aws-sdk-acmpca 1.27.0 → 1.32.0

data/lib/aws-sdk-acmpca/client_api.rb

@@ -16,9 +16,14 @@ module Aws::ACMPCA
     ASN1PrintableString64 = Shapes::StringShape.new(name: 'ASN1PrintableString64')
     ASN1Subject = Shapes::StructureShape.new(name: 'ASN1Subject')
     AWSPolicy = Shapes::StringShape.new(name: 'AWSPolicy')
+    AccessDescription = Shapes::StructureShape.new(name: 'AccessDescription')
+    AccessDescriptionList = Shapes::ListShape.new(name: 'AccessDescriptionList')
+    AccessMethod = Shapes::StructureShape.new(name: 'AccessMethod')
+    AccessMethodType = Shapes::StringShape.new(name: 'AccessMethodType')
     AccountId = Shapes::StringShape.new(name: 'AccountId')
     ActionList = Shapes::ListShape.new(name: 'ActionList')
     ActionType = Shapes::StringShape.new(name: 'ActionType')
+    ApiPassthrough = Shapes::StructureShape.new(name: 'ApiPassthrough')
     Arn = Shapes::StringShape.new(name: 'Arn')
     AuditReportId = Shapes::StringShape.new(name: 'AuditReportId')
     AuditReportResponseFormat = Shapes::StringShape.new(name: 'AuditReportResponseFormat')
@@ -34,6 +39,7 @@ module Aws::ACMPCA
     CertificateChain = Shapes::StringShape.new(name: 'CertificateChain')
     CertificateChainBlob = Shapes::BlobShape.new(name: 'CertificateChainBlob')
     CertificateMismatchException = Shapes::StructureShape.new(name: 'CertificateMismatchException')
+    CertificatePolicyList = Shapes::ListShape.new(name: 'CertificatePolicyList')
     ConcurrentModificationException = Shapes::StructureShape.new(name: 'ConcurrentModificationException')
     CountryCodeString = Shapes::StringShape.new(name: 'CountryCodeString')
     CreateCertificateAuthorityAuditReportRequest = Shapes::StructureShape.new(name: 'CreateCertificateAuthorityAuditReportRequest')
@@ -44,6 +50,8 @@ module Aws::ACMPCA
     CrlConfiguration = Shapes::StructureShape.new(name: 'CrlConfiguration')
     CsrBlob = Shapes::BlobShape.new(name: 'CsrBlob')
     CsrBody = Shapes::StringShape.new(name: 'CsrBody')
+    CsrExtensions = Shapes::StructureShape.new(name: 'CsrExtensions')
+    CustomObjectIdentifier = Shapes::StringShape.new(name: 'CustomObjectIdentifier')
     DeleteCertificateAuthorityRequest = Shapes::StructureShape.new(name: 'DeleteCertificateAuthorityRequest')
     DeletePermissionRequest = Shapes::StructureShape.new(name: 'DeletePermissionRequest')
     DeletePolicyRequest = Shapes::StructureShape.new(name: 'DeletePolicyRequest')
@@ -51,7 +59,14 @@ module Aws::ACMPCA
     DescribeCertificateAuthorityAuditReportResponse = Shapes::StructureShape.new(name: 'DescribeCertificateAuthorityAuditReportResponse')
     DescribeCertificateAuthorityRequest = Shapes::StructureShape.new(name: 'DescribeCertificateAuthorityRequest')
     DescribeCertificateAuthorityResponse = Shapes::StructureShape.new(name: 'DescribeCertificateAuthorityResponse')
+    EdiPartyName = Shapes::StructureShape.new(name: 'EdiPartyName')
+    ExtendedKeyUsage = Shapes::StructureShape.new(name: 'ExtendedKeyUsage')
+    ExtendedKeyUsageList = Shapes::ListShape.new(name: 'ExtendedKeyUsageList')
+    ExtendedKeyUsageType = Shapes::StringShape.new(name: 'ExtendedKeyUsageType')
+    Extensions = Shapes::StructureShape.new(name: 'Extensions')
     FailureReason = Shapes::StringShape.new(name: 'FailureReason')
+    GeneralName = Shapes::StructureShape.new(name: 'GeneralName')
+    GeneralNameList = Shapes::ListShape.new(name: 'GeneralNameList')
     GetCertificateAuthorityCertificateRequest = Shapes::StructureShape.new(name: 'GetCertificateAuthorityCertificateRequest')
     GetCertificateAuthorityCertificateResponse = Shapes::StructureShape.new(name: 'GetCertificateAuthorityCertificateResponse')
     GetCertificateAuthorityCsrRequest = Shapes::StructureShape.new(name: 'GetCertificateAuthorityCsrRequest')
@@ -73,6 +88,7 @@ module Aws::ACMPCA
     IssueCertificateRequest = Shapes::StructureShape.new(name: 'IssueCertificateRequest')
     IssueCertificateResponse = Shapes::StructureShape.new(name: 'IssueCertificateResponse')
     KeyAlgorithm = Shapes::StringShape.new(name: 'KeyAlgorithm')
+    KeyUsage = Shapes::StructureShape.new(name: 'KeyUsage')
     LimitExceededException = Shapes::StructureShape.new(name: 'LimitExceededException')
     ListCertificateAuthoritiesRequest = Shapes::StructureShape.new(name: 'ListCertificateAuthoritiesRequest')
     ListCertificateAuthoritiesResponse = Shapes::StructureShape.new(name: 'ListCertificateAuthoritiesResponse')
@@ -85,13 +101,19 @@ module Aws::ACMPCA
     MalformedCertificateException = Shapes::StructureShape.new(name: 'MalformedCertificateException')
     MaxResults = Shapes::IntegerShape.new(name: 'MaxResults')
     NextToken = Shapes::StringShape.new(name: 'NextToken')
+    OtherName = Shapes::StructureShape.new(name: 'OtherName')
     PermanentDeletionTimeInDays = Shapes::IntegerShape.new(name: 'PermanentDeletionTimeInDays')
     Permission = Shapes::StructureShape.new(name: 'Permission')
     PermissionAlreadyExistsException = Shapes::StructureShape.new(name: 'PermissionAlreadyExistsException')
     PermissionList = Shapes::ListShape.new(name: 'PermissionList')
+    PolicyInformation = Shapes::StructureShape.new(name: 'PolicyInformation')
+    PolicyQualifierId = Shapes::StringShape.new(name: 'PolicyQualifierId')
+    PolicyQualifierInfo = Shapes::StructureShape.new(name: 'PolicyQualifierInfo')
+    PolicyQualifierInfoList = Shapes::ListShape.new(name: 'PolicyQualifierInfoList')
     PositiveLong = Shapes::IntegerShape.new(name: 'PositiveLong')
     Principal = Shapes::StringShape.new(name: 'Principal')
     PutPolicyRequest = Shapes::StructureShape.new(name: 'PutPolicyRequest')
+    Qualifier = Shapes::StructureShape.new(name: 'Qualifier')
     RequestAlreadyProcessedException = Shapes::StructureShape.new(name: 'RequestAlreadyProcessedException')
     RequestFailedException = Shapes::StructureShape.new(name: 'RequestFailedException')
     RequestInProgressException = Shapes::StructureShape.new(name: 'RequestInProgressException')
@@ -108,7 +130,9 @@ module Aws::ACMPCA
     String128 = Shapes::StringShape.new(name: 'String128')
     String16 = Shapes::StringShape.new(name: 'String16')
     String253 = Shapes::StringShape.new(name: 'String253')
+    String256 = Shapes::StringShape.new(name: 'String256')
     String3 = Shapes::StringShape.new(name: 'String3')
+    String39 = Shapes::StringShape.new(name: 'String39')
     String3To255 = Shapes::StringShape.new(name: 'String3To255')
     String40 = Shapes::StringShape.new(name: 'String40')
     String5 = Shapes::StringShape.new(name: 'String5')
@@ -141,8 +165,22 @@ module Aws::ACMPCA
     ASN1Subject.add_member(:generation_qualifier, Shapes::ShapeRef.new(shape: String3, location_name: "GenerationQualifier"))
     ASN1Subject.struct_class = Types::ASN1Subject
 
+    AccessDescription.add_member(:access_method, Shapes::ShapeRef.new(shape: AccessMethod, required: true, location_name: "AccessMethod"))
+    AccessDescription.add_member(:access_location, Shapes::ShapeRef.new(shape: GeneralName, required: true, location_name: "AccessLocation"))
+    AccessDescription.struct_class = Types::AccessDescription
+
+    AccessDescriptionList.member = Shapes::ShapeRef.new(shape: AccessDescription)
+
+    AccessMethod.add_member(:custom_object_identifier, Shapes::ShapeRef.new(shape: CustomObjectIdentifier, location_name: "CustomObjectIdentifier"))
+    AccessMethod.add_member(:access_method_type, Shapes::ShapeRef.new(shape: AccessMethodType, location_name: "AccessMethodType"))
+    AccessMethod.struct_class = Types::AccessMethod
+
     ActionList.member = Shapes::ShapeRef.new(shape: ActionType)
 
+    ApiPassthrough.add_member(:extensions, Shapes::ShapeRef.new(shape: Extensions, location_name: "Extensions"))
+    ApiPassthrough.add_member(:subject, Shapes::ShapeRef.new(shape: ASN1Subject, location_name: "Subject"))
+    ApiPassthrough.struct_class = Types::ApiPassthrough
+
     CertificateAuthorities.member = Shapes::ShapeRef.new(shape: CertificateAuthority)
 
     CertificateAuthority.add_member(:arn, Shapes::ShapeRef.new(shape: Arn, location_name: "Arn"))
@@ -163,11 +201,14 @@ module Aws::ACMPCA
     CertificateAuthorityConfiguration.add_member(:key_algorithm, Shapes::ShapeRef.new(shape: KeyAlgorithm, required: true, location_name: "KeyAlgorithm"))
     CertificateAuthorityConfiguration.add_member(:signing_algorithm, Shapes::ShapeRef.new(shape: SigningAlgorithm, required: true, location_name: "SigningAlgorithm"))
     CertificateAuthorityConfiguration.add_member(:subject, Shapes::ShapeRef.new(shape: ASN1Subject, required: true, location_name: "Subject"))
+    CertificateAuthorityConfiguration.add_member(:csr_extensions, Shapes::ShapeRef.new(shape: CsrExtensions, location_name: "CsrExtensions"))
     CertificateAuthorityConfiguration.struct_class = Types::CertificateAuthorityConfiguration
 
     CertificateMismatchException.add_member(:message, Shapes::ShapeRef.new(shape: String, location_name: "message"))
     CertificateMismatchException.struct_class = Types::CertificateMismatchException
 
+    CertificatePolicyList.member = Shapes::ShapeRef.new(shape: PolicyInformation)
+
     ConcurrentModificationException.add_member(:message, Shapes::ShapeRef.new(shape: String, location_name: "message"))
     ConcurrentModificationException.struct_class = Types::ConcurrentModificationException
 
@@ -202,6 +243,10 @@ module Aws::ACMPCA
     CrlConfiguration.add_member(:s3_bucket_name, Shapes::ShapeRef.new(shape: String3To255, location_name: "S3BucketName"))
     CrlConfiguration.struct_class = Types::CrlConfiguration
 
+    CsrExtensions.add_member(:key_usage, Shapes::ShapeRef.new(shape: KeyUsage, location_name: "KeyUsage"))
+    CsrExtensions.add_member(:subject_information_access, Shapes::ShapeRef.new(shape: AccessDescriptionList, location_name: "SubjectInformationAccess"))
+    CsrExtensions.struct_class = Types::CsrExtensions
+
     DeleteCertificateAuthorityRequest.add_member(:certificate_authority_arn, Shapes::ShapeRef.new(shape: Arn, required: true, location_name: "CertificateAuthorityArn"))
     DeleteCertificateAuthorityRequest.add_member(:permanent_deletion_time_in_days, Shapes::ShapeRef.new(shape: PermanentDeletionTimeInDays, location_name: "PermanentDeletionTimeInDays"))
     DeleteCertificateAuthorityRequest.struct_class = Types::DeleteCertificateAuthorityRequest
@@ -230,6 +275,34 @@ module Aws::ACMPCA
     DescribeCertificateAuthorityResponse.add_member(:certificate_authority, Shapes::ShapeRef.new(shape: CertificateAuthority, location_name: "CertificateAuthority"))
     DescribeCertificateAuthorityResponse.struct_class = Types::DescribeCertificateAuthorityResponse
 
+    EdiPartyName.add_member(:party_name, Shapes::ShapeRef.new(shape: String256, required: true, location_name: "PartyName"))
+    EdiPartyName.add_member(:name_assigner, Shapes::ShapeRef.new(shape: String256, location_name: "NameAssigner"))
+    EdiPartyName.struct_class = Types::EdiPartyName
+
+    ExtendedKeyUsage.add_member(:extended_key_usage_type, Shapes::ShapeRef.new(shape: ExtendedKeyUsageType, location_name: "ExtendedKeyUsageType"))
+    ExtendedKeyUsage.add_member(:extended_key_usage_object_identifier, Shapes::ShapeRef.new(shape: CustomObjectIdentifier, location_name: "ExtendedKeyUsageObjectIdentifier"))
+    ExtendedKeyUsage.struct_class = Types::ExtendedKeyUsage
+
+    ExtendedKeyUsageList.member = Shapes::ShapeRef.new(shape: ExtendedKeyUsage)
+
+    Extensions.add_member(:certificate_policies, Shapes::ShapeRef.new(shape: CertificatePolicyList, location_name: "CertificatePolicies"))
+    Extensions.add_member(:extended_key_usage, Shapes::ShapeRef.new(shape: ExtendedKeyUsageList, location_name: "ExtendedKeyUsage"))
+    Extensions.add_member(:key_usage, Shapes::ShapeRef.new(shape: KeyUsage, location_name: "KeyUsage"))
+    Extensions.add_member(:subject_alternative_names, Shapes::ShapeRef.new(shape: GeneralNameList, location_name: "SubjectAlternativeNames"))
+    Extensions.struct_class = Types::Extensions
+
+    GeneralName.add_member(:other_name, Shapes::ShapeRef.new(shape: OtherName, location_name: "OtherName"))
+    GeneralName.add_member(:rfc_822_name, Shapes::ShapeRef.new(shape: String256, location_name: "Rfc822Name"))
+    GeneralName.add_member(:dns_name, Shapes::ShapeRef.new(shape: String253, location_name: "DnsName"))
+    GeneralName.add_member(:directory_name, Shapes::ShapeRef.new(shape: ASN1Subject, location_name: "DirectoryName"))
+    GeneralName.add_member(:edi_party_name, Shapes::ShapeRef.new(shape: EdiPartyName, location_name: "EdiPartyName"))
+    GeneralName.add_member(:uniform_resource_identifier, Shapes::ShapeRef.new(shape: String253, location_name: "UniformResourceIdentifier"))
+    GeneralName.add_member(:ip_address, Shapes::ShapeRef.new(shape: String39, location_name: "IpAddress"))
+    GeneralName.add_member(:registered_id, Shapes::ShapeRef.new(shape: CustomObjectIdentifier, location_name: "RegisteredId"))
+    GeneralName.struct_class = Types::GeneralName
+
+    GeneralNameList.member = Shapes::ShapeRef.new(shape: GeneralName)
+
     GetCertificateAuthorityCertificateRequest.add_member(:certificate_authority_arn, Shapes::ShapeRef.new(shape: Arn, required: true, location_name: "CertificateAuthorityArn"))
     GetCertificateAuthorityCertificateRequest.struct_class = Types::GetCertificateAuthorityCertificateRequest
 
@@ -283,17 +356,30 @@ module Aws::ACMPCA
     InvalidTagException.add_member(:message, Shapes::ShapeRef.new(shape: String, location_name: "message"))
     InvalidTagException.struct_class = Types::InvalidTagException
 
+    IssueCertificateRequest.add_member(:api_passthrough, Shapes::ShapeRef.new(shape: ApiPassthrough, location_name: "ApiPassthrough"))
     IssueCertificateRequest.add_member(:certificate_authority_arn, Shapes::ShapeRef.new(shape: Arn, required: true, location_name: "CertificateAuthorityArn"))
     IssueCertificateRequest.add_member(:csr, Shapes::ShapeRef.new(shape: CsrBlob, required: true, location_name: "Csr"))
     IssueCertificateRequest.add_member(:signing_algorithm, Shapes::ShapeRef.new(shape: SigningAlgorithm, required: true, location_name: "SigningAlgorithm"))
     IssueCertificateRequest.add_member(:template_arn, Shapes::ShapeRef.new(shape: Arn, location_name: "TemplateArn"))
     IssueCertificateRequest.add_member(:validity, Shapes::ShapeRef.new(shape: Validity, required: true, location_name: "Validity"))
+    IssueCertificateRequest.add_member(:validity_not_before, Shapes::ShapeRef.new(shape: Validity, location_name: "ValidityNotBefore"))
     IssueCertificateRequest.add_member(:idempotency_token, Shapes::ShapeRef.new(shape: IdempotencyToken, location_name: "IdempotencyToken"))
     IssueCertificateRequest.struct_class = Types::IssueCertificateRequest
 
     IssueCertificateResponse.add_member(:certificate_arn, Shapes::ShapeRef.new(shape: Arn, location_name: "CertificateArn"))
     IssueCertificateResponse.struct_class = Types::IssueCertificateResponse
 
+    KeyUsage.add_member(:digital_signature, Shapes::ShapeRef.new(shape: Boolean, location_name: "DigitalSignature"))
+    KeyUsage.add_member(:non_repudiation, Shapes::ShapeRef.new(shape: Boolean, location_name: "NonRepudiation"))
+    KeyUsage.add_member(:key_encipherment, Shapes::ShapeRef.new(shape: Boolean, location_name: "KeyEncipherment"))
+    KeyUsage.add_member(:data_encipherment, Shapes::ShapeRef.new(shape: Boolean, location_name: "DataEncipherment"))
+    KeyUsage.add_member(:key_agreement, Shapes::ShapeRef.new(shape: Boolean, location_name: "KeyAgreement"))
+    KeyUsage.add_member(:key_cert_sign, Shapes::ShapeRef.new(shape: Boolean, location_name: "KeyCertSign"))
+    KeyUsage.add_member(:crl_sign, Shapes::ShapeRef.new(shape: Boolean, location_name: "CRLSign"))
+    KeyUsage.add_member(:encipher_only, Shapes::ShapeRef.new(shape: Boolean, location_name: "EncipherOnly"))
+    KeyUsage.add_member(:decipher_only, Shapes::ShapeRef.new(shape: Boolean, location_name: "DecipherOnly"))
+    KeyUsage.struct_class = Types::KeyUsage
+
     LimitExceededException.add_member(:message, Shapes::ShapeRef.new(shape: String, location_name: "message"))
     LimitExceededException.struct_class = Types::LimitExceededException
 
@@ -333,6 +419,10 @@ module Aws::ACMPCA
     MalformedCertificateException.add_member(:message, Shapes::ShapeRef.new(shape: String, location_name: "message"))
     MalformedCertificateException.struct_class = Types::MalformedCertificateException
 
+    OtherName.add_member(:type_id, Shapes::ShapeRef.new(shape: CustomObjectIdentifier, required: true, location_name: "TypeId"))
+    OtherName.add_member(:value, Shapes::ShapeRef.new(shape: String256, required: true, location_name: "Value"))
+    OtherName.struct_class = Types::OtherName
+
     Permission.add_member(:certificate_authority_arn, Shapes::ShapeRef.new(shape: Arn, location_name: "CertificateAuthorityArn"))
     Permission.add_member(:created_at, Shapes::ShapeRef.new(shape: TStamp, location_name: "CreatedAt"))
     Permission.add_member(:principal, Shapes::ShapeRef.new(shape: Principal, location_name: "Principal"))
@@ -346,10 +436,23 @@ module Aws::ACMPCA
 
     PermissionList.member = Shapes::ShapeRef.new(shape: Permission)
 
+    PolicyInformation.add_member(:cert_policy_id, Shapes::ShapeRef.new(shape: CustomObjectIdentifier, required: true, location_name: "CertPolicyId"))
+    PolicyInformation.add_member(:policy_qualifiers, Shapes::ShapeRef.new(shape: PolicyQualifierInfoList, location_name: "PolicyQualifiers"))
+    PolicyInformation.struct_class = Types::PolicyInformation
+
+    PolicyQualifierInfo.add_member(:policy_qualifier_id, Shapes::ShapeRef.new(shape: PolicyQualifierId, required: true, location_name: "PolicyQualifierId"))
+    PolicyQualifierInfo.add_member(:qualifier, Shapes::ShapeRef.new(shape: Qualifier, required: true, location_name: "Qualifier"))
+    PolicyQualifierInfo.struct_class = Types::PolicyQualifierInfo
+
+    PolicyQualifierInfoList.member = Shapes::ShapeRef.new(shape: PolicyQualifierInfo)
+
     PutPolicyRequest.add_member(:resource_arn, Shapes::ShapeRef.new(shape: Arn, required: true, location_name: "ResourceArn"))
     PutPolicyRequest.add_member(:policy, Shapes::ShapeRef.new(shape: AWSPolicy, required: true, location_name: "Policy"))
     PutPolicyRequest.struct_class = Types::PutPolicyRequest
 
+    Qualifier.add_member(:cps_uri, Shapes::ShapeRef.new(shape: String256, required: true, location_name: "CpsUri"))
+    Qualifier.struct_class = Types::Qualifier
+
     RequestAlreadyProcessedException.add_member(:message, Shapes::ShapeRef.new(shape: String, location_name: "message"))
     RequestAlreadyProcessedException.struct_class = Types::RequestAlreadyProcessedException
 

data/lib/aws-sdk-acmpca/types.rb

@@ -10,16 +10,12 @@
 module Aws::ACMPCA
   module Types
 
-    # Contains information about the certificate subject. The certificate
-    # can be one issued by your private certificate authority (CA) or it can
-    # be your private CA certificate. The **Subject** field in the
-    # certificate identifies the entity that owns or controls the public key
-    # in the certificate. The entity can be a user, computer, device, or
-    # service. The **Subject** must contain an X.500 distinguished name
-    # (DN). A DN is a sequence of relative distinguished names (RDNs). The
-    # RDNs are separated by commas in the certificate. The DN must be unique
-    # for each entity, but your private CA can issue more than one
-    # certificate with the same DN to the same entity.
+    # Contains information about the certificate subject. The `Subject`
+    # field in the certificate identifies the entity that owns or controls
+    # the public key in the certificate. The entity can be a user, computer,
+    # device, or service. The `Subject `must contain an X.500 distinguished
+    # name (DN). A DN is a sequence of relative distinguished names (RDNs).
+    # The RDNs are separated by commas in the certificate.
     #
     # @note When making an API call, you may pass ASN1Subject
     #   data as a hash:
@@ -65,7 +61,11 @@ module Aws::ACMPCA
     #   @return [String]
     #
     # @!attribute [rw] common_name
-    #   Fully qualified domain name (FQDN) associated with the certificate
+    #   For CA and end-entity certificates in a private PKI, the common name
+    #   (CN) can be any string within the length limit.
+    #
+    #   Note: In publicly trusted certificates, the common name must be a
+    #   fully qualified domain name (FQDN) associated with the certificate
     #   subject.
     #   @return [String]
     #
@@ -96,7 +96,7 @@ module Aws::ACMPCA
     # @!attribute [rw] initials
     #   Concatenation that typically contains the first letter of the
     #   **GivenName**, the first letter of the middle name if one exists,
-    #   and the first letter of the **SurName**.
+    #   and the first letter of the **Surname**.
     #   @return [String]
     #
     # @!attribute [rw] pseudonym
@@ -131,6 +131,224 @@ module Aws::ACMPCA
       include Aws::Structure
     end
 
+    # Provides access information used by the `authorityInfoAccess` and
+    # `subjectInfoAccess` extensions described in [RFC 5280][1].
+    #
+    #
+    #
+    # [1]: https://tools.ietf.org/html/rfc5280
+    #
+    # @note When making an API call, you may pass AccessDescription
+    #   data as a hash:
+    #
+    #       {
+    #         access_method: { # required
+    #           custom_object_identifier: "CustomObjectIdentifier",
+    #           access_method_type: "CA_REPOSITORY", # accepts CA_REPOSITORY, RESOURCE_PKI_MANIFEST, RESOURCE_PKI_NOTIFY
+    #         },
+    #         access_location: { # required
+    #           other_name: {
+    #             type_id: "CustomObjectIdentifier", # required
+    #             value: "String256", # required
+    #           },
+    #           rfc_822_name: "String256",
+    #           dns_name: "String253",
+    #           directory_name: {
+    #             country: "CountryCodeString",
+    #             organization: "String64",
+    #             organizational_unit: "String64",
+    #             distinguished_name_qualifier: "ASN1PrintableString64",
+    #             state: "String128",
+    #             common_name: "String64",
+    #             serial_number: "ASN1PrintableString64",
+    #             locality: "String128",
+    #             title: "String64",
+    #             surname: "String40",
+    #             given_name: "String16",
+    #             initials: "String5",
+    #             pseudonym: "String128",
+    #             generation_qualifier: "String3",
+    #           },
+    #           edi_party_name: {
+    #             party_name: "String256", # required
+    #             name_assigner: "String256",
+    #           },
+    #           uniform_resource_identifier: "String253",
+    #           ip_address: "String39",
+    #           registered_id: "CustomObjectIdentifier",
+    #         },
+    #       }
+    #
+    # @!attribute [rw] access_method
+    #   The type and format of `AccessDescription` information.
+    #   @return [Types::AccessMethod]
+    #
+    # @!attribute [rw] access_location
+    #   The location of `AccessDescription` information.
+    #   @return [Types::GeneralName]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/AccessDescription AWS API Documentation
+    #
+    class AccessDescription < Struct.new(
+      :access_method,
+      :access_location)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # Describes the type and format of extension access. Only one of
+    # `CustomObjectIdentifier` or `AccessMethodType` may be provided.
+    # Providing both results in `InvalidArgsException`.
+    #
+    # @note When making an API call, you may pass AccessMethod
+    #   data as a hash:
+    #
+    #       {
+    #         custom_object_identifier: "CustomObjectIdentifier",
+    #         access_method_type: "CA_REPOSITORY", # accepts CA_REPOSITORY, RESOURCE_PKI_MANIFEST, RESOURCE_PKI_NOTIFY
+    #       }
+    #
+    # @!attribute [rw] custom_object_identifier
+    #   An object identifier (OID) specifying the `AccessMethod`. The OID
+    #   must satisfy the regular expression shown below. For more
+    #   information, see NIST's definition of [Object Identifier (OID)][1].
+    #
+    #
+    #
+    #   [1]: https://csrc.nist.gov/glossary/term/Object_Identifier
+    #   @return [String]
+    #
+    # @!attribute [rw] access_method_type
+    #   Specifies the `AccessMethod`.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/AccessMethod AWS API Documentation
+    #
+    class AccessMethod < Struct.new(
+      :custom_object_identifier,
+      :access_method_type)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # Contains X.509 certificate information to be placed in an issued
+    # certificate. An `APIPassthrough` or `APICSRPassthrough` template
+    # variant must be selected, or else this parameter is ignored.
+    #
+    # If conflicting or duplicate certificate information is supplied from
+    # other sources, ACM Private CA applies [order of operation
+    # rules](xxxxx) to determine what information is used.
+    #
+    # @note When making an API call, you may pass ApiPassthrough
+    #   data as a hash:
+    #
+    #       {
+    #         extensions: {
+    #           certificate_policies: [
+    #             {
+    #               cert_policy_id: "CustomObjectIdentifier", # required
+    #               policy_qualifiers: [
+    #                 {
+    #                   policy_qualifier_id: "CPS", # required, accepts CPS
+    #                   qualifier: { # required
+    #                     cps_uri: "String256", # required
+    #                   },
+    #                 },
+    #               ],
+    #             },
+    #           ],
+    #           extended_key_usage: [
+    #             {
+    #               extended_key_usage_type: "SERVER_AUTH", # accepts SERVER_AUTH, CLIENT_AUTH, CODE_SIGNING, EMAIL_PROTECTION, TIME_STAMPING, OCSP_SIGNING, SMART_CARD_LOGIN, DOCUMENT_SIGNING, CERTIFICATE_TRANSPARENCY
+    #               extended_key_usage_object_identifier: "CustomObjectIdentifier",
+    #             },
+    #           ],
+    #           key_usage: {
+    #             digital_signature: false,
+    #             non_repudiation: false,
+    #             key_encipherment: false,
+    #             data_encipherment: false,
+    #             key_agreement: false,
+    #             key_cert_sign: false,
+    #             crl_sign: false,
+    #             encipher_only: false,
+    #             decipher_only: false,
+    #           },
+    #           subject_alternative_names: [
+    #             {
+    #               other_name: {
+    #                 type_id: "CustomObjectIdentifier", # required
+    #                 value: "String256", # required
+    #               },
+    #               rfc_822_name: "String256",
+    #               dns_name: "String253",
+    #               directory_name: {
+    #                 country: "CountryCodeString",
+    #                 organization: "String64",
+    #                 organizational_unit: "String64",
+    #                 distinguished_name_qualifier: "ASN1PrintableString64",
+    #                 state: "String128",
+    #                 common_name: "String64",
+    #                 serial_number: "ASN1PrintableString64",
+    #                 locality: "String128",
+    #                 title: "String64",
+    #                 surname: "String40",
+    #                 given_name: "String16",
+    #                 initials: "String5",
+    #                 pseudonym: "String128",
+    #                 generation_qualifier: "String3",
+    #               },
+    #               edi_party_name: {
+    #                 party_name: "String256", # required
+    #                 name_assigner: "String256",
+    #               },
+    #               uniform_resource_identifier: "String253",
+    #               ip_address: "String39",
+    #               registered_id: "CustomObjectIdentifier",
+    #             },
+    #           ],
+    #         },
+    #         subject: {
+    #           country: "CountryCodeString",
+    #           organization: "String64",
+    #           organizational_unit: "String64",
+    #           distinguished_name_qualifier: "ASN1PrintableString64",
+    #           state: "String128",
+    #           common_name: "String64",
+    #           serial_number: "ASN1PrintableString64",
+    #           locality: "String128",
+    #           title: "String64",
+    #           surname: "String40",
+    #           given_name: "String16",
+    #           initials: "String5",
+    #           pseudonym: "String128",
+    #           generation_qualifier: "String3",
+    #         },
+    #       }
+    #
+    # @!attribute [rw] extensions
+    #   Specifies X.509 extension information for a certificate.
+    #   @return [Types::Extensions]
+    #
+    # @!attribute [rw] subject
+    #   Contains information about the certificate subject. The `Subject`
+    #   field in the certificate identifies the entity that owns or controls
+    #   the public key in the certificate. The entity can be a user,
+    #   computer, device, or service. The `Subject `must contain an X.500
+    #   distinguished name (DN). A DN is a sequence of relative
+    #   distinguished names (RDNs). The RDNs are separated by commas in the
+    #   certificate.
+    #   @return [Types::ASN1Subject]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/ApiPassthrough AWS API Documentation
+    #
+    class ApiPassthrough < Struct.new(
+      :extensions,
+      :subject)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
     # Contains information about your private certificate authority (CA).
     # Your private CA can issue and revoke X.509 digital certificates.
     # Digital certificates verify that the entity named in the certificate
@@ -264,6 +482,58 @@ module Aws::ACMPCA
     #           pseudonym: "String128",
     #           generation_qualifier: "String3",
     #         },
+    #         csr_extensions: {
+    #           key_usage: {
+    #             digital_signature: false,
+    #             non_repudiation: false,
+    #             key_encipherment: false,
+    #             data_encipherment: false,
+    #             key_agreement: false,
+    #             key_cert_sign: false,
+    #             crl_sign: false,
+    #             encipher_only: false,
+    #             decipher_only: false,
+    #           },
+    #           subject_information_access: [
+    #             {
+    #               access_method: { # required
+    #                 custom_object_identifier: "CustomObjectIdentifier",
+    #                 access_method_type: "CA_REPOSITORY", # accepts CA_REPOSITORY, RESOURCE_PKI_MANIFEST, RESOURCE_PKI_NOTIFY
+    #               },
+    #               access_location: { # required
+    #                 other_name: {
+    #                   type_id: "CustomObjectIdentifier", # required
+    #                   value: "String256", # required
+    #                 },
+    #                 rfc_822_name: "String256",
+    #                 dns_name: "String253",
+    #                 directory_name: {
+    #                   country: "CountryCodeString",
+    #                   organization: "String64",
+    #                   organizational_unit: "String64",
+    #                   distinguished_name_qualifier: "ASN1PrintableString64",
+    #                   state: "String128",
+    #                   common_name: "String64",
+    #                   serial_number: "ASN1PrintableString64",
+    #                   locality: "String128",
+    #                   title: "String64",
+    #                   surname: "String40",
+    #                   given_name: "String16",
+    #                   initials: "String5",
+    #                   pseudonym: "String128",
+    #                   generation_qualifier: "String3",
+    #                 },
+    #                 edi_party_name: {
+    #                   party_name: "String256", # required
+    #                   name_assigner: "String256",
+    #                 },
+    #                 uniform_resource_identifier: "String253",
+    #                 ip_address: "String39",
+    #                 registered_id: "CustomObjectIdentifier",
+    #               },
+    #             },
+    #           ],
+    #         },
     #       }
     #
     # @!attribute [rw] key_algorithm
@@ -286,12 +556,18 @@ module Aws::ACMPCA
     #   your private CA.
     #   @return [Types::ASN1Subject]
     #
+    # @!attribute [rw] csr_extensions
+    #   Specifies information to be added to the extension section of the
+    #   certificate signing request (CSR).
+    #   @return [Types::CsrExtensions]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/CertificateAuthorityConfiguration AWS API Documentation
     #
     class CertificateAuthorityConfiguration < Struct.new(
       :key_algorithm,
       :signing_algorithm,
-      :subject)
+      :subject,
+      :csr_extensions)
       SENSITIVE = []
       include Aws::Structure
     end
@@ -400,6 +676,58 @@ module Aws::ACMPCA
     #             pseudonym: "String128",
     #             generation_qualifier: "String3",
     #           },
+    #           csr_extensions: {
+    #             key_usage: {
+    #               digital_signature: false,
+    #               non_repudiation: false,
+    #               key_encipherment: false,
+    #               data_encipherment: false,
+    #               key_agreement: false,
+    #               key_cert_sign: false,
+    #               crl_sign: false,
+    #               encipher_only: false,
+    #               decipher_only: false,
+    #             },
+    #             subject_information_access: [
+    #               {
+    #                 access_method: { # required
+    #                   custom_object_identifier: "CustomObjectIdentifier",
+    #                   access_method_type: "CA_REPOSITORY", # accepts CA_REPOSITORY, RESOURCE_PKI_MANIFEST, RESOURCE_PKI_NOTIFY
+    #                 },
+    #                 access_location: { # required
+    #                   other_name: {
+    #                     type_id: "CustomObjectIdentifier", # required
+    #                     value: "String256", # required
+    #                   },
+    #                   rfc_822_name: "String256",
+    #                   dns_name: "String253",
+    #                   directory_name: {
+    #                     country: "CountryCodeString",
+    #                     organization: "String64",
+    #                     organizational_unit: "String64",
+    #                     distinguished_name_qualifier: "ASN1PrintableString64",
+    #                     state: "String128",
+    #                     common_name: "String64",
+    #                     serial_number: "ASN1PrintableString64",
+    #                     locality: "String128",
+    #                     title: "String64",
+    #                     surname: "String40",
+    #                     given_name: "String16",
+    #                     initials: "String5",
+    #                     pseudonym: "String128",
+    #                     generation_qualifier: "String3",
+    #                   },
+    #                   edi_party_name: {
+    #                     party_name: "String256", # required
+    #                     name_assigner: "String256",
+    #                   },
+    #                   uniform_resource_identifier: "String253",
+    #                   ip_address: "String39",
+    #                   registered_id: "CustomObjectIdentifier",
+    #                 },
+    #               },
+    #             ],
+    #           },
     #         },
     #         revocation_configuration: {
     #           crl_configuration: {
@@ -442,13 +770,15 @@ module Aws::ACMPCA
     #   @return [String]
     #
     # @!attribute [rw] idempotency_token
-    #   Alphanumeric string that can be used to distinguish between calls to
-    #   **CreateCertificateAuthority**. For a given token, ACM Private CA
-    #   creates exactly one CA. If you issue a subsequent call using the
-    #   same token, ACM Private CA returns the ARN of the existing CA and
-    #   takes no further action. If you change the idempotency token across
-    #   multiple calls, ACM Private CA creates a unique CA for each unique
-    #   token.
+    #   Custom string that can be used to distinguish between calls to the
+    #   **CreateCertificateAuthority** action. Idempotency tokens for
+    #   **CreateCertificateAuthority** time out after five minutes.
+    #   Therefore, if you call **CreateCertificateAuthority** multiple times
+    #   with the same idempotency token within five minutes, ACM Private CA
+    #   recognizes that you are requesting only certificate authority and
+    #   will issue only one. If you change the idempotency token for each
+    #   call, PCA recognizes that you are requesting multiple certificate
+    #   authorities.
     #   @return [String]
     #
     # @!attribute [rw] tags
@@ -635,7 +965,7 @@ module Aws::ACMPCA
     #   @return [Boolean]
     #
     # @!attribute [rw] expiration_in_days
-    #   Number of days until a certificate expires.
+    #   Validity period of the CRL in days.
     #   @return [Integer]
     #
     # @!attribute [rw] custom_cname
@@ -670,6 +1000,89 @@ module Aws::ACMPCA
       include Aws::Structure
     end
 
+    # Describes the certificate extensions to be added to the certificate
+    # signing request (CSR).
+    #
+    # @note When making an API call, you may pass CsrExtensions
+    #   data as a hash:
+    #
+    #       {
+    #         key_usage: {
+    #           digital_signature: false,
+    #           non_repudiation: false,
+    #           key_encipherment: false,
+    #           data_encipherment: false,
+    #           key_agreement: false,
+    #           key_cert_sign: false,
+    #           crl_sign: false,
+    #           encipher_only: false,
+    #           decipher_only: false,
+    #         },
+    #         subject_information_access: [
+    #           {
+    #             access_method: { # required
+    #               custom_object_identifier: "CustomObjectIdentifier",
+    #               access_method_type: "CA_REPOSITORY", # accepts CA_REPOSITORY, RESOURCE_PKI_MANIFEST, RESOURCE_PKI_NOTIFY
+    #             },
+    #             access_location: { # required
+    #               other_name: {
+    #                 type_id: "CustomObjectIdentifier", # required
+    #                 value: "String256", # required
+    #               },
+    #               rfc_822_name: "String256",
+    #               dns_name: "String253",
+    #               directory_name: {
+    #                 country: "CountryCodeString",
+    #                 organization: "String64",
+    #                 organizational_unit: "String64",
+    #                 distinguished_name_qualifier: "ASN1PrintableString64",
+    #                 state: "String128",
+    #                 common_name: "String64",
+    #                 serial_number: "ASN1PrintableString64",
+    #                 locality: "String128",
+    #                 title: "String64",
+    #                 surname: "String40",
+    #                 given_name: "String16",
+    #                 initials: "String5",
+    #                 pseudonym: "String128",
+    #                 generation_qualifier: "String3",
+    #               },
+    #               edi_party_name: {
+    #                 party_name: "String256", # required
+    #                 name_assigner: "String256",
+    #               },
+    #               uniform_resource_identifier: "String253",
+    #               ip_address: "String39",
+    #               registered_id: "CustomObjectIdentifier",
+    #             },
+    #           },
+    #         ],
+    #       }
+    #
+    # @!attribute [rw] key_usage
+    #   Indicates the purpose of the certificate and of the key contained in
+    #   the certificate.
+    #   @return [Types::KeyUsage]
+    #
+    # @!attribute [rw] subject_information_access
+    #   For CA certificates, provides a path to additional information
+    #   pertaining to the CA, such as revocation and policy. For more
+    #   information, see [Subject Information Access][1] in RFC 5280.
+    #
+    #
+    #
+    #   [1]: https://tools.ietf.org/html/rfc5280#section-4.2.2.2
+    #   @return [Array<Types::AccessDescription>]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/CsrExtensions AWS API Documentation
+    #
+    class CsrExtensions < Struct.new(
+      :key_usage,
+      :subject_information_access)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
     # @note When making an API call, you may pass DeleteCertificateAuthorityRequest
     #   data as a hash:
     #
@@ -882,6 +1295,289 @@ module Aws::ACMPCA
       include Aws::Structure
     end
 
+    # Describes an Electronic Data Interchange (EDI) entity as described in
+    # as defined in [Subject Alternative Name][1] in RFC 5280.
+    #
+    #
+    #
+    # [1]: https://tools.ietf.org/html/rfc5280
+    #
+    # @note When making an API call, you may pass EdiPartyName
+    #   data as a hash:
+    #
+    #       {
+    #         party_name: "String256", # required
+    #         name_assigner: "String256",
+    #       }
+    #
+    # @!attribute [rw] party_name
+    #   Specifies the party name.
+    #   @return [String]
+    #
+    # @!attribute [rw] name_assigner
+    #   Specifies the name assigner.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/EdiPartyName AWS API Documentation
+    #
+    class EdiPartyName < Struct.new(
+      :party_name,
+      :name_assigner)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # Specifies additional purposes for which the certified public key may
+    # be used other than basic purposes indicated in the `KeyUsage`
+    # extension.
+    #
+    # @note When making an API call, you may pass ExtendedKeyUsage
+    #   data as a hash:
+    #
+    #       {
+    #         extended_key_usage_type: "SERVER_AUTH", # accepts SERVER_AUTH, CLIENT_AUTH, CODE_SIGNING, EMAIL_PROTECTION, TIME_STAMPING, OCSP_SIGNING, SMART_CARD_LOGIN, DOCUMENT_SIGNING, CERTIFICATE_TRANSPARENCY
+    #         extended_key_usage_object_identifier: "CustomObjectIdentifier",
+    #       }
+    #
+    # @!attribute [rw] extended_key_usage_type
+    #   Specifies a standard `ExtendedKeyUsage` as defined as in [RFC
+    #   5280][1].
+    #
+    #
+    #
+    #   [1]: https://tools.ietf.org/html/rfc5280#section-4.2.1.12
+    #   @return [String]
+    #
+    # @!attribute [rw] extended_key_usage_object_identifier
+    #   Specifies a custom `ExtendedKeyUsage` with an object identifier
+    #   (OID).
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/ExtendedKeyUsage AWS API Documentation
+    #
+    class ExtendedKeyUsage < Struct.new(
+      :extended_key_usage_type,
+      :extended_key_usage_object_identifier)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # Contains X.509 extension information for a certificate.
+    #
+    # @note When making an API call, you may pass Extensions
+    #   data as a hash:
+    #
+    #       {
+    #         certificate_policies: [
+    #           {
+    #             cert_policy_id: "CustomObjectIdentifier", # required
+    #             policy_qualifiers: [
+    #               {
+    #                 policy_qualifier_id: "CPS", # required, accepts CPS
+    #                 qualifier: { # required
+    #                   cps_uri: "String256", # required
+    #                 },
+    #               },
+    #             ],
+    #           },
+    #         ],
+    #         extended_key_usage: [
+    #           {
+    #             extended_key_usage_type: "SERVER_AUTH", # accepts SERVER_AUTH, CLIENT_AUTH, CODE_SIGNING, EMAIL_PROTECTION, TIME_STAMPING, OCSP_SIGNING, SMART_CARD_LOGIN, DOCUMENT_SIGNING, CERTIFICATE_TRANSPARENCY
+    #             extended_key_usage_object_identifier: "CustomObjectIdentifier",
+    #           },
+    #         ],
+    #         key_usage: {
+    #           digital_signature: false,
+    #           non_repudiation: false,
+    #           key_encipherment: false,
+    #           data_encipherment: false,
+    #           key_agreement: false,
+    #           key_cert_sign: false,
+    #           crl_sign: false,
+    #           encipher_only: false,
+    #           decipher_only: false,
+    #         },
+    #         subject_alternative_names: [
+    #           {
+    #             other_name: {
+    #               type_id: "CustomObjectIdentifier", # required
+    #               value: "String256", # required
+    #             },
+    #             rfc_822_name: "String256",
+    #             dns_name: "String253",
+    #             directory_name: {
+    #               country: "CountryCodeString",
+    #               organization: "String64",
+    #               organizational_unit: "String64",
+    #               distinguished_name_qualifier: "ASN1PrintableString64",
+    #               state: "String128",
+    #               common_name: "String64",
+    #               serial_number: "ASN1PrintableString64",
+    #               locality: "String128",
+    #               title: "String64",
+    #               surname: "String40",
+    #               given_name: "String16",
+    #               initials: "String5",
+    #               pseudonym: "String128",
+    #               generation_qualifier: "String3",
+    #             },
+    #             edi_party_name: {
+    #               party_name: "String256", # required
+    #               name_assigner: "String256",
+    #             },
+    #             uniform_resource_identifier: "String253",
+    #             ip_address: "String39",
+    #             registered_id: "CustomObjectIdentifier",
+    #           },
+    #         ],
+    #       }
+    #
+    # @!attribute [rw] certificate_policies
+    #   Contains a sequence of one or more policy information terms, each of
+    #   which consists of an object identifier (OID) and optional
+    #   qualifiers. For more information, see NIST's definition of [Object
+    #   Identifier (OID)][1].
+    #
+    #   In an end-entity certificate, these terms indicate the policy under
+    #   which the certificate was issued and the purposes for which it may
+    #   be used. In a CA certificate, these terms limit the set of policies
+    #   for certification paths that include this certificate.
+    #
+    #
+    #
+    #   [1]: https://csrc.nist.gov/glossary/term/Object_Identifier
+    #   @return [Array<Types::PolicyInformation>]
+    #
+    # @!attribute [rw] extended_key_usage
+    #   Specifies additional purposes for which the certified public key may
+    #   be used other than basic purposes indicated in the `KeyUsage`
+    #   extension.
+    #   @return [Array<Types::ExtendedKeyUsage>]
+    #
+    # @!attribute [rw] key_usage
+    #   Defines one or more purposes for which the key contained in the
+    #   certificate can be used. Default value for each option is false.
+    #   @return [Types::KeyUsage]
+    #
+    # @!attribute [rw] subject_alternative_names
+    #   The subject alternative name extension allows identities to be bound
+    #   to the subject of the certificate. These identities may be included
+    #   in addition to or in place of the identity in the subject field of
+    #   the certificate.
+    #   @return [Array<Types::GeneralName>]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/Extensions AWS API Documentation
+    #
+    class Extensions < Struct.new(
+      :certificate_policies,
+      :extended_key_usage,
+      :key_usage,
+      :subject_alternative_names)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # Describes an ASN.1 X.400 `GeneralName` as defined in [RFC 5280][1].
+    # Only one of the following naming options should be provided. Providing
+    # more than one option results in an `InvalidArgsException` error.
+    #
+    #
+    #
+    # [1]: https://tools.ietf.org/html/rfc5280
+    #
+    # @note When making an API call, you may pass GeneralName
+    #   data as a hash:
+    #
+    #       {
+    #         other_name: {
+    #           type_id: "CustomObjectIdentifier", # required
+    #           value: "String256", # required
+    #         },
+    #         rfc_822_name: "String256",
+    #         dns_name: "String253",
+    #         directory_name: {
+    #           country: "CountryCodeString",
+    #           organization: "String64",
+    #           organizational_unit: "String64",
+    #           distinguished_name_qualifier: "ASN1PrintableString64",
+    #           state: "String128",
+    #           common_name: "String64",
+    #           serial_number: "ASN1PrintableString64",
+    #           locality: "String128",
+    #           title: "String64",
+    #           surname: "String40",
+    #           given_name: "String16",
+    #           initials: "String5",
+    #           pseudonym: "String128",
+    #           generation_qualifier: "String3",
+    #         },
+    #         edi_party_name: {
+    #           party_name: "String256", # required
+    #           name_assigner: "String256",
+    #         },
+    #         uniform_resource_identifier: "String253",
+    #         ip_address: "String39",
+    #         registered_id: "CustomObjectIdentifier",
+    #       }
+    #
+    # @!attribute [rw] other_name
+    #   Represents `GeneralName` using an `OtherName` object.
+    #   @return [Types::OtherName]
+    #
+    # @!attribute [rw] rfc_822_name
+    #   Represents `GeneralName` as an [RFC 822][1] email address.
+    #
+    #
+    #
+    #   [1]: https://tools.ietf.org/html/rfc822
+    #   @return [String]
+    #
+    # @!attribute [rw] dns_name
+    #   Represents `GeneralName` as a DNS name.
+    #   @return [String]
+    #
+    # @!attribute [rw] directory_name
+    #   Contains information about the certificate subject. The `Subject`
+    #   field in the certificate identifies the entity that owns or controls
+    #   the public key in the certificate. The entity can be a user,
+    #   computer, device, or service. The `Subject `must contain an X.500
+    #   distinguished name (DN). A DN is a sequence of relative
+    #   distinguished names (RDNs). The RDNs are separated by commas in the
+    #   certificate.
+    #   @return [Types::ASN1Subject]
+    #
+    # @!attribute [rw] edi_party_name
+    #   Represents `GeneralName` as an `EdiPartyName` object.
+    #   @return [Types::EdiPartyName]
+    #
+    # @!attribute [rw] uniform_resource_identifier
+    #   Represents `GeneralName` as a URI.
+    #   @return [String]
+    #
+    # @!attribute [rw] ip_address
+    #   Represents `GeneralName` as an IPv4 or IPv6 address.
+    #   @return [String]
+    #
+    # @!attribute [rw] registered_id
+    #   Represents `GeneralName` as an object identifier (OID).
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/GeneralName AWS API Documentation
+    #
+    class GeneralName < Struct.new(
+      :other_name,
+      :rfc_822_name,
+      :dns_name,
+      :directory_name,
+      :edi_party_name,
+      :uniform_resource_identifier,
+      :ip_address,
+      :registered_id)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
     # @note When making an API call, you may pass GetCertificateAuthorityCertificateRequest
     #   data as a hash:
     #
@@ -911,10 +1607,9 @@ module Aws::ACMPCA
     #
     # @!attribute [rw] certificate_chain
     #   Base64-encoded certificate chain that includes any intermediate
-    #   certificates and chains up to root on-premises certificate that you
-    #   used to sign your private CA certificate. The chain does not include
-    #   your private CA certificate. If this is a root CA, the value will be
-    #   null.
+    #   certificates and chains up to root certificate that you used to sign
+    #   your private CA certificate. The chain does not include your private
+    #   CA certificate. If this is a root CA, the value will be null.
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/GetCertificateAuthorityCertificateResponse AWS API Documentation
@@ -1009,9 +1704,8 @@ module Aws::ACMPCA
     #   @return [String]
     #
     # @!attribute [rw] certificate_chain
-    #   The base64 PEM-encoded certificate chain that chains up to the
-    #   on-premises root CA certificate that you used to sign your private
-    #   CA certificate.
+    #   The base64 PEM-encoded certificate chain that chains up to the root
+    #   CA certificate that you used to sign your private CA certificate.
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/GetCertificateResponse AWS API Documentation
@@ -1156,7 +1850,7 @@ module Aws::ACMPCA
     #
     #
     #
-    # [1]: https://docs.aws.amazon.com/https:/docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#access_policies-json
+    # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#access_policies-json
     #
     # @!attribute [rw] message
     #   @return [String]
@@ -1213,6 +1907,89 @@ module Aws::ACMPCA
     #   data as a hash:
     #
     #       {
+    #         api_passthrough: {
+    #           extensions: {
+    #             certificate_policies: [
+    #               {
+    #                 cert_policy_id: "CustomObjectIdentifier", # required
+    #                 policy_qualifiers: [
+    #                   {
+    #                     policy_qualifier_id: "CPS", # required, accepts CPS
+    #                     qualifier: { # required
+    #                       cps_uri: "String256", # required
+    #                     },
+    #                   },
+    #                 ],
+    #               },
+    #             ],
+    #             extended_key_usage: [
+    #               {
+    #                 extended_key_usage_type: "SERVER_AUTH", # accepts SERVER_AUTH, CLIENT_AUTH, CODE_SIGNING, EMAIL_PROTECTION, TIME_STAMPING, OCSP_SIGNING, SMART_CARD_LOGIN, DOCUMENT_SIGNING, CERTIFICATE_TRANSPARENCY
+    #                 extended_key_usage_object_identifier: "CustomObjectIdentifier",
+    #               },
+    #             ],
+    #             key_usage: {
+    #               digital_signature: false,
+    #               non_repudiation: false,
+    #               key_encipherment: false,
+    #               data_encipherment: false,
+    #               key_agreement: false,
+    #               key_cert_sign: false,
+    #               crl_sign: false,
+    #               encipher_only: false,
+    #               decipher_only: false,
+    #             },
+    #             subject_alternative_names: [
+    #               {
+    #                 other_name: {
+    #                   type_id: "CustomObjectIdentifier", # required
+    #                   value: "String256", # required
+    #                 },
+    #                 rfc_822_name: "String256",
+    #                 dns_name: "String253",
+    #                 directory_name: {
+    #                   country: "CountryCodeString",
+    #                   organization: "String64",
+    #                   organizational_unit: "String64",
+    #                   distinguished_name_qualifier: "ASN1PrintableString64",
+    #                   state: "String128",
+    #                   common_name: "String64",
+    #                   serial_number: "ASN1PrintableString64",
+    #                   locality: "String128",
+    #                   title: "String64",
+    #                   surname: "String40",
+    #                   given_name: "String16",
+    #                   initials: "String5",
+    #                   pseudonym: "String128",
+    #                   generation_qualifier: "String3",
+    #                 },
+    #                 edi_party_name: {
+    #                   party_name: "String256", # required
+    #                   name_assigner: "String256",
+    #                 },
+    #                 uniform_resource_identifier: "String253",
+    #                 ip_address: "String39",
+    #                 registered_id: "CustomObjectIdentifier",
+    #               },
+    #             ],
+    #           },
+    #           subject: {
+    #             country: "CountryCodeString",
+    #             organization: "String64",
+    #             organizational_unit: "String64",
+    #             distinguished_name_qualifier: "ASN1PrintableString64",
+    #             state: "String128",
+    #             common_name: "String64",
+    #             serial_number: "ASN1PrintableString64",
+    #             locality: "String128",
+    #             title: "String64",
+    #             surname: "String40",
+    #             given_name: "String16",
+    #             initials: "String5",
+    #             pseudonym: "String128",
+    #             generation_qualifier: "String3",
+    #           },
+    #         },
     #         certificate_authority_arn: "Arn", # required
     #         csr: "data", # required
     #         signing_algorithm: "SHA256WITHECDSA", # required, accepts SHA256WITHECDSA, SHA384WITHECDSA, SHA512WITHECDSA, SHA256WITHRSA, SHA384WITHRSA, SHA512WITHRSA
@@ -1221,9 +1998,29 @@ module Aws::ACMPCA
     #           value: 1, # required
     #           type: "END_DATE", # required, accepts END_DATE, ABSOLUTE, DAYS, MONTHS, YEARS
     #         },
+    #         validity_not_before: {
+    #           value: 1, # required
+    #           type: "END_DATE", # required, accepts END_DATE, ABSOLUTE, DAYS, MONTHS, YEARS
+    #         },
     #         idempotency_token: "IdempotencyToken",
     #       }
     #
+    # @!attribute [rw] api_passthrough
+    #   Specifies X.509 certificate information to be included in the issued
+    #   certificate. An `APIPassthrough` or `APICSRPassthrough` template
+    #   variant must be selected, or else this parameter is ignored. For
+    #   more information about using these templates, see [Understanding
+    #   Certificate Templates][1].
+    #
+    #   If conflicting or duplicate certificate information is supplied
+    #   during certificate issuance, ACM Private CA applies [order of
+    #   operation rules](xxxxx) to determine what information is used.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/acm-pca/latest/userguide/UsingTemplates.html
+    #   @return [Types::ApiPassthrough]
+    #
     # @!attribute [rw] certificate_authority_arn
     #   The Amazon Resource Name (ARN) that was returned when you called
     #   [CreateCertificateAuthority][1]. This must be of the form:
@@ -1238,15 +2035,15 @@ module Aws::ACMPCA
     #
     # @!attribute [rw] csr
     #   The certificate signing request (CSR) for the certificate you want
-    #   to issue. You can use the following OpenSSL command to create the
-    #   CSR and a 2048 bit RSA private key.
+    #   to issue. As an example, you can use the following OpenSSL command
+    #   to create the CSR and a 2048 bit RSA private key.
     #
     #   `openssl req -new -newkey rsa:2048 -days 365 -keyout
     #   private/test_cert_priv_key.pem -out csr/test_cert_.csr`
     #
-    #   If you have a configuration file, you can use the following OpenSSL
-    #   command. The `usr_cert` block in the configuration file contains
-    #   your X509 version 3 extensions.
+    #   If you have a configuration file, you can then use the following
+    #   OpenSSL command. The `usr_cert` block in the configuration file
+    #   contains your X509 version 3 extensions.
     #
     #   `openssl req -new -config openssl_rsa.cnf -extensions usr_cert
     #   -newkey rsa:2048 -days -365 -keyout private/test_cert_priv_key.pem
@@ -1261,7 +2058,8 @@ module Aws::ACMPCA
     #   to be issued.
     #
     #   This parameter should not be confused with the `SigningAlgorithm`
-    #   parameter used to sign a CSR.
+    #   parameter used to sign a CSR in the `CreateCertificateAuthority`
+    #   action.
     #   @return [String]
     #
     # @!attribute [rw] template_arn
@@ -1275,77 +2073,85 @@ module Aws::ACMPCA
     #   Note: The CA depth configured on a subordinate CA certificate must
     #   not exceed the limit set by its parents in the CA hierarchy.
     #
-    #   The following service-owned `TemplateArn` values are supported by
-    #   ACM Private CA:
-    #
-    #   * arn:aws:acm-pca:::template/CodeSigningCertificate/V1
-    #
-    #   * arn:aws:acm-pca:::template/CodeSigningCertificate\_CSRPassthrough/V1
-    #
-    #   * arn:aws:acm-pca:::template/EndEntityCertificate/V1
+    #   For a list of `TemplateArn` values supported by ACM Private CA, see
+    #   [Understanding Certificate Templates][2].
     #
-    #   * arn:aws:acm-pca:::template/EndEntityCertificate\_CSRPassthrough/V1
     #
-    #   * arn:aws:acm-pca:::template/EndEntityClientAuthCertificate/V1
     #
-    #   * arn:aws:acm-pca:::template/EndEntityClientAuthCertificate\_CSRPassthrough/V1
-    #
-    #   * arn:aws:acm-pca:::template/EndEntityServerAuthCertificate/V1
-    #
-    #   * arn:aws:acm-pca:::template/EndEntityServerAuthCertificate\_CSRPassthrough/V1
+    #   [1]: https://docs.aws.amazon.com/acm-pca/latest/userguide/PcaTerms.html#terms-cadepth
+    #   [2]: https://docs.aws.amazon.com/acm-pca/latest/userguide/UsingTemplates.html
+    #   @return [String]
     #
-    #   * arn:aws:acm-pca:::template/OCSPSigningCertificate/V1
+    # @!attribute [rw] validity
+    #   Information describing the end of the validity period of the
+    #   certificate. This parameter sets the “Not After” date for the
+    #   certificate.
     #
-    #   * arn:aws:acm-pca:::template/OCSPSigningCertificate\_CSRPassthrough/V1
+    #   Certificate validity is the period of time during which a
+    #   certificate is valid. Validity can be expressed as an explicit date
+    #   and time when the certificate expires, or as a span of time after
+    #   issuance, stated in days, months, or years. For more information,
+    #   see [Validity][1] in RFC 5280.
     #
-    #   * arn:aws:acm-pca:::template/RootCACertificate/V1
+    #   This value is unaffected when `ValidityNotBefore` is also specified.
+    #   For example, if `Validity` is set to 20 days in the future, the
+    #   certificate will expire 20 days from issuance time regardless of the
+    #   `ValidityNotBefore` value.
     #
-    #   * arn:aws:acm-pca:::template/SubordinateCACertificate\_PathLen0/V1
+    #   The end of the validity period configured on a certificate must not
+    #   exceed the limit set on its parents in the CA hierarchy.
     #
-    #   * arn:aws:acm-pca:::template/SubordinateCACertificate\_PathLen1/V1
     #
-    #   * arn:aws:acm-pca:::template/SubordinateCACertificate\_PathLen2/V1
     #
-    #   * arn:aws:acm-pca:::template/SubordinateCACertificate\_PathLen3/V1
+    #   [1]: https://tools.ietf.org/html/rfc5280#section-4.1.2.5
+    #   @return [Types::Validity]
     #
-    #   For more information, see [Using Templates][2].
+    # @!attribute [rw] validity_not_before
+    #   Information describing the start of the validity period of the
+    #   certificate. This parameter sets the “Not Before" date for the
+    #   certificate.
     #
+    #   By default, when issuing a certificate, ACM Private CA sets the
+    #   "Not Before" date to the issuance time minus 60 minutes. This
+    #   compensates for clock inconsistencies across computer systems. The
+    #   `ValidityNotBefore` parameter can be used to customize the “Not
+    #   Before” value.
     #
+    #   Unlike the `Validity` parameter, the `ValidityNotBefore` parameter
+    #   is optional.
     #
-    #   [1]: https://docs.aws.amazon.com/acm-pca/latest/userguide/PcaTerms.html#terms-cadepth
-    #   [2]: https://docs.aws.amazon.com/acm-pca/latest/userguide/UsingTemplates.html
-    #   @return [String]
+    #   The `ValidityNotBefore` value is expressed as an explicit date and
+    #   time, using the `Validity` type value `ABSOLUTE`. For more
+    #   information, see [Validity][1] in this API reference and
+    #   [Validity][2] in RFC 5280.
     #
-    # @!attribute [rw] validity
-    #   Information describing the validity period of the certificate.
     #
-    #   When issuing a certificate, ACM Private CA sets the "Not Before"
-    #   date in the validity field to date and time minus 60 minutes. This
-    #   is intended to compensate for time inconsistencies across systems of
-    #   60 minutes or less.
     #
-    #   The validity period configured on a certificate must not exceed the
-    #   limit set by its parents in the CA hierarchy.
+    #   [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_Validity.html
+    #   [2]: https://tools.ietf.org/html/rfc5280#section-4.1.2.5
     #   @return [Types::Validity]
     #
     # @!attribute [rw] idempotency_token
-    #   Custom string that can be used to distinguish between calls to the
-    #   **IssueCertificate** action. Idempotency tokens time out after one
-    #   hour. Therefore, if you call **IssueCertificate** multiple times
-    #   with the same idempotency token within 5 minutes, ACM Private CA
-    #   recognizes that you are requesting only one certificate and will
-    #   issue only one. If you change the idempotency token for each call,
-    #   PCA recognizes that you are requesting multiple certificates.
+    #   Alphanumeric string that can be used to distinguish between calls to
+    #   the **IssueCertificate** action. Idempotency tokens for
+    #   **IssueCertificate** time out after one minute. Therefore, if you
+    #   call **IssueCertificate** multiple times with the same idempotency
+    #   token within one minute, ACM Private CA recognizes that you are
+    #   requesting only one certificate and will issue only one. If you
+    #   change the idempotency token for each call, PCA recognizes that you
+    #   are requesting multiple certificates.
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/IssueCertificateRequest AWS API Documentation
     #
     class IssueCertificateRequest < Struct.new(
+      :api_passthrough,
       :certificate_authority_arn,
       :csr,
       :signing_algorithm,
       :template_arn,
       :validity,
+      :validity_not_before,
       :idempotency_token)
       SENSITIVE = []
       include Aws::Structure
@@ -1367,6 +2173,76 @@ module Aws::ACMPCA
       include Aws::Structure
     end
 
+    # Defines one or more purposes for which the key contained in the
+    # certificate can be used. Default value for each option is false.
+    #
+    # @note When making an API call, you may pass KeyUsage
+    #   data as a hash:
+    #
+    #       {
+    #         digital_signature: false,
+    #         non_repudiation: false,
+    #         key_encipherment: false,
+    #         data_encipherment: false,
+    #         key_agreement: false,
+    #         key_cert_sign: false,
+    #         crl_sign: false,
+    #         encipher_only: false,
+    #         decipher_only: false,
+    #       }
+    #
+    # @!attribute [rw] digital_signature
+    #   Key can be used for digital signing.
+    #   @return [Boolean]
+    #
+    # @!attribute [rw] non_repudiation
+    #   Key can be used for non-repudiation.
+    #   @return [Boolean]
+    #
+    # @!attribute [rw] key_encipherment
+    #   Key can be used to encipher data.
+    #   @return [Boolean]
+    #
+    # @!attribute [rw] data_encipherment
+    #   Key can be used to decipher data.
+    #   @return [Boolean]
+    #
+    # @!attribute [rw] key_agreement
+    #   Key can be used in a key-agreement protocol.
+    #   @return [Boolean]
+    #
+    # @!attribute [rw] key_cert_sign
+    #   Key can be used to sign certificates.
+    #   @return [Boolean]
+    #
+    # @!attribute [rw] crl_sign
+    #   Key can be used to sign CRLs.
+    #   @return [Boolean]
+    #
+    # @!attribute [rw] encipher_only
+    #   Key can be used only to encipher data.
+    #   @return [Boolean]
+    #
+    # @!attribute [rw] decipher_only
+    #   Key can be used only to decipher data.
+    #   @return [Boolean]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/KeyUsage AWS API Documentation
+    #
+    class KeyUsage < Struct.new(
+      :digital_signature,
+      :non_repudiation,
+      :key_encipherment,
+      :data_encipherment,
+      :key_agreement,
+      :key_cert_sign,
+      :crl_sign,
+      :encipher_only,
+      :decipher_only)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
     # An ACM Private CA quota has been exceeded. See the exception message
     # returned to determine the quota that was exceeded.
     #
@@ -1610,6 +2486,40 @@ module Aws::ACMPCA
       include Aws::Structure
     end
 
+    # Defines a custom ASN.1 X.400 `GeneralName` using an object identifier
+    # (OID) and value. The OID must satisfy the regular expression shown
+    # below. For more information, see NIST's definition of [Object
+    # Identifier (OID)][1].
+    #
+    #
+    #
+    # [1]: https://csrc.nist.gov/glossary/term/Object_Identifier
+    #
+    # @note When making an API call, you may pass OtherName
+    #   data as a hash:
+    #
+    #       {
+    #         type_id: "CustomObjectIdentifier", # required
+    #         value: "String256", # required
+    #       }
+    #
+    # @!attribute [rw] type_id
+    #   Specifies an OID.
+    #   @return [String]
+    #
+    # @!attribute [rw] value
+    #   Specifies an OID value.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/OtherName AWS API Documentation
+    #
+    class OtherName < Struct.new(
+      :type_id,
+      :value)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
     # Permissions designate which private CA actions can be performed by an
     # AWS service or entity. In order for ACM to automatically renew private
     # certificates, you must give the ACM service principal all available
@@ -1677,6 +2587,79 @@ module Aws::ACMPCA
       include Aws::Structure
     end
 
+    # Defines the X.509 `CertificatePolicies` extension.
+    #
+    # @note When making an API call, you may pass PolicyInformation
+    #   data as a hash:
+    #
+    #       {
+    #         cert_policy_id: "CustomObjectIdentifier", # required
+    #         policy_qualifiers: [
+    #           {
+    #             policy_qualifier_id: "CPS", # required, accepts CPS
+    #             qualifier: { # required
+    #               cps_uri: "String256", # required
+    #             },
+    #           },
+    #         ],
+    #       }
+    #
+    # @!attribute [rw] cert_policy_id
+    #   Specifies the object identifier (OID) of the certificate policy
+    #   under which the certificate was issued. For more information, see
+    #   NIST's definition of [Object Identifier (OID)][1].
+    #
+    #
+    #
+    #   [1]: https://csrc.nist.gov/glossary/term/Object_Identifier
+    #   @return [String]
+    #
+    # @!attribute [rw] policy_qualifiers
+    #   Modifies the given `CertPolicyId` with a qualifier. ACM Private CA
+    #   supports the certification practice statement (CPS) qualifier.
+    #   @return [Array<Types::PolicyQualifierInfo>]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/PolicyInformation AWS API Documentation
+    #
+    class PolicyInformation < Struct.new(
+      :cert_policy_id,
+      :policy_qualifiers)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # Modifies the `CertPolicyId` of a `PolicyInformation` object with a
+    # qualifier. ACM Private CA supports the certification practice
+    # statement (CPS) qualifier.
+    #
+    # @note When making an API call, you may pass PolicyQualifierInfo
+    #   data as a hash:
+    #
+    #       {
+    #         policy_qualifier_id: "CPS", # required, accepts CPS
+    #         qualifier: { # required
+    #           cps_uri: "String256", # required
+    #         },
+    #       }
+    #
+    # @!attribute [rw] policy_qualifier_id
+    #   Identifies the qualifier modifying a `CertPolicyId`.
+    #   @return [String]
+    #
+    # @!attribute [rw] qualifier
+    #   Defines the qualifier type. ACM Private CA supports the use of a URI
+    #   for a CPS qualifier in this field.
+    #   @return [Types::Qualifier]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/PolicyQualifierInfo AWS API Documentation
+    #
+    class PolicyQualifierInfo < Struct.new(
+      :policy_qualifier_id,
+      :qualifier)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
     # @note When making an API call, you may pass PutPolicyRequest
     #   data as a hash:
     #
@@ -1698,7 +2681,7 @@ module Aws::ACMPCA
     #   @return [String]
     #
     # @!attribute [rw] policy
-    #   The path and filename of a JSON-formatted IAM policy to attach to
+    #   The path and file name of a JSON-formatted IAM policy to attach to
     #   the specified private CA resource. If this policy does not contain
     #   all required statements or if it includes any statement that is not
     #   allowed, the `PutPolicy` action returns an `InvalidPolicyException`.
@@ -1719,6 +2702,34 @@ module Aws::ACMPCA
       include Aws::Structure
     end
 
+    # Defines a `PolicyInformation` qualifier. ACM Private CA supports the
+    # [certification practice statement (CPS) qualifier][1] defined in RFC
+    # 5280.
+    #
+    #
+    #
+    # [1]: https://tools.ietf.org/html/rfc5280#section-4.2.1.4
+    #
+    # @note When making an API call, you may pass Qualifier
+    #   data as a hash:
+    #
+    #       {
+    #         cps_uri: "String256", # required
+    #       }
+    #
+    # @!attribute [rw] cps_uri
+    #   Contains a pointer to a certification practice statement (CPS)
+    #   published by the CA.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/Qualifier AWS API Documentation
+    #
+    class Qualifier < Struct.new(
+      :cps_uri)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
     # Your request has already been completed.
     #
     # @!attribute [rw] message
@@ -2059,17 +3070,20 @@ module Aws::ACMPCA
 
     # Validity specifies the period of time during which a certificate is
     # valid. Validity can be expressed as an explicit date and time when the
-    # certificate expires, or as a span of time after issuance, stated in
-    # days, months, or years. For more information, see [Validity][1] in RFC
-    # 5280.
+    # validity of a certificate starts or expires, or as a span of time
+    # after issuance, stated in days, months, or years. For more
+    # information, see [Validity][1] in RFC 5280.
     #
-    # You can issue a certificate by calling the [IssueCertificate][2]
-    # action.
+    # ACM Private CA API consumes the `Validity` data type differently in
+    # two distinct parameters of the `IssueCertificate` action. The required
+    # parameter `IssueCertificate`\:`Validity` specifies the end of a
+    # certificate's validity period. The optional parameter
+    # `IssueCertificate`\:`ValidityNotBefore` specifies a customized
+    # starting time for the validity period.
     #
     #
     #
     # [1]: https://tools.ietf.org/html/rfc5280#section-4.1.2.5
-    # [2]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_IssueCertificate.html
     #
     # @note When making an API call, you may pass Validity
     #   data as a hash:
@@ -2100,8 +3114,9 @@ module Aws::ACMPCA
     #
     #   * Output expiration date/time: 12/31/2049 23:59:59
     #
-    #   `ABSOLUTE`\: The specific date and time when the certificate will
-    #   expire, expressed in seconds since the Unix Epoch.
+    #   `ABSOLUTE`\: The specific date and time when the validity of a
+    #   certificate will start or expire, expressed in seconds since the
+    #   Unix Epoch.
     #
     #   * Sample input value: 2524608000
     #
@@ -2116,6 +3131,10 @@ module Aws::ACMPCA
     #   * Sample input value: 90
     #
     #   * Output expiration date: 01/10/2020 12:34:54 UTC
+    #
+    #   The minimum validity duration for a certificate using relative time
+    #   (`DAYS`) is one day. The minimum validity for a certificate using
+    #   absolute time (`ABSOLUTE` or `END_DATE`) is one second.
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/Validity AWS API Documentation