certificate_authorities
Creates, updates, deletes or gets a certificate_authority resource or lists certificate_authorities in a region
Overview
| Name | certificate_authorities |
|---|---|
| Type | Resource |
| Description | Private certificate authority. |
| Id | awscc.acmpca.certificate_authorities |
Fields
get (all properties)

| Name | Datatype | Description |
|---|---|---|
| arn | string | The Amazon Resource Name (ARN) of the certificate authority. |
| type | string | The type of the certificate authority. |
| key_algorithm | string | Public key algorithm and size, in bits, of the key pair that your CA creates when it issues a certificate. |
| signing_algorithm | string | Algorithm your CA uses to sign certificate requests. |
| subject | object | Structure that contains X.500 distinguished name information for your CA. |
| revocation_configuration | object | Certificate revocation information used by the CreateCertificateAuthority and UpdateCertificateAuthority actions. |
| tags | array | |
| certificate_signing_request | string | The base64 PEM-encoded certificate signing request (CSR) for your certificate authority certificate. |
| csr_extensions | object | Structure that contains CSR pass-through extension information used by the CreateCertificateAuthority action. |
| key_storage_security_standard | string | KeyStorageSecurityStandard defines a cryptographic key management compliance standard used for handling CA keys. |
| usage_mode | string | Usage mode of the certificate authority. |
| region | string | AWS region. |

list (identifiers only)

| Name | Datatype | Description |
|---|---|---|
| arn | string | The Amazon Resource Name (ARN) of the certificate authority. |
| region | string | AWS region. |
For more information, see AWS::ACMPCA::CertificateAuthority.
Methods
| Name | Resource | Accessible by | Required Params |
|---|---|---|---|
create_resource | certificate_authorities | INSERT | Type, KeyAlgorithm, SigningAlgorithm, Subject, region |
delete_resource | certificate_authorities | DELETE | Identifier, region |
update_resource | certificate_authorities | UPDATE | Identifier, PatchDocument, region |
list_resources | certificate_authorities_list_only | SELECT | region |
get_resource | certificate_authorities | SELECT | Identifier, region |
SELECT examples
get (all properties)

Gets all properties from an individual certificate_authority.

```sql
SELECT
region,
arn,
type,
key_algorithm,
signing_algorithm,
subject,
revocation_configuration,
tags,
certificate_signing_request,
csr_extensions,
key_storage_security_standard,
usage_mode
FROM awscc.acmpca.certificate_authorities
WHERE
region = 'us-east-1' AND
Identifier = '{{ arn }}';
```

list (identifiers only)

Lists all certificate_authorities in a region.

```sql
SELECT
region,
arn
FROM awscc.acmpca.certificate_authorities_list_only
WHERE
region = 'us-east-1';
```
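As an added example (not part of the StackQL documentation), the following Python script audits rows returned by the get query above against a constructed security baseline: revocation must be enabled unless the CA is in short-lived mode, and keys must be held to the FIPS 140-2 Level 3 standard. The row shape (object columns arriving as JSON text with the PascalCase AWS property names) and the baseline itself are assumptions.

```python
import json

# Constructed baseline for this check (not an AWS or StackQL default): a CA must
# publish revocation data via CRL or OCSP unless it only issues short-lived
# certificates, and its keys must live in FIPS 140-2 Level 3 storage.
REQUIRED_KEY_STORAGE = "FIPS_140_2_LEVEL_3_OR_HIGHER"
SHORT_LIVED = "SHORT_LIVED_CERTIFICATE"  # exempt: such CAs do not publish CRL/OCSP

# Constructed rows in the shape of the get query above. Assumption: object columns
# such as revocation_configuration arrive as JSON text using the PascalCase
# property names of AWS::ACMPCA::CertificateAuthority.
SAMPLE_ROWS = [
    {"arn": "arn:aws:acm-pca:us-east-1:111122223333:certificate-authority/EXAMPLE-1",
     "usage_mode": "GENERAL_PURPOSE",
     "key_storage_security_standard": "FIPS_140_2_LEVEL_3_OR_HIGHER",
     "revocation_configuration": json.dumps({"CrlConfiguration": {
         "Enabled": True, "ExpirationInDays": 7, "S3BucketName": "example-crl-bucket"}})},
    {"arn": "arn:aws:acm-pca:us-east-1:111122223333:certificate-authority/EXAMPLE-2",
     "usage_mode": "GENERAL_PURPOSE",
     "key_storage_security_standard": "FIPS_140_2_LEVEL_2_OR_HIGHER",
     "revocation_configuration": None},
    {"arn": "arn:aws:acm-pca:us-east-1:111122223333:certificate-authority/EXAMPLE-3",
     "usage_mode": "SHORT_LIVED_CERTIFICATE",
     "key_storage_security_standard": "FIPS_140_2_LEVEL_3_OR_HIGHER",
     "revocation_configuration": None},
]

def revocation_enabled(raw):
    """True if the CA has CRL or OCSP publishing enabled; raw is JSON text or None."""
    if not raw:
        return False
    cfg = json.loads(raw)
    crl = (cfg.get("CrlConfiguration") or {}).get("Enabled", False)
    ocsp = (cfg.get("OcspConfiguration") or {}).get("Enabled", False)
    return bool(crl or ocsp)

def audit_ca(row):
    """Return the baseline violations for one certificate_authority row."""
    findings = []
    if row["usage_mode"] != SHORT_LIVED and not revocation_enabled(row["revocation_configuration"]):
        findings.append("no CRL or OCSP revocation enabled")
    if row["key_storage_security_standard"] != REQUIRED_KEY_STORAGE:
        findings.append(f"key storage is {row['key_storage_security_standard']}")
    return findings

def audit_all(rows):
    """Map ARN -> findings for every CA that violates the baseline."""
    return {r["arn"]: f for r in rows if (f := audit_ca(r))}
```

Call `audit_all(rows)` on the rows of the get query (one per ARN from the list query) to get a dict of only the non-compliant CAs.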
INSERT example
Use the following StackQL query and manifest file to create a new certificate_authority resource, using stack-deploy.
Required Properties

```sql
/*+ create */
INSERT INTO awscc.acmpca.certificate_authorities (
Type,
KeyAlgorithm,
SigningAlgorithm,
Subject,
region
)
SELECT
'{{ type }}',
'{{ key_algorithm }}',
'{{ signing_algorithm }}',
'{{ subject }}',
'{{ region }}';
```

All Properties

```sql
/*+ create */
INSERT INTO awscc.acmpca.certificate_authorities (
Type,
KeyAlgorithm,
SigningAlgorithm,
Subject,
RevocationConfiguration,
Tags,
CsrExtensions,
KeyStorageSecurityStandard,
UsageMode,
region
)
SELECT
'{{ type }}',
'{{ key_algorithm }}',
'{{ signing_algorithm }}',
'{{ subject }}',
'{{ revocation_configuration }}',
'{{ tags }}',
'{{ csr_extensions }}',
'{{ key_storage_security_standard }}',
'{{ usage_mode }}',
'{{ region }}';
```

Manifest

```yaml
version: 1
name: stack name
description: stack description
providers:
  - aws
globals:
  - name: region
    value: '{{ vars.AWS_REGION }}'
resources:
  - name: certificate_authority
    props:
      - name: type
        value: '{{ type }}'
      - name: key_algorithm
        value: '{{ key_algorithm }}'
      - name: signing_algorithm
        value: '{{ signing_algorithm }}'
      - name: subject
        value:
          country: '{{ country }}'
          organization: '{{ organization }}'
          organizational_unit: '{{ organizational_unit }}'
          distinguished_name_qualifier: '{{ distinguished_name_qualifier }}'
          state: '{{ state }}'
          common_name: '{{ common_name }}'
          serial_number: '{{ serial_number }}'
          locality: '{{ locality }}'
          title: '{{ title }}'
          surname: '{{ surname }}'
          given_name: '{{ given_name }}'
          initials: '{{ initials }}'
          pseudonym: '{{ pseudonym }}'
          generation_qualifier: '{{ generation_qualifier }}'
          custom_attributes:
            - object_identifier: '{{ object_identifier }}'
              value: '{{ value }}'
      - name: revocation_configuration
        value:
          crl_configuration:
            enabled: '{{ enabled }}'
            expiration_in_days: '{{ expiration_in_days }}'
            custom_cname: '{{ custom_cname }}'
            s3_bucket_name: '{{ s3_bucket_name }}'
            s3_object_acl: '{{ s3_object_acl }}'
            crl_distribution_point_extension_configuration:
              omit_extension: '{{ omit_extension }}'
            crl_type: '{{ crl_type }}'
            custom_path: '{{ custom_path }}'
          ocsp_configuration:
            enabled: '{{ enabled }}'
            ocsp_custom_cname: '{{ ocsp_custom_cname }}'
      - name: tags
        value:
          - key: '{{ key }}'
            value: '{{ value }}'
      - name: csr_extensions
        value:
          key_usage:
            digital_signature: '{{ digital_signature }}'
            non_repudiation: '{{ non_repudiation }}'
            key_encipherment: '{{ key_encipherment }}'
            data_encipherment: '{{ data_encipherment }}'
            key_agreement: '{{ key_agreement }}'
            key_cert_sign: '{{ key_cert_sign }}'
            c_rl_sign: '{{ c_rl_sign }}'
            encipher_only: '{{ encipher_only }}'
            decipher_only: '{{ decipher_only }}'
          subject_information_access:
            - access_method:
                custom_object_identifier: null
                access_method_type: '{{ access_method_type }}'
              access_location:
                other_name:
                  type_id: null
                  value: '{{ value }}'
                rfc822_name: '{{ rfc822_name }}'
                dns_name: '{{ dns_name }}'
                directory_name: null
                edi_party_name:
                  party_name: '{{ party_name }}'
                  name_assigner: '{{ name_assigner }}'
                uniform_resource_identifier: '{{ uniform_resource_identifier }}'
                ip_address: '{{ ip_address }}'
                registered_id: null
      - name: key_storage_security_standard
        value: '{{ key_storage_security_standard }}'
      - name: usage_mode
        value: '{{ usage_mode }}'
```
UPDATE example
Use the following StackQL query and manifest file to update a certificate_authority resource, using stack-deploy.
```sql
/*+ update */
UPDATE awscc.acmpca.certificate_authorities
SET PatchDocument = string('{{ {
"RevocationConfiguration": revocation_configuration,
"Tags": tags
} | generate_patch_document }}')
WHERE
region = '{{ region }}' AND
Identifier = '{{ arn }}';
```
DELETE example
```sql
/*+ delete */
DELETE FROM awscc.acmpca.certificate_authorities
WHERE
Identifier = '{{ arn }}' AND
region = 'us-east-1';
```
Permissions
To operate on the certificate_authorities resource, the following permissions are required:
- Create: acm-pca:CreateCertificateAuthority, acm-pca:DescribeCertificateAuthority, acm-pca:GetCertificateAuthorityCsr, acm-pca:TagCertificateAuthority
- Read: acm-pca:DescribeCertificateAuthority, acm-pca:GetCertificateAuthorityCsr, acm-pca:ListTags
- Update: acm-pca:TagCertificateAuthority, acm-pca:UntagCertificateAuthority, acm-pca:UpdateCertificateAuthority
- Delete: acm-pca:DeleteCertificateAuthority, acm-pca:DescribeCertificateAuthority
- List: acm-pca:DescribeCertificateAuthority, acm-pca:GetCertificateAuthorityCsr, acm-pca:ListCertificateAuthorities, acm-pca:ListTags