AWS v6.73.0, Mar 19 25

AWS v6.73.0 published on Wednesday, Mar 19, 2025 by Pulumi

aws.acmpca.CertificateAuthority

Explore with Pulumi AI

AWS v6.73.0 published on Wednesday, Mar 19, 2025 by Pulumi

NOTE: Creating this resource will leave the certificate authority in a PENDING_CERTIFICATE status, which means it cannot yet issue certificates. To complete this setup, you must fully sign the certificate authority CSR available in the certificate_signing_request attribute. The aws.acmpca.CertificateAuthorityCertificate resource can be used for this purpose.

Example Usage

Basic

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const example = new aws.acmpca.CertificateAuthority("example", {
    certificateAuthorityConfiguration: {
        keyAlgorithm: "RSA_4096",
        signingAlgorithm: "SHA512WITHRSA",
        subject: {
            commonName: "example.com",
        },
    },
    permanentDeletionTimeInDays: 7,
});

import pulumi
import pulumi_aws as aws

example = aws.acmpca.CertificateAuthority("example",
    certificate_authority_configuration={
        "key_algorithm": "RSA_4096",
        "signing_algorithm": "SHA512WITHRSA",
        "subject": {
            "common_name": "example.com",
        },
    },
    permanent_deletion_time_in_days=7)

package main

import (
	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/acmpca"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := acmpca.NewCertificateAuthority(ctx, "example", &acmpca.CertificateAuthorityArgs{
			CertificateAuthorityConfiguration: &acmpca.CertificateAuthorityCertificateAuthorityConfigurationArgs{
				KeyAlgorithm:     pulumi.String("RSA_4096"),
				SigningAlgorithm: pulumi.String("SHA512WITHRSA"),
				Subject: &acmpca.CertificateAuthorityCertificateAuthorityConfigurationSubjectArgs{
					CommonName: pulumi.String("example.com"),
				},
			},
			PermanentDeletionTimeInDays: pulumi.Int(7),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;

return await Deployment.RunAsync(() => 
{
    var example = new Aws.Acmpca.CertificateAuthority("example", new()
    {
        CertificateAuthorityConfiguration = new Aws.Acmpca.Inputs.CertificateAuthorityCertificateAuthorityConfigurationArgs
        {
            KeyAlgorithm = "RSA_4096",
            SigningAlgorithm = "SHA512WITHRSA",
            Subject = new Aws.Acmpca.Inputs.CertificateAuthorityCertificateAuthorityConfigurationSubjectArgs
            {
                CommonName = "example.com",
            },
        },
        PermanentDeletionTimeInDays = 7,
    });

});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.acmpca.CertificateAuthority;
import com.pulumi.aws.acmpca.CertificateAuthorityArgs;
import com.pulumi.aws.acmpca.inputs.CertificateAuthorityCertificateAuthorityConfigurationArgs;
import com.pulumi.aws.acmpca.inputs.CertificateAuthorityCertificateAuthorityConfigurationSubjectArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var example = new CertificateAuthority("example", CertificateAuthorityArgs.builder()
            .certificateAuthorityConfiguration(CertificateAuthorityCertificateAuthorityConfigurationArgs.builder()
                .keyAlgorithm("RSA_4096")
                .signingAlgorithm("SHA512WITHRSA")
                .subject(CertificateAuthorityCertificateAuthorityConfigurationSubjectArgs.builder()
                    .commonName("example.com")
                    .build())
                .build())
            .permanentDeletionTimeInDays(7)
            .build());

    }
}

resources:
  example:
    type: aws:acmpca:CertificateAuthority
    properties:
      certificateAuthorityConfiguration:
        keyAlgorithm: RSA_4096
        signingAlgorithm: SHA512WITHRSA
        subject:
          commonName: example.com
      permanentDeletionTimeInDays: 7

Short-lived certificate

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const example = new aws.acmpca.CertificateAuthority("example", {
    usageMode: "SHORT_LIVED_CERTIFICATE",
    certificateAuthorityConfiguration: {
        keyAlgorithm: "RSA_4096",
        signingAlgorithm: "SHA512WITHRSA",
        subject: {
            commonName: "example.com",
        },
    },
});

import pulumi
import pulumi_aws as aws

example = aws.acmpca.CertificateAuthority("example",
    usage_mode="SHORT_LIVED_CERTIFICATE",
    certificate_authority_configuration={
        "key_algorithm": "RSA_4096",
        "signing_algorithm": "SHA512WITHRSA",
        "subject": {
            "common_name": "example.com",
        },
    })

package main

import (
	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/acmpca"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := acmpca.NewCertificateAuthority(ctx, "example", &acmpca.CertificateAuthorityArgs{
			UsageMode: pulumi.String("SHORT_LIVED_CERTIFICATE"),
			CertificateAuthorityConfiguration: &acmpca.CertificateAuthorityCertificateAuthorityConfigurationArgs{
				KeyAlgorithm:     pulumi.String("RSA_4096"),
				SigningAlgorithm: pulumi.String("SHA512WITHRSA"),
				Subject: &acmpca.CertificateAuthorityCertificateAuthorityConfigurationSubjectArgs{
					CommonName: pulumi.String("example.com"),
				},
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;

return await Deployment.RunAsync(() => 
{
    var example = new Aws.Acmpca.CertificateAuthority("example", new()
    {
        UsageMode = "SHORT_LIVED_CERTIFICATE",
        CertificateAuthorityConfiguration = new Aws.Acmpca.Inputs.CertificateAuthorityCertificateAuthorityConfigurationArgs
        {
            KeyAlgorithm = "RSA_4096",
            SigningAlgorithm = "SHA512WITHRSA",
            Subject = new Aws.Acmpca.Inputs.CertificateAuthorityCertificateAuthorityConfigurationSubjectArgs
            {
                CommonName = "example.com",
            },
        },
    });

});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.acmpca.CertificateAuthority;
import com.pulumi.aws.acmpca.CertificateAuthorityArgs;
import com.pulumi.aws.acmpca.inputs.CertificateAuthorityCertificateAuthorityConfigurationArgs;
import com.pulumi.aws.acmpca.inputs.CertificateAuthorityCertificateAuthorityConfigurationSubjectArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var example = new CertificateAuthority("example", CertificateAuthorityArgs.builder()
            .usageMode("SHORT_LIVED_CERTIFICATE")
            .certificateAuthorityConfiguration(CertificateAuthorityCertificateAuthorityConfigurationArgs.builder()
                .keyAlgorithm("RSA_4096")
                .signingAlgorithm("SHA512WITHRSA")
                .subject(CertificateAuthorityCertificateAuthorityConfigurationSubjectArgs.builder()
                    .commonName("example.com")
                    .build())
                .build())
            .build());

    }
}

resources:
  example:
    type: aws:acmpca:CertificateAuthority
    properties:
      usageMode: SHORT_LIVED_CERTIFICATE
      certificateAuthorityConfiguration:
        keyAlgorithm: RSA_4096
        signingAlgorithm: SHA512WITHRSA
        subject:
          commonName: example.com

Enable Certificate Revocation List

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const example = new aws.s3.BucketV2("example", {
    bucket: "example",
    forceDestroy: true,
});
const acmpcaBucketAccess = aws.iam.getPolicyDocumentOutput({
    statements: [{
        actions: [
            "s3:GetBucketAcl",
            "s3:GetBucketLocation",
            "s3:PutObject",
            "s3:PutObjectAcl",
        ],
        resources: [
            example.arn,
            pulumi.interpolate`${example.arn}/*`,
        ],
        principals: [{
            identifiers: ["acm-pca.amazonaws.com"],
            type: "Service",
        }],
    }],
});
const exampleBucketPolicy = new aws.s3.BucketPolicy("example", {
    bucket: example.id,
    policy: acmpcaBucketAccess.apply(acmpcaBucketAccess => acmpcaBucketAccess.json),
});
const exampleCertificateAuthority = new aws.acmpca.CertificateAuthority("example", {
    certificateAuthorityConfiguration: {
        keyAlgorithm: "RSA_4096",
        signingAlgorithm: "SHA512WITHRSA",
        subject: {
            commonName: "example.com",
        },
    },
    revocationConfiguration: {
        crlConfiguration: {
            customCname: "crl.example.com",
            enabled: true,
            expirationInDays: 7,
            s3BucketName: example.id,
            s3ObjectAcl: "BUCKET_OWNER_FULL_CONTROL",
        },
    },
}, {
    dependsOn: [exampleBucketPolicy],
});

import pulumi
import pulumi_aws as aws

example = aws.s3.BucketV2("example",
    bucket="example",
    force_destroy=True)
acmpca_bucket_access = aws.iam.get_policy_document_output(statements=[{
    "actions": [
        "s3:GetBucketAcl",
        "s3:GetBucketLocation",
        "s3:PutObject",
        "s3:PutObjectAcl",
    ],
    "resources": [
        example.arn,
        example.arn.apply(lambda arn: f"{arn}/*"),
    ],
    "principals": [{
        "identifiers": ["acm-pca.amazonaws.com"],
        "type": "Service",
    }],
}])
example_bucket_policy = aws.s3.BucketPolicy("example",
    bucket=example.id,
    policy=acmpca_bucket_access.json)
example_certificate_authority = aws.acmpca.CertificateAuthority("example",
    certificate_authority_configuration={
        "key_algorithm": "RSA_4096",
        "signing_algorithm": "SHA512WITHRSA",
        "subject": {
            "common_name": "example.com",
        },
    },
    revocation_configuration={
        "crl_configuration": {
            "custom_cname": "crl.example.com",
            "enabled": True,
            "expiration_in_days": 7,
            "s3_bucket_name": example.id,
            "s3_object_acl": "BUCKET_OWNER_FULL_CONTROL",
        },
    },
    opts = pulumi.ResourceOptions(depends_on=[example_bucket_policy]))

package main

import (
	"fmt"

	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/acmpca"
	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/iam"
	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/s3"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		example, err := s3.NewBucketV2(ctx, "example", &s3.BucketV2Args{
			Bucket:       pulumi.String("example"),
			ForceDestroy: pulumi.Bool(true),
		})
		if err != nil {
			return err
		}
		acmpcaBucketAccess := iam.GetPolicyDocumentOutput(ctx, iam.GetPolicyDocumentOutputArgs{
			Statements: iam.GetPolicyDocumentStatementArray{
				&iam.GetPolicyDocumentStatementArgs{
					Actions: pulumi.StringArray{
						pulumi.String("s3:GetBucketAcl"),
						pulumi.String("s3:GetBucketLocation"),
						pulumi.String("s3:PutObject"),
						pulumi.String("s3:PutObjectAcl"),
					},
					Resources: pulumi.StringArray{
						example.Arn,
						example.Arn.ApplyT(func(arn string) (string, error) {
							return fmt.Sprintf("%v/*", arn), nil
						}).(pulumi.StringOutput),
					},
					Principals: iam.GetPolicyDocumentStatementPrincipalArray{
						&iam.GetPolicyDocumentStatementPrincipalArgs{
							Identifiers: pulumi.StringArray{
								pulumi.String("acm-pca.amazonaws.com"),
							},
							Type: pulumi.String("Service"),
						},
					},
				},
			},
		}, nil)
		exampleBucketPolicy, err := s3.NewBucketPolicy(ctx, "example", &s3.BucketPolicyArgs{
			Bucket: example.ID(),
			Policy: pulumi.String(acmpcaBucketAccess.ApplyT(func(acmpcaBucketAccess iam.GetPolicyDocumentResult) (*string, error) {
				return &acmpcaBucketAccess.Json, nil
			}).(pulumi.StringPtrOutput)),
		})
		if err != nil {
			return err
		}
		_, err = acmpca.NewCertificateAuthority(ctx, "example", &acmpca.CertificateAuthorityArgs{
			CertificateAuthorityConfiguration: &acmpca.CertificateAuthorityCertificateAuthorityConfigurationArgs{
				KeyAlgorithm:     pulumi.String("RSA_4096"),
				SigningAlgorithm: pulumi.String("SHA512WITHRSA"),
				Subject: &acmpca.CertificateAuthorityCertificateAuthorityConfigurationSubjectArgs{
					CommonName: pulumi.String("example.com"),
				},
			},
			RevocationConfiguration: &acmpca.CertificateAuthorityRevocationConfigurationArgs{
				CrlConfiguration: &acmpca.CertificateAuthorityRevocationConfigurationCrlConfigurationArgs{
					CustomCname:      pulumi.String("crl.example.com"),
					Enabled:          pulumi.Bool(true),
					ExpirationInDays: pulumi.Int(7),
					S3BucketName:     example.ID(),
					S3ObjectAcl:      pulumi.String("BUCKET_OWNER_FULL_CONTROL"),
				},
			},
		}, pulumi.DependsOn([]pulumi.Resource{
			exampleBucketPolicy,
		}))
		if err != nil {
			return err
		}
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;

return await Deployment.RunAsync(() => 
{
    var example = new Aws.S3.BucketV2("example", new()
    {
        Bucket = "example",
        ForceDestroy = true,
    });

    var acmpcaBucketAccess = Aws.Iam.GetPolicyDocument.Invoke(new()
    {
        Statements = new[]
        {
            new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs
            {
                Actions = new[]
                {
                    "s3:GetBucketAcl",
                    "s3:GetBucketLocation",
                    "s3:PutObject",
                    "s3:PutObjectAcl",
                },
                Resources = new[]
                {
                    example.Arn,
                    $"{example.Arn}/*",
                },
                Principals = new[]
                {
                    new Aws.Iam.Inputs.GetPolicyDocumentStatementPrincipalInputArgs
                    {
                        Identifiers = new[]
                        {
                            "acm-pca.amazonaws.com",
                        },
                        Type = "Service",
                    },
                },
            },
        },
    });

    var exampleBucketPolicy = new Aws.S3.BucketPolicy("example", new()
    {
        Bucket = example.Id,
        Policy = acmpcaBucketAccess.Apply(getPolicyDocumentResult => getPolicyDocumentResult.Json),
    });

    var exampleCertificateAuthority = new Aws.Acmpca.CertificateAuthority("example", new()
    {
        CertificateAuthorityConfiguration = new Aws.Acmpca.Inputs.CertificateAuthorityCertificateAuthorityConfigurationArgs
        {
            KeyAlgorithm = "RSA_4096",
            SigningAlgorithm = "SHA512WITHRSA",
            Subject = new Aws.Acmpca.Inputs.CertificateAuthorityCertificateAuthorityConfigurationSubjectArgs
            {
                CommonName = "example.com",
            },
        },
        RevocationConfiguration = new Aws.Acmpca.Inputs.CertificateAuthorityRevocationConfigurationArgs
        {
            CrlConfiguration = new Aws.Acmpca.Inputs.CertificateAuthorityRevocationConfigurationCrlConfigurationArgs
            {
                CustomCname = "crl.example.com",
                Enabled = true,
                ExpirationInDays = 7,
                S3BucketName = example.Id,
                S3ObjectAcl = "BUCKET_OWNER_FULL_CONTROL",
            },
        },
    }, new CustomResourceOptions
    {
        DependsOn =
        {
            exampleBucketPolicy,
        },
    });

});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.s3.BucketV2;
import com.pulumi.aws.s3.BucketV2Args;
import com.pulumi.aws.iam.IamFunctions;
import com.pulumi.aws.iam.inputs.GetPolicyDocumentArgs;
import com.pulumi.aws.s3.BucketPolicy;
import com.pulumi.aws.s3.BucketPolicyArgs;
import com.pulumi.aws.acmpca.CertificateAuthority;
import com.pulumi.aws.acmpca.CertificateAuthorityArgs;
import com.pulumi.aws.acmpca.inputs.CertificateAuthorityCertificateAuthorityConfigurationArgs;
import com.pulumi.aws.acmpca.inputs.CertificateAuthorityCertificateAuthorityConfigurationSubjectArgs;
import com.pulumi.aws.acmpca.inputs.CertificateAuthorityRevocationConfigurationArgs;
import com.pulumi.aws.acmpca.inputs.CertificateAuthorityRevocationConfigurationCrlConfigurationArgs;
import com.pulumi.resources.CustomResourceOptions;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var example = new BucketV2("example", BucketV2Args.builder()
            .bucket("example")
            .forceDestroy(true)
            .build());

        final var acmpcaBucketAccess = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
            .statements(GetPolicyDocumentStatementArgs.builder()
                .actions(                
                    "s3:GetBucketAcl",
                    "s3:GetBucketLocation",
                    "s3:PutObject",
                    "s3:PutObjectAcl")
                .resources(                
                    example.arn(),
                    example.arn().applyValue(arn -> String.format("%s/*", arn)))
                .principals(GetPolicyDocumentStatementPrincipalArgs.builder()
                    .identifiers("acm-pca.amazonaws.com")
                    .type("Service")
                    .build())
                .build())
            .build());

        var exampleBucketPolicy = new BucketPolicy("exampleBucketPolicy", BucketPolicyArgs.builder()
            .bucket(example.id())
            .policy(acmpcaBucketAccess.applyValue(getPolicyDocumentResult -> getPolicyDocumentResult).applyValue(acmpcaBucketAccess -> acmpcaBucketAccess.applyValue(getPolicyDocumentResult -> getPolicyDocumentResult.json())))
            .build());

        var exampleCertificateAuthority = new CertificateAuthority("exampleCertificateAuthority", CertificateAuthorityArgs.builder()
            .certificateAuthorityConfiguration(CertificateAuthorityCertificateAuthorityConfigurationArgs.builder()
                .keyAlgorithm("RSA_4096")
                .signingAlgorithm("SHA512WITHRSA")
                .subject(CertificateAuthorityCertificateAuthorityConfigurationSubjectArgs.builder()
                    .commonName("example.com")
                    .build())
                .build())
            .revocationConfiguration(CertificateAuthorityRevocationConfigurationArgs.builder()
                .crlConfiguration(CertificateAuthorityRevocationConfigurationCrlConfigurationArgs.builder()
                    .customCname("crl.example.com")
                    .enabled(true)
                    .expirationInDays(7)
                    .s3BucketName(example.id())
                    .s3ObjectAcl("BUCKET_OWNER_FULL_CONTROL")
                    .build())
                .build())
            .build(), CustomResourceOptions.builder()
                .dependsOn(exampleBucketPolicy)
                .build());

    }
}

resources:
  example:
    type: aws:s3:BucketV2
    properties:
      bucket: example
      forceDestroy: true
  exampleBucketPolicy:
    type: aws:s3:BucketPolicy
    name: example
    properties:
      bucket: ${example.id}
      policy: ${acmpcaBucketAccess.json}
  exampleCertificateAuthority:
    type: aws:acmpca:CertificateAuthority
    name: example
    properties:
      certificateAuthorityConfiguration:
        keyAlgorithm: RSA_4096
        signingAlgorithm: SHA512WITHRSA
        subject:
          commonName: example.com
      revocationConfiguration:
        crlConfiguration:
          customCname: crl.example.com
          enabled: true
          expirationInDays: 7
          s3BucketName: ${example.id}
          s3ObjectAcl: BUCKET_OWNER_FULL_CONTROL
    options:
      dependsOn:
        - ${exampleBucketPolicy}
variables:
  acmpcaBucketAccess:
    fn::invoke:
      function: aws:iam:getPolicyDocument
      arguments:
        statements:
          - actions:
              - s3:GetBucketAcl
              - s3:GetBucketLocation
              - s3:PutObject
              - s3:PutObjectAcl
            resources:
              - ${example.arn}
              - ${example.arn}/*
            principals:
              - identifiers:
                  - acm-pca.amazonaws.com
                type: Service

Create CertificateAuthority Resource

Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

Constructor syntax

new CertificateAuthority(name: string, args: CertificateAuthorityArgs, opts?: CustomResourceOptions);

@overload
def CertificateAuthority(resource_name: str,
                         args: CertificateAuthorityArgs,
                         opts: Optional[ResourceOptions] = None)

@overload
def CertificateAuthority(resource_name: str,
                         opts: Optional[ResourceOptions] = None,
                         certificate_authority_configuration: Optional[CertificateAuthorityCertificateAuthorityConfigurationArgs] = None,
                         enabled: Optional[bool] = None,
                         key_storage_security_standard: Optional[str] = None,
                         permanent_deletion_time_in_days: Optional[int] = None,
                         revocation_configuration: Optional[CertificateAuthorityRevocationConfigurationArgs] = None,
                         tags: Optional[Mapping[str, str]] = None,
                         type: Optional[str] = None,
                         usage_mode: Optional[str] = None)

func NewCertificateAuthority(ctx *Context, name string, args CertificateAuthorityArgs, opts ...ResourceOption) (*CertificateAuthority, error)

public CertificateAuthority(string name, CertificateAuthorityArgs args, CustomResourceOptions? opts = null)

public CertificateAuthority(String name, CertificateAuthorityArgs args)
public CertificateAuthority(String name, CertificateAuthorityArgs args, CustomResourceOptions options)

type: aws:acmpca:CertificateAuthority
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

Parameters

name string: The unique name of the resource.
args CertificateAuthorityArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

resource_name str: The unique name of the resource.
args CertificateAuthorityArgs: The arguments to resource properties.
opts ResourceOptions: Bag of options to control resource's behavior.

ctx Context: Context object for the current deployment.
name string: The unique name of the resource.
args CertificateAuthorityArgs: The arguments to resource properties.
opts ResourceOption: Bag of options to control resource's behavior.

name string: The unique name of the resource.
args CertificateAuthorityArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

name String: The unique name of the resource.
args CertificateAuthorityArgs: The arguments to resource properties.
options CustomResourceOptions: Bag of options to control resource's behavior.

Constructor example

The following reference example uses placeholder values for all input properties.

var certificateAuthorityResource = new Aws.Acmpca.CertificateAuthority("certificateAuthorityResource", new()
{
    CertificateAuthorityConfiguration = new Aws.Acmpca.Inputs.CertificateAuthorityCertificateAuthorityConfigurationArgs
    {
        KeyAlgorithm = "string",
        SigningAlgorithm = "string",
        Subject = new Aws.Acmpca.Inputs.CertificateAuthorityCertificateAuthorityConfigurationSubjectArgs
        {
            CommonName = "string",
            Country = "string",
            DistinguishedNameQualifier = "string",
            GenerationQualifier = "string",
            GivenName = "string",
            Initials = "string",
            Locality = "string",
            Organization = "string",
            OrganizationalUnit = "string",
            Pseudonym = "string",
            State = "string",
            Surname = "string",
            Title = "string",
        },
    },
    Enabled = false,
    KeyStorageSecurityStandard = "string",
    PermanentDeletionTimeInDays = 0,
    RevocationConfiguration = new Aws.Acmpca.Inputs.CertificateAuthorityRevocationConfigurationArgs
    {
        CrlConfiguration = new Aws.Acmpca.Inputs.CertificateAuthorityRevocationConfigurationCrlConfigurationArgs
        {
            CustomCname = "string",
            Enabled = false,
            ExpirationInDays = 0,
            S3BucketName = "string",
            S3ObjectAcl = "string",
        },
        OcspConfiguration = new Aws.Acmpca.Inputs.CertificateAuthorityRevocationConfigurationOcspConfigurationArgs
        {
            Enabled = false,
            OcspCustomCname = "string",
        },
    },
    Tags = 
    {
        { "string", "string" },
    },
    Type = "string",
    UsageMode = "string",
});

example, err := acmpca.NewCertificateAuthority(ctx, "certificateAuthorityResource", &acmpca.CertificateAuthorityArgs{
	CertificateAuthorityConfiguration: &acmpca.CertificateAuthorityCertificateAuthorityConfigurationArgs{
		KeyAlgorithm:     pulumi.String("string"),
		SigningAlgorithm: pulumi.String("string"),
		Subject: &acmpca.CertificateAuthorityCertificateAuthorityConfigurationSubjectArgs{
			CommonName:                 pulumi.String("string"),
			Country:                    pulumi.String("string"),
			DistinguishedNameQualifier: pulumi.String("string"),
			GenerationQualifier:        pulumi.String("string"),
			GivenName:                  pulumi.String("string"),
			Initials:                   pulumi.String("string"),
			Locality:                   pulumi.String("string"),
			Organization:               pulumi.String("string"),
			OrganizationalUnit:         pulumi.String("string"),
			Pseudonym:                  pulumi.String("string"),
			State:                      pulumi.String("string"),
			Surname:                    pulumi.String("string"),
			Title:                      pulumi.String("string"),
		},
	},
	Enabled:                     pulumi.Bool(false),
	KeyStorageSecurityStandard:  pulumi.String("string"),
	PermanentDeletionTimeInDays: pulumi.Int(0),
	RevocationConfiguration: &acmpca.CertificateAuthorityRevocationConfigurationArgs{
		CrlConfiguration: &acmpca.CertificateAuthorityRevocationConfigurationCrlConfigurationArgs{
			CustomCname:      pulumi.String("string"),
			Enabled:          pulumi.Bool(false),
			ExpirationInDays: pulumi.Int(0),
			S3BucketName:     pulumi.String("string"),
			S3ObjectAcl:      pulumi.String("string"),
		},
		OcspConfiguration: &acmpca.CertificateAuthorityRevocationConfigurationOcspConfigurationArgs{
			Enabled:         pulumi.Bool(false),
			OcspCustomCname: pulumi.String("string"),
		},
	},
	Tags: pulumi.StringMap{
		"string": pulumi.String("string"),
	},
	Type:      pulumi.String("string"),
	UsageMode: pulumi.String("string"),
})

var certificateAuthorityResource = new CertificateAuthority("certificateAuthorityResource", CertificateAuthorityArgs.builder()
    .certificateAuthorityConfiguration(CertificateAuthorityCertificateAuthorityConfigurationArgs.builder()
        .keyAlgorithm("string")
        .signingAlgorithm("string")
        .subject(CertificateAuthorityCertificateAuthorityConfigurationSubjectArgs.builder()
            .commonName("string")
            .country("string")
            .distinguishedNameQualifier("string")
            .generationQualifier("string")
            .givenName("string")
            .initials("string")
            .locality("string")
            .organization("string")
            .organizationalUnit("string")
            .pseudonym("string")
            .state("string")
            .surname("string")
            .title("string")
            .build())
        .build())
    .enabled(false)
    .keyStorageSecurityStandard("string")
    .permanentDeletionTimeInDays(0)
    .revocationConfiguration(CertificateAuthorityRevocationConfigurationArgs.builder()
        .crlConfiguration(CertificateAuthorityRevocationConfigurationCrlConfigurationArgs.builder()
            .customCname("string")
            .enabled(false)
            .expirationInDays(0)
            .s3BucketName("string")
            .s3ObjectAcl("string")
            .build())
        .ocspConfiguration(CertificateAuthorityRevocationConfigurationOcspConfigurationArgs.builder()
            .enabled(false)
            .ocspCustomCname("string")
            .build())
        .build())
    .tags(Map.of("string", "string"))
    .type("string")
    .usageMode("string")
    .build());

certificate_authority_resource = aws.acmpca.CertificateAuthority("certificateAuthorityResource",
    certificate_authority_configuration={
        "key_algorithm": "string",
        "signing_algorithm": "string",
        "subject": {
            "common_name": "string",
            "country": "string",
            "distinguished_name_qualifier": "string",
            "generation_qualifier": "string",
            "given_name": "string",
            "initials": "string",
            "locality": "string",
            "organization": "string",
            "organizational_unit": "string",
            "pseudonym": "string",
            "state": "string",
            "surname": "string",
            "title": "string",
        },
    },
    enabled=False,
    key_storage_security_standard="string",
    permanent_deletion_time_in_days=0,
    revocation_configuration={
        "crl_configuration": {
            "custom_cname": "string",
            "enabled": False,
            "expiration_in_days": 0,
            "s3_bucket_name": "string",
            "s3_object_acl": "string",
        },
        "ocsp_configuration": {
            "enabled": False,
            "ocsp_custom_cname": "string",
        },
    },
    tags={
        "string": "string",
    },
    type="string",
    usage_mode="string")

const certificateAuthorityResource = new aws.acmpca.CertificateAuthority("certificateAuthorityResource", {
    certificateAuthorityConfiguration: {
        keyAlgorithm: "string",
        signingAlgorithm: "string",
        subject: {
            commonName: "string",
            country: "string",
            distinguishedNameQualifier: "string",
            generationQualifier: "string",
            givenName: "string",
            initials: "string",
            locality: "string",
            organization: "string",
            organizationalUnit: "string",
            pseudonym: "string",
            state: "string",
            surname: "string",
            title: "string",
        },
    },
    enabled: false,
    keyStorageSecurityStandard: "string",
    permanentDeletionTimeInDays: 0,
    revocationConfiguration: {
        crlConfiguration: {
            customCname: "string",
            enabled: false,
            expirationInDays: 0,
            s3BucketName: "string",
            s3ObjectAcl: "string",
        },
        ocspConfiguration: {
            enabled: false,
            ocspCustomCname: "string",
        },
    },
    tags: {
        string: "string",
    },
    type: "string",
    usageMode: "string",
});

type: aws:acmpca:CertificateAuthority
properties:
    certificateAuthorityConfiguration:
        keyAlgorithm: string
        signingAlgorithm: string
        subject:
            commonName: string
            country: string
            distinguishedNameQualifier: string
            generationQualifier: string
            givenName: string
            initials: string
            locality: string
            organization: string
            organizationalUnit: string
            pseudonym: string
            state: string
            surname: string
            title: string
    enabled: false
    keyStorageSecurityStandard: string
    permanentDeletionTimeInDays: 0
    revocationConfiguration:
        crlConfiguration:
            customCname: string
            enabled: false
            expirationInDays: 0
            s3BucketName: string
            s3ObjectAcl: string
        ocspConfiguration:
            enabled: false
            ocspCustomCname: string
    tags:
        string: string
    type: string
    usageMode: string

CertificateAuthority Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.

The CertificateAuthority resource accepts the following input properties:

CertificateAuthorityConfiguration CertificateAuthorityCertificateAuthorityConfiguration: Nested argument containing algorithms and certificate subject information. Defined below.
Enabled bool: Whether the certificate authority is enabled or disabled. Defaults to true. Can only be disabled if the CA is in an ACTIVE state.
KeyStorageSecurityStandard string: Cryptographic key management compliance standard used for handling CA keys. Defaults to FIPS_140_2_LEVEL_3_OR_HIGHER. Valid values: FIPS_140_2_LEVEL_3_OR_HIGHER and FIPS_140_2_LEVEL_2_OR_HIGHER. Supported standard for each region can be found in the Storage and security compliance of AWS Private CA private keys Documentation.
PermanentDeletionTimeInDays int: Number of days to make a CA restorable after it has been deleted, must be between 7 to 30 days, with default to 30 days.
RevocationConfiguration CertificateAuthorityRevocationConfiguration: Nested argument containing revocation configuration. Defined below.
Tags Dictionary<string, string>: Key-value map of user-defined tags that are attached to the certificate authority. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
Type string: Type of the certificate authority. Defaults to SUBORDINATE. Valid values: ROOT and SUBORDINATE.
UsageMode string: Specifies whether the CA issues general-purpose certificates that typically require a revocation mechanism, or short-lived certificates that may optionally omit revocation because they expire quickly. Short-lived certificate validity is limited to seven days. Defaults to GENERAL_PURPOSE. Valid values: GENERAL_PURPOSE and SHORT_LIVED_CERTIFICATE.

CertificateAuthorityConfiguration CertificateAuthorityCertificateAuthorityConfigurationArgs: Nested argument containing algorithms and certificate subject information. Defined below.
Enabled bool: Whether the certificate authority is enabled or disabled. Defaults to true. Can only be disabled if the CA is in an ACTIVE state.
KeyStorageSecurityStandard string: Cryptographic key management compliance standard used for handling CA keys. Defaults to FIPS_140_2_LEVEL_3_OR_HIGHER. Valid values: FIPS_140_2_LEVEL_3_OR_HIGHER and FIPS_140_2_LEVEL_2_OR_HIGHER. Supported standard for each region can be found in the Storage and security compliance of AWS Private CA private keys Documentation.
PermanentDeletionTimeInDays int: Number of days to make a CA restorable after it has been deleted, must be between 7 to 30 days, with default to 30 days.
RevocationConfiguration CertificateAuthorityRevocationConfigurationArgs: Nested argument containing revocation configuration. Defined below.
Tags map[string]string: Key-value map of user-defined tags that are attached to the certificate authority. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
Type string: Type of the certificate authority. Defaults to SUBORDINATE. Valid values: ROOT and SUBORDINATE.
UsageMode string: Specifies whether the CA issues general-purpose certificates that typically require a revocation mechanism, or short-lived certificates that may optionally omit revocation because they expire quickly. Short-lived certificate validity is limited to seven days. Defaults to GENERAL_PURPOSE. Valid values: GENERAL_PURPOSE and SHORT_LIVED_CERTIFICATE.

certificateAuthorityConfiguration CertificateAuthorityCertificateAuthorityConfiguration: Nested argument containing algorithms and certificate subject information. Defined below.
enabled Boolean: Whether the certificate authority is enabled or disabled. Defaults to true. Can only be disabled if the CA is in an ACTIVE state.
keyStorageSecurityStandard String: Cryptographic key management compliance standard used for handling CA keys. Defaults to FIPS_140_2_LEVEL_3_OR_HIGHER. Valid values: FIPS_140_2_LEVEL_3_OR_HIGHER and FIPS_140_2_LEVEL_2_OR_HIGHER. Supported standard for each region can be found in the Storage and security compliance of AWS Private CA private keys Documentation.
permanentDeletionTimeInDays Integer: Number of days to make a CA restorable after it has been deleted, must be between 7 to 30 days, with default to 30 days.
revocationConfiguration CertificateAuthorityRevocationConfiguration: Nested argument containing revocation configuration. Defined below.
tags Map<String,String>: Key-value map of user-defined tags that are attached to the certificate authority. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
type String: Type of the certificate authority. Defaults to SUBORDINATE. Valid values: ROOT and SUBORDINATE.
usageMode String: Specifies whether the CA issues general-purpose certificates that typically require a revocation mechanism, or short-lived certificates that may optionally omit revocation because they expire quickly. Short-lived certificate validity is limited to seven days. Defaults to GENERAL_PURPOSE. Valid values: GENERAL_PURPOSE and SHORT_LIVED_CERTIFICATE.

certificateAuthorityConfiguration CertificateAuthorityCertificateAuthorityConfiguration: Nested argument containing algorithms and certificate subject information. Defined below.
enabled boolean: Whether the certificate authority is enabled or disabled. Defaults to true. Can only be disabled if the CA is in an ACTIVE state.
keyStorageSecurityStandard string: Cryptographic key management compliance standard used for handling CA keys. Defaults to FIPS_140_2_LEVEL_3_OR_HIGHER. Valid values: FIPS_140_2_LEVEL_3_OR_HIGHER and FIPS_140_2_LEVEL_2_OR_HIGHER. Supported standard for each region can be found in the Storage and security compliance of AWS Private CA private keys Documentation.
permanentDeletionTimeInDays number: Number of days to make a CA restorable after it has been deleted, must be between 7 to 30 days, with default to 30 days.
revocationConfiguration CertificateAuthorityRevocationConfiguration: Nested argument containing revocation configuration. Defined below.
tags {[key: string]: string}: Key-value map of user-defined tags that are attached to the certificate authority. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
type string: Type of the certificate authority. Defaults to SUBORDINATE. Valid values: ROOT and SUBORDINATE.
usageMode string: Specifies whether the CA issues general-purpose certificates that typically require a revocation mechanism, or short-lived certificates that may optionally omit revocation because they expire quickly. Short-lived certificate validity is limited to seven days. Defaults to GENERAL_PURPOSE. Valid values: GENERAL_PURPOSE and SHORT_LIVED_CERTIFICATE.

certificate_authority_configuration CertificateAuthorityCertificateAuthorityConfigurationArgs: Nested argument containing algorithms and certificate subject information. Defined below.
enabled bool: Whether the certificate authority is enabled or disabled. Defaults to true. Can only be disabled if the CA is in an ACTIVE state.
key_storage_security_standard str: Cryptographic key management compliance standard used for handling CA keys. Defaults to FIPS_140_2_LEVEL_3_OR_HIGHER. Valid values: FIPS_140_2_LEVEL_3_OR_HIGHER and FIPS_140_2_LEVEL_2_OR_HIGHER. Supported standard for each region can be found in the Storage and security compliance of AWS Private CA private keys Documentation.
permanent_deletion_time_in_days int: Number of days to make a CA restorable after it has been deleted, must be between 7 to 30 days, with default to 30 days.
revocation_configuration CertificateAuthorityRevocationConfigurationArgs: Nested argument containing revocation configuration. Defined below.
tags Mapping[str, str]: Key-value map of user-defined tags that are attached to the certificate authority. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
type str: Type of the certificate authority. Defaults to SUBORDINATE. Valid values: ROOT and SUBORDINATE.
usage_mode str: Specifies whether the CA issues general-purpose certificates that typically require a revocation mechanism, or short-lived certificates that may optionally omit revocation because they expire quickly. Short-lived certificate validity is limited to seven days. Defaults to GENERAL_PURPOSE. Valid values: GENERAL_PURPOSE and SHORT_LIVED_CERTIFICATE.

certificateAuthorityConfiguration Property Map: Nested argument containing algorithms and certificate subject information. Defined below.
enabled Boolean: Whether the certificate authority is enabled or disabled. Defaults to true. Can only be disabled if the CA is in an ACTIVE state.
keyStorageSecurityStandard String: Cryptographic key management compliance standard used for handling CA keys. Defaults to FIPS_140_2_LEVEL_3_OR_HIGHER. Valid values: FIPS_140_2_LEVEL_3_OR_HIGHER and FIPS_140_2_LEVEL_2_OR_HIGHER. Supported standard for each region can be found in the Storage and security compliance of AWS Private CA private keys Documentation.
permanentDeletionTimeInDays Number: Number of days to make a CA restorable after it has been deleted, must be between 7 to 30 days, with default to 30 days.
revocationConfiguration Property Map: Nested argument containing revocation configuration. Defined below.
tags Map<String>: Key-value map of user-defined tags that are attached to the certificate authority. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
type String: Type of the certificate authority. Defaults to SUBORDINATE. Valid values: ROOT and SUBORDINATE.
usageMode String: Specifies whether the CA issues general-purpose certificates that typically require a revocation mechanism, or short-lived certificates that may optionally omit revocation because they expire quickly. Short-lived certificate validity is limited to seven days. Defaults to GENERAL_PURPOSE. Valid values: GENERAL_PURPOSE and SHORT_LIVED_CERTIFICATE.

Outputs

All input properties are implicitly available as output properties. Additionally, the CertificateAuthority resource produces the following output properties:

Arn string: ARN of the certificate authority.
Certificate string: Base64-encoded certificate authority (CA) certificate. Only available after the certificate authority certificate has been imported.
CertificateChain string: Base64-encoded certificate chain that includes any intermediate certificates and chains up to root on-premises certificate that you used to sign your private CA certificate. The chain does not include your private CA certificate. Only available after the certificate authority certificate has been imported.
CertificateSigningRequest string: The base64 PEM-encoded certificate signing request (CSR) for your private CA certificate.
Id string: The provider-assigned unique ID for this managed resource.
NotAfter string: Date and time after which the certificate authority is not valid. Only available after the certificate authority certificate has been imported.
NotBefore string: Date and time before which the certificate authority is not valid. Only available after the certificate authority certificate has been imported.
Serial string: Serial number of the certificate authority. Only available after the certificate authority certificate has been imported.
TagsAll Dictionary<string, string>: Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
Deprecated: Please use tags instead.

Arn string: ARN of the certificate authority.
Certificate string: Base64-encoded certificate authority (CA) certificate. Only available after the certificate authority certificate has been imported.
CertificateChain string: Base64-encoded certificate chain that includes any intermediate certificates and chains up to root on-premises certificate that you used to sign your private CA certificate. The chain does not include your private CA certificate. Only available after the certificate authority certificate has been imported.
CertificateSigningRequest string: The base64 PEM-encoded certificate signing request (CSR) for your private CA certificate.
Id string: The provider-assigned unique ID for this managed resource.
NotAfter string: Date and time after which the certificate authority is not valid. Only available after the certificate authority certificate has been imported.
NotBefore string: Date and time before which the certificate authority is not valid. Only available after the certificate authority certificate has been imported.
Serial string: Serial number of the certificate authority. Only available after the certificate authority certificate has been imported.
TagsAll map[string]string: Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
Deprecated: Please use tags instead.

arn String: ARN of the certificate authority.
certificate String: Base64-encoded certificate authority (CA) certificate. Only available after the certificate authority certificate has been imported.
certificateChain String: Base64-encoded certificate chain that includes any intermediate certificates and chains up to root on-premises certificate that you used to sign your private CA certificate. The chain does not include your private CA certificate. Only available after the certificate authority certificate has been imported.
certificateSigningRequest String: The base64 PEM-encoded certificate signing request (CSR) for your private CA certificate.
id String: The provider-assigned unique ID for this managed resource.
notAfter String: Date and time after which the certificate authority is not valid. Only available after the certificate authority certificate has been imported.
notBefore String: Date and time before which the certificate authority is not valid. Only available after the certificate authority certificate has been imported.
serial String: Serial number of the certificate authority. Only available after the certificate authority certificate has been imported.
tagsAll Map<String,String>: Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
Deprecated: Please use tags instead.

arn string: ARN of the certificate authority.
certificate string: Base64-encoded certificate authority (CA) certificate. Only available after the certificate authority certificate has been imported.
certificateChain string: Base64-encoded certificate chain that includes any intermediate certificates and chains up to root on-premises certificate that you used to sign your private CA certificate. The chain does not include your private CA certificate. Only available after the certificate authority certificate has been imported.
certificateSigningRequest string: The base64 PEM-encoded certificate signing request (CSR) for your private CA certificate.
id string: The provider-assigned unique ID for this managed resource.
notAfter string: Date and time after which the certificate authority is not valid. Only available after the certificate authority certificate has been imported.
notBefore string: Date and time before which the certificate authority is not valid. Only available after the certificate authority certificate has been imported.
serial string: Serial number of the certificate authority. Only available after the certificate authority certificate has been imported.
tagsAll {[key: string]: string}: Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
Deprecated: Please use tags instead.

arn str: ARN of the certificate authority.
certificate str: Base64-encoded certificate authority (CA) certificate. Only available after the certificate authority certificate has been imported.
certificate_chain str: Base64-encoded certificate chain that includes any intermediate certificates and chains up to root on-premises certificate that you used to sign your private CA certificate. The chain does not include your private CA certificate. Only available after the certificate authority certificate has been imported.
certificate_signing_request str: The base64 PEM-encoded certificate signing request (CSR) for your private CA certificate.
id str: The provider-assigned unique ID for this managed resource.
not_after str: Date and time after which the certificate authority is not valid. Only available after the certificate authority certificate has been imported.
not_before str: Date and time before which the certificate authority is not valid. Only available after the certificate authority certificate has been imported.
serial str: Serial number of the certificate authority. Only available after the certificate authority certificate has been imported.
tags_all Mapping[str, str]: Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
Deprecated: Please use tags instead.

arn String: ARN of the certificate authority.
certificate String: Base64-encoded certificate authority (CA) certificate. Only available after the certificate authority certificate has been imported.
certificateChain String: Base64-encoded certificate chain that includes any intermediate certificates and chains up to root on-premises certificate that you used to sign your private CA certificate. The chain does not include your private CA certificate. Only available after the certificate authority certificate has been imported.
certificateSigningRequest String: The base64 PEM-encoded certificate signing request (CSR) for your private CA certificate.
id String: The provider-assigned unique ID for this managed resource.
notAfter String: Date and time after which the certificate authority is not valid. Only available after the certificate authority certificate has been imported.
notBefore String: Date and time before which the certificate authority is not valid. Only available after the certificate authority certificate has been imported.
serial String: Serial number of the certificate authority. Only available after the certificate authority certificate has been imported.
tagsAll Map<String>: Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
Deprecated: Please use tags instead.

Look up Existing CertificateAuthority Resource

Get an existing CertificateAuthority resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: CertificateAuthorityState, opts?: CustomResourceOptions): CertificateAuthority

@staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        arn: Optional[str] = None,
        certificate: Optional[str] = None,
        certificate_authority_configuration: Optional[CertificateAuthorityCertificateAuthorityConfigurationArgs] = None,
        certificate_chain: Optional[str] = None,
        certificate_signing_request: Optional[str] = None,
        enabled: Optional[bool] = None,
        key_storage_security_standard: Optional[str] = None,
        not_after: Optional[str] = None,
        not_before: Optional[str] = None,
        permanent_deletion_time_in_days: Optional[int] = None,
        revocation_configuration: Optional[CertificateAuthorityRevocationConfigurationArgs] = None,
        serial: Optional[str] = None,
        tags: Optional[Mapping[str, str]] = None,
        tags_all: Optional[Mapping[str, str]] = None,
        type: Optional[str] = None,
        usage_mode: Optional[str] = None) -> CertificateAuthority

func GetCertificateAuthority(ctx *Context, name string, id IDInput, state *CertificateAuthorityState, opts ...ResourceOption) (*CertificateAuthority, error)

public static CertificateAuthority Get(string name, Input<string> id, CertificateAuthorityState? state, CustomResourceOptions? opts = null)

public static CertificateAuthority get(String name, Output<String> id, CertificateAuthorityState state, CustomResourceOptions options)

resources:  _:    type: aws:acmpca:CertificateAuthority    get:      id: ${id}

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

resource_name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

The following state arguments are supported:

Arn string: ARN of the certificate authority.
Certificate string: Base64-encoded certificate authority (CA) certificate. Only available after the certificate authority certificate has been imported.
CertificateAuthorityConfiguration CertificateAuthorityCertificateAuthorityConfiguration: Nested argument containing algorithms and certificate subject information. Defined below.
CertificateChain string: Base64-encoded certificate chain that includes any intermediate certificates and chains up to root on-premises certificate that you used to sign your private CA certificate. The chain does not include your private CA certificate. Only available after the certificate authority certificate has been imported.
CertificateSigningRequest string: The base64 PEM-encoded certificate signing request (CSR) for your private CA certificate.
Enabled bool: Whether the certificate authority is enabled or disabled. Defaults to true. Can only be disabled if the CA is in an ACTIVE state.
KeyStorageSecurityStandard string: Cryptographic key management compliance standard used for handling CA keys. Defaults to FIPS_140_2_LEVEL_3_OR_HIGHER. Valid values: FIPS_140_2_LEVEL_3_OR_HIGHER and FIPS_140_2_LEVEL_2_OR_HIGHER. Supported standard for each region can be found in the Storage and security compliance of AWS Private CA private keys Documentation.
NotAfter string: Date and time after which the certificate authority is not valid. Only available after the certificate authority certificate has been imported.
NotBefore string: Date and time before which the certificate authority is not valid. Only available after the certificate authority certificate has been imported.
PermanentDeletionTimeInDays int: Number of days to make a CA restorable after it has been deleted, must be between 7 to 30 days, with default to 30 days.
RevocationConfiguration CertificateAuthorityRevocationConfiguration: Nested argument containing revocation configuration. Defined below.
Serial string: Serial number of the certificate authority. Only available after the certificate authority certificate has been imported.
Tags Dictionary<string, string>: Key-value map of user-defined tags that are attached to the certificate authority. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
TagsAll Dictionary<string, string>: Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
Deprecated: Please use tags instead.
Type string: Type of the certificate authority. Defaults to SUBORDINATE. Valid values: ROOT and SUBORDINATE.
UsageMode string: Specifies whether the CA issues general-purpose certificates that typically require a revocation mechanism, or short-lived certificates that may optionally omit revocation because they expire quickly. Short-lived certificate validity is limited to seven days. Defaults to GENERAL_PURPOSE. Valid values: GENERAL_PURPOSE and SHORT_LIVED_CERTIFICATE.

Arn string: ARN of the certificate authority.
Certificate string: Base64-encoded certificate authority (CA) certificate. Only available after the certificate authority certificate has been imported.
CertificateAuthorityConfiguration CertificateAuthorityCertificateAuthorityConfigurationArgs: Nested argument containing algorithms and certificate subject information. Defined below.
CertificateChain string: Base64-encoded certificate chain that includes any intermediate certificates and chains up to root on-premises certificate that you used to sign your private CA certificate. The chain does not include your private CA certificate. Only available after the certificate authority certificate has been imported.
CertificateSigningRequest string: The base64 PEM-encoded certificate signing request (CSR) for your private CA certificate.
Enabled bool: Whether the certificate authority is enabled or disabled. Defaults to true. Can only be disabled if the CA is in an ACTIVE state.
KeyStorageSecurityStandard string: Cryptographic key management compliance standard used for handling CA keys. Defaults to FIPS_140_2_LEVEL_3_OR_HIGHER. Valid values: FIPS_140_2_LEVEL_3_OR_HIGHER and FIPS_140_2_LEVEL_2_OR_HIGHER. Supported standard for each region can be found in the Storage and security compliance of AWS Private CA private keys Documentation.
NotAfter string: Date and time after which the certificate authority is not valid. Only available after the certificate authority certificate has been imported.
NotBefore string: Date and time before which the certificate authority is not valid. Only available after the certificate authority certificate has been imported.
PermanentDeletionTimeInDays int: Number of days to make a CA restorable after it has been deleted, must be between 7 to 30 days, with default to 30 days.
RevocationConfiguration CertificateAuthorityRevocationConfigurationArgs: Nested argument containing revocation configuration. Defined below.
Serial string: Serial number of the certificate authority. Only available after the certificate authority certificate has been imported.
Tags map[string]string: Key-value map of user-defined tags that are attached to the certificate authority. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
TagsAll map[string]string: Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
Deprecated: Please use tags instead.
Type string: Type of the certificate authority. Defaults to SUBORDINATE. Valid values: ROOT and SUBORDINATE.
UsageMode string: Specifies whether the CA issues general-purpose certificates that typically require a revocation mechanism, or short-lived certificates that may optionally omit revocation because they expire quickly. Short-lived certificate validity is limited to seven days. Defaults to GENERAL_PURPOSE. Valid values: GENERAL_PURPOSE and SHORT_LIVED_CERTIFICATE.

arn String: ARN of the certificate authority.
certificate String: Base64-encoded certificate authority (CA) certificate. Only available after the certificate authority certificate has been imported.
certificateAuthorityConfiguration CertificateAuthorityCertificateAuthorityConfiguration: Nested argument containing algorithms and certificate subject information. Defined below.
certificateChain String: Base64-encoded certificate chain that includes any intermediate certificates and chains up to root on-premises certificate that you used to sign your private CA certificate. The chain does not include your private CA certificate. Only available after the certificate authority certificate has been imported.
certificateSigningRequest String: The base64 PEM-encoded certificate signing request (CSR) for your private CA certificate.
enabled Boolean: Whether the certificate authority is enabled or disabled. Defaults to true. Can only be disabled if the CA is in an ACTIVE state.
keyStorageSecurityStandard String: Cryptographic key management compliance standard used for handling CA keys. Defaults to FIPS_140_2_LEVEL_3_OR_HIGHER. Valid values: FIPS_140_2_LEVEL_3_OR_HIGHER and FIPS_140_2_LEVEL_2_OR_HIGHER. Supported standard for each region can be found in the Storage and security compliance of AWS Private CA private keys Documentation.
notAfter String: Date and time after which the certificate authority is not valid. Only available after the certificate authority certificate has been imported.
notBefore String: Date and time before which the certificate authority is not valid. Only available after the certificate authority certificate has been imported.
permanentDeletionTimeInDays Integer: Number of days to make a CA restorable after it has been deleted, must be between 7 to 30 days, with default to 30 days.
revocationConfiguration CertificateAuthorityRevocationConfiguration: Nested argument containing revocation configuration. Defined below.
serial String: Serial number of the certificate authority. Only available after the certificate authority certificate has been imported.
tags Map<String,String>: Key-value map of user-defined tags that are attached to the certificate authority. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
tagsAll Map<String,String>: Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
Deprecated: Please use tags instead.
type String: Type of the certificate authority. Defaults to SUBORDINATE. Valid values: ROOT and SUBORDINATE.
usageMode String: Specifies whether the CA issues general-purpose certificates that typically require a revocation mechanism, or short-lived certificates that may optionally omit revocation because they expire quickly. Short-lived certificate validity is limited to seven days. Defaults to GENERAL_PURPOSE. Valid values: GENERAL_PURPOSE and SHORT_LIVED_CERTIFICATE.

arn string: ARN of the certificate authority.
certificate string: Base64-encoded certificate authority (CA) certificate. Only available after the certificate authority certificate has been imported.
certificateAuthorityConfiguration CertificateAuthorityCertificateAuthorityConfiguration: Nested argument containing algorithms and certificate subject information. Defined below.
certificateChain string: Base64-encoded certificate chain that includes any intermediate certificates and chains up to root on-premises certificate that you used to sign your private CA certificate. The chain does not include your private CA certificate. Only available after the certificate authority certificate has been imported.
certificateSigningRequest string: The base64 PEM-encoded certificate signing request (CSR) for your private CA certificate.
enabled boolean: Whether the certificate authority is enabled or disabled. Defaults to true. Can only be disabled if the CA is in an ACTIVE state.
keyStorageSecurityStandard string: Cryptographic key management compliance standard used for handling CA keys. Defaults to FIPS_140_2_LEVEL_3_OR_HIGHER. Valid values: FIPS_140_2_LEVEL_3_OR_HIGHER and FIPS_140_2_LEVEL_2_OR_HIGHER. Supported standard for each region can be found in the Storage and security compliance of AWS Private CA private keys Documentation.
notAfter string: Date and time after which the certificate authority is not valid. Only available after the certificate authority certificate has been imported.
notBefore string: Date and time before which the certificate authority is not valid. Only available after the certificate authority certificate has been imported.
permanentDeletionTimeInDays number: Number of days to make a CA restorable after it has been deleted, must be between 7 to 30 days, with default to 30 days.
revocationConfiguration CertificateAuthorityRevocationConfiguration: Nested argument containing revocation configuration. Defined below.
serial string: Serial number of the certificate authority. Only available after the certificate authority certificate has been imported.
tags {[key: string]: string}: Key-value map of user-defined tags that are attached to the certificate authority. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
tagsAll {[key: string]: string}: Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
Deprecated: Please use tags instead.
type string: Type of the certificate authority. Defaults to SUBORDINATE. Valid values: ROOT and SUBORDINATE.
usageMode string: Specifies whether the CA issues general-purpose certificates that typically require a revocation mechanism, or short-lived certificates that may optionally omit revocation because they expire quickly. Short-lived certificate validity is limited to seven days. Defaults to GENERAL_PURPOSE. Valid values: GENERAL_PURPOSE and SHORT_LIVED_CERTIFICATE.

arn str: ARN of the certificate authority.
certificate str: Base64-encoded certificate authority (CA) certificate. Only available after the certificate authority certificate has been imported.
certificate_authority_configuration CertificateAuthorityCertificateAuthorityConfigurationArgs: Nested argument containing algorithms and certificate subject information. Defined below.
certificate_chain str: Base64-encoded certificate chain that includes any intermediate certificates and chains up to root on-premises certificate that you used to sign your private CA certificate. The chain does not include your private CA certificate. Only available after the certificate authority certificate has been imported.
certificate_signing_request str: The base64 PEM-encoded certificate signing request (CSR) for your private CA certificate.
enabled bool: Whether the certificate authority is enabled or disabled. Defaults to true. Can only be disabled if the CA is in an ACTIVE state.
key_storage_security_standard str: Cryptographic key management compliance standard used for handling CA keys. Defaults to FIPS_140_2_LEVEL_3_OR_HIGHER. Valid values: FIPS_140_2_LEVEL_3_OR_HIGHER and FIPS_140_2_LEVEL_2_OR_HIGHER. Supported standard for each region can be found in the Storage and security compliance of AWS Private CA private keys Documentation.
not_after str: Date and time after which the certificate authority is not valid. Only available after the certificate authority certificate has been imported.
not_before str: Date and time before which the certificate authority is not valid. Only available after the certificate authority certificate has been imported.
permanent_deletion_time_in_days int: Number of days to make a CA restorable after it has been deleted, must be between 7 to 30 days, with default to 30 days.
revocation_configuration CertificateAuthorityRevocationConfigurationArgs: Nested argument containing revocation configuration. Defined below.
serial str: Serial number of the certificate authority. Only available after the certificate authority certificate has been imported.
tags Mapping[str, str]: Key-value map of user-defined tags that are attached to the certificate authority. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
tags_all Mapping[str, str]: Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
Deprecated: Please use tags instead.
type str: Type of the certificate authority. Defaults to SUBORDINATE. Valid values: ROOT and SUBORDINATE.
usage_mode str: Specifies whether the CA issues general-purpose certificates that typically require a revocation mechanism, or short-lived certificates that may optionally omit revocation because they expire quickly. Short-lived certificate validity is limited to seven days. Defaults to GENERAL_PURPOSE. Valid values: GENERAL_PURPOSE and SHORT_LIVED_CERTIFICATE.

arn String: ARN of the certificate authority.
certificate String: Base64-encoded certificate authority (CA) certificate. Only available after the certificate authority certificate has been imported.
certificateAuthorityConfiguration Property Map: Nested argument containing algorithms and certificate subject information. Defined below.
certificateChain String: Base64-encoded certificate chain that includes any intermediate certificates and chains up to root on-premises certificate that you used to sign your private CA certificate. The chain does not include your private CA certificate. Only available after the certificate authority certificate has been imported.
certificateSigningRequest String: The base64 PEM-encoded certificate signing request (CSR) for your private CA certificate.
enabled Boolean: Whether the certificate authority is enabled or disabled. Defaults to true. Can only be disabled if the CA is in an ACTIVE state.
keyStorageSecurityStandard String: Cryptographic key management compliance standard used for handling CA keys. Defaults to FIPS_140_2_LEVEL_3_OR_HIGHER. Valid values: FIPS_140_2_LEVEL_3_OR_HIGHER and FIPS_140_2_LEVEL_2_OR_HIGHER. Supported standard for each region can be found in the Storage and security compliance of AWS Private CA private keys Documentation.
notAfter String: Date and time after which the certificate authority is not valid. Only available after the certificate authority certificate has been imported.
notBefore String: Date and time before which the certificate authority is not valid. Only available after the certificate authority certificate has been imported.
permanentDeletionTimeInDays Number: Number of days to make a CA restorable after it has been deleted, must be between 7 to 30 days, with default to 30 days.
revocationConfiguration Property Map: Nested argument containing revocation configuration. Defined below.
serial String: Serial number of the certificate authority. Only available after the certificate authority certificate has been imported.
tags Map<String>: Key-value map of user-defined tags that are attached to the certificate authority. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
tagsAll Map<String>: Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
Deprecated: Please use tags instead.
type String: Type of the certificate authority. Defaults to SUBORDINATE. Valid values: ROOT and SUBORDINATE.
usageMode String: Specifies whether the CA issues general-purpose certificates that typically require a revocation mechanism, or short-lived certificates that may optionally omit revocation because they expire quickly. Short-lived certificate validity is limited to seven days. Defaults to GENERAL_PURPOSE. Valid values: GENERAL_PURPOSE and SHORT_LIVED_CERTIFICATE.

Supporting Types

CertificateAuthorityCertificateAuthorityConfiguration, CertificateAuthorityCertificateAuthorityConfigurationArgs

KeyAlgorithm string: Type of the public key algorithm and size, in bits, of the key pair that your key pair creates when it issues a certificate. Valid values can be found in the ACM PCA Documentation.
SigningAlgorithm string: Name of the algorithm your private CA uses to sign certificate requests. Valid values can be found in the ACM PCA Documentation.
Subject CertificateAuthorityCertificateAuthorityConfigurationSubject: Nested argument that contains X.500 distinguished name information. At least one nested attribute must be specified.

KeyAlgorithm string: Type of the public key algorithm and size, in bits, of the key pair that your key pair creates when it issues a certificate. Valid values can be found in the ACM PCA Documentation.
SigningAlgorithm string: Name of the algorithm your private CA uses to sign certificate requests. Valid values can be found in the ACM PCA Documentation.
Subject CertificateAuthorityCertificateAuthorityConfigurationSubject: Nested argument that contains X.500 distinguished name information. At least one nested attribute must be specified.

keyAlgorithm String: Type of the public key algorithm and size, in bits, of the key pair that your key pair creates when it issues a certificate. Valid values can be found in the ACM PCA Documentation.
signingAlgorithm String: Name of the algorithm your private CA uses to sign certificate requests. Valid values can be found in the ACM PCA Documentation.
subject CertificateAuthorityCertificateAuthorityConfigurationSubject: Nested argument that contains X.500 distinguished name information. At least one nested attribute must be specified.

keyAlgorithm string: Type of the public key algorithm and size, in bits, of the key pair that your key pair creates when it issues a certificate. Valid values can be found in the ACM PCA Documentation.
signingAlgorithm string: Name of the algorithm your private CA uses to sign certificate requests. Valid values can be found in the ACM PCA Documentation.
subject CertificateAuthorityCertificateAuthorityConfigurationSubject: Nested argument that contains X.500 distinguished name information. At least one nested attribute must be specified.

key_algorithm str: Type of the public key algorithm and size, in bits, of the key pair that your key pair creates when it issues a certificate. Valid values can be found in the ACM PCA Documentation.
signing_algorithm str: Name of the algorithm your private CA uses to sign certificate requests. Valid values can be found in the ACM PCA Documentation.
subject CertificateAuthorityCertificateAuthorityConfigurationSubject: Nested argument that contains X.500 distinguished name information. At least one nested attribute must be specified.

keyAlgorithm String: Type of the public key algorithm and size, in bits, of the key pair that your key pair creates when it issues a certificate. Valid values can be found in the ACM PCA Documentation.
signingAlgorithm String: Name of the algorithm your private CA uses to sign certificate requests. Valid values can be found in the ACM PCA Documentation.
subject Property Map: Nested argument that contains X.500 distinguished name information. At least one nested attribute must be specified.

CertificateAuthorityCertificateAuthorityConfigurationSubject, CertificateAuthorityCertificateAuthorityConfigurationSubjectArgs

CommonName string: Fully qualified domain name (FQDN) associated with the certificate subject. Must be less than or equal to 64 characters in length.
Country string: Two digit code that specifies the country in which the certificate subject located. Must be less than or equal to 2 characters in length.
DistinguishedNameQualifier string: Disambiguating information for the certificate subject. Must be less than or equal to 64 characters in length.
GenerationQualifier string: Typically a qualifier appended to the name of an individual. Examples include Jr. for junior, Sr. for senior, and III for third. Must be less than or equal to 3 characters in length.
GivenName string: First name. Must be less than or equal to 16 characters in length.
Initials string: Concatenation that typically contains the first letter of the given_name, the first letter of the middle name if one exists, and the first letter of the surname. Must be less than or equal to 5 characters in length.
Locality string: Locality (such as a city or town) in which the certificate subject is located. Must be less than or equal to 128 characters in length.
Organization string: Legal name of the organization with which the certificate subject is affiliated. Must be less than or equal to 64 characters in length.
OrganizationalUnit string: Subdivision or unit of the organization (such as sales or finance) with which the certificate subject is affiliated. Must be less than or equal to 64 characters in length.
Pseudonym string: Typically a shortened version of a longer given_name. For example, Jonathan is often shortened to John. Elizabeth is often shortened to Beth, Liz, or Eliza. Must be less than or equal to 128 characters in length.
State string: State in which the subject of the certificate is located. Must be less than or equal to 128 characters in length.
Surname string: Family name. In the US and the UK for example, the surname of an individual is ordered last. In Asian cultures the surname is typically ordered first. Must be less than or equal to 40 characters in length.
Title string: Title such as Mr. or Ms. which is pre-pended to the name to refer formally to the certificate subject. Must be less than or equal to 64 characters in length.

CommonName string: Fully qualified domain name (FQDN) associated with the certificate subject. Must be less than or equal to 64 characters in length.
Country string: Two digit code that specifies the country in which the certificate subject located. Must be less than or equal to 2 characters in length.
DistinguishedNameQualifier string: Disambiguating information for the certificate subject. Must be less than or equal to 64 characters in length.
GenerationQualifier string: Typically a qualifier appended to the name of an individual. Examples include Jr. for junior, Sr. for senior, and III for third. Must be less than or equal to 3 characters in length.
GivenName string: First name. Must be less than or equal to 16 characters in length.
Initials string: Concatenation that typically contains the first letter of the given_name, the first letter of the middle name if one exists, and the first letter of the surname. Must be less than or equal to 5 characters in length.
Locality string: Locality (such as a city or town) in which the certificate subject is located. Must be less than or equal to 128 characters in length.
Organization string: Legal name of the organization with which the certificate subject is affiliated. Must be less than or equal to 64 characters in length.
OrganizationalUnit string: Subdivision or unit of the organization (such as sales or finance) with which the certificate subject is affiliated. Must be less than or equal to 64 characters in length.
Pseudonym string: Typically a shortened version of a longer given_name. For example, Jonathan is often shortened to John. Elizabeth is often shortened to Beth, Liz, or Eliza. Must be less than or equal to 128 characters in length.
State string: State in which the subject of the certificate is located. Must be less than or equal to 128 characters in length.
Surname string: Family name. In the US and the UK for example, the surname of an individual is ordered last. In Asian cultures the surname is typically ordered first. Must be less than or equal to 40 characters in length.
Title string: Title such as Mr. or Ms. which is pre-pended to the name to refer formally to the certificate subject. Must be less than or equal to 64 characters in length.

commonName String: Fully qualified domain name (FQDN) associated with the certificate subject. Must be less than or equal to 64 characters in length.
country String: Two digit code that specifies the country in which the certificate subject located. Must be less than or equal to 2 characters in length.
distinguishedNameQualifier String: Disambiguating information for the certificate subject. Must be less than or equal to 64 characters in length.
generationQualifier String: Typically a qualifier appended to the name of an individual. Examples include Jr. for junior, Sr. for senior, and III for third. Must be less than or equal to 3 characters in length.
givenName String: First name. Must be less than or equal to 16 characters in length.
initials String: Concatenation that typically contains the first letter of the given_name, the first letter of the middle name if one exists, and the first letter of the surname. Must be less than or equal to 5 characters in length.
locality String: Locality (such as a city or town) in which the certificate subject is located. Must be less than or equal to 128 characters in length.
organization String: Legal name of the organization with which the certificate subject is affiliated. Must be less than or equal to 64 characters in length.
organizationalUnit String: Subdivision or unit of the organization (such as sales or finance) with which the certificate subject is affiliated. Must be less than or equal to 64 characters in length.
pseudonym String: Typically a shortened version of a longer given_name. For example, Jonathan is often shortened to John. Elizabeth is often shortened to Beth, Liz, or Eliza. Must be less than or equal to 128 characters in length.
state String: State in which the subject of the certificate is located. Must be less than or equal to 128 characters in length.
surname String: Family name. In the US and the UK for example, the surname of an individual is ordered last. In Asian cultures the surname is typically ordered first. Must be less than or equal to 40 characters in length.
title String: Title such as Mr. or Ms. which is pre-pended to the name to refer formally to the certificate subject. Must be less than or equal to 64 characters in length.

commonName string: Fully qualified domain name (FQDN) associated with the certificate subject. Must be less than or equal to 64 characters in length.
country string: Two digit code that specifies the country in which the certificate subject located. Must be less than or equal to 2 characters in length.
distinguishedNameQualifier string: Disambiguating information for the certificate subject. Must be less than or equal to 64 characters in length.
generationQualifier string: Typically a qualifier appended to the name of an individual. Examples include Jr. for junior, Sr. for senior, and III for third. Must be less than or equal to 3 characters in length.
givenName string: First name. Must be less than or equal to 16 characters in length.
initials string: Concatenation that typically contains the first letter of the given_name, the first letter of the middle name if one exists, and the first letter of the surname. Must be less than or equal to 5 characters in length.
locality string: Locality (such as a city or town) in which the certificate subject is located. Must be less than or equal to 128 characters in length.
organization string: Legal name of the organization with which the certificate subject is affiliated. Must be less than or equal to 64 characters in length.
organizationalUnit string: Subdivision or unit of the organization (such as sales or finance) with which the certificate subject is affiliated. Must be less than or equal to 64 characters in length.
pseudonym string: Typically a shortened version of a longer given_name. For example, Jonathan is often shortened to John. Elizabeth is often shortened to Beth, Liz, or Eliza. Must be less than or equal to 128 characters in length.
state string: State in which the subject of the certificate is located. Must be less than or equal to 128 characters in length.
surname string: Family name. In the US and the UK for example, the surname of an individual is ordered last. In Asian cultures the surname is typically ordered first. Must be less than or equal to 40 characters in length.
title string: Title such as Mr. or Ms. which is pre-pended to the name to refer formally to the certificate subject. Must be less than or equal to 64 characters in length.

common_name str: Fully qualified domain name (FQDN) associated with the certificate subject. Must be less than or equal to 64 characters in length.
country str: Two digit code that specifies the country in which the certificate subject located. Must be less than or equal to 2 characters in length.
distinguished_name_qualifier str: Disambiguating information for the certificate subject. Must be less than or equal to 64 characters in length.
generation_qualifier str: Typically a qualifier appended to the name of an individual. Examples include Jr. for junior, Sr. for senior, and III for third. Must be less than or equal to 3 characters in length.
given_name str: First name. Must be less than or equal to 16 characters in length.
initials str: Concatenation that typically contains the first letter of the given_name, the first letter of the middle name if one exists, and the first letter of the surname. Must be less than or equal to 5 characters in length.
locality str: Locality (such as a city or town) in which the certificate subject is located. Must be less than or equal to 128 characters in length.
organization str: Legal name of the organization with which the certificate subject is affiliated. Must be less than or equal to 64 characters in length.
organizational_unit str: Subdivision or unit of the organization (such as sales or finance) with which the certificate subject is affiliated. Must be less than or equal to 64 characters in length.
pseudonym str: Typically a shortened version of a longer given_name. For example, Jonathan is often shortened to John. Elizabeth is often shortened to Beth, Liz, or Eliza. Must be less than or equal to 128 characters in length.
state str: State in which the subject of the certificate is located. Must be less than or equal to 128 characters in length.
surname str: Family name. In the US and the UK for example, the surname of an individual is ordered last. In Asian cultures the surname is typically ordered first. Must be less than or equal to 40 characters in length.
title str: Title such as Mr. or Ms. which is pre-pended to the name to refer formally to the certificate subject. Must be less than or equal to 64 characters in length.

commonName String: Fully qualified domain name (FQDN) associated with the certificate subject. Must be less than or equal to 64 characters in length.
country String: Two digit code that specifies the country in which the certificate subject located. Must be less than or equal to 2 characters in length.
distinguishedNameQualifier String: Disambiguating information for the certificate subject. Must be less than or equal to 64 characters in length.
generationQualifier String: Typically a qualifier appended to the name of an individual. Examples include Jr. for junior, Sr. for senior, and III for third. Must be less than or equal to 3 characters in length.
givenName String: First name. Must be less than or equal to 16 characters in length.
initials String: Concatenation that typically contains the first letter of the given_name, the first letter of the middle name if one exists, and the first letter of the surname. Must be less than or equal to 5 characters in length.
locality String: Locality (such as a city or town) in which the certificate subject is located. Must be less than or equal to 128 characters in length.
organization String: Legal name of the organization with which the certificate subject is affiliated. Must be less than or equal to 64 characters in length.
organizationalUnit String: Subdivision or unit of the organization (such as sales or finance) with which the certificate subject is affiliated. Must be less than or equal to 64 characters in length.
pseudonym String: Typically a shortened version of a longer given_name. For example, Jonathan is often shortened to John. Elizabeth is often shortened to Beth, Liz, or Eliza. Must be less than or equal to 128 characters in length.
state String: State in which the subject of the certificate is located. Must be less than or equal to 128 characters in length.
surname String: Family name. In the US and the UK for example, the surname of an individual is ordered last. In Asian cultures the surname is typically ordered first. Must be less than or equal to 40 characters in length.
title String: Title such as Mr. or Ms. which is pre-pended to the name to refer formally to the certificate subject. Must be less than or equal to 64 characters in length.

CertificateAuthorityRevocationConfiguration, CertificateAuthorityRevocationConfigurationArgs

CrlConfiguration CertificateAuthorityRevocationConfigurationCrlConfiguration: Nested argument containing configuration of the certificate revocation list (CRL), if any, maintained by the certificate authority. Defined below.
OcspConfiguration CertificateAuthorityRevocationConfigurationOcspConfiguration: Nested argument containing configuration of the custom OCSP responder endpoint. Defined below.

CrlConfiguration CertificateAuthorityRevocationConfigurationCrlConfiguration: Nested argument containing configuration of the certificate revocation list (CRL), if any, maintained by the certificate authority. Defined below.
OcspConfiguration CertificateAuthorityRevocationConfigurationOcspConfiguration: Nested argument containing configuration of the custom OCSP responder endpoint. Defined below.

crlConfiguration CertificateAuthorityRevocationConfigurationCrlConfiguration: Nested argument containing configuration of the certificate revocation list (CRL), if any, maintained by the certificate authority. Defined below.
ocspConfiguration CertificateAuthorityRevocationConfigurationOcspConfiguration: Nested argument containing configuration of the custom OCSP responder endpoint. Defined below.

crlConfiguration CertificateAuthorityRevocationConfigurationCrlConfiguration: Nested argument containing configuration of the certificate revocation list (CRL), if any, maintained by the certificate authority. Defined below.
ocspConfiguration CertificateAuthorityRevocationConfigurationOcspConfiguration: Nested argument containing configuration of the custom OCSP responder endpoint. Defined below.

crl_configuration CertificateAuthorityRevocationConfigurationCrlConfiguration: Nested argument containing configuration of the certificate revocation list (CRL), if any, maintained by the certificate authority. Defined below.
ocsp_configuration CertificateAuthorityRevocationConfigurationOcspConfiguration: Nested argument containing configuration of the custom OCSP responder endpoint. Defined below.

crlConfiguration Property Map: Nested argument containing configuration of the certificate revocation list (CRL), if any, maintained by the certificate authority. Defined below.
ocspConfiguration Property Map: Nested argument containing configuration of the custom OCSP responder endpoint. Defined below.

CertificateAuthorityRevocationConfigurationCrlConfiguration, CertificateAuthorityRevocationConfigurationCrlConfigurationArgs

CustomCname string: Name inserted into the certificate CRL Distribution Points extension that enables the use of an alias for the CRL distribution point. Use this value if you don't want the name of your S3 bucket to be public. Must be less than or equal to 253 characters in length.
Enabled bool: Boolean value that specifies whether certificate revocation lists (CRLs) are enabled. Defaults to false.
ExpirationInDays int: Number of days until a certificate expires. Must be between 1 and 5000.
S3BucketName string: Name of the S3 bucket that contains the CRL. If you do not provide a value for the custom_cname argument, the name of your S3 bucket is placed into the CRL Distribution Points extension of the issued certificate. You must specify a bucket policy that allows ACM PCA to write the CRL to your bucket. Must be between 3 and 255 characters in length.
S3ObjectAcl string: Determines whether the CRL will be publicly readable or privately held in the CRL Amazon S3 bucket. Defaults to PUBLIC_READ.

CustomCname string: Name inserted into the certificate CRL Distribution Points extension that enables the use of an alias for the CRL distribution point. Use this value if you don't want the name of your S3 bucket to be public. Must be less than or equal to 253 characters in length.
Enabled bool: Boolean value that specifies whether certificate revocation lists (CRLs) are enabled. Defaults to false.
ExpirationInDays int: Number of days until a certificate expires. Must be between 1 and 5000.
S3BucketName string: Name of the S3 bucket that contains the CRL. If you do not provide a value for the custom_cname argument, the name of your S3 bucket is placed into the CRL Distribution Points extension of the issued certificate. You must specify a bucket policy that allows ACM PCA to write the CRL to your bucket. Must be between 3 and 255 characters in length.
S3ObjectAcl string: Determines whether the CRL will be publicly readable or privately held in the CRL Amazon S3 bucket. Defaults to PUBLIC_READ.

customCname String: Name inserted into the certificate CRL Distribution Points extension that enables the use of an alias for the CRL distribution point. Use this value if you don't want the name of your S3 bucket to be public. Must be less than or equal to 253 characters in length.
enabled Boolean: Boolean value that specifies whether certificate revocation lists (CRLs) are enabled. Defaults to false.
expirationInDays Integer: Number of days until a certificate expires. Must be between 1 and 5000.
s3BucketName String: Name of the S3 bucket that contains the CRL. If you do not provide a value for the custom_cname argument, the name of your S3 bucket is placed into the CRL Distribution Points extension of the issued certificate. You must specify a bucket policy that allows ACM PCA to write the CRL to your bucket. Must be between 3 and 255 characters in length.
s3ObjectAcl String: Determines whether the CRL will be publicly readable or privately held in the CRL Amazon S3 bucket. Defaults to PUBLIC_READ.

customCname string: Name inserted into the certificate CRL Distribution Points extension that enables the use of an alias for the CRL distribution point. Use this value if you don't want the name of your S3 bucket to be public. Must be less than or equal to 253 characters in length.
enabled boolean: Boolean value that specifies whether certificate revocation lists (CRLs) are enabled. Defaults to false.
expirationInDays number: Number of days until a certificate expires. Must be between 1 and 5000.
s3BucketName string: Name of the S3 bucket that contains the CRL. If you do not provide a value for the custom_cname argument, the name of your S3 bucket is placed into the CRL Distribution Points extension of the issued certificate. You must specify a bucket policy that allows ACM PCA to write the CRL to your bucket. Must be between 3 and 255 characters in length.
s3ObjectAcl string: Determines whether the CRL will be publicly readable or privately held in the CRL Amazon S3 bucket. Defaults to PUBLIC_READ.

custom_cname str: Name inserted into the certificate CRL Distribution Points extension that enables the use of an alias for the CRL distribution point. Use this value if you don't want the name of your S3 bucket to be public. Must be less than or equal to 253 characters in length.
enabled bool: Boolean value that specifies whether certificate revocation lists (CRLs) are enabled. Defaults to false.
expiration_in_days int: Number of days until a certificate expires. Must be between 1 and 5000.
s3_bucket_name str: Name of the S3 bucket that contains the CRL. If you do not provide a value for the custom_cname argument, the name of your S3 bucket is placed into the CRL Distribution Points extension of the issued certificate. You must specify a bucket policy that allows ACM PCA to write the CRL to your bucket. Must be between 3 and 255 characters in length.
s3_object_acl str: Determines whether the CRL will be publicly readable or privately held in the CRL Amazon S3 bucket. Defaults to PUBLIC_READ.

customCname String: Name inserted into the certificate CRL Distribution Points extension that enables the use of an alias for the CRL distribution point. Use this value if you don't want the name of your S3 bucket to be public. Must be less than or equal to 253 characters in length.
enabled Boolean: Boolean value that specifies whether certificate revocation lists (CRLs) are enabled. Defaults to false.
expirationInDays Number: Number of days until a certificate expires. Must be between 1 and 5000.
s3BucketName String: Name of the S3 bucket that contains the CRL. If you do not provide a value for the custom_cname argument, the name of your S3 bucket is placed into the CRL Distribution Points extension of the issued certificate. You must specify a bucket policy that allows ACM PCA to write the CRL to your bucket. Must be between 3 and 255 characters in length.
s3ObjectAcl String: Determines whether the CRL will be publicly readable or privately held in the CRL Amazon S3 bucket. Defaults to PUBLIC_READ.

CertificateAuthorityRevocationConfigurationOcspConfiguration, CertificateAuthorityRevocationConfigurationOcspConfigurationArgs

Enabled bool: Boolean value that specifies whether a custom OCSP responder is enabled.
OcspCustomCname string: CNAME specifying a customized OCSP domain. Note: The value of the CNAME must not include a protocol prefix such as "http://" or "https://".

Enabled bool: Boolean value that specifies whether a custom OCSP responder is enabled.
OcspCustomCname string: CNAME specifying a customized OCSP domain. Note: The value of the CNAME must not include a protocol prefix such as "http://" or "https://".

enabled Boolean: Boolean value that specifies whether a custom OCSP responder is enabled.
ocspCustomCname String: CNAME specifying a customized OCSP domain. Note: The value of the CNAME must not include a protocol prefix such as "http://" or "https://".

enabled boolean: Boolean value that specifies whether a custom OCSP responder is enabled.
ocspCustomCname string: CNAME specifying a customized OCSP domain. Note: The value of the CNAME must not include a protocol prefix such as "http://" or "https://".

enabled bool: Boolean value that specifies whether a custom OCSP responder is enabled.
ocsp_custom_cname str: CNAME specifying a customized OCSP domain. Note: The value of the CNAME must not include a protocol prefix such as "http://" or "https://".

enabled Boolean: Boolean value that specifies whether a custom OCSP responder is enabled.
ocspCustomCname String: CNAME specifying a customized OCSP domain. Note: The value of the CNAME must not include a protocol prefix such as "http://" or "https://".

Import

Using pulumi import, import aws_acmpca_certificate_authority using the certificate authority ARN. For example:

$ pulumi import aws:acmpca/certificateAuthority:CertificateAuthority example arn:aws:acm-pca:us-east-1:123456789012:certificate-authority/12345678-1234-1234-1234-123456789012

To learn more about importing existing cloud resources, see Importing resources.

Package Details

Repository: AWS Classic pulumi/pulumi-aws
License: Apache-2.0
Notes: This Pulumi package is based on the aws Terraform Provider.

AWS v6.73.0 published on Wednesday, Mar 19, 2025 by Pulumi

pulumi/pulumi-aws

aws.acmpca.CertificateAuthority

On this page

On this page

Example Usage

Basic

Short-lived certificate

Enable Certificate Revocation List

Create CertificateAuthority Resource

Constructor syntax

Parameters

Constructor example

CertificateAuthority Resource Properties

Inputs

Outputs

Look up Existing CertificateAuthority Resource

Supporting Types

CertificateAuthorityCertificateAuthorityConfiguration, CertificateAuthorityCertificateAuthorityConfigurationArgs

CertificateAuthorityCertificateAuthorityConfigurationSubject, CertificateAuthorityCertificateAuthorityConfigurationSubjectArgs

CertificateAuthorityRevocationConfiguration, CertificateAuthorityRevocationConfigurationArgs

CertificateAuthorityRevocationConfigurationCrlConfiguration, CertificateAuthorityRevocationConfigurationCrlConfigurationArgs

CertificateAuthorityRevocationConfigurationOcspConfiguration, CertificateAuthorityRevocationConfigurationOcspConfigurationArgs

Import

Package Details

On this page

On this page