aws-sdk-acmpca 1.27.0 → 1.32.0

@@ -16,9 +16,14 @@ module Aws::ACMPCA
16
16
  ASN1PrintableString64 = Shapes::StringShape.new(name: 'ASN1PrintableString64')
17
17
  ASN1Subject = Shapes::StructureShape.new(name: 'ASN1Subject')
18
18
  AWSPolicy = Shapes::StringShape.new(name: 'AWSPolicy')
19
+ AccessDescription = Shapes::StructureShape.new(name: 'AccessDescription')
20
+ AccessDescriptionList = Shapes::ListShape.new(name: 'AccessDescriptionList')
21
+ AccessMethod = Shapes::StructureShape.new(name: 'AccessMethod')
22
+ AccessMethodType = Shapes::StringShape.new(name: 'AccessMethodType')
19
23
  AccountId = Shapes::StringShape.new(name: 'AccountId')
20
24
  ActionList = Shapes::ListShape.new(name: 'ActionList')
21
25
  ActionType = Shapes::StringShape.new(name: 'ActionType')
26
+ ApiPassthrough = Shapes::StructureShape.new(name: 'ApiPassthrough')
22
27
  Arn = Shapes::StringShape.new(name: 'Arn')
23
28
  AuditReportId = Shapes::StringShape.new(name: 'AuditReportId')
24
29
  AuditReportResponseFormat = Shapes::StringShape.new(name: 'AuditReportResponseFormat')
@@ -34,6 +39,7 @@ module Aws::ACMPCA
34
39
  CertificateChain = Shapes::StringShape.new(name: 'CertificateChain')
35
40
  CertificateChainBlob = Shapes::BlobShape.new(name: 'CertificateChainBlob')
36
41
  CertificateMismatchException = Shapes::StructureShape.new(name: 'CertificateMismatchException')
42
+ CertificatePolicyList = Shapes::ListShape.new(name: 'CertificatePolicyList')
37
43
  ConcurrentModificationException = Shapes::StructureShape.new(name: 'ConcurrentModificationException')
38
44
  CountryCodeString = Shapes::StringShape.new(name: 'CountryCodeString')
39
45
  CreateCertificateAuthorityAuditReportRequest = Shapes::StructureShape.new(name: 'CreateCertificateAuthorityAuditReportRequest')
@@ -44,6 +50,8 @@ module Aws::ACMPCA
44
50
  CrlConfiguration = Shapes::StructureShape.new(name: 'CrlConfiguration')
45
51
  CsrBlob = Shapes::BlobShape.new(name: 'CsrBlob')
46
52
  CsrBody = Shapes::StringShape.new(name: 'CsrBody')
53
+ CsrExtensions = Shapes::StructureShape.new(name: 'CsrExtensions')
54
+ CustomObjectIdentifier = Shapes::StringShape.new(name: 'CustomObjectIdentifier')
47
55
  DeleteCertificateAuthorityRequest = Shapes::StructureShape.new(name: 'DeleteCertificateAuthorityRequest')
48
56
  DeletePermissionRequest = Shapes::StructureShape.new(name: 'DeletePermissionRequest')
49
57
  DeletePolicyRequest = Shapes::StructureShape.new(name: 'DeletePolicyRequest')
@@ -51,7 +59,14 @@ module Aws::ACMPCA
51
59
  DescribeCertificateAuthorityAuditReportResponse = Shapes::StructureShape.new(name: 'DescribeCertificateAuthorityAuditReportResponse')
52
60
  DescribeCertificateAuthorityRequest = Shapes::StructureShape.new(name: 'DescribeCertificateAuthorityRequest')
53
61
  DescribeCertificateAuthorityResponse = Shapes::StructureShape.new(name: 'DescribeCertificateAuthorityResponse')
62
+ EdiPartyName = Shapes::StructureShape.new(name: 'EdiPartyName')
63
+ ExtendedKeyUsage = Shapes::StructureShape.new(name: 'ExtendedKeyUsage')
64
+ ExtendedKeyUsageList = Shapes::ListShape.new(name: 'ExtendedKeyUsageList')
65
+ ExtendedKeyUsageType = Shapes::StringShape.new(name: 'ExtendedKeyUsageType')
66
+ Extensions = Shapes::StructureShape.new(name: 'Extensions')
54
67
  FailureReason = Shapes::StringShape.new(name: 'FailureReason')
68
+ GeneralName = Shapes::StructureShape.new(name: 'GeneralName')
69
+ GeneralNameList = Shapes::ListShape.new(name: 'GeneralNameList')
55
70
  GetCertificateAuthorityCertificateRequest = Shapes::StructureShape.new(name: 'GetCertificateAuthorityCertificateRequest')
56
71
  GetCertificateAuthorityCertificateResponse = Shapes::StructureShape.new(name: 'GetCertificateAuthorityCertificateResponse')
57
72
  GetCertificateAuthorityCsrRequest = Shapes::StructureShape.new(name: 'GetCertificateAuthorityCsrRequest')
@@ -73,6 +88,7 @@ module Aws::ACMPCA
73
88
  IssueCertificateRequest = Shapes::StructureShape.new(name: 'IssueCertificateRequest')
74
89
  IssueCertificateResponse = Shapes::StructureShape.new(name: 'IssueCertificateResponse')
75
90
  KeyAlgorithm = Shapes::StringShape.new(name: 'KeyAlgorithm')
91
+ KeyUsage = Shapes::StructureShape.new(name: 'KeyUsage')
76
92
  LimitExceededException = Shapes::StructureShape.new(name: 'LimitExceededException')
77
93
  ListCertificateAuthoritiesRequest = Shapes::StructureShape.new(name: 'ListCertificateAuthoritiesRequest')
78
94
  ListCertificateAuthoritiesResponse = Shapes::StructureShape.new(name: 'ListCertificateAuthoritiesResponse')
@@ -85,13 +101,19 @@ module Aws::ACMPCA
85
101
  MalformedCertificateException = Shapes::StructureShape.new(name: 'MalformedCertificateException')
86
102
  MaxResults = Shapes::IntegerShape.new(name: 'MaxResults')
87
103
  NextToken = Shapes::StringShape.new(name: 'NextToken')
104
+ OtherName = Shapes::StructureShape.new(name: 'OtherName')
88
105
  PermanentDeletionTimeInDays = Shapes::IntegerShape.new(name: 'PermanentDeletionTimeInDays')
89
106
  Permission = Shapes::StructureShape.new(name: 'Permission')
90
107
  PermissionAlreadyExistsException = Shapes::StructureShape.new(name: 'PermissionAlreadyExistsException')
91
108
  PermissionList = Shapes::ListShape.new(name: 'PermissionList')
109
+ PolicyInformation = Shapes::StructureShape.new(name: 'PolicyInformation')
110
+ PolicyQualifierId = Shapes::StringShape.new(name: 'PolicyQualifierId')
111
+ PolicyQualifierInfo = Shapes::StructureShape.new(name: 'PolicyQualifierInfo')
112
+ PolicyQualifierInfoList = Shapes::ListShape.new(name: 'PolicyQualifierInfoList')
92
113
  PositiveLong = Shapes::IntegerShape.new(name: 'PositiveLong')
93
114
  Principal = Shapes::StringShape.new(name: 'Principal')
94
115
  PutPolicyRequest = Shapes::StructureShape.new(name: 'PutPolicyRequest')
116
+ Qualifier = Shapes::StructureShape.new(name: 'Qualifier')
95
117
  RequestAlreadyProcessedException = Shapes::StructureShape.new(name: 'RequestAlreadyProcessedException')
96
118
  RequestFailedException = Shapes::StructureShape.new(name: 'RequestFailedException')
97
119
  RequestInProgressException = Shapes::StructureShape.new(name: 'RequestInProgressException')
@@ -108,7 +130,9 @@ module Aws::ACMPCA
108
130
  String128 = Shapes::StringShape.new(name: 'String128')
109
131
  String16 = Shapes::StringShape.new(name: 'String16')
110
132
  String253 = Shapes::StringShape.new(name: 'String253')
133
+ String256 = Shapes::StringShape.new(name: 'String256')
111
134
  String3 = Shapes::StringShape.new(name: 'String3')
135
+ String39 = Shapes::StringShape.new(name: 'String39')
112
136
  String3To255 = Shapes::StringShape.new(name: 'String3To255')
113
137
  String40 = Shapes::StringShape.new(name: 'String40')
114
138
  String5 = Shapes::StringShape.new(name: 'String5')
@@ -141,8 +165,22 @@ module Aws::ACMPCA
141
165
  ASN1Subject.add_member(:generation_qualifier, Shapes::ShapeRef.new(shape: String3, location_name: "GenerationQualifier"))
142
166
  ASN1Subject.struct_class = Types::ASN1Subject
143
167
 
168
+ AccessDescription.add_member(:access_method, Shapes::ShapeRef.new(shape: AccessMethod, required: true, location_name: "AccessMethod"))
169
+ AccessDescription.add_member(:access_location, Shapes::ShapeRef.new(shape: GeneralName, required: true, location_name: "AccessLocation"))
170
+ AccessDescription.struct_class = Types::AccessDescription
171
+
172
+ AccessDescriptionList.member = Shapes::ShapeRef.new(shape: AccessDescription)
173
+
174
+ AccessMethod.add_member(:custom_object_identifier, Shapes::ShapeRef.new(shape: CustomObjectIdentifier, location_name: "CustomObjectIdentifier"))
175
+ AccessMethod.add_member(:access_method_type, Shapes::ShapeRef.new(shape: AccessMethodType, location_name: "AccessMethodType"))
176
+ AccessMethod.struct_class = Types::AccessMethod
177
+
144
178
  ActionList.member = Shapes::ShapeRef.new(shape: ActionType)
145
179
 
180
+ ApiPassthrough.add_member(:extensions, Shapes::ShapeRef.new(shape: Extensions, location_name: "Extensions"))
181
+ ApiPassthrough.add_member(:subject, Shapes::ShapeRef.new(shape: ASN1Subject, location_name: "Subject"))
182
+ ApiPassthrough.struct_class = Types::ApiPassthrough
183
+
146
184
  CertificateAuthorities.member = Shapes::ShapeRef.new(shape: CertificateAuthority)
147
185
 
148
186
  CertificateAuthority.add_member(:arn, Shapes::ShapeRef.new(shape: Arn, location_name: "Arn"))
@@ -163,11 +201,14 @@ module Aws::ACMPCA
163
201
  CertificateAuthorityConfiguration.add_member(:key_algorithm, Shapes::ShapeRef.new(shape: KeyAlgorithm, required: true, location_name: "KeyAlgorithm"))
164
202
  CertificateAuthorityConfiguration.add_member(:signing_algorithm, Shapes::ShapeRef.new(shape: SigningAlgorithm, required: true, location_name: "SigningAlgorithm"))
165
203
  CertificateAuthorityConfiguration.add_member(:subject, Shapes::ShapeRef.new(shape: ASN1Subject, required: true, location_name: "Subject"))
204
+ CertificateAuthorityConfiguration.add_member(:csr_extensions, Shapes::ShapeRef.new(shape: CsrExtensions, location_name: "CsrExtensions"))
166
205
  CertificateAuthorityConfiguration.struct_class = Types::CertificateAuthorityConfiguration
167
206
 
168
207
  CertificateMismatchException.add_member(:message, Shapes::ShapeRef.new(shape: String, location_name: "message"))
169
208
  CertificateMismatchException.struct_class = Types::CertificateMismatchException
170
209
 
210
+ CertificatePolicyList.member = Shapes::ShapeRef.new(shape: PolicyInformation)
211
+
171
212
  ConcurrentModificationException.add_member(:message, Shapes::ShapeRef.new(shape: String, location_name: "message"))
172
213
  ConcurrentModificationException.struct_class = Types::ConcurrentModificationException
173
214
 
@@ -202,6 +243,10 @@ module Aws::ACMPCA
202
243
  CrlConfiguration.add_member(:s3_bucket_name, Shapes::ShapeRef.new(shape: String3To255, location_name: "S3BucketName"))
203
244
  CrlConfiguration.struct_class = Types::CrlConfiguration
204
245
 
246
+ CsrExtensions.add_member(:key_usage, Shapes::ShapeRef.new(shape: KeyUsage, location_name: "KeyUsage"))
247
+ CsrExtensions.add_member(:subject_information_access, Shapes::ShapeRef.new(shape: AccessDescriptionList, location_name: "SubjectInformationAccess"))
248
+ CsrExtensions.struct_class = Types::CsrExtensions
249
+
205
250
  DeleteCertificateAuthorityRequest.add_member(:certificate_authority_arn, Shapes::ShapeRef.new(shape: Arn, required: true, location_name: "CertificateAuthorityArn"))
206
251
  DeleteCertificateAuthorityRequest.add_member(:permanent_deletion_time_in_days, Shapes::ShapeRef.new(shape: PermanentDeletionTimeInDays, location_name: "PermanentDeletionTimeInDays"))
207
252
  DeleteCertificateAuthorityRequest.struct_class = Types::DeleteCertificateAuthorityRequest
@@ -230,6 +275,34 @@ module Aws::ACMPCA
230
275
  DescribeCertificateAuthorityResponse.add_member(:certificate_authority, Shapes::ShapeRef.new(shape: CertificateAuthority, location_name: "CertificateAuthority"))
231
276
  DescribeCertificateAuthorityResponse.struct_class = Types::DescribeCertificateAuthorityResponse
232
277
 
278
+ EdiPartyName.add_member(:party_name, Shapes::ShapeRef.new(shape: String256, required: true, location_name: "PartyName"))
279
+ EdiPartyName.add_member(:name_assigner, Shapes::ShapeRef.new(shape: String256, location_name: "NameAssigner"))
280
+ EdiPartyName.struct_class = Types::EdiPartyName
281
+
282
+ ExtendedKeyUsage.add_member(:extended_key_usage_type, Shapes::ShapeRef.new(shape: ExtendedKeyUsageType, location_name: "ExtendedKeyUsageType"))
283
+ ExtendedKeyUsage.add_member(:extended_key_usage_object_identifier, Shapes::ShapeRef.new(shape: CustomObjectIdentifier, location_name: "ExtendedKeyUsageObjectIdentifier"))
284
+ ExtendedKeyUsage.struct_class = Types::ExtendedKeyUsage
285
+
286
+ ExtendedKeyUsageList.member = Shapes::ShapeRef.new(shape: ExtendedKeyUsage)
287
+
288
+ Extensions.add_member(:certificate_policies, Shapes::ShapeRef.new(shape: CertificatePolicyList, location_name: "CertificatePolicies"))
289
+ Extensions.add_member(:extended_key_usage, Shapes::ShapeRef.new(shape: ExtendedKeyUsageList, location_name: "ExtendedKeyUsage"))
290
+ Extensions.add_member(:key_usage, Shapes::ShapeRef.new(shape: KeyUsage, location_name: "KeyUsage"))
291
+ Extensions.add_member(:subject_alternative_names, Shapes::ShapeRef.new(shape: GeneralNameList, location_name: "SubjectAlternativeNames"))
292
+ Extensions.struct_class = Types::Extensions
293
+
294
+ GeneralName.add_member(:other_name, Shapes::ShapeRef.new(shape: OtherName, location_name: "OtherName"))
295
+ GeneralName.add_member(:rfc_822_name, Shapes::ShapeRef.new(shape: String256, location_name: "Rfc822Name"))
296
+ GeneralName.add_member(:dns_name, Shapes::ShapeRef.new(shape: String253, location_name: "DnsName"))
297
+ GeneralName.add_member(:directory_name, Shapes::ShapeRef.new(shape: ASN1Subject, location_name: "DirectoryName"))
298
+ GeneralName.add_member(:edi_party_name, Shapes::ShapeRef.new(shape: EdiPartyName, location_name: "EdiPartyName"))
299
+ GeneralName.add_member(:uniform_resource_identifier, Shapes::ShapeRef.new(shape: String253, location_name: "UniformResourceIdentifier"))
300
+ GeneralName.add_member(:ip_address, Shapes::ShapeRef.new(shape: String39, location_name: "IpAddress"))
301
+ GeneralName.add_member(:registered_id, Shapes::ShapeRef.new(shape: CustomObjectIdentifier, location_name: "RegisteredId"))
302
+ GeneralName.struct_class = Types::GeneralName
303
+
304
+ GeneralNameList.member = Shapes::ShapeRef.new(shape: GeneralName)
305
+
233
306
  GetCertificateAuthorityCertificateRequest.add_member(:certificate_authority_arn, Shapes::ShapeRef.new(shape: Arn, required: true, location_name: "CertificateAuthorityArn"))
234
307
  GetCertificateAuthorityCertificateRequest.struct_class = Types::GetCertificateAuthorityCertificateRequest
235
308
 
@@ -283,17 +356,30 @@ module Aws::ACMPCA
283
356
  InvalidTagException.add_member(:message, Shapes::ShapeRef.new(shape: String, location_name: "message"))
284
357
  InvalidTagException.struct_class = Types::InvalidTagException
285
358
 
359
+ IssueCertificateRequest.add_member(:api_passthrough, Shapes::ShapeRef.new(shape: ApiPassthrough, location_name: "ApiPassthrough"))
286
360
  IssueCertificateRequest.add_member(:certificate_authority_arn, Shapes::ShapeRef.new(shape: Arn, required: true, location_name: "CertificateAuthorityArn"))
287
361
  IssueCertificateRequest.add_member(:csr, Shapes::ShapeRef.new(shape: CsrBlob, required: true, location_name: "Csr"))
288
362
  IssueCertificateRequest.add_member(:signing_algorithm, Shapes::ShapeRef.new(shape: SigningAlgorithm, required: true, location_name: "SigningAlgorithm"))
289
363
  IssueCertificateRequest.add_member(:template_arn, Shapes::ShapeRef.new(shape: Arn, location_name: "TemplateArn"))
290
364
  IssueCertificateRequest.add_member(:validity, Shapes::ShapeRef.new(shape: Validity, required: true, location_name: "Validity"))
365
+ IssueCertificateRequest.add_member(:validity_not_before, Shapes::ShapeRef.new(shape: Validity, location_name: "ValidityNotBefore"))
291
366
  IssueCertificateRequest.add_member(:idempotency_token, Shapes::ShapeRef.new(shape: IdempotencyToken, location_name: "IdempotencyToken"))
292
367
  IssueCertificateRequest.struct_class = Types::IssueCertificateRequest
293
368
 
294
369
  IssueCertificateResponse.add_member(:certificate_arn, Shapes::ShapeRef.new(shape: Arn, location_name: "CertificateArn"))
295
370
  IssueCertificateResponse.struct_class = Types::IssueCertificateResponse
296
371
 
372
+ KeyUsage.add_member(:digital_signature, Shapes::ShapeRef.new(shape: Boolean, location_name: "DigitalSignature"))
373
+ KeyUsage.add_member(:non_repudiation, Shapes::ShapeRef.new(shape: Boolean, location_name: "NonRepudiation"))
374
+ KeyUsage.add_member(:key_encipherment, Shapes::ShapeRef.new(shape: Boolean, location_name: "KeyEncipherment"))
375
+ KeyUsage.add_member(:data_encipherment, Shapes::ShapeRef.new(shape: Boolean, location_name: "DataEncipherment"))
376
+ KeyUsage.add_member(:key_agreement, Shapes::ShapeRef.new(shape: Boolean, location_name: "KeyAgreement"))
377
+ KeyUsage.add_member(:key_cert_sign, Shapes::ShapeRef.new(shape: Boolean, location_name: "KeyCertSign"))
378
+ KeyUsage.add_member(:crl_sign, Shapes::ShapeRef.new(shape: Boolean, location_name: "CRLSign"))
379
+ KeyUsage.add_member(:encipher_only, Shapes::ShapeRef.new(shape: Boolean, location_name: "EncipherOnly"))
380
+ KeyUsage.add_member(:decipher_only, Shapes::ShapeRef.new(shape: Boolean, location_name: "DecipherOnly"))
381
+ KeyUsage.struct_class = Types::KeyUsage
382
+
297
383
  LimitExceededException.add_member(:message, Shapes::ShapeRef.new(shape: String, location_name: "message"))
298
384
  LimitExceededException.struct_class = Types::LimitExceededException
299
385
 
@@ -333,6 +419,10 @@ module Aws::ACMPCA
333
419
  MalformedCertificateException.add_member(:message, Shapes::ShapeRef.new(shape: String, location_name: "message"))
334
420
  MalformedCertificateException.struct_class = Types::MalformedCertificateException
335
421
 
422
+ OtherName.add_member(:type_id, Shapes::ShapeRef.new(shape: CustomObjectIdentifier, required: true, location_name: "TypeId"))
423
+ OtherName.add_member(:value, Shapes::ShapeRef.new(shape: String256, required: true, location_name: "Value"))
424
+ OtherName.struct_class = Types::OtherName
425
+
336
426
  Permission.add_member(:certificate_authority_arn, Shapes::ShapeRef.new(shape: Arn, location_name: "CertificateAuthorityArn"))
337
427
  Permission.add_member(:created_at, Shapes::ShapeRef.new(shape: TStamp, location_name: "CreatedAt"))
338
428
  Permission.add_member(:principal, Shapes::ShapeRef.new(shape: Principal, location_name: "Principal"))
@@ -346,10 +436,23 @@ module Aws::ACMPCA
346
436
 
347
437
  PermissionList.member = Shapes::ShapeRef.new(shape: Permission)
348
438
 
439
+ PolicyInformation.add_member(:cert_policy_id, Shapes::ShapeRef.new(shape: CustomObjectIdentifier, required: true, location_name: "CertPolicyId"))
440
+ PolicyInformation.add_member(:policy_qualifiers, Shapes::ShapeRef.new(shape: PolicyQualifierInfoList, location_name: "PolicyQualifiers"))
441
+ PolicyInformation.struct_class = Types::PolicyInformation
442
+
443
+ PolicyQualifierInfo.add_member(:policy_qualifier_id, Shapes::ShapeRef.new(shape: PolicyQualifierId, required: true, location_name: "PolicyQualifierId"))
444
+ PolicyQualifierInfo.add_member(:qualifier, Shapes::ShapeRef.new(shape: Qualifier, required: true, location_name: "Qualifier"))
445
+ PolicyQualifierInfo.struct_class = Types::PolicyQualifierInfo
446
+
447
+ PolicyQualifierInfoList.member = Shapes::ShapeRef.new(shape: PolicyQualifierInfo)
448
+
349
449
  PutPolicyRequest.add_member(:resource_arn, Shapes::ShapeRef.new(shape: Arn, required: true, location_name: "ResourceArn"))
350
450
  PutPolicyRequest.add_member(:policy, Shapes::ShapeRef.new(shape: AWSPolicy, required: true, location_name: "Policy"))
351
451
  PutPolicyRequest.struct_class = Types::PutPolicyRequest
352
452
 
453
+ Qualifier.add_member(:cps_uri, Shapes::ShapeRef.new(shape: String256, required: true, location_name: "CpsUri"))
454
+ Qualifier.struct_class = Types::Qualifier
455
+
353
456
  RequestAlreadyProcessedException.add_member(:message, Shapes::ShapeRef.new(shape: String, location_name: "message"))
354
457
  RequestAlreadyProcessedException.struct_class = Types::RequestAlreadyProcessedException
355
458
 
@@ -10,16 +10,12 @@
10
10
  module Aws::ACMPCA
11
11
  module Types
12
12
 
13
- # Contains information about the certificate subject. The certificate
14
- # can be one issued by your private certificate authority (CA) or it can
15
- # be your private CA certificate. The **Subject** field in the
16
- # certificate identifies the entity that owns or controls the public key
17
- # in the certificate. The entity can be a user, computer, device, or
18
- # service. The **Subject** must contain an X.500 distinguished name
19
- # (DN). A DN is a sequence of relative distinguished names (RDNs). The
20
- # RDNs are separated by commas in the certificate. The DN must be unique
21
- # for each entity, but your private CA can issue more than one
22
- # certificate with the same DN to the same entity.
13
+ # Contains information about the certificate subject. The `Subject`
14
+ # field in the certificate identifies the entity that owns or controls
15
+ # the public key in the certificate. The entity can be a user, computer,
16
+ # device, or service. The `Subject `must contain an X.500 distinguished
17
+ # name (DN). A DN is a sequence of relative distinguished names (RDNs).
18
+ # The RDNs are separated by commas in the certificate.
23
19
  #
24
20
  # @note When making an API call, you may pass ASN1Subject
25
21
  # data as a hash:
@@ -65,7 +61,11 @@ module Aws::ACMPCA
65
61
  # @return [String]
66
62
  #
67
63
  # @!attribute [rw] common_name
68
- # Fully qualified domain name (FQDN) associated with the certificate
64
+ # For CA and end-entity certificates in a private PKI, the common name
65
+ # (CN) can be any string within the length limit.
66
+ #
67
+ # Note: In publicly trusted certificates, the common name must be a
68
+ # fully qualified domain name (FQDN) associated with the certificate
69
69
  # subject.
70
70
  # @return [String]
71
71
  #
@@ -96,7 +96,7 @@ module Aws::ACMPCA
96
96
  # @!attribute [rw] initials
97
97
  # Concatenation that typically contains the first letter of the
98
98
  # **GivenName**, the first letter of the middle name if one exists,
99
- # and the first letter of the **SurName**.
99
+ # and the first letter of the **Surname**.
100
100
  # @return [String]
101
101
  #
102
102
  # @!attribute [rw] pseudonym
@@ -131,6 +131,224 @@ module Aws::ACMPCA
131
131
  include Aws::Structure
132
132
  end
133
133
 
134
+ # Provides access information used by the `authorityInfoAccess` and
135
+ # `subjectInfoAccess` extensions described in [RFC 5280][1].
136
+ #
137
+ #
138
+ #
139
+ # [1]: https://tools.ietf.org/html/rfc5280
140
+ #
141
+ # @note When making an API call, you may pass AccessDescription
142
+ # data as a hash:
143
+ #
144
+ # {
145
+ # access_method: { # required
146
+ # custom_object_identifier: "CustomObjectIdentifier",
147
+ # access_method_type: "CA_REPOSITORY", # accepts CA_REPOSITORY, RESOURCE_PKI_MANIFEST, RESOURCE_PKI_NOTIFY
148
+ # },
149
+ # access_location: { # required
150
+ # other_name: {
151
+ # type_id: "CustomObjectIdentifier", # required
152
+ # value: "String256", # required
153
+ # },
154
+ # rfc_822_name: "String256",
155
+ # dns_name: "String253",
156
+ # directory_name: {
157
+ # country: "CountryCodeString",
158
+ # organization: "String64",
159
+ # organizational_unit: "String64",
160
+ # distinguished_name_qualifier: "ASN1PrintableString64",
161
+ # state: "String128",
162
+ # common_name: "String64",
163
+ # serial_number: "ASN1PrintableString64",
164
+ # locality: "String128",
165
+ # title: "String64",
166
+ # surname: "String40",
167
+ # given_name: "String16",
168
+ # initials: "String5",
169
+ # pseudonym: "String128",
170
+ # generation_qualifier: "String3",
171
+ # },
172
+ # edi_party_name: {
173
+ # party_name: "String256", # required
174
+ # name_assigner: "String256",
175
+ # },
176
+ # uniform_resource_identifier: "String253",
177
+ # ip_address: "String39",
178
+ # registered_id: "CustomObjectIdentifier",
179
+ # },
180
+ # }
181
+ #
182
+ # @!attribute [rw] access_method
183
+ # The type and format of `AccessDescription` information.
184
+ # @return [Types::AccessMethod]
185
+ #
186
+ # @!attribute [rw] access_location
187
+ # The location of `AccessDescription` information.
188
+ # @return [Types::GeneralName]
189
+ #
190
+ # @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/AccessDescription AWS API Documentation
191
+ #
192
+ class AccessDescription < Struct.new(
193
+ :access_method,
194
+ :access_location)
195
+ SENSITIVE = []
196
+ include Aws::Structure
197
+ end
198
+
199
+ # Describes the type and format of extension access. Only one of
200
+ # `CustomObjectIdentifier` or `AccessMethodType` may be provided.
201
+ # Providing both results in `InvalidArgsException`.
202
+ #
203
+ # @note When making an API call, you may pass AccessMethod
204
+ # data as a hash:
205
+ #
206
+ # {
207
+ # custom_object_identifier: "CustomObjectIdentifier",
208
+ # access_method_type: "CA_REPOSITORY", # accepts CA_REPOSITORY, RESOURCE_PKI_MANIFEST, RESOURCE_PKI_NOTIFY
209
+ # }
210
+ #
211
+ # @!attribute [rw] custom_object_identifier
212
+ # An object identifier (OID) specifying the `AccessMethod`. The OID
213
+ # must satisfy the regular expression shown below. For more
214
+ # information, see NIST's definition of [Object Identifier (OID)][1].
215
+ #
216
+ #
217
+ #
218
+ # [1]: https://csrc.nist.gov/glossary/term/Object_Identifier
219
+ # @return [String]
220
+ #
221
+ # @!attribute [rw] access_method_type
222
+ # Specifies the `AccessMethod`.
223
+ # @return [String]
224
+ #
225
+ # @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/AccessMethod AWS API Documentation
226
+ #
227
+ class AccessMethod < Struct.new(
228
+ :custom_object_identifier,
229
+ :access_method_type)
230
+ SENSITIVE = []
231
+ include Aws::Structure
232
+ end
233
+
234
+ # Contains X.509 certificate information to be placed in an issued
235
+ # certificate. An `APIPassthrough` or `APICSRPassthrough` template
236
+ # variant must be selected, or else this parameter is ignored.
237
+ #
238
+ # If conflicting or duplicate certificate information is supplied from
239
+ # other sources, ACM Private CA applies [order of operation
240
+ # rules](xxxxx) to determine what information is used.
241
+ #
242
+ # @note When making an API call, you may pass ApiPassthrough
243
+ # data as a hash:
244
+ #
245
+ # {
246
+ # extensions: {
247
+ # certificate_policies: [
248
+ # {
249
+ # cert_policy_id: "CustomObjectIdentifier", # required
250
+ # policy_qualifiers: [
251
+ # {
252
+ # policy_qualifier_id: "CPS", # required, accepts CPS
253
+ # qualifier: { # required
254
+ # cps_uri: "String256", # required
255
+ # },
256
+ # },
257
+ # ],
258
+ # },
259
+ # ],
260
+ # extended_key_usage: [
261
+ # {
262
+ # extended_key_usage_type: "SERVER_AUTH", # accepts SERVER_AUTH, CLIENT_AUTH, CODE_SIGNING, EMAIL_PROTECTION, TIME_STAMPING, OCSP_SIGNING, SMART_CARD_LOGIN, DOCUMENT_SIGNING, CERTIFICATE_TRANSPARENCY
263
+ # extended_key_usage_object_identifier: "CustomObjectIdentifier",
264
+ # },
265
+ # ],
266
+ # key_usage: {
267
+ # digital_signature: false,
268
+ # non_repudiation: false,
269
+ # key_encipherment: false,
270
+ # data_encipherment: false,
271
+ # key_agreement: false,
272
+ # key_cert_sign: false,
273
+ # crl_sign: false,
274
+ # encipher_only: false,
275
+ # decipher_only: false,
276
+ # },
277
+ # subject_alternative_names: [
278
+ # {
279
+ # other_name: {
280
+ # type_id: "CustomObjectIdentifier", # required
281
+ # value: "String256", # required
282
+ # },
283
+ # rfc_822_name: "String256",
284
+ # dns_name: "String253",
285
+ # directory_name: {
286
+ # country: "CountryCodeString",
287
+ # organization: "String64",
288
+ # organizational_unit: "String64",
289
+ # distinguished_name_qualifier: "ASN1PrintableString64",
290
+ # state: "String128",
291
+ # common_name: "String64",
292
+ # serial_number: "ASN1PrintableString64",
293
+ # locality: "String128",
294
+ # title: "String64",
295
+ # surname: "String40",
296
+ # given_name: "String16",
297
+ # initials: "String5",
298
+ # pseudonym: "String128",
299
+ # generation_qualifier: "String3",
300
+ # },
301
+ # edi_party_name: {
302
+ # party_name: "String256", # required
303
+ # name_assigner: "String256",
304
+ # },
305
+ # uniform_resource_identifier: "String253",
306
+ # ip_address: "String39",
307
+ # registered_id: "CustomObjectIdentifier",
308
+ # },
309
+ # ],
310
+ # },
311
+ # subject: {
312
+ # country: "CountryCodeString",
313
+ # organization: "String64",
314
+ # organizational_unit: "String64",
315
+ # distinguished_name_qualifier: "ASN1PrintableString64",
316
+ # state: "String128",
317
+ # common_name: "String64",
318
+ # serial_number: "ASN1PrintableString64",
319
+ # locality: "String128",
320
+ # title: "String64",
321
+ # surname: "String40",
322
+ # given_name: "String16",
323
+ # initials: "String5",
324
+ # pseudonym: "String128",
325
+ # generation_qualifier: "String3",
326
+ # },
327
+ # }
328
+ #
329
+ # @!attribute [rw] extensions
330
+ # Specifies X.509 extension information for a certificate.
331
+ # @return [Types::Extensions]
332
+ #
333
+ # @!attribute [rw] subject
334
+ # Contains information about the certificate subject. The `Subject`
335
+ # field in the certificate identifies the entity that owns or controls
336
+ # the public key in the certificate. The entity can be a user,
337
+ # computer, device, or service. The `Subject `must contain an X.500
338
+ # distinguished name (DN). A DN is a sequence of relative
339
+ # distinguished names (RDNs). The RDNs are separated by commas in the
340
+ # certificate.
341
+ # @return [Types::ASN1Subject]
342
+ #
343
+ # @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/ApiPassthrough AWS API Documentation
344
+ #
345
+ class ApiPassthrough < Struct.new(
346
+ :extensions,
347
+ :subject)
348
+ SENSITIVE = []
349
+ include Aws::Structure
350
+ end
351
+
134
352
  # Contains information about your private certificate authority (CA).
135
353
  # Your private CA can issue and revoke X.509 digital certificates.
136
354
  # Digital certificates verify that the entity named in the certificate
@@ -264,6 +482,58 @@ module Aws::ACMPCA
264
482
  # pseudonym: "String128",
265
483
  # generation_qualifier: "String3",
266
484
  # },
485
+ # csr_extensions: {
486
+ # key_usage: {
487
+ # digital_signature: false,
488
+ # non_repudiation: false,
489
+ # key_encipherment: false,
490
+ # data_encipherment: false,
491
+ # key_agreement: false,
492
+ # key_cert_sign: false,
493
+ # crl_sign: false,
494
+ # encipher_only: false,
495
+ # decipher_only: false,
496
+ # },
497
+ # subject_information_access: [
498
+ # {
499
+ # access_method: { # required
500
+ # custom_object_identifier: "CustomObjectIdentifier",
501
+ # access_method_type: "CA_REPOSITORY", # accepts CA_REPOSITORY, RESOURCE_PKI_MANIFEST, RESOURCE_PKI_NOTIFY
502
+ # },
503
+ # access_location: { # required
504
+ # other_name: {
505
+ # type_id: "CustomObjectIdentifier", # required
506
+ # value: "String256", # required
507
+ # },
508
+ # rfc_822_name: "String256",
509
+ # dns_name: "String253",
510
+ # directory_name: {
511
+ # country: "CountryCodeString",
512
+ # organization: "String64",
513
+ # organizational_unit: "String64",
514
+ # distinguished_name_qualifier: "ASN1PrintableString64",
515
+ # state: "String128",
516
+ # common_name: "String64",
517
+ # serial_number: "ASN1PrintableString64",
518
+ # locality: "String128",
519
+ # title: "String64",
520
+ # surname: "String40",
521
+ # given_name: "String16",
522
+ # initials: "String5",
523
+ # pseudonym: "String128",
524
+ # generation_qualifier: "String3",
525
+ # },
526
+ # edi_party_name: {
527
+ # party_name: "String256", # required
528
+ # name_assigner: "String256",
529
+ # },
530
+ # uniform_resource_identifier: "String253",
531
+ # ip_address: "String39",
532
+ # registered_id: "CustomObjectIdentifier",
533
+ # },
534
+ # },
535
+ # ],
536
+ # },
267
537
  # }
268
538
  #
269
539
  # @!attribute [rw] key_algorithm
@@ -286,12 +556,18 @@ module Aws::ACMPCA
286
556
  # your private CA.
287
557
  # @return [Types::ASN1Subject]
288
558
  #
559
+ # @!attribute [rw] csr_extensions
560
+ # Specifies information to be added to the extension section of the
561
+ # certificate signing request (CSR).
562
+ # @return [Types::CsrExtensions]
563
+ #
289
564
  # @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/CertificateAuthorityConfiguration AWS API Documentation
290
565
  #
291
566
  class CertificateAuthorityConfiguration < Struct.new(
292
567
  :key_algorithm,
293
568
  :signing_algorithm,
294
- :subject)
569
+ :subject,
570
+ :csr_extensions)
295
571
  SENSITIVE = []
296
572
  include Aws::Structure
297
573
  end
@@ -400,6 +676,58 @@ module Aws::ACMPCA
400
676
  # pseudonym: "String128",
401
677
  # generation_qualifier: "String3",
402
678
  # },
679
+ # csr_extensions: {
680
+ # key_usage: {
681
+ # digital_signature: false,
682
+ # non_repudiation: false,
683
+ # key_encipherment: false,
684
+ # data_encipherment: false,
685
+ # key_agreement: false,
686
+ # key_cert_sign: false,
687
+ # crl_sign: false,
688
+ # encipher_only: false,
689
+ # decipher_only: false,
690
+ # },
691
+ # subject_information_access: [
692
+ # {
693
+ # access_method: { # required
694
+ # custom_object_identifier: "CustomObjectIdentifier",
695
+ # access_method_type: "CA_REPOSITORY", # accepts CA_REPOSITORY, RESOURCE_PKI_MANIFEST, RESOURCE_PKI_NOTIFY
696
+ # },
697
+ # access_location: { # required
698
+ # other_name: {
699
+ # type_id: "CustomObjectIdentifier", # required
700
+ # value: "String256", # required
701
+ # },
702
+ # rfc_822_name: "String256",
703
+ # dns_name: "String253",
704
+ # directory_name: {
705
+ # country: "CountryCodeString",
706
+ # organization: "String64",
707
+ # organizational_unit: "String64",
708
+ # distinguished_name_qualifier: "ASN1PrintableString64",
709
+ # state: "String128",
710
+ # common_name: "String64",
711
+ # serial_number: "ASN1PrintableString64",
712
+ # locality: "String128",
713
+ # title: "String64",
714
+ # surname: "String40",
715
+ # given_name: "String16",
716
+ # initials: "String5",
717
+ # pseudonym: "String128",
718
+ # generation_qualifier: "String3",
719
+ # },
720
+ # edi_party_name: {
721
+ # party_name: "String256", # required
722
+ # name_assigner: "String256",
723
+ # },
724
+ # uniform_resource_identifier: "String253",
725
+ # ip_address: "String39",
726
+ # registered_id: "CustomObjectIdentifier",
727
+ # },
728
+ # },
729
+ # ],
730
+ # },
403
731
  # },
404
732
  # revocation_configuration: {
405
733
  # crl_configuration: {
@@ -442,13 +770,15 @@ module Aws::ACMPCA
442
770
  # @return [String]
443
771
  #
444
772
  # @!attribute [rw] idempotency_token
445
- # Alphanumeric string that can be used to distinguish between calls to
446
- # **CreateCertificateAuthority**. For a given token, ACM Private CA
447
- # creates exactly one CA. If you issue a subsequent call using the
448
- # same token, ACM Private CA returns the ARN of the existing CA and
449
- # takes no further action. If you change the idempotency token across
450
- # multiple calls, ACM Private CA creates a unique CA for each unique
451
- # token.
773
+ # Custom string that can be used to distinguish between calls to the
774
+ # **CreateCertificateAuthority** action. Idempotency tokens for
775
+ # **CreateCertificateAuthority** time out after five minutes.
776
+ # Therefore, if you call **CreateCertificateAuthority** multiple times
777
+ # with the same idempotency token within five minutes, ACM Private CA
778
+ # recognizes that you are requesting only certificate authority and
779
+ # will issue only one. If you change the idempotency token for each
780
+ # call, PCA recognizes that you are requesting multiple certificate
781
+ # authorities.
452
782
  # @return [String]
453
783
  #
454
784
  # @!attribute [rw] tags
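Review bot: The rewritten idempotency_token description drops a word on the new side: `recognizes that you are requesting only certificate authority` should read `recognizes that you are requesting only one certificate authority`. The opening line now also calls the token a "Custom string" while the IssueCertificateRequest description changed in this same release calls it an "Alphanumeric string"; the two attributes are the same shape, so one wording should be used for both. This text is generated from the service model, so the correction belongs in the upstream API documentation rather than a hand edit here.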
@@ -635,7 +965,7 @@ module Aws::ACMPCA
635
965
  # @return [Boolean]
636
966
  #
637
967
  # @!attribute [rw] expiration_in_days
638
- # Number of days until a certificate expires.
968
+ # Validity period of the CRL in days.
639
969
  # @return [Integer]
640
970
  #
641
971
  # @!attribute [rw] custom_cname
@@ -670,6 +1000,89 @@ module Aws::ACMPCA
670
1000
  include Aws::Structure
671
1001
  end
672
1002
 
1003
+ # Describes the certificate extensions to be added to the certificate
1004
+ # signing request (CSR).
1005
+ #
1006
+ # @note When making an API call, you may pass CsrExtensions
1007
+ # data as a hash:
1008
+ #
1009
+ # {
1010
+ # key_usage: {
1011
+ # digital_signature: false,
1012
+ # non_repudiation: false,
1013
+ # key_encipherment: false,
1014
+ # data_encipherment: false,
1015
+ # key_agreement: false,
1016
+ # key_cert_sign: false,
1017
+ # crl_sign: false,
1018
+ # encipher_only: false,
1019
+ # decipher_only: false,
1020
+ # },
1021
+ # subject_information_access: [
1022
+ # {
1023
+ # access_method: { # required
1024
+ # custom_object_identifier: "CustomObjectIdentifier",
1025
+ # access_method_type: "CA_REPOSITORY", # accepts CA_REPOSITORY, RESOURCE_PKI_MANIFEST, RESOURCE_PKI_NOTIFY
1026
+ # },
1027
+ # access_location: { # required
1028
+ # other_name: {
1029
+ # type_id: "CustomObjectIdentifier", # required
1030
+ # value: "String256", # required
1031
+ # },
1032
+ # rfc_822_name: "String256",
1033
+ # dns_name: "String253",
1034
+ # directory_name: {
1035
+ # country: "CountryCodeString",
1036
+ # organization: "String64",
1037
+ # organizational_unit: "String64",
1038
+ # distinguished_name_qualifier: "ASN1PrintableString64",
1039
+ # state: "String128",
1040
+ # common_name: "String64",
1041
+ # serial_number: "ASN1PrintableString64",
1042
+ # locality: "String128",
1043
+ # title: "String64",
1044
+ # surname: "String40",
1045
+ # given_name: "String16",
1046
+ # initials: "String5",
1047
+ # pseudonym: "String128",
1048
+ # generation_qualifier: "String3",
1049
+ # },
1050
+ # edi_party_name: {
1051
+ # party_name: "String256", # required
1052
+ # name_assigner: "String256",
1053
+ # },
1054
+ # uniform_resource_identifier: "String253",
1055
+ # ip_address: "String39",
1056
+ # registered_id: "CustomObjectIdentifier",
1057
+ # },
1058
+ # },
1059
+ # ],
1060
+ # }
1061
+ #
1062
+ # @!attribute [rw] key_usage
1063
+ # Indicates the purpose of the certificate and of the key contained in
1064
+ # the certificate.
1065
+ # @return [Types::KeyUsage]
1066
+ #
1067
+ # @!attribute [rw] subject_information_access
1068
+ # For CA certificates, provides a path to additional information
1069
+ # pertaining to the CA, such as revocation and policy. For more
1070
+ # information, see [Subject Information Access][1] in RFC 5280.
1071
+ #
1072
+ #
1073
+ #
1074
+ # [1]: https://tools.ietf.org/html/rfc5280#section-4.2.2.2
1075
+ # @return [Array<Types::AccessDescription>]
1076
+ #
1077
+ # @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/CsrExtensions AWS API Documentation
1078
+ #
1079
+ class CsrExtensions < Struct.new(
1080
+ :key_usage,
1081
+ :subject_information_access)
1082
+ SENSITIVE = []
1083
+ include Aws::Structure
1084
+ end
1085
+
673
1086
  # @note When making an API call, you may pass DeleteCertificateAuthorityRequest
674
1087
  # data as a hash:
675
1088
  #
@@ -882,6 +1295,289 @@ module Aws::ACMPCA
882
1295
  include Aws::Structure
883
1296
  end
884
1297
 
1298
+ # Describes an Electronic Data Interchange (EDI) entity as described in
1299
+ # as defined in [Subject Alternative Name][1] in RFC 5280.
1300
+ #
1301
+ #
1302
+ #
1303
+ # [1]: https://tools.ietf.org/html/rfc5280
1304
+ #
1305
+ # @note When making an API call, you may pass EdiPartyName
1306
+ # data as a hash:
1307
+ #
1308
+ # {
1309
+ # party_name: "String256", # required
1310
+ # name_assigner: "String256",
1311
+ # }
1312
+ #
1313
+ # @!attribute [rw] party_name
1314
+ # Specifies the party name.
1315
+ # @return [String]
1316
+ #
1317
+ # @!attribute [rw] name_assigner
1318
+ # Specifies the name assigner.
1319
+ # @return [String]
1320
+ #
1321
+ # @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/EdiPartyName AWS API Documentation
1322
+ #
1323
+ class EdiPartyName < Struct.new(
1324
+ :party_name,
1325
+ :name_assigner)
1326
+ SENSITIVE = []
1327
+ include Aws::Structure
1328
+ end
1329
+
1330
+ # Specifies additional purposes for which the certified public key may
1331
+ # be used other than basic purposes indicated in the `KeyUsage`
1332
+ # extension.
1333
+ #
1334
+ # @note When making an API call, you may pass ExtendedKeyUsage
1335
+ # data as a hash:
1336
+ #
1337
+ # {
1338
+ # extended_key_usage_type: "SERVER_AUTH", # accepts SERVER_AUTH, CLIENT_AUTH, CODE_SIGNING, EMAIL_PROTECTION, TIME_STAMPING, OCSP_SIGNING, SMART_CARD_LOGIN, DOCUMENT_SIGNING, CERTIFICATE_TRANSPARENCY
1339
+ # extended_key_usage_object_identifier: "CustomObjectIdentifier",
1340
+ # }
1341
+ #
1342
+ # @!attribute [rw] extended_key_usage_type
1343
+ # Specifies a standard `ExtendedKeyUsage` as defined as in [RFC
1344
+ # 5280][1].
1345
+ #
1346
+ #
1347
+ #
1348
+ # [1]: https://tools.ietf.org/html/rfc5280#section-4.2.1.12
1349
+ # @return [String]
1350
+ #
1351
+ # @!attribute [rw] extended_key_usage_object_identifier
1352
+ # Specifies a custom `ExtendedKeyUsage` with an object identifier
1353
+ # (OID).
1354
+ # @return [String]
1355
+ #
1356
+ # @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/ExtendedKeyUsage AWS API Documentation
1357
+ #
1358
+ class ExtendedKeyUsage < Struct.new(
1359
+ :extended_key_usage_type,
1360
+ :extended_key_usage_object_identifier)
1361
+ SENSITIVE = []
1362
+ include Aws::Structure
1363
+ end
1364
+
1365
+ # Contains X.509 extension information for a certificate.
1366
+ #
1367
+ # @note When making an API call, you may pass Extensions
1368
+ # data as a hash:
1369
+ #
1370
+ # {
1371
+ # certificate_policies: [
1372
+ # {
1373
+ # cert_policy_id: "CustomObjectIdentifier", # required
1374
+ # policy_qualifiers: [
1375
+ # {
1376
+ # policy_qualifier_id: "CPS", # required, accepts CPS
1377
+ # qualifier: { # required
1378
+ # cps_uri: "String256", # required
1379
+ # },
1380
+ # },
1381
+ # ],
1382
+ # },
1383
+ # ],
1384
+ # extended_key_usage: [
1385
+ # {
1386
+ # extended_key_usage_type: "SERVER_AUTH", # accepts SERVER_AUTH, CLIENT_AUTH, CODE_SIGNING, EMAIL_PROTECTION, TIME_STAMPING, OCSP_SIGNING, SMART_CARD_LOGIN, DOCUMENT_SIGNING, CERTIFICATE_TRANSPARENCY
1387
+ # extended_key_usage_object_identifier: "CustomObjectIdentifier",
1388
+ # },
1389
+ # ],
1390
+ # key_usage: {
1391
+ # digital_signature: false,
1392
+ # non_repudiation: false,
1393
+ # key_encipherment: false,
1394
+ # data_encipherment: false,
1395
+ # key_agreement: false,
1396
+ # key_cert_sign: false,
1397
+ # crl_sign: false,
1398
+ # encipher_only: false,
1399
+ # decipher_only: false,
1400
+ # },
1401
+ # subject_alternative_names: [
1402
+ # {
1403
+ # other_name: {
1404
+ # type_id: "CustomObjectIdentifier", # required
1405
+ # value: "String256", # required
1406
+ # },
1407
+ # rfc_822_name: "String256",
1408
+ # dns_name: "String253",
1409
+ # directory_name: {
1410
+ # country: "CountryCodeString",
1411
+ # organization: "String64",
1412
+ # organizational_unit: "String64",
1413
+ # distinguished_name_qualifier: "ASN1PrintableString64",
1414
+ # state: "String128",
1415
+ # common_name: "String64",
1416
+ # serial_number: "ASN1PrintableString64",
1417
+ # locality: "String128",
1418
+ # title: "String64",
1419
+ # surname: "String40",
1420
+ # given_name: "String16",
1421
+ # initials: "String5",
1422
+ # pseudonym: "String128",
1423
+ # generation_qualifier: "String3",
1424
+ # },
1425
+ # edi_party_name: {
1426
+ # party_name: "String256", # required
1427
+ # name_assigner: "String256",
1428
+ # },
1429
+ # uniform_resource_identifier: "String253",
1430
+ # ip_address: "String39",
1431
+ # registered_id: "CustomObjectIdentifier",
1432
+ # },
1433
+ # ],
1434
+ # }
1435
+ #
1436
+ # @!attribute [rw] certificate_policies
1437
+ # Contains a sequence of one or more policy information terms, each of
1438
+ # which consists of an object identifier (OID) and optional
1439
+ # qualifiers. For more information, see NIST's definition of [Object
1440
+ # Identifier (OID)][1].
1441
+ #
1442
+ # In an end-entity certificate, these terms indicate the policy under
1443
+ # which the certificate was issued and the purposes for which it may
1444
+ # be used. In a CA certificate, these terms limit the set of policies
1445
+ # for certification paths that include this certificate.
1446
+ #
1447
+ #
1448
+ #
1449
+ # [1]: https://csrc.nist.gov/glossary/term/Object_Identifier
1450
+ # @return [Array<Types::PolicyInformation>]
1451
+ #
1452
+ # @!attribute [rw] extended_key_usage
1453
+ # Specifies additional purposes for which the certified public key may
1454
+ # be used other than basic purposes indicated in the `KeyUsage`
1455
+ # extension.
1456
+ # @return [Array<Types::ExtendedKeyUsage>]
1457
+ #
1458
+ # @!attribute [rw] key_usage
1459
+ # Defines one or more purposes for which the key contained in the
1460
+ # certificate can be used. Default value for each option is false.
1461
+ # @return [Types::KeyUsage]
1462
+ #
1463
+ # @!attribute [rw] subject_alternative_names
1464
+ # The subject alternative name extension allows identities to be bound
1465
+ # to the subject of the certificate. These identities may be included
1466
+ # in addition to or in place of the identity in the subject field of
1467
+ # the certificate.
1468
+ # @return [Array<Types::GeneralName>]
1469
+ #
1470
+ # @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/Extensions AWS API Documentation
1471
+ #
1472
+ class Extensions < Struct.new(
1473
+ :certificate_policies,
1474
+ :extended_key_usage,
1475
+ :key_usage,
1476
+ :subject_alternative_names)
1477
+ SENSITIVE = []
1478
+ include Aws::Structure
1479
+ end
1480
+
1481
+ # Describes an ASN.1 X.400 `GeneralName` as defined in [RFC 5280][1].
1482
+ # Only one of the following naming options should be provided. Providing
1483
+ # more than one option results in an `InvalidArgsException` error.
1484
+ #
1485
+ #
1486
+ #
1487
+ # [1]: https://tools.ietf.org/html/rfc5280
1488
+ #
1489
+ # @note When making an API call, you may pass GeneralName
1490
+ # data as a hash:
1491
+ #
1492
+ # {
1493
+ # other_name: {
1494
+ # type_id: "CustomObjectIdentifier", # required
1495
+ # value: "String256", # required
1496
+ # },
1497
+ # rfc_822_name: "String256",
1498
+ # dns_name: "String253",
1499
+ # directory_name: {
1500
+ # country: "CountryCodeString",
1501
+ # organization: "String64",
1502
+ # organizational_unit: "String64",
1503
+ # distinguished_name_qualifier: "ASN1PrintableString64",
1504
+ # state: "String128",
1505
+ # common_name: "String64",
1506
+ # serial_number: "ASN1PrintableString64",
1507
+ # locality: "String128",
1508
+ # title: "String64",
1509
+ # surname: "String40",
1510
+ # given_name: "String16",
1511
+ # initials: "String5",
1512
+ # pseudonym: "String128",
1513
+ # generation_qualifier: "String3",
1514
+ # },
1515
+ # edi_party_name: {
1516
+ # party_name: "String256", # required
1517
+ # name_assigner: "String256",
1518
+ # },
1519
+ # uniform_resource_identifier: "String253",
1520
+ # ip_address: "String39",
1521
+ # registered_id: "CustomObjectIdentifier",
1522
+ # }
1523
+ #
1524
+ # @!attribute [rw] other_name
1525
+ # Represents `GeneralName` using an `OtherName` object.
1526
+ # @return [Types::OtherName]
1527
+ #
1528
+ # @!attribute [rw] rfc_822_name
1529
+ # Represents `GeneralName` as an [RFC 822][1] email address.
1530
+ #
1531
+ #
1532
+ #
1533
+ # [1]: https://tools.ietf.org/html/rfc822
1534
+ # @return [String]
1535
+ #
1536
+ # @!attribute [rw] dns_name
1537
+ # Represents `GeneralName` as a DNS name.
1538
+ # @return [String]
1539
+ #
1540
+ # @!attribute [rw] directory_name
1541
+ # Contains information about the certificate subject. The `Subject`
1542
+ # field in the certificate identifies the entity that owns or controls
1543
+ # the public key in the certificate. The entity can be a user,
1544
+ # computer, device, or service. The `Subject `must contain an X.500
1545
+ # distinguished name (DN). A DN is a sequence of relative
1546
+ # distinguished names (RDNs). The RDNs are separated by commas in the
1547
+ # certificate.
1548
+ # @return [Types::ASN1Subject]
1549
+ #
1550
+ # @!attribute [rw] edi_party_name
1551
+ # Represents `GeneralName` as an `EdiPartyName` object.
1552
+ # @return [Types::EdiPartyName]
1553
+ #
1554
+ # @!attribute [rw] uniform_resource_identifier
1555
+ # Represents `GeneralName` as a URI.
1556
+ # @return [String]
1557
+ #
1558
+ # @!attribute [rw] ip_address
1559
+ # Represents `GeneralName` as an IPv4 or IPv6 address.
1560
+ # @return [String]
1561
+ #
1562
+ # @!attribute [rw] registered_id
1563
+ # Represents `GeneralName` as an object identifier (OID).
1564
+ # @return [String]
1565
+ #
1566
+ # @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/GeneralName AWS API Documentation
1567
+ #
1568
+ class GeneralName < Struct.new(
1569
+ :other_name,
1570
+ :rfc_822_name,
1571
+ :dns_name,
1572
+ :directory_name,
1573
+ :edi_party_name,
1574
+ :uniform_resource_identifier,
1575
+ :ip_address,
1576
+ :registered_id)
1577
+ SENSITIVE = []
1578
+ include Aws::Structure
1579
+ end
1580
+
885
1581
  # @note When making an API call, you may pass GetCertificateAuthorityCertificateRequest
886
1582
  # data as a hash:
887
1583
  #
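Review bot: The new GeneralName class comment describes the type as an `ASN.1 X.400` GeneralName, but the structure it documents (otherName, rfc822Name, dNSName, directoryName, ediPartyName, URI, iPAddress, registeredID) is the X.509 `GeneralName` of RFC 5280 that the footnote itself links to, so `X.400` should read `X.509` on that line. The EdiPartyName class comment in the same hunk has a duplicated phrase, `as described in as defined in`, which should be just `as defined in`. Pointing the GeneralName footnote at the RFC section that defines the type rather than the bare RFC would also match how the ExtendedKeyUsage footnote cites `#section-4.2.1.12`. As with the rest of this file the text is model-generated, so the fix belongs upstream.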
@@ -911,10 +1607,9 @@ module Aws::ACMPCA
911
1607
  #
912
1608
  # @!attribute [rw] certificate_chain
913
1609
  # Base64-encoded certificate chain that includes any intermediate
914
- # certificates and chains up to root on-premises certificate that you
915
- # used to sign your private CA certificate. The chain does not include
916
- # your private CA certificate. If this is a root CA, the value will be
917
- # null.
1610
+ # certificates and chains up to root certificate that you used to sign
1611
+ # your private CA certificate. The chain does not include your private
1612
+ # CA certificate. If this is a root CA, the value will be null.
918
1613
  # @return [String]
919
1614
  #
920
1615
  # @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/GetCertificateAuthorityCertificateResponse AWS API Documentation
@@ -1009,9 +1704,8 @@ module Aws::ACMPCA
1009
1704
  # @return [String]
1010
1705
  #
1011
1706
  # @!attribute [rw] certificate_chain
1012
- # The base64 PEM-encoded certificate chain that chains up to the
1013
- # on-premises root CA certificate that you used to sign your private
1014
- # CA certificate.
1707
+ # The base64 PEM-encoded certificate chain that chains up to the root
1708
+ # CA certificate that you used to sign your private CA certificate.
1015
1709
  # @return [String]
1016
1710
  #
1017
1711
  # @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/GetCertificateResponse AWS API Documentation
@@ -1156,7 +1850,7 @@ module Aws::ACMPCA
1156
1850
  #
1157
1851
  #
1158
1852
  #
1159
- # [1]: https://docs.aws.amazon.com/https:/docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#access_policies-json
1853
+ # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#access_policies-json
1160
1854
  #
1161
1855
  # @!attribute [rw] message
1162
1856
  # @return [String]
@@ -1213,6 +1907,89 @@ module Aws::ACMPCA
1213
1907
  # data as a hash:
1214
1908
  #
1215
1909
  # {
1910
+ # api_passthrough: {
1911
+ # extensions: {
1912
+ # certificate_policies: [
1913
+ # {
1914
+ # cert_policy_id: "CustomObjectIdentifier", # required
1915
+ # policy_qualifiers: [
1916
+ # {
1917
+ # policy_qualifier_id: "CPS", # required, accepts CPS
1918
+ # qualifier: { # required
1919
+ # cps_uri: "String256", # required
1920
+ # },
1921
+ # },
1922
+ # ],
1923
+ # },
1924
+ # ],
1925
+ # extended_key_usage: [
1926
+ # {
1927
+ # extended_key_usage_type: "SERVER_AUTH", # accepts SERVER_AUTH, CLIENT_AUTH, CODE_SIGNING, EMAIL_PROTECTION, TIME_STAMPING, OCSP_SIGNING, SMART_CARD_LOGIN, DOCUMENT_SIGNING, CERTIFICATE_TRANSPARENCY
1928
+ # extended_key_usage_object_identifier: "CustomObjectIdentifier",
1929
+ # },
1930
+ # ],
1931
+ # key_usage: {
1932
+ # digital_signature: false,
1933
+ # non_repudiation: false,
1934
+ # key_encipherment: false,
1935
+ # data_encipherment: false,
1936
+ # key_agreement: false,
1937
+ # key_cert_sign: false,
1938
+ # crl_sign: false,
1939
+ # encipher_only: false,
1940
+ # decipher_only: false,
1941
+ # },
1942
+ # subject_alternative_names: [
1943
+ # {
1944
+ # other_name: {
1945
+ # type_id: "CustomObjectIdentifier", # required
1946
+ # value: "String256", # required
1947
+ # },
1948
+ # rfc_822_name: "String256",
1949
+ # dns_name: "String253",
1950
+ # directory_name: {
1951
+ # country: "CountryCodeString",
1952
+ # organization: "String64",
1953
+ # organizational_unit: "String64",
1954
+ # distinguished_name_qualifier: "ASN1PrintableString64",
1955
+ # state: "String128",
1956
+ # common_name: "String64",
1957
+ # serial_number: "ASN1PrintableString64",
1958
+ # locality: "String128",
1959
+ # title: "String64",
1960
+ # surname: "String40",
1961
+ # given_name: "String16",
1962
+ # initials: "String5",
1963
+ # pseudonym: "String128",
1964
+ # generation_qualifier: "String3",
1965
+ # },
1966
+ # edi_party_name: {
1967
+ # party_name: "String256", # required
1968
+ # name_assigner: "String256",
1969
+ # },
1970
+ # uniform_resource_identifier: "String253",
1971
+ # ip_address: "String39",
1972
+ # registered_id: "CustomObjectIdentifier",
1973
+ # },
1974
+ # ],
1975
+ # },
1976
+ # subject: {
1977
+ # country: "CountryCodeString",
1978
+ # organization: "String64",
1979
+ # organizational_unit: "String64",
1980
+ # distinguished_name_qualifier: "ASN1PrintableString64",
1981
+ # state: "String128",
1982
+ # common_name: "String64",
1983
+ # serial_number: "ASN1PrintableString64",
1984
+ # locality: "String128",
1985
+ # title: "String64",
1986
+ # surname: "String40",
1987
+ # given_name: "String16",
1988
+ # initials: "String5",
1989
+ # pseudonym: "String128",
1990
+ # generation_qualifier: "String3",
1991
+ # },
1992
+ # },
1216
1993
  # certificate_authority_arn: "Arn", # required
1217
1994
  # csr: "data", # required
1218
1995
  # signing_algorithm: "SHA256WITHECDSA", # required, accepts SHA256WITHECDSA, SHA384WITHECDSA, SHA512WITHECDSA, SHA256WITHRSA, SHA384WITHRSA, SHA512WITHRSA
@@ -1221,9 +1998,29 @@ module Aws::ACMPCA
1221
1998
  # value: 1, # required
1222
1999
  # type: "END_DATE", # required, accepts END_DATE, ABSOLUTE, DAYS, MONTHS, YEARS
1223
2000
  # },
2001
+ # validity_not_before: {
2002
+ # value: 1, # required
2003
+ # type: "END_DATE", # required, accepts END_DATE, ABSOLUTE, DAYS, MONTHS, YEARS
2004
+ # },
1224
2005
  # idempotency_token: "IdempotencyToken",
1225
2006
  # }
1226
2007
  #
2008
+ # @!attribute [rw] api_passthrough
2009
+ # Specifies X.509 certificate information to be included in the issued
2010
+ # certificate. An `APIPassthrough` or `APICSRPassthrough` template
2011
+ # variant must be selected, or else this parameter is ignored. For
2012
+ # more information about using these templates, see [Understanding
2013
+ # Certificate Templates][1].
2014
+ #
2015
+ # If conflicting or duplicate certificate information is supplied
2016
+ # during certificate issuance, ACM Private CA applies [order of
2017
+ # operation rules](xxxxx) to determine what information is used.
2018
+ #
2019
+ #
2020
+ #
2021
+ # [1]: https://docs.aws.amazon.com/acm-pca/latest/userguide/UsingTemplates.html
2022
+ # @return [Types::ApiPassthrough]
2023
+ #
1227
2024
  # @!attribute [rw] certificate_authority_arn
1228
2025
  # The Amazon Resource Name (ARN) that was returned when you called
1229
2026
  # [CreateCertificateAuthority][1]. This must be of the form:
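Review bot: The api_passthrough description ships with an unfilled link target, `[order of operation rules](xxxxx)`, so the one sentence that tells a caller how conflicting extension and subject data is resolved points nowhere. It should either become a numbered footnote like the others, `# operation rules][2] to determine what information is used.` with `# [2]: <URL of the order-of-operation rules page>` added under the existing `[1]`, or be dropped until that page exists. Because this block lets the API caller supply key usage, extended key usage, certificate policies and subject alternative names directly whenever a passthrough template is selected, the resolution order is exactly what an operator reviewing what their CA will sign needs to find, so this matters more than a typical doc nit. The text is model-generated, so the correction belongs upstream.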
@@ -1238,15 +2035,15 @@ module Aws::ACMPCA
1238
2035
  #
1239
2036
  # @!attribute [rw] csr
1240
2037
  # The certificate signing request (CSR) for the certificate you want
1241
- # to issue. You can use the following OpenSSL command to create the
1242
- # CSR and a 2048 bit RSA private key.
2038
+ # to issue. As an example, you can use the following OpenSSL command
2039
+ # to create the CSR and a 2048 bit RSA private key.
1243
2040
  #
1244
2041
  # `openssl req -new -newkey rsa:2048 -days 365 -keyout
1245
2042
  # private/test_cert_priv_key.pem -out csr/test_cert_.csr`
1246
2043
  #
1247
- # If you have a configuration file, you can use the following OpenSSL
1248
- # command. The `usr_cert` block in the configuration file contains
1249
- # your X509 version 3 extensions.
2044
+ # If you have a configuration file, you can then use the following
2045
+ # OpenSSL command. The `usr_cert` block in the configuration file
2046
+ # contains your X509 version 3 extensions.
1250
2047
  #
1251
2048
  # `openssl req -new -config openssl_rsa.cnf -extensions usr_cert
1252
2049
  # -newkey rsa:2048 -days -365 -keyout private/test_cert_priv_key.pem
@@ -1261,7 +2058,8 @@ module Aws::ACMPCA
1261
2058
  # to be issued.
1262
2059
  #
1263
2060
  # This parameter should not be confused with the `SigningAlgorithm`
1264
- # parameter used to sign a CSR.
2061
+ # parameter used to sign a CSR in the `CreateCertificateAuthority`
2062
+ # action.
1265
2063
  # @return [String]
1266
2064
  #
1267
2065
  # @!attribute [rw] template_arn
@@ -1275,77 +2073,85 @@ module Aws::ACMPCA
1275
2073
  # Note: The CA depth configured on a subordinate CA certificate must
1276
2074
  # not exceed the limit set by its parents in the CA hierarchy.
1277
2075
  #
1278
- # The following service-owned `TemplateArn` values are supported by
1279
- # ACM Private CA:
1280
- #
1281
- # * arn:aws:acm-pca:::template/CodeSigningCertificate/V1
1282
- #
1283
- # * arn:aws:acm-pca:::template/CodeSigningCertificate\_CSRPassthrough/V1
1284
- #
1285
- # * arn:aws:acm-pca:::template/EndEntityCertificate/V1
2076
+ # For a list of `TemplateArn` values supported by ACM Private CA, see
2077
+ # [Understanding Certificate Templates][2].
1286
2078
  #
1287
- # * arn:aws:acm-pca:::template/EndEntityCertificate\_CSRPassthrough/V1
1288
2079
  #
1289
- # * arn:aws:acm-pca:::template/EndEntityClientAuthCertificate/V1
1290
2080
  #
1291
- # * arn:aws:acm-pca:::template/EndEntityClientAuthCertificate\_CSRPassthrough/V1
1292
- #
1293
- # * arn:aws:acm-pca:::template/EndEntityServerAuthCertificate/V1
1294
- #
1295
- # * arn:aws:acm-pca:::template/EndEntityServerAuthCertificate\_CSRPassthrough/V1
2081
+ # [1]: https://docs.aws.amazon.com/acm-pca/latest/userguide/PcaTerms.html#terms-cadepth
2082
+ # [2]: https://docs.aws.amazon.com/acm-pca/latest/userguide/UsingTemplates.html
2083
+ # @return [String]
1296
2084
  #
1297
- # * arn:aws:acm-pca:::template/OCSPSigningCertificate/V1
2085
+ # @!attribute [rw] validity
2086
+ # Information describing the end of the validity period of the
2087
+ # certificate. This parameter sets the “Not After” date for the
2088
+ # certificate.
1298
2089
  #
1299
- # * arn:aws:acm-pca:::template/OCSPSigningCertificate\_CSRPassthrough/V1
2090
+ # Certificate validity is the period of time during which a
2091
+ # certificate is valid. Validity can be expressed as an explicit date
2092
+ # and time when the certificate expires, or as a span of time after
2093
+ # issuance, stated in days, months, or years. For more information,
2094
+ # see [Validity][1] in RFC 5280.
1300
2095
  #
1301
- # * arn:aws:acm-pca:::template/RootCACertificate/V1
2096
+ # This value is unaffected when `ValidityNotBefore` is also specified.
2097
+ # For example, if `Validity` is set to 20 days in the future, the
2098
+ # certificate will expire 20 days from issuance time regardless of the
2099
+ # `ValidityNotBefore` value.
1302
2100
  #
1303
- # * arn:aws:acm-pca:::template/SubordinateCACertificate\_PathLen0/V1
2101
+ # The end of the validity period configured on a certificate must not
2102
+ # exceed the limit set on its parents in the CA hierarchy.
1304
2103
  #
1305
- # * arn:aws:acm-pca:::template/SubordinateCACertificate\_PathLen1/V1
1306
2104
  #
1307
- # * arn:aws:acm-pca:::template/SubordinateCACertificate\_PathLen2/V1
1308
2105
  #
1309
- # * arn:aws:acm-pca:::template/SubordinateCACertificate\_PathLen3/V1
2106
+ # [1]: https://tools.ietf.org/html/rfc5280#section-4.1.2.5
2107
+ # @return [Types::Validity]
1310
2108
  #
1311
- # For more information, see [Using Templates][2].
2109
+ # @!attribute [rw] validity_not_before
2110
+ # Information describing the start of the validity period of the
2111
+ # certificate. This parameter sets the “Not Before" date for the
2112
+ # certificate.
1312
2113
  #
2114
+ # By default, when issuing a certificate, ACM Private CA sets the
2115
+ # "Not Before" date to the issuance time minus 60 minutes. This
2116
+ # compensates for clock inconsistencies across computer systems. The
2117
+ # `ValidityNotBefore` parameter can be used to customize the “Not
2118
+ # Before” value.
1313
2119
  #
2120
+ # Unlike the `Validity` parameter, the `ValidityNotBefore` parameter
2121
+ # is optional.
1314
2122
  #
1315
- # [1]: https://docs.aws.amazon.com/acm-pca/latest/userguide/PcaTerms.html#terms-cadepth
1316
- # [2]: https://docs.aws.amazon.com/acm-pca/latest/userguide/UsingTemplates.html
1317
- # @return [String]
2123
+ # The `ValidityNotBefore` value is expressed as an explicit date and
2124
+ # time, using the `Validity` type value `ABSOLUTE`. For more
2125
+ # information, see [Validity][1] in this API reference and
2126
+ # [Validity][2] in RFC 5280.
1318
2127
  #
1319
- # @!attribute [rw] validity
1320
- # Information describing the validity period of the certificate.
1321
2128
  #
1322
- # When issuing a certificate, ACM Private CA sets the "Not Before"
1323
- # date in the validity field to date and time minus 60 minutes. This
1324
- # is intended to compensate for time inconsistencies across systems of
1325
- # 60 minutes or less.
1326
2129
  #
1327
- # The validity period configured on a certificate must not exceed the
1328
- # limit set by its parents in the CA hierarchy.
2130
+ # [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_Validity.html
2131
+ # [2]: https://tools.ietf.org/html/rfc5280#section-4.1.2.5
1329
2132
  # @return [Types::Validity]
1330
2133
  #
1331
2134
  # @!attribute [rw] idempotency_token
1332
- # Custom string that can be used to distinguish between calls to the
1333
- # **IssueCertificate** action. Idempotency tokens time out after one
1334
- # hour. Therefore, if you call **IssueCertificate** multiple times
1335
- # with the same idempotency token within 5 minutes, ACM Private CA
1336
- # recognizes that you are requesting only one certificate and will
1337
- # issue only one. If you change the idempotency token for each call,
1338
- # PCA recognizes that you are requesting multiple certificates.
2135
+ # Alphanumeric string that can be used to distinguish between calls to
2136
+ # the **IssueCertificate** action. Idempotency tokens for
2137
+ # **IssueCertificate** time out after one minute. Therefore, if you
2138
+ # call **IssueCertificate** multiple times with the same idempotency
2139
+ # token within one minute, ACM Private CA recognizes that you are
2140
+ # requesting only one certificate and will issue only one. If you
2141
+ # change the idempotency token for each call, PCA recognizes that you
2142
+ # are requesting multiple certificates.
1339
2143
  # @return [String]
1340
2144
  #
1341
2145
  # @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/IssueCertificateRequest AWS API Documentation
1342
2146
  #
1343
2147
  class IssueCertificateRequest < Struct.new(
2148
+ :api_passthrough,
1344
2149
  :certificate_authority_arn,
1345
2150
  :csr,
1346
2151
  :signing_algorithm,
1347
2152
  :template_arn,
1348
2153
  :validity,
2154
+ :validity_not_before,
1349
2155
  :idempotency_token)
1350
2156
  SENSITIVE = []
1351
2157
  include Aws::Structure
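Review bot: The validity_not_before description says the value is expressed with the `Validity` type value `ABSOLUTE`, but the generated request example in the preceding hunk lists `END_DATE, ABSOLUTE, DAYS, MONTHS, YEARS` as accepted for that field and nothing says what happens when a relative type is passed; one sentence stating whether other types are rejected (presumably with the API's usual validation error) would remove the ambiguity. The same paragraph mixes a curly opening quote with a straight closing one in `“Not Before"`, which should be `"Not Before"` to match the following line. Since this attribute lets a caller set the certificate's start date independently of issuance time, it would also help to say whether the service bounds how far in the past `ValidityNotBefore` may be set, as the current text only describes the 60-minute default. The IssueCertificateRequest struct continues past the end of this hunk.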
@@ -1367,6 +2173,76 @@ module Aws::ACMPCA
1367
2173
  include Aws::Structure
1368
2174
  end
1369
2175
 
2176
+ # Defines one or more purposes for which the key contained in the
2177
+ # certificate can be used. Default value for each option is false.
2178
+ #
2179
+ # @note When making an API call, you may pass KeyUsage
2180
+ # data as a hash:
2181
+ #
2182
+ # {
2183
+ # digital_signature: false,
2184
+ # non_repudiation: false,
2185
+ # key_encipherment: false,
2186
+ # data_encipherment: false,
2187
+ # key_agreement: false,
2188
+ # key_cert_sign: false,
2189
+ # crl_sign: false,
2190
+ # encipher_only: false,
2191
+ # decipher_only: false,
2192
+ # }
2193
+ #
2194
+ # @!attribute [rw] digital_signature
2195
+ # Key can be used for digital signing.
2196
+ # @return [Boolean]
2197
+ #
2198
+ # @!attribute [rw] non_repudiation
2199
+ # Key can be used for non-repudiation.
2200
+ # @return [Boolean]
2201
+ #
2202
+ # @!attribute [rw] key_encipherment
2203
+ # Key can be used to encipher data.
2204
+ # @return [Boolean]
2205
+ #
2206
+ # @!attribute [rw] data_encipherment
2207
+ # Key can be used to decipher data.
2208
+ # @return [Boolean]
2209
+ #
2210
+ # @!attribute [rw] key_agreement
2211
+ # Key can be used in a key-agreement protocol.
2212
+ # @return [Boolean]
2213
+ #
2214
+ # @!attribute [rw] key_cert_sign
2215
+ # Key can be used to sign certificates.
2216
+ # @return [Boolean]
2217
+ #
2218
+ # @!attribute [rw] crl_sign
2219
+ # Key can be used to sign CRLs.
2220
+ # @return [Boolean]
2221
+ #
2222
+ # @!attribute [rw] encipher_only
2223
+ # Key can be used only to encipher data.
2224
+ # @return [Boolean]
2225
+ #
2226
+ # @!attribute [rw] decipher_only
2227
+ # Key can be used only to decipher data.
2228
+ # @return [Boolean]
2229
+ #
2230
+ # @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/KeyUsage AWS API Documentation
2231
+ #
2232
+ class KeyUsage < Struct.new(
2233
+ :digital_signature,
2234
+ :non_repudiation,
2235
+ :key_encipherment,
2236
+ :data_encipherment,
2237
+ :key_agreement,
2238
+ :key_cert_sign,
2239
+ :crl_sign,
2240
+ :encipher_only,
2241
+ :decipher_only)
2242
+ SENSITIVE = []
2243
+ include Aws::Structure
2244
+ end
2245
+
1370
2246
  # An ACM Private CA quota has been exceeded. See the exception message
1371
2247
  # returned to determine the quota that was exceeded.
1372
2248
  #
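Review bot: The attribute docs for `key_encipherment` and `data_encipherment` in the new KeyUsage class do not match the RFC 5280 section 4.2.1.3 bits they map to: keyEncipherment means the public key may encipher private or secret keys (key transport), and dataEncipherment means it may encipher user data directly, whereas the hunk documents the former as "encipher data" and the latter as "decipher data", which is not a key-usage bit at all. I would change them to `# Key can be used to encipher private or secret keys (key transport).` and `# Key can be used to encipher user data directly, rather than a key.`. For `encipher_only` and `decipher_only`, the comment should add that these bits are only meaningful when `key_agreement` is also true, since in RFC 5280 they qualify keyAgreement. This file looks generated from the API model, so the wording fix presumably belongs in the model's documentation strings rather than in this file alone.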
@@ -1610,6 +2486,40 @@ module Aws::ACMPCA
1610
2486
  include Aws::Structure
1611
2487
  end
1612
2488
 
2489
+ # Defines a custom ASN.1 X.400 `GeneralName` using an object identifier
2490
+ # (OID) and value. The OID must satisfy the regular expression shown
2491
+ # below. For more information, see NIST's definition of [Object
2492
+ # Identifier (OID)][1].
2493
+ #
2494
+ #
2495
+ #
2496
+ # [1]: https://csrc.nist.gov/glossary/term/Object_Identifier
2497
+ #
2498
+ # @note When making an API call, you may pass OtherName
2499
+ # data as a hash:
2500
+ #
2501
+ # {
2502
+ # type_id: "CustomObjectIdentifier", # required
2503
+ # value: "String256", # required
2504
+ # }
2505
+ #
2506
+ # @!attribute [rw] type_id
2507
+ # Specifies an OID.
2508
+ # @return [String]
2509
+ #
2510
+ # @!attribute [rw] value
2511
+ # Specifies an OID value.
2512
+ # @return [String]
2513
+ #
2514
+ # @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/OtherName AWS API Documentation
2515
+ #
2516
+ class OtherName < Struct.new(
2517
+ :type_id,
2518
+ :value)
2519
+ SENSITIVE = []
2520
+ include Aws::Structure
2521
+ end
2522
+
1613
2523
  # Permissions designate which private CA actions can be performed by an
1614
2524
  # AWS service or entity. In order for ACM to automatically renew private
1615
2525
  # certificates, you must give the ACM service principal all available
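Review bot: The class comment on the new OtherName struct says the OID "must satisfy the regular expression shown below", but no regular expression follows anywhere in the comment, so the constraint cannot be checked from this file. I would replace that clause with something the reader can act on, e.g. `# The OID must match the CustomObjectIdentifier pattern enforced by the ACM Private CA API (see the API Reference).`, since `CustomObjectIdentifier` is the shape the sample hash already names for `type_id`. The `value` attribute doc, "Specifies an OID value", reads as though `value` were itself an OID; `# The value paired with the OID in type_id, carried in the otherName GeneralName.` says what it actually is. Whether the service validates or interprets that value is not visible here, so any statement about it should be marked as an assumption.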
@@ -1677,6 +2587,79 @@ module Aws::ACMPCA
1677
2587
  include Aws::Structure
1678
2588
  end
1679
2589
 
2590
+ # Defines the X.509 `CertificatePolicies` extension.
2591
+ #
2592
+ # @note When making an API call, you may pass PolicyInformation
2593
+ # data as a hash:
2594
+ #
2595
+ # {
2596
+ # cert_policy_id: "CustomObjectIdentifier", # required
2597
+ # policy_qualifiers: [
2598
+ # {
2599
+ # policy_qualifier_id: "CPS", # required, accepts CPS
2600
+ # qualifier: { # required
2601
+ # cps_uri: "String256", # required
2602
+ # },
2603
+ # },
2604
+ # ],
2605
+ # }
2606
+ #
2607
+ # @!attribute [rw] cert_policy_id
2608
+ # Specifies the object identifier (OID) of the certificate policy
2609
+ # under which the certificate was issued. For more information, see
2610
+ # NIST's definition of [Object Identifier (OID)][1].
2611
+ #
2612
+ #
2613
+ #
2614
+ # [1]: https://csrc.nist.gov/glossary/term/Object_Identifier
2615
+ # @return [String]
2616
+ #
2617
+ # @!attribute [rw] policy_qualifiers
2618
+ # Modifies the given `CertPolicyId` with a qualifier. ACM Private CA
2619
+ # supports the certification practice statement (CPS) qualifier.
2620
+ # @return [Array<Types::PolicyQualifierInfo>]
2621
+ #
2622
+ # @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/PolicyInformation AWS API Documentation
2623
+ #
2624
+ class PolicyInformation < Struct.new(
2625
+ :cert_policy_id,
2626
+ :policy_qualifiers)
2627
+ SENSITIVE = []
2628
+ include Aws::Structure
2629
+ end
2630
+
2631
+ # Modifies the `CertPolicyId` of a `PolicyInformation` object with a
2632
+ # qualifier. ACM Private CA supports the certification practice
2633
+ # statement (CPS) qualifier.
2634
+ #
2635
+ # @note When making an API call, you may pass PolicyQualifierInfo
2636
+ # data as a hash:
2637
+ #
2638
+ # {
2639
+ # policy_qualifier_id: "CPS", # required, accepts CPS
2640
+ # qualifier: { # required
2641
+ # cps_uri: "String256", # required
2642
+ # },
2643
+ # }
2644
+ #
2645
+ # @!attribute [rw] policy_qualifier_id
2646
+ # Identifies the qualifier modifying a `CertPolicyId`.
2647
+ # @return [String]
2648
+ #
2649
+ # @!attribute [rw] qualifier
2650
+ # Defines the qualifier type. ACM Private CA supports the use of a URI
2651
+ # for a CPS qualifier in this field.
2652
+ # @return [Types::Qualifier]
2653
+ #
2654
+ # @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/PolicyQualifierInfo AWS API Documentation
2655
+ #
2656
+ class PolicyQualifierInfo < Struct.new(
2657
+ :policy_qualifier_id,
2658
+ :qualifier)
2659
+ SENSITIVE = []
2660
+ include Aws::Structure
2661
+ end
2662
+
1680
2663
  # @note When making an API call, you may pass PutPolicyRequest
1681
2664
  # data as a hash:
1682
2665
  #
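Review bot: The class comment on PolicyInformation describes it as "the X.509 CertificatePolicies extension", but the struct holds a single policy entry (one `cert_policy_id` plus its qualifiers), and the extension is a sequence of such entries. I would write `# Defines one PolicyInformation entry of the X.509 CertificatePolicies extension (RFC 5280 section 4.2.1.4): a policy OID plus optional qualifiers.`. The `policy_qualifiers` doc could also state explicitly that only the CPS qualifier is accepted, which the sample hash's `accepts CPS` already implies, so callers know a userNotice qualifier cannot be expressed through this type.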
@@ -1698,7 +2681,7 @@ module Aws::ACMPCA
1698
2681
  # @return [String]
1699
2682
  #
1700
2683
  # @!attribute [rw] policy
1701
- # The path and filename of a JSON-formatted IAM policy to attach to
2684
+ # The path and file name of a JSON-formatted IAM policy to attach to
1702
2685
  # the specified private CA resource. If this policy does not contain
1703
2686
  # all required statements or if it includes any statement that is not
1704
2687
  # allowed, the `PutPolicy` action returns an `InvalidPolicyException`.
@@ -1719,6 +2702,34 @@ module Aws::ACMPCA
1719
2702
  include Aws::Structure
1720
2703
  end
1721
2704
 
2705
+ # Defines a `PolicyInformation` qualifier. ACM Private CA supports the
2706
+ # [certification practice statement (CPS) qualifier][1] defined in RFC
2707
+ # 5280.
2708
+ #
2709
+ #
2710
+ #
2711
+ # [1]: https://tools.ietf.org/html/rfc5280#section-4.2.1.4
2712
+ #
2713
+ # @note When making an API call, you may pass Qualifier
2714
+ # data as a hash:
2715
+ #
2716
+ # {
2717
+ # cps_uri: "String256", # required
2718
+ # }
2719
+ #
2720
+ # @!attribute [rw] cps_uri
2721
+ # Contains a pointer to a certification practice statement (CPS)
2722
+ # published by the CA.
2723
+ # @return [String]
2724
+ #
2725
+ # @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/Qualifier AWS API Documentation
2726
+ #
2727
+ class Qualifier < Struct.new(
2728
+ :cps_uri)
2729
+ SENSITIVE = []
2730
+ include Aws::Structure
2731
+ end
2732
+
1722
2733
  # Your request has already been completed.
1723
2734
  #
1724
2735
  # @!attribute [rw] message
@@ -2059,17 +3070,20 @@ module Aws::ACMPCA
2059
3070
 
2060
3071
  # Validity specifies the period of time during which a certificate is
2061
3072
  # valid. Validity can be expressed as an explicit date and time when the
2062
- # certificate expires, or as a span of time after issuance, stated in
2063
- # days, months, or years. For more information, see [Validity][1] in RFC
2064
- # 5280.
3073
+ # validity of a certificate starts or expires, or as a span of time
3074
+ # after issuance, stated in days, months, or years. For more
3075
+ # information, see [Validity][1] in RFC 5280.
2065
3076
  #
2066
- # You can issue a certificate by calling the [IssueCertificate][2]
2067
- # action.
3077
+ # ACM Private CA API consumes the `Validity` data type differently in
3078
+ # two distinct parameters of the `IssueCertificate` action. The required
3079
+ # parameter `IssueCertificate`\:`Validity` specifies the end of a
3080
+ # certificate's validity period. The optional parameter
3081
+ # `IssueCertificate`\:`ValidityNotBefore` specifies a customized
3082
+ # starting time for the validity period.
2068
3083
  #
2069
3084
  #
2070
3085
  #
2071
3086
  # [1]: https://tools.ietf.org/html/rfc5280#section-4.1.2.5
2072
- # [2]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_IssueCertificate.html
2073
3087
  #
2074
3088
  # @note When making an API call, you may pass Validity
2075
3089
  # data as a hash:
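Review bot: The new paragraph documents `ValidityNotBefore` only as "a customized starting time" and says nothing about its relationship to issuance time or to `Validity`, so a reader cannot tell from this text that a value in the past backdates the certificate, or what happens when it does not precede the end set by `Validity`. I would add one sentence after that paragraph, e.g. `# A ValidityNotBefore earlier than the issuance time backdates the certificate; it is expected to precede the end of validity given by Validity.`, with the second clause confirmed against the service's validation rules, which are not visible here. The Validity class doc continues past the end of this hunk.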
@@ -2100,8 +3114,9 @@ module Aws::ACMPCA
2100
3114
  #
2101
3115
  # * Output expiration date/time: 12/31/2049 23:59:59
2102
3116
  #
2103
- # `ABSOLUTE`\: The specific date and time when the certificate will
2104
- # expire, expressed in seconds since the Unix Epoch.
3117
+ # `ABSOLUTE`\: The specific date and time when the validity of a
3118
+ # certificate will start or expire, expressed in seconds since the
3119
+ # Unix Epoch.
2105
3120
  #
2106
3121
  # * Sample input value: 2524608000
2107
3122
  #
@@ -2116,6 +3131,10 @@ module Aws::ACMPCA
2116
3131
  # * Sample input value: 90
2117
3132
  #
2118
3133
  # * Output expiration date: 01/10/2020 12:34:54 UTC
3134
+ #
3135
+ # The minimum validity duration for a certificate using relative time
3136
+ # (`DAYS`) is one day. The minimum validity for a certificate using
3137
+ # absolute time (`ABSOLUTE` or `END_DATE`) is one second.
2119
3138
  # @return [String]
2120
3139
  #
2121
3140
  # @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/Validity AWS API Documentation