* Contains configuration information for a certificate revocation list (CRL). Your private certificate authority (CA)
* creates base CRLs. Delta CRLs are not supported. You can enable CRLs for your new or an existing private CA by
* setting the Enabled parameter to true. Your private CA writes CRLs to an S3 bucket that you
* specify in the S3BucketName parameter. You can hide the name of your bucket by specifying a value for the
* CustomCname parameter. Your private CA copies the CNAME or the S3 bucket name to the CRL Distribution
* Points extension of each certificate it issues. Your S3 bucket policy must give write permission to Amazon Web
* Services Private CA.
*
* Amazon Web Services Private CA assets that are stored in Amazon S3 can be protected with encryption. For more * information, see Encrypting Your * CRLs. *
** Your private CA uses the value in the ExpirationInDays parameter to calculate the nextUpdate field in * the CRL. The CRL is refreshed prior to a certificate's expiration date or when a certificate is revoked. When a * certificate is revoked, it appears in the CRL until the certificate expires, and then in one additional CRL after * expiration, and it always appears in the audit report. *
** A CRL is typically updated approximately 30 minutes after a certificate is revoked. If for any reason a CRL update * fails, Amazon Web Services Private CA makes further attempts every 15 minutes. *
** CRLs contain the following fields: *
** Version: The current version number defined in RFC 5280 is V2. The integer value is 0x1. *
** Signature Algorithm: The name of the algorithm used to sign the CRL. *
** Issuer: The X.500 distinguished name of your private CA that issued the CRL. *
** Last Update: The issue date and time of this CRL. *
** Next Update: The day and time by which the next CRL will be issued. *
** Revoked Certificates: List of revoked certificates. Each list item contains the following information. *
** Serial Number: The serial number, in hexadecimal format, of the revoked certificate. *
** Revocation Date: Date and time the certificate was revoked. *
** CRL Entry Extensions: Optional extensions for the CRL entry. *
** X509v3 CRL Reason Code: Reason the certificate was revoked. *
** CRL Extensions: Optional extensions for the CRL. *
** X509v3 Authority Key Identifier: Identifies the public key associated with the private key used to sign the * certificate. *
** X509v3 CRL Number:: Decimal sequence number for the CRL. *
** Signature Algorithm: Algorithm used by your private CA to sign the CRL. *
** Signature Value: Signature computed over the CRL. *
** Certificate revocation lists created by Amazon Web Services Private CA are DER-encoded. You can use the following * OpenSSL command to list a CRL. *
*
* openssl crl -inform DER -text -in crl_path -noout
*
* For more information, see Planning * a certificate revocation list (CRL) in the Amazon Web Services Private Certificate Authority User Guide *
* * @see AWS API * Documentation */ @Generated("com.amazonaws:aws-java-sdk-code-generator") public class CrlConfiguration implements Serializable, Cloneable, StructuredPojo { /** ** Boolean value that specifies whether certificate revocation lists (CRLs) are enabled. You can use this value to * enable certificate revocation for a new CA when you call the CreateCertificateAuthority action or for an existing CA when you call the UpdateCertificateAuthority action. *
*/ private Boolean enabled; /** ** Validity period of the CRL in days. *
*/ private Integer expirationInDays; /** ** Name inserted into the certificate CRL Distribution Points extension that enables the use of an alias for * the CRL distribution point. Use this value if you don't want the name of your S3 bucket to be public. *
** The content of a Canonical Name (CNAME) record must conform to RFC2396 restrictions on the use of special characters in URIs. * Additionally, the value of the CNAME must not include a protocol prefix such as "http://" or "https://". *
** Name of the S3 bucket that contains the CRL. If you do not provide a value for the CustomCname argument, * the name of your S3 bucket is placed into the CRL Distribution Points extension of the issued certificate. * You can change the name of your bucket by calling the UpdateCertificateAuthority operation. You must specify a bucket policy that * allows Amazon Web Services Private CA to write the CRL to your bucket. *
*
* The S3BucketName parameter must conform to the S3 bucket naming rules.
*
* Determines whether the CRL will be publicly readable or privately held in the CRL Amazon S3 bucket. If you choose * PUBLIC_READ, the CRL will be accessible over the public internet. If you choose BUCKET_OWNER_FULL_CONTROL, only * the owner of the CRL S3 bucket can access the CRL, and your PKI clients may need an alternative method of access. *
*
* If no value is specified, the default is PUBLIC_READ.
*
* Note: This default can cause CA creation to fail in some circumstances. If you have have enabled the Block
* Public Access (BPA) feature in your S3 account, then you must specify the value of this parameter as
* BUCKET_OWNER_FULL_CONTROL, and not doing so results in an error. If you have disabled BPA in S3,
* then you can specify either BUCKET_OWNER_FULL_CONTROL or PUBLIC_READ as the value.
*
* For more information, see Blocking public access to * the S3 bucket. *
*/ private String s3ObjectAcl; /** ** Boolean value that specifies whether certificate revocation lists (CRLs) are enabled. You can use this value to * enable certificate revocation for a new CA when you call the CreateCertificateAuthority action or for an existing CA when you call the UpdateCertificateAuthority action. *
* * @param enabled * Boolean value that specifies whether certificate revocation lists (CRLs) are enabled. You can use this * value to enable certificate revocation for a new CA when you call the CreateCertificateAuthority action or for an existing CA when you call the UpdateCertificateAuthority action. */ public void setEnabled(Boolean enabled) { this.enabled = enabled; } /** ** Boolean value that specifies whether certificate revocation lists (CRLs) are enabled. You can use this value to * enable certificate revocation for a new CA when you call the CreateCertificateAuthority action or for an existing CA when you call the UpdateCertificateAuthority action. *
* * @return Boolean value that specifies whether certificate revocation lists (CRLs) are enabled. You can use this * value to enable certificate revocation for a new CA when you call the CreateCertificateAuthority action or for an existing CA when you call the UpdateCertificateAuthority action. */ public Boolean getEnabled() { return this.enabled; } /** ** Boolean value that specifies whether certificate revocation lists (CRLs) are enabled. You can use this value to * enable certificate revocation for a new CA when you call the CreateCertificateAuthority action or for an existing CA when you call the UpdateCertificateAuthority action. *
* * @param enabled * Boolean value that specifies whether certificate revocation lists (CRLs) are enabled. You can use this * value to enable certificate revocation for a new CA when you call the CreateCertificateAuthority action or for an existing CA when you call the UpdateCertificateAuthority action. * @return Returns a reference to this object so that method calls can be chained together. */ public CrlConfiguration withEnabled(Boolean enabled) { setEnabled(enabled); return this; } /** ** Boolean value that specifies whether certificate revocation lists (CRLs) are enabled. You can use this value to * enable certificate revocation for a new CA when you call the CreateCertificateAuthority action or for an existing CA when you call the UpdateCertificateAuthority action. *
* * @return Boolean value that specifies whether certificate revocation lists (CRLs) are enabled. You can use this * value to enable certificate revocation for a new CA when you call the CreateCertificateAuthority action or for an existing CA when you call the UpdateCertificateAuthority action. */ public Boolean isEnabled() { return this.enabled; } /** ** Validity period of the CRL in days. *
* * @param expirationInDays * Validity period of the CRL in days. */ public void setExpirationInDays(Integer expirationInDays) { this.expirationInDays = expirationInDays; } /** ** Validity period of the CRL in days. *
* * @return Validity period of the CRL in days. */ public Integer getExpirationInDays() { return this.expirationInDays; } /** ** Validity period of the CRL in days. *
* * @param expirationInDays * Validity period of the CRL in days. * @return Returns a reference to this object so that method calls can be chained together. */ public CrlConfiguration withExpirationInDays(Integer expirationInDays) { setExpirationInDays(expirationInDays); return this; } /** ** Name inserted into the certificate CRL Distribution Points extension that enables the use of an alias for * the CRL distribution point. Use this value if you don't want the name of your S3 bucket to be public. *
** The content of a Canonical Name (CNAME) record must conform to RFC2396 restrictions on the use of special characters in URIs. * Additionally, the value of the CNAME must not include a protocol prefix such as "http://" or "https://". *
** The content of a Canonical Name (CNAME) record must conform to RFC2396 restrictions on the use of special characters in * URIs. Additionally, the value of the CNAME must not include a protocol prefix such as "http://" or * "https://". *
*/ public void setCustomCname(String customCname) { this.customCname = customCname; } /** ** Name inserted into the certificate CRL Distribution Points extension that enables the use of an alias for * the CRL distribution point. Use this value if you don't want the name of your S3 bucket to be public. *
** The content of a Canonical Name (CNAME) record must conform to RFC2396 restrictions on the use of special characters in URIs. * Additionally, the value of the CNAME must not include a protocol prefix such as "http://" or "https://". *
** The content of a Canonical Name (CNAME) record must conform to RFC2396 restrictions on the use of special characters in * URIs. Additionally, the value of the CNAME must not include a protocol prefix such as "http://" or * "https://". *
*/ public String getCustomCname() { return this.customCname; } /** ** Name inserted into the certificate CRL Distribution Points extension that enables the use of an alias for * the CRL distribution point. Use this value if you don't want the name of your S3 bucket to be public. *
** The content of a Canonical Name (CNAME) record must conform to RFC2396 restrictions on the use of special characters in URIs. * Additionally, the value of the CNAME must not include a protocol prefix such as "http://" or "https://". *
** The content of a Canonical Name (CNAME) record must conform to RFC2396 restrictions on the use of special characters in * URIs. Additionally, the value of the CNAME must not include a protocol prefix such as "http://" or * "https://". *
* @return Returns a reference to this object so that method calls can be chained together. */ public CrlConfiguration withCustomCname(String customCname) { setCustomCname(customCname); return this; } /** ** Name of the S3 bucket that contains the CRL. If you do not provide a value for the CustomCname argument, * the name of your S3 bucket is placed into the CRL Distribution Points extension of the issued certificate. * You can change the name of your bucket by calling the UpdateCertificateAuthority operation. You must specify a bucket policy that * allows Amazon Web Services Private CA to write the CRL to your bucket. *
*
* The S3BucketName parameter must conform to the S3 bucket naming rules.
*
* The S3BucketName parameter must conform to the S3 bucket naming
* rules.
*
* Name of the S3 bucket that contains the CRL. If you do not provide a value for the CustomCname argument, * the name of your S3 bucket is placed into the CRL Distribution Points extension of the issued certificate. * You can change the name of your bucket by calling the UpdateCertificateAuthority operation. You must specify a bucket policy that * allows Amazon Web Services Private CA to write the CRL to your bucket. *
*
* The S3BucketName parameter must conform to the S3 bucket naming rules.
*
* The S3BucketName parameter must conform to the S3 bucket naming
* rules.
*
* Name of the S3 bucket that contains the CRL. If you do not provide a value for the CustomCname argument, * the name of your S3 bucket is placed into the CRL Distribution Points extension of the issued certificate. * You can change the name of your bucket by calling the UpdateCertificateAuthority operation. You must specify a bucket policy that * allows Amazon Web Services Private CA to write the CRL to your bucket. *
*
* The S3BucketName parameter must conform to the S3 bucket naming rules.
*
* The S3BucketName parameter must conform to the S3 bucket naming
* rules.
*
* Determines whether the CRL will be publicly readable or privately held in the CRL Amazon S3 bucket. If you choose * PUBLIC_READ, the CRL will be accessible over the public internet. If you choose BUCKET_OWNER_FULL_CONTROL, only * the owner of the CRL S3 bucket can access the CRL, and your PKI clients may need an alternative method of access. *
*
* If no value is specified, the default is PUBLIC_READ.
*
* Note: This default can cause CA creation to fail in some circumstances. If you have have enabled the Block
* Public Access (BPA) feature in your S3 account, then you must specify the value of this parameter as
* BUCKET_OWNER_FULL_CONTROL, and not doing so results in an error. If you have disabled BPA in S3,
* then you can specify either BUCKET_OWNER_FULL_CONTROL or PUBLIC_READ as the value.
*
* For more information, see Blocking public access to * the S3 bucket. *
* * @param s3ObjectAcl * Determines whether the CRL will be publicly readable or privately held in the CRL Amazon S3 bucket. If you * choose PUBLIC_READ, the CRL will be accessible over the public internet. If you choose * BUCKET_OWNER_FULL_CONTROL, only the owner of the CRL S3 bucket can access the CRL, and your PKI clients * may need an alternative method of access. *
* If no value is specified, the default is PUBLIC_READ.
*
* Note: This default can cause CA creation to fail in some circumstances. If you have have enabled
* the Block Public Access (BPA) feature in your S3 account, then you must specify the value of this
* parameter as BUCKET_OWNER_FULL_CONTROL, and not doing so results in an error. If you have
* disabled BPA in S3, then you can specify either BUCKET_OWNER_FULL_CONTROL or
* PUBLIC_READ as the value.
*
* For more information, see Blocking public * access to the S3 bucket. * @see S3ObjectAcl */ public void setS3ObjectAcl(String s3ObjectAcl) { this.s3ObjectAcl = s3ObjectAcl; } /** *
* Determines whether the CRL will be publicly readable or privately held in the CRL Amazon S3 bucket. If you choose * PUBLIC_READ, the CRL will be accessible over the public internet. If you choose BUCKET_OWNER_FULL_CONTROL, only * the owner of the CRL S3 bucket can access the CRL, and your PKI clients may need an alternative method of access. *
*
* If no value is specified, the default is PUBLIC_READ.
*
* Note: This default can cause CA creation to fail in some circumstances. If you have have enabled the Block
* Public Access (BPA) feature in your S3 account, then you must specify the value of this parameter as
* BUCKET_OWNER_FULL_CONTROL, and not doing so results in an error. If you have disabled BPA in S3,
* then you can specify either BUCKET_OWNER_FULL_CONTROL or PUBLIC_READ as the value.
*
* For more information, see Blocking public access to * the S3 bucket. *
* * @return Determines whether the CRL will be publicly readable or privately held in the CRL Amazon S3 bucket. If * you choose PUBLIC_READ, the CRL will be accessible over the public internet. If you choose * BUCKET_OWNER_FULL_CONTROL, only the owner of the CRL S3 bucket can access the CRL, and your PKI clients * may need an alternative method of access. *
* If no value is specified, the default is PUBLIC_READ.
*
* Note: This default can cause CA creation to fail in some circumstances. If you have have enabled
* the Block Public Access (BPA) feature in your S3 account, then you must specify the value of this
* parameter as BUCKET_OWNER_FULL_CONTROL, and not doing so results in an error. If you have
* disabled BPA in S3, then you can specify either BUCKET_OWNER_FULL_CONTROL or
* PUBLIC_READ as the value.
*
* For more information, see Blocking public * access to the S3 bucket. * @see S3ObjectAcl */ public String getS3ObjectAcl() { return this.s3ObjectAcl; } /** *
* Determines whether the CRL will be publicly readable or privately held in the CRL Amazon S3 bucket. If you choose * PUBLIC_READ, the CRL will be accessible over the public internet. If you choose BUCKET_OWNER_FULL_CONTROL, only * the owner of the CRL S3 bucket can access the CRL, and your PKI clients may need an alternative method of access. *
*
* If no value is specified, the default is PUBLIC_READ.
*
* Note: This default can cause CA creation to fail in some circumstances. If you have have enabled the Block
* Public Access (BPA) feature in your S3 account, then you must specify the value of this parameter as
* BUCKET_OWNER_FULL_CONTROL, and not doing so results in an error. If you have disabled BPA in S3,
* then you can specify either BUCKET_OWNER_FULL_CONTROL or PUBLIC_READ as the value.
*
* For more information, see Blocking public access to * the S3 bucket. *
* * @param s3ObjectAcl * Determines whether the CRL will be publicly readable or privately held in the CRL Amazon S3 bucket. If you * choose PUBLIC_READ, the CRL will be accessible over the public internet. If you choose * BUCKET_OWNER_FULL_CONTROL, only the owner of the CRL S3 bucket can access the CRL, and your PKI clients * may need an alternative method of access. *
* If no value is specified, the default is PUBLIC_READ.
*
* Note: This default can cause CA creation to fail in some circumstances. If you have have enabled
* the Block Public Access (BPA) feature in your S3 account, then you must specify the value of this
* parameter as BUCKET_OWNER_FULL_CONTROL, and not doing so results in an error. If you have
* disabled BPA in S3, then you can specify either BUCKET_OWNER_FULL_CONTROL or
* PUBLIC_READ as the value.
*
* For more information, see Blocking public * access to the S3 bucket. * @return Returns a reference to this object so that method calls can be chained together. * @see S3ObjectAcl */ public CrlConfiguration withS3ObjectAcl(String s3ObjectAcl) { setS3ObjectAcl(s3ObjectAcl); return this; } /** *
* Determines whether the CRL will be publicly readable or privately held in the CRL Amazon S3 bucket. If you choose * PUBLIC_READ, the CRL will be accessible over the public internet. If you choose BUCKET_OWNER_FULL_CONTROL, only * the owner of the CRL S3 bucket can access the CRL, and your PKI clients may need an alternative method of access. *
*
* If no value is specified, the default is PUBLIC_READ.
*
* Note: This default can cause CA creation to fail in some circumstances. If you have have enabled the Block
* Public Access (BPA) feature in your S3 account, then you must specify the value of this parameter as
* BUCKET_OWNER_FULL_CONTROL, and not doing so results in an error. If you have disabled BPA in S3,
* then you can specify either BUCKET_OWNER_FULL_CONTROL or PUBLIC_READ as the value.
*
* For more information, see Blocking public access to * the S3 bucket. *
* * @param s3ObjectAcl * Determines whether the CRL will be publicly readable or privately held in the CRL Amazon S3 bucket. If you * choose PUBLIC_READ, the CRL will be accessible over the public internet. If you choose * BUCKET_OWNER_FULL_CONTROL, only the owner of the CRL S3 bucket can access the CRL, and your PKI clients * may need an alternative method of access. *
* If no value is specified, the default is PUBLIC_READ.
*
* Note: This default can cause CA creation to fail in some circumstances. If you have have enabled
* the Block Public Access (BPA) feature in your S3 account, then you must specify the value of this
* parameter as BUCKET_OWNER_FULL_CONTROL, and not doing so results in an error. If you have
* disabled BPA in S3, then you can specify either BUCKET_OWNER_FULL_CONTROL or
* PUBLIC_READ as the value.
*
* For more information, see Blocking public * access to the S3 bucket. * @return Returns a reference to this object so that method calls can be chained together. * @see S3ObjectAcl */ public CrlConfiguration withS3ObjectAcl(S3ObjectAcl s3ObjectAcl) { this.s3ObjectAcl = s3ObjectAcl.toString(); return this; } /** * Returns a string representation of this object. This is useful for testing and debugging. Sensitive data will be * redacted from this string using a placeholder value. * * @return A string representation of this object. * * @see java.lang.Object#toString() */ @Override public String toString() { StringBuilder sb = new StringBuilder(); sb.append("{"); if (getEnabled() != null) sb.append("Enabled: ").append(getEnabled()).append(","); if (getExpirationInDays() != null) sb.append("ExpirationInDays: ").append(getExpirationInDays()).append(","); if (getCustomCname() != null) sb.append("CustomCname: ").append(getCustomCname()).append(","); if (getS3BucketName() != null) sb.append("S3BucketName: ").append(getS3BucketName()).append(","); if (getS3ObjectAcl() != null) sb.append("S3ObjectAcl: ").append(getS3ObjectAcl()); sb.append("}"); return sb.toString(); } @Override public boolean equals(Object obj) { if (this == obj) return true; if (obj == null) return false; if (obj instanceof CrlConfiguration == false) return false; CrlConfiguration other = (CrlConfiguration) obj; if (other.getEnabled() == null ^ this.getEnabled() == null) return false; if (other.getEnabled() != null && other.getEnabled().equals(this.getEnabled()) == false) return false; if (other.getExpirationInDays() == null ^ this.getExpirationInDays() == null) return false; if (other.getExpirationInDays() != null && other.getExpirationInDays().equals(this.getExpirationInDays()) == false) return false; if (other.getCustomCname() == null ^ this.getCustomCname() == null) return false; if (other.getCustomCname() != null && other.getCustomCname().equals(this.getCustomCname()) == false) return false; if (other.getS3BucketName() == null ^ this.getS3BucketName() == null) return false; if (other.getS3BucketName() != null && other.getS3BucketName().equals(this.getS3BucketName()) == false) return false; if (other.getS3ObjectAcl() == null ^ this.getS3ObjectAcl() == null) return false; if (other.getS3ObjectAcl() != null && other.getS3ObjectAcl().equals(this.getS3ObjectAcl()) == false) return false; return true; } @Override public int hashCode() { final int prime = 31; int hashCode = 1; hashCode = prime * hashCode + ((getEnabled() == null) ? 0 : getEnabled().hashCode()); hashCode = prime * hashCode + ((getExpirationInDays() == null) ? 0 : getExpirationInDays().hashCode()); hashCode = prime * hashCode + ((getCustomCname() == null) ? 0 : getCustomCname().hashCode()); hashCode = prime * hashCode + ((getS3BucketName() == null) ? 0 : getS3BucketName().hashCode()); hashCode = prime * hashCode + ((getS3ObjectAcl() == null) ? 0 : getS3ObjectAcl().hashCode()); return hashCode; } @Override public CrlConfiguration clone() { try { return (CrlConfiguration) super.clone(); } catch (CloneNotSupportedException e) { throw new IllegalStateException("Got a CloneNotSupportedException from Object.clone() " + "even though we're Cloneable!", e); } } @com.amazonaws.annotation.SdkInternalApi @Override public void marshall(ProtocolMarshaller protocolMarshaller) { com.amazonaws.services.acmpca.model.transform.CrlConfigurationMarshaller.getInstance().marshall(this, protocolMarshaller); } }