


# AWS Private Certificate Authority for Active Directory
<a name="AWS_PCAConnectorAD"></a>

**Resource types**
+ [AWS::PCAConnectorAD::Connector](aws-resource-pcaconnectorad-connector.md)
+ [AWS::PCAConnectorAD::DirectoryRegistration](aws-resource-pcaconnectorad-directoryregistration.md)
+ [AWS::PCAConnectorAD::ServicePrincipalName](aws-resource-pcaconnectorad-serviceprincipalname.md)
+ [AWS::PCAConnectorAD::Template](aws-resource-pcaconnectorad-template.md)
+ [AWS::PCAConnectorAD::TemplateGroupAccessControlEntry](aws-resource-pcaconnectorad-templategroupaccesscontrolentry.md)

# AWS::PCAConnectorAD::Connector
<a name="aws-resource-pcaconnectorad-connector"></a>

Creates a connector between AWS Private CA and an Active Directory. You must specify the private CA, directory ID, and security groups.

## Syntax
<a name="aws-resource-pcaconnectorad-connector-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-resource-pcaconnectorad-connector-syntax.json"></a>

```
{
  "Type" : "AWS::PCAConnectorAD::Connector",
  "Properties" : {
      "[CertificateAuthorityArn](#cfn-pcaconnectorad-connector-certificateauthorityarn)" : String,
      "[DirectoryId](#cfn-pcaconnectorad-connector-directoryid)" : String,
      "[Tags](#cfn-pcaconnectorad-connector-tags)" : {Key: Value, ...},
      "[VpcInformation](#cfn-pcaconnectorad-connector-vpcinformation)" : VpcInformation
    }
}
```

### YAML
<a name="aws-resource-pcaconnectorad-connector-syntax.yaml"></a>

```
Type: AWS::PCAConnectorAD::Connector
Properties:
  [CertificateAuthorityArn](#cfn-pcaconnectorad-connector-certificateauthorityarn): String
  [DirectoryId](#cfn-pcaconnectorad-connector-directoryid): String
  [Tags](#cfn-pcaconnectorad-connector-tags): 
    Key: Value
  [VpcInformation](#cfn-pcaconnectorad-connector-vpcinformation): 
    VpcInformation
```

## Properties
<a name="aws-resource-pcaconnectorad-connector-properties"></a>

`CertificateAuthorityArn`  <a name="cfn-pcaconnectorad-connector-certificateauthorityarn"></a>
The Amazon Resource Name (ARN) of the certificate authority being used.  
*Required*: Yes  
*Type*: String  
*Pattern*: `^arn:[\w-]+:acm-pca:[\w-]+:[0-9]+:certificate-authority\/[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$`  
*Minimum*: `5`  
*Maximum*: `200`  
*Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement)

`DirectoryId`  <a name="cfn-pcaconnectorad-connector-directoryid"></a>
The identifier of the Active Directory.  
*Required*: Yes  
*Type*: String  
*Pattern*: `^d-[0-9a-f]{10}$`  
*Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement)

`Tags`  <a name="cfn-pcaconnectorad-connector-tags"></a>
Metadata assigned to a connector consisting of a key-value pair.  
*Required*: No  
*Type*: Object of String  
*Pattern*: `.+`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`VpcInformation`  <a name="cfn-pcaconnectorad-connector-vpcinformation"></a>
Information about the VPC and security group(s) used with the connector.  
*Required*: Yes  
*Type*: [VpcInformation](aws-properties-pcaconnectorad-connector-vpcinformation.md)  
*Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement)

## Return values
<a name="aws-resource-pcaconnectorad-connector-return-values"></a>

### Fn::GetAtt
<a name="aws-resource-pcaconnectorad-connector-return-values-fn--getatt"></a>

The `Fn::GetAtt` intrinsic function returns a value for a specified attribute of this type. The following are the available attributes and sample return values.

For more information about using the `Fn::GetAtt` intrinsic function, see [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-getatt.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-getatt.html).

<a name="aws-resource-pcaconnectorad-connector-return-values-fn--getatt-fn--getatt"></a>

`ConnectorArn`  <a name="ConnectorArn-fn::getatt"></a>
 The Amazon Resource Name (ARN) that was returned when you called [CreateConnector](https://docs.aws.amazon.com/pca-connector-ad/latest/APIReference/API_CreateConnector.html). 

# AWS::PCAConnectorAD::Connector VpcInformation
<a name="aws-properties-pcaconnectorad-connector-vpcinformation"></a>

Information about your VPC and security groups used with the connector.

## Syntax
<a name="aws-properties-pcaconnectorad-connector-vpcinformation-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-pcaconnectorad-connector-vpcinformation-syntax.json"></a>

```
{
  "[IpAddressType](#cfn-pcaconnectorad-connector-vpcinformation-ipaddresstype)" : String,
  "[SecurityGroupIds](#cfn-pcaconnectorad-connector-vpcinformation-securitygroupids)" : [ String, ... ]
}
```

### YAML
<a name="aws-properties-pcaconnectorad-connector-vpcinformation-syntax.yaml"></a>

```
  [IpAddressType](#cfn-pcaconnectorad-connector-vpcinformation-ipaddresstype): String
  [SecurityGroupIds](#cfn-pcaconnectorad-connector-vpcinformation-securitygroupids): 
    - String
```

## Properties
<a name="aws-properties-pcaconnectorad-connector-vpcinformation-properties"></a>

`IpAddressType`  <a name="cfn-pcaconnectorad-connector-vpcinformation-ipaddresstype"></a>
The VPC IP address type.  
*Required*: No  
*Type*: String  
*Allowed values*: `IPV4 | DUALSTACK`  
*Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement)

`SecurityGroupIds`  <a name="cfn-pcaconnectorad-connector-vpcinformation-securitygroupids"></a>
The security groups used with the connector. You can use a maximum of 4 security groups with a connector.  
*Required*: Yes  
*Type*: Array of String  
*Minimum*: `11 | 1`  
*Maximum*: `20 | 5`  
*Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement)

# AWS::PCAConnectorAD::DirectoryRegistration
<a name="aws-resource-pcaconnectorad-directoryregistration"></a>

Creates a directory registration that authorizes communication between AWS Private CA and an Active Directory.

## Syntax
<a name="aws-resource-pcaconnectorad-directoryregistration-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-resource-pcaconnectorad-directoryregistration-syntax.json"></a>

```
{
  "Type" : "AWS::PCAConnectorAD::DirectoryRegistration",
  "Properties" : {
      "[DirectoryId](#cfn-pcaconnectorad-directoryregistration-directoryid)" : String,
      "[Tags](#cfn-pcaconnectorad-directoryregistration-tags)" : {Key: Value, ...}
    }
}
```

### YAML
<a name="aws-resource-pcaconnectorad-directoryregistration-syntax.yaml"></a>

```
Type: AWS::PCAConnectorAD::DirectoryRegistration
Properties:
  [DirectoryId](#cfn-pcaconnectorad-directoryregistration-directoryid): String
  [Tags](#cfn-pcaconnectorad-directoryregistration-tags): 
    Key: Value
```

## Properties
<a name="aws-resource-pcaconnectorad-directoryregistration-properties"></a>

`DirectoryId`  <a name="cfn-pcaconnectorad-directoryregistration-directoryid"></a>
The identifier of the Active Directory.  
*Required*: Yes  
*Type*: String  
*Pattern*: `^d-[0-9a-f]{10}$`  
*Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement)

`Tags`  <a name="cfn-pcaconnectorad-directoryregistration-tags"></a>
Metadata assigned to a directory registration consisting of a key-value pair.  
*Required*: No  
*Type*: Object of String  
*Pattern*: `.+`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

## Return values
<a name="aws-resource-pcaconnectorad-directoryregistration-return-values"></a>

### Fn::GetAtt
<a name="aws-resource-pcaconnectorad-directoryregistration-return-values-fn--getatt"></a>

The `Fn::GetAtt` intrinsic function returns a value for a specified attribute of this type. The following are the available attributes and sample return values.

For more information about using the `Fn::GetAtt` intrinsic function, see [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-getatt.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-getatt.html).

<a name="aws-resource-pcaconnectorad-directoryregistration-return-values-fn--getatt-fn--getatt"></a>

`DirectoryRegistrationArn`  <a name="DirectoryRegistrationArn-fn::getatt"></a>
 The Amazon Resource Name (ARN) that was returned when you called [CreateDirectoryRegistration](https://docs.aws.amazon.com/pca-connector-ad/latest/APIReference/API_CreateDirectoryRegistration.html).

# AWS::PCAConnectorAD::ServicePrincipalName
<a name="aws-resource-pcaconnectorad-serviceprincipalname"></a>

Creates a service principal name (SPN) for the service account in Active Directory. Kerberos authentication uses SPNs to associate a service instance with a service sign-in account.

## Syntax
<a name="aws-resource-pcaconnectorad-serviceprincipalname-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-resource-pcaconnectorad-serviceprincipalname-syntax.json"></a>

```
{
  "Type" : "AWS::PCAConnectorAD::ServicePrincipalName",
  "Properties" : {
      "[ConnectorArn](#cfn-pcaconnectorad-serviceprincipalname-connectorarn)" : String,
      "[DirectoryRegistrationArn](#cfn-pcaconnectorad-serviceprincipalname-directoryregistrationarn)" : String
    }
}
```

### YAML
<a name="aws-resource-pcaconnectorad-serviceprincipalname-syntax.yaml"></a>

```
Type: AWS::PCAConnectorAD::ServicePrincipalName
Properties:
  [ConnectorArn](#cfn-pcaconnectorad-serviceprincipalname-connectorarn): String
  [DirectoryRegistrationArn](#cfn-pcaconnectorad-serviceprincipalname-directoryregistrationarn): String
```

## Properties
<a name="aws-resource-pcaconnectorad-serviceprincipalname-properties"></a>

`ConnectorArn`  <a name="cfn-pcaconnectorad-serviceprincipalname-connectorarn"></a>
The Amazon Resource Name (ARN) that was returned when you called [CreateConnector](https://docs.aws.amazon.com/pca-connector-ad/latest/APIReference/API_CreateConnector.html).  
*Required*: No  
*Type*: String  
*Pattern*: `^arn:[\w-]+:pca-connector-ad:[\w-]+:[0-9]+:connector(\/[\w-]+)$`  
*Minimum*: `5`  
*Maximum*: `200`  
*Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement)

`DirectoryRegistrationArn`  <a name="cfn-pcaconnectorad-serviceprincipalname-directoryregistrationarn"></a>
The Amazon Resource Name (ARN) that was returned when you called [CreateDirectoryRegistration](https://docs.aws.amazon.com/pca-connector-ad/latest/APIReference/API_CreateDirectoryRegistration.html).  
*Required*: No  
*Type*: String  
*Pattern*: `^arn:[\w-]+:pca-connector-ad:[\w-]+:[0-9]+:directory-registration(\/[\w-]+)$`  
*Minimum*: `5`  
*Maximum*: `200`  
*Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement)

# AWS::PCAConnectorAD::Template
<a name="aws-resource-pcaconnectorad-template"></a>

Creates an Active Directory compatible certificate template. The connector issues certificates using these templates based on the requester’s Active Directory group membership.

## Syntax
<a name="aws-resource-pcaconnectorad-template-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-resource-pcaconnectorad-template-syntax.json"></a>

```
{
  "Type" : "AWS::PCAConnectorAD::Template",
  "Properties" : {
      "[ConnectorArn](#cfn-pcaconnectorad-template-connectorarn)" : String,
      "[Definition](#cfn-pcaconnectorad-template-definition)" : TemplateDefinition,
      "[Name](#cfn-pcaconnectorad-template-name)" : String,
      "[ReenrollAllCertificateHolders](#cfn-pcaconnectorad-template-reenrollallcertificateholders)" : Boolean,
      "[Tags](#cfn-pcaconnectorad-template-tags)" : {Key: Value, ...}
    }
}
```

### YAML
<a name="aws-resource-pcaconnectorad-template-syntax.yaml"></a>

```
Type: AWS::PCAConnectorAD::Template
Properties:
  [ConnectorArn](#cfn-pcaconnectorad-template-connectorarn): String
  [Definition](#cfn-pcaconnectorad-template-definition): 
    TemplateDefinition
  [Name](#cfn-pcaconnectorad-template-name): String
  [ReenrollAllCertificateHolders](#cfn-pcaconnectorad-template-reenrollallcertificateholders): Boolean
  [Tags](#cfn-pcaconnectorad-template-tags): 
    Key: Value
```

## Properties
<a name="aws-resource-pcaconnectorad-template-properties"></a>

`ConnectorArn`  <a name="cfn-pcaconnectorad-template-connectorarn"></a>
 The Amazon Resource Name (ARN) that was returned when you called [CreateConnector](https://docs.aws.amazon.com/pca-connector-ad/latest/APIReference/API_CreateConnector.html).  
*Required*: Yes  
*Type*: String  
*Pattern*: `^arn:[\w-]+:pca-connector-ad:[\w-]+:[0-9]+:connector\/[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$`  
*Minimum*: `5`  
*Maximum*: `200`  
*Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement)

`Definition`  <a name="cfn-pcaconnectorad-template-definition"></a>
Template configuration to define the information included in certificates. Define certificate validity and renewal periods, certificate request handling and enrollment options, key usage extensions, application policies, and cryptography settings.  
*Required*: Yes  
*Type*: [TemplateDefinition](aws-properties-pcaconnectorad-template-templatedefinition.md)  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Name`  <a name="cfn-pcaconnectorad-template-name"></a>
Name of the template. Template names must be unique.  
*Required*: Yes  
*Type*: String  
*Pattern*: `^(?!^\s+$)((?![\x5c'\x2b,;<=>#\x22])([\x20-\x7E]))+$`  
*Minimum*: `1`  
*Maximum*: `64`  
*Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement)

`ReenrollAllCertificateHolders`  <a name="cfn-pcaconnectorad-template-reenrollallcertificateholders"></a>
This setting allows the major version of a template to be increased automatically. All members of Active Directory groups that are allowed to enroll with a template will receive a new certificate issued using that template.  
*Required*: No  
*Type*: Boolean  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Tags`  <a name="cfn-pcaconnectorad-template-tags"></a>
Metadata assigned to a template consisting of a key-value pair.  
*Required*: No  
*Type*: Object of String  
*Pattern*: `.+`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

## Return values
<a name="aws-resource-pcaconnectorad-template-return-values"></a>

### Ref
<a name="aws-resource-pcaconnectorad-template-return-values-ref"></a>

### Fn::GetAtt
<a name="aws-resource-pcaconnectorad-template-return-values-fn--getatt"></a>

The `Fn::GetAtt` intrinsic function returns a value for a specified attribute of this type. The following are the available attributes and sample return values.

For more information about using the `Fn::GetAtt` intrinsic function, see [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-getatt.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-getatt.html).

<a name="aws-resource-pcaconnectorad-template-return-values-fn--getatt-fn--getatt"></a>

`TemplateArn`  <a name="TemplateArn-fn::getatt"></a>
 The Amazon Resource Name (ARN) that was returned when you called [CreateTemplate](https://docs.aws.amazon.com/pca-connector-ad/latest/APIReference/API_CreateTemplate.html).

# AWS::PCAConnectorAD::Template ApplicationPolicies
<a name="aws-properties-pcaconnectorad-template-applicationpolicies"></a>

Application policies describe what the certificate can be used for.

## Syntax
<a name="aws-properties-pcaconnectorad-template-applicationpolicies-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-pcaconnectorad-template-applicationpolicies-syntax.json"></a>

```
{
  "[Critical](#cfn-pcaconnectorad-template-applicationpolicies-critical)" : Boolean,
  "[Policies](#cfn-pcaconnectorad-template-applicationpolicies-policies)" : [ ApplicationPolicy, ... ]
}
```

### YAML
<a name="aws-properties-pcaconnectorad-template-applicationpolicies-syntax.yaml"></a>

```
  [Critical](#cfn-pcaconnectorad-template-applicationpolicies-critical): Boolean
  [Policies](#cfn-pcaconnectorad-template-applicationpolicies-policies): 
    - ApplicationPolicy
```

## Properties
<a name="aws-properties-pcaconnectorad-template-applicationpolicies-properties"></a>

`Critical`  <a name="cfn-pcaconnectorad-template-applicationpolicies-critical"></a>
Marks the application policy extension as critical.  
*Required*: No  
*Type*: Boolean  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Policies`  <a name="cfn-pcaconnectorad-template-applicationpolicies-policies"></a>
Application policies describe what the certificate can be used for.  
*Required*: Yes  
*Type*: Array of [ApplicationPolicy](aws-properties-pcaconnectorad-template-applicationpolicy.md)  
*Minimum*: `1`  
*Maximum*: `100`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

# AWS::PCAConnectorAD::Template ApplicationPolicy
<a name="aws-properties-pcaconnectorad-template-applicationpolicy"></a>

Application policies describe what the certificate can be used for.

## Syntax
<a name="aws-properties-pcaconnectorad-template-applicationpolicy-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-pcaconnectorad-template-applicationpolicy-syntax.json"></a>

```
{
  "[PolicyObjectIdentifier](#cfn-pcaconnectorad-template-applicationpolicy-policyobjectidentifier)" : String,
  "[PolicyType](#cfn-pcaconnectorad-template-applicationpolicy-policytype)" : String
}
```

### YAML
<a name="aws-properties-pcaconnectorad-template-applicationpolicy-syntax.yaml"></a>

```
  [PolicyObjectIdentifier](#cfn-pcaconnectorad-template-applicationpolicy-policyobjectidentifier): String
  [PolicyType](#cfn-pcaconnectorad-template-applicationpolicy-policytype): String
```

## Properties
<a name="aws-properties-pcaconnectorad-template-applicationpolicy-properties"></a>

`PolicyObjectIdentifier`  <a name="cfn-pcaconnectorad-template-applicationpolicy-policyobjectidentifier"></a>
The object identifier (OID) of an application policy.  
*Required*: No  
*Type*: String  
*Pattern*: `^([0-2])\.([0-9]|([0-3][0-9]))(\.([0-9]+)){0,126}$`  
*Minimum*: `1`  
*Maximum*: `64`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`PolicyType`  <a name="cfn-pcaconnectorad-template-applicationpolicy-policytype"></a>
The type of application policy.  
*Required*: No  
*Type*: String  
*Allowed values*: `ALL_APPLICATION_POLICIES | ANY_PURPOSE | ATTESTATION_IDENTITY_KEY_CERTIFICATE | CERTIFICATE_REQUEST_AGENT | CLIENT_AUTHENTICATION | CODE_SIGNING | CTL_USAGE | DIGITAL_RIGHTS | DIRECTORY_SERVICE_EMAIL_REPLICATION | DISALLOWED_LIST | DNS_SERVER_TRUST | DOCUMENT_ENCRYPTION | DOCUMENT_SIGNING | DYNAMIC_CODE_GENERATOR | EARLY_LAUNCH_ANTIMALWARE_DRIVER | EMBEDDED_WINDOWS_SYSTEM_COMPONENT_VERIFICATION | ENCLAVE | ENCRYPTING_FILE_SYSTEM | ENDORSEMENT_KEY_CERTIFICATE | FILE_RECOVERY | HAL_EXTENSION | IP_SECURITY_END_SYSTEM | IP_SECURITY_IKE_INTERMEDIATE | IP_SECURITY_TUNNEL_TERMINATION | IP_SECURITY_USER | ISOLATED_USER_MODE | KDC_AUTHENTICATION | KERNEL_MODE_CODE_SIGNING | KEY_PACK_LICENSES | KEY_RECOVERY | KEY_RECOVERY_AGENT | LICENSE_SERVER_VERIFICATION | LIFETIME_SIGNING | MICROSOFT_PUBLISHER | MICROSOFT_TIME_STAMPING | MICROSOFT_TRUST_LIST_SIGNING | OCSP_SIGNING | OEM_WINDOWS_SYSTEM_COMPONENT_VERIFICATION | PLATFORM_CERTIFICATE | PREVIEW_BUILD_SIGNING | PRIVATE_KEY_ARCHIVAL | PROTECTED_PROCESS_LIGHT_VERIFICATION | PROTECTED_PROCESS_VERIFICATION | QUALIFIED_SUBORDINATION | REVOKED_LIST_SIGNER | ROOT_PROGRAM_AUTO_UPDATE_CA_REVOCATION | ROOT_PROGRAM_AUTO_UPDATE_END_REVOCATION | ROOT_PROGRAM_NO_OSCP_FAILOVER_TO_CRL | ROOT_LIST_SIGNER | SECURE_EMAIL | SERVER_AUTHENTICATION | SMART_CARD_LOGIN | SPC_ENCRYPTED_DIGEST_RETRY_COUNT | SPC_RELAXED_PE_MARKER_CHECK | TIME_STAMPING | WINDOWS_HARDWARE_DRIVER_ATTESTED_VERIFICATION | WINDOWS_HARDWARE_DRIVER_EXTENDED_VERIFICATION | WINDOWS_HARDWARE_DRIVER_VERIFICATION | WINDOWS_HELLO_RECOVERY_KEY_ENCRYPTION | WINDOWS_KITS_COMPONENT | WINDOWS_RT_VERIFICATION | WINDOWS_SOFTWARE_EXTENSION_VERIFICATION | WINDOWS_STORE | WINDOWS_SYSTEM_COMPONENT_VERIFICATION | WINDOWS_TCB_COMPONENT | WINDOWS_THIRD_PARTY_APPLICATION_COMPONENT | WINDOWS_UPDATE`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

# AWS::PCAConnectorAD::Template CertificateValidity
<a name="aws-properties-pcaconnectorad-template-certificatevalidity"></a>

Information describing the end of the validity period of the certificate. This parameter sets the “Not After” date for the certificate. Certificate validity is the period of time during which a certificate is valid. Validity can be expressed as an explicit date and time when the certificate expires, or as a span of time after issuance, stated in days, months, or years. For more information, see Validity in RFC 5280. This value is unaffected when ValidityNotBefore is also specified. For example, if Validity is set to 20 days in the future, the certificate will expire 20 days from issuance time regardless of the ValidityNotBefore value.

## Syntax
<a name="aws-properties-pcaconnectorad-template-certificatevalidity-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-pcaconnectorad-template-certificatevalidity-syntax.json"></a>

```
{
  "[RenewalPeriod](#cfn-pcaconnectorad-template-certificatevalidity-renewalperiod)" : ValidityPeriod,
  "[ValidityPeriod](#cfn-pcaconnectorad-template-certificatevalidity-validityperiod)" : ValidityPeriod
}
```

### YAML
<a name="aws-properties-pcaconnectorad-template-certificatevalidity-syntax.yaml"></a>

```
  [RenewalPeriod](#cfn-pcaconnectorad-template-certificatevalidity-renewalperiod): 
    ValidityPeriod
  [ValidityPeriod](#cfn-pcaconnectorad-template-certificatevalidity-validityperiod): 
    ValidityPeriod
```

## Properties
<a name="aws-properties-pcaconnectorad-template-certificatevalidity-properties"></a>

`RenewalPeriod`  <a name="cfn-pcaconnectorad-template-certificatevalidity-renewalperiod"></a>
Renewal period is the period of time before certificate expiration when a new certificate will be requested.  
*Required*: Yes  
*Type*: [ValidityPeriod](aws-properties-pcaconnectorad-template-validityperiod.md)  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`ValidityPeriod`  <a name="cfn-pcaconnectorad-template-certificatevalidity-validityperiod"></a>
Information describing the end of the validity period of the certificate. This parameter sets the “Not After” date for the certificate. Certificate validity is the period of time during which a certificate is valid. Validity can be expressed as an explicit date and time when the certificate expires, or as a span of time after issuance, stated in days, months, or years. For more information, see Validity in RFC 5280. This value is unaffected when ValidityNotBefore is also specified. For example, if Validity is set to 20 days in the future, the certificate will expire 20 days from issuance time regardless of the ValidityNotBefore value.  
*Required*: Yes  
*Type*: [ValidityPeriod](aws-properties-pcaconnectorad-template-validityperiod.md)  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

# AWS::PCAConnectorAD::Template EnrollmentFlagsV2
<a name="aws-properties-pcaconnectorad-template-enrollmentflagsv2"></a>

Template configurations for v2 template schema.

## Syntax
<a name="aws-properties-pcaconnectorad-template-enrollmentflagsv2-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-pcaconnectorad-template-enrollmentflagsv2-syntax.json"></a>

```
{
  "[EnableKeyReuseOnNtTokenKeysetStorageFull](#cfn-pcaconnectorad-template-enrollmentflagsv2-enablekeyreuseonnttokenkeysetstoragefull)" : Boolean,
  "[IncludeSymmetricAlgorithms](#cfn-pcaconnectorad-template-enrollmentflagsv2-includesymmetricalgorithms)" : Boolean,
  "[NoSecurityExtension](#cfn-pcaconnectorad-template-enrollmentflagsv2-nosecurityextension)" : Boolean,
  "[RemoveInvalidCertificateFromPersonalStore](#cfn-pcaconnectorad-template-enrollmentflagsv2-removeinvalidcertificatefrompersonalstore)" : Boolean,
  "[UserInteractionRequired](#cfn-pcaconnectorad-template-enrollmentflagsv2-userinteractionrequired)" : Boolean
}
```

### YAML
<a name="aws-properties-pcaconnectorad-template-enrollmentflagsv2-syntax.yaml"></a>

```
  [EnableKeyReuseOnNtTokenKeysetStorageFull](#cfn-pcaconnectorad-template-enrollmentflagsv2-enablekeyreuseonnttokenkeysetstoragefull): Boolean
  [IncludeSymmetricAlgorithms](#cfn-pcaconnectorad-template-enrollmentflagsv2-includesymmetricalgorithms): Boolean
  [NoSecurityExtension](#cfn-pcaconnectorad-template-enrollmentflagsv2-nosecurityextension): Boolean
  [RemoveInvalidCertificateFromPersonalStore](#cfn-pcaconnectorad-template-enrollmentflagsv2-removeinvalidcertificatefrompersonalstore): Boolean
  [UserInteractionRequired](#cfn-pcaconnectorad-template-enrollmentflagsv2-userinteractionrequired): Boolean
```

## Properties
<a name="aws-properties-pcaconnectorad-template-enrollmentflagsv2-properties"></a>

`EnableKeyReuseOnNtTokenKeysetStorageFull`  <a name="cfn-pcaconnectorad-template-enrollmentflagsv2-enablekeyreuseonnttokenkeysetstoragefull"></a>
Allow renewal using the same key.  
*Required*: No  
*Type*: Boolean  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`IncludeSymmetricAlgorithms`  <a name="cfn-pcaconnectorad-template-enrollmentflagsv2-includesymmetricalgorithms"></a>
Include symmetric algorithms allowed by the subject.  
*Required*: No  
*Type*: Boolean  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`NoSecurityExtension`  <a name="cfn-pcaconnectorad-template-enrollmentflagsv2-nosecurityextension"></a>
This flag instructs the CA to not include the security extension `szOID_NTDS_CA_SECURITY_EXT` (OID: 1.3.6.1.4.1.311.25.2), as specified in [MS-WCCE] sections 2.2.2.7.7.4 and 3.2.2.6.2.1.4.5.9, in the issued certificate. This addresses a Windows Kerberos elevation-of-privilege vulnerability.  
*Required*: No  
*Type*: Boolean  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`RemoveInvalidCertificateFromPersonalStore`  <a name="cfn-pcaconnectorad-template-enrollmentflagsv2-removeinvalidcertificatefrompersonalstore"></a>
Delete expired or revoked certificates instead of archiving them.  
*Required*: No  
*Type*: Boolean  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`UserInteractionRequired`  <a name="cfn-pcaconnectorad-template-enrollmentflagsv2-userinteractionrequired"></a>
Require user interaction when the subject is enrolled and the private key associated with the certificate is used.  
*Required*: No  
*Type*: Boolean  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

# AWS::PCAConnectorAD::Template EnrollmentFlagsV3
<a name="aws-properties-pcaconnectorad-template-enrollmentflagsv3"></a>

Template configurations for v3 template schema.

## Syntax
<a name="aws-properties-pcaconnectorad-template-enrollmentflagsv3-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-pcaconnectorad-template-enrollmentflagsv3-syntax.json"></a>

```
{
  "[EnableKeyReuseOnNtTokenKeysetStorageFull](#cfn-pcaconnectorad-template-enrollmentflagsv3-enablekeyreuseonnttokenkeysetstoragefull)" : Boolean,
  "[IncludeSymmetricAlgorithms](#cfn-pcaconnectorad-template-enrollmentflagsv3-includesymmetricalgorithms)" : Boolean,
  "[NoSecurityExtension](#cfn-pcaconnectorad-template-enrollmentflagsv3-nosecurityextension)" : Boolean,
  "[RemoveInvalidCertificateFromPersonalStore](#cfn-pcaconnectorad-template-enrollmentflagsv3-removeinvalidcertificatefrompersonalstore)" : Boolean,
  "[UserInteractionRequired](#cfn-pcaconnectorad-template-enrollmentflagsv3-userinteractionrequired)" : Boolean
}
```

### YAML
<a name="aws-properties-pcaconnectorad-template-enrollmentflagsv3-syntax.yaml"></a>

```
  [EnableKeyReuseOnNtTokenKeysetStorageFull](#cfn-pcaconnectorad-template-enrollmentflagsv3-enablekeyreuseonnttokenkeysetstoragefull): Boolean
  [IncludeSymmetricAlgorithms](#cfn-pcaconnectorad-template-enrollmentflagsv3-includesymmetricalgorithms): Boolean
  [NoSecurityExtension](#cfn-pcaconnectorad-template-enrollmentflagsv3-nosecurityextension): Boolean
  [RemoveInvalidCertificateFromPersonalStore](#cfn-pcaconnectorad-template-enrollmentflagsv3-removeinvalidcertificatefrompersonalstore): Boolean
  [UserInteractionRequired](#cfn-pcaconnectorad-template-enrollmentflagsv3-userinteractionrequired): Boolean
```

## Properties
<a name="aws-properties-pcaconnectorad-template-enrollmentflagsv3-properties"></a>

`EnableKeyReuseOnNtTokenKeysetStorageFull`  <a name="cfn-pcaconnectorad-template-enrollmentflagsv3-enablekeyreuseonnttokenkeysetstoragefull"></a>
Allow renewal using the same key.  
*Required*: No  
*Type*: Boolean  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`IncludeSymmetricAlgorithms`  <a name="cfn-pcaconnectorad-template-enrollmentflagsv3-includesymmetricalgorithms"></a>
Include symmetric algorithms allowed by the subject.  
*Required*: No  
*Type*: Boolean  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`NoSecurityExtension`  <a name="cfn-pcaconnectorad-template-enrollmentflagsv3-nosecurityextension"></a>
This flag instructs the CA to not include the security extension szOID_NTDS_CA_SECURITY_EXT (OID:1.3.6.1.4.1.311.25.2), as specified in [MS-WCCE] sections 2.2.2.7.7.4 and 3.2.2.6.2.1.4.5.9, in the issued certificate. The security extension addresses a Windows Kerberos elevation-of-privilege vulnerability.  
*Required*: No  
*Type*: Boolean  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`RemoveInvalidCertificateFromPersonalStore`  <a name="cfn-pcaconnectorad-template-enrollmentflagsv3-removeinvalidcertificatefrompersonalstore"></a>
Delete expired or revoked certificates instead of archiving them.  
*Required*: No  
*Type*: Boolean  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`UserInteractionRequired`  <a name="cfn-pcaconnectorad-template-enrollmentflagsv3-userinteractionrequired"></a>
Require user interaction when the subject is enrolled and the private key associated with the certificate is used.  
*Required*: No  
*Type*: Boolean  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

# AWS::PCAConnectorAD::Template EnrollmentFlagsV4
<a name="aws-properties-pcaconnectorad-template-enrollmentflagsv4"></a>

Template configurations for v4 template schema.

## Syntax
<a name="aws-properties-pcaconnectorad-template-enrollmentflagsv4-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-pcaconnectorad-template-enrollmentflagsv4-syntax.json"></a>

```
{
  "[EnableKeyReuseOnNtTokenKeysetStorageFull](#cfn-pcaconnectorad-template-enrollmentflagsv4-enablekeyreuseonnttokenkeysetstoragefull)" : Boolean,
  "[IncludeSymmetricAlgorithms](#cfn-pcaconnectorad-template-enrollmentflagsv4-includesymmetricalgorithms)" : Boolean,
  "[NoSecurityExtension](#cfn-pcaconnectorad-template-enrollmentflagsv4-nosecurityextension)" : Boolean,
  "[RemoveInvalidCertificateFromPersonalStore](#cfn-pcaconnectorad-template-enrollmentflagsv4-removeinvalidcertificatefrompersonalstore)" : Boolean,
  "[UserInteractionRequired](#cfn-pcaconnectorad-template-enrollmentflagsv4-userinteractionrequired)" : Boolean
}
```

### YAML
<a name="aws-properties-pcaconnectorad-template-enrollmentflagsv4-syntax.yaml"></a>

```
  [EnableKeyReuseOnNtTokenKeysetStorageFull](#cfn-pcaconnectorad-template-enrollmentflagsv4-enablekeyreuseonnttokenkeysetstoragefull): Boolean
  [IncludeSymmetricAlgorithms](#cfn-pcaconnectorad-template-enrollmentflagsv4-includesymmetricalgorithms): Boolean
  [NoSecurityExtension](#cfn-pcaconnectorad-template-enrollmentflagsv4-nosecurityextension): Boolean
  [RemoveInvalidCertificateFromPersonalStore](#cfn-pcaconnectorad-template-enrollmentflagsv4-removeinvalidcertificatefrompersonalstore): Boolean
  [UserInteractionRequired](#cfn-pcaconnectorad-template-enrollmentflagsv4-userinteractionrequired): Boolean
```

## Properties
<a name="aws-properties-pcaconnectorad-template-enrollmentflagsv4-properties"></a>

`EnableKeyReuseOnNtTokenKeysetStorageFull`  <a name="cfn-pcaconnectorad-template-enrollmentflagsv4-enablekeyreuseonnttokenkeysetstoragefull"></a>
Allow renewal using the same key.  
*Required*: No  
*Type*: Boolean  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`IncludeSymmetricAlgorithms`  <a name="cfn-pcaconnectorad-template-enrollmentflagsv4-includesymmetricalgorithms"></a>
Include symmetric algorithms allowed by the subject.  
*Required*: No  
*Type*: Boolean  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`NoSecurityExtension`  <a name="cfn-pcaconnectorad-template-enrollmentflagsv4-nosecurityextension"></a>
This flag instructs the CA to not include the security extension szOID_NTDS_CA_SECURITY_EXT (OID:1.3.6.1.4.1.311.25.2), as specified in [MS-WCCE] sections 2.2.2.7.7.4 and 3.2.2.6.2.1.4.5.9, in the issued certificate. The security extension addresses a Windows Kerberos elevation-of-privilege vulnerability.  
*Required*: No  
*Type*: Boolean  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`RemoveInvalidCertificateFromPersonalStore`  <a name="cfn-pcaconnectorad-template-enrollmentflagsv4-removeinvalidcertificatefrompersonalstore"></a>
Delete expired or revoked certificates instead of archiving them.  
*Required*: No  
*Type*: Boolean  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`UserInteractionRequired`  <a name="cfn-pcaconnectorad-template-enrollmentflagsv4-userinteractionrequired"></a>
Require user interaction when the subject is enrolled and the private key associated with the certificate is used.  
*Required*: No  
*Type*: Boolean  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

# AWS::PCAConnectorAD::Template ExtensionsV2
<a name="aws-properties-pcaconnectorad-template-extensionsv2"></a>

Certificate extensions for the v2 template schema.

## Syntax
<a name="aws-properties-pcaconnectorad-template-extensionsv2-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-pcaconnectorad-template-extensionsv2-syntax.json"></a>

```
{
  "[ApplicationPolicies](#cfn-pcaconnectorad-template-extensionsv2-applicationpolicies)" : ApplicationPolicies,
  "[KeyUsage](#cfn-pcaconnectorad-template-extensionsv2-keyusage)" : KeyUsage
}
```

### YAML
<a name="aws-properties-pcaconnectorad-template-extensionsv2-syntax.yaml"></a>

```
  [ApplicationPolicies](#cfn-pcaconnectorad-template-extensionsv2-applicationpolicies): 
    ApplicationPolicies
  [KeyUsage](#cfn-pcaconnectorad-template-extensionsv2-keyusage): 
    KeyUsage
```

## Properties
<a name="aws-properties-pcaconnectorad-template-extensionsv2-properties"></a>

`ApplicationPolicies`  <a name="cfn-pcaconnectorad-template-extensionsv2-applicationpolicies"></a>
Application policies specify what the certificate is used for and its purpose.   
*Required*: No  
*Type*: [ApplicationPolicies](aws-properties-pcaconnectorad-template-applicationpolicies.md)  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`KeyUsage`  <a name="cfn-pcaconnectorad-template-extensionsv2-keyusage"></a>
The key usage extension defines the purpose (e.g., encipherment, signature, certificate signing) of the key contained in the certificate.  
*Required*: Yes  
*Type*: [KeyUsage](aws-properties-pcaconnectorad-template-keyusage.md)  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

# AWS::PCAConnectorAD::Template ExtensionsV3
<a name="aws-properties-pcaconnectorad-template-extensionsv3"></a>

Certificate extensions for the v3 template schema.

## Syntax
<a name="aws-properties-pcaconnectorad-template-extensionsv3-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-pcaconnectorad-template-extensionsv3-syntax.json"></a>

```
{
  "[ApplicationPolicies](#cfn-pcaconnectorad-template-extensionsv3-applicationpolicies)" : ApplicationPolicies,
  "[KeyUsage](#cfn-pcaconnectorad-template-extensionsv3-keyusage)" : KeyUsage
}
```

### YAML
<a name="aws-properties-pcaconnectorad-template-extensionsv3-syntax.yaml"></a>

```
  [ApplicationPolicies](#cfn-pcaconnectorad-template-extensionsv3-applicationpolicies): 
    ApplicationPolicies
  [KeyUsage](#cfn-pcaconnectorad-template-extensionsv3-keyusage): 
    KeyUsage
```

## Properties
<a name="aws-properties-pcaconnectorad-template-extensionsv3-properties"></a>

`ApplicationPolicies`  <a name="cfn-pcaconnectorad-template-extensionsv3-applicationpolicies"></a>
Application policies specify what the certificate is used for and its purpose.  
*Required*: No  
*Type*: [ApplicationPolicies](aws-properties-pcaconnectorad-template-applicationpolicies.md)  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`KeyUsage`  <a name="cfn-pcaconnectorad-template-extensionsv3-keyusage"></a>
The key usage extension defines the purpose (e.g., encipherment, signature, certificate signing) of the key contained in the certificate.  
*Required*: Yes  
*Type*: [KeyUsage](aws-properties-pcaconnectorad-template-keyusage.md)  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

# AWS::PCAConnectorAD::Template ExtensionsV4
<a name="aws-properties-pcaconnectorad-template-extensionsv4"></a>

Certificate extensions for the v4 template schema.

## Syntax
<a name="aws-properties-pcaconnectorad-template-extensionsv4-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-pcaconnectorad-template-extensionsv4-syntax.json"></a>

```
{
  "[ApplicationPolicies](#cfn-pcaconnectorad-template-extensionsv4-applicationpolicies)" : ApplicationPolicies,
  "[KeyUsage](#cfn-pcaconnectorad-template-extensionsv4-keyusage)" : KeyUsage
}
```

### YAML
<a name="aws-properties-pcaconnectorad-template-extensionsv4-syntax.yaml"></a>

```
  [ApplicationPolicies](#cfn-pcaconnectorad-template-extensionsv4-applicationpolicies): 
    ApplicationPolicies
  [KeyUsage](#cfn-pcaconnectorad-template-extensionsv4-keyusage): 
    KeyUsage
```

## Properties
<a name="aws-properties-pcaconnectorad-template-extensionsv4-properties"></a>

`ApplicationPolicies`  <a name="cfn-pcaconnectorad-template-extensionsv4-applicationpolicies"></a>
Application policies specify what the certificate is used for and its purpose.  
*Required*: No  
*Type*: [ApplicationPolicies](aws-properties-pcaconnectorad-template-applicationpolicies.md)  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`KeyUsage`  <a name="cfn-pcaconnectorad-template-extensionsv4-keyusage"></a>
The key usage extension defines the purpose (e.g., encipherment, signature) of the key contained in the certificate.  
*Required*: Yes  
*Type*: [KeyUsage](aws-properties-pcaconnectorad-template-keyusage.md)  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

# AWS::PCAConnectorAD::Template GeneralFlagsV2
<a name="aws-properties-pcaconnectorad-template-generalflagsv2"></a>

General flags for the v2 template schema that define whether the template is for a machine or a user and whether the template can be issued using autoenrollment.

## Syntax
<a name="aws-properties-pcaconnectorad-template-generalflagsv2-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-pcaconnectorad-template-generalflagsv2-syntax.json"></a>

```
{
  "[AutoEnrollment](#cfn-pcaconnectorad-template-generalflagsv2-autoenrollment)" : Boolean,
  "[MachineType](#cfn-pcaconnectorad-template-generalflagsv2-machinetype)" : Boolean
}
```

### YAML
<a name="aws-properties-pcaconnectorad-template-generalflagsv2-syntax.yaml"></a>

```
  [AutoEnrollment](#cfn-pcaconnectorad-template-generalflagsv2-autoenrollment): Boolean
  [MachineType](#cfn-pcaconnectorad-template-generalflagsv2-machinetype): Boolean
```

## Properties
<a name="aws-properties-pcaconnectorad-template-generalflagsv2-properties"></a>

`AutoEnrollment`  <a name="cfn-pcaconnectorad-template-generalflagsv2-autoenrollment"></a>
Allows certificate issuance using autoenrollment. Set to TRUE to allow autoenrollment.  
*Required*: No  
*Type*: Boolean  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`MachineType`  <a name="cfn-pcaconnectorad-template-generalflagsv2-machinetype"></a>
Defines if the template is for machines or users. Set to TRUE if the template is for machines. Set to FALSE if the template is for users.  
*Required*: No  
*Type*: Boolean  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

# AWS::PCAConnectorAD::Template GeneralFlagsV3
<a name="aws-properties-pcaconnectorad-template-generalflagsv3"></a>

General flags for the v3 template schema that define whether the template is for a machine or a user and whether the template can be issued using autoenrollment.

## Syntax
<a name="aws-properties-pcaconnectorad-template-generalflagsv3-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-pcaconnectorad-template-generalflagsv3-syntax.json"></a>

```
{
  "[AutoEnrollment](#cfn-pcaconnectorad-template-generalflagsv3-autoenrollment)" : Boolean,
  "[MachineType](#cfn-pcaconnectorad-template-generalflagsv3-machinetype)" : Boolean
}
```

### YAML
<a name="aws-properties-pcaconnectorad-template-generalflagsv3-syntax.yaml"></a>

```
  [AutoEnrollment](#cfn-pcaconnectorad-template-generalflagsv3-autoenrollment): Boolean
  [MachineType](#cfn-pcaconnectorad-template-generalflagsv3-machinetype): Boolean
```

## Properties
<a name="aws-properties-pcaconnectorad-template-generalflagsv3-properties"></a>

`AutoEnrollment`  <a name="cfn-pcaconnectorad-template-generalflagsv3-autoenrollment"></a>
Allows certificate issuance using autoenrollment. Set to TRUE to allow autoenrollment.  
*Required*: No  
*Type*: Boolean  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`MachineType`  <a name="cfn-pcaconnectorad-template-generalflagsv3-machinetype"></a>
Defines if the template is for machines or users. Set to TRUE if the template is for machines. Set to FALSE if the template is for users.  
*Required*: No  
*Type*: Boolean  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

# AWS::PCAConnectorAD::Template GeneralFlagsV4
<a name="aws-properties-pcaconnectorad-template-generalflagsv4"></a>

General flags for the v4 template schema that define whether the template is for a machine or a user and whether the template can be issued using autoenrollment.

## Syntax
<a name="aws-properties-pcaconnectorad-template-generalflagsv4-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-pcaconnectorad-template-generalflagsv4-syntax.json"></a>

```
{
  "[AutoEnrollment](#cfn-pcaconnectorad-template-generalflagsv4-autoenrollment)" : Boolean,
  "[MachineType](#cfn-pcaconnectorad-template-generalflagsv4-machinetype)" : Boolean
}
```

### YAML
<a name="aws-properties-pcaconnectorad-template-generalflagsv4-syntax.yaml"></a>

```
  [AutoEnrollment](#cfn-pcaconnectorad-template-generalflagsv4-autoenrollment): Boolean
  [MachineType](#cfn-pcaconnectorad-template-generalflagsv4-machinetype): Boolean
```

## Properties
<a name="aws-properties-pcaconnectorad-template-generalflagsv4-properties"></a>

`AutoEnrollment`  <a name="cfn-pcaconnectorad-template-generalflagsv4-autoenrollment"></a>
Allows certificate issuance using autoenrollment. Set to TRUE to allow autoenrollment.  
*Required*: No  
*Type*: Boolean  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`MachineType`  <a name="cfn-pcaconnectorad-template-generalflagsv4-machinetype"></a>
Defines if the template is for machines or users. Set to TRUE if the template is for machines. Set to FALSE if the template is for users.  
*Required*: No  
*Type*: Boolean  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

# AWS::PCAConnectorAD::Template KeyUsage
<a name="aws-properties-pcaconnectorad-template-keyusage"></a>

The key usage extension defines the purpose (e.g., encipherment, signature) of the key contained in the certificate.

## Syntax
<a name="aws-properties-pcaconnectorad-template-keyusage-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-pcaconnectorad-template-keyusage-syntax.json"></a>

```
{
  "[Critical](#cfn-pcaconnectorad-template-keyusage-critical)" : Boolean,
  "[UsageFlags](#cfn-pcaconnectorad-template-keyusage-usageflags)" : KeyUsageFlags
}
```

### YAML
<a name="aws-properties-pcaconnectorad-template-keyusage-syntax.yaml"></a>

```
  [Critical](#cfn-pcaconnectorad-template-keyusage-critical): Boolean
  [UsageFlags](#cfn-pcaconnectorad-template-keyusage-usageflags): 
    KeyUsageFlags
```

## Properties
<a name="aws-properties-pcaconnectorad-template-keyusage-properties"></a>

`Critical`  <a name="cfn-pcaconnectorad-template-keyusage-critical"></a>
Sets the key usage extension to critical.  
*Required*: No  
*Type*: Boolean  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`UsageFlags`  <a name="cfn-pcaconnectorad-template-keyusage-usageflags"></a>
The key usage flags represent the purpose (e.g., encipherment, signature) of the key contained in the certificate.  
*Required*: Yes  
*Type*: [KeyUsageFlags](aws-properties-pcaconnectorad-template-keyusageflags.md)  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

# AWS::PCAConnectorAD::Template KeyUsageFlags
<a name="aws-properties-pcaconnectorad-template-keyusageflags"></a>

The key usage flags represent the purpose (e.g., encipherment, signature) of the key contained in the certificate.

## Syntax
<a name="aws-properties-pcaconnectorad-template-keyusageflags-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-pcaconnectorad-template-keyusageflags-syntax.json"></a>

```
{
  "[DataEncipherment](#cfn-pcaconnectorad-template-keyusageflags-dataencipherment)" : Boolean,
  "[DigitalSignature](#cfn-pcaconnectorad-template-keyusageflags-digitalsignature)" : Boolean,
  "[KeyAgreement](#cfn-pcaconnectorad-template-keyusageflags-keyagreement)" : Boolean,
  "[KeyEncipherment](#cfn-pcaconnectorad-template-keyusageflags-keyencipherment)" : Boolean,
  "[NonRepudiation](#cfn-pcaconnectorad-template-keyusageflags-nonrepudiation)" : Boolean
}
```

### YAML
<a name="aws-properties-pcaconnectorad-template-keyusageflags-syntax.yaml"></a>

```
  [DataEncipherment](#cfn-pcaconnectorad-template-keyusageflags-dataencipherment): Boolean
  [DigitalSignature](#cfn-pcaconnectorad-template-keyusageflags-digitalsignature): Boolean
  [KeyAgreement](#cfn-pcaconnectorad-template-keyusageflags-keyagreement): Boolean
  [KeyEncipherment](#cfn-pcaconnectorad-template-keyusageflags-keyencipherment): Boolean
  [NonRepudiation](#cfn-pcaconnectorad-template-keyusageflags-nonrepudiation): Boolean
```

## Properties
<a name="aws-properties-pcaconnectorad-template-keyusageflags-properties"></a>

`DataEncipherment`  <a name="cfn-pcaconnectorad-template-keyusageflags-dataencipherment"></a>
DataEncipherment is asserted when the subject public key is used for directly enciphering raw user data without the use of an intermediate symmetric cipher.  
*Required*: No  
*Type*: Boolean  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`DigitalSignature`  <a name="cfn-pcaconnectorad-template-keyusageflags-digitalsignature"></a>
DigitalSignature is asserted when the subject public key is used for verifying digital signatures.  
*Required*: No  
*Type*: Boolean  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`KeyAgreement`  <a name="cfn-pcaconnectorad-template-keyusageflags-keyagreement"></a>
KeyAgreement is asserted when the subject public key is used for key agreement.  
*Required*: No  
*Type*: Boolean  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`KeyEncipherment`  <a name="cfn-pcaconnectorad-template-keyusageflags-keyencipherment"></a>
KeyEncipherment is asserted when the subject public key is used for enciphering private or secret keys, i.e., for key transport.  
*Required*: No  
*Type*: Boolean  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`NonRepudiation`  <a name="cfn-pcaconnectorad-template-keyusageflags-nonrepudiation"></a>
NonRepudiation is asserted when the subject public key is used to verify digital signatures.  
*Required*: No  
*Type*: Boolean  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

# AWS::PCAConnectorAD::Template KeyUsageProperty
<a name="aws-properties-pcaconnectorad-template-keyusageproperty"></a>

The key usage property defines the purpose of the private key contained in the certificate. You can specify individual purposes using property flags, or all purposes using property type ALL.

## Syntax
<a name="aws-properties-pcaconnectorad-template-keyusageproperty-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-pcaconnectorad-template-keyusageproperty-syntax.json"></a>

```
{
  "[PropertyFlags](#cfn-pcaconnectorad-template-keyusageproperty-propertyflags)" : KeyUsagePropertyFlags,
  "[PropertyType](#cfn-pcaconnectorad-template-keyusageproperty-propertytype)" : String
}
```

### YAML
<a name="aws-properties-pcaconnectorad-template-keyusageproperty-syntax.yaml"></a>

```
  [PropertyFlags](#cfn-pcaconnectorad-template-keyusageproperty-propertyflags): 
    KeyUsagePropertyFlags
  [PropertyType](#cfn-pcaconnectorad-template-keyusageproperty-propertytype): String
```

## Properties
<a name="aws-properties-pcaconnectorad-template-keyusageproperty-properties"></a>

`PropertyFlags`  <a name="cfn-pcaconnectorad-template-keyusageproperty-propertyflags"></a>
You can specify key usage for encryption, key agreement, and signature. You can use property flags or property type but not both.   
*Required*: No  
*Type*: [KeyUsagePropertyFlags](aws-properties-pcaconnectorad-template-keyusagepropertyflags.md)  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`PropertyType`  <a name="cfn-pcaconnectorad-template-keyusageproperty-propertytype"></a>
You can specify all key usages using property type ALL. You can use property type or property flags but not both.   
*Required*: No  
*Type*: String  
*Allowed values*: `ALL`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

# AWS::PCAConnectorAD::Template KeyUsagePropertyFlags
<a name="aws-properties-pcaconnectorad-template-keyusagepropertyflags"></a>

Specifies key usage.

## Syntax
<a name="aws-properties-pcaconnectorad-template-keyusagepropertyflags-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-pcaconnectorad-template-keyusagepropertyflags-syntax.json"></a>

```
{
  "[Decrypt](#cfn-pcaconnectorad-template-keyusagepropertyflags-decrypt)" : Boolean,
  "[KeyAgreement](#cfn-pcaconnectorad-template-keyusagepropertyflags-keyagreement)" : Boolean,
  "[Sign](#cfn-pcaconnectorad-template-keyusagepropertyflags-sign)" : Boolean
}
```

### YAML
<a name="aws-properties-pcaconnectorad-template-keyusagepropertyflags-syntax.yaml"></a>

```
  [Decrypt](#cfn-pcaconnectorad-template-keyusagepropertyflags-decrypt): Boolean
  [KeyAgreement](#cfn-pcaconnectorad-template-keyusagepropertyflags-keyagreement): Boolean
  [Sign](#cfn-pcaconnectorad-template-keyusagepropertyflags-sign): Boolean
```

## Properties
<a name="aws-properties-pcaconnectorad-template-keyusagepropertyflags-properties"></a>

`Decrypt`  <a name="cfn-pcaconnectorad-template-keyusagepropertyflags-decrypt"></a>
Allows the key to be used for encryption and decryption.  
*Required*: No  
*Type*: Boolean  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`KeyAgreement`  <a name="cfn-pcaconnectorad-template-keyusagepropertyflags-keyagreement"></a>
Allows key exchange without encryption.  
*Required*: No  
*Type*: Boolean  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Sign`  <a name="cfn-pcaconnectorad-template-keyusagepropertyflags-sign"></a>
Allows the key to be used for digital signatures.  
*Required*: No  
*Type*: Boolean  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

# AWS::PCAConnectorAD::Template PrivateKeyAttributesV2
<a name="aws-properties-pcaconnectorad-template-privatekeyattributesv2"></a>

Defines the attributes of the private key.

## Syntax
<a name="aws-properties-pcaconnectorad-template-privatekeyattributesv2-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-pcaconnectorad-template-privatekeyattributesv2-syntax.json"></a>

```
{
  "[CryptoProviders](#cfn-pcaconnectorad-template-privatekeyattributesv2-cryptoproviders)" : [ String, ... ],
  "[KeySpec](#cfn-pcaconnectorad-template-privatekeyattributesv2-keyspec)" : String,
  "[MinimalKeyLength](#cfn-pcaconnectorad-template-privatekeyattributesv2-minimalkeylength)" : Number
}
```

### YAML
<a name="aws-properties-pcaconnectorad-template-privatekeyattributesv2-syntax.yaml"></a>

```
  [CryptoProviders](#cfn-pcaconnectorad-template-privatekeyattributesv2-cryptoproviders): 
    - String
  [KeySpec](#cfn-pcaconnectorad-template-privatekeyattributesv2-keyspec): String
  [MinimalKeyLength](#cfn-pcaconnectorad-template-privatekeyattributesv2-minimalkeylength): Number
```

## Properties
<a name="aws-properties-pcaconnectorad-template-privatekeyattributesv2-properties"></a>

`CryptoProviders`  <a name="cfn-pcaconnectorad-template-privatekeyattributesv2-cryptoproviders"></a>
Defines the cryptographic providers used to generate the private key.  
*Required*: No  
*Type*: Array of String  
*Minimum*: `1 | 1`  
*Maximum*: `100 | 100`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`KeySpec`  <a name="cfn-pcaconnectorad-template-privatekeyattributesv2-keyspec"></a>
Defines the purpose of the private key. Set it to `KEY_EXCHANGE` or `SIGNATURE`.  
*Required*: Yes  
*Type*: String  
*Allowed values*: `KEY_EXCHANGE | SIGNATURE`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`MinimalKeyLength`  <a name="cfn-pcaconnectorad-template-privatekeyattributesv2-minimalkeylength"></a>
Set the minimum key length of the private key.  
*Required*: Yes  
*Type*: Number  
*Minimum*: `1`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

# AWS::PCAConnectorAD::Template PrivateKeyAttributesV3
<a name="aws-properties-pcaconnectorad-template-privatekeyattributesv3"></a>

Defines the attributes of the private key.

## Syntax
<a name="aws-properties-pcaconnectorad-template-privatekeyattributesv3-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-pcaconnectorad-template-privatekeyattributesv3-syntax.json"></a>

```
{
  "[Algorithm](#cfn-pcaconnectorad-template-privatekeyattributesv3-algorithm)" : String,
  "[CryptoProviders](#cfn-pcaconnectorad-template-privatekeyattributesv3-cryptoproviders)" : [ String, ... ],
  "[KeySpec](#cfn-pcaconnectorad-template-privatekeyattributesv3-keyspec)" : String,
  "[KeyUsageProperty](#cfn-pcaconnectorad-template-privatekeyattributesv3-keyusageproperty)" : KeyUsageProperty,
  "[MinimalKeyLength](#cfn-pcaconnectorad-template-privatekeyattributesv3-minimalkeylength)" : Number
}
```

### YAML
<a name="aws-properties-pcaconnectorad-template-privatekeyattributesv3-syntax.yaml"></a>

```
  [Algorithm](#cfn-pcaconnectorad-template-privatekeyattributesv3-algorithm): String
  [CryptoProviders](#cfn-pcaconnectorad-template-privatekeyattributesv3-cryptoproviders): 
    - String
  [KeySpec](#cfn-pcaconnectorad-template-privatekeyattributesv3-keyspec): String
  [KeyUsageProperty](#cfn-pcaconnectorad-template-privatekeyattributesv3-keyusageproperty): 
    KeyUsageProperty
  [MinimalKeyLength](#cfn-pcaconnectorad-template-privatekeyattributesv3-minimalkeylength): Number
```

## Properties
<a name="aws-properties-pcaconnectorad-template-privatekeyattributesv3-properties"></a>

`Algorithm`  <a name="cfn-pcaconnectorad-template-privatekeyattributesv3-algorithm"></a>
Defines the algorithm used to generate the private key.  
*Required*: Yes  
*Type*: String  
*Allowed values*: `RSA | ECDH_P256 | ECDH_P384 | ECDH_P521`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`CryptoProviders`  <a name="cfn-pcaconnectorad-template-privatekeyattributesv3-cryptoproviders"></a>
Defines the cryptographic providers used to generate the private key.  
*Required*: No  
*Type*: Array of String  
*Minimum*: `1 | 1`  
*Maximum*: `100 | 100`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`KeySpec`  <a name="cfn-pcaconnectorad-template-privatekeyattributesv3-keyspec"></a>
Defines the purpose of the private key. Set it to "KEY_EXCHANGE" or "SIGNATURE".  
*Required*: Yes  
*Type*: String  
*Allowed values*: `KEY_EXCHANGE | SIGNATURE`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`KeyUsageProperty`  <a name="cfn-pcaconnectorad-template-privatekeyattributesv3-keyusageproperty"></a>
The key usage property defines the purpose of the private key contained in the certificate. You can specify individual purposes using property flags, or all purposes by using property type ALL.  
*Required*: Yes  
*Type*: [KeyUsageProperty](aws-properties-pcaconnectorad-template-keyusageproperty.md)  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`MinimalKeyLength`  <a name="cfn-pcaconnectorad-template-privatekeyattributesv3-minimalkeylength"></a>
Set the minimum key length of the private key.  
*Required*: Yes  
*Type*: Number  
*Minimum*: `1`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

# AWS::PCAConnectorAD::Template PrivateKeyAttributesV4
<a name="aws-properties-pcaconnectorad-template-privatekeyattributesv4"></a>

Defines the attributes of the private key.

## Syntax
<a name="aws-properties-pcaconnectorad-template-privatekeyattributesv4-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-pcaconnectorad-template-privatekeyattributesv4-syntax.json"></a>

```
{
  "[Algorithm](#cfn-pcaconnectorad-template-privatekeyattributesv4-algorithm)" : String,
  "[CryptoProviders](#cfn-pcaconnectorad-template-privatekeyattributesv4-cryptoproviders)" : [ String, ... ],
  "[KeySpec](#cfn-pcaconnectorad-template-privatekeyattributesv4-keyspec)" : String,
  "[KeyUsageProperty](#cfn-pcaconnectorad-template-privatekeyattributesv4-keyusageproperty)" : KeyUsageProperty,
  "[MinimalKeyLength](#cfn-pcaconnectorad-template-privatekeyattributesv4-minimalkeylength)" : Number
}
```

### YAML
<a name="aws-properties-pcaconnectorad-template-privatekeyattributesv4-syntax.yaml"></a>

```
  [Algorithm](#cfn-pcaconnectorad-template-privatekeyattributesv4-algorithm): String
  [CryptoProviders](#cfn-pcaconnectorad-template-privatekeyattributesv4-cryptoproviders): 
    - String
  [KeySpec](#cfn-pcaconnectorad-template-privatekeyattributesv4-keyspec): String
  [KeyUsageProperty](#cfn-pcaconnectorad-template-privatekeyattributesv4-keyusageproperty): 
    KeyUsageProperty
  [MinimalKeyLength](#cfn-pcaconnectorad-template-privatekeyattributesv4-minimalkeylength): Number
```

## Properties
<a name="aws-properties-pcaconnectorad-template-privatekeyattributesv4-properties"></a>

`Algorithm`  <a name="cfn-pcaconnectorad-template-privatekeyattributesv4-algorithm"></a>
Defines the algorithm used to generate the private key.  
*Required*: No  
*Type*: String  
*Allowed values*: `RSA | ECDH_P256 | ECDH_P384 | ECDH_P521`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`CryptoProviders`  <a name="cfn-pcaconnectorad-template-privatekeyattributesv4-cryptoproviders"></a>
Defines the cryptographic providers used to generate the private key.  
*Required*: No  
*Type*: Array of String  
*Minimum*: `1 | 1`  
*Maximum*: `100 | 100`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`KeySpec`  <a name="cfn-pcaconnectorad-template-privatekeyattributesv4-keyspec"></a>
Defines the purpose of the private key. Set it to "KEY_EXCHANGE" or "SIGNATURE".  
*Required*: Yes  
*Type*: String  
*Allowed values*: `KEY_EXCHANGE | SIGNATURE`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`KeyUsageProperty`  <a name="cfn-pcaconnectorad-template-privatekeyattributesv4-keyusageproperty"></a>
The key usage property defines the purpose of the private key contained in the certificate. You can specify individual purposes using property flags, or all purposes by using property type ALL.  
*Required*: No  
*Type*: [KeyUsageProperty](aws-properties-pcaconnectorad-template-keyusageproperty.md)  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`MinimalKeyLength`  <a name="cfn-pcaconnectorad-template-privatekeyattributesv4-minimalkeylength"></a>
Set the minimum key length of the private key.  
*Required*: Yes  
*Type*: Number  
*Minimum*: `1`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

# AWS::PCAConnectorAD::Template PrivateKeyFlagsV2
<a name="aws-properties-pcaconnectorad-template-privatekeyflagsv2"></a>

Private key flags for v2 templates specify the client compatibility, whether the private key can be exported, and whether user input is required when using a private key.

## Syntax
<a name="aws-properties-pcaconnectorad-template-privatekeyflagsv2-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-pcaconnectorad-template-privatekeyflagsv2-syntax.json"></a>

```
{
  "[ClientVersion](#cfn-pcaconnectorad-template-privatekeyflagsv2-clientversion)" : String,
  "[ExportableKey](#cfn-pcaconnectorad-template-privatekeyflagsv2-exportablekey)" : Boolean,
  "[StrongKeyProtectionRequired](#cfn-pcaconnectorad-template-privatekeyflagsv2-strongkeyprotectionrequired)" : Boolean
}
```

### YAML
<a name="aws-properties-pcaconnectorad-template-privatekeyflagsv2-syntax.yaml"></a>

```
  [ClientVersion](#cfn-pcaconnectorad-template-privatekeyflagsv2-clientversion): String
  [ExportableKey](#cfn-pcaconnectorad-template-privatekeyflagsv2-exportablekey): Boolean
  [StrongKeyProtectionRequired](#cfn-pcaconnectorad-template-privatekeyflagsv2-strongkeyprotectionrequired): Boolean
```

## Properties
<a name="aws-properties-pcaconnectorad-template-privatekeyflagsv2-properties"></a>

`ClientVersion`  <a name="cfn-pcaconnectorad-template-privatekeyflagsv2-clientversion"></a>
Defines the minimum client compatibility.  
*Required*: Yes  
*Type*: String  
*Allowed values*: `WINDOWS_SERVER_2003 | WINDOWS_SERVER_2008 | WINDOWS_SERVER_2008_R2 | WINDOWS_SERVER_2012 | WINDOWS_SERVER_2012_R2 | WINDOWS_SERVER_2016`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`ExportableKey`  <a name="cfn-pcaconnectorad-template-privatekeyflagsv2-exportablekey"></a>
Allows the private key to be exported.  
*Required*: No  
*Type*: Boolean  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`StrongKeyProtectionRequired`  <a name="cfn-pcaconnectorad-template-privatekeyflagsv2-strongkeyprotectionrequired"></a>
Require user input when using the private key for enrollment.  
*Required*: No  
*Type*: Boolean  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

# AWS::PCAConnectorAD::Template PrivateKeyFlagsV3
<a name="aws-properties-pcaconnectorad-template-privatekeyflagsv3"></a>

Private key flags for v3 templates specify the client compatibility, whether the private key can be exported, whether user input is required when using a private key, and whether an alternate signature algorithm should be used.

## Syntax
<a name="aws-properties-pcaconnectorad-template-privatekeyflagsv3-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-pcaconnectorad-template-privatekeyflagsv3-syntax.json"></a>

```
{
  "[ClientVersion](#cfn-pcaconnectorad-template-privatekeyflagsv3-clientversion)" : String,
  "[ExportableKey](#cfn-pcaconnectorad-template-privatekeyflagsv3-exportablekey)" : Boolean,
  "[RequireAlternateSignatureAlgorithm](#cfn-pcaconnectorad-template-privatekeyflagsv3-requirealternatesignaturealgorithm)" : Boolean,
  "[StrongKeyProtectionRequired](#cfn-pcaconnectorad-template-privatekeyflagsv3-strongkeyprotectionrequired)" : Boolean
}
```

### YAML
<a name="aws-properties-pcaconnectorad-template-privatekeyflagsv3-syntax.yaml"></a>

```
  [ClientVersion](#cfn-pcaconnectorad-template-privatekeyflagsv3-clientversion): String
  [ExportableKey](#cfn-pcaconnectorad-template-privatekeyflagsv3-exportablekey): Boolean
  [RequireAlternateSignatureAlgorithm](#cfn-pcaconnectorad-template-privatekeyflagsv3-requirealternatesignaturealgorithm): Boolean
  [StrongKeyProtectionRequired](#cfn-pcaconnectorad-template-privatekeyflagsv3-strongkeyprotectionrequired): Boolean
```

## Properties
<a name="aws-properties-pcaconnectorad-template-privatekeyflagsv3-properties"></a>

`ClientVersion`  <a name="cfn-pcaconnectorad-template-privatekeyflagsv3-clientversion"></a>
Defines the minimum client compatibility.  
*Required*: Yes  
*Type*: String  
*Allowed values*: `WINDOWS_SERVER_2008 | WINDOWS_SERVER_2008_R2 | WINDOWS_SERVER_2012 | WINDOWS_SERVER_2012_R2 | WINDOWS_SERVER_2016`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`ExportableKey`  <a name="cfn-pcaconnectorad-template-privatekeyflagsv3-exportablekey"></a>
Allows the private key to be exported.  
*Required*: No  
*Type*: Boolean  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`RequireAlternateSignatureAlgorithm`  <a name="cfn-pcaconnectorad-template-privatekeyflagsv3-requirealternatesignaturealgorithm"></a>
Requires the PKCS #1 v2.1 signature format for certificates. You should verify that your CA, objects, and applications can accept this signature format.  
*Required*: No  
*Type*: Boolean  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`StrongKeyProtectionRequired`  <a name="cfn-pcaconnectorad-template-privatekeyflagsv3-strongkeyprotectionrequired"></a>
Require user input when using the private key for enrollment.  
*Required*: No  
*Type*: Boolean  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

# AWS::PCAConnectorAD::Template PrivateKeyFlagsV4
<a name="aws-properties-pcaconnectorad-template-privatekeyflagsv4"></a>

Private key flags for v4 templates specify the client compatibility, whether the private key can be exported, whether user input is required when using a private key, whether an alternate signature algorithm should be used, and whether certificates are renewed using the same private key.

## Syntax
<a name="aws-properties-pcaconnectorad-template-privatekeyflagsv4-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-pcaconnectorad-template-privatekeyflagsv4-syntax.json"></a>

```
{
  "[ClientVersion](#cfn-pcaconnectorad-template-privatekeyflagsv4-clientversion)" : String,
  "[ExportableKey](#cfn-pcaconnectorad-template-privatekeyflagsv4-exportablekey)" : Boolean,
  "[RequireAlternateSignatureAlgorithm](#cfn-pcaconnectorad-template-privatekeyflagsv4-requirealternatesignaturealgorithm)" : Boolean,
  "[RequireSameKeyRenewal](#cfn-pcaconnectorad-template-privatekeyflagsv4-requiresamekeyrenewal)" : Boolean,
  "[StrongKeyProtectionRequired](#cfn-pcaconnectorad-template-privatekeyflagsv4-strongkeyprotectionrequired)" : Boolean,
  "[UseLegacyProvider](#cfn-pcaconnectorad-template-privatekeyflagsv4-uselegacyprovider)" : Boolean
}
```

### YAML
<a name="aws-properties-pcaconnectorad-template-privatekeyflagsv4-syntax.yaml"></a>

```
  [ClientVersion](#cfn-pcaconnectorad-template-privatekeyflagsv4-clientversion): String
  [ExportableKey](#cfn-pcaconnectorad-template-privatekeyflagsv4-exportablekey): Boolean
  [RequireAlternateSignatureAlgorithm](#cfn-pcaconnectorad-template-privatekeyflagsv4-requirealternatesignaturealgorithm): Boolean
  [RequireSameKeyRenewal](#cfn-pcaconnectorad-template-privatekeyflagsv4-requiresamekeyrenewal): Boolean
  [StrongKeyProtectionRequired](#cfn-pcaconnectorad-template-privatekeyflagsv4-strongkeyprotectionrequired): Boolean
  [UseLegacyProvider](#cfn-pcaconnectorad-template-privatekeyflagsv4-uselegacyprovider): Boolean
```

## Properties
<a name="aws-properties-pcaconnectorad-template-privatekeyflagsv4-properties"></a>

`ClientVersion`  <a name="cfn-pcaconnectorad-template-privatekeyflagsv4-clientversion"></a>
Defines the minimum client compatibility.  
*Required*: Yes  
*Type*: String  
*Allowed values*: `WINDOWS_SERVER_2012 | WINDOWS_SERVER_2012_R2 | WINDOWS_SERVER_2016`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`ExportableKey`  <a name="cfn-pcaconnectorad-template-privatekeyflagsv4-exportablekey"></a>
Allows the private key to be exported.  
*Required*: No  
*Type*: Boolean  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`RequireAlternateSignatureAlgorithm`  <a name="cfn-pcaconnectorad-template-privatekeyflagsv4-requirealternatesignaturealgorithm"></a>
Requires the PKCS #1 v2.1 signature format for certificates. You should verify that your CA, objects, and applications can accept this signature format.  
*Required*: No  
*Type*: Boolean  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`RequireSameKeyRenewal`  <a name="cfn-pcaconnectorad-template-privatekeyflagsv4-requiresamekeyrenewal"></a>
Renew certificate using the same private key.  
*Required*: No  
*Type*: Boolean  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`StrongKeyProtectionRequired`  <a name="cfn-pcaconnectorad-template-privatekeyflagsv4-strongkeyprotectionrequired"></a>
Require user input when using the private key for enrollment.  
*Required*: No  
*Type*: Boolean  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`UseLegacyProvider`  <a name="cfn-pcaconnectorad-template-privatekeyflagsv4-uselegacyprovider"></a>
Specifies the cryptographic service provider category used to generate private keys. Set to TRUE to use Legacy Cryptographic Service Providers and FALSE to use Key Storage Providers.  
*Required*: No  
*Type*: Boolean  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

# AWS::PCAConnectorAD::Template SubjectNameFlagsV2
<a name="aws-properties-pcaconnectorad-template-subjectnameflagsv2"></a>

Information to include in the subject name and alternate subject name of the certificate. The subject name can be common name, directory path, DNS as common name, or left blank. You can optionally include email in the subject name for user templates. If you leave the subject name blank, then you must set a subject alternate name. The subject alternate name (SAN) can include globally unique identifier (GUID), DNS, domain DNS, email, service principal name (SPN), and user principal name (UPN). You can leave the SAN blank. If you leave the SAN blank, then you must set a subject name.

## Syntax
<a name="aws-properties-pcaconnectorad-template-subjectnameflagsv2-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-pcaconnectorad-template-subjectnameflagsv2-syntax.json"></a>

```
{
  "[RequireCommonName](#cfn-pcaconnectorad-template-subjectnameflagsv2-requirecommonname)" : Boolean,
  "[RequireDirectoryPath](#cfn-pcaconnectorad-template-subjectnameflagsv2-requiredirectorypath)" : Boolean,
  "[RequireDnsAsCn](#cfn-pcaconnectorad-template-subjectnameflagsv2-requirednsascn)" : Boolean,
  "[RequireEmail](#cfn-pcaconnectorad-template-subjectnameflagsv2-requireemail)" : Boolean,
  "[SanRequireDirectoryGuid](#cfn-pcaconnectorad-template-subjectnameflagsv2-sanrequiredirectoryguid)" : Boolean,
  "[SanRequireDns](#cfn-pcaconnectorad-template-subjectnameflagsv2-sanrequiredns)" : Boolean,
  "[SanRequireDomainDns](#cfn-pcaconnectorad-template-subjectnameflagsv2-sanrequiredomaindns)" : Boolean,
  "[SanRequireEmail](#cfn-pcaconnectorad-template-subjectnameflagsv2-sanrequireemail)" : Boolean,
  "[SanRequireSpn](#cfn-pcaconnectorad-template-subjectnameflagsv2-sanrequirespn)" : Boolean,
  "[SanRequireUpn](#cfn-pcaconnectorad-template-subjectnameflagsv2-sanrequireupn)" : Boolean
}
```

### YAML
<a name="aws-properties-pcaconnectorad-template-subjectnameflagsv2-syntax.yaml"></a>

```
  [RequireCommonName](#cfn-pcaconnectorad-template-subjectnameflagsv2-requirecommonname): Boolean
  [RequireDirectoryPath](#cfn-pcaconnectorad-template-subjectnameflagsv2-requiredirectorypath): Boolean
  [RequireDnsAsCn](#cfn-pcaconnectorad-template-subjectnameflagsv2-requirednsascn): Boolean
  [RequireEmail](#cfn-pcaconnectorad-template-subjectnameflagsv2-requireemail): Boolean
  [SanRequireDirectoryGuid](#cfn-pcaconnectorad-template-subjectnameflagsv2-sanrequiredirectoryguid): Boolean
  [SanRequireDns](#cfn-pcaconnectorad-template-subjectnameflagsv2-sanrequiredns): Boolean
  [SanRequireDomainDns](#cfn-pcaconnectorad-template-subjectnameflagsv2-sanrequiredomaindns): Boolean
  [SanRequireEmail](#cfn-pcaconnectorad-template-subjectnameflagsv2-sanrequireemail): Boolean
  [SanRequireSpn](#cfn-pcaconnectorad-template-subjectnameflagsv2-sanrequirespn): Boolean
  [SanRequireUpn](#cfn-pcaconnectorad-template-subjectnameflagsv2-sanrequireupn): Boolean
```

## Properties
<a name="aws-properties-pcaconnectorad-template-subjectnameflagsv2-properties"></a>

`RequireCommonName`  <a name="cfn-pcaconnectorad-template-subjectnameflagsv2-requirecommonname"></a>
Include the common name in the subject name.  
*Required*: No  
*Type*: Boolean  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`RequireDirectoryPath`  <a name="cfn-pcaconnectorad-template-subjectnameflagsv2-requiredirectorypath"></a>
Include the directory path in the subject name.  
*Required*: No  
*Type*: Boolean  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`RequireDnsAsCn`  <a name="cfn-pcaconnectorad-template-subjectnameflagsv2-requirednsascn"></a>
Include the DNS as common name in the subject name.  
*Required*: No  
*Type*: Boolean  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`RequireEmail`  <a name="cfn-pcaconnectorad-template-subjectnameflagsv2-requireemail"></a>
Include the subject's email in the subject name.  
*Required*: No  
*Type*: Boolean  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`SanRequireDirectoryGuid`  <a name="cfn-pcaconnectorad-template-subjectnameflagsv2-sanrequiredirectoryguid"></a>
Include the globally unique identifier (GUID) in the subject alternate name.  
*Required*: No  
*Type*: Boolean  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`SanRequireDns`  <a name="cfn-pcaconnectorad-template-subjectnameflagsv2-sanrequiredns"></a>
Include the DNS in the subject alternate name.  
*Required*: No  
*Type*: Boolean  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`SanRequireDomainDns`  <a name="cfn-pcaconnectorad-template-subjectnameflagsv2-sanrequiredomaindns"></a>
Include the domain DNS in the subject alternate name.  
*Required*: No  
*Type*: Boolean  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`SanRequireEmail`  <a name="cfn-pcaconnectorad-template-subjectnameflagsv2-sanrequireemail"></a>
Include the subject's email in the subject alternate name.  
*Required*: No  
*Type*: Boolean  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`SanRequireSpn`  <a name="cfn-pcaconnectorad-template-subjectnameflagsv2-sanrequirespn"></a>
Include the service principal name (SPN) in the subject alternate name.  
*Required*: No  
*Type*: Boolean  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`SanRequireUpn`  <a name="cfn-pcaconnectorad-template-subjectnameflagsv2-sanrequireupn"></a>
Include the user principal name (UPN) in the subject alternate name.  
*Required*: No  
*Type*: Boolean  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

# AWS::PCAConnectorAD::Template SubjectNameFlagsV3
<a name="aws-properties-pcaconnectorad-template-subjectnameflagsv3"></a>

Information to include in the subject name and alternate subject name of the certificate. The subject name can be common name, directory path, DNS as common name, or left blank. You can optionally include email in the subject name for user templates. If you leave the subject name blank, then you must set a subject alternate name. The subject alternate name (SAN) can include globally unique identifier (GUID), DNS, domain DNS, email, service principal name (SPN), and user principal name (UPN). You can leave the SAN blank. If you leave the SAN blank, then you must set a subject name.

## Syntax
<a name="aws-properties-pcaconnectorad-template-subjectnameflagsv3-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-pcaconnectorad-template-subjectnameflagsv3-syntax.json"></a>

```
{
  "[RequireCommonName](#cfn-pcaconnectorad-template-subjectnameflagsv3-requirecommonname)" : Boolean,
  "[RequireDirectoryPath](#cfn-pcaconnectorad-template-subjectnameflagsv3-requiredirectorypath)" : Boolean,
  "[RequireDnsAsCn](#cfn-pcaconnectorad-template-subjectnameflagsv3-requirednsascn)" : Boolean,
  "[RequireEmail](#cfn-pcaconnectorad-template-subjectnameflagsv3-requireemail)" : Boolean,
  "[SanRequireDirectoryGuid](#cfn-pcaconnectorad-template-subjectnameflagsv3-sanrequiredirectoryguid)" : Boolean,
  "[SanRequireDns](#cfn-pcaconnectorad-template-subjectnameflagsv3-sanrequiredns)" : Boolean,
  "[SanRequireDomainDns](#cfn-pcaconnectorad-template-subjectnameflagsv3-sanrequiredomaindns)" : Boolean,
  "[SanRequireEmail](#cfn-pcaconnectorad-template-subjectnameflagsv3-sanrequireemail)" : Boolean,
  "[SanRequireSpn](#cfn-pcaconnectorad-template-subjectnameflagsv3-sanrequirespn)" : Boolean,
  "[SanRequireUpn](#cfn-pcaconnectorad-template-subjectnameflagsv3-sanrequireupn)" : Boolean
}
```

### YAML
<a name="aws-properties-pcaconnectorad-template-subjectnameflagsv3-syntax.yaml"></a>

```
  [RequireCommonName](#cfn-pcaconnectorad-template-subjectnameflagsv3-requirecommonname): Boolean
  [RequireDirectoryPath](#cfn-pcaconnectorad-template-subjectnameflagsv3-requiredirectorypath): Boolean
  [RequireDnsAsCn](#cfn-pcaconnectorad-template-subjectnameflagsv3-requirednsascn): Boolean
  [RequireEmail](#cfn-pcaconnectorad-template-subjectnameflagsv3-requireemail): Boolean
  [SanRequireDirectoryGuid](#cfn-pcaconnectorad-template-subjectnameflagsv3-sanrequiredirectoryguid): Boolean
  [SanRequireDns](#cfn-pcaconnectorad-template-subjectnameflagsv3-sanrequiredns): Boolean
  [SanRequireDomainDns](#cfn-pcaconnectorad-template-subjectnameflagsv3-sanrequiredomaindns): Boolean
  [SanRequireEmail](#cfn-pcaconnectorad-template-subjectnameflagsv3-sanrequireemail): Boolean
  [SanRequireSpn](#cfn-pcaconnectorad-template-subjectnameflagsv3-sanrequirespn): Boolean
  [SanRequireUpn](#cfn-pcaconnectorad-template-subjectnameflagsv3-sanrequireupn): Boolean
```

## Properties
<a name="aws-properties-pcaconnectorad-template-subjectnameflagsv3-properties"></a>

`RequireCommonName`  <a name="cfn-pcaconnectorad-template-subjectnameflagsv3-requirecommonname"></a>
Include the common name in the subject name.  
*Required*: No  
*Type*: Boolean  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`RequireDirectoryPath`  <a name="cfn-pcaconnectorad-template-subjectnameflagsv3-requiredirectorypath"></a>
Include the directory path in the subject name.  
*Required*: No  
*Type*: Boolean  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`RequireDnsAsCn`  <a name="cfn-pcaconnectorad-template-subjectnameflagsv3-requirednsascn"></a>
Include the DNS as common name in the subject name.  
*Required*: No  
*Type*: Boolean  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`RequireEmail`  <a name="cfn-pcaconnectorad-template-subjectnameflagsv3-requireemail"></a>
Include the subject's email in the subject name.  
*Required*: No  
*Type*: Boolean  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`SanRequireDirectoryGuid`  <a name="cfn-pcaconnectorad-template-subjectnameflagsv3-sanrequiredirectoryguid"></a>
Include the globally unique identifier (GUID) in the subject alternate name.  
*Required*: No  
*Type*: Boolean  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`SanRequireDns`  <a name="cfn-pcaconnectorad-template-subjectnameflagsv3-sanrequiredns"></a>
Include the DNS in the subject alternate name.  
*Required*: No  
*Type*: Boolean  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`SanRequireDomainDns`  <a name="cfn-pcaconnectorad-template-subjectnameflagsv3-sanrequiredomaindns"></a>
Include the domain DNS in the subject alternate name.  
*Required*: No  
*Type*: Boolean  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`SanRequireEmail`  <a name="cfn-pcaconnectorad-template-subjectnameflagsv3-sanrequireemail"></a>
Include the subject's email in the subject alternate name.  
*Required*: No  
*Type*: Boolean  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`SanRequireSpn`  <a name="cfn-pcaconnectorad-template-subjectnameflagsv3-sanrequirespn"></a>
Include the service principal name (SPN) in the subject alternate name.  
*Required*: No  
*Type*: Boolean  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`SanRequireUpn`  <a name="cfn-pcaconnectorad-template-subjectnameflagsv3-sanrequireupn"></a>
Include the user principal name (UPN) in the subject alternate name.  
*Required*: No  
*Type*: Boolean  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)
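
A pre-deployment check for the private key and subject name settings documented above, as an added example (not AWS code): it uses the allowed values, the per-version flag sets and the blank subject name/SAN rule from this page. The function names, the sample mappings, the `ERROR`/`REVIEW` labels, the 2048-bit RSA floor and the reading of `RequireEmail` as an optional addition to a subject name are assumptions of this example.

```python
"""Lint PrivateKeyAttributes, PrivateKeyFlags and SubjectNameFlags mappings before deployment."""

# Allowed values, required keys and per-version flag sets are copied from this page.
ALGORITHMS = {"RSA", "ECDH_P256", "ECDH_P384", "ECDH_P521"}
KEY_SPECS = {"KEY_EXCHANGE", "SIGNATURE"}
ATTR_KEYS = {"Algorithm", "CryptoProviders", "KeySpec", "KeyUsageProperty", "MinimalKeyLength"}
REQUIRED_ATTRS = {
    "V3": {"Algorithm", "KeySpec", "KeyUsageProperty", "MinimalKeyLength"},
    "V4": {"KeySpec", "MinimalKeyLength"},
}
_SERVERS = ["WINDOWS_SERVER_2003", "WINDOWS_SERVER_2008", "WINDOWS_SERVER_2008_R2",
            "WINDOWS_SERVER_2012", "WINDOWS_SERVER_2012_R2", "WINDOWS_SERVER_2016"]
CLIENT_VERSIONS = {"V2": _SERVERS, "V3": _SERVERS[1:], "V4": _SERVERS[3:]}
FLAG_KEYS = {"V2": {"ClientVersion", "ExportableKey", "StrongKeyProtectionRequired"}}
FLAG_KEYS["V3"] = FLAG_KEYS["V2"] | {"RequireAlternateSignatureAlgorithm"}
FLAG_KEYS["V4"] = FLAG_KEYS["V3"] | {"RequireSameKeyRenewal", "UseLegacyProvider"}
SUBJECT_KEYS = ("RequireCommonName", "RequireDirectoryPath", "RequireDnsAsCn")
SAN_KEYS = ("SanRequireDirectoryGuid", "SanRequireDns", "SanRequireDomainDns",
            "SanRequireEmail", "SanRequireSpn", "SanRequireUpn")

MIN_RSA_BITS = 2048  # Assumption: local policy floor, not a value from this page.


def _on(value):
    """True for Boolean true or its string form, as written in templates."""
    return value is True or str(value).lower() == "true"


def lint_key_attributes(version, attrs):
    """Check a PrivateKeyAttributesV3 or V4 mapping; returns a list of findings."""
    out = []
    for key in sorted(REQUIRED_ATTRS[version] - set(attrs)):
        out.append(f"ERROR: PrivateKeyAttributes{version}.{key} is required")
    for key in sorted(set(attrs) - ATTR_KEYS):
        out.append(f"ERROR: {key} is not a PrivateKeyAttributes{version} property")
    algorithm = attrs.get("Algorithm")
    if algorithm is not None and algorithm not in ALGORITHMS:
        out.append(f"ERROR: Algorithm {algorithm!r} is not an allowed value")
    if "KeySpec" in attrs and attrs["KeySpec"] not in KEY_SPECS:
        out.append(f"ERROR: KeySpec {attrs['KeySpec']!r} is not an allowed value")
    bits = attrs.get("MinimalKeyLength")
    if bits is not None:
        if isinstance(bits, bool) or not isinstance(bits, int) or bits < 1:
            out.append("ERROR: MinimalKeyLength must be a number of at least 1")
        elif algorithm == "RSA" and bits < MIN_RSA_BITS:
            out.append(f"REVIEW: RSA MinimalKeyLength {bits} is below the floor {MIN_RSA_BITS}")
    return out


def lint_key_flags(version, flags):
    """Check a PrivateKeyFlagsV2, V3 or V4 mapping; returns a list of findings."""
    out = []
    for key in sorted(set(flags) - FLAG_KEYS[version]):
        out.append(f"ERROR: {key} is not a PrivateKeyFlags{version} property")
    client = flags.get("ClientVersion")
    if client is None:
        out.append("ERROR: ClientVersion is required")
    elif client not in CLIENT_VERSIONS[version]:
        out.append(f"ERROR: ClientVersion {client} is not allowed for {version} templates")
    if _on(flags.get("ExportableKey")):
        out.append("REVIEW: ExportableKey allows the private key to be exported")
    if _on(flags.get("UseLegacyProvider")):
        out.append("REVIEW: UseLegacyProvider selects legacy CSPs, not Key Storage Providers")
    return out


def lint_subject_name(flags):
    """Apply the rule that subject name and SAN cannot both be left blank."""
    # RequireEmail is read as an optional addition, so it does not fill a blank subject name.
    has_subject = any(_on(flags.get(k)) for k in SUBJECT_KEYS)
    has_san = any(_on(flags.get(k)) for k in SAN_KEYS)
    if not has_subject and not has_san:
        return ["ERROR: subject name and SAN are both blank; set at least one"]
    return []


def lint_template(version, sample):
    """Run all three checks over one constructed sample."""
    return (lint_key_attributes(version, sample["attrs"])
            + lint_key_flags(version, sample["flags"])
            + lint_subject_name(sample["subject"]))


# Constructed sample: a v3 definition with schema errors and settings worth a review.
WEAK_V3 = {
    "attrs": {"Algorithm": "RSA", "KeySpec": "KEY_EXCHANGE", "MinimalKeyLength": 1024},
    "flags": {"ClientVersion": "WINDOWS_SERVER_2003", "ExportableKey": True,
              "UseLegacyProvider": True},
    "subject": {"RequireEmail": True},
}
# Constructed sample: a v4 definition that passes every check.
HARDENED_V4 = {
    "attrs": {"Algorithm": "RSA", "KeySpec": "KEY_EXCHANGE", "MinimalKeyLength": 3072},
    "flags": {"ClientVersion": "WINDOWS_SERVER_2016", "ExportableKey": False,
              "StrongKeyProtectionRequired": False, "UseLegacyProvider": False},
    "subject": {"RequireCommonName": True, "SanRequireDns": True},
}

if __name__ == "__main__":
    for name, version, sample in (("weak", "V3", WEAK_V3), ("hardened", "V4", HARDENED_V4)):
        print(name, version)
        for finding in lint_template(version, sample) or ["no findings"]:
            print("  " + finding)
```
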

# AWS::PCAConnectorAD::Template SubjectNameFlagsV4
<a name="aws-properties-pcaconnectorad-template-subjectnameflagsv4"></a>

Information to include in the subject name and alternate subject name of the certificate. The subject name can be common name, directory path, DNS as common name, or left blank. You can optionally include email in the subject name for user templates. If you leave the subject name blank, then you must set a subject alternate name. The subject alternate name (SAN) can include globally unique identifier (GUID), DNS, domain DNS, email, service principal name (SPN), and user principal name (UPN). You can leave the SAN blank. If you leave the SAN blank, then you must set a subject name.

## Syntax
<a name="aws-properties-pcaconnectorad-template-subjectnameflagsv4-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-pcaconnectorad-template-subjectnameflagsv4-syntax.json"></a>

```
{
  "[RequireCommonName](#cfn-pcaconnectorad-template-subjectnameflagsv4-requirecommonname)" : Boolean,
  "[RequireDirectoryPath](#cfn-pcaconnectorad-template-subjectnameflagsv4-requiredirectorypath)" : Boolean,
  "[RequireDnsAsCn](#cfn-pcaconnectorad-template-subjectnameflagsv4-requirednsascn)" : Boolean,
  "[RequireEmail](#cfn-pcaconnectorad-template-subjectnameflagsv4-requireemail)" : Boolean,
  "[SanRequireDirectoryGuid](#cfn-pcaconnectorad-template-subjectnameflagsv4-sanrequiredirectoryguid)" : Boolean,
  "[SanRequireDns](#cfn-pcaconnectorad-template-subjectnameflagsv4-sanrequiredns)" : Boolean,
  "[SanRequireDomainDns](#cfn-pcaconnectorad-template-subjectnameflagsv4-sanrequiredomaindns)" : Boolean,
  "[SanRequireEmail](#cfn-pcaconnectorad-template-subjectnameflagsv4-sanrequireemail)" : Boolean,
  "[SanRequireSpn](#cfn-pcaconnectorad-template-subjectnameflagsv4-sanrequirespn)" : Boolean,
  "[SanRequireUpn](#cfn-pcaconnectorad-template-subjectnameflagsv4-sanrequireupn)" : Boolean
}
```

### YAML
<a name="aws-properties-pcaconnectorad-template-subjectnameflagsv4-syntax.yaml"></a>

```
  [RequireCommonName](#cfn-pcaconnectorad-template-subjectnameflagsv4-requirecommonname): Boolean
  [RequireDirectoryPath](#cfn-pcaconnectorad-template-subjectnameflagsv4-requiredirectorypath): Boolean
  [RequireDnsAsCn](#cfn-pcaconnectorad-template-subjectnameflagsv4-requirednsascn): Boolean
  [RequireEmail](#cfn-pcaconnectorad-template-subjectnameflagsv4-requireemail): Boolean
  [SanRequireDirectoryGuid](#cfn-pcaconnectorad-template-subjectnameflagsv4-sanrequiredirectoryguid): Boolean
  [SanRequireDns](#cfn-pcaconnectorad-template-subjectnameflagsv4-sanrequiredns): Boolean
  [SanRequireDomainDns](#cfn-pcaconnectorad-template-subjectnameflagsv4-sanrequiredomaindns): Boolean
  [SanRequireEmail](#cfn-pcaconnectorad-template-subjectnameflagsv4-sanrequireemail): Boolean
  [SanRequireSpn](#cfn-pcaconnectorad-template-subjectnameflagsv4-sanrequirespn): Boolean
  [SanRequireUpn](#cfn-pcaconnectorad-template-subjectnameflagsv4-sanrequireupn): Boolean
```

## Properties
<a name="aws-properties-pcaconnectorad-template-subjectnameflagsv4-properties"></a>

`RequireCommonName`  <a name="cfn-pcaconnectorad-template-subjectnameflagsv4-requirecommonname"></a>
Include the common name in the subject name.  
*Required*: No  
*Type*: Boolean  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`RequireDirectoryPath`  <a name="cfn-pcaconnectorad-template-subjectnameflagsv4-requiredirectorypath"></a>
Include the directory path in the subject name.  
*Required*: No  
*Type*: Boolean  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`RequireDnsAsCn`  <a name="cfn-pcaconnectorad-template-subjectnameflagsv4-requirednsascn"></a>
Include the DNS as common name in the subject name.  
*Required*: No  
*Type*: Boolean  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`RequireEmail`  <a name="cfn-pcaconnectorad-template-subjectnameflagsv4-requireemail"></a>
Include the subject's email in the subject name.  
*Required*: No  
*Type*: Boolean  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`SanRequireDirectoryGuid`  <a name="cfn-pcaconnectorad-template-subjectnameflagsv4-sanrequiredirectoryguid"></a>
Include the globally unique identifier (GUID) in the subject alternate name.  
*Required*: No  
*Type*: Boolean  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`SanRequireDns`  <a name="cfn-pcaconnectorad-template-subjectnameflagsv4-sanrequiredns"></a>
Include the DNS in the subject alternate name.  
*Required*: No  
*Type*: Boolean  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`SanRequireDomainDns`  <a name="cfn-pcaconnectorad-template-subjectnameflagsv4-sanrequiredomaindns"></a>
Include the domain DNS in the subject alternate name.  
*Required*: No  
*Type*: Boolean  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`SanRequireEmail`  <a name="cfn-pcaconnectorad-template-subjectnameflagsv4-sanrequireemail"></a>
Include the subject's email in the subject alternate name.  
*Required*: No  
*Type*: Boolean  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`SanRequireSpn`  <a name="cfn-pcaconnectorad-template-subjectnameflagsv4-sanrequirespn"></a>
Include the service principal name (SPN) in the subject alternate name.  
*Required*: No  
*Type*: Boolean  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`SanRequireUpn`  <a name="cfn-pcaconnectorad-template-subjectnameflagsv4-sanrequireupn"></a>
Include the user principal name (UPN) in the subject alternate name.  
*Required*: No  
*Type*: Boolean  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)
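
The rule in the description above (a blank subject name requires a SAN, and a blank SAN requires a subject name) can be checked before a stack is deployed. The following Python lint is an added example, not AWS code; its function and variable names and its sample flag sets are constructed, and it assumes that `RequireEmail` on its own does not make the subject name non-blank, because the description presents email as an optional addition.

```python
"""Pre-deployment lint for SubjectNameFlagsV4 (added example, not AWS code)."""

# Flags that pick the subject name form, as listed in the description.
SUBJECT_FORMS = ("RequireCommonName", "RequireDirectoryPath", "RequireDnsAsCn")
# Email is described as an optional addition to the subject name.
# Assumption: by itself it does not make the subject name non-blank.
SUBJECT_EXTRAS = ("RequireEmail",)
SAN_FLAGS = (
    "SanRequireDirectoryGuid", "SanRequireDns", "SanRequireDomainDns",
    "SanRequireEmail", "SanRequireSpn", "SanRequireUpn",
)
KNOWN = set(SUBJECT_FORMS + SUBJECT_EXTRAS + SAN_FLAGS)


def to_bool(value):
    """Accept JSON/YAML booleans and the strings 'true'/'false'; else None."""
    if isinstance(value, bool):
        return value
    if isinstance(value, str) and value.lower() in ("true", "false"):
        return value.lower() == "true"
    return None


def lint_subject_name_flags(flags):
    """Return errors, warnings and the identity fields the template enables."""
    errors, warnings, enabled = [], [], set()
    for name, raw in flags.items():
        if name not in KNOWN:
            # Catches case typos such as SanRequireUPN before deployment.
            errors.append(f"unknown property {name}")
            continue
        value = to_bool(raw)
        if value is None:
            errors.append(f"{name} is not a Boolean: {raw!r}")
        elif value:
            enabled.add(name)

    subject = [n for n in SUBJECT_FORMS + SUBJECT_EXTRAS if n in enabled]
    san = [n for n in SAN_FLAGS if n in enabled]
    has_form = any(n in enabled for n in SUBJECT_FORMS)

    # Rule from the description: a blank subject name requires a SAN and
    # a blank SAN requires a subject name, so both blank is invalid.
    if not has_form and not san:
        errors.append("subject name and SAN are both blank")
    if "RequireEmail" in enabled and not has_form:
        warnings.append("RequireEmail is set without a subject name form")
    return {"errors": errors, "warnings": warnings, "subject": subject, "san": san}


# Constructed sample inputs.
USER_TEMPLATE = {"RequireCommonName": True, "RequireEmail": True, "SanRequireUpn": True}
SAN_ONLY = {"SanRequireDns": "true"}
ALL_BLANK = {"RequireCommonName": False, "SanRequireUpn": False}
EMAIL_ONLY = {"RequireEmail": True}

if __name__ == "__main__":
    for label, sample in (("user", USER_TEMPLATE), ("san-only", SAN_ONLY),
                          ("blank", ALL_BLANK), ("email-only", EMAIL_ONLY)):
        print(label, lint_subject_name_flags(sample))
```

The `subject` and `san` lists in the result give a reviewer the identity fields a certificate from the template will carry.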

# AWS::PCAConnectorAD::Template TemplateDefinition
<a name="aws-properties-pcaconnectorad-template-templatedefinition"></a>

Template configuration to define the information included in certificates. Define certificate validity and renewal periods, certificate request handling and enrollment options, key usage extensions, application policies, and cryptography settings.

## Syntax
<a name="aws-properties-pcaconnectorad-template-templatedefinition-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-pcaconnectorad-template-templatedefinition-syntax.json"></a>

```
{
  "[TemplateV2](#cfn-pcaconnectorad-template-templatedefinition-templatev2)" : TemplateV2,
  "[TemplateV3](#cfn-pcaconnectorad-template-templatedefinition-templatev3)" : TemplateV3,
  "[TemplateV4](#cfn-pcaconnectorad-template-templatedefinition-templatev4)" : TemplateV4
}
```

### YAML
<a name="aws-properties-pcaconnectorad-template-templatedefinition-syntax.yaml"></a>

```
  [TemplateV2](#cfn-pcaconnectorad-template-templatedefinition-templatev2): 
    TemplateV2
  [TemplateV3](#cfn-pcaconnectorad-template-templatedefinition-templatev3): 
    TemplateV3
  [TemplateV4](#cfn-pcaconnectorad-template-templatedefinition-templatev4): 
    TemplateV4
```

## Properties
<a name="aws-properties-pcaconnectorad-template-templatedefinition-properties"></a>

`TemplateV2`  <a name="cfn-pcaconnectorad-template-templatedefinition-templatev2"></a>
Template configuration to define the information included in certificates. Define certificate validity and renewal periods, certificate request handling and enrollment options, key usage extensions, application policies, and cryptography settings.  
*Required*: No  
*Type*: [TemplateV2](aws-properties-pcaconnectorad-template-templatev2.md)  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`TemplateV3`  <a name="cfn-pcaconnectorad-template-templatedefinition-templatev3"></a>
Template configuration to define the information included in certificates. Define certificate validity and renewal periods, certificate request handling and enrollment options, key usage extensions, application policies, and cryptography settings.  
*Required*: No  
*Type*: [TemplateV3](aws-properties-pcaconnectorad-template-templatev3.md)  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`TemplateV4`  <a name="cfn-pcaconnectorad-template-templatedefinition-templatev4"></a>
Template configuration to define the information included in certificates. Define certificate validity and renewal periods, certificate request handling and enrollment options, key usage extensions, application policies, and cryptography settings.  
*Required*: No  
*Type*: [TemplateV4](aws-properties-pcaconnectorad-template-templatev4.md)  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

# AWS::PCAConnectorAD::Template TemplateV2
<a name="aws-properties-pcaconnectorad-template-templatev2"></a>

v2 template schema that uses Legacy Cryptographic Providers.

## Syntax
<a name="aws-properties-pcaconnectorad-template-templatev2-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-pcaconnectorad-template-templatev2-syntax.json"></a>

```
{
  "[CertificateValidity](#cfn-pcaconnectorad-template-templatev2-certificatevalidity)" : CertificateValidity,
  "[EnrollmentFlags](#cfn-pcaconnectorad-template-templatev2-enrollmentflags)" : EnrollmentFlagsV2,
  "[Extensions](#cfn-pcaconnectorad-template-templatev2-extensions)" : ExtensionsV2,
  "[GeneralFlags](#cfn-pcaconnectorad-template-templatev2-generalflags)" : GeneralFlagsV2,
  "[PrivateKeyAttributes](#cfn-pcaconnectorad-template-templatev2-privatekeyattributes)" : PrivateKeyAttributesV2,
  "[PrivateKeyFlags](#cfn-pcaconnectorad-template-templatev2-privatekeyflags)" : PrivateKeyFlagsV2,
  "[SubjectNameFlags](#cfn-pcaconnectorad-template-templatev2-subjectnameflags)" : SubjectNameFlagsV2,
  "[SupersededTemplates](#cfn-pcaconnectorad-template-templatev2-supersededtemplates)" : [ String, ... ]
}
```

### YAML
<a name="aws-properties-pcaconnectorad-template-templatev2-syntax.yaml"></a>

```
  [CertificateValidity](#cfn-pcaconnectorad-template-templatev2-certificatevalidity): 
    CertificateValidity
  [EnrollmentFlags](#cfn-pcaconnectorad-template-templatev2-enrollmentflags): 
    EnrollmentFlagsV2
  [Extensions](#cfn-pcaconnectorad-template-templatev2-extensions): 
    ExtensionsV2
  [GeneralFlags](#cfn-pcaconnectorad-template-templatev2-generalflags): 
    GeneralFlagsV2
  [PrivateKeyAttributes](#cfn-pcaconnectorad-template-templatev2-privatekeyattributes): 
    PrivateKeyAttributesV2
  [PrivateKeyFlags](#cfn-pcaconnectorad-template-templatev2-privatekeyflags): 
    PrivateKeyFlagsV2
  [SubjectNameFlags](#cfn-pcaconnectorad-template-templatev2-subjectnameflags): 
    SubjectNameFlagsV2
  [SupersededTemplates](#cfn-pcaconnectorad-template-templatev2-supersededtemplates): 
    - String
```

## Properties
<a name="aws-properties-pcaconnectorad-template-templatev2-properties"></a>

`CertificateValidity`  <a name="cfn-pcaconnectorad-template-templatev2-certificatevalidity"></a>
Certificate validity describes the validity and renewal periods of a certificate.  
*Required*: Yes  
*Type*: [CertificateValidity](aws-properties-pcaconnectorad-template-certificatevalidity.md)  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`EnrollmentFlags`  <a name="cfn-pcaconnectorad-template-templatev2-enrollmentflags"></a>
Enrollment flags describe the enrollment settings for certificates such as using the existing private key and deleting expired or revoked certificates.  
*Required*: Yes  
*Type*: [EnrollmentFlagsV2](aws-properties-pcaconnectorad-template-enrollmentflagsv2.md)  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Extensions`  <a name="cfn-pcaconnectorad-template-templatev2-extensions"></a>
Extensions describe the key usage extensions and application policies for a template.  
*Required*: Yes  
*Type*: [ExtensionsV2](aws-properties-pcaconnectorad-template-extensionsv2.md)  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`GeneralFlags`  <a name="cfn-pcaconnectorad-template-templatev2-generalflags"></a>
General flags describe whether the template is used for computers or users and if the template can be used with autoenrollment.  
*Required*: Yes  
*Type*: [GeneralFlagsV2](aws-properties-pcaconnectorad-template-generalflagsv2.md)  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`PrivateKeyAttributes`  <a name="cfn-pcaconnectorad-template-templatev2-privatekeyattributes"></a>
Private key attributes allow you to specify the minimal key length, key spec, and cryptographic providers for the private key of a certificate for v2 templates. V2 templates allow you to use Legacy Cryptographic Service Providers.  
*Required*: Yes  
*Type*: [PrivateKeyAttributesV2](aws-properties-pcaconnectorad-template-privatekeyattributesv2.md)  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`PrivateKeyFlags`  <a name="cfn-pcaconnectorad-template-templatev2-privatekeyflags"></a>
Private key flags for v2 templates specify the client compatibility, if the private key can be exported, and if user input is required when using a private key.   
*Required*: Yes  
*Type*: [PrivateKeyFlagsV2](aws-properties-pcaconnectorad-template-privatekeyflagsv2.md)  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`SubjectNameFlags`  <a name="cfn-pcaconnectorad-template-templatev2-subjectnameflags"></a>
Subject name flags describe the subject name and subject alternate name that are included in a certificate.  
*Required*: Yes  
*Type*: [SubjectNameFlagsV2](aws-properties-pcaconnectorad-template-subjectnameflagsv2.md)  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`SupersededTemplates`  <a name="cfn-pcaconnectorad-template-templatev2-supersededtemplates"></a>
List of templates in Active Directory that are superseded by this template.  
*Required*: No  
*Type*: Array of String  
*Minimum*: `1 | 1`  
*Maximum*: `64 | 100`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

# AWS::PCAConnectorAD::Template TemplateV3
<a name="aws-properties-pcaconnectorad-template-templatev3"></a>

v3 template schema that uses Key Storage Providers.

## Syntax
<a name="aws-properties-pcaconnectorad-template-templatev3-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-pcaconnectorad-template-templatev3-syntax.json"></a>

```
{
  "[CertificateValidity](#cfn-pcaconnectorad-template-templatev3-certificatevalidity)" : CertificateValidity,
  "[EnrollmentFlags](#cfn-pcaconnectorad-template-templatev3-enrollmentflags)" : EnrollmentFlagsV3,
  "[Extensions](#cfn-pcaconnectorad-template-templatev3-extensions)" : ExtensionsV3,
  "[GeneralFlags](#cfn-pcaconnectorad-template-templatev3-generalflags)" : GeneralFlagsV3,
  "[HashAlgorithm](#cfn-pcaconnectorad-template-templatev3-hashalgorithm)" : String,
  "[PrivateKeyAttributes](#cfn-pcaconnectorad-template-templatev3-privatekeyattributes)" : PrivateKeyAttributesV3,
  "[PrivateKeyFlags](#cfn-pcaconnectorad-template-templatev3-privatekeyflags)" : PrivateKeyFlagsV3,
  "[SubjectNameFlags](#cfn-pcaconnectorad-template-templatev3-subjectnameflags)" : SubjectNameFlagsV3,
  "[SupersededTemplates](#cfn-pcaconnectorad-template-templatev3-supersededtemplates)" : [ String, ... ]
}
```

### YAML
<a name="aws-properties-pcaconnectorad-template-templatev3-syntax.yaml"></a>

```
  [CertificateValidity](#cfn-pcaconnectorad-template-templatev3-certificatevalidity): 
    CertificateValidity
  [EnrollmentFlags](#cfn-pcaconnectorad-template-templatev3-enrollmentflags): 
    EnrollmentFlagsV3
  [Extensions](#cfn-pcaconnectorad-template-templatev3-extensions): 
    ExtensionsV3
  [GeneralFlags](#cfn-pcaconnectorad-template-templatev3-generalflags): 
    GeneralFlagsV3
  [HashAlgorithm](#cfn-pcaconnectorad-template-templatev3-hashalgorithm): String
  [PrivateKeyAttributes](#cfn-pcaconnectorad-template-templatev3-privatekeyattributes): 
    PrivateKeyAttributesV3
  [PrivateKeyFlags](#cfn-pcaconnectorad-template-templatev3-privatekeyflags): 
    PrivateKeyFlagsV3
  [SubjectNameFlags](#cfn-pcaconnectorad-template-templatev3-subjectnameflags): 
    SubjectNameFlagsV3
  [SupersededTemplates](#cfn-pcaconnectorad-template-templatev3-supersededtemplates): 
    - String
```

## Properties
<a name="aws-properties-pcaconnectorad-template-templatev3-properties"></a>

`CertificateValidity`  <a name="cfn-pcaconnectorad-template-templatev3-certificatevalidity"></a>
Certificate validity describes the validity and renewal periods of a certificate.  
*Required*: Yes  
*Type*: [CertificateValidity](aws-properties-pcaconnectorad-template-certificatevalidity.md)  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`EnrollmentFlags`  <a name="cfn-pcaconnectorad-template-templatev3-enrollmentflags"></a>
Enrollment flags describe the enrollment settings for certificates such as using the existing private key and deleting expired or revoked certificates.  
*Required*: Yes  
*Type*: [EnrollmentFlagsV3](aws-properties-pcaconnectorad-template-enrollmentflagsv3.md)  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Extensions`  <a name="cfn-pcaconnectorad-template-templatev3-extensions"></a>
Extensions describe the key usage extensions and application policies for a template.  
*Required*: Yes  
*Type*: [ExtensionsV3](aws-properties-pcaconnectorad-template-extensionsv3.md)  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`GeneralFlags`  <a name="cfn-pcaconnectorad-template-templatev3-generalflags"></a>
General flags describe whether the template is used for computers or users and if the template can be used with autoenrollment.  
*Required*: Yes  
*Type*: [GeneralFlagsV3](aws-properties-pcaconnectorad-template-generalflagsv3.md)  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`HashAlgorithm`  <a name="cfn-pcaconnectorad-template-templatev3-hashalgorithm"></a>
Specifies the hash algorithm used to hash the private key.  
*Required*: Yes  
*Type*: String  
*Allowed values*: `SHA256 | SHA384 | SHA512`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`PrivateKeyAttributes`  <a name="cfn-pcaconnectorad-template-templatev3-privatekeyattributes"></a>
Private key attributes allow you to specify the algorithm, minimal key length, key spec, key usage, and cryptographic providers for the private key of a certificate for v3 templates. V3 templates allow you to use Key Storage Providers.  
*Required*: Yes  
*Type*: [PrivateKeyAttributesV3](aws-properties-pcaconnectorad-template-privatekeyattributesv3.md)  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`PrivateKeyFlags`  <a name="cfn-pcaconnectorad-template-templatev3-privatekeyflags"></a>
Private key flags for v3 templates specify the client compatibility, if the private key can be exported, if user input is required when using a private key, and if an alternate signature algorithm should be used.  
*Required*: Yes  
*Type*: [PrivateKeyFlagsV3](aws-properties-pcaconnectorad-template-privatekeyflagsv3.md)  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`SubjectNameFlags`  <a name="cfn-pcaconnectorad-template-templatev3-subjectnameflags"></a>
Subject name flags describe the subject name and subject alternate name that are included in a certificate.  
*Required*: Yes  
*Type*: [SubjectNameFlagsV3](aws-properties-pcaconnectorad-template-subjectnameflagsv3.md)  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`SupersededTemplates`  <a name="cfn-pcaconnectorad-template-templatev3-supersededtemplates"></a>
List of templates in Active Directory that are superseded by this template.  
*Required*: No  
*Type*: Array of String  
*Minimum*: `1 | 1`  
*Maximum*: `64 | 100`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

# AWS::PCAConnectorAD::Template TemplateV4
<a name="aws-properties-pcaconnectorad-template-templatev4"></a>

v4 template schema that can use either Legacy Cryptographic Providers or Key Storage Providers.

## Syntax
<a name="aws-properties-pcaconnectorad-template-templatev4-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-pcaconnectorad-template-templatev4-syntax.json"></a>

```
{
  "[CertificateValidity](#cfn-pcaconnectorad-template-templatev4-certificatevalidity)" : CertificateValidity,
  "[EnrollmentFlags](#cfn-pcaconnectorad-template-templatev4-enrollmentflags)" : EnrollmentFlagsV4,
  "[Extensions](#cfn-pcaconnectorad-template-templatev4-extensions)" : ExtensionsV4,
  "[GeneralFlags](#cfn-pcaconnectorad-template-templatev4-generalflags)" : GeneralFlagsV4,
  "[HashAlgorithm](#cfn-pcaconnectorad-template-templatev4-hashalgorithm)" : String,
  "[PrivateKeyAttributes](#cfn-pcaconnectorad-template-templatev4-privatekeyattributes)" : PrivateKeyAttributesV4,
  "[PrivateKeyFlags](#cfn-pcaconnectorad-template-templatev4-privatekeyflags)" : PrivateKeyFlagsV4,
  "[SubjectNameFlags](#cfn-pcaconnectorad-template-templatev4-subjectnameflags)" : SubjectNameFlagsV4,
  "[SupersededTemplates](#cfn-pcaconnectorad-template-templatev4-supersededtemplates)" : [ String, ... ]
}
```

### YAML
<a name="aws-properties-pcaconnectorad-template-templatev4-syntax.yaml"></a>

```
  [CertificateValidity](#cfn-pcaconnectorad-template-templatev4-certificatevalidity): 
    CertificateValidity
  [EnrollmentFlags](#cfn-pcaconnectorad-template-templatev4-enrollmentflags): 
    EnrollmentFlagsV4
  [Extensions](#cfn-pcaconnectorad-template-templatev4-extensions): 
    ExtensionsV4
  [GeneralFlags](#cfn-pcaconnectorad-template-templatev4-generalflags): 
    GeneralFlagsV4
  [HashAlgorithm](#cfn-pcaconnectorad-template-templatev4-hashalgorithm): String
  [PrivateKeyAttributes](#cfn-pcaconnectorad-template-templatev4-privatekeyattributes): 
    PrivateKeyAttributesV4
  [PrivateKeyFlags](#cfn-pcaconnectorad-template-templatev4-privatekeyflags): 
    PrivateKeyFlagsV4
  [SubjectNameFlags](#cfn-pcaconnectorad-template-templatev4-subjectnameflags): 
    SubjectNameFlagsV4
  [SupersededTemplates](#cfn-pcaconnectorad-template-templatev4-supersededtemplates): 
    - String
```

## Properties
<a name="aws-properties-pcaconnectorad-template-templatev4-properties"></a>

`CertificateValidity`  <a name="cfn-pcaconnectorad-template-templatev4-certificatevalidity"></a>
Certificate validity describes the validity and renewal periods of a certificate.  
*Required*: Yes  
*Type*: [CertificateValidity](aws-properties-pcaconnectorad-template-certificatevalidity.md)  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`EnrollmentFlags`  <a name="cfn-pcaconnectorad-template-templatev4-enrollmentflags"></a>
Enrollment flags describe the enrollment settings for certificates such as using the existing private key and deleting expired or revoked certificates.  
*Required*: Yes  
*Type*: [EnrollmentFlagsV4](aws-properties-pcaconnectorad-template-enrollmentflagsv4.md)  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Extensions`  <a name="cfn-pcaconnectorad-template-templatev4-extensions"></a>
Extensions describe the key usage extensions and application policies for a template.  
*Required*: Yes  
*Type*: [ExtensionsV4](aws-properties-pcaconnectorad-template-extensionsv4.md)  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`GeneralFlags`  <a name="cfn-pcaconnectorad-template-templatev4-generalflags"></a>
General flags describe whether the template is used for computers or users and if the template can be used with autoenrollment.  
*Required*: Yes  
*Type*: [GeneralFlagsV4](aws-properties-pcaconnectorad-template-generalflagsv4.md)  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`HashAlgorithm`  <a name="cfn-pcaconnectorad-template-templatev4-hashalgorithm"></a>
Specifies the hash algorithm used to hash the private key. Hash algorithm can only be specified when using Key Storage Providers.  
*Required*: No  
*Type*: String  
*Allowed values*: `SHA256 | SHA384 | SHA512`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`PrivateKeyAttributes`  <a name="cfn-pcaconnectorad-template-templatev4-privatekeyattributes"></a>
Private key attributes allow you to specify the minimal key length, key spec, key usage, and cryptographic providers for the private key of a certificate for v4 templates. V4 templates allow you to use either Key Storage Providers or Legacy Cryptographic Service Providers. You specify the cryptography provider category in private key flags.  
*Required*: Yes  
*Type*: [PrivateKeyAttributesV4](aws-properties-pcaconnectorad-template-privatekeyattributesv4.md)  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`PrivateKeyFlags`  <a name="cfn-pcaconnectorad-template-templatev4-privatekeyflags"></a>
Private key flags for v4 templates specify the client compatibility, if the private key can be exported, if user input is required when using a private key, if an alternate signature algorithm should be used, and if certificates are renewed using the same private key.  
*Required*: Yes  
*Type*: [PrivateKeyFlagsV4](aws-properties-pcaconnectorad-template-privatekeyflagsv4.md)  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`SubjectNameFlags`  <a name="cfn-pcaconnectorad-template-templatev4-subjectnameflags"></a>
Subject name flags describe the subject name and subject alternate name that are included in a certificate.  
*Required*: Yes  
*Type*: [SubjectNameFlagsV4](aws-properties-pcaconnectorad-template-subjectnameflagsv4.md)  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`SupersededTemplates`  <a name="cfn-pcaconnectorad-template-templatev4-supersededtemplates"></a>
List of templates in Active Directory that are superseded by this template.  
*Required*: No  
*Type*: Array of String  
*Minimum*: `1 | 1`  
*Maximum*: `64 | 100`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

# AWS::PCAConnectorAD::Template ValidityPeriod
<a name="aws-properties-pcaconnectorad-template-validityperiod"></a>

Information describing the end of the validity period of the certificate. This parameter sets the “Not After” date for the certificate. Certificate validity is the period of time during which a certificate is valid. Validity can be expressed as an explicit date and time when the certificate expires, or as a span of time after issuance, stated in hours, days, months, or years. For more information, see Validity in RFC 5280. This value is unaffected when ValidityNotBefore is also specified. For example, if Validity is set to 20 days in the future, the certificate will expire 20 days from issuance time regardless of the ValidityNotBefore value. 

## Syntax
<a name="aws-properties-pcaconnectorad-template-validityperiod-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-pcaconnectorad-template-validityperiod-syntax.json"></a>

```
{
  "[Period](#cfn-pcaconnectorad-template-validityperiod-period)" : Number,
  "[PeriodType](#cfn-pcaconnectorad-template-validityperiod-periodtype)" : String
}
```

### YAML
<a name="aws-properties-pcaconnectorad-template-validityperiod-syntax.yaml"></a>

```
  [Period](#cfn-pcaconnectorad-template-validityperiod-period): Number
  [PeriodType](#cfn-pcaconnectorad-template-validityperiod-periodtype): String
```

## Properties
<a name="aws-properties-pcaconnectorad-template-validityperiod-properties"></a>

`Period`  <a name="cfn-pcaconnectorad-template-validityperiod-period"></a>
The numeric value for the validity period.  
*Required*: Yes  
*Type*: Number  
*Minimum*: `1`  
*Maximum*: `8766000`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`PeriodType`  <a name="cfn-pcaconnectorad-template-validityperiod-periodtype"></a>
The unit of time. You can select hours, days, weeks, months, or years.  
*Required*: Yes  
*Type*: String  
*Allowed values*: `HOURS | DAYS | WEEKS | MONTHS | YEARS`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

# AWS::PCAConnectorAD::TemplateGroupAccessControlEntry
<a name="aws-resource-pcaconnectorad-templategroupaccesscontrolentry"></a>

Create a group access control entry. Allow or deny Active Directory groups permission to enroll and/or autoenroll with the template, based on the group security identifiers (SIDs).

## Syntax
<a name="aws-resource-pcaconnectorad-templategroupaccesscontrolentry-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-resource-pcaconnectorad-templategroupaccesscontrolentry-syntax.json"></a>

```
{
  "Type" : "AWS::PCAConnectorAD::TemplateGroupAccessControlEntry",
  "Properties" : {
      "[AccessRights](#cfn-pcaconnectorad-templategroupaccesscontrolentry-accessrights)" : AccessRights,
      "[GroupDisplayName](#cfn-pcaconnectorad-templategroupaccesscontrolentry-groupdisplayname)" : String,
      "[GroupSecurityIdentifier](#cfn-pcaconnectorad-templategroupaccesscontrolentry-groupsecurityidentifier)" : String,
      "[TemplateArn](#cfn-pcaconnectorad-templategroupaccesscontrolentry-templatearn)" : String
    }
}
```

### YAML
<a name="aws-resource-pcaconnectorad-templategroupaccesscontrolentry-syntax.yaml"></a>

```
Type: AWS::PCAConnectorAD::TemplateGroupAccessControlEntry
Properties:
  [AccessRights](#cfn-pcaconnectorad-templategroupaccesscontrolentry-accessrights): 
    AccessRights
  [GroupDisplayName](#cfn-pcaconnectorad-templategroupaccesscontrolentry-groupdisplayname): String
  [GroupSecurityIdentifier](#cfn-pcaconnectorad-templategroupaccesscontrolentry-groupsecurityidentifier): String
  [TemplateArn](#cfn-pcaconnectorad-templategroupaccesscontrolentry-templatearn): String
```

## Properties
<a name="aws-resource-pcaconnectorad-templategroupaccesscontrolentry-properties"></a>

`AccessRights`  <a name="cfn-pcaconnectorad-templategroupaccesscontrolentry-accessrights"></a>
Permissions to allow or deny an Active Directory group to enroll or autoenroll certificates issued against a template.  
*Required*: Yes  
*Type*: [AccessRights](aws-properties-pcaconnectorad-templategroupaccesscontrolentry-accessrights.md)  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`GroupDisplayName`  <a name="cfn-pcaconnectorad-templategroupaccesscontrolentry-groupdisplayname"></a>
Name of the Active Directory group. This name does not need to match the group name in Active Directory.  
*Required*: Yes  
*Type*: String  
*Pattern*: `^[\x20-\x7E]+$`  
*Minimum*: `0`  
*Maximum*: `256`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`GroupSecurityIdentifier`  <a name="cfn-pcaconnectorad-templategroupaccesscontrolentry-groupsecurityidentifier"></a>
Security identifier (SID) of the group object from Active Directory. The SID starts with "S-".  
*Required*: No  
*Type*: String  
*Pattern*: `^S-[0-9]-([0-9]+-){1,14}[0-9]+$`  
*Minimum*: `7`  
*Maximum*: `256`  
*Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement)

`TemplateArn`  <a name="cfn-pcaconnectorad-templategroupaccesscontrolentry-templatearn"></a>
The Amazon Resource Name (ARN) that was returned when you called [CreateTemplate](https://docs.aws.amazon.com/pca-connector-ad/latest/APIReference/API_CreateTemplate.html).  
*Required*: No  
*Type*: String  
*Pattern*: `^arn:[\w-]+:pca-connector-ad:[\w-]+:[0-9]+:connector(\/[\w-]+)\/template(\/[\w-]+)$`  
*Minimum*: `5`  
*Maximum*: `200`  
*Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement)

# AWS::PCAConnectorAD::TemplateGroupAccessControlEntry AccessRights
<a name="aws-properties-pcaconnectorad-templategroupaccesscontrolentry-accessrights"></a>

Allow or deny permissions for an Active Directory group to enroll or autoenroll certificates for a template.

## Syntax
<a name="aws-properties-pcaconnectorad-templategroupaccesscontrolentry-accessrights-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-pcaconnectorad-templategroupaccesscontrolentry-accessrights-syntax.json"></a>

```
{
  "[AutoEnroll](#cfn-pcaconnectorad-templategroupaccesscontrolentry-accessrights-autoenroll)" : String,
  "[Enroll](#cfn-pcaconnectorad-templategroupaccesscontrolentry-accessrights-enroll)" : String
}
```

### YAML
<a name="aws-properties-pcaconnectorad-templategroupaccesscontrolentry-accessrights-syntax.yaml"></a>

```
  [AutoEnroll](#cfn-pcaconnectorad-templategroupaccesscontrolentry-accessrights-autoenroll): String
  [Enroll](#cfn-pcaconnectorad-templategroupaccesscontrolentry-accessrights-enroll): String
```

## Properties
<a name="aws-properties-pcaconnectorad-templategroupaccesscontrolentry-accessrights-properties"></a>

`AutoEnroll`  <a name="cfn-pcaconnectorad-templategroupaccesscontrolentry-accessrights-autoenroll"></a>
Allow or deny an Active Directory group permission to autoenroll certificates issued against a template. The Active Directory group must be allowed to enroll to allow autoenrollment.  
*Required*: No  
*Type*: String  
*Allowed values*: `ALLOW | DENY`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Enroll`  <a name="cfn-pcaconnectorad-templategroupaccesscontrolentry-accessrights-enroll"></a>
Allow or deny an Active Directory group permission to enroll certificates issued against a template.  
*Required*: No  
*Type*: String  
*Allowed values*: `ALLOW | DENY`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)
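
The following pre-deployment check is an added example, not part of the AWS reference: it applies the `GroupSecurityIdentifier` and `TemplateArn` patterns and the `Enroll`/`AutoEnroll` dependency documented above to every `AWS::PCAConnectorAD::TemplateGroupAccessControlEntry` in a parsed template. The names `lint_aces`, `broad_group` and `_ace`, the finding labels, and the policy of flagging well-known broad groups are assumptions made for this example.

```python
import re
# Patterns and length limits copied from the property reference above.
SID_RE = re.compile(r"^S-[0-9]-([0-9]+-){1,14}[0-9]+$")
ARN_RE = re.compile(r"^arn:[\w-]+:pca-connector-ad:[\w-]+:[0-9]+:connector(\/[\w-]+)"
                    r"\/template(\/[\w-]+)$", re.ASCII)
ACE_TYPE = "AWS::PCAConnectorAD::TemplateGroupAccessControlEntry"
# Assumption: local policy treats these well-known groups as too broad to enroll.
BROAD_SIDS = {"S-1-1-0": "Everyone", "S-1-5-11": "Authenticated Users"}
BROAD_RIDS = {"513": "Domain Users", "515": "Domain Computers"}  # S-1-5-21-<domain>-RID

def broad_group(sid):
    if sid.startswith("S-1-5-21-"):  # domain-relative SID: look at the trailing RID
        return BROAD_RIDS.get(sid.rsplit("-", 1)[1])
    return BROAD_SIDS.get(sid)

def lint_aces(template):
    """Return (logical_id, finding) pairs for every ACE resource in a parsed template."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") != ACE_TYPE:
            continue
        props = res.get("Properties", {})
        sid, arn = props.get("GroupSecurityIdentifier"), props.get("TemplateArn")
        rights = props.get("AccessRights", {})
        enroll, auto = rights.get("Enroll"), rights.get("AutoEnroll")
        # Only literal strings are checked; Ref/Fn::GetAtt values resolve at deploy time.
        if isinstance(sid, str) and not (7 <= len(sid) <= 256 and SID_RE.fullmatch(sid)):
            findings.append((name, "bad-sid"))
        if isinstance(arn, str) and not (5 <= len(arn) <= 200 and ARN_RE.fullmatch(arn)):
            findings.append((name, "bad-template-arn"))
        if any(v not in (None, "ALLOW", "DENY") for v in (enroll, auto)):
            findings.append((name, "bad-access-right"))
        # The group must be allowed to enroll for autoenrollment to be allowed.
        if auto == "ALLOW" and enroll != "ALLOW":
            findings.append((name, "autoenroll-without-enroll"))
        if isinstance(sid, str) and "ALLOW" in (enroll, auto) and broad_group(sid):
            findings.append((name, "broad-group:" + broad_group(sid)))
    return findings

# Constructed sample: placeholder SIDs and logical ids, not taken from a real directory.
def _ace(sid, enroll, auto):
    return {"Type": ACE_TYPE, "Properties": {
        "GroupDisplayName": "example", "GroupSecurityIdentifier": sid,
        "TemplateArn": {"Fn::GetAtt": ["Template", "TemplateArn"]},
        "AccessRights": {"Enroll": enroll, "AutoEnroll": auto}}}
SAMPLE = {"Resources": {
    "WebServersAce": _ace("S-1-5-21-1004336348-1177238915-682003330-1104", "ALLOW", "ALLOW"),
    "DomainUsersAce": _ace("S-1-5-21-1004336348-1177238915-682003330-513", "DENY", "ALLOW"),
    "MalformedAce": _ace("S-1-5", "ALLOW", None)}}
```

Load the template with your usual JSON or YAML parser and pass the resulting dictionary to `lint_aces`; an empty list means no finding.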