awsacmpca

package
Published: Jan 12, 2022 License: Apache-2.0 Imports: 6 Imported by: 2

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func CfnCertificateAuthorityActivation_CFN_RESOURCE_TYPE_NAME

func CfnCertificateAuthorityActivation_CFN_RESOURCE_TYPE_NAME() *string

func CfnCertificateAuthorityActivation_IsCfnElement

func CfnCertificateAuthorityActivation_IsCfnElement(x interface{}) *bool

Returns `true` if a construct is a stack element (i.e. part of the synthesized cloudformation template).

Uses duck-typing instead of `instanceof` to allow stack elements from different versions of this library to be included in the same stack.

Returns: The construct as a stack element or undefined if it is not a stack element.

func CfnCertificateAuthorityActivation_IsCfnResource

func CfnCertificateAuthorityActivation_IsCfnResource(construct constructs.IConstruct) *bool

Check whether the given construct is a CfnResource.

func CfnCertificateAuthorityActivation_IsConstruct

func CfnCertificateAuthorityActivation_IsConstruct(x interface{}) *bool

Checks if `x` is a construct.

Returns: true if `x` is an object created from a class which extends `Construct`. Deprecated: use `x instanceof Construct` instead

func CfnCertificateAuthority_CFN_RESOURCE_TYPE_NAME

func CfnCertificateAuthority_CFN_RESOURCE_TYPE_NAME() *string

func CfnCertificateAuthority_IsCfnElement

func CfnCertificateAuthority_IsCfnElement(x interface{}) *bool

Returns `true` if a construct is a stack element (i.e. part of the synthesized cloudformation template).

Uses duck-typing instead of `instanceof` to allow stack elements from different versions of this library to be included in the same stack.

Returns: The construct as a stack element or undefined if it is not a stack element.

func CfnCertificateAuthority_IsCfnResource

func CfnCertificateAuthority_IsCfnResource(construct constructs.IConstruct) *bool

Check whether the given construct is a CfnResource.

func CfnCertificateAuthority_IsConstruct

func CfnCertificateAuthority_IsConstruct(x interface{}) *bool

Checks if `x` is a construct.

Returns: true if `x` is an object created from a class which extends `Construct`. Deprecated: use `x instanceof Construct` instead

func CfnCertificate_CFN_RESOURCE_TYPE_NAME

func CfnCertificate_CFN_RESOURCE_TYPE_NAME() *string

func CfnCertificate_IsCfnElement

func CfnCertificate_IsCfnElement(x interface{}) *bool

Returns `true` if a construct is a stack element (i.e. part of the synthesized cloudformation template).

Uses duck-typing instead of `instanceof` to allow stack elements from different versions of this library to be included in the same stack.

Returns: The construct as a stack element or undefined if it is not a stack element.

func CfnCertificate_IsCfnResource

func CfnCertificate_IsCfnResource(construct constructs.IConstruct) *bool

Check whether the given construct is a CfnResource.

func CfnCertificate_IsConstruct

func CfnCertificate_IsConstruct(x interface{}) *bool

Checks if `x` is a construct.

Returns: true if `x` is an object created from a class which extends `Construct`. Deprecated: use `x instanceof Construct` instead

func CfnPermission_CFN_RESOURCE_TYPE_NAME

func CfnPermission_CFN_RESOURCE_TYPE_NAME() *string

func CfnPermission_IsCfnElement

func CfnPermission_IsCfnElement(x interface{}) *bool

Returns `true` if a construct is a stack element (i.e. part of the synthesized cloudformation template).

Uses duck-typing instead of `instanceof` to allow stack elements from different versions of this library to be included in the same stack.

Returns: The construct as a stack element or undefined if it is not a stack element.

func CfnPermission_IsCfnResource

func CfnPermission_IsCfnResource(construct constructs.IConstruct) *bool

Check whether the given construct is a CfnResource.

func CfnPermission_IsConstruct

func CfnPermission_IsConstruct(x interface{}) *bool

Checks if `x` is a construct.

Returns: true if `x` is an object created from a class which extends `Construct`. Deprecated: use `x instanceof Construct` instead

func NewCfnCertificateAuthorityActivation_Override

func NewCfnCertificateAuthorityActivation_Override(c CfnCertificateAuthorityActivation, scope constructs.Construct, id *string, props *CfnCertificateAuthorityActivationProps)

Create a new `AWS::ACMPCA::CertificateAuthorityActivation`.

func NewCfnCertificateAuthority_Override

func NewCfnCertificateAuthority_Override(c CfnCertificateAuthority, scope constructs.Construct, id *string, props *CfnCertificateAuthorityProps)

Create a new `AWS::ACMPCA::CertificateAuthority`.

func NewCfnCertificate_Override

func NewCfnCertificate_Override(c CfnCertificate, scope constructs.Construct, id *string, props *CfnCertificateProps)

Create a new `AWS::ACMPCA::Certificate`.

func NewCfnPermission_Override

func NewCfnPermission_Override(c CfnPermission, scope constructs.Construct, id *string, props *CfnPermissionProps)

Create a new `AWS::ACMPCA::Permission`.

Types

type CertificateAuthority

// CertificateAuthority is declared with no methods in this version of the
// package; the page shows no behaviour attached to it.
type CertificateAuthority interface {
}

Defines a Certificate for ACMPCA.

TODO: EXAMPLE

type CfnCertificate

// CfnCertificate is the construct for the CloudFormation resource
// `AWS::ACMPCA::Certificate`, which issues a certificate from a private CA.
// The getter/setter pairs mirror the fields of CfnCertificateProps.
type CfnCertificate interface {
	awscdk.CfnResource
	awscdk.IInspectable
	// X.509 information to place in the issued certificate; only honoured when an
	// `APIPassthrough` or `APICSRPassthrough` template is selected.
	ApiPassthrough() interface{}
	SetApiPassthrough(val interface{})
	// NOTE(review): presumably the ARN of the issued certificate — confirm against the resource's return values.
	AttrArn() *string
	// NOTE(review): presumably the issued certificate body — confirm against the resource's return values.
	AttrCertificate() *string
	// ARN of the private CA that issues the certificate.
	CertificateAuthorityArn() *string
	SetCertificateAuthorityArn(val *string)
	// The certificate signing request (CSR) the certificate is issued for.
	CertificateSigningRequest() *string
	SetCertificateSigningRequest(val *string)
	CfnOptions() awscdk.ICfnResourceOptions
	CfnProperties() *map[string]interface{}
	CfnResourceType() *string
	CreationStack() *[]*string
	LogicalId() *string
	Node() constructs.Node
	Ref() *string
	// Algorithm used to sign the issued certificate. Its family (RSA or ECDSA)
	// must match the family of the CA's key; this is not the CA's own CSR signing algorithm.
	SigningAlgorithm() *string
	SetSigningAlgorithm(val *string)
	Stack() awscdk.Stack
	// Certificate template ARN; `EndEntityCertificate/V1` is used when unset.
	TemplateArn() *string
	SetTemplateArn(val *string)
	// (sic) — the method name is spelled this way in the binding.
	UpdatedProperites() *map[string]interface{}
	// Validity period of the certificate (required).
	Validity() interface{}
	SetValidity(val interface{})
	// Optional explicit "Not Before" value; when unset ACM Private CA backdates
	// it by 60 minutes to absorb clock skew between systems.
	ValidityNotBefore() interface{}
	SetValidityNotBefore(val interface{})
	// Generic CloudFormation resource operations, common to every Cfn* construct on this page.
	AddDeletionOverride(path *string)
	AddDependsOn(target awscdk.CfnResource)
	AddMetadata(key *string, value interface{})
	AddOverride(path *string, value interface{})
	AddPropertyDeletionOverride(propertyPath *string)
	AddPropertyOverride(propertyPath *string, value interface{})
	ApplyRemovalPolicy(policy awscdk.RemovalPolicy, options *awscdk.RemovalPolicyOptions)
	GetAtt(attributeName *string) awscdk.Reference
	GetMetadata(key *string) interface{}
	Inspect(inspector awscdk.TreeInspector)
	OverrideLogicalId(newLogicalId *string)
	RenderProperties(props *map[string]interface{}) *map[string]interface{}
	ShouldSynthesize() *bool
	ToString() *string
	ValidateProperties(_properties interface{})
}

A CloudFormation `AWS::ACMPCA::Certificate`.

The `AWS::ACMPCA::Certificate` resource is used to issue a certificate using your private certificate authority. For more information, see the [IssueCertificate](https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_IssueCertificate.html) action.

TODO: EXAMPLE

func NewCfnCertificate

func NewCfnCertificate(scope constructs.Construct, id *string, props *CfnCertificateProps) CfnCertificate

Create a new `AWS::ACMPCA::Certificate`.

type CfnCertificateAuthority

// CfnCertificateAuthority is the construct for the CloudFormation resource
// `AWS::ACMPCA::CertificateAuthority`, which creates a private CA. The CA must
// be disabled (by removing its CfnCertificateAuthorityActivation) before this
// resource can be removed from the stack. Getter/setter pairs mirror
// CfnCertificateAuthorityProps.
type CfnCertificateAuthority interface {
	awscdk.CfnResource
	awscdk.IInspectable
	// NOTE(review): presumably the ARN of the created CA — confirm against the resource's return values.
	AttrArn() *string
	// NOTE(review): presumably the CSR for the CA certificate, to be signed by this
	// CA (via CfnCertificate) or by an external CA — confirm against the resource's return values.
	AttrCertificateSigningRequest() *string
	CfnOptions() awscdk.ICfnResourceOptions
	CfnProperties() *map[string]interface{}
	CfnResourceType() *string
	CreationStack() *[]*string
	// Extensions added to the CA's certificate signing request.
	CsrExtensions() interface{}
	SetCsrExtensions(val interface{})
	// Public key algorithm and size used for keys of certificates this CA issues;
	// a subordinate CA must use an algorithm the parent CA supports.
	KeyAlgorithm() *string
	SetKeyAlgorithm(val *string)
	// Key-management compliance standard for the CA key; defaults to
	// FIPS_140_2_LEVEL_3_OR_HIGHER (ap-northeast-3 requires FIPS_140_2_LEVEL_2_OR_HIGHER).
	KeyStorageSecurityStandard() *string
	SetKeyStorageSecurityStandard(val *string)
	LogicalId() *string
	Node() constructs.Node
	Ref() *string
	// CRL and/or OCSP revocation settings maintained by the CA.
	RevocationConfiguration() interface{}
	SetRevocationConfiguration(val interface{})
	// Algorithm the CA uses to sign certificate requests; distinct from the
	// per-certificate SigningAlgorithm on CfnCertificate.
	SigningAlgorithm() *string
	SetSigningAlgorithm(val *string)
	Stack() awscdk.Stack
	// X.500 distinguished name of the CA.
	Subject() interface{}
	SetSubject(val interface{})
	Tags() awscdk.TagManager
	// Type of the private CA (see CfnCertificateAuthorityProps.Type).
	Type() *string
	SetType(val *string)
	// (sic) — the method name is spelled this way in the binding.
	UpdatedProperites() *map[string]interface{}
	// Generic CloudFormation resource operations, common to every Cfn* construct on this page.
	AddDeletionOverride(path *string)
	AddDependsOn(target awscdk.CfnResource)
	AddMetadata(key *string, value interface{})
	AddOverride(path *string, value interface{})
	AddPropertyDeletionOverride(propertyPath *string)
	AddPropertyOverride(propertyPath *string, value interface{})
	ApplyRemovalPolicy(policy awscdk.RemovalPolicy, options *awscdk.RemovalPolicyOptions)
	GetAtt(attributeName *string) awscdk.Reference
	GetMetadata(key *string) interface{}
	Inspect(inspector awscdk.TreeInspector)
	OverrideLogicalId(newLogicalId *string)
	RenderProperties(props *map[string]interface{}) *map[string]interface{}
	ShouldSynthesize() *bool
	ToString() *string
	ValidateProperties(_properties interface{})
}

A CloudFormation `AWS::ACMPCA::CertificateAuthority`.

Use the `AWS::ACMPCA::CertificateAuthority` resource to create a private CA. Once the CA exists, you can use the `AWS::ACMPCA::Certificate` resource to issue a new CA certificate. Alternatively, you can issue a CA certificate using an on-premises CA, and then use the `AWS::ACMPCA::CertificateAuthorityActivation` resource to import the new CA certificate and activate the CA.

> Before removing a `AWS::ACMPCA::CertificateAuthority` resource from the CloudFormation stack, disable the affected CA. Otherwise, the action will fail. You can disable the CA by removing its associated `AWS::ACMPCA::CertificateAuthorityActivation` resource from CloudFormation.

TODO: EXAMPLE

func NewCfnCertificateAuthority

func NewCfnCertificateAuthority(scope constructs.Construct, id *string, props *CfnCertificateAuthorityProps) CfnCertificateAuthority

Create a new `AWS::ACMPCA::CertificateAuthority`.

type CfnCertificateAuthorityActivation

// CfnCertificateAuthorityActivation is the construct for the CloudFormation
// resource `AWS::ACMPCA::CertificateAuthorityActivation`, which installs a CA
// certificate on a private CA and controls its ACTIVE/DISABLED status.
// Removing this resource disables the CA. Getter/setter pairs mirror
// CfnCertificateAuthorityActivationProps.
type CfnCertificateAuthorityActivation interface {
	awscdk.CfnResource
	awscdk.IInspectable
	// NOTE(review): presumably the installed CA certificate followed by CertificateChain — confirm against the resource's return values.
	AttrCompleteCertificateChain() *string
	// Base64 PEM-encoded CA certificate to install.
	Certificate() *string
	SetCertificate(val *string)
	// ARN of the private CA being activated.
	CertificateAuthorityArn() *string
	SetCertificateAuthorityArn(val *string)
	// Base64 PEM-encoded chain from the CA certificate up to the root that signed it.
	CertificateChain() *string
	SetCertificateChain(val *string)
	CfnOptions() awscdk.ICfnResourceOptions
	CfnProperties() *map[string]interface{}
	CfnResourceType() *string
	CreationStack() *[]*string
	LogicalId() *string
	Node() constructs.Node
	Ref() *string
	Stack() awscdk.Stack
	// `ACTIVE` or `DISABLED`; defaults to ACTIVE when not specified.
	Status() *string
	SetStatus(val *string)
	// (sic) — the method name is spelled this way in the binding.
	UpdatedProperites() *map[string]interface{}
	// Generic CloudFormation resource operations, common to every Cfn* construct on this page.
	AddDeletionOverride(path *string)
	AddDependsOn(target awscdk.CfnResource)
	AddMetadata(key *string, value interface{})
	AddOverride(path *string, value interface{})
	AddPropertyDeletionOverride(propertyPath *string)
	AddPropertyOverride(propertyPath *string, value interface{})
	ApplyRemovalPolicy(policy awscdk.RemovalPolicy, options *awscdk.RemovalPolicyOptions)
	GetAtt(attributeName *string) awscdk.Reference
	GetMetadata(key *string) interface{}
	Inspect(inspector awscdk.TreeInspector)
	OverrideLogicalId(newLogicalId *string)
	RenderProperties(props *map[string]interface{}) *map[string]interface{}
	ShouldSynthesize() *bool
	ToString() *string
	ValidateProperties(_properties interface{})
}

A CloudFormation `AWS::ACMPCA::CertificateAuthorityActivation`.

The `AWS::ACMPCA::CertificateAuthorityActivation` resource creates and installs a CA certificate on a CA. If no status is specified, the `AWS::ACMPCA::CertificateAuthorityActivation` resource status defaults to ACTIVE. Once the CA has a CA certificate installed, you can use the resource to toggle the CA status field between `ACTIVE` and `DISABLED` .

TODO: EXAMPLE

func NewCfnCertificateAuthorityActivation

func NewCfnCertificateAuthorityActivation(scope constructs.Construct, id *string, props *CfnCertificateAuthorityActivationProps) CfnCertificateAuthorityActivation

Create a new `AWS::ACMPCA::CertificateAuthorityActivation`.

type CfnCertificateAuthorityActivationProps

// CfnCertificateAuthorityActivationProps holds the properties of an
// `AWS::ACMPCA::CertificateAuthorityActivation`. Removing the activation
// resource from the stack disables the CA, which must happen before the CA
// resource itself can be deleted.
type CfnCertificateAuthorityActivationProps struct {
	// The Base64 PEM-encoded certificate authority certificate.
	Certificate *string `json:"certificate"`
	// The Amazon Resource Name (ARN) of your private CA.
	CertificateAuthorityArn *string `json:"certificateAuthorityArn"`
	// The Base64 PEM-encoded certificate chain that chains up to the root CA certificate that you used to sign your private CA certificate.
	CertificateChain *string `json:"certificateChain"`
	// Status of your private CA.
	//
	// `ACTIVE` or `DISABLED`; when omitted the status defaults to ACTIVE.
	Status *string `json:"status"`
}

Properties for defining a `CfnCertificateAuthorityActivation`.

TODO: EXAMPLE

type CfnCertificateAuthorityProps

// CfnCertificateAuthorityProps holds the properties of an
// `AWS::ACMPCA::CertificateAuthority`. Nested `interface{}` fields are typed
// that way by the generated binding; the matching *_Property structs in this
// package are the intended values (noted per field, to be confirmed).
type CfnCertificateAuthorityProps struct {
	// Type of the public key algorithm and size, in bits, of the key pair that your CA creates when it issues a certificate.
	//
	// When you create a subordinate CA, you must use a key algorithm supported by the parent CA.
	KeyAlgorithm *string `json:"keyAlgorithm"`
	// Name of the algorithm your private CA uses to sign certificate requests.
	//
	// This parameter should not be confused with the `SigningAlgorithm` parameter used to sign certificates when they are issued.
	SigningAlgorithm *string `json:"signingAlgorithm"`
	// Structure that contains X.500 distinguished name information for your private CA.
	//
	// NOTE(review): presumably a *CfnCertificateAuthority_SubjectProperty — confirm.
	Subject interface{} `json:"subject"`
	// Type of your private CA.
	Type *string `json:"type"`
	// Specifies information to be added to the extension section of the certificate signing request (CSR).
	//
	// NOTE(review): presumably a *CfnCertificateAuthority_CsrExtensionsProperty — confirm.
	CsrExtensions interface{} `json:"csrExtensions"`
	// Specifies a cryptographic key management compliance standard used for handling CA keys.
	//
	// Default: FIPS_140_2_LEVEL_3_OR_HIGHER
	//
	// Note: `FIPS_140_2_LEVEL_3_OR_HIGHER` is not supported in Region ap-northeast-3. When creating a CA in the ap-northeast-3, you must provide `FIPS_140_2_LEVEL_2_OR_HIGHER` as the argument for `KeyStorageSecurityStandard` . Failure to do this results in an `InvalidArgsException` with the message, "A certificate authority cannot be created in this region with the specified security standard."
	KeyStorageSecurityStandard *string `json:"keyStorageSecurityStandard"`
	// Information about the certificate revocation list (CRL) created and maintained by your private CA.
	//
	// Certificate revocation information used by the CreateCertificateAuthority and UpdateCertificateAuthority actions. Your certificate authority can create and maintain a certificate revocation list (CRL). A CRL contains information about certificates that have been revoked.
	//
	// NOTE(review): presumably a *CfnCertificateAuthority_RevocationConfigurationProperty — confirm.
	RevocationConfiguration interface{} `json:"revocationConfiguration"`
	// Key-value pairs that will be attached to the new private CA.
	//
	// You can associate up to 50 tags with a private CA. For information using tags with IAM to manage permissions, see [Controlling Access Using IAM Tags](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_iam-tags.html) .
	Tags *[]*awscdk.CfnTag `json:"tags"`
}

Properties for defining a `CfnCertificateAuthority`.

TODO: EXAMPLE

type CfnCertificateAuthority_AccessDescriptionProperty

// CfnCertificateAuthority_AccessDescriptionProperty is one entry of the
// `authorityInfoAccess` / `subjectInfoAccess` extensions (RFC 5280).
type CfnCertificateAuthority_AccessDescriptionProperty struct {
	// The location of `AccessDescription` information.
	//
	// NOTE(review): presumably a *CfnCertificateAuthority_GeneralNameProperty — confirm.
	AccessLocation interface{} `json:"accessLocation"`
	// The type and format of `AccessDescription` information.
	//
	// NOTE(review): presumably a *CfnCertificateAuthority_AccessMethodProperty — confirm.
	AccessMethod interface{} `json:"accessMethod"`
}

Provides access information used by the `authorityInfoAccess` and `subjectInfoAccess` extensions described in [RFC 5280](https://docs.aws.amazon.com/https://tools.ietf.org/html/rfc5280) .

TODO: EXAMPLE

type CfnCertificateAuthority_AccessMethodProperty

// CfnCertificateAuthority_AccessMethodProperty describes the type and format
// of extension access. Exactly one of AccessMethodType or
// CustomObjectIdentifier may be set; providing both results in
// `InvalidArgsException`.
type CfnCertificateAuthority_AccessMethodProperty struct {
	// Specifies the `AccessMethod` .
	AccessMethodType *string `json:"accessMethodType"`
	// An object identifier (OID) specifying the `AccessMethod` .
	//
	// The OID must satisfy the regular expression shown below. For more information, see NIST's definition of [Object Identifier (OID)](https://docs.aws.amazon.com/https://csrc.nist.gov/glossary/term/Object_Identifier) .
	//
	// NOTE(review): the regular expression referred to above is not reproduced in this binding's docs.
	CustomObjectIdentifier *string `json:"customObjectIdentifier"`
}

Describes the type and format of extension access.

Only one of `CustomObjectIdentifier` or `AccessMethodType` may be provided. Providing both results in `InvalidArgsException` .

TODO: EXAMPLE

type CfnCertificateAuthority_CrlConfigurationProperty

// CfnCertificateAuthority_CrlConfigurationProperty configures the certificate
// revocation list (CRL) the private CA writes to an S3 bucket. The bucket
// policy must grant ACM Private CA write access, and the S3ObjectAcl default
// (PUBLIC_READ) interacts with S3 Block Public Access — see that field.
type CfnCertificateAuthority_CrlConfigurationProperty struct {
	// Name inserted into the certificate *CRL Distribution Points* extension that enables the use of an alias for the CRL distribution point.
	//
	// Use this value if you don't want the name of your S3 bucket to be public.
	CustomCname *string `json:"customCname"`
	// Boolean value that specifies whether certificate revocation lists (CRLs) are enabled.
	//
	// You can use this value to enable certificate revocation for a new CA when you call the `CreateCertificateAuthority` operation or for an existing CA when you call the `UpdateCertificateAuthority` operation.
	Enabled interface{} `json:"enabled"`
	// Validity period of the CRL in days.
	//
	// The CA derives the CRL's *nextUpdate* field from this value and refreshes the CRL at half that age or on revocation.
	ExpirationInDays *float64 `json:"expirationInDays"`
	// Name of the S3 bucket that contains the CRL.
	//
	// If you do not provide a value for the *CustomCname* argument, the name of your S3 bucket is placed into the *CRL Distribution Points* extension of the issued certificate. You can change the name of your bucket by calling the [UpdateCertificateAuthority](https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_UpdateCertificateAuthority.html) operation. You must specify a [bucket policy](https://docs.aws.amazon.com/acm-pca/latest/userguide/PcaCreateCa.html#s3-policies) that allows ACM Private CA to write the CRL to your bucket.
	S3BucketName *string `json:"s3BucketName"`
	// Determines whether the CRL will be publicly readable or privately held in the CRL Amazon S3 bucket.
	//
	// If you choose PUBLIC_READ, the CRL will be accessible over the public internet. If you choose BUCKET_OWNER_FULL_CONTROL, only the owner of the CRL S3 bucket can access the CRL, and your PKI clients may need an alternative method of access.
	//
	// If no value is specified, the default is PUBLIC_READ.
	//
	// > This default can cause CA creation to fail in some circumstances. If you have enabled the Block Public Access (BPA) feature in your S3 account, then you must specify the value of this parameter as `BUCKET_OWNER_FULL_CONTROL` , and not doing so results in an error. If you have disabled BPA in S3, then you can specify either `BUCKET_OWNER_FULL_CONTROL` or `PUBLIC_READ` as the value.
	//
	// For more information, see [Blocking public access to the S3 bucket](https://docs.aws.amazon.com/acm-pca/latest/userguide/PcaCreateCa.html#s3-bpa) .
	//
	// NOTE(review): set this explicitly rather than relying on the PUBLIC_READ default, so the CRL's exposure is a deliberate decision recorded in the template.
	S3ObjectAcl *string `json:"s3ObjectAcl"`
}

Contains configuration information for a certificate revocation list (CRL).

Your private certificate authority (CA) creates base CRLs. Delta CRLs are not supported. You can enable CRLs for your new or an existing private CA by setting the *Enabled* parameter to `true` . Your private CA writes CRLs to an S3 bucket that you specify in the *S3BucketName* parameter. You can hide the name of your bucket by specifying a value for the *CustomCname* parameter. Your private CA copies the CNAME or the S3 bucket name to the *CRL Distribution Points* extension of each certificate it issues. Your S3 bucket policy must give write permission to ACM Private CA.

ACM Private CA assets that are stored in Amazon S3 can be protected with encryption. For more information, see [Encrypting Your CRLs](https://docs.aws.amazon.com/acm-pca/latest/userguide/PcaCreateCa.html#crl-encryption) .

Your private CA uses the value in the *ExpirationInDays* parameter to calculate the *nextUpdate* field in the CRL. The CRL is refreshed at 1/2 the age of next update or when a certificate is revoked. When a certificate is revoked, it is recorded in the next CRL that is generated and in the next audit report. Only time valid certificates are listed in the CRL. Expired certificates are not included.

A CRL is typically updated approximately 30 minutes after a certificate is revoked. If for any reason a CRL update fails, ACM Private CA makes further attempts every 15 minutes.

CRLs contain the following fields:

- *Version* : The current version number defined in RFC 5280 is V2. The integer value is 0x1.
- *Signature Algorithm* : The name of the algorithm used to sign the CRL.
- *Issuer* : The X.500 distinguished name of your private CA that issued the CRL.
- *Last Update* : The issue date and time of this CRL.
- *Next Update* : The day and time by which the next CRL will be issued.
- *Revoked Certificates* : List of revoked certificates. Each list item contains the following information.
  - *Serial Number* : The serial number, in hexadecimal format, of the revoked certificate.
  - *Revocation Date* : Date and time the certificate was revoked.
  - *CRL Entry Extensions* : Optional extensions for the CRL entry.
    - *X509v3 CRL Reason Code* : Reason the certificate was revoked.
- *CRL Extensions* : Optional extensions for the CRL.
  - *X509v3 Authority Key Identifier* : Identifies the public key associated with the private key used to sign the certificate.
  - *X509v3 CRL Number:* : Decimal sequence number for the CRL.
- *Signature Algorithm* : Algorithm used by your private CA to sign the CRL.
- *Signature Value* : Signature computed over the CRL.

Certificate revocation lists created by ACM Private CA are DER-encoded. You can use the following OpenSSL command to list a CRL.

`openssl crl -inform DER -text -in *crl_path* -noout`

For more information, see [Planning a certificate revocation list (CRL)](https://docs.aws.amazon.com/acm-pca/latest/userguide/crl-planning.html) in the *AWS Certificate Manager Private Certificate Authority (PCA) User Guide*

TODO: EXAMPLE

type CfnCertificateAuthority_CsrExtensionsProperty

// CfnCertificateAuthority_CsrExtensionsProperty lists the extensions added to
// the CA's certificate signing request (CSR).
type CfnCertificateAuthority_CsrExtensionsProperty struct {
	// Indicates the purpose of the certificate and of the key contained in the certificate.
	//
	// NOTE(review): presumably a *CfnCertificateAuthority_KeyUsageProperty — confirm.
	KeyUsage interface{} `json:"keyUsage"`
	// For CA certificates, provides a path to additional information pertaining to the CA, such as revocation and policy.
	//
	// For more information, see [Subject Information Access](https://docs.aws.amazon.com/https://tools.ietf.org/html/rfc5280#section-4.2.2.2) in RFC 5280.
	//
	// NOTE(review): presumably a list of CfnCertificateAuthority_AccessDescriptionProperty values — confirm.
	SubjectInformationAccess interface{} `json:"subjectInformationAccess"`
}

Describes the certificate extensions to be added to the certificate signing request (CSR).

TODO: EXAMPLE

type CfnCertificateAuthority_EdiPartyNameProperty

// CfnCertificateAuthority_EdiPartyNameProperty is the EDI party name form of a
// Subject Alternative Name (RFC 5280), used via GeneralNameProperty.EdiPartyName.
type CfnCertificateAuthority_EdiPartyNameProperty struct {
	// Specifies the name assigner.
	NameAssigner *string `json:"nameAssigner"`
	// Specifies the party name.
	PartyName *string `json:"partyName"`
}

Describes an Electronic Data Interchange (EDI) entity as defined in [Subject Alternative Name](https://docs.aws.amazon.com/https://tools.ietf.org/html/rfc5280) in RFC 5280.

TODO: EXAMPLE

type CfnCertificateAuthority_GeneralNameProperty

// CfnCertificateAuthority_GeneralNameProperty is an RFC 5280 `GeneralName`.
// Exactly one of the naming options below should be set; providing more than
// one results in an `InvalidArgsException`.
type CfnCertificateAuthority_GeneralNameProperty struct {
	// Contains information about the certificate subject.
	//
	// The certificate can be one issued by your private certificate authority (CA) or it can be your private CA certificate. The Subject field in the certificate identifies the entity that owns or controls the public key in the certificate. The entity can be a user, computer, device, or service. The Subject must contain an X.500 distinguished name (DN). A DN is a sequence of relative distinguished names (RDNs). The RDNs are separated by commas in the certificate. The DN must be unique for each entity, but your private CA can issue more than one certificate with the same DN to the same entity.
	//
	// NOTE(review): presumably a *CfnCertificateAuthority_SubjectProperty — confirm.
	DirectoryName interface{} `json:"directoryName"`
	// Represents `GeneralName` as a DNS name.
	DnsName *string `json:"dnsName"`
	// Represents `GeneralName` as an `EdiPartyName` object.
	//
	// NOTE(review): presumably a *CfnCertificateAuthority_EdiPartyNameProperty — confirm.
	EdiPartyName interface{} `json:"ediPartyName"`
	// Represents `GeneralName` as an IPv4 or IPv6 address.
	IpAddress *string `json:"ipAddress"`
	// Represents `GeneralName` using an `OtherName` object.
	//
	// NOTE(review): presumably a *CfnCertificateAuthority_OtherNameProperty — confirm.
	OtherName interface{} `json:"otherName"`
	// Represents `GeneralName` as an object identifier (OID).
	RegisteredId *string `json:"registeredId"`
	// Represents `GeneralName` as an [RFC 822](https://docs.aws.amazon.com/https://tools.ietf.org/html/rfc822) email address.
	Rfc822Name *string `json:"rfc822Name"`
	// Represents `GeneralName` as a URI.
	UniformResourceIdentifier *string `json:"uniformResourceIdentifier"`
}

Describes an ASN.1 X.400 `GeneralName` as defined in [RFC 5280](https://docs.aws.amazon.com/https://tools.ietf.org/html/rfc5280) . Only one of the following naming options should be provided. Providing more than one option results in an `InvalidArgsException` error.

TODO: EXAMPLE

type CfnCertificateAuthority_KeyUsageProperty

// CfnCertificateAuthority_KeyUsageProperty sets the X.509 key usage bits for
// the key in the certificate. Every option defaults to false, so only the
// purposes explicitly enabled here are granted.
type CfnCertificateAuthority_KeyUsageProperty struct {
	// Key can be used to sign CRLs.
	CrlSign interface{} `json:"crlSign"`
	// Key can be used to decipher data.
	DataEncipherment interface{} `json:"dataEncipherment"`
	// Key can be used only to decipher data.
	DecipherOnly interface{} `json:"decipherOnly"`
	// Key can be used for digital signing.
	DigitalSignature interface{} `json:"digitalSignature"`
	// Key can be used only to encipher data.
	EncipherOnly interface{} `json:"encipherOnly"`
	// Key can be used in a key-agreement protocol.
	KeyAgreement interface{} `json:"keyAgreement"`
	// Key can be used to sign certificates.
	KeyCertSign interface{} `json:"keyCertSign"`
	// Key can be used to encipher data.
	KeyEncipherment interface{} `json:"keyEncipherment"`
	// Key can be used for non-repudiation.
	NonRepudiation interface{} `json:"nonRepudiation"`
}

Defines one or more purposes for which the key contained in the certificate can be used.

Default value for each option is false.

TODO: EXAMPLE

type CfnCertificateAuthority_OcspConfigurationProperty

// CfnCertificateAuthority_OcspConfigurationProperty enables and configures
// Online Certificate Status Protocol (OCSP) for revocation checking.
type CfnCertificateAuthority_OcspConfigurationProperty struct {
	// Flag enabling use of the Online Certificate Status Protocol (OCSP) for validating certificate revocation status.
	Enabled interface{} `json:"enabled"`
	// By default, ACM Private CA injects an Amazon domain into certificates being validated by the Online Certificate Status Protocol (OCSP).
	//
	// A customer can alternatively use this object to define a CNAME specifying a customized OCSP domain.
	//
	// Note: The value of the CNAME must not include a protocol prefix such as "http://" or "https://".
	OcspCustomCname *string `json:"ocspCustomCname"`
}

Contains information to enable and configure Online Certificate Status Protocol (OCSP) for validating certificate revocation status.

TODO: EXAMPLE

type CfnCertificateAuthority_OtherNameProperty

// CfnCertificateAuthority_OtherNameProperty is a custom `GeneralName` given as
// an OID plus value (see GeneralNameProperty.OtherName).
type CfnCertificateAuthority_OtherNameProperty struct {
	// Specifies an OID.
	//
	// NOTE(review): the OID pattern the upstream docs refer to is not reproduced in this binding's docs.
	TypeId *string `json:"typeId"`
	// Specifies an OID value.
	Value *string `json:"value"`
}

Defines a custom ASN.1 X.400 `GeneralName` using an object identifier (OID) and value. The OID must satisfy the regular expression shown below. For more information, see NIST's definition of [Object Identifier (OID)](https://docs.aws.amazon.com/https://csrc.nist.gov/glossary/term/Object_Identifier) .

TODO: EXAMPLE

type CfnCertificateAuthority_RevocationConfigurationProperty

// CfnCertificateAuthority_RevocationConfigurationProperty selects how the CA
// publishes revocation information: a CRL, OCSP, or both.
type CfnCertificateAuthority_RevocationConfigurationProperty struct {
	// Configuration of the certificate revocation list (CRL), if any, maintained by your private CA.
	//
	// NOTE(review): presumably a *CfnCertificateAuthority_CrlConfigurationProperty — confirm.
	CrlConfiguration interface{} `json:"crlConfiguration"`
	// Configuration of Online Certificate Status Protocol (OCSP) support, if any, maintained by your private CA.
	//
	// NOTE(review): presumably a *CfnCertificateAuthority_OcspConfigurationProperty — confirm.
	OcspConfiguration interface{} `json:"ocspConfiguration"`
}

Certificate revocation information used by the CreateCertificateAuthority and UpdateCertificateAuthority actions.

Your private certificate authority (CA) can configure Online Certificate Status Protocol (OCSP) support and/or maintain a certificate revocation list (CRL). OCSP returns validation information about certificates as requested by clients, and a CRL contains an updated list of certificates revoked by your CA. For more information, see [RevokeCertificate](https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_RevokeCertificate.html) .

TODO: EXAMPLE

type CfnCertificateAuthority_SubjectProperty

// CfnCertificateAuthority_SubjectProperty is the ASN.1 X.500 subject
// (distinguished name) of the certificate authority.
type CfnCertificateAuthority_SubjectProperty struct {
	// Fully qualified domain name (FQDN) associated with the certificate subject.
	CommonName *string `json:"commonName"`
	// Two-digit code that specifies the country in which the certificate subject is located.
	Country *string `json:"country"`
	// Disambiguating information for the certificate subject.
	DistinguishedNameQualifier *string `json:"distinguishedNameQualifier"`
	// Typically a qualifier appended to the name of an individual.
	//
	// Examples include Jr. for junior, Sr. for senior, and III for third.
	GenerationQualifier *string `json:"generationQualifier"`
	// First name.
	GivenName *string `json:"givenName"`
	// Concatenation that typically contains the first letter of the GivenName, the first letter of the middle name if one exists, and the first letter of the SurName.
	Initials *string `json:"initials"`
	// The locality (such as a city or town) in which the certificate subject is located.
	Locality *string `json:"locality"`
	// Legal name of the organization with which the certificate subject is affiliated.
	Organization *string `json:"organization"`
	// A subdivision or unit of the organization (such as sales or finance) with which the certificate subject is affiliated.
	OrganizationalUnit *string `json:"organizationalUnit"`
	// Typically a shortened version of a longer GivenName.
	//
	// For example, Jonathan is often shortened to John. Elizabeth is often shortened to Beth, Liz, or Eliza.
	Pseudonym *string `json:"pseudonym"`
	// The certificate serial number.
	SerialNumber *string `json:"serialNumber"`
	// State in which the subject of the certificate is located.
	State *string `json:"state"`
	// Family name.
	Surname *string `json:"surname"`
	// A personal title such as Mr.
	Title *string `json:"title"`
}

ASN1 subject for the certificate authority.

TODO: EXAMPLE

type CfnCertificateProps

// CfnCertificateProps holds the properties of an `AWS::ACMPCA::Certificate`.
// Validity is required; ValidityNotBefore, ApiPassthrough and TemplateArn are
// optional.
type CfnCertificateProps struct {
	// The Amazon Resource Name (ARN) for the private CA that issues the certificate.
	CertificateAuthorityArn *string `json:"certificateAuthorityArn"`
	// The certificate signing request (CSR) for the certificate.
	CertificateSigningRequest *string `json:"certificateSigningRequest"`
	// The name of the algorithm that will be used to sign the certificate to be issued.
	//
	// This parameter should not be confused with the `SigningAlgorithm` parameter used to sign a CSR in the `CreateCertificateAuthority` action.
	//
	// > The specified signing algorithm family (RSA or ECDSA) must match the algorithm family of the CA's secret key.
	SigningAlgorithm *string `json:"signingAlgorithm"`
	// The period of time during which the certificate will be valid.
	//
	// NOTE(review): presumably a validity property struct from this package — confirm.
	Validity interface{} `json:"validity"`
	// Specifies X.509 certificate information to be included in the issued certificate. An `APIPassthrough` or `APICSRPassthrough` template variant must be selected, or else this parameter is ignored.
	//
	// NOTE(review): presumably a *CfnCertificate_ApiPassthroughProperty — confirm.
	ApiPassthrough interface{} `json:"apiPassthrough"`
	// Specifies a custom configuration template to use when issuing a certificate.
	//
	// If this parameter is not provided, ACM Private CA defaults to the `EndEntityCertificate/V1` template. For more information about ACM Private CA templates, see [Using Templates](https://docs.aws.amazon.com/acm-pca/latest/userguide/UsingTemplates.html) .
	TemplateArn *string `json:"templateArn"`
	// Information describing the start of the validity period of the certificate.
	//
	// This parameter sets the "Not Before" date for the certificate.
	//
	// By default, when issuing a certificate, ACM Private CA sets the "Not Before" date to the issuance time minus 60 minutes. This compensates for clock inconsistencies across computer systems. The `ValidityNotBefore` parameter can be used to customize the "Not Before" value.
	//
	// Unlike the `Validity` parameter, the `ValidityNotBefore` parameter is optional.
	//
	// The `ValidityNotBefore` value is expressed as an explicit date and time, using the `Validity` type value `ABSOLUTE` .
	ValidityNotBefore interface{} `json:"validityNotBefore"`
}

Properties for defining a `CfnCertificate`.

TODO: EXAMPLE

type CfnCertificate_ApiPassthroughProperty

// CfnCertificate_ApiPassthroughProperty contains X.509 certificate information
// to be placed in an issued certificate. An `APIPassthrough` or
// `APICSRPassthrough` template variant must be selected, or else this
// parameter is ignored.
//
// If conflicting or duplicate certificate information is supplied from other
// sources, ACM Private CA applies its template order-of-operation rules to
// determine what information is used.
//
// NOTE(review): whatever is passed through here ends up in the issued
// certificate, so the extension and subject values should be reviewed against
// the intended use of the certificate rather than copied from the request.
type CfnCertificate_ApiPassthroughProperty struct {
	// Specifies X.509 extension information for a certificate.
	//
	// Presumably a `CfnCertificate_ExtensionsProperty` or a CDK token resolving to one — confirm against the CDK binding.
	Extensions interface{} `json:"extensions"`
	// Contains information about the certificate subject.
	//
	// The Subject field in the certificate identifies the entity that owns or controls the public key in the certificate. The entity can be a user, computer, device, or service. The Subject must contain an X.500 distinguished name (DN). A DN is a sequence of relative distinguished names (RDNs). The RDNs are separated by commas in the certificate.
	//
	// Presumably a `CfnCertificate_SubjectProperty` or a CDK token resolving to one — confirm against the CDK binding.
	Subject interface{} `json:"subject"`
}

Contains X.509 certificate information to be placed in an issued certificate. An `APIPassthrough` or `APICSRPassthrough` template variant must be selected, or else this parameter is ignored.

If conflicting or duplicate certificate information is supplied from other sources, ACM Private CA applies [order of operation rules](https://docs.aws.amazon.com/acm-pca/latest/userguide/UsingTemplates.html#template-order-of-operations) to determine what information is used.

TODO: EXAMPLE

type CfnCertificate_EdiPartyNameProperty

// CfnCertificate_EdiPartyNameProperty describes an Electronic Data Interchange
// (EDI) entity as defined for the Subject Alternative Name extension in
// RFC 5280. It is used as the `EdiPartyName` option of a `GeneralName`.
type CfnCertificate_EdiPartyNameProperty struct {
	// Specifies the name assigner.
	NameAssigner *string `json:"nameAssigner"`
	// Specifies the party name.
	PartyName *string `json:"partyName"`
}

Describes an Electronic Data Interchange (EDI) entity as defined in [Subject Alternative Name](https://docs.aws.amazon.com/https://tools.ietf.org/html/rfc5280) in RFC 5280.

TODO: EXAMPLE

type CfnCertificate_ExtendedKeyUsageProperty

// CfnCertificate_ExtendedKeyUsageProperty specifies additional purposes for
// which the certified public key may be used, beyond the basic purposes
// indicated in the `KeyUsage` extension.
//
// A purpose is identified either by a standard type name or by a custom OID;
// the page does not state whether both fields may be set at once — confirm
// against the AWS API reference before relying on either combination.
type CfnCertificate_ExtendedKeyUsageProperty struct {
	// Specifies a custom `ExtendedKeyUsage` with an object identifier (OID).
	ExtendedKeyUsageObjectIdentifier *string `json:"extendedKeyUsageObjectIdentifier"`
	// Specifies a standard `ExtendedKeyUsage` as defined in [RFC 5280](https://docs.aws.amazon.com/https://tools.ietf.org/html/rfc5280#section-4.2.1.12) .
	ExtendedKeyUsageType *string `json:"extendedKeyUsageType"`
}

Specifies additional purposes for which the certified public key may be used other than basic purposes indicated in the `KeyUsage` extension.

TODO: EXAMPLE

type CfnCertificate_ExtensionsProperty

// CfnCertificate_ExtensionsProperty contains X.509 extension information for a
// certificate. Each field is declared as interface{} in this binding; the
// concrete types named below are inferred from the sibling property types in
// this package and should be confirmed against the CDK binding.
type CfnCertificate_ExtensionsProperty struct {
	// Contains a sequence of one or more policy information terms, each of which consists of an object identifier (OID) and optional qualifiers.
	//
	// For more information, see NIST's definition of [Object Identifier (OID)](https://docs.aws.amazon.com/https://csrc.nist.gov/glossary/term/Object_Identifier) .
	//
	// In an end-entity certificate, these terms indicate the policy under which the certificate was issued and the purposes for which it may be used. In a CA certificate, these terms limit the set of policies for certification paths that include this certificate.
	//
	// Presumably a list of `CfnCertificate_PolicyInformationProperty` — confirm.
	CertificatePolicies interface{} `json:"certificatePolicies"`
	// Specifies additional purposes for which the certified public key may be used other than basic purposes indicated in the `KeyUsage` extension.
	//
	// Presumably a list of `CfnCertificate_ExtendedKeyUsageProperty` — confirm.
	ExtendedKeyUsage interface{} `json:"extendedKeyUsage"`
	// Defines one or more purposes for which the key contained in the certificate can be used.
	//
	// Default value for each option is false.
	//
	// Presumably a `CfnCertificate_KeyUsageProperty` — confirm.
	KeyUsage interface{} `json:"keyUsage"`
	// The subject alternative name extension allows identities to be bound to the subject of the certificate.
	//
	// These identities may be included in addition to or in place of the identity in the subject field of the certificate.
	//
	// Presumably a list of `CfnCertificate_GeneralNameProperty` — confirm.
	SubjectAlternativeNames interface{} `json:"subjectAlternativeNames"`
}

Contains X.509 extension information for a certificate.

TODO: EXAMPLE

type CfnCertificate_GeneralNameProperty

// CfnCertificate_GeneralNameProperty describes a `GeneralName` as defined in
// RFC 5280. Only one of the naming options below should be provided;
// providing more than one results in an `InvalidArgsException` error.
type CfnCertificate_GeneralNameProperty struct {
	// Contains information about the certificate subject.
	//
	// The certificate can be one issued by your private certificate authority (CA) or it can be your private CA certificate. The Subject field in the certificate identifies the entity that owns or controls the public key in the certificate. The entity can be a user, computer, device, or service. The Subject must contain an X.500 distinguished name (DN). A DN is a sequence of relative distinguished names (RDNs). The RDNs are separated by commas in the certificate. The DN must be unique for each entity, but your private CA can issue more than one certificate with the same DN to the same entity.
	//
	// Presumably a `CfnCertificate_SubjectProperty` — confirm against the CDK binding.
	DirectoryName interface{} `json:"directoryName"`
	// Represents `GeneralName` as a DNS name.
	DnsName *string `json:"dnsName"`
	// Represents `GeneralName` as an `EdiPartyName` object.
	//
	// Presumably a `CfnCertificate_EdiPartyNameProperty` — confirm against the CDK binding.
	EdiPartyName interface{} `json:"ediPartyName"`
	// Represents `GeneralName` as an IPv4 or IPv6 address.
	IpAddress *string `json:"ipAddress"`
	// Represents `GeneralName` using an `OtherName` object.
	//
	// Presumably a `CfnCertificate_OtherNameProperty` — confirm against the CDK binding.
	OtherName interface{} `json:"otherName"`
	// Represents `GeneralName` as an object identifier (OID).
	RegisteredId *string `json:"registeredId"`
	// Represents `GeneralName` as an [RFC 822](https://docs.aws.amazon.com/https://tools.ietf.org/html/rfc822) email address.
	Rfc822Name *string `json:"rfc822Name"`
	// Represents `GeneralName` as a URI.
	UniformResourceIdentifier *string `json:"uniformResourceIdentifier"`
}

Describes an ASN.1 X.400 `GeneralName` as defined in [RFC 5280](https://docs.aws.amazon.com/https://tools.ietf.org/html/rfc5280) . Only one of the following naming options should be provided. Providing more than one option results in an `InvalidArgsException` error.

TODO: EXAMPLE

type CfnCertificate_KeyUsageProperty

// CfnCertificate_KeyUsageProperty defines one or more purposes for which the
// key contained in the certificate can be used. The default value for each
// option is false.
//
// Each field is declared as interface{} in this binding; presumably a *bool or
// a CDK token resolving to one — confirm against the CDK binding.
//
// NOTE(review): `KeyCertSign` and `CrlSign` are CA-level capabilities. Keep
// them unset on end-entity certificates unless the certificate is genuinely
// meant to act as a CA.
type CfnCertificate_KeyUsageProperty struct {
	// Key can be used to sign CRLs.
	CrlSign interface{} `json:"crlSign"`
	// Key can be used to decipher data.
	DataEncipherment interface{} `json:"dataEncipherment"`
	// Key can be used only to decipher data.
	DecipherOnly interface{} `json:"decipherOnly"`
	// Key can be used for digital signing.
	DigitalSignature interface{} `json:"digitalSignature"`
	// Key can be used only to encipher data.
	EncipherOnly interface{} `json:"encipherOnly"`
	// Key can be used in a key-agreement protocol.
	KeyAgreement interface{} `json:"keyAgreement"`
	// Key can be used to sign certificates.
	KeyCertSign interface{} `json:"keyCertSign"`
	// Key can be used to encipher data.
	KeyEncipherment interface{} `json:"keyEncipherment"`
	// Key can be used for non-repudiation.
	NonRepudiation interface{} `json:"nonRepudiation"`
}

Defines one or more purposes for which the key contained in the certificate can be used.

Default value for each option is false.

TODO: EXAMPLE

type CfnCertificate_OtherNameProperty

// CfnCertificate_OtherNameProperty defines a custom `GeneralName` using an
// object identifier (OID) and a value. The OID must satisfy the regular
// expression given in the AWS documentation (it is not reproduced on this
// page). For more information, see NIST's definition of Object Identifier.
type CfnCertificate_OtherNameProperty struct {
	// Specifies an OID.
	TypeId *string `json:"typeId"`
	// Specifies an OID value.
	Value *string `json:"value"`
}

Defines a custom ASN.1 X.400 `GeneralName` using an object identifier (OID) and value. The OID must satisfy the regular expression given in the AWS documentation (it is not reproduced here). For more information, see NIST's definition of [Object Identifier (OID)](https://docs.aws.amazon.com/https://csrc.nist.gov/glossary/term/Object_Identifier) .

TODO: EXAMPLE

type CfnCertificate_PolicyInformationProperty

// CfnCertificate_PolicyInformationProperty defines one entry of the X.509
// `CertificatePolicies` extension: a policy OID plus optional qualifiers.
type CfnCertificate_PolicyInformationProperty struct {
	// Specifies the object identifier (OID) of the certificate policy under which the certificate was issued.
	//
	// For more information, see NIST's definition of [Object Identifier (OID)](https://docs.aws.amazon.com/https://csrc.nist.gov/glossary/term/Object_Identifier) .
	CertPolicyId *string `json:"certPolicyId"`
	// Modifies the given `CertPolicyId` with a qualifier.
	//
	// ACM Private CA supports the certification practice statement (CPS) qualifier.
	//
	// Presumably a list of `CfnCertificate_PolicyQualifierInfoProperty` — confirm against the CDK binding.
	PolicyQualifiers interface{} `json:"policyQualifiers"`
}

Defines the X.509 `CertificatePolicies` extension.

TODO: EXAMPLE

type CfnCertificate_PolicyQualifierInfoProperty

// CfnCertificate_PolicyQualifierInfoProperty modifies the `CertPolicyId` of a
// `PolicyInformation` object with a qualifier. ACM Private CA supports the
// certification practice statement (CPS) qualifier.
type CfnCertificate_PolicyQualifierInfoProperty struct {
	// Identifies the qualifier modifying a `CertPolicyId` .
	PolicyQualifierId *string `json:"policyQualifierId"`
	// Defines the qualifier type.
	//
	// ACM Private CA supports the use of a URI for a CPS qualifier in this field.
	//
	// Presumably a `CfnCertificate_QualifierProperty` — confirm against the CDK binding.
	Qualifier interface{} `json:"qualifier"`
}

Modifies the `CertPolicyId` of a `PolicyInformation` object with a qualifier.

ACM Private CA supports the certification practice statement (CPS) qualifier.

TODO: EXAMPLE

type CfnCertificate_QualifierProperty

// CfnCertificate_QualifierProperty defines a `PolicyInformation` qualifier.
// ACM Private CA supports the certification practice statement (CPS)
// qualifier defined in RFC 5280, section 4.2.1.4.
type CfnCertificate_QualifierProperty struct {
	// Contains a pointer to a certification practice statement (CPS) published by the CA.
	CpsUri *string `json:"cpsUri"`
}

Defines a `PolicyInformation` qualifier.

ACM Private CA supports the [certification practice statement (CPS) qualifier](https://docs.aws.amazon.com/https://tools.ietf.org/html/rfc5280#section-4.2.1.4) defined in RFC 5280.

TODO: EXAMPLE

type CfnCertificate_SubjectProperty

// CfnCertificate_SubjectProperty contains information about the certificate
// subject.
//
// The `Subject` field in the certificate identifies the entity that owns or
// controls the public key in the certificate. The entity can be a user,
// computer, device, or service. The `Subject` must contain an X.500
// distinguished name (DN). A DN is a sequence of relative distinguished names
// (RDNs); the RDNs are separated by commas in the certificate.
type CfnCertificate_SubjectProperty struct {
	// For CA and end-entity certificates in a private PKI, the common name (CN) can be any string within the length limit.
	//
	// Note: In publicly trusted certificates, the common name must be a fully qualified domain name (FQDN) associated with the certificate subject.
	CommonName *string `json:"commonName"`
	// Two-digit code that specifies the country in which the certificate subject is located.
	Country *string `json:"country"`
	// Disambiguating information for the certificate subject.
	DistinguishedNameQualifier *string `json:"distinguishedNameQualifier"`
	// Typically a qualifier appended to the name of an individual.
	//
	// Examples include Jr. for junior, Sr. for senior, and III for third.
	GenerationQualifier *string `json:"generationQualifier"`
	// First name.
	GivenName *string `json:"givenName"`
	// Concatenation that typically contains the first letter of the *GivenName* , the first letter of the middle name if one exists, and the first letter of the *Surname* .
	Initials *string `json:"initials"`
	// The locality (such as a city or town) in which the certificate subject is located.
	Locality *string `json:"locality"`
	// Legal name of the organization with which the certificate subject is affiliated.
	Organization *string `json:"organization"`
	// A subdivision or unit of the organization (such as sales or finance) with which the certificate subject is affiliated.
	OrganizationalUnit *string `json:"organizationalUnit"`
	// Typically a shortened version of a longer *GivenName* .
	//
	// For example, Jonathan is often shortened to John. Elizabeth is often shortened to Beth, Liz, or Eliza.
	Pseudonym *string `json:"pseudonym"`
	// The certificate serial number.
	//
	// NOTE(review): this is a subject DN attribute, so it presumably maps to the X.500 serialNumber RDN rather than the serial number the CA assigns to the issued certificate — confirm against the AWS API reference.
	SerialNumber *string `json:"serialNumber"`
	// State in which the subject of the certificate is located.
	State *string `json:"state"`
	// Family name.
	//
	// In the US and the UK, for example, the surname of an individual is ordered last. In Asian cultures the surname is typically ordered first.
	Surname *string `json:"surname"`
	// A title such as Mr. or Ms., which is prepended to the name to refer formally to the certificate subject.
	Title *string `json:"title"`
}

Contains information about the certificate subject.

The `Subject` field in the certificate identifies the entity that owns or controls the public key in the certificate. The entity can be a user, computer, device, or service. The `Subject` must contain an X.500 distinguished name (DN). A DN is a sequence of relative distinguished names (RDNs). The RDNs are separated by commas in the certificate.

TODO: EXAMPLE

type CfnCertificate_ValidityProperty

// CfnCertificate_ValidityProperty gives the length of time for which the
// certificate issued by your private certificate authority (CA), or the
// private CA certificate itself, is valid, expressed in days, months, or years.
//
// The same type is used for `ValidityNotBefore`, whose documentation refers to
// a `Validity` type value `ABSOLUTE` (an explicit date and time); the exact set
// of accepted `Type` values is not listed on this page — confirm against the
// AWS API reference.
type CfnCertificate_ValidityProperty struct {
	// Specifies whether the `Value` parameter represents days, months, or years.
	Type *string `json:"type"`
	// A long integer interpreted according to the value of `Type` , below.
	//
	// Declared as *float64 in this binding (CloudFormation numbers); callers should pass a whole number.
	Value *float64 `json:"value"`
}

Length of time for which the certificate issued by your private certificate authority (CA), or by the private CA itself, is valid in days, months, or years.

You can issue a certificate by calling the `IssueCertificate` operation.

TODO: EXAMPLE

type CfnPermission

// CfnPermission is a CloudFormation `AWS::ACMPCA::Permission`.
//
// It grants permissions to the AWS Certificate Manager (ACM) service principal
// (`acm.amazonaws.com`) to perform IssueCertificate, GetCertificate, and
// ListPermissions actions on a CA. These actions are needed for the ACM
// principal to renew private PKI certificates requested through ACM and
// residing in the same AWS account as the CA. If the private CA and the ACM
// certificates reside in different accounts, permissions cannot be used to
// enable automatic renewals; a resource-based policy is required instead.
//
// To update an `AWS::ACMPCA::Permission` resource, the existing permission
// resource must first be deleted from the CloudFormation stack and then a new
// one created with the updated properties.
type CfnPermission interface {
	awscdk.CfnResource
	awscdk.IInspectable
	// The private CA actions that can be performed by the designated AWS service.
	// Supported actions are `IssueCertificate`, `GetCertificate`, and `ListPermissions`.
	Actions() *[]*string
	SetActions(val *[]*string)
	// The Amazon Resource Name (ARN) of the private CA from which the permission was issued.
	CertificateAuthorityArn() *string
	SetCertificateAuthorityArn(val *string)
	// CloudFormation resource plumbing provided by awscdk.CfnResource — see that type's documentation.
	CfnOptions() awscdk.ICfnResourceOptions
	CfnProperties() *map[string]interface{}
	CfnResourceType() *string
	CreationStack() *[]*string
	LogicalId() *string
	Node() constructs.Node
	// The AWS service or entity that holds the permission.
	// At this time, the only valid principal is `acm.amazonaws.com`.
	Principal() *string
	SetPrincipal(val *string)
	Ref() *string
	// The ID of the account that assigned the permission.
	SourceAccount() *string
	SetSourceAccount(val *string)
	Stack() awscdk.Stack
	// Note the misspelling in the generated method name; it is part of the public interface and cannot be changed here.
	UpdatedProperites() *map[string]interface{}
	AddDeletionOverride(path *string)
	AddDependsOn(target awscdk.CfnResource)
	AddMetadata(key *string, value interface{})
	AddOverride(path *string, value interface{})
	AddPropertyDeletionOverride(propertyPath *string)
	AddPropertyOverride(propertyPath *string, value interface{})
	ApplyRemovalPolicy(policy awscdk.RemovalPolicy, options *awscdk.RemovalPolicyOptions)
	GetAtt(attributeName *string) awscdk.Reference
	GetMetadata(key *string) interface{}
	Inspect(inspector awscdk.TreeInspector)
	OverrideLogicalId(newLogicalId *string)
	RenderProperties(props *map[string]interface{}) *map[string]interface{}
	ShouldSynthesize() *bool
	ToString() *string
	ValidateProperties(_properties interface{})
}

A CloudFormation `AWS::ACMPCA::Permission`.

Grants permissions to the AWS Certificate Manager (ACM) service principal ( `acm.amazonaws.com` ) to perform [IssueCertificate](https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_IssueCertificate.html) , [GetCertificate](https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_GetCertificate.html) , and [ListPermissions](https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_ListPermissions.html) actions on a CA. These actions are needed for the ACM principal to renew private PKI certificates requested through ACM and residing in the same AWS account as the CA.

**About permissions**

- If the private CA and the certificates it issues reside in the same account, you can use `AWS::ACMPCA::Permission` to grant permissions for ACM to carry out automatic certificate renewals.
- For automatic certificate renewal to succeed, the ACM service principal needs permissions to create, retrieve, and list permissions.
- If the private CA and the ACM certificates reside in different accounts, then permissions cannot be used to enable automatic renewals. Instead, the ACM certificate owner must set up a resource-based policy to enable cross-account issuance and renewals. For more information, see [Using a Resource Based Policy with ACM Private CA](https://docs.aws.amazon.com/acm-pca/latest/userguide/pca-rbp.html) .

> To update an `AWS::ACMPCA::Permission` resource, you must first delete the existing permission resource from the CloudFormation stack and then create a new permission resource with updated properties.

TODO: EXAMPLE

func NewCfnPermission

func NewCfnPermission(scope constructs.Construct, id *string, props *CfnPermissionProps) CfnPermission

Create a new `AWS::ACMPCA::Permission`.

type CfnPermissionProps

// CfnPermissionProps holds the properties for defining a `CfnPermission`
// (`AWS::ACMPCA::Permission`).
//
// NOTE(review): the permission is the grant that lets ACM issue and fetch
// certificates from this CA; scope `Actions` to what renewal needs and keep
// `Principal` at the documented ACM service principal.
type CfnPermissionProps struct {
	// The private CA actions that can be performed by the designated AWS service.
	//
	// Supported actions are `IssueCertificate` , `GetCertificate` , and `ListPermissions` .
	Actions *[]*string `json:"actions"`
	// The Amazon Resource Name (ARN) of the private CA from which the permission was issued.
	CertificateAuthorityArn *string `json:"certificateAuthorityArn"`
	// The AWS service or entity that holds the permission.
	//
	// At this time, the only valid principal is `acm.amazonaws.com` .
	Principal *string `json:"principal"`
	// The ID of the account that assigned the permission.
	SourceAccount *string `json:"sourceAccount"`
}

Properties for defining a `CfnPermission`.

TODO: EXAMPLE

type ICertificateAuthority

// ICertificateAuthority is the interface that all CertificateAuthority-based
// classes must implement. It can be obtained for an existing CA via
// CertificateAuthority_FromCertificateAuthorityArn.
type ICertificateAuthority interface {
	awscdk.IResource
	// The Amazon Resource Name (ARN) of the certificate authority.
	CertificateAuthorityArn() *string
}

Interface that all CertificateAuthority-based classes must implement.

func CertificateAuthority_FromCertificateAuthorityArn

func CertificateAuthority_FromCertificateAuthorityArn(scope constructs.Construct, id *string, certificateAuthorityArn *string) ICertificateAuthority

Import an existing Certificate Authority given its ARN.
