/**
* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
* SPDX-License-Identifier: Apache-2.0.
*/
#pragma once
#include <aws/core/utils/memory/stl/AWSString.h>
#include <utility>

namespace Aws
{
namespace ACMPCA
{
namespace Model
{

  /**
   * Contains configuration information for a certificate revocation list (CRL).
   * Your private certificate authority (CA) creates base CRLs. Delta CRLs are not
   * supported. You can enable CRLs for your new or an existing private CA by setting
   * the Enabled parameter to true. Your private CA writes CRLs
   * to an S3 bucket that you specify in the S3BucketName parameter. You can
   * hide the name of your bucket by specifying a value for the CustomCname
   * parameter. Your private CA copies the CNAME or the S3 bucket name to the CRL
   * Distribution Points extension of each certificate it issues. Your S3 bucket
   * policy must give write permission to ACM Private CA.
   *
   * ACM Private CA assets that are stored in Amazon S3 can be protected with
   * encryption. For more information, see Encrypting Your CRLs.
   *
   * Your private CA uses the value in the ExpirationInDays parameter to calculate
   * the nextUpdate field in the CRL. The CRL is refreshed at 1/2 the age of next
   * update or when a certificate is revoked. When a certificate is revoked, it is
   * recorded in the next CRL that is generated and in the next audit report. Only
   * time-valid certificates are listed in the CRL. Expired certificates are not
   * included.
   *
   * CRLs contain the following fields:
   *
   * - Version: The current version number defined in RFC 5280 is V2. The integer
   *   value is 0x1.
   * - Signature Algorithm: The name of the algorithm used to sign the CRL.
   * - Issuer: The X.500 distinguished name of your private CA that issued the CRL.
   * - Last Update: The issue date and time of this CRL.
   * - Next Update: The day and time by which the next CRL will be issued.
   * - Revoked Certificates: List of revoked certificates. Each list item contains
   *   the following information.
   *   - Serial Number: The serial number, in hexadecimal format, of the revoked
   *     certificate.
   *   - Revocation Date: Date and time the certificate was revoked.
   *   - CRL Entry Extensions: Optional extensions for the CRL entry.
   *     - X509v3 CRL Reason Code: Reason the certificate was revoked.
   * - CRL Extensions: Optional extensions for the CRL.
   *   - X509v3 Authority Key Identifier: Identifies the public key associated with
   *     the private key used to sign the certificate.
   *   - X509v3 CRL Number: Decimal sequence number for the CRL.
   * - Signature Algorithm: Algorithm used by your private CA to sign the CRL.
   * - Signature Value: Signature computed over the CRL.
   *
   * Certificate revocation lists created by ACM Private CA are DER-encoded. You
   * can use the following OpenSSL command to list a CRL.
   *
   *   openssl crl -inform DER -text -in crl_path -noout
   *
   * See Also: AWS API Reference
   */
  class CrlConfiguration
  {
  public:

    /**
     * Boolean value that specifies whether certificate revocation lists (CRLs) are
     * enabled. You can use this value to enable certificate revocation for a new CA
     * when you call the CreateCertificateAuthority action or for an existing CA
     * when you call the UpdateCertificateAuthority action.
     */
    inline bool GetEnabled() const{ return m_enabled; }

    /**
     * Boolean value that specifies whether certificate revocation lists (CRLs) are
     * enabled. You can use this value to enable certificate revocation for a new CA
     * when you call the CreateCertificateAuthority action or for an existing CA
     * when you call the UpdateCertificateAuthority action.
     */
    inline bool EnabledHasBeenSet() const { return m_enabledHasBeenSet; }

    /**
     * Boolean value that specifies whether certificate revocation lists (CRLs) are
     * enabled. You can use this value to enable certificate revocation for a new CA
     * when you call the CreateCertificateAuthority action or for an existing CA
     * when you call the UpdateCertificateAuthority action.
     */
    inline void SetEnabled(bool value) { m_enabledHasBeenSet = true; m_enabled = value; }

    /**
     * Boolean value that specifies whether certificate revocation lists (CRLs) are
     * enabled. You can use this value to enable certificate revocation for a new CA
     * when you call the CreateCertificateAuthority action or for an existing CA
     * when you call the UpdateCertificateAuthority action.
     */
    inline CrlConfiguration& WithEnabled(bool value) { SetEnabled(value); return *this;}

    /**
     * Number of days until a certificate expires.
     */
    inline int GetExpirationInDays() const{ return m_expirationInDays; }

    /**
     * Number of days until a certificate expires.
     */
    inline bool ExpirationInDaysHasBeenSet() const { return m_expirationInDaysHasBeenSet; }

    /**
     * Number of days until a certificate expires.
     */
    inline void SetExpirationInDays(int value) { m_expirationInDaysHasBeenSet = true; m_expirationInDays = value; }

    /**
     * Number of days until a certificate expires.
     */
    inline CrlConfiguration& WithExpirationInDays(int value) { SetExpirationInDays(value); return *this;}

    /**
     * Name inserted into the certificate CRL Distribution Points extension
     * that enables the use of an alias for the CRL distribution point. Use this value
     * if you don't want the name of your S3 bucket to be public.
     */
    inline const Aws::String& GetCustomCname() const{ return m_customCname; }

    /**
     * Name inserted into the certificate CRL Distribution Points extension
     * that enables the use of an alias for the CRL distribution point. Use this value
     * if you don't want the name of your S3 bucket to be public.
     */
    inline bool CustomCnameHasBeenSet() const { return m_customCnameHasBeenSet; }

    /**
     * Name inserted into the certificate CRL Distribution Points extension
     * that enables the use of an alias for the CRL distribution point. Use this value
     * if you don't want the name of your S3 bucket to be public.
     */
    inline void SetCustomCname(const Aws::String& value) { m_customCnameHasBeenSet = true; m_customCname = value; }

    /**
     * Name inserted into the certificate CRL Distribution Points extension
     * that enables the use of an alias for the CRL distribution point. Use this value
     * if you don't want the name of your S3 bucket to be public.
     */
    inline void SetCustomCname(Aws::String&& value) { m_customCnameHasBeenSet = true; m_customCname = std::move(value); }

    /**
     * Name inserted into the certificate CRL Distribution Points extension
     * that enables the use of an alias for the CRL distribution point. Use this value
     * if you don't want the name of your S3 bucket to be public.
     */
    inline void SetCustomCname(const char* value) { m_customCnameHasBeenSet = true; m_customCname.assign(value); }

    /**
     * Name inserted into the certificate CRL Distribution Points extension
     * that enables the use of an alias for the CRL distribution point. Use this value
     * if you don't want the name of your S3 bucket to be public.
     */
    inline CrlConfiguration& WithCustomCname(const Aws::String& value) { SetCustomCname(value); return *this;}

    /**
     * Name inserted into the certificate CRL Distribution Points extension
     * that enables the use of an alias for the CRL distribution point. Use this value
     * if you don't want the name of your S3 bucket to be public.
     */
    inline CrlConfiguration& WithCustomCname(Aws::String&& value) { SetCustomCname(std::move(value)); return *this;}

    /**
     * Name inserted into the certificate CRL Distribution Points extension
     * that enables the use of an alias for the CRL distribution point. Use this value
     * if you don't want the name of your S3 bucket to be public.
     */
    inline CrlConfiguration& WithCustomCname(const char* value) { SetCustomCname(value); return *this;}

    /**
     * Name of the S3 bucket that contains the CRL. If you do not provide a value
     * for the CustomCname argument, the name of your S3 bucket is placed into
     * the CRL Distribution Points extension of the issued certificate. You can
     * change the name of your bucket by calling the UpdateCertificateAuthority
     * action. You must specify a bucket policy that allows ACM Private CA to write the
     * CRL to your bucket.
     */
    inline const Aws::String& GetS3BucketName() const{ return m_s3BucketName; }

    /**
     * Name of the S3 bucket that contains the CRL. If you do not provide a value
     * for the CustomCname argument, the name of your S3 bucket is placed into
     * the CRL Distribution Points extension of the issued certificate. You can
     * change the name of your bucket by calling the UpdateCertificateAuthority
     * action. You must specify a bucket policy that allows ACM Private CA to write the
     * CRL to your bucket.
     */
    inline bool S3BucketNameHasBeenSet() const { return m_s3BucketNameHasBeenSet; }

    /**
     * Name of the S3 bucket that contains the CRL. If you do not provide a value
     * for the CustomCname argument, the name of your S3 bucket is placed into
     * the CRL Distribution Points extension of the issued certificate. You can
     * change the name of your bucket by calling the UpdateCertificateAuthority
     * action. You must specify a bucket policy that allows ACM Private CA to write the
     * CRL to your bucket.
     */
    inline void SetS3BucketName(const Aws::String& value) { m_s3BucketNameHasBeenSet = true; m_s3BucketName = value; }

    /**
     * Name of the S3 bucket that contains the CRL. If you do not provide a value
     * for the CustomCname argument, the name of your S3 bucket is placed into
     * the CRL Distribution Points extension of the issued certificate. You can
     * change the name of your bucket by calling the UpdateCertificateAuthority
     * action. You must specify a bucket policy that allows ACM Private CA to write the
     * CRL to your bucket.
     */
    inline void SetS3BucketName(Aws::String&& value) { m_s3BucketNameHasBeenSet = true; m_s3BucketName = std::move(value); }

    /**
     * Name of the S3 bucket that contains the CRL. If you do not provide a value
     * for the CustomCname argument, the name of your S3 bucket is placed into
     * the CRL Distribution Points extension of the issued certificate. You can
     * change the name of your bucket by calling the UpdateCertificateAuthority
     * action. You must specify a bucket policy that allows ACM Private CA to write the
     * CRL to your bucket.
     */
    inline void SetS3BucketName(const char* value) { m_s3BucketNameHasBeenSet = true; m_s3BucketName.assign(value); }

    /**
     * Name of the S3 bucket that contains the CRL. If you do not provide a value
     * for the CustomCname argument, the name of your S3 bucket is placed into
     * the CRL Distribution Points extension of the issued certificate. You can
     * change the name of your bucket by calling the UpdateCertificateAuthority
     * action. You must specify a bucket policy that allows ACM Private CA to write the
     * CRL to your bucket.
     */
    inline CrlConfiguration& WithS3BucketName(const Aws::String& value) { SetS3BucketName(value); return *this;}

    /**
     * Name of the S3 bucket that contains the CRL. If you do not provide a value
     * for the CustomCname argument, the name of your S3 bucket is placed into
     * the CRL Distribution Points extension of the issued certificate. You can
     * change the name of your bucket by calling the UpdateCertificateAuthority
     * action. You must specify a bucket policy that allows ACM Private CA to write the
     * CRL to your bucket.
     */
    inline CrlConfiguration& WithS3BucketName(Aws::String&& value) { SetS3BucketName(std::move(value)); return *this;}

    /**
     * Name of the S3 bucket that contains the CRL. If you do not provide a value
     * for the CustomCname argument, the name of your S3 bucket is placed into
     * the CRL Distribution Points extension of the issued certificate. You can
     * change the name of your bucket by calling the UpdateCertificateAuthority
     * action. You must specify a bucket policy that allows ACM Private CA to write the
     * CRL to your bucket.
     */
    inline CrlConfiguration& WithS3BucketName(const char* value) { SetS3BucketName(value); return *this;}

  private:

    // Values and flags start cleared so the HasBeenSet accessors are well-defined
    // before any setter runs.
    bool m_enabled = false;
    bool m_enabledHasBeenSet = false;

    int m_expirationInDays = 0;
    bool m_expirationInDaysHasBeenSet = false;

    Aws::String m_customCname;
    bool m_customCnameHasBeenSet = false;

    Aws::String m_s3BucketName;
    bool m_s3BucketNameHasBeenSet = false;
  };

} // namespace Model
} // namespace ACMPCA
} // namespace Aws
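
The header fields named in the class comment (Version, Last Update, Next Update) can be read directly from a DER-encoded CRL, which lets a relying party reject a CRL that is past its Next Update. The following is an added example, not part of the AWS SDK: a bounds-checked reader for the CRL header plus a staleness check. The names `readTlv`, `parseCrlHeader`, `isStale` and `sampleCrl` are hypothetical, the sample bytes are constructed and unsigned, and the code assumes UTCTime timestamps and a present nextUpdate, as RFC 5280 requires of conforming CRLs.

```cpp
#include <cstddef>
#include <stdexcept>
#include <string>
#include <vector>

using Bytes = std::vector<unsigned char>;
struct Tlv { unsigned char tag; size_t begin, end; };  // value occupies [begin, end)
struct CrlHeader { int version; std::string lastUpdate, nextUpdate; };
static void require(bool ok, const char* why) { if (!ok) throw std::runtime_error(why); }
// Decode one DER tag-length-value at pos; nothing may run past limit.
static Tlv readTlv(const Bytes& d, size_t pos, size_t limit) {
    require(limit <= d.size() && pos < limit && limit - pos >= 2, "truncated TLV");
    unsigned char tag = d[pos++];
    size_t len = d[pos++];
    if (len & 0x80) {                      // long form: low 7 bits count the length bytes
        size_t n = len & 0x7f;
        require(n >= 1 && n <= 4 && n <= limit - pos, "bad length");
        for (len = 0; n > 0; --n) len = (len << 8) | d[pos++];
    }
    require(len <= limit - pos, "value overruns its container");
    return {tag, pos, pos + len};
}
// Walk CertificateList -> tbsCertList; return version, Last Update and Next Update.
CrlHeader parseCrlHeader(const Bytes& der) {
    Tlv list = readTlv(der, 0, der.size());
    Tlv tbs = readTlv(der, list.begin, list.end);
    require(list.tag == 0x30 && tbs.tag == 0x30, "not a CRL");
    CrlHeader h{0, "", ""};                // an omitted version field means v1
    Tlv t = readTlv(der, tbs.begin, tbs.end);
    if (t.tag == 0x02) {                   // version INTEGER; V2 is encoded as 0x1
        require(t.end - t.begin == 1, "bad version");
        h.version = der[t.begin];
        t = readTlv(der, t.end, tbs.end);  // signature algorithm
    }
    t = readTlv(der, t.end, tbs.end);      // issuer
    Tlv last = readTlv(der, t.end, tbs.end), next = readTlv(der, last.end, tbs.end);
    require(last.tag == 0x17 && next.tag == 0x17, "update times must be UTCTime");
    h.lastUpdate.assign(der.begin() + last.begin, der.begin() + last.end);
    h.nextUpdate.assign(der.begin() + next.begin, der.begin() + next.end);
    return h;
}
// Stale once nowUtc, also UTCTime "YYMMDDHHMMSSZ", sorts after Next Update.
bool isStale(const CrlHeader& h, const std::string& nowUtc) { return nowUtc > h.nextUpdate; }
// Constructed sample (header only, unsigned): v2, sha256WithRSAEncryption, empty issuer.
Bytes sampleCrl() {
    Bytes d = {0x30, 0x34, 0x30, 0x32, 0x02, 0x01, 0x01, 0x30, 0x0d, 0x06, 0x09, 0x2a,
               0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x30, 0x00};
    for (const char* s : {"240101000000Z", "240108000000Z"}) { d.push_back(0x17); d.push_back(13); d.insert(d.end(), s, s + 13); }
    return d;
}
```

The string comparison in `isStale` is only valid between two UTCTime values in the same century; a production check should also verify the CRL signature before trusting any of these fields.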