aws-sdk-acmpca 1.31.0 → 1.32.0

data/lib/aws-sdk-acmpca/types.rb

@@ -10,16 +10,12 @@
 module Aws::ACMPCA
   module Types
 
-    # Contains information about the certificate subject. The certificate
-    # can be one issued by your private certificate authority (CA) or it can
-    # be your private CA certificate. The **Subject** field in the
-    # certificate identifies the entity that owns or controls the public key
-    # in the certificate. The entity can be a user, computer, device, or
-    # service. The **Subject** must contain an X.500 distinguished name
-    # (DN). A DN is a sequence of relative distinguished names (RDNs). The
-    # RDNs are separated by commas in the certificate. The DN must be unique
-    # for each entity, but your private CA can issue more than one
-    # certificate with the same DN to the same entity.
+    # Contains information about the certificate subject. The `Subject`
+    # field in the certificate identifies the entity that owns or controls
+    # the public key in the certificate. The entity can be a user, computer,
+    # device, or service. The `Subject `must contain an X.500 distinguished
+    # name (DN). A DN is a sequence of relative distinguished names (RDNs).
+    # The RDNs are separated by commas in the certificate.
     #
     # @note When making an API call, you may pass ASN1Subject
     #   data as a hash:
@@ -100,7 +96,7 @@ module Aws::ACMPCA
     # @!attribute [rw] initials
     #   Concatenation that typically contains the first letter of the
     #   **GivenName**, the first letter of the middle name if one exists,
-    #   and the first letter of the **SurName**.
+    #   and the first letter of the **Surname**.
     #   @return [String]
     #
     # @!attribute [rw] pseudonym
@@ -235,6 +231,124 @@ module Aws::ACMPCA
       include Aws::Structure
     end
 
+    # Contains X.509 certificate information to be placed in an issued
+    # certificate. An `APIPassthrough` or `APICSRPassthrough` template
+    # variant must be selected, or else this parameter is ignored.
+    #
+    # If conflicting or duplicate certificate information is supplied from
+    # other sources, ACM Private CA applies [order of operation
+    # rules](xxxxx) to determine what information is used.
+    #
+    # @note When making an API call, you may pass ApiPassthrough
+    #   data as a hash:
+    #
+    #       {
+    #         extensions: {
+    #           certificate_policies: [
+    #             {
+    #               cert_policy_id: "CustomObjectIdentifier", # required
+    #               policy_qualifiers: [
+    #                 {
+    #                   policy_qualifier_id: "CPS", # required, accepts CPS
+    #                   qualifier: { # required
+    #                     cps_uri: "String256", # required
+    #                   },
+    #                 },
+    #               ],
+    #             },
+    #           ],
+    #           extended_key_usage: [
+    #             {
+    #               extended_key_usage_type: "SERVER_AUTH", # accepts SERVER_AUTH, CLIENT_AUTH, CODE_SIGNING, EMAIL_PROTECTION, TIME_STAMPING, OCSP_SIGNING, SMART_CARD_LOGIN, DOCUMENT_SIGNING, CERTIFICATE_TRANSPARENCY
+    #               extended_key_usage_object_identifier: "CustomObjectIdentifier",
+    #             },
+    #           ],
+    #           key_usage: {
+    #             digital_signature: false,
+    #             non_repudiation: false,
+    #             key_encipherment: false,
+    #             data_encipherment: false,
+    #             key_agreement: false,
+    #             key_cert_sign: false,
+    #             crl_sign: false,
+    #             encipher_only: false,
+    #             decipher_only: false,
+    #           },
+    #           subject_alternative_names: [
+    #             {
+    #               other_name: {
+    #                 type_id: "CustomObjectIdentifier", # required
+    #                 value: "String256", # required
+    #               },
+    #               rfc_822_name: "String256",
+    #               dns_name: "String253",
+    #               directory_name: {
+    #                 country: "CountryCodeString",
+    #                 organization: "String64",
+    #                 organizational_unit: "String64",
+    #                 distinguished_name_qualifier: "ASN1PrintableString64",
+    #                 state: "String128",
+    #                 common_name: "String64",
+    #                 serial_number: "ASN1PrintableString64",
+    #                 locality: "String128",
+    #                 title: "String64",
+    #                 surname: "String40",
+    #                 given_name: "String16",
+    #                 initials: "String5",
+    #                 pseudonym: "String128",
+    #                 generation_qualifier: "String3",
+    #               },
+    #               edi_party_name: {
+    #                 party_name: "String256", # required
+    #                 name_assigner: "String256",
+    #               },
+    #               uniform_resource_identifier: "String253",
+    #               ip_address: "String39",
+    #               registered_id: "CustomObjectIdentifier",
+    #             },
+    #           ],
+    #         },
+    #         subject: {
+    #           country: "CountryCodeString",
+    #           organization: "String64",
+    #           organizational_unit: "String64",
+    #           distinguished_name_qualifier: "ASN1PrintableString64",
+    #           state: "String128",
+    #           common_name: "String64",
+    #           serial_number: "ASN1PrintableString64",
+    #           locality: "String128",
+    #           title: "String64",
+    #           surname: "String40",
+    #           given_name: "String16",
+    #           initials: "String5",
+    #           pseudonym: "String128",
+    #           generation_qualifier: "String3",
+    #         },
+    #       }
+    #
+    # @!attribute [rw] extensions
+    #   Specifies X.509 extension information for a certificate.
+    #   @return [Types::Extensions]
+    #
+    # @!attribute [rw] subject
+    #   Contains information about the certificate subject. The `Subject`
+    #   field in the certificate identifies the entity that owns or controls
+    #   the public key in the certificate. The entity can be a user,
+    #   computer, device, or service. The `Subject `must contain an X.500
+    #   distinguished name (DN). A DN is a sequence of relative
+    #   distinguished names (RDNs). The RDNs are separated by commas in the
+    #   certificate.
+    #   @return [Types::ASN1Subject]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/ApiPassthrough AWS API Documentation
+    #
+    class ApiPassthrough < Struct.new(
+      :extensions,
+      :subject)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
     # Contains information about your private certificate authority (CA).
     # Your private CA can issue and revoke X.509 digital certificates.
     # Digital certificates verify that the entity named in the certificate
@@ -656,13 +770,15 @@ module Aws::ACMPCA
     #   @return [String]
     #
     # @!attribute [rw] idempotency_token
-    #   Alphanumeric string that can be used to distinguish between calls to
-    #   **CreateCertificateAuthority**. For a given token, ACM Private CA
-    #   creates exactly one CA. If you issue a subsequent call using the
-    #   same token, ACM Private CA returns the ARN of the existing CA and
-    #   takes no further action. If you change the idempotency token across
-    #   multiple calls, ACM Private CA creates a unique CA for each unique
-    #   token.
+    #   Custom string that can be used to distinguish between calls to the
+    #   **CreateCertificateAuthority** action. Idempotency tokens for
+    #   **CreateCertificateAuthority** time out after five minutes.
+    #   Therefore, if you call **CreateCertificateAuthority** multiple times
+    #   with the same idempotency token within five minutes, ACM Private CA
+    #   recognizes that you are requesting only certificate authority and
+    #   will issue only one. If you change the idempotency token for each
+    #   call, PCA recognizes that you are requesting multiple certificate
+    #   authorities.
     #   @return [String]
     #
     # @!attribute [rw] tags
@@ -1211,10 +1327,160 @@ module Aws::ACMPCA
       include Aws::Structure
     end
 
+    # Specifies additional purposes for which the certified public key may
+    # be used other than basic purposes indicated in the `KeyUsage`
+    # extension.
+    #
+    # @note When making an API call, you may pass ExtendedKeyUsage
+    #   data as a hash:
+    #
+    #       {
+    #         extended_key_usage_type: "SERVER_AUTH", # accepts SERVER_AUTH, CLIENT_AUTH, CODE_SIGNING, EMAIL_PROTECTION, TIME_STAMPING, OCSP_SIGNING, SMART_CARD_LOGIN, DOCUMENT_SIGNING, CERTIFICATE_TRANSPARENCY
+    #         extended_key_usage_object_identifier: "CustomObjectIdentifier",
+    #       }
+    #
+    # @!attribute [rw] extended_key_usage_type
+    #   Specifies a standard `ExtendedKeyUsage` as defined as in [RFC
+    #   5280][1].
+    #
+    #
+    #
+    #   [1]: https://tools.ietf.org/html/rfc5280#section-4.2.1.12
+    #   @return [String]
+    #
+    # @!attribute [rw] extended_key_usage_object_identifier
+    #   Specifies a custom `ExtendedKeyUsage` with an object identifier
+    #   (OID).
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/ExtendedKeyUsage AWS API Documentation
+    #
+    class ExtendedKeyUsage < Struct.new(
+      :extended_key_usage_type,
+      :extended_key_usage_object_identifier)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # Contains X.509 extension information for a certificate.
+    #
+    # @note When making an API call, you may pass Extensions
+    #   data as a hash:
+    #
+    #       {
+    #         certificate_policies: [
+    #           {
+    #             cert_policy_id: "CustomObjectIdentifier", # required
+    #             policy_qualifiers: [
+    #               {
+    #                 policy_qualifier_id: "CPS", # required, accepts CPS
+    #                 qualifier: { # required
+    #                   cps_uri: "String256", # required
+    #                 },
+    #               },
+    #             ],
+    #           },
+    #         ],
+    #         extended_key_usage: [
+    #           {
+    #             extended_key_usage_type: "SERVER_AUTH", # accepts SERVER_AUTH, CLIENT_AUTH, CODE_SIGNING, EMAIL_PROTECTION, TIME_STAMPING, OCSP_SIGNING, SMART_CARD_LOGIN, DOCUMENT_SIGNING, CERTIFICATE_TRANSPARENCY
+    #             extended_key_usage_object_identifier: "CustomObjectIdentifier",
+    #           },
+    #         ],
+    #         key_usage: {
+    #           digital_signature: false,
+    #           non_repudiation: false,
+    #           key_encipherment: false,
+    #           data_encipherment: false,
+    #           key_agreement: false,
+    #           key_cert_sign: false,
+    #           crl_sign: false,
+    #           encipher_only: false,
+    #           decipher_only: false,
+    #         },
+    #         subject_alternative_names: [
+    #           {
+    #             other_name: {
+    #               type_id: "CustomObjectIdentifier", # required
+    #               value: "String256", # required
+    #             },
+    #             rfc_822_name: "String256",
+    #             dns_name: "String253",
+    #             directory_name: {
+    #               country: "CountryCodeString",
+    #               organization: "String64",
+    #               organizational_unit: "String64",
+    #               distinguished_name_qualifier: "ASN1PrintableString64",
+    #               state: "String128",
+    #               common_name: "String64",
+    #               serial_number: "ASN1PrintableString64",
+    #               locality: "String128",
+    #               title: "String64",
+    #               surname: "String40",
+    #               given_name: "String16",
+    #               initials: "String5",
+    #               pseudonym: "String128",
+    #               generation_qualifier: "String3",
+    #             },
+    #             edi_party_name: {
+    #               party_name: "String256", # required
+    #               name_assigner: "String256",
+    #             },
+    #             uniform_resource_identifier: "String253",
+    #             ip_address: "String39",
+    #             registered_id: "CustomObjectIdentifier",
+    #           },
+    #         ],
+    #       }
+    #
+    # @!attribute [rw] certificate_policies
+    #   Contains a sequence of one or more policy information terms, each of
+    #   which consists of an object identifier (OID) and optional
+    #   qualifiers. For more information, see NIST's definition of [Object
+    #   Identifier (OID)][1].
+    #
+    #   In an end-entity certificate, these terms indicate the policy under
+    #   which the certificate was issued and the purposes for which it may
+    #   be used. In a CA certificate, these terms limit the set of policies
+    #   for certification paths that include this certificate.
+    #
+    #
+    #
+    #   [1]: https://csrc.nist.gov/glossary/term/Object_Identifier
+    #   @return [Array<Types::PolicyInformation>]
+    #
+    # @!attribute [rw] extended_key_usage
+    #   Specifies additional purposes for which the certified public key may
+    #   be used other than basic purposes indicated in the `KeyUsage`
+    #   extension.
+    #   @return [Array<Types::ExtendedKeyUsage>]
+    #
+    # @!attribute [rw] key_usage
+    #   Defines one or more purposes for which the key contained in the
+    #   certificate can be used. Default value for each option is false.
+    #   @return [Types::KeyUsage]
+    #
+    # @!attribute [rw] subject_alternative_names
+    #   The subject alternative name extension allows identities to be bound
+    #   to the subject of the certificate. These identities may be included
+    #   in addition to or in place of the identity in the subject field of
+    #   the certificate.
+    #   @return [Array<Types::GeneralName>]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/Extensions AWS API Documentation
+    #
+    class Extensions < Struct.new(
+      :certificate_policies,
+      :extended_key_usage,
+      :key_usage,
+      :subject_alternative_names)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
     # Describes an ASN.1 X.400 `GeneralName` as defined in [RFC 5280][1].
-    # Only one of the following naming options should be providied.
-    # Providing more than one option results in an `InvalidArgsException`
-    # error.
+    # Only one of the following naming options should be provided. Providing
+    # more than one option results in an `InvalidArgsException` error.
     #
     #
     #
@@ -1272,16 +1538,13 @@ module Aws::ACMPCA
     #   @return [String]
     #
     # @!attribute [rw] directory_name
-    #   Contains information about the certificate subject. The certificate
-    #   can be one issued by your private certificate authority (CA) or it
-    #   can be your private CA certificate. The **Subject** field in the
-    #   certificate identifies the entity that owns or controls the public
-    #   key in the certificate. The entity can be a user, computer, device,
-    #   or service. The **Subject** must contain an X.500 distinguished name
-    #   (DN). A DN is a sequence of relative distinguished names (RDNs). The
-    #   RDNs are separated by commas in the certificate. The DN must be
-    #   unique for each entity, but your private CA can issue more than one
-    #   certificate with the same DN to the same entity.
+    #   Contains information about the certificate subject. The `Subject`
+    #   field in the certificate identifies the entity that owns or controls
+    #   the public key in the certificate. The entity can be a user,
+    #   computer, device, or service. The `Subject `must contain an X.500
+    #   distinguished name (DN). A DN is a sequence of relative
+    #   distinguished names (RDNs). The RDNs are separated by commas in the
+    #   certificate.
     #   @return [Types::ASN1Subject]
     #
     # @!attribute [rw] edi_party_name
@@ -1644,6 +1907,89 @@ module Aws::ACMPCA
     #   data as a hash:
     #
     #       {
+    #         api_passthrough: {
+    #           extensions: {
+    #             certificate_policies: [
+    #               {
+    #                 cert_policy_id: "CustomObjectIdentifier", # required
+    #                 policy_qualifiers: [
+    #                   {
+    #                     policy_qualifier_id: "CPS", # required, accepts CPS
+    #                     qualifier: { # required
+    #                       cps_uri: "String256", # required
+    #                     },
+    #                   },
+    #                 ],
+    #               },
+    #             ],
+    #             extended_key_usage: [
+    #               {
+    #                 extended_key_usage_type: "SERVER_AUTH", # accepts SERVER_AUTH, CLIENT_AUTH, CODE_SIGNING, EMAIL_PROTECTION, TIME_STAMPING, OCSP_SIGNING, SMART_CARD_LOGIN, DOCUMENT_SIGNING, CERTIFICATE_TRANSPARENCY
+    #                 extended_key_usage_object_identifier: "CustomObjectIdentifier",
+    #               },
+    #             ],
+    #             key_usage: {
+    #               digital_signature: false,
+    #               non_repudiation: false,
+    #               key_encipherment: false,
+    #               data_encipherment: false,
+    #               key_agreement: false,
+    #               key_cert_sign: false,
+    #               crl_sign: false,
+    #               encipher_only: false,
+    #               decipher_only: false,
+    #             },
+    #             subject_alternative_names: [
+    #               {
+    #                 other_name: {
+    #                   type_id: "CustomObjectIdentifier", # required
+    #                   value: "String256", # required
+    #                 },
+    #                 rfc_822_name: "String256",
+    #                 dns_name: "String253",
+    #                 directory_name: {
+    #                   country: "CountryCodeString",
+    #                   organization: "String64",
+    #                   organizational_unit: "String64",
+    #                   distinguished_name_qualifier: "ASN1PrintableString64",
+    #                   state: "String128",
+    #                   common_name: "String64",
+    #                   serial_number: "ASN1PrintableString64",
+    #                   locality: "String128",
+    #                   title: "String64",
+    #                   surname: "String40",
+    #                   given_name: "String16",
+    #                   initials: "String5",
+    #                   pseudonym: "String128",
+    #                   generation_qualifier: "String3",
+    #                 },
+    #                 edi_party_name: {
+    #                   party_name: "String256", # required
+    #                   name_assigner: "String256",
+    #                 },
+    #                 uniform_resource_identifier: "String253",
+    #                 ip_address: "String39",
+    #                 registered_id: "CustomObjectIdentifier",
+    #               },
+    #             ],
+    #           },
+    #           subject: {
+    #             country: "CountryCodeString",
+    #             organization: "String64",
+    #             organizational_unit: "String64",
+    #             distinguished_name_qualifier: "ASN1PrintableString64",
+    #             state: "String128",
+    #             common_name: "String64",
+    #             serial_number: "ASN1PrintableString64",
+    #             locality: "String128",
+    #             title: "String64",
+    #             surname: "String40",
+    #             given_name: "String16",
+    #             initials: "String5",
+    #             pseudonym: "String128",
+    #             generation_qualifier: "String3",
+    #           },
+    #         },
     #         certificate_authority_arn: "Arn", # required
     #         csr: "data", # required
     #         signing_algorithm: "SHA256WITHECDSA", # required, accepts SHA256WITHECDSA, SHA384WITHECDSA, SHA512WITHECDSA, SHA256WITHRSA, SHA384WITHRSA, SHA512WITHRSA
@@ -1652,9 +1998,29 @@ module Aws::ACMPCA
     #           value: 1, # required
     #           type: "END_DATE", # required, accepts END_DATE, ABSOLUTE, DAYS, MONTHS, YEARS
     #         },
+    #         validity_not_before: {
+    #           value: 1, # required
+    #           type: "END_DATE", # required, accepts END_DATE, ABSOLUTE, DAYS, MONTHS, YEARS
+    #         },
     #         idempotency_token: "IdempotencyToken",
     #       }
     #
+    # @!attribute [rw] api_passthrough
+    #   Specifies X.509 certificate information to be included in the issued
+    #   certificate. An `APIPassthrough` or `APICSRPassthrough` template
+    #   variant must be selected, or else this parameter is ignored. For
+    #   more information about using these templates, see [Understanding
+    #   Certificate Templates][1].
+    #
+    #   If conflicting or duplicate certificate information is supplied
+    #   during certificate issuance, ACM Private CA applies [order of
+    #   operation rules](xxxxx) to determine what information is used.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/acm-pca/latest/userguide/UsingTemplates.html
+    #   @return [Types::ApiPassthrough]
+    #
     # @!attribute [rw] certificate_authority_arn
     #   The Amazon Resource Name (ARN) that was returned when you called
     #   [CreateCertificateAuthority][1]. This must be of the form:
@@ -1669,15 +2035,15 @@ module Aws::ACMPCA
     #
     # @!attribute [rw] csr
     #   The certificate signing request (CSR) for the certificate you want
-    #   to issue. You can use the following OpenSSL command to create the
-    #   CSR and a 2048 bit RSA private key.
+    #   to issue. As an example, you can use the following OpenSSL command
+    #   to create the CSR and a 2048 bit RSA private key.
     #
     #   `openssl req -new -newkey rsa:2048 -days 365 -keyout
     #   private/test_cert_priv_key.pem -out csr/test_cert_.csr`
     #
-    #   If you have a configuration file, you can use the following OpenSSL
-    #   command. The `usr_cert` block in the configuration file contains
-    #   your X509 version 3 extensions.
+    #   If you have a configuration file, you can then use the following
+    #   OpenSSL command. The `usr_cert` block in the configuration file
+    #   contains your X509 version 3 extensions.
     #
     #   `openssl req -new -config openssl_rsa.cnf -extensions usr_cert
     #   -newkey rsa:2048 -days -365 -keyout private/test_cert_priv_key.pem
@@ -1692,7 +2058,8 @@ module Aws::ACMPCA
     #   to be issued.
     #
     #   This parameter should not be confused with the `SigningAlgorithm`
-    #   parameter used to sign a CSR.
+    #   parameter used to sign a CSR in the `CreateCertificateAuthority`
+    #   action.
     #   @return [String]
     #
     # @!attribute [rw] template_arn
@@ -1706,77 +2073,85 @@ module Aws::ACMPCA
     #   Note: The CA depth configured on a subordinate CA certificate must
     #   not exceed the limit set by its parents in the CA hierarchy.
     #
-    #   The following service-owned `TemplateArn` values are supported by
-    #   ACM Private CA:
-    #
-    #   * arn:aws:acm-pca:::template/CodeSigningCertificate/V1
+    #   For a list of `TemplateArn` values supported by ACM Private CA, see
+    #   [Understanding Certificate Templates][2].
     #
-    #   * arn:aws:acm-pca:::template/CodeSigningCertificate\_CSRPassthrough/V1
     #
-    #   * arn:aws:acm-pca:::template/EndEntityCertificate/V1
     #
-    #   * arn:aws:acm-pca:::template/EndEntityCertificate\_CSRPassthrough/V1
-    #
-    #   * arn:aws:acm-pca:::template/EndEntityClientAuthCertificate/V1
-    #
-    #   * arn:aws:acm-pca:::template/EndEntityClientAuthCertificate\_CSRPassthrough/V1
-    #
-    #   * arn:aws:acm-pca:::template/EndEntityServerAuthCertificate/V1
-    #
-    #   * arn:aws:acm-pca:::template/EndEntityServerAuthCertificate\_CSRPassthrough/V1
+    #   [1]: https://docs.aws.amazon.com/acm-pca/latest/userguide/PcaTerms.html#terms-cadepth
+    #   [2]: https://docs.aws.amazon.com/acm-pca/latest/userguide/UsingTemplates.html
+    #   @return [String]
     #
-    #   * arn:aws:acm-pca:::template/OCSPSigningCertificate/V1
+    # @!attribute [rw] validity
+    #   Information describing the end of the validity period of the
+    #   certificate. This parameter sets the “Not After” date for the
+    #   certificate.
     #
-    #   * arn:aws:acm-pca:::template/OCSPSigningCertificate\_CSRPassthrough/V1
+    #   Certificate validity is the period of time during which a
+    #   certificate is valid. Validity can be expressed as an explicit date
+    #   and time when the certificate expires, or as a span of time after
+    #   issuance, stated in days, months, or years. For more information,
+    #   see [Validity][1] in RFC 5280.
     #
-    #   * arn:aws:acm-pca:::template/RootCACertificate/V1
+    #   This value is unaffected when `ValidityNotBefore` is also specified.
+    #   For example, if `Validity` is set to 20 days in the future, the
+    #   certificate will expire 20 days from issuance time regardless of the
+    #   `ValidityNotBefore` value.
     #
-    #   * arn:aws:acm-pca:::template/SubordinateCACertificate\_PathLen0/V1
+    #   The end of the validity period configured on a certificate must not
+    #   exceed the limit set on its parents in the CA hierarchy.
     #
-    #   * arn:aws:acm-pca:::template/SubordinateCACertificate\_PathLen1/V1
     #
-    #   * arn:aws:acm-pca:::template/SubordinateCACertificate\_PathLen2/V1
     #
-    #   * arn:aws:acm-pca:::template/SubordinateCACertificate\_PathLen3/V1
+    #   [1]: https://tools.ietf.org/html/rfc5280#section-4.1.2.5
+    #   @return [Types::Validity]
     #
-    #   For more information, see [Using Templates][2].
+    # @!attribute [rw] validity_not_before
+    #   Information describing the start of the validity period of the
+    #   certificate. This parameter sets the “Not Before" date for the
+    #   certificate.
     #
+    #   By default, when issuing a certificate, ACM Private CA sets the
+    #   "Not Before" date to the issuance time minus 60 minutes. This
+    #   compensates for clock inconsistencies across computer systems. The
+    #   `ValidityNotBefore` parameter can be used to customize the “Not
+    #   Before” value.
     #
+    #   Unlike the `Validity` parameter, the `ValidityNotBefore` parameter
+    #   is optional.
     #
-    #   [1]: https://docs.aws.amazon.com/acm-pca/latest/userguide/PcaTerms.html#terms-cadepth
-    #   [2]: https://docs.aws.amazon.com/acm-pca/latest/userguide/UsingTemplates.html
-    #   @return [String]
+    #   The `ValidityNotBefore` value is expressed as an explicit date and
+    #   time, using the `Validity` type value `ABSOLUTE`. For more
+    #   information, see [Validity][1] in this API reference and
+    #   [Validity][2] in RFC 5280.
     #
-    # @!attribute [rw] validity
-    #   Information describing the validity period of the certificate.
     #
-    #   When issuing a certificate, ACM Private CA sets the "Not Before"
-    #   date in the validity field to date and time minus 60 minutes. This
-    #   is intended to compensate for time inconsistencies across systems of
-    #   60 minutes or less.
     #
-    #   The validity period configured on a certificate must not exceed the
-    #   limit set by its parents in the CA hierarchy.
+    #   [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_Validity.html
+    #   [2]: https://tools.ietf.org/html/rfc5280#section-4.1.2.5
     #   @return [Types::Validity]
     #
     # @!attribute [rw] idempotency_token
-    #   Custom string that can be used to distinguish between calls to the
-    #   **IssueCertificate** action. Idempotency tokens time out after one
-    #   hour. Therefore, if you call **IssueCertificate** multiple times
-    #   with the same idempotency token within 5 minutes, ACM Private CA
-    #   recognizes that you are requesting only one certificate and will
-    #   issue only one. If you change the idempotency token for each call,
-    #   PCA recognizes that you are requesting multiple certificates.
+    #   Alphanumeric string that can be used to distinguish between calls to
+    #   the **IssueCertificate** action. Idempotency tokens for
+    #   **IssueCertificate** time out after one minute. Therefore, if you
+    #   call **IssueCertificate** multiple times with the same idempotency
+    #   token within one minute, ACM Private CA recognizes that you are
+    #   requesting only one certificate and will issue only one. If you
+    #   change the idempotency token for each call, PCA recognizes that you
+    #   are requesting multiple certificates.
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/IssueCertificateRequest AWS API Documentation
     #
     class IssueCertificateRequest < Struct.new(
+      :api_passthrough,
       :certificate_authority_arn,
       :csr,
       :signing_algorithm,
       :template_arn,
       :validity,
+      :validity_not_before,
       :idempotency_token)
       SENSITIVE = []
       include Aws::Structure
@@ -2212,6 +2587,79 @@ module Aws::ACMPCA
       include Aws::Structure
     end
 
+    # Defines the X.509 `CertificatePolicies` extension.
+    #
+    # @note When making an API call, you may pass PolicyInformation
+    #   data as a hash:
+    #
+    #       {
+    #         cert_policy_id: "CustomObjectIdentifier", # required
+    #         policy_qualifiers: [
+    #           {
+    #             policy_qualifier_id: "CPS", # required, accepts CPS
+    #             qualifier: { # required
+    #               cps_uri: "String256", # required
+    #             },
+    #           },
+    #         ],
+    #       }
+    #
+    # @!attribute [rw] cert_policy_id
+    #   Specifies the object identifier (OID) of the certificate policy
+    #   under which the certificate was issued. For more information, see
+    #   NIST's definition of [Object Identifier (OID)][1].
+    #
+    #
+    #
+    #   [1]: https://csrc.nist.gov/glossary/term/Object_Identifier
+    #   @return [String]
+    #
+    # @!attribute [rw] policy_qualifiers
+    #   Modifies the given `CertPolicyId` with a qualifier. ACM Private CA
+    #   supports the certification practice statement (CPS) qualifier.
+    #   @return [Array<Types::PolicyQualifierInfo>]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/PolicyInformation AWS API Documentation
+    #
+    class PolicyInformation < Struct.new(
+      :cert_policy_id,
+      :policy_qualifiers)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # Modifies the `CertPolicyId` of a `PolicyInformation` object with a
+    # qualifier. ACM Private CA supports the certification practice
+    # statement (CPS) qualifier.
+    #
+    # @note When making an API call, you may pass PolicyQualifierInfo
+    #   data as a hash:
+    #
+    #       {
+    #         policy_qualifier_id: "CPS", # required, accepts CPS
+    #         qualifier: { # required
+    #           cps_uri: "String256", # required
+    #         },
+    #       }
+    #
+    # @!attribute [rw] policy_qualifier_id
+    #   Identifies the qualifier modifying a `CertPolicyId`.
+    #   @return [String]
+    #
+    # @!attribute [rw] qualifier
+    #   Defines the qualifier type. ACM Private CA supports the use of a URI
+    #   for a CPS qualifier in this field.
+    #   @return [Types::Qualifier]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/PolicyQualifierInfo AWS API Documentation
+    #
+    class PolicyQualifierInfo < Struct.new(
+      :policy_qualifier_id,
+      :qualifier)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
     # @note When making an API call, you may pass PutPolicyRequest
     #   data as a hash:
     #
@@ -2233,7 +2681,7 @@ module Aws::ACMPCA
     #   @return [String]
     #
     # @!attribute [rw] policy
-    #   The path and filename of a JSON-formatted IAM policy to attach to
+    #   The path and file name of a JSON-formatted IAM policy to attach to
     #   the specified private CA resource. If this policy does not contain
     #   all required statements or if it includes any statement that is not
     #   allowed, the `PutPolicy` action returns an `InvalidPolicyException`.
@@ -2254,6 +2702,34 @@ module Aws::ACMPCA
       include Aws::Structure
     end
 
+    # Defines a `PolicyInformation` qualifier. ACM Private CA supports the
+    # [certification practice statement (CPS) qualifier][1] defined in RFC
+    # 5280.
+    #
+    #
+    #
+    # [1]: https://tools.ietf.org/html/rfc5280#section-4.2.1.4
+    #
+    # @note When making an API call, you may pass Qualifier
+    #   data as a hash:
+    #
+    #       {
+    #         cps_uri: "String256", # required
+    #       }
+    #
+    # @!attribute [rw] cps_uri
+    #   Contains a pointer to a certification practice statement (CPS)
+    #   published by the CA.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/Qualifier AWS API Documentation
+    #
+    class Qualifier < Struct.new(
+      :cps_uri)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
     # Your request has already been completed.
     #
     # @!attribute [rw] message
@@ -2594,17 +3070,20 @@ module Aws::ACMPCA
 
     # Validity specifies the period of time during which a certificate is
     # valid. Validity can be expressed as an explicit date and time when the
-    # certificate expires, or as a span of time after issuance, stated in
-    # days, months, or years. For more information, see [Validity][1] in RFC
-    # 5280.
+    # validity of a certificate starts or expires, or as a span of time
+    # after issuance, stated in days, months, or years. For more
+    # information, see [Validity][1] in RFC 5280.
     #
-    # You can issue a certificate by calling the [IssueCertificate][2]
-    # action.
+    # ACM Private CA API consumes the `Validity` data type differently in
+    # two distinct parameters of the `IssueCertificate` action. The required
+    # parameter `IssueCertificate`\:`Validity` specifies the end of a
+    # certificate's validity period. The optional parameter
+    # `IssueCertificate`\:`ValidityNotBefore` specifies a customized
+    # starting time for the validity period.
     #
     #
     #
     # [1]: https://tools.ietf.org/html/rfc5280#section-4.1.2.5
-    # [2]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_IssueCertificate.html
     #
     # @note When making an API call, you may pass Validity
     #   data as a hash:
@@ -2635,8 +3114,9 @@ module Aws::ACMPCA
     #
     #   * Output expiration date/time: 12/31/2049 23:59:59
     #
-    #   `ABSOLUTE`\: The specific date and time when the certificate will
-    #   expire, expressed in seconds since the Unix Epoch.
+    #   `ABSOLUTE`\: The specific date and time when the validity of a
+    #   certificate will start or expire, expressed in seconds since the
+    #   Unix Epoch.
     #
     #   * Sample input value: 2524608000
     #