docs(client-acm-pca): Documentation updates for AWS Private CA.

clients/client-acm-pca/src/commands/CreateCertificateAuthorityAuditReportCommand.ts

@@ -37,16 +37,9 @@ export interface CreateCertificateAuthorityAuditReportCommandOutput
     __MetadataBearer {}
 
 /**
- * <p>Creates an audit report that lists every time that your CA private key is used. The
- * 			report is saved in the Amazon S3 bucket that you specify on input. The <a href="https://docs.aws.amazon.com/privateca/latest/APIReference/API_IssueCertificate.html">IssueCertificate</a> and <a href="https://docs.aws.amazon.com/privateca/latest/APIReference/API_RevokeCertificate.html">RevokeCertificate</a> actions use
- * 			the private key. </p>
- *          <note>
- *             <p>Both Amazon Web Services Private CA and the IAM principal must have permission to write to
- *                         the S3 bucket that you specify. If the IAM principal making the call
- *                         does not have permission to write to the bucket, then an exception is
- *                         thrown. For more information, see <a href="https://docs.aws.amazon.com/privateca/latest/userguide/crl-planning.html#s3-policies">Access
- * 						policies for CRLs in Amazon S3</a>.</p>
- *          </note>
+ * <p>Creates an audit report that lists every time that your CA private key is used to issue a certificate. The <a href="https://docs.aws.amazon.com/privateca/latest/APIReference/API_IssueCertificate.html">IssueCertificate</a> and <a href="https://docs.aws.amazon.com/privateca/latest/APIReference/API_RevokeCertificate.html">RevokeCertificate</a> actions use
+ * 			the private key.</p>
+ *          <p>To save the audit report to your designated Amazon S3 bucket, you must create a bucket policy that grants Amazon Web Services Private CA permission to access and write to it. For an example policy, see <a href="https://docs.aws.amazon.com/privateca/latest/userguide/PcaAuditReport.html#s3-access">Prepare an Amazon S3 bucket for audit reports</a>.</p>
  *          <p>Amazon Web Services Private CA assets that are stored in Amazon S3 can be protected with encryption.
  *   For more information, see <a href="https://docs.aws.amazon.com/privateca/latest/userguide/PcaAuditReport.html#audit-report-encryption">Encrypting Your Audit
  * 				Reports</a>.</p>

clients/client-acm-pca/src/commands/ImportCertificateAuthorityCertificateCommand.ts

@@ -102,64 +102,62 @@ export interface ImportCertificateAuthorityCertificateCommandOutput extends __Me
  * 			certificate or chain.</p>
  *          <ul>
  *             <li>
- *                <p>Basic constraints (<i>must</i> be marked critical)</p>
+ *                <p>Authority key identifier</p>
  *             </li>
  *             <li>
- *                <p>Subject alternative names</p>
+ *                <p>Basic constraints (<i>must</i> be marked critical)</p>
  *             </li>
  *             <li>
- *                <p>Key usage</p>
+ *                <p>Certificate policies</p>
  *             </li>
  *             <li>
  *                <p>Extended key usage</p>
  *             </li>
  *             <li>
- *                <p>Authority key identifier</p>
+ *                <p>Inhibit anyPolicy</p>
  *             </li>
  *             <li>
- *                <p>Subject key identifier</p>
+ *                <p>Issuer alternative name</p>
  *             </li>
  *             <li>
- *                <p>Issuer alternative name</p>
+ *                <p>Key usage</p>
  *             </li>
  *             <li>
- *                <p>Subject directory attributes</p>
+ *                <p>Name constraints</p>
  *             </li>
  *             <li>
- *                <p>Subject information access</p>
+ *                <p>Policy mappings</p>
  *             </li>
  *             <li>
- *                <p>Certificate policies</p>
+ *                <p>Subject alternative name</p>
  *             </li>
  *             <li>
- *                <p>Policy mappings</p>
+ *                <p>Subject directory attributes</p>
  *             </li>
  *             <li>
- *                <p>Inhibit anyPolicy</p>
+ *                <p>Subject key identifier</p>
+ *             </li>
+ *             <li>
+ *                <p>Subject information access</p>
  *             </li>
  *          </ul>
  *          <p>Amazon Web Services Private CA rejects the following extensions when they are marked critical in an
  * 			imported CA certificate or chain.</p>
  *          <ul>
  *             <li>
- *                <p>Name constraints</p>
- *             </li>
- *             <li>
- *                <p>Policy constraints</p>
+ *                <p>Authority information access</p>
  *             </li>
  *             <li>
  *                <p>CRL distribution points</p>
  *             </li>
  *             <li>
- *                <p>Authority information access</p>
- *             </li>
- *             <li>
  *                <p>Freshest CRL</p>
  *             </li>
  *             <li>
- *                <p>Any other extension</p>
+ *                <p>Policy constraints</p>
  *             </li>
  *          </ul>
+ *          <p>Amazon Web Services Private Certificate Authority will also reject any other extension marked as critical not contained on the preceding list of allowed extensions.</p>
  * @example
  * Use a bare-bones client and the command you need to make an API call.
  * ```javascript

clients/client-acm-pca/src/models/models_0.ts

@@ -818,33 +818,29 @@ export interface CreateCertificateAuthorityRequest {
   CertificateAuthorityConfiguration: CertificateAuthorityConfiguration | undefined;
 
   /**
-   * <p>Contains information to enable Online Certificate Status Protocol (OCSP) support, to
-   * 			enable a certificate revocation list (CRL), to enable both, or to enable neither. The
-   * 			default is for both certificate validation mechanisms to be disabled. </p>
-   *          <note>
-   *             <p>The following requirements apply to revocation configurations.</p>
-   *             <ul>
-   *                <li>
-   *                   <p>A configuration disabling CRLs or OCSP must contain only the <code>Enabled=False</code>
+   * <p>Contains information to enable support for Online Certificate Status Protocol (OCSP), certificate revocation list (CRL), both protocols, or neither. By default, both certificate validation mechanisms are disabled.</p>
+   *          <p>The following requirements apply to revocation configurations.</p>
+   *          <ul>
+   *             <li>
+   *                <p>A configuration disabling CRLs or OCSP must contain only the <code>Enabled=False</code>
    * 					parameter, and will fail if other parameters such as <code>CustomCname</code> or
    * 					<code>ExpirationInDays</code> are included.</p>
-   *                </li>
-   *                <li>
-   *                   <p>In a CRL configuration, the <code>S3BucketName</code> parameter must conform to
+   *             </li>
+   *             <li>
+   *                <p>In a CRL configuration, the <code>S3BucketName</code> parameter must conform to
    * 					<a href="https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucketnamingrules.html">Amazon S3
    * 					bucket naming rules</a>.</p>
-   *                </li>
-   *                <li>
-   *                   <p>A configuration containing a custom Canonical
+   *             </li>
+   *             <li>
+   *                <p>A configuration containing a custom Canonical
    * 						Name (CNAME) parameter for CRLs or OCSP must conform to <a href="https://www.ietf.org/rfc/rfc2396.txt">RFC2396</a> restrictions
    * 						on the use of special characters in a CNAME. </p>
-   *                </li>
-   *                <li>
-   *                   <p>In a CRL or OCSP configuration, the value of a CNAME parameter must not include a
+   *             </li>
+   *             <li>
+   *                <p>In a CRL or OCSP configuration, the value of a CNAME parameter must not include a
    * 						protocol prefix such as "http://" or "https://".</p>
-   *                </li>
-   *             </ul>
-   *          </note>
+   *             </li>
+   *          </ul>
    *          <p> For more information, see the <a href="https://docs.aws.amazon.com/privateca/latest/APIReference/API_OcspConfiguration.html">OcspConfiguration</a> and <a href="https://docs.aws.amazon.com/privateca/latest/APIReference/API_CrlConfiguration.html">CrlConfiguration</a>
    * 			types.</p>
    * @public
@@ -2716,34 +2712,33 @@ export interface UpdateCertificateAuthorityRequest {
   CertificateAuthorityArn: string | undefined;
 
   /**
-   * <p>Contains information to enable Online Certificate Status Protocol (OCSP) support, to
-   * 			enable a certificate revocation list (CRL), to enable both, or to enable neither. If
-   * 			this parameter is not supplied, existing capibilites remain unchanged. For more
+   * <p>Contains information to enable support for Online Certificate Status Protocol (OCSP), certificate revocation list (CRL), both protocols, or neither. If you don't supply this parameter, existing capibilites remain unchanged. For more
    * 			information, see the <a href="https://docs.aws.amazon.com/privateca/latest/APIReference/API_OcspConfiguration.html">OcspConfiguration</a> and <a href="https://docs.aws.amazon.com/privateca/latest/APIReference/API_CrlConfiguration.html">CrlConfiguration</a> types.</p>
-   *          <note>
-   *             <p>The following requirements apply to revocation configurations.</p>
-   *             <ul>
-   *                <li>
-   *                   <p>A configuration disabling CRLs or OCSP must contain only the <code>Enabled=False</code>
+   *          <p>The following requirements apply to revocation configurations.</p>
+   *          <ul>
+   *             <li>
+   *                <p>A configuration disabling CRLs or OCSP must contain only the <code>Enabled=False</code>
    * 					parameter, and will fail if other parameters such as <code>CustomCname</code> or
    * 					<code>ExpirationInDays</code> are included.</p>
-   *                </li>
-   *                <li>
-   *                   <p>In a CRL configuration, the <code>S3BucketName</code> parameter must conform to
+   *             </li>
+   *             <li>
+   *                <p>In a CRL configuration, the <code>S3BucketName</code> parameter must conform to
    * 					<a href="https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucketnamingrules.html">Amazon S3
    * 					bucket naming rules</a>.</p>
-   *                </li>
-   *                <li>
-   *                   <p>A configuration containing a custom Canonical
+   *             </li>
+   *             <li>
+   *                <p>A configuration containing a custom Canonical
    * 						Name (CNAME) parameter for CRLs or OCSP must conform to <a href="https://www.ietf.org/rfc/rfc2396.txt">RFC2396</a> restrictions
    * 						on the use of special characters in a CNAME. </p>
-   *                </li>
-   *                <li>
-   *                   <p>In a CRL or OCSP configuration, the value of a CNAME parameter must not include a
+   *             </li>
+   *             <li>
+   *                <p>In a CRL or OCSP configuration, the value of a CNAME parameter must not include a
    * 						protocol prefix such as "http://" or "https://".</p>
-   *                </li>
-   *             </ul>
-   *          </note>
+   *             </li>
+   *          </ul>
+   *          <important>
+   *             <p> If you update the <code>S3BucketName</code> of <a href="https://docs.aws.amazon.com/privateca/latest/APIReference/API_CrlConfiguration.html">CrlConfiguration</a>, you can break revocation for existing certificates. In other words, if you call <a href="https://docs.aws.amazon.com/privateca/latest/APIReference/API_UpdateCertificateAuthority.html">UpdateCertificateAuthority</a> to update the CRL configuration's S3 bucket name, Amazon Web Services Private CA only writes CRLs to the new S3 bucket. Certificates issued prior to this point will have the old S3 bucket name in your CRL Distribution Point (CDP) extension, essentially breaking revocation. If you must update the S3 bucket, you'll need to reissue old certificates to keep the revocation working. Alternatively, you can use a <a href="https://docs.aws.amazon.com/privateca/latest/APIReference/API_CrlConfiguration.html#privateca-Type-CrlConfiguration-CustomCname">CustomCname</a> in your CRL configuration if you might need to change the S3 bucket name in the future.</p>
+   *          </important>
    * @public
    */
   RevocationConfiguration?: RevocationConfiguration;