package awsacmpca
import (
"github.com/aws/aws-cdk-go/awscdk/v2"
)
// Properties for defining a `CfnCertificateAuthority`.
//
// Four fields are marked `field:"required"` (`KeyAlgorithm`, `SigningAlgorithm`,
// `Subject`, `Type`); every other field is optional and may be left nil.
//
// Example:
//   cfnCertificateAuthority := acmpca.NewCfnCertificateAuthority(this, jsii.String("CA"), &CfnCertificateAuthorityProps{
//   	Type: jsii.String("ROOT"),
//   	KeyAlgorithm: jsii.String("RSA_2048"),
//   	SigningAlgorithm: jsii.String("SHA256WITHRSA"),
//   	Subject: &SubjectProperty{
//   		Country: jsii.String("US"),
//   		Organization: jsii.String("string"),
//   		OrganizationalUnit: jsii.String("string"),
//   		DistinguishedNameQualifier: jsii.String("string"),
//   		State: jsii.String("string"),
//   		CommonName: jsii.String("123"),
//   		SerialNumber: jsii.String("string"),
//   		Locality: jsii.String("string"),
//   		Title: jsii.String("string"),
//   		Surname: jsii.String("string"),
//   		GivenName: jsii.String("string"),
//   		Initials: jsii.String("DG"),
//   		Pseudonym: jsii.String("string"),
//   		GenerationQualifier: jsii.String("DBG"),
//   	},
//   })
//
// NOTE(review): the `Subject` values in the example ("string", "123", "DG", "DBG")
// are placeholders from the generated documentation, not recommended values.
// The subject becomes the issuer name on every certificate this CA signs, so
// fill it with the CA's real X.500 name.
//
// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-acmpca-certificateauthority.html
//
type CfnCertificateAuthorityProps struct {
	// Type of the public key algorithm and size, in bits, of the key pair that your CA creates when it issues a certificate.
	//
	// When you create a subordinate CA, you must use a key algorithm supported by the parent CA.
	//
	// Required. The example pairs `RSA_2048` with `SHA256WITHRSA`; presumably the
	// key family chosen here must agree with `SigningAlgorithm` (RSA key with an
	// RSA signature scheme, EC key with an ECDSA one) — confirm against the
	// service documentation. NOTE(review): this looks like a choice that is fixed
	// for the life of the CA; verify whether it can be changed after creation
	// before picking the smallest permitted key size.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-acmpca-certificateauthority.html#cfn-acmpca-certificateauthority-keyalgorithm
	//
	KeyAlgorithm *string `field:"required" json:"keyAlgorithm" yaml:"keyAlgorithm"`
	// Name of the algorithm your private CA uses to sign certificate requests.
	//
	// This parameter should not be confused with the `SigningAlgorithm` parameter used to sign certificates when they are issued.
	//
	// Required. This is a security-relevant choice: the strength of every
	// signature the CA produces is bounded by the hash used here. The example
	// uses `SHA256WITHRSA`; do not pick a weaker hash than that without a
	// documented reason.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-acmpca-certificateauthority.html#cfn-acmpca-certificateauthority-subject
	//
	SigningAlgorithm *string `field:"required" json:"signingAlgorithm" yaml:"signingAlgorithm"`
	// Structure that contains X.500 distinguished name information for your private CA.
	//
	// Required. Typed as `interface{}`; the example passes a `*SubjectProperty`,
	// and presumably a CDK token/`IResolvable` is also accepted — confirm with the
	// jsii binding before passing anything else.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-acmpca-certificateauthority.html#cfn-acmpca-certificateauthority-subject
	//
	Subject interface{} `field:"required" json:"subject" yaml:"subject"`
	// Type of your private CA.
	//
	// Required. The example uses `"ROOT"`; for a subordinate CA the
	// `KeyAlgorithm` constraint above (must be supported by the parent CA)
	// applies.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-acmpca-certificateauthority.html#cfn-acmpca-certificateauthority-type
	//
	Type *string `field:"required" json:"type" yaml:"type"`
	// Specifies information to be added to the extension section of the certificate signing request (CSR).
	//
	// Optional. Typed as `interface{}` like `Subject`; presumably a
	// `*CsrExtensionsProperty` or a CDK token — confirm with the jsii binding.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-acmpca-certificateauthority.html#cfn-acmpca-certificateauthority-csrextensions
	//
	CsrExtensions interface{} `field:"optional" json:"csrExtensions" yaml:"csrExtensions"`
	// Specifies a cryptographic key management compliance standard used for handling CA keys.
	//
	// Default: FIPS_140_2_LEVEL_3_OR_HIGHER
	//
	// Optional. Leaving this nil yields the stronger default above. Supplying
	// `FIPS_140_2_LEVEL_2_OR_HIGHER` lowers the assurance level required of the
	// storage holding the CA's private key, so only do so where the target
	// Region genuinely rejects the default, and record why.
	//
	// > Some AWS Regions do not support the default. When creating a CA in these Regions, you must provide `FIPS_140_2_LEVEL_2_OR_HIGHER` as the argument for `KeyStorageSecurityStandard` . Failure to do this results in an `InvalidArgsException` with the message, "A certificate authority cannot be created in this region with the specified security standard."
	// >
	// > For information about security standard support in various Regions, see [Storage and security compliance of AWS Private CA private keys](https://docs.aws.amazon.com/privateca/latest/userguide/data-protection.html#private-keys) .
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-acmpca-certificateauthority.html#cfn-acmpca-certificateauthority-keystoragesecuritystandard
	//
	KeyStorageSecurityStandard *string `field:"optional" json:"keyStorageSecurityStandard" yaml:"keyStorageSecurityStandard"`
	// Certificate revocation information used by the [CreateCertificateAuthority](https://docs.aws.amazon.com/privateca/latest/APIReference/API_CreateCertificateAuthority.html) and [UpdateCertificateAuthority](https://docs.aws.amazon.com/privateca/latest/APIReference/API_UpdateCertificateAuthority.html) actions. Your private certificate authority (CA) can configure Online Certificate Status Protocol (OCSP) support and/or maintain a certificate revocation list (CRL). OCSP returns validation information about certificates as requested by clients, and a CRL contains an updated list of certificates revoked by your CA. For more information, see [RevokeCertificate](https://docs.aws.amazon.com/privateca/latest/APIReference/API_RevokeCertificate.html) in the *AWS Private CA API Reference* and [Setting up a certificate revocation method](https://docs.aws.amazon.com/privateca/latest/userguide/revocation-setup.html) in the *AWS Private CA User Guide* .
	//
	// Optional. If this is omitted on a `GENERAL_PURPOSE` CA (see `UsageMode`),
	// relying parties have no way to learn that a certificate was revoked —
	// revocation is then effectively unavailable until the CA is updated with a
	// CRL or OCSP configuration. Omitting it is only reasonable for the
	// `SHORT_LIVED_CERTIFICATE` usage mode.
	//
	// NOTE(review): the CRL bucket named by `S3BucketName` must be readable by
	// every relying party that checks the CRL, and presumably its bucket policy
	// must let the CA write to it — verify the required policy against the
	// revocation-setup guide rather than opening the bucket wider than needed.
	//
	// > The following requirements apply to revocation configurations.
	// >
	// > - A configuration disabling CRLs or OCSP must contain only the `Enabled=False` parameter, and will fail if other parameters such as `CustomCname` or `ExpirationInDays` are included.
	// > - In a CRL configuration, the `S3BucketName` parameter must conform to the [Amazon S3 bucket naming rules](https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucketnamingrules.html) .
	// > - A configuration containing a custom Canonical Name (CNAME) parameter for CRLs or OCSP must conform to [RFC2396](https://www.ietf.org/rfc/rfc2396.txt) restrictions on the use of special characters in a CNAME.
	// > - In a CRL or OCSP configuration, the value of a CNAME parameter must not include a protocol prefix such as "http://" or "https://".
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-acmpca-certificateauthority.html#cfn-acmpca-certificateauthority-revocationconfiguration
	//
	RevocationConfiguration interface{} `field:"optional" json:"revocationConfiguration" yaml:"revocationConfiguration"`
	// Key-value pairs that will be attached to the new private CA.
	//
	// You can associate up to 50 tags with a private CA. For information using tags with IAM to manage permissions, see [Controlling Access Using IAM Tags](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_iam-tags.html) .
	//
	// Optional. Because tags can drive IAM authorization decisions (per the link
	// above), treat them as security-relevant: any principal allowed to tag this
	// resource can influence tag-based policies that reference it.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-acmpca-certificateauthority.html#cfn-acmpca-certificateauthority-tags
	//
	Tags *[]*awscdk.CfnTag `field:"optional" json:"tags" yaml:"tags"`
	// Specifies whether the CA issues general-purpose certificates that typically require a revocation mechanism, or short-lived certificates that may optionally omit revocation because they expire quickly.
	//
	// Short-lived certificate validity is limited to seven days.
	//
	// The default value is GENERAL_PURPOSE.
	//
	// Optional. Leaving this nil selects `GENERAL_PURPOSE`, in which case a
	// `RevocationConfiguration` should normally be provided as well; the
	// seven-day cap is what makes skipping revocation defensible for the
	// short-lived mode.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-acmpca-certificateauthority.html#cfn-acmpca-certificateauthority-usagemode
	//
	UsageMode *string `field:"optional" json:"usageMode" yaml:"usageMode"`
}