Package-level declarations
Types
Provides access information used by the authorityInfoAccess and subjectInfoAccess extensions described in RFC 5280.
Describes the type and format of extension access. Only one of CustomObjectIdentifier or AccessMethodType may be provided. Providing both results in InvalidArgsException.
Base class for all service related exceptions thrown by the AcmPca client
Contains X.509 certificate information to be placed in an issued certificate. An APIPassthrough or APICSRPassthrough template variant must be selected, or else this parameter is ignored.
Contains information about the certificate subject. The Subject field in the certificate identifies the entity that owns or controls the public key in the certificate. The entity can be a user, computer, device, or service. The Subject must contain an X.500 distinguished name (DN). A DN is a sequence of relative distinguished names (RDNs). The RDNs are separated by commas in the certificate.
Contains information about your private certificate authority (CA). Your private CA can issue and revoke X.509 digital certificates. Digital certificates verify that the entity named in the certificate Subject field owns or controls the public key contained in the Subject Public Key Info field. Call the CreateCertificateAuthority action to create your private CA. You must then call the GetCertificateAuthorityCertificate action to retrieve a private CA certificate signing request (CSR). Sign the CSR with your Amazon Web Services Private CA-hosted or on-premises root or subordinate CA certificate. Call the ImportCertificateAuthorityCertificate action to import the signed certificate into Certificate Manager (ACM).
Contains configuration information for your private certificate authority (CA). This includes information about the class of public key algorithm and the key pair that your private CA creates when it issues a certificate. It also includes the signature algorithm that it uses when issuing certificates, and its X.500 distinguished name. You must specify this information when you call the CreateCertificateAuthority action.
The certificate authority certificate you are importing does not comply with conditions specified in the certificate that signed it.
A previous update to your private CA is still ongoing.
Contains configuration information for a certificate revocation list (CRL). Your private certificate authority (CA) creates base CRLs. Delta CRLs are not supported. You can enable CRLs for your new or an existing private CA by setting the Enabled parameter to true. Your private CA writes CRLs to an S3 bucket that you specify in the S3BucketName parameter. You can hide the name of your bucket by specifying a value for the CustomCname parameter. Your private CA by default copies the CNAME or the S3 bucket name to the CRL Distribution Points extension of each certificate it issues. If you want to configure this default behavior to be something different, you can set the CrlDistributionPointExtensionConfiguration parameter. Your S3 bucket policy must give write permission to Amazon Web Services Private CA.
Contains configuration information for the default behavior of the CRL Distribution Point (CDP) extension in certificates issued by your CA. This extension contains a link to download the CRL, so you can check whether a certificate has been revoked. To choose whether you want this extension omitted or not in certificates issued by your CA, you can set the OmitExtension parameter.
Describes the certificate extensions to be added to the certificate signing request (CSR).
Defines the X.500 relative distinguished name (RDN).
Specifies the X.509 extension information for a certificate.
Describes an Electronic Data Interchange (EDI) entity as defined in Subject Alternative Name in RFC 5280.
Specifies additional purposes for which the certified public key may be used other than basic purposes indicated in the KeyUsage extension.
Contains X.509 extension information for a certificate.
Describes an ASN.1 X.400 GeneralName as defined in RFC 5280. Only one of the following naming options should be provided. Providing more than one option results in an InvalidArgsException error.
One or more of the specified arguments was not valid.
The requested Amazon Resource Name (ARN) does not refer to an existing resource.
The token specified in the NextToken argument is not valid. Use the token returned from your previous call to ListCertificateAuthorities.
The resource policy is invalid or is missing a required statement. For general information about IAM policy and statement structure, see Overview of JSON Policies.
The request action cannot be performed or is prohibited.
The state of the private CA does not allow this action to occur.
The tag associated with the CA is not valid. The invalid argument is contained in the message field.
An Amazon Web Services Private CA quota has been exceeded. See the exception message returned to determine the quota that was exceeded.
The current action was prevented because it would lock the caller out from performing subsequent actions. Verify that the specified parameters would not result in the caller being denied access to the resource.
One or more fields in the certificate are invalid.
The certificate signing request is invalid.
Contains information to enable and configure Online Certificate Status Protocol (OCSP) for validating certificate revocation status.
Defines a custom ASN.1 X.400 GeneralName using an object identifier (OID) and value. The OID must satisfy the regular expression shown below. For more information, see NIST's definition of Object Identifier (OID).
Permissions designate which private CA actions can be performed by an Amazon Web Services service or entity. In order for ACM to automatically renew private certificates, you must give the ACM service principal all available permissions (IssueCertificate, GetCertificate, and ListPermissions). Permissions can be assigned with the CreatePermission action, removed with the DeletePermission action, and listed with the ListPermissions action.
The designated permission has already been given to the user.
Defines the X.509 CertificatePolicies extension.
Modifies the CertPolicyId of a PolicyInformation object with a qualifier. Amazon Web Services Private CA supports the certification practice statement (CPS) qualifier.
Defines a PolicyInformation qualifier. Amazon Web Services Private CA supports the certification practice statement (CPS) qualifier defined in RFC 5280.
Your request has already been completed.
The request has failed for an unspecified reason.
Your request is already in progress.
A resource such as a private CA, S3 bucket, certificate, audit report, or policy cannot be found.
Certificate revocation information used by the CreateCertificateAuthority and UpdateCertificateAuthority actions. Your private certificate authority (CA) can configure Online Certificate Status Protocol (OCSP) support and/or maintain a certificate revocation list (CRL). OCSP returns validation information about certificates as requested by clients, and a CRL contains an updated list of certificates revoked by your CA. For more information, see RevokeCertificate and Setting up a certificate revocation method in the Amazon Web Services Private Certificate Authority User Guide.
Tags are labels that you can use to identify and organize your private CAs. Each tag consists of a key and an optional value. You can associate up to 50 tags with a private CA. To add one or more tags to a private CA, call the TagCertificateAuthority action. To remove a tag, call the UntagCertificateAuthority action.
You can associate up to 50 tags with a private CA. Exception information is contained in the exception message field.
Validity specifies the period of time during which a certificate is valid. Validity can be expressed as an explicit date and time when the validity of a certificate starts or expires, or as a span of time after issuance, stated in days, months, or years. For more information, see Validity in RFC 5280.