1. Packages
  2. AWS
  3. API Docs
  4. acmpca
  5. CertificateAuthority
AWS v6.77.0 published on Wednesday, Apr 9, 2025 by Pulumi

aws.acmpca.CertificateAuthority

Explore with Pulumi AI

Provides a resource to manage AWS Certificate Manager Private Certificate Authorities (ACM PCA Certificate Authorities).

NOTE: Creating this resource will leave the certificate authority in a PENDING_CERTIFICATE status, which means it cannot yet issue certificates. To complete this setup, you must fully sign the certificate authority CSR available in the certificate_signing_request attribute. The aws.acmpca.CertificateAuthorityCertificate resource can be used for this purpose.

Example Usage

Basic

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const example = new aws.acmpca.CertificateAuthority("example", {
    certificateAuthorityConfiguration: {
        keyAlgorithm: "RSA_4096",
        signingAlgorithm: "SHA512WITHRSA",
        subject: {
            commonName: "example.com",
        },
    },
    permanentDeletionTimeInDays: 7,
});
Copy
import pulumi
import pulumi_aws as aws

example = aws.acmpca.CertificateAuthority("example",
    certificate_authority_configuration={
        "key_algorithm": "RSA_4096",
        "signing_algorithm": "SHA512WITHRSA",
        "subject": {
            "common_name": "example.com",
        },
    },
    permanent_deletion_time_in_days=7)
Copy
package main

import (
	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/acmpca"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := acmpca.NewCertificateAuthority(ctx, "example", &acmpca.CertificateAuthorityArgs{
			CertificateAuthorityConfiguration: &acmpca.CertificateAuthorityCertificateAuthorityConfigurationArgs{
				KeyAlgorithm:     pulumi.String("RSA_4096"),
				SigningAlgorithm: pulumi.String("SHA512WITHRSA"),
				Subject: &acmpca.CertificateAuthorityCertificateAuthorityConfigurationSubjectArgs{
					CommonName: pulumi.String("example.com"),
				},
			},
			PermanentDeletionTimeInDays: pulumi.Int(7),
		})
		if err != nil {
			return err
		}
		return nil
	})
}
Copy
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;

return await Deployment.RunAsync(() => 
{
    var example = new Aws.Acmpca.CertificateAuthority("example", new()
    {
        CertificateAuthorityConfiguration = new Aws.Acmpca.Inputs.CertificateAuthorityCertificateAuthorityConfigurationArgs
        {
            KeyAlgorithm = "RSA_4096",
            SigningAlgorithm = "SHA512WITHRSA",
            Subject = new Aws.Acmpca.Inputs.CertificateAuthorityCertificateAuthorityConfigurationSubjectArgs
            {
                CommonName = "example.com",
            },
        },
        PermanentDeletionTimeInDays = 7,
    });

});
Copy
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.acmpca.CertificateAuthority;
import com.pulumi.aws.acmpca.CertificateAuthorityArgs;
import com.pulumi.aws.acmpca.inputs.CertificateAuthorityCertificateAuthorityConfigurationArgs;
import com.pulumi.aws.acmpca.inputs.CertificateAuthorityCertificateAuthorityConfigurationSubjectArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var example = new CertificateAuthority("example", CertificateAuthorityArgs.builder()
            .certificateAuthorityConfiguration(CertificateAuthorityCertificateAuthorityConfigurationArgs.builder()
                .keyAlgorithm("RSA_4096")
                .signingAlgorithm("SHA512WITHRSA")
                .subject(CertificateAuthorityCertificateAuthorityConfigurationSubjectArgs.builder()
                    .commonName("example.com")
                    .build())
                .build())
            .permanentDeletionTimeInDays(7)
            .build());

    }
}
Copy
resources:
  example:
    type: aws:acmpca:CertificateAuthority
    properties:
      certificateAuthorityConfiguration:
        keyAlgorithm: RSA_4096
        signingAlgorithm: SHA512WITHRSA
        subject:
          commonName: example.com
      permanentDeletionTimeInDays: 7
Copy

Short-lived certificate

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const example = new aws.acmpca.CertificateAuthority("example", {
    usageMode: "SHORT_LIVED_CERTIFICATE",
    certificateAuthorityConfiguration: {
        keyAlgorithm: "RSA_4096",
        signingAlgorithm: "SHA512WITHRSA",
        subject: {
            commonName: "example.com",
        },
    },
});
Copy
import pulumi
import pulumi_aws as aws

example = aws.acmpca.CertificateAuthority("example",
    usage_mode="SHORT_LIVED_CERTIFICATE",
    certificate_authority_configuration={
        "key_algorithm": "RSA_4096",
        "signing_algorithm": "SHA512WITHRSA",
        "subject": {
            "common_name": "example.com",
        },
    })
Copy
package main

import (
	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/acmpca"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := acmpca.NewCertificateAuthority(ctx, "example", &acmpca.CertificateAuthorityArgs{
			UsageMode: pulumi.String("SHORT_LIVED_CERTIFICATE"),
			CertificateAuthorityConfiguration: &acmpca.CertificateAuthorityCertificateAuthorityConfigurationArgs{
				KeyAlgorithm:     pulumi.String("RSA_4096"),
				SigningAlgorithm: pulumi.String("SHA512WITHRSA"),
				Subject: &acmpca.CertificateAuthorityCertificateAuthorityConfigurationSubjectArgs{
					CommonName: pulumi.String("example.com"),
				},
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}
Copy
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;

return await Deployment.RunAsync(() => 
{
    var example = new Aws.Acmpca.CertificateAuthority("example", new()
    {
        UsageMode = "SHORT_LIVED_CERTIFICATE",
        CertificateAuthorityConfiguration = new Aws.Acmpca.Inputs.CertificateAuthorityCertificateAuthorityConfigurationArgs
        {
            KeyAlgorithm = "RSA_4096",
            SigningAlgorithm = "SHA512WITHRSA",
            Subject = new Aws.Acmpca.Inputs.CertificateAuthorityCertificateAuthorityConfigurationSubjectArgs
            {
                CommonName = "example.com",
            },
        },
    });

});
Copy
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.acmpca.CertificateAuthority;
import com.pulumi.aws.acmpca.CertificateAuthorityArgs;
import com.pulumi.aws.acmpca.inputs.CertificateAuthorityCertificateAuthorityConfigurationArgs;
import com.pulumi.aws.acmpca.inputs.CertificateAuthorityCertificateAuthorityConfigurationSubjectArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var example = new CertificateAuthority("example", CertificateAuthorityArgs.builder()
            .usageMode("SHORT_LIVED_CERTIFICATE")
            .certificateAuthorityConfiguration(CertificateAuthorityCertificateAuthorityConfigurationArgs.builder()
                .keyAlgorithm("RSA_4096")
                .signingAlgorithm("SHA512WITHRSA")
                .subject(CertificateAuthorityCertificateAuthorityConfigurationSubjectArgs.builder()
                    .commonName("example.com")
                    .build())
                .build())
            .build());

    }
}
Copy
resources:
  example:
    type: aws:acmpca:CertificateAuthority
    properties:
      usageMode: SHORT_LIVED_CERTIFICATE
      certificateAuthorityConfiguration:
        keyAlgorithm: RSA_4096
        signingAlgorithm: SHA512WITHRSA
        subject:
          commonName: example.com
Copy

Enable Certificate Revocation List

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const example = new aws.s3.BucketV2("example", {
    bucket: "example",
    forceDestroy: true,
});
const acmpcaBucketAccess = aws.iam.getPolicyDocumentOutput({
    statements: [{
        actions: [
            "s3:GetBucketAcl",
            "s3:GetBucketLocation",
            "s3:PutObject",
            "s3:PutObjectAcl",
        ],
        resources: [
            example.arn,
            pulumi.interpolate`${example.arn}/*`,
        ],
        principals: [{
            identifiers: ["acm-pca.amazonaws.com"],
            type: "Service",
        }],
    }],
});
const exampleBucketPolicy = new aws.s3.BucketPolicy("example", {
    bucket: example.id,
    policy: acmpcaBucketAccess.apply(acmpcaBucketAccess => acmpcaBucketAccess.json),
});
const exampleCertificateAuthority = new aws.acmpca.CertificateAuthority("example", {
    certificateAuthorityConfiguration: {
        keyAlgorithm: "RSA_4096",
        signingAlgorithm: "SHA512WITHRSA",
        subject: {
            commonName: "example.com",
        },
    },
    revocationConfiguration: {
        crlConfiguration: {
            customCname: "crl.example.com",
            enabled: true,
            expirationInDays: 7,
            s3BucketName: example.id,
            s3ObjectAcl: "BUCKET_OWNER_FULL_CONTROL",
        },
    },
}, {
    dependsOn: [exampleBucketPolicy],
});
Copy
import pulumi
import pulumi_aws as aws

example = aws.s3.BucketV2("example",
    bucket="example",
    force_destroy=True)
acmpca_bucket_access = aws.iam.get_policy_document_output(statements=[{
    "actions": [
        "s3:GetBucketAcl",
        "s3:GetBucketLocation",
        "s3:PutObject",
        "s3:PutObjectAcl",
    ],
    "resources": [
        example.arn,
        example.arn.apply(lambda arn: f"{arn}/*"),
    ],
    "principals": [{
        "identifiers": ["acm-pca.amazonaws.com"],
        "type": "Service",
    }],
}])
example_bucket_policy = aws.s3.BucketPolicy("example",
    bucket=example.id,
    policy=acmpca_bucket_access.json)
example_certificate_authority = aws.acmpca.CertificateAuthority("example",
    certificate_authority_configuration={
        "key_algorithm": "RSA_4096",
        "signing_algorithm": "SHA512WITHRSA",
        "subject": {
            "common_name": "example.com",
        },
    },
    revocation_configuration={
        "crl_configuration": {
            "custom_cname": "crl.example.com",
            "enabled": True,
            "expiration_in_days": 7,
            "s3_bucket_name": example.id,
            "s3_object_acl": "BUCKET_OWNER_FULL_CONTROL",
        },
    },
    opts = pulumi.ResourceOptions(depends_on=[example_bucket_policy]))
Copy
package main

import (
	"fmt"

	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/acmpca"
	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/iam"
	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/s3"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		example, err := s3.NewBucketV2(ctx, "example", &s3.BucketV2Args{
			Bucket:       pulumi.String("example"),
			ForceDestroy: pulumi.Bool(true),
		})
		if err != nil {
			return err
		}
		acmpcaBucketAccess := iam.GetPolicyDocumentOutput(ctx, iam.GetPolicyDocumentOutputArgs{
			Statements: iam.GetPolicyDocumentStatementArray{
				&iam.GetPolicyDocumentStatementArgs{
					Actions: pulumi.StringArray{
						pulumi.String("s3:GetBucketAcl"),
						pulumi.String("s3:GetBucketLocation"),
						pulumi.String("s3:PutObject"),
						pulumi.String("s3:PutObjectAcl"),
					},
					Resources: pulumi.StringArray{
						example.Arn,
						example.Arn.ApplyT(func(arn string) (string, error) {
							return fmt.Sprintf("%v/*", arn), nil
						}).(pulumi.StringOutput),
					},
					Principals: iam.GetPolicyDocumentStatementPrincipalArray{
						&iam.GetPolicyDocumentStatementPrincipalArgs{
							Identifiers: pulumi.StringArray{
								pulumi.String("acm-pca.amazonaws.com"),
							},
							Type: pulumi.String("Service"),
						},
					},
				},
			},
		}, nil)
		exampleBucketPolicy, err := s3.NewBucketPolicy(ctx, "example", &s3.BucketPolicyArgs{
			Bucket: example.ID(),
			Policy: pulumi.String(acmpcaBucketAccess.ApplyT(func(acmpcaBucketAccess iam.GetPolicyDocumentResult) (*string, error) {
				return &acmpcaBucketAccess.Json, nil
			}).(pulumi.StringPtrOutput)),
		})
		if err != nil {
			return err
		}
		_, err = acmpca.NewCertificateAuthority(ctx, "example", &acmpca.CertificateAuthorityArgs{
			CertificateAuthorityConfiguration: &acmpca.CertificateAuthorityCertificateAuthorityConfigurationArgs{
				KeyAlgorithm:     pulumi.String("RSA_4096"),
				SigningAlgorithm: pulumi.String("SHA512WITHRSA"),
				Subject: &acmpca.CertificateAuthorityCertificateAuthorityConfigurationSubjectArgs{
					CommonName: pulumi.String("example.com"),
				},
			},
			RevocationConfiguration: &acmpca.CertificateAuthorityRevocationConfigurationArgs{
				CrlConfiguration: &acmpca.CertificateAuthorityRevocationConfigurationCrlConfigurationArgs{
					CustomCname:      pulumi.String("crl.example.com"),
					Enabled:          pulumi.Bool(true),
					ExpirationInDays: pulumi.Int(7),
					S3BucketName:     example.ID(),
					S3ObjectAcl:      pulumi.String("BUCKET_OWNER_FULL_CONTROL"),
				},
			},
		}, pulumi.DependsOn([]pulumi.Resource{
			exampleBucketPolicy,
		}))
		if err != nil {
			return err
		}
		return nil
	})
}
Copy
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;

return await Deployment.RunAsync(() => 
{
    var example = new Aws.S3.BucketV2("example", new()
    {
        Bucket = "example",
        ForceDestroy = true,
    });

    var acmpcaBucketAccess = Aws.Iam.GetPolicyDocument.Invoke(new()
    {
        Statements = new[]
        {
            new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs
            {
                Actions = new[]
                {
                    "s3:GetBucketAcl",
                    "s3:GetBucketLocation",
                    "s3:PutObject",
                    "s3:PutObjectAcl",
                },
                Resources = new[]
                {
                    example.Arn,
                    $"{example.Arn}/*",
                },
                Principals = new[]
                {
                    new Aws.Iam.Inputs.GetPolicyDocumentStatementPrincipalInputArgs
                    {
                        Identifiers = new[]
                        {
                            "acm-pca.amazonaws.com",
                        },
                        Type = "Service",
                    },
                },
            },
        },
    });

    var exampleBucketPolicy = new Aws.S3.BucketPolicy("example", new()
    {
        Bucket = example.Id,
        Policy = acmpcaBucketAccess.Apply(getPolicyDocumentResult => getPolicyDocumentResult.Json),
    });

    var exampleCertificateAuthority = new Aws.Acmpca.CertificateAuthority("example", new()
    {
        CertificateAuthorityConfiguration = new Aws.Acmpca.Inputs.CertificateAuthorityCertificateAuthorityConfigurationArgs
        {
            KeyAlgorithm = "RSA_4096",
            SigningAlgorithm = "SHA512WITHRSA",
            Subject = new Aws.Acmpca.Inputs.CertificateAuthorityCertificateAuthorityConfigurationSubjectArgs
            {
                CommonName = "example.com",
            },
        },
        RevocationConfiguration = new Aws.Acmpca.Inputs.CertificateAuthorityRevocationConfigurationArgs
        {
            CrlConfiguration = new Aws.Acmpca.Inputs.CertificateAuthorityRevocationConfigurationCrlConfigurationArgs
            {
                CustomCname = "crl.example.com",
                Enabled = true,
                ExpirationInDays = 7,
                S3BucketName = example.Id,
                S3ObjectAcl = "BUCKET_OWNER_FULL_CONTROL",
            },
        },
    }, new CustomResourceOptions
    {
        DependsOn =
        {
            exampleBucketPolicy,
        },
    });

});
Copy
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.s3.BucketV2;
import com.pulumi.aws.s3.BucketV2Args;
import com.pulumi.aws.iam.IamFunctions;
import com.pulumi.aws.iam.inputs.GetPolicyDocumentArgs;
import com.pulumi.aws.s3.BucketPolicy;
import com.pulumi.aws.s3.BucketPolicyArgs;
import com.pulumi.aws.acmpca.CertificateAuthority;
import com.pulumi.aws.acmpca.CertificateAuthorityArgs;
import com.pulumi.aws.acmpca.inputs.CertificateAuthorityCertificateAuthorityConfigurationArgs;
import com.pulumi.aws.acmpca.inputs.CertificateAuthorityCertificateAuthorityConfigurationSubjectArgs;
import com.pulumi.aws.acmpca.inputs.CertificateAuthorityRevocationConfigurationArgs;
import com.pulumi.aws.acmpca.inputs.CertificateAuthorityRevocationConfigurationCrlConfigurationArgs;
import com.pulumi.resources.CustomResourceOptions;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var example = new BucketV2("example", BucketV2Args.builder()
            .bucket("example")
            .forceDestroy(true)
            .build());

        final var acmpcaBucketAccess = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
            .statements(GetPolicyDocumentStatementArgs.builder()
                .actions(                
                    "s3:GetBucketAcl",
                    "s3:GetBucketLocation",
                    "s3:PutObject",
                    "s3:PutObjectAcl")
                .resources(                
                    example.arn(),
                    example.arn().applyValue(_arn -> String.format("%s/*", _arn)))
                .principals(GetPolicyDocumentStatementPrincipalArgs.builder()
                    .identifiers("acm-pca.amazonaws.com")
                    .type("Service")
                    .build())
                .build())
            .build());

        var exampleBucketPolicy = new BucketPolicy("exampleBucketPolicy", BucketPolicyArgs.builder()
            .bucket(example.id())
            .policy(acmpcaBucketAccess.applyValue(_acmpcaBucketAccess -> _acmpcaBucketAccess.json()))
            .build());

        var exampleCertificateAuthority = new CertificateAuthority("exampleCertificateAuthority", CertificateAuthorityArgs.builder()
            .certificateAuthorityConfiguration(CertificateAuthorityCertificateAuthorityConfigurationArgs.builder()
                .keyAlgorithm("RSA_4096")
                .signingAlgorithm("SHA512WITHRSA")
                .subject(CertificateAuthorityCertificateAuthorityConfigurationSubjectArgs.builder()
                    .commonName("example.com")
                    .build())
                .build())
            .revocationConfiguration(CertificateAuthorityRevocationConfigurationArgs.builder()
                .crlConfiguration(CertificateAuthorityRevocationConfigurationCrlConfigurationArgs.builder()
                    .customCname("crl.example.com")
                    .enabled(true)
                    .expirationInDays(7)
                    .s3BucketName(example.id())
                    .s3ObjectAcl("BUCKET_OWNER_FULL_CONTROL")
                    .build())
                .build())
            .build(), CustomResourceOptions.builder()
                .dependsOn(exampleBucketPolicy)
                .build());

    }
}
Copy
resources:
  example:
    type: aws:s3:BucketV2
    properties:
      bucket: example
      forceDestroy: true
  exampleBucketPolicy:
    type: aws:s3:BucketPolicy
    name: example
    properties:
      bucket: ${example.id}
      policy: ${acmpcaBucketAccess.json}
  exampleCertificateAuthority:
    type: aws:acmpca:CertificateAuthority
    name: example
    properties:
      certificateAuthorityConfiguration:
        keyAlgorithm: RSA_4096
        signingAlgorithm: SHA512WITHRSA
        subject:
          commonName: example.com
      revocationConfiguration:
        crlConfiguration:
          customCname: crl.example.com
          enabled: true
          expirationInDays: 7
          s3BucketName: ${example.id}
          s3ObjectAcl: BUCKET_OWNER_FULL_CONTROL
    options:
      dependsOn:
        - ${exampleBucketPolicy}
variables:
  acmpcaBucketAccess:
    fn::invoke:
      function: aws:iam:getPolicyDocument
      arguments:
        statements:
          - actions:
              - s3:GetBucketAcl
              - s3:GetBucketLocation
              - s3:PutObject
              - s3:PutObjectAcl
            resources:
              - ${example.arn}
              - ${example.arn}/*
            principals:
              - identifiers:
                  - acm-pca.amazonaws.com
                type: Service
Copy

Create CertificateAuthority Resource

Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

Constructor syntax

new CertificateAuthority(name: string, args: CertificateAuthorityArgs, opts?: CustomResourceOptions);
@overload
def CertificateAuthority(resource_name: str,
                         args: CertificateAuthorityArgs,
                         opts: Optional[ResourceOptions] = None)

@overload
def CertificateAuthority(resource_name: str,
                         opts: Optional[ResourceOptions] = None,
                         certificate_authority_configuration: Optional[CertificateAuthorityCertificateAuthorityConfigurationArgs] = None,
                         enabled: Optional[bool] = None,
                         key_storage_security_standard: Optional[str] = None,
                         permanent_deletion_time_in_days: Optional[int] = None,
                         revocation_configuration: Optional[CertificateAuthorityRevocationConfigurationArgs] = None,
                         tags: Optional[Mapping[str, str]] = None,
                         type: Optional[str] = None,
                         usage_mode: Optional[str] = None)
func NewCertificateAuthority(ctx *Context, name string, args CertificateAuthorityArgs, opts ...ResourceOption) (*CertificateAuthority, error)
public CertificateAuthority(string name, CertificateAuthorityArgs args, CustomResourceOptions? opts = null)
public CertificateAuthority(String name, CertificateAuthorityArgs args)
public CertificateAuthority(String name, CertificateAuthorityArgs args, CustomResourceOptions options)
type: aws:acmpca:CertificateAuthority
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

Parameters

name This property is required. string
The unique name of the resource.
args This property is required. CertificateAuthorityArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.
resource_name This property is required. str
The unique name of the resource.
args This property is required. CertificateAuthorityArgs
The arguments to resource properties.
opts ResourceOptions
Bag of options to control resource's behavior.
ctx Context
Context object for the current deployment.
name This property is required. string
The unique name of the resource.
args This property is required. CertificateAuthorityArgs
The arguments to resource properties.
opts ResourceOption
Bag of options to control resource's behavior.
name This property is required. string
The unique name of the resource.
args This property is required. CertificateAuthorityArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.
name This property is required. String
The unique name of the resource.
args This property is required. CertificateAuthorityArgs
The arguments to resource properties.
options CustomResourceOptions
Bag of options to control resource's behavior.

Constructor example

The following reference example uses placeholder values for all input properties.

var certificateAuthorityResource = new Aws.Acmpca.CertificateAuthority("certificateAuthorityResource", new()
{
    CertificateAuthorityConfiguration = new Aws.Acmpca.Inputs.CertificateAuthorityCertificateAuthorityConfigurationArgs
    {
        KeyAlgorithm = "string",
        SigningAlgorithm = "string",
        Subject = new Aws.Acmpca.Inputs.CertificateAuthorityCertificateAuthorityConfigurationSubjectArgs
        {
            CommonName = "string",
            Country = "string",
            DistinguishedNameQualifier = "string",
            GenerationQualifier = "string",
            GivenName = "string",
            Initials = "string",
            Locality = "string",
            Organization = "string",
            OrganizationalUnit = "string",
            Pseudonym = "string",
            State = "string",
            Surname = "string",
            Title = "string",
        },
    },
    Enabled = false,
    KeyStorageSecurityStandard = "string",
    PermanentDeletionTimeInDays = 0,
    RevocationConfiguration = new Aws.Acmpca.Inputs.CertificateAuthorityRevocationConfigurationArgs
    {
        CrlConfiguration = new Aws.Acmpca.Inputs.CertificateAuthorityRevocationConfigurationCrlConfigurationArgs
        {
            CustomCname = "string",
            Enabled = false,
            ExpirationInDays = 0,
            S3BucketName = "string",
            S3ObjectAcl = "string",
        },
        OcspConfiguration = new Aws.Acmpca.Inputs.CertificateAuthorityRevocationConfigurationOcspConfigurationArgs
        {
            Enabled = false,
            OcspCustomCname = "string",
        },
    },
    Tags = 
    {
        { "string", "string" },
    },
    Type = "string",
    UsageMode = "string",
});
Copy
example, err := acmpca.NewCertificateAuthority(ctx, "certificateAuthorityResource", &acmpca.CertificateAuthorityArgs{
	CertificateAuthorityConfiguration: &acmpca.CertificateAuthorityCertificateAuthorityConfigurationArgs{
		KeyAlgorithm:     pulumi.String("string"),
		SigningAlgorithm: pulumi.String("string"),
		Subject: &acmpca.CertificateAuthorityCertificateAuthorityConfigurationSubjectArgs{
			CommonName:                 pulumi.String("string"),
			Country:                    pulumi.String("string"),
			DistinguishedNameQualifier: pulumi.String("string"),
			GenerationQualifier:        pulumi.String("string"),
			GivenName:                  pulumi.String("string"),
			Initials:                   pulumi.String("string"),
			Locality:                   pulumi.String("string"),
			Organization:               pulumi.String("string"),
			OrganizationalUnit:         pulumi.String("string"),
			Pseudonym:                  pulumi.String("string"),
			State:                      pulumi.String("string"),
			Surname:                    pulumi.String("string"),
			Title:                      pulumi.String("string"),
		},
	},
	Enabled:                     pulumi.Bool(false),
	KeyStorageSecurityStandard:  pulumi.String("string"),
	PermanentDeletionTimeInDays: pulumi.Int(0),
	RevocationConfiguration: &acmpca.CertificateAuthorityRevocationConfigurationArgs{
		CrlConfiguration: &acmpca.CertificateAuthorityRevocationConfigurationCrlConfigurationArgs{
			CustomCname:      pulumi.String("string"),
			Enabled:          pulumi.Bool(false),
			ExpirationInDays: pulumi.Int(0),
			S3BucketName:     pulumi.String("string"),
			S3ObjectAcl:      pulumi.String("string"),
		},
		OcspConfiguration: &acmpca.CertificateAuthorityRevocationConfigurationOcspConfigurationArgs{
			Enabled:         pulumi.Bool(false),
			OcspCustomCname: pulumi.String("string"),
		},
	},
	Tags: pulumi.StringMap{
		"string": pulumi.String("string"),
	},
	Type:      pulumi.String("string"),
	UsageMode: pulumi.String("string"),
})
Copy
var certificateAuthorityResource = new CertificateAuthority("certificateAuthorityResource", CertificateAuthorityArgs.builder()
    .certificateAuthorityConfiguration(CertificateAuthorityCertificateAuthorityConfigurationArgs.builder()
        .keyAlgorithm("string")
        .signingAlgorithm("string")
        .subject(CertificateAuthorityCertificateAuthorityConfigurationSubjectArgs.builder()
            .commonName("string")
            .country("string")
            .distinguishedNameQualifier("string")
            .generationQualifier("string")
            .givenName("string")
            .initials("string")
            .locality("string")
            .organization("string")
            .organizationalUnit("string")
            .pseudonym("string")
            .state("string")
            .surname("string")
            .title("string")
            .build())
        .build())
    .enabled(false)
    .keyStorageSecurityStandard("string")
    .permanentDeletionTimeInDays(0)
    .revocationConfiguration(CertificateAuthorityRevocationConfigurationArgs.builder()
        .crlConfiguration(CertificateAuthorityRevocationConfigurationCrlConfigurationArgs.builder()
            .customCname("string")
            .enabled(false)
            .expirationInDays(0)
            .s3BucketName("string")
            .s3ObjectAcl("string")
            .build())
        .ocspConfiguration(CertificateAuthorityRevocationConfigurationOcspConfigurationArgs.builder()
            .enabled(false)
            .ocspCustomCname("string")
            .build())
        .build())
    .tags(Map.of("string", "string"))
    .type("string")
    .usageMode("string")
    .build());
Copy
certificate_authority_resource = aws.acmpca.CertificateAuthority("certificateAuthorityResource",
    certificate_authority_configuration={
        "key_algorithm": "string",
        "signing_algorithm": "string",
        "subject": {
            "common_name": "string",
            "country": "string",
            "distinguished_name_qualifier": "string",
            "generation_qualifier": "string",
            "given_name": "string",
            "initials": "string",
            "locality": "string",
            "organization": "string",
            "organizational_unit": "string",
            "pseudonym": "string",
            "state": "string",
            "surname": "string",
            "title": "string",
        },
    },
    enabled=False,
    key_storage_security_standard="string",
    permanent_deletion_time_in_days=0,
    revocation_configuration={
        "crl_configuration": {
            "custom_cname": "string",
            "enabled": False,
            "expiration_in_days": 0,
            "s3_bucket_name": "string",
            "s3_object_acl": "string",
        },
        "ocsp_configuration": {
            "enabled": False,
            "ocsp_custom_cname": "string",
        },
    },
    tags={
        "string": "string",
    },
    type="string",
    usage_mode="string")
Copy
const certificateAuthorityResource = new aws.acmpca.CertificateAuthority("certificateAuthorityResource", {
    certificateAuthorityConfiguration: {
        keyAlgorithm: "string",
        signingAlgorithm: "string",
        subject: {
            commonName: "string",
            country: "string",
            distinguishedNameQualifier: "string",
            generationQualifier: "string",
            givenName: "string",
            initials: "string",
            locality: "string",
            organization: "string",
            organizationalUnit: "string",
            pseudonym: "string",
            state: "string",
            surname: "string",
            title: "string",
        },
    },
    enabled: false,
    keyStorageSecurityStandard: "string",
    permanentDeletionTimeInDays: 0,
    revocationConfiguration: {
        crlConfiguration: {
            customCname: "string",
            enabled: false,
            expirationInDays: 0,
            s3BucketName: "string",
            s3ObjectAcl: "string",
        },
        ocspConfiguration: {
            enabled: false,
            ocspCustomCname: "string",
        },
    },
    tags: {
        string: "string",
    },
    type: "string",
    usageMode: "string",
});
Copy
type: aws:acmpca:CertificateAuthority
properties:
    certificateAuthorityConfiguration:
        keyAlgorithm: string
        signingAlgorithm: string
        subject:
            commonName: string
            country: string
            distinguishedNameQualifier: string
            generationQualifier: string
            givenName: string
            initials: string
            locality: string
            organization: string
            organizationalUnit: string
            pseudonym: string
            state: string
            surname: string
            title: string
    enabled: false
    keyStorageSecurityStandard: string
    permanentDeletionTimeInDays: 0
    revocationConfiguration:
        crlConfiguration:
            customCname: string
            enabled: false
            expirationInDays: 0
            s3BucketName: string
            s3ObjectAcl: string
        ocspConfiguration:
            enabled: false
            ocspCustomCname: string
    tags:
        string: string
    type: string
    usageMode: string
Copy

CertificateAuthority Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.

The CertificateAuthority resource accepts the following input properties:

CertificateAuthorityConfiguration This property is required. CertificateAuthorityCertificateAuthorityConfiguration
Nested argument containing algorithms and certificate subject information. Defined below.
Enabled bool
Whether the certificate authority is enabled or disabled. Defaults to true. Can only be disabled if the CA is in an ACTIVE state.
KeyStorageSecurityStandard Changes to this property will trigger replacement. string
Cryptographic key management compliance standard used for handling CA keys. Defaults to FIPS_140_2_LEVEL_3_OR_HIGHER. Valid values: FIPS_140_2_LEVEL_3_OR_HIGHER and FIPS_140_2_LEVEL_2_OR_HIGHER. Supported standard for each region can be found in the Storage and security compliance of AWS Private CA private keys Documentation.
PermanentDeletionTimeInDays int
Number of days to make a CA restorable after it has been deleted, must be between 7 to 30 days, with default to 30 days.
RevocationConfiguration CertificateAuthorityRevocationConfiguration
Nested argument containing revocation configuration. Defined below.
Tags Dictionary<string, string>
Key-value map of user-defined tags that are attached to the certificate authority. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
Type Changes to this property will trigger replacement. string
Type of the certificate authority. Defaults to SUBORDINATE. Valid values: ROOT and SUBORDINATE.
UsageMode string
Specifies whether the CA issues general-purpose certificates that typically require a revocation mechanism, or short-lived certificates that may optionally omit revocation because they expire quickly. Short-lived certificate validity is limited to seven days. Defaults to GENERAL_PURPOSE. Valid values: GENERAL_PURPOSE and SHORT_LIVED_CERTIFICATE.
CertificateAuthorityConfiguration This property is required. CertificateAuthorityCertificateAuthorityConfigurationArgs
Nested argument containing algorithms and certificate subject information. Defined below.
Enabled bool
Whether the certificate authority is enabled or disabled. Defaults to true. Can only be disabled if the CA is in an ACTIVE state.
KeyStorageSecurityStandard Changes to this property will trigger replacement. string
Cryptographic key management compliance standard used for handling CA keys. Defaults to FIPS_140_2_LEVEL_3_OR_HIGHER. Valid values: FIPS_140_2_LEVEL_3_OR_HIGHER and FIPS_140_2_LEVEL_2_OR_HIGHER. Supported standard for each region can be found in the Storage and security compliance of AWS Private CA private keys Documentation.
PermanentDeletionTimeInDays int
Number of days to make a CA restorable after it has been deleted, must be between 7 to 30 days, with default to 30 days.
RevocationConfiguration CertificateAuthorityRevocationConfigurationArgs
Nested argument containing revocation configuration. Defined below.
Tags map[string]string
Key-value map of user-defined tags that are attached to the certificate authority. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
Type Changes to this property will trigger replacement. string
Type of the certificate authority. Defaults to SUBORDINATE. Valid values: ROOT and SUBORDINATE.
UsageMode string
Specifies whether the CA issues general-purpose certificates that typically require a revocation mechanism, or short-lived certificates that may optionally omit revocation because they expire quickly. Short-lived certificate validity is limited to seven days. Defaults to GENERAL_PURPOSE. Valid values: GENERAL_PURPOSE and SHORT_LIVED_CERTIFICATE.
certificateAuthorityConfiguration This property is required. CertificateAuthorityCertificateAuthorityConfiguration
Nested argument containing algorithms and certificate subject information. Defined below.
enabled Boolean
Whether the certificate authority is enabled or disabled. Defaults to true. Can only be disabled if the CA is in an ACTIVE state.
keyStorageSecurityStandard Changes to this property will trigger replacement. String
Cryptographic key management compliance standard used for handling CA keys. Defaults to FIPS_140_2_LEVEL_3_OR_HIGHER. Valid values: FIPS_140_2_LEVEL_3_OR_HIGHER and FIPS_140_2_LEVEL_2_OR_HIGHER. Supported standard for each region can be found in the Storage and security compliance of AWS Private CA private keys Documentation.
permanentDeletionTimeInDays Integer
Number of days to make a CA restorable after it has been deleted, must be between 7 to 30 days, with default to 30 days.
revocationConfiguration CertificateAuthorityRevocationConfiguration
Nested argument containing revocation configuration. Defined below.
tags Map<String,String>
Key-value map of user-defined tags that are attached to the certificate authority. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
type Changes to this property will trigger replacement. String
Type of the certificate authority. Defaults to SUBORDINATE. Valid values: ROOT and SUBORDINATE.
usageMode String
Specifies whether the CA issues general-purpose certificates that typically require a revocation mechanism, or short-lived certificates that may optionally omit revocation because they expire quickly. Short-lived certificate validity is limited to seven days. Defaults to GENERAL_PURPOSE. Valid values: GENERAL_PURPOSE and SHORT_LIVED_CERTIFICATE.
certificateAuthorityConfiguration This property is required. CertificateAuthorityCertificateAuthorityConfiguration
Nested argument containing algorithms and certificate subject information. Defined below.
enabled boolean
Whether the certificate authority is enabled or disabled. Defaults to true. Can only be disabled if the CA is in an ACTIVE state.
keyStorageSecurityStandard Changes to this property will trigger replacement. string
Cryptographic key management compliance standard used for handling CA keys. Defaults to FIPS_140_2_LEVEL_3_OR_HIGHER. Valid values: FIPS_140_2_LEVEL_3_OR_HIGHER and FIPS_140_2_LEVEL_2_OR_HIGHER. Supported standard for each region can be found in the Storage and security compliance of AWS Private CA private keys Documentation.
permanentDeletionTimeInDays number
Number of days to make a CA restorable after it has been deleted, must be between 7 to 30 days, with default to 30 days.
revocationConfiguration CertificateAuthorityRevocationConfiguration
Nested argument containing revocation configuration. Defined below.
tags {[key: string]: string}
Key-value map of user-defined tags that are attached to the certificate authority. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
type Changes to this property will trigger replacement. string
Type of the certificate authority. Defaults to SUBORDINATE. Valid values: ROOT and SUBORDINATE.
usageMode string
Specifies whether the CA issues general-purpose certificates that typically require a revocation mechanism, or short-lived certificates that may optionally omit revocation because they expire quickly. Short-lived certificate validity is limited to seven days. Defaults to GENERAL_PURPOSE. Valid values: GENERAL_PURPOSE and SHORT_LIVED_CERTIFICATE.
certificate_authority_configuration This property is required. CertificateAuthorityCertificateAuthorityConfigurationArgs
Nested argument containing algorithms and certificate subject information. Defined below.
enabled bool
Whether the certificate authority is enabled or disabled. Defaults to true. Can only be disabled if the CA is in an ACTIVE state.
key_storage_security_standard Changes to this property will trigger replacement. str
Cryptographic key management compliance standard used for handling CA keys. Defaults to FIPS_140_2_LEVEL_3_OR_HIGHER. Valid values: FIPS_140_2_LEVEL_3_OR_HIGHER and FIPS_140_2_LEVEL_2_OR_HIGHER. Supported standard for each region can be found in the Storage and security compliance of AWS Private CA private keys Documentation.
permanent_deletion_time_in_days int
Number of days to make a CA restorable after it has been deleted, must be between 7 to 30 days, with default to 30 days.
revocation_configuration CertificateAuthorityRevocationConfigurationArgs
Nested argument containing revocation configuration. Defined below.
tags Mapping[str, str]
Key-value map of user-defined tags that are attached to the certificate authority. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
type Changes to this property will trigger replacement. str
Type of the certificate authority. Defaults to SUBORDINATE. Valid values: ROOT and SUBORDINATE.
usage_mode str
Specifies whether the CA issues general-purpose certificates that typically require a revocation mechanism, or short-lived certificates that may optionally omit revocation because they expire quickly. Short-lived certificate validity is limited to seven days. Defaults to GENERAL_PURPOSE. Valid values: GENERAL_PURPOSE and SHORT_LIVED_CERTIFICATE.
certificateAuthorityConfiguration This property is required. Property Map
Nested argument containing algorithms and certificate subject information. Defined below.
enabled Boolean
Whether the certificate authority is enabled or disabled. Defaults to true. Can only be disabled if the CA is in an ACTIVE state.
keyStorageSecurityStandard Changes to this property will trigger replacement. String
Cryptographic key management compliance standard used for handling CA keys. Defaults to FIPS_140_2_LEVEL_3_OR_HIGHER. Valid values: FIPS_140_2_LEVEL_3_OR_HIGHER and FIPS_140_2_LEVEL_2_OR_HIGHER. Supported standard for each region can be found in the Storage and security compliance of AWS Private CA private keys Documentation.
permanentDeletionTimeInDays Number
Number of days to make a CA restorable after it has been deleted, must be between 7 to 30 days, with default to 30 days.
revocationConfiguration Property Map
Nested argument containing revocation configuration. Defined below.
tags Map<String>
Key-value map of user-defined tags that are attached to the certificate authority. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
type Changes to this property will trigger replacement. String
Type of the certificate authority. Defaults to SUBORDINATE. Valid values: ROOT and SUBORDINATE.
usageMode String
Specifies whether the CA issues general-purpose certificates that typically require a revocation mechanism, or short-lived certificates that may optionally omit revocation because they expire quickly. Short-lived certificate validity is limited to seven days. Defaults to GENERAL_PURPOSE. Valid values: GENERAL_PURPOSE and SHORT_LIVED_CERTIFICATE.

Outputs

All input properties are implicitly available as output properties. Additionally, the CertificateAuthority resource produces the following output properties:

Arn string
ARN of the certificate authority.
Certificate string
Base64-encoded certificate authority (CA) certificate. Only available after the certificate authority certificate has been imported.
CertificateChain string
Base64-encoded certificate chain that includes any intermediate certificates and chains up to root on-premises certificate that you used to sign your private CA certificate. The chain does not include your private CA certificate. Only available after the certificate authority certificate has been imported.
CertificateSigningRequest string
The base64 PEM-encoded certificate signing request (CSR) for your private CA certificate.
Id string
The provider-assigned unique ID for this managed resource.
NotAfter string
Date and time after which the certificate authority is not valid. Only available after the certificate authority certificate has been imported.
NotBefore string
Date and time before which the certificate authority is not valid. Only available after the certificate authority certificate has been imported.
Serial string
Serial number of the certificate authority. Only available after the certificate authority certificate has been imported.
TagsAll Dictionary<string, string>
Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

Deprecated: Please use tags instead.

Arn string
ARN of the certificate authority.
Certificate string
Base64-encoded certificate authority (CA) certificate. Only available after the certificate authority certificate has been imported.
CertificateChain string
Base64-encoded certificate chain that includes any intermediate certificates and chains up to root on-premises certificate that you used to sign your private CA certificate. The chain does not include your private CA certificate. Only available after the certificate authority certificate has been imported.
CertificateSigningRequest string
The base64 PEM-encoded certificate signing request (CSR) for your private CA certificate.
Id string
The provider-assigned unique ID for this managed resource.
NotAfter string
Date and time after which the certificate authority is not valid. Only available after the certificate authority certificate has been imported.
NotBefore string
Date and time before which the certificate authority is not valid. Only available after the certificate authority certificate has been imported.
Serial string
Serial number of the certificate authority. Only available after the certificate authority certificate has been imported.
TagsAll map[string]string
Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

Deprecated: Please use tags instead.

arn String
ARN of the certificate authority.
certificate String
Base64-encoded certificate authority (CA) certificate. Only available after the certificate authority certificate has been imported.
certificateChain String
Base64-encoded certificate chain that includes any intermediate certificates and chains up to root on-premises certificate that you used to sign your private CA certificate. The chain does not include your private CA certificate. Only available after the certificate authority certificate has been imported.
certificateSigningRequest String
The base64 PEM-encoded certificate signing request (CSR) for your private CA certificate.
id String
The provider-assigned unique ID for this managed resource.
notAfter String
Date and time after which the certificate authority is not valid. Only available after the certificate authority certificate has been imported.
notBefore String
Date and time before which the certificate authority is not valid. Only available after the certificate authority certificate has been imported.
serial String
Serial number of the certificate authority. Only available after the certificate authority certificate has been imported.
tagsAll Map<String,String>
Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

Deprecated: Please use tags instead.

arn string
ARN of the certificate authority.
certificate string
Base64-encoded certificate authority (CA) certificate. Only available after the certificate authority certificate has been imported.
certificateChain string
Base64-encoded certificate chain that includes any intermediate certificates and chains up to root on-premises certificate that you used to sign your private CA certificate. The chain does not include your private CA certificate. Only available after the certificate authority certificate has been imported.
certificateSigningRequest string
The base64 PEM-encoded certificate signing request (CSR) for your private CA certificate.
id string
The provider-assigned unique ID for this managed resource.
notAfter string
Date and time after which the certificate authority is not valid. Only available after the certificate authority certificate has been imported.
notBefore string
Date and time before which the certificate authority is not valid. Only available after the certificate authority certificate has been imported.
serial string
Serial number of the certificate authority. Only available after the certificate authority certificate has been imported.
tagsAll {[key: string]: string}
Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

Deprecated: Please use tags instead.

arn str
ARN of the certificate authority.
certificate str
Base64-encoded certificate authority (CA) certificate. Only available after the certificate authority certificate has been imported.
certificate_chain str
Base64-encoded certificate chain that includes any intermediate certificates and chains up to root on-premises certificate that you used to sign your private CA certificate. The chain does not include your private CA certificate. Only available after the certificate authority certificate has been imported.
certificate_signing_request str
The base64 PEM-encoded certificate signing request (CSR) for your private CA certificate.
id str
The provider-assigned unique ID for this managed resource.
not_after str
Date and time after which the certificate authority is not valid. Only available after the certificate authority certificate has been imported.
not_before str
Date and time before which the certificate authority is not valid. Only available after the certificate authority certificate has been imported.
serial str
Serial number of the certificate authority. Only available after the certificate authority certificate has been imported.
tags_all Mapping[str, str]
Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

Deprecated: Please use tags instead.

arn String
ARN of the certificate authority.
certificate String
Base64-encoded certificate authority (CA) certificate. Only available after the certificate authority certificate has been imported.
certificateChain String
Base64-encoded certificate chain that includes any intermediate certificates and chains up to root on-premises certificate that you used to sign your private CA certificate. The chain does not include your private CA certificate. Only available after the certificate authority certificate has been imported.
certificateSigningRequest String
The base64 PEM-encoded certificate signing request (CSR) for your private CA certificate.
id String
The provider-assigned unique ID for this managed resource.
notAfter String
Date and time after which the certificate authority is not valid. Only available after the certificate authority certificate has been imported.
notBefore String
Date and time before which the certificate authority is not valid. Only available after the certificate authority certificate has been imported.
serial String
Serial number of the certificate authority. Only available after the certificate authority certificate has been imported.
tagsAll Map<String>
Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

Deprecated: Please use tags instead.

Look up Existing CertificateAuthority Resource

Get an existing CertificateAuthority resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: CertificateAuthorityState, opts?: CustomResourceOptions): CertificateAuthority
@staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        arn: Optional[str] = None,
        certificate: Optional[str] = None,
        certificate_authority_configuration: Optional[CertificateAuthorityCertificateAuthorityConfigurationArgs] = None,
        certificate_chain: Optional[str] = None,
        certificate_signing_request: Optional[str] = None,
        enabled: Optional[bool] = None,
        key_storage_security_standard: Optional[str] = None,
        not_after: Optional[str] = None,
        not_before: Optional[str] = None,
        permanent_deletion_time_in_days: Optional[int] = None,
        revocation_configuration: Optional[CertificateAuthorityRevocationConfigurationArgs] = None,
        serial: Optional[str] = None,
        tags: Optional[Mapping[str, str]] = None,
        tags_all: Optional[Mapping[str, str]] = None,
        type: Optional[str] = None,
        usage_mode: Optional[str] = None) -> CertificateAuthority
func GetCertificateAuthority(ctx *Context, name string, id IDInput, state *CertificateAuthorityState, opts ...ResourceOption) (*CertificateAuthority, error)
public static CertificateAuthority Get(string name, Input<string> id, CertificateAuthorityState? state, CustomResourceOptions? opts = null)
public static CertificateAuthority get(String name, Output<String> id, CertificateAuthorityState state, CustomResourceOptions options)
resources:  _:    type: aws:acmpca:CertificateAuthority    get:      id: ${id}
name This property is required.
The unique name of the resulting resource.
id This property is required.
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
resource_name This property is required.
The unique name of the resulting resource.
id This property is required.
The unique provider ID of the resource to lookup.
name This property is required.
The unique name of the resulting resource.
id This property is required.
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
name This property is required.
The unique name of the resulting resource.
id This property is required.
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
name This property is required.
The unique name of the resulting resource.
id This property is required.
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
The following state arguments are supported:
Arn string
ARN of the certificate authority.
Certificate string
Base64-encoded certificate authority (CA) certificate. Only available after the certificate authority certificate has been imported.
CertificateAuthorityConfiguration CertificateAuthorityCertificateAuthorityConfiguration
Nested argument containing algorithms and certificate subject information. Defined below.
CertificateChain string
Base64-encoded certificate chain that includes any intermediate certificates and chains up to root on-premises certificate that you used to sign your private CA certificate. The chain does not include your private CA certificate. Only available after the certificate authority certificate has been imported.
CertificateSigningRequest string
The base64 PEM-encoded certificate signing request (CSR) for your private CA certificate.
Enabled bool
Whether the certificate authority is enabled or disabled. Defaults to true. Can only be disabled if the CA is in an ACTIVE state.
KeyStorageSecurityStandard Changes to this property will trigger replacement. string
Cryptographic key management compliance standard used for handling CA keys. Defaults to FIPS_140_2_LEVEL_3_OR_HIGHER. Valid values: FIPS_140_2_LEVEL_3_OR_HIGHER and FIPS_140_2_LEVEL_2_OR_HIGHER. Supported standard for each region can be found in the Storage and security compliance of AWS Private CA private keys Documentation.
NotAfter string
Date and time after which the certificate authority is not valid. Only available after the certificate authority certificate has been imported.
NotBefore string
Date and time before which the certificate authority is not valid. Only available after the certificate authority certificate has been imported.
PermanentDeletionTimeInDays int
Number of days to make a CA restorable after it has been deleted, must be between 7 to 30 days, with default to 30 days.
RevocationConfiguration CertificateAuthorityRevocationConfiguration
Nested argument containing revocation configuration. Defined below.
Serial string
Serial number of the certificate authority. Only available after the certificate authority certificate has been imported.
Tags Dictionary<string, string>
Key-value map of user-defined tags that are attached to the certificate authority. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
TagsAll Dictionary<string, string>
Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

Deprecated: Please use tags instead.

Type Changes to this property will trigger replacement. string
Type of the certificate authority. Defaults to SUBORDINATE. Valid values: ROOT and SUBORDINATE.
UsageMode string
Specifies whether the CA issues general-purpose certificates that typically require a revocation mechanism, or short-lived certificates that may optionally omit revocation because they expire quickly. Short-lived certificate validity is limited to seven days. Defaults to GENERAL_PURPOSE. Valid values: GENERAL_PURPOSE and SHORT_LIVED_CERTIFICATE.
Arn string
ARN of the certificate authority.
Certificate string
Base64-encoded certificate authority (CA) certificate. Only available after the certificate authority certificate has been imported.
CertificateAuthorityConfiguration CertificateAuthorityCertificateAuthorityConfigurationArgs
Nested argument containing algorithms and certificate subject information. Defined below.
CertificateChain string
Base64-encoded certificate chain that includes any intermediate certificates and chains up to root on-premises certificate that you used to sign your private CA certificate. The chain does not include your private CA certificate. Only available after the certificate authority certificate has been imported.
CertificateSigningRequest string
The base64 PEM-encoded certificate signing request (CSR) for your private CA certificate.
Enabled bool
Whether the certificate authority is enabled or disabled. Defaults to true. Can only be disabled if the CA is in an ACTIVE state.
KeyStorageSecurityStandard Changes to this property will trigger replacement. string
Cryptographic key management compliance standard used for handling CA keys. Defaults to FIPS_140_2_LEVEL_3_OR_HIGHER. Valid values: FIPS_140_2_LEVEL_3_OR_HIGHER and FIPS_140_2_LEVEL_2_OR_HIGHER. Supported standard for each region can be found in the Storage and security compliance of AWS Private CA private keys Documentation.
NotAfter string
Date and time after which the certificate authority is not valid. Only available after the certificate authority certificate has been imported.
NotBefore string
Date and time before which the certificate authority is not valid. Only available after the certificate authority certificate has been imported.
PermanentDeletionTimeInDays int
Number of days to make a CA restorable after it has been deleted, must be between 7 to 30 days, with default to 30 days.
RevocationConfiguration CertificateAuthorityRevocationConfigurationArgs
Nested argument containing revocation configuration. Defined below.
Serial string
Serial number of the certificate authority. Only available after the certificate authority certificate has been imported.
Tags map[string]string
Key-value map of user-defined tags that are attached to the certificate authority. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
TagsAll map[string]string
Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

Deprecated: Please use tags instead.

Type Changes to this property will trigger replacement. string
Type of the certificate authority. Defaults to SUBORDINATE. Valid values: ROOT and SUBORDINATE.
UsageMode string
Specifies whether the CA issues general-purpose certificates that typically require a revocation mechanism, or short-lived certificates that may optionally omit revocation because they expire quickly. Short-lived certificate validity is limited to seven days. Defaults to GENERAL_PURPOSE. Valid values: GENERAL_PURPOSE and SHORT_LIVED_CERTIFICATE.
arn String
ARN of the certificate authority.
certificate String
Base64-encoded certificate authority (CA) certificate. Only available after the certificate authority certificate has been imported.
certificateAuthorityConfiguration CertificateAuthorityCertificateAuthorityConfiguration
Nested argument containing algorithms and certificate subject information. Defined below.
certificateChain String
Base64-encoded certificate chain that includes any intermediate certificates and chains up to root on-premises certificate that you used to sign your private CA certificate. The chain does not include your private CA certificate. Only available after the certificate authority certificate has been imported.
certificateSigningRequest String
The base64 PEM-encoded certificate signing request (CSR) for your private CA certificate.
enabled Boolean
Whether the certificate authority is enabled or disabled. Defaults to true. Can only be disabled if the CA is in an ACTIVE state.
keyStorageSecurityStandard Changes to this property will trigger replacement. String
Cryptographic key management compliance standard used for handling CA keys. Defaults to FIPS_140_2_LEVEL_3_OR_HIGHER. Valid values: FIPS_140_2_LEVEL_3_OR_HIGHER and FIPS_140_2_LEVEL_2_OR_HIGHER. Supported standard for each region can be found in the Storage and security compliance of AWS Private CA private keys Documentation.
notAfter String
Date and time after which the certificate authority is not valid. Only available after the certificate authority certificate has been imported.
notBefore String
Date and time before which the certificate authority is not valid. Only available after the certificate authority certificate has been imported.
permanentDeletionTimeInDays Integer
Number of days to make a CA restorable after it has been deleted, must be between 7 to 30 days, with default to 30 days.
revocationConfiguration CertificateAuthorityRevocationConfiguration
Nested argument containing revocation configuration. Defined below.
serial String
Serial number of the certificate authority. Only available after the certificate authority certificate has been imported.
tags Map<String,String>
Key-value map of user-defined tags that are attached to the certificate authority. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
tagsAll Map<String,String>
Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

Deprecated: Please use tags instead.

type Changes to this property will trigger replacement. String
Type of the certificate authority. Defaults to SUBORDINATE. Valid values: ROOT and SUBORDINATE.
usageMode String
Specifies whether the CA issues general-purpose certificates that typically require a revocation mechanism, or short-lived certificates that may optionally omit revocation because they expire quickly. Short-lived certificate validity is limited to seven days. Defaults to GENERAL_PURPOSE. Valid values: GENERAL_PURPOSE and SHORT_LIVED_CERTIFICATE.
arn string
ARN of the certificate authority.
certificate string
Base64-encoded certificate authority (CA) certificate. Only available after the certificate authority certificate has been imported.
certificateAuthorityConfiguration CertificateAuthorityCertificateAuthorityConfiguration
Nested argument containing algorithms and certificate subject information. Defined below.
certificateChain string
Base64-encoded certificate chain that includes any intermediate certificates and chains up to root on-premises certificate that you used to sign your private CA certificate. The chain does not include your private CA certificate. Only available after the certificate authority certificate has been imported.
certificateSigningRequest string
The base64 PEM-encoded certificate signing request (CSR) for your private CA certificate.
enabled boolean
Whether the certificate authority is enabled or disabled. Defaults to true. Can only be disabled if the CA is in an ACTIVE state.
keyStorageSecurityStandard Changes to this property will trigger replacement. string
Cryptographic key management compliance standard used for handling CA keys. Defaults to FIPS_140_2_LEVEL_3_OR_HIGHER. Valid values: FIPS_140_2_LEVEL_3_OR_HIGHER and FIPS_140_2_LEVEL_2_OR_HIGHER. Supported standard for each region can be found in the Storage and security compliance of AWS Private CA private keys Documentation.
notAfter string
Date and time after which the certificate authority is not valid. Only available after the certificate authority certificate has been imported.
notBefore string
Date and time before which the certificate authority is not valid. Only available after the certificate authority certificate has been imported.
permanentDeletionTimeInDays number
Number of days to make a CA restorable after it has been deleted, must be between 7 to 30 days, with default to 30 days.
revocationConfiguration CertificateAuthorityRevocationConfiguration
Nested argument containing revocation configuration. Defined below.
serial string
Serial number of the certificate authority. Only available after the certificate authority certificate has been imported.
tags {[key: string]: string}
Key-value map of user-defined tags that are attached to the certificate authority. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
tagsAll {[key: string]: string}
Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

Deprecated: Please use tags instead.

type Changes to this property will trigger replacement. string
Type of the certificate authority. Defaults to SUBORDINATE. Valid values: ROOT and SUBORDINATE.
usageMode string
Specifies whether the CA issues general-purpose certificates that typically require a revocation mechanism, or short-lived certificates that may optionally omit revocation because they expire quickly. Short-lived certificate validity is limited to seven days. Defaults to GENERAL_PURPOSE. Valid values: GENERAL_PURPOSE and SHORT_LIVED_CERTIFICATE.
arn str
ARN of the certificate authority.
certificate str
Base64-encoded certificate authority (CA) certificate. Only available after the certificate authority certificate has been imported.
certificate_authority_configuration CertificateAuthorityCertificateAuthorityConfigurationArgs
Nested argument containing algorithms and certificate subject information. Defined below.
certificate_chain str
Base64-encoded certificate chain that includes any intermediate certificates and chains up to root on-premises certificate that you used to sign your private CA certificate. The chain does not include your private CA certificate. Only available after the certificate authority certificate has been imported.
certificate_signing_request str
The base64 PEM-encoded certificate signing request (CSR) for your private CA certificate.
enabled bool
Whether the certificate authority is enabled or disabled. Defaults to true. Can only be disabled if the CA is in an ACTIVE state.
key_storage_security_standard Changes to this property will trigger replacement. str
Cryptographic key management compliance standard used for handling CA keys. Defaults to FIPS_140_2_LEVEL_3_OR_HIGHER. Valid values: FIPS_140_2_LEVEL_3_OR_HIGHER and FIPS_140_2_LEVEL_2_OR_HIGHER. Supported standard for each region can be found in the Storage and security compliance of AWS Private CA private keys Documentation.
not_after str
Date and time after which the certificate authority is not valid. Only available after the certificate authority certificate has been imported.
not_before str
Date and time before which the certificate authority is not valid. Only available after the certificate authority certificate has been imported.
permanent_deletion_time_in_days int
Number of days to make a CA restorable after it has been deleted, must be between 7 to 30 days, with default to 30 days.
revocation_configuration CertificateAuthorityRevocationConfigurationArgs
Nested argument containing revocation configuration. Defined below.
serial str
Serial number of the certificate authority. Only available after the certificate authority certificate has been imported.
tags Mapping[str, str]
Key-value map of user-defined tags that are attached to the certificate authority. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
tags_all Mapping[str, str]
Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

Deprecated: Please use tags instead.

type Changes to this property will trigger replacement. str
Type of the certificate authority. Defaults to SUBORDINATE. Valid values: ROOT and SUBORDINATE.
usage_mode str
Specifies whether the CA issues general-purpose certificates that typically require a revocation mechanism, or short-lived certificates that may optionally omit revocation because they expire quickly. Short-lived certificate validity is limited to seven days. Defaults to GENERAL_PURPOSE. Valid values: GENERAL_PURPOSE and SHORT_LIVED_CERTIFICATE.
arn String
ARN of the certificate authority.
certificate String
Base64-encoded certificate authority (CA) certificate. Only available after the certificate authority certificate has been imported.
certificateAuthorityConfiguration Property Map
Nested argument containing algorithms and certificate subject information. Defined below.
certificateChain String
Base64-encoded certificate chain that includes any intermediate certificates and chains up to root on-premises certificate that you used to sign your private CA certificate. The chain does not include your private CA certificate. Only available after the certificate authority certificate has been imported.
certificateSigningRequest String
The base64 PEM-encoded certificate signing request (CSR) for your private CA certificate.
enabled Boolean
Whether the certificate authority is enabled or disabled. Defaults to true. Can only be disabled if the CA is in an ACTIVE state.
keyStorageSecurityStandard Changes to this property will trigger replacement. String
Cryptographic key management compliance standard used for handling CA keys. Defaults to FIPS_140_2_LEVEL_3_OR_HIGHER. Valid values: FIPS_140_2_LEVEL_3_OR_HIGHER and FIPS_140_2_LEVEL_2_OR_HIGHER. Supported standard for each region can be found in the Storage and security compliance of AWS Private CA private keys Documentation.
notAfter String
Date and time after which the certificate authority is not valid. Only available after the certificate authority certificate has been imported.
notBefore String
Date and time before which the certificate authority is not valid. Only available after the certificate authority certificate has been imported.
permanentDeletionTimeInDays Number
Number of days to make a CA restorable after it has been deleted, must be between 7 to 30 days, with default to 30 days.
revocationConfiguration Property Map
Nested argument containing revocation configuration. Defined below.
serial String
Serial number of the certificate authority. Only available after the certificate authority certificate has been imported.
tags Map<String>
Key-value map of user-defined tags that are attached to the certificate authority. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
tagsAll Map<String>
Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

Deprecated: Please use tags instead.

type Changes to this property will trigger replacement. String
Type of the certificate authority. Defaults to SUBORDINATE. Valid values: ROOT and SUBORDINATE.
usageMode String
Specifies whether the CA issues general-purpose certificates that typically require a revocation mechanism, or short-lived certificates that may optionally omit revocation because they expire quickly. Short-lived certificate validity is limited to seven days. Defaults to GENERAL_PURPOSE. Valid values: GENERAL_PURPOSE and SHORT_LIVED_CERTIFICATE.

Supporting Types

CertificateAuthorityCertificateAuthorityConfiguration
, CertificateAuthorityCertificateAuthorityConfigurationArgs

KeyAlgorithm
This property is required.
Changes to this property will trigger replacement.
string
Type of the public key algorithm and size, in bits, of the key pair that your key pair creates when it issues a certificate. Valid values can be found in the ACM PCA Documentation.
SigningAlgorithm
This property is required.
Changes to this property will trigger replacement.
string
Name of the algorithm your private CA uses to sign certificate requests. Valid values can be found in the ACM PCA Documentation.
Subject
This property is required.
Changes to this property will trigger replacement.
CertificateAuthorityCertificateAuthorityConfigurationSubject
Nested argument that contains X.500 distinguished name information. At least one nested attribute must be specified.
KeyAlgorithm
This property is required.
Changes to this property will trigger replacement.
string
Type of the public key algorithm and size, in bits, of the key pair that your key pair creates when it issues a certificate. Valid values can be found in the ACM PCA Documentation.
SigningAlgorithm
This property is required.
Changes to this property will trigger replacement.
string
Name of the algorithm your private CA uses to sign certificate requests. Valid values can be found in the ACM PCA Documentation.
Subject
This property is required.
Changes to this property will trigger replacement.
CertificateAuthorityCertificateAuthorityConfigurationSubject
Nested argument that contains X.500 distinguished name information. At least one nested attribute must be specified.
keyAlgorithm
This property is required.
Changes to this property will trigger replacement.
String
Type of the public key algorithm and size, in bits, of the key pair that your key pair creates when it issues a certificate. Valid values can be found in the ACM PCA Documentation.
signingAlgorithm
This property is required.
Changes to this property will trigger replacement.
String
Name of the algorithm your private CA uses to sign certificate requests. Valid values can be found in the ACM PCA Documentation.
subject
This property is required.
Changes to this property will trigger replacement.
CertificateAuthorityCertificateAuthorityConfigurationSubject
Nested argument that contains X.500 distinguished name information. At least one nested attribute must be specified.
keyAlgorithm
This property is required.
Changes to this property will trigger replacement.
string
Type of the public key algorithm and size, in bits, of the key pair that your key pair creates when it issues a certificate. Valid values can be found in the ACM PCA Documentation.
signingAlgorithm
This property is required.
Changes to this property will trigger replacement.
string
Name of the algorithm your private CA uses to sign certificate requests. Valid values can be found in the ACM PCA Documentation.
subject
This property is required.
Changes to this property will trigger replacement.
CertificateAuthorityCertificateAuthorityConfigurationSubject
Nested argument that contains X.500 distinguished name information. At least one nested attribute must be specified.
key_algorithm
This property is required.
Changes to this property will trigger replacement.
str
Type of the public key algorithm and size, in bits, of the key pair that your key pair creates when it issues a certificate. Valid values can be found in the ACM PCA Documentation.
signing_algorithm
This property is required.
Changes to this property will trigger replacement.
str
Name of the algorithm your private CA uses to sign certificate requests. Valid values can be found in the ACM PCA Documentation.
subject
This property is required.
Changes to this property will trigger replacement.
CertificateAuthorityCertificateAuthorityConfigurationSubject
Nested argument that contains X.500 distinguished name information. At least one nested attribute must be specified.
keyAlgorithm
This property is required.
Changes to this property will trigger replacement.
String
Type of the public key algorithm and size, in bits, of the key pair that your key pair creates when it issues a certificate. Valid values can be found in the ACM PCA Documentation.
signingAlgorithm
This property is required.
Changes to this property will trigger replacement.
String
Name of the algorithm your private CA uses to sign certificate requests. Valid values can be found in the ACM PCA Documentation.
subject
This property is required.
Changes to this property will trigger replacement.
Property Map
Nested argument that contains X.500 distinguished name information. At least one nested attribute must be specified.

CertificateAuthorityCertificateAuthorityConfigurationSubject
, CertificateAuthorityCertificateAuthorityConfigurationSubjectArgs

CommonName Changes to this property will trigger replacement. string
Fully qualified domain name (FQDN) associated with the certificate subject. Must be less than or equal to 64 characters in length.
Country Changes to this property will trigger replacement. string
Two digit code that specifies the country in which the certificate subject located. Must be less than or equal to 2 characters in length.
DistinguishedNameQualifier Changes to this property will trigger replacement. string
Disambiguating information for the certificate subject. Must be less than or equal to 64 characters in length.
GenerationQualifier Changes to this property will trigger replacement. string
Typically a qualifier appended to the name of an individual. Examples include Jr. for junior, Sr. for senior, and III for third. Must be less than or equal to 3 characters in length.
GivenName Changes to this property will trigger replacement. string
First name. Must be less than or equal to 16 characters in length.
Initials Changes to this property will trigger replacement. string
Concatenation that typically contains the first letter of the given_name, the first letter of the middle name if one exists, and the first letter of the surname. Must be less than or equal to 5 characters in length.
Locality Changes to this property will trigger replacement. string
Locality (such as a city or town) in which the certificate subject is located. Must be less than or equal to 128 characters in length.
Organization Changes to this property will trigger replacement. string
Legal name of the organization with which the certificate subject is affiliated. Must be less than or equal to 64 characters in length.
OrganizationalUnit Changes to this property will trigger replacement. string
Subdivision or unit of the organization (such as sales or finance) with which the certificate subject is affiliated. Must be less than or equal to 64 characters in length.
Pseudonym Changes to this property will trigger replacement. string
Typically a shortened version of a longer given_name. For example, Jonathan is often shortened to John. Elizabeth is often shortened to Beth, Liz, or Eliza. Must be less than or equal to 128 characters in length.
State Changes to this property will trigger replacement. string
State in which the subject of the certificate is located. Must be less than or equal to 128 characters in length.
Surname Changes to this property will trigger replacement. string
Family name. In the US and the UK for example, the surname of an individual is ordered last. In Asian cultures the surname is typically ordered first. Must be less than or equal to 40 characters in length.
Title Changes to this property will trigger replacement. string
Title such as Mr. or Ms. which is pre-pended to the name to refer formally to the certificate subject. Must be less than or equal to 64 characters in length.
CommonName Changes to this property will trigger replacement. string
Fully qualified domain name (FQDN) associated with the certificate subject. Must be less than or equal to 64 characters in length.
Country Changes to this property will trigger replacement. string
Two digit code that specifies the country in which the certificate subject located. Must be less than or equal to 2 characters in length.
DistinguishedNameQualifier Changes to this property will trigger replacement. string
Disambiguating information for the certificate subject. Must be less than or equal to 64 characters in length.
GenerationQualifier Changes to this property will trigger replacement. string
Typically a qualifier appended to the name of an individual. Examples include Jr. for junior, Sr. for senior, and III for third. Must be less than or equal to 3 characters in length.
GivenName Changes to this property will trigger replacement. string
First name. Must be less than or equal to 16 characters in length.
Initials Changes to this property will trigger replacement. string
Concatenation that typically contains the first letter of the given_name, the first letter of the middle name if one exists, and the first letter of the surname. Must be less than or equal to 5 characters in length.
Locality Changes to this property will trigger replacement. string
Locality (such as a city or town) in which the certificate subject is located. Must be less than or equal to 128 characters in length.
Organization Changes to this property will trigger replacement. string
Legal name of the organization with which the certificate subject is affiliated. Must be less than or equal to 64 characters in length.
OrganizationalUnit Changes to this property will trigger replacement. string
Subdivision or unit of the organization (such as sales or finance) with which the certificate subject is affiliated. Must be less than or equal to 64 characters in length.
Pseudonym Changes to this property will trigger replacement. string
Typically a shortened version of a longer given_name. For example, Jonathan is often shortened to John. Elizabeth is often shortened to Beth, Liz, or Eliza. Must be less than or equal to 128 characters in length.
State Changes to this property will trigger replacement. string
State in which the subject of the certificate is located. Must be less than or equal to 128 characters in length.
Surname Changes to this property will trigger replacement. string
Family name. In the US and the UK for example, the surname of an individual is ordered last. In Asian cultures the surname is typically ordered first. Must be less than or equal to 40 characters in length.
Title Changes to this property will trigger replacement. string
Title such as Mr. or Ms. which is pre-pended to the name to refer formally to the certificate subject. Must be less than or equal to 64 characters in length.
commonName Changes to this property will trigger replacement. String
Fully qualified domain name (FQDN) associated with the certificate subject. Must be less than or equal to 64 characters in length.
country Changes to this property will trigger replacement. String
Two digit code that specifies the country in which the certificate subject located. Must be less than or equal to 2 characters in length.
distinguishedNameQualifier Changes to this property will trigger replacement. String
Disambiguating information for the certificate subject. Must be less than or equal to 64 characters in length.
generationQualifier Changes to this property will trigger replacement. String
Typically a qualifier appended to the name of an individual. Examples include Jr. for junior, Sr. for senior, and III for third. Must be less than or equal to 3 characters in length.
givenName Changes to this property will trigger replacement. String
First name. Must be less than or equal to 16 characters in length.
initials Changes to this property will trigger replacement. String
Concatenation that typically contains the first letter of the given_name, the first letter of the middle name if one exists, and the first letter of the surname. Must be less than or equal to 5 characters in length.
locality Changes to this property will trigger replacement. String
Locality (such as a city or town) in which the certificate subject is located. Must be less than or equal to 128 characters in length.
organization Changes to this property will trigger replacement. String
Legal name of the organization with which the certificate subject is affiliated. Must be less than or equal to 64 characters in length.
organizationalUnit Changes to this property will trigger replacement. String
Subdivision or unit of the organization (such as sales or finance) with which the certificate subject is affiliated. Must be less than or equal to 64 characters in length.
pseudonym Changes to this property will trigger replacement. String
Typically a shortened version of a longer given_name. For example, Jonathan is often shortened to John. Elizabeth is often shortened to Beth, Liz, or Eliza. Must be less than or equal to 128 characters in length.
state Changes to this property will trigger replacement. String
State in which the subject of the certificate is located. Must be less than or equal to 128 characters in length.
surname Changes to this property will trigger replacement. String
Family name. In the US and the UK for example, the surname of an individual is ordered last. In Asian cultures the surname is typically ordered first. Must be less than or equal to 40 characters in length.
title Changes to this property will trigger replacement. String
Title such as Mr. or Ms. which is pre-pended to the name to refer formally to the certificate subject. Must be less than or equal to 64 characters in length.
commonName Changes to this property will trigger replacement. string
Fully qualified domain name (FQDN) associated with the certificate subject. Must be less than or equal to 64 characters in length.
country Changes to this property will trigger replacement. string
Two digit code that specifies the country in which the certificate subject located. Must be less than or equal to 2 characters in length.
distinguishedNameQualifier Changes to this property will trigger replacement. string
Disambiguating information for the certificate subject. Must be less than or equal to 64 characters in length.
generationQualifier Changes to this property will trigger replacement. string
Typically a qualifier appended to the name of an individual. Examples include Jr. for junior, Sr. for senior, and III for third. Must be less than or equal to 3 characters in length.
givenName Changes to this property will trigger replacement. string
First name. Must be less than or equal to 16 characters in length.
initials Changes to this property will trigger replacement. string
Concatenation that typically contains the first letter of the given_name, the first letter of the middle name if one exists, and the first letter of the surname. Must be less than or equal to 5 characters in length.
locality Changes to this property will trigger replacement. string
Locality (such as a city or town) in which the certificate subject is located. Must be less than or equal to 128 characters in length.
organization Changes to this property will trigger replacement. string
Legal name of the organization with which the certificate subject is affiliated. Must be less than or equal to 64 characters in length.
organizationalUnit Changes to this property will trigger replacement. string
Subdivision or unit of the organization (such as sales or finance) with which the certificate subject is affiliated. Must be less than or equal to 64 characters in length.
pseudonym Changes to this property will trigger replacement. string
Typically a shortened version of a longer given_name. For example, Jonathan is often shortened to John. Elizabeth is often shortened to Beth, Liz, or Eliza. Must be less than or equal to 128 characters in length.
state Changes to this property will trigger replacement. string
State in which the subject of the certificate is located. Must be less than or equal to 128 characters in length.
surname Changes to this property will trigger replacement. string
Family name. In the US and the UK for example, the surname of an individual is ordered last. In Asian cultures the surname is typically ordered first. Must be less than or equal to 40 characters in length.
title Changes to this property will trigger replacement. string
Title such as Mr. or Ms. which is pre-pended to the name to refer formally to the certificate subject. Must be less than or equal to 64 characters in length.
common_name Changes to this property will trigger replacement. str
Fully qualified domain name (FQDN) associated with the certificate subject. Must be less than or equal to 64 characters in length.
country Changes to this property will trigger replacement. str
Two digit code that specifies the country in which the certificate subject located. Must be less than or equal to 2 characters in length.
distinguished_name_qualifier Changes to this property will trigger replacement. str
Disambiguating information for the certificate subject. Must be less than or equal to 64 characters in length.
generation_qualifier Changes to this property will trigger replacement. str
Typically a qualifier appended to the name of an individual. Examples include Jr. for junior, Sr. for senior, and III for third. Must be less than or equal to 3 characters in length.
given_name Changes to this property will trigger replacement. str
First name. Must be less than or equal to 16 characters in length.
initials Changes to this property will trigger replacement. str
Concatenation that typically contains the first letter of the given_name, the first letter of the middle name if one exists, and the first letter of the surname. Must be less than or equal to 5 characters in length.
locality Changes to this property will trigger replacement. str
Locality (such as a city or town) in which the certificate subject is located. Must be less than or equal to 128 characters in length.
organization Changes to this property will trigger replacement. str
Legal name of the organization with which the certificate subject is affiliated. Must be less than or equal to 64 characters in length.
organizational_unit Changes to this property will trigger replacement. str
Subdivision or unit of the organization (such as sales or finance) with which the certificate subject is affiliated. Must be less than or equal to 64 characters in length.
pseudonym Changes to this property will trigger replacement. str
Typically a shortened version of a longer given_name. For example, Jonathan is often shortened to John. Elizabeth is often shortened to Beth, Liz, or Eliza. Must be less than or equal to 128 characters in length.
state Changes to this property will trigger replacement. str
State in which the subject of the certificate is located. Must be less than or equal to 128 characters in length.
surname Changes to this property will trigger replacement. str
Family name. In the US and the UK for example, the surname of an individual is ordered last. In Asian cultures the surname is typically ordered first. Must be less than or equal to 40 characters in length.
title Changes to this property will trigger replacement. str
Title such as Mr. or Ms. which is pre-pended to the name to refer formally to the certificate subject. Must be less than or equal to 64 characters in length.
commonName Changes to this property will trigger replacement. String
Fully qualified domain name (FQDN) associated with the certificate subject. Must be less than or equal to 64 characters in length.
country Changes to this property will trigger replacement. String
Two digit code that specifies the country in which the certificate subject located. Must be less than or equal to 2 characters in length.
distinguishedNameQualifier Changes to this property will trigger replacement. String
Disambiguating information for the certificate subject. Must be less than or equal to 64 characters in length.
generationQualifier Changes to this property will trigger replacement. String
Typically a qualifier appended to the name of an individual. Examples include Jr. for junior, Sr. for senior, and III for third. Must be less than or equal to 3 characters in length.
givenName Changes to this property will trigger replacement. String
First name. Must be less than or equal to 16 characters in length.
initials Changes to this property will trigger replacement. String
Concatenation that typically contains the first letter of the given_name, the first letter of the middle name if one exists, and the first letter of the surname. Must be less than or equal to 5 characters in length.
locality Changes to this property will trigger replacement. String
Locality (such as a city or town) in which the certificate subject is located. Must be less than or equal to 128 characters in length.
organization Changes to this property will trigger replacement. String
Legal name of the organization with which the certificate subject is affiliated. Must be less than or equal to 64 characters in length.
organizationalUnit Changes to this property will trigger replacement. String
Subdivision or unit of the organization (such as sales or finance) with which the certificate subject is affiliated. Must be less than or equal to 64 characters in length.
pseudonym Changes to this property will trigger replacement. String
Typically a shortened version of a longer given_name. For example, Jonathan is often shortened to John. Elizabeth is often shortened to Beth, Liz, or Eliza. Must be less than or equal to 128 characters in length.
state Changes to this property will trigger replacement. String
State in which the subject of the certificate is located. Must be less than or equal to 128 characters in length.
surname Changes to this property will trigger replacement. String
Family name. In the US and the UK for example, the surname of an individual is ordered last. In Asian cultures the surname is typically ordered first. Must be less than or equal to 40 characters in length.
title Changes to this property will trigger replacement. String
Title such as Mr. or Ms. which is pre-pended to the name to refer formally to the certificate subject. Must be less than or equal to 64 characters in length.

CertificateAuthorityRevocationConfiguration
, CertificateAuthorityRevocationConfigurationArgs

CrlConfiguration CertificateAuthorityRevocationConfigurationCrlConfiguration
Nested argument containing configuration of the certificate revocation list (CRL), if any, maintained by the certificate authority. Defined below.
OcspConfiguration CertificateAuthorityRevocationConfigurationOcspConfiguration
Nested argument containing configuration of the custom OCSP responder endpoint. Defined below.
CrlConfiguration CertificateAuthorityRevocationConfigurationCrlConfiguration
Nested argument containing configuration of the certificate revocation list (CRL), if any, maintained by the certificate authority. Defined below.
OcspConfiguration CertificateAuthorityRevocationConfigurationOcspConfiguration
Nested argument containing configuration of the custom OCSP responder endpoint. Defined below.
crlConfiguration CertificateAuthorityRevocationConfigurationCrlConfiguration
Nested argument containing configuration of the certificate revocation list (CRL), if any, maintained by the certificate authority. Defined below.
ocspConfiguration CertificateAuthorityRevocationConfigurationOcspConfiguration
Nested argument containing configuration of the custom OCSP responder endpoint. Defined below.
crlConfiguration CertificateAuthorityRevocationConfigurationCrlConfiguration
Nested argument containing configuration of the certificate revocation list (CRL), if any, maintained by the certificate authority. Defined below.
ocspConfiguration CertificateAuthorityRevocationConfigurationOcspConfiguration
Nested argument containing configuration of the custom OCSP responder endpoint. Defined below.
crl_configuration CertificateAuthorityRevocationConfigurationCrlConfiguration
Nested argument containing configuration of the certificate revocation list (CRL), if any, maintained by the certificate authority. Defined below.
ocsp_configuration CertificateAuthorityRevocationConfigurationOcspConfiguration
Nested argument containing configuration of the custom OCSP responder endpoint. Defined below.
crlConfiguration Property Map
Nested argument containing configuration of the certificate revocation list (CRL), if any, maintained by the certificate authority. Defined below.
ocspConfiguration Property Map
Nested argument containing configuration of the custom OCSP responder endpoint. Defined below.

CertificateAuthorityRevocationConfigurationCrlConfiguration
, CertificateAuthorityRevocationConfigurationCrlConfigurationArgs

CustomCname string
Name inserted into the certificate CRL Distribution Points extension that enables the use of an alias for the CRL distribution point. Use this value if you don't want the name of your S3 bucket to be public. Must be less than or equal to 253 characters in length.
Enabled bool
Boolean value that specifies whether certificate revocation lists (CRLs) are enabled. Defaults to false.
ExpirationInDays int
Number of days until a certificate expires. Must be between 1 and 5000.
S3BucketName string
Name of the S3 bucket that contains the CRL. If you do not provide a value for the custom_cname argument, the name of your S3 bucket is placed into the CRL Distribution Points extension of the issued certificate. You must specify a bucket policy that allows ACM PCA to write the CRL to your bucket. Must be between 3 and 255 characters in length.
S3ObjectAcl string
Determines whether the CRL will be publicly readable or privately held in the CRL Amazon S3 bucket. Defaults to PUBLIC_READ.
CustomCname string
Name inserted into the certificate CRL Distribution Points extension that enables the use of an alias for the CRL distribution point. Use this value if you don't want the name of your S3 bucket to be public. Must be less than or equal to 253 characters in length.
Enabled bool
Boolean value that specifies whether certificate revocation lists (CRLs) are enabled. Defaults to false.
ExpirationInDays int
Number of days until a certificate expires. Must be between 1 and 5000.
S3BucketName string
Name of the S3 bucket that contains the CRL. If you do not provide a value for the custom_cname argument, the name of your S3 bucket is placed into the CRL Distribution Points extension of the issued certificate. You must specify a bucket policy that allows ACM PCA to write the CRL to your bucket. Must be between 3 and 255 characters in length.
S3ObjectAcl string
Determines whether the CRL will be publicly readable or privately held in the CRL Amazon S3 bucket. Defaults to PUBLIC_READ.
customCname String
Name inserted into the certificate CRL Distribution Points extension that enables the use of an alias for the CRL distribution point. Use this value if you don't want the name of your S3 bucket to be public. Must be less than or equal to 253 characters in length.
enabled Boolean
Boolean value that specifies whether certificate revocation lists (CRLs) are enabled. Defaults to false.
expirationInDays Integer
Number of days until a certificate expires. Must be between 1 and 5000.
s3BucketName String
Name of the S3 bucket that contains the CRL. If you do not provide a value for the custom_cname argument, the name of your S3 bucket is placed into the CRL Distribution Points extension of the issued certificate. You must specify a bucket policy that allows ACM PCA to write the CRL to your bucket. Must be between 3 and 255 characters in length.
s3ObjectAcl String
Determines whether the CRL will be publicly readable or privately held in the CRL Amazon S3 bucket. Defaults to PUBLIC_READ.
customCname string
Name inserted into the certificate CRL Distribution Points extension that enables the use of an alias for the CRL distribution point. Use this value if you don't want the name of your S3 bucket to be public. Must be less than or equal to 253 characters in length.
enabled boolean
Boolean value that specifies whether certificate revocation lists (CRLs) are enabled. Defaults to false.
expirationInDays number
Number of days until a certificate expires. Must be between 1 and 5000.
s3BucketName string
Name of the S3 bucket that contains the CRL. If you do not provide a value for the custom_cname argument, the name of your S3 bucket is placed into the CRL Distribution Points extension of the issued certificate. You must specify a bucket policy that allows ACM PCA to write the CRL to your bucket. Must be between 3 and 255 characters in length.
s3ObjectAcl string
Determines whether the CRL will be publicly readable or privately held in the CRL Amazon S3 bucket. Defaults to PUBLIC_READ.
custom_cname str
Name inserted into the certificate CRL Distribution Points extension that enables the use of an alias for the CRL distribution point. Use this value if you don't want the name of your S3 bucket to be public. Must be less than or equal to 253 characters in length.
enabled bool
Boolean value that specifies whether certificate revocation lists (CRLs) are enabled. Defaults to false.
expiration_in_days int
Number of days until a certificate expires. Must be between 1 and 5000.
s3_bucket_name str
Name of the S3 bucket that contains the CRL. If you do not provide a value for the custom_cname argument, the name of your S3 bucket is placed into the CRL Distribution Points extension of the issued certificate. You must specify a bucket policy that allows ACM PCA to write the CRL to your bucket. Must be between 3 and 255 characters in length.
s3_object_acl str
Determines whether the CRL will be publicly readable or privately held in the CRL Amazon S3 bucket. Defaults to PUBLIC_READ.
customCname String
Name inserted into the certificate CRL Distribution Points extension that enables the use of an alias for the CRL distribution point. Use this value if you don't want the name of your S3 bucket to be public. Must be less than or equal to 253 characters in length.
enabled Boolean
Boolean value that specifies whether certificate revocation lists (CRLs) are enabled. Defaults to false.
expirationInDays Number
Number of days until a certificate expires. Must be between 1 and 5000.
s3BucketName String
Name of the S3 bucket that contains the CRL. If you do not provide a value for the custom_cname argument, the name of your S3 bucket is placed into the CRL Distribution Points extension of the issued certificate. You must specify a bucket policy that allows ACM PCA to write the CRL to your bucket. Must be between 3 and 255 characters in length.
s3ObjectAcl String
Determines whether the CRL will be publicly readable or privately held in the CRL Amazon S3 bucket. Defaults to PUBLIC_READ.

CertificateAuthorityRevocationConfigurationOcspConfiguration
, CertificateAuthorityRevocationConfigurationOcspConfigurationArgs

Enabled This property is required. bool
Boolean value that specifies whether a custom OCSP responder is enabled.
OcspCustomCname string
CNAME specifying a customized OCSP domain. Note: The value of the CNAME must not include a protocol prefix such as "http://" or "https://".
Enabled This property is required. bool
Boolean value that specifies whether a custom OCSP responder is enabled.
OcspCustomCname string
CNAME specifying a customized OCSP domain. Note: The value of the CNAME must not include a protocol prefix such as "http://" or "https://".
enabled This property is required. Boolean
Boolean value that specifies whether a custom OCSP responder is enabled.
ocspCustomCname String
CNAME specifying a customized OCSP domain. Note: The value of the CNAME must not include a protocol prefix such as "http://" or "https://".
enabled This property is required. boolean
Boolean value that specifies whether a custom OCSP responder is enabled.
ocspCustomCname string
CNAME specifying a customized OCSP domain. Note: The value of the CNAME must not include a protocol prefix such as "http://" or "https://".
enabled This property is required. bool
Boolean value that specifies whether a custom OCSP responder is enabled.
ocsp_custom_cname str
CNAME specifying a customized OCSP domain. Note: The value of the CNAME must not include a protocol prefix such as "http://" or "https://".
enabled This property is required. Boolean
Boolean value that specifies whether a custom OCSP responder is enabled.
ocspCustomCname String
CNAME specifying a customized OCSP domain. Note: The value of the CNAME must not include a protocol prefix such as "http://" or "https://".

Import

Using pulumi import, import aws_acmpca_certificate_authority using the certificate authority ARN. For example:

$ pulumi import aws:acmpca/certificateAuthority:CertificateAuthority example arn:aws:acm-pca:us-east-1:123456789012:certificate-authority/12345678-1234-1234-1234-123456789012
Copy

To learn more about importing existing cloud resources, see Importing resources.

Package Details

Repository
AWS Classic pulumi/pulumi-aws
License
Apache-2.0
Notes
This Pulumi package is based on the aws Terraform Provider.