CfnCertificateAuthorityProps
- class aws_cdk.aws_acmpca.CfnCertificateAuthorityProps(*, key_algorithm, signing_algorithm, subject, type, csr_extensions=None, key_storage_security_standard=None, revocation_configuration=None, tags=None, usage_mode=None)
Bases:
object
Properties for defining a
CfnCertificateAuthority
.- Parameters:
key_algorithm (
str
) – Type of the public key algorithm and size, in bits, of the key pair that your CA creates when it issues a certificate. When you create a subordinate CA, you must use a key algorithm supported by the parent CA.signing_algorithm (
str
) – Name of the algorithm your private CA uses to sign certificate requests. This parameter should not be confused with theSigningAlgorithm
parameter used to sign certificates when they are issued.subject (
Union
[IResolvable
,SubjectProperty
,Dict
[str
,Any
]]) – Structure that contains X.500 distinguished name information for your private CA.type (
str
) – Type of your private CA.csr_extensions (
Union
[IResolvable
,CsrExtensionsProperty
,Dict
[str
,Any
],None
]) – Specifies information to be added to the extension section of the certificate signing request (CSR).key_storage_security_standard (
Optional
[str
]) – Specifies a cryptographic key management compliance standard used for handling CA keys. Default: FIPS_140_2_LEVEL_3_OR_HIGHER .. epigraph:: Some AWS Regions do not support the default. When creating a CA in these Regions, you must provideFIPS_140_2_LEVEL_2_OR_HIGHER
as the argument forKeyStorageSecurityStandard
. Failure to do this results in anInvalidArgsException
with the message, “A certificate authority cannot be created in this region with the specified security standard.” For information about security standard support in various Regions, see Storage and security compliance of AWS Private CA private keys .revocation_configuration (
Union
[IResolvable
,RevocationConfigurationProperty
,Dict
[str
,Any
],None
]) – Certificate revocation information used by the CreateCertificateAuthority and UpdateCertificateAuthority actions. Your private certificate authority (CA) can configure Online Certificate Status Protocol (OCSP) support and/or maintain a certificate revocation list (CRL). OCSP returns validation information about certificates as requested by clients, and a CRL contains an updated list of certificates revoked by your CA. For more information, see RevokeCertificate in the AWS Private CA API Reference and Setting up a certificate revocation method in the AWS Private CA User Guide . .. epigraph:: The following requirements apply to revocation configurations. - A configuration disabling CRLs or OCSP must contain only theEnabled=False
parameter, and will fail if other parameters such asCustomCname
orExpirationInDays
are included. - In a CRL configuration, theS3BucketName
parameter must conform to the Amazon S3 bucket naming rules . - A configuration containing a custom Canonical Name (CNAME) parameter for CRLs or OCSP must conform to RFC2396 restrictions on the use of special characters in a CNAME. - In a CRL or OCSP configuration, the value of a CNAME parameter must not include a protocol prefix such as “http://” or “https://”.tags (
Optional
[Sequence
[Union
[CfnTag
,Dict
[str
,Any
]]]]) – Key-value pairs that will be attached to the new private CA. You can associate up to 50 tags with a private CA. For information using tags with IAM to manage permissions, see Controlling Access Using IAM Tags .usage_mode (
Optional
[str
]) – Specifies whether the CA issues general-purpose certificates that typically require a revocation mechanism, or short-lived certificates that may optionally omit revocation because they expire quickly. Short-lived certificate validity is limited to seven days. The default value is GENERAL_PURPOSE.
- Link:
- ExampleMetadata:
infused
Example:
cfn_certificate_authority = acmpca.CfnCertificateAuthority(self, "CA", type="ROOT", key_algorithm="RSA_2048", signing_algorithm="SHA256WITHRSA", subject=acmpca.CfnCertificateAuthority.SubjectProperty( country="US", organization="string", organizational_unit="string", distinguished_name_qualifier="string", state="string", common_name="123", serial_number="string", locality="string", title="string", surname="string", given_name="string", initials="DG", pseudonym="string", generation_qualifier="DBG" ) )
Attributes
- csr_extensions
Specifies information to be added to the extension section of the certificate signing request (CSR).
- key_algorithm
Type of the public key algorithm and size, in bits, of the key pair that your CA creates when it issues a certificate.
When you create a subordinate CA, you must use a key algorithm supported by the parent CA.
- key_storage_security_standard
Specifies a cryptographic key management compliance standard used for handling CA keys.
Default: FIPS_140_2_LEVEL_3_OR_HIGHER .. epigraph:
Some AWS Regions do not support the default. When creating a CA in these Regions, you must provide ``FIPS_140_2_LEVEL_2_OR_HIGHER`` as the argument for ``KeyStorageSecurityStandard`` . Failure to do this results in an ``InvalidArgsException`` with the message, "A certificate authority cannot be created in this region with the specified security standard." For information about security standard support in various Regions, see `Storage and security compliance of AWS Private CA private keys <https://docs.aws.amazon.com/privateca/latest/userguide/data-protection.html#private-keys>`_ .
- revocation_configuration
//docs.aws.amazon.com/privateca/latest/APIReference/API_UpdateCertificateAuthority.html>`_ actions. Your private certificate authority (CA) can configure Online Certificate Status Protocol (OCSP) support and/or maintain a certificate revocation list (CRL). OCSP returns validation information about certificates as requested by clients, and a CRL contains an updated list of certificates revoked by your CA. For more information, see RevokeCertificate in the AWS Private CA API Reference and Setting up a certificate revocation method in the AWS Private CA User Guide .
The following requirements apply to revocation configurations.
A configuration disabling CRLs or OCSP must contain only the
Enabled=False
parameter, and will fail if other parameters such asCustomCname
orExpirationInDays
are included.In a CRL configuration, the
S3BucketName
parameter must conform to the Amazon S3 bucket naming rules .A configuration containing a custom Canonical Name (CNAME) parameter for CRLs or OCSP must conform to RFC2396 restrictions on the use of special characters in a CNAME.
In a CRL or OCSP configuration, the value of a CNAME parameter must not include a protocol prefix such as “http://” or “https://”.
- signing_algorithm
Name of the algorithm your private CA uses to sign certificate requests.
This parameter should not be confused with the
SigningAlgorithm
parameter used to sign certificates when they are issued.
- subject
Structure that contains X.500 distinguished name information for your private CA.
- tags
Key-value pairs that will be attached to the new private CA.
You can associate up to 50 tags with a private CA. For information using tags with IAM to manage permissions, see Controlling Access Using IAM Tags .
- type
Type of your private CA.
- usage_mode
Specifies whether the CA issues general-purpose certificates that typically require a revocation mechanism, or short-lived certificates that may optionally omit revocation because they expire quickly.
Short-lived certificate validity is limited to seven days.
The default value is GENERAL_PURPOSE.