Class: AWS.PcaConnectorAd
- Inherits:
-
AWS.Service
- Object
- AWS.Service
- AWS.PcaConnectorAd
- Identifier:
- pcaconnectorad
- API Version:
- 2018-05-10
- Defined in:
- (unknown)
Overview
Constructs a service interface object. Each API operation is exposed as a function on service.
Service Description
Amazon Web Services Private CA Connector for Active Directory creates a connector between Amazon Web Services Private CA and Active Directory (AD) that enables you to provision security certificates for AD signed by a private CA that you own. For more information, see Amazon Web Services Private CA Connector for Active Directory.
Sending a Request Using PcaConnectorAd
var pcaconnectorad = new AWS.PcaConnectorAd();
pcaconnectorad.createConnector(params, function (err, data) {
if (err) console.log(err, err.stack); // an error occurred
else console.log(data); // successful response
});
Locking the API Version
In order to ensure that the PcaConnectorAd object uses this specific API, you can
construct the object by passing the apiVersion option to the constructor:
var pcaconnectorad = new AWS.PcaConnectorAd({apiVersion: '2018-05-10'});
You can also set the API version globally in AWS.config.apiVersions using
the pcaconnectorad service identifier:
AWS.config.apiVersions = {
pcaconnectorad: '2018-05-10',
// other service API versions
};
var pcaconnectorad = new AWS.PcaConnectorAd();
Version:
-
2018-05-10
Constructor Summary collapse
-
new AWS.PcaConnectorAd(options = {}) ⇒ Object
constructor
Constructs a service object.
Property Summary collapse
-
endpoint ⇒ AWS.Endpoint
readwrite
An Endpoint object representing the endpoint URL for service requests.
Properties inherited from AWS.Service
Method Summary collapse
-
createConnector(params = {}, callback) ⇒ AWS.Request
Creates a connector between Amazon Web Services Private CA and an Active Directory.
-
createDirectoryRegistration(params = {}, callback) ⇒ AWS.Request
Creates a directory registration that authorizes communication between Amazon Web Services Private CA and an Active Directory
.
-
createServicePrincipalName(params = {}, callback) ⇒ AWS.Request
Creates a service principal name (SPN) for the service account in Active Directory.
-
createTemplate(params = {}, callback) ⇒ AWS.Request
Creates an Active Directory compatible certificate template.
-
createTemplateGroupAccessControlEntry(params = {}, callback) ⇒ AWS.Request
Create a group access control entry.
-
deleteConnector(params = {}, callback) ⇒ AWS.Request
Deletes a connector for Active Directory.
-
deleteDirectoryRegistration(params = {}, callback) ⇒ AWS.Request
Deletes a directory registration.
-
deleteServicePrincipalName(params = {}, callback) ⇒ AWS.Request
Deletes the service principal name (SPN) used by a connector to authenticate with your Active Directory.
.
-
deleteTemplate(params = {}, callback) ⇒ AWS.Request
Deletes a template.
-
deleteTemplateGroupAccessControlEntry(params = {}, callback) ⇒ AWS.Request
Deletes a group access control entry.
.
-
getConnector(params = {}, callback) ⇒ AWS.Request
Lists information about your connector.
-
getDirectoryRegistration(params = {}, callback) ⇒ AWS.Request
A structure that contains information about your directory registration.
.
-
getServicePrincipalName(params = {}, callback) ⇒ AWS.Request
Lists the service principal name that the connector uses to authenticate with Active Directory.
.
-
getTemplate(params = {}, callback) ⇒ AWS.Request
Retrieves a certificate template that the connector uses to issue certificates from a private CA.
.
-
getTemplateGroupAccessControlEntry(params = {}, callback) ⇒ AWS.Request
Retrieves the group access control entries for a template.
.
-
listConnectors(params = {}, callback) ⇒ AWS.Request
Lists the connectors that you created by using the https://docs.aws.amazon.com/pca-connector-ad/latest/APIReference/API_CreateConnector action.
.
-
listDirectoryRegistrations(params = {}, callback) ⇒ AWS.Request
Lists the directory registrations that you created by using the https://docs.aws.amazon.com/pca-connector-ad/latest/APIReference/API_CreateDirectoryRegistration action.
.
-
listServicePrincipalNames(params = {}, callback) ⇒ AWS.Request
Lists the service principal names that the connector uses to authenticate with Active Directory.
.
-
listTagsForResource(params = {}, callback) ⇒ AWS.Request
Lists the tags, if any, that are associated with your resource.
-
listTemplateGroupAccessControlEntries(params = {}, callback) ⇒ AWS.Request
Lists group access control entries you created.
-
listTemplates(params = {}, callback) ⇒ AWS.Request
Lists the templates, if any, that are associated with a connector.
.
-
tagResource(params = {}, callback) ⇒ AWS.Request
Adds one or more tags to your resource.
.
-
untagResource(params = {}, callback) ⇒ AWS.Request
Removes one or more tags from your resource.
.
-
updateTemplate(params = {}, callback) ⇒ AWS.Request
Update template configuration to define the information included in certificates.
.
-
updateTemplateGroupAccessControlEntry(params = {}, callback) ⇒ AWS.Request
Update a group access control entry you created using CreateTemplateGroupAccessControlEntry.
Methods inherited from AWS.Service
makeRequest, makeUnauthenticatedRequest, waitFor, setupRequestListeners, defineService
Constructor Details
new AWS.PcaConnectorAd(options = {}) ⇒ Object
Constructs a service object. This object has one method for each API operation.
Examples:
Constructing a PcaConnectorAd object
var pcaconnectorad = new AWS.PcaConnectorAd({apiVersion: '2018-05-10'});Options Hash (options):
-
params
(map)
—
An optional map of parameters to bind to every request sent by this service object. For more information on bound parameters, see "Working with Services" in the Getting Started Guide.
-
endpoint
(String|AWS.Endpoint)
—
The endpoint URI to send requests to. The default endpoint is built from the configured
region. The endpoint should be a string like'https://{service}.{region}.amazonaws.com'or an Endpoint object. -
accessKeyId
(String)
—
your AWS access key ID.
-
secretAccessKey
(String)
—
your AWS secret access key.
-
sessionToken
(AWS.Credentials)
—
the optional AWS session token to sign requests with.
-
credentials
(AWS.Credentials)
—
the AWS credentials to sign requests with. You can either specify this object, or specify the accessKeyId and secretAccessKey options directly.
-
credentialProvider
(AWS.CredentialProviderChain)
—
the provider chain used to resolve credentials if no static
credentialsproperty is set. -
region
(String)
—
the region to send service requests to. See AWS.PcaConnectorAd.region for more information.
-
maxRetries
(Integer)
—
the maximum amount of retries to attempt with a request. See AWS.PcaConnectorAd.maxRetries for more information.
-
maxRedirects
(Integer)
—
the maximum amount of redirects to follow with a request. See AWS.PcaConnectorAd.maxRedirects for more information.
-
sslEnabled
(Boolean)
—
whether to enable SSL for requests.
-
paramValidation
(Boolean|map)
—
whether input parameters should be validated against the operation description before sending the request. Defaults to true. Pass a map to enable any of the following specific validation features:
- min [Boolean] — Validates that a value meets the min
constraint. This is enabled by default when paramValidation is set
to
true. - max [Boolean] — Validates that a value meets the max constraint.
- pattern [Boolean] — Validates that a string value matches a regular expression.
- enum [Boolean] — Validates that a string value matches one of the allowable enum values.
- min [Boolean] — Validates that a value meets the min
constraint. This is enabled by default when paramValidation is set
to
-
computeChecksums
(Boolean)
—
whether to compute checksums for payload bodies when the service accepts it (currently supported in S3 only)
-
convertResponseTypes
(Boolean)
—
whether types are converted when parsing response data. Currently only supported for JSON based services. Turning this off may improve performance on large response payloads. Defaults to
true. -
correctClockSkew
(Boolean)
—
whether to apply a clock skew correction and retry requests that fail because of an skewed client clock. Defaults to
false. -
s3ForcePathStyle
(Boolean)
—
whether to force path style URLs for S3 objects.
-
s3BucketEndpoint
(Boolean)
—
whether the provided endpoint addresses an individual bucket (false if it addresses the root API endpoint). Note that setting this configuration option requires an
endpointto be provided explicitly to the service constructor. -
s3DisableBodySigning
(Boolean)
—
whether S3 body signing should be disabled when using signature version
v4. Body signing can only be disabled when using https. Defaults totrue. -
s3UsEast1RegionalEndpoint
('legacy'|'regional')
—
when region is set to 'us-east-1', whether to send s3 request to global endpoints or 'us-east-1' regional endpoints. This config is only applicable to S3 client. Defaults to
legacy -
s3UseArnRegion
(Boolean)
—
whether to override the request region with the region inferred from requested resource's ARN. Only available for S3 buckets Defaults to
true -
retryDelayOptions
(map)
—
A set of options to configure the retry delay on retryable errors. Currently supported options are:
- base [Integer] — The base number of milliseconds to use in the exponential backoff for operation retries. Defaults to 100 ms for all services except DynamoDB, where it defaults to 50ms.
- customBackoff [function] — A custom function that accepts a
retry count and error and returns the amount of time to delay in
milliseconds. If the result is a non-zero negative value, no further
retry attempts will be made. The
baseoption will be ignored if this option is supplied. The function is only called for retryable errors.
-
httpOptions
(map)
—
A set of options to pass to the low-level HTTP request. Currently supported options are:
- proxy [String] — the URL to proxy requests through
- agent [http.Agent, https.Agent] — the Agent object to perform
HTTP requests with. Used for connection pooling. Defaults to the global
agent (
http.globalAgent) for non-SSL connections. Note that for SSL connections, a special Agent object is used in order to enable peer certificate verification. This feature is only available in the Node.js environment. - connectTimeout [Integer] — Sets the socket to timeout after
failing to establish a connection with the server after
connectTimeoutmilliseconds. This timeout has no effect once a socket connection has been established. - timeout [Integer] — Sets the socket to timeout after timeout milliseconds of inactivity on the socket. Defaults to two minutes (120000).
- xhrAsync [Boolean] — Whether the SDK will send asynchronous HTTP requests. Used in the browser environment only. Set to false to send requests synchronously. Defaults to true (async on).
- xhrWithCredentials [Boolean] — Sets the "withCredentials" property of an XMLHttpRequest object. Used in the browser environment only. Defaults to false.
-
apiVersion
(String, Date)
—
a String in YYYY-MM-DD format (or a date) that represents the latest possible API version that can be used in all services (unless overridden by
apiVersions). Specify 'latest' to use the latest possible version. -
apiVersions
(map<String, String|Date>)
—
a map of service identifiers (the lowercase service class name) with the API version to use when instantiating a service. Specify 'latest' for each individual that can use the latest available version.
-
logger
(#write, #log)
—
an object that responds to .write() (like a stream) or .log() (like the console object) in order to log information about requests
-
systemClockOffset
(Number)
—
an offset value in milliseconds to apply to all signing times. Use this to compensate for clock skew when your system may be out of sync with the service time. Note that this configuration option can only be applied to the global
AWS.configobject and cannot be overridden in service-specific configuration. Defaults to 0 milliseconds. -
signatureVersion
(String)
—
the signature version to sign requests with (overriding the API configuration). Possible values are: 'v2', 'v3', 'v4'.
-
signatureCache
(Boolean)
—
whether the signature to sign requests with (overriding the API configuration) is cached. Only applies to the signature version 'v4'. Defaults to
true. -
dynamoDbCrc32
(Boolean)
—
whether to validate the CRC32 checksum of HTTP response bodies returned by DynamoDB. Default:
true. -
useAccelerateEndpoint
(Boolean)
—
Whether to use the S3 Transfer Acceleration endpoint with the S3 service. Default:
false. -
clientSideMonitoring
(Boolean)
—
whether to collect and publish this client's performance metrics of all its API requests.
-
endpointDiscoveryEnabled
(Boolean|undefined)
—
whether to call operations with endpoints given by service dynamically. Setting this
-
endpointCacheSize
(Number)
—
the size of the global cache storing endpoints from endpoint discovery operations. Once endpoint cache is created, updating this setting cannot change existing cache size. Defaults to 1000
-
hostPrefixEnabled
(Boolean)
—
whether to marshal request parameters to the prefix of hostname. Defaults to
true. -
stsRegionalEndpoints
('legacy'|'regional')
—
whether to send sts request to global endpoints or regional endpoints. Defaults to 'legacy'.
-
useFipsEndpoint
(Boolean)
—
Enables FIPS compatible endpoints. Defaults to
false. -
useDualstackEndpoint
(Boolean)
—
Enables IPv6 dualstack endpoint. Defaults to
false.
Property Details
Method Details
createConnector(params = {}, callback) ⇒ AWS.Request
Creates a connector between Amazon Web Services Private CA and an Active Directory. You must specify the private CA, directory ID, and security groups.
Service Reference:
Examples:
Calling the createConnector operation
var params = {
CertificateAuthorityArn: 'STRING_VALUE', /* required */
DirectoryId: 'STRING_VALUE', /* required */
VpcInformation: { /* required */
SecurityGroupIds: [ /* required */
'STRING_VALUE',
/* more items */
]
},
ClientToken: 'STRING_VALUE',
Tags: {
'<String>': 'STRING_VALUE',
/* '<String>': ... */
}
};
pcaconnectorad.createConnector(params, function(err, data) {
if (err) console.log(err, err.stack); // an error occurred
else console.log(data); // successful response
});Parameters:
-
params
(Object)
(defaults to: {})
—
CertificateAuthorityArn— (String)The Amazon Resource Name (ARN) of the certificate authority being used.
ClientToken— (String)Idempotency token.
If a token is not provided, the SDK will use a version 4 UUID.DirectoryId— (String)The identifier of the Active Directory.
Tags— (map<String>)Metadata assigned to a connector consisting of a key-value pair.
VpcInformation— (map)Security group IDs that describe the inbound and outbound rules.
SecurityGroupIds— required — (Array<String>)The security groups used with the connector. You can use a maximum of 4 security groups with a connector.
Callback (callback):
-
function(err, data) { ... }
Called when a response from the service is returned. If a callback is not supplied, you must call AWS.Request.send() on the returned request object to initiate the request.
Context (this):
-
(AWS.Response)
—
the response object containing error, data properties, and the original request object.
Parameters:
-
err
(Error)
—
the error object returned from the request. Set to
nullif the request is successful. -
data
(Object)
—
the de-serialized data returned from the request. Set to
nullif a request error occurs. Thedataobject has the following properties:ConnectorArn— (String)If successful, the Amazon Resource Name (ARN) of the connector for Active Directory.
-
(AWS.Response)
—
Returns:
createDirectoryRegistration(params = {}, callback) ⇒ AWS.Request
Creates a directory registration that authorizes communication between Amazon Web Services Private CA and an Active Directory
Service Reference:
Examples:
Calling the createDirectoryRegistration operation
var params = {
DirectoryId: 'STRING_VALUE', /* required */
ClientToken: 'STRING_VALUE',
Tags: {
'<String>': 'STRING_VALUE',
/* '<String>': ... */
}
};
pcaconnectorad.createDirectoryRegistration(params, function(err, data) {
if (err) console.log(err, err.stack); // an error occurred
else console.log(data); // successful response
});Parameters:
-
params
(Object)
(defaults to: {})
—
ClientToken— (String)Idempotency token.
If a token is not provided, the SDK will use a version 4 UUID.DirectoryId— (String)The identifier of the Active Directory.
Tags— (map<String>)Metadata assigned to a directory registration consisting of a key-value pair.
Callback (callback):
-
function(err, data) { ... }
Called when a response from the service is returned. If a callback is not supplied, you must call AWS.Request.send() on the returned request object to initiate the request.
Context (this):
-
(AWS.Response)
—
the response object containing error, data properties, and the original request object.
Parameters:
-
err
(Error)
—
the error object returned from the request. Set to
nullif the request is successful. -
data
(Object)
—
the de-serialized data returned from the request. Set to
nullif a request error occurs. Thedataobject has the following properties:DirectoryRegistrationArn— (String)The Amazon Resource Name (ARN) that was returned when you called CreateDirectoryRegistration.
-
(AWS.Response)
—
Returns:
createServicePrincipalName(params = {}, callback) ⇒ AWS.Request
Creates a service principal name (SPN) for the service account in Active Directory. Kerberos authentication uses SPNs to associate a service instance with a service sign-in account.
Service Reference:
Examples:
Calling the createServicePrincipalName operation
var params = {
ConnectorArn: 'STRING_VALUE', /* required */
DirectoryRegistrationArn: 'STRING_VALUE', /* required */
ClientToken: 'STRING_VALUE'
};
pcaconnectorad.createServicePrincipalName(params, function(err, data) {
if (err) console.log(err, err.stack); // an error occurred
else console.log(data); // successful response
});Parameters:
-
params
(Object)
(defaults to: {})
—
ClientToken— (String)Idempotency token.
If a token is not provided, the SDK will use a version 4 UUID.ConnectorArn— (String)The Amazon Resource Name (ARN) that was returned when you called CreateConnector.
DirectoryRegistrationArn— (String)The Amazon Resource Name (ARN) that was returned when you called CreateDirectoryRegistration.
Callback (callback):
-
function(err, data) { ... }
Called when a response from the service is returned. If a callback is not supplied, you must call AWS.Request.send() on the returned request object to initiate the request.
Context (this):
-
(AWS.Response)
—
the response object containing error, data properties, and the original request object.
Parameters:
-
err
(Error)
—
the error object returned from the request. Set to
nullif the request is successful. -
data
(Object)
—
the de-serialized data returned from the request. Set to
nullif a request error occurs.
-
(AWS.Response)
—
Returns:
createTemplate(params = {}, callback) ⇒ AWS.Request
Creates an Active Directory compatible certificate template. The connectors issues certificates using these templates based on the requester’s Active Directory group membership.
Service Reference:
Examples:
Calling the createTemplate operation
var params = {
ConnectorArn: 'STRING_VALUE', /* required */
Definition: { /* required */
TemplateV2: {
CertificateValidity: { /* required */
RenewalPeriod: { /* required */
Period: 'NUMBER_VALUE', /* required */
PeriodType: HOURS | DAYS | WEEKS | MONTHS | YEARS /* required */
},
ValidityPeriod: { /* required */
Period: 'NUMBER_VALUE', /* required */
PeriodType: HOURS | DAYS | WEEKS | MONTHS | YEARS /* required */
}
},
EnrollmentFlags: { /* required */
EnableKeyReuseOnNtTokenKeysetStorageFull: true || false,
IncludeSymmetricAlgorithms: true || false,
NoSecurityExtension: true || false,
RemoveInvalidCertificateFromPersonalStore: true || false,
UserInteractionRequired: true || false
},
Extensions: { /* required */
KeyUsage: { /* required */
UsageFlags: { /* required */
DataEncipherment: true || false,
DigitalSignature: true || false,
KeyAgreement: true || false,
KeyEncipherment: true || false,
NonRepudiation: true || false
},
Critical: true || false
},
ApplicationPolicies: {
Policies: [ /* required */
{
PolicyObjectIdentifier: 'STRING_VALUE',
PolicyType: ALL_APPLICATION_POLICIES | ANY_PURPOSE | ATTESTATION_IDENTITY_KEY_CERTIFICATE | CERTIFICATE_REQUEST_AGENT | CLIENT_AUTHENTICATION | CODE_SIGNING | CTL_USAGE | DIGITAL_RIGHTS | DIRECTORY_SERVICE_EMAIL_REPLICATION | DISALLOWED_LIST | DNS_SERVER_TRUST | DOCUMENT_ENCRYPTION | DOCUMENT_SIGNING | DYNAMIC_CODE_GENERATOR | EARLY_LAUNCH_ANTIMALWARE_DRIVER | EMBEDDED_WINDOWS_SYSTEM_COMPONENT_VERIFICATION | ENCLAVE | ENCRYPTING_FILE_SYSTEM | ENDORSEMENT_KEY_CERTIFICATE | FILE_RECOVERY | HAL_EXTENSION | IP_SECURITY_END_SYSTEM | IP_SECURITY_IKE_INTERMEDIATE | IP_SECURITY_TUNNEL_TERMINATION | IP_SECURITY_USER | ISOLATED_USER_MODE | KDC_AUTHENTICATION | KERNEL_MODE_CODE_SIGNING | KEY_PACK_LICENSES | KEY_RECOVERY | KEY_RECOVERY_AGENT | LICENSE_SERVER_VERIFICATION | LIFETIME_SIGNING | MICROSOFT_PUBLISHER | MICROSOFT_TIME_STAMPING | MICROSOFT_TRUST_LIST_SIGNING | OCSP_SIGNING | OEM_WINDOWS_SYSTEM_COMPONENT_VERIFICATION | PLATFORM_CERTIFICATE | PREVIEW_BUILD_SIGNING | PRIVATE_KEY_ARCHIVAL | PROTECTED_PROCESS_LIGHT_VERIFICATION | PROTECTED_PROCESS_VERIFICATION | QUALIFIED_SUBORDINATION | REVOKED_LIST_SIGNER | ROOT_PROGRAM_AUTO_UPDATE_CA_REVOCATION | ROOT_PROGRAM_AUTO_UPDATE_END_REVOCATION | ROOT_PROGRAM_NO_OSCP_FAILOVER_TO_CRL | ROOT_LIST_SIGNER | SECURE_EMAIL | SERVER_AUTHENTICATION | SMART_CARD_LOGIN | SPC_ENCRYPTED_DIGEST_RETRY_COUNT | SPC_RELAXED_PE_MARKER_CHECK | TIME_STAMPING | WINDOWS_HARDWARE_DRIVER_ATTESTED_VERIFICATION | WINDOWS_HARDWARE_DRIVER_EXTENDED_VERIFICATION | WINDOWS_HARDWARE_DRIVER_VERIFICATION | WINDOWS_HELLO_RECOVERY_KEY_ENCRYPTION | WINDOWS_KITS_COMPONENT | WINDOWS_RT_VERIFICATION | WINDOWS_SOFTWARE_EXTENSION_VERIFICATION | WINDOWS_STORE | WINDOWS_SYSTEM_COMPONENT_VERIFICATION | WINDOWS_TCB_COMPONENT | WINDOWS_THIRD_PARTY_APPLICATION_COMPONENT | WINDOWS_UPDATE
},
/* more items */
],
Critical: true || false
}
},
GeneralFlags: { /* required */
AutoEnrollment: true || false,
MachineType: true || false
},
PrivateKeyAttributes: { /* required */
KeySpec: KEY_EXCHANGE | SIGNATURE, /* required */
MinimalKeyLength: 'NUMBER_VALUE', /* required */
CryptoProviders: [
'STRING_VALUE',
/* more items */
]
},
PrivateKeyFlags: { /* required */
ClientVersion: WINDOWS_SERVER_2003 | WINDOWS_SERVER_2008 | WINDOWS_SERVER_2008_R2 | WINDOWS_SERVER_2012 | WINDOWS_SERVER_2012_R2 | WINDOWS_SERVER_2016, /* required */
ExportableKey: true || false,
StrongKeyProtectionRequired: true || false
},
SubjectNameFlags: { /* required */
RequireCommonName: true || false,
RequireDirectoryPath: true || false,
RequireDnsAsCn: true || false,
RequireEmail: true || false,
SanRequireDirectoryGuid: true || false,
SanRequireDns: true || false,
SanRequireDomainDns: true || false,
SanRequireEmail: true || false,
SanRequireSpn: true || false,
SanRequireUpn: true || false
},
SupersededTemplates: [
'STRING_VALUE',
/* more items */
]
},
TemplateV3: {
CertificateValidity: { /* required */
RenewalPeriod: { /* required */
Period: 'NUMBER_VALUE', /* required */
PeriodType: HOURS | DAYS | WEEKS | MONTHS | YEARS /* required */
},
ValidityPeriod: { /* required */
Period: 'NUMBER_VALUE', /* required */
PeriodType: HOURS | DAYS | WEEKS | MONTHS | YEARS /* required */
}
},
EnrollmentFlags: { /* required */
EnableKeyReuseOnNtTokenKeysetStorageFull: true || false,
IncludeSymmetricAlgorithms: true || false,
NoSecurityExtension: true || false,
RemoveInvalidCertificateFromPersonalStore: true || false,
UserInteractionRequired: true || false
},
Extensions: { /* required */
KeyUsage: { /* required */
UsageFlags: { /* required */
DataEncipherment: true || false,
DigitalSignature: true || false,
KeyAgreement: true || false,
KeyEncipherment: true || false,
NonRepudiation: true || false
},
Critical: true || false
},
ApplicationPolicies: {
Policies: [ /* required */
{
PolicyObjectIdentifier: 'STRING_VALUE',
PolicyType: ALL_APPLICATION_POLICIES | ANY_PURPOSE | ATTESTATION_IDENTITY_KEY_CERTIFICATE | CERTIFICATE_REQUEST_AGENT | CLIENT_AUTHENTICATION | CODE_SIGNING | CTL_USAGE | DIGITAL_RIGHTS | DIRECTORY_SERVICE_EMAIL_REPLICATION | DISALLOWED_LIST | DNS_SERVER_TRUST | DOCUMENT_ENCRYPTION | DOCUMENT_SIGNING | DYNAMIC_CODE_GENERATOR | EARLY_LAUNCH_ANTIMALWARE_DRIVER | EMBEDDED_WINDOWS_SYSTEM_COMPONENT_VERIFICATION | ENCLAVE | ENCRYPTING_FILE_SYSTEM | ENDORSEMENT_KEY_CERTIFICATE | FILE_RECOVERY | HAL_EXTENSION | IP_SECURITY_END_SYSTEM | IP_SECURITY_IKE_INTERMEDIATE | IP_SECURITY_TUNNEL_TERMINATION | IP_SECURITY_USER | ISOLATED_USER_MODE | KDC_AUTHENTICATION | KERNEL_MODE_CODE_SIGNING | KEY_PACK_LICENSES | KEY_RECOVERY | KEY_RECOVERY_AGENT | LICENSE_SERVER_VERIFICATION | LIFETIME_SIGNING | MICROSOFT_PUBLISHER | MICROSOFT_TIME_STAMPING | MICROSOFT_TRUST_LIST_SIGNING | OCSP_SIGNING | OEM_WINDOWS_SYSTEM_COMPONENT_VERIFICATION | PLATFORM_CERTIFICATE | PREVIEW_BUILD_SIGNING | PRIVATE_KEY_ARCHIVAL | PROTECTED_PROCESS_LIGHT_VERIFICATION | PROTECTED_PROCESS_VERIFICATION | QUALIFIED_SUBORDINATION | REVOKED_LIST_SIGNER | ROOT_PROGRAM_AUTO_UPDATE_CA_REVOCATION | ROOT_PROGRAM_AUTO_UPDATE_END_REVOCATION | ROOT_PROGRAM_NO_OSCP_FAILOVER_TO_CRL | ROOT_LIST_SIGNER | SECURE_EMAIL | SERVER_AUTHENTICATION | SMART_CARD_LOGIN | SPC_ENCRYPTED_DIGEST_RETRY_COUNT | SPC_RELAXED_PE_MARKER_CHECK | TIME_STAMPING | WINDOWS_HARDWARE_DRIVER_ATTESTED_VERIFICATION | WINDOWS_HARDWARE_DRIVER_EXTENDED_VERIFICATION | WINDOWS_HARDWARE_DRIVER_VERIFICATION | WINDOWS_HELLO_RECOVERY_KEY_ENCRYPTION | WINDOWS_KITS_COMPONENT | WINDOWS_RT_VERIFICATION | WINDOWS_SOFTWARE_EXTENSION_VERIFICATION | WINDOWS_STORE | WINDOWS_SYSTEM_COMPONENT_VERIFICATION | WINDOWS_TCB_COMPONENT | WINDOWS_THIRD_PARTY_APPLICATION_COMPONENT | WINDOWS_UPDATE
},
/* more items */
],
Critical: true || false
}
},
GeneralFlags: { /* required */
AutoEnrollment: true || false,
MachineType: true || false
},
HashAlgorithm: SHA256 | SHA384 | SHA512, /* required */
PrivateKeyAttributes: { /* required */
Algorithm: RSA | ECDH_P256 | ECDH_P384 | ECDH_P521, /* required */
KeySpec: KEY_EXCHANGE | SIGNATURE, /* required */
KeyUsageProperty: { /* required */
PropertyFlags: {
Decrypt: true || false,
KeyAgreement: true || false,
Sign: true || false
},
PropertyType: ALL
},
MinimalKeyLength: 'NUMBER_VALUE', /* required */
CryptoProviders: [
'STRING_VALUE',
/* more items */
]
},
PrivateKeyFlags: { /* required */
ClientVersion: WINDOWS_SERVER_2008 | WINDOWS_SERVER_2008_R2 | WINDOWS_SERVER_2012 | WINDOWS_SERVER_2012_R2 | WINDOWS_SERVER_2016, /* required */
ExportableKey: true || false,
RequireAlternateSignatureAlgorithm: true || false,
StrongKeyProtectionRequired: true || false
},
SubjectNameFlags: { /* required */
RequireCommonName: true || false,
RequireDirectoryPath: true || false,
RequireDnsAsCn: true || false,
RequireEmail: true || false,
SanRequireDirectoryGuid: true || false,
SanRequireDns: true || false,
SanRequireDomainDns: true || false,
SanRequireEmail: true || false,
SanRequireSpn: true || false,
SanRequireUpn: true || false
},
SupersededTemplates: [
'STRING_VALUE',
/* more items */
]
},
TemplateV4: {
CertificateValidity: { /* required */
RenewalPeriod: { /* required */
Period: 'NUMBER_VALUE', /* required */
PeriodType: HOURS | DAYS | WEEKS | MONTHS | YEARS /* required */
},
ValidityPeriod: { /* required */
Period: 'NUMBER_VALUE', /* required */
PeriodType: HOURS | DAYS | WEEKS | MONTHS | YEARS /* required */
}
},
EnrollmentFlags: { /* required */
EnableKeyReuseOnNtTokenKeysetStorageFull: true || false,
IncludeSymmetricAlgorithms: true || false,
NoSecurityExtension: true || false,
RemoveInvalidCertificateFromPersonalStore: true || false,
UserInteractionRequired: true || false
},
Extensions: { /* required */
KeyUsage: { /* required */
UsageFlags: { /* required */
DataEncipherment: true || false,
DigitalSignature: true || false,
KeyAgreement: true || false,
KeyEncipherment: true || false,
NonRepudiation: true || false
},
Critical: true || false
},
ApplicationPolicies: {
Policies: [ /* required */
{
PolicyObjectIdentifier: 'STRING_VALUE',
PolicyType: ALL_APPLICATION_POLICIES | ANY_PURPOSE | ATTESTATION_IDENTITY_KEY_CERTIFICATE | CERTIFICATE_REQUEST_AGENT | CLIENT_AUTHENTICATION | CODE_SIGNING | CTL_USAGE | DIGITAL_RIGHTS | DIRECTORY_SERVICE_EMAIL_REPLICATION | DISALLOWED_LIST | DNS_SERVER_TRUST | DOCUMENT_ENCRYPTION | DOCUMENT_SIGNING | DYNAMIC_CODE_GENERATOR | EARLY_LAUNCH_ANTIMALWARE_DRIVER | EMBEDDED_WINDOWS_SYSTEM_COMPONENT_VERIFICATION | ENCLAVE | ENCRYPTING_FILE_SYSTEM | ENDORSEMENT_KEY_CERTIFICATE | FILE_RECOVERY | HAL_EXTENSION | IP_SECURITY_END_SYSTEM | IP_SECURITY_IKE_INTERMEDIATE | IP_SECURITY_TUNNEL_TERMINATION | IP_SECURITY_USER | ISOLATED_USER_MODE | KDC_AUTHENTICATION | KERNEL_MODE_CODE_SIGNING | KEY_PACK_LICENSES | KEY_RECOVERY | KEY_RECOVERY_AGENT | LICENSE_SERVER_VERIFICATION | LIFETIME_SIGNING | MICROSOFT_PUBLISHER | MICROSOFT_TIME_STAMPING | MICROSOFT_TRUST_LIST_SIGNING | OCSP_SIGNING | OEM_WINDOWS_SYSTEM_COMPONENT_VERIFICATION | PLATFORM_CERTIFICATE | PREVIEW_BUILD_SIGNING | PRIVATE_KEY_ARCHIVAL | PROTECTED_PROCESS_LIGHT_VERIFICATION | PROTECTED_PROCESS_VERIFICATION | QUALIFIED_SUBORDINATION | REVOKED_LIST_SIGNER | ROOT_PROGRAM_AUTO_UPDATE_CA_REVOCATION | ROOT_PROGRAM_AUTO_UPDATE_END_REVOCATION | ROOT_PROGRAM_NO_OSCP_FAILOVER_TO_CRL | ROOT_LIST_SIGNER | SECURE_EMAIL | SERVER_AUTHENTICATION | SMART_CARD_LOGIN | SPC_ENCRYPTED_DIGEST_RETRY_COUNT | SPC_RELAXED_PE_MARKER_CHECK | TIME_STAMPING | WINDOWS_HARDWARE_DRIVER_ATTESTED_VERIFICATION | WINDOWS_HARDWARE_DRIVER_EXTENDED_VERIFICATION | WINDOWS_HARDWARE_DRIVER_VERIFICATION | WINDOWS_HELLO_RECOVERY_KEY_ENCRYPTION | WINDOWS_KITS_COMPONENT | WINDOWS_RT_VERIFICATION | WINDOWS_SOFTWARE_EXTENSION_VERIFICATION | WINDOWS_STORE | WINDOWS_SYSTEM_COMPONENT_VERIFICATION | WINDOWS_TCB_COMPONENT | WINDOWS_THIRD_PARTY_APPLICATION_COMPONENT | WINDOWS_UPDATE
},
/* more items */
],
Critical: true || false
}
},
GeneralFlags: { /* required */
AutoEnrollment: true || false,
MachineType: true || false
},
PrivateKeyAttributes: { /* required */
KeySpec: KEY_EXCHANGE | SIGNATURE, /* required */
MinimalKeyLength: 'NUMBER_VALUE', /* required */
Algorithm: RSA | ECDH_P256 | ECDH_P384 | ECDH_P521,
CryptoProviders: [
'STRING_VALUE',
/* more items */
],
KeyUsageProperty: {
PropertyFlags: {
Decrypt: true || false,
KeyAgreement: true || false,
Sign: true || false
},
PropertyType: ALL
}
},
PrivateKeyFlags: { /* required */
ClientVersion: WINDOWS_SERVER_2012 | WINDOWS_SERVER_2012_R2 | WINDOWS_SERVER_2016, /* required */
ExportableKey: true || false,
RequireAlternateSignatureAlgorithm: true || false,
RequireSameKeyRenewal: true || false,
StrongKeyProtectionRequired: true || false,
UseLegacyProvider: true || false
},
SubjectNameFlags: { /* required */
RequireCommonName: true || false,
RequireDirectoryPath: true || false,
RequireDnsAsCn: true || false,
RequireEmail: true || false,
SanRequireDirectoryGuid: true || false,
SanRequireDns: true || false,
SanRequireDomainDns: true || false,
SanRequireEmail: true || false,
SanRequireSpn: true || false,
SanRequireUpn: true || false
},
HashAlgorithm: SHA256 | SHA384 | SHA512,
SupersededTemplates: [
'STRING_VALUE',
/* more items */
]
}
},
Name: 'STRING_VALUE', /* required */
ClientToken: 'STRING_VALUE',
Tags: {
'<String>': 'STRING_VALUE',
/* '<String>': ... */
}
};
pcaconnectorad.createTemplate(params, function(err, data) {
if (err) console.log(err, err.stack); // an error occurred
else console.log(data); // successful response
});Parameters:
-
params
(Object)
(defaults to: {})
—
ClientToken— (String)Idempotency token.
If a token is not provided, the SDK will use a version 4 UUID.ConnectorArn— (String)The Amazon Resource Name (ARN) that was returned when you called CreateConnector.
Definition— (map)Template configuration to define the information included in certificates. Define certificate validity and renewal periods, certificate request handling and enrollment options, key usage extensions, application policies, and cryptography settings.
TemplateV2— (map)Template configuration to define the information included in certificates. Define certificate validity and renewal periods, certificate request handling and enrollment options, key usage extensions, application policies, and cryptography settings.
CertificateValidity— required — (map)Certificate validity describes the validity and renewal periods of a certificate.
RenewalPeriod— required — (map)Renewal period is the period of time before certificate expiration when a new certificate will be requested.
Period— required — (Integer)The numeric value for the validity period.
PeriodType— required — (String)The unit of time. You can select hours, days, weeks, months, and years.
Possible values include:"HOURS""DAYS""WEEKS""MONTHS""YEARS"
ValidityPeriod— required — (map)Information describing the end of the validity period of the certificate. This parameter sets the “Not After” date for the certificate. Certificate validity is the period of time during which a certificate is valid. Validity can be expressed as an explicit date and time when the certificate expires, or as a span of time after issuance, stated in days, months, or years. For more information, see Validity in RFC 5280. This value is unaffected when ValidityNotBefore is also specified. For example, if Validity is set to 20 days in the future, the certificate will expire 20 days from issuance time regardless of the ValidityNotBefore value.
Period— required — (Integer)The numeric value for the validity period.
PeriodType— required — (String)The unit of time. You can select hours, days, weeks, months, and years.
Possible values include:"HOURS""DAYS""WEEKS""MONTHS""YEARS"
EnrollmentFlags— required — (map)Enrollment flags describe the enrollment settings for certificates such as using the existing private key and deleting expired or revoked certificates.
EnableKeyReuseOnNtTokenKeysetStorageFull— (Boolean)Allow renewal using the same key.
IncludeSymmetricAlgorithms— (Boolean)Include symmetric algorithms allowed by the subject.
NoSecurityExtension— (Boolean)This flag instructs the CA to not include the security extension szOID_NTDS_CA_SECURITY_EXT (OID:1.3.6.1.4.1.311.25.2), as specified in [MS-WCCE] sections 2.2.2.7.7.4 and 3.2.2.6.2.1.4.5.9, in the issued certificate. This addresses a Windows Kerberos elevation-of-privilege vulnerability.
RemoveInvalidCertificateFromPersonalStore— (Boolean)Delete expired or revoked certificates instead of archiving them.
UserInteractionRequired— (Boolean)Require user interaction when the subject is enrolled and the private key associated with the certificate is used.
Extensions— required — (map)Extensions describe the key usage extensions and application policies for a template.
ApplicationPolicies— (map)Application policies specify what the certificate is used for and its purpose.
Critical— (Boolean)Marks the application policy extension as critical.
Policies— required — (Array<map>)Application policies describe what the certificate can be used for.
PolicyObjectIdentifier— (String)The object identifier (OID) of an application policy.
PolicyType— (String)The type of application policy
Possible values include:"ALL_APPLICATION_POLICIES""ANY_PURPOSE""ATTESTATION_IDENTITY_KEY_CERTIFICATE""CERTIFICATE_REQUEST_AGENT""CLIENT_AUTHENTICATION""CODE_SIGNING""CTL_USAGE""DIGITAL_RIGHTS""DIRECTORY_SERVICE_EMAIL_REPLICATION""DISALLOWED_LIST""DNS_SERVER_TRUST""DOCUMENT_ENCRYPTION""DOCUMENT_SIGNING""DYNAMIC_CODE_GENERATOR""EARLY_LAUNCH_ANTIMALWARE_DRIVER""EMBEDDED_WINDOWS_SYSTEM_COMPONENT_VERIFICATION""ENCLAVE""ENCRYPTING_FILE_SYSTEM""ENDORSEMENT_KEY_CERTIFICATE""FILE_RECOVERY""HAL_EXTENSION""IP_SECURITY_END_SYSTEM""IP_SECURITY_IKE_INTERMEDIATE""IP_SECURITY_TUNNEL_TERMINATION""IP_SECURITY_USER""ISOLATED_USER_MODE""KDC_AUTHENTICATION""KERNEL_MODE_CODE_SIGNING""KEY_PACK_LICENSES""KEY_RECOVERY""KEY_RECOVERY_AGENT""LICENSE_SERVER_VERIFICATION""LIFETIME_SIGNING""MICROSOFT_PUBLISHER""MICROSOFT_TIME_STAMPING""MICROSOFT_TRUST_LIST_SIGNING""OCSP_SIGNING""OEM_WINDOWS_SYSTEM_COMPONENT_VERIFICATION""PLATFORM_CERTIFICATE""PREVIEW_BUILD_SIGNING""PRIVATE_KEY_ARCHIVAL""PROTECTED_PROCESS_LIGHT_VERIFICATION""PROTECTED_PROCESS_VERIFICATION""QUALIFIED_SUBORDINATION""REVOKED_LIST_SIGNER""ROOT_PROGRAM_AUTO_UPDATE_CA_REVOCATION""ROOT_PROGRAM_AUTO_UPDATE_END_REVOCATION""ROOT_PROGRAM_NO_OSCP_FAILOVER_TO_CRL""ROOT_LIST_SIGNER""SECURE_EMAIL""SERVER_AUTHENTICATION""SMART_CARD_LOGIN""SPC_ENCRYPTED_DIGEST_RETRY_COUNT""SPC_RELAXED_PE_MARKER_CHECK""TIME_STAMPING""WINDOWS_HARDWARE_DRIVER_ATTESTED_VERIFICATION""WINDOWS_HARDWARE_DRIVER_EXTENDED_VERIFICATION""WINDOWS_HARDWARE_DRIVER_VERIFICATION""WINDOWS_HELLO_RECOVERY_KEY_ENCRYPTION""WINDOWS_KITS_COMPONENT""WINDOWS_RT_VERIFICATION""WINDOWS_SOFTWARE_EXTENSION_VERIFICATION""WINDOWS_STORE""WINDOWS_SYSTEM_COMPONENT_VERIFICATION""WINDOWS_TCB_COMPONENT""WINDOWS_THIRD_PARTY_APPLICATION_COMPONENT""WINDOWS_UPDATE"
KeyUsage— required — (map)The key usage extension defines the purpose (e.g., encipherment, signature, certificate signing) of the key contained in the certificate.
Critical— (Boolean)Sets the key usage extension to critical.
UsageFlags— required — (map)The key usage flags represent the purpose (e.g., encipherment, signature) of the key contained in the certificate.
DataEncipherment— (Boolean)DataEncipherment is asserted when the subject public key is used for directly enciphering raw user data without the use of an intermediate symmetric cipher.
DigitalSignature— (Boolean)The digitalSignature is asserted when the subject public key is used for verifying digital signatures.
KeyAgreement— (Boolean)KeyAgreement is asserted when the subject public key is used for key agreement.
KeyEncipherment— (Boolean)KeyEncipherment is asserted when the subject public key is used for enciphering private or secret keys, i.e., for key transport.
NonRepudiation— (Boolean)NonRepudiation is asserted when the subject public key is used to verify digital signatures.
GeneralFlags— required — (map)General flags describe whether the template is used for computers or users and if the template can be used with autoenrollment.
AutoEnrollment— (Boolean)Allows certificate issuance using autoenrollment. Set to TRUE to allow autoenrollment.
MachineType— (Boolean)Defines if the template is for machines or users. Set to TRUE if the template is for machines. Set to FALSE if the template is for users.
PrivateKeyAttributes— required — (map)Private key attributes allow you to specify the minimal key length, key spec, and cryptographic providers for the private key of a certificate for v2 templates. V2 templates allow you to use Legacy Cryptographic Service Providers.
CryptoProviders— (Array<String>)Defines the cryptographic providers used to generate the private key.
KeySpec— required — (String)Defines the purpose of the private key. Set it to "KEY_EXCHANGE" or "SIGNATURE" value.
Possible values include:"KEY_EXCHANGE""SIGNATURE"
MinimalKeyLength— required — (Integer)Set the minimum key length of the private key.
PrivateKeyFlags— required — (map)Private key flags for v2 templates specify the client compatibility, if the private key can be exported, and if user input is required when using a private key.
ClientVersion— required — (String)Defines the minimum client compatibility.
Possible values include:"WINDOWS_SERVER_2003""WINDOWS_SERVER_2008""WINDOWS_SERVER_2008_R2""WINDOWS_SERVER_2012""WINDOWS_SERVER_2012_R2""WINDOWS_SERVER_2016"
ExportableKey— (Boolean)Allows the private key to be exported.
StrongKeyProtectionRequired— (Boolean)Require user input when using the private key for enrollment.
SubjectNameFlags— required — (map)Subject name flags describe the subject name and subject alternate name that is included in a certificate.
RequireCommonName— (Boolean)Include the common name in the subject name.
RequireDirectoryPath— (Boolean)Include the directory path in the subject name.
RequireDnsAsCn— (Boolean)Include the DNS as common name in the subject name.
RequireEmail— (Boolean)Include the subject's email in the subject name.
SanRequireDirectoryGuid— (Boolean)Include the globally unique identifier (GUID) in the subject alternate name.
SanRequireDns— (Boolean)Include the DNS in the subject alternate name.
SanRequireDomainDns— (Boolean)Include the domain DNS in the subject alternate name.
SanRequireEmail— (Boolean)Include the subject's email in the subject alternate name.
SanRequireSpn— (Boolean)Include the service principal name (SPN) in the subject alternate name.
SanRequireUpn— (Boolean)Include the user principal name (UPN) in the subject alternate name.
SupersededTemplates— (Array<String>)List of templates in Active Directory that are superseded by this template.
TemplateV3— (map)Template configuration to define the information included in certificates. Define certificate validity and renewal periods, certificate request handling and enrollment options, key usage extensions, application policies, and cryptography settings.
CertificateValidity— required — (map)Certificate validity describes the validity and renewal periods of a certificate.
RenewalPeriod— required — (map)Renewal period is the period of time before certificate expiration when a new certificate will be requested.
Period— required — (Integer)The numeric value for the validity period.
PeriodType— required — (String)The unit of time. You can select hours, days, weeks, months, and years.
Possible values include:"HOURS""DAYS""WEEKS""MONTHS""YEARS"
ValidityPeriod— required — (map)Information describing the end of the validity period of the certificate. This parameter sets the “Not After” date for the certificate. Certificate validity is the period of time during which a certificate is valid. Validity can be expressed as an explicit date and time when the certificate expires, or as a span of time after issuance, stated in days, months, or years. For more information, see Validity in RFC 5280. This value is unaffected when ValidityNotBefore is also specified. For example, if Validity is set to 20 days in the future, the certificate will expire 20 days from issuance time regardless of the ValidityNotBefore value.
Period— required — (Integer)The numeric value for the validity period.
PeriodType— required — (String)The unit of time. You can select hours, days, weeks, months, and years.
Possible values include:"HOURS""DAYS""WEEKS""MONTHS""YEARS"
EnrollmentFlags— required — (map)Enrollment flags describe the enrollment settings for certificates such as using the existing private key and deleting expired or revoked certificates.
EnableKeyReuseOnNtTokenKeysetStorageFull— (Boolean)Allow renewal using the same key.
IncludeSymmetricAlgorithms— (Boolean)Include symmetric algorithms allowed by the subject.
NoSecurityExtension— (Boolean)This flag instructs the CA to not include the security extension szOID_NTDS_CA_SECURITY_EXT (OID:1.3.6.1.4.1.311.25.2), as specified in [MS-WCCE] sections 2.2.2.7.7.4 and 3.2.2.6.2.1.4.5.9, in the issued certificate. This addresses a Windows Kerberos elevation-of-privilege vulnerability.
RemoveInvalidCertificateFromPersonalStore— (Boolean)Delete expired or revoked certificates instead of archiving them.
UserInteractionRequired— (Boolean)Require user interaction when the subject is enrolled and the private key associated with the certificate is used.
Extensions— required — (map)Extensions describe the key usage extensions and application policies for a template.
ApplicationPolicies— (map)Application policies specify what the certificate is used for and its purpose.
Critical— (Boolean)Marks the application policy extension as critical.
Policies— required — (Array<map>)Application policies describe what the certificate can be used for.
PolicyObjectIdentifier— (String)The object identifier (OID) of an application policy.
PolicyType— (String)The type of application policy
Possible values include:"ALL_APPLICATION_POLICIES""ANY_PURPOSE""ATTESTATION_IDENTITY_KEY_CERTIFICATE""CERTIFICATE_REQUEST_AGENT""CLIENT_AUTHENTICATION""CODE_SIGNING""CTL_USAGE""DIGITAL_RIGHTS""DIRECTORY_SERVICE_EMAIL_REPLICATION""DISALLOWED_LIST""DNS_SERVER_TRUST""DOCUMENT_ENCRYPTION""DOCUMENT_SIGNING""DYNAMIC_CODE_GENERATOR""EARLY_LAUNCH_ANTIMALWARE_DRIVER""EMBEDDED_WINDOWS_SYSTEM_COMPONENT_VERIFICATION""ENCLAVE""ENCRYPTING_FILE_SYSTEM""ENDORSEMENT_KEY_CERTIFICATE""FILE_RECOVERY""HAL_EXTENSION""IP_SECURITY_END_SYSTEM""IP_SECURITY_IKE_INTERMEDIATE""IP_SECURITY_TUNNEL_TERMINATION""IP_SECURITY_USER""ISOLATED_USER_MODE""KDC_AUTHENTICATION""KERNEL_MODE_CODE_SIGNING""KEY_PACK_LICENSES""KEY_RECOVERY""KEY_RECOVERY_AGENT""LICENSE_SERVER_VERIFICATION""LIFETIME_SIGNING""MICROSOFT_PUBLISHER""MICROSOFT_TIME_STAMPING""MICROSOFT_TRUST_LIST_SIGNING""OCSP_SIGNING""OEM_WINDOWS_SYSTEM_COMPONENT_VERIFICATION""PLATFORM_CERTIFICATE""PREVIEW_BUILD_SIGNING""PRIVATE_KEY_ARCHIVAL""PROTECTED_PROCESS_LIGHT_VERIFICATION""PROTECTED_PROCESS_VERIFICATION""QUALIFIED_SUBORDINATION""REVOKED_LIST_SIGNER""ROOT_PROGRAM_AUTO_UPDATE_CA_REVOCATION""ROOT_PROGRAM_AUTO_UPDATE_END_REVOCATION""ROOT_PROGRAM_NO_OSCP_FAILOVER_TO_CRL""ROOT_LIST_SIGNER""SECURE_EMAIL""SERVER_AUTHENTICATION""SMART_CARD_LOGIN""SPC_ENCRYPTED_DIGEST_RETRY_COUNT""SPC_RELAXED_PE_MARKER_CHECK""TIME_STAMPING""WINDOWS_HARDWARE_DRIVER_ATTESTED_VERIFICATION""WINDOWS_HARDWARE_DRIVER_EXTENDED_VERIFICATION""WINDOWS_HARDWARE_DRIVER_VERIFICATION""WINDOWS_HELLO_RECOVERY_KEY_ENCRYPTION""WINDOWS_KITS_COMPONENT""WINDOWS_RT_VERIFICATION""WINDOWS_SOFTWARE_EXTENSION_VERIFICATION""WINDOWS_STORE""WINDOWS_SYSTEM_COMPONENT_VERIFICATION""WINDOWS_TCB_COMPONENT""WINDOWS_THIRD_PARTY_APPLICATION_COMPONENT""WINDOWS_UPDATE"
KeyUsage— required — (map)The key usage extension defines the purpose (e.g., encipherment, signature, certificate signing) of the key contained in the certificate.
Critical— (Boolean)Sets the key usage extension to critical.
UsageFlags— required — (map)The key usage flags represent the purpose (e.g., encipherment, signature) of the key contained in the certificate.
DataEncipherment— (Boolean)DataEncipherment is asserted when the subject public key is used for directly enciphering raw user data without the use of an intermediate symmetric cipher.
DigitalSignature— (Boolean)The digitalSignature is asserted when the subject public key is used for verifying digital signatures.
KeyAgreement— (Boolean)KeyAgreement is asserted when the subject public key is used for key agreement.
KeyEncipherment— (Boolean)KeyEncipherment is asserted when the subject public key is used for enciphering private or secret keys, i.e., for key transport.
NonRepudiation— (Boolean)NonRepudiation is asserted when the subject public key is used to verify digital signatures.
GeneralFlags— required — (map)General flags describe whether the template is used for computers or users and if the template can be used with autoenrollment.
AutoEnrollment— (Boolean)Allows certificate issuance using autoenrollment. Set to TRUE to allow autoenrollment.
MachineType— (Boolean)Defines if the template is for machines or users. Set to TRUE if the template is for machines. Set to FALSE if the template is for users
HashAlgorithm— required — (String)Specifies the hash algorithm used to hash the private key.
Possible values include:"SHA256""SHA384""SHA512"
PrivateKeyAttributes— required — (map)Private key attributes allow you to specify the algorithm, minimal key length, key spec, key usage, and cryptographic providers for the private key of a certificate for v3 templates. V3 templates allow you to use Key Storage Providers.
Algorithm— required — (String)Defines the algorithm used to generate the private key.
Possible values include:"RSA""ECDH_P256""ECDH_P384""ECDH_P521"
CryptoProviders— (Array<String>)Defines the cryptographic providers used to generate the private key.
KeySpec— required — (String)Defines the purpose of the private key. Set it to "KEY_EXCHANGE" or "SIGNATURE" value.
Possible values include:"KEY_EXCHANGE""SIGNATURE"
KeyUsageProperty— required — (map)The key usage property defines the purpose of the private key contained in the certificate. You can specify specific purposes using property flags or all by using property type ALL.
PropertyFlags— (map)You can specify key usage for encryption, key agreement, and signature. You can use property flags or property type but not both.
Decrypt— (Boolean)Allows key for encryption and decryption.
KeyAgreement— (Boolean)Allows key exchange without encryption.
Sign— (Boolean)Allow key use for digital signature.
PropertyType— (String)You can specify all key usages using property type ALL. You can use property type or property flags but not both.
Possible values include:"ALL"
MinimalKeyLength— required — (Integer)Set the minimum key length of the private key.
PrivateKeyFlags— required — (map)Private key flags for v3 templates specify the client compatibility, if the private key can be exported, if user input is required when using a private key, and if an alternate signature algorithm should be used.
ClientVersion— required — (String)Defines the minimum client compatibility.
Possible values include:"WINDOWS_SERVER_2008""WINDOWS_SERVER_2008_R2""WINDOWS_SERVER_2012""WINDOWS_SERVER_2012_R2""WINDOWS_SERVER_2016"
ExportableKey— (Boolean)Allows the private key to be exported.
RequireAlternateSignatureAlgorithm— (Boolean)Reguires the PKCS #1 v2.1 signature format for certificates. You should verify that your CA, objects, and applications can accept this signature format.
StrongKeyProtectionRequired— (Boolean)Requirer user input when using the private key for enrollment.
SubjectNameFlags— required — (map)Subject name flags describe the subject name and subject alternate name that is included in a certificate.
RequireCommonName— (Boolean)Include the common name in the subject name.
RequireDirectoryPath— (Boolean)Include the directory path in the subject name.
RequireDnsAsCn— (Boolean)Include the DNS as common name in the subject name.
RequireEmail— (Boolean)Include the subject's email in the subject name.
SanRequireDirectoryGuid— (Boolean)Include the globally unique identifier (GUID) in the subject alternate name.
SanRequireDns— (Boolean)Include the DNS in the subject alternate name.
SanRequireDomainDns— (Boolean)Include the domain DNS in the subject alternate name.
SanRequireEmail— (Boolean)Include the subject's email in the subject alternate name.
SanRequireSpn— (Boolean)Include the service principal name (SPN) in the subject alternate name.
SanRequireUpn— (Boolean)Include the user principal name (UPN) in the subject alternate name.
SupersededTemplates— (Array<String>)List of templates in Active Directory that are superseded by this template.
TemplateV4— (map)Template configuration to define the information included in certificates. Define certificate validity and renewal periods, certificate request handling and enrollment options, key usage extensions, application policies, and cryptography settings.
CertificateValidity— required — (map)Certificate validity describes the validity and renewal periods of a certificate.
RenewalPeriod— required — (map)Renewal period is the period of time before certificate expiration when a new certificate will be requested.
Period— required — (Integer)The numeric value for the validity period.
PeriodType— required — (String)The unit of time. You can select hours, days, weeks, months, and years.
Possible values include:"HOURS""DAYS""WEEKS""MONTHS""YEARS"
ValidityPeriod— required — (map)Information describing the end of the validity period of the certificate. This parameter sets the “Not After” date for the certificate. Certificate validity is the period of time during which a certificate is valid. Validity can be expressed as an explicit date and time when the certificate expires, or as a span of time after issuance, stated in days, months, or years. For more information, see Validity in RFC 5280. This value is unaffected when ValidityNotBefore is also specified. For example, if Validity is set to 20 days in the future, the certificate will expire 20 days from issuance time regardless of the ValidityNotBefore value.
Period— required — (Integer)The numeric value for the validity period.
PeriodType— required — (String)The unit of time. You can select hours, days, weeks, months, and years.
Possible values include:"HOURS""DAYS""WEEKS""MONTHS""YEARS"
EnrollmentFlags— required — (map)Enrollment flags describe the enrollment settings for certificates using the existing private key and deleting expired or revoked certificates.
EnableKeyReuseOnNtTokenKeysetStorageFull— (Boolean)Allow renewal using the same key.
IncludeSymmetricAlgorithms— (Boolean)Include symmetric algorithms allowed by the subject.
NoSecurityExtension— (Boolean)This flag instructs the CA to not include the security extension szOID_NTDS_CA_SECURITY_EXT (OID:1.3.6.1.4.1.311.25.2), as specified in [MS-WCCE] sections 2.2.2.7.7.4 and 3.2.2.6.2.1.4.5.9, in the issued certificate. This addresses a Windows Kerberos elevation-of-privilege vulnerability.
RemoveInvalidCertificateFromPersonalStore— (Boolean)Delete expired or revoked certificates instead of archiving them.
UserInteractionRequired— (Boolean)Require user interaction when the subject is enrolled and the private key associated with the certificate is used.
Extensions— required — (map)Extensions describe the key usage extensions and application policies for a template.
ApplicationPolicies— (map)Application policies specify what the certificate is used for and its purpose.
Critical— (Boolean)Marks the application policy extension as critical.
Policies— required — (Array<map>)Application policies describe what the certificate can be used for.
PolicyObjectIdentifier— (String)The object identifier (OID) of an application policy.
PolicyType— (String)The type of application policy
Possible values include:"ALL_APPLICATION_POLICIES""ANY_PURPOSE""ATTESTATION_IDENTITY_KEY_CERTIFICATE""CERTIFICATE_REQUEST_AGENT""CLIENT_AUTHENTICATION""CODE_SIGNING""CTL_USAGE""DIGITAL_RIGHTS""DIRECTORY_SERVICE_EMAIL_REPLICATION""DISALLOWED_LIST""DNS_SERVER_TRUST""DOCUMENT_ENCRYPTION""DOCUMENT_SIGNING""DYNAMIC_CODE_GENERATOR""EARLY_LAUNCH_ANTIMALWARE_DRIVER""EMBEDDED_WINDOWS_SYSTEM_COMPONENT_VERIFICATION""ENCLAVE""ENCRYPTING_FILE_SYSTEM""ENDORSEMENT_KEY_CERTIFICATE""FILE_RECOVERY""HAL_EXTENSION""IP_SECURITY_END_SYSTEM""IP_SECURITY_IKE_INTERMEDIATE""IP_SECURITY_TUNNEL_TERMINATION""IP_SECURITY_USER""ISOLATED_USER_MODE""KDC_AUTHENTICATION""KERNEL_MODE_CODE_SIGNING""KEY_PACK_LICENSES""KEY_RECOVERY""KEY_RECOVERY_AGENT""LICENSE_SERVER_VERIFICATION""LIFETIME_SIGNING""MICROSOFT_PUBLISHER""MICROSOFT_TIME_STAMPING""MICROSOFT_TRUST_LIST_SIGNING""OCSP_SIGNING""OEM_WINDOWS_SYSTEM_COMPONENT_VERIFICATION""PLATFORM_CERTIFICATE""PREVIEW_BUILD_SIGNING""PRIVATE_KEY_ARCHIVAL""PROTECTED_PROCESS_LIGHT_VERIFICATION""PROTECTED_PROCESS_VERIFICATION""QUALIFIED_SUBORDINATION""REVOKED_LIST_SIGNER""ROOT_PROGRAM_AUTO_UPDATE_CA_REVOCATION""ROOT_PROGRAM_AUTO_UPDATE_END_REVOCATION""ROOT_PROGRAM_NO_OSCP_FAILOVER_TO_CRL""ROOT_LIST_SIGNER""SECURE_EMAIL""SERVER_AUTHENTICATION""SMART_CARD_LOGIN""SPC_ENCRYPTED_DIGEST_RETRY_COUNT""SPC_RELAXED_PE_MARKER_CHECK""TIME_STAMPING""WINDOWS_HARDWARE_DRIVER_ATTESTED_VERIFICATION""WINDOWS_HARDWARE_DRIVER_EXTENDED_VERIFICATION""WINDOWS_HARDWARE_DRIVER_VERIFICATION""WINDOWS_HELLO_RECOVERY_KEY_ENCRYPTION""WINDOWS_KITS_COMPONENT""WINDOWS_RT_VERIFICATION""WINDOWS_SOFTWARE_EXTENSION_VERIFICATION""WINDOWS_STORE""WINDOWS_SYSTEM_COMPONENT_VERIFICATION""WINDOWS_TCB_COMPONENT""WINDOWS_THIRD_PARTY_APPLICATION_COMPONENT""WINDOWS_UPDATE"
KeyUsage— required — (map)The key usage extension defines the purpose (e.g., encipherment, signature) of the key contained in the certificate.
Critical— (Boolean)Sets the key usage extension to critical.
UsageFlags— required — (map)The key usage flags represent the purpose (e.g., encipherment, signature) of the key contained in the certificate.
DataEncipherment— (Boolean)DataEncipherment is asserted when the subject public key is used for directly enciphering raw user data without the use of an intermediate symmetric cipher.
DigitalSignature— (Boolean)The digitalSignature is asserted when the subject public key is used for verifying digital signatures.
KeyAgreement— (Boolean)KeyAgreement is asserted when the subject public key is used for key agreement.
KeyEncipherment— (Boolean)KeyEncipherment is asserted when the subject public key is used for enciphering private or secret keys, i.e., for key transport.
NonRepudiation— (Boolean)NonRepudiation is asserted when the subject public key is used to verify digital signatures.
GeneralFlags— required — (map)General flags describe whether the template is used for computers or users and if the template can be used with autoenrollment.
AutoEnrollment— (Boolean)Allows certificate issuance using autoenrollment. Set to TRUE to allow autoenrollment.
MachineType— (Boolean)Defines if the template is for machines or users. Set to TRUE if the template is for machines. Set to FALSE if the template is for users
HashAlgorithm— (String)Specifies the hash algorithm used to hash the private key. Hash algorithm can only be specified when using Key Storage Providers.
Possible values include:"SHA256""SHA384""SHA512"
PrivateKeyAttributes— required — (map)Private key attributes allow you to specify the minimal key length, key spec, key usage, and cryptographic providers for the private key of a certificate for v4 templates. V4 templates allow you to use either Key Storage Providers or Legacy Cryptographic Service Providers. You specify the cryptography provider category in private key flags.
Algorithm— (String)Defines the algorithm used to generate the private key.
Possible values include:"RSA""ECDH_P256""ECDH_P384""ECDH_P521"
CryptoProviders— (Array<String>)Defines the cryptographic providers used to generate the private key.
KeySpec— required — (String)Defines the purpose of the private key. Set it to "KEY_EXCHANGE" or "SIGNATURE" value.
Possible values include:"KEY_EXCHANGE""SIGNATURE"
KeyUsageProperty— (map)The key usage property defines the purpose of the private key contained in the certificate. You can specify specific purposes using property flags or all by using property type ALL.
PropertyFlags— (map)You can specify key usage for encryption, key agreement, and signature. You can use property flags or property type but not both.
Decrypt— (Boolean)Allows key for encryption and decryption.
KeyAgreement— (Boolean)Allows key exchange without encryption.
Sign— (Boolean)Allow key use for digital signature.
PropertyType— (String)You can specify all key usages using property type ALL. You can use property type or property flags but not both.
Possible values include:"ALL"
MinimalKeyLength— required — (Integer)Set the minimum key length of the private key.
PrivateKeyFlags— required — (map)Private key flags for v4 templates specify the client compatibility, if the private key can be exported, if user input is required when using a private key, if an alternate signature algorithm should be used, and if certificates are renewed using the same private key.
ClientVersion— required — (String)Defines the minimum client compatibility.
Possible values include:"WINDOWS_SERVER_2012""WINDOWS_SERVER_2012_R2""WINDOWS_SERVER_2016"
ExportableKey— (Boolean)Allows the private key to be exported.
RequireAlternateSignatureAlgorithm— (Boolean)Requires the PKCS #1 v2.1 signature format for certificates. You should verify that your CA, objects, and applications can accept this signature format.
RequireSameKeyRenewal— (Boolean)Renew certificate using the same private key.
StrongKeyProtectionRequired— (Boolean)Require user input when using the private key for enrollment.
UseLegacyProvider— (Boolean)Specifies the cryptographic service provider category used to generate private keys. Set to TRUE to use Legacy Cryptographic Service Providers and FALSE to use Key Storage Providers.
SubjectNameFlags— required — (map)Subject name flags describe the subject name and subject alternate name that is included in a certificate.
RequireCommonName— (Boolean)Include the common name in the subject name.
RequireDirectoryPath— (Boolean)Include the directory path in the subject name.
RequireDnsAsCn— (Boolean)Include the DNS as common name in the subject name.
RequireEmail— (Boolean)Include the subject's email in the subject name.
SanRequireDirectoryGuid— (Boolean)Include the globally unique identifier (GUID) in the subject alternate name.
SanRequireDns— (Boolean)Include the DNS in the subject alternate name.
SanRequireDomainDns— (Boolean)Include the domain DNS in the subject alternate name.
SanRequireEmail— (Boolean)Include the subject's email in the subject alternate name.
SanRequireSpn— (Boolean)Include the service principal name (SPN) in the subject alternate name.
SanRequireUpn— (Boolean)Include the user principal name (UPN) in the subject alternate name.
SupersededTemplates— (Array<String>)List of templates in Active Directory that are superseded by this template.
Name— (String)Name of the template. The template name must be unique.
Tags— (map<String>)Metadata assigned to a template consisting of a key-value pair.
Callback (callback):
-
function(err, data) { ... }
Called when a response from the service is returned. If a callback is not supplied, you must call AWS.Request.send() on the returned request object to initiate the request.
Context (this):
-
(AWS.Response)
—
the response object containing error, data properties, and the original request object.
Parameters:
-
err
(Error)
—
the error object returned from the request. Set to
nullif the request is successful. -
data
(Object)
—
the de-serialized data returned from the request. Set to
nullif a request error occurs. Thedataobject has the following properties:TemplateArn— (String)If successful, the Amazon Resource Name (ARN) of the template.
-
(AWS.Response)
—
Returns:
createTemplateGroupAccessControlEntry(params = {}, callback) ⇒ AWS.Request
Create a group access control entry. Allow or deny Active Directory groups from enrolling and/or autoenrolling with the template based on the group security identifiers (SIDs).
Service Reference:
Examples:
Calling the createTemplateGroupAccessControlEntry operation
var params = {
AccessRights: { /* required */
AutoEnroll: ALLOW | DENY,
Enroll: ALLOW | DENY
},
GroupDisplayName: 'STRING_VALUE', /* required */
GroupSecurityIdentifier: 'STRING_VALUE', /* required */
TemplateArn: 'STRING_VALUE', /* required */
ClientToken: 'STRING_VALUE'
};
pcaconnectorad.createTemplateGroupAccessControlEntry(params, function(err, data) {
if (err) console.log(err, err.stack); // an error occurred
else console.log(data); // successful response
});Parameters:
-
params
(Object)
(defaults to: {})
—
AccessRights— (map)Allow or deny permissions for an Active Directory group to enroll or autoenroll certificates for a template.
AutoEnroll— (String)Allow or deny an Active Directory group from autoenrolling certificates issued against a template. The Active Directory group must be allowed to enroll to allow autoenrollment
Possible values include:"ALLOW""DENY"
Enroll— (String)Allow or deny an Active Directory group from enrolling certificates issued against a template.
Possible values include:"ALLOW""DENY"
ClientToken— (String)Idempotency token.
If a token is not provided, the SDK will use a version 4 UUID.GroupDisplayName— (String)Name of the Active Directory group. This name does not need to match the group name in Active Directory.
GroupSecurityIdentifier— (String)Security identifier (SID) of the group object from Active Directory. The SID starts with "S-".
TemplateArn— (String)The Amazon Resource Name (ARN) that was returned when you called CreateTemplate.
Callback (callback):
-
function(err, data) { ... }
Called when a response from the service is returned. If a callback is not supplied, you must call AWS.Request.send() on the returned request object to initiate the request.
Context (this):
-
(AWS.Response)
—
the response object containing error, data properties, and the original request object.
Parameters:
-
err
(Error)
—
the error object returned from the request. Set to
nullif the request is successful. -
data
(Object)
—
the de-serialized data returned from the request. Set to
nullif a request error occurs.
-
(AWS.Response)
—
Returns:
deleteConnector(params = {}, callback) ⇒ AWS.Request
Deletes a connector for Active Directory. You must provide the Amazon Resource Name (ARN) of the connector that you want to delete. You can find the ARN by calling the https://docs.aws.amazon.com/pca-connector-ad/latest/APIReference/API_ListConnectors action. Deleting a connector does not deregister your directory with Amazon Web Services Private CA. You can deregister your directory by calling the https://docs.aws.amazon.com/pca-connector-ad/latest/APIReference/API_DeleteDirectoryRegistration action.
Service Reference:
Examples:
Calling the deleteConnector operation
var params = {
ConnectorArn: 'STRING_VALUE' /* required */
};
pcaconnectorad.deleteConnector(params, function(err, data) {
if (err) console.log(err, err.stack); // an error occurred
else console.log(data); // successful response
});Parameters:
-
params
(Object)
(defaults to: {})
—
ConnectorArn— (String)The Amazon Resource Name (ARN) that was returned when you called CreateConnector.
Callback (callback):
-
function(err, data) { ... }
Called when a response from the service is returned. If a callback is not supplied, you must call AWS.Request.send() on the returned request object to initiate the request.
Context (this):
-
(AWS.Response)
—
the response object containing error, data properties, and the original request object.
Parameters:
-
err
(Error)
—
the error object returned from the request. Set to
nullif the request is successful. -
data
(Object)
—
the de-serialized data returned from the request. Set to
nullif a request error occurs.
-
(AWS.Response)
—
Returns:
deleteDirectoryRegistration(params = {}, callback) ⇒ AWS.Request
Deletes a directory registration. Deleting a directory registration deauthorizes Amazon Web Services Private CA with the directory.
Service Reference:
Examples:
Calling the deleteDirectoryRegistration operation
var params = {
DirectoryRegistrationArn: 'STRING_VALUE' /* required */
};
pcaconnectorad.deleteDirectoryRegistration(params, function(err, data) {
if (err) console.log(err, err.stack); // an error occurred
else console.log(data); // successful response
});Parameters:
-
params
(Object)
(defaults to: {})
—
DirectoryRegistrationArn— (String)The Amazon Resource Name (ARN) that was returned when you called CreateDirectoryRegistration.
Callback (callback):
-
function(err, data) { ... }
Called when a response from the service is returned. If a callback is not supplied, you must call AWS.Request.send() on the returned request object to initiate the request.
Context (this):
-
(AWS.Response)
—
the response object containing error, data properties, and the original request object.
Parameters:
-
err
(Error)
—
the error object returned from the request. Set to
nullif the request is successful. -
data
(Object)
—
the de-serialized data returned from the request. Set to
nullif a request error occurs.
-
(AWS.Response)
—
Returns:
deleteServicePrincipalName(params = {}, callback) ⇒ AWS.Request
Deletes the service principal name (SPN) used by a connector to authenticate with your Active Directory.
Service Reference:
Examples:
Calling the deleteServicePrincipalName operation
var params = {
ConnectorArn: 'STRING_VALUE', /* required */
DirectoryRegistrationArn: 'STRING_VALUE' /* required */
};
pcaconnectorad.deleteServicePrincipalName(params, function(err, data) {
if (err) console.log(err, err.stack); // an error occurred
else console.log(data); // successful response
});Parameters:
-
params
(Object)
(defaults to: {})
—
ConnectorArn— (String)The Amazon Resource Name (ARN) that was returned when you called CreateConnector.
DirectoryRegistrationArn— (String)The Amazon Resource Name (ARN) that was returned when you called CreateDirectoryRegistration.
Callback (callback):
-
function(err, data) { ... }
Called when a response from the service is returned. If a callback is not supplied, you must call AWS.Request.send() on the returned request object to initiate the request.
Context (this):
-
(AWS.Response)
—
the response object containing error, data properties, and the original request object.
Parameters:
-
err
(Error)
—
the error object returned from the request. Set to
nullif the request is successful. -
data
(Object)
—
the de-serialized data returned from the request. Set to
nullif a request error occurs.
-
(AWS.Response)
—
Returns:
deleteTemplate(params = {}, callback) ⇒ AWS.Request
Deletes a template. Certificates issued using the template are still valid until they are revoked or expired.
Service Reference:
Examples:
Calling the deleteTemplate operation
var params = {
TemplateArn: 'STRING_VALUE' /* required */
};
pcaconnectorad.deleteTemplate(params, function(err, data) {
if (err) console.log(err, err.stack); // an error occurred
else console.log(data); // successful response
});Parameters:
-
params
(Object)
(defaults to: {})
—
TemplateArn— (String)The Amazon Resource Name (ARN) that was returned when you called CreateTemplate.
Callback (callback):
-
function(err, data) { ... }
Called when a response from the service is returned. If a callback is not supplied, you must call AWS.Request.send() on the returned request object to initiate the request.
Context (this):
-
(AWS.Response)
—
the response object containing error, data properties, and the original request object.
Parameters:
-
err
(Error)
—
the error object returned from the request. Set to
nullif the request is successful. -
data
(Object)
—
the de-serialized data returned from the request. Set to
nullif a request error occurs.
-
(AWS.Response)
—
Returns:
deleteTemplateGroupAccessControlEntry(params = {}, callback) ⇒ AWS.Request
Deletes a group access control entry.
Service Reference:
Examples:
Calling the deleteTemplateGroupAccessControlEntry operation
var params = {
GroupSecurityIdentifier: 'STRING_VALUE', /* required */
TemplateArn: 'STRING_VALUE' /* required */
};
pcaconnectorad.deleteTemplateGroupAccessControlEntry(params, function(err, data) {
if (err) console.log(err, err.stack); // an error occurred
else console.log(data); // successful response
});Parameters:
-
params
(Object)
(defaults to: {})
—
GroupSecurityIdentifier— (String)Security identifier (SID) of the group object from Active Directory. The SID starts with "S-".
TemplateArn— (String)The Amazon Resource Name (ARN) that was returned when you called CreateTemplate.
Callback (callback):
-
function(err, data) { ... }
Called when a response from the service is returned. If a callback is not supplied, you must call AWS.Request.send() on the returned request object to initiate the request.
Context (this):
-
(AWS.Response)
—
the response object containing error, data properties, and the original request object.
Parameters:
-
err
(Error)
—
the error object returned from the request. Set to
nullif the request is successful. -
data
(Object)
—
the de-serialized data returned from the request. Set to
nullif a request error occurs.
-
(AWS.Response)
—
Returns:
getConnector(params = {}, callback) ⇒ AWS.Request
Lists information about your connector. You specify the connector on input by its ARN (Amazon Resource Name).
Service Reference:
Examples:
Calling the getConnector operation
var params = {
ConnectorArn: 'STRING_VALUE' /* required */
};
pcaconnectorad.getConnector(params, function(err, data) {
if (err) console.log(err, err.stack); // an error occurred
else console.log(data); // successful response
});Parameters:
-
params
(Object)
(defaults to: {})
—
ConnectorArn— (String)The Amazon Resource Name (ARN) that was returned when you called CreateConnector.
Callback (callback):
-
function(err, data) { ... }
Called when a response from the service is returned. If a callback is not supplied, you must call AWS.Request.send() on the returned request object to initiate the request.
Context (this):
-
(AWS.Response)
—
the response object containing error, data properties, and the original request object.
Parameters:
-
err
(Error)
—
the error object returned from the request. Set to
nullif the request is successful. -
data
(Object)
—
the de-serialized data returned from the request. Set to
nullif a request error occurs. Thedataobject has the following properties:Connector— (map)A structure that contains information about your connector.
Arn— (String)The Amazon Resource Name (ARN) that was returned when you called CreateConnector.
CertificateAuthorityArn— (String)The Amazon Resource Name (ARN) of the certificate authority being used.
CertificateEnrollmentPolicyServerEndpoint— (String)Certificate enrollment endpoint for Active Directory domain-joined objects reach out to when requesting certificates.
CreatedAt— (Date)The date and time that the connector was created.
DirectoryId— (String)The identifier of the Active Directory.
Status— (String)Status of the connector. Status can be creating, active, deleting, or failed.
Possible values include:"CREATING""ACTIVE""DELETING""FAILED"
StatusReason— (String)Additional information about the connector status if the status is failed.
Possible values include:"DIRECTORY_ACCESS_DENIED""INTERNAL_FAILURE""PRIVATECA_ACCESS_DENIED""PRIVATECA_RESOURCE_NOT_FOUND""SECURITY_GROUP_NOT_IN_VPC""VPC_ACCESS_DENIED""VPC_ENDPOINT_LIMIT_EXCEEDED""VPC_RESOURCE_NOT_FOUND"
UpdatedAt— (Date)The date and time that the connector was updated.
VpcInformation— (map)Information of the VPC and security group(s) used with the connector.
SecurityGroupIds— required — (Array<String>)The security groups used with the connector. You can use a maximum of 4 security groups with a connector.
-
(AWS.Response)
—
Returns:
getDirectoryRegistration(params = {}, callback) ⇒ AWS.Request
A structure that contains information about your directory registration.
Service Reference:
Examples:
Calling the getDirectoryRegistration operation
var params = {
DirectoryRegistrationArn: 'STRING_VALUE' /* required */
};
pcaconnectorad.getDirectoryRegistration(params, function(err, data) {
if (err) console.log(err, err.stack); // an error occurred
else console.log(data); // successful response
});Parameters:
-
params
(Object)
(defaults to: {})
—
DirectoryRegistrationArn— (String)The Amazon Resource Name (ARN) that was returned when you called CreateDirectoryRegistration.
Callback (callback):
-
function(err, data) { ... }
Called when a response from the service is returned. If a callback is not supplied, you must call AWS.Request.send() on the returned request object to initiate the request.
Context (this):
-
(AWS.Response)
—
the response object containing error, data properties, and the original request object.
Parameters:
-
err
(Error)
—
the error object returned from the request. Set to
nullif the request is successful. -
data
(Object)
—
the de-serialized data returned from the request. Set to
nullif a request error occurs. Thedataobject has the following properties:DirectoryRegistration— (map)The directory registration represents the authorization of the connector service with a directory.
Arn— (String)The Amazon Resource Name (ARN) that was returned when you called CreateDirectoryRegistration.
CreatedAt— (Date)The date and time that the directory registration was created.
DirectoryId— (String)The identifier of the Active Directory.
Status— (String)Status of the directory registration.
Possible values include:"CREATING""ACTIVE""DELETING""FAILED"
StatusReason— (String)Additional information about the directory registration status if the status is failed.
Possible values include:"DIRECTORY_ACCESS_DENIED""DIRECTORY_RESOURCE_NOT_FOUND""DIRECTORY_NOT_ACTIVE""DIRECTORY_NOT_REACHABLE""DIRECTORY_TYPE_NOT_SUPPORTED""INTERNAL_FAILURE"
UpdatedAt— (Date)The date and time that the directory registration was updated.
-
(AWS.Response)
—
Returns:
getServicePrincipalName(params = {}, callback) ⇒ AWS.Request
Lists the service principal name that the connector uses to authenticate with Active Directory.
Service Reference:
Examples:
Calling the getServicePrincipalName operation
var params = {
ConnectorArn: 'STRING_VALUE', /* required */
DirectoryRegistrationArn: 'STRING_VALUE' /* required */
};
pcaconnectorad.getServicePrincipalName(params, function(err, data) {
if (err) console.log(err, err.stack); // an error occurred
else console.log(data); // successful response
});Parameters:
-
params
(Object)
(defaults to: {})
—
ConnectorArn— (String)The Amazon Resource Name (ARN) that was returned when you called CreateConnector.
DirectoryRegistrationArn— (String)The Amazon Resource Name (ARN) that was returned when you called CreateDirectoryRegistration.
Callback (callback):
-
function(err, data) { ... }
Called when a response from the service is returned. If a callback is not supplied, you must call AWS.Request.send() on the returned request object to initiate the request.
Context (this):
-
(AWS.Response)
—
the response object containing error, data properties, and the original request object.
Parameters:
-
err
(Error)
—
the error object returned from the request. Set to
nullif the request is successful. -
data
(Object)
—
the de-serialized data returned from the request. Set to
nullif a request error occurs. Thedataobject has the following properties:ServicePrincipalName— (map)The service principal name that the connector uses to authenticate with Active Directory.
ConnectorArn— (String)The Amazon Resource Name (ARN) that was returned when you called CreateConnector.html.
CreatedAt— (Date)The date and time that the service principal name was created.
DirectoryRegistrationArn— (String)The Amazon Resource Name (ARN) that was returned when you called CreateDirectoryRegistration.
Status— (String)The status of a service principal name.
Possible values include:"CREATING""ACTIVE""DELETING""FAILED"
StatusReason— (String)Additional information for the status of a service principal name if the status is failed.
Possible values include:"DIRECTORY_ACCESS_DENIED""DIRECTORY_NOT_REACHABLE""DIRECTORY_RESOURCE_NOT_FOUND""SPN_EXISTS_ON_DIFFERENT_AD_OBJECT""INTERNAL_FAILURE"
UpdatedAt— (Date)The date and time that the service principal name was updated.
-
(AWS.Response)
—
Returns:
getTemplate(params = {}, callback) ⇒ AWS.Request
Retrieves a certificate template that the connector uses to issue certificates from a private CA.
Service Reference:
Examples:
Calling the getTemplate operation
var params = {
TemplateArn: 'STRING_VALUE' /* required */
};
pcaconnectorad.getTemplate(params, function(err, data) {
if (err) console.log(err, err.stack); // an error occurred
else console.log(data); // successful response
});Parameters:
-
params
(Object)
(defaults to: {})
—
TemplateArn— (String)The Amazon Resource Name (ARN) that was returned when you called CreateTemplate.
Callback (callback):
-
function(err, data) { ... }
Called when a response from the service is returned. If a callback is not supplied, you must call AWS.Request.send() on the returned request object to initiate the request.
Context (this):
-
(AWS.Response)
—
the response object containing error, data properties, and the original request object.
Parameters:
-
err
(Error)
—
the error object returned from the request. Set to
nullif the request is successful. -
data
(Object)
—
the de-serialized data returned from the request. Set to
nullif a request error occurs. Thedataobject has the following properties:Template— (map)A certificate template that the connector uses to issue certificates from a private CA.
Arn— (String)The Amazon Resource Name (ARN) that was returned when you called CreateTemplate.
ConnectorArn— (String)The Amazon Resource Name (ARN) that was returned when you called CreateConnector.
CreatedAt— (Date)The date and time that the template was created.
Definition— (map)Template configuration to define the information included in certificates. Define certificate validity and renewal periods, certificate request handling and enrollment options, key usage extensions, application policies, and cryptography settings.
TemplateV2— (map)Template configuration to define the information included in certificates. Define certificate validity and renewal periods, certificate request handling and enrollment options, key usage extensions, application policies, and cryptography settings.
CertificateValidity— required — (map)Certificate validity describes the validity and renewal periods of a certificate.
RenewalPeriod— required — (map)Renewal period is the period of time before certificate expiration when a new certificate will be requested.
Period— required — (Integer)The numeric value for the validity period.
PeriodType— required — (String)The unit of time. You can select hours, days, weeks, months, and years.
Possible values include:"HOURS""DAYS""WEEKS""MONTHS""YEARS"
ValidityPeriod— required — (map)Information describing the end of the validity period of the certificate. This parameter sets the “Not After” date for the certificate. Certificate validity is the period of time during which a certificate is valid. Validity can be expressed as an explicit date and time when the certificate expires, or as a span of time after issuance, stated in days, months, or years. For more information, see Validity in RFC 5280. This value is unaffected when ValidityNotBefore is also specified. For example, if Validity is set to 20 days in the future, the certificate will expire 20 days from issuance time regardless of the ValidityNotBefore value.
Period— required — (Integer)The numeric value for the validity period.
PeriodType— required — (String)The unit of time. You can select hours, days, weeks, months, and years.
Possible values include:"HOURS""DAYS""WEEKS""MONTHS""YEARS"
EnrollmentFlags— required — (map)Enrollment flags describe the enrollment settings for certificates such as using the existing private key and deleting expired or revoked certificates.
EnableKeyReuseOnNtTokenKeysetStorageFull— (Boolean)Allow renewal using the same key.
IncludeSymmetricAlgorithms— (Boolean)Include symmetric algorithms allowed by the subject.
NoSecurityExtension— (Boolean)This flag instructs the CA to not include the security extension szOID_NTDS_CA_SECURITY_EXT (OID:1.3.6.1.4.1.311.25.2), as specified in [MS-WCCE] sections 2.2.2.7.7.4 and 3.2.2.6.2.1.4.5.9, in the issued certificate. This addresses a Windows Kerberos elevation-of-privilege vulnerability.
RemoveInvalidCertificateFromPersonalStore— (Boolean)Delete expired or revoked certificates instead of archiving them.
UserInteractionRequired— (Boolean)Require user interaction when the subject is enrolled and the private key associated with the certificate is used.
Extensions— required — (map)Extensions describe the key usage extensions and application policies for a template.
ApplicationPolicies— (map)Application policies specify what the certificate is used for and its purpose.
Critical— (Boolean)Marks the application policy extension as critical.
Policies— required — (Array<map>)Application policies describe what the certificate can be used for.
PolicyObjectIdentifier— (String)The object identifier (OID) of an application policy.
PolicyType— (String)The type of application policy
Possible values include:"ALL_APPLICATION_POLICIES""ANY_PURPOSE""ATTESTATION_IDENTITY_KEY_CERTIFICATE""CERTIFICATE_REQUEST_AGENT""CLIENT_AUTHENTICATION""CODE_SIGNING""CTL_USAGE""DIGITAL_RIGHTS""DIRECTORY_SERVICE_EMAIL_REPLICATION""DISALLOWED_LIST""DNS_SERVER_TRUST""DOCUMENT_ENCRYPTION""DOCUMENT_SIGNING""DYNAMIC_CODE_GENERATOR""EARLY_LAUNCH_ANTIMALWARE_DRIVER""EMBEDDED_WINDOWS_SYSTEM_COMPONENT_VERIFICATION""ENCLAVE""ENCRYPTING_FILE_SYSTEM""ENDORSEMENT_KEY_CERTIFICATE""FILE_RECOVERY""HAL_EXTENSION""IP_SECURITY_END_SYSTEM""IP_SECURITY_IKE_INTERMEDIATE""IP_SECURITY_TUNNEL_TERMINATION""IP_SECURITY_USER""ISOLATED_USER_MODE""KDC_AUTHENTICATION""KERNEL_MODE_CODE_SIGNING""KEY_PACK_LICENSES""KEY_RECOVERY""KEY_RECOVERY_AGENT""LICENSE_SERVER_VERIFICATION""LIFETIME_SIGNING""MICROSOFT_PUBLISHER""MICROSOFT_TIME_STAMPING""MICROSOFT_TRUST_LIST_SIGNING""OCSP_SIGNING""OEM_WINDOWS_SYSTEM_COMPONENT_VERIFICATION""PLATFORM_CERTIFICATE""PREVIEW_BUILD_SIGNING""PRIVATE_KEY_ARCHIVAL""PROTECTED_PROCESS_LIGHT_VERIFICATION""PROTECTED_PROCESS_VERIFICATION""QUALIFIED_SUBORDINATION""REVOKED_LIST_SIGNER""ROOT_PROGRAM_AUTO_UPDATE_CA_REVOCATION""ROOT_PROGRAM_AUTO_UPDATE_END_REVOCATION""ROOT_PROGRAM_NO_OSCP_FAILOVER_TO_CRL""ROOT_LIST_SIGNER""SECURE_EMAIL""SERVER_AUTHENTICATION""SMART_CARD_LOGIN""SPC_ENCRYPTED_DIGEST_RETRY_COUNT""SPC_RELAXED_PE_MARKER_CHECK""TIME_STAMPING""WINDOWS_HARDWARE_DRIVER_ATTESTED_VERIFICATION""WINDOWS_HARDWARE_DRIVER_EXTENDED_VERIFICATION""WINDOWS_HARDWARE_DRIVER_VERIFICATION""WINDOWS_HELLO_RECOVERY_KEY_ENCRYPTION""WINDOWS_KITS_COMPONENT""WINDOWS_RT_VERIFICATION""WINDOWS_SOFTWARE_EXTENSION_VERIFICATION""WINDOWS_STORE""WINDOWS_SYSTEM_COMPONENT_VERIFICATION""WINDOWS_TCB_COMPONENT""WINDOWS_THIRD_PARTY_APPLICATION_COMPONENT""WINDOWS_UPDATE"
KeyUsage— required — (map)The key usage extension defines the purpose (e.g., encipherment, signature, certificate signing) of the key contained in the certificate.
Critical— (Boolean)Sets the key usage extension to critical.
UsageFlags— required — (map)The key usage flags represent the purpose (e.g., encipherment, signature) of the key contained in the certificate.
DataEncipherment— (Boolean)DataEncipherment is asserted when the subject public key is used for directly enciphering raw user data without the use of an intermediate symmetric cipher.
DigitalSignature— (Boolean)The digitalSignature is asserted when the subject public key is used for verifying digital signatures.
KeyAgreement— (Boolean)KeyAgreement is asserted when the subject public key is used for key agreement.
KeyEncipherment— (Boolean)KeyEncipherment is asserted when the subject public key is used for enciphering private or secret keys, i.e., for key transport.
NonRepudiation— (Boolean)NonRepudiation is asserted when the subject public key is used to verify digital signatures.
GeneralFlags— required — (map)General flags describe whether the template is used for computers or users and if the template can be used with autoenrollment.
AutoEnrollment— (Boolean)Allows certificate issuance using autoenrollment. Set to TRUE to allow autoenrollment.
MachineType— (Boolean)Defines if the template is for machines or users. Set to TRUE if the template is for machines. Set to FALSE if the template is for users.
PrivateKeyAttributes— required — (map)Private key attributes allow you to specify the minimal key length, key spec, and cryptographic providers for the private key of a certificate for v2 templates. V2 templates allow you to use Legacy Cryptographic Service Providers.
CryptoProviders— (Array<String>)Defines the cryptographic providers used to generate the private key.
KeySpec— required — (String)Defines the purpose of the private key. Set it to "KEY_EXCHANGE" or "SIGNATURE" value.
Possible values include:"KEY_EXCHANGE""SIGNATURE"
MinimalKeyLength— required — (Integer)Set the minimum key length of the private key.
PrivateKeyFlags— required — (map)Private key flags for v2 templates specify the client compatibility, if the private key can be exported, and if user input is required when using a private key.
ClientVersion— required — (String)Defines the minimum client compatibility.
Possible values include:"WINDOWS_SERVER_2003""WINDOWS_SERVER_2008""WINDOWS_SERVER_2008_R2""WINDOWS_SERVER_2012""WINDOWS_SERVER_2012_R2""WINDOWS_SERVER_2016"
ExportableKey— (Boolean)Allows the private key to be exported.
StrongKeyProtectionRequired— (Boolean)Require user input when using the private key for enrollment.
SubjectNameFlags— required — (map)Subject name flags describe the subject name and subject alternate name that is included in a certificate.
RequireCommonName— (Boolean)Include the common name in the subject name.
RequireDirectoryPath— (Boolean)Include the directory path in the subject name.
RequireDnsAsCn— (Boolean)Include the DNS as common name in the subject name.
RequireEmail— (Boolean)Include the subject's email in the subject name.
SanRequireDirectoryGuid— (Boolean)Include the globally unique identifier (GUID) in the subject alternate name.
SanRequireDns— (Boolean)Include the DNS in the subject alternate name.
SanRequireDomainDns— (Boolean)Include the domain DNS in the subject alternate name.
SanRequireEmail— (Boolean)Include the subject's email in the subject alternate name.
SanRequireSpn— (Boolean)Include the service principal name (SPN) in the subject alternate name.
SanRequireUpn— (Boolean)Include the user principal name (UPN) in the subject alternate name.
SupersededTemplates— (Array<String>)List of templates in Active Directory that are superseded by this template.
TemplateV3— (map)Template configuration to define the information included in certificates. Define certificate validity and renewal periods, certificate request handling and enrollment options, key usage extensions, application policies, and cryptography settings.
CertificateValidity— required — (map)Certificate validity describes the validity and renewal periods of a certificate.
RenewalPeriod— required — (map)Renewal period is the period of time before certificate expiration when a new certificate will be requested.
Period— required — (Integer)The numeric value for the validity period.
PeriodType— required — (String)The unit of time. You can select hours, days, weeks, months, and years.
Possible values include:"HOURS""DAYS""WEEKS""MONTHS""YEARS"
ValidityPeriod— required — (map)Information describing the end of the validity period of the certificate. This parameter sets the “Not After” date for the certificate. Certificate validity is the period of time during which a certificate is valid. Validity can be expressed as an explicit date and time when the certificate expires, or as a span of time after issuance, stated in days, months, or years. For more information, see Validity in RFC 5280. This value is unaffected when ValidityNotBefore is also specified. For example, if Validity is set to 20 days in the future, the certificate will expire 20 days from issuance time regardless of the ValidityNotBefore value.
Period— required — (Integer)The numeric value for the validity period.
PeriodType— required — (String)The unit of time. You can select hours, days, weeks, months, and years.
Possible values include:"HOURS""DAYS""WEEKS""MONTHS""YEARS"
EnrollmentFlags— required — (map)Enrollment flags describe the enrollment settings for certificates such as using the existing private key and deleting expired or revoked certificates.
EnableKeyReuseOnNtTokenKeysetStorageFull— (Boolean)Allow renewal using the same key.
IncludeSymmetricAlgorithms— (Boolean)Include symmetric algorithms allowed by the subject.
NoSecurityExtension— (Boolean)This flag instructs the CA to not include the security extension szOID_NTDS_CA_SECURITY_EXT (OID:1.3.6.1.4.1.311.25.2), as specified in [MS-WCCE] sections 2.2.2.7.7.4 and 3.2.2.6.2.1.4.5.9, in the issued certificate. This addresses a Windows Kerberos elevation-of-privilege vulnerability.
RemoveInvalidCertificateFromPersonalStore— (Boolean)Delete expired or revoked certificates instead of archiving them.
UserInteractionRequired— (Boolean)Require user interaction when the subject is enrolled and the private key associated with the certificate is used.
Extensions— required — (map)Extensions describe the key usage extensions and application policies for a template.
ApplicationPolicies— (map)Application policies specify what the certificate is used for and its purpose.
Critical— (Boolean)Marks the application policy extension as critical.
Policies— required — (Array<map>)Application policies describe what the certificate can be used for.
PolicyObjectIdentifier— (String)The object identifier (OID) of an application policy.
PolicyType— (String)The type of application policy
Possible values include:"ALL_APPLICATION_POLICIES""ANY_PURPOSE""ATTESTATION_IDENTITY_KEY_CERTIFICATE""CERTIFICATE_REQUEST_AGENT""CLIENT_AUTHENTICATION""CODE_SIGNING""CTL_USAGE""DIGITAL_RIGHTS""DIRECTORY_SERVICE_EMAIL_REPLICATION""DISALLOWED_LIST""DNS_SERVER_TRUST""DOCUMENT_ENCRYPTION""DOCUMENT_SIGNING""DYNAMIC_CODE_GENERATOR""EARLY_LAUNCH_ANTIMALWARE_DRIVER""EMBEDDED_WINDOWS_SYSTEM_COMPONENT_VERIFICATION""ENCLAVE""ENCRYPTING_FILE_SYSTEM""ENDORSEMENT_KEY_CERTIFICATE""FILE_RECOVERY""HAL_EXTENSION""IP_SECURITY_END_SYSTEM""IP_SECURITY_IKE_INTERMEDIATE""IP_SECURITY_TUNNEL_TERMINATION""IP_SECURITY_USER""ISOLATED_USER_MODE""KDC_AUTHENTICATION""KERNEL_MODE_CODE_SIGNING""KEY_PACK_LICENSES""KEY_RECOVERY""KEY_RECOVERY_AGENT""LICENSE_SERVER_VERIFICATION""LIFETIME_SIGNING""MICROSOFT_PUBLISHER""MICROSOFT_TIME_STAMPING""MICROSOFT_TRUST_LIST_SIGNING""OCSP_SIGNING""OEM_WINDOWS_SYSTEM_COMPONENT_VERIFICATION""PLATFORM_CERTIFICATE""PREVIEW_BUILD_SIGNING""PRIVATE_KEY_ARCHIVAL""PROTECTED_PROCESS_LIGHT_VERIFICATION""PROTECTED_PROCESS_VERIFICATION""QUALIFIED_SUBORDINATION""REVOKED_LIST_SIGNER""ROOT_PROGRAM_AUTO_UPDATE_CA_REVOCATION""ROOT_PROGRAM_AUTO_UPDATE_END_REVOCATION""ROOT_PROGRAM_NO_OSCP_FAILOVER_TO_CRL""ROOT_LIST_SIGNER""SECURE_EMAIL""SERVER_AUTHENTICATION""SMART_CARD_LOGIN""SPC_ENCRYPTED_DIGEST_RETRY_COUNT""SPC_RELAXED_PE_MARKER_CHECK""TIME_STAMPING""WINDOWS_HARDWARE_DRIVER_ATTESTED_VERIFICATION""WINDOWS_HARDWARE_DRIVER_EXTENDED_VERIFICATION""WINDOWS_HARDWARE_DRIVER_VERIFICATION""WINDOWS_HELLO_RECOVERY_KEY_ENCRYPTION""WINDOWS_KITS_COMPONENT""WINDOWS_RT_VERIFICATION""WINDOWS_SOFTWARE_EXTENSION_VERIFICATION""WINDOWS_STORE""WINDOWS_SYSTEM_COMPONENT_VERIFICATION""WINDOWS_TCB_COMPONENT""WINDOWS_THIRD_PARTY_APPLICATION_COMPONENT""WINDOWS_UPDATE"
KeyUsage— required — (map)The key usage extension defines the purpose (e.g., encipherment, signature, certificate signing) of the key contained in the certificate.
Critical— (Boolean)Sets the key usage extension to critical.
UsageFlags— required — (map)The key usage flags represent the purpose (e.g., encipherment, signature) of the key contained in the certificate.
DataEncipherment— (Boolean)DataEncipherment is asserted when the subject public key is used for directly enciphering raw user data without the use of an intermediate symmetric cipher.
DigitalSignature— (Boolean)The digitalSignature is asserted when the subject public key is used for verifying digital signatures.
KeyAgreement— (Boolean)KeyAgreement is asserted when the subject public key is used for key agreement.
KeyEncipherment— (Boolean)KeyEncipherment is asserted when the subject public key is used for enciphering private or secret keys, i.e., for key transport.
NonRepudiation— (Boolean)NonRepudiation is asserted when the subject public key is used to verify digital signatures.
GeneralFlags— required — (map)General flags describe whether the template is used for computers or users and if the template can be used with autoenrollment.
AutoEnrollment— (Boolean)Allows certificate issuance using autoenrollment. Set to TRUE to allow autoenrollment.
MachineType— (Boolean)Defines if the template is for machines or users. Set to TRUE if the template is for machines. Set to FALSE if the template is for users
HashAlgorithm— required — (String)Specifies the hash algorithm used to hash the private key.
Possible values include:"SHA256""SHA384""SHA512"
PrivateKeyAttributes— required — (map)Private key attributes allow you to specify the algorithm, minimal key length, key spec, key usage, and cryptographic providers for the private key of a certificate for v3 templates. V3 templates allow you to use Key Storage Providers.
Algorithm— required — (String)Defines the algorithm used to generate the private key.
Possible values include:"RSA""ECDH_P256""ECDH_P384""ECDH_P521"
CryptoProviders— (Array<String>)Defines the cryptographic providers used to generate the private key.
KeySpec— required — (String)Defines the purpose of the private key. Set it to "KEY_EXCHANGE" or "SIGNATURE" value.
Possible values include:"KEY_EXCHANGE""SIGNATURE"
KeyUsageProperty— required — (map)The key usage property defines the purpose of the private key contained in the certificate. You can specify specific purposes using property flags or all by using property type ALL.
PropertyFlags— (map)You can specify key usage for encryption, key agreement, and signature. You can use property flags or property type but not both.
Decrypt— (Boolean)Allows key for encryption and decryption.
KeyAgreement— (Boolean)Allows key exchange without encryption.
Sign— (Boolean)Allow key use for digital signature.
PropertyType— (String)You can specify all key usages using property type ALL. You can use property type or property flags but not both.
Possible values include:"ALL"
MinimalKeyLength— required — (Integer)Set the minimum key length of the private key.
PrivateKeyFlags— required — (map)Private key flags for v3 templates specify the client compatibility, if the private key can be exported, if user input is required when using a private key, and if an alternate signature algorithm should be used.
ClientVersion— required — (String)Defines the minimum client compatibility.
Possible values include:"WINDOWS_SERVER_2008""WINDOWS_SERVER_2008_R2""WINDOWS_SERVER_2012""WINDOWS_SERVER_2012_R2""WINDOWS_SERVER_2016"
ExportableKey— (Boolean)Allows the private key to be exported.
RequireAlternateSignatureAlgorithm— (Boolean)Reguires the PKCS #1 v2.1 signature format for certificates. You should verify that your CA, objects, and applications can accept this signature format.
StrongKeyProtectionRequired— (Boolean)Requirer user input when using the private key for enrollment.
SubjectNameFlags— required — (map)Subject name flags describe the subject name and subject alternate name that is included in a certificate.
RequireCommonName— (Boolean)Include the common name in the subject name.
RequireDirectoryPath— (Boolean)Include the directory path in the subject name.
RequireDnsAsCn— (Boolean)Include the DNS as common name in the subject name.
RequireEmail— (Boolean)Include the subject's email in the subject name.
SanRequireDirectoryGuid— (Boolean)Include the globally unique identifier (GUID) in the subject alternate name.
SanRequireDns— (Boolean)Include the DNS in the subject alternate name.
SanRequireDomainDns— (Boolean)Include the domain DNS in the subject alternate name.
SanRequireEmail— (Boolean)Include the subject's email in the subject alternate name.
SanRequireSpn— (Boolean)Include the service principal name (SPN) in the subject alternate name.
SanRequireUpn— (Boolean)Include the user principal name (UPN) in the subject alternate name.
SupersededTemplates— (Array<String>)List of templates in Active Directory that are superseded by this template.
TemplateV4— (map)Template configuration to define the information included in certificates. Define certificate validity and renewal periods, certificate request handling and enrollment options, key usage extensions, application policies, and cryptography settings.
CertificateValidity— required — (map)Certificate validity describes the validity and renewal periods of a certificate.
RenewalPeriod— required — (map)Renewal period is the period of time before certificate expiration when a new certificate will be requested.
Period— required — (Integer)The numeric value for the validity period.
PeriodType— required — (String)The unit of time. You can select hours, days, weeks, months, and years.
Possible values include:"HOURS""DAYS""WEEKS""MONTHS""YEARS"
ValidityPeriod— required — (map)Information describing the end of the validity period of the certificate. This parameter sets the “Not After” date for the certificate. Certificate validity is the period of time during which a certificate is valid. Validity can be expressed as an explicit date and time when the certificate expires, or as a span of time after issuance, stated in days, months, or years. For more information, see Validity in RFC 5280. This value is unaffected when ValidityNotBefore is also specified. For example, if Validity is set to 20 days in the future, the certificate will expire 20 days from issuance time regardless of the ValidityNotBefore value.
Period— required — (Integer)The numeric value for the validity period.
PeriodType— required — (String)The unit of time. You can select hours, days, weeks, months, and years.
Possible values include:"HOURS""DAYS""WEEKS""MONTHS""YEARS"
EnrollmentFlags— required — (map)Enrollment flags describe the enrollment settings for certificates using the existing private key and deleting expired or revoked certificates.
EnableKeyReuseOnNtTokenKeysetStorageFull— (Boolean)Allow renewal using the same key.
IncludeSymmetricAlgorithms— (Boolean)Include symmetric algorithms allowed by the subject.
NoSecurityExtension— (Boolean)This flag instructs the CA to not include the security extension szOID_NTDS_CA_SECURITY_EXT (OID:1.3.6.1.4.1.311.25.2), as specified in [MS-WCCE] sections 2.2.2.7.7.4 and 3.2.2.6.2.1.4.5.9, in the issued certificate. This addresses a Windows Kerberos elevation-of-privilege vulnerability.
RemoveInvalidCertificateFromPersonalStore— (Boolean)Delete expired or revoked certificates instead of archiving them.
UserInteractionRequired— (Boolean)Require user interaction when the subject is enrolled and the private key associated with the certificate is used.
Extensions— required — (map)Extensions describe the key usage extensions and application policies for a template.
ApplicationPolicies— (map)Application policies specify what the certificate is used for and its purpose.
Critical— (Boolean)Marks the application policy extension as critical.
Policies— required — (Array<map>)Application policies describe what the certificate can be used for.
PolicyObjectIdentifier— (String)The object identifier (OID) of an application policy.
PolicyType— (String)The type of application policy
Possible values include:"ALL_APPLICATION_POLICIES""ANY_PURPOSE""ATTESTATION_IDENTITY_KEY_CERTIFICATE""CERTIFICATE_REQUEST_AGENT""CLIENT_AUTHENTICATION""CODE_SIGNING""CTL_USAGE""DIGITAL_RIGHTS""DIRECTORY_SERVICE_EMAIL_REPLICATION""DISALLOWED_LIST""DNS_SERVER_TRUST""DOCUMENT_ENCRYPTION""DOCUMENT_SIGNING""DYNAMIC_CODE_GENERATOR""EARLY_LAUNCH_ANTIMALWARE_DRIVER""EMBEDDED_WINDOWS_SYSTEM_COMPONENT_VERIFICATION""ENCLAVE""ENCRYPTING_FILE_SYSTEM""ENDORSEMENT_KEY_CERTIFICATE""FILE_RECOVERY""HAL_EXTENSION""IP_SECURITY_END_SYSTEM""IP_SECURITY_IKE_INTERMEDIATE""IP_SECURITY_TUNNEL_TERMINATION""IP_SECURITY_USER""ISOLATED_USER_MODE""KDC_AUTHENTICATION""KERNEL_MODE_CODE_SIGNING""KEY_PACK_LICENSES""KEY_RECOVERY""KEY_RECOVERY_AGENT""LICENSE_SERVER_VERIFICATION""LIFETIME_SIGNING""MICROSOFT_PUBLISHER""MICROSOFT_TIME_STAMPING""MICROSOFT_TRUST_LIST_SIGNING""OCSP_SIGNING""OEM_WINDOWS_SYSTEM_COMPONENT_VERIFICATION""PLATFORM_CERTIFICATE""PREVIEW_BUILD_SIGNING""PRIVATE_KEY_ARCHIVAL""PROTECTED_PROCESS_LIGHT_VERIFICATION""PROTECTED_PROCESS_VERIFICATION""QUALIFIED_SUBORDINATION""REVOKED_LIST_SIGNER""ROOT_PROGRAM_AUTO_UPDATE_CA_REVOCATION""ROOT_PROGRAM_AUTO_UPDATE_END_REVOCATION""ROOT_PROGRAM_NO_OSCP_FAILOVER_TO_CRL""ROOT_LIST_SIGNER""SECURE_EMAIL""SERVER_AUTHENTICATION""SMART_CARD_LOGIN""SPC_ENCRYPTED_DIGEST_RETRY_COUNT""SPC_RELAXED_PE_MARKER_CHECK""TIME_STAMPING""WINDOWS_HARDWARE_DRIVER_ATTESTED_VERIFICATION""WINDOWS_HARDWARE_DRIVER_EXTENDED_VERIFICATION""WINDOWS_HARDWARE_DRIVER_VERIFICATION""WINDOWS_HELLO_RECOVERY_KEY_ENCRYPTION""WINDOWS_KITS_COMPONENT""WINDOWS_RT_VERIFICATION""WINDOWS_SOFTWARE_EXTENSION_VERIFICATION""WINDOWS_STORE""WINDOWS_SYSTEM_COMPONENT_VERIFICATION""WINDOWS_TCB_COMPONENT""WINDOWS_THIRD_PARTY_APPLICATION_COMPONENT""WINDOWS_UPDATE"
KeyUsage— required — (map)The key usage extension defines the purpose (e.g., encipherment, signature) of the key contained in the certificate.
Critical— (Boolean)Sets the key usage extension to critical.
UsageFlags— required — (map)The key usage flags represent the purpose (e.g., encipherment, signature) of the key contained in the certificate.
DataEncipherment— (Boolean)DataEncipherment is asserted when the subject public key is used for directly enciphering raw user data without the use of an intermediate symmetric cipher.
DigitalSignature— (Boolean)The digitalSignature is asserted when the subject public key is used for verifying digital signatures.
KeyAgreement— (Boolean)KeyAgreement is asserted when the subject public key is used for key agreement.
KeyEncipherment— (Boolean)KeyEncipherment is asserted when the subject public key is used for enciphering private or secret keys, i.e., for key transport.
NonRepudiation— (Boolean)NonRepudiation is asserted when the subject public key is used to verify digital signatures.
GeneralFlags— required — (map)General flags describe whether the template is used for computers or users and if the template can be used with autoenrollment.
AutoEnrollment— (Boolean)Allows certificate issuance using autoenrollment. Set to TRUE to allow autoenrollment.
MachineType— (Boolean)Defines if the template is for machines or users. Set to TRUE if the template is for machines. Set to FALSE if the template is for users
HashAlgorithm— (String)Specifies the hash algorithm used to hash the private key. Hash algorithm can only be specified when using Key Storage Providers.
Possible values include:"SHA256""SHA384""SHA512"
PrivateKeyAttributes— required — (map)Private key attributes allow you to specify the minimal key length, key spec, key usage, and cryptographic providers for the private key of a certificate for v4 templates. V4 templates allow you to use either Key Storage Providers or Legacy Cryptographic Service Providers. You specify the cryptography provider category in private key flags.
Algorithm— (String)Defines the algorithm used to generate the private key.
Possible values include:"RSA""ECDH_P256""ECDH_P384""ECDH_P521"
CryptoProviders— (Array<String>)Defines the cryptographic providers used to generate the private key.
KeySpec— required — (String)Defines the purpose of the private key. Set it to "KEY_EXCHANGE" or "SIGNATURE" value.
Possible values include:"KEY_EXCHANGE""SIGNATURE"
KeyUsageProperty— (map)The key usage property defines the purpose of the private key contained in the certificate. You can specify specific purposes using property flags or all by using property type ALL.
PropertyFlags— (map)You can specify key usage for encryption, key agreement, and signature. You can use property flags or property type but not both.
Decrypt— (Boolean)Allows key for encryption and decryption.
KeyAgreement— (Boolean)Allows key exchange without encryption.
Sign— (Boolean)Allow key use for digital signature.
PropertyType— (String)You can specify all key usages using property type ALL. You can use property type or property flags but not both.
Possible values include:"ALL"
MinimalKeyLength— required — (Integer)Set the minimum key length of the private key.
PrivateKeyFlags— required — (map)Private key flags for v4 templates specify the client compatibility, if the private key can be exported, if user input is required when using a private key, if an alternate signature algorithm should be used, and if certificates are renewed using the same private key.
ClientVersion— required — (String)Defines the minimum client compatibility.
Possible values include:"WINDOWS_SERVER_2012""WINDOWS_SERVER_2012_R2""WINDOWS_SERVER_2016"
ExportableKey— (Boolean)Allows the private key to be exported.
RequireAlternateSignatureAlgorithm— (Boolean)Requires the PKCS #1 v2.1 signature format for certificates. You should verify that your CA, objects, and applications can accept this signature format.
RequireSameKeyRenewal— (Boolean)Renew certificate using the same private key.
StrongKeyProtectionRequired— (Boolean)Require user input when using the private key for enrollment.
UseLegacyProvider— (Boolean)Specifies the cryptographic service provider category used to generate private keys. Set to TRUE to use Legacy Cryptographic Service Providers and FALSE to use Key Storage Providers.
SubjectNameFlags— required — (map)Subject name flags describe the subject name and subject alternate name that is included in a certificate.
RequireCommonName— (Boolean)Include the common name in the subject name.
RequireDirectoryPath— (Boolean)Include the directory path in the subject name.
RequireDnsAsCn— (Boolean)Include the DNS as common name in the subject name.
RequireEmail— (Boolean)Include the subject's email in the subject name.
SanRequireDirectoryGuid— (Boolean)Include the globally unique identifier (GUID) in the subject alternate name.
SanRequireDns— (Boolean)Include the DNS in the subject alternate name.
SanRequireDomainDns— (Boolean)Include the domain DNS in the subject alternate name.
SanRequireEmail— (Boolean)Include the subject's email in the subject alternate name.
SanRequireSpn— (Boolean)Include the service principal name (SPN) in the subject alternate name.
SanRequireUpn— (Boolean)Include the user principal name (UPN) in the subject alternate name.
SupersededTemplates— (Array<String>)List of templates in Active Directory that are superseded by this template.
Name— (String)Name of the templates. Template names must be unique.
ObjectIdentifier— (String)Object identifier of a template.
PolicySchema— (Integer)The template schema version. Template schema versions can be v2, v3, or v4. The template configuration options change based on the template schema version.
Revision— (map)The version of the template. Template updates will increment the minor revision. Re-enrolling all certificate holders will increment the major revision.
MajorRevision— required — (Integer)The revision version of the template. Re-enrolling all certificate holders will increment the major revision.
MinorRevision— required — (Integer)The revision version of the template. Re-enrolling all certificate holders will increment the major revision.
Status— (String)Status of the template. Status can be creating, active, deleting, or failed.
Possible values include:"ACTIVE""DELETING"
UpdatedAt— (Date)The date and time that the template was updated.
-
(AWS.Response)
—
Returns:
getTemplateGroupAccessControlEntry(params = {}, callback) ⇒ AWS.Request
Retrieves the group access control entries for a template.
Service Reference:
Examples:
Calling the getTemplateGroupAccessControlEntry operation
var params = {
GroupSecurityIdentifier: 'STRING_VALUE', /* required */
TemplateArn: 'STRING_VALUE' /* required */
};
pcaconnectorad.getTemplateGroupAccessControlEntry(params, function(err, data) {
if (err) console.log(err, err.stack); // an error occurred
else console.log(data); // successful response
});Parameters:
-
params
(Object)
(defaults to: {})
—
GroupSecurityIdentifier— (String)Security identifier (SID) of the group object from Active Directory. The SID starts with "S-".
TemplateArn— (String)The Amazon Resource Name (ARN) that was returned when you called CreateTemplate.
Callback (callback):
-
function(err, data) { ... }
Called when a response from the service is returned. If a callback is not supplied, you must call AWS.Request.send() on the returned request object to initiate the request.
Context (this):
-
(AWS.Response)
—
the response object containing error, data properties, and the original request object.
Parameters:
-
err
(Error)
—
the error object returned from the request. Set to
nullif the request is successful. -
data
(Object)
—
the de-serialized data returned from the request. Set to
nullif a request error occurs. Thedataobject has the following properties:AccessControlEntry— (map)An access control entry allows or denies an Active Directory group from enrolling and/or autoenrolling with a template.
AccessRights— (map)Permissions to allow or deny an Active Directory group to enroll or autoenroll certificates issued against a template.
AutoEnroll— (String)Allow or deny an Active Directory group from autoenrolling certificates issued against a template. The Active Directory group must be allowed to enroll to allow autoenrollment
Possible values include:"ALLOW""DENY"
Enroll— (String)Allow or deny an Active Directory group from enrolling certificates issued against a template.
Possible values include:"ALLOW""DENY"
CreatedAt— (Date)The date and time that the Access Control Entry was created.
GroupDisplayName— (String)Name of the Active Directory group. This name does not need to match the group name in Active Directory.
GroupSecurityIdentifier— (String)Security identifier (SID) of the group object from Active Directory. The SID starts with "S-".
TemplateArn— (String)The Amazon Resource Name (ARN) that was returned when you called CreateTemplate.
UpdatedAt— (Date)The date and time that the Access Control Entry was updated.
-
(AWS.Response)
—
Returns:
listConnectors(params = {}, callback) ⇒ AWS.Request
Lists the connectors that you created by using the https://docs.aws.amazon.com/pca-connector-ad/latest/APIReference/API_CreateConnector action.
Service Reference:
Examples:
Calling the listConnectors operation
var params = {
MaxResults: 'NUMBER_VALUE',
NextToken: 'STRING_VALUE'
};
pcaconnectorad.listConnectors(params, function(err, data) {
if (err) console.log(err, err.stack); // an error occurred
else console.log(data); // successful response
});Parameters:
-
params
(Object)
(defaults to: {})
—
MaxResults— (Integer)Use this parameter when paginating results to specify the maximum number of items to return in the response on each page. If additional items exist beyond the number you specify, the
NextTokenelement is sent in the response. Use thisNextTokenvalue in a subsequent request to retrieve additional items.NextToken— (String)Use this parameter when paginating results in a subsequent request after you receive a response with truncated results. Set it to the value of the
NextTokenparameter from the response you just received.
Callback (callback):
-
function(err, data) { ... }
Called when a response from the service is returned. If a callback is not supplied, you must call AWS.Request.send() on the returned request object to initiate the request.
Context (this):
-
(AWS.Response)
—
the response object containing error, data properties, and the original request object.
Parameters:
-
err
(Error)
—
the error object returned from the request. Set to
nullif the request is successful. -
data
(Object)
—
the de-serialized data returned from the request. Set to
nullif a request error occurs. Thedataobject has the following properties:Connectors— (Array<map>)Summary information about each connector you have created.
Arn— (String)The Amazon Resource Name (ARN) that was returned when you called CreateConnector.
CertificateAuthorityArn— (String)The Amazon Resource Name (ARN) of the certificate authority being used.
CertificateEnrollmentPolicyServerEndpoint— (String)Certificate enrollment endpoint for Active Directory domain-joined objects to request certificates.
CreatedAt— (Date)The date and time that the connector was created.
DirectoryId— (String)The identifier of the Active Directory.
Status— (String)Status of the connector. Status can be creating, active, deleting, or failed.
Possible values include:"CREATING""ACTIVE""DELETING""FAILED"
StatusReason— (String)Additional information about the connector status if the status is failed.
Possible values include:"DIRECTORY_ACCESS_DENIED""INTERNAL_FAILURE""PRIVATECA_ACCESS_DENIED""PRIVATECA_RESOURCE_NOT_FOUND""SECURITY_GROUP_NOT_IN_VPC""VPC_ACCESS_DENIED""VPC_ENDPOINT_LIMIT_EXCEEDED""VPC_RESOURCE_NOT_FOUND"
UpdatedAt— (Date)The date and time that the connector was updated.
VpcInformation— (map)Information of the VPC and security group(s) used with the connector.
SecurityGroupIds— required — (Array<String>)The security groups used with the connector. You can use a maximum of 4 security groups with a connector.
NextToken— (String)Use this parameter when paginating results in a subsequent request after you receive a response with truncated results. Set it to the value of the NextToken parameter from the response you just received.
-
(AWS.Response)
—
Returns:
listDirectoryRegistrations(params = {}, callback) ⇒ AWS.Request
Lists the directory registrations that you created by using the https://docs.aws.amazon.com/pca-connector-ad/latest/APIReference/API_CreateDirectoryRegistration action.
Service Reference:
Examples:
Calling the listDirectoryRegistrations operation
var params = {
MaxResults: 'NUMBER_VALUE',
NextToken: 'STRING_VALUE'
};
pcaconnectorad.listDirectoryRegistrations(params, function(err, data) {
if (err) console.log(err, err.stack); // an error occurred
else console.log(data); // successful response
});Parameters:
-
params
(Object)
(defaults to: {})
—
MaxResults— (Integer)Use this parameter when paginating results to specify the maximum number of items to return in the response on each page. If additional items exist beyond the number you specify, the
NextTokenelement is sent in the response. Use thisNextTokenvalue in a subsequent request to retrieve additional items.NextToken— (String)Use this parameter when paginating results in a subsequent request after you receive a response with truncated results. Set it to the value of the
NextTokenparameter from the response you just received.
Callback (callback):
-
function(err, data) { ... }
Called when a response from the service is returned. If a callback is not supplied, you must call AWS.Request.send() on the returned request object to initiate the request.
Context (this):
-
(AWS.Response)
—
the response object containing error, data properties, and the original request object.
Parameters:
-
err
(Error)
—
the error object returned from the request. Set to
nullif the request is successful. -
data
(Object)
—
the de-serialized data returned from the request. Set to
nullif a request error occurs. Thedataobject has the following properties:DirectoryRegistrations— (Array<map>)Summary information about each directory registration you have created.
Arn— (String)The Amazon Resource Name (ARN) that was returned when you called CreateDirectoryRegistration.
CreatedAt— (Date)The date and time that the directory registration was created.
DirectoryId— (String)The identifier of the Active Directory.
Status— (String)Status of the directory registration.
Possible values include:"CREATING""ACTIVE""DELETING""FAILED"
StatusReason— (String)Additional information about the directory registration status if the status is failed.
Possible values include:"DIRECTORY_ACCESS_DENIED""DIRECTORY_RESOURCE_NOT_FOUND""DIRECTORY_NOT_ACTIVE""DIRECTORY_NOT_REACHABLE""DIRECTORY_TYPE_NOT_SUPPORTED""INTERNAL_FAILURE"
UpdatedAt— (Date)The date and time that the directory registration was updated.
NextToken— (String)Use this parameter when paginating results in a subsequent request after you receive a response with truncated results. Set it to the value of the
NextTokenparameter from the response you just received.
-
(AWS.Response)
—
Returns:
listServicePrincipalNames(params = {}, callback) ⇒ AWS.Request
Lists the service principal names that the connector uses to authenticate with Active Directory.
Service Reference:
Examples:
Calling the listServicePrincipalNames operation
var params = {
DirectoryRegistrationArn: 'STRING_VALUE', /* required */
MaxResults: 'NUMBER_VALUE',
NextToken: 'STRING_VALUE'
};
pcaconnectorad.listServicePrincipalNames(params, function(err, data) {
if (err) console.log(err, err.stack); // an error occurred
else console.log(data); // successful response
});Parameters:
-
params
(Object)
(defaults to: {})
—
DirectoryRegistrationArn— (String)The Amazon Resource Name (ARN) that was returned when you called CreateDirectoryRegistration.
MaxResults— (Integer)Use this parameter when paginating results to specify the maximum number of items to return in the response on each page. If additional items exist beyond the number you specify, the
NextTokenelement is sent in the response. Use thisNextTokenvalue in a subsequent request to retrieve additional items.NextToken— (String)Use this parameter when paginating results in a subsequent request after you receive a response with truncated results. Set it to the value of the
NextTokenparameter from the response you just received.
Callback (callback):
-
function(err, data) { ... }
Called when a response from the service is returned. If a callback is not supplied, you must call AWS.Request.send() on the returned request object to initiate the request.
Context (this):
-
(AWS.Response)
—
the response object containing error, data properties, and the original request object.
Parameters:
-
err
(Error)
—
the error object returned from the request. Set to
nullif the request is successful. -
data
(Object)
—
the de-serialized data returned from the request. Set to
nullif a request error occurs. Thedataobject has the following properties:NextToken— (String)Use this parameter when paginating results in a subsequent request after you receive a response with truncated results. Set it to the value of the
NextTokenparameter from the response you just received.ServicePrincipalNames— (Array<map>)The service principal name, if any, that the connector uses to authenticate with Active Directory.
ConnectorArn— (String)The Amazon Resource Name (ARN) that was returned when you called CreateConnector.
CreatedAt— (Date)The date and time that the service principal name was created.
DirectoryRegistrationArn— (String)The Amazon Resource Name (ARN) that was returned when you called CreateDirectoryRegistration.
Status— (String)The status of a service principal name.
Possible values include:"CREATING""ACTIVE""DELETING""FAILED"
StatusReason— (String)Additional information for the status of a service principal name if the status is failed.
Possible values include:"DIRECTORY_ACCESS_DENIED""DIRECTORY_NOT_REACHABLE""DIRECTORY_RESOURCE_NOT_FOUND""SPN_EXISTS_ON_DIFFERENT_AD_OBJECT""INTERNAL_FAILURE"
UpdatedAt— (Date)Time when the service principal name was updated.
-
(AWS.Response)
—
Returns:
listTagsForResource(params = {}, callback) ⇒ AWS.Request
Lists the tags, if any, that are associated with your resource.
Service Reference:
Examples:
Calling the listTagsForResource operation
var params = {
ResourceArn: 'STRING_VALUE' /* required */
};
pcaconnectorad.listTagsForResource(params, function(err, data) {
if (err) console.log(err, err.stack); // an error occurred
else console.log(data); // successful response
});Parameters:
-
params
(Object)
(defaults to: {})
—
ResourceArn— (String)The Amazon Resource Name (ARN) that was returned when you created the resource.
Callback (callback):
-
function(err, data) { ... }
Called when a response from the service is returned. If a callback is not supplied, you must call AWS.Request.send() on the returned request object to initiate the request.
Context (this):
-
(AWS.Response)
—
the response object containing error, data properties, and the original request object.
Parameters:
-
err
(Error)
—
the error object returned from the request. Set to
nullif the request is successful. -
data
(Object)
—
the de-serialized data returned from the request. Set to
nullif a request error occurs. Thedataobject has the following properties:Tags— (map<String>)The tags, if any, that are associated with your resource.
-
(AWS.Response)
—
Returns:
listTemplateGroupAccessControlEntries(params = {}, callback) ⇒ AWS.Request
Lists group access control entries you created.
Service Reference:
Examples:
Calling the listTemplateGroupAccessControlEntries operation
var params = {
TemplateArn: 'STRING_VALUE', /* required */
MaxResults: 'NUMBER_VALUE',
NextToken: 'STRING_VALUE'
};
pcaconnectorad.listTemplateGroupAccessControlEntries(params, function(err, data) {
if (err) console.log(err, err.stack); // an error occurred
else console.log(data); // successful response
});Parameters:
-
params
(Object)
(defaults to: {})
—
MaxResults— (Integer)Use this parameter when paginating results to specify the maximum number of items to return in the response on each page. If additional items exist beyond the number you specify, the
NextTokenelement is sent in the response. Use thisNextTokenvalue in a subsequent request to retrieve additional items.NextToken— (String)Use this parameter when paginating results in a subsequent request after you receive a response with truncated results. Set it to the value of the
NextTokenparameter from the response you just received.TemplateArn— (String)The Amazon Resource Name (ARN) that was returned when you called CreateTemplate.
Callback (callback):
-
function(err, data) { ... }
Called when a response from the service is returned. If a callback is not supplied, you must call AWS.Request.send() on the returned request object to initiate the request.
Context (this):
-
(AWS.Response)
—
the response object containing error, data properties, and the original request object.
Parameters:
-
err
(Error)
—
the error object returned from the request. Set to
nullif the request is successful. -
data
(Object)
—
the de-serialized data returned from the request. Set to
nullif a request error occurs. Thedataobject has the following properties:AccessControlEntries— (Array<map>)An access control entry grants or denies permission to an Active Directory group to enroll certificates for a template.
AccessRights— (map)Allow or deny an Active Directory group from enrolling and autoenrolling certificates issued against a template.
AutoEnroll— (String)Allow or deny an Active Directory group from autoenrolling certificates issued against a template. The Active Directory group must be allowed to enroll to allow autoenrollment
Possible values include:"ALLOW""DENY"
Enroll— (String)Allow or deny an Active Directory group from enrolling certificates issued against a template.
Possible values include:"ALLOW""DENY"
CreatedAt— (Date)The date and time that the Access Control Entry was created.
GroupDisplayName— (String)Name of the Active Directory group. This name does not need to match the group name in Active Directory.
GroupSecurityIdentifier— (String)Security identifier (SID) of the group object from Active Directory. The SID starts with "S-".
TemplateArn— (String)The Amazon Resource Name (ARN) that was returned when you called CreateTemplate.
UpdatedAt— (Date)The date and time that the Access Control Entry was updated.
NextToken— (String)Use this parameter when paginating results in a subsequent request after you receive a response with truncated results. Set it to the value of the
NextTokenparameter from the response you just received.
-
(AWS.Response)
—
Returns:
listTemplates(params = {}, callback) ⇒ AWS.Request
Lists the templates, if any, that are associated with a connector.
Service Reference:
Examples:
Calling the listTemplates operation
var params = {
ConnectorArn: 'STRING_VALUE', /* required */
MaxResults: 'NUMBER_VALUE',
NextToken: 'STRING_VALUE'
};
pcaconnectorad.listTemplates(params, function(err, data) {
if (err) console.log(err, err.stack); // an error occurred
else console.log(data); // successful response
});Parameters:
-
params
(Object)
(defaults to: {})
—
ConnectorArn— (String)The Amazon Resource Name (ARN) that was returned when you called CreateConnector.
MaxResults— (Integer)Use this parameter when paginating results to specify the maximum number of items to return in the response on each page. If additional items exist beyond the number you specify, the
NextTokenelement is sent in the response. Use thisNextTokenvalue in a subsequent request to retrieve additional items.NextToken— (String)Use this parameter when paginating results in a subsequent request after you receive a response with truncated results. Set it to the value of the
NextTokenparameter from the response you just received.
Callback (callback):
-
function(err, data) { ... }
Called when a response from the service is returned. If a callback is not supplied, you must call AWS.Request.send() on the returned request object to initiate the request.
Context (this):
-
(AWS.Response)
—
the response object containing error, data properties, and the original request object.
Parameters:
-
err
(Error)
—
the error object returned from the request. Set to
nullif the request is successful. -
data
(Object)
—
the de-serialized data returned from the request. Set to
nullif a request error occurs. Thedataobject has the following properties:NextToken— (String)Use this parameter when paginating results in a subsequent request after you receive a response with truncated results. Set it to the value of the
NextTokenparameter from the response you just received.Templates— (Array<map>)Custom configuration templates used when issuing a certificate.
Arn— (String)The Amazon Resource Name (ARN) that was returned when you called CreateTemplate.
ConnectorArn— (String)The Amazon Resource Name (ARN) that was returned when you called CreateConnector.
CreatedAt— (Date)The date and time that the template was created.
Definition— (map)Template configuration to define the information included in certificates. Define certificate validity and renewal periods, certificate request handling and enrollment options, key usage extensions, application policies, and cryptography settings.
TemplateV2— (map)Template configuration to define the information included in certificates. Define certificate validity and renewal periods, certificate request handling and enrollment options, key usage extensions, application policies, and cryptography settings.
CertificateValidity— required — (map)Certificate validity describes the validity and renewal periods of a certificate.
RenewalPeriod— required — (map)Renewal period is the period of time before certificate expiration when a new certificate will be requested.
Period— required — (Integer)The numeric value for the validity period.
PeriodType— required — (String)The unit of time. You can select hours, days, weeks, months, and years.
Possible values include:"HOURS""DAYS""WEEKS""MONTHS""YEARS"
ValidityPeriod— required — (map)Information describing the end of the validity period of the certificate. This parameter sets the “Not After” date for the certificate. Certificate validity is the period of time during which a certificate is valid. Validity can be expressed as an explicit date and time when the certificate expires, or as a span of time after issuance, stated in days, months, or years. For more information, see Validity in RFC 5280. This value is unaffected when ValidityNotBefore is also specified. For example, if Validity is set to 20 days in the future, the certificate will expire 20 days from issuance time regardless of the ValidityNotBefore value.
Period— required — (Integer)The numeric value for the validity period.
PeriodType— required — (String)The unit of time. You can select hours, days, weeks, months, and years.
Possible values include:"HOURS""DAYS""WEEKS""MONTHS""YEARS"
EnrollmentFlags— required — (map)Enrollment flags describe the enrollment settings for certificates such as using the existing private key and deleting expired or revoked certificates.
EnableKeyReuseOnNtTokenKeysetStorageFull— (Boolean)Allow renewal using the same key.
IncludeSymmetricAlgorithms— (Boolean)Include symmetric algorithms allowed by the subject.
NoSecurityExtension— (Boolean)This flag instructs the CA to not include the security extension szOID_NTDS_CA_SECURITY_EXT (OID:1.3.6.1.4.1.311.25.2), as specified in [MS-WCCE] sections 2.2.2.7.7.4 and 3.2.2.6.2.1.4.5.9, in the issued certificate. This addresses a Windows Kerberos elevation-of-privilege vulnerability.
RemoveInvalidCertificateFromPersonalStore— (Boolean)Delete expired or revoked certificates instead of archiving them.
UserInteractionRequired— (Boolean)Require user interaction when the subject is enrolled and the private key associated with the certificate is used.
Extensions— required — (map)Extensions describe the key usage extensions and application policies for a template.
ApplicationPolicies— (map)Application policies specify what the certificate is used for and its purpose.
Critical— (Boolean)Marks the application policy extension as critical.
Policies— required — (Array<map>)Application policies describe what the certificate can be used for.
PolicyObjectIdentifier— (String)The object identifier (OID) of an application policy.
PolicyType— (String)The type of application policy
Possible values include:"ALL_APPLICATION_POLICIES""ANY_PURPOSE""ATTESTATION_IDENTITY_KEY_CERTIFICATE""CERTIFICATE_REQUEST_AGENT""CLIENT_AUTHENTICATION""CODE_SIGNING""CTL_USAGE""DIGITAL_RIGHTS""DIRECTORY_SERVICE_EMAIL_REPLICATION""DISALLOWED_LIST""DNS_SERVER_TRUST""DOCUMENT_ENCRYPTION""DOCUMENT_SIGNING""DYNAMIC_CODE_GENERATOR""EARLY_LAUNCH_ANTIMALWARE_DRIVER""EMBEDDED_WINDOWS_SYSTEM_COMPONENT_VERIFICATION""ENCLAVE""ENCRYPTING_FILE_SYSTEM""ENDORSEMENT_KEY_CERTIFICATE""FILE_RECOVERY""HAL_EXTENSION""IP_SECURITY_END_SYSTEM""IP_SECURITY_IKE_INTERMEDIATE""IP_SECURITY_TUNNEL_TERMINATION""IP_SECURITY_USER""ISOLATED_USER_MODE""KDC_AUTHENTICATION""KERNEL_MODE_CODE_SIGNING""KEY_PACK_LICENSES""KEY_RECOVERY""KEY_RECOVERY_AGENT""LICENSE_SERVER_VERIFICATION""LIFETIME_SIGNING""MICROSOFT_PUBLISHER""MICROSOFT_TIME_STAMPING""MICROSOFT_TRUST_LIST_SIGNING""OCSP_SIGNING""OEM_WINDOWS_SYSTEM_COMPONENT_VERIFICATION""PLATFORM_CERTIFICATE""PREVIEW_BUILD_SIGNING""PRIVATE_KEY_ARCHIVAL""PROTECTED_PROCESS_LIGHT_VERIFICATION""PROTECTED_PROCESS_VERIFICATION""QUALIFIED_SUBORDINATION""REVOKED_LIST_SIGNER""ROOT_PROGRAM_AUTO_UPDATE_CA_REVOCATION""ROOT_PROGRAM_AUTO_UPDATE_END_REVOCATION""ROOT_PROGRAM_NO_OSCP_FAILOVER_TO_CRL""ROOT_LIST_SIGNER""SECURE_EMAIL""SERVER_AUTHENTICATION""SMART_CARD_LOGIN""SPC_ENCRYPTED_DIGEST_RETRY_COUNT""SPC_RELAXED_PE_MARKER_CHECK""TIME_STAMPING""WINDOWS_HARDWARE_DRIVER_ATTESTED_VERIFICATION""WINDOWS_HARDWARE_DRIVER_EXTENDED_VERIFICATION""WINDOWS_HARDWARE_DRIVER_VERIFICATION""WINDOWS_HELLO_RECOVERY_KEY_ENCRYPTION""WINDOWS_KITS_COMPONENT""WINDOWS_RT_VERIFICATION""WINDOWS_SOFTWARE_EXTENSION_VERIFICATION""WINDOWS_STORE""WINDOWS_SYSTEM_COMPONENT_VERIFICATION""WINDOWS_TCB_COMPONENT""WINDOWS_THIRD_PARTY_APPLICATION_COMPONENT""WINDOWS_UPDATE"
KeyUsage— required — (map)The key usage extension defines the purpose (e.g., encipherment, signature, certificate signing) of the key contained in the certificate.
Critical— (Boolean)Sets the key usage extension to critical.
UsageFlags— required — (map)The key usage flags represent the purpose (e.g., encipherment, signature) of the key contained in the certificate.
DataEncipherment— (Boolean)DataEncipherment is asserted when the subject public key is used for directly enciphering raw user data without the use of an intermediate symmetric cipher.
DigitalSignature— (Boolean)The digitalSignature is asserted when the subject public key is used for verifying digital signatures.
KeyAgreement— (Boolean)KeyAgreement is asserted when the subject public key is used for key agreement.
KeyEncipherment— (Boolean)KeyEncipherment is asserted when the subject public key is used for enciphering private or secret keys, i.e., for key transport.
NonRepudiation— (Boolean)NonRepudiation is asserted when the subject public key is used to verify digital signatures.
GeneralFlags— required — (map)General flags describe whether the template is used for computers or users and if the template can be used with autoenrollment.
AutoEnrollment— (Boolean)Allows certificate issuance using autoenrollment. Set to TRUE to allow autoenrollment.
MachineType— (Boolean)Defines if the template is for machines or users. Set to TRUE if the template is for machines. Set to FALSE if the template is for users.
PrivateKeyAttributes— required — (map)Private key attributes allow you to specify the minimal key length, key spec, and cryptographic providers for the private key of a certificate for v2 templates. V2 templates allow you to use Legacy Cryptographic Service Providers.
CryptoProviders— (Array<String>)Defines the cryptographic providers used to generate the private key.
KeySpec— required — (String)Defines the purpose of the private key. Set it to "KEY_EXCHANGE" or "SIGNATURE" value.
Possible values include:"KEY_EXCHANGE""SIGNATURE"
MinimalKeyLength— required — (Integer)Set the minimum key length of the private key.
PrivateKeyFlags— required — (map)Private key flags for v2 templates specify the client compatibility, if the private key can be exported, and if user input is required when using a private key.
ClientVersion— required — (String)Defines the minimum client compatibility.
Possible values include:"WINDOWS_SERVER_2003""WINDOWS_SERVER_2008""WINDOWS_SERVER_2008_R2""WINDOWS_SERVER_2012""WINDOWS_SERVER_2012_R2""WINDOWS_SERVER_2016"
ExportableKey— (Boolean)Allows the private key to be exported.
StrongKeyProtectionRequired— (Boolean)Require user input when using the private key for enrollment.
SubjectNameFlags— required — (map)Subject name flags describe the subject name and subject alternate name that is included in a certificate.
RequireCommonName— (Boolean)Include the common name in the subject name.
RequireDirectoryPath— (Boolean)Include the directory path in the subject name.
RequireDnsAsCn— (Boolean)Include the DNS as common name in the subject name.
RequireEmail— (Boolean)Include the subject's email in the subject name.
SanRequireDirectoryGuid— (Boolean)Include the globally unique identifier (GUID) in the subject alternate name.
SanRequireDns— (Boolean)Include the DNS in the subject alternate name.
SanRequireDomainDns— (Boolean)Include the domain DNS in the subject alternate name.
SanRequireEmail— (Boolean)Include the subject's email in the subject alternate name.
SanRequireSpn— (Boolean)Include the service principal name (SPN) in the subject alternate name.
SanRequireUpn— (Boolean)Include the user principal name (UPN) in the subject alternate name.
SupersededTemplates— (Array<String>)List of templates in Active Directory that are superseded by this template.
TemplateV3— (map)Template configuration to define the information included in certificates. Define certificate validity and renewal periods, certificate request handling and enrollment options, key usage extensions, application policies, and cryptography settings.
CertificateValidity— required — (map)Certificate validity describes the validity and renewal periods of a certificate.
RenewalPeriod— required — (map)Renewal period is the period of time before certificate expiration when a new certificate will be requested.
Period— required — (Integer)The numeric value for the validity period.
PeriodType— required — (String)The unit of time. You can select hours, days, weeks, months, and years.
Possible values include:"HOURS""DAYS""WEEKS""MONTHS""YEARS"
ValidityPeriod— required — (map)Information describing the end of the validity period of the certificate. This parameter sets the “Not After” date for the certificate. Certificate validity is the period of time during which a certificate is valid. Validity can be expressed as an explicit date and time when the certificate expires, or as a span of time after issuance, stated in days, months, or years. For more information, see Validity in RFC 5280. This value is unaffected when ValidityNotBefore is also specified. For example, if Validity is set to 20 days in the future, the certificate will expire 20 days from issuance time regardless of the ValidityNotBefore value.
Period— required — (Integer)The numeric value for the validity period.
PeriodType— required — (String)The unit of time. You can select hours, days, weeks, months, and years.
Possible values include:"HOURS""DAYS""WEEKS""MONTHS""YEARS"
EnrollmentFlags— required — (map)Enrollment flags describe the enrollment settings for certificates such as using the existing private key and deleting expired or revoked certificates.
EnableKeyReuseOnNtTokenKeysetStorageFull— (Boolean)Allow renewal using the same key.
IncludeSymmetricAlgorithms— (Boolean)Include symmetric algorithms allowed by the subject.
NoSecurityExtension— (Boolean)This flag instructs the CA to not include the security extension szOID_NTDS_CA_SECURITY_EXT (OID:1.3.6.1.4.1.311.25.2), as specified in [MS-WCCE] sections 2.2.2.7.7.4 and 3.2.2.6.2.1.4.5.9, in the issued certificate. This addresses a Windows Kerberos elevation-of-privilege vulnerability.
RemoveInvalidCertificateFromPersonalStore— (Boolean)Delete expired or revoked certificates instead of archiving them.
UserInteractionRequired— (Boolean)Require user interaction when the subject is enrolled and the private key associated with the certificate is used.
Extensions— required — (map)Extensions describe the key usage extensions and application policies for a template.
ApplicationPolicies— (map)Application policies specify what the certificate is used for and its purpose.
Critical— (Boolean)Marks the application policy extension as critical.
Policies— required — (Array<map>)Application policies describe what the certificate can be used for.
PolicyObjectIdentifier— (String)The object identifier (OID) of an application policy.
PolicyType— (String)The type of application policy
Possible values include:"ALL_APPLICATION_POLICIES""ANY_PURPOSE""ATTESTATION_IDENTITY_KEY_CERTIFICATE""CERTIFICATE_REQUEST_AGENT""CLIENT_AUTHENTICATION""CODE_SIGNING""CTL_USAGE""DIGITAL_RIGHTS""DIRECTORY_SERVICE_EMAIL_REPLICATION""DISALLOWED_LIST""DNS_SERVER_TRUST""DOCUMENT_ENCRYPTION""DOCUMENT_SIGNING""DYNAMIC_CODE_GENERATOR""EARLY_LAUNCH_ANTIMALWARE_DRIVER""EMBEDDED_WINDOWS_SYSTEM_COMPONENT_VERIFICATION""ENCLAVE""ENCRYPTING_FILE_SYSTEM""ENDORSEMENT_KEY_CERTIFICATE""FILE_RECOVERY""HAL_EXTENSION""IP_SECURITY_END_SYSTEM""IP_SECURITY_IKE_INTERMEDIATE""IP_SECURITY_TUNNEL_TERMINATION""IP_SECURITY_USER""ISOLATED_USER_MODE""KDC_AUTHENTICATION""KERNEL_MODE_CODE_SIGNING""KEY_PACK_LICENSES""KEY_RECOVERY""KEY_RECOVERY_AGENT""LICENSE_SERVER_VERIFICATION""LIFETIME_SIGNING""MICROSOFT_PUBLISHER""MICROSOFT_TIME_STAMPING""MICROSOFT_TRUST_LIST_SIGNING""OCSP_SIGNING""OEM_WINDOWS_SYSTEM_COMPONENT_VERIFICATION""PLATFORM_CERTIFICATE""PREVIEW_BUILD_SIGNING""PRIVATE_KEY_ARCHIVAL""PROTECTED_PROCESS_LIGHT_VERIFICATION""PROTECTED_PROCESS_VERIFICATION""QUALIFIED_SUBORDINATION""REVOKED_LIST_SIGNER""ROOT_PROGRAM_AUTO_UPDATE_CA_REVOCATION""ROOT_PROGRAM_AUTO_UPDATE_END_REVOCATION""ROOT_PROGRAM_NO_OSCP_FAILOVER_TO_CRL""ROOT_LIST_SIGNER""SECURE_EMAIL""SERVER_AUTHENTICATION""SMART_CARD_LOGIN""SPC_ENCRYPTED_DIGEST_RETRY_COUNT""SPC_RELAXED_PE_MARKER_CHECK""TIME_STAMPING""WINDOWS_HARDWARE_DRIVER_ATTESTED_VERIFICATION""WINDOWS_HARDWARE_DRIVER_EXTENDED_VERIFICATION""WINDOWS_HARDWARE_DRIVER_VERIFICATION""WINDOWS_HELLO_RECOVERY_KEY_ENCRYPTION""WINDOWS_KITS_COMPONENT""WINDOWS_RT_VERIFICATION""WINDOWS_SOFTWARE_EXTENSION_VERIFICATION""WINDOWS_STORE""WINDOWS_SYSTEM_COMPONENT_VERIFICATION""WINDOWS_TCB_COMPONENT""WINDOWS_THIRD_PARTY_APPLICATION_COMPONENT""WINDOWS_UPDATE"
KeyUsage— required — (map)The key usage extension defines the purpose (e.g., encipherment, signature, certificate signing) of the key contained in the certificate.
Critical— (Boolean)Sets the key usage extension to critical.
UsageFlags— required — (map)The key usage flags represent the purpose (e.g., encipherment, signature) of the key contained in the certificate.
DataEncipherment— (Boolean)DataEncipherment is asserted when the subject public key is used for directly enciphering raw user data without the use of an intermediate symmetric cipher.
DigitalSignature— (Boolean)The digitalSignature is asserted when the subject public key is used for verifying digital signatures.
KeyAgreement— (Boolean)KeyAgreement is asserted when the subject public key is used for key agreement.
KeyEncipherment— (Boolean)KeyEncipherment is asserted when the subject public key is used for enciphering private or secret keys, i.e., for key transport.
NonRepudiation— (Boolean)NonRepudiation is asserted when the subject public key is used to verify digital signatures.
GeneralFlags— required — (map)General flags describe whether the template is used for computers or users and if the template can be used with autoenrollment.
AutoEnrollment— (Boolean)Allows certificate issuance using autoenrollment. Set to TRUE to allow autoenrollment.
MachineType— (Boolean)Defines if the template is for machines or users. Set to TRUE if the template is for machines. Set to FALSE if the template is for users
HashAlgorithm— required — (String)Specifies the hash algorithm used to hash the private key.
Possible values include:"SHA256""SHA384""SHA512"
PrivateKeyAttributes— required — (map)Private key attributes allow you to specify the algorithm, minimal key length, key spec, key usage, and cryptographic providers for the private key of a certificate for v3 templates. V3 templates allow you to use Key Storage Providers.
Algorithm— required — (String)Defines the algorithm used to generate the private key.
Possible values include:"RSA""ECDH_P256""ECDH_P384""ECDH_P521"
CryptoProviders— (Array<String>)Defines the cryptographic providers used to generate the private key.
KeySpec— required — (String)Defines the purpose of the private key. Set it to "KEY_EXCHANGE" or "SIGNATURE" value.
Possible values include:"KEY_EXCHANGE""SIGNATURE"
KeyUsageProperty— required — (map)The key usage property defines the purpose of the private key contained in the certificate. You can specify specific purposes using property flags or all by using property type ALL.
PropertyFlags— (map)You can specify key usage for encryption, key agreement, and signature. You can use property flags or property type but not both.
Decrypt— (Boolean)Allows key for encryption and decryption.
KeyAgreement— (Boolean)Allows key exchange without encryption.
Sign— (Boolean)Allow key use for digital signature.
PropertyType— (String)You can specify all key usages using property type ALL. You can use property type or property flags but not both.
Possible values include:"ALL"
MinimalKeyLength— required — (Integer)Set the minimum key length of the private key.
PrivateKeyFlags— required — (map)Private key flags for v3 templates specify the client compatibility, if the private key can be exported, if user input is required when using a private key, and if an alternate signature algorithm should be used.
ClientVersion— required — (String)Defines the minimum client compatibility.
Possible values include:"WINDOWS_SERVER_2008""WINDOWS_SERVER_2008_R2""WINDOWS_SERVER_2012""WINDOWS_SERVER_2012_R2""WINDOWS_SERVER_2016"
ExportableKey— (Boolean)Allows the private key to be exported.
RequireAlternateSignatureAlgorithm— (Boolean)Reguires the PKCS #1 v2.1 signature format for certificates. You should verify that your CA, objects, and applications can accept this signature format.
StrongKeyProtectionRequired— (Boolean)Requirer user input when using the private key for enrollment.
SubjectNameFlags— required — (map)Subject name flags describe the subject name and subject alternate name that is included in a certificate.
RequireCommonName— (Boolean)Include the common name in the subject name.
RequireDirectoryPath— (Boolean)Include the directory path in the subject name.
RequireDnsAsCn— (Boolean)Include the DNS as common name in the subject name.
RequireEmail— (Boolean)Include the subject's email in the subject name.
SanRequireDirectoryGuid— (Boolean)Include the globally unique identifier (GUID) in the subject alternate name.
SanRequireDns— (Boolean)Include the DNS in the subject alternate name.
SanRequireDomainDns— (Boolean)Include the domain DNS in the subject alternate name.
SanRequireEmail— (Boolean)Include the subject's email in the subject alternate name.
SanRequireSpn— (Boolean)Include the service principal name (SPN) in the subject alternate name.
SanRequireUpn— (Boolean)Include the user principal name (UPN) in the subject alternate name.
SupersededTemplates— (Array<String>)List of templates in Active Directory that are superseded by this template.
TemplateV4— (map)Template configuration to define the information included in certificates. Define certificate validity and renewal periods, certificate request handling and enrollment options, key usage extensions, application policies, and cryptography settings.
CertificateValidity— required — (map)Certificate validity describes the validity and renewal periods of a certificate.
RenewalPeriod— required — (map)Renewal period is the period of time before certificate expiration when a new certificate will be requested.
Period— required — (Integer)The numeric value for the validity period.
PeriodType— required — (String)The unit of time. You can select hours, days, weeks, months, and years.
Possible values include:"HOURS""DAYS""WEEKS""MONTHS""YEARS"
ValidityPeriod— required — (map)Information describing the end of the validity period of the certificate. This parameter sets the “Not After” date for the certificate. Certificate validity is the period of time during which a certificate is valid. Validity can be expressed as an explicit date and time when the certificate expires, or as a span of time after issuance, stated in days, months, or years. For more information, see Validity in RFC 5280. This value is unaffected when ValidityNotBefore is also specified. For example, if Validity is set to 20 days in the future, the certificate will expire 20 days from issuance time regardless of the ValidityNotBefore value.
Period— required — (Integer)The numeric value for the validity period.
PeriodType— required — (String)The unit of time. You can select hours, days, weeks, months, and years.
Possible values include:"HOURS""DAYS""WEEKS""MONTHS""YEARS"
EnrollmentFlags— required — (map)Enrollment flags describe the enrollment settings for certificates using the existing private key and deleting expired or revoked certificates.
EnableKeyReuseOnNtTokenKeysetStorageFull— (Boolean)Allow renewal using the same key.
IncludeSymmetricAlgorithms— (Boolean)Include symmetric algorithms allowed by the subject.
NoSecurityExtension— (Boolean)This flag instructs the CA to not include the security extension szOID_NTDS_CA_SECURITY_EXT (OID:1.3.6.1.4.1.311.25.2), as specified in [MS-WCCE] sections 2.2.2.7.7.4 and 3.2.2.6.2.1.4.5.9, in the issued certificate. This addresses a Windows Kerberos elevation-of-privilege vulnerability.
RemoveInvalidCertificateFromPersonalStore— (Boolean)Delete expired or revoked certificates instead of archiving them.
UserInteractionRequired— (Boolean)Require user interaction when the subject is enrolled and the private key associated with the certificate is used.
Extensions— required — (map)Extensions describe the key usage extensions and application policies for a template.
ApplicationPolicies— (map)Application policies specify what the certificate is used for and its purpose.
Critical— (Boolean)Marks the application policy extension as critical.
Policies— required — (Array<map>)Application policies describe what the certificate can be used for.
PolicyObjectIdentifier— (String)The object identifier (OID) of an application policy.
PolicyType— (String)The type of application policy
Possible values include:"ALL_APPLICATION_POLICIES""ANY_PURPOSE""ATTESTATION_IDENTITY_KEY_CERTIFICATE""CERTIFICATE_REQUEST_AGENT""CLIENT_AUTHENTICATION""CODE_SIGNING""CTL_USAGE""DIGITAL_RIGHTS""DIRECTORY_SERVICE_EMAIL_REPLICATION""DISALLOWED_LIST""DNS_SERVER_TRUST""DOCUMENT_ENCRYPTION""DOCUMENT_SIGNING""DYNAMIC_CODE_GENERATOR""EARLY_LAUNCH_ANTIMALWARE_DRIVER""EMBEDDED_WINDOWS_SYSTEM_COMPONENT_VERIFICATION""ENCLAVE""ENCRYPTING_FILE_SYSTEM""ENDORSEMENT_KEY_CERTIFICATE""FILE_RECOVERY""HAL_EXTENSION""IP_SECURITY_END_SYSTEM""IP_SECURITY_IKE_INTERMEDIATE""IP_SECURITY_TUNNEL_TERMINATION""IP_SECURITY_USER""ISOLATED_USER_MODE""KDC_AUTHENTICATION""KERNEL_MODE_CODE_SIGNING""KEY_PACK_LICENSES""KEY_RECOVERY""KEY_RECOVERY_AGENT""LICENSE_SERVER_VERIFICATION""LIFETIME_SIGNING""MICROSOFT_PUBLISHER""MICROSOFT_TIME_STAMPING""MICROSOFT_TRUST_LIST_SIGNING""OCSP_SIGNING""OEM_WINDOWS_SYSTEM_COMPONENT_VERIFICATION""PLATFORM_CERTIFICATE""PREVIEW_BUILD_SIGNING""PRIVATE_KEY_ARCHIVAL""PROTECTED_PROCESS_LIGHT_VERIFICATION""PROTECTED_PROCESS_VERIFICATION""QUALIFIED_SUBORDINATION""REVOKED_LIST_SIGNER""ROOT_PROGRAM_AUTO_UPDATE_CA_REVOCATION""ROOT_PROGRAM_AUTO_UPDATE_END_REVOCATION""ROOT_PROGRAM_NO_OSCP_FAILOVER_TO_CRL""ROOT_LIST_SIGNER""SECURE_EMAIL""SERVER_AUTHENTICATION""SMART_CARD_LOGIN""SPC_ENCRYPTED_DIGEST_RETRY_COUNT""SPC_RELAXED_PE_MARKER_CHECK""TIME_STAMPING""WINDOWS_HARDWARE_DRIVER_ATTESTED_VERIFICATION""WINDOWS_HARDWARE_DRIVER_EXTENDED_VERIFICATION""WINDOWS_HARDWARE_DRIVER_VERIFICATION""WINDOWS_HELLO_RECOVERY_KEY_ENCRYPTION""WINDOWS_KITS_COMPONENT""WINDOWS_RT_VERIFICATION""WINDOWS_SOFTWARE_EXTENSION_VERIFICATION""WINDOWS_STORE""WINDOWS_SYSTEM_COMPONENT_VERIFICATION""WINDOWS_TCB_COMPONENT""WINDOWS_THIRD_PARTY_APPLICATION_COMPONENT""WINDOWS_UPDATE"
KeyUsage— required — (map)The key usage extension defines the purpose (e.g., encipherment, signature) of the key contained in the certificate.
Critical— (Boolean)Sets the key usage extension to critical.
UsageFlags— required — (map)The key usage flags represent the purpose (e.g., encipherment, signature) of the key contained in the certificate.
DataEncipherment— (Boolean)DataEncipherment is asserted when the subject public key is used for directly enciphering raw user data without the use of an intermediate symmetric cipher.
DigitalSignature— (Boolean)The digitalSignature is asserted when the subject public key is used for verifying digital signatures.
KeyAgreement— (Boolean)KeyAgreement is asserted when the subject public key is used for key agreement.
KeyEncipherment— (Boolean)KeyEncipherment is asserted when the subject public key is used for enciphering private or secret keys, i.e., for key transport.
NonRepudiation— (Boolean)NonRepudiation is asserted when the subject public key is used to verify digital signatures.
GeneralFlags— required — (map)General flags describe whether the template is used for computers or users and if the template can be used with autoenrollment.
AutoEnrollment— (Boolean)Allows certificate issuance using autoenrollment. Set to TRUE to allow autoenrollment.
MachineType— (Boolean)Defines if the template is for machines or users. Set to TRUE if the template is for machines. Set to FALSE if the template is for users
HashAlgorithm— (String)Specifies the hash algorithm used to hash the private key. Hash algorithm can only be specified when using Key Storage Providers.
Possible values include:"SHA256""SHA384""SHA512"
PrivateKeyAttributes— required — (map)Private key attributes allow you to specify the minimal key length, key spec, key usage, and cryptographic providers for the private key of a certificate for v4 templates. V4 templates allow you to use either Key Storage Providers or Legacy Cryptographic Service Providers. You specify the cryptography provider category in private key flags.
Algorithm— (String)Defines the algorithm used to generate the private key.
Possible values include:"RSA""ECDH_P256""ECDH_P384""ECDH_P521"
CryptoProviders— (Array<String>)Defines the cryptographic providers used to generate the private key.
KeySpec— required — (String)Defines the purpose of the private key. Set it to "KEY_EXCHANGE" or "SIGNATURE" value.
Possible values include:"KEY_EXCHANGE""SIGNATURE"
KeyUsageProperty— (map)The key usage property defines the purpose of the private key contained in the certificate. You can specify specific purposes using property flags or all by using property type ALL.
PropertyFlags— (map)You can specify key usage for encryption, key agreement, and signature. You can use property flags or property type but not both.
Decrypt— (Boolean)Allows key for encryption and decryption.
KeyAgreement— (Boolean)Allows key exchange without encryption.
Sign— (Boolean)Allow key use for digital signature.
PropertyType— (String)You can specify all key usages using property type ALL. You can use property type or property flags but not both.
Possible values include:"ALL"
MinimalKeyLength— required — (Integer)Set the minimum key length of the private key.
PrivateKeyFlags— required — (map)Private key flags for v4 templates specify the client compatibility, if the private key can be exported, if user input is required when using a private key, if an alternate signature algorithm should be used, and if certificates are renewed using the same private key.
ClientVersion— required — (String)Defines the minimum client compatibility.
Possible values include:"WINDOWS_SERVER_2012""WINDOWS_SERVER_2012_R2""WINDOWS_SERVER_2016"
ExportableKey— (Boolean)Allows the private key to be exported.
RequireAlternateSignatureAlgorithm— (Boolean)Requires the PKCS #1 v2.1 signature format for certificates. You should verify that your CA, objects, and applications can accept this signature format.
RequireSameKeyRenewal— (Boolean)Renew certificate using the same private key.
StrongKeyProtectionRequired— (Boolean)Require user input when using the private key for enrollment.
UseLegacyProvider— (Boolean)Specifies the cryptographic service provider category used to generate private keys. Set to TRUE to use Legacy Cryptographic Service Providers and FALSE to use Key Storage Providers.
SubjectNameFlags— required — (map)Subject name flags describe the subject name and subject alternate name that is included in a certificate.
RequireCommonName— (Boolean)Include the common name in the subject name.
RequireDirectoryPath— (Boolean)Include the directory path in the subject name.
RequireDnsAsCn— (Boolean)Include the DNS as common name in the subject name.
RequireEmail— (Boolean)Include the subject's email in the subject name.
SanRequireDirectoryGuid— (Boolean)Include the globally unique identifier (GUID) in the subject alternate name.
SanRequireDns— (Boolean)Include the DNS in the subject alternate name.
SanRequireDomainDns— (Boolean)Include the domain DNS in the subject alternate name.
SanRequireEmail— (Boolean)Include the subject's email in the subject alternate name.
SanRequireSpn— (Boolean)Include the service principal name (SPN) in the subject alternate name.
SanRequireUpn— (Boolean)Include the user principal name (UPN) in the subject alternate name.
SupersededTemplates— (Array<String>)List of templates in Active Directory that are superseded by this template.
Name— (String)Name of the template. The template name must be unique.
ObjectIdentifier— (String)Object identifier of a template.
PolicySchema— (Integer)The template schema version. Template schema versions can be v2, v3, or v4. The template configuration options change based on the template schema version.
Revision— (map)The revision version of the template. Template updates will increment the minor revision. Re-enrolling all certificate holders will increment the major revision.
MajorRevision— required — (Integer)The revision version of the template. Re-enrolling all certificate holders will increment the major revision.
MinorRevision— required — (Integer)The revision version of the template. Re-enrolling all certificate holders will increment the major revision.
Status— (String)Status of the template. Status can be creating, active, deleting, or failed.
Possible values include:"ACTIVE""DELETING"
UpdatedAt— (Date)The date and time that the template was updated.
-
(AWS.Response)
—
Returns:
tagResource(params = {}, callback) ⇒ AWS.Request
Adds one or more tags to your resource.
Service Reference:
Examples:
Calling the tagResource operation
var params = {
ResourceArn: 'STRING_VALUE', /* required */
Tags: { /* required */
'<String>': 'STRING_VALUE',
/* '<String>': ... */
}
};
pcaconnectorad.tagResource(params, function(err, data) {
if (err) console.log(err, err.stack); // an error occurred
else console.log(data); // successful response
});Parameters:
-
params
(Object)
(defaults to: {})
—
ResourceArn— (String)The Amazon Resource Name (ARN) that was returned when you created the resource.
Tags— (map<String>)Metadata assigned to a directory registration consisting of a key-value pair.
Callback (callback):
-
function(err, data) { ... }
Called when a response from the service is returned. If a callback is not supplied, you must call AWS.Request.send() on the returned request object to initiate the request.
Context (this):
-
(AWS.Response)
—
the response object containing error, data properties, and the original request object.
Parameters:
-
err
(Error)
—
the error object returned from the request. Set to
nullif the request is successful. -
data
(Object)
—
the de-serialized data returned from the request. Set to
nullif a request error occurs.
-
(AWS.Response)
—
Returns:
untagResource(params = {}, callback) ⇒ AWS.Request
Removes one or more tags from your resource.
Service Reference:
Examples:
Calling the untagResource operation
var params = {
ResourceArn: 'STRING_VALUE', /* required */
TagKeys: [ /* required */
'STRING_VALUE',
/* more items */
]
};
pcaconnectorad.untagResource(params, function(err, data) {
if (err) console.log(err, err.stack); // an error occurred
else console.log(data); // successful response
});Parameters:
-
params
(Object)
(defaults to: {})
—
ResourceArn— (String)The Amazon Resource Name (ARN) that was returned when you created the resource.
TagKeys— (Array<String>)Specifies a list of tag keys that you want to remove from the specified resources.
Callback (callback):
-
function(err, data) { ... }
Called when a response from the service is returned. If a callback is not supplied, you must call AWS.Request.send() on the returned request object to initiate the request.
Context (this):
-
(AWS.Response)
—
the response object containing error, data properties, and the original request object.
Parameters:
-
err
(Error)
—
the error object returned from the request. Set to
nullif the request is successful. -
data
(Object)
—
the de-serialized data returned from the request. Set to
nullif a request error occurs.
-
(AWS.Response)
—
Returns:
updateTemplate(params = {}, callback) ⇒ AWS.Request
Update template configuration to define the information included in certificates.
Service Reference:
Examples:
Calling the updateTemplate operation
var params = {
TemplateArn: 'STRING_VALUE', /* required */
Definition: {
TemplateV2: {
CertificateValidity: { /* required */
RenewalPeriod: { /* required */
Period: 'NUMBER_VALUE', /* required */
PeriodType: HOURS | DAYS | WEEKS | MONTHS | YEARS /* required */
},
ValidityPeriod: { /* required */
Period: 'NUMBER_VALUE', /* required */
PeriodType: HOURS | DAYS | WEEKS | MONTHS | YEARS /* required */
}
},
EnrollmentFlags: { /* required */
EnableKeyReuseOnNtTokenKeysetStorageFull: true || false,
IncludeSymmetricAlgorithms: true || false,
NoSecurityExtension: true || false,
RemoveInvalidCertificateFromPersonalStore: true || false,
UserInteractionRequired: true || false
},
Extensions: { /* required */
KeyUsage: { /* required */
UsageFlags: { /* required */
DataEncipherment: true || false,
DigitalSignature: true || false,
KeyAgreement: true || false,
KeyEncipherment: true || false,
NonRepudiation: true || false
},
Critical: true || false
},
ApplicationPolicies: {
Policies: [ /* required */
{
PolicyObjectIdentifier: 'STRING_VALUE',
PolicyType: ALL_APPLICATION_POLICIES | ANY_PURPOSE | ATTESTATION_IDENTITY_KEY_CERTIFICATE | CERTIFICATE_REQUEST_AGENT | CLIENT_AUTHENTICATION | CODE_SIGNING | CTL_USAGE | DIGITAL_RIGHTS | DIRECTORY_SERVICE_EMAIL_REPLICATION | DISALLOWED_LIST | DNS_SERVER_TRUST | DOCUMENT_ENCRYPTION | DOCUMENT_SIGNING | DYNAMIC_CODE_GENERATOR | EARLY_LAUNCH_ANTIMALWARE_DRIVER | EMBEDDED_WINDOWS_SYSTEM_COMPONENT_VERIFICATION | ENCLAVE | ENCRYPTING_FILE_SYSTEM | ENDORSEMENT_KEY_CERTIFICATE | FILE_RECOVERY | HAL_EXTENSION | IP_SECURITY_END_SYSTEM | IP_SECURITY_IKE_INTERMEDIATE | IP_SECURITY_TUNNEL_TERMINATION | IP_SECURITY_USER | ISOLATED_USER_MODE | KDC_AUTHENTICATION | KERNEL_MODE_CODE_SIGNING | KEY_PACK_LICENSES | KEY_RECOVERY | KEY_RECOVERY_AGENT | LICENSE_SERVER_VERIFICATION | LIFETIME_SIGNING | MICROSOFT_PUBLISHER | MICROSOFT_TIME_STAMPING | MICROSOFT_TRUST_LIST_SIGNING | OCSP_SIGNING | OEM_WINDOWS_SYSTEM_COMPONENT_VERIFICATION | PLATFORM_CERTIFICATE | PREVIEW_BUILD_SIGNING | PRIVATE_KEY_ARCHIVAL | PROTECTED_PROCESS_LIGHT_VERIFICATION | PROTECTED_PROCESS_VERIFICATION | QUALIFIED_SUBORDINATION | REVOKED_LIST_SIGNER | ROOT_PROGRAM_AUTO_UPDATE_CA_REVOCATION | ROOT_PROGRAM_AUTO_UPDATE_END_REVOCATION | ROOT_PROGRAM_NO_OSCP_FAILOVER_TO_CRL | ROOT_LIST_SIGNER | SECURE_EMAIL | SERVER_AUTHENTICATION | SMART_CARD_LOGIN | SPC_ENCRYPTED_DIGEST_RETRY_COUNT | SPC_RELAXED_PE_MARKER_CHECK | TIME_STAMPING | WINDOWS_HARDWARE_DRIVER_ATTESTED_VERIFICATION | WINDOWS_HARDWARE_DRIVER_EXTENDED_VERIFICATION | WINDOWS_HARDWARE_DRIVER_VERIFICATION | WINDOWS_HELLO_RECOVERY_KEY_ENCRYPTION | WINDOWS_KITS_COMPONENT | WINDOWS_RT_VERIFICATION | WINDOWS_SOFTWARE_EXTENSION_VERIFICATION | WINDOWS_STORE | WINDOWS_SYSTEM_COMPONENT_VERIFICATION | WINDOWS_TCB_COMPONENT | WINDOWS_THIRD_PARTY_APPLICATION_COMPONENT | WINDOWS_UPDATE
},
/* more items */
],
Critical: true || false
}
},
GeneralFlags: { /* required */
AutoEnrollment: true || false,
MachineType: true || false
},
PrivateKeyAttributes: { /* required */
KeySpec: KEY_EXCHANGE | SIGNATURE, /* required */
MinimalKeyLength: 'NUMBER_VALUE', /* required */
CryptoProviders: [
'STRING_VALUE',
/* more items */
]
},
PrivateKeyFlags: { /* required */
ClientVersion: WINDOWS_SERVER_2003 | WINDOWS_SERVER_2008 | WINDOWS_SERVER_2008_R2 | WINDOWS_SERVER_2012 | WINDOWS_SERVER_2012_R2 | WINDOWS_SERVER_2016, /* required */
ExportableKey: true || false,
StrongKeyProtectionRequired: true || false
},
SubjectNameFlags: { /* required */
RequireCommonName: true || false,
RequireDirectoryPath: true || false,
RequireDnsAsCn: true || false,
RequireEmail: true || false,
SanRequireDirectoryGuid: true || false,
SanRequireDns: true || false,
SanRequireDomainDns: true || false,
SanRequireEmail: true || false,
SanRequireSpn: true || false,
SanRequireUpn: true || false
},
SupersededTemplates: [
'STRING_VALUE',
/* more items */
]
},
TemplateV3: {
CertificateValidity: { /* required */
RenewalPeriod: { /* required */
Period: 'NUMBER_VALUE', /* required */
PeriodType: HOURS | DAYS | WEEKS | MONTHS | YEARS /* required */
},
ValidityPeriod: { /* required */
Period: 'NUMBER_VALUE', /* required */
PeriodType: HOURS | DAYS | WEEKS | MONTHS | YEARS /* required */
}
},
EnrollmentFlags: { /* required */
EnableKeyReuseOnNtTokenKeysetStorageFull: true || false,
IncludeSymmetricAlgorithms: true || false,
NoSecurityExtension: true || false,
RemoveInvalidCertificateFromPersonalStore: true || false,
UserInteractionRequired: true || false
},
Extensions: { /* required */
KeyUsage: { /* required */
UsageFlags: { /* required */
DataEncipherment: true || false,
DigitalSignature: true || false,
KeyAgreement: true || false,
KeyEncipherment: true || false,
NonRepudiation: true || false
},
Critical: true || false
},
ApplicationPolicies: {
Policies: [ /* required */
{
PolicyObjectIdentifier: 'STRING_VALUE',
PolicyType: ALL_APPLICATION_POLICIES | ANY_PURPOSE | ATTESTATION_IDENTITY_KEY_CERTIFICATE | CERTIFICATE_REQUEST_AGENT | CLIENT_AUTHENTICATION | CODE_SIGNING | CTL_USAGE | DIGITAL_RIGHTS | DIRECTORY_SERVICE_EMAIL_REPLICATION | DISALLOWED_LIST | DNS_SERVER_TRUST | DOCUMENT_ENCRYPTION | DOCUMENT_SIGNING | DYNAMIC_CODE_GENERATOR | EARLY_LAUNCH_ANTIMALWARE_DRIVER | EMBEDDED_WINDOWS_SYSTEM_COMPONENT_VERIFICATION | ENCLAVE | ENCRYPTING_FILE_SYSTEM | ENDORSEMENT_KEY_CERTIFICATE | FILE_RECOVERY | HAL_EXTENSION | IP_SECURITY_END_SYSTEM | IP_SECURITY_IKE_INTERMEDIATE | IP_SECURITY_TUNNEL_TERMINATION | IP_SECURITY_USER | ISOLATED_USER_MODE | KDC_AUTHENTICATION | KERNEL_MODE_CODE_SIGNING | KEY_PACK_LICENSES | KEY_RECOVERY | KEY_RECOVERY_AGENT | LICENSE_SERVER_VERIFICATION | LIFETIME_SIGNING | MICROSOFT_PUBLISHER | MICROSOFT_TIME_STAMPING | MICROSOFT_TRUST_LIST_SIGNING | OCSP_SIGNING | OEM_WINDOWS_SYSTEM_COMPONENT_VERIFICATION | PLATFORM_CERTIFICATE | PREVIEW_BUILD_SIGNING | PRIVATE_KEY_ARCHIVAL | PROTECTED_PROCESS_LIGHT_VERIFICATION | PROTECTED_PROCESS_VERIFICATION | QUALIFIED_SUBORDINATION | REVOKED_LIST_SIGNER | ROOT_PROGRAM_AUTO_UPDATE_CA_REVOCATION | ROOT_PROGRAM_AUTO_UPDATE_END_REVOCATION | ROOT_PROGRAM_NO_OSCP_FAILOVER_TO_CRL | ROOT_LIST_SIGNER | SECURE_EMAIL | SERVER_AUTHENTICATION | SMART_CARD_LOGIN | SPC_ENCRYPTED_DIGEST_RETRY_COUNT | SPC_RELAXED_PE_MARKER_CHECK | TIME_STAMPING | WINDOWS_HARDWARE_DRIVER_ATTESTED_VERIFICATION | WINDOWS_HARDWARE_DRIVER_EXTENDED_VERIFICATION | WINDOWS_HARDWARE_DRIVER_VERIFICATION | WINDOWS_HELLO_RECOVERY_KEY_ENCRYPTION | WINDOWS_KITS_COMPONENT | WINDOWS_RT_VERIFICATION | WINDOWS_SOFTWARE_EXTENSION_VERIFICATION | WINDOWS_STORE | WINDOWS_SYSTEM_COMPONENT_VERIFICATION | WINDOWS_TCB_COMPONENT | WINDOWS_THIRD_PARTY_APPLICATION_COMPONENT | WINDOWS_UPDATE
},
/* more items */
],
Critical: true || false
}
},
GeneralFlags: { /* required */
AutoEnrollment: true || false,
MachineType: true || false
},
HashAlgorithm: SHA256 | SHA384 | SHA512, /* required */
PrivateKeyAttributes: { /* required */
Algorithm: RSA | ECDH_P256 | ECDH_P384 | ECDH_P521, /* required */
KeySpec: KEY_EXCHANGE | SIGNATURE, /* required */
KeyUsageProperty: { /* required */
PropertyFlags: {
Decrypt: true || false,
KeyAgreement: true || false,
Sign: true || false
},
PropertyType: ALL
},
MinimalKeyLength: 'NUMBER_VALUE', /* required */
CryptoProviders: [
'STRING_VALUE',
/* more items */
]
},
PrivateKeyFlags: { /* required */
ClientVersion: WINDOWS_SERVER_2008 | WINDOWS_SERVER_2008_R2 | WINDOWS_SERVER_2012 | WINDOWS_SERVER_2012_R2 | WINDOWS_SERVER_2016, /* required */
ExportableKey: true || false,
RequireAlternateSignatureAlgorithm: true || false,
StrongKeyProtectionRequired: true || false
},
SubjectNameFlags: { /* required */
RequireCommonName: true || false,
RequireDirectoryPath: true || false,
RequireDnsAsCn: true || false,
RequireEmail: true || false,
SanRequireDirectoryGuid: true || false,
SanRequireDns: true || false,
SanRequireDomainDns: true || false,
SanRequireEmail: true || false,
SanRequireSpn: true || false,
SanRequireUpn: true || false
},
SupersededTemplates: [
'STRING_VALUE',
/* more items */
]
},
TemplateV4: {
CertificateValidity: { /* required */
RenewalPeriod: { /* required */
Period: 'NUMBER_VALUE', /* required */
PeriodType: HOURS | DAYS | WEEKS | MONTHS | YEARS /* required */
},
ValidityPeriod: { /* required */
Period: 'NUMBER_VALUE', /* required */
PeriodType: HOURS | DAYS | WEEKS | MONTHS | YEARS /* required */
}
},
EnrollmentFlags: { /* required */
EnableKeyReuseOnNtTokenKeysetStorageFull: true || false,
IncludeSymmetricAlgorithms: true || false,
NoSecurityExtension: true || false,
RemoveInvalidCertificateFromPersonalStore: true || false,
UserInteractionRequired: true || false
},
Extensions: { /* required */
KeyUsage: { /* required */
UsageFlags: { /* required */
DataEncipherment: true || false,
DigitalSignature: true || false,
KeyAgreement: true || false,
KeyEncipherment: true || false,
NonRepudiation: true || false
},
Critical: true || false
},
ApplicationPolicies: {
Policies: [ /* required */
{
PolicyObjectIdentifier: 'STRING_VALUE',
PolicyType: ALL_APPLICATION_POLICIES | ANY_PURPOSE | ATTESTATION_IDENTITY_KEY_CERTIFICATE | CERTIFICATE_REQUEST_AGENT | CLIENT_AUTHENTICATION | CODE_SIGNING | CTL_USAGE | DIGITAL_RIGHTS | DIRECTORY_SERVICE_EMAIL_REPLICATION | DISALLOWED_LIST | DNS_SERVER_TRUST | DOCUMENT_ENCRYPTION | DOCUMENT_SIGNING | DYNAMIC_CODE_GENERATOR | EARLY_LAUNCH_ANTIMALWARE_DRIVER | EMBEDDED_WINDOWS_SYSTEM_COMPONENT_VERIFICATION | ENCLAVE | ENCRYPTING_FILE_SYSTEM | ENDORSEMENT_KEY_CERTIFICATE | FILE_RECOVERY | HAL_EXTENSION | IP_SECURITY_END_SYSTEM | IP_SECURITY_IKE_INTERMEDIATE | IP_SECURITY_TUNNEL_TERMINATION | IP_SECURITY_USER | ISOLATED_USER_MODE | KDC_AUTHENTICATION | KERNEL_MODE_CODE_SIGNING | KEY_PACK_LICENSES | KEY_RECOVERY | KEY_RECOVERY_AGENT | LICENSE_SERVER_VERIFICATION | LIFETIME_SIGNING | MICROSOFT_PUBLISHER | MICROSOFT_TIME_STAMPING | MICROSOFT_TRUST_LIST_SIGNING | OCSP_SIGNING | OEM_WINDOWS_SYSTEM_COMPONENT_VERIFICATION | PLATFORM_CERTIFICATE | PREVIEW_BUILD_SIGNING | PRIVATE_KEY_ARCHIVAL | PROTECTED_PROCESS_LIGHT_VERIFICATION | PROTECTED_PROCESS_VERIFICATION | QUALIFIED_SUBORDINATION | REVOKED_LIST_SIGNER | ROOT_PROGRAM_AUTO_UPDATE_CA_REVOCATION | ROOT_PROGRAM_AUTO_UPDATE_END_REVOCATION | ROOT_PROGRAM_NO_OSCP_FAILOVER_TO_CRL | ROOT_LIST_SIGNER | SECURE_EMAIL | SERVER_AUTHENTICATION | SMART_CARD_LOGIN | SPC_ENCRYPTED_DIGEST_RETRY_COUNT | SPC_RELAXED_PE_MARKER_CHECK | TIME_STAMPING | WINDOWS_HARDWARE_DRIVER_ATTESTED_VERIFICATION | WINDOWS_HARDWARE_DRIVER_EXTENDED_VERIFICATION | WINDOWS_HARDWARE_DRIVER_VERIFICATION | WINDOWS_HELLO_RECOVERY_KEY_ENCRYPTION | WINDOWS_KITS_COMPONENT | WINDOWS_RT_VERIFICATION | WINDOWS_SOFTWARE_EXTENSION_VERIFICATION | WINDOWS_STORE | WINDOWS_SYSTEM_COMPONENT_VERIFICATION | WINDOWS_TCB_COMPONENT | WINDOWS_THIRD_PARTY_APPLICATION_COMPONENT | WINDOWS_UPDATE
},
/* more items */
],
Critical: true || false
}
},
GeneralFlags: { /* required */
AutoEnrollment: true || false,
MachineType: true || false
},
PrivateKeyAttributes: { /* required */
KeySpec: KEY_EXCHANGE | SIGNATURE, /* required */
MinimalKeyLength: 'NUMBER_VALUE', /* required */
Algorithm: RSA | ECDH_P256 | ECDH_P384 | ECDH_P521,
CryptoProviders: [
'STRING_VALUE',
/* more items */
],
KeyUsageProperty: {
PropertyFlags: {
Decrypt: true || false,
KeyAgreement: true || false,
Sign: true || false
},
PropertyType: ALL
}
},
PrivateKeyFlags: { /* required */
ClientVersion: WINDOWS_SERVER_2012 | WINDOWS_SERVER_2012_R2 | WINDOWS_SERVER_2016, /* required */
ExportableKey: true || false,
RequireAlternateSignatureAlgorithm: true || false,
RequireSameKeyRenewal: true || false,
StrongKeyProtectionRequired: true || false,
UseLegacyProvider: true || false
},
SubjectNameFlags: { /* required */
RequireCommonName: true || false,
RequireDirectoryPath: true || false,
RequireDnsAsCn: true || false,
RequireEmail: true || false,
SanRequireDirectoryGuid: true || false,
SanRequireDns: true || false,
SanRequireDomainDns: true || false,
SanRequireEmail: true || false,
SanRequireSpn: true || false,
SanRequireUpn: true || false
},
HashAlgorithm: SHA256 | SHA384 | SHA512,
SupersededTemplates: [
'STRING_VALUE',
/* more items */
]
}
},
ReenrollAllCertificateHolders: true || false
};
pcaconnectorad.updateTemplate(params, function(err, data) {
if (err) console.log(err, err.stack); // an error occurred
else console.log(data); // successful response
});Parameters:
-
params
(Object)
(defaults to: {})
—
Definition— (map)Template configuration to define the information included in certificates. Define certificate validity and renewal periods, certificate request handling and enrollment options, key usage extensions, application policies, and cryptography settings.
TemplateV2— (map)Template configuration to define the information included in certificates. Define certificate validity and renewal periods, certificate request handling and enrollment options, key usage extensions, application policies, and cryptography settings.
CertificateValidity— required — (map)Certificate validity describes the validity and renewal periods of a certificate.
RenewalPeriod— required — (map)Renewal period is the period of time before certificate expiration when a new certificate will be requested.
Period— required — (Integer)The numeric value for the validity period.
PeriodType— required — (String)The unit of time. You can select hours, days, weeks, months, and years.
Possible values include:"HOURS""DAYS""WEEKS""MONTHS""YEARS"
ValidityPeriod— required — (map)Information describing the end of the validity period of the certificate. This parameter sets the “Not After” date for the certificate. Certificate validity is the period of time during which a certificate is valid. Validity can be expressed as an explicit date and time when the certificate expires, or as a span of time after issuance, stated in days, months, or years. For more information, see Validity in RFC 5280. This value is unaffected when ValidityNotBefore is also specified. For example, if Validity is set to 20 days in the future, the certificate will expire 20 days from issuance time regardless of the ValidityNotBefore value.
Period— required — (Integer)The numeric value for the validity period.
PeriodType— required — (String)The unit of time. You can select hours, days, weeks, months, and years.
Possible values include:"HOURS""DAYS""WEEKS""MONTHS""YEARS"
EnrollmentFlags— required — (map)Enrollment flags describe the enrollment settings for certificates such as using the existing private key and deleting expired or revoked certificates.
EnableKeyReuseOnNtTokenKeysetStorageFull— (Boolean)Allow renewal using the same key.
IncludeSymmetricAlgorithms— (Boolean)Include symmetric algorithms allowed by the subject.
NoSecurityExtension— (Boolean)This flag instructs the CA to not include the security extension szOID_NTDS_CA_SECURITY_EXT (OID:1.3.6.1.4.1.311.25.2), as specified in [MS-WCCE] sections 2.2.2.7.7.4 and 3.2.2.6.2.1.4.5.9, in the issued certificate. This addresses a Windows Kerberos elevation-of-privilege vulnerability.
RemoveInvalidCertificateFromPersonalStore— (Boolean)Delete expired or revoked certificates instead of archiving them.
UserInteractionRequired— (Boolean)Require user interaction when the subject is enrolled and the private key associated with the certificate is used.
Extensions— required — (map)Extensions describe the key usage extensions and application policies for a template.
ApplicationPolicies— (map)Application policies specify what the certificate is used for and its purpose.
Critical— (Boolean)Marks the application policy extension as critical.
Policies— required — (Array<map>)Application policies describe what the certificate can be used for.
PolicyObjectIdentifier— (String)The object identifier (OID) of an application policy.
PolicyType— (String)The type of application policy
Possible values include:"ALL_APPLICATION_POLICIES""ANY_PURPOSE""ATTESTATION_IDENTITY_KEY_CERTIFICATE""CERTIFICATE_REQUEST_AGENT""CLIENT_AUTHENTICATION""CODE_SIGNING""CTL_USAGE""DIGITAL_RIGHTS""DIRECTORY_SERVICE_EMAIL_REPLICATION""DISALLOWED_LIST""DNS_SERVER_TRUST""DOCUMENT_ENCRYPTION""DOCUMENT_SIGNING""DYNAMIC_CODE_GENERATOR""EARLY_LAUNCH_ANTIMALWARE_DRIVER""EMBEDDED_WINDOWS_SYSTEM_COMPONENT_VERIFICATION""ENCLAVE""ENCRYPTING_FILE_SYSTEM""ENDORSEMENT_KEY_CERTIFICATE""FILE_RECOVERY""HAL_EXTENSION""IP_SECURITY_END_SYSTEM""IP_SECURITY_IKE_INTERMEDIATE""IP_SECURITY_TUNNEL_TERMINATION""IP_SECURITY_USER""ISOLATED_USER_MODE""KDC_AUTHENTICATION""KERNEL_MODE_CODE_SIGNING""KEY_PACK_LICENSES""KEY_RECOVERY""KEY_RECOVERY_AGENT""LICENSE_SERVER_VERIFICATION""LIFETIME_SIGNING""MICROSOFT_PUBLISHER""MICROSOFT_TIME_STAMPING""MICROSOFT_TRUST_LIST_SIGNING""OCSP_SIGNING""OEM_WINDOWS_SYSTEM_COMPONENT_VERIFICATION""PLATFORM_CERTIFICATE""PREVIEW_BUILD_SIGNING""PRIVATE_KEY_ARCHIVAL""PROTECTED_PROCESS_LIGHT_VERIFICATION""PROTECTED_PROCESS_VERIFICATION""QUALIFIED_SUBORDINATION""REVOKED_LIST_SIGNER""ROOT_PROGRAM_AUTO_UPDATE_CA_REVOCATION""ROOT_PROGRAM_AUTO_UPDATE_END_REVOCATION""ROOT_PROGRAM_NO_OSCP_FAILOVER_TO_CRL""ROOT_LIST_SIGNER""SECURE_EMAIL""SERVER_AUTHENTICATION""SMART_CARD_LOGIN""SPC_ENCRYPTED_DIGEST_RETRY_COUNT""SPC_RELAXED_PE_MARKER_CHECK""TIME_STAMPING""WINDOWS_HARDWARE_DRIVER_ATTESTED_VERIFICATION""WINDOWS_HARDWARE_DRIVER_EXTENDED_VERIFICATION""WINDOWS_HARDWARE_DRIVER_VERIFICATION""WINDOWS_HELLO_RECOVERY_KEY_ENCRYPTION""WINDOWS_KITS_COMPONENT""WINDOWS_RT_VERIFICATION""WINDOWS_SOFTWARE_EXTENSION_VERIFICATION""WINDOWS_STORE""WINDOWS_SYSTEM_COMPONENT_VERIFICATION""WINDOWS_TCB_COMPONENT""WINDOWS_THIRD_PARTY_APPLICATION_COMPONENT""WINDOWS_UPDATE"
KeyUsage— required — (map)The key usage extension defines the purpose (e.g., encipherment, signature, certificate signing) of the key contained in the certificate.
Critical— (Boolean)Sets the key usage extension to critical.
UsageFlags— required — (map)The key usage flags represent the purpose (e.g., encipherment, signature) of the key contained in the certificate.
DataEncipherment— (Boolean)DataEncipherment is asserted when the subject public key is used for directly enciphering raw user data without the use of an intermediate symmetric cipher.
DigitalSignature— (Boolean)The digitalSignature is asserted when the subject public key is used for verifying digital signatures.
KeyAgreement— (Boolean)KeyAgreement is asserted when the subject public key is used for key agreement.
KeyEncipherment— (Boolean)KeyEncipherment is asserted when the subject public key is used for enciphering private or secret keys, i.e., for key transport.
NonRepudiation— (Boolean)NonRepudiation is asserted when the subject public key is used to verify digital signatures.
GeneralFlags— required — (map)General flags describe whether the template is used for computers or users and if the template can be used with autoenrollment.
AutoEnrollment— (Boolean)Allows certificate issuance using autoenrollment. Set to TRUE to allow autoenrollment.
MachineType— (Boolean)Defines if the template is for machines or users. Set to TRUE if the template is for machines. Set to FALSE if the template is for users.
PrivateKeyAttributes— required — (map)Private key attributes allow you to specify the minimal key length, key spec, and cryptographic providers for the private key of a certificate for v2 templates. V2 templates allow you to use Legacy Cryptographic Service Providers.
CryptoProviders— (Array<String>)Defines the cryptographic providers used to generate the private key.
KeySpec— required — (String)Defines the purpose of the private key. Set it to "KEY_EXCHANGE" or "SIGNATURE" value.
Possible values include:"KEY_EXCHANGE""SIGNATURE"
MinimalKeyLength— required — (Integer)Set the minimum key length of the private key.
PrivateKeyFlags— required — (map)Private key flags for v2 templates specify the client compatibility, if the private key can be exported, and if user input is required when using a private key.
ClientVersion— required — (String)Defines the minimum client compatibility.
Possible values include:"WINDOWS_SERVER_2003""WINDOWS_SERVER_2008""WINDOWS_SERVER_2008_R2""WINDOWS_SERVER_2012""WINDOWS_SERVER_2012_R2""WINDOWS_SERVER_2016"
ExportableKey— (Boolean)Allows the private key to be exported.
StrongKeyProtectionRequired— (Boolean)Require user input when using the private key for enrollment.
SubjectNameFlags— required — (map)Subject name flags describe the subject name and subject alternate name that is included in a certificate.
RequireCommonName— (Boolean)Include the common name in the subject name.
RequireDirectoryPath— (Boolean)Include the directory path in the subject name.
RequireDnsAsCn— (Boolean)Include the DNS as common name in the subject name.
RequireEmail— (Boolean)Include the subject's email in the subject name.
SanRequireDirectoryGuid— (Boolean)Include the globally unique identifier (GUID) in the subject alternate name.
SanRequireDns— (Boolean)Include the DNS in the subject alternate name.
SanRequireDomainDns— (Boolean)Include the domain DNS in the subject alternate name.
SanRequireEmail— (Boolean)Include the subject's email in the subject alternate name.
SanRequireSpn— (Boolean)Include the service principal name (SPN) in the subject alternate name.
SanRequireUpn— (Boolean)Include the user principal name (UPN) in the subject alternate name.
SupersededTemplates— (Array<String>)List of templates in Active Directory that are superseded by this template.
TemplateV3— (map)Template configuration to define the information included in certificates. Define certificate validity and renewal periods, certificate request handling and enrollment options, key usage extensions, application policies, and cryptography settings.
CertificateValidity— required — (map)Certificate validity describes the validity and renewal periods of a certificate.
RenewalPeriod— required — (map)Renewal period is the period of time before certificate expiration when a new certificate will be requested.
Period— required — (Integer)The numeric value for the validity period.
PeriodType— required — (String)The unit of time. You can select hours, days, weeks, months, and years.
Possible values include:"HOURS""DAYS""WEEKS""MONTHS""YEARS"
ValidityPeriod— required — (map)Information describing the end of the validity period of the certificate. This parameter sets the “Not After” date for the certificate. Certificate validity is the period of time during which a certificate is valid. Validity can be expressed as an explicit date and time when the certificate expires, or as a span of time after issuance, stated in days, months, or years. For more information, see Validity in RFC 5280. This value is unaffected when ValidityNotBefore is also specified. For example, if Validity is set to 20 days in the future, the certificate will expire 20 days from issuance time regardless of the ValidityNotBefore value.
Period— required — (Integer)The numeric value for the validity period.
PeriodType— required — (String)The unit of time. You can select hours, days, weeks, months, and years.
Possible values include:"HOURS""DAYS""WEEKS""MONTHS""YEARS"
EnrollmentFlags— required — (map)Enrollment flags describe the enrollment settings for certificates such as using the existing private key and deleting expired or revoked certificates.
EnableKeyReuseOnNtTokenKeysetStorageFull— (Boolean)Allow renewal using the same key.
IncludeSymmetricAlgorithms— (Boolean)Include symmetric algorithms allowed by the subject.
NoSecurityExtension— (Boolean)This flag instructs the CA to not include the security extension szOID_NTDS_CA_SECURITY_EXT (OID:1.3.6.1.4.1.311.25.2), as specified in [MS-WCCE] sections 2.2.2.7.7.4 and 3.2.2.6.2.1.4.5.9, in the issued certificate. This addresses a Windows Kerberos elevation-of-privilege vulnerability.
RemoveInvalidCertificateFromPersonalStore— (Boolean)Delete expired or revoked certificates instead of archiving them.
UserInteractionRequired— (Boolean)Require user interaction when the subject is enrolled and the private key associated with the certificate is used.
Extensions— required — (map)Extensions describe the key usage extensions and application policies for a template.
ApplicationPolicies— (map)Application policies specify what the certificate is used for and its purpose.
Critical— (Boolean)Marks the application policy extension as critical.
Policies— required — (Array<map>)Application policies describe what the certificate can be used for.
PolicyObjectIdentifier— (String)The object identifier (OID) of an application policy.
PolicyType— (String)The type of application policy
Possible values include:"ALL_APPLICATION_POLICIES""ANY_PURPOSE""ATTESTATION_IDENTITY_KEY_CERTIFICATE""CERTIFICATE_REQUEST_AGENT""CLIENT_AUTHENTICATION""CODE_SIGNING""CTL_USAGE""DIGITAL_RIGHTS""DIRECTORY_SERVICE_EMAIL_REPLICATION""DISALLOWED_LIST""DNS_SERVER_TRUST""DOCUMENT_ENCRYPTION""DOCUMENT_SIGNING""DYNAMIC_CODE_GENERATOR""EARLY_LAUNCH_ANTIMALWARE_DRIVER""EMBEDDED_WINDOWS_SYSTEM_COMPONENT_VERIFICATION""ENCLAVE""ENCRYPTING_FILE_SYSTEM""ENDORSEMENT_KEY_CERTIFICATE""FILE_RECOVERY""HAL_EXTENSION""IP_SECURITY_END_SYSTEM""IP_SECURITY_IKE_INTERMEDIATE""IP_SECURITY_TUNNEL_TERMINATION""IP_SECURITY_USER""ISOLATED_USER_MODE""KDC_AUTHENTICATION""KERNEL_MODE_CODE_SIGNING""KEY_PACK_LICENSES""KEY_RECOVERY""KEY_RECOVERY_AGENT""LICENSE_SERVER_VERIFICATION""LIFETIME_SIGNING""MICROSOFT_PUBLISHER""MICROSOFT_TIME_STAMPING""MICROSOFT_TRUST_LIST_SIGNING""OCSP_SIGNING""OEM_WINDOWS_SYSTEM_COMPONENT_VERIFICATION""PLATFORM_CERTIFICATE""PREVIEW_BUILD_SIGNING""PRIVATE_KEY_ARCHIVAL""PROTECTED_PROCESS_LIGHT_VERIFICATION""PROTECTED_PROCESS_VERIFICATION""QUALIFIED_SUBORDINATION""REVOKED_LIST_SIGNER""ROOT_PROGRAM_AUTO_UPDATE_CA_REVOCATION""ROOT_PROGRAM_AUTO_UPDATE_END_REVOCATION""ROOT_PROGRAM_NO_OSCP_FAILOVER_TO_CRL""ROOT_LIST_SIGNER""SECURE_EMAIL""SERVER_AUTHENTICATION""SMART_CARD_LOGIN""SPC_ENCRYPTED_DIGEST_RETRY_COUNT""SPC_RELAXED_PE_MARKER_CHECK""TIME_STAMPING""WINDOWS_HARDWARE_DRIVER_ATTESTED_VERIFICATION""WINDOWS_HARDWARE_DRIVER_EXTENDED_VERIFICATION""WINDOWS_HARDWARE_DRIVER_VERIFICATION""WINDOWS_HELLO_RECOVERY_KEY_ENCRYPTION""WINDOWS_KITS_COMPONENT""WINDOWS_RT_VERIFICATION""WINDOWS_SOFTWARE_EXTENSION_VERIFICATION""WINDOWS_STORE""WINDOWS_SYSTEM_COMPONENT_VERIFICATION""WINDOWS_TCB_COMPONENT""WINDOWS_THIRD_PARTY_APPLICATION_COMPONENT""WINDOWS_UPDATE"
KeyUsage— required — (map)The key usage extension defines the purpose (e.g., encipherment, signature, certificate signing) of the key contained in the certificate.
Critical— (Boolean)Sets the key usage extension to critical.
UsageFlags— required — (map)The key usage flags represent the purpose (e.g., encipherment, signature) of the key contained in the certificate.
DataEncipherment— (Boolean)DataEncipherment is asserted when the subject public key is used for directly enciphering raw user data without the use of an intermediate symmetric cipher.
DigitalSignature— (Boolean)The digitalSignature is asserted when the subject public key is used for verifying digital signatures.
KeyAgreement— (Boolean)KeyAgreement is asserted when the subject public key is used for key agreement.
KeyEncipherment— (Boolean)KeyEncipherment is asserted when the subject public key is used for enciphering private or secret keys, i.e., for key transport.
NonRepudiation— (Boolean)NonRepudiation is asserted when the subject public key is used to verify digital signatures.
GeneralFlags— required — (map)General flags describe whether the template is used for computers or users and if the template can be used with autoenrollment.
AutoEnrollment— (Boolean)Allows certificate issuance using autoenrollment. Set to TRUE to allow autoenrollment.
MachineType— (Boolean)Defines if the template is for machines or users. Set to TRUE if the template is for machines. Set to FALSE if the template is for users
HashAlgorithm— required — (String)Specifies the hash algorithm used to hash the private key.
Possible values include:"SHA256""SHA384""SHA512"
PrivateKeyAttributes— required — (map)Private key attributes allow you to specify the algorithm, minimal key length, key spec, key usage, and cryptographic providers for the private key of a certificate for v3 templates. V3 templates allow you to use Key Storage Providers.
Algorithm— required — (String)Defines the algorithm used to generate the private key.
Possible values include:"RSA""ECDH_P256""ECDH_P384""ECDH_P521"
CryptoProviders— (Array<String>)Defines the cryptographic providers used to generate the private key.
KeySpec— required — (String)Defines the purpose of the private key. Set it to "KEY_EXCHANGE" or "SIGNATURE" value.
Possible values include:"KEY_EXCHANGE""SIGNATURE"
KeyUsageProperty— required — (map)The key usage property defines the purpose of the private key contained in the certificate. You can specify specific purposes using property flags or all by using property type ALL.
PropertyFlags— (map)You can specify key usage for encryption, key agreement, and signature. You can use property flags or property type but not both.
Decrypt— (Boolean)Allows key for encryption and decryption.
KeyAgreement— (Boolean)Allows key exchange without encryption.
Sign— (Boolean)Allow key use for digital signature.
PropertyType— (String)You can specify all key usages using property type ALL. You can use property type or property flags but not both.
Possible values include:"ALL"
MinimalKeyLength— required — (Integer)Set the minimum key length of the private key.
PrivateKeyFlags— required — (map)Private key flags for v3 templates specify the client compatibility, if the private key can be exported, if user input is required when using a private key, and if an alternate signature algorithm should be used.
ClientVersion— required — (String)Defines the minimum client compatibility.
Possible values include:"WINDOWS_SERVER_2008""WINDOWS_SERVER_2008_R2""WINDOWS_SERVER_2012""WINDOWS_SERVER_2012_R2""WINDOWS_SERVER_2016"
ExportableKey— (Boolean)Allows the private key to be exported.
RequireAlternateSignatureAlgorithm— (Boolean)Reguires the PKCS #1 v2.1 signature format for certificates. You should verify that your CA, objects, and applications can accept this signature format.
StrongKeyProtectionRequired— (Boolean)Requirer user input when using the private key for enrollment.
SubjectNameFlags— required — (map)Subject name flags describe the subject name and subject alternate name that is included in a certificate.
RequireCommonName— (Boolean)Include the common name in the subject name.
RequireDirectoryPath— (Boolean)Include the directory path in the subject name.
RequireDnsAsCn— (Boolean)Include the DNS as common name in the subject name.
RequireEmail— (Boolean)Include the subject's email in the subject name.
SanRequireDirectoryGuid— (Boolean)Include the globally unique identifier (GUID) in the subject alternate name.
SanRequireDns— (Boolean)Include the DNS in the subject alternate name.
SanRequireDomainDns— (Boolean)Include the domain DNS in the subject alternate name.
SanRequireEmail— (Boolean)Include the subject's email in the subject alternate name.
SanRequireSpn— (Boolean)Include the service principal name (SPN) in the subject alternate name.
SanRequireUpn— (Boolean)Include the user principal name (UPN) in the subject alternate name.
SupersededTemplates— (Array<String>)List of templates in Active Directory that are superseded by this template.
TemplateV4— (map)Template configuration to define the information included in certificates. Define certificate validity and renewal periods, certificate request handling and enrollment options, key usage extensions, application policies, and cryptography settings.
CertificateValidity— required — (map)Certificate validity describes the validity and renewal periods of a certificate.
RenewalPeriod— required — (map)Renewal period is the period of time before certificate expiration when a new certificate will be requested.
Period— required — (Integer)The numeric value for the validity period.
PeriodType— required — (String)The unit of time. You can select hours, days, weeks, months, and years.
Possible values include:"HOURS""DAYS""WEEKS""MONTHS""YEARS"
ValidityPeriod— required — (map)Information describing the end of the validity period of the certificate. This parameter sets the “Not After” date for the certificate. Certificate validity is the period of time during which a certificate is valid. Validity can be expressed as an explicit date and time when the certificate expires, or as a span of time after issuance, stated in days, months, or years. For more information, see Validity in RFC 5280. This value is unaffected when ValidityNotBefore is also specified. For example, if Validity is set to 20 days in the future, the certificate will expire 20 days from issuance time regardless of the ValidityNotBefore value.
Period— required — (Integer)The numeric value for the validity period.
PeriodType— required — (String)The unit of time. You can select hours, days, weeks, months, and years.
Possible values include:"HOURS""DAYS""WEEKS""MONTHS""YEARS"
EnrollmentFlags— required — (map)Enrollment flags describe the enrollment settings for certificates using the existing private key and deleting expired or revoked certificates.
EnableKeyReuseOnNtTokenKeysetStorageFull— (Boolean)Allow renewal using the same key.
IncludeSymmetricAlgorithms— (Boolean)Include symmetric algorithms allowed by the subject.
NoSecurityExtension— (Boolean)This flag instructs the CA to not include the security extension szOID_NTDS_CA_SECURITY_EXT (OID:1.3.6.1.4.1.311.25.2), as specified in [MS-WCCE] sections 2.2.2.7.7.4 and 3.2.2.6.2.1.4.5.9, in the issued certificate. This addresses a Windows Kerberos elevation-of-privilege vulnerability.
RemoveInvalidCertificateFromPersonalStore— (Boolean)Delete expired or revoked certificates instead of archiving them.
UserInteractionRequired— (Boolean)Require user interaction when the subject is enrolled and the private key associated with the certificate is used.
Extensions— required — (map)Extensions describe the key usage extensions and application policies for a template.
ApplicationPolicies— (map)Application policies specify what the certificate is used for and its purpose.
Critical— (Boolean)Marks the application policy extension as critical.
Policies— required — (Array<map>)Application policies describe what the certificate can be used for.
PolicyObjectIdentifier— (String)The object identifier (OID) of an application policy.
PolicyType— (String)The type of application policy
Possible values include:"ALL_APPLICATION_POLICIES""ANY_PURPOSE""ATTESTATION_IDENTITY_KEY_CERTIFICATE""CERTIFICATE_REQUEST_AGENT""CLIENT_AUTHENTICATION""CODE_SIGNING""CTL_USAGE""DIGITAL_RIGHTS""DIRECTORY_SERVICE_EMAIL_REPLICATION""DISALLOWED_LIST""DNS_SERVER_TRUST""DOCUMENT_ENCRYPTION""DOCUMENT_SIGNING""DYNAMIC_CODE_GENERATOR""EARLY_LAUNCH_ANTIMALWARE_DRIVER""EMBEDDED_WINDOWS_SYSTEM_COMPONENT_VERIFICATION""ENCLAVE""ENCRYPTING_FILE_SYSTEM""ENDORSEMENT_KEY_CERTIFICATE""FILE_RECOVERY""HAL_EXTENSION""IP_SECURITY_END_SYSTEM""IP_SECURITY_IKE_INTERMEDIATE""IP_SECURITY_TUNNEL_TERMINATION""IP_SECURITY_USER""ISOLATED_USER_MODE""KDC_AUTHENTICATION""KERNEL_MODE_CODE_SIGNING""KEY_PACK_LICENSES""KEY_RECOVERY""KEY_RECOVERY_AGENT""LICENSE_SERVER_VERIFICATION""LIFETIME_SIGNING""MICROSOFT_PUBLISHER""MICROSOFT_TIME_STAMPING""MICROSOFT_TRUST_LIST_SIGNING""OCSP_SIGNING""OEM_WINDOWS_SYSTEM_COMPONENT_VERIFICATION""PLATFORM_CERTIFICATE""PREVIEW_BUILD_SIGNING""PRIVATE_KEY_ARCHIVAL""PROTECTED_PROCESS_LIGHT_VERIFICATION""PROTECTED_PROCESS_VERIFICATION""QUALIFIED_SUBORDINATION""REVOKED_LIST_SIGNER""ROOT_PROGRAM_AUTO_UPDATE_CA_REVOCATION""ROOT_PROGRAM_AUTO_UPDATE_END_REVOCATION""ROOT_PROGRAM_NO_OSCP_FAILOVER_TO_CRL""ROOT_LIST_SIGNER""SECURE_EMAIL""SERVER_AUTHENTICATION""SMART_CARD_LOGIN""SPC_ENCRYPTED_DIGEST_RETRY_COUNT""SPC_RELAXED_PE_MARKER_CHECK""TIME_STAMPING""WINDOWS_HARDWARE_DRIVER_ATTESTED_VERIFICATION""WINDOWS_HARDWARE_DRIVER_EXTENDED_VERIFICATION""WINDOWS_HARDWARE_DRIVER_VERIFICATION""WINDOWS_HELLO_RECOVERY_KEY_ENCRYPTION""WINDOWS_KITS_COMPONENT""WINDOWS_RT_VERIFICATION""WINDOWS_SOFTWARE_EXTENSION_VERIFICATION""WINDOWS_STORE""WINDOWS_SYSTEM_COMPONENT_VERIFICATION""WINDOWS_TCB_COMPONENT""WINDOWS_THIRD_PARTY_APPLICATION_COMPONENT""WINDOWS_UPDATE"
KeyUsage— required — (map)The key usage extension defines the purpose (e.g., encipherment, signature) of the key contained in the certificate.
Critical— (Boolean)Sets the key usage extension to critical.
UsageFlags— required — (map)The key usage flags represent the purpose (e.g., encipherment, signature) of the key contained in the certificate.
DataEncipherment— (Boolean)DataEncipherment is asserted when the subject public key is used for directly enciphering raw user data without the use of an intermediate symmetric cipher.
DigitalSignature— (Boolean)The digitalSignature is asserted when the subject public key is used for verifying digital signatures.
KeyAgreement— (Boolean)KeyAgreement is asserted when the subject public key is used for key agreement.
KeyEncipherment— (Boolean)KeyEncipherment is asserted when the subject public key is used for enciphering private or secret keys, i.e., for key transport.
NonRepudiation— (Boolean)NonRepudiation is asserted when the subject public key is used to verify digital signatures.
GeneralFlags— required — (map)General flags describe whether the template is used for computers or users and if the template can be used with autoenrollment.
AutoEnrollment— (Boolean)Allows certificate issuance using autoenrollment. Set to TRUE to allow autoenrollment.
MachineType— (Boolean)Defines if the template is for machines or users. Set to TRUE if the template is for machines. Set to FALSE if the template is for users
HashAlgorithm— (String)Specifies the hash algorithm used to hash the private key. Hash algorithm can only be specified when using Key Storage Providers.
Possible values include:"SHA256""SHA384""SHA512"
PrivateKeyAttributes— required — (map)Private key attributes allow you to specify the minimal key length, key spec, key usage, and cryptographic providers for the private key of a certificate for v4 templates. V4 templates allow you to use either Key Storage Providers or Legacy Cryptographic Service Providers. You specify the cryptography provider category in private key flags.
Algorithm— (String)Defines the algorithm used to generate the private key.
Possible values include:"RSA""ECDH_P256""ECDH_P384""ECDH_P521"
CryptoProviders— (Array<String>)Defines the cryptographic providers used to generate the private key.
KeySpec— required — (String)Defines the purpose of the private key. Set it to "KEY_EXCHANGE" or "SIGNATURE" value.
Possible values include:"KEY_EXCHANGE""SIGNATURE"
KeyUsageProperty— (map)The key usage property defines the purpose of the private key contained in the certificate. You can specify specific purposes using property flags or all by using property type ALL.
PropertyFlags— (map)You can specify key usage for encryption, key agreement, and signature. You can use property flags or property type but not both.
Decrypt— (Boolean)Allows key for encryption and decryption.
KeyAgreement— (Boolean)Allows key exchange without encryption.
Sign— (Boolean)Allow key use for digital signature.
PropertyType— (String)You can specify all key usages using property type ALL. You can use property type or property flags but not both.
Possible values include:"ALL"
MinimalKeyLength— required — (Integer)Set the minimum key length of the private key.
PrivateKeyFlags— required — (map)Private key flags for v4 templates specify the client compatibility, if the private key can be exported, if user input is required when using a private key, if an alternate signature algorithm should be used, and if certificates are renewed using the same private key.
ClientVersion— required — (String)Defines the minimum client compatibility.
Possible values include:"WINDOWS_SERVER_2012""WINDOWS_SERVER_2012_R2""WINDOWS_SERVER_2016"
ExportableKey— (Boolean)Allows the private key to be exported.
RequireAlternateSignatureAlgorithm— (Boolean)Requires the PKCS #1 v2.1 signature format for certificates. You should verify that your CA, objects, and applications can accept this signature format.
RequireSameKeyRenewal— (Boolean)Renew certificate using the same private key.
StrongKeyProtectionRequired— (Boolean)Require user input when using the private key for enrollment.
UseLegacyProvider— (Boolean)Specifies the cryptographic service provider category used to generate private keys. Set to TRUE to use Legacy Cryptographic Service Providers and FALSE to use Key Storage Providers.
SubjectNameFlags— required — (map)Subject name flags describe the subject name and subject alternate name that is included in a certificate.
RequireCommonName— (Boolean)Include the common name in the subject name.
RequireDirectoryPath— (Boolean)Include the directory path in the subject name.
RequireDnsAsCn— (Boolean)Include the DNS as common name in the subject name.
RequireEmail— (Boolean)Include the subject's email in the subject name.
SanRequireDirectoryGuid— (Boolean)Include the globally unique identifier (GUID) in the subject alternate name.
SanRequireDns— (Boolean)Include the DNS in the subject alternate name.
SanRequireDomainDns— (Boolean)Include the domain DNS in the subject alternate name.
SanRequireEmail— (Boolean)Include the subject's email in the subject alternate name.
SanRequireSpn— (Boolean)Include the service principal name (SPN) in the subject alternate name.
SanRequireUpn— (Boolean)Include the user principal name (UPN) in the subject alternate name.
SupersededTemplates— (Array<String>)List of templates in Active Directory that are superseded by this template.
ReenrollAllCertificateHolders— (Boolean)This setting allows the major version of a template to be increased automatically. All members of Active Directory groups that are allowed to enroll with a template will receive a new certificate issued using that template.
TemplateArn— (String)The Amazon Resource Name (ARN) that was returned when you called CreateTemplate.
Callback (callback):
-
function(err, data) { ... }
Called when a response from the service is returned. If a callback is not supplied, you must call AWS.Request.send() on the returned request object to initiate the request.
Context (this):
-
(AWS.Response)
—
the response object containing error, data properties, and the original request object.
Parameters:
-
err
(Error)
—
the error object returned from the request. Set to
nullif the request is successful. -
data
(Object)
—
the de-serialized data returned from the request. Set to
nullif a request error occurs.
-
(AWS.Response)
—
Returns:
updateTemplateGroupAccessControlEntry(params = {}, callback) ⇒ AWS.Request
Update a group access control entry you created using CreateTemplateGroupAccessControlEntry.
Service Reference:
Examples:
Calling the updateTemplateGroupAccessControlEntry operation
var params = {
GroupSecurityIdentifier: 'STRING_VALUE', /* required */
TemplateArn: 'STRING_VALUE', /* required */
AccessRights: {
AutoEnroll: ALLOW | DENY,
Enroll: ALLOW | DENY
},
GroupDisplayName: 'STRING_VALUE'
};
pcaconnectorad.updateTemplateGroupAccessControlEntry(params, function(err, data) {
if (err) console.log(err, err.stack); // an error occurred
else console.log(data); // successful response
});Parameters:
-
params
(Object)
(defaults to: {})
—
AccessRights— (map)Allow or deny permissions for an Active Directory group to enroll or autoenroll certificates for a template.
AutoEnroll— (String)Allow or deny an Active Directory group from autoenrolling certificates issued against a template. The Active Directory group must be allowed to enroll to allow autoenrollment
Possible values include:"ALLOW""DENY"
Enroll— (String)Allow or deny an Active Directory group from enrolling certificates issued against a template.
Possible values include:"ALLOW""DENY"
GroupDisplayName— (String)Name of the Active Directory group. This name does not need to match the group name in Active Directory.
GroupSecurityIdentifier— (String)Security identifier (SID) of the group object from Active Directory. The SID starts with "S-".
TemplateArn— (String)The Amazon Resource Name (ARN) that was returned when you called CreateTemplate.
Callback (callback):
-
function(err, data) { ... }
Called when a response from the service is returned. If a callback is not supplied, you must call AWS.Request.send() on the returned request object to initiate the request.
Context (this):
-
(AWS.Response)
—
the response object containing error, data properties, and the original request object.
Parameters:
-
err
(Error)
—
the error object returned from the request. Set to
nullif the request is successful. -
data
(Object)
—
the de-serialized data returned from the request. Set to
nullif a request error occurs.
-
(AWS.Response)
—
Returns: