
AWS Certificate Manager (ACM) Security

Private Certificate Authority (ACM-PCA)

CloudFormation template for an AWS ACM-PCA (Private Certificate Authority) configured as a root CA, including activation with a self-signed certificate and the permission that lets ACM automatically renew certificates issued by this CA within the account.

Important: review the cost of ACM-PCA before provisioning any resources. Each private CA incurs a recurring monthly charge whether or not it issues certificates.

The following settings are available in this template:

  • Subject information (Common Name, Organization, Country, etc.). At least one field must be provided; the template ships with an empty Subject and will not deploy until one is filled in.
  • Key storage security standard and signing algorithm
  • Revocation configuration, with options to enable CRL publishing (to S3) and OCSP
  • Key usage bits in the CSR extensions (CsrExtensions.KeyUsage). For a CA only KeyCertSign, CRLSign and DigitalSignature are meaningful; EncipherOnly and DecipherOnly are mutually exclusive and only apply together with KeyAgreement (RFC 5280 4.2.1.3).
  • Permissions for automatic certificate renewal: adds the AWS::ACMPCA::Permission that lets the ACM service (acm.amazonaws.com) issue and retrieve certificates and list permissions on this CA, so ACM-managed certificates it issued renew automatically (note: at the time of writing, not supported in Terraform)
  • Activate root CA: when enabled, issues a self-signed certificate from the CA's own CSR using the RootCACertificate/V1 template and imports it back into the CA, which moves the CA to ACTIVE
AWSTemplateFormatVersion: "2010-09-09"
Description: "ACM-PCA root CA with self-signed activation and ACM auto-renewal permission"
Resources:
  CertificateAuthority:
    Type: "AWS::ACMPCA::CertificateAuthority"
    Properties:
      KeyAlgorithm: "RSA_2048"
      # Default signing algorithm for certificates issued by this CA; an
      # AWS::ACMPCA::Certificate may override it (the root certificate below does).
      SigningAlgorithm: "SHA512WITHRSA"
      # Required: fill in at least one field (CommonName, Organization, Country, ...).
      # An empty Subject fails stack creation.
      Subject: {}
      Type: "ROOT"
      # CA private key is held in FIPS 140-2 Level 3 validated HSMs
      KeyStorageSecurityStandard: "FIPS_140_2_LEVEL_3_OR_HIGHER"
      CsrExtensions:
        KeyUsage:
          # A CA key signs certificates and CRLs; keep end-entity usages off.
          KeyCertSign: true
          CRLSign: true
          DigitalSignature: true
          NonRepudiation: false
          DataEncipherment: false
          KeyEncipherment: false
          KeyAgreement: false
          # EncipherOnly and DecipherOnly are mutually exclusive and only
          # meaningful together with KeyAgreement (RFC 5280 4.2.1.3).
          EncipherOnly: false
          DecipherOnly: false
      RevocationConfiguration:
        CrlConfiguration:
          Enabled: true
          # Validity period of each published CRL
          ExpirationInDays: 1
          # Relying parties must be able to fetch the CRL anonymously. If the
          # bucket blocks public access, use BUCKET_OWNER_FULL_CONTROL and
          # publish the CRL through your own distribution point instead.
          S3ObjectAcl: "PUBLIC_READ"
        OcspConfiguration:
          Enabled: true
  # Grants the ACM service what it needs to renew certificates issued by this CA
  CertificateAuthorityPermission:
    Type: "AWS::ACMPCA::Permission"
    Properties:
      CertificateAuthorityArn:
        Ref: "CertificateAuthority"
      Actions:
        - "IssueCertificate"
        - "GetCertificate"
        - "ListPermissions"
      Principal: "acm.amazonaws.com"
  # Self-signed root certificate: the CA signs its own CSR with the root CA template
  CertificateAuthorityCertificate:
    Type: "AWS::ACMPCA::Certificate"
    Properties:
      CertificateAuthorityArn:
        Ref: "CertificateAuthority"
      CertificateSigningRequest:
        Fn::GetAtt:
          - "CertificateAuthority"
          - "CertificateSigningRequest"
      # Algorithm used to sign the root certificate itself (overrides the CA default above)
      SigningAlgorithm: "SHA256WITHRSA"
      TemplateArn: "arn:aws:acm-pca:::template/RootCACertificate/V1"
      Validity:
        Type: "YEARS"
        Value: 5
  # Import the self-signed certificate back into the CA, moving it from PENDING_CERTIFICATE to ACTIVE
  CertificateAuthorityActivationCertificateAuthority:
    Type: "AWS::ACMPCA::CertificateAuthorityActivation"
    Properties:
      CertificateAuthorityArn:
        Ref: "CertificateAuthority"
      Certificate:
        Fn::GetAtt:
          - "CertificateAuthorityCertificate"
          - "Certificate"
      Status: "ACTIVE"
Parameters: {}
Metadata: {}
Conditions: {}
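The settings above are easy to get subtly wrong (a contradictory key-usage pair, an empty Subject, a CA that is never activated, or a renewal permission granted to the wrong principal). The following stand-alone checker is an added example, not part of the original page or any AWS tooling. `PAGE_TEMPLATE` is a hand-copied Python rendering of the template's Resources section, constructed for this example; the rules encode RFC 5280 key-usage semantics and the resource wiring a root CA needs in CloudFormation. `hardened()` shows the same template with a CA-only key usage and a placeholder subject (`Example Root CA` is an assumed value, not from the page).

```python
"""Static checks for an ACM-PCA root-CA CloudFormation template (stdlib only).

Added example, not part of the original page. PAGE_TEMPLATE is a hand-copied
Python rendering of the page's Resources section (constructed for this example).
"""
import copy

ROOT_TEMPLATE = "arn:aws:acm-pca:::template/RootCACertificate/V1"
ACM_RENEWAL_ACTIONS = {"IssueCertificate", "GetCertificate", "ListPermissions"}
CA_BITS = {"KeyCertSign", "CRLSign", "DigitalSignature"}       # what a CA key is used for
NON_CA_BITS = {"DataEncipherment", "KeyEncipherment", "KeyAgreement",
               "EncipherOnly", "DecipherOnly"}                   # end-entity usages

PAGE_TEMPLATE = {"Resources": {
    "CertificateAuthority": {"Type": "AWS::ACMPCA::CertificateAuthority", "Properties": {
        "KeyAlgorithm": "RSA_2048", "SigningAlgorithm": "SHA512WITHRSA", "Subject": {},
        "Type": "ROOT", "KeyStorageSecurityStandard": "FIPS_140_2_LEVEL_3_OR_HIGHER",
        # the page sets every key-usage bit to true
        "CsrExtensions": {"KeyUsage": {b: True for b in CA_BITS | NON_CA_BITS | {"NonRepudiation"}}},
        "RevocationConfiguration": {
            "CrlConfiguration": {"Enabled": True, "ExpirationInDays": 1, "S3ObjectAcl": "PUBLIC_READ"},
            "OcspConfiguration": {"Enabled": True}}}},
    "CertificateAuthorityPermission": {"Type": "AWS::ACMPCA::Permission", "Properties": {
        "CertificateAuthorityArn": {"Ref": "CertificateAuthority"},
        "Actions": ["IssueCertificate", "GetCertificate", "ListPermissions"],
        "Principal": "acm.amazonaws.com"}},
    "CertificateAuthorityCertificate": {"Type": "AWS::ACMPCA::Certificate", "Properties": {
        "CertificateAuthorityArn": {"Ref": "CertificateAuthority"},
        "CertificateSigningRequest": {"Fn::GetAtt": ["CertificateAuthority", "CertificateSigningRequest"]},
        "SigningAlgorithm": "SHA256WITHRSA", "TemplateArn": ROOT_TEMPLATE,
        "Validity": {"Type": "YEARS", "Value": 5}}},
    "CertificateAuthorityActivationCertificateAuthority": {
        "Type": "AWS::ACMPCA::CertificateAuthorityActivation", "Properties": {
            "CertificateAuthorityArn": {"Ref": "CertificateAuthority"},
            "Certificate": {"Fn::GetAtt": ["CertificateAuthorityCertificate", "Certificate"]},
            "Status": "ACTIVE"}}}}


def by_type(resources, rtype):
    """Resources of one CloudFormation type, as (logical name, resource) pairs."""
    return [(n, r) for n, r in resources.items() if r["Type"] == rtype]


def refs(resource, ca_name):
    """True if the resource's CertificateAuthorityArn is a Ref to ca_name."""
    return resource["Properties"].get("CertificateAuthorityArn") == {"Ref": ca_name}


def check_key_usage(ku):
    """RFC 5280 4.2.1.3 sanity checks on the CSR key-usage bits of a CA key."""
    out = []
    if not ku.get("KeyCertSign"):
        out.append("KeyCertSign must be set on a CA key")
    if ku.get("EncipherOnly") and ku.get("DecipherOnly"):
        out.append("EncipherOnly and DecipherOnly are mutually exclusive")
    elif (ku.get("EncipherOnly") or ku.get("DecipherOnly")) and not ku.get("KeyAgreement"):
        out.append("EncipherOnly/DecipherOnly are only meaningful with KeyAgreement")
    extra = sorted(b for b in NON_CA_BITS if ku.get(b))
    if extra:
        out.append("CA key carries end-entity usages: " + ", ".join(extra))
    return out


def lint(template):
    """Return a list of findings for every CertificateAuthority in the template."""
    res = template["Resources"]
    findings = []
    for name, ca in by_type(res, "AWS::ACMPCA::CertificateAuthority"):
        p = ca["Properties"]
        ku = p.get("CsrExtensions", {}).get("KeyUsage", {})
        if not p.get("Subject"):
            findings.append(f"{name}: Subject is empty; at least one subject field is required")
        findings += [f"{name}: {f}" for f in check_key_usage(ku)]
        rc = p.get("RevocationConfiguration", {})
        crl_on = rc.get("CrlConfiguration", {}).get("Enabled", False)
        ocsp_on = rc.get("OcspConfiguration", {}).get("Enabled", False)
        if crl_on and not ku.get("CRLSign"):
            findings.append(f"{name}: CRL publishing enabled but CRLSign is not set")
        if not (crl_on or ocsp_on):
            findings.append(f"{name}: no revocation mechanism (CRL or OCSP) enabled")
        # Self-signed activation chain: CA CSR -> Certificate (root template) -> Activation
        certs = [(n, c) for n, c in by_type(res, "AWS::ACMPCA::Certificate") if refs(c, name)]
        for cn, c in certs:
            cp = c["Properties"]
            if p["Type"] == "ROOT" and cp.get("TemplateArn") != ROOT_TEMPLATE:
                findings.append(f"{cn}: root CA certificate must use {ROOT_TEMPLATE}")
            if cp.get("CertificateSigningRequest") != {"Fn::GetAtt": [name, "CertificateSigningRequest"]}:
                findings.append(f"{cn}: CSR must come from the CA's own CertificateSigningRequest attribute")
        acts = [a for _, a in by_type(res, "AWS::ACMPCA::CertificateAuthorityActivation") if refs(a, name)]
        own_certs = [{"Fn::GetAtt": [cn, "Certificate"]} for cn, _ in certs]
        if not any(a["Properties"].get("Status") == "ACTIVE" and a["Properties"].get("Certificate") in own_certs
                   for a in acts):
            findings.append(f"{name}: CA is never activated with its own issued certificate")
        for pn, pm in by_type(res, "AWS::ACMPCA::Permission"):
            if refs(pm, name) and (pm["Properties"].get("Principal") != "acm.amazonaws.com"
                                   or set(pm["Properties"].get("Actions", [])) != ACM_RENEWAL_ACTIONS):
                findings.append(f"{pn}: renewal permission must grant {sorted(ACM_RENEWAL_ACTIONS)} to acm.amazonaws.com")
    return findings


def hardened(template):
    """The page's template with a CA-only key usage and a placeholder subject."""
    t = copy.deepcopy(template)
    p = t["Resources"]["CertificateAuthority"]["Properties"]
    p["Subject"] = {"CommonName": "Example Root CA"}   # assumed placeholder, not from the page
    p["CsrExtensions"]["KeyUsage"] = {b: b in CA_BITS for b in CA_BITS | NON_CA_BITS}
    return t


if __name__ == "__main__":
    for f in lint(PAGE_TEMPLATE):
        print("page template:", f)
    print("hardened findings:", lint(hardened(PAGE_TEMPLATE)))
```

Run against the page's settings it reports the empty Subject, the EncipherOnly/DecipherOnly conflict and the end-entity usages on the CA key; the activation chain and the ACM permission pass as written. The same checks applied to the hardened copy return nothing.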
