This is the new *CloudFormation Template Reference Guide*. Please update your bookmarks and links. For help getting started with CloudFormation, see the [AWS CloudFormation User Guide](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/Welcome.html). # AWS::IoT::Certificate Use the `AWS::IoT::Certificate` resource to declare an AWS IoT X.509 certificate. For information about working with X.509 certificates, see [X.509 Client Certificates](https://docs.aws.amazon.com/iot/latest/developerguide/x509-client-certs.html) in the *AWS IoT Developer Guide*. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "Type" : "AWS::IoT::Certificate", "Properties" : { "[CACertificatePem](#cfn-iot-certificate-cacertificatepem)" : String, "[CertificateMode](#cfn-iot-certificate-certificatemode)" : String, "[CertificatePem](#cfn-iot-certificate-certificatepem)" : String, "[CertificateSigningRequest](#cfn-iot-certificate-certificatesigningrequest)" : String, "[Status](#cfn-iot-certificate-status)" : String } } ``` ### YAML ``` Type: AWS::IoT::Certificate Properties: [CACertificatePem](#cfn-iot-certificate-cacertificatepem): String [CertificateMode](#cfn-iot-certificate-certificatemode): String [CertificatePem](#cfn-iot-certificate-certificatepem): String [CertificateSigningRequest](#cfn-iot-certificate-certificatesigningrequest): String [Status](#cfn-iot-certificate-status): String ``` ## Properties `CACertificatePem` The CA certificate used to sign the device certificate being registered, not available when CertificateMode is SNI\$1ONLY. *Required*: No *Type*: String *Minimum*: `1` *Maximum*: `65536` *Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement) `CertificateMode` Specifies which mode of certificate registration to use with this resource. Valid options are DEFAULT with CaCertificatePem and CertificatePem, SNI\$1ONLY with CertificatePem, and Default with CertificateSigningRequest. `DEFAULT`: A certificate in `DEFAULT` mode is either generated by AWS IoT Core or registered with an issuer certificate authority (CA). Devices with certificates in `DEFAULT` mode aren't required to send the Server Name Indication (SNI) extension when connecting to AWS IoT Core. However, to use features such as custom domains and VPC endpoints, we recommend that you use the SNI extension when connecting to AWS IoT Core. `SNI_ONLY`: A certificate in `SNI_ONLY` mode is registered without an issuer CA. Devices with certificates in `SNI_ONLY` mode must send the SNI extension when connecting to AWS IoT Core. *Required*: No *Type*: String *Allowed values*: `DEFAULT | SNI_ONLY` *Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement) `CertificatePem` The certificate data in PEM format. Requires SNI\$1ONLY for the certificate mode or the accompanying CACertificatePem for registration. *Required*: No *Type*: String *Minimum*: `1` *Maximum*: `65536` *Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement) `CertificateSigningRequest` The certificate signing request (CSR). *Required*: No *Type*: String *Pattern*: `[\s\S]*` *Minimum*: `1` *Maximum*: `4096` *Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement) `Status` The status of the certificate. Valid values are ACTIVE, INACTIVE, REVOKED, PENDING\$1TRANSFER, and PENDING\$1ACTIVATION. The status value REGISTER\$1INACTIVE is deprecated and should not be used. *Required*: Yes *Type*: String *Allowed values*: `ACTIVE | INACTIVE | REVOKED | PENDING_TRANSFER | PENDING_ACTIVATION` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) ## Return values ### Ref When you pass the logical ID of this resource to the intrinsic `Ref` function, `Ref` returns the certificate ID. For example: `{ "Ref": "MyCertificate" }` A value similar to the following is returned: `a1234567b89c012d3e4fg567hij8k9l01mno1p23q45678901rs234567890t1u2` For more information about using the `Ref` function, see [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-ref.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-ref.html). ### Fn::GetAtt The `Fn::GetAtt` intrinsic function returns a value for a specified attribute of this type. The following are the available attributes and sample return values. For more information about using the `Fn::GetAtt` intrinsic function, see [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-getatt.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-getatt.html). #### `Arn` Returns the Amazon Resource Name (ARN) for the certificate. For example: `{ "Fn::GetAtt": ["MyCertificate", "Arn"] }` A value similar to the following is returned: `arn:aws:iot:ap-southeast-2:123456789012:cert/a1234567b89c012d3e4fg567hij8k9l01mno1p23q45678901rs234567890t1u2` `Id` The certificate ID.