# frozen_string_literal: true
# WARNING ABOUT GENERATED CODE
#
# This file is generated. See the contributing guide for more information:
# https://github.com/aws/aws-sdk-ruby/blob/version-3/CONTRIBUTING.md
#
# WARNING ABOUT GENERATED CODE
module Aws::ACMPCA
module Types
# Contains information about the certificate subject. The `Subject`
# field in the certificate identifies the entity that owns or controls
# the public key in the certificate. The entity can be a user, computer,
# device, or service. The `Subject `must contain an X.500 distinguished
# name (DN). A DN is a sequence of relative distinguished names (RDNs).
# The RDNs are separated by commas in the certificate.
#
# @note When making an API call, you may pass ASN1Subject
# data as a hash:
#
# {
# country: "CountryCodeString",
# organization: "String64",
# organizational_unit: "String64",
# distinguished_name_qualifier: "ASN1PrintableString64",
# state: "String128",
# common_name: "String64",
# serial_number: "ASN1PrintableString64",
# locality: "String128",
# title: "String64",
# surname: "String40",
# given_name: "String16",
# initials: "String5",
# pseudonym: "String128",
# generation_qualifier: "String3",
# custom_attributes: [
# {
# object_identifier: "CustomObjectIdentifier", # required
# value: "String1To256", # required
# },
# ],
# }
#
# @!attribute [rw] country
# Two-digit code that specifies the country in which the certificate
# subject located.
# @return [String]
#
# @!attribute [rw] organization
# Legal name of the organization with which the certificate subject is
# affiliated.
# @return [String]
#
# @!attribute [rw] organizational_unit
# A subdivision or unit of the organization (such as sales or finance)
# with which the certificate subject is affiliated.
# @return [String]
#
# @!attribute [rw] distinguished_name_qualifier
# Disambiguating information for the certificate subject.
# @return [String]
#
# @!attribute [rw] state
# State in which the subject of the certificate is located.
# @return [String]
#
# @!attribute [rw] common_name
# For CA and end-entity certificates in a private PKI, the common name
# (CN) can be any string within the length limit.
#
# Note: In publicly trusted certificates, the common name must be a
# fully qualified domain name (FQDN) associated with the certificate
# subject.
# @return [String]
#
# @!attribute [rw] serial_number
# The certificate serial number.
# @return [String]
#
# @!attribute [rw] locality
# The locality (such as a city or town) in which the certificate
# subject is located.
# @return [String]
#
# @!attribute [rw] title
# A title such as Mr. or Ms., which is pre-pended to the name to refer
# formally to the certificate subject.
# @return [String]
#
# @!attribute [rw] surname
# Family name. In the US and the UK, for example, the surname of an
# individual is ordered last. In Asian cultures the surname is
# typically ordered first.
# @return [String]
#
# @!attribute [rw] given_name
# First name.
# @return [String]
#
# @!attribute [rw] initials
# Concatenation that typically contains the first letter of the
# **GivenName**, the first letter of the middle name if one exists,
# and the first letter of the **Surname**.
# @return [String]
#
# @!attribute [rw] pseudonym
# Typically a shortened version of a longer **GivenName**. For
# example, Jonathan is often shortened to John. Elizabeth is often
# shortened to Beth, Liz, or Eliza.
# @return [String]
#
# @!attribute [rw] generation_qualifier
# Typically a qualifier appended to the name of an individual.
# Examples include Jr. for junior, Sr. for senior, and III for third.
# @return [String]
#
# @!attribute [rw] custom_attributes
# Contains a sequence of one or more X.500 relative distinguished
# names (RDNs), each of which consists of an object identifier (OID)
# and a value. For more information, see NIST’s definition of [Object
# Identifier (OID)][1].
#
# Custom attributes cannot be used in combination with standard
# attributes.
#
#
#
#
#
# [1]: https://csrc.nist.gov/glossary/term/Object_Identifier
# @return [Array]
#
# @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/ASN1Subject AWS API Documentation
#
class ASN1Subject < Struct.new(
:country,
:organization,
:organizational_unit,
:distinguished_name_qualifier,
:state,
:common_name,
:serial_number,
:locality,
:title,
:surname,
:given_name,
:initials,
:pseudonym,
:generation_qualifier,
:custom_attributes)
SENSITIVE = []
include Aws::Structure
end
# Provides access information used by the `authorityInfoAccess` and
# `subjectInfoAccess` extensions described in [RFC 5280][1].
#
#
#
# [1]: https://datatracker.ietf.org/doc/html/rfc5280
#
# @note When making an API call, you may pass AccessDescription
# data as a hash:
#
# {
# access_method: { # required
# custom_object_identifier: "CustomObjectIdentifier",
# access_method_type: "CA_REPOSITORY", # accepts CA_REPOSITORY, RESOURCE_PKI_MANIFEST, RESOURCE_PKI_NOTIFY
# },
# access_location: { # required
# other_name: {
# type_id: "CustomObjectIdentifier", # required
# value: "String256", # required
# },
# rfc_822_name: "String256",
# dns_name: "String253",
# directory_name: {
# country: "CountryCodeString",
# organization: "String64",
# organizational_unit: "String64",
# distinguished_name_qualifier: "ASN1PrintableString64",
# state: "String128",
# common_name: "String64",
# serial_number: "ASN1PrintableString64",
# locality: "String128",
# title: "String64",
# surname: "String40",
# given_name: "String16",
# initials: "String5",
# pseudonym: "String128",
# generation_qualifier: "String3",
# custom_attributes: [
# {
# object_identifier: "CustomObjectIdentifier", # required
# value: "String1To256", # required
# },
# ],
# },
# edi_party_name: {
# party_name: "String256", # required
# name_assigner: "String256",
# },
# uniform_resource_identifier: "String253",
# ip_address: "String39",
# registered_id: "CustomObjectIdentifier",
# },
# }
#
# @!attribute [rw] access_method
# The type and format of `AccessDescription` information.
# @return [Types::AccessMethod]
#
# @!attribute [rw] access_location
# The location of `AccessDescription` information.
# @return [Types::GeneralName]
#
# @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/AccessDescription AWS API Documentation
#
class AccessDescription < Struct.new(
:access_method,
:access_location)
SENSITIVE = []
include Aws::Structure
end
# Describes the type and format of extension access. Only one of
# `CustomObjectIdentifier` or `AccessMethodType` may be provided.
# Providing both results in `InvalidArgsException`.
#
# @note When making an API call, you may pass AccessMethod
# data as a hash:
#
# {
# custom_object_identifier: "CustomObjectIdentifier",
# access_method_type: "CA_REPOSITORY", # accepts CA_REPOSITORY, RESOURCE_PKI_MANIFEST, RESOURCE_PKI_NOTIFY
# }
#
# @!attribute [rw] custom_object_identifier
# An object identifier (OID) specifying the `AccessMethod`. The OID
# must satisfy the regular expression shown below. For more
# information, see NIST's definition of [Object Identifier (OID)][1].
#
#
#
# [1]: https://csrc.nist.gov/glossary/term/Object_Identifier
# @return [String]
#
# @!attribute [rw] access_method_type
# Specifies the `AccessMethod`.
# @return [String]
#
# @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/AccessMethod AWS API Documentation
#
class AccessMethod < Struct.new(
:custom_object_identifier,
:access_method_type)
SENSITIVE = []
include Aws::Structure
end
# Contains X.509 certificate information to be placed in an issued
# certificate. An `APIPassthrough` or `APICSRPassthrough` template
# variant must be selected, or else this parameter is ignored.
#
# If conflicting or duplicate certificate information is supplied from
# other sources, ACM Private CA applies [order of operation rules][1] to
# determine what information is used.
#
#
#
# [1]: https://docs.aws.amazon.com/acm-pca/latest/userguide/UsingTemplates.html#template-order-of-operations
#
# @note When making an API call, you may pass ApiPassthrough
# data as a hash:
#
# {
# extensions: {
# certificate_policies: [
# {
# cert_policy_id: "CustomObjectIdentifier", # required
# policy_qualifiers: [
# {
# policy_qualifier_id: "CPS", # required, accepts CPS
# qualifier: { # required
# cps_uri: "String256", # required
# },
# },
# ],
# },
# ],
# extended_key_usage: [
# {
# extended_key_usage_type: "SERVER_AUTH", # accepts SERVER_AUTH, CLIENT_AUTH, CODE_SIGNING, EMAIL_PROTECTION, TIME_STAMPING, OCSP_SIGNING, SMART_CARD_LOGIN, DOCUMENT_SIGNING, CERTIFICATE_TRANSPARENCY
# extended_key_usage_object_identifier: "CustomObjectIdentifier",
# },
# ],
# key_usage: {
# digital_signature: false,
# non_repudiation: false,
# key_encipherment: false,
# data_encipherment: false,
# key_agreement: false,
# key_cert_sign: false,
# crl_sign: false,
# encipher_only: false,
# decipher_only: false,
# },
# subject_alternative_names: [
# {
# other_name: {
# type_id: "CustomObjectIdentifier", # required
# value: "String256", # required
# },
# rfc_822_name: "String256",
# dns_name: "String253",
# directory_name: {
# country: "CountryCodeString",
# organization: "String64",
# organizational_unit: "String64",
# distinguished_name_qualifier: "ASN1PrintableString64",
# state: "String128",
# common_name: "String64",
# serial_number: "ASN1PrintableString64",
# locality: "String128",
# title: "String64",
# surname: "String40",
# given_name: "String16",
# initials: "String5",
# pseudonym: "String128",
# generation_qualifier: "String3",
# custom_attributes: [
# {
# object_identifier: "CustomObjectIdentifier", # required
# value: "String1To256", # required
# },
# ],
# },
# edi_party_name: {
# party_name: "String256", # required
# name_assigner: "String256",
# },
# uniform_resource_identifier: "String253",
# ip_address: "String39",
# registered_id: "CustomObjectIdentifier",
# },
# ],
# custom_extensions: [
# {
# object_identifier: "CustomObjectIdentifier", # required
# value: "Base64String1To4096", # required
# critical: false,
# },
# ],
# },
# subject: {
# country: "CountryCodeString",
# organization: "String64",
# organizational_unit: "String64",
# distinguished_name_qualifier: "ASN1PrintableString64",
# state: "String128",
# common_name: "String64",
# serial_number: "ASN1PrintableString64",
# locality: "String128",
# title: "String64",
# surname: "String40",
# given_name: "String16",
# initials: "String5",
# pseudonym: "String128",
# generation_qualifier: "String3",
# custom_attributes: [
# {
# object_identifier: "CustomObjectIdentifier", # required
# value: "String1To256", # required
# },
# ],
# },
# }
#
# @!attribute [rw] extensions
# Specifies X.509 extension information for a certificate.
# @return [Types::Extensions]
#
# @!attribute [rw] subject
# Contains information about the certificate subject. The `Subject`
# field in the certificate identifies the entity that owns or controls
# the public key in the certificate. The entity can be a user,
# computer, device, or service. The `Subject `must contain an X.500
# distinguished name (DN). A DN is a sequence of relative
# distinguished names (RDNs). The RDNs are separated by commas in the
# certificate.
# @return [Types::ASN1Subject]
#
# @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/ApiPassthrough AWS API Documentation
#
class ApiPassthrough < Struct.new(
:extensions,
:subject)
SENSITIVE = []
include Aws::Structure
end
# Contains information about your private certificate authority (CA).
# Your private CA can issue and revoke X.509 digital certificates.
# Digital certificates verify that the entity named in the certificate
# **Subject** field owns or controls the public key contained in the
# **Subject Public Key Info** field. Call the
# [CreateCertificateAuthority][1] action to create your private CA. You
# must then call the [GetCertificateAuthorityCertificate][2] action to
# retrieve a private CA certificate signing request (CSR). Sign the CSR
# with your ACM Private CA-hosted or on-premises root or subordinate CA
# certificate. Call the [ImportCertificateAuthorityCertificate][3]
# action to import the signed certificate into Certificate Manager
# (ACM).
#
#
#
# [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_CreateCertificateAuthority.html
# [2]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_GetCertificateAuthorityCertificate.html
# [3]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_ImportCertificateAuthorityCertificate.html
#
# @!attribute [rw] arn
# Amazon Resource Name (ARN) for your private certificate authority
# (CA). The format is ` 12345678-1234-1234-1234-123456789012 `.
# @return [String]
#
# @!attribute [rw] owner_account
# The Amazon Web Services account ID that owns the certificate
# authority.
# @return [String]
#
# @!attribute [rw] created_at
# Date and time at which your private CA was created.
# @return [Time]
#
# @!attribute [rw] last_state_change_at
# Date and time at which your private CA was last updated.
# @return [Time]
#
# @!attribute [rw] type
# Type of your private CA.
# @return [String]
#
# @!attribute [rw] serial
# Serial number of your private CA.
# @return [String]
#
# @!attribute [rw] status
# Status of your private CA.
# @return [String]
#
# @!attribute [rw] not_before
# Date and time before which your private CA certificate is not valid.
# @return [Time]
#
# @!attribute [rw] not_after
# Date and time after which your private CA certificate is not valid.
# @return [Time]
#
# @!attribute [rw] failure_reason
# Reason the request to create your private CA failed.
# @return [String]
#
# @!attribute [rw] certificate_authority_configuration
# Your private CA configuration.
# @return [Types::CertificateAuthorityConfiguration]
#
# @!attribute [rw] revocation_configuration
# Information about the Online Certificate Status Protocol (OCSP)
# configuration or certificate revocation list (CRL) created and
# maintained by your private CA.
# @return [Types::RevocationConfiguration]
#
# @!attribute [rw] restorable_until
# The period during which a deleted CA can be restored. For more
# information, see the `PermanentDeletionTimeInDays` parameter of the
# [DeleteCertificateAuthorityRequest][1] action.
#
#
#
# [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_DeleteCertificateAuthorityRequest.html
# @return [Time]
#
# @!attribute [rw] key_storage_security_standard
# Defines a cryptographic key management compliance standard used for
# handling CA keys.
#
# Default: FIPS\_140\_2\_LEVEL\_3\_OR\_HIGHER
#
# Note: Amazon Web Services Region ap-northeast-3 supports only
# FIPS\_140\_2\_LEVEL\_2\_OR\_HIGHER. You must explicitly specify this
# parameter and value when creating a CA in that Region. Specifying a
# different value (or no value) results in an `InvalidArgsException`
# with the message "A certificate authority cannot be created in this
# region with the specified security standard."
# @return [String]
#
# @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/CertificateAuthority AWS API Documentation
#
class CertificateAuthority < Struct.new(
:arn,
:owner_account,
:created_at,
:last_state_change_at,
:type,
:serial,
:status,
:not_before,
:not_after,
:failure_reason,
:certificate_authority_configuration,
:revocation_configuration,
:restorable_until,
:key_storage_security_standard)
SENSITIVE = []
include Aws::Structure
end
# Contains configuration information for your private certificate
# authority (CA). This includes information about the class of public
# key algorithm and the key pair that your private CA creates when it
# issues a certificate. It also includes the signature algorithm that it
# uses when issuing certificates, and its X.500 distinguished name. You
# must specify this information when you call the
# [CreateCertificateAuthority][1] action.
#
#
#
# [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_CreateCertificateAuthority.html
#
# @note When making an API call, you may pass CertificateAuthorityConfiguration
# data as a hash:
#
# {
# key_algorithm: "RSA_2048", # required, accepts RSA_2048, RSA_4096, EC_prime256v1, EC_secp384r1
# signing_algorithm: "SHA256WITHECDSA", # required, accepts SHA256WITHECDSA, SHA384WITHECDSA, SHA512WITHECDSA, SHA256WITHRSA, SHA384WITHRSA, SHA512WITHRSA
# subject: { # required
# country: "CountryCodeString",
# organization: "String64",
# organizational_unit: "String64",
# distinguished_name_qualifier: "ASN1PrintableString64",
# state: "String128",
# common_name: "String64",
# serial_number: "ASN1PrintableString64",
# locality: "String128",
# title: "String64",
# surname: "String40",
# given_name: "String16",
# initials: "String5",
# pseudonym: "String128",
# generation_qualifier: "String3",
# custom_attributes: [
# {
# object_identifier: "CustomObjectIdentifier", # required
# value: "String1To256", # required
# },
# ],
# },
# csr_extensions: {
# key_usage: {
# digital_signature: false,
# non_repudiation: false,
# key_encipherment: false,
# data_encipherment: false,
# key_agreement: false,
# key_cert_sign: false,
# crl_sign: false,
# encipher_only: false,
# decipher_only: false,
# },
# subject_information_access: [
# {
# access_method: { # required
# custom_object_identifier: "CustomObjectIdentifier",
# access_method_type: "CA_REPOSITORY", # accepts CA_REPOSITORY, RESOURCE_PKI_MANIFEST, RESOURCE_PKI_NOTIFY
# },
# access_location: { # required
# other_name: {
# type_id: "CustomObjectIdentifier", # required
# value: "String256", # required
# },
# rfc_822_name: "String256",
# dns_name: "String253",
# directory_name: {
# country: "CountryCodeString",
# organization: "String64",
# organizational_unit: "String64",
# distinguished_name_qualifier: "ASN1PrintableString64",
# state: "String128",
# common_name: "String64",
# serial_number: "ASN1PrintableString64",
# locality: "String128",
# title: "String64",
# surname: "String40",
# given_name: "String16",
# initials: "String5",
# pseudonym: "String128",
# generation_qualifier: "String3",
# custom_attributes: [
# {
# object_identifier: "CustomObjectIdentifier", # required
# value: "String1To256", # required
# },
# ],
# },
# edi_party_name: {
# party_name: "String256", # required
# name_assigner: "String256",
# },
# uniform_resource_identifier: "String253",
# ip_address: "String39",
# registered_id: "CustomObjectIdentifier",
# },
# },
# ],
# },
# }
#
# @!attribute [rw] key_algorithm
# Type of the public key algorithm and size, in bits, of the key pair
# that your CA creates when it issues a certificate. When you create a
# subordinate CA, you must use a key algorithm supported by the parent
# CA.
# @return [String]
#
# @!attribute [rw] signing_algorithm
# Name of the algorithm your private CA uses to sign certificate
# requests.
#
# This parameter should not be confused with the `SigningAlgorithm`
# parameter used to sign certificates when they are issued.
# @return [String]
#
# @!attribute [rw] subject
# Structure that contains X.500 distinguished name information for
# your private CA.
# @return [Types::ASN1Subject]
#
# @!attribute [rw] csr_extensions
# Specifies information to be added to the extension section of the
# certificate signing request (CSR).
# @return [Types::CsrExtensions]
#
# @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/CertificateAuthorityConfiguration AWS API Documentation
#
class CertificateAuthorityConfiguration < Struct.new(
:key_algorithm,
:signing_algorithm,
:subject,
:csr_extensions)
SENSITIVE = []
include Aws::Structure
end
# The certificate authority certificate you are importing does not
# comply with conditions specified in the certificate that signed it.
#
# @!attribute [rw] message
# @return [String]
#
# @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/CertificateMismatchException AWS API Documentation
#
class CertificateMismatchException < Struct.new(
:message)
SENSITIVE = []
include Aws::Structure
end
# A previous update to your private CA is still ongoing.
#
# @!attribute [rw] message
# @return [String]
#
# @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/ConcurrentModificationException AWS API Documentation
#
class ConcurrentModificationException < Struct.new(
:message)
SENSITIVE = []
include Aws::Structure
end
# @note When making an API call, you may pass CreateCertificateAuthorityAuditReportRequest
# data as a hash:
#
# {
# certificate_authority_arn: "Arn", # required
# s3_bucket_name: "S3BucketName", # required
# audit_report_response_format: "JSON", # required, accepts JSON, CSV
# }
#
# @!attribute [rw] certificate_authority_arn
# The Amazon Resource Name (ARN) of the CA to be audited. This is of
# the form:
#
# `arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012
# `.
# @return [String]
#
# @!attribute [rw] s3_bucket_name
# The name of the S3 bucket that will contain the audit report.
# @return [String]
#
# @!attribute [rw] audit_report_response_format
# The format in which to create the report. This can be either
# **JSON** or **CSV**.
# @return [String]
#
# @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/CreateCertificateAuthorityAuditReportRequest AWS API Documentation
#
class CreateCertificateAuthorityAuditReportRequest < Struct.new(
:certificate_authority_arn,
:s3_bucket_name,
:audit_report_response_format)
SENSITIVE = []
include Aws::Structure
end
# @!attribute [rw] audit_report_id
# An alphanumeric string that contains a report identifier.
# @return [String]
#
# @!attribute [rw] s3_key
# The **key** that uniquely identifies the report file in your S3
# bucket.
# @return [String]
#
# @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/CreateCertificateAuthorityAuditReportResponse AWS API Documentation
#
class CreateCertificateAuthorityAuditReportResponse < Struct.new(
:audit_report_id,
:s3_key)
SENSITIVE = []
include Aws::Structure
end
# @note When making an API call, you may pass CreateCertificateAuthorityRequest
# data as a hash:
#
# {
# certificate_authority_configuration: { # required
# key_algorithm: "RSA_2048", # required, accepts RSA_2048, RSA_4096, EC_prime256v1, EC_secp384r1
# signing_algorithm: "SHA256WITHECDSA", # required, accepts SHA256WITHECDSA, SHA384WITHECDSA, SHA512WITHECDSA, SHA256WITHRSA, SHA384WITHRSA, SHA512WITHRSA
# subject: { # required
# country: "CountryCodeString",
# organization: "String64",
# organizational_unit: "String64",
# distinguished_name_qualifier: "ASN1PrintableString64",
# state: "String128",
# common_name: "String64",
# serial_number: "ASN1PrintableString64",
# locality: "String128",
# title: "String64",
# surname: "String40",
# given_name: "String16",
# initials: "String5",
# pseudonym: "String128",
# generation_qualifier: "String3",
# custom_attributes: [
# {
# object_identifier: "CustomObjectIdentifier", # required
# value: "String1To256", # required
# },
# ],
# },
# csr_extensions: {
# key_usage: {
# digital_signature: false,
# non_repudiation: false,
# key_encipherment: false,
# data_encipherment: false,
# key_agreement: false,
# key_cert_sign: false,
# crl_sign: false,
# encipher_only: false,
# decipher_only: false,
# },
# subject_information_access: [
# {
# access_method: { # required
# custom_object_identifier: "CustomObjectIdentifier",
# access_method_type: "CA_REPOSITORY", # accepts CA_REPOSITORY, RESOURCE_PKI_MANIFEST, RESOURCE_PKI_NOTIFY
# },
# access_location: { # required
# other_name: {
# type_id: "CustomObjectIdentifier", # required
# value: "String256", # required
# },
# rfc_822_name: "String256",
# dns_name: "String253",
# directory_name: {
# country: "CountryCodeString",
# organization: "String64",
# organizational_unit: "String64",
# distinguished_name_qualifier: "ASN1PrintableString64",
# state: "String128",
# common_name: "String64",
# serial_number: "ASN1PrintableString64",
# locality: "String128",
# title: "String64",
# surname: "String40",
# given_name: "String16",
# initials: "String5",
# pseudonym: "String128",
# generation_qualifier: "String3",
# custom_attributes: [
# {
# object_identifier: "CustomObjectIdentifier", # required
# value: "String1To256", # required
# },
# ],
# },
# edi_party_name: {
# party_name: "String256", # required
# name_assigner: "String256",
# },
# uniform_resource_identifier: "String253",
# ip_address: "String39",
# registered_id: "CustomObjectIdentifier",
# },
# },
# ],
# },
# },
# revocation_configuration: {
# crl_configuration: {
# enabled: false, # required
# expiration_in_days: 1,
# custom_cname: "String253",
# s3_bucket_name: "String3To255",
# s3_object_acl: "PUBLIC_READ", # accepts PUBLIC_READ, BUCKET_OWNER_FULL_CONTROL
# },
# ocsp_configuration: {
# enabled: false, # required
# ocsp_custom_cname: "String253",
# },
# },
# certificate_authority_type: "ROOT", # required, accepts ROOT, SUBORDINATE
# idempotency_token: "IdempotencyToken",
# key_storage_security_standard: "FIPS_140_2_LEVEL_2_OR_HIGHER", # accepts FIPS_140_2_LEVEL_2_OR_HIGHER, FIPS_140_2_LEVEL_3_OR_HIGHER
# tags: [
# {
# key: "TagKey", # required
# value: "TagValue",
# },
# ],
# }
#
# @!attribute [rw] certificate_authority_configuration
# Name and bit size of the private key algorithm, the name of the
# signing algorithm, and X.500 certificate subject information.
# @return [Types::CertificateAuthorityConfiguration]
#
# @!attribute [rw] revocation_configuration
# Contains information to enable Online Certificate Status Protocol
# (OCSP) support, to enable a certificate revocation list (CRL), to
# enable both, or to enable neither. The default is for both
# certificate validation mechanisms to be disabled. For more
# information, see the [OcspConfiguration][1] and
# [CrlConfiguration][2] types.
#
#
#
# [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_OcspConfiguration.html
# [2]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_CrlConfiguration.html
# @return [Types::RevocationConfiguration]
#
# @!attribute [rw] certificate_authority_type
# The type of the certificate authority.
# @return [String]
#
# @!attribute [rw] idempotency_token
# Custom string that can be used to distinguish between calls to the
# **CreateCertificateAuthority** action. Idempotency tokens for
# **CreateCertificateAuthority** time out after five minutes.
# Therefore, if you call **CreateCertificateAuthority** multiple times
# with the same idempotency token within five minutes, ACM Private CA
# recognizes that you are requesting only certificate authority and
# will issue only one. If you change the idempotency token for each
# call, PCA recognizes that you are requesting multiple certificate
# authorities.
# @return [String]
#
# @!attribute [rw] key_storage_security_standard
# Specifies a cryptographic key management compliance standard used
# for handling CA keys.
#
# Default: FIPS\_140\_2\_LEVEL\_3\_OR\_HIGHER
#
# Note: `FIPS_140_2_LEVEL_3_OR_HIGHER` is not supported in Region
# ap-northeast-3. When creating a CA in the ap-northeast-3, you must
# provide `FIPS_140_2_LEVEL_2_OR_HIGHER` as the argument for
# `KeyStorageSecurityStandard`. Failure to do this results in an
# `InvalidArgsException` with the message, "A certificate authority
# cannot be created in this region with the specified security
# standard."
# @return [String]
#
# @!attribute [rw] tags
# Key-value pairs that will be attached to the new private CA. You can
# associate up to 50 tags with a private CA. For information using
# tags with IAM to manage permissions, see [Controlling Access Using
# IAM Tags][1].
#
#
#
# [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_iam-tags.html
# @return [Array]
#
# @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/CreateCertificateAuthorityRequest AWS API Documentation
#
class CreateCertificateAuthorityRequest < Struct.new(
:certificate_authority_configuration,
:revocation_configuration,
:certificate_authority_type,
:idempotency_token,
:key_storage_security_standard,
:tags)
SENSITIVE = []
include Aws::Structure
end
# @!attribute [rw] certificate_authority_arn
# If successful, the Amazon Resource Name (ARN) of the certificate
# authority (CA). This is of the form:
#
# `arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012
# `.
# @return [String]
#
# @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/CreateCertificateAuthorityResponse AWS API Documentation
#
class CreateCertificateAuthorityResponse < Struct.new(
:certificate_authority_arn)
SENSITIVE = []
include Aws::Structure
end
# @note When making an API call, you may pass CreatePermissionRequest
# data as a hash:
#
# {
# certificate_authority_arn: "Arn", # required
# principal: "Principal", # required
# source_account: "AccountId",
# actions: ["IssueCertificate"], # required, accepts IssueCertificate, GetCertificate, ListPermissions
# }
#
# @!attribute [rw] certificate_authority_arn
# The Amazon Resource Name (ARN) of the CA that grants the
# permissions. You can find the ARN by calling the
# [ListCertificateAuthorities][1] action. This must have the following
# form:
#
# `arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012
# `.
#
#
#
# [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_ListCertificateAuthorities.html
# @return [String]
#
# @!attribute [rw] principal
# The Amazon Web Services service or identity that receives the
# permission. At this time, the only valid principal is
# `acm.amazonaws.com`.
# @return [String]
#
# @!attribute [rw] source_account
# The ID of the calling account.
# @return [String]
#
# @!attribute [rw] actions
# The actions that the specified Amazon Web Services service principal
# can use. These include `IssueCertificate`, `GetCertificate`, and
# `ListPermissions`.
# @return [Array]
#
# @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/CreatePermissionRequest AWS API Documentation
#
class CreatePermissionRequest < Struct.new(
:certificate_authority_arn,
:principal,
:source_account,
:actions)
SENSITIVE = []
include Aws::Structure
end
# Contains configuration information for a certificate revocation list
# (CRL). Your private certificate authority (CA) creates base CRLs.
# Delta CRLs are not supported. You can enable CRLs for your new or an
# existing private CA by setting the **Enabled** parameter to `true`.
# Your private CA writes CRLs to an S3 bucket that you specify in the
# **S3BucketName** parameter. You can hide the name of your bucket by
# specifying a value for the **CustomCname** parameter. Your private CA
# copies the CNAME or the S3 bucket name to the **CRL Distribution
# Points** extension of each certificate it issues. Your S3 bucket
# policy must give write permission to ACM Private CA.
#
# ACM Private CA assets that are stored in Amazon S3 can be protected
# with encryption. For more information, see [Encrypting Your CRLs][1].
#
# Your private CA uses the value in the **ExpirationInDays** parameter
# to calculate the **nextUpdate** field in the CRL. The CRL is refreshed
# prior to a certificate's expiration date or when a certificate is
# revoked. When a certificate is revoked, it appears in the CRL until
# the certificate expires, and then in one additional CRL after
# expiration, and it always appears in the audit report.
#
# A CRL is typically updated approximately 30 minutes after a
# certificate is revoked. If for any reason a CRL update fails, ACM
# Private CA makes further attempts every 15 minutes.
#
# CRLs contain the following fields:
#
# * **Version**\: The current version number defined in RFC 5280 is V2.
# The integer value is 0x1.
#
# * **Signature Algorithm**\: The name of the algorithm used to sign the
# CRL.
#
# * **Issuer**\: The X.500 distinguished name of your private CA that
# issued the CRL.
#
# * **Last Update**\: The issue date and time of this CRL.
#
# * **Next Update**\: The day and time by which the next CRL will be
# issued.
#
# * **Revoked Certificates**\: List of revoked certificates. Each list
# item contains the following information.
#
# * **Serial Number**\: The serial number, in hexadecimal format, of
# the revoked certificate.
#
# * **Revocation Date**\: Date and time the certificate was revoked.
#
# * **CRL Entry Extensions**\: Optional extensions for the CRL entry.
#
# * **X509v3 CRL Reason Code**\: Reason the certificate was revoked.
#
# ^
#
# * **CRL Extensions**\: Optional extensions for the CRL.
#
# * **X509v3 Authority Key Identifier**\: Identifies the public key
# associated with the private key used to sign the certificate.
#
# * **X509v3 CRL Number:**\: Decimal sequence number for the CRL.
#
# * **Signature Algorithm**\: Algorithm used by your private CA to sign
# the CRL.
#
# * **Signature Value**\: Signature computed over the CRL.
#
# Certificate revocation lists created by ACM Private CA are
# DER-encoded. You can use the following OpenSSL command to list a CRL.
#
# `openssl crl -inform DER -text -in crl_path -noout`
#
# For more information, see [Planning a certificate revocation list
# (CRL)][2] in the *Certificate Manager Private Certificate Authority
# (PCA) User Guide*
#
#
#
# [1]: https://docs.aws.amazon.com/acm-pca/latest/userguide/PcaCreateCa.html#crl-encryption
# [2]: https://docs.aws.amazon.com/acm-pca/latest/userguide/crl-planning.html
#
# @note When making an API call, you may pass CrlConfiguration
# data as a hash:
#
# {
# enabled: false, # required
# expiration_in_days: 1,
# custom_cname: "String253",
# s3_bucket_name: "String3To255",
# s3_object_acl: "PUBLIC_READ", # accepts PUBLIC_READ, BUCKET_OWNER_FULL_CONTROL
# }
#
# @!attribute [rw] enabled
# Boolean value that specifies whether certificate revocation lists
# (CRLs) are enabled. You can use this value to enable certificate
# revocation for a new CA when you call the
# [CreateCertificateAuthority][1] action or for an existing CA when
# you call the [UpdateCertificateAuthority][2] action.
#
#
#
# [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_CreateCertificateAuthority.html
# [2]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_UpdateCertificateAuthority.html
# @return [Boolean]
#
# @!attribute [rw] expiration_in_days
# Validity period of the CRL in days.
# @return [Integer]
#
# @!attribute [rw] custom_cname
# Name inserted into the certificate **CRL Distribution Points**
# extension that enables the use of an alias for the CRL distribution
# point. Use this value if you don't want the name of your S3 bucket
# to be public.
# @return [String]
#
# @!attribute [rw] s3_bucket_name
# Name of the S3 bucket that contains the CRL. If you do not provide a
# value for the **CustomCname** argument, the name of your S3 bucket
# is placed into the **CRL Distribution Points** extension of the
# issued certificate. You can change the name of your bucket by
# calling the [UpdateCertificateAuthority][1] operation. You must
# specify a [bucket policy][2] that allows ACM Private CA to write the
# CRL to your bucket.
#
#
#
# [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_UpdateCertificateAuthority.html
# [2]: https://docs.aws.amazon.com/acm-pca/latest/userguide/PcaCreateCa.html#s3-policies
# @return [String]
#
# @!attribute [rw] s3_object_acl
# Determines whether the CRL will be publicly readable or privately
# held in the CRL Amazon S3 bucket. If you choose PUBLIC\_READ, the
# CRL will be accessible over the public internet. If you choose
# BUCKET\_OWNER\_FULL\_CONTROL, only the owner of the CRL S3 bucket
# can access the CRL, and your PKI clients may need an alternative
# method of access.
#
# If no value is specified, the default is `PUBLIC_READ`.
#
# *Note:* This default can cause CA creation to fail in some
# circumstances. If you have have enabled the Block Public Access
# (BPA) feature in your S3 account, then you must specify the value of
# this parameter as `BUCKET_OWNER_FULL_CONTROL`, and not doing so
# results in an error. If you have disabled BPA in S3, then you can
# specify either `BUCKET_OWNER_FULL_CONTROL` or `PUBLIC_READ` as the
# value.
#
# For more information, see [Blocking public access to the S3
# bucket][1].
#
#
#
# [1]: https://docs.aws.amazon.com/acm-pca/latest/userguide/PcaCreateCa.html#s3-bpa
# @return [String]
#
# @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/CrlConfiguration AWS API Documentation
#
class CrlConfiguration < Struct.new(
:enabled,
:expiration_in_days,
:custom_cname,
:s3_bucket_name,
:s3_object_acl)
SENSITIVE = []
include Aws::Structure
end
# Describes the certificate extensions to be added to the certificate
# signing request (CSR).
#
# @note When making an API call, you may pass CsrExtensions
# data as a hash:
#
# {
# key_usage: {
# digital_signature: false,
# non_repudiation: false,
# key_encipherment: false,
# data_encipherment: false,
# key_agreement: false,
# key_cert_sign: false,
# crl_sign: false,
# encipher_only: false,
# decipher_only: false,
# },
# subject_information_access: [
# {
# access_method: { # required
# custom_object_identifier: "CustomObjectIdentifier",
# access_method_type: "CA_REPOSITORY", # accepts CA_REPOSITORY, RESOURCE_PKI_MANIFEST, RESOURCE_PKI_NOTIFY
# },
# access_location: { # required
# other_name: {
# type_id: "CustomObjectIdentifier", # required
# value: "String256", # required
# },
# rfc_822_name: "String256",
# dns_name: "String253",
# directory_name: {
# country: "CountryCodeString",
# organization: "String64",
# organizational_unit: "String64",
# distinguished_name_qualifier: "ASN1PrintableString64",
# state: "String128",
# common_name: "String64",
# serial_number: "ASN1PrintableString64",
# locality: "String128",
# title: "String64",
# surname: "String40",
# given_name: "String16",
# initials: "String5",
# pseudonym: "String128",
# generation_qualifier: "String3",
# custom_attributes: [
# {
# object_identifier: "CustomObjectIdentifier", # required
# value: "String1To256", # required
# },
# ],
# },
# edi_party_name: {
# party_name: "String256", # required
# name_assigner: "String256",
# },
# uniform_resource_identifier: "String253",
# ip_address: "String39",
# registered_id: "CustomObjectIdentifier",
# },
# },
# ],
# }
#
# @!attribute [rw] key_usage
# Indicates the purpose of the certificate and of the key contained in
# the certificate.
# @return [Types::KeyUsage]
#
# @!attribute [rw] subject_information_access
# For CA certificates, provides a path to additional information
# pertaining to the CA, such as revocation and policy. For more
# information, see [Subject Information Access][1] in RFC 5280.
#
#
#
# [1]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.2.2
# @return [Array]
#
# @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/CsrExtensions AWS API Documentation
#
class CsrExtensions < Struct.new(
:key_usage,
:subject_information_access)
SENSITIVE = []
include Aws::Structure
end
# Defines the X.500 relative distinguished name (RDN).
#
# @note When making an API call, you may pass CustomAttribute
# data as a hash:
#
# {
# object_identifier: "CustomObjectIdentifier", # required
# value: "String1To256", # required
# }
#
# @!attribute [rw] object_identifier
# Specifies the object identifier (OID) of the attribute type of the
# relative distinguished name (RDN).
# @return [String]
#
# @!attribute [rw] value
# Specifies the attribute value of relative distinguished name (RDN).
# @return [String]
#
# @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/CustomAttribute AWS API Documentation
#
class CustomAttribute < Struct.new(
:object_identifier,
:value)
SENSITIVE = []
include Aws::Structure
end
# Specifies the X.509 extension information for a certificate.
#
# Extensions present in `CustomExtensions` follow the `ApiPassthrough`
# [template rules][1].
#
#
#
# [1]: https://docs.aws.amazon.com/acm-pca/latest/userguide/UsingTemplates.html#template-order-of-operations
#
# @note When making an API call, you may pass CustomExtension
# data as a hash:
#
# {
# object_identifier: "CustomObjectIdentifier", # required
# value: "Base64String1To4096", # required
# critical: false,
# }
#
# @!attribute [rw] object_identifier
# Specifies the object identifier (OID) of the X.509 extension. For
# more information, see the [Global OID reference database.][1]
#
#
#
# [1]: https://oidref.com/2.5.29
# @return [String]
#
# @!attribute [rw] value
# Specifies the base64-encoded value of the X.509 extension.
# @return [String]
#
# @!attribute [rw] critical
# Specifies the critical flag of the X.509 extension.
# @return [Boolean]
#
# @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/CustomExtension AWS API Documentation
#
class CustomExtension < Struct.new(
:object_identifier,
:value,
:critical)
SENSITIVE = []
include Aws::Structure
end
# @note When making an API call, you may pass DeleteCertificateAuthorityRequest
# data as a hash:
#
# {
# certificate_authority_arn: "Arn", # required
# permanent_deletion_time_in_days: 1,
# }
#
# @!attribute [rw] certificate_authority_arn
# The Amazon Resource Name (ARN) that was returned when you called
# [CreateCertificateAuthority][1]. This must have the following form:
#
# `arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012
# `.
#
#
#
# [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_CreateCertificateAuthority.html
# @return [String]
#
# @!attribute [rw] permanent_deletion_time_in_days
# The number of days to make a CA restorable after it has been
# deleted. This can be anywhere from 7 to 30 days, with 30 being the
# default.
# @return [Integer]
#
# @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/DeleteCertificateAuthorityRequest AWS API Documentation
#
class DeleteCertificateAuthorityRequest < Struct.new(
:certificate_authority_arn,
:permanent_deletion_time_in_days)
SENSITIVE = []
include Aws::Structure
end
# @note When making an API call, you may pass DeletePermissionRequest
# data as a hash:
#
# {
# certificate_authority_arn: "Arn", # required
# principal: "Principal", # required
# source_account: "AccountId",
# }
#
# @!attribute [rw] certificate_authority_arn
# The Amazon Resource Number (ARN) of the private CA that issued the
# permissions. You can find the CA's ARN by calling the
# [ListCertificateAuthorities][1] action. This must have the following
# form:
#
# `arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012
# `.
#
#
#
# [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_ListCertificateAuthorities.html
# @return [String]
#
# @!attribute [rw] principal
# The Amazon Web Services service or identity that will have its CA
# permissions revoked. At this time, the only valid service principal
# is `acm.amazonaws.com`
# @return [String]
#
# @!attribute [rw] source_account
# The Amazon Web Services account that calls this action.
# @return [String]
#
# @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/DeletePermissionRequest AWS API Documentation
#
class DeletePermissionRequest < Struct.new(
:certificate_authority_arn,
:principal,
:source_account)
SENSITIVE = []
include Aws::Structure
end
# @note When making an API call, you may pass DeletePolicyRequest
# data as a hash:
#
# {
# resource_arn: "Arn", # required
# }
#
# @!attribute [rw] resource_arn
# The Amazon Resource Number (ARN) of the private CA that will have
# its policy deleted. You can find the CA's ARN by calling the
# [ListCertificateAuthorities][1] action. The ARN value must have the
# form
# `arn:aws:acm-pca:region:account:certificate-authority/01234567-89ab-cdef-0123-0123456789ab`.
#
#
#
# [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_ListCertificateAuthorities.html
# @return [String]
#
# @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/DeletePolicyRequest AWS API Documentation
#
class DeletePolicyRequest < Struct.new(
:resource_arn)
SENSITIVE = []
include Aws::Structure
end
# @note When making an API call, you may pass DescribeCertificateAuthorityAuditReportRequest
# data as a hash:
#
# {
# certificate_authority_arn: "Arn", # required
# audit_report_id: "AuditReportId", # required
# }
#
# @!attribute [rw] certificate_authority_arn
# The Amazon Resource Name (ARN) of the private CA. This must be of
# the form:
#
# `arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012
# `.
# @return [String]
#
# @!attribute [rw] audit_report_id
# The report ID returned by calling the
# [CreateCertificateAuthorityAuditReport][1] action.
#
#
#
# [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_CreateCertificateAuthorityAuditReport.html
# @return [String]
#
# @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/DescribeCertificateAuthorityAuditReportRequest AWS API Documentation
#
class DescribeCertificateAuthorityAuditReportRequest < Struct.new(
:certificate_authority_arn,
:audit_report_id)
SENSITIVE = []
include Aws::Structure
end
# @!attribute [rw] audit_report_status
# Specifies whether report creation is in progress, has succeeded, or
# has failed.
# @return [String]
#
# @!attribute [rw] s3_bucket_name
# Name of the S3 bucket that contains the report.
# @return [String]
#
# @!attribute [rw] s3_key
# S3 **key** that uniquely identifies the report file in your S3
# bucket.
# @return [String]
#
# @!attribute [rw] created_at
# The date and time at which the report was created.
# @return [Time]
#
# @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/DescribeCertificateAuthorityAuditReportResponse AWS API Documentation
#
class DescribeCertificateAuthorityAuditReportResponse < Struct.new(
:audit_report_status,
:s3_bucket_name,
:s3_key,
:created_at)
SENSITIVE = []
include Aws::Structure
end
# @note When making an API call, you may pass DescribeCertificateAuthorityRequest
# data as a hash:
#
# {
# certificate_authority_arn: "Arn", # required
# }
#
# @!attribute [rw] certificate_authority_arn
# The Amazon Resource Name (ARN) that was returned when you called
# [CreateCertificateAuthority][1]. This must be of the form:
#
# `arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012
# `.
#
#
#
# [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_CreateCertificateAuthority.html
# @return [String]
#
# @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/DescribeCertificateAuthorityRequest AWS API Documentation
#
class DescribeCertificateAuthorityRequest < Struct.new(
:certificate_authority_arn)
SENSITIVE = []
include Aws::Structure
end
# @!attribute [rw] certificate_authority
# A [CertificateAuthority][1] structure that contains information
# about your private CA.
#
#
#
# [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_CertificateAuthority.html
# @return [Types::CertificateAuthority]
#
# @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/DescribeCertificateAuthorityResponse AWS API Documentation
#
class DescribeCertificateAuthorityResponse < Struct.new(
:certificate_authority)
SENSITIVE = []
include Aws::Structure
end
# Describes an Electronic Data Interchange (EDI) entity as described in
# as defined in [Subject Alternative Name][1] in RFC 5280.
#
#
#
# [1]: https://datatracker.ietf.org/doc/html/rfc5280
#
# @note When making an API call, you may pass EdiPartyName
# data as a hash:
#
# {
# party_name: "String256", # required
# name_assigner: "String256",
# }
#
# @!attribute [rw] party_name
# Specifies the party name.
# @return [String]
#
# @!attribute [rw] name_assigner
# Specifies the name assigner.
# @return [String]
#
# @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/EdiPartyName AWS API Documentation
#
class EdiPartyName < Struct.new(
:party_name,
:name_assigner)
SENSITIVE = []
include Aws::Structure
end
# Specifies additional purposes for which the certified public key may
# be used other than basic purposes indicated in the `KeyUsage`
# extension.
#
# @note When making an API call, you may pass ExtendedKeyUsage
# data as a hash:
#
# {
# extended_key_usage_type: "SERVER_AUTH", # accepts SERVER_AUTH, CLIENT_AUTH, CODE_SIGNING, EMAIL_PROTECTION, TIME_STAMPING, OCSP_SIGNING, SMART_CARD_LOGIN, DOCUMENT_SIGNING, CERTIFICATE_TRANSPARENCY
# extended_key_usage_object_identifier: "CustomObjectIdentifier",
# }
#
# @!attribute [rw] extended_key_usage_type
# Specifies a standard `ExtendedKeyUsage` as defined as in [RFC
# 5280][1].
#
#
#
# [1]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.12
# @return [String]
#
# @!attribute [rw] extended_key_usage_object_identifier
# Specifies a custom `ExtendedKeyUsage` with an object identifier
# (OID).
# @return [String]
#
# @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/ExtendedKeyUsage AWS API Documentation
#
class ExtendedKeyUsage < Struct.new(
:extended_key_usage_type,
:extended_key_usage_object_identifier)
SENSITIVE = []
include Aws::Structure
end
# Contains X.509 extension information for a certificate.
#
# @note When making an API call, you may pass Extensions
# data as a hash:
#
# {
# certificate_policies: [
# {
# cert_policy_id: "CustomObjectIdentifier", # required
# policy_qualifiers: [
# {
# policy_qualifier_id: "CPS", # required, accepts CPS
# qualifier: { # required
# cps_uri: "String256", # required
# },
# },
# ],
# },
# ],
# extended_key_usage: [
# {
# extended_key_usage_type: "SERVER_AUTH", # accepts SERVER_AUTH, CLIENT_AUTH, CODE_SIGNING, EMAIL_PROTECTION, TIME_STAMPING, OCSP_SIGNING, SMART_CARD_LOGIN, DOCUMENT_SIGNING, CERTIFICATE_TRANSPARENCY
# extended_key_usage_object_identifier: "CustomObjectIdentifier",
# },
# ],
# key_usage: {
# digital_signature: false,
# non_repudiation: false,
# key_encipherment: false,
# data_encipherment: false,
# key_agreement: false,
# key_cert_sign: false,
# crl_sign: false,
# encipher_only: false,
# decipher_only: false,
# },
# subject_alternative_names: [
# {
# other_name: {
# type_id: "CustomObjectIdentifier", # required
# value: "String256", # required
# },
# rfc_822_name: "String256",
# dns_name: "String253",
# directory_name: {
# country: "CountryCodeString",
# organization: "String64",
# organizational_unit: "String64",
# distinguished_name_qualifier: "ASN1PrintableString64",
# state: "String128",
# common_name: "String64",
# serial_number: "ASN1PrintableString64",
# locality: "String128",
# title: "String64",
# surname: "String40",
# given_name: "String16",
# initials: "String5",
# pseudonym: "String128",
# generation_qualifier: "String3",
# custom_attributes: [
# {
# object_identifier: "CustomObjectIdentifier", # required
# value: "String1To256", # required
# },
# ],
# },
# edi_party_name: {
# party_name: "String256", # required
# name_assigner: "String256",
# },
# uniform_resource_identifier: "String253",
# ip_address: "String39",
# registered_id: "CustomObjectIdentifier",
# },
# ],
# custom_extensions: [
# {
# object_identifier: "CustomObjectIdentifier", # required
# value: "Base64String1To4096", # required
# critical: false,
# },
# ],
# }
#
# @!attribute [rw] certificate_policies
# Contains a sequence of one or more policy information terms, each of
# which consists of an object identifier (OID) and optional
# qualifiers. For more information, see NIST's definition of [Object
# Identifier (OID)][1].
#
# In an end-entity certificate, these terms indicate the policy under
# which the certificate was issued and the purposes for which it may
# be used. In a CA certificate, these terms limit the set of policies
# for certification paths that include this certificate.
#
#
#
# [1]: https://csrc.nist.gov/glossary/term/Object_Identifier
# @return [Array]
#
# @!attribute [rw] extended_key_usage
# Specifies additional purposes for which the certified public key may
# be used other than basic purposes indicated in the `KeyUsage`
# extension.
# @return [Array]
#
# @!attribute [rw] key_usage
# Defines one or more purposes for which the key contained in the
# certificate can be used. Default value for each option is false.
# @return [Types::KeyUsage]
#
# @!attribute [rw] subject_alternative_names
# The subject alternative name extension allows identities to be bound
# to the subject of the certificate. These identities may be included
# in addition to or in place of the identity in the subject field of
# the certificate.
# @return [Array]
#
# @!attribute [rw] custom_extensions
# Contains a sequence of one or more X.509 extensions, each of which
# consists of an object identifier (OID), a base64-encoded value, and
# the critical flag. For more information, see the [Global OID
# reference database.][1]
#
# The OID value of a [CustomExtension][2] must not match the OID of a
# predefined extension.
#
#
#
#
#
# [1]: https://oidref.com/2.5.29
# [2]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_CustomExtension.html
# @return [Array]
#
# @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/Extensions AWS API Documentation
#
class Extensions < Struct.new(
:certificate_policies,
:extended_key_usage,
:key_usage,
:subject_alternative_names,
:custom_extensions)
SENSITIVE = []
include Aws::Structure
end
# Describes an ASN.1 X.400 `GeneralName` as defined in [RFC 5280][1].
# Only one of the following naming options should be provided. Providing
# more than one option results in an `InvalidArgsException` error.
#
#
#
# [1]: https://datatracker.ietf.org/doc/html/rfc5280
#
# @note When making an API call, you may pass GeneralName
# data as a hash:
#
# {
# other_name: {
# type_id: "CustomObjectIdentifier", # required
# value: "String256", # required
# },
# rfc_822_name: "String256",
# dns_name: "String253",
# directory_name: {
# country: "CountryCodeString",
# organization: "String64",
# organizational_unit: "String64",
# distinguished_name_qualifier: "ASN1PrintableString64",
# state: "String128",
# common_name: "String64",
# serial_number: "ASN1PrintableString64",
# locality: "String128",
# title: "String64",
# surname: "String40",
# given_name: "String16",
# initials: "String5",
# pseudonym: "String128",
# generation_qualifier: "String3",
# custom_attributes: [
# {
# object_identifier: "CustomObjectIdentifier", # required
# value: "String1To256", # required
# },
# ],
# },
# edi_party_name: {
# party_name: "String256", # required
# name_assigner: "String256",
# },
# uniform_resource_identifier: "String253",
# ip_address: "String39",
# registered_id: "CustomObjectIdentifier",
# }
#
# @!attribute [rw] other_name
# Represents `GeneralName` using an `OtherName` object.
# @return [Types::OtherName]
#
# @!attribute [rw] rfc_822_name
# Represents `GeneralName` as an [RFC 822][1] email address.
#
#
#
# [1]: https://datatracker.ietf.org/doc/html/rfc822
# @return [String]
#
# @!attribute [rw] dns_name
# Represents `GeneralName` as a DNS name.
# @return [String]
#
# @!attribute [rw] directory_name
# Contains information about the certificate subject. The `Subject`
# field in the certificate identifies the entity that owns or controls
# the public key in the certificate. The entity can be a user,
# computer, device, or service. The `Subject `must contain an X.500
# distinguished name (DN). A DN is a sequence of relative
# distinguished names (RDNs). The RDNs are separated by commas in the
# certificate.
# @return [Types::ASN1Subject]
#
# @!attribute [rw] edi_party_name
# Represents `GeneralName` as an `EdiPartyName` object.
# @return [Types::EdiPartyName]
#
# @!attribute [rw] uniform_resource_identifier
# Represents `GeneralName` as a URI.
# @return [String]
#
# @!attribute [rw] ip_address
# Represents `GeneralName` as an IPv4 or IPv6 address.
# @return [String]
#
# @!attribute [rw] registered_id
# Represents `GeneralName` as an object identifier (OID).
# @return [String]
#
# @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/GeneralName AWS API Documentation
#
class GeneralName < Struct.new(
:other_name,
:rfc_822_name,
:dns_name,
:directory_name,
:edi_party_name,
:uniform_resource_identifier,
:ip_address,
:registered_id)
SENSITIVE = []
include Aws::Structure
end
# @note When making an API call, you may pass GetCertificateAuthorityCertificateRequest
# data as a hash:
#
# {
# certificate_authority_arn: "Arn", # required
# }
#
# @!attribute [rw] certificate_authority_arn
# The Amazon Resource Name (ARN) of your private CA. This is of the
# form:
#
# `arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012
# `.
# @return [String]
#
# @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/GetCertificateAuthorityCertificateRequest AWS API Documentation
#
class GetCertificateAuthorityCertificateRequest < Struct.new(
:certificate_authority_arn)
SENSITIVE = []
include Aws::Structure
end
# @!attribute [rw] certificate
# Base64-encoded certificate authority (CA) certificate.
# @return [String]
#
# @!attribute [rw] certificate_chain
# Base64-encoded certificate chain that includes any intermediate
# certificates and chains up to root certificate that you used to sign
# your private CA certificate. The chain does not include your private
# CA certificate. If this is a root CA, the value will be null.
# @return [String]
#
# @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/GetCertificateAuthorityCertificateResponse AWS API Documentation
#
class GetCertificateAuthorityCertificateResponse < Struct.new(
:certificate,
:certificate_chain)
SENSITIVE = []
include Aws::Structure
end
# @note When making an API call, you may pass GetCertificateAuthorityCsrRequest
# data as a hash:
#
# {
# certificate_authority_arn: "Arn", # required
# }
#
# @!attribute [rw] certificate_authority_arn
# The Amazon Resource Name (ARN) that was returned when you called the
# [CreateCertificateAuthority][1] action. This must be of the form:
#
# `arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012
# `
#
#
#
# [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_CreateCertificateAuthority.html
# @return [String]
#
# @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/GetCertificateAuthorityCsrRequest AWS API Documentation
#
class GetCertificateAuthorityCsrRequest < Struct.new(
:certificate_authority_arn)
SENSITIVE = []
include Aws::Structure
end
# @!attribute [rw] csr
# The base64 PEM-encoded certificate signing request (CSR) for your
# private CA certificate.
# @return [String]
#
# @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/GetCertificateAuthorityCsrResponse AWS API Documentation
#
class GetCertificateAuthorityCsrResponse < Struct.new(
:csr)
SENSITIVE = []
include Aws::Structure
end
# @note When making an API call, you may pass GetCertificateRequest
# data as a hash:
#
# {
# certificate_authority_arn: "Arn", # required
# certificate_arn: "Arn", # required
# }
#
# @!attribute [rw] certificate_authority_arn
# The Amazon Resource Name (ARN) that was returned when you called
# [CreateCertificateAuthority][1]. This must be of the form:
#
# `arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012
# `.
#
#
#
# [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_CreateCertificateAuthority.html
# @return [String]
#
# @!attribute [rw] certificate_arn
# The ARN of the issued certificate. The ARN contains the certificate
# serial number and must be in the following form:
#
# `arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012/certificate/286535153982981100925020015808220737245
# `
# @return [String]
#
# @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/GetCertificateRequest AWS API Documentation
#
class GetCertificateRequest < Struct.new(
:certificate_authority_arn,
:certificate_arn)
SENSITIVE = []
include Aws::Structure
end
# @!attribute [rw] certificate
# The base64 PEM-encoded certificate specified by the `CertificateArn`
# parameter.
# @return [String]
#
# @!attribute [rw] certificate_chain
# The base64 PEM-encoded certificate chain that chains up to the root
# CA certificate that you used to sign your private CA certificate.
# @return [String]
#
# @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/GetCertificateResponse AWS API Documentation
#
class GetCertificateResponse < Struct.new(
:certificate,
:certificate_chain)
SENSITIVE = []
include Aws::Structure
end
# @note When making an API call, you may pass GetPolicyRequest
# data as a hash:
#
# {
# resource_arn: "Arn", # required
# }
#
# @!attribute [rw] resource_arn
# The Amazon Resource Number (ARN) of the private CA that will have
# its policy retrieved. You can find the CA's ARN by calling the
# ListCertificateAuthorities action.
# @return [String]
#
# @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/GetPolicyRequest AWS API Documentation
#
class GetPolicyRequest < Struct.new(
:resource_arn)
SENSITIVE = []
include Aws::Structure
end
# @!attribute [rw] policy
# The policy attached to the private CA as a JSON document.
# @return [String]
#
# @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/GetPolicyResponse AWS API Documentation
#
class GetPolicyResponse < Struct.new(
:policy)
SENSITIVE = []
include Aws::Structure
end
# @note When making an API call, you may pass ImportCertificateAuthorityCertificateRequest
# data as a hash:
#
# {
# certificate_authority_arn: "Arn", # required
# certificate: "data", # required
# certificate_chain: "data",
# }
#
# @!attribute [rw] certificate_authority_arn
# The Amazon Resource Name (ARN) that was returned when you called
# [CreateCertificateAuthority][1]. This must be of the form:
#
# `arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012
# `
#
#
#
# [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_CreateCertificateAuthority.html
# @return [String]
#
# @!attribute [rw] certificate
# The PEM-encoded certificate for a private CA. This may be a
# self-signed certificate in the case of a root CA, or it may be
# signed by another CA that you control.
# @return [String]
#
# @!attribute [rw] certificate_chain
# A PEM-encoded file that contains all of your certificates, other
# than the certificate you're importing, chaining up to your root CA.
# Your ACM Private CA-hosted or on-premises root certificate is the
# last in the chain, and each certificate in the chain signs the one
# preceding.
#
# This parameter must be supplied when you import a subordinate CA.
# When you import a root CA, there is no chain.
# @return [String]
#
# @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/ImportCertificateAuthorityCertificateRequest AWS API Documentation
#
class ImportCertificateAuthorityCertificateRequest < Struct.new(
:certificate_authority_arn,
:certificate,
:certificate_chain)
SENSITIVE = []
include Aws::Structure
end
# One or more of the specified arguments was not valid.
#
# @!attribute [rw] message
# @return [String]
#
# @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/InvalidArgsException AWS API Documentation
#
class InvalidArgsException < Struct.new(
:message)
SENSITIVE = []
include Aws::Structure
end
# The requested Amazon Resource Name (ARN) does not refer to an existing
# resource.
#
# @!attribute [rw] message
# @return [String]
#
# @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/InvalidArnException AWS API Documentation
#
class InvalidArnException < Struct.new(
:message)
SENSITIVE = []
include Aws::Structure
end
# The token specified in the `NextToken` argument is not valid. Use the
# token returned from your previous call to
# [ListCertificateAuthorities][1].
#
#
#
# [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_ListCertificateAuthorities.html
#
# @!attribute [rw] message
# @return [String]
#
# @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/InvalidNextTokenException AWS API Documentation
#
class InvalidNextTokenException < Struct.new(
:message)
SENSITIVE = []
include Aws::Structure
end
# The resource policy is invalid or is missing a required statement. For
# general information about IAM policy and statement structure, see
# [Overview of JSON Policies][1].
#
#
#
# [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#access_policies-json
#
# @!attribute [rw] message
# @return [String]
#
# @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/InvalidPolicyException AWS API Documentation
#
class InvalidPolicyException < Struct.new(
:message)
SENSITIVE = []
include Aws::Structure
end
# The request action cannot be performed or is prohibited.
#
# @!attribute [rw] message
# @return [String]
#
# @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/InvalidRequestException AWS API Documentation
#
class InvalidRequestException < Struct.new(
:message)
SENSITIVE = []
include Aws::Structure
end
# The state of the private CA does not allow this action to occur.
#
# @!attribute [rw] message
# @return [String]
#
# @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/InvalidStateException AWS API Documentation
#
class InvalidStateException < Struct.new(
:message)
SENSITIVE = []
include Aws::Structure
end
# The tag associated with the CA is not valid. The invalid argument is
# contained in the message field.
#
# @!attribute [rw] message
# @return [String]
#
# @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/InvalidTagException AWS API Documentation
#
class InvalidTagException < Struct.new(
:message)
SENSITIVE = []
include Aws::Structure
end
# @note When making an API call, you may pass IssueCertificateRequest
# data as a hash:
#
# {
# api_passthrough: {
# extensions: {
# certificate_policies: [
# {
# cert_policy_id: "CustomObjectIdentifier", # required
# policy_qualifiers: [
# {
# policy_qualifier_id: "CPS", # required, accepts CPS
# qualifier: { # required
# cps_uri: "String256", # required
# },
# },
# ],
# },
# ],
# extended_key_usage: [
# {
# extended_key_usage_type: "SERVER_AUTH", # accepts SERVER_AUTH, CLIENT_AUTH, CODE_SIGNING, EMAIL_PROTECTION, TIME_STAMPING, OCSP_SIGNING, SMART_CARD_LOGIN, DOCUMENT_SIGNING, CERTIFICATE_TRANSPARENCY
# extended_key_usage_object_identifier: "CustomObjectIdentifier",
# },
# ],
# key_usage: {
# digital_signature: false,
# non_repudiation: false,
# key_encipherment: false,
# data_encipherment: false,
# key_agreement: false,
# key_cert_sign: false,
# crl_sign: false,
# encipher_only: false,
# decipher_only: false,
# },
# subject_alternative_names: [
# {
# other_name: {
# type_id: "CustomObjectIdentifier", # required
# value: "String256", # required
# },
# rfc_822_name: "String256",
# dns_name: "String253",
# directory_name: {
# country: "CountryCodeString",
# organization: "String64",
# organizational_unit: "String64",
# distinguished_name_qualifier: "ASN1PrintableString64",
# state: "String128",
# common_name: "String64",
# serial_number: "ASN1PrintableString64",
# locality: "String128",
# title: "String64",
# surname: "String40",
# given_name: "String16",
# initials: "String5",
# pseudonym: "String128",
# generation_qualifier: "String3",
# custom_attributes: [
# {
# object_identifier: "CustomObjectIdentifier", # required
# value: "String1To256", # required
# },
# ],
# },
# edi_party_name: {
# party_name: "String256", # required
# name_assigner: "String256",
# },
# uniform_resource_identifier: "String253",
# ip_address: "String39",
# registered_id: "CustomObjectIdentifier",
# },
# ],
# custom_extensions: [
# {
# object_identifier: "CustomObjectIdentifier", # required
# value: "Base64String1To4096", # required
# critical: false,
# },
# ],
# },
# subject: {
# country: "CountryCodeString",
# organization: "String64",
# organizational_unit: "String64",
# distinguished_name_qualifier: "ASN1PrintableString64",
# state: "String128",
# common_name: "String64",
# serial_number: "ASN1PrintableString64",
# locality: "String128",
# title: "String64",
# surname: "String40",
# given_name: "String16",
# initials: "String5",
# pseudonym: "String128",
# generation_qualifier: "String3",
# custom_attributes: [
# {
# object_identifier: "CustomObjectIdentifier", # required
# value: "String1To256", # required
# },
# ],
# },
# },
# certificate_authority_arn: "Arn", # required
# csr: "data", # required
# signing_algorithm: "SHA256WITHECDSA", # required, accepts SHA256WITHECDSA, SHA384WITHECDSA, SHA512WITHECDSA, SHA256WITHRSA, SHA384WITHRSA, SHA512WITHRSA
# template_arn: "Arn",
# validity: { # required
# value: 1, # required
# type: "END_DATE", # required, accepts END_DATE, ABSOLUTE, DAYS, MONTHS, YEARS
# },
# validity_not_before: {
# value: 1, # required
# type: "END_DATE", # required, accepts END_DATE, ABSOLUTE, DAYS, MONTHS, YEARS
# },
# idempotency_token: "IdempotencyToken",
# }
#
# @!attribute [rw] api_passthrough
# Specifies X.509 certificate information to be included in the issued
# certificate. An `APIPassthrough` or `APICSRPassthrough` template
# variant must be selected, or else this parameter is ignored. For
# more information about using these templates, see [Understanding
# Certificate Templates][1].
#
# If conflicting or duplicate certificate information is supplied
# during certificate issuance, ACM Private CA applies [order of
# operation rules][2] to determine what information is used.
#
#
#
# [1]: https://docs.aws.amazon.com/acm-pca/latest/userguide/UsingTemplates.html
# [2]: https://docs.aws.amazon.com/acm-pca/latest/userguide/UsingTemplates.html#template-order-of-operations
# @return [Types::ApiPassthrough]
#
# @!attribute [rw] certificate_authority_arn
# The Amazon Resource Name (ARN) that was returned when you called
# [CreateCertificateAuthority][1]. This must be of the form:
#
# `arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012
# `
#
#
#
# [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_CreateCertificateAuthority.html
# @return [String]
#
# @!attribute [rw] csr
# The certificate signing request (CSR) for the certificate you want
# to issue. As an example, you can use the following OpenSSL command
# to create the CSR and a 2048 bit RSA private key.
#
# `openssl req -new -newkey rsa:2048 -days 365 -keyout
# private/test_cert_priv_key.pem -out csr/test_cert_.csr`
#
# If you have a configuration file, you can then use the following
# OpenSSL command. The `usr_cert` block in the configuration file
# contains your X509 version 3 extensions.
#
# `openssl req -new -config openssl_rsa.cnf -extensions usr_cert
# -newkey rsa:2048 -days 365 -keyout private/test_cert_priv_key.pem
# -out csr/test_cert_.csr`
#
# Note: A CSR must provide either a *subject name* or a *subject
# alternative name* or the request will be rejected.
# @return [String]
#
# @!attribute [rw] signing_algorithm
# The name of the algorithm that will be used to sign the certificate
# to be issued.
#
# This parameter should not be confused with the `SigningAlgorithm`
# parameter used to sign a CSR in the `CreateCertificateAuthority`
# action.
#
# The specified signing algorithm family (RSA or ECDSA) much match the
# algorithm family of the CA's secret key.
#
#
# @return [String]
#
# @!attribute [rw] template_arn
# Specifies a custom configuration template to use when issuing a
# certificate. If this parameter is not provided, ACM Private CA
# defaults to the `EndEntityCertificate/V1` template. For CA
# certificates, you should choose the shortest path length that meets
# your needs. The path length is indicated by the PathLen*N* portion
# of the ARN, where *N* is the [CA depth][1].
#
# Note: The CA depth configured on a subordinate CA certificate must
# not exceed the limit set by its parents in the CA hierarchy.
#
# For a list of `TemplateArn` values supported by ACM Private CA, see
# [Understanding Certificate Templates][2].
#
#
#
# [1]: https://docs.aws.amazon.com/acm-pca/latest/userguide/PcaTerms.html#terms-cadepth
# [2]: https://docs.aws.amazon.com/acm-pca/latest/userguide/UsingTemplates.html
# @return [String]
#
# @!attribute [rw] validity
# Information describing the end of the validity period of the
# certificate. This parameter sets the “Not After” date for the
# certificate.
#
# Certificate validity is the period of time during which a
# certificate is valid. Validity can be expressed as an explicit date
# and time when the certificate expires, or as a span of time after
# issuance, stated in days, months, or years. For more information,
# see [Validity][1] in RFC 5280.
#
# This value is unaffected when `ValidityNotBefore` is also specified.
# For example, if `Validity` is set to 20 days in the future, the
# certificate will expire 20 days from issuance time regardless of the
# `ValidityNotBefore` value.
#
# The end of the validity period configured on a certificate must not
# exceed the limit set on its parents in the CA hierarchy.
#
#
#
# [1]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.5
# @return [Types::Validity]
#
# @!attribute [rw] validity_not_before
# Information describing the start of the validity period of the
# certificate. This parameter sets the “Not Before" date for the
# certificate.
#
# By default, when issuing a certificate, ACM Private CA sets the
# "Not Before" date to the issuance time minus 60 minutes. This
# compensates for clock inconsistencies across computer systems. The
# `ValidityNotBefore` parameter can be used to customize the “Not
# Before” value.
#
# Unlike the `Validity` parameter, the `ValidityNotBefore` parameter
# is optional.
#
# The `ValidityNotBefore` value is expressed as an explicit date and
# time, using the `Validity` type value `ABSOLUTE`. For more
# information, see [Validity][1] in this API reference and
# [Validity][2] in RFC 5280.
#
#
#
# [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_Validity.html
# [2]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.5
# @return [Types::Validity]
#
# @!attribute [rw] idempotency_token
# Alphanumeric string that can be used to distinguish between calls to
# the **IssueCertificate** action. Idempotency tokens for
# **IssueCertificate** time out after one minute. Therefore, if you
# call **IssueCertificate** multiple times with the same idempotency
# token within one minute, ACM Private CA recognizes that you are
# requesting only one certificate and will issue only one. If you
# change the idempotency token for each call, PCA recognizes that you
# are requesting multiple certificates.
# @return [String]
#
# @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/IssueCertificateRequest AWS API Documentation
#
class IssueCertificateRequest < Struct.new(
:api_passthrough,
:certificate_authority_arn,
:csr,
:signing_algorithm,
:template_arn,
:validity,
:validity_not_before,
:idempotency_token)
SENSITIVE = []
include Aws::Structure
end
# @!attribute [rw] certificate_arn
# The Amazon Resource Name (ARN) of the issued certificate and the
# certificate serial number. This is of the form:
#
# `arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012/certificate/286535153982981100925020015808220737245
# `
# @return [String]
#
# @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/IssueCertificateResponse AWS API Documentation
#
class IssueCertificateResponse < Struct.new(
:certificate_arn)
SENSITIVE = []
include Aws::Structure
end
# Defines one or more purposes for which the key contained in the
# certificate can be used. Default value for each option is false.
#
# @note When making an API call, you may pass KeyUsage
# data as a hash:
#
# {
# digital_signature: false,
# non_repudiation: false,
# key_encipherment: false,
# data_encipherment: false,
# key_agreement: false,
# key_cert_sign: false,
# crl_sign: false,
# encipher_only: false,
# decipher_only: false,
# }
#
# @!attribute [rw] digital_signature
# Key can be used for digital signing.
# @return [Boolean]
#
# @!attribute [rw] non_repudiation
# Key can be used for non-repudiation.
# @return [Boolean]
#
# @!attribute [rw] key_encipherment
# Key can be used to encipher data.
# @return [Boolean]
#
# @!attribute [rw] data_encipherment
# Key can be used to decipher data.
# @return [Boolean]
#
# @!attribute [rw] key_agreement
# Key can be used in a key-agreement protocol.
# @return [Boolean]
#
# @!attribute [rw] key_cert_sign
# Key can be used to sign certificates.
# @return [Boolean]
#
# @!attribute [rw] crl_sign
# Key can be used to sign CRLs.
# @return [Boolean]
#
# @!attribute [rw] encipher_only
# Key can be used only to encipher data.
# @return [Boolean]
#
# @!attribute [rw] decipher_only
# Key can be used only to decipher data.
# @return [Boolean]
#
# @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/KeyUsage AWS API Documentation
#
class KeyUsage < Struct.new(
:digital_signature,
:non_repudiation,
:key_encipherment,
:data_encipherment,
:key_agreement,
:key_cert_sign,
:crl_sign,
:encipher_only,
:decipher_only)
SENSITIVE = []
include Aws::Structure
end
# An ACM Private CA quota has been exceeded. See the exception message
# returned to determine the quota that was exceeded.
#
# @!attribute [rw] message
# @return [String]
#
# @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/LimitExceededException AWS API Documentation
#
class LimitExceededException < Struct.new(
:message)
SENSITIVE = []
include Aws::Structure
end
# @note When making an API call, you may pass ListCertificateAuthoritiesRequest
# data as a hash:
#
# {
# next_token: "NextToken",
# max_results: 1,
# resource_owner: "SELF", # accepts SELF, OTHER_ACCOUNTS
# }
#
# @!attribute [rw] next_token
# Use this parameter when paginating results in a subsequent request
# after you receive a response with truncated results. Set it to the
# value of the `NextToken` parameter from the response you just
# received.
# @return [String]
#
# @!attribute [rw] max_results
# Use this parameter when paginating results to specify the maximum
# number of items to return in the response on each page. If
# additional items exist beyond the number you specify, the
# `NextToken` element is sent in the response. Use this `NextToken`
# value in a subsequent request to retrieve additional items.
# @return [Integer]
#
# @!attribute [rw] resource_owner
# Use this parameter to filter the returned set of certificate
# authorities based on their owner. The default is SELF.
# @return [String]
#
# @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/ListCertificateAuthoritiesRequest AWS API Documentation
#
class ListCertificateAuthoritiesRequest < Struct.new(
:next_token,
:max_results,
:resource_owner)
SENSITIVE = []
include Aws::Structure
end
# @!attribute [rw] certificate_authorities
# Summary information about each certificate authority you have
# created.
# @return [Array]
#
# @!attribute [rw] next_token
# When the list is truncated, this value is present and should be used
# for the `NextToken` parameter in a subsequent pagination request.
# @return [String]
#
# @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/ListCertificateAuthoritiesResponse AWS API Documentation
#
class ListCertificateAuthoritiesResponse < Struct.new(
:certificate_authorities,
:next_token)
SENSITIVE = []
include Aws::Structure
end
# @note When making an API call, you may pass ListPermissionsRequest
# data as a hash:
#
# {
# certificate_authority_arn: "Arn", # required
# next_token: "NextToken",
# max_results: 1,
# }
#
# @!attribute [rw] certificate_authority_arn
# The Amazon Resource Number (ARN) of the private CA to inspect. You
# can find the ARN by calling the [ListCertificateAuthorities][1]
# action. This must be of the form:
# `arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012`
# You can get a private CA's ARN by running the
# [ListCertificateAuthorities][1] action.
#
#
#
# [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_ListCertificateAuthorities.html
# @return [String]
#
# @!attribute [rw] next_token
# When paginating results, use this parameter in a subsequent request
# after you receive a response with truncated results. Set it to the
# value of **NextToken** from the response you just received.
# @return [String]
#
# @!attribute [rw] max_results
# When paginating results, use this parameter to specify the maximum
# number of items to return in the response. If additional items exist
# beyond the number you specify, the **NextToken** element is sent in
# the response. Use this **NextToken** value in a subsequent request
# to retrieve additional items.
# @return [Integer]
#
# @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/ListPermissionsRequest AWS API Documentation
#
class ListPermissionsRequest < Struct.new(
:certificate_authority_arn,
:next_token,
:max_results)
SENSITIVE = []
include Aws::Structure
end
# @!attribute [rw] permissions
# Summary information about each permission assigned by the specified
# private CA, including the action enabled, the policy provided, and
# the time of creation.
# @return [Array]
#
# @!attribute [rw] next_token
# When the list is truncated, this value is present and should be used
# for the **NextToken** parameter in a subsequent pagination request.
# @return [String]
#
# @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/ListPermissionsResponse AWS API Documentation
#
class ListPermissionsResponse < Struct.new(
:permissions,
:next_token)
SENSITIVE = []
include Aws::Structure
end
# @note When making an API call, you may pass ListTagsRequest
# data as a hash:
#
# {
# certificate_authority_arn: "Arn", # required
# next_token: "NextToken",
# max_results: 1,
# }
#
# @!attribute [rw] certificate_authority_arn
# The Amazon Resource Name (ARN) that was returned when you called the
# [CreateCertificateAuthority][1] action. This must be of the form:
#
# `arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012
# `
#
#
#
# [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_CreateCertificateAuthority.html
# @return [String]
#
# @!attribute [rw] next_token
# Use this parameter when paginating results in a subsequent request
# after you receive a response with truncated results. Set it to the
# value of **NextToken** from the response you just received.
# @return [String]
#
# @!attribute [rw] max_results
# Use this parameter when paginating results to specify the maximum
# number of items to return in the response. If additional items exist
# beyond the number you specify, the **NextToken** element is sent in
# the response. Use this **NextToken** value in a subsequent request
# to retrieve additional items.
# @return [Integer]
#
# @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/ListTagsRequest AWS API Documentation
#
class ListTagsRequest < Struct.new(
:certificate_authority_arn,
:next_token,
:max_results)
SENSITIVE = []
include Aws::Structure
end
# @!attribute [rw] tags
# The tags associated with your private CA.
# @return [Array]
#
# @!attribute [rw] next_token
# When the list is truncated, this value is present and should be used
# for the **NextToken** parameter in a subsequent pagination request.
# @return [String]
#
# @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/ListTagsResponse AWS API Documentation
#
class ListTagsResponse < Struct.new(
:tags,
:next_token)
SENSITIVE = []
include Aws::Structure
end
# The current action was prevented because it would lock the caller out
# from performing subsequent actions. Verify that the specified
# parameters would not result in the caller being denied access to the
# resource.
#
# @!attribute [rw] message
# @return [String]
#
# @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/LockoutPreventedException AWS API Documentation
#
class LockoutPreventedException < Struct.new(
:message)
SENSITIVE = []
include Aws::Structure
end
# The certificate signing request is invalid.
#
# @!attribute [rw] message
# @return [String]
#
# @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/MalformedCSRException AWS API Documentation
#
class MalformedCSRException < Struct.new(
:message)
SENSITIVE = []
include Aws::Structure
end
# One or more fields in the certificate are invalid.
#
# @!attribute [rw] message
# @return [String]
#
# @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/MalformedCertificateException AWS API Documentation
#
class MalformedCertificateException < Struct.new(
:message)
SENSITIVE = []
include Aws::Structure
end
# Contains information to enable and configure Online Certificate Status
# Protocol (OCSP) for validating certificate revocation status.
#
# When you revoke a certificate, OCSP responses may take up to 60
# minutes to reflect the new status.
#
# @note When making an API call, you may pass OcspConfiguration
# data as a hash:
#
# {
# enabled: false, # required
# ocsp_custom_cname: "String253",
# }
#
# @!attribute [rw] enabled
# Flag enabling use of the Online Certificate Status Protocol (OCSP)
# for validating certificate revocation status.
# @return [Boolean]
#
# @!attribute [rw] ocsp_custom_cname
# By default, ACM Private CA injects an Amazon Web Services domain
# into certificates being validated by the Online Certificate Status
# Protocol (OCSP). A customer can alternatively use this object to
# define a CNAME specifying a customized OCSP domain.
#
# Note: The value of the CNAME must not include a protocol prefix such
# as "http://" or "https://".
#
# For more information, see [Customizing Online Certificate Status
# Protocol (OCSP) ][1] in the *Certificate Manager Private Certificate
# Authority (PCA) User Guide*.
#
#
#
# [1]: https://docs.aws.amazon.com/acm-pca/latest/userguide/ocsp-customize.html
# @return [String]
#
# @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/OcspConfiguration AWS API Documentation
#
class OcspConfiguration < Struct.new(
:enabled,
:ocsp_custom_cname)
SENSITIVE = []
include Aws::Structure
end
# Defines a custom ASN.1 X.400 `GeneralName` using an object identifier
# (OID) and value. The OID must satisfy the regular expression shown
# below. For more information, see NIST's definition of [Object
# Identifier (OID)][1].
#
#
#
# [1]: https://csrc.nist.gov/glossary/term/Object_Identifier
#
# @note When making an API call, you may pass OtherName
# data as a hash:
#
# {
# type_id: "CustomObjectIdentifier", # required
# value: "String256", # required
# }
#
# @!attribute [rw] type_id
# Specifies an OID.
# @return [String]
#
# @!attribute [rw] value
# Specifies an OID value.
# @return [String]
#
# @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/OtherName AWS API Documentation
#
class OtherName < Struct.new(
:type_id,
:value)
SENSITIVE = []
include Aws::Structure
end
# Permissions designate which private CA actions can be performed by an
# Amazon Web Services service or entity. In order for ACM to
# automatically renew private certificates, you must give the ACM
# service principal all available permissions (`IssueCertificate`,
# `GetCertificate`, and `ListPermissions`). Permissions can be assigned
# with the [CreatePermission][1] action, removed with the
# [DeletePermission][2] action, and listed with the [ListPermissions][3]
# action.
#
#
#
# [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_CreatePermission.html
# [2]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_DeletePermission.html
# [3]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_ListPermissions.html
#
# @!attribute [rw] certificate_authority_arn
# The Amazon Resource Number (ARN) of the private CA from which the
# permission was issued.
# @return [String]
#
# @!attribute [rw] created_at
# The time at which the permission was created.
# @return [Time]
#
# @!attribute [rw] principal
# The Amazon Web Services service or entity that holds the permission.
# At this time, the only valid principal is `acm.amazonaws.com`.
# @return [String]
#
# @!attribute [rw] source_account
# The ID of the account that assigned the permission.
# @return [String]
#
# @!attribute [rw] actions
# The private CA actions that can be performed by the designated
# Amazon Web Services service.
# @return [Array]
#
# @!attribute [rw] policy
# The name of the policy that is associated with the permission.
# @return [String]
#
# @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/Permission AWS API Documentation
#
class Permission < Struct.new(
:certificate_authority_arn,
:created_at,
:principal,
:source_account,
:actions,
:policy)
SENSITIVE = []
include Aws::Structure
end
# The designated permission has already been given to the user.
#
# @!attribute [rw] message
# @return [String]
#
# @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/PermissionAlreadyExistsException AWS API Documentation
#
class PermissionAlreadyExistsException < Struct.new(
:message)
SENSITIVE = []
include Aws::Structure
end
# Defines the X.509 `CertificatePolicies` extension.
#
# @note When making an API call, you may pass PolicyInformation
# data as a hash:
#
# {
# cert_policy_id: "CustomObjectIdentifier", # required
# policy_qualifiers: [
# {
# policy_qualifier_id: "CPS", # required, accepts CPS
# qualifier: { # required
# cps_uri: "String256", # required
# },
# },
# ],
# }
#
# @!attribute [rw] cert_policy_id
# Specifies the object identifier (OID) of the certificate policy
# under which the certificate was issued. For more information, see
# NIST's definition of [Object Identifier (OID)][1].
#
#
#
# [1]: https://csrc.nist.gov/glossary/term/Object_Identifier
# @return [String]
#
# @!attribute [rw] policy_qualifiers
# Modifies the given `CertPolicyId` with a qualifier. ACM Private CA
# supports the certification practice statement (CPS) qualifier.
# @return [Array]
#
# @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/PolicyInformation AWS API Documentation
#
class PolicyInformation < Struct.new(
:cert_policy_id,
:policy_qualifiers)
SENSITIVE = []
include Aws::Structure
end
# Modifies the `CertPolicyId` of a `PolicyInformation` object with a
# qualifier. ACM Private CA supports the certification practice
# statement (CPS) qualifier.
#
# @note When making an API call, you may pass PolicyQualifierInfo
# data as a hash:
#
# {
# policy_qualifier_id: "CPS", # required, accepts CPS
# qualifier: { # required
# cps_uri: "String256", # required
# },
# }
#
# @!attribute [rw] policy_qualifier_id
# Identifies the qualifier modifying a `CertPolicyId`.
# @return [String]
#
# @!attribute [rw] qualifier
# Defines the qualifier type. ACM Private CA supports the use of a URI
# for a CPS qualifier in this field.
# @return [Types::Qualifier]
#
# @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/PolicyQualifierInfo AWS API Documentation
#
class PolicyQualifierInfo < Struct.new(
:policy_qualifier_id,
:qualifier)
SENSITIVE = []
include Aws::Structure
end
# @note When making an API call, you may pass PutPolicyRequest
# data as a hash:
#
# {
# resource_arn: "Arn", # required
# policy: "AWSPolicy", # required
# }
#
# @!attribute [rw] resource_arn
# The Amazon Resource Number (ARN) of the private CA to associate with
# the policy. The ARN of the CA can be found by calling the
# [ListCertificateAuthorities][1] action.
#
#
#
#
#
# [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_ListCertificateAuthorities.html
# @return [String]
#
# @!attribute [rw] policy
# The path and file name of a JSON-formatted IAM policy to attach to
# the specified private CA resource. If this policy does not contain
# all required statements or if it includes any statement that is not
# allowed, the `PutPolicy` action returns an `InvalidPolicyException`.
# For information about IAM policy and statement structure, see
# [Overview of JSON Policies][1].
#
#
#
# [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#access_policies-json
# @return [String]
#
# @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/PutPolicyRequest AWS API Documentation
#
class PutPolicyRequest < Struct.new(
:resource_arn,
:policy)
SENSITIVE = []
include Aws::Structure
end
# Defines a `PolicyInformation` qualifier. ACM Private CA supports the
# [certification practice statement (CPS) qualifier][1] defined in RFC
# 5280.
#
#
#
# [1]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.4
#
# @note When making an API call, you may pass Qualifier
# data as a hash:
#
# {
# cps_uri: "String256", # required
# }
#
# @!attribute [rw] cps_uri
# Contains a pointer to a certification practice statement (CPS)
# published by the CA.
# @return [String]
#
# @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/Qualifier AWS API Documentation
#
class Qualifier < Struct.new(
:cps_uri)
SENSITIVE = []
include Aws::Structure
end
# Your request has already been completed.
#
# @!attribute [rw] message
# @return [String]
#
# @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/RequestAlreadyProcessedException AWS API Documentation
#
class RequestAlreadyProcessedException < Struct.new(
:message)
SENSITIVE = []
include Aws::Structure
end
# The request has failed for an unspecified reason.
#
# @!attribute [rw] message
# @return [String]
#
# @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/RequestFailedException AWS API Documentation
#
class RequestFailedException < Struct.new(
:message)
SENSITIVE = []
include Aws::Structure
end
# Your request is already in progress.
#
# @!attribute [rw] message
# @return [String]
#
# @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/RequestInProgressException AWS API Documentation
#
class RequestInProgressException < Struct.new(
:message)
SENSITIVE = []
include Aws::Structure
end
# A resource such as a private CA, S3 bucket, certificate, audit report,
# or policy cannot be found.
#
# @!attribute [rw] message
# @return [String]
#
# @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/ResourceNotFoundException AWS API Documentation
#
class ResourceNotFoundException < Struct.new(
:message)
SENSITIVE = []
include Aws::Structure
end
# @note When making an API call, you may pass RestoreCertificateAuthorityRequest
# data as a hash:
#
# {
# certificate_authority_arn: "Arn", # required
# }
#
# @!attribute [rw] certificate_authority_arn
# The Amazon Resource Name (ARN) that was returned when you called the
# [CreateCertificateAuthority][1] action. This must be of the form:
#
# `arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012
# `
#
#
#
# [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_CreateCertificateAuthority.html
# @return [String]
#
# @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/RestoreCertificateAuthorityRequest AWS API Documentation
#
class RestoreCertificateAuthorityRequest < Struct.new(
:certificate_authority_arn)
SENSITIVE = []
include Aws::Structure
end
# Certificate revocation information used by the
# [CreateCertificateAuthority][1] and [UpdateCertificateAuthority][2]
# actions. Your private certificate authority (CA) can configure Online
# Certificate Status Protocol (OCSP) support and/or maintain a
# certificate revocation list (CRL). OCSP returns validation information
# about certificates as requested by clients, and a CRL contains an
# updated list of certificates revoked by your CA. For more information,
# see [RevokeCertificate][3] and [Setting up a certificate revocation
# method][4] in the *Certificate Manager Private Certificate Authority
# (PCA) User Guide*.
#
#
#
# [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_CreateCertificateAuthority.html
# [2]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_UpdateCertificateAuthority.html
# [3]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_RevokeCertificate.html
# [4]: https://docs.aws.amazon.com/acm-pca/latest/userguide/revocation-setup.html
#
# @note When making an API call, you may pass RevocationConfiguration
# data as a hash:
#
# {
# crl_configuration: {
# enabled: false, # required
# expiration_in_days: 1,
# custom_cname: "String253",
# s3_bucket_name: "String3To255",
# s3_object_acl: "PUBLIC_READ", # accepts PUBLIC_READ, BUCKET_OWNER_FULL_CONTROL
# },
# ocsp_configuration: {
# enabled: false, # required
# ocsp_custom_cname: "String253",
# },
# }
#
# @!attribute [rw] crl_configuration
# Configuration of the certificate revocation list (CRL), if any,
# maintained by your private CA. A CRL is typically updated
# approximately 30 minutes after a certificate is revoked. If for any
# reason a CRL update fails, ACM Private CA makes further attempts
# every 15 minutes.
# @return [Types::CrlConfiguration]
#
# @!attribute [rw] ocsp_configuration
# Configuration of Online Certificate Status Protocol (OCSP) support,
# if any, maintained by your private CA. When you revoke a
# certificate, OCSP responses may take up to 60 minutes to reflect the
# new status.
# @return [Types::OcspConfiguration]
#
# @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/RevocationConfiguration AWS API Documentation
#
class RevocationConfiguration < Struct.new(
:crl_configuration,
:ocsp_configuration)
SENSITIVE = []
include Aws::Structure
end
# @note When making an API call, you may pass RevokeCertificateRequest
# data as a hash:
#
# {
# certificate_authority_arn: "Arn", # required
# certificate_serial: "String128", # required
# revocation_reason: "UNSPECIFIED", # required, accepts UNSPECIFIED, KEY_COMPROMISE, CERTIFICATE_AUTHORITY_COMPROMISE, AFFILIATION_CHANGED, SUPERSEDED, CESSATION_OF_OPERATION, PRIVILEGE_WITHDRAWN, A_A_COMPROMISE
# }
#
# @!attribute [rw] certificate_authority_arn
# Amazon Resource Name (ARN) of the private CA that issued the
# certificate to be revoked. This must be of the form:
#
# `arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012
# `
# @return [String]
#
# @!attribute [rw] certificate_serial
# Serial number of the certificate to be revoked. This must be in
# hexadecimal format. You can retrieve the serial number by calling
# [GetCertificate][1] with the Amazon Resource Name (ARN) of the
# certificate you want and the ARN of your private CA. The
# **GetCertificate** action retrieves the certificate in the PEM
# format. You can use the following OpenSSL command to list the
# certificate in text format and copy the hexadecimal serial number.
#
# `openssl x509 -in file_path -text -noout`
#
# You can also copy the serial number from the console or use the
# [DescribeCertificate][2] action in the *Certificate Manager API
# Reference*.
#
#
#
# [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_GetCertificate.html
# [2]: https://docs.aws.amazon.com/acm/latest/APIReference/API_DescribeCertificate.html
# @return [String]
#
# @!attribute [rw] revocation_reason
# Specifies why you revoked the certificate.
# @return [String]
#
# @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/RevokeCertificateRequest AWS API Documentation
#
class RevokeCertificateRequest < Struct.new(
:certificate_authority_arn,
:certificate_serial,
:revocation_reason)
SENSITIVE = []
include Aws::Structure
end
# Tags are labels that you can use to identify and organize your private
# CAs. Each tag consists of a key and an optional value. You can
# associate up to 50 tags with a private CA. To add one or more tags to
# a private CA, call the [TagCertificateAuthority][1] action. To remove
# a tag, call the [UntagCertificateAuthority][2] action.
#
#
#
# [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_TagCertificateAuthority.html
# [2]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_UntagCertificateAuthority.html
#
# @note When making an API call, you may pass Tag
# data as a hash:
#
# {
# key: "TagKey", # required
# value: "TagValue",
# }
#
# @!attribute [rw] key
# Key (name) of the tag.
# @return [String]
#
# @!attribute [rw] value
# Value of the tag.
# @return [String]
#
# @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/Tag AWS API Documentation
#
class Tag < Struct.new(
:key,
:value)
SENSITIVE = []
include Aws::Structure
end
# @note When making an API call, you may pass TagCertificateAuthorityRequest
# data as a hash:
#
# {
# certificate_authority_arn: "Arn", # required
# tags: [ # required
# {
# key: "TagKey", # required
# value: "TagValue",
# },
# ],
# }
#
# @!attribute [rw] certificate_authority_arn
# The Amazon Resource Name (ARN) that was returned when you called
# [CreateCertificateAuthority][1]. This must be of the form:
#
# `arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012
# `
#
#
#
# [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_CreateCertificateAuthority.html
# @return [String]
#
# @!attribute [rw] tags
# List of tags to be associated with the CA.
# @return [Array]
#
# @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/TagCertificateAuthorityRequest AWS API Documentation
#
class TagCertificateAuthorityRequest < Struct.new(
:certificate_authority_arn,
:tags)
SENSITIVE = []
include Aws::Structure
end
# You can associate up to 50 tags with a private CA. Exception
# information is contained in the exception message field.
#
# @!attribute [rw] message
# @return [String]
#
# @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/TooManyTagsException AWS API Documentation
#
class TooManyTagsException < Struct.new(
:message)
SENSITIVE = []
include Aws::Structure
end
# @note When making an API call, you may pass UntagCertificateAuthorityRequest
# data as a hash:
#
# {
# certificate_authority_arn: "Arn", # required
# tags: [ # required
# {
# key: "TagKey", # required
# value: "TagValue",
# },
# ],
# }
#
# @!attribute [rw] certificate_authority_arn
# The Amazon Resource Name (ARN) that was returned when you called
# [CreateCertificateAuthority][1]. This must be of the form:
#
# `arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012
# `
#
#
#
# [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_CreateCertificateAuthority.html
# @return [String]
#
# @!attribute [rw] tags
# List of tags to be removed from the CA.
# @return [Array]
#
# @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/UntagCertificateAuthorityRequest AWS API Documentation
#
class UntagCertificateAuthorityRequest < Struct.new(
:certificate_authority_arn,
:tags)
SENSITIVE = []
include Aws::Structure
end
# @note When making an API call, you may pass UpdateCertificateAuthorityRequest
# data as a hash:
#
# {
# certificate_authority_arn: "Arn", # required
# revocation_configuration: {
# crl_configuration: {
# enabled: false, # required
# expiration_in_days: 1,
# custom_cname: "String253",
# s3_bucket_name: "String3To255",
# s3_object_acl: "PUBLIC_READ", # accepts PUBLIC_READ, BUCKET_OWNER_FULL_CONTROL
# },
# ocsp_configuration: {
# enabled: false, # required
# ocsp_custom_cname: "String253",
# },
# },
# status: "CREATING", # accepts CREATING, PENDING_CERTIFICATE, ACTIVE, DELETED, DISABLED, EXPIRED, FAILED
# }
#
# @!attribute [rw] certificate_authority_arn
# Amazon Resource Name (ARN) of the private CA that issued the
# certificate to be revoked. This must be of the form:
#
# `arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012
# `
# @return [String]
#
# @!attribute [rw] revocation_configuration
# Contains information to enable Online Certificate Status Protocol
# (OCSP) support, to enable a certificate revocation list (CRL), to
# enable both, or to enable neither. If this parameter is not
# supplied, existing capibilites remain unchanged. For more
# information, see the [OcspConfiguration][1] and
# [CrlConfiguration][2] types.
#
#
#
# [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_OcspConfiguration.html
# [2]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_CrlConfiguration.html
# @return [Types::RevocationConfiguration]
#
# @!attribute [rw] status
# Status of your private CA.
# @return [String]
#
# @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/UpdateCertificateAuthorityRequest AWS API Documentation
#
class UpdateCertificateAuthorityRequest < Struct.new(
:certificate_authority_arn,
:revocation_configuration,
:status)
SENSITIVE = []
include Aws::Structure
end
# Validity specifies the period of time during which a certificate is
# valid. Validity can be expressed as an explicit date and time when the
# validity of a certificate starts or expires, or as a span of time
# after issuance, stated in days, months, or years. For more
# information, see [Validity][1] in RFC 5280.
#
# ACM Private CA API consumes the `Validity` data type differently in
# two distinct parameters of the `IssueCertificate` action. The required
# parameter `IssueCertificate`\:`Validity` specifies the end of a
# certificate's validity period. The optional parameter
# `IssueCertificate`\:`ValidityNotBefore` specifies a customized
# starting time for the validity period.
#
#
#
# [1]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.5
#
# @note When making an API call, you may pass Validity
# data as a hash:
#
# {
# value: 1, # required
# type: "END_DATE", # required, accepts END_DATE, ABSOLUTE, DAYS, MONTHS, YEARS
# }
#
# @!attribute [rw] value
# A long integer interpreted according to the value of `Type`, below.
# @return [Integer]
#
# @!attribute [rw] type
# Determines how *ACM Private CA* interprets the `Value` parameter, an
# integer. Supported validity types include those listed below. Type
# definitions with values include a sample input value and the
# resulting output.
#
# `END_DATE`\: The specific date and time when the certificate will
# expire, expressed using UTCTime (YYMMDDHHMMSS) or GeneralizedTime
# (YYYYMMDDHHMMSS) format. When UTCTime is used, if the year field
# (YY) is greater than or equal to 50, the year is interpreted as
# 19YY. If the year field is less than 50, the year is interpreted as
# 20YY.
#
# * Sample input value: 491231235959 (UTCTime format)
#
# * Output expiration date/time: 12/31/2049 23:59:59
#
# `ABSOLUTE`\: The specific date and time when the validity of a
# certificate will start or expire, expressed in seconds since the
# Unix Epoch.
#
# * Sample input value: 2524608000
#
# * Output expiration date/time: 01/01/2050 00:00:00
#
# `DAYS`, `MONTHS`, `YEARS`\: The relative time from the moment of
# issuance until the certificate will expire, expressed in days,
# months, or years.
#
# Example if `DAYS`, issued on 10/12/2020 at 12:34:54 UTC:
#
# * Sample input value: 90
#
# * Output expiration date: 01/10/2020 12:34:54 UTC
#
# The minimum validity duration for a certificate using relative time
# (`DAYS`) is one day. The minimum validity for a certificate using
# absolute time (`ABSOLUTE` or `END_DATE`) is one second.
# @return [String]
#
# @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/Validity AWS API Documentation
#
class Validity < Struct.new(
:value,
:type)
SENSITIVE = []
include Aws::Structure
end
end
end