aws-sdk-acmpca 1.27.0 → 1.32.0

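--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 7939b87eaa530aded1e2ae7c853b96ca3e83a80e1b465020ff96d6bd4889947f
-  data.tar.gz: 7dcfc9b294fc6285b948742f513fac2e99a7d9feb751136df7a82a1275fa0f55
+  metadata.gz: dc98acc54b80d947d407c145b5f09f400dad5a8b943019e3b8c9bcd008f2b2c7
+  data.tar.gz: 5625afa10f80568e15a65cec8fce964cebe02a72ffeb314d9ec95374a073d012
 SHA512:
-  metadata.gz: 32c5f502ee882b834a83626efaaa28dc7fe74975f9762c242470d5b21dde853f848b54628e838b09815f92bbaf906d0b764956ccf0f9b6114ea57f4379a77526
-  data.tar.gz: 9575bcbd1baef4e9d5f09c15b5109ad51112d3aca19a3ab0c826bcfc3639992045a155a59ea97eb2f72ff420f8be7e359dda1e9f83edd8ef552ef2716f5603e5
+  metadata.gz: 774424f9c13f043e133ee64be2b4d302d7797645b9d51075aea543f1c215deab51c914473d9f93b6a4d52942974a108c1e69f0946a65e66a1d3c635cab1d7d11
+  data.tar.gz: ea1de9d25fd213799a2a277027d62ca35f445a79cc4e2c23553dd182f16c9e8a93f086ffe040dcdd28449c283a5113e3d37fed4b474475d3acac8f4f42272af0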
@@ -7,6 +7,7 @@
7
7
  #
8
8
  # WARNING ABOUT GENERATED CODE
9
9
 
10
+
10
11
  require 'aws-sdk-core'
11
12
  require 'aws-sigv4'
12
13
 
@@ -45,9 +46,9 @@ require_relative 'aws-sdk-acmpca/customizations'
45
46
  #
46
47
  # See {Errors} for more information.
47
48
  #
48
- # @service
49
+ # @!group service
49
50
  module Aws::ACMPCA
50
51
 
51
- GEM_VERSION = '1.27.0'
52
+ GEM_VERSION = '1.32.0'
52
53
 
53
54
  end
@@ -85,13 +85,28 @@ module Aws::ACMPCA
85
85
  # * `Aws::Credentials` - Used for configuring static, non-refreshing
86
86
  # credentials.
87
87
  #
88
+ # * `Aws::SharedCredentials` - Used for loading static credentials from a
89
+ # shared file, such as `~/.aws/config`.
90
+ #
91
+ # * `Aws::AssumeRoleCredentials` - Used when you need to assume a role.
92
+ #
93
+ # * `Aws::AssumeRoleWebIdentityCredentials` - Used when you need to
94
+ # assume a role after providing credentials via the web.
95
+ #
96
+ # * `Aws::SSOCredentials` - Used for loading credentials from AWS SSO using an
97
+ # access token generated from `aws login`.
98
+ #
99
+ # * `Aws::ProcessCredentials` - Used for loading credentials from a
100
+ # process that outputs to stdout.
101
+ #
88
102
  # * `Aws::InstanceProfileCredentials` - Used for loading credentials
89
103
  # from an EC2 IMDS on an EC2 instance.
90
104
  #
91
- # * `Aws::SharedCredentials` - Used for loading credentials from a
92
- # shared file, such as `~/.aws/config`.
105
+ # * `Aws::ECSCredentials` - Used for loading credentials from
106
+ # instances running in ECS.
93
107
  #
94
- # * `Aws::AssumeRoleCredentials` - Used when you need to assume a role.
108
+ # * `Aws::CognitoIdentityCredentials` - Used for loading credentials
109
+ # from the Cognito Identity service.
95
110
  #
96
111
  # When `:credentials` are not configured directly, the following
97
112
  # locations will be searched for credentials:
@@ -101,10 +116,10 @@ module Aws::ACMPCA
101
116
  # * ENV['AWS_ACCESS_KEY_ID'], ENV['AWS_SECRET_ACCESS_KEY']
102
117
  # * `~/.aws/credentials`
103
118
  # * `~/.aws/config`
104
- # * EC2 IMDS instance profile - When used by default, the timeouts are
105
- # very aggressive. Construct and pass an instance of
106
- # `Aws::InstanceProfileCredentails` to enable retries and extended
107
- # timeouts.
119
+ # * EC2/ECS IMDS instance profile - When used by default, the timeouts
120
+ # are very aggressive. Construct and pass an instance of
121
+ # `Aws::InstanceProfileCredentails` or `Aws::ECSCredentials` to
122
+ # enable retries and extended timeouts.
108
123
  #
109
124
  # @option options [required, String] :region
110
125
  # The AWS region to connect to. The configured `:region` is
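Review bot: The rewritten EC2/ECS IMDS bullet still carries the misspelled class name `Aws::InstanceProfileCredentails`, while the credentials list earlier in the same docstring spells it `Aws::InstanceProfileCredentials`; anyone who copies the name from this docstring into code would reference a constant that does not exist. The added line should read `# `Aws::InstanceProfileCredentials` or `Aws::ECSCredentials` to`. Since the file header warns that this is generated code, the correction presumably has to be made in the upstream source text rather than in this file.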
@@ -370,12 +385,14 @@ module Aws::ACMPCA
370
385
  # The type of the certificate authority.
371
386
  #
372
387
  # @option params [String] :idempotency_token
373
- # Alphanumeric string that can be used to distinguish between calls to
374
- # **CreateCertificateAuthority**. For a given token, ACM Private CA
375
- # creates exactly one CA. If you issue a subsequent call using the same
376
- # token, ACM Private CA returns the ARN of the existing CA and takes no
377
- # further action. If you change the idempotency token across multiple
378
- # calls, ACM Private CA creates a unique CA for each unique token.
388
+ # Custom string that can be used to distinguish between calls to the
389
+ # **CreateCertificateAuthority** action. Idempotency tokens for
390
+ # **CreateCertificateAuthority** time out after five minutes. Therefore,
391
+ # if you call **CreateCertificateAuthority** multiple times with the
392
+ # same idempotency token within five minutes, ACM Private CA recognizes
393
+ # that you are requesting only certificate authority and will issue only
394
+ # one. If you change the idempotency token for each call, PCA recognizes
395
+ # that you are requesting multiple certificate authorities.
379
396
  #
380
397
  # @option params [Array<Types::Tag>] :tags
381
398
  # Key-value pairs that will be attached to the new private CA. You can
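Review bot: The new `:idempotency_token` description for `create_certificate_authority` drops a word in "ACM Private CA recognizes that you are requesting only certificate authority and will issue only one", which no longer parses. It should say "requesting only one certificate authority", i.e. `# that you are requesting only one certificate authority and will issue` followed by `# only one. If you change the idempotency token for each call, PCA recognizes`. As this is generated documentation, the fix presumably belongs in the upstream API model text.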
@@ -413,6 +430,58 @@ module Aws::ACMPCA
413
430
  # pseudonym: "String128",
414
431
  # generation_qualifier: "String3",
415
432
  # },
433
+ # csr_extensions: {
434
+ # key_usage: {
435
+ # digital_signature: false,
436
+ # non_repudiation: false,
437
+ # key_encipherment: false,
438
+ # data_encipherment: false,
439
+ # key_agreement: false,
440
+ # key_cert_sign: false,
441
+ # crl_sign: false,
442
+ # encipher_only: false,
443
+ # decipher_only: false,
444
+ # },
445
+ # subject_information_access: [
446
+ # {
447
+ # access_method: { # required
448
+ # custom_object_identifier: "CustomObjectIdentifier",
449
+ # access_method_type: "CA_REPOSITORY", # accepts CA_REPOSITORY, RESOURCE_PKI_MANIFEST, RESOURCE_PKI_NOTIFY
450
+ # },
451
+ # access_location: { # required
452
+ # other_name: {
453
+ # type_id: "CustomObjectIdentifier", # required
454
+ # value: "String256", # required
455
+ # },
456
+ # rfc_822_name: "String256",
457
+ # dns_name: "String253",
458
+ # directory_name: {
459
+ # country: "CountryCodeString",
460
+ # organization: "String64",
461
+ # organizational_unit: "String64",
462
+ # distinguished_name_qualifier: "ASN1PrintableString64",
463
+ # state: "String128",
464
+ # common_name: "String64",
465
+ # serial_number: "ASN1PrintableString64",
466
+ # locality: "String128",
467
+ # title: "String64",
468
+ # surname: "String40",
469
+ # given_name: "String16",
470
+ # initials: "String5",
471
+ # pseudonym: "String128",
472
+ # generation_qualifier: "String3",
473
+ # },
474
+ # edi_party_name: {
475
+ # party_name: "String256", # required
476
+ # name_assigner: "String256",
477
+ # },
478
+ # uniform_resource_identifier: "String253",
479
+ # ip_address: "String39",
480
+ # registered_id: "CustomObjectIdentifier",
481
+ # },
482
+ # },
483
+ # ],
484
+ # },
416
485
  # },
417
486
  # revocation_configuration: {
418
487
  # crl_configuration: {
@@ -532,12 +601,13 @@ module Aws::ACMPCA
532
601
  # renewals. Instead, the ACM certificate owner must set up a
533
602
  # resource-based policy to enable cross-account issuance and renewals.
534
603
  # For more information, see [Using a Resource Based Policy with ACM
535
- # Private CA](acm-pca/latest/userguide/pca-rbp.html).
604
+ # Private CA][3].
536
605
  #
537
606
  #
538
607
  #
539
608
  # [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_ListPermissions.html
540
609
  # [2]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_DeletePermission.html
610
+ # [3]: https://docs.aws.amazon.com/acm-pca/latest/userguide/pca-rbp.html
541
611
  #
542
612
  # @option params [required, String] :certificate_authority_arn
543
613
  # The Amazon Resource Name (ARN) of the CA that grants the permissions.
@@ -680,12 +750,13 @@ module Aws::ACMPCA
680
750
  # renewals. Instead, the ACM certificate owner must set up a
681
751
  # resource-based policy to enable cross-account issuance and renewals.
682
752
  # For more information, see [Using a Resource Based Policy with ACM
683
- # Private CA](acm-pca/latest/userguide/pca-rbp.html).
753
+ # Private CA][3].
684
754
  #
685
755
  #
686
756
  #
687
757
  # [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_CreatePermission.html
688
758
  # [2]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_ListPermissions.html
759
+ # [3]: https://docs.aws.amazon.com/acm-pca/latest/userguide/pca-rbp.html
689
760
  #
690
761
  # @option params [required, String] :certificate_authority_arn
691
762
  # The Amazon Resource Number (ARN) of the private CA that issued the
@@ -745,8 +816,7 @@ module Aws::ACMPCA
745
816
  # * A policy grants access on a private CA to an AWS customer account,
746
817
  # to AWS Organizations, or to an AWS Organizations unit. Policies are
747
818
  # under the control of a CA administrator. For more information, see
748
- # [Using a Resource Based Policy with ACM Private
749
- # CA](acm-pca/latest/userguide/pca-rbp.html).
819
+ # [Using a Resource Based Policy with ACM Private CA][3].
750
820
  #
751
821
  # * A policy permits a user of AWS Certificate Manager (ACM) to issue
752
822
  # ACM certificates signed by a CA in another account.
@@ -755,18 +825,19 @@ module Aws::ACMPCA
755
825
  # user must configure a Service Linked Role (SLR). The SLR allows the
756
826
  # ACM service to assume the identity of the user, subject to
757
827
  # confirmation against the ACM Private CA policy. For more
758
- # information, see [Using a Service Linked Role with ACM][3].
828
+ # information, see [Using a Service Linked Role with ACM][4].
759
829
  #
760
830
  # * Updates made in AWS Resource Manager (RAM) are reflected in
761
- # policies. For more information, see [Using AWS Resource Access
762
- # Manager (RAM) with ACM Private
763
- # CA](acm-pca/latest/userguide/pca-ram.html).
831
+ # policies. For more information, see [Attach a Policy for
832
+ # Cross-Account Access][5].
764
833
  #
765
834
  #
766
835
  #
767
836
  # [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_GetPolicy.html
768
837
  # [2]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_PutPolicy.html
769
- # [3]: https://docs.aws.amazon.com/acm/latest/userguide/acm-slr.html
838
+ # [3]: https://docs.aws.amazon.com/acm-pca/latest/userguide/pca-rbp.html
839
+ # [4]: https://docs.aws.amazon.com/acm/latest/userguide/acm-slr.html
840
+ # [5]: https://docs.aws.amazon.com/acm-pca/latest/userguide/pca-ram.html
770
841
  #
771
842
  # @option params [required, String] :resource_arn
772
843
  # The Amazon Resource Number (ARN) of the private CA that will have its
@@ -815,7 +886,7 @@ module Aws::ACMPCA
815
886
  # * `EXPIRED` - Your private CA certificate has expired.
816
887
  #
817
888
  # * `FAILED` - Your private CA has failed. Your CA can fail because of
818
- # problems such a network outage or backend AWS failure or other
889
+ # problems such a network outage or back-end AWS failure or other
819
890
  # errors. A failed CA can never return to the pending state. You must
820
891
  # create a new CA.
821
892
  #
@@ -872,6 +943,41 @@ module Aws::ACMPCA
872
943
  # resp.certificate_authority.certificate_authority_configuration.subject.initials #=> String
873
944
  # resp.certificate_authority.certificate_authority_configuration.subject.pseudonym #=> String
874
945
  # resp.certificate_authority.certificate_authority_configuration.subject.generation_qualifier #=> String
946
+ # resp.certificate_authority.certificate_authority_configuration.csr_extensions.key_usage.digital_signature #=> Boolean
947
+ # resp.certificate_authority.certificate_authority_configuration.csr_extensions.key_usage.non_repudiation #=> Boolean
948
+ # resp.certificate_authority.certificate_authority_configuration.csr_extensions.key_usage.key_encipherment #=> Boolean
949
+ # resp.certificate_authority.certificate_authority_configuration.csr_extensions.key_usage.data_encipherment #=> Boolean
950
+ # resp.certificate_authority.certificate_authority_configuration.csr_extensions.key_usage.key_agreement #=> Boolean
951
+ # resp.certificate_authority.certificate_authority_configuration.csr_extensions.key_usage.key_cert_sign #=> Boolean
952
+ # resp.certificate_authority.certificate_authority_configuration.csr_extensions.key_usage.crl_sign #=> Boolean
953
+ # resp.certificate_authority.certificate_authority_configuration.csr_extensions.key_usage.encipher_only #=> Boolean
954
+ # resp.certificate_authority.certificate_authority_configuration.csr_extensions.key_usage.decipher_only #=> Boolean
955
+ # resp.certificate_authority.certificate_authority_configuration.csr_extensions.subject_information_access #=> Array
956
+ # resp.certificate_authority.certificate_authority_configuration.csr_extensions.subject_information_access[0].access_method.custom_object_identifier #=> String
957
+ # resp.certificate_authority.certificate_authority_configuration.csr_extensions.subject_information_access[0].access_method.access_method_type #=> String, one of "CA_REPOSITORY", "RESOURCE_PKI_MANIFEST", "RESOURCE_PKI_NOTIFY"
958
+ # resp.certificate_authority.certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.other_name.type_id #=> String
959
+ # resp.certificate_authority.certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.other_name.value #=> String
960
+ # resp.certificate_authority.certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.rfc_822_name #=> String
961
+ # resp.certificate_authority.certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.dns_name #=> String
962
+ # resp.certificate_authority.certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.directory_name.country #=> String
963
+ # resp.certificate_authority.certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.directory_name.organization #=> String
964
+ # resp.certificate_authority.certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.directory_name.organizational_unit #=> String
965
+ # resp.certificate_authority.certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.directory_name.distinguished_name_qualifier #=> String
966
+ # resp.certificate_authority.certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.directory_name.state #=> String
967
+ # resp.certificate_authority.certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.directory_name.common_name #=> String
968
+ # resp.certificate_authority.certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.directory_name.serial_number #=> String
969
+ # resp.certificate_authority.certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.directory_name.locality #=> String
970
+ # resp.certificate_authority.certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.directory_name.title #=> String
971
+ # resp.certificate_authority.certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.directory_name.surname #=> String
972
+ # resp.certificate_authority.certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.directory_name.given_name #=> String
973
+ # resp.certificate_authority.certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.directory_name.initials #=> String
974
+ # resp.certificate_authority.certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.directory_name.pseudonym #=> String
975
+ # resp.certificate_authority.certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.directory_name.generation_qualifier #=> String
976
+ # resp.certificate_authority.certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.edi_party_name.party_name #=> String
977
+ # resp.certificate_authority.certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.edi_party_name.name_assigner #=> String
978
+ # resp.certificate_authority.certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.uniform_resource_identifier #=> String
979
+ # resp.certificate_authority.certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.ip_address #=> String
980
+ # resp.certificate_authority.certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.registered_id #=> String
875
981
  # resp.certificate_authority.revocation_configuration.crl_configuration.enabled #=> Boolean
876
982
  # resp.certificate_authority.revocation_configuration.crl_configuration.expiration_in_days #=> Integer
877
983
  # resp.certificate_authority.revocation_configuration.crl_configuration.custom_cname #=> String
@@ -1108,16 +1214,14 @@ module Aws::ACMPCA
1108
1214
  # action returns a `ResourceNotFoundException`.
1109
1215
  #
1110
1216
  # The policy can be attached or updated with [PutPolicy][1] and removed
1111
- # with
1112
- # [DeletePolicy](acm-pca/latest/APIReference/API_DeletePolicy.html).
1217
+ # with [DeletePolicy][2].
1113
1218
  #
1114
1219
  # **About Policies**
1115
1220
  #
1116
1221
  # * A policy grants access on a private CA to an AWS customer account,
1117
1222
  # to AWS Organizations, or to an AWS Organizations unit. Policies are
1118
1223
  # under the control of a CA administrator. For more information, see
1119
- # [Using a Resource Based Policy with ACM Private
1120
- # CA](acm-pca/latest/userguide/pca-rbp.html).
1224
+ # [Using a Resource Based Policy with ACM Private CA][3].
1121
1225
  #
1122
1226
  # * A policy permits a user of AWS Certificate Manager (ACM) to issue
1123
1227
  # ACM certificates signed by a CA in another account.
@@ -1126,17 +1230,19 @@ module Aws::ACMPCA
1126
1230
  # user must configure a Service Linked Role (SLR). The SLR allows the
1127
1231
  # ACM service to assume the identity of the user, subject to
1128
1232
  # confirmation against the ACM Private CA policy. For more
1129
- # information, see [Using a Service Linked Role with ACM][2].
1233
+ # information, see [Using a Service Linked Role with ACM][4].
1130
1234
  #
1131
1235
  # * Updates made in AWS Resource Manager (RAM) are reflected in
1132
- # policies. For more information, see [Using AWS Resource Access
1133
- # Manager (RAM) with ACM Private
1134
- # CA](acm-pca/latest/userguide/pca-ram.html).
1236
+ # policies. For more information, see [Attach a Policy for
1237
+ # Cross-Account Access][5].
1135
1238
  #
1136
1239
  #
1137
1240
  #
1138
1241
  # [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_PutPolicy.html
1139
- # [2]: https://docs.aws.amazon.com/acm/latest/userguide/acm-slr.html
1242
+ # [2]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_DeletePolicy.html
1243
+ # [3]: https://docs.aws.amazon.com/acm-pca/latest/userguide/pca-rbp.html
1244
+ # [4]: https://docs.aws.amazon.com/acm/latest/userguide/acm-slr.html
1245
+ # [5]: https://docs.aws.amazon.com/acm-pca/latest/userguide/pca-ram.html
1140
1246
  #
1141
1247
  # @option params [required, String] :resource_arn
1142
1248
  # The Amazon Resource Number (ARN) of the private CA that will have its
@@ -1172,8 +1278,8 @@ module Aws::ACMPCA
1172
1278
  # following preparations must in place:
1173
1279
  #
1174
1280
  # 1. In ACM Private CA, call the [CreateCertificateAuthority][1] action
1175
- # to create the private CA that that you plan to back with the
1176
- # imported certificate.
1281
+ # to create the private CA that you plan to back with the imported
1282
+ # certificate.
1177
1283
  #
1178
1284
  # 2. Call the [GetCertificateAuthorityCsr][2] action to generate a
1179
1285
  # certificate signing request (CSR).
@@ -1184,22 +1290,31 @@ module Aws::ACMPCA
1184
1290
  # 4. Create a certificate chain and copy the signed certificate and the
1185
1291
  # certificate chain to your working directory.
1186
1292
  #
1187
- # The following requirements apply when you import a CA certificate.
1293
+ # ACM Private CA supports three scenarios for installing a CA
1294
+ # certificate:
1295
+ #
1296
+ # * Installing a certificate for a root CA hosted by ACM Private CA.
1297
+ #
1298
+ # * Installing a subordinate CA certificate whose parent authority is
1299
+ # hosted by ACM Private CA.
1300
+ #
1301
+ # * Installing a subordinate CA certificate whose parent authority is
1302
+ # externally hosted.
1188
1303
  #
1189
- # * You cannot import a non-self-signed certificate for use as a root
1190
- # CA.
1304
+ # The following additional requirements apply when you import a CA
1305
+ # certificate.
1191
1306
  #
1192
- # * You cannot import a self-signed certificate for use as a subordinate
1193
- # CA.
1307
+ # * Only a self-signed certificate can be imported as a root CA.
1308
+ #
1309
+ # * A self-signed certificate cannot be imported as a subordinate CA.
1194
1310
  #
1195
1311
  # * Your certificate chain must not include the private CA certificate
1196
1312
  # that you are importing.
1197
1313
  #
1198
- # * Your ACM Private CA-hosted or on-premises CA certificate must be the
1199
- # last certificate in your chain. The subordinate certificate, if any,
1200
- # that your root CA signed must be next to last. The subordinate
1201
- # certificate signed by the preceding subordinate CA must come next,
1202
- # and so on until your chain is built.
1314
+ # * Your root CA must be the last certificate in your chain. The
1315
+ # subordinate certificate, if any, that your root CA signed must be
1316
+ # next to last. The subordinate certificate signed by the preceding
1317
+ # subordinate CA must come next, and so on until your chain is built.
1203
1318
  #
1204
1319
  # * The chain must be PEM-encoded.
1205
1320
  #
@@ -1316,6 +1431,21 @@ module Aws::ACMPCA
1316
1431
  #
1317
1432
  # [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_GetCertificate.html
1318
1433
  #
1434
+ # @option params [Types::ApiPassthrough] :api_passthrough
1435
+ # Specifies X.509 certificate information to be included in the issued
1436
+ # certificate. An `APIPassthrough` or `APICSRPassthrough` template
1437
+ # variant must be selected, or else this parameter is ignored. For more
1438
+ # information about using these templates, see [Understanding
1439
+ # Certificate Templates][1].
1440
+ #
1441
+ # If conflicting or duplicate certificate information is supplied during
1442
+ # certificate issuance, ACM Private CA applies [order of operation
1443
+ # rules](xxxxx) to determine what information is used.
1444
+ #
1445
+ #
1446
+ #
1447
+ # [1]: https://docs.aws.amazon.com/acm-pca/latest/userguide/UsingTemplates.html
1448
+ #
1319
1449
  # @option params [required, String] :certificate_authority_arn
1320
1450
  # The Amazon Resource Name (ARN) that was returned when you called
1321
1451
  # [CreateCertificateAuthority][1]. This must be of the form:
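Review bot: The new `:api_passthrough` option text ships with a placeholder link target, `[order of operation rules](xxxxx)`, so the rendered YARD docs will point users at a dead link for exactly the behaviour (how conflicting or duplicate certificate fields are resolved) that matters most when a passthrough template is used. It should become a reference-style link like the others in this block, `[order of operation rules][2]`, with a second reference line `# [2]: <URL of the order-of-operations documentation page>` added after the existing `[1]` entry; the real URL is not on this page and has to be looked up. Given the generated-code warning at the top of the file, this placeholder most likely originates in the upstream API model and should be fixed there as well.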
@@ -1329,15 +1459,15 @@ module Aws::ACMPCA
1329
1459
  #
1330
1460
  # @option params [required, String, StringIO, File] :csr
1331
1461
  # The certificate signing request (CSR) for the certificate you want to
1332
- # issue. You can use the following OpenSSL command to create the CSR and
1333
- # a 2048 bit RSA private key.
1462
+ # issue. As an example, you can use the following OpenSSL command to
1463
+ # create the CSR and a 2048 bit RSA private key.
1334
1464
  #
1335
1465
  # `openssl req -new -newkey rsa:2048 -days 365 -keyout
1336
1466
  # private/test_cert_priv_key.pem -out csr/test_cert_.csr`
1337
1467
  #
1338
- # If you have a configuration file, you can use the following OpenSSL
1339
- # command. The `usr_cert` block in the configuration file contains your
1340
- # X509 version 3 extensions.
1468
+ # If you have a configuration file, you can then use the following
1469
+ # OpenSSL command. The `usr_cert` block in the configuration file
1470
+ # contains your X509 version 3 extensions.
1341
1471
  #
1342
1472
  # `openssl req -new -config openssl_rsa.cnf -extensions usr_cert -newkey
1343
1473
  # rsa:2048 -days -365 -keyout private/test_cert_priv_key.pem -out
@@ -1351,7 +1481,8 @@ module Aws::ACMPCA
1351
1481
  # be issued.
1352
1482
  #
1353
1483
  # This parameter should not be confused with the `SigningAlgorithm`
1354
- # parameter used to sign a CSR.
1484
+ # parameter used to sign a CSR in the `CreateCertificateAuthority`
1485
+ # action.
1355
1486
  #
1356
1487
  # @option params [String] :template_arn
1357
1488
  # Specifies a custom configuration template to use when issuing a
@@ -1364,65 +1495,70 @@ module Aws::ACMPCA
1364
1495
  # Note: The CA depth configured on a subordinate CA certificate must not
1365
1496
  # exceed the limit set by its parents in the CA hierarchy.
1366
1497
  #
1367
- # The following service-owned `TemplateArn` values are supported by ACM
1368
- # Private CA:
1369
- #
1370
- # * arn:aws:acm-pca:::template/CodeSigningCertificate/V1
1371
- #
1372
- # * arn:aws:acm-pca:::template/CodeSigningCertificate\_CSRPassthrough/V1
1373
- #
1374
- # * arn:aws:acm-pca:::template/EndEntityCertificate/V1
1375
- #
1376
- # * arn:aws:acm-pca:::template/EndEntityCertificate\_CSRPassthrough/V1
1377
- #
1378
- # * arn:aws:acm-pca:::template/EndEntityClientAuthCertificate/V1
1498
+ # For a list of `TemplateArn` values supported by ACM Private CA, see
1499
+ # [Understanding Certificate Templates][2].
1379
1500
  #
1380
- # * arn:aws:acm-pca:::template/EndEntityClientAuthCertificate\_CSRPassthrough/V1
1381
1501
  #
1382
- # * arn:aws:acm-pca:::template/EndEntityServerAuthCertificate/V1
1383
1502
  #
1384
- # * arn:aws:acm-pca:::template/EndEntityServerAuthCertificate\_CSRPassthrough/V1
1503
+ # [1]: https://docs.aws.amazon.com/acm-pca/latest/userguide/PcaTerms.html#terms-cadepth
1504
+ # [2]: https://docs.aws.amazon.com/acm-pca/latest/userguide/UsingTemplates.html
1385
1505
  #
1386
- # * arn:aws:acm-pca:::template/OCSPSigningCertificate/V1
1506
+ # @option params [required, Types::Validity] :validity
1507
+ # Information describing the end of the validity period of the
1508
+ # certificate. This parameter sets the “Not After” date for the
1509
+ # certificate.
1387
1510
  #
1388
- # * arn:aws:acm-pca:::template/OCSPSigningCertificate\_CSRPassthrough/V1
1511
+ # Certificate validity is the period of time during which a certificate
1512
+ # is valid. Validity can be expressed as an explicit date and time when
1513
+ # the certificate expires, or as a span of time after issuance, stated
1514
+ # in days, months, or years. For more information, see [Validity][1] in
1515
+ # RFC 5280.
1389
1516
  #
1390
- # * arn:aws:acm-pca:::template/RootCACertificate/V1
1517
+ # This value is unaffected when `ValidityNotBefore` is also specified.
1518
+ # For example, if `Validity` is set to 20 days in the future, the
1519
+ # certificate will expire 20 days from issuance time regardless of the
1520
+ # `ValidityNotBefore` value.
1391
1521
  #
1392
- # * arn:aws:acm-pca:::template/SubordinateCACertificate\_PathLen0/V1
1522
+ # The end of the validity period configured on a certificate must not
1523
+ # exceed the limit set on its parents in the CA hierarchy.
1393
1524
  #
1394
- # * arn:aws:acm-pca:::template/SubordinateCACertificate\_PathLen1/V1
1395
1525
  #
1396
- # * arn:aws:acm-pca:::template/SubordinateCACertificate\_PathLen2/V1
1397
1526
  #
1398
- # * arn:aws:acm-pca:::template/SubordinateCACertificate\_PathLen3/V1
1527
+ # [1]: https://tools.ietf.org/html/rfc5280#section-4.1.2.5
1399
1528
  #
1400
- # For more information, see [Using Templates][2].
1529
+ # @option params [Types::Validity] :validity_not_before
1530
+ # Information describing the start of the validity period of the
1531
+ # certificate. This parameter sets the “Not Before" date for the
1532
+ # certificate.
1401
1533
  #
1534
+ # By default, when issuing a certificate, ACM Private CA sets the "Not
1535
+ # Before" date to the issuance time minus 60 minutes. This compensates
1536
+ # for clock inconsistencies across computer systems. The
1537
+ # `ValidityNotBefore` parameter can be used to customize the “Not
1538
+ # Before” value.
1402
1539
  #
1540
+ # Unlike the `Validity` parameter, the `ValidityNotBefore` parameter is
1541
+ # optional.
1403
1542
  #
1404
- # [1]: https://docs.aws.amazon.com/acm-pca/latest/userguide/PcaTerms.html#terms-cadepth
1405
- # [2]: https://docs.aws.amazon.com/acm-pca/latest/userguide/UsingTemplates.html
1543
+ # The `ValidityNotBefore` value is expressed as an explicit date and
1544
+ # time, using the `Validity` type value `ABSOLUTE`. For more
1545
+ # information, see [Validity][1] in this API reference and [Validity][2]
1546
+ # in RFC 5280.
1406
1547
  #
1407
- # @option params [required, Types::Validity] :validity
1408
- # Information describing the validity period of the certificate.
1409
1548
  #
1410
- # When issuing a certificate, ACM Private CA sets the "Not Before"
1411
- # date in the validity field to date and time minus 60 minutes. This is
1412
- # intended to compensate for time inconsistencies across systems of 60
1413
- # minutes or less.
1414
1549
  #
1415
- # The validity period configured on a certificate must not exceed the
1416
- # limit set by its parents in the CA hierarchy.
1550
+ # [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_Validity.html
1551
+ # [2]: https://tools.ietf.org/html/rfc5280#section-4.1.2.5
1417
1552
  #
1418
1553
  # @option params [String] :idempotency_token
1419
- # Custom string that can be used to distinguish between calls to the
1420
- # **IssueCertificate** action. Idempotency tokens time out after one
1421
- # hour. Therefore, if you call **IssueCertificate** multiple times with
1422
- # the same idempotency token within 5 minutes, ACM Private CA recognizes
1423
- # that you are requesting only one certificate and will issue only one.
1424
- # If you change the idempotency token for each call, PCA recognizes that
1425
- # you are requesting multiple certificates.
1554
+ # Alphanumeric string that can be used to distinguish between calls to
1555
+ # the **IssueCertificate** action. Idempotency tokens for
1556
+ # **IssueCertificate** time out after one minute. Therefore, if you call
1557
+ # **IssueCertificate** multiple times with the same idempotency token
1558
+ # within one minute, ACM Private CA recognizes that you are requesting
1559
+ # only one certificate and will issue only one. If you change the
1560
+ # idempotency token for each call, PCA recognizes that you are
1561
+ # requesting multiple certificates.
1426
1562
  #
1427
1563
  # @return [Types::IssueCertificateResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
1428
1564
  #
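Review bot: The new `:validity_not_before` description mixes quote styles in `“Not Before"` (curly open, straight close), whereas the `:validity` text above uses `“Not After”` and the later sentence in the same option uses `“Not Before”`; the first line should be `# certificate. This parameter sets the “Not Before” date for the`. The same hunk also rewrites the `:idempotency_token` timeout for `issue_certificate` from "one hour" to "one minute"; that figure comes from the service model and cannot be verified from this page, so callers that rely on the token for de-duplicated retries should confirm it against the current service documentation.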
@@ -1431,6 +1567,89 @@ module Aws::ACMPCA
1431
1567
  # @example Request syntax with placeholder values
1432
1568
  #
1433
1569
  # resp = client.issue_certificate({
1570
+ # api_passthrough: {
1571
+ # extensions: {
1572
+ # certificate_policies: [
1573
+ # {
1574
+ # cert_policy_id: "CustomObjectIdentifier", # required
1575
+ # policy_qualifiers: [
1576
+ # {
1577
+ # policy_qualifier_id: "CPS", # required, accepts CPS
1578
+ # qualifier: { # required
1579
+ # cps_uri: "String256", # required
1580
+ # },
1581
+ # },
1582
+ # ],
1583
+ # },
1584
+ # ],
1585
+ # extended_key_usage: [
1586
+ # {
1587
+ # extended_key_usage_type: "SERVER_AUTH", # accepts SERVER_AUTH, CLIENT_AUTH, CODE_SIGNING, EMAIL_PROTECTION, TIME_STAMPING, OCSP_SIGNING, SMART_CARD_LOGIN, DOCUMENT_SIGNING, CERTIFICATE_TRANSPARENCY
1588
+ # extended_key_usage_object_identifier: "CustomObjectIdentifier",
1589
+ # },
1590
+ # ],
1591
+ # key_usage: {
1592
+ # digital_signature: false,
1593
+ # non_repudiation: false,
1594
+ # key_encipherment: false,
1595
+ # data_encipherment: false,
1596
+ # key_agreement: false,
1597
+ # key_cert_sign: false,
1598
+ # crl_sign: false,
1599
+ # encipher_only: false,
1600
+ # decipher_only: false,
1601
+ # },
1602
+ # subject_alternative_names: [
1603
+ # {
1604
+ # other_name: {
1605
+ # type_id: "CustomObjectIdentifier", # required
1606
+ # value: "String256", # required
1607
+ # },
1608
+ # rfc_822_name: "String256",
1609
+ # dns_name: "String253",
1610
+ # directory_name: {
1611
+ # country: "CountryCodeString",
1612
+ # organization: "String64",
1613
+ # organizational_unit: "String64",
1614
+ # distinguished_name_qualifier: "ASN1PrintableString64",
1615
+ # state: "String128",
1616
+ # common_name: "String64",
1617
+ # serial_number: "ASN1PrintableString64",
1618
+ # locality: "String128",
1619
+ # title: "String64",
1620
+ # surname: "String40",
1621
+ # given_name: "String16",
1622
+ # initials: "String5",
1623
+ # pseudonym: "String128",
1624
+ # generation_qualifier: "String3",
1625
+ # },
1626
+ # edi_party_name: {
1627
+ # party_name: "String256", # required
1628
+ # name_assigner: "String256",
1629
+ # },
1630
+ # uniform_resource_identifier: "String253",
1631
+ # ip_address: "String39",
1632
+ # registered_id: "CustomObjectIdentifier",
1633
+ # },
1634
+ # ],
1635
+ # },
1636
+ # subject: {
1637
+ # country: "CountryCodeString",
1638
+ # organization: "String64",
1639
+ # organizational_unit: "String64",
1640
+ # distinguished_name_qualifier: "ASN1PrintableString64",
1641
+ # state: "String128",
1642
+ # common_name: "String64",
1643
+ # serial_number: "ASN1PrintableString64",
1644
+ # locality: "String128",
1645
+ # title: "String64",
1646
+ # surname: "String40",
1647
+ # given_name: "String16",
1648
+ # initials: "String5",
1649
+ # pseudonym: "String128",
1650
+ # generation_qualifier: "String3",
1651
+ # },
1652
+ # },
1434
1653
  # certificate_authority_arn: "Arn", # required
1435
1654
  # csr: "data", # required
1436
1655
  # signing_algorithm: "SHA256WITHECDSA", # required, accepts SHA256WITHECDSA, SHA384WITHECDSA, SHA512WITHECDSA, SHA256WITHRSA, SHA384WITHRSA, SHA512WITHRSA
@@ -1439,6 +1658,10 @@ module Aws::ACMPCA
1439
1658
  # value: 1, # required
1440
1659
  # type: "END_DATE", # required, accepts END_DATE, ABSOLUTE, DAYS, MONTHS, YEARS
1441
1660
  # },
1661
+ # validity_not_before: {
1662
+ # value: 1, # required
1663
+ # type: "END_DATE", # required, accepts END_DATE, ABSOLUTE, DAYS, MONTHS, YEARS
1664
+ # },
1442
1665
  # idempotency_token: "IdempotencyToken",
1443
1666
  # })
1444
1667
  #
@@ -1523,6 +1746,41 @@ module Aws::ACMPCA
1523
1746
  # resp.certificate_authorities[0].certificate_authority_configuration.subject.initials #=> String
1524
1747
  # resp.certificate_authorities[0].certificate_authority_configuration.subject.pseudonym #=> String
1525
1748
  # resp.certificate_authorities[0].certificate_authority_configuration.subject.generation_qualifier #=> String
1749
+ # resp.certificate_authorities[0].certificate_authority_configuration.csr_extensions.key_usage.digital_signature #=> Boolean
1750
+ # resp.certificate_authorities[0].certificate_authority_configuration.csr_extensions.key_usage.non_repudiation #=> Boolean
1751
+ # resp.certificate_authorities[0].certificate_authority_configuration.csr_extensions.key_usage.key_encipherment #=> Boolean
1752
+ # resp.certificate_authorities[0].certificate_authority_configuration.csr_extensions.key_usage.data_encipherment #=> Boolean
1753
+ # resp.certificate_authorities[0].certificate_authority_configuration.csr_extensions.key_usage.key_agreement #=> Boolean
1754
+ # resp.certificate_authorities[0].certificate_authority_configuration.csr_extensions.key_usage.key_cert_sign #=> Boolean
1755
+ # resp.certificate_authorities[0].certificate_authority_configuration.csr_extensions.key_usage.crl_sign #=> Boolean
1756
+ # resp.certificate_authorities[0].certificate_authority_configuration.csr_extensions.key_usage.encipher_only #=> Boolean
1757
+ # resp.certificate_authorities[0].certificate_authority_configuration.csr_extensions.key_usage.decipher_only #=> Boolean
1758
+ # resp.certificate_authorities[0].certificate_authority_configuration.csr_extensions.subject_information_access #=> Array
1759
+ # resp.certificate_authorities[0].certificate_authority_configuration.csr_extensions.subject_information_access[0].access_method.custom_object_identifier #=> String
1760
+ # resp.certificate_authorities[0].certificate_authority_configuration.csr_extensions.subject_information_access[0].access_method.access_method_type #=> String, one of "CA_REPOSITORY", "RESOURCE_PKI_MANIFEST", "RESOURCE_PKI_NOTIFY"
1761
+ # resp.certificate_authorities[0].certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.other_name.type_id #=> String
1762
+ # resp.certificate_authorities[0].certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.other_name.value #=> String
1763
+ # resp.certificate_authorities[0].certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.rfc_822_name #=> String
1764
+ # resp.certificate_authorities[0].certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.dns_name #=> String
1765
+ # resp.certificate_authorities[0].certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.directory_name.country #=> String
1766
+ # resp.certificate_authorities[0].certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.directory_name.organization #=> String
1767
+ # resp.certificate_authorities[0].certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.directory_name.organizational_unit #=> String
1768
+ # resp.certificate_authorities[0].certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.directory_name.distinguished_name_qualifier #=> String
1769
+ # resp.certificate_authorities[0].certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.directory_name.state #=> String
1770
+ # resp.certificate_authorities[0].certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.directory_name.common_name #=> String
1771
+ # resp.certificate_authorities[0].certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.directory_name.serial_number #=> String
1772
+ # resp.certificate_authorities[0].certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.directory_name.locality #=> String
1773
+ # resp.certificate_authorities[0].certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.directory_name.title #=> String
1774
+ # resp.certificate_authorities[0].certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.directory_name.surname #=> String
1775
+ # resp.certificate_authorities[0].certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.directory_name.given_name #=> String
1776
+ # resp.certificate_authorities[0].certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.directory_name.initials #=> String
1777
+ # resp.certificate_authorities[0].certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.directory_name.pseudonym #=> String
1778
+ # resp.certificate_authorities[0].certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.directory_name.generation_qualifier #=> String
1779
+ # resp.certificate_authorities[0].certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.edi_party_name.party_name #=> String
1780
+ # resp.certificate_authorities[0].certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.edi_party_name.name_assigner #=> String
1781
+ # resp.certificate_authorities[0].certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.uniform_resource_identifier #=> String
1782
+ # resp.certificate_authorities[0].certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.ip_address #=> String
1783
+ # resp.certificate_authorities[0].certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.registered_id #=> String
1526
1784
  # resp.certificate_authorities[0].revocation_configuration.crl_configuration.enabled #=> Boolean
1527
1785
  # resp.certificate_authorities[0].revocation_configuration.crl_configuration.expiration_in_days #=> Integer
1528
1786
  # resp.certificate_authorities[0].revocation_configuration.crl_configuration.custom_cname #=> String
@@ -1563,12 +1821,13 @@ module Aws::ACMPCA
1563
1821
  # renewals. Instead, the ACM certificate owner must set up a
1564
1822
  # resource-based policy to enable cross-account issuance and renewals.
1565
1823
  # For more information, see [Using a Resource Based Policy with ACM
1566
- # Private CA](acm-pca/latest/userguide/pca-rbp.html).
1824
+ # Private CA][3].
1567
1825
  #
1568
1826
  #
1569
1827
  #
1570
1828
  # [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_CreatePermission.html
1571
1829
  # [2]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_DeletePermission.html
1830
+ # [3]: https://docs.aws.amazon.com/acm-pca/latest/userguide/pca-rbp.html
1572
1831
  #
1573
1832
  # @option params [required, String] :certificate_authority_arn
1574
1833
  # The Amazon Resource Number (ARN) of the private CA to inspect. You can
@@ -1698,8 +1957,9 @@ module Aws::ACMPCA
1698
1957
 
1699
1958
  # Attaches a resource-based policy to a private CA.
1700
1959
  #
1701
- # A policy can also be applied by [sharing][1] a private CA through AWS
1702
- # Resource Access Manager (RAM).
1960
+ # A policy can also be applied by sharing a private CA through AWS
1961
+ # Resource Access Manager (RAM). For more information, see [Attach a
1962
+ # Policy for Cross-Account Access][1].
1703
1963
  #
1704
1964
  # The policy can be displayed with [GetPolicy][2] and removed with
1705
1965
  # [DeletePolicy][3].
@@ -1709,8 +1969,7 @@ module Aws::ACMPCA
1709
1969
  # * A policy grants access on a private CA to an AWS customer account,
1710
1970
  # to AWS Organizations, or to an AWS Organizations unit. Policies are
1711
1971
  # under the control of a CA administrator. For more information, see
1712
- # [Using a Resource Based Policy with ACM Private
1713
- # CA](acm-pca/latest/userguide/pca-rbp.html).
1972
+ # [Using a Resource Based Policy with ACM Private CA][4].
1714
1973
  #
1715
1974
  # * A policy permits a user of AWS Certificate Manager (ACM) to issue
1716
1975
  # ACM certificates signed by a CA in another account.
@@ -1719,19 +1978,19 @@ module Aws::ACMPCA
1719
1978
  # user must configure a Service Linked Role (SLR). The SLR allows the
1720
1979
  # ACM service to assume the identity of the user, subject to
1721
1980
  # confirmation against the ACM Private CA policy. For more
1722
- # information, see [Using a Service Linked Role with ACM][4].
1981
+ # information, see [Using a Service Linked Role with ACM][5].
1723
1982
  #
1724
1983
  # * Updates made in AWS Resource Manager (RAM) are reflected in
1725
- # policies. For more information, see [Using AWS Resource Access
1726
- # Manager (RAM) with ACM Private
1727
- # CA](acm-pca/latest/userguide/pca-ram.html).
1984
+ # policies. For more information, see [Attach a Policy for
1985
+ # Cross-Account Access][1].
1728
1986
  #
1729
1987
  #
1730
1988
  #
1731
1989
  # [1]: https://docs.aws.amazon.com/acm-pca/latest/userguide/pca-ram.html
1732
1990
  # [2]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_GetPolicy.html
1733
1991
  # [3]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_DeletePolicy.html
1734
- # [4]: https://docs.aws.amazon.com/acm/latest/userguide/acm-slr.html
1992
+ # [4]: https://docs.aws.amazon.com/acm-pca/latest/userguide/pca-rbp.html
1993
+ # [5]: https://docs.aws.amazon.com/acm/latest/userguide/acm-slr.html
1735
1994
  #
1736
1995
  # @option params [required, String] :resource_arn
1737
1996
  # The Amazon Resource Number (ARN) of the private CA to associate with
@@ -1745,7 +2004,7 @@ module Aws::ACMPCA
1745
2004
  # [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_ListCertificateAuthorities.html
1746
2005
  #
1747
2006
  # @option params [required, String] :policy
1748
- # The path and filename of a JSON-formatted IAM policy to attach to the
2007
+ # The path and file name of a JSON-formatted IAM policy to attach to the
1749
2008
  # specified private CA resource. If this policy does not contain all
1750
2009
  # required statements or if it includes any statement that is not
1751
2010
  # allowed, the `PutPolicy` action returns an `InvalidPolicyException`.
@@ -2080,7 +2339,7 @@ module Aws::ACMPCA
2080
2339
  params: params,
2081
2340
  config: config)
2082
2341
  context[:gem_name] = 'aws-sdk-acmpca'
2083
- context[:gem_version] = '1.27.0'
2342
+ context[:gem_version] = '1.32.0'
2084
2343
  Seahorse::Client::Request.new(handlers, context)
2085
2344
  end
2086
2345