certificates

Creates, updates, deletes or gets a certificate resource or lists certificates in a region

Overview

Name	`certificates`
Type	Resource
Description	The `AWS::ACMPCA::Certificate` resource is used to issue a certificate using your private certificate authority. For more information, see the IssueCertificate action.
Id	`awscc.acmpca.certificates`

Fields

Name	Datatype	Description
▶`api_passthrough`	`object`	Specifies X.509 certificate information to be included in the issued certificate. An `APIPassthrough` or `APICSRPassthrough` template variant must be selected, or else this parameter is ignored.
`certificate_authority_arn`	`string`	The Amazon Resource Name (ARN) for the private CA issues the certificate.
`certificate_signing_request`	`string`	The certificate signing request (CSR) for the certificate.
`signing_algorithm`	`string`	The name of the algorithm that will be used to sign the certificate to be issued. This parameter should not be confused with the `SigningAlgorithm` parameter used to sign a CSR in the `CreateCertificateAuthority` action. The specified signing algorithm family (RSA or ECDSA) must match the algorithm family of the CA's secret key.
▶`validity`	`object`	The period of time during which the certificate will be valid.
`certificate`	`string`
`region`	`string`	AWS region.

For more information, see AWS::ACMPCA::Certificate.

Methods

Name	Accessible by	Required Params
`create_resource`	`INSERT`	`CertificateAuthorityArn, CertificateSigningRequest, SigningAlgorithm, Validity, region`
`delete_resource`	`DELETE`	`Identifier, region`
`get_resource`	`SELECT`	`Identifier, region`

`SELECT` examples

Gets all properties from an individual certificate.

SELECT
  region,
  api_passthrough,
  certificate_authority_arn,
  certificate_signing_request,
  signing_algorithm,
  template_arn,
  validity,
  validity_not_before,
  certificate,
  arn
FROM awscc.acmpca.certificates
WHERE
  region = '{{ region }}' AND
  Identifier = '{{ arn }}|{{ certificate_authority_arn }}';

`INSERT` example

Use the following StackQL query and manifest file to create a new certificate resource, using stack-deploy.

Required Properties
All Properties
Manifest

/*+ create */
INSERT INTO awscc.acmpca.certificates (
  CertificateAuthorityArn,
  CertificateSigningRequest,
  SigningAlgorithm,
  Validity,
  region
)
SELECT
  '{{ certificate_authority_arn }}',
  '{{ certificate_signing_request }}',
  '{{ signing_algorithm }}',
  '{{ validity }}',
  '{{ region }}'
RETURNING
  ErrorCode,
  EventTime,
  Identifier,
  Operation,
  OperationStatus,
  RequestToken,
  ResourceModel,
  RetryAfter,
  StatusMessage,
  TypeName
;

/*+ create */
INSERT INTO awscc.acmpca.certificates (
  ApiPassthrough,
  CertificateAuthorityArn,
  CertificateSigningRequest,
  SigningAlgorithm,
  TemplateArn,
  Validity,
  ValidityNotBefore,
  region
)
SELECT
  '{{ api_passthrough }}',
  '{{ certificate_authority_arn }}',
  '{{ certificate_signing_request }}',
  '{{ signing_algorithm }}',
  '{{ template_arn }}',
  '{{ validity }}',
  '{{ validity_not_before }}',
  '{{ region }}'
RETURNING
  ErrorCode,
  EventTime,
  Identifier,
  Operation,
  OperationStatus,
  RequestToken,
  ResourceModel,
  RetryAfter,
  StatusMessage,
  TypeName
;

version: 1
name: stack name
description: stack description
providers:
- aws
globals:
- name: region
  value: '{{ vars.AWS_REGION }}'
resources:
- name: certificate
  props:
    - name: api_passthrough
      value:
        extensions:
          certificate_policies:
            - cert_policy_id: '{{ cert_policy_id }}'
              policy_qualifiers:
                - policy_qualifier_id: '{{ policy_qualifier_id }}'
                  qualifier:
                    cps_uri: '{{ cps_uri }}'
          extended_key_usage:
            - extended_key_usage_type: '{{ extended_key_usage_type }}'
              extended_key_usage_object_identifier: null
          key_usage:
            digital_signature: '{{ digital_signature }}'
            non_repudiation: '{{ non_repudiation }}'
            key_encipherment: '{{ key_encipherment }}'
            data_encipherment: '{{ data_encipherment }}'
            key_agreement: '{{ key_agreement }}'
            key_cert_sign: '{{ key_cert_sign }}'
            c_rl_sign: '{{ c_rl_sign }}'
            encipher_only: '{{ encipher_only }}'
            decipher_only: '{{ decipher_only }}'
          subject_alternative_names:
            - other_name:
                type_id: null
                value: '{{ value }}'
              rfc822_name: '{{ rfc822_name }}'
              dns_name: '{{ dns_name }}'
              directory_name:
                country: '{{ country }}'
                organization: '{{ organization }}'
                organizational_unit: '{{ organizational_unit }}'
                distinguished_name_qualifier: '{{ distinguished_name_qualifier }}'
                state: '{{ state }}'
                common_name: '{{ common_name }}'
                serial_number: '{{ serial_number }}'
                locality: '{{ locality }}'
                title: '{{ title }}'
                surname: '{{ surname }}'
                given_name: '{{ given_name }}'
                initials: '{{ initials }}'
                pseudonym: '{{ pseudonym }}'
                generation_qualifier: '{{ generation_qualifier }}'
                custom_attributes:
                  - object_identifier: null
                    value: '{{ value }}'
              edi_party_name:
                party_name: '{{ party_name }}'
                name_assigner: '{{ name_assigner }}'
              uniform_resource_identifier: '{{ uniform_resource_identifier }}'
              ip_address: '{{ ip_address }}'
              registered_id: null
          custom_extensions:
            - critical: '{{ critical }}'
              object_identifier: null
              value: '{{ value }}'
        subject: null
    - name: certificate_authority_arn
      value: '{{ certificate_authority_arn }}'
    - name: certificate_signing_request
      value: '{{ certificate_signing_request }}'
    - name: signing_algorithm
      value: '{{ signing_algorithm }}'
    - name: template_arn
      value: null
    - name: validity
      value:
        value: null
        type: '{{ type }}'
    - name: validity_not_before
      value: null

`DELETE` example

/*+ delete */
DELETE FROM awscc.acmpca.certificates
WHERE
  Identifier = '{{ arn }}|{{ certificate_authority_arn }}' AND
  region = '{{ region }}'
RETURNING
  ErrorCode,
  EventTime,
  Identifier,
  Operation,
  OperationStatus,
  RequestToken,
  ResourceModel,
  RetryAfter,
  StatusMessage,
  TypeName
;

Additional Parameters

Mutable resources in the Cloud Control provider support additional optional parameters which can be supplied with INSERT, UPDATE, or DELETE operations. These include:

Parameter	Description
`ClientToken`	A unique identifier to ensure the idempotency of the resource request. This allows the provider to accurately distinguish between retries and new requests. A client token is valid for 36 hours once used. After that, a resource request with the same client token is treated as a new request. If you do not specify a client token, one is generated for inclusion in the request.
`RoleArn`	The ARN of the IAM role used to perform this resource operation. The role specified must have the permissions required for this operation. If you do not specify a role, a temporary session is created using your AWS user credentials.
`TypeVersionId`	For private resource types, the type version to use in this resource operation. If you do not specify a resource version, the default version is used.

Permissions

To operate on the certificates resource, the following permissions are required:

Create
Read
Delete

acm-pca:IssueCertificate,
acm-pca:GetCertificate

acm-pca:GetCertificate

acm-pca:GetCertificate

Overview​

Fields​

Methods​

SELECT examples​

INSERT example​

DELETE example​

Additional Parameters​

Permissions​