit str: A subdivision or unit of the organization (such as sales or finance) with which the certificate subject is affiliated.
pseudonym str: Typically a shortened version of a longer given_name. For example, Jonathan is often shortened to John. Elizabeth is often shortened to Beth, Liz, or Eliza.
state str: State in which the subject of the certificate is located.
surname str: Family name. In the US and the UK for example, the surname of an individual is ordered last. In Asian cultures the surname is typically ordered first.
title str: A title such as Mr. or Ms. which is pre-pended to the name to refer formally to the certificate subject.

CertificateAuthorityRevocationConfiguration

See the input and output API doc for this type.

CrlConfiguration CertificateAuthorityRevocationConfigurationCrlConfigurationArgs: Nested argument containing configuration of the certificate revocation list (CRL), if any, maintained by the certificate authority. Defined below.

CrlConfiguration CertificateAuthorityRevocationConfigurationCrlConfiguration: Nested argument containing configuration of the certificate revocation list (CRL), if any, maintained by the certificate authority. Defined below.

crlConfiguration CertificateAuthorityRevocationConfigurationCrlConfiguration: Nested argument containing configuration of the certificate revocation list (CRL), if any, maintained by the certificate authority. Defined below.

crlConfiguration Dict[CertificateAuthorityRevocationConfigurationCrlConfiguration]: Nested argument containing configuration of the certificate revocation list (CRL), if any, maintained by the certificate authority. Defined below.

CertificateAuthorityRevocationConfigurationCrlConfiguration

See the input and output API doc for this type.

ExpirationInDays int: Number of days until a certificate expires. Must be between 1 and 5000.
CustomCname string: Name inserted into the certificate CRL Distribution Points extension that enables the use of an alias for the CRL distribution point. Use this value if you don’t want the name of your S3 bucket to be public.
Enabled bool: Boolean value that specifies whether certificate revocation lists (CRLs) are enabled. Defaults to false.
S3BucketName string: Name of the S3 bucket that contains the CRL. If you do not provide a value for the custom_cname argument, the name of your S3 bucket is placed into the CRL Distribution Points extension of the issued certificate. You must specify a bucket policy that allows ACM PCA to write the CRL to your bucket.

ExpirationInDays int: Number of days until a certificate expires. Must be between 1 and 5000.
CustomCname string: Name inserted into the certificate CRL Distribution Points extension that enables the use of an alias for the CRL distribution point. Use this value if you don’t want the name of your S3 bucket to be public.
Enabled bool: Boolean value that specifies whether certificate revocation lists (CRLs) are enabled. Defaults to false.
S3BucketName string: Name of the S3 bucket that contains the CRL. If you do not provide a value for the custom_cname argument, the name of your S3 bucket is placed into the CRL Distribution Points extension of the issued certificate. You must specify a bucket policy that allows ACM PCA to write the CRL to your bucket.

expirationInDays number: Number of days until a certificate expires. Must be between 1 and 5000.
customCname string: Name inserted into the certificate CRL Distribution Points extension that enables the use of an alias for the CRL distribution point. Use this value if you don’t want the name of your S3 bucket to be public.
enabled boolean: Boolean value that specifies whether certificate revocation lists (CRLs) are enabled. Defaults to false.
s3BucketName string: Name of the S3 bucket that contains the CRL. If you do not provide a value for the custom_cname argument, the name of your S3 bucket is placed into the CRL Distribution Points extension of the issued certificate. You must specify a bucket policy that allows ACM PCA to write the CRL to your bucket.

expirationInDays float: Number of days until a certificate expires. Must be between 1 and 5000.
customCname str: Name inserted into the certificate CRL Distribution Points extension that enables the use of an alias for the CRL distribution point. Use this value if you don’t want the name of your S3 bucket to be public.
enabled bool: Boolean value that specifies whether certificate revocation lists (CRLs) are enabled. Defaults to false.
s3_bucket_name str: Name of the S3 bucket that contains the CRL. If you do not provide a value for the custom_cname argument, the name of your S3 bucket is placed into the CRL Distribution Points extension of the issued certificate. You must specify a bucket policy that allows ACM PCA to write the CRL to your bucket.

Package Details

Repository: https://github.com/pulumi/pulumi-aws
License: Apache-2.0
Notes: This Pulumi package is based on the aws Terraform Provider.

The Pulumi Platform

Get Started

Migrate to Pulumi

Solutions for All Teams and Engineers

Any Code

Any Cloud

CertificateAuthority

Example Usage

Basic

Enable Certificate Revocation List

Create a CertificateAuthority Resource

CertificateAuthority Resource Properties

Inputs

Outputs

Look up an Existing CertificateAuthority Resource

Supporting Types

CertificateAuthorityCertificateAuthorityConfiguration

CertificateAuthorityCertificateAuthorityConfigurationSubject

CertificateAuthorityRevocationConfiguration

CertificateAuthorityRevocationConfigurationCrlConfiguration

Package Details

On This Page