aws-sdk-acmpca 1.47.0 → 1.48.0
- checksums.yaml +4 -4
- data/CHANGELOG.md +5 -0
- data/VERSION +1 -1
- data/lib/aws-sdk-acmpca/client.rb +81 -88
- data/lib/aws-sdk-acmpca/types.rb +74 -77
- data/lib/aws-sdk-acmpca.rb +1 -1
- metadata +2 -2
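--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 9d5e73b72e120fe6f31fdb18760aa8a128be5cc432116ce6084da30f9e8d3140
+data.tar.gz: 85d9985fb896de12f98b252e9ed8608a056bd4dd98faf9b7f80530dc2e6049d4
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: a7f3210122e4e950a70270cdc69afa4f776e9ef3f73e5fbc7cb863d1e27910818bf909b461af3de8d3f574b9629d5c8d36563211e3d4f0f40f44ce053b71046d
+data.tar.gz: 2d2e4e53f928df205f5c5624c502d17af55bf3c2d798ac821575380fb12dd59ece4369e7cff091183e2ebbc8bb271e3fb17ff92c74a6cbbce5d2bf12a343df57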
data/CHANGELOG.md
CHANGED
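--- a/data/VERSION
+++ b/data/VERSION
@@ -1 +1 @@
-1.
+1.48.0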
@@ -376,9 +376,8 @@ module Aws::ACMPCA
|
|
376
376
|
# CA. If successful, this action returns the Amazon Resource Name (ARN)
|
377
377
|
# of the CA.
|
378
378
|
#
|
379
|
-
#
|
380
|
-
#
|
381
|
-
# Your CRLs][1].
|
379
|
+
# ACM Private CA assets that are stored in Amazon S3 can be protected
|
380
|
+
# with encryption. For more information, see [Encrypting Your CRLs][1].
|
382
381
|
#
|
383
382
|
# <note markdown="1"> Both PCA and the IAM principal must have permission to write to the S3
|
384
383
|
# bucket that you specify. If the IAM principal making the call does not
|
@@ -416,11 +415,10 @@ module Aws::ACMPCA
|
|
416
415
|
# **CreateCertificateAuthority** action. Idempotency tokens for
|
417
416
|
# **CreateCertificateAuthority** time out after five minutes. Therefore,
|
418
417
|
# if you call **CreateCertificateAuthority** multiple times with the
|
419
|
-
# same idempotency token within five minutes,
|
420
|
-
#
|
421
|
-
#
|
422
|
-
#
|
423
|
-
# certificate authorities.
|
418
|
+
# same idempotency token within five minutes, ACM Private CA recognizes
|
419
|
+
# that you are requesting only certificate authority and will issue only
|
420
|
+
# one. If you change the idempotency token for each call, PCA recognizes
|
421
|
+
# that you are requesting multiple certificate authorities.
|
424
422
|
#
|
425
423
|
# @option params [String] :key_storage_security_standard
|
426
424
|
# Specifies a cryptographic key management compliance standard used for
|
@@ -586,9 +584,9 @@ module Aws::ACMPCA
|
|
586
584
|
#
|
587
585
|
# </note>
|
588
586
|
#
|
589
|
-
#
|
590
|
-
#
|
591
|
-
#
|
587
|
+
# ACM Private CA assets that are stored in Amazon S3 can be protected
|
588
|
+
# with encryption. For more information, see [Encrypting Your Audit
|
589
|
+
# Reports][4].
|
592
590
|
#
|
593
591
|
# <note markdown="1"> You can generate a maximum of one report every 30 minutes.
|
594
592
|
#
|
@@ -664,8 +662,8 @@ module Aws::ACMPCA
|
|
664
662
|
# accounts, then permissions cannot be used to enable automatic
|
665
663
|
# renewals. Instead, the ACM certificate owner must set up a
|
666
664
|
# resource-based policy to enable cross-account issuance and renewals.
|
667
|
-
# For more information, see [Using a Resource Based Policy with
|
668
|
-
#
|
665
|
+
# For more information, see [Using a Resource Based Policy with ACM
|
666
|
+
# Private CA][3].
|
669
667
|
#
|
670
668
|
#
|
671
669
|
#
|
@@ -736,8 +734,8 @@ module Aws::ACMPCA
|
|
736
734
|
# Additionally, you can delete a CA if you are waiting for it to be
|
737
735
|
# created (that is, the status of the CA is `CREATING`). You can also
|
738
736
|
# delete it if the CA has been created but you haven't yet imported the
|
739
|
-
# signed certificate into
|
740
|
-
#
|
737
|
+
# signed certificate into ACM Private CA (that is, the status of the CA
|
738
|
+
# is `PENDING_CERTIFICATE`).
|
741
739
|
#
|
742
740
|
# When you successfully call [DeleteCertificateAuthority][3], the CA's
|
743
741
|
# status changes to `DELETED`. However, the CA won't be permanently
|
@@ -815,8 +813,8 @@ module Aws::ACMPCA
|
|
815
813
|
# accounts, then permissions cannot be used to enable automatic
|
816
814
|
# renewals. Instead, the ACM certificate owner must set up a
|
817
815
|
# resource-based policy to enable cross-account issuance and renewals.
|
818
|
-
# For more information, see [Using a Resource Based Policy with
|
819
|
-
#
|
816
|
+
# For more information, see [Using a Resource Based Policy with ACM
|
817
|
+
# Private CA][3].
|
820
818
|
#
|
821
819
|
#
|
822
820
|
#
|
@@ -884,7 +882,7 @@ module Aws::ACMPCA
|
|
884
882
|
# customer account, to Amazon Web Services Organizations, or to an
|
885
883
|
# Amazon Web Services Organizations unit. Policies are under the
|
886
884
|
# control of a CA administrator. For more information, see [Using a
|
887
|
-
# Resource Based Policy with
|
885
|
+
# Resource Based Policy with ACM Private CA][3].
|
888
886
|
#
|
889
887
|
# * A policy permits a user of Certificate Manager (ACM) to issue ACM
|
890
888
|
# certificates signed by a CA in another account.
|
@@ -892,8 +890,8 @@ module Aws::ACMPCA
|
|
892
890
|
# * For ACM to manage automatic renewal of these certificates, the ACM
|
893
891
|
# user must configure a Service Linked Role (SLR). The SLR allows the
|
894
892
|
# ACM service to assume the identity of the user, subject to
|
895
|
-
# confirmation against the
|
896
|
-
#
|
893
|
+
# confirmation against the ACM Private CA policy. For more
|
894
|
+
# information, see [Using a Service Linked Role with ACM][4].
|
897
895
|
#
|
898
896
|
# * Updates made in Amazon Web Services Resource Manager (RAM) are
|
899
897
|
# reflected in policies. For more information, see [Attach a Policy
|
@@ -940,13 +938,12 @@ module Aws::ACMPCA
|
|
940
938
|
# its ARN (Amazon Resource Name). The output contains the status of your
|
941
939
|
# CA. This can be any of the following:
|
942
940
|
#
|
943
|
-
# * `CREATING` -
|
944
|
-
#
|
941
|
+
# * `CREATING` - ACM Private CA is creating your private certificate
|
942
|
+
# authority.
|
945
943
|
#
|
946
944
|
# * `PENDING_CERTIFICATE` - The certificate is pending. You must use
|
947
|
-
# your
|
948
|
-
#
|
949
|
-
# PCA.
|
945
|
+
# your ACM Private CA-hosted or on-premises root or subordinate CA to
|
946
|
+
# sign your private CA CSR and then import it into PCA.
|
950
947
|
#
|
951
948
|
# * `ACTIVE` - Your private CA is active.
|
952
949
|
#
|
@@ -1238,11 +1235,11 @@ module Aws::ACMPCA
|
|
1238
1235
|
|
1239
1236
|
# Retrieves the certificate signing request (CSR) for your private
|
1240
1237
|
# certificate authority (CA). The CSR is created when you call the
|
1241
|
-
# [CreateCertificateAuthority][1] action. Sign the CSR with your
|
1242
|
-
#
|
1243
|
-
#
|
1244
|
-
#
|
1245
|
-
#
|
1238
|
+
# [CreateCertificateAuthority][1] action. Sign the CSR with your ACM
|
1239
|
+
# Private CA-hosted or on-premises root or subordinate CA. Then import
|
1240
|
+
# the signed certificate back into ACM Private CA by calling the
|
1241
|
+
# [ImportCertificateAuthorityCertificate][2] action. The CSR is returned
|
1242
|
+
# as a base64 PEM-encoded string.
|
1246
1243
|
#
|
1247
1244
|
#
|
1248
1245
|
#
|
@@ -1301,7 +1298,7 @@ module Aws::ACMPCA
|
|
1301
1298
|
# customer account, to Amazon Web Services Organizations, or to an
|
1302
1299
|
# Amazon Web Services Organizations unit. Policies are under the
|
1303
1300
|
# control of a CA administrator. For more information, see [Using a
|
1304
|
-
# Resource Based Policy with
|
1301
|
+
# Resource Based Policy with ACM Private CA][3].
|
1305
1302
|
#
|
1306
1303
|
# * A policy permits a user of Certificate Manager (ACM) to issue ACM
|
1307
1304
|
# certificates signed by a CA in another account.
|
@@ -1309,8 +1306,8 @@ module Aws::ACMPCA
|
|
1309
1306
|
# * For ACM to manage automatic renewal of these certificates, the ACM
|
1310
1307
|
# user must configure a Service Linked Role (SLR). The SLR allows the
|
1311
1308
|
# ACM service to assume the identity of the user, subject to
|
1312
|
-
# confirmation against the
|
1313
|
-
#
|
1309
|
+
# confirmation against the ACM Private CA policy. For more
|
1310
|
+
# information, see [Using a Service Linked Role with ACM][4].
|
1314
1311
|
#
|
1315
1312
|
# * Updates made in Amazon Web Services Resource Manager (RAM) are
|
1316
1313
|
# reflected in policies. For more information, see [Attach a Policy
|
@@ -1352,14 +1349,14 @@ module Aws::ACMPCA
|
|
1352
1349
|
req.send_request(options)
|
1353
1350
|
end
|
1354
1351
|
|
1355
|
-
# Imports a signed private CA certificate into
|
1356
|
-
#
|
1357
|
-
#
|
1358
|
-
#
|
1352
|
+
# Imports a signed private CA certificate into ACM Private CA. This
|
1353
|
+
# action is used when you are using a chain of trust whose root is
|
1354
|
+
# located outside ACM Private CA. Before you can call this action, the
|
1355
|
+
# following preparations must in place:
|
1359
1356
|
#
|
1360
|
-
# 1. In
|
1361
|
-
#
|
1362
|
-
#
|
1357
|
+
# 1. In ACM Private CA, call the [CreateCertificateAuthority][1] action
|
1358
|
+
# to create the private CA that you plan to back with the imported
|
1359
|
+
# certificate.
|
1363
1360
|
#
|
1364
1361
|
# 2. Call the [GetCertificateAuthorityCsr][2] action to generate a
|
1365
1362
|
# certificate signing request (CSR).
|
@@ -1370,14 +1367,13 @@ module Aws::ACMPCA
|
|
1370
1367
|
# 4. Create a certificate chain and copy the signed certificate and the
|
1371
1368
|
# certificate chain to your working directory.
|
1372
1369
|
#
|
1373
|
-
#
|
1374
|
-
#
|
1370
|
+
# ACM Private CA supports three scenarios for installing a CA
|
1371
|
+
# certificate:
|
1375
1372
|
#
|
1376
|
-
# * Installing a certificate for a root CA hosted by
|
1377
|
-
# Private CA.
|
1373
|
+
# * Installing a certificate for a root CA hosted by ACM Private CA.
|
1378
1374
|
#
|
1379
1375
|
# * Installing a subordinate CA certificate whose parent authority is
|
1380
|
-
# hosted by
|
1376
|
+
# hosted by ACM Private CA.
|
1381
1377
|
#
|
1382
1378
|
# * Installing a subordinate CA certificate whose parent authority is
|
1383
1379
|
# externally hosted.
|
@@ -1405,8 +1401,8 @@ module Aws::ACMPCA
|
|
1405
1401
|
#
|
1406
1402
|
# *Enforcement of Critical Constraints*
|
1407
1403
|
#
|
1408
|
-
#
|
1409
|
-
#
|
1404
|
+
# ACM Private CA allows the following extensions to be marked critical
|
1405
|
+
# in the imported CA certificate or chain.
|
1410
1406
|
#
|
1411
1407
|
# * Basic constraints (*must* be marked critical)
|
1412
1408
|
#
|
@@ -1432,8 +1428,8 @@ module Aws::ACMPCA
|
|
1432
1428
|
#
|
1433
1429
|
# * Inhibit anyPolicy
|
1434
1430
|
#
|
1435
|
-
#
|
1436
|
-
#
|
1431
|
+
# ACM Private CA rejects the following extensions when they are marked
|
1432
|
+
# critical in an imported CA certificate or chain.
|
1437
1433
|
#
|
1438
1434
|
# * Name constraints
|
1439
1435
|
#
|
@@ -1471,9 +1467,8 @@ module Aws::ACMPCA
|
|
1471
1467
|
# @option params [String, StringIO, File] :certificate_chain
|
1472
1468
|
# A PEM-encoded file that contains all of your certificates, other than
|
1473
1469
|
# the certificate you're importing, chaining up to your root CA. Your
|
1474
|
-
#
|
1475
|
-
#
|
1476
|
-
# one preceding.
|
1470
|
+
# ACM Private CA-hosted or on-premises root certificate is the last in
|
1471
|
+
# the chain, and each certificate in the chain signs the one preceding.
|
1477
1472
|
#
|
1478
1473
|
# This parameter must be supplied when you import a subordinate CA. When
|
1479
1474
|
# you import a root CA, there is no chain.
|
@@ -1504,8 +1499,8 @@ module Aws::ACMPCA
|
|
1504
1499
|
# specifying the ARN.
|
1505
1500
|
#
|
1506
1501
|
# <note markdown="1"> You cannot use the ACM **ListCertificateAuthorities** action to
|
1507
|
-
# retrieve the ARNs of the certificates that you issue by using
|
1508
|
-
#
|
1502
|
+
# retrieve the ARNs of the certificates that you issue by using ACM
|
1503
|
+
# Private CA.
|
1509
1504
|
#
|
1510
1505
|
# </note>
|
1511
1506
|
#
|
@@ -1521,8 +1516,8 @@ module Aws::ACMPCA
|
|
1521
1516
|
# Certificate Templates][1].
|
1522
1517
|
#
|
1523
1518
|
# If conflicting or duplicate certificate information is supplied during
|
1524
|
-
# certificate issuance,
|
1525
|
-
#
|
1519
|
+
# certificate issuance, ACM Private CA applies [order of operation
|
1520
|
+
# rules][2] to determine what information is used.
|
1526
1521
|
#
|
1527
1522
|
#
|
1528
1523
|
#
|
@@ -1574,8 +1569,8 @@ module Aws::ACMPCA
|
|
1574
1569
|
#
|
1575
1570
|
# @option params [String] :template_arn
|
1576
1571
|
# Specifies a custom configuration template to use when issuing a
|
1577
|
-
# certificate. If this parameter is not provided,
|
1578
|
-
#
|
1572
|
+
# certificate. If this parameter is not provided, ACM Private CA
|
1573
|
+
# defaults to the `EndEntityCertificate/V1` template. For CA
|
1579
1574
|
# certificates, you should choose the shortest path length that meets
|
1580
1575
|
# your needs. The path length is indicated by the PathLen*N* portion of
|
1581
1576
|
# the ARN, where *N* is the [CA depth][1].
|
@@ -1583,8 +1578,8 @@ module Aws::ACMPCA
|
|
1583
1578
|
# Note: The CA depth configured on a subordinate CA certificate must not
|
1584
1579
|
# exceed the limit set by its parents in the CA hierarchy.
|
1585
1580
|
#
|
1586
|
-
# For a list of `TemplateArn` values supported by
|
1587
|
-
#
|
1581
|
+
# For a list of `TemplateArn` values supported by ACM Private CA, see
|
1582
|
+
# [Understanding Certificate Templates][2].
|
1588
1583
|
#
|
1589
1584
|
#
|
1590
1585
|
#
|
@@ -1619,10 +1614,10 @@ module Aws::ACMPCA
|
|
1619
1614
|
# certificate. This parameter sets the “Not Before" date for the
|
1620
1615
|
# certificate.
|
1621
1616
|
#
|
1622
|
-
# By default, when issuing a certificate,
|
1623
|
-
#
|
1624
|
-
#
|
1625
|
-
#
|
1617
|
+
# By default, when issuing a certificate, ACM Private CA sets the "Not
|
1618
|
+
# Before" date to the issuance time minus 60 minutes. This compensates
|
1619
|
+
# for clock inconsistencies across computer systems. The
|
1620
|
+
# `ValidityNotBefore` parameter can be used to customize the “Not
|
1626
1621
|
# Before” value.
|
1627
1622
|
#
|
1628
1623
|
# Unlike the `Validity` parameter, the `ValidityNotBefore` parameter is
|
@@ -1643,10 +1638,10 @@ module Aws::ACMPCA
|
|
1643
1638
|
# the **IssueCertificate** action. Idempotency tokens for
|
1644
1639
|
# **IssueCertificate** time out after one minute. Therefore, if you call
|
1645
1640
|
# **IssueCertificate** multiple times with the same idempotency token
|
1646
|
-
# within one minute,
|
1647
|
-
#
|
1648
|
-
#
|
1649
|
-
#
|
1641
|
+
# within one minute, ACM Private CA recognizes that you are requesting
|
1642
|
+
# only one certificate and will issue only one. If you change the
|
1643
|
+
# idempotency token for each call, PCA recognizes that you are
|
1644
|
+
# requesting multiple certificates.
|
1650
1645
|
#
|
1651
1646
|
# @return [Types::IssueCertificateResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
|
1652
1647
|
#
|
@@ -1937,8 +1932,8 @@ module Aws::ACMPCA
|
|
1937
1932
|
# accounts, then permissions cannot be used to enable automatic
|
1938
1933
|
# renewals. Instead, the ACM certificate owner must set up a
|
1939
1934
|
# resource-based policy to enable cross-account issuance and renewals.
|
1940
|
-
# For more information, see [Using a Resource Based Policy with
|
1941
|
-
#
|
1935
|
+
# For more information, see [Using a Resource Based Policy with ACM
|
1936
|
+
# Private CA][3].
|
1942
1937
|
#
|
1943
1938
|
#
|
1944
1939
|
#
|
@@ -2087,7 +2082,7 @@ module Aws::ACMPCA
|
|
2087
2082
|
# customer account, to Amazon Web Services Organizations, or to an
|
2088
2083
|
# Amazon Web Services Organizations unit. Policies are under the
|
2089
2084
|
# control of a CA administrator. For more information, see [Using a
|
2090
|
-
# Resource Based Policy with
|
2085
|
+
# Resource Based Policy with ACM Private CA][4].
|
2091
2086
|
#
|
2092
2087
|
# * A policy permits a user of Certificate Manager (ACM) to issue ACM
|
2093
2088
|
# certificates signed by a CA in another account.
|
@@ -2095,8 +2090,8 @@ module Aws::ACMPCA
|
|
2095
2090
|
# * For ACM to manage automatic renewal of these certificates, the ACM
|
2096
2091
|
# user must configure a Service Linked Role (SLR). The SLR allows the
|
2097
2092
|
# ACM service to assume the identity of the user, subject to
|
2098
|
-
# confirmation against the
|
2099
|
-
#
|
2093
|
+
# confirmation against the ACM Private CA policy. For more
|
2094
|
+
# information, see [Using a Service Linked Role with ACM][5].
|
2100
2095
|
#
|
2101
2096
|
# * Updates made in Amazon Web Services Resource Manager (RAM) are
|
2102
2097
|
# reflected in policies. For more information, see [Attach a Policy
|
@@ -2205,17 +2200,16 @@ module Aws::ACMPCA
|
|
2205
2200
|
req.send_request(options)
|
2206
2201
|
end
|
2207
2202
|
|
2208
|
-
# Revokes a certificate that was issued inside
|
2209
|
-
#
|
2210
|
-
#
|
2211
|
-
#
|
2212
|
-
#
|
2213
|
-
#
|
2214
|
-
#
|
2215
|
-
#
|
2216
|
-
#
|
2217
|
-
#
|
2218
|
-
# CloudWatch Metrics][1].
|
2203
|
+
# Revokes a certificate that was issued inside ACM Private CA. If you
|
2204
|
+
# enable a certificate revocation list (CRL) when you create or update
|
2205
|
+
# your private CA, information about the revoked certificates will be
|
2206
|
+
# included in the CRL. ACM Private CA writes the CRL to an S3 bucket
|
2207
|
+
# that you specify. A CRL is typically updated approximately 30 minutes
|
2208
|
+
# after a certificate is revoked. If for any reason the CRL update
|
2209
|
+
# fails, ACM Private CA attempts makes further attempts every 15
|
2210
|
+
# minutes. With Amazon CloudWatch, you can create alarms for the metrics
|
2211
|
+
# `CRLGenerated` and `MisconfiguredCRLBucket`. For more information, see
|
2212
|
+
# [Supported CloudWatch Metrics][1].
|
2219
2213
|
#
|
2220
2214
|
# <note markdown="1"> Both PCA and the IAM principal must have permission to write to the S3
|
2221
2215
|
# bucket that you specify. If the IAM principal making the call does not
|
@@ -2224,9 +2218,8 @@ module Aws::ACMPCA
|
|
2224
2218
|
#
|
2225
2219
|
# </note>
|
2226
2220
|
#
|
2227
|
-
#
|
2228
|
-
#
|
2229
|
-
# [CreateCertificateAuthorityAuditReport][3].
|
2221
|
+
# ACM Private CA also writes revocation information to the audit report.
|
2222
|
+
# For more information, see [CreateCertificateAuthorityAuditReport][3].
|
2230
2223
|
#
|
2231
2224
|
# <note markdown="1"> You cannot revoke a root CA self-signed certificate.
|
2232
2225
|
#
|
@@ -2473,7 +2466,7 @@ module Aws::ACMPCA
|
|
2473
2466
|
params: params,
|
2474
2467
|
config: config)
|
2475
2468
|
context[:gem_name] = 'aws-sdk-acmpca'
|
2476
|
-
context[:gem_version] = '1.
|
2469
|
+
context[:gem_version] = '1.48.0'
|
2477
2470
|
Seahorse::Client::Request.new(handlers, context)
|
2478
2471
|
end
|
2479
2472
|
|
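--- a/data/lib/aws-sdk-acmpca/types.rb
+++ b/data/lib/aws-sdk-acmpca/types.rb
@@ -265,8 +265,8 @@ module Aws::ACMPCA
 # variant must be selected, or else this parameter is ignored.
 #
 # If conflicting or duplicate certificate information is supplied from
-# other sources,
-#
+# other sources, ACM Private CA applies [order of operation rules][1] to
+# determine what information is used.
 #
 #
 #
@@ -409,10 +409,10 @@ module Aws::ACMPCA
 # [CreateCertificateAuthority][1] action to create your private CA. You
 # must then call the [GetCertificateAuthorityCertificate][2] action to
 # retrieve a private CA certificate signing request (CSR). Sign the CSR
-# with your
-#
-#
-#
+# with your ACM Private CA-hosted or on-premises root or subordinate CA
+# certificate. Call the [ImportCertificateAuthorityCertificate][3]
+# action to import the signed certificate into Certificate Manager
+# (ACM).
 #
 #
 #
@@ -874,11 +874,11 @@ module Aws::ACMPCA
 # **CreateCertificateAuthority** action. Idempotency tokens for
 # **CreateCertificateAuthority** time out after five minutes.
 # Therefore, if you call **CreateCertificateAuthority** multiple times
-# with the same idempotency token within five minutes,
-#
-#
-#
-#
+# with the same idempotency token within five minutes, ACM Private CA
+# recognizes that you are requesting only certificate authority and
+# will issue only one. If you change the idempotency token for each
+# call, PCA recognizes that you are requesting multiple certificate
+# authorities.
 # @return [String]
 #
 # @!attribute [rw] key_storage_security_standard
@@ -996,11 +996,10 @@ module Aws::ACMPCA
 # specifying a value for the **CustomCname** parameter. Your private CA
 # copies the CNAME or the S3 bucket name to the **CRL Distribution
 # Points** extension of each certificate it issues. Your S3 bucket
-# policy must give write permission to
+# policy must give write permission to ACM Private CA.
 #
-#
-#
-# Your CRLs][1].
+# ACM Private CA assets that are stored in Amazon S3 can be protected
+# with encryption. For more information, see [Encrypting Your CRLs][1].
 #
 # Your private CA uses the value in the **ExpirationInDays** parameter
 # to calculate the **nextUpdate** field in the CRL. The CRL is refreshed
@@ -1010,8 +1009,8 @@ module Aws::ACMPCA
 # expiration, and it always appears in the audit report.
 #
 # A CRL is typically updated approximately 30 minutes after a
-# certificate is revoked. If for any reason a CRL update fails,
-#
+# certificate is revoked. If for any reason a CRL update fails, ACM
+# Private CA makes further attempts every 15 minutes.
 #
 # CRLs contain the following fields:
 #
@@ -1055,15 +1054,14 @@ module Aws::ACMPCA
 #
 # * **Signature Value**\: Signature computed over the CRL.
 #
-# Certificate revocation lists created by
-#
-# CRL.
+# Certificate revocation lists created by ACM Private CA are
+# DER-encoded. You can use the following OpenSSL command to list a CRL.
 #
 # `openssl crl -inform DER -text -in crl_path -noout`
 #
 # For more information, see [Planning a certificate revocation list
-# (CRL)][2] in the *
-# User Guide*
+# (CRL)][2] in the *Certificate Manager Private Certificate Authority
+# (PCA) User Guide*
 #
 #
 #
@@ -1111,8 +1109,8 @@ module Aws::ACMPCA
 # is placed into the **CRL Distribution Points** extension of the
 # issued certificate. You can change the name of your bucket by
 # calling the [UpdateCertificateAuthority][1] operation. You must
-# specify a [bucket policy][2] that allows
-#
+# specify a [bucket policy][2] that allows ACM Private CA to write the
+# CRL to your bucket.
 #
 #
 #
@@ -2054,9 +2052,9 @@ module Aws::ACMPCA
 # @!attribute [rw] certificate_chain
 # A PEM-encoded file that contains all of your certificates, other
 # than the certificate you're importing, chaining up to your root CA.
-# Your
-#
-#
+# Your ACM Private CA-hosted or on-premises root certificate is the
+# last in the chain, and each certificate in the chain signs the one
+# preceding.
 #
 # This parameter must be supplied when you import a subordinate CA.
 # When you import a root CA, there is no chain.
@@ -2306,8 +2304,8 @@ module Aws::ACMPCA
 # Certificate Templates][1].
 #
 # If conflicting or duplicate certificate information is supplied
-# during certificate issuance,
-#
+# during certificate issuance, ACM Private CA applies [order of
+# operation rules][2] to determine what information is used.
 #
 #
 #
@@ -2363,17 +2361,17 @@ module Aws::ACMPCA
 #
 # @!attribute [rw] template_arn
 # Specifies a custom configuration template to use when issuing a
-# certificate. If this parameter is not provided,
-#
-#
-#
-#
+# certificate. If this parameter is not provided, ACM Private CA
+# defaults to the `EndEntityCertificate/V1` template. For CA
+# certificates, you should choose the shortest path length that meets
+# your needs. The path length is indicated by the PathLen*N* portion
+# of the ARN, where *N* is the [CA depth][1].
 #
 # Note: The CA depth configured on a subordinate CA certificate must
 # not exceed the limit set by its parents in the CA hierarchy.
 #
-# For a list of `TemplateArn` values supported by
-#
+# For a list of `TemplateArn` values supported by ACM Private CA, see
+# [Understanding Certificate Templates][2].
 #
 #
 #
@@ -2410,11 +2408,11 @@ module Aws::ACMPCA
 # certificate. This parameter sets the “Not Before" date for the
 # certificate.
 #
-# By default, when issuing a certificate,
-#
-#
-#
-#
+# By default, when issuing a certificate, ACM Private CA sets the
+# "Not Before" date to the issuance time minus 60 minutes. This
+# compensates for clock inconsistencies across computer systems. The
+# `ValidityNotBefore` parameter can be used to customize the “Not
+# Before” value.
 #
 # Unlike the `Validity` parameter, the `ValidityNotBefore` parameter
 # is optional.
@@ -2435,10 +2433,10 @@ module Aws::ACMPCA
 # the **IssueCertificate** action. Idempotency tokens for
 # **IssueCertificate** time out after one minute. Therefore, if you
 # call **IssueCertificate** multiple times with the same idempotency
-# token within one minute,
-#
-#
-#
+# token within one minute, ACM Private CA recognizes that you are
+# requesting only one certificate and will issue only one. If you
+# change the idempotency token for each call, PCA recognizes that you
+# are requesting multiple certificates.
 # @return [String]
 #
 # @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/IssueCertificateRequest AWS API Documentation
@@ -2542,8 +2540,8 @@ module Aws::ACMPCA
 include Aws::Structure
 end
 
-# An
-#
+# An ACM Private CA quota has been exceeded. See the exception message
+# returned to determine the quota that was exceeded.
 #
 # @!attribute [rw] message
 # @return [String]
@@ -2805,17 +2803,17 @@ module Aws::ACMPCA
 # @return [Boolean]
 #
 # @!attribute [rw] ocsp_custom_cname
-# By default,
-#
-#
-#
+# By default, ACM Private CA injects an Amazon Web Services domain
+# into certificates being validated by the Online Certificate Status
+# Protocol (OCSP). A customer can alternatively use this object to
+# define a CNAME specifying a customized OCSP domain.
 #
 # Note: The value of the CNAME must not include a protocol prefix such
 # as "http://" or "https://".
 #
 # For more information, see [Customizing Online Certificate Status
-# Protocol (OCSP) ][1] in the *
-# Authority User Guide*.
+# Protocol (OCSP) ][1] in the *Certificate Manager Private Certificate
+# Authority (PCA) User Guide*.
 #
 #
 #
@@ -2961,9 +2959,8 @@ module Aws::ACMPCA
 # @return [String]
 #
 # @!attribute [rw] policy_qualifiers
-# Modifies the given `CertPolicyId` with a qualifier.
-#
-# (CPS) qualifier.
+# Modifies the given `CertPolicyId` with a qualifier. ACM Private CA
+# supports the certification practice statement (CPS) qualifier.
 # @return [Array<Types::PolicyQualifierInfo>]
 #
 # @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/PolicyInformation AWS API Documentation
@@ -2976,8 +2973,8 @@ module Aws::ACMPCA
 end
 
 # Modifies the `CertPolicyId` of a `PolicyInformation` object with a
-# qualifier.
-#
+# qualifier. ACM Private CA supports the certification practice
+# statement (CPS) qualifier.
 #
 # @note When making an API call, you may pass PolicyQualifierInfo
 # data as a hash:
@@ -2994,8 +2991,8 @@ module Aws::ACMPCA
 # @return [String]
 #
 # @!attribute [rw] qualifier
-# Defines the qualifier type.
-#
+# Defines the qualifier type. ACM Private CA supports the use of a URI
+# for a CPS qualifier in this field.
 # @return [Types::Qualifier]
 #
 # @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/PolicyQualifierInfo AWS API Documentation
@@ -3049,9 +3046,9 @@ module Aws::ACMPCA
 include Aws::Structure
 end
 
-# Defines a `PolicyInformation` qualifier.
-#
-#
+# Defines a `PolicyInformation` qualifier. ACM Private CA supports the
+# [certification practice statement (CPS) qualifier][1] defined in RFC
+# 5280.
 #
 #
 #
@@ -3165,8 +3162,8 @@ module Aws::ACMPCA
 # about certificates as requested by clients, and a CRL contains an
 # updated list of certificates revoked by your CA. For more information,
 # see [RevokeCertificate][3] and [Setting up a certificate revocation
-# method][4] in the *
-# User Guide*.
+# method][4] in the *Certificate Manager Private Certificate Authority
+# (PCA) User Guide*.
 #
 #
 #
@@ -3196,8 +3193,8 @@ module Aws::ACMPCA
 # Configuration of the certificate revocation list (CRL), if any,
 # maintained by your private CA. A CRL is typically updated
 # approximately 30 minutes after a certificate is revoked. If for any
-# reason a CRL update fails,
-#
+# reason a CRL update fails, ACM Private CA makes further attempts
+# every 15 minutes.
 # @return [Types::CrlConfiguration]
 #
 # @!attribute [rw] ocsp_configuration
@@ -3457,12 +3454,12 @@ module Aws::ACMPCA
 # after issuance, stated in days, months, or years. For more
 # information, see [Validity][1] in RFC 5280.
 #
-#
-#
-#
-#
-#
-#
+# ACM Private CA API consumes the `Validity` data type differently in
+# two distinct parameters of the `IssueCertificate` action. The required
+# parameter `IssueCertificate`\:`Validity` specifies the end of a
+# certificate's validity period. The optional parameter
+# `IssueCertificate`\:`ValidityNotBefore` specifies a customized
+# starting time for the validity period.
 #
 #
 #
@@ -3481,10 +3478,10 @@ module Aws::ACMPCA
 # @return [Integer]
 #
 # @!attribute [rw] type
-# Determines how *
-#
-#
-#
+# Determines how *ACM Private CA* interprets the `Value` parameter, an
+# integer. Supported validity types include those listed below. Type
+# definitions with values include a sample input value and the
+# resulting output.
 #
 # `END_DATE`\: The specific date and time when the certificate will
 # expire, expressed using UTCTime (YYMMDDHHMMSS) or GeneralizedTime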
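Review bot: The added comment lines in the `@@ -409,10 +409,10 @@` hunk say the signed certificate is imported "into Certificate Manager (ACM)", whereas the client.rb comments on this same page describe `ImportCertificateAuthorityCertificate` as importing it "back into ACM Private CA". The unchanged line just above also names `GetCertificateAuthorityCertificate` as the call that retrieves the CSR, where client.rb names `GetCertificateAuthorityCsr`. Someone following this comment to bootstrap a private CA would be sent to the wrong service and the wrong call, so the last two added lines would read better as `# action to import the signed certificate into ACM Private CA.`, with the CSR reference corrected alongside. The comment block starts and ends outside the hunk. These comments look generated from the service model, so the correction probably belongs there rather than in this file.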
data/lib/aws-sdk-acmpca.rb
CHANGED
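--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: aws-sdk-acmpca
 version: !ruby/object:Gem::Version
-version: 1.
+version: 1.48.0
 platform: ruby
 authors:
 - Amazon Web Services
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2022-03-
+date: 2022-03-28 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: aws-sdk-core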