// Code generated by smithy-go-codegen DO NOT EDIT.

package acmpca

import (
	"context"
	awsmiddleware "github.com/aws/aws-sdk-go-v2/aws/middleware"
	"github.com/aws/aws-sdk-go-v2/aws/signer/v4"
	"github.com/aws/aws-sdk-go-v2/service/acmpca/types"
	"github.com/aws/smithy-go/middleware"
	smithyhttp "github.com/aws/smithy-go/transport/http"
)

// IssueCertificate uses your private certificate authority (CA), or one that has been shared with
// you, to issue a client certificate. This action returns the Amazon Resource Name
// (ARN) of the certificate. You can retrieve the certificate by calling the
// GetCertificate
// (https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_GetCertificate.html)
// action and specifying the ARN. You cannot use the ACM ListCertificateAuthorities
// action to retrieve the ARNs of the certificates that you issue by using ACM
// Private CA.
//
// A nil params is replaced by an empty IssueCertificateInput; the required
// members are then missing and the request is expected to be rejected
// (presumably by the validation middleware registered in
// addOperationIssueCertificateMiddlewares — confirm). The returned error is
// whatever c.invokeOperation reports; on success the output carries the
// operation metadata in ResultMetadata.
func (c *Client) IssueCertificate(ctx context.Context, params *IssueCertificateInput, optFns ...func(*Options)) (*IssueCertificateOutput, error) {
	if params == nil {
		params = &IssueCertificateInput{}
	}

	result, metadata, err := c.invokeOperation(ctx, "IssueCertificate", params, optFns, addOperationIssueCertificateMiddlewares)
	if err != nil {
		return nil, err
	}

	// Unchecked assertion: the deserializer registered for this operation is
	// relied on to produce *IssueCertificateOutput; any other type panics here.
	out := result.(*IssueCertificateOutput)
	out.ResultMetadata = metadata
	return out, nil
}

// IssueCertificateInput is the request for IssueCertificate. Required members
// are marked below; nothing in this file fills in defaults for them.
type IssueCertificateInput struct {

	// The Amazon Resource Name (ARN) that was returned when you called
	// CreateCertificateAuthority
	// (https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_CreateCertificateAuthority.html).
	// This must be of the form:
	// arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012
	//
	// This member is required.
	CertificateAuthorityArn *string

	// The certificate signing request (CSR) for the certificate you want to issue. As
	// an example, you can use the following OpenSSL command to create the CSR and a
	// 2048 bit RSA private key. openssl req -new -newkey rsa:2048 -days 365 -keyout
	// private/test_cert_priv_key.pem -out csr/test_cert_.csr If you have a
	// configuration file, you can then use the following OpenSSL command. The usr_cert
	// block in the configuration file contains your X509 version 3 extensions. openssl
	// req -new -config openssl_rsa.cnf -extensions usr_cert -newkey rsa:2048 -days
	// -365 -keyout private/test_cert_priv_key.pem -out csr/test_cert_.csr Note: A CSR
	// must provide either a subject name or a subject alternative name or the request
	// will be rejected.
	//
	// NOTE(review): the bytes are sent as given; nothing in this file parses or
	// inspects the CSR, so which of its requested fields and extensions end up in
	// the issued certificate is decided by the service and the selected
	// TemplateArn — confirm against the template documentation linked below.
	//
	// This member is required.
	Csr []byte

	// The name of the algorithm that will be used to sign the certificate to be
	// issued. This parameter should not be confused with the SigningAlgorithm
	// parameter used to sign a CSR in the CreateCertificateAuthority action.
	//
	// This member is required.
	SigningAlgorithm types.SigningAlgorithm

	// Information describing the end of the validity period of the certificate. This
	// parameter sets the “Not After” date for the certificate. Certificate validity is
	// the period of time during which a certificate is valid. Validity can be
	// expressed as an explicit date and time when the certificate expires, or as a
	// span of time after issuance, stated in days, months, or years. For more
	// information, see Validity (https://tools.ietf.org/html/rfc5280#section-4.1.2.5)
	// in RFC 5280. This value is unaffected when ValidityNotBefore is also specified.
	// For example, if Validity is set to 20 days in the future, the certificate will
	// expire 20 days from issuance time regardless of the ValidityNotBefore value. The
	// end of the validity period configured on a certificate must not exceed the limit
	// set on its parents in the CA hierarchy.
	//
	// This member is required.
	Validity *types.Validity

	// Specifies X.509 certificate information to be included in the issued
	// certificate. An APIPassthrough or APICSRPassthrough template variant must be
	// selected, or else this parameter is ignored. For more information about using
	// these templates, see Understanding Certificate Templates
	// (https://docs.aws.amazon.com/acm-pca/latest/userguide/UsingTemplates.html). If
	// conflicting or duplicate certificate information is supplied during certificate
	// issuance, ACM Private CA applies order of operation rules to determine what
	// information is used.
	ApiPassthrough *types.ApiPassthrough

	// Alphanumeric string that can be used to distinguish between calls to the
	// IssueCertificate action. Idempotency tokens for IssueCertificate time out after
	// one minute. Therefore, if you call IssueCertificate multiple times with the same
	// idempotency token within one minute, ACM Private CA recognizes that you are
	// requesting only one certificate and will issue only one. If you change the
	// idempotency token for each call, PCA recognizes that you are requesting multiple
	// certificates.
	//
	// Nothing in this file generates a token when the field is left nil; a retried
	// call without one is presumably treated as a new request — confirm.
	IdempotencyToken *string

	// Specifies a custom configuration template to use when issuing a certificate. If
	// this parameter is not provided, ACM Private CA defaults to the
	// EndEntityCertificate/V1 template. For CA certificates, you should choose the
	// shortest path length that meets your needs. The path length is indicated by the
	// PathLenN portion of the ARN, where N is the CA depth
	// (https://docs.aws.amazon.com/acm-pca/latest/userguide/PcaTerms.html#terms-cadepth).
	// Note: The CA depth configured on a subordinate CA certificate must not exceed
	// the limit set by its parents in the CA hierarchy. For a list of TemplateArn
	// values supported by ACM Private CA, see Understanding Certificate Templates
	// (https://docs.aws.amazon.com/acm-pca/latest/userguide/UsingTemplates.html).
	TemplateArn *string

	// Information describing the start of the validity period of the certificate. This
	// parameter sets the “Not Before” date for the certificate. By default, when
	// issuing a certificate, ACM Private CA sets the "Not Before" date to the issuance
	// time minus 60 minutes. This compensates for clock inconsistencies across
	// computer systems. The ValidityNotBefore parameter can be used to customize the
	// “Not Before” value. Unlike the Validity parameter, the ValidityNotBefore
	// parameter is optional. The ValidityNotBefore value is expressed as an explicit
	// date and time, using the Validity type value ABSOLUTE. For more information, see
	// Validity
	// (https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_Validity.html) in
	// this API reference and Validity
	// (https://tools.ietf.org/html/rfc5280#section-4.1.2.5) in RFC 5280.
	//
	// NOTE(review): a value earlier than the default widens the window in which
	// the certificate is accepted as valid; keep it as close to issuance as the
	// deployment's clock skew requires.
	ValidityNotBefore *types.Validity
}

// IssueCertificateOutput is the response for IssueCertificate. It carries only
// the ARN of the new certificate; the certificate itself is fetched separately
// with GetCertificate.
type IssueCertificateOutput struct {

	// The Amazon Resource Name (ARN) of the issued certificate and the certificate
	// serial number. This is of the form:
	// arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012/certificate/286535153982981100925020015808220737245
	CertificateArn *string

	// Metadata pertaining to the operation's result.
	ResultMetadata middleware.Metadata
}

// addOperationIssueCertificateMiddlewares registers, on stack, the operation's
// awsjson11 serializer and deserializer followed by the client-wide middlewares
// (logging, request ID, content length, endpoint resolution, payload SHA-256,
// retries, SigV4 signing, response metadata, user agent, body closing, input
// validation, service metadata, request ID retrieval, response errors and
// request/response logging). Registration stops at the first error, which is
// returned unchanged. The order is the generator's; note that the payload
// SHA-256 middleware is added before the SigV4 signer.
func addOperationIssueCertificateMiddlewares(stack *middleware.Stack, options Options) (err error) {
	err = stack.Serialize.Add(&awsAwsjson11_serializeOpIssueCertificate{}, middleware.After)
	if err != nil {
		return err
	}
	err = stack.Deserialize.Add(&awsAwsjson11_deserializeOpIssueCertificate{}, middleware.After)
	if err != nil {
		return err
	}
	if err = addSetLoggerMiddleware(stack, options); err != nil {
		return err
	}
	if err = awsmiddleware.AddClientRequestIDMiddleware(stack); err != nil {
		return err
	}
	if err = smithyhttp.AddComputeContentLengthMiddleware(stack); err != nil {
		return err
	}
	if err = addResolveEndpointMiddleware(stack, options); err != nil {
		return err
	}
	// Payload hash is registered ahead of the signer below.
	if err = v4.AddComputePayloadSHA256Middleware(stack); err != nil {
		return err
	}
	if err = addRetryMiddlewares(stack, options); err != nil {
		return err
	}
	if err = addHTTPSignerV4Middleware(stack, options); err != nil {
		return err
	}
	if err = awsmiddleware.AddRawResponseToMetadata(stack); err != nil {
		return err
	}
	if err = awsmiddleware.AddRecordResponseTiming(stack); err != nil {
		return err
	}
	if err = addClientUserAgent(stack); err != nil {
		return err
	}
	if err = smithyhttp.AddErrorCloseResponseBodyMiddleware(stack); err != nil {
		return err
	}
	if err = smithyhttp.AddCloseResponseBodyMiddleware(stack); err != nil {
		return err
	}
	// Operation-specific input validation (presumably the required-member
	// checks for IssueCertificateInput — confirm in its definition).
	if err = addOpIssueCertificateValidationMiddleware(stack); err != nil {
		return err
	}
	if err = stack.Initialize.Add(newServiceMetadataMiddleware_opIssueCertificate(options.Region), middleware.Before); err != nil {
		return err
	}
	if err = addRequestIDRetrieverMiddleware(stack); err != nil {
		return err
	}
	if err = addResponseErrorMiddleware(stack); err != nil {
		return err
	}
	if err = addRequestResponseLogging(stack, options); err != nil {
		return err
	}
	return nil
}

// newServiceMetadataMiddleware_opIssueCertificate builds the service-metadata
// middleware for this operation: the caller's region, the package-level
// ServiceID, the "acm-pca" signing name used by SigV4 and the operation name.
func newServiceMetadataMiddleware_opIssueCertificate(region string) *awsmiddleware.RegisterServiceMetadata {
	return &awsmiddleware.RegisterServiceMetadata{
		Region:        region,
		ServiceID:     ServiceID,
		SigningName:   "acm-pca",
		OperationName: "IssueCertificate",
	}
}