{ "description": "CertificateAuthority is the Schema for the CertificateAuthorities API", "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object.\nServers should convert recognized schemas to the latest internal value, and\nmay reject unrecognized values.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", "type": "string" }, "kind": { "description": "Kind is a string value representing the REST resource this object represents.\nServers may infer this from the endpoint the client submits requests to.\nCannot be updated.\nIn CamelCase.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", "type": "string" }, "metadata": { "type": "object" }, "spec": { "description": "CertificateAuthoritySpec defines the desired state of CertificateAuthority.\n\nContains information about your private certificate authority (CA). Your\nprivate CA can issue and revoke X.509 digital certificates. Digital certificates\nverify that the entity named in the certificate Subject field owns or controls\nthe public key contained in the Subject Public Key Info field. Call the CreateCertificateAuthority\n(https://docs.aws.amazon.com/privateca/latest/APIReference/API_CreateCertificateAuthority.html)\naction to create your private CA. You must then call the GetCertificateAuthorityCertificate\n(https://docs.aws.amazon.com/privateca/latest/APIReference/API_GetCertificateAuthorityCertificate.html)\naction to retrieve a private CA certificate signing request (CSR). Sign the\nCSR with your Amazon Web Services Private CA-hosted or on-premises root or\nsubordinate CA certificate. Call the ImportCertificateAuthorityCertificate\n(https://docs.aws.amazon.com/privateca/latest/APIReference/API_ImportCertificateAuthorityCertificate.html)\naction to import the signed certificate into Certificate Manager (ACM).", "properties": { "certificateAuthorityConfiguration": { "description": "Name and bit size of the private key algorithm, the name of the signing algorithm,\nand X.500 certificate subject information.", "properties": { "csrExtensions": { "description": "Describes the certificate extensions to be added to the certificate signing\nrequest (CSR).", "properties": { "keyUsage": { "description": "Defines one or more purposes for which the key contained in the certificate\ncan be used. Default value for each option is false.", "properties": { "crlSign": { "type": "boolean" }, "dataEncipherment": { "type": "boolean" }, "decipherOnly": { "type": "boolean" }, "digitalSignature": { "type": "boolean" }, "encipherOnly": { "type": "boolean" }, "keyAgreement": { "type": "boolean" }, "keyCertSign": { "type": "boolean" }, "keyEncipherment": { "type": "boolean" }, "nonRepudiation": { "type": "boolean" } }, "type": "object", "additionalProperties": false }, "subjectInformationAccess": { "items": { "description": "Provides access information used by the authorityInfoAccess and subjectInfoAccess\nextensions described in RFC 5280 (https://datatracker.ietf.org/doc/html/rfc5280).", "properties": { "accessLocation": { "description": "Describes an ASN.1 X.400 GeneralName as defined in RFC 5280 (https://datatracker.ietf.org/doc/html/rfc5280).\nOnly one of the following naming options should be provided. Providing more\nthan one option results in an InvalidArgsException error.", "properties": { "directoryName": { "description": "Contains information about the certificate subject. The Subject field in\nthe certificate identifies the entity that owns or controls the public key\nin the certificate. The entity can be a user, computer, device, or service.\nThe Subject must contain an X.500 distinguished name (DN). A DN is a sequence\nof relative distinguished names (RDNs). The RDNs are separated by commas\nin the certificate.", "properties": { "commonName": { "type": "string" }, "country": { "type": "string" }, "customAttributes": { "items": { "description": "Defines the X.500 relative distinguished name (RDN).", "properties": { "objectIdentifier": { "type": "string" }, "value": { "type": "string" } }, "type": "object", "additionalProperties": false }, "type": "array" }, "distinguishedNameQualifier": { "type": "string" }, "generationQualifier": { "type": "string" }, "givenName": { "type": "string" }, "initials": { "type": "string" }, "locality": { "type": "string" }, "organization": { "type": "string" }, "organizationalUnit": { "type": "string" }, "pseudonym": { "type": "string" }, "serialNumber": { "type": "string" }, "state": { "type": "string" }, "surname": { "type": "string" }, "title": { "type": "string" } }, "type": "object", "additionalProperties": false }, "dnsName": { "type": "string" }, "ediPartyName": { "description": "Describes an Electronic Data Interchange (EDI) entity as described in as\ndefined in Subject Alternative Name (https://datatracker.ietf.org/doc/html/rfc5280)\nin RFC 5280.", "properties": { "nameAssigner": { "type": "string" }, "partyName": { "type": "string" } }, "type": "object", "additionalProperties": false }, "ipAddress": { "type": "string" }, "otherName": { "description": "Defines a custom ASN.1 X.400 GeneralName using an object identifier (OID)\nand value. The OID must satisfy the regular expression shown below. For more\ninformation, see NIST's definition of Object Identifier (OID) (https://csrc.nist.gov/glossary/term/Object_Identifier).", "properties": { "typeID": { "type": "string" }, "value": { "type": "string" } }, "type": "object", "additionalProperties": false }, "registeredID": { "type": "string" }, "rfc822Name": { "type": "string" }, "uniformResourceIdentifier": { "type": "string" } }, "type": "object", "additionalProperties": false }, "accessMethod": { "description": "Describes the type and format of extension access. Only one of CustomObjectIdentifier\nor AccessMethodType may be provided. Providing both results in InvalidArgsException.", "properties": { "accessMethodType": { "type": "string" }, "customObjectIdentifier": { "type": "string" } }, "type": "object", "additionalProperties": false } }, "type": "object", "additionalProperties": false }, "type": "array" } }, "type": "object", "additionalProperties": false }, "keyAlgorithm": { "type": "string" }, "signingAlgorithm": { "type": "string" }, "subject": { "description": "Contains information about the certificate subject. The Subject field in\nthe certificate identifies the entity that owns or controls the public key\nin the certificate. The entity can be a user, computer, device, or service.\nThe Subject must contain an X.500 distinguished name (DN). A DN is a sequence\nof relative distinguished names (RDNs). The RDNs are separated by commas\nin the certificate.", "properties": { "commonName": { "type": "string" }, "country": { "type": "string" }, "customAttributes": { "items": { "description": "Defines the X.500 relative distinguished name (RDN).", "properties": { "objectIdentifier": { "type": "string" }, "value": { "type": "string" } }, "type": "object", "additionalProperties": false }, "type": "array" }, "distinguishedNameQualifier": { "type": "string" }, "generationQualifier": { "type": "string" }, "givenName": { "type": "string" }, "initials": { "type": "string" }, "locality": { "type": "string" }, "organization": { "type": "string" }, "organizationalUnit": { "type": "string" }, "pseudonym": { "type": "string" }, "serialNumber": { "type": "string" }, "state": { "type": "string" }, "surname": { "type": "string" }, "title": { "type": "string" } }, "type": "object", "additionalProperties": false } }, "type": "object", "x-kubernetes-validations": [ { "message": "Value is immutable once set", "rule": "self == oldSelf" } ], "additionalProperties": false }, "keyStorageSecurityStandard": { "description": "Specifies a cryptographic key management compliance standard used for handling\nCA keys.\n\nDefault: FIPS_140_2_LEVEL_3_OR_HIGHER\n\nSome Amazon Web Services Regions do not support the default. When creating\na CA in these Regions, you must provide FIPS_140_2_LEVEL_2_OR_HIGHER as the\nargument for KeyStorageSecurityStandard. Failure to do this results in an\nInvalidArgsException with the message, \"A certificate authority cannot be\ncreated in this region with the specified security standard.\"\n\nFor information about security standard support in various Regions, see Storage\nand security compliance of Amazon Web Services Private CA private keys (https://docs.aws.amazon.com/privateca/latest/userguide/data-protection.html#private-keys).", "type": "string", "x-kubernetes-validations": [ { "message": "Value is immutable once set", "rule": "self == oldSelf" } ] }, "revocationConfiguration": { "description": "Contains information to enable support for Online Certificate Status Protocol\n(OCSP), certificate revocation list (CRL), both protocols, or neither. By\ndefault, both certificate validation mechanisms are disabled.\n\nThe following requirements apply to revocation configurations.\n\n - A configuration disabling CRLs or OCSP must contain only the Enabled=False\n parameter, and will fail if other parameters such as CustomCname or ExpirationInDays\n are included.\n\n - In a CRL configuration, the S3BucketName parameter must conform to Amazon\n S3 bucket naming rules (https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucketnamingrules.html).\n\n - A configuration containing a custom Canonical Name (CNAME) parameter\n for CRLs or OCSP must conform to RFC2396 (https://www.ietf.org/rfc/rfc2396.txt)\n restrictions on the use of special characters in a CNAME.\n\n - In a CRL or OCSP configuration, the value of a CNAME parameter must\n not include a protocol prefix such as \"http://\" or \"https://\".\n\nFor more information, see the OcspConfiguration (https://docs.aws.amazon.com/privateca/latest/APIReference/API_OcspConfiguration.html)\nand CrlConfiguration (https://docs.aws.amazon.com/privateca/latest/APIReference/API_CrlConfiguration.html)\ntypes.", "properties": { "crlConfiguration": { "description": "Contains configuration information for a certificate revocation list (CRL).\nYour private certificate authority (CA) creates base CRLs. Delta CRLs are\nnot supported. You can enable CRLs for your new or an existing private CA\nby setting the Enabled parameter to true. Your private CA writes CRLs to\nan S3 bucket that you specify in the S3BucketName parameter. You can hide\nthe name of your bucket by specifying a value for the CustomCname parameter.\nYour private CA by default copies the CNAME or the S3 bucket name to the\nCRL Distribution Points extension of each certificate it issues. If you want\nto configure this default behavior to be something different, you can set\nthe CrlDistributionPointExtensionConfiguration parameter. Your S3 bucket\npolicy must give write permission to Amazon Web Services Private CA.\n\nAmazon Web Services Private CA assets that are stored in Amazon S3 can be\nprotected with encryption. For more information, see Encrypting Your CRLs\n(https://docs.aws.amazon.com/privateca/latest/userguide/crl-planning.html#crl-encryption).\n\nYour private CA uses the value in the ExpirationInDays parameter to calculate\nthe nextUpdate field in the CRL. The CRL is refreshed prior to a certificate's\nexpiration date or when a certificate is revoked. When a certificate is revoked,\nit appears in the CRL until the certificate expires, and then in one additional\nCRL after expiration, and it always appears in the audit report.\n\nA CRL is typically updated approximately 30 minutes after a certificate is\nrevoked. If for any reason a CRL update fails, Amazon Web Services Private\nCA makes further attempts every 15 minutes.\n\nCRLs contain the following fields:\n\n * Version: The current version number defined in RFC 5280 is V2. The integer\n value is 0x1.\n\n * Signature Algorithm: The name of the algorithm used to sign the CRL.\n\n * Issuer: The X.500 distinguished name of your private CA that issued\n the CRL.\n\n * Last Update: The issue date and time of this CRL.\n\n * Next Update: The day and time by which the next CRL will be issued.\n\n * Revoked Certificates: List of revoked certificates. Each list item contains\n the following information. Serial Number: The serial number, in hexadecimal\n format, of the revoked certificate. Revocation Date: Date and time the\n certificate was revoked. CRL Entry Extensions: Optional extensions for\n the CRL entry. X509v3 CRL Reason Code: Reason the certificate was revoked.\n\n * CRL Extensions: Optional extensions for the CRL. X509v3 Authority Key\n Identifier: Identifies the public key associated with the private key\n used to sign the certificate. X509v3 CRL Number:: Decimal sequence number\n for the CRL.\n\n * Signature Algorithm: Algorithm used by your private CA to sign the CRL.\n\n * Signature Value: Signature computed over the CRL.\n\nCertificate revocation lists created by Amazon Web Services Private CA are\nDER-encoded. You can use the following OpenSSL command to list a CRL.\n\nopenssl crl -inform DER -text -in crl_path -noout\n\nFor more information, see Planning a certificate revocation list (CRL) (https://docs.aws.amazon.com/privateca/latest/userguide/crl-planning.html)\nin the Amazon Web Services Private Certificate Authority User Guide", "properties": { "customCNAME": { "type": "string" }, "enabled": { "type": "boolean" }, "expirationInDays": { "format": "int64", "type": "integer" }, "s3BucketName": { "type": "string" }, "s3ObjectACL": { "type": "string" } }, "type": "object", "additionalProperties": false }, "ocspConfiguration": { "description": "Contains information to enable and configure Online Certificate Status Protocol\n(OCSP) for validating certificate revocation status.\n\nWhen you revoke a certificate, OCSP responses may take up to 60 minutes to\nreflect the new status.", "properties": { "enabled": { "type": "boolean" }, "ocspCustomCNAME": { "type": "string" } }, "type": "object", "additionalProperties": false } }, "type": "object", "additionalProperties": false }, "tags": { "description": "Key-value pairs that will be attached to the new private CA. You can associate\nup to 50 tags with a private CA. For information using tags with IAM to manage\npermissions, see Controlling Access Using IAM Tags (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_iam-tags.html).", "items": { "description": "Tags are labels that you can use to identify and organize your private CAs.\nEach tag consists of a key and an optional value. You can associate up to\n50 tags with a private CA. To add one or more tags to a private CA, call\nthe TagCertificateAuthority (https://docs.aws.amazon.com/privateca/latest/APIReference/API_TagCertificateAuthority.html)\naction. To remove a tag, call the UntagCertificateAuthority (https://docs.aws.amazon.com/privateca/latest/APIReference/API_UntagCertificateAuthority.html)\naction.", "properties": { "key": { "type": "string" }, "value": { "type": "string" } }, "type": "object", "additionalProperties": false }, "type": "array" }, "type": { "description": "The type of the certificate authority.", "type": "string", "x-kubernetes-validations": [ { "message": "Value is immutable once set", "rule": "self == oldSelf" } ] }, "usageMode": { "description": "Specifies whether the CA issues general-purpose certificates that typically\nrequire a revocation mechanism, or short-lived certificates that may optionally\nomit revocation because they expire quickly. Short-lived certificate validity\nis limited to seven days.\n\nThe default value is GENERAL_PURPOSE.", "type": "string", "x-kubernetes-validations": [ { "message": "Value is immutable once set", "rule": "self == oldSelf" } ] } }, "required": [ "certificateAuthorityConfiguration", "type" ], "type": "object", "additionalProperties": false }, "status": { "description": "CertificateAuthorityStatus defines the observed state of CertificateAuthority", "properties": { "ackResourceMetadata": { "description": "All CRs managed by ACK have a common `Status.ACKResourceMetadata` member\nthat is used to contain resource sync state, account ownership,\nconstructed ARN for the resource", "properties": { "arn": { "description": "ARN is the Amazon Resource Name for the resource. This is a\nglobally-unique identifier and is set only by the ACK service controller\nonce the controller has orchestrated the creation of the resource OR\nwhen it has verified that an \"adopted\" resource (a resource where the\nARN annotation was set by the Kubernetes user on the CR) exists and\nmatches the supplied CR's Spec field values.\nhttps://github.com/aws/aws-controllers-k8s/issues/270", "type": "string" }, "ownerAccountID": { "description": "OwnerAccountID is the AWS Account ID of the account that owns the\nbackend AWS service API resource.", "type": "string" }, "region": { "description": "Region is the AWS region in which the resource exists or will exist.", "type": "string" } }, "required": [ "ownerAccountID", "region" ], "type": "object", "additionalProperties": false }, "certificateSigningRequest": { "description": "The base64 PEM-encoded certificate signing request (CSR) for your private\nCA certificate.", "type": "string" }, "conditions": { "description": "All CRs managed by ACK have a common `Status.Conditions` member that\ncontains a collection of `ackv1alpha1.Condition` objects that describe\nthe various terminal states of the CR and its backend AWS service API\nresource", "items": { "description": "Condition is the common struct used by all CRDs managed by ACK service\ncontrollers to indicate terminal states of the CR and its backend AWS\nservice API resource", "properties": { "lastTransitionTime": { "description": "Last time the condition transitioned from one status to another.", "format": "date-time", "type": "string" }, "message": { "description": "A human readable message indicating details about the transition.", "type": "string" }, "reason": { "description": "The reason for the condition's last transition.", "type": "string" }, "status": { "description": "Status of the condition, one of True, False, Unknown.", "type": "string" }, "type": { "description": "Type is the type of the Condition", "type": "string" } }, "required": [ "status", "type" ], "type": "object", "additionalProperties": false }, "type": "array" }, "createdAt": { "description": "Date and time at which your private CA was created.", "format": "date-time", "type": "string" }, "failureReason": { "description": "Reason the request to create your private CA failed.", "type": "string" }, "lastStateChangeAt": { "description": "Date and time at which your private CA was last updated.", "format": "date-time", "type": "string" }, "notAfter": { "description": "Date and time after which your private CA certificate is not valid.", "format": "date-time", "type": "string" }, "notBefore": { "description": "Date and time before which your private CA certificate is not valid.", "format": "date-time", "type": "string" }, "ownerAccount": { "description": "The Amazon Web Services account ID that owns the certificate authority.\n\nRegex Pattern: `^[0-9]+$`", "type": "string" }, "restorableUntil": { "description": "The period during which a deleted CA can be restored. For more information,\nsee the PermanentDeletionTimeInDays parameter of the DeleteCertificateAuthorityRequest\n(https://docs.aws.amazon.com/privateca/latest/APIReference/API_DeleteCertificateAuthorityRequest.html)\naction.", "format": "date-time", "type": "string" }, "serial": { "description": "Serial number of your private CA.", "type": "string" }, "status": { "description": "Status of your private CA.", "type": "string" } }, "type": "object", "additionalProperties": false } }, "type": "object" }