aws-sdk-acmpca 1.30.0 → 1.31.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 00c2347bbc506b283aa9fd8cee61a8df05ca898e00bcee9b738abb85e77a9100
-  data.tar.gz: ad05977d7cbba22aed287e314cc154e00f5c4af983fd54df56ea66291cc5dbb3
+  metadata.gz: e9248de24e8f0650decb902183ab1be075185fcbd936d73fa01d60288195baab
+  data.tar.gz: c97ad717942496ed6dd1b9210872f51ee89c5db7795612d43215ab4306ddd8a5
 SHA512:
-  metadata.gz: 11ad57150ae7e8c40434580a1a9aa00e8b9830288468dbab28bb455a1a8fa979cf99199857d62a19b3ee791502baf18bea28317fca2af4996c283b849944e312
-  data.tar.gz: 7f0465156ddef7a3fd19e3270f5bf9476d083c1a150c1982021f40919a101b1783302ad4897d2db24c99f6fa709ff583cb1cbe4ad8c18936d24e1feb311dc178
+  metadata.gz: bb1c7a2154501ecdb1a26f5402da4239c8667255169d172f42a7a7f0f215cff3d08d116a39a0fab7c7efe35b1c57321ecb598d03fc163f43541d6d87e0e44114
+  data.tar.gz: b21951246a975ef7d3a62d4e92ad64775760f60c4297d12382c4510faac8b8c422ccd0ed4ae21d632e1f5c5e3dd3f04fd9210dc395022778c295246d57236ea2

data/lib/aws-sdk-acmpca.rb

@@ -49,6 +49,6 @@ require_relative 'aws-sdk-acmpca/customizations'
 # @!group service
 module Aws::ACMPCA
 
-  GEM_VERSION = '1.30.0'
+  GEM_VERSION = '1.31.0'
 
 end

data/lib/aws-sdk-acmpca/client.rb

@@ -428,6 +428,58 @@ module Aws::ACMPCA
     #         pseudonym: "String128",
     #         generation_qualifier: "String3",
     #       },
+    #       csr_extensions: {
+    #         key_usage: {
+    #           digital_signature: false,
+    #           non_repudiation: false,
+    #           key_encipherment: false,
+    #           data_encipherment: false,
+    #           key_agreement: false,
+    #           key_cert_sign: false,
+    #           crl_sign: false,
+    #           encipher_only: false,
+    #           decipher_only: false,
+    #         },
+    #         subject_information_access: [
+    #           {
+    #             access_method: { # required
+    #               custom_object_identifier: "CustomObjectIdentifier",
+    #               access_method_type: "CA_REPOSITORY", # accepts CA_REPOSITORY, RESOURCE_PKI_MANIFEST, RESOURCE_PKI_NOTIFY
+    #             },
+    #             access_location: { # required
+    #               other_name: {
+    #                 type_id: "CustomObjectIdentifier", # required
+    #                 value: "String256", # required
+    #               },
+    #               rfc_822_name: "String256",
+    #               dns_name: "String253",
+    #               directory_name: {
+    #                 country: "CountryCodeString",
+    #                 organization: "String64",
+    #                 organizational_unit: "String64",
+    #                 distinguished_name_qualifier: "ASN1PrintableString64",
+    #                 state: "String128",
+    #                 common_name: "String64",
+    #                 serial_number: "ASN1PrintableString64",
+    #                 locality: "String128",
+    #                 title: "String64",
+    #                 surname: "String40",
+    #                 given_name: "String16",
+    #                 initials: "String5",
+    #                 pseudonym: "String128",
+    #                 generation_qualifier: "String3",
+    #               },
+    #               edi_party_name: {
+    #                 party_name: "String256", # required
+    #                 name_assigner: "String256",
+    #               },
+    #               uniform_resource_identifier: "String253",
+    #               ip_address: "String39",
+    #               registered_id: "CustomObjectIdentifier",
+    #             },
+    #           },
+    #         ],
+    #       },
     #     },
     #     revocation_configuration: {
     #       crl_configuration: {
@@ -547,12 +599,13 @@ module Aws::ACMPCA
     #   renewals. Instead, the ACM certificate owner must set up a
     #   resource-based policy to enable cross-account issuance and renewals.
     #   For more information, see [Using a Resource Based Policy with ACM
-    #   Private CA](acm-pca/latest/userguide/pca-rbp.html).
+    #   Private CA][3].
     #
     #
     #
     # [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_ListPermissions.html
     # [2]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_DeletePermission.html
+    # [3]: https://docs.aws.amazon.com/acm-pca/latest/userguide/pca-rbp.html
     #
     # @option params [required, String] :certificate_authority_arn
     #   The Amazon Resource Name (ARN) of the CA that grants the permissions.
@@ -695,12 +748,13 @@ module Aws::ACMPCA
     #   renewals. Instead, the ACM certificate owner must set up a
     #   resource-based policy to enable cross-account issuance and renewals.
     #   For more information, see [Using a Resource Based Policy with ACM
-    #   Private CA](acm-pca/latest/userguide/pca-rbp.html).
+    #   Private CA][3].
     #
     #
     #
     # [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_CreatePermission.html
     # [2]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_ListPermissions.html
+    # [3]: https://docs.aws.amazon.com/acm-pca/latest/userguide/pca-rbp.html
     #
     # @option params [required, String] :certificate_authority_arn
     #   The Amazon Resource Number (ARN) of the private CA that issued the
@@ -760,8 +814,7 @@ module Aws::ACMPCA
     # * A policy grants access on a private CA to an AWS customer account,
     #   to AWS Organizations, or to an AWS Organizations unit. Policies are
     #   under the control of a CA administrator. For more information, see
-    #   [Using a Resource Based Policy with ACM Private
-    #   CA](acm-pca/latest/userguide/pca-rbp.html).
+    #   [Using a Resource Based Policy with ACM Private CA][3].
     #
     # * A policy permits a user of AWS Certificate Manager (ACM) to issue
     #   ACM certificates signed by a CA in another account.
@@ -770,18 +823,19 @@ module Aws::ACMPCA
     #   user must configure a Service Linked Role (SLR). The SLR allows the
     #   ACM service to assume the identity of the user, subject to
     #   confirmation against the ACM Private CA policy. For more
-    #   information, see [Using a Service Linked Role with ACM][3].
+    #   information, see [Using a Service Linked Role with ACM][4].
     #
     # * Updates made in AWS Resource Manager (RAM) are reflected in
-    #   policies. For more information, see [Using AWS Resource Access
-    #   Manager (RAM) with ACM Private
-    #   CA](acm-pca/latest/userguide/pca-ram.html).
+    #   policies. For more information, see [Attach a Policy for
+    #   Cross-Account Access][5].
     #
     #
     #
     # [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_GetPolicy.html
     # [2]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_PutPolicy.html
-    # [3]: https://docs.aws.amazon.com/acm/latest/userguide/acm-slr.html
+    # [3]: https://docs.aws.amazon.com/acm-pca/latest/userguide/pca-rbp.html
+    # [4]: https://docs.aws.amazon.com/acm/latest/userguide/acm-slr.html
+    # [5]: https://docs.aws.amazon.com/acm-pca/latest/userguide/pca-ram.html
     #
     # @option params [required, String] :resource_arn
     #   The Amazon Resource Number (ARN) of the private CA that will have its
@@ -887,6 +941,41 @@ module Aws::ACMPCA
     #   resp.certificate_authority.certificate_authority_configuration.subject.initials #=> String
     #   resp.certificate_authority.certificate_authority_configuration.subject.pseudonym #=> String
     #   resp.certificate_authority.certificate_authority_configuration.subject.generation_qualifier #=> String
+    #   resp.certificate_authority.certificate_authority_configuration.csr_extensions.key_usage.digital_signature #=> Boolean
+    #   resp.certificate_authority.certificate_authority_configuration.csr_extensions.key_usage.non_repudiation #=> Boolean
+    #   resp.certificate_authority.certificate_authority_configuration.csr_extensions.key_usage.key_encipherment #=> Boolean
+    #   resp.certificate_authority.certificate_authority_configuration.csr_extensions.key_usage.data_encipherment #=> Boolean
+    #   resp.certificate_authority.certificate_authority_configuration.csr_extensions.key_usage.key_agreement #=> Boolean
+    #   resp.certificate_authority.certificate_authority_configuration.csr_extensions.key_usage.key_cert_sign #=> Boolean
+    #   resp.certificate_authority.certificate_authority_configuration.csr_extensions.key_usage.crl_sign #=> Boolean
+    #   resp.certificate_authority.certificate_authority_configuration.csr_extensions.key_usage.encipher_only #=> Boolean
+    #   resp.certificate_authority.certificate_authority_configuration.csr_extensions.key_usage.decipher_only #=> Boolean
+    #   resp.certificate_authority.certificate_authority_configuration.csr_extensions.subject_information_access #=> Array
+    #   resp.certificate_authority.certificate_authority_configuration.csr_extensions.subject_information_access[0].access_method.custom_object_identifier #=> String
+    #   resp.certificate_authority.certificate_authority_configuration.csr_extensions.subject_information_access[0].access_method.access_method_type #=> String, one of "CA_REPOSITORY", "RESOURCE_PKI_MANIFEST", "RESOURCE_PKI_NOTIFY"
+    #   resp.certificate_authority.certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.other_name.type_id #=> String
+    #   resp.certificate_authority.certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.other_name.value #=> String
+    #   resp.certificate_authority.certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.rfc_822_name #=> String
+    #   resp.certificate_authority.certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.dns_name #=> String
+    #   resp.certificate_authority.certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.directory_name.country #=> String
+    #   resp.certificate_authority.certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.directory_name.organization #=> String
+    #   resp.certificate_authority.certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.directory_name.organizational_unit #=> String
+    #   resp.certificate_authority.certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.directory_name.distinguished_name_qualifier #=> String
+    #   resp.certificate_authority.certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.directory_name.state #=> String
+    #   resp.certificate_authority.certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.directory_name.common_name #=> String
+    #   resp.certificate_authority.certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.directory_name.serial_number #=> String
+    #   resp.certificate_authority.certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.directory_name.locality #=> String
+    #   resp.certificate_authority.certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.directory_name.title #=> String
+    #   resp.certificate_authority.certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.directory_name.surname #=> String
+    #   resp.certificate_authority.certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.directory_name.given_name #=> String
+    #   resp.certificate_authority.certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.directory_name.initials #=> String
+    #   resp.certificate_authority.certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.directory_name.pseudonym #=> String
+    #   resp.certificate_authority.certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.directory_name.generation_qualifier #=> String
+    #   resp.certificate_authority.certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.edi_party_name.party_name #=> String
+    #   resp.certificate_authority.certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.edi_party_name.name_assigner #=> String
+    #   resp.certificate_authority.certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.uniform_resource_identifier #=> String
+    #   resp.certificate_authority.certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.ip_address #=> String
+    #   resp.certificate_authority.certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.registered_id #=> String
     #   resp.certificate_authority.revocation_configuration.crl_configuration.enabled #=> Boolean
     #   resp.certificate_authority.revocation_configuration.crl_configuration.expiration_in_days #=> Integer
     #   resp.certificate_authority.revocation_configuration.crl_configuration.custom_cname #=> String
@@ -1123,16 +1212,14 @@ module Aws::ACMPCA
     # action returns a `ResourceNotFoundException`.
     #
     # The policy can be attached or updated with [PutPolicy][1] and removed
-    # with
-    # [DeletePolicy](acm-pca/latest/APIReference/API_DeletePolicy.html).
+    # with [DeletePolicy][2].
     #
     # **About Policies**
     #
     # * A policy grants access on a private CA to an AWS customer account,
     #   to AWS Organizations, or to an AWS Organizations unit. Policies are
     #   under the control of a CA administrator. For more information, see
-    #   [Using a Resource Based Policy with ACM Private
-    #   CA](acm-pca/latest/userguide/pca-rbp.html).
+    #   [Using a Resource Based Policy with ACM Private CA][3].
     #
     # * A policy permits a user of AWS Certificate Manager (ACM) to issue
     #   ACM certificates signed by a CA in another account.
@@ -1141,17 +1228,19 @@ module Aws::ACMPCA
     #   user must configure a Service Linked Role (SLR). The SLR allows the
     #   ACM service to assume the identity of the user, subject to
     #   confirmation against the ACM Private CA policy. For more
-    #   information, see [Using a Service Linked Role with ACM][2].
+    #   information, see [Using a Service Linked Role with ACM][4].
     #
     # * Updates made in AWS Resource Manager (RAM) are reflected in
-    #   policies. For more information, see [Using AWS Resource Access
-    #   Manager (RAM) with ACM Private
-    #   CA](acm-pca/latest/userguide/pca-ram.html).
+    #   policies. For more information, see [Attach a Policy for
+    #   Cross-Account Access][5].
     #
     #
     #
     # [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_PutPolicy.html
-    # [2]: https://docs.aws.amazon.com/acm/latest/userguide/acm-slr.html
+    # [2]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_DeletePolicy.html
+    # [3]: https://docs.aws.amazon.com/acm-pca/latest/userguide/pca-rbp.html
+    # [4]: https://docs.aws.amazon.com/acm/latest/userguide/acm-slr.html
+    # [5]: https://docs.aws.amazon.com/acm-pca/latest/userguide/pca-ram.html
     #
     # @option params [required, String] :resource_arn
     #   The Amazon Resource Number (ARN) of the private CA that will have its
@@ -1199,22 +1288,31 @@ module Aws::ACMPCA
     # 4.  Create a certificate chain and copy the signed certificate and the
     #     certificate chain to your working directory.
     #
-    # The following requirements apply when you import a CA certificate.
+    # ACM Private CA supports three scenarios for installing a CA
+    # certificate:
+    #
+    # * Installing a certificate for a root CA hosted by ACM Private CA.
     #
-    # * You cannot import a non-self-signed certificate for use as a root
-    #   CA.
+    # * Installing a subordinate CA certificate whose parent authority is
+    #   hosted by ACM Private CA.
     #
-    # * You cannot import a self-signed certificate for use as a subordinate
-    #   CA.
+    # * Installing a subordinate CA certificate whose parent authority is
+    #   externally hosted.
+    #
+    # The following addtitional requirements apply when you import a CA
+    # certificate.
+    #
+    # * Only a self-signed certificate can be imported as a root CA.
+    #
+    # * A self-signed certificate cannot be imported as a subordinate CA.
     #
     # * Your certificate chain must not include the private CA certificate
     #   that you are importing.
     #
-    # * Your ACM Private CA-hosted or on-premises CA certificate must be the
-    #   last certificate in your chain. The subordinate certificate, if any,
-    #   that your root CA signed must be next to last. The subordinate
-    #   certificate signed by the preceding subordinate CA must come next,
-    #   and so on until your chain is built.
+    # * Your root CA must be the last certificate in your chain. The
+    #   subordinate certificate, if any, that your root CA signed must be
+    #   next to last. The subordinate certificate signed by the preceding
+    #   subordinate CA must come next, and so on until your chain is built.
     #
     # * The chain must be PEM-encoded.
     #
@@ -1538,6 +1636,41 @@ module Aws::ACMPCA
     #   resp.certificate_authorities[0].certificate_authority_configuration.subject.initials #=> String
     #   resp.certificate_authorities[0].certificate_authority_configuration.subject.pseudonym #=> String
     #   resp.certificate_authorities[0].certificate_authority_configuration.subject.generation_qualifier #=> String
+    #   resp.certificate_authorities[0].certificate_authority_configuration.csr_extensions.key_usage.digital_signature #=> Boolean
+    #   resp.certificate_authorities[0].certificate_authority_configuration.csr_extensions.key_usage.non_repudiation #=> Boolean
+    #   resp.certificate_authorities[0].certificate_authority_configuration.csr_extensions.key_usage.key_encipherment #=> Boolean
+    #   resp.certificate_authorities[0].certificate_authority_configuration.csr_extensions.key_usage.data_encipherment #=> Boolean
+    #   resp.certificate_authorities[0].certificate_authority_configuration.csr_extensions.key_usage.key_agreement #=> Boolean
+    #   resp.certificate_authorities[0].certificate_authority_configuration.csr_extensions.key_usage.key_cert_sign #=> Boolean
+    #   resp.certificate_authorities[0].certificate_authority_configuration.csr_extensions.key_usage.crl_sign #=> Boolean
+    #   resp.certificate_authorities[0].certificate_authority_configuration.csr_extensions.key_usage.encipher_only #=> Boolean
+    #   resp.certificate_authorities[0].certificate_authority_configuration.csr_extensions.key_usage.decipher_only #=> Boolean
+    #   resp.certificate_authorities[0].certificate_authority_configuration.csr_extensions.subject_information_access #=> Array
+    #   resp.certificate_authorities[0].certificate_authority_configuration.csr_extensions.subject_information_access[0].access_method.custom_object_identifier #=> String
+    #   resp.certificate_authorities[0].certificate_authority_configuration.csr_extensions.subject_information_access[0].access_method.access_method_type #=> String, one of "CA_REPOSITORY", "RESOURCE_PKI_MANIFEST", "RESOURCE_PKI_NOTIFY"
+    #   resp.certificate_authorities[0].certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.other_name.type_id #=> String
+    #   resp.certificate_authorities[0].certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.other_name.value #=> String
+    #   resp.certificate_authorities[0].certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.rfc_822_name #=> String
+    #   resp.certificate_authorities[0].certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.dns_name #=> String
+    #   resp.certificate_authorities[0].certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.directory_name.country #=> String
+    #   resp.certificate_authorities[0].certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.directory_name.organization #=> String
+    #   resp.certificate_authorities[0].certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.directory_name.organizational_unit #=> String
+    #   resp.certificate_authorities[0].certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.directory_name.distinguished_name_qualifier #=> String
+    #   resp.certificate_authorities[0].certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.directory_name.state #=> String
+    #   resp.certificate_authorities[0].certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.directory_name.common_name #=> String
+    #   resp.certificate_authorities[0].certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.directory_name.serial_number #=> String
+    #   resp.certificate_authorities[0].certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.directory_name.locality #=> String
+    #   resp.certificate_authorities[0].certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.directory_name.title #=> String
+    #   resp.certificate_authorities[0].certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.directory_name.surname #=> String
+    #   resp.certificate_authorities[0].certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.directory_name.given_name #=> String
+    #   resp.certificate_authorities[0].certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.directory_name.initials #=> String
+    #   resp.certificate_authorities[0].certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.directory_name.pseudonym #=> String
+    #   resp.certificate_authorities[0].certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.directory_name.generation_qualifier #=> String
+    #   resp.certificate_authorities[0].certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.edi_party_name.party_name #=> String
+    #   resp.certificate_authorities[0].certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.edi_party_name.name_assigner #=> String
+    #   resp.certificate_authorities[0].certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.uniform_resource_identifier #=> String
+    #   resp.certificate_authorities[0].certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.ip_address #=> String
+    #   resp.certificate_authorities[0].certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.registered_id #=> String
     #   resp.certificate_authorities[0].revocation_configuration.crl_configuration.enabled #=> Boolean
     #   resp.certificate_authorities[0].revocation_configuration.crl_configuration.expiration_in_days #=> Integer
     #   resp.certificate_authorities[0].revocation_configuration.crl_configuration.custom_cname #=> String
@@ -1578,12 +1711,13 @@ module Aws::ACMPCA
     #   renewals. Instead, the ACM certificate owner must set up a
     #   resource-based policy to enable cross-account issuance and renewals.
     #   For more information, see [Using a Resource Based Policy with ACM
-    #   Private CA](acm-pca/latest/userguide/pca-rbp.html).
+    #   Private CA][3].
     #
     #
     #
     # [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_CreatePermission.html
     # [2]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_DeletePermission.html
+    # [3]: https://docs.aws.amazon.com/acm-pca/latest/userguide/pca-rbp.html
     #
     # @option params [required, String] :certificate_authority_arn
     #   The Amazon Resource Number (ARN) of the private CA to inspect. You can
@@ -1713,8 +1847,9 @@ module Aws::ACMPCA
 
     # Attaches a resource-based policy to a private CA.
     #
-    # A policy can also be applied by [sharing][1] a private CA through AWS
-    # Resource Access Manager (RAM).
+    # A policy can also be applied by sharing a private CA through AWS
+    # Resource Access Manager (RAM). For more information, see [Attach a
+    # Policy for Cross-Account Access][1].
     #
     # The policy can be displayed with [GetPolicy][2] and removed with
     # [DeletePolicy][3].
@@ -1724,8 +1859,7 @@ module Aws::ACMPCA
     # * A policy grants access on a private CA to an AWS customer account,
     #   to AWS Organizations, or to an AWS Organizations unit. Policies are
     #   under the control of a CA administrator. For more information, see
-    #   [Using a Resource Based Policy with ACM Private
-    #   CA](acm-pca/latest/userguide/pca-rbp.html).
+    #   [Using a Resource Based Policy with ACM Private CA][4].
     #
     # * A policy permits a user of AWS Certificate Manager (ACM) to issue
     #   ACM certificates signed by a CA in another account.
@@ -1734,19 +1868,19 @@ module Aws::ACMPCA
     #   user must configure a Service Linked Role (SLR). The SLR allows the
     #   ACM service to assume the identity of the user, subject to
     #   confirmation against the ACM Private CA policy. For more
-    #   information, see [Using a Service Linked Role with ACM][4].
+    #   information, see [Using a Service Linked Role with ACM][5].
     #
     # * Updates made in AWS Resource Manager (RAM) are reflected in
-    #   policies. For more information, see [Using AWS Resource Access
-    #   Manager (RAM) with ACM Private
-    #   CA](acm-pca/latest/userguide/pca-ram.html).
+    #   policies. For more information, see [Attach a Policy for
+    #   Cross-Account Access][1].
     #
     #
     #
     # [1]: https://docs.aws.amazon.com/acm-pca/latest/userguide/pca-ram.html
     # [2]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_GetPolicy.html
     # [3]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_DeletePolicy.html
-    # [4]: https://docs.aws.amazon.com/acm/latest/userguide/acm-slr.html
+    # [4]: https://docs.aws.amazon.com/acm-pca/latest/userguide/pca-rbp.html
+    # [5]: https://docs.aws.amazon.com/acm/latest/userguide/acm-slr.html
     #
     # @option params [required, String] :resource_arn
     #   The Amazon Resource Number (ARN) of the private CA to associate with
@@ -2095,7 +2229,7 @@ module Aws::ACMPCA
         params: params,
         config: config)
       context[:gem_name] = 'aws-sdk-acmpca'
-      context[:gem_version] = '1.30.0'
+      context[:gem_version] = '1.31.0'
       Seahorse::Client::Request.new(handlers, context)
     end
 

data/lib/aws-sdk-acmpca/client_api.rb

@@ -16,6 +16,10 @@ module Aws::ACMPCA
     ASN1PrintableString64 = Shapes::StringShape.new(name: 'ASN1PrintableString64')
     ASN1Subject = Shapes::StructureShape.new(name: 'ASN1Subject')
     AWSPolicy = Shapes::StringShape.new(name: 'AWSPolicy')
+    AccessDescription = Shapes::StructureShape.new(name: 'AccessDescription')
+    AccessDescriptionList = Shapes::ListShape.new(name: 'AccessDescriptionList')
+    AccessMethod = Shapes::StructureShape.new(name: 'AccessMethod')
+    AccessMethodType = Shapes::StringShape.new(name: 'AccessMethodType')
     AccountId = Shapes::StringShape.new(name: 'AccountId')
     ActionList = Shapes::ListShape.new(name: 'ActionList')
     ActionType = Shapes::StringShape.new(name: 'ActionType')
@@ -44,6 +48,8 @@ module Aws::ACMPCA
     CrlConfiguration = Shapes::StructureShape.new(name: 'CrlConfiguration')
     CsrBlob = Shapes::BlobShape.new(name: 'CsrBlob')
     CsrBody = Shapes::StringShape.new(name: 'CsrBody')
+    CsrExtensions = Shapes::StructureShape.new(name: 'CsrExtensions')
+    CustomObjectIdentifier = Shapes::StringShape.new(name: 'CustomObjectIdentifier')
     DeleteCertificateAuthorityRequest = Shapes::StructureShape.new(name: 'DeleteCertificateAuthorityRequest')
     DeletePermissionRequest = Shapes::StructureShape.new(name: 'DeletePermissionRequest')
     DeletePolicyRequest = Shapes::StructureShape.new(name: 'DeletePolicyRequest')
@@ -51,7 +57,9 @@ module Aws::ACMPCA
     DescribeCertificateAuthorityAuditReportResponse = Shapes::StructureShape.new(name: 'DescribeCertificateAuthorityAuditReportResponse')
     DescribeCertificateAuthorityRequest = Shapes::StructureShape.new(name: 'DescribeCertificateAuthorityRequest')
     DescribeCertificateAuthorityResponse = Shapes::StructureShape.new(name: 'DescribeCertificateAuthorityResponse')
+    EdiPartyName = Shapes::StructureShape.new(name: 'EdiPartyName')
     FailureReason = Shapes::StringShape.new(name: 'FailureReason')
+    GeneralName = Shapes::StructureShape.new(name: 'GeneralName')
     GetCertificateAuthorityCertificateRequest = Shapes::StructureShape.new(name: 'GetCertificateAuthorityCertificateRequest')
     GetCertificateAuthorityCertificateResponse = Shapes::StructureShape.new(name: 'GetCertificateAuthorityCertificateResponse')
     GetCertificateAuthorityCsrRequest = Shapes::StructureShape.new(name: 'GetCertificateAuthorityCsrRequest')
@@ -73,6 +81,7 @@ module Aws::ACMPCA
     IssueCertificateRequest = Shapes::StructureShape.new(name: 'IssueCertificateRequest')
     IssueCertificateResponse = Shapes::StructureShape.new(name: 'IssueCertificateResponse')
     KeyAlgorithm = Shapes::StringShape.new(name: 'KeyAlgorithm')
+    KeyUsage = Shapes::StructureShape.new(name: 'KeyUsage')
     LimitExceededException = Shapes::StructureShape.new(name: 'LimitExceededException')
     ListCertificateAuthoritiesRequest = Shapes::StructureShape.new(name: 'ListCertificateAuthoritiesRequest')
     ListCertificateAuthoritiesResponse = Shapes::StructureShape.new(name: 'ListCertificateAuthoritiesResponse')
@@ -85,6 +94,7 @@ module Aws::ACMPCA
     MalformedCertificateException = Shapes::StructureShape.new(name: 'MalformedCertificateException')
     MaxResults = Shapes::IntegerShape.new(name: 'MaxResults')
     NextToken = Shapes::StringShape.new(name: 'NextToken')
+    OtherName = Shapes::StructureShape.new(name: 'OtherName')
     PermanentDeletionTimeInDays = Shapes::IntegerShape.new(name: 'PermanentDeletionTimeInDays')
     Permission = Shapes::StructureShape.new(name: 'Permission')
     PermissionAlreadyExistsException = Shapes::StructureShape.new(name: 'PermissionAlreadyExistsException')
@@ -108,7 +118,9 @@ module Aws::ACMPCA
     String128 = Shapes::StringShape.new(name: 'String128')
     String16 = Shapes::StringShape.new(name: 'String16')
     String253 = Shapes::StringShape.new(name: 'String253')
+    String256 = Shapes::StringShape.new(name: 'String256')
     String3 = Shapes::StringShape.new(name: 'String3')
+    String39 = Shapes::StringShape.new(name: 'String39')
     String3To255 = Shapes::StringShape.new(name: 'String3To255')
     String40 = Shapes::StringShape.new(name: 'String40')
     String5 = Shapes::StringShape.new(name: 'String5')
@@ -141,6 +153,16 @@ module Aws::ACMPCA
     ASN1Subject.add_member(:generation_qualifier, Shapes::ShapeRef.new(shape: String3, location_name: "GenerationQualifier"))
     ASN1Subject.struct_class = Types::ASN1Subject
 
+    AccessDescription.add_member(:access_method, Shapes::ShapeRef.new(shape: AccessMethod, required: true, location_name: "AccessMethod"))
+    AccessDescription.add_member(:access_location, Shapes::ShapeRef.new(shape: GeneralName, required: true, location_name: "AccessLocation"))
+    AccessDescription.struct_class = Types::AccessDescription
+
+    AccessDescriptionList.member = Shapes::ShapeRef.new(shape: AccessDescription)
+
+    AccessMethod.add_member(:custom_object_identifier, Shapes::ShapeRef.new(shape: CustomObjectIdentifier, location_name: "CustomObjectIdentifier"))
+    AccessMethod.add_member(:access_method_type, Shapes::ShapeRef.new(shape: AccessMethodType, location_name: "AccessMethodType"))
+    AccessMethod.struct_class = Types::AccessMethod
+
     ActionList.member = Shapes::ShapeRef.new(shape: ActionType)
 
     CertificateAuthorities.member = Shapes::ShapeRef.new(shape: CertificateAuthority)
@@ -163,6 +185,7 @@ module Aws::ACMPCA
     CertificateAuthorityConfiguration.add_member(:key_algorithm, Shapes::ShapeRef.new(shape: KeyAlgorithm, required: true, location_name: "KeyAlgorithm"))
     CertificateAuthorityConfiguration.add_member(:signing_algorithm, Shapes::ShapeRef.new(shape: SigningAlgorithm, required: true, location_name: "SigningAlgorithm"))
     CertificateAuthorityConfiguration.add_member(:subject, Shapes::ShapeRef.new(shape: ASN1Subject, required: true, location_name: "Subject"))
+    CertificateAuthorityConfiguration.add_member(:csr_extensions, Shapes::ShapeRef.new(shape: CsrExtensions, location_name: "CsrExtensions"))
     CertificateAuthorityConfiguration.struct_class = Types::CertificateAuthorityConfiguration
 
     CertificateMismatchException.add_member(:message, Shapes::ShapeRef.new(shape: String, location_name: "message"))
@@ -202,6 +225,10 @@ module Aws::ACMPCA
     CrlConfiguration.add_member(:s3_bucket_name, Shapes::ShapeRef.new(shape: String3To255, location_name: "S3BucketName"))
     CrlConfiguration.struct_class = Types::CrlConfiguration
 
+    CsrExtensions.add_member(:key_usage, Shapes::ShapeRef.new(shape: KeyUsage, location_name: "KeyUsage"))
+    CsrExtensions.add_member(:subject_information_access, Shapes::ShapeRef.new(shape: AccessDescriptionList, location_name: "SubjectInformationAccess"))
+    CsrExtensions.struct_class = Types::CsrExtensions
+
     DeleteCertificateAuthorityRequest.add_member(:certificate_authority_arn, Shapes::ShapeRef.new(shape: Arn, required: true, location_name: "CertificateAuthorityArn"))
     DeleteCertificateAuthorityRequest.add_member(:permanent_deletion_time_in_days, Shapes::ShapeRef.new(shape: PermanentDeletionTimeInDays, location_name: "PermanentDeletionTimeInDays"))
     DeleteCertificateAuthorityRequest.struct_class = Types::DeleteCertificateAuthorityRequest
@@ -230,6 +257,20 @@ module Aws::ACMPCA
     DescribeCertificateAuthorityResponse.add_member(:certificate_authority, Shapes::ShapeRef.new(shape: CertificateAuthority, location_name: "CertificateAuthority"))
     DescribeCertificateAuthorityResponse.struct_class = Types::DescribeCertificateAuthorityResponse
 
+    EdiPartyName.add_member(:party_name, Shapes::ShapeRef.new(shape: String256, required: true, location_name: "PartyName"))
+    EdiPartyName.add_member(:name_assigner, Shapes::ShapeRef.new(shape: String256, location_name: "NameAssigner"))
+    EdiPartyName.struct_class = Types::EdiPartyName
+
+    GeneralName.add_member(:other_name, Shapes::ShapeRef.new(shape: OtherName, location_name: "OtherName"))
+    GeneralName.add_member(:rfc_822_name, Shapes::ShapeRef.new(shape: String256, location_name: "Rfc822Name"))
+    GeneralName.add_member(:dns_name, Shapes::ShapeRef.new(shape: String253, location_name: "DnsName"))
+    GeneralName.add_member(:directory_name, Shapes::ShapeRef.new(shape: ASN1Subject, location_name: "DirectoryName"))
+    GeneralName.add_member(:edi_party_name, Shapes::ShapeRef.new(shape: EdiPartyName, location_name: "EdiPartyName"))
+    GeneralName.add_member(:uniform_resource_identifier, Shapes::ShapeRef.new(shape: String253, location_name: "UniformResourceIdentifier"))
+    GeneralName.add_member(:ip_address, Shapes::ShapeRef.new(shape: String39, location_name: "IpAddress"))
+    GeneralName.add_member(:registered_id, Shapes::ShapeRef.new(shape: CustomObjectIdentifier, location_name: "RegisteredId"))
+    GeneralName.struct_class = Types::GeneralName
+
     GetCertificateAuthorityCertificateRequest.add_member(:certificate_authority_arn, Shapes::ShapeRef.new(shape: Arn, required: true, location_name: "CertificateAuthorityArn"))
     GetCertificateAuthorityCertificateRequest.struct_class = Types::GetCertificateAuthorityCertificateRequest
 
@@ -294,6 +335,17 @@ module Aws::ACMPCA
     IssueCertificateResponse.add_member(:certificate_arn, Shapes::ShapeRef.new(shape: Arn, location_name: "CertificateArn"))
     IssueCertificateResponse.struct_class = Types::IssueCertificateResponse
 
+    KeyUsage.add_member(:digital_signature, Shapes::ShapeRef.new(shape: Boolean, location_name: "DigitalSignature"))
+    KeyUsage.add_member(:non_repudiation, Shapes::ShapeRef.new(shape: Boolean, location_name: "NonRepudiation"))
+    KeyUsage.add_member(:key_encipherment, Shapes::ShapeRef.new(shape: Boolean, location_name: "KeyEncipherment"))
+    KeyUsage.add_member(:data_encipherment, Shapes::ShapeRef.new(shape: Boolean, location_name: "DataEncipherment"))
+    KeyUsage.add_member(:key_agreement, Shapes::ShapeRef.new(shape: Boolean, location_name: "KeyAgreement"))
+    KeyUsage.add_member(:key_cert_sign, Shapes::ShapeRef.new(shape: Boolean, location_name: "KeyCertSign"))
+    KeyUsage.add_member(:crl_sign, Shapes::ShapeRef.new(shape: Boolean, location_name: "CRLSign"))
+    KeyUsage.add_member(:encipher_only, Shapes::ShapeRef.new(shape: Boolean, location_name: "EncipherOnly"))
+    KeyUsage.add_member(:decipher_only, Shapes::ShapeRef.new(shape: Boolean, location_name: "DecipherOnly"))
+    KeyUsage.struct_class = Types::KeyUsage
+
     LimitExceededException.add_member(:message, Shapes::ShapeRef.new(shape: String, location_name: "message"))
     LimitExceededException.struct_class = Types::LimitExceededException
 
@@ -333,6 +385,10 @@ module Aws::ACMPCA
     MalformedCertificateException.add_member(:message, Shapes::ShapeRef.new(shape: String, location_name: "message"))
     MalformedCertificateException.struct_class = Types::MalformedCertificateException
 
+    OtherName.add_member(:type_id, Shapes::ShapeRef.new(shape: CustomObjectIdentifier, required: true, location_name: "TypeId"))
+    OtherName.add_member(:value, Shapes::ShapeRef.new(shape: String256, required: true, location_name: "Value"))
+    OtherName.struct_class = Types::OtherName
+
     Permission.add_member(:certificate_authority_arn, Shapes::ShapeRef.new(shape: Arn, location_name: "CertificateAuthorityArn"))
     Permission.add_member(:created_at, Shapes::ShapeRef.new(shape: TStamp, location_name: "CreatedAt"))
     Permission.add_member(:principal, Shapes::ShapeRef.new(shape: Principal, location_name: "Principal"))

data/lib/aws-sdk-acmpca/types.rb

@@ -65,7 +65,11 @@ module Aws::ACMPCA
     #   @return [String]
     #
     # @!attribute [rw] common_name
-    #   Fully qualified domain name (FQDN) associated with the certificate
+    #   For CA and end-entity certificates in a private PKI, the common name
+    #   (CN) can be any string within the length limit.
+    #
+    #   Note: In publicly trusted certificates, the common name must be a
+    #   fully qualified domain name (FQDN) associated with the certificate
     #   subject.
     #   @return [String]
     #
@@ -131,6 +135,106 @@ module Aws::ACMPCA
       include Aws::Structure
     end
 
+    # Provides access information used by the `authorityInfoAccess` and
+    # `subjectInfoAccess` extensions described in [RFC 5280][1].
+    #
+    #
+    #
+    # [1]: https://tools.ietf.org/html/rfc5280
+    #
+    # @note When making an API call, you may pass AccessDescription
+    #   data as a hash:
+    #
+    #       {
+    #         access_method: { # required
+    #           custom_object_identifier: "CustomObjectIdentifier",
+    #           access_method_type: "CA_REPOSITORY", # accepts CA_REPOSITORY, RESOURCE_PKI_MANIFEST, RESOURCE_PKI_NOTIFY
+    #         },
+    #         access_location: { # required
+    #           other_name: {
+    #             type_id: "CustomObjectIdentifier", # required
+    #             value: "String256", # required
+    #           },
+    #           rfc_822_name: "String256",
+    #           dns_name: "String253",
+    #           directory_name: {
+    #             country: "CountryCodeString",
+    #             organization: "String64",
+    #             organizational_unit: "String64",
+    #             distinguished_name_qualifier: "ASN1PrintableString64",
+    #             state: "String128",
+    #             common_name: "String64",
+    #             serial_number: "ASN1PrintableString64",
+    #             locality: "String128",
+    #             title: "String64",
+    #             surname: "String40",
+    #             given_name: "String16",
+    #             initials: "String5",
+    #             pseudonym: "String128",
+    #             generation_qualifier: "String3",
+    #           },
+    #           edi_party_name: {
+    #             party_name: "String256", # required
+    #             name_assigner: "String256",
+    #           },
+    #           uniform_resource_identifier: "String253",
+    #           ip_address: "String39",
+    #           registered_id: "CustomObjectIdentifier",
+    #         },
+    #       }
+    #
+    # @!attribute [rw] access_method
+    #   The type and format of `AccessDescription` information.
+    #   @return [Types::AccessMethod]
+    #
+    # @!attribute [rw] access_location
+    #   The location of `AccessDescription` information.
+    #   @return [Types::GeneralName]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/AccessDescription AWS API Documentation
+    #
+    class AccessDescription < Struct.new(
+      :access_method,
+      :access_location)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # Describes the type and format of extension access. Only one of
+    # `CustomObjectIdentifier` or `AccessMethodType` may be provided.
+    # Providing both results in `InvalidArgsException`.
+    #
+    # @note When making an API call, you may pass AccessMethod
+    #   data as a hash:
+    #
+    #       {
+    #         custom_object_identifier: "CustomObjectIdentifier",
+    #         access_method_type: "CA_REPOSITORY", # accepts CA_REPOSITORY, RESOURCE_PKI_MANIFEST, RESOURCE_PKI_NOTIFY
+    #       }
+    #
+    # @!attribute [rw] custom_object_identifier
+    #   An object identifier (OID) specifying the `AccessMethod`. The OID
+    #   must satisfy the regular expression shown below. For more
+    #   information, see NIST's definition of [Object Identifier (OID)][1].
+    #
+    #
+    #
+    #   [1]: https://csrc.nist.gov/glossary/term/Object_Identifier
+    #   @return [String]
+    #
+    # @!attribute [rw] access_method_type
+    #   Specifies the `AccessMethod`.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/AccessMethod AWS API Documentation
+    #
+    class AccessMethod < Struct.new(
+      :custom_object_identifier,
+      :access_method_type)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
     # Contains information about your private certificate authority (CA).
     # Your private CA can issue and revoke X.509 digital certificates.
     # Digital certificates verify that the entity named in the certificate
@@ -264,6 +368,58 @@ module Aws::ACMPCA
     #           pseudonym: "String128",
     #           generation_qualifier: "String3",
     #         },
+    #         csr_extensions: {
+    #           key_usage: {
+    #             digital_signature: false,
+    #             non_repudiation: false,
+    #             key_encipherment: false,
+    #             data_encipherment: false,
+    #             key_agreement: false,
+    #             key_cert_sign: false,
+    #             crl_sign: false,
+    #             encipher_only: false,
+    #             decipher_only: false,
+    #           },
+    #           subject_information_access: [
+    #             {
+    #               access_method: { # required
+    #                 custom_object_identifier: "CustomObjectIdentifier",
+    #                 access_method_type: "CA_REPOSITORY", # accepts CA_REPOSITORY, RESOURCE_PKI_MANIFEST, RESOURCE_PKI_NOTIFY
+    #               },
+    #               access_location: { # required
+    #                 other_name: {
+    #                   type_id: "CustomObjectIdentifier", # required
+    #                   value: "String256", # required
+    #                 },
+    #                 rfc_822_name: "String256",
+    #                 dns_name: "String253",
+    #                 directory_name: {
+    #                   country: "CountryCodeString",
+    #                   organization: "String64",
+    #                   organizational_unit: "String64",
+    #                   distinguished_name_qualifier: "ASN1PrintableString64",
+    #                   state: "String128",
+    #                   common_name: "String64",
+    #                   serial_number: "ASN1PrintableString64",
+    #                   locality: "String128",
+    #                   title: "String64",
+    #                   surname: "String40",
+    #                   given_name: "String16",
+    #                   initials: "String5",
+    #                   pseudonym: "String128",
+    #                   generation_qualifier: "String3",
+    #                 },
+    #                 edi_party_name: {
+    #                   party_name: "String256", # required
+    #                   name_assigner: "String256",
+    #                 },
+    #                 uniform_resource_identifier: "String253",
+    #                 ip_address: "String39",
+    #                 registered_id: "CustomObjectIdentifier",
+    #               },
+    #             },
+    #           ],
+    #         },
     #       }
     #
     # @!attribute [rw] key_algorithm
@@ -286,12 +442,18 @@ module Aws::ACMPCA
     #   your private CA.
     #   @return [Types::ASN1Subject]
     #
+    # @!attribute [rw] csr_extensions
+    #   Specifies information to be added to the extension section of the
+    #   certificate signing request (CSR).
+    #   @return [Types::CsrExtensions]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/CertificateAuthorityConfiguration AWS API Documentation
     #
     class CertificateAuthorityConfiguration < Struct.new(
       :key_algorithm,
       :signing_algorithm,
-      :subject)
+      :subject,
+      :csr_extensions)
       SENSITIVE = []
       include Aws::Structure
     end
@@ -400,6 +562,58 @@ module Aws::ACMPCA
     #             pseudonym: "String128",
     #             generation_qualifier: "String3",
     #           },
+    #           csr_extensions: {
+    #             key_usage: {
+    #               digital_signature: false,
+    #               non_repudiation: false,
+    #               key_encipherment: false,
+    #               data_encipherment: false,
+    #               key_agreement: false,
+    #               key_cert_sign: false,
+    #               crl_sign: false,
+    #               encipher_only: false,
+    #               decipher_only: false,
+    #             },
+    #             subject_information_access: [
+    #               {
+    #                 access_method: { # required
+    #                   custom_object_identifier: "CustomObjectIdentifier",
+    #                   access_method_type: "CA_REPOSITORY", # accepts CA_REPOSITORY, RESOURCE_PKI_MANIFEST, RESOURCE_PKI_NOTIFY
+    #                 },
+    #                 access_location: { # required
+    #                   other_name: {
+    #                     type_id: "CustomObjectIdentifier", # required
+    #                     value: "String256", # required
+    #                   },
+    #                   rfc_822_name: "String256",
+    #                   dns_name: "String253",
+    #                   directory_name: {
+    #                     country: "CountryCodeString",
+    #                     organization: "String64",
+    #                     organizational_unit: "String64",
+    #                     distinguished_name_qualifier: "ASN1PrintableString64",
+    #                     state: "String128",
+    #                     common_name: "String64",
+    #                     serial_number: "ASN1PrintableString64",
+    #                     locality: "String128",
+    #                     title: "String64",
+    #                     surname: "String40",
+    #                     given_name: "String16",
+    #                     initials: "String5",
+    #                     pseudonym: "String128",
+    #                     generation_qualifier: "String3",
+    #                   },
+    #                   edi_party_name: {
+    #                     party_name: "String256", # required
+    #                     name_assigner: "String256",
+    #                   },
+    #                   uniform_resource_identifier: "String253",
+    #                   ip_address: "String39",
+    #                   registered_id: "CustomObjectIdentifier",
+    #                 },
+    #               },
+    #             ],
+    #           },
     #         },
     #         revocation_configuration: {
     #           crl_configuration: {
@@ -635,7 +849,7 @@ module Aws::ACMPCA
     #   @return [Boolean]
     #
     # @!attribute [rw] expiration_in_days
-    #   Number of days until a certificate expires.
+    #   Validity period of the CRL in days.
     #   @return [Integer]
     #
     # @!attribute [rw] custom_cname
@@ -670,6 +884,89 @@ module Aws::ACMPCA
       include Aws::Structure
     end
 
+    # Describes the certificate extensions to be added to the certificate
+    # signing request (CSR).
+    #
+    # @note When making an API call, you may pass CsrExtensions
+    #   data as a hash:
+    #
+    #       {
+    #         key_usage: {
+    #           digital_signature: false,
+    #           non_repudiation: false,
+    #           key_encipherment: false,
+    #           data_encipherment: false,
+    #           key_agreement: false,
+    #           key_cert_sign: false,
+    #           crl_sign: false,
+    #           encipher_only: false,
+    #           decipher_only: false,
+    #         },
+    #         subject_information_access: [
+    #           {
+    #             access_method: { # required
+    #               custom_object_identifier: "CustomObjectIdentifier",
+    #               access_method_type: "CA_REPOSITORY", # accepts CA_REPOSITORY, RESOURCE_PKI_MANIFEST, RESOURCE_PKI_NOTIFY
+    #             },
+    #             access_location: { # required
+    #               other_name: {
+    #                 type_id: "CustomObjectIdentifier", # required
+    #                 value: "String256", # required
+    #               },
+    #               rfc_822_name: "String256",
+    #               dns_name: "String253",
+    #               directory_name: {
+    #                 country: "CountryCodeString",
+    #                 organization: "String64",
+    #                 organizational_unit: "String64",
+    #                 distinguished_name_qualifier: "ASN1PrintableString64",
+    #                 state: "String128",
+    #                 common_name: "String64",
+    #                 serial_number: "ASN1PrintableString64",
+    #                 locality: "String128",
+    #                 title: "String64",
+    #                 surname: "String40",
+    #                 given_name: "String16",
+    #                 initials: "String5",
+    #                 pseudonym: "String128",
+    #                 generation_qualifier: "String3",
+    #               },
+    #               edi_party_name: {
+    #                 party_name: "String256", # required
+    #                 name_assigner: "String256",
+    #               },
+    #               uniform_resource_identifier: "String253",
+    #               ip_address: "String39",
+    #               registered_id: "CustomObjectIdentifier",
+    #             },
+    #           },
+    #         ],
+    #       }
+    #
+    # @!attribute [rw] key_usage
+    #   Indicates the purpose of the certificate and of the key contained in
+    #   the certificate.
+    #   @return [Types::KeyUsage]
+    #
+    # @!attribute [rw] subject_information_access
+    #   For CA certificates, provides a path to additional information
+    #   pertaining to the CA, such as revocation and policy. For more
+    #   information, see [Subject Information Access][1] in RFC 5280.
+    #
+    #
+    #
+    #   [1]: https://tools.ietf.org/html/rfc5280#section-4.2.2.2
+    #   @return [Array<Types::AccessDescription>]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/CsrExtensions AWS API Documentation
+    #
+    class CsrExtensions < Struct.new(
+      :key_usage,
+      :subject_information_access)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
     # @note When making an API call, you may pass DeleteCertificateAuthorityRequest
     #   data as a hash:
     #
@@ -882,6 +1179,142 @@ module Aws::ACMPCA
       include Aws::Structure
     end
 
+    # Describes an Electronic Data Interchange (EDI) entity as described in
+    # as defined in [Subject Alternative Name][1] in RFC 5280.
+    #
+    #
+    #
+    # [1]: https://tools.ietf.org/html/rfc5280
+    #
+    # @note When making an API call, you may pass EdiPartyName
+    #   data as a hash:
+    #
+    #       {
+    #         party_name: "String256", # required
+    #         name_assigner: "String256",
+    #       }
+    #
+    # @!attribute [rw] party_name
+    #   Specifies the party name.
+    #   @return [String]
+    #
+    # @!attribute [rw] name_assigner
+    #   Specifies the name assigner.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/EdiPartyName AWS API Documentation
+    #
+    class EdiPartyName < Struct.new(
+      :party_name,
+      :name_assigner)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # Describes an ASN.1 X.400 `GeneralName` as defined in [RFC 5280][1].
+    # Only one of the following naming options should be providied.
+    # Providing more than one option results in an `InvalidArgsException`
+    # error.
+    #
+    #
+    #
+    # [1]: https://tools.ietf.org/html/rfc5280
+    #
+    # @note When making an API call, you may pass GeneralName
+    #   data as a hash:
+    #
+    #       {
+    #         other_name: {
+    #           type_id: "CustomObjectIdentifier", # required
+    #           value: "String256", # required
+    #         },
+    #         rfc_822_name: "String256",
+    #         dns_name: "String253",
+    #         directory_name: {
+    #           country: "CountryCodeString",
+    #           organization: "String64",
+    #           organizational_unit: "String64",
+    #           distinguished_name_qualifier: "ASN1PrintableString64",
+    #           state: "String128",
+    #           common_name: "String64",
+    #           serial_number: "ASN1PrintableString64",
+    #           locality: "String128",
+    #           title: "String64",
+    #           surname: "String40",
+    #           given_name: "String16",
+    #           initials: "String5",
+    #           pseudonym: "String128",
+    #           generation_qualifier: "String3",
+    #         },
+    #         edi_party_name: {
+    #           party_name: "String256", # required
+    #           name_assigner: "String256",
+    #         },
+    #         uniform_resource_identifier: "String253",
+    #         ip_address: "String39",
+    #         registered_id: "CustomObjectIdentifier",
+    #       }
+    #
+    # @!attribute [rw] other_name
+    #   Represents `GeneralName` using an `OtherName` object.
+    #   @return [Types::OtherName]
+    #
+    # @!attribute [rw] rfc_822_name
+    #   Represents `GeneralName` as an [RFC 822][1] email address.
+    #
+    #
+    #
+    #   [1]: https://tools.ietf.org/html/rfc822
+    #   @return [String]
+    #
+    # @!attribute [rw] dns_name
+    #   Represents `GeneralName` as a DNS name.
+    #   @return [String]
+    #
+    # @!attribute [rw] directory_name
+    #   Contains information about the certificate subject. The certificate
+    #   can be one issued by your private certificate authority (CA) or it
+    #   can be your private CA certificate. The **Subject** field in the
+    #   certificate identifies the entity that owns or controls the public
+    #   key in the certificate. The entity can be a user, computer, device,
+    #   or service. The **Subject** must contain an X.500 distinguished name
+    #   (DN). A DN is a sequence of relative distinguished names (RDNs). The
+    #   RDNs are separated by commas in the certificate. The DN must be
+    #   unique for each entity, but your private CA can issue more than one
+    #   certificate with the same DN to the same entity.
+    #   @return [Types::ASN1Subject]
+    #
+    # @!attribute [rw] edi_party_name
+    #   Represents `GeneralName` as an `EdiPartyName` object.
+    #   @return [Types::EdiPartyName]
+    #
+    # @!attribute [rw] uniform_resource_identifier
+    #   Represents `GeneralName` as a URI.
+    #   @return [String]
+    #
+    # @!attribute [rw] ip_address
+    #   Represents `GeneralName` as an IPv4 or IPv6 address.
+    #   @return [String]
+    #
+    # @!attribute [rw] registered_id
+    #   Represents `GeneralName` as an object identifier (OID).
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/GeneralName AWS API Documentation
+    #
+    class GeneralName < Struct.new(
+      :other_name,
+      :rfc_822_name,
+      :dns_name,
+      :directory_name,
+      :edi_party_name,
+      :uniform_resource_identifier,
+      :ip_address,
+      :registered_id)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
     # @note When making an API call, you may pass GetCertificateAuthorityCertificateRequest
     #   data as a hash:
     #
@@ -911,10 +1344,9 @@ module Aws::ACMPCA
     #
     # @!attribute [rw] certificate_chain
     #   Base64-encoded certificate chain that includes any intermediate
-    #   certificates and chains up to root on-premises certificate that you
-    #   used to sign your private CA certificate. The chain does not include
-    #   your private CA certificate. If this is a root CA, the value will be
-    #   null.
+    #   certificates and chains up to root certificate that you used to sign
+    #   your private CA certificate. The chain does not include your private
+    #   CA certificate. If this is a root CA, the value will be null.
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/GetCertificateAuthorityCertificateResponse AWS API Documentation
@@ -1009,9 +1441,8 @@ module Aws::ACMPCA
     #   @return [String]
     #
     # @!attribute [rw] certificate_chain
-    #   The base64 PEM-encoded certificate chain that chains up to the
-    #   on-premises root CA certificate that you used to sign your private
-    #   CA certificate.
+    #   The base64 PEM-encoded certificate chain that chains up to the root
+    #   CA certificate that you used to sign your private CA certificate.
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/GetCertificateResponse AWS API Documentation
@@ -1156,7 +1587,7 @@ module Aws::ACMPCA
     #
     #
     #
-    # [1]: https://docs.aws.amazon.com/https:/docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#access_policies-json
+    # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#access_policies-json
     #
     # @!attribute [rw] message
     #   @return [String]
@@ -1367,6 +1798,76 @@ module Aws::ACMPCA
       include Aws::Structure
     end
 
+    # Defines one or more purposes for which the key contained in the
+    # certificate can be used. Default value for each option is false.
+    #
+    # @note When making an API call, you may pass KeyUsage
+    #   data as a hash:
+    #
+    #       {
+    #         digital_signature: false,
+    #         non_repudiation: false,
+    #         key_encipherment: false,
+    #         data_encipherment: false,
+    #         key_agreement: false,
+    #         key_cert_sign: false,
+    #         crl_sign: false,
+    #         encipher_only: false,
+    #         decipher_only: false,
+    #       }
+    #
+    # @!attribute [rw] digital_signature
+    #   Key can be used for digital signing.
+    #   @return [Boolean]
+    #
+    # @!attribute [rw] non_repudiation
+    #   Key can be used for non-repudiation.
+    #   @return [Boolean]
+    #
+    # @!attribute [rw] key_encipherment
+    #   Key can be used to encipher data.
+    #   @return [Boolean]
+    #
+    # @!attribute [rw] data_encipherment
+    #   Key can be used to decipher data.
+    #   @return [Boolean]
+    #
+    # @!attribute [rw] key_agreement
+    #   Key can be used in a key-agreement protocol.
+    #   @return [Boolean]
+    #
+    # @!attribute [rw] key_cert_sign
+    #   Key can be used to sign certificates.
+    #   @return [Boolean]
+    #
+    # @!attribute [rw] crl_sign
+    #   Key can be used to sign CRLs.
+    #   @return [Boolean]
+    #
+    # @!attribute [rw] encipher_only
+    #   Key can be used only to encipher data.
+    #   @return [Boolean]
+    #
+    # @!attribute [rw] decipher_only
+    #   Key can be used only to decipher data.
+    #   @return [Boolean]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/KeyUsage AWS API Documentation
+    #
+    class KeyUsage < Struct.new(
+      :digital_signature,
+      :non_repudiation,
+      :key_encipherment,
+      :data_encipherment,
+      :key_agreement,
+      :key_cert_sign,
+      :crl_sign,
+      :encipher_only,
+      :decipher_only)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
     # An ACM Private CA quota has been exceeded. See the exception message
     # returned to determine the quota that was exceeded.
     #
@@ -1610,6 +2111,40 @@ module Aws::ACMPCA
       include Aws::Structure
     end
 
+    # Defines a custom ASN.1 X.400 `GeneralName` using an object identifier
+    # (OID) and value. The OID must satisfy the regular expression shown
+    # below. For more information, see NIST's definition of [Object
+    # Identifier (OID)][1].
+    #
+    #
+    #
+    # [1]: https://csrc.nist.gov/glossary/term/Object_Identifier
+    #
+    # @note When making an API call, you may pass OtherName
+    #   data as a hash:
+    #
+    #       {
+    #         type_id: "CustomObjectIdentifier", # required
+    #         value: "String256", # required
+    #       }
+    #
+    # @!attribute [rw] type_id
+    #   Specifies an OID.
+    #   @return [String]
+    #
+    # @!attribute [rw] value
+    #   Specifies an OID value.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/OtherName AWS API Documentation
+    #
+    class OtherName < Struct.new(
+      :type_id,
+      :value)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
     # Permissions designate which private CA actions can be performed by an
     # AWS service or entity. In order for ACM to automatically renew private
     # certificates, you must give the ACM service principal all available
@@ -2116,6 +2651,10 @@ module Aws::ACMPCA
     #   * Sample input value: 90
     #
     #   * Output expiration date: 01/10/2020 12:34:54 UTC
+    #
+    #   The minimum validity duration for a certificate using relative time
+    #   (`DAYS`) is one day. The minimum validity for a certificate using
+    #   absolute time (`ABSOLUTE` or `END_DATE`) is one second.
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/Validity AWS API Documentation

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: aws-sdk-acmpca
 version: !ruby/object:Gem::Version
-  version: 1.30.0
+  version: 1.31.0
 platform: ruby
 authors:
 - Amazon Web Services
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-09-30 00:00:00.000000000 Z
+date: 2020-12-29 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: aws-sdk-core