AWS::ACMPCA::CertificateAuthority RevocationConfiguration
Certificate revocation information used by the CreateCertificateAuthority and UpdateCertificateAuthority actions. Your private certificate authority (CA) can configure Online Certificate Status Protocol (OCSP) support and/or maintain a certificate revocation list (CRL). OCSP returns validation information about certificates as requested by clients, and a CRL contains an updated list of certificates revoked by your CA. For more information, see RevokeCertificate in the Amazon Private CA API Reference and Setting up a certificate revocation method in the Amazon Private CA User Guide.
Note
The following requirements apply to revocation configurations.
- A configuration disabling CRLs or OCSP must contain only the Enabled=False parameter, and will fail if other parameters such as CustomCname or ExpirationInDays are included.
- In a CRL configuration, the S3BucketName parameter must conform to the Amazon S3 bucket naming rules.
- A configuration containing a custom Canonical Name (CNAME) parameter for CRLs or OCSP must conform to RFC 2396 restrictions on the use of special characters in a CNAME.
- In a CRL or OCSP configuration, the value of a CNAME parameter must not include a protocol prefix such as "http://" or "https://".
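The service enforces the requirements above only when the stack is created or updated, so a malformed revocation configuration surfaces as a failed deployment. As an added example that is not part of this documentation page or of Amazon Private CA, the Python script below checks a RevocationConfiguration (loaded from a JSON template as a dict) against those requirements before deployment. The property names Enabled, CustomCname, ExpirationInDays and S3BucketName are the ones named above; OcspCustomCname is the OCSP CNAME property from the Amazon Private CA API reference and is not named on this page. The two sample configurations are constructed for the example, and the hostname and bucket-name checks are a conservative reading of RFC 2396 and the Amazon S3 naming rules, not the service's own validation.

```python
"""Pre-deployment checks for an AWS::ACMPCA::CertificateAuthority
RevocationConfiguration, following the requirements in the Note above.
Added example; not code from the documentation page or from Amazon Private CA."""
import ipaddress
import re

# Host-name label (RFC 2396 hostname syntax): letters, digits and hyphens,
# not starting or ending with a hyphen, at most 63 characters.
_LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")

# Amazon S3 bucket names: 3-63 characters of lowercase letters, digits, dots
# and hyphens, beginning and ending with a letter or digit. Reserved prefixes
# and suffixes (for example "xn--") are not checked here.
_BUCKET_RE = re.compile(r"^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")


def valid_s3_bucket_name(name):
    """Return True if name follows the general Amazon S3 bucket naming rules."""
    if not _BUCKET_RE.match(name) or ".." in name:
        return False
    # Bucket names must not be formatted as an IP address.
    try:
        ipaddress.ip_address(name)
        return False
    except ValueError:
        return True


def cname_violations(cname, where):
    """Return violations for one CNAME value: no protocol prefix, and only
    characters permitted in an RFC 2396 host name."""
    problems = []
    lowered = cname.lower()
    if lowered.startswith("http://") or lowered.startswith("https://"):
        problems.append(f"{where}: CNAME must not include a protocol prefix: {cname!r}")
        return problems  # the label check would only repeat this finding
    if not all(_LABEL_RE.match(label) for label in cname.split(".")):
        problems.append(f"{where}: CNAME contains characters not allowed in a host name: {cname!r}")
    return problems


def validate_revocation_configuration(revocation):
    """Return a list of requirement violations for a RevocationConfiguration
    dict; an empty list means it passes the checks in the Note above."""
    problems = []
    for key in ("CrlConfiguration", "OcspConfiguration"):
        cfg = revocation.get(key)
        if cfg is None:
            continue
        # A disabling configuration must carry Enabled=False and nothing else.
        if str(cfg.get("Enabled", True)).lower() == "false":
            extra = sorted(k for k in cfg if k != "Enabled")
            if extra:
                problems.append(
                    f"{key}: a disabling configuration must contain only Enabled=False, found {extra}")
            continue
        # CRL uses CustomCname; OCSP uses OcspCustomCname (API reference name, assumed here).
        cname_key = "CustomCname" if key == "CrlConfiguration" else "OcspCustomCname"
        if cname_key in cfg:
            problems.extend(cname_violations(cfg[cname_key], f"{key}.{cname_key}"))
        if key == "CrlConfiguration" and "S3BucketName" in cfg:
            if not valid_s3_bucket_name(cfg["S3BucketName"]):
                problems.append(
                    f"{key}.S3BucketName: {cfg['S3BucketName']!r} does not follow the Amazon S3 bucket naming rules")
    return problems


# Constructed sample: a configuration that satisfies every requirement.
GOOD_CONFIG = {
    "CrlConfiguration": {
        "Enabled": True,
        "ExpirationInDays": 7,
        "S3BucketName": "example-crl-bucket",
        "CustomCname": "crl.example.com",
    },
    "OcspConfiguration": {"Enabled": True, "OcspCustomCname": "ocsp.example.com"},
}

# Constructed sample: two violations, one per sub-configuration.
BAD_CONFIG = {
    "CrlConfiguration": {"Enabled": False, "ExpirationInDays": 7},  # extra parameter while disabled
    "OcspConfiguration": {"Enabled": True, "OcspCustomCname": "https://ocsp.example.com"},  # protocol prefix
}

if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(label, validate_revocation_configuration(cfg) or "OK")
```

Run the checks against the RevocationConfiguration object pulled out of the template (for example with json.load) as part of a pre-commit or CI step; the deployment-time validation remains the authority, this only fails the template earlier.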
Syntax
To declare this entity in your Amazon CloudFormation template, use the following syntax:
JSON
{
  "CrlConfiguration" : CrlConfiguration,
  "OcspConfiguration" : OcspConfiguration
}
Properties
- CrlConfiguration
Configuration of the certificate revocation list (CRL), if any, maintained by your private CA.
Required: No
Type: CrlConfiguration
Update requires: No interruption
- OcspConfiguration
Configuration of Online Certificate Status Protocol (OCSP) support, if any, maintained by your private CA.
Required: No
Type: OcspConfiguration
Update requires: No interruption