Certificate
data class CertificateAuthorityCertificateArgs(val certificate: Output<String>? = null, val certificateAuthorityArn: Output<String>? = null, val certificateChain: Output<String>? = null) : ConvertibleToJava<CertificateAuthorityCertificateArgs>
Associates a certificate with an AWS Certificate Manager Private Certificate Authority (ACM PCA Certificate Authority). An ACM PCA Certificate Authority is unable to issue certificates until it has a certificate associated with it. A root level ACM PCA Certificate Authority is able to self-sign its own root certificate.
Example Usage
Self-Signed Root Certificate Authority Certificate
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const exampleCertificateAuthority = new aws.acmpca.CertificateAuthority("example", {
type: "ROOT",
certificateAuthorityConfiguration: {
keyAlgorithm: "RSA_4096",
signingAlgorithm: "SHA512WITHRSA",
subject: {
commonName: "example.com",
},
},
});
const current = aws.getPartition({});
const exampleCertificate = new aws.acmpca.Certificate("example", {
certificateAuthorityArn: exampleCertificateAuthority.arn,
certificateSigningRequest: exampleCertificateAuthority.certificateSigningRequest,
signingAlgorithm: "SHA512WITHRSA",
templateArn: current.then(current => `arn:${current.partition}:acm-pca:::template/RootCACertificate/V1`),
validity: {
type: "YEARS",
value: "1",
},
});
const example = new aws.acmpca.CertificateAuthorityCertificate("example", {
certificateAuthorityArn: exampleCertificateAuthority.arn,
certificate: exampleCertificate.certificate,
certificateChain: exampleCertificate.certificateChain,
});Content copied to clipboard
import pulumi
import pulumi_aws as aws
example_certificate_authority = aws.acmpca.CertificateAuthority("example",
type="ROOT",
certificate_authority_configuration={
"key_algorithm": "RSA_4096",
"signing_algorithm": "SHA512WITHRSA",
"subject": {
"common_name": "example.com",
},
})
current = aws.get_partition()
example_certificate = aws.acmpca.Certificate("example",
certificate_authority_arn=example_certificate_authority.arn,
certificate_signing_request=example_certificate_authority.certificate_signing_request,
signing_algorithm="SHA512WITHRSA",
template_arn=f"arn:{current.partition}:acm-pca:::template/RootCACertificate/V1",
validity={
"type": "YEARS",
"value": "1",
})
example = aws.acmpca.CertificateAuthorityCertificate("example",
certificate_authority_arn=example_certificate_authority.arn,
certificate=example_certificate.certificate,
certificate_chain=example_certificate.certificate_chain)Content copied to clipboard
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
var exampleCertificateAuthority = new Aws.Acmpca.CertificateAuthority("example", new()
{
Type = "ROOT",
CertificateAuthorityConfiguration = new Aws.Acmpca.Inputs.CertificateAuthorityCertificateAuthorityConfigurationArgs
{
KeyAlgorithm = "RSA_4096",
SigningAlgorithm = "SHA512WITHRSA",
Subject = new Aws.Acmpca.Inputs.CertificateAuthorityCertificateAuthorityConfigurationSubjectArgs
{
CommonName = "example.com",
},
},
});
var current = Aws.GetPartition.Invoke();
var exampleCertificate = new Aws.Acmpca.Certificate("example", new()
{
CertificateAuthorityArn = exampleCertificateAuthority.Arn,
CertificateSigningRequest = exampleCertificateAuthority.CertificateSigningRequest,
SigningAlgorithm = "SHA512WITHRSA",
TemplateArn = $"arn:{current.Apply(getPartitionResult => getPartitionResult.Partition)}:acm-pca:::template/RootCACertificate/V1",
Validity = new Aws.Acmpca.Inputs.CertificateValidityArgs
{
Type = "YEARS",
Value = "1",
},
});
var example = new Aws.Acmpca.CertificateAuthorityCertificate("example", new()
{
CertificateAuthorityArn = exampleCertificateAuthority.Arn,
Certificate = exampleCertificate.Certificate,
CertificateChain = exampleCertificate.CertificateChain,
});
});Content copied to clipboard
package main
import (
"fmt"
"github.com/pulumi/pulumi-aws/sdk/v6/go/aws"
"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/acmpca"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
exampleCertificateAuthority, err := acmpca.NewCertificateAuthority(ctx, "example", &acmpca.CertificateAuthorityArgs{
Type: pulumi.String("ROOT"),
CertificateAuthorityConfiguration: &acmpca.CertificateAuthorityCertificateAuthorityConfigurationArgs{
KeyAlgorithm: pulumi.String("RSA_4096"),
SigningAlgorithm: pulumi.String("SHA512WITHRSA"),
Subject: &acmpca.CertificateAuthorityCertificateAuthorityConfigurationSubjectArgs{
CommonName: pulumi.String("example.com"),
},
},
})
if err != nil {
return err
}
current, err := aws.GetPartition(ctx, &aws.GetPartitionArgs{}, nil)
if err != nil {
return err
}
exampleCertificate, err := acmpca.NewCertificate(ctx, "example", &acmpca.CertificateArgs{
CertificateAuthorityArn: exampleCertificateAuthority.Arn,
CertificateSigningRequest: exampleCertificateAuthority.CertificateSigningRequest,
SigningAlgorithm: pulumi.String("SHA512WITHRSA"),
TemplateArn: pulumi.Sprintf("arn:%v:acm-pca:::template/RootCACertificate/V1", current.Partition),
Validity: &acmpca.CertificateValidityArgs{
Type: pulumi.String("YEARS"),
Value: pulumi.String("1"),
},
})
if err != nil {
return err
}
_, err = acmpca.NewCertificateAuthorityCertificate(ctx, "example", &acmpca.CertificateAuthorityCertificateArgs{
CertificateAuthorityArn: exampleCertificateAuthority.Arn,
Certificate: exampleCertificate.Certificate,
CertificateChain: exampleCertificate.CertificateChain,
})
if err != nil {
return err
}
return nil
})
}Content copied to clipboard
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.acmpca.CertificateAuthority;
import com.pulumi.aws.acmpca.CertificateAuthorityArgs;
import com.pulumi.aws.acmpca.inputs.CertificateAuthorityCertificateAuthorityConfigurationArgs;
import com.pulumi.aws.acmpca.inputs.CertificateAuthorityCertificateAuthorityConfigurationSubjectArgs;
import com.pulumi.aws.AwsFunctions;
import com.pulumi.aws.inputs.GetPartitionArgs;
import com.pulumi.aws.acmpca.Certificate;
import com.pulumi.aws.acmpca.CertificateArgs;
import com.pulumi.aws.acmpca.inputs.CertificateValidityArgs;
import com.pulumi.aws.acmpca.CertificateAuthorityCertificate;
import com.pulumi.aws.acmpca.CertificateAuthorityCertificateArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var exampleCertificateAuthority = new CertificateAuthority("exampleCertificateAuthority", CertificateAuthorityArgs.builder()
.type("ROOT")
.certificateAuthorityConfiguration(CertificateAuthorityCertificateAuthorityConfigurationArgs.builder()
.keyAlgorithm("RSA_4096")
.signingAlgorithm("SHA512WITHRSA")
.subject(CertificateAuthorityCertificateAuthorityConfigurationSubjectArgs.builder()
.commonName("example.com")
.build())
.build())
.build());
final var current = AwsFunctions.getPartition(GetPartitionArgs.builder()
.build());
var exampleCertificate = new Certificate("exampleCertificate", CertificateArgs.builder()
.certificateAuthorityArn(exampleCertificateAuthority.arn())
.certificateSigningRequest(exampleCertificateAuthority.certificateSigningRequest())
.signingAlgorithm("SHA512WITHRSA")
.templateArn(String.format("arn:%s:acm-pca:::template/RootCACertificate/V1", current.partition()))
.validity(CertificateValidityArgs.builder()
.type("YEARS")
.value("1")
.build())
.build());
var example = new CertificateAuthorityCertificate("example", CertificateAuthorityCertificateArgs.builder()
.certificateAuthorityArn(exampleCertificateAuthority.arn())
.certificate(exampleCertificate.certificate())
.certificateChain(exampleCertificate.certificateChain())
.build());
}
}Content copied to clipboard
resources:
example:
type: aws:acmpca:CertificateAuthorityCertificate
properties:
certificateAuthorityArn: ${exampleCertificateAuthority.arn}
certificate: ${exampleCertificate.certificate}
certificateChain: ${exampleCertificate.certificateChain}
exampleCertificate:
type: aws:acmpca:Certificate
name: example
properties:
certificateAuthorityArn: ${exampleCertificateAuthority.arn}
certificateSigningRequest: ${exampleCertificateAuthority.certificateSigningRequest}
signingAlgorithm: SHA512WITHRSA
templateArn: arn:${current.partition}:acm-pca:::template/RootCACertificate/V1
validity:
type: YEARS
value: 1
exampleCertificateAuthority:
type: aws:acmpca:CertificateAuthority
name: example
properties:
type: ROOT
certificateAuthorityConfiguration:
keyAlgorithm: RSA_4096
signingAlgorithm: SHA512WITHRSA
subject:
commonName: example.com
variables:
current:
fn::invoke:
function: aws:getPartition
arguments: {}Content copied to clipboard
Certificate for Subordinate Certificate Authority
Note that the certificate for the subordinate certificate authority must be issued by the root certificate authority using a signing request from the subordinate certificate authority.
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const subordinateCertificateAuthority = new aws.acmpca.CertificateAuthority("subordinate", {
type: "SUBORDINATE",
certificateAuthorityConfiguration: {
keyAlgorithm: "RSA_2048",
signingAlgorithm: "SHA512WITHRSA",
subject: {
commonName: "sub.example.com",
},
},
});
const root = new aws.acmpca.CertificateAuthority("root", {});
const current = aws.getPartition({});
const subordinateCertificate = new aws.acmpca.Certificate("subordinate", {
certificateAuthorityArn: root.arn,
certificateSigningRequest: subordinateCertificateAuthority.certificateSigningRequest,
signingAlgorithm: "SHA512WITHRSA",
templateArn: current.then(current => `arn:${current.partition}:acm-pca:::template/SubordinateCACertificate_PathLen0/V1`),
validity: {
type: "YEARS",
value: "1",
},
});
const subordinate = new aws.acmpca.CertificateAuthorityCertificate("subordinate", {
certificateAuthorityArn: subordinateCertificateAuthority.arn,
certificate: subordinateCertificate.certificate,
certificateChain: subordinateCertificate.certificateChain,
});
const rootCertificateAuthorityCertificate = new aws.acmpca.CertificateAuthorityCertificate("root", {});
const rootCertificate = new aws.acmpca.Certificate("root", {});Content copied to clipboard
import pulumi
import pulumi_aws as aws
subordinate_certificate_authority = aws.acmpca.CertificateAuthority("subordinate",
type="SUBORDINATE",
certificate_authority_configuration={
"key_algorithm": "RSA_2048",
"signing_algorithm": "SHA512WITHRSA",
"subject": {
"common_name": "sub.example.com",
},
})
root = aws.acmpca.CertificateAuthority("root")
current = aws.get_partition()
subordinate_certificate = aws.acmpca.Certificate("subordinate",
certificate_authority_arn=root.arn,
certificate_signing_request=subordinate_certificate_authority.certificate_signing_request,
signing_algorithm="SHA512WITHRSA",
template_arn=f"arn:{current.partition}:acm-pca:::template/SubordinateCACertificate_PathLen0/V1",
validity={
"type": "YEARS",
"value": "1",
})
subordinate = aws.acmpca.CertificateAuthorityCertificate("subordinate",
certificate_authority_arn=subordinate_certificate_authority.arn,
certificate=subordinate_certificate.certificate,
certificate_chain=subordinate_certificate.certificate_chain)
root_certificate_authority_certificate = aws.acmpca.CertificateAuthorityCertificate("root")
root_certificate = aws.acmpca.Certificate("root")Content copied to clipboard
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
var subordinateCertificateAuthority = new Aws.Acmpca.CertificateAuthority("subordinate", new()
{
Type = "SUBORDINATE",
CertificateAuthorityConfiguration = new Aws.Acmpca.Inputs.CertificateAuthorityCertificateAuthorityConfigurationArgs
{
KeyAlgorithm = "RSA_2048",
SigningAlgorithm = "SHA512WITHRSA",
Subject = new Aws.Acmpca.Inputs.CertificateAuthorityCertificateAuthorityConfigurationSubjectArgs
{
CommonName = "sub.example.com",
},
},
});
var root = new Aws.Acmpca.CertificateAuthority("root");
var current = Aws.GetPartition.Invoke();
var subordinateCertificate = new Aws.Acmpca.Certificate("subordinate", new()
{
CertificateAuthorityArn = root.Arn,
CertificateSigningRequest = subordinateCertificateAuthority.CertificateSigningRequest,
SigningAlgorithm = "SHA512WITHRSA",
TemplateArn = $"arn:{current.Apply(getPartitionResult => getPartitionResult.Partition)}:acm-pca:::template/SubordinateCACertificate_PathLen0/V1",
Validity = new Aws.Acmpca.Inputs.CertificateValidityArgs
{
Type = "YEARS",
Value = "1",
},
});
var subordinate = new Aws.Acmpca.CertificateAuthorityCertificate("subordinate", new()
{
CertificateAuthorityArn = subordinateCertificateAuthority.Arn,
Certificate = subordinateCertificate.Certificate,
CertificateChain = subordinateCertificate.CertificateChain,
});
var rootCertificateAuthorityCertificate = new Aws.Acmpca.CertificateAuthorityCertificate("root");
var rootCertificate = new Aws.Acmpca.Certificate("root");
});Content copied to clipboard
package main
import (
"fmt"
"github.com/pulumi/pulumi-aws/sdk/v6/go/aws"
"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/acmpca"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
subordinateCertificateAuthority, err := acmpca.NewCertificateAuthority(ctx, "subordinate", &acmpca.CertificateAuthorityArgs{
Type: pulumi.String("SUBORDINATE"),
CertificateAuthorityConfiguration: &acmpca.CertificateAuthorityCertificateAuthorityConfigurationArgs{
KeyAlgorithm: pulumi.String("RSA_2048"),
SigningAlgorithm: pulumi.String("SHA512WITHRSA"),
Subject: &acmpca.CertificateAuthorityCertificateAuthorityConfigurationSubjectArgs{
CommonName: pulumi.String("sub.example.com"),
},
},
})
if err != nil {
return err
}
root, err := acmpca.NewCertificateAuthority(ctx, "root", nil)
if err != nil {
return err
}
current, err := aws.GetPartition(ctx, &aws.GetPartitionArgs{}, nil)
if err != nil {
return err
}
subordinateCertificate, err := acmpca.NewCertificate(ctx, "subordinate", &acmpca.CertificateArgs{
CertificateAuthorityArn: root.Arn,
CertificateSigningRequest: subordinateCertificateAuthority.CertificateSigningRequest,
SigningAlgorithm: pulumi.String("SHA512WITHRSA"),
TemplateArn: pulumi.Sprintf("arn:%v:acm-pca:::template/SubordinateCACertificate_PathLen0/V1", current.Partition),
Validity: &acmpca.CertificateValidityArgs{
Type: pulumi.String("YEARS"),
Value: pulumi.String("1"),
},
})
if err != nil {
return err
}
_, err = acmpca.NewCertificateAuthorityCertificate(ctx, "subordinate", &acmpca.CertificateAuthorityCertificateArgs{
CertificateAuthorityArn: subordinateCertificateAuthority.Arn,
Certificate: subordinateCertificate.Certificate,
CertificateChain: subordinateCertificate.CertificateChain,
})
if err != nil {
return err
}
_, err = acmpca.NewCertificateAuthorityCertificate(ctx, "root", nil)
if err != nil {
return err
}
_, err = acmpca.NewCertificate(ctx, "root", nil)
if err != nil {
return err
}
return nil
})
}Content copied to clipboard
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.acmpca.CertificateAuthority;
import com.pulumi.aws.acmpca.CertificateAuthorityArgs;
import com.pulumi.aws.acmpca.inputs.CertificateAuthorityCertificateAuthorityConfigurationArgs;
import com.pulumi.aws.acmpca.inputs.CertificateAuthorityCertificateAuthorityConfigurationSubjectArgs;
import com.pulumi.aws.AwsFunctions;
import com.pulumi.aws.inputs.GetPartitionArgs;
import com.pulumi.aws.acmpca.Certificate;
import com.pulumi.aws.acmpca.CertificateArgs;
import com.pulumi.aws.acmpca.inputs.CertificateValidityArgs;
import com.pulumi.aws.acmpca.CertificateAuthorityCertificate;
import com.pulumi.aws.acmpca.CertificateAuthorityCertificateArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var subordinateCertificateAuthority = new CertificateAuthority("subordinateCertificateAuthority", CertificateAuthorityArgs.builder()
.type("SUBORDINATE")
.certificateAuthorityConfiguration(CertificateAuthorityCertificateAuthorityConfigurationArgs.builder()
.keyAlgorithm("RSA_2048")
.signingAlgorithm("SHA512WITHRSA")
.subject(CertificateAuthorityCertificateAuthorityConfigurationSubjectArgs.builder()
.commonName("sub.example.com")
.build())
.build())
.build());
var root = new CertificateAuthority("root");
final var current = AwsFunctions.getPartition(GetPartitionArgs.builder()
.build());
var subordinateCertificate = new Certificate("subordinateCertificate", CertificateArgs.builder()
.certificateAuthorityArn(root.arn())
.certificateSigningRequest(subordinateCertificateAuthority.certificateSigningRequest())
.signingAlgorithm("SHA512WITHRSA")
.templateArn(String.format("arn:%s:acm-pca:::template/SubordinateCACertificate_PathLen0/V1", current.partition()))
.validity(CertificateValidityArgs.builder()
.type("YEARS")
.value("1")
.build())
.build());
var subordinate = new CertificateAuthorityCertificate("subordinate", CertificateAuthorityCertificateArgs.builder()
.certificateAuthorityArn(subordinateCertificateAuthority.arn())
.certificate(subordinateCertificate.certificate())
.certificateChain(subordinateCertificate.certificateChain())
.build());
var rootCertificateAuthorityCertificate = new CertificateAuthorityCertificate("rootCertificateAuthorityCertificate");
var rootCertificate = new Certificate("rootCertificate");
}
}Content copied to clipboard
resources:
subordinate:
type: aws:acmpca:CertificateAuthorityCertificate
properties:
certificateAuthorityArn: ${subordinateCertificateAuthority.arn}
certificate: ${subordinateCertificate.certificate}
certificateChain: ${subordinateCertificate.certificateChain}
subordinateCertificate:
type: aws:acmpca:Certificate
name: subordinate
properties:
certificateAuthorityArn: ${root.arn}
certificateSigningRequest: ${subordinateCertificateAuthority.certificateSigningRequest}
signingAlgorithm: SHA512WITHRSA
templateArn: arn:${current.partition}:acm-pca:::template/SubordinateCACertificate_PathLen0/V1
validity:
type: YEARS
value: 1
subordinateCertificateAuthority:
type: aws:acmpca:CertificateAuthority
name: subordinate
properties:
type: SUBORDINATE
certificateAuthorityConfiguration:
keyAlgorithm: RSA_2048
signingAlgorithm: SHA512WITHRSA
subject:
commonName: sub.example.com
root:
type: aws:acmpca:CertificateAuthority
rootCertificateAuthorityCertificate:
type: aws:acmpca:CertificateAuthorityCertificate
name: root
rootCertificate:
type: aws:acmpca:Certificate
name: root
variables:
current:
fn::invoke:
function: aws:getPartition
arguments: {}Content copied to clipboard
Properties
Link copied to clipboard
PEM-encoded certificate for the Certificate Authority.
Link copied to clipboard
ARN of the Certificate Authority.
Link copied to clipboard
PEM-encoded certificate chain that includes any intermediate certificates and chains up to root CA. Required for subordinate Certificate Authorities. Not allowed for root Certificate Authorities.