Amazon Web Services Private CA assets that are stored in Amazon S3 can be protected with encryption. - * For more information, see Encrypting Your + * For more information, see Encrypting Your * CRLs.
* @example * Use a bare-bones client and the command you need to make an API call. diff --git a/clients/client-acm-pca/src/commands/ImportCertificateAuthorityCertificateCommand.ts b/clients/client-acm-pca/src/commands/ImportCertificateAuthorityCertificateCommand.ts index c4927b8d9d4b..15da5b731412 100644 --- a/clients/client-acm-pca/src/commands/ImportCertificateAuthorityCertificateCommand.ts +++ b/clients/client-acm-pca/src/commands/ImportCertificateAuthorityCertificateCommand.ts @@ -102,64 +102,62 @@ export interface ImportCertificateAuthorityCertificateCommandOutput extends __Me * certificate or chain. *Basic constraints (must be marked critical)
+ *Authority key identifier
*Subject alternative names
+ *Basic constraints (must be marked critical)
*Key usage
+ *Certificate policies
*Extended key usage
*Authority key identifier
+ *Inhibit anyPolicy
*Subject key identifier
+ *Issuer alternative name
*Issuer alternative name
+ *Key usage
*Subject directory attributes
+ *Name constraints
*Subject information access
+ *Policy mappings
*Certificate policies
+ *Subject alternative name
*Policy mappings
+ *Subject directory attributes
*Inhibit anyPolicy
+ *Subject key identifier
+ *Subject information access
*Amazon Web Services Private CA rejects the following extensions when they are marked critical in an * imported CA certificate or chain.
*Name constraints
- *Policy constraints
+ *Authority information access
*CRL distribution points
*Authority information access
- *Freshest CRL
*Any other extension
+ *Policy constraints
*Amazon Web Services Private Certificate Authority will also reject any other extension marked as critical not contained on the preceding list of allowed extensions.
* @example * Use a bare-bones client and the command you need to make an API call. * ```javascript diff --git a/clients/client-acm-pca/src/models/models_0.ts b/clients/client-acm-pca/src/models/models_0.ts index cf3318915dfb..ee1a4e086637 100644 --- a/clients/client-acm-pca/src/models/models_0.ts +++ b/clients/client-acm-pca/src/models/models_0.ts @@ -531,7 +531,7 @@ export type S3ObjectAcl = (typeof S3ObjectAcl)[keyof typeof S3ObjectAcl]; * parameter. Your S3 * bucket policy must give write permission to Amazon Web Services Private CA. *Amazon Web Services Private CA assets that are stored in Amazon S3 can be protected with encryption. - * For more information, see Encrypting Your + * For more information, see Encrypting Your * CRLs.
*Your private CA uses the value in the ExpirationInDays parameter to calculate the nextUpdate field in the CRL. The CRL is refreshed prior to a * certificate's expiration date or when a certificate is revoked. When a certificate is diff --git a/codegen/sdk-codegen/aws-models/acm-pca.json b/codegen/sdk-codegen/aws-models/acm-pca.json index 5797e7528a36..b441e83dbfb2 100644 --- a/codegen/sdk-codegen/aws-models/acm-pca.json +++ b/codegen/sdk-codegen/aws-models/acm-pca.json @@ -1773,7 +1773,7 @@ } ], "traits": { - "smithy.api#documentation": "
Creates a root or subordinate private certificate authority (CA). You must specify the\n\t\t\tCA configuration, an optional configuration for Online Certificate Status Protocol\n\t\t\t(OCSP) and/or a certificate revocation list (CRL), the CA type, and an optional\n\t\t\tidempotency token to avoid accidental creation of multiple CAs. The CA configuration\n\t\t\tspecifies the name of the algorithm and key size to be used to create the CA private\n\t\t\tkey, the type of signing algorithm that the CA uses, and X.500 subject information. The\n\t\t\tOCSP configuration can optionally specify a custom URL for the OCSP responder. The CRL\n\t\t\tconfiguration specifies the CRL expiration period in days (the validity period of the\n\t\t\tCRL), the Amazon S3 bucket that will contain the CRL, and a CNAME alias for the S3\n\t\t\tbucket that is included in certificates issued by the CA. If successful, this action\n\t\t\treturns the Amazon Resource Name (ARN) of the CA.
\nBoth Amazon Web Services Private CA and the IAM principal must have permission to write to\n the S3 bucket that you specify. If the IAM principal making the call\n does not have permission to write to the bucket, then an exception is\n thrown. For more information, see Access \n\t\t\t\t\t\tpolicies for CRLs in Amazon S3.
\nAmazon Web Services Private CA assets that are stored in Amazon S3 can be protected with encryption. \n For more information, see Encrypting Your\n\t\t\tCRLs.
", + "smithy.api#documentation": "Creates a root or subordinate private certificate authority (CA). You must specify the\n\t\t\tCA configuration, an optional configuration for Online Certificate Status Protocol\n\t\t\t(OCSP) and/or a certificate revocation list (CRL), the CA type, and an optional\n\t\t\tidempotency token to avoid accidental creation of multiple CAs. The CA configuration\n\t\t\tspecifies the name of the algorithm and key size to be used to create the CA private\n\t\t\tkey, the type of signing algorithm that the CA uses, and X.500 subject information. The\n\t\t\tOCSP configuration can optionally specify a custom URL for the OCSP responder. The CRL\n\t\t\tconfiguration specifies the CRL expiration period in days (the validity period of the\n\t\t\tCRL), the Amazon S3 bucket that will contain the CRL, and a CNAME alias for the S3\n\t\t\tbucket that is included in certificates issued by the CA. If successful, this action\n\t\t\treturns the Amazon Resource Name (ARN) of the CA.
\nBoth Amazon Web Services Private CA and the IAM principal must have permission to write to\n the S3 bucket that you specify. If the IAM principal making the call\n does not have permission to write to the bucket, then an exception is\n thrown. For more information, see Access \n\t\t\t\t\t\tpolicies for CRLs in Amazon S3.
\nAmazon Web Services Private CA assets that are stored in Amazon S3 can be protected with encryption. \n For more information, see Encrypting Your\n\t\t\tCRLs.
", "smithy.api#idempotent": {} } }, @@ -2035,7 +2035,7 @@ } }, "traits": { - "smithy.api#documentation": "Contains configuration information for a certificate revocation list (CRL). Your\n\t\t\tprivate certificate authority (CA) creates base CRLs. Delta CRLs are not supported. You\n\t\t\tcan enable CRLs for your new or an existing private CA by setting the Enabled parameter to true. Your private CA\n\t\t\twrites CRLs to an S3 bucket that you specify in the S3BucketName parameter. You can hide the name of your bucket by\n\t\t\tspecifying a value for the CustomCname parameter. Your\n\t\t\tprivate CA by default copies the CNAME or the S3 bucket name to the CRL\n\t\t\t\tDistribution Points extension of each certificate it issues. If you want to configure\n\t\t\t\tthis default behavior to be something different, you can set the CrlDistributionPointExtensionConfiguration \n\t\t\t\tparameter. Your S3\n\t\t\tbucket policy must give write permission to Amazon Web Services Private CA.
Amazon Web Services Private CA assets that are stored in Amazon S3 can be protected with encryption. \n For more information, see Encrypting Your\n\t\t\tCRLs.
\nYour private CA uses the value in the ExpirationInDays parameter to calculate the nextUpdate field in the CRL. The CRL is refreshed prior to a\n\t\t\tcertificate's expiration date or when a certificate is revoked. When a certificate is\n\t\t\trevoked, it appears in the CRL until the certificate expires, and then in one additional\n\t\t\tCRL after expiration, and it always appears in the audit report.
\nA CRL is typically updated approximately 30 minutes after a certificate \n\tis revoked. If for any reason a CRL update fails, Amazon Web Services Private CA makes further attempts \n\tevery 15 minutes.
\nCRLs contain the following fields:
\n\n Version: The current version number defined\n\t\t\t\t\tin RFC 5280 is V2. The integer value is 0x1.
\n\n Signature Algorithm: The name of the\n\t\t\t\t\talgorithm used to sign the CRL.
\n\n Issuer: The X.500 distinguished name of your\n\t\t\t\t\tprivate CA that issued the CRL.
\n\n Last Update: The issue date and time of this\n\t\t\t\t\tCRL.
\n\n Next Update: The day and time by which the\n\t\t\t\t\tnext CRL will be issued.
\n\n Revoked Certificates: List of revoked\n\t\t\t\t\tcertificates. Each list item contains the following information.
\n\n Serial Number: The serial number, in\n\t\t\t\t\t\t\thexadecimal format, of the revoked certificate.
\n\n Revocation Date: Date and time the\n\t\t\t\t\t\t\tcertificate was revoked.
\n\n CRL Entry Extensions: Optional\n\t\t\t\t\t\t\textensions for the CRL entry.
\n\n X509v3 CRL Reason Code:\n\t\t\t\t\t\t\t\t\tReason the certificate was revoked.
\n\n CRL Extensions: Optional extensions for the\n\t\t\t\t\tCRL.
\n\n X509v3 Authority Key Identifier:\n\t\t\t\t\t\t\tIdentifies the public key associated with the private key used to sign\n\t\t\t\t\t\t\tthe certificate.
\n\n X509v3 CRL Number:: Decimal sequence\n\t\t\t\t\t\t\tnumber for the CRL.
\n\n Signature Algorithm: Algorithm used by your\n\t\t\t\t\tprivate CA to sign the CRL.
\n\n Signature Value: Signature computed over the\n\t\t\t\t\tCRL.
\nCertificate revocation lists created by Amazon Web Services Private CA are DER-encoded. You can use the\n\t\t\tfollowing OpenSSL command to list a CRL.
\n\n openssl crl -inform DER -text -in crl_path\n\t\t\t-noout\n
For more information, see Planning a certificate revocation list\n\t\t\t\t(CRL) in the Amazon Web Services Private Certificate Authority User Guide\n
" + "smithy.api#documentation": "Contains configuration information for a certificate revocation list (CRL). Your\n\t\t\tprivate certificate authority (CA) creates base CRLs. Delta CRLs are not supported. You\n\t\t\tcan enable CRLs for your new or an existing private CA by setting the Enabled parameter to true. Your private CA\n\t\t\twrites CRLs to an S3 bucket that you specify in the S3BucketName parameter. You can hide the name of your bucket by\n\t\t\tspecifying a value for the CustomCname parameter. Your\n\t\t\tprivate CA by default copies the CNAME or the S3 bucket name to the CRL\n\t\t\t\tDistribution Points extension of each certificate it issues. If you want to configure\n\t\t\t\tthis default behavior to be something different, you can set the CrlDistributionPointExtensionConfiguration \n\t\t\t\tparameter. Your S3\n\t\t\tbucket policy must give write permission to Amazon Web Services Private CA.
Amazon Web Services Private CA assets that are stored in Amazon S3 can be protected with encryption. \n For more information, see Encrypting Your\n\t\t\tCRLs.
\nYour private CA uses the value in the ExpirationInDays parameter to calculate the nextUpdate field in the CRL. The CRL is refreshed prior to a\n\t\t\tcertificate's expiration date or when a certificate is revoked. When a certificate is\n\t\t\trevoked, it appears in the CRL until the certificate expires, and then in one additional\n\t\t\tCRL after expiration, and it always appears in the audit report.
\nA CRL is typically updated approximately 30 minutes after a certificate \n\tis revoked. If for any reason a CRL update fails, Amazon Web Services Private CA makes further attempts \n\tevery 15 minutes.
\nCRLs contain the following fields:
\n\n Version: The current version number defined\n\t\t\t\t\tin RFC 5280 is V2. The integer value is 0x1.
\n\n Signature Algorithm: The name of the\n\t\t\t\t\talgorithm used to sign the CRL.
\n\n Issuer: The X.500 distinguished name of your\n\t\t\t\t\tprivate CA that issued the CRL.
\n\n Last Update: The issue date and time of this\n\t\t\t\t\tCRL.
\n\n Next Update: The day and time by which the\n\t\t\t\t\tnext CRL will be issued.
\n\n Revoked Certificates: List of revoked\n\t\t\t\t\tcertificates. Each list item contains the following information.
\n\n Serial Number: The serial number, in\n\t\t\t\t\t\t\thexadecimal format, of the revoked certificate.
\n\n Revocation Date: Date and time the\n\t\t\t\t\t\t\tcertificate was revoked.
\n\n CRL Entry Extensions: Optional\n\t\t\t\t\t\t\textensions for the CRL entry.
\n\n X509v3 CRL Reason Code:\n\t\t\t\t\t\t\t\t\tReason the certificate was revoked.
\n\n CRL Extensions: Optional extensions for the\n\t\t\t\t\tCRL.
\n\n X509v3 Authority Key Identifier:\n\t\t\t\t\t\t\tIdentifies the public key associated with the private key used to sign\n\t\t\t\t\t\t\tthe certificate.
\n\n X509v3 CRL Number:: Decimal sequence\n\t\t\t\t\t\t\tnumber for the CRL.
\n\n Signature Algorithm: Algorithm used by your\n\t\t\t\t\tprivate CA to sign the CRL.
\n\n Signature Value: Signature computed over the\n\t\t\t\t\tCRL.
\nCertificate revocation lists created by Amazon Web Services Private CA are DER-encoded. You can use the\n\t\t\tfollowing OpenSSL command to list a CRL.
\n\n openssl crl -inform DER -text -in crl_path\n\t\t\t-noout\n
For more information, see Planning a certificate revocation list\n\t\t\t\t(CRL) in the Amazon Web Services Private Certificate Authority User Guide\n
" } }, "com.amazonaws.acmpca#CrlDistributionPointExtensionConfiguration": { @@ -3059,7 +3059,7 @@ } ], "traits": { - "smithy.api#documentation": "Imports a signed private CA certificate into Amazon Web Services Private CA. This action is used when you\n\t\t\tare using a chain of trust whose root is located outside Amazon Web Services Private CA. Before you can call\n\t\t\tthis action, the following preparations must in place:
\nIn Amazon Web Services Private CA, call the CreateCertificateAuthority action to create the private CA that you\n\t\t\t\t\tplan to back with the imported certificate.
\nCall the GetCertificateAuthorityCsr action to generate a certificate signing\n\t\t\t\t\trequest (CSR).
\nSign the CSR using a root or intermediate CA hosted by either an on-premises\n\t\t\t\t\tPKI hierarchy or by a commercial CA.
\nCreate a certificate chain and copy the signed certificate and the certificate\n\t\t\t\t\tchain to your working directory.
\nAmazon Web Services Private CA supports three scenarios for installing a CA certificate:
\nInstalling a certificate for a root CA hosted by Amazon Web Services Private CA.
\nInstalling a subordinate CA certificate whose parent authority is hosted by\n\t\t\t\t\tAmazon Web Services Private CA.
\nInstalling a subordinate CA certificate whose parent authority is externally\n\t\t\t\t\thosted.
\nThe following additional requirements apply when you import a CA certificate.
\nOnly a self-signed certificate can be imported as a root CA.
\nA self-signed certificate cannot be imported as a subordinate CA.
\nYour certificate chain must not include the private CA certificate that you\n\t\t\t\t\tare importing.
\nYour root CA must be the last certificate in your chain. The subordinate\n\t\t\t\t\tcertificate, if any, that your root CA signed must be next to last. The\n\t\t\t\t\tsubordinate certificate signed by the preceding subordinate CA must come next,\n\t\t\t\t\tand so on until your chain is built.
\nThe chain must be PEM-encoded.
\nThe maximum allowed size of a certificate is 32 KB.
\nThe maximum allowed size of a certificate chain is 2 MB.
\n\n Enforcement of Critical Constraints\n
\nAmazon Web Services Private CA allows the following extensions to be marked critical in the imported CA\n\t\t\tcertificate or chain.
\nBasic constraints (must be marked critical)
\nSubject alternative names
\nKey usage
\nExtended key usage
\nAuthority key identifier
\nSubject key identifier
\nIssuer alternative name
\nSubject directory attributes
\nSubject information access
\nCertificate policies
\nPolicy mappings
\nInhibit anyPolicy
\nAmazon Web Services Private CA rejects the following extensions when they are marked critical in an\n\t\t\timported CA certificate or chain.
\nName constraints
\nPolicy constraints
\nCRL distribution points
\nAuthority information access
\nFreshest CRL
\nAny other extension
\nImports a signed private CA certificate into Amazon Web Services Private CA. This action is used when you\n\t\t\tare using a chain of trust whose root is located outside Amazon Web Services Private CA. Before you can call\n\t\t\tthis action, the following preparations must in place:
\nIn Amazon Web Services Private CA, call the CreateCertificateAuthority action to create the private CA that you\n\t\t\t\t\tplan to back with the imported certificate.
\nCall the GetCertificateAuthorityCsr action to generate a certificate signing\n\t\t\t\t\trequest (CSR).
\nSign the CSR using a root or intermediate CA hosted by either an on-premises\n\t\t\t\t\tPKI hierarchy or by a commercial CA.
\nCreate a certificate chain and copy the signed certificate and the certificate\n\t\t\t\t\tchain to your working directory.
\nAmazon Web Services Private CA supports three scenarios for installing a CA certificate:
\nInstalling a certificate for a root CA hosted by Amazon Web Services Private CA.
\nInstalling a subordinate CA certificate whose parent authority is hosted by\n\t\t\t\t\tAmazon Web Services Private CA.
\nInstalling a subordinate CA certificate whose parent authority is externally\n\t\t\t\t\thosted.
\nThe following additional requirements apply when you import a CA certificate.
\nOnly a self-signed certificate can be imported as a root CA.
\nA self-signed certificate cannot be imported as a subordinate CA.
\nYour certificate chain must not include the private CA certificate that you\n\t\t\t\t\tare importing.
\nYour root CA must be the last certificate in your chain. The subordinate\n\t\t\t\t\tcertificate, if any, that your root CA signed must be next to last. The\n\t\t\t\t\tsubordinate certificate signed by the preceding subordinate CA must come next,\n\t\t\t\t\tand so on until your chain is built.
\nThe chain must be PEM-encoded.
\nThe maximum allowed size of a certificate is 32 KB.
\nThe maximum allowed size of a certificate chain is 2 MB.
\n\n Enforcement of Critical Constraints\n
\nAmazon Web Services Private CA allows the following extensions to be marked critical in the imported CA\n\t\t\tcertificate or chain.
\nAuthority key identifier
\nBasic constraints (must be marked critical)
\nCertificate policies
\nExtended key usage
\nInhibit anyPolicy
\nIssuer alternative name
\nKey usage
\nName constraints
\nPolicy mappings
\nSubject alternative name
\nSubject directory attributes
\nSubject key identifier
\nSubject information access
\nAmazon Web Services Private CA rejects the following extensions when they are marked critical in an\n\t\t\timported CA certificate or chain.
\nAuthority information access
\nCRL distribution points
\nFreshest CRL
\nPolicy constraints
\nAmazon Web Services Private Certificate Authority will also reject any other extension marked as critical not contained on the preceding list of allowed extensions.
" } }, "com.amazonaws.acmpca#ImportCertificateAuthorityCertificateRequest": {