1// Code generated by smithy-go-codegen DO NOT EDIT.
2
3package acmpca
4
5import (
6	"context"
7	awsmiddleware "github.com/aws/aws-sdk-go-v2/aws/middleware"
8	"github.com/aws/aws-sdk-go-v2/aws/signer/v4"
9	"github.com/aws/aws-sdk-go-v2/service/acmpca/types"
10	"github.com/aws/smithy-go/middleware"
11	smithyhttp "github.com/aws/smithy-go/transport/http"
12)
13
// IssueCertificate uses your private certificate authority (CA), or one that has
// been shared with you, to issue a client certificate. This action returns the
// Amazon Resource Name (ARN) of the certificate. You can retrieve the
// certificate by calling the GetCertificate
// (https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_GetCertificate.html)
// action and specifying the ARN. You cannot use the ACM ListCertificateAuthorities
// action to retrieve the ARNs of the certificates that you issue by using ACM
// Private CA.
//
// A nil params is treated as an empty input; the required members are then
// presumably rejected by the operation's validation middleware rather than here.
// optFns are applied to the client Options for this call only. Any error from
// the operation pipeline (validation, signing, transport, service response) is
// returned as-is, with a nil output.
func (c *Client) IssueCertificate(ctx context.Context, params *IssueCertificateInput, optFns ...func(*Options)) (*IssueCertificateOutput, error) {
	input := params
	if input == nil {
		// Never dereference a nil input downstream; an empty request is sent
		// into the pipeline instead.
		input = &IssueCertificateInput{}
	}

	res, md, err := c.invokeOperation(ctx, "IssueCertificate", input, optFns, addOperationIssueCertificateMiddlewares)
	if err != nil {
		return nil, err
	}

	// The deserializer registered by addOperationIssueCertificateMiddlewares
	// produces *IssueCertificateOutput, so this assertion is the expected shape.
	output := res.(*IssueCertificateOutput)
	output.ResultMetadata = md
	return output, nil
}
36
// IssueCertificateInput carries the parameters of a single IssueCertificate
// request. CertificateAuthorityArn, Csr, SigningAlgorithm and Validity are
// required; the remaining members are optional and default on the service side
// as described on each field.
type IssueCertificateInput struct {

	// The Amazon Resource Name (ARN) that was returned when you called
	// CreateCertificateAuthority
	// (https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_CreateCertificateAuthority.html).
	// This must be of the form:
	// arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012
	//
	// This member is required.
	CertificateAuthorityArn *string

	// The certificate signing request (CSR) for the certificate you want to issue.
	// As an example, you can use the following OpenSSL command to create the CSR
	// and a 2048 bit RSA private key:
	//
	//	openssl req -new -newkey rsa:2048 -days 365 -keyout private/test_cert_priv_key.pem -out csr/test_cert_.csr
	//
	// If you have a configuration file, you can then use the following OpenSSL
	// command. The usr_cert block in the configuration file contains your X509
	// version 3 extensions:
	//
	//	openssl req -new -config openssl_rsa.cnf -extensions usr_cert -newkey rsa:2048 -days -365 -keyout private/test_cert_priv_key.pem -out csr/test_cert_.csr
	//
	// Note: A CSR must provide either a subject name or a subject alternative
	// name or the request will be rejected.
	//
	// NOTE(review): the private key generated alongside the CSR never leaves the
	// requester; only the CSR bytes are sent. Which encoding (PEM or DER) is
	// expected here is not visible in this file — confirm against the API
	// reference before relying on one.
	//
	// This member is required.
	Csr []byte

	// The name of the algorithm that will be used to sign the certificate to be
	// issued. This parameter should not be confused with the SigningAlgorithm
	// parameter used to sign a CSR in the CreateCertificateAuthority action.
	//
	// NOTE(review): this value is required and chosen per request, so the hash
	// strength of the issued certificate's signature is set by the caller, not
	// by a service default; presumably it must also match the CA's key family
	// (RSA vs. ECDSA) — verify against the CA configuration.
	//
	// This member is required.
	SigningAlgorithm types.SigningAlgorithm

	// Information describing the end of the validity period of the certificate. This
	// parameter sets the "Not After" date for the certificate. Certificate validity is
	// the period of time during which a certificate is valid. Validity can be
	// expressed as an explicit date and time when the certificate expires, or as a
	// span of time after issuance, stated in days, months, or years. For more
	// information, see Validity (https://tools.ietf.org/html/rfc5280#section-4.1.2.5)
	// in RFC 5280. This value is unaffected when ValidityNotBefore is also specified.
	// For example, if Validity is set to 20 days in the future, the certificate will
	// expire 20 days from issuance time regardless of the ValidityNotBefore value. The
	// end of the validity period configured on a certificate must not exceed the limit
	// set on its parents in the CA hierarchy.
	//
	// This member is required.
	Validity *types.Validity

	// Specifies X.509 certificate information to be included in the issued
	// certificate. An APIPassthrough or APICSRPassthrough template variant must be
	// selected, or else this parameter is ignored. For more information about using
	// these templates, see Understanding Certificate Templates
	// (https://docs.aws.amazon.com/acm-pca/latest/userguide/UsingTemplates.html). If
	// conflicting or duplicate certificate information is supplied during certificate
	// issuance, ACM Private CA applies order of operation rules to determine what
	// information is used.
	//
	// NOTE(review): with a passthrough template the certificate information
	// supplied here by the caller is reflected in the issued certificate, so the
	// permission to issue with passthrough templates is effectively the
	// permission to shape certificate contents — scope it accordingly.
	ApiPassthrough *types.ApiPassthrough

	// Alphanumeric string that can be used to distinguish between calls to the
	// IssueCertificate action. Idempotency tokens for IssueCertificate time out after
	// one minute. Therefore, if you call IssueCertificate multiple times with the same
	// idempotency token within one minute, ACM Private CA recognizes that you are
	// requesting only one certificate and will issue only one. If you change the
	// idempotency token for each call, PCA recognizes that you are requesting multiple
	// certificates.
	//
	// No token is generated client-side in this file; uniqueness per distinct
	// request is the caller's responsibility.
	IdempotencyToken *string

	// Specifies a custom configuration template to use when issuing a certificate. If
	// this parameter is not provided, ACM Private CA defaults to the
	// EndEntityCertificate/V1 template. For CA certificates, you should choose the
	// shortest path length that meets your needs. The path length is indicated by the
	// PathLenN portion of the ARN, where N is the CA depth
	// (https://docs.aws.amazon.com/acm-pca/latest/userguide/PcaTerms.html#terms-cadepth).
	// Note: The CA depth configured on a subordinate CA certificate must not exceed
	// the limit set by its parents in the CA hierarchy. For a list of TemplateArn
	// values supported by ACM Private CA, see Understanding Certificate Templates
	// (https://docs.aws.amazon.com/acm-pca/latest/userguide/UsingTemplates.html).
	//
	// NOTE(review): a template that issues a CA certificate delegates issuance
	// authority to the holder of the resulting key; keep the path length and the
	// set of principals allowed to use such templates as narrow as the hierarchy
	// design requires.
	TemplateArn *string

	// Information describing the start of the validity period of the certificate. This
	// parameter sets the "Not Before" date for the certificate. By default, when
	// issuing a certificate, ACM Private CA sets the "Not Before" date to the issuance
	// time minus 60 minutes. This compensates for clock inconsistencies across
	// computer systems. The ValidityNotBefore parameter can be used to customize the
	// "Not Before" value. Unlike the Validity parameter, the ValidityNotBefore
	// parameter is optional. The ValidityNotBefore value is expressed as an explicit
	// date and time, using the Validity type value ABSOLUTE. For more information, see
	// Validity
	// (https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_Validity.html) in
	// this API reference and Validity
	// (https://tools.ietf.org/html/rfc5280#section-4.1.2.5) in RFC 5280.
	//
	// NOTE(review): whether the service accepts a "Not Before" earlier than the
	// default issuance-minus-60-minutes window (i.e. back-dating) is not
	// determined by this file — confirm before depending on it either way.
	ValidityNotBefore *types.Validity
}
129
// IssueCertificateOutput is the result of an IssueCertificate call. Only the
// ARN of the new certificate is returned; the certificate body itself has to be
// fetched separately with GetCertificate.
type IssueCertificateOutput struct {

	// The Amazon Resource Name (ARN) of the issued certificate and the certificate
	// serial number. This is of the form:
	// arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012/certificate/286535153982981100925020015808220737245
	//
	// The trailing path element is the certificate serial number; it is the
	// value to record for later revocation or audit correlation.
	CertificateArn *string

	// Metadata pertaining to the operation's result (raw response, timing,
	// request ID), populated by the client after the operation returns.
	ResultMetadata middleware.Metadata
}
140
// addOperationIssueCertificateMiddlewares wires the middleware stack for one
// IssueCertificate call: request/response (de)serialization for the awsjson 1.1
// wire format (per the serializer names), endpoint resolution, payload hashing
// and SigV4 signing, retries, client-side input validation, and response
// bookkeeping. Each Add inserts relative to what is already registered
// (middleware.After / middleware.Before), so the steps are kept in the original
// generated order. The first registration error aborts wiring and is returned.
func addOperationIssueCertificateMiddlewares(stack *middleware.Stack, options Options) (err error) {
	steps := []func() error{
		// Wire format for the operation.
		func() error {
			return stack.Serialize.Add(&awsAwsjson11_serializeOpIssueCertificate{}, middleware.After)
		},
		func() error {
			return stack.Deserialize.Add(&awsAwsjson11_deserializeOpIssueCertificate{}, middleware.After)
		},
		func() error { return addSetLoggerMiddleware(stack, options) },
		func() error { return awsmiddleware.AddClientRequestIDMiddleware(stack) },
		func() error { return smithyhttp.AddComputeContentLengthMiddleware(stack) },
		func() error { return addResolveEndpointMiddleware(stack, options) },
		// The payload SHA-256 is an input to the SigV4 signature, so it is
		// registered ahead of the signer.
		func() error { return v4.AddComputePayloadSHA256Middleware(stack) },
		func() error { return addRetryMiddlewares(stack, options) },
		// SigV4 signing: this is what authenticates the caller to ACM Private CA.
		func() error { return addHTTPSignerV4Middleware(stack, options) },
		func() error { return awsmiddleware.AddRawResponseToMetadata(stack) },
		func() error { return awsmiddleware.AddRecordResponseTiming(stack) },
		func() error { return addClientUserAgent(stack) },
		func() error { return smithyhttp.AddErrorCloseResponseBodyMiddleware(stack) },
		func() error { return smithyhttp.AddCloseResponseBodyMiddleware(stack) },
		// Presumably checks the members marked "required" on
		// IssueCertificateInput before anything is sent.
		func() error { return addOpIssueCertificateValidationMiddleware(stack) },
		func() error {
			return stack.Initialize.Add(newServiceMetadataMiddleware_opIssueCertificate(options.Region), middleware.Before)
		},
		func() error { return addRequestIDRetrieverMiddleware(stack) },
		func() error { return addResponseErrorMiddleware(stack) },
		func() error { return addRequestResponseLogging(stack, options) },
	}

	for _, register := range steps {
		if err = register(); err != nil {
			return err
		}
	}
	return nil
}
203
// newServiceMetadataMiddleware_opIssueCertificate builds the Initialize-step
// middleware that tags the request with its region, service ID, signing name
// and operation name. The signing name "acm-pca" is the service component the
// SigV4 signer uses for this call, so it must match the service's expectation.
func newServiceMetadataMiddleware_opIssueCertificate(region string) *awsmiddleware.RegisterServiceMetadata {
	meta := awsmiddleware.RegisterServiceMetadata{
		OperationName: "IssueCertificate",
		SigningName:   "acm-pca",
		ServiceID:     ServiceID,
	}
	meta.Region = region
	return &meta
}
212