aws-sdk-acmpca 1.50.0 → 1.52.0
- checksums.yaml +4 -4
- data/CHANGELOG.md +10 -0
- data/VERSION +1 -1
- data/lib/aws-sdk-acmpca/client.rb +271 -192
- data/lib/aws-sdk-acmpca/client_api.rb +5 -4
- data/lib/aws-sdk-acmpca/endpoint_parameters.rb +69 -0
- data/lib/aws-sdk-acmpca/endpoint_provider.rb +115 -0
- data/lib/aws-sdk-acmpca/endpoints.rb +337 -0
- data/lib/aws-sdk-acmpca/plugins/endpoints.rb +114 -0
- data/lib/aws-sdk-acmpca/types.rb +202 -1159
- data/lib/aws-sdk-acmpca.rb +5 -1
- metadata +8 -4
@@ -30,7 +30,7 @@ require 'aws-sdk-core/plugins/http_checksum.rb'
|
|
30
30
|
require 'aws-sdk-core/plugins/checksum_algorithm.rb'
|
31
31
|
require 'aws-sdk-core/plugins/defaults_mode.rb'
|
32
32
|
require 'aws-sdk-core/plugins/recursion_detection.rb'
|
33
|
-
require 'aws-sdk-core/plugins/
|
33
|
+
require 'aws-sdk-core/plugins/sign.rb'
|
34
34
|
require 'aws-sdk-core/plugins/protocols/json_rpc.rb'
|
35
35
|
|
36
36
|
Aws::Plugins::GlobalConfiguration.add_identifier(:acmpca)
|
@@ -79,8 +79,9 @@ module Aws::ACMPCA
|
|
79
79
|
add_plugin(Aws::Plugins::ChecksumAlgorithm)
|
80
80
|
add_plugin(Aws::Plugins::DefaultsMode)
|
81
81
|
add_plugin(Aws::Plugins::RecursionDetection)
|
82
|
-
add_plugin(Aws::Plugins::
|
82
|
+
add_plugin(Aws::Plugins::Sign)
|
83
83
|
add_plugin(Aws::Plugins::Protocols::JsonRpc)
|
84
|
+
add_plugin(Aws::ACMPCA::Plugins::Endpoints)
|
84
85
|
|
85
86
|
# @overload initialize(options)
|
86
87
|
# @param [Hash] options
|
@@ -297,6 +298,19 @@ module Aws::ACMPCA
|
|
297
298
|
# ** Please note ** When response stubbing is enabled, no HTTP
|
298
299
|
# requests are made, and retries are disabled.
|
299
300
|
#
|
301
|
+
# @option options [Aws::TokenProvider] :token_provider
|
302
|
+
# A Bearer Token Provider. This can be an instance of any one of the
|
303
|
+
# following classes:
|
304
|
+
#
|
305
|
+
# * `Aws::StaticTokenProvider` - Used for configuring static, non-refreshing
|
306
|
+
# tokens.
|
307
|
+
#
|
308
|
+
# * `Aws::SSOTokenProvider` - Used for loading tokens from AWS SSO using an
|
309
|
+
# access token generated from `aws login`.
|
310
|
+
#
|
311
|
+
# When `:token_provider` is not configured directly, the `Aws::TokenProviderChain`
|
312
|
+
# will be used to search for tokens configured for your profile in shared configuration files.
|
313
|
+
#
|
300
314
|
# @option options [Boolean] :use_dualstack_endpoint
|
301
315
|
# When set to `true`, dualstack enabled endpoints (with `.aws` TLD)
|
302
316
|
# will be used if available.
|
@@ -310,6 +324,9 @@ module Aws::ACMPCA
|
|
310
324
|
# When `true`, request parameters are validated before
|
311
325
|
# sending the request.
|
312
326
|
#
|
327
|
+
# @option options [Aws::ACMPCA::EndpointProvider] :endpoint_provider
|
328
|
+
# The endpoint provider used to resolve endpoints. Any object that responds to `#resolve_endpoint(parameters)` where `parameters` is a Struct similar to `Aws::ACMPCA::EndpointParameters`
|
329
|
+
#
|
313
330
|
# @option options [URI::HTTP,String] :http_proxy A proxy to send
|
314
331
|
# requests through. Formatted like 'http://proxy.com:123'.
|
315
332
|
#
|
@@ -376,20 +393,22 @@ module Aws::ACMPCA
|
|
376
393
|
# CA. If successful, this action returns the Amazon Resource Name (ARN)
|
377
394
|
# of the CA.
|
378
395
|
#
|
379
|
-
#
|
380
|
-
#
|
381
|
-
#
|
382
|
-
#
|
383
|
-
#
|
384
|
-
# have permission to write to the bucket, then an exception is thrown.
|
385
|
-
# For more information, see [Access policies for CRLs in Amazon S3][2].
|
396
|
+
# <note markdown="1"> Both Amazon Web Services Private CA and the IAM principal must have
|
397
|
+
# permission to write to the S3 bucket that you specify. If the IAM
|
398
|
+
# principal making the call does not have permission to write to the
|
399
|
+
# bucket, then an exception is thrown. For more information, see [Access
|
400
|
+
# policies for CRLs in Amazon S3][1].
|
386
401
|
#
|
387
402
|
# </note>
|
388
403
|
#
|
404
|
+
# Amazon Web Services Private CA assets that are stored in Amazon S3 can
|
405
|
+
# be protected with encryption. For more information, see [Encrypting
|
406
|
+
# Your CRLs][2].
|
407
|
+
#
|
389
408
|
#
|
390
409
|
#
|
391
|
-
# [1]: https://docs.aws.amazon.com/
|
392
|
-
# [2]: https://docs.aws.amazon.com/
|
410
|
+
# [1]: https://docs.aws.amazon.com/privateca/latest/userguide/crl-planning.html#s3-policies
|
411
|
+
# [2]: https://docs.aws.amazon.com/privateca/latest/userguide/PcaCreateCa.html#crl-encryption
|
393
412
|
#
|
394
413
|
# @option params [required, Types::CertificateAuthorityConfiguration] :certificate_authority_configuration
|
395
414
|
# Name and bit size of the private key algorithm, the name of the
|
@@ -399,13 +418,35 @@ module Aws::ACMPCA
|
|
399
418
|
# Contains information to enable Online Certificate Status Protocol
|
400
419
|
# (OCSP) support, to enable a certificate revocation list (CRL), to
|
401
420
|
# enable both, or to enable neither. The default is for both certificate
|
402
|
-
# validation mechanisms to be disabled.
|
403
|
-
#
|
421
|
+
# validation mechanisms to be disabled.
|
422
|
+
#
|
423
|
+
# <note markdown="1"> The following requirements apply to revocation configurations.
|
424
|
+
#
|
425
|
+
# * A configuration disabling CRLs or OCSP must contain only the
|
426
|
+
# `Enabled=False` parameter, and will fail if other parameters such as
|
427
|
+
# `CustomCname` or `ExpirationInDays` are included.
|
428
|
+
#
|
429
|
+
# * In a CRL configuration, the `S3BucketName` parameter must conform to
|
430
|
+
# [Amazon S3 bucket naming rules][1].
|
431
|
+
#
|
432
|
+
# * A configuration containing a custom Canonical Name (CNAME) parameter
|
433
|
+
# for CRLs or OCSP must conform to [RFC2396][2] restrictions on the
|
434
|
+
# use of special characters in a CNAME.
|
435
|
+
#
|
436
|
+
# * In a CRL or OCSP configuration, the value of a CNAME parameter must
|
437
|
+
# not include a protocol prefix such as "http://" or "https://".
|
438
|
+
#
|
439
|
+
# </note>
|
440
|
+
#
|
441
|
+
# For more information, see the [OcspConfiguration][3] and
|
442
|
+
# [CrlConfiguration][4] types.
|
404
443
|
#
|
405
444
|
#
|
406
445
|
#
|
407
|
-
# [1]: https://docs.aws.amazon.com/
|
408
|
-
# [2]: https://
|
446
|
+
# [1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucketnamingrules.html
|
447
|
+
# [2]: https://www.ietf.org/rfc/rfc2396.txt
|
448
|
+
# [3]: https://docs.aws.amazon.com/privateca/latest/APIReference/API_OcspConfiguration.html
|
449
|
+
# [4]: https://docs.aws.amazon.com/privateca/latest/APIReference/API_CrlConfiguration.html
|
409
450
|
#
|
410
451
|
# @option params [required, String] :certificate_authority_type
|
411
452
|
# The type of the certificate authority.
|
@@ -415,10 +456,11 @@ module Aws::ACMPCA
|
|
415
456
|
# **CreateCertificateAuthority** action. Idempotency tokens for
|
416
457
|
# **CreateCertificateAuthority** time out after five minutes. Therefore,
|
417
458
|
# if you call **CreateCertificateAuthority** multiple times with the
|
418
|
-
# same idempotency token within five minutes,
|
419
|
-
# that you are requesting only certificate
|
420
|
-
# one. If you change the idempotency token
|
421
|
-
#
|
459
|
+
# same idempotency token within five minutes, Amazon Web Services
|
460
|
+
# Private CA recognizes that you are requesting only certificate
|
461
|
+
# authority and will issue only one. If you change the idempotency token
|
462
|
+
# for each call, Amazon Web Services Private CA recognizes that you are
|
463
|
+
# requesting multiple certificate authorities.
|
422
464
|
#
|
423
465
|
# @option params [String] :key_storage_security_standard
|
424
466
|
# Specifies a cryptographic key management compliance standard used for
|
@@ -553,13 +595,13 @@ module Aws::ACMPCA
|
|
553
595
|
# crl_configuration: {
|
554
596
|
# enabled: false, # required
|
555
597
|
# expiration_in_days: 1,
|
556
|
-
# custom_cname: "
|
557
|
-
# s3_bucket_name: "
|
598
|
+
# custom_cname: "CnameString",
|
599
|
+
# s3_bucket_name: "S3BucketName3To255",
|
558
600
|
# s3_object_acl: "PUBLIC_READ", # accepts PUBLIC_READ, BUCKET_OWNER_FULL_CONTROL
|
559
601
|
# },
|
560
602
|
# ocsp_configuration: {
|
561
603
|
# enabled: false, # required
|
562
|
-
# ocsp_custom_cname: "
|
604
|
+
# ocsp_custom_cname: "CnameString",
|
563
605
|
# },
|
564
606
|
# },
|
565
607
|
# certificate_authority_type: "ROOT", # required, accepts ROOT, SUBORDINATE
|
@@ -592,16 +634,17 @@ module Aws::ACMPCA
|
|
592
634
|
# on input. The [IssueCertificate][1] and [RevokeCertificate][2] actions
|
593
635
|
# use the private key.
|
594
636
|
#
|
595
|
-
# <note markdown="1"> Both
|
596
|
-
# bucket that you specify. If the IAM
|
597
|
-
# have permission to write to the
|
598
|
-
# For more information, see [Access
|
637
|
+
# <note markdown="1"> Both Amazon Web Services Private CA and the IAM principal must have
|
638
|
+
# permission to write to the S3 bucket that you specify. If the IAM
|
639
|
+
# principal making the call does not have permission to write to the
|
640
|
+
# bucket, then an exception is thrown. For more information, see [Access
|
641
|
+
# policies for CRLs in Amazon S3][3].
|
599
642
|
#
|
600
643
|
# </note>
|
601
644
|
#
|
602
|
-
#
|
603
|
-
# with encryption. For more information, see [Encrypting
|
604
|
-
# Reports][4].
|
645
|
+
# Amazon Web Services Private CA assets that are stored in Amazon S3 can
|
646
|
+
# be protected with encryption. For more information, see [Encrypting
|
647
|
+
# Your Audit Reports][4].
|
605
648
|
#
|
606
649
|
# <note markdown="1"> You can generate a maximum of one report every 30 minutes.
|
607
650
|
#
|
@@ -609,10 +652,10 @@ module Aws::ACMPCA
|
|
609
652
|
#
|
610
653
|
#
|
611
654
|
#
|
612
|
-
# [1]: https://docs.aws.amazon.com/
|
613
|
-
# [2]: https://docs.aws.amazon.com/
|
614
|
-
# [3]: https://docs.aws.amazon.com/
|
615
|
-
# [4]: https://docs.aws.amazon.com/
|
655
|
+
# [1]: https://docs.aws.amazon.com/privateca/latest/APIReference/API_IssueCertificate.html
|
656
|
+
# [2]: https://docs.aws.amazon.com/privateca/latest/APIReference/API_RevokeCertificate.html
|
657
|
+
# [3]: https://docs.aws.amazon.com/privateca/latest/userguide/crl-planning.html#s3-policies
|
658
|
+
# [4]: https://docs.aws.amazon.com/privateca/latest/userguide/PcaAuditReport.html#audit-report-encryption
|
616
659
|
#
|
617
660
|
# @option params [required, String] :certificate_authority_arn
|
618
661
|
# The Amazon Resource Name (ARN) of the CA to be audited. This is of the
|
@@ -677,14 +720,14 @@ module Aws::ACMPCA
|
|
677
720
|
# accounts, then permissions cannot be used to enable automatic
|
678
721
|
# renewals. Instead, the ACM certificate owner must set up a
|
679
722
|
# resource-based policy to enable cross-account issuance and renewals.
|
680
|
-
# For more information, see [Using a Resource Based Policy with
|
681
|
-
# Private CA][3].
|
723
|
+
# For more information, see [Using a Resource Based Policy with Amazon
|
724
|
+
# Web Services Private CA][3].
|
682
725
|
#
|
683
726
|
#
|
684
727
|
#
|
685
|
-
# [1]: https://docs.aws.amazon.com/
|
686
|
-
# [2]: https://docs.aws.amazon.com/
|
687
|
-
# [3]: https://docs.aws.amazon.com/
|
728
|
+
# [1]: https://docs.aws.amazon.com/privateca/latest/APIReference/API_ListPermissions.html
|
729
|
+
# [2]: https://docs.aws.amazon.com/privateca/latest/APIReference/API_DeletePermission.html
|
730
|
+
# [3]: https://docs.aws.amazon.com/privateca/latest/userguide/pca-rbp.html
|
688
731
|
#
|
689
732
|
# @option params [required, String] :certificate_authority_arn
|
690
733
|
# The Amazon Resource Name (ARN) of the CA that grants the permissions.
|
@@ -696,7 +739,7 @@ module Aws::ACMPCA
|
|
696
739
|
#
|
697
740
|
#
|
698
741
|
#
|
699
|
-
# [1]: https://docs.aws.amazon.com/
|
742
|
+
# [1]: https://docs.aws.amazon.com/privateca/latest/APIReference/API_ListCertificateAuthorities.html
|
700
743
|
#
|
701
744
|
# @option params [required, String] :principal
|
702
745
|
# The Amazon Web Services service or identity that receives the
|
@@ -749,8 +792,8 @@ module Aws::ACMPCA
|
|
749
792
|
# Additionally, you can delete a CA if you are waiting for it to be
|
750
793
|
# created (that is, the status of the CA is `CREATING`). You can also
|
751
794
|
# delete it if the CA has been created but you haven't yet imported the
|
752
|
-
# signed certificate into
|
753
|
-
# is `PENDING_CERTIFICATE`).
|
795
|
+
# signed certificate into Amazon Web Services Private CA (that is, the
|
796
|
+
# status of the CA is `PENDING_CERTIFICATE`).
|
754
797
|
#
|
755
798
|
# When you successfully call [DeleteCertificateAuthority][3], the CA's
|
756
799
|
# status changes to `DELETED`. However, the CA won't be permanently
|
@@ -764,11 +807,11 @@ module Aws::ACMPCA
|
|
764
807
|
#
|
765
808
|
#
|
766
809
|
#
|
767
|
-
# [1]: https://docs.aws.amazon.com/
|
768
|
-
# [2]: https://docs.aws.amazon.com/
|
769
|
-
# [3]: https://docs.aws.amazon.com/
|
770
|
-
# [4]: https://docs.aws.amazon.com/
|
771
|
-
# [5]: https://docs.aws.amazon.com/
|
810
|
+
# [1]: https://docs.aws.amazon.com/privateca/latest/APIReference/API_ListCertificateAuthorities.html
|
811
|
+
# [2]: https://docs.aws.amazon.com/privateca/latest/APIReference/API_UpdateCertificateAuthority.html
|
812
|
+
# [3]: https://docs.aws.amazon.com/privateca/latest/APIReference/API_DeleteCertificateAuthority.html
|
813
|
+
# [4]: https://docs.aws.amazon.com/privateca/latest/APIReference/API_DescribeCertificateAuthority.html
|
814
|
+
# [5]: https://docs.aws.amazon.com/privateca/latest/APIReference/API_RestoreCertificateAuthority.html
|
772
815
|
#
|
773
816
|
# @option params [required, String] :certificate_authority_arn
|
774
817
|
# The Amazon Resource Name (ARN) that was returned when you called
|
@@ -779,7 +822,7 @@ module Aws::ACMPCA
|
|
779
822
|
#
|
780
823
|
#
|
781
824
|
#
|
782
|
-
# [1]: https://docs.aws.amazon.com/
|
825
|
+
# [1]: https://docs.aws.amazon.com/privateca/latest/APIReference/API_CreateCertificateAuthority.html
|
783
826
|
#
|
784
827
|
# @option params [Integer] :permanent_deletion_time_in_days
|
785
828
|
# The number of days to make a CA restorable after it has been deleted.
|
@@ -828,14 +871,14 @@ module Aws::ACMPCA
|
|
828
871
|
# accounts, then permissions cannot be used to enable automatic
|
829
872
|
# renewals. Instead, the ACM certificate owner must set up a
|
830
873
|
# resource-based policy to enable cross-account issuance and renewals.
|
831
|
-
# For more information, see [Using a Resource Based Policy with
|
832
|
-
# Private CA][3].
|
874
|
+
# For more information, see [Using a Resource Based Policy with Amazon
|
875
|
+
# Web Services Private CA][3].
|
833
876
|
#
|
834
877
|
#
|
835
878
|
#
|
836
|
-
# [1]: https://docs.aws.amazon.com/
|
837
|
-
# [2]: https://docs.aws.amazon.com/
|
838
|
-
# [3]: https://docs.aws.amazon.com/
|
879
|
+
# [1]: https://docs.aws.amazon.com/privateca/latest/APIReference/API_CreatePermission.html
|
880
|
+
# [2]: https://docs.aws.amazon.com/privateca/latest/APIReference/API_ListPermissions.html
|
881
|
+
# [3]: https://docs.aws.amazon.com/privateca/latest/userguide/pca-rbp.html
|
839
882
|
#
|
840
883
|
# @option params [required, String] :certificate_authority_arn
|
841
884
|
# The Amazon Resource Number (ARN) of the private CA that issued the
|
@@ -848,7 +891,7 @@ module Aws::ACMPCA
|
|
848
891
|
#
|
849
892
|
#
|
850
893
|
#
|
851
|
-
# [1]: https://docs.aws.amazon.com/
|
894
|
+
# [1]: https://docs.aws.amazon.com/privateca/latest/APIReference/API_ListCertificateAuthorities.html
|
852
895
|
#
|
853
896
|
# @option params [required, String] :principal
|
854
897
|
# The Amazon Web Services service or identity that will have its CA
|
@@ -897,7 +940,7 @@ module Aws::ACMPCA
|
|
897
940
|
# customer account, to Amazon Web Services Organizations, or to an
|
898
941
|
# Amazon Web Services Organizations unit. Policies are under the
|
899
942
|
# control of a CA administrator. For more information, see [Using a
|
900
|
-
# Resource Based Policy with
|
943
|
+
# Resource Based Policy with Amazon Web Services Private CA][3].
|
901
944
|
#
|
902
945
|
# * A policy permits a user of Certificate Manager (ACM) to issue ACM
|
903
946
|
# certificates signed by a CA in another account.
|
@@ -905,8 +948,8 @@ module Aws::ACMPCA
|
|
905
948
|
# * For ACM to manage automatic renewal of these certificates, the ACM
|
906
949
|
# user must configure a Service Linked Role (SLR). The SLR allows the
|
907
950
|
# ACM service to assume the identity of the user, subject to
|
908
|
-
# confirmation against the
|
909
|
-
# information, see [Using a Service Linked Role with ACM][4].
|
951
|
+
# confirmation against the Amazon Web Services Private CA policy. For
|
952
|
+
# more information, see [Using a Service Linked Role with ACM][4].
|
910
953
|
#
|
911
954
|
# * Updates made in Amazon Web Services Resource Manager (RAM) are
|
912
955
|
# reflected in policies. For more information, see [Attach a Policy
|
@@ -914,11 +957,11 @@ module Aws::ACMPCA
|
|
914
957
|
#
|
915
958
|
#
|
916
959
|
#
|
917
|
-
# [1]: https://docs.aws.amazon.com/
|
918
|
-
# [2]: https://docs.aws.amazon.com/
|
919
|
-
# [3]: https://docs.aws.amazon.com/
|
960
|
+
# [1]: https://docs.aws.amazon.com/privateca/latest/APIReference/API_GetPolicy.html
|
961
|
+
# [2]: https://docs.aws.amazon.com/privateca/latest/APIReference/API_PutPolicy.html
|
962
|
+
# [3]: https://docs.aws.amazon.com/privateca/latest/userguide/pca-rbp.html
|
920
963
|
# [4]: https://docs.aws.amazon.com/acm/latest/userguide/acm-slr.html
|
921
|
-
# [5]: https://docs.aws.amazon.com/
|
964
|
+
# [5]: https://docs.aws.amazon.com/privateca/latest/userguide/pca-ram.html
|
922
965
|
#
|
923
966
|
# @option params [required, String] :resource_arn
|
924
967
|
# The Amazon Resource Number (ARN) of the private CA that will have its
|
@@ -929,7 +972,7 @@ module Aws::ACMPCA
|
|
929
972
|
#
|
930
973
|
#
|
931
974
|
#
|
932
|
-
# [1]: https://docs.aws.amazon.com/
|
975
|
+
# [1]: https://docs.aws.amazon.com/privateca/latest/APIReference/API_ListCertificateAuthorities.html
|
933
976
|
#
|
934
977
|
# @return [Struct] Returns an empty {Seahorse::Client::Response response}.
|
935
978
|
#
|
@@ -953,12 +996,13 @@ module Aws::ACMPCA
|
|
953
996
|
# its ARN (Amazon Resource Name). The output contains the status of your
|
954
997
|
# CA. This can be any of the following:
|
955
998
|
#
|
956
|
-
# * `CREATING` -
|
957
|
-
# authority.
|
999
|
+
# * `CREATING` - Amazon Web Services Private CA is creating your private
|
1000
|
+
# certificate authority.
|
958
1001
|
#
|
959
1002
|
# * `PENDING_CERTIFICATE` - The certificate is pending. You must use
|
960
|
-
# your
|
961
|
-
# sign your private CA CSR and then import it into
|
1003
|
+
# your Amazon Web Services Private CA-hosted or on-premises root or
|
1004
|
+
# subordinate CA to sign your private CA CSR and then import it into
|
1005
|
+
# Amazon Web Services Private CA.
|
962
1006
|
#
|
963
1007
|
# * `ACTIVE` - Your private CA is active.
|
964
1008
|
#
|
@@ -984,7 +1028,7 @@ module Aws::ACMPCA
|
|
984
1028
|
#
|
985
1029
|
#
|
986
1030
|
#
|
987
|
-
# [1]: https://docs.aws.amazon.com/
|
1031
|
+
# [1]: https://docs.aws.amazon.com/privateca/latest/APIReference/API_CreateCertificateAuthority.html
|
988
1032
|
#
|
989
1033
|
# @return [Types::DescribeCertificateAuthorityResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
|
990
1034
|
#
|
@@ -1093,9 +1137,9 @@ module Aws::ACMPCA
|
|
1093
1137
|
#
|
1094
1138
|
#
|
1095
1139
|
#
|
1096
|
-
# [1]: https://docs.aws.amazon.com/
|
1097
|
-
# [2]: https://docs.aws.amazon.com/
|
1098
|
-
# [3]: https://docs.aws.amazon.com/
|
1140
|
+
# [1]: https://docs.aws.amazon.com/privateca/latest/APIReference/API_CreateCertificateAuthorityAuditReport.html
|
1141
|
+
# [2]: https://docs.aws.amazon.com/privateca/latest/APIReference/API_IssueCertificate.html
|
1142
|
+
# [3]: https://docs.aws.amazon.com/privateca/latest/APIReference/API_RevokeCertificate.html
|
1099
1143
|
#
|
1100
1144
|
# @option params [required, String] :certificate_authority_arn
|
1101
1145
|
# The Amazon Resource Name (ARN) of the private CA. This must be of the
|
@@ -1110,7 +1154,7 @@ module Aws::ACMPCA
|
|
1110
1154
|
#
|
1111
1155
|
#
|
1112
1156
|
#
|
1113
|
-
# [1]: https://docs.aws.amazon.com/
|
1157
|
+
# [1]: https://docs.aws.amazon.com/privateca/latest/APIReference/API_CreateCertificateAuthorityAuditReport.html
|
1114
1158
|
#
|
1115
1159
|
# @return [Types::DescribeCertificateAuthorityAuditReportResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
|
1116
1160
|
#
|
@@ -1159,8 +1203,8 @@ module Aws::ACMPCA
|
|
1159
1203
|
#
|
1160
1204
|
#
|
1161
1205
|
#
|
1162
|
-
# [1]: https://docs.aws.amazon.com/
|
1163
|
-
# [2]: https://docs.aws.amazon.com/
|
1206
|
+
# [1]: https://docs.aws.amazon.com/privateca/latest/APIReference/API_IssueCertificate.html
|
1207
|
+
# [2]: https://docs.aws.amazon.com/privateca/latest/APIReference/API_CreateCertificateAuthorityAuditReport.html
|
1164
1208
|
#
|
1165
1209
|
# @option params [required, String] :certificate_authority_arn
|
1166
1210
|
# The Amazon Resource Name (ARN) that was returned when you called
|
@@ -1171,7 +1215,7 @@ module Aws::ACMPCA
|
|
1171
1215
|
#
|
1172
1216
|
#
|
1173
1217
|
#
|
1174
|
-
# [1]: https://docs.aws.amazon.com/
|
1218
|
+
# [1]: https://docs.aws.amazon.com/privateca/latest/APIReference/API_CreateCertificateAuthority.html
|
1175
1219
|
#
|
1176
1220
|
# @option params [required, String] :certificate_arn
|
1177
1221
|
# The ARN of the issued certificate. The ARN contains the certificate
|
@@ -1251,16 +1295,16 @@ module Aws::ACMPCA
|
|
1251
1295
|
|
1252
1296
|
# Retrieves the certificate signing request (CSR) for your private
|
1253
1297
|
# certificate authority (CA). The CSR is created when you call the
|
1254
|
-
# [CreateCertificateAuthority][1] action. Sign the CSR with your
|
1255
|
-
# Private CA-hosted or on-premises root or subordinate CA.
|
1256
|
-
# the signed certificate back into
|
1257
|
-
# [ImportCertificateAuthorityCertificate][2]
|
1258
|
-
# as a base64 PEM-encoded string.
|
1298
|
+
# [CreateCertificateAuthority][1] action. Sign the CSR with your Amazon
|
1299
|
+
# Web Services Private CA-hosted or on-premises root or subordinate CA.
|
1300
|
+
# Then import the signed certificate back into Amazon Web Services
|
1301
|
+
# Private CA by calling the [ImportCertificateAuthorityCertificate][2]
|
1302
|
+
# action. The CSR is returned as a base64 PEM-encoded string.
|
1259
1303
|
#
|
1260
1304
|
#
|
1261
1305
|
#
|
1262
|
-
# [1]: https://docs.aws.amazon.com/
|
1263
|
-
# [2]: https://docs.aws.amazon.com/
|
1306
|
+
# [1]: https://docs.aws.amazon.com/privateca/latest/APIReference/API_CreateCertificateAuthority.html
|
1307
|
+
# [2]: https://docs.aws.amazon.com/privateca/latest/APIReference/API_ImportCertificateAuthorityCertificate.html
|
1264
1308
|
#
|
1265
1309
|
# @option params [required, String] :certificate_authority_arn
|
1266
1310
|
# The Amazon Resource Name (ARN) that was returned when you called the
|
@@ -1271,7 +1315,7 @@ module Aws::ACMPCA
|
|
1271
1315
|
#
|
1272
1316
|
#
|
1273
1317
|
#
|
1274
|
-
# [1]: https://docs.aws.amazon.com/
|
1318
|
+
# [1]: https://docs.aws.amazon.com/privateca/latest/APIReference/API_CreateCertificateAuthority.html
|
1275
1319
|
#
|
1276
1320
|
# @return [Types::GetCertificateAuthorityCsrResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
|
1277
1321
|
#
|
@@ -1314,7 +1358,7 @@ module Aws::ACMPCA
|
|
1314
1358
|
# customer account, to Amazon Web Services Organizations, or to an
|
1315
1359
|
# Amazon Web Services Organizations unit. Policies are under the
|
1316
1360
|
# control of a CA administrator. For more information, see [Using a
|
1317
|
-
# Resource Based Policy with
|
1361
|
+
# Resource Based Policy with Amazon Web Services Private CA][3].
|
1318
1362
|
#
|
1319
1363
|
# * A policy permits a user of Certificate Manager (ACM) to issue ACM
|
1320
1364
|
# certificates signed by a CA in another account.
|
@@ -1322,8 +1366,8 @@ module Aws::ACMPCA
|
|
1322
1366
|
# * For ACM to manage automatic renewal of these certificates, the ACM
|
1323
1367
|
# user must configure a Service Linked Role (SLR). The SLR allows the
|
1324
1368
|
# ACM service to assume the identity of the user, subject to
|
1325
|
-
# confirmation against the
|
1326
|
-
# information, see [Using a Service Linked Role with ACM][4].
|
1369
|
+
# confirmation against the Amazon Web Services Private CA policy. For
|
1370
|
+
# more information, see [Using a Service Linked Role with ACM][4].
|
1327
1371
|
#
|
1328
1372
|
# * Updates made in Amazon Web Services Resource Manager (RAM) are
|
1329
1373
|
# reflected in policies. For more information, see [Attach a Policy
|
@@ -1331,11 +1375,11 @@ module Aws::ACMPCA
|
|
1331
1375
|
#
|
1332
1376
|
#
|
1333
1377
|
#
|
1334
|
-
# [1]: https://docs.aws.amazon.com/
|
1335
|
-
# [2]: https://docs.aws.amazon.com/
|
1336
|
-
# [3]: https://docs.aws.amazon.com/
|
1378
|
+
# [1]: https://docs.aws.amazon.com/privateca/latest/APIReference/API_PutPolicy.html
|
1379
|
+
# [2]: https://docs.aws.amazon.com/privateca/latest/APIReference/API_DeletePolicy.html
|
1380
|
+
# [3]: https://docs.aws.amazon.com/privateca/latest/userguide/pca-rbp.html
|
1337
1381
|
# [4]: https://docs.aws.amazon.com/acm/latest/userguide/acm-slr.html
|
1338
|
-
# [5]: https://docs.aws.amazon.com/
|
1382
|
+
# [5]: https://docs.aws.amazon.com/privateca/latest/userguide/pca-ram.html
|
1339
1383
|
#
|
1340
1384
|
# @option params [required, String] :resource_arn
|
1341
1385
|
# The Amazon Resource Number (ARN) of the private CA that will have its
|
@@ -1365,14 +1409,14 @@ module Aws::ACMPCA
|
|
1365
1409
|
req.send_request(options)
|
1366
1410
|
end
|
1367
1411
|
|
1368
|
-
# Imports a signed private CA certificate into
|
1369
|
-
# action is used when you are using a chain of trust
|
1370
|
-
# located outside
|
1371
|
-
# following preparations must in place:
|
1412
|
+
# Imports a signed private CA certificate into Amazon Web Services
|
1413
|
+
# Private CA. This action is used when you are using a chain of trust
|
1414
|
+
# whose root is located outside Amazon Web Services Private CA. Before
|
1415
|
+
# you can call this action, the following preparations must in place:
|
1372
1416
|
#
|
1373
|
-
# 1. In
|
1374
|
-
# to create the private CA
|
1375
|
-
# certificate.
|
1417
|
+
# 1. In Amazon Web Services Private CA, call the
|
1418
|
+
# [CreateCertificateAuthority][1] action to create the private CA
|
1419
|
+
# that you plan to back with the imported certificate.
|
1376
1420
|
#
|
1377
1421
|
# 2. Call the [GetCertificateAuthorityCsr][2] action to generate a
|
1378
1422
|
# certificate signing request (CSR).
|
@@ -1383,13 +1427,14 @@ module Aws::ACMPCA
|
|
1383
1427
|
# 4. Create a certificate chain and copy the signed certificate and the
|
1384
1428
|
# certificate chain to your working directory.
|
1385
1429
|
#
|
1386
|
-
#
|
1387
|
-
# certificate:
|
1430
|
+
# Amazon Web Services Private CA supports three scenarios for installing
|
1431
|
+
# a CA certificate:
|
1388
1432
|
#
|
1389
|
-
# * Installing a certificate for a root CA hosted by
|
1433
|
+
# * Installing a certificate for a root CA hosted by Amazon Web Services
|
1434
|
+
# Private CA.
|
1390
1435
|
#
|
1391
1436
|
# * Installing a subordinate CA certificate whose parent authority is
|
1392
|
-
# hosted by
|
1437
|
+
# hosted by Amazon Web Services Private CA.
|
1393
1438
|
#
|
1394
1439
|
# * Installing a subordinate CA certificate whose parent authority is
|
1395
1440
|
# externally hosted.
|
@@ -1417,8 +1462,8 @@ module Aws::ACMPCA
|
|
1417
1462
|
#
|
1418
1463
|
# *Enforcement of Critical Constraints*
|
1419
1464
|
#
|
1420
|
-
#
|
1421
|
-
# in the imported CA certificate or chain.
|
1465
|
+
# Amazon Web Services Private CA allows the following extensions to be
|
1466
|
+
# marked critical in the imported CA certificate or chain.
|
1422
1467
|
#
|
1423
1468
|
# * Basic constraints (*must* be marked critical)
|
1424
1469
|
#
|
@@ -1444,8 +1489,8 @@ module Aws::ACMPCA
|
|
1444
1489
|
#
|
1445
1490
|
# * Inhibit anyPolicy
|
1446
1491
|
#
|
1447
|
-
#
|
1448
|
-
# critical in an imported CA certificate or chain.
|
1492
|
+
# Amazon Web Services Private CA rejects the following extensions when
|
1493
|
+
# they are marked critical in an imported CA certificate or chain.
|
1449
1494
|
#
|
1450
1495
|
# * Name constraints
|
1451
1496
|
#
|
@@ -1461,8 +1506,8 @@ module Aws::ACMPCA
|
|
1461
1506
|
#
|
1462
1507
|
#
|
1463
1508
|
#
|
1464
|
-
# [1]: https://docs.aws.amazon.com/
|
1465
|
-
# [2]: https://docs.aws.amazon.com/
|
1509
|
+
# [1]: https://docs.aws.amazon.com/privateca/latest/APIReference/API_CreateCertificateAuthority.html
|
1510
|
+
# [2]: https://docs.aws.amazon.com/privateca/latest/APIReference/API_GetCertificateAuthorityCsr.html
|
1466
1511
|
#
|
1467
1512
|
# @option params [required, String] :certificate_authority_arn
|
1468
1513
|
# The Amazon Resource Name (ARN) that was returned when you called
|
@@ -1473,7 +1518,7 @@ module Aws::ACMPCA
|
|
1473
1518
|
#
|
1474
1519
|
#
|
1475
1520
|
#
|
1476
|
-
# [1]: https://docs.aws.amazon.com/
|
1521
|
+
# [1]: https://docs.aws.amazon.com/privateca/latest/APIReference/API_CreateCertificateAuthority.html
|
1477
1522
|
#
|
1478
1523
|
# @option params [required, String, StringIO, File] :certificate
|
1479
1524
|
# The PEM-encoded certificate for a private CA. This may be a
|
@@ -1483,8 +1528,9 @@ module Aws::ACMPCA
|
|
1483
1528
|
# @option params [String, StringIO, File] :certificate_chain
|
1484
1529
|
# A PEM-encoded file that contains all of your certificates, other than
|
1485
1530
|
# the certificate you're importing, chaining up to your root CA. Your
|
1486
|
-
#
|
1487
|
-
# the chain, and each certificate in the chain signs the
|
1531
|
+
# Amazon Web Services Private CA-hosted or on-premises root certificate
|
1532
|
+
# is the last in the chain, and each certificate in the chain signs the
|
1533
|
+
# one preceding.
|
1488
1534
|
#
|
1489
1535
|
# This parameter must be supplied when you import a subordinate CA. When
|
1490
1536
|
# you import a root CA, there is no chain.
|
@@ -1515,14 +1561,14 @@ module Aws::ACMPCA
|
|
1515
1561
|
# specifying the ARN.
|
1516
1562
|
#
|
1517
1563
|
# <note markdown="1"> You cannot use the ACM **ListCertificateAuthorities** action to
|
1518
|
-
# retrieve the ARNs of the certificates that you issue by using
|
1519
|
-
# Private CA.
|
1564
|
+
# retrieve the ARNs of the certificates that you issue by using Amazon
|
1565
|
+
# Web Services Private CA.
|
1520
1566
|
#
|
1521
1567
|
# </note>
|
1522
1568
|
#
|
1523
1569
|
#
|
1524
1570
|
#
|
1525
|
-
# [1]: https://docs.aws.amazon.com/
|
1571
|
+
# [1]: https://docs.aws.amazon.com/privateca/latest/APIReference/API_GetCertificate.html
|
1526
1572
|
#
|
1527
1573
|
# @option params [Types::ApiPassthrough] :api_passthrough
|
1528
1574
|
# Specifies X.509 certificate information to be included in the issued
|
@@ -1532,13 +1578,13 @@ module Aws::ACMPCA
|
|
1532
1578
|
# Certificate Templates][1].
|
1533
1579
|
#
|
1534
1580
|
# If conflicting or duplicate certificate information is supplied during
|
1535
|
-
# certificate issuance,
|
1536
|
-
# rules][2] to determine what information is used.
|
1581
|
+
# certificate issuance, Amazon Web Services Private CA applies [order of
|
1582
|
+
# operation rules][2] to determine what information is used.
|
1537
1583
|
#
|
1538
1584
|
#
|
1539
1585
|
#
|
1540
|
-
# [1]: https://docs.aws.amazon.com/
|
1541
|
-
# [2]: https://docs.aws.amazon.com/
|
1586
|
+
# [1]: https://docs.aws.amazon.com/privateca/latest/userguide/UsingTemplates.html
|
1587
|
+
# [2]: https://docs.aws.amazon.com/privateca/latest/userguide/UsingTemplates.html#template-order-of-operations
|
1542
1588
|
#
|
1543
1589
|
# @option params [required, String] :certificate_authority_arn
|
1544
1590
|
# The Amazon Resource Name (ARN) that was returned when you called
|
@@ -1549,7 +1595,7 @@ module Aws::ACMPCA
|
|
1549
1595
|
#
|
1550
1596
|
#
|
1551
1597
|
#
|
1552
|
-
# [1]: https://docs.aws.amazon.com/
|
1598
|
+
# [1]: https://docs.aws.amazon.com/privateca/latest/APIReference/API_CreateCertificateAuthority.html
|
1553
1599
|
#
|
1554
1600
|
# @option params [required, String, StringIO, File] :csr
|
1555
1601
|
# The certificate signing request (CSR) for the certificate you want to
|
@@ -1585,8 +1631,8 @@ module Aws::ACMPCA
|
|
1585
1631
|
#
|
1586
1632
|
# @option params [String] :template_arn
|
1587
1633
|
# Specifies a custom configuration template to use when issuing a
|
1588
|
-
# certificate. If this parameter is not provided,
|
1589
|
-
# defaults to the `EndEntityCertificate/V1` template. For CA
|
1634
|
+
# certificate. If this parameter is not provided, Amazon Web Services
|
1635
|
+
# Private CA defaults to the `EndEntityCertificate/V1` template. For CA
|
1590
1636
|
# certificates, you should choose the shortest path length that meets
|
1591
1637
|
# your needs. The path length is indicated by the PathLen*N* portion of
|
1592
1638
|
# the ARN, where *N* is the [CA depth][1].
|
@@ -1594,13 +1640,13 @@ module Aws::ACMPCA
|
|
1594
1640
|
# Note: The CA depth configured on a subordinate CA certificate must not
|
1595
1641
|
# exceed the limit set by its parents in the CA hierarchy.
|
1596
1642
|
#
|
1597
|
-
# For a list of `TemplateArn` values supported by
|
1598
|
-
# [Understanding Certificate Templates][2].
|
1643
|
+
# For a list of `TemplateArn` values supported by Amazon Web Services
|
1644
|
+
# Private CA, see [Understanding Certificate Templates][2].
|
1599
1645
|
#
|
1600
1646
|
#
|
1601
1647
|
#
|
1602
|
-
# [1]: https://docs.aws.amazon.com/
|
1603
|
-
# [2]: https://docs.aws.amazon.com/
|
1648
|
+
# [1]: https://docs.aws.amazon.com/privateca/latest/userguide/PcaTerms.html#terms-cadepth
|
1649
|
+
# [2]: https://docs.aws.amazon.com/privateca/latest/userguide/UsingTemplates.html
|
1604
1650
|
#
|
1605
1651
|
# @option params [required, Types::Validity] :validity
|
1606
1652
|
# Information describing the end of the validity period of the
|
@@ -1630,10 +1676,10 @@ module Aws::ACMPCA
|
|
1630
1676
|
# certificate. This parameter sets the “Not Before" date for the
|
1631
1677
|
# certificate.
|
1632
1678
|
#
|
1633
|
-
# By default, when issuing a certificate,
|
1634
|
-
# Before" date to the issuance time minus 60 minutes.
|
1635
|
-
# for clock inconsistencies across computer systems.
|
1636
|
-
# `ValidityNotBefore` parameter can be used to customize the “Not
|
1679
|
+
# By default, when issuing a certificate, Amazon Web Services Private CA
|
1680
|
+
# sets the "Not Before" date to the issuance time minus 60 minutes.
|
1681
|
+
# This compensates for clock inconsistencies across computer systems.
|
1682
|
+
# The `ValidityNotBefore` parameter can be used to customize the “Not
|
1637
1683
|
# Before” value.
|
1638
1684
|
#
|
1639
1685
|
# Unlike the `Validity` parameter, the `ValidityNotBefore` parameter is
|
@@ -1654,10 +1700,10 @@ module Aws::ACMPCA
|
|
1654
1700
|
# the **IssueCertificate** action. Idempotency tokens for
|
1655
1701
|
# **IssueCertificate** time out after one minute. Therefore, if you call
|
1656
1702
|
# **IssueCertificate** multiple times with the same idempotency token
|
1657
|
-
# within one minute,
|
1658
|
-
# only one certificate and will issue only one. If you
|
1659
|
-
# idempotency token for each call,
|
1660
|
-
# requesting multiple certificates.
|
1703
|
+
# within one minute, Amazon Web Services Private CA recognizes that you
|
1704
|
+
# are requesting only one certificate and will issue only one. If you
|
1705
|
+
# change the idempotency token for each call, Amazon Web Services
|
1706
|
+
# Private CA recognizes that you are requesting multiple certificates.
|
1661
1707
|
#
|
1662
1708
|
# @return [Types::IssueCertificateResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
|
1663
1709
|
#
|
@@ -1801,7 +1847,7 @@ module Aws::ACMPCA
|
|
1801
1847
|
#
|
1802
1848
|
#
|
1803
1849
|
#
|
1804
|
-
# [1]: https://docs.aws.amazon.com/
|
1850
|
+
# [1]: https://docs.aws.amazon.com/privateca/latest/APIReference/API_CreateCertificateAuthority.html
|
1805
1851
|
#
|
1806
1852
|
# @option params [String] :next_token
|
1807
1853
|
# Use this parameter when paginating results in a subsequent request
|
@@ -1949,14 +1995,14 @@ module Aws::ACMPCA
|
|
1949
1995
|
# accounts, then permissions cannot be used to enable automatic
|
1950
1996
|
# renewals. Instead, the ACM certificate owner must set up a
|
1951
1997
|
# resource-based policy to enable cross-account issuance and renewals.
|
1952
|
-
# For more information, see [Using a Resource Based Policy with
|
1953
|
-
# Private CA][3].
|
1998
|
+
# For more information, see [Using a Resource Based Policy with Amazon
|
1999
|
+
# Web Services Private CA][3].
|
1954
2000
|
#
|
1955
2001
|
#
|
1956
2002
|
#
|
1957
|
-
# [1]: https://docs.aws.amazon.com/
|
1958
|
-
# [2]: https://docs.aws.amazon.com/
|
1959
|
-
# [3]: https://docs.aws.amazon.com/
|
2003
|
+
# [1]: https://docs.aws.amazon.com/privateca/latest/APIReference/API_CreatePermission.html
|
2004
|
+
# [2]: https://docs.aws.amazon.com/privateca/latest/APIReference/API_DeletePermission.html
|
2005
|
+
# [3]: https://docs.aws.amazon.com/privateca/latest/userguide/pca-rbp.html
|
1960
2006
|
#
|
1961
2007
|
# @option params [required, String] :certificate_authority_arn
|
1962
2008
|
# The Amazon Resource Number (ARN) of the private CA to inspect. You can
|
@@ -1968,7 +2014,7 @@ module Aws::ACMPCA
|
|
1968
2014
|
#
|
1969
2015
|
#
|
1970
2016
|
#
|
1971
|
-
# [1]: https://docs.aws.amazon.com/
|
2017
|
+
# [1]: https://docs.aws.amazon.com/privateca/latest/APIReference/API_ListCertificateAuthorities.html
|
1972
2018
|
#
|
1973
2019
|
# @option params [String] :next_token
|
1974
2020
|
# When paginating results, use this parameter in a subsequent request
|
@@ -2027,8 +2073,8 @@ module Aws::ACMPCA
|
|
2027
2073
|
#
|
2028
2074
|
#
|
2029
2075
|
#
|
2030
|
-
# [1]: https://docs.aws.amazon.com/
|
2031
|
-
# [2]: https://docs.aws.amazon.com/
|
2076
|
+
# [1]: https://docs.aws.amazon.com/privateca/latest/APIReference/API_TagCertificateAuthority.html
|
2077
|
+
# [2]: https://docs.aws.amazon.com/privateca/latest/APIReference/API_UntagCertificateAuthority.html
|
2032
2078
|
#
|
2033
2079
|
# @option params [required, String] :certificate_authority_arn
|
2034
2080
|
# The Amazon Resource Name (ARN) that was returned when you called the
|
@@ -2039,7 +2085,7 @@ module Aws::ACMPCA
|
|
2039
2085
|
#
|
2040
2086
|
#
|
2041
2087
|
#
|
2042
|
-
# [1]: https://docs.aws.amazon.com/
|
2088
|
+
# [1]: https://docs.aws.amazon.com/privateca/latest/APIReference/API_CreateCertificateAuthority.html
|
2043
2089
|
#
|
2044
2090
|
# @option params [String] :next_token
|
2045
2091
|
# Use this parameter when paginating results in a subsequent request
|
@@ -2099,7 +2145,7 @@ module Aws::ACMPCA
|
|
2099
2145
|
# customer account, to Amazon Web Services Organizations, or to an
|
2100
2146
|
# Amazon Web Services Organizations unit. Policies are under the
|
2101
2147
|
# control of a CA administrator. For more information, see [Using a
|
2102
|
-
# Resource Based Policy with
|
2148
|
+
# Resource Based Policy with Amazon Web Services Private CA][4].
|
2103
2149
|
#
|
2104
2150
|
# * A policy permits a user of Certificate Manager (ACM) to issue ACM
|
2105
2151
|
# certificates signed by a CA in another account.
|
@@ -2107,8 +2153,8 @@ module Aws::ACMPCA
|
|
2107
2153
|
# * For ACM to manage automatic renewal of these certificates, the ACM
|
2108
2154
|
# user must configure a Service Linked Role (SLR). The SLR allows the
|
2109
2155
|
# ACM service to assume the identity of the user, subject to
|
2110
|
-
# confirmation against the
|
2111
|
-
# information, see [Using a Service Linked Role with ACM][5].
|
2156
|
+
# confirmation against the Amazon Web Services Private CA policy. For
|
2157
|
+
# more information, see [Using a Service Linked Role with ACM][5].
|
2112
2158
|
#
|
2113
2159
|
# * Updates made in Amazon Web Services Resource Manager (RAM) are
|
2114
2160
|
# reflected in policies. For more information, see [Attach a Policy
|
@@ -2116,10 +2162,10 @@ module Aws::ACMPCA
|
|
2116
2162
|
#
|
2117
2163
|
#
|
2118
2164
|
#
|
2119
|
-
# [1]: https://docs.aws.amazon.com/
|
2120
|
-
# [2]: https://docs.aws.amazon.com/
|
2121
|
-
# [3]: https://docs.aws.amazon.com/
|
2122
|
-
# [4]: https://docs.aws.amazon.com/
|
2165
|
+
# [1]: https://docs.aws.amazon.com/privateca/latest/userguide/pca-ram.html
|
2166
|
+
# [2]: https://docs.aws.amazon.com/privateca/latest/APIReference/API_GetPolicy.html
|
2167
|
+
# [3]: https://docs.aws.amazon.com/privateca/latest/APIReference/API_DeletePolicy.html
|
2168
|
+
# [4]: https://docs.aws.amazon.com/privateca/latest/userguide/pca-rbp.html
|
2123
2169
|
# [5]: https://docs.aws.amazon.com/acm/latest/userguide/acm-slr.html
|
2124
2170
|
#
|
2125
2171
|
# @option params [required, String] :resource_arn
|
@@ -2131,7 +2177,7 @@ module Aws::ACMPCA
|
|
2131
2177
|
#
|
2132
2178
|
#
|
2133
2179
|
#
|
2134
|
-
# [1]: https://docs.aws.amazon.com/
|
2180
|
+
# [1]: https://docs.aws.amazon.com/privateca/latest/APIReference/API_ListCertificateAuthorities.html
|
2135
2181
|
#
|
2136
2182
|
# @option params [required, String] :policy
|
2137
2183
|
# The path and file name of a JSON-formatted IAM policy to attach to the
|
@@ -2183,11 +2229,11 @@ module Aws::ACMPCA
|
|
2183
2229
|
#
|
2184
2230
|
#
|
2185
2231
|
#
|
2186
|
-
# [1]: https://docs.aws.amazon.com/
|
2187
|
-
# [2]: https://docs.aws.amazon.com/
|
2188
|
-
# [3]: https://docs.aws.amazon.com/
|
2189
|
-
# [4]: https://docs.aws.amazon.com/
|
2190
|
-
# [5]: https://docs.aws.amazon.com/
|
2232
|
+
# [1]: https://docs.aws.amazon.com/privateca/latest/APIReference/API_DeleteCertificateAuthority.html
|
2233
|
+
# [2]: https://docs.aws.amazon.com/privateca/latest/APIReference/API_DescribeCertificateAuthority.html
|
2234
|
+
# [3]: https://docs.aws.amazon.com/privateca/latest/APIReference/API_ListCertificateAuthorities.html
|
2235
|
+
# [4]: https://docs.aws.amazon.com/privateca/latest/APIReference/API_UpdateCertificateAuthority.html
|
2236
|
+
# [5]: https://docs.aws.amazon.com/privateca/latest/APIReference/API_ImportCertificateAuthorityCertificate.html
|
2191
2237
|
#
|
2192
2238
|
# @option params [required, String] :certificate_authority_arn
|
2193
2239
|
# The Amazon Resource Name (ARN) that was returned when you called the
|
@@ -2198,7 +2244,7 @@ module Aws::ACMPCA
|
|
2198
2244
|
#
|
2199
2245
|
#
|
2200
2246
|
#
|
2201
|
-
# [1]: https://docs.aws.amazon.com/
|
2247
|
+
# [1]: https://docs.aws.amazon.com/privateca/latest/APIReference/API_CreateCertificateAuthority.html
|
2202
2248
|
#
|
2203
2249
|
# @return [Struct] Returns an empty {Seahorse::Client::Response response}.
|
2204
2250
|
#
|
@@ -2217,26 +2263,29 @@ module Aws::ACMPCA
|
|
2217
2263
|
req.send_request(options)
|
2218
2264
|
end
|
2219
2265
|
|
2220
|
-
# Revokes a certificate that was issued inside
|
2221
|
-
# enable a certificate revocation list (CRL) when you
|
2222
|
-
# your private CA, information about the revoked
|
2223
|
-
# included in the CRL.
|
2224
|
-
# that you specify. A CRL is typically
|
2225
|
-
# after a certificate is revoked. If
|
2226
|
-
#
|
2227
|
-
#
|
2228
|
-
#
|
2229
|
-
#
|
2230
|
-
#
|
2231
|
-
#
|
2232
|
-
#
|
2233
|
-
#
|
2234
|
-
#
|
2266
|
+
# Revokes a certificate that was issued inside Amazon Web Services
|
2267
|
+
# Private CA. If you enable a certificate revocation list (CRL) when you
|
2268
|
+
# create or update your private CA, information about the revoked
|
2269
|
+
# certificates will be included in the CRL. Amazon Web Services Private
|
2270
|
+
# CA writes the CRL to an S3 bucket that you specify. A CRL is typically
|
2271
|
+
# updated approximately 30 minutes after a certificate is revoked. If
|
2272
|
+
# for any reason the CRL update fails, Amazon Web Services Private CA
|
2273
|
+
# attempts makes further attempts every 15 minutes. With Amazon
|
2274
|
+
# CloudWatch, you can create alarms for the metrics `CRLGenerated` and
|
2275
|
+
# `MisconfiguredCRLBucket`. For more information, see [Supported
|
2276
|
+
# CloudWatch Metrics][1].
|
2277
|
+
#
|
2278
|
+
# <note markdown="1"> Both Amazon Web Services Private CA and the IAM principal must have
|
2279
|
+
# permission to write to the S3 bucket that you specify. If the IAM
|
2280
|
+
# principal making the call does not have permission to write to the
|
2281
|
+
# bucket, then an exception is thrown. For more information, see [Access
|
2282
|
+
# policies for CRLs in Amazon S3][2].
|
2235
2283
|
#
|
2236
2284
|
# </note>
|
2237
2285
|
#
|
2238
|
-
#
|
2239
|
-
# For more information, see
|
2286
|
+
# Amazon Web Services Private CA also writes revocation information to
|
2287
|
+
# the audit report. For more information, see
|
2288
|
+
# [CreateCertificateAuthorityAuditReport][3].
|
2240
2289
|
#
|
2241
2290
|
# <note markdown="1"> You cannot revoke a root CA self-signed certificate.
|
2242
2291
|
#
|
@@ -2244,9 +2293,9 @@ module Aws::ACMPCA
|
|
2244
2293
|
#
|
2245
2294
|
#
|
2246
2295
|
#
|
2247
|
-
# [1]: https://docs.aws.amazon.com/
|
2248
|
-
# [2]: https://docs.aws.amazon.com/
|
2249
|
-
# [3]: https://docs.aws.amazon.com/
|
2296
|
+
# [1]: https://docs.aws.amazon.com/privateca/latest/userguide/PcaCloudWatch.html
|
2297
|
+
# [2]: https://docs.aws.amazon.com/privateca/latest/userguide/crl-planning.html#s3-policies
|
2298
|
+
# [3]: https://docs.aws.amazon.com/privateca/latest/APIReference/API_CreateCertificateAuthorityAuditReport.html
|
2250
2299
|
#
|
2251
2300
|
# @option params [required, String] :certificate_authority_arn
|
2252
2301
|
# Amazon Resource Name (ARN) of the private CA that issued the
|
@@ -2272,7 +2321,7 @@ module Aws::ACMPCA
|
|
2272
2321
|
#
|
2273
2322
|
#
|
2274
2323
|
#
|
2275
|
-
# [1]: https://docs.aws.amazon.com/
|
2324
|
+
# [1]: https://docs.aws.amazon.com/privateca/latest/APIReference/API_GetCertificate.html
|
2276
2325
|
# [2]: https://docs.aws.amazon.com/acm/latest/APIReference/API_DescribeCertificate.html
|
2277
2326
|
#
|
2278
2327
|
# @option params [required, String] :revocation_reason
|
@@ -2308,10 +2357,19 @@ module Aws::ACMPCA
|
|
2308
2357
|
# the [UntagCertificateAuthority][1] action. Call the [ListTags][2]
|
2309
2358
|
# action to see what tags are associated with your CA.
|
2310
2359
|
#
|
2360
|
+
# <note markdown="1"> To attach tags to a private CA during the creation procedure, a CA
|
2361
|
+
# administrator must first associate an inline IAM policy with the
|
2362
|
+
# `CreateCertificateAuthority` action and explicitly allow tagging. For
|
2363
|
+
# more information, see [Attaching tags to a CA at the time of
|
2364
|
+
# creation][3].
|
2365
|
+
#
|
2366
|
+
# </note>
|
2367
|
+
#
|
2311
2368
|
#
|
2312
2369
|
#
|
2313
|
-
# [1]: https://docs.aws.amazon.com/
|
2314
|
-
# [2]: https://docs.aws.amazon.com/
|
2370
|
+
# [1]: https://docs.aws.amazon.com/privateca/latest/APIReference/API_UntagCertificateAuthority.html
|
2371
|
+
# [2]: https://docs.aws.amazon.com/privateca/latest/APIReference/API_ListTags.html
|
2372
|
+
# [3]: https://docs.aws.amazon.com/privateca/latest/userguide/auth-InlinePolicies.html#policy-tag-ca
|
2315
2373
|
#
|
2316
2374
|
# @option params [required, String] :certificate_authority_arn
|
2317
2375
|
# The Amazon Resource Name (ARN) that was returned when you called
|
@@ -2322,7 +2380,7 @@ module Aws::ACMPCA
|
|
2322
2380
|
#
|
2323
2381
|
#
|
2324
2382
|
#
|
2325
|
-
# [1]: https://docs.aws.amazon.com/
|
2383
|
+
# [1]: https://docs.aws.amazon.com/privateca/latest/APIReference/API_CreateCertificateAuthority.html
|
2326
2384
|
#
|
2327
2385
|
# @option params [required, Array<Types::Tag>] :tags
|
2328
2386
|
# List of tags to be associated with the CA.
|
@@ -2360,8 +2418,8 @@ module Aws::ACMPCA
|
|
2360
2418
|
#
|
2361
2419
|
#
|
2362
2420
|
#
|
2363
|
-
# [1]: https://docs.aws.amazon.com/
|
2364
|
-
# [2]: https://docs.aws.amazon.com/
|
2421
|
+
# [1]: https://docs.aws.amazon.com/privateca/latest/APIReference/API_TagCertificateAuthority.html
|
2422
|
+
# [2]: https://docs.aws.amazon.com/privateca/latest/APIReference/API_ListTags.html
|
2365
2423
|
#
|
2366
2424
|
# @option params [required, String] :certificate_authority_arn
|
2367
2425
|
# The Amazon Resource Name (ARN) that was returned when you called
|
@@ -2372,7 +2430,7 @@ module Aws::ACMPCA
|
|
2372
2430
|
#
|
2373
2431
|
#
|
2374
2432
|
#
|
2375
|
-
# [1]: https://docs.aws.amazon.com/
|
2433
|
+
# [1]: https://docs.aws.amazon.com/privateca/latest/APIReference/API_CreateCertificateAuthority.html
|
2376
2434
|
#
|
2377
2435
|
# @option params [required, Array<Types::Tag>] :tags
|
2378
2436
|
# List of tags to be removed from the CA.
|
@@ -2406,16 +2464,17 @@ module Aws::ACMPCA
|
|
2406
2464
|
# `ACTIVE` state or make a CA that is in the `DISABLED` state active
|
2407
2465
|
# again.
|
2408
2466
|
#
|
2409
|
-
# <note markdown="1"> Both
|
2410
|
-
# bucket that you specify. If the IAM
|
2411
|
-
# have permission to write to the
|
2412
|
-
# For more information, see [Access
|
2467
|
+
# <note markdown="1"> Both Amazon Web Services Private CA and the IAM principal must have
|
2468
|
+
# permission to write to the S3 bucket that you specify. If the IAM
|
2469
|
+
# principal making the call does not have permission to write to the
|
2470
|
+
# bucket, then an exception is thrown. For more information, see [Access
|
2471
|
+
# policies for CRLs in Amazon S3][1].
|
2413
2472
|
#
|
2414
2473
|
# </note>
|
2415
2474
|
#
|
2416
2475
|
#
|
2417
2476
|
#
|
2418
|
-
# [1]: https://docs.aws.amazon.com/
|
2477
|
+
# [1]: https://docs.aws.amazon.com/privateca/latest/userguide/crl-planning.html#s3-policies
|
2419
2478
|
#
|
2420
2479
|
# @option params [required, String] :certificate_authority_arn
|
2421
2480
|
# Amazon Resource Name (ARN) of the private CA that issued the
|
@@ -2431,10 +2490,30 @@ module Aws::ACMPCA
|
|
2431
2490
|
# existing capibilites remain unchanged. For more information, see the
|
2432
2491
|
# [OcspConfiguration][1] and [CrlConfiguration][2] types.
|
2433
2492
|
#
|
2493
|
+
# <note markdown="1"> The following requirements apply to revocation configurations.
|
2494
|
+
#
|
2495
|
+
# * A configuration disabling CRLs or OCSP must contain only the
|
2496
|
+
# `Enabled=False` parameter, and will fail if other parameters such as
|
2497
|
+
# `CustomCname` or `ExpirationInDays` are included.
|
2498
|
+
#
|
2499
|
+
# * In a CRL configuration, the `S3BucketName` parameter must conform to
|
2500
|
+
# [Amazon S3 bucket naming rules][3].
|
2501
|
+
#
|
2502
|
+
# * A configuration containing a custom Canonical Name (CNAME) parameter
|
2503
|
+
# for CRLs or OCSP must conform to [RFC2396][4] restrictions on the
|
2504
|
+
# use of special characters in a CNAME.
|
2505
|
+
#
|
2506
|
+
# * In a CRL or OCSP configuration, the value of a CNAME parameter must
|
2507
|
+
# not include a protocol prefix such as "http://" or "https://".
|
2508
|
+
#
|
2509
|
+
# </note>
|
2510
|
+
#
|
2434
2511
|
#
|
2435
2512
|
#
|
2436
|
-
# [1]: https://docs.aws.amazon.com/
|
2437
|
-
# [2]: https://docs.aws.amazon.com/
|
2513
|
+
# [1]: https://docs.aws.amazon.com/privateca/latest/APIReference/API_OcspConfiguration.html
|
2514
|
+
# [2]: https://docs.aws.amazon.com/privateca/latest/APIReference/API_CrlConfiguration.html
|
2515
|
+
# [3]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucketnamingrules.html
|
2516
|
+
# [4]: https://www.ietf.org/rfc/rfc2396.txt
|
2438
2517
|
#
|
2439
2518
|
# @option params [String] :status
|
2440
2519
|
# Status of your private CA.
|
@@ -2449,13 +2528,13 @@ module Aws::ACMPCA
|
|
2449
2528
|
# crl_configuration: {
|
2450
2529
|
# enabled: false, # required
|
2451
2530
|
# expiration_in_days: 1,
|
2452
|
-
# custom_cname: "
|
2453
|
-
# s3_bucket_name: "
|
2531
|
+
# custom_cname: "CnameString",
|
2532
|
+
# s3_bucket_name: "S3BucketName3To255",
|
2454
2533
|
# s3_object_acl: "PUBLIC_READ", # accepts PUBLIC_READ, BUCKET_OWNER_FULL_CONTROL
|
2455
2534
|
# },
|
2456
2535
|
# ocsp_configuration: {
|
2457
2536
|
# enabled: false, # required
|
2458
|
-
# ocsp_custom_cname: "
|
2537
|
+
# ocsp_custom_cname: "CnameString",
|
2459
2538
|
# },
|
2460
2539
|
# },
|
2461
2540
|
# status: "CREATING", # accepts CREATING, PENDING_CERTIFICATE, ACTIVE, DELETED, DISABLED, EXPIRED, FAILED
|
@@ -2483,7 +2562,7 @@ module Aws::ACMPCA
|
|
2483
2562
|
params: params,
|
2484
2563
|
config: config)
|
2485
2564
|
context[:gem_name] = 'aws-sdk-acmpca'
|
2486
|
-
context[:gem_version] = '1.
|
2565
|
+
context[:gem_version] = '1.52.0'
|
2487
2566
|
Seahorse::Client::Request.new(handlers, context)
|
2488
2567
|
end
|
2489
2568
|
|