# AWS::ACMPCA::CertificateAuthority

Use the `AWS::ACMPCA::CertificateAuthority` resource to create a private CA. Once the CA exists, you can use the `AWS::ACMPCA::Certificate` resource to issue a new CA certificate. Alternatively, you can issue a CA certificate using an on-premises CA, and then use the `AWS::ACMPCA::CertificateAuthorityActivation` resource to import the new CA certificate and activate the CA.

> Before removing an `AWS::ACMPCA::CertificateAuthority` resource from the CloudFormation stack, disable the affected CA. Otherwise, the action will fail. You can disable the CA by removing its associated `AWS::ACMPCA::CertificateAuthorityActivation` resource from CloudFormation.
Import the construct directly:

```typescript
import { CfnCertificateAuthority } from 'aws-cdk-lib/aws-acmpca';
```

Or use the module namespace:

```typescript
import * as acmpca from 'aws-cdk-lib/aws-acmpca';
// acmpca.CfnCertificateAuthority
```

Configuration is passed to the constructor as `CfnCertificateAuthorityProps`.
Properties of `CfnCertificateAuthorityProps`:

- **keyAlgorithm** (required, `string`): Type of the public key algorithm and size, in bits, of the key pair that your CA creates when it issues a certificate. When you create a subordinate CA, you must use a key algorithm supported by the parent CA.
- **signingAlgorithm** (required, `string`): Name of the algorithm your private CA uses to sign certificate requests. This parameter should not be confused with the `SigningAlgorithm` parameter used to sign certificates when they are issued.
- **subject** (required, `IResolvable | SubjectProperty`): Structure that contains X.500 distinguished name information for your private CA.
- **type** (required, `string`): Type of your private CA.
- **csrExtensions** (optional, `IResolvable | CsrExtensionsProperty`): Specifies information to be added to the extension section of the certificate signing request (CSR).
- **keyStorageSecurityStandard** (optional, `string`): Specifies a cryptographic key management compliance standard for handling and protecting CA keys. Default: `FIPS_140_2_LEVEL_3_OR_HIGHER`.

  > Some AWS Regions don't support the default value. When you create a CA in these Regions, you must use `CCPC_LEVEL_1_OR_HIGHER` for the `KeyStorageSecurityStandard` parameter. If you don't, the operation returns an `InvalidArgsException` with this message: "A certificate authority cannot be created in this region with the specified security standard."
  >
  > For information about security standard support in different AWS Regions, see [Storage and security compliance of AWS Private CA private keys](https://docs.aws.amazon.com/privateca/latest/userguide/data-protection.html#private-keys).

- **revocationConfiguration** (optional, `IResolvable | RevocationConfigurationProperty`): Information about the Online Certificate Status Protocol (OCSP) configuration or certificate revocation list (CRL) created and maintained by your private CA.
- **tags** (optional, `CfnTag[]`): Key-value pairs that will be attached to the new private CA. You can associate up to 50 tags with a private CA. For information about using tags with IAM to manage permissions, see [Controlling Access Using IAM Tags](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_iam-tags.html).
- **usageMode** (optional, `string`): Specifies whether the CA issues general-purpose certificates that typically require a revocation mechanism, or short-lived certificates that may optionally omit revocation because they expire quickly. Short-lived certificate validity is limited to seven days. The default value is `GENERAL_PURPOSE`.
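As an added example (not from the CDK or AWS documentation), a small pre-synth lint that checks a `CfnCertificateAuthorityProps`-shaped object against the constraints listed above: required properties, the key storage standard note, the 50-tag limit, and a general-purpose CA that configures no revocation mechanism. The local `CaProps` interface, the `lintCaProps` function and the sample root CA values (including the S3 bucket name) are assumptions constructed for this example; in a real stack the same object is what you pass to `new acmpca.CfnCertificateAuthority(scope, id, props)`.

```typescript
// Simplified mirror of the props listed on this page (assumed shape for this
// example; the real type is CfnCertificateAuthorityProps from aws-cdk-lib).
interface CaProps {
  keyAlgorithm?: string;
  signingAlgorithm?: string;
  subject?: { commonName?: string; organization?: string; country?: string };
  type?: string;
  keyStorageSecurityStandard?: string;
  revocationConfiguration?: Record<string, unknown>;
  usageMode?: string;
  tags?: { key: string; value: string }[];
}

const DEFAULT_STANDARD = 'FIPS_140_2_LEVEL_3_OR_HIGHER';
const MAX_TAGS = 50;

// Returns a list of findings; an empty list means every check passed.
// defaultStandardSupported: whether the target Region accepts the default
// key storage standard (see the keyStorageSecurityStandard note above).
function lintCaProps(props: CaProps, defaultStandardSupported: boolean): string[] {
  const findings: string[] = [];
  for (const f of ['keyAlgorithm', 'signingAlgorithm', 'subject', 'type'] as const) {
    if (props[f] === undefined) findings.push(`missing required property ${f}`);
  }
  // An omitted standard means the default, which some Regions reject.
  const standard = props.keyStorageSecurityStandard ?? DEFAULT_STANDARD;
  if (!defaultStandardSupported && standard !== 'CCPC_LEVEL_1_OR_HIGHER') {
    findings.push('Region rejects the default standard; set keyStorageSecurityStandard to CCPC_LEVEL_1_OR_HIGHER');
  }
  // General-purpose certificates typically need CRL or OCSP; flag a CA without either.
  const usage = props.usageMode ?? 'GENERAL_PURPOSE';
  if (usage === 'GENERAL_PURPOSE' && props.revocationConfiguration === undefined) {
    findings.push('GENERAL_PURPOSE CA has no revocationConfiguration (no CRL or OCSP for issued certificates)');
  }
  if ((props.tags?.length ?? 0) > MAX_TAGS) findings.push(`more than ${MAX_TAGS} tags`);
  return findings;
}

// Constructed sample: a root CA publishing a CRL so revocation is available.
const rootCaProps: CaProps = {
  keyAlgorithm: 'RSA_2048',
  signingAlgorithm: 'SHA256WITHRSA',
  subject: { commonName: 'Example Internal Root CA', organization: 'Example Corp', country: 'US' },
  type: 'ROOT',
  revocationConfiguration: {
    crlConfiguration: { enabled: true, expirationInDays: 7, s3BucketName: 'example-crl-bucket' },
  },
};
```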
This L1 construct maps directly to the CloudFormation resource type `AWS::ACMPCA::CertificateAuthority`.