


# AWS::PCAConnectorSCEP::Connector
<a name="aws-resource-pcaconnectorscep-connector"></a>

Connector for SCEP is a service that links Amazon Private Certificate Authority to your SCEP-enabled devices. The connector brokers the exchange of certificates from Amazon Private CA to your SCEP-enabled devices and mobile device management systems. The connector is a complex type that contains the connector's configuration settings.

## Syntax
<a name="aws-resource-pcaconnectorscep-connector-syntax"></a>

To declare this entity in your Amazon CloudFormation template, use the following syntax:

### JSON
<a name="aws-resource-pcaconnectorscep-connector-syntax.json"></a>

```
{
  "Type" : "AWS::PCAConnectorSCEP::Connector",
  "Properties" : {
      "CertificateAuthorityArn" : String,
      "MobileDeviceManagement" : MobileDeviceManagement,
      "Tags" : {Key: Value, ...},
      "VpcEndpointId" : String
    }
}
```

### YAML
<a name="aws-resource-pcaconnectorscep-connector-syntax.yaml"></a>

```
Type: AWS::PCAConnectorSCEP::Connector
Properties:
  CertificateAuthorityArn: String
  MobileDeviceManagement:
    MobileDeviceManagement
  Tags:
    Key: Value
  VpcEndpointId: String
```

## Properties
<a name="aws-resource-pcaconnectorscep-connector-properties"></a>

`CertificateAuthorityArn`  <a name="cfn-pcaconnectorscep-connector-certificateauthorityarn"></a>
The Amazon Resource Name (ARN) of the certificate authority associated with the connector.  
*Required*: Yes  
*Type*: String  
*Pattern*: `^arn:aws(-[a-z]+)*:acm-pca:[a-z]+(-[a-z]+)+-[1-9]\d*:\d{12}:certificate-authority\/[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$`  
*Minimum*: `5`  
*Maximum*: `200`  
*Update requires*: [Replacement](https://docs.amazonaws.cn/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement)

`MobileDeviceManagement`  <a name="cfn-pcaconnectorscep-connector-mobiledevicemanagement"></a>
Contains settings relevant to the mobile device management system that you chose for the connector. If you didn't configure `MobileDeviceManagement`, then the connector is for general-purpose use and this object is empty.  
*Required*: No  
*Type*: [MobileDeviceManagement](aws-properties-pcaconnectorscep-connector-mobiledevicemanagement.md)  
*Update requires*: [Replacement](https://docs.amazonaws.cn/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement)

`Tags`  <a name="cfn-pcaconnectorscep-connector-tags"></a>
Property description not available.  
*Required*: No  
*Type*: Object of String  
*Pattern*: `.+`  
*Update requires*: [No interruption](https://docs.amazonaws.cn/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`VpcEndpointId`  <a name="cfn-pcaconnectorscep-connector-vpcendpointid"></a>
Property description not available.  
*Required*: No  
*Type*: String  
*Minimum*: `5`  
*Maximum*: `200`  
*Update requires*: [Replacement](https://docs.amazonaws.cn/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement)
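
A pre-deployment check built from the constraints and update behaviors listed above, as an added example (not code from the AWS documentation): `lint` validates literal property values in a parsed template, and `forces_replacement` reports which property changes between two template versions replace the connector rather than update it in place. The function and constant names are assumptions of this example.

```python
import re

# Constraints copied from the Properties section above.
CA_ARN_PATTERN = re.compile(
    r"^arn:aws(-[a-z]+)*:acm-pca:[a-z]+(-[a-z]+)+-[1-9]\d*:\d{12}:"
    r"certificate-authority\/[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$"
)
UPDATE_BEHAVIOR = {
    "CertificateAuthorityArn": "Replacement",
    "MobileDeviceManagement": "Replacement",
    "Tags": "No interruption",
    "VpcEndpointId": "Replacement",
}
CONNECTOR_TYPE = "AWS::PCAConnectorSCEP::Connector"


def connectors(template):
    """Return {logical_id: Properties} for every connector in a parsed template."""
    return {
        name: res.get("Properties", {})
        for name, res in template.get("Resources", {}).items()
        if res.get("Type") == CONNECTOR_TYPE
    }


def lint(template):
    """Check literal property values against the documented constraints."""
    findings = []
    for name, props in connectors(template).items():
        unknown = set(props) - set(UPDATE_BEHAVIOR)
        findings += [f"{name}: unknown property {p}" for p in sorted(unknown)]
        arn = props.get("CertificateAuthorityArn")
        if arn is None:
            findings.append(f"{name}: CertificateAuthorityArn is required")
        elif isinstance(arn, str):  # intrinsics (dicts such as Ref) resolve at deploy time
            if not (5 <= len(arn) <= 200 and CA_ARN_PATTERN.fullmatch(arn)):
                findings.append(f"{name}: CertificateAuthorityArn fails the pattern")
        vpce = props.get("VpcEndpointId")
        if isinstance(vpce, str) and not 5 <= len(vpce) <= 200:
            findings.append(f"{name}: VpcEndpointId length must be 5-200")
    return findings


def forces_replacement(old_template, new_template):
    """List (logical_id, property) pairs whose change replaces the connector."""
    old, new = connectors(old_template), connectors(new_template)
    return sorted(
        (name, prop)
        for name in old.keys() & new.keys()
        for prop, behavior in UPDATE_BEHAVIOR.items()
        if behavior == "Replacement" and old[name].get(prop) != new[name].get(prop)
    )
```

Parse a JSON template with `json.load` before passing it in; YAML templates that use short-form tags such as `!Ref` need a loader that understands those tags.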

## Return values
<a name="aws-resource-pcaconnectorscep-connector-return-values"></a>

### Ref
<a name="aws-resource-pcaconnectorscep-connector-return-values-ref"></a>

### Fn::GetAtt
<a name="aws-resource-pcaconnectorscep-connector-return-values-fn--getatt"></a>


`ConnectorArn`  <a name="ConnectorArn-fn::getatt"></a>
The Amazon Resource Name (ARN) of the connector.

`Endpoint`  <a name="Endpoint-fn::getatt"></a>
The connector's HTTPS public SCEP URL.

`Type`  <a name="Type-fn::getatt"></a>
The connector type.

## Examples
<a name="aws-resource-pcaconnectorscep-connector--examples"></a>



**Topics**
+ [Create a general-purpose SCEP connector and challenge resource](#aws-resource-pcaconnectorscep-connector--examples--Create_a_general-purpose_SCEP_connector_and_challenge_resource)
+ [Create connector to use with Microsoft Intune](#aws-resource-pcaconnectorscep-connector--examples--Create_connector_to_use_with_Microsoft_Intune)

### Create a general-purpose SCEP connector and challenge resource
<a name="aws-resource-pcaconnectorscep-connector--examples--Create_a_general-purpose_SCEP_connector_and_challenge_resource"></a>

The following example creates an Amazon Private Certificate Authority (CA) general-purpose connector with a challenge password. Before you create a connector, you must complete a few prerequisites, including creating a private CA in Amazon Private Certificate Authority (CA). For more information, see [Set up Connector for SCEP](https://docs.amazonaws.cn/privateca/latest/userguide/connector-for-scep-setting-up.html).

#### JSON
<a name="aws-resource-pcaconnectorscep-connector--examples--Create_a_general-purpose_SCEP_connector_and_challenge_resource--json"></a>

```
{
   "AWSTemplateFormatVersion": "2010-09-09",
   "Description": "CloudFormation template to set up a general-purpose connector for SCEP and challenge password.",
   "Resources": {
      "RootCA": {
         "Type": "AWS::ACMPCA::CertificateAuthority",
         "Properties": {
            "Type": "ROOT",
            "KeyAlgorithm": "RSA_2048",
            "SigningAlgorithm": "SHA256WITHRSA",
            "Subject": {
               "Country": "US",
               "Organization": "string",
               "OrganizationalUnit": "string",
               "DistinguishedNameQualifier": "string",
               "State": "string",
               "CommonName": "123",
               "SerialNumber": "string",
               "Locality": "string",
               "Title": "string",
               "Surname": "string",
               "GivenName": "string",
               "Initials": "DG",
               "Pseudonym": "string",
               "GenerationQualifier": "DBG"
            },
            "RevocationConfiguration": {
               "CrlConfiguration": {
                  "Enabled": false
               }
            }
         }
      },
      "RootCACertificate": {
         "Type": "AWS::ACMPCA::Certificate",
         "Properties": {
            "CertificateAuthorityArn": {
               "Ref": "RootCA"
            },
            "CertificateSigningRequest": {
               "Fn::GetAtt": [
                  "RootCA",
                  "CertificateSigningRequest"
               ]
            },
            "SigningAlgorithm": "SHA256WITHRSA",
            "TemplateArn": "arn:aws:acm-pca:::template/RootCACertificate/V1",
            "Validity": {
               "Type": "YEARS",
               "Value": 100
            }
         }
      },
      "RootCAActivation": {
         "Type": "AWS::ACMPCA::CertificateAuthorityActivation",
         "Properties": {
            "CertificateAuthorityArn": {
               "Ref": "RootCA"
            },
            "Certificate": {
               "Fn::GetAtt": [
                  "RootCACertificate",
                  "Certificate"
               ]
            },
            "Status": "ACTIVE"
         }
      },
      "RootCAResourceShare": {
         "DependsOn": "RootCAActivation",
         "Type": "AWS::RAM::ResourceShare",
         "Properties": {
            "Name": "RootCAResourceShare",
            "PermissionArns": [
               "arn:aws:ram::aws:permission/AWSRAMBlankEndEntityCertificateAPICSRPassthroughIssuanceCertificateAuthority"
            ],
            "ResourceArns": [
               {
                  "Ref": "RootCA"
               }
            ],
            "Sources": [
               {
                  "Ref": "AWS::AccountId"
               }
            ],
            "Principals": [
               "pca-connector-scep.amazonaws.com"
            ]
         }
      },
      "GeneralPurposeConnector": {
         "DependsOn": "RootCAResourceShare",
         "Type": "AWS::PCAConnectorSCEP::Connector",
         "Properties": {
            "CertificateAuthorityArn": {
               "Ref": "RootCA"
            }
         }
      },
      "GeneralPurposeConnectorChallenge": {
         "DependsOn": "GeneralPurposeConnector",
         "Type": "AWS::PCAConnectorSCEP::Challenge",
         "Properties": {
            "ConnectorArn": {
               "Ref": "GeneralPurposeConnector"
            }
         }
      }
   },
   "Outputs": {
      "GeneralPurposeConnector": {
         "Value": {
            "Ref": "GeneralPurposeConnector"
         }
      },
      "GeneralPurposeConnectorChallenge": {
         "Value": {
            "Ref": "GeneralPurposeConnectorChallenge"
         }
      }
   }
}
```

#### YAML
<a name="aws-resource-pcaconnectorscep-connector--examples--Create_a_general-purpose_SCEP_connector_and_challenge_resource--yaml"></a>

```
AWSTemplateFormatVersion: '2010-09-09'
Description: CloudFormation template to set up a general-purpose connector for SCEP and challenge password.
Resources:
   # Private root CA that the connector issues certificates from
   RootCA:
      Type: AWS::ACMPCA::CertificateAuthority
      Properties:
         Type: ROOT
         KeyAlgorithm: RSA_2048
         SigningAlgorithm: SHA256WITHRSA
         Subject:
            Country: US
            Organization: string
            OrganizationalUnit: string
            DistinguishedNameQualifier: string
            State: string
            CommonName: '123'
            SerialNumber: string
            Locality: string
            Title: string
            Surname: string
            GivenName: string
            Initials: DG
            Pseudonym: string
            GenerationQualifier: DBG
         RevocationConfiguration:
            CrlConfiguration:
               Enabled: false
   # Self-signed root certificate issued from the CA's own CSR
   RootCACertificate:
      Type: AWS::ACMPCA::Certificate
      Properties:
         CertificateAuthorityArn: !Ref RootCA
         CertificateSigningRequest: !GetAtt RootCA.CertificateSigningRequest
         SigningAlgorithm: SHA256WITHRSA
         TemplateArn: arn:aws:acm-pca:::template/RootCACertificate/V1
         Validity:
            Type: YEARS
            Value: 100
   RootCAActivation:
      Type: AWS::ACMPCA::CertificateAuthorityActivation
      Properties:
         CertificateAuthorityArn: !Ref RootCA
         Certificate: !GetAtt RootCACertificate.Certificate
         Status: ACTIVE
   # Share the CA with the Connector for SCEP service principal through AWS RAM
   RootCAResourceShare:
      DependsOn: RootCAActivation
      Type: AWS::RAM::ResourceShare
      Properties:
         Name: RootCAResourceShare
         PermissionArns:
            - arn:aws:ram::aws:permission/AWSRAMBlankEndEntityCertificateAPICSRPassthroughIssuanceCertificateAuthority
         ResourceArns:
            - !Ref RootCA
         Sources:
            - !Ref AWS::AccountId
         Principals:
            - pca-connector-scep.amazonaws.com
   # No MobileDeviceManagement property, so the connector is general-purpose
   GeneralPurposeConnector:
      DependsOn: RootCAResourceShare
      Type: AWS::PCAConnectorSCEP::Connector
      Properties:
         CertificateAuthorityArn: !Ref RootCA
   GeneralPurposeConnectorChallenge:
      DependsOn: GeneralPurposeConnector
      Type: AWS::PCAConnectorSCEP::Challenge
      Properties:
         ConnectorArn: !Ref GeneralPurposeConnector
Outputs:
   GeneralPurposeConnector:
      Value: !Ref GeneralPurposeConnector
   GeneralPurposeConnectorChallenge:
      Value: !Ref GeneralPurposeConnectorChallenge
```

### Create connector to use with Microsoft Intune
<a name="aws-resource-pcaconnectorscep-connector--examples--Create_connector_to_use_with_Microsoft_Intune"></a>

The following example creates an Amazon Private Certificate Authority (CA) connector to use with Microsoft Intune. Before you create a connector, you must complete a few prerequisites, including creating a private CA in Amazon Private Certificate Authority (CA). For more information, see [Set up Connector for SCEP](https://docs.amazonaws.cn/privateca/latest/userguide/connector-for-scep-setting-up.html).

#### JSON
<a name="aws-resource-pcaconnectorscep-connector--examples--Create_connector_to_use_with_Microsoft_Intune--json"></a>

```
{
   "AWSTemplateFormatVersion": "2010-09-09",
   "Description": "CloudFormation template to set up a connector to use with Microsoft Intune.",
   "Resources": {
      "RootCA": {
         "Type": "AWS::ACMPCA::CertificateAuthority",
         "Properties": {
            "Type": "ROOT",
            "KeyAlgorithm": "RSA_2048",
            "SigningAlgorithm": "SHA256WITHRSA",
            "Subject": {
               "Country": "US",
               "Organization": "string",
               "OrganizationalUnit": "string",
               "DistinguishedNameQualifier": "string",
               "State": "string",
               "CommonName": "123",
               "SerialNumber": "string",
               "Locality": "string",
               "Title": "string",
               "Surname": "string",
               "GivenName": "string",
               "Initials": "DG",
               "Pseudonym": "string",
               "GenerationQualifier": "DBG"
            },
            "RevocationConfiguration": {
               "CrlConfiguration": {
                  "Enabled": false
               }
            }
         }
      },
      "RootCACertificate": {
         "Type": "AWS::ACMPCA::Certificate",
         "Properties": {
            "CertificateAuthorityArn": {
               "Ref": "RootCA"
            },
            "CertificateSigningRequest": {
               "Fn::GetAtt": [
                  "RootCA",
                  "CertificateSigningRequest"
               ]
            },
            "SigningAlgorithm": "SHA256WITHRSA",
            "TemplateArn": "arn:aws:acm-pca:::template/RootCACertificate/V1",
            "Validity": {
               "Type": "YEARS",
               "Value": 100
            }
         }
      },
      "RootCAActivation": {
         "Type": "AWS::ACMPCA::CertificateAuthorityActivation",
         "Properties": {
            "CertificateAuthorityArn": {
               "Ref": "RootCA"
            },
            "Certificate": {
               "Fn::GetAtt": [
                  "RootCACertificate",
                  "Certificate"
               ]
            },
            "Status": "ACTIVE"
         }
      },
      "RootCAResourceShare": {
         "DependsOn": "RootCAActivation",
         "Type": "AWS::RAM::ResourceShare",
         "Properties": {
            "Name": "RootCAResourceShare",
            "PermissionArns": [
               "arn:aws:ram::aws:permission/AWSRAMBlankEndEntityCertificateAPICSRPassthroughIssuanceCertificateAuthority"
            ],
            "ResourceArns": [
               {
                  "Ref": "RootCA"
               }
            ],
            "Sources": [
               {
                  "Ref": "AWS::AccountId"
               }
            ],
            "Principals": [
               "pca-connector-scep.amazonaws.com"
            ]
         }
      },
      "IntuneConnector": {
         "DependsOn": "RootCAResourceShare",
         "Type": "AWS::PCAConnectorSCEP::Connector",
         "Properties": {
            "CertificateAuthorityArn": {
               "Ref": "RootCA"
            },
            "MobileDeviceManagement": {
               "Intune": {
                  "AzureApplicationId": "222-222-222-222-222",
                  "Domain": "example.onmicrosoft.com"
               }
            }
         }
      }
   },
   "Outputs": {
      "IntuneConnector": {
         "Value": {
            "Ref": "IntuneConnector"
         }
      }
   }
}
```

#### YAML
<a name="aws-resource-pcaconnectorscep-connector--examples--Create_connector_to_use_with_Microsoft_Intune--yaml"></a>

```
AWSTemplateFormatVersion: '2010-09-09'
Description: CloudFormation template to set up a connector to use with Microsoft Intune.
Resources:
   # Private root CA that the connector issues certificates from
   RootCA:
      Type: AWS::ACMPCA::CertificateAuthority
      Properties:
         Type: ROOT
         KeyAlgorithm: RSA_2048
         SigningAlgorithm: SHA256WITHRSA
         Subject:
            Country: US
            Organization: string
            OrganizationalUnit: string
            DistinguishedNameQualifier: string
            State: string
            CommonName: '123'
            SerialNumber: string
            Locality: string
            Title: string
            Surname: string
            GivenName: string
            Initials: DG
            Pseudonym: string
            GenerationQualifier: DBG
         RevocationConfiguration:
            CrlConfiguration:
               Enabled: false
   # Self-signed root certificate issued from the CA's own CSR
   RootCACertificate:
      Type: AWS::ACMPCA::Certificate
      Properties:
         CertificateAuthorityArn: !Ref RootCA
         CertificateSigningRequest: !GetAtt RootCA.CertificateSigningRequest
         SigningAlgorithm: SHA256WITHRSA
         TemplateArn: arn:aws:acm-pca:::template/RootCACertificate/V1
         Validity:
            Type: YEARS
            Value: 100
   RootCAActivation:
      Type: AWS::ACMPCA::CertificateAuthorityActivation
      Properties:
         CertificateAuthorityArn: !Ref RootCA
         Certificate: !GetAtt RootCACertificate.Certificate
         Status: ACTIVE
   # Share the CA with the Connector for SCEP service principal through AWS RAM
   RootCAResourceShare:
      DependsOn: RootCAActivation
      Type: AWS::RAM::ResourceShare
      Properties:
         Name: RootCAResourceShare
         PermissionArns:
            - arn:aws:ram::aws:permission/AWSRAMBlankEndEntityCertificateAPICSRPassthroughIssuanceCertificateAuthority
         ResourceArns:
            - !Ref RootCA
         Sources:
            - !Ref AWS::AccountId
         Principals:
            - pca-connector-scep.amazonaws.com
   # MobileDeviceManagement.Intune makes this a connector for Microsoft Intune
   IntuneConnector:
      DependsOn: RootCAResourceShare
      Type: AWS::PCAConnectorSCEP::Connector
      Properties:
         CertificateAuthorityArn: !Ref RootCA
         MobileDeviceManagement:
            Intune:
               AzureApplicationId: "222-222-222-222-222"
               Domain: "example.onmicrosoft.com"
Outputs:
   IntuneConnector:
      Value: !Ref IntuneConnector
```