{-# LANGUAGE DeriveGeneric #-}
{-# LANGUAGE DuplicateRecordFields #-}
{-# LANGUAGE NamedFieldPuns #-}
{-# LANGUAGE OverloadedStrings #-}
{-# LANGUAGE RecordWildCards #-}
{-# LANGUAGE StrictData #-}
{-# LANGUAGE TypeFamilies #-}
{-# LANGUAGE NoImplicitPrelude #-}
{-# OPTIONS_GHC -fno-warn-unused-binds #-}
{-# OPTIONS_GHC -fno-warn-unused-imports #-}
{-# OPTIONS_GHC -fno-warn-unused-matches #-}

-- Derived from AWS service descriptions, licensed under Apache 2.0.

-- |
-- Module      : Amazonka.CertificateManagerPCA.IssueCertificate
-- Copyright   : (c) 2013-2021 Brendan Hay
-- License     : Mozilla Public License, v. 2.0.
-- Maintainer  : Brendan Hay <brendan.g.hay+amazonka@gmail.com>
-- Stability   : auto-generated
-- Portability : non-portable (GHC extensions)
--
-- Uses your private certificate authority (CA), or one that has been
-- shared with you, to issue a client certificate. This action returns the
-- Amazon Resource Name (ARN) of the certificate. You can retrieve the
-- certificate by calling the
-- <https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_GetCertificate.html GetCertificate>
-- action and specifying the ARN.
--
-- You cannot use the ACM __ListCertificateAuthorities__ action to retrieve
-- the ARNs of the certificates that you issue by using ACM Private CA.
module Amazonka.CertificateManagerPCA.IssueCertificate
  ( -- * Creating a Request
    IssueCertificate (..),
    newIssueCertificate,

    -- * Request Lenses
    issueCertificate_idempotencyToken,
    issueCertificate_apiPassthrough,
    issueCertificate_templateArn,
    issueCertificate_validityNotBefore,
    issueCertificate_certificateAuthorityArn,
    issueCertificate_csr,
    issueCertificate_signingAlgorithm,
    issueCertificate_validity,

    -- * Destructuring the Response
    IssueCertificateResponse (..),
    newIssueCertificateResponse,

    -- * Response Lenses
    issueCertificateResponse_certificateArn,
    issueCertificateResponse_httpStatus,
  )
where

import Amazonka.CertificateManagerPCA.Types
import qualified Amazonka.Core as Core
import qualified Amazonka.Lens as Lens
import qualified Amazonka.Prelude as Prelude
import qualified Amazonka.Request as Request
import qualified Amazonka.Response as Response

-- | Request payload for the ACM Private CA @IssueCertificate@ action.
--
-- /See:/ 'newIssueCertificate' smart constructor.
data IssueCertificate = IssueCertificate'
  { -- | Alphanumeric string used to tell calls to __IssueCertificate__
    -- apart. Idempotency tokens for __IssueCertificate__ time out after one
    -- minute: repeating the call with the same token within one minute makes
    -- ACM Private CA treat the calls as a request for a single certificate
    -- and issue only one, while changing the token on each call tells PCA
    -- that multiple certificates are being requested.
    idempotencyToken :: Prelude.Maybe Prelude.Text,
    -- | X.509 certificate information to be included in the issued
    -- certificate. It is only honoured when an @APIPassthrough@ or
    -- @APICSRPassthrough@ template variant is selected; otherwise this
    -- parameter is ignored. For more information about using these
    -- templates, see
    -- <https://docs.aws.amazon.com/acm-pca/latest/userguide/UsingTemplates.html Understanding Certificate Templates>.
    --
    -- When conflicting or duplicate certificate information is supplied
    -- during issuance, ACM Private CA applies
    -- <https://docs.aws.amazon.com/acm-pca/latest/userguide/UsingTemplates.html#template-order-of-operations order of operation rules>
    -- to determine what information is used.
    --
    -- Whatever is accepted from this field ends up in a certificate signed
    -- by the CA, so values that originate outside the caller's trust
    -- boundary should be validated before the request is built.
    apiPassthrough :: Prelude.Maybe ApiPassthrough,
    -- | Custom configuration template to use when issuing the certificate.
    -- If this parameter is not provided, ACM Private CA defaults to the
    -- @EndEntityCertificate\/V1@ template. For CA certificates, you should
    -- choose the shortest path length that meets your needs. The path length
    -- is indicated by the PathLen/N/ portion of the ARN, where /N/ is the
    -- <https://docs.aws.amazon.com/acm-pca/latest/userguide/PcaTerms.html#terms-cadepth CA depth>.
    --
    -- Note: The CA depth configured on a subordinate CA certificate must not
    -- exceed the limit set by its parents in the CA hierarchy.
    --
    -- For a list of @TemplateArn@ values supported by ACM Private CA, see
    -- <https://docs.aws.amazon.com/acm-pca/latest/userguide/UsingTemplates.html Understanding Certificate Templates>.
    templateArn :: Prelude.Maybe Prelude.Text,
    -- | Start of the validity period of the certificate. This parameter
    -- sets the \"Not Before\" date for the certificate.
    --
    -- By default, when issuing a certificate, ACM Private CA sets the
    -- \"Not Before\" date to the issuance time minus 60 minutes, which
    -- compensates for clock inconsistencies across computer systems. The
    -- @ValidityNotBefore@ parameter can be used to customize that value.
    --
    -- Unlike the @Validity@ parameter, the @ValidityNotBefore@ parameter is
    -- optional.
    --
    -- The @ValidityNotBefore@ value is expressed as an explicit date and
    -- time, using the @Validity@ type value @ABSOLUTE@. For more
    -- information, see
    -- <https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_Validity.html Validity>
    -- in this API reference and
    -- <https://tools.ietf.org/html/rfc5280#section-4.1.2.5 Validity> in RFC
    -- 5280.
    validityNotBefore :: Prelude.Maybe Validity,
    -- | The Amazon Resource Name (ARN) that was returned when you called
    -- <https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_CreateCertificateAuthority.html CreateCertificateAuthority>.
    -- This must be of the form:
    --
    -- @arn:aws:acm-pca:region:account:certificate-authority\/12345678-1234-1234-1234-123456789012@
    certificateAuthorityArn :: Prelude.Text,
    -- | The certificate signing request (CSR) for the certificate you want
    -- to issue. As an example, you can use the following OpenSSL command to
    -- create the CSR and a 2048 bit RSA private key.
    --
    -- @openssl req -new -newkey rsa:2048 -days 365 -keyout private\/test_cert_priv_key.pem -out csr\/test_cert_.csr@
    --
    -- If you have a configuration file, you can then use the following
    -- OpenSSL command. The @usr_cert@ block in the configuration file
    -- contains your X509 version 3 extensions.
    --
    -- @openssl req -new -config openssl_rsa.cnf -extensions usr_cert -newkey rsa:2048 -days -365 -keyout private\/test_cert_priv_key.pem -out csr\/test_cert_.csr@
    --
    -- Note: A CSR must provide either a /subject name/ or a /subject
    -- alternative name/ or the request will be rejected.
    --
    -- The @-days@ option in the commands above only takes effect together
    -- with @-x509@; OpenSSL ignores it when producing a CSR, so the lifetime
    -- of the issued certificate is governed by 'validity' and not by these
    -- commands. Only the CSR travels in this request: the record has no
    -- field for the private key written by @-keyout@, which stays with the
    -- requester.
    csr :: Core.Base64,
    -- | The name of the algorithm that will be used to sign the certificate
    -- to be issued.
    --
    -- This parameter should not be confused with the @SigningAlgorithm@
    -- parameter used to sign a CSR in the @CreateCertificateAuthority@
    -- action.
    signingAlgorithm :: SigningAlgorithm,
    -- | End of the validity period of the certificate. This parameter sets
    -- the \"Not After\" date for the certificate.
    --
    -- Certificate validity is the period of time during which a certificate
    -- is valid. Validity can be expressed as an explicit date and time when
    -- the certificate expires, or as a span of time after issuance, stated
    -- in days, months, or years. For more information, see
    -- <https://tools.ietf.org/html/rfc5280#section-4.1.2.5 Validity> in RFC
    -- 5280.
    --
    -- This value is unaffected when @ValidityNotBefore@ is also specified.
    -- For example, if @Validity@ is set to 20 days in the future, the
    -- certificate will expire 20 days from issuance time regardless of the
    -- @ValidityNotBefore@ value.
    --
    -- The end of the validity period configured on a certificate must not
    -- exceed the limit set on its parents in the CA hierarchy.
    validity :: Validity
  }
  deriving (Prelude.Eq, Prelude.Read, Prelude.Show, Prelude.Generic)

-- |
-- Create a value of 'IssueCertificate' with all optional fields omitted.
--
-- Use <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify other optional fields.
--
-- The following record fields are available, with the corresponding lenses provided
-- for backwards compatibility:
--
-- 'idempotencyToken', 'issueCertificate_idempotencyToken' - Alphanumeric string that can be used to distinguish between calls to the
-- __IssueCertificate__ action. Idempotency tokens for __IssueCertificate__
-- time out after one minute. Therefore, if you call __IssueCertificate__
-- multiple times with the same idempotency token within one minute, ACM
-- Private CA recognizes that you are requesting only one certificate and
-- will issue only one. If you change the idempotency token for each call,
-- PCA recognizes that you are requesting multiple certificates.
--
-- 'apiPassthrough', 'issueCertificate_apiPassthrough' - Specifies X.509 certificate information to be included in the issued
-- certificate. An @APIPassthrough@ or @APICSRPassthrough@ template variant
-- must be selected, or else this parameter is ignored. For more
-- information about using these templates, see
-- <https://docs.aws.amazon.com/acm-pca/latest/userguide/UsingTemplates.html Understanding Certificate Templates>.
--
-- If conflicting or duplicate certificate information is supplied during
-- certificate issuance, ACM Private CA applies
-- <https://docs.aws.amazon.com/acm-pca/latest/userguide/UsingTemplates.html#template-order-of-operations order of operation rules>
-- to determine what information is used.
--
-- 'templateArn', 'issueCertificate_templateArn' - Specifies a custom configuration template to use when issuing a
-- certificate. If this parameter is not provided, ACM Private CA defaults
-- to the @EndEntityCertificate\/V1@ template. For CA certificates, you
-- should choose the shortest path length that meets your needs. The path
-- length is indicated by the PathLen/N/ portion of the ARN, where /N/ is
-- the
-- <https://docs.aws.amazon.com/acm-pca/latest/userguide/PcaTerms.html#terms-cadepth CA depth>.
--
-- Note: The CA depth configured on a subordinate CA certificate must not
-- exceed the limit set by its parents in the CA hierarchy.
--
-- For a list of @TemplateArn@ values supported by ACM Private CA, see
-- <https://docs.aws.amazon.com/acm-pca/latest/userguide/UsingTemplates.html Understanding Certificate Templates>.
--
-- 'validityNotBefore', 'issueCertificate_validityNotBefore' - Information describing the start of the validity period of the
-- certificate. This parameter sets the “Not Before” date for the
-- certificate.
--
-- By default, when issuing a certificate, ACM Private CA sets the \"Not
-- Before\" date to the issuance time minus 60 minutes. This compensates
-- for clock inconsistencies across computer systems. The
-- @ValidityNotBefore@ parameter can be used to customize the “Not Before”
-- value.
--
-- Unlike the @Validity@ parameter, the @ValidityNotBefore@ parameter is
-- optional.
--
-- The @ValidityNotBefore@ value is expressed as an explicit date and time,
-- using the @Validity@ type value @ABSOLUTE@. For more information, see
-- <https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_Validity.html Validity>
-- in this API reference and
-- <https://tools.ietf.org/html/rfc5280#section-4.1.2.5 Validity> in RFC
-- 5280.
--
-- 'certificateAuthorityArn', 'issueCertificate_certificateAuthorityArn' - The Amazon Resource Name (ARN) that was returned when you called
-- <https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_CreateCertificateAuthority.html CreateCertificateAuthority>.
-- This must be of the form:
--
-- @arn:aws:acm-pca:region:account:certificate-authority\/12345678-1234-1234-1234-123456789012 @
--
-- 'csr', 'issueCertificate_csr' - The certificate signing request (CSR) for the certificate you want to
-- issue. As an example, you can use the following OpenSSL command to
-- create the CSR and a 2048 bit RSA private key.
--
-- @openssl req -new -newkey rsa:2048 -days 365 -keyout private\/test_cert_priv_key.pem -out csr\/test_cert_.csr@
--
-- If you have a configuration file, you can then use the following OpenSSL
-- command. The @usr_cert@ block in the configuration file contains your
-- X509 version 3 extensions.
--
-- @openssl req -new -config openssl_rsa.cnf -extensions usr_cert -newkey rsa:2048 -days -365 -keyout private\/test_cert_priv_key.pem -out csr\/test_cert_.csr@
--
-- Note: A CSR must provide either a /subject name/ or a /subject
-- alternative name/ or the request will be rejected.
--
-- /Note:/ This 'Lens' automatically encodes and decodes Base64 data.
-- The underlying isomorphism will encode to Base64 representation during
-- serialisation, and decode from Base64 representation during deserialisation.
-- This 'Lens' accepts and returns only raw unencoded data.
--
-- 'signingAlgorithm', 'issueCertificate_signingAlgorithm' - The name of the algorithm that will be used to sign the certificate to
-- be issued.
--
-- This parameter should not be confused with the @SigningAlgorithm@
-- parameter used to sign a CSR in the @CreateCertificateAuthority@ action.
--
-- 'validity', 'issueCertificate_validity' - Information describing the end of the validity period of the
-- certificate. This parameter sets the “Not After” date for the
-- certificate.
--
-- Certificate validity is the period of time during which a certificate is
-- valid. Validity can be expressed as an explicit date and time when the
-- certificate expires, or as a span of time after issuance, stated in
-- days, months, or years. For more information, see
-- <https://tools.ietf.org/html/rfc5280#section-4.1.2.5 Validity> in RFC
-- 5280.
--
-- This value is unaffected when @ValidityNotBefore@ is also specified. For
-- example, if @Validity@ is set to 20 days in the future, the certificate
-- will expire 20 days from issuance time regardless of the
-- @ValidityNotBefore@ value.
--
-- The end of the validity period configured on a certificate must not
-- exceed the limit set on its parents in the CA hierarchy.
newIssueCertificate ::
  -- | 'certificateAuthorityArn'
  Prelude.Text ->
  -- | 'csr'
  Prelude.ByteString ->
  -- | 'signingAlgorithm'
  SigningAlgorithm ->
  -- | 'validity'
  Validity ->
  IssueCertificate
newIssueCertificate caArn rawCsr algorithm lifetime =
  IssueCertificate'
    { -- Required fields come straight from the arguments.
      certificateAuthorityArn = caArn,
      -- The record stores the Base64 wrapper type; building it through the
      -- '_Base64' iso lets the caller pass the CSR bytes unencoded.
      csr = Core._Base64 Lens.# rawCsr,
      signingAlgorithm = algorithm,
      validity = lifetime,
      -- Every optional field starts out unset.
      idempotencyToken = Prelude.Nothing,
      apiPassthrough = Prelude.Nothing,
      templateArn = Prelude.Nothing,
      validityNotBefore = Prelude.Nothing
    }

-- | Alphanumeric string that can be used to distinguish between calls to the
-- __IssueCertificate__ action. Idempotency tokens for __IssueCertificate__
-- time out after one minute. Therefore, if you call __IssueCertificate__
-- multiple times with the same idempotency token within one minute, ACM
-- Private CA recognizes that you are requesting only one certificate and
-- will issue only one. If you change the idempotency token for each call,
-- PCA recognizes that you are requesting multiple certificates.
issueCertificate_idempotencyToken :: Lens.Lens' IssueCertificate (Prelude.Maybe Prelude.Text)
issueCertificate_idempotencyToken = Lens.lens readToken writeToken
  where
    -- Getter: project the field out of the request.
    readToken IssueCertificate' {idempotencyToken = token} = token
    -- Setter: the annotation names the record type being updated (kept from
    -- the generated code; presumably needed under DuplicateRecordFields).
    writeToken req@IssueCertificate' {} token =
      req {idempotencyToken = token} :: IssueCertificate

-- | Specifies X.509 certificate information to be included in the issued
-- certificate. An @APIPassthrough@ or @APICSRPassthrough@ template variant
-- must be selected, or else this parameter is ignored. For more
-- information about using these templates, see
-- <https://docs.aws.amazon.com/acm-pca/latest/userguide/UsingTemplates.html Understanding Certificate Templates>.
--
-- If conflicting or duplicate certificate information is supplied during
-- certificate issuance, ACM Private CA applies
-- <https://docs.aws.amazon.com/acm-pca/latest/userguide/UsingTemplates.html#template-order-of-operations order of operation rules>
-- to determine what information is used.
issueCertificate_apiPassthrough :: Lens.Lens' IssueCertificate (Prelude.Maybe ApiPassthrough)
issueCertificate_apiPassthrough = Lens.lens viewPassthrough putPassthrough
  where
    -- Getter: project the field out of the request.
    viewPassthrough IssueCertificate' {apiPassthrough = current} = current
    -- Setter: the annotation names the record type being updated (kept from
    -- the generated code; presumably needed under DuplicateRecordFields).
    putPassthrough req@IssueCertificate' {} replacement =
      req {apiPassthrough = replacement} :: IssueCertificate

-- | Specifies a custom configuration template to use when issuing a
-- certificate. If this parameter is not provided, ACM Private CA defaults
-- to the @EndEntityCertificate\/V1@ template. For CA certificates, you
-- should choose the shortest path length that meets your needs. The path
-- length is indicated by the PathLen/N/ portion of the ARN, where /N/ is
-- the
-- <https://docs.aws.amazon.com/acm-pca/latest/userguide/PcaTerms.html#terms-cadepth CA depth>.
--
-- Note: The CA depth configured on a subordinate CA certificate must not
-- exceed the limit set by its parents in the CA hierarchy.
--
-- For a list of @TemplateArn@ values supported by ACM Private CA, see
-- <https://docs.aws.amazon.com/acm-pca/latest/userguide/UsingTemplates.html Understanding Certificate Templates>.
issueCertificate_templateArn :: Lens.Lens' IssueCertificate (Prelude.Maybe Prelude.Text)
issueCertificate_templateArn = Lens.lens viewTemplate putTemplate
  where
    -- Getter: project the field out of the request. 'Nothing' means no
    -- template was chosen by the caller.
    viewTemplate IssueCertificate' {templateArn = arn} = arn
    -- Setter: the annotation names the record type being updated (kept from
    -- the generated code; presumably needed under DuplicateRecordFields).
    putTemplate req@IssueCertificate' {} arn =
      req {templateArn = arn} :: IssueCertificate

-- | Information describing the start of the validity period of the
-- certificate. This parameter sets the “Not Before” date for the
-- certificate.
--
-- By default, when issuing a certificate, ACM Private CA sets the \"Not
-- Before\" date to the issuance time minus 60 minutes. This compensates
-- for clock inconsistencies across computer systems. The
-- @ValidityNotBefore@ parameter can be used to customize the “Not Before”
-- value.
--
-- Unlike the @Validity@ parameter, the @ValidityNotBefore@ parameter is
-- optional.
--
-- The @ValidityNotBefore@ value is expressed as an explicit date and time,
-- using the @Validity@ type value @ABSOLUTE@. For more information, see
-- <https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_Validity.html Validity>
-- in this API reference and
-- <https://tools.ietf.org/html/rfc5280#section-4.1.2.5 Validity> in RFC
-- 5280.
issueCertificate_validityNotBefore :: Lens.Lens' IssueCertificate (Prelude.Maybe Validity)
issueCertificate_validityNotBefore = Lens.lens viewStart putStart
  where
    -- Getter: project the field out of the request.
    viewStart IssueCertificate' {validityNotBefore = start} = start
    -- Setter: the annotation names the record type being updated (kept from
    -- the generated code; presumably needed under DuplicateRecordFields).
    putStart req@IssueCertificate' {} start =
      req {validityNotBefore = start} :: IssueCertificate

-- | The Amazon Resource Name (ARN) that was returned when you called
-- <https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_CreateCertificateAuthority.html CreateCertificateAuthority>.
-- This must be of the form:
--
-- @arn:aws:acm-pca:region:account:certificate-authority\/12345678-1234-1234-1234-123456789012 @
issueCertificate_certificateAuthorityArn :: Lens.Lens' IssueCertificate Prelude.Text
issueCertificate_certificateAuthorityArn = Lens.lens viewCaArn putCaArn
  where
    -- Getter: project the field out of the request.
    viewCaArn IssueCertificate' {certificateAuthorityArn = arn} = arn
    -- Setter: stores the text as given; nothing here checks that it has the
    -- documented ARN shape. The annotation names the record type being
    -- updated (kept from the generated code).
    putCaArn req@IssueCertificate' {} arn =
      req {certificateAuthorityArn = arn} :: IssueCertificate

-- | The certificate signing request (CSR) for the certificate you want to
-- issue. As an example, you can use the following OpenSSL command to
-- create the CSR and a 2048 bit RSA private key.
--
-- @openssl req -new -newkey rsa:2048 -days 365 -keyout private\/test_cert_priv_key.pem -out csr\/test_cert_.csr@
--
-- If you have a configuration file, you can then use the following OpenSSL
-- command. The @usr_cert@ block in the configuration file contains your
-- X509 version 3 extensions.
--
-- @openssl req -new -config openssl_rsa.cnf -extensions usr_cert -newkey rsa:2048 -days -365 -keyout private\/test_cert_priv_key.pem -out csr\/test_cert_.csr@
--
-- Note: A CSR must provide either a /subject name/ or a /subject
-- alternative name/ or the request will be rejected.
--
-- The @-days@ option in the commands above only takes effect together with
-- @-x509@; OpenSSL ignores it when producing a CSR, so the lifetime of the
-- issued certificate is governed by the request's @validity@ field and not
-- by these commands. Only the CSR is carried by this field; the private key
-- written by @-keyout@ stays with the requester.
--
-- /Note:/ This 'Lens' automatically encodes and decodes Base64 data.
-- The underlying isomorphism will encode to Base64 representation during
-- serialisation, and decode from Base64 representation during deserialisation.
-- This 'Lens' accepts and returns only raw unencoded data.
issueCertificate_csr :: Lens.Lens' IssueCertificate Prelude.ByteString
issueCertificate_csr = Lens.lens readCsr writeCsr Prelude.. Core._Base64
  where
    -- Field-level access works on the stored Base64 wrapper; composing with
    -- '_Base64' is what exposes raw bytes to the caller.
    readCsr IssueCertificate' {csr = wrapped} = wrapped
    -- The annotation names the record type being updated (kept from the
    -- generated code; presumably needed under DuplicateRecordFields).
    writeCsr req@IssueCertificate' {} wrapped =
      req {csr = wrapped} :: IssueCertificate

-- | The name of the algorithm that will be used to sign the certificate to
-- be issued.
--
-- This parameter should not be confused with the @SigningAlgorithm@
-- parameter used to sign a CSR in the @CreateCertificateAuthority@ action.
issueCertificate_signingAlgorithm :: Lens.Lens' IssueCertificate SigningAlgorithm
issueCertificate_signingAlgorithm = Lens.lens viewAlgorithm putAlgorithm
  where
    -- Getter: project the field out of the request.
    viewAlgorithm IssueCertificate' {signingAlgorithm = algorithm} = algorithm
    -- Setter: the annotation names the record type being updated (kept from
    -- the generated code; presumably needed under DuplicateRecordFields).
    putAlgorithm req@IssueCertificate' {} algorithm =
      req {signingAlgorithm = algorithm} :: IssueCertificate

-- | Information describing the end of the validity period of the
-- certificate. This parameter sets the “Not After” date for the
-- certificate.
--
-- Certificate validity is the period of time during which a certificate is
-- valid. Validity can be expressed as an explicit date and time when the
-- certificate expires, or as a span of time after issuance, stated in
-- days, months, or years. For more information, see
-- <https://tools.ietf.org/html/rfc5280#section-4.1.2.5 Validity> in RFC
-- 5280.
--
-- This value is unaffected when @ValidityNotBefore@ is also specified. For
-- example, if @Validity@ is set to 20 days in the future, the certificate
-- will expire 20 days from issuance time regardless of the
-- @ValidityNotBefore@ value.
--
-- The end of the validity period configured on a certificate must not
-- exceed the limit set on its parents in the CA hierarchy.
issueCertificate_validity :: Lens.Lens' IssueCertificate Validity
issueCertificate_validity = Lens.lens viewLifetime putLifetime
  where
    -- Getter: project the field out of the request.
    viewLifetime IssueCertificate' {validity = lifetime} = lifetime
    -- Setter: the annotation names the record type being updated (kept from
    -- the generated code; presumably needed under DuplicateRecordFields).
    putLifetime req@IssueCertificate' {} lifetime =
      req {validity = lifetime} :: IssueCertificate

instance Core.AWSRequest IssueCertificate where
  type AWSResponse IssueCertificate = IssueCertificateResponse

  -- The request is built as a JSON POST against 'defaultService'.
  request = Request.postJSON defaultService

  response = Response.receiveJSON decodeBody
    where
      -- The response headers are not consulted. "CertificateArn" is read
      -- with the optional-key operator, so a body without that key still
      -- decodes successfully and carries 'Nothing'; callers should check
      -- for the ARN rather than assume issuance produced one.
      decodeBody status _headers body =
        IssueCertificateResponse'
          Prelude.<$> (body Core..?> "CertificateArn")
          Prelude.<*> Prelude.pure (Prelude.fromEnum status)

-- No methods are given, so the class defaults apply (presumably the
-- Generic-based ones, since 'IssueCertificate' derives Generic).
instance Prelude.Hashable IssueCertificate

-- Likewise declared without methods; the class defaults apply.
instance Prelude.NFData IssueCertificate

instance Core.ToHeaders IssueCertificate where
  -- The headers are constants: the request value itself is never inspected.
  toHeaders _ = Prelude.mconcat [targetHeader, contentTypeHeader]
    where
      -- Names the operation being invoked.
      targetHeader =
        "X-Amz-Target"
          Core.=# ("ACMPrivateCA.IssueCertificate" :: Prelude.ByteString)
      -- Declares the JSON 1.1 wire format of the body.
      contentTypeHeader =
        "Content-Type"
          Core.=# ("application/x-amz-json-1.1" :: Prelude.ByteString)

-- | JSON body of the request.
--
-- The four optional fields are emitted only when set; the CA ARN, CSR,
-- signing algorithm and validity are always present.
--
-- NOTE(review): this instance serialises the caller's values as given. It
-- places no bound on @Validity@ and no restriction on @TemplateArn@ or
-- @ApiPassthrough@, so when requests are built on behalf of less-trusted
-- requesters those limits have to be applied before the request is
-- constructed (or enforced by the service-side policy on the CA — confirm
-- which applies in your deployment).
instance Core.ToJSON IssueCertificate where
  toJSON
    IssueCertificate'
      { idempotencyToken,
        apiPassthrough,
        templateArn,
        validityNotBefore,
        certificateAuthorityArn,
        csr,
        signingAlgorithm,
        validity
      } =
      Core.object
        ( Prelude.catMaybes
            [ optionalField "IdempotencyToken" idempotencyToken,
              optionalField "ApiPassthrough" apiPassthrough,
              optionalField "TemplateArn" templateArn,
              optionalField "ValidityNotBefore" validityNotBefore,
              requiredField "CertificateAuthorityArn" certificateAuthorityArn,
              -- The CSR is requester-supplied material; it is passed through
              -- in its Base64 wrapper without inspection here.
              requiredField "Csr" csr,
              requiredField "SigningAlgorithm" signingAlgorithm,
              requiredField "Validity" validity
            ]
        )
      where
        -- A key/value pair only when the optional value is present.
        optionalField key value = (key Core..=) Prelude.<$> value
        -- A key/value pair that is always emitted.
        requiredField key value = Prelude.Just (key Core..= value)

-- | The request path is always the root; the request value is not consulted.
instance Core.ToPath IssueCertificate where
  toPath _ = "/"

-- | No query string is sent; the request value is not consulted.
instance Core.ToQuery IssueCertificate where
  toQuery _ = Prelude.mempty

-- | Result of an @IssueCertificate@ call.
--
-- /See:/ 'newIssueCertificateResponse' smart constructor.
data IssueCertificateResponse = IssueCertificateResponse'
  { -- | The Amazon Resource Name (ARN) of the issued certificate and the
    -- certificate serial number. This is of the form:
    --
    -- @arn:aws:acm-pca:region:account:certificate-authority\/12345678-1234-1234-1234-123456789012\/certificate\/286535153982981100925020015808220737245 @
    --
    -- The field is optional: callers should handle 'Prelude.Nothing'
    -- explicitly rather than assume a certificate identifier came back.
    certificateArn :: Prelude.Maybe Prelude.Text
  , -- | The response's http status code.
    httpStatus :: Prelude.Int
  }
  deriving (Prelude.Eq, Prelude.Read, Prelude.Show, Prelude.Generic)

-- |
-- Build an 'IssueCertificateResponse' from its one required field, leaving
-- every optional field unset.
--
-- Use <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify other optional fields.
--
-- Record fields, with the lenses kept for backwards compatibility:
--
-- 'certificateArn', 'issueCertificateResponse_certificateArn' - The Amazon Resource Name (ARN) of the issued certificate and the
-- certificate serial number. This is of the form:
--
-- @arn:aws:acm-pca:region:account:certificate-authority\/12345678-1234-1234-1234-123456789012\/certificate\/286535153982981100925020015808220737245 @
--
-- 'httpStatus', 'issueCertificateResponse_httpStatus' - The response's http status code.
newIssueCertificateResponse ::
  -- | 'httpStatus'
  Prelude.Int ->
  IssueCertificateResponse
newIssueCertificateResponse status =
  IssueCertificateResponse'
    { httpStatus = status,
      -- Starts out empty; it is filled in only when a response is parsed or
      -- a caller sets it through the lens.
      certificateArn = Prelude.Nothing
    }

-- | Lens onto the ARN of the issued certificate, which also carries the
-- certificate serial number. This is of the form:
--
-- @arn:aws:acm-pca:region:account:certificate-authority\/12345678-1234-1234-1234-123456789012\/certificate\/286535153982981100925020015808220737245 @
issueCertificateResponse_certificateArn :: Lens.Lens' IssueCertificateResponse (Prelude.Maybe Prelude.Text)
issueCertificateResponse_certificateArn = Lens.lens readArn writeArn
  where
    readArn IssueCertificateResponse' {certificateArn} = certificateArn
    -- The annotation on the update picks the record type, since
    -- DuplicateRecordFields is enabled for this module.
    writeArn resp@IssueCertificateResponse' {} newArn =
      resp {certificateArn = newArn} :: IssueCertificateResponse

-- | Lens onto the response's http status code.
issueCertificateResponse_httpStatus :: Lens.Lens' IssueCertificateResponse Prelude.Int
issueCertificateResponse_httpStatus = Lens.lens readStatus writeStatus
  where
    readStatus IssueCertificateResponse' {httpStatus} = httpStatus
    -- The annotation on the update picks the record type, since
    -- DuplicateRecordFields is enabled for this module.
    writeStatus resp@IssueCertificateResponse' {} newStatus =
      resp {httpStatus = newStatus} :: IssueCertificateResponse

-- Empty instance body: no method is defined here, so the class default is used
-- (presumably the Generic-based one, given the derived 'Prelude.Generic'
-- instance on the type — confirm).
instance Prelude.NFData IssueCertificateResponse