Crate rusoto_acm_pca

You can use the ACM PCA API to create a private certificate authority (CA). You must first call the CreateCertificateAuthority operation. If successful, the operation returns an Amazon Resource Name (ARN) for your private CA. Use this ARN as input to the GetCertificateAuthorityCsr operation to retrieve the certificate signing request (CSR) for your private CA certificate. Sign the CSR using the root or an intermediate CA in your on-premises PKI hierarchy, and call the ImportCertificateAuthorityCertificate to import your signed private CA certificate into ACM PCA.

Use your private CA to issue and revoke certificates. These are private certificates that identify and secure client computers, servers, applications, services, devices, and users over SSL/TLS connections within your organization. Call the IssueCertificate operation to issue a certificate. Call the RevokeCertificate operation to revoke a certificate.

Certificates issued by your private CA can be trusted only within your organization, not publicly.

Your private CA can optionally create a certificate revocation list (CRL) to track the certificates you revoke. To create a CRL, you must specify a RevocationConfiguration object when you call the CreateCertificateAuthority operation. ACM PCA writes the CRL to an S3 bucket that you specify. You must specify a bucket policy that grants ACM PCA write permission.

You can also call the CreateCertificateAuthorityAuditReport to create an optional audit report, which enumerates all of the issued, valid, expired, and revoked certificates from the CA.

Each ACM PCA API operation has a throttling limit which determines the number of times the operation can be called per second. For more information, see API Rate Limits in ACM PCA in the ACM PCA user guide.

If you're using the service, you're probably looking for AcmPcaClient and AcmPca.

Structs

ASN1Subject

Contains information about the certificate subject. The certificate can be one issued by your private certificate authority (CA) or it can be your private CA certificate. The Subject field in the certificate identifies the entity that owns or controls the public key in the certificate. The entity can be a user, computer, device, or service. The Subject must contain an X.500 distinguished name (DN). A DN is a sequence of relative distinguished names (RDNs). The RDNs are separated by commas in the certificate. The DN must be unique for each entity, but your private CA can issue more than one certificate with the same DN to the same entity.

AcmPcaClient

A client for the ACM-PCA API.

CertificateAuthority

Contains information about your private certificate authority (CA). Your private CA can issue and revoke X.509 digital certificates. Digital certificates verify that the entity named in the certificate Subject field owns or controls the public key contained in the Subject Public Key Info field. Call the CreateCertificateAuthority operation to create your private CA. You must then call the GetCertificateAuthorityCertificate operation to retrieve a private CA certificate signing request (CSR). Take the CSR to your on-premises CA and sign it with the root CA certificate or a subordinate certificate. Call the ImportCertificateAuthorityCertificate operation to import the signed certificate into AWS Certificate Manager (ACM).

CertificateAuthorityConfiguration

Contains configuration information for your private certificate authority (CA). This includes information about the class of public key algorithm and the key pair that your private CA creates when it issues a certificate. It also includes the signature algorithm that it uses when issuing certificates, and its X.500 distinguished name. You must specify this information when you call the CreateCertificateAuthority operation.

CreateCertificateAuthorityAuditReportRequest
CreateCertificateAuthorityAuditReportResponse
CreateCertificateAuthorityRequest
CreateCertificateAuthorityResponse
CreatePermissionRequest
CrlConfiguration

Contains configuration information for a certificate revocation list (CRL). Your private certificate authority (CA) creates base CRLs. Delta CRLs are not supported. You can enable CRLs for your new or an existing private CA by setting the Enabled parameter to true. Your private CA writes CRLs to an S3 bucket that you specify in the S3BucketName parameter. You can hide the name of your bucket by specifying a value for the CustomCname parameter. Your private CA copies the CNAME or the S3 bucket name to the CRL Distribution Points extension of each certificate it issues. Your S3 bucket policy must give write permission to ACM PCA.

Your private CA uses the value in the ExpirationInDays parameter to calculate the nextUpdate field in the CRL. The CRL is regenerated when half of the interval to nextUpdate has elapsed, or when a certificate is revoked. When a certificate is revoked, it is recorded in the next CRL that is generated and in the next audit report. Only certificates that are still within their validity period are listed in the CRL; expired certificates are not included.

CRLs contain the following fields:

  • Version: The current version number defined in RFC 5280 is V2. The integer value is 0x1.

  • Signature Algorithm: The name of the algorithm used to sign the CRL.

  • Issuer: The X.500 distinguished name of your private CA that issued the CRL.

  • Last Update: The issue date and time of this CRL.

  • Next Update: The day and time by which the next CRL will be issued.

  • Revoked Certificates: List of revoked certificates. Each list item contains the following information.

    • Serial Number: The serial number, in hexadecimal format, of the revoked certificate.

    • Revocation Date: Date and time the certificate was revoked.

    • CRL Entry Extensions: Optional extensions for the CRL entry.

      • X509v3 CRL Reason Code: Reason the certificate was revoked.

  • CRL Extensions: Optional extensions for the CRL.

    • X509v3 Authority Key Identifier: Identifies the public key associated with the private key used to sign the certificate.

    • X509v3 CRL Number: Decimal sequence number for the CRL.

  • Signature Algorithm: Algorithm used by your private CA to sign the CRL.

  • Signature Value: Signature computed over the CRL.

Certificate revocation lists created by ACM PCA are DER-encoded. You can use the following OpenSSL command to list a CRL.

openssl crl -inform DER -text -in crl_path -noout
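The field list above is the DER structure that ACM PCA writes to the S3 bucket. The following Rust is an added example, not code from the rusoto_acm_pca crate or from AWS: it walks that structure with a minimal TLV reader, collects the revoked serial numbers with their revocation dates and X509v3 CRL Reason Codes, and answers "is this serial revoked?" in a way that fails closed when the CRL cannot be parsed. The CRL bytes it reads are constructed inside the block (issuer name, serials, dates and the signature value are made-up placeholders, and the signature is not verified) so that it runs offline; the names `read_tlv`, `parse_crl`, `is_revoked` and `sample_crl_der` are chosen here and are not crate APIs.

```rust
// Added example, not code from the rusoto_acm_pca crate or from AWS: a minimal DER walker for
// the X.509 v2 CRL layout listed above, plus a constructed sample CRL so that it runs offline.
/// One item of the CRL's revokedCertificates list.
pub struct RevokedEntry {
    pub serial_hex: String,      // serial number in hex, DER sign-padding byte removed
    pub revocation_date: String, // UTCTime/GeneralizedTime text exactly as carried in the CRL
    pub reason: Option<u8>,      // X509v3 CRL Reason Code (RFC 5280 CRLReason), if present
}
/// Last Update, Next Update and the revoked entries of one CRL.
pub struct CrlInfo { pub this_update: String, pub next_update: Option<String>, pub revoked: Vec<RevokedEntry> }
const REASON_CODE_OID: &[u8] = &[0x55, 0x1d, 0x15]; // id-ce-cRLReasons, 2.5.29.21

/// Split one DER TLV into (tag, body, remaining bytes); lengths of up to two bytes (64 KiB) are accepted.
fn read_tlv(buf: &[u8]) -> Option<(u8, &[u8], &[u8])> {
    let (tag, first) = (*buf.first()?, *buf.get(1)? as usize);
    let (len, hdr) = if first < 0x80 { (first, 2) } else {
        let n = first & 0x7f;
        if n == 0 || n > 2 { return None; } // 0x80 (indefinite) is not DER; more than 64 KiB is not a CRL this code expects
        (buf.get(2..2 + n)?.iter().fold(0usize, |acc, b| (acc << 8) | *b as usize), 2 + n)
    };
    let end = hdr.checked_add(len)?;
    if end > buf.len() { return None; } // truncated input: refuse rather than guess
    Some((tag, &buf[hdr..end], &buf[end..]))
}
fn hex(int_bytes: &[u8]) -> String {
    // A leading 0x00 in a DER INTEGER only pads a positive value whose top bit is set.
    let b = if int_bytes.len() > 1 && int_bytes[0] == 0 && int_bytes[1] & 0x80 != 0 { &int_bytes[1..] } else { int_bytes };
    b.iter().map(|x| format!("{:02x}", x)).collect()
}

fn parse_entry(entry: &[u8]) -> Option<RevokedEntry> {
    let (tag, serial, rest) = read_tlv(entry)?; if tag != 0x02 { return None; } // userCertificate serial
    let (tag, date, rest) = read_tlv(rest)?; if tag != 0x17 && tag != 0x18 { return None; } // revocationDate
    let mut reason = None;
    if let Some((0x30, mut exts, _)) = read_tlv(rest) { // optional crlEntryExtensions
        while let Some((0x30, ext, next)) = read_tlv(exts) {
            exts = next;
            let (_, oid, after_oid) = read_tlv(ext)?;
            let (tag, mut value, after) = read_tlv(after_oid)?;
            if tag == 0x01 { value = read_tlv(after)?.1; } // skip the optional critical BOOLEAN
            if oid != REASON_CODE_OID { continue; }
            if let Some((0x0a, code, _)) = read_tlv(value) { reason = code.first().copied(); } // ENUMERATED inside OCTET STRING
        }
    }
    Some(RevokedEntry { serial_hex: hex(serial), revocation_date: String::from_utf8_lossy(date).into_owned(), reason })
}

/// CertificateList -> TBSCertList -> thisUpdate, nextUpdate and the revoked entries.
pub fn parse_crl(crl_der: &[u8]) -> Option<CrlInfo> {
    let (outer, cert_list, _) = read_tlv(crl_der)?;
    let (inner, mut tbs, _) = read_tlv(cert_list)?;
    if outer != 0x30 || inner != 0x30 { return None; }
    if let Some((0x02, ver, rest)) = read_tlv(tbs) { // optional version; only v2 (integer 1) is understood
        if ver.len() != 1 || ver[0] != 1 { return None; }
        tbs = rest;
    }
    let (_, _, rest) = read_tlv(tbs)?;  // signature AlgorithmIdentifier
    let (_, _, rest) = read_tlv(rest)?; // issuer Name
    let (tag, this_update, mut rest) = read_tlv(rest)?; if tag != 0x17 && tag != 0x18 { return None; }
    let mut info = CrlInfo { this_update: String::from_utf8_lossy(this_update).into_owned(), next_update: None, revoked: Vec::new() };
    while let Some((tag, body, next)) = read_tlv(rest) { // what follows is optional: nextUpdate, revokedCertificates, [0] crlExtensions
        rest = next;
        match tag {
            0x17 | 0x18 => info.next_update = Some(String::from_utf8_lossy(body).into_owned()),
            0x30 => {
                let mut list = body;
                while let Some((0x30, entry, next)) = read_tlv(list) { list = next; info.revoked.push(parse_entry(entry)?); }
            }
            _ => {} // [0] crlExtensions (CRL Number, Authority Key Identifier) are not needed for a lookup
        }
    }
    Some(info)
}

/// Fails closed: None means the CRL could not be parsed, which must never be read as "not revoked".
pub fn is_revoked(crl_der: &[u8], serial_hex: &str) -> Option<bool> {
    Some(parse_crl(crl_der)?.revoked.iter().any(|e| e.serial_hex.eq_ignore_ascii_case(serial_hex)))
}

// --- constructed sample CRL: issuer, serials, dates and the signature bytes are placeholders ---
fn tlv(tag: u8, body: &[u8]) -> Vec<u8> {
    let (n, mut out) = (body.len(), vec![tag]);
    if n < 0x80 { out.push(n as u8) } else if n < 0x100 { out.extend_from_slice(&[0x81, n as u8]) } else { out.extend_from_slice(&[0x82, (n >> 8) as u8, n as u8]) }
    out.extend_from_slice(body); out
}
fn seq(parts: &[Vec<u8>]) -> Vec<u8> { tlv(0x30, &parts.concat()) }
/// A v2 CRL with two revoked serials and a fake signature value (signed by no CA, so not verifiable).
pub fn sample_crl_der() -> Vec<u8> {
    let sha256_rsa = seq(&[tlv(0x06, &[0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b]), tlv(0x05, &[])]);
    let issuer = seq(&[tlv(0x31, &seq(&[tlv(0x06, &[0x55, 0x04, 0x03]), tlv(0x13, b"Example Private CA")]))]);
    let entry = |serial: &[u8], date: &[u8], reason: u8| {
        let reason_ext = seq(&[tlv(0x06, REASON_CODE_OID), tlv(0x04, &tlv(0x0a, &[reason]))]);
        seq(&[tlv(0x02, serial), tlv(0x17, date), seq(&[reason_ext])])
    };
    let revoked = seq(&[entry(&[0x0f, 0xa1, 0x22], b"240102120000Z", 1), // reason 1 = keyCompromise
        entry(&[0x00, 0xc3, 0x51], b"240103080000Z", 5)]); // reason 5 = cessationOfOperation; the 0x00 pads a high-bit serial
    let tbs = seq(&[tlv(0x02, &[1]), sha256_rsa.clone(), issuer, tlv(0x17, b"240101000000Z"), tlv(0x17, b"240108000000Z"), revoked]);
    seq(&[tbs, sha256_rsa, tlv(0x03, &[0x00, 0xde, 0xad, 0xbe, 0xef])])
}
```

In real use the bytes come from the CRL object ACM PCA writes to the configured S3 bucket, or from the URL carried in the certificate's CRL Distribution Points extension. Two things the walker deliberately does not do belong in the caller: verify the CRL's signature against the issuing CA certificate before trusting its contents, and compare Next Update with the current time, treating a stale CRL, like a `None` from `is_revoked`, as "revocation status unknown" rather than "valid".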

DeleteCertificateAuthorityRequest
DeletePermissionRequest
DescribeCertificateAuthorityAuditReportRequest
DescribeCertificateAuthorityAuditReportResponse
DescribeCertificateAuthorityRequest
DescribeCertificateAuthorityResponse
GetCertificateAuthorityCertificateRequest
GetCertificateAuthorityCertificateResponse
GetCertificateAuthorityCsrRequest
GetCertificateAuthorityCsrResponse
GetCertificateRequest
GetCertificateResponse
ImportCertificateAuthorityCertificateRequest
IssueCertificateRequest
IssueCertificateResponse
ListCertificateAuthoritiesRequest
ListCertificateAuthoritiesResponse
ListPermissionsRequest
ListPermissionsResponse
ListTagsRequest
ListTagsResponse
Permission

Permissions designate which private CA operations can be performed by an AWS service or entity. In order for ACM to automatically renew private certificates, you must give the ACM service principal all available permissions (IssueCertificate, GetCertificate, and ListPermissions). Permissions can be assigned with the CreatePermission operation, removed with the DeletePermission operation, and listed with the ListPermissions operation.

RestoreCertificateAuthorityRequest
RevocationConfiguration

Certificate revocation information used by the CreateCertificateAuthority and UpdateCertificateAuthority operations. Your private certificate authority (CA) can create and maintain a certificate revocation list (CRL). A CRL contains information about certificates revoked by your CA. For more information, see RevokeCertificate.

RevokeCertificateRequest
Tag

Tags are labels that you can use to identify and organize your private CAs. Each tag consists of a key and an optional value. You can associate up to 50 tags with a private CA. To add one or more tags to a private CA, call the TagCertificateAuthority operation. To remove a tag, call the UntagCertificateAuthority operation.

TagCertificateAuthorityRequest
UntagCertificateAuthorityRequest
UpdateCertificateAuthorityRequest
Validity

Length of time for which the certificate issued by your private certificate authority (CA), or by the private CA itself, is valid in days, months, or years. You can issue a certificate by calling the IssueCertificate operation.

Enums

CreateCertificateAuthorityAuditReportError

Errors returned by CreateCertificateAuthorityAuditReport

CreateCertificateAuthorityError

Errors returned by CreateCertificateAuthority

CreatePermissionError

Errors returned by CreatePermission

DeleteCertificateAuthorityError

Errors returned by DeleteCertificateAuthority

DeletePermissionError

Errors returned by DeletePermission

DescribeCertificateAuthorityAuditReportError

Errors returned by DescribeCertificateAuthorityAuditReport

DescribeCertificateAuthorityError

Errors returned by DescribeCertificateAuthority

GetCertificateAuthorityCertificateError

Errors returned by GetCertificateAuthorityCertificate

GetCertificateAuthorityCsrError

Errors returned by GetCertificateAuthorityCsr

GetCertificateError

Errors returned by GetCertificate

ImportCertificateAuthorityCertificateError

Errors returned by ImportCertificateAuthorityCertificate

IssueCertificateError

Errors returned by IssueCertificate

ListCertificateAuthoritiesError

Errors returned by ListCertificateAuthorities

ListPermissionsError

Errors returned by ListPermissions

ListTagsError

Errors returned by ListTags

RestoreCertificateAuthorityError

Errors returned by RestoreCertificateAuthority

RevokeCertificateError

Errors returned by RevokeCertificate

TagCertificateAuthorityError

Errors returned by TagCertificateAuthority

UntagCertificateAuthorityError

Errors returned by UntagCertificateAuthority

UpdateCertificateAuthorityError

Errors returned by UpdateCertificateAuthority

Traits

AcmPca

Trait representing the capabilities of the ACM-PCA API. ACM-PCA clients implement this trait.