CertificateAuthority
CertificateAuthority is the Schema for the CertificateAuthoritys API. Provides a resource to manage AWS Certificate Manager Private Certificate Authorities
TypeMR
Providerprovider-aws-acmpca
Groupacmpca.aws.upbound.io
Scopecluster
Versionv1beta1

1apiVersion: acmpca.aws.upbound.io/v1beta1

2kind: CertificateAuthority

apiVersion
string
kind
string
metadata
object
spec
object

CertificateAuthoritySpec defines the desired state of CertificateAuthority

deletionPolicy
string
forProvider
required
object

(No description available)

certificateAuthorityConfiguration
array

Nested argument containing algorithms and certificate subject information. Defined below.

keyAlgorithm
string
signingAlgorithm
string
subject
array

Nested argument that contains X.500 distinguished name information. At least one nested attribute must be specified.

commonName
string
country
string
distinguishedNameQualifier
string
generationQualifier
string
givenName
string
initials
string
locality
string
organization
string
organizationalUnit
string
pseudonym
string
state
string
surname
string
title
string
enabled
boolean
keyStorageSecurityStandard
string
permanentDeletionTimeInDays
number
region
required
string
revocationConfiguration
array

Nested argument containing revocation configuration. Defined below.

crlConfiguration
array

Nested argument containing configuration of the certificate revocation list (CRL), if any, maintained by the certificate authority. Defined below.

customCname
string
enabled
boolean
expirationInDays
number
s3BucketName
string
s3ObjectAcl
string
ocspConfiguration
array

Nested argument containing configuration of the custom OCSP responder endpoint. Defined below.

enabled
boolean
ocspCustomCname
string
tags
object
type
string
usageMode
string
initProvider
object

THIS IS A BETA FIELD. It will be honored unless the Management Policies feature flag is disabled. InitProvider holds the same fields as ForProvider, with the exception of Identifier and other resource reference fields. The fields that are in InitProvider are merged into ForProvider when the resource is created. The same fields are also added to the terraform ignore_changes hook, to avoid updating them after creation. This is useful for fields that are required on creation, but we do not desire to update them after creation, for example because of an external controller is managing them, like an autoscaler.

certificateAuthorityConfiguration
array

Nested argument containing algorithms and certificate subject information. Defined below.

keyAlgorithm
string
signingAlgorithm
string
subject
array

Nested argument that contains X.500 distinguished name information. At least one nested attribute must be specified.

commonName
string
country
string
distinguishedNameQualifier
string
generationQualifier
string
givenName
string
initials
string
locality
string
organization
string
organizationalUnit
string
pseudonym
string
state
string
surname
string
title
string
enabled
boolean
keyStorageSecurityStandard
string
permanentDeletionTimeInDays
number
revocationConfiguration
array

Nested argument containing revocation configuration. Defined below.

crlConfiguration
array

Nested argument containing configuration of the certificate revocation list (CRL), if any, maintained by the certificate authority. Defined below.

customCname
string
enabled
boolean
expirationInDays
number
s3BucketName
string
s3ObjectAcl
string
ocspConfiguration
array

Nested argument containing configuration of the custom OCSP responder endpoint. Defined below.

enabled
boolean
ocspCustomCname
string
tags
object
type
string
usageMode
string
managementPolicies
array

THIS IS A BETA FIELD. It is on by default but can be opted out through a Crossplane feature flag. ManagementPolicies specify the array of actions Crossplane is allowed to take on the managed and external resources. This field is planned to replace the DeletionPolicy field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. If both are custom, the DeletionPolicy field will be ignored. See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md

providerConfigRef
object

ProviderConfigReference specifies how the provider that will be used to create, observe, update, and delete this managed resource should be configured.

name
required
string
policy
object

Policies for referencing.

resolution
string
resolve
string
publishConnectionDetailsTo
object

PublishConnectionDetailsTo specifies the connection secret config which contains a name, metadata and a reference to secret store config to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource.

configRef
object

SecretStoreConfigRef specifies which secret store config should be used for this ConnectionSecret.

name
required
string
policy
object

Policies for referencing.

resolution
string
resolve
string
metadata
object

Metadata is the metadata for connection secret.

annotations
object
labels
object
type
string
name
required
string
writeConnectionSecretToRef
object

WriteConnectionSecretToReference specifies the namespace and name of a Secret to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. This field is planned to be replaced in a future release in favor of PublishConnectionDetailsTo. Currently, both could be set independently and connection details would be published to both without affecting each other.

name
required
string
namespace
required
string
status
object

CertificateAuthorityStatus defines the observed state of CertificateAuthority.

atProvider
object

(No description available)

arn
string
certificate
string
certificateAuthorityConfiguration
array

Nested argument containing algorithms and certificate subject information. Defined below.

keyAlgorithm
string
signingAlgorithm
string
subject
array

Nested argument that contains X.500 distinguished name information. At least one nested attribute must be specified.

commonName
string
country
string
distinguishedNameQualifier
string
generationQualifier
string
givenName
string
initials
string
locality
string
organization
string
organizationalUnit
string
pseudonym
string
state
string
surname
string
title
string
certificateChain
string
certificateSigningRequest
string
enabled
boolean
id
string
keyStorageSecurityStandard
string
notAfter
string
notBefore
string
permanentDeletionTimeInDays
number
revocationConfiguration
array

Nested argument containing revocation configuration. Defined below.

crlConfiguration
array

Nested argument containing configuration of the certificate revocation list (CRL), if any, maintained by the certificate authority. Defined below.

customCname
string
enabled
boolean
expirationInDays
number
s3BucketName
string
s3ObjectAcl
string
ocspConfiguration
array

Nested argument containing configuration of the custom OCSP responder endpoint. Defined below.

enabled
boolean
ocspCustomCname
string
serial
string
tags
object
tagsAll
object
type
string
usageMode
string
conditions
array

Conditions of the resource.

lastTransitionTime
required
string
message
string
observedGeneration
integer
reason
required
string
status
required
string
type
required
string
observedGeneration
integer
Discover the building blocks for your internal cloud platform.
© 2026 Upbound, Inc.
Solutions
Learn
Company
Community
More