feat(client-acm-pca): AWS Private CA now supports an option to omit the CDP extension from issued certificates, when CRL revocation is enabled.

Author: awstools

clients/client-acm-pca/src/commands/CreateCertificateAuthorityCommand.ts

@@ -147,6 +147,9 @@ export interface CreateCertificateAuthorityCommandOutput extends CreateCertifica
  *       CustomCname: "STRING_VALUE",
  *       S3BucketName: "STRING_VALUE",
  *       S3ObjectAcl: "PUBLIC_READ" || "BUCKET_OWNER_FULL_CONTROL",
+ *       CrlDistributionPointExtensionConfiguration: { // CrlDistributionPointExtensionConfiguration
+ *         OmitExtension: true || false, // required
+ *       },
  *     },
  *     OcspConfiguration: { // OcspConfiguration
  *       Enabled: true || false, // required

clients/client-acm-pca/src/commands/DescribeCertificateAuthorityCommand.ts

@@ -188,6 +188,9 @@ export interface DescribeCertificateAuthorityCommandOutput
  * //         CustomCname: "STRING_VALUE",
  * //         S3BucketName: "STRING_VALUE",
  * //         S3ObjectAcl: "PUBLIC_READ" || "BUCKET_OWNER_FULL_CONTROL",
+ * //         CrlDistributionPointExtensionConfiguration: { // CrlDistributionPointExtensionConfiguration
+ * //           OmitExtension: true || false, // required
+ * //         },
  * //       },
  * //       OcspConfiguration: { // OcspConfiguration
  * //         Enabled: true || false, // required

clients/client-acm-pca/src/commands/ListCertificateAuthoritiesCommand.ts

@@ -146,6 +146,9 @@ export interface ListCertificateAuthoritiesCommandOutput extends ListCertificate
  * //           CustomCname: "STRING_VALUE",
  * //           S3BucketName: "STRING_VALUE",
  * //           S3ObjectAcl: "PUBLIC_READ" || "BUCKET_OWNER_FULL_CONTROL",
+ * //           CrlDistributionPointExtensionConfiguration: { // CrlDistributionPointExtensionConfiguration
+ * //             OmitExtension: true || false, // required
+ * //           },
  * //         },
  * //         OcspConfiguration: { // OcspConfiguration
  * //           Enabled: true || false, // required

clients/client-acm-pca/src/commands/UpdateCertificateAuthorityCommand.ts

@@ -54,6 +54,9 @@ export interface UpdateCertificateAuthorityCommandOutput extends __MetadataBeare
  *       CustomCname: "STRING_VALUE",
  *       S3BucketName: "STRING_VALUE",
  *       S3ObjectAcl: "PUBLIC_READ" || "BUCKET_OWNER_FULL_CONTROL",
+ *       CrlDistributionPointExtensionConfiguration: { // CrlDistributionPointExtensionConfiguration
+ *         OmitExtension: true || false, // required
+ *       },
  *     },
  *     OcspConfiguration: { // OcspConfiguration
  *       Enabled: true || false, // required

clients/client-acm-pca/src/models/models_0.ts

@@ -486,6 +486,25 @@ export const KeyStorageSecurityStandard = {
  */
 export type KeyStorageSecurityStandard = (typeof KeyStorageSecurityStandard)[keyof typeof KeyStorageSecurityStandard];
 
+/**
+ * @public
+ * <p>Contains configuration information for the default behavior of the CRL Distribution Point (CDP) extension in certificates issued by your CA. This extension
+ * 			contains a link to download the CRL, so you can check whether a certificate has been revoked. To choose whether you want this extension
+ * 			omitted or not in certificates issued by your CA, you can set the <b>OmitExtension</b> parameter.</p>
+ */
+export interface CrlDistributionPointExtensionConfiguration {
+  /**
+   * @public
+   * <p>Configures whether the CRL Distribution Point extension should be populated with the default URL to the CRL. If set to <code>true</code>, then the CDP extension will
+   * 			not be present in any certificates issued by that CA unless otherwise specified through CSR or API passthrough.</p>
+   *          <note>
+   *             <p>Only set this if you have another way to distribute the CRL Distribution Points ffor certificates issued by your CA, such as the Matter Distributed Compliance Ledger</p>
+   *             <p>This configuration cannot be enabled with a custom CNAME set.</p>
+   *          </note>
+   */
+  OmitExtension: boolean | undefined;
+}
+
 /**
  * @public
  * @enum
@@ -507,8 +526,10 @@ export type S3ObjectAcl = (typeof S3ObjectAcl)[keyof typeof S3ObjectAcl];
  * 			can enable CRLs for your new or an existing private CA by setting the <b>Enabled</b> parameter to <code>true</code>. Your private CA
  * 			writes CRLs to an S3 bucket that you specify in the <b>S3BucketName</b> parameter. You can hide the name of your bucket by
  * 			specifying a value for the <b>CustomCname</b> parameter. Your
- * 			private CA copies the CNAME or the S3 bucket name to the <b>CRL
- * 				Distribution Points</b> extension of each certificate it issues. Your S3
+ * 			private CA by default copies the CNAME or the S3 bucket name to the <b>CRL
+ * 				Distribution Points</b> extension of each certificate it issues. If you want to configure
+ * 				this default behavior to be something different, you can set the <b>CrlDistributionPointExtensionConfiguration</b>
+ * 				parameter. Your S3
  * 			bucket policy must give write permission to Amazon Web Services Private CA. </p>
  *          <p>Amazon Web Services Private CA assets that are stored in Amazon S3 can be protected with encryption.
  *   For more information, see <a href="https://docs.aws.amazon.com/privateca/latest/userguide/PcaCreateCa.html#crl-encryption">Encrypting Your
@@ -678,6 +699,12 @@ export interface CrlConfiguration {
    * 				bucket</a>.</p>
    */
   S3ObjectAcl?: S3ObjectAcl;
+
+  /**
+   * @public
+   * <p>Configures the behavior of the CRL Distribution Point extension for certificates issued by your certificate authority. If this field is not provided, then the CRl Distribution Point Extension will be present and contain the default CRL URL.</p>
+   */
+  CrlDistributionPointExtensionConfiguration?: CrlDistributionPointExtensionConfiguration;
 }
 
 /**
@@ -2311,6 +2338,7 @@ export interface ListCertificateAuthoritiesRequest {
    * 			specify, the <code>NextToken</code> element is sent in the response. Use this
    * 				<code>NextToken</code> value in a subsequent request to retrieve additional
    * 			items.</p>
+   *          <p>Although the maximum value is 1000, the action only returns a maximum of 100 items.</p>
    */
   MaxResults?: number;
 

clients/client-acm-pca/src/protocols/Aws_json1_1.ts

@@ -95,6 +95,7 @@ import {
   CreateCertificateAuthorityRequest,
   CreatePermissionRequest,
   CrlConfiguration,
+  CrlDistributionPointExtensionConfiguration,
   CsrExtensions,
   CustomAttribute,
   CustomExtension,
@@ -2062,6 +2063,8 @@ const de_TooManyTagsExceptionRes = async (
 
 // se_CrlConfiguration omitted.
 
+// se_CrlDistributionPointExtensionConfiguration omitted.
+
 // se_CsrExtensions omitted.
 
 // se_CustomAttribute omitted.
@@ -2229,6 +2232,8 @@ const de_CertificateAuthority = (output: any, context: __SerdeContext): Certific
 
 // de_CrlConfiguration omitted.
 
+// de_CrlDistributionPointExtensionConfiguration omitted.
+
 // de_CsrExtensions omitted.
 
 // de_CustomAttribute omitted.

clients/client-acm-pca/src/waiters/waitForCertificateIssued.ts

@@ -26,7 +26,7 @@ export const waitForCertificateIssued = async (
   params: WaiterConfiguration<ACMPCAClient>,
   input: GetCertificateCommandInput
 ): Promise<WaiterResult> => {
-  const serviceDefaults = { minDelay: 3, maxDelay: 120 };
+  const serviceDefaults = { minDelay: 1, maxDelay: 120 };
   return createWaiter({ ...serviceDefaults, ...params }, input, checkState);
 };
 /**
@@ -38,7 +38,7 @@ export const waitUntilCertificateIssued = async (
   params: WaiterConfiguration<ACMPCAClient>,
   input: GetCertificateCommandInput
 ): Promise<WaiterResult> => {
-  const serviceDefaults = { minDelay: 3, maxDelay: 120 };
+  const serviceDefaults = { minDelay: 1, maxDelay: 120 };
   const result = await createWaiter({ ...serviceDefaults, ...params }, input, checkState);
   return checkExceptions(result);
 };