Skip to main content

certificates

Creates, updates, deletes or gets a certificate resource or lists certificates in a region

Overview

Namecertificates
TypeResource
DescriptionThe AWS::ACMPCA::Certificate resource is used to issue a certificate using your private certificate authority. For more information, see the [IssueCertificate](https://docs.aws.amazon.com/privateca/latest/APIReference/API_IssueCertificate.html) action.
Idaws.acmpca.certificates

Fields

NameDatatypeDescription
api_passthroughobjectSpecifies X.509 certificate information to be included in the issued certificate. An APIPassthrough or APICSRPassthrough template variant must be selected, or else this parameter is ignored.
certificate_authority_arnstringThe Amazon Resource Name (ARN) for the private CA issues the certificate.
certificate_signing_requeststringThe certificate signing request (CSR) for the certificate.
signing_algorithmstringThe name of the algorithm that will be used to sign the certificate to be issued.
This parameter should not be confused with the SigningAlgorithm parameter used to sign a CSR in the CreateCertificateAuthority action.
The specified signing algorithm family (RSA or ECDSA) must match the algorithm family of the CA's secret key.
template_arnstringSpecifies a custom configuration template to use when issuing a certificate. If this parameter is not provided, PCAshort defaults to the EndEntityCertificate/V1 template. For more information about PCAshort templates, see [Using Templates](https://docs.aws.amazon.com/privateca/latest/userguide/UsingTemplates.html).
validityobjectThe period of time during which the certificate will be valid.
validity_not_beforeobjectInformation describing the start of the validity period of the certificate. This parameter sets the “Not Before" date for the certificate.
By default, when issuing a certificate, PCAshort sets the "Not Before" date to the issuance time minus 60 minutes. This compensates for clock inconsistencies across computer systems. The ValidityNotBefore parameter can be used to customize the “Not Before” value.
Unlike the Validity parameter, the ValidityNotBefore parameter is optional.
The ValidityNotBefore value is expressed as an explicit date and time, using the Validity type value ABSOLUTE.
certificatestring
arnstring
regionstringAWS region.

Methods

NameAccessible byRequired Params
create_resourceINSERTCertificateAuthorityArn, CertificateSigningRequest, SigningAlgorithm, Validity, region
delete_resourceDELETEdata__Identifier, region
get_resourceSELECTdata__Identifier, region

SELECT examples

Gets all properties from an individual certificate.

SELECT
region,
api_passthrough,
certificate_authority_arn,
certificate_signing_request,
signing_algorithm,
template_arn,
validity,
validity_not_before,
certificate,
arn
FROM aws.acmpca.certificates
WHERE region = 'us-east-1' AND data__Identifier = '<Arn>|<CertificateAuthorityArn>';

INSERT example

Use the following StackQL query and manifest file to create a new certificate resource, using stack-deploy.

/*+ create */
INSERT INTO aws.acmpca.certificates (
 CertificateAuthorityArn,
 CertificateSigningRequest,
 SigningAlgorithm,
 Validity,
 region
)
SELECT 
'{{ CertificateAuthorityArn }}',
 '{{ CertificateSigningRequest }}',
 '{{ SigningAlgorithm }}',
 '{{ Validity }}',
'{{ region }}';

DELETE example

/*+ delete */
DELETE FROM aws.acmpca.certificates
WHERE data__Identifier = '<Arn|CertificateAuthorityArn>'
AND region = 'us-east-1';

Permissions

To operate on the certificates resource, the following permissions are required:

Create

acm-pca:IssueCertificate,
acm-pca:GetCertificate

Read

acm-pca:GetCertificate

Delete

acm-pca:GetCertificate