v1alpha1

type APIPassthrough struct {
	// Contains X.509 extension information for a certificate.
	Extensions *Extensions `json:"extensions,omitempty"`
	// Contains information about the certificate subject. The Subject field in
	// the certificate identifies the entity that owns or controls the public key
	// in the certificate. The entity can be a user, computer, device, or service.
	// The Subject must contain an X.500 distinguished name (DN). A DN is a sequence
	// of relative distinguished names (RDNs). The RDNs are separated by commas
	// in the certificate.
	Subject *ASN1Subject `json:"subject,omitempty"`
}

type ASN1Subject struct {
	CommonName                 *string            `json:"commonName,omitempty"`
	Country                    *string            `json:"country,omitempty"`
	CustomAttributes           []*CustomAttribute `json:"customAttributes,omitempty"`
	DistinguishedNameQualifier *string            `json:"distinguishedNameQualifier,omitempty"`
	GenerationQualifier        *string            `json:"generationQualifier,omitempty"`
	GivenName                  *string            `json:"givenName,omitempty"`
	Initials                   *string            `json:"initials,omitempty"`
	Locality                   *string            `json:"locality,omitempty"`
	Organization               *string            `json:"organization,omitempty"`
	OrganizationalUnit         *string            `json:"organizationalUnit,omitempty"`
	Pseudonym                  *string            `json:"pseudonym,omitempty"`
	SerialNumber               *string            `json:"serialNumber,omitempty"`
	State                      *string            `json:"state,omitempty"`
	Surname                    *string            `json:"surname,omitempty"`
	Title                      *string            `json:"title,omitempty"`
}

type AccessDescription struct {
	// Describes an ASN.1 X.400 GeneralName as defined in RFC 5280 (https://datatracker.ietf.org/doc/html/rfc5280).
	// Only one of the following naming options should be provided. Providing more
	// than one option results in an InvalidArgsException error.
	AccessLocation *GeneralName `json:"accessLocation,omitempty"`
	// Describes the type and format of extension access. Only one of CustomObjectIdentifier
	// or AccessMethodType may be provided. Providing both results in InvalidArgsException.
	AccessMethod *AccessMethod `json:"accessMethod,omitempty"`
}

type AccessMethod struct {
	AccessMethodType       *string `json:"accessMethodType,omitempty"`
	CustomObjectIdentifier *string `json:"customObjectIdentifier,omitempty"`
}

type AccessMethodType string

type ActionType string

type AuditReportResponseFormat string

type AuditReportStatus string

type CRLConfiguration struct {
	CustomCNAME      *string `json:"customCNAME,omitempty"`
	Enabled          *bool   `json:"enabled,omitempty"`
	ExpirationInDays *int64  `json:"expirationInDays,omitempty"`
	S3BucketName     *string `json:"s3BucketName,omitempty"`
	S3ObjectACL      *string `json:"s3ObjectACL,omitempty"`
}

type CSRExtensions struct {
	// Defines one or more purposes for which the key contained in the certificate
	// can be used. Default value for each option is false.
	KeyUsage                 *KeyUsage            `json:"keyUsage,omitempty"`
	SubjectInformationAccess []*AccessDescription `json:"subjectInformationAccess,omitempty"`
}

type Certificate struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`
	Spec              CertificateSpec   `json:"spec,omitempty"`
	Status            CertificateStatus `json:"status,omitempty"`
}

type CertificateAuthority struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`
	Spec              CertificateAuthoritySpec   `json:"spec,omitempty"`
	Status            CertificateAuthorityStatus `json:"status,omitempty"`
}

type CertificateAuthorityActivation struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`
	Spec              CertificateAuthorityActivationSpec   `json:"spec,omitempty"`
	Status            CertificateAuthorityActivationStatus `json:"status,omitempty"`
}

type CertificateAuthorityActivationList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`
	Items           []CertificateAuthorityActivation `json:"items"`
}

type CertificateAuthorityActivationSpec struct {

	// +kubebuilder:validation:Required
	Certificate *ackv1alpha1.SecretKeyReference `json:"certificate"`
	// The Amazon Resource Name (ARN) that was returned when you called CreateCertificateAuthority
	// (https://docs.aws.amazon.com/privateca/latest/APIReference/API_CreateCertificateAuthority.html).
	// This must be of the form:
	//
	// arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012
	CertificateAuthorityARN *string                                  `json:"certificateAuthorityARN,omitempty"`
	CertificateAuthorityRef *ackv1alpha1.AWSResourceReferenceWrapper `json:"certificateAuthorityRef,omitempty"`
	CertificateChain        *ackv1alpha1.SecretKeyReference          `json:"certificateChain,omitempty"`
	Status                  *string                                  `json:"status,omitempty"`
}

type CertificateAuthorityActivationStatus struct {
	// All CRs managed by ACK have a common `Status.ACKResourceMetadata` member
	// that is used to contain resource sync state, account ownership,
	// constructed ARN for the resource
	// +kubebuilder:validation:Optional
	ACKResourceMetadata *ackv1alpha1.ResourceMetadata `json:"ackResourceMetadata"`
	// All CRS managed by ACK have a common `Status.Conditions` member that
	// contains a collection of `ackv1alpha1.Condition` objects that describe
	// the various terminal states of the CR and its backend AWS service API
	// resource
	// +kubebuilder:validation:Optional
	Conditions []*ackv1alpha1.Condition `json:"conditions"`
}

type CertificateAuthorityConfiguration struct {
	// Describes the certificate extensions to be added to the certificate signing
	// request (CSR).
	CSRExtensions    *CSRExtensions `json:"csrExtensions,omitempty"`
	KeyAlgorithm     *string        `json:"keyAlgorithm,omitempty"`
	SigningAlgorithm *string        `json:"signingAlgorithm,omitempty"`
	// Contains information about the certificate subject. The Subject field in
	// the certificate identifies the entity that owns or controls the public key
	// in the certificate. The entity can be a user, computer, device, or service.
	// The Subject must contain an X.500 distinguished name (DN). A DN is a sequence
	// of relative distinguished names (RDNs). The RDNs are separated by commas
	// in the certificate.
	Subject *ASN1Subject `json:"subject,omitempty"`
}

type CertificateAuthorityList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`
	Items           []CertificateAuthority `json:"items"`
}

type CertificateAuthoritySpec struct {

	// Name and bit size of the private key algorithm, the name of the signing algorithm,
	// and X.500 certificate subject information.
	// +kubebuilder:validation:Required
	CertificateAuthorityConfiguration *CertificateAuthorityConfiguration `json:"certificateAuthorityConfiguration"`
	// Specifies a cryptographic key management compliance standard used for handling
	// CA keys.
	//
	// Default: FIPS_140_2_LEVEL_3_OR_HIGHER
	//
	// Some Amazon Web Services Regions do not support the default. When creating
	// a CA in these Regions, you must provide FIPS_140_2_LEVEL_2_OR_HIGHER as the
	// argument for KeyStorageSecurityStandard. Failure to do this results in an
	// InvalidArgsException with the message, "A certificate authority cannot be
	// created in this region with the specified security standard."
	//
	// For information about security standard support in various Regions, see Storage
	// and security compliance of Amazon Web Services Private CA private keys (https://docs.aws.amazon.com/privateca/latest/userguide/data-protection.html#private-keys).
	KeyStorageSecurityStandard *string `json:"keyStorageSecurityStandard,omitempty"`
	// Contains information to enable Online Certificate Status Protocol (OCSP)
	// support, to enable a certificate revocation list (CRL), to enable both, or
	// to enable neither. The default is for both certificate validation mechanisms
	// to be disabled.
	//
	// The following requirements apply to revocation configurations.
	//
	//   - A configuration disabling CRLs or OCSP must contain only the Enabled=False
	//     parameter, and will fail if other parameters such as CustomCname or ExpirationInDays
	//     are included.
	//
	//   - In a CRL configuration, the S3BucketName parameter must conform to Amazon
	//     S3 bucket naming rules (https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucketnamingrules.html).
	//
	//   - A configuration containing a custom Canonical Name (CNAME) parameter
	//     for CRLs or OCSP must conform to RFC2396 (https://www.ietf.org/rfc/rfc2396.txt)
	//     restrictions on the use of special characters in a CNAME.
	//
	//   - In a CRL or OCSP configuration, the value of a CNAME parameter must
	//     not include a protocol prefix such as "http://" or "https://".
	//
	// For more information, see the OcspConfiguration (https://docs.aws.amazon.com/privateca/latest/APIReference/API_OcspConfiguration.html)
	// and CrlConfiguration (https://docs.aws.amazon.com/privateca/latest/APIReference/API_CrlConfiguration.html)
	// types.
	RevocationConfiguration *RevocationConfiguration `json:"revocationConfiguration,omitempty"`
	// Key-value pairs that will be attached to the new private CA. You can associate
	// up to 50 tags with a private CA. For information using tags with IAM to manage
	// permissions, see Controlling Access Using IAM Tags (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_iam-tags.html).
	Tags []*Tag `json:"tags,omitempty"`
	// The type of the certificate authority.
	// +kubebuilder:validation:Required
	Type *string `json:"type,omitempty"`
	// Specifies whether the CA issues general-purpose certificates that typically
	// require a revocation mechanism, or short-lived certificates that may optionally
	// omit revocation because they expire quickly. Short-lived certificate validity
	// is limited to seven days.
	//
	// The default value is GENERAL_PURPOSE.
	UsageMode *string `json:"usageMode,omitempty"`
}

type CertificateAuthorityStatus struct {
	// All CRs managed by ACK have a common `Status.ACKResourceMetadata` member
	// that is used to contain resource sync state, account ownership,
	// constructed ARN for the resource
	// +kubebuilder:validation:Optional
	ACKResourceMetadata *ackv1alpha1.ResourceMetadata `json:"ackResourceMetadata"`
	// All CRS managed by ACK have a common `Status.Conditions` member that
	// contains a collection of `ackv1alpha1.Condition` objects that describe
	// the various terminal states of the CR and its backend AWS service API
	// resource
	// +kubebuilder:validation:Optional
	Conditions []*ackv1alpha1.Condition `json:"conditions"`
	// The base64 PEM-encoded certificate signing request (CSR) for your private
	// CA certificate.
	// +kubebuilder:validation:Optional
	CertificateSigningRequest *string `json:"certificateSigningRequest,omitempty"`
	// Date and time at which your private CA was created.
	// +kubebuilder:validation:Optional
	CreatedAt *metav1.Time `json:"createdAt,omitempty"`
	// Reason the request to create your private CA failed.
	// +kubebuilder:validation:Optional
	FailureReason *string `json:"failureReason,omitempty"`
	// Date and time at which your private CA was last updated.
	// +kubebuilder:validation:Optional
	LastStateChangeAt *metav1.Time `json:"lastStateChangeAt,omitempty"`
	// Date and time after which your private CA certificate is not valid.
	// +kubebuilder:validation:Optional
	NotAfter *metav1.Time `json:"notAfter,omitempty"`
	// Date and time before which your private CA certificate is not valid.
	// +kubebuilder:validation:Optional
	NotBefore *metav1.Time `json:"notBefore,omitempty"`
	// The Amazon Web Services account ID that owns the certificate authority.
	// +kubebuilder:validation:Optional
	OwnerAccount *string `json:"ownerAccount,omitempty"`
	// The period during which a deleted CA can be restored. For more information,
	// see the PermanentDeletionTimeInDays parameter of the DeleteCertificateAuthorityRequest
	// (https://docs.aws.amazon.com/privateca/latest/APIReference/API_DeleteCertificateAuthorityRequest.html)
	// action.
	// +kubebuilder:validation:Optional
	RestorableUntil *metav1.Time `json:"restorableUntil,omitempty"`
	// Serial number of your private CA.
	// +kubebuilder:validation:Optional
	Serial *string `json:"serial,omitempty"`
	// Status of your private CA.
	// +kubebuilder:validation:Optional
	Status *string `json:"status,omitempty"`
}

type CertificateAuthorityStatus_SDK string

type CertificateAuthorityType string

type CertificateAuthorityUsageMode string

type CertificateAuthority_SDK struct {
	ARN *string `json:"arn,omitempty"`
	// Contains configuration information for your private certificate authority
	// (CA). This includes information about the class of public key algorithm and
	// the key pair that your private CA creates when it issues a certificate. It
	// also includes the signature algorithm that it uses when issuing certificates,
	// and its X.500 distinguished name. You must specify this information when
	// you call the CreateCertificateAuthority (https://docs.aws.amazon.com/privateca/latest/APIReference/API_CreateCertificateAuthority.html)
	// action.
	CertificateAuthorityConfiguration *CertificateAuthorityConfiguration `json:"certificateAuthorityConfiguration,omitempty"`
	CreatedAt                         *metav1.Time                       `json:"createdAt,omitempty"`
	FailureReason                     *string                            `json:"failureReason,omitempty"`
	KeyStorageSecurityStandard        *string                            `json:"keyStorageSecurityStandard,omitempty"`
	LastStateChangeAt                 *metav1.Time                       `json:"lastStateChangeAt,omitempty"`
	NotAfter                          *metav1.Time                       `json:"notAfter,omitempty"`
	NotBefore                         *metav1.Time                       `json:"notBefore,omitempty"`
	OwnerAccount                      *string                            `json:"ownerAccount,omitempty"`
	RestorableUntil                   *metav1.Time                       `json:"restorableUntil,omitempty"`
	// Certificate revocation information used by the CreateCertificateAuthority
	// (https://docs.aws.amazon.com/privateca/latest/APIReference/API_CreateCertificateAuthority.html)
	// and UpdateCertificateAuthority (https://docs.aws.amazon.com/privateca/latest/APIReference/API_UpdateCertificateAuthority.html)
	// actions. Your private certificate authority (CA) can configure Online Certificate
	// Status Protocol (OCSP) support and/or maintain a certificate revocation list
	// (CRL). OCSP returns validation information about certificates as requested
	// by clients, and a CRL contains an updated list of certificates revoked by
	// your CA. For more information, see RevokeCertificate (https://docs.aws.amazon.com/privateca/latest/APIReference/API_RevokeCertificate.html)
	// and Setting up a certificate revocation method (https://docs.aws.amazon.com/privateca/latest/userguide/revocation-setup.html)
	// in the Amazon Web Services Private Certificate Authority User Guide.
	RevocationConfiguration *RevocationConfiguration `json:"revocationConfiguration,omitempty"`
	Serial                  *string                  `json:"serial,omitempty"`
	Status                  *string                  `json:"status,omitempty"`
	Type                    *string                  `json:"type_,omitempty"`
	UsageMode               *string                  `json:"usageMode,omitempty"`
}

type CertificateList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`
	Items           []Certificate `json:"items"`
}

type CertificateSpec struct {

	// Specifies X.509 certificate information to be included in the issued certificate.
	// An APIPassthrough or APICSRPassthrough template variant must be selected,
	// or else this parameter is ignored. For more information about using these
	// templates, see Understanding Certificate Templates (https://docs.aws.amazon.com/privateca/latest/userguide/UsingTemplates.html).
	//
	// If conflicting or duplicate certificate information is supplied during certificate
	// issuance, Amazon Web Services Private CA applies order of operation rules
	// (https://docs.aws.amazon.com/privateca/latest/userguide/UsingTemplates.html#template-order-of-operations)
	// to determine what information is used.
	APIPassthrough *APIPassthrough `json:"apiPassthrough,omitempty"`
	// The Amazon Resource Name (ARN) that was returned when you called CreateCertificateAuthority
	// (https://docs.aws.amazon.com/privateca/latest/APIReference/API_CreateCertificateAuthority.html).
	// This must be of the form:
	//
	// arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012
	CertificateAuthorityARN      *string                                  `json:"certificateAuthorityARN,omitempty"`
	CertificateAuthorityRef      *ackv1alpha1.AWSResourceReferenceWrapper `json:"certificateAuthorityRef,omitempty"`
	CertificateSigningRequest    *string                                  `json:"certificateSigningRequest,omitempty"`
	CertificateSigningRequestRef *ackv1alpha1.AWSResourceReferenceWrapper `json:"certificateSigningRequestRef,omitempty"`
	// The name of the algorithm that will be used to sign the certificate to be
	// issued.
	//
	// This parameter should not be confused with the SigningAlgorithm parameter
	// used to sign a CSR in the CreateCertificateAuthority action.
	//
	// The specified signing algorithm family (RSA or ECDSA) must match the algorithm
	// family of the CA's secret key.
	// +kubebuilder:validation:Required
	SigningAlgorithm *string `json:"signingAlgorithm"`
	// Specifies a custom configuration template to use when issuing a certificate.
	// If this parameter is not provided, Amazon Web Services Private CA defaults
	// to the EndEntityCertificate/V1 template. For CA certificates, you should
	// choose the shortest path length that meets your needs. The path length is
	// indicated by the PathLenN portion of the ARN, where N is the CA depth (https://docs.aws.amazon.com/privateca/latest/userguide/PcaTerms.html#terms-cadepth).
	//
	// Note: The CA depth configured on a subordinate CA certificate must not exceed
	// the limit set by its parents in the CA hierarchy.
	//
	// For a list of TemplateArn values supported by Amazon Web Services Private
	// CA, see Understanding Certificate Templates (https://docs.aws.amazon.com/privateca/latest/userguide/UsingTemplates.html).
	TemplateARN *string `json:"templateARN,omitempty"`
	// Information describing the end of the validity period of the certificate.
	// This parameter sets the “Not After” date for the certificate.
	//
	// Certificate validity is the period of time during which a certificate is
	// valid. Validity can be expressed as an explicit date and time when the certificate
	// expires, or as a span of time after issuance, stated in days, months, or
	// years. For more information, see Validity (https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.5)
	// in RFC 5280.
	//
	// This value is unaffected when ValidityNotBefore is also specified. For example,
	// if Validity is set to 20 days in the future, the certificate will expire
	// 20 days from issuance time regardless of the ValidityNotBefore value.
	//
	// The end of the validity period configured on a certificate must not exceed
	// the limit set on its parents in the CA hierarchy.
	// +kubebuilder:validation:Required
	Validity *Validity `json:"validity"`
	// Information describing the start of the validity period of the certificate.
	// This parameter sets the “Not Before" date for the certificate.
	//
	// By default, when issuing a certificate, Amazon Web Services Private CA sets
	// the "Not Before" date to the issuance time minus 60 minutes. This compensates
	// for clock inconsistencies across computer systems. The ValidityNotBefore
	// parameter can be used to customize the “Not Before” value.
	//
	// Unlike the Validity parameter, the ValidityNotBefore parameter is optional.
	//
	// The ValidityNotBefore value is expressed as an explicit date and time, using
	// the Validity type value ABSOLUTE. For more information, see Validity (https://docs.aws.amazon.com/privateca/latest/APIReference/API_Validity.html)
	// in this API reference and Validity (https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.5)
	// in RFC 5280.
	ValidityNotBefore *Validity `json:"validityNotBefore,omitempty"`
}

type CertificateStatus struct {
	// All CRs managed by ACK have a common `Status.ACKResourceMetadata` member
	// that is used to contain resource sync state, account ownership,
	// constructed ARN for the resource
	// +kubebuilder:validation:Optional
	ACKResourceMetadata *ackv1alpha1.ResourceMetadata `json:"ackResourceMetadata"`
	// All CRS managed by ACK have a common `Status.Conditions` member that
	// contains a collection of `ackv1alpha1.Condition` objects that describe
	// the various terminal states of the CR and its backend AWS service API
	// resource
	// +kubebuilder:validation:Optional
	Conditions []*ackv1alpha1.Condition `json:"conditions"`
}

type CustomAttribute struct {
	ObjectIdentifier *string `json:"objectIdentifier,omitempty"`
	Value            *string `json:"value,omitempty"`
}

type CustomExtension struct {
	Critical         *bool   `json:"critical,omitempty"`
	ObjectIdentifier *string `json:"objectIdentifier,omitempty"`
	Value            *string `json:"value,omitempty"`
}

type EDIPartyName struct {
	NameAssigner *string `json:"nameAssigner,omitempty"`
	PartyName    *string `json:"partyName,omitempty"`
}

type ExtendedKeyUsage struct {
	ExtendedKeyUsageObjectIdentifier *string `json:"extendedKeyUsageObjectIdentifier,omitempty"`
	ExtendedKeyUsageType             *string `json:"extendedKeyUsageType,omitempty"`
}

type ExtendedKeyUsageType string

type Extensions struct {
	CertificatePolicies []*PolicyInformation `json:"certificatePolicies,omitempty"`
	CustomExtensions    []*CustomExtension   `json:"customExtensions,omitempty"`
	ExtendedKeyUsage    []*ExtendedKeyUsage  `json:"extendedKeyUsage,omitempty"`
	// Defines one or more purposes for which the key contained in the certificate
	// can be used. Default value for each option is false.
	KeyUsage                *KeyUsage      `json:"keyUsage,omitempty"`
	SubjectAlternativeNames []*GeneralName `json:"subjectAlternativeNames,omitempty"`
}

type FailureReason string

type GeneralName struct {
	// Contains information about the certificate subject. The Subject field in
	// the certificate identifies the entity that owns or controls the public key
	// in the certificate. The entity can be a user, computer, device, or service.
	// The Subject must contain an X.500 distinguished name (DN). A DN is a sequence
	// of relative distinguished names (RDNs). The RDNs are separated by commas
	// in the certificate.
	DirectoryName *ASN1Subject `json:"directoryName,omitempty"`
	DNSName       *string      `json:"dnsName,omitempty"`
	// Describes an Electronic Data Interchange (EDI) entity as described in as
	// defined in Subject Alternative Name (https://datatracker.ietf.org/doc/html/rfc5280)
	// in RFC 5280.
	EDIPartyName *EDIPartyName `json:"ediPartyName,omitempty"`
	IPAddress    *string       `json:"ipAddress,omitempty"`
	// Defines a custom ASN.1 X.400 GeneralName using an object identifier (OID)
	// and value. The OID must satisfy the regular expression shown below. For more
	// information, see NIST's definition of Object Identifier (OID) (https://csrc.nist.gov/glossary/term/Object_Identifier).
	OtherName                 *OtherName `json:"otherName,omitempty"`
	RegisteredID              *string    `json:"registeredID,omitempty"`
	RFC822Name                *string    `json:"rfc822Name,omitempty"`
	UniformResourceIdentifier *string    `json:"uniformResourceIdentifier,omitempty"`
}

type KeyAlgorithm string

type KeyStorageSecurityStandard string

type KeyUsage struct {
	CRLSign          *bool `json:"crlSign,omitempty"`
	DataEncipherment *bool `json:"dataEncipherment,omitempty"`
	DecipherOnly     *bool `json:"decipherOnly,omitempty"`
	DigitalSignature *bool `json:"digitalSignature,omitempty"`
	EncipherOnly     *bool `json:"encipherOnly,omitempty"`
	KeyAgreement     *bool `json:"keyAgreement,omitempty"`
	KeyCertSign      *bool `json:"keyCertSign,omitempty"`
	KeyEncipherment  *bool `json:"keyEncipherment,omitempty"`
	NonRepudiation   *bool `json:"nonRepudiation,omitempty"`
}

type OCSPConfiguration struct {
	Enabled         *bool   `json:"enabled,omitempty"`
	OCSPCustomCNAME *string `json:"ocspCustomCNAME,omitempty"`
}

type OtherName struct {
	TypeID *string `json:"typeID,omitempty"`
	Value  *string `json:"value,omitempty"`
}

type Permission struct {
	CertificateAuthorityARN *string      `json:"certificateAuthorityARN,omitempty"`
	CreatedAt               *metav1.Time `json:"createdAt,omitempty"`
	SourceAccount           *string      `json:"sourceAccount,omitempty"`
}

type PolicyInformation struct {
	CertPolicyID     *string                `json:"certPolicyID,omitempty"`
	PolicyQualifiers []*PolicyQualifierInfo `json:"policyQualifiers,omitempty"`
}

type PolicyQualifierID string

type PolicyQualifierInfo struct {
	PolicyQualifierID *string `json:"policyQualifierID,omitempty"`
	// Defines a PolicyInformation qualifier. Amazon Web Services Private CA supports
	// the certification practice statement (CPS) qualifier (https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.4)
	// defined in RFC 5280.
	Qualifier *Qualifier `json:"qualifier,omitempty"`
}

type Qualifier struct {
	CPSURI *string `json:"cpsURI,omitempty"`
}

type ResourceOwner string

type RevocationConfiguration struct {
	// Contains configuration information for a certificate revocation list (CRL).
	// Your private certificate authority (CA) creates base CRLs. Delta CRLs are
	// not supported. You can enable CRLs for your new or an existing private CA
	// by setting the Enabled parameter to true. Your private CA writes CRLs to
	// an S3 bucket that you specify in the S3BucketName parameter. You can hide
	// the name of your bucket by specifying a value for the CustomCname parameter.
	// Your private CA copies the CNAME or the S3 bucket name to the CRL Distribution
	// Points extension of each certificate it issues. Your S3 bucket policy must
	// give write permission to Amazon Web Services Private CA.
	//
	// Amazon Web Services Private CA assets that are stored in Amazon S3 can be
	// protected with encryption. For more information, see Encrypting Your CRLs
	// (https://docs.aws.amazon.com/privateca/latest/userguide/PcaCreateCa.html#crl-encryption).
	//
	// Your private CA uses the value in the ExpirationInDays parameter to calculate
	// the nextUpdate field in the CRL. The CRL is refreshed prior to a certificate's
	// expiration date or when a certificate is revoked. When a certificate is revoked,
	// it appears in the CRL until the certificate expires, and then in one additional
	// CRL after expiration, and it always appears in the audit report.
	//
	// A CRL is typically updated approximately 30 minutes after a certificate is
	// revoked. If for any reason a CRL update fails, Amazon Web Services Private
	// CA makes further attempts every 15 minutes.
	//
	// CRLs contain the following fields:
	//
	//    * Version: The current version number defined in RFC 5280 is V2. The integer
	//    value is 0x1.
	//
	//    * Signature Algorithm: The name of the algorithm used to sign the CRL.
	//
	//    * Issuer: The X.500 distinguished name of your private CA that issued
	//    the CRL.
	//
	//    * Last Update: The issue date and time of this CRL.
	//
	//    * Next Update: The day and time by which the next CRL will be issued.
	//
	//    * Revoked Certificates: List of revoked certificates. Each list item contains
	//    the following information. Serial Number: The serial number, in hexadecimal
	//    format, of the revoked certificate. Revocation Date: Date and time the
	//    certificate was revoked. CRL Entry Extensions: Optional extensions for
	//    the CRL entry. X509v3 CRL Reason Code: Reason the certificate was revoked.
	//
	//    * CRL Extensions: Optional extensions for the CRL. X509v3 Authority Key
	//    Identifier: Identifies the public key associated with the private key
	//    used to sign the certificate. X509v3 CRL Number:: Decimal sequence number
	//    for the CRL.
	//
	//    * Signature Algorithm: Algorithm used by your private CA to sign the CRL.
	//
	//    * Signature Value: Signature computed over the CRL.
	//
	// Certificate revocation lists created by Amazon Web Services Private CA are
	// DER-encoded. You can use the following OpenSSL command to list a CRL.
	//
	// openssl crl -inform DER -text -in crl_path -noout
	//
	// For more information, see Planning a certificate revocation list (CRL) (https://docs.aws.amazon.com/privateca/latest/userguide/crl-planning.html)
	// in the Amazon Web Services Private Certificate Authority User Guide
	CRLConfiguration *CRLConfiguration `json:"crlConfiguration,omitempty"`
	// Contains information to enable and configure Online Certificate Status Protocol
	// (OCSP) for validating certificate revocation status.
	//
	// When you revoke a certificate, OCSP responses may take up to 60 minutes to
	// reflect the new status.
	OCSPConfiguration *OCSPConfiguration `json:"ocspConfiguration,omitempty"`
}

type RevocationReason string

type S3ObjectACL string

type SigningAlgorithm string

type Tag struct {
	Key   *string `json:"key,omitempty"`
	Value *string `json:"value,omitempty"`
}

type Validity struct {
	Type  *string `json:"type,omitempty"`
	Value *int64  `json:"value,omitempty"`
}

type ValidityPeriodType string