aws-sdk-acmpca 1.17.0 → 1.18.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: c2cf73f386ffc28bfe85214a5b9e9545fd902723
-  data.tar.gz: e21b06fd5ce7a5f3bea1d8983e3261193041d573
+  metadata.gz: 040d9eb30d98a3af7dcda6f131c91a9da812962e
+  data.tar.gz: 6547e6a03786399ad10383bf887b21f7a9783747
 SHA512:
-  metadata.gz: 589c4555c835d35d843aaae5a76fb0911bb326c897c54dc03ec38802756649373e7b2e3f5d3dc1bdde166f8405541204dcb6b03758f61ac3905011e802d3b52d
-  data.tar.gz: e942cb00ab822ca5b90c68dd99ea2160aee18cb390b3fde8a00557440e9bdcaec5077d87ce9308a741a712834a581d461997225a0ff124d3e0350a5405f296c1
+  metadata.gz: b7ec58a76fa84ab3d6538b32c5a053bbcf85a895194c7c3f23031bbf112cd42745fc8809e2e19c3e82856f45017391b904950cd7b0189e1709916684b118df39
+  data.tar.gz: 6d0b23fa739b744e5f17ec2b1a5c24a15fb9817f744a48050b968e654f4bae2a9ec92540091f626abc73a6bf10bc97455e12c0a5fb3cae9be924dfac16723116

data/lib/aws-sdk-acmpca.rb

@@ -43,6 +43,6 @@ require_relative 'aws-sdk-acmpca/customizations'
 # @service
 module Aws::ACMPCA
 
-  GEM_VERSION = '1.17.0'
+  GEM_VERSION = '1.18.0'
 
 end

data/lib/aws-sdk-acmpca/client.rb

@@ -264,17 +264,18 @@ module Aws::ACMPCA
 
     # @!group API Operations
 
-    # Creates a private subordinate certificate authority (CA). You must
-    # specify the CA configuration, the revocation configuration, the CA
-    # type, and an optional idempotency token. The CA configuration
+    # Creates a root or subordinate private certificate authority (CA). You
+    # must specify the CA configuration, the certificate revocation list
+    # (CRL) configuration, the CA type, and an optional idempotency token to
+    # avoid accidental creation of multiple CAs. The CA configuration
     # specifies the name of the algorithm and key size to be used to create
-    # the CA private key, the type of signing algorithm that the CA uses to
-    # sign, and X.500 subject information. The CRL (certificate revocation
-    # list) configuration specifies the CRL expiration period in days (the
-    # validity period of the CRL), the Amazon S3 bucket that will contain
-    # the CRL, and a CNAME alias for the S3 bucket that is included in
-    # certificates issued by the CA. If successful, this operation returns
-    # the Amazon Resource Name (ARN) of the CA.
+    # the CA private key, the type of signing algorithm that the CA uses,
+    # and X.500 subject information. The CRL configuration specifies the CRL
+    # expiration period in days (the validity period of the CRL), the Amazon
+    # S3 bucket that will contain the CRL, and a CNAME alias for the S3
+    # bucket that is included in certificates issued by the CA. If
+    # successful, this action returns the Amazon Resource Name (ARN) of the
+    # CA.
     #
     # @option params [required, Types::CertificateAuthorityConfiguration] :certificate_authority_configuration
     #   Name and bit size of the private key algorithm, the name of the
@@ -283,28 +284,34 @@ module Aws::ACMPCA
     # @option params [Types::RevocationConfiguration] :revocation_configuration
     #   Contains a Boolean value that you can use to enable a certification
     #   revocation list (CRL) for the CA, the name of the S3 bucket to which
-    #   ACM PCA will write the CRL, and an optional CNAME alias that you can
-    #   use to hide the name of your bucket in the **CRL Distribution Points**
-    #   extension of your CA certificate. For more information, see the
-    #   CrlConfiguration structure.
+    #   ACM Private CA will write the CRL, and an optional CNAME alias that
+    #   you can use to hide the name of your bucket in the **CRL Distribution
+    #   Points** extension of your CA certificate. For more information, see
+    #   the CrlConfiguration structure.
     #
     # @option params [required, String] :certificate_authority_type
-    #   The type of the certificate authority. Currently, this must be
-    #   **SUBORDINATE**.
+    #   The type of the certificate authority.
     #
     # @option params [String] :idempotency_token
     #   Alphanumeric string that can be used to distinguish between calls to
     #   **CreateCertificateAuthority**. Idempotency tokens time out after five
     #   minutes. Therefore, if you call **CreateCertificateAuthority**
     #   multiple times with the same idempotency token within a five minute
-    #   period, ACM PCA recognizes that you are requesting only one
-    #   certificate. As a result, ACM PCA issues only one. If you change the
-    #   idempotency token for each call, however, ACM PCA recognizes that you
-    #   are requesting multiple certificates.
+    #   period, ACM Private CA recognizes that you are requesting only one
+    #   certificate. As a result, ACM Private CA issues only one. If you
+    #   change the idempotency token for each call, however, ACM Private CA
+    #   recognizes that you are requesting multiple certificates.
     #
     # @option params [Array<Types::Tag>] :tags
     #   Key-value pairs that will be attached to the new private CA. You can
-    #   associate up to 50 tags with a private CA.
+    #   associate up to 50 tags with a private CA. For information using tags
+    #   with
+    #
+    #   IAM to manage permissions, see [Controlling Access Using IAM Tags][1].
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_iam-tags.html
     #
     # @return [Types::CreateCertificateAuthorityResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
     #
@@ -341,7 +348,7 @@ module Aws::ACMPCA
     #         s3_bucket_name: "String3To255",
     #       },
     #     },
-    #     certificate_authority_type: "SUBORDINATE", # required, accepts SUBORDINATE
+    #     certificate_authority_type: "ROOT", # required, accepts ROOT, SUBORDINATE
     #     idempotency_token: "IdempotencyToken",
     #     tags: [
     #       {
@@ -366,8 +373,8 @@ module Aws::ACMPCA
 
     # Creates an audit report that lists every time that your CA private key
     # is used. The report is saved in the Amazon S3 bucket that you specify
-    # on input. The IssueCertificate and RevokeCertificate operations use
-    # the private key. You can generate a new report every 30 minutes.
+    # on input. The IssueCertificate and RevokeCertificate actions use the
+    # private key.
     #
     # @option params [required, String] :certificate_authority_arn
     #   The Amazon Resource Name (ARN) of the CA to be audited. This is of the
@@ -420,13 +427,12 @@ module Aws::ACMPCA
     #
     # At this time, you can only assign permissions to ACM
     # (`acm.amazonaws.com`). Permissions can be revoked with the
-    # DeletePermission operation and listed with the ListPermissions
-    # operation.
+    # DeletePermission action and listed with the ListPermissions action.
     #
     # @option params [required, String] :certificate_authority_arn
     #   The Amazon Resource Name (ARN) of the CA that grants the permissions.
-    #   You can find the ARN by calling the ListCertificateAuthorities
-    #   operation. This must have the following form:
+    #   You can find the ARN by calling the ListCertificateAuthorities action.
+    #   This must have the following form:
     #
     #   `arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012
     #   `.
@@ -462,29 +468,34 @@ module Aws::ACMPCA
       req.send_request(options)
     end
 
-    # Deletes a private certificate authority (CA). You must provide the ARN
-    # (Amazon Resource Name) of the private CA that you want to delete. You
-    # can find the ARN by calling the ListCertificateAuthorities operation.
-    # Before you can delete a CA, you must disable it. Call the
-    # UpdateCertificateAuthority operation and set the
-    # **CertificateAuthorityStatus** parameter to `DISABLED`.
+    # Deletes a private certificate authority (CA). You must provide the
+    # Amazon Resource Name (ARN) of the private CA that you want to delete.
+    # You can find the ARN by calling the ListCertificateAuthorities action.
+    #
+    # <note markdown="1"> Deleting a CA will invalidate other CAs and certificates below it in
+    # your CA hierarchy.
+    #
+    #  </note>
+    #
+    # Before you can delete a CA that you have created and activated, you
+    # must disable it. To do this, call the UpdateCertificateAuthority
+    # action and set the **CertificateAuthorityStatus** parameter to
+    # `DISABLED`.
     #
     # Additionally, you can delete a CA if you are waiting for it to be
-    # created (the **Status** field of the CertificateAuthority is
-    # `CREATING`). You can also delete it if the CA has been created but you
-    # haven't yet imported the signed certificate (the **Status** is
-    # `PENDING_CERTIFICATE`) into ACM PCA.
-    #
-    # If the CA is in one of the previously mentioned states and you call
-    # DeleteCertificateAuthority, the CA's status changes to `DELETED`.
-    # However, the CA won't be permanently deleted until the restoration
-    # period has passed. By default, if you do not set the
-    # `PermanentDeletionTimeInDays` parameter, the CA remains restorable for
-    # 30 days. You can set the parameter from 7 to 30 days. The
-    # DescribeCertificateAuthority operation returns the time remaining in
-    # the restoration window of a Private CA in the `DELETED` state. To
-    # restore an eligible CA, call the RestoreCertificateAuthority
-    # operation.
+    # created (that is, the status of the CA is `CREATING`). You can also
+    # delete it if the CA has been created but you haven't yet imported the
+    # signed certificate into ACM Private CA (that is, the status of the CA
+    # is `PENDING_CERTIFICATE`).
+    #
+    # When you successfully call DeleteCertificateAuthority, the CA's
+    # status changes to `DELETED`. However, the CA won't be permanently
+    # deleted until the restoration period has passed. By default, if you do
+    # not set the `PermanentDeletionTimeInDays` parameter, the CA remains
+    # restorable for 30 days. You can set the parameter from 7 to 30 days.
+    # The DescribeCertificateAuthority action returns the time remaining in
+    # the restoration window of a private CA in the `DELETED` state. To
+    # restore an eligible CA, call the RestoreCertificateAuthority action.
     #
     # @option params [required, String] :certificate_authority_arn
     #   The Amazon Resource Name (ARN) that was returned when you called
@@ -516,14 +527,13 @@ module Aws::ACMPCA
     end
 
     # Revokes permissions that a private CA assigned to a designated AWS
-    # service. Permissions can be created with the CreatePermission
-    # operation and listed with the ListPermissions operation.
+    # service. Permissions can be created with the CreatePermission action
+    # and listed with the ListPermissions action.
     #
     # @option params [required, String] :certificate_authority_arn
     #   The Amazon Resource Number (ARN) of the private CA that issued the
     #   permissions. You can find the CA's ARN by calling the
-    #   ListCertificateAuthorities operation. This must have the following
-    #   form:
+    #   ListCertificateAuthorities action. This must have the following form:
     #
     #   `arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012
     #   `.
@@ -533,7 +543,7 @@ module Aws::ACMPCA
     #   At this time, the only valid service principal is `acm.amazonaws.com`
     #
     # @option params [String] :source_account
-    #   The AWS account that calls this operation.
+    #   The AWS account that calls this action.
     #
     # @return [Struct] Returns an empty {Seahorse::Client::Response response}.
     #
@@ -559,11 +569,12 @@ module Aws::ACMPCA
     # output contains the status of your CA. This can be any of the
     # following:
     #
-    # * `CREATING` - ACM PCA is creating your private certificate authority.
+    # * `CREATING` - ACM Private CA is creating your private certificate
+    #   authority.
     #
     # * `PENDING_CERTIFICATE` - The certificate is pending. You must use
-    #   your on-premises root or subordinate CA to sign your private CA CSR
-    #   and then import it into PCA.
+    #   your ACM Private CA-hosted or on-premises root or subordinate CA to
+    #   sign your private CA CSR and then import it into PCA.
     #
     # * `ACTIVE` - Your private CA is active.
     #
@@ -578,8 +589,7 @@ module Aws::ACMPCA
     #
     # * `DELETED` - Your private CA is within the restoration period, after
     #   which it is permanently deleted. The length of time remaining in the
-    #   CA's restoration period is also included in this operation's
-    #   output.
+    #   CA's restoration period is also included in this action's output.
     #
     # @option params [required, String] :certificate_authority_arn
     #   The Amazon Resource Name (ARN) that was returned when you called
@@ -603,7 +613,7 @@ module Aws::ACMPCA
     #   resp.certificate_authority.arn #=> String
     #   resp.certificate_authority.created_at #=> Time
     #   resp.certificate_authority.last_state_change_at #=> Time
-    #   resp.certificate_authority.type #=> String, one of "SUBORDINATE"
+    #   resp.certificate_authority.type #=> String, one of "ROOT", "SUBORDINATE"
     #   resp.certificate_authority.serial #=> String
     #   resp.certificate_authority.status #=> String, one of "CREATING", "PENDING_CERTIFICATE", "ACTIVE", "DELETED", "DISABLED", "EXPIRED", "FAILED"
     #   resp.certificate_authority.not_before #=> Time
@@ -641,10 +651,10 @@ module Aws::ACMPCA
     end
 
     # Lists information about a specific audit report created by calling the
-    # CreateCertificateAuthorityAuditReport operation. Audit information is
+    # CreateCertificateAuthorityAuditReport action. Audit information is
     # created every time the certificate authority (CA) private key is used.
-    # The private key is used when you call the IssueCertificate operation
-    # or the RevokeCertificate operation.
+    # The private key is used when you call the IssueCertificate action or
+    # the RevokeCertificate action.
     #
     # @option params [required, String] :certificate_authority_arn
     #   The Amazon Resource Name (ARN) of the private CA. This must be of the
@@ -655,7 +665,7 @@ module Aws::ACMPCA
     #
     # @option params [required, String] :audit_report_id
     #   The report ID returned by calling the
-    #   CreateCertificateAuthorityAuditReport operation.
+    #   CreateCertificateAuthorityAuditReport action.
     #
     # @return [Types::DescribeCertificateAuthorityAuditReportResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
     #
@@ -688,11 +698,11 @@ module Aws::ACMPCA
     end
 
     # Retrieves a certificate from your private CA. The ARN of the
-    # certificate is returned when you call the IssueCertificate operation.
-    # You must specify both the ARN of your private CA and the ARN of the
-    # issued certificate when calling the **GetCertificate** operation. You
-    # can retrieve the certificate if it is in the **ISSUED** state. You can
-    # call the CreateCertificateAuthorityAuditReport operation to create a
+    # certificate is returned when you call the IssueCertificate action. You
+    # must specify both the ARN of your private CA and the ARN of the issued
+    # certificate when calling the **GetCertificate** action. You can
+    # retrieve the certificate if it is in the **ISSUED** state. You can
+    # call the CreateCertificateAuthorityAuditReport action to create a
     # report that contains information about all of the certificates issued
     # and revoked by your private CA.
     #
@@ -775,15 +785,15 @@ module Aws::ACMPCA
 
     # Retrieves the certificate signing request (CSR) for your private
     # certificate authority (CA). The CSR is created when you call the
-    # CreateCertificateAuthority operation. Take the CSR to your on-premises
-    # X.509 infrastructure and sign it by using your root or a subordinate
-    # CA. Then import the signed certificate back into ACM PCA by calling
-    # the ImportCertificateAuthorityCertificate operation. The CSR is
-    # returned as a base64 PEM-encoded string.
+    # CreateCertificateAuthority action. Sign the CSR with your ACM Private
+    # CA-hosted or on-premises root or subordinate CA. Then import the
+    # signed certificate back into ACM Private CA by calling the
+    # ImportCertificateAuthorityCertificate action. The CSR is returned as a
+    # base64 PEM-encoded string.
     #
     # @option params [required, String] :certificate_authority_arn
     #   The Amazon Resource Name (ARN) that was returned when you called the
-    #   CreateCertificateAuthority operation. This must be of the form:
+    #   CreateCertificateAuthority action. This must be of the form:
     #
     #   `arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012
     #   `
@@ -811,31 +821,42 @@ module Aws::ACMPCA
       req.send_request(options)
     end
 
-    # Imports your signed private CA certificate into ACM PCA. Before you
-    # can call this operation, you must create the private certificate
-    # authority by calling the CreateCertificateAuthority operation. You
-    # must then generate a certificate signing request (CSR) by calling the
-    # GetCertificateAuthorityCsr operation. Take the CSR to your on-premises
-    # CA and use the root certificate or a subordinate certificate to sign
-    # it. Create a certificate chain and copy the signed certificate and the
-    # certificate chain to your working directory.
-    #
-    # <note markdown="1"> Your certificate chain must not include the private CA certificate
-    # that you are importing.
+    # Imports a signed private CA certificate into ACM Private CA. This
+    # action is used when you are using a chain of trust whose root is
+    # located outside ACM Private CA. Before you can call this action, the
+    # following preparations must in place:
     #
-    #  </note>
+    # 1.  In ACM Private CA, call the CreateCertificateAuthority action to
+    #     create the private CA that that you plan to back with the imported
+    #     certificate.
     #
-    # <note markdown="1"> Your on-premises CA certificate must be the last certificate in your
-    # chain. The subordinate certificate, if any, that your root CA signed
-    # must be next to last. The subordinate certificate signed by the
-    # preceding subordinate CA must come next, and so on until your chain is
-    # built.
+    # 2.  Call the GetCertificateAuthorityCsr action to generate a
+    #     certificate signing request (CSR).
     #
-    #  </note>
+    # 3.  Sign the CSR using a root or intermediate CA hosted either by an
+    #     on-premises PKI hierarchy or a commercial CA..
     #
-    # <note markdown="1"> The chain must be PEM-encoded.
+    # 4.  Create a certificate chain and copy the signed certificate and the
+    #     certificate chain to your working directory.
     #
-    #  </note>
+    # The following requirements apply when you import a CA certificate.
+    #
+    # * You cannot import a non-self-signed certificate for use as a root
+    #   CA.
+    #
+    # * You cannot import a self-signed certificate for use as a subordinate
+    #   CA.
+    #
+    # * Your certificate chain must not include the private CA certificate
+    #   that you are importing.
+    #
+    # * Your ACM Private CA-hosted or on-premises CA certificate must be the
+    #   last certificate in your chain. The subordinate certificate, if any,
+    #   that your root CA signed must be next to last. The subordinate
+    #   certificate signed by the preceding subordinate CA must come next,
+    #   and so on until your chain is built.
+    #
+    # * The chain must be PEM-encoded.
     #
     # @option params [required, String] :certificate_authority_arn
     #   The Amazon Resource Name (ARN) that was returned when you called
@@ -845,14 +866,18 @@ module Aws::ACMPCA
     #   `
     #
     # @option params [required, String, IO] :certificate
-    #   The PEM-encoded certificate for your private CA. This must be signed
-    #   by using your on-premises CA.
+    #   The PEM-encoded certificate for a private CA. This may be a
+    #   self-signed certificate in the case of a root CA, or it may be signed
+    #   by another CA that you control.
     #
-    # @option params [required, String, IO] :certificate_chain
+    # @option params [String, IO] :certificate_chain
     #   A PEM-encoded file that contains all of your certificates, other than
     #   the certificate you're importing, chaining up to your root CA. Your
-    #   on-premises root certificate is the last in the chain, and each
-    #   certificate in the chain signs the one preceding.
+    #   ACM Private CA-hosted or on-premises root certificate is the last in
+    #   the chain, and each certificate in the chain signs the one preceding.
+    #
+    #   This parameter must be supplied when you import a subordinate CA. When
+    #   you import a root CA, there is no chain.
     #
     # @return [Struct] Returns an empty {Seahorse::Client::Response response}.
     #
@@ -861,7 +886,7 @@ module Aws::ACMPCA
     #   resp = client.import_certificate_authority_certificate({
     #     certificate_authority_arn: "Arn", # required
     #     certificate: "data", # required
-    #     certificate_chain: "data", # required
+    #     certificate_chain: "data",
     #   })
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/ImportCertificateAuthorityCertificate AWS API Documentation
@@ -874,12 +899,13 @@ module Aws::ACMPCA
     end
 
     # Uses your private certificate authority (CA) to issue a client
-    # certificate. This operation returns the Amazon Resource Name (ARN) of
-    # the certificate. You can retrieve the certificate by calling the
-    # GetCertificate operation and specifying the ARN.
+    # certificate. This action returns the Amazon Resource Name (ARN) of the
+    # certificate. You can retrieve the certificate by calling the
+    # GetCertificate action and specifying the ARN.
     #
-    # <note markdown="1"> You cannot use the ACM **ListCertificateAuthorities** operation to
-    # retrieve the ARNs of the certificates that you issue by using ACM PCA.
+    # <note markdown="1"> You cannot use the ACM **ListCertificateAuthorities** action to
+    # retrieve the ARNs of the certificates that you issue by using ACM
+    # Private CA.
     #
     #  </note>
     #
@@ -910,16 +936,42 @@ module Aws::ACMPCA
     #   The name of the algorithm that will be used to sign the certificate to
     #   be issued.
     #
+    # @option params [String] :template_arn
+    #   Specifies a custom configuration template to use when issuing a
+    #   certificate. If this parameter is not provided, ACM Private CA
+    #   defaults to the `EndEntityCertificate/V1` template.
+    #
+    #   The following service-owned `TemplateArn` values are supported by ACM
+    #   Private CA:
+    #
+    #   * arn:aws:acm-pca:::template/EndEntityCertificate/V1
+    #
+    #   * arn:aws:acm-pca:::template/SubordinateCACertificate\_PathLen0/V1
+    #
+    #   * arn:aws:acm-pca:::template/SubordinateCACertificate\_PathLen1/V1
+    #
+    #   * arn:aws:acm-pca:::template/SubordinateCACertificate\_PathLen2/V1
+    #
+    #   * arn:aws:acm-pca:::template/SubordinateCACertificate\_PathLen3/V1
+    #
+    #   * arn:aws:acm-pca:::template/RootCACertificate/V1
+    #
+    #   For more information, see [Using Templates][1].
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/acm-pca/latest/userguide/UsingTemplates.html
+    #
     # @option params [required, Types::Validity] :validity
     #   The type of the validity period.
     #
     # @option params [String] :idempotency_token
     #   Custom string that can be used to distinguish between calls to the
-    #   **IssueCertificate** operation. Idempotency tokens time out after one
+    #   **IssueCertificate** action. Idempotency tokens time out after one
     #   hour. Therefore, if you call **IssueCertificate** multiple times with
-    #   the same idempotency token within 5 minutes, ACM PCA recognizes that
-    #   you are requesting only one certificate and will issue only one. If
-    #   you change the idempotency token for each call, PCA recognizes that
+    #   the same idempotency token within 5 minutes, ACM Private CA recognizes
+    #   that you are requesting only one certificate and will issue only one.
+    #   If you change the idempotency token for each call, PCA recognizes that
     #   you are requesting multiple certificates.
     #
     # @return [Types::IssueCertificateResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
@@ -932,6 +984,7 @@ module Aws::ACMPCA
     #     certificate_authority_arn: "Arn", # required
     #     csr: "data", # required
     #     signing_algorithm: "SHA256WITHECDSA", # required, accepts SHA256WITHECDSA, SHA384WITHECDSA, SHA512WITHECDSA, SHA256WITHRSA, SHA384WITHRSA, SHA512WITHRSA
+    #     template_arn: "Arn",
     #     validity: { # required
     #       value: 1, # required
     #       type: "END_DATE", # required, accepts END_DATE, ABSOLUTE, DAYS, MONTHS, YEARS
@@ -953,7 +1006,7 @@ module Aws::ACMPCA
     end
 
     # Lists the private certificate authorities that you created by using
-    # the CreateCertificateAuthority operation.
+    # the CreateCertificateAuthority action.
     #
     # @option params [String] :next_token
     #   Use this parameter when paginating results in a subsequent request
@@ -986,7 +1039,7 @@ module Aws::ACMPCA
     #   resp.certificate_authorities[0].arn #=> String
     #   resp.certificate_authorities[0].created_at #=> Time
     #   resp.certificate_authorities[0].last_state_change_at #=> Time
-    #   resp.certificate_authorities[0].type #=> String, one of "SUBORDINATE"
+    #   resp.certificate_authorities[0].type #=> String, one of "ROOT", "SUBORDINATE"
     #   resp.certificate_authorities[0].serial #=> String
     #   resp.certificate_authorities[0].status #=> String, one of "CREATING", "PENDING_CERTIFICATE", "ACTIVE", "DELETED", "DISABLED", "EXPIRED", "FAILED"
     #   resp.certificate_authorities[0].not_before #=> Time
@@ -1026,15 +1079,15 @@ module Aws::ACMPCA
 
     # Lists all the permissions, if any, that have been assigned by a
     # private CA. Permissions can be granted with the CreatePermission
-    # operation and revoked with the DeletePermission operation.
+    # action and revoked with the DeletePermission action.
     #
     # @option params [required, String] :certificate_authority_arn
     #   The Amazon Resource Number (ARN) of the private CA to inspect. You can
-    #   find the ARN by calling the ListCertificateAuthorities operation. This
+    #   find the ARN by calling the ListCertificateAuthorities action. This
     #   must be of the form:
     #   `arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012`
     #   You can get a private CA's ARN by running the
-    #   ListCertificateAuthorities operation.
+    #   ListCertificateAuthorities action.
     #
     # @option params [String] :next_token
     #   When paginating results, use this parameter in a subsequent request
@@ -1085,12 +1138,12 @@ module Aws::ACMPCA
     # Lists the tags, if any, that are associated with your private CA. Tags
     # are labels that you can use to identify and organize your CAs. Each
     # tag consists of a key and an optional value. Call the
-    # TagCertificateAuthority operation to add one or more tags to your CA.
-    # Call the UntagCertificateAuthority operation to remove tags.
+    # TagCertificateAuthority action to add one or more tags to your CA.
+    # Call the UntagCertificateAuthority action to remove tags.
     #
     # @option params [required, String] :certificate_authority_arn
     #   The Amazon Resource Name (ARN) that was returned when you called the
-    #   CreateCertificateAuthority operation. This must be of the form:
+    #   CreateCertificateAuthority action. This must be of the form:
     #
     #   `arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012
     #   `
@@ -1139,24 +1192,23 @@ module Aws::ACMPCA
     # Restores a certificate authority (CA) that is in the `DELETED` state.
     # You can restore a CA during the period that you defined in the
     # **PermanentDeletionTimeInDays** parameter of the
-    # DeleteCertificateAuthority operation. Currently, you can specify 7 to
-    # 30 days. If you did not specify a **PermanentDeletionTimeInDays**
-    # value, by default you can restore the CA at any time in a 30 day
-    # period. You can check the time remaining in the restoration period of
-    # a private CA in the `DELETED` state by calling the
-    # DescribeCertificateAuthority or ListCertificateAuthorities operations.
-    # The status of a restored CA is set to its pre-deletion status when the
-    # **RestoreCertificateAuthority** operation returns. To change its
-    # status to `ACTIVE`, call the UpdateCertificateAuthority operation. If
-    # the private CA was in the `PENDING_CERTIFICATE` state at deletion, you
-    # must use the ImportCertificateAuthorityCertificate operation to import
-    # a certificate authority into the private CA before it can be
-    # activated. You cannot restore a CA after the restoration period has
-    # ended.
+    # DeleteCertificateAuthority action. Currently, you can specify 7 to 30
+    # days. If you did not specify a **PermanentDeletionTimeInDays** value,
+    # by default you can restore the CA at any time in a 30 day period. You
+    # can check the time remaining in the restoration period of a private CA
+    # in the `DELETED` state by calling the DescribeCertificateAuthority or
+    # ListCertificateAuthorities actions. The status of a restored CA is set
+    # to its pre-deletion status when the **RestoreCertificateAuthority**
+    # action returns. To change its status to `ACTIVE`, call the
+    # UpdateCertificateAuthority action. If the private CA was in the
+    # `PENDING_CERTIFICATE` state at deletion, you must use the
+    # ImportCertificateAuthorityCertificate action to import a certificate
+    # authority into the private CA before it can be activated. You cannot
+    # restore a CA after the restoration period has ended.
     #
     # @option params [required, String] :certificate_authority_arn
     #   The Amazon Resource Name (ARN) that was returned when you called the
-    #   CreateCertificateAuthority operation. This must be of the form:
+    #   CreateCertificateAuthority action. This must be of the form:
     #
     #   `arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012
     #   `
@@ -1178,15 +1230,19 @@ module Aws::ACMPCA
       req.send_request(options)
     end
 
-    # Revokes a certificate that you issued by calling the IssueCertificate
-    # operation. If you enable a certificate revocation list (CRL) when you
-    # create or update your private CA, information about the revoked
-    # certificates will be included in the CRL. ACM PCA writes the CRL to an
-    # S3 bucket that you specify. For more information about revocation, see
-    # the CrlConfiguration structure. ACM PCA also writes revocation
+    # Revokes a certificate that was issued inside ACM Private CA. If you
+    # enable a certificate revocation list (CRL) when you create or update
+    # your private CA, information about the revoked certificates will be
+    # included in the CRL. ACM Private CA writes the CRL to an S3 bucket
+    # that you specify. For more information about revocation, see the
+    # CrlConfiguration structure. ACM Private CA also writes revocation
     # information to the audit report. For more information, see
     # CreateCertificateAuthorityAuditReport.
     #
+    # <note markdown="1"> You cannot revoke a root CA self-signed certificate.
+    #
+    #  </note>
+    #
     # @option params [required, String] :certificate_authority_arn
     #   Amazon Resource Name (ARN) of the private CA that issued the
     #   certificate to be revoked. This must be of the form:
@@ -1198,15 +1254,15 @@ module Aws::ACMPCA
     #   Serial number of the certificate to be revoked. This must be in
     #   hexadecimal format. You can retrieve the serial number by calling
     #   GetCertificate with the Amazon Resource Name (ARN) of the certificate
-    #   you want and the ARN of your private CA. The **GetCertificate**
-    #   operation retrieves the certificate in the PEM format. You can use the
-    #   following OpenSSL command to list the certificate in text format and
-    #   copy the hexadecimal serial number.
+    #   you want and the ARN of your private CA. The **GetCertificate** action
+    #   retrieves the certificate in the PEM format. You can use the following
+    #   OpenSSL command to list the certificate in text format and copy the
+    #   hexadecimal serial number.
     #
     #   `openssl x509 -in file_path -text -noout`
     #
     #   You can also copy the serial number from the console or use the
-    #   [DescribeCertificate][1] operation in the *AWS Certificate Manager API
+    #   [DescribeCertificate][1] action in the *AWS Certificate Manager API
     #   Reference*.
     #
     #
@@ -1243,8 +1299,8 @@ module Aws::ACMPCA
     # to identify a specific characteristic of that CA, or you can apply the
     # same tag to multiple private CAs if you want to filter for a common
     # relationship among those CAs. To remove one or more tags, use the
-    # UntagCertificateAuthority operation. Call the ListTags operation to
-    # see what tags are associated with your CA.
+    # UntagCertificateAuthority action. Call the ListTags action to see what
+    # tags are associated with your CA.
     #
     # @option params [required, String] :certificate_authority_arn
     #   The Amazon Resource Name (ARN) that was returned when you called
@@ -1281,11 +1337,11 @@ module Aws::ACMPCA
 
     # Remove one or more tags from your private CA. A tag consists of a
     # key-value pair. If you do not specify the value portion of the tag
-    # when calling this operation, the tag will be removed regardless of
-    # value. If you specify a value, the tag is removed only if it is
-    # associated with the specified value. To add tags to a private CA, use
-    # the TagCertificateAuthority. Call the ListTags operation to see what
-    # tags are associated with your CA.
+    # when calling this action, the tag will be removed regardless of value.
+    # If you specify a value, the tag is removed only if it is associated
+    # with the specified value. To add tags to a private CA, use the
+    # TagCertificateAuthority. Call the ListTags action to see what tags are
+    # associated with your CA.
     #
     # @option params [required, String] :certificate_authority_arn
     #   The Amazon Resource Name (ARN) that was returned when you called
@@ -1378,7 +1434,7 @@ module Aws::ACMPCA
         params: params,
         config: config)
       context[:gem_name] = 'aws-sdk-acmpca'
-      context[:gem_version] = '1.17.0'
+      context[:gem_version] = '1.18.0'
       Seahorse::Client::Request.new(handlers, context)
     end
 

data/lib/aws-sdk-acmpca/client_api.rb

@@ -61,6 +61,7 @@ module Aws::ACMPCA
     InvalidArnException = Shapes::StructureShape.new(name: 'InvalidArnException')
     InvalidNextTokenException = Shapes::StructureShape.new(name: 'InvalidNextTokenException')
     InvalidPolicyException = Shapes::StructureShape.new(name: 'InvalidPolicyException')
+    InvalidRequestException = Shapes::StructureShape.new(name: 'InvalidRequestException')
     InvalidStateException = Shapes::StructureShape.new(name: 'InvalidStateException')
     InvalidTagException = Shapes::StructureShape.new(name: 'InvalidTagException')
     IssueCertificateRequest = Shapes::StructureShape.new(name: 'IssueCertificateRequest')
@@ -237,7 +238,7 @@ module Aws::ACMPCA
 
     ImportCertificateAuthorityCertificateRequest.add_member(:certificate_authority_arn, Shapes::ShapeRef.new(shape: Arn, required: true, location_name: "CertificateAuthorityArn"))
     ImportCertificateAuthorityCertificateRequest.add_member(:certificate, Shapes::ShapeRef.new(shape: CertificateBodyBlob, required: true, location_name: "Certificate"))
-    ImportCertificateAuthorityCertificateRequest.add_member(:certificate_chain, Shapes::ShapeRef.new(shape: CertificateChainBlob, required: true, location_name: "CertificateChain"))
+    ImportCertificateAuthorityCertificateRequest.add_member(:certificate_chain, Shapes::ShapeRef.new(shape: CertificateChainBlob, location_name: "CertificateChain"))
     ImportCertificateAuthorityCertificateRequest.struct_class = Types::ImportCertificateAuthorityCertificateRequest
 
     InvalidArgsException.add_member(:message, Shapes::ShapeRef.new(shape: String, location_name: "message"))
@@ -252,6 +253,9 @@ module Aws::ACMPCA
     InvalidPolicyException.add_member(:message, Shapes::ShapeRef.new(shape: String, location_name: "message"))
     InvalidPolicyException.struct_class = Types::InvalidPolicyException
 
+    InvalidRequestException.add_member(:message, Shapes::ShapeRef.new(shape: String, location_name: "message"))
+    InvalidRequestException.struct_class = Types::InvalidRequestException
+
     InvalidStateException.add_member(:message, Shapes::ShapeRef.new(shape: String, location_name: "message"))
     InvalidStateException.struct_class = Types::InvalidStateException
 
@@ -261,6 +265,7 @@ module Aws::ACMPCA
     IssueCertificateRequest.add_member(:certificate_authority_arn, Shapes::ShapeRef.new(shape: Arn, required: true, location_name: "CertificateAuthorityArn"))
     IssueCertificateRequest.add_member(:csr, Shapes::ShapeRef.new(shape: CsrBlob, required: true, location_name: "Csr"))
     IssueCertificateRequest.add_member(:signing_algorithm, Shapes::ShapeRef.new(shape: SigningAlgorithm, required: true, location_name: "SigningAlgorithm"))
+    IssueCertificateRequest.add_member(:template_arn, Shapes::ShapeRef.new(shape: Arn, location_name: "TemplateArn"))
     IssueCertificateRequest.add_member(:validity, Shapes::ShapeRef.new(shape: Validity, required: true, location_name: "Validity"))
     IssueCertificateRequest.add_member(:idempotency_token, Shapes::ShapeRef.new(shape: IdempotencyToken, location_name: "IdempotencyToken"))
     IssueCertificateRequest.struct_class = Types::IssueCertificateRequest
@@ -517,6 +522,7 @@ module Aws::ACMPCA
         o.errors << Shapes::ShapeRef.new(shape: RequestFailedException)
         o.errors << Shapes::ShapeRef.new(shape: ResourceNotFoundException)
         o.errors << Shapes::ShapeRef.new(shape: InvalidArnException)
+        o.errors << Shapes::ShapeRef.new(shape: InvalidRequestException)
         o.errors << Shapes::ShapeRef.new(shape: InvalidStateException)
         o.errors << Shapes::ShapeRef.new(shape: MalformedCertificateException)
         o.errors << Shapes::ShapeRef.new(shape: CertificateMismatchException)
@@ -578,6 +584,7 @@ module Aws::ACMPCA
         o.output = Shapes::ShapeRef.new(shape: ListTagsResponse)
         o.errors << Shapes::ShapeRef.new(shape: ResourceNotFoundException)
         o.errors << Shapes::ShapeRef.new(shape: InvalidArnException)
+        o.errors << Shapes::ShapeRef.new(shape: InvalidStateException)
         o[:pager] = Aws::Pager.new(
           limit_key: "max_results",
           tokens: {
@@ -605,6 +612,7 @@ module Aws::ACMPCA
         o.output = Shapes::ShapeRef.new(shape: Shapes::StructureShape.new(struct_class: Aws::EmptyStructure))
         o.errors << Shapes::ShapeRef.new(shape: ConcurrentModificationException)
         o.errors << Shapes::ShapeRef.new(shape: InvalidArnException)
+        o.errors << Shapes::ShapeRef.new(shape: InvalidRequestException)
         o.errors << Shapes::ShapeRef.new(shape: InvalidStateException)
         o.errors << Shapes::ShapeRef.new(shape: LimitExceededException)
         o.errors << Shapes::ShapeRef.new(shape: ResourceNotFoundException)

data/lib/aws-sdk-acmpca/errors.rb

@@ -106,6 +106,22 @@ module Aws::ACMPCA
 
     end
 
+    class InvalidRequestException < ServiceError
+
+      # @param [Seahorse::Client::RequestContext] context
+      # @param [String] message
+      # @param [Aws::ACMPCA::Types::InvalidRequestException] data
+      def initialize(context, message, data = Aws::EmptyStructure.new)
+        super(context, message, data)
+      end
+
+      # @return [String]
+      def message
+        @message || @data[:message]
+      end
+
+    end
+
     class InvalidStateException < ServiceError
 
       # @param [Seahorse::Client::RequestContext] context

data/lib/aws-sdk-acmpca/types.rb

@@ -133,12 +133,12 @@ module Aws::ACMPCA
     # Digital certificates verify that the entity named in the certificate
     # **Subject** field owns or controls the public key contained in the
     # **Subject Public Key Info** field. Call the CreateCertificateAuthority
-    # operation to create your private CA. You must then call the
-    # GetCertificateAuthorityCertificate operation to retrieve a private CA
-    # certificate signing request (CSR). Take the CSR to your on-premises CA
-    # and sign it with the root CA certificate or a subordinate certificate.
-    # Call the ImportCertificateAuthorityCertificate operation to import the
-    # signed certificate into AWS Certificate Manager (ACM).
+    # action to create your private CA. You must then call the
+    # GetCertificateAuthorityCertificate action to retrieve a private CA
+    # certificate signing request (CSR). Sign the CSR with your ACM Private
+    # CA-hosted or on-premises root or subordinate CA certificate. Call the
+    # ImportCertificateAuthorityCertificate action to import the signed
+    # certificate into AWS Certificate Manager (ACM).
     #
     # @!attribute [rw] arn
     #   Amazon Resource Name (ARN) for your private certificate authority
@@ -189,7 +189,7 @@ module Aws::ACMPCA
     # @!attribute [rw] restorable_until
     #   The period during which a deleted CA can be restored. For more
     #   information, see the `PermanentDeletionTimeInDays` parameter of the
-    #   DeleteCertificateAuthorityRequest operation.
+    #   DeleteCertificateAuthorityRequest action.
     #   @return [Time]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/CertificateAuthority AWS API Documentation
@@ -216,7 +216,7 @@ module Aws::ACMPCA
     # issues a certificate. It also includes the signature algorithm that it
     # uses when issuing certificates, and its X.500 distinguished name. You
     # must specify this information when you call the
-    # CreateCertificateAuthority operation.
+    # CreateCertificateAuthority action.
     #
     # @note When making an API call, you may pass CertificateAuthorityConfiguration
     #   data as a hash:
@@ -244,7 +244,9 @@ module Aws::ACMPCA
     #
     # @!attribute [rw] key_algorithm
     #   Type of the public key algorithm and size, in bits, of the key pair
-    #   that your key pair creates when it issues a certificate.
+    #   that your CA creates when it issues a certificate. When you create a
+    #   subordinate CA, you must use a key algorithm supported by the parent
+    #   CA.
     #   @return [String]
     #
     # @!attribute [rw] signing_algorithm
@@ -375,7 +377,7 @@ module Aws::ACMPCA
     #             s3_bucket_name: "String3To255",
     #           },
     #         },
-    #         certificate_authority_type: "SUBORDINATE", # required, accepts SUBORDINATE
+    #         certificate_authority_type: "ROOT", # required, accepts ROOT, SUBORDINATE
     #         idempotency_token: "IdempotencyToken",
     #         tags: [
     #           {
@@ -393,15 +395,14 @@ module Aws::ACMPCA
     # @!attribute [rw] revocation_configuration
     #   Contains a Boolean value that you can use to enable a certification
     #   revocation list (CRL) for the CA, the name of the S3 bucket to which
-    #   ACM PCA will write the CRL, and an optional CNAME alias that you can
-    #   use to hide the name of your bucket in the **CRL Distribution
-    #   Points** extension of your CA certificate. For more information, see
-    #   the CrlConfiguration structure.
+    #   ACM Private CA will write the CRL, and an optional CNAME alias that
+    #   you can use to hide the name of your bucket in the **CRL
+    #   Distribution Points** extension of your CA certificate. For more
+    #   information, see the CrlConfiguration structure.
     #   @return [Types::RevocationConfiguration]
     #
     # @!attribute [rw] certificate_authority_type
-    #   The type of the certificate authority. Currently, this must be
-    #   **SUBORDINATE**.
+    #   The type of the certificate authority.
     #   @return [String]
     #
     # @!attribute [rw] idempotency_token
@@ -409,15 +410,23 @@ module Aws::ACMPCA
     #   **CreateCertificateAuthority**. Idempotency tokens time out after
     #   five minutes. Therefore, if you call **CreateCertificateAuthority**
     #   multiple times with the same idempotency token within a five minute
-    #   period, ACM PCA recognizes that you are requesting only one
-    #   certificate. As a result, ACM PCA issues only one. If you change the
-    #   idempotency token for each call, however, ACM PCA recognizes that
-    #   you are requesting multiple certificates.
+    #   period, ACM Private CA recognizes that you are requesting only one
+    #   certificate. As a result, ACM Private CA issues only one. If you
+    #   change the idempotency token for each call, however, ACM Private CA
+    #   recognizes that you are requesting multiple certificates.
     #   @return [String]
     #
     # @!attribute [rw] tags
     #   Key-value pairs that will be attached to the new private CA. You can
-    #   associate up to 50 tags with a private CA.
+    #   associate up to 50 tags with a private CA. For information using
+    #   tags with
+    #
+    #   IAM to manage permissions, see [Controlling Access Using IAM
+    #   Tags][1].
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_iam-tags.html
     #   @return [Array<Types::Tag>]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/CreateCertificateAuthorityRequest AWS API Documentation
@@ -459,7 +468,7 @@ module Aws::ACMPCA
     # @!attribute [rw] certificate_authority_arn
     #   The Amazon Resource Name (ARN) of the CA that grants the
     #   permissions. You can find the ARN by calling the
-    #   ListCertificateAuthorities operation. This must have the following
+    #   ListCertificateAuthorities action. This must have the following
     #   form:
     #
     #   `arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012
@@ -499,7 +508,7 @@ module Aws::ACMPCA
     # specifying a value for the **CustomCname** parameter. Your private CA
     # copies the CNAME or the S3 bucket name to the **CRL Distribution
     # Points** extension of each certificate it issues. Your S3 bucket
-    # policy must give write permission to ACM PCA.
+    # policy must give write permission to ACM Private CA.
     #
     # Your private CA uses the value in the **ExpirationInDays** parameter
     # to calculate the **nextUpdate** field in the CRL. The CRL is refreshed
@@ -550,8 +559,8 @@ module Aws::ACMPCA
     #
     # * **Signature Value**\: Signature computed over the CRL.
     #
-    # Certificate revocation lists created by ACM PCA are DER-encoded. You
-    # can use the following OpenSSL command to list a CRL.
+    # Certificate revocation lists created by ACM Private CA are
+    # DER-encoded. You can use the following OpenSSL command to list a CRL.
     #
     # `openssl crl -inform DER -text -in crl_path -noout`
     #
@@ -569,8 +578,8 @@ module Aws::ACMPCA
     #   Boolean value that specifies whether certificate revocation lists
     #   (CRLs) are enabled. You can use this value to enable certificate
     #   revocation for a new CA when you call the CreateCertificateAuthority
-    #   operation or for an existing CA when you call the
-    #   UpdateCertificateAuthority operation.
+    #   action or for an existing CA when you call the
+    #   UpdateCertificateAuthority action.
     #   @return [Boolean]
     #
     # @!attribute [rw] expiration_in_days
@@ -589,8 +598,9 @@ module Aws::ACMPCA
     #   value for the **CustomCname** argument, the name of your S3 bucket
     #   is placed into the **CRL Distribution Points** extension of the
     #   issued certificate. You can change the name of your bucket by
-    #   calling the UpdateCertificateAuthority operation. You must specify a
-    #   bucket policy that allows ACM PCA to write the CRL to your bucket.
+    #   calling the UpdateCertificateAuthority action. You must specify a
+    #   bucket policy that allows ACM Private CA to write the CRL to your
+    #   bucket.
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/CrlConfiguration AWS API Documentation
@@ -645,7 +655,7 @@ module Aws::ACMPCA
     # @!attribute [rw] certificate_authority_arn
     #   The Amazon Resource Number (ARN) of the private CA that issued the
     #   permissions. You can find the CA's ARN by calling the
-    #   ListCertificateAuthorities operation. This must have the following
+    #   ListCertificateAuthorities action. This must have the following
     #   form:
     #
     #   `arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012
@@ -659,7 +669,7 @@ module Aws::ACMPCA
     #   @return [String]
     #
     # @!attribute [rw] source_account
-    #   The AWS account that calls this operation.
+    #   The AWS account that calls this action.
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/DeletePermissionRequest AWS API Documentation
@@ -689,7 +699,7 @@ module Aws::ACMPCA
     #
     # @!attribute [rw] audit_report_id
     #   The report ID returned by calling the
-    #   CreateCertificateAuthorityAuditReport operation.
+    #   CreateCertificateAuthorityAuditReport action.
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/DescribeCertificateAuthorityAuditReportRequest AWS API Documentation
@@ -792,7 +802,8 @@ module Aws::ACMPCA
     #   Base64-encoded certificate chain that includes any intermediate
     #   certificates and chains up to root on-premises certificate that you
     #   used to sign your private CA certificate. The chain does not include
-    #   your private CA certificate.
+    #   your private CA certificate. If this is a root CA, the value will be
+    #   null.
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/GetCertificateAuthorityCertificateResponse AWS API Documentation
@@ -812,7 +823,7 @@ module Aws::ACMPCA
     #
     # @!attribute [rw] certificate_authority_arn
     #   The Amazon Resource Name (ARN) that was returned when you called the
-    #   CreateCertificateAuthority operation. This must be of the form:
+    #   CreateCertificateAuthority action. This must be of the form:
     #
     #   `arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012
     #   `
@@ -894,7 +905,7 @@ module Aws::ACMPCA
     #       {
     #         certificate_authority_arn: "Arn", # required
     #         certificate: "data", # required
-    #         certificate_chain: "data", # required
+    #         certificate_chain: "data",
     #       }
     #
     # @!attribute [rw] certificate_authority_arn
@@ -906,15 +917,20 @@ module Aws::ACMPCA
     #   @return [String]
     #
     # @!attribute [rw] certificate
-    #   The PEM-encoded certificate for your private CA. This must be signed
-    #   by using your on-premises CA.
+    #   The PEM-encoded certificate for a private CA. This may be a
+    #   self-signed certificate in the case of a root CA, or it may be
+    #   signed by another CA that you control.
     #   @return [String]
     #
     # @!attribute [rw] certificate_chain
     #   A PEM-encoded file that contains all of your certificates, other
     #   than the certificate you're importing, chaining up to your root CA.
-    #   Your on-premises root certificate is the last in the chain, and each
-    #   certificate in the chain signs the one preceding.
+    #   Your ACM Private CA-hosted or on-premises root certificate is the
+    #   last in the chain, and each certificate in the chain signs the one
+    #   preceding.
+    #
+    #   This parameter must be supplied when you import a subordinate CA.
+    #   When you import a root CA, there is no chain.
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/ImportCertificateAuthorityCertificateRequest AWS API Documentation
@@ -964,8 +980,9 @@ module Aws::ACMPCA
       include Aws::Structure
     end
 
-    # The S3 bucket policy is not valid. The policy must give ACM PCA rights
-    # to read from and write to the bucket and find the bucket location.
+    # The S3 bucket policy is not valid. The policy must give ACM Private CA
+    # rights to read from and write to the bucket and find the bucket
+    # location.
     #
     # @!attribute [rw] message
     #   @return [String]
@@ -977,6 +994,18 @@ module Aws::ACMPCA
       include Aws::Structure
     end
 
+    # The request action cannot be performed or is prohibited.
+    #
+    # @!attribute [rw] message
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/InvalidRequestException AWS API Documentation
+    #
+    class InvalidRequestException < Struct.new(
+      :message)
+      include Aws::Structure
+    end
+
     # The private CA is in a state during which a report or certificate
     # cannot be generated.
     #
@@ -1010,6 +1039,7 @@ module Aws::ACMPCA
     #         certificate_authority_arn: "Arn", # required
     #         csr: "data", # required
     #         signing_algorithm: "SHA256WITHECDSA", # required, accepts SHA256WITHECDSA, SHA384WITHECDSA, SHA512WITHECDSA, SHA256WITHRSA, SHA384WITHRSA, SHA512WITHRSA
+    #         template_arn: "Arn",
     #         validity: { # required
     #           value: 1, # required
     #           type: "END_DATE", # required, accepts END_DATE, ABSOLUTE, DAYS, MONTHS, YEARS
@@ -1047,18 +1077,45 @@ module Aws::ACMPCA
     #   to be issued.
     #   @return [String]
     #
+    # @!attribute [rw] template_arn
+    #   Specifies a custom configuration template to use when issuing a
+    #   certificate. If this parameter is not provided, ACM Private CA
+    #   defaults to the `EndEntityCertificate/V1` template.
+    #
+    #   The following service-owned `TemplateArn` values are supported by
+    #   ACM Private CA:
+    #
+    #   * arn:aws:acm-pca:::template/EndEntityCertificate/V1
+    #
+    #   * arn:aws:acm-pca:::template/SubordinateCACertificate\_PathLen0/V1
+    #
+    #   * arn:aws:acm-pca:::template/SubordinateCACertificate\_PathLen1/V1
+    #
+    #   * arn:aws:acm-pca:::template/SubordinateCACertificate\_PathLen2/V1
+    #
+    #   * arn:aws:acm-pca:::template/SubordinateCACertificate\_PathLen3/V1
+    #
+    #   * arn:aws:acm-pca:::template/RootCACertificate/V1
+    #
+    #   For more information, see [Using Templates][1].
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/acm-pca/latest/userguide/UsingTemplates.html
+    #   @return [String]
+    #
     # @!attribute [rw] validity
     #   The type of the validity period.
     #   @return [Types::Validity]
     #
     # @!attribute [rw] idempotency_token
     #   Custom string that can be used to distinguish between calls to the
-    #   **IssueCertificate** operation. Idempotency tokens time out after
-    #   one hour. Therefore, if you call **IssueCertificate** multiple times
-    #   with the same idempotency token within 5 minutes, ACM PCA recognizes
-    #   that you are requesting only one certificate and will issue only
-    #   one. If you change the idempotency token for each call, PCA
-    #   recognizes that you are requesting multiple certificates.
+    #   **IssueCertificate** action. Idempotency tokens time out after one
+    #   hour. Therefore, if you call **IssueCertificate** multiple times
+    #   with the same idempotency token within 5 minutes, ACM Private CA
+    #   recognizes that you are requesting only one certificate and will
+    #   issue only one. If you change the idempotency token for each call,
+    #   PCA recognizes that you are requesting multiple certificates.
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/IssueCertificateRequest AWS API Documentation
@@ -1067,6 +1124,7 @@ module Aws::ACMPCA
       :certificate_authority_arn,
       :csr,
       :signing_algorithm,
+      :template_arn,
       :validity,
       :idempotency_token)
       include Aws::Structure
@@ -1087,8 +1145,8 @@ module Aws::ACMPCA
       include Aws::Structure
     end
 
-    # An ACM PCA limit has been exceeded. See the exception message returned
-    # to determine the limit that was exceeded.
+    # An ACM Private CA limit has been exceeded. See the exception message
+    # returned to determine the limit that was exceeded.
     #
     # @!attribute [rw] message
     #   @return [String]
@@ -1160,11 +1218,11 @@ module Aws::ACMPCA
     #
     # @!attribute [rw] certificate_authority_arn
     #   The Amazon Resource Number (ARN) of the private CA to inspect. You
-    #   can find the ARN by calling the ListCertificateAuthorities
-    #   operation. This must be of the form:
+    #   can find the ARN by calling the ListCertificateAuthorities action.
+    #   This must be of the form:
     #   `arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012`
     #   You can get a private CA's ARN by running the
-    #   ListCertificateAuthorities operation.
+    #   ListCertificateAuthorities action.
     #   @return [String]
     #
     # @!attribute [rw] next_token
@@ -1220,7 +1278,7 @@ module Aws::ACMPCA
     #
     # @!attribute [rw] certificate_authority_arn
     #   The Amazon Resource Name (ARN) that was returned when you called the
-    #   CreateCertificateAuthority operation. This must be of the form:
+    #   CreateCertificateAuthority action. This must be of the form:
     #
     #   `arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012
     #   `
@@ -1290,13 +1348,13 @@ module Aws::ACMPCA
       include Aws::Structure
     end
 
-    # Permissions designate which private CA operations can be performed by
-    # an AWS service or entity. In order for ACM to automatically renew
-    # private certificates, you must give the ACM service principal all
-    # available permissions (`IssueCertificate`, `GetCertificate`, and
+    # Permissions designate which private CA actions can be performed by an
+    # AWS service or entity. In order for ACM to automatically renew private
+    # certificates, you must give the ACM service principal all available
+    # permissions (`IssueCertificate`, `GetCertificate`, and
     # `ListPermissions`). Permissions can be assigned with the
-    # CreatePermission operation, removed with the DeletePermission
-    # operation, and listed with the ListPermissions operation.
+    # CreatePermission action, removed with the DeletePermission action, and
+    # listed with the ListPermissions action.
     #
     # @!attribute [rw] certificate_authority_arn
     #   The Amazon Resource Number (ARN) of the private CA from which the
@@ -1317,8 +1375,8 @@ module Aws::ACMPCA
     #   @return [String]
     #
     # @!attribute [rw] actions
-    #   The private CA operations that can be performed by the designated
-    #   AWS service.
+    #   The private CA actions that can be performed by the designated AWS
+    #   service.
     #   @return [Array<String>]
     #
     # @!attribute [rw] policy
@@ -1407,7 +1465,7 @@ module Aws::ACMPCA
     #
     # @!attribute [rw] certificate_authority_arn
     #   The Amazon Resource Name (ARN) that was returned when you called the
-    #   CreateCertificateAuthority operation. This must be of the form:
+    #   CreateCertificateAuthority action. This must be of the form:
     #
     #   `arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012
     #   `
@@ -1421,7 +1479,7 @@ module Aws::ACMPCA
     end
 
     # Certificate revocation information used by the
-    # CreateCertificateAuthority and UpdateCertificateAuthority operations.
+    # CreateCertificateAuthority and UpdateCertificateAuthority actions.
     # Your private certificate authority (CA) can create and maintain a
     # certificate revocation list (CRL). A CRL contains information about
     # certificates revoked by your CA. For more information, see
@@ -1473,15 +1531,15 @@ module Aws::ACMPCA
     #   hexadecimal format. You can retrieve the serial number by calling
     #   GetCertificate with the Amazon Resource Name (ARN) of the
     #   certificate you want and the ARN of your private CA. The
-    #   **GetCertificate** operation retrieves the certificate in the PEM
+    #   **GetCertificate** action retrieves the certificate in the PEM
     #   format. You can use the following OpenSSL command to list the
     #   certificate in text format and copy the hexadecimal serial number.
     #
     #   `openssl x509 -in file_path -text -noout`
     #
     #   You can also copy the serial number from the console or use the
-    #   [DescribeCertificate][1] operation in the *AWS Certificate Manager
-    #   API Reference*.
+    #   [DescribeCertificate][1] action in the *AWS Certificate Manager API
+    #   Reference*.
     #
     #
     #
@@ -1504,8 +1562,8 @@ module Aws::ACMPCA
     # Tags are labels that you can use to identify and organize your private
     # CAs. Each tag consists of a key and an optional value. You can
     # associate up to 50 tags with a private CA. To add one or more tags to
-    # a private CA, call the TagCertificateAuthority operation. To remove a
-    # tag, call the UntagCertificateAuthority operation.
+    # a private CA, call the TagCertificateAuthority action. To remove a
+    # tag, call the UntagCertificateAuthority action.
     #
     # @note When making an API call, you may pass Tag
     #   data as a hash:
@@ -1654,7 +1712,7 @@ module Aws::ACMPCA
     # Length of time for which the certificate issued by your private
     # certificate authority (CA), or by the private CA itself, is valid in
     # days, months, or years. You can issue a certificate by calling the
-    # IssueCertificate operation.
+    # IssueCertificate action.
     #
     # @note When making an API call, you may pass Validity
     #   data as a hash:

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: aws-sdk-acmpca
 version: !ruby/object:Gem::Version
-  version: 1.17.0
+  version: 1.18.0
 platform: ruby
 authors:
 - Amazon Web Services
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2019-06-17 00:00:00.000000000 Z
+date: 2019-06-20 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: aws-sdk-core