AWS ACM PCA Certificate Authority

This page shows how to declare an ACM PCA Certificate Authority in Terraform and CloudFormation, and what to watch when doing so securely: the key and signing algorithms, the CA type (ROOT or SUBORDINATE), the activation step that turns a pending CA into one that can issue certificates, and the revocation (CRL or OCSP) configuration.

aws_acmpca_certificate_authority (Terraform)

The Certificate Authority in ACM PCA is configured in Terraform with the resource name aws_acmpca_certificate_authority. The following sections show example usage from GitHub and explain the resource's parameters.

Example Usage from GitHub

acmpca_certificate_authority_test.tf#L13
resource "aws_acmpca_certificate_authority" "private_ca_noUsage" {
  # No `type` is set, so the provider default (SUBORDINATE) applies.
  certificate_authority_configuration {
    key_algorithm     = "RSA_4096"
    signing_algorithm = "SHA512WITHRSA"
    subject {
      common_name = "private-ca.com"
    }
  }
}
acm_pca.tf#L3
resource "aws_acmpca_certificate_authority" "example" {
  certificate_authority_configuration {
    key_algorithm     = "RSA_4096"
    signing_algorithm = "SHA512WITHRSA"

    subject {

Parameters

Explanation in Terraform Registry

Provides a resource to manage AWS Certificate Manager Private Certificate Authorities (ACM PCA Certificate Authorities).

NOTE: Creating this resource leaves the certificate authority in PENDING_CERTIFICATE status, which means it cannot yet issue certificates. To activate it, the CSR exposed in the certificate_signing_request attribute must be signed and the resulting certificate imported into the CA. That can be done outside Terraform (for example by an on-premises CA that signs the CSR, after which the certificate is imported through the AWS CLI or console) or entirely in Terraform with two further resources: aws_acmpca_certificate, which signs the CSR either with the CA itself (root CA template) or with a parent private CA, and aws_acmpca_certificate_authority_certificate, which installs the signed certificate and its chain on the CA. The CA private key is generated and held by AWS and cannot be exported.

AWS::ACMPCA::CertificateAuthority (CloudFormation)

The CertificateAuthority in ACMPCA is configured in CloudFormation with the resource name AWS::ACMPCA::CertificateAuthority. The following sections show example usage from GitHub and explain the resource's parameters.

Example Usage from GitHub

acm.yml#L6
    Type: AWS::ACMPCA::CertificateAuthority
    Properties:
      Type: ROOT
      KeyAlgorithm: RSA_2048
      SigningAlgorithm: SHA256WITHRSA
      Subject:
acm-pca.yml#L6
    Type: 'AWS::ACMPCA::CertificateAuthority'
    Properties:
      Type: ROOT
      KeyAlgorithm: RSA_2048
      SigningAlgorithm: SHA256WITHRSA
      Subject:
acmpca.json#L4
            "Type": "AWS::ACMPCA::CertificateAuthority",
            "Properties": {
                "KeyAlgorithm": "RSA_2048",
                "RevocationConfiguration": {
                    "CrlConfiguration": {
                        "Enabled": false
awsResouceIconMatches.json#L381
        "resourceType": "AWS::ACMPCA::CertificateAuthority",
        "filePath": null
      },
      {
        "resourceType": "AWS::ACMPCA::CertificateAuthorityActivation",
        "filePath": null
ACMPCACertificateAuthoritySpecification.json#L3
    "AWS::ACMPCA::CertificateAuthority.Subject": {
      "Documentation": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-acmpca-certificateauthority-subject.html",
      "Properties": {
        "Country": {
          "Documentation": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-acmpca-certificateauthority-subject.html#cfn-acmpca-certificateauthority-subject-country",
          "UpdateType": "Immutable",
template.json#L19
    "AWS::ACMPCA::CertificateAuthority": {
      "Type": "AWS::ACMPCA::CertificateAuthority",
      "Properties": {}
    },
    "AWS::GlobalAccelerator::Accelerator": {
      "Type": "AWS::GlobalAccelerator::Accelerator",

Parameters

Explanation in CloudFormation Registry

Use the AWS::ACMPCA::CertificateAuthority resource to create a private CA. Once the CA exists, you can use the AWS::ACMPCA::Certificate resource to issue a new CA certificate. Alternatively, you can issue a CA certificate using an on-premises CA, and then use the AWS::ACMPCA::CertificateAuthorityActivation resource to import the new CA certificate and activate the CA.

Note Before removing an AWS::ACMPCA::CertificateAuthority resource from the CloudFormation stack, disable the affected CA. Otherwise, the action will fail. You can disable the CA by removing its associated AWS::ACMPCA::CertificateAuthorityActivation resource from CloudFormation.
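Neither the Terraform nor the CloudFormation snippets on this page say anything about revocation, and the acmpca.json example explicitly disables the CRL; a CA with neither a CRL nor an OCSP responder cannot revoke a leaf certificate whose key has leaked. The following added example (not code from this page, the Terraform provider or CloudFormation) audits CA definitions from either source for that and for two other common mistakes: a signing algorithm that does not match the key family (the API rejects such a CA) and a permanent-deletion window shorter than the 30-day maximum. It reads CloudFormation templates as Python dicts and Terraform plans as the JSON produced by `terraform show -json`; the logical ID, resource address, bucket name and sample values are constructed for illustration, and the "root CA should not use RSA_2048" rule is this check's policy, not an AWS requirement.

```python
# Added example for this page, not code from the Terraform or CloudFormation
# registries: offline policy checks for ACM PCA certificate authorities in a
# CloudFormation template dict or Terraform plan JSON (`terraform show -json`).
# Only the plan's root_module is walked. Sample data below is constructed.

# Key algorithms ACM PCA accepts, grouped by signature family; a CA whose
# signing algorithm does not match its key family is rejected by the API.
RSA_KEYS = {"RSA_2048", "RSA_4096"}
EC_KEYS = {"EC_prime256v1", "EC_secp384r1"}
ROOT_KEYS = {"RSA_4096", "EC_prime256v1", "EC_secp384r1"}  # policy choice, not an AWS rule

def _normalize_cfn(props):
    """Flatten AWS::ACMPCA::CertificateAuthority properties to a common shape."""
    rev = props.get("RevocationConfiguration") or {}
    return {
        "type": props.get("Type"),  # required in CloudFormation
        "key_algorithm": props.get("KeyAlgorithm"),
        "signing_algorithm": props.get("SigningAlgorithm"),
        "crl_enabled": bool((rev.get("CrlConfiguration") or {}).get("Enabled", False)),
        "ocsp_enabled": bool((rev.get("OcspConfiguration") or {}).get("Enabled", False)),
        "usage_mode": props.get("UsageMode", "GENERAL_PURPOSE"),
        "deletion_days": 30,  # CloudFormation has no deletion-window property
    }

def _first(blocks):
    """Terraform plan JSON renders nested blocks as lists; take the first or {}."""
    return (blocks or [{}])[0]

def _normalize_tf(values):
    """Flatten the `values` of an aws_acmpca_certificate_authority plan entry."""
    cfg = _first(values.get("certificate_authority_configuration"))
    rev = _first(values.get("revocation_configuration"))
    return {
        "type": values.get("type") or "SUBORDINATE",  # provider default
        "key_algorithm": cfg.get("key_algorithm"),
        "signing_algorithm": cfg.get("signing_algorithm"),
        "crl_enabled": bool(_first(rev.get("crl_configuration")).get("enabled", False)),
        "ocsp_enabled": bool(_first(rev.get("ocsp_configuration")).get("enabled", False)),
        "usage_mode": values.get("usage_mode") or "GENERAL_PURPOSE",
        "deletion_days": values.get("permanent_deletion_time_in_days") or 30,
    }

def audit(ca):
    """Return a list of finding strings for one normalized CA (empty = clean)."""
    findings = []
    key, sig = ca["key_algorithm"], ca["signing_algorithm"] or ""
    if key in RSA_KEYS and not sig.endswith("WITHRSA"):
        findings.append(f"signing algorithm {sig} does not match RSA key {key}")
    if key in EC_KEYS and not sig.endswith("WITHECDSA"):
        findings.append(f"signing algorithm {sig} does not match EC key {key}")
    if ca["type"] == "ROOT" and key not in ROOT_KEYS:
        findings.append(f"root CA uses {key}; prefer RSA_4096 or an EC key")
    # Short-lived mode (certificates valid at most 7 days) is the one case where
    # skipping revocation is a deliberate design; everywhere else it must be on.
    if ca["usage_mode"] != "SHORT_LIVED_CERTIFICATE" and not (ca["crl_enabled"] or ca["ocsp_enabled"]):
        findings.append("no CRL or OCSP enabled: issued certificates cannot be revoked")
    if ca["deletion_days"] < 30:
        findings.append(f"deletion window of {ca['deletion_days']} days limits recovery")
    return findings

def audit_cloudformation(template):
    """Map logical ID -> findings for each ACM PCA CA resource in a template."""
    return {
        name: audit(_normalize_cfn(res.get("Properties") or {}))
        for name, res in template.get("Resources", {}).items()
        if res.get("Type") == "AWS::ACMPCA::CertificateAuthority"
    }

def audit_terraform_plan(plan):
    """Map resource address -> findings for each CA in the plan's root module."""
    root = plan.get("planned_values", {}).get("root_module", {})
    return {
        res["address"]: audit(_normalize_tf(res.get("values") or {}))
        for res in root.get("resources", [])
        if res.get("type") == "aws_acmpca_certificate_authority"
    }

# Constructed sample mirroring the acmpca.json snippet: root on a 2048-bit key, CRL off, no OCSP.
CFN_TEMPLATE = {"Resources": {"PrivateCA": {
    "Type": "AWS::ACMPCA::CertificateAuthority",
    "Properties": {"Type": "ROOT", "KeyAlgorithm": "RSA_2048",
                   "SigningAlgorithm": "SHA256WITHRSA",
                   "Subject": {"CommonName": "private-ca.com"},
                   "RevocationConfiguration": {"CrlConfiguration": {"Enabled": False}}}}}}

# Constructed plan JSON for a hardened root CA that passes every check (bucket name is a placeholder).
TF_PLAN = {"planned_values": {"root_module": {"resources": [{
    "address": "aws_acmpca_certificate_authority.hardened",
    "type": "aws_acmpca_certificate_authority", "name": "hardened",
    "values": {"type": "ROOT", "permanent_deletion_time_in_days": 30,
               "certificate_authority_configuration": [{
                   "key_algorithm": "EC_secp384r1", "signing_algorithm": "SHA384WITHECDSA",
                   "subject": [{"common_name": "example.com"}]}],
               "revocation_configuration": [{
                   "crl_configuration": [{"enabled": True, "expiration_in_days": 7,
                                          "s3_bucket_name": "example-crl-bucket"}],
                   "ocsp_configuration": [{"enabled": True}]}]}}]}}}
```

Run it as a pre-apply gate: for Terraform, `terraform plan -out=plan.out && terraform show -json plan.out > plan.json` and pass the loaded JSON to `audit_terraform_plan`; for CloudFormation, pass a parsed JSON or YAML template to `audit_cloudformation`. The CFN sample yields two findings (weak root key, no revocation), the hardened Terraform CA yields none, and a CA with UsageMode SHORT_LIVED_CERTIFICATE is exempted from the revocation check because its certificates expire within seven days.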

Frequently asked questions

What is AWS ACM PCA Certificate Authority?

AWS ACM PCA Certificate Authority is a resource of ACM PCA, an Amazon Web Services service. Its settings can be written in Terraform or CloudFormation.

Where can I find the example code for the AWS ACM PCA Certificate Authority?

For Terraform, the gilyas/infracost, infracost/infracost and DavidDikker/endgame source code examples are useful. See the Terraform Example section for further details.

For CloudFormation, the awsandy/ecs-workshop, gmcorral/acm-tools and aws/aws-app-mesh-examples source code examples are useful. See the CloudFormation Example section for further details.