software.amazon.awscdk.services.acmpca

Class CfnCertificateAuthority

java.lang.Object

software.constructs.Construct

software.amazon.awscdk.core.Construct

software.amazon.awscdk.core.CfnElement

software.amazon.awscdk.core.CfnRefElement

software.amazon.awscdk.core.CfnResource

software.amazon.awscdk.services.acmpca.CfnCertificateAuthority

All Implemented Interfaces:

IConstruct, IDependable, IInspectable

@Generated(value="jsii-pacmak/1.74.0 (build 6d08790)",
           date="2023-03-14T16:25:20.762Z")
public class CfnCertificateAuthority
extends CfnResource
implements IInspectable

A CloudFormation `AWS::ACMPCA::CertificateAuthority`.

Use the AWS::ACMPCA::CertificateAuthority resource to create a private CA. Once the CA exists, you can use the AWS::ACMPCA::Certificate resource to issue a new CA certificate. Alternatively, you can issue a CA certificate using an on-premises CA, and then use the AWS::ACMPCA::CertificateAuthorityActivation resource to import the new CA certificate and activate the CA.

Before removing a AWS::ACMPCA::CertificateAuthority resource from the CloudFormation stack, disable the affected CA. Otherwise, the action will fail. You can disable the CA by removing its associated AWS::ACMPCA::CertificateAuthorityActivation resource from CloudFormation.

Example:

 CfnCertificateAuthority cfnCertificateAuthority = CfnCertificateAuthority.Builder.create(this, "CA")
         .type("ROOT")
         .keyAlgorithm("RSA_2048")
         .signingAlgorithm("SHA256WITHRSA")
         .subject(SubjectProperty.builder()
                 .country("US")
                 .organization("string")
                 .organizationalUnit("string")
                 .distinguishedNameQualifier("string")
                 .state("string")
                 .commonName("123")
                 .serialNumber("string")
                 .locality("string")
                 .title("string")
                 .surname("string")
                 .givenName("string")
                 .initials("DG")
                 .pseudonym("string")
                 .generationQualifier("DBG")
                 .build())
         .build();
 

Nested Class Summary

Nested Classes

Modifier and Type	Class and Description
static interface	CfnCertificateAuthority.AccessDescriptionProperty Provides access information used by the `authorityInfoAccess` and `subjectInfoAccess` extensions described in [RFC 5280](https://docs.aws.amazon.com/https://datatracker.ietf.org/doc/html/rfc5280) .
static interface	CfnCertificateAuthority.AccessMethodProperty Describes the type and format of extension access.
static class	CfnCertificateAuthority.Builder A fluent builder for CfnCertificateAuthority.
static interface	CfnCertificateAuthority.CrlConfigurationProperty Contains configuration information for a certificate revocation list (CRL).
static interface	CfnCertificateAuthority.CsrExtensionsProperty Describes the certificate extensions to be added to the certificate signing request (CSR).
static interface	CfnCertificateAuthority.CustomAttributeProperty Defines the X.500 relative distinguished name (RDN).
static interface	CfnCertificateAuthority.EdiPartyNameProperty Describes an Electronic Data Interchange (EDI) entity as described in as defined in [Subject Alternative Name](https://docs.aws.amazon.com/https://datatracker.ietf.org/doc/html/rfc5280) in RFC 5280.
static interface	CfnCertificateAuthority.GeneralNameProperty Describes an ASN.1 X.400 `GeneralName` as defined in [RFC 5280](https://docs.aws.amazon.com/https://datatracker.ietf.org/doc/html/rfc5280) .
static interface	CfnCertificateAuthority.KeyUsageProperty Defines one or more purposes for which the key contained in the certificate can be used.
static interface	CfnCertificateAuthority.OcspConfigurationProperty Contains information to enable and configure Online Certificate Status Protocol (OCSP) for validating certificate revocation status.
static interface	CfnCertificateAuthority.OtherNameProperty Defines a custom ASN.1 X.400 `GeneralName` using an object identifier (OID) and value.
static interface	CfnCertificateAuthority.RevocationConfigurationProperty Certificate revocation information used by the [CreateCertificateAuthority](https://docs.aws.amazon.com/privateca/latest/APIReference/API_CreateCertificateAuthority.html) and [UpdateCertificateAuthority](https://docs.aws.amazon.com/privateca/latest/APIReference/API_UpdateCertificateAuthority.html) actions.
static interface	CfnCertificateAuthority.SubjectProperty ASN1 subject for the certificate authority.

Nested classes/interfaces inherited from interface software.amazon.awscdk.core.IInspectable

IInspectable.Jsii$Default, IInspectable.Jsii$Proxy

Nested classes/interfaces inherited from interface software.amazon.awscdk.core.IConstruct

IConstruct.Jsii$Default

Field Summary

Fields

Modifier and Type	Field and Description
static java.lang.String	CFN_RESOURCE_TYPE_NAME The CloudFormation resource type name for this resource class.

Constructor Summary

Constructors

Modifier	Constructor and Description
	CfnCertificateAuthority(Construct scope, java.lang.String id, CfnCertificateAuthorityProps props) Create a new `AWS::ACMPCA::CertificateAuthority`.
protected	CfnCertificateAuthority(software.amazon.jsii.JsiiObject.InitializationMode initializationMode)
protected	CfnCertificateAuthority(software.amazon.jsii.JsiiObjectRef objRef)

Method Summary

Modifier and Type	Method and Description
java.lang.String	getAttrArn() The Amazon Resource Name (ARN) for the private CA that issued the certificate.
java.lang.String	getAttrCertificateSigningRequest() The Base64 PEM-encoded certificate signing request (CSR) for your certificate authority certificate.
protected java.util.Map<java.lang.String,java.lang.Object>	getCfnProperties()
java.lang.Object	getCsrExtensions() Specifies information to be added to the extension section of the certificate signing request (CSR).
java.lang.String	getKeyAlgorithm() Type of the public key algorithm and size, in bits, of the key pair that your CA creates when it issues a certificate.
java.lang.String	getKeyStorageSecurityStandard() Specifies a cryptographic key management compliance standard used for handling CA keys.
java.lang.Object	getRevocationConfiguration() Certificate revocation information used by the [CreateCertificateAuthority](https://docs.aws.amazon.com/privateca/latest/APIReference/API_CreateCertificateAuthority.html) and [UpdateCertificateAuthority](https://docs.aws.amazon.com/privateca/latest/APIReference/API_UpdateCertificateAuthority.html) actions.
java.lang.String	getSigningAlgorithm() Name of the algorithm your private CA uses to sign certificate requests.
java.lang.Object	getSubject() Structure that contains X.500 distinguished name information for your private CA.
TagManager	getTags() Key-value pairs that will be attached to the new private CA.
java.lang.String	getType() Type of your private CA.
java.lang.String	getUsageMode() Specifies whether the CA issues general-purpose certificates that typically require a revocation mechanism, or short-lived certificates that may optionally omit revocation because they expire quickly.
void	inspect(TreeInspector inspector) Examines the CloudFormation resource and discloses attributes.
protected java.util.Map<java.lang.String,java.lang.Object>	renderProperties(java.util.Map<java.lang.String,java.lang.Object> props)
void	setCsrExtensions(CfnCertificateAuthority.CsrExtensionsProperty value) Specifies information to be added to the extension section of the certificate signing request (CSR).
void	setCsrExtensions(IResolvable value) Specifies information to be added to the extension section of the certificate signing request (CSR).
void	setKeyAlgorithm(java.lang.String value) Type of the public key algorithm and size, in bits, of the key pair that your CA creates when it issues a certificate.
void	setKeyStorageSecurityStandard(java.lang.String value) Specifies a cryptographic key management compliance standard used for handling CA keys.
void	setRevocationConfiguration(CfnCertificateAuthority.RevocationConfigurationProperty value) Certificate revocation information used by the [CreateCertificateAuthority](https://docs.aws.amazon.com/privateca/latest/APIReference/API_CreateCertificateAuthority.html) and [UpdateCertificateAuthority](https://docs.aws.amazon.com/privateca/latest/APIReference/API_UpdateCertificateAuthority.html) actions.
void	setRevocationConfiguration(IResolvable value) Certificate revocation information used by the [CreateCertificateAuthority](https://docs.aws.amazon.com/privateca/latest/APIReference/API_CreateCertificateAuthority.html) and [UpdateCertificateAuthority](https://docs.aws.amazon.com/privateca/latest/APIReference/API_UpdateCertificateAuthority.html) actions.
void	setSigningAlgorithm(java.lang.String value) Name of the algorithm your private CA uses to sign certificate requests.
void	setSubject(CfnCertificateAuthority.SubjectProperty value) Structure that contains X.500 distinguished name information for your private CA.
void	setSubject(IResolvable value) Structure that contains X.500 distinguished name information for your private CA.
void	setType(java.lang.String value) Type of your private CA.
void	setUsageMode(java.lang.String value) Specifies whether the CA issues general-purpose certificates that typically require a revocation mechanism, or short-lived certificates that may optionally omit revocation because they expire quickly.

Methods inherited from class software.amazon.awscdk.core.CfnResource

addDeletionOverride, addDependsOn, addMetadata, addOverride, addPropertyDeletionOverride, addPropertyOverride, applyRemovalPolicy, applyRemovalPolicy, applyRemovalPolicy, getAtt, getCfnOptions, getCfnResourceType, getMetadata, getUpdatedProperites, isCfnResource, shouldSynthesize, toString, validateProperties

Methods inherited from class software.amazon.awscdk.core.CfnRefElement

getRef

Methods inherited from class software.amazon.awscdk.core.CfnElement

getCreationStack, getLogicalId, getStack, isCfnElement, overrideLogicalId

Methods inherited from class software.amazon.awscdk.core.Construct

getNode, isConstruct, onPrepare, onSynthesize, onValidate, prepare, synthesize, validate

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait

Field Detail

CFN_RESOURCE_TYPE_NAME

public static final java.lang.String CFN_RESOURCE_TYPE_NAME

The CloudFormation resource type name for this resource class.

Constructor Detail

CfnCertificateAuthority

protected CfnCertificateAuthority(software.amazon.jsii.JsiiObjectRef objRef)

CfnCertificateAuthority

protected CfnCertificateAuthority(software.amazon.jsii.JsiiObject.InitializationMode initializationMode)

CfnCertificateAuthority

public CfnCertificateAuthority(Construct scope,
                               java.lang.String id,
                               CfnCertificateAuthorityProps props)

Create a new `AWS::ACMPCA::CertificateAuthority`.

Parameters:

scope - - scope in which this resource is defined. This parameter is required.

id - - scoped id of the resource. This parameter is required.

props - - resource properties. This parameter is required.

Method Detail

inspect

public void inspect(TreeInspector inspector)

Examines the CloudFormation resource and discloses attributes.

Specified by:

inspect in interface IInspectable

Parameters:

inspector - - tree inspector to collect and process attributes. This parameter is required.

renderProperties

protected java.util.Map<java.lang.String,java.lang.Object> renderProperties(java.util.Map<java.lang.String,java.lang.Object> props)

Overrides:

renderProperties in class CfnResource

Parameters:

props - This parameter is required.

getAttrArn

public java.lang.String getAttrArn()

The Amazon Resource Name (ARN) for the private CA that issued the certificate.

getAttrCertificateSigningRequest

public java.lang.String getAttrCertificateSigningRequest()

The Base64 PEM-encoded certificate signing request (CSR) for your certificate authority certificate.

getCfnProperties

protected java.util.Map<java.lang.String,java.lang.Object> getCfnProperties()

Overrides:

getCfnProperties in class CfnResource

getTags

public TagManager getTags()

Key-value pairs that will be attached to the new private CA.

You can associate up to 50 tags with a private CA. For information using tags with IAM to manage permissions, see Controlling Access Using IAM Tags .

getKeyAlgorithm

public java.lang.String getKeyAlgorithm()

Type of the public key algorithm and size, in bits, of the key pair that your CA creates when it issues a certificate.

When you create a subordinate CA, you must use a key algorithm supported by the parent CA.

setKeyAlgorithm

public void setKeyAlgorithm(java.lang.String value)

Type of the public key algorithm and size, in bits, of the key pair that your CA creates when it issues a certificate.

When you create a subordinate CA, you must use a key algorithm supported by the parent CA.

getSigningAlgorithm

public java.lang.String getSigningAlgorithm()

Name of the algorithm your private CA uses to sign certificate requests.

This parameter should not be confused with the SigningAlgorithm parameter used to sign certificates when they are issued.

setSigningAlgorithm

public void setSigningAlgorithm(java.lang.String value)

Name of the algorithm your private CA uses to sign certificate requests.

This parameter should not be confused with the SigningAlgorithm parameter used to sign certificates when they are issued.

getSubject

public java.lang.Object getSubject()

Structure that contains X.500 distinguished name information for your private CA.

setSubject

public void setSubject(IResolvable value)

Structure that contains X.500 distinguished name information for your private CA.

setSubject

public void setSubject(CfnCertificateAuthority.SubjectProperty value)

Structure that contains X.500 distinguished name information for your private CA.

getType

public java.lang.String getType()

Type of your private CA.

setType

public void setType(java.lang.String value)

Type of your private CA.

getCsrExtensions

public java.lang.Object getCsrExtensions()

Specifies information to be added to the extension section of the certificate signing request (CSR).

setCsrExtensions

public void setCsrExtensions(IResolvable value)

Specifies information to be added to the extension section of the certificate signing request (CSR).

setCsrExtensions

public void setCsrExtensions(CfnCertificateAuthority.CsrExtensionsProperty value)

Specifies information to be added to the extension section of the certificate signing request (CSR).

getKeyStorageSecurityStandard

public java.lang.String getKeyStorageSecurityStandard()

Specifies a cryptographic key management compliance standard used for handling CA keys.

Default: FIPS_140_2_LEVEL_3_OR_HIGHER

Note: FIPS_140_2_LEVEL_3_OR_HIGHER is not supported in the following Regions:

• ap-northeast-3
• ap-southeast-3

When creating a CA in these Regions, you must provide FIPS_140_2_LEVEL_2_OR_HIGHER as the argument for KeyStorageSecurityStandard . Failure to do this results in an InvalidArgsException with the message, "A certificate authority cannot be created in this region with the specified security standard."

setKeyStorageSecurityStandard

public void setKeyStorageSecurityStandard(java.lang.String value)

Specifies a cryptographic key management compliance standard used for handling CA keys.

Default: FIPS_140_2_LEVEL_3_OR_HIGHER

Note: FIPS_140_2_LEVEL_3_OR_HIGHER is not supported in the following Regions:

• ap-northeast-3
• ap-southeast-3

When creating a CA in these Regions, you must provide FIPS_140_2_LEVEL_2_OR_HIGHER as the argument for KeyStorageSecurityStandard . Failure to do this results in an InvalidArgsException with the message, "A certificate authority cannot be created in this region with the specified security standard."

getRevocationConfiguration

public java.lang.Object getRevocationConfiguration()

Certificate revocation information used by the [CreateCertificateAuthority](https://docs.aws.amazon.com/privateca/latest/APIReference/API_CreateCertificateAuthority.html) and [UpdateCertificateAuthority](https://docs.aws.amazon.com/privateca/latest/APIReference/API_UpdateCertificateAuthority.html) actions. Your private certificate authority (CA) can configure Online Certificate Status Protocol (OCSP) support and/or maintain a certificate revocation list (CRL). OCSP returns validation information about certificates as requested by clients, and a CRL contains an updated list of certificates revoked by your CA. For more information, see [RevokeCertificate](https://docs.aws.amazon.com/privateca/latest/APIReference/API_RevokeCertificate.html) in the *AWS Private CA API Reference* and [Setting up a certificate revocation method](https://docs.aws.amazon.com/privateca/latest/userguide/revocation-setup.html) in the *AWS Private CA User Guide* .

The following requirements apply to revocation configurations.

• A configuration disabling CRLs or OCSP must contain only the Enabled=False parameter, and will fail if other parameters such as CustomCname or ExpirationInDays are included.
• In a CRL configuration, the S3BucketName parameter must conform to the Amazon S3 bucket naming rules .
• A configuration containing a custom Canonical Name (CNAME) parameter for CRLs or OCSP must conform to RFC2396 restrictions on the use of special characters in a CNAME.
• In a CRL or OCSP configuration, the value of a CNAME parameter must not include a protocol prefix such as "http://" or "https://".

setRevocationConfiguration

public void setRevocationConfiguration(IResolvable value)

Certificate revocation information used by the [CreateCertificateAuthority](https://docs.aws.amazon.com/privateca/latest/APIReference/API_CreateCertificateAuthority.html) and [UpdateCertificateAuthority](https://docs.aws.amazon.com/privateca/latest/APIReference/API_UpdateCertificateAuthority.html) actions. Your private certificate authority (CA) can configure Online Certificate Status Protocol (OCSP) support and/or maintain a certificate revocation list (CRL). OCSP returns validation information about certificates as requested by clients, and a CRL contains an updated list of certificates revoked by your CA. For more information, see [RevokeCertificate](https://docs.aws.amazon.com/privateca/latest/APIReference/API_RevokeCertificate.html) in the *AWS Private CA API Reference* and [Setting up a certificate revocation method](https://docs.aws.amazon.com/privateca/latest/userguide/revocation-setup.html) in the *AWS Private CA User Guide* .

The following requirements apply to revocation configurations.

• A configuration disabling CRLs or OCSP must contain only the Enabled=False parameter, and will fail if other parameters such as CustomCname or ExpirationInDays are included.
• In a CRL configuration, the S3BucketName parameter must conform to the Amazon S3 bucket naming rules .
• A configuration containing a custom Canonical Name (CNAME) parameter for CRLs or OCSP must conform to RFC2396 restrictions on the use of special characters in a CNAME.
• In a CRL or OCSP configuration, the value of a CNAME parameter must not include a protocol prefix such as "http://" or "https://".

setRevocationConfiguration

public void setRevocationConfiguration(CfnCertificateAuthority.RevocationConfigurationProperty value)

Certificate revocation information used by the [CreateCertificateAuthority](https://docs.aws.amazon.com/privateca/latest/APIReference/API_CreateCertificateAuthority.html) and [UpdateCertificateAuthority](https://docs.aws.amazon.com/privateca/latest/APIReference/API_UpdateCertificateAuthority.html) actions. Your private certificate authority (CA) can configure Online Certificate Status Protocol (OCSP) support and/or maintain a certificate revocation list (CRL). OCSP returns validation information about certificates as requested by clients, and a CRL contains an updated list of certificates revoked by your CA. For more information, see [RevokeCertificate](https://docs.aws.amazon.com/privateca/latest/APIReference/API_RevokeCertificate.html) in the *AWS Private CA API Reference* and [Setting up a certificate revocation method](https://docs.aws.amazon.com/privateca/latest/userguide/revocation-setup.html) in the *AWS Private CA User Guide* .

The following requirements apply to revocation configurations.

• A configuration disabling CRLs or OCSP must contain only the Enabled=False parameter, and will fail if other parameters such as CustomCname or ExpirationInDays are included.
• In a CRL configuration, the S3BucketName parameter must conform to the Amazon S3 bucket naming rules .
• A configuration containing a custom Canonical Name (CNAME) parameter for CRLs or OCSP must conform to RFC2396 restrictions on the use of special characters in a CNAME.
• In a CRL or OCSP configuration, the value of a CNAME parameter must not include a protocol prefix such as "http://" or "https://".

getUsageMode

public java.lang.String getUsageMode()

Specifies whether the CA issues general-purpose certificates that typically require a revocation mechanism, or short-lived certificates that may optionally omit revocation because they expire quickly.

Short-lived certificate validity is limited to seven days.

The default value is GENERAL_PURPOSE.

setUsageMode

public void setUsageMode(java.lang.String value)

Specifies whether the CA issues general-purpose certificates that typically require a revocation mechanism, or short-lived certificates that may optionally omit revocation because they expire quickly.

Short-lived certificate validity is limited to seven days.

The default value is GENERAL_PURPOSE.