From d3f9d15002ac4a11968ee984b6b061f324428e2a Mon Sep 17 00:00:00 2001
From: awstools
Date: Mon, 17 Jun 2024 18:23:16 +0000
Subject: [PATCH] docs(client-acm-pca): Doc-only update that adds name constraints as an allowed extension for ImportCertificateAuthorityCertificate.
---
 .../CreateCertificateAuthorityCommand.ts | 2 +-
 ...tCertificateAuthorityCertificateCommand.ts | 36 +++++++++----------
 clients/client-acm-pca/src/models/models_0.ts | 2 +-
 codegen/sdk-codegen/aws-models/acm-pca.json | 6 ++--
 4 files changed, 22 insertions(+), 24 deletions(-)
diff --git a/clients/client-acm-pca/src/commands/CreateCertificateAuthorityCommand.ts b/clients/client-acm-pca/src/commands/CreateCertificateAuthorityCommand.ts
index e8aa90addb8f..b17f7486fb03 100644
--- a/clients/client-acm-pca/src/commands/CreateCertificateAuthorityCommand.ts
+++ b/clients/client-acm-pca/src/commands/CreateCertificateAuthorityCommand.ts
@@ -47,7 +47,7 @@ export interface CreateCertificateAuthorityCommandOutput extends CreateCertifica
 * policies for CRLs in Amazon S3.

* *

Amazon Web Services Private CA assets that are stored in Amazon S3 can be protected with encryption.
- * For more information, see Encrypting Your
+ * For more information, see Encrypting Your
 * CRLs.

* @example
 * Use a bare-bones client and the command you need to make an API call.
diff --git a/clients/client-acm-pca/src/commands/ImportCertificateAuthorityCertificateCommand.ts b/clients/client-acm-pca/src/commands/ImportCertificateAuthorityCertificateCommand.ts
index c4927b8d9d4b..15da5b731412 100644
--- a/clients/client-acm-pca/src/commands/ImportCertificateAuthorityCertificateCommand.ts
+++ b/clients/client-acm-pca/src/commands/ImportCertificateAuthorityCertificateCommand.ts
@@ -102,64 +102,62 @@ export interface ImportCertificateAuthorityCertificateCommandOutput extends __Me
 * certificate or chain.

* *

Amazon Web Services Private CA rejects the following extensions when they are marked critical in an * imported CA certificate or chain.

*
+ *

Amazon Web Services Private Certificate Authority will also reject any other extension marked as critical not contained on the preceding list of allowed extensions.

* @example
 * Use a bare-bones client and the command you need to make an API call.
 * ```javascript
diff --git a/clients/client-acm-pca/src/models/models_0.ts b/clients/client-acm-pca/src/models/models_0.ts
index cf3318915dfb..ee1a4e086637 100644
--- a/clients/client-acm-pca/src/models/models_0.ts
+++ b/clients/client-acm-pca/src/models/models_0.ts
@@ -531,7 +531,7 @@ export type S3ObjectAcl = (typeof S3ObjectAcl)[keyof typeof S3ObjectAcl];
 * parameter. Your S3
 * bucket policy must give write permission to Amazon Web Services Private CA.

*

Amazon Web Services Private CA assets that are stored in Amazon S3 can be protected with encryption.
- * For more information, see Encrypting Your
+ * For more information, see Encrypting Your
 * CRLs.

*

Your private CA uses the value in the ExpirationInDays parameter to calculate the nextUpdate field in the CRL. The CRL is refreshed prior to a
 * certificate's expiration date or when a certificate is revoked. When a certificate is
diff --git a/codegen/sdk-codegen/aws-models/acm-pca.json b/codegen/sdk-codegen/aws-models/acm-pca.json
index 5797e7528a36..b441e83dbfb2 100644
--- a/codegen/sdk-codegen/aws-models/acm-pca.json
+++ b/codegen/sdk-codegen/aws-models/acm-pca.json
@@ -1773,7 +1773,7 @@ } ], "traits": {
- "smithy.api#documentation": "

Creates a root or subordinate private certificate authority (CA). You must specify the\n\t\t\tCA configuration, an optional configuration for Online Certificate Status Protocol\n\t\t\t(OCSP) and/or a certificate revocation list (CRL), the CA type, and an optional\n\t\t\tidempotency token to avoid accidental creation of multiple CAs. The CA configuration\n\t\t\tspecifies the name of the algorithm and key size to be used to create the CA private\n\t\t\tkey, the type of signing algorithm that the CA uses, and X.500 subject information. The\n\t\t\tOCSP configuration can optionally specify a custom URL for the OCSP responder. The CRL\n\t\t\tconfiguration specifies the CRL expiration period in days (the validity period of the\n\t\t\tCRL), the Amazon S3 bucket that will contain the CRL, and a CNAME alias for the S3\n\t\t\tbucket that is included in certificates issued by the CA. If successful, this action\n\t\t\treturns the Amazon Resource Name (ARN) of the CA.

\n \n

Both Amazon Web Services Private CA and the IAM principal must have permission to write to\n the S3 bucket that you specify. If the IAM principal making the call\n does not have permission to write to the bucket, then an exception is\n thrown. For more information, see Access \n\t\t\t\t\t\tpolicies for CRLs in Amazon S3.

\n
\n

Amazon Web Services Private CA assets that are stored in Amazon S3 can be protected with encryption. \n For more information, see Encrypting Your\n\t\t\tCRLs.

", + "smithy.api#documentation": "

Creates a root or subordinate private certificate authority (CA). You must specify the\n\t\t\tCA configuration, an optional configuration for Online Certificate Status Protocol\n\t\t\t(OCSP) and/or a certificate revocation list (CRL), the CA type, and an optional\n\t\t\tidempotency token to avoid accidental creation of multiple CAs. The CA configuration\n\t\t\tspecifies the name of the algorithm and key size to be used to create the CA private\n\t\t\tkey, the type of signing algorithm that the CA uses, and X.500 subject information. The\n\t\t\tOCSP configuration can optionally specify a custom URL for the OCSP responder. The CRL\n\t\t\tconfiguration specifies the CRL expiration period in days (the validity period of the\n\t\t\tCRL), the Amazon S3 bucket that will contain the CRL, and a CNAME alias for the S3\n\t\t\tbucket that is included in certificates issued by the CA. If successful, this action\n\t\t\treturns the Amazon Resource Name (ARN) of the CA.

\n \n

Both Amazon Web Services Private CA and the IAM principal must have permission to write to\n the S3 bucket that you specify. If the IAM principal making the call\n does not have permission to write to the bucket, then an exception is\n thrown. For more information, see Access \n\t\t\t\t\t\tpolicies for CRLs in Amazon S3.

\n
\n

Amazon Web Services Private CA assets that are stored in Amazon S3 can be protected with encryption. \n For more information, see Encrypting Your\n\t\t\tCRLs.

", "smithy.api#idempotent": {} } }, @@ -2035,7 +2035,7 @@ } }, "traits": { - "smithy.api#documentation": "

Contains configuration information for a certificate revocation list (CRL). Your\n\t\t\tprivate certificate authority (CA) creates base CRLs. Delta CRLs are not supported. You\n\t\t\tcan enable CRLs for your new or an existing private CA by setting the Enabled parameter to true. Your private CA\n\t\t\twrites CRLs to an S3 bucket that you specify in the S3BucketName parameter. You can hide the name of your bucket by\n\t\t\tspecifying a value for the CustomCname parameter. Your\n\t\t\tprivate CA by default copies the CNAME or the S3 bucket name to the CRL\n\t\t\t\tDistribution Points extension of each certificate it issues. If you want to configure\n\t\t\t\tthis default behavior to be something different, you can set the CrlDistributionPointExtensionConfiguration \n\t\t\t\tparameter. Your S3\n\t\t\tbucket policy must give write permission to Amazon Web Services Private CA.

\n

Amazon Web Services Private CA assets that are stored in Amazon S3 can be protected with encryption. \n For more information, see Encrypting Your\n\t\t\tCRLs.

\n

Your private CA uses the value in the ExpirationInDays parameter to calculate the nextUpdate field in the CRL. The CRL is refreshed prior to a\n\t\t\tcertificate's expiration date or when a certificate is revoked. When a certificate is\n\t\t\trevoked, it appears in the CRL until the certificate expires, and then in one additional\n\t\t\tCRL after expiration, and it always appears in the audit report.

\n

A CRL is typically updated approximately 30 minutes after a certificate \n\tis revoked. If for any reason a CRL update fails, Amazon Web Services Private CA makes further attempts \n\tevery 15 minutes.

\n

CRLs contain the following fields:

\n \n

Certificate revocation lists created by Amazon Web Services Private CA are DER-encoded. You can use the\n\t\t\tfollowing OpenSSL command to list a CRL.

\n

\n openssl crl -inform DER -text -in crl_path\n\t\t\t-noout\n

\n

For more information, see Planning a certificate revocation list\n\t\t\t\t(CRL) in the Amazon Web Services Private Certificate Authority User Guide\n

" + "smithy.api#documentation": "

Contains configuration information for a certificate revocation list (CRL). Your\n\t\t\tprivate certificate authority (CA) creates base CRLs. Delta CRLs are not supported. You\n\t\t\tcan enable CRLs for your new or an existing private CA by setting the Enabled parameter to true. Your private CA\n\t\t\twrites CRLs to an S3 bucket that you specify in the S3BucketName parameter. You can hide the name of your bucket by\n\t\t\tspecifying a value for the CustomCname parameter. Your\n\t\t\tprivate CA by default copies the CNAME or the S3 bucket name to the CRL\n\t\t\t\tDistribution Points extension of each certificate it issues. If you want to configure\n\t\t\t\tthis default behavior to be something different, you can set the CrlDistributionPointExtensionConfiguration \n\t\t\t\tparameter. Your S3\n\t\t\tbucket policy must give write permission to Amazon Web Services Private CA.

\n

Amazon Web Services Private CA assets that are stored in Amazon S3 can be protected with encryption. \n For more information, see Encrypting Your\n\t\t\tCRLs.

\n

Your private CA uses the value in the ExpirationInDays parameter to calculate the nextUpdate field in the CRL. The CRL is refreshed prior to a\n\t\t\tcertificate's expiration date or when a certificate is revoked. When a certificate is\n\t\t\trevoked, it appears in the CRL until the certificate expires, and then in one additional\n\t\t\tCRL after expiration, and it always appears in the audit report.

\n

A CRL is typically updated approximately 30 minutes after a certificate \n\tis revoked. If for any reason a CRL update fails, Amazon Web Services Private CA makes further attempts \n\tevery 15 minutes.

\n

CRLs contain the following fields:

\n \n

Certificate revocation lists created by Amazon Web Services Private CA are DER-encoded. You can use the\n\t\t\tfollowing OpenSSL command to list a CRL.

\n

\n openssl crl -inform DER -text -in crl_path\n\t\t\t-noout\n

\n

For more information, see Planning a certificate revocation list\n\t\t\t\t(CRL) in the Amazon Web Services Private Certificate Authority User Guide\n

" } }, "com.amazonaws.acmpca#CrlDistributionPointExtensionConfiguration": { @@ -3059,7 +3059,7 @@ } ], "traits": { - "smithy.api#documentation": "

Imports a signed private CA certificate into Amazon Web Services Private CA. This action is used when you\n\t\t\tare using a chain of trust whose root is located outside Amazon Web Services Private CA. Before you can call\n\t\t\tthis action, the following preparations must in place:

\n
    \n
  1. \n

    In Amazon Web Services Private CA, call the CreateCertificateAuthority action to create the private CA that you\n\t\t\t\t\tplan to back with the imported certificate.

    \n
  2. \n
  3. \n

    Call the GetCertificateAuthorityCsr action to generate a certificate signing\n\t\t\t\t\trequest (CSR).

    \n
  4. \n
  5. \n

    Sign the CSR using a root or intermediate CA hosted by either an on-premises\n\t\t\t\t\tPKI hierarchy or by a commercial CA.

    \n
  6. \n
  7. \n

    Create a certificate chain and copy the signed certificate and the certificate\n\t\t\t\t\tchain to your working directory.

    \n
  8. \n
\n

Amazon Web Services Private CA supports three scenarios for installing a CA certificate:

\n \n

The following additional requirements apply when you import a CA certificate.

\n \n

\n Enforcement of Critical Constraints\n

\n

Amazon Web Services Private CA allows the following extensions to be marked critical in the imported CA\n\t\t\tcertificate or chain.

\n \n

Amazon Web Services Private CA rejects the following extensions when they are marked critical in an\n\t\t\timported CA certificate or chain.

\n " + "smithy.api#documentation": "

Imports a signed private CA certificate into Amazon Web Services Private CA. This action is used when you\n\t\t\tare using a chain of trust whose root is located outside Amazon Web Services Private CA. Before you can call\n\t\t\tthis action, the following preparations must in place:

\n
    \n
  1. \n

    In Amazon Web Services Private CA, call the CreateCertificateAuthority action to create the private CA that you\n\t\t\t\t\tplan to back with the imported certificate.

    \n
  2. \n
  3. \n

    Call the GetCertificateAuthorityCsr action to generate a certificate signing\n\t\t\t\t\trequest (CSR).

    \n
  4. \n
  5. \n

    Sign the CSR using a root or intermediate CA hosted by either an on-premises\n\t\t\t\t\tPKI hierarchy or by a commercial CA.

    \n
  6. \n
  7. \n

    Create a certificate chain and copy the signed certificate and the certificate\n\t\t\t\t\tchain to your working directory.

    \n
  8. \n
\n

Amazon Web Services Private CA supports three scenarios for installing a CA certificate:

\n \n

The following additional requirements apply when you import a CA certificate.

\n \n

\n Enforcement of Critical Constraints\n

\n

Amazon Web Services Private CA allows the following extensions to be marked critical in the imported CA\n\t\t\tcertificate or chain.

\n \n

Amazon Web Services Private CA rejects the following extensions when they are marked critical in an\n\t\t\timported CA certificate or chain.

\n \n

Amazon Web Services Private Certificate Authority will also reject any other extension marked as critical not contained on the preceding list of allowed extensions.

" } }, "com.amazonaws.acmpca#ImportCertificateAuthorityCertificateRequest": {