aws-sdk-acmpca 1.46.0 → 1.47.0

data/lib/aws-sdk-acmpca/client.rb

@@ -376,20 +376,21 @@ module Aws::ACMPCA
     # CA. If successful, this action returns the Amazon Resource Name (ARN)
     # of the CA.
     #
-    # ACM Private CA assets that are stored in Amazon S3 can be protected
-    # with encryption. For more information, see [Encrypting Your CRLs][1].
+    # Amazon Web Services Private CA assets that are stored in Amazon S3 can
+    # be protected with encryption. For more information, see [Encrypting
+    # Your CRLs][1].
     #
     # <note markdown="1"> Both PCA and the IAM principal must have permission to write to the S3
     # bucket that you specify. If the IAM principal making the call does not
     # have permission to write to the bucket, then an exception is thrown.
-    # For more information, see [Configure Access to ACM Private CA][2].
+    # For more information, see [Access policies for CRLs in Amazon S3][2].
     #
     #  </note>
     #
     #
     #
     # [1]: https://docs.aws.amazon.com/acm-pca/latest/userguide/PcaCreateCa.html#crl-encryption
-    # [2]: https://docs.aws.amazon.com/acm-pca/latest/userguide/PcaAuthAccess.html
+    # [2]: https://docs.aws.amazon.com/acm-pca/latest/userguide/crl-planning.html#s3-policies
     #
     # @option params [required, Types::CertificateAuthorityConfiguration] :certificate_authority_configuration
     #   Name and bit size of the private key algorithm, the name of the
@@ -415,10 +416,11 @@ module Aws::ACMPCA
     #   **CreateCertificateAuthority** action. Idempotency tokens for
     #   **CreateCertificateAuthority** time out after five minutes. Therefore,
     #   if you call **CreateCertificateAuthority** multiple times with the
-    #   same idempotency token within five minutes, ACM Private CA recognizes
-    #   that you are requesting only certificate authority and will issue only
-    #   one. If you change the idempotency token for each call, PCA recognizes
-    #   that you are requesting multiple certificate authorities.
+    #   same idempotency token within five minutes, Amazon Web Services
+    #   Private CA recognizes that you are requesting only certificate
+    #   authority and will issue only one. If you change the idempotency token
+    #   for each call, PCA recognizes that you are requesting multiple
+    #   certificate authorities.
     #
     # @option params [String] :key_storage_security_standard
     #   Specifies a cryptographic key management compliance standard used for
@@ -469,6 +471,12 @@ module Aws::ACMPCA
     #         initials: "String5",
     #         pseudonym: "String128",
     #         generation_qualifier: "String3",
+    #         custom_attributes: [
+    #           {
+    #             object_identifier: "CustomObjectIdentifier", # required
+    #             value: "String1To256", # required
+    #           },
+    #         ],
     #       },
     #       csr_extensions: {
     #         key_usage: {
@@ -510,6 +518,12 @@ module Aws::ACMPCA
     #                 initials: "String5",
     #                 pseudonym: "String128",
     #                 generation_qualifier: "String3",
+    #                 custom_attributes: [
+    #                   {
+    #                     object_identifier: "CustomObjectIdentifier", # required
+    #                     value: "String1To256", # required
+    #                   },
+    #                 ],
     #               },
     #               edi_party_name: {
     #                 party_name: "String256", # required
@@ -568,19 +582,23 @@ module Aws::ACMPCA
     # <note markdown="1"> Both PCA and the IAM principal must have permission to write to the S3
     # bucket that you specify. If the IAM principal making the call does not
     # have permission to write to the bucket, then an exception is thrown.
-    # For more information, see [Configure Access to ACM Private CA][3].
+    # For more information, see [Access policies for CRLs in Amazon S3][3].
     #
     #  </note>
     #
-    # ACM Private CA assets that are stored in Amazon S3 can be protected
-    # with encryption. For more information, see [Encrypting Your Audit
-    # Reports][4].
+    # Amazon Web Services Private CA assets that are stored in Amazon S3 can
+    # be protected with encryption. For more information, see [Encrypting
+    # Your Audit Reports][4].
+    #
+    # <note markdown="1"> You can generate a maximum of one report every 30 minutes.
+    #
+    #  </note>
     #
     #
     #
     # [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_IssueCertificate.html
     # [2]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_RevokeCertificate.html
-    # [3]: https://docs.aws.amazon.com/acm-pca/latest/userguide/PcaAuthAccess.html
+    # [3]: https://docs.aws.amazon.com/acm-pca/latest/userguide/crl-planning.html#s3-policies
     # [4]: https://docs.aws.amazon.com/acm-pca/latest/userguide/PcaAuditReport.html#audit-report-encryption
     #
     # @option params [required, String] :certificate_authority_arn
@@ -624,10 +642,10 @@ module Aws::ACMPCA
       req.send_request(options)
     end
 
-    # Grants one or more permissions on a private CA to the AWS Certificate
+    # Grants one or more permissions on a private CA to the Certificate
     # Manager (ACM) service principal (`acm.amazonaws.com`). These
     # permissions allow ACM to issue and renew ACM certificates that reside
-    # in the same AWS account as the CA.
+    # in the same Amazon Web Services account as the CA.
     #
     # You can list current permissions with the [ListPermissions][1] action
     # and revoke them with the [DeletePermission][2] action.
@@ -646,8 +664,8 @@ module Aws::ACMPCA
     #   accounts, then permissions cannot be used to enable automatic
     #   renewals. Instead, the ACM certificate owner must set up a
     #   resource-based policy to enable cross-account issuance and renewals.
-    #   For more information, see [Using a Resource Based Policy with ACM
-    #   Private CA][3].
+    #   For more information, see [Using a Resource Based Policy with Amazon
+    #   Web Services Private CA][3].
     #
     #
     #
@@ -668,15 +686,17 @@ module Aws::ACMPCA
     #   [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_ListCertificateAuthorities.html
     #
     # @option params [required, String] :principal
-    #   The AWS service or identity that receives the permission. At this
-    #   time, the only valid principal is `acm.amazonaws.com`.
+    #   The Amazon Web Services service or identity that receives the
+    #   permission. At this time, the only valid principal is
+    #   `acm.amazonaws.com`.
     #
     # @option params [String] :source_account
     #   The ID of the calling account.
     #
     # @option params [required, Array<String>] :actions
-    #   The actions that the specified AWS service principal can use. These
-    #   include `IssueCertificate`, `GetCertificate`, and `ListPermissions`.
+    #   The actions that the specified Amazon Web Services service principal
+    #   can use. These include `IssueCertificate`, `GetCertificate`, and
+    #   `ListPermissions`.
     #
     # @return [Struct] Returns an empty {Seahorse::Client::Response response}.
     #
@@ -716,8 +736,8 @@ module Aws::ACMPCA
     # Additionally, you can delete a CA if you are waiting for it to be
     # created (that is, the status of the CA is `CREATING`). You can also
     # delete it if the CA has been created but you haven't yet imported the
-    # signed certificate into ACM Private CA (that is, the status of the CA
-    # is `PENDING_CERTIFICATE`).
+    # signed certificate into Amazon Web Services Private CA (that is, the
+    # status of the CA is `PENDING_CERTIFICATE`).
     #
     # When you successfully call [DeleteCertificateAuthority][3], the CA's
     # status changes to `DELETED`. However, the CA won't be permanently
@@ -770,13 +790,13 @@ module Aws::ACMPCA
       req.send_request(options)
     end
 
-    # Revokes permissions on a private CA granted to the AWS Certificate
-    # Manager (ACM) service principal (acm.amazonaws.com).
+    # Revokes permissions on a private CA granted to the Certificate Manager
+    # (ACM) service principal (acm.amazonaws.com).
     #
     # These permissions allow ACM to issue and renew ACM certificates that
-    # reside in the same AWS account as the CA. If you revoke these
-    # permissions, ACM will no longer renew the affected certificates
-    # automatically.
+    # reside in the same Amazon Web Services account as the CA. If you
+    # revoke these permissions, ACM will no longer renew the affected
+    # certificates automatically.
     #
     # Permissions can be granted with the [CreatePermission][1] action and
     # listed with the [ListPermissions][2] action.
@@ -795,8 +815,8 @@ module Aws::ACMPCA
     #   accounts, then permissions cannot be used to enable automatic
     #   renewals. Instead, the ACM certificate owner must set up a
     #   resource-based policy to enable cross-account issuance and renewals.
-    #   For more information, see [Using a Resource Based Policy with ACM
-    #   Private CA][3].
+    #   For more information, see [Using a Resource Based Policy with Amazon
+    #   Web Services Private CA][3].
     #
     #
     #
@@ -818,11 +838,12 @@ module Aws::ACMPCA
     #   [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_ListCertificateAuthorities.html
     #
     # @option params [required, String] :principal
-    #   The AWS service or identity that will have its CA permissions revoked.
-    #   At this time, the only valid service principal is `acm.amazonaws.com`
+    #   The Amazon Web Services service or identity that will have its CA
+    #   permissions revoked. At this time, the only valid service principal is
+    #   `acm.amazonaws.com`
     #
     # @option params [String] :source_account
-    #   The AWS account that calls this action.
+    #   The Amazon Web Services account that calls this action.
     #
     # @return [Struct] Returns an empty {Seahorse::Client::Response response}.
     #
@@ -847,35 +868,36 @@ module Aws::ACMPCA
     # will remove any access that the policy has granted. If there is no
     # policy attached to the private CA, this action will return successful.
     #
-    # If you delete a policy that was applied through AWS Resource Access
-    # Manager (RAM), the CA will be removed from all shares in which it was
-    # included.
+    # If you delete a policy that was applied through Amazon Web Services
+    # Resource Access Manager (RAM), the CA will be removed from all shares
+    # in which it was included.
     #
-    # The AWS Certificate Manager Service Linked Role that the policy
-    # supports is not affected when you delete the policy.
+    # The Certificate Manager Service Linked Role that the policy supports
+    # is not affected when you delete the policy.
     #
     # The current policy can be shown with [GetPolicy][1] and updated with
     # [PutPolicy][2].
     #
     # **About Policies**
     #
-    # * A policy grants access on a private CA to an AWS customer account,
-    #   to AWS Organizations, or to an AWS Organizations unit. Policies are
-    #   under the control of a CA administrator. For more information, see
-    #   [Using a Resource Based Policy with ACM Private CA][3].
+    # * A policy grants access on a private CA to an Amazon Web Services
+    #   customer account, to Amazon Web Services Organizations, or to an
+    #   Amazon Web Services Organizations unit. Policies are under the
+    #   control of a CA administrator. For more information, see [Using a
+    #   Resource Based Policy with Amazon Web Services Private CA][3].
     #
-    # * A policy permits a user of AWS Certificate Manager (ACM) to issue
-    #   ACM certificates signed by a CA in another account.
+    # * A policy permits a user of Certificate Manager (ACM) to issue ACM
+    #   certificates signed by a CA in another account.
     #
     # * For ACM to manage automatic renewal of these certificates, the ACM
     #   user must configure a Service Linked Role (SLR). The SLR allows the
     #   ACM service to assume the identity of the user, subject to
-    #   confirmation against the ACM Private CA policy. For more
-    #   information, see [Using a Service Linked Role with ACM][4].
+    #   confirmation against the Amazon Web Services Private CA policy. For
+    #   more information, see [Using a Service Linked Role with ACM][4].
     #
-    # * Updates made in AWS Resource Manager (RAM) are reflected in
-    #   policies. For more information, see [Attach a Policy for
-    #   Cross-Account Access][5].
+    # * Updates made in Amazon Web Services Resource Manager (RAM) are
+    #   reflected in policies. For more information, see [Attach a Policy
+    #   for Cross-Account Access][5].
     #
     #
     #
@@ -918,12 +940,13 @@ module Aws::ACMPCA
     # its ARN (Amazon Resource Name). The output contains the status of your
     # CA. This can be any of the following:
     #
-    # * `CREATING` - ACM Private CA is creating your private certificate
-    #   authority.
+    # * `CREATING` - Amazon Web Services Private CA is creating your private
+    #   certificate authority.
     #
     # * `PENDING_CERTIFICATE` - The certificate is pending. You must use
-    #   your ACM Private CA-hosted or on-premises root or subordinate CA to
-    #   sign your private CA CSR and then import it into PCA.
+    #   your Amazon Web Services Private CA-hosted or on-premises root or
+    #   subordinate CA to sign your private CA CSR and then import it into
+    #   PCA.
     #
     # * `ACTIVE` - Your private CA is active.
     #
@@ -932,9 +955,9 @@ module Aws::ACMPCA
     # * `EXPIRED` - Your private CA certificate has expired.
     #
     # * `FAILED` - Your private CA has failed. Your CA can fail because of
-    #   problems such a network outage or back-end AWS failure or other
-    #   errors. A failed CA can never return to the pending state. You must
-    #   create a new CA.
+    #   problems such a network outage or back-end Amazon Web Services
+    #   failure or other errors. A failed CA can never return to the pending
+    #   state. You must create a new CA.
     #
     # * `DELETED` - Your private CA is within the restoration period, after
     #   which it is permanently deleted. The length of time remaining in the
@@ -989,6 +1012,9 @@ module Aws::ACMPCA
     #   resp.certificate_authority.certificate_authority_configuration.subject.initials #=> String
     #   resp.certificate_authority.certificate_authority_configuration.subject.pseudonym #=> String
     #   resp.certificate_authority.certificate_authority_configuration.subject.generation_qualifier #=> String
+    #   resp.certificate_authority.certificate_authority_configuration.subject.custom_attributes #=> Array
+    #   resp.certificate_authority.certificate_authority_configuration.subject.custom_attributes[0].object_identifier #=> String
+    #   resp.certificate_authority.certificate_authority_configuration.subject.custom_attributes[0].value #=> String
     #   resp.certificate_authority.certificate_authority_configuration.csr_extensions.key_usage.digital_signature #=> Boolean
     #   resp.certificate_authority.certificate_authority_configuration.csr_extensions.key_usage.non_repudiation #=> Boolean
     #   resp.certificate_authority.certificate_authority_configuration.csr_extensions.key_usage.key_encipherment #=> Boolean
@@ -1019,6 +1045,9 @@ module Aws::ACMPCA
     #   resp.certificate_authority.certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.directory_name.initials #=> String
     #   resp.certificate_authority.certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.directory_name.pseudonym #=> String
     #   resp.certificate_authority.certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.directory_name.generation_qualifier #=> String
+    #   resp.certificate_authority.certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.directory_name.custom_attributes #=> Array
+    #   resp.certificate_authority.certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.directory_name.custom_attributes[0].object_identifier #=> String
+    #   resp.certificate_authority.certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.directory_name.custom_attributes[0].value #=> String
     #   resp.certificate_authority.certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.edi_party_name.party_name #=> String
     #   resp.certificate_authority.certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.edi_party_name.name_assigner #=> String
     #   resp.certificate_authority.certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.uniform_resource_identifier #=> String
@@ -1209,11 +1238,11 @@ module Aws::ACMPCA
 
     # Retrieves the certificate signing request (CSR) for your private
     # certificate authority (CA). The CSR is created when you call the
-    # [CreateCertificateAuthority][1] action. Sign the CSR with your ACM
-    # Private CA-hosted or on-premises root or subordinate CA. Then import
-    # the signed certificate back into ACM Private CA by calling the
-    # [ImportCertificateAuthorityCertificate][2] action. The CSR is returned
-    # as a base64 PEM-encoded string.
+    # [CreateCertificateAuthority][1] action. Sign the CSR with your Amazon
+    # Web Services Private CA-hosted or on-premises root or subordinate CA.
+    # Then import the signed certificate back into Amazon Web Services
+    # Private CA by calling the [ImportCertificateAuthorityCertificate][2]
+    # action. The CSR is returned as a base64 PEM-encoded string.
     #
     #
     #
@@ -1268,23 +1297,24 @@ module Aws::ACMPCA
     #
     # **About Policies**
     #
-    # * A policy grants access on a private CA to an AWS customer account,
-    #   to AWS Organizations, or to an AWS Organizations unit. Policies are
-    #   under the control of a CA administrator. For more information, see
-    #   [Using a Resource Based Policy with ACM Private CA][3].
+    # * A policy grants access on a private CA to an Amazon Web Services
+    #   customer account, to Amazon Web Services Organizations, or to an
+    #   Amazon Web Services Organizations unit. Policies are under the
+    #   control of a CA administrator. For more information, see [Using a
+    #   Resource Based Policy with Amazon Web Services Private CA][3].
     #
-    # * A policy permits a user of AWS Certificate Manager (ACM) to issue
-    #   ACM certificates signed by a CA in another account.
+    # * A policy permits a user of Certificate Manager (ACM) to issue ACM
+    #   certificates signed by a CA in another account.
     #
     # * For ACM to manage automatic renewal of these certificates, the ACM
     #   user must configure a Service Linked Role (SLR). The SLR allows the
     #   ACM service to assume the identity of the user, subject to
-    #   confirmation against the ACM Private CA policy. For more
-    #   information, see [Using a Service Linked Role with ACM][4].
+    #   confirmation against the Amazon Web Services Private CA policy. For
+    #   more information, see [Using a Service Linked Role with ACM][4].
     #
-    # * Updates made in AWS Resource Manager (RAM) are reflected in
-    #   policies. For more information, see [Attach a Policy for
-    #   Cross-Account Access][5].
+    # * Updates made in Amazon Web Services Resource Manager (RAM) are
+    #   reflected in policies. For more information, see [Attach a Policy
+    #   for Cross-Account Access][5].
     #
     #
     #
@@ -1322,14 +1352,14 @@ module Aws::ACMPCA
       req.send_request(options)
     end
 
-    # Imports a signed private CA certificate into ACM Private CA. This
-    # action is used when you are using a chain of trust whose root is
-    # located outside ACM Private CA. Before you can call this action, the
-    # following preparations must in place:
+    # Imports a signed private CA certificate into Amazon Web Services
+    # Private CA. This action is used when you are using a chain of trust
+    # whose root is located outside Amazon Web Services Private CA. Before
+    # you can call this action, the following preparations must in place:
     #
-    # 1.  In ACM Private CA, call the [CreateCertificateAuthority][1] action
-    #     to create the private CA that you plan to back with the imported
-    #     certificate.
+    # 1.  In Amazon Web Services Private CA, call the
+    #     [CreateCertificateAuthority][1] action to create the private CA
+    #     that you plan to back with the imported certificate.
     #
     # 2.  Call the [GetCertificateAuthorityCsr][2] action to generate a
     #     certificate signing request (CSR).
@@ -1340,13 +1370,14 @@ module Aws::ACMPCA
     # 4.  Create a certificate chain and copy the signed certificate and the
     #     certificate chain to your working directory.
     #
-    # ACM Private CA supports three scenarios for installing a CA
-    # certificate:
+    # Amazon Web Services Private CA supports three scenarios for installing
+    # a CA certificate:
     #
-    # * Installing a certificate for a root CA hosted by ACM Private CA.
+    # * Installing a certificate for a root CA hosted by Amazon Web Services
+    #   Private CA.
     #
     # * Installing a subordinate CA certificate whose parent authority is
-    #   hosted by ACM Private CA.
+    #   hosted by Amazon Web Services Private CA.
     #
     # * Installing a subordinate CA certificate whose parent authority is
     #   externally hosted.
@@ -1374,8 +1405,8 @@ module Aws::ACMPCA
     #
     # *Enforcement of Critical Constraints*
     #
-    # ACM Private CA allows the following extensions to be marked critical
-    # in the imported CA certificate or chain.
+    # Amazon Web Services Private CA allows the following extensions to be
+    # marked critical in the imported CA certificate or chain.
     #
     # * Basic constraints (*must* be marked critical)
     #
@@ -1401,8 +1432,8 @@ module Aws::ACMPCA
     #
     # * Inhibit anyPolicy
     #
-    # ACM Private CA rejects the following extensions when they are marked
-    # critical in an imported CA certificate or chain.
+    # Amazon Web Services Private CA rejects the following extensions when
+    # they are marked critical in an imported CA certificate or chain.
     #
     # * Name constraints
     #
@@ -1440,8 +1471,9 @@ module Aws::ACMPCA
     # @option params [String, StringIO, File] :certificate_chain
     #   A PEM-encoded file that contains all of your certificates, other than
     #   the certificate you're importing, chaining up to your root CA. Your
-    #   ACM Private CA-hosted or on-premises root certificate is the last in
-    #   the chain, and each certificate in the chain signs the one preceding.
+    #   Amazon Web Services Private CA-hosted or on-premises root certificate
+    #   is the last in the chain, and each certificate in the chain signs the
+    #   one preceding.
     #
     #   This parameter must be supplied when you import a subordinate CA. When
     #   you import a root CA, there is no chain.
@@ -1472,8 +1504,8 @@ module Aws::ACMPCA
     # specifying the ARN.
     #
     # <note markdown="1"> You cannot use the ACM **ListCertificateAuthorities** action to
-    # retrieve the ARNs of the certificates that you issue by using ACM
-    # Private CA.
+    # retrieve the ARNs of the certificates that you issue by using Amazon
+    # Web Services Private CA.
     #
     #  </note>
     #
@@ -1489,8 +1521,8 @@ module Aws::ACMPCA
     #   Certificate Templates][1].
     #
     #   If conflicting or duplicate certificate information is supplied during
-    #   certificate issuance, ACM Private CA applies [order of operation
-    #   rules][2] to determine what information is used.
+    #   certificate issuance, Amazon Web Services Private CA applies [order of
+    #   operation rules][2] to determine what information is used.
     #
     #
     #
@@ -1521,7 +1553,7 @@ module Aws::ACMPCA
     #   contains your X509 version 3 extensions.
     #
     #   `openssl req -new -config openssl_rsa.cnf -extensions usr_cert -newkey
-    #   rsa:2048 -days -365 -keyout private/test_cert_priv_key.pem -out
+    #   rsa:2048 -days 365 -keyout private/test_cert_priv_key.pem -out
     #   csr/test_cert_.csr`
     #
     #   Note: A CSR must provide either a *subject name* or a *subject
@@ -1535,10 +1567,15 @@ module Aws::ACMPCA
     #   parameter used to sign a CSR in the `CreateCertificateAuthority`
     #   action.
     #
+    #   <note markdown="1"> The specified signing algorithm family (RSA or ECDSA) much match the
+    #   algorithm family of the CA's secret key.
+    #
+    #    </note>
+    #
     # @option params [String] :template_arn
     #   Specifies a custom configuration template to use when issuing a
-    #   certificate. If this parameter is not provided, ACM Private CA
-    #   defaults to the `EndEntityCertificate/V1` template. For CA
+    #   certificate. If this parameter is not provided, Amazon Web Services
+    #   Private CA defaults to the `EndEntityCertificate/V1` template. For CA
     #   certificates, you should choose the shortest path length that meets
     #   your needs. The path length is indicated by the PathLen*N* portion of
     #   the ARN, where *N* is the [CA depth][1].
@@ -1546,8 +1583,8 @@ module Aws::ACMPCA
     #   Note: The CA depth configured on a subordinate CA certificate must not
     #   exceed the limit set by its parents in the CA hierarchy.
     #
-    #   For a list of `TemplateArn` values supported by ACM Private CA, see
-    #   [Understanding Certificate Templates][2].
+    #   For a list of `TemplateArn` values supported by Amazon Web Services
+    #   Private CA, see [Understanding Certificate Templates][2].
     #
     #
     #
@@ -1575,17 +1612,17 @@ module Aws::ACMPCA
     #
     #
     #
-    #   [1]: https://tools.ietf.org/html/rfc5280#section-4.1.2.5
+    #   [1]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.5
     #
     # @option params [Types::Validity] :validity_not_before
     #   Information describing the start of the validity period of the
     #   certificate. This parameter sets the “Not Before" date for the
     #   certificate.
     #
-    #   By default, when issuing a certificate, ACM Private CA sets the "Not
-    #   Before" date to the issuance time minus 60 minutes. This compensates
-    #   for clock inconsistencies across computer systems. The
-    #   `ValidityNotBefore` parameter can be used to customize the “Not
+    #   By default, when issuing a certificate, Amazon Web Services Private CA
+    #   sets the "Not Before" date to the issuance time minus 60 minutes.
+    #   This compensates for clock inconsistencies across computer systems.
+    #   The `ValidityNotBefore` parameter can be used to customize the “Not
     #   Before” value.
     #
     #   Unlike the `Validity` parameter, the `ValidityNotBefore` parameter is
@@ -1599,17 +1636,17 @@ module Aws::ACMPCA
     #
     #
     #   [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_Validity.html
-    #   [2]: https://tools.ietf.org/html/rfc5280#section-4.1.2.5
+    #   [2]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.5
     #
     # @option params [String] :idempotency_token
     #   Alphanumeric string that can be used to distinguish between calls to
     #   the **IssueCertificate** action. Idempotency tokens for
     #   **IssueCertificate** time out after one minute. Therefore, if you call
     #   **IssueCertificate** multiple times with the same idempotency token
-    #   within one minute, ACM Private CA recognizes that you are requesting
-    #   only one certificate and will issue only one. If you change the
-    #   idempotency token for each call, PCA recognizes that you are
-    #   requesting multiple certificates.
+    #   within one minute, Amazon Web Services Private CA recognizes that you
+    #   are requesting only one certificate and will issue only one. If you
+    #   change the idempotency token for each call, PCA recognizes that you
+    #   are requesting multiple certificates.
     #
     # @return [Types::IssueCertificateResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
     #
@@ -1673,6 +1710,12 @@ module Aws::ACMPCA
     #               initials: "String5",
     #               pseudonym: "String128",
     #               generation_qualifier: "String3",
+    #               custom_attributes: [
+    #                 {
+    #                   object_identifier: "CustomObjectIdentifier", # required
+    #                   value: "String1To256", # required
+    #                 },
+    #               ],
     #             },
     #             edi_party_name: {
     #               party_name: "String256", # required
@@ -1683,6 +1726,13 @@ module Aws::ACMPCA
     #             registered_id: "CustomObjectIdentifier",
     #           },
     #         ],
+    #         custom_extensions: [
+    #           {
+    #             object_identifier: "CustomObjectIdentifier", # required
+    #             value: "Base64String1To4096", # required
+    #             critical: false,
+    #           },
+    #         ],
     #       },
     #       subject: {
     #         country: "CountryCodeString",
@@ -1699,6 +1749,12 @@ module Aws::ACMPCA
     #         initials: "String5",
     #         pseudonym: "String128",
     #         generation_qualifier: "String3",
+    #         custom_attributes: [
+    #           {
+    #             object_identifier: "CustomObjectIdentifier", # required
+    #             value: "String1To256", # required
+    #           },
+    #         ],
     #       },
     #     },
     #     certificate_authority_arn: "Arn", # required
@@ -1797,6 +1853,9 @@ module Aws::ACMPCA
     #   resp.certificate_authorities[0].certificate_authority_configuration.subject.initials #=> String
     #   resp.certificate_authorities[0].certificate_authority_configuration.subject.pseudonym #=> String
     #   resp.certificate_authorities[0].certificate_authority_configuration.subject.generation_qualifier #=> String
+    #   resp.certificate_authorities[0].certificate_authority_configuration.subject.custom_attributes #=> Array
+    #   resp.certificate_authorities[0].certificate_authority_configuration.subject.custom_attributes[0].object_identifier #=> String
+    #   resp.certificate_authorities[0].certificate_authority_configuration.subject.custom_attributes[0].value #=> String
     #   resp.certificate_authorities[0].certificate_authority_configuration.csr_extensions.key_usage.digital_signature #=> Boolean
     #   resp.certificate_authorities[0].certificate_authority_configuration.csr_extensions.key_usage.non_repudiation #=> Boolean
     #   resp.certificate_authorities[0].certificate_authority_configuration.csr_extensions.key_usage.key_encipherment #=> Boolean
@@ -1827,6 +1886,9 @@ module Aws::ACMPCA
     #   resp.certificate_authorities[0].certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.directory_name.initials #=> String
     #   resp.certificate_authorities[0].certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.directory_name.pseudonym #=> String
     #   resp.certificate_authorities[0].certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.directory_name.generation_qualifier #=> String
+    #   resp.certificate_authorities[0].certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.directory_name.custom_attributes #=> Array
+    #   resp.certificate_authorities[0].certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.directory_name.custom_attributes[0].object_identifier #=> String
+    #   resp.certificate_authorities[0].certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.directory_name.custom_attributes[0].value #=> String
     #   resp.certificate_authorities[0].certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.edi_party_name.party_name #=> String
     #   resp.certificate_authorities[0].certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.edi_party_name.name_assigner #=> String
     #   resp.certificate_authorities[0].certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.uniform_resource_identifier #=> String
@@ -1852,11 +1914,11 @@ module Aws::ACMPCA
       req.send_request(options)
     end
 
-    # List all permissions on a private CA, if any, granted to the AWS
+    # List all permissions on a private CA, if any, granted to the
     # Certificate Manager (ACM) service principal (acm.amazonaws.com).
     #
     # These permissions allow ACM to issue and renew ACM certificates that
-    # reside in the same AWS account as the CA.
+    # reside in the same Amazon Web Services account as the CA.
     #
     # Permissions can be granted with the [CreatePermission][1] action and
     # revoked with the [DeletePermission][2] action.
@@ -1875,8 +1937,8 @@ module Aws::ACMPCA
     #   accounts, then permissions cannot be used to enable automatic
     #   renewals. Instead, the ACM certificate owner must set up a
     #   resource-based policy to enable cross-account issuance and renewals.
-    #   For more information, see [Using a Resource Based Policy with ACM
-    #   Private CA][3].
+    #   For more information, see [Using a Resource Based Policy with Amazon
+    #   Web Services Private CA][3].
     #
     #
     #
@@ -2012,32 +2074,33 @@ module Aws::ACMPCA
 
     # Attaches a resource-based policy to a private CA.
     #
-    # A policy can also be applied by sharing a private CA through AWS
-    # Resource Access Manager (RAM). For more information, see [Attach a
-    # Policy for Cross-Account Access][1].
+    # A policy can also be applied by sharing a private CA through Amazon
+    # Web Services Resource Access Manager (RAM). For more information, see
+    # [Attach a Policy for Cross-Account Access][1].
     #
     # The policy can be displayed with [GetPolicy][2] and removed with
     # [DeletePolicy][3].
     #
     # **About Policies**
     #
-    # * A policy grants access on a private CA to an AWS customer account,
-    #   to AWS Organizations, or to an AWS Organizations unit. Policies are
-    #   under the control of a CA administrator. For more information, see
-    #   [Using a Resource Based Policy with ACM Private CA][4].
+    # * A policy grants access on a private CA to an Amazon Web Services
+    #   customer account, to Amazon Web Services Organizations, or to an
+    #   Amazon Web Services Organizations unit. Policies are under the
+    #   control of a CA administrator. For more information, see [Using a
+    #   Resource Based Policy with Amazon Web Services Private CA][4].
     #
-    # * A policy permits a user of AWS Certificate Manager (ACM) to issue
-    #   ACM certificates signed by a CA in another account.
+    # * A policy permits a user of Certificate Manager (ACM) to issue ACM
+    #   certificates signed by a CA in another account.
     #
     # * For ACM to manage automatic renewal of these certificates, the ACM
     #   user must configure a Service Linked Role (SLR). The SLR allows the
     #   ACM service to assume the identity of the user, subject to
-    #   confirmation against the ACM Private CA policy. For more
-    #   information, see [Using a Service Linked Role with ACM][5].
+    #   confirmation against the Amazon Web Services Private CA policy. For
+    #   more information, see [Using a Service Linked Role with ACM][5].
     #
-    # * Updates made in AWS Resource Manager (RAM) are reflected in
-    #   policies. For more information, see [Attach a Policy for
-    #   Cross-Account Access][1].
+    # * Updates made in Amazon Web Services Resource Manager (RAM) are
+    #   reflected in policies. For more information, see [Attach a Policy
+    #   for Cross-Account Access][1].
     #
     #
     #
@@ -2142,26 +2205,28 @@ module Aws::ACMPCA
       req.send_request(options)
     end
 
-    # Revokes a certificate that was issued inside ACM Private CA. If you
-    # enable a certificate revocation list (CRL) when you create or update
-    # your private CA, information about the revoked certificates will be
-    # included in the CRL. ACM Private CA writes the CRL to an S3 bucket
-    # that you specify. A CRL is typically updated approximately 30 minutes
-    # after a certificate is revoked. If for any reason the CRL update
-    # fails, ACM Private CA attempts makes further attempts every 15
-    # minutes. With Amazon CloudWatch, you can create alarms for the metrics
-    # `CRLGenerated` and `MisconfiguredCRLBucket`. For more information, see
-    # [Supported CloudWatch Metrics][1].
+    # Revokes a certificate that was issued inside Amazon Web Services
+    # Private CA. If you enable a certificate revocation list (CRL) when you
+    # create or update your private CA, information about the revoked
+    # certificates will be included in the CRL. Amazon Web Services Private
+    # CA writes the CRL to an S3 bucket that you specify. A CRL is typically
+    # updated approximately 30 minutes after a certificate is revoked. If
+    # for any reason the CRL update fails, Amazon Web Services Private CA
+    # attempts makes further attempts every 15 minutes. With Amazon
+    # CloudWatch, you can create alarms for the metrics `CRLGenerated` and
+    # `MisconfiguredCRLBucket`. For more information, see [Supported
+    # CloudWatch Metrics][1].
     #
     # <note markdown="1"> Both PCA and the IAM principal must have permission to write to the S3
     # bucket that you specify. If the IAM principal making the call does not
     # have permission to write to the bucket, then an exception is thrown.
-    # For more information, see [Configure Access to ACM Private CA][2].
+    # For more information, see [Access policies for CRLs in Amazon S3][2].
     #
     #  </note>
     #
-    # ACM Private CA also writes revocation information to the audit report.
-    # For more information, see [CreateCertificateAuthorityAuditReport][3].
+    # Amazon Web Services Private CA also writes revocation information to
+    # the audit report. For more information, see
+    # [CreateCertificateAuthorityAuditReport][3].
     #
     # <note markdown="1"> You cannot revoke a root CA self-signed certificate.
     #
@@ -2170,7 +2235,7 @@ module Aws::ACMPCA
     #
     #
     # [1]: https://docs.aws.amazon.com/acm-pca/latest/userguide/PcaCloudWatch.html
-    # [2]: https://docs.aws.amazon.com/acm-pca/latest/userguide/PcaAuthAccess.html
+    # [2]: https://docs.aws.amazon.com/acm-pca/latest/userguide/crl-planning.html#s3-policies
     # [3]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_CreateCertificateAuthorityAuditReport.html
     #
     # @option params [required, String] :certificate_authority_arn
@@ -2192,7 +2257,7 @@ module Aws::ACMPCA
     #   `openssl x509 -in file_path -text -noout`
     #
     #   You can also copy the serial number from the console or use the
-    #   [DescribeCertificate][2] action in the *AWS Certificate Manager API
+    #   [DescribeCertificate][2] action in the *Certificate Manager API
     #   Reference*.
     #
     #
@@ -2223,15 +2288,15 @@ module Aws::ACMPCA
     end
 
     # Adds one or more tags to your private CA. Tags are labels that you can
-    # use to identify and organize your AWS resources. Each tag consists of
-    # a key and an optional value. You specify the private CA on input by
-    # its Amazon Resource Name (ARN). You specify the tag by using a
-    # key-value pair. You can apply a tag to just one private CA if you want
-    # to identify a specific characteristic of that CA, or you can apply the
-    # same tag to multiple private CAs if you want to filter for a common
-    # relationship among those CAs. To remove one or more tags, use the
-    # [UntagCertificateAuthority][1] action. Call the [ListTags][2] action
-    # to see what tags are associated with your CA.
+    # use to identify and organize your Amazon Web Services resources. Each
+    # tag consists of a key and an optional value. You specify the private
+    # CA on input by its Amazon Resource Name (ARN). You specify the tag by
+    # using a key-value pair. You can apply a tag to just one private CA if
+    # you want to identify a specific characteristic of that CA, or you can
+    # apply the same tag to multiple private CAs if you want to filter for a
+    # common relationship among those CAs. To remove one or more tags, use
+    # the [UntagCertificateAuthority][1] action. Call the [ListTags][2]
+    # action to see what tags are associated with your CA.
     #
     #
     #
@@ -2334,13 +2399,13 @@ module Aws::ACMPCA
     # <note markdown="1"> Both PCA and the IAM principal must have permission to write to the S3
     # bucket that you specify. If the IAM principal making the call does not
     # have permission to write to the bucket, then an exception is thrown.
-    # For more information, see [Configure Access to ACM Private CA][1].
+    # For more information, see [Access policies for CRLs in Amazon S3][1].
     #
     #  </note>
     #
     #
     #
-    # [1]: https://docs.aws.amazon.com/acm-pca/latest/userguide/PcaAuthAccess.html
+    # [1]: https://docs.aws.amazon.com/acm-pca/latest/userguide/crl-planning.html#s3-policies
     #
     # @option params [required, String] :certificate_authority_arn
     #   Amazon Resource Name (ARN) of the private CA that issued the
@@ -2408,7 +2473,7 @@ module Aws::ACMPCA
         params: params,
         config: config)
       context[:gem_name] = 'aws-sdk-acmpca'
-      context[:gem_version] = '1.46.0'
+      context[:gem_version] = '1.47.0'
       Seahorse::Client::Request.new(handlers, context)
     end