AWS Certificate Manager

2026/06/30 - AWS Certificate Manager - 22 new, 3 updated API methods

Changes: AWS Certificate Manager now supports the Automatic Certificate Management Environment (ACME) protocol to issue public certificates. ACME is an industry-standard protocol for automating certificate lifecycle on customer-managed infrastructure such as on-premises servers and Kubernetes clusters.

ListAcmeExternalAccountBindings (new)

Retrieves a list of external account bindings for the specified ACME endpoint.

See also: AWS API Documentation

Request Syntax

client.list_acme_external_account_bindings(
    NextToken='string',
    MaxResults=123,
    AcmeEndpointArn='string'
)
type NextToken:

string

param NextToken:

A token for pagination.

type MaxResults:

integer

param MaxResults:

The maximum number of results to return.

type AcmeEndpointArn:

string

param AcmeEndpointArn:

[REQUIRED]

The Amazon Resource Name (ARN) of the ACME endpoint.

rtype:

dict

returns:

Response Syntax

{
    'ExternalAccountBindings': [
        {
            'AcmeExternalAccountBindingArn': 'string',
            'AcmeEndpointArn': 'string',
            'RoleArn': 'string',
            'ExpiresAt': datetime(2015, 1, 1),
            'RevokedAt': datetime(2015, 1, 1),
            'LastUsedAt': datetime(2015, 1, 1),
            'CreatedAt': datetime(2015, 1, 1),
            'UpdatedAt': datetime(2015, 1, 1)
        },
    ],
    'NextToken': 'string'
}

Response Structure

  • (dict) --

    • ExternalAccountBindings (list) --

      The list of external account bindings.

      • (dict) --

        Contains summary information about an ACME external account binding.

        • AcmeExternalAccountBindingArn (string) --

          The Amazon Resource Name (ARN) of the ACME external account binding.

        • AcmeEndpointArn (string) --

          The Amazon Resource Name (ARN) of the ACME endpoint.

        • RoleArn (string) --

          The Amazon Resource Name (ARN) of the IAM role associated with the external account binding.

        • ExpiresAt (datetime) --

          The time at which the external account binding expires.

        • RevokedAt (datetime) --

          The time at which the external account binding was revoked.

        • LastUsedAt (datetime) --

          The time at which the external account binding was last used.

        • CreatedAt (datetime) --

          The time at which the external account binding was created.

        • UpdatedAt (datetime) --

          The time at which the external account binding was last updated.

    • NextToken (string) --

      A token for pagination.
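
An added example (not from the AWS documentation): one way to page through ListAcmeExternalAccountBindings with NextToken and flag bindings that deserve review. It uses only the request and response fields shown above; the stub client, sample records, placeholder ARNs and the 30-day threshold are constructed, and it assumes timestamps that do not apply (such as RevokedAt on a live binding) are absent from the record.

```python
from datetime import datetime, timedelta, timezone


def iter_bindings(client, endpoint_arn, page_size=50):
    """Yield every binding for one endpoint, following NextToken until it runs out."""
    kwargs = {"AcmeEndpointArn": endpoint_arn, "MaxResults": page_size}
    while True:
        page = client.list_acme_external_account_bindings(**kwargs)
        yield from page.get("ExternalAccountBindings", [])
        token = page.get("NextToken")
        if not token:
            return
        kwargs["NextToken"] = token


def review_binding(binding, now, stale_after=timedelta(days=30)):
    """Return review findings for one binding record (empty list means nothing to flag)."""
    if binding.get("RevokedAt"):
        return ["revoked"]
    expires = binding.get("ExpiresAt")
    if expires is not None and expires <= now:
        return ["expired"]
    findings = []
    if expires is None:
        findings.append("no-expiry")      # credential that never ages out
    last_used = binding.get("LastUsedAt")
    if last_used is None:
        if now - binding["CreatedAt"] > stale_after:
            findings.append("never-used")  # issued but never redeemed
    elif now - last_used > stale_after:
        findings.append("stale")
    return findings


def audit_endpoint(client, endpoint_arn, now=None):
    """Map binding ARN -> findings for every binding that has at least one finding."""
    now = now or datetime.now(timezone.utc)
    report = {}
    for binding in iter_bindings(client, endpoint_arn):
        findings = review_binding(binding, now)
        if findings:
            report[binding["AcmeExternalAccountBindingArn"]] = findings
    return report


# --- Constructed sample data and stub client (placeholders, not real ARNs) ---
ENDPOINT_ARN = "arn:example:acme-endpoint/demo"
NOW = datetime(2026, 7, 15, tzinfo=timezone.utc)


def _day(month, day):
    return datetime(2026, month, day, tzinfo=timezone.utc)


def _rec(name, created, expires=None, last_used=None, revoked=None):
    rec = {
        "AcmeExternalAccountBindingArn": f"arn:example:binding/{name}",
        "AcmeEndpointArn": ENDPOINT_ARN,
        "RoleArn": "arn:example:role/acme-issuer",
        "CreatedAt": created,
    }
    for key, value in (("ExpiresAt", expires), ("LastUsedAt", last_used),
                       ("RevokedAt", revoked)):
        if value is not None:
            rec[key] = value
    return rec


SAMPLE_PAGES = {
    None: ([_rec("a", _day(7, 10), expires=_day(7, 17), last_used=_day(7, 14)),
            _rec("b", _day(5, 1), last_used=_day(5, 2))], "page-2"),
    "page-2": ([_rec("c", _day(6, 1), expires=_day(8, 1)),
                _rec("d", _day(6, 1), expires=_day(8, 1), revoked=_day(6, 20)),
                _rec("e", _day(6, 1), expires=_day(7, 1))], None),
}


class StubAcmClient:
    """Stands in for an SDK client; returns the constructed pages above."""

    def __init__(self, pages):
        self._pages = pages
        self.calls = 0

    def list_acme_external_account_bindings(self, AcmeEndpointArn,
                                            MaxResults=None, NextToken=None):
        self.calls += 1
        records, next_token = self._pages[NextToken]
        page = {"ExternalAccountBindings": records}
        if next_token:
            page["NextToken"] = next_token
        return page


if __name__ == "__main__":
    for arn, findings in audit_endpoint(StubAcmClient(SAMPLE_PAGES), ENDPOINT_ARN, NOW).items():
        print(arn, findings)
```
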

UpdateAcmeEndpoint (new)

Updates the configuration of an existing ACME endpoint. You can change the authorization behavior, contact requirement, or certificate authority settings.

See also: AWS API Documentation

Request Syntax

client.update_acme_endpoint(
    AcmeEndpointArn='string',
    AuthorizationBehavior='PRE_APPROVED',
    Contact='REQUIRED'|'NOT_REQUIRED',
    CertificateAuthority={
        'PublicCertificateAuthority': {
            'AllowedKeyAlgorithms': [
                'RSA_2048'|'EC_prime256v1'|'EC_secp384r1',
            ]
        }
    }
)
type AcmeEndpointArn:

string

param AcmeEndpointArn:

[REQUIRED]

The Amazon Resource Name (ARN) of the ACME endpoint to update.

type AuthorizationBehavior:

string

param AuthorizationBehavior:

The updated authorization behavior.

type Contact:

string

param Contact:

The updated contact requirement.

type CertificateAuthority:

dict

param CertificateAuthority:

The updated certificate authority configuration.

  • PublicCertificateAuthority (dict) --

    Configuration for using a public certificate authority.

    • AllowedKeyAlgorithms (list) --

      The key algorithms allowed for certificates issued by this certificate authority.

      • (string) --

returns:

None

UntagResource (new)

Removes one or more tags from an ACM resource.

To add one or more tags, use the TagResource action. To view all of the tags that have been applied to a resource, use the ListTagsForResource action.

See also: AWS API Documentation

Request Syntax

client.untag_resource(
    ResourceArn='string',
    TagKeys=[
        'string',
    ]
)
type ResourceArn:

string

param ResourceArn:

[REQUIRED]

The ARN of the ACM resource from which the tag is to be removed.

type TagKeys:

list

param TagKeys:

[REQUIRED]

The key of each tag to remove.

  • (string) --

returns:

None

UpdateAcmeDomainValidation (new)

Updates the prevalidation configuration of an existing domain validation.

See also: AWS API Documentation

Request Syntax

client.update_acme_domain_validation(
    AcmeDomainValidationArn='string',
    PrevalidationOptions={
        'DnsPrevalidation': {
            'DomainScope': {
                'ExactDomain': 'ENABLED'|'DISABLED',
                'Subdomains': 'ENABLED'|'DISABLED',
                'Wildcards': 'ENABLED'|'DISABLED'
            },
            'HostedZoneId': 'string'
        }
    }
)
type AcmeDomainValidationArn:

string

param AcmeDomainValidationArn:

[REQUIRED]

The Amazon Resource Name (ARN) of the ACME domain validation to update.

type PrevalidationOptions:

dict

param PrevalidationOptions:

The updated prevalidation options.

  • DnsPrevalidation (dict) --

    DNS-based prevalidation options.

    • DomainScope (dict) --

      The scope of domains covered by this prevalidation.

      • ExactDomain (string) --

        Whether validation applies to the exact domain.

      • Subdomains (string) --

        Whether validation applies to subdomains.

      • Wildcards (string) --

        Whether validation applies to wildcard domains.

    • HostedZoneId (string) --

      The Route 53 hosted zone ID for DNS validation.

returns:

None

CreateAcmeDomainValidation (new)

Creates a domain validation for an ACME endpoint. Domain validations authorize the endpoint to issue certificates for specified domain names. You configure prevalidation to prove domain ownership.

See also: AWS API Documentation

Request Syntax

client.create_acme_domain_validation(
    IdempotencyToken='string',
    AcmeEndpointArn='string',
    DomainName='string',
    PrevalidationOptions={
        'DnsPrevalidation': {
            'DomainScope': {
                'ExactDomain': 'ENABLED'|'DISABLED',
                'Subdomains': 'ENABLED'|'DISABLED',
                'Wildcards': 'ENABLED'|'DISABLED'
            },
            'HostedZoneId': 'string'
        }
    },
    Tags=[
        {
            'Key': 'string',
            'Value': 'string'
        },
    ]
)
type IdempotencyToken:

string

param IdempotencyToken:

A unique, case-sensitive identifier to ensure idempotency of the request.

This field is autopopulated if not provided.

type AcmeEndpointArn:

string

param AcmeEndpointArn:

[REQUIRED]

The Amazon Resource Name (ARN) of the ACME endpoint.

type DomainName:

string

param DomainName:

[REQUIRED]

The domain name to validate.

type PrevalidationOptions:

dict

param PrevalidationOptions:

[REQUIRED]

The prevalidation options for the domain.

  • DnsPrevalidation (dict) --

    DNS-based prevalidation options.

    • DomainScope (dict) --

      The scope of domains covered by this prevalidation.

      • ExactDomain (string) --

        Whether validation applies to the exact domain.

      • Subdomains (string) --

        Whether validation applies to subdomains.

      • Wildcards (string) --

        Whether validation applies to wildcard domains.

    • HostedZoneId (string) --

      The Route 53 hosted zone ID for DNS validation.

type Tags:

list

param Tags:

One or more tags to associate with the domain validation.

  • (dict) --

    A key-value pair that identifies or specifies metadata about an ACM resource.

    • Key (string) -- [REQUIRED]

      The key of the tag.

    • Value (string) --

      The value of the tag.

rtype:

dict

returns:

Response Syntax

{
    'AcmeDomainValidationArn': 'string'
}

Response Structure

  • (dict) --

    • AcmeDomainValidationArn (string) --

      The Amazon Resource Name (ARN) of the created domain validation.

CreateAcmeEndpoint (new)

Creates an ACME endpoint, which is a managed ACME server with a unique endpoint URL. After creation, ACME clients can use the endpoint URL to automate certificate issuance using the ACME protocol.

See also: AWS API Documentation

Request Syntax

client.create_acme_endpoint(
    IdempotencyToken='string',
    AuthorizationBehavior='PRE_APPROVED',
    Contact='REQUIRED'|'NOT_REQUIRED',
    CertificateAuthority={
        'PublicCertificateAuthority': {
            'AllowedKeyAlgorithms': [
                'RSA_2048'|'EC_prime256v1'|'EC_secp384r1',
            ]
        }
    },
    Tags=[
        {
            'Key': 'string',
            'Value': 'string'
        },
    ],
    CertificateTags=[
        {
            'Key': 'string',
            'Value': 'string'
        },
    ]
)
type IdempotencyToken:

string

param IdempotencyToken:

A unique, case-sensitive identifier to ensure idempotency of the request.

This field is autopopulated if not provided.

type AuthorizationBehavior:

string

param AuthorizationBehavior:

[REQUIRED]

The authorization behavior for the ACME endpoint.

type Contact:

string

param Contact:

Specifies whether ACME clients must provide contact information during account registration.

type CertificateAuthority:

dict

param CertificateAuthority:

[REQUIRED]

The type of certificate authority to use for issuing certificates through this ACME endpoint.

  • PublicCertificateAuthority (dict) --

    Configuration for using a public certificate authority.

    • AllowedKeyAlgorithms (list) --

      The key algorithms allowed for certificates issued by this certificate authority.

      • (string) --

type Tags:

list

param Tags:

One or more tags to associate with the ACME endpoint.

  • (dict) --

    A key-value pair that identifies or specifies metadata about an ACM resource.

    • Key (string) -- [REQUIRED]

      The key of the tag.

    • Value (string) --

      The value of the tag.

type CertificateTags:

list

param CertificateTags:

Tags to apply to certificates issued through this ACME endpoint.

  • (dict) --

    A key-value pair that identifies or specifies metadata about an ACM resource.

    • Key (string) -- [REQUIRED]

      The key of the tag.

    • Value (string) --

      The value of the tag.

rtype:

dict

returns:

Response Syntax

{
    'AcmeEndpointArn': 'string'
}

Response Structure

  • (dict) --

    • AcmeEndpointArn (string) --

      The Amazon Resource Name (ARN) of the created ACME endpoint.

CreateAcmeExternalAccountBinding (new)

Creates an external account binding (EAB) for an ACME endpoint. An EAB provides credentials that authorize an ACME client to register an account with the endpoint. Each EAB is associated with an IAM role that controls what certificate operations the ACME client can perform.

See also: AWS API Documentation

Request Syntax

client.create_acme_external_account_binding(
    IdempotencyToken='string',
    AcmeEndpointArn='string',
    RoleArn='string',
    Expiration={
        'Value': 123,
        'Type': 'MINUTES'|'HOURS'|'DAYS'
    },
    Tags=[
        {
            'Key': 'string',
            'Value': 'string'
        },
    ]
)
type IdempotencyToken:

string

param IdempotencyToken:

A unique, case-sensitive identifier to ensure idempotency of the request.

This field is autopopulated if not provided.

type AcmeEndpointArn:

string

param AcmeEndpointArn:

[REQUIRED]

The Amazon Resource Name (ARN) of the ACME endpoint.

type RoleArn:

string

param RoleArn:

[REQUIRED]

The Amazon Resource Name (ARN) of the IAM role to associate with the external account binding.

type Expiration:

dict

param Expiration:

The expiration configuration for the external account binding.

  • Value (integer) -- [REQUIRED]

    The numeric value of the expiration.

  • Type (string) -- [REQUIRED]

    The time unit for the expiration value.

type Tags:

list

param Tags:

One or more tags to associate with the external account binding.

  • (dict) --

    A key-value pair that identifies or specifies metadata about an ACM resource.

    • Key (string) -- [REQUIRED]

      The key of the tag.

    • Value (string) --

      The value of the tag.

rtype:

dict

returns:

Response Syntax

{
    'ExternalAccountBinding': {
        'AcmeExternalAccountBindingArn': 'string',
        'AcmeEndpointArn': 'string',
        'RoleArn': 'string',
        'ExpiresAt': datetime(2015, 1, 1),
        'RevokedAt': datetime(2015, 1, 1),
        'LastUsedAt': datetime(2015, 1, 1),
        'CreatedAt': datetime(2015, 1, 1),
        'UpdatedAt': datetime(2015, 1, 1)
    }
}

Response Structure

  • (dict) --

    • ExternalAccountBinding (dict) --

      The created external account binding.

      • AcmeExternalAccountBindingArn (string) --

        The Amazon Resource Name (ARN) of the ACME external account binding.

      • AcmeEndpointArn (string) --

        The Amazon Resource Name (ARN) of the ACME endpoint.

      • RoleArn (string) --

        The Amazon Resource Name (ARN) of the IAM role associated with the external account binding.

      • ExpiresAt (datetime) --

        The time at which the external account binding expires.

      • RevokedAt (datetime) --

        The time at which the external account binding was revoked.

      • LastUsedAt (datetime) --

        The time at which the external account binding was last used.

      • CreatedAt (datetime) --

        The time at which the external account binding was created.

      • UpdatedAt (datetime) --

        The time at which the external account binding was last updated.

TagResource (new)

Adds one or more tags to an ACM resource. Tags are labels that you can use to identify and organize your Amazon Web Services resources. Each tag consists of a key and an optional value.

To remove one or more tags, use the UntagResource action. To view all of the tags that have been applied to a resource, use the ListTagsForResource action.

See also: AWS API Documentation

Request Syntax

client.tag_resource(
    ResourceArn='string',
    Tags=[
        {
            'Key': 'string',
            'Value': 'string'
        },
    ]
)
type ResourceArn:

string

param ResourceArn:

[REQUIRED]

The ARN of the ACM resource to which the tag is to be applied.

type Tags:

list

param Tags:

[REQUIRED]

The key-value pair that defines the tag to apply.

  • (dict) --

    A key-value pair that identifies or specifies metadata about an ACM resource.

    • Key (string) -- [REQUIRED]

      The key of the tag.

    • Value (string) --

      The value of the tag.

returns:

None

GetAcmeExternalAccountBindingCredentials (new)

Retrieves the key ID and MAC key credentials for an external account binding. These credentials are used by ACME clients during account registration to bind to the endpoint.

See also: AWS API Documentation

Request Syntax

client.get_acme_external_account_binding_credentials(
    AcmeExternalAccountBindingArn='string'
)
type AcmeExternalAccountBindingArn:

string

param AcmeExternalAccountBindingArn:

[REQUIRED]

The Amazon Resource Name (ARN) of the ACME external account binding.

rtype:

dict

returns:

Response Syntax

{
    'KeyId': 'string',
    'MacKey': 'string'
}

Response Structure

  • (dict) --

    • KeyId (string) --

      The key identifier for the external account binding credentials.

    • MacKey (string) --

      The MAC key for the external account binding credentials.
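
What an ACME client does with KeyId and MacKey during account registration, as an added example (not from the AWS documentation): the externalAccountBinding object defined in RFC 8555 section 7.3.4, together with the check a server applies to it. It assumes MacKey is base64url-encoded and that HS256 is accepted, neither of which this page states; the key ID, MAC key, account JWK and URL are constructed values.

```python
import base64
import hashlib
import hmac
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _compact(obj) -> bytes:
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")


def build_eab_jws(key_id, mac_key, account_jwk, new_account_url):
    """Build the inner JWS that goes in the newAccount 'externalAccountBinding' field.

    Protected header: MAC algorithm, the CA-issued kid, and the same URL as the
    outer request. No nonce. Payload: the account's public key as a JWK.
    """
    protected = b64url(_compact({"alg": "HS256", "kid": key_id,
                                 "url": new_account_url}))
    payload = b64url(_compact(account_jwk))
    signing_input = f"{protected}.{payload}".encode("ascii")
    tag = hmac.new(b64url_decode(mac_key), signing_input, hashlib.sha256).digest()
    return {"protected": protected, "payload": payload, "signature": b64url(tag)}


def verify_eab_jws(jws, mac_key, expected_kid, expected_url, outer_jwk):
    """Server-side view: accept only if header, bound key and MAC all check out."""
    try:
        header = json.loads(b64url_decode(jws["protected"]))
        bound_key = json.loads(b64url_decode(jws["payload"]))
        presented = b64url_decode(jws["signature"])
    except (KeyError, ValueError):
        return False
    if header.get("alg") != "HS256" or "nonce" in header:
        return False
    if header.get("kid") != expected_kid or header.get("url") != expected_url:
        return False
    if bound_key != outer_jwk:          # must be the key that signed the outer JWS
        return False
    signing_input = f"{jws['protected']}.{jws['payload']}".encode("ascii")
    expected = hmac.new(b64url_decode(mac_key), signing_input, hashlib.sha256).digest()
    return hmac.compare_digest(expected, presented)   # constant-time comparison


# --- Constructed sample values (not real credentials, not a real curve point) ---
KEY_ID = "example-key-id"
MAC_KEY = b64url(b"constructed-mac-key-not-a-secret")
NEW_ACCOUNT_URL = "https://acme.example.invalid/new-account"
ACCOUNT_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": b64url(bytes(range(32))),
    "y": b64url(bytes(range(32, 64))),
}

if __name__ == "__main__":
    eab = build_eab_jws(KEY_ID, MAC_KEY, ACCOUNT_JWK, NEW_ACCOUNT_URL)
    print(json.dumps(eab, indent=2))
    print("verifies:", verify_eab_jws(eab, MAC_KEY, KEY_ID, NEW_ACCOUNT_URL, ACCOUNT_JWK))
```

Whoever holds MacKey can bind a new ACME account to the external account binding and so to its IAM role, so the response of this operation belongs in a secrets store rather than in logs or shell history.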

RevokeAcmeAccount (new)

Revokes an ACME account, preventing it from requesting or revoking certificates. This operation is irreversible.

See also: AWS API Documentation

Request Syntax

client.revoke_acme_account(
    AcmeEndpointArn='string',
    AccountUrl='string'
)
type AcmeEndpointArn:

string

param AcmeEndpointArn:

[REQUIRED]

The Amazon Resource Name (ARN) of the ACME endpoint.

type AccountUrl:

string

param AccountUrl:

[REQUIRED]

The URL of the ACME account to revoke.

returns:

None

ListAcmeDomainValidations (new)

Retrieves a list of domain validations for the specified ACME endpoint.

See also: AWS API Documentation

Request Syntax

client.list_acme_domain_validations(
    NextToken='string',
    MaxResults=123,
    AcmeEndpointArn='string'
)
type NextToken:

string

param NextToken:

A token for pagination.

type MaxResults:

integer

param MaxResults:

The maximum number of results to return.

type AcmeEndpointArn:

string

param AcmeEndpointArn:

[REQUIRED]

The Amazon Resource Name (ARN) of the ACME endpoint.

rtype:

dict

returns:

Response Syntax

{
    'AcmeDomainValidations': [
        {
            'AcmeDomainValidationArn': 'string',
            'AcmeEndpointArn': 'string',
            'DomainName': 'string',
            'PrevalidationType': 'DNS_PREVALIDATION',
            'PrevalidationDetails': {
                'DnsPrevalidation': {
                    'DomainScope': {
                        'ExactDomain': 'ENABLED'|'DISABLED',
                        'Subdomains': 'ENABLED'|'DISABLED',
                        'Wildcards': 'ENABLED'|'DISABLED'
                    },
                    'HostedZoneId': 'string',
                    'ResourceRecord': {
                        'Name': 'string',
                        'Type': 'CNAME',
                        'Value': 'string'
                    }
                }
            },
            'Status': 'VALIDATING'|'VALID'|'INVALID'|'DELETING',
            'FailureDetails': {
                'Reason': 'ACCESS_DENIED'|'DOMAIN_MISMATCH'|'DOMAIN_NOT_ALLOWED'|'ENDPOINT_NOT_ACTIVE'|'HOSTED_ZONE_NOT_FOUND'|'INTERNAL_FAILURE'|'INVALID_CHANGE_BATCH'|'INVALID_PUBLIC_DOMAIN'|'TIMED_OUT',
                'Message': 'string'
            },
            'CreatedAt': datetime(2015, 1, 1),
            'UpdatedAt': datetime(2015, 1, 1)
        },
    ],
    'NextToken': 'string'
}

Response Structure

  • (dict) --

    • AcmeDomainValidations (list) --

      The list of domain validations.

      • (dict) --

        Contains summary information about an ACME domain validation.

        • AcmeDomainValidationArn (string) --

          The Amazon Resource Name (ARN) of the ACME domain validation.

        • AcmeEndpointArn (string) --

          The Amazon Resource Name (ARN) of the ACME endpoint.

        • DomainName (string) --

          The domain name being validated.

        • PrevalidationType (string) --

          The type of prevalidation used.

        • PrevalidationDetails (dict) --

          Details about the prevalidation configuration.

          • DnsPrevalidation (dict) --

            DNS-based prevalidation details.

            • DomainScope (dict) --

              The scope of domains covered by this prevalidation.

              • ExactDomain (string) --

                Whether validation applies to the exact domain.

              • Subdomains (string) --

                Whether validation applies to subdomains.

              • Wildcards (string) --

                Whether validation applies to wildcard domains.

            • HostedZoneId (string) --

              The Route 53 hosted zone ID for DNS validation.

            • ResourceRecord (dict) --

              The DNS resource record to create for domain validation.

              • Name (string) --

                The name of the DNS record to create in your domain. This is supplied by ACM.

              • Type (string) --

                The type of DNS record. Currently this can be CNAME.

              • Value (string) --

                The value of the CNAME record to add to your DNS database. This is supplied by ACM.

        • Status (string) --

          The status of the domain validation.

        • FailureDetails (dict) --

          Details about the failure, if the validation failed.

          • Reason (string) --

            The reason for the failure.

          • Message (string) --

            A message describing the failure.

        • CreatedAt (datetime) --

          The time at which the domain validation was created.

        • UpdatedAt (datetime) --

          The time at which the domain validation was last updated.

    • NextToken (string) --

      A token for pagination.

DescribeAcmeExternalAccountBinding (new)

Returns detailed metadata about the specified external account binding, including the associated IAM role, expiration time, and usage history.

See also: AWS API Documentation

Request Syntax

client.describe_acme_external_account_binding(
    AcmeExternalAccountBindingArn='string'
)
type AcmeExternalAccountBindingArn:

string

param AcmeExternalAccountBindingArn:

[REQUIRED]

The Amazon Resource Name (ARN) of the ACME external account binding.

rtype:

dict

returns:

Response Syntax

{
    'ExternalAccountBinding': {
        'AcmeExternalAccountBindingArn': 'string',
        'AcmeEndpointArn': 'string',
        'RoleArn': 'string',
        'ExpiresAt': datetime(2015, 1, 1),
        'RevokedAt': datetime(2015, 1, 1),
        'LastUsedAt': datetime(2015, 1, 1),
        'CreatedAt': datetime(2015, 1, 1),
        'UpdatedAt': datetime(2015, 1, 1)
    }
}

Response Structure

  • (dict) --

    • ExternalAccountBinding (dict) --

      The external account binding details.

      • AcmeExternalAccountBindingArn (string) --

        The Amazon Resource Name (ARN) of the ACME external account binding.

      • AcmeEndpointArn (string) --

        The Amazon Resource Name (ARN) of the ACME endpoint.

      • RoleArn (string) --

        The Amazon Resource Name (ARN) of the IAM role associated with the external account binding.

      • ExpiresAt (datetime) --

        The time at which the external account binding expires.

      • RevokedAt (datetime) --

        The time at which the external account binding was revoked.

      • LastUsedAt (datetime) --

        The time at which the external account binding was last used.

      • CreatedAt (datetime) --

        The time at which the external account binding was created.

      • UpdatedAt (datetime) --

        The time at which the external account binding was last updated.

ListAcmeEndpoints (new)

Retrieves a list of ACME endpoints in your account. Use this operation to view all configured ACME endpoints and their current status.

See also: AWS API Documentation

Request Syntax

client.list_acme_endpoints(
    NextToken='string',
    MaxResults=123
)
type NextToken:

string

param NextToken:

A token for pagination.

type MaxResults:

integer

param MaxResults:

The maximum number of results to return.

rtype:

dict

returns:

Response Syntax

{
    'AcmeEndpoints': [
        {
            'AcmeEndpointArn': 'string',
            'EndpointUrl': 'string',
            'Status': 'CREATING'|'ACTIVE'|'DELETING'|'FAILED',
            'FailureReason': 'string',
            'AuthorizationBehavior': 'PRE_APPROVED',
            'Contact': 'REQUIRED'|'NOT_REQUIRED',
            'CertificateAuthority': {
                'PublicCertificateAuthority': {
                    'AllowedKeyAlgorithms': [
                        'RSA_2048'|'EC_prime256v1'|'EC_secp384r1',
                    ]
                }
            },
            'CertificateTags': [
                {
                    'Key': 'string',
                    'Value': 'string'
                },
            ],
            'CreatedAt': datetime(2015, 1, 1),
            'UpdatedAt': datetime(2015, 1, 1)
        },
    ],
    'NextToken': 'string'
}

Response Structure

  • (dict) --

    • AcmeEndpoints (list) --

      The list of ACME endpoints.

      • (dict) --

        Contains summary information about an ACME endpoint.

        • AcmeEndpointArn (string) --

          The Amazon Resource Name (ARN) of the ACME endpoint.

        • EndpointUrl (string) --

          The URL of the ACME endpoint.

        • Status (string) --

          The status of the ACME endpoint.

        • FailureReason (string) --

          The reason the ACME endpoint failed, if applicable.

        • AuthorizationBehavior (string) --

          The authorization behavior of the ACME endpoint.

        • Contact (string) --

          Whether ACME clients must provide contact information during account registration.

        • CertificateAuthority (dict) --

          The certificate authority configuration for the ACME endpoint.

          • PublicCertificateAuthority (dict) --

            Configuration for using a public certificate authority.

            • AllowedKeyAlgorithms (list) --

              The key algorithms allowed for certificates issued by this certificate authority.

              • (string) --

        • CertificateTags (list) --

          Tags applied to certificates issued through this ACME endpoint.

          • (dict) --

            A key-value pair that identifies or specifies metadata about an ACM resource.

            • Key (string) --

              The key of the tag.

            • Value (string) --

              The value of the tag.

        • CreatedAt (datetime) --

          The time at which the ACME endpoint was created.

        • UpdatedAt (datetime) --

          The time at which the ACME endpoint was last updated.

    • NextToken (string) --

      A token for pagination.

DeleteAcmeDomainValidation (new)

Deletes a domain validation. After deletion, the ACME endpoint can no longer issue certificates for the associated domain.

See also: AWS API Documentation

Request Syntax

client.delete_acme_domain_validation(
    AcmeDomainValidationArn='string'
)
type AcmeDomainValidationArn:

string

param AcmeDomainValidationArn:

[REQUIRED]

The Amazon Resource Name (ARN) of the ACME domain validation to delete.

returns:

None

DeleteAcmeEndpoint (new)

Deletes an ACME endpoint. After deletion, the endpoint URL is no longer accessible and ACME clients cannot issue certificates through it. Any existing external account bindings and domain validations associated with the endpoint are also deleted.

See also: AWS API Documentation

Request Syntax

client.delete_acme_endpoint(
    AcmeEndpointArn='string'
)
type AcmeEndpointArn:

string

param AcmeEndpointArn:

[REQUIRED]

The Amazon Resource Name (ARN) of the ACME endpoint to delete.

returns:

None

DescribeAcmeEndpoint (new)

Returns detailed metadata about the specified ACME endpoint, including its status, URL, authorization behavior, and certificate authority configuration.

See also: AWS API Documentation

Request Syntax

client.describe_acme_endpoint(
    AcmeEndpointArn='string'
)
type AcmeEndpointArn:

string

param AcmeEndpointArn:

[REQUIRED]

The Amazon Resource Name (ARN) of the ACME endpoint.

rtype:

dict

returns:

Response Syntax

{
    'AcmeEndpoint': {
        'AcmeEndpointArn': 'string',
        'EndpointUrl': 'string',
        'Status': 'CREATING'|'ACTIVE'|'DELETING'|'FAILED',
        'FailureReason': 'string',
        'AuthorizationBehavior': 'PRE_APPROVED',
        'Contact': 'REQUIRED'|'NOT_REQUIRED',
        'CertificateAuthority': {
            'PublicCertificateAuthority': {
                'AllowedKeyAlgorithms': [
                    'RSA_2048'|'EC_prime256v1'|'EC_secp384r1',
                ]
            }
        },
        'CertificateTags': [
            {
                'Key': 'string',
                'Value': 'string'
            },
        ],
        'CreatedAt': datetime(2015, 1, 1),
        'UpdatedAt': datetime(2015, 1, 1)
    }
}

Response Structure

  • (dict) --

    • AcmeEndpoint (dict) --

      The ACME endpoint details.

      • AcmeEndpointArn (string) --

        The Amazon Resource Name (ARN) of the ACME endpoint.

      • EndpointUrl (string) --

        The URL of the ACME endpoint.

      • Status (string) --

        The status of the ACME endpoint.

      • FailureReason (string) --

        The reason the ACME endpoint failed, if applicable.

      • AuthorizationBehavior (string) --

        The authorization behavior of the ACME endpoint.

      • Contact (string) --

        Whether ACME clients must provide contact information during account registration.

      • CertificateAuthority (dict) --

        The certificate authority configuration for the ACME endpoint.

        • PublicCertificateAuthority (dict) --

          Configuration for using a public certificate authority.

          • AllowedKeyAlgorithms (list) --

            The key algorithms allowed for certificates issued by this certificate authority.

            • (string) --

      • CertificateTags (list) --

        Tags applied to certificates issued through this ACME endpoint.

        • (dict) --

          A key-value pair that identifies or specifies metadata about an ACM resource.

          • Key (string) --

            The key of the tag.

          • Value (string) --

            The value of the tag.

      • CreatedAt (datetime) --

        The time at which the ACME endpoint was created.

      • UpdatedAt (datetime) --

        The time at which the ACME endpoint was last updated.

ListTagsForResource (new)

Lists the tags associated with an ACM resource.

To add one or more tags, use the TagResource action. To remove one or more tags, use the UntagResource action.

See also: AWS API Documentation

Request Syntax

client.list_tags_for_resource(
    ResourceArn='string'
)
type ResourceArn:

string

param ResourceArn:

[REQUIRED]

The ARN of the ACM resource for which to list tags.

rtype:

dict

returns:

Response Syntax

{
    'Tags': [
        {
            'Key': 'string',
            'Value': 'string'
        },
    ]
}

Response Structure

  • (dict) --

    • Tags (list) --

      The tags associated with the resource.

      • (dict) --

        A key-value pair that identifies or specifies metadata about an ACM resource.

        • Key (string) --

          The key of the tag.

        • Value (string) --

          The value of the tag.

DescribeAcmeAccount (new)

Returns detailed metadata about the specified ACME account, including its status, public key thumbprint, and associated external account binding.

See also: AWS API Documentation

Request Syntax

client.describe_acme_account(
    AcmeEndpointArn='string',
    AccountUrl='string'
)
type AcmeEndpointArn:

string

param AcmeEndpointArn:

[REQUIRED]

The Amazon Resource Name (ARN) of the ACME endpoint.

type AccountUrl:

string

param AccountUrl:

[REQUIRED]

The URL of the ACME account.

rtype:

dict

returns:

Response Syntax

{
    'AcmeAccount': {
        'AccountUrl': 'string',
        'PublicKeyThumbprint': 'string',
        'Status': 'VALID'|'DEACTIVATED'|'REVOKED',
        'CreatedAt': datetime(2015, 1, 1),
        'AcmeExternalAccountBindingArn': 'string',
        'Contacts': [
            'string',
        ]
    }
}

Response Structure

  • (dict) --

    • AcmeAccount (dict) --

      The ACME account details.

      • AccountUrl (string) --

        The URL of the ACME account.

      • PublicKeyThumbprint (string) --

        The thumbprint of the public key associated with the ACME account.

      • Status (string) --

        The status of the ACME account.

      • CreatedAt (datetime) --

        The time at which the ACME account was created.

      • AcmeExternalAccountBindingArn (string) --

        The Amazon Resource Name (ARN) of the external account binding associated with this ACME account.

      • Contacts (list) --

        The contact information for the ACME account.

        • (string) --

DescribeAcmeDomainValidation (new)

Returns detailed metadata about the specified domain validation, including its status, domain scope, and DNS resource records required for validation.

See also: AWS API Documentation

Request Syntax

client.describe_acme_domain_validation(
    AcmeDomainValidationArn='string'
)
type AcmeDomainValidationArn:

string

param AcmeDomainValidationArn:

[REQUIRED]

The Amazon Resource Name (ARN) of the ACME domain validation.

rtype:

dict

returns:

Response Syntax

{
    'AcmeDomainValidation': {
        'AcmeDomainValidationArn': 'string',
        'AcmeEndpointArn': 'string',
        'DomainName': 'string',
        'PrevalidationType': 'DNS_PREVALIDATION',
        'PrevalidationDetails': {
            'DnsPrevalidation': {
                'DomainScope': {
                    'ExactDomain': 'ENABLED'|'DISABLED',
                    'Subdomains': 'ENABLED'|'DISABLED',
                    'Wildcards': 'ENABLED'|'DISABLED'
                },
                'HostedZoneId': 'string',
                'ResourceRecord': {
                    'Name': 'string',
                    'Type': 'CNAME',
                    'Value': 'string'
                }
            }
        },
        'Status': 'VALIDATING'|'VALID'|'INVALID'|'DELETING',
        'FailureDetails': {
            'Reason': 'ACCESS_DENIED'|'DOMAIN_MISMATCH'|'DOMAIN_NOT_ALLOWED'|'ENDPOINT_NOT_ACTIVE'|'HOSTED_ZONE_NOT_FOUND'|'INTERNAL_FAILURE'|'INVALID_CHANGE_BATCH'|'INVALID_PUBLIC_DOMAIN'|'TIMED_OUT',
            'Message': 'string'
        },
        'CreatedAt': datetime(2015, 1, 1),
        'UpdatedAt': datetime(2015, 1, 1)
    }
}

Response Structure

  • (dict) --

    • AcmeDomainValidation (dict) --

      The ACME domain validation details.

      • AcmeDomainValidationArn (string) --

        The Amazon Resource Name (ARN) of the ACME domain validation.

      • AcmeEndpointArn (string) --

        The Amazon Resource Name (ARN) of the ACME endpoint.

      • DomainName (string) --

        The domain name being validated.

      • PrevalidationType (string) --

        The type of prevalidation used.

      • PrevalidationDetails (dict) --

        Details about the prevalidation configuration.

        • DnsPrevalidation (dict) --

          DNS-based prevalidation details.

          • DomainScope (dict) --

            The scope of domains covered by this prevalidation.

            • ExactDomain (string) --

              Whether validation applies to the exact domain.

            • Subdomains (string) --

              Whether validation applies to subdomains.

            • Wildcards (string) --

              Whether validation applies to wildcard domains.

          • HostedZoneId (string) --

            The Route 53 hosted zone ID for DNS validation.

          • ResourceRecord (dict) --

            The DNS resource record to create for domain validation.

            • Name (string) --

              The name of the DNS record to create in your domain. This is supplied by ACM.

            • Type (string) --

              The type of DNS record. Currently this can be CNAME.

            • Value (string) --

              The value of the CNAME record to add to your DNS database. This is supplied by ACM.

      • Status (string) --

        The status of the domain validation.

      • FailureDetails (dict) --

        Details about the failure, if the validation failed.

        • Reason (string) --

          The reason for the failure.

        • Message (string) --

          A message describing the failure.

      • CreatedAt (datetime) --

        The time at which the domain validation was created.

      • UpdatedAt (datetime) --

        The time at which the domain validation was last updated.

DeleteAcmeExternalAccountBinding (new)

Deletes an external account binding. Previously fetched credentials for this binding will no longer be usable for account registration. A deleted binding cannot be recovered.

See also: AWS API Documentation

Request Syntax

client.delete_acme_external_account_binding(
    AcmeExternalAccountBindingArn='string'
)
type AcmeExternalAccountBindingArn:

string

param AcmeExternalAccountBindingArn:

[REQUIRED]

The Amazon Resource Name (ARN) of the ACME external account binding to delete.

returns:

None

ListAcmeAccounts (new)

Retrieves a list of ACME accounts registered with the specified ACME endpoint. ACME accounts are created when clients use external account binding credentials to register.

See also: AWS API Documentation

Request Syntax

client.list_acme_accounts(
    NextToken='string',
    MaxResults=123,
    AcmeEndpointArn='string'
)
type NextToken:

string

param NextToken:

A token for pagination.

type MaxResults:

integer

param MaxResults:

The maximum number of results to return.

type AcmeEndpointArn:

string

param AcmeEndpointArn:

[REQUIRED]

The Amazon Resource Name (ARN) of the ACME endpoint.

rtype:

dict

returns:

Response Syntax

{
    'AcmeAccounts': [
        {
            'AccountUrl': 'string',
            'PublicKeyThumbprint': 'string',
            'Status': 'VALID'|'DEACTIVATED'|'REVOKED',
            'CreatedAt': datetime(2015, 1, 1),
            'AcmeExternalAccountBindingArn': 'string',
            'Contacts': [
                'string',
            ]
        },
    ],
    'NextToken': 'string'
}

Response Structure

  • (dict) --

    • AcmeAccounts (list) --

      The list of ACME accounts.

      • (dict) --

        Contains summary information about an ACME account.

        • AccountUrl (string) --

          The URL of the ACME account.

        • PublicKeyThumbprint (string) --

          The thumbprint of the public key associated with the ACME account.

        • Status (string) --

          The status of the ACME account.

        • CreatedAt (datetime) --

          The time at which the ACME account was created.

        • AcmeExternalAccountBindingArn (string) --

          The Amazon Resource Name (ARN) of the external account binding associated with this ACME account.

        • Contacts (list) --

          The contact information for the ACME account.

          • (string) --

    • NextToken (string) --

      A token for pagination.

RevokeAcmeExternalAccountBinding (new)

Revokes an external account binding, preventing new ACME accounts from being registered using this binding. Existing ACME accounts that were previously registered using the binding are not affected and must be revoked separately.

See also: AWS API Documentation

Request Syntax

client.revoke_acme_external_account_binding(
    AcmeExternalAccountBindingArn='string'
)
type AcmeExternalAccountBindingArn:

string

param AcmeExternalAccountBindingArn:

[REQUIRED]

The Amazon Resource Name (ARN) of the ACME external account binding to revoke.

returns:

None
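
As an added example (not part of the AWS documentation), the sketch below revokes a binding and then pages through ListAcmeAccounts to report the accounts that were registered through it and are still VALID, which the description above says are not affected by the revocation. StubAcmeClient, the placeholder ARNs and the account URLs are constructed so the block runs offline; a boto3 ACM client that exposes the methods documented on this page is the assumed real drop-in.

```python
"""Added example: revoke an external account binding, then list the ACME
accounts that the revocation leaves untouched."""


def find_surviving_accounts(client, endpoint_arn, binding_arn):
    """Return accounts on the endpoint that were registered through
    binding_arn and still have Status VALID."""
    survivors = []
    kwargs = {"AcmeEndpointArn": endpoint_arn}
    while True:
        page = client.list_acme_accounts(**kwargs)
        for account in page.get("AcmeAccounts", []):
            same_binding = (
                account.get("AcmeExternalAccountBindingArn") == binding_arn
            )
            if same_binding and account.get("Status") == "VALID":
                survivors.append(account)
        token = page.get("NextToken")
        if not token:
            return survivors
        kwargs["NextToken"] = token  # follow pagination to the last page


def revoke_binding_and_report(client, endpoint_arn, binding_arn):
    """Revoke the binding, then return the AccountUrl of every account that
    still needs separate handling."""
    client.revoke_acme_external_account_binding(
        AcmeExternalAccountBindingArn=binding_arn
    )
    accounts = find_surviving_accounts(client, endpoint_arn, binding_arn)
    return [account["AccountUrl"] for account in accounts]


# --- Constructed sample data; none of these values come from AWS. ---
ENDPOINT = "<acme-endpoint-arn-placeholder>"
BINDING = "<binding-arn-to-revoke-placeholder>"
OTHER_BINDING = "<unrelated-binding-arn-placeholder>"


class StubAcmeClient:
    """Offline stand-in that answers with the response shapes shown on this
    page. Replace with boto3.client("acm") in an SDK release that has the
    ACME methods (assumption)."""

    def __init__(self):
        self.revoked = []
        self._pages = {
            None: {
                "AcmeAccounts": [
                    {"AccountUrl": "https://acme.example/acct/1",
                     "Status": "VALID",
                     "AcmeExternalAccountBindingArn": BINDING},
                    {"AccountUrl": "https://acme.example/acct/2",
                     "Status": "VALID",
                     "AcmeExternalAccountBindingArn": OTHER_BINDING},
                ],
                "NextToken": "page-2",
            },
            "page-2": {
                "AcmeAccounts": [
                    {"AccountUrl": "https://acme.example/acct/3",
                     "Status": "REVOKED",
                     "AcmeExternalAccountBindingArn": BINDING},
                    {"AccountUrl": "https://acme.example/acct/4",
                     "Status": "VALID",
                     "AcmeExternalAccountBindingArn": BINDING},
                ],
            },
        }

    def revoke_acme_external_account_binding(self, AcmeExternalAccountBindingArn):
        self.revoked.append(AcmeExternalAccountBindingArn)

    def list_acme_accounts(self, AcmeEndpointArn, NextToken=None, MaxResults=None):
        return self._pages[NextToken]


if __name__ == "__main__":
    for url in revoke_binding_and_report(StubAcmeClient(), ENDPOINT, BINDING):
        print("still VALID after binding revocation:", url)
```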

DescribeCertificate (updated)
Changes (response)
{'Certificate': {'AcmeAccountId': 'string',
                 'AcmeEndpointArn': 'string',
                 'CertificateKeyPairOrigin': 'AWS_MANAGED | ACME | '
                                             'CUSTOMER_PROVIDED'}}

Returns detailed metadata about the specified ACM certificate.

If you have just created a certificate using the RequestCertificate action, there is a delay of several seconds before you can retrieve information about it.

See also: AWS API Documentation

Request Syntax

client.describe_certificate(
    CertificateArn='string'
)
type CertificateArn:

string

param CertificateArn:

[REQUIRED]

The Amazon Resource Name (ARN) of the ACM certificate. The ARN must have the following form:

arn:aws:acm:region:123456789012:certificate/12345678-1234-1234-1234-123456789012

For more information about ARNs, see Amazon Resource Names (ARNs).

rtype:

dict

returns:

Response Syntax

{
    'Certificate': {
        'CertificateArn': 'string',
        'DomainName': 'string',
        'SubjectAlternativeNames': [
            'string',
        ],
        'ManagedBy': 'CLOUDFRONT',
        'DomainValidationOptions': [
            {
                'DomainName': 'string',
                'ValidationEmails': [
                    'string',
                ],
                'ValidationDomain': 'string',
                'ValidationStatus': 'PENDING_VALIDATION'|'SUCCESS'|'FAILED',
                'ResourceRecord': {
                    'Name': 'string',
                    'Type': 'CNAME',
                    'Value': 'string'
                },
                'HttpRedirect': {
                    'RedirectFrom': 'string',
                    'RedirectTo': 'string'
                },
                'ValidationMethod': 'EMAIL'|'DNS'|'HTTP'
            },
        ],
        'Serial': 'string',
        'Subject': 'string',
        'Issuer': 'string',
        'CreatedAt': datetime(2015, 1, 1),
        'IssuedAt': datetime(2015, 1, 1),
        'ImportedAt': datetime(2015, 1, 1),
        'Status': 'PENDING_VALIDATION'|'ISSUED'|'INACTIVE'|'EXPIRED'|'VALIDATION_TIMED_OUT'|'REVOKED'|'FAILED',
        'RevokedAt': datetime(2015, 1, 1),
        'RevocationReason': 'UNSPECIFIED'|'KEY_COMPROMISE'|'CA_COMPROMISE'|'AFFILIATION_CHANGED'|'SUPERCEDED'|'SUPERSEDED'|'CESSATION_OF_OPERATION'|'CERTIFICATE_HOLD'|'REMOVE_FROM_CRL'|'PRIVILEGE_WITHDRAWN'|'A_A_COMPROMISE',
        'NotBefore': datetime(2015, 1, 1),
        'NotAfter': datetime(2015, 1, 1),
        'KeyAlgorithm': 'RSA_1024'|'RSA_2048'|'RSA_3072'|'RSA_4096'|'EC_prime256v1'|'EC_secp384r1'|'EC_secp521r1',
        'SignatureAlgorithm': 'string',
        'InUseBy': [
            'string',
        ],
        'FailureReason': 'NO_AVAILABLE_CONTACTS'|'ADDITIONAL_VERIFICATION_REQUIRED'|'DOMAIN_NOT_ALLOWED'|'INVALID_PUBLIC_DOMAIN'|'DOMAIN_VALIDATION_DENIED'|'CAA_ERROR'|'PCA_LIMIT_EXCEEDED'|'PCA_INVALID_ARN'|'PCA_INVALID_STATE'|'PCA_REQUEST_FAILED'|'PCA_NAME_CONSTRAINTS_VALIDATION'|'PCA_RESOURCE_NOT_FOUND'|'PCA_INVALID_ARGS'|'PCA_INVALID_DURATION'|'PCA_ACCESS_DENIED'|'SLR_NOT_FOUND'|'OTHER',
        'Type': 'IMPORTED'|'AMAZON_ISSUED'|'PRIVATE',
        'RenewalSummary': {
            'RenewalStatus': 'PENDING_AUTO_RENEWAL'|'PENDING_VALIDATION'|'SUCCESS'|'FAILED',
            'DomainValidationOptions': [
                {
                    'DomainName': 'string',
                    'ValidationEmails': [
                        'string',
                    ],
                    'ValidationDomain': 'string',
                    'ValidationStatus': 'PENDING_VALIDATION'|'SUCCESS'|'FAILED',
                    'ResourceRecord': {
                        'Name': 'string',
                        'Type': 'CNAME',
                        'Value': 'string'
                    },
                    'HttpRedirect': {
                        'RedirectFrom': 'string',
                        'RedirectTo': 'string'
                    },
                    'ValidationMethod': 'EMAIL'|'DNS'|'HTTP'
                },
            ],
            'RenewalStatusReason': 'NO_AVAILABLE_CONTACTS'|'ADDITIONAL_VERIFICATION_REQUIRED'|'DOMAIN_NOT_ALLOWED'|'INVALID_PUBLIC_DOMAIN'|'DOMAIN_VALIDATION_DENIED'|'CAA_ERROR'|'PCA_LIMIT_EXCEEDED'|'PCA_INVALID_ARN'|'PCA_INVALID_STATE'|'PCA_REQUEST_FAILED'|'PCA_NAME_CONSTRAINTS_VALIDATION'|'PCA_RESOURCE_NOT_FOUND'|'PCA_INVALID_ARGS'|'PCA_INVALID_DURATION'|'PCA_ACCESS_DENIED'|'SLR_NOT_FOUND'|'OTHER',
            'UpdatedAt': datetime(2015, 1, 1)
        },
        'KeyUsages': [
            {
                'Name': 'DIGITAL_SIGNATURE'|'NON_REPUDIATION'|'KEY_ENCIPHERMENT'|'DATA_ENCIPHERMENT'|'KEY_AGREEMENT'|'CERTIFICATE_SIGNING'|'CRL_SIGNING'|'ENCIPHER_ONLY'|'DECIPHER_ONLY'|'ANY'|'CUSTOM'
            },
        ],
        'ExtendedKeyUsages': [
            {
                'Name': 'TLS_WEB_SERVER_AUTHENTICATION'|'TLS_WEB_CLIENT_AUTHENTICATION'|'CODE_SIGNING'|'EMAIL_PROTECTION'|'TIME_STAMPING'|'OCSP_SIGNING'|'IPSEC_END_SYSTEM'|'IPSEC_TUNNEL'|'IPSEC_USER'|'ANY'|'NONE'|'CUSTOM',
                'OID': 'string'
            },
        ],
        'CertificateAuthorityArn': 'string',
        'RenewalEligibility': 'ELIGIBLE'|'INELIGIBLE',
        'Options': {
            'CertificateTransparencyLoggingPreference': 'ENABLED'|'DISABLED',
            'Export': 'ENABLED'|'DISABLED'
        },
        'CertificateKeyPairOrigin': 'AWS_MANAGED'|'ACME'|'CUSTOMER_PROVIDED',
        'AcmeEndpointArn': 'string',
        'AcmeAccountId': 'string'
    }
}

Response Structure

  • (dict) --

    • Certificate (dict) --

      Metadata about an ACM certificate.

      • CertificateArn (string) --

        The Amazon Resource Name (ARN) of the certificate. For more information about ARNs, see Amazon Resource Names (ARNs) in the Amazon Web Services General Reference.

      • DomainName (string) --

        The fully qualified domain name for the certificate, such as www.example.com or example.com.

      • SubjectAlternativeNames (list) --

        One or more domain names (subject alternative names) included in the certificate. This list contains the domain names that are bound to the public key that is contained in the certificate. The subject alternative names include the canonical domain name (CN) of the certificate and additional domain names that can be used to connect to the website.

        • (string) --

      • ManagedBy (string) --

        Identifies the Amazon Web Services service that manages the certificate issued by ACM.

      • DomainValidationOptions (list) --

        Contains information about the initial validation of each domain name that occurs as a result of the RequestCertificate request. This field exists only when the certificate type is AMAZON_ISSUED.

        • (dict) --

          Contains information about the validation of each domain name in the certificate.

          • DomainName (string) --

            A fully qualified domain name (FQDN) in the certificate. For example, www.example.com or example.com.

          • ValidationEmails (list) --

            A list of email addresses that ACM used to send domain validation emails.

            • (string) --

          • ValidationDomain (string) --

            The domain name that ACM used to send domain validation emails.

          • ValidationStatus (string) --

            The validation status of the domain name. This can be one of the following values:

            • PENDING_VALIDATION

            • SUCCESS

            • FAILED

          • ResourceRecord (dict) --

            Contains the CNAME record that you add to your DNS database for domain validation. For more information, see Use DNS to Validate Domain Ownership.

            • Name (string) --

              The name of the DNS record to create in your domain. This is supplied by ACM.

            • Type (string) --

              The type of DNS record. Currently this can be CNAME.

            • Value (string) --

              The value of the CNAME record to add to your DNS database. This is supplied by ACM.

          • HttpRedirect (dict) --

            Contains information for HTTP-based domain validation of certificates requested through Amazon CloudFront and issued by ACM. This field exists only when the certificate type is AMAZON_ISSUED and the validation method is HTTP.

            • RedirectFrom (string) --

              The URL including the domain to be validated. The certificate authority sends GET requests here during validation.

            • RedirectTo (string) --

              The URL hosting the validation token. RedirectFrom must return this content or redirect here.

          • ValidationMethod (string) --

            Specifies the domain validation method.

      • Serial (string) --

        The serial number of the certificate.

      • Subject (string) --

        The name of the entity that is associated with the public key contained in the certificate.

      • Issuer (string) --

        The name of the certificate authority that issued and signed the certificate.

      • CreatedAt (datetime) --

        The time at which the certificate was requested.

      • IssuedAt (datetime) --

        The time at which the certificate was issued. This value exists only when the certificate type is AMAZON_ISSUED.

      • ImportedAt (datetime) --

        The date and time when the certificate was imported. This value exists only when the certificate type is IMPORTED.

      • Status (string) --

        The status of the certificate.

        A certificate enters status PENDING_VALIDATION upon being requested, unless it fails for any of the reasons given in the troubleshooting topic Certificate request fails. ACM makes repeated attempts to validate a certificate for 72 hours and then times out. If a certificate shows status FAILED or VALIDATION_TIMED_OUT, delete the request, correct the issue with DNS validation or Email validation, and try again. If validation succeeds, the certificate enters status ISSUED.

      • RevokedAt (datetime) --

        The time at which the certificate was revoked. This value exists only when the certificate status is REVOKED.

      • RevocationReason (string) --

        The reason the certificate was revoked. This value exists only when the certificate status is REVOKED.

      • NotBefore (datetime) --

        The time before which the certificate is not valid.

      • NotAfter (datetime) --

        The time after which the certificate is not valid.

      • KeyAlgorithm (string) --

        The algorithm that was used to generate the public-private key pair.

      • SignatureAlgorithm (string) --

        The algorithm that was used to sign the certificate.

      • InUseBy (list) --

        A list of ARNs for the Amazon Web Services resources that are using the certificate. A certificate can be used by multiple Amazon Web Services resources.

        • (string) --

      • FailureReason (string) --

        The reason the certificate request failed. This value exists only when the certificate status is FAILED. For more information, see Certificate Request Failed in the Certificate Manager User Guide.

      • Type (string) --

        The source of the certificate. For certificates provided by ACM, this value is AMAZON_ISSUED. For certificates that you imported with ImportCertificate, this value is IMPORTED. ACM does not provide managed renewal for imported certificates. For more information about the differences between certificates that you import and those that ACM provides, see Importing Certificates in the Certificate Manager User Guide.

      • RenewalSummary (dict) --

        Contains information about the status of ACM's managed renewal for the certificate. This field exists only when the certificate type is AMAZON_ISSUED.

        • RenewalStatus (string) --

          The status of ACM's managed renewal of the certificate.

        • DomainValidationOptions (list) --

          Contains information about the validation of each domain name in the certificate, as it pertains to ACM's managed renewal. This is different from the initial validation that occurs as a result of the RequestCertificate request. This field exists only when the certificate type is AMAZON_ISSUED.

          • (dict) --

            Contains information about the validation of each domain name in the certificate.

            • DomainName (string) --

              A fully qualified domain name (FQDN) in the certificate. For example, www.example.com or example.com.

            • ValidationEmails (list) --

              A list of email addresses that ACM used to send domain validation emails.

              • (string) --

            • ValidationDomain (string) --

              The domain name that ACM used to send domain validation emails.

            • ValidationStatus (string) --

              The validation status of the domain name. This can be one of the following values:

              • PENDING_VALIDATION

              • SUCCESS

              • FAILED

            • ResourceRecord (dict) --

              Contains the CNAME record that you add to your DNS database for domain validation. For more information, see Use DNS to Validate Domain Ownership.

              • Name (string) --

                The name of the DNS record to create in your domain. This is supplied by ACM.

              • Type (string) --

                The type of DNS record. Currently this can be CNAME.

              • Value (string) --

                The value of the CNAME record to add to your DNS database. This is supplied by ACM.

            • HttpRedirect (dict) --

              Contains information for HTTP-based domain validation of certificates requested through Amazon CloudFront and issued by ACM. This field exists only when the certificate type is AMAZON_ISSUED and the validation method is HTTP.

              • RedirectFrom (string) --

                The URL including the domain to be validated. The certificate authority sends GET requests here during validation.

              • RedirectTo (string) --

                The URL hosting the validation token. RedirectFrom must return this content or redirect here.

            • ValidationMethod (string) --

              Specifies the domain validation method.

        • RenewalStatusReason (string) --

          The reason that a renewal request was unsuccessful.

        • UpdatedAt (datetime) --

          The time at which the renewal summary was last updated.

      • KeyUsages (list) --

        A list of Key Usage X.509 v3 extension objects. Each object is a string value that identifies the purpose of the public key contained in the certificate. Possible extension values include DIGITAL_SIGNATURE, KEY_ENCIPHERMENT, NON_REPUDIATION, and more.

        • (dict) --

          The Key Usage X.509 v3 extension defines the purpose of the public key contained in the certificate.

          • Name (string) --

            A string value that contains a Key Usage extension name.

      • ExtendedKeyUsages (list) --

        Contains a list of Extended Key Usage X.509 v3 extension objects. Each object specifies a purpose for which the certificate public key can be used and consists of a name and an object identifier (OID).

        • (dict) --

          The Extended Key Usage X.509 v3 extension defines one or more purposes for which the public key can be used. This is in addition to or in place of the basic purposes specified by the Key Usage extension.

          • Name (string) --

            The name of an Extended Key Usage value.

          • OID (string) --

            An object identifier (OID) for the extension value. OIDs are strings of numbers separated by periods. The following OIDs are defined in RFC 3280 and RFC 5280.

            • 1.3.6.1.5.5.7.3.1 (TLS_WEB_SERVER_AUTHENTICATION)

            • 1.3.6.1.5.5.7.3.2 (TLS_WEB_CLIENT_AUTHENTICATION)

            • 1.3.6.1.5.5.7.3.3 (CODE_SIGNING)

            • 1.3.6.1.5.5.7.3.4 (EMAIL_PROTECTION)

            • 1.3.6.1.5.5.7.3.8 (TIME_STAMPING)

            • 1.3.6.1.5.5.7.3.9 (OCSP_SIGNING)

            • 1.3.6.1.5.5.7.3.5 (IPSEC_END_SYSTEM)

            • 1.3.6.1.5.5.7.3.6 (IPSEC_TUNNEL)

            • 1.3.6.1.5.5.7.3.7 (IPSEC_USER)

      • CertificateAuthorityArn (string) --

        The Amazon Resource Name (ARN) of the private certificate authority (CA) that issued the certificate. This has the following format:

        arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012

      • RenewalEligibility (string) --

        Specifies whether the certificate is eligible for renewal. At this time, only exported private certificates can be renewed with the RenewCertificate command.

      • Options (dict) --

        Contains the certificate options. Certificate transparency logging opt-out is no longer available. All public certificates are recorded in a certificate transparency log.

        • CertificateTransparencyLoggingPreference (string) --

          This parameter has been deprecated. Certificate transparency logging opt-out is no longer available. All public certificates are recorded in a certificate transparency log.

        • Export (string) --

          You can opt in to allow the export of your certificates by specifying ENABLED. You cannot update the value of Export after the certificate is created.

      • CertificateKeyPairOrigin (string) --

        The origin of the certificate's key pair.

      • AcmeEndpointArn (string) --

        The ARN of the ACME endpoint used to issue the certificate.

      • AcmeAccountId (string) --

        The ACME account identifier associated with the certificate.

ListCertificates (updated)
Changes (request, response)
Request
{'CertificateKeyPairOrigins': ['AWS_MANAGED | ACME | CUSTOMER_PROVIDED']}
Response
{'CertificateSummaryList': {'CertificateKeyPairOrigin': 'AWS_MANAGED | ACME | '
                                                        'CUSTOMER_PROVIDED'}}

Retrieves a list of certificate ARNs and domain names. You can request that only certificates that match a specific status be listed. You can also filter by specific attributes of the certificate. Default filtering returns only RSA_2048 certificates. For more information, see Filters.

See also: AWS API Documentation

Request Syntax

client.list_certificates(
    CertificateStatuses=[
        'PENDING_VALIDATION'|'ISSUED'|'INACTIVE'|'EXPIRED'|'VALIDATION_TIMED_OUT'|'REVOKED'|'FAILED',
    ],
    CertificateKeyPairOrigins=[
        'AWS_MANAGED'|'ACME'|'CUSTOMER_PROVIDED',
    ],
    Includes={
        'extendedKeyUsage': [
            'TLS_WEB_SERVER_AUTHENTICATION'|'TLS_WEB_CLIENT_AUTHENTICATION'|'CODE_SIGNING'|'EMAIL_PROTECTION'|'TIME_STAMPING'|'OCSP_SIGNING'|'IPSEC_END_SYSTEM'|'IPSEC_TUNNEL'|'IPSEC_USER'|'ANY'|'NONE'|'CUSTOM',
        ],
        'keyUsage': [
            'DIGITAL_SIGNATURE'|'NON_REPUDIATION'|'KEY_ENCIPHERMENT'|'DATA_ENCIPHERMENT'|'KEY_AGREEMENT'|'CERTIFICATE_SIGNING'|'CRL_SIGNING'|'ENCIPHER_ONLY'|'DECIPHER_ONLY'|'ANY'|'CUSTOM',
        ],
        'keyTypes': [
            'RSA_1024'|'RSA_2048'|'RSA_3072'|'RSA_4096'|'EC_prime256v1'|'EC_secp384r1'|'EC_secp521r1',
        ],
        'exportOption': 'ENABLED'|'DISABLED',
        'managedBy': 'CLOUDFRONT'
    },
    NextToken='string',
    MaxItems=123,
    SortBy='CREATED_AT',
    SortOrder='ASCENDING'|'DESCENDING'
)
type CertificateStatuses:

list

param CertificateStatuses:

Filter the certificate list by status value.

  • (string) --

type CertificateKeyPairOrigins:

list

param CertificateKeyPairOrigins:

Filter the certificate list by certificate key pair origin. Specify one or more CertificateKeyPairOrigin values. Default filtering returns only certificates with key pair origin of AWS_MANAGED and CUSTOMER_PROVIDED.

  • (string) --

    The origin of the certificate's key pair.

type Includes:

dict

param Includes:

Filter the certificate list. For more information, see the Filters structure.

  • extendedKeyUsage (list) --

    Specify one or more ExtendedKeyUsage extension values.

    • (string) --

  • keyUsage (list) --

    Specify one or more KeyUsage extension values.

    • (string) --

  • keyTypes (list) --

    Specify one or more algorithms that can be used to generate key pairs.

    Default filtering returns only RSA_1024 and RSA_2048 certificates that have at least one domain. To return other certificate types, provide the desired type signatures in a comma-separated list. For example, "keyTypes": ["RSA_2048","RSA_4096"] returns both RSA_2048 and RSA_4096 certificates.

    • (string) --

  • exportOption (string) --

    Specify ENABLED or DISABLED to identify certificates that can be exported.

  • managedBy (string) --

    Identifies the Amazon Web Services service that manages the certificate issued by ACM.

type NextToken:

string

param NextToken:

Use this parameter only when paginating results and only in a subsequent request after you receive a response with truncated results. Set it to the value of NextToken from the response you just received.

type MaxItems:

integer

param MaxItems:

Use this parameter when paginating results to specify the maximum number of items to return in the response. If additional items exist beyond the number you specify, the NextToken element is sent in the response. Use this NextToken value in a subsequent request to retrieve additional items.

type SortBy:

string

param SortBy:

Specifies the field to sort results by. If you specify SortBy, you must also specify SortOrder.

type SortOrder:

string

param SortOrder:

Specifies the order of sorted results. If you specify SortOrder, you must also specify SortBy.

rtype:

dict

returns:

Response Syntax

{
    'NextToken': 'string',
    'CertificateSummaryList': [
        {
            'CertificateArn': 'string',
            'DomainName': 'string',
            'SubjectAlternativeNameSummaries': [
                'string',
            ],
            'HasAdditionalSubjectAlternativeNames': True|False,
            'Status': 'PENDING_VALIDATION'|'ISSUED'|'INACTIVE'|'EXPIRED'|'VALIDATION_TIMED_OUT'|'REVOKED'|'FAILED',
            'Type': 'IMPORTED'|'AMAZON_ISSUED'|'PRIVATE',
            'KeyAlgorithm': 'RSA_1024'|'RSA_2048'|'RSA_3072'|'RSA_4096'|'EC_prime256v1'|'EC_secp384r1'|'EC_secp521r1',
            'KeyUsages': [
                'DIGITAL_SIGNATURE'|'NON_REPUDIATION'|'KEY_ENCIPHERMENT'|'DATA_ENCIPHERMENT'|'KEY_AGREEMENT'|'CERTIFICATE_SIGNING'|'CRL_SIGNING'|'ENCIPHER_ONLY'|'DECIPHER_ONLY'|'ANY'|'CUSTOM',
            ],
            'ExtendedKeyUsages': [
                'TLS_WEB_SERVER_AUTHENTICATION'|'TLS_WEB_CLIENT_AUTHENTICATION'|'CODE_SIGNING'|'EMAIL_PROTECTION'|'TIME_STAMPING'|'OCSP_SIGNING'|'IPSEC_END_SYSTEM'|'IPSEC_TUNNEL'|'IPSEC_USER'|'ANY'|'NONE'|'CUSTOM',
            ],
            'ExportOption': 'ENABLED'|'DISABLED',
            'InUse': True|False,
            'Exported': True|False,
            'RenewalEligibility': 'ELIGIBLE'|'INELIGIBLE',
            'NotBefore': datetime(2015, 1, 1),
            'NotAfter': datetime(2015, 1, 1),
            'CreatedAt': datetime(2015, 1, 1),
            'IssuedAt': datetime(2015, 1, 1),
            'ImportedAt': datetime(2015, 1, 1),
            'RevokedAt': datetime(2015, 1, 1),
            'ManagedBy': 'CLOUDFRONT',
            'CertificateKeyPairOrigin': 'AWS_MANAGED'|'ACME'|'CUSTOMER_PROVIDED'
        },
    ]
}
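
As an added example (not part of the AWS documentation), the sketch below shows why a certificate inventory should pass CertificateKeyPairOrigins and keyTypes explicitly: with the default filters described above, ACME-origin certificates and key types outside the default set never appear in the listing. StubCertClient and its ARNs are constructed and mimic only the defaults stated in the parameter descriptions (origins AWS_MANAGED and CUSTOMER_PROVIDED, key types RSA_1024 and RSA_2048); a boto3 ACM client with the updated ListCertificates is the assumed real drop-in.

```python
"""Added example: a ListCertificates inventory that does not rely on the
default origin and key-type filters."""

ALL_ORIGINS = ["AWS_MANAGED", "ACME", "CUSTOMER_PROVIDED"]
ALL_KEY_TYPES = [
    "RSA_1024", "RSA_2048", "RSA_3072", "RSA_4096",
    "EC_prime256v1", "EC_secp384r1", "EC_secp521r1",
]


def full_inventory(client, page_size=100):
    """Return (arns_by_origin, arns_with_truncated_sans).

    The second list holds certificates whose summary carries only the first
    100 SANs; call DescribeCertificate on those for the full list."""
    by_origin = {origin: [] for origin in ALL_ORIGINS}
    truncated = []
    kwargs = {
        "CertificateKeyPairOrigins": ALL_ORIGINS,   # include ACME explicitly
        "Includes": {"keyTypes": ALL_KEY_TYPES},    # include every key type
        "MaxItems": page_size,
    }
    while True:
        page = client.list_certificates(**kwargs)
        for summary in page.get("CertificateSummaryList", []):
            origin = summary.get("CertificateKeyPairOrigin", "UNKNOWN")
            by_origin.setdefault(origin, []).append(summary["CertificateArn"])
            if summary.get("HasAdditionalSubjectAlternativeNames"):
                truncated.append(summary["CertificateArn"])
        token = page.get("NextToken")
        if not token:
            return by_origin, truncated
        kwargs["NextToken"] = token


def sample_arn(n):
    """Constructed certificate ARN in the form shown on this page."""
    return ("arn:aws:acm:us-east-1:123456789012:certificate/"
            "00000000-0000-0000-0000-%012d" % n)


class StubCertClient:
    """Offline stand-in (constructed data) that applies the default filters
    stated in the parameter descriptions when a filter is omitted."""

    CERTS = [
        {"CertificateArn": sample_arn(1), "KeyAlgorithm": "RSA_2048",
         "CertificateKeyPairOrigin": "AWS_MANAGED",
         "HasAdditionalSubjectAlternativeNames": False},
        {"CertificateArn": sample_arn(2), "KeyAlgorithm": "EC_prime256v1",
         "CertificateKeyPairOrigin": "ACME",
         "HasAdditionalSubjectAlternativeNames": True},
        {"CertificateArn": sample_arn(3), "KeyAlgorithm": "RSA_4096",
         "CertificateKeyPairOrigin": "CUSTOMER_PROVIDED",
         "HasAdditionalSubjectAlternativeNames": False},
        {"CertificateArn": sample_arn(4), "KeyAlgorithm": "RSA_2048",
         "CertificateKeyPairOrigin": "ACME",
         "HasAdditionalSubjectAlternativeNames": False},
    ]

    def list_certificates(self, **kwargs):
        origins = kwargs.get("CertificateKeyPairOrigins",
                             ["AWS_MANAGED", "CUSTOMER_PROVIDED"])
        key_types = kwargs.get("Includes", {}).get("keyTypes",
                                                   ["RSA_1024", "RSA_2048"])
        matches = [c for c in self.CERTS
                   if c["CertificateKeyPairOrigin"] in origins
                   and c["KeyAlgorithm"] in key_types]
        start = int(kwargs.get("NextToken", "0"))
        size = kwargs.get("MaxItems", 1000)
        page = {"CertificateSummaryList": matches[start:start + size]}
        if start + size < len(matches):
            page["NextToken"] = str(start + size)
        return page


if __name__ == "__main__":
    default_page = StubCertClient().list_certificates()
    print("default call sees:", len(default_page["CertificateSummaryList"]))
    origins, needs_describe = full_inventory(StubCertClient(), page_size=2)
    print("explicit filters see:", {k: len(v) for k, v in origins.items()})
    print("describe for full SAN list:", needs_describe)
```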

Response Structure

  • (dict) --

    • NextToken (string) --

      When the list is truncated, this value is present and contains the value to use for the NextToken parameter in a subsequent pagination request.

    • CertificateSummaryList (list) --

      A list of ACM certificates.

      • (dict) --

        This structure is returned in the response object of ListCertificates action.

        • CertificateArn (string) --

          Amazon Resource Name (ARN) of the certificate. This is of the form:

          arn:aws:acm:region:123456789012:certificate/12345678-1234-1234-1234-123456789012

          For more information about ARNs, see Amazon Resource Names (ARNs).

        • DomainName (string) --

          Fully qualified domain name (FQDN), such as www.example.com or example.com, for the certificate.

        • SubjectAlternativeNameSummaries (list) --

          One or more domain names (subject alternative names) included in the certificate. This list contains the domain names that are bound to the public key that is contained in the certificate. The subject alternative names include the canonical domain name (CN) of the certificate and additional domain names that can be used to connect to the website.

          When called by ListCertificates, this parameter will only return the first 100 subject alternative names included in the certificate. To display the full list of subject alternative names, use DescribeCertificate.

          • (string) --

        • HasAdditionalSubjectAlternativeNames (boolean) --

          When called by ListCertificates, indicates whether the full list of subject alternative names has been included in the response. If false, the response includes all of the subject alternative names included in the certificate. If true, the response only includes the first 100 subject alternative names included in the certificate. To display the full list of subject alternative names, use DescribeCertificate.

        • Status (string) --

          The status of the certificate.

          A certificate enters status PENDING_VALIDATION upon being requested, unless it fails for any of the reasons given in the troubleshooting topic Certificate request fails. ACM makes repeated attempts to validate a certificate for 72 hours and then times out. If a certificate shows status FAILED or VALIDATION_TIMED_OUT, delete the request, correct the issue with DNS validation or Email validation, and try again. If validation succeeds, the certificate enters status ISSUED.

        • Type (string) --

          The source of the certificate. For certificates provided by ACM, this value is AMAZON_ISSUED. For certificates that you imported with ImportCertificate, this value is IMPORTED. ACM does not provide managed renewal for imported certificates. For more information about the differences between certificates that you import and those that ACM provides, see Importing Certificates in the Certificate Manager User Guide.

        • KeyAlgorithm (string) --

          The algorithm that was used to generate the public-private key pair.

        • KeyUsages (list) --

          A list of Key Usage X.509 v3 extension objects. Each object is a string value that identifies the purpose of the public key contained in the certificate. Possible extension values include DIGITAL_SIGNATURE, KEY_ENCIPHERMENT, NON_REPUDIATION, and more.

          • (string) --

        • ExtendedKeyUsages (list) --

          Contains a list of Extended Key Usage X.509 v3 extension objects. Each object specifies a purpose for which the certificate public key can be used and consists of a name and an object identifier (OID).

          • (string) --

        • ExportOption (string) --

          Indicates if export is enabled for the certificate.

        • InUse (boolean) --

          Indicates whether the certificate is currently in use by any Amazon Web Services resources.

        • Exported (boolean) --

          Indicates whether the certificate has been exported.

        • RenewalEligibility (string) --

          Specifies whether the certificate is eligible for renewal. At this time, only exported private certificates can be renewed with the RenewCertificate command.

        • NotBefore (datetime) --

          The time before which the certificate is not valid.

        • NotAfter (datetime) --

          The time after which the certificate is not valid.

        • CreatedAt (datetime) --

          The time at which the certificate was requested.

        • IssuedAt (datetime) --

          The time at which the certificate was issued. This value exists only when the certificate type is AMAZON_ISSUED.

        • ImportedAt (datetime) --

          The date and time when the certificate was imported. This value exists only when the certificate type is IMPORTED.

        • RevokedAt (datetime) --

          The time at which the certificate was revoked. This value exists only when the certificate status is REVOKED.

        • ManagedBy (string) --

          Identifies the Amazon Web Services service that manages the certificate issued by ACM.

        • CertificateKeyPairOrigin (string) --

          The origin of the certificate's key pair.

SearchCertificates (updated)
Changes (request, response)
Request
{'FilterStatement': {'Filter': {'AcmCertificateMetadataFilter': {'AcmeAccountId': 'string',
                                                                 'AcmeEndpointArn': 'string',
                                                                 'CertificateKeyPairOrigin': 'AWS_MANAGED | ACME | CUSTOMER_PROVIDED'}}},
 'SortBy': {'ACME_ACCOUNT_ID',
            'ACME_ENDPOINT_ARN',
            'CERTIFICATE_KEY_PAIR_ORIGIN'}}
Response
{'Results': {'CertificateMetadata': {'AcmCertificateMetadata': {'AcmeAccountId': 'string',
                                                                'AcmeEndpointArn': 'string',
                                                                'CertificateKeyPairOrigin': 'AWS_MANAGED | ACME | CUSTOMER_PROVIDED'}}}}

Retrieves a list of certificates matching search criteria. You can filter certificates by X.509 attributes and ACM specific properties like certificate status, type and renewal eligibility. This operation provides more flexible filtering than ListCertificates by supporting complex filter statements.

See also: AWS API Documentation

Request Syntax

client.search_certificates(
    FilterStatement={
        'And': [
            {'... recursive ...'},
        ],
        'Or': [
            {'... recursive ...'},
        ],
        'Not': {'... recursive ...'},
        'Filter': {
            'CertificateArn': 'string',
            'X509AttributeFilter': {
                'Subject': {
                    'CommonName': {
                        'Value': 'string',
                        'ComparisonOperator': 'CONTAINS'|'EQUALS'
                    }
                },
                'SubjectAlternativeName': {
                    'DnsName': {
                        'Value': 'string',
                        'ComparisonOperator': 'CONTAINS'|'EQUALS'
                    }
                },
                'ExtendedKeyUsage': 'TLS_WEB_SERVER_AUTHENTICATION'|'TLS_WEB_CLIENT_AUTHENTICATION'|'CODE_SIGNING'|'EMAIL_PROTECTION'|'TIME_STAMPING'|'OCSP_SIGNING'|'IPSEC_END_SYSTEM'|'IPSEC_TUNNEL'|'IPSEC_USER'|'ANY'|'NONE'|'CUSTOM',
                'KeyUsage': 'DIGITAL_SIGNATURE'|'NON_REPUDIATION'|'KEY_ENCIPHERMENT'|'DATA_ENCIPHERMENT'|'KEY_AGREEMENT'|'CERTIFICATE_SIGNING'|'CRL_SIGNING'|'ENCIPHER_ONLY'|'DECIPHER_ONLY'|'ANY'|'CUSTOM',
                'KeyAlgorithm': 'RSA_1024'|'RSA_2048'|'RSA_3072'|'RSA_4096'|'EC_prime256v1'|'EC_secp384r1'|'EC_secp521r1',
                'SerialNumber': 'string',
                'NotAfter': {
                    'Start': datetime(2015, 1, 1),
                    'End': datetime(2015, 1, 1)
                },
                'NotBefore': {
                    'Start': datetime(2015, 1, 1),
                    'End': datetime(2015, 1, 1)
                }
            },
            'AcmCertificateMetadataFilter': {
                'Status': 'PENDING_VALIDATION'|'ISSUED'|'INACTIVE'|'EXPIRED'|'VALIDATION_TIMED_OUT'|'REVOKED'|'FAILED',
                'RenewalStatus': 'PENDING_AUTO_RENEWAL'|'PENDING_VALIDATION'|'SUCCESS'|'FAILED',
                'Type': 'IMPORTED'|'AMAZON_ISSUED'|'PRIVATE',
                'InUse': True|False,
                'Exported': True|False,
                'ExportOption': 'ENABLED'|'DISABLED',
                'ManagedBy': 'CLOUDFRONT',
                'ValidationMethod': 'EMAIL'|'DNS'|'HTTP',
                'CertificateKeyPairOrigin': 'AWS_MANAGED'|'ACME'|'CUSTOMER_PROVIDED',
                'AcmeEndpointArn': 'string',
                'AcmeAccountId': 'string'
            }
        }
    },
    MaxResults=123,
    NextToken='string',
    SortBy='CREATED_AT'|'NOT_AFTER'|'STATUS'|'RENEWAL_STATUS'|'EXPORTED'|'IN_USE'|'NOT_BEFORE'|'KEY_ALGORITHM'|'TYPE'|'CERTIFICATE_ARN'|'COMMON_NAME'|'REVOKED_AT'|'RENEWAL_ELIGIBILITY'|'ISSUED_AT'|'MANAGED_BY'|'EXPORT_OPTION'|'VALIDATION_METHOD'|'IMPORTED_AT'|'ACME_ENDPOINT_ARN'|'ACME_ACCOUNT_ID'|'CERTIFICATE_KEY_PAIR_ORIGIN',
    SortOrder='ASCENDING'|'DESCENDING'
)
type FilterStatement:

dict

param FilterStatement:

A filter statement that defines the search criteria. You can combine multiple filters using AND, OR, and NOT logical operators to create complex queries.

  • And (list) --

    A list of filter statements that must all be true.

    • (dict) --

      A filter statement used to search for certificates. Can contain AND, OR, NOT logical operators or a single filter.

  • Or (list) --

    A list of filter statements where at least one must be true.

    • (dict) --

      A filter statement used to search for certificates. Can contain AND, OR, NOT logical operators or a single filter.

  • Not (dict) --

    A filter statement that must not be true.

  • Filter (dict) --

    A single certificate filter.

    • CertificateArn (string) --

      Filter by certificate ARN.

    • X509AttributeFilter (dict) --

      Filter by X.509 certificate attributes.

      • Subject (dict) --

        Filter by certificate subject.

        • CommonName (dict) --

          Filter by common name in the subject.

          • Value (string) -- [REQUIRED]

            The value to match against.

          • ComparisonOperator (string) -- [REQUIRED]

            The comparison operator to use.

      • SubjectAlternativeName (dict) --

        Filter by subject alternative names.

        • DnsName (dict) --

          Filter by DNS name in subject alternative names.

          • Value (string) -- [REQUIRED]

            The DNS name value to match against.

          • ComparisonOperator (string) -- [REQUIRED]

            The comparison operator to use.

      • ExtendedKeyUsage (string) --

        Filter by extended key usage.

      • KeyUsage (string) --

        Filter by key usage.

      • KeyAlgorithm (string) --

        Filter by key algorithm.

      • SerialNumber (string) --

        Filter by serial number.

      • NotAfter (dict) --

        Filter by certificate expiration date. The start date is inclusive.

        • Start (datetime) --

          The start of the time range. This value is inclusive.

        • End (datetime) --

          The end of the time range. This value is inclusive.

      • NotBefore (dict) --

        Filter by certificate validity start date. The start date is inclusive.

        • Start (datetime) --

          The start of the time range. This value is inclusive.

        • End (datetime) --

          The end of the time range. This value is inclusive.

    • AcmCertificateMetadataFilter (dict) --

      Filter by ACM certificate metadata.

      • Status (string) --

        Filter by certificate status.

      • RenewalStatus (string) --

        Filter by certificate renewal status.

      • Type (string) --

        Filter by certificate type.

      • InUse (boolean) --

        Filter by whether the certificate is in use.

      • Exported (boolean) --

        Filter by whether the certificate has been exported.

      • ExportOption (string) --

        Filter by certificate export option.

      • ManagedBy (string) --

        Filter by the entity that manages the certificate.

      • ValidationMethod (string) --

        Filter by validation method.

      • CertificateKeyPairOrigin (string) --

        Filter by certificate key pair origin.

      • AcmeEndpointArn (string) --

        Filter by ACME endpoint ARN.

      • AcmeAccountId (string) --

        Filter by ACME account identifier.

type MaxResults:

integer

param MaxResults:

The maximum number of results to return in the response. Default is 100.

type NextToken:

string

param NextToken:

Use this parameter only when paginating results and only in a subsequent request after you receive a response with truncated results. Set it to the value of NextToken from the response you just received.

type SortBy:

string

param SortBy:

Specifies the field to sort results by. Valid values are CREATED_AT, NOT_AFTER, STATUS, RENEWAL_STATUS, EXPORTED, IN_USE, NOT_BEFORE, KEY_ALGORITHM, TYPE, CERTIFICATE_ARN, COMMON_NAME, REVOKED_AT, RENEWAL_ELIGIBILITY, ISSUED_AT, MANAGED_BY, EXPORT_OPTION, VALIDATION_METHOD, IMPORTED_AT, ACME_ENDPOINT_ARN, ACME_ACCOUNT_ID, and CERTIFICATE_KEY_PAIR_ORIGIN.

type SortOrder:

string

param SortOrder:

Specifies the order of sorted results. Valid values are ASCENDING or DESCENDING.

rtype:

dict

returns:

Response Syntax

{
    'Results': [
        {
            'CertificateArn': 'string',
            'X509Attributes': {
                'Issuer': {
                    'CommonName': 'string',
                    'DomainComponents': [
                        'string',
                    ],
                    'Country': 'string',
                    'CustomAttributes': [
                        {
                            'ObjectIdentifier': 'string',
                            'Value': 'string'
                        },
                    ],
                    'DistinguishedNameQualifier': 'string',
                    'GenerationQualifier': 'string',
                    'GivenName': 'string',
                    'Initials': 'string',
                    'Locality': 'string',
                    'Organization': 'string',
                    'OrganizationalUnit': 'string',
                    'Pseudonym': 'string',
                    'SerialNumber': 'string',
                    'State': 'string',
                    'Surname': 'string',
                    'Title': 'string'
                },
                'Subject': {
                    'CommonName': 'string',
                    'DomainComponents': [
                        'string',
                    ],
                    'Country': 'string',
                    'CustomAttributes': [
                        {
                            'ObjectIdentifier': 'string',
                            'Value': 'string'
                        },
                    ],
                    'DistinguishedNameQualifier': 'string',
                    'GenerationQualifier': 'string',
                    'GivenName': 'string',
                    'Initials': 'string',
                    'Locality': 'string',
                    'Organization': 'string',
                    'OrganizationalUnit': 'string',
                    'Pseudonym': 'string',
                    'SerialNumber': 'string',
                    'State': 'string',
                    'Surname': 'string',
                    'Title': 'string'
                },
                'SubjectAlternativeNames': [
                    {
                        'DirectoryName': {
                            'CommonName': 'string',
                            'DomainComponents': [
                                'string',
                            ],
                            'Country': 'string',
                            'CustomAttributes': [
                                {
                                    'ObjectIdentifier': 'string',
                                    'Value': 'string'
                                },
                            ],
                            'DistinguishedNameQualifier': 'string',
                            'GenerationQualifier': 'string',
                            'GivenName': 'string',
                            'Initials': 'string',
                            'Locality': 'string',
                            'Organization': 'string',
                            'OrganizationalUnit': 'string',
                            'Pseudonym': 'string',
                            'SerialNumber': 'string',
                            'State': 'string',
                            'Surname': 'string',
                            'Title': 'string'
                        },
                        'DnsName': 'string',
                        'IpAddress': 'string',
                        'OtherName': {
                            'ObjectIdentifier': 'string',
                            'Value': 'string'
                        },
                        'RegisteredId': 'string',
                        'Rfc822Name': 'string',
                        'UniformResourceIdentifier': 'string'
                    },
                ],
                'ExtendedKeyUsages': [
                    'TLS_WEB_SERVER_AUTHENTICATION'|'TLS_WEB_CLIENT_AUTHENTICATION'|'CODE_SIGNING'|'EMAIL_PROTECTION'|'TIME_STAMPING'|'OCSP_SIGNING'|'IPSEC_END_SYSTEM'|'IPSEC_TUNNEL'|'IPSEC_USER'|'ANY'|'NONE'|'CUSTOM',
                ],
                'KeyAlgorithm': 'RSA_1024'|'RSA_2048'|'RSA_3072'|'RSA_4096'|'EC_prime256v1'|'EC_secp384r1'|'EC_secp521r1',
                'KeyUsages': [
                    'DIGITAL_SIGNATURE'|'NON_REPUDIATION'|'KEY_ENCIPHERMENT'|'DATA_ENCIPHERMENT'|'KEY_AGREEMENT'|'CERTIFICATE_SIGNING'|'CRL_SIGNING'|'ENCIPHER_ONLY'|'DECIPHER_ONLY'|'ANY'|'CUSTOM',
                ],
                'SerialNumber': 'string',
                'NotAfter': datetime(2015, 1, 1),
                'NotBefore': datetime(2015, 1, 1)
            },
            'CertificateMetadata': {
                'AcmCertificateMetadata': {
                    'CreatedAt': datetime(2015, 1, 1),
                    'Exported': True|False,
                    'ImportedAt': datetime(2015, 1, 1),
                    'InUse': True|False,
                    'IssuedAt': datetime(2015, 1, 1),
                    'RenewalEligibility': 'ELIGIBLE'|'INELIGIBLE',
                    'RevokedAt': datetime(2015, 1, 1),
                    'Status': 'PENDING_VALIDATION'|'ISSUED'|'INACTIVE'|'EXPIRED'|'VALIDATION_TIMED_OUT'|'REVOKED'|'FAILED',
                    'RenewalStatus': 'PENDING_AUTO_RENEWAL'|'PENDING_VALIDATION'|'SUCCESS'|'FAILED',
                    'Type': 'IMPORTED'|'AMAZON_ISSUED'|'PRIVATE',
                    'ExportOption': 'ENABLED'|'DISABLED',
                    'ManagedBy': 'CLOUDFRONT',
                    'ValidationMethod': 'EMAIL'|'DNS'|'HTTP',
                    'CertificateKeyPairOrigin': 'AWS_MANAGED'|'ACME'|'CUSTOMER_PROVIDED',
                    'AcmeEndpointArn': 'string',
                    'AcmeAccountId': 'string'
                }
            }
        },
    ],
    'NextToken': 'string'
}

Response Structure

  • (dict) --

    • Results (list) --

      A list of certificate search results containing certificate ARNs, X.509 attributes, and ACM metadata.

      • (dict) --

        Contains information about a certificate returned by the SearchCertificates action. This structure includes the certificate ARN, X.509 attributes, and ACM metadata.

        • CertificateArn (string) --

          The Amazon Resource Name (ARN) of the certificate.

        • X509Attributes (dict) --

          X.509 certificate attributes such as subject, issuer, and validity period.

          • Issuer (dict) --

            The distinguished name of the certificate issuer.

            • CommonName (string) --

              The common name (CN) attribute.

            • DomainComponents (list) --

              The domain component attributes.

              • (string) --

            • Country (string) --

              The country (C) attribute.

            • CustomAttributes (list) --

              A list of custom attributes in the distinguished name. Each custom attribute contains an object identifier (OID) and its corresponding value.

              • (dict) --

                Defines the X.500 relative distinguished name (RDN).

                • ObjectIdentifier (string) --

                  Specifies the object identifier (OID) of the attribute type of the relative distinguished name (RDN).

                • Value (string) --

                  Specifies the attribute value of relative distinguished name (RDN).

            • DistinguishedNameQualifier (string) --

              The distinguished name qualifier attribute.

            • GenerationQualifier (string) --

              The generation qualifier attribute.

            • GivenName (string) --

              The given name attribute.

            • Initials (string) --

              The initials attribute.

            • Locality (string) --

              The locality (L) attribute.

            • Organization (string) --

              The organization (O) attribute.

            • OrganizationalUnit (string) --

              The organizational unit (OU) attribute.

            • Pseudonym (string) --

              The pseudonym attribute.

            • SerialNumber (string) --

              The serial number attribute.

            • State (string) --

              The state or province (ST) attribute.

            • Surname (string) --

              The surname attribute.

            • Title (string) --

              The title attribute.

          • Subject (dict) --

            The distinguished name of the certificate subject.

            • CommonName (string) --

              The common name (CN) attribute.

            • DomainComponents (list) --

              The domain component attributes.

              • (string) --

            • Country (string) --

              The country (C) attribute.

            • CustomAttributes (list) --

              A list of custom attributes in the distinguished name. Each custom attribute contains an object identifier (OID) and its corresponding value.

              • (dict) --

                Defines the X.500 relative distinguished name (RDN).

                • ObjectIdentifier (string) --

                  Specifies the object identifier (OID) of the attribute type of the relative distinguished name (RDN).

                • Value (string) --

                  Specifies the attribute value of relative distinguished name (RDN).

            • DistinguishedNameQualifier (string) --

              The distinguished name qualifier attribute.

            • GenerationQualifier (string) --

              The generation qualifier attribute.

            • GivenName (string) --

              The given name attribute.

            • Initials (string) --

              The initials attribute.

            • Locality (string) --

              The locality (L) attribute.

            • Organization (string) --

              The organization (O) attribute.

            • OrganizationalUnit (string) --

              The organizational unit (OU) attribute.

            • Pseudonym (string) --

              The pseudonym attribute.

            • SerialNumber (string) --

              The serial number attribute.

            • State (string) --

              The state or province (ST) attribute.

            • Surname (string) --

              The surname attribute.

            • Title (string) --

              The title attribute.

          • SubjectAlternativeNames (list) --

            One or more domain names (subject alternative names) included in the certificate. This list contains the domain names that are bound to the public key that is contained in the certificate. The subject alternative names include the canonical domain name (CN) of the certificate and additional domain names that can be used to connect to the website.

            • (dict) --

              Describes an ASN.1 X.400 GeneralName as defined in RFC 5280. Only one of the following naming options should be provided.

              • DirectoryName (dict) --

                Contains information about the certificate subject. The Subject field in the certificate identifies the entity that owns or controls the public key in the certificate. The entity can be a user, computer, device, or service. The Subject must contain an X.500 distinguished name (DN). A DN is a sequence of relative distinguished names (RDNs). The RDNs are separated by commas in the certificate.

                • CommonName (string) --

                  The common name (CN) attribute.

                • DomainComponents (list) --

                  The domain component attributes.

                  • (string) --

                • Country (string) --

                  The country (C) attribute.

                • CustomAttributes (list) --

                  A list of custom attributes in the distinguished name. Each custom attribute contains an object identifier (OID) and its corresponding value.

                  • (dict) --

                    Defines the X.500 relative distinguished name (RDN).

                    • ObjectIdentifier (string) --

                      Specifies the object identifier (OID) of the attribute type of the relative distinguished name (RDN).

                    • Value (string) --

                      Specifies the attribute value of relative distinguished name (RDN).

                • DistinguishedNameQualifier (string) --

                  The distinguished name qualifier attribute.

                • GenerationQualifier (string) --

                  The generation qualifier attribute.

                • GivenName (string) --

                  The given name attribute.

                • Initials (string) --

                  The initials attribute.

                • Locality (string) --

                  The locality (L) attribute.

                • Organization (string) --

                  The organization (O) attribute.

                • OrganizationalUnit (string) --

                  The organizational unit (OU) attribute.

                • Pseudonym (string) --

                  The pseudonym attribute.

                • SerialNumber (string) --

                  The serial number attribute.

                • State (string) --

                  The state or province (ST) attribute.

                • Surname (string) --

                  The surname attribute.

                • Title (string) --

                  The title attribute.

              • DnsName (string) --

                Represents GeneralName as a DNS name.

              • IpAddress (string) --

                Represents GeneralName as an IPv4 or IPv6 address.

              • OtherName (dict) --

                Represents GeneralName using an OtherName object.

                • ObjectIdentifier (string) --

                  Specifies an OID.

                • Value (string) --

                  Specifies an OID value.

              • RegisteredId (string) --

                Represents GeneralName as an object identifier (OID).

              • Rfc822Name (string) --

                Represents GeneralName as an RFC 822 email address.

              • UniformResourceIdentifier (string) --

                Represents GeneralName as a URI.

          • ExtendedKeyUsages (list) --

            Contains a list of Extended Key Usage X.509 v3 extension objects. Each object specifies a purpose for which the certificate public key can be used and consists of a name and an object identifier (OID).

            • (string) --

          • KeyAlgorithm (string) --

            The algorithm that was used to generate the public-private key pair.

          • KeyUsages (list) --

            A list of Key Usage X.509 v3 extension objects. Each object is a string value that identifies the purpose of the public key contained in the certificate. Possible extension values include DIGITAL_SIGNATURE, KEY_ENCIPHERMENT, NON_REPUDIATION, and more.

            • (string) --

          • SerialNumber (string) --

            The serial number assigned by the certificate authority.

          • NotAfter (datetime) --

            The time after which the certificate is not valid.

          • NotBefore (datetime) --

            The time before which the certificate is not valid.

        • CertificateMetadata (dict) --

          ACM-specific metadata about the certificate.

          • AcmCertificateMetadata (dict) --

            Metadata for an ACM certificate.

            • CreatedAt (datetime) --

              The time at which the certificate was requested.

            • Exported (boolean) --

              Indicates whether the certificate has been exported.

            • ImportedAt (datetime) --

              The date and time when the certificate was imported. This value exists only when the certificate type is IMPORTED.

            • InUse (boolean) --

              Indicates whether the certificate is currently in use by an Amazon Web Services service.

            • IssuedAt (datetime) --

              The time at which the certificate was issued. This value exists only when the certificate type is AMAZON_ISSUED.

            • RenewalEligibility (string) --

              Specifies whether the certificate is eligible for renewal. At this time, only exported private certificates can be renewed with the RenewCertificate command.

            • RevokedAt (datetime) --

              The time at which the certificate was revoked. This value exists only when the certificate status is REVOKED.

            • Status (string) --

              The status of the certificate.

              A certificate enters status PENDING_VALIDATION upon being requested, unless it fails for any of the reasons given in the troubleshooting topic Certificate request fails. ACM makes repeated attempts to validate a certificate for 72 hours and then times out. If a certificate shows status FAILED or VALIDATION_TIMED_OUT, delete the request, correct the issue with DNS validation or Email validation, and try again. If validation succeeds, the certificate enters status ISSUED.

            • RenewalStatus (string) --

              The renewal status of the certificate.

            • Type (string) --

              The source of the certificate. For certificates provided by ACM, this value is AMAZON_ISSUED. For certificates that you imported with ImportCertificate, this value is IMPORTED. ACM does not provide managed renewal for imported certificates. For more information about the differences between certificates that you import and those that ACM provides, see Importing Certificates in the Certificate Manager User Guide.

            • ExportOption (string) --

              Indicates whether the certificate can be exported.

            • ManagedBy (string) --

              Identifies the Amazon Web Services service that manages the certificate issued by ACM.

            • ValidationMethod (string) --

              Specifies the domain validation method.

            • CertificateKeyPairOrigin (string) --

              The origin of the certificate's key pair.

            • AcmeEndpointArn (string) --

              The ARN of the ACME endpoint used to issue the certificate.

            • AcmeAccountId (string) --

              The ACME account identifier associated with the certificate.

    • NextToken (string) --

      When the list is truncated, this value is present and contains the value to use for the NextToken parameter in a subsequent pagination request.
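An inventory query built from the SearchCertificates request and response shapes above, as an added example that is not AWS's or boto3's own code: it finds ISSUED certificates whose key pair is not AWS_MANAGED and that expire within a window, following NextToken to the end. The helper names, the `StubAcm` stand-in client with its local `matches` evaluator, and the sample certificates are constructed for illustration; putting a single criterion in each leaf `Filter` is an assumption chosen as the conservative shape.

```python
from datetime import datetime, timedelta, timezone

NOW = datetime(2026, 7, 1, tzinfo=timezone.utc)  # constructed "current time"

def leaf(kind, **criterion):
    """One leaf statement carrying a single criterion (assumed safe shape)."""
    return {"Filter": {kind: criterion}}

def expiring_external_key_filter(now, days):
    """ISSUED AND NOT key-pair-origin AWS_MANAGED AND NotAfter in [now, now+days]."""
    return {"And": [
        leaf("AcmCertificateMetadataFilter", Status="ISSUED"),
        {"Not": leaf("AcmCertificateMetadataFilter",
                     CertificateKeyPairOrigin="AWS_MANAGED")},
        leaf("X509AttributeFilter",
             NotAfter={"Start": now, "End": now + timedelta(days=days)}),
    ]}

def search_all(client, statement, page_size=100):
    """Yield every result, passing NextToken back until none is returned."""
    kwargs = {"FilterStatement": statement, "MaxResults": page_size,
              "SortBy": "NOT_AFTER", "SortOrder": "ASCENDING"}
    seen = set()
    while True:
        page = client.search_certificates(**kwargs)
        yield from page.get("Results", [])
        token = page.get("NextToken")
        if not token:
            return
        if token in seen:  # guard against a pagination loop
            raise RuntimeError("pagination token repeated")
        seen.add(token)
        kwargs["NextToken"] = token

def report(results, now):
    """Flatten results into rows a reviewer can act on."""
    rows = []
    for r in results:
        meta = r["CertificateMetadata"]["AcmCertificateMetadata"]
        rows.append({
            "arn": r["CertificateArn"],
            "origin": meta.get("CertificateKeyPairOrigin"),
            "acme_account": meta.get("AcmeAccountId"),
            "days_left": (r["X509Attributes"]["NotAfter"] - now).days,
        })
    return rows

# Everything below is a local stand-in so the example runs offline.
def matches(stmt, cert):
    """Evaluate And / Or / Not / Filter as the parameter descriptions state."""
    if "And" in stmt:
        return all(matches(s, cert) for s in stmt["And"])
    if "Or" in stmt:
        return any(matches(s, cert) for s in stmt["Or"])
    if "Not" in stmt:
        return not matches(stmt["Not"], cert)
    flt = stmt["Filter"]
    meta = cert["CertificateMetadata"]["AcmCertificateMetadata"]
    for key, want in flt.get("AcmCertificateMetadataFilter", {}).items():
        if meta.get(key) != want:
            return False
    rng = flt.get("X509AttributeFilter", {}).get("NotAfter")
    if rng:  # both ends of the range are inclusive
        not_after = cert["X509Attributes"]["NotAfter"]
        return rng["Start"] <= not_after <= rng["End"]
    return True

class StubAcm:
    """Constructed client: filters, sorts by NotAfter and pages by offset."""
    def __init__(self, certs):
        self.certs, self.calls = certs, []

    def search_certificates(self, FilterStatement, MaxResults=100,
                            NextToken=None, SortBy=None, SortOrder="ASCENDING"):
        self.calls.append(NextToken)
        hits = sorted((c for c in self.certs if matches(FilterStatement, c)),
                      key=lambda c: c["X509Attributes"]["NotAfter"],
                      reverse=(SortOrder == "DESCENDING"))
        start = int(NextToken or 0)
        page = {"Results": hits[start:start + MaxResults]}
        if start + MaxResults < len(hits):
            page["NextToken"] = str(start + MaxResults)
        return page

def cert(n, origin, days, status="ISSUED", account=None):
    """Constructed sample record in the documented response shape."""
    return {
        "CertificateArn":
            f"arn:aws:acm:us-east-1:123456789012:certificate/example-{n}",
        "X509Attributes": {"NotAfter": NOW + timedelta(days=days)},
        "CertificateMetadata": {"AcmCertificateMetadata": {
            "Status": status, "CertificateKeyPairOrigin": origin,
            "AcmeAccountId": account}},
    }

SAMPLE = [cert(1, "ACME", 5, account="acct-a"), cert(2, "AWS_MANAGED", 3),
          cert(3, "CUSTOMER_PROVIDED", 20), cert(4, "ACME", 45, account="acct-a"),
          cert(5, "ACME", 12, account="acct-b"),
          cert(6, "ACME", 2, status="REVOKED", account="acct-b")]

def run_demo():
    client = StubAcm(SAMPLE)
    rows = report(search_all(client, expiring_external_key_filter(NOW, 30),
                             page_size=2), NOW)
    return rows, client.calls

if __name__ == "__main__":
    for row in run_demo()[0]:
        print(row)
```

Against a real account, pass a boto3 ACM client in place of `StubAcm`; the `search_all` and `report` functions use only the parameters and response fields documented on this page.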