Certificate

acmpca.services.k8s.aws/v1alpha1

| Type | Link |
| ---- | ---- |
| GoDoc | acmpca-controller/apis/v1alpha1#Certificate |

Metadata

| Property | Value |
| -------- | ----- |
| Scope | Namespaced |
| Kind | Certificate |
| ListKind | CertificateList |
| Plural | certificates |
| Singular | certificate |

Spec

```yaml
apiPassthrough:
  extensions:
    certificatePolicies:
    - certPolicyID: string
      policyQualifiers:
      - policyQualifierID: string
        qualifier:
          cpsURI: string
    customExtensions:
    - critical: boolean
      objectIdentifier: string
      value: string
    extendedKeyUsage:
    - extendedKeyUsageObjectIdentifier: string
      extendedKeyUsageType: string
    keyUsage:
      crlSign: boolean
      dataEncipherment: boolean
      decipherOnly: boolean
      digitalSignature: boolean
      encipherOnly: boolean
      keyAgreement: boolean
      keyCertSign: boolean
      keyEncipherment: boolean
      nonRepudiation: boolean
    subjectAlternativeNames:
    - directoryName:
        commonName: string
        country: string
        customAttributes:
        - objectIdentifier: string
          value: string
        distinguishedNameQualifier: string
        generationQualifier: string
        givenName: string
        initials: string
        locality: string
        organization: string
        organizationalUnit: string
        pseudonym: string
        serialNumber: string
        state: string
        surname: string
        title: string
      dnsName: string
      ediPartyName:
        nameAssigner: string
        partyName: string
      ipAddress: string
      otherName:
        typeID: string
        value: string
      registeredID: string
      rfc822Name: string
      uniformResourceIdentifier: string
  subject:
    commonName: string
    country: string
    customAttributes:
    - objectIdentifier: string
      value: string
    distinguishedNameQualifier: string
    generationQualifier: string
    givenName: string
    initials: string
    locality: string
    organization: string
    organizationalUnit: string
    pseudonym: string
    serialNumber: string
    state: string
    surname: string
    title: string
certificateAuthorityARN: string
certificateAuthorityRef:
  from:
    name: string
csr: string
csrRef:
  from:
    name: string
signingAlgorithm: string
templateARN: string
validity:
  type: string
  value: integer
validityNotBefore:
  type: string
  value: integer
```
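A filled-in instance of the schema above, added here as an example and not taken from the controller's own documentation. It references the issuing CertificateAuthority CR by name (the name `my-private-ca` is assumed), carries a placeholder CSR body rather than a real request, selects the APIPassthrough variant of the default end-entity template so that the `apiPassthrough` block is honoured, and asks for a 90-day validity measured from issuance:

```yaml
apiVersion: acmpca.services.k8s.aws/v1alpha1
kind: Certificate
metadata:
  name: web-server-cert            # constructed name for this example
  namespace: default
spec:
  # Resolve the CA from a CertificateAuthority CR instead of pasting its ARN.
  certificateAuthorityRef:
    from:
      name: my-private-ca          # assumed name of an existing CertificateAuthority CR
  # PEM-encoded CSR. The body below is a placeholder, not a real request;
  # the CSR must carry a subject name or a subject alternative name.
  csr: |
    -----BEGIN CERTIFICATE REQUEST-----
    <base64 CSR body goes here (placeholder)>
    -----END CERTIFICATE REQUEST-----
  # Algorithm family (RSA here) must match the CA's own key family.
  signingAlgorithm: SHA256WITHRSA
  # Without an APIPassthrough template variant the apiPassthrough block is ignored.
  templateARN: arn:aws:acm-pca:::template/EndEntityCertificate_APIPassthrough/V1
  apiPassthrough:
    extensions:
      keyUsage:                    # every flag not listed stays false
        digitalSignature: true
        keyEncipherment: true
      extendedKeyUsage:
      - extendedKeyUsageType: SERVER_AUTH
      subjectAlternativeNames:     # exactly one naming option per entry
      - dnsName: api.example.internal
      - dnsName: api-canary.example.internal
      - ipAddress: 10.0.12.7
  # Not After is issuance + 90 days; Not Before defaults to issuance - 60 minutes.
  validity:
    type: DAYS
    value: 90
```

Keeping the key-usage list to the two flags a TLS server key actually needs, and listing each SAN as its own entry, is what the CA's own validation expects: a `subjectAlternativeNames` item with more than one naming option is rejected with `InvalidArgsException`.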
| Field | Description |
| ----- | ----------- |
| **apiPassthrough**<br/>Optional | **object**<br/>Specifies X.509 certificate information to be included in the issued certificate. An APIPassthrough or APICSRPassthrough template variant must be selected, or else this parameter is ignored. For more information about using these templates, see Understanding Certificate Templates (https://docs.aws.amazon.com/privateca/latest/userguide/UsingTemplates.html).<br/><br/>If conflicting or duplicate certificate information is supplied during certificate issuance, Amazon Web Services Private CA applies order of operation rules (https://docs.aws.amazon.com/privateca/latest/userguide/UsingTemplates.html#template-order-of-operations) to determine what information is used. |
| **apiPassthrough.extensions**<br/>Optional | **object**<br/>Contains X.509 extension information for a certificate. |
| **apiPassthrough.extensions.certificatePolicies**<br/>Optional | **array** |
| **apiPassthrough.extensions.certificatePolicies.[]**<br/>Required | **object**<br/>Defines the X.509 CertificatePolicies extension. |
| **apiPassthrough.extensions.certificatePolicies.[].policyQualifiers**<br/>Optional | **array** |
| **apiPassthrough.extensions.certificatePolicies.[].policyQualifiers.[]**<br/>Required | **object**<br/>Modifies the CertPolicyId of a PolicyInformation object with a qualifier. Amazon Web Services Private CA supports the certification practice statement (CPS) qualifier. |
| **apiPassthrough.extensions.certificatePolicies.[].policyQualifiers.[].qualifier**<br/>Optional | **object**<br/>Defines a PolicyInformation qualifier. Amazon Web Services Private CA supports the certification practice statement (CPS) qualifier (https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.4) defined in RFC 5280. |
| **apiPassthrough.extensions.certificatePolicies.[].policyQualifiers.[].qualifier.cpsURI**<br/>Optional | **string** |
| **apiPassthrough.extensions.customExtensions**<br/>Optional | **array** |
| **apiPassthrough.extensions.customExtensions.[]**<br/>Required | **object**<br/>Specifies the X.509 extension information for a certificate.<br/><br/>Extensions present in CustomExtensions follow the ApiPassthrough template rules (https://docs.aws.amazon.com/privateca/latest/userguide/UsingTemplates.html#template-order-of-operations). |
| **apiPassthrough.extensions.customExtensions.[].critical**<br/>Optional | **boolean** |
| **apiPassthrough.extensions.customExtensions.[].objectIdentifier**<br/>Optional | **string** |
| **apiPassthrough.extensions.customExtensions.[].value**<br/>Optional | **string** |
| **apiPassthrough.extensions.extendedKeyUsage**<br/>Optional | **array** |
| **apiPassthrough.extensions.extendedKeyUsage.[]**<br/>Required | **object**<br/>Specifies additional purposes for which the certified public key may be used other than the basic purposes indicated in the KeyUsage extension. |
| **apiPassthrough.extensions.extendedKeyUsage.[].extendedKeyUsageObjectIdentifier**<br/>Optional | **string** |
| **apiPassthrough.extensions.extendedKeyUsage.[].extendedKeyUsageType**<br/>Optional | **string** |
| **apiPassthrough.extensions.keyUsage**<br/>Optional | **object**<br/>Defines one or more purposes for which the key contained in the certificate can be used. The default value for each option is false. |
| **apiPassthrough.extensions.keyUsage.crlSign**<br/>Optional | **boolean** |
| **apiPassthrough.extensions.keyUsage.dataEncipherment**<br/>Optional | **boolean** |
| **apiPassthrough.extensions.keyUsage.decipherOnly**<br/>Optional | **boolean** |
| **apiPassthrough.extensions.keyUsage.digitalSignature**<br/>Optional | **boolean** |
| **apiPassthrough.extensions.keyUsage.encipherOnly**<br/>Optional | **boolean** |
| **apiPassthrough.extensions.keyUsage.keyAgreement**<br/>Optional | **boolean** |
| **apiPassthrough.extensions.keyUsage.keyCertSign**<br/>Optional | **boolean** |
| **apiPassthrough.extensions.keyUsage.keyEncipherment**<br/>Optional | **boolean** |
| **apiPassthrough.extensions.keyUsage.nonRepudiation**<br/>Optional | **boolean** |
| **apiPassthrough.extensions.subjectAlternativeNames**<br/>Optional | **array** |
| **apiPassthrough.extensions.subjectAlternativeNames.[]**<br/>Required | **object**<br/>Describes an ASN.1 X.400 GeneralName as defined in RFC 5280 (https://datatracker.ietf.org/doc/html/rfc5280). Only one of the following naming options should be provided. Providing more than one option results in an InvalidArgsException error. |
| **apiPassthrough.extensions.subjectAlternativeNames.[].directoryName**<br/>Optional | **object**<br/>Contains information about the certificate subject. The Subject field in the certificate identifies the entity that owns or controls the public key in the certificate. The entity can be a user, computer, device, or service. The Subject must contain an X.500 distinguished name (DN). A DN is a sequence of relative distinguished names (RDNs). The RDNs are separated by commas in the certificate. |
| **apiPassthrough.extensions.subjectAlternativeNames.[].directoryName.commonName**<br/>Optional | **string** |
| **apiPassthrough.extensions.subjectAlternativeNames.[].directoryName.country**<br/>Optional | **string** |
| **apiPassthrough.extensions.subjectAlternativeNames.[].directoryName.customAttributes**<br/>Optional | **array** |
| **apiPassthrough.extensions.subjectAlternativeNames.[].directoryName.customAttributes.[]**<br/>Required | **object**<br/>Defines the X.500 relative distinguished name (RDN). |
| **apiPassthrough.extensions.subjectAlternativeNames.[].directoryName.customAttributes.[].objectIdentifier**<br/>Optional | **string** |
| **apiPassthrough.extensions.subjectAlternativeNames.[].directoryName.customAttributes.[].value**<br/>Optional | **string** |
| **apiPassthrough.extensions.subjectAlternativeNames.[].directoryName.distinguishedNameQualifier**<br/>Optional | **string** |
| **apiPassthrough.extensions.subjectAlternativeNames.[].directoryName.generationQualifier**<br/>Optional | **string** |
| **apiPassthrough.extensions.subjectAlternativeNames.[].directoryName.givenName**<br/>Optional | **string** |
| **apiPassthrough.extensions.subjectAlternativeNames.[].directoryName.initials**<br/>Optional | **string** |
| **apiPassthrough.extensions.subjectAlternativeNames.[].directoryName.locality**<br/>Optional | **string** |
| **apiPassthrough.extensions.subjectAlternativeNames.[].directoryName.organization**<br/>Optional | **string** |
| **apiPassthrough.extensions.subjectAlternativeNames.[].directoryName.organizationalUnit**<br/>Optional | **string** |
| **apiPassthrough.extensions.subjectAlternativeNames.[].directoryName.pseudonym**<br/>Optional | **string** |
| **apiPassthrough.extensions.subjectAlternativeNames.[].directoryName.serialNumber**<br/>Optional | **string** |
| **apiPassthrough.extensions.subjectAlternativeNames.[].directoryName.state**<br/>Optional | **string** |
| **apiPassthrough.extensions.subjectAlternativeNames.[].directoryName.surname**<br/>Optional | **string** |
| **apiPassthrough.extensions.subjectAlternativeNames.[].directoryName.title**<br/>Optional | **string** |
| **apiPassthrough.extensions.subjectAlternativeNames.[].dnsName**<br/>Optional | **string** |
| **apiPassthrough.extensions.subjectAlternativeNames.[].ediPartyName**<br/>Optional | **object**<br/>Describes an Electronic Data Interchange (EDI) entity as defined in Subject Alternative Name (https://datatracker.ietf.org/doc/html/rfc5280) in RFC 5280. |
| **apiPassthrough.extensions.subjectAlternativeNames.[].ediPartyName.nameAssigner**<br/>Optional | **string** |
| **apiPassthrough.extensions.subjectAlternativeNames.[].ediPartyName.partyName**<br/>Optional | **string** |
| **apiPassthrough.extensions.subjectAlternativeNames.[].ipAddress**<br/>Optional | **string** |
| **apiPassthrough.extensions.subjectAlternativeNames.[].otherName**<br/>Optional | **object**<br/>Defines a custom ASN.1 X.400 GeneralName using an object identifier (OID) and value. The OID must satisfy the regular expression shown below. For more information, see NIST’s definition of Object Identifier (OID) (https://csrc.nist.gov/glossary/term/Object_Identifier). |
| **apiPassthrough.extensions.subjectAlternativeNames.[].otherName.typeID**<br/>Optional | **string** |
| **apiPassthrough.extensions.subjectAlternativeNames.[].otherName.value**<br/>Optional | **string** |
| **apiPassthrough.extensions.subjectAlternativeNames.[].registeredID**<br/>Optional | **string** |
| **apiPassthrough.extensions.subjectAlternativeNames.[].rfc822Name**<br/>Optional | **string** |
| **apiPassthrough.extensions.subjectAlternativeNames.[].uniformResourceIdentifier**<br/>Optional | **string** |
| **apiPassthrough.subject**<br/>Optional | **object**<br/>Contains information about the certificate subject. The Subject field in the certificate identifies the entity that owns or controls the public key in the certificate. The entity can be a user, computer, device, or service. The Subject must contain an X.500 distinguished name (DN). A DN is a sequence of relative distinguished names (RDNs). The RDNs are separated by commas in the certificate. |
| **apiPassthrough.subject.commonName**<br/>Optional | **string** |
| **apiPassthrough.subject.country**<br/>Optional | **string** |
| **apiPassthrough.subject.customAttributes**<br/>Optional | **array** |
| **apiPassthrough.subject.customAttributes.[]**<br/>Required | **object**<br/>Defines the X.500 relative distinguished name (RDN). |
| **apiPassthrough.subject.customAttributes.[].objectIdentifier**<br/>Optional | **string** |
| **apiPassthrough.subject.customAttributes.[].value**<br/>Optional | **string** |
| **apiPassthrough.subject.distinguishedNameQualifier**<br/>Optional | **string** |
| **apiPassthrough.subject.generationQualifier**<br/>Optional | **string** |
| **apiPassthrough.subject.givenName**<br/>Optional | **string** |
| **apiPassthrough.subject.initials**<br/>Optional | **string** |
| **apiPassthrough.subject.locality**<br/>Optional | **string** |
| **apiPassthrough.subject.organization**<br/>Optional | **string** |
| **apiPassthrough.subject.organizationalUnit**<br/>Optional | **string** |
| **apiPassthrough.subject.pseudonym**<br/>Optional | **string** |
| **apiPassthrough.subject.serialNumber**<br/>Optional | **string** |
| **apiPassthrough.subject.state**<br/>Optional | **string** |
| **apiPassthrough.subject.surname**<br/>Optional | **string** |
| **apiPassthrough.subject.title**<br/>Optional | **string** |
| **certificateAuthorityARN**<br/>Optional | **string**<br/>The Amazon Resource Name (ARN) that was returned when you called CreateCertificateAuthority (https://docs.aws.amazon.com/privateca/latest/APIReference/API_CreateCertificateAuthority.html). This must be of the form:<br/><br/>`arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012` |
| **certificateAuthorityRef**<br/>Optional | **object**<br/>AWSResourceReferenceWrapper provides a wrapper around the *AWSResourceReference type to provide a more user-friendly syntax for references using the `from` field. Ex: `APIIDRef: {from: {name: my-api}}` |
| **certificateAuthorityRef.from**<br/>Optional | **object**<br/>AWSResourceReference provides all the values necessary to reference another k8s resource for finding the identifier (Id/ARN/Name). |
| **certificateAuthorityRef.from.name**<br/>Optional | **string** |
| **csr**<br/>Optional | **string**<br/>The certificate signing request (CSR) for the certificate you want to issue. As an example, you can use the following OpenSSL command to create the CSR and a 2048-bit RSA private key.<br/><br/>`openssl req -new -newkey rsa:2048 -days 365 -keyout private/test_cert_priv_key.pem -out csr/test_cert_.csr`<br/><br/>If you have a configuration file, you can then use the following OpenSSL command. The usr_cert block in the configuration file contains your X509 version 3 extensions.<br/><br/>`openssl req -new -config openssl_rsa.cnf -extensions usr_cert -newkey rsa:2048 -days 365 -keyout private/test_cert_priv_key.pem -out csr/test_cert_.csr`<br/><br/>Note: A CSR must provide either a subject name or a subject alternative name or the request will be rejected. |
| **csrRef**<br/>Optional | **object**<br/>AWSResourceReferenceWrapper provides a wrapper around the *AWSResourceReference type to provide a more user-friendly syntax for references using the `from` field. Ex: `APIIDRef: {from: {name: my-api}}` |
| **csrRef.from**<br/>Optional | **object**<br/>AWSResourceReference provides all the values necessary to reference another k8s resource for finding the identifier (Id/ARN/Name). |
| **csrRef.from.name**<br/>Optional | **string** |
| **signingAlgorithm**<br/>Required | **string**<br/>The name of the algorithm that will be used to sign the certificate to be issued.<br/><br/>This parameter should not be confused with the SigningAlgorithm parameter used to sign a CSR in the CreateCertificateAuthority action.<br/><br/>The specified signing algorithm family (RSA or ECDSA) must match the algorithm family of the CA’s secret key. |
| **templateARN**<br/>Optional | **string**<br/>Specifies a custom configuration template to use when issuing a certificate. If this parameter is not provided, Amazon Web Services Private CA defaults to the EndEntityCertificate/V1 template. For CA certificates, you should choose the shortest path length that meets your needs. The path length is indicated by the PathLenN portion of the ARN, where N is the CA depth (https://docs.aws.amazon.com/privateca/latest/userguide/PcaTerms.html#terms-cadepth).<br/><br/>Note: The CA depth configured on a subordinate CA certificate must not exceed the limit set by its parents in the CA hierarchy.<br/><br/>For a list of TemplateArn values supported by Amazon Web Services Private CA, see Understanding Certificate Templates (https://docs.aws.amazon.com/privateca/latest/userguide/UsingTemplates.html). |
| **validity**<br/>Required | **object**<br/>Information describing the end of the validity period of the certificate. This parameter sets the “Not After” date for the certificate.<br/><br/>Certificate validity is the period of time during which a certificate is valid. Validity can be expressed as an explicit date and time when the certificate expires, or as a span of time after issuance, stated in days, months, or years. For more information, see Validity (https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.5) in RFC 5280.<br/><br/>This value is unaffected when ValidityNotBefore is also specified. For example, if Validity is set to 20 days in the future, the certificate will expire 20 days from issuance time regardless of the ValidityNotBefore value.<br/><br/>The end of the validity period configured on a certificate must not exceed the limit set on its parents in the CA hierarchy. |
| **validity.type**<br/>Optional | **string** |
| **validity.value**<br/>Optional | **integer** |
| **validityNotBefore**<br/>Optional | **object**<br/>Information describing the start of the validity period of the certificate. This parameter sets the “Not Before” date for the certificate.<br/><br/>By default, when issuing a certificate, Amazon Web Services Private CA sets the “Not Before” date to the issuance time minus 60 minutes. This compensates for clock inconsistencies across computer systems. The ValidityNotBefore parameter can be used to customize the “Not Before” value.<br/><br/>Unlike the Validity parameter, the ValidityNotBefore parameter is optional.<br/><br/>The ValidityNotBefore value is expressed as an explicit date and time, using the Validity type value ABSOLUTE. For more information, see Validity (https://docs.aws.amazon.com/privateca/latest/APIReference/API_Validity.html) in this API reference and Validity (https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.5) in RFC 5280. |
| **validityNotBefore.type**<br/>Optional | **string** |
| **validityNotBefore.value**<br/>Optional | **integer** |
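The `validity` and `validityNotBefore` rules above are easy to misread, in particular that a relative validity counts from issuance time and is not shifted by a custom Not Before. The following Python is an added example, not controller or AWS code: it computes the (Not Before, Not After) window a spec describes and rejects windows the CA would refuse. The type names DAYS, MONTHS and YEARS are the Validity type values of the Amazon Web Services Private CA API, which this page only paraphrases as days, months, or years; ABSOLUTE is named on the page, and its value is treated here as Unix epoch seconds (an assumption about the API encoding). The `parent_not_after` argument stands in for the issuing CA's own expiry and is a constructed input.

```python
"""Validity window arithmetic for an ACK acmpca Certificate spec (added example).

Rules modelled, all taken from the field reference:
  * validity sets Not After, relative to issuance (DAYS, MONTHS, YEARS)
    or as an explicit instant (ABSOLUTE, assumed to be Unix epoch seconds);
  * validityNotBefore is optional, must use type ABSOLUTE, and defaults to
    issuance minus 60 minutes;
  * a relative Not After is measured from issuance, so validityNotBefore
    never moves it;
  * Not After must not exceed the limit set by the parent CA.
"""
import calendar
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

DEFAULT_BACKDATE = timedelta(minutes=60)   # the CA's default Not Before offset


def _add_months(moment: datetime, months: int) -> datetime:
    """Advance by whole months, clamping the day to the target month's length."""
    index = moment.month - 1 + months
    year, month = moment.year + index // 12, index % 12 + 1
    day = min(moment.day, calendar.monthrange(year, month)[1])
    return moment.replace(year=year, month=month, day=day)


def not_after(spec: dict, issued_at: datetime) -> datetime:
    """Compute Not After from the required `validity` block."""
    validity = spec["validity"]            # required: a missing block is a KeyError
    kind, value = validity["type"], int(validity["value"])
    if value <= 0:
        raise ValueError("validity.value must be positive")
    if kind == "DAYS":
        return issued_at + timedelta(days=value)
    if kind == "MONTHS":
        return _add_months(issued_at, value)
    if kind == "YEARS":
        return _add_months(issued_at, 12 * value)
    if kind == "ABSOLUTE":                  # assumption: epoch seconds
        return datetime.fromtimestamp(value, tz=timezone.utc)
    raise ValueError(f"unsupported validity.type {kind!r}")


def not_before(spec: dict, issued_at: datetime) -> datetime:
    """Compute Not Before: the optional `validityNotBefore`, else issuance minus 60 minutes."""
    block = spec.get("validityNotBefore")
    if block is None:
        return issued_at - DEFAULT_BACKDATE
    if block["type"] != "ABSOLUTE":
        raise ValueError("validityNotBefore.type must be ABSOLUTE")
    return datetime.fromtimestamp(int(block["value"]), tz=timezone.utc)


def validity_window(spec: dict, issued_at: datetime,
                    parent_not_after: Optional[datetime] = None
                    ) -> Tuple[datetime, datetime]:
    """Return (Not Before, Not After), refusing windows the CA hierarchy would reject."""
    start, end = not_before(spec, issued_at), not_after(spec, issued_at)
    if start >= end:
        raise ValueError("Not Before must precede Not After")
    if parent_not_after is not None and end > parent_not_after:
        raise ValueError("Not After exceeds the issuing CA's own expiry")
    return start, end


if __name__ == "__main__":
    issued = datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)   # constructed issuance time
    twenty_days = {"validity": {"type": "DAYS", "value": 20}}
    print(validity_window(twenty_days, issued))
    custom_start = dict(twenty_days, validityNotBefore={
        "type": "ABSOLUTE",
        "value": int(datetime(2024, 1, 12, tzinfo=timezone.utc).timestamp())})
    # Same Not After: the 20 days count from issuance, not from the custom Not Before.
    print(validity_window(custom_start, issued))
```

Running the module shows the two windows sharing one Not After; the month arithmetic clamps to the last day of the target month, so a one-month validity issued on 31 January 2024 ends on 29 February 2024 rather than overflowing into March.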

Status

```yaml
ackResourceMetadata:
  arn: string
  ownerAccountID: string
  region: string
conditions:
- lastTransitionTime: string
  message: string
  reason: string
  status: string
  type: string
```
| Field | Description |
| ----- | ----------- |
| **ackResourceMetadata**<br/>Optional | **object**<br/>All CRs managed by ACK have a common Status.ACKResourceMetadata member that is used to contain resource sync state, account ownership, and the constructed ARN for the resource. |
| **ackResourceMetadata.arn**<br/>Optional | **string**<br/>ARN is the Amazon Resource Name for the resource. This is a globally-unique identifier and is set only by the ACK service controller once the controller has orchestrated the creation of the resource OR when it has verified that an “adopted” resource (a resource where the ARN annotation was set by the Kubernetes user on the CR) exists and matches the supplied CR’s Spec field values.<br/>TODO(vijat@): Find a better strategy for resources that do not have ARN in CreateOutputResponse https://github.com/aws/aws-controllers-k8s/issues/270 |
| **ackResourceMetadata.ownerAccountID**<br/>Required | **string**<br/>OwnerAccountID is the AWS Account ID of the account that owns the backend AWS service API resource. |
| **ackResourceMetadata.region**<br/>Required | **string**<br/>Region is the AWS region in which the resource exists or will exist. |
| **conditions**<br/>Optional | **array**<br/>All CRs managed by ACK have a common Status.Conditions member that contains a collection of ackv1alpha1.Condition objects that describe the various terminal states of the CR and its backend AWS service API resource. |
| **conditions.[]**<br/>Required | **object**<br/>Condition is the common struct used by all CRDs managed by ACK service controllers to indicate terminal states of the CR and its backend AWS service API resource. |
| **conditions.[].message**<br/>Optional | **string**<br/>A human-readable message indicating details about the transition. |
| **conditions.[].reason**<br/>Optional | **string**<br/>The reason for the condition’s last transition. |
| **conditions.[].status**<br/>Optional | **string**<br/>Status of the condition, one of True, False, Unknown. |
| **conditions.[].type**<br/>Optional | **string**<br/>Type is the type of the Condition. |