# Create CAs and certificates with custom subject names
The [CustomAttribute](https://docs.aws.amazon.com/privateca/latest/APIReference/API_CustomAttribute.html) object allows administrators to pass custom object identifiers (OIDs) to private CAs and certificates. Custom OIDs can be used to create specialized subject-name hierarchies that reflect the structure and needs of your organization. Customized certificates must be created using one of the `ApiPassthrough` templates. For more information about templates, see [AWS Private CA template varieties](template-varieties.md). For more information about using custom attrributes, see [Issue private end-entity certificates](PcaIssueCert.md) and [Create a private CA in AWS Private CA](create-CA.md).
You cannot use `StandardAttributes` in conjunction with `CustomAttributes`. However, you can pass standard OIDs as part of a `CustomAttributes`. The default subject name OIDs are listed in the following table:
| Subject name | Object ID |
| --- | --- |
| Country | 2.5.4.6 |
| CommonName | 2.5.4.3 |
| DistinguishedNameQualifier | 2.5.4.46 |
| GenerationQualifier | 2.5.4.44 |
| GivenName | 2.5.4.42 |
| Initials | 2.5.4.43 |
| Locality | 2.5.4.7 |
| Organization | 2.5.4.10 |
| OrganizationalUnit | 2.5.4.11 |
| Pseudonym | 2.5.4.65 |
| SerialNumber | 2.5.4.5 |
| State | 2.5.4.8 |
| Surname | 2.5.4.4 |
| Title | 2.5.4.12 |
**Topics**
+ [
## Create CA with CustomAttribute
](#CA_CustomAttribute)
+ [
## Issue a certificate with CustomAttribute
](#Certificate_CustomAttribute)
## Create CA with CustomAttribute
```
package com.amazonaws.samples;
import com.amazonaws.auth.AWSCredentials;
import com.amazonaws.auth.profile.ProfileCredentialsProvider;
import com.amazonaws.client.builder.AwsClientBuilder;
import com.amazonaws.client.builder.AwsClientBuilder.EndpointConfiguration;
import com.amazonaws.auth.AWSStaticCredentialsProvider;
import com.amazonaws.services.acmpca.AWSACMPCA;
import com.amazonaws.services.acmpca.AWSACMPCAClientBuilder;
import com.amazonaws.services.acmpca.model.ASN1Subject;
import com.amazonaws.services.acmpca.model.CertificateAuthorityConfiguration;
import com.amazonaws.services.acmpca.model.CertificateAuthorityType;
import com.amazonaws.services.acmpca.model.CreateCertificateAuthorityResult;
import com.amazonaws.services.acmpca.model.CreateCertificateAuthorityRequest;
import com.amazonaws.services.acmpca.model.CrlConfiguration;
import com.amazonaws.services.acmpca.model.CustomAttribute;
import com.amazonaws.services.acmpca.model.KeyAlgorithm;
import com.amazonaws.services.acmpca.model.SigningAlgorithm;
import com.amazonaws.services.acmpca.model.Tag;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import com.amazonaws.AmazonClientException;
import com.amazonaws.services.acmpca.model.LimitExceededException;
import com.amazonaws.services.acmpca.model.InvalidArgsException;
import com.amazonaws.services.acmpca.model.InvalidPolicyException;
import com.amazonaws.services.acmpca.model.RevocationConfiguration;
public class CreateCertificateAuthorityWithCustomAttributes {
public static void main(String[] args) throws Exception {
// Retrieve your credentials from the C:\Users\name\.aws\credentials file
// in Windows or the .aws/credentials file in Linux.
AWSCredentials credentials = null;
try {
credentials = new ProfileCredentialsProvider("default").getCredentials();
} catch (Exception e) {
throw new AmazonClientException(
"Cannot load the credentials from the credential profiles file. " +
"Please make sure that your credentials file is at the correct " +
"location (C:\\Users\\joneps\\.aws\\credentials), and is in valid format.",
e);
}
// Define the endpoint for your sample.
String endpointRegion = "us-west-2"; // Substitute your region here, e.g. "us-west-2"
String endpointProtocol = "https://acm-pca." + endpointRegion + ".amazonaws.com/";
EndpointConfiguration endpoint =
new AwsClientBuilder.EndpointConfiguration(endpointProtocol, endpointRegion);
// Create a client that you can use to make requests.
AWSACMPCA client = AWSACMPCAClientBuilder.standard()
.withEndpointConfiguration(endpoint)
.withCredentials(new AWSStaticCredentialsProvider(credentials))
.build();
// Define custom attributes
List customAttributes = Arrays.asList(
new CustomAttribute()
.withObjectIdentifier("2.5.4.6") // Country
.withValue("US"),
new CustomAttribute()
.withObjectIdentifier("2.5.4.3") // CommonName
.withValue("CommonName"),
new CustomAttribute()
.withObjectIdentifier("1.3.6.1.4.1") // CustomOID
.withValue("ABCDEFG"),
new CustomAttribute()
.withObjectIdentifier("1.3.6.1.4.1") // CustomOID
.withValue("BCDEFGH")
);
// Define a CA subject.
ASN1Subject subject = new ASN1Subject();
subject.setCustomAttributes(customAttributes);
// Define the CA configuration.
CertificateAuthorityConfiguration configCA = new CertificateAuthorityConfiguration();
configCA.withKeyAlgorithm(KeyAlgorithm.RSA_2048);
configCA.withSigningAlgorithm(SigningAlgorithm.SHA256WITHRSA);
configCA.withSubject(subject);
// Define a certificate revocation list configuration.
CrlConfiguration crlConfigure = new CrlConfiguration();
crlConfigure.withEnabled(true);
crlConfigure.withExpirationInDays(365);
crlConfigure.withCustomCname(null);
crlConfigure.withS3BucketName("your-bucket-name");
RevocationConfiguration revokeConfig = new RevocationConfiguration();
revokeConfig.setCrlConfiguration(crlConfigure);
// Define a certificate authority type: ROOT or SUBORDINATE
CertificateAuthorityType caType = CertificateAuthorityType.SUBORDINATE;
// Create a tag - method 1
Tag tag1 = new Tag();
tag1.withKey("PrivateCA");
tag1.withValue("Sample");
// Create a tag - method 2
Tag tag2 = new Tag()
.withKey("Purpose")
.withValue("WebServices");
// Add the tags to a collection.
ArrayList tags = new ArrayList();
tags.add(tag1);
tags.add(tag2);
// Create the request object.
CreateCertificateAuthorityRequest req = new CreateCertificateAuthorityRequest();
req.withCertificateAuthorityConfiguration(configCA);
req.withRevocationConfiguration(revokeConfig);
req.withIdempotencyToken("1234");
req.withCertificateAuthorityType(caType);
req.withTags(tags);
// Create the private CA.
CreateCertificateAuthorityResult result = null;
try {
result = client.createCertificateAuthority(req);
} catch (InvalidArgsException ex) {
throw ex;
} catch (InvalidPolicyException ex) {
throw ex;
} catch (LimitExceededException ex) {
throw ex;
}
// Retrieve the ARN of the private CA.
String arn = result.getCertificateAuthorityArn();
System.out.println(arn);
}
}
```
## Issue a certificate with CustomAttribute
```
package com.amazonaws.samples;
import com.amazonaws.auth.AWSCredentials;
import com.amazonaws.auth.profile.ProfileCredentialsProvider;
import com.amazonaws.client.builder.AwsClientBuilder;
import com.amazonaws.client.builder.AwsClientBuilder.EndpointConfiguration;
import com.amazonaws.auth.AWSStaticCredentialsProvider;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Base64;
import java.util.List;
import java.util.Objects;
import com.amazonaws.services.acmpca.AWSACMPCA;
import com.amazonaws.services.acmpca.AWSACMPCAClientBuilder;
import com.amazonaws.services.acmpca.model.ASN1Subject;
import com.amazonaws.services.acmpca.model.ApiPassthrough;
import com.amazonaws.services.acmpca.model.CustomAttribute;
import com.amazonaws.services.acmpca.model.Extensions;
import com.amazonaws.services.acmpca.model.IssueCertificateRequest;
import com.amazonaws.services.acmpca.model.IssueCertificateResult;
import com.amazonaws.services.acmpca.model.SigningAlgorithm;
import com.amazonaws.services.acmpca.model.Validity;
import com.amazonaws.AmazonClientException;
import com.amazonaws.services.acmpca.model.LimitExceededException;
import com.amazonaws.services.acmpca.model.ResourceNotFoundException;
import com.amazonaws.services.acmpca.model.InvalidStateException;
import com.amazonaws.services.acmpca.model.InvalidArnException;
import com.amazonaws.services.acmpca.model.InvalidArgsException;
import com.amazonaws.services.acmpca.model.MalformedCSRException;
public class IssueCertificateWithCustomAttributes {
private static ByteBuffer stringToByteBuffer(final String string) {
if (Objects.isNull(string)) {
return null;
}
byte[] bytes = string.getBytes(StandardCharsets.UTF_8);
return ByteBuffer.wrap(bytes);
}
public static void main(String[] args) throws Exception {
// Retrieve your credentials from the C:\Users\name\.aws\credentials file
// in Windows or the .aws/credentials file in Linux.
AWSCredentials credentials = null;
try {
credentials = new ProfileCredentialsProvider("default").getCredentials();
} catch (Exception e) {
throw new AmazonClientException("Cannot load your credentials from disk", e);
}
// Define the endpoint for your sample.
String endpointRegion = "us-west-2"; // Substitute your region here, e.g. "us-west-2"
String endpointProtocol = "https://acm-pca." + endpointRegion + ".amazonaws.com/";
EndpointConfiguration endpoint =
new AwsClientBuilder.EndpointConfiguration(endpointProtocol, endpointRegion);
// Create a client that you can use to make requests.
AWSACMPCA client = AWSACMPCAClientBuilder.standard()
.withEndpointConfiguration(endpoint)
.withCredentials(new AWSStaticCredentialsProvider(credentials))
.build();
// Create a certificate request:
IssueCertificateRequest req = new IssueCertificateRequest();
// Set the CA ARN.
req.withCertificateAuthorityArn("arn:aws:acm-pca:region:account:" +
"certificate-authority/12345678-1234-1234-1234-123456789012");
// Specify the certificate signing request (CSR) for the certificate to be signed and issued.
String strCSR =
"-----BEGIN CERTIFICATE REQUEST-----\n" +
"base64-encoded CSR\n" +
"-----END CERTIFICATE REQUEST-----\n";
ByteBuffer csrByteBuffer = stringToByteBuffer(strCSR);
req.setCsr(csrByteBuffer);
// Specify the template for the issued certificate.
req.withTemplateArn("arn:aws:acm-pca:::template/EndEntityCertificate_APIPassthrough/V1");
// Set the signing algorithm.
req.withSigningAlgorithm(SigningAlgorithm.SHA256WITHRSA);
// Set the validity period for the certificate to be issued.
Validity validity = new Validity();
validity.withValue(100L);
validity.withType("DAYS");
req.withValidity(validity);
// Set the idempotency token.
req.setIdempotencyToken("1234");
// Define custom attributes
List customAttributes = Arrays.asList(
new CustomAttribute()
.withObjectIdentifier("2.5.4.6") // Country
.withValue("US"),
new CustomAttribute()
.withObjectIdentifier("2.5.4.3") // CommonName
.withValue("CommonName"),
new CustomAttribute()
.withObjectIdentifier("1.3.6.1.4.1") // CustomOID
.withValue("ABCDEFG"),
new CustomAttribute()
.withObjectIdentifier("1.3.6.1.4.1") // CustomOID
.withValue("BCDEFGH")
);
// Define certificate subject.
ASN1Subject subject = new ASN1Subject();
subject.setCustomAttributes(customAttributes);
// Add subject to api-passthrough
ApiPassthrough apiPassthrough = new ApiPassthrough();
apiPassthrough.setSubject(subject);
req.setApiPassthrough(apiPassthrough);
// Issue the certificate.
IssueCertificateResult result = null;
try {
result = client.issueCertificate(req);
} catch (LimitExceededException ex) {
throw ex;
} catch (ResourceNotFoundException ex) {
throw ex;
} catch (InvalidStateException ex) {
throw ex;
} catch (InvalidArnException ex) {
throw ex;
} catch (InvalidArgsException ex) {
throw ex;
} catch (MalformedCSRException ex) {
throw ex;
}
// Retrieve and display the certificate ARN.
String arn = result.getCertificateArn();
System.out.println(arn);
}
}
```