This is the new *Amazon CloudFormation Template Reference Guide*. Please update your bookmarks and links. For help getting started with CloudFormation, see the [Amazon CloudFormation User Guide](https://docs.amazonaws.cn/AWSCloudFormation/latest/UserGuide/Welcome.html). # AWS::ACMPCA::Certificate The `AWS::ACMPCA::Certificate` resource is used to issue a certificate using your private certificate authority. For more information, see the [IssueCertificate](https://docs.amazonaws.cn/privateca/latest/APIReference/API_IssueCertificate.html) action. ## Syntax To declare this entity in your Amazon CloudFormation template, use the following syntax: ### JSON ``` { "Type" : "AWS::ACMPCA::Certificate", "Properties" : { "[ApiPassthrough](#cfn-acmpca-certificate-apipassthrough)" : ApiPassthrough, "[CertificateAuthorityArn](#cfn-acmpca-certificate-certificateauthorityarn)" : String, "[CertificateSigningRequest](#cfn-acmpca-certificate-certificatesigningrequest)" : String, "[SigningAlgorithm](#cfn-acmpca-certificate-signingalgorithm)" : String, "[TemplateArn](#cfn-acmpca-certificate-templatearn)" : String, "[Validity](#cfn-acmpca-certificate-validity)" : Validity, "[ValidityNotBefore](#cfn-acmpca-certificate-validitynotbefore)" : Validity } } ``` ### YAML ``` Type: AWS::ACMPCA::Certificate Properties: [ApiPassthrough](#cfn-acmpca-certificate-apipassthrough): ApiPassthrough [CertificateAuthorityArn](#cfn-acmpca-certificate-certificateauthorityarn): String [CertificateSigningRequest](#cfn-acmpca-certificate-certificatesigningrequest): String [SigningAlgorithm](#cfn-acmpca-certificate-signingalgorithm): String [TemplateArn](#cfn-acmpca-certificate-templatearn): String [Validity](#cfn-acmpca-certificate-validity): Validity [ValidityNotBefore](#cfn-acmpca-certificate-validitynotbefore): Validity ``` ## Properties `ApiPassthrough` Specifies X.509 certificate information to be included in the issued certificate. An `APIPassthrough` or `APICSRPassthrough` template variant must be selected, or else this parameter is ignored. *Required*: No *Type*: [ApiPassthrough](aws-properties-acmpca-certificate-apipassthrough.md) *Update requires*: [Replacement](https://docs.amazonaws.cn/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement) `CertificateAuthorityArn` The Amazon Resource Name (ARN) for the private CA issues the certificate. *Required*: Yes *Type*: String *Update requires*: [Replacement](https://docs.amazonaws.cn/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement) `CertificateSigningRequest` The certificate signing request (CSR) for the certificate. *Required*: Yes *Type*: String *Minimum*: `1` *Update requires*: [Replacement](https://docs.amazonaws.cn/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement) `SigningAlgorithm` The name of the algorithm that will be used to sign the certificate to be issued. This parameter should not be confused with the `SigningAlgorithm` parameter used to sign a CSR in the `CreateCertificateAuthority` action. The specified signing algorithm family (RSA or ECDSA) must match the algorithm family of the CA's secret key. *Required*: Yes *Type*: String *Allowed values*: `SHA256WITHECDSA | SHA384WITHECDSA | SHA512WITHECDSA | SHA256WITHRSA | SHA384WITHRSA | SHA512WITHRSA | SM3WITHSM2 | ML_DSA_44 | ML_DSA_65 | ML_DSA_87` *Update requires*: [Replacement](https://docs.amazonaws.cn/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement) `TemplateArn` Specifies a custom configuration template to use when issuing a certificate. If this parameter is not provided, Amazon Private CA defaults to the `EndEntityCertificate/V1` template. For more information about Amazon Private CA templates, see [Using Templates](https://docs.amazonaws.cn/privateca/latest/userguide/UsingTemplates.html). *Required*: No *Type*: String *Update requires*: [Replacement](https://docs.amazonaws.cn/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement) `Validity` The period of time during which the certificate will be valid. *Required*: Yes *Type*: [Validity](aws-properties-acmpca-certificate-validity.md) *Update requires*: [Replacement](https://docs.amazonaws.cn/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement) `ValidityNotBefore` Information describing the start of the validity period of the certificate. This parameter sets the “Not Before" date for the certificate. By default, when issuing a certificate, Amazon Private CA sets the "Not Before" date to the issuance time minus 60 minutes. This compensates for clock inconsistencies across computer systems. The `ValidityNotBefore` parameter can be used to customize the “Not Before” value. Unlike the `Validity` parameter, the `ValidityNotBefore` parameter is optional. The `ValidityNotBefore` value is expressed as an explicit date and time, using the `Validity` type value `ABSOLUTE`. *Required*: No *Type*: [Validity](aws-properties-acmpca-certificate-validity.md) *Update requires*: [Replacement](https://docs.amazonaws.cn/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement) ## Return values ### Ref This reference should not be used in CloudFormation templates. Instead, use `AWS::ACMPCA::Certificate.Arn` to identify a certificate, and use `AWS::ACMPCA::Certificate.CertificateAuthorityArn` to identify a certificate authority. ### Fn::GetAtt The `Fn::GetAtt` intrinsic function returns a value for a specified attribute of this type. The following are the available attributes and sample return values. For more information about using the `Fn::GetAtt` intrinsic function, see [Fn::GetAtt](https://docs.amazonaws.cn/AWSCloudFormation/latest/UserGuide/intrinsic-function-reference-getatt.html). #### `Arn` The Amazon Resource Name (ARN) of the issued certificate. `Certificate` The issued Base64 PEM-encoded certificate.