AWS::ACMPCA::CertificateAuthority RevocationConfiguration
Certificate revocation information used by the CreateCertificateAuthority and UpdateCertificateAuthority actions. Your private certificate authority (CA) can configure Online Certificate Status Protocol (OCSP) support and/or maintain a certificate revocation list (CRL). OCSP returns validation information about certificates as requested by clients, and a CRL contains an updated list of certificates revoked by your CA. For more information, see RevokeCertificate in the AWS Private CA API Reference and Setting up a certificate revocation method in the AWS Private CA User Guide.
The following requirements and constraints apply to revocation configurations.
- A configuration disabling CRLs or OCSP must contain only the Enabled=False parameter, and will fail if other parameters such as CustomCname or ExpirationInDays are included.
- In a CRL configuration, the S3BucketName parameter must conform to the Amazon S3 bucket naming rules.
- A configuration containing a custom Canonical Name (CNAME) parameter for CRLs or OCSP must conform to RFC2396 restrictions on the use of special characters in a CNAME.
- In a CRL or OCSP configuration, the value of a CNAME parameter must not include a protocol prefix such as "http://" or "https://".
- To revoke a certificate, delete the resource from your template, and call the AWS Private CA RevokeCertificate API and specify the resource's certificate authority ARN.
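The constraints above are easy to get wrong in a template and only surface as a failed stack update. The following is an added example (not AWS code and not part of this reference page) that checks a RevocationConfiguration block against those constraints before deployment. It assumes simplified forms of the Amazon S3 bucket naming rules and of the RFC 2396 character restrictions, and it uses OcspCustomCname, the OCSP CNAME key from the CloudFormation schema, which this page does not name; the sample configurations are constructed.

```python
"""Pre-deployment check of an AWS::ACMPCA::CertificateAuthority
RevocationConfiguration block against the constraints listed above.
Added example, not AWS code."""
import re

# Simplified Amazon S3 bucket naming rules (assumption: the main rules only):
# 3-63 characters, lowercase letters, digits, dots and hyphens, starting and
# ending with a letter or digit, and no two adjacent dots.
_S3_BUCKET_RE = re.compile(r"^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")

# Hostname-style CNAME: dot-separated labels of letters, digits and hyphens,
# none starting or ending with a hyphen. A simplified stand-in for the
# RFC 2396 special-character restrictions (assumption).
_CNAME_LABEL = r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
_CNAME_RE = re.compile(rf"^{_CNAME_LABEL}(\.{_CNAME_LABEL})*$")


def _check_cname(value, path, problems):
    """A CNAME must be a string with no protocol prefix and only hostname characters."""
    if not isinstance(value, str):
        problems.append(f"{path}: must be a string")
        return
    if value.lower().startswith(("http://", "https://")):
        problems.append(f"{path}: must not include a protocol prefix")
        return
    if not _CNAME_RE.match(value):
        problems.append(f"{path}: contains characters not allowed in a CNAME")


def _check_disabled(block, path, problems):
    """A disabling configuration may contain only the Enabled=False parameter."""
    extra = sorted(k for k in block if k != "Enabled")
    if extra:
        problems.append(f"{path}: Enabled=False must not be combined with {', '.join(extra)}")


def _check_crl(crl, problems):
    path = "CrlConfiguration"
    if crl.get("Enabled") is False:
        _check_disabled(crl, path, problems)
        return
    bucket = crl.get("S3BucketName")
    if bucket is not None and (
        not isinstance(bucket, str) or ".." in bucket or not _S3_BUCKET_RE.match(bucket)
    ):
        problems.append(f"{path}.S3BucketName: does not follow S3 bucket naming rules")
    if "CustomCname" in crl:
        _check_cname(crl["CustomCname"], f"{path}.CustomCname", problems)


def _check_ocsp(ocsp, problems):
    path = "OcspConfiguration"
    if ocsp.get("Enabled") is False:
        _check_disabled(ocsp, path, problems)
        return
    # OcspCustomCname is the OCSP CNAME key in the CloudFormation schema.
    if "OcspCustomCname" in ocsp:
        _check_cname(ocsp["OcspCustomCname"], f"{path}.OcspCustomCname", problems)


def validate_revocation_configuration(config):
    """Return a list of problems; an empty list means no constraint was violated."""
    problems = []
    if not isinstance(config, dict):
        return ["RevocationConfiguration must be an object"]
    for key, checker in (("CrlConfiguration", _check_crl), ("OcspConfiguration", _check_ocsp)):
        block = config.get(key)
        if block is None:
            continue
        if not isinstance(block, dict):
            problems.append(f"{key}: must be an object")
            continue
        checker(block, problems)
    return problems


# Constructed sample blocks (not taken from any real template).
GOOD_CONFIG = {
    "CrlConfiguration": {
        "Enabled": True,
        "ExpirationInDays": 7,
        "S3BucketName": "example-ca-crl-bucket",
        "CustomCname": "crl.example.com",
    },
    "OcspConfiguration": {"Enabled": True, "OcspCustomCname": "ocsp.example.com"},
}

BAD_CONFIG = {
    # Disabling the CRL while still passing ExpirationInDays is rejected.
    "CrlConfiguration": {"Enabled": False, "ExpirationInDays": 7},
    # The OCSP CNAME carries a protocol prefix.
    "OcspConfiguration": {"Enabled": True, "OcspCustomCname": "https://ocsp.example.com"},
}

if __name__ == "__main__":
    for name, cfg in (("GOOD_CONFIG", GOOD_CONFIG), ("BAD_CONFIG", BAD_CONFIG)):
        print(name, validate_revocation_configuration(cfg) or "ok")
```

Run the checker over the RevocationConfiguration value of each AWS::ACMPCA::CertificateAuthority resource in a parsed template; a non-empty list identifies the offending key and which of the constraints above it breaks, so the problem is caught before the CreateCertificateAuthority or UpdateCertificateAuthority call fails.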
Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:
JSON
{
  "CrlConfiguration" : CrlConfiguration,
  "OcspConfiguration" : OcspConfiguration
}
Properties
- CrlConfiguration
  Configuration of the certificate revocation list (CRL), if any, maintained by your private CA.
  Required: No
  Type: CrlConfiguration
  Update requires: No interruption
- OcspConfiguration
  Configuration of Online Certificate Status Protocol (OCSP) support, if any, maintained by your private CA.
  Required: No
  Type: OcspConfiguration
  Update requires: No interruption