aws-sdk-acmpca 1.17.0 → 1.18.0
- checksums.yaml +4 -4
- data/lib/aws-sdk-acmpca.rb +1 -1
- data/lib/aws-sdk-acmpca/client.rb +208 -152
- data/lib/aws-sdk-acmpca/client_api.rb +9 -1
- data/lib/aws-sdk-acmpca/errors.rb +16 -0
- data/lib/aws-sdk-acmpca/types.rb +127 -69
- metadata +2 -2
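--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 040d9eb30d98a3af7dcda6f131c91a9da812962e
+data.tar.gz: 6547e6a03786399ad10383bf887b21f7a9783747
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: b7ec58a76fa84ab3d6538b32c5a053bbcf85a895194c7c3f23031bbf112cd42745fc8809e2e19c3e82856f45017391b904950cd7b0189e1709916684b118df39
+data.tar.gz: 6d0b23fa739b744e5f17ec2b1a5c24a15fb9817f744a48050b968e654f4bae2a9ec92540091f626abc73a6bf10bc97455e12c0a5fb3cae9be924dfac16723116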
data/lib/aws-sdk-acmpca.rb
CHANGED
@@ -264,17 +264,18 @@ module Aws::ACMPCA
|
|
264
264
|
|
265
265
|
# @!group API Operations
|
266
266
|
|
267
|
-
# Creates a
|
268
|
-
# specify the CA configuration, the revocation
|
269
|
-
# type, and an optional idempotency token
|
267
|
+
# Creates a root or subordinate private certificate authority (CA). You
|
268
|
+
# must specify the CA configuration, the certificate revocation list
|
269
|
+
# (CRL) configuration, the CA type, and an optional idempotency token to
|
270
|
+
# avoid accidental creation of multiple CAs. The CA configuration
|
270
271
|
# specifies the name of the algorithm and key size to be used to create
|
271
|
-
# the CA private key, the type of signing algorithm that the CA uses
|
272
|
-
#
|
273
|
-
#
|
274
|
-
#
|
275
|
-
#
|
276
|
-
#
|
277
|
-
#
|
272
|
+
# the CA private key, the type of signing algorithm that the CA uses,
|
273
|
+
# and X.500 subject information. The CRL configuration specifies the CRL
|
274
|
+
# expiration period in days (the validity period of the CRL), the Amazon
|
275
|
+
# S3 bucket that will contain the CRL, and a CNAME alias for the S3
|
276
|
+
# bucket that is included in certificates issued by the CA. If
|
277
|
+
# successful, this action returns the Amazon Resource Name (ARN) of the
|
278
|
+
# CA.
|
278
279
|
#
|
279
280
|
# @option params [required, Types::CertificateAuthorityConfiguration] :certificate_authority_configuration
|
280
281
|
# Name and bit size of the private key algorithm, the name of the
|
@@ -283,28 +284,34 @@ module Aws::ACMPCA
|
|
283
284
|
# @option params [Types::RevocationConfiguration] :revocation_configuration
|
284
285
|
# Contains a Boolean value that you can use to enable a certification
|
285
286
|
# revocation list (CRL) for the CA, the name of the S3 bucket to which
|
286
|
-
# ACM
|
287
|
-
# use to hide the name of your bucket in the **CRL Distribution
|
288
|
-
# extension of your CA certificate. For more information, see
|
289
|
-
# CrlConfiguration structure.
|
287
|
+
# ACM Private CA will write the CRL, and an optional CNAME alias that
|
288
|
+
# you can use to hide the name of your bucket in the **CRL Distribution
|
289
|
+
# Points** extension of your CA certificate. For more information, see
|
290
|
+
# the CrlConfiguration structure.
|
290
291
|
#
|
291
292
|
# @option params [required, String] :certificate_authority_type
|
292
|
-
# The type of the certificate authority.
|
293
|
-
# **SUBORDINATE**.
|
293
|
+
# The type of the certificate authority.
|
294
294
|
#
|
295
295
|
# @option params [String] :idempotency_token
|
296
296
|
# Alphanumeric string that can be used to distinguish between calls to
|
297
297
|
# **CreateCertificateAuthority**. Idempotency tokens time out after five
|
298
298
|
# minutes. Therefore, if you call **CreateCertificateAuthority**
|
299
299
|
# multiple times with the same idempotency token within a five minute
|
300
|
-
# period, ACM
|
301
|
-
# certificate. As a result, ACM
|
302
|
-
# idempotency token for each call, however, ACM
|
303
|
-
# are requesting multiple certificates.
|
300
|
+
# period, ACM Private CA recognizes that you are requesting only one
|
301
|
+
# certificate. As a result, ACM Private CA issues only one. If you
|
302
|
+
# change the idempotency token for each call, however, ACM Private CA
|
303
|
+
# recognizes that you are requesting multiple certificates.
|
304
304
|
#
|
305
305
|
# @option params [Array<Types::Tag>] :tags
|
306
306
|
# Key-value pairs that will be attached to the new private CA. You can
|
307
|
-
# associate up to 50 tags with a private CA.
|
307
|
+
# associate up to 50 tags with a private CA. For information using tags
|
308
|
+
# with
|
309
|
+
#
|
310
|
+
# IAM to manage permissions, see [Controlling Access Using IAM Tags][1].
|
311
|
+
#
|
312
|
+
#
|
313
|
+
#
|
314
|
+
# [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_iam-tags.html
|
308
315
|
#
|
309
316
|
# @return [Types::CreateCertificateAuthorityResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
|
310
317
|
#
|
@@ -341,7 +348,7 @@ module Aws::ACMPCA
|
|
341
348
|
# s3_bucket_name: "String3To255",
|
342
349
|
# },
|
343
350
|
# },
|
344
|
-
# certificate_authority_type: "
|
351
|
+
# certificate_authority_type: "ROOT", # required, accepts ROOT, SUBORDINATE
|
345
352
|
# idempotency_token: "IdempotencyToken",
|
346
353
|
# tags: [
|
347
354
|
# {
|
@@ -366,8 +373,8 @@ module Aws::ACMPCA
|
|
366
373
|
|
367
374
|
# Creates an audit report that lists every time that your CA private key
|
368
375
|
# is used. The report is saved in the Amazon S3 bucket that you specify
|
369
|
-
# on input. The IssueCertificate and RevokeCertificate
|
370
|
-
#
|
376
|
+
# on input. The IssueCertificate and RevokeCertificate actions use the
|
377
|
+
# private key.
|
371
378
|
#
|
372
379
|
# @option params [required, String] :certificate_authority_arn
|
373
380
|
# The Amazon Resource Name (ARN) of the CA to be audited. This is of the
|
@@ -420,13 +427,12 @@ module Aws::ACMPCA
|
|
420
427
|
#
|
421
428
|
# At this time, you can only assign permissions to ACM
|
422
429
|
# (`acm.amazonaws.com`). Permissions can be revoked with the
|
423
|
-
# DeletePermission
|
424
|
-
# operation.
|
430
|
+
# DeletePermission action and listed with the ListPermissions action.
|
425
431
|
#
|
426
432
|
# @option params [required, String] :certificate_authority_arn
|
427
433
|
# The Amazon Resource Name (ARN) of the CA that grants the permissions.
|
428
|
-
# You can find the ARN by calling the ListCertificateAuthorities
|
429
|
-
#
|
434
|
+
# You can find the ARN by calling the ListCertificateAuthorities action.
|
435
|
+
# This must have the following form:
|
430
436
|
#
|
431
437
|
# `arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012
|
432
438
|
# `.
|
@@ -462,29 +468,34 @@ module Aws::ACMPCA
|
|
462
468
|
req.send_request(options)
|
463
469
|
end
|
464
470
|
|
465
|
-
# Deletes a private certificate authority (CA). You must provide the
|
466
|
-
#
|
467
|
-
# can find the ARN by calling the ListCertificateAuthorities
|
468
|
-
#
|
469
|
-
#
|
470
|
-
#
|
471
|
+
# Deletes a private certificate authority (CA). You must provide the
|
472
|
+
# Amazon Resource Name (ARN) of the private CA that you want to delete.
|
473
|
+
# You can find the ARN by calling the ListCertificateAuthorities action.
|
474
|
+
#
|
475
|
+
# <note markdown="1"> Deleting a CA will invalidate other CAs and certificates below it in
|
476
|
+
# your CA hierarchy.
|
477
|
+
#
|
478
|
+
# </note>
|
479
|
+
#
|
480
|
+
# Before you can delete a CA that you have created and activated, you
|
481
|
+
# must disable it. To do this, call the UpdateCertificateAuthority
|
482
|
+
# action and set the **CertificateAuthorityStatus** parameter to
|
483
|
+
# `DISABLED`.
|
471
484
|
#
|
472
485
|
# Additionally, you can delete a CA if you are waiting for it to be
|
473
|
-
# created (the
|
474
|
-
#
|
475
|
-
#
|
476
|
-
# `PENDING_CERTIFICATE`)
|
477
|
-
#
|
478
|
-
#
|
479
|
-
#
|
480
|
-
#
|
481
|
-
#
|
482
|
-
#
|
483
|
-
#
|
484
|
-
#
|
485
|
-
#
|
486
|
-
# restore an eligible CA, call the RestoreCertificateAuthority
|
487
|
-
# operation.
|
486
|
+
# created (that is, the status of the CA is `CREATING`). You can also
|
487
|
+
# delete it if the CA has been created but you haven't yet imported the
|
488
|
+
# signed certificate into ACM Private CA (that is, the status of the CA
|
489
|
+
# is `PENDING_CERTIFICATE`).
|
490
|
+
#
|
491
|
+
# When you successfully call DeleteCertificateAuthority, the CA's
|
492
|
+
# status changes to `DELETED`. However, the CA won't be permanently
|
493
|
+
# deleted until the restoration period has passed. By default, if you do
|
494
|
+
# not set the `PermanentDeletionTimeInDays` parameter, the CA remains
|
495
|
+
# restorable for 30 days. You can set the parameter from 7 to 30 days.
|
496
|
+
# The DescribeCertificateAuthority action returns the time remaining in
|
497
|
+
# the restoration window of a private CA in the `DELETED` state. To
|
498
|
+
# restore an eligible CA, call the RestoreCertificateAuthority action.
|
488
499
|
#
|
489
500
|
# @option params [required, String] :certificate_authority_arn
|
490
501
|
# The Amazon Resource Name (ARN) that was returned when you called
|
@@ -516,14 +527,13 @@ module Aws::ACMPCA
|
|
516
527
|
end
|
517
528
|
|
518
529
|
# Revokes permissions that a private CA assigned to a designated AWS
|
519
|
-
# service. Permissions can be created with the CreatePermission
|
520
|
-
#
|
530
|
+
# service. Permissions can be created with the CreatePermission action
|
531
|
+
# and listed with the ListPermissions action.
|
521
532
|
#
|
522
533
|
# @option params [required, String] :certificate_authority_arn
|
523
534
|
# The Amazon Resource Number (ARN) of the private CA that issued the
|
524
535
|
# permissions. You can find the CA's ARN by calling the
|
525
|
-
# ListCertificateAuthorities
|
526
|
-
# form:
|
536
|
+
# ListCertificateAuthorities action. This must have the following form:
|
527
537
|
#
|
528
538
|
# `arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012
|
529
539
|
# `.
|
@@ -533,7 +543,7 @@ module Aws::ACMPCA
|
|
533
543
|
# At this time, the only valid service principal is `acm.amazonaws.com`
|
534
544
|
#
|
535
545
|
# @option params [String] :source_account
|
536
|
-
# The AWS account that calls this
|
546
|
+
# The AWS account that calls this action.
|
537
547
|
#
|
538
548
|
# @return [Struct] Returns an empty {Seahorse::Client::Response response}.
|
539
549
|
#
|
@@ -559,11 +569,12 @@ module Aws::ACMPCA
|
|
559
569
|
# output contains the status of your CA. This can be any of the
|
560
570
|
# following:
|
561
571
|
#
|
562
|
-
# * `CREATING` - ACM
|
572
|
+
# * `CREATING` - ACM Private CA is creating your private certificate
|
573
|
+
# authority.
|
563
574
|
#
|
564
575
|
# * `PENDING_CERTIFICATE` - The certificate is pending. You must use
|
565
|
-
# your on-premises root or subordinate CA to
|
566
|
-
# and then import it into PCA.
|
576
|
+
# your ACM Private CA-hosted or on-premises root or subordinate CA to
|
577
|
+
# sign your private CA CSR and then import it into PCA.
|
567
578
|
#
|
568
579
|
# * `ACTIVE` - Your private CA is active.
|
569
580
|
#
|
@@ -578,8 +589,7 @@ module Aws::ACMPCA
|
|
578
589
|
#
|
579
590
|
# * `DELETED` - Your private CA is within the restoration period, after
|
580
591
|
# which it is permanently deleted. The length of time remaining in the
|
581
|
-
# CA's restoration period is also included in this
|
582
|
-
# output.
|
592
|
+
# CA's restoration period is also included in this action's output.
|
583
593
|
#
|
584
594
|
# @option params [required, String] :certificate_authority_arn
|
585
595
|
# The Amazon Resource Name (ARN) that was returned when you called
|
@@ -603,7 +613,7 @@ module Aws::ACMPCA
|
|
603
613
|
# resp.certificate_authority.arn #=> String
|
604
614
|
# resp.certificate_authority.created_at #=> Time
|
605
615
|
# resp.certificate_authority.last_state_change_at #=> Time
|
606
|
-
# resp.certificate_authority.type #=> String, one of "SUBORDINATE"
|
616
|
+
# resp.certificate_authority.type #=> String, one of "ROOT", "SUBORDINATE"
|
607
617
|
# resp.certificate_authority.serial #=> String
|
608
618
|
# resp.certificate_authority.status #=> String, one of "CREATING", "PENDING_CERTIFICATE", "ACTIVE", "DELETED", "DISABLED", "EXPIRED", "FAILED"
|
609
619
|
# resp.certificate_authority.not_before #=> Time
|
@@ -641,10 +651,10 @@ module Aws::ACMPCA
|
|
641
651
|
end
|
642
652
|
|
643
653
|
# Lists information about a specific audit report created by calling the
|
644
|
-
# CreateCertificateAuthorityAuditReport
|
654
|
+
# CreateCertificateAuthorityAuditReport action. Audit information is
|
645
655
|
# created every time the certificate authority (CA) private key is used.
|
646
|
-
# The private key is used when you call the IssueCertificate
|
647
|
-
#
|
656
|
+
# The private key is used when you call the IssueCertificate action or
|
657
|
+
# the RevokeCertificate action.
|
648
658
|
#
|
649
659
|
# @option params [required, String] :certificate_authority_arn
|
650
660
|
# The Amazon Resource Name (ARN) of the private CA. This must be of the
|
@@ -655,7 +665,7 @@ module Aws::ACMPCA
|
|
655
665
|
#
|
656
666
|
# @option params [required, String] :audit_report_id
|
657
667
|
# The report ID returned by calling the
|
658
|
-
# CreateCertificateAuthorityAuditReport
|
668
|
+
# CreateCertificateAuthorityAuditReport action.
|
659
669
|
#
|
660
670
|
# @return [Types::DescribeCertificateAuthorityAuditReportResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
|
661
671
|
#
|
@@ -688,11 +698,11 @@ module Aws::ACMPCA
|
|
688
698
|
end
|
689
699
|
|
690
700
|
# Retrieves a certificate from your private CA. The ARN of the
|
691
|
-
# certificate is returned when you call the IssueCertificate
|
692
|
-
#
|
693
|
-
#
|
694
|
-
#
|
695
|
-
# call the CreateCertificateAuthorityAuditReport
|
701
|
+
# certificate is returned when you call the IssueCertificate action. You
|
702
|
+
# must specify both the ARN of your private CA and the ARN of the issued
|
703
|
+
# certificate when calling the **GetCertificate** action. You can
|
704
|
+
# retrieve the certificate if it is in the **ISSUED** state. You can
|
705
|
+
# call the CreateCertificateAuthorityAuditReport action to create a
|
696
706
|
# report that contains information about all of the certificates issued
|
697
707
|
# and revoked by your private CA.
|
698
708
|
#
|
@@ -775,15 +785,15 @@ module Aws::ACMPCA
|
|
775
785
|
|
776
786
|
# Retrieves the certificate signing request (CSR) for your private
|
777
787
|
# certificate authority (CA). The CSR is created when you call the
|
778
|
-
# CreateCertificateAuthority
|
779
|
-
#
|
780
|
-
#
|
781
|
-
#
|
782
|
-
#
|
788
|
+
# CreateCertificateAuthority action. Sign the CSR with your ACM Private
|
789
|
+
# CA-hosted or on-premises root or subordinate CA. Then import the
|
790
|
+
# signed certificate back into ACM Private CA by calling the
|
791
|
+
# ImportCertificateAuthorityCertificate action. The CSR is returned as a
|
792
|
+
# base64 PEM-encoded string.
|
783
793
|
#
|
784
794
|
# @option params [required, String] :certificate_authority_arn
|
785
795
|
# The Amazon Resource Name (ARN) that was returned when you called the
|
786
|
-
# CreateCertificateAuthority
|
796
|
+
# CreateCertificateAuthority action. This must be of the form:
|
787
797
|
#
|
788
798
|
# `arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012
|
789
799
|
# `
|
@@ -811,31 +821,42 @@ module Aws::ACMPCA
|
|
811
821
|
req.send_request(options)
|
812
822
|
end
|
813
823
|
|
814
|
-
# Imports
|
815
|
-
#
|
816
|
-
#
|
817
|
-
#
|
818
|
-
# GetCertificateAuthorityCsr operation. Take the CSR to your on-premises
|
819
|
-
# CA and use the root certificate or a subordinate certificate to sign
|
820
|
-
# it. Create a certificate chain and copy the signed certificate and the
|
821
|
-
# certificate chain to your working directory.
|
822
|
-
#
|
823
|
-
# <note markdown="1"> Your certificate chain must not include the private CA certificate
|
824
|
-
# that you are importing.
|
824
|
+
# Imports a signed private CA certificate into ACM Private CA. This
|
825
|
+
# action is used when you are using a chain of trust whose root is
|
826
|
+
# located outside ACM Private CA. Before you can call this action, the
|
827
|
+
# following preparations must in place:
|
825
828
|
#
|
826
|
-
#
|
829
|
+
# 1. In ACM Private CA, call the CreateCertificateAuthority action to
|
830
|
+
# create the private CA that that you plan to back with the imported
|
831
|
+
# certificate.
|
827
832
|
#
|
828
|
-
#
|
829
|
-
#
|
830
|
-
# must be next to last. The subordinate certificate signed by the
|
831
|
-
# preceding subordinate CA must come next, and so on until your chain is
|
832
|
-
# built.
|
833
|
+
# 2. Call the GetCertificateAuthorityCsr action to generate a
|
834
|
+
# certificate signing request (CSR).
|
833
835
|
#
|
834
|
-
#
|
836
|
+
# 3. Sign the CSR using a root or intermediate CA hosted either by an
|
837
|
+
# on-premises PKI hierarchy or a commercial CA..
|
835
838
|
#
|
836
|
-
#
|
839
|
+
# 4. Create a certificate chain and copy the signed certificate and the
|
840
|
+
# certificate chain to your working directory.
|
837
841
|
#
|
838
|
-
#
|
842
|
+
# The following requirements apply when you import a CA certificate.
|
843
|
+
#
|
844
|
+
# * You cannot import a non-self-signed certificate for use as a root
|
845
|
+
# CA.
|
846
|
+
#
|
847
|
+
# * You cannot import a self-signed certificate for use as a subordinate
|
848
|
+
# CA.
|
849
|
+
#
|
850
|
+
# * Your certificate chain must not include the private CA certificate
|
851
|
+
# that you are importing.
|
852
|
+
#
|
853
|
+
# * Your ACM Private CA-hosted or on-premises CA certificate must be the
|
854
|
+
# last certificate in your chain. The subordinate certificate, if any,
|
855
|
+
# that your root CA signed must be next to last. The subordinate
|
856
|
+
# certificate signed by the preceding subordinate CA must come next,
|
857
|
+
# and so on until your chain is built.
|
858
|
+
#
|
859
|
+
# * The chain must be PEM-encoded.
|
839
860
|
#
|
840
861
|
# @option params [required, String] :certificate_authority_arn
|
841
862
|
# The Amazon Resource Name (ARN) that was returned when you called
|
@@ -845,14 +866,18 @@ module Aws::ACMPCA
|
|
845
866
|
# `
|
846
867
|
#
|
847
868
|
# @option params [required, String, IO] :certificate
|
848
|
-
# The PEM-encoded certificate for
|
849
|
-
#
|
869
|
+
# The PEM-encoded certificate for a private CA. This may be a
|
870
|
+
# self-signed certificate in the case of a root CA, or it may be signed
|
871
|
+
# by another CA that you control.
|
850
872
|
#
|
851
|
-
# @option params [
|
873
|
+
# @option params [String, IO] :certificate_chain
|
852
874
|
# A PEM-encoded file that contains all of your certificates, other than
|
853
875
|
# the certificate you're importing, chaining up to your root CA. Your
|
854
|
-
# on-premises root certificate is the last in
|
855
|
-
# certificate in the chain signs the one preceding.
|
876
|
+
# ACM Private CA-hosted or on-premises root certificate is the last in
|
877
|
+
# the chain, and each certificate in the chain signs the one preceding.
|
878
|
+
#
|
879
|
+
# This parameter must be supplied when you import a subordinate CA. When
|
880
|
+
# you import a root CA, there is no chain.
|
856
881
|
#
|
857
882
|
# @return [Struct] Returns an empty {Seahorse::Client::Response response}.
|
858
883
|
#
|
@@ -861,7 +886,7 @@ module Aws::ACMPCA
|
|
861
886
|
# resp = client.import_certificate_authority_certificate({
|
862
887
|
# certificate_authority_arn: "Arn", # required
|
863
888
|
# certificate: "data", # required
|
864
|
-
# certificate_chain: "data",
|
889
|
+
# certificate_chain: "data",
|
865
890
|
# })
|
866
891
|
#
|
867
892
|
# @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/ImportCertificateAuthorityCertificate AWS API Documentation
|
@@ -874,12 +899,13 @@ module Aws::ACMPCA
|
|
874
899
|
end
|
875
900
|
|
876
901
|
# Uses your private certificate authority (CA) to issue a client
|
877
|
-
# certificate. This
|
878
|
-
#
|
879
|
-
# GetCertificate
|
902
|
+
# certificate. This action returns the Amazon Resource Name (ARN) of the
|
903
|
+
# certificate. You can retrieve the certificate by calling the
|
904
|
+
# GetCertificate action and specifying the ARN.
|
880
905
|
#
|
881
|
-
# <note markdown="1"> You cannot use the ACM **ListCertificateAuthorities**
|
882
|
-
# retrieve the ARNs of the certificates that you issue by using ACM
|
906
|
+
# <note markdown="1"> You cannot use the ACM **ListCertificateAuthorities** action to
|
907
|
+
# retrieve the ARNs of the certificates that you issue by using ACM
|
908
|
+
# Private CA.
|
883
909
|
#
|
884
910
|
# </note>
|
885
911
|
#
|
@@ -910,16 +936,42 @@ module Aws::ACMPCA
|
|
910
936
|
# The name of the algorithm that will be used to sign the certificate to
|
911
937
|
# be issued.
|
912
938
|
#
|
939
|
+
# @option params [String] :template_arn
|
940
|
+
# Specifies a custom configuration template to use when issuing a
|
941
|
+
# certificate. If this parameter is not provided, ACM Private CA
|
942
|
+
# defaults to the `EndEntityCertificate/V1` template.
|
943
|
+
#
|
944
|
+
# The following service-owned `TemplateArn` values are supported by ACM
|
945
|
+
# Private CA:
|
946
|
+
#
|
947
|
+
# * arn:aws:acm-pca:::template/EndEntityCertificate/V1
|
948
|
+
#
|
949
|
+
# * arn:aws:acm-pca:::template/SubordinateCACertificate\_PathLen0/V1
|
950
|
+
#
|
951
|
+
# * arn:aws:acm-pca:::template/SubordinateCACertificate\_PathLen1/V1
|
952
|
+
#
|
953
|
+
# * arn:aws:acm-pca:::template/SubordinateCACertificate\_PathLen2/V1
|
954
|
+
#
|
955
|
+
# * arn:aws:acm-pca:::template/SubordinateCACertificate\_PathLen3/V1
|
956
|
+
#
|
957
|
+
# * arn:aws:acm-pca:::template/RootCACertificate/V1
|
958
|
+
#
|
959
|
+
# For more information, see [Using Templates][1].
|
960
|
+
#
|
961
|
+
#
|
962
|
+
#
|
963
|
+
# [1]: https://docs.aws.amazon.com/acm-pca/latest/userguide/UsingTemplates.html
|
964
|
+
#
|
913
965
|
# @option params [required, Types::Validity] :validity
|
914
966
|
# The type of the validity period.
|
915
967
|
#
|
916
968
|
# @option params [String] :idempotency_token
|
917
969
|
# Custom string that can be used to distinguish between calls to the
|
918
|
-
# **IssueCertificate**
|
970
|
+
# **IssueCertificate** action. Idempotency tokens time out after one
|
919
971
|
# hour. Therefore, if you call **IssueCertificate** multiple times with
|
920
|
-
# the same idempotency token within 5 minutes, ACM
|
921
|
-
# you are requesting only one certificate and will issue only one.
|
922
|
-
# you change the idempotency token for each call, PCA recognizes that
|
972
|
+
# the same idempotency token within 5 minutes, ACM Private CA recognizes
|
973
|
+
# that you are requesting only one certificate and will issue only one.
|
974
|
+
# If you change the idempotency token for each call, PCA recognizes that
|
923
975
|
# you are requesting multiple certificates.
|
924
976
|
#
|
925
977
|
# @return [Types::IssueCertificateResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
|
@@ -932,6 +984,7 @@ module Aws::ACMPCA
|
|
932
984
|
# certificate_authority_arn: "Arn", # required
|
933
985
|
# csr: "data", # required
|
934
986
|
# signing_algorithm: "SHA256WITHECDSA", # required, accepts SHA256WITHECDSA, SHA384WITHECDSA, SHA512WITHECDSA, SHA256WITHRSA, SHA384WITHRSA, SHA512WITHRSA
|
987
|
+
# template_arn: "Arn",
|
935
988
|
# validity: { # required
|
936
989
|
# value: 1, # required
|
937
990
|
# type: "END_DATE", # required, accepts END_DATE, ABSOLUTE, DAYS, MONTHS, YEARS
|
@@ -953,7 +1006,7 @@ module Aws::ACMPCA
|
|
953
1006
|
end
|
954
1007
|
|
955
1008
|
# Lists the private certificate authorities that you created by using
|
956
|
-
# the CreateCertificateAuthority
|
1009
|
+
# the CreateCertificateAuthority action.
|
957
1010
|
#
|
958
1011
|
# @option params [String] :next_token
|
959
1012
|
# Use this parameter when paginating results in a subsequent request
|
@@ -986,7 +1039,7 @@ module Aws::ACMPCA
|
|
986
1039
|
# resp.certificate_authorities[0].arn #=> String
|
987
1040
|
# resp.certificate_authorities[0].created_at #=> Time
|
988
1041
|
# resp.certificate_authorities[0].last_state_change_at #=> Time
|
989
|
-
# resp.certificate_authorities[0].type #=> String, one of "SUBORDINATE"
|
1042
|
+
# resp.certificate_authorities[0].type #=> String, one of "ROOT", "SUBORDINATE"
|
990
1043
|
# resp.certificate_authorities[0].serial #=> String
|
991
1044
|
# resp.certificate_authorities[0].status #=> String, one of "CREATING", "PENDING_CERTIFICATE", "ACTIVE", "DELETED", "DISABLED", "EXPIRED", "FAILED"
|
992
1045
|
# resp.certificate_authorities[0].not_before #=> Time
|
@@ -1026,15 +1079,15 @@ module Aws::ACMPCA
|
|
1026
1079
|
|
1027
1080
|
# Lists all the permissions, if any, that have been assigned by a
|
1028
1081
|
# private CA. Permissions can be granted with the CreatePermission
|
1029
|
-
#
|
1082
|
+
# action and revoked with the DeletePermission action.
|
1030
1083
|
#
|
1031
1084
|
# @option params [required, String] :certificate_authority_arn
|
1032
1085
|
# The Amazon Resource Number (ARN) of the private CA to inspect. You can
|
1033
|
-
# find the ARN by calling the ListCertificateAuthorities
|
1086
|
+
# find the ARN by calling the ListCertificateAuthorities action. This
|
1034
1087
|
# must be of the form:
|
1035
1088
|
# `arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012`
|
1036
1089
|
# You can get a private CA's ARN by running the
|
1037
|
-
# ListCertificateAuthorities
|
1090
|
+
# ListCertificateAuthorities action.
|
1038
1091
|
#
|
1039
1092
|
# @option params [String] :next_token
|
1040
1093
|
# When paginating results, use this parameter in a subsequent request
|
@@ -1085,12 +1138,12 @@ module Aws::ACMPCA
|
|
1085
1138
|
# Lists the tags, if any, that are associated with your private CA. Tags
|
1086
1139
|
# are labels that you can use to identify and organize your CAs. Each
|
1087
1140
|
# tag consists of a key and an optional value. Call the
|
1088
|
-
# TagCertificateAuthority
|
1089
|
-
# Call the UntagCertificateAuthority
|
1141
|
+
# TagCertificateAuthority action to add one or more tags to your CA.
|
1142
|
+
# Call the UntagCertificateAuthority action to remove tags.
|
1090
1143
|
#
|
1091
1144
|
# @option params [required, String] :certificate_authority_arn
|
1092
1145
|
# The Amazon Resource Name (ARN) that was returned when you called the
|
1093
|
-
# CreateCertificateAuthority
|
1146
|
+
# CreateCertificateAuthority action. This must be of the form:
|
1094
1147
|
#
|
1095
1148
|
# `arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012
|
1096
1149
|
# `
|
@@ -1139,24 +1192,23 @@ module Aws::ACMPCA
|
|
1139
1192
|
# Restores a certificate authority (CA) that is in the `DELETED` state.
|
1140
1193
|
# You can restore a CA during the period that you defined in the
|
1141
1194
|
# **PermanentDeletionTimeInDays** parameter of the
|
1142
|
-
# DeleteCertificateAuthority
|
1143
|
-
#
|
1144
|
-
#
|
1145
|
-
#
|
1146
|
-
#
|
1147
|
-
#
|
1148
|
-
#
|
1149
|
-
#
|
1150
|
-
#
|
1151
|
-
#
|
1152
|
-
#
|
1153
|
-
#
|
1154
|
-
#
|
1155
|
-
# ended.
|
1195
|
+
# DeleteCertificateAuthority action. Currently, you can specify 7 to 30
|
1196
|
+
# days. If you did not specify a **PermanentDeletionTimeInDays** value,
|
1197
|
+
# by default you can restore the CA at any time in a 30 day period. You
|
1198
|
+
# can check the time remaining in the restoration period of a private CA
|
1199
|
+
# in the `DELETED` state by calling the DescribeCertificateAuthority or
|
1200
|
+
# ListCertificateAuthorities actions. The status of a restored CA is set
|
1201
|
+
# to its pre-deletion status when the **RestoreCertificateAuthority**
|
1202
|
+
# action returns. To change its status to `ACTIVE`, call the
|
1203
|
+
# UpdateCertificateAuthority action. If the private CA was in the
|
1204
|
+
# `PENDING_CERTIFICATE` state at deletion, you must use the
|
1205
|
+
# ImportCertificateAuthorityCertificate action to import a certificate
|
1206
|
+
# authority into the private CA before it can be activated. You cannot
|
1207
|
+
# restore a CA after the restoration period has ended.
|
1156
1208
|
#
|
1157
1209
|
# @option params [required, String] :certificate_authority_arn
|
1158
1210
|
# The Amazon Resource Name (ARN) that was returned when you called the
|
1159
|
-
# CreateCertificateAuthority
|
1211
|
+
# CreateCertificateAuthority action. This must be of the form:
|
1160
1212
|
#
|
1161
1213
|
# `arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012
|
1162
1214
|
# `
|
@@ -1178,15 +1230,19 @@ module Aws::ACMPCA
|
|
1178
1230
|
req.send_request(options)
|
1179
1231
|
end
|
1180
1232
|
|
1181
|
-
# Revokes a certificate that
|
1182
|
-
#
|
1183
|
-
#
|
1184
|
-
#
|
1185
|
-
#
|
1186
|
-
#
|
1233
|
+
# Revokes a certificate that was issued inside ACM Private CA. If you
|
1234
|
+
# enable a certificate revocation list (CRL) when you create or update
|
1235
|
+
# your private CA, information about the revoked certificates will be
|
1236
|
+
# included in the CRL. ACM Private CA writes the CRL to an S3 bucket
|
1237
|
+
# that you specify. For more information about revocation, see the
|
1238
|
+
# CrlConfiguration structure. ACM Private CA also writes revocation
|
1187
1239
|
# information to the audit report. For more information, see
|
1188
1240
|
# CreateCertificateAuthorityAuditReport.
|
1189
1241
|
#
|
1242
|
+
# <note markdown="1"> You cannot revoke a root CA self-signed certificate.
|
1243
|
+
#
|
1244
|
+
# </note>
|
1245
|
+
#
|
1190
1246
|
# @option params [required, String] :certificate_authority_arn
|
1191
1247
|
# Amazon Resource Name (ARN) of the private CA that issued the
|
1192
1248
|
# certificate to be revoked. This must be of the form:
|
@@ -1198,15 +1254,15 @@ module Aws::ACMPCA
|
|
1198
1254
|
# Serial number of the certificate to be revoked. This must be in
|
1199
1255
|
# hexadecimal format. You can retrieve the serial number by calling
|
1200
1256
|
# GetCertificate with the Amazon Resource Name (ARN) of the certificate
|
1201
|
-
# you want and the ARN of your private CA. The **GetCertificate**
|
1202
|
-
#
|
1203
|
-
#
|
1204
|
-
#
|
1257
|
+
# you want and the ARN of your private CA. The **GetCertificate** action
|
1258
|
+
# retrieves the certificate in the PEM format. You can use the following
|
1259
|
+
# OpenSSL command to list the certificate in text format and copy the
|
1260
|
+
# hexadecimal serial number.
|
1205
1261
|
#
|
1206
1262
|
# `openssl x509 -in file_path -text -noout`
|
1207
1263
|
#
|
1208
1264
|
# You can also copy the serial number from the console or use the
|
1209
|
-
# [DescribeCertificate][1]
|
1265
|
+
# [DescribeCertificate][1] action in the *AWS Certificate Manager API
|
1210
1266
|
# Reference*.
|
1211
1267
|
#
|
1212
1268
|
#
|
@@ -1243,8 +1299,8 @@ module Aws::ACMPCA
|
|
1243
1299
|
# to identify a specific characteristic of that CA, or you can apply the
|
1244
1300
|
# same tag to multiple private CAs if you want to filter for a common
|
1245
1301
|
# relationship among those CAs. To remove one or more tags, use the
|
1246
|
-
# UntagCertificateAuthority
|
1247
|
-
#
|
1302
|
+
# UntagCertificateAuthority action. Call the ListTags action to see what
|
1303
|
+
# tags are associated with your CA.
|
1248
1304
|
#
|
1249
1305
|
# @option params [required, String] :certificate_authority_arn
|
1250
1306
|
# The Amazon Resource Name (ARN) that was returned when you called
|
@@ -1281,11 +1337,11 @@ module Aws::ACMPCA
|
|
1281
1337
|
|
1282
1338
|
# Remove one or more tags from your private CA. A tag consists of a
|
1283
1339
|
# key-value pair. If you do not specify the value portion of the tag
|
1284
|
-
# when calling this
|
1285
|
-
#
|
1286
|
-
#
|
1287
|
-
#
|
1288
|
-
#
|
1340
|
+
# when calling this action, the tag will be removed regardless of value.
|
1341
|
+
# If you specify a value, the tag is removed only if it is associated
|
1342
|
+
# with the specified value. To add tags to a private CA, use the
|
1343
|
+
# TagCertificateAuthority. Call the ListTags action to see what tags are
|
1344
|
+
# associated with your CA.
|
1289
1345
|
#
|
1290
1346
|
# @option params [required, String] :certificate_authority_arn
|
1291
1347
|
# The Amazon Resource Name (ARN) that was returned when you called
|
@@ -1378,7 +1434,7 @@ module Aws::ACMPCA
|
|
1378
1434
|
params: params,
|
1379
1435
|
config: config)
|
1380
1436
|
context[:gem_name] = 'aws-sdk-acmpca'
|
1381
|
-
context[:gem_version] = '1.
|
1437
|
+
context[:gem_version] = '1.18.0'
|
1382
1438
|
Seahorse::Client::Request.new(handlers, context)
|
1383
1439
|
end
|
1384
1440
|
|
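--- a/data/lib/aws-sdk-acmpca/client_api.rb
+++ b/data/lib/aws-sdk-acmpca/client_api.rb
@@ -61,6 +61,7 @@ module Aws::ACMPCA
 InvalidArnException = Shapes::StructureShape.new(name: 'InvalidArnException')
 InvalidNextTokenException = Shapes::StructureShape.new(name: 'InvalidNextTokenException')
 InvalidPolicyException = Shapes::StructureShape.new(name: 'InvalidPolicyException')
+InvalidRequestException = Shapes::StructureShape.new(name: 'InvalidRequestException')
 InvalidStateException = Shapes::StructureShape.new(name: 'InvalidStateException')
 InvalidTagException = Shapes::StructureShape.new(name: 'InvalidTagException')
 IssueCertificateRequest = Shapes::StructureShape.new(name: 'IssueCertificateRequest')
@@ -237,7 +238,7 @@ module Aws::ACMPCA
 
 ImportCertificateAuthorityCertificateRequest.add_member(:certificate_authority_arn, Shapes::ShapeRef.new(shape: Arn, required: true, location_name: "CertificateAuthorityArn"))
 ImportCertificateAuthorityCertificateRequest.add_member(:certificate, Shapes::ShapeRef.new(shape: CertificateBodyBlob, required: true, location_name: "Certificate"))
-ImportCertificateAuthorityCertificateRequest.add_member(:certificate_chain, Shapes::ShapeRef.new(shape: CertificateChainBlob,
+ImportCertificateAuthorityCertificateRequest.add_member(:certificate_chain, Shapes::ShapeRef.new(shape: CertificateChainBlob, location_name: "CertificateChain"))
 ImportCertificateAuthorityCertificateRequest.struct_class = Types::ImportCertificateAuthorityCertificateRequest
 
 InvalidArgsException.add_member(:message, Shapes::ShapeRef.new(shape: String, location_name: "message"))
@@ -252,6 +253,9 @@ module Aws::ACMPCA
 InvalidPolicyException.add_member(:message, Shapes::ShapeRef.new(shape: String, location_name: "message"))
 InvalidPolicyException.struct_class = Types::InvalidPolicyException
 
+InvalidRequestException.add_member(:message, Shapes::ShapeRef.new(shape: String, location_name: "message"))
+InvalidRequestException.struct_class = Types::InvalidRequestException
+
 InvalidStateException.add_member(:message, Shapes::ShapeRef.new(shape: String, location_name: "message"))
 InvalidStateException.struct_class = Types::InvalidStateException
 
@@ -261,6 +265,7 @@ module Aws::ACMPCA
 IssueCertificateRequest.add_member(:certificate_authority_arn, Shapes::ShapeRef.new(shape: Arn, required: true, location_name: "CertificateAuthorityArn"))
 IssueCertificateRequest.add_member(:csr, Shapes::ShapeRef.new(shape: CsrBlob, required: true, location_name: "Csr"))
 IssueCertificateRequest.add_member(:signing_algorithm, Shapes::ShapeRef.new(shape: SigningAlgorithm, required: true, location_name: "SigningAlgorithm"))
+IssueCertificateRequest.add_member(:template_arn, Shapes::ShapeRef.new(shape: Arn, location_name: "TemplateArn"))
 IssueCertificateRequest.add_member(:validity, Shapes::ShapeRef.new(shape: Validity, required: true, location_name: "Validity"))
 IssueCertificateRequest.add_member(:idempotency_token, Shapes::ShapeRef.new(shape: IdempotencyToken, location_name: "IdempotencyToken"))
 IssueCertificateRequest.struct_class = Types::IssueCertificateRequest
@@ -517,6 +522,7 @@ module Aws::ACMPCA
 o.errors << Shapes::ShapeRef.new(shape: RequestFailedException)
 o.errors << Shapes::ShapeRef.new(shape: ResourceNotFoundException)
 o.errors << Shapes::ShapeRef.new(shape: InvalidArnException)
+o.errors << Shapes::ShapeRef.new(shape: InvalidRequestException)
 o.errors << Shapes::ShapeRef.new(shape: InvalidStateException)
 o.errors << Shapes::ShapeRef.new(shape: MalformedCertificateException)
 o.errors << Shapes::ShapeRef.new(shape: CertificateMismatchException)
@@ -578,6 +584,7 @@ module Aws::ACMPCA
 o.output = Shapes::ShapeRef.new(shape: ListTagsResponse)
 o.errors << Shapes::ShapeRef.new(shape: ResourceNotFoundException)
 o.errors << Shapes::ShapeRef.new(shape: InvalidArnException)
+o.errors << Shapes::ShapeRef.new(shape: InvalidStateException)
 o[:pager] = Aws::Pager.new(
 limit_key: "max_results",
 tokens: {
@@ -605,6 +612,7 @@ module Aws::ACMPCA
 o.output = Shapes::ShapeRef.new(shape: Shapes::StructureShape.new(struct_class: Aws::EmptyStructure))
 o.errors << Shapes::ShapeRef.new(shape: ConcurrentModificationException)
 o.errors << Shapes::ShapeRef.new(shape: InvalidArnException)
+o.errors << Shapes::ShapeRef.new(shape: InvalidRequestException)
 o.errors << Shapes::ShapeRef.new(shape: InvalidStateException)
 o.errors << Shapes::ShapeRef.new(shape: LimitExceededException)
 o.errors << Shapes::ShapeRef.new(shape: ResourceNotFoundException)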
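Review bot: The new `certificate_chain` member of ImportCertificateAuthorityCertificateRequest is declared without `required: true`, so client-side parameter validation will presumably no longer reject an import that omits the chain (the removed line is truncated on this page, so the old flag is inferred from the neighbouring members). The types.rb documentation in this release says the parameter must still be supplied when importing a subordinate CA, which leaves that check to the service and to callers. I would record that above the member, e.g. `# certificate_chain is optional only for a root CA; subordinate CA imports must still supply it`, and have calling code verify the chain is present before importing a subordinate certificate.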
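--- a/data/lib/aws-sdk-acmpca/errors.rb
+++ b/data/lib/aws-sdk-acmpca/errors.rb
@@ -106,6 +106,22 @@ module Aws::ACMPCA
 
 end
 
+class InvalidRequestException < ServiceError
+
+# @param [Seahorse::Client::RequestContext] context
+# @param [String] message
+# @param [Aws::ACMPCA::Types::InvalidRequestException] data
+def initialize(context, message, data = Aws::EmptyStructure.new)
+super(context, message, data)
+end
+
+# @return [String]
+def message
+@message || @data[:message]
+end
+
+end
+
 class InvalidStateException < ServiceError
 
 # @param [Seahorse::Client::RequestContext] context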
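Review bot: `InvalidRequestException` is added without a class-level comment, so a reader of errors.rb cannot tell when it is raised; types.rb in this release describes the matching structure as "The request action cannot be performed or is prohibited." I would add `# Raised when the request action cannot be performed or is prohibited.` above the class line. The `message` fallback `@data[:message]` also assumes `data` has a `:message` member, which the default `Aws::EmptyStructure.new` may not provide; that is worth confirming against ServiceError, which is defined outside this hunk. Since client_api.rb now attaches this error to operations, rescue clauses that enumerate the ACM PCA error classes should be checked for it.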
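--- a/data/lib/aws-sdk-acmpca/types.rb
+++ b/data/lib/aws-sdk-acmpca/types.rb
@@ -133,12 +133,12 @@ module Aws::ACMPCA
 # Digital certificates verify that the entity named in the certificate
 # **Subject** field owns or controls the public key contained in the
 # **Subject Public Key Info** field. Call the CreateCertificateAuthority
-#
-# GetCertificateAuthorityCertificate
-# certificate signing request (CSR).
-#
-#
-#
+# action to create your private CA. You must then call the
+# GetCertificateAuthorityCertificate action to retrieve a private CA
+# certificate signing request (CSR). Sign the CSR with your ACM Private
+# CA-hosted or on-premises root or subordinate CA certificate. Call the
+# ImportCertificateAuthorityCertificate action to import the signed
+# certificate into AWS Certificate Manager (ACM).
 #
 # @!attribute [rw] arn
 # Amazon Resource Name (ARN) for your private certificate authority
@@ -189,7 +189,7 @@ module Aws::ACMPCA
 # @!attribute [rw] restorable_until
 # The period during which a deleted CA can be restored. For more
 # information, see the `PermanentDeletionTimeInDays` parameter of the
-# DeleteCertificateAuthorityRequest
+# DeleteCertificateAuthorityRequest action.
 # @return [Time]
 #
 # @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/CertificateAuthority AWS API Documentation
@@ -216,7 +216,7 @@ module Aws::ACMPCA
 # issues a certificate. It also includes the signature algorithm that it
 # uses when issuing certificates, and its X.500 distinguished name. You
 # must specify this information when you call the
-# CreateCertificateAuthority
+# CreateCertificateAuthority action.
 #
 # @note When making an API call, you may pass CertificateAuthorityConfiguration
 # data as a hash:
@@ -244,7 +244,9 @@ module Aws::ACMPCA
 #
 # @!attribute [rw] key_algorithm
 # Type of the public key algorithm and size, in bits, of the key pair
-# that your
+# that your CA creates when it issues a certificate. When you create a
+# subordinate CA, you must use a key algorithm supported by the parent
+# CA.
 # @return [String]
 #
 # @!attribute [rw] signing_algorithm
@@ -375,7 +377,7 @@ module Aws::ACMPCA
 # s3_bucket_name: "String3To255",
 # },
 # },
-# certificate_authority_type: "
+# certificate_authority_type: "ROOT", # required, accepts ROOT, SUBORDINATE
 # idempotency_token: "IdempotencyToken",
 # tags: [
 # {
@@ -393,15 +395,14 @@ module Aws::ACMPCA
 # @!attribute [rw] revocation_configuration
 # Contains a Boolean value that you can use to enable a certification
 # revocation list (CRL) for the CA, the name of the S3 bucket to which
-# ACM
-# use to hide the name of your bucket in the **CRL
-# Points** extension of your CA certificate. For more
-# the CrlConfiguration structure.
+# ACM Private CA will write the CRL, and an optional CNAME alias that
+# you can use to hide the name of your bucket in the **CRL
+# Distribution Points** extension of your CA certificate. For more
+# information, see the CrlConfiguration structure.
 # @return [Types::RevocationConfiguration]
 #
 # @!attribute [rw] certificate_authority_type
-# The type of the certificate authority.
-# **SUBORDINATE**.
+# The type of the certificate authority.
 # @return [String]
 #
 # @!attribute [rw] idempotency_token
@@ -409,15 +410,23 @@ module Aws::ACMPCA
 # **CreateCertificateAuthority**. Idempotency tokens time out after
 # five minutes. Therefore, if you call **CreateCertificateAuthority**
 # multiple times with the same idempotency token within a five minute
-# period, ACM
-# certificate. As a result, ACM
-# idempotency token for each call, however, ACM
-# you are requesting multiple certificates.
+# period, ACM Private CA recognizes that you are requesting only one
+# certificate. As a result, ACM Private CA issues only one. If you
+# change the idempotency token for each call, however, ACM Private CA
+# recognizes that you are requesting multiple certificates.
 # @return [String]
 #
 # @!attribute [rw] tags
 # Key-value pairs that will be attached to the new private CA. You can
-# associate up to 50 tags with a private CA.
+# associate up to 50 tags with a private CA. For information using
+# tags with
+#
+# IAM to manage permissions, see [Controlling Access Using IAM
+# Tags][1].
+#
+#
+#
+# [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_iam-tags.html
 # @return [Array<Types::Tag>]
 #
 # @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/CreateCertificateAuthorityRequest AWS API Documentation
@@ -459,7 +468,7 @@ module Aws::ACMPCA
 # @!attribute [rw] certificate_authority_arn
 # The Amazon Resource Name (ARN) of the CA that grants the
 # permissions. You can find the ARN by calling the
-# ListCertificateAuthorities
+# ListCertificateAuthorities action. This must have the following
 # form:
 #
 # `arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012
@@ -499,7 +508,7 @@ module Aws::ACMPCA
 # specifying a value for the **CustomCname** parameter. Your private CA
 # copies the CNAME or the S3 bucket name to the **CRL Distribution
 # Points** extension of each certificate it issues. Your S3 bucket
-# policy must give write permission to ACM
+# policy must give write permission to ACM Private CA.
 #
 # Your private CA uses the value in the **ExpirationInDays** parameter
 # to calculate the **nextUpdate** field in the CRL. The CRL is refreshed
@@ -550,8 +559,8 @@ module Aws::ACMPCA
 #
 # * **Signature Value**\: Signature computed over the CRL.
 #
-# Certificate revocation lists created by ACM
-# can use the following OpenSSL command to list a CRL.
+# Certificate revocation lists created by ACM Private CA are
+# DER-encoded. You can use the following OpenSSL command to list a CRL.
 #
 # `openssl crl -inform DER -text -in crl_path -noout`
 #
@@ -569,8 +578,8 @@ module Aws::ACMPCA
 # Boolean value that specifies whether certificate revocation lists
 # (CRLs) are enabled. You can use this value to enable certificate
 # revocation for a new CA when you call the CreateCertificateAuthority
-#
-# UpdateCertificateAuthority
+# action or for an existing CA when you call the
+# UpdateCertificateAuthority action.
 # @return [Boolean]
 #
 # @!attribute [rw] expiration_in_days
@@ -589,8 +598,9 @@ module Aws::ACMPCA
 # value for the **CustomCname** argument, the name of your S3 bucket
 # is placed into the **CRL Distribution Points** extension of the
 # issued certificate. You can change the name of your bucket by
-# calling the UpdateCertificateAuthority
-# bucket policy that allows ACM
+# calling the UpdateCertificateAuthority action. You must specify a
+# bucket policy that allows ACM Private CA to write the CRL to your
+# bucket.
 # @return [String]
 #
 # @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/CrlConfiguration AWS API Documentation
@@ -645,7 +655,7 @@ module Aws::ACMPCA
 # @!attribute [rw] certificate_authority_arn
 # The Amazon Resource Number (ARN) of the private CA that issued the
 # permissions. You can find the CA's ARN by calling the
-# ListCertificateAuthorities
+# ListCertificateAuthorities action. This must have the following
 # form:
 #
 # `arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012
@@ -659,7 +669,7 @@ module Aws::ACMPCA
 # @return [String]
 #
 # @!attribute [rw] source_account
-# The AWS account that calls this
+# The AWS account that calls this action.
 # @return [String]
 #
 # @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/DeletePermissionRequest AWS API Documentation
@@ -689,7 +699,7 @@ module Aws::ACMPCA
 #
 # @!attribute [rw] audit_report_id
 # The report ID returned by calling the
-# CreateCertificateAuthorityAuditReport
+# CreateCertificateAuthorityAuditReport action.
 # @return [String]
 #
 # @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/DescribeCertificateAuthorityAuditReportRequest AWS API Documentation
@@ -792,7 +802,8 @@ module Aws::ACMPCA
 # Base64-encoded certificate chain that includes any intermediate
 # certificates and chains up to root on-premises certificate that you
 # used to sign your private CA certificate. The chain does not include
-# your private CA certificate.
+# your private CA certificate. If this is a root CA, the value will be
+# null.
 # @return [String]
 #
 # @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/GetCertificateAuthorityCertificateResponse AWS API Documentation
@@ -812,7 +823,7 @@ module Aws::ACMPCA
 #
 # @!attribute [rw] certificate_authority_arn
 # The Amazon Resource Name (ARN) that was returned when you called the
-# CreateCertificateAuthority
+# CreateCertificateAuthority action. This must be of the form:
 #
 # `arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012
 # `
@@ -894,7 +905,7 @@ module Aws::ACMPCA
 # {
 # certificate_authority_arn: "Arn", # required
 # certificate: "data", # required
-# certificate_chain: "data",
+# certificate_chain: "data",
 # }
 #
 # @!attribute [rw] certificate_authority_arn
@@ -906,15 +917,20 @@ module Aws::ACMPCA
 # @return [String]
 #
 # @!attribute [rw] certificate
-# The PEM-encoded certificate for
-#
+# The PEM-encoded certificate for a private CA. This may be a
+# self-signed certificate in the case of a root CA, or it may be
+# signed by another CA that you control.
 # @return [String]
 #
 # @!attribute [rw] certificate_chain
 # A PEM-encoded file that contains all of your certificates, other
 # than the certificate you're importing, chaining up to your root CA.
-# Your on-premises root certificate is the
-# certificate in the chain signs the one
+# Your ACM Private CA-hosted or on-premises root certificate is the
+# last in the chain, and each certificate in the chain signs the one
+# preceding.
+#
+# This parameter must be supplied when you import a subordinate CA.
+# When you import a root CA, there is no chain.
 # @return [String]
 #
 # @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/ImportCertificateAuthorityCertificateRequest AWS API Documentation
@@ -964,8 +980,9 @@ module Aws::ACMPCA
 include Aws::Structure
 end
 
-# The S3 bucket policy is not valid. The policy must give ACM
-# to read from and write to the bucket and find the bucket
+# The S3 bucket policy is not valid. The policy must give ACM Private CA
+# rights to read from and write to the bucket and find the bucket
+# location.
 #
 # @!attribute [rw] message
 # @return [String]
@@ -977,6 +994,18 @@ module Aws::ACMPCA
 include Aws::Structure
 end
 
+# The request action cannot be performed or is prohibited.
+#
+# @!attribute [rw] message
+# @return [String]
+#
+# @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/InvalidRequestException AWS API Documentation
+#
+class InvalidRequestException < Struct.new(
+:message)
+include Aws::Structure
+end
+
 # The private CA is in a state during which a report or certificate
 # cannot be generated.
 #
@@ -1010,6 +1039,7 @@ module Aws::ACMPCA
 # certificate_authority_arn: "Arn", # required
 # csr: "data", # required
 # signing_algorithm: "SHA256WITHECDSA", # required, accepts SHA256WITHECDSA, SHA384WITHECDSA, SHA512WITHECDSA, SHA256WITHRSA, SHA384WITHRSA, SHA512WITHRSA
+# template_arn: "Arn",
 # validity: { # required
 # value: 1, # required
 # type: "END_DATE", # required, accepts END_DATE, ABSOLUTE, DAYS, MONTHS, YEARS
@@ -1047,18 +1077,45 @@ module Aws::ACMPCA
 # to be issued.
 # @return [String]
 #
+# @!attribute [rw] template_arn
+# Specifies a custom configuration template to use when issuing a
+# certificate. If this parameter is not provided, ACM Private CA
+# defaults to the `EndEntityCertificate/V1` template.
+#
+# The following service-owned `TemplateArn` values are supported by
+# ACM Private CA:
+#
+# * arn:aws:acm-pca:::template/EndEntityCertificate/V1
+#
+# * arn:aws:acm-pca:::template/SubordinateCACertificate\_PathLen0/V1
+#
+# * arn:aws:acm-pca:::template/SubordinateCACertificate\_PathLen1/V1
+#
+# * arn:aws:acm-pca:::template/SubordinateCACertificate\_PathLen2/V1
+#
+# * arn:aws:acm-pca:::template/SubordinateCACertificate\_PathLen3/V1
+#
+# * arn:aws:acm-pca:::template/RootCACertificate/V1
+#
+# For more information, see [Using Templates][1].
+#
+#
+#
+# [1]: https://docs.aws.amazon.com/acm-pca/latest/userguide/UsingTemplates.html
+# @return [String]
+#
 # @!attribute [rw] validity
 # The type of the validity period.
 # @return [Types::Validity]
 #
 # @!attribute [rw] idempotency_token
 # Custom string that can be used to distinguish between calls to the
-# **IssueCertificate**
-#
-# with the same idempotency token within 5 minutes, ACM
-# that you are requesting only one certificate and will
-# one. If you change the idempotency token for each call,
-# recognizes that you are requesting multiple certificates.
+# **IssueCertificate** action. Idempotency tokens time out after one
+# hour. Therefore, if you call **IssueCertificate** multiple times
+# with the same idempotency token within 5 minutes, ACM Private CA
+# recognizes that you are requesting only one certificate and will
+# issue only one. If you change the idempotency token for each call,
+# PCA recognizes that you are requesting multiple certificates.
 # @return [String]
 #
 # @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/IssueCertificateRequest AWS API Documentation
@@ -1067,6 +1124,7 @@ module Aws::ACMPCA
 :certificate_authority_arn,
 :csr,
 :signing_algorithm,
+:template_arn,
 :validity,
 :idempotency_token)
 include Aws::Structure
@@ -1087,8 +1145,8 @@ module Aws::ACMPCA
 include Aws::Structure
 end
 
-# An ACM
-# to determine the limit that was exceeded.
+# An ACM Private CA limit has been exceeded. See the exception message
+# returned to determine the limit that was exceeded.
 #
 # @!attribute [rw] message
 # @return [String]
@@ -1160,11 +1218,11 @@ module Aws::ACMPCA
 #
 # @!attribute [rw] certificate_authority_arn
 # The Amazon Resource Number (ARN) of the private CA to inspect. You
-# can find the ARN by calling the ListCertificateAuthorities
-#
+# can find the ARN by calling the ListCertificateAuthorities action.
+# This must be of the form:
 # `arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012`
 # You can get a private CA's ARN by running the
-# ListCertificateAuthorities
+# ListCertificateAuthorities action.
 # @return [String]
 #
 # @!attribute [rw] next_token
@@ -1220,7 +1278,7 @@ module Aws::ACMPCA
 #
 # @!attribute [rw] certificate_authority_arn
 # The Amazon Resource Name (ARN) that was returned when you called the
-# CreateCertificateAuthority
+# CreateCertificateAuthority action. This must be of the form:
 #
 # `arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012
 # `
@@ -1290,13 +1348,13 @@ module Aws::ACMPCA
 include Aws::Structure
 end
 
-# Permissions designate which private CA
-#
-#
-#
+# Permissions designate which private CA actions can be performed by an
+# AWS service or entity. In order for ACM to automatically renew private
+# certificates, you must give the ACM service principal all available
+# permissions (`IssueCertificate`, `GetCertificate`, and
 # `ListPermissions`). Permissions can be assigned with the
-# CreatePermission
-#
+# CreatePermission action, removed with the DeletePermission action, and
+# listed with the ListPermissions action.
 #
 # @!attribute [rw] certificate_authority_arn
 # The Amazon Resource Number (ARN) of the private CA from which the
@@ -1317,8 +1375,8 @@ module Aws::ACMPCA
 # @return [String]
 #
 # @!attribute [rw] actions
-# The private CA
-#
+# The private CA actions that can be performed by the designated AWS
+# service.
 # @return [Array<String>]
 #
 # @!attribute [rw] policy
@@ -1407,7 +1465,7 @@ module Aws::ACMPCA
 #
 # @!attribute [rw] certificate_authority_arn
 # The Amazon Resource Name (ARN) that was returned when you called the
-# CreateCertificateAuthority
+# CreateCertificateAuthority action. This must be of the form:
 #
 # `arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012
 # `
@@ -1421,7 +1479,7 @@ module Aws::ACMPCA
 end
 
 # Certificate revocation information used by the
-# CreateCertificateAuthority and UpdateCertificateAuthority
+# CreateCertificateAuthority and UpdateCertificateAuthority actions.
 # Your private certificate authority (CA) can create and maintain a
 # certificate revocation list (CRL). A CRL contains information about
 # certificates revoked by your CA. For more information, see
@@ -1473,15 +1531,15 @@ module Aws::ACMPCA
 # hexadecimal format. You can retrieve the serial number by calling
 # GetCertificate with the Amazon Resource Name (ARN) of the
 # certificate you want and the ARN of your private CA. The
-# **GetCertificate**
+# **GetCertificate** action retrieves the certificate in the PEM
 # format. You can use the following OpenSSL command to list the
 # certificate in text format and copy the hexadecimal serial number.
 #
 # `openssl x509 -in file_path -text -noout`
 #
 # You can also copy the serial number from the console or use the
-# [DescribeCertificate][1]
-#
+# [DescribeCertificate][1] action in the *AWS Certificate Manager API
+# Reference*.
 #
 #
 #
@@ -1504,8 +1562,8 @@ module Aws::ACMPCA
 # Tags are labels that you can use to identify and organize your private
 # CAs. Each tag consists of a key and an optional value. You can
 # associate up to 50 tags with a private CA. To add one or more tags to
-# a private CA, call the TagCertificateAuthority
-# tag, call the UntagCertificateAuthority
+# a private CA, call the TagCertificateAuthority action. To remove a
+# tag, call the UntagCertificateAuthority action.
 #
 # @note When making an API call, you may pass Tag
 # data as a hash:
@@ -1654,7 +1712,7 @@ module Aws::ACMPCA
 # Length of time for which the certificate issued by your private
 # certificate authority (CA), or by the private CA itself, is valid in
 # days, months, or years. You can issue a certificate by calling the
-# IssueCertificate
+# IssueCertificate action.
 #
 # @note When making an API call, you may pass Validity
 # data as a hash: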
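Review bot: The new `template_arn` documentation lists the SubordinateCACertificate and RootCACertificate templates next to EndEntityCertificate without saying that the choice changes what kind of certificate is issued; judging by the template names, a caller who can set this parameter can request a CA certificate rather than an end-entity one. I would add a line to the attribute text such as `# Passing a SubordinateCACertificate or RootCACertificate template issues a CA certificate; limit who may set this parameter.` Separately, the rewritten `idempotency_token` text for IssueCertificate says tokens "time out after one hour" and then describes repeated calls "within 5 minutes"; the two figures should agree, and the closing sentence uses "PCA" where the rest of the file says "ACM Private CA".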
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: aws-sdk-acmpca
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 1.
|
4
|
+
version: 1.18.0
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Amazon Web Services
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date: 2019-06-
|
11
|
+
date: 2019-06-20 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: aws-sdk-core
|