CfnTemplate
- class aws_cdk.aws_pcaconnectorad.CfnTemplate(scope, id, *, connector_arn, definition, name, reenroll_all_certificate_holders=None, tags=None)
Bases: CfnResource
Creates an Active Directory compatible certificate template.
The connector issues certificates using these templates based on the requester’s Active Directory group membership.
- CloudformationResource: AWS::PCAConnectorAD::Template
Example:
```python
# The code below shows an example of how to instantiate this type.
# The values are placeholders you should change.
from aws_cdk import aws_pcaconnectorad as pcaconnectorad

cfn_template = pcaconnectorad.CfnTemplate(self, "MyCfnTemplate",
    connector_arn="connectorArn",
    definition=pcaconnectorad.CfnTemplate.TemplateDefinitionProperty(
        template_v2=pcaconnectorad.CfnTemplate.TemplateV2Property(
            certificate_validity=pcaconnectorad.CfnTemplate.CertificateValidityProperty(
                renewal_period=pcaconnectorad.CfnTemplate.ValidityPeriodProperty(
                    period=123,
                    period_type="periodType"
                ),
                validity_period=pcaconnectorad.CfnTemplate.ValidityPeriodProperty(
                    period=123,
                    period_type="periodType"
                )
            ),
            enrollment_flags=pcaconnectorad.CfnTemplate.EnrollmentFlagsV2Property(
                enable_key_reuse_on_nt_token_keyset_storage_full=False,
                include_symmetric_algorithms=False,
                no_security_extension=False,
                remove_invalid_certificate_from_personal_store=False,
                user_interaction_required=False
            ),
            extensions=pcaconnectorad.CfnTemplate.ExtensionsV2Property(
                key_usage=pcaconnectorad.CfnTemplate.KeyUsageProperty(
                    usage_flags=pcaconnectorad.CfnTemplate.KeyUsageFlagsProperty(
                        data_encipherment=False,
                        digital_signature=False,
                        key_agreement=False,
                        key_encipherment=False,
                        non_repudiation=False
                    ),
                    # the properties below are optional
                    critical=False
                ),
                # the properties below are optional
                application_policies=pcaconnectorad.CfnTemplate.ApplicationPoliciesProperty(
                    policies=[pcaconnectorad.CfnTemplate.ApplicationPolicyProperty(
                        policy_object_identifier="policyObjectIdentifier",
                        policy_type="policyType"
                    )],
                    # the properties below are optional
                    critical=False
                )
            ),
            general_flags=pcaconnectorad.CfnTemplate.GeneralFlagsV2Property(
                auto_enrollment=False,
                machine_type=False
            ),
            private_key_attributes=pcaconnectorad.CfnTemplate.PrivateKeyAttributesV2Property(
                key_spec="keySpec",
                minimal_key_length=123,
                # the properties below are optional
                crypto_providers=["cryptoProviders"]
            ),
            private_key_flags=pcaconnectorad.CfnTemplate.PrivateKeyFlagsV2Property(
                client_version="clientVersion",
                # the properties below are optional
                exportable_key=False,
                strong_key_protection_required=False
            ),
            subject_name_flags=pcaconnectorad.CfnTemplate.SubjectNameFlagsV2Property(
                require_common_name=False,
                require_directory_path=False,
                require_dns_as_cn=False,
                require_email=False,
                san_require_directory_guid=False,
                san_require_dns=False,
                san_require_domain_dns=False,
                san_require_email=False,
                san_require_spn=False,
                san_require_upn=False
            ),
            # the properties below are optional
            superseded_templates=["supersededTemplates"]
        ),
        template_v3=pcaconnectorad.CfnTemplate.TemplateV3Property(
            certificate_validity=pcaconnectorad.CfnTemplate.CertificateValidityProperty(
                renewal_period=pcaconnectorad.CfnTemplate.ValidityPeriodProperty(
                    period=123,
                    period_type="periodType"
                ),
                validity_period=pcaconnectorad.CfnTemplate.ValidityPeriodProperty(
                    period=123,
                    period_type="periodType"
                )
            ),
            enrollment_flags=pcaconnectorad.CfnTemplate.EnrollmentFlagsV3Property(
                enable_key_reuse_on_nt_token_keyset_storage_full=False,
                include_symmetric_algorithms=False,
                no_security_extension=False,
                remove_invalid_certificate_from_personal_store=False,
                user_interaction_required=False
            ),
            extensions=pcaconnectorad.CfnTemplate.ExtensionsV3Property(
                key_usage=pcaconnectorad.CfnTemplate.KeyUsageProperty(
                    usage_flags=pcaconnectorad.CfnTemplate.KeyUsageFlagsProperty(
                        data_encipherment=False,
                        digital_signature=False,
                        key_agreement=False,
                        key_encipherment=False,
                        non_repudiation=False
                    ),
                    # the properties below are optional
                    critical=False
                ),
                # the properties below are optional
                application_policies=pcaconnectorad.CfnTemplate.ApplicationPoliciesProperty(
                    policies=[pcaconnectorad.CfnTemplate.ApplicationPolicyProperty(
                        policy_object_identifier="policyObjectIdentifier",
                        policy_type="policyType"
                    )],
                    # the properties below are optional
                    critical=False
                )
            ),
            general_flags=pcaconnectorad.CfnTemplate.GeneralFlagsV3Property(
                auto_enrollment=False,
                machine_type=False
            ),
            hash_algorithm="hashAlgorithm",
            private_key_attributes=pcaconnectorad.CfnTemplate.PrivateKeyAttributesV3Property(
                algorithm="algorithm",
                key_spec="keySpec",
                key_usage_property=pcaconnectorad.CfnTemplate.KeyUsagePropertyProperty(
                    property_flags=pcaconnectorad.CfnTemplate.KeyUsagePropertyFlagsProperty(
                        decrypt=False,
                        key_agreement=False,
                        sign=False
                    ),
                    property_type="propertyType"
                ),
                minimal_key_length=123,
                # the properties below are optional
                crypto_providers=["cryptoProviders"]
            ),
            private_key_flags=pcaconnectorad.CfnTemplate.PrivateKeyFlagsV3Property(
                client_version="clientVersion",
                # the properties below are optional
                exportable_key=False,
                require_alternate_signature_algorithm=False,
                strong_key_protection_required=False
            ),
            subject_name_flags=pcaconnectorad.CfnTemplate.SubjectNameFlagsV3Property(
                require_common_name=False,
                require_directory_path=False,
                require_dns_as_cn=False,
                require_email=False,
                san_require_directory_guid=False,
                san_require_dns=False,
                san_require_domain_dns=False,
                san_require_email=False,
                san_require_spn=False,
                san_require_upn=False
            ),
            # the properties below are optional
            superseded_templates=["supersededTemplates"]
        ),
        template_v4=pcaconnectorad.CfnTemplate.TemplateV4Property(
            certificate_validity=pcaconnectorad.CfnTemplate.CertificateValidityProperty(
                renewal_period=pcaconnectorad.CfnTemplate.ValidityPeriodProperty(
                    period=123,
                    period_type="periodType"
                ),
                validity_period=pcaconnectorad.CfnTemplate.ValidityPeriodProperty(
                    period=123,
                    period_type="periodType"
                )
            ),
            enrollment_flags=pcaconnectorad.CfnTemplate.EnrollmentFlagsV4Property(
                enable_key_reuse_on_nt_token_keyset_storage_full=False,
                include_symmetric_algorithms=False,
                no_security_extension=False,
                remove_invalid_certificate_from_personal_store=False,
                user_interaction_required=False
            ),
            extensions=pcaconnectorad.CfnTemplate.ExtensionsV4Property(
                key_usage=pcaconnectorad.CfnTemplate.KeyUsageProperty(
                    usage_flags=pcaconnectorad.CfnTemplate.KeyUsageFlagsProperty(
                        data_encipherment=False,
                        digital_signature=False,
                        key_agreement=False,
                        key_encipherment=False,
                        non_repudiation=False
                    ),
                    # the properties below are optional
                    critical=False
                ),
                # the properties below are optional
                application_policies=pcaconnectorad.CfnTemplate.ApplicationPoliciesProperty(
                    policies=[pcaconnectorad.CfnTemplate.ApplicationPolicyProperty(
                        policy_object_identifier="policyObjectIdentifier",
                        policy_type="policyType"
                    )],
                    # the properties below are optional
                    critical=False
                )
            ),
            general_flags=pcaconnectorad.CfnTemplate.GeneralFlagsV4Property(
                auto_enrollment=False,
                machine_type=False
            ),
            private_key_attributes=pcaconnectorad.CfnTemplate.PrivateKeyAttributesV4Property(
                key_spec="keySpec",
                minimal_key_length=123,
                # the properties below are optional
                algorithm="algorithm",
                crypto_providers=["cryptoProviders"],
                key_usage_property=pcaconnectorad.CfnTemplate.KeyUsagePropertyProperty(
                    property_flags=pcaconnectorad.CfnTemplate.KeyUsagePropertyFlagsProperty(
                        decrypt=False,
                        key_agreement=False,
                        sign=False
                    ),
                    property_type="propertyType"
                )
            ),
            private_key_flags=pcaconnectorad.CfnTemplate.PrivateKeyFlagsV4Property(
                client_version="clientVersion",
                # the properties below are optional
                exportable_key=False,
                require_alternate_signature_algorithm=False,
                require_same_key_renewal=False,
                strong_key_protection_required=False,
                use_legacy_provider=False
            ),
            subject_name_flags=pcaconnectorad.CfnTemplate.SubjectNameFlagsV4Property(
                require_common_name=False,
                require_directory_path=False,
                require_dns_as_cn=False,
                require_email=False,
                san_require_directory_guid=False,
                san_require_dns=False,
                san_require_domain_dns=False,
                san_require_email=False,
                san_require_spn=False,
                san_require_upn=False
            ),
            # the properties below are optional
            hash_algorithm="hashAlgorithm",
            superseded_templates=["supersededTemplates"]
        )
    ),
    name="name",
    # the properties below are optional
    reenroll_all_certificate_holders=False,
    tags={
        "tags_key": "tags"
    }
)
```
- Parameters:
  - scope (Construct) – Scope in which this resource is defined.
  - id (str) – Construct identifier for this resource (unique in its scope).
  - connector_arn (str) – The Amazon Resource Name (ARN) that was returned when you called CreateConnector.
  - definition (Union[IResolvable, TemplateDefinitionProperty, Dict[str, Any]]) – Template configuration to define the information included in certificates. Define certificate validity and renewal periods, certificate request handling and enrollment options, key usage extensions, application policies, and cryptography settings.
  - name (str) – Name of the template. Template names must be unique.
  - reenroll_all_certificate_holders (Union[bool, IResolvable, None]) – This setting allows the major version of a template to be increased automatically. All members of Active Directory groups that are allowed to enroll with a template will receive a new certificate issued using that template.
  - tags (Optional[Mapping[str, str]]) – Metadata assigned to a template consisting of a key-value pair.
Methods
- add_deletion_override(path)
Syntactic sugar for addOverride(path, undefined).
- Parameters:
  - path (str) – The path of the value to delete.
- Return type: None
- add_dependency(target)
Indicates that this resource depends on another resource and cannot be provisioned unless the other resource has been successfully provisioned.
This can be used for resources across stacks (or nested stack) boundaries and the dependency will automatically be transferred to the relevant scope.
- Parameters:
  - target (CfnResource)
- Return type: None
- add_depends_on(target)
(deprecated) Indicates that this resource depends on another resource and cannot be provisioned unless the other resource has been successfully provisioned.
- Parameters:
  - target (CfnResource)
- Deprecated: use addDependency
- Stability: deprecated
- Return type: None
- add_metadata(key, value)
Add a value to the CloudFormation Resource Metadata.
- Parameters:
  - key (str)
  - value (Any)
- Return type: None
Note that this is a different set of metadata from CDK node metadata; this metadata ends up in the stack template under the resource, whereas CDK node metadata ends up in the Cloud Assembly.
- add_override(path, value)
Adds an override to the synthesized CloudFormation resource.
To add a property override, either use addPropertyOverride or prefix path with “Properties.” (i.e. Properties.TopicName).
If the override is nested, separate each nested level using a dot (.) in the path parameter. If there is an array as part of the nesting, specify the index in the path.
To include a literal . in the property name, prefix with a \. In most programming languages you will need to write this as "\\." because the \ itself will need to be escaped.
For example:
```python
cfn_resource.add_override("Properties.GlobalSecondaryIndexes.0.Projection.NonKeyAttributes", ["myattribute"])
cfn_resource.add_override("Properties.GlobalSecondaryIndexes.1.ProjectionType", "INCLUDE")
```
would add the overrides:
```json
"Properties": {
  "GlobalSecondaryIndexes": [
    {
      "Projection": {
        "NonKeyAttributes": [ "myattribute" ]
        ...
      }
      ...
    },
    {
      "ProjectionType": "INCLUDE"
      ...
    },
  ]
  ...
}
```
The value argument to addOverride will not be processed or translated in any way. Pass raw JSON values in here with the correct capitalization for CloudFormation. If you pass CDK classes or structs, they will be rendered with lowercased key names, and CloudFormation will reject the template.
- Parameters:
  - path (str) – The path of the property, you can use dot notation to override values in complex types. Any intermediate keys will be created as needed.
  - value (Any) – The value. Could be primitive or complex.
- Return type: None
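The path rules described above, reimplemented in plain Python as an added example (this is not the CDK’s own code): it splits on unescaped dots, honours the \. escape and numeric array indexes, stores the value raw, and applies the page’s two overrides to a constructed, CloudFormation-cased DynamoDB resource.

```python
from typing import Any, Dict, List


def split_override_path(path: str) -> List[str]:
    """Split on unescaped dots; a backslash-escaped dot ("\\." in source) stays in the segment."""
    segments: List[str] = []
    current: List[str] = []
    i = 0
    while i < len(path):
        if path[i] == "\\" and i + 1 < len(path) and path[i + 1] == ".":
            current.append(".")  # literal dot inside a property name
            i += 2
            continue
        if path[i] == ".":
            segments.append("".join(current))
            current = []
        else:
            current.append(path[i])
        i += 1
    segments.append("".join(current))
    return segments


def apply_override(resource: Dict[str, Any], path: str, value: Any) -> Dict[str, Any]:
    """Set `value` at `path` in a rendered resource, creating intermediate keys as needed.

    Numeric segments index lists (lists are padded with empty objects so the index
    exists); the value is stored exactly as given, mirroring the page's rule that
    the value is raw JSON with CloudFormation capitalization.
    """
    segments = split_override_path(path)
    node: Any = resource
    for position, segment in enumerate(segments):
        is_last = position == len(segments) - 1
        if isinstance(node, list):
            index = int(segment)
            while len(node) <= index:
                node.append({})
            if is_last:
                node[index] = value
                break
            node = node[index]
        else:
            if is_last:
                node[segment] = value
                break
            next_is_index = segments[position + 1].isdigit()
            if not isinstance(node.get(segment), (dict, list)):
                node[segment] = [] if next_is_index else {}
            node = node[segment]
    return resource


def rendered_example_resource() -> Dict[str, Any]:
    """Constructed resource in rendered (CloudFormation-cased) form, standing in for
    the DynamoDB table the page's add_override example refers to."""
    return {
        "Type": "AWS::DynamoDB::Table",
        "Properties": {
            "GlobalSecondaryIndexes": [
                {"IndexName": "gsi0", "Projection": {"ProjectionType": "KEYS_ONLY"}},
                {"IndexName": "gsi1", "Projection": {"ProjectionType": "ALL"}},
            ]
        },
    }


def run_page_example() -> Dict[str, Any]:
    """Apply the two overrides from the page's own example plus one with an escaped dot."""
    resource = rendered_example_resource()
    apply_override(resource, "Properties.GlobalSecondaryIndexes.0.Projection.NonKeyAttributes", ["myattribute"])
    apply_override(resource, "Properties.GlobalSecondaryIndexes.1.ProjectionType", "INCLUDE")
    apply_override(resource, "Metadata.escaped\\.key", True)  # "\\." in source is one literal dot
    return resource
```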
- add_property_deletion_override(property_path)
Adds an override that deletes the value of a property from the resource definition.
- Parameters:
  - property_path (str) – The path to the property.
- Return type: None
- add_property_override(property_path, value)
Adds an override to a resource property.
Syntactic sugar for addOverride("Properties.<...>", value).
- Parameters:
  - property_path (str) – The path of the property.
  - value (Any) – The value.
- Return type: None
- apply_removal_policy(policy=None, *, apply_to_update_replace_policy=None, default=None)
Sets the deletion policy of the resource based on the removal policy specified.
The Removal Policy controls what happens to this resource when it stops being managed by CloudFormation, either because you’ve removed it from the CDK application or because you’ve made a change that requires the resource to be replaced.
The resource can be deleted (RemovalPolicy.DESTROY), or left in your AWS account for data recovery and cleanup later (RemovalPolicy.RETAIN). In some cases, a snapshot can be taken of the resource prior to deletion (RemovalPolicy.SNAPSHOT). A list of resources that support this policy can be found in the following link:
- Parameters:
  - policy (Optional[RemovalPolicy])
  - apply_to_update_replace_policy (Optional[bool]) – Apply the same deletion policy to the resource’s “UpdateReplacePolicy”. Default: true
  - default (Optional[RemovalPolicy]) – The default policy to apply in case the removal policy is not defined. Default: - Default value is resource specific. To determine the default value for a resource, please consult that specific resource’s documentation.
- Return type: None
- get_att(attribute_name, type_hint=None)
Returns a token for a runtime attribute of this resource.
Ideally, use generated attribute accessors (e.g. resource.arn), but this can be used for future compatibility in case there is no generated attribute.
- Parameters:
  - attribute_name (str) – The name of the attribute.
  - type_hint (Optional[ResolutionTypeHint])
- Return type:
- get_metadata(key)
Retrieve a value from the CloudFormation Resource Metadata.
- Parameters:
  - key (str)
- Return type: Any
Note that this is a different set of metadata from CDK node metadata; this metadata ends up in the stack template under the resource, whereas CDK node metadata ends up in the Cloud Assembly.
- inspect(inspector)
Examines the CloudFormation resource and discloses attributes.
- Parameters:
  - inspector (TreeInspector) – tree inspector to collect and process attributes.
- Return type: None
- obtain_dependencies()
Retrieves an array of resources this resource depends on.
This assembles dependencies on resources across stacks (including nested stacks) automatically.
- Return type: List[Union[Stack, CfnResource]]
- obtain_resource_dependencies()
Get a shallow copy of dependencies between this resource and other resources in the same stack.
- Return type: List[CfnResource]
- override_logical_id(new_logical_id)
Overrides the auto-generated logical ID with a specific ID.
- Parameters:
  - new_logical_id (str) – The new logical ID to use for this stack element.
- Return type: None
- remove_dependency(target)
Indicates that this resource no longer depends on another resource.
This can be used for resources across stacks (including nested stacks) and the dependency will automatically be removed from the relevant scope.
- Parameters:
  - target (CfnResource)
- Return type: None
- replace_dependency(target, new_target)
Replaces one dependency with another.
- Parameters:
  - target (CfnResource) – The dependency to replace.
  - new_target (CfnResource) – The new dependency to add.
- Return type: None
- to_string()
Returns a string representation of this construct.
- Return type: str
- Returns: a string representation of this resource
Attributes
- CFN_RESOURCE_TYPE_NAME = 'AWS::PCAConnectorAD::Template'
- attr_template_arn
The Amazon Resource Name (ARN) that was returned when you called CreateTemplate (https://docs.aws.amazon.com/pca-connector-ad/latest/APIReference/API_CreateTemplate.html).
- CloudformationAttribute: TemplateArn
- cdk_tag_manager
Tag Manager which manages the tags for this resource.
- cfn_options
Options for this resource, such as condition, update policy etc.
- cfn_resource_type
AWS resource type.
- connector_arn
The Amazon Resource Name (ARN) that was returned when you called CreateConnector (https://docs.aws.amazon.com/pca-connector-ad/latest/APIReference/API_CreateConnector.html).
- creation_stack
- Returns: the stack trace of the point where this Resource was created from, sourced from the +metadata+ entry typed +aws:cdk:logicalId+, and with the bottom-most node +internal+ entries filtered.
- definition
Template configuration to define the information included in certificates.
- logical_id
The logical ID for this CloudFormation stack element.
The logical ID of the element is calculated from the path of the resource node in the construct tree.
To override this value, use overrideLogicalId(newLogicalId).
- Returns: the logical ID as a stringified token. This value will only get resolved during synthesis.
- name
Name of the template.
- node
The tree node.
- reenroll_all_certificate_holders
This setting allows the major version of a template to be increased automatically.
- ref
Return a string that will be resolved to a CloudFormation { Ref } for this element.
If, by any chance, the intrinsic reference of a resource is not a string, you could coerce it to an IResolvable through Lazy.any({ produce: resource.ref }).
- stack
The stack in which this element is defined.
CfnElements must be defined within a stack scope (directly or indirectly).
- tags
Metadata assigned to a template consisting of a key-value pair.
Static Methods
- classmethod is_cfn_element(x)
Returns true if a construct is a stack element (i.e. part of the synthesized cloudformation template).
Uses duck-typing instead of instanceof to allow stack elements from different versions of this library to be included in the same stack.
- Parameters:
  - x (Any)
- Return type: bool
- Returns: The construct as a stack element or undefined if it is not a stack element.
- classmethod is_cfn_resource(x)
Check whether the given object is a CfnResource.
- Parameters:
  - x (Any)
- Return type: bool
- classmethod is_construct(x)
Checks if x is a construct.
Use this method instead of instanceof to properly detect Construct instances, even when the construct library is symlinked.
Explanation: in JavaScript, multiple copies of the constructs library on disk are seen as independent, completely different libraries. As a consequence, the class Construct in each copy of the constructs library is seen as a different class, and an instance of one class will not test as instanceof the other class. npm install will not create installations like this, but users may manually symlink construct libraries together or use a monorepo tool: in those cases, multiple copies of the constructs library can be accidentally installed, and instanceof will behave unpredictably. It is safest to avoid using instanceof, and using this type-testing method instead.
- Parameters:
  - x (Any) – Any object.
- Return type: bool
- Returns: true if x is an object created from a class which extends Construct.
ApplicationPoliciesProperty
- class CfnTemplate.ApplicationPoliciesProperty(*, policies, critical=None)
Bases: object
Application policies describe what the certificate can be used for.
- Parameters:
  - policies (Union[IResolvable, Sequence[Union[IResolvable, ApplicationPolicyProperty, Dict[str, Any]]]]) – Application policies describe what the certificate can be used for.
  - critical (Union[bool, IResolvable, None]) – Marks the application policy extension as critical.
Example:
```python
# The code below shows an example of how to instantiate this type.
# The values are placeholders you should change.
from aws_cdk import aws_pcaconnectorad as pcaconnectorad

application_policies_property = pcaconnectorad.CfnTemplate.ApplicationPoliciesProperty(
    policies=[pcaconnectorad.CfnTemplate.ApplicationPolicyProperty(
        policy_object_identifier="policyObjectIdentifier",
        policy_type="policyType"
    )],
    # the properties below are optional
    critical=False
)
```
Attributes
- critical
Marks the application policy extension as critical.
- policies
Application policies describe what the certificate can be used for.
ApplicationPolicyProperty
- class CfnTemplate.ApplicationPolicyProperty(*, policy_object_identifier=None, policy_type=None)
Bases: object
Application policies describe what the certificate can be used for.
- Parameters:
  - policy_object_identifier (Optional[str]) – The object identifier (OID) of an application policy.
  - policy_type (Optional[str]) – The type of application policy.
Example:
```python
# The code below shows an example of how to instantiate this type.
# The values are placeholders you should change.
from aws_cdk import aws_pcaconnectorad as pcaconnectorad

application_policy_property = pcaconnectorad.CfnTemplate.ApplicationPolicyProperty(
    policy_object_identifier="policyObjectIdentifier",
    policy_type="policyType"
)
```
Attributes
- policy_object_identifier
The object identifier (OID) of an application policy.
- policy_type
The type of application policy.
CertificateValidityProperty
- class CfnTemplate.CertificateValidityProperty(*, renewal_period, validity_period)
Bases: object
Information describing the end of the validity period of the certificate.
This parameter sets the “Not After” date for the certificate. Certificate validity is the period of time during which a certificate is valid. Validity can be expressed as an explicit date and time when the certificate expires, or as a span of time after issuance, stated in days, months, or years. For more information, see Validity in RFC 5280. This value is unaffected when ValidityNotBefore is also specified. For example, if Validity is set to 20 days in the future, the certificate will expire 20 days from issuance time regardless of the ValidityNotBefore value.
- Parameters:
  - renewal_period (Union[IResolvable, ValidityPeriodProperty, Dict[str, Any]]) – Renewal period is the period of time before certificate expiration when a new certificate will be requested.
  - validity_period (Union[IResolvable, ValidityPeriodProperty, Dict[str, Any]]) – Information describing the end of the validity period of the certificate. This parameter sets the “Not After” date for the certificate. Certificate validity is the period of time during which a certificate is valid. Validity can be expressed as an explicit date and time when the certificate expires, or as a span of time after issuance, stated in days, months, or years. For more information, see Validity in RFC 5280. This value is unaffected when ValidityNotBefore is also specified. For example, if Validity is set to 20 days in the future, the certificate will expire 20 days from issuance time regardless of the ValidityNotBefore value.
Example:
```python
# The code below shows an example of how to instantiate this type.
# The values are placeholders you should change.
from aws_cdk import aws_pcaconnectorad as pcaconnectorad

certificate_validity_property = pcaconnectorad.CfnTemplate.CertificateValidityProperty(
    renewal_period=pcaconnectorad.CfnTemplate.ValidityPeriodProperty(
        period=123,
        period_type="periodType"
    ),
    validity_period=pcaconnectorad.CfnTemplate.ValidityPeriodProperty(
        period=123,
        period_type="periodType"
    )
)
```
Attributes
- renewal_period
Renewal period is the period of time before certificate expiration when a new certificate will be requested.
- validity_period
Information describing the end of the validity period of the certificate.
This parameter sets the “Not After” date for the certificate. Certificate validity is the period of time during which a certificate is valid. Validity can be expressed as an explicit date and time when the certificate expires, or as a span of time after issuance, stated in days, months, or years. For more information, see Validity in RFC 5280. This value is unaffected when ValidityNotBefore is also specified. For example, if Validity is set to 20 days in the future, the certificate will expire 20 days from issuance time regardless of the ValidityNotBefore value.
EnrollmentFlagsV2Property
- class CfnTemplate.EnrollmentFlagsV2Property(*, enable_key_reuse_on_nt_token_keyset_storage_full=None, include_symmetric_algorithms=None, no_security_extension=None, remove_invalid_certificate_from_personal_store=None, user_interaction_required=None)
Bases: object
Template configurations for v2 template schema.
- Parameters:
  - enable_key_reuse_on_nt_token_keyset_storage_full (Union[bool, IResolvable, None]) – Allow renewal using the same key.
  - include_symmetric_algorithms (Union[bool, IResolvable, None]) – Include symmetric algorithms allowed by the subject.
  - no_security_extension (Union[bool, IResolvable, None]) – This flag instructs the CA to not include the security extension szOID_NTDS_CA_SECURITY_EXT (OID:1.3.6.1.4.1.311.25.2), as specified in [MS-WCCE] sections 2.2.2.7.7.4 and 3.2.2.6.2.1.4.5.9, in the issued certificate. This addresses a Windows Kerberos elevation-of-privilege vulnerability.
  - remove_invalid_certificate_from_personal_store (Union[bool, IResolvable, None]) – Delete expired or revoked certificates instead of archiving them.
  - user_interaction_required (Union[bool, IResolvable, None]) – Require user interaction when the subject is enrolled and the private key associated with the certificate is used.
Example:
```python
# The code below shows an example of how to instantiate this type.
# The values are placeholders you should change.
from aws_cdk import aws_pcaconnectorad as pcaconnectorad

enrollment_flags_v2_property = pcaconnectorad.CfnTemplate.EnrollmentFlagsV2Property(
    enable_key_reuse_on_nt_token_keyset_storage_full=False,
    include_symmetric_algorithms=False,
    no_security_extension=False,
    remove_invalid_certificate_from_personal_store=False,
    user_interaction_required=False
)
```
Attributes
- enable_key_reuse_on_nt_token_keyset_storage_full
Allow renewal using the same key.
- include_symmetric_algorithms
Include symmetric algorithms allowed by the subject.
- no_security_extension
This flag instructs the CA to not include the security extension szOID_NTDS_CA_SECURITY_EXT (OID:1.3.6.1.4.1.311.25.2), as specified in [MS-WCCE] sections 2.2.2.7.7.4 and 3.2.2.6.2.1.4.5.9, in the issued certificate. This addresses a Windows Kerberos elevation-of-privilege vulnerability.
- remove_invalid_certificate_from_personal_store
Delete expired or revoked certificates instead of archiving them.
- user_interaction_required
Require user interaction when the subject is enrolled and the private key associated with the certificate is used.
EnrollmentFlagsV3Property
- class CfnTemplate.EnrollmentFlagsV3Property(*, enable_key_reuse_on_nt_token_keyset_storage_full=None, include_symmetric_algorithms=None, no_security_extension=None, remove_invalid_certificate_from_personal_store=None, user_interaction_required=None)
Bases: object
Template configurations for v3 template schema.
- Parameters:
  - enable_key_reuse_on_nt_token_keyset_storage_full (Union[bool, IResolvable, None]) – Allow renewal using the same key.
  - include_symmetric_algorithms (Union[bool, IResolvable, None]) – Include symmetric algorithms allowed by the subject.
  - no_security_extension (Union[bool, IResolvable, None]) – This flag instructs the CA to not include the security extension szOID_NTDS_CA_SECURITY_EXT (OID:1.3.6.1.4.1.311.25.2), as specified in [MS-WCCE] sections 2.2.2.7.7.4 and 3.2.2.6.2.1.4.5.9, in the issued certificate. This addresses a Windows Kerberos elevation-of-privilege vulnerability.
  - remove_invalid_certificate_from_personal_store (Union[bool, IResolvable, None]) – Delete expired or revoked certificates instead of archiving them.
  - user_interaction_required (Union[bool, IResolvable, None]) – Require user interaction when the subject is enrolled and the private key associated with the certificate is used.
Example:
```python
# The code below shows an example of how to instantiate this type.
# The values are placeholders you should change.
from aws_cdk import aws_pcaconnectorad as pcaconnectorad

enrollment_flags_v3_property = pcaconnectorad.CfnTemplate.EnrollmentFlagsV3Property(
    enable_key_reuse_on_nt_token_keyset_storage_full=False,
    include_symmetric_algorithms=False,
    no_security_extension=False,
    remove_invalid_certificate_from_personal_store=False,
    user_interaction_required=False
)
```
Attributes
- enable_key_reuse_on_nt_token_keyset_storage_full
Allow renewal using the same key.
- include_symmetric_algorithms
Include symmetric algorithms allowed by the subject.
- no_security_extension
This flag instructs the CA to not include the security extension szOID_NTDS_CA_SECURITY_EXT (OID:1.3.6.1.4.1.311.25.2), as specified in [MS-WCCE] sections 2.2.2.7.7.4 and 3.2.2.6.2.1.4.5.9, in the issued certificate. This addresses a Windows Kerberos elevation-of-privilege vulnerability.
- remove_invalid_certificate_from_personal_store
Delete expired or revoked certificates instead of archiving them.
- user_interaction_required
Require user interaction when the subject is enrolled and the private key associated with the certificate is used.
EnrollmentFlagsV4Property
- class CfnTemplate.EnrollmentFlagsV4Property(*, enable_key_reuse_on_nt_token_keyset_storage_full=None, include_symmetric_algorithms=None, no_security_extension=None, remove_invalid_certificate_from_personal_store=None, user_interaction_required=None)
Bases: object
Template configurations for v4 template schema.
- Parameters:
  - enable_key_reuse_on_nt_token_keyset_storage_full (Union[bool, IResolvable, None]) – Allow renewal using the same key.
  - include_symmetric_algorithms (Union[bool, IResolvable, None]) – Include symmetric algorithms allowed by the subject.
  - no_security_extension (Union[bool, IResolvable, None]) – This flag instructs the CA to not include the security extension szOID_NTDS_CA_SECURITY_EXT (OID:1.3.6.1.4.1.311.25.2), as specified in [MS-WCCE] sections 2.2.2.7.7.4 and 3.2.2.6.2.1.4.5.9, in the issued certificate. This addresses a Windows Kerberos elevation-of-privilege vulnerability.
  - remove_invalid_certificate_from_personal_store (Union[bool, IResolvable, None]) – Delete expired or revoked certificates instead of archiving them.
  - user_interaction_required (Union[bool, IResolvable, None]) – Require user interaction when the subject is enrolled and the private key associated with the certificate is used.
Example:
```python
# The code below shows an example of how to instantiate this type.
# The values are placeholders you should change.
from aws_cdk import aws_pcaconnectorad as pcaconnectorad

enrollment_flags_v4_property = pcaconnectorad.CfnTemplate.EnrollmentFlagsV4Property(
    enable_key_reuse_on_nt_token_keyset_storage_full=False,
    include_symmetric_algorithms=False,
    no_security_extension=False,
    remove_invalid_certificate_from_personal_store=False,
    user_interaction_required=False
)
```
Attributes
- enable_key_reuse_on_nt_token_keyset_storage_full
Allow renewal using the same key.
- include_symmetric_algorithms
Include symmetric algorithms allowed by the subject.
- no_security_extension
This flag instructs the CA to not include the security extension szOID_NTDS_CA_SECURITY_EXT (OID:1.3.6.1.4.1.311.25.2), as specified in [MS-WCCE] sections 2.2.2.7.7.4 and 3.2.2.6.2.1.4.5.9, in the issued certificate. This addresses a Windows Kerberos elevation-of-privilege vulnerability.
- remove_invalid_certificate_from_personal_store
Delete expired or revoked certificates instead of archiving them.
- user_interaction_required
Require user interaction when the subject is enrolled and the private key associated with the certificate is used.
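As an added example (not part of this reference or the aws-cdk project), the following audit reads the CloudFormation JSON that `cdk synth` produces and checks, across TemplateV2/V3/V4 definitions, the settings documented in the enrollment-flag sections above and in the definition parameter of CfnTemplate: no_security_extension, the private key flags and attributes, and the critical bit of the key usage extension. Property names are the CloudFormation PascalCase spelling of the snake_case parameters above; the 2048-bit RSA floor, the sample ARN and the enum strings in the constructed template are assumptions and placeholders.

```python
import json
from typing import Any, Dict, List

RESOURCE_TYPE = "AWS::PCAConnectorAD::Template"
SCHEMA_KEYS = ("TemplateV2", "TemplateV3", "TemplateV4")
MIN_RSA_BITS = 2048  # assumption: the key-size floor this audit enforces for RSA


def _is_true(value: Any) -> bool:
    """Booleans in synthesized JSON may be real booleans or the strings "true"/"false"."""
    return value is True or (isinstance(value, str) and value.lower() == "true")


def audit_template_properties(logical_id: str, props: Dict[str, Any]) -> List[str]:
    """Return findings for the Properties block of one AWS::PCAConnectorAD::Template."""
    findings: List[str] = []
    definition = props.get("Definition") or {}
    present = [key for key in SCHEMA_KEYS if key in definition]
    if len(present) != 1:
        findings.append(f"{logical_id}: Definition must hold exactly one of {SCHEMA_KEYS}, found {present}")
        return findings
    schema = definition[present[0]]

    # NoSecurityExtension=true tells the CA to omit szOID_NTDS_CA_SECURITY_EXT
    # (OID 1.3.6.1.4.1.311.25.2); the page notes this extension addresses a Windows
    # Kerberos elevation-of-privilege vulnerability, so its removal is a finding.
    if _is_true((schema.get("EnrollmentFlags") or {}).get("NoSecurityExtension")):
        findings.append(f"{logical_id}: EnrollmentFlags.NoSecurityExtension is true "
                        "(issued certificates will lack the SID security extension)")

    # An exportable private key can be copied out of the enrolled certificate store.
    pk_flags = schema.get("PrivateKeyFlags") or {}
    if _is_true(pk_flags.get("ExportableKey")):
        findings.append(f"{logical_id}: PrivateKeyFlags.ExportableKey is true")

    # Key-size floor. TemplateV2 has no Algorithm field, so RSA is assumed there.
    pk_attrs = schema.get("PrivateKeyAttributes") or {}
    min_len = pk_attrs.get("MinimalKeyLength")
    algorithm = pk_attrs.get("Algorithm", "RSA")
    if algorithm == "RSA" and isinstance(min_len, int) and min_len < MIN_RSA_BITS:
        findings.append(f"{logical_id}: PrivateKeyAttributes.MinimalKeyLength {min_len} is below {MIN_RSA_BITS} for RSA")

    # RFC 5280 says a CA SHOULD mark keyUsage critical; the page exposes that as KeyUsage.Critical.
    key_usage = (schema.get("Extensions") or {}).get("KeyUsage") or {}
    if not _is_true(key_usage.get("Critical")):
        findings.append(f"{logical_id}: Extensions.KeyUsage.Critical is not true")
    return findings


def audit_cloudformation_template(template: Dict[str, Any]) -> Dict[str, List[str]]:
    """Audit every AWS::PCAConnectorAD::Template resource in a synthesized template."""
    report: Dict[str, List[str]] = {}
    for logical_id, resource in (template.get("Resources") or {}).items():
        if resource.get("Type") != RESOURCE_TYPE:
            continue  # connectors and other resource types are out of scope here
        report[logical_id] = audit_template_properties(logical_id, resource.get("Properties") or {})
    return report


# Constructed sample in the shape `cdk synth` emits; ARN and enum strings are placeholders.
SAMPLE_TEMPLATE: Dict[str, Any] = {
    "Resources": {
        "Connector": {"Type": "AWS::PCAConnectorAD::Connector", "Properties": {}},
        "WeakTemplate": {
            "Type": RESOURCE_TYPE,
            "Properties": {
                "ConnectorArn": "arn:aws:pca-connector-ad:REGION:ACCOUNT:connector/PLACEHOLDER",
                "Name": "WeakUserTemplate",
                "Definition": {"TemplateV4": {
                    "EnrollmentFlags": {"NoSecurityExtension": True},
                    "PrivateKeyFlags": {"ClientVersion": "clientVersion", "ExportableKey": True},
                    "PrivateKeyAttributes": {"KeySpec": "keySpec", "Algorithm": "RSA", "MinimalKeyLength": 1024},
                    "Extensions": {"KeyUsage": {"UsageFlags": {"DigitalSignature": True}}},
                }},
            },
        },
        "HardenedTemplate": {
            "Type": RESOURCE_TYPE,
            "Properties": {
                "ConnectorArn": "arn:aws:pca-connector-ad:REGION:ACCOUNT:connector/PLACEHOLDER",
                "Name": "HardenedUserTemplate",
                "Definition": {"TemplateV4": {
                    "EnrollmentFlags": {"NoSecurityExtension": False},
                    "PrivateKeyFlags": {"ClientVersion": "clientVersion", "ExportableKey": False,
                                        "StrongKeyProtectionRequired": True},
                    "PrivateKeyAttributes": {"KeySpec": "keySpec", "Algorithm": "RSA", "MinimalKeyLength": 2048},
                    "Extensions": {"KeyUsage": {"UsageFlags": {"DigitalSignature": True}, "Critical": True}},
                }},
            },
        },
    }
}

if __name__ == "__main__":
    print(json.dumps(audit_cloudformation_template(SAMPLE_TEMPLATE), indent=2))
```

Running it against a real `cdk.out/*.template.json` is the same call with the parsed file in place of SAMPLE_TEMPLATE.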
ExtensionsV2Property
- class CfnTemplate.ExtensionsV2Property(*, key_usage, application_policies=None)
Bases:
object
Certificate extensions for v2 template schema.
- Parameters:
- key_usage (Union[IResolvable, KeyUsageProperty, Dict[str, Any]]) – The key usage extension defines the purpose (e.g., encipherment, signature, certificate signing) of the key contained in the certificate.
- application_policies (Union[IResolvable, ApplicationPoliciesProperty, Dict[str, Any], None]) – Application policies specify what the certificate is used for and its purpose.
Example:
# The code below shows an example of how to instantiate this type.
# The values are placeholders you should change.
from aws_cdk import aws_pcaconnectorad as pcaconnectorad

extensions_v2_property = pcaconnectorad.CfnTemplate.ExtensionsV2Property(
    key_usage=pcaconnectorad.CfnTemplate.KeyUsageProperty(
        usage_flags=pcaconnectorad.CfnTemplate.KeyUsageFlagsProperty(
            data_encipherment=False,
            digital_signature=False,
            key_agreement=False,
            key_encipherment=False,
            non_repudiation=False
        ),
        # the properties below are optional
        critical=False
    ),
    # the properties below are optional
    application_policies=pcaconnectorad.CfnTemplate.ApplicationPoliciesProperty(
        policies=[pcaconnectorad.CfnTemplate.ApplicationPolicyProperty(
            policy_object_identifier="policyObjectIdentifier",
            policy_type="policyType"
        )],
        # the properties below are optional
        critical=False
    )
)
Attributes
- application_policies
Application policies specify what the certificate is used for and its purpose.
- key_usage
The key usage extension defines the purpose (e.g., encipherment, signature, certificate signing) of the key contained in the certificate.
ExtensionsV3Property
- class CfnTemplate.ExtensionsV3Property(*, key_usage, application_policies=None)
Bases:
object
Certificate extensions for v3 template schema.
- Parameters:
- key_usage (Union[IResolvable, KeyUsageProperty, Dict[str, Any]]) – The key usage extension defines the purpose (e.g., encipherment, signature, certificate signing) of the key contained in the certificate.
- application_policies (Union[IResolvable, ApplicationPoliciesProperty, Dict[str, Any], None]) – Application policies specify what the certificate is used for and its purpose.
Example:
# The code below shows an example of how to instantiate this type.
# The values are placeholders you should change.
from aws_cdk import aws_pcaconnectorad as pcaconnectorad

extensions_v3_property = pcaconnectorad.CfnTemplate.ExtensionsV3Property(
    key_usage=pcaconnectorad.CfnTemplate.KeyUsageProperty(
        usage_flags=pcaconnectorad.CfnTemplate.KeyUsageFlagsProperty(
            data_encipherment=False,
            digital_signature=False,
            key_agreement=False,
            key_encipherment=False,
            non_repudiation=False
        ),
        # the properties below are optional
        critical=False
    ),
    # the properties below are optional
    application_policies=pcaconnectorad.CfnTemplate.ApplicationPoliciesProperty(
        policies=[pcaconnectorad.CfnTemplate.ApplicationPolicyProperty(
            policy_object_identifier="policyObjectIdentifier",
            policy_type="policyType"
        )],
        # the properties below are optional
        critical=False
    )
)
Attributes
- application_policies
Application policies specify what the certificate is used for and its purpose.
- key_usage
The key usage extension defines the purpose (e.g., encipherment, signature, certificate signing) of the key contained in the certificate.
ExtensionsV4Property
- class CfnTemplate.ExtensionsV4Property(*, key_usage, application_policies=None)
Bases:
object
Certificate extensions for v4 template schema.
- Parameters:
- key_usage (Union[IResolvable, KeyUsageProperty, Dict[str, Any]]) – The key usage extension defines the purpose (e.g., encipherment, signature) of the key contained in the certificate.
- application_policies (Union[IResolvable, ApplicationPoliciesProperty, Dict[str, Any], None]) – Application policies specify what the certificate is used for and its purpose.
Example:
# The code below shows an example of how to instantiate this type.
# The values are placeholders you should change.
from aws_cdk import aws_pcaconnectorad as pcaconnectorad

extensions_v4_property = pcaconnectorad.CfnTemplate.ExtensionsV4Property(
    key_usage=pcaconnectorad.CfnTemplate.KeyUsageProperty(
        usage_flags=pcaconnectorad.CfnTemplate.KeyUsageFlagsProperty(
            data_encipherment=False,
            digital_signature=False,
            key_agreement=False,
            key_encipherment=False,
            non_repudiation=False
        ),
        # the properties below are optional
        critical=False
    ),
    # the properties below are optional
    application_policies=pcaconnectorad.CfnTemplate.ApplicationPoliciesProperty(
        policies=[pcaconnectorad.CfnTemplate.ApplicationPolicyProperty(
            policy_object_identifier="policyObjectIdentifier",
            policy_type="policyType"
        )],
        # the properties below are optional
        critical=False
    )
)
Attributes
- application_policies
Application policies specify what the certificate is used for and its purpose.
- key_usage
The key usage extension defines the purpose (e.g., encipherment, signature) of the key contained in the certificate.
GeneralFlagsV2Property
- class CfnTemplate.GeneralFlagsV2Property(*, auto_enrollment=None, machine_type=None)
Bases:
object
General flags for v2 template schema that define if the template is for a machine or a user and if the template can be issued using autoenrollment.
- Parameters:
- auto_enrollment (Union[bool, IResolvable, None]) – Allows certificate issuance using autoenrollment. Set to TRUE to allow autoenrollment.
- machine_type (Union[bool, IResolvable, None]) – Defines if the template is for machines or users. Set to TRUE if the template is for machines. Set to FALSE if the template is for users.
Example:
# The code below shows an example of how to instantiate this type.
# The values are placeholders you should change.
from aws_cdk import aws_pcaconnectorad as pcaconnectorad

general_flags_v2_property = pcaconnectorad.CfnTemplate.GeneralFlagsV2Property(
    auto_enrollment=False,
    machine_type=False
)
Attributes
- auto_enrollment
Allows certificate issuance using autoenrollment.
Set to TRUE to allow autoenrollment.
- machine_type
Defines if the template is for machines or users.
Set to TRUE if the template is for machines. Set to FALSE if the template is for users.
GeneralFlagsV3Property
- class CfnTemplate.GeneralFlagsV3Property(*, auto_enrollment=None, machine_type=None)
Bases:
object
General flags for v3 template schema that define if the template is for a machine or a user and if the template can be issued using autoenrollment.
- Parameters:
- auto_enrollment (Union[bool, IResolvable, None]) – Allows certificate issuance using autoenrollment. Set to TRUE to allow autoenrollment.
- machine_type (Union[bool, IResolvable, None]) – Defines if the template is for machines or users. Set to TRUE if the template is for machines. Set to FALSE if the template is for users.
Example:
# The code below shows an example of how to instantiate this type.
# The values are placeholders you should change.
from aws_cdk import aws_pcaconnectorad as pcaconnectorad

general_flags_v3_property = pcaconnectorad.CfnTemplate.GeneralFlagsV3Property(
    auto_enrollment=False,
    machine_type=False
)
Attributes
- auto_enrollment
Allows certificate issuance using autoenrollment.
Set to TRUE to allow autoenrollment.
- machine_type
Defines if the template is for machines or users.
Set to TRUE if the template is for machines. Set to FALSE if the template is for users.
GeneralFlagsV4Property
- class CfnTemplate.GeneralFlagsV4Property(*, auto_enrollment=None, machine_type=None)
Bases:
object
General flags for v4 template schema that define if the template is for a machine or a user and if the template can be issued using autoenrollment.
- Parameters:
- auto_enrollment (Union[bool, IResolvable, None]) – Allows certificate issuance using autoenrollment. Set to TRUE to allow autoenrollment.
- machine_type (Union[bool, IResolvable, None]) – Defines if the template is for machines or users. Set to TRUE if the template is for machines. Set to FALSE if the template is for users.
Example:
# The code below shows an example of how to instantiate this type.
# The values are placeholders you should change.
from aws_cdk import aws_pcaconnectorad as pcaconnectorad

general_flags_v4_property = pcaconnectorad.CfnTemplate.GeneralFlagsV4Property(
    auto_enrollment=False,
    machine_type=False
)
Attributes
- auto_enrollment
Allows certificate issuance using autoenrollment.
Set to TRUE to allow autoenrollment.
- machine_type
Defines if the template is for machines or users.
Set to TRUE if the template is for machines. Set to FALSE if the template is for users.
KeyUsageFlagsProperty
- class CfnTemplate.KeyUsageFlagsProperty(*, data_encipherment=None, digital_signature=None, key_agreement=None, key_encipherment=None, non_repudiation=None)
Bases:
object
The key usage flags represent the purpose (e.g., encipherment, signature) of the key contained in the certificate.
- Parameters:
- data_encipherment (Union[bool, IResolvable, None]) – DataEncipherment is asserted when the subject public key is used for directly enciphering raw user data without the use of an intermediate symmetric cipher.
- digital_signature (Union[bool, IResolvable, None]) – The digitalSignature is asserted when the subject public key is used for verifying digital signatures.
- key_agreement (Union[bool, IResolvable, None]) – KeyAgreement is asserted when the subject public key is used for key agreement.
- key_encipherment (Union[bool, IResolvable, None]) – KeyEncipherment is asserted when the subject public key is used for enciphering private or secret keys, i.e., for key transport.
- non_repudiation (Union[bool, IResolvable, None]) – NonRepudiation is asserted when the subject public key is used to verify digital signatures.
Example:
# The code below shows an example of how to instantiate this type.
# The values are placeholders you should change.
from aws_cdk import aws_pcaconnectorad as pcaconnectorad

key_usage_flags_property = pcaconnectorad.CfnTemplate.KeyUsageFlagsProperty(
    data_encipherment=False,
    digital_signature=False,
    key_agreement=False,
    key_encipherment=False,
    non_repudiation=False
)
Attributes
- data_encipherment
DataEncipherment is asserted when the subject public key is used for directly enciphering raw user data without the use of an intermediate symmetric cipher.
- digital_signature
The digitalSignature is asserted when the subject public key is used for verifying digital signatures.
- key_agreement
KeyAgreement is asserted when the subject public key is used for key agreement.
- key_encipherment
KeyEncipherment is asserted when the subject public key is used for enciphering private or secret keys, i.e., for key transport.
- non_repudiation
NonRepudiation is asserted when the subject public key is used to verify digital signatures.
KeyUsageProperty
- class CfnTemplate.KeyUsageProperty(*, usage_flags, critical=None)
Bases:
object
The key usage extension defines the purpose (e.g., encipherment, signature) of the key contained in the certificate.
- Parameters:
- usage_flags (Union[IResolvable, KeyUsageFlagsProperty, Dict[str, Any]]) – The key usage flags represent the purpose (e.g., encipherment, signature) of the key contained in the certificate.
- critical (Union[bool, IResolvable, None]) – Sets the key usage extension to critical.
Example:
# The code below shows an example of how to instantiate this type.
# The values are placeholders you should change.
from aws_cdk import aws_pcaconnectorad as pcaconnectorad

key_usage_property = pcaconnectorad.CfnTemplate.KeyUsageProperty(
    usage_flags=pcaconnectorad.CfnTemplate.KeyUsageFlagsProperty(
        data_encipherment=False,
        digital_signature=False,
        key_agreement=False,
        key_encipherment=False,
        non_repudiation=False
    ),
    # the properties below are optional
    critical=False
)
Attributes
- critical
Sets the key usage extension to critical.
- usage_flags
The key usage flags represent the purpose (e.g., encipherment, signature) of the key contained in the certificate.
KeyUsagePropertyFlagsProperty
- class CfnTemplate.KeyUsagePropertyFlagsProperty(*, decrypt=None, key_agreement=None, sign=None)
Bases:
object
Specifies key usage.
- Parameters:
- decrypt (Union[bool, IResolvable, None]) – Allows key for encryption and decryption.
- key_agreement (Union[bool, IResolvable, None]) – Allows key exchange without encryption.
- sign (Union[bool, IResolvable, None]) – Allows key use for digital signature.
Example:
# The code below shows an example of how to instantiate this type.
# The values are placeholders you should change.
from aws_cdk import aws_pcaconnectorad as pcaconnectorad

key_usage_property_flags_property = pcaconnectorad.CfnTemplate.KeyUsagePropertyFlagsProperty(
    decrypt=False,
    key_agreement=False,
    sign=False
)
Attributes
- decrypt
Allows key for encryption and decryption.
- key_agreement
Allows key exchange without encryption.
- sign
Allows key use for digital signature.
KeyUsagePropertyProperty
- class CfnTemplate.KeyUsagePropertyProperty(*, property_flags=None, property_type=None)
Bases:
object
The key usage property defines the purpose of the private key contained in the certificate.
You can specify specific purposes using property flags or all by using property type ALL.
- Parameters:
- property_flags (Union[IResolvable, KeyUsagePropertyFlagsProperty, Dict[str, Any], None]) – You can specify key usage for encryption, key agreement, and signature. You can use property flags or property type but not both.
- property_type (Optional[str]) – You can specify all key usages using property type ALL. You can use property type or property flags but not both.
Example:
# The code below shows an example of how to instantiate this type.
# The values are placeholders you should change.
# Note: property_flags and property_type are mutually exclusive; set only one of them.
from aws_cdk import aws_pcaconnectorad as pcaconnectorad

key_usage_property_property = pcaconnectorad.CfnTemplate.KeyUsagePropertyProperty(
    property_flags=pcaconnectorad.CfnTemplate.KeyUsagePropertyFlagsProperty(
        decrypt=False,
        key_agreement=False,
        sign=False
    ),
    property_type="propertyType"
)
Attributes
- property_flags
You can specify key usage for encryption, key agreement, and signature.
You can use property flags or property type but not both.
- property_type
You can specify all key usages using property type ALL.
You can use property type or property flags but not both.
PrivateKeyAttributesV2Property
- class CfnTemplate.PrivateKeyAttributesV2Property(*, key_spec, minimal_key_length, crypto_providers=None)
Bases:
object
Defines the attributes of the private key.
- Parameters:
- key_spec (str) – Defines the purpose of the private key. Set it to “KEY_EXCHANGE” or “SIGNATURE”.
- minimal_key_length (Union[int, float]) – Set the minimum key length of the private key.
- crypto_providers (Optional[Sequence[str]]) – Defines the cryptographic providers used to generate the private key.
Example:
# The code below shows an example of how to instantiate this type.
# The values are placeholders you should change.
from aws_cdk import aws_pcaconnectorad as pcaconnectorad

private_key_attributes_v2_property = pcaconnectorad.CfnTemplate.PrivateKeyAttributesV2Property(
    key_spec="keySpec",
    minimal_key_length=123,
    # the properties below are optional
    crypto_providers=["cryptoProviders"]
)
Attributes
- crypto_providers
Defines the cryptographic providers used to generate the private key.
- key_spec
Defines the purpose of the private key.
Set it to “KEY_EXCHANGE” or “SIGNATURE”.
- minimal_key_length
Set the minimum key length of the private key.
PrivateKeyAttributesV3Property
- class CfnTemplate.PrivateKeyAttributesV3Property(*, algorithm, key_spec, key_usage_property, minimal_key_length, crypto_providers=None)
Bases:
object
Defines the attributes of the private key.
- Parameters:
- algorithm (str) – Defines the algorithm used to generate the private key.
- key_spec (str) – Defines the purpose of the private key. Set it to “KEY_EXCHANGE” or “SIGNATURE”.
- key_usage_property (Union[IResolvable, KeyUsagePropertyProperty, Dict[str, Any]]) – The key usage property defines the purpose of the private key contained in the certificate. You can specify specific purposes using property flags or all by using property type ALL.
- minimal_key_length (Union[int, float]) – Set the minimum key length of the private key.
- crypto_providers (Optional[Sequence[str]]) – Defines the cryptographic providers used to generate the private key.
Example:
# The code below shows an example of how to instantiate this type.
# The values are placeholders you should change.
from aws_cdk import aws_pcaconnectorad as pcaconnectorad

private_key_attributes_v3_property = pcaconnectorad.CfnTemplate.PrivateKeyAttributesV3Property(
    algorithm="algorithm",
    key_spec="keySpec",
    key_usage_property=pcaconnectorad.CfnTemplate.KeyUsagePropertyProperty(
        # property_flags and property_type are mutually exclusive; set only one of them
        property_flags=pcaconnectorad.CfnTemplate.KeyUsagePropertyFlagsProperty(
            decrypt=False,
            key_agreement=False,
            sign=False
        ),
        property_type="propertyType"
    ),
    minimal_key_length=123,
    # the properties below are optional
    crypto_providers=["cryptoProviders"]
)
Attributes
- algorithm
Defines the algorithm used to generate the private key.
- crypto_providers
Defines the cryptographic providers used to generate the private key.
- key_spec
Defines the purpose of the private key.
Set it to “KEY_EXCHANGE” or “SIGNATURE”.
- key_usage_property
The key usage property defines the purpose of the private key contained in the certificate.
You can specify specific purposes using property flags or all by using property type ALL.
- minimal_key_length
Set the minimum key length of the private key.
PrivateKeyAttributesV4Property
- class CfnTemplate.PrivateKeyAttributesV4Property(*, key_spec, minimal_key_length, algorithm=None, crypto_providers=None, key_usage_property=None)
Bases:
object
Defines the attributes of the private key.
- Parameters:
- key_spec (str) – Defines the purpose of the private key. Set it to “KEY_EXCHANGE” or “SIGNATURE”.
- minimal_key_length (Union[int, float]) – Set the minimum key length of the private key.
- algorithm (Optional[str]) – Defines the algorithm used to generate the private key.
- crypto_providers (Optional[Sequence[str]]) – Defines the cryptographic providers used to generate the private key.
- key_usage_property (Union[IResolvable, KeyUsagePropertyProperty, Dict[str, Any], None]) – The key usage property defines the purpose of the private key contained in the certificate. You can specify specific purposes using property flags or all by using property type ALL.
Example:
# The code below shows an example of how to instantiate this type.
# The values are placeholders you should change.
from aws_cdk import aws_pcaconnectorad as pcaconnectorad

private_key_attributes_v4_property = pcaconnectorad.CfnTemplate.PrivateKeyAttributesV4Property(
    key_spec="keySpec",
    minimal_key_length=123,
    # the properties below are optional
    algorithm="algorithm",
    crypto_providers=["cryptoProviders"],
    key_usage_property=pcaconnectorad.CfnTemplate.KeyUsagePropertyProperty(
        # property_flags and property_type are mutually exclusive; set only one of them
        property_flags=pcaconnectorad.CfnTemplate.KeyUsagePropertyFlagsProperty(
            decrypt=False,
            key_agreement=False,
            sign=False
        ),
        property_type="propertyType"
    )
)
Attributes
- algorithm
Defines the algorithm used to generate the private key.
- crypto_providers
Defines the cryptographic providers used to generate the private key.
- key_spec
Defines the purpose of the private key.
Set it to “KEY_EXCHANGE” or “SIGNATURE”.
- key_usage_property
The key usage property defines the purpose of the private key contained in the certificate.
You can specify specific purposes using property flags or all by using property type ALL.
- minimal_key_length
Set the minimum key length of the private key.
PrivateKeyFlagsV2Property
- class CfnTemplate.PrivateKeyFlagsV2Property(*, client_version, exportable_key=None, strong_key_protection_required=None)
Bases:
object
Private key flags for v2 templates specify the client compatibility, if the private key can be exported, and if user input is required when using a private key.
- Parameters:
- client_version (str) – Defines the minimum client compatibility.
- exportable_key (Union[bool, IResolvable, None]) – Allows the private key to be exported.
- strong_key_protection_required (Union[bool, IResolvable, None]) – Require user input when using the private key for enrollment.
Example:
# The code below shows an example of how to instantiate this type.
# The values are placeholders you should change.
from aws_cdk import aws_pcaconnectorad as pcaconnectorad

private_key_flags_v2_property = pcaconnectorad.CfnTemplate.PrivateKeyFlagsV2Property(
    client_version="clientVersion",
    # the properties below are optional
    exportable_key=False,
    strong_key_protection_required=False
)
Attributes
- client_version
Defines the minimum client compatibility.
- exportable_key
Allows the private key to be exported.
- strong_key_protection_required
Require user input when using the private key for enrollment.
PrivateKeyFlagsV3Property
- class CfnTemplate.PrivateKeyFlagsV3Property(*, client_version, exportable_key=None, require_alternate_signature_algorithm=None, strong_key_protection_required=None)
Bases:
object
Private key flags for v3 templates specify the client compatibility, if the private key can be exported, if user input is required when using a private key, and if an alternate signature algorithm should be used.
- Parameters:
- client_version (str) – Defines the minimum client compatibility.
- exportable_key (Union[bool, IResolvable, None]) – Allows the private key to be exported.
- require_alternate_signature_algorithm (Union[bool, IResolvable, None]) – Requires the PKCS #1 v2.1 signature format for certificates. You should verify that your CA, objects, and applications can accept this signature format.
- strong_key_protection_required (Union[bool, IResolvable, None]) – Require user input when using the private key for enrollment.
Example:
# The code below shows an example of how to instantiate this type.
# The values are placeholders you should change.
from aws_cdk import aws_pcaconnectorad as pcaconnectorad

private_key_flags_v3_property = pcaconnectorad.CfnTemplate.PrivateKeyFlagsV3Property(
    client_version="clientVersion",
    # the properties below are optional
    exportable_key=False,
    require_alternate_signature_algorithm=False,
    strong_key_protection_required=False
)
Attributes
- client_version
Defines the minimum client compatibility.
- exportable_key
Allows the private key to be exported.
- require_alternate_signature_algorithm
Requires the PKCS #1 v2.1 signature format for certificates. You should verify that your CA, objects, and applications can accept this signature format.
- strong_key_protection_required
Require user input when using the private key for enrollment.
PrivateKeyFlagsV4Property
- class CfnTemplate.PrivateKeyFlagsV4Property(*, client_version, exportable_key=None, require_alternate_signature_algorithm=None, require_same_key_renewal=None, strong_key_protection_required=None, use_legacy_provider=None)
Bases:
object
Private key flags for v4 templates specify the client compatibility, if the private key can be exported, if user input is required when using a private key, if an alternate signature algorithm should be used, and if certificates are renewed using the same private key.
- Parameters:
- client_version (str) – Defines the minimum client compatibility.
- exportable_key (Union[bool, IResolvable, None]) – Allows the private key to be exported.
- require_alternate_signature_algorithm (Union[bool, IResolvable, None]) – Requires the PKCS #1 v2.1 signature format for certificates. You should verify that your CA, objects, and applications can accept this signature format.
- require_same_key_renewal (Union[bool, IResolvable, None]) – Renew certificate using the same private key.
- strong_key_protection_required (Union[bool, IResolvable, None]) – Require user input when using the private key for enrollment.
- use_legacy_provider (Union[bool, IResolvable, None]) – Specifies the cryptographic service provider category used to generate private keys. Set to TRUE to use Legacy Cryptographic Service Providers and FALSE to use Key Storage Providers.
Example:
# The code below shows an example of how to instantiate this type.
# The values are placeholders you should change.
from aws_cdk import aws_pcaconnectorad as pcaconnectorad

private_key_flags_v4_property = pcaconnectorad.CfnTemplate.PrivateKeyFlagsV4Property(
    client_version="clientVersion",
    # the properties below are optional
    exportable_key=False,
    require_alternate_signature_algorithm=False,
    require_same_key_renewal=False,
    strong_key_protection_required=False,
    use_legacy_provider=False
)
Attributes
- client_version
Defines the minimum client compatibility.
- exportable_key
Allows the private key to be exported.
- require_alternate_signature_algorithm
Requires the PKCS #1 v2.1 signature format for certificates. You should verify that your CA, objects, and applications can accept this signature format.
- require_same_key_renewal
Renew certificate using the same private key.
- strong_key_protection_required
Require user input when using the private key for enrollment.
- use_legacy_provider
Specifies the cryptographic service provider category used to generate private keys.
Set to TRUE to use Legacy Cryptographic Service Providers and FALSE to use Key Storage Providers.
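The enrollment flags (no_security_extension above) and the private key flags and attributes on this page are the settings a reviewer checks before a template goes live. The following is an added example, not code from the aws_cdk docs or the project: a plain-Python review that reads the same keyword names as dict keys and reports settings that weaken the issued certificates. The 2048-bit floor, the "clientVersion" placeholder (copied from the docs examples) and the sample definitions are this example's own assumptions; nothing here imports aws_cdk.

```python
# Added example (not aws_cdk code): review EnrollmentFlags*, PrivateKeyFlags*
# and PrivateKeyAttributes* settings before a CfnTemplate is deployed.
# Dict keys mirror the CDK keyword-argument names documented on this page.
from typing import Any, Dict, List

MIN_KEY_BITS = 2048  # assumed review floor, not a value the docs state


def review_enrollment_flags(flags: Dict[str, Any]) -> List[str]:
    """Findings for EnrollmentFlagsV2..V4-shaped settings."""
    findings: List[str] = []
    if flags.get("no_security_extension"):
        # The docs tie szOID_NTDS_CA_SECURITY_EXT to the Kerberos
        # elevation-of-privilege fix; omitting it is worth a finding.
        findings.append(
            "no_security_extension=True omits szOID_NTDS_CA_SECURITY_EXT, "
            "the extension the docs tie to the Kerberos elevation-of-privilege fix"
        )
    if flags.get("enable_key_reuse_on_nt_token_keyset_storage_full"):
        findings.append("key reuse on renewal is enabled; renewed certificates keep the old key")
    return findings


def review_private_key(flags: Dict[str, Any], attrs: Dict[str, Any]) -> List[str]:
    """Findings for PrivateKeyFlags* and PrivateKeyAttributes*-shaped settings."""
    findings: List[str] = []
    if flags.get("exportable_key"):
        findings.append("exportable_key=True allows the private key to be exported")
    if not flags.get("strong_key_protection_required"):
        findings.append("strong_key_protection_required is off; no user input is required to use the key")
    if flags.get("use_legacy_provider"):
        findings.append("use_legacy_provider=True selects legacy CSPs instead of Key Storage Providers")
    key_spec = attrs.get("key_spec")
    if key_spec not in ("KEY_EXCHANGE", "SIGNATURE"):  # the two values the docs allow
        findings.append(f"key_spec must be KEY_EXCHANGE or SIGNATURE, got {key_spec!r}")
    key_bits = int(attrs.get("minimal_key_length", 0))
    if key_bits < MIN_KEY_BITS:
        findings.append(f"minimal_key_length {key_bits} is below the {MIN_KEY_BITS}-bit floor")
    return findings


def review_template(definition: Dict[str, Any]) -> List[str]:
    """Run both reviews over a template definition dict (v4-style key names)."""
    return review_enrollment_flags(definition.get("enrollment_flags", {})) + review_private_key(
        definition.get("private_key_flags", {}),
        definition.get("private_key_attributes", {}),
    )


# Constructed samples: a weak definition beside a hardened one.
WEAK = {
    "enrollment_flags": {
        "no_security_extension": True,
        "enable_key_reuse_on_nt_token_keyset_storage_full": True,
    },
    "private_key_flags": {
        "client_version": "clientVersion",  # placeholder, as in the docs examples
        "exportable_key": True,
        "use_legacy_provider": True,
    },
    "private_key_attributes": {"key_spec": "KEY_EXCHANGE", "minimal_key_length": 1024},
}
HARDENED = {
    "enrollment_flags": {"no_security_extension": False},
    "private_key_flags": {
        "client_version": "clientVersion",  # placeholder, as in the docs examples
        "exportable_key": False,
        "strong_key_protection_required": True,
    },
    "private_key_attributes": {"key_spec": "SIGNATURE", "minimal_key_length": 2048},
}

if __name__ == "__main__":
    for name, definition in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, review_template(definition))
```

Run it as a pre-deploy gate over the dict you are about to hand to CfnTemplate; the hardened sample yields no findings, the weak one lists every flag that needs a decision.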
SubjectNameFlagsV2Property
- class CfnTemplate.SubjectNameFlagsV2Property(*, require_common_name=None, require_directory_path=None, require_dns_as_cn=None, require_email=None, san_require_directory_guid=None, san_require_dns=None, san_require_domain_dns=None, san_require_email=None, san_require_spn=None, san_require_upn=None)
Bases:
object
Information to include in the subject name and alternate subject name of the certificate.
The subject name can be common name, directory path, DNS as common name, or left blank. You can optionally include email in the subject name for user templates. If you leave the subject name blank, then you must set a subject alternate name. The subject alternate name (SAN) can include globally unique identifier (GUID), DNS, domain DNS, email, service principal name (SPN), and user principal name (UPN). You can leave the SAN blank. If you leave the SAN blank, then you must set a subject name.
- Parameters:
- require_common_name (Union[bool, IResolvable, None]) – Include the common name in the subject name.
- require_directory_path (Union[bool, IResolvable, None]) – Include the directory path in the subject name.
- require_dns_as_cn (Union[bool, IResolvable, None]) – Include the DNS as common name in the subject name.
- require_email (Union[bool, IResolvable, None]) – Include the subject’s email in the subject name.
- san_require_directory_guid (Union[bool, IResolvable, None]) – Include the globally unique identifier (GUID) in the subject alternate name.
- san_require_dns (Union[bool, IResolvable, None]) – Include the DNS in the subject alternate name.
- san_require_domain_dns (Union[bool, IResolvable, None]) – Include the domain DNS in the subject alternate name.
- san_require_email (Union[bool, IResolvable, None]) – Include the subject’s email in the subject alternate name.
- san_require_spn (Union[bool, IResolvable, None]) – Include the service principal name (SPN) in the subject alternate name.
- san_require_upn (Union[bool, IResolvable, None]) – Include the user principal name (UPN) in the subject alternate name.
Example:
# The code below shows an example of how to instantiate this type.
# The values are placeholders you should change.
from aws_cdk import aws_pcaconnectorad as pcaconnectorad

subject_name_flags_v2_property = pcaconnectorad.CfnTemplate.SubjectNameFlagsV2Property(
    require_common_name=False,
    require_directory_path=False,
    require_dns_as_cn=False,
    require_email=False,
    san_require_directory_guid=False,
    san_require_dns=False,
    san_require_domain_dns=False,
    san_require_email=False,
    san_require_spn=False,
    san_require_upn=False
)
Attributes
- require_common_name
Include the common name in the subject name.
- require_directory_path
Include the directory path in the subject name.
- require_dns_as_cn
Include the DNS as common name in the subject name.
- require_email
Include the subject’s email in the subject name.
- san_require_directory_guid
Include the globally unique identifier (GUID) in the subject alternate name.
- san_require_dns
Include the DNS in the subject alternate name.
- san_require_domain_dns
Include the domain DNS in the subject alternate name.
- san_require_email
Include the subject’s email in the subject alternate name.
- san_require_spn
Include the service principal name (SPN) in the subject alternate name.
- san_require_upn
Include the user principal name (UPN) in the subject alternate name.
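Two of the property descriptions on this page state an either/or rule that CloudFormation does not express in the type signature: KeyUsagePropertyProperty takes property_flags or property_type ALL but not both, and SubjectNameFlags needs a subject name or a SAN (a blank subject name requires a SAN, and a blank SAN requires a subject name). The following is an added example, not code from the aws_cdk docs or the project: plain-Python checks for both rules, using the keyword names from this page as dict keys. The machine_type argument, the treatment of require_email as a user-template option, and the sample inputs are this example's own assumptions; nothing here imports aws_cdk.

```python
# Added example (not aws_cdk code): validate the either/or rules stated for
# KeyUsagePropertyProperty and SubjectNameFlags* before building a template.
from typing import Any, Dict, List

SUBJECT_NAME_FLAGS = (
    "require_common_name",
    "require_directory_path",
    "require_dns_as_cn",
    "require_email",
)
SAN_FLAGS = (
    "san_require_directory_guid",
    "san_require_dns",
    "san_require_domain_dns",
    "san_require_email",
    "san_require_spn",
    "san_require_upn",
)
PROPERTY_FLAG_KEYS = ("decrypt", "key_agreement", "sign")


def check_key_usage_property(prop: Dict[str, Any]) -> List[str]:
    """Return rule violations for a KeyUsagePropertyProperty-shaped dict."""
    problems: List[str] = []
    flags = prop.get("property_flags")
    ptype = prop.get("property_type")
    if flags is not None and ptype is not None:
        problems.append("property_flags and property_type are mutually exclusive")
    if flags is None and ptype is None:
        problems.append("set property_flags or property_type")
    if ptype is not None and ptype != "ALL":
        # ALL is the only property_type value the docs describe
        problems.append(f"property_type must be ALL, got {ptype!r}")
    if flags is not None and not any(flags.get(k) for k in PROPERTY_FLAG_KEYS):
        problems.append("property_flags enables no usage (decrypt, key_agreement or sign)")
    return problems


def check_subject_name_flags(flags: Dict[str, Any], machine_type: bool = False) -> List[str]:
    """Return rule violations for a SubjectNameFlags*-shaped dict.

    machine_type is the GeneralFlags* value of the same template. The docs
    describe the subject-name email option for user templates, so this example
    reports require_email on a machine template (an assumption of this example).
    """
    problems: List[str] = []
    unknown = sorted(set(flags) - set(SUBJECT_NAME_FLAGS) - set(SAN_FLAGS))
    if unknown:
        problems.append(f"unknown flags: {unknown}")
    has_subject = any(flags.get(k) for k in SUBJECT_NAME_FLAGS)
    has_san = any(flags.get(k) for k in SAN_FLAGS)
    if not has_subject and not has_san:
        problems.append("subject name and SAN are both blank; at least one must be set")
    if flags.get("require_email") and machine_type:
        problems.append("require_email is a user-template option but machine_type is True")
    return problems


if __name__ == "__main__":
    # Constructed inputs: a valid pair, then one input per rule that breaks it.
    print(check_key_usage_property({"property_type": "ALL"}))
    print(check_subject_name_flags({"san_require_upn": True}))
    print(check_key_usage_property({"property_flags": {"sign": False}, "property_type": "ALL"}))
    print(check_subject_name_flags({}, machine_type=True))
```

Both functions return an empty list for a definition that satisfies the rules, so they slot into a unit test or a synth-time assertion in front of the CfnTemplate construction.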
SubjectNameFlagsV3Property
- class CfnTemplate.SubjectNameFlagsV3Property(*, require_common_name=None, require_directory_path=None, require_dns_as_cn=None, require_email=None, san_require_directory_guid=None, san_require_dns=None, san_require_domain_dns=None, san_require_email=None, san_require_spn=None, san_require_upn=None)
Bases:
object
Information to include in the subject name and alternate subject name of the certificate.
The subject name can be common name, directory path, DNS as common name, or left blank. You can optionally include email in the subject name for user templates. If you leave the subject name blank, then you must set a subject alternate name. The subject alternate name (SAN) can include globally unique identifier (GUID), DNS, domain DNS, email, service principal name (SPN), and user principal name (UPN). You can leave the SAN blank. If you leave the SAN blank, then you must set a subject name.
- Parameters:
- require_common_name (Union[bool, IResolvable, None]) – Include the common name in the subject name.
- require_directory_path (Union[bool, IResolvable, None]) – Include the directory path in the subject name.
- require_dns_as_cn (Union[bool, IResolvable, None]) – Include the DNS as common name in the subject name.
- require_email (Union[bool, IResolvable, None]) – Include the subject’s email in the subject name.
- san_require_directory_guid (Union[bool, IResolvable, None]) – Include the globally unique identifier (GUID) in the subject alternate name.
- san_require_dns (Union[bool, IResolvable, None]) – Include the DNS in the subject alternate name.
- san_require_domain_dns (Union[bool, IResolvable, None]) – Include the domain DNS in the subject alternate name.
- san_require_email (Union[bool, IResolvable, None]) – Include the subject’s email in the subject alternate name.
- san_require_spn (Union[bool, IResolvable, None]) – Include the service principal name (SPN) in the subject alternate name.
- san_require_upn (Union[bool, IResolvable, None]) – Include the user principal name (UPN) in the subject alternate name.
Example:
# The code below shows an example of how to instantiate this type.
# The values are placeholders you should change.
from aws_cdk import aws_pcaconnectorad as pcaconnectorad

subject_name_flags_v3_property = pcaconnectorad.CfnTemplate.SubjectNameFlagsV3Property(
    require_common_name=False,
    require_directory_path=False,
    require_dns_as_cn=False,
    require_email=False,
    san_require_directory_guid=False,
    san_require_dns=False,
    san_require_domain_dns=False,
    san_require_email=False,
    san_require_spn=False,
    san_require_upn=False
)
Attributes
- require_common_name
Include the common name in the subject name.
- require_directory_path
Include the directory path in the subject name.
- require_dns_as_cn
Include the DNS name as the common name in the subject name.
- require_email
Include the subject’s email address in the subject name.
- san_require_directory_guid
Include the directory globally unique identifier (GUID) in the subject alternate name.
- san_require_dns
Include the DNS name in the subject alternate name.
- san_require_domain_dns
Include the domain DNS name in the subject alternate name.
- san_require_email
Include the subject’s email address in the subject alternate name.
- san_require_spn
Include the service principal name (SPN) in the subject alternate name.
- san_require_upn
Include the user principal name (UPN) in the subject alternate name.
SubjectNameFlagsV4Property
- class CfnTemplate.SubjectNameFlagsV4Property(*, require_common_name=None, require_directory_path=None, require_dns_as_cn=None, require_email=None, san_require_directory_guid=None, san_require_dns=None, san_require_domain_dns=None, san_require_email=None, san_require_spn=None, san_require_upn=None)
Bases:
object
Information to include in the subject name and alternate subject name of the certificate.
The subject name can be built from the common name, the directory path, or the DNS name used as common name, or it can be left blank; for user templates you can additionally include the email address. If the subject name is blank, at least one subject alternate name (SAN) component must be set. The SAN can carry the directory globally unique identifier (GUID), the DNS name, the domain DNS name, the email address, the service principal name (SPN), and the user principal name (UPN). The SAN can also be left blank, in which case a subject name must be set. Each flag here names a value the CA takes from the requester’s Active Directory object rather than from names supplied in the certificate request.
- Parameters:
- require_common_name (Union[bool, IResolvable, None]) – Include the common name in the subject name.
- require_directory_path (Union[bool, IResolvable, None]) – Include the directory path in the subject name.
- require_dns_as_cn (Union[bool, IResolvable, None]) – Include the DNS name as the common name in the subject name.
- require_email (Union[bool, IResolvable, None]) – Include the subject’s email address in the subject name.
- san_require_directory_guid (Union[bool, IResolvable, None]) – Include the directory globally unique identifier (GUID) in the subject alternate name.
- san_require_dns (Union[bool, IResolvable, None]) – Include the DNS name in the subject alternate name.
- san_require_domain_dns (Union[bool, IResolvable, None]) – Include the domain DNS name in the subject alternate name.
- san_require_email (Union[bool, IResolvable, None]) – Include the subject’s email address in the subject alternate name.
- san_require_spn (Union[bool, IResolvable, None]) – Include the service principal name (SPN) in the subject alternate name.
- san_require_upn (Union[bool, IResolvable, None]) – Include the user principal name (UPN) in the subject alternate name.
Example:
# The code below shows an example of how to instantiate this type.
# The values are placeholders you should change.
from aws_cdk import aws_pcaconnectorad as pcaconnectorad

subject_name_flags_v4_property = pcaconnectorad.CfnTemplate.SubjectNameFlagsV4Property(
    require_common_name=False,
    require_directory_path=False,
    require_dns_as_cn=False,
    require_email=False,
    san_require_directory_guid=False,
    san_require_dns=False,
    san_require_domain_dns=False,
    san_require_email=False,
    san_require_spn=False,
    san_require_upn=False
)
Attributes
- require_common_name
Include the common name in the subject name.
- require_directory_path
Include the directory path in the subject name.
- require_dns_as_cn
Include the DNS name as the common name in the subject name.
- require_email
Include the subject’s email address in the subject name.
- san_require_directory_guid
Include the directory globally unique identifier (GUID) in the subject alternate name.
- san_require_dns
Include the DNS name in the subject alternate name.
- san_require_domain_dns
Include the domain DNS name in the subject alternate name.
- san_require_email
Include the subject’s email address in the subject alternate name.
- san_require_spn
Include the service principal name (SPN) in the subject alternate name.
- san_require_upn
Include the user principal name (UPN) in the subject alternate name.
TemplateDefinitionProperty
- class CfnTemplate.TemplateDefinitionProperty(*, template_v2=None, template_v3=None, template_v4=None)
Bases:
object
Template configuration to define the information included in certificates.
Define certificate validity and renewal periods, certificate request handling and enrollment options, key usage extensions, application policies, and cryptography settings.
- Parameters:
- template_v2 (Union[IResolvable, TemplateV2Property, Dict[str, Any], None]) – v2 template schema, which uses Legacy Cryptographic Providers. Defines certificate validity and renewal periods, request handling and enrollment options, key usage extensions, application policies, and cryptography settings.
- template_v3 (Union[IResolvable, TemplateV3Property, Dict[str, Any], None]) – v3 template schema, which uses Key Storage Providers. Same groups of settings as v2, plus a hash algorithm.
- template_v4 (Union[IResolvable, TemplateV4Property, Dict[str, Any], None]) – v4 template schema, which can use either Legacy Cryptographic Providers or Key Storage Providers; the provider category is selected in the private key flags.
Set exactly one of template_v2, template_v3 and template_v4 for a given template.
Example:
# The code below shows an example of how to instantiate this type.
# The values are placeholders you should change.
from aws_cdk import aws_pcaconnectorad as pcaconnectorad

template_definition_property = pcaconnectorad.CfnTemplate.TemplateDefinitionProperty(
    template_v2=pcaconnectorad.CfnTemplate.TemplateV2Property(
        certificate_validity=pcaconnectorad.CfnTemplate.CertificateValidityProperty(
            renewal_period=pcaconnectorad.CfnTemplate.ValidityPeriodProperty(
                period=123,
                period_type="periodType"
            ),
            validity_period=pcaconnectorad.CfnTemplate.ValidityPeriodProperty(
                period=123,
                period_type="periodType"
            )
        ),
        enrollment_flags=pcaconnectorad.CfnTemplate.EnrollmentFlagsV2Property(
            enable_key_reuse_on_nt_token_keyset_storage_full=False,
            include_symmetric_algorithms=False,
            no_security_extension=False,
            remove_invalid_certificate_from_personal_store=False,
            user_interaction_required=False
        ),
        extensions=pcaconnectorad.CfnTemplate.ExtensionsV2Property(
            key_usage=pcaconnectorad.CfnTemplate.KeyUsageProperty(
                usage_flags=pcaconnectorad.CfnTemplate.KeyUsageFlagsProperty(
                    data_encipherment=False,
                    digital_signature=False,
                    key_agreement=False,
                    key_encipherment=False,
                    non_repudiation=False
                ),
                # the properties below are optional
                critical=False
            ),
            # the properties below are optional
            application_policies=pcaconnectorad.CfnTemplate.ApplicationPoliciesProperty(
                policies=[pcaconnectorad.CfnTemplate.ApplicationPolicyProperty(
                    policy_object_identifier="policyObjectIdentifier",
                    policy_type="policyType"
                )],
                # the properties below are optional
                critical=False
            )
        ),
        general_flags=pcaconnectorad.CfnTemplate.GeneralFlagsV2Property(
            auto_enrollment=False,
            machine_type=False
        ),
        private_key_attributes=pcaconnectorad.CfnTemplate.PrivateKeyAttributesV2Property(
            key_spec="keySpec",
            minimal_key_length=123,
            # the properties below are optional
            crypto_providers=["cryptoProviders"]
        ),
        private_key_flags=pcaconnectorad.CfnTemplate.PrivateKeyFlagsV2Property(
            client_version="clientVersion",
            # the properties below are optional
            exportable_key=False,
            strong_key_protection_required=False
        ),
        subject_name_flags=pcaconnectorad.CfnTemplate.SubjectNameFlagsV2Property(
            require_common_name=False,
            require_directory_path=False,
            require_dns_as_cn=False,
            require_email=False,
            san_require_directory_guid=False,
            san_require_dns=False,
            san_require_domain_dns=False,
            san_require_email=False,
            san_require_spn=False,
            san_require_upn=False
        ),
        # the properties below are optional
        superseded_templates=["supersededTemplates"]
    ),
    template_v3=pcaconnectorad.CfnTemplate.TemplateV3Property(
        certificate_validity=pcaconnectorad.CfnTemplate.CertificateValidityProperty(
            renewal_period=pcaconnectorad.CfnTemplate.ValidityPeriodProperty(
                period=123,
                period_type="periodType"
            ),
            validity_period=pcaconnectorad.CfnTemplate.ValidityPeriodProperty(
                period=123,
                period_type="periodType"
            )
        ),
        enrollment_flags=pcaconnectorad.CfnTemplate.EnrollmentFlagsV3Property(
            enable_key_reuse_on_nt_token_keyset_storage_full=False,
            include_symmetric_algorithms=False,
            no_security_extension=False,
            remove_invalid_certificate_from_personal_store=False,
            user_interaction_required=False
        ),
        extensions=pcaconnectorad.CfnTemplate.ExtensionsV3Property(
            key_usage=pcaconnectorad.CfnTemplate.KeyUsageProperty(
                usage_flags=pcaconnectorad.CfnTemplate.KeyUsageFlagsProperty(
                    data_encipherment=False,
                    digital_signature=False,
                    key_agreement=False,
                    key_encipherment=False,
                    non_repudiation=False
                ),
                # the properties below are optional
                critical=False
            ),
            # the properties below are optional
            application_policies=pcaconnectorad.CfnTemplate.ApplicationPoliciesProperty(
                policies=[pcaconnectorad.CfnTemplate.ApplicationPolicyProperty(
                    policy_object_identifier="policyObjectIdentifier",
                    policy_type="policyType"
                )],
                # the properties below are optional
                critical=False
            )
        ),
        general_flags=pcaconnectorad.CfnTemplate.GeneralFlagsV3Property(
            auto_enrollment=False,
            machine_type=False
        ),
        hash_algorithm="hashAlgorithm",
        private_key_attributes=pcaconnectorad.CfnTemplate.PrivateKeyAttributesV3Property(
            algorithm="algorithm",
            key_spec="keySpec",
            key_usage_property=pcaconnectorad.CfnTemplate.KeyUsagePropertyProperty(
                property_flags=pcaconnectorad.CfnTemplate.KeyUsagePropertyFlagsProperty(
                    decrypt=False,
                    key_agreement=False,
                    sign=False
                ),
                property_type="propertyType"
            ),
            minimal_key_length=123,
            # the properties below are optional
            crypto_providers=["cryptoProviders"]
        ),
        private_key_flags=pcaconnectorad.CfnTemplate.PrivateKeyFlagsV3Property(
            client_version="clientVersion",
            # the properties below are optional
            exportable_key=False,
            require_alternate_signature_algorithm=False,
            strong_key_protection_required=False
        ),
        subject_name_flags=pcaconnectorad.CfnTemplate.SubjectNameFlagsV3Property(
            require_common_name=False,
            require_directory_path=False,
            require_dns_as_cn=False,
            require_email=False,
            san_require_directory_guid=False,
            san_require_dns=False,
            san_require_domain_dns=False,
            san_require_email=False,
            san_require_spn=False,
            san_require_upn=False
        ),
        # the properties below are optional
        superseded_templates=["supersededTemplates"]
    ),
    template_v4=pcaconnectorad.CfnTemplate.TemplateV4Property(
        certificate_validity=pcaconnectorad.CfnTemplate.CertificateValidityProperty(
            renewal_period=pcaconnectorad.CfnTemplate.ValidityPeriodProperty(
                period=123,
                period_type="periodType"
            ),
            validity_period=pcaconnectorad.CfnTemplate.ValidityPeriodProperty(
                period=123,
                period_type="periodType"
            )
        ),
        enrollment_flags=pcaconnectorad.CfnTemplate.EnrollmentFlagsV4Property(
            enable_key_reuse_on_nt_token_keyset_storage_full=False,
            include_symmetric_algorithms=False,
            no_security_extension=False,
            remove_invalid_certificate_from_personal_store=False,
            user_interaction_required=False
        ),
        extensions=pcaconnectorad.CfnTemplate.ExtensionsV4Property(
            key_usage=pcaconnectorad.CfnTemplate.KeyUsageProperty(
                usage_flags=pcaconnectorad.CfnTemplate.KeyUsageFlagsProperty(
                    data_encipherment=False,
                    digital_signature=False,
                    key_agreement=False,
                    key_encipherment=False,
                    non_repudiation=False
                ),
                # the properties below are optional
                critical=False
            ),
            # the properties below are optional
            application_policies=pcaconnectorad.CfnTemplate.ApplicationPoliciesProperty(
                policies=[pcaconnectorad.CfnTemplate.ApplicationPolicyProperty(
                    policy_object_identifier="policyObjectIdentifier",
                    policy_type="policyType"
                )],
                # the properties below are optional
                critical=False
            )
        ),
        general_flags=pcaconnectorad.CfnTemplate.GeneralFlagsV4Property(
            auto_enrollment=False,
            machine_type=False
        ),
        private_key_attributes=pcaconnectorad.CfnTemplate.PrivateKeyAttributesV4Property(
            key_spec="keySpec",
            minimal_key_length=123,
            # the properties below are optional
            algorithm="algorithm",
            crypto_providers=["cryptoProviders"],
            key_usage_property=pcaconnectorad.CfnTemplate.KeyUsagePropertyProperty(
                property_flags=pcaconnectorad.CfnTemplate.KeyUsagePropertyFlagsProperty(
                    decrypt=False,
                    key_agreement=False,
                    sign=False
                ),
                property_type="propertyType"
            )
        ),
        private_key_flags=pcaconnectorad.CfnTemplate.PrivateKeyFlagsV4Property(
            client_version="clientVersion",
            # the properties below are optional
            exportable_key=False,
            require_alternate_signature_algorithm=False,
            require_same_key_renewal=False,
            strong_key_protection_required=False,
            use_legacy_provider=False
        ),
        subject_name_flags=pcaconnectorad.CfnTemplate.SubjectNameFlagsV4Property(
            require_common_name=False,
            require_directory_path=False,
            require_dns_as_cn=False,
            require_email=False,
            san_require_directory_guid=False,
            san_require_dns=False,
            san_require_domain_dns=False,
            san_require_email=False,
            san_require_spn=False,
            san_require_upn=False
        ),
        # the properties below are optional
        hash_algorithm="hashAlgorithm",
        superseded_templates=["supersededTemplates"]
    )
)
Attributes
- template_v2
v2 template schema, which uses Legacy Cryptographic Providers.
Defines certificate validity and renewal periods, request handling and enrollment options, key usage extensions, application policies, and cryptography settings.
- template_v3
v3 template schema, which uses Key Storage Providers.
Same groups of settings as v2, plus a hash algorithm.
- template_v4
v4 template schema, which can use either Legacy Cryptographic Providers or Key Storage Providers.
The provider category is selected in the private key flags.
TemplateV2Property
- class CfnTemplate.TemplateV2Property(*, certificate_validity, enrollment_flags, extensions, general_flags, private_key_attributes, private_key_flags, subject_name_flags, superseded_templates=None)
Bases:
object
v2 template schema that uses Legacy Cryptographic Providers.
- Parameters:
- certificate_validity (Union[IResolvable, CertificateValidityProperty, Dict[str, Any]]) – Certificate validity describes the validity and renewal periods of a certificate.
- enrollment_flags (Union[IResolvable, EnrollmentFlagsV2Property, Dict[str, Any]]) – Enrollment flags describe the enrollment settings for certificates, such as reusing the existing private key and deleting expired or revoked certificates.
- extensions (Union[IResolvable, ExtensionsV2Property, Dict[str, Any]]) – Extensions describe the key usage extensions and application policies for a template.
- general_flags (Union[IResolvable, GeneralFlagsV2Property, Dict[str, Any]]) – General flags describe whether the template is used for computers or users and whether the template can be used with autoenrollment.
- private_key_attributes (Union[IResolvable, PrivateKeyAttributesV2Property, Dict[str, Any]]) – Private key attributes specify the minimal key length, key spec, and cryptographic providers for the private key of a certificate for v2 templates. V2 templates allow you to use Legacy Cryptographic Service Providers.
- private_key_flags (Union[IResolvable, PrivateKeyFlagsV2Property, Dict[str, Any]]) – Private key flags for v2 templates specify the client compatibility, whether the private key can be exported, and whether user input is required when using the private key.
- subject_name_flags (Union[IResolvable, SubjectNameFlagsV2Property, Dict[str, Any]]) – Subject name flags describe the subject name and subject alternate name that are included in a certificate.
- superseded_templates (Optional[Sequence[str]]) – List of templates in Active Directory that are superseded by this template.
Example:
# The code below shows an example of how to instantiate this type.
# The values are placeholders you should change.
from aws_cdk import aws_pcaconnectorad as pcaconnectorad

template_v2_property = pcaconnectorad.CfnTemplate.TemplateV2Property(
    certificate_validity=pcaconnectorad.CfnTemplate.CertificateValidityProperty(
        renewal_period=pcaconnectorad.CfnTemplate.ValidityPeriodProperty(
            period=123,
            period_type="periodType"
        ),
        validity_period=pcaconnectorad.CfnTemplate.ValidityPeriodProperty(
            period=123,
            period_type="periodType"
        )
    ),
    enrollment_flags=pcaconnectorad.CfnTemplate.EnrollmentFlagsV2Property(
        enable_key_reuse_on_nt_token_keyset_storage_full=False,
        include_symmetric_algorithms=False,
        no_security_extension=False,
        remove_invalid_certificate_from_personal_store=False,
        user_interaction_required=False
    ),
    extensions=pcaconnectorad.CfnTemplate.ExtensionsV2Property(
        key_usage=pcaconnectorad.CfnTemplate.KeyUsageProperty(
            usage_flags=pcaconnectorad.CfnTemplate.KeyUsageFlagsProperty(
                data_encipherment=False,
                digital_signature=False,
                key_agreement=False,
                key_encipherment=False,
                non_repudiation=False
            ),
            # the properties below are optional
            critical=False
        ),
        # the properties below are optional
        application_policies=pcaconnectorad.CfnTemplate.ApplicationPoliciesProperty(
            policies=[pcaconnectorad.CfnTemplate.ApplicationPolicyProperty(
                policy_object_identifier="policyObjectIdentifier",
                policy_type="policyType"
            )],
            # the properties below are optional
            critical=False
        )
    ),
    general_flags=pcaconnectorad.CfnTemplate.GeneralFlagsV2Property(
        auto_enrollment=False,
        machine_type=False
    ),
    private_key_attributes=pcaconnectorad.CfnTemplate.PrivateKeyAttributesV2Property(
        key_spec="keySpec",
        minimal_key_length=123,
        # the properties below are optional
        crypto_providers=["cryptoProviders"]
    ),
    private_key_flags=pcaconnectorad.CfnTemplate.PrivateKeyFlagsV2Property(
        client_version="clientVersion",
        # the properties below are optional
        exportable_key=False,
        strong_key_protection_required=False
    ),
    subject_name_flags=pcaconnectorad.CfnTemplate.SubjectNameFlagsV2Property(
        require_common_name=False,
        require_directory_path=False,
        require_dns_as_cn=False,
        require_email=False,
        san_require_directory_guid=False,
        san_require_dns=False,
        san_require_domain_dns=False,
        san_require_email=False,
        san_require_spn=False,
        san_require_upn=False
    ),
    # the properties below are optional
    superseded_templates=["supersededTemplates"]
)
Attributes
- certificate_validity
Certificate validity describes the validity and renewal periods of a certificate.
- enrollment_flags
Enrollment flags describe the enrollment settings for certificates such as using the existing private key and deleting expired or revoked certificates.
- extensions
Extensions describe the key usage extensions and application policies for a template.
- general_flags
General flags describe whether the template is used for computers or users and if the template can be used with autoenrollment.
- private_key_attributes
Private key attributes allow you to specify the minimal key length, key spec, and cryptographic providers for the private key of a certificate for v2 templates.
V2 templates allow you to use Legacy Cryptographic Service Providers.
- private_key_flags
Private key flags for v2 templates specify the client compatibility, if the private key can be exported, and if user input is required when using a private key.
- subject_name_flags
Subject name flags describe the subject name and subject alternate name that is included in a certificate.
- superseded_templates
List of templates in Active Directory that are superseded by this template.
TemplateV3Property
- class CfnTemplate.TemplateV3Property(*, certificate_validity, enrollment_flags, extensions, general_flags, hash_algorithm, private_key_attributes, private_key_flags, subject_name_flags, superseded_templates=None)
Bases:
object
v3 template schema that uses Key Storage Providers.
- Parameters:
- certificate_validity (Union[IResolvable, CertificateValidityProperty, Dict[str, Any]]) – Certificate validity describes the validity and renewal periods of a certificate.
- enrollment_flags (Union[IResolvable, EnrollmentFlagsV3Property, Dict[str, Any]]) – Enrollment flags describe the enrollment settings for certificates, such as reusing the existing private key and deleting expired or revoked certificates.
- extensions (Union[IResolvable, ExtensionsV3Property, Dict[str, Any]]) – Extensions describe the key usage extensions and application policies for a template.
- general_flags (Union[IResolvable, GeneralFlagsV3Property, Dict[str, Any]]) – General flags describe whether the template is used for computers or users and whether the template can be used with autoenrollment.
- hash_algorithm (str) – Specifies the hash algorithm used for signatures made with the private key (the request hash); the private key itself is not hashed.
- private_key_attributes (Union[IResolvable, PrivateKeyAttributesV3Property, Dict[str, Any]]) – Private key attributes specify the algorithm, minimal key length, key spec, key usage, and cryptographic providers for the private key of a certificate for v3 templates. V3 templates allow you to use Key Storage Providers.
- private_key_flags (Union[IResolvable, PrivateKeyFlagsV3Property, Dict[str, Any]]) – Private key flags for v3 templates specify the client compatibility, whether the private key can be exported, whether user input is required when using the private key, and whether an alternate signature algorithm should be used.
- subject_name_flags (Union[IResolvable, SubjectNameFlagsV3Property, Dict[str, Any]]) – Subject name flags describe the subject name and subject alternate name that are included in a certificate.
- superseded_templates (Optional[Sequence[str]]) – List of templates in Active Directory that are superseded by this template.
Example:
# The code below shows an example of how to instantiate this type.
# The values are placeholders you should change.
from aws_cdk import aws_pcaconnectorad as pcaconnectorad

template_v3_property = pcaconnectorad.CfnTemplate.TemplateV3Property(
    certificate_validity=pcaconnectorad.CfnTemplate.CertificateValidityProperty(
        renewal_period=pcaconnectorad.CfnTemplate.ValidityPeriodProperty(
            period=123,
            period_type="periodType"
        ),
        validity_period=pcaconnectorad.CfnTemplate.ValidityPeriodProperty(
            period=123,
            period_type="periodType"
        )
    ),
    enrollment_flags=pcaconnectorad.CfnTemplate.EnrollmentFlagsV3Property(
        enable_key_reuse_on_nt_token_keyset_storage_full=False,
        include_symmetric_algorithms=False,
        no_security_extension=False,
        remove_invalid_certificate_from_personal_store=False,
        user_interaction_required=False
    ),
    extensions=pcaconnectorad.CfnTemplate.ExtensionsV3Property(
        key_usage=pcaconnectorad.CfnTemplate.KeyUsageProperty(
            usage_flags=pcaconnectorad.CfnTemplate.KeyUsageFlagsProperty(
                data_encipherment=False,
                digital_signature=False,
                key_agreement=False,
                key_encipherment=False,
                non_repudiation=False
            ),
            # the properties below are optional
            critical=False
        ),
        # the properties below are optional
        application_policies=pcaconnectorad.CfnTemplate.ApplicationPoliciesProperty(
            policies=[pcaconnectorad.CfnTemplate.ApplicationPolicyProperty(
                policy_object_identifier="policyObjectIdentifier",
                policy_type="policyType"
            )],
            # the properties below are optional
            critical=False
        )
    ),
    general_flags=pcaconnectorad.CfnTemplate.GeneralFlagsV3Property(
        auto_enrollment=False,
        machine_type=False
    ),
    hash_algorithm="hashAlgorithm",
    private_key_attributes=pcaconnectorad.CfnTemplate.PrivateKeyAttributesV3Property(
        algorithm="algorithm",
        key_spec="keySpec",
        key_usage_property=pcaconnectorad.CfnTemplate.KeyUsagePropertyProperty(
            property_flags=pcaconnectorad.CfnTemplate.KeyUsagePropertyFlagsProperty(
                decrypt=False,
                key_agreement=False,
                sign=False
            ),
            property_type="propertyType"
        ),
        minimal_key_length=123,
        # the properties below are optional
        crypto_providers=["cryptoProviders"]
    ),
    private_key_flags=pcaconnectorad.CfnTemplate.PrivateKeyFlagsV3Property(
        client_version="clientVersion",
        # the properties below are optional
        exportable_key=False,
        require_alternate_signature_algorithm=False,
        strong_key_protection_required=False
    ),
    subject_name_flags=pcaconnectorad.CfnTemplate.SubjectNameFlagsV3Property(
        require_common_name=False,
        require_directory_path=False,
        require_dns_as_cn=False,
        require_email=False,
        san_require_directory_guid=False,
        san_require_dns=False,
        san_require_domain_dns=False,
        san_require_email=False,
        san_require_spn=False,
        san_require_upn=False
    ),
    # the properties below are optional
    superseded_templates=["supersededTemplates"]
)
Attributes
- certificate_validity
Certificate validity describes the validity and renewal periods of a certificate.
- enrollment_flags
Enrollment flags describe the enrollment settings for certificates such as using the existing private key and deleting expired or revoked certificates.
- extensions
Extensions describe the key usage extensions and application policies for a template.
- general_flags
General flags describe whether the template is used for computers or users and if the template can be used with autoenrollment.
- hash_algorithm
Specifies the hash algorithm used for signatures made with the private key (the request hash); the private key itself is not hashed.
- private_key_attributes
Private key attributes allow you to specify the algorithm, minimal key length, key spec, key usage, and cryptographic providers for the private key of a certificate for v3 templates.
V3 templates allow you to use Key Storage Providers.
- private_key_flags
Private key flags for v3 templates specify the client compatibility, if the private key can be exported, if user input is required when using a private key, and if an alternate signature algorithm should be used.
- subject_name_flags
Subject name flags describe the subject name and subject alternate name that is included in a certificate.
- superseded_templates
List of templates in Active Directory that are superseded by this template.
TemplateV4Property
- class CfnTemplate.TemplateV4Property(*, certificate_validity, enrollment_flags, extensions, general_flags, private_key_attributes, private_key_flags, subject_name_flags, hash_algorithm=None, superseded_templates=None)
Bases:
object
v4 template schema that can use either Legacy Cryptographic Providers or Key Storage Providers.
- Parameters:
- certificate_validity (Union[IResolvable, CertificateValidityProperty, Dict[str, Any]]) – Certificate validity describes the validity and renewal periods of a certificate.
- enrollment_flags (Union[IResolvable, EnrollmentFlagsV4Property, Dict[str, Any]]) – Enrollment flags describe the enrollment settings for certificates, such as reusing the existing private key and deleting expired or revoked certificates.
- extensions (Union[IResolvable, ExtensionsV4Property, Dict[str, Any]]) – Extensions describe the key usage extensions and application policies for a template.
- general_flags (Union[IResolvable, GeneralFlagsV4Property, Dict[str, Any]]) – General flags describe whether the template is used for computers or users and whether the template can be used with autoenrollment.
- private_key_attributes (Union[IResolvable, PrivateKeyAttributesV4Property, Dict[str, Any]]) – Private key attributes specify the minimal key length, key spec, key usage, and cryptographic providers for the private key of a certificate for v4 templates. V4 templates allow you to use either Key Storage Providers or Legacy Cryptographic Service Providers; you select the provider category in the private key flags.
- private_key_flags (Union[IResolvable, PrivateKeyFlagsV4Property, Dict[str, Any]]) – Private key flags for v4 templates specify the client compatibility, whether the private key can be exported, whether user input is required when using the private key, whether an alternate signature algorithm should be used, whether certificates are renewed using the same private key, and whether a legacy provider is used.
- subject_name_flags (Union[IResolvable, SubjectNameFlagsV4Property, Dict[str, Any]]) – Subject name flags describe the subject name and subject alternate name that are included in a certificate.
- hash_algorithm (Optional[str]) – Specifies the hash algorithm used for signatures made with the private key (the request hash); the private key itself is not hashed. A hash algorithm can only be specified when using Key Storage Providers.
- superseded_templates (Optional[Sequence[str]]) – List of templates in Active Directory that are superseded by this template.
Example:
# The code below shows an example of how to instantiate this type.
# The values are placeholders you should change.
from aws_cdk import aws_pcaconnectorad as pcaconnectorad

template_v4_property = pcaconnectorad.CfnTemplate.TemplateV4Property(
    certificate_validity=pcaconnectorad.CfnTemplate.CertificateValidityProperty(
        renewal_period=pcaconnectorad.CfnTemplate.ValidityPeriodProperty(
            period=123,
            period_type="periodType"
        ),
        validity_period=pcaconnectorad.CfnTemplate.ValidityPeriodProperty(
            period=123,
            period_type="periodType"
        )
    ),
    enrollment_flags=pcaconnectorad.CfnTemplate.EnrollmentFlagsV4Property(
        enable_key_reuse_on_nt_token_keyset_storage_full=False,
        include_symmetric_algorithms=False,
        no_security_extension=False,
        remove_invalid_certificate_from_personal_store=False,
        user_interaction_required=False
    ),
    extensions=pcaconnectorad.CfnTemplate.ExtensionsV4Property(
        key_usage=pcaconnectorad.CfnTemplate.KeyUsageProperty(
            usage_flags=pcaconnectorad.CfnTemplate.KeyUsageFlagsProperty(
                data_encipherment=False,
                digital_signature=False,
                key_agreement=False,
                key_encipherment=False,
                non_repudiation=False
            ),
            # the properties below are optional
            critical=False
        ),
        # the properties below are optional
        application_policies=pcaconnectorad.CfnTemplate.ApplicationPoliciesProperty(
            policies=[pcaconnectorad.CfnTemplate.ApplicationPolicyProperty(
                policy_object_identifier="policyObjectIdentifier",
                policy_type="policyType"
            )],
            # the properties below are optional
            critical=False
        )
    ),
    general_flags=pcaconnectorad.CfnTemplate.GeneralFlagsV4Property(
        auto_enrollment=False,
        machine_type=False
    ),
    private_key_attributes=pcaconnectorad.CfnTemplate.PrivateKeyAttributesV4Property(
        key_spec="keySpec",
        minimal_key_length=123,
        # the properties below are optional
        algorithm="algorithm",
        crypto_providers=["cryptoProviders"],
        key_usage_property=pcaconnectorad.CfnTemplate.KeyUsagePropertyProperty(
            property_flags=pcaconnectorad.CfnTemplate.KeyUsagePropertyFlagsProperty(
                decrypt=False,
                key_agreement=False,
                sign=False
            ),
            property_type="propertyType"
        )
    ),
    private_key_flags=pcaconnectorad.CfnTemplate.PrivateKeyFlagsV4Property(
        client_version="clientVersion",
        # the properties below are optional
        exportable_key=False,
        require_alternate_signature_algorithm=False,
        require_same_key_renewal=False,
        strong_key_protection_required=False,
        use_legacy_provider=False
    ),
    subject_name_flags=pcaconnectorad.CfnTemplate.SubjectNameFlagsV4Property(
        require_common_name=False,
        require_directory_path=False,
        require_dns_as_cn=False,
        require_email=False,
        san_require_directory_guid=False,
        san_require_dns=False,
        san_require_domain_dns=False,
        san_require_email=False,
        san_require_spn=False,
        san_require_upn=False
    ),
    # the properties below are optional
    hash_algorithm="hashAlgorithm",
    superseded_templates=["supersededTemplates"]
)
Attributes
- certificate_validity
Certificate validity describes the validity and renewal periods of a certificate.
- enrollment_flags
Enrollment flags describe the enrollment settings for certificates, such as reusing the existing private key and deleting expired or revoked certificates.
- extensions
Extensions describe the key usage extensions and application policies for a template.
- general_flags
General flags describe whether the template is used for computers or users and if the template can be used with autoenrollment.
- hash_algorithm
Specifies the hash algorithm used for signatures made with the private key (the request hash); the private key itself is not hashed.
A hash algorithm can only be specified when using Key Storage Providers, that is, when use_legacy_provider is not set in the private key flags.
- private_key_attributes
Private key attributes allow you to specify the minimal key length, key spec, key usage, and cryptographic providers for the private key of a certificate for v4 templates.
V4 templates allow you to use either Key Storage Providers or Legacy Cryptographic Service Providers. You specify the cryptography provider category in private key flags.
- private_key_flags
Private key flags for v4 templates specify the client compatibility, whether the private key can be exported, whether user input is required when the private key is used, whether an alternate signature algorithm should be used, and whether certificates are renewed using the same private key.
- subject_name_flags
Subject name flags describe the subject name and subject alternative name (SAN) that are included in a certificate.
- superseded_templates
List of templates in Active Directory that are superseded by this template.
ValidityPeriodProperty
- class CfnTemplate.ValidityPeriodProperty(*, period, period_type)
Bases:
object
Information describing a span of time after issuance. The same property type is used for both the validity period and the renewal period of a certificate (see CertificateValidityProperty).
When used as the validity period it sets the "Not After" date of the certificate. Certificate validity is the period of time during which a certificate is valid; here it is expressed as a span of time after issuance, stated in hours, days, weeks, months, or years. For example, if the validity period is set to 20 days, the certificate expires 20 days after issuance. For more information, see Validity in RFC 5280.
- Parameters:
- period (Union[int, float]) – The numeric value for the validity period.
- period_type (str) – The unit of time. You can select hours, days, weeks, months, and years.
- ExampleMetadata:
fixture=_generated
Example:
# The code below shows an example of how to instantiate this type.
# The values are placeholders you should change.
from aws_cdk import aws_pcaconnectorad as pcaconnectorad

validity_period_property = pcaconnectorad.CfnTemplate.ValidityPeriodProperty(
    period=123,
    period_type="periodType"
)
Attributes
- period
The numeric value for the validity period.
- period_type
The unit of time.
You can select hours, days, weeks, months, and years.
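The placeholder examples above show the shape of TemplateV4Property and ValidityPeriodProperty but not what a reviewable template looks like. The following is an added example, not code from the aws_cdk documentation or from AWS: it builds the settings for a hardened computer (machine) template as plain dicts using the same snake_case keys as the TemplateV4Property and ValidityPeriodProperty attributes documented above, then audits them before they would be handed to pcaconnectorad.CfnTemplate. It uses only the standard library so the audit runs without the CDK installed. The enum strings (period_type, key_spec, algorithm, client_version, hash_algorithm), the hour conversions for months and years, the rule that the renewal period must be shorter than the validity period, and the review thresholds are this example's own assumptions; the EKU OIDs are the RFC 5280 values for clientAuth and serverAuth.

```python
# Added example (not aws_cdk or AWS code): build a hardened machine-template
# definition as plain dicts keyed like the CDK properties on this page, then
# audit it. Enum strings, hour conversions and thresholds are assumptions.
from __future__ import annotations

from typing import Any

# Hours per unit. 30-day months and 365-day years are an assumption used only
# to compare periods; the page only says which units are selectable.
HOURS_PER_UNIT = {
    "HOURS": 1, "DAYS": 24, "WEEKS": 24 * 7, "MONTHS": 24 * 30, "YEARS": 24 * 365,
}


def validity_period(period: int, period_type: str) -> dict[str, Any]:
    """ValidityPeriodProperty-shaped dict: a positive count plus a unit."""
    unit = period_type.upper()
    if unit not in HOURS_PER_UNIT:
        raise ValueError(f"unsupported period_type {period_type!r}")
    if period <= 0:
        raise ValueError("period must be positive")
    return {"period": period, "period_type": unit}


def period_hours(vp: dict[str, Any]) -> int:
    """Approximate length of a ValidityPeriodProperty in hours."""
    return vp["period"] * HOURS_PER_UNIT[vp["period_type"]]


def machine_auth_template_v4(
    validity=(1, "YEARS"), renewal=(6, "WEEKS"), key_bits: int = 3072
) -> dict[str, Any]:
    """Settings for a computer certificate template, keyed like TemplateV4Property."""
    return {
        "certificate_validity": {
            "renewal_period": validity_period(*renewal),
            "validity_period": validity_period(*validity),
        },
        "enrollment_flags": {
            "enable_key_reuse_on_nt_token_keyset_storage_full": False,
            "include_symmetric_algorithms": False,
            # Keep the security (SID) extension: suppressing it weakens strong
            # certificate mapping on the domain controller side.
            "no_security_extension": False,
            "remove_invalid_certificate_from_personal_store": True,
            "user_interaction_required": False,
        },
        "extensions": {
            "key_usage": {
                "critical": True,
                "usage_flags": {
                    "data_encipherment": False, "digital_signature": True,
                    "key_agreement": False, "key_encipherment": True,
                    "non_repudiation": False,
                },
            },
            "application_policies": {
                "critical": False,
                # RFC 5280 EKU OIDs: clientAuth and serverAuth.
                "policies": [
                    {"policy_object_identifier": "1.3.6.1.5.5.7.3.2"},
                    {"policy_object_identifier": "1.3.6.1.5.5.7.3.1"},
                ],
            },
        },
        "general_flags": {"auto_enrollment": True, "machine_type": True},
        "private_key_attributes": {
            "key_spec": "KEY_EXCHANGE", "minimal_key_length": key_bits, "algorithm": "RSA",
        },
        "private_key_flags": {
            "client_version": "WINDOWS_SERVER_2016",
            "exportable_key": False,            # key never leaves the host's provider
            "require_same_key_renewal": False,  # renewals get a fresh key pair
            "use_legacy_provider": False,       # Key Storage Provider, not legacy CSP
        },
        "subject_name_flags": {
            # Subject and SAN are taken from the computer's DNS name in AD.
            "require_dns_as_cn": True, "san_require_dns": True,
        },
        "hash_algorithm": "SHA256",
    }


def review_template_v4(tpl: dict[str, Any]) -> list[str]:
    """Return findings a reviewer would raise before deploying the template."""
    findings: list[str] = []
    cv = tpl["certificate_validity"]
    if period_hours(cv["renewal_period"]) >= period_hours(cv["validity_period"]):
        findings.append("renewal_period is not shorter than validity_period")
    if period_hours(cv["validity_period"]) > 2 * HOURS_PER_UNIT["YEARS"]:
        findings.append("validity_period exceeds two years")
    pka = tpl["private_key_attributes"]
    if pka.get("algorithm", "RSA") == "RSA" and pka["minimal_key_length"] < 2048:
        findings.append("RSA minimal_key_length below 2048 bits")
    pkf = tpl["private_key_flags"]
    if pkf.get("exportable_key"):
        findings.append("exportable_key lets the private key leave the host")
    if pkf.get("use_legacy_provider"):
        findings.append("legacy CSP selected; prefer a Key Storage Provider")
    if tpl["enrollment_flags"].get("no_security_extension"):
        findings.append("no_security_extension drops the SID security extension")
    if tpl.get("hash_algorithm", "SHA256") not in {"SHA256", "SHA384", "SHA512"}:
        findings.append("hash_algorithm is not a SHA-2 algorithm")
    if tpl["general_flags"]["machine_type"] and not tpl["subject_name_flags"].get("require_dns_as_cn"):
        findings.append("machine template does not require the AD DNS name as CN")
    return findings


if __name__ == "__main__":
    print(review_template_v4(machine_auth_template_v4()))
    weak = machine_auth_template_v4(validity=(5, "YEARS"), renewal=(6, "YEARS"), key_bits=1024)
    weak["private_key_flags"]["exportable_key"] = True
    for finding in review_template_v4(weak):
        print("-", finding)
```

Run the audit in a pre-deployment check (for example a unit test in the CDK project) and fail the build on any finding; the dicts can then be converted to the corresponding CfnTemplate.*V4Property constructs, with the enum strings checked against the current CloudFormation reference since they are assumed here rather than taken from this page.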