aws-sdk-acmpca 1.36.0 → 1.40.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 6f3a3088e948b635c92f274b880ceb55aa7dafd77799a3f19af7b2171c38f982
-  data.tar.gz: ed00f35cdce2863f478e50e1597eea47cf92bdc518c071fb7e544d9c6bc6497a
+  metadata.gz: 83ded82047c2f15aeb2eea331d16f41c3ad749a00534a13d8e95f77869f5ecf4
+  data.tar.gz: f15af40ada14477675f141ffe357da371e42009125374bae0ad2088fe0204274
 SHA512:
-  metadata.gz: 0c574e23bf71374dfd49579ce35aa830dac961fd033b03e324f63e30ff9114583610b2fcee9f7d5032e59de1d075de315cb71a51d80567bffbfb93d78a2211bf
-  data.tar.gz: 0df701f48febe1dbe26fa232ad220bcb6204b2627d972b5fbf8e206ad76ed5e2b7b4b265827e9977b1ad80a1bda064907b338469c40b991258a7e967a2ac90ab
+  metadata.gz: 71dc96e415b39a4a68924c83ca38a2afe387cf5f365351d6f6ddb4b8a8d758afbca0065f08061bd039c727b6c60602481291ce994ae344f90a95f1eeed27617c
+  data.tar.gz: 5a4c0c9fb97cb25d954f292a422583cf1a411164e804d0688a57cc7d4f57fe1a4b03ee08745752d5d51d219c3b4466796ac938ac9ede937fe151de0e69d456e9

data/CHANGELOG.md

@@ -1,6 +1,26 @@
 Unreleased Changes
 ------------------
 
+1.40.0 (2021-09-02)
+------------------
+
+* Feature - Private Certificate Authority Service now allows customers to enable an online certificate status protocol (OCSP) responder service on their private certificate authorities. Customers can also optionally configure a custom CNAME for their OCSP responder.
+
+1.39.0 (2021-09-01)
+------------------
+
+* Feature - Code Generated Changes, see `./build_tools` or `aws-sdk-core`'s CHANGELOG.md for details.
+
+1.38.0 (2021-07-30)
+------------------
+
+* Feature - Code Generated Changes, see `./build_tools` or `aws-sdk-core`'s CHANGELOG.md for details.
+
+1.37.0 (2021-07-28)
+------------------
+
+* Feature - Code Generated Changes, see `./build_tools` or `aws-sdk-core`'s CHANGELOG.md for details.
+
 1.36.0 (2021-05-26)
 ------------------
 

data/VERSION

@@ -1 +1 @@
-1.36.0
+1.40.0

data/lib/aws-sdk-acmpca/client.rb

@@ -338,17 +338,19 @@ module Aws::ACMPCA
     # @!group API Operations
 
     # Creates a root or subordinate private certificate authority (CA). You
-    # must specify the CA configuration, the certificate revocation list
-    # (CRL) configuration, the CA type, and an optional idempotency token to
-    # avoid accidental creation of multiple CAs. The CA configuration
+    # must specify the CA configuration, an optional configuration for
+    # Online Certificate Status Protocol (OCSP) and/or a certificate
+    # revocation list (CRL), the CA type, and an optional idempotency token
+    # to avoid accidental creation of multiple CAs. The CA configuration
     # specifies the name of the algorithm and key size to be used to create
     # the CA private key, the type of signing algorithm that the CA uses,
-    # and X.500 subject information. The CRL configuration specifies the CRL
-    # expiration period in days (the validity period of the CRL), the Amazon
-    # S3 bucket that will contain the CRL, and a CNAME alias for the S3
-    # bucket that is included in certificates issued by the CA. If
-    # successful, this action returns the Amazon Resource Name (ARN) of the
-    # CA.
+    # and X.500 subject information. The OCSP configuration can optionally
+    # specify a custom URL for the OCSP responder. The CRL configuration
+    # specifies the CRL expiration period in days (the validity period of
+    # the CRL), the Amazon S3 bucket that will contain the CRL, and a CNAME
+    # alias for the S3 bucket that is included in certificates issued by the
+    # CA. If successful, this action returns the Amazon Resource Name (ARN)
+    # of the CA.
     #
     # ACM Private CA assets that are stored in Amazon S3 can be protected
     # with encryption. For more information, see [Encrypting Your CRLs][1].
@@ -370,16 +372,16 @@ module Aws::ACMPCA
     #   signing algorithm, and X.500 certificate subject information.
     #
     # @option params [Types::RevocationConfiguration] :revocation_configuration
-    #   Contains a Boolean value that you can use to enable a certification
-    #   revocation list (CRL) for the CA, the name of the S3 bucket to which
-    #   ACM Private CA will write the CRL, and an optional CNAME alias that
-    #   you can use to hide the name of your bucket in the **CRL Distribution
-    #   Points** extension of your CA certificate. For more information, see
-    #   the [CrlConfiguration][1] structure.
+    #   Contains information to enable Online Certificate Status Protocol
+    #   (OCSP) support, to enable a certificate revocation list (CRL), to
+    #   enable both, or to enable neither. The default is for both certificate
+    #   validation mechanisms to be disabled. For more information, see the
+    #   [OcspConfiguration][1] and [CrlConfiguration][2] types.
     #
     #
     #
-    #   [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_CrlConfiguration.html
+    #   [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_OcspConfiguration.html
+    #   [2]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_CrlConfiguration.html
     #
     # @option params [required, String] :certificate_authority_type
     #   The type of the certificate authority.
@@ -505,6 +507,10 @@ module Aws::ACMPCA
     #         s3_bucket_name: "String3To255",
     #         s3_object_acl: "PUBLIC_READ", # accepts PUBLIC_READ, BUCKET_OWNER_FULL_CONTROL
     #       },
+    #       ocsp_configuration: {
+    #         enabled: false, # required
+    #         ocsp_custom_cname: "String253",
+    #       },
     #     },
     #     certificate_authority_type: "ROOT", # required, accepts ROOT, SUBORDINATE
     #     idempotency_token: "IdempotencyToken",
@@ -999,6 +1005,8 @@ module Aws::ACMPCA
     #   resp.certificate_authority.revocation_configuration.crl_configuration.custom_cname #=> String
     #   resp.certificate_authority.revocation_configuration.crl_configuration.s3_bucket_name #=> String
     #   resp.certificate_authority.revocation_configuration.crl_configuration.s3_object_acl #=> String, one of "PUBLIC_READ", "BUCKET_OWNER_FULL_CONTROL"
+    #   resp.certificate_authority.revocation_configuration.ocsp_configuration.enabled #=> Boolean
+    #   resp.certificate_authority.revocation_configuration.ocsp_configuration.ocsp_custom_cname #=> String
     #   resp.certificate_authority.restorable_until #=> Time
     #   resp.certificate_authority.key_storage_security_standard #=> String, one of "FIPS_140_2_LEVEL_2_OR_HIGHER", "FIPS_140_2_LEVEL_3_OR_HIGHER"
     #
@@ -1805,6 +1813,8 @@ module Aws::ACMPCA
     #   resp.certificate_authorities[0].revocation_configuration.crl_configuration.custom_cname #=> String
     #   resp.certificate_authorities[0].revocation_configuration.crl_configuration.s3_bucket_name #=> String
     #   resp.certificate_authorities[0].revocation_configuration.crl_configuration.s3_object_acl #=> String, one of "PUBLIC_READ", "BUCKET_OWNER_FULL_CONTROL"
+    #   resp.certificate_authorities[0].revocation_configuration.ocsp_configuration.enabled #=> Boolean
+    #   resp.certificate_authorities[0].revocation_configuration.ocsp_configuration.ocsp_custom_cname #=> String
     #   resp.certificate_authorities[0].restorable_until #=> Time
     #   resp.certificate_authorities[0].key_storage_security_standard #=> String, one of "FIPS_140_2_LEVEL_2_OR_HIGHER", "FIPS_140_2_LEVEL_3_OR_HIGHER"
     #   resp.next_token #=> String
@@ -2316,7 +2326,16 @@ module Aws::ACMPCA
     #   `
     #
     # @option params [Types::RevocationConfiguration] :revocation_configuration
-    #   Revocation information for your private CA.
+    #   Contains information to enable Online Certificate Status Protocol
+    #   (OCSP) support, to enable a certificate revocation list (CRL), to
+    #   enable both, or to enable neither. If this parameter is not supplied,
+    #   existing capibilites remain unchanged. For more information, see the
+    #   [OcspConfiguration][1] and [CrlConfiguration][2] types.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_OcspConfiguration.html
+    #   [2]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_CrlConfiguration.html
     #
     # @option params [String] :status
     #   Status of your private CA.
@@ -2335,6 +2354,10 @@ module Aws::ACMPCA
     #         s3_bucket_name: "String3To255",
     #         s3_object_acl: "PUBLIC_READ", # accepts PUBLIC_READ, BUCKET_OWNER_FULL_CONTROL
     #       },
+    #       ocsp_configuration: {
+    #         enabled: false, # required
+    #         ocsp_custom_cname: "String253",
+    #       },
     #     },
     #     status: "CREATING", # accepts CREATING, PENDING_CERTIFICATE, ACTIVE, DELETED, DISABLED, EXPIRED, FAILED
     #   })
@@ -2361,7 +2384,7 @@ module Aws::ACMPCA
         params: params,
         config: config)
       context[:gem_name] = 'aws-sdk-acmpca'
-      context[:gem_version] = '1.36.0'
+      context[:gem_version] = '1.40.0'
       Seahorse::Client::Request.new(handlers, context)
     end
 

data/lib/aws-sdk-acmpca/client_api.rb

@@ -102,6 +102,7 @@ module Aws::ACMPCA
     MalformedCertificateException = Shapes::StructureShape.new(name: 'MalformedCertificateException')
     MaxResults = Shapes::IntegerShape.new(name: 'MaxResults')
     NextToken = Shapes::StringShape.new(name: 'NextToken')
+    OcspConfiguration = Shapes::StructureShape.new(name: 'OcspConfiguration')
     OtherName = Shapes::StructureShape.new(name: 'OtherName')
     PermanentDeletionTimeInDays = Shapes::IntegerShape.new(name: 'PermanentDeletionTimeInDays')
     Permission = Shapes::StructureShape.new(name: 'Permission')
@@ -424,6 +425,10 @@ module Aws::ACMPCA
     MalformedCertificateException.add_member(:message, Shapes::ShapeRef.new(shape: String, location_name: "message"))
     MalformedCertificateException.struct_class = Types::MalformedCertificateException
 
+    OcspConfiguration.add_member(:enabled, Shapes::ShapeRef.new(shape: Boolean, required: true, location_name: "Enabled", metadata: {"box"=>true}))
+    OcspConfiguration.add_member(:ocsp_custom_cname, Shapes::ShapeRef.new(shape: String253, location_name: "OcspCustomCname"))
+    OcspConfiguration.struct_class = Types::OcspConfiguration
+
     OtherName.add_member(:type_id, Shapes::ShapeRef.new(shape: CustomObjectIdentifier, required: true, location_name: "TypeId"))
     OtherName.add_member(:value, Shapes::ShapeRef.new(shape: String256, required: true, location_name: "Value"))
     OtherName.struct_class = Types::OtherName
@@ -474,6 +479,7 @@ module Aws::ACMPCA
     RestoreCertificateAuthorityRequest.struct_class = Types::RestoreCertificateAuthorityRequest
 
     RevocationConfiguration.add_member(:crl_configuration, Shapes::ShapeRef.new(shape: CrlConfiguration, location_name: "CrlConfiguration"))
+    RevocationConfiguration.add_member(:ocsp_configuration, Shapes::ShapeRef.new(shape: OcspConfiguration, location_name: "OcspConfiguration"))
     RevocationConfiguration.struct_class = Types::RevocationConfiguration
 
     RevokeCertificateRequest.add_member(:certificate_authority_arn, Shapes::ShapeRef.new(shape: Arn, required: true, location_name: "CertificateAuthorityArn"))

data/lib/aws-sdk-acmpca/types.rb

@@ -418,7 +418,8 @@ module Aws::ACMPCA
     #   @return [Types::CertificateAuthorityConfiguration]
     #
     # @!attribute [rw] revocation_configuration
-    #   Information about the certificate revocation list (CRL) created and
+    #   Information about the Online Certificate Status Protocol (OCSP)
+    #   configuration or certificate revocation list (CRL) created and
     #   maintained by your private CA.
     #   @return [Types::RevocationConfiguration]
     #
@@ -756,6 +757,10 @@ module Aws::ACMPCA
     #             s3_bucket_name: "String3To255",
     #             s3_object_acl: "PUBLIC_READ", # accepts PUBLIC_READ, BUCKET_OWNER_FULL_CONTROL
     #           },
+    #           ocsp_configuration: {
+    #             enabled: false, # required
+    #             ocsp_custom_cname: "String253",
+    #           },
     #         },
     #         certificate_authority_type: "ROOT", # required, accepts ROOT, SUBORDINATE
     #         idempotency_token: "IdempotencyToken",
@@ -774,16 +779,17 @@ module Aws::ACMPCA
     #   @return [Types::CertificateAuthorityConfiguration]
     #
     # @!attribute [rw] revocation_configuration
-    #   Contains a Boolean value that you can use to enable a certification
-    #   revocation list (CRL) for the CA, the name of the S3 bucket to which
-    #   ACM Private CA will write the CRL, and an optional CNAME alias that
-    #   you can use to hide the name of your bucket in the **CRL
-    #   Distribution Points** extension of your CA certificate. For more
-    #   information, see the [CrlConfiguration][1] structure.
+    #   Contains information to enable Online Certificate Status Protocol
+    #   (OCSP) support, to enable a certificate revocation list (CRL), to
+    #   enable both, or to enable neither. The default is for both
+    #   certificate validation mechanisms to be disabled. For more
+    #   information, see the [OcspConfiguration][1] and
+    #   [CrlConfiguration][2] types.
     #
     #
     #
-    #   [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_CrlConfiguration.html
+    #   [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_OcspConfiguration.html
+    #   [2]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_CrlConfiguration.html
     #   @return [Types::RevocationConfiguration]
     #
     # @!attribute [rw] certificate_authority_type
@@ -927,6 +933,10 @@ module Aws::ACMPCA
     # generated and in the next audit report. Only time valid certificates
     # are listed in the CRL. Expired certificates are not included.
     #
+    # A CRL is typically updated approximately 30 minutes after a
+    # certificate is revoked. If for any reason a CRL update fails, ACM
+    # Private CA makes further attempts every 15 minutes.
+    #
     # CRLs contain the following fields:
     #
     # * **Version**\: The current version number defined in RFC 5280 is V2.
@@ -974,9 +984,14 @@ module Aws::ACMPCA
     #
     # `openssl crl -inform DER -text -in crl_path -noout`
     #
+    # For more information, see [Planning a certificate revocation list
+    # (CRL)][2] in the *AWS Certificate Manager Private Certificate
+    # Authority (PCA) User Guide*
+    #
     #
     #
     # [1]: https://docs.aws.amazon.com/acm-pca/latest/userguide/PcaCreateCa.html#crl-encryption
+    # [2]: https://docs.aws.amazon.com/acm-pca/latest/userguide/crl-planning.html
     #
     # @note When making an API call, you may pass CrlConfiguration
     #   data as a hash:
@@ -1018,9 +1033,9 @@ module Aws::ACMPCA
     #   value for the **CustomCname** argument, the name of your S3 bucket
     #   is placed into the **CRL Distribution Points** extension of the
     #   issued certificate. You can change the name of your bucket by
-    #   calling the [UpdateCertificateAuthority][1] action. You must specify
-    #   a [bucket policy][2] that allows ACM Private CA to write the CRL to
-    #   your bucket.
+    #   calling the [UpdateCertificateAuthority][1] operation. You must
+    #   specify a [bucket policy][2] that allows ACM Private CA to write the
+    #   CRL to your bucket.
     #
     #
     #
@@ -2553,6 +2568,52 @@ module Aws::ACMPCA
       include Aws::Structure
     end
 
+    # Contains information to enable and configure Online Certificate Status
+    # Protocol (OCSP) for validating certificate revocation status.
+    #
+    # When you revoke a certificate, OCSP responses may take up to 60
+    # minutes to reflect the new status.
+    #
+    # @note When making an API call, you may pass OcspConfiguration
+    #   data as a hash:
+    #
+    #       {
+    #         enabled: false, # required
+    #         ocsp_custom_cname: "String253",
+    #       }
+    #
+    # @!attribute [rw] enabled
+    #   Flag enabling use of the Online Certificate Status Protocol (OCSP)
+    #   for validating certificate revocation status.
+    #   @return [Boolean]
+    #
+    # @!attribute [rw] ocsp_custom_cname
+    #   By default, ACM Private CA injects an AWS domain into certificates
+    #   being validated by the Online Certificate Status Protocol (OCSP). A
+    #   customer can alternatively use this object to define a CNAME
+    #   specifying a customized OCSP domain.
+    #
+    #   Note: The value of the CNAME must not include a protocol prefix such
+    #   as "http://" or "https://".
+    #
+    #   For more information, see [Customizing Online Certificate Status
+    #   Protocol (OCSP) ][1] in the *AWS Certificate Manager Private
+    #   Certificate Authority (PCA) User Guide*.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/acm-pca/latest/userguide/ocsp-customize.html
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/OcspConfiguration AWS API Documentation
+    #
+    class OcspConfiguration < Struct.new(
+      :enabled,
+      :ocsp_custom_cname)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
     # Defines a custom ASN.1 X.400 `GeneralName` using an object identifier
     # (OID) and value. The OID must satisfy the regular expression shown
     # below. For more information, see NIST's definition of [Object
@@ -2879,16 +2940,21 @@ module Aws::ACMPCA
 
     # Certificate revocation information used by the
     # [CreateCertificateAuthority][1] and [UpdateCertificateAuthority][2]
-    # actions. Your private certificate authority (CA) can create and
-    # maintain a certificate revocation list (CRL). A CRL contains
-    # information about certificates revoked by your CA. For more
-    # information, see [RevokeCertificate][3].
+    # actions. Your private certificate authority (CA) can configure Online
+    # Certificate Status Protocol (OCSP) support and/or maintain a
+    # certificate revocation list (CRL). OCSP returns validation information
+    # about certificates as requested by clients, and a CRL contains an
+    # updated list of certificates revoked by your CA. For more information,
+    # see [RevokeCertificate][3] and [Setting up a certificate revocation
+    # method][4] in the *AWS Certificate Manager Private Certificate
+    # Authority (PCA) User Guide*.
     #
     #
     #
     # [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_CreateCertificateAuthority.html
     # [2]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_UpdateCertificateAuthority.html
     # [3]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_RevokeCertificate.html
+    # [4]: https://docs.aws.amazon.com/acm-pca/latest/userguide/revocation-setup.html
     #
     # @note When making an API call, you may pass RevocationConfiguration
     #   data as a hash:
@@ -2901,17 +2967,32 @@ module Aws::ACMPCA
     #           s3_bucket_name: "String3To255",
     #           s3_object_acl: "PUBLIC_READ", # accepts PUBLIC_READ, BUCKET_OWNER_FULL_CONTROL
     #         },
+    #         ocsp_configuration: {
+    #           enabled: false, # required
+    #           ocsp_custom_cname: "String253",
+    #         },
     #       }
     #
     # @!attribute [rw] crl_configuration
     #   Configuration of the certificate revocation list (CRL), if any,
-    #   maintained by your private CA.
+    #   maintained by your private CA. A CRL is typically updated
+    #   approximately 30 minutes after a certificate is revoked. If for any
+    #   reason a CRL update fails, ACM Private CA makes further attempts
+    #   every 15 minutes.
     #   @return [Types::CrlConfiguration]
     #
+    # @!attribute [rw] ocsp_configuration
+    #   Configuration of Online Certificate Status Protocol (OCSP) support,
+    #   if any, maintained by your private CA. When you revoke a
+    #   certificate, OCSP responses may take up to 60 minutes to reflect the
+    #   new status.
+    #   @return [Types::OcspConfiguration]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/RevocationConfiguration AWS API Documentation
     #
     class RevocationConfiguration < Struct.new(
-      :crl_configuration)
+      :crl_configuration,
+      :ocsp_configuration)
       SENSITIVE = []
       include Aws::Structure
     end
@@ -3107,6 +3188,10 @@ module Aws::ACMPCA
     #             s3_bucket_name: "String3To255",
     #             s3_object_acl: "PUBLIC_READ", # accepts PUBLIC_READ, BUCKET_OWNER_FULL_CONTROL
     #           },
+    #           ocsp_configuration: {
+    #             enabled: false, # required
+    #             ocsp_custom_cname: "String253",
+    #           },
     #         },
     #         status: "CREATING", # accepts CREATING, PENDING_CERTIFICATE, ACTIVE, DELETED, DISABLED, EXPIRED, FAILED
     #       }
@@ -3120,7 +3205,17 @@ module Aws::ACMPCA
     #   @return [String]
     #
     # @!attribute [rw] revocation_configuration
-    #   Revocation information for your private CA.
+    #   Contains information to enable Online Certificate Status Protocol
+    #   (OCSP) support, to enable a certificate revocation list (CRL), to
+    #   enable both, or to enable neither. If this parameter is not
+    #   supplied, existing capibilites remain unchanged. For more
+    #   information, see the [OcspConfiguration][1] and
+    #   [CrlConfiguration][2] types.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_OcspConfiguration.html
+    #   [2]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_CrlConfiguration.html
     #   @return [Types::RevocationConfiguration]
     #
     # @!attribute [rw] status

data/lib/aws-sdk-acmpca.rb

@@ -49,6 +49,6 @@ require_relative 'aws-sdk-acmpca/customizations'
 # @!group service
 module Aws::ACMPCA
 
-  GEM_VERSION = '1.36.0'
+  GEM_VERSION = '1.40.0'
 
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: aws-sdk-acmpca
 version: !ruby/object:Gem::Version
-  version: 1.36.0
+  version: 1.40.0
 platform: ruby
 authors:
 - Amazon Web Services
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2021-05-26 00:00:00.000000000 Z
+date: 2021-09-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: aws-sdk-core
@@ -19,7 +19,7 @@ dependencies:
         version: '3'
     - - ">="
       - !ruby/object:Gem::Version
-        version: 3.112.0
+        version: 3.120.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -29,7 +29,7 @@ dependencies:
         version: '3'
     - - ">="
       - !ruby/object:Gem::Version
-        version: 3.112.0
+        version: 3.120.0
 - !ruby/object:Gem::Dependency
   name: aws-sigv4
   requirement: !ruby/object:Gem::Requirement
@@ -77,7 +77,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: '0'
+      version: '2.3'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="