@Generated(value="jsii-pacmak/1.74.0 (build 6d08790)", date="2023-03-14T16:25:20.762Z") public class CfnCertificateAuthority extends CfnResource implements IInspectable
Use the AWS::ACMPCA::CertificateAuthority resource to create a private CA. Once the CA exists, you can use the AWS::ACMPCA::Certificate resource to issue a new CA certificate. Alternatively, you can issue a CA certificate using an on-premises CA, and then use the AWS::ACMPCA::CertificateAuthorityActivation resource to import the new CA certificate and activate the CA.
Before removing an AWS::ACMPCA::CertificateAuthority resource from the CloudFormation stack, disable the affected CA. Otherwise, the action will fail. You can disable the CA by removing its associated AWS::ACMPCA::CertificateAuthorityActivation resource from CloudFormation.
Example:
    // Root CA with an RSA-2048 key, signing with SHA-256; the Subject values below are placeholders.
    CfnCertificateAuthority cfnCertificateAuthority = CfnCertificateAuthority.Builder.create(this, "CA")
        .type("ROOT")
        .keyAlgorithm("RSA_2048")
        .signingAlgorithm("SHA256WITHRSA")
        .subject(SubjectProperty.builder()
            .country("US")
            .organization("string")
            .organizationalUnit("string")
            .distinguishedNameQualifier("string")
            .state("string")
            .commonName("123")
            .serialNumber("string")
            .locality("string")
            .title("string")
            .surname("string")
            .givenName("string")
            .initials("DG")
            .pseudonym("string")
            .generationQualifier("DBG")
            .build())
        .build();
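The description above lists three resources (the CA, the CA certificate, and the activation) without showing how they are wired together. The following stack, an added example and not code from the CDK Javadoc or from AWS, creates a root CA, self-signs its CSR through AWS::ACMPCA::Certificate using the AWS-managed root CA template, and then imports the result with AWS::ACMPCA::CertificateAuthorityActivation. It assumes CDK v1 package names (`software.amazon.awscdk.core`, `software.amazon.awscdk.services.acmpca`), a hypothetical stack class name, and constructed subject values; the template ARN is the standard AWS-managed `RootCACertificate/V1` template.

```java
// Added example (not from the CDK Javadoc or AWS): root CA + self-signed CA certificate + activation.
// Assumes CDK v1 package names, a hypothetical stack class, and constructed subject values.
import software.amazon.awscdk.core.Construct;
import software.amazon.awscdk.core.RemovalPolicy;
import software.amazon.awscdk.core.Stack;
import software.amazon.awscdk.core.StackProps;
import software.amazon.awscdk.services.acmpca.CfnCertificate;
import software.amazon.awscdk.services.acmpca.CfnCertificateAuthority;
import software.amazon.awscdk.services.acmpca.CfnCertificateAuthorityActivation;

public class PrivateRootCaStack extends Stack {

    public PrivateRootCaStack(final Construct scope, final String id, final StackProps props) {
        super(scope, id, props);

        // 1. The CA itself. Until it is activated it only exposes a CSR (attrCertificateSigningRequest).
        CfnCertificateAuthority ca = CfnCertificateAuthority.Builder.create(this, "RootCa")
            .type("ROOT")
            .keyAlgorithm("RSA_4096")
            .signingAlgorithm("SHA512WITHRSA")
            // Stated explicitly so the choice is reviewable. LEVEL_3 is the default, but it is not
            // offered in every Region; in those Regions LEVEL_2 must be requested instead.
            .keyStorageSecurityStandard("FIPS_140_2_LEVEL_3_OR_HIGHER")
            .subject(CfnCertificateAuthority.SubjectProperty.builder()
                .country("US")
                .organization("Example Corp")                 // constructed value
                .organizationalUnit("Platform Security")      // constructed value
                .commonName("Example Corp Internal Root CA")  // constructed value
                .build())
            .build();

        // 2. Self-sign the CA's own CSR. The CSR and ARN come from the attributes of the CA resource,
        //    so CloudFormation orders the resources correctly without an explicit DependsOn.
        CfnCertificate caCert = CfnCertificate.Builder.create(this, "RootCaCert")
            .certificateAuthorityArn(ca.getAttrArn())
            .certificateSigningRequest(ca.getAttrCertificateSigningRequest())
            .signingAlgorithm("SHA512WITHRSA")
            .templateArn("arn:aws:acm-pca:::template/RootCACertificate/V1")
            .validity(CfnCertificate.ValidityProperty.builder()
                .type("YEARS")
                .value(10)
                .build())
            .build();

        // 3. Import the issued certificate and move the CA to ACTIVE. Removing this resource later
        //    disables the CA, which is the prerequisite for deleting the CA resource itself.
        CfnCertificateAuthorityActivation.Builder.create(this, "RootCaActivation")
            .certificateAuthorityArn(ca.getAttrArn())
            .certificate(caCert.getAttrCertificate())
            .status("ACTIVE")
            .build();

        // Keep the root key material if the stack is torn down by mistake; the CA can still be
        // deleted deliberately through the console or API after it has been disabled.
        ca.applyRemovalPolicy(RemovalPolicy.RETAIN);
    }
}
```

For a subordinate CA the same three resources apply, but the CSR is signed by the parent (an ACM PCA root via AWS::ACMPCA::Certificate with a subordinate template, or an on-premises CA out of band), and the activation resource then also carries the `certificateChain` property.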
Modifier and Type | Class and Description |
---|---|
static interface | CfnCertificateAuthority.AccessDescriptionProperty: Provides access information used by the `authorityInfoAccess` and `subjectInfoAccess` extensions described in [RFC 5280](https://datatracker.ietf.org/doc/html/rfc5280). |
static interface | CfnCertificateAuthority.AccessMethodProperty: Describes the type and format of extension access. |
static class | CfnCertificateAuthority.Builder: A fluent builder for CfnCertificateAuthority. |
static interface | CfnCertificateAuthority.CrlConfigurationProperty: Contains configuration information for a certificate revocation list (CRL). |
static interface | CfnCertificateAuthority.CsrExtensionsProperty: Describes the certificate extensions to be added to the certificate signing request (CSR). |
static interface | CfnCertificateAuthority.CustomAttributeProperty: Defines an X.500 relative distinguished name (RDN). |
static interface | CfnCertificateAuthority.EdiPartyNameProperty: Describes an Electronic Data Interchange (EDI) entity as defined in [Subject Alternative Name](https://datatracker.ietf.org/doc/html/rfc5280) in RFC 5280. |
static interface | CfnCertificateAuthority.GeneralNameProperty: Describes an ASN.1 `GeneralName` as defined in [RFC 5280](https://datatracker.ietf.org/doc/html/rfc5280). |
static interface | CfnCertificateAuthority.KeyUsageProperty: Defines one or more purposes for which the key contained in the certificate can be used. |
static interface | CfnCertificateAuthority.OcspConfigurationProperty: Contains information to enable and configure Online Certificate Status Protocol (OCSP) for validating certificate revocation status. |
static interface | CfnCertificateAuthority.OtherNameProperty: Defines a custom ASN.1 `GeneralName` using an object identifier (OID) and value. |
static interface | CfnCertificateAuthority.RevocationConfigurationProperty: Certificate revocation information used by the [CreateCertificateAuthority](https://docs.aws.amazon.com/privateca/latest/APIReference/API_CreateCertificateAuthority.html) and [UpdateCertificateAuthority](https://docs.aws.amazon.com/privateca/latest/APIReference/API_UpdateCertificateAuthority.html) actions. |
static interface | CfnCertificateAuthority.SubjectProperty: ASN.1 subject for the certificate authority. |
Nested classes/interfaces inherited from interface IInspectable: IInspectable.Jsii$Default, IInspectable.Jsii$Proxy
Nested classes/interfaces inherited from interface IConstruct: IConstruct.Jsii$Default
Modifier and Type | Field and Description |
---|---|
static java.lang.String | CFN_RESOURCE_TYPE_NAME: The CloudFormation resource type name for this resource class. |
Modifier | Constructor and Description |
---|---|
| CfnCertificateAuthority(Construct scope, java.lang.String id, CfnCertificateAuthorityProps props): Create a new `AWS::ACMPCA::CertificateAuthority`. |
protected | CfnCertificateAuthority(software.amazon.jsii.JsiiObject.InitializationMode initializationMode) |
protected | CfnCertificateAuthority(software.amazon.jsii.JsiiObjectRef objRef) |
Modifier and Type | Method and Description |
---|---|
java.lang.String | getAttrArn(): The Amazon Resource Name (ARN) of the private CA created by this resource. |
java.lang.String | getAttrCertificateSigningRequest(): The Base64 PEM-encoded certificate signing request (CSR) for your certificate authority certificate. |
protected java.util.Map<java.lang.String,java.lang.Object> | getCfnProperties() |
java.lang.Object | getCsrExtensions(): Specifies information to be added to the extension section of the certificate signing request (CSR). |
java.lang.String | getKeyAlgorithm(): Type of the public key algorithm and size, in bits, of the CA's own key pair, which is generated when the CA is created. |
java.lang.String | getKeyStorageSecurityStandard(): Specifies a cryptographic key management compliance standard used for handling CA keys. |
java.lang.Object | getRevocationConfiguration(): Certificate revocation information used by the [CreateCertificateAuthority](https://docs.aws.amazon.com/privateca/latest/APIReference/API_CreateCertificateAuthority.html) and [UpdateCertificateAuthority](https://docs.aws.amazon.com/privateca/latest/APIReference/API_UpdateCertificateAuthority.html) actions. |
java.lang.String | getSigningAlgorithm(): Name of the algorithm your private CA uses to sign certificate requests. |
java.lang.Object | getSubject(): Structure that contains X.500 distinguished name information for your private CA. |
TagManager | getTags(): Key-value pairs that will be attached to the new private CA. |
java.lang.String | getType(): Type of your private CA. |
java.lang.String | getUsageMode(): Specifies whether the CA issues general-purpose certificates that typically require a revocation mechanism, or short-lived certificates that may optionally omit revocation because they expire quickly. |
void | inspect(TreeInspector inspector): Examines the CloudFormation resource and discloses attributes. |
protected java.util.Map<java.lang.String,java.lang.Object> | renderProperties(java.util.Map<java.lang.String,java.lang.Object> props) |
void | setCsrExtensions(CfnCertificateAuthority.CsrExtensionsProperty value): Specifies information to be added to the extension section of the certificate signing request (CSR). |
void | setCsrExtensions(IResolvable value): Specifies information to be added to the extension section of the certificate signing request (CSR). |
void | setKeyAlgorithm(java.lang.String value): Type of the public key algorithm and size, in bits, of the CA's own key pair, which is generated when the CA is created. |
void | setKeyStorageSecurityStandard(java.lang.String value): Specifies a cryptographic key management compliance standard used for handling CA keys. |
void | setRevocationConfiguration(CfnCertificateAuthority.RevocationConfigurationProperty value): Certificate revocation information used by the [CreateCertificateAuthority](https://docs.aws.amazon.com/privateca/latest/APIReference/API_CreateCertificateAuthority.html) and [UpdateCertificateAuthority](https://docs.aws.amazon.com/privateca/latest/APIReference/API_UpdateCertificateAuthority.html) actions. |
void | setRevocationConfiguration(IResolvable value): Certificate revocation information used by the [CreateCertificateAuthority](https://docs.aws.amazon.com/privateca/latest/APIReference/API_CreateCertificateAuthority.html) and [UpdateCertificateAuthority](https://docs.aws.amazon.com/privateca/latest/APIReference/API_UpdateCertificateAuthority.html) actions. |
void | setSigningAlgorithm(java.lang.String value): Name of the algorithm your private CA uses to sign certificate requests. |
void | setSubject(CfnCertificateAuthority.SubjectProperty value): Structure that contains X.500 distinguished name information for your private CA. |
void | setSubject(IResolvable value): Structure that contains X.500 distinguished name information for your private CA. |
void | setType(java.lang.String value): Type of your private CA. |
void | setUsageMode(java.lang.String value): Specifies whether the CA issues general-purpose certificates that typically require a revocation mechanism, or short-lived certificates that may optionally omit revocation because they expire quickly. |
Methods inherited from class CfnResource: addDeletionOverride, addDependsOn, addMetadata, addOverride, addPropertyDeletionOverride, addPropertyOverride, applyRemovalPolicy, applyRemovalPolicy, applyRemovalPolicy, getAtt, getCfnOptions, getCfnResourceType, getMetadata, getUpdatedProperites, isCfnResource, shouldSynthesize, toString, validateProperties
Methods inherited from class CfnRefElement: getRef
Methods inherited from class CfnElement: getCreationStack, getLogicalId, getStack, isCfnElement, overrideLogicalId
Methods inherited from class Construct: getNode, isConstruct, onPrepare, onSynthesize, onValidate, prepare, synthesize, validate
public static final java.lang.String CFN_RESOURCE_TYPE_NAME
protected CfnCertificateAuthority(software.amazon.jsii.JsiiObjectRef objRef)
protected CfnCertificateAuthority(software.amazon.jsii.JsiiObject.InitializationMode initializationMode)
public CfnCertificateAuthority(Construct scope, java.lang.String id, CfnCertificateAuthorityProps props)
Parameters:
scope - scope in which this resource is defined. This parameter is required.
id - scoped id of the resource. This parameter is required.
props - resource properties. This parameter is required.
public void inspect(TreeInspector inspector)
Specified by: inspect in interface IInspectable
Parameters:
inspector - tree inspector to collect and process attributes. This parameter is required.
protected java.util.Map<java.lang.String,java.lang.Object> renderProperties(java.util.Map<java.lang.String,java.lang.Object> props)
Overrides: renderProperties in class CfnResource
Parameters:
props - This parameter is required.
public java.lang.String getAttrArn()
public java.lang.String getAttrCertificateSigningRequest()
protected java.util.Map<java.lang.String,java.lang.Object> getCfnProperties()
Overrides: getCfnProperties in class CfnResource
public TagManager getTags()
You can associate up to 50 tags with a private CA. For information on using tags with IAM to manage permissions, see Controlling Access Using IAM Tags.
public java.lang.String getKeyAlgorithm()
When you create a subordinate CA, you must use a key algorithm supported by the parent CA.
public void setKeyAlgorithm(java.lang.String value)
When you create a subordinate CA, you must use a key algorithm supported by the parent CA.
public java.lang.String getSigningAlgorithm()
This parameter should not be confused with the SigningAlgorithm parameter used to sign certificates when they are issued.
public void setSigningAlgorithm(java.lang.String value)
This parameter should not be confused with the SigningAlgorithm parameter used to sign certificates when they are issued.
public java.lang.Object getSubject()
public void setSubject(IResolvable value)
public void setSubject(CfnCertificateAuthority.SubjectProperty value)
public java.lang.String getType()
public void setType(java.lang.String value)
public java.lang.Object getCsrExtensions()
public void setCsrExtensions(IResolvable value)
public void setCsrExtensions(CfnCertificateAuthority.CsrExtensionsProperty value)
public java.lang.String getKeyStorageSecurityStandard()
Default: FIPS_140_2_LEVEL_3_OR_HIGHER
Note: FIPS_140_2_LEVEL_3_OR_HIGHER is not supported in the following Regions:
When creating a CA in these Regions, you must provide FIPS_140_2_LEVEL_2_OR_HIGHER as the argument for KeyStorageSecurityStandard. Failure to do this results in an InvalidArgsException with the message "A certificate authority cannot be created in this region with the specified security standard."
public void setKeyStorageSecurityStandard(java.lang.String value)
Default: FIPS_140_2_LEVEL_3_OR_HIGHER
Note: FIPS_140_2_LEVEL_3_OR_HIGHER is not supported in the following Regions:
When creating a CA in these Regions, you must provide FIPS_140_2_LEVEL_2_OR_HIGHER as the argument for KeyStorageSecurityStandard. Failure to do this results in an InvalidArgsException with the message "A certificate authority cannot be created in this region with the specified security standard."
public java.lang.Object getRevocationConfiguration()
The following requirements apply to revocation configurations.
- A configuration disabling CRLs or OCSP must contain only the Enabled=False parameter, and will fail if other parameters such as CustomCname or ExpirationInDays are included.
- In a CRL configuration, the S3BucketName parameter must conform to the Amazon S3 bucket naming rules.
- A configuration containing a custom Canonical Name (CNAME) parameter for CRLs or OCSP must conform to RFC 2396 restrictions on the use of special characters in a CNAME.
- In a CRL or OCSP configuration, the value of a CNAME parameter must not include a protocol prefix such as "http://" or "https://".
public void setRevocationConfiguration(IResolvable value)
The following requirements apply to revocation configurations.
- A configuration disabling CRLs or OCSP must contain only the Enabled=False parameter, and will fail if other parameters such as CustomCname or ExpirationInDays are included.
- In a CRL configuration, the S3BucketName parameter must conform to the Amazon S3 bucket naming rules.
- A configuration containing a custom Canonical Name (CNAME) parameter for CRLs or OCSP must conform to RFC 2396 restrictions on the use of special characters in a CNAME.
- In a CRL or OCSP configuration, the value of a CNAME parameter must not include a protocol prefix such as "http://" or "https://".
public void setRevocationConfiguration(CfnCertificateAuthority.RevocationConfigurationProperty value)
The following requirements apply to revocation configurations.
- A configuration disabling CRLs or OCSP must contain only the Enabled=False parameter, and will fail if other parameters such as CustomCname or ExpirationInDays are included.
- In a CRL configuration, the S3BucketName parameter must conform to the Amazon S3 bucket naming rules.
- A configuration containing a custom Canonical Name (CNAME) parameter for CRLs or OCSP must conform to RFC 2396 restrictions on the use of special characters in a CNAME.
- In a CRL or OCSP configuration, the value of a CNAME parameter must not include a protocol prefix such as "http://" or "https://".
public java.lang.String getUsageMode()
Short-lived certificate validity is limited to seven days.
The default value is GENERAL_PURPOSE.
public void setUsageMode(java.lang.String value)
Short-lived certificate validity is limited to seven days.
The default value is GENERAL_PURPOSE.
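The revocation-configuration requirements and the UsageMode notes above are easiest to get wrong in the "disabled" direction, because CloudFormation rejects a disabled CRL or OCSP block that still carries other parameters. The stack below, an added example and not code from the CDK Javadoc or from AWS, shows both valid shapes side by side: a general-purpose subordinate CA that publishes a CRL to S3 and serves OCSP behind custom CNAMEs, and a short-lived-certificate CA whose revocation blocks carry only Enabled=false. It assumes CDK v1 package names, a hypothetical stack class, and constructed bucket and host names.

```java
// Added example (not from the CDK Javadoc or AWS): the two revocation-configuration shapes that pass
// validation, plus a SHORT_LIVED_CERTIFICATE CA. Assumes CDK v1 package names, a hypothetical stack
// class, and constructed bucket/CNAME/subject values.
import software.amazon.awscdk.core.Construct;
import software.amazon.awscdk.core.Stack;
import software.amazon.awscdk.core.StackProps;
import software.amazon.awscdk.services.acmpca.CfnCertificateAuthority;
import software.amazon.awscdk.services.acmpca.CfnCertificateAuthority.CrlConfigurationProperty;
import software.amazon.awscdk.services.acmpca.CfnCertificateAuthority.OcspConfigurationProperty;
import software.amazon.awscdk.services.acmpca.CfnCertificateAuthority.RevocationConfigurationProperty;
import software.amazon.awscdk.services.acmpca.CfnCertificateAuthority.SubjectProperty;

public class RevocationConfigStack extends Stack {

    public RevocationConfigStack(final Construct scope, final String id, final StackProps props) {
        super(scope, id, props);

        // General-purpose issuing CA: relying parties need a revocation signal, so publish a CRL to S3
        // and answer OCSP. Both CNAMEs are bare host names; "https://crl.pki.example.com" would be rejected.
        CfnCertificateAuthority issuingCa = CfnCertificateAuthority.Builder.create(this, "IssuingCa")
            .type("SUBORDINATE")
            .keyAlgorithm("EC_prime256v1")
            .signingAlgorithm("SHA256WITHECDSA")
            .subject(subject("Example Corp Issuing CA G1"))     // constructed value
            .usageMode("GENERAL_PURPOSE")
            .revocationConfiguration(RevocationConfigurationProperty.builder()
                .crlConfiguration(CrlConfigurationProperty.builder()
                    .enabled(true)
                    .expirationInDays(7)                        // CRL validity; re-signed before expiry
                    .s3BucketName("example-corp-pki-crl")       // constructed; must obey S3 naming rules
                    .s3ObjectAcl("BUCKET_OWNER_FULL_CONTROL")   // keep the bucket private, serve via CNAME
                    .customCname("crl.pki.example.com")         // constructed; no protocol prefix
                    .build())
                .ocspConfiguration(OcspConfigurationProperty.builder()
                    .enabled(true)
                    .ocspCustomCname("ocsp.pki.example.com")    // constructed; no protocol prefix
                    .build())
                .build())
            .build();

        // Short-lived CA: issued certificates live at most seven days, so revocation is switched off.
        // A disabled block must carry only Enabled=false; adding ExpirationInDays, S3BucketName or a
        // CNAME here makes CloudFormation fail the stack. Omitting revocationConfiguration entirely
        // is the other valid option for this usage mode.
        CfnCertificateAuthority shortLivedCa = CfnCertificateAuthority.Builder.create(this, "ShortLivedCa")
            .type("SUBORDINATE")
            .keyAlgorithm("EC_prime256v1")
            .signingAlgorithm("SHA256WITHECDSA")
            .subject(subject("Example Corp Workload CA"))       // constructed value
            .usageMode("SHORT_LIVED_CERTIFICATE")
            .revocationConfiguration(RevocationConfigurationProperty.builder()
                .crlConfiguration(CrlConfigurationProperty.builder().enabled(false).build())
                .ocspConfiguration(OcspConfigurationProperty.builder().enabled(false).build())
                .build())
            .build();
    }

    // Shared subject builder so the two CAs differ only in what matters here.
    private static SubjectProperty subject(String commonName) {
        return SubjectProperty.builder()
            .country("US")
            .organization("Example Corp")                       // constructed value
            .commonName(commonName)
            .build();
    }
}
```

Both CAs still need an AWS::ACMPCA::Certificate issued by their parent and an AWS::ACMPCA::CertificateAuthorityActivation before they can issue anything; the CRL bucket must also grant the ACM PCA service principal write access, which is configured on the bucket policy rather than on this resource.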