aws-sdk-acmpca 1.46.0 → 1.49.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 20e6a6916b4d2b10c02df975b6cda79f7dbbfe8ac786ca19628f2c89c2c2609e
-  data.tar.gz: 65e51a4da808f4d5566e6ce85c0f79dffdab3940333d93bd7586fe7ab14f6ee0
+  metadata.gz: a68035efe70685c51e54df7849d02337ab1ed8055de98c659b0537a81271b709
+  data.tar.gz: cd8092280a1c134272eaab5bbb70de6ad8d908cc1636575cd6af72ca01d38a4e
 SHA512:
-  metadata.gz: d38f9e3091c190934dfb3d0ed160cbc5602baa22495abd110fce61b4a8517e9998c73154f5fa3bb8058d588b9f3ab25315e8120caacdeb4a04bed2b31c163002
-  data.tar.gz: 58866f5386c2e197b6460328ccf1233257c2f80e3101c7c2e8bc74b1aad8027bf0e5e9598190f89717d60bac0282681484853a6f8241e65b128d64766d8b7951
+  metadata.gz: 0bd3680eff0c321ebc29d32e3c1b872131fb29d49f621deb2c7dba50d069fd8fd51fb5ca588ddf7183aecf8411638d80f407e5b826faf4923bcf5ddc397413d0
+  data.tar.gz: 95e81fd32a6da57c832b1a1ee66010f361cf73214108dcb0e2b0e624a6375e66838b124611ae76e49ff353f70fb1d4c7defc1c3554379aaf694e3c95886c8cdd

data/CHANGELOG.md

@@ -1,6 +1,21 @@
 Unreleased Changes
 ------------------
 
+1.49.0 (2022-07-20)
+------------------
+
+* Feature - AWS Certificate Manager (ACM) Private Certificate Authority (PCA) documentation updates
+
+1.48.0 (2022-03-28)
+------------------
+
+* Feature - Updating service name entities
+
+1.47.0 (2022-03-16)
+------------------
+
+* Feature - AWS Certificate Manager (ACM) Private Certificate Authority (CA) now supports customizable certificate subject names and extensions.
+
 1.46.0 (2022-02-24)
 ------------------
 

data/VERSION

@@ -1 +1 @@
-1.46.0
+1.49.0

data/lib/aws-sdk-acmpca/client.rb

@@ -382,14 +382,14 @@ module Aws::ACMPCA
     # <note markdown="1"> Both PCA and the IAM principal must have permission to write to the S3
     # bucket that you specify. If the IAM principal making the call does not
     # have permission to write to the bucket, then an exception is thrown.
-    # For more information, see [Configure Access to ACM Private CA][2].
+    # For more information, see [Access policies for CRLs in Amazon S3][2].
     #
     #  </note>
     #
     #
     #
     # [1]: https://docs.aws.amazon.com/acm-pca/latest/userguide/PcaCreateCa.html#crl-encryption
-    # [2]: https://docs.aws.amazon.com/acm-pca/latest/userguide/PcaAuthAccess.html
+    # [2]: https://docs.aws.amazon.com/acm-pca/latest/userguide/crl-planning.html#s3-policies
     #
     # @option params [required, Types::CertificateAuthorityConfiguration] :certificate_authority_configuration
     #   Name and bit size of the private key algorithm, the name of the
@@ -426,9 +426,15 @@ module Aws::ACMPCA
     #
     #   Default: FIPS\_140\_2\_LEVEL\_3\_OR\_HIGHER
     #
-    #   Note: `FIPS_140_2_LEVEL_3_OR_HIGHER` is not supported in Region
-    #   ap-northeast-3. When creating a CA in the ap-northeast-3, you must
-    #   provide `FIPS_140_2_LEVEL_2_OR_HIGHER` as the argument for
+    #   *Note:* `FIPS_140_2_LEVEL_3_OR_HIGHER` is not supported in the
+    #   following Regions:
+    #
+    #   * ap-northeast-3
+    #
+    #   * ap-southeast-3
+    #
+    #   When creating a CA in these Regions, you must provide
+    #   `FIPS_140_2_LEVEL_2_OR_HIGHER` as the argument for
     #   `KeyStorageSecurityStandard`. Failure to do this results in an
     #   `InvalidArgsException` with the message, "A certificate authority
     #   cannot be created in this region with the specified security
@@ -469,6 +475,12 @@ module Aws::ACMPCA
     #         initials: "String5",
     #         pseudonym: "String128",
     #         generation_qualifier: "String3",
+    #         custom_attributes: [
+    #           {
+    #             object_identifier: "CustomObjectIdentifier", # required
+    #             value: "String1To256", # required
+    #           },
+    #         ],
     #       },
     #       csr_extensions: {
     #         key_usage: {
@@ -510,6 +522,12 @@ module Aws::ACMPCA
     #                 initials: "String5",
     #                 pseudonym: "String128",
     #                 generation_qualifier: "String3",
+    #                 custom_attributes: [
+    #                   {
+    #                     object_identifier: "CustomObjectIdentifier", # required
+    #                     value: "String1To256", # required
+    #                   },
+    #                 ],
     #               },
     #               edi_party_name: {
     #                 party_name: "String256", # required
@@ -568,7 +586,7 @@ module Aws::ACMPCA
     # <note markdown="1"> Both PCA and the IAM principal must have permission to write to the S3
     # bucket that you specify. If the IAM principal making the call does not
     # have permission to write to the bucket, then an exception is thrown.
-    # For more information, see [Configure Access to ACM Private CA][3].
+    # For more information, see [Access policies for CRLs in Amazon S3][3].
     #
     #  </note>
     #
@@ -576,11 +594,15 @@ module Aws::ACMPCA
     # with encryption. For more information, see [Encrypting Your Audit
     # Reports][4].
     #
+    # <note markdown="1"> You can generate a maximum of one report every 30 minutes.
+    #
+    #  </note>
+    #
     #
     #
     # [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_IssueCertificate.html
     # [2]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_RevokeCertificate.html
-    # [3]: https://docs.aws.amazon.com/acm-pca/latest/userguide/PcaAuthAccess.html
+    # [3]: https://docs.aws.amazon.com/acm-pca/latest/userguide/crl-planning.html#s3-policies
     # [4]: https://docs.aws.amazon.com/acm-pca/latest/userguide/PcaAuditReport.html#audit-report-encryption
     #
     # @option params [required, String] :certificate_authority_arn
@@ -624,10 +646,10 @@ module Aws::ACMPCA
       req.send_request(options)
     end
 
-    # Grants one or more permissions on a private CA to the AWS Certificate
+    # Grants one or more permissions on a private CA to the Certificate
     # Manager (ACM) service principal (`acm.amazonaws.com`). These
     # permissions allow ACM to issue and renew ACM certificates that reside
-    # in the same AWS account as the CA.
+    # in the same Amazon Web Services account as the CA.
     #
     # You can list current permissions with the [ListPermissions][1] action
     # and revoke them with the [DeletePermission][2] action.
@@ -668,15 +690,17 @@ module Aws::ACMPCA
     #   [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_ListCertificateAuthorities.html
     #
     # @option params [required, String] :principal
-    #   The AWS service or identity that receives the permission. At this
-    #   time, the only valid principal is `acm.amazonaws.com`.
+    #   The Amazon Web Services service or identity that receives the
+    #   permission. At this time, the only valid principal is
+    #   `acm.amazonaws.com`.
     #
     # @option params [String] :source_account
     #   The ID of the calling account.
     #
     # @option params [required, Array<String>] :actions
-    #   The actions that the specified AWS service principal can use. These
-    #   include `IssueCertificate`, `GetCertificate`, and `ListPermissions`.
+    #   The actions that the specified Amazon Web Services service principal
+    #   can use. These include `IssueCertificate`, `GetCertificate`, and
+    #   `ListPermissions`.
     #
     # @return [Struct] Returns an empty {Seahorse::Client::Response response}.
     #
@@ -770,13 +794,13 @@ module Aws::ACMPCA
       req.send_request(options)
     end
 
-    # Revokes permissions on a private CA granted to the AWS Certificate
-    # Manager (ACM) service principal (acm.amazonaws.com).
+    # Revokes permissions on a private CA granted to the Certificate Manager
+    # (ACM) service principal (acm.amazonaws.com).
     #
     # These permissions allow ACM to issue and renew ACM certificates that
-    # reside in the same AWS account as the CA. If you revoke these
-    # permissions, ACM will no longer renew the affected certificates
-    # automatically.
+    # reside in the same Amazon Web Services account as the CA. If you
+    # revoke these permissions, ACM will no longer renew the affected
+    # certificates automatically.
     #
     # Permissions can be granted with the [CreatePermission][1] action and
     # listed with the [ListPermissions][2] action.
@@ -818,11 +842,12 @@ module Aws::ACMPCA
     #   [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_ListCertificateAuthorities.html
     #
     # @option params [required, String] :principal
-    #   The AWS service or identity that will have its CA permissions revoked.
-    #   At this time, the only valid service principal is `acm.amazonaws.com`
+    #   The Amazon Web Services service or identity that will have its CA
+    #   permissions revoked. At this time, the only valid service principal is
+    #   `acm.amazonaws.com`
     #
     # @option params [String] :source_account
-    #   The AWS account that calls this action.
+    #   The Amazon Web Services account that calls this action.
     #
     # @return [Struct] Returns an empty {Seahorse::Client::Response response}.
     #
@@ -847,25 +872,26 @@ module Aws::ACMPCA
     # will remove any access that the policy has granted. If there is no
     # policy attached to the private CA, this action will return successful.
     #
-    # If you delete a policy that was applied through AWS Resource Access
-    # Manager (RAM), the CA will be removed from all shares in which it was
-    # included.
+    # If you delete a policy that was applied through Amazon Web Services
+    # Resource Access Manager (RAM), the CA will be removed from all shares
+    # in which it was included.
     #
-    # The AWS Certificate Manager Service Linked Role that the policy
-    # supports is not affected when you delete the policy.
+    # The Certificate Manager Service Linked Role that the policy supports
+    # is not affected when you delete the policy.
     #
     # The current policy can be shown with [GetPolicy][1] and updated with
     # [PutPolicy][2].
     #
     # **About Policies**
     #
-    # * A policy grants access on a private CA to an AWS customer account,
-    #   to AWS Organizations, or to an AWS Organizations unit. Policies are
-    #   under the control of a CA administrator. For more information, see
-    #   [Using a Resource Based Policy with ACM Private CA][3].
+    # * A policy grants access on a private CA to an Amazon Web Services
+    #   customer account, to Amazon Web Services Organizations, or to an
+    #   Amazon Web Services Organizations unit. Policies are under the
+    #   control of a CA administrator. For more information, see [Using a
+    #   Resource Based Policy with ACM Private CA][3].
     #
-    # * A policy permits a user of AWS Certificate Manager (ACM) to issue
-    #   ACM certificates signed by a CA in another account.
+    # * A policy permits a user of Certificate Manager (ACM) to issue ACM
+    #   certificates signed by a CA in another account.
     #
     # * For ACM to manage automatic renewal of these certificates, the ACM
     #   user must configure a Service Linked Role (SLR). The SLR allows the
@@ -873,9 +899,9 @@ module Aws::ACMPCA
     #   confirmation against the ACM Private CA policy. For more
     #   information, see [Using a Service Linked Role with ACM][4].
     #
-    # * Updates made in AWS Resource Manager (RAM) are reflected in
-    #   policies. For more information, see [Attach a Policy for
-    #   Cross-Account Access][5].
+    # * Updates made in Amazon Web Services Resource Manager (RAM) are
+    #   reflected in policies. For more information, see [Attach a Policy
+    #   for Cross-Account Access][5].
     #
     #
     #
@@ -932,9 +958,9 @@ module Aws::ACMPCA
     # * `EXPIRED` - Your private CA certificate has expired.
     #
     # * `FAILED` - Your private CA has failed. Your CA can fail because of
-    #   problems such a network outage or back-end AWS failure or other
-    #   errors. A failed CA can never return to the pending state. You must
-    #   create a new CA.
+    #   problems such a network outage or back-end Amazon Web Services
+    #   failure or other errors. A failed CA can never return to the pending
+    #   state. You must create a new CA.
     #
     # * `DELETED` - Your private CA is within the restoration period, after
     #   which it is permanently deleted. The length of time remaining in the
@@ -989,6 +1015,9 @@ module Aws::ACMPCA
     #   resp.certificate_authority.certificate_authority_configuration.subject.initials #=> String
     #   resp.certificate_authority.certificate_authority_configuration.subject.pseudonym #=> String
     #   resp.certificate_authority.certificate_authority_configuration.subject.generation_qualifier #=> String
+    #   resp.certificate_authority.certificate_authority_configuration.subject.custom_attributes #=> Array
+    #   resp.certificate_authority.certificate_authority_configuration.subject.custom_attributes[0].object_identifier #=> String
+    #   resp.certificate_authority.certificate_authority_configuration.subject.custom_attributes[0].value #=> String
     #   resp.certificate_authority.certificate_authority_configuration.csr_extensions.key_usage.digital_signature #=> Boolean
     #   resp.certificate_authority.certificate_authority_configuration.csr_extensions.key_usage.non_repudiation #=> Boolean
     #   resp.certificate_authority.certificate_authority_configuration.csr_extensions.key_usage.key_encipherment #=> Boolean
@@ -1019,6 +1048,9 @@ module Aws::ACMPCA
     #   resp.certificate_authority.certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.directory_name.initials #=> String
     #   resp.certificate_authority.certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.directory_name.pseudonym #=> String
     #   resp.certificate_authority.certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.directory_name.generation_qualifier #=> String
+    #   resp.certificate_authority.certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.directory_name.custom_attributes #=> Array
+    #   resp.certificate_authority.certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.directory_name.custom_attributes[0].object_identifier #=> String
+    #   resp.certificate_authority.certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.directory_name.custom_attributes[0].value #=> String
     #   resp.certificate_authority.certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.edi_party_name.party_name #=> String
     #   resp.certificate_authority.certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.edi_party_name.name_assigner #=> String
     #   resp.certificate_authority.certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.uniform_resource_identifier #=> String
@@ -1268,13 +1300,14 @@ module Aws::ACMPCA
     #
     # **About Policies**
     #
-    # * A policy grants access on a private CA to an AWS customer account,
-    #   to AWS Organizations, or to an AWS Organizations unit. Policies are
-    #   under the control of a CA administrator. For more information, see
-    #   [Using a Resource Based Policy with ACM Private CA][3].
+    # * A policy grants access on a private CA to an Amazon Web Services
+    #   customer account, to Amazon Web Services Organizations, or to an
+    #   Amazon Web Services Organizations unit. Policies are under the
+    #   control of a CA administrator. For more information, see [Using a
+    #   Resource Based Policy with ACM Private CA][3].
     #
-    # * A policy permits a user of AWS Certificate Manager (ACM) to issue
-    #   ACM certificates signed by a CA in another account.
+    # * A policy permits a user of Certificate Manager (ACM) to issue ACM
+    #   certificates signed by a CA in another account.
     #
     # * For ACM to manage automatic renewal of these certificates, the ACM
     #   user must configure a Service Linked Role (SLR). The SLR allows the
@@ -1282,9 +1315,9 @@ module Aws::ACMPCA
     #   confirmation against the ACM Private CA policy. For more
     #   information, see [Using a Service Linked Role with ACM][4].
     #
-    # * Updates made in AWS Resource Manager (RAM) are reflected in
-    #   policies. For more information, see [Attach a Policy for
-    #   Cross-Account Access][5].
+    # * Updates made in Amazon Web Services Resource Manager (RAM) are
+    #   reflected in policies. For more information, see [Attach a Policy
+    #   for Cross-Account Access][5].
     #
     #
     #
@@ -1521,7 +1554,7 @@ module Aws::ACMPCA
     #   contains your X509 version 3 extensions.
     #
     #   `openssl req -new -config openssl_rsa.cnf -extensions usr_cert -newkey
-    #   rsa:2048 -days -365 -keyout private/test_cert_priv_key.pem -out
+    #   rsa:2048 -days 365 -keyout private/test_cert_priv_key.pem -out
     #   csr/test_cert_.csr`
     #
     #   Note: A CSR must provide either a *subject name* or a *subject
@@ -1535,6 +1568,11 @@ module Aws::ACMPCA
     #   parameter used to sign a CSR in the `CreateCertificateAuthority`
     #   action.
     #
+    #   <note markdown="1"> The specified signing algorithm family (RSA or ECDSA) much match the
+    #   algorithm family of the CA's secret key.
+    #
+    #    </note>
+    #
     # @option params [String] :template_arn
     #   Specifies a custom configuration template to use when issuing a
     #   certificate. If this parameter is not provided, ACM Private CA
@@ -1575,7 +1613,7 @@ module Aws::ACMPCA
     #
     #
     #
-    #   [1]: https://tools.ietf.org/html/rfc5280#section-4.1.2.5
+    #   [1]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.5
     #
     # @option params [Types::Validity] :validity_not_before
     #   Information describing the start of the validity period of the
@@ -1599,7 +1637,7 @@ module Aws::ACMPCA
     #
     #
     #   [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_Validity.html
-    #   [2]: https://tools.ietf.org/html/rfc5280#section-4.1.2.5
+    #   [2]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.5
     #
     # @option params [String] :idempotency_token
     #   Alphanumeric string that can be used to distinguish between calls to
@@ -1673,6 +1711,12 @@ module Aws::ACMPCA
     #               initials: "String5",
     #               pseudonym: "String128",
     #               generation_qualifier: "String3",
+    #               custom_attributes: [
+    #                 {
+    #                   object_identifier: "CustomObjectIdentifier", # required
+    #                   value: "String1To256", # required
+    #                 },
+    #               ],
     #             },
     #             edi_party_name: {
     #               party_name: "String256", # required
@@ -1683,6 +1727,13 @@ module Aws::ACMPCA
     #             registered_id: "CustomObjectIdentifier",
     #           },
     #         ],
+    #         custom_extensions: [
+    #           {
+    #             object_identifier: "CustomObjectIdentifier", # required
+    #             value: "Base64String1To4096", # required
+    #             critical: false,
+    #           },
+    #         ],
     #       },
     #       subject: {
     #         country: "CountryCodeString",
@@ -1699,6 +1750,12 @@ module Aws::ACMPCA
     #         initials: "String5",
     #         pseudonym: "String128",
     #         generation_qualifier: "String3",
+    #         custom_attributes: [
+    #           {
+    #             object_identifier: "CustomObjectIdentifier", # required
+    #             value: "String1To256", # required
+    #           },
+    #         ],
     #       },
     #     },
     #     certificate_authority_arn: "Arn", # required
@@ -1797,6 +1854,9 @@ module Aws::ACMPCA
     #   resp.certificate_authorities[0].certificate_authority_configuration.subject.initials #=> String
     #   resp.certificate_authorities[0].certificate_authority_configuration.subject.pseudonym #=> String
     #   resp.certificate_authorities[0].certificate_authority_configuration.subject.generation_qualifier #=> String
+    #   resp.certificate_authorities[0].certificate_authority_configuration.subject.custom_attributes #=> Array
+    #   resp.certificate_authorities[0].certificate_authority_configuration.subject.custom_attributes[0].object_identifier #=> String
+    #   resp.certificate_authorities[0].certificate_authority_configuration.subject.custom_attributes[0].value #=> String
     #   resp.certificate_authorities[0].certificate_authority_configuration.csr_extensions.key_usage.digital_signature #=> Boolean
     #   resp.certificate_authorities[0].certificate_authority_configuration.csr_extensions.key_usage.non_repudiation #=> Boolean
     #   resp.certificate_authorities[0].certificate_authority_configuration.csr_extensions.key_usage.key_encipherment #=> Boolean
@@ -1827,6 +1887,9 @@ module Aws::ACMPCA
     #   resp.certificate_authorities[0].certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.directory_name.initials #=> String
     #   resp.certificate_authorities[0].certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.directory_name.pseudonym #=> String
     #   resp.certificate_authorities[0].certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.directory_name.generation_qualifier #=> String
+    #   resp.certificate_authorities[0].certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.directory_name.custom_attributes #=> Array
+    #   resp.certificate_authorities[0].certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.directory_name.custom_attributes[0].object_identifier #=> String
+    #   resp.certificate_authorities[0].certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.directory_name.custom_attributes[0].value #=> String
     #   resp.certificate_authorities[0].certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.edi_party_name.party_name #=> String
     #   resp.certificate_authorities[0].certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.edi_party_name.name_assigner #=> String
     #   resp.certificate_authorities[0].certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.uniform_resource_identifier #=> String
@@ -1852,11 +1915,11 @@ module Aws::ACMPCA
       req.send_request(options)
     end
 
-    # List all permissions on a private CA, if any, granted to the AWS
+    # List all permissions on a private CA, if any, granted to the
     # Certificate Manager (ACM) service principal (acm.amazonaws.com).
     #
     # These permissions allow ACM to issue and renew ACM certificates that
-    # reside in the same AWS account as the CA.
+    # reside in the same Amazon Web Services account as the CA.
     #
     # Permissions can be granted with the [CreatePermission][1] action and
     # revoked with the [DeletePermission][2] action.
@@ -2012,22 +2075,23 @@ module Aws::ACMPCA
 
     # Attaches a resource-based policy to a private CA.
     #
-    # A policy can also be applied by sharing a private CA through AWS
-    # Resource Access Manager (RAM). For more information, see [Attach a
-    # Policy for Cross-Account Access][1].
+    # A policy can also be applied by sharing a private CA through Amazon
+    # Web Services Resource Access Manager (RAM). For more information, see
+    # [Attach a Policy for Cross-Account Access][1].
     #
     # The policy can be displayed with [GetPolicy][2] and removed with
     # [DeletePolicy][3].
     #
     # **About Policies**
     #
-    # * A policy grants access on a private CA to an AWS customer account,
-    #   to AWS Organizations, or to an AWS Organizations unit. Policies are
-    #   under the control of a CA administrator. For more information, see
-    #   [Using a Resource Based Policy with ACM Private CA][4].
+    # * A policy grants access on a private CA to an Amazon Web Services
+    #   customer account, to Amazon Web Services Organizations, or to an
+    #   Amazon Web Services Organizations unit. Policies are under the
+    #   control of a CA administrator. For more information, see [Using a
+    #   Resource Based Policy with ACM Private CA][4].
     #
-    # * A policy permits a user of AWS Certificate Manager (ACM) to issue
-    #   ACM certificates signed by a CA in another account.
+    # * A policy permits a user of Certificate Manager (ACM) to issue ACM
+    #   certificates signed by a CA in another account.
     #
     # * For ACM to manage automatic renewal of these certificates, the ACM
     #   user must configure a Service Linked Role (SLR). The SLR allows the
@@ -2035,9 +2099,9 @@ module Aws::ACMPCA
     #   confirmation against the ACM Private CA policy. For more
     #   information, see [Using a Service Linked Role with ACM][5].
     #
-    # * Updates made in AWS Resource Manager (RAM) are reflected in
-    #   policies. For more information, see [Attach a Policy for
-    #   Cross-Account Access][1].
+    # * Updates made in Amazon Web Services Resource Manager (RAM) are
+    #   reflected in policies. For more information, see [Attach a Policy
+    #   for Cross-Account Access][1].
     #
     #
     #
@@ -2156,7 +2220,7 @@ module Aws::ACMPCA
     # <note markdown="1"> Both PCA and the IAM principal must have permission to write to the S3
     # bucket that you specify. If the IAM principal making the call does not
     # have permission to write to the bucket, then an exception is thrown.
-    # For more information, see [Configure Access to ACM Private CA][2].
+    # For more information, see [Access policies for CRLs in Amazon S3][2].
     #
     #  </note>
     #
@@ -2170,7 +2234,7 @@ module Aws::ACMPCA
     #
     #
     # [1]: https://docs.aws.amazon.com/acm-pca/latest/userguide/PcaCloudWatch.html
-    # [2]: https://docs.aws.amazon.com/acm-pca/latest/userguide/PcaAuthAccess.html
+    # [2]: https://docs.aws.amazon.com/acm-pca/latest/userguide/crl-planning.html#s3-policies
     # [3]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_CreateCertificateAuthorityAuditReport.html
     #
     # @option params [required, String] :certificate_authority_arn
@@ -2192,7 +2256,7 @@ module Aws::ACMPCA
     #   `openssl x509 -in file_path -text -noout`
     #
     #   You can also copy the serial number from the console or use the
-    #   [DescribeCertificate][2] action in the *AWS Certificate Manager API
+    #   [DescribeCertificate][2] action in the *Certificate Manager API
     #   Reference*.
     #
     #
@@ -2223,15 +2287,15 @@ module Aws::ACMPCA
     end
 
     # Adds one or more tags to your private CA. Tags are labels that you can
-    # use to identify and organize your AWS resources. Each tag consists of
-    # a key and an optional value. You specify the private CA on input by
-    # its Amazon Resource Name (ARN). You specify the tag by using a
-    # key-value pair. You can apply a tag to just one private CA if you want
-    # to identify a specific characteristic of that CA, or you can apply the
-    # same tag to multiple private CAs if you want to filter for a common
-    # relationship among those CAs. To remove one or more tags, use the
-    # [UntagCertificateAuthority][1] action. Call the [ListTags][2] action
-    # to see what tags are associated with your CA.
+    # use to identify and organize your Amazon Web Services resources. Each
+    # tag consists of a key and an optional value. You specify the private
+    # CA on input by its Amazon Resource Name (ARN). You specify the tag by
+    # using a key-value pair. You can apply a tag to just one private CA if
+    # you want to identify a specific characteristic of that CA, or you can
+    # apply the same tag to multiple private CAs if you want to filter for a
+    # common relationship among those CAs. To remove one or more tags, use
+    # the [UntagCertificateAuthority][1] action. Call the [ListTags][2]
+    # action to see what tags are associated with your CA.
     #
     #
     #
@@ -2334,13 +2398,13 @@ module Aws::ACMPCA
     # <note markdown="1"> Both PCA and the IAM principal must have permission to write to the S3
     # bucket that you specify. If the IAM principal making the call does not
     # have permission to write to the bucket, then an exception is thrown.
-    # For more information, see [Configure Access to ACM Private CA][1].
+    # For more information, see [Access policies for CRLs in Amazon S3][1].
     #
     #  </note>
     #
     #
     #
-    # [1]: https://docs.aws.amazon.com/acm-pca/latest/userguide/PcaAuthAccess.html
+    # [1]: https://docs.aws.amazon.com/acm-pca/latest/userguide/crl-planning.html#s3-policies
     #
     # @option params [required, String] :certificate_authority_arn
     #   Amazon Resource Name (ARN) of the private CA that issued the
@@ -2408,7 +2472,7 @@ module Aws::ACMPCA
         params: params,
         config: config)
       context[:gem_name] = 'aws-sdk-acmpca'
-      context[:gem_version] = '1.46.0'
+      context[:gem_version] = '1.49.0'
       Seahorse::Client::Request.new(handlers, context)
     end
 

data/lib/aws-sdk-acmpca/client_api.rb

@@ -28,6 +28,7 @@ module Aws::ACMPCA
     AuditReportId = Shapes::StringShape.new(name: 'AuditReportId')
     AuditReportResponseFormat = Shapes::StringShape.new(name: 'AuditReportResponseFormat')
     AuditReportStatus = Shapes::StringShape.new(name: 'AuditReportStatus')
+    Base64String1To4096 = Shapes::StringShape.new(name: 'Base64String1To4096')
     Boolean = Shapes::BooleanShape.new(name: 'Boolean')
     CertificateAuthorities = Shapes::ListShape.new(name: 'CertificateAuthorities')
     CertificateAuthority = Shapes::StructureShape.new(name: 'CertificateAuthority')
@@ -51,6 +52,10 @@ module Aws::ACMPCA
     CsrBlob = Shapes::BlobShape.new(name: 'CsrBlob')
     CsrBody = Shapes::StringShape.new(name: 'CsrBody')
     CsrExtensions = Shapes::StructureShape.new(name: 'CsrExtensions')
+    CustomAttribute = Shapes::StructureShape.new(name: 'CustomAttribute')
+    CustomAttributeList = Shapes::ListShape.new(name: 'CustomAttributeList')
+    CustomExtension = Shapes::StructureShape.new(name: 'CustomExtension')
+    CustomExtensionList = Shapes::ListShape.new(name: 'CustomExtensionList')
     CustomObjectIdentifier = Shapes::StringShape.new(name: 'CustomObjectIdentifier')
     DeleteCertificateAuthorityRequest = Shapes::StructureShape.new(name: 'DeleteCertificateAuthorityRequest')
     DeletePermissionRequest = Shapes::StructureShape.new(name: 'DeletePermissionRequest')
@@ -132,6 +137,7 @@ module Aws::ACMPCA
     String = Shapes::StringShape.new(name: 'String')
     String128 = Shapes::StringShape.new(name: 'String128')
     String16 = Shapes::StringShape.new(name: 'String16')
+    String1To256 = Shapes::StringShape.new(name: 'String1To256')
     String253 = Shapes::StringShape.new(name: 'String253')
     String256 = Shapes::StringShape.new(name: 'String256')
     String3 = Shapes::StringShape.new(name: 'String3')
@@ -166,6 +172,7 @@ module Aws::ACMPCA
     ASN1Subject.add_member(:initials, Shapes::ShapeRef.new(shape: String5, location_name: "Initials"))
     ASN1Subject.add_member(:pseudonym, Shapes::ShapeRef.new(shape: String128, location_name: "Pseudonym"))
     ASN1Subject.add_member(:generation_qualifier, Shapes::ShapeRef.new(shape: String3, location_name: "GenerationQualifier"))
+    ASN1Subject.add_member(:custom_attributes, Shapes::ShapeRef.new(shape: CustomAttributeList, location_name: "CustomAttributes"))
     ASN1Subject.struct_class = Types::ASN1Subject
 
     AccessDescription.add_member(:access_method, Shapes::ShapeRef.new(shape: AccessMethod, required: true, location_name: "AccessMethod"))
@@ -253,6 +260,19 @@ module Aws::ACMPCA
     CsrExtensions.add_member(:subject_information_access, Shapes::ShapeRef.new(shape: AccessDescriptionList, location_name: "SubjectInformationAccess"))
     CsrExtensions.struct_class = Types::CsrExtensions
 
+    CustomAttribute.add_member(:object_identifier, Shapes::ShapeRef.new(shape: CustomObjectIdentifier, required: true, location_name: "ObjectIdentifier"))
+    CustomAttribute.add_member(:value, Shapes::ShapeRef.new(shape: String1To256, required: true, location_name: "Value"))
+    CustomAttribute.struct_class = Types::CustomAttribute
+
+    CustomAttributeList.member = Shapes::ShapeRef.new(shape: CustomAttribute)
+
+    CustomExtension.add_member(:object_identifier, Shapes::ShapeRef.new(shape: CustomObjectIdentifier, required: true, location_name: "ObjectIdentifier"))
+    CustomExtension.add_member(:value, Shapes::ShapeRef.new(shape: Base64String1To4096, required: true, location_name: "Value"))
+    CustomExtension.add_member(:critical, Shapes::ShapeRef.new(shape: Boolean, location_name: "Critical", metadata: {"box"=>true}))
+    CustomExtension.struct_class = Types::CustomExtension
+
+    CustomExtensionList.member = Shapes::ShapeRef.new(shape: CustomExtension)
+
     DeleteCertificateAuthorityRequest.add_member(:certificate_authority_arn, Shapes::ShapeRef.new(shape: Arn, required: true, location_name: "CertificateAuthorityArn"))
     DeleteCertificateAuthorityRequest.add_member(:permanent_deletion_time_in_days, Shapes::ShapeRef.new(shape: PermanentDeletionTimeInDays, location_name: "PermanentDeletionTimeInDays"))
     DeleteCertificateAuthorityRequest.struct_class = Types::DeleteCertificateAuthorityRequest
@@ -295,6 +315,7 @@ module Aws::ACMPCA
     Extensions.add_member(:extended_key_usage, Shapes::ShapeRef.new(shape: ExtendedKeyUsageList, location_name: "ExtendedKeyUsage"))
     Extensions.add_member(:key_usage, Shapes::ShapeRef.new(shape: KeyUsage, location_name: "KeyUsage"))
     Extensions.add_member(:subject_alternative_names, Shapes::ShapeRef.new(shape: GeneralNameList, location_name: "SubjectAlternativeNames"))
+    Extensions.add_member(:custom_extensions, Shapes::ShapeRef.new(shape: CustomExtensionList, location_name: "CustomExtensions"))
     Extensions.struct_class = Types::Extensions
 
     GeneralName.add_member(:other_name, Shapes::ShapeRef.new(shape: OtherName, location_name: "OtherName"))

data/lib/aws-sdk-acmpca/types.rb

@@ -35,6 +35,12 @@ module Aws::ACMPCA
     #         initials: "String5",
     #         pseudonym: "String128",
     #         generation_qualifier: "String3",
+    #         custom_attributes: [
+    #           {
+    #             object_identifier: "CustomObjectIdentifier", # required
+    #             value: "String1To256", # required
+    #           },
+    #         ],
     #       }
     #
     # @!attribute [rw] country
@@ -110,6 +116,22 @@ module Aws::ACMPCA
     #   Examples include Jr. for junior, Sr. for senior, and III for third.
     #   @return [String]
     #
+    # @!attribute [rw] custom_attributes
+    #   Contains a sequence of one or more X.500 relative distinguished
+    #   names (RDNs), each of which consists of an object identifier (OID)
+    #   and a value. For more information, see NIST’s definition of [Object
+    #   Identifier (OID)][1].
+    #
+    #   <note markdown="1"> Custom attributes cannot be used in combination with standard
+    #   attributes.
+    #
+    #    </note>
+    #
+    #
+    #
+    #   [1]: https://csrc.nist.gov/glossary/term/Object_Identifier
+    #   @return [Array<Types::CustomAttribute>]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/ASN1Subject AWS API Documentation
     #
     class ASN1Subject < Struct.new(
@@ -126,7 +148,8 @@ module Aws::ACMPCA
       :given_name,
       :initials,
       :pseudonym,
-      :generation_qualifier)
+      :generation_qualifier,
+      :custom_attributes)
       SENSITIVE = []
       include Aws::Structure
     end
@@ -136,7 +159,7 @@ module Aws::ACMPCA
     #
     #
     #
-    # [1]: https://tools.ietf.org/html/rfc5280
+    # [1]: https://datatracker.ietf.org/doc/html/rfc5280
     #
     # @note When making an API call, you may pass AccessDescription
     #   data as a hash:
@@ -168,6 +191,12 @@ module Aws::ACMPCA
     #             initials: "String5",
     #             pseudonym: "String128",
     #             generation_qualifier: "String3",
+    #             custom_attributes: [
+    #               {
+    #                 object_identifier: "CustomObjectIdentifier", # required
+    #                 value: "String1To256", # required
+    #               },
+    #             ],
     #           },
     #           edi_party_name: {
     #             party_name: "String256", # required
@@ -301,6 +330,12 @@ module Aws::ACMPCA
     #                 initials: "String5",
     #                 pseudonym: "String128",
     #                 generation_qualifier: "String3",
+    #                 custom_attributes: [
+    #                   {
+    #                     object_identifier: "CustomObjectIdentifier", # required
+    #                     value: "String1To256", # required
+    #                   },
+    #                 ],
     #               },
     #               edi_party_name: {
     #                 party_name: "String256", # required
@@ -311,6 +346,13 @@ module Aws::ACMPCA
     #               registered_id: "CustomObjectIdentifier",
     #             },
     #           ],
+    #           custom_extensions: [
+    #             {
+    #               object_identifier: "CustomObjectIdentifier", # required
+    #               value: "Base64String1To4096", # required
+    #               critical: false,
+    #             },
+    #           ],
     #         },
     #         subject: {
     #           country: "CountryCodeString",
@@ -327,6 +369,12 @@ module Aws::ACMPCA
     #           initials: "String5",
     #           pseudonym: "String128",
     #           generation_qualifier: "String3",
+    #           custom_attributes: [
+    #             {
+    #               object_identifier: "CustomObjectIdentifier", # required
+    #               value: "String1To256", # required
+    #             },
+    #           ],
     #         },
     #       }
     #
@@ -363,7 +411,7 @@ module Aws::ACMPCA
     # retrieve a private CA certificate signing request (CSR). Sign the CSR
     # with your ACM Private CA-hosted or on-premises root or subordinate CA
     # certificate. Call the [ImportCertificateAuthorityCertificate][3]
-    # action to import the signed certificate into AWS Certificate Manager
+    # action to import the signed certificate into Certificate Manager
     # (ACM).
     #
     #
@@ -378,7 +426,8 @@ module Aws::ACMPCA
     #   @return [String]
     #
     # @!attribute [rw] owner_account
-    #   The AWS account ID that owns the certificate authority.
+    #   The Amazon Web Services account ID that owns the certificate
+    #   authority.
     #   @return [String]
     #
     # @!attribute [rw] created_at
@@ -439,7 +488,7 @@ module Aws::ACMPCA
     #
     #   Default: FIPS\_140\_2\_LEVEL\_3\_OR\_HIGHER
     #
-    #   Note: AWS Region ap-northeast-3 supports only
+    #   Note: Amazon Web Services Region ap-northeast-3 supports only
     #   FIPS\_140\_2\_LEVEL\_2\_OR\_HIGHER. You must explicitly specify this
     #   parameter and value when creating a CA in that Region. Specifying a
     #   different value (or no value) results in an `InvalidArgsException`
@@ -501,6 +550,12 @@ module Aws::ACMPCA
     #           initials: "String5",
     #           pseudonym: "String128",
     #           generation_qualifier: "String3",
+    #           custom_attributes: [
+    #             {
+    #               object_identifier: "CustomObjectIdentifier", # required
+    #               value: "String1To256", # required
+    #             },
+    #           ],
     #         },
     #         csr_extensions: {
     #           key_usage: {
@@ -542,6 +597,12 @@ module Aws::ACMPCA
     #                   initials: "String5",
     #                   pseudonym: "String128",
     #                   generation_qualifier: "String3",
+    #                   custom_attributes: [
+    #                     {
+    #                       object_identifier: "CustomObjectIdentifier", # required
+    #                       value: "String1To256", # required
+    #                     },
+    #                   ],
     #                 },
     #                 edi_party_name: {
     #                   party_name: "String256", # required
@@ -695,6 +756,12 @@ module Aws::ACMPCA
     #             initials: "String5",
     #             pseudonym: "String128",
     #             generation_qualifier: "String3",
+    #             custom_attributes: [
+    #               {
+    #                 object_identifier: "CustomObjectIdentifier", # required
+    #                 value: "String1To256", # required
+    #               },
+    #             ],
     #           },
     #           csr_extensions: {
     #             key_usage: {
@@ -736,6 +803,12 @@ module Aws::ACMPCA
     #                     initials: "String5",
     #                     pseudonym: "String128",
     #                     generation_qualifier: "String3",
+    #                     custom_attributes: [
+    #                       {
+    #                         object_identifier: "CustomObjectIdentifier", # required
+    #                         value: "String1To256", # required
+    #                       },
+    #                     ],
     #                   },
     #                   edi_party_name: {
     #                     party_name: "String256", # required
@@ -814,9 +887,15 @@ module Aws::ACMPCA
     #
     #   Default: FIPS\_140\_2\_LEVEL\_3\_OR\_HIGHER
     #
-    #   Note: `FIPS_140_2_LEVEL_3_OR_HIGHER` is not supported in Region
-    #   ap-northeast-3. When creating a CA in the ap-northeast-3, you must
-    #   provide `FIPS_140_2_LEVEL_2_OR_HIGHER` as the argument for
+    #   *Note:* `FIPS_140_2_LEVEL_3_OR_HIGHER` is not supported in the
+    #   following Regions:
+    #
+    #   * ap-northeast-3
+    #
+    #   * ap-southeast-3
+    #
+    #   When creating a CA in these Regions, you must provide
+    #   `FIPS_140_2_LEVEL_2_OR_HIGHER` as the argument for
     #   `KeyStorageSecurityStandard`. Failure to do this results in an
     #   `InvalidArgsException` with the message, "A certificate authority
     #   cannot be created in this region with the specified security
@@ -888,8 +967,9 @@ module Aws::ACMPCA
     #   @return [String]
     #
     # @!attribute [rw] principal
-    #   The AWS service or identity that receives the permission. At this
-    #   time, the only valid principal is `acm.amazonaws.com`.
+    #   The Amazon Web Services service or identity that receives the
+    #   permission. At this time, the only valid principal is
+    #   `acm.amazonaws.com`.
     #   @return [String]
     #
     # @!attribute [rw] source_account
@@ -897,8 +977,9 @@ module Aws::ACMPCA
     #   @return [String]
     #
     # @!attribute [rw] actions
-    #   The actions that the specified AWS service principal can use. These
-    #   include `IssueCertificate`, `GetCertificate`, and `ListPermissions`.
+    #   The actions that the specified Amazon Web Services service principal
+    #   can use. These include `IssueCertificate`, `GetCertificate`, and
+    #   `ListPermissions`.
     #   @return [Array<String>]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/CreatePermissionRequest AWS API Documentation
@@ -928,10 +1009,10 @@ module Aws::ACMPCA
     #
     # Your private CA uses the value in the **ExpirationInDays** parameter
     # to calculate the **nextUpdate** field in the CRL. The CRL is refreshed
-    # at 1/2 the age of next update or when a certificate is revoked. When a
-    # certificate is revoked, it is recorded in the next CRL that is
-    # generated and in the next audit report. Only time valid certificates
-    # are listed in the CRL. Expired certificates are not included.
+    # prior to a certificate's expiration date or when a certificate is
+    # revoked. When a certificate is revoked, it appears in the CRL until
+    # the certificate expires, and then in one additional CRL after
+    # expiration, and it always appears in the audit report.
     #
     # A CRL is typically updated approximately 30 minutes after a
     # certificate is revoked. If for any reason a CRL update fails, ACM
@@ -985,8 +1066,8 @@ module Aws::ACMPCA
     # `openssl crl -inform DER -text -in crl_path -noout`
     #
     # For more information, see [Planning a certificate revocation list
-    # (CRL)][2] in the *AWS Certificate Manager Private Certificate
-    # Authority (PCA) User Guide*
+    # (CRL)][2] in the *Certificate Manager Private Certificate Authority
+    # (PCA) User Guide*
     #
     #
     #
@@ -1127,6 +1208,12 @@ module Aws::ACMPCA
     #                 initials: "String5",
     #                 pseudonym: "String128",
     #                 generation_qualifier: "String3",
+    #                 custom_attributes: [
+    #                   {
+    #                     object_identifier: "CustomObjectIdentifier", # required
+    #                     value: "String1To256", # required
+    #                   },
+    #                 ],
     #               },
     #               edi_party_name: {
     #                 party_name: "String256", # required
@@ -1152,7 +1239,7 @@ module Aws::ACMPCA
     #
     #
     #
-    #   [1]: https://tools.ietf.org/html/rfc5280#section-4.2.2.2
+    #   [1]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.2.2
     #   @return [Array<Types::AccessDescription>]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/CsrExtensions AWS API Documentation
@@ -1164,6 +1251,79 @@ module Aws::ACMPCA
       include Aws::Structure
     end
 
+    # Defines the X.500 relative distinguished name (RDN).
+    #
+    # @note When making an API call, you may pass CustomAttribute
+    #   data as a hash:
+    #
+    #       {
+    #         object_identifier: "CustomObjectIdentifier", # required
+    #         value: "String1To256", # required
+    #       }
+    #
+    # @!attribute [rw] object_identifier
+    #   Specifies the object identifier (OID) of the attribute type of the
+    #   relative distinguished name (RDN).
+    #   @return [String]
+    #
+    # @!attribute [rw] value
+    #   Specifies the attribute value of relative distinguished name (RDN).
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/CustomAttribute AWS API Documentation
+    #
+    class CustomAttribute < Struct.new(
+      :object_identifier,
+      :value)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # Specifies the X.509 extension information for a certificate.
+    #
+    # Extensions present in `CustomExtensions` follow the `ApiPassthrough`
+    # [template rules][1].
+    #
+    #
+    #
+    # [1]: https://docs.aws.amazon.com/acm-pca/latest/userguide/UsingTemplates.html#template-order-of-operations
+    #
+    # @note When making an API call, you may pass CustomExtension
+    #   data as a hash:
+    #
+    #       {
+    #         object_identifier: "CustomObjectIdentifier", # required
+    #         value: "Base64String1To4096", # required
+    #         critical: false,
+    #       }
+    #
+    # @!attribute [rw] object_identifier
+    #   Specifies the object identifier (OID) of the X.509 extension. For
+    #   more information, see the [Global OID reference database.][1]
+    #
+    #
+    #
+    #   [1]: https://oidref.com/2.5.29
+    #   @return [String]
+    #
+    # @!attribute [rw] value
+    #   Specifies the base64-encoded value of the X.509 extension.
+    #   @return [String]
+    #
+    # @!attribute [rw] critical
+    #   Specifies the critical flag of the X.509 extension.
+    #   @return [Boolean]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/CustomExtension AWS API Documentation
+    #
+    class CustomExtension < Struct.new(
+      :object_identifier,
+      :value,
+      :critical)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
     # @note When making an API call, you may pass DeleteCertificateAuthorityRequest
     #   data as a hash:
     #
@@ -1223,13 +1383,13 @@ module Aws::ACMPCA
     #   @return [String]
     #
     # @!attribute [rw] principal
-    #   The AWS service or identity that will have its CA permissions
-    #   revoked. At this time, the only valid service principal is
-    #   `acm.amazonaws.com`
+    #   The Amazon Web Services service or identity that will have its CA
+    #   permissions revoked. At this time, the only valid service principal
+    #   is `acm.amazonaws.com`
     #   @return [String]
     #
     # @!attribute [rw] source_account
-    #   The AWS account that calls this action.
+    #   The Amazon Web Services account that calls this action.
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/DeletePermissionRequest AWS API Documentation
@@ -1381,7 +1541,7 @@ module Aws::ACMPCA
     #
     #
     #
-    # [1]: https://tools.ietf.org/html/rfc5280
+    # [1]: https://datatracker.ietf.org/doc/html/rfc5280
     #
     # @note When making an API call, you may pass EdiPartyName
     #   data as a hash:
@@ -1426,7 +1586,7 @@ module Aws::ACMPCA
     #
     #
     #
-    #   [1]: https://tools.ietf.org/html/rfc5280#section-4.2.1.12
+    #   [1]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.12
     #   @return [String]
     #
     # @!attribute [rw] extended_key_usage_object_identifier
@@ -1502,6 +1662,12 @@ module Aws::ACMPCA
     #               initials: "String5",
     #               pseudonym: "String128",
     #               generation_qualifier: "String3",
+    #               custom_attributes: [
+    #                 {
+    #                   object_identifier: "CustomObjectIdentifier", # required
+    #                   value: "String1To256", # required
+    #                 },
+    #               ],
     #             },
     #             edi_party_name: {
     #               party_name: "String256", # required
@@ -1512,6 +1678,13 @@ module Aws::ACMPCA
     #             registered_id: "CustomObjectIdentifier",
     #           },
     #         ],
+    #         custom_extensions: [
+    #           {
+    #             object_identifier: "CustomObjectIdentifier", # required
+    #             value: "Base64String1To4096", # required
+    #             critical: false,
+    #           },
+    #         ],
     #       }
     #
     # @!attribute [rw] certificate_policies
@@ -1548,13 +1721,25 @@ module Aws::ACMPCA
     #   the certificate.
     #   @return [Array<Types::GeneralName>]
     #
+    # @!attribute [rw] custom_extensions
+    #   Contains a sequence of one or more X.509 extensions, each of which
+    #   consists of an object identifier (OID), a base64-encoded value, and
+    #   the critical flag. For more information, see the [Global OID
+    #   reference database.][1]
+    #
+    #
+    #
+    #   [1]: https://oidref.com/2.5.29
+    #   @return [Array<Types::CustomExtension>]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/Extensions AWS API Documentation
     #
     class Extensions < Struct.new(
       :certificate_policies,
       :extended_key_usage,
       :key_usage,
-      :subject_alternative_names)
+      :subject_alternative_names,
+      :custom_extensions)
       SENSITIVE = []
       include Aws::Structure
     end
@@ -1565,7 +1750,7 @@ module Aws::ACMPCA
     #
     #
     #
-    # [1]: https://tools.ietf.org/html/rfc5280
+    # [1]: https://datatracker.ietf.org/doc/html/rfc5280
     #
     # @note When making an API call, you may pass GeneralName
     #   data as a hash:
@@ -1592,6 +1777,12 @@ module Aws::ACMPCA
     #           initials: "String5",
     #           pseudonym: "String128",
     #           generation_qualifier: "String3",
+    #           custom_attributes: [
+    #             {
+    #               object_identifier: "CustomObjectIdentifier", # required
+    #               value: "String1To256", # required
+    #             },
+    #           ],
     #         },
     #         edi_party_name: {
     #           party_name: "String256", # required
@@ -1611,7 +1802,7 @@ module Aws::ACMPCA
     #
     #
     #
-    #   [1]: https://tools.ietf.org/html/rfc822
+    #   [1]: https://datatracker.ietf.org/doc/html/rfc822
     #   @return [String]
     #
     # @!attribute [rw] dns_name
@@ -2043,6 +2234,12 @@ module Aws::ACMPCA
     #                   initials: "String5",
     #                   pseudonym: "String128",
     #                   generation_qualifier: "String3",
+    #                   custom_attributes: [
+    #                     {
+    #                       object_identifier: "CustomObjectIdentifier", # required
+    #                       value: "String1To256", # required
+    #                     },
+    #                   ],
     #                 },
     #                 edi_party_name: {
     #                   party_name: "String256", # required
@@ -2053,6 +2250,13 @@ module Aws::ACMPCA
     #                 registered_id: "CustomObjectIdentifier",
     #               },
     #             ],
+    #             custom_extensions: [
+    #               {
+    #                 object_identifier: "CustomObjectIdentifier", # required
+    #                 value: "Base64String1To4096", # required
+    #                 critical: false,
+    #               },
+    #             ],
     #           },
     #           subject: {
     #             country: "CountryCodeString",
@@ -2069,6 +2273,12 @@ module Aws::ACMPCA
     #             initials: "String5",
     #             pseudonym: "String128",
     #             generation_qualifier: "String3",
+    #             custom_attributes: [
+    #               {
+    #                 object_identifier: "CustomObjectIdentifier", # required
+    #                 value: "String1To256", # required
+    #               },
+    #             ],
     #           },
     #         },
     #         certificate_authority_arn: "Arn", # required
@@ -2128,7 +2338,7 @@ module Aws::ACMPCA
     #   contains your X509 version 3 extensions.
     #
     #   `openssl req -new -config openssl_rsa.cnf -extensions usr_cert
-    #   -newkey rsa:2048 -days -365 -keyout private/test_cert_priv_key.pem
+    #   -newkey rsa:2048 -days 365 -keyout private/test_cert_priv_key.pem
     #   -out csr/test_cert_.csr`
     #
     #   Note: A CSR must provide either a *subject name* or a *subject
@@ -2142,6 +2352,11 @@ module Aws::ACMPCA
     #   This parameter should not be confused with the `SigningAlgorithm`
     #   parameter used to sign a CSR in the `CreateCertificateAuthority`
     #   action.
+    #
+    #   <note markdown="1"> The specified signing algorithm family (RSA or ECDSA) much match the
+    #   algorithm family of the CA's secret key.
+    #
+    #    </note>
     #   @return [String]
     #
     # @!attribute [rw] template_arn
@@ -2185,7 +2400,7 @@ module Aws::ACMPCA
     #
     #
     #
-    #   [1]: https://tools.ietf.org/html/rfc5280#section-4.1.2.5
+    #   [1]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.5
     #   @return [Types::Validity]
     #
     # @!attribute [rw] validity_not_before
@@ -2210,7 +2425,7 @@ module Aws::ACMPCA
     #
     #
     #   [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_Validity.html
-    #   [2]: https://tools.ietf.org/html/rfc5280#section-4.1.2.5
+    #   [2]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.5
     #   @return [Types::Validity]
     #
     # @!attribute [rw] idempotency_token
@@ -2588,17 +2803,17 @@ module Aws::ACMPCA
     #   @return [Boolean]
     #
     # @!attribute [rw] ocsp_custom_cname
-    #   By default, ACM Private CA injects an AWS domain into certificates
-    #   being validated by the Online Certificate Status Protocol (OCSP). A
-    #   customer can alternatively use this object to define a CNAME
-    #   specifying a customized OCSP domain.
+    #   By default, ACM Private CA injects an Amazon Web Services domain
+    #   into certificates being validated by the Online Certificate Status
+    #   Protocol (OCSP). A customer can alternatively use this object to
+    #   define a CNAME specifying a customized OCSP domain.
     #
     #   Note: The value of the CNAME must not include a protocol prefix such
     #   as "http://" or "https://".
     #
     #   For more information, see [Customizing Online Certificate Status
-    #   Protocol (OCSP) ][1] in the *AWS Certificate Manager Private
-    #   Certificate Authority (PCA) User Guide*.
+    #   Protocol (OCSP) ][1] in the *Certificate Manager Private Certificate
+    #   Authority (PCA) User Guide*.
     #
     #
     #
@@ -2649,12 +2864,13 @@ module Aws::ACMPCA
     end
 
     # Permissions designate which private CA actions can be performed by an
-    # AWS service or entity. In order for ACM to automatically renew private
-    # certificates, you must give the ACM service principal all available
-    # permissions (`IssueCertificate`, `GetCertificate`, and
-    # `ListPermissions`). Permissions can be assigned with the
-    # [CreatePermission][1] action, removed with the [DeletePermission][2]
-    # action, and listed with the [ListPermissions][3] action.
+    # Amazon Web Services service or entity. In order for ACM to
+    # automatically renew private certificates, you must give the ACM
+    # service principal all available permissions (`IssueCertificate`,
+    # `GetCertificate`, and `ListPermissions`). Permissions can be assigned
+    # with the [CreatePermission][1] action, removed with the
+    # [DeletePermission][2] action, and listed with the [ListPermissions][3]
+    # action.
     #
     #
     #
@@ -2672,8 +2888,8 @@ module Aws::ACMPCA
     #   @return [Time]
     #
     # @!attribute [rw] principal
-    #   The AWS service or entity that holds the permission. At this time,
-    #   the only valid principal is `acm.amazonaws.com`.
+    #   The Amazon Web Services service or entity that holds the permission.
+    #   At this time, the only valid principal is `acm.amazonaws.com`.
     #   @return [String]
     #
     # @!attribute [rw] source_account
@@ -2681,8 +2897,8 @@ module Aws::ACMPCA
     #   @return [String]
     #
     # @!attribute [rw] actions
-    #   The private CA actions that can be performed by the designated AWS
-    #   service.
+    #   The private CA actions that can be performed by the designated
+    #   Amazon Web Services service.
     #   @return [Array<String>]
     #
     # @!attribute [rw] policy
@@ -2836,7 +3052,7 @@ module Aws::ACMPCA
     #
     #
     #
-    # [1]: https://tools.ietf.org/html/rfc5280#section-4.2.1.4
+    # [1]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.4
     #
     # @note When making an API call, you may pass Qualifier
     #   data as a hash:
@@ -2946,8 +3162,8 @@ module Aws::ACMPCA
     # about certificates as requested by clients, and a CRL contains an
     # updated list of certificates revoked by your CA. For more information,
     # see [RevokeCertificate][3] and [Setting up a certificate revocation
-    # method][4] in the *AWS Certificate Manager Private Certificate
-    # Authority (PCA) User Guide*.
+    # method][4] in the *Certificate Manager Private Certificate Authority
+    # (PCA) User Guide*.
     #
     #
     #
@@ -3026,7 +3242,7 @@ module Aws::ACMPCA
     #   `openssl x509 -in file_path -text -noout`
     #
     #   You can also copy the serial number from the console or use the
-    #   [DescribeCertificate][2] action in the *AWS Certificate Manager API
+    #   [DescribeCertificate][2] action in the *Certificate Manager API
     #   Reference*.
     #
     #
@@ -3247,7 +3463,7 @@ module Aws::ACMPCA
     #
     #
     #
-    # [1]: https://tools.ietf.org/html/rfc5280#section-4.1.2.5
+    # [1]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.5
     #
     # @note When making an API call, you may pass Validity
     #   data as a hash:

data/lib/aws-sdk-acmpca.rb

@@ -49,6 +49,6 @@ require_relative 'aws-sdk-acmpca/customizations'
 # @!group service
 module Aws::ACMPCA
 
-  GEM_VERSION = '1.46.0'
+  GEM_VERSION = '1.49.0'
 
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: aws-sdk-acmpca
 version: !ruby/object:Gem::Version
-  version: 1.46.0
+  version: 1.49.0
 platform: ruby
 authors:
 - Amazon Web Services
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2022-02-24 00:00:00.000000000 Z
+date: 2022-07-20 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: aws-sdk-core