aws-sdk-acmpca 1.31.0 → 1.32.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: e9248de24e8f0650decb902183ab1be075185fcbd936d73fa01d60288195baab
-  data.tar.gz: c97ad717942496ed6dd1b9210872f51ee89c5db7795612d43215ab4306ddd8a5
+  metadata.gz: dc98acc54b80d947d407c145b5f09f400dad5a8b943019e3b8c9bcd008f2b2c7
+  data.tar.gz: 5625afa10f80568e15a65cec8fce964cebe02a72ffeb314d9ec95374a073d012
 SHA512:
-  metadata.gz: bb1c7a2154501ecdb1a26f5402da4239c8667255169d172f42a7a7f0f215cff3d08d116a39a0fab7c7efe35b1c57321ecb598d03fc163f43541d6d87e0e44114
-  data.tar.gz: b21951246a975ef7d3a62d4e92ad64775760f60c4297d12382c4510faac8b8c422ccd0ed4ae21d632e1f5c5e3dd3f04fd9210dc395022778c295246d57236ea2
+  metadata.gz: 774424f9c13f043e133ee64be2b4d302d7797645b9d51075aea543f1c215deab51c914473d9f93b6a4d52942974a108c1e69f0946a65e66a1d3c635cab1d7d11
+  data.tar.gz: ea1de9d25fd213799a2a277027d62ca35f445a79cc4e2c23553dd182f16c9e8a93f086ffe040dcdd28449c283a5113e3d37fed4b474475d3acac8f4f42272af0

data/lib/aws-sdk-acmpca.rb

@@ -49,6 +49,6 @@ require_relative 'aws-sdk-acmpca/customizations'
 # @!group service
 module Aws::ACMPCA
 
-  GEM_VERSION = '1.31.0'
+  GEM_VERSION = '1.32.0'
 
 end

data/lib/aws-sdk-acmpca/client.rb

@@ -385,12 +385,14 @@ module Aws::ACMPCA
     #   The type of the certificate authority.
     #
     # @option params [String] :idempotency_token
-    #   Alphanumeric string that can be used to distinguish between calls to
-    #   **CreateCertificateAuthority**. For a given token, ACM Private CA
-    #   creates exactly one CA. If you issue a subsequent call using the same
-    #   token, ACM Private CA returns the ARN of the existing CA and takes no
-    #   further action. If you change the idempotency token across multiple
-    #   calls, ACM Private CA creates a unique CA for each unique token.
+    #   Custom string that can be used to distinguish between calls to the
+    #   **CreateCertificateAuthority** action. Idempotency tokens for
+    #   **CreateCertificateAuthority** time out after five minutes. Therefore,
+    #   if you call **CreateCertificateAuthority** multiple times with the
+    #   same idempotency token within five minutes, ACM Private CA recognizes
+    #   that you are requesting only certificate authority and will issue only
+    #   one. If you change the idempotency token for each call, PCA recognizes
+    #   that you are requesting multiple certificate authorities.
     #
     # @option params [Array<Types::Tag>] :tags
     #   Key-value pairs that will be attached to the new private CA. You can
@@ -884,7 +886,7 @@ module Aws::ACMPCA
     # * `EXPIRED` - Your private CA certificate has expired.
     #
     # * `FAILED` - Your private CA has failed. Your CA can fail because of
-    #   problems such a network outage or backend AWS failure or other
+    #   problems such a network outage or back-end AWS failure or other
     #   errors. A failed CA can never return to the pending state. You must
     #   create a new CA.
     #
@@ -1276,8 +1278,8 @@ module Aws::ACMPCA
     # following preparations must in place:
     #
     # 1.  In ACM Private CA, call the [CreateCertificateAuthority][1] action
-    #     to create the private CA that that you plan to back with the
-    #     imported certificate.
+    #     to create the private CA that you plan to back with the imported
+    #     certificate.
     #
     # 2.  Call the [GetCertificateAuthorityCsr][2] action to generate a
     #     certificate signing request (CSR).
@@ -1299,7 +1301,7 @@ module Aws::ACMPCA
     # * Installing a subordinate CA certificate whose parent authority is
     #   externally hosted.
     #
-    # The following addtitional requirements apply when you import a CA
+    # The following additional requirements apply when you import a CA
     # certificate.
     #
     # * Only a self-signed certificate can be imported as a root CA.
@@ -1429,6 +1431,21 @@ module Aws::ACMPCA
     #
     # [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_GetCertificate.html
     #
+    # @option params [Types::ApiPassthrough] :api_passthrough
+    #   Specifies X.509 certificate information to be included in the issued
+    #   certificate. An `APIPassthrough` or `APICSRPassthrough` template
+    #   variant must be selected, or else this parameter is ignored. For more
+    #   information about using these templates, see [Understanding
+    #   Certificate Templates][1].
+    #
+    #   If conflicting or duplicate certificate information is supplied during
+    #   certificate issuance, ACM Private CA applies [order of operation
+    #   rules](xxxxx) to determine what information is used.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/acm-pca/latest/userguide/UsingTemplates.html
+    #
     # @option params [required, String] :certificate_authority_arn
     #   The Amazon Resource Name (ARN) that was returned when you called
     #   [CreateCertificateAuthority][1]. This must be of the form:
@@ -1442,15 +1459,15 @@ module Aws::ACMPCA
     #
     # @option params [required, String, StringIO, File] :csr
     #   The certificate signing request (CSR) for the certificate you want to
-    #   issue. You can use the following OpenSSL command to create the CSR and
-    #   a 2048 bit RSA private key.
+    #   issue. As an example, you can use the following OpenSSL command to
+    #   create the CSR and a 2048 bit RSA private key.
     #
     #   `openssl req -new -newkey rsa:2048 -days 365 -keyout
     #   private/test_cert_priv_key.pem -out csr/test_cert_.csr`
     #
-    #   If you have a configuration file, you can use the following OpenSSL
-    #   command. The `usr_cert` block in the configuration file contains your
-    #   X509 version 3 extensions.
+    #   If you have a configuration file, you can then use the following
+    #   OpenSSL command. The `usr_cert` block in the configuration file
+    #   contains your X509 version 3 extensions.
     #
     #   `openssl req -new -config openssl_rsa.cnf -extensions usr_cert -newkey
     #   rsa:2048 -days -365 -keyout private/test_cert_priv_key.pem -out
@@ -1464,7 +1481,8 @@ module Aws::ACMPCA
     #   be issued.
     #
     #   This parameter should not be confused with the `SigningAlgorithm`
-    #   parameter used to sign a CSR.
+    #   parameter used to sign a CSR in the `CreateCertificateAuthority`
+    #   action.
     #
     # @option params [String] :template_arn
     #   Specifies a custom configuration template to use when issuing a
@@ -1477,65 +1495,70 @@ module Aws::ACMPCA
     #   Note: The CA depth configured on a subordinate CA certificate must not
     #   exceed the limit set by its parents in the CA hierarchy.
     #
-    #   The following service-owned `TemplateArn` values are supported by ACM
-    #   Private CA:
-    #
-    #   * arn:aws:acm-pca:::template/CodeSigningCertificate/V1
+    #   For a list of `TemplateArn` values supported by ACM Private CA, see
+    #   [Understanding Certificate Templates][2].
     #
-    #   * arn:aws:acm-pca:::template/CodeSigningCertificate\_CSRPassthrough/V1
     #
-    #   * arn:aws:acm-pca:::template/EndEntityCertificate/V1
     #
-    #   * arn:aws:acm-pca:::template/EndEntityCertificate\_CSRPassthrough/V1
-    #
-    #   * arn:aws:acm-pca:::template/EndEntityClientAuthCertificate/V1
-    #
-    #   * arn:aws:acm-pca:::template/EndEntityClientAuthCertificate\_CSRPassthrough/V1
-    #
-    #   * arn:aws:acm-pca:::template/EndEntityServerAuthCertificate/V1
-    #
-    #   * arn:aws:acm-pca:::template/EndEntityServerAuthCertificate\_CSRPassthrough/V1
+    #   [1]: https://docs.aws.amazon.com/acm-pca/latest/userguide/PcaTerms.html#terms-cadepth
+    #   [2]: https://docs.aws.amazon.com/acm-pca/latest/userguide/UsingTemplates.html
     #
-    #   * arn:aws:acm-pca:::template/OCSPSigningCertificate/V1
+    # @option params [required, Types::Validity] :validity
+    #   Information describing the end of the validity period of the
+    #   certificate. This parameter sets the “Not After” date for the
+    #   certificate.
     #
-    #   * arn:aws:acm-pca:::template/OCSPSigningCertificate\_CSRPassthrough/V1
+    #   Certificate validity is the period of time during which a certificate
+    #   is valid. Validity can be expressed as an explicit date and time when
+    #   the certificate expires, or as a span of time after issuance, stated
+    #   in days, months, or years. For more information, see [Validity][1] in
+    #   RFC 5280.
     #
-    #   * arn:aws:acm-pca:::template/RootCACertificate/V1
+    #   This value is unaffected when `ValidityNotBefore` is also specified.
+    #   For example, if `Validity` is set to 20 days in the future, the
+    #   certificate will expire 20 days from issuance time regardless of the
+    #   `ValidityNotBefore` value.
     #
-    #   * arn:aws:acm-pca:::template/SubordinateCACertificate\_PathLen0/V1
+    #   The end of the validity period configured on a certificate must not
+    #   exceed the limit set on its parents in the CA hierarchy.
     #
-    #   * arn:aws:acm-pca:::template/SubordinateCACertificate\_PathLen1/V1
     #
-    #   * arn:aws:acm-pca:::template/SubordinateCACertificate\_PathLen2/V1
     #
-    #   * arn:aws:acm-pca:::template/SubordinateCACertificate\_PathLen3/V1
+    #   [1]: https://tools.ietf.org/html/rfc5280#section-4.1.2.5
     #
-    #   For more information, see [Using Templates][2].
+    # @option params [Types::Validity] :validity_not_before
+    #   Information describing the start of the validity period of the
+    #   certificate. This parameter sets the “Not Before" date for the
+    #   certificate.
     #
+    #   By default, when issuing a certificate, ACM Private CA sets the "Not
+    #   Before" date to the issuance time minus 60 minutes. This compensates
+    #   for clock inconsistencies across computer systems. The
+    #   `ValidityNotBefore` parameter can be used to customize the “Not
+    #   Before” value.
     #
+    #   Unlike the `Validity` parameter, the `ValidityNotBefore` parameter is
+    #   optional.
     #
-    #   [1]: https://docs.aws.amazon.com/acm-pca/latest/userguide/PcaTerms.html#terms-cadepth
-    #   [2]: https://docs.aws.amazon.com/acm-pca/latest/userguide/UsingTemplates.html
+    #   The `ValidityNotBefore` value is expressed as an explicit date and
+    #   time, using the `Validity` type value `ABSOLUTE`. For more
+    #   information, see [Validity][1] in this API reference and [Validity][2]
+    #   in RFC 5280.
     #
-    # @option params [required, Types::Validity] :validity
-    #   Information describing the validity period of the certificate.
     #
-    #   When issuing a certificate, ACM Private CA sets the "Not Before"
-    #   date in the validity field to date and time minus 60 minutes. This is
-    #   intended to compensate for time inconsistencies across systems of 60
-    #   minutes or less.
     #
-    #   The validity period configured on a certificate must not exceed the
-    #   limit set by its parents in the CA hierarchy.
+    #   [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_Validity.html
+    #   [2]: https://tools.ietf.org/html/rfc5280#section-4.1.2.5
     #
     # @option params [String] :idempotency_token
-    #   Custom string that can be used to distinguish between calls to the
-    #   **IssueCertificate** action. Idempotency tokens time out after one
-    #   hour. Therefore, if you call **IssueCertificate** multiple times with
-    #   the same idempotency token within 5 minutes, ACM Private CA recognizes
-    #   that you are requesting only one certificate and will issue only one.
-    #   If you change the idempotency token for each call, PCA recognizes that
-    #   you are requesting multiple certificates.
+    #   Alphanumeric string that can be used to distinguish between calls to
+    #   the **IssueCertificate** action. Idempotency tokens for
+    #   **IssueCertificate** time out after one minute. Therefore, if you call
+    #   **IssueCertificate** multiple times with the same idempotency token
+    #   within one minute, ACM Private CA recognizes that you are requesting
+    #   only one certificate and will issue only one. If you change the
+    #   idempotency token for each call, PCA recognizes that you are
+    #   requesting multiple certificates.
     #
     # @return [Types::IssueCertificateResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
     #
@@ -1544,6 +1567,89 @@ module Aws::ACMPCA
     # @example Request syntax with placeholder values
     #
     #   resp = client.issue_certificate({
+    #     api_passthrough: {
+    #       extensions: {
+    #         certificate_policies: [
+    #           {
+    #             cert_policy_id: "CustomObjectIdentifier", # required
+    #             policy_qualifiers: [
+    #               {
+    #                 policy_qualifier_id: "CPS", # required, accepts CPS
+    #                 qualifier: { # required
+    #                   cps_uri: "String256", # required
+    #                 },
+    #               },
+    #             ],
+    #           },
+    #         ],
+    #         extended_key_usage: [
+    #           {
+    #             extended_key_usage_type: "SERVER_AUTH", # accepts SERVER_AUTH, CLIENT_AUTH, CODE_SIGNING, EMAIL_PROTECTION, TIME_STAMPING, OCSP_SIGNING, SMART_CARD_LOGIN, DOCUMENT_SIGNING, CERTIFICATE_TRANSPARENCY
+    #             extended_key_usage_object_identifier: "CustomObjectIdentifier",
+    #           },
+    #         ],
+    #         key_usage: {
+    #           digital_signature: false,
+    #           non_repudiation: false,
+    #           key_encipherment: false,
+    #           data_encipherment: false,
+    #           key_agreement: false,
+    #           key_cert_sign: false,
+    #           crl_sign: false,
+    #           encipher_only: false,
+    #           decipher_only: false,
+    #         },
+    #         subject_alternative_names: [
+    #           {
+    #             other_name: {
+    #               type_id: "CustomObjectIdentifier", # required
+    #               value: "String256", # required
+    #             },
+    #             rfc_822_name: "String256",
+    #             dns_name: "String253",
+    #             directory_name: {
+    #               country: "CountryCodeString",
+    #               organization: "String64",
+    #               organizational_unit: "String64",
+    #               distinguished_name_qualifier: "ASN1PrintableString64",
+    #               state: "String128",
+    #               common_name: "String64",
+    #               serial_number: "ASN1PrintableString64",
+    #               locality: "String128",
+    #               title: "String64",
+    #               surname: "String40",
+    #               given_name: "String16",
+    #               initials: "String5",
+    #               pseudonym: "String128",
+    #               generation_qualifier: "String3",
+    #             },
+    #             edi_party_name: {
+    #               party_name: "String256", # required
+    #               name_assigner: "String256",
+    #             },
+    #             uniform_resource_identifier: "String253",
+    #             ip_address: "String39",
+    #             registered_id: "CustomObjectIdentifier",
+    #           },
+    #         ],
+    #       },
+    #       subject: {
+    #         country: "CountryCodeString",
+    #         organization: "String64",
+    #         organizational_unit: "String64",
+    #         distinguished_name_qualifier: "ASN1PrintableString64",
+    #         state: "String128",
+    #         common_name: "String64",
+    #         serial_number: "ASN1PrintableString64",
+    #         locality: "String128",
+    #         title: "String64",
+    #         surname: "String40",
+    #         given_name: "String16",
+    #         initials: "String5",
+    #         pseudonym: "String128",
+    #         generation_qualifier: "String3",
+    #       },
+    #     },
     #     certificate_authority_arn: "Arn", # required
     #     csr: "data", # required
     #     signing_algorithm: "SHA256WITHECDSA", # required, accepts SHA256WITHECDSA, SHA384WITHECDSA, SHA512WITHECDSA, SHA256WITHRSA, SHA384WITHRSA, SHA512WITHRSA
@@ -1552,6 +1658,10 @@ module Aws::ACMPCA
     #       value: 1, # required
     #       type: "END_DATE", # required, accepts END_DATE, ABSOLUTE, DAYS, MONTHS, YEARS
     #     },
+    #     validity_not_before: {
+    #       value: 1, # required
+    #       type: "END_DATE", # required, accepts END_DATE, ABSOLUTE, DAYS, MONTHS, YEARS
+    #     },
     #     idempotency_token: "IdempotencyToken",
     #   })
     #
@@ -1894,7 +2004,7 @@ module Aws::ACMPCA
     #   [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_ListCertificateAuthorities.html
     #
     # @option params [required, String] :policy
-    #   The path and filename of a JSON-formatted IAM policy to attach to the
+    #   The path and file name of a JSON-formatted IAM policy to attach to the
     #   specified private CA resource. If this policy does not contain all
     #   required statements or if it includes any statement that is not
     #   allowed, the `PutPolicy` action returns an `InvalidPolicyException`.
@@ -2229,7 +2339,7 @@ module Aws::ACMPCA
         params: params,
         config: config)
       context[:gem_name] = 'aws-sdk-acmpca'
-      context[:gem_version] = '1.31.0'
+      context[:gem_version] = '1.32.0'
       Seahorse::Client::Request.new(handlers, context)
     end
 

data/lib/aws-sdk-acmpca/client_api.rb

@@ -23,6 +23,7 @@ module Aws::ACMPCA
     AccountId = Shapes::StringShape.new(name: 'AccountId')
     ActionList = Shapes::ListShape.new(name: 'ActionList')
     ActionType = Shapes::StringShape.new(name: 'ActionType')
+    ApiPassthrough = Shapes::StructureShape.new(name: 'ApiPassthrough')
     Arn = Shapes::StringShape.new(name: 'Arn')
     AuditReportId = Shapes::StringShape.new(name: 'AuditReportId')
     AuditReportResponseFormat = Shapes::StringShape.new(name: 'AuditReportResponseFormat')
@@ -38,6 +39,7 @@ module Aws::ACMPCA
     CertificateChain = Shapes::StringShape.new(name: 'CertificateChain')
     CertificateChainBlob = Shapes::BlobShape.new(name: 'CertificateChainBlob')
     CertificateMismatchException = Shapes::StructureShape.new(name: 'CertificateMismatchException')
+    CertificatePolicyList = Shapes::ListShape.new(name: 'CertificatePolicyList')
     ConcurrentModificationException = Shapes::StructureShape.new(name: 'ConcurrentModificationException')
     CountryCodeString = Shapes::StringShape.new(name: 'CountryCodeString')
     CreateCertificateAuthorityAuditReportRequest = Shapes::StructureShape.new(name: 'CreateCertificateAuthorityAuditReportRequest')
@@ -58,8 +60,13 @@ module Aws::ACMPCA
     DescribeCertificateAuthorityRequest = Shapes::StructureShape.new(name: 'DescribeCertificateAuthorityRequest')
     DescribeCertificateAuthorityResponse = Shapes::StructureShape.new(name: 'DescribeCertificateAuthorityResponse')
     EdiPartyName = Shapes::StructureShape.new(name: 'EdiPartyName')
+    ExtendedKeyUsage = Shapes::StructureShape.new(name: 'ExtendedKeyUsage')
+    ExtendedKeyUsageList = Shapes::ListShape.new(name: 'ExtendedKeyUsageList')
+    ExtendedKeyUsageType = Shapes::StringShape.new(name: 'ExtendedKeyUsageType')
+    Extensions = Shapes::StructureShape.new(name: 'Extensions')
     FailureReason = Shapes::StringShape.new(name: 'FailureReason')
     GeneralName = Shapes::StructureShape.new(name: 'GeneralName')
+    GeneralNameList = Shapes::ListShape.new(name: 'GeneralNameList')
     GetCertificateAuthorityCertificateRequest = Shapes::StructureShape.new(name: 'GetCertificateAuthorityCertificateRequest')
     GetCertificateAuthorityCertificateResponse = Shapes::StructureShape.new(name: 'GetCertificateAuthorityCertificateResponse')
     GetCertificateAuthorityCsrRequest = Shapes::StructureShape.new(name: 'GetCertificateAuthorityCsrRequest')
@@ -99,9 +106,14 @@ module Aws::ACMPCA
     Permission = Shapes::StructureShape.new(name: 'Permission')
     PermissionAlreadyExistsException = Shapes::StructureShape.new(name: 'PermissionAlreadyExistsException')
     PermissionList = Shapes::ListShape.new(name: 'PermissionList')
+    PolicyInformation = Shapes::StructureShape.new(name: 'PolicyInformation')
+    PolicyQualifierId = Shapes::StringShape.new(name: 'PolicyQualifierId')
+    PolicyQualifierInfo = Shapes::StructureShape.new(name: 'PolicyQualifierInfo')
+    PolicyQualifierInfoList = Shapes::ListShape.new(name: 'PolicyQualifierInfoList')
     PositiveLong = Shapes::IntegerShape.new(name: 'PositiveLong')
     Principal = Shapes::StringShape.new(name: 'Principal')
     PutPolicyRequest = Shapes::StructureShape.new(name: 'PutPolicyRequest')
+    Qualifier = Shapes::StructureShape.new(name: 'Qualifier')
     RequestAlreadyProcessedException = Shapes::StructureShape.new(name: 'RequestAlreadyProcessedException')
     RequestFailedException = Shapes::StructureShape.new(name: 'RequestFailedException')
     RequestInProgressException = Shapes::StructureShape.new(name: 'RequestInProgressException')
@@ -165,6 +177,10 @@ module Aws::ACMPCA
 
     ActionList.member = Shapes::ShapeRef.new(shape: ActionType)
 
+    ApiPassthrough.add_member(:extensions, Shapes::ShapeRef.new(shape: Extensions, location_name: "Extensions"))
+    ApiPassthrough.add_member(:subject, Shapes::ShapeRef.new(shape: ASN1Subject, location_name: "Subject"))
+    ApiPassthrough.struct_class = Types::ApiPassthrough
+
     CertificateAuthorities.member = Shapes::ShapeRef.new(shape: CertificateAuthority)
 
     CertificateAuthority.add_member(:arn, Shapes::ShapeRef.new(shape: Arn, location_name: "Arn"))
@@ -191,6 +207,8 @@ module Aws::ACMPCA
     CertificateMismatchException.add_member(:message, Shapes::ShapeRef.new(shape: String, location_name: "message"))
     CertificateMismatchException.struct_class = Types::CertificateMismatchException
 
+    CertificatePolicyList.member = Shapes::ShapeRef.new(shape: PolicyInformation)
+
     ConcurrentModificationException.add_member(:message, Shapes::ShapeRef.new(shape: String, location_name: "message"))
     ConcurrentModificationException.struct_class = Types::ConcurrentModificationException
 
@@ -261,6 +279,18 @@ module Aws::ACMPCA
     EdiPartyName.add_member(:name_assigner, Shapes::ShapeRef.new(shape: String256, location_name: "NameAssigner"))
     EdiPartyName.struct_class = Types::EdiPartyName
 
+    ExtendedKeyUsage.add_member(:extended_key_usage_type, Shapes::ShapeRef.new(shape: ExtendedKeyUsageType, location_name: "ExtendedKeyUsageType"))
+    ExtendedKeyUsage.add_member(:extended_key_usage_object_identifier, Shapes::ShapeRef.new(shape: CustomObjectIdentifier, location_name: "ExtendedKeyUsageObjectIdentifier"))
+    ExtendedKeyUsage.struct_class = Types::ExtendedKeyUsage
+
+    ExtendedKeyUsageList.member = Shapes::ShapeRef.new(shape: ExtendedKeyUsage)
+
+    Extensions.add_member(:certificate_policies, Shapes::ShapeRef.new(shape: CertificatePolicyList, location_name: "CertificatePolicies"))
+    Extensions.add_member(:extended_key_usage, Shapes::ShapeRef.new(shape: ExtendedKeyUsageList, location_name: "ExtendedKeyUsage"))
+    Extensions.add_member(:key_usage, Shapes::ShapeRef.new(shape: KeyUsage, location_name: "KeyUsage"))
+    Extensions.add_member(:subject_alternative_names, Shapes::ShapeRef.new(shape: GeneralNameList, location_name: "SubjectAlternativeNames"))
+    Extensions.struct_class = Types::Extensions
+
     GeneralName.add_member(:other_name, Shapes::ShapeRef.new(shape: OtherName, location_name: "OtherName"))
     GeneralName.add_member(:rfc_822_name, Shapes::ShapeRef.new(shape: String256, location_name: "Rfc822Name"))
     GeneralName.add_member(:dns_name, Shapes::ShapeRef.new(shape: String253, location_name: "DnsName"))
@@ -271,6 +301,8 @@ module Aws::ACMPCA
     GeneralName.add_member(:registered_id, Shapes::ShapeRef.new(shape: CustomObjectIdentifier, location_name: "RegisteredId"))
     GeneralName.struct_class = Types::GeneralName
 
+    GeneralNameList.member = Shapes::ShapeRef.new(shape: GeneralName)
+
     GetCertificateAuthorityCertificateRequest.add_member(:certificate_authority_arn, Shapes::ShapeRef.new(shape: Arn, required: true, location_name: "CertificateAuthorityArn"))
     GetCertificateAuthorityCertificateRequest.struct_class = Types::GetCertificateAuthorityCertificateRequest
 
@@ -324,11 +356,13 @@ module Aws::ACMPCA
     InvalidTagException.add_member(:message, Shapes::ShapeRef.new(shape: String, location_name: "message"))
     InvalidTagException.struct_class = Types::InvalidTagException
 
+    IssueCertificateRequest.add_member(:api_passthrough, Shapes::ShapeRef.new(shape: ApiPassthrough, location_name: "ApiPassthrough"))
     IssueCertificateRequest.add_member(:certificate_authority_arn, Shapes::ShapeRef.new(shape: Arn, required: true, location_name: "CertificateAuthorityArn"))
     IssueCertificateRequest.add_member(:csr, Shapes::ShapeRef.new(shape: CsrBlob, required: true, location_name: "Csr"))
     IssueCertificateRequest.add_member(:signing_algorithm, Shapes::ShapeRef.new(shape: SigningAlgorithm, required: true, location_name: "SigningAlgorithm"))
     IssueCertificateRequest.add_member(:template_arn, Shapes::ShapeRef.new(shape: Arn, location_name: "TemplateArn"))
     IssueCertificateRequest.add_member(:validity, Shapes::ShapeRef.new(shape: Validity, required: true, location_name: "Validity"))
+    IssueCertificateRequest.add_member(:validity_not_before, Shapes::ShapeRef.new(shape: Validity, location_name: "ValidityNotBefore"))
     IssueCertificateRequest.add_member(:idempotency_token, Shapes::ShapeRef.new(shape: IdempotencyToken, location_name: "IdempotencyToken"))
     IssueCertificateRequest.struct_class = Types::IssueCertificateRequest
 
@@ -402,10 +436,23 @@ module Aws::ACMPCA
 
     PermissionList.member = Shapes::ShapeRef.new(shape: Permission)
 
+    PolicyInformation.add_member(:cert_policy_id, Shapes::ShapeRef.new(shape: CustomObjectIdentifier, required: true, location_name: "CertPolicyId"))
+    PolicyInformation.add_member(:policy_qualifiers, Shapes::ShapeRef.new(shape: PolicyQualifierInfoList, location_name: "PolicyQualifiers"))
+    PolicyInformation.struct_class = Types::PolicyInformation
+
+    PolicyQualifierInfo.add_member(:policy_qualifier_id, Shapes::ShapeRef.new(shape: PolicyQualifierId, required: true, location_name: "PolicyQualifierId"))
+    PolicyQualifierInfo.add_member(:qualifier, Shapes::ShapeRef.new(shape: Qualifier, required: true, location_name: "Qualifier"))
+    PolicyQualifierInfo.struct_class = Types::PolicyQualifierInfo
+
+    PolicyQualifierInfoList.member = Shapes::ShapeRef.new(shape: PolicyQualifierInfo)
+
     PutPolicyRequest.add_member(:resource_arn, Shapes::ShapeRef.new(shape: Arn, required: true, location_name: "ResourceArn"))
     PutPolicyRequest.add_member(:policy, Shapes::ShapeRef.new(shape: AWSPolicy, required: true, location_name: "Policy"))
     PutPolicyRequest.struct_class = Types::PutPolicyRequest
 
+    Qualifier.add_member(:cps_uri, Shapes::ShapeRef.new(shape: String256, required: true, location_name: "CpsUri"))
+    Qualifier.struct_class = Types::Qualifier
+
     RequestAlreadyProcessedException.add_member(:message, Shapes::ShapeRef.new(shape: String, location_name: "message"))
     RequestAlreadyProcessedException.struct_class = Types::RequestAlreadyProcessedException