AWS::ACMPCA::Certificate - Amazon CloudFormation
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

AWS::ACMPCA::Certificate

The AWS::ACMPCA::Certificate resource is used to issue a certificate using your private certificate authority. For more information, see the IssueCertificate action.

Syntax

To declare this entity in your Amazon CloudFormation template, use the following syntax:

JSON

{ "Type" : "AWS::ACMPCA::Certificate", "Properties" : { "ApiPassthrough" : ApiPassthrough, "CertificateAuthorityArn" : String, "CertificateSigningRequest" : String, "SigningAlgorithm" : String, "TemplateArn" : String, "Validity" : Validity, "ValidityNotBefore" : Validity } }

Properties

ApiPassthrough

Specifies X.509 certificate information to be included in the issued certificate. An APIPassthrough or APICSRPassthrough template variant must be selected, or else this parameter is ignored.

Required: No

Type: ApiPassthrough

Update requires: Replacement

CertificateAuthorityArn

The Amazon Resource Name (ARN) for the private CA issues the certificate.

Required: Yes

Type: String

Update requires: Replacement

CertificateSigningRequest

The certificate signing request (CSR) for the certificate.

Required: Yes

Type: String

Minimum: 1

Update requires: Replacement

SigningAlgorithm

The name of the algorithm that will be used to sign the certificate to be issued.

This parameter should not be confused with the SigningAlgorithm parameter used to sign a CSR in the CreateCertificateAuthority action.

Note

The specified signing algorithm family (RSA or ECDSA) must match the algorithm family of the CA's secret key.

Required: Yes

Type: String

Allowed values: SHA256WITHECDSA | SHA384WITHECDSA | SHA512WITHECDSA | SHA256WITHRSA | SHA384WITHRSA | SHA512WITHRSA

Update requires: Replacement

TemplateArn

Specifies a custom configuration template to use when issuing a certificate. If this parameter is not provided, Amazon Private CA defaults to the EndEntityCertificate/V1 template. For more information about Amazon Private CA templates, see Using Templates.

Required: No

Type: String

Update requires: Replacement

Validity

The period of time during which the certificate will be valid.

Required: Yes

Type: Validity

Update requires: Replacement

ValidityNotBefore

Information describing the start of the validity period of the certificate. This parameter sets the “Not Before" date for the certificate.

By default, when issuing a certificate, Amazon Private CA sets the "Not Before" date to the issuance time minus 60 minutes. This compensates for clock inconsistencies across computer systems. The ValidityNotBefore parameter can be used to customize the “Not Before” value.

Unlike the Validity parameter, the ValidityNotBefore parameter is optional.

The ValidityNotBefore value is expressed as an explicit date and time, using the Validity type value ABSOLUTE.

Required: No

Type: Validity

Update requires: Replacement

Return values

Ref

This reference should not be used in CloudFormation templates. Instead, use AWS::ACMPCA::Certificate.Arn to identify a certificate, and use AWS::ACMPCA::Certificate.CertificateAuthorityArn to identify a certificate authority.

Fn::GetAtt

The Fn::GetAtt intrinsic function returns a value for a specified attribute of this type. The following are the available attributes and sample return values.

For more information about using the Fn::GetAtt intrinsic function, see Fn::GetAtt.

Arn

The Amazon Resource Name (ARN) of the issued certificate.

Certificate

The issued Base64 PEM-encoded certificate.