
Resource: awsAcmpcaCertificate

Provides a resource to issue a certificate using AWS Certificate Manager Private Certificate Authority (ACM PCA).

Certificates created using awsAcmpcaCertificate are not eligible for automatic renewal and must be replaced instead. To issue a renewable certificate from an ACM PCA, create an awsAcmCertificate with the parameter certificateAuthorityArn.

Example Usage

Basic

/* Provider bindings are generated by running `cdktf get`.
   See https://cdk.tf/provider-generation for more details. */
import * as aws from "./.gen/providers/aws";
import * as tls from "./.gen/providers/tls";

// Private CA that signs the end-entity certificate below. The CA's algorithms and
// subject live in the certificateAuthorityConfiguration block (a single nested object).
const awsAcmpcaCertificateAuthorityExample =
  new aws.acmpcaCertificateAuthority.AcmpcaCertificateAuthority(this, "example", {
    permanentDeletionTimeInDays: 7,
    certificateAuthorityConfiguration: {
      keyAlgorithm: "RSA_4096",
      signingAlgorithm: "SHA512WITHRSA",
      subject: {
        commonName: "example.com",
      },
    },
  });

// Key pair and CSR for the end-entity certificate (tls provider). The key algorithm
// of the CSR is inferred from the private key; tls_cert_request no longer takes key_algorithm.
const tlsPrivateKeyKey = new tls.privateKey.PrivateKey(this, "key", {
  algorithm: "RSA",
});
const tlsCertRequestCsr = new tls.certRequest.CertRequest(this, "csr", {
  privateKeyPem: tlsPrivateKeyKey.privateKeyPem,
  subject: {
    commonName: "example",
  },
});

// Issue a one-year certificate from the private CA. validity.value is typed as a
// string in the provider schema, so the number is passed as a numeric string.
const awsAcmpcaCertificateExample = new aws.acmpcaCertificate.AcmpcaCertificate(this, "example_3", {
  certificateAuthorityArn: awsAcmpcaCertificateAuthorityExample.arn,
  certificateSigningRequest: tlsCertRequestCsr.certRequestPem,
  signingAlgorithm: "SHA256WITHRSA",
  validity: {
    type: "YEARS",
    value: "1",
  },
});
/* This allows the Terraform resource name to match the original name.
   You can remove the call if you don't need them to match. */
awsAcmpcaCertificateExample.overrideLogicalId("example");

Argument Reference

The following arguments are supported:

  • certificateAuthorityArn - (Required) ARN of the certificate authority.
  • certificateSigningRequest - (Required) Certificate Signing Request in PEM format.
  • signingAlgorithm - (Required) Algorithm to use to sign the certificate request. Valid values: SHA256WITHRSA, SHA256WITHECDSA, SHA384WITHRSA, SHA384WITHECDSA, SHA512WITHRSA, SHA512WITHECDSA.
  • validity - (Required) Configures end of the validity period for the certificate. See validity block below.
  • templateArn - (Optional) Template to use when issuing a certificate. See ACM PCA Documentation for more information.

validity block

  • type - (Required) Determines how value is interpreted. Valid values: DAYS, MONTHS, YEARS, ABSOLUTE, END_DATE.
  • value - (Required) If type is DAYS, MONTHS, or YEARS, the relative time from issuance until the certificate expires. If type is ABSOLUTE, the expiry date in seconds since the Unix epoch. If type is END_DATE, the expiry date in RFC 3339 format.
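The five interpretations of validity listed above, worked through as an added TypeScript example (not code from this page or the Terraform AWS provider): it resolves a validity block to the expiry it implies, builds an END_DATE value in RFC 3339, and guards that the certificate neither ends before issuance nor outlives the issuing CA. It assumes validity.value is a string, as the provider schema types it, and that the CA's notAfter is supplied by the caller.

```typescript
// Added example for the validity block documented above; it is not code from the page
// or the Terraform AWS provider. `value` is modelled as a string because the provider
// schema types validity.value as a string (assumption).
type ValidityType = "DAYS" | "MONTHS" | "YEARS" | "ABSOLUTE" | "END_DATE";
interface Validity { type: ValidityType; value: string }

const MS_PER_DAY = 86400000;
const RFC3339 = /^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?(Z|[+-]\d{2}:\d{2})$/;

// Resolve a validity block to the expiry instant it implies for a certificate issued at `issuedAt`.
function expiryOf(v: Validity, issuedAt: Date): Date {
  if (v.type === "END_DATE") {
    if (!RFC3339.test(v.value)) throw new Error(`END_DATE must be RFC 3339, got ${v.value}`);
    return new Date(v.value);
  }
  const n = Number(v.value);
  if (!Number.isInteger(n) || n <= 0) throw new Error(`${v.type} needs a positive integer, got ${v.value}`);
  const d = new Date(issuedAt.getTime());
  switch (v.type) {
    case "DAYS":     d.setTime(d.getTime() + n * MS_PER_DAY); break;
    case "MONTHS":   d.setUTCMonth(d.getUTCMonth() + n); break;
    case "YEARS":    d.setUTCFullYear(d.getUTCFullYear() + n); break;
    case "ABSOLUTE": d.setTime(n * 1000); break; // value is seconds since the Unix epoch
  }
  return d;
}

// Build an END_DATE validity from a Date, as RFC 3339 in UTC without fractional seconds.
function endDateValidity(expiry: Date): Validity {
  return { type: "END_DATE", value: expiry.toISOString().replace(/\.\d{3}Z$/, "Z") };
}

// Issuance guard: the certificate must expire after issuance and no later than the issuing
// CA's notAfter. Because certificates issued this way are not renewed automatically, the
// expiry chosen here is also the date by which the certificate has to be replaced.
function checkedValidity(v: Validity, issuedAt: Date, caNotAfter: Date): Validity {
  const exp = expiryOf(v, issuedAt).getTime();
  if (exp <= issuedAt.getTime()) throw new Error("validity ends before issuance");
  if (exp > caNotAfter.getTime()) throw new Error("certificate would outlive its CA");
  return v; // safe to pass as `validity:` in the AcmpcaCertificate config
}

function fitsCa(v: Validity, issuedAt: Date, caNotAfter: Date): boolean {
  try { checkedValidity(v, issuedAt, caNotAfter); return true; } catch { return false; }
}
```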

Attributes Reference

In addition to all arguments above, the following attributes are exported:

  • arn - ARN of the certificate.
  • certificate - PEM-encoded certificate value.
  • certificateChain - PEM-encoded certificate chain that includes any intermediate certificates and chains up to the root CA.

Import

ACM PCA Certificates can be imported using their ARN, e.g.,

$ terraform import aws_acmpca_certificate.cert arn:aws:acm-pca:eu-west-1:675225743824:certificate-authority/08319ede-83g9-1400-8f21-c7d12b2b6edb/certificate/a4e9c2aa4bcfab625g1b9136464cd3a