Crate rusoto_acm_pca


This is the ACM Private CA API Reference. It provides descriptions, syntax, and usage examples for each of the actions and data types involved in creating and managing private certificate authorities (CA) for your organization.

The documentation for each action shows the Query API request parameters and the XML response. Alternatively, you can use one of the AWS SDKs to access an API that's tailored to the programming language or platform that you're using. For more information, see AWS SDKs.

Each ACM Private CA API action has a quota that determines the number of times the action can be called per second. For more information, see API Rate Quotas in ACM Private CA in the ACM Private CA user guide.

If you’re using the service, you’re probably looking for AcmPcaClient and AcmPca.

Structs

ASN1Subject

Contains information about the certificate subject. The Subject field in the certificate identifies the entity that owns or controls the public key in the certificate. The entity can be a user, computer, device, or service. The Subject must contain an X.500 distinguished name (DN). A DN is a sequence of relative distinguished names (RDNs). The RDNs are separated by commas in the certificate.

AccessDescription

Provides access information used by the authorityInfoAccess and subjectInfoAccess extensions described in RFC 5280.

AccessMethod

Describes the type and format of extension access. Only one of CustomObjectIdentifier or AccessMethodType may be provided. Providing both results in InvalidArgsException.

AcmPcaClient
A client for the ACM-PCA API.
ApiPassthrough

Contains X.509 certificate information to be placed in an issued certificate. An APIPassthrough or APICSRPassthrough template variant must be selected, or else this parameter is ignored.

If conflicting or duplicate certificate information is supplied from other sources, ACM Private CA applies order of operation rules to determine what information is used.

CertificateAuthority

Contains information about your private certificate authority (CA). Your private CA can issue and revoke X.509 digital certificates. Digital certificates verify that the entity named in the certificate Subject field owns or controls the public key contained in the Subject Public Key Info field. Call the CreateCertificateAuthority action to create your private CA. You must then call the GetCertificateAuthorityCertificate action to retrieve a private CA certificate signing request (CSR). Sign the CSR with your ACM Private CA-hosted or on-premises root or subordinate CA certificate. Call the ImportCertificateAuthorityCertificate action to import the signed certificate into AWS Certificate Manager (ACM).

CertificateAuthorityConfiguration

Contains configuration information for your private certificate authority (CA). This includes information about the class of public key algorithm and the key pair that your private CA creates when it issues a certificate. It also includes the signature algorithm that it uses when issuing certificates, and its X.500 distinguished name. You must specify this information when you call the CreateCertificateAuthority action.

CreateCertificateAuthorityAuditReportRequest
CreateCertificateAuthorityAuditReportResponse
CreateCertificateAuthorityRequest
CreateCertificateAuthorityResponse
CreatePermissionRequest
CrlConfiguration

Contains configuration information for a certificate revocation list (CRL). Your private certificate authority (CA) creates base CRLs. Delta CRLs are not supported. You can enable CRLs for your new or an existing private CA by setting the Enabled parameter to true. Your private CA writes CRLs to an S3 bucket that you specify in the S3BucketName parameter. You can hide the name of your bucket by specifying a value for the CustomCname parameter. Your private CA copies the CNAME or the S3 bucket name to the CRL Distribution Points extension of each certificate it issues. Your S3 bucket policy must give write permission to ACM Private CA.

ACM Private CA assets that are stored in Amazon S3 can be protected with encryption. For more information, see Encrypting Your CRLs.

Your private CA uses the value in the ExpirationInDays parameter to calculate the nextUpdate field in the CRL. The CRL is refreshed when half of the time until nextUpdate has elapsed, or whenever a certificate is revoked. When a certificate is revoked, it is recorded in the next CRL that is generated and in the next audit report. Only certificates that are still within their validity period are listed in the CRL; expired certificates are not included.

CRLs contain the following fields:

  • Version: The current version number defined in RFC 5280 is V2. The integer value is 0x1.

  • Signature Algorithm: The name of the algorithm used to sign the CRL.

  • Issuer: The X.500 distinguished name of your private CA that issued the CRL.

  • Last Update: The issue date and time of this CRL.

  • Next Update: The day and time by which the next CRL will be issued.

  • Revoked Certificates: List of revoked certificates. Each list item contains the following information.

    • Serial Number: The serial number, in hexadecimal format, of the revoked certificate.

    • Revocation Date: Date and time the certificate was revoked.

    • CRL Entry Extensions: Optional extensions for the CRL entry.

      • X509v3 CRL Reason Code: Reason the certificate was revoked.

  • CRL Extensions: Optional extensions for the CRL.

    • X509v3 Authority Key Identifier: Identifies the public key associated with the private key used to sign the certificate.

    • X509v3 CRL Number: Decimal sequence number for the CRL.

  • Signature Algorithm: Algorithm used by your private CA to sign the CRL.

  • Signature Value: Signature computed over the CRL.

Certificate revocation lists created by ACM Private CA are DER-encoded. You can use the following OpenSSL command to list a CRL.

openssl crl -inform DER -text -in crl_path -noout

CsrExtensions

Describes the certificate extensions to be added to the certificate signing request (CSR).

DeleteCertificateAuthorityRequest
DeletePermissionRequest
DeletePolicyRequest
DescribeCertificateAuthorityAuditReportRequest
DescribeCertificateAuthorityAuditReportResponse
DescribeCertificateAuthorityRequest
DescribeCertificateAuthorityResponse
EdiPartyName

Describes an Electronic Data Interchange (EDI) entity as defined in Subject Alternative Name in RFC 5280.

ExtendedKeyUsage

Specifies additional purposes for which the certified public key may be used other than basic purposes indicated in the KeyUsage extension.

Extensions

Contains X.509 extension information for a certificate.

GeneralName

Describes an ASN.1 X.400 GeneralName as defined in RFC 5280. Only one of the following naming options should be provided. Providing more than one option results in an InvalidArgsException error.

GetCertificateAuthorityCertificateRequest
GetCertificateAuthorityCertificateResponse
GetCertificateAuthorityCsrRequest
GetCertificateAuthorityCsrResponse
GetCertificateRequest
GetCertificateResponse
GetPolicyRequest
GetPolicyResponse
ImportCertificateAuthorityCertificateRequest
IssueCertificateRequest
IssueCertificateResponse
KeyUsage

Defines one or more purposes for which the key contained in the certificate can be used. Default value for each option is false.

ListCertificateAuthoritiesRequest
ListCertificateAuthoritiesResponse
ListPermissionsRequest
ListPermissionsResponse
ListTagsRequest
ListTagsResponse
OtherName

Defines a custom ASN.1 X.400 GeneralName using an object identifier (OID) and value. The OID must satisfy the regular expression shown below. For more information, see NIST's definition of Object Identifier (OID).

Permission

Permissions designate which private CA actions can be performed by an AWS service or entity. In order for ACM to automatically renew private certificates, you must give the ACM service principal all available permissions (IssueCertificate, GetCertificate, and ListPermissions). Permissions can be assigned with the CreatePermission action, removed with the DeletePermission action, and listed with the ListPermissions action.

PolicyInformation

Defines the X.509 CertificatePolicies extension.

PolicyQualifierInfo

Modifies the CertPolicyId of a PolicyInformation object with a qualifier. ACM Private CA supports the certification practice statement (CPS) qualifier.

PutPolicyRequest
Qualifier

Defines a PolicyInformation qualifier. ACM Private CA supports the certification practice statement (CPS) qualifier defined in RFC 5280.

RestoreCertificateAuthorityRequest
RevocationConfiguration

Certificate revocation information used by the CreateCertificateAuthority and UpdateCertificateAuthority actions. Your private certificate authority (CA) can create and maintain a certificate revocation list (CRL). A CRL contains information about certificates revoked by your CA. For more information, see RevokeCertificate.

RevokeCertificateRequest
Tag

Tags are labels that you can use to identify and organize your private CAs. Each tag consists of a key and an optional value. You can associate up to 50 tags with a private CA. To add one or more tags to a private CA, call the TagCertificateAuthority action. To remove a tag, call the UntagCertificateAuthority action.

TagCertificateAuthorityRequest
UntagCertificateAuthorityRequest
UpdateCertificateAuthorityRequest
Validity

Validity specifies the period of time during which a certificate is valid. Validity can be expressed as an explicit date and time when the validity of a certificate starts or expires, or as a span of time after issuance, stated in days, months, or years. For more information, see Validity in RFC 5280.

The ACM Private CA API consumes the Validity data type in two distinct parameters of the IssueCertificate action. The required parameter IssueCertificate:Validity specifies the end of a certificate's validity period. The optional parameter IssueCertificate:ValidityNotBefore specifies a customized starting time for the validity period.

Enums

CreateCertificateAuthorityAuditReportError
Errors returned by CreateCertificateAuthorityAuditReport
CreateCertificateAuthorityError
Errors returned by CreateCertificateAuthority
CreatePermissionError
Errors returned by CreatePermission
DeleteCertificateAuthorityError
Errors returned by DeleteCertificateAuthority
DeletePermissionError
Errors returned by DeletePermission
DeletePolicyError
Errors returned by DeletePolicy
DescribeCertificateAuthorityAuditReportError
Errors returned by DescribeCertificateAuthorityAuditReport
DescribeCertificateAuthorityError
Errors returned by DescribeCertificateAuthority
GetCertificateAuthorityCertificateError
Errors returned by GetCertificateAuthorityCertificate
GetCertificateAuthorityCsrError
Errors returned by GetCertificateAuthorityCsr
GetCertificateError
Errors returned by GetCertificate
GetPolicyError
Errors returned by GetPolicy
ImportCertificateAuthorityCertificateError
Errors returned by ImportCertificateAuthorityCertificate
IssueCertificateError
Errors returned by IssueCertificate
ListCertificateAuthoritiesError
Errors returned by ListCertificateAuthorities
ListPermissionsError
Errors returned by ListPermissions
ListTagsError
Errors returned by ListTags
PutPolicyError
Errors returned by PutPolicy
RestoreCertificateAuthorityError
Errors returned by RestoreCertificateAuthority
RevokeCertificateError
Errors returned by RevokeCertificate
TagCertificateAuthorityError
Errors returned by TagCertificateAuthority
UntagCertificateAuthorityError
Errors returned by UntagCertificateAuthority
UpdateCertificateAuthorityError
Errors returned by UpdateCertificateAuthority

Traits

AcmPca
Trait representing the capabilities of the ACM-PCA API. ACM-PCA clients implement this trait.