CertificateAuthority

acmpca.services.k8s.aws/v1alpha1

Type    Link
GoDoc   acmpca-controller/apis/v1alpha1#CertificateAuthority

Metadata

Property   Value
Scope      Namespaced
Kind       CertificateAuthority
ListKind   CertificateAuthorityList
Plural     certificateauthorities
Singular   certificateauthority

Contains information about your private certificate authority (CA). Your private CA can issue and revoke X.509 digital certificates. Digital certificates verify that the entity named in the certificate Subject field owns or controls the public key contained in the Subject Public Key Info field. Call the CreateCertificateAuthority (https://docs.aws.amazon.com/privateca/latest/APIReference/API_CreateCertificateAuthority.html) action to create your private CA. You must then call the GetCertificateAuthorityCertificate (https://docs.aws.amazon.com/privateca/latest/APIReference/API_GetCertificateAuthorityCertificate.html) action to retrieve a private CA certificate signing request (CSR). Sign the CSR with your Amazon Web Services Private CA-hosted or on-premises root or subordinate CA certificate. Call the ImportCertificateAuthorityCertificate (https://docs.aws.amazon.com/privateca/latest/APIReference/API_ImportCertificateAuthorityCertificate.html) action to import the signed certificate into Certificate Manager (ACM).

Spec

certificateAuthorityConfiguration: 
  csrExtensions: 
    keyUsage: 
      crlSign: boolean
      dataEncipherment: boolean
      decipherOnly: boolean
      digitalSignature: boolean
      encipherOnly: boolean
      keyAgreement: boolean
      keyCertSign: boolean
      keyEncipherment: boolean
      nonRepudiation: boolean
    subjectInformationAccess:
      accessLocation: 
        directoryName: 
          commonName: string
          country: string
          customAttributes:
          - objectIdentifier: string
            value: string
          distinguishedNameQualifier: string
          generationQualifier: string
          givenName: string
          initials: string
          locality: string
          organization: string
          organizationalUnit: string
          pseudonym: string
          serialNumber: string
          state: string
          surname: string
          title: string
        dnsName: string
        ediPartyName: 
          nameAssigner: string
          partyName: string
        ipAddress: string
        otherName: 
          typeID: string
          value: string
        registeredID: string
        rfc822Name: string
        uniformResourceIdentifier: string
      accessMethod: 
        accessMethodType: string
        customObjectIdentifier: string
  keyAlgorithm: string
  signingAlgorithm: string
  subject: 
    commonName: string
    country: string
    customAttributes:
    - objectIdentifier: string
      value: string
    distinguishedNameQualifier: string
    generationQualifier: string
    givenName: string
    initials: string
    locality: string
    organization: string
    organizationalUnit: string
    pseudonym: string
    serialNumber: string
    state: string
    surname: string
    title: string
keyStorageSecurityStandard: string
revocationConfiguration: 
  crlConfiguration: 
    customCNAME: string
    enabled: boolean
    expirationInDays: integer
    s3BucketName: string
    s3ObjectACL: string
  ocspConfiguration: 
    enabled: boolean
    ocspCustomCNAME: string
tags:
- key: string
  value: string
type: string
usageMode: string
Field   Description
certificateAuthorityConfiguration
Required
object
Name and bit size of the private key algorithm, the name of the signing algorithm,
and X.500 certificate subject information.
certificateAuthorityConfiguration.csrExtensions
Optional
object
Describes the certificate extensions to be added to the certificate signing
request (CSR).
certificateAuthorityConfiguration.csrExtensions.keyUsage
Optional
object
Defines one or more purposes for which the key contained in the certificate
can be used. Default value for each option is false.
certificateAuthorityConfiguration.csrExtensions.keyUsage.crlSign
Optional
boolean
certificateAuthorityConfiguration.csrExtensions.keyUsage.dataEncipherment
Optional
boolean
certificateAuthorityConfiguration.csrExtensions.keyUsage.decipherOnly
Optional
boolean
certificateAuthorityConfiguration.csrExtensions.keyUsage.digitalSignature
Optional
boolean
certificateAuthorityConfiguration.csrExtensions.keyUsage.encipherOnly
Optional
boolean
certificateAuthorityConfiguration.csrExtensions.keyUsage.keyAgreement
Optional
boolean
certificateAuthorityConfiguration.csrExtensions.keyUsage.keyCertSign
Optional
boolean
certificateAuthorityConfiguration.csrExtensions.keyUsage.keyEncipherment
Optional
boolean
certificateAuthorityConfiguration.csrExtensions.keyUsage.nonRepudiation
Optional
boolean
certificateAuthorityConfiguration.csrExtensions.subjectInformationAccess
Optional
array
certificateAuthorityConfiguration.csrExtensions.subjectInformationAccess.[]
Required
object
Provides access information used by the authorityInfoAccess and subjectInfoAccess
extensions described in RFC 5280 (https://datatracker.ietf.org/doc/html/rfc5280).
certificateAuthorityConfiguration.csrExtensions.subjectInformationAccess.[].accessLocation.directoryName
Optional
object
Contains information about the certificate subject. The Subject field in
the certificate identifies the entity that owns or controls the public key
in the certificate. The entity can be a user, computer, device, or service.
The Subject must contain an X.500 distinguished name (DN). A DN is a sequence
of relative distinguished names (RDNs). The RDNs are separated by commas
in the certificate.
certificateAuthorityConfiguration.csrExtensions.subjectInformationAccess.[].accessLocation.directoryName.commonName
Optional
string
certificateAuthorityConfiguration.csrExtensions.subjectInformationAccess.[].accessLocation.directoryName.country
Optional
string
certificateAuthorityConfiguration.csrExtensions.subjectInformationAccess.[].accessLocation.directoryName.customAttributes
Optional
array
certificateAuthorityConfiguration.csrExtensions.subjectInformationAccess.[].accessLocation.directoryName.customAttributes.[]
Required
object
Defines the X.500 relative distinguished name (RDN).
certificateAuthorityConfiguration.csrExtensions.subjectInformationAccess.[].accessLocation.directoryName.customAttributes.[].value
Optional
string
certificateAuthorityConfiguration.csrExtensions.subjectInformationAccess.[].accessLocation.directoryName.distinguishedNameQualifier
Optional
string
certificateAuthorityConfiguration.csrExtensions.subjectInformationAccess.[].accessLocation.directoryName.generationQualifier
Optional
string
certificateAuthorityConfiguration.csrExtensions.subjectInformationAccess.[].accessLocation.directoryName.givenName
Optional
string
certificateAuthorityConfiguration.csrExtensions.subjectInformationAccess.[].accessLocation.directoryName.initials
Optional
string
certificateAuthorityConfiguration.csrExtensions.subjectInformationAccess.[].accessLocation.directoryName.locality
Optional
string
certificateAuthorityConfiguration.csrExtensions.subjectInformationAccess.[].accessLocation.directoryName.organization
Optional
string
certificateAuthorityConfiguration.csrExtensions.subjectInformationAccess.[].accessLocation.directoryName.organizationalUnit
Optional
string
certificateAuthorityConfiguration.csrExtensions.subjectInformationAccess.[].accessLocation.directoryName.pseudonym
Optional
string
certificateAuthorityConfiguration.csrExtensions.subjectInformationAccess.[].accessLocation.directoryName.serialNumber
Optional
string
certificateAuthorityConfiguration.csrExtensions.subjectInformationAccess.[].accessLocation.directoryName.state
Optional
string
certificateAuthorityConfiguration.csrExtensions.subjectInformationAccess.[].accessLocation.directoryName.surname
Optional
string
certificateAuthorityConfiguration.csrExtensions.subjectInformationAccess.[].accessLocation.directoryName.title
Optional
string
certificateAuthorityConfiguration.csrExtensions.subjectInformationAccess.[].accessLocation.dnsName
Optional
string
certificateAuthorityConfiguration.csrExtensions.subjectInformationAccess.[].accessLocation.ediPartyName
Optional
object
Describes an Electronic Data Interchange (EDI) entity as defined in Subject
Alternative Name (https://datatracker.ietf.org/doc/html/rfc5280) in RFC 5280.
certificateAuthorityConfiguration.csrExtensions.subjectInformationAccess.[].accessLocation.ediPartyName.nameAssigner
Optional
string
certificateAuthorityConfiguration.csrExtensions.subjectInformationAccess.[].accessLocation.ediPartyName.partyName
Optional
string
certificateAuthorityConfiguration.csrExtensions.subjectInformationAccess.[].accessLocation.ipAddress
Optional
string
certificateAuthorityConfiguration.csrExtensions.subjectInformationAccess.[].accessLocation.otherName
Optional
object
Defines a custom ASN.1 X.400 GeneralName using an object identifier (OID)
and value. The OID must satisfy the regular expression shown below. For more
information, see NIST’s definition of Object Identifier (OID) (https://csrc.nist.gov/glossary/term/Object_Identifier).
certificateAuthorityConfiguration.csrExtensions.subjectInformationAccess.[].accessLocation.otherName.typeID
Optional
string
certificateAuthorityConfiguration.csrExtensions.subjectInformationAccess.[].accessLocation.otherName.value
Optional
string
certificateAuthorityConfiguration.csrExtensions.subjectInformationAccess.[].accessLocation.registeredID
Optional
string
certificateAuthorityConfiguration.csrExtensions.subjectInformationAccess.[].accessLocation.rfc822Name
Optional
string
certificateAuthorityConfiguration.csrExtensions.subjectInformationAccess.[].accessLocation.uniformResourceIdentifier
Optional
string
certificateAuthorityConfiguration.csrExtensions.subjectInformationAccess.[].accessMethod
Optional
object
Describes the type and format of extension access. Only one of CustomObjectIdentifier
or AccessMethodType may be provided. Providing both results in InvalidArgsException.
certificateAuthorityConfiguration.csrExtensions.subjectInformationAccess.[].accessMethod.accessMethodType
Optional
string
certificateAuthorityConfiguration.csrExtensions.subjectInformationAccess.[].accessMethod.customObjectIdentifier
Optional
string
certificateAuthorityConfiguration.keyAlgorithm
Optional
string
certificateAuthorityConfiguration.signingAlgorithm
Optional
string
certificateAuthorityConfiguration.subject
Optional
object
Contains information about the certificate subject. The Subject field in
the certificate identifies the entity that owns or controls the public key
in the certificate. The entity can be a user, computer, device, or service.
The Subject must contain an X.500 distinguished name (DN). A DN is a sequence
of relative distinguished names (RDNs). The RDNs are separated by commas
in the certificate.
certificateAuthorityConfiguration.subject.commonName
Optional
string
certificateAuthorityConfiguration.subject.country
Optional
string
certificateAuthorityConfiguration.subject.customAttributes
Optional
array
certificateAuthorityConfiguration.subject.customAttributes.[]
Required
object
Defines the X.500 relative distinguished name (RDN).
certificateAuthorityConfiguration.subject.customAttributes.[].value
Optional
string
certificateAuthorityConfiguration.subject.distinguishedNameQualifier
Optional
string
certificateAuthorityConfiguration.subject.generationQualifier
Optional
string
certificateAuthorityConfiguration.subject.givenName
Optional
string
certificateAuthorityConfiguration.subject.initials
Optional
string
certificateAuthorityConfiguration.subject.locality
Optional
string
certificateAuthorityConfiguration.subject.organization
Optional
string
certificateAuthorityConfiguration.subject.organizationalUnit
Optional
string
certificateAuthorityConfiguration.subject.pseudonym
Optional
string
certificateAuthorityConfiguration.subject.serialNumber
Optional
string
certificateAuthorityConfiguration.subject.state
Optional
string
certificateAuthorityConfiguration.subject.surname
Optional
string
certificateAuthorityConfiguration.subject.title
Optional
string
keyStorageSecurityStandard
Optional
string
Specifies a cryptographic key management compliance standard used for handling
CA keys.

Default: FIPS_140_2_LEVEL_3_OR_HIGHER

Some Amazon Web Services Regions do not support the default. When creating
a CA in these Regions, you must provide FIPS_140_2_LEVEL_2_OR_HIGHER as the
argument for KeyStorageSecurityStandard. Failure to do this results in an
InvalidArgsException with the message, "A certificate authority cannot be
created in this region with the specified security standard."

For information about security standard support in various Regions, see Storage
and security compliance of Amazon Web Services Private CA private keys (https://docs.aws.amazon.com/privateca/latest/userguide/data-protection.html#private-keys).
revocationConfiguration
Optional
object
Contains information to enable Online Certificate Status Protocol (OCSP)
support, to enable a certificate revocation list (CRL), to enable both, or
to enable neither. The default is for both certificate validation mechanisms
to be disabled.

The following requirements apply to revocation configurations.

* A configuration disabling CRLs or OCSP must contain only the Enabled=False
parameter, and will fail if other parameters such as CustomCname or ExpirationInDays
are included.

* In a CRL configuration, the S3BucketName parameter must conform to Amazon
S3 bucket naming rules (https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucketnamingrules.html).

* A configuration containing a custom Canonical Name (CNAME) parameter
for CRLs or OCSP must conform to RFC2396 (https://www.ietf.org/rfc/rfc2396.txt)
restrictions on the use of special characters in a CNAME.

* In a CRL or OCSP configuration, the value of a CNAME parameter must
not include a protocol prefix such as “http://” or “https://”.

For more information, see the OcspConfiguration (https://docs.aws.amazon.com/privateca/latest/APIReference/API_OcspConfiguration.html)
and CrlConfiguration (https://docs.aws.amazon.com/privateca/latest/APIReference/API_CrlConfiguration.html)
types.
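The four requirements above are easy to get wrong in a manifest and only surface as an InvalidArgsException when the controller reconciles the resource. As an added example, not code from the ACK project or the Private CA API, the Python script below encodes them as pre-apply checks over a constructed spec (the manifest values, bucket and CNAME names are made up). The RFC 2396 CNAME check is approximated with a hostname-label pattern, and the S3 check covers the basic bucket naming rules only (length, character set, start and end characters, no consecutive dots).

```python
"""Pre-apply checks for the revocationConfiguration block of an ACK
CertificateAuthority spec. Constructed example; the CNAME and S3 checks
are approximations of the RFC 2396 and S3 naming rules."""
import re

# Constructed sample spec: CRLs published to S3 behind a custom CNAME, OCSP disabled.
SAMPLE_SPEC = {
    "type": "ROOT",
    "certificateAuthorityConfiguration": {
        "keyAlgorithm": "RSA_2048",
        "signingAlgorithm": "SHA256WITHRSA",
        "subject": {"commonName": "example-private-ca", "organization": "Example Org"},
    },
    "revocationConfiguration": {
        "crlConfiguration": {
            "enabled": True,
            "expirationInDays": 7,
            "s3BucketName": "example-crl-bucket",
            "customCNAME": "crl.example.internal",
        },
        "ocspConfiguration": {"enabled": False},
    },
}

# Basic S3 bucket rules: 3-63 chars, lowercase/digits/dots/hyphens,
# starts and ends alphanumeric, no consecutive dots.
_BUCKET_RE = re.compile(r"^(?!.*\.\.)[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")
# Hostname-style labels only: approximates the RFC 2396 special-character restrictions.
_HOSTNAME_RE = re.compile(
    r"^(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def _check_cname(path, value, errors):
    if value.lower().startswith(("http://", "https://")):
        errors.append(f"{path}: must not include a protocol prefix")
    elif not _HOSTNAME_RE.match(value):
        errors.append(f"{path}: contains characters not allowed in a CNAME")


def validate_revocation_configuration(spec):
    """Return a list of violations; an empty list means the block passes."""
    errors = []
    rc = spec.get("revocationConfiguration") or {}
    for block, cname_key in (("crlConfiguration", "customCNAME"),
                             ("ocspConfiguration", "ocspCustomCNAME")):
        cfg = rc.get(block)
        if cfg is None:
            continue  # omitted block: that mechanism simply stays disabled
        path = f"revocationConfiguration.{block}"
        if not cfg.get("enabled", False):
            # A disabling configuration must carry only Enabled=False.
            extra = sorted(k for k in cfg if k != "enabled")
            if extra:
                errors.append(f"{path}: disabled block may only contain 'enabled', found {extra}")
            continue
        if block == "crlConfiguration":
            bucket = cfg.get("s3BucketName")
            if bucket is not None and not _BUCKET_RE.match(bucket):
                errors.append(f"{path}.s3BucketName: violates S3 bucket naming rules")
            days = cfg.get("expirationInDays")
            if days is not None and (not isinstance(days, int) or days < 1):
                errors.append(f"{path}.expirationInDays: must be a positive integer")
        cname = cfg.get(cname_key)
        if cname is not None:
            _check_cname(f"{path}.{cname_key}", cname, errors)
    return errors


if __name__ == "__main__":
    for problem in validate_revocation_configuration(SAMPLE_SPEC) or ["spec passes all checks"]:
        print(problem)
```

Run it against the `spec` of a manifest (for example after loading the YAML into a dict) before `kubectl apply`; each returned string names the offending field path so the fix is obvious.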
revocationConfiguration.crlConfiguration
Optional
object
Contains configuration information for a certificate revocation list (CRL).
Your private certificate authority (CA) creates base CRLs. Delta CRLs are
not supported. You can enable CRLs for your new or an existing private CA
by setting the Enabled parameter to true. Your private CA writes CRLs to
an S3 bucket that you specify in the S3BucketName parameter. You can hide
the name of your bucket by specifying a value for the CustomCname parameter.
Your private CA copies the CNAME or the S3 bucket name to the CRL Distribution
Points extension of each certificate it issues. Your S3 bucket policy must
give write permission to Amazon Web Services Private CA.

Amazon Web Services Private CA assets that are stored in Amazon S3 can be
protected with encryption. For more information, see Encrypting Your CRLs
(https://docs.aws.amazon.com/privateca/latest/userguide/PcaCreateCa.html#crl-encryption).

Your private CA uses the value in the ExpirationInDays parameter to calculate
the nextUpdate field in the CRL. The CRL is refreshed prior to a certificate’s
expiration date or when a certificate is revoked. When a certificate is revoked,
it appears in the CRL until the certificate expires, and then in one additional
CRL after expiration, and it always appears in the audit report.

A CRL is typically updated approximately 30 minutes after a certificate is
revoked. If for any reason a CRL update fails, Amazon Web Services Private
CA makes further attempts every 15 minutes.

CRLs contain the following fields:

* Version: The current version number defined in RFC 5280 is V2. The integer
value is 0x1.

* Signature Algorithm: The name of the algorithm used to sign the CRL.

* Issuer: The X.500 distinguished name of your private CA that issued
the CRL.

* Last Update: The issue date and time of this CRL.

* Next Update: The day and time by which the next CRL will be issued.

* Revoked Certificates: List of revoked certificates. Each list item contains
  the following information.
  * Serial Number: The serial number, in hexadecimal format, of the revoked
    certificate.
  * Revocation Date: Date and time the certificate was revoked.
  * CRL Entry Extensions: Optional extensions for the CRL entry.
    * X509v3 CRL Reason Code: Reason the certificate was revoked.

* CRL Extensions: Optional extensions for the CRL.
  * X509v3 Authority Key Identifier: Identifies the public key associated
    with the private key used to sign the certificate.
  * X509v3 CRL Number: Decimal sequence number for the CRL.

* Signature Algorithm: Algorithm used by your private CA to sign the CRL.

* Signature Value: Signature computed over the CRL.

Certificate revocation lists created by Amazon Web Services Private CA are
DER-encoded. You can use the following OpenSSL command to list a CRL.

openssl crl -inform DER -text -in crl_path -noout

For more information, see Planning a certificate revocation list (CRL) (https://docs.aws.amazon.com/privateca/latest/userguide/crl-planning.html)
in the Amazon Web Services Private Certificate Authority User Guide.
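The field list above describes what to look for when inspecting a CRL with the OpenSSL command. As an added example, not part of this page or of the Private CA service, the standard-library-only Python script below decodes those same fields (version, issuer, this/next update, revoked serials with their reason codes, Authority Key Identifier, CRL Number) from a DER-encoded CRL and uses nextUpdate to refuse a stale answer. It constructs its own sample CRL in-line so it runs offline: the issuer name, serial, revocation reason, CRL number and key identifier are made-up values, only UTCTime dates are handled, and the signature is a placeholder that the script does not verify. Point parse_crl at the bytes of a CRL downloaded from the S3 bucket to inspect a real one.

```python
"""Decode the fields of a DER-encoded X.509 CRL (RFC 5280 CertificateList)
with the standard library only. The sample CRL is constructed in-line; its
signature bytes are a placeholder and are NOT verified by this script."""
import datetime

SEQ, SET, OID, UTF8, UTC, OCTET, BITS, ENUM, INT = 0x30, 0x31, 0x06, 0x0C, 0x17, 0x04, 0x03, 0x0A, 0x02
OID_CN = b"\x55\x04\x03"                                  # 2.5.4.3   commonName
OID_CRL_REASON = b"\x55\x1d\x15"                          # 2.5.29.21 cRLReason
OID_CRL_NUMBER = b"\x55\x1d\x14"                          # 2.5.29.20 cRLNumber
OID_AKI = b"\x55\x1d\x23"                                 # 2.5.29.35 authorityKeyIdentifier
OID_SHA256_RSA = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"  # 1.2.840.113549.1.1.11

# --- minimal DER encoder, used only to build the constructed sample -------
def _length(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, body):
    return bytes([tag]) + _length(len(body)) + body

def der_int(n):  # non-negative INTEGER, padded so the sign bit stays clear
    return tlv(INT, n.to_bytes((n.bit_length() + 8) // 8, "big"))

def build_sample_crl():
    """Constructed v2 CRL: one revoked serial (reason 1 = keyCompromise), CRL number 42."""
    alg = tlv(SEQ, tlv(OID, OID_SHA256_RSA) + b"\x05\x00")
    issuer = tlv(SEQ, tlv(SET, tlv(SEQ, tlv(OID, OID_CN) + tlv(UTF8, b"Example Private CA"))))
    ext = lambda oid, inner: tlv(SEQ, tlv(OID, oid) + tlv(OCTET, inner))
    entry = tlv(SEQ, der_int(0x1A2B3C) + tlv(UTC, b"240301120000Z")
                + tlv(SEQ, ext(OID_CRL_REASON, tlv(ENUM, b"\x01"))))
    crl_exts = tlv(0xA0, tlv(SEQ, ext(OID_AKI, tlv(SEQ, tlv(0x80, bytes(range(20)))))
                             + ext(OID_CRL_NUMBER, der_int(42))))
    tbs = tlv(SEQ, der_int(1) + alg + issuer + tlv(UTC, b"240301123000Z")
              + tlv(UTC, b"240308123000Z") + tlv(SEQ, entry) + crl_exts)
    return tlv(SEQ, tbs + alg + tlv(BITS, b"\x00" + b"\xAA" * 32))  # placeholder signature

# --- decoder ----------------------------------------------------------------
def der_read(buf, pos=0):
    """Read one TLV at pos -> (tag, body, position after it)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                               # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def der_children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = der_read(body, pos)
        out.append((tag, val))
    return out

def utc_time(raw):
    """UTCTime 'YYMMDDHHMMSSZ'; RFC 5280 maps YY >= 50 to 19YY, otherwise 20YY."""
    s = raw.decode("ascii")
    yy = int(s[:2])
    return datetime.datetime(1900 + yy if yy >= 50 else 2000 + yy, int(s[2:4]), int(s[4:6]),
                             int(s[6:8]), int(s[8:10]), int(s[10:12]), tzinfo=datetime.timezone.utc)

def _extensions(body):
    """Extensions SEQUENCE body -> {extnID bytes: extnValue inner DER}."""
    out = {}
    for _, ext in der_children(body):
        parts = der_children(ext)               # OID, [critical BOOLEAN], OCTET STRING
        out[parts[0][1]] = parts[-1][1]
    return out

def parse_crl(der):
    _, cert_list, _ = der_read(der)
    (_, tbs), (_, _sig_alg), (_, sig_val) = der_children(cert_list)
    f = der_children(tbs)
    i, version = 0, 1
    if f[0][0] == INT:                          # optional; v2 is encoded as INTEGER 1
        version, i = int.from_bytes(f[0][1], "big") + 1, 1
    issuer = []
    for _, rdn in der_children(f[i + 1][1]):   # Name = SEQUENCE OF SET OF AttributeTypeAndValue
        (_, oid), (_, val) = der_children(der_children(rdn)[0][1])
        issuer.append(("CN" if oid == OID_CN else oid.hex()) + "=" + val.decode())
    this_update, j, next_update = utc_time(f[i + 2][1]), i + 3, None
    if j < len(f) and f[j][0] == UTC:
        next_update, j = utc_time(f[j][1]), j + 1
    revoked = {}                                # serial -> (revocation date, reason code)
    if j < len(f) and f[j][0] == SEQ:
        for _, entry in der_children(f[j][1]):
            parts = der_children(entry)
            reason = None
            if len(parts) > 2:
                raw = _extensions(parts[2][1]).get(OID_CRL_REASON)
                reason = der_read(raw)[1][0] if raw else None
            revoked[int.from_bytes(parts[0][1], "big")] = (utc_time(parts[1][1]), reason)
        j += 1
    crl_number = aki = None
    if j < len(f) and f[j][0] == 0xA0:         # [0] EXPLICIT crlExtensions
        exts = _extensions(der_read(f[j][1])[1])
        if OID_CRL_NUMBER in exts:
            crl_number = int.from_bytes(der_read(exts[OID_CRL_NUMBER])[1], "big")
        if OID_AKI in exts:                     # SEQUENCE { [0] keyIdentifier OCTET STRING ... }
            aki = der_children(der_read(exts[OID_AKI])[1])[0][1].hex()
    return {"version": version, "issuer": ", ".join(issuer), "this_update": this_update,
            "next_update": next_update, "revoked": revoked, "crl_number": crl_number,
            "authority_key_id": aki, "signature_bytes": len(sig_val) - 1}

def revocation_status(crl, serial, now):
    """A CRL past its nextUpdate must not vouch for 'good'; report it as stale instead."""
    if crl["next_update"] is not None and now > crl["next_update"]:
        return "stale"
    return "revoked" if serial in crl["revoked"] else "good"

if __name__ == "__main__":
    for key, value in parse_crl(build_sample_crl()).items():
        print(f"{key}: {value}")
```

The "stale" outcome is the check worth keeping: a relying party that treats an expired CRL as authoritative will keep accepting a certificate revoked after the CRL's nextUpdate, which is exactly the window the ExpirationInDays setting above controls.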
revocationConfiguration.crlConfiguration.customCNAME
Optional
string
revocationConfiguration.crlConfiguration.enabled
Optional
boolean
revocationConfiguration.crlConfiguration.expirationInDays
Optional
integer
revocationConfiguration.crlConfiguration.s3BucketName
Optional
string
revocationConfiguration.crlConfiguration.s3ObjectACL
Optional
string
revocationConfiguration.ocspConfiguration
Optional
object
Contains information to enable and configure Online Certificate Status Protocol
(OCSP) for validating certificate revocation status.

When you revoke a certificate, OCSP responses may take up to 60 minutes to
reflect the new status.
revocationConfiguration.ocspConfiguration.enabled
Optional
boolean
revocationConfiguration.ocspConfiguration.ocspCustomCNAME
Optional
string
tags
Optional
array
Key-value pairs that will be attached to the new private CA. You can associate
up to 50 tags with a private CA. For information about using tags with IAM to
manage permissions, see Controlling Access Using IAM Tags (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_iam-tags.html).
tags.[]
Required
object
Tags are labels that you can use to identify and organize your private CAs.
Each tag consists of a key and an optional value. You can associate up to
50 tags with a private CA. To add one or more tags to a private CA, call
the TagCertificateAuthority (https://docs.aws.amazon.com/privateca/latest/APIReference/API_TagCertificateAuthority.html)
action. To remove a tag, call the UntagCertificateAuthority (https://docs.aws.amazon.com/privateca/latest/APIReference/API_UntagCertificateAuthority.html)
action.
tags.[].value
Optional
string
type
Required
string
The type of the certificate authority.
usageMode
Optional
string
Specifies whether the CA issues general-purpose certificates that typically
require a revocation mechanism, or short-lived certificates that may optionally
omit revocation because they expire quickly. Short-lived certificate validity
is limited to seven days.

The default value is GENERAL_PURPOSE.

Status

ackResourceMetadata: 
  arn: string
  ownerAccountID: string
  region: string
certificateSigningRequest: string
conditions:
- lastTransitionTime: string
  message: string
  reason: string
  status: string
  type: string
createdAt: string
failureReason: string
lastStateChangeAt: string
notAfter: string
notBefore: string
ownerAccount: string
restorableUntil: string
serial: string
status: string
Field   Description
ackResourceMetadata
Optional
object
All CRs managed by ACK have a common Status.ACKResourceMetadata member
that is used to contain resource sync state, account ownership, and the
constructed ARN for the resource.
ackResourceMetadata.arn
Optional
string
ARN is the Amazon Resource Name for the resource. This is a
globally-unique identifier and is set only by the ACK service controller
once the controller has orchestrated the creation of the resource OR
when it has verified that an “adopted” resource (a resource where the
ARN annotation was set by the Kubernetes user on the CR) exists and
matches the supplied CR’s Spec field values.
https://github.com/aws/aws-controllers-k8s/issues/270
ackResourceMetadata.ownerAccountID
Required
string
OwnerAccountID is the AWS Account ID of the account that owns the
backend AWS service API resource.
ackResourceMetadata.region
Required
string
Region is the AWS region in which the resource exists or will exist.
certificateSigningRequest
Optional
string
The base64 PEM-encoded certificate signing request (CSR) for your private
CA certificate.
conditions
Optional
array
All CRs managed by ACK have a common Status.Conditions member that
contains a collection of ackv1alpha1.Condition objects that describe
the various terminal states of the CR and its backend AWS service API
resource.
conditions.[]
Required
object
Condition is the common struct used by all CRDs managed by ACK service
controllers to indicate terminal states of the CR and its backend AWS
service API resource.
conditions.[].message
Optional
string
A human readable message indicating details about the transition.
conditions.[].reason
Optional
string
The reason for the condition’s last transition.
conditions.[].status
Optional
string
Status of the condition, one of True, False, Unknown.
conditions.[].type
Optional
string
Type is the type of the Condition.
createdAt
Optional
string
Date and time at which your private CA was created.
failureReason
Optional
string
Reason the request to create your private CA failed.
lastStateChangeAt
Optional
string
Date and time at which your private CA was last updated.
notAfter
Optional
string
Date and time after which your private CA certificate is not valid.
notBefore
Optional
string
Date and time before which your private CA certificate is not valid.
ownerAccount
Optional
string
The Amazon Web Services account ID that owns the certificate authority.
restorableUntil
Optional
string
The period during which a deleted CA can be restored. For more information,
see the PermanentDeletionTimeInDays parameter of the DeleteCertificateAuthorityRequest
(https://docs.aws.amazon.com/privateca/latest/APIReference/API_DeleteCertificateAuthorityRequest.html)
action.
serial
Optional
string
Serial number of your private CA.
status
Optional
string
Status of your private CA.