aws-cdk-lib 2.200.2__py3-none-any.whl → 2.224.0__py3-none-any.whl

aws_cdk/aws_certificatemanager/__init__.py

@@ -146,6 +146,17 @@ acm.PrivateCertificate(self, "PrivateCertificate",
 )
 ```
 
+## Requesting public SSL/TLS certificates exportable to use anywhere
+
+AWS Certificate Manager can issue an exportable public certificate. There is a charge at certificate issuance and again when the certificate renews. See [opting out of certificate transparency logging](https://docs.aws.amazon.com/acm/latest/userguide/acm-exportable-certificates.html) for details.
+
+```python
+acm.Certificate(self, "Certificate",
+    domain_name="test.example.com",
+    allow_export=True
+)
+```
+
 ## Requesting certificates without transparency logging
 
 Transparency logging can be opted out of for AWS Certificate Manager certificates. See [opting out of certificate transparency logging](https://docs.aws.amazon.com/acm/latest/userguide/acm-bestpractices.html#best-practices-transparency) for limits.
@@ -269,6 +280,12 @@ from ..aws_cloudwatch import (
 )
 from ..aws_iam import IRole as _IRole_235f5d8e
 from ..aws_route53 import IHostedZone as _IHostedZone_9a6907ad
+from ..interfaces.aws_certificatemanager import (
+    AccountReference as _AccountReference_2fb6748e,
+    CertificateReference as _CertificateReference_6d6c82cf,
+    IAccountRef as _IAccountRef_dbc6fc0d,
+    ICertificateRef as _ICertificateRef_1878d79b,
+)
 
 
 @jsii.data_type(
@@ -276,6 +293,7 @@ from ..aws_route53 import IHostedZone as _IHostedZone_9a6907ad
     jsii_struct_bases=[],
     name_mapping={
         "domain_name": "domainName",
+        "allow_export": "allowExport",
         "certificate_name": "certificateName",
         "key_algorithm": "keyAlgorithm",
         "subject_alternative_names": "subjectAlternativeNames",
@@ -288,6 +306,7 @@ class CertificateProps:
         self,
         *,
         domain_name: builtins.str,
+        allow_export: typing.Optional[builtins.bool] = None,
         certificate_name: typing.Optional[builtins.str] = None,
         key_algorithm: typing.Optional["KeyAlgorithm"] = None,
         subject_alternative_names: typing.Optional[typing.Sequence[builtins.str]] = None,
@@ -297,6 +316,7 @@ class CertificateProps:
         '''Properties for your certificate.
 
         :param domain_name: Fully-qualified domain name to request a certificate for. May contain wildcards, such as ``*.domain.com``.
+        :param allow_export: Enable or disable export of this certificate. If you issue an exportable public certificate, there is a charge at certificate issuance and again when the certificate renews. Ref: https://aws.amazon.com/certificate-manager/pricing Default: false
         :param certificate_name: The Certificate name. Since the Certificate resource doesn't support providing a physical name, the value provided here will be recorded in the ``Name`` tag Default: the full, absolute path of this construct
         :param key_algorithm: Specifies the algorithm of the public and private key pair that your certificate uses to encrypt data. Default: KeyAlgorithm.RSA_2048
         :param subject_alternative_names: Alternative domain names on your certificate. Use this to register alternative domain names that represent the same site. Default: - No additional FQDNs will be included as alternative domain names.
@@ -307,27 +327,27 @@ class CertificateProps:
 
         Example::
 
-            # To use your own domain name in a Distribution, you must associate a certificate
-            import aws_cdk.aws_certificatemanager as acm
-            import aws_cdk.aws_route53 as route53
-            
-            # hosted_zone: route53.HostedZone
-            
-            # my_bucket: s3.Bucket
-            
-            my_certificate = acm.Certificate(self, "mySiteCert",
-                domain_name="www.example.com",
-                validation=acm.CertificateValidation.from_dns(hosted_zone)
+            example_com = route53.HostedZone(self, "ExampleCom",
+                zone_name="example.com"
+            )
+            example_net = route53.HostedZone(self, "ExampleNet",
+                zone_name="example.net"
             )
-            cloudfront.Distribution(self, "myDist",
-                default_behavior=cloudfront.BehaviorOptions(origin=origins.S3Origin(my_bucket)),
-                domain_names=["www.example.com"],
-                certificate=my_certificate
+            
+            cert = acm.Certificate(self, "Certificate",
+                domain_name="test.example.com",
+                subject_alternative_names=["cool.example.com", "test.example.net"],
+                validation=acm.CertificateValidation.from_dns_multi_zone({
+                    "test.example.com": example_com,
+                    "cool.example.com": example_com,
+                    "test.example.net": example_net
+                })
             )
         '''
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__0454180af2ed6575d11cf361cd5374f722ba32d4007970472aca57751d85258f)
             check_type(argname="argument domain_name", value=domain_name, expected_type=type_hints["domain_name"])
+            check_type(argname="argument allow_export", value=allow_export, expected_type=type_hints["allow_export"])
             check_type(argname="argument certificate_name", value=certificate_name, expected_type=type_hints["certificate_name"])
             check_type(argname="argument key_algorithm", value=key_algorithm, expected_type=type_hints["key_algorithm"])
             check_type(argname="argument subject_alternative_names", value=subject_alternative_names, expected_type=type_hints["subject_alternative_names"])
@@ -336,6 +356,8 @@ class CertificateProps:
         self._values: typing.Dict[builtins.str, typing.Any] = {
             "domain_name": domain_name,
         }
+        if allow_export is not None:
+            self._values["allow_export"] = allow_export
         if certificate_name is not None:
             self._values["certificate_name"] = certificate_name
         if key_algorithm is not None:
@@ -357,6 +379,18 @@ class CertificateProps:
         assert result is not None, "Required property 'domain_name' is missing"
         return typing.cast(builtins.str, result)
 
+    @builtins.property
+    def allow_export(self) -> typing.Optional[builtins.bool]:
+        '''Enable or disable export of this certificate.
+
+        If you issue an exportable public certificate, there is a charge at certificate issuance and again when the certificate renews.
+        Ref: https://aws.amazon.com/certificate-manager/pricing
+
+        :default: false
+        '''
+        result = self._values.get("allow_export")
+        return typing.cast(typing.Optional[builtins.bool], result)
+
     @builtins.property
     def certificate_name(self) -> typing.Optional[builtins.str]:
         '''The Certificate name.
@@ -648,7 +682,7 @@ class CertificationValidationProps:
         )
 
 
-@jsii.implements(_IInspectable_c2943556)
+@jsii.implements(_IInspectable_c2943556, _IAccountRef_dbc6fc0d)
 class CfnAccount(
     _CfnResource_9df397a6,
     metaclass=jsii.JSIIMeta,
@@ -680,7 +714,8 @@ class CfnAccount(
         *,
         expiry_events_configuration: typing.Union[_IResolvable_da3f097b, typing.Union["CfnAccount.ExpiryEventsConfigurationProperty", typing.Dict[builtins.str, typing.Any]]],
     ) -> None:
-        '''
+        '''Create a new ``AWS::CertificateManager::Account``.
+
         :param scope: Scope in which this resource is defined.
         :param id: Construct identifier for this resource (unique in its scope).
         :param expiry_events_configuration: Object containing expiration events options associated with an AWS account . For more information, see `ExpiryEventsConfiguration <https://docs.aws.amazon.com/acm/latest/APIReference/API_ExpiryEventsConfiguration.html>`_ in the API reference.
@@ -725,6 +760,12 @@ class CfnAccount(
         '''The CloudFormation resource type name for this resource class.'''
         return typing.cast(builtins.str, jsii.sget(cls, "CFN_RESOURCE_TYPE_NAME"))
 
+    @builtins.property
+    @jsii.member(jsii_name="accountRef")
+    def account_ref(self) -> _AccountReference_2fb6748e:
+        '''A reference to a Account resource.'''
+        return typing.cast(_AccountReference_2fb6748e, jsii.get(self, "accountRef"))
+
     @builtins.property
     @jsii.member(jsii_name="attrAccountId")
     def attr_account_id(self) -> builtins.str:
@@ -880,15 +921,15 @@ class CfnAccountProps:
         )
 
 
-@jsii.implements(_IInspectable_c2943556, _ITaggable_36806126)
+@jsii.implements(_IInspectable_c2943556, _ICertificateRef_1878d79b, _ITaggable_36806126)
 class CfnCertificate(
     _CfnResource_9df397a6,
     metaclass=jsii.JSIIMeta,
     jsii_type="aws-cdk-lib.aws_certificatemanager.CfnCertificate",
 ):
-    '''The ``AWS::CertificateManager::Certificate`` resource requests an AWS Certificate Manager ( ACM ) certificate that you can use to enable secure connections.
+    '''The ``AWS::CertificateManager::Certificate`` resource requests an Certificate Manager ( ACM ) certificate that you can use to enable secure connections.
 
-    For example, you can deploy an ACM certificate to an Elastic Load Balancer to enable HTTPS support. For more information, see `RequestCertificate <https://docs.aws.amazon.com/acm/latest/APIReference/API_RequestCertificate.html>`_ in the AWS Certificate Manager API Reference.
+    For example, you can deploy an ACM certificate to an Elastic Load Balancer to enable HTTPS support. For more information, see `RequestCertificate <https://docs.aws.amazon.com/acm/latest/APIReference/API_RequestCertificate.html>`_ in the Certificate Manager API Reference.
     .. epigraph::
 
        When you use the ``AWS::CertificateManager::Certificate`` resource in a CloudFormation stack, domain validation is handled automatically if all three of the following are true: The certificate domain is hosted in Amazon Route 53, the domain resides in your AWS account , and you are using DNS validation.
@@ -910,6 +951,7 @@ class CfnCertificate(
         
             # the properties below are optional
             certificate_authority_arn="certificateAuthorityArn",
+            certificate_export="certificateExport",
             certificate_transparency_logging_preference="certificateTransparencyLoggingPreference",
             domain_validation_options=[certificatemanager.CfnCertificate.DomainValidationOptionProperty(
                 domain_name="domainName",
@@ -935,6 +977,7 @@ class CfnCertificate(
         *,
         domain_name: builtins.str,
         certificate_authority_arn: typing.Optional[builtins.str] = None,
+        certificate_export: typing.Optional[builtins.str] = None,
         certificate_transparency_logging_preference: typing.Optional[builtins.str] = None,
         domain_validation_options: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Sequence[typing.Union[_IResolvable_da3f097b, typing.Union["CfnCertificate.DomainValidationOptionProperty", typing.Dict[builtins.str, typing.Any]]]]]] = None,
         key_algorithm: typing.Optional[builtins.str] = None,
@@ -942,14 +985,16 @@ class CfnCertificate(
         tags: typing.Optional[typing.Sequence[typing.Union[_CfnTag_f6864754, typing.Dict[builtins.str, typing.Any]]]] = None,
         validation_method: typing.Optional[builtins.str] = None,
     ) -> None:
-        '''
+        '''Create a new ``AWS::CertificateManager::Certificate``.
+
         :param scope: Scope in which this resource is defined.
         :param id: Construct identifier for this resource (unique in its scope).
         :param domain_name: The fully qualified domain name (FQDN), such as www.example.com, with which you want to secure an ACM certificate. Use an asterisk (*) to create a wildcard certificate that protects several sites in the same domain. For example, ``*.example.com`` protects ``www.example.com`` , ``site.example.com`` , and ``images.example.com.``.
         :param certificate_authority_arn: The Amazon Resource Name (ARN) of the private certificate authority (CA) that will be used to issue the certificate. If you do not provide an ARN and you are trying to request a private certificate, ACM will attempt to issue a public certificate. For more information about private CAs, see the `AWS Private Certificate Authority <https://docs.aws.amazon.com/privateca/latest/userguide/PcaWelcome.html>`_ user guide. The ARN must have the following form: ``arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012``
-        :param certificate_transparency_logging_preference: You can opt out of certificate transparency logging by specifying the ``DISABLED`` option. Opt in by specifying ``ENABLED`` . If you do not specify a certificate transparency logging preference on a new CloudFormation template, or if you remove the logging preference from an existing template, this is the same as explicitly enabling the preference. Changing the certificate transparency logging preference will update the existing resource by calling ``UpdateCertificateOptions`` on the certificate. This action will not create a new resource.
+        :param certificate_export: You can opt out of allowing export of your certificate by specifying the ``DISABLED`` option. Allow export of your certificate by specifying the ``ENABLED`` option. If you do not specify an export preference in a new CloudFormation template, it is the same as explicitly denying export of your certificate.
+        :param certificate_transparency_logging_preference: You can opt out of certificate transparency logging by specifying the ``DISABLED`` option. Opt in by specifying ``ENABLED`` . This setting doces not apply to private certificates. If you do not specify a certificate transparency logging preference on a new CloudFormation template, or if you remove the logging preference from an existing template, this is the same as explicitly enabling the preference. Changing the certificate transparency logging preference will update the existing resource by calling ``UpdateCertificateOptions`` on the certificate. This action will not create a new resource.
         :param domain_validation_options: Domain information that domain name registrars use to verify your identity. .. epigraph:: In order for a AWS::CertificateManager::Certificate to be provisioned and validated in CloudFormation automatically, the ``DomainName`` property needs to be identical to one of the ``DomainName`` property supplied in DomainValidationOptions, if the ValidationMethod is **DNS**. Failing to keep them like-for-like will result in failure to create the domain validation records in Route53.
-        :param key_algorithm: Specifies the algorithm of the public and private key pair that your certificate uses to encrypt data. RSA is the default key algorithm for ACM certificates. Elliptic Curve Digital Signature Algorithm (ECDSA) keys are smaller, offering security comparable to RSA keys but with greater computing efficiency. However, ECDSA is not supported by all network clients. Some AWS services may require RSA keys, or only support ECDSA keys of a particular size, while others allow the use of either RSA and ECDSA keys to ensure that compatibility is not broken. Check the requirements for the AWS service where you plan to deploy your certificate. For more information about selecting an algorithm, see `Key algorithms <https://docs.aws.amazon.com/acm/latest/userguide/acm-certificate.html#algorithms>`_ . .. epigraph:: Algorithms supported for an ACM certificate request include: - ``RSA_2048`` - ``EC_prime256v1`` - ``EC_secp384r1`` Other listed algorithms are for imported certificates only. > When you request a private PKI certificate signed by a CA from AWS Private CA, the specified signing algorithm family (RSA or ECDSA) must match the algorithm family of the CA's secret key. Default: RSA_2048
+        :param key_algorithm: Specifies the algorithm of the public and private key pair that your certificate uses to encrypt data. RSA is the default key algorithm for ACM certificates. Elliptic Curve Digital Signature Algorithm (ECDSA) keys are smaller, offering security comparable to RSA keys but with greater computing efficiency. However, ECDSA is not supported by all network clients. Some AWS services may require RSA keys, or only support ECDSA keys of a particular size, while others allow the use of either RSA and ECDSA keys to ensure that compatibility is not broken. Check the requirements for the AWS service where you plan to deploy your certificate. For more information about selecting an algorithm, see `Key algorithms <https://docs.aws.amazon.com/acm/latest/userguide/acm-certificate-characteristics.html#algorithms-term>`_ . .. epigraph:: Algorithms supported for an ACM certificate request include: - ``RSA_2048`` - ``EC_prime256v1`` - ``EC_secp384r1`` Other listed algorithms are for imported certificates only. > When you request a private PKI certificate signed by a CA from AWS Private CA, the specified signing algorithm family (RSA or ECDSA) must match the algorithm family of the CA's secret key. Default: RSA_2048
         :param subject_alternative_names: Additional FQDNs to be included in the Subject Alternative Name extension of the ACM certificate. For example, you can add www.example.net to a certificate for which the ``DomainName`` field is www.example.com if users can reach your site by using either name.
         :param tags: Key-value pairs that can identify the certificate.
         :param validation_method: The method you want to use to validate that you own or control the domain associated with a public certificate. You can `validate with DNS <https://docs.aws.amazon.com/acm/latest/userguide/gs-acm-validate-dns.html>`_ or `validate with email <https://docs.aws.amazon.com/acm/latest/userguide/gs-acm-validate-email.html>`_ . We recommend that you use DNS validation. If not specified, this property defaults to email validation.
@@ -961,6 +1006,7 @@ class CfnCertificate(
         props = CfnCertificateProps(
             domain_name=domain_name,
             certificate_authority_arn=certificate_authority_arn,
+            certificate_export=certificate_export,
             certificate_transparency_logging_preference=certificate_transparency_logging_preference,
             domain_validation_options=domain_validation_options,
             key_algorithm=key_algorithm,
@@ -971,6 +1017,27 @@ class CfnCertificate(
 
         jsii.create(self.__class__, self, [scope, id, props])
 
+    @jsii.member(jsii_name="fromCertificateId")
+    @builtins.classmethod
+    def from_certificate_id(
+        cls,
+        scope: _constructs_77d1e7e8.Construct,
+        id: builtins.str,
+        certificate_id: builtins.str,
+    ) -> _ICertificateRef_1878d79b:
+        '''Creates a new ICertificateRef from a certificateId.
+
+        :param scope: -
+        :param id: -
+        :param certificate_id: -
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__74ad5174285b28bb947e64c6319be4642c1bb37681ea5d0d736a58181c45689e)
+            check_type(argname="argument scope", value=scope, expected_type=type_hints["scope"])
+            check_type(argname="argument id", value=id, expected_type=type_hints["id"])
+            check_type(argname="argument certificate_id", value=certificate_id, expected_type=type_hints["certificate_id"])
+        return typing.cast(_ICertificateRef_1878d79b, jsii.sinvoke(cls, "fromCertificateId", [scope, id, certificate_id]))
+
     @jsii.member(jsii_name="inspect")
     def inspect(self, inspector: _TreeInspector_488e0dd5) -> None:
         '''Examines the CloudFormation resource and discloses attributes.
@@ -1009,6 +1076,12 @@ class CfnCertificate(
         '''
         return typing.cast(builtins.str, jsii.get(self, "attrId"))
 
+    @builtins.property
+    @jsii.member(jsii_name="certificateRef")
+    def certificate_ref(self) -> _CertificateReference_6d6c82cf:
+        '''A reference to a Certificate resource.'''
+        return typing.cast(_CertificateReference_6d6c82cf, jsii.get(self, "certificateRef"))
+
     @builtins.property
     @jsii.member(jsii_name="cfnProperties")
     def _cfn_properties(self) -> typing.Mapping[builtins.str, typing.Any]:
@@ -1046,15 +1119,25 @@ class CfnCertificate(
             check_type(argname="argument value", value=value, expected_type=type_hints["value"])
         jsii.set(self, "certificateAuthorityArn", value) # pyright: ignore[reportArgumentType]
 
+    @builtins.property
+    @jsii.member(jsii_name="certificateExport")
+    def certificate_export(self) -> typing.Optional[builtins.str]:
+        '''You can opt out of allowing export of your certificate by specifying the ``DISABLED`` option.'''
+        return typing.cast(typing.Optional[builtins.str], jsii.get(self, "certificateExport"))
+
+    @certificate_export.setter
+    def certificate_export(self, value: typing.Optional[builtins.str]) -> None:
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__d950c422d5c6ee00cbcc4b8b9fb7d0b251571a9084cb4b6e68065e797e461b4a)
+            check_type(argname="argument value", value=value, expected_type=type_hints["value"])
+        jsii.set(self, "certificateExport", value) # pyright: ignore[reportArgumentType]
+
     @builtins.property
     @jsii.member(jsii_name="certificateTransparencyLoggingPreference")
     def certificate_transparency_logging_preference(
         self,
     ) -> typing.Optional[builtins.str]:
-        '''You can opt out of certificate transparency logging by specifying the ``DISABLED`` option.
-
-        Opt in by specifying ``ENABLED`` .
-        '''
+        '''You can opt out of certificate transparency logging by specifying the ``DISABLED`` option.'''
         return typing.cast(typing.Optional[builtins.str], jsii.get(self, "certificateTransparencyLoggingPreference"))
 
     @certificate_transparency_logging_preference.setter
@@ -1157,7 +1240,7 @@ class CfnCertificate(
             hosted_zone_id: typing.Optional[builtins.str] = None,
             validation_domain: typing.Optional[builtins.str] = None,
         ) -> None:
-            '''``DomainValidationOption`` is a property of the `AWS::CertificateManager::Certificate <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-certificatemanager-certificate.html>`_ resource that specifies the AWS Certificate Manager ( ACM ) certificate domain to validate. Depending on the chosen validation method, ACM checks the domain's DNS record for a validation CNAME, or it attempts to send a validation email message to the domain owner.
+            '''``DomainValidationOption`` is a property of the `AWS::CertificateManager::Certificate <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-certificatemanager-certificate.html>`_ resource that specifies the Certificate Manager ( ACM ) certificate domain to validate. Depending on the chosen validation method, ACM checks the domain's DNS record for a validation CNAME, or it attempts to send a validation email message to the domain owner.
 
             :param domain_name: A fully qualified domain name (FQDN) in the certificate request.
             :param hosted_zone_id: The ``HostedZoneId`` option, which is available if you are using Route 53 as your domain registrar, causes ACM to add your CNAME to the domain record. Your list of ``DomainValidationOptions`` must contain one and only one of the domain-validation options, and the ``HostedZoneId`` can be used only when ``DNS`` is specified as your validation method. Use the Route 53 ``ListHostedZones`` API to discover IDs for available hosted zones. This option is required for publicly trusted certificates. .. epigraph:: The ``ListHostedZones`` API returns IDs in the format "/hostedzone/Z111111QQQQQQQ", but CloudFormation requires the IDs to be in the format "Z111111QQQQQQQ". When you change your ``DomainValidationOptions`` , a new resource is created.
@@ -1258,6 +1341,7 @@ class CfnCertificate(
     name_mapping={
         "domain_name": "domainName",
         "certificate_authority_arn": "certificateAuthorityArn",
+        "certificate_export": "certificateExport",
         "certificate_transparency_logging_preference": "certificateTransparencyLoggingPreference",
         "domain_validation_options": "domainValidationOptions",
         "key_algorithm": "keyAlgorithm",
@@ -1272,6 +1356,7 @@ class CfnCertificateProps:
         *,
         domain_name: builtins.str,
         certificate_authority_arn: typing.Optional[builtins.str] = None,
+        certificate_export: typing.Optional[builtins.str] = None,
         certificate_transparency_logging_preference: typing.Optional[builtins.str] = None,
         domain_validation_options: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Sequence[typing.Union[_IResolvable_da3f097b, typing.Union[CfnCertificate.DomainValidationOptionProperty, typing.Dict[builtins.str, typing.Any]]]]]] = None,
         key_algorithm: typing.Optional[builtins.str] = None,
@@ -1283,9 +1368,10 @@ class CfnCertificateProps:
 
         :param domain_name: The fully qualified domain name (FQDN), such as www.example.com, with which you want to secure an ACM certificate. Use an asterisk (*) to create a wildcard certificate that protects several sites in the same domain. For example, ``*.example.com`` protects ``www.example.com`` , ``site.example.com`` , and ``images.example.com.``.
         :param certificate_authority_arn: The Amazon Resource Name (ARN) of the private certificate authority (CA) that will be used to issue the certificate. If you do not provide an ARN and you are trying to request a private certificate, ACM will attempt to issue a public certificate. For more information about private CAs, see the `AWS Private Certificate Authority <https://docs.aws.amazon.com/privateca/latest/userguide/PcaWelcome.html>`_ user guide. The ARN must have the following form: ``arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012``
-        :param certificate_transparency_logging_preference: You can opt out of certificate transparency logging by specifying the ``DISABLED`` option. Opt in by specifying ``ENABLED`` . If you do not specify a certificate transparency logging preference on a new CloudFormation template, or if you remove the logging preference from an existing template, this is the same as explicitly enabling the preference. Changing the certificate transparency logging preference will update the existing resource by calling ``UpdateCertificateOptions`` on the certificate. This action will not create a new resource.
+        :param certificate_export: You can opt out of allowing export of your certificate by specifying the ``DISABLED`` option. Allow export of your certificate by specifying the ``ENABLED`` option. If you do not specify an export preference in a new CloudFormation template, it is the same as explicitly denying export of your certificate.
+        :param certificate_transparency_logging_preference: You can opt out of certificate transparency logging by specifying the ``DISABLED`` option. Opt in by specifying ``ENABLED`` . This setting doces not apply to private certificates. If you do not specify a certificate transparency logging preference on a new CloudFormation template, or if you remove the logging preference from an existing template, this is the same as explicitly enabling the preference. Changing the certificate transparency logging preference will update the existing resource by calling ``UpdateCertificateOptions`` on the certificate. This action will not create a new resource.
         :param domain_validation_options: Domain information that domain name registrars use to verify your identity. .. epigraph:: In order for a AWS::CertificateManager::Certificate to be provisioned and validated in CloudFormation automatically, the ``DomainName`` property needs to be identical to one of the ``DomainName`` property supplied in DomainValidationOptions, if the ValidationMethod is **DNS**. Failing to keep them like-for-like will result in failure to create the domain validation records in Route53.
-        :param key_algorithm: Specifies the algorithm of the public and private key pair that your certificate uses to encrypt data. RSA is the default key algorithm for ACM certificates. Elliptic Curve Digital Signature Algorithm (ECDSA) keys are smaller, offering security comparable to RSA keys but with greater computing efficiency. However, ECDSA is not supported by all network clients. Some AWS services may require RSA keys, or only support ECDSA keys of a particular size, while others allow the use of either RSA and ECDSA keys to ensure that compatibility is not broken. Check the requirements for the AWS service where you plan to deploy your certificate. For more information about selecting an algorithm, see `Key algorithms <https://docs.aws.amazon.com/acm/latest/userguide/acm-certificate.html#algorithms>`_ . .. epigraph:: Algorithms supported for an ACM certificate request include: - ``RSA_2048`` - ``EC_prime256v1`` - ``EC_secp384r1`` Other listed algorithms are for imported certificates only. > When you request a private PKI certificate signed by a CA from AWS Private CA, the specified signing algorithm family (RSA or ECDSA) must match the algorithm family of the CA's secret key. Default: RSA_2048
+        :param key_algorithm: Specifies the algorithm of the public and private key pair that your certificate uses to encrypt data. RSA is the default key algorithm for ACM certificates. Elliptic Curve Digital Signature Algorithm (ECDSA) keys are smaller, offering security comparable to RSA keys but with greater computing efficiency. However, ECDSA is not supported by all network clients. Some AWS services may require RSA keys, or only support ECDSA keys of a particular size, while others allow the use of either RSA and ECDSA keys to ensure that compatibility is not broken. Check the requirements for the AWS service where you plan to deploy your certificate. For more information about selecting an algorithm, see `Key algorithms <https://docs.aws.amazon.com/acm/latest/userguide/acm-certificate-characteristics.html#algorithms-term>`_ . .. epigraph:: Algorithms supported for an ACM certificate request include: - ``RSA_2048`` - ``EC_prime256v1`` - ``EC_secp384r1`` Other listed algorithms are for imported certificates only. > When you request a private PKI certificate signed by a CA from AWS Private CA, the specified signing algorithm family (RSA or ECDSA) must match the algorithm family of the CA's secret key. Default: RSA_2048
         :param subject_alternative_names: Additional FQDNs to be included in the Subject Alternative Name extension of the ACM certificate. For example, you can add www.example.net to a certificate for which the ``DomainName`` field is www.example.com if users can reach your site by using either name.
         :param tags: Key-value pairs that can identify the certificate.
         :param validation_method: The method you want to use to validate that you own or control the domain associated with a public certificate. You can `validate with DNS <https://docs.aws.amazon.com/acm/latest/userguide/gs-acm-validate-dns.html>`_ or `validate with email <https://docs.aws.amazon.com/acm/latest/userguide/gs-acm-validate-email.html>`_ . We recommend that you use DNS validation. If not specified, this property defaults to email validation.
@@ -1304,6 +1390,7 @@ class CfnCertificateProps:
             
                 # the properties below are optional
                 certificate_authority_arn="certificateAuthorityArn",
+                certificate_export="certificateExport",
                 certificate_transparency_logging_preference="certificateTransparencyLoggingPreference",
                 domain_validation_options=[certificatemanager.CfnCertificate.DomainValidationOptionProperty(
                     domain_name="domainName",
@@ -1325,6 +1412,7 @@ class CfnCertificateProps:
             type_hints = typing.get_type_hints(_typecheckingstub__0e42a641d895acaee35ba9ec88335a357b8cbfb64b98867f1792ccd63242a79d)
             check_type(argname="argument domain_name", value=domain_name, expected_type=type_hints["domain_name"])
             check_type(argname="argument certificate_authority_arn", value=certificate_authority_arn, expected_type=type_hints["certificate_authority_arn"])
+            check_type(argname="argument certificate_export", value=certificate_export, expected_type=type_hints["certificate_export"])
             check_type(argname="argument certificate_transparency_logging_preference", value=certificate_transparency_logging_preference, expected_type=type_hints["certificate_transparency_logging_preference"])
             check_type(argname="argument domain_validation_options", value=domain_validation_options, expected_type=type_hints["domain_validation_options"])
             check_type(argname="argument key_algorithm", value=key_algorithm, expected_type=type_hints["key_algorithm"])
@@ -1336,6 +1424,8 @@ class CfnCertificateProps:
         }
         if certificate_authority_arn is not None:
             self._values["certificate_authority_arn"] = certificate_authority_arn
+        if certificate_export is not None:
+            self._values["certificate_export"] = certificate_export
         if certificate_transparency_logging_preference is not None:
             self._values["certificate_transparency_logging_preference"] = certificate_transparency_logging_preference
         if domain_validation_options is not None:
@@ -1372,11 +1462,26 @@ class CfnCertificateProps:
         result = self._values.get("certificate_authority_arn")
         return typing.cast(typing.Optional[builtins.str], result)
 
+    @builtins.property
+    def certificate_export(self) -> typing.Optional[builtins.str]:
+        '''You can opt out of allowing export of your certificate by specifying the ``DISABLED`` option.
+
+        Allow export of your certificate by specifying the ``ENABLED`` option.
+
+        If you do not specify an export preference in a new CloudFormation template, it is the same as explicitly denying export of your certificate.
+
+        :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-certificatemanager-certificate.html#cfn-certificatemanager-certificate-certificateexport
+        '''
+        result = self._values.get("certificate_export")
+        return typing.cast(typing.Optional[builtins.str], result)
+
     @builtins.property
     def certificate_transparency_logging_preference(
         self,
     ) -> typing.Optional[builtins.str]:
-        '''You can opt out of certificate transparency logging by specifying the ``DISABLED`` option. Opt in by specifying ``ENABLED`` .
+        '''You can opt out of certificate transparency logging by specifying the ``DISABLED`` option.
+
+        Opt in by specifying ``ENABLED`` . This setting doces not apply to private certificates.
 
         If you do not specify a certificate transparency logging preference on a new CloudFormation template, or if you remove the logging preference from an existing template, this is the same as explicitly enabling the preference.
 
@@ -1406,7 +1511,7 @@ class CfnCertificateProps:
     def key_algorithm(self) -> typing.Optional[builtins.str]:
         '''Specifies the algorithm of the public and private key pair that your certificate uses to encrypt data.
 
-        RSA is the default key algorithm for ACM certificates. Elliptic Curve Digital Signature Algorithm (ECDSA) keys are smaller, offering security comparable to RSA keys but with greater computing efficiency. However, ECDSA is not supported by all network clients. Some AWS services may require RSA keys, or only support ECDSA keys of a particular size, while others allow the use of either RSA and ECDSA keys to ensure that compatibility is not broken. Check the requirements for the AWS service where you plan to deploy your certificate. For more information about selecting an algorithm, see `Key algorithms <https://docs.aws.amazon.com/acm/latest/userguide/acm-certificate.html#algorithms>`_ .
+        RSA is the default key algorithm for ACM certificates. Elliptic Curve Digital Signature Algorithm (ECDSA) keys are smaller, offering security comparable to RSA keys but with greater computing efficiency. However, ECDSA is not supported by all network clients. Some AWS services may require RSA keys, or only support ECDSA keys of a particular size, while others allow the use of either RSA and ECDSA keys to ensure that compatibility is not broken. Check the requirements for the AWS service where you plan to deploy your certificate. For more information about selecting an algorithm, see `Key algorithms <https://docs.aws.amazon.com/acm/latest/userguide/acm-certificate-characteristics.html#algorithms-term>`_ .
         .. epigraph::
 
            Algorithms supported for an ACM certificate request include:
@@ -1474,6 +1579,7 @@ class CfnCertificateProps:
     jsii_struct_bases=[CertificateProps],
     name_mapping={
         "domain_name": "domainName",
+        "allow_export": "allowExport",
         "certificate_name": "certificateName",
         "key_algorithm": "keyAlgorithm",
         "subject_alternative_names": "subjectAlternativeNames",
@@ -1491,6 +1597,7 @@ class DnsValidatedCertificateProps(CertificateProps):
         self,
         *,
         domain_name: builtins.str,
+        allow_export: typing.Optional[builtins.bool] = None,
         certificate_name: typing.Optional[builtins.str] = None,
         key_algorithm: typing.Optional["KeyAlgorithm"] = None,
         subject_alternative_names: typing.Optional[typing.Sequence[builtins.str]] = None,
@@ -1505,6 +1612,7 @@ class DnsValidatedCertificateProps(CertificateProps):
         '''Properties to create a DNS validated certificate managed by AWS Certificate Manager.
 
         :param domain_name: Fully-qualified domain name to request a certificate for. May contain wildcards, such as ``*.domain.com``.
+        :param allow_export: Enable or disable export of this certificate. If you issue an exportable public certificate, there is a charge at certificate issuance and again when the certificate renews. Ref: https://aws.amazon.com/certificate-manager/pricing Default: false
         :param certificate_name: The Certificate name. Since the Certificate resource doesn't support providing a physical name, the value provided here will be recorded in the ``Name`` tag Default: the full, absolute path of this construct
         :param key_algorithm: Specifies the algorithm of the public and private key pair that your certificate uses to encrypt data. Default: KeyAlgorithm.RSA_2048
         :param subject_alternative_names: Alternative domain names on your certificate. Use this to register alternative domain names that represent the same site. Default: - No additional FQDNs will be included as alternative domain names.
@@ -1536,6 +1644,7 @@ class DnsValidatedCertificateProps(CertificateProps):
                 hosted_zone=hosted_zone,
             
                 # the properties below are optional
+                allow_export=False,
                 certificate_name="certificateName",
                 cleanup_route53_records=False,
                 custom_resource_role=role,
@@ -1550,6 +1659,7 @@ class DnsValidatedCertificateProps(CertificateProps):
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__f8749c95da859ba878861eff7c4231de11fa86681f0df8dbe02a3b4e4f5128b6)
             check_type(argname="argument domain_name", value=domain_name, expected_type=type_hints["domain_name"])
+            check_type(argname="argument allow_export", value=allow_export, expected_type=type_hints["allow_export"])
             check_type(argname="argument certificate_name", value=certificate_name, expected_type=type_hints["certificate_name"])
             check_type(argname="argument key_algorithm", value=key_algorithm, expected_type=type_hints["key_algorithm"])
             check_type(argname="argument subject_alternative_names", value=subject_alternative_names, expected_type=type_hints["subject_alternative_names"])
@@ -1564,6 +1674,8 @@ class DnsValidatedCertificateProps(CertificateProps):
             "domain_name": domain_name,
             "hosted_zone": hosted_zone,
         }
+        if allow_export is not None:
+            self._values["allow_export"] = allow_export
         if certificate_name is not None:
             self._values["certificate_name"] = certificate_name
         if key_algorithm is not None:
@@ -1593,6 +1705,18 @@ class DnsValidatedCertificateProps(CertificateProps):
         assert result is not None, "Required property 'domain_name' is missing"
         return typing.cast(builtins.str, result)
 
+    @builtins.property
+    def allow_export(self) -> typing.Optional[builtins.bool]:
+        '''Enable or disable export of this certificate.
+
+        If you issue an exportable public certificate, there is a charge at certificate issuance and again when the certificate renews.
+        Ref: https://aws.amazon.com/certificate-manager/pricing
+
+        :default: false
+        '''
+        result = self._values.get("allow_export")
+        return typing.cast(typing.Optional[builtins.bool], result)
+
     @builtins.property
     def certificate_name(self) -> typing.Optional[builtins.str]:
         '''The Certificate name.
@@ -1743,6 +1867,7 @@ class ICertificate(_IResource_c80c4260, typing_extensions.Protocol):
         account: typing.Optional[builtins.str] = None,
         color: typing.Optional[builtins.str] = None,
         dimensions_map: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
+        id: typing.Optional[builtins.str] = None,
         label: typing.Optional[builtins.str] = None,
         period: typing.Optional[_Duration_4839e8c3] = None,
         region: typing.Optional[builtins.str] = None,
@@ -1750,6 +1875,7 @@ class ICertificate(_IResource_c80c4260, typing_extensions.Protocol):
         stack_region: typing.Optional[builtins.str] = None,
         statistic: typing.Optional[builtins.str] = None,
         unit: typing.Optional[_Unit_61bc6f70] = None,
+        visible: typing.Optional[builtins.bool] = None,
     ) -> _Metric_e396a4dc:
         '''Return the DaysToExpiry metric for this AWS Certificate Manager Certificate. By default, this is the minimum value over 1 day.
 
@@ -1760,6 +1886,7 @@ class ICertificate(_IResource_c80c4260, typing_extensions.Protocol):
         :param account: Account which this metric comes from. Default: - Deployment account.
         :param color: The hex color code, prefixed with '#' (e.g. '#00ff00'), to use when this metric is rendered on a graph. The ``Color`` class has a set of standard colors that can be used here. Default: - Automatic color
         :param dimensions_map: Dimensions of the metric. Default: - No dimensions.
+        :param id: Unique identifier for this metric when used in dashboard widgets. The id can be used as a variable to represent this metric in math expressions. Valid characters are letters, numbers, and underscore. The first character must be a lowercase letter. Default: - No ID
         :param label: Label for this metric when added to a Graph in a Dashboard. You can use `dynamic labels <https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/graph-dynamic-labels.html>`_ to show summary information about the entire displayed time series in the legend. For example, if you use:: [max: ${MAX}] MyMetric As the metric label, the maximum value in the visible range will be shown next to the time series name in the graph's legend. Default: - No label
         :param period: The period over which the specified statistic is applied. Default: Duration.minutes(5)
         :param region: Region which this metric comes from. Default: - Deployment region.
@@ -1767,6 +1894,7 @@ class ICertificate(_IResource_c80c4260, typing_extensions.Protocol):
         :param stack_region: Region of the stack this metric is attached to. Default: - Deployment region.
         :param statistic: What function to use for aggregating. Use the ``aws_cloudwatch.Stats`` helper class to construct valid input strings. Can be one of the following: - "Minimum" | "min" - "Maximum" | "max" - "Average" | "avg" - "Sum" | "sum" - "SampleCount | "n" - "pNN.NN" - "tmNN.NN" | "tm(NN.NN%:NN.NN%)" - "iqm" - "wmNN.NN" | "wm(NN.NN%:NN.NN%)" - "tcNN.NN" | "tc(NN.NN%:NN.NN%)" - "tsNN.NN" | "ts(NN.NN%:NN.NN%)" Default: Average
         :param unit: Unit used to filter the metric stream. Only refer to datums emitted to the metric stream with the given unit and ignore all others. Only useful when datums are being emitted to the same metric stream under different units. The default is to use all matric datums in the stream, regardless of unit, which is recommended in nearly all cases. CloudWatch does not honor this property for graphs. Default: - All metric datums in the given metric stream
+        :param visible: Whether this metric should be visible in dashboard graphs. Setting this to false is useful when you want to hide raw metrics that are used in math expressions, and show only the expression results. Default: true
         '''
         ...
 
@@ -1794,6 +1922,7 @@ class _ICertificateProxy(
         account: typing.Optional[builtins.str] = None,
         color: typing.Optional[builtins.str] = None,
         dimensions_map: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
+        id: typing.Optional[builtins.str] = None,
         label: typing.Optional[builtins.str] = None,
         period: typing.Optional[_Duration_4839e8c3] = None,
         region: typing.Optional[builtins.str] = None,
@@ -1801,6 +1930,7 @@ class _ICertificateProxy(
         stack_region: typing.Optional[builtins.str] = None,
         statistic: typing.Optional[builtins.str] = None,
         unit: typing.Optional[_Unit_61bc6f70] = None,
+        visible: typing.Optional[builtins.bool] = None,
     ) -> _Metric_e396a4dc:
         '''Return the DaysToExpiry metric for this AWS Certificate Manager Certificate. By default, this is the minimum value over 1 day.
 
@@ -1811,6 +1941,7 @@ class _ICertificateProxy(
         :param account: Account which this metric comes from. Default: - Deployment account.
         :param color: The hex color code, prefixed with '#' (e.g. '#00ff00'), to use when this metric is rendered on a graph. The ``Color`` class has a set of standard colors that can be used here. Default: - Automatic color
         :param dimensions_map: Dimensions of the metric. Default: - No dimensions.
+        :param id: Unique identifier for this metric when used in dashboard widgets. The id can be used as a variable to represent this metric in math expressions. Valid characters are letters, numbers, and underscore. The first character must be a lowercase letter. Default: - No ID
         :param label: Label for this metric when added to a Graph in a Dashboard. You can use `dynamic labels <https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/graph-dynamic-labels.html>`_ to show summary information about the entire displayed time series in the legend. For example, if you use:: [max: ${MAX}] MyMetric As the metric label, the maximum value in the visible range will be shown next to the time series name in the graph's legend. Default: - No label
         :param period: The period over which the specified statistic is applied. Default: Duration.minutes(5)
         :param region: Region which this metric comes from. Default: - Deployment region.
@@ -1818,11 +1949,13 @@ class _ICertificateProxy(
         :param stack_region: Region of the stack this metric is attached to. Default: - Deployment region.
         :param statistic: What function to use for aggregating. Use the ``aws_cloudwatch.Stats`` helper class to construct valid input strings. Can be one of the following: - "Minimum" | "min" - "Maximum" | "max" - "Average" | "avg" - "Sum" | "sum" - "SampleCount | "n" - "pNN.NN" - "tmNN.NN" | "tm(NN.NN%:NN.NN%)" - "iqm" - "wmNN.NN" | "wm(NN.NN%:NN.NN%)" - "tcNN.NN" | "tc(NN.NN%:NN.NN%)" - "tsNN.NN" | "ts(NN.NN%:NN.NN%)" Default: Average
         :param unit: Unit used to filter the metric stream. Only refer to datums emitted to the metric stream with the given unit and ignore all others. Only useful when datums are being emitted to the same metric stream under different units. The default is to use all matric datums in the stream, regardless of unit, which is recommended in nearly all cases. CloudWatch does not honor this property for graphs. Default: - All metric datums in the given metric stream
+        :param visible: Whether this metric should be visible in dashboard graphs. Setting this to false is useful when you want to hide raw metrics that are used in math expressions, and show only the expression results. Default: true
         '''
         props = _MetricOptions_1788b62f(
             account=account,
             color=color,
             dimensions_map=dimensions_map,
+            id=id,
             label=label,
             period=period,
             region=region,
@@ -1830,6 +1963,7 @@ class _ICertificateProxy(
             stack_region=stack_region,
             statistic=statistic,
             unit=unit,
+            visible=visible,
         )
 
         return typing.cast(_Metric_e396a4dc, jsii.invoke(self, "metricDaysToExpiry", [props]))
@@ -1952,6 +2086,7 @@ class PrivateCertificate(
         *,
         certificate_authority: _ICertificateAuthority_26727cab,
         domain_name: builtins.str,
+        allow_export: typing.Optional[builtins.bool] = None,
         key_algorithm: typing.Optional[KeyAlgorithm] = None,
         subject_alternative_names: typing.Optional[typing.Sequence[builtins.str]] = None,
     ) -> None:
@@ -1960,6 +2095,7 @@ class PrivateCertificate(
         :param id: -
         :param certificate_authority: Private certificate authority (CA) that will be used to issue the certificate.
         :param domain_name: Fully-qualified domain name to request a private certificate for. May contain wildcards, such as ``*.domain.com``.
+        :param allow_export: Enable or disable export of this certificate. If you issue an exportable public certificate, there is a charge at certificate issuance and again when the certificate renews. Ref: https://aws.amazon.com/certificate-manager/pricing Default: false
         :param key_algorithm: Specifies the algorithm of the public and private key pair that your certificate uses to encrypt data. When you request a private PKI certificate signed by a CA from AWS Private CA, the specified signing algorithm family (RSA or ECDSA) must match the algorithm family of the CA's secret key. Default: KeyAlgorithm.RSA_2048
         :param subject_alternative_names: Alternative domain names on your private certificate. Use this to register alternative domain names that represent the same site. Default: - No additional FQDNs will be included as alternative domain names.
         '''
@@ -1970,6 +2106,7 @@ class PrivateCertificate(
         props = PrivateCertificateProps(
             certificate_authority=certificate_authority,
             domain_name=domain_name,
+            allow_export=allow_export,
             key_algorithm=key_algorithm,
             subject_alternative_names=subject_alternative_names,
         )
@@ -2004,6 +2141,7 @@ class PrivateCertificate(
         account: typing.Optional[builtins.str] = None,
         color: typing.Optional[builtins.str] = None,
         dimensions_map: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
+        id: typing.Optional[builtins.str] = None,
         label: typing.Optional[builtins.str] = None,
         period: typing.Optional[_Duration_4839e8c3] = None,
         region: typing.Optional[builtins.str] = None,
@@ -2011,6 +2149,7 @@ class PrivateCertificate(
         stack_region: typing.Optional[builtins.str] = None,
         statistic: typing.Optional[builtins.str] = None,
         unit: typing.Optional[_Unit_61bc6f70] = None,
+        visible: typing.Optional[builtins.bool] = None,
     ) -> _Metric_e396a4dc:
         '''Return the DaysToExpiry metric for this AWS Certificate Manager Certificate. By default, this is the minimum value over 1 day.
 
@@ -2021,6 +2160,7 @@ class PrivateCertificate(
         :param account: Account which this metric comes from. Default: - Deployment account.
         :param color: The hex color code, prefixed with '#' (e.g. '#00ff00'), to use when this metric is rendered on a graph. The ``Color`` class has a set of standard colors that can be used here. Default: - Automatic color
         :param dimensions_map: Dimensions of the metric. Default: - No dimensions.
+        :param id: Unique identifier for this metric when used in dashboard widgets. The id can be used as a variable to represent this metric in math expressions. Valid characters are letters, numbers, and underscore. The first character must be a lowercase letter. Default: - No ID
         :param label: Label for this metric when added to a Graph in a Dashboard. You can use `dynamic labels <https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/graph-dynamic-labels.html>`_ to show summary information about the entire displayed time series in the legend. For example, if you use:: [max: ${MAX}] MyMetric As the metric label, the maximum value in the visible range will be shown next to the time series name in the graph's legend. Default: - No label
         :param period: The period over which the specified statistic is applied. Default: Duration.minutes(5)
         :param region: Region which this metric comes from. Default: - Deployment region.
@@ -2028,11 +2168,13 @@ class PrivateCertificate(
         :param stack_region: Region of the stack this metric is attached to. Default: - Deployment region.
         :param statistic: What function to use for aggregating. Use the ``aws_cloudwatch.Stats`` helper class to construct valid input strings. Can be one of the following: - "Minimum" | "min" - "Maximum" | "max" - "Average" | "avg" - "Sum" | "sum" - "SampleCount | "n" - "pNN.NN" - "tmNN.NN" | "tm(NN.NN%:NN.NN%)" - "iqm" - "wmNN.NN" | "wm(NN.NN%:NN.NN%)" - "tcNN.NN" | "tc(NN.NN%:NN.NN%)" - "tsNN.NN" | "ts(NN.NN%:NN.NN%)" Default: Average
         :param unit: Unit used to filter the metric stream. Only refer to datums emitted to the metric stream with the given unit and ignore all others. Only useful when datums are being emitted to the same metric stream under different units. The default is to use all matric datums in the stream, regardless of unit, which is recommended in nearly all cases. CloudWatch does not honor this property for graphs. Default: - All metric datums in the given metric stream
+        :param visible: Whether this metric should be visible in dashboard graphs. Setting this to false is useful when you want to hide raw metrics that are used in math expressions, and show only the expression results. Default: true
         '''
         props = _MetricOptions_1788b62f(
             account=account,
             color=color,
             dimensions_map=dimensions_map,
+            id=id,
             label=label,
             period=period,
             region=region,
@@ -2040,6 +2182,7 @@ class PrivateCertificate(
             stack_region=stack_region,
             statistic=statistic,
             unit=unit,
+            visible=visible,
         )
 
         return typing.cast(_Metric_e396a4dc, jsii.invoke(self, "metricDaysToExpiry", [props]))
@@ -2069,6 +2212,7 @@ class PrivateCertificate(
     name_mapping={
         "certificate_authority": "certificateAuthority",
         "domain_name": "domainName",
+        "allow_export": "allowExport",
         "key_algorithm": "keyAlgorithm",
         "subject_alternative_names": "subjectAlternativeNames",
     },
@@ -2079,6 +2223,7 @@ class PrivateCertificateProps:
         *,
         certificate_authority: _ICertificateAuthority_26727cab,
         domain_name: builtins.str,
+        allow_export: typing.Optional[builtins.bool] = None,
         key_algorithm: typing.Optional[KeyAlgorithm] = None,
         subject_alternative_names: typing.Optional[typing.Sequence[builtins.str]] = None,
     ) -> None:
@@ -2086,6 +2231,7 @@ class PrivateCertificateProps:
 
         :param certificate_authority: Private certificate authority (CA) that will be used to issue the certificate.
         :param domain_name: Fully-qualified domain name to request a private certificate for. May contain wildcards, such as ``*.domain.com``.
+        :param allow_export: Enable or disable export of this certificate. If you issue an exportable public certificate, there is a charge at certificate issuance and again when the certificate renews. Ref: https://aws.amazon.com/certificate-manager/pricing Default: false
         :param key_algorithm: Specifies the algorithm of the public and private key pair that your certificate uses to encrypt data. When you request a private PKI certificate signed by a CA from AWS Private CA, the specified signing algorithm family (RSA or ECDSA) must match the algorithm family of the CA's secret key. Default: KeyAlgorithm.RSA_2048
         :param subject_alternative_names: Alternative domain names on your private certificate. Use this to register alternative domain names that represent the same site. Default: - No additional FQDNs will be included as alternative domain names.
 
@@ -2107,12 +2253,15 @@ class PrivateCertificateProps:
             type_hints = typing.get_type_hints(_typecheckingstub__74588c43933e5f34a3203601cc823ca974676f71701280dcd43e9f037bba43e3)
             check_type(argname="argument certificate_authority", value=certificate_authority, expected_type=type_hints["certificate_authority"])
             check_type(argname="argument domain_name", value=domain_name, expected_type=type_hints["domain_name"])
+            check_type(argname="argument allow_export", value=allow_export, expected_type=type_hints["allow_export"])
             check_type(argname="argument key_algorithm", value=key_algorithm, expected_type=type_hints["key_algorithm"])
             check_type(argname="argument subject_alternative_names", value=subject_alternative_names, expected_type=type_hints["subject_alternative_names"])
         self._values: typing.Dict[builtins.str, typing.Any] = {
             "certificate_authority": certificate_authority,
             "domain_name": domain_name,
         }
+        if allow_export is not None:
+            self._values["allow_export"] = allow_export
         if key_algorithm is not None:
             self._values["key_algorithm"] = key_algorithm
         if subject_alternative_names is not None:
@@ -2135,6 +2284,18 @@ class PrivateCertificateProps:
         assert result is not None, "Required property 'domain_name' is missing"
         return typing.cast(builtins.str, result)
 
+    @builtins.property
+    def allow_export(self) -> typing.Optional[builtins.bool]:
+        '''Enable or disable export of this certificate.
+
+        If you issue an exportable public certificate, there is a charge at certificate issuance and again when the certificate renews.
+        Ref: https://aws.amazon.com/certificate-manager/pricing
+
+        :default: false
+        '''
+        result = self._values.get("allow_export")
+        return typing.cast(typing.Optional[builtins.bool], result)
+
     @builtins.property
     def key_algorithm(self) -> typing.Optional[KeyAlgorithm]:
         '''Specifies the algorithm of the public and private key pair that your certificate uses to encrypt data.
@@ -2225,6 +2386,7 @@ class Certificate(
         id: builtins.str,
         *,
         domain_name: builtins.str,
+        allow_export: typing.Optional[builtins.bool] = None,
         certificate_name: typing.Optional[builtins.str] = None,
         key_algorithm: typing.Optional[KeyAlgorithm] = None,
         subject_alternative_names: typing.Optional[typing.Sequence[builtins.str]] = None,
@@ -2235,6 +2397,7 @@ class Certificate(
         :param scope: -
         :param id: -
         :param domain_name: Fully-qualified domain name to request a certificate for. May contain wildcards, such as ``*.domain.com``.
+        :param allow_export: Enable or disable export of this certificate. If you issue an exportable public certificate, there is a charge at certificate issuance and again when the certificate renews. Ref: https://aws.amazon.com/certificate-manager/pricing Default: false
         :param certificate_name: The Certificate name. Since the Certificate resource doesn't support providing a physical name, the value provided here will be recorded in the ``Name`` tag Default: the full, absolute path of this construct
         :param key_algorithm: Specifies the algorithm of the public and private key pair that your certificate uses to encrypt data. Default: KeyAlgorithm.RSA_2048
         :param subject_alternative_names: Alternative domain names on your certificate. Use this to register alternative domain names that represent the same site. Default: - No additional FQDNs will be included as alternative domain names.
@@ -2247,6 +2410,7 @@ class Certificate(
             check_type(argname="argument id", value=id, expected_type=type_hints["id"])
         props = CertificateProps(
             domain_name=domain_name,
+            allow_export=allow_export,
             certificate_name=certificate_name,
             key_algorithm=key_algorithm,
             subject_alternative_names=subject_alternative_names,
@@ -2284,6 +2448,7 @@ class Certificate(
         account: typing.Optional[builtins.str] = None,
         color: typing.Optional[builtins.str] = None,
         dimensions_map: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
+        id: typing.Optional[builtins.str] = None,
         label: typing.Optional[builtins.str] = None,
         period: typing.Optional[_Duration_4839e8c3] = None,
         region: typing.Optional[builtins.str] = None,
@@ -2291,6 +2456,7 @@ class Certificate(
         stack_region: typing.Optional[builtins.str] = None,
         statistic: typing.Optional[builtins.str] = None,
         unit: typing.Optional[_Unit_61bc6f70] = None,
+        visible: typing.Optional[builtins.bool] = None,
     ) -> _Metric_e396a4dc:
         '''Return the DaysToExpiry metric for this AWS Certificate Manager Certificate. By default, this is the minimum value over 1 day.
 
@@ -2301,6 +2467,7 @@ class Certificate(
         :param account: Account which this metric comes from. Default: - Deployment account.
         :param color: The hex color code, prefixed with '#' (e.g. '#00ff00'), to use when this metric is rendered on a graph. The ``Color`` class has a set of standard colors that can be used here. Default: - Automatic color
         :param dimensions_map: Dimensions of the metric. Default: - No dimensions.
+        :param id: Unique identifier for this metric when used in dashboard widgets. The id can be used as a variable to represent this metric in math expressions. Valid characters are letters, numbers, and underscore. The first character must be a lowercase letter. Default: - No ID
         :param label: Label for this metric when added to a Graph in a Dashboard. You can use `dynamic labels <https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/graph-dynamic-labels.html>`_ to show summary information about the entire displayed time series in the legend. For example, if you use:: [max: ${MAX}] MyMetric As the metric label, the maximum value in the visible range will be shown next to the time series name in the graph's legend. Default: - No label
         :param period: The period over which the specified statistic is applied. Default: Duration.minutes(5)
         :param region: Region which this metric comes from. Default: - Deployment region.
@@ -2308,11 +2475,13 @@ class Certificate(
         :param stack_region: Region of the stack this metric is attached to. Default: - Deployment region.
         :param statistic: What function to use for aggregating. Use the ``aws_cloudwatch.Stats`` helper class to construct valid input strings. Can be one of the following: - "Minimum" | "min" - "Maximum" | "max" - "Average" | "avg" - "Sum" | "sum" - "SampleCount | "n" - "pNN.NN" - "tmNN.NN" | "tm(NN.NN%:NN.NN%)" - "iqm" - "wmNN.NN" | "wm(NN.NN%:NN.NN%)" - "tcNN.NN" | "tc(NN.NN%:NN.NN%)" - "tsNN.NN" | "ts(NN.NN%:NN.NN%)" Default: Average
         :param unit: Unit used to filter the metric stream. Only refer to datums emitted to the metric stream with the given unit and ignore all others. Only useful when datums are being emitted to the same metric stream under different units. The default is to use all matric datums in the stream, regardless of unit, which is recommended in nearly all cases. CloudWatch does not honor this property for graphs. Default: - All metric datums in the given metric stream
+        :param visible: Whether this metric should be visible in dashboard graphs. Setting this to false is useful when you want to hide raw metrics that are used in math expressions, and show only the expression results. Default: true
         '''
         props = _MetricOptions_1788b62f(
             account=account,
             color=color,
             dimensions_map=dimensions_map,
+            id=id,
             label=label,
             period=period,
             region=region,
@@ -2320,6 +2489,7 @@ class Certificate(
             stack_region=stack_region,
             statistic=statistic,
             unit=unit,
+            visible=visible,
         )
 
         return typing.cast(_Metric_e396a4dc, jsii.invoke(self, "metricDaysToExpiry", [props]))
@@ -2378,6 +2548,7 @@ class DnsValidatedCertificate(
             hosted_zone=hosted_zone,
         
             # the properties below are optional
+            allow_export=False,
             certificate_name="certificateName",
             cleanup_route53_records=False,
             custom_resource_role=role,
@@ -2401,6 +2572,7 @@ class DnsValidatedCertificate(
         region: typing.Optional[builtins.str] = None,
         route53_endpoint: typing.Optional[builtins.str] = None,
         domain_name: builtins.str,
+        allow_export: typing.Optional[builtins.bool] = None,
         certificate_name: typing.Optional[builtins.str] = None,
         key_algorithm: typing.Optional[KeyAlgorithm] = None,
         subject_alternative_names: typing.Optional[typing.Sequence[builtins.str]] = None,
@@ -2416,6 +2588,7 @@ class DnsValidatedCertificate(
         :param region: AWS region that will host the certificate. This is needed especially for certificates used for CloudFront distributions, which require the region to be us-east-1. Default: the region the stack is deployed in.
         :param route53_endpoint: An endpoint of Route53 service, which is not necessary as AWS SDK could figure out the right endpoints for most regions, but for some regions such as those in aws-cn partition, the default endpoint is not working now, hence the right endpoint need to be specified through this prop. Route53 is not been officially launched in China, it is only available for AWS internal accounts now. To make DnsValidatedCertificate work for internal accounts now, a special endpoint needs to be provided. Default: - The AWS SDK will determine the Route53 endpoint to use based on region
         :param domain_name: Fully-qualified domain name to request a certificate for. May contain wildcards, such as ``*.domain.com``.
+        :param allow_export: Enable or disable export of this certificate. If you issue an exportable public certificate, there is a charge at certificate issuance and again when the certificate renews. Ref: https://aws.amazon.com/certificate-manager/pricing Default: false
         :param certificate_name: The Certificate name. Since the Certificate resource doesn't support providing a physical name, the value provided here will be recorded in the ``Name`` tag Default: the full, absolute path of this construct
         :param key_algorithm: Specifies the algorithm of the public and private key pair that your certificate uses to encrypt data. Default: KeyAlgorithm.RSA_2048
         :param subject_alternative_names: Alternative domain names on your certificate. Use this to register alternative domain names that represent the same site. Default: - No additional FQDNs will be included as alternative domain names.
@@ -2435,6 +2608,7 @@ class DnsValidatedCertificate(
             region=region,
             route53_endpoint=route53_endpoint,
             domain_name=domain_name,
+            allow_export=allow_export,
             certificate_name=certificate_name,
             key_algorithm=key_algorithm,
             subject_alternative_names=subject_alternative_names,
@@ -2472,6 +2646,7 @@ class DnsValidatedCertificate(
         account: typing.Optional[builtins.str] = None,
         color: typing.Optional[builtins.str] = None,
         dimensions_map: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
+        id: typing.Optional[builtins.str] = None,
         label: typing.Optional[builtins.str] = None,
         period: typing.Optional[_Duration_4839e8c3] = None,
         region: typing.Optional[builtins.str] = None,
@@ -2479,6 +2654,7 @@ class DnsValidatedCertificate(
         stack_region: typing.Optional[builtins.str] = None,
         statistic: typing.Optional[builtins.str] = None,
         unit: typing.Optional[_Unit_61bc6f70] = None,
+        visible: typing.Optional[builtins.bool] = None,
     ) -> _Metric_e396a4dc:
         '''(deprecated) Return the DaysToExpiry metric for this AWS Certificate Manager Certificate. By default, this is the minimum value over 1 day.
 
@@ -2489,6 +2665,7 @@ class DnsValidatedCertificate(
         :param account: Account which this metric comes from. Default: - Deployment account.
         :param color: The hex color code, prefixed with '#' (e.g. '#00ff00'), to use when this metric is rendered on a graph. The ``Color`` class has a set of standard colors that can be used here. Default: - Automatic color
         :param dimensions_map: Dimensions of the metric. Default: - No dimensions.
+        :param id: Unique identifier for this metric when used in dashboard widgets. The id can be used as a variable to represent this metric in math expressions. Valid characters are letters, numbers, and underscore. The first character must be a lowercase letter. Default: - No ID
         :param label: Label for this metric when added to a Graph in a Dashboard. You can use `dynamic labels <https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/graph-dynamic-labels.html>`_ to show summary information about the entire displayed time series in the legend. For example, if you use:: [max: ${MAX}] MyMetric As the metric label, the maximum value in the visible range will be shown next to the time series name in the graph's legend. Default: - No label
         :param period: The period over which the specified statistic is applied. Default: Duration.minutes(5)
         :param region: Region which this metric comes from. Default: - Deployment region.
@@ -2496,6 +2673,7 @@ class DnsValidatedCertificate(
         :param stack_region: Region of the stack this metric is attached to. Default: - Deployment region.
         :param statistic: What function to use for aggregating. Use the ``aws_cloudwatch.Stats`` helper class to construct valid input strings. Can be one of the following: - "Minimum" | "min" - "Maximum" | "max" - "Average" | "avg" - "Sum" | "sum" - "SampleCount | "n" - "pNN.NN" - "tmNN.NN" | "tm(NN.NN%:NN.NN%)" - "iqm" - "wmNN.NN" | "wm(NN.NN%:NN.NN%)" - "tcNN.NN" | "tc(NN.NN%:NN.NN%)" - "tsNN.NN" | "ts(NN.NN%:NN.NN%)" Default: Average
         :param unit: Unit used to filter the metric stream. Only refer to datums emitted to the metric stream with the given unit and ignore all others. Only useful when datums are being emitted to the same metric stream under different units. The default is to use all matric datums in the stream, regardless of unit, which is recommended in nearly all cases. CloudWatch does not honor this property for graphs. Default: - All metric datums in the given metric stream
+        :param visible: Whether this metric should be visible in dashboard graphs. Setting this to false is useful when you want to hide raw metrics that are used in math expressions, and show only the expression results. Default: true
 
         :stability: deprecated
         '''
@@ -2503,6 +2681,7 @@ class DnsValidatedCertificate(
             account=account,
             color=color,
             dimensions_map=dimensions_map,
+            id=id,
             label=label,
             period=period,
             region=region,
@@ -2510,6 +2689,7 @@ class DnsValidatedCertificate(
             stack_region=stack_region,
             statistic=statistic,
             unit=unit,
+            visible=visible,
         )
 
         return typing.cast(_Metric_e396a4dc, jsii.invoke(self, "metricDaysToExpiry", [props]))
@@ -2575,6 +2755,7 @@ publication.publish()
 def _typecheckingstub__0454180af2ed6575d11cf361cd5374f722ba32d4007970472aca57751d85258f(
     *,
     domain_name: builtins.str,
+    allow_export: typing.Optional[builtins.bool] = None,
     certificate_name: typing.Optional[builtins.str] = None,
     key_algorithm: typing.Optional[KeyAlgorithm] = None,
     subject_alternative_names: typing.Optional[typing.Sequence[builtins.str]] = None,
@@ -2659,6 +2840,7 @@ def _typecheckingstub__6f094b3f6a318b9501162c46d45eaf42466c16a9c333dd4021dc90258
     *,
     domain_name: builtins.str,
     certificate_authority_arn: typing.Optional[builtins.str] = None,
+    certificate_export: typing.Optional[builtins.str] = None,
     certificate_transparency_logging_preference: typing.Optional[builtins.str] = None,
     domain_validation_options: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Sequence[typing.Union[_IResolvable_da3f097b, typing.Union[CfnCertificate.DomainValidationOptionProperty, typing.Dict[builtins.str, typing.Any]]]]]] = None,
     key_algorithm: typing.Optional[builtins.str] = None,
@@ -2669,6 +2851,14 @@ def _typecheckingstub__6f094b3f6a318b9501162c46d45eaf42466c16a9c333dd4021dc90258
     """Type checking stubs"""
     pass
 
+def _typecheckingstub__74ad5174285b28bb947e64c6319be4642c1bb37681ea5d0d736a58181c45689e(
+    scope: _constructs_77d1e7e8.Construct,
+    id: builtins.str,
+    certificate_id: builtins.str,
+) -> None:
+    """Type checking stubs"""
+    pass
+
 def _typecheckingstub__6cc2233ca7729f72437c57a4d626536c7b9150faa120045db48045a6b05d1e2a(
     inspector: _TreeInspector_488e0dd5,
 ) -> None:
@@ -2693,6 +2883,12 @@ def _typecheckingstub__58a46e864da863431c56823a56fc6f403857fef239765fe1b0400f623
     """Type checking stubs"""
     pass
 
+def _typecheckingstub__d950c422d5c6ee00cbcc4b8b9fb7d0b251571a9084cb4b6e68065e797e461b4a(
+    value: typing.Optional[builtins.str],
+) -> None:
+    """Type checking stubs"""
+    pass
+
 def _typecheckingstub__f6946e1448636db36ed5e4ce9c801fc6db4c58d0f89d88789b24f93a2628abc0(
     value: typing.Optional[builtins.str],
 ) -> None:
@@ -2742,6 +2938,7 @@ def _typecheckingstub__0e42a641d895acaee35ba9ec88335a357b8cbfb64b98867f1792ccd63
     *,
     domain_name: builtins.str,
     certificate_authority_arn: typing.Optional[builtins.str] = None,
+    certificate_export: typing.Optional[builtins.str] = None,
     certificate_transparency_logging_preference: typing.Optional[builtins.str] = None,
     domain_validation_options: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Sequence[typing.Union[_IResolvable_da3f097b, typing.Union[CfnCertificate.DomainValidationOptionProperty, typing.Dict[builtins.str, typing.Any]]]]]] = None,
     key_algorithm: typing.Optional[builtins.str] = None,
@@ -2755,6 +2952,7 @@ def _typecheckingstub__0e42a641d895acaee35ba9ec88335a357b8cbfb64b98867f1792ccd63
 def _typecheckingstub__f8749c95da859ba878861eff7c4231de11fa86681f0df8dbe02a3b4e4f5128b6(
     *,
     domain_name: builtins.str,
+    allow_export: typing.Optional[builtins.bool] = None,
     certificate_name: typing.Optional[builtins.str] = None,
     key_algorithm: typing.Optional[KeyAlgorithm] = None,
     subject_alternative_names: typing.Optional[typing.Sequence[builtins.str]] = None,
@@ -2781,6 +2979,7 @@ def _typecheckingstub__f15cee4bdac8e70000027c8ca1386d49408a399d3919aa965c46bb68f
     *,
     certificate_authority: _ICertificateAuthority_26727cab,
     domain_name: builtins.str,
+    allow_export: typing.Optional[builtins.bool] = None,
     key_algorithm: typing.Optional[KeyAlgorithm] = None,
     subject_alternative_names: typing.Optional[typing.Sequence[builtins.str]] = None,
 ) -> None:
@@ -2799,6 +2998,7 @@ def _typecheckingstub__74588c43933e5f34a3203601cc823ca974676f71701280dcd43e9f037
     *,
     certificate_authority: _ICertificateAuthority_26727cab,
     domain_name: builtins.str,
+    allow_export: typing.Optional[builtins.bool] = None,
     key_algorithm: typing.Optional[KeyAlgorithm] = None,
     subject_alternative_names: typing.Optional[typing.Sequence[builtins.str]] = None,
 ) -> None:
@@ -2810,6 +3010,7 @@ def _typecheckingstub__64139efa4ed87482ec95b7e38ad6cf94c6873d02b05ba33c374316868
     id: builtins.str,
     *,
     domain_name: builtins.str,
+    allow_export: typing.Optional[builtins.bool] = None,
     certificate_name: typing.Optional[builtins.str] = None,
     key_algorithm: typing.Optional[KeyAlgorithm] = None,
     subject_alternative_names: typing.Optional[typing.Sequence[builtins.str]] = None,
@@ -2837,6 +3038,7 @@ def _typecheckingstub__9ce11c00a812f11e5a7783956e3e90d7c684153bef62852779a324183
     region: typing.Optional[builtins.str] = None,
     route53_endpoint: typing.Optional[builtins.str] = None,
     domain_name: builtins.str,
+    allow_export: typing.Optional[builtins.bool] = None,
     certificate_name: typing.Optional[builtins.str] = None,
     key_algorithm: typing.Optional[KeyAlgorithm] = None,
     subject_alternative_names: typing.Optional[typing.Sequence[builtins.str]] = None,
@@ -2851,3 +3053,6 @@ def _typecheckingstub__ba22afa55d26d44bc7ab216beab4c3cde2bb1d3e614622e603aa02f7a
 ) -> None:
     """Type checking stubs"""
     pass
+
+for cls in [ICertificate]:
+    typing.cast(typing.Any, cls).__protocol_attrs__ = typing.cast(typing.Any, cls).__protocol_attrs__ - set(['__jsii_proxy_class__', '__jsii_type__'])