CertificateAuthority
The CertificateAuthority resource lets you create and manage AWS ACMPCA certificate authorities for issuing and managing digital certificates.
Minimal Example
Create a basic certificate authority with required properties and a common optional property for revocation configuration.

import AWS from "alchemy/aws/control";

const basicCertificateAuthority = await AWS.ACMPCA.CertificateAuthority("basicCA", {
  Type: "SUBORDINATE",
  SigningAlgorithm: "SHA256WITHRSA",
  KeyAlgorithm: "RSA_2048",
  Subject: {
    Country: "US",
    Organization: "My Organization",
    OrganizationalUnit: "IT",
    CommonName: "myca.example.com"
  },
  RevocationConfiguration: {
    CrlConfiguration: {
      Enabled: true,
      ExpirationInDays: 7,
      S3BucketName: "my-certificate-revocation-list",
      CustomCname: "crl.myca.example.com"
    }
  },
  Tags: [{ Key: "Environment", Value: "Production" }]
});
Advanced Configuration
Configure a certificate authority with additional options such as CSR extensions and key storage security standards.

const advancedCertificateAuthority = await AWS.ACMPCA.CertificateAuthority("advancedCA", {
  Type: "ROOT",
  SigningAlgorithm: "SHA256WITHRSA",
  KeyAlgorithm: "RSA_4096",
  Subject: {
    Country: "US",
    Organization: "Advanced Organization",
    OrganizationalUnit: "Security",
    CommonName: "advancedca.example.com"
  },
  CsrExtensions: {
    // KeyUsage is an object of boolean flags in the
    // AWS::ACMPCA::CertificateAuthority schema, not an array of names.
    // CsrExtensions has no ExtendedKeyUsage property.
    KeyUsage: { DigitalSignature: true, KeyEncipherment: true }
  },
  // Allowed values carry the _OR_HIGHER suffix
  KeyStorageSecurityStandard: "FIPS_140_2_LEVEL_3_OR_HIGHER",
  Tags: [{ Key: "Project", Value: "SecureApp" }]
});
Adoption of Existing Certificate Authority
If you need to adopt an existing certificate authority instead of creating a new one, use the adopt property.

const existingCertificateAuthority = await AWS.ACMPCA.CertificateAuthority("existingCA", {
  Type: "SUBORDINATE",
  SigningAlgorithm: "SHA256WITHRSA",
  KeyAlgorithm: "RSA_2048",
  Subject: {
    Country: "US",
    Organization: "Existing Organization",
    OrganizationalUnit: "Compliance",
    CommonName: "existingca.example.com"
  },
  adopt: true // Adopt existing resource
});
Example with Usage Mode
Create a certificate authority with a specific usage mode, which defines how the certificates can be used.

const usageModeCertificateAuthority = await AWS.ACMPCA.CertificateAuthority("usageModeCA", {
  Type: "ROOT",
  SigningAlgorithm: "SHA256WITHRSA",
  KeyAlgorithm: "RSA_2048",
  Subject: {
    Country: "US",
    Organization: "Usage Mode Org",
    OrganizationalUnit: "Development",
    CommonName: "usagemodeca.example.com"
  },
  // Specify usage mode: GENERAL_PURPOSE (the default) or SHORT_LIVED_CERTIFICATE
  UsageMode: "GENERAL_PURPOSE",
  Tags: [{ Key: "Department", Value: "R&D" }]
});
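
A pre-deployment check for the props used in the examples on this page, as an added example that is not part of Alchemy or the original page. The hypothetical helper lintCaProps flags values outside the AWS::ACMPCA::CertificateAuthority CloudFormation schema, a signing algorithm that does not match the key type, and a CA that publishes no revocation information; the sample input is constructed.

```typescript
// Added example, not Alchemy code. Allowed values follow the
// AWS::ACMPCA::CertificateAuthority CloudFormation schema.
type CaProps = Record<string, any>;

const ENUMS: Record<string, string[]> = {
  Type: ["ROOT", "SUBORDINATE"],
  UsageMode: ["GENERAL_PURPOSE", "SHORT_LIVED_CERTIFICATE"],
  KeyStorageSecurityStandard: [
    "FIPS_140_2_LEVEL_2_OR_HIGHER",
    "FIPS_140_2_LEVEL_3_OR_HIGHER",
    "CCPC_LEVEL_1_OR_HIGHER",
  ],
};

// Hypothetical helper: returns one finding per problem, empty array if clean.
function lintCaProps(props: CaProps): string[] {
  const findings: string[] = [];
  for (const field of Object.keys(ENUMS)) {
    const value = props[field];
    if (value !== undefined && ENUMS[field].indexOf(value) === -1) {
      findings.push(`${field}: "${value}" is not an allowed value`);
    }
  }
  // An RSA key must sign with an RSA algorithm, an EC key with ECDSA.
  const key = String(props.KeyAlgorithm ?? "");
  const sig = String(props.SigningAlgorithm ?? "");
  if ((/^RSA_/.test(key) && !/WITHRSA$/.test(sig)) ||
      (/^EC_/.test(key) && !/WITHECDSA$/.test(sig))) {
    findings.push(`SigningAlgorithm: ${sig} does not match key type ${key}`);
  }
  // KeyUsage is an object of boolean flags, not an array of names.
  const ku = props.CsrExtensions?.KeyUsage;
  if (ku !== undefined && (Array.isArray(ku) || typeof ku !== "object")) {
    findings.push("CsrExtensions.KeyUsage: expected flags like { KeyCertSign: true }");
  }
  // Without a CRL or OCSP responder, relying parties cannot check revocation.
  // Short-lived-certificate CAs are exempt: expiry stands in for revocation.
  const rev = props.RevocationConfiguration;
  const publishes = rev?.CrlConfiguration?.Enabled === true ||
    rev?.OcspConfiguration?.Enabled === true;
  if (!publishes && props.UsageMode !== "SHORT_LIVED_CERTIFICATE") {
    findings.push("RevocationConfiguration: neither CRL nor OCSP is enabled");
  }
  return findings;
}

// Constructed sample input (not from a real deployment).
const sampleFindings = lintCaProps({
  Type: "ROOT", KeyAlgorithm: "EC_prime256v1", SigningAlgorithm: "SHA256WITHRSA",
  UsageMode: "DEFAULT", CsrExtensions: { KeyUsage: ["DIGITAL_SIGNATURE"] },
});
```

Run the helper on the props object before passing it to AWS.ACMPCA.CertificateAuthority and fail the deployment if it returns any findings.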