AccessMethod accessMethod
The type and format of AccessDescription information.
GeneralName accessLocation
The location of AccessDescription information.
String customObjectIdentifier
An object identifier (OID) specifying the AccessMethod. The OID must satisfy the regular expression
shown below. For more information, see NIST's definition of Object Identifier (OID).
String accessMethodType
Specifies the AccessMethod.
Extensions extensions
Specifies X.509 extension information for a certificate.
ASN1Subject subject
String country
Two-digit code that specifies the country in which the certificate subject is located.
String organization
Legal name of the organization with which the certificate subject is affiliated.
String organizationalUnit
A subdivision or unit of the organization (such as sales or finance) with which the certificate subject is affiliated.
String distinguishedNameQualifier
Disambiguating information for the certificate subject.
String state
State in which the subject of the certificate is located.
String commonName
For CA and end-entity certificates in a private PKI, the common name (CN) can be any string within the length limit.
Note: In publicly trusted certificates, the common name must be a fully qualified domain name (FQDN) associated with the certificate subject.
String serialNumber
The certificate serial number.
String locality
The locality (such as a city or town) in which the certificate subject is located.
String title
A title such as Mr. or Ms., which is prepended to the name to refer formally to the certificate subject.
String surname
Family name. In the US and the UK, for example, the surname of an individual is ordered last. In Asian cultures the surname is typically ordered first.
String givenName
First name.
String initials
Concatenation that typically contains the first letter of the GivenName, the first letter of the middle name if one exists, and the first letter of the Surname.
String pseudonym
Typically a shortened version of a longer GivenName. For example, Jonathan is often shortened to John. Elizabeth is often shortened to Beth, Liz, or Eliza.
String generationQualifier
Typically a qualifier appended to the name of an individual. Examples include Jr. for junior, Sr. for senior, and III for third.
List<E> customAttributes
Contains a sequence of one or more X.500 relative distinguished names (RDNs), each of which consists of an object identifier (OID) and a value. For more information, see NIST’s definition of Object Identifier (OID).
Custom attributes cannot be used in combination with standard attributes.
String arn
Amazon Resource Name (ARN) for your private certificate authority (CA). The format is 12345678-1234-1234-1234-123456789012.
String ownerAccount
The Amazon Web Services account ID that owns the certificate authority.
Date createdAt
Date and time at which your private CA was created.
Date lastStateChangeAt
Date and time at which your private CA was last updated.
String type
Type of your private CA.
String serial
Serial number of your private CA.
String status
Status of your private CA.
Date notBefore
Date and time before which your private CA certificate is not valid.
Date notAfter
Date and time after which your private CA certificate is not valid.
String failureReason
Reason the request to create your private CA failed.
CertificateAuthorityConfiguration certificateAuthorityConfiguration
Your private CA configuration.
RevocationConfiguration revocationConfiguration
Information about the Online Certificate Status Protocol (OCSP) configuration or certificate revocation list (CRL) created and maintained by your private CA.
Date restorableUntil
The period during which a deleted CA can be restored. For more information, see the
PermanentDeletionTimeInDays parameter of the DeleteCertificateAuthorityRequest action.
String keyStorageSecurityStandard
Defines a cryptographic key management compliance standard used for handling CA keys.
Default: FIPS_140_2_LEVEL_3_OR_HIGHER
Note: Amazon Web Services Region ap-northeast-3 supports only FIPS_140_2_LEVEL_2_OR_HIGHER. You must explicitly
specify this parameter and value when creating a CA in that Region. Specifying a different value (or no value)
results in an InvalidArgsException with the message
"A certificate authority cannot be created in this region with the specified security standard."
String usageMode
Specifies whether the CA issues general-purpose certificates that typically require a revocation mechanism, or short-lived certificates that may optionally omit revocation because they expire quickly. Short-lived certificate validity is limited to seven days.
The default value is GENERAL_PURPOSE.
String keyAlgorithm
Type of the public key algorithm and size, in bits, of the key pair that your CA creates when it issues a certificate. When you create a subordinate CA, you must use a key algorithm supported by the parent CA.
String signingAlgorithm
Name of the algorithm your private CA uses to sign certificate requests.
This parameter should not be confused with the SigningAlgorithm parameter used to sign certificates
when they are issued.
ASN1Subject subject
Structure that contains X.500 distinguished name information for your private CA.
CsrExtensions csrExtensions
Specifies information to be added to the extension section of the certificate signing request (CSR).
String certificateAuthorityArn
The Amazon Resource Name (ARN) of the CA to be audited. This is of the form:
arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012.
String s3BucketName
The name of the S3 bucket that will contain the audit report.
String auditReportResponseFormat
The format in which to create the report. This can be either JSON or CSV.
CertificateAuthorityConfiguration certificateAuthorityConfiguration
Name and bit size of the private key algorithm, the name of the signing algorithm, and X.500 certificate subject information.
RevocationConfiguration revocationConfiguration
Contains information to enable Online Certificate Status Protocol (OCSP) support, to enable a certificate revocation list (CRL), to enable both, or to enable neither. The default is for both certificate validation mechanisms to be disabled.
The following requirements apply to revocation configurations.
A configuration disabling CRLs or OCSP must contain only the Enabled=False parameter, and will fail
if other parameters such as CustomCname or ExpirationInDays are included.
In a CRL configuration, the S3BucketName parameter must conform to Amazon S3 bucket naming
rules.
A configuration containing a custom Canonical Name (CNAME) parameter for CRLs or OCSP must conform to RFC2396 restrictions on the use of special characters in a CNAME.
In a CRL or OCSP configuration, the value of a CNAME parameter must not include a protocol prefix such as "http://" or "https://".
For more information, see the OcspConfiguration and CrlConfiguration types.
String certificateAuthorityType
The type of the certificate authority.
String idempotencyToken
Custom string that can be used to distinguish between calls to the CreateCertificateAuthority action. Idempotency tokens for CreateCertificateAuthority time out after five minutes. Therefore, if you call CreateCertificateAuthority multiple times with the same idempotency token within five minutes, Amazon Web Services Private CA recognizes that you are requesting only one certificate authority and will issue only one. If you change the idempotency token for each call, Amazon Web Services Private CA recognizes that you are requesting multiple certificate authorities.
String keyStorageSecurityStandard
Specifies a cryptographic key management compliance standard used for handling CA keys.
Default: FIPS_140_2_LEVEL_3_OR_HIGHER
Some Amazon Web Services Regions do not support the default. When creating a CA in these Regions, you must
provide FIPS_140_2_LEVEL_2_OR_HIGHER as the argument for KeyStorageSecurityStandard.
Failure to do this results in an InvalidArgsException with the message,
"A certificate authority cannot be created in this region with the specified security standard."
For information about security standard support in various Regions, see Storage and security compliance of Amazon Web Services Private CA private keys.
List<E> tags
Key-value pairs that will be attached to the new private CA. You can associate up to 50 tags with a private CA. For information using tags with IAM to manage permissions, see Controlling Access Using IAM Tags.
String usageMode
Specifies whether the CA issues general-purpose certificates that typically require a revocation mechanism, or short-lived certificates that may optionally omit revocation because they expire quickly. Short-lived certificate validity is limited to seven days.
The default value is GENERAL_PURPOSE.
String certificateAuthorityArn
If successful, the Amazon Resource Name (ARN) of the certificate authority (CA). This is of the form:
arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012.
String certificateAuthorityArn
The Amazon Resource Name (ARN) of the CA that grants the permissions. You can find the ARN by calling the ListCertificateAuthorities action. This must have the following form:
arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012.
String principal
The Amazon Web Services service or identity that receives the permission. At this time, the only valid principal
is acm.amazonaws.com.
String sourceAccount
The ID of the calling account.
List<E> actions
The actions that the specified Amazon Web Services service principal can use. These include
IssueCertificate, GetCertificate, and ListPermissions.
Boolean enabled
Boolean value that specifies whether certificate revocation lists (CRLs) are enabled. You can use this value to enable certificate revocation for a new CA when you call the CreateCertificateAuthority action or for an existing CA when you call the UpdateCertificateAuthority action.
Integer expirationInDays
Validity period of the CRL in days.
String customCname
Name inserted into the certificate CRL Distribution Points extension that enables the use of an alias for the CRL distribution point. Use this value if you don't want the name of your S3 bucket to be public.
The content of a Canonical Name (CNAME) record must conform to RFC2396 restrictions on the use of special characters in URIs. Additionally, the value of the CNAME must not include a protocol prefix such as "http://" or "https://".
String s3BucketName
Name of the S3 bucket that contains the CRL. If you do not provide a value for the CustomCname argument, the name of your S3 bucket is placed into the CRL Distribution Points extension of the issued certificate. You can change the name of your bucket by calling the UpdateCertificateAuthority operation. You must specify a bucket policy that allows Amazon Web Services Private CA to write the CRL to your bucket.
The S3BucketName parameter must conform to the S3 bucket naming rules.
String s3ObjectAcl
Determines whether the CRL will be publicly readable or privately held in the CRL Amazon S3 bucket. If you choose PUBLIC_READ, the CRL will be accessible over the public internet. If you choose BUCKET_OWNER_FULL_CONTROL, only the owner of the CRL S3 bucket can access the CRL, and your PKI clients may need an alternative method of access.
If no value is specified, the default is PUBLIC_READ.
Note: This default can cause CA creation to fail in some circumstances. If you have enabled the Block
Public Access (BPA) feature in your S3 account, then you must specify the value of this parameter as
BUCKET_OWNER_FULL_CONTROL, and not doing so results in an error. If you have disabled BPA in S3,
then you can specify either BUCKET_OWNER_FULL_CONTROL or PUBLIC_READ as the value.
For more information, see Blocking public access to the S3 bucket.
KeyUsage keyUsage
Indicates the purpose of the certificate and of the key contained in the certificate.
List<E> subjectInformationAccess
For CA certificates, provides a path to additional information pertaining to the CA, such as revocation and policy. For more information, see Subject Information Access in RFC 5280.
String objectIdentifier
Specifies the object identifier (OID) of the X.509 extension. For more information, see the Global OID reference database.
String value
Specifies the base64-encoded value of the X.509 extension.
Boolean critical
Specifies the critical flag of the X.509 extension.
String certificateAuthorityArn
The Amazon Resource Name (ARN) that was returned when you called CreateCertificateAuthority. This must have the following form:
arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012.
Integer permanentDeletionTimeInDays
The number of days to make a CA restorable after it has been deleted. This can be anywhere from 7 to 30 days, with 30 being the default.
String certificateAuthorityArn
The Amazon Resource Number (ARN) of the private CA that issued the permissions. You can find the CA's ARN by calling the ListCertificateAuthorities action. This must have the following form:
arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012
.
String principal
The Amazon Web Services service or identity that will have its CA permissions revoked. At this time, the only
valid service principal is acm.amazonaws.com.
String sourceAccount
The Amazon Web Services account that calls this action.
String resourceArn
The Amazon Resource Number (ARN) of the private CA that will have its policy deleted. You can find the CA's ARN
by calling the ListCertificateAuthorities action. The ARN value must have the form
arn:aws:acm-pca:region:account:certificate-authority/01234567-89ab-cdef-0123-0123456789ab.
String certificateAuthorityArn
The Amazon Resource Name (ARN) of the private CA. This must be of the form:
arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012.
String auditReportId
The report ID returned by calling the CreateCertificateAuthorityAuditReport action.
String auditReportStatus
Specifies whether report creation is in progress, has succeeded, or has failed.
String s3BucketName
Name of the S3 bucket that contains the report.
String s3Key
S3 key that uniquely identifies the report file in your S3 bucket.
Date createdAt
The date and time at which the report was created.
String certificateAuthorityArn
The Amazon Resource Name (ARN) that was returned when you called CreateCertificateAuthority. This must be of the form:
arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012.
CertificateAuthority certificateAuthority
A CertificateAuthority structure that contains information about your private CA.
List<E> certificatePolicies
Contains a sequence of one or more policy information terms, each of which consists of an object identifier (OID) and optional qualifiers. For more information, see NIST's definition of Object Identifier (OID).
In an end-entity certificate, these terms indicate the policy under which the certificate was issued and the purposes for which it may be used. In a CA certificate, these terms limit the set of policies for certification paths that include this certificate.
List<E> extendedKeyUsage
Specifies additional purposes for which the certified public key may be used other than basic purposes indicated
in the KeyUsage extension.
KeyUsage keyUsage
List<E> subjectAlternativeNames
The subject alternative name extension allows identities to be bound to the subject of the certificate. These identities may be included in addition to or in place of the identity in the subject field of the certificate.
List<E> customExtensions
Contains a sequence of one or more X.509 extensions, each of which consists of an object identifier (OID), a base64-encoded value, and the critical flag. For more information, see the Global OID reference database.
OtherName otherName
Represents GeneralName using an OtherName object.
String rfc822Name
Represents GeneralName as an RFC 822 email address.
String dnsName
Represents GeneralName as a DNS name.
ASN1Subject directoryName
EdiPartyName ediPartyName
Represents GeneralName as an EdiPartyName object.
String uniformResourceIdentifier
Represents GeneralName as a URI.
String ipAddress
Represents GeneralName as an IPv4 or IPv6 address.
String registeredId
Represents GeneralName as an object identifier (OID).
String certificateAuthorityArn
The Amazon Resource Name (ARN) of your private CA. This is of the form:
arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012.
String certificate
Base64-encoded certificate authority (CA) certificate.
String certificateChain
Base64-encoded certificate chain that includes any intermediate certificates and chains up to root certificate that you used to sign your private CA certificate. The chain does not include your private CA certificate. If this is a root CA, the value will be null.
String certificateAuthorityArn
The Amazon Resource Name (ARN) that was returned when you called the CreateCertificateAuthority action. This must be of the form:
arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012
String csr
The base64 PEM-encoded certificate signing request (CSR) for your private CA certificate.
String certificateAuthorityArn
The Amazon Resource Name (ARN) that was returned when you called CreateCertificateAuthority. This must be of the form:
arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012.
String certificateArn
The ARN of the issued certificate. The ARN contains the certificate serial number and must be in the following form:
arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012/certificate/286535153982981100925020015808220737245
String resourceArn
The Amazon Resource Number (ARN) of the private CA that will have its policy retrieved. You can find the CA's ARN by calling the ListCertificateAuthorities action.
String policy
The policy attached to the private CA as a JSON document.
String certificateAuthorityArn
The Amazon Resource Name (ARN) that was returned when you called CreateCertificateAuthority. This must be of the form:
arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012
ByteBuffer certificate
The PEM-encoded certificate for a private CA. This may be a self-signed certificate in the case of a root CA, or it may be signed by another CA that you control.
ByteBuffer certificateChain
A PEM-encoded file that contains all of your certificates, other than the certificate you're importing, chaining up to your root CA. Your Amazon Web Services Private CA-hosted or on-premises root certificate is the last in the chain, and each certificate in the chain signs the one preceding.
This parameter must be supplied when you import a subordinate CA. When you import a root CA, there is no chain.
ApiPassthrough apiPassthrough
Specifies X.509 certificate information to be included in the issued certificate. An APIPassthrough or APICSRPassthrough template variant must be selected, or else this parameter is ignored. For more information about using these templates, see Understanding Certificate Templates.
If conflicting or duplicate certificate information is supplied during certificate issuance, Amazon Web Services Private CA applies order of operation rules to determine what information is used.
String certificateAuthorityArn
The Amazon Resource Name (ARN) that was returned when you called CreateCertificateAuthority. This must be of the form:
arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012
ByteBuffer csr
The certificate signing request (CSR) for the certificate you want to issue. As an example, you can use the following OpenSSL command to create the CSR and a 2048 bit RSA private key.
openssl req -new -newkey rsa:2048 -days 365 -keyout private/test_cert_priv_key.pem -out csr/test_cert_.csr
If you have a configuration file, you can then use the following OpenSSL command. The usr_cert block
in the configuration file contains your X509 version 3 extensions.
openssl req -new -config openssl_rsa.cnf -extensions usr_cert -newkey rsa:2048 -days 365 -keyout private/test_cert_priv_key.pem -out csr/test_cert_.csr
Note: A CSR must provide either a subject name or a subject alternative name or the request will be rejected.
String signingAlgorithm
The name of the algorithm that will be used to sign the certificate to be issued.
This parameter should not be confused with the SigningAlgorithm parameter used to sign a CSR in the
CreateCertificateAuthority action.
The specified signing algorithm family (RSA or ECDSA) must match the algorithm family of the CA's secret key.
String templateArn
Specifies a custom configuration template to use when issuing a certificate. If this parameter is not provided,
Amazon Web Services Private CA defaults to the EndEntityCertificate/V1 template. For CA
certificates, you should choose the shortest path length that meets your needs. The path length is indicated by
the PathLenN portion of the ARN, where N is the CA depth.
Note: The CA depth configured on a subordinate CA certificate must not exceed the limit set by its parents in the CA hierarchy.
For a list of TemplateArn values supported by Amazon Web Services Private CA, see Understanding Certificate Templates.
Validity validity
Information describing the end of the validity period of the certificate. This parameter sets the “Not After” date for the certificate.
Certificate validity is the period of time during which a certificate is valid. Validity can be expressed as an explicit date and time when the certificate expires, or as a span of time after issuance, stated in days, months, or years. For more information, see Validity in RFC 5280.
This value is unaffected when ValidityNotBefore is also specified. For example, if
Validity is set to 20 days in the future, the certificate will expire 20 days from issuance time
regardless of the ValidityNotBefore value.
The end of the validity period configured on a certificate must not exceed the limit set on its parents in the CA hierarchy.
Validity validityNotBefore
Information describing the start of the validity period of the certificate. This parameter sets the "Not Before" date for the certificate.
By default, when issuing a certificate, Amazon Web Services Private CA sets the "Not Before" date to the issuance
time minus 60 minutes. This compensates for clock inconsistencies across computer systems. The
ValidityNotBefore parameter can be used to customize the “Not Before” value.
Unlike the Validity parameter, the ValidityNotBefore parameter is optional.
The ValidityNotBefore value is expressed as an explicit date and time, using the
Validity type value ABSOLUTE. For more information, see Validity in this API
reference and Validity in RFC 5280.
String idempotencyToken
Alphanumeric string that can be used to distinguish between calls to the IssueCertificate action. Idempotency tokens for IssueCertificate time out after five minutes. Therefore, if you call IssueCertificate multiple times with the same idempotency token within five minutes, Amazon Web Services Private CA recognizes that you are requesting only one certificate and will issue only one. If you change the idempotency token for each call, Amazon Web Services Private CA recognizes that you are requesting multiple certificates.
String certificateArn
The Amazon Resource Name (ARN) of the issued certificate and the certificate serial number. This is of the form:
arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012/certificate/286535153982981100925020015808220737245
Boolean digitalSignature
Key can be used for digital signing.
Boolean nonRepudiation
Key can be used for non-repudiation.
Boolean keyEncipherment
Key can be used to encipher data.
Boolean dataEncipherment
Key can be used to decipher data.
Boolean keyAgreement
Key can be used in a key-agreement protocol.
Boolean keyCertSign
Key can be used to sign certificates.
Boolean cRLSign
Key can be used to sign CRLs.
Boolean encipherOnly
Key can be used only to encipher data.
Boolean decipherOnly
Key can be used only to decipher data.
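The nine booleans above are the fields of the KeyUsage structure; on the wire they become a single DER BIT STRING whose bit positions are fixed by RFC 5280 (digitalSignature is bit 0, decipherOnly is bit 8). The following encoder/decoder is an added example, not AWS SDK code: it shows the bit layout, the DER rule that trailing zero bits are trimmed (so the familiar `03 02 05 a0` for digitalSignature+keyEncipherment and `03 02 01 06` for keyCertSign+cRLSign), and a role check a defender would run on issued certificates. The `is_sane_for_role` rules are this example's own, drawn from RFC 5280 rather than from this page.

```python
"""Encode/decode the X.509 KeyUsage extension as a DER BIT STRING.

Added example, not AWS code. Field names follow the KeyUsage structure above;
bit positions follow RFC 5280 section 4.2.1.3.
"""

KEY_USAGE_BITS = (
    "digitalSignature",   # bit 0
    "nonRepudiation",     # bit 1 (RFC 5280 also calls this contentCommitment)
    "keyEncipherment",    # bit 2
    "dataEncipherment",   # bit 3
    "keyAgreement",       # bit 4
    "keyCertSign",        # bit 5
    "cRLSign",            # bit 6
    "encipherOnly",       # bit 7
    "decipherOnly",       # bit 8
)


def encode_key_usage(**flags: bool) -> bytes:
    """Return the DER encoding (tag 0x03) of a KeyUsage BIT STRING.
    Unknown flag names are rejected so a typo cannot silently drop a restriction."""
    unknown = set(flags) - set(KEY_USAGE_BITS)
    if unknown:
        raise ValueError(f"unknown KeyUsage flag(s): {sorted(unknown)}")
    set_bits = [i for i, name in enumerate(KEY_USAGE_BITS) if flags.get(name)]
    if not set_bits:
        # Empty BIT STRING: one content octet (0 unused bits) and no data.
        return bytes([0x03, 0x01, 0x00])
    highest = max(set_bits)
    nbytes = highest // 8 + 1
    unused = nbytes * 8 - (highest + 1)          # trailing zero bits DER must not carry
    value = 0
    for bit in set_bits:
        value |= 1 << (nbytes * 8 - 1 - bit)     # bit 0 is the most significant bit
    body = bytes([unused]) + value.to_bytes(nbytes, "big")
    return bytes([0x03, len(body)]) + body


def decode_key_usage(der: bytes) -> dict:
    """Parse a short-form DER KeyUsage BIT STRING back into {name: bool} for all nine flags.
    Bits beyond the encoded length are reported as False, as RFC 5280 intends."""
    if len(der) < 3 or der[0] != 0x03 or der[1] != len(der) - 2:
        raise ValueError("not a well-formed short-form DER BIT STRING")
    unused, data = der[2], der[3:]
    if unused > 7 or (not data and unused != 0):
        raise ValueError("invalid unused-bits octet")
    if data and unused and data[-1] & ((1 << unused) - 1):
        raise ValueError("unused bits must be zero (DER)")
    total_bits = len(data) * 8 - unused
    flags = {}
    for i, name in enumerate(KEY_USAGE_BITS):
        in_range = i < total_bits
        flags[name] = bool(in_range and data[i // 8] & (0x80 >> (i % 8)))
    return flags


def is_sane_for_role(flags: dict, is_ca: bool) -> bool:
    """Defensive check: a CA key should assert keyCertSign and an end-entity key must not;
    encipherOnly/decipherOnly without keyAgreement is undefined per RFC 5280."""
    if bool(flags.get("keyCertSign")) != is_ca:
        return False
    if (flags.get("encipherOnly") or flags.get("decipherOnly")) and not flags.get("keyAgreement"):
        return False
    return True


if __name__ == "__main__":
    der = encode_key_usage(keyCertSign=True, cRLSign=True)
    print(der.hex(), decode_key_usage(der), is_sane_for_role(decode_key_usage(der), is_ca=True))
```

The decoder deliberately treats bits past the encoded length as unset rather than erroring, which is how a relying party must read a KeyUsage that was encoded with only the first few bits present.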
String nextToken
Use this parameter when paginating results in a subsequent request after you receive a response with truncated
results. Set it to the value of the NextToken parameter from the response you just received.
Integer maxResults
Use this parameter when paginating results to specify the maximum number of items to return in the response on
each page. If additional items exist beyond the number you specify, the NextToken element is sent in
the response. Use this NextToken value in a subsequent request to retrieve additional items.
String resourceOwner
Use this parameter to filter the returned set of certificate authorities based on their owner. The default is SELF.
String certificateAuthorityArn
The Amazon Resource Number (ARN) of the private CA to inspect. You can find the ARN by calling the ListCertificateAuthorities action. This must be of the form:
arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012
String nextToken
When paginating results, use this parameter in a subsequent request after you receive a response with truncated results. Set it to the value of NextToken from the response you just received.
Integer maxResults
When paginating results, use this parameter to specify the maximum number of items to return in the response. If additional items exist beyond the number you specify, the NextToken element is sent in the response. Use this NextToken value in a subsequent request to retrieve additional items.
List<E> permissions
Summary information about each permission assigned by the specified private CA, including the action enabled, the policy provided, and the time of creation.
String nextToken
When the list is truncated, this value is present and should be used for the NextToken parameter in a subsequent pagination request.
String certificateAuthorityArn
The Amazon Resource Name (ARN) that was returned when you called the CreateCertificateAuthority action. This must be of the form:
arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012
String nextToken
Use this parameter when paginating results in a subsequent request after you receive a response with truncated results. Set it to the value of NextToken from the response you just received.
Integer maxResults
Use this parameter when paginating results to specify the maximum number of items to return in the response. If additional items exist beyond the number you specify, the NextToken element is sent in the response. Use this NextToken value in a subsequent request to retrieve additional items.
Boolean enabled
Flag enabling use of the Online Certificate Status Protocol (OCSP) for validating certificate revocation status.
String ocspCustomCname
By default, Amazon Web Services Private CA injects an Amazon Web Services domain into certificates being validated by the Online Certificate Status Protocol (OCSP). A customer can alternatively use this object to define a CNAME specifying a customized OCSP domain.
The content of a Canonical Name (CNAME) record must conform to RFC2396 restrictions on the use of special characters in URIs. Additionally, the value of the CNAME must not include a protocol prefix such as "http://" or "https://".
For more information, see Customizing Online Certificate Status Protocol (OCSP) in the Amazon Web Services Private Certificate Authority User Guide.
String certificateAuthorityArn
The Amazon Resource Number (ARN) of the private CA from which the permission was issued.
Date createdAt
The time at which the permission was created.
String principal
The Amazon Web Services service or entity that holds the permission. At this time, the only valid principal is
acm.amazonaws.com.
String sourceAccount
The ID of the account that assigned the permission.
List<E> actions
The private CA actions that can be performed by the designated Amazon Web Services service.
String policy
The name of the policy that is associated with the permission.
String certPolicyId
Specifies the object identifier (OID) of the certificate policy under which the certificate was issued. For more information, see NIST's definition of Object Identifier (OID).
List<E> policyQualifiers
Modifies the given CertPolicyId with a qualifier. Amazon Web Services Private CA supports the
certification practice statement (CPS) qualifier.
String resourceArn
The Amazon Resource Number (ARN) of the private CA to associate with the policy. The ARN of the CA can be found by calling the ListCertificateAuthorities action.
String policy
The path and file name of a JSON-formatted IAM policy to attach to the specified private CA resource. If this
policy does not contain all required statements or if it includes any statement that is not allowed, the
PutPolicy action returns an InvalidPolicyException. For information about IAM policy
and statement structure, see Overview of
JSON Policies.
String cpsUri
Contains a pointer to a certification practice statement (CPS) published by the CA.
String certificateAuthorityArn
The Amazon Resource Name (ARN) that was returned when you called the CreateCertificateAuthority action. This must be of the form:
arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012
CrlConfiguration crlConfiguration
Configuration of the certificate revocation list (CRL), if any, maintained by your private CA. A CRL is typically updated approximately 30 minutes after a certificate is revoked. If for any reason a CRL update fails, Amazon Web Services Private CA makes further attempts every 15 minutes.
OcspConfiguration ocspConfiguration
Configuration of Online Certificate Status Protocol (OCSP) support, if any, maintained by your private CA. When you revoke a certificate, OCSP responses may take up to 60 minutes to reflect the new status.
String certificateAuthorityArn
Amazon Resource Name (ARN) of the private CA that issued the certificate to be revoked. This must be of the form:
arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012
String certificateSerial
Serial number of the certificate to be revoked. This must be in hexadecimal format. You can retrieve the serial number by calling GetCertificate with the Amazon Resource Name (ARN) of the certificate you want and the ARN of your private CA. The GetCertificate action retrieves the certificate in the PEM format. You can use the following OpenSSL command to list the certificate in text format and copy the hexadecimal serial number.
openssl x509 -in file_path -text -noout
You can also copy the serial number from the console or use the DescribeCertificate action in the Certificate Manager API Reference.
String revocationReason
Specifies why you revoked the certificate.
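RevokeCertificate takes the serial in hexadecimal, while the certificate ARN returned by IssueCertificate (see the `/certificate/286535153982981100925020015808220737245` form above) carries the same serial in decimal, and `openssl x509 -text -noout` prints large serials as colon-separated hex pairs. The helpers below, an added example and not AWS SDK code, parse the two ARN shapes quoted in this reference, normalise whichever serial form you have, and cross-check that the certificate ARN really belongs to the CA ARN before a revocation request is assembled. The region, account and `KEY_COMPROMISE` reason in the usage are constructed sample values; the decimal-versus-hex observation and the OpenSSL output forms are stated from experience, not from this page.

```python
"""Identify AWS Private CA ARNs and normalise certificate serials for RevokeCertificate.

Added example, not AWS SDK code. ARN shapes follow the forms quoted in this reference;
the account and region used in the demo are constructed placeholders.
"""
import re

_ARN = re.compile(
    r"^arn:(?P<partition>aws[a-z-]*):acm-pca:(?P<region>[a-z0-9-]+):(?P<account>\d{12})"
    r":certificate-authority/(?P<ca_id>[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})"
    r"(?:/certificate/(?P<serial>\d+))?$"
)


def parse_private_ca_arn(arn: str) -> dict:
    """Split a CA or certificate ARN into its parts; anything else raises so a
    mistyped ARN fails locally instead of in an API call."""
    m = _ARN.match(arn)
    if not m:
        raise ValueError(f"not an AWS Private CA ARN: {arn!r}")
    parts = m.groupdict()
    parts["kind"] = "certificate" if parts["serial"] else "certificate-authority"
    return parts


def serial_decimal_to_hex(decimal_serial: str) -> str:
    """Certificate ARNs carry the serial in decimal; CertificateSerial wants hexadecimal."""
    return format(int(decimal_serial), "x")


def normalize_openssl_serial(text: str) -> str:
    """Accept the forms `openssl x509 -text -noout` prints ("d7:78:9a:..." for large
    values, "4660 (0x1234)" for small ones) and return plain lowercase hex."""
    value = text.strip()
    paren = re.search(r"\(0x([0-9a-fA-F]+)\)", value)
    if paren:
        return paren.group(1).lower()
    value = value.replace(":", "").replace(" ", "").lower()
    if value.startswith("0x"):
        value = value[2:]
    if not re.fullmatch(r"[0-9a-f]+", value):
        raise ValueError(f"not a hexadecimal serial: {text!r}")
    return value


def revoke_request(ca_arn: str, certificate_arn: str, reason: str) -> dict:
    """Build the RevokeCertificate parameter set from the two ARNs, refusing to pair a
    certificate with a CA (region, account, CA id) that did not issue it."""
    ca = parse_private_ca_arn(ca_arn)
    cert = parse_private_ca_arn(certificate_arn)
    if ca["kind"] != "certificate-authority" or cert["kind"] != "certificate":
        raise ValueError("expected a CA ARN and a certificate ARN, in that order")
    if (ca["region"], ca["account"], ca["ca_id"]) != (cert["region"], cert["account"], cert["ca_id"]):
        raise ValueError("certificate was not issued by this CA")
    return {
        "CertificateAuthorityArn": ca_arn,
        "CertificateSerial": serial_decimal_to_hex(cert["serial"]),
        "RevocationReason": reason,
    }


if __name__ == "__main__":
    # Constructed sample ARNs: region and account are placeholders.
    ca_arn = "arn:aws:acm-pca:us-east-1:123456789012:certificate-authority/12345678-1234-1234-1234-123456789012"
    cert_arn = ca_arn + "/certificate/286535153982981100925020015808220737245"
    print(revoke_request(ca_arn, cert_arn, "KEY_COMPROMISE"))
```

The dict returned by `revoke_request` has exactly the three parameter names of the RevokeCertificate request above, so it can be passed straight to an SDK call once you have confirmed the serial matches what `openssl x509` shows for the certificate you mean to revoke.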
String certificateAuthorityArn
The Amazon Resource Name (ARN) that was returned when you called CreateCertificateAuthority. This must be of the form:
arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012
List<E> tags
List of tags to be associated with the CA.
String certificateAuthorityArn
The Amazon Resource Name (ARN) that was returned when you called CreateCertificateAuthority. This must be of the form:
arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012
List<E> tags
List of tags to be removed from the CA.
String certificateAuthorityArn
Amazon Resource Name (ARN) of the private CA that issued the certificate to be revoked. This must be of the form:
arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012
RevocationConfiguration revocationConfiguration
Contains information to enable Online Certificate Status Protocol (OCSP) support, to enable a certificate revocation list (CRL), to enable both, or to enable neither. If this parameter is not supplied, existing capabilities remain unchanged. For more information, see the OcspConfiguration and CrlConfiguration types.
The following requirements apply to revocation configurations.
A configuration disabling CRLs or OCSP must contain only the Enabled=False parameter, and will fail
if other parameters such as CustomCname or ExpirationInDays are included.
In a CRL configuration, the S3BucketName parameter must conform to Amazon S3 bucket naming
rules.
A configuration containing a custom Canonical Name (CNAME) parameter for CRLs or OCSP must conform to RFC2396 restrictions on the use of special characters in a CNAME.
In a CRL or OCSP configuration, the value of a CNAME parameter must not include a protocol prefix such as "http://" or "https://".
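The four requirements listed here and under the CreateCertificateAuthority RevocationConfiguration above are easy to check before the request is sent, which turns an InvalidArgsException round-trip into a local error. The validator below is an added example, not AWS SDK code; it uses the CrlConfiguration/OcspConfiguration key names from this reference and also folds in the S3ObjectAcl/Block Public Access note from CrlConfiguration. Reading the RFC 2396 restriction as "the CNAME is a hostname of letters, digits, hyphens and dots", the S3 bucket naming rules encoded in `_BUCKET`, and the positive-integer check on ExpirationInDays are this example's assumptions, not statements from the page.

```python
"""Pre-flight validation of an AWS Private CA RevocationConfiguration.

Added example, not AWS SDK code. Key names mirror CrlConfiguration and
OcspConfiguration; the hostname and bucket-name rules are assumptions.
"""
import re

# Assumption: a CNAME target is a hostname. Each label is letters, digits and
# hyphens (no leading/trailing hyphen), labels are joined by dots.
_LABEL = r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
_HOSTNAME = re.compile(rf"^(?:{_LABEL}\.)*{_LABEL}\.?$")

# Assumption: general-purpose S3 bucket naming rules: 3-63 characters, lowercase
# letters, digits, dots and hyphens, starting and ending with a letter or digit,
# no consecutive dots, and not shaped like an IPv4 address.
_BUCKET = re.compile(r"^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")
_IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

_ACLS = {"PUBLIC_READ", "BUCKET_OWNER_FULL_CONTROL"}


def check_cname(value: str, what: str, problems: list) -> None:
    """A CNAME must carry no scheme prefix and only hostname characters."""
    if "://" in value.lower():
        problems.append(f"{what}: must not include a protocol prefix such as http:// or https://")
        return
    if not _HOSTNAME.match(value):
        problems.append(f"{what}: contains characters not allowed by RFC 2396 in a host name")


def check_bucket(name: str, problems: list) -> None:
    if not _BUCKET.match(name) or ".." in name or _IPV4.match(name):
        problems.append("S3BucketName: does not conform to S3 bucket naming rules")


def validate_revocation_configuration(config: dict, bucket_blocks_public_access: bool = False) -> list:
    """Return a list of problems; an empty list means the configuration is acceptable.
    bucket_blocks_public_access says whether S3 Block Public Access is on for the CRL bucket."""
    problems = []
    for section in ("CrlConfiguration", "OcspConfiguration"):
        sub = config.get(section)
        if sub is None:
            continue
        if "Enabled" not in sub:
            problems.append(f"{section}: Enabled is required")
            continue
        if sub["Enabled"] is False:
            # A disabling configuration must contain nothing but Enabled=False.
            extra = sorted(k for k in sub if k != "Enabled")
            if extra:
                problems.append(f"{section}: a disabling configuration must contain only Enabled=False, found {extra}")
            continue
        if section == "CrlConfiguration":
            if "S3BucketName" in sub:
                check_bucket(sub["S3BucketName"], problems)
            if "CustomCname" in sub:
                check_cname(sub["CustomCname"], "CustomCname", problems)
            days = sub.get("ExpirationInDays")
            if days is not None and (not isinstance(days, int) or days < 1):
                problems.append("ExpirationInDays: must be a positive integer")
            acl = sub.get("S3ObjectAcl", "PUBLIC_READ")          # PUBLIC_READ is the documented default
            if acl not in _ACLS:
                problems.append(f"S3ObjectAcl: unknown value {acl!r}")
            elif bucket_blocks_public_access and acl != "BUCKET_OWNER_FULL_CONTROL":
                problems.append("S3ObjectAcl: bucket has Block Public Access enabled, so BUCKET_OWNER_FULL_CONTROL is required")
        else:
            if "OcspCustomCname" in sub:
                check_cname(sub["OcspCustomCname"], "OcspCustomCname", problems)
    return problems


if __name__ == "__main__":
    # Constructed sample configuration.
    sample = {
        "CrlConfiguration": {"Enabled": True, "ExpirationInDays": 7, "S3BucketName": "my-crl-bucket",
                             "CustomCname": "crl.example.com", "S3ObjectAcl": "BUCKET_OWNER_FULL_CONTROL"},
        "OcspConfiguration": {"Enabled": True, "OcspCustomCname": "https://ocsp.example.com"},
    }
    for problem in validate_revocation_configuration(sample, bucket_blocks_public_access=True):
        print(problem)
```

Because the default ACL is PUBLIC_READ, the `bucket_blocks_public_access` flag is the check most worth wiring into deployment tooling: a CRL bucket with Block Public Access on and an unset S3ObjectAcl is exactly the combination the CrlConfiguration note says makes CA creation fail.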
String status
Status of your private CA.
Long value
A long integer interpreted according to the value of Type, below.
String type
Determines how Amazon Web Services Private CA interprets the Value parameter, an integer.
Supported validity types include those listed below. Type definitions with values include a sample input value
and the resulting output.
END_DATE: The specific date and time when the certificate will expire, expressed using UTCTime
(YYMMDDHHMMSS) or GeneralizedTime (YYYYMMDDHHMMSS) format. When UTCTime is used, if the year field (YY) is
greater than or equal to 50, the year is interpreted as 19YY. If the year field is less than 50, the year is
interpreted as 20YY.
Sample input value: 491231235959 (UTCTime format)
Output expiration date/time: 12/31/2049 23:59:59
ABSOLUTE: The specific date and time when the validity of a certificate will start or expire,
expressed in seconds since the Unix Epoch.
Sample input value: 2524608000
Output expiration date/time: 01/01/2050 00:00:00
DAYS, MONTHS, YEARS: The relative time from the moment of issuance until
the certificate will expire, expressed in days, months, or years.
Example for DAYS, issued on 10/12/2020 at 12:34:54 UTC:
Sample input value: 90
Output expiration date: 01/10/2020 12:34:54 UTC
The minimum validity duration for a certificate using relative time (DAYS) is one day. The minimum
validity for a certificate using absolute time (ABSOLUTE or END_DATE) is one second.
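The Validity rules above (UTCTime's two-digit year pivot at 50, ABSOLUTE as Unix seconds, DAYS/MONTHS/YEARS relative to issuance, and the one-day / one-second minimums) are worth holding in code so that the "Not After" date a request will produce can be reviewed before IssueCertificate is called. The interpreter below is an added example, not AWS SDK code. It reproduces the sample values in the table (491231235959 and 2524608000 both land at the end of 2049 / start of 2050; the DAYS sample issued on 12 October 2020 lands on 10 January of the following year). How relative MONTHS/YEARS behave at month ends (this code clamps to the last day of the target month) is an assumption, since the page does not say.

```python
"""Interpret an AWS Private CA Validity {Type, Value} pair into a UTC "Not After" instant.

Added example, not AWS SDK code. END_DATE, ABSOLUTE and DAYS follow the rules in
the Validity reference; month-end clamping for MONTHS/YEARS is an assumption.
"""
import calendar
from datetime import datetime, timedelta, timezone

SECOND = timedelta(seconds=1)
DAY = timedelta(days=1)
RELATIVE_TYPES = ("DAYS", "MONTHS", "YEARS")


def parse_end_date(value) -> datetime:
    """Decode END_DATE: 12 digits is UTCTime (YYMMDDHHMMSS), 14 digits is GeneralizedTime
    (YYYYMMDDHHMMSS). A UTCTime passed as an int may have lost a leading zero (years 2000-2009)."""
    text = str(value)
    if len(text) == 11:
        text = "0" + text
    if len(text) == 12:
        yy = int(text[:2])
        year = 1900 + yy if yy >= 50 else 2000 + yy      # UTCTime pivot: 50..99 -> 19YY, 00..49 -> 20YY
        text = f"{year:04d}{text[2:]}"
    elif len(text) != 14:
        raise ValueError(f"END_DATE value must be 12 or 14 digits, got {text!r}")
    return datetime.strptime(text, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def add_months(start: datetime, months: int) -> datetime:
    """Advance by calendar months, clamping the day to the target month's length (assumption)."""
    month_index = start.month - 1 + months
    year = start.year + month_index // 12
    month = month_index % 12 + 1
    day = min(start.day, calendar.monthrange(year, month)[1])
    return start.replace(year=year, month=month, day=day)


def validity_end(validity_type: str, value, issued_at: datetime) -> datetime:
    """Return the Not After instant for (Type, Value) given the issuance time, enforcing the
    documented minimums: one day for relative types, one second for ABSOLUTE and END_DATE."""
    if issued_at.tzinfo is None:
        raise ValueError("issued_at must be timezone-aware")
    if validity_type == "END_DATE":
        end = parse_end_date(value)
    elif validity_type == "ABSOLUTE":
        end = datetime.fromtimestamp(int(value), tz=timezone.utc)
    elif validity_type == "DAYS":
        end = issued_at + timedelta(days=int(value))
    elif validity_type == "MONTHS":
        end = add_months(issued_at, int(value))
    elif validity_type == "YEARS":
        end = add_months(issued_at, 12 * int(value))
    else:
        raise ValueError(f"unsupported validity type {validity_type!r}")

    minimum = DAY if validity_type in RELATIVE_TYPES else SECOND
    if end - issued_at < minimum:
        raise ValueError(f"{validity_type} validity ending {end.isoformat()} is below the minimum "
                         f"for an issuance at {issued_at.isoformat()}")
    return end


def fits_under_parent(end: datetime, parent_not_after: datetime) -> bool:
    """The end of a certificate's validity must not exceed its issuing CA's Not After."""
    return end <= parent_not_after


if __name__ == "__main__":
    issued = datetime(2020, 10, 12, 12, 34, 54, tzinfo=timezone.utc)
    for vtype, value in (("END_DATE", 491231235959), ("ABSOLUTE", 2524608000), ("DAYS", 90)):
        print(vtype, value, "->", validity_end(vtype, value, issued).isoformat())
```

`fits_under_parent` covers the separate rule stated under the Validity parameter of IssueCertificate: compare the computed end against the CA certificate's own notAfter before submitting, because the service rejects a leaf that would outlive its issuer.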
Copyright © 2023. All rights reserved.