AWS ACM PCA Certificate Authority

This page shows how to write Terraform and CloudFormation for an ACM PCA Certificate Authority, and how to write that configuration securely.

aws_acmpca_certificate_authority (Terraform)

The Certificate Authority in ACM PCA can be configured in Terraform with the resource name aws_acmpca_certificate_authority. The following sections describe 5 examples of how to use the resource and its parameters.

Example Usage from GitHub

acmpca_certificate_authority_test.tf#L13
resource "aws_acmpca_certificate_authority" "private_ca_noUsage" {
  certificate_authority_configuration {
    key_algorithm     = "RSA_4096"
    signing_algorithm = "SHA512WITHRSA"
    subject {
      common_name = "private-ca.com"
acm_pca.tf#L3
resource "aws_acmpca_certificate_authority" "example" {
  certificate_authority_configuration {
    key_algorithm     = "RSA_4096"
    signing_algorithm = "SHA512WITHRSA"

    subject {


Parameters

Explanation in Terraform Registry

Provides a resource to manage AWS Certificate Manager Private Certificate Authorities (ACM PCA Certificate Authorities).

NOTE: Creating this resource will leave the certificate authority in a PENDING_CERTIFICATE status, which means it cannot yet issue certificates. To complete this setup, you must fully sign the certificate authority CSR available in the certificate_signing_request attribute and import the signed certificate outside of Terraform. Terraform can support another resource to manage that workflow automatically in the future.
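The registry note above describes a two-step workflow: create the CA (it sits in PENDING_CERTIFICATE), then sign its CSR and import the result. The following is an added Terraform example, not code from the Terraform Registry or from any of the repositories listed on this page. It creates a ROOT CA, self-signs its CSR with the ACM PCA root template, imports the certificate so the CA becomes ACTIVE, and enables CRL publication to a private S3 bucket instead of leaving revocation disabled. Resource names, the bucket name and the subject values are constructed for illustration, and it assumes an AWS provider version that provides the aws_acmpca_certificate and aws_acmpca_certificate_authority_certificate resources.

```hcl
# Added example (not from the Terraform Registry or any repository on this page).
# Creates a ROOT private CA, activates it by self-signing its own CSR, and
# publishes a CRL to a private S3 bucket. Names and subject values are constructed.
# Assumes a provider version that ships aws_acmpca_certificate and
# aws_acmpca_certificate_authority_certificate.

data "aws_partition" "current" {}

# Bucket that ACM PCA publishes the CRL into. Public access is blocked; the
# service writes through the bucket policy below, not through public ACLs.
resource "aws_s3_bucket" "crl" {
  bucket = "example-private-ca-crl-bucket" # constructed name
}

resource "aws_s3_bucket_public_access_block" "crl" {
  bucket                  = aws_s3_bucket.crl.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# ACM PCA validates that it can write to the bucket when the CA is created,
# so the policy must exist first (see depends_on on the CA resource).
data "aws_iam_policy_document" "crl_bucket" {
  statement {
    sid = "AllowAcmPcaToWriteCrl"
    principals {
      type        = "Service"
      identifiers = ["acm-pca.amazonaws.com"]
    }
    actions = [
      "s3:GetBucketAcl",
      "s3:GetBucketLocation",
      "s3:PutObject",
      "s3:PutObjectAcl",
    ]
    resources = [
      aws_s3_bucket.crl.arn,
      "${aws_s3_bucket.crl.arn}/*",
    ]
  }
}

resource "aws_s3_bucket_policy" "crl" {
  bucket = aws_s3_bucket.crl.id
  policy = data.aws_iam_policy_document.crl_bucket.json
}

# Step 1: create the CA. It starts in PENDING_CERTIFICATE and cannot issue yet.
resource "aws_acmpca_certificate_authority" "root" {
  type = "ROOT"

  certificate_authority_configuration {
    key_algorithm     = "RSA_4096"
    signing_algorithm = "SHA512WITHRSA"
    subject {
      common_name  = "example-root-ca.internal" # constructed
      organization = "Example Org"              # constructed
    }
  }

  # Publish a CRL so relying parties can actually reject revoked certificates.
  # BUCKET_OWNER_FULL_CONTROL keeps the objects private; PUBLIC_READ would be
  # rejected by the public access block above.
  revocation_configuration {
    crl_configuration {
      enabled            = true
      expiration_in_days = 7
      s3_bucket_name     = aws_s3_bucket.crl.id
      s3_object_acl      = "BUCKET_OWNER_FULL_CONTROL"
    }
  }

  # Longest allowed restore window (7-30 days) if the CA is deleted by mistake.
  permanent_deletion_time_in_days = 30

  depends_on = [aws_s3_bucket_policy.crl]
}

# Step 2: sign the CA's own CSR with the root CA template (a self-signed root).
resource "aws_acmpca_certificate" "root" {
  certificate_authority_arn   = aws_acmpca_certificate_authority.root.arn
  certificate_signing_request = aws_acmpca_certificate_authority.root.certificate_signing_request
  signing_algorithm           = "SHA512WITHRSA"
  template_arn                = "arn:${data.aws_partition.current.partition}:acm-pca:::template/RootCACertificate/V1"

  validity {
    type  = "YEARS"
    value = 10
  }
}

# Step 3: import the signed certificate; the CA moves to ACTIVE and can issue.
resource "aws_acmpca_certificate_authority_certificate" "root" {
  certificate_authority_arn = aws_acmpca_certificate_authority.root.arn
  certificate               = aws_acmpca_certificate.root.certificate
  certificate_chain         = aws_acmpca_certificate.root.certificate_chain
}
```

Because the CRL bucket blocks public access, clients that need to check revocation must be able to read it (for example from inside the account or through a distribution you control); if the CA is meant to serve clients that cannot reach the bucket, plan that distribution before enabling the CRL rather than relaxing the bucket's access block. The CloudFormation section below describes the same create-then-activate split, where AWS::ACMPCA::Certificate and AWS::ACMPCA::CertificateAuthorityActivation play the roles of steps 2 and 3 here.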

AWS::ACMPCA::CertificateAuthority (CloudFormation)

The CertificateAuthority in ACMPCA can be configured in CloudFormation with the resource name AWS::ACMPCA::CertificateAuthority. The following sections describe 9 examples of how to use the resource and its parameters.

Example Usage from GitHub

acm.yml#L6
    Type: AWS::ACMPCA::CertificateAuthority
    Properties:
      Type: ROOT
      KeyAlgorithm: RSA_2048
      SigningAlgorithm: SHA256WITHRSA
      Subject:
acm-pca.yml#L6
    Type: 'AWS::ACMPCA::CertificateAuthority'
    Properties:
      Type: ROOT
      KeyAlgorithm: RSA_2048
      SigningAlgorithm: SHA256WITHRSA
      Subject:
acmpca.json#L4
            "Type": "AWS::ACMPCA::CertificateAuthority",
            "Properties": {
                "KeyAlgorithm": "RSA_2048",
                "RevocationConfiguration": {
                    "CrlConfiguration": {
                        "Enabled": false
awsResouceIconMatches.json#L381
        "resourceType": "AWS::ACMPCA::CertificateAuthority",
        "filePath": null
      },
      {
        "resourceType": "AWS::ACMPCA::CertificateAuthorityActivation",
        "filePath": null
ACMPCACertificateAuthoritySpecification.json#L3
    "AWS::ACMPCA::CertificateAuthority.Subject": {
      "Documentation": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-acmpca-certificateauthority-subject.html",
      "Properties": {
        "Country": {
          "Documentation": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-acmpca-certificateauthority-subject.html#cfn-acmpca-certificateauthority-subject-country",
          "UpdateType": "Immutable",
template.json#L19
    "AWS::ACMPCA::CertificateAuthority": {
      "Type": "AWS::ACMPCA::CertificateAuthority",
      "Properties": {}
    },
    "AWS::GlobalAccelerator::Accelerator": {
      "Type": "AWS::GlobalAccelerator::Accelerator",

Parameters

Explanation in CloudFormation Registry

Use the AWS::ACMPCA::CertificateAuthority resource to create a private CA. Once the CA exists, you can use the AWS::ACMPCA::Certificate resource to issue a new CA certificate. Alternatively, you can issue a CA certificate using an on-premises CA, and then use the AWS::ACMPCA::CertificateAuthorityActivation resource to import the new CA certificate and activate the CA.

Note: Before removing an AWS::ACMPCA::CertificateAuthority resource from the CloudFormation stack, disable the affected CA. Otherwise, the action will fail. You can disable the CA by removing its associated AWS::ACMPCA::CertificateAuthorityActivation resource from CloudFormation.

Frequently asked questions

What is AWS ACM PCA Certificate Authority?

AWS ACM PCA Certificate Authority is a resource for ACM PCA of Amazon Web Services. Its settings can be written in Terraform and CloudFormation.

Where can I find the example code for the AWS ACM PCA Certificate Authority?

For Terraform, the gilyas/infracost, infracost/infracost and DavidDikker/endgame source code examples are useful. See the Terraform Example section for further details.

For CloudFormation, the awsandy/ecs-workshop, saaish/AppMesh and gmcorral/acm-tools source code examples are useful. See the CloudFormation Example section for further details.