Certificate

acm.services.k8s.aws/v1alpha1

TypeLink
GoDocacm-controller/apis/v1alpha1#Certificate

Metadata

PropertyValue
ScopeNamespaced
KindCertificate
ListKindCertificateList
Pluralcertificates
Singularcertificate

Spec

certificateAuthorityARN: string
domainName: string
domainValidationOptions:
- domainName: string
  validationDomain: string
keyAlgorithm: string
options: 
  certificateTransparencyLoggingPreference: string
subjectAlternativeNames:
- string
tags:
- key: string
  value: string
FieldDescription
certificateAuthorityARN
Optional
string
The Amazon Resource Name (ARN) of the private certificate authority (CA)
that will be used to issue the certificate. If you do not provide an ARN
and you are trying to request a private certificate, ACM will attempt to
issue a public certificate. For more information about private CAs, see the
Amazon Web Services Private Certificate Authority (https://docs.aws.amazon.com/privateca/latest/userguide/PcaWelcome.html)
user guide. The ARN must have the following form:


arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012
domainName
Required
string
Fully qualified domain name (FQDN), such as www.example.com, that you want
to secure with an ACM certificate. Use an asterisk () to create a wildcard
certificate that protects several sites in the same domain. For example,
.example.com protects www.example.com, site.example.com, and images.example.com.


In compliance with RFC 5280 (https://datatracker.ietf.org/doc/html/rfc5280),
the length of the domain name (technically, the Common Name) that you provide
cannot exceed 64 octets (characters), including periods. To add a longer
domain name, specify it in the Subject Alternative Name field, which supports
names up to 253 octets in length.
domainValidationOptions
Optional
array
The domain name that you want ACM to use to send you emails so that you can
validate domain ownership.
domainValidationOptions.[]
Required
object
Contains information about the domain names that you want ACM to use to send
you emails that enable you to validate domain ownership.
domainValidationOptions.[].validationDomain
Optional
string
keyAlgorithm
Optional
string
Specifies the algorithm of the public and private key pair that your certificate
uses to encrypt data. RSA is the default key algorithm for ACM certificates.
Elliptic Curve Digital Signature Algorithm (ECDSA) keys are smaller, offering
security comparable to RSA keys but with greater computing efficiency. However,
ECDSA is not supported by all network clients. Some AWS services may require
RSA keys, or only support ECDSA keys of a particular size, while others allow
the use of either RSA and ECDSA keys to ensure that compatibility is not
broken. Check the requirements for the AWS service where you plan to deploy
your certificate.


Default: RSA_2048
options
Optional
object
Currently, you can use this parameter to specify whether to add the certificate
to a certificate transparency log. Certificate transparency makes it possible
to detect SSL/TLS certificates that have been mistakenly or maliciously issued.
Certificates that have not been logged typically produce an error message
in a browser. For more information, see Opting Out of Certificate Transparency
Logging (https://docs.aws.amazon.com/acm/latest/userguide/acm-bestpractices.html#best-practices-transparency).
options.certificateTransparencyLoggingPreference
Optional
string
subjectAlternativeNames
Optional
array
Additional FQDNs to be included in the Subject Alternative Name extension
of the ACM certificate. For example, add the name www.example.net to a certificate
for which the DomainName field is www.example.com if users can reach your
site by using either name. The maximum number of domain names that you can
add to an ACM certificate is 100. However, the initial quota is 10 domain
names. If you need more than 10 names, you must request a quota increase.
For more information, see Quotas (https://docs.aws.amazon.com/acm/latest/userguide/acm-limits.html).


The maximum length of a SAN DNS name is 253 octets. The name is made up of
multiple labels separated by periods. No label can be longer than 63 octets.
Consider the following examples:


* (63 octets).(63 octets).(63 octets).(61 octets) is legal because the
total length is 253 octets (63+1+63+1+63+1+61) and no label exceeds 63
octets.


* (64 octets).(63 octets).(63 octets).(61 octets) is not legal because
the total length exceeds 253 octets (64+1+63+1+63+1+61) and the first
label exceeds 63 octets.


* (63 octets).(63 octets).(63 octets).(62 octets) is not legal because
the total length of the DNS name (63+1+63+1+63+1+62) exceeds 253 octets.
subjectAlternativeNames.[]
Required
string
tags.[]
Required
object
A key-value pair that identifies or specifies metadata about an ACM resource.
tags.[].value
Optional
string

Status

ackResourceMetadata: 
  arn: string
  ownerAccountID: string
  region: string
conditions:
- lastTransitionTime: string
  message: string
  reason: string
  status: string
  type: string
createdAt: string
domainValidations:
- domainName: string
  resourceRecord: 
    name: string
    type_: string
    value: string
  validationDomain: string
  validationEmails:
  - string
  validationMethod: string
  validationStatus: string
extendedKeyUsages:
- name: string
  oid: string
failureReason: string
importedAt: string
inUseBy:
- string
issuedAt: string
issuer: string
keyUsages:
- name: string
notAfter: string
notBefore: string
renewalEligibility: string
renewalSummary: 
  domainValidationOptions:
  - domainName: string
    resourceRecord: 
      name: string
      type_: string
      value: string
    validationDomain: string
    validationEmails:
    - string
    validationMethod: string
    validationStatus: string
  renewalStatus: string
  renewalStatusReason: string
  updatedAt: string
revocationReason: string
revokedAt: string
serial: string
signatureAlgorithm: string
status: string
subject: string
type_: string
FieldDescription
ackResourceMetadata
Optional
object
All CRs managed by ACK have a common Status.ACKResourceMetadata member
that is used to contain resource sync state, account ownership,
constructed ARN for the resource
ackResourceMetadata.arn
Optional
string
ARN is the Amazon Resource Name for the resource. This is a
globally-unique identifier and is set only by the ACK service controller
once the controller has orchestrated the creation of the resource OR
when it has verified that an “adopted” resource (a resource where the
ARN annotation was set by the Kubernetes user on the CR) exists and
matches the supplied CR’s Spec field values.
TODO(vijat@): Find a better strategy for resources that do not have ARN in CreateOutputResponse
https://github.com/aws/aws-controllers-k8s/issues/270
ackResourceMetadata.ownerAccountID
Required
string
OwnerAccountID is the AWS Account ID of the account that owns the
backend AWS service API resource.
ackResourceMetadata.region
Required
string
Region is the AWS region in which the resource exists or will exist.
conditions
Optional
array
All CRS managed by ACK have a common Status.Conditions member that
contains a collection of ackv1alpha1.Condition objects that describe
the various terminal states of the CR and its backend AWS service API
resource
conditions.[]
Required
object
Condition is the common struct used by all CRDs managed by ACK service
controllers to indicate terminal states of the CR and its backend AWS
service API resource
conditions.[].message
Optional
string
A human readable message indicating details about the transition.
conditions.[].reason
Optional
string
The reason for the condition’s last transition.
conditions.[].status
Optional
string
Status of the condition, one of True, False, Unknown.
conditions.[].type
Optional
string
Type is the type of the Condition
createdAt
Optional
string
The time at which the certificate was requested.
domainValidations
Optional
array
Contains information about the initial validation of each domain name that
occurs as a result of the RequestCertificate request. This field exists only
when the certificate type is AMAZON_ISSUED.
domainValidations.[]
Required
object
Contains information about the validation of each domain name in the certificate.
domainValidations.[].resourceRecord
Optional
object
Contains a DNS record value that you can use to validate ownership or control
of a domain. This is used by the DescribeCertificate action.
domainValidations.[].resourceRecord.name
Optional
string
**domainValidations.[].resourceRecord.type_**
Optional
string
domainValidations.[].resourceRecord.value
Optional
string
domainValidations.[].validationDomain
Optional
string
domainValidations.[].validationEmails
Optional
array
domainValidations.[].validationEmails.[]
Required
string
domainValidations.[].validationStatus
Optional
string
extendedKeyUsages
Optional
array
Contains a list of Extended Key Usage X.509 v3 extension objects. Each object
specifies a purpose for which the certificate public key can be used and
consists of a name and an object identifier (OID).
extendedKeyUsages.[]
Required
object
The Extended Key Usage X.509 v3 extension defines one or more purposes for
which the public key can be used. This is in addition to or in place of the
basic purposes specified by the Key Usage extension.
extendedKeyUsages.[].oid
Optional
string
failureReason
Optional
string
The reason the certificate request failed. This value exists only when the
certificate status is FAILED. For more information, see Certificate Request
Failed (https://docs.aws.amazon.com/acm/latest/userguide/troubleshooting.html#troubleshooting-failed)
in the Certificate Manager User Guide.
importedAt
Optional
string
The date and time when the certificate was imported. This value exists only
when the certificate type is IMPORTED.
inUseBy
Optional
array
A list of ARNs for the Amazon Web Services resources that are using the certificate.
A certificate can be used by multiple Amazon Web Services resources.
inUseBy.[]
Required
string
issuer
Optional
string
The name of the certificate authority that issued and signed the certificate.
keyUsages
Optional
array
A list of Key Usage X.509 v3 extension objects. Each object is a string value
that identifies the purpose of the public key contained in the certificate.
Possible extension values include DIGITAL_SIGNATURE, KEY_ENCHIPHERMENT, NON_REPUDIATION,
and more.
keyUsages.[]
Required
object
The Key Usage X.509 v3 extension defines the purpose of the public key contained
in the certificate.
notAfter
Optional
string
The time after which the certificate is not valid.
notBefore
Optional
string
The time before which the certificate is not valid.
renewalEligibility
Optional
string
Specifies whether the certificate is eligible for renewal. At this time,
only exported private certificates can be renewed with the RenewCertificate
command.
renewalSummary
Optional
object
Contains information about the status of ACM’s managed renewal (https://docs.aws.amazon.com/acm/latest/userguide/acm-renewal.html)
for the certificate. This field exists only when the certificate type is
AMAZON_ISSUED.
renewalSummary.domainValidationOptions
Optional
array
renewalSummary.domainValidationOptions.[]
Required
object
Contains information about the validation of each domain name in the certificate.
renewalSummary.domainValidationOptions.[].resourceRecord
Optional
object
Contains a DNS record value that you can use to validate ownership or control
of a domain. This is used by the DescribeCertificate action.
renewalSummary.domainValidationOptions.[].resourceRecord.name
Optional
string
**renewalSummary.domainValidationOptions.[].resourceRecord.type_**
Optional
string
renewalSummary.domainValidationOptions.[].resourceRecord.value
Optional
string
renewalSummary.domainValidationOptions.[].validationDomain
Optional
string
renewalSummary.domainValidationOptions.[].validationEmails
Optional
array
renewalSummary.domainValidationOptions.[].validationEmails.[]
Required
string
renewalSummary.domainValidationOptions.[].validationStatus
Optional
string
renewalSummary.renewalStatus
Optional
string
renewalSummary.renewalStatusReason
Optional
string
renewalSummary.updatedAt
Optional
string
revocationReason
Optional
string
The reason the certificate was revoked. This value exists only when the certificate
status is REVOKED.
revokedAt
Optional
string
The time at which the certificate was revoked. This value exists only when
the certificate status is REVOKED.
serial
Optional
string
The serial number of the certificate.
signatureAlgorithm
Optional
string
The algorithm that was used to sign the certificate.
status
Optional
string
The status of the certificate.


A certificate enters status PENDING_VALIDATION upon being requested, unless
it fails for any of the reasons given in the troubleshooting topic Certificate
request fails (https://docs.aws.amazon.com/acm/latest/userguide/troubleshooting-failed.html).
ACM makes repeated attempts to validate a certificate for 72 hours and then
times out. If a certificate shows status FAILED or VALIDATION_TIMED_OUT,
delete the request, correct the issue with DNS validation (https://docs.aws.amazon.com/acm/latest/userguide/dns-validation.html)
or Email validation (https://docs.aws.amazon.com/acm/latest/userguide/email-validation.html),
and try again. If validation succeeds, the certificate enters status ISSUED.
subject
Optional
string
The name of the entity that is associated with the public key contained in
the certificate.
**type_**
Optional
string
The source of the certificate. For certificates provided by ACM, this value
is AMAZON_ISSUED. For certificates that you imported with ImportCertificate,
this value is IMPORTED. ACM does not provide managed renewal (https://docs.aws.amazon.com/acm/latest/userguide/acm-renewal.html)
for imported certificates. For more information about the differences between
certificates that you import and those that ACM provides, see Importing Certificates
(https://docs.aws.amazon.com/acm/latest/userguide/import-certificate.html)
in the Certificate Manager User Guide.