


# AWS::PCAConnectorSCEP::Connector
<a name="aws-resource-pcaconnectorscep-connector"></a>

Connector for SCEP is a service that links AWS Private Certificate Authority to your SCEP-enabled devices. The connector brokers the exchange of certificates from AWS Private CA to your SCEP-enabled devices and mobile device management systems. The connector is a complex type that contains the connector's configuration settings.

## Syntax
<a name="aws-resource-pcaconnectorscep-connector-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-resource-pcaconnectorscep-connector-syntax.json"></a>

```
{
  "Type" : "AWS::PCAConnectorSCEP::Connector",
  "Properties" : {
      "CertificateAuthorityArn" : String,
      "MobileDeviceManagement" : MobileDeviceManagement,
      "Tags" : {Key: Value, ...},
      "VpcEndpointId" : String
    }
}
```

### YAML
<a name="aws-resource-pcaconnectorscep-connector-syntax.yaml"></a>

```
Type: AWS::PCAConnectorSCEP::Connector
Properties:
  CertificateAuthorityArn: String
  MobileDeviceManagement: 
    MobileDeviceManagement
  Tags: 
    Key: Value
  VpcEndpointId: String
```

## Properties
<a name="aws-resource-pcaconnectorscep-connector-properties"></a>

`CertificateAuthorityArn`  <a name="cfn-pcaconnectorscep-connector-certificateauthorityarn"></a>
The Amazon Resource Name (ARN) of the certificate authority associated with the connector.  
*Required*: Yes  
*Type*: String  
*Pattern*: `^arn:aws(-[a-z]+)*:acm-pca:[a-z]+(-[a-z]+)+-[1-9]\d*:\d{12}:certificate-authority\/[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$`  
*Minimum*: `5`  
*Maximum*: `200`  
*Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement)

`MobileDeviceManagement`  <a name="cfn-pcaconnectorscep-connector-mobiledevicemanagement"></a>
Contains settings relevant to the mobile device management system that you chose for the connector. If you didn't configure `MobileDeviceManagement`, then the connector is for general-purpose use and this object is empty.  
*Required*: No  
*Type*: [MobileDeviceManagement](aws-properties-pcaconnectorscep-connector-mobiledevicemanagement.md)  
*Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement)

`Tags`  <a name="cfn-pcaconnectorscep-connector-tags"></a>
Property description not available.  
*Required*: No  
*Type*: Object of String  
*Pattern*: `.+`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`VpcEndpointId`  <a name="cfn-pcaconnectorscep-connector-vpcendpointid"></a>
Property description not available.  
*Required*: No  
*Type*: String  
*Minimum*: `5`  
*Maximum*: `200`  
*Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement)

## Return values
<a name="aws-resource-pcaconnectorscep-connector-return-values"></a>

### Ref
<a name="aws-resource-pcaconnectorscep-connector-return-values-ref"></a>

### Fn::GetAtt
<a name="aws-resource-pcaconnectorscep-connector-return-values-fn--getatt"></a>


`ConnectorArn`  <a name="ConnectorArn-fn::getatt"></a>
The Amazon Resource Name (ARN) of the connector.

`Endpoint`  <a name="Endpoint-fn::getatt"></a>
The connector's HTTPS public SCEP URL.

`Type`  <a name="Type-fn::getatt"></a>
The connector type.

## Examples
<a name="aws-resource-pcaconnectorscep-connector--examples"></a>



**Topics**
+ [Create a general-purpose SCEP connector and challenge resource](#aws-resource-pcaconnectorscep-connector--examples--Create_a_general-purpose_SCEP_connector_and_challenge_resource)
+ [Create connector to use with Microsoft Intune](#aws-resource-pcaconnectorscep-connector--examples--Create_connector_to_use_with_Microsoft_Intune)

### Create a general-purpose SCEP connector and challenge resource
<a name="aws-resource-pcaconnectorscep-connector--examples--Create_a_general-purpose_SCEP_connector_and_challenge_resource"></a>

The following example creates an AWS Private Certificate Authority (CA) general-purpose connector with a challenge password. Before you create a connector, you must complete a few prerequisites, including creating a private CA in AWS Private Certificate Authority (CA). For more information, see [Set up Connector for SCEP](https://docs.aws.amazon.com/privateca/latest/userguide/connector-for-scep-setting-up.html).

#### JSON
<a name="aws-resource-pcaconnectorscep-connector--examples--Create_a_general-purpose_SCEP_connector_and_challenge_resource--json"></a>

```
{
   "AWSTemplateFormatVersion": "2010-09-09",
   "Description": "CloudFormation template to set up a general-purpose connector for SCEP and challenge password.",
   "Resources": {
      "RootCA": {
         "Type": "AWS::ACMPCA::CertificateAuthority",
         "Properties": {
            "Type": "ROOT",
            "KeyAlgorithm": "RSA_2048",
            "SigningAlgorithm": "SHA256WITHRSA",
            "Subject": {
               "Country": "US",
               "Organization": "string",
               "OrganizationalUnit": "string",
               "DistinguishedNameQualifier": "string",
               "State": "string",
               "CommonName": "123",
               "SerialNumber": "string",
               "Locality": "string",
               "Title": "string",
               "Surname": "string",
               "GivenName": "string",
               "Initials": "DG",
               "Pseudonym": "string",
               "GenerationQualifier": "DBG"
            },
            "RevocationConfiguration": {
               "CrlConfiguration": {
                  "Enabled": false
               }
            }
         }
      },
      "RootCACertificate": {
         "Type": "AWS::ACMPCA::Certificate",
         "Properties": {
            "CertificateAuthorityArn": {
               "Ref": "RootCA"
            },
            "CertificateSigningRequest": {
               "Fn::GetAtt": [
                  "RootCA",
                  "CertificateSigningRequest"
               ]
            },
            "SigningAlgorithm": "SHA256WITHRSA",
            "TemplateArn": "arn:aws:acm-pca:::template/RootCACertificate/V1",
            "Validity": {
               "Type": "YEARS",
               "Value": 100
            }
         }
      },
      "RootCAActivation": {
         "Type": "AWS::ACMPCA::CertificateAuthorityActivation",
         "Properties": {
            "CertificateAuthorityArn": {
               "Ref": "RootCA"
            },
            "Certificate": {
               "Fn::GetAtt": [
                  "RootCACertificate",
                  "Certificate"
               ]
            },
            "Status": "ACTIVE"
         }
      },
      "RootCAResourceShare": {
         "DependsOn": "RootCAActivation",
         "Type": "AWS::RAM::ResourceShare",
         "Properties": {
            "Name": "RootCAResourceShare",
            "PermissionArns": [
               "arn:aws:ram::aws:permission/AWSRAMBlankEndEntityCertificateAPICSRPassthroughIssuanceCertificateAuthority"
            ],
            "ResourceArns": [
               {
                  "Ref": "RootCA"
               }
            ],
            "Sources": [
               {
                  "Ref": "AWS::AccountId"
               }
            ],
            "Principals": [
               "pca-connector-scep.amazonaws.com"
            ]
         }
      },
      "GeneralPurposeConnector": {
         "DependsOn": "RootCAResourceShare",
         "Type": "AWS::PCAConnectorSCEP::Connector",
         "Properties": {
            "CertificateAuthorityArn": {
               "Ref": "RootCA"
            }
         }
      },
      "GeneralPurposeConnectorChallenge": {
         "DependsOn": "GeneralPurposeConnector",
         "Type": "AWS::PCAConnectorSCEP::Challenge",
         "Properties": {
            "ConnectorArn": {
               "Ref": "GeneralPurposeConnector"
            }
         }
      }
   },
   "Outputs": {
      "GeneralPurposeConnector": {
         "Value": {
            "Ref": "GeneralPurposeConnector"
         }
      },
      "GeneralPurposeConnectorChallenge": {
         "Value": {
            "Ref": "GeneralPurposeConnectorChallenge"
         }
      }
   }
}
```

#### YAML
<a name="aws-resource-pcaconnectorscep-connector--examples--Create_a_general-purpose_SCEP_connector_and_challenge_resource--yaml"></a>

```
AWSTemplateFormatVersion: '2010-09-09'
Description: CloudFormation template to set up a general-purpose connector for SCEP and challenge password.
Resources:
   RootCA:
      Type: AWS::ACMPCA::CertificateAuthority
      Properties:
         Type: ROOT
         KeyAlgorithm: RSA_2048
         SigningAlgorithm: SHA256WITHRSA
         Subject:
            Country: US
            Organization: string
            OrganizationalUnit: string
            DistinguishedNameQualifier: string
            State: string
            CommonName: '123'
            SerialNumber: string
            Locality: string
            Title: string
            Surname: string
            GivenName: string
            Initials: DG
            Pseudonym: string
            GenerationQualifier: DBG
         RevocationConfiguration:
            CrlConfiguration:
               Enabled: false
   RootCACertificate:
      Type: AWS::ACMPCA::Certificate
      Properties:
         CertificateAuthorityArn: !Ref RootCA
         CertificateSigningRequest: !GetAtt RootCA.CertificateSigningRequest
         SigningAlgorithm: SHA256WITHRSA
         TemplateArn: arn:aws:acm-pca:::template/RootCACertificate/V1
         Validity:
            Type: YEARS
            Value: 100
   RootCAActivation:
      Type: AWS::ACMPCA::CertificateAuthorityActivation
      Properties:
         CertificateAuthorityArn: !Ref RootCA
         Certificate: !GetAtt RootCACertificate.Certificate
         Status: ACTIVE
   # Share the activated CA with the Connector for SCEP service principal.
   RootCAResourceShare:
      DependsOn: RootCAActivation
      Type: AWS::RAM::ResourceShare
      Properties:
         Name: RootCAResourceShare
         PermissionArns:
            - arn:aws:ram::aws:permission/AWSRAMBlankEndEntityCertificateAPICSRPassthroughIssuanceCertificateAuthority
         ResourceArns:
            - !Ref RootCA
         Sources:
            - !Ref AWS::AccountId
         Principals:
            - pca-connector-scep.amazonaws.com
   # No MobileDeviceManagement property, so this is a general-purpose connector.
   GeneralPurposeConnector:
      DependsOn: RootCAResourceShare
      Type: AWS::PCAConnectorSCEP::Connector
      Properties:
         CertificateAuthorityArn: !Ref RootCA
   GeneralPurposeConnectorChallenge:
      DependsOn: GeneralPurposeConnector
      Type: AWS::PCAConnectorSCEP::Challenge
      Properties:
         ConnectorArn: !Ref GeneralPurposeConnector
Outputs:
   GeneralPurposeConnector:
      Value: !Ref GeneralPurposeConnector
   GeneralPurposeConnectorChallenge:
      Value: !Ref GeneralPurposeConnectorChallenge
```

### Create connector to use with Microsoft Intune
<a name="aws-resource-pcaconnectorscep-connector--examples--Create_connector_to_use_with_Microsoft_Intune"></a>

The following example creates an AWS Private Certificate Authority (CA) connector to use with Microsoft Intune. Before you create a connector, you must complete a few prerequisites, including creating a private CA in AWS Private Certificate Authority (CA). For more information, see [Set up Connector for SCEP](https://docs.aws.amazon.com/privateca/latest/userguide/connector-for-scep-setting-up.html).

#### JSON
<a name="aws-resource-pcaconnectorscep-connector--examples--Create_connector_to_use_with_Microsoft_Intune--json"></a>

```
{
   "AWSTemplateFormatVersion": "2010-09-09",
   "Description": "CloudFormation template to set up a connector to use with Microsoft Intune.",
   "Resources": {
      "RootCA": {
         "Type": "AWS::ACMPCA::CertificateAuthority",
         "Properties": {
            "Type": "ROOT",
            "KeyAlgorithm": "RSA_2048",
            "SigningAlgorithm": "SHA256WITHRSA",
            "Subject": {
               "Country": "US",
               "Organization": "string",
               "OrganizationalUnit": "string",
               "DistinguishedNameQualifier": "string",
               "State": "string",
               "CommonName": "123",
               "SerialNumber": "string",
               "Locality": "string",
               "Title": "string",
               "Surname": "string",
               "GivenName": "string",
               "Initials": "DG",
               "Pseudonym": "string",
               "GenerationQualifier": "DBG"
            },
            "RevocationConfiguration": {
               "CrlConfiguration": {
                  "Enabled": false
               }
            }
         }
      },
      "RootCACertificate": {
         "Type": "AWS::ACMPCA::Certificate",
         "Properties": {
            "CertificateAuthorityArn": {
               "Ref": "RootCA"
            },
            "CertificateSigningRequest": {
               "Fn::GetAtt": [
                  "RootCA",
                  "CertificateSigningRequest"
               ]
            },
            "SigningAlgorithm": "SHA256WITHRSA",
            "TemplateArn": "arn:aws:acm-pca:::template/RootCACertificate/V1",
            "Validity": {
               "Type": "YEARS",
               "Value": 100
            }
         }
      },
      "RootCAActivation": {
         "Type": "AWS::ACMPCA::CertificateAuthorityActivation",
         "Properties": {
            "CertificateAuthorityArn": {
               "Ref": "RootCA"
            },
            "Certificate": {
               "Fn::GetAtt": [
                  "RootCACertificate",
                  "Certificate"
               ]
            },
            "Status": "ACTIVE"
         }
      },
      "RootCAResourceShare": {
         "DependsOn": "RootCAActivation",
         "Type": "AWS::RAM::ResourceShare",
         "Properties": {
            "Name": "RootCAResourceShare",
            "PermissionArns": [
               "arn:aws:ram::aws:permission/AWSRAMBlankEndEntityCertificateAPICSRPassthroughIssuanceCertificateAuthority"
            ],
            "ResourceArns": [
               {
                  "Ref": "RootCA"
               }
            ],
            "Sources": [
               {
                  "Ref": "AWS::AccountId"
               }
            ],
            "Principals": [
               "pca-connector-scep.amazonaws.com"
            ]
         }
      },
      "IntuneConnector": {
         "DependsOn": "RootCAResourceShare",
         "Type": "AWS::PCAConnectorSCEP::Connector",
         "Properties": {
            "CertificateAuthorityArn": {
               "Ref": "RootCA"
            },
            "MobileDeviceManagement": {
               "Intune": {
                  "AzureApplicationId": "222-222-222-222-222",
                  "Domain": "example.onmicrosoft.com"
               }
            }
         }
      }
   },
   "Outputs": {
      "IntuneConnector": {
         "Value": {
            "Ref": "IntuneConnector"
         }
      }
   }
}
```

#### YAML
<a name="aws-resource-pcaconnectorscep-connector--examples--Create_connector_to_use_with_Microsoft_Intune--yaml"></a>

```
AWSTemplateFormatVersion: '2010-09-09'
Description: CloudFormation template to set up a connector to use with Microsoft Intune.
Resources:
   RootCA:
      Type: AWS::ACMPCA::CertificateAuthority
      Properties:
         Type: ROOT
         KeyAlgorithm: RSA_2048
         SigningAlgorithm: SHA256WITHRSA
         Subject:
            Country: US
            Organization: string
            OrganizationalUnit: string
            DistinguishedNameQualifier: string
            State: string
            CommonName: '123'
            SerialNumber: string
            Locality: string
            Title: string
            Surname: string
            GivenName: string
            Initials: DG
            Pseudonym: string
            GenerationQualifier: DBG
         RevocationConfiguration:
            CrlConfiguration:
               Enabled: false
   RootCACertificate:
      Type: AWS::ACMPCA::Certificate
      Properties:
         CertificateAuthorityArn: !Ref RootCA
         CertificateSigningRequest: !GetAtt RootCA.CertificateSigningRequest
         SigningAlgorithm: SHA256WITHRSA
         TemplateArn: arn:aws:acm-pca:::template/RootCACertificate/V1
         Validity:
            Type: YEARS
            Value: 100
   RootCAActivation:
      Type: AWS::ACMPCA::CertificateAuthorityActivation
      Properties:
         CertificateAuthorityArn: !Ref RootCA
         Certificate: !GetAtt RootCACertificate.Certificate
         Status: ACTIVE
   # Share the activated CA with the Connector for SCEP service principal.
   RootCAResourceShare:
      DependsOn: RootCAActivation
      Type: AWS::RAM::ResourceShare
      Properties:
         Name: RootCAResourceShare
         PermissionArns:
            - arn:aws:ram::aws:permission/AWSRAMBlankEndEntityCertificateAPICSRPassthroughIssuanceCertificateAuthority
         ResourceArns:
            - !Ref RootCA
         Sources:
            - !Ref AWS::AccountId
         Principals:
            - pca-connector-scep.amazonaws.com
   # Supplying MobileDeviceManagement.Intune makes this a Microsoft Intune connector.
   IntuneConnector:
      DependsOn: RootCAResourceShare
      Type: AWS::PCAConnectorSCEP::Connector
      Properties:
         CertificateAuthorityArn: !Ref RootCA
         MobileDeviceManagement:
            Intune:
               AzureApplicationId: "222-222-222-222-222"
               Domain: "example.onmicrosoft.com"
Outputs:
   IntuneConnector:
      Value: !Ref IntuneConnector
```

# AWS::PCAConnectorSCEP::Connector IntuneConfiguration
<a name="aws-properties-pcaconnectorscep-connector-intuneconfiguration"></a>

Contains configuration details for use with Microsoft Intune. For information about using Connector for SCEP for Microsoft Intune, see [Using Connector for SCEP for Microsoft Intune](https://docs.aws.amazon.com/privateca/latest/userguide/scep-connector.htmlconnector-for-scep-intune.html).

When you use Connector for SCEP for Microsoft Intune, certain functionalities are enabled by accessing Microsoft Intune through the Microsoft API. Your use of the Connector for SCEP and accompanying AWS services doesn't remove your need to have a valid license for your use of the Microsoft Intune service. You should also review the [Microsoft Intune® App Protection Policies](https://learn.microsoft.com/en-us/mem/intune/apps/app-protection-policy).

## Syntax
<a name="aws-properties-pcaconnectorscep-connector-intuneconfiguration-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-pcaconnectorscep-connector-intuneconfiguration-syntax.json"></a>

```
{
  "AzureApplicationId" : String,
  "Domain" : String
}
```

### YAML
<a name="aws-properties-pcaconnectorscep-connector-intuneconfiguration-syntax.yaml"></a>

```
  AzureApplicationId: String
  Domain: String
```

## Properties
<a name="aws-properties-pcaconnectorscep-connector-intuneconfiguration-properties"></a>

`AzureApplicationId`  <a name="cfn-pcaconnectorscep-connector-intuneconfiguration-azureapplicationid"></a>
The directory (tenant) ID from your Microsoft Entra ID app registration.  
*Required*: Yes  
*Type*: String  
*Pattern*: `^[a-zA-Z0-9]{2,15}-[a-zA-Z0-9]{2,15}-[a-zA-Z0-9]{2,15}-[a-zA-Z0-9]{2,15}-[a-zA-Z0-9]{2,15}$`  
*Minimum*: `15`  
*Maximum*: `100`  
*Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement)

`Domain`  <a name="cfn-pcaconnectorscep-connector-intuneconfiguration-domain"></a>
The primary domain from your Microsoft Entra ID app registration.  
*Required*: Yes  
*Type*: String  
*Pattern*: `^[a-zA-Z0-9._-]+$`  
*Minimum*: `1`  
*Maximum*: `256`  
*Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement)

# AWS::PCAConnectorSCEP::Connector MobileDeviceManagement
<a name="aws-properties-pcaconnectorscep-connector-mobiledevicemanagement"></a>

If you don't supply a value, Connector for SCEP creates a connector for general-purpose use by default. A general-purpose connector is designed to work with clients or endpoints that support the SCEP protocol, other than Microsoft Intune. For information about considerations and limitations with using Connector for SCEP, see [Considerations and Limitations](https://docs.aws.amazon.com/privateca/latest/userguide/scep-connector.htmlc4scep-considerations-limitations.html).

If you provide an `IntuneConfiguration`, Connector for SCEP creates a connector for use with Microsoft Intune, and you manage the challenge passwords using Microsoft Intune. For more information, see [Using Connector for SCEP for Microsoft Intune](https://docs.aws.amazon.com/privateca/latest/userguide/scep-connector.htmlconnector-for-scep-intune.html).

## Syntax
<a name="aws-properties-pcaconnectorscep-connector-mobiledevicemanagement-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-pcaconnectorscep-connector-mobiledevicemanagement-syntax.json"></a>

```
{
  "Intune" : IntuneConfiguration
}
```

### YAML
<a name="aws-properties-pcaconnectorscep-connector-mobiledevicemanagement-syntax.yaml"></a>

```
  Intune: 
    IntuneConfiguration
```

## Properties
<a name="aws-properties-pcaconnectorscep-connector-mobiledevicemanagement-properties"></a>

`Intune`  <a name="cfn-pcaconnectorscep-connector-mobiledevicemanagement-intune"></a>
Configuration settings for use with Microsoft Intune. For information about using Connector for SCEP for Microsoft Intune, see [Using Connector for SCEP for Microsoft Intune](https://docs.aws.amazon.com/privateca/latest/userguide/scep-connector.htmlconnector-for-scep-intune.html).  
*Required*: Yes  
*Type*: [IntuneConfiguration](aws-properties-pcaconnectorscep-connector-intuneconfiguration.md)  
*Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement)
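
The following pre-deployment check applies the Required, Pattern, Minimum and Maximum constraints from the `Connector`, `MobileDeviceManagement` and `IntuneConfiguration` property tables to a template parsed from JSON. It is an added example, not AWS code; the function names are hypothetical, and values given as intrinsic functions are skipped because they resolve only at deploy time.

```python
import re

# Constraints transcribed from the property tables on this page.
CA_ARN_RE = re.compile(
    r"^arn:aws(-[a-z]+)*:acm-pca:[a-z]+(-[a-z]+)+-[1-9]\d*:\d{12}:"
    r"certificate-authority\/[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")
AZURE_APP_ID_RE = re.compile(
    r"^[a-zA-Z0-9]{2,15}-[a-zA-Z0-9]{2,15}-[a-zA-Z0-9]{2,15}"
    r"-[a-zA-Z0-9]{2,15}-[a-zA-Z0-9]{2,15}$")
DOMAIN_RE = re.compile(r"^[a-zA-Z0-9._-]+$")
TAG_VALUE_RE = re.compile(r".+")
# Properties marked "Update requires: Replacement"; Tags is "No interruption".
REPLACEMENT_PROPS = ("CertificateAuthorityArn", "MobileDeviceManagement", "VpcEndpointId")

# Constructed sample: the IntuneConnector properties from this page's example.
PAGE_EXAMPLE = {
    "CertificateAuthorityArn": {"Ref": "RootCA"},
    "MobileDeviceManagement": {"Intune": {
        "AzureApplicationId": "222-222-222-222-222",
        "Domain": "example.onmicrosoft.com"}},
}


def _is_intrinsic(value):
    """True for {"Ref": ...} / {"Fn::...": ...}, which only resolve at deploy time."""
    if not (isinstance(value, dict) and len(value) == 1):
        return False
    key = next(iter(value))
    return key == "Ref" or key.startswith("Fn::")


def _check(name, value, pattern, lo, hi, errors):
    if _is_intrinsic(value):
        return  # not statically checkable
    if not isinstance(value, str):
        errors.append(f"{name}: expected a string")
        return
    if lo is not None and not lo <= len(value) <= hi:
        errors.append(f"{name}: length {len(value)} is outside {lo}..{hi}")
    # fullmatch, so a trailing newline cannot slip past the '$' anchor
    if pattern is not None and not pattern.fullmatch(value):
        errors.append(f"{name}: does not match the documented pattern")


def validate_connector(props):
    """Return a list of constraint violations for one Connector's Properties."""
    errors = []
    def required(container, field, prefix, pattern, lo, hi):
        name = prefix + field
        if field not in container:
            errors.append(f"{name}: required property is missing")
        else:
            _check(name, container[field], pattern, lo, hi, errors)
    required(props, "CertificateAuthorityArn", "", CA_ARN_RE, 5, 200)
    if "VpcEndpointId" in props:
        _check("VpcEndpointId", props["VpcEndpointId"], None, 5, 200, errors)
    for key, value in props.get("Tags", {}).items():
        _check(f"Tags.{key}", value, TAG_VALUE_RE, None, None, errors)
    mdm = props.get("MobileDeviceManagement")
    if mdm is not None:  # omitted means a general-purpose connector
        if "Intune" not in mdm:
            errors.append("MobileDeviceManagement.Intune: required property is missing")
        else:
            prefix = "MobileDeviceManagement.Intune."
            required(mdm["Intune"], "AzureApplicationId", prefix, AZURE_APP_ID_RE, 15, 100)
            required(mdm["Intune"], "Domain", prefix, DOMAIN_RE, 1, 256)
    return errors


def lint_template(template):
    """Map each Connector's logical ID to its violations (parsed JSON template)."""
    resources = template.get("Resources", {})
    return {lid: validate_connector(res.get("Properties", {}))
            for lid, res in resources.items()
            if res.get("Type") == "AWS::PCAConnectorSCEP::Connector"}


def replacement_changes(old_props, new_props):
    """Names of changed properties whose update replaces the connector."""
    return [p for p in REPLACEMENT_PROPS if old_props.get(p) != new_props.get(p)]
```

Run `lint_template` on the parsed template before creating a change set, and `replacement_changes` on the old and new `Properties` to see whether an update will replace the connector.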

# AWS::PCAConnectorSCEP::Connector OpenIdConfiguration
<a name="aws-properties-pcaconnectorscep-connector-openidconfiguration"></a>

Contains OpenID Connect (OIDC) parameters for use with Microsoft Intune. For more information about using Connector for SCEP for Microsoft Intune, see [Using Connector for SCEP for Microsoft Intune](https://docs.aws.amazon.com/privateca/latest/userguide/scep-connector.htmlconnector-for-scep-intune.html).

## Syntax
<a name="aws-properties-pcaconnectorscep-connector-openidconfiguration-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-pcaconnectorscep-connector-openidconfiguration-syntax.json"></a>

```
{
  "Audience" : String,
  "Issuer" : String,
  "Subject" : String
}
```

### YAML
<a name="aws-properties-pcaconnectorscep-connector-openidconfiguration-syntax.yaml"></a>

```
  Audience: String
  Issuer: String
  Subject: String
```

## Properties
<a name="aws-properties-pcaconnectorscep-connector-openidconfiguration-properties"></a>

`Audience`  <a name="cfn-pcaconnectorscep-connector-openidconfiguration-audience"></a>
The audience value to copy into your Microsoft Entra app registration's OIDC.  
*Required*: No  
*Type*: String  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Issuer`  <a name="cfn-pcaconnectorscep-connector-openidconfiguration-issuer"></a>
The issuer value to copy into your Microsoft Entra app registration's OIDC.  
*Required*: No  
*Type*: String  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Subject`  <a name="cfn-pcaconnectorscep-connector-openidconfiguration-subject"></a>
The subject value to copy into your Microsoft Entra app registration's OIDC.  
*Required*: No  
*Type*: String  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)