CloudFormation template for an AWS ACM-PCA (Private Certificate Authority) configured as a root CA, including activation with a self-signed certificate and the permission that lets the ACM service renew certificates issued from this CA within the account.

Important: Review the cost of ACM-PCA before provisioning any resources. A private CA is billed per CA per month from the moment it is created, plus per-certificate charges.

The following settings are available in this template: 

  • Subject information (Common Name, Organization, Country, etc.). At least one attribute must be provided.
  • Key Storage Security Standard and Signing Algorithm
  • Revocation Configuration, with options to enable both CRL and OCSP distribution
  • Key Usage CSR extensions
  • Permissions for Automatic Certificate Renewal: an AWS::ACMPCA::Permission resource granting the ACM service principal (acm.amazonaws.com) IssueCertificate, GetCertificate and ListPermissions on the CA, which ACM requires to renew certificates issued from it within the account (Note: at the time this template was written, Terraform had no equivalent resource)
  • Activate Root CA: when enabled, issues a self-signed certificate from the new CA using the RootCACertificate/V1 template and imports it into the CA to set its status to ACTIVE
Items: 4
Size: 1.9 KB
AWSTemplateFormatVersion: '2010-09-09'
Description: 'ACM Private CA root CA with self-signed activation certificate and ACM renewal permission'
Resources:
  CertificateAuthority:
    Type: 'AWS::ACMPCA::CertificateAuthority'
    Properties:
      KeyAlgorithm: RSA_2048
      SigningAlgorithm: SHA512WITHRSA
      # At least one subject attribute is required; the value below is a placeholder to replace.
      Subject:
        CommonName: Example Private Root CA
      Type: ROOT
      KeyStorageSecurityStandard: FIPS_140_2_LEVEL_3_OR_HIGHER
      CsrExtensions:
        KeyUsage:
          # A CA signing key needs only these three. The remaining key usages
          # (DataEncipherment, EncipherOnly, DecipherOnly, KeyAgreement,
          # KeyEncipherment, NonRepudiation) describe end-entity keys, not a CA key.
          CRLSign: true
          DigitalSignature: true
          KeyCertSign: true
      RevocationConfiguration:
        CrlConfiguration:
          Enabled: true
          # 1 day is the minimum; ACM-PCA republishes the CRL shortly before it expires and on each revocation.
          ExpirationInDays: 1
          # PUBLIC_READ lets relying parties fetch the CRL straight from S3, but it only works
          # if Block Public Access is disabled on the CRL bucket. If it must stay on, use
          # BUCKET_OWNER_FULL_CONTROL and publish the CRL under a CustomCname you control.
          S3ObjectAcl: PUBLIC_READ
        OcspConfiguration:
          Enabled: true
  # Lets the ACM service renew certificates issued by this CA; all three actions are required.
  CertificateAuthorityPermission:
    Type: 'AWS::ACMPCA::Permission'
    Properties:
      CertificateAuthorityArn:
        Ref: CertificateAuthority
      Actions:
        - IssueCertificate
        - GetCertificate
        - ListPermissions
      Principal: acm.amazonaws.com
  CertificateAuthorityCertificate:
    Type: 'AWS::ACMPCA::Certificate'
    Properties:
      CertificateAuthorityArn:
        Ref: CertificateAuthority
      CertificateSigningRequest:
        'Fn::GetAtt':
          - CertificateAuthority
          - CertificateSigningRequest
      SigningAlgorithm: SHA512WITHRSA  # kept consistent with the CA's own SigningAlgorithm
      TemplateArn: 'arn:aws:acm-pca:::template/RootCACertificate/V1'
      Validity:
        Type: YEARS
        Value: 5
  CertificateAuthorityActivationCertificateAuthority:
    Type: 'AWS::ACMPCA::CertificateAuthorityActivation'
    Properties:
      CertificateAuthorityArn:
        Ref: CertificateAuthority
      Certificate:
        'Fn::GetAtt':
          - CertificateAuthorityCertificate
          - Certificate
      Status: ACTIVE
Parameters: {}
Metadata: {}
Conditions: {}
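As an added example (not part of the listed template or of AWS's own tooling), the following Python script transcribes the template's resources into a dict and runs the checks a reviewer would apply before deploying a private root CA: empty subject, key usages that do not belong on a CA signing key, a publicly readable CRL object ACL, a missing ACM renewal permission, and a self-signed root whose signing algorithm differs from the CA's. It also builds a hardened copy that passes every check; the subject values and the crl.example.com CNAME in that copy are assumed placeholders.

```python
"""Policy check for an ACM-PCA root CA CloudFormation template.

Added example, not part of the page's template. TEMPLATE is a Python
transcription of the page's Resources section; check_template() returns the
findings a reviewer would raise, and HARDENED is the same template with those
findings resolved (its subject and CNAME values are assumed placeholders).
"""
import copy
from typing import Dict, List

ALL_KEY_USAGES = ("CRLSign", "DataEncipherment", "DecipherOnly", "DigitalSignature",
                  "EncipherOnly", "KeyAgreement", "KeyCertSign", "KeyEncipherment",
                  "NonRepudiation")

# Transcribed from the page's template (constructed for this example).
TEMPLATE: Dict = {"Resources": {
    "CertificateAuthority": {
        "Type": "AWS::ACMPCA::CertificateAuthority",
        "Properties": {
            "KeyAlgorithm": "RSA_2048", "SigningAlgorithm": "SHA512WITHRSA",
            "Subject": {}, "Type": "ROOT",
            "KeyStorageSecurityStandard": "FIPS_140_2_LEVEL_3_OR_HIGHER",
            "CsrExtensions": {"KeyUsage": {k: True for k in ALL_KEY_USAGES}},
            "RevocationConfiguration": {
                "CrlConfiguration": {"Enabled": True, "ExpirationInDays": 1,
                                     "S3ObjectAcl": "PUBLIC_READ"},
                "OcspConfiguration": {"Enabled": True}}}},
    "CertificateAuthorityPermission": {
        "Type": "AWS::ACMPCA::Permission",
        "Properties": {"CertificateAuthorityArn": {"Ref": "CertificateAuthority"},
                       "Actions": ["IssueCertificate", "GetCertificate", "ListPermissions"],
                       "Principal": "acm.amazonaws.com"}},
    "CertificateAuthorityCertificate": {
        "Type": "AWS::ACMPCA::Certificate",
        "Properties": {"CertificateAuthorityArn": {"Ref": "CertificateAuthority"},
                       "SigningAlgorithm": "SHA256WITHRSA",
                       "TemplateArn": "arn:aws:acm-pca:::template/RootCACertificate/V1",
                       "Validity": {"Type": "YEARS", "Value": 5}}},
}}

CA_KEY_USAGES = {"KeyCertSign", "CRLSign", "DigitalSignature"}  # what a CA signing key needs
ACM_RENEWAL_ACTIONS = {"IssueCertificate", "GetCertificate", "ListPermissions"}


def resources_of(template: Dict, rtype: str) -> Dict[str, Dict]:
    """Return the resources of one CloudFormation type, keyed by logical name."""
    return {n: r for n, r in template["Resources"].items() if r.get("Type") == rtype}


def check_template(template: Dict) -> List[str]:
    findings: List[str] = []
    perms = resources_of(template, "AWS::ACMPCA::Permission").values()
    certs = resources_of(template, "AWS::ACMPCA::Certificate").values()
    for name, res in resources_of(template, "AWS::ACMPCA::CertificateAuthority").items():
        p = res["Properties"]
        if not p.get("Subject"):
            findings.append(f"{name}: Subject is empty; at least one subject attribute is required")
        enabled = {k for k, v in p.get("CsrExtensions", {}).get("KeyUsage", {}).items() if v}
        if extra := sorted(enabled - CA_KEY_USAGES):
            findings.append(f"{name}: key usages not appropriate for a CA signing key: {', '.join(extra)}")
        if missing := sorted(CA_KEY_USAGES - enabled):
            findings.append(f"{name}: CA key usages missing: {', '.join(missing)}")
        crl = p.get("RevocationConfiguration", {}).get("CrlConfiguration", {})
        if crl.get("Enabled") and crl.get("S3ObjectAcl") == "PUBLIC_READ":
            findings.append(f"{name}: CRL objects use the PUBLIC_READ ACL, which needs S3 Block Public "
                            "Access disabled on the CRL bucket; prefer BUCKET_OWNER_FULL_CONTROL "
                            "with a CustomCname you control")
        # ACM can only renew certificates from this CA if its principal holds all three actions.
        granted = {a for perm in perms
                   if perm["Properties"].get("Principal") == "acm.amazonaws.com"
                   and perm["Properties"].get("CertificateAuthorityArn") == {"Ref": name}
                   for a in perm["Properties"].get("Actions", [])}
        if not ACM_RENEWAL_ACTIONS <= granted:
            findings.append(f"{name}: acm.amazonaws.com lacks "
                            f"{', '.join(sorted(ACM_RENEWAL_ACTIONS - granted))}; ACM renewal will fail")
        for cert in certs:
            cp = cert["Properties"]
            if cp.get("CertificateAuthorityArn") == {"Ref": name} and \
                    cp.get("SigningAlgorithm") != p.get("SigningAlgorithm"):
                findings.append(f"{name}: self-signed root uses {cp['SigningAlgorithm']} but the CA "
                                f"signs issued certificates with {p['SigningAlgorithm']}")
    return findings


def harden(template: Dict) -> Dict:
    """Copy of the template with every finding above resolved (placeholder values assumed)."""
    t = copy.deepcopy(template)
    p = t["Resources"]["CertificateAuthority"]["Properties"]
    p["Subject"] = {"CommonName": "Example Private Root CA", "Organization": "Example Corp",
                    "Country": "US"}  # assumed placeholder subject
    p["CsrExtensions"]["KeyUsage"] = {k: k in CA_KEY_USAGES for k in ALL_KEY_USAGES}
    crl = p["RevocationConfiguration"]["CrlConfiguration"]
    crl["S3ObjectAcl"] = "BUCKET_OWNER_FULL_CONTROL"
    crl["CustomCname"] = "crl.example.com"  # assumed hostname fronting the CRL bucket
    t["Resources"]["CertificateAuthorityCertificate"]["Properties"]["SigningAlgorithm"] = p["SigningAlgorithm"]
    return t


HARDENED = harden(TEMPLATE)

if __name__ == "__main__":
    for finding in check_template(TEMPLATE):
        print("FINDING:", finding)
    print("hardened findings:", check_template(HARDENED))
```

Run it as-is to see the four findings against the page's defaults; point `TEMPLATE` at a parsed copy of your own template (for example via PyYAML or `cfn-flip`) to check a customized version before you deploy it.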
