aws-sdk-acmpca 1.31.0 → 1.36.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -3,7 +3,7 @@
3
3
  # WARNING ABOUT GENERATED CODE
4
4
  #
5
5
  # This file is generated. See the contributing guide for more information:
6
- # https://github.com/aws/aws-sdk-ruby/blob/master/CONTRIBUTING.md
6
+ # https://github.com/aws/aws-sdk-ruby/blob/version-3/CONTRIBUTING.md
7
7
  #
8
8
  # WARNING ABOUT GENERATED CODE
9
9
 
@@ -23,6 +23,7 @@ module Aws::ACMPCA
23
23
  AccountId = Shapes::StringShape.new(name: 'AccountId')
24
24
  ActionList = Shapes::ListShape.new(name: 'ActionList')
25
25
  ActionType = Shapes::StringShape.new(name: 'ActionType')
26
+ ApiPassthrough = Shapes::StructureShape.new(name: 'ApiPassthrough')
26
27
  Arn = Shapes::StringShape.new(name: 'Arn')
27
28
  AuditReportId = Shapes::StringShape.new(name: 'AuditReportId')
28
29
  AuditReportResponseFormat = Shapes::StringShape.new(name: 'AuditReportResponseFormat')
@@ -38,6 +39,7 @@ module Aws::ACMPCA
38
39
  CertificateChain = Shapes::StringShape.new(name: 'CertificateChain')
39
40
  CertificateChainBlob = Shapes::BlobShape.new(name: 'CertificateChainBlob')
40
41
  CertificateMismatchException = Shapes::StructureShape.new(name: 'CertificateMismatchException')
42
+ CertificatePolicyList = Shapes::ListShape.new(name: 'CertificatePolicyList')
41
43
  ConcurrentModificationException = Shapes::StructureShape.new(name: 'ConcurrentModificationException')
42
44
  CountryCodeString = Shapes::StringShape.new(name: 'CountryCodeString')
43
45
  CreateCertificateAuthorityAuditReportRequest = Shapes::StructureShape.new(name: 'CreateCertificateAuthorityAuditReportRequest')
@@ -58,8 +60,13 @@ module Aws::ACMPCA
58
60
  DescribeCertificateAuthorityRequest = Shapes::StructureShape.new(name: 'DescribeCertificateAuthorityRequest')
59
61
  DescribeCertificateAuthorityResponse = Shapes::StructureShape.new(name: 'DescribeCertificateAuthorityResponse')
60
62
  EdiPartyName = Shapes::StructureShape.new(name: 'EdiPartyName')
63
+ ExtendedKeyUsage = Shapes::StructureShape.new(name: 'ExtendedKeyUsage')
64
+ ExtendedKeyUsageList = Shapes::ListShape.new(name: 'ExtendedKeyUsageList')
65
+ ExtendedKeyUsageType = Shapes::StringShape.new(name: 'ExtendedKeyUsageType')
66
+ Extensions = Shapes::StructureShape.new(name: 'Extensions')
61
67
  FailureReason = Shapes::StringShape.new(name: 'FailureReason')
62
68
  GeneralName = Shapes::StructureShape.new(name: 'GeneralName')
69
+ GeneralNameList = Shapes::ListShape.new(name: 'GeneralNameList')
63
70
  GetCertificateAuthorityCertificateRequest = Shapes::StructureShape.new(name: 'GetCertificateAuthorityCertificateRequest')
64
71
  GetCertificateAuthorityCertificateResponse = Shapes::StructureShape.new(name: 'GetCertificateAuthorityCertificateResponse')
65
72
  GetCertificateAuthorityCsrRequest = Shapes::StructureShape.new(name: 'GetCertificateAuthorityCsrRequest')
@@ -81,6 +88,7 @@ module Aws::ACMPCA
81
88
  IssueCertificateRequest = Shapes::StructureShape.new(name: 'IssueCertificateRequest')
82
89
  IssueCertificateResponse = Shapes::StructureShape.new(name: 'IssueCertificateResponse')
83
90
  KeyAlgorithm = Shapes::StringShape.new(name: 'KeyAlgorithm')
91
+ KeyStorageSecurityStandard = Shapes::StringShape.new(name: 'KeyStorageSecurityStandard')
84
92
  KeyUsage = Shapes::StructureShape.new(name: 'KeyUsage')
85
93
  LimitExceededException = Shapes::StructureShape.new(name: 'LimitExceededException')
86
94
  ListCertificateAuthoritiesRequest = Shapes::StructureShape.new(name: 'ListCertificateAuthoritiesRequest')
@@ -99,9 +107,14 @@ module Aws::ACMPCA
99
107
  Permission = Shapes::StructureShape.new(name: 'Permission')
100
108
  PermissionAlreadyExistsException = Shapes::StructureShape.new(name: 'PermissionAlreadyExistsException')
101
109
  PermissionList = Shapes::ListShape.new(name: 'PermissionList')
110
+ PolicyInformation = Shapes::StructureShape.new(name: 'PolicyInformation')
111
+ PolicyQualifierId = Shapes::StringShape.new(name: 'PolicyQualifierId')
112
+ PolicyQualifierInfo = Shapes::StructureShape.new(name: 'PolicyQualifierInfo')
113
+ PolicyQualifierInfoList = Shapes::ListShape.new(name: 'PolicyQualifierInfoList')
102
114
  PositiveLong = Shapes::IntegerShape.new(name: 'PositiveLong')
103
115
  Principal = Shapes::StringShape.new(name: 'Principal')
104
116
  PutPolicyRequest = Shapes::StructureShape.new(name: 'PutPolicyRequest')
117
+ Qualifier = Shapes::StructureShape.new(name: 'Qualifier')
105
118
  RequestAlreadyProcessedException = Shapes::StructureShape.new(name: 'RequestAlreadyProcessedException')
106
119
  RequestFailedException = Shapes::StructureShape.new(name: 'RequestFailedException')
107
120
  RequestInProgressException = Shapes::StructureShape.new(name: 'RequestInProgressException')
@@ -113,6 +126,7 @@ module Aws::ACMPCA
113
126
  RevokeCertificateRequest = Shapes::StructureShape.new(name: 'RevokeCertificateRequest')
114
127
  S3BucketName = Shapes::StringShape.new(name: 'S3BucketName')
115
128
  S3Key = Shapes::StringShape.new(name: 'S3Key')
129
+ S3ObjectAcl = Shapes::StringShape.new(name: 'S3ObjectAcl')
116
130
  SigningAlgorithm = Shapes::StringShape.new(name: 'SigningAlgorithm')
117
131
  String = Shapes::StringShape.new(name: 'String')
118
132
  String128 = Shapes::StringShape.new(name: 'String128')
@@ -165,6 +179,10 @@ module Aws::ACMPCA
165
179
 
166
180
  ActionList.member = Shapes::ShapeRef.new(shape: ActionType)
167
181
 
182
+ ApiPassthrough.add_member(:extensions, Shapes::ShapeRef.new(shape: Extensions, location_name: "Extensions"))
183
+ ApiPassthrough.add_member(:subject, Shapes::ShapeRef.new(shape: ASN1Subject, location_name: "Subject"))
184
+ ApiPassthrough.struct_class = Types::ApiPassthrough
185
+
168
186
  CertificateAuthorities.member = Shapes::ShapeRef.new(shape: CertificateAuthority)
169
187
 
170
188
  CertificateAuthority.add_member(:arn, Shapes::ShapeRef.new(shape: Arn, location_name: "Arn"))
@@ -180,6 +198,7 @@ module Aws::ACMPCA
180
198
  CertificateAuthority.add_member(:certificate_authority_configuration, Shapes::ShapeRef.new(shape: CertificateAuthorityConfiguration, location_name: "CertificateAuthorityConfiguration"))
181
199
  CertificateAuthority.add_member(:revocation_configuration, Shapes::ShapeRef.new(shape: RevocationConfiguration, location_name: "RevocationConfiguration"))
182
200
  CertificateAuthority.add_member(:restorable_until, Shapes::ShapeRef.new(shape: TStamp, location_name: "RestorableUntil"))
201
+ CertificateAuthority.add_member(:key_storage_security_standard, Shapes::ShapeRef.new(shape: KeyStorageSecurityStandard, location_name: "KeyStorageSecurityStandard"))
183
202
  CertificateAuthority.struct_class = Types::CertificateAuthority
184
203
 
185
204
  CertificateAuthorityConfiguration.add_member(:key_algorithm, Shapes::ShapeRef.new(shape: KeyAlgorithm, required: true, location_name: "KeyAlgorithm"))
@@ -191,6 +210,8 @@ module Aws::ACMPCA
191
210
  CertificateMismatchException.add_member(:message, Shapes::ShapeRef.new(shape: String, location_name: "message"))
192
211
  CertificateMismatchException.struct_class = Types::CertificateMismatchException
193
212
 
213
+ CertificatePolicyList.member = Shapes::ShapeRef.new(shape: PolicyInformation)
214
+
194
215
  ConcurrentModificationException.add_member(:message, Shapes::ShapeRef.new(shape: String, location_name: "message"))
195
216
  ConcurrentModificationException.struct_class = Types::ConcurrentModificationException
196
217
 
@@ -207,6 +228,7 @@ module Aws::ACMPCA
207
228
  CreateCertificateAuthorityRequest.add_member(:revocation_configuration, Shapes::ShapeRef.new(shape: RevocationConfiguration, location_name: "RevocationConfiguration"))
208
229
  CreateCertificateAuthorityRequest.add_member(:certificate_authority_type, Shapes::ShapeRef.new(shape: CertificateAuthorityType, required: true, location_name: "CertificateAuthorityType"))
209
230
  CreateCertificateAuthorityRequest.add_member(:idempotency_token, Shapes::ShapeRef.new(shape: IdempotencyToken, location_name: "IdempotencyToken"))
231
+ CreateCertificateAuthorityRequest.add_member(:key_storage_security_standard, Shapes::ShapeRef.new(shape: KeyStorageSecurityStandard, location_name: "KeyStorageSecurityStandard"))
210
232
  CreateCertificateAuthorityRequest.add_member(:tags, Shapes::ShapeRef.new(shape: TagList, location_name: "Tags"))
211
233
  CreateCertificateAuthorityRequest.struct_class = Types::CreateCertificateAuthorityRequest
212
234
 
@@ -223,6 +245,7 @@ module Aws::ACMPCA
223
245
  CrlConfiguration.add_member(:expiration_in_days, Shapes::ShapeRef.new(shape: Integer1To5000, location_name: "ExpirationInDays", metadata: {"box"=>true}))
224
246
  CrlConfiguration.add_member(:custom_cname, Shapes::ShapeRef.new(shape: String253, location_name: "CustomCname"))
225
247
  CrlConfiguration.add_member(:s3_bucket_name, Shapes::ShapeRef.new(shape: String3To255, location_name: "S3BucketName"))
248
+ CrlConfiguration.add_member(:s3_object_acl, Shapes::ShapeRef.new(shape: S3ObjectAcl, location_name: "S3ObjectAcl"))
226
249
  CrlConfiguration.struct_class = Types::CrlConfiguration
227
250
 
228
251
  CsrExtensions.add_member(:key_usage, Shapes::ShapeRef.new(shape: KeyUsage, location_name: "KeyUsage"))
@@ -261,6 +284,18 @@ module Aws::ACMPCA
261
284
  EdiPartyName.add_member(:name_assigner, Shapes::ShapeRef.new(shape: String256, location_name: "NameAssigner"))
262
285
  EdiPartyName.struct_class = Types::EdiPartyName
263
286
 
287
+ ExtendedKeyUsage.add_member(:extended_key_usage_type, Shapes::ShapeRef.new(shape: ExtendedKeyUsageType, location_name: "ExtendedKeyUsageType"))
288
+ ExtendedKeyUsage.add_member(:extended_key_usage_object_identifier, Shapes::ShapeRef.new(shape: CustomObjectIdentifier, location_name: "ExtendedKeyUsageObjectIdentifier"))
289
+ ExtendedKeyUsage.struct_class = Types::ExtendedKeyUsage
290
+
291
+ ExtendedKeyUsageList.member = Shapes::ShapeRef.new(shape: ExtendedKeyUsage)
292
+
293
+ Extensions.add_member(:certificate_policies, Shapes::ShapeRef.new(shape: CertificatePolicyList, location_name: "CertificatePolicies"))
294
+ Extensions.add_member(:extended_key_usage, Shapes::ShapeRef.new(shape: ExtendedKeyUsageList, location_name: "ExtendedKeyUsage"))
295
+ Extensions.add_member(:key_usage, Shapes::ShapeRef.new(shape: KeyUsage, location_name: "KeyUsage"))
296
+ Extensions.add_member(:subject_alternative_names, Shapes::ShapeRef.new(shape: GeneralNameList, location_name: "SubjectAlternativeNames"))
297
+ Extensions.struct_class = Types::Extensions
298
+
264
299
  GeneralName.add_member(:other_name, Shapes::ShapeRef.new(shape: OtherName, location_name: "OtherName"))
265
300
  GeneralName.add_member(:rfc_822_name, Shapes::ShapeRef.new(shape: String256, location_name: "Rfc822Name"))
266
301
  GeneralName.add_member(:dns_name, Shapes::ShapeRef.new(shape: String253, location_name: "DnsName"))
@@ -271,6 +306,8 @@ module Aws::ACMPCA
271
306
  GeneralName.add_member(:registered_id, Shapes::ShapeRef.new(shape: CustomObjectIdentifier, location_name: "RegisteredId"))
272
307
  GeneralName.struct_class = Types::GeneralName
273
308
 
309
+ GeneralNameList.member = Shapes::ShapeRef.new(shape: GeneralName)
310
+
274
311
  GetCertificateAuthorityCertificateRequest.add_member(:certificate_authority_arn, Shapes::ShapeRef.new(shape: Arn, required: true, location_name: "CertificateAuthorityArn"))
275
312
  GetCertificateAuthorityCertificateRequest.struct_class = Types::GetCertificateAuthorityCertificateRequest
276
313
 
@@ -324,11 +361,13 @@ module Aws::ACMPCA
324
361
  InvalidTagException.add_member(:message, Shapes::ShapeRef.new(shape: String, location_name: "message"))
325
362
  InvalidTagException.struct_class = Types::InvalidTagException
326
363
 
364
+ IssueCertificateRequest.add_member(:api_passthrough, Shapes::ShapeRef.new(shape: ApiPassthrough, location_name: "ApiPassthrough"))
327
365
  IssueCertificateRequest.add_member(:certificate_authority_arn, Shapes::ShapeRef.new(shape: Arn, required: true, location_name: "CertificateAuthorityArn"))
328
366
  IssueCertificateRequest.add_member(:csr, Shapes::ShapeRef.new(shape: CsrBlob, required: true, location_name: "Csr"))
329
367
  IssueCertificateRequest.add_member(:signing_algorithm, Shapes::ShapeRef.new(shape: SigningAlgorithm, required: true, location_name: "SigningAlgorithm"))
330
368
  IssueCertificateRequest.add_member(:template_arn, Shapes::ShapeRef.new(shape: Arn, location_name: "TemplateArn"))
331
369
  IssueCertificateRequest.add_member(:validity, Shapes::ShapeRef.new(shape: Validity, required: true, location_name: "Validity"))
370
+ IssueCertificateRequest.add_member(:validity_not_before, Shapes::ShapeRef.new(shape: Validity, location_name: "ValidityNotBefore"))
332
371
  IssueCertificateRequest.add_member(:idempotency_token, Shapes::ShapeRef.new(shape: IdempotencyToken, location_name: "IdempotencyToken"))
333
372
  IssueCertificateRequest.struct_class = Types::IssueCertificateRequest
334
373
 
@@ -402,10 +441,23 @@ module Aws::ACMPCA
402
441
 
403
442
  PermissionList.member = Shapes::ShapeRef.new(shape: Permission)
404
443
 
444
+ PolicyInformation.add_member(:cert_policy_id, Shapes::ShapeRef.new(shape: CustomObjectIdentifier, required: true, location_name: "CertPolicyId"))
445
+ PolicyInformation.add_member(:policy_qualifiers, Shapes::ShapeRef.new(shape: PolicyQualifierInfoList, location_name: "PolicyQualifiers"))
446
+ PolicyInformation.struct_class = Types::PolicyInformation
447
+
448
+ PolicyQualifierInfo.add_member(:policy_qualifier_id, Shapes::ShapeRef.new(shape: PolicyQualifierId, required: true, location_name: "PolicyQualifierId"))
449
+ PolicyQualifierInfo.add_member(:qualifier, Shapes::ShapeRef.new(shape: Qualifier, required: true, location_name: "Qualifier"))
450
+ PolicyQualifierInfo.struct_class = Types::PolicyQualifierInfo
451
+
452
+ PolicyQualifierInfoList.member = Shapes::ShapeRef.new(shape: PolicyQualifierInfo)
453
+
405
454
  PutPolicyRequest.add_member(:resource_arn, Shapes::ShapeRef.new(shape: Arn, required: true, location_name: "ResourceArn"))
406
455
  PutPolicyRequest.add_member(:policy, Shapes::ShapeRef.new(shape: AWSPolicy, required: true, location_name: "Policy"))
407
456
  PutPolicyRequest.struct_class = Types::PutPolicyRequest
408
457
 
458
+ Qualifier.add_member(:cps_uri, Shapes::ShapeRef.new(shape: String256, required: true, location_name: "CpsUri"))
459
+ Qualifier.struct_class = Types::Qualifier
460
+
409
461
  RequestAlreadyProcessedException.add_member(:message, Shapes::ShapeRef.new(shape: String, location_name: "message"))
410
462
  RequestAlreadyProcessedException.struct_class = Types::RequestAlreadyProcessedException
411
463
 
@@ -3,7 +3,7 @@
3
3
  # WARNING ABOUT GENERATED CODE
4
4
  #
5
5
  # This file is generated. See the contributing guide for more information:
6
- # https://github.com/aws/aws-sdk-ruby/blob/master/CONTRIBUTING.md
6
+ # https://github.com/aws/aws-sdk-ruby/blob/version-3/CONTRIBUTING.md
7
7
  #
8
8
  # WARNING ABOUT GENERATED CODE
9
9
 
@@ -3,7 +3,7 @@
3
3
  # WARNING ABOUT GENERATED CODE
4
4
  #
5
5
  # This file is generated. See the contributing guide for more information:
6
- # https://github.com/aws/aws-sdk-ruby/blob/master/CONTRIBUTING.md
6
+ # https://github.com/aws/aws-sdk-ruby/blob/version-3/CONTRIBUTING.md
7
7
  #
8
8
  # WARNING ABOUT GENERATED CODE
9
9
 
@@ -3,23 +3,19 @@
3
3
  # WARNING ABOUT GENERATED CODE
4
4
  #
5
5
  # This file is generated. See the contributing guide for more information:
6
- # https://github.com/aws/aws-sdk-ruby/blob/master/CONTRIBUTING.md
6
+ # https://github.com/aws/aws-sdk-ruby/blob/version-3/CONTRIBUTING.md
7
7
  #
8
8
  # WARNING ABOUT GENERATED CODE
9
9
 
10
10
  module Aws::ACMPCA
11
11
  module Types
12
12
 
13
- # Contains information about the certificate subject. The certificate
14
- # can be one issued by your private certificate authority (CA) or it can
15
- # be your private CA certificate. The **Subject** field in the
16
- # certificate identifies the entity that owns or controls the public key
17
- # in the certificate. The entity can be a user, computer, device, or
18
- # service. The **Subject** must contain an X.500 distinguished name
19
- # (DN). A DN is a sequence of relative distinguished names (RDNs). The
20
- # RDNs are separated by commas in the certificate. The DN must be unique
21
- # for each entity, but your private CA can issue more than one
22
- # certificate with the same DN to the same entity.
13
+ # Contains information about the certificate subject. The `Subject`
14
+ # field in the certificate identifies the entity that owns or controls
15
+ # the public key in the certificate. The entity can be a user, computer,
16
+ # device, or service. The `Subject `must contain an X.500 distinguished
17
+ # name (DN). A DN is a sequence of relative distinguished names (RDNs).
18
+ # The RDNs are separated by commas in the certificate.
23
19
  #
24
20
  # @note When making an API call, you may pass ASN1Subject
25
21
  # data as a hash:
@@ -100,7 +96,7 @@ module Aws::ACMPCA
100
96
  # @!attribute [rw] initials
101
97
  # Concatenation that typically contains the first letter of the
102
98
  # **GivenName**, the first letter of the middle name if one exists,
103
- # and the first letter of the **SurName**.
99
+ # and the first letter of the **Surname**.
104
100
  # @return [String]
105
101
  #
106
102
  # @!attribute [rw] pseudonym
@@ -235,6 +231,128 @@ module Aws::ACMPCA
235
231
  include Aws::Structure
236
232
  end
237
233
 
234
+ # Contains X.509 certificate information to be placed in an issued
235
+ # certificate. An `APIPassthrough` or `APICSRPassthrough` template
236
+ # variant must be selected, or else this parameter is ignored.
237
+ #
238
+ # If conflicting or duplicate certificate information is supplied from
239
+ # other sources, ACM Private CA applies [order of operation rules][1] to
240
+ # determine what information is used.
241
+ #
242
+ #
243
+ #
244
+ # [1]: https://docs.aws.amazon.com/acm-pca/latest/userguide/UsingTemplates.html#template-order-of-operations
245
+ #
246
+ # @note When making an API call, you may pass ApiPassthrough
247
+ # data as a hash:
248
+ #
249
+ # {
250
+ # extensions: {
251
+ # certificate_policies: [
252
+ # {
253
+ # cert_policy_id: "CustomObjectIdentifier", # required
254
+ # policy_qualifiers: [
255
+ # {
256
+ # policy_qualifier_id: "CPS", # required, accepts CPS
257
+ # qualifier: { # required
258
+ # cps_uri: "String256", # required
259
+ # },
260
+ # },
261
+ # ],
262
+ # },
263
+ # ],
264
+ # extended_key_usage: [
265
+ # {
266
+ # extended_key_usage_type: "SERVER_AUTH", # accepts SERVER_AUTH, CLIENT_AUTH, CODE_SIGNING, EMAIL_PROTECTION, TIME_STAMPING, OCSP_SIGNING, SMART_CARD_LOGIN, DOCUMENT_SIGNING, CERTIFICATE_TRANSPARENCY
267
+ # extended_key_usage_object_identifier: "CustomObjectIdentifier",
268
+ # },
269
+ # ],
270
+ # key_usage: {
271
+ # digital_signature: false,
272
+ # non_repudiation: false,
273
+ # key_encipherment: false,
274
+ # data_encipherment: false,
275
+ # key_agreement: false,
276
+ # key_cert_sign: false,
277
+ # crl_sign: false,
278
+ # encipher_only: false,
279
+ # decipher_only: false,
280
+ # },
281
+ # subject_alternative_names: [
282
+ # {
283
+ # other_name: {
284
+ # type_id: "CustomObjectIdentifier", # required
285
+ # value: "String256", # required
286
+ # },
287
+ # rfc_822_name: "String256",
288
+ # dns_name: "String253",
289
+ # directory_name: {
290
+ # country: "CountryCodeString",
291
+ # organization: "String64",
292
+ # organizational_unit: "String64",
293
+ # distinguished_name_qualifier: "ASN1PrintableString64",
294
+ # state: "String128",
295
+ # common_name: "String64",
296
+ # serial_number: "ASN1PrintableString64",
297
+ # locality: "String128",
298
+ # title: "String64",
299
+ # surname: "String40",
300
+ # given_name: "String16",
301
+ # initials: "String5",
302
+ # pseudonym: "String128",
303
+ # generation_qualifier: "String3",
304
+ # },
305
+ # edi_party_name: {
306
+ # party_name: "String256", # required
307
+ # name_assigner: "String256",
308
+ # },
309
+ # uniform_resource_identifier: "String253",
310
+ # ip_address: "String39",
311
+ # registered_id: "CustomObjectIdentifier",
312
+ # },
313
+ # ],
314
+ # },
315
+ # subject: {
316
+ # country: "CountryCodeString",
317
+ # organization: "String64",
318
+ # organizational_unit: "String64",
319
+ # distinguished_name_qualifier: "ASN1PrintableString64",
320
+ # state: "String128",
321
+ # common_name: "String64",
322
+ # serial_number: "ASN1PrintableString64",
323
+ # locality: "String128",
324
+ # title: "String64",
325
+ # surname: "String40",
326
+ # given_name: "String16",
327
+ # initials: "String5",
328
+ # pseudonym: "String128",
329
+ # generation_qualifier: "String3",
330
+ # },
331
+ # }
332
+ #
333
+ # @!attribute [rw] extensions
334
+ # Specifies X.509 extension information for a certificate.
335
+ # @return [Types::Extensions]
336
+ #
337
+ # @!attribute [rw] subject
338
+ # Contains information about the certificate subject. The `Subject`
339
+ # field in the certificate identifies the entity that owns or controls
340
+ # the public key in the certificate. The entity can be a user,
341
+ # computer, device, or service. The `Subject `must contain an X.500
342
+ # distinguished name (DN). A DN is a sequence of relative
343
+ # distinguished names (RDNs). The RDNs are separated by commas in the
344
+ # certificate.
345
+ # @return [Types::ASN1Subject]
346
+ #
347
+ # @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/ApiPassthrough AWS API Documentation
348
+ #
349
+ class ApiPassthrough < Struct.new(
350
+ :extensions,
351
+ :subject)
352
+ SENSITIVE = []
353
+ include Aws::Structure
354
+ end
355
+
238
356
  # Contains information about your private certificate authority (CA).
239
357
  # Your private CA can issue and revoke X.509 digital certificates.
240
358
  # Digital certificates verify that the entity named in the certificate
@@ -314,6 +432,20 @@ module Aws::ACMPCA
314
432
  # [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_DeleteCertificateAuthorityRequest.html
315
433
  # @return [Time]
316
434
  #
435
+ # @!attribute [rw] key_storage_security_standard
436
+ # Defines a cryptographic key management compliance standard used for
437
+ # handling CA keys.
438
+ #
439
+ # Default: FIPS\_140\_2\_LEVEL\_3\_OR\_HIGHER
440
+ #
441
+ # Note: AWS Region ap-northeast-3 supports only
442
+ # FIPS\_140\_2\_LEVEL\_2\_OR\_HIGHER. You must explicitly specify this
443
+ # parameter and value when creating a CA in that Region. Specifying a
444
+ # different value (or no value) results in an `InvalidArgsException`
445
+ # with the message "A certificate authority cannot be created in this
446
+ # region with the specified security standard."
447
+ # @return [String]
448
+ #
317
449
  # @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/CertificateAuthority AWS API Documentation
318
450
  #
319
451
  class CertificateAuthority < Struct.new(
@@ -329,7 +461,8 @@ module Aws::ACMPCA
329
461
  :failure_reason,
330
462
  :certificate_authority_configuration,
331
463
  :revocation_configuration,
332
- :restorable_until)
464
+ :restorable_until,
465
+ :key_storage_security_standard)
333
466
  SENSITIVE = []
334
467
  include Aws::Structure
335
468
  end
@@ -621,10 +754,12 @@ module Aws::ACMPCA
621
754
  # expiration_in_days: 1,
622
755
  # custom_cname: "String253",
623
756
  # s3_bucket_name: "String3To255",
757
+ # s3_object_acl: "PUBLIC_READ", # accepts PUBLIC_READ, BUCKET_OWNER_FULL_CONTROL
624
758
  # },
625
759
  # },
626
760
  # certificate_authority_type: "ROOT", # required, accepts ROOT, SUBORDINATE
627
761
  # idempotency_token: "IdempotencyToken",
762
+ # key_storage_security_standard: "FIPS_140_2_LEVEL_2_OR_HIGHER", # accepts FIPS_140_2_LEVEL_2_OR_HIGHER, FIPS_140_2_LEVEL_3_OR_HIGHER
628
763
  # tags: [
629
764
  # {
630
765
  # key: "TagKey", # required
@@ -656,13 +791,30 @@ module Aws::ACMPCA
656
791
  # @return [String]
657
792
  #
658
793
  # @!attribute [rw] idempotency_token
659
- # Alphanumeric string that can be used to distinguish between calls to
660
- # **CreateCertificateAuthority**. For a given token, ACM Private CA
661
- # creates exactly one CA. If you issue a subsequent call using the
662
- # same token, ACM Private CA returns the ARN of the existing CA and
663
- # takes no further action. If you change the idempotency token across
664
- # multiple calls, ACM Private CA creates a unique CA for each unique
665
- # token.
794
+ # Custom string that can be used to distinguish between calls to the
795
+ # **CreateCertificateAuthority** action. Idempotency tokens for
796
+ # **CreateCertificateAuthority** time out after five minutes.
797
+ # Therefore, if you call **CreateCertificateAuthority** multiple times
798
+ # with the same idempotency token within five minutes, ACM Private CA
799
+ # recognizes that you are requesting only certificate authority and
800
+ # will issue only one. If you change the idempotency token for each
801
+ # call, PCA recognizes that you are requesting multiple certificate
802
+ # authorities.
803
+ # @return [String]
804
+ #
805
+ # @!attribute [rw] key_storage_security_standard
806
+ # Specifies a cryptographic key management compliance standard used
807
+ # for handling CA keys.
808
+ #
809
+ # Default: FIPS\_140\_2\_LEVEL\_3\_OR\_HIGHER
810
+ #
811
+ # Note: `FIPS_140_2_LEVEL_3_OR_HIGHER` is not supported in Region
812
+ # ap-northeast-3. When creating a CA in the ap-northeast-3, you must
813
+ # provide `FIPS_140_2_LEVEL_2_OR_HIGHER` as the argument for
814
+ # `KeyStorageSecurityStandard`. Failure to do this results in an
815
+ # `InvalidArgsException` with the message, "A certificate authority
816
+ # cannot be created in this region with the specified security
817
+ # standard."
666
818
  # @return [String]
667
819
  #
668
820
  # @!attribute [rw] tags
@@ -683,6 +835,7 @@ module Aws::ACMPCA
683
835
  :revocation_configuration,
684
836
  :certificate_authority_type,
685
837
  :idempotency_token,
838
+ :key_storage_security_standard,
686
839
  :tags)
687
840
  SENSITIVE = []
688
841
  include Aws::Structure
@@ -764,7 +917,7 @@ module Aws::ACMPCA
764
917
  # Points** extension of each certificate it issues. Your S3 bucket
765
918
  # policy must give write permission to ACM Private CA.
766
919
  #
767
- # ACM Private CAA assets that are stored in Amazon S3 can be protected
920
+ # ACM Private CA assets that are stored in Amazon S3 can be protected
768
921
  # with encryption. For more information, see [Encrypting Your CRLs][1].
769
922
  #
770
923
  # Your private CA uses the value in the **ExpirationInDays** parameter
@@ -833,6 +986,7 @@ module Aws::ACMPCA
833
986
  # expiration_in_days: 1,
834
987
  # custom_cname: "String253",
835
988
  # s3_bucket_name: "String3To255",
989
+ # s3_object_acl: "PUBLIC_READ", # accepts PUBLIC_READ, BUCKET_OWNER_FULL_CONTROL
836
990
  # }
837
991
  #
838
992
  # @!attribute [rw] enabled
@@ -865,12 +1019,39 @@ module Aws::ACMPCA
865
1019
  # is placed into the **CRL Distribution Points** extension of the
866
1020
  # issued certificate. You can change the name of your bucket by
867
1021
  # calling the [UpdateCertificateAuthority][1] action. You must specify
868
- # a bucket policy that allows ACM Private CA to write the CRL to your
869
- # bucket.
1022
+ # a [bucket policy][2] that allows ACM Private CA to write the CRL to
1023
+ # your bucket.
870
1024
  #
871
1025
  #
872
1026
  #
873
1027
  # [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_UpdateCertificateAuthority.html
1028
+ # [2]: https://docs.aws.amazon.com/acm-pca/latest/userguide/PcaCreateCa.html#s3-policies
1029
+ # @return [String]
1030
+ #
1031
+ # @!attribute [rw] s3_object_acl
1032
+ # Determines whether the CRL will be publicly readable or privately
1033
+ # held in the CRL Amazon S3 bucket. If you choose PUBLIC\_READ, the
1034
+ # CRL will be accessible over the public internet. If you choose
1035
+ # BUCKET\_OWNER\_FULL\_CONTROL, only the owner of the CRL S3 bucket
1036
+ # can access the CRL, and your PKI clients may need an alternative
1037
+ # method of access.
1038
+ #
1039
+ # If no value is specified, the default is `PUBLIC_READ`.
1040
+ #
1041
+ # *Note:* This default can cause CA creation to fail in some
1042
+ # circumstances. If you have have enabled the Block Public Access
1043
+ # (BPA) feature in your S3 account, then you must specify the value of
1044
+ # this parameter as `BUCKET_OWNER_FULL_CONTROL`, and not doing so
1045
+ # results in an error. If you have disabled BPA in S3, then you can
1046
+ # specify either `BUCKET_OWNER_FULL_CONTROL` or `PUBLIC_READ` as the
1047
+ # value.
1048
+ #
1049
+ # For more information, see [Blocking public access to the S3
1050
+ # bucket][1].
1051
+ #
1052
+ #
1053
+ #
1054
+ # [1]: https://docs.aws.amazon.com/acm-pca/latest/userguide/PcaCreateCa.html#s3-bpa
874
1055
  # @return [String]
875
1056
  #
876
1057
  # @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/CrlConfiguration AWS API Documentation
@@ -879,7 +1060,8 @@ module Aws::ACMPCA
879
1060
  :enabled,
880
1061
  :expiration_in_days,
881
1062
  :custom_cname,
882
- :s3_bucket_name)
1063
+ :s3_bucket_name,
1064
+ :s3_object_acl)
883
1065
  SENSITIVE = []
884
1066
  include Aws::Structure
885
1067
  end
@@ -1211,10 +1393,160 @@ module Aws::ACMPCA
1211
1393
  include Aws::Structure
1212
1394
  end
1213
1395
 
1396
+ # Specifies additional purposes for which the certified public key may
1397
+ # be used other than basic purposes indicated in the `KeyUsage`
1398
+ # extension.
1399
+ #
1400
+ # @note When making an API call, you may pass ExtendedKeyUsage
1401
+ # data as a hash:
1402
+ #
1403
+ # {
1404
+ # extended_key_usage_type: "SERVER_AUTH", # accepts SERVER_AUTH, CLIENT_AUTH, CODE_SIGNING, EMAIL_PROTECTION, TIME_STAMPING, OCSP_SIGNING, SMART_CARD_LOGIN, DOCUMENT_SIGNING, CERTIFICATE_TRANSPARENCY
1405
+ # extended_key_usage_object_identifier: "CustomObjectIdentifier",
1406
+ # }
1407
+ #
1408
+ # @!attribute [rw] extended_key_usage_type
1409
+ # Specifies a standard `ExtendedKeyUsage` as defined as in [RFC
1410
+ # 5280][1].
1411
+ #
1412
+ #
1413
+ #
1414
+ # [1]: https://tools.ietf.org/html/rfc5280#section-4.2.1.12
1415
+ # @return [String]
1416
+ #
1417
+ # @!attribute [rw] extended_key_usage_object_identifier
1418
+ # Specifies a custom `ExtendedKeyUsage` with an object identifier
1419
+ # (OID).
1420
+ # @return [String]
1421
+ #
1422
+ # @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/ExtendedKeyUsage AWS API Documentation
1423
+ #
1424
+ class ExtendedKeyUsage < Struct.new(
1425
+ :extended_key_usage_type,
1426
+ :extended_key_usage_object_identifier)
1427
+ SENSITIVE = []
1428
+ include Aws::Structure
1429
+ end
1430
+
1431
+ # Contains X.509 extension information for a certificate.
1432
+ #
1433
+ # @note When making an API call, you may pass Extensions
1434
+ # data as a hash:
1435
+ #
1436
+ # {
1437
+ # certificate_policies: [
1438
+ # {
1439
+ # cert_policy_id: "CustomObjectIdentifier", # required
1440
+ # policy_qualifiers: [
1441
+ # {
1442
+ # policy_qualifier_id: "CPS", # required, accepts CPS
1443
+ # qualifier: { # required
1444
+ # cps_uri: "String256", # required
1445
+ # },
1446
+ # },
1447
+ # ],
1448
+ # },
1449
+ # ],
1450
+ # extended_key_usage: [
1451
+ # {
1452
+ # extended_key_usage_type: "SERVER_AUTH", # accepts SERVER_AUTH, CLIENT_AUTH, CODE_SIGNING, EMAIL_PROTECTION, TIME_STAMPING, OCSP_SIGNING, SMART_CARD_LOGIN, DOCUMENT_SIGNING, CERTIFICATE_TRANSPARENCY
1453
+ # extended_key_usage_object_identifier: "CustomObjectIdentifier",
1454
+ # },
1455
+ # ],
1456
+ # key_usage: {
1457
+ # digital_signature: false,
1458
+ # non_repudiation: false,
1459
+ # key_encipherment: false,
1460
+ # data_encipherment: false,
1461
+ # key_agreement: false,
1462
+ # key_cert_sign: false,
1463
+ # crl_sign: false,
1464
+ # encipher_only: false,
1465
+ # decipher_only: false,
1466
+ # },
1467
+ # subject_alternative_names: [
1468
+ # {
1469
+ # other_name: {
1470
+ # type_id: "CustomObjectIdentifier", # required
1471
+ # value: "String256", # required
1472
+ # },
1473
+ # rfc_822_name: "String256",
1474
+ # dns_name: "String253",
1475
+ # directory_name: {
1476
+ # country: "CountryCodeString",
1477
+ # organization: "String64",
1478
+ # organizational_unit: "String64",
1479
+ # distinguished_name_qualifier: "ASN1PrintableString64",
1480
+ # state: "String128",
1481
+ # common_name: "String64",
1482
+ # serial_number: "ASN1PrintableString64",
1483
+ # locality: "String128",
1484
+ # title: "String64",
1485
+ # surname: "String40",
1486
+ # given_name: "String16",
1487
+ # initials: "String5",
1488
+ # pseudonym: "String128",
1489
+ # generation_qualifier: "String3",
1490
+ # },
1491
+ # edi_party_name: {
1492
+ # party_name: "String256", # required
1493
+ # name_assigner: "String256",
1494
+ # },
1495
+ # uniform_resource_identifier: "String253",
1496
+ # ip_address: "String39",
1497
+ # registered_id: "CustomObjectIdentifier",
1498
+ # },
1499
+ # ],
1500
+ # }
1501
+ #
1502
+ # @!attribute [rw] certificate_policies
1503
+ # Contains a sequence of one or more policy information terms, each of
1504
+ # which consists of an object identifier (OID) and optional
1505
+ # qualifiers. For more information, see NIST's definition of [Object
1506
+ # Identifier (OID)][1].
1507
+ #
1508
+ # In an end-entity certificate, these terms indicate the policy under
1509
+ # which the certificate was issued and the purposes for which it may
1510
+ # be used. In a CA certificate, these terms limit the set of policies
1511
+ # for certification paths that include this certificate.
1512
+ #
1513
+ #
1514
+ #
1515
+ # [1]: https://csrc.nist.gov/glossary/term/Object_Identifier
1516
+ # @return [Array<Types::PolicyInformation>]
1517
+ #
1518
+ # @!attribute [rw] extended_key_usage
1519
+ # Specifies additional purposes for which the certified public key may
1520
+ # be used other than basic purposes indicated in the `KeyUsage`
1521
+ # extension.
1522
+ # @return [Array<Types::ExtendedKeyUsage>]
1523
+ #
1524
+ # @!attribute [rw] key_usage
1525
+ # Defines one or more purposes for which the key contained in the
1526
+ # certificate can be used. Default value for each option is false.
1527
+ # @return [Types::KeyUsage]
1528
+ #
1529
+ # @!attribute [rw] subject_alternative_names
1530
+ # The subject alternative name extension allows identities to be bound
1531
+ # to the subject of the certificate. These identities may be included
1532
+ # in addition to or in place of the identity in the subject field of
1533
+ # the certificate.
1534
+ # @return [Array<Types::GeneralName>]
1535
+ #
1536
+ # @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/Extensions AWS API Documentation
1537
+ #
1538
+ class Extensions < Struct.new(
1539
+ :certificate_policies,
1540
+ :extended_key_usage,
1541
+ :key_usage,
1542
+ :subject_alternative_names)
1543
+ SENSITIVE = []
1544
+ include Aws::Structure
1545
+ end
1546
+
1214
1547
  # Describes an ASN.1 X.400 `GeneralName` as defined in [RFC 5280][1].
1215
- # Only one of the following naming options should be providied.
1216
- # Providing more than one option results in an `InvalidArgsException`
1217
- # error.
1548
+ # Only one of the following naming options should be provided. Providing
1549
+ # more than one option results in an `InvalidArgsException` error.
1218
1550
  #
1219
1551
  #
1220
1552
  #
@@ -1272,16 +1604,13 @@ module Aws::ACMPCA
1272
1604
  # @return [String]
1273
1605
  #
1274
1606
  # @!attribute [rw] directory_name
1275
- # Contains information about the certificate subject. The certificate
1276
- # can be one issued by your private certificate authority (CA) or it
1277
- # can be your private CA certificate. The **Subject** field in the
1278
- # certificate identifies the entity that owns or controls the public
1279
- # key in the certificate. The entity can be a user, computer, device,
1280
- # or service. The **Subject** must contain an X.500 distinguished name
1281
- # (DN). A DN is a sequence of relative distinguished names (RDNs). The
1282
- # RDNs are separated by commas in the certificate. The DN must be
1283
- # unique for each entity, but your private CA can issue more than one
1284
- # certificate with the same DN to the same entity.
1607
+ # Contains information about the certificate subject. The `Subject`
1608
+ # field in the certificate identifies the entity that owns or controls
1609
+ # the public key in the certificate. The entity can be a user,
1610
+ # computer, device, or service. The `Subject `must contain an X.500
1611
+ # distinguished name (DN). A DN is a sequence of relative
1612
+ # distinguished names (RDNs). The RDNs are separated by commas in the
1613
+ # certificate.
1285
1614
  # @return [Types::ASN1Subject]
1286
1615
  #
1287
1616
  # @!attribute [rw] edi_party_name
@@ -1644,6 +1973,89 @@ module Aws::ACMPCA
1644
1973
  # data as a hash:
1645
1974
  #
1646
1975
  # {
1976
+ # api_passthrough: {
1977
+ # extensions: {
1978
+ # certificate_policies: [
1979
+ # {
1980
+ # cert_policy_id: "CustomObjectIdentifier", # required
1981
+ # policy_qualifiers: [
1982
+ # {
1983
+ # policy_qualifier_id: "CPS", # required, accepts CPS
1984
+ # qualifier: { # required
1985
+ # cps_uri: "String256", # required
1986
+ # },
1987
+ # },
1988
+ # ],
1989
+ # },
1990
+ # ],
1991
+ # extended_key_usage: [
1992
+ # {
1993
+ # extended_key_usage_type: "SERVER_AUTH", # accepts SERVER_AUTH, CLIENT_AUTH, CODE_SIGNING, EMAIL_PROTECTION, TIME_STAMPING, OCSP_SIGNING, SMART_CARD_LOGIN, DOCUMENT_SIGNING, CERTIFICATE_TRANSPARENCY
1994
+ # extended_key_usage_object_identifier: "CustomObjectIdentifier",
1995
+ # },
1996
+ # ],
1997
+ # key_usage: {
1998
+ # digital_signature: false,
1999
+ # non_repudiation: false,
2000
+ # key_encipherment: false,
2001
+ # data_encipherment: false,
2002
+ # key_agreement: false,
2003
+ # key_cert_sign: false,
2004
+ # crl_sign: false,
2005
+ # encipher_only: false,
2006
+ # decipher_only: false,
2007
+ # },
2008
+ # subject_alternative_names: [
2009
+ # {
2010
+ # other_name: {
2011
+ # type_id: "CustomObjectIdentifier", # required
2012
+ # value: "String256", # required
2013
+ # },
2014
+ # rfc_822_name: "String256",
2015
+ # dns_name: "String253",
2016
+ # directory_name: {
2017
+ # country: "CountryCodeString",
2018
+ # organization: "String64",
2019
+ # organizational_unit: "String64",
2020
+ # distinguished_name_qualifier: "ASN1PrintableString64",
2021
+ # state: "String128",
2022
+ # common_name: "String64",
2023
+ # serial_number: "ASN1PrintableString64",
2024
+ # locality: "String128",
2025
+ # title: "String64",
2026
+ # surname: "String40",
2027
+ # given_name: "String16",
2028
+ # initials: "String5",
2029
+ # pseudonym: "String128",
2030
+ # generation_qualifier: "String3",
2031
+ # },
2032
+ # edi_party_name: {
2033
+ # party_name: "String256", # required
2034
+ # name_assigner: "String256",
2035
+ # },
2036
+ # uniform_resource_identifier: "String253",
2037
+ # ip_address: "String39",
2038
+ # registered_id: "CustomObjectIdentifier",
2039
+ # },
2040
+ # ],
2041
+ # },
2042
+ # subject: {
2043
+ # country: "CountryCodeString",
2044
+ # organization: "String64",
2045
+ # organizational_unit: "String64",
2046
+ # distinguished_name_qualifier: "ASN1PrintableString64",
2047
+ # state: "String128",
2048
+ # common_name: "String64",
2049
+ # serial_number: "ASN1PrintableString64",
2050
+ # locality: "String128",
2051
+ # title: "String64",
2052
+ # surname: "String40",
2053
+ # given_name: "String16",
2054
+ # initials: "String5",
2055
+ # pseudonym: "String128",
2056
+ # generation_qualifier: "String3",
2057
+ # },
2058
+ # },
1647
2059
  # certificate_authority_arn: "Arn", # required
1648
2060
  # csr: "data", # required
1649
2061
  # signing_algorithm: "SHA256WITHECDSA", # required, accepts SHA256WITHECDSA, SHA384WITHECDSA, SHA512WITHECDSA, SHA256WITHRSA, SHA384WITHRSA, SHA512WITHRSA
@@ -1652,9 +2064,30 @@ module Aws::ACMPCA
1652
2064
  # value: 1, # required
1653
2065
  # type: "END_DATE", # required, accepts END_DATE, ABSOLUTE, DAYS, MONTHS, YEARS
1654
2066
  # },
2067
+ # validity_not_before: {
2068
+ # value: 1, # required
2069
+ # type: "END_DATE", # required, accepts END_DATE, ABSOLUTE, DAYS, MONTHS, YEARS
2070
+ # },
1655
2071
  # idempotency_token: "IdempotencyToken",
1656
2072
  # }
1657
2073
  #
2074
+ # @!attribute [rw] api_passthrough
2075
+ # Specifies X.509 certificate information to be included in the issued
2076
+ # certificate. An `APIPassthrough` or `APICSRPassthrough` template
2077
+ # variant must be selected, or else this parameter is ignored. For
2078
+ # more information about using these templates, see [Understanding
2079
+ # Certificate Templates][1].
2080
+ #
2081
+ # If conflicting or duplicate certificate information is supplied
2082
+ # during certificate issuance, ACM Private CA applies [order of
2083
+ # operation rules][2] to determine what information is used.
2084
+ #
2085
+ #
2086
+ #
2087
+ # [1]: https://docs.aws.amazon.com/acm-pca/latest/userguide/UsingTemplates.html
2088
+ # [2]: https://docs.aws.amazon.com/acm-pca/latest/userguide/UsingTemplates.html#template-order-of-operations
2089
+ # @return [Types::ApiPassthrough]
2090
+ #
1658
2091
  # @!attribute [rw] certificate_authority_arn
1659
2092
  # The Amazon Resource Name (ARN) that was returned when you called
1660
2093
  # [CreateCertificateAuthority][1]. This must be of the form:
@@ -1669,15 +2102,15 @@ module Aws::ACMPCA
1669
2102
  #
1670
2103
  # @!attribute [rw] csr
1671
2104
  # The certificate signing request (CSR) for the certificate you want
1672
- # to issue. You can use the following OpenSSL command to create the
1673
- # CSR and a 2048 bit RSA private key.
2105
+ # to issue. As an example, you can use the following OpenSSL command
2106
+ # to create the CSR and a 2048 bit RSA private key.
1674
2107
  #
1675
2108
  # `openssl req -new -newkey rsa:2048 -days 365 -keyout
1676
2109
  # private/test_cert_priv_key.pem -out csr/test_cert_.csr`
1677
2110
  #
1678
- # If you have a configuration file, you can use the following OpenSSL
1679
- # command. The `usr_cert` block in the configuration file contains
1680
- # your X509 version 3 extensions.
2111
+ # If you have a configuration file, you can then use the following
2112
+ # OpenSSL command. The `usr_cert` block in the configuration file
2113
+ # contains your X509 version 3 extensions.
1681
2114
  #
1682
2115
  # `openssl req -new -config openssl_rsa.cnf -extensions usr_cert
1683
2116
  # -newkey rsa:2048 -days -365 -keyout private/test_cert_priv_key.pem
@@ -1692,7 +2125,8 @@ module Aws::ACMPCA
1692
2125
  # to be issued.
1693
2126
  #
1694
2127
  # This parameter should not be confused with the `SigningAlgorithm`
1695
- # parameter used to sign a CSR.
2128
+ # parameter used to sign a CSR in the `CreateCertificateAuthority`
2129
+ # action.
1696
2130
  # @return [String]
1697
2131
  #
1698
2132
  # @!attribute [rw] template_arn
@@ -1706,77 +2140,85 @@ module Aws::ACMPCA
1706
2140
  # Note: The CA depth configured on a subordinate CA certificate must
1707
2141
  # not exceed the limit set by its parents in the CA hierarchy.
1708
2142
  #
1709
- # The following service-owned `TemplateArn` values are supported by
1710
- # ACM Private CA:
1711
- #
1712
- # * arn:aws:acm-pca:::template/CodeSigningCertificate/V1
2143
+ # For a list of `TemplateArn` values supported by ACM Private CA, see
2144
+ # [Understanding Certificate Templates][2].
1713
2145
  #
1714
- # * arn:aws:acm-pca:::template/CodeSigningCertificate\_CSRPassthrough/V1
1715
2146
  #
1716
- # * arn:aws:acm-pca:::template/EndEntityCertificate/V1
1717
2147
  #
1718
- # * arn:aws:acm-pca:::template/EndEntityCertificate\_CSRPassthrough/V1
1719
- #
1720
- # * arn:aws:acm-pca:::template/EndEntityClientAuthCertificate/V1
1721
- #
1722
- # * arn:aws:acm-pca:::template/EndEntityClientAuthCertificate\_CSRPassthrough/V1
1723
- #
1724
- # * arn:aws:acm-pca:::template/EndEntityServerAuthCertificate/V1
1725
- #
1726
- # * arn:aws:acm-pca:::template/EndEntityServerAuthCertificate\_CSRPassthrough/V1
2148
+ # [1]: https://docs.aws.amazon.com/acm-pca/latest/userguide/PcaTerms.html#terms-cadepth
2149
+ # [2]: https://docs.aws.amazon.com/acm-pca/latest/userguide/UsingTemplates.html
2150
+ # @return [String]
1727
2151
  #
1728
- # * arn:aws:acm-pca:::template/OCSPSigningCertificate/V1
2152
+ # @!attribute [rw] validity
2153
+ # Information describing the end of the validity period of the
2154
+ # certificate. This parameter sets the “Not After” date for the
2155
+ # certificate.
1729
2156
  #
1730
- # * arn:aws:acm-pca:::template/OCSPSigningCertificate\_CSRPassthrough/V1
2157
+ # Certificate validity is the period of time during which a
2158
+ # certificate is valid. Validity can be expressed as an explicit date
2159
+ # and time when the certificate expires, or as a span of time after
2160
+ # issuance, stated in days, months, or years. For more information,
2161
+ # see [Validity][1] in RFC 5280.
1731
2162
  #
1732
- # * arn:aws:acm-pca:::template/RootCACertificate/V1
2163
+ # This value is unaffected when `ValidityNotBefore` is also specified.
2164
+ # For example, if `Validity` is set to 20 days in the future, the
2165
+ # certificate will expire 20 days from issuance time regardless of the
2166
+ # `ValidityNotBefore` value.
1733
2167
  #
1734
- # * arn:aws:acm-pca:::template/SubordinateCACertificate\_PathLen0/V1
2168
+ # The end of the validity period configured on a certificate must not
2169
+ # exceed the limit set on its parents in the CA hierarchy.
1735
2170
  #
1736
- # * arn:aws:acm-pca:::template/SubordinateCACertificate\_PathLen1/V1
1737
2171
  #
1738
- # * arn:aws:acm-pca:::template/SubordinateCACertificate\_PathLen2/V1
1739
2172
  #
1740
- # * arn:aws:acm-pca:::template/SubordinateCACertificate\_PathLen3/V1
2173
+ # [1]: https://tools.ietf.org/html/rfc5280#section-4.1.2.5
2174
+ # @return [Types::Validity]
1741
2175
  #
1742
- # For more information, see [Using Templates][2].
2176
+ # @!attribute [rw] validity_not_before
2177
+ # Information describing the start of the validity period of the
2178
+ # certificate. This parameter sets the “Not Before" date for the
2179
+ # certificate.
1743
2180
  #
2181
+ # By default, when issuing a certificate, ACM Private CA sets the
2182
+ # "Not Before" date to the issuance time minus 60 minutes. This
2183
+ # compensates for clock inconsistencies across computer systems. The
2184
+ # `ValidityNotBefore` parameter can be used to customize the “Not
2185
+ # Before” value.
1744
2186
  #
2187
+ # Unlike the `Validity` parameter, the `ValidityNotBefore` parameter
2188
+ # is optional.
1745
2189
  #
1746
- # [1]: https://docs.aws.amazon.com/acm-pca/latest/userguide/PcaTerms.html#terms-cadepth
1747
- # [2]: https://docs.aws.amazon.com/acm-pca/latest/userguide/UsingTemplates.html
1748
- # @return [String]
2190
+ # The `ValidityNotBefore` value is expressed as an explicit date and
2191
+ # time, using the `Validity` type value `ABSOLUTE`. For more
2192
+ # information, see [Validity][1] in this API reference and
2193
+ # [Validity][2] in RFC 5280.
1749
2194
  #
1750
- # @!attribute [rw] validity
1751
- # Information describing the validity period of the certificate.
1752
2195
  #
1753
- # When issuing a certificate, ACM Private CA sets the "Not Before"
1754
- # date in the validity field to date and time minus 60 minutes. This
1755
- # is intended to compensate for time inconsistencies across systems of
1756
- # 60 minutes or less.
1757
2196
  #
1758
- # The validity period configured on a certificate must not exceed the
1759
- # limit set by its parents in the CA hierarchy.
2197
+ # [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_Validity.html
2198
+ # [2]: https://tools.ietf.org/html/rfc5280#section-4.1.2.5
1760
2199
  # @return [Types::Validity]
1761
2200
  #
1762
2201
  # @!attribute [rw] idempotency_token
1763
- # Custom string that can be used to distinguish between calls to the
1764
- # **IssueCertificate** action. Idempotency tokens time out after one
1765
- # hour. Therefore, if you call **IssueCertificate** multiple times
1766
- # with the same idempotency token within 5 minutes, ACM Private CA
1767
- # recognizes that you are requesting only one certificate and will
1768
- # issue only one. If you change the idempotency token for each call,
1769
- # PCA recognizes that you are requesting multiple certificates.
2202
+ # Alphanumeric string that can be used to distinguish between calls to
2203
+ # the **IssueCertificate** action. Idempotency tokens for
2204
+ # **IssueCertificate** time out after one minute. Therefore, if you
2205
+ # call **IssueCertificate** multiple times with the same idempotency
2206
+ # token within one minute, ACM Private CA recognizes that you are
2207
+ # requesting only one certificate and will issue only one. If you
2208
+ # change the idempotency token for each call, PCA recognizes that you
2209
+ # are requesting multiple certificates.
1770
2210
  # @return [String]
1771
2211
  #
1772
2212
  # @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/IssueCertificateRequest AWS API Documentation
1773
2213
  #
1774
2214
  class IssueCertificateRequest < Struct.new(
2215
+ :api_passthrough,
1775
2216
  :certificate_authority_arn,
1776
2217
  :csr,
1777
2218
  :signing_algorithm,
1778
2219
  :template_arn,
1779
2220
  :validity,
2221
+ :validity_not_before,
1780
2222
  :idempotency_token)
1781
2223
  SENSITIVE = []
1782
2224
  include Aws::Structure
@@ -2212,6 +2654,79 @@ module Aws::ACMPCA
2212
2654
  include Aws::Structure
2213
2655
  end
2214
2656
 
2657
+ # Defines the X.509 `CertificatePolicies` extension.
2658
+ #
2659
+ # @note When making an API call, you may pass PolicyInformation
2660
+ # data as a hash:
2661
+ #
2662
+ # {
2663
+ # cert_policy_id: "CustomObjectIdentifier", # required
2664
+ # policy_qualifiers: [
2665
+ # {
2666
+ # policy_qualifier_id: "CPS", # required, accepts CPS
2667
+ # qualifier: { # required
2668
+ # cps_uri: "String256", # required
2669
+ # },
2670
+ # },
2671
+ # ],
2672
+ # }
2673
+ #
2674
+ # @!attribute [rw] cert_policy_id
2675
+ # Specifies the object identifier (OID) of the certificate policy
2676
+ # under which the certificate was issued. For more information, see
2677
+ # NIST's definition of [Object Identifier (OID)][1].
2678
+ #
2679
+ #
2680
+ #
2681
+ # [1]: https://csrc.nist.gov/glossary/term/Object_Identifier
2682
+ # @return [String]
2683
+ #
2684
+ # @!attribute [rw] policy_qualifiers
2685
+ # Modifies the given `CertPolicyId` with a qualifier. ACM Private CA
2686
+ # supports the certification practice statement (CPS) qualifier.
2687
+ # @return [Array<Types::PolicyQualifierInfo>]
2688
+ #
2689
+ # @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/PolicyInformation AWS API Documentation
2690
+ #
2691
+ class PolicyInformation < Struct.new(
2692
+ :cert_policy_id,
2693
+ :policy_qualifiers)
2694
+ SENSITIVE = []
2695
+ include Aws::Structure
2696
+ end
2697
+
2698
+ # Modifies the `CertPolicyId` of a `PolicyInformation` object with a
2699
+ # qualifier. ACM Private CA supports the certification practice
2700
+ # statement (CPS) qualifier.
2701
+ #
2702
+ # @note When making an API call, you may pass PolicyQualifierInfo
2703
+ # data as a hash:
2704
+ #
2705
+ # {
2706
+ # policy_qualifier_id: "CPS", # required, accepts CPS
2707
+ # qualifier: { # required
2708
+ # cps_uri: "String256", # required
2709
+ # },
2710
+ # }
2711
+ #
2712
+ # @!attribute [rw] policy_qualifier_id
2713
+ # Identifies the qualifier modifying a `CertPolicyId`.
2714
+ # @return [String]
2715
+ #
2716
+ # @!attribute [rw] qualifier
2717
+ # Defines the qualifier type. ACM Private CA supports the use of a URI
2718
+ # for a CPS qualifier in this field.
2719
+ # @return [Types::Qualifier]
2720
+ #
2721
+ # @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/PolicyQualifierInfo AWS API Documentation
2722
+ #
2723
+ class PolicyQualifierInfo < Struct.new(
2724
+ :policy_qualifier_id,
2725
+ :qualifier)
2726
+ SENSITIVE = []
2727
+ include Aws::Structure
2728
+ end
2729
+
2215
2730
  # @note When making an API call, you may pass PutPolicyRequest
2216
2731
  # data as a hash:
2217
2732
  #
@@ -2233,7 +2748,7 @@ module Aws::ACMPCA
2233
2748
  # @return [String]
2234
2749
  #
2235
2750
  # @!attribute [rw] policy
2236
- # The path and filename of a JSON-formatted IAM policy to attach to
2751
+ # The path and file name of a JSON-formatted IAM policy to attach to
2237
2752
  # the specified private CA resource. If this policy does not contain
2238
2753
  # all required statements or if it includes any statement that is not
2239
2754
  # allowed, the `PutPolicy` action returns an `InvalidPolicyException`.
@@ -2254,6 +2769,34 @@ module Aws::ACMPCA
2254
2769
  include Aws::Structure
2255
2770
  end
2256
2771
 
2772
+ # Defines a `PolicyInformation` qualifier. ACM Private CA supports the
2773
+ # [certification practice statement (CPS) qualifier][1] defined in RFC
2774
+ # 5280.
2775
+ #
2776
+ #
2777
+ #
2778
+ # [1]: https://tools.ietf.org/html/rfc5280#section-4.2.1.4
2779
+ #
2780
+ # @note When making an API call, you may pass Qualifier
2781
+ # data as a hash:
2782
+ #
2783
+ # {
2784
+ # cps_uri: "String256", # required
2785
+ # }
2786
+ #
2787
+ # @!attribute [rw] cps_uri
2788
+ # Contains a pointer to a certification practice statement (CPS)
2789
+ # published by the CA.
2790
+ # @return [String]
2791
+ #
2792
+ # @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/Qualifier AWS API Documentation
2793
+ #
2794
+ class Qualifier < Struct.new(
2795
+ :cps_uri)
2796
+ SENSITIVE = []
2797
+ include Aws::Structure
2798
+ end
2799
+
2257
2800
  # Your request has already been completed.
2258
2801
  #
2259
2802
  # @!attribute [rw] message
@@ -2356,6 +2899,7 @@ module Aws::ACMPCA
2356
2899
  # expiration_in_days: 1,
2357
2900
  # custom_cname: "String253",
2358
2901
  # s3_bucket_name: "String3To255",
2902
+ # s3_object_acl: "PUBLIC_READ", # accepts PUBLIC_READ, BUCKET_OWNER_FULL_CONTROL
2359
2903
  # },
2360
2904
  # }
2361
2905
  #
@@ -2561,6 +3105,7 @@ module Aws::ACMPCA
2561
3105
  # expiration_in_days: 1,
2562
3106
  # custom_cname: "String253",
2563
3107
  # s3_bucket_name: "String3To255",
3108
+ # s3_object_acl: "PUBLIC_READ", # accepts PUBLIC_READ, BUCKET_OWNER_FULL_CONTROL
2564
3109
  # },
2565
3110
  # },
2566
3111
  # status: "CREATING", # accepts CREATING, PENDING_CERTIFICATE, ACTIVE, DELETED, DISABLED, EXPIRED, FAILED
@@ -2594,17 +3139,20 @@ module Aws::ACMPCA
2594
3139
 
2595
3140
  # Validity specifies the period of time during which a certificate is
2596
3141
  # valid. Validity can be expressed as an explicit date and time when the
2597
- # certificate expires, or as a span of time after issuance, stated in
2598
- # days, months, or years. For more information, see [Validity][1] in RFC
2599
- # 5280.
3142
+ # validity of a certificate starts or expires, or as a span of time
3143
+ # after issuance, stated in days, months, or years. For more
3144
+ # information, see [Validity][1] in RFC 5280.
2600
3145
  #
2601
- # You can issue a certificate by calling the [IssueCertificate][2]
2602
- # action.
3146
+ # ACM Private CA API consumes the `Validity` data type differently in
3147
+ # two distinct parameters of the `IssueCertificate` action. The required
3148
+ # parameter `IssueCertificate`\:`Validity` specifies the end of a
3149
+ # certificate's validity period. The optional parameter
3150
+ # `IssueCertificate`\:`ValidityNotBefore` specifies a customized
3151
+ # starting time for the validity period.
2603
3152
  #
2604
3153
  #
2605
3154
  #
2606
3155
  # [1]: https://tools.ietf.org/html/rfc5280#section-4.1.2.5
2607
- # [2]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_IssueCertificate.html
2608
3156
  #
2609
3157
  # @note When making an API call, you may pass Validity
2610
3158
  # data as a hash:
@@ -2635,8 +3183,9 @@ module Aws::ACMPCA
2635
3183
  #
2636
3184
  # * Output expiration date/time: 12/31/2049 23:59:59
2637
3185
  #
2638
- # `ABSOLUTE`\: The specific date and time when the certificate will
2639
- # expire, expressed in seconds since the Unix Epoch.
3186
+ # `ABSOLUTE`\: The specific date and time when the validity of a
3187
+ # certificate will start or expire, expressed in seconds since the
3188
+ # Unix Epoch.
2640
3189
  #
2641
3190
  # * Sample input value: 2524608000
2642
3191
  #