AWS ACM PCA Certificate Authority
This page shows how to write Terraform and CloudFormation for ACM PCA Certificate Authority and write them securely.
aws_acmpca_certificate_authority (Terraform)
The Certificate Authority in ACM PCA can be configured in Terraform with the resource name aws_acmpca_certificate_authority
. The following sections describe 5 examples of how to use the resource and its parameters.
Example Usage from GitHub
resource "aws_acmpca_certificate_authority" "private_ca_noUsage" {
certificate_authority_configuration {
key_algorithm = "RSA_4096"
signing_algorithm = "SHA512WITHRSA"
subject {
common_name = "private-ca.com"
resource "aws_acmpca_certificate_authority" "private_ca_noUsage" {
certificate_authority_configuration {
key_algorithm = "RSA_4096"
signing_algorithm = "SHA512WITHRSA"
subject {
common_name = "private-ca.com"
resource "aws_acmpca_certificate_authority" "example" {
certificate_authority_configuration {
key_algorithm = "RSA_4096"
signing_algorithm = "SHA512WITHRSA"
subject {
resource "aws_acmpca_certificate_authority" "example" {
certificate_authority_configuration {
key_algorithm = "RSA_4096"
signing_algorithm = "SHA512WITHRSA"
subject {
resource "aws_acmpca_certificate_authority" "example" {
certificate_authority_configuration {
key_algorithm = "RSA_4096"
signing_algorithm = "SHA512WITHRSA"
subject {
Parameters
-
arn
optional computed - string -
certificate
optional computed - string -
certificate_chain
optional computed - string -
certificate_signing_request
optional computed - string -
enabled
optional - bool -
id
optional computed - string -
not_after
optional computed - string -
not_before
optional computed - string -
permanent_deletion_time_in_days
optional - number -
serial
optional computed - string -
status
optional computed - string -
tags
optional - map from string to string -
type
optional - string -
certificate_authority_configuration
list block-
key_algorithm
required - string -
signing_algorithm
required - string -
subject
list block-
common_name
optional - string -
country
optional - string -
distinguished_name_qualifier
optional - string -
generation_qualifier
optional - string -
given_name
optional - string -
initials
optional - string -
locality
optional - string -
organization
optional - string -
organizational_unit
optional - string -
pseudonym
optional - string -
state
optional - string -
surname
optional - string -
title
optional - string
-
-
-
revocation_configuration
list block-
crl_configuration
list block-
custom_cname
optional - string -
enabled
optional - bool -
expiration_in_days
required - number -
s3_bucket_name
optional - string
-
-
-
timeouts
single block-
create
optional - string
-
Explanation in Terraform Registry
Provides a resource to manage AWS Certificate Manager Private Certificate Authorities (ACM PCA Certificate Authorities).
NOTE: Creating this resource will leave the certificate authority in a
PENDING_CERTIFICATE
status, which means it cannot yet issue certificates. To complete this setup, you must fully sign the certificate authority CSR available in thecertificate_signing_request
attribute and import the signed certificate outside of Terraform. Terraform can support another resource to manage that workflow automatically in the future.
AWS::ACMPCA::CertificateAuthority (CloudFormation)
The CertificateAuthority in ACMPCA can be configured in CloudFormation with the resource name AWS::ACMPCA::CertificateAuthority
. The following sections describe 9 examples of how to use the resource and its parameters.
Example Usage from GitHub
Type: AWS::ACMPCA::CertificateAuthority
Properties:
Type: ROOT
KeyAlgorithm: RSA_2048
SigningAlgorithm: SHA256WITHRSA
Subject:
Type: AWS::ACMPCA::CertificateAuthority
Properties:
Type: ROOT
KeyAlgorithm: RSA_2048
SigningAlgorithm: SHA256WITHRSA
Subject:
Type: 'AWS::ACMPCA::CertificateAuthority'
Properties:
Type: ROOT
KeyAlgorithm: RSA_2048
SigningAlgorithm: SHA256WITHRSA
Subject:
Type: AWS::ACMPCA::CertificateAuthority
Properties:
Type: ROOT
KeyAlgorithm: RSA_2048
SigningAlgorithm: SHA256WITHRSA
Subject:
Type: AWS::ACMPCA::CertificateAuthority
Properties:
Type: ROOT
KeyAlgorithm: RSA_2048
SigningAlgorithm: SHA256WITHRSA
Subject:
"Type": "AWS::ACMPCA::CertificateAuthority",
"Properties": {
"KeyAlgorithm": "RSA_2048",
"RevocationConfiguration": {
"CrlConfiguration": {
"Enabled": false
"resourceType": "AWS::ACMPCA::CertificateAuthority",
"filePath": null
},
{
"resourceType": "AWS::ACMPCA::CertificateAuthorityActivation",
"filePath": null
"AWS::ACMPCA::CertificateAuthority.Subject": {
"Documentation": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-acmpca-certificateauthority-subject.html",
"Properties": {
"Country": {
"Documentation": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-acmpca-certificateauthority-subject.html#cfn-acmpca-certificateauthority-subject-country",
"UpdateType": "Immutable",
"AWS::ACMPCA::CertificateAuthority": {
"Type": "AWS::ACMPCA::CertificateAuthority",
"Properties": {}
},
"AWS::GlobalAccelerator::Accelerator": {
"Type": "AWS::GlobalAccelerator::Accelerator",
Parameters
-
Type
required - String -
KeyAlgorithm
required - String -
SigningAlgorithm
required - String -
Subject
required - Subject -
RevocationConfiguration
optional - RevocationConfiguration -
Tags
optional - List of Tag -
CsrExtensions
optional - CsrExtensions -
KeyStorageSecurityStandard
optional - String
Explanation in CloudFormation Registry
Use the
AWS::ACMPCA::CertificateAuthority
resource to create a private CA. Once the CA exists, you can use theAWS::ACMPCA::Certificate
resource to issue a new CA certificate. Alternatively, you can issue a CA certificate using an on-premises CA, and then use theAWS::ACMPCA::CertificateAuthorityActivation
resource to import the new CA certificate and activate the CA.Note Before removing a
AWS::ACMPCA::CertificateAuthority
resource from the CloudFormation stack, disable the affected CA. Otherwise, the action will fail. You can disable the CA by removing its associatedAWS::ACMPCA::CertificateAuthorityActivation
resource from CloudFormation.
Frequently asked questions
What is AWS ACM PCA Certificate Authority?
AWS ACM PCA Certificate Authority is a resource for ACM PCA of Amazon Web Service. Settings can be wrote in Terraform and CloudFormation.
Where can I find the example code for the AWS ACM PCA Certificate Authority?
For Terraform, the gilyas/infracost, infracost/infracost and DavidDikker/endgame source code examples are useful. See the Terraform Example section for further details.
For CloudFormation, the awsandy/ecs-workshop, saaish/AppMesh and gmcorral/acm-tools source code examples are useful. See the CloudFormation Example section for further details.