# certificates

Creates, updates, deletes or gets a certificate resource or lists certificates in a region

## Overview
| Name | certificates |
|---|---|
| Type | Resource |
| Description | The ``AWS::ACMPCA::Certificate`` resource is used to issue a certificate using your private certificate authority. For more information, see the [IssueCertificate](https://docs.aws.amazon.com/privateca/latest/APIReference/API_IssueCertificate.html) action. |
| Id | awscc.acmpca.certificates |
## Fields

| Name | Datatype | Description |
|---|---|---|
| api_passthrough | object | Specifies X.509 certificate information to be included in the issued certificate. An ``APIPassthrough`` or ``APICSRPassthrough`` template variant must be selected, or else this parameter is ignored. |
| certificate_authority_arn | string | The Amazon Resource Name (ARN) of the private CA that issues the certificate. |
| certificate_signing_request | string | The certificate signing request (CSR) for the certificate. |
| signing_algorithm | string | The name of the algorithm that will be used to sign the certificate to be issued. <br />This parameter should not be confused with the ``SigningAlgorithm`` parameter used to sign a CSR in the ``CreateCertificateAuthority`` action.<br />The specified signing algorithm family (RSA or ECDSA) must match the algorithm family of the CA's secret key. |
| validity | object | The period of time during which the certificate will be valid. |
| certificate | string | The issued certificate, Base64 PEM-encoded. |
| region | string | AWS region. |

For more information, see [AWS::ACMPCA::Certificate](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-acmpca-certificate.html).
## Methods

| Name | Accessible by | Required Params |
|---|---|---|
| create_resource | INSERT | CertificateAuthorityArn, CertificateSigningRequest, SigningAlgorithm, Validity, region |
| delete_resource | DELETE | Identifier, region |
| get_resource | SELECT | Identifier, region |
## SELECT examples

Gets all properties from an individual certificate.

```sql
SELECT
  region,
  api_passthrough,
  certificate_authority_arn,
  certificate_signing_request,
  signing_algorithm,
  template_arn,
  validity,
  validity_not_before,
  certificate,
  arn
FROM awscc.acmpca.certificates
WHERE
  region = 'us-east-1' AND
  Identifier = '{{ arn }}|{{ certificate_authority_arn }}';
```
## INSERT example

Use the following StackQL query and manifest file to create a new certificate resource, using stack-deploy.

**Required Properties**

```sql
/*+ create */
INSERT INTO awscc.acmpca.certificates (
  CertificateAuthorityArn,
  CertificateSigningRequest,
  SigningAlgorithm,
  Validity,
  region
)
SELECT
  '{{ certificate_authority_arn }}',
  '{{ certificate_signing_request }}',
  '{{ signing_algorithm }}',
  '{{ validity }}',
  '{{ region }}';
```

**All Properties**

```sql
/*+ create */
INSERT INTO awscc.acmpca.certificates (
  ApiPassthrough,
  CertificateAuthorityArn,
  CertificateSigningRequest,
  SigningAlgorithm,
  TemplateArn,
  Validity,
  ValidityNotBefore,
  region
)
SELECT
  '{{ api_passthrough }}',
  '{{ certificate_authority_arn }}',
  '{{ certificate_signing_request }}',
  '{{ signing_algorithm }}',
  '{{ template_arn }}',
  '{{ validity }}',
  '{{ validity_not_before }}',
  '{{ region }}';
```

**Manifest**

```yaml
version: 1
name: stack name
description: stack description
providers:
  - aws
globals:
  - name: region
    value: '{{ vars.AWS_REGION }}'
resources:
  - name: certificate
    props:
      - name: api_passthrough
        value:
          extensions:
            certificate_policies:
              - cert_policy_id: '{{ cert_policy_id }}'
                policy_qualifiers:
                  - policy_qualifier_id: '{{ policy_qualifier_id }}'
                    qualifier:
                      cps_uri: '{{ cps_uri }}'
            extended_key_usage:
              - extended_key_usage_type: '{{ extended_key_usage_type }}'
                extended_key_usage_object_identifier: null
            key_usage:
              digital_signature: '{{ digital_signature }}'
              non_repudiation: '{{ non_repudiation }}'
              key_encipherment: '{{ key_encipherment }}'
              data_encipherment: '{{ data_encipherment }}'
              key_agreement: '{{ key_agreement }}'
              key_cert_sign: '{{ key_cert_sign }}'
              c_rl_sign: '{{ c_rl_sign }}'
              encipher_only: '{{ encipher_only }}'
              decipher_only: '{{ decipher_only }}'
            subject_alternative_names:
              - other_name:
                  type_id: null
                  value: '{{ value }}'
                rfc822_name: '{{ rfc822_name }}'
                dns_name: '{{ dns_name }}'
                directory_name:
                  country: '{{ country }}'
                  organization: '{{ organization }}'
                  organizational_unit: '{{ organizational_unit }}'
                  distinguished_name_qualifier: '{{ distinguished_name_qualifier }}'
                  state: '{{ state }}'
                  common_name: '{{ common_name }}'
                  serial_number: '{{ serial_number }}'
                  locality: '{{ locality }}'
                  title: '{{ title }}'
                  surname: '{{ surname }}'
                  given_name: '{{ given_name }}'
                  initials: '{{ initials }}'
                  pseudonym: '{{ pseudonym }}'
                  generation_qualifier: '{{ generation_qualifier }}'
                  custom_attributes:
                    - object_identifier: null
                      value: '{{ value }}'
                edi_party_name:
                  party_name: '{{ party_name }}'
                  name_assigner: '{{ name_assigner }}'
                uniform_resource_identifier: '{{ uniform_resource_identifier }}'
                ip_address: '{{ ip_address }}'
                registered_id: null
            custom_extensions:
              - critical: '{{ critical }}'
                object_identifier: null
                value: '{{ value }}'
          subject: null
      - name: certificate_authority_arn
        value: '{{ certificate_authority_arn }}'
      - name: certificate_signing_request
        value: '{{ certificate_signing_request }}'
      - name: signing_algorithm
        value: '{{ signing_algorithm }}'
      - name: template_arn
        value: null
      - name: validity
        value:
          value: null
          type: '{{ type }}'
      - name: validity_not_before
        value: null
```
## DELETE example

```sql
/*+ delete */
DELETE FROM awscc.acmpca.certificates
WHERE
  Identifier = '{{ arn }}|{{ certificate_authority_arn }}' AND
  region = 'us-east-1';
```
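The constraints the Fields table states (the ``SigningAlgorithm`` family must match the CA key's family; ``Validity`` is a Type/Value object) and the composite ``Identifier`` the SELECT and DELETE examples use, as an added pre-flight check written for this page rather than StackQL or AWS code. It assumes the caller knows the CA's ``KeyAlgorithm`` (RSA_2048, EC_prime256v1, and so on); the signing algorithm and ``Validity.Type`` names are the ACM Private CA API values, and any ARNs passed in are constructed placeholders.

```python
import json

# IssueCertificate SigningAlgorithm values, grouped by the key family they require.
SIGNING_ALGORITHMS = {
    "RSA": {"SHA256WITHRSA", "SHA384WITHRSA", "SHA512WITHRSA"},
    "ECDSA": {"SHA256WITHECDSA", "SHA384WITHECDSA", "SHA512WITHECDSA"},
}
# Validity.Type values accepted by IssueCertificate.
VALIDITY_TYPES = {"END_DATE", "ABSOLUTE", "DAYS", "MONTHS", "YEARS"}


def ca_key_family(ca_key_algorithm: str) -> str:
    """Map the CA's KeyAlgorithm (e.g. RSA_2048, EC_prime256v1) to RSA or ECDSA."""
    if ca_key_algorithm.startswith("RSA_"):
        return "RSA"
    if ca_key_algorithm.startswith("EC_"):
        return "ECDSA"
    raise ValueError(f"unrecognised CA key algorithm: {ca_key_algorithm}")


def check_signing_algorithm(signing_algorithm: str, ca_key_algorithm: str) -> str:
    """Reject a SigningAlgorithm whose family does not match the CA key's family."""
    family = ca_key_family(ca_key_algorithm)
    if signing_algorithm not in SIGNING_ALGORITHMS[family]:
        raise ValueError(f"{signing_algorithm} is not valid for a {family} CA key; "
                         f"use one of {sorted(SIGNING_ALGORITHMS[family])}")
    return signing_algorithm


def validity_json(value: int, validity_type: str) -> str:
    """Build the JSON object bound to '{{ validity }}' in the INSERT."""
    if validity_type not in VALIDITY_TYPES:
        raise ValueError(f"unknown Validity.Type: {validity_type}")
    if value <= 0:
        raise ValueError("Validity.Value must be a positive integer")
    return json.dumps({"Type": validity_type, "Value": value})


def build_identifier(certificate_arn: str, ca_arn: str) -> str:
    """Compose the '<certificate arn>|<CA arn>' Identifier used by SELECT and DELETE."""
    # A certificate ARN is nested under its issuing CA's ARN; a mismatch means the
    # two values refer to different CAs and the lookup or delete would miss.
    if not certificate_arn.startswith(ca_arn + "/certificate/"):
        raise ValueError("certificate ARN was not issued by the given CA ARN")
    return f"{certificate_arn}|{ca_arn}"


def split_identifier(identifier: str) -> tuple:
    """Inverse of build_identifier; ARNs never contain '|', so one split suffices."""
    certificate_arn, ca_arn = identifier.split("|", 1)
    return certificate_arn, ca_arn
```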
## Permissions

To operate on the certificates resource, the following permissions are required:

- Create: `acm-pca:IssueCertificate`, `acm-pca:GetCertificate`
- Read: `acm-pca:GetCertificate`
- Delete: `acm-pca:GetCertificate`