```cpp
/**
 * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
 * SPDX-License-Identifier: Apache-2.0.
 */

#pragma once
// The four include paths were lost in extraction; they are restored from the
// identifiers this header uses (AWS_ACMPCA_API, Aws::String, S3ObjectAcl, std::move).
#include <aws/acm-pca/ACMPCA_EXPORTS.h>
#include <aws/core/utils/memory/stl/AWSString.h>
#include <aws/acm-pca/model/S3ObjectAcl.h>
#include <utility>

namespace Aws
{
namespace Utils
{
namespace Json
{
  class JsonValue;
  class JsonView;
} // namespace Json
} // namespace Utils
namespace ACMPCA
{
namespace Model
{

  /**
   * Contains configuration information for a certificate revocation list (CRL).
   * Your private certificate authority (CA) creates base CRLs. Delta CRLs are not
   * supported. You can enable CRLs for your new or an existing private CA by
   * setting the Enabled parameter to true. Your private CA writes CRLs to an S3
   * bucket that you specify in the S3BucketName parameter. You can hide the name
   * of your bucket by specifying a value for the CustomCname parameter. Your
   * private CA copies the CNAME or the S3 bucket name to the CRL Distribution
   * Points extension of each certificate it issues. Your S3 bucket policy must
   * give write permission to Amazon Web Services Private CA.
   *
   * Amazon Web Services Private CA assets that are stored in Amazon S3 can be
   * protected with encryption. For more information, see Encrypting Your CRLs.
   *
   * Your private CA uses the value in the ExpirationInDays parameter to calculate
   * the nextUpdate field in the CRL. The CRL is refreshed prior to a certificate's
   * expiration date or when a certificate is revoked. When a certificate is
   * revoked, it appears in the CRL until the certificate expires, and then in one
   * additional CRL after expiration, and it always appears in the audit report.
   *
   * A CRL is typically updated approximately 30 minutes after a certificate is
   * revoked. If for any reason a CRL update fails, Amazon Web Services Private CA
   * makes further attempts every 15 minutes.
   *
   * CRLs contain the following fields:
   *
   * - Version: The current version number defined in RFC 5280 is V2. The integer
   *   value is 0x1.
   * - Signature Algorithm: The name of the algorithm used to sign the CRL.
   * - Issuer: The X.500 distinguished name of your private CA that issued the CRL.
   * - Last Update: The issue date and time of this CRL.
   * - Next Update: The day and time by which the next CRL will be issued.
   * - Revoked Certificates: List of revoked certificates. Each list item contains
   *   the following information.
   *   - Serial Number: The serial number, in hexadecimal format, of the revoked
   *     certificate.
   *   - Revocation Date: Date and time the certificate was revoked.
   *   - CRL Entry Extensions: Optional extensions for the CRL entry.
   *     - X509v3 CRL Reason Code: Reason the certificate was revoked.
   * - CRL Extensions: Optional extensions for the CRL.
   *   - X509v3 Authority Key Identifier: Identifies the public key associated with
   *     the private key used to sign the certificate.
   *   - X509v3 CRL Number: Decimal sequence number for the CRL.
   * - Signature Algorithm: Algorithm used by your private CA to sign the CRL.
   * - Signature Value: Signature computed over the CRL.
   *
   * Certificate revocation lists created by Amazon Web Services Private CA are
   * DER-encoded. You can use the following OpenSSL command to list a CRL.
   *
   *   openssl crl -inform DER -text -in crl_path -noout
   *
   * For more information, see Planning a certificate revocation list (CRL) in the
   * Amazon Web Services Private Certificate Authority User Guide.
   *
   * See Also: AWS API Reference
   */
  class CrlConfiguration
  {
  public:
    AWS_ACMPCA_API CrlConfiguration();
    AWS_ACMPCA_API CrlConfiguration(Aws::Utils::Json::JsonView jsonValue);
    AWS_ACMPCA_API CrlConfiguration& operator=(Aws::Utils::Json::JsonView jsonValue);
    AWS_ACMPCA_API Aws::Utils::Json::JsonValue Jsonize() const;


    ///@{
    /**
     * Boolean value that specifies whether certificate revocation lists (CRLs) are
     * enabled. You can use this value to enable certificate revocation for a new CA
     * when you call the CreateCertificateAuthority action or for an existing CA
     * when you call the UpdateCertificateAuthority action.
     */
    inline bool GetEnabled() const { return m_enabled; }
    inline bool EnabledHasBeenSet() const { return m_enabledHasBeenSet; }
    inline void SetEnabled(bool value) { m_enabledHasBeenSet = true; m_enabled = value; }
    inline CrlConfiguration& WithEnabled(bool value) { SetEnabled(value); return *this; }
    ///@}

    ///@{
    /**
     * Validity period of the CRL in days.
     */
    inline int GetExpirationInDays() const { return m_expirationInDays; }
    inline bool ExpirationInDaysHasBeenSet() const { return m_expirationInDaysHasBeenSet; }
    inline void SetExpirationInDays(int value) { m_expirationInDaysHasBeenSet = true; m_expirationInDays = value; }
    inline CrlConfiguration& WithExpirationInDays(int value) { SetExpirationInDays(value); return *this; }
    ///@}

    ///@{
    /**
     * Name inserted into the certificate CRL Distribution Points extension that
     * enables the use of an alias for the CRL distribution point. Use this value
     * if you don't want the name of your S3 bucket to be public.
     *
     * The content of a Canonical Name (CNAME) record must conform to RFC2396
     * restrictions on the use of special characters in URIs. Additionally, the
     * value of the CNAME must not include a protocol prefix such as "http://" or
     * "https://".
     */
    inline const Aws::String& GetCustomCname() const { return m_customCname; }
    inline bool CustomCnameHasBeenSet() const { return m_customCnameHasBeenSet; }
    inline void SetCustomCname(const Aws::String& value) { m_customCnameHasBeenSet = true; m_customCname = value; }
    inline void SetCustomCname(Aws::String&& value) { m_customCnameHasBeenSet = true; m_customCname = std::move(value); }
    inline void SetCustomCname(const char* value) { m_customCnameHasBeenSet = true; m_customCname.assign(value); }
    inline CrlConfiguration& WithCustomCname(const Aws::String& value) { SetCustomCname(value); return *this; }
    inline CrlConfiguration& WithCustomCname(Aws::String&& value) { SetCustomCname(std::move(value)); return *this; }
    inline CrlConfiguration& WithCustomCname(const char* value) { SetCustomCname(value); return *this; }
    ///@}

    ///@{
    /**
     * Name of the S3 bucket that contains the CRL. If you do not provide a value
     * for the CustomCname argument, the name of your S3 bucket is placed into the
     * CRL Distribution Points extension of the issued certificate. You can change
     * the name of your bucket by calling the UpdateCertificateAuthority operation.
     * You must specify a bucket policy that allows Amazon Web Services Private CA
     * to write the CRL to your bucket.
     *
     * The S3BucketName parameter must conform to the S3 bucket naming rules.
     */
    inline const Aws::String& GetS3BucketName() const { return m_s3BucketName; }
    inline bool S3BucketNameHasBeenSet() const { return m_s3BucketNameHasBeenSet; }
    inline void SetS3BucketName(const Aws::String& value) { m_s3BucketNameHasBeenSet = true; m_s3BucketName = value; }
    inline void SetS3BucketName(Aws::String&& value) { m_s3BucketNameHasBeenSet = true; m_s3BucketName = std::move(value); }
    inline void SetS3BucketName(const char* value) { m_s3BucketNameHasBeenSet = true; m_s3BucketName.assign(value); }
    inline CrlConfiguration& WithS3BucketName(const Aws::String& value) { SetS3BucketName(value); return *this; }
    inline CrlConfiguration& WithS3BucketName(Aws::String&& value) { SetS3BucketName(std::move(value)); return *this; }
    inline CrlConfiguration& WithS3BucketName(const char* value) { SetS3BucketName(value); return *this; }
    ///@}

    ///@{
    /**
     * Determines whether the CRL will be publicly readable or privately held in
     * the CRL Amazon S3 bucket. If you choose PUBLIC_READ, the CRL will be
     * accessible over the public internet. If you choose BUCKET_OWNER_FULL_CONTROL,
     * only the owner of the CRL S3 bucket can access the CRL, and your PKI clients
     * may need an alternative method of access.
     *
     * If no value is specified, the default is PUBLIC_READ.
     *
     * Note: This default can cause CA creation to fail in some circumstances. If
     * you have enabled the Block Public Access (BPA) feature in your S3 account,
     * then you must specify the value of this parameter as
     * BUCKET_OWNER_FULL_CONTROL, and not doing so results in an error. If you have
     * disabled BPA in S3, then you can specify either BUCKET_OWNER_FULL_CONTROL or
     * PUBLIC_READ as the value.
     *
     * For more information, see Blocking public access to the S3 bucket.
     */
    inline const S3ObjectAcl& GetS3ObjectAcl() const { return m_s3ObjectAcl; }
    inline bool S3ObjectAclHasBeenSet() const { return m_s3ObjectAclHasBeenSet; }
    inline void SetS3ObjectAcl(const S3ObjectAcl& value) { m_s3ObjectAclHasBeenSet = true; m_s3ObjectAcl = value; }
    inline void SetS3ObjectAcl(S3ObjectAcl&& value) { m_s3ObjectAclHasBeenSet = true; m_s3ObjectAcl = std::move(value); }
    inline CrlConfiguration& WithS3ObjectAcl(const S3ObjectAcl& value) { SetS3ObjectAcl(value); return *this; }
    inline CrlConfiguration& WithS3ObjectAcl(S3ObjectAcl&& value) { SetS3ObjectAcl(std::move(value)); return *this; }
    ///@}

  private:
    // Value members are initialized so that a Get* call on a default-constructed
    // object never reads an indeterminate value; NOT_SET is the SDK's sentinel
    // for an enum that has not been assigned.
    bool m_enabled{false};
    bool m_enabledHasBeenSet = false;

    int m_expirationInDays{0};
    bool m_expirationInDaysHasBeenSet = false;

    Aws::String m_customCname;
    bool m_customCnameHasBeenSet = false;

    Aws::String m_s3BucketName;
    bool m_s3BucketNameHasBeenSet = false;

    S3ObjectAcl m_s3ObjectAcl{S3ObjectAcl::NOT_SET};
    bool m_s3ObjectAclHasBeenSet = false;
  };

} // namespace Model
} // namespace ACMPCA
} // namespace Aws
```
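The header documents several constraints that the service only reports back as an API error: the CustomCname must carry no `http://`/`https://` prefix and only RFC 2396 characters, the S3BucketName must follow the bucket naming rules, and with S3 Block Public Access enabled the S3ObjectAcl must be BUCKET_OWNER_FULL_CONTROL rather than the PUBLIC_READ default. The following is an added example, not part of the aws-sdk-cpp header or the SDK, that runs those checks locally before a CrlConfiguration is sent to CreateCertificateAuthority or UpdateCertificateAuthority. It uses only the C++ standard library; `CrlConfig`, `Acl`, `validCustomCname`, `validBucketName`, `chooseAcl`, `validate`, `toJson` and `buildConfig` are hypothetical stand-ins for the SDK types, the bucket-naming check is a locally checkable subset of the real rules (assumed: 3-63 lowercase letters, digits, `.` and `-`, no `..`), and the minimum of one day for ExpirationInDays is an assumption; the service enforces the full rule set.

```cpp
// Added example (not the SDK's code): offline checks for a CRL configuration.
#include <cctype>
#include <cstring>
#include <iostream>
#include <string>
#include <vector>

enum class Acl { NotSet, PublicRead, BucketOwnerFullControl };

struct CrlConfig {                   // hypothetical stand-in for CrlConfiguration
    bool enabled = false;
    int expirationInDays = 0;        // drives the CRL's nextUpdate field
    std::string customCname;         // optional alias that hides the bucket name
    std::string s3BucketName;
    Acl s3ObjectAcl = Acl::NotSet;   // NotSet means the API default (PUBLIC_READ) applies
};

// Case-insensitive prefix test; `prefix` must already be lowercase.
static bool hasPrefixCI(const std::string& s, const std::string& prefix) {
    if (s.size() < prefix.size()) return false;
    for (std::size_t i = 0; i < prefix.size(); ++i)
        if (std::tolower(static_cast<unsigned char>(s[i])) != prefix[i]) return false;
    return true;
}

// CustomCname rules from the header: no "http://" or "https://" prefix and only
// characters RFC 2396 allows unescaped. Conservative subset: alphanumerics, the
// RFC 2396 "mark" characters and '/'; '%'-escapes are rejected.
static bool validCustomCname(const std::string& cname) {
    if (cname.empty()) return true;  // the field is optional
    if (hasPrefixCI(cname, "http://") || hasPrefixCI(cname, "https://")) return false;
    for (unsigned char ch : cname) {
        if (std::isalnum(ch)) continue;
        if (ch != 0 && std::strchr("-_.!~*'()/", ch)) continue;
        return false;
    }
    return true;
}

// Assumed subset of the S3 bucket naming rules that can be checked locally.
static bool validBucketName(const std::string& n) {
    if (n.size() < 3 || n.size() > 63) return false;
    if (!std::isalnum(static_cast<unsigned char>(n.front())) ||
        !std::isalnum(static_cast<unsigned char>(n.back()))) return false;
    if (n.find("..") != std::string::npos) return false;
    for (unsigned char ch : n)
        if (!(std::islower(ch) || std::isdigit(ch) || ch == '.' || ch == '-')) return false;
    return true;
}

// With Block Public Access on, BUCKET_OWNER_FULL_CONTROL is the only accepted
// value (the PUBLIC_READ default makes CA creation fail). With BPA off both are
// accepted; we still keep the CRL private unless the caller explicitly wants it
// reachable from the public internet.
static Acl chooseAcl(bool bpaEnabled, bool wantPublicCrl) {
    if (bpaEnabled) return Acl::BucketOwnerFullControl;
    return wantPublicCrl ? Acl::PublicRead : Acl::BucketOwnerFullControl;
}

// Returns the problems found; an empty vector means the configuration is consistent.
static std::vector<std::string> validate(const CrlConfig& c, bool bpaEnabled) {
    std::vector<std::string> problems;
    if (!c.enabled) return problems;  // the other fields are not consulted when CRLs are off
    if (c.expirationInDays < 1) problems.push_back("ExpirationInDays must be at least 1 day");
    if (!validBucketName(c.s3BucketName)) problems.push_back("S3BucketName breaks the bucket naming rules");
    if (!validCustomCname(c.customCname)) problems.push_back("CustomCname has a protocol prefix or illegal characters");
    // An unset ACL falls back to PUBLIC_READ, so under BPA it is as wrong as an explicit PUBLIC_READ.
    if (bpaEnabled && c.s3ObjectAcl != Acl::BucketOwnerFullControl)
        problems.push_back("S3ObjectAcl must be BUCKET_OWNER_FULL_CONTROL while Block Public Access is on");
    return problems;
}

static const char* aclName(Acl a) {
    switch (a) {
        case Acl::PublicRead: return "PUBLIC_READ";
        case Acl::BucketOwnerFullControl: return "BUCKET_OWNER_FULL_CONTROL";
        default: return "";
    }
}

// Same key names CrlConfiguration::Jsonize() emits. No JSON escaping is done, so
// call validate() first: the accepted character sets contain no '"' or '\'.
static std::string toJson(const CrlConfig& c) {
    std::string j = std::string("{\"Enabled\":") + (c.enabled ? "true" : "false");
    if (!c.enabled) return j + "}";
    j += ",\"ExpirationInDays\":" + std::to_string(c.expirationInDays);
    if (!c.customCname.empty()) j += ",\"CustomCname\":\"" + c.customCname + "\"";
    j += ",\"S3BucketName\":\"" + c.s3BucketName + "\"";
    if (c.s3ObjectAcl != Acl::NotSet) j += std::string(",\"S3ObjectAcl\":\"") + aclName(c.s3ObjectAcl) + "\"";
    return j + "}";
}

static CrlConfig buildConfig(const std::string& bucket, const std::string& cname,
                             int days, bool bpaEnabled, bool wantPublicCrl) {
    CrlConfig c;
    c.enabled = true; c.expirationInDays = days; c.s3BucketName = bucket; c.customCname = cname;
    c.s3ObjectAcl = chooseAcl(bpaEnabled, wantPublicCrl);
    return c;
}

int main() {
    // Constructed sample values: an account with Block Public Access enabled and
    // the bucket name hidden behind a CNAME.
    const bool bpa = true;
    CrlConfig good = buildConfig("example-crl-bucket", "crl.example.com", 7, bpa, true);
    for (const auto& p : validate(good, bpa)) std::cout << "problem: " << p << '\n';
    std::cout << toJson(good) << '\n';
    CrlConfig bad = good;
    bad.s3ObjectAcl = Acl::PublicRead;             // what the API default would give you
    bad.customCname = "https://crl.example.com";   // protocol prefix is not allowed
    for (const auto& p : validate(bad, bpa)) std::cout << "problem: " << p << '\n';
    return 0;
}
```

`validate()` is the check to run in CI or in the deployment tool before calling the API; `chooseAcl()` encodes the one decision that cannot be recovered from after the fact, since a CRL published with PUBLIC_READ is already world-readable by the time a reviewer notices.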