CertificateAuthority - Amazon Private Certificate Authority
ContentsSee Also
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

CertificateAuthority

Contains information about your private certificate authority (CA). Your private CA can issue and revoke X.509 digital certificates. Digital certificates verify that the entity named in the certificate Subject field owns or controls the public key contained in the Subject Public Key Info field. Call the CreateCertificateAuthority action to create your private CA. You must then call the GetCertificateAuthorityCertificate action to retrieve a private CA certificate signing request (CSR). Sign the CSR with your Amazon Private CA-hosted or on-premises root or subordinate CA certificate. Call the ImportCertificateAuthorityCertificate action to import the signed certificate into Amazon Certificate Manager (ACM).

Contents

Arn

Amazon Resource Name (ARN) for your private certificate authority (CA). The format is 12345678-1234-1234-1234-123456789012 .

Type: String

Length Constraints: Minimum length of 5. Maximum length of 200.

Pattern: arn:[\w+=/,.@-]+:acm-pca:[\w+=/,.@-]*:[0-9]*:[\w+=,.@-]+(/[\w+=,.@-]+)*

Required: No

CertificateAuthorityConfiguration

Your private CA configuration.

Type: CertificateAuthorityConfiguration object

Required: No

CreatedAt

Date and time at which your private CA was created.

Type: Timestamp

Required: No

FailureReason

Reason the request to create your private CA failed.

Type: String

Valid Values: REQUEST_TIMED_OUT | UNSUPPORTED_ALGORITHM | OTHER

Required: No

KeyStorageSecurityStandard

Defines a cryptographic key management compliance standard for handling and protecting CA keys.

Default: FIPS_140_2_LEVEL_3_OR_HIGHER

Note

Starting January 26, 2023, Amazon Private CA protects all CA private keys in non-China regions using hardware security modules (HSMs) that comply with FIPS PUB 140-2 Level 3.

For information about security standard support in different Amazon Regions, see Storage and security compliance of Amazon Private CA private keys.

Type: String

Valid Values: FIPS_140_2_LEVEL_2_OR_HIGHER | FIPS_140_2_LEVEL_3_OR_HIGHER | CCPC_LEVEL_1_OR_HIGHER

Required: No

LastStateChangeAt

Date and time at which your private CA was last updated.

Type: Timestamp

Required: No

NotAfter

Date and time after which your private CA certificate is not valid.

Type: Timestamp

Required: No

NotBefore

Date and time before which your private CA certificate is not valid.

Type: Timestamp

Required: No

OwnerAccount

The Amazon account ID that owns the certificate authority.

Type: String

Length Constraints: Fixed length of 12.

Pattern: [0-9]+

Required: No

RestorableUntil

The period during which a deleted CA can be restored. For more information, see the PermanentDeletionTimeInDays parameter of the DeleteCertificateAuthorityRequest action.

Type: Timestamp

Required: No

RevocationConfiguration

Information about the Online Certificate Status Protocol (OCSP) configuration or certificate revocation list (CRL) created and maintained by your private CA.

Type: RevocationConfiguration object

Required: No

Serial

Serial number of your private CA.

Type: String

Required: No

Status

Status of your private CA.

Type: String

Valid Values: CREATING | PENDING_CERTIFICATE | ACTIVE | DELETED | DISABLED | EXPIRED | FAILED

Required: No

Type

Type of your private CA.

Type: String

Valid Values: ROOT | SUBORDINATE

Required: No

UsageMode

Specifies whether the CA issues general-purpose certificates that typically require a revocation mechanism, or short-lived certificates that may optionally omit revocation because they expire quickly. Short-lived certificate validity is limited to seven days.

The default value is GENERAL_PURPOSE.

Type: String

Valid Values: GENERAL_PURPOSE | SHORT_LIVED_CERTIFICATE

Required: No

See Also

For more information about using this API in one of the language-specific Amazon SDKs, see the following: