# frozen_string_literal: true
# WARNING ABOUT GENERATED CODE
#
# This file is generated. See the contributing guide for more information:
# https://github.com/aws/aws-sdk-ruby/blob/version-3/CONTRIBUTING.md
#
# WARNING ABOUT GENERATED CODE
module Aws::ACMPCA
module Types
# Contains information about the certificate subject. The `Subject`
# field in the certificate identifies the entity that owns or controls
# the public key in the certificate. The entity can be a user, computer,
# device, or service. The `Subject `must contain an X.500 distinguished
# name (DN). A DN is a sequence of relative distinguished names (RDNs).
# The RDNs are separated by commas in the certificate.
#
# @!attribute [rw] country
# Two-digit code that specifies the country in which the certificate
# subject located.
# @return [String]
#
# @!attribute [rw] organization
# Legal name of the organization with which the certificate subject is
# affiliated.
# @return [String]
#
# @!attribute [rw] organizational_unit
# A subdivision or unit of the organization (such as sales or finance)
# with which the certificate subject is affiliated.
# @return [String]
#
# @!attribute [rw] distinguished_name_qualifier
# Disambiguating information for the certificate subject.
# @return [String]
#
# @!attribute [rw] state
# State in which the subject of the certificate is located.
# @return [String]
#
# @!attribute [rw] common_name
# For CA and end-entity certificates in a private PKI, the common name
# (CN) can be any string within the length limit.
#
# Note: In publicly trusted certificates, the common name must be a
# fully qualified domain name (FQDN) associated with the certificate
# subject.
# @return [String]
#
# @!attribute [rw] serial_number
# The certificate serial number.
# @return [String]
#
# @!attribute [rw] locality
# The locality (such as a city or town) in which the certificate
# subject is located.
# @return [String]
#
# @!attribute [rw] title
# A title such as Mr. or Ms., which is pre-pended to the name to refer
# formally to the certificate subject.
# @return [String]
#
# @!attribute [rw] surname
# Family name. In the US and the UK, for example, the surname of an
# individual is ordered last. In Asian cultures the surname is
# typically ordered first.
# @return [String]
#
# @!attribute [rw] given_name
# First name.
# @return [String]
#
# @!attribute [rw] initials
# Concatenation that typically contains the first letter of the
# **GivenName**, the first letter of the middle name if one exists,
# and the first letter of the **Surname**.
# @return [String]
#
# @!attribute [rw] pseudonym
# Typically a shortened version of a longer **GivenName**. For
# example, Jonathan is often shortened to John. Elizabeth is often
# shortened to Beth, Liz, or Eliza.
# @return [String]
#
# @!attribute [rw] generation_qualifier
# Typically a qualifier appended to the name of an individual.
# Examples include Jr. for junior, Sr. for senior, and III for third.
# @return [String]
#
# @!attribute [rw] custom_attributes
# Contains a sequence of one or more X.500 relative distinguished
# names (RDNs), each of which consists of an object identifier (OID)
# and a value. For more information, see NIST’s definition of [Object
# Identifier (OID)][1].
#
# Custom attributes cannot be used in combination with standard
# attributes.
#
#
#
#
#
# [1]: https://csrc.nist.gov/glossary/term/Object_Identifier
# @return [Array]
#
# @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/ASN1Subject AWS API Documentation
#
class ASN1Subject < Struct.new(
:country,
:organization,
:organizational_unit,
:distinguished_name_qualifier,
:state,
:common_name,
:serial_number,
:locality,
:title,
:surname,
:given_name,
:initials,
:pseudonym,
:generation_qualifier,
:custom_attributes)
SENSITIVE = []
include Aws::Structure
end
# Provides access information used by the `authorityInfoAccess` and
# `subjectInfoAccess` extensions described in [RFC 5280][1].
#
#
#
# [1]: https://datatracker.ietf.org/doc/html/rfc5280
#
# @!attribute [rw] access_method
# The type and format of `AccessDescription` information.
# @return [Types::AccessMethod]
#
# @!attribute [rw] access_location
# The location of `AccessDescription` information.
# @return [Types::GeneralName]
#
# @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/AccessDescription AWS API Documentation
#
class AccessDescription < Struct.new(
:access_method,
:access_location)
SENSITIVE = []
include Aws::Structure
end
# Describes the type and format of extension access. Only one of
# `CustomObjectIdentifier` or `AccessMethodType` may be provided.
# Providing both results in `InvalidArgsException`.
#
# @!attribute [rw] custom_object_identifier
# An object identifier (OID) specifying the `AccessMethod`. The OID
# must satisfy the regular expression shown below. For more
# information, see NIST's definition of [Object Identifier (OID)][1].
#
#
#
# [1]: https://csrc.nist.gov/glossary/term/Object_Identifier
# @return [String]
#
# @!attribute [rw] access_method_type
# Specifies the `AccessMethod`.
# @return [String]
#
# @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/AccessMethod AWS API Documentation
#
class AccessMethod < Struct.new(
:custom_object_identifier,
:access_method_type)
SENSITIVE = []
include Aws::Structure
end
# Contains X.509 certificate information to be placed in an issued
# certificate. An `APIPassthrough` or `APICSRPassthrough` template
# variant must be selected, or else this parameter is ignored.
#
# If conflicting or duplicate certificate information is supplied from
# other sources, Amazon Web Services Private CA applies [order of
# operation rules][1] to determine what information is used.
#
#
#
# [1]: https://docs.aws.amazon.com/privateca/latest/userguide/UsingTemplates.html#template-order-of-operations
#
# @!attribute [rw] extensions
# Specifies X.509 extension information for a certificate.
# @return [Types::Extensions]
#
# @!attribute [rw] subject
# Contains information about the certificate subject. The `Subject`
# field in the certificate identifies the entity that owns or controls
# the public key in the certificate. The entity can be a user,
# computer, device, or service. The `Subject `must contain an X.500
# distinguished name (DN). A DN is a sequence of relative
# distinguished names (RDNs). The RDNs are separated by commas in the
# certificate.
# @return [Types::ASN1Subject]
#
# @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/ApiPassthrough AWS API Documentation
#
class ApiPassthrough < Struct.new(
:extensions,
:subject)
SENSITIVE = []
include Aws::Structure
end
# Contains information about your private certificate authority (CA).
# Your private CA can issue and revoke X.509 digital certificates.
# Digital certificates verify that the entity named in the certificate
# **Subject** field owns or controls the public key contained in the
# **Subject Public Key Info** field. Call the
# [CreateCertificateAuthority][1] action to create your private CA. You
# must then call the [GetCertificateAuthorityCertificate][2] action to
# retrieve a private CA certificate signing request (CSR). Sign the CSR
# with your Amazon Web Services Private CA-hosted or on-premises root or
# subordinate CA certificate. Call the
# [ImportCertificateAuthorityCertificate][3] action to import the signed
# certificate into Certificate Manager (ACM).
#
#
#
# [1]: https://docs.aws.amazon.com/privateca/latest/APIReference/API_CreateCertificateAuthority.html
# [2]: https://docs.aws.amazon.com/privateca/latest/APIReference/API_GetCertificateAuthorityCertificate.html
# [3]: https://docs.aws.amazon.com/privateca/latest/APIReference/API_ImportCertificateAuthorityCertificate.html
#
# @!attribute [rw] arn
# Amazon Resource Name (ARN) for your private certificate authority
# (CA). The format is ` 12345678-1234-1234-1234-123456789012 `.
# @return [String]
#
# @!attribute [rw] owner_account
# The Amazon Web Services account ID that owns the certificate
# authority.
# @return [String]
#
# @!attribute [rw] created_at
# Date and time at which your private CA was created.
# @return [Time]
#
# @!attribute [rw] last_state_change_at
# Date and time at which your private CA was last updated.
# @return [Time]
#
# @!attribute [rw] type
# Type of your private CA.
# @return [String]
#
# @!attribute [rw] serial
# Serial number of your private CA.
# @return [String]
#
# @!attribute [rw] status
# Status of your private CA.
# @return [String]
#
# @!attribute [rw] not_before
# Date and time before which your private CA certificate is not valid.
# @return [Time]
#
# @!attribute [rw] not_after
# Date and time after which your private CA certificate is not valid.
# @return [Time]
#
# @!attribute [rw] failure_reason
# Reason the request to create your private CA failed.
# @return [String]
#
# @!attribute [rw] certificate_authority_configuration
# Your private CA configuration.
# @return [Types::CertificateAuthorityConfiguration]
#
# @!attribute [rw] revocation_configuration
# Information about the Online Certificate Status Protocol (OCSP)
# configuration or certificate revocation list (CRL) created and
# maintained by your private CA.
# @return [Types::RevocationConfiguration]
#
# @!attribute [rw] restorable_until
# The period during which a deleted CA can be restored. For more
# information, see the `PermanentDeletionTimeInDays` parameter of the
# [DeleteCertificateAuthorityRequest][1] action.
#
#
#
# [1]: https://docs.aws.amazon.com/privateca/latest/APIReference/API_DeleteCertificateAuthorityRequest.html
# @return [Time]
#
# @!attribute [rw] key_storage_security_standard
# Defines a cryptographic key management compliance standard used for
# handling CA keys.
#
# Default: FIPS\_140\_2\_LEVEL\_3\_OR\_HIGHER
#
# Note: Amazon Web Services Region ap-northeast-3 supports only
# FIPS\_140\_2\_LEVEL\_2\_OR\_HIGHER. You must explicitly specify this
# parameter and value when creating a CA in that Region. Specifying a
# different value (or no value) results in an `InvalidArgsException`
# with the message "A certificate authority cannot be created in this
# region with the specified security standard."
# @return [String]
#
# @!attribute [rw] usage_mode
# Specifies whether the CA issues general-purpose certificates that
# typically require a revocation mechanism, or short-lived
# certificates that may optionally omit revocation because they expire
# quickly. Short-lived certificate validity is limited to seven days.
#
# The default value is GENERAL\_PURPOSE.
# @return [String]
#
# @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/CertificateAuthority AWS API Documentation
#
class CertificateAuthority < Struct.new(
:arn,
:owner_account,
:created_at,
:last_state_change_at,
:type,
:serial,
:status,
:not_before,
:not_after,
:failure_reason,
:certificate_authority_configuration,
:revocation_configuration,
:restorable_until,
:key_storage_security_standard,
:usage_mode)
SENSITIVE = []
include Aws::Structure
end
# Contains configuration information for your private certificate
# authority (CA). This includes information about the class of public
# key algorithm and the key pair that your private CA creates when it
# issues a certificate. It also includes the signature algorithm that it
# uses when issuing certificates, and its X.500 distinguished name. You
# must specify this information when you call the
# [CreateCertificateAuthority][1] action.
#
#
#
# [1]: https://docs.aws.amazon.com/privateca/latest/APIReference/API_CreateCertificateAuthority.html
#
# @!attribute [rw] key_algorithm
# Type of the public key algorithm and size, in bits, of the key pair
# that your CA creates when it issues a certificate. When you create a
# subordinate CA, you must use a key algorithm supported by the parent
# CA.
# @return [String]
#
# @!attribute [rw] signing_algorithm
# Name of the algorithm your private CA uses to sign certificate
# requests.
#
# This parameter should not be confused with the `SigningAlgorithm`
# parameter used to sign certificates when they are issued.
# @return [String]
#
# @!attribute [rw] subject
# Structure that contains X.500 distinguished name information for
# your private CA.
# @return [Types::ASN1Subject]
#
# @!attribute [rw] csr_extensions
# Specifies information to be added to the extension section of the
# certificate signing request (CSR).
# @return [Types::CsrExtensions]
#
# @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/CertificateAuthorityConfiguration AWS API Documentation
#
class CertificateAuthorityConfiguration < Struct.new(
:key_algorithm,
:signing_algorithm,
:subject,
:csr_extensions)
SENSITIVE = []
include Aws::Structure
end
# The certificate authority certificate you are importing does not
# comply with conditions specified in the certificate that signed it.
#
# @!attribute [rw] message
# @return [String]
#
# @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/CertificateMismatchException AWS API Documentation
#
class CertificateMismatchException < Struct.new(
:message)
SENSITIVE = []
include Aws::Structure
end
# A previous update to your private CA is still ongoing.
#
# @!attribute [rw] message
# @return [String]
#
# @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/ConcurrentModificationException AWS API Documentation
#
class ConcurrentModificationException < Struct.new(
:message)
SENSITIVE = []
include Aws::Structure
end
# @!attribute [rw] certificate_authority_arn
# The Amazon Resource Name (ARN) of the CA to be audited. This is of
# the form:
#
# `arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012
# `.
# @return [String]
#
# @!attribute [rw] s3_bucket_name
# The name of the S3 bucket that will contain the audit report.
# @return [String]
#
# @!attribute [rw] audit_report_response_format
# The format in which to create the report. This can be either
# **JSON** or **CSV**.
# @return [String]
#
# @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/CreateCertificateAuthorityAuditReportRequest AWS API Documentation
#
class CreateCertificateAuthorityAuditReportRequest < Struct.new(
:certificate_authority_arn,
:s3_bucket_name,
:audit_report_response_format)
SENSITIVE = []
include Aws::Structure
end
# @!attribute [rw] audit_report_id
# An alphanumeric string that contains a report identifier.
# @return [String]
#
# @!attribute [rw] s3_key
# The **key** that uniquely identifies the report file in your S3
# bucket.
# @return [String]
#
# @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/CreateCertificateAuthorityAuditReportResponse AWS API Documentation
#
class CreateCertificateAuthorityAuditReportResponse < Struct.new(
:audit_report_id,
:s3_key)
SENSITIVE = []
include Aws::Structure
end
# @!attribute [rw] certificate_authority_configuration
# Name and bit size of the private key algorithm, the name of the
# signing algorithm, and X.500 certificate subject information.
# @return [Types::CertificateAuthorityConfiguration]
#
# @!attribute [rw] revocation_configuration
# Contains information to enable Online Certificate Status Protocol
# (OCSP) support, to enable a certificate revocation list (CRL), to
# enable both, or to enable neither. The default is for both
# certificate validation mechanisms to be disabled.
#
# The following requirements apply to revocation configurations.
#
# * A configuration disabling CRLs or OCSP must contain only the
# `Enabled=False` parameter, and will fail if other parameters such
# as `CustomCname` or `ExpirationInDays` are included.
#
# * In a CRL configuration, the `S3BucketName` parameter must conform
# to [Amazon S3 bucket naming rules][1].
#
# * A configuration containing a custom Canonical Name (CNAME)
# parameter for CRLs or OCSP must conform to [RFC2396][2]
# restrictions on the use of special characters in a CNAME.
#
# * In a CRL or OCSP configuration, the value of a CNAME parameter
# must not include a protocol prefix such as "http://" or
# "https://".
#
#
#
# For more information, see the [OcspConfiguration][3] and
# [CrlConfiguration][4] types.
#
#
#
# [1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucketnamingrules.html
# [2]: https://www.ietf.org/rfc/rfc2396.txt
# [3]: https://docs.aws.amazon.com/privateca/latest/APIReference/API_OcspConfiguration.html
# [4]: https://docs.aws.amazon.com/privateca/latest/APIReference/API_CrlConfiguration.html
# @return [Types::RevocationConfiguration]
#
# @!attribute [rw] certificate_authority_type
# The type of the certificate authority.
# @return [String]
#
# @!attribute [rw] idempotency_token
# Custom string that can be used to distinguish between calls to the
# **CreateCertificateAuthority** action. Idempotency tokens for
# **CreateCertificateAuthority** time out after five minutes.
# Therefore, if you call **CreateCertificateAuthority** multiple times
# with the same idempotency token within five minutes, Amazon Web
# Services Private CA recognizes that you are requesting only
# certificate authority and will issue only one. If you change the
# idempotency token for each call, Amazon Web Services Private CA
# recognizes that you are requesting multiple certificate authorities.
# @return [String]
#
# @!attribute [rw] key_storage_security_standard
# Specifies a cryptographic key management compliance standard used
# for handling CA keys.
#
# Default: FIPS\_140\_2\_LEVEL\_3\_OR\_HIGHER
#
# Some Amazon Web Services Regions do not support the default. When
# creating a CA in these Regions, you must provide
# `FIPS_140_2_LEVEL_2_OR_HIGHER` as the argument for
# `KeyStorageSecurityStandard`. Failure to do this results in an
# `InvalidArgsException` with the message, "A certificate authority
# cannot be created in this region with the specified security
# standard."
#
# For information about security standard support in various Regions,
# see [Storage and security compliance of Amazon Web Services Private
# CA private keys][1].
#
#
#
#
#
# [1]: https://docs.aws.amazon.com/privateca/latest/userguide/data-protection.html#private-keys
# @return [String]
#
# @!attribute [rw] tags
# Key-value pairs that will be attached to the new private CA. You can
# associate up to 50 tags with a private CA. For information using
# tags with IAM to manage permissions, see [Controlling Access Using
# IAM Tags][1].
#
#
#
# [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_iam-tags.html
# @return [Array]
#
# @!attribute [rw] usage_mode
# Specifies whether the CA issues general-purpose certificates that
# typically require a revocation mechanism, or short-lived
# certificates that may optionally omit revocation because they expire
# quickly. Short-lived certificate validity is limited to seven days.
#
# The default value is GENERAL\_PURPOSE.
# @return [String]
#
# @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/CreateCertificateAuthorityRequest AWS API Documentation
#
class CreateCertificateAuthorityRequest < Struct.new(
:certificate_authority_configuration,
:revocation_configuration,
:certificate_authority_type,
:idempotency_token,
:key_storage_security_standard,
:tags,
:usage_mode)
SENSITIVE = []
include Aws::Structure
end
# @!attribute [rw] certificate_authority_arn
# If successful, the Amazon Resource Name (ARN) of the certificate
# authority (CA). This is of the form:
#
# `arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012
# `.
# @return [String]
#
# @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/CreateCertificateAuthorityResponse AWS API Documentation
#
class CreateCertificateAuthorityResponse < Struct.new(
:certificate_authority_arn)
SENSITIVE = []
include Aws::Structure
end
# @!attribute [rw] certificate_authority_arn
# The Amazon Resource Name (ARN) of the CA that grants the
# permissions. You can find the ARN by calling the
# [ListCertificateAuthorities][1] action. This must have the following
# form:
#
# `arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012
# `.
#
#
#
# [1]: https://docs.aws.amazon.com/privateca/latest/APIReference/API_ListCertificateAuthorities.html
# @return [String]
#
# @!attribute [rw] principal
# The Amazon Web Services service or identity that receives the
# permission. At this time, the only valid principal is
# `acm.amazonaws.com`.
# @return [String]
#
# @!attribute [rw] source_account
# The ID of the calling account.
# @return [String]
#
# @!attribute [rw] actions
# The actions that the specified Amazon Web Services service principal
# can use. These include `IssueCertificate`, `GetCertificate`, and
# `ListPermissions`.
# @return [Array]
#
# @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/CreatePermissionRequest AWS API Documentation
#
class CreatePermissionRequest < Struct.new(
:certificate_authority_arn,
:principal,
:source_account,
:actions)
SENSITIVE = []
include Aws::Structure
end
# Contains configuration information for a certificate revocation list
# (CRL). Your private certificate authority (CA) creates base CRLs.
# Delta CRLs are not supported. You can enable CRLs for your new or an
# existing private CA by setting the **Enabled** parameter to `true`.
# Your private CA writes CRLs to an S3 bucket that you specify in the
# **S3BucketName** parameter. You can hide the name of your bucket by
# specifying a value for the **CustomCname** parameter. Your private CA
# copies the CNAME or the S3 bucket name to the **CRL Distribution
# Points** extension of each certificate it issues. Your S3 bucket
# policy must give write permission to Amazon Web Services Private CA.
#
# Amazon Web Services Private CA assets that are stored in Amazon S3 can
# be protected with encryption. For more information, see [Encrypting
# Your CRLs][1].
#
# Your private CA uses the value in the **ExpirationInDays** parameter
# to calculate the **nextUpdate** field in the CRL. The CRL is refreshed
# prior to a certificate's expiration date or when a certificate is
# revoked. When a certificate is revoked, it appears in the CRL until
# the certificate expires, and then in one additional CRL after
# expiration, and it always appears in the audit report.
#
# A CRL is typically updated approximately 30 minutes after a
# certificate is revoked. If for any reason a CRL update fails, Amazon
# Web Services Private CA makes further attempts every 15 minutes.
#
# CRLs contain the following fields:
#
# * **Version**: The current version number defined in RFC 5280 is V2.
# The integer value is 0x1.
#
# * **Signature Algorithm**: The name of the algorithm used to sign the
# CRL.
#
# * **Issuer**: The X.500 distinguished name of your private CA that
# issued the CRL.
#
# * **Last Update**: The issue date and time of this CRL.
#
# * **Next Update**: The day and time by which the next CRL will be
# issued.
#
# * **Revoked Certificates**: List of revoked certificates. Each list
# item contains the following information.
#
# * **Serial Number**: The serial number, in hexadecimal format, of
# the revoked certificate.
#
# * **Revocation Date**: Date and time the certificate was revoked.
#
# * **CRL Entry Extensions**: Optional extensions for the CRL entry.
#
# * **X509v3 CRL Reason Code**: Reason the certificate was revoked.
#
# ^
#
# * **CRL Extensions**: Optional extensions for the CRL.
#
# * **X509v3 Authority Key Identifier**: Identifies the public key
# associated with the private key used to sign the certificate.
#
# * **X509v3 CRL Number:**: Decimal sequence number for the CRL.
#
# * **Signature Algorithm**: Algorithm used by your private CA to sign
# the CRL.
#
# * **Signature Value**: Signature computed over the CRL.
#
# Certificate revocation lists created by Amazon Web Services Private CA
# are DER-encoded. You can use the following OpenSSL command to list a
# CRL.
#
# `openssl crl -inform DER -text -in crl_path -noout`
#
# For more information, see [Planning a certificate revocation list
# (CRL)][2] in the *Amazon Web Services Private Certificate Authority
# User Guide*
#
#
#
# [1]: https://docs.aws.amazon.com/privateca/latest/userguide/PcaCreateCa.html#crl-encryption
# [2]: https://docs.aws.amazon.com/privateca/latest/userguide/crl-planning.html
#
# @!attribute [rw] enabled
# Boolean value that specifies whether certificate revocation lists
# (CRLs) are enabled. You can use this value to enable certificate
# revocation for a new CA when you call the
# [CreateCertificateAuthority][1] action or for an existing CA when
# you call the [UpdateCertificateAuthority][2] action.
#
#
#
# [1]: https://docs.aws.amazon.com/privateca/latest/APIReference/API_CreateCertificateAuthority.html
# [2]: https://docs.aws.amazon.com/privateca/latest/APIReference/API_UpdateCertificateAuthority.html
# @return [Boolean]
#
# @!attribute [rw] expiration_in_days
# Validity period of the CRL in days.
# @return [Integer]
#
# @!attribute [rw] custom_cname
# Name inserted into the certificate **CRL Distribution Points**
# extension that enables the use of an alias for the CRL distribution
# point. Use this value if you don't want the name of your S3 bucket
# to be public.
#
# The content of a Canonical Name (CNAME) record must conform to
# [RFC2396][1] restrictions on the use of special characters in URIs.
# Additionally, the value of the CNAME must not include a protocol
# prefix such as "http://" or "https://".
#
#
#
#
#
# [1]: https://www.ietf.org/rfc/rfc2396.txt
# @return [String]
#
# @!attribute [rw] s3_bucket_name
# Name of the S3 bucket that contains the CRL. If you do not provide a
# value for the **CustomCname** argument, the name of your S3 bucket
# is placed into the **CRL Distribution Points** extension of the
# issued certificate. You can change the name of your bucket by
# calling the [UpdateCertificateAuthority][1] operation. You must
# specify a [bucket policy][2] that allows Amazon Web Services Private
# CA to write the CRL to your bucket.
#
# The `S3BucketName` parameter must conform to the [S3 bucket naming
# rules][3].
#
#
#
#
#
# [1]: https://docs.aws.amazon.com/privateca/latest/APIReference/API_UpdateCertificateAuthority.html
# [2]: https://docs.aws.amazon.com/privateca/latest/userguide/PcaCreateCa.html#s3-policies
# [3]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucketnamingrules.html
# @return [String]
#
# @!attribute [rw] s3_object_acl
# Determines whether the CRL will be publicly readable or privately
# held in the CRL Amazon S3 bucket. If you choose PUBLIC\_READ, the
# CRL will be accessible over the public internet. If you choose
# BUCKET\_OWNER\_FULL\_CONTROL, only the owner of the CRL S3 bucket
# can access the CRL, and your PKI clients may need an alternative
# method of access.
#
# If no value is specified, the default is `PUBLIC_READ`.
#
# *Note:* This default can cause CA creation to fail in some
# circumstances. If you have have enabled the Block Public Access
# (BPA) feature in your S3 account, then you must specify the value of
# this parameter as `BUCKET_OWNER_FULL_CONTROL`, and not doing so
# results in an error. If you have disabled BPA in S3, then you can
# specify either `BUCKET_OWNER_FULL_CONTROL` or `PUBLIC_READ` as the
# value.
#
# For more information, see [Blocking public access to the S3
# bucket][1].
#
#
#
# [1]: https://docs.aws.amazon.com/privateca/latest/userguide/PcaCreateCa.html#s3-bpa
# @return [String]
#
# @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/CrlConfiguration AWS API Documentation
#
class CrlConfiguration < Struct.new(
:enabled,
:expiration_in_days,
:custom_cname,
:s3_bucket_name,
:s3_object_acl)
SENSITIVE = []
include Aws::Structure
end
# Describes the certificate extensions to be added to the certificate
# signing request (CSR).
#
# @!attribute [rw] key_usage
# Indicates the purpose of the certificate and of the key contained in
# the certificate.
# @return [Types::KeyUsage]
#
# @!attribute [rw] subject_information_access
# For CA certificates, provides a path to additional information
# pertaining to the CA, such as revocation and policy. For more
# information, see [Subject Information Access][1] in RFC 5280.
#
#
#
# [1]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.2.2
# @return [Array]
#
# @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/CsrExtensions AWS API Documentation
#
class CsrExtensions < Struct.new(
:key_usage,
:subject_information_access)
SENSITIVE = []
include Aws::Structure
end
# Defines the X.500 relative distinguished name (RDN).
#
# @!attribute [rw] object_identifier
# Specifies the object identifier (OID) of the attribute type of the
# relative distinguished name (RDN).
# @return [String]
#
# @!attribute [rw] value
# Specifies the attribute value of relative distinguished name (RDN).
# @return [String]
#
# @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/CustomAttribute AWS API Documentation
#
class CustomAttribute < Struct.new(
:object_identifier,
:value)
SENSITIVE = []
include Aws::Structure
end
# Specifies the X.509 extension information for a certificate.
#
# Extensions present in `CustomExtensions` follow the `ApiPassthrough`
# [template rules][1].
#
#
#
# [1]: https://docs.aws.amazon.com/privateca/latest/userguide/UsingTemplates.html#template-order-of-operations
#
# @!attribute [rw] object_identifier
# Specifies the object identifier (OID) of the X.509 extension. For
# more information, see the [Global OID reference database.][1]
#
#
#
# [1]: https://oidref.com/2.5.29
# @return [String]
#
# @!attribute [rw] value
# Specifies the base64-encoded value of the X.509 extension.
# @return [String]
#
# @!attribute [rw] critical
# Specifies the critical flag of the X.509 extension.
# @return [Boolean]
#
# @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/CustomExtension AWS API Documentation
#
class CustomExtension < Struct.new(
:object_identifier,
:value,
:critical)
SENSITIVE = []
include Aws::Structure
end
# @!attribute [rw] certificate_authority_arn
# The Amazon Resource Name (ARN) that was returned when you called
# [CreateCertificateAuthority][1]. This must have the following form:
#
# `arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012
# `.
#
#
#
# [1]: https://docs.aws.amazon.com/privateca/latest/APIReference/API_CreateCertificateAuthority.html
# @return [String]
#
# @!attribute [rw] permanent_deletion_time_in_days
# The number of days to make a CA restorable after it has been
# deleted. This can be anywhere from 7 to 30 days, with 30 being the
# default.
# @return [Integer]
#
# @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/DeleteCertificateAuthorityRequest AWS API Documentation
#
class DeleteCertificateAuthorityRequest < Struct.new(
:certificate_authority_arn,
:permanent_deletion_time_in_days)
SENSITIVE = []
include Aws::Structure
end
# @!attribute [rw] certificate_authority_arn
# The Amazon Resource Number (ARN) of the private CA that issued the
# permissions. You can find the CA's ARN by calling the
# [ListCertificateAuthorities][1] action. This must have the following
# form:
#
# `arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012
# `.
#
#
#
# [1]: https://docs.aws.amazon.com/privateca/latest/APIReference/API_ListCertificateAuthorities.html
# @return [String]
#
# @!attribute [rw] principal
# The Amazon Web Services service or identity that will have its CA
# permissions revoked. At this time, the only valid service principal
# is `acm.amazonaws.com`
# @return [String]
#
# @!attribute [rw] source_account
# The Amazon Web Services account that calls this action.
# @return [String]
#
# @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/DeletePermissionRequest AWS API Documentation
#
class DeletePermissionRequest < Struct.new(
:certificate_authority_arn,
:principal,
:source_account)
SENSITIVE = []
include Aws::Structure
end
# @!attribute [rw] resource_arn
# The Amazon Resource Number (ARN) of the private CA that will have
# its policy deleted. You can find the CA's ARN by calling the
# [ListCertificateAuthorities][1] action. The ARN value must have the
# form
# `arn:aws:acm-pca:region:account:certificate-authority/01234567-89ab-cdef-0123-0123456789ab`.
#
#
#
# [1]: https://docs.aws.amazon.com/privateca/latest/APIReference/API_ListCertificateAuthorities.html
# @return [String]
#
# @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/DeletePolicyRequest AWS API Documentation
#
class DeletePolicyRequest < Struct.new(
:resource_arn)
SENSITIVE = []
include Aws::Structure
end
# @!attribute [rw] certificate_authority_arn
# The Amazon Resource Name (ARN) of the private CA. This must be of
# the form:
#
# `arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012
# `.
# @return [String]
#
# @!attribute [rw] audit_report_id
# The report ID returned by calling the
# [CreateCertificateAuthorityAuditReport][1] action.
#
#
#
# [1]: https://docs.aws.amazon.com/privateca/latest/APIReference/API_CreateCertificateAuthorityAuditReport.html
# @return [String]
#
# @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/DescribeCertificateAuthorityAuditReportRequest AWS API Documentation
#
class DescribeCertificateAuthorityAuditReportRequest < Struct.new(
:certificate_authority_arn,
:audit_report_id)
SENSITIVE = []
include Aws::Structure
end
# @!attribute [rw] audit_report_status
# Specifies whether report creation is in progress, has succeeded, or
# has failed.
# @return [String]
#
# @!attribute [rw] s3_bucket_name
# Name of the S3 bucket that contains the report.
# @return [String]
#
# @!attribute [rw] s3_key
# S3 **key** that uniquely identifies the report file in your S3
# bucket.
# @return [String]
#
# @!attribute [rw] created_at
# The date and time at which the report was created.
# @return [Time]
#
# @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/DescribeCertificateAuthorityAuditReportResponse AWS API Documentation
#
class DescribeCertificateAuthorityAuditReportResponse < Struct.new(
:audit_report_status,
:s3_bucket_name,
:s3_key,
:created_at)
SENSITIVE = []
include Aws::Structure
end
# @!attribute [rw] certificate_authority_arn
# The Amazon Resource Name (ARN) that was returned when you called
# [CreateCertificateAuthority][1]. This must be of the form:
#
# `arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012
# `.
#
#
#
# [1]: https://docs.aws.amazon.com/privateca/latest/APIReference/API_CreateCertificateAuthority.html
# @return [String]
#
# @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/DescribeCertificateAuthorityRequest AWS API Documentation
#
class DescribeCertificateAuthorityRequest < Struct.new(
:certificate_authority_arn)
SENSITIVE = []
include Aws::Structure
end
# @!attribute [rw] certificate_authority
# A [CertificateAuthority][1] structure that contains information
# about your private CA.
#
#
#
# [1]: https://docs.aws.amazon.com/privateca/latest/APIReference/API_CertificateAuthority.html
# @return [Types::CertificateAuthority]
#
# @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/DescribeCertificateAuthorityResponse AWS API Documentation
#
class DescribeCertificateAuthorityResponse < Struct.new(
:certificate_authority)
SENSITIVE = []
include Aws::Structure
end
# Describes an Electronic Data Interchange (EDI) entity as described in
# as defined in [Subject Alternative Name][1] in RFC 5280.
#
#
#
# [1]: https://datatracker.ietf.org/doc/html/rfc5280
#
# @!attribute [rw] party_name
# Specifies the party name.
# @return [String]
#
# @!attribute [rw] name_assigner
# Specifies the name assigner.
# @return [String]
#
# @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/EdiPartyName AWS API Documentation
#
class EdiPartyName < Struct.new(
:party_name,
:name_assigner)
SENSITIVE = []
include Aws::Structure
end
# Specifies additional purposes for which the certified public key may
# be used other than basic purposes indicated in the `KeyUsage`
# extension.
#
# @!attribute [rw] extended_key_usage_type
# Specifies a standard `ExtendedKeyUsage` as defined as in [RFC
# 5280][1].
#
#
#
# [1]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.12
# @return [String]
#
# @!attribute [rw] extended_key_usage_object_identifier
# Specifies a custom `ExtendedKeyUsage` with an object identifier
# (OID).
# @return [String]
#
# @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/ExtendedKeyUsage AWS API Documentation
#
class ExtendedKeyUsage < Struct.new(
:extended_key_usage_type,
:extended_key_usage_object_identifier)
SENSITIVE = []
include Aws::Structure
end
# Contains X.509 extension information for a certificate.
#
# @!attribute [rw] certificate_policies
# Contains a sequence of one or more policy information terms, each of
# which consists of an object identifier (OID) and optional
# qualifiers. For more information, see NIST's definition of [Object
# Identifier (OID)][1].
#
# In an end-entity certificate, these terms indicate the policy under
# which the certificate was issued and the purposes for which it may
# be used. In a CA certificate, these terms limit the set of policies
# for certification paths that include this certificate.
#
#
#
# [1]: https://csrc.nist.gov/glossary/term/Object_Identifier
# @return [Array]
#
# @!attribute [rw] extended_key_usage
# Specifies additional purposes for which the certified public key may
# be used other than basic purposes indicated in the `KeyUsage`
# extension.
# @return [Array]
#
# @!attribute [rw] key_usage
# Defines one or more purposes for which the key contained in the
# certificate can be used. Default value for each option is false.
# @return [Types::KeyUsage]
#
# @!attribute [rw] subject_alternative_names
# The subject alternative name extension allows identities to be bound
# to the subject of the certificate. These identities may be included
# in addition to or in place of the identity in the subject field of
# the certificate.
# @return [Array]
#
# @!attribute [rw] custom_extensions
# Contains a sequence of one or more X.509 extensions, each of which
# consists of an object identifier (OID), a base64-encoded value, and
# the critical flag. For more information, see the [Global OID
# reference database.][1]
#
#
#
# [1]: https://oidref.com/2.5.29
# @return [Array]
#
# @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/Extensions AWS API Documentation
#
class Extensions < Struct.new(
:certificate_policies,
:extended_key_usage,
:key_usage,
:subject_alternative_names,
:custom_extensions)
SENSITIVE = []
include Aws::Structure
end
# Describes an ASN.1 X.400 `GeneralName` as defined in [RFC 5280][1].
# Only one of the following naming options should be provided. Providing
# more than one option results in an `InvalidArgsException` error.
#
#
#
# [1]: https://datatracker.ietf.org/doc/html/rfc5280
#
# @!attribute [rw] other_name
# Represents `GeneralName` using an `OtherName` object.
# @return [Types::OtherName]
#
# @!attribute [rw] rfc_822_name
# Represents `GeneralName` as an [RFC 822][1] email address.
#
#
#
# [1]: https://datatracker.ietf.org/doc/html/rfc822
# @return [String]
#
# @!attribute [rw] dns_name
# Represents `GeneralName` as a DNS name.
# @return [String]
#
# @!attribute [rw] directory_name
# Contains information about the certificate subject. The `Subject`
# field in the certificate identifies the entity that owns or controls
# the public key in the certificate. The entity can be a user,
# computer, device, or service. The `Subject `must contain an X.500
# distinguished name (DN). A DN is a sequence of relative
# distinguished names (RDNs). The RDNs are separated by commas in the
# certificate.
# @return [Types::ASN1Subject]
#
# @!attribute [rw] edi_party_name
# Represents `GeneralName` as an `EdiPartyName` object.
# @return [Types::EdiPartyName]
#
# @!attribute [rw] uniform_resource_identifier
# Represents `GeneralName` as a URI.
# @return [String]
#
# @!attribute [rw] ip_address
# Represents `GeneralName` as an IPv4 or IPv6 address.
# @return [String]
#
# @!attribute [rw] registered_id
# Represents `GeneralName` as an object identifier (OID).
# @return [String]
#
# @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/GeneralName AWS API Documentation
#
class GeneralName < Struct.new(
:other_name,
:rfc_822_name,
:dns_name,
:directory_name,
:edi_party_name,
:uniform_resource_identifier,
:ip_address,
:registered_id)
SENSITIVE = []
include Aws::Structure
end
# @!attribute [rw] certificate_authority_arn
# The Amazon Resource Name (ARN) of your private CA. This is of the
# form:
#
# `arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012
# `.
# @return [String]
#
# @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/GetCertificateAuthorityCertificateRequest AWS API Documentation
#
class GetCertificateAuthorityCertificateRequest < Struct.new(
:certificate_authority_arn)
SENSITIVE = []
include Aws::Structure
end
# @!attribute [rw] certificate
# Base64-encoded certificate authority (CA) certificate.
# @return [String]
#
# @!attribute [rw] certificate_chain
# Base64-encoded certificate chain that includes any intermediate
# certificates and chains up to root certificate that you used to sign
# your private CA certificate. The chain does not include your private
# CA certificate. If this is a root CA, the value will be null.
# @return [String]
#
# @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/GetCertificateAuthorityCertificateResponse AWS API Documentation
#
class GetCertificateAuthorityCertificateResponse < Struct.new(
:certificate,
:certificate_chain)
SENSITIVE = []
include Aws::Structure
end
# @!attribute [rw] certificate_authority_arn
# The Amazon Resource Name (ARN) that was returned when you called the
# [CreateCertificateAuthority][1] action. This must be of the form:
#
# `arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012
# `
#
#
#
# [1]: https://docs.aws.amazon.com/privateca/latest/APIReference/API_CreateCertificateAuthority.html
# @return [String]
#
# @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/GetCertificateAuthorityCsrRequest AWS API Documentation
#
class GetCertificateAuthorityCsrRequest < Struct.new(
:certificate_authority_arn)
SENSITIVE = []
include Aws::Structure
end
# @!attribute [rw] csr
# The base64 PEM-encoded certificate signing request (CSR) for your
# private CA certificate.
# @return [String]
#
# @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/GetCertificateAuthorityCsrResponse AWS API Documentation
#
class GetCertificateAuthorityCsrResponse < Struct.new(
:csr)
SENSITIVE = []
include Aws::Structure
end
# @!attribute [rw] certificate_authority_arn
# The Amazon Resource Name (ARN) that was returned when you called
# [CreateCertificateAuthority][1]. This must be of the form:
#
# `arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012
# `.
#
#
#
# [1]: https://docs.aws.amazon.com/privateca/latest/APIReference/API_CreateCertificateAuthority.html
# @return [String]
#
# @!attribute [rw] certificate_arn
# The ARN of the issued certificate. The ARN contains the certificate
# serial number and must be in the following form:
#
# `arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012/certificate/286535153982981100925020015808220737245
# `
# @return [String]
#
# @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/GetCertificateRequest AWS API Documentation
#
class GetCertificateRequest < Struct.new(
:certificate_authority_arn,
:certificate_arn)
SENSITIVE = []
include Aws::Structure
end
# @!attribute [rw] certificate
# The base64 PEM-encoded certificate specified by the `CertificateArn`
# parameter.
# @return [String]
#
# @!attribute [rw] certificate_chain
# The base64 PEM-encoded certificate chain that chains up to the root
# CA certificate that you used to sign your private CA certificate.
# @return [String]
#
# @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/GetCertificateResponse AWS API Documentation
#
class GetCertificateResponse < Struct.new(
:certificate,
:certificate_chain)
SENSITIVE = []
include Aws::Structure
end
# @!attribute [rw] resource_arn
# The Amazon Resource Number (ARN) of the private CA that will have
# its policy retrieved. You can find the CA's ARN by calling the
# ListCertificateAuthorities action.
# @return [String]
#
# @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/GetPolicyRequest AWS API Documentation
#
class GetPolicyRequest < Struct.new(
:resource_arn)
SENSITIVE = []
include Aws::Structure
end
# @!attribute [rw] policy
# The policy attached to the private CA as a JSON document.
# @return [String]
#
# @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/GetPolicyResponse AWS API Documentation
#
class GetPolicyResponse < Struct.new(
:policy)
SENSITIVE = []
include Aws::Structure
end
# @!attribute [rw] certificate_authority_arn
# The Amazon Resource Name (ARN) that was returned when you called
# [CreateCertificateAuthority][1]. This must be of the form:
#
# `arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012
# `
#
#
#
# [1]: https://docs.aws.amazon.com/privateca/latest/APIReference/API_CreateCertificateAuthority.html
# @return [String]
#
# @!attribute [rw] certificate
# The PEM-encoded certificate for a private CA. This may be a
# self-signed certificate in the case of a root CA, or it may be
# signed by another CA that you control.
# @return [String]
#
# @!attribute [rw] certificate_chain
# A PEM-encoded file that contains all of your certificates, other
# than the certificate you're importing, chaining up to your root CA.
# Your Amazon Web Services Private CA-hosted or on-premises root
# certificate is the last in the chain, and each certificate in the
# chain signs the one preceding.
#
# This parameter must be supplied when you import a subordinate CA.
# When you import a root CA, there is no chain.
# @return [String]
#
# @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/ImportCertificateAuthorityCertificateRequest AWS API Documentation
#
class ImportCertificateAuthorityCertificateRequest < Struct.new(
:certificate_authority_arn,
:certificate,
:certificate_chain)
SENSITIVE = []
include Aws::Structure
end
# One or more of the specified arguments was not valid.
#
# @!attribute [rw] message
# @return [String]
#
# @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/InvalidArgsException AWS API Documentation
#
class InvalidArgsException < Struct.new(
:message)
SENSITIVE = []
include Aws::Structure
end
# The requested Amazon Resource Name (ARN) does not refer to an existing
# resource.
#
# @!attribute [rw] message
# @return [String]
#
# @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/InvalidArnException AWS API Documentation
#
class InvalidArnException < Struct.new(
:message)
SENSITIVE = []
include Aws::Structure
end
# The token specified in the `NextToken` argument is not valid. Use the
# token returned from your previous call to
# [ListCertificateAuthorities][1].
#
#
#
# [1]: https://docs.aws.amazon.com/privateca/latest/APIReference/API_ListCertificateAuthorities.html
#
# @!attribute [rw] message
# @return [String]
#
# @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/InvalidNextTokenException AWS API Documentation
#
class InvalidNextTokenException < Struct.new(
:message)
SENSITIVE = []
include Aws::Structure
end
# The resource policy is invalid or is missing a required statement. For
# general information about IAM policy and statement structure, see
# [Overview of JSON Policies][1].
#
#
#
# [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#access_policies-json
#
# @!attribute [rw] message
# @return [String]
#
# @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/InvalidPolicyException AWS API Documentation
#
class InvalidPolicyException < Struct.new(
:message)
SENSITIVE = []
include Aws::Structure
end
# The request action cannot be performed or is prohibited.
#
# @!attribute [rw] message
# @return [String]
#
# @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/InvalidRequestException AWS API Documentation
#
class InvalidRequestException < Struct.new(
:message)
SENSITIVE = []
include Aws::Structure
end
# The state of the private CA does not allow this action to occur.
#
# @!attribute [rw] message
# @return [String]
#
# @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/InvalidStateException AWS API Documentation
#
class InvalidStateException < Struct.new(
:message)
SENSITIVE = []
include Aws::Structure
end
# The tag associated with the CA is not valid. The invalid argument is
# contained in the message field.
#
# @!attribute [rw] message
# @return [String]
#
# @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/InvalidTagException AWS API Documentation
#
class InvalidTagException < Struct.new(
:message)
SENSITIVE = []
include Aws::Structure
end
# @!attribute [rw] api_passthrough
# Specifies X.509 certificate information to be included in the issued
# certificate. An `APIPassthrough` or `APICSRPassthrough` template
# variant must be selected, or else this parameter is ignored. For
# more information about using these templates, see [Understanding
# Certificate Templates][1].
#
# If conflicting or duplicate certificate information is supplied
# during certificate issuance, Amazon Web Services Private CA applies
# [order of operation rules][2] to determine what information is used.
#
#
#
# [1]: https://docs.aws.amazon.com/privateca/latest/userguide/UsingTemplates.html
# [2]: https://docs.aws.amazon.com/privateca/latest/userguide/UsingTemplates.html#template-order-of-operations
# @return [Types::ApiPassthrough]
#
# @!attribute [rw] certificate_authority_arn
# The Amazon Resource Name (ARN) that was returned when you called
# [CreateCertificateAuthority][1]. This must be of the form:
#
# `arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012
# `
#
#
#
# [1]: https://docs.aws.amazon.com/privateca/latest/APIReference/API_CreateCertificateAuthority.html
# @return [String]
#
# @!attribute [rw] csr
# The certificate signing request (CSR) for the certificate you want
# to issue. As an example, you can use the following OpenSSL command
# to create the CSR and a 2048 bit RSA private key.
#
# `openssl req -new -newkey rsa:2048 -days 365 -keyout
# private/test_cert_priv_key.pem -out csr/test_cert_.csr`
#
# If you have a configuration file, you can then use the following
# OpenSSL command. The `usr_cert` block in the configuration file
# contains your X509 version 3 extensions.
#
# `openssl req -new -config openssl_rsa.cnf -extensions usr_cert
# -newkey rsa:2048 -days 365 -keyout private/test_cert_priv_key.pem
# -out csr/test_cert_.csr`
#
# Note: A CSR must provide either a *subject name* or a *subject
# alternative name* or the request will be rejected.
# @return [String]
#
# @!attribute [rw] signing_algorithm
# The name of the algorithm that will be used to sign the certificate
# to be issued.
#
# This parameter should not be confused with the `SigningAlgorithm`
# parameter used to sign a CSR in the `CreateCertificateAuthority`
# action.
#
# The specified signing algorithm family (RSA or ECDSA) must match the
# algorithm family of the CA's secret key.
#
#
# @return [String]
#
# @!attribute [rw] template_arn
# Specifies a custom configuration template to use when issuing a
# certificate. If this parameter is not provided, Amazon Web Services
# Private CA defaults to the `EndEntityCertificate/V1` template. For
# CA certificates, you should choose the shortest path length that
# meets your needs. The path length is indicated by the PathLen*N*
# portion of the ARN, where *N* is the [CA depth][1].
#
# Note: The CA depth configured on a subordinate CA certificate must
# not exceed the limit set by its parents in the CA hierarchy.
#
# For a list of `TemplateArn` values supported by Amazon Web Services
# Private CA, see [Understanding Certificate Templates][2].
#
#
#
# [1]: https://docs.aws.amazon.com/privateca/latest/userguide/PcaTerms.html#terms-cadepth
# [2]: https://docs.aws.amazon.com/privateca/latest/userguide/UsingTemplates.html
# @return [String]
#
# @!attribute [rw] validity
# Information describing the end of the validity period of the
# certificate. This parameter sets the “Not After” date for the
# certificate.
#
# Certificate validity is the period of time during which a
# certificate is valid. Validity can be expressed as an explicit date
# and time when the certificate expires, or as a span of time after
# issuance, stated in days, months, or years. For more information,
# see [Validity][1] in RFC 5280.
#
# This value is unaffected when `ValidityNotBefore` is also specified.
# For example, if `Validity` is set to 20 days in the future, the
# certificate will expire 20 days from issuance time regardless of the
# `ValidityNotBefore` value.
#
# The end of the validity period configured on a certificate must not
# exceed the limit set on its parents in the CA hierarchy.
#
#
#
# [1]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.5
# @return [Types::Validity]
#
# @!attribute [rw] validity_not_before
# Information describing the start of the validity period of the
# certificate. This parameter sets the “Not Before" date for the
# certificate.
#
# By default, when issuing a certificate, Amazon Web Services Private
# CA sets the "Not Before" date to the issuance time minus 60
# minutes. This compensates for clock inconsistencies across computer
# systems. The `ValidityNotBefore` parameter can be used to customize
# the “Not Before” value.
#
# Unlike the `Validity` parameter, the `ValidityNotBefore` parameter
# is optional.
#
# The `ValidityNotBefore` value is expressed as an explicit date and
# time, using the `Validity` type value `ABSOLUTE`. For more
# information, see [Validity][1] in this API reference and
# [Validity][2] in RFC 5280.
#
#
#
# [1]: https://docs.aws.amazon.com/privateca/latest/APIReference/API_Validity.html
# [2]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.5
# @return [Types::Validity]
#
# @!attribute [rw] idempotency_token
# Alphanumeric string that can be used to distinguish between calls to
# the **IssueCertificate** action. Idempotency tokens for
# **IssueCertificate** time out after five minutes. Therefore, if you
# call **IssueCertificate** multiple times with the same idempotency
# token within five minutes, Amazon Web Services Private CA recognizes
# that you are requesting only one certificate and will issue only
# one. If you change the idempotency token for each call, Amazon Web
# Services Private CA recognizes that you are requesting multiple
# certificates.
# @return [String]
#
# @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/IssueCertificateRequest AWS API Documentation
#
class IssueCertificateRequest < Struct.new(
:api_passthrough,
:certificate_authority_arn,
:csr,
:signing_algorithm,
:template_arn,
:validity,
:validity_not_before,
:idempotency_token)
SENSITIVE = []
include Aws::Structure
end
# @!attribute [rw] certificate_arn
# The Amazon Resource Name (ARN) of the issued certificate and the
# certificate serial number. This is of the form:
#
# `arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012/certificate/286535153982981100925020015808220737245
# `
# @return [String]
#
# @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/IssueCertificateResponse AWS API Documentation
#
class IssueCertificateResponse < Struct.new(
:certificate_arn)
SENSITIVE = []
include Aws::Structure
end
# Defines one or more purposes for which the key contained in the
# certificate can be used. Default value for each option is false.
#
# @!attribute [rw] digital_signature
# Key can be used for digital signing.
# @return [Boolean]
#
# @!attribute [rw] non_repudiation
# Key can be used for non-repudiation.
# @return [Boolean]
#
# @!attribute [rw] key_encipherment
# Key can be used to encipher data.
# @return [Boolean]
#
# @!attribute [rw] data_encipherment
# Key can be used to decipher data.
# @return [Boolean]
#
# @!attribute [rw] key_agreement
# Key can be used in a key-agreement protocol.
# @return [Boolean]
#
# @!attribute [rw] key_cert_sign
# Key can be used to sign certificates.
# @return [Boolean]
#
# @!attribute [rw] crl_sign
# Key can be used to sign CRLs.
# @return [Boolean]
#
# @!attribute [rw] encipher_only
# Key can be used only to encipher data.
# @return [Boolean]
#
# @!attribute [rw] decipher_only
# Key can be used only to decipher data.
# @return [Boolean]
#
# @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/KeyUsage AWS API Documentation
#
class KeyUsage < Struct.new(
:digital_signature,
:non_repudiation,
:key_encipherment,
:data_encipherment,
:key_agreement,
:key_cert_sign,
:crl_sign,
:encipher_only,
:decipher_only)
SENSITIVE = []
include Aws::Structure
end
# An Amazon Web Services Private CA quota has been exceeded. See the
# exception message returned to determine the quota that was exceeded.
#
# @!attribute [rw] message
# @return [String]
#
# @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/LimitExceededException AWS API Documentation
#
class LimitExceededException < Struct.new(
:message)
SENSITIVE = []
include Aws::Structure
end
# @!attribute [rw] next_token
# Use this parameter when paginating results in a subsequent request
# after you receive a response with truncated results. Set it to the
# value of the `NextToken` parameter from the response you just
# received.
# @return [String]
#
# @!attribute [rw] max_results
# Use this parameter when paginating results to specify the maximum
# number of items to return in the response on each page. If
# additional items exist beyond the number you specify, the
# `NextToken` element is sent in the response. Use this `NextToken`
# value in a subsequent request to retrieve additional items.
# @return [Integer]
#
# @!attribute [rw] resource_owner
# Use this parameter to filter the returned set of certificate
# authorities based on their owner. The default is SELF.
# @return [String]
#
# @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/ListCertificateAuthoritiesRequest AWS API Documentation
#
class ListCertificateAuthoritiesRequest < Struct.new(
:next_token,
:max_results,
:resource_owner)
SENSITIVE = []
include Aws::Structure
end
# @!attribute [rw] certificate_authorities
# Summary information about each certificate authority you have
# created.
# @return [Array]
#
# @!attribute [rw] next_token
# When the list is truncated, this value is present and should be used
# for the `NextToken` parameter in a subsequent pagination request.
# @return [String]
#
# @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/ListCertificateAuthoritiesResponse AWS API Documentation
#
class ListCertificateAuthoritiesResponse < Struct.new(
:certificate_authorities,
:next_token)
SENSITIVE = []
include Aws::Structure
end
# @!attribute [rw] certificate_authority_arn
# The Amazon Resource Number (ARN) of the private CA to inspect. You
# can find the ARN by calling the [ListCertificateAuthorities][1]
# action. This must be of the form:
# `arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012`
# You can get a private CA's ARN by running the
# [ListCertificateAuthorities][1] action.
#
#
#
# [1]: https://docs.aws.amazon.com/privateca/latest/APIReference/API_ListCertificateAuthorities.html
# @return [String]
#
# @!attribute [rw] next_token
# When paginating results, use this parameter in a subsequent request
# after you receive a response with truncated results. Set it to the
# value of **NextToken** from the response you just received.
# @return [String]
#
# @!attribute [rw] max_results
# When paginating results, use this parameter to specify the maximum
# number of items to return in the response. If additional items exist
# beyond the number you specify, the **NextToken** element is sent in
# the response. Use this **NextToken** value in a subsequent request
# to retrieve additional items.
# @return [Integer]
#
# @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/ListPermissionsRequest AWS API Documentation
#
class ListPermissionsRequest < Struct.new(
:certificate_authority_arn,
:next_token,
:max_results)
SENSITIVE = []
include Aws::Structure
end
# @!attribute [rw] permissions
# Summary information about each permission assigned by the specified
# private CA, including the action enabled, the policy provided, and
# the time of creation.
# @return [Array]
#
# @!attribute [rw] next_token
# When the list is truncated, this value is present and should be used
# for the **NextToken** parameter in a subsequent pagination request.
# @return [String]
#
# @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/ListPermissionsResponse AWS API Documentation
#
class ListPermissionsResponse < Struct.new(
:permissions,
:next_token)
SENSITIVE = []
include Aws::Structure
end
# @!attribute [rw] certificate_authority_arn
# The Amazon Resource Name (ARN) that was returned when you called the
# [CreateCertificateAuthority][1] action. This must be of the form:
#
# `arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012
# `
#
#
#
# [1]: https://docs.aws.amazon.com/privateca/latest/APIReference/API_CreateCertificateAuthority.html
# @return [String]
#
# @!attribute [rw] next_token
# Use this parameter when paginating results in a subsequent request
# after you receive a response with truncated results. Set it to the
# value of **NextToken** from the response you just received.
# @return [String]
#
# @!attribute [rw] max_results
# Use this parameter when paginating results to specify the maximum
# number of items to return in the response. If additional items exist
# beyond the number you specify, the **NextToken** element is sent in
# the response. Use this **NextToken** value in a subsequent request
# to retrieve additional items.
# @return [Integer]
#
# @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/ListTagsRequest AWS API Documentation
#
class ListTagsRequest < Struct.new(
:certificate_authority_arn,
:next_token,
:max_results)
SENSITIVE = []
include Aws::Structure
end
# @!attribute [rw] tags
# The tags associated with your private CA.
# @return [Array]
#
# @!attribute [rw] next_token
# When the list is truncated, this value is present and should be used
# for the **NextToken** parameter in a subsequent pagination request.
# @return [String]
#
# @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/ListTagsResponse AWS API Documentation
#
class ListTagsResponse < Struct.new(
:tags,
:next_token)
SENSITIVE = []
include Aws::Structure
end
# The current action was prevented because it would lock the caller out
# from performing subsequent actions. Verify that the specified
# parameters would not result in the caller being denied access to the
# resource.
#
# @!attribute [rw] message
# @return [String]
#
# @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/LockoutPreventedException AWS API Documentation
#
class LockoutPreventedException < Struct.new(
:message)
SENSITIVE = []
include Aws::Structure
end
# The certificate signing request is invalid.
#
# @!attribute [rw] message
# @return [String]
#
# @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/MalformedCSRException AWS API Documentation
#
class MalformedCSRException < Struct.new(
:message)
SENSITIVE = []
include Aws::Structure
end
# One or more fields in the certificate are invalid.
#
# @!attribute [rw] message
# @return [String]
#
# @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/MalformedCertificateException AWS API Documentation
#
class MalformedCertificateException < Struct.new(
:message)
SENSITIVE = []
include Aws::Structure
end
# Contains information to enable and configure Online Certificate Status
# Protocol (OCSP) for validating certificate revocation status.
#
# When you revoke a certificate, OCSP responses may take up to 60
# minutes to reflect the new status.
#
# @!attribute [rw] enabled
# Flag enabling use of the Online Certificate Status Protocol (OCSP)
# for validating certificate revocation status.
# @return [Boolean]
#
# @!attribute [rw] ocsp_custom_cname
# By default, Amazon Web Services Private CA injects an Amazon Web
# Services domain into certificates being validated by the Online
# Certificate Status Protocol (OCSP). A customer can alternatively use
# this object to define a CNAME specifying a customized OCSP domain.
#
# The content of a Canonical Name (CNAME) record must conform to
# [RFC2396][1] restrictions on the use of special characters in URIs.
# Additionally, the value of the CNAME must not include a protocol
# prefix such as "http://" or "https://".
#
#
#
# For more information, see [Customizing Online Certificate Status
# Protocol (OCSP) ][2] in the *Amazon Web Services Private Certificate
# Authority User Guide*.
#
#
#
# [1]: https://www.ietf.org/rfc/rfc2396.txt
# [2]: https://docs.aws.amazon.com/privateca/latest/userguide/ocsp-customize.html
# @return [String]
#
# @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/OcspConfiguration AWS API Documentation
#
class OcspConfiguration < Struct.new(
:enabled,
:ocsp_custom_cname)
SENSITIVE = []
include Aws::Structure
end
# Defines a custom ASN.1 X.400 `GeneralName` using an object identifier
# (OID) and value. The OID must satisfy the regular expression shown
# below. For more information, see NIST's definition of [Object
# Identifier (OID)][1].
#
#
#
# [1]: https://csrc.nist.gov/glossary/term/Object_Identifier
#
# @!attribute [rw] type_id
# Specifies an OID.
# @return [String]
#
# @!attribute [rw] value
# Specifies an OID value.
# @return [String]
#
# @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/OtherName AWS API Documentation
#
class OtherName < Struct.new(
:type_id,
:value)
SENSITIVE = []
include Aws::Structure
end
# Permissions designate which private CA actions can be performed by an
# Amazon Web Services service or entity. In order for ACM to
# automatically renew private certificates, you must give the ACM
# service principal all available permissions (`IssueCertificate`,
# `GetCertificate`, and `ListPermissions`). Permissions can be assigned
# with the [CreatePermission][1] action, removed with the
# [DeletePermission][2] action, and listed with the [ListPermissions][3]
# action.
#
#
#
# [1]: https://docs.aws.amazon.com/privateca/latest/APIReference/API_CreatePermission.html
# [2]: https://docs.aws.amazon.com/privateca/latest/APIReference/API_DeletePermission.html
# [3]: https://docs.aws.amazon.com/privateca/latest/APIReference/API_ListPermissions.html
#
# @!attribute [rw] certificate_authority_arn
# The Amazon Resource Number (ARN) of the private CA from which the
# permission was issued.
# @return [String]
#
# @!attribute [rw] created_at
# The time at which the permission was created.
# @return [Time]
#
# @!attribute [rw] principal
# The Amazon Web Services service or entity that holds the permission.
# At this time, the only valid principal is `acm.amazonaws.com`.
# @return [String]
#
# @!attribute [rw] source_account
# The ID of the account that assigned the permission.
# @return [String]
#
# @!attribute [rw] actions
# The private CA actions that can be performed by the designated
# Amazon Web Services service.
# @return [Array]
#
# @!attribute [rw] policy
# The name of the policy that is associated with the permission.
# @return [String]
#
# @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/Permission AWS API Documentation
#
class Permission < Struct.new(
:certificate_authority_arn,
:created_at,
:principal,
:source_account,
:actions,
:policy)
SENSITIVE = []
include Aws::Structure
end
# The designated permission has already been given to the user.
#
# @!attribute [rw] message
# @return [String]
#
# @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/PermissionAlreadyExistsException AWS API Documentation
#
class PermissionAlreadyExistsException < Struct.new(
:message)
SENSITIVE = []
include Aws::Structure
end
# Defines the X.509 `CertificatePolicies` extension.
#
# @!attribute [rw] cert_policy_id
# Specifies the object identifier (OID) of the certificate policy
# under which the certificate was issued. For more information, see
# NIST's definition of [Object Identifier (OID)][1].
#
#
#
# [1]: https://csrc.nist.gov/glossary/term/Object_Identifier
# @return [String]
#
# @!attribute [rw] policy_qualifiers
# Modifies the given `CertPolicyId` with a qualifier. Amazon Web
# Services Private CA supports the certification practice statement
# (CPS) qualifier.
# @return [Array]
#
# @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/PolicyInformation AWS API Documentation
#
class PolicyInformation < Struct.new(
:cert_policy_id,
:policy_qualifiers)
SENSITIVE = []
include Aws::Structure
end
# Modifies the `CertPolicyId` of a `PolicyInformation` object with a
# qualifier. Amazon Web Services Private CA supports the certification
# practice statement (CPS) qualifier.
#
# @!attribute [rw] policy_qualifier_id
# Identifies the qualifier modifying a `CertPolicyId`.
# @return [String]
#
# @!attribute [rw] qualifier
# Defines the qualifier type. Amazon Web Services Private CA supports
# the use of a URI for a CPS qualifier in this field.
# @return [Types::Qualifier]
#
# @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/PolicyQualifierInfo AWS API Documentation
#
class PolicyQualifierInfo < Struct.new(
:policy_qualifier_id,
:qualifier)
SENSITIVE = []
include Aws::Structure
end
# @!attribute [rw] resource_arn
# The Amazon Resource Number (ARN) of the private CA to associate with
# the policy. The ARN of the CA can be found by calling the
# [ListCertificateAuthorities][1] action.
#
#
#
#
#
# [1]: https://docs.aws.amazon.com/privateca/latest/APIReference/API_ListCertificateAuthorities.html
# @return [String]
#
# @!attribute [rw] policy
# The path and file name of a JSON-formatted IAM policy to attach to
# the specified private CA resource. If this policy does not contain
# all required statements or if it includes any statement that is not
# allowed, the `PutPolicy` action returns an `InvalidPolicyException`.
# For information about IAM policy and statement structure, see
# [Overview of JSON Policies][1].
#
#
#
# [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#access_policies-json
# @return [String]
#
# @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/PutPolicyRequest AWS API Documentation
#
class PutPolicyRequest < Struct.new(
:resource_arn,
:policy)
SENSITIVE = []
include Aws::Structure
end
# Defines a `PolicyInformation` qualifier. Amazon Web Services Private
# CA supports the [certification practice statement (CPS) qualifier][1]
# defined in RFC 5280.
#
#
#
# [1]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.4
#
# @!attribute [rw] cps_uri
# Contains a pointer to a certification practice statement (CPS)
# published by the CA.
# @return [String]
#
# @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/Qualifier AWS API Documentation
#
class Qualifier < Struct.new(
:cps_uri)
SENSITIVE = []
include Aws::Structure
end
# Your request has already been completed.
#
# @!attribute [rw] message
# @return [String]
#
# @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/RequestAlreadyProcessedException AWS API Documentation
#
class RequestAlreadyProcessedException < Struct.new(
:message)
SENSITIVE = []
include Aws::Structure
end
# The request has failed for an unspecified reason.
#
# @!attribute [rw] message
# @return [String]
#
# @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/RequestFailedException AWS API Documentation
#
class RequestFailedException < Struct.new(
:message)
SENSITIVE = []
include Aws::Structure
end
# Your request is already in progress.
#
# @!attribute [rw] message
# @return [String]
#
# @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/RequestInProgressException AWS API Documentation
#
class RequestInProgressException < Struct.new(
:message)
SENSITIVE = []
include Aws::Structure
end
# A resource such as a private CA, S3 bucket, certificate, audit report,
# or policy cannot be found.
#
# @!attribute [rw] message
# @return [String]
#
# @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/ResourceNotFoundException AWS API Documentation
#
class ResourceNotFoundException < Struct.new(
:message)
SENSITIVE = []
include Aws::Structure
end
# @!attribute [rw] certificate_authority_arn
# The Amazon Resource Name (ARN) that was returned when you called the
# [CreateCertificateAuthority][1] action. This must be of the form:
#
# `arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012
# `
#
#
#
# [1]: https://docs.aws.amazon.com/privateca/latest/APIReference/API_CreateCertificateAuthority.html
# @return [String]
#
# @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/RestoreCertificateAuthorityRequest AWS API Documentation
#
class RestoreCertificateAuthorityRequest < Struct.new(
:certificate_authority_arn)
SENSITIVE = []
include Aws::Structure
end
# Certificate revocation information used by the
# [CreateCertificateAuthority][1] and [UpdateCertificateAuthority][2]
# actions. Your private certificate authority (CA) can configure Online
# Certificate Status Protocol (OCSP) support and/or maintain a
# certificate revocation list (CRL). OCSP returns validation information
# about certificates as requested by clients, and a CRL contains an
# updated list of certificates revoked by your CA. For more information,
# see [RevokeCertificate][3] and [Setting up a certificate revocation
# method][4] in the *Amazon Web Services Private Certificate Authority
# User Guide*.
#
#
#
# [1]: https://docs.aws.amazon.com/privateca/latest/APIReference/API_CreateCertificateAuthority.html
# [2]: https://docs.aws.amazon.com/privateca/latest/APIReference/API_UpdateCertificateAuthority.html
# [3]: https://docs.aws.amazon.com/privateca/latest/APIReference/API_RevokeCertificate.html
# [4]: https://docs.aws.amazon.com/privateca/latest/userguide/revocation-setup.html
#
# @!attribute [rw] crl_configuration
# Configuration of the certificate revocation list (CRL), if any,
# maintained by your private CA. A CRL is typically updated
# approximately 30 minutes after a certificate is revoked. If for any
# reason a CRL update fails, Amazon Web Services Private CA makes
# further attempts every 15 minutes.
# @return [Types::CrlConfiguration]
#
# @!attribute [rw] ocsp_configuration
# Configuration of Online Certificate Status Protocol (OCSP) support,
# if any, maintained by your private CA. When you revoke a
# certificate, OCSP responses may take up to 60 minutes to reflect the
# new status.
# @return [Types::OcspConfiguration]
#
# @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/RevocationConfiguration AWS API Documentation
#
class RevocationConfiguration < Struct.new(
:crl_configuration,
:ocsp_configuration)
SENSITIVE = []
include Aws::Structure
end
# @!attribute [rw] certificate_authority_arn
# Amazon Resource Name (ARN) of the private CA that issued the
# certificate to be revoked. This must be of the form:
#
# `arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012
# `
# @return [String]
#
# @!attribute [rw] certificate_serial
# Serial number of the certificate to be revoked. This must be in
# hexadecimal format. You can retrieve the serial number by calling
# [GetCertificate][1] with the Amazon Resource Name (ARN) of the
# certificate you want and the ARN of your private CA. The
# **GetCertificate** action retrieves the certificate in the PEM
# format. You can use the following OpenSSL command to list the
# certificate in text format and copy the hexadecimal serial number.
#
# `openssl x509 -in file_path -text -noout`
#
# You can also copy the serial number from the console or use the
# [DescribeCertificate][2] action in the *Certificate Manager API
# Reference*.
#
#
#
# [1]: https://docs.aws.amazon.com/privateca/latest/APIReference/API_GetCertificate.html
# [2]: https://docs.aws.amazon.com/acm/latest/APIReference/API_DescribeCertificate.html
# @return [String]
#
# @!attribute [rw] revocation_reason
# Specifies why you revoked the certificate.
# @return [String]
#
# @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/RevokeCertificateRequest AWS API Documentation
#
class RevokeCertificateRequest < Struct.new(
:certificate_authority_arn,
:certificate_serial,
:revocation_reason)
SENSITIVE = []
include Aws::Structure
end
# Tags are labels that you can use to identify and organize your private
# CAs. Each tag consists of a key and an optional value. You can
# associate up to 50 tags with a private CA. To add one or more tags to
# a private CA, call the [TagCertificateAuthority][1] action. To remove
# a tag, call the [UntagCertificateAuthority][2] action.
#
#
#
# [1]: https://docs.aws.amazon.com/privateca/latest/APIReference/API_TagCertificateAuthority.html
# [2]: https://docs.aws.amazon.com/privateca/latest/APIReference/API_UntagCertificateAuthority.html
#
# @!attribute [rw] key
# Key (name) of the tag.
# @return [String]
#
# @!attribute [rw] value
# Value of the tag.
# @return [String]
#
# @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/Tag AWS API Documentation
#
class Tag < Struct.new(
:key,
:value)
SENSITIVE = []
include Aws::Structure
end
# @!attribute [rw] certificate_authority_arn
# The Amazon Resource Name (ARN) that was returned when you called
# [CreateCertificateAuthority][1]. This must be of the form:
#
# `arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012
# `
#
#
#
# [1]: https://docs.aws.amazon.com/privateca/latest/APIReference/API_CreateCertificateAuthority.html
# @return [String]
#
# @!attribute [rw] tags
# List of tags to be associated with the CA.
# @return [Array]
#
# @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/TagCertificateAuthorityRequest AWS API Documentation
#
class TagCertificateAuthorityRequest < Struct.new(
:certificate_authority_arn,
:tags)
SENSITIVE = []
include Aws::Structure
end
# You can associate up to 50 tags with a private CA. Exception
# information is contained in the exception message field.
#
# @!attribute [rw] message
# @return [String]
#
# @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/TooManyTagsException AWS API Documentation
#
class TooManyTagsException < Struct.new(
:message)
SENSITIVE = []
include Aws::Structure
end
# @!attribute [rw] certificate_authority_arn
# The Amazon Resource Name (ARN) that was returned when you called
# [CreateCertificateAuthority][1]. This must be of the form:
#
# `arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012
# `
#
#
#
# [1]: https://docs.aws.amazon.com/privateca/latest/APIReference/API_CreateCertificateAuthority.html
# @return [String]
#
# @!attribute [rw] tags
# List of tags to be removed from the CA.
# @return [Array]
#
# @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/UntagCertificateAuthorityRequest AWS API Documentation
#
class UntagCertificateAuthorityRequest < Struct.new(
:certificate_authority_arn,
:tags)
SENSITIVE = []
include Aws::Structure
end
# @!attribute [rw] certificate_authority_arn
# Amazon Resource Name (ARN) of the private CA that issued the
# certificate to be revoked. This must be of the form:
#
# `arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012
# `
# @return [String]
#
# @!attribute [rw] revocation_configuration
# Contains information to enable Online Certificate Status Protocol
# (OCSP) support, to enable a certificate revocation list (CRL), to
# enable both, or to enable neither. If this parameter is not
# supplied, existing capibilites remain unchanged. For more
# information, see the [OcspConfiguration][1] and
# [CrlConfiguration][2] types.
#
# The following requirements apply to revocation configurations.
#
# * A configuration disabling CRLs or OCSP must contain only the
# `Enabled=False` parameter, and will fail if other parameters such
# as `CustomCname` or `ExpirationInDays` are included.
#
# * In a CRL configuration, the `S3BucketName` parameter must conform
# to [Amazon S3 bucket naming rules][3].
#
# * A configuration containing a custom Canonical Name (CNAME)
# parameter for CRLs or OCSP must conform to [RFC2396][4]
# restrictions on the use of special characters in a CNAME.
#
# * In a CRL or OCSP configuration, the value of a CNAME parameter
# must not include a protocol prefix such as "http://" or
# "https://".
#
#
#
#
#
# [1]: https://docs.aws.amazon.com/privateca/latest/APIReference/API_OcspConfiguration.html
# [2]: https://docs.aws.amazon.com/privateca/latest/APIReference/API_CrlConfiguration.html
# [3]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucketnamingrules.html
# [4]: https://www.ietf.org/rfc/rfc2396.txt
# @return [Types::RevocationConfiguration]
#
# @!attribute [rw] status
# Status of your private CA.
# @return [String]
#
# @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/UpdateCertificateAuthorityRequest AWS API Documentation
#
class UpdateCertificateAuthorityRequest < Struct.new(
:certificate_authority_arn,
:revocation_configuration,
:status)
SENSITIVE = []
include Aws::Structure
end
# Validity specifies the period of time during which a certificate is
# valid. Validity can be expressed as an explicit date and time when the
# validity of a certificate starts or expires, or as a span of time
# after issuance, stated in days, months, or years. For more
# information, see [Validity][1] in RFC 5280.
#
# Amazon Web Services Private CA API consumes the `Validity` data type
# differently in two distinct parameters of the `IssueCertificate`
# action. The required parameter `IssueCertificate`:`Validity` specifies
# the end of a certificate's validity period. The optional parameter
# `IssueCertificate`:`ValidityNotBefore` specifies a customized starting
# time for the validity period.
#
#
#
# [1]: https://tools.ietf.org/html/rfc5280#section-4.1.2.5
#
# @!attribute [rw] value
# A long integer interpreted according to the value of `Type`, below.
# @return [Integer]
#
# @!attribute [rw] type
# Determines how *Amazon Web Services Private CA* interprets the
# `Value` parameter, an integer. Supported validity types include
# those listed below. Type definitions with values include a sample
# input value and the resulting output.
#
# `END_DATE`: The specific date and time when the certificate will
# expire, expressed using UTCTime (YYMMDDHHMMSS) or GeneralizedTime
# (YYYYMMDDHHMMSS) format. When UTCTime is used, if the year field
# (YY) is greater than or equal to 50, the year is interpreted as
# 19YY. If the year field is less than 50, the year is interpreted as
# 20YY.
#
# * Sample input value: 491231235959 (UTCTime format)
#
# * Output expiration date/time: 12/31/2049 23:59:59
#
# `ABSOLUTE`: The specific date and time when the validity of a
# certificate will start or expire, expressed in seconds since the
# Unix Epoch.
#
# * Sample input value: 2524608000
#
# * Output expiration date/time: 01/01/2050 00:00:00
#
# `DAYS`, `MONTHS`, `YEARS`: The relative time from the moment of
# issuance until the certificate will expire, expressed in days,
# months, or years.
#
# Example if `DAYS`, issued on 10/12/2020 at 12:34:54 UTC:
#
# * Sample input value: 90
#
# * Output expiration date: 01/10/2020 12:34:54 UTC
#
# The minimum validity duration for a certificate using relative time
# (`DAYS`) is one day. The minimum validity for a certificate using
# absolute time (`ABSOLUTE` or `END_DATE`) is one second.
# @return [String]
#
# @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/Validity AWS API Documentation
#
class Validity < Struct.new(
:value,
:type)
SENSITIVE = []
include Aws::Structure
end
end
end