aws-sdk-acmpca 1.44.0 → 1.47.0
- checksums.yaml +4 -4
- data/CHANGELOG.md +15 -0
- data/VERSION +1 -1
- data/lib/aws-sdk-acmpca/client.rb +222 -153
- data/lib/aws-sdk-acmpca/client_api.rb +21 -0
- data/lib/aws-sdk-acmpca/types.rb +331 -112
- data/lib/aws-sdk-acmpca.rb +1 -1
- metadata +4 -4
data/lib/aws-sdk-acmpca/types.rb
CHANGED
@@ -35,6 +35,12 @@ module Aws::ACMPCA
|
|
35
35
|
# initials: "String5",
|
36
36
|
# pseudonym: "String128",
|
37
37
|
# generation_qualifier: "String3",
|
38
|
+
# custom_attributes: [
|
39
|
+
# {
|
40
|
+
# object_identifier: "CustomObjectIdentifier", # required
|
41
|
+
# value: "String1To256", # required
|
42
|
+
# },
|
43
|
+
# ],
|
38
44
|
# }
|
39
45
|
#
|
40
46
|
# @!attribute [rw] country
|
@@ -110,6 +116,22 @@ module Aws::ACMPCA
|
|
110
116
|
# Examples include Jr. for junior, Sr. for senior, and III for third.
|
111
117
|
# @return [String]
|
112
118
|
#
|
119
|
+
# @!attribute [rw] custom_attributes
|
120
|
+
# Contains a sequence of one or more X.500 relative distinguished
|
121
|
+
# names (RDNs), each of which consists of an object identifier (OID)
|
122
|
+
# and a value. For more information, see NIST’s definition of [Object
|
123
|
+
# Identifier (OID)][1].
|
124
|
+
#
|
125
|
+
# <note markdown="1"> Custom attributes cannot be used in combination with standard
|
126
|
+
# attributes.
|
127
|
+
#
|
128
|
+
# </note>
|
129
|
+
#
|
130
|
+
#
|
131
|
+
#
|
132
|
+
# [1]: https://csrc.nist.gov/glossary/term/Object_Identifier
|
133
|
+
# @return [Array<Types::CustomAttribute>]
|
134
|
+
#
|
113
135
|
# @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/ASN1Subject AWS API Documentation
|
114
136
|
#
|
115
137
|
class ASN1Subject < Struct.new(
|
@@ -126,7 +148,8 @@ module Aws::ACMPCA
|
|
126
148
|
:given_name,
|
127
149
|
:initials,
|
128
150
|
:pseudonym,
|
129
|
-
:generation_qualifier
|
151
|
+
:generation_qualifier,
|
152
|
+
:custom_attributes)
|
130
153
|
SENSITIVE = []
|
131
154
|
include Aws::Structure
|
132
155
|
end
|
@@ -136,7 +159,7 @@ module Aws::ACMPCA
|
|
136
159
|
#
|
137
160
|
#
|
138
161
|
#
|
139
|
-
# [1]: https://
|
162
|
+
# [1]: https://datatracker.ietf.org/doc/html/rfc5280
|
140
163
|
#
|
141
164
|
# @note When making an API call, you may pass AccessDescription
|
142
165
|
# data as a hash:
|
@@ -168,6 +191,12 @@ module Aws::ACMPCA
|
|
168
191
|
# initials: "String5",
|
169
192
|
# pseudonym: "String128",
|
170
193
|
# generation_qualifier: "String3",
|
194
|
+
# custom_attributes: [
|
195
|
+
# {
|
196
|
+
# object_identifier: "CustomObjectIdentifier", # required
|
197
|
+
# value: "String1To256", # required
|
198
|
+
# },
|
199
|
+
# ],
|
171
200
|
# },
|
172
201
|
# edi_party_name: {
|
173
202
|
# party_name: "String256", # required
|
@@ -236,8 +265,8 @@ module Aws::ACMPCA
|
|
236
265
|
# variant must be selected, or else this parameter is ignored.
|
237
266
|
#
|
238
267
|
# If conflicting or duplicate certificate information is supplied from
|
239
|
-
# other sources,
|
240
|
-
# determine what information is used.
|
268
|
+
# other sources, Amazon Web Services Private CA applies [order of
|
269
|
+
# operation rules][1] to determine what information is used.
|
241
270
|
#
|
242
271
|
#
|
243
272
|
#
|
@@ -301,6 +330,12 @@ module Aws::ACMPCA
|
|
301
330
|
# initials: "String5",
|
302
331
|
# pseudonym: "String128",
|
303
332
|
# generation_qualifier: "String3",
|
333
|
+
# custom_attributes: [
|
334
|
+
# {
|
335
|
+
# object_identifier: "CustomObjectIdentifier", # required
|
336
|
+
# value: "String1To256", # required
|
337
|
+
# },
|
338
|
+
# ],
|
304
339
|
# },
|
305
340
|
# edi_party_name: {
|
306
341
|
# party_name: "String256", # required
|
@@ -311,6 +346,13 @@ module Aws::ACMPCA
|
|
311
346
|
# registered_id: "CustomObjectIdentifier",
|
312
347
|
# },
|
313
348
|
# ],
|
349
|
+
# custom_extensions: [
|
350
|
+
# {
|
351
|
+
# object_identifier: "CustomObjectIdentifier", # required
|
352
|
+
# value: "Base64String1To4096", # required
|
353
|
+
# critical: false,
|
354
|
+
# },
|
355
|
+
# ],
|
314
356
|
# },
|
315
357
|
# subject: {
|
316
358
|
# country: "CountryCodeString",
|
@@ -327,6 +369,12 @@ module Aws::ACMPCA
|
|
327
369
|
# initials: "String5",
|
328
370
|
# pseudonym: "String128",
|
329
371
|
# generation_qualifier: "String3",
|
372
|
+
# custom_attributes: [
|
373
|
+
# {
|
374
|
+
# object_identifier: "CustomObjectIdentifier", # required
|
375
|
+
# value: "String1To256", # required
|
376
|
+
# },
|
377
|
+
# ],
|
330
378
|
# },
|
331
379
|
# }
|
332
380
|
#
|
@@ -361,10 +409,10 @@ module Aws::ACMPCA
|
|
361
409
|
# [CreateCertificateAuthority][1] action to create your private CA. You
|
362
410
|
# must then call the [GetCertificateAuthorityCertificate][2] action to
|
363
411
|
# retrieve a private CA certificate signing request (CSR). Sign the CSR
|
364
|
-
# with your
|
365
|
-
# certificate. Call the
|
366
|
-
# action to import the signed
|
367
|
-
# (ACM).
|
412
|
+
# with your Amazon Web Services Private CA-hosted or on-premises root or
|
413
|
+
# subordinate CA certificate. Call the
|
414
|
+
# [ImportCertificateAuthorityCertificate][3] action to import the signed
|
415
|
+
# certificate into Certificate Manager (ACM).
|
368
416
|
#
|
369
417
|
#
|
370
418
|
#
|
@@ -378,7 +426,8 @@ module Aws::ACMPCA
|
|
378
426
|
# @return [String]
|
379
427
|
#
|
380
428
|
# @!attribute [rw] owner_account
|
381
|
-
# The
|
429
|
+
# The Amazon Web Services account ID that owns the certificate
|
430
|
+
# authority.
|
382
431
|
# @return [String]
|
383
432
|
#
|
384
433
|
# @!attribute [rw] created_at
|
@@ -439,7 +488,7 @@ module Aws::ACMPCA
|
|
439
488
|
#
|
440
489
|
# Default: FIPS\_140\_2\_LEVEL\_3\_OR\_HIGHER
|
441
490
|
#
|
442
|
-
# Note:
|
491
|
+
# Note: Amazon Web Services Region ap-northeast-3 supports only
|
443
492
|
# FIPS\_140\_2\_LEVEL\_2\_OR\_HIGHER. You must explicitly specify this
|
444
493
|
# parameter and value when creating a CA in that Region. Specifying a
|
445
494
|
# different value (or no value) results in an `InvalidArgsException`
|
@@ -501,6 +550,12 @@ module Aws::ACMPCA
|
|
501
550
|
# initials: "String5",
|
502
551
|
# pseudonym: "String128",
|
503
552
|
# generation_qualifier: "String3",
|
553
|
+
# custom_attributes: [
|
554
|
+
# {
|
555
|
+
# object_identifier: "CustomObjectIdentifier", # required
|
556
|
+
# value: "String1To256", # required
|
557
|
+
# },
|
558
|
+
# ],
|
504
559
|
# },
|
505
560
|
# csr_extensions: {
|
506
561
|
# key_usage: {
|
@@ -542,6 +597,12 @@ module Aws::ACMPCA
|
|
542
597
|
# initials: "String5",
|
543
598
|
# pseudonym: "String128",
|
544
599
|
# generation_qualifier: "String3",
|
600
|
+
# custom_attributes: [
|
601
|
+
# {
|
602
|
+
# object_identifier: "CustomObjectIdentifier", # required
|
603
|
+
# value: "String1To256", # required
|
604
|
+
# },
|
605
|
+
# ],
|
545
606
|
# },
|
546
607
|
# edi_party_name: {
|
547
608
|
# party_name: "String256", # required
|
@@ -695,6 +756,12 @@ module Aws::ACMPCA
|
|
695
756
|
# initials: "String5",
|
696
757
|
# pseudonym: "String128",
|
697
758
|
# generation_qualifier: "String3",
|
759
|
+
# custom_attributes: [
|
760
|
+
# {
|
761
|
+
# object_identifier: "CustomObjectIdentifier", # required
|
762
|
+
# value: "String1To256", # required
|
763
|
+
# },
|
764
|
+
# ],
|
698
765
|
# },
|
699
766
|
# csr_extensions: {
|
700
767
|
# key_usage: {
|
@@ -736,6 +803,12 @@ module Aws::ACMPCA
|
|
736
803
|
# initials: "String5",
|
737
804
|
# pseudonym: "String128",
|
738
805
|
# generation_qualifier: "String3",
|
806
|
+
# custom_attributes: [
|
807
|
+
# {
|
808
|
+
# object_identifier: "CustomObjectIdentifier", # required
|
809
|
+
# value: "String1To256", # required
|
810
|
+
# },
|
811
|
+
# ],
|
739
812
|
# },
|
740
813
|
# edi_party_name: {
|
741
814
|
# party_name: "String256", # required
|
@@ -801,11 +874,11 @@ module Aws::ACMPCA
|
|
801
874
|
# **CreateCertificateAuthority** action. Idempotency tokens for
|
802
875
|
# **CreateCertificateAuthority** time out after five minutes.
|
803
876
|
# Therefore, if you call **CreateCertificateAuthority** multiple times
|
804
|
-
# with the same idempotency token within five minutes,
|
805
|
-
# recognizes that you are requesting only
|
806
|
-
# will issue only one. If you change the
|
807
|
-
# call, PCA recognizes that you are
|
808
|
-
# authorities.
|
877
|
+
# with the same idempotency token within five minutes, Amazon Web
|
878
|
+
# Services Private CA recognizes that you are requesting only
|
879
|
+
# certificate authority and will issue only one. If you change the
|
880
|
+
# idempotency token for each call, PCA recognizes that you are
|
881
|
+
# requesting multiple certificate authorities.
|
809
882
|
# @return [String]
|
810
883
|
#
|
811
884
|
# @!attribute [rw] key_storage_security_standard
|
@@ -888,8 +961,9 @@ module Aws::ACMPCA
|
|
888
961
|
# @return [String]
|
889
962
|
#
|
890
963
|
# @!attribute [rw] principal
|
891
|
-
# The
|
892
|
-
# time, the only valid principal is
|
964
|
+
# The Amazon Web Services service or identity that receives the
|
965
|
+
# permission. At this time, the only valid principal is
|
966
|
+
# `acm.amazonaws.com`.
|
893
967
|
# @return [String]
|
894
968
|
#
|
895
969
|
# @!attribute [rw] source_account
|
@@ -897,8 +971,9 @@ module Aws::ACMPCA
|
|
897
971
|
# @return [String]
|
898
972
|
#
|
899
973
|
# @!attribute [rw] actions
|
900
|
-
# The actions that the specified
|
901
|
-
# include `IssueCertificate`, `GetCertificate`, and
|
974
|
+
# The actions that the specified Amazon Web Services service principal
|
975
|
+
# can use. These include `IssueCertificate`, `GetCertificate`, and
|
976
|
+
# `ListPermissions`.
|
902
977
|
# @return [Array<String>]
|
903
978
|
#
|
904
979
|
# @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/CreatePermissionRequest AWS API Documentation
|
@@ -921,21 +996,22 @@ module Aws::ACMPCA
|
|
921
996
|
# specifying a value for the **CustomCname** parameter. Your private CA
|
922
997
|
# copies the CNAME or the S3 bucket name to the **CRL Distribution
|
923
998
|
# Points** extension of each certificate it issues. Your S3 bucket
|
924
|
-
# policy must give write permission to
|
999
|
+
# policy must give write permission to Amazon Web Services Private CA.
|
925
1000
|
#
|
926
|
-
#
|
927
|
-
# with encryption. For more information, see [Encrypting
|
1001
|
+
# Amazon Web Services Private CA assets that are stored in Amazon S3 can
|
1002
|
+
# be protected with encryption. For more information, see [Encrypting
|
1003
|
+
# Your CRLs][1].
|
928
1004
|
#
|
929
1005
|
# Your private CA uses the value in the **ExpirationInDays** parameter
|
930
1006
|
# to calculate the **nextUpdate** field in the CRL. The CRL is refreshed
|
931
|
-
#
|
932
|
-
# certificate is revoked, it
|
933
|
-
#
|
934
|
-
#
|
1007
|
+
# prior to a certificate's expiration date or when a certificate is
|
1008
|
+
# revoked. When a certificate is revoked, it appears in the CRL until
|
1009
|
+
# the certificate expires, and then in one additional CRL after
|
1010
|
+
# expiration, and it always appears in the audit report.
|
935
1011
|
#
|
936
1012
|
# A CRL is typically updated approximately 30 minutes after a
|
937
|
-
# certificate is revoked. If for any reason a CRL update fails,
|
938
|
-
# Private CA makes further attempts every 15 minutes.
|
1013
|
+
# certificate is revoked. If for any reason a CRL update fails, Amazon
|
1014
|
+
# Web Services Private CA makes further attempts every 15 minutes.
|
939
1015
|
#
|
940
1016
|
# CRLs contain the following fields:
|
941
1017
|
#
|
@@ -979,14 +1055,15 @@ module Aws::ACMPCA
|
|
979
1055
|
#
|
980
1056
|
# * **Signature Value**\: Signature computed over the CRL.
|
981
1057
|
#
|
982
|
-
# Certificate revocation lists created by
|
983
|
-
# DER-encoded. You can use the following OpenSSL command to list a
|
1058
|
+
# Certificate revocation lists created by Amazon Web Services Private CA
|
1059
|
+
# are DER-encoded. You can use the following OpenSSL command to list a
|
1060
|
+
# CRL.
|
984
1061
|
#
|
985
1062
|
# `openssl crl -inform DER -text -in crl_path -noout`
|
986
1063
|
#
|
987
1064
|
# For more information, see [Planning a certificate revocation list
|
988
|
-
# (CRL)][2] in the *
|
989
|
-
#
|
1065
|
+
# (CRL)][2] in the *Amazon Web Services Private Certificate Authority
|
1066
|
+
# User Guide*
|
990
1067
|
#
|
991
1068
|
#
|
992
1069
|
#
|
@@ -1034,8 +1111,8 @@ module Aws::ACMPCA
|
|
1034
1111
|
# is placed into the **CRL Distribution Points** extension of the
|
1035
1112
|
# issued certificate. You can change the name of your bucket by
|
1036
1113
|
# calling the [UpdateCertificateAuthority][1] operation. You must
|
1037
|
-
# specify a [bucket policy][2] that allows
|
1038
|
-
# CRL to your bucket.
|
1114
|
+
# specify a [bucket policy][2] that allows Amazon Web Services Private
|
1115
|
+
# CA to write the CRL to your bucket.
|
1039
1116
|
#
|
1040
1117
|
#
|
1041
1118
|
#
|
@@ -1127,6 +1204,12 @@ module Aws::ACMPCA
|
|
1127
1204
|
# initials: "String5",
|
1128
1205
|
# pseudonym: "String128",
|
1129
1206
|
# generation_qualifier: "String3",
|
1207
|
+
# custom_attributes: [
|
1208
|
+
# {
|
1209
|
+
# object_identifier: "CustomObjectIdentifier", # required
|
1210
|
+
# value: "String1To256", # required
|
1211
|
+
# },
|
1212
|
+
# ],
|
1130
1213
|
# },
|
1131
1214
|
# edi_party_name: {
|
1132
1215
|
# party_name: "String256", # required
|
@@ -1152,7 +1235,7 @@ module Aws::ACMPCA
|
|
1152
1235
|
#
|
1153
1236
|
#
|
1154
1237
|
#
|
1155
|
-
# [1]: https://
|
1238
|
+
# [1]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.2.2
|
1156
1239
|
# @return [Array<Types::AccessDescription>]
|
1157
1240
|
#
|
1158
1241
|
# @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/CsrExtensions AWS API Documentation
|
@@ -1164,6 +1247,79 @@ module Aws::ACMPCA
|
|
1164
1247
|
include Aws::Structure
|
1165
1248
|
end
|
1166
1249
|
|
1250
|
+
# Defines the X.500 relative distinguished name (RDN).
|
1251
|
+
#
|
1252
|
+
# @note When making an API call, you may pass CustomAttribute
|
1253
|
+
# data as a hash:
|
1254
|
+
#
|
1255
|
+
# {
|
1256
|
+
# object_identifier: "CustomObjectIdentifier", # required
|
1257
|
+
# value: "String1To256", # required
|
1258
|
+
# }
|
1259
|
+
#
|
1260
|
+
# @!attribute [rw] object_identifier
|
1261
|
+
# Specifies the object identifier (OID) of the attribute type of the
|
1262
|
+
# relative distinguished name (RDN).
|
1263
|
+
# @return [String]
|
1264
|
+
#
|
1265
|
+
# @!attribute [rw] value
|
1266
|
+
# Specifies the attribute value of relative distinguished name (RDN).
|
1267
|
+
# @return [String]
|
1268
|
+
#
|
1269
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/CustomAttribute AWS API Documentation
|
1270
|
+
#
|
1271
|
+
class CustomAttribute < Struct.new(
|
1272
|
+
:object_identifier,
|
1273
|
+
:value)
|
1274
|
+
SENSITIVE = []
|
1275
|
+
include Aws::Structure
|
1276
|
+
end
|
1277
|
+
|
1278
|
+
# Specifies the X.509 extension information for a certificate.
|
1279
|
+
#
|
1280
|
+
# Extensions present in `CustomExtensions` follow the `ApiPassthrough`
|
1281
|
+
# [template rules][1].
|
1282
|
+
#
|
1283
|
+
#
|
1284
|
+
#
|
1285
|
+
# [1]: https://docs.aws.amazon.com/acm-pca/latest/userguide/UsingTemplates.html#template-order-of-operations
|
1286
|
+
#
|
1287
|
+
# @note When making an API call, you may pass CustomExtension
|
1288
|
+
# data as a hash:
|
1289
|
+
#
|
1290
|
+
# {
|
1291
|
+
# object_identifier: "CustomObjectIdentifier", # required
|
1292
|
+
# value: "Base64String1To4096", # required
|
1293
|
+
# critical: false,
|
1294
|
+
# }
|
1295
|
+
#
|
1296
|
+
# @!attribute [rw] object_identifier
|
1297
|
+
# Specifies the object identifier (OID) of the X.509 extension. For
|
1298
|
+
# more information, see the [Global OID reference database.][1]
|
1299
|
+
#
|
1300
|
+
#
|
1301
|
+
#
|
1302
|
+
# [1]: https://oidref.com/2.5.29
|
1303
|
+
# @return [String]
|
1304
|
+
#
|
1305
|
+
# @!attribute [rw] value
|
1306
|
+
# Specifies the base64-encoded value of the X.509 extension.
|
1307
|
+
# @return [String]
|
1308
|
+
#
|
1309
|
+
# @!attribute [rw] critical
|
1310
|
+
# Specifies the critical flag of the X.509 extension.
|
1311
|
+
# @return [Boolean]
|
1312
|
+
#
|
1313
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/CustomExtension AWS API Documentation
|
1314
|
+
#
|
1315
|
+
class CustomExtension < Struct.new(
|
1316
|
+
:object_identifier,
|
1317
|
+
:value,
|
1318
|
+
:critical)
|
1319
|
+
SENSITIVE = []
|
1320
|
+
include Aws::Structure
|
1321
|
+
end
|
1322
|
+
|
1167
1323
|
# @note When making an API call, you may pass DeleteCertificateAuthorityRequest
|
1168
1324
|
# data as a hash:
|
1169
1325
|
#
|
@@ -1223,13 +1379,13 @@ module Aws::ACMPCA
|
|
1223
1379
|
# @return [String]
|
1224
1380
|
#
|
1225
1381
|
# @!attribute [rw] principal
|
1226
|
-
# The
|
1227
|
-
# revoked. At this time, the only valid service principal
|
1228
|
-
# `acm.amazonaws.com`
|
1382
|
+
# The Amazon Web Services service or identity that will have its CA
|
1383
|
+
# permissions revoked. At this time, the only valid service principal
|
1384
|
+
# is `acm.amazonaws.com`
|
1229
1385
|
# @return [String]
|
1230
1386
|
#
|
1231
1387
|
# @!attribute [rw] source_account
|
1232
|
-
# The
|
1388
|
+
# The Amazon Web Services account that calls this action.
|
1233
1389
|
# @return [String]
|
1234
1390
|
#
|
1235
1391
|
# @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/DeletePermissionRequest AWS API Documentation
|
@@ -1381,7 +1537,7 @@ module Aws::ACMPCA
|
|
1381
1537
|
#
|
1382
1538
|
#
|
1383
1539
|
#
|
1384
|
-
# [1]: https://
|
1540
|
+
# [1]: https://datatracker.ietf.org/doc/html/rfc5280
|
1385
1541
|
#
|
1386
1542
|
# @note When making an API call, you may pass EdiPartyName
|
1387
1543
|
# data as a hash:
|
@@ -1426,7 +1582,7 @@ module Aws::ACMPCA
|
|
1426
1582
|
#
|
1427
1583
|
#
|
1428
1584
|
#
|
1429
|
-
# [1]: https://
|
1585
|
+
# [1]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.12
|
1430
1586
|
# @return [String]
|
1431
1587
|
#
|
1432
1588
|
# @!attribute [rw] extended_key_usage_object_identifier
|
@@ -1502,6 +1658,12 @@ module Aws::ACMPCA
|
|
1502
1658
|
# initials: "String5",
|
1503
1659
|
# pseudonym: "String128",
|
1504
1660
|
# generation_qualifier: "String3",
|
1661
|
+
# custom_attributes: [
|
1662
|
+
# {
|
1663
|
+
# object_identifier: "CustomObjectIdentifier", # required
|
1664
|
+
# value: "String1To256", # required
|
1665
|
+
# },
|
1666
|
+
# ],
|
1505
1667
|
# },
|
1506
1668
|
# edi_party_name: {
|
1507
1669
|
# party_name: "String256", # required
|
@@ -1512,6 +1674,13 @@ module Aws::ACMPCA
|
|
1512
1674
|
# registered_id: "CustomObjectIdentifier",
|
1513
1675
|
# },
|
1514
1676
|
# ],
|
1677
|
+
# custom_extensions: [
|
1678
|
+
# {
|
1679
|
+
# object_identifier: "CustomObjectIdentifier", # required
|
1680
|
+
# value: "Base64String1To4096", # required
|
1681
|
+
# critical: false,
|
1682
|
+
# },
|
1683
|
+
# ],
|
1515
1684
|
# }
|
1516
1685
|
#
|
1517
1686
|
# @!attribute [rw] certificate_policies
|
@@ -1548,13 +1717,31 @@ module Aws::ACMPCA
|
|
1548
1717
|
# the certificate.
|
1549
1718
|
# @return [Array<Types::GeneralName>]
|
1550
1719
|
#
|
1720
|
+
# @!attribute [rw] custom_extensions
|
1721
|
+
# Contains a sequence of one or more X.509 extensions, each of which
|
1722
|
+
# consists of an object identifier (OID), a base64-encoded value, and
|
1723
|
+
# the critical flag. For more information, see the [Global OID
|
1724
|
+
# reference database.][1]
|
1725
|
+
#
|
1726
|
+
# <note markdown="1"> The OID value of a [CustomExtension][2] must not match the OID of a
|
1727
|
+
# predefined extension.
|
1728
|
+
#
|
1729
|
+
# </note>
|
1730
|
+
#
|
1731
|
+
#
|
1732
|
+
#
|
1733
|
+
# [1]: https://oidref.com/2.5.29
|
1734
|
+
# [2]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_CustomExtension.html
|
1735
|
+
# @return [Array<Types::CustomExtension>]
|
1736
|
+
#
|
1551
1737
|
# @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/Extensions AWS API Documentation
|
1552
1738
|
#
|
1553
1739
|
class Extensions < Struct.new(
|
1554
1740
|
:certificate_policies,
|
1555
1741
|
:extended_key_usage,
|
1556
1742
|
:key_usage,
|
1557
|
-
:subject_alternative_names
|
1743
|
+
:subject_alternative_names,
|
1744
|
+
:custom_extensions)
|
1558
1745
|
SENSITIVE = []
|
1559
1746
|
include Aws::Structure
|
1560
1747
|
end
|
@@ -1565,7 +1752,7 @@ module Aws::ACMPCA
|
|
1565
1752
|
#
|
1566
1753
|
#
|
1567
1754
|
#
|
1568
|
-
# [1]: https://
|
1755
|
+
# [1]: https://datatracker.ietf.org/doc/html/rfc5280
|
1569
1756
|
#
|
1570
1757
|
# @note When making an API call, you may pass GeneralName
|
1571
1758
|
# data as a hash:
|
@@ -1592,6 +1779,12 @@ module Aws::ACMPCA
|
|
1592
1779
|
# initials: "String5",
|
1593
1780
|
# pseudonym: "String128",
|
1594
1781
|
# generation_qualifier: "String3",
|
1782
|
+
# custom_attributes: [
|
1783
|
+
# {
|
1784
|
+
# object_identifier: "CustomObjectIdentifier", # required
|
1785
|
+
# value: "String1To256", # required
|
1786
|
+
# },
|
1787
|
+
# ],
|
1595
1788
|
# },
|
1596
1789
|
# edi_party_name: {
|
1597
1790
|
# party_name: "String256", # required
|
@@ -1611,7 +1804,7 @@ module Aws::ACMPCA
|
|
1611
1804
|
#
|
1612
1805
|
#
|
1613
1806
|
#
|
1614
|
-
# [1]: https://
|
1807
|
+
# [1]: https://datatracker.ietf.org/doc/html/rfc822
|
1615
1808
|
# @return [String]
|
1616
1809
|
#
|
1617
1810
|
# @!attribute [rw] dns_name
|
@@ -1861,9 +2054,9 @@ module Aws::ACMPCA
|
|
1861
2054
|
# @!attribute [rw] certificate_chain
|
1862
2055
|
# A PEM-encoded file that contains all of your certificates, other
|
1863
2056
|
# than the certificate you're importing, chaining up to your root CA.
|
1864
|
-
# Your
|
1865
|
-
# last in the chain, and each certificate in the
|
1866
|
-
# preceding.
|
2057
|
+
# Your Amazon Web Services Private CA-hosted or on-premises root
|
2058
|
+
# certificate is the last in the chain, and each certificate in the
|
2059
|
+
# chain signs the one preceding.
|
1867
2060
|
#
|
1868
2061
|
# This parameter must be supplied when you import a subordinate CA.
|
1869
2062
|
# When you import a root CA, there is no chain.
|
@@ -2043,6 +2236,12 @@ module Aws::ACMPCA
|
|
2043
2236
|
# initials: "String5",
|
2044
2237
|
# pseudonym: "String128",
|
2045
2238
|
# generation_qualifier: "String3",
|
2239
|
+
# custom_attributes: [
|
2240
|
+
# {
|
2241
|
+
# object_identifier: "CustomObjectIdentifier", # required
|
2242
|
+
# value: "String1To256", # required
|
2243
|
+
# },
|
2244
|
+
# ],
|
2046
2245
|
# },
|
2047
2246
|
# edi_party_name: {
|
2048
2247
|
# party_name: "String256", # required
|
@@ -2053,6 +2252,13 @@ module Aws::ACMPCA
|
|
2053
2252
|
# registered_id: "CustomObjectIdentifier",
|
2054
2253
|
# },
|
2055
2254
|
# ],
|
2255
|
+
# custom_extensions: [
|
2256
|
+
# {
|
2257
|
+
# object_identifier: "CustomObjectIdentifier", # required
|
2258
|
+
# value: "Base64String1To4096", # required
|
2259
|
+
# critical: false,
|
2260
|
+
# },
|
2261
|
+
# ],
|
2056
2262
|
# },
|
2057
2263
|
# subject: {
|
2058
2264
|
# country: "CountryCodeString",
|
@@ -2069,6 +2275,12 @@ module Aws::ACMPCA
|
|
2069
2275
|
# initials: "String5",
|
2070
2276
|
# pseudonym: "String128",
|
2071
2277
|
# generation_qualifier: "String3",
|
2278
|
+
# custom_attributes: [
|
2279
|
+
# {
|
2280
|
+
# object_identifier: "CustomObjectIdentifier", # required
|
2281
|
+
# value: "String1To256", # required
|
2282
|
+
# },
|
2283
|
+
# ],
|
2072
2284
|
# },
|
2073
2285
|
# },
|
2074
2286
|
# certificate_authority_arn: "Arn", # required
|
@@ -2094,8 +2306,8 @@ module Aws::ACMPCA
|
|
2094
2306
|
# Certificate Templates][1].
|
2095
2307
|
#
|
2096
2308
|
# If conflicting or duplicate certificate information is supplied
|
2097
|
-
# during certificate issuance,
|
2098
|
-
# operation rules][2] to determine what information is used.
|
2309
|
+
# during certificate issuance, Amazon Web Services Private CA applies
|
2310
|
+
# [order of operation rules][2] to determine what information is used.
|
2099
2311
|
#
|
2100
2312
|
#
|
2101
2313
|
#
|
@@ -2128,7 +2340,7 @@ module Aws::ACMPCA
|
|
2128
2340
|
# contains your X509 version 3 extensions.
|
2129
2341
|
#
|
2130
2342
|
# `openssl req -new -config openssl_rsa.cnf -extensions usr_cert
|
2131
|
-
# -newkey rsa:2048 -days
|
2343
|
+
# -newkey rsa:2048 -days 365 -keyout private/test_cert_priv_key.pem
|
2132
2344
|
# -out csr/test_cert_.csr`
|
2133
2345
|
#
|
2134
2346
|
# Note: A CSR must provide either a *subject name* or a *subject
|
@@ -2142,21 +2354,26 @@ module Aws::ACMPCA
|
|
2142
2354
|
# This parameter should not be confused with the `SigningAlgorithm`
|
2143
2355
|
# parameter used to sign a CSR in the `CreateCertificateAuthority`
|
2144
2356
|
# action.
|
2357
|
+
#
|
2358
|
+
# <note markdown="1"> The specified signing algorithm family (RSA or ECDSA) much match the
|
2359
|
+
# algorithm family of the CA's secret key.
|
2360
|
+
#
|
2361
|
+
# </note>
|
2145
2362
|
# @return [String]
|
2146
2363
|
#
|
2147
2364
|
# @!attribute [rw] template_arn
|
2148
2365
|
# Specifies a custom configuration template to use when issuing a
|
2149
|
-
# certificate. If this parameter is not provided,
|
2150
|
-
# defaults to the `EndEntityCertificate/V1` template. For
|
2151
|
-
# certificates, you should choose the shortest path length that
|
2152
|
-
# your needs. The path length is indicated by the PathLen*N*
|
2153
|
-
# of the ARN, where *N* is the [CA depth][1].
|
2366
|
+
# certificate. If this parameter is not provided, Amazon Web Services
|
2367
|
+
# Private CA defaults to the `EndEntityCertificate/V1` template. For
|
2368
|
+
# CA certificates, you should choose the shortest path length that
|
2369
|
+
# meets your needs. The path length is indicated by the PathLen*N*
|
2370
|
+
# portion of the ARN, where *N* is the [CA depth][1].
|
2154
2371
|
#
|
2155
2372
|
# Note: The CA depth configured on a subordinate CA certificate must
|
2156
2373
|
# not exceed the limit set by its parents in the CA hierarchy.
|
2157
2374
|
#
|
2158
|
-
# For a list of `TemplateArn` values supported by
|
2159
|
-
# [Understanding Certificate Templates][2].
|
2375
|
+
# For a list of `TemplateArn` values supported by Amazon Web Services
|
2376
|
+
# Private CA, see [Understanding Certificate Templates][2].
|
2160
2377
|
#
|
2161
2378
|
#
|
2162
2379
|
#
|
@@ -2185,7 +2402,7 @@ module Aws::ACMPCA
|
|
2185
2402
|
#
|
2186
2403
|
#
|
2187
2404
|
#
|
2188
|
-
# [1]: https://
|
2405
|
+
# [1]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.5
|
2189
2406
|
# @return [Types::Validity]
|
2190
2407
|
#
|
2191
2408
|
# @!attribute [rw] validity_not_before
|
@@ -2193,11 +2410,11 @@ module Aws::ACMPCA
|
|
2193
2410
|
# certificate. This parameter sets the “Not Before" date for the
|
2194
2411
|
# certificate.
|
2195
2412
|
#
|
2196
|
-
# By default, when issuing a certificate,
|
2197
|
-
# "Not Before" date to the issuance time minus 60
|
2198
|
-
# compensates for clock inconsistencies across computer
|
2199
|
-
# `ValidityNotBefore` parameter can be used to customize
|
2200
|
-
# Before” value.
|
2413
|
+
# By default, when issuing a certificate, Amazon Web Services Private
|
2414
|
+
# CA sets the "Not Before" date to the issuance time minus 60
|
2415
|
+
# minutes. This compensates for clock inconsistencies across computer
|
2416
|
+
# systems. The `ValidityNotBefore` parameter can be used to customize
|
2417
|
+
# the “Not Before” value.
|
2201
2418
|
#
|
2202
2419
|
# Unlike the `Validity` parameter, the `ValidityNotBefore` parameter
|
2203
2420
|
# is optional.
|
@@ -2210,7 +2427,7 @@ module Aws::ACMPCA
|
|
2210
2427
|
#
|
2211
2428
|
#
|
2212
2429
|
# [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_Validity.html
|
2213
|
-
# [2]: https://
|
2430
|
+
# [2]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.5
|
2214
2431
|
# @return [Types::Validity]
|
2215
2432
|
#
|
2216
2433
|
# @!attribute [rw] idempotency_token
|
@@ -2218,10 +2435,10 @@ module Aws::ACMPCA
|
|
2218
2435
|
# the **IssueCertificate** action. Idempotency tokens for
|
2219
2436
|
# **IssueCertificate** time out after one minute. Therefore, if you
|
2220
2437
|
# call **IssueCertificate** multiple times with the same idempotency
|
2221
|
-
# token within one minute,
|
2222
|
-
# requesting only one certificate and will issue only
|
2223
|
-
# change the idempotency token for each call, PCA
|
2224
|
-
# are requesting multiple certificates.
|
2438
|
+
# token within one minute, Amazon Web Services Private CA recognizes
|
2439
|
+
# that you are requesting only one certificate and will issue only
|
2440
|
+
# one. If you change the idempotency token for each call, PCA
|
2441
|
+
# recognizes that you are requesting multiple certificates.
|
2225
2442
|
# @return [String]
|
2226
2443
|
#
|
2227
2444
|
# @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/IssueCertificateRequest AWS API Documentation
|
@@ -2325,8 +2542,8 @@ module Aws::ACMPCA
|
|
2325
2542
|
include Aws::Structure
|
2326
2543
|
end
|
2327
2544
|
|
2328
|
-
# An
|
2329
|
-
# returned to determine the quota that was exceeded.
|
2545
|
+
# An Amazon Web Services Private CA quota has been exceeded. See the
|
2546
|
+
# exception message returned to determine the quota that was exceeded.
|
2330
2547
|
#
|
2331
2548
|
# @!attribute [rw] message
|
2332
2549
|
# @return [String]
|
@@ -2588,17 +2805,17 @@ module Aws::ACMPCA
|
|
2588
2805
|
# @return [Boolean]
|
2589
2806
|
#
|
2590
2807
|
# @!attribute [rw] ocsp_custom_cname
|
2591
|
-
# By default,
|
2592
|
-
# being validated by the Online
|
2593
|
-
#
|
2594
|
-
# specifying a customized OCSP domain.
|
2808
|
+
# By default, Amazon Web Services Private CA injects an Amazon Web
|
2809
|
+
# Services domain into certificates being validated by the Online
|
2810
|
+
# Certificate Status Protocol (OCSP). A customer can alternatively use
|
2811
|
+
# this object to define a CNAME specifying a customized OCSP domain.
|
2595
2812
|
#
|
2596
2813
|
# Note: The value of the CNAME must not include a protocol prefix such
|
2597
2814
|
# as "http://" or "https://".
|
2598
2815
|
#
|
2599
2816
|
# For more information, see [Customizing Online Certificate Status
|
2600
|
-
# Protocol (OCSP) ][1] in the *
|
2601
|
-
#
|
2817
|
+
# Protocol (OCSP) ][1] in the *Amazon Web Services Private Certificate
|
2818
|
+
# Authority User Guide*.
|
2602
2819
|
#
|
2603
2820
|
#
|
2604
2821
|
#
|
@@ -2649,12 +2866,13 @@ module Aws::ACMPCA
|
|
2649
2866
|
end
|
2650
2867
|
|
2651
2868
|
# Permissions designate which private CA actions can be performed by an
|
2652
|
-
#
|
2653
|
-
# certificates, you must give the ACM
|
2654
|
-
# permissions (`IssueCertificate`,
|
2655
|
-
# `ListPermissions`). Permissions can be assigned
|
2656
|
-
# [CreatePermission][1] action, removed with the
|
2657
|
-
# action, and listed with the [ListPermissions][3]
|
2869
|
+
# Amazon Web Services service or entity. In order for ACM to
|
2870
|
+
# automatically renew private certificates, you must give the ACM
|
2871
|
+
# service principal all available permissions (`IssueCertificate`,
|
2872
|
+
# `GetCertificate`, and `ListPermissions`). Permissions can be assigned
|
2873
|
+
# with the [CreatePermission][1] action, removed with the
|
2874
|
+
# [DeletePermission][2] action, and listed with the [ListPermissions][3]
|
2875
|
+
# action.
|
2658
2876
|
#
|
2659
2877
|
#
|
2660
2878
|
#
|
@@ -2672,8 +2890,8 @@ module Aws::ACMPCA
|
|
2672
2890
|
# @return [Time]
|
2673
2891
|
#
|
2674
2892
|
# @!attribute [rw] principal
|
2675
|
-
# The
|
2676
|
-
# the only valid principal is `acm.amazonaws.com`.
|
2893
|
+
# The Amazon Web Services service or entity that holds the permission.
|
2894
|
+
# At this time, the only valid principal is `acm.amazonaws.com`.
|
2677
2895
|
# @return [String]
|
2678
2896
|
#
|
2679
2897
|
# @!attribute [rw] source_account
|
@@ -2681,8 +2899,8 @@ module Aws::ACMPCA
|
|
2681
2899
|
# @return [String]
|
2682
2900
|
#
|
2683
2901
|
# @!attribute [rw] actions
|
2684
|
-
# The private CA actions that can be performed by the designated
|
2685
|
-
# service.
|
2902
|
+
# The private CA actions that can be performed by the designated
|
2903
|
+
# Amazon Web Services service.
|
2686
2904
|
# @return [Array<String>]
|
2687
2905
|
#
|
2688
2906
|
# @!attribute [rw] policy
|
@@ -2743,8 +2961,9 @@ module Aws::ACMPCA
|
|
2743
2961
|
# @return [String]
|
2744
2962
|
#
|
2745
2963
|
# @!attribute [rw] policy_qualifiers
|
2746
|
-
# Modifies the given `CertPolicyId` with a qualifier.
|
2747
|
-
# supports the certification practice statement
|
2964
|
+
# Modifies the given `CertPolicyId` with a qualifier. Amazon Web
|
2965
|
+
# Services Private CA supports the certification practice statement
|
2966
|
+
# (CPS) qualifier.
|
2748
2967
|
# @return [Array<Types::PolicyQualifierInfo>]
|
2749
2968
|
#
|
2750
2969
|
# @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/PolicyInformation AWS API Documentation
|
@@ -2757,8 +2976,8 @@ module Aws::ACMPCA
|
|
2757
2976
|
end
|
2758
2977
|
|
2759
2978
|
# Modifies the `CertPolicyId` of a `PolicyInformation` object with a
|
2760
|
-
# qualifier.
|
2761
|
-
# statement (CPS) qualifier.
|
2979
|
+
# qualifier. Amazon Web Services Private CA supports the certification
|
2980
|
+
# practice statement (CPS) qualifier.
|
2762
2981
|
#
|
2763
2982
|
# @note When making an API call, you may pass PolicyQualifierInfo
|
2764
2983
|
# data as a hash:
|
@@ -2775,8 +2994,8 @@ module Aws::ACMPCA
|
|
2775
2994
|
# @return [String]
|
2776
2995
|
#
|
2777
2996
|
# @!attribute [rw] qualifier
|
2778
|
-
# Defines the qualifier type.
|
2779
|
-
# for a CPS qualifier in this field.
|
2997
|
+
# Defines the qualifier type. Amazon Web Services Private CA supports
|
2998
|
+
# the use of a URI for a CPS qualifier in this field.
|
2780
2999
|
# @return [Types::Qualifier]
|
2781
3000
|
#
|
2782
3001
|
# @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/PolicyQualifierInfo AWS API Documentation
|
@@ -2830,13 +3049,13 @@ module Aws::ACMPCA
|
|
2830
3049
|
include Aws::Structure
|
2831
3050
|
end
|
2832
3051
|
|
2833
|
-
# Defines a `PolicyInformation` qualifier.
|
2834
|
-
# [certification practice statement (CPS) qualifier][1]
|
2835
|
-
# 5280.
|
3052
|
+
# Defines a `PolicyInformation` qualifier. Amazon Web Services Private
|
3053
|
+
# CA supports the [certification practice statement (CPS) qualifier][1]
|
3054
|
+
# defined in RFC 5280.
|
2836
3055
|
#
|
2837
3056
|
#
|
2838
3057
|
#
|
2839
|
-
# [1]: https://
|
3058
|
+
# [1]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.4
|
2840
3059
|
#
|
2841
3060
|
# @note When making an API call, you may pass Qualifier
|
2842
3061
|
# data as a hash:
|
@@ -2946,8 +3165,8 @@ module Aws::ACMPCA
|
|
2946
3165
|
# about certificates as requested by clients, and a CRL contains an
|
2947
3166
|
# updated list of certificates revoked by your CA. For more information,
|
2948
3167
|
# see [RevokeCertificate][3] and [Setting up a certificate revocation
|
2949
|
-
# method][4] in the *
|
2950
|
-
#
|
3168
|
+
# method][4] in the *Amazon Web Services Private Certificate Authority
|
3169
|
+
# User Guide*.
|
2951
3170
|
#
|
2952
3171
|
#
|
2953
3172
|
#
|
@@ -2977,8 +3196,8 @@ module Aws::ACMPCA
|
|
2977
3196
|
# Configuration of the certificate revocation list (CRL), if any,
|
2978
3197
|
# maintained by your private CA. A CRL is typically updated
|
2979
3198
|
# approximately 30 minutes after a certificate is revoked. If for any
|
2980
|
-
# reason a CRL update fails,
|
2981
|
-
# every 15 minutes.
|
3199
|
+
# reason a CRL update fails, Amazon Web Services Private CA makes
|
3200
|
+
# further attempts every 15 minutes.
|
2982
3201
|
# @return [Types::CrlConfiguration]
|
2983
3202
|
#
|
2984
3203
|
# @!attribute [rw] ocsp_configuration
|
@@ -3026,7 +3245,7 @@ module Aws::ACMPCA
|
|
3026
3245
|
# `openssl x509 -in file_path -text -noout`
|
3027
3246
|
#
|
3028
3247
|
# You can also copy the serial number from the console or use the
|
3029
|
-
# [DescribeCertificate][2] action in the *
|
3248
|
+
# [DescribeCertificate][2] action in the *Certificate Manager API
|
3030
3249
|
# Reference*.
|
3031
3250
|
#
|
3032
3251
|
#
|
@@ -3238,16 +3457,16 @@ module Aws::ACMPCA
|
|
3238
3457
|
# after issuance, stated in days, months, or years. For more
|
3239
3458
|
# information, see [Validity][1] in RFC 5280.
|
3240
3459
|
#
|
3241
|
-
#
|
3242
|
-
# two distinct parameters of the `IssueCertificate`
|
3243
|
-
# parameter `IssueCertificate`\:`Validity`
|
3244
|
-
# certificate's validity period. The optional
|
3245
|
-
# `IssueCertificate`\:`ValidityNotBefore` specifies a
|
3246
|
-
# starting time for the validity period.
|
3460
|
+
# Amazon Web Services Private CA API consumes the `Validity` data type
|
3461
|
+
# differently in two distinct parameters of the `IssueCertificate`
|
3462
|
+
# action. The required parameter `IssueCertificate`\:`Validity`
|
3463
|
+
# specifies the end of a certificate's validity period. The optional
|
3464
|
+
# parameter `IssueCertificate`\:`ValidityNotBefore` specifies a
|
3465
|
+
# customized starting time for the validity period.
|
3247
3466
|
#
|
3248
3467
|
#
|
3249
3468
|
#
|
3250
|
-
# [1]: https://
|
3469
|
+
# [1]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.5
|
3251
3470
|
#
|
3252
3471
|
# @note When making an API call, you may pass Validity
|
3253
3472
|
# data as a hash:
|
@@ -3262,10 +3481,10 @@ module Aws::ACMPCA
|
|
3262
3481
|
# @return [Integer]
|
3263
3482
|
#
|
3264
3483
|
# @!attribute [rw] type
|
3265
|
-
# Determines how *
|
3266
|
-
# integer. Supported validity types include
|
3267
|
-
# definitions with values include a sample
|
3268
|
-
# resulting output.
|
3484
|
+
# Determines how *Amazon Web Services Private CA* interprets the
|
3485
|
+
# `Value` parameter, an integer. Supported validity types include
|
3486
|
+
# those listed below. Type definitions with values include a sample
|
3487
|
+
# input value and the resulting output.
|
3269
3488
|
#
|
3270
3489
|
# `END_DATE`\: The specific date and time when the certificate will
|
3271
3490
|
# expire, expressed using UTCTime (YYMMDDHHMMSS) or GeneralizedTime
|