AWS::ACMPCA::CertificateAuthority RevocationConfiguration - Amazon CloudFormation
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

AWS::ACMPCA::CertificateAuthority RevocationConfiguration

Certificate revocation information used by the CreateCertificateAuthority and UpdateCertificateAuthority actions. Your private certificate authority (CA) can configure Online Certificate Status Protocol (OCSP) support and/or maintain a certificate revocation list (CRL). OCSP returns validation information about certificates as requested by clients, and a CRL contains an updated list of certificates revoked by your CA. For more information, see RevokeCertificate in the Amazon Private CA API Reference and Setting up a certificate revocation method in the Amazon Private CA User Guide.


The following requirements apply to revocation configurations.

  • A configuration disabling CRLs or OCSP must contain only the Enabled=False parameter, and will fail if other parameters such as CustomCname or ExpirationInDays are included.

  • In a CRL configuration, the S3BucketName parameter must conform to the Amazon S3 bucket naming rules.

  • A configuration containing a custom Canonical Name (CNAME) parameter for CRLs or OCSP must conform to RFC2396 restrictions on the use of special characters in a CNAME.

  • In a CRL or OCSP configuration, the value of a CNAME parameter must not include a protocol prefix such as "http://" or "https://".


To declare this entity in your Amazon CloudFormation template, use the following syntax:



Configuration of the certificate revocation list (CRL), if any, maintained by your private CA.

Required: No

Type: CrlConfiguration

Update requires: No interruption


Configuration of Online Certificate Status Protocol (OCSP) support, if any, maintained by your private CA.

Required: No

Type: OcspConfiguration

Update requires: No interruption