AWS::NetworkFirewall::TLSInspectionConfiguration ServerCertificateConfiguration
Configures the Amazon Certificate Manager certificates and scope that Network Firewall uses to decrypt and re-encrypt traffic using a TLSInspectionConfiguration. You can configure ServerCertificates for inbound SSL/TLS inspection, a CertificateAuthorityArn for outbound SSL/TLS inspection, or both. For information about working with certificates for TLS inspection, see Using SSL/TLS server certificates with TLS inspection configurations in the Amazon Network Firewall Developer Guide.
Note
If a server certificate that's associated with your TLSInspectionConfiguration is revoked, deleted, or expired, it can result in client-side TLS errors.
Syntax
To declare this entity in your Amazon CloudFormation template, use the following syntax:
JSON

{
  "CertificateAuthorityArn" : String,
  "CheckCertificateRevocationStatus" : CheckCertificateRevocationStatus,
  "Scopes" : [ ServerCertificateScope, ... ],
  "ServerCertificates" : [ ServerCertificate, ... ]
}

YAML

CertificateAuthorityArn: String
CheckCertificateRevocationStatus:
  CheckCertificateRevocationStatus
Scopes:
  - ServerCertificateScope
ServerCertificates:
  - ServerCertificate
Properties

CertificateAuthorityArn
    The Amazon Resource Name (ARN) of the imported certificate authority (CA) certificate within Amazon Certificate Manager (ACM) to use for outbound SSL/TLS inspection.
    The following limitations apply:
    - You can use CA certificates that you imported into ACM, but you can't generate CA certificates with ACM.
    - You can't use certificates issued by Amazon Private Certificate Authority.
    For more information about configuring certificates for outbound inspection, see Using SSL/TLS server certificates with TLS inspection configurations in the Amazon Network Firewall Developer Guide.
    For information about working with certificates in ACM, see Importing certificates in the Amazon Certificate Manager User Guide.
    Required: No
    Type: String
    Pattern: ^(arn:aws.*)$
    Minimum: 1
    Maximum: 256
    Update requires: No interruption

CheckCertificateRevocationStatus
    When enabled, Network Firewall checks whether the server certificate presented by the server in the SSL/TLS connection has a revoked or unknown status. If the certificate has an unknown or revoked status, you must specify the actions that Network Firewall takes on outbound traffic. To check the certificate revocation status, you must also specify a CertificateAuthorityArn in ServerCertificateConfiguration.
    Required: No
    Type: CheckCertificateRevocationStatus
    Update requires: No interruption

Scopes
    A list of scopes.
    Required: No
    Type: Array of ServerCertificateScope
    Update requires: No interruption

ServerCertificates
    The list of server certificates to use for inbound SSL/TLS inspection.
    Required: No
    Type: Array of ServerCertificate
    Update requires: No interruption
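The following is an added example, not part of this reference page or of any AWS-provided code. It builds an outbound-inspection ServerCertificateConfiguration fragment as a Python dict and checks it against the constraints this page documents (the ARN pattern and length limits, the rule that CheckCertificateRevocationStatus requires a CertificateAuthorityArn, and the need to configure ServerCertificates, CertificateAuthorityArn, or both). The certificate ARN is a placeholder; the sub-property names inside CheckCertificateRevocationStatus and the scope (RevokedStatusAction, UnknownStatusAction, Sources, Destinations, SourcePorts, DestinationPorts, Protocols, AddressDefinition, FromPort, ToPort) and the parent key ServerCertificateConfigurations come from the related CloudFormation property types that this page only names, and are assumptions as far as this page is concerned.

```python
import json
import re

# Documented constraints on CertificateAuthorityArn (from the Properties section).
CA_ARN_PATTERN = re.compile(r"^(arn:aws.*)$")
CA_ARN_MIN_LEN, CA_ARN_MAX_LEN = 1, 256

# Constructed example fragment: outbound inspection with a CA certificate
# imported into ACM, revocation checking enabled, and one scope that limits
# decryption to TCP/443 from an internal range to any destination.
# The ARN is a placeholder. Sub-property names below are taken from the
# related CloudFormation types (CheckCertificateRevocationStatus,
# ServerCertificateScope), which this page references only by name.
OUTBOUND_SERVER_CERT_CONFIG = {
    "CertificateAuthorityArn": "arn:aws:acm:us-east-1:111122223333:certificate/PLACEHOLDER-CA-ID",
    "CheckCertificateRevocationStatus": {
        "RevokedStatusAction": "REJECT",   # fail closed on a revoked certificate
        "UnknownStatusAction": "PASS",     # allow when the status cannot be determined
    },
    "Scopes": [
        {
            "Protocols": [6],  # 6 = TCP
            "Sources": [{"AddressDefinition": "10.0.0.0/16"}],
            "Destinations": [{"AddressDefinition": "0.0.0.0/0"}],
            "SourcePorts": [{"FromPort": 0, "ToPort": 65535}],
            "DestinationPorts": [{"FromPort": 443, "ToPort": 443}],
        }
    ],
}


def validate_server_certificate_configuration(cfg):
    """Return a list of problems found in a ServerCertificateConfiguration dict.

    Only checks what the reference page states: the ARN pattern and length,
    that revocation checking requires a CertificateAuthorityArn, and that at
    least one inspection direction (inbound or outbound) is configured.
    """
    problems = []
    ca_arn = cfg.get("CertificateAuthorityArn")
    server_certs = cfg.get("ServerCertificates") or []

    if ca_arn is not None:
        if not (CA_ARN_MIN_LEN <= len(ca_arn) <= CA_ARN_MAX_LEN):
            problems.append("CertificateAuthorityArn length must be between 1 and 256")
        if not CA_ARN_PATTERN.match(ca_arn):
            problems.append("CertificateAuthorityArn must match ^(arn:aws.*)$")

    if "CheckCertificateRevocationStatus" in cfg and ca_arn is None:
        problems.append("CheckCertificateRevocationStatus requires CertificateAuthorityArn")

    if ca_arn is None and not server_certs:
        problems.append(
            "configure ServerCertificates (inbound), CertificateAuthorityArn (outbound), or both"
        )
    return problems


def render_json(cfg):
    """Render the fragment as it would sit under the TLS inspection configuration's
    ServerCertificateConfigurations list in a JSON template (key name assumed)."""
    return json.dumps({"ServerCertificateConfigurations": [cfg]}, indent=2)


if __name__ == "__main__":
    for problem in validate_server_certificate_configuration(OUTBOUND_SERVER_CERT_CONFIG):
        print("problem:", problem)
    print(render_json(OUTBOUND_SERVER_CERT_CONFIG))
```

Running the validator before deploying catches the dependency that CloudFormation itself only reports at stack-creation time: a CheckCertificateRevocationStatus block with no CertificateAuthorityArn, or an ARN that is not from the `arn:aws` namespace.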