AWS Certificate Manager (ACM) helps you manage the lifecycle of SSL/TLS certificates, from the initial request through automatic renewal.
ACM can now be driven from CloudFormation to automate certificate management for DNS-validated certificates whose domain is hosted in Amazon Route 53: when you point the certificate resource at the Route 53 hosted zone, ACM creates the validation CNAME records itself.
With this improvement you no longer need to validate the request by hand, and because the validation records stay in the zone, ACM can also renew the certificate without any manual step.
To start using this capability, add a resource of type AWS::CertificateManager::Certificate to a CloudFormation template. Its syntax is shown below.
{
  "Type" : "AWS::CertificateManager::Certificate",
  "Properties" : {
    "CertificateAuthorityArn" : String,
    "CertificateTransparencyLoggingPreference" : String,
    "DomainName" : String,
    "DomainValidationOptions" : [ DomainValidationOption, ... ],
    "SubjectAlternativeNames" : [ String, ... ],
    "Tags" : [ Tag, ... ],
    "ValidationMethod" : String
  }
}
Where
- CertificateAuthorityArn is the Amazon Resource Name (ARN) of a private certificate authority (CA) in AWS Private CA, in the form arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012. Set it only when you want a private certificate; private certificates are not domain-validated, so the DNS validation described in this post does not apply to them
- CertificateTransparencyLoggingPreference defines whether the certificate is recorded in public Certificate Transparency (CT) logs. Accepted values are ENABLED (the default) or DISABLED. Leave it enabled for any certificate a browser will see: modern browsers reject publicly trusted certificates that carry no CT proof, so DISABLED only makes sense for certificates used between services you control
- DomainName (required) defines the fully qualified domain name (like www.amazon.com) for which you want to request the certificate
- DomainValidationOptions defines, per domain name, how ACM verifies that you control the domain. For automated DNS validation each entry names the domain and the Route 53 hosted zone (HostedZoneId) that is authoritative for it; without a HostedZoneId, ACM still uses DNS validation but you have to create the CNAME record yourself, and the stack stays in CREATE_IN_PROGRESS until you do. The full list of options is here https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-certificatemanager-certificate-domainvalidationoption.html
- SubjectAlternativeNames lets you add other names (including a wildcard such as *.mydomain.com) to the certificate; as for the domain name, each entry must be a FQDN
- Tags lets you attach tags to identify your certificate
- ValidationMethod defines the validation method (DNS or EMAIL) ACM uses to verify your ownership of the domain. In the context of this post you should use DNS
Below is a minimal sample of the resource in a JSON template. The ValidationDomain entry tells ACM which domain the validation applies to; to have ACM create the Route 53 record automatically, add the HostedZoneId of the zone to the same DomainValidationOptions entry
"mycertificate" : {
  "Type" : "AWS::CertificateManager::Certificate",
  "Properties" : {
    "DomainName" : "mydomain.com",
    "DomainValidationOptions" : [{
      "DomainName" : "mydomain.com",
      "ValidationDomain" : "mydomain.com"
    }],
    "ValidationMethod" : "DNS"
  }
}
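The snippet above is only the resource; a complete template that actually exercises the Route 53 automation is shown below. This is an added example, not a template from the original post or from AWS. It assumes a public hosted zone already exists for the domain, passes its ID in as a parameter (so no zone ID is hard-coded), requests a wildcard SAN alongside the apex, keeps CT logging enabled, and exports the certificate ARN for an ALB listener or CloudFront distribution to reference. The parameter names DomainName and HostedZoneId and the tag values are assumptions of this example.

```json
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Added example: ACM certificate with DNS validation automated through Route 53",
  "Parameters": {
    "DomainName": {
      "Type": "String",
      "Default": "mydomain.com",
      "Description": "Apex domain to request the certificate for (assumed value)"
    },
    "HostedZoneId": {
      "Type": "AWS::Route53::HostedZone::Id",
      "Description": "Public Route 53 hosted zone that is authoritative for DomainName"
    }
  },
  "Resources": {
    "mycertificate": {
      "Type": "AWS::CertificateManager::Certificate",
      "Properties": {
        "DomainName": { "Ref": "DomainName" },
        "SubjectAlternativeNames": [
          { "Fn::Sub": "*.${DomainName}" }
        ],
        "ValidationMethod": "DNS",
        "CertificateTransparencyLoggingPreference": "ENABLED",
        "DomainValidationOptions": [
          {
            "DomainName": { "Ref": "DomainName" },
            "HostedZoneId": { "Ref": "HostedZoneId" }
          },
          {
            "DomainName": { "Fn::Sub": "*.${DomainName}" },
            "HostedZoneId": { "Ref": "HostedZoneId" }
          }
        ],
        "Tags": [
          { "Key": "Environment", "Value": "prod" },
          { "Key": "ManagedBy", "Value": "CloudFormation" }
        ]
      }
    }
  },
  "Outputs": {
    "CertificateArn": {
      "Description": "Ref on an ACM certificate resource returns its ARN",
      "Value": { "Ref": "mycertificate" },
      "Export": { "Name": { "Fn::Sub": "${AWS::StackName}-CertificateArn" } }
    }
  }
}
```

Two practical notes: the principal that creates the stack needs route53:ChangeResourceRecordSets on the hosted zone, since that is the identity ACM uses to write the validation CNAMEs; and a certificate intended for CloudFront must be created in us-east-1, so deploy this stack there (or with a separate region-specific stack) in that case. Once the stack reaches CREATE_COMPLETE the validation records remain in the zone, which is what lets ACM renew the certificate unattended.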