AWS Certificate Manager Private Certificate Authority

2018/06/20 - AWS Certificate Manager Private Certificate Authority - 1 new 4 updated api methods

Changes  CA Restore is a new feature within AWS Certificate Manager Private Certificate Authority (ACM PCA) that allows you to restore a private certificate authority that has been deleted. When you issue the DeleteCertificateAuthority call, you can now specify the number of days (7-30, with 30 being the default) in which the private certificate authority will remain in the DELETED state. During this time, the private certificate authority can be restored with the RestoreCertificateAuthority API call and then be returned to the PENDING_CERTIFICATE or DISABLED state, depending upon the state prior to deletion. Summary of API Changes: 1). Added RestoreCertificateAuthority API call; 2). Added optional PermanentDeletionTimeInDays parameter to DeleteCertificateAuthority API call. If this parameter is not specified, the DeleteCertificateAuthority API call will use a 30 day restore period as default.

RestoreCertificateAuthority (new) Link ¶

Restores a certificate authority (CA) that is in the DELETED state. You can restore a CA during the period that you defined in the PermanentDeletionTimeInDays parameter of the DeleteCertificateAuthority operation. Currently, you can specify 7 to 30 days. If you did not specify a PermanentDeletionTimeInDays value, by default you can restore the CA at any time in a 30 day period. You can check the time remaining in the restoration period of a private CA in the DELETED state by calling the DescribeCertificateAuthority or ListCertificateAuthorities operations. The status of a restored CA is set to its pre-deletion status when the RestoreCertificateAuthority operation returns. To change its status to ACTIVE , call the UpdateCertificateAuthority operation. If the private CA was in the PENDING_CERTIFICATE state at deletion, you must use the ImportCertificateAuthorityCertificate operation to import a certificate authority into the private CA before it can be activated. You cannot restore a CA after the restoration period has ended.

See also: AWS API Documentation

Request Syntax

client.restore_certificate_authority(
    CertificateAuthorityArn='string'
)
type CertificateAuthorityArn

string

param CertificateAuthorityArn

[REQUIRED]

The Amazon Resource Name (ARN) that was returned when you called the CreateCertificateAuthority operation. This must be of the form:

``arn:aws:acm-pca:region :account :certificate-authority/12345678-1234-1234-1234-123456789012 ``

returns

None

DeleteCertificateAuthority (updated) Link ¶
Changes (request)
{'PermanentDeletionTimeInDays': 'integer'}

Deletes a private certificate authority (CA). You must provide the ARN (Amazon Resource Name) of the private CA that you want to delete. You can find the ARN by calling the ListCertificateAuthorities operation. Before you can delete a CA, you must disable it. Call the UpdateCertificateAuthority operation and set the CertificateAuthorityStatus parameter to DISABLED .

Additionally, you can delete a CA if you are waiting for it to be created (the Status field of the CertificateAuthority is CREATING ). You can also delete it if the CA has been created but you haven't yet imported the signed certificate (the Status is PENDING_CERTIFICATE ) into ACM PCA.

If the CA is in one of the aforementioned states and you call DeleteCertificateAuthority , the CA's status changes to DELETED . However, the CA won't be permentantly deleted until the restoration period has passed. By default, if you do not set the PermanentDeletionTimeInDays parameter, the CA remains restorable for 30 days. You can set the parameter from 7 to 30 days. The DescribeCertificateAuthority operation returns the time remaining in the restoration window of a Private CA in the DELETED state. To restore an eligable CA, call the RestoreCertificateAuthority operation.

See also: AWS API Documentation

Request Syntax

client.delete_certificate_authority(
    CertificateAuthorityArn='string',
    PermanentDeletionTimeInDays=123
)
type CertificateAuthorityArn

string

param CertificateAuthorityArn

[REQUIRED]

The Amazon Resource Name (ARN) that was returned when you called CreateCertificateAuthority . This must have the following form:

``arn:aws:acm-pca:region :account :certificate-authority/12345678-1234-1234-1234-123456789012 `` .

type PermanentDeletionTimeInDays

integer

param PermanentDeletionTimeInDays

The number of days to make a CA restorable after it has been deleted. This can be anywhere from 7 to 30 days, with 30 being the default.

returns

None

DescribeCertificateAuthority (updated) Link ¶
Changes (response)
{'CertificateAuthority': {'RestorableUntil': 'timestamp',
                          'Status': ['DELETED']}}

Lists information about your private certificate authority (CA). You specify the private CA on input by its ARN (Amazon Resource Name). The output contains the status of your CA. This can be any of the following:

  • CREATING - ACM PCA is creating your private certificate authority.

  • PENDING_CERTIFICATE - The certificate is pending. You must use your on-premises root or subordinate CA to sign your private CA CSR and then import it into PCA.

  • ACTIVE - Your private CA is active.

  • DISABLED - Your private CA has been disabled.

  • EXPIRED - Your private CA certificate has expired.

  • FAILED - Your private CA has failed. Your CA can fail because of problems such a network outage or backend AWS failure or other errors. A failed CA can never return to the pending state. You must create a new CA.

  • DELETED - Your private CA is within the restoration period, after which it will be permanently deleted. The length of time remaining in the CA's restoration period will also be included in this operation's output.

See also: AWS API Documentation

Request Syntax

client.describe_certificate_authority(
    CertificateAuthorityArn='string'
)
type CertificateAuthorityArn

string

param CertificateAuthorityArn

[REQUIRED]

The Amazon Resource Name (ARN) that was returned when you called CreateCertificateAuthority . This must be of the form:

``arn:aws:acm-pca:region :account :certificate-authority/12345678-1234-1234-1234-123456789012 `` .

rtype

dict

returns

Response Syntax

{
    'CertificateAuthority': {
        'Arn': 'string',
        'CreatedAt': datetime(2015, 1, 1),
        'LastStateChangeAt': datetime(2015, 1, 1),
        'Type': 'SUBORDINATE',
        'Serial': 'string',
        'Status': 'CREATING'|'PENDING_CERTIFICATE'|'ACTIVE'|'DELETED'|'DISABLED'|'EXPIRED'|'FAILED',
        'NotBefore': datetime(2015, 1, 1),
        'NotAfter': datetime(2015, 1, 1),
        'FailureReason': 'REQUEST_TIMED_OUT'|'UNSUPPORTED_ALGORITHM'|'OTHER',
        'CertificateAuthorityConfiguration': {
            'KeyAlgorithm': 'RSA_2048'|'RSA_4096'|'EC_prime256v1'|'EC_secp384r1',
            'SigningAlgorithm': 'SHA256WITHECDSA'|'SHA384WITHECDSA'|'SHA512WITHECDSA'|'SHA256WITHRSA'|'SHA384WITHRSA'|'SHA512WITHRSA',
            'Subject': {
                'Country': 'string',
                'Organization': 'string',
                'OrganizationalUnit': 'string',
                'DistinguishedNameQualifier': 'string',
                'State': 'string',
                'CommonName': 'string',
                'SerialNumber': 'string',
                'Locality': 'string',
                'Title': 'string',
                'Surname': 'string',
                'GivenName': 'string',
                'Initials': 'string',
                'Pseudonym': 'string',
                'GenerationQualifier': 'string'
            }
        },
        'RevocationConfiguration': {
            'CrlConfiguration': {
                'Enabled': True|False,
                'ExpirationInDays': 123,
                'CustomCname': 'string',
                'S3BucketName': 'string'
            }
        },
        'RestorableUntil': datetime(2015, 1, 1)
    }
}

Response Structure

  • (dict) --

    • CertificateAuthority (dict) --

      A CertificateAuthority structure that contains information about your private CA.

      • Arn (string) --

        Amazon Resource Name (ARN) for your private certificate authority (CA). The format is `` 12345678-1234-1234-1234-123456789012 `` .

      • CreatedAt (datetime) --

        Date and time at which your private CA was created.

      • LastStateChangeAt (datetime) --

        Date and time at which your private CA was last updated.

      • Type (string) --

        Type of your private CA.

      • Serial (string) --

        Serial number of your private CA.

      • Status (string) --

        Status of your private CA.

      • NotBefore (datetime) --

        Date and time before which your private CA certificate is not valid.

      • NotAfter (datetime) --

        Date and time after which your private CA certificate is not valid.

      • FailureReason (string) --

        Reason the request to create your private CA failed.

      • CertificateAuthorityConfiguration (dict) --

        Your private CA configuration.

        • KeyAlgorithm (string) --

          Type of the public key algorithm and size, in bits, of the key pair that your key pair creates when it issues a certificate.

        • SigningAlgorithm (string) --

          Name of the algorithm your private CA uses to sign certificate requests.

        • Subject (dict) --

          Structure that contains X.500 distinguished name information for your private CA.

          • Country (string) --

            Two-digit code that specifies the country in which the certificate subject located.

          • Organization (string) --

            Legal name of the organization with which the certificate subject is affiliated.

          • OrganizationalUnit (string) --

            A subdivision or unit of the organization (such as sales or finance) with which the certificate subject is affiliated.

          • DistinguishedNameQualifier (string) --

            Disambiguating information for the certificate subject.

          • State (string) --

            State in which the subject of the certificate is located.

          • CommonName (string) --

            Fully qualified domain name (FQDN) associated with the certificate subject.

          • SerialNumber (string) --

            The certificate serial number.

          • Locality (string) --

            The locality (such as a city or town) in which the certificate subject is located.

          • Title (string) --

            A title such as Mr. or Ms., which is pre-pended to the name to refer formally to the certificate subject.

          • Surname (string) --

            Family name. In the US and the UK, for example, the surname of an individual is ordered last. In Asian cultures the surname is typically ordered first.

          • GivenName (string) --

            First name.

          • Initials (string) --

            Concatenation that typically contains the first letter of the GivenName , the first letter of the middle name if one exists, and the first letter of the SurName .

          • Pseudonym (string) --

            Typically a shortened version of a longer GivenName . For example, Jonathan is often shortened to John. Elizabeth is often shortened to Beth, Liz, or Eliza.

          • GenerationQualifier (string) --

            Typically a qualifier appended to the name of an individual. Examples include Jr. for junior, Sr. for senior, and III for third.

      • RevocationConfiguration (dict) --

        Information about the certificate revocation list (CRL) created and maintained by your private CA.

        • CrlConfiguration (dict) --

          Configuration of the certificate revocation list (CRL), if any, maintained by your private CA.

          • Enabled (boolean) --

            Boolean value that specifies whether certificate revocation lists (CRLs) are enabled. You can use this value to enable certificate revocation for a new CA when you call the CreateCertificateAuthority operation or for an existing CA when you call the UpdateCertificateAuthority operation.

          • ExpirationInDays (integer) --

            Number of days until a certificate expires.

          • CustomCname (string) --

            Name inserted into the certificate CRL Distribution Points extension that enables the use of an alias for the CRL distribution point. Use this value if you don't want the name of your S3 bucket to be public.

          • S3BucketName (string) --

            Name of the S3 bucket that contains the CRL. If you do not provide a value for the CustomCname argument, the name of your S3 bucket is placed into the CRL Distribution Points extension of the issued certificate. You can change the name of your bucket by calling the UpdateCertificateAuthority operation. You must specify a bucket policy that allows ACM PCA to write the CRL to your bucket.

      • RestorableUntil (datetime) --

        The period during which a deleted CA can be restored. For more information, see the PermanentDeletionTimeInDays parameter of the DeleteCertificateAuthorityRequest operation.

ListCertificateAuthorities (updated) Link ¶
Changes (response)
{'CertificateAuthorities': {'RestorableUntil': 'timestamp',
                            'Status': ['DELETED']}}

Lists the private certificate authorities that you created by using the CreateCertificateAuthority operation.

See also: AWS API Documentation

Request Syntax

client.list_certificate_authorities(
    NextToken='string',
    MaxResults=123
)
type NextToken

string

param NextToken

Use this parameter when paginating results in a subsequent request after you receive a response with truncated results. Set it to the value of the NextToken parameter from the response you just received.

type MaxResults

integer

param MaxResults

Use this parameter when paginating results to specify the maximum number of items to return in the response on each page. If additional items exist beyond the number you specify, the NextToken element is sent in the response. Use this NextToken value in a subsequent request to retrieve additional items.

rtype

dict

returns

Response Syntax

{
    'CertificateAuthorities': [
        {
            'Arn': 'string',
            'CreatedAt': datetime(2015, 1, 1),
            'LastStateChangeAt': datetime(2015, 1, 1),
            'Type': 'SUBORDINATE',
            'Serial': 'string',
            'Status': 'CREATING'|'PENDING_CERTIFICATE'|'ACTIVE'|'DELETED'|'DISABLED'|'EXPIRED'|'FAILED',
            'NotBefore': datetime(2015, 1, 1),
            'NotAfter': datetime(2015, 1, 1),
            'FailureReason': 'REQUEST_TIMED_OUT'|'UNSUPPORTED_ALGORITHM'|'OTHER',
            'CertificateAuthorityConfiguration': {
                'KeyAlgorithm': 'RSA_2048'|'RSA_4096'|'EC_prime256v1'|'EC_secp384r1',
                'SigningAlgorithm': 'SHA256WITHECDSA'|'SHA384WITHECDSA'|'SHA512WITHECDSA'|'SHA256WITHRSA'|'SHA384WITHRSA'|'SHA512WITHRSA',
                'Subject': {
                    'Country': 'string',
                    'Organization': 'string',
                    'OrganizationalUnit': 'string',
                    'DistinguishedNameQualifier': 'string',
                    'State': 'string',
                    'CommonName': 'string',
                    'SerialNumber': 'string',
                    'Locality': 'string',
                    'Title': 'string',
                    'Surname': 'string',
                    'GivenName': 'string',
                    'Initials': 'string',
                    'Pseudonym': 'string',
                    'GenerationQualifier': 'string'
                }
            },
            'RevocationConfiguration': {
                'CrlConfiguration': {
                    'Enabled': True|False,
                    'ExpirationInDays': 123,
                    'CustomCname': 'string',
                    'S3BucketName': 'string'
                }
            },
            'RestorableUntil': datetime(2015, 1, 1)
        },
    ],
    'NextToken': 'string'
}

Response Structure

  • (dict) --

    • CertificateAuthorities (list) --

      Summary information about each certificate authority you have created.

      • (dict) --

        Contains information about your private certificate authority (CA). Your private CA can issue and revoke X.509 digital certificates. Digital certificates verify that the entity named in the certificate Subject field owns or controls the public key contained in the Subject Public Key Info field. Call the CreateCertificateAuthority operation to create your private CA. You must then call the GetCertificateAuthorityCertificate operation to retrieve a private CA certificate signing request (CSR). Take the CSR to your on-premises CA and sign it with the root CA certificate or a subordinate certificate. Call the ImportCertificateAuthorityCertificate operation to import the signed certificate into AWS Certificate Manager (ACM).

        • Arn (string) --

          Amazon Resource Name (ARN) for your private certificate authority (CA). The format is `` 12345678-1234-1234-1234-123456789012 `` .

        • CreatedAt (datetime) --

          Date and time at which your private CA was created.

        • LastStateChangeAt (datetime) --

          Date and time at which your private CA was last updated.

        • Type (string) --

          Type of your private CA.

        • Serial (string) --

          Serial number of your private CA.

        • Status (string) --

          Status of your private CA.

        • NotBefore (datetime) --

          Date and time before which your private CA certificate is not valid.

        • NotAfter (datetime) --

          Date and time after which your private CA certificate is not valid.

        • FailureReason (string) --

          Reason the request to create your private CA failed.

        • CertificateAuthorityConfiguration (dict) --

          Your private CA configuration.

          • KeyAlgorithm (string) --

            Type of the public key algorithm and size, in bits, of the key pair that your key pair creates when it issues a certificate.

          • SigningAlgorithm (string) --

            Name of the algorithm your private CA uses to sign certificate requests.

          • Subject (dict) --

            Structure that contains X.500 distinguished name information for your private CA.

            • Country (string) --

              Two-digit code that specifies the country in which the certificate subject located.

            • Organization (string) --

              Legal name of the organization with which the certificate subject is affiliated.

            • OrganizationalUnit (string) --

              A subdivision or unit of the organization (such as sales or finance) with which the certificate subject is affiliated.

            • DistinguishedNameQualifier (string) --

              Disambiguating information for the certificate subject.

            • State (string) --

              State in which the subject of the certificate is located.

            • CommonName (string) --

              Fully qualified domain name (FQDN) associated with the certificate subject.

            • SerialNumber (string) --

              The certificate serial number.

            • Locality (string) --

              The locality (such as a city or town) in which the certificate subject is located.

            • Title (string) --

              A title such as Mr. or Ms., which is pre-pended to the name to refer formally to the certificate subject.

            • Surname (string) --

              Family name. In the US and the UK, for example, the surname of an individual is ordered last. In Asian cultures the surname is typically ordered first.

            • GivenName (string) --

              First name.

            • Initials (string) --

              Concatenation that typically contains the first letter of the GivenName , the first letter of the middle name if one exists, and the first letter of the SurName .

            • Pseudonym (string) --

              Typically a shortened version of a longer GivenName . For example, Jonathan is often shortened to John. Elizabeth is often shortened to Beth, Liz, or Eliza.

            • GenerationQualifier (string) --

              Typically a qualifier appended to the name of an individual. Examples include Jr. for junior, Sr. for senior, and III for third.

        • RevocationConfiguration (dict) --

          Information about the certificate revocation list (CRL) created and maintained by your private CA.

          • CrlConfiguration (dict) --

            Configuration of the certificate revocation list (CRL), if any, maintained by your private CA.

            • Enabled (boolean) --

              Boolean value that specifies whether certificate revocation lists (CRLs) are enabled. You can use this value to enable certificate revocation for a new CA when you call the CreateCertificateAuthority operation or for an existing CA when you call the UpdateCertificateAuthority operation.

            • ExpirationInDays (integer) --

              Number of days until a certificate expires.

            • CustomCname (string) --

              Name inserted into the certificate CRL Distribution Points extension that enables the use of an alias for the CRL distribution point. Use this value if you don't want the name of your S3 bucket to be public.

            • S3BucketName (string) --

              Name of the S3 bucket that contains the CRL. If you do not provide a value for the CustomCname argument, the name of your S3 bucket is placed into the CRL Distribution Points extension of the issued certificate. You can change the name of your bucket by calling the UpdateCertificateAuthority operation. You must specify a bucket policy that allows ACM PCA to write the CRL to your bucket.

        • RestorableUntil (datetime) --

          The period during which a deleted CA can be restored. For more information, see the PermanentDeletionTimeInDays parameter of the DeleteCertificateAuthorityRequest operation.

    • NextToken (string) --

      When the list is truncated, this value is present and should be used for the NextToken parameter in a subsequent pagination request.

UpdateCertificateAuthority (updated) Link ¶
Changes (request)
{'Status': ['DELETED']}

Updates the status or configuration of a private certificate authority (CA). Your private CA must be in the ACTIVE or DISABLED state before you can update it. You can disable a private CA that is in the ACTIVE state or make a CA that is in the DISABLED state active again.

See also: AWS API Documentation

Request Syntax

client.update_certificate_authority(
    CertificateAuthorityArn='string',
    RevocationConfiguration={
        'CrlConfiguration': {
            'Enabled': True|False,
            'ExpirationInDays': 123,
            'CustomCname': 'string',
            'S3BucketName': 'string'
        }
    },
    Status='CREATING'|'PENDING_CERTIFICATE'|'ACTIVE'|'DELETED'|'DISABLED'|'EXPIRED'|'FAILED'
)
type CertificateAuthorityArn

string

param CertificateAuthorityArn

[REQUIRED]

Amazon Resource Name (ARN) of the private CA that issued the certificate to be revoked. This must be of the form:

``arn:aws:acm-pca:region :account :certificate-authority/12345678-1234-1234-1234-123456789012 ``

type RevocationConfiguration

dict

param RevocationConfiguration

Revocation information for your private CA.

  • CrlConfiguration (dict) --

    Configuration of the certificate revocation list (CRL), if any, maintained by your private CA.

    • Enabled (boolean) -- [REQUIRED]

      Boolean value that specifies whether certificate revocation lists (CRLs) are enabled. You can use this value to enable certificate revocation for a new CA when you call the CreateCertificateAuthority operation or for an existing CA when you call the UpdateCertificateAuthority operation.

    • ExpirationInDays (integer) --

      Number of days until a certificate expires.

    • CustomCname (string) --

      Name inserted into the certificate CRL Distribution Points extension that enables the use of an alias for the CRL distribution point. Use this value if you don't want the name of your S3 bucket to be public.

    • S3BucketName (string) --

      Name of the S3 bucket that contains the CRL. If you do not provide a value for the CustomCname argument, the name of your S3 bucket is placed into the CRL Distribution Points extension of the issued certificate. You can change the name of your bucket by calling the UpdateCertificateAuthority operation. You must specify a bucket policy that allows ACM PCA to write the CRL to your bucket.

type Status

string

param Status

Status of your private CA.

returns

None