Resource: awsAcmpcaCertificateAuthorityCertificate

Associates a certificate with an AWS Certificate Manager Private Certificate Authority (ACM PCA Certificate Authority). An ACM PCA Certificate Authority cannot issue certificates until it has a certificate associated with it. A root-level ACM PCA Certificate Authority can self-sign its own root certificate.

Example Usage

Self-Signed Root Certificate Authority Certificate

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
// Root CA. It cannot issue anything until a certificate is installed on it.
const awsAcmpcaCertificateAuthorityExample =
  new aws.acmpcaCertificateAuthority.AcmpcaCertificateAuthority(
    this,
    "example",
    {
      certificateAuthorityConfiguration: {
        keyAlgorithm: "RSA_4096",
        signingAlgorithm: "SHA512WITHRSA",
        subject: {
          commonName: "example.com",
        },
      },
      type: "ROOT",
    }
  );
// Partition lookup so the template ARN is valid in aws, aws-cn and aws-us-gov.
const dataAwsPartitionCurrent = new aws.dataAwsPartition.DataAwsPartition(
  this,
  "current",
  {}
);
// The root CA signs its own CSR using the RootCACertificate template.
const awsAcmpcaCertificateExample = new aws.acmpcaCertificate.AcmpcaCertificate(
  this,
  "example_2",
  {
    certificateAuthorityArn: awsAcmpcaCertificateAuthorityExample.arn,
    certificateSigningRequest:
      awsAcmpcaCertificateAuthorityExample.certificateSigningRequest,
    signingAlgorithm: "SHA512WITHRSA",
    templateArn: `arn:${dataAwsPartitionCurrent.partition}:acm-pca:::template/RootCACertificate/V1`,
    validity: {
      type: "YEARS",
      value: 1,
    },
  }
);
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
awsAcmpcaCertificateExample.overrideLogicalId("example");
// Install the self-signed certificate on the root CA.
const awsAcmpcaCertificateAuthorityCertificateExample =
  new aws.acmpcaCertificateAuthorityCertificate.AcmpcaCertificateAuthorityCertificate(
    this,
    "example_3",
    {
      certificate: awsAcmpcaCertificateExample.certificate,
      certificateAuthorityArn: awsAcmpcaCertificateAuthorityExample.arn,
      certificateChain: awsAcmpcaCertificateExample.certificateChain,
    }
  );
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
awsAcmpcaCertificateAuthorityCertificateExample.overrideLogicalId("example");

Certificate for Subordinate Certificate Authority

Note that the certificate for the subordinate certificate authority must be issued by the root certificate authority using a signing request from the subordinate certificate authority.

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
const dataAwsPartitionCurrent = new aws.dataAwsPartition.DataAwsPartition(
  this,
  "current",
  {}
);
// Root CA. The original leaves its configuration out; the values below are
// the ones used in the self-signed root example above.
const awsAcmpcaCertificateAuthorityRoot =
  new aws.acmpcaCertificateAuthority.AcmpcaCertificateAuthority(
    this,
    "root_1",
    {
      certificateAuthorityConfiguration: {
        keyAlgorithm: "RSA_4096",
        signingAlgorithm: "SHA512WITHRSA",
        subject: {
          commonName: "example.com",
        },
      },
      type: "ROOT",
    }
  );
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
awsAcmpcaCertificateAuthorityRoot.overrideLogicalId("root");
// Self-signed root certificate, as in the example above.
const awsAcmpcaCertificateRoot = new aws.acmpcaCertificate.AcmpcaCertificate(
  this,
  "root",
  {
    certificateAuthorityArn: awsAcmpcaCertificateAuthorityRoot.arn,
    certificateSigningRequest:
      awsAcmpcaCertificateAuthorityRoot.certificateSigningRequest,
    signingAlgorithm: "SHA512WITHRSA",
    templateArn: `arn:${dataAwsPartitionCurrent.partition}:acm-pca:::template/RootCACertificate/V1`,
    validity: {
      type: "YEARS",
      value: 1,
    },
  }
);
// Install the root certificate on the root CA so that it can issue.
// No certificateChain here: it is not allowed for a root CA.
const awsAcmpcaCertificateAuthorityCertificateRoot =
  new aws.acmpcaCertificateAuthorityCertificate.AcmpcaCertificateAuthorityCertificate(
    this,
    "root_3",
    {
      certificate: awsAcmpcaCertificateRoot.certificate,
      certificateAuthorityArn: awsAcmpcaCertificateAuthorityRoot.arn,
    }
  );
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
awsAcmpcaCertificateAuthorityCertificateRoot.overrideLogicalId("root");
// Subordinate CA. Its CSR is signed by the root CA below.
const awsAcmpcaCertificateAuthoritySubordinate =
  new aws.acmpcaCertificateAuthority.AcmpcaCertificateAuthority(
    this,
    "subordinate",
    {
      certificateAuthorityConfiguration: {
        keyAlgorithm: "RSA_2048",
        signingAlgorithm: "SHA512WITHRSA",
        subject: {
          commonName: "sub.example.com",
        },
      },
      type: "SUBORDINATE",
    }
  );
// Subordinate CA certificate, issued by the root CA from the subordinate's CSR.
// dependsOn ensures the root CA has its own certificate installed before it
// is asked to issue.
const awsAcmpcaCertificateSubordinate =
  new aws.acmpcaCertificate.AcmpcaCertificate(this, "subordinate_5", {
    certificateAuthorityArn: awsAcmpcaCertificateAuthorityRoot.arn,
    certificateSigningRequest:
      awsAcmpcaCertificateAuthoritySubordinate.certificateSigningRequest,
    signingAlgorithm: "SHA512WITHRSA",
    templateArn: `arn:${dataAwsPartitionCurrent.partition}:acm-pca:::template/SubordinateCACertificate_PathLen0/V1`,
    validity: {
      type: "YEARS",
      value: 1,
    },
    dependsOn: [awsAcmpcaCertificateAuthorityCertificateRoot],
  });
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
awsAcmpcaCertificateSubordinate.overrideLogicalId("subordinate");
// Install the issued certificate and its chain (up to the root) on the
// subordinate CA. certificateChain is required for a subordinate CA.
const awsAcmpcaCertificateAuthorityCertificateSubordinate =
  new aws.acmpcaCertificateAuthorityCertificate.AcmpcaCertificateAuthorityCertificate(
    this,
    "subordinate_6",
    {
      certificate: awsAcmpcaCertificateSubordinate.certificate,
      certificateAuthorityArn: awsAcmpcaCertificateAuthoritySubordinate.arn,
      certificateChain: awsAcmpcaCertificateSubordinate.certificateChain,
    }
  );
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
awsAcmpcaCertificateAuthorityCertificateSubordinate.overrideLogicalId(
  "subordinate"
);

Argument Reference

The following arguments are supported:

  • certificate - (Required) PEM-encoded certificate for the Certificate Authority.
  • certificateAuthorityArn - (Required) ARN of the Certificate Authority.
  • certificateChain - (Optional) PEM-encoded certificate chain that includes any intermediate certificates and chains up to root CA. Required for subordinate Certificate Authorities. Not allowed for root Certificate Authorities.
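The root/subordinate rules above are only enforced by the API at apply time. As an added example (not code from the Terraform provider or CDKTF), the following TypeScript splits a PEM bundle into its CERTIFICATE blocks and checks the arguments against those rules before synthesis; the PEM bodies are constructed placeholders, not real certificates.

```typescript
// Added example: pre-synth check of awsAcmpcaCertificateAuthorityCertificate
// arguments. Uses only the language runtime; no AWS or CDKTF dependency.

type CaType = "ROOT" | "SUBORDINATE";

// Split a PEM bundle into its CERTIFICATE blocks. Any other block type
// (a private key pasted by mistake, for example) is rejected.
function splitPemCertificates(pem: string): string[] {
  const re = /-----BEGIN ([A-Z ]+)-----[\s\S]*?-----END \1-----/g;
  const blocks: string[] = [];
  let m: RegExpExecArray | null;
  while ((m = re.exec(pem)) !== null) {
    if (m[1] !== "CERTIFICATE") {
      throw new Error(`unexpected PEM block type: ${m[1]}`);
    }
    blocks.push(m[0]);
  }
  return blocks;
}

// Apply the documented rules: certificate holds exactly one PEM certificate;
// certificateChain is required for a subordinate CA and not allowed for a
// root CA. Returns a list of problems, empty when the arguments are valid.
function checkCaCertificateArgs(
  type: CaType,
  certificate: string,
  certificateChain?: string
): string[] {
  const problems: string[] = [];
  if (splitPemCertificates(certificate).length !== 1) {
    problems.push("certificate must contain exactly one PEM certificate");
  }
  const chainCount =
    certificateChain !== undefined ? splitPemCertificates(certificateChain).length : 0;
  if (type === "ROOT" && certificateChain !== undefined) {
    problems.push("certificateChain is not allowed for a root CA");
  }
  if (type === "SUBORDINATE" && chainCount === 0) {
    problems.push("certificateChain is required for a subordinate CA");
  }
  return problems;
}

// Constructed placeholders standing in for real PEM material.
const FAKE_CERT =
  "-----BEGIN CERTIFICATE-----\nTUlJ...\n-----END CERTIFICATE-----\n";
const FAKE_KEY =
  "-----BEGIN PRIVATE KEY-----\nTUlJ...\n-----END PRIVATE KEY-----\n";
```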

Attributes Reference

No additional attributes are exported.