Note:

You are viewing the documentation for an older major version of the AWS CLI (version 1).

AWS CLI version 2, the latest major version of AWS CLI, is now stable and recommended for general use. To view this page for the AWS CLI version 2, click here. For more information see the AWS CLI version 2 installation instructions and migration guide.

[ aws . lightsail ]

create-certificate

Description

Creates an SSL/TLS certificate for an Amazon Lightsail content delivery network (CDN) distribution and a container service.

After the certificate is valid, use the AttachCertificateToDistribution action to use the certificate and its domains with your distribution. Or use the UpdateContainerService action to use the certificate and its domains with your container service.

Warning

Only certificates created in the us-east-1 Amazon Web Services Region can be attached to Lightsail distributions. Lightsail distributions are global resources that can reference an origin in any Amazon Web Services Region, and distribute its content globally. However, all distributions are located in the us-east-1 Region.

See also: AWS API Documentation

Synopsis

  create-certificate
--certificate-name <value>
--domain-name <value>
[--subject-alternative-names <value>]
[--tags <value>]
[--cli-input-json <value>]
[--generate-cli-skeleton <value>]
[--debug]
[--endpoint-url <value>]
[--no-verify-ssl]
[--no-paginate]
[--output <value>]
[--query <value>]
[--profile <value>]
[--region <value>]
[--version <value>]
[--color <value>]
[--no-sign-request]
[--ca-bundle <value>]
[--cli-read-timeout <value>]
[--cli-connect-timeout <value>]

Options

--certificate-name (string)

The name for the certificate.

--domain-name (string)

The domain name (example.com ) for the certificate.

--subject-alternative-names (list)

An array of strings that specify the alternate domains (example2.com ) and subdomains (blog.example.com ) for the certificate.

You can specify a maximum of nine alternate domains (in addition to the primary domain name).

Wildcard domain entries (*.example.com ) are not supported.

(string)

Syntax:

"string" "string" ...

--tags (list)

The tag keys and optional values to add to the certificate during create.

Use the TagResource action to tag a resource after it's created.

(structure)

Describes a tag key and optional value assigned to an Amazon Lightsail resource.

For more information about tags in Lightsail, see the Amazon Lightsail Developer Guide .

key -> (string)

The key of the tag.

Constraints: Tag keys accept a maximum of 128 letters, numbers, spaces in UTF-8, or the following characters: + - = . _ : / @

value -> (string)

The value of the tag.

Constraints: Tag values accept a maximum of 256 letters, numbers, spaces in UTF-8, or the following characters: + - = . _ : / @

Shorthand Syntax:

key=string,value=string ...

JSON Syntax:

[
  {
    "key": "string",
    "value": "string"
  }
  ...
]

--cli-input-json (string) Performs service operation based on the JSON string provided. The JSON string follows the format provided by --generate-cli-skeleton. If other arguments are provided on the command line, the CLI values will override the JSON-provided values. It is not possible to pass arbitrary binary values using a JSON-provided value as the string will be taken literally.

--generate-cli-skeleton (string) Prints a JSON skeleton to standard output without sending an API request. If provided with no value or the value input, prints a sample input JSON that can be used as an argument for --cli-input-json. If provided with the value output, it validates the command inputs and returns a sample output JSON for that command.

Global Options

--debug (boolean)

Turn on debug logging.

--endpoint-url (string)

Override command's default URL with the given URL.

--no-verify-ssl (boolean)

By default, the AWS CLI uses SSL when communicating with AWS services. For each SSL connection, the AWS CLI will verify SSL certificates. This option overrides the default behavior of verifying SSL certificates.

--no-paginate (boolean)

Disable automatic pagination.

--output (string)

The formatting style for command output.

  • json
  • text
  • table

--query (string)

A JMESPath query to use in filtering the response data.

--profile (string)

Use a specific profile from your credential file.

--region (string)

The region to use. Overrides config/env settings.

--version (string)

Display the version of this tool.

--color (string)

Turn on/off color output.

  • on
  • off
  • auto

--no-sign-request (boolean)

Do not sign requests. Credentials will not be loaded if this argument is provided.

--ca-bundle (string)

The CA certificate bundle to use when verifying SSL certificates. Overrides config/env settings.

--cli-read-timeout (int)

The maximum socket read time in seconds. If the value is set to 0, the socket read will be blocking and not timeout. The default value is 60 seconds.

--cli-connect-timeout (int)

The maximum socket connect time in seconds. If the value is set to 0, the socket connect will be blocking and not timeout. The default value is 60 seconds.

Output

certificate -> (structure)

An object that describes the certificate created.

certificateArn -> (string)

The Amazon Resource Name (ARN) of the certificate.

certificateName -> (string)

The name of the certificate.

domainName -> (string)

The domain name of the certificate.

certificateDetail -> (structure)

An object that describes a certificate in detail.

arn -> (string)

The Amazon Resource Name (ARN) of the certificate.

name -> (string)

The name of the certificate (my-certificate ).

domainName -> (string)

The domain name of the certificate.

status -> (string)

The validation status of the certificate.

serialNumber -> (string)

The serial number of the certificate.

subjectAlternativeNames -> (list)

An array of strings that specify the alternate domains (example2.com ) and subdomains (blog.example.com ) of the certificate.

(string)

domainValidationRecords -> (list)

An array of objects that describe the domain validation records of the certificate.

(structure)

Describes the domain name system (DNS) records that you must add to the DNS of your registered domain to validate ownership for an Amazon Lightsail SSL/TLS certificate.

domainName -> (string)

The domain name of the certificate validation record. For example, example.com or www.example.com .

resourceRecord -> (structure)

An object that describes the DNS records to add to your domain's DNS to validate it for the certificate.

name -> (string)

The name of the record.

type -> (string)

The DNS record type.

value -> (string)

The value for the DNS record.

dnsRecordCreationState -> (structure)

An object that describes the state of the canonical name (CNAME) records that are automatically added by Lightsail to the DNS of the domain to validate domain ownership.

code -> (string)

The status code for the automated DNS record creation.

Following are the possible values:

  • SUCCEEDED - The validation records were successfully added to the domain.
  • STARTED - The automatic DNS record creation has started.
  • FAILED - The validation records failed to be added to the domain.

message -> (string)

The message that describes the reason for the status code.

validationStatus -> (string)

The validation status of the record.

requestFailureReason -> (string)

The validation failure reason, if any, of the certificate.

The following failure reasons are possible:

  • **NO_AVAILABLE_CONTACTS ** - This failure applies to email validation, which is not available for Lightsail certificates.
  • **ADDITIONAL_VERIFICATION_REQUIRED ** - Lightsail requires additional information to process this certificate request. This can happen as a fraud-protection measure, such as when the domain ranks within the Alexa top 1000 websites. To provide the required information, use the Amazon Web Services Support Center to contact Amazon Web Services Support.

Note

You cannot request a certificate for Amazon-owned domain names such as those ending in amazonaws.com, cloudfront.net, or elasticbeanstalk.com.
  • **DOMAIN_NOT_ALLOWED ** - One or more of the domain names in the certificate request was reported as an unsafe domain by VirusTotal . To correct the problem, search for your domain name on the VirusTotal website. If your domain is reported as suspicious, see Google Help for Hacked Websites to learn what you can do. If you believe that the result is a false positive, notify the organization that is reporting the domain. VirusTotal is an aggregate of several antivirus and URL scanners and cannot remove your domain from a block list itself. After you correct the problem and the VirusTotal registry has been updated, request a new certificate. If you see this error and your domain is not included in the VirusTotal list, visit the Amazon Web Services Support Center and create a case.
  • **INVALID_PUBLIC_DOMAIN ** - One or more of the domain names in the certificate request is not valid. Typically, this is because a domain name in the request is not a valid top-level domain. Try to request a certificate again, correcting any spelling errors or typos that were in the failed request, and ensure that all domain names in the request are for valid top-level domains. For example, you cannot request a certificate for example.invalidpublicdomain because invalidpublicdomain is not a valid top-level domain.
  • **OTHER ** - Typically, this failure occurs when there is a typographical error in one or more of the domain names in the certificate request. Try to request a certificate again, correcting any spelling errors or typos that were in the failed request.

inUseResourceCount -> (integer)

The number of Lightsail resources that the certificate is attached to.

keyAlgorithm -> (string)

The algorithm used to generate the key pair (the public and private key) of the certificate.

createdAt -> (timestamp)

The timestamp when the certificate was created.

issuedAt -> (timestamp)

The timestamp when the certificate was issued.

issuerCA -> (string)

The certificate authority that issued the certificate.

notBefore -> (timestamp)

The timestamp when the certificate is first valid.

notAfter -> (timestamp)

The timestamp when the certificate expires.

eligibleToRenew -> (string)

The renewal eligibility of the certificate.

renewalSummary -> (structure)

An object that describes the status of the certificate renewal managed by Lightsail.

domainValidationRecords -> (list)

An array of objects that describe the domain validation records of the certificate.

(structure)

Describes the domain name system (DNS) records that you must add to the DNS of your registered domain to validate ownership for an Amazon Lightsail SSL/TLS certificate.

domainName -> (string)

The domain name of the certificate validation record. For example, example.com or www.example.com .

resourceRecord -> (structure)

An object that describes the DNS records to add to your domain's DNS to validate it for the certificate.

name -> (string)

The name of the record.

type -> (string)

The DNS record type.

value -> (string)

The value for the DNS record.

dnsRecordCreationState -> (structure)

An object that describes the state of the canonical name (CNAME) records that are automatically added by Lightsail to the DNS of the domain to validate domain ownership.

code -> (string)

The status code for the automated DNS record creation.

Following are the possible values:

  • SUCCEEDED - The validation records were successfully added to the domain.
  • STARTED - The automatic DNS record creation has started.
  • FAILED - The validation records failed to be added to the domain.

message -> (string)

The message that describes the reason for the status code.

validationStatus -> (string)

The validation status of the record.

renewalStatus -> (string)

The renewal status of the certificate.

The following renewal status are possible:

  • **PendingAutoRenewal ** - Lightsail is attempting to automatically validate the domain names of the certificate. No further action is required.
  • **PendingValidation ** - Lightsail couldn't automatically validate one or more domain names of the certificate. You must take action to validate these domain names or the certificate won't be renewed. Check to make sure your certificate's domain validation records exist in your domain's DNS, and that your certificate remains in use.
  • **Success ** - All domain names in the certificate are validated, and Lightsail renewed the certificate. No further action is required.
  • **Failed ** - One or more domain names were not validated before the certificate expired, and Lightsail did not renew the certificate. You can request a new certificate using the CreateCertificate action.

renewalStatusReason -> (string)

The reason for the renewal status of the certificate.

updatedAt -> (timestamp)

The timestamp when the certificate was last updated.

revokedAt -> (timestamp)

The timestamp when the certificate was revoked. This value is present only when the certificate status is REVOKED .

revocationReason -> (string)

The reason the certificate was revoked. This value is present only when the certificate status is REVOKED .

tags -> (list)

The tag keys and optional values for the resource. For more information about tags in Lightsail, see the Amazon Lightsail Developer Guide .

(structure)

Describes a tag key and optional value assigned to an Amazon Lightsail resource.

For more information about tags in Lightsail, see the Amazon Lightsail Developer Guide .

key -> (string)

The key of the tag.

Constraints: Tag keys accept a maximum of 128 letters, numbers, spaces in UTF-8, or the following characters: + - = . _ : / @

value -> (string)

The value of the tag.

Constraints: Tag values accept a maximum of 256 letters, numbers, spaces in UTF-8, or the following characters: + - = . _ : / @

supportCode -> (string)

The support code. Include this code in your email to support when you have questions about your Lightsail certificate. This code enables our support team to look up your Lightsail information more easily.

tags -> (list)

The tag keys and optional values for the resource. For more information about tags in Lightsail, see the Amazon Lightsail Developer Guide .

(structure)

Describes a tag key and optional value assigned to an Amazon Lightsail resource.

For more information about tags in Lightsail, see the Amazon Lightsail Developer Guide .

key -> (string)

The key of the tag.

Constraints: Tag keys accept a maximum of 128 letters, numbers, spaces in UTF-8, or the following characters: + - = . _ : / @

value -> (string)

The value of the tag.

Constraints: Tag values accept a maximum of 256 letters, numbers, spaces in UTF-8, or the following characters: + - = . _ : / @

operations -> (list)

An array of objects that describe the result of the action, such as the status of the request, the timestamp of the request, and the resources affected by the request.

(structure)

Describes the API operation.

id -> (string)

The ID of the operation.

resourceName -> (string)

The resource name.

resourceType -> (string)

The resource type.

createdAt -> (timestamp)

The timestamp when the operation was initialized (1479816991.349 ).

location -> (structure)

The Amazon Web Services Region and Availability Zone.

availabilityZone -> (string)

The Availability Zone. Follows the format us-east-2a (case-sensitive).

regionName -> (string)

The Amazon Web Services Region name.

isTerminal -> (boolean)

A Boolean value indicating whether the operation is terminal.

operationDetails -> (string)

Details about the operation (Debian-1GB-Ohio-1 ).

operationType -> (string)

The type of operation.

status -> (string)

The status of the operation.

statusChangedAt -> (timestamp)

The timestamp when the status was changed (1479816991.349 ).

errorCode -> (string)

The error code.

errorDetails -> (string)

The error details.