AWS::ACMPCA::CertificateAuthority - AWS CloudFormation
AWS 文档中描述的 AWS 服务或功能可能因区域而异。要查看适用于中国区域的差异,请参阅中国的 AWS 服务入门

AWS::ACMPCA::CertificateAuthority

使用 AWS::ACMPCA::CertificateAuthority 资源创建私有 CA。CA 存在后,您可以使用 AWS::ACMPCA::Certificate 资源发布新的 CA 证书。或者,您可以使用本地 CA 发布 CA 证书,然后使用 AWS::ACMPCA::CertificateAuthorityActivation 资源导入新 CA 证书并激活 CA。

注意

在从 CloudFormation 堆栈中删除 AWS::ACMPCA::CertificateAuthority 资源之前,请禁用受影响的 CA。否则,操作将失败。您可以通过从 CloudFormation 中删除其关联的 AWS::ACMPCA::CertificateAuthorityActivation 资源来禁用 CA。

语法

要在 AWS CloudFormation 模板中声明此实体,请使用以下语法:

JSON

{ "Type" : "AWS::ACMPCA::CertificateAuthority", "Properties" : { "KeyAlgorithm" : String, "RevocationConfiguration" : RevocationConfiguration, "SigningAlgorithm" : String, "Subject" : Subject, "Tags" : [ Tag, ... ], "Type" : String } }

YAML

Type: AWS::ACMPCA::CertificateAuthority Properties: KeyAlgorithm: String RevocationConfiguration: RevocationConfiguration SigningAlgorithm: String Subject: Subject Tags: - Tag Type: String

属性

KeyAlgorithm

公有密钥算法的类型,以及 CA 在发布证书时创建的密钥对的大小(以位为单位)。创建从属 CA 时,您必须使用父 CA 支持的密钥算法。

必需:是

类型:字符串

允许的值EC_prime256v1 | EC_secp384r1 | RSA_2048 | RSA_4096

Update requires: Replacement

RevocationConfiguration

有关由私有 CA 创建和维护的证书吊销列表 (CRL) 的信息。创建由 CreateCertificateAuthority 和 UpdateCertificateAuthority 操作使用的证书吊销 信息。您的证书颁发机构可以创建和维护证书吊销列表 (CRL)。CRL 包含有关已吊销证书的信息。

必需:否

类型RevocationConfiguration

Update requires: No interruption

SigningAlgorithm

您的私有 CA 签署证书请求所用算法的名称。

此参数不应与发布证书时用于签署证书的 SigningAlgorithm 参数混淆。

必需:是

类型:字符串

允许的值SHA256WITHECDSA | SHA256WITHRSA | SHA384WITHECDSA | SHA384WITHRSA | SHA512WITHECDSA | SHA512WITHRSA

Update requires: Replacement

Subject

包含您私有 CA 的 X.500 可分辨名称信息的结构。

必需:是

类型Subject

Update requires: Replacement

Tags

将附加到新私有 CA 的键/值对。您最多可以将 50 个标签与私有 CA 关联。有关在 IAM 中使用标签来管理权限的信息,请参阅使用 IAM 标签控制访问

必需:否

类型Tag 的列表

Update requires: No interruption

Type

您的私有 CA 的类型。

必需:是

类型:字符串

允许的值ROOT | SUBORDINATE

Update requires: Replacement

返回值

Ref

证书颁发机构的 Amazon 资源名称 (ARN)。

Fn::GetAtt

Fn::GetAtt 内部函数返回此类型的一个指定属性的值。以下为可用属性和示例返回值。

有关使用 Fn::GetAtt 内部函数的更多信息,请参阅 Fn::GetAtt

Arn

发布证书的私有 CA 的 Amazon 资源名称 (ARN)。

CertificateSigningRequest

您的证书颁发机构证书的 Base64 PEM 编码的证书签名请求 (CSR)。

示例

以下 CloudFormation 模板示例设置了 CA 层次结构。此示例演示 AWS::ACMPCA::CertificateAWS::ACMPCA::CertificateAuthorityAWS::ACMPCA::CertificateAuthorityActivation 资源的使用。

声明私有 CA 层次结构

JSON

{ "AWSTemplateFormatVersion":"2010-09-09", "Description":"Cloudformation template to setup CA.", "Resources":{ "RootCA":{ "Type":"AWS::ACMPCA::CertificateAuthority", "Properties":{ "Type":"ROOT", "KeyAlgorithm":"RSA_2048", "SigningAlgorithm":"SHA256WITHRSA", "Subject":{ "Country":"US", "Organization":"string", "OrganizationalUnit":"string", "DistinguishedNameQualifier":"string", "State":"string", "CommonName":"123", "SerialNumber":"string", "Locality":"string", "Title":"string", "Surname":"string", "GivenName":"string", "Initials":"DG", "Pseudonym":"string", "GenerationQualifier":"DBG" }, "RevocationConfiguration":{ "CrlConfiguration":{ "Enabled":false } } } }, "RootCACertificate":{ "Type":"AWS::ACMPCA::Certificate", "Properties":{ "CertificateAuthorityArn":{ "Ref":"RootCA" }, "CertificateSigningRequest":{ "Fn::GetAtt":[ "RootCA", "CertificateSigningRequest" ] }, "SigningAlgorithm":"SHA256WITHRSA", "TemplateArn":"arn:aws:acm-pca:::template/RootCACertificate/V1", "Validity":{ "Type":"DAYS", "Value":100 } } }, "RootCAActivation":{ "Type":"AWS::ACMPCA::CertificateAuthorityActivation", "Properties":{ "CertificateAuthorityArn":{ "Ref":"RootCA" }, "Certificate":{ "Fn::GetAtt":[ "RootCACertificate", "Certificate" ] }, "Status":"ACTIVE" } }, "SubordinateCAOne":{ "Type":"AWS::ACMPCA::CertificateAuthority", "Properties":{ "Type":"SUBORDINATE", "KeyAlgorithm":"RSA_2048", "SigningAlgorithm":"SHA256WITHRSA", "Subject":{ "Country":"US", "Organization":"string", "OrganizationalUnit":"string", "DistinguishedNameQualifier":"string", "State":"string", "CommonName":"Sub1", "SerialNumber":"string", "Locality":"string", "Title":"string", "Surname":"string", "GivenName":"string", "Initials":"DG", "Pseudonym":"string", "GenerationQualifier":"DBG" }, "RevocationConfiguration":{ }, "Tags":[ ] } }, "SubordinateCAOneCACertificate":{ "DependsOn":"RootCAActivation", "Type":"AWS::ACMPCA::Certificate", "Properties":{ "CertificateAuthorityArn":{ "Ref":"RootCA" }, "CertificateSigningRequest":{ "Fn::GetAtt":[ "SubordinateCAOne", "CertificateSigningRequest" ] }, "SigningAlgorithm":"SHA256WITHRSA", "TemplateArn":"arn:aws:acm-pca:::template/SubordinateCACertificate_PathLen3/V1", "Validity":{ "Type":"DAYS", "Value":90 } } }, "SubordinateCAOneActivation":{ "Type":"AWS::ACMPCA::CertificateAuthorityActivation", "Properties":{ "CertificateAuthorityArn":{ "Ref":"SubordinateCAOne" }, "Certificate":{ "Fn::GetAtt":[ "SubordinateCAOneCACertificate", "Certificate" ] }, "CertificateChain":{ "Fn::GetAtt":[ "RootCAActivation", "CompleteCertificateChain" ] }, "Status":"ACTIVE" } }, "SubordinateCATwo":{ "Type":"AWS::ACMPCA::CertificateAuthority", "Properties":{ "Type":"SUBORDINATE", "KeyAlgorithm":"RSA_2048", "SigningAlgorithm":"SHA256WITHRSA", "Subject":{ "Country":"US", "Organization":"string", "OrganizationalUnit":"string", "DistinguishedNameQualifier":"string", "State":"string", "SerialNumber":"string", "Locality":"string", "Title":"string", "Surname":"string", "GivenName":"string", "Initials":"DG", "Pseudonym":"string", "GenerationQualifier":"DBG" }, "Tags":[ { "Key":"Key1", "Value":"Value1" }, { "Key":"Key2", "Value":"Value2" } ] } }, "SubordinateCATwoCACertificate":{ "DependsOn":"SubordinateCAOneActivation", "Type":"AWS::ACMPCA::Certificate", "Properties":{ "CertificateAuthorityArn":{ "Ref":"SubordinateCAOne" }, "CertificateSigningRequest":{ "Fn::GetAtt":[ "SubordinateCATwo", "CertificateSigningRequest" ] }, "SigningAlgorithm":"SHA256WITHRSA", "TemplateArn":"arn:aws:acm-pca:::template/SubordinateCACertificate_PathLen2/V1", "Validity":{ "Type":"DAYS", "Value":80 } } }, "SubordinateCATwoActivation":{ "Type":"AWS::ACMPCA::CertificateAuthorityActivation", "Properties":{ "CertificateAuthorityArn":{ "Ref":"SubordinateCATwo" }, "Certificate":{ "Fn::GetAtt":[ "SubordinateCATwoCACertificate", "Certificate" ] }, "CertificateChain":{ "Fn::GetAtt":[ "SubordinateCAOneActivation", "CompleteCertificateChain" ] } } }, "EndEntityCertificate":{ "DependsOn":"SubordinateCATwoActivation", "Type":"AWS::ACMPCA::Certificate", "Properties":{ "CertificateAuthorityArn":{ "Ref":"SubordinateCATwo" }, "CertificateSigningRequest":{ "Fn::Join":[ "\n", [ "-----BEGIN CERTIFICATE REQUEST-----", "MIICvDCCAaQCAQAwdzELMAkGA1UEBhMCVVMxDTALBgNVBAgMBFV0YWgxDzANBgNV", "BAcMBkxpbmRvbjEWMBQGA1UECgwNRGlnaUNlcnQgSW5jLjERMA8GA1UECwwIRGln", "aUNlcnQxHTAbBgNVBAMMFGV4YW1wbGUuZGlnaWNlcnQuY29tMIIBIjANBgkqhkiG", "9w0BAQEFAAOCAQ8AMIIBCgKCAQEA8+To7d+2kPWeBv/orU3LVbJwDrSQbeKamCmo", "wp5bqDxIwV20zqRb7APUOKYoVEFFOEQs6T6gImnIolhbiH6m4zgZ/CPvWBOkZc+c", "1Po2EmvBz+AD5sBdT5kzGQA6NbWyZGldxRthNLOs1efOhdnWFuhI162qmcflgpiI", "WDuwq4C9f+YkeJhNn9dF5+owm8cOQmDrV8NNdiTqin8q3qYAHHJRW28glJUCZkTZ", "wIaSR6crBQ8TbYNE0dc+Caa3DOIkz1EOsHWzTx+n0zKfqcbgXi4DJx+C1bjptYPR", "BPZL8DAeWuA8ebudVT44yEp82G96/Ggcf7F33xMxe0yc+Xa6owIDAQABoAAwDQYJ", "KoZIhvcNAQEFBQADggEBAB0kcrFccSmFDmxox0Ne01UIqSsDqHgL+XmHTXJwre6D", "hJSZwbvEtOK0G3+dr4Fs11WuUNt5qcLsx5a8uk4G6AKHMzuhLsJ7XZjgmQXGECpY", "Q4mC3yT3ZoCGpIXbw+iP3lmEEXgaQL0Tx5LFl/okKbKYwIqNiyKWOMj7ZR/wxWg/", "ZDGRs55xuoeLDJ/ZRFf9bI+IaCUd1YrfYcHIl3G87Av+r49YVwqRDT0VDV7uLgqn", "29XI1PpVUNCPQGn9p/eX6Qo7vpDaPybRtA2R7XLKjQaF9oXWeCUqy1hvJac9QFO2", "97Ob1alpHPoZ7mWiEuJwjBPii6a9M9G30nUo39lBi1w=", "-----END CERTIFICATE REQUEST-----" ] ] }, "SigningAlgorithm":"SHA256WITHRSA", "Validity":{ "Type":"DAYS", "Value":70 } } } }, "Outputs":{ "CompleteCertificateChain":{ "Value":{ "Fn::GetAtt":[ "SubordinateCATwoActivation", "CompleteCertificateChain" ] } }, "CertificateArn":{ "Value":{ "Fn::GetAtt":[ "EndEntityCertificate", "Arn" ] } } } }

YAML

AWSTemplateFormatVersion: 2010-09-09 Description: Cloudformation template to setup CA. Resources: RootCA: Type: 'AWS::ACMPCA::CertificateAuthority' Properties: Type: ROOT KeyAlgorithm: RSA_2048 SigningAlgorithm: SHA256WITHRSA Subject: Country: US Organization: string OrganizationalUnit: string DistinguishedNameQualifier: string State: string CommonName: '123' SerialNumber: string Locality: string Title: string Surname: string GivenName: string Initials: DG Pseudonym: string GenerationQualifier: DBG RevocationConfiguration: CrlConfiguration: Enabled: false RootCACertificate: Type: 'AWS::ACMPCA::Certificate' Properties: CertificateAuthorityArn: !Ref RootCA CertificateSigningRequest: !GetAtt - RootCA - CertificateSigningRequest SigningAlgorithm: SHA256WITHRSA TemplateArn: 'arn:aws:acm-pca:::template/RootCACertificate/V1' Validity: Type: DAYS Value: 100 RootCAActivation: Type: 'AWS::ACMPCA::CertificateAuthorityActivation' Properties: CertificateAuthorityArn: !Ref RootCA Certificate: !GetAtt - RootCACertificate - Certificate Status: ACTIVE SubordinateCAOne: Type: 'AWS::ACMPCA::CertificateAuthority' Properties: Type: SUBORDINATE KeyAlgorithm: RSA_2048 SigningAlgorithm: SHA256WITHRSA Subject: Country: US Organization: string OrganizationalUnit: string DistinguishedNameQualifier: string State: string CommonName: Sub1 SerialNumber: string Locality: string Title: string Surname: string GivenName: string Initials: DG Pseudonym: string GenerationQualifier: DBG RevocationConfiguration: {} Tags: [] SubordinateCAOneCACertificate: DependsOn: RootCAActivation Type: 'AWS::ACMPCA::Certificate' Properties: CertificateAuthorityArn: !Ref RootCA CertificateSigningRequest: !GetAtt - SubordinateCAOne - CertificateSigningRequest SigningAlgorithm: SHA256WITHRSA TemplateArn: 'arn:aws:acm-pca:::template/SubordinateCACertificate_PathLen3/V1' Validity: Type: DAYS Value: 90 SubordinateCAOneActivation: Type: 'AWS::ACMPCA::CertificateAuthorityActivation' Properties: CertificateAuthorityArn: !Ref SubordinateCAOne Certificate: !GetAtt - SubordinateCAOneCACertificate - Certificate CertificateChain: !GetAtt - RootCAActivation - CompleteCertificateChain Status: ACTIVE SubordinateCATwo: Type: 'AWS::ACMPCA::CertificateAuthority' Properties: Type: SUBORDINATE KeyAlgorithm: RSA_2048 SigningAlgorithm: SHA256WITHRSA Subject: Country: US Organization: string OrganizationalUnit: string DistinguishedNameQualifier: string State: string SerialNumber: string Locality: string Title: string Surname: string GivenName: string Initials: DG Pseudonym: string GenerationQualifier: DBG Tags: - Key: Key1 Value: Value1 - Key: Key2 Value: Value2 SubordinateCATwoCACertificate: DependsOn: SubordinateCAOneActivation Type: 'AWS::ACMPCA::Certificate' Properties: CertificateAuthorityArn: !Ref SubordinateCAOne CertificateSigningRequest: !GetAtt - SubordinateCATwo - CertificateSigningRequest SigningAlgorithm: SHA256WITHRSA TemplateArn: 'arn:aws:acm-pca:::template/SubordinateCACertificate_PathLen2/V1' Validity: Type: DAYS Value: 80 SubordinateCATwoActivation: Type: 'AWS::ACMPCA::CertificateAuthorityActivation' Properties: CertificateAuthorityArn: !Ref SubordinateCATwo Certificate: !GetAtt - SubordinateCATwoCACertificate - Certificate CertificateChain: !GetAtt - SubordinateCAOneActivation - CompleteCertificateChain EndEntityCertificate: DependsOn: SubordinateCATwoActivation Type: 'AWS::ACMPCA::Certificate' Properties: CertificateAuthorityArn: !Ref SubordinateCATwo CertificateSigningRequest: !Join - |+ - - '-----BEGIN CERTIFICATE REQUEST-----' - MIICvDCCAaQCAQAwdzELMAkGA1UEBhMCVVMxDTALBgNVBAgMBFV0YWgxDzANBgNV - BAcMBkxpbmRvbjEWMBQGA1UECgwNRGlnaUNlcnQgSW5jLjERMA8GA1UECwwIRGln - aUNlcnQxHTAbBgNVBAMMFGV4YW1wbGUuZGlnaWNlcnQuY29tMIIBIjANBgkqhkiG - 9w0BAQEFAAOCAQ8AMIIBCgKCAQEA8+To7d+2kPWeBv/orU3LVbJwDrSQbeKamCmo - wp5bqDxIwV20zqRb7APUOKYoVEFFOEQs6T6gImnIolhbiH6m4zgZ/CPvWBOkZc+c - 1Po2EmvBz+AD5sBdT5kzGQA6NbWyZGldxRthNLOs1efOhdnWFuhI162qmcflgpiI - WDuwq4C9f+YkeJhNn9dF5+owm8cOQmDrV8NNdiTqin8q3qYAHHJRW28glJUCZkTZ - wIaSR6crBQ8TbYNE0dc+Caa3DOIkz1EOsHWzTx+n0zKfqcbgXi4DJx+C1bjptYPR - BPZL8DAeWuA8ebudVT44yEp82G96/Ggcf7F33xMxe0yc+Xa6owIDAQABoAAwDQYJ - KoZIhvcNAQEFBQADggEBAB0kcrFccSmFDmxox0Ne01UIqSsDqHgL+XmHTXJwre6D - hJSZwbvEtOK0G3+dr4Fs11WuUNt5qcLsx5a8uk4G6AKHMzuhLsJ7XZjgmQXGECpY - Q4mC3yT3ZoCGpIXbw+iP3lmEEXgaQL0Tx5LFl/okKbKYwIqNiyKWOMj7ZR/wxWg/ - ZDGRs55xuoeLDJ/ZRFf9bI+IaCUd1YrfYcHIl3G87Av+r49YVwqRDT0VDV7uLgqn - 29XI1PpVUNCPQGn9p/eX6Qo7vpDaPybRtA2R7XLKjQaF9oXWeCUqy1hvJac9QFO2 - 97Ob1alpHPoZ7mWiEuJwjBPii6a9M9G30nUo39lBi1w= - '-----END CERTIFICATE REQUEST-----' SigningAlgorithm: SHA256WITHRSA Validity: Type: DAYS Value: 70 Outputs: CompleteCertificateChain: Value: !GetAtt - SubordinateCATwoActivation - CompleteCertificateChain CertificateArn: Value: !GetAtt - EndEntityCertificate - Arn