Private CA Connector for SCEP

2026/02/19 - Private CA Connector for SCEP - 3 updated api methods

Changes: AWS Private CA Connector for SCEP now supports AWS PrivateLink, allowing your clients to request certificates from within your Amazon Virtual Private Cloud (VPC) without traversing the public internet. With this launch, you can create VPC endpoints to connect to your SCEP connector privately.

CreateConnector (updated)
Changes (request)
{'VpcEndpointId': 'string'}

Creates a SCEP connector. A SCEP connector links Amazon Web Services Private Certificate Authority to your SCEP-compatible devices and mobile device management (MDM) systems. Before you create a connector, you must complete a set of prerequisites, including creation of a private certificate authority (CA) to use with this connector. For more information, see Connector for SCEP prerequisites.

See also: AWS API Documentation

Request Syntax

client.create_connector(
    CertificateAuthorityArn='string',
    MobileDeviceManagement={
        'Intune': {
            'AzureApplicationId': 'string',
            'Domain': 'string'
        }
    },
    VpcEndpointId='string',
    ClientToken='string',
    Tags={
        'string': 'string'
    }
)
type CertificateAuthorityArn:

string

param CertificateAuthorityArn:

[REQUIRED]

The Amazon Resource Name (ARN) of the Amazon Web Services Private Certificate Authority certificate authority to use with this connector. Due to security vulnerabilities present in the SCEP protocol, we recommend using a private CA that's dedicated for use with the connector.

To retrieve the private CAs associated with your account, you can call ListCertificateAuthorities using the Amazon Web Services Private CA API.

type MobileDeviceManagement:

dict

param MobileDeviceManagement:

If you don't supply a value, by default Connector for SCEP creates a connector for general-purpose use. A general-purpose connector is designed to work with clients or endpoints that support the SCEP protocol, except Connector for SCEP for Microsoft Intune. With connectors for general-purpose use, you manage SCEP challenge passwords using Connector for SCEP. For information about considerations and limitations with using Connector for SCEP, see Considerations and Limitations.

If you provide an IntuneConfiguration, Connector for SCEP creates a connector for use with Microsoft Intune, and you manage the challenge passwords using Microsoft Intune. For more information, see Using Connector for SCEP for Microsoft Intune.

  • Intune (dict) --

    Configuration settings for use with Microsoft Intune. For information about using Connector for SCEP for Microsoft Intune, see Using Connector for SCEP for Microsoft Intune.

    • AzureApplicationId (string) -- [REQUIRED]

      The directory (tenant) ID from your Microsoft Entra ID app registration.

    • Domain (string) -- [REQUIRED]

      The primary domain from your Microsoft Entra ID app registration.

type VpcEndpointId:

string

param VpcEndpointId:

If you don't supply a value, by default Connector for SCEP creates a connector accessible over the public internet. If you provide a VPC endpoint ID, Connector for SCEP creates a connector accessible only through that specific VPC endpoint.

type ClientToken:

string

param ClientToken:

Custom string that can be used to distinguish between calls to the CreateChallenge action. Client tokens for CreateChallenge time out after five minutes. Therefore, if you call CreateChallenge multiple times with the same client token within five minutes, Connector for SCEP recognizes that you are requesting only one challenge and will only respond with one. If you change the client token for each call, Connector for SCEP recognizes that you are requesting multiple challenge passwords.

This field is autopopulated if not provided.

type Tags:

dict

param Tags:

The key-value pairs to associate with the resource.

  • (string) --

    • (string) --

rtype:

dict

returns:

Response Syntax

{
    'ConnectorArn': 'string'
}

Response Structure

  • (dict) --

    • ConnectorArn (string) --

      Returns the Amazon Resource Name (ARN) of the connector.

GetConnector (updated)
Changes (response)
{'Connector': {'StatusReason': {'VPC_ENDPOINT_DNS_ENTRIES_NOT_FOUND',
                                'VPC_ENDPOINT_RESOURCE_NOT_FOUND'}}}

Retrieves details about the specified connector. Calling this action returns important details about the connector, such as the public SCEP URL where your clients can request certificates.

See also: AWS API Documentation

Request Syntax

client.get_connector(
    ConnectorArn='string'
)
type ConnectorArn:

string

param ConnectorArn:

[REQUIRED]

The Amazon Resource Name (ARN) of the connector.

rtype:

dict

returns:

Response Syntax

{
    'Connector': {
        'Arn': 'string',
        'CertificateAuthorityArn': 'string',
        'Type': 'GENERAL_PURPOSE'|'INTUNE',
        'MobileDeviceManagement': {
            'Intune': {
                'AzureApplicationId': 'string',
                'Domain': 'string'
            }
        },
        'OpenIdConfiguration': {
            'Issuer': 'string',
            'Subject': 'string',
            'Audience': 'string'
        },
        'Status': 'CREATING'|'ACTIVE'|'DELETING'|'FAILED',
        'StatusReason': 'INTERNAL_FAILURE'|'PRIVATECA_ACCESS_DENIED'|'PRIVATECA_INVALID_STATE'|'PRIVATECA_RESOURCE_NOT_FOUND'|'VPC_ENDPOINT_RESOURCE_NOT_FOUND'|'VPC_ENDPOINT_DNS_ENTRIES_NOT_FOUND',
        'Endpoint': 'string',
        'CreatedAt': datetime(2015, 1, 1),
        'UpdatedAt': datetime(2015, 1, 1)
    }
}

Response Structure

  • (dict) --

    • Connector (dict) --

      The properties of the connector.

      • Arn (string) --

        The Amazon Resource Name (ARN) of the connector.

      • CertificateAuthorityArn (string) --

        The Amazon Resource Name (ARN) of the certificate authority associated with the connector.

      • Type (string) --

        The connector type.

      • MobileDeviceManagement (dict) --

        Contains settings relevant to the mobile device management system that you chose for the connector. If you didn't configure MobileDeviceManagement, then the connector is for general-purpose use and this object is empty.

        • Intune (dict) --

          Configuration settings for use with Microsoft Intune. For information about using Connector for SCEP for Microsoft Intune, see Using Connector for SCEP for Microsoft Intune.

          • AzureApplicationId (string) --

            The directory (tenant) ID from your Microsoft Entra ID app registration.

          • Domain (string) --

            The primary domain from your Microsoft Entra ID app registration.

      • OpenIdConfiguration (dict) --

        Contains OpenID Connect (OIDC) parameters for use with Connector for SCEP for Microsoft Intune. For more information about using Connector for SCEP for Microsoft Intune, see Using Connector for SCEP for Microsoft Intune.

        • Issuer (string) --

          The issuer value to copy into your Microsoft Entra app registration's OIDC.

        • Subject (string) --

          The subject value to copy into your Microsoft Entra app registration's OIDC.

        • Audience (string) --

          The audience value to copy into your Microsoft Entra app registration's OIDC.

      • Status (string) --

        The connector's status.

      • StatusReason (string) --

        Information about why connector creation failed, if status is FAILED.

      • Endpoint (string) --

        The connector's HTTPS public SCEP URL.

      • CreatedAt (datetime) --

        The date and time that the connector was created.

      • UpdatedAt (datetime) --

        The date and time that the connector was updated.
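The CreateConnector and GetConnector calls above are typically used together: create the connector, then poll GetConnector until Status leaves CREATING, and if it ends in FAILED, act on StatusReason. The script below is an added example, not AWS's or boto3's own code. It assumes `client` has the create_connector and get_connector methods of boto3.client("pca-connector-scep"); FakeScepClient is an offline stand-in that replays scripted states, and every ARN, endpoint ID and hint string is constructed for the demonstration.

```python
"""Create a PrivateLink-only SCEP connector and wait until it is ACTIVE or FAILED."""
import time
import uuid

# StatusReason codes from the GetConnector response, paired with the check an
# operator should make. The two VPC_ENDPOINT_* codes arrived with PrivateLink support.
# Hint text is this example's own wording, not service documentation.
STATUS_REASON_HINTS = {
    "INTERNAL_FAILURE": "service-side error; retry the CreateConnector call",
    "PRIVATECA_ACCESS_DENIED": "the connector was denied access to the CA; review permissions on the CA",
    "PRIVATECA_INVALID_STATE": "the CA is not in a usable state; confirm it is active",
    "PRIVATECA_RESOURCE_NOT_FOUND": "CertificateAuthorityArn did not resolve; check the ARN and region",
    "VPC_ENDPOINT_RESOURCE_NOT_FOUND": "VpcEndpointId did not resolve; check the endpoint ID and region",
    "VPC_ENDPOINT_DNS_ENTRIES_NOT_FOUND": "the VPC endpoint has no DNS entries; check the endpoint's DNS configuration",
}


def build_create_request(ca_arn, vpc_endpoint_id=None, intune=None, tags=None, client_token=None):
    """Assemble CreateConnector parameters.

    No VpcEndpointId -> connector reachable over the public internet; with one,
    reachable only through that endpoint. No `intune` -> general-purpose connector.
    A ClientToken is generated when none is given so that a retry within five
    minutes is recognised as the same request rather than a second connector.
    """
    req = {"CertificateAuthorityArn": ca_arn, "ClientToken": client_token or str(uuid.uuid4())}
    if vpc_endpoint_id:
        req["VpcEndpointId"] = vpc_endpoint_id
    if intune:
        req["MobileDeviceManagement"] = {"Intune": {
            "AzureApplicationId": intune["AzureApplicationId"], "Domain": intune["Domain"]}}
    if tags:
        req["Tags"] = dict(tags)
    return req


def wait_for_connector(client, connector_arn, poll_seconds=10, max_polls=60, sleep=time.sleep):
    """Poll GetConnector until Status is ACTIVE or FAILED; return the Connector dict."""
    status = None
    for _ in range(max_polls):
        conn = client.get_connector(ConnectorArn=connector_arn)["Connector"]
        status = conn.get("Status")
        if status in ("ACTIVE", "FAILED"):
            return conn
        sleep(poll_seconds)
    raise TimeoutError(f"{connector_arn} still {status} after {max_polls} polls")


def failure_hint(connector):
    """Remediation text for a FAILED connector, or None when it is not FAILED."""
    if connector.get("Status") != "FAILED":
        return None
    reason = connector.get("StatusReason", "UNKNOWN")
    return f"{reason}: {STATUS_REASON_HINTS.get(reason, 'no guidance for this code')}"


def create_private_connector(client, ca_arn, vpc_endpoint_id, tags=None, sleep=time.sleep):
    """Create a connector reachable only via `vpc_endpoint_id` and wait for it to settle."""
    req = build_create_request(ca_arn, vpc_endpoint_id=vpc_endpoint_id, tags=tags)
    arn = client.create_connector(**req)["ConnectorArn"]
    return wait_for_connector(client, arn, sleep=sleep)


class FakeScepClient:
    """Offline stand-in for boto3.client("pca-connector-scep"); replays scripted GetConnector states."""

    def __init__(self, states):
        self.states = list(states)  # each: {"Status": ..., optional "StatusReason"/"Endpoint"}
        self.create_calls = []

    def create_connector(self, **kwargs):
        self.create_calls.append(kwargs)
        return {"ConnectorArn": "arn:aws:pca-connector-scep:us-east-1:111122223333:connector/EXAMPLE"}

    def get_connector(self, ConnectorArn):
        # Advance through the scripted states and keep returning the last one.
        state = self.states.pop(0) if len(self.states) > 1 else self.states[0]
        return {"Connector": dict(state, Arn=ConnectorArn)}


if __name__ == "__main__":
    # Scripted outcome: two polls in CREATING, then FAILED with one of the new codes.
    client = FakeScepClient([
        {"Status": "CREATING"}, {"Status": "CREATING"},
        {"Status": "FAILED", "StatusReason": "VPC_ENDPOINT_DNS_ENTRIES_NOT_FOUND"},
    ])
    # Point ca_arn at a CA dedicated to this connector, as the parameter description recommends.
    conn = create_private_connector(
        client,
        ca_arn="arn:aws:acm-pca:us-east-1:111122223333:certificate-authority/EXAMPLE",
        vpc_endpoint_id="vpce-EXAMPLE",
        tags={"Purpose": "scep-privatelink"},
        sleep=lambda seconds: None,  # skip the real wait in the offline demo
    )
    print(conn["Status"], failure_hint(conn))
```

For a live run, replace FakeScepClient with boto3.client("pca-connector-scep") and keep the default sleep; the polling and hint logic is unchanged. The sleep function is injected so that the wait loop can be exercised without real delays.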

ListConnectors (updated)
Changes (response)
{'Connectors': {'StatusReason': {'VPC_ENDPOINT_DNS_ENTRIES_NOT_FOUND',
                                 'VPC_ENDPOINT_RESOURCE_NOT_FOUND'}}}

Lists the connectors belonging to your Amazon Web Services account.

See also: AWS API Documentation

Request Syntax

client.list_connectors(
    MaxResults=123,
    NextToken='string'
)
type MaxResults:

integer

param MaxResults:

The maximum number of objects that you want Connector for SCEP to return for this request. If more objects are available, in the response, Connector for SCEP provides a NextToken value that you can use in a subsequent call to get the next batch of objects.

type NextToken:

string

param NextToken:

When you request a list of objects with a MaxResults setting, if the number of objects that are still available for retrieval exceeds the maximum you requested, Connector for SCEP returns a NextToken value in the response. To retrieve the next batch of objects, use the token returned from the prior request in your next request.

rtype:

dict

returns:

Response Syntax

{
    'Connectors': [
        {
            'Arn': 'string',
            'CertificateAuthorityArn': 'string',
            'Type': 'GENERAL_PURPOSE'|'INTUNE',
            'MobileDeviceManagement': {
                'Intune': {
                    'AzureApplicationId': 'string',
                    'Domain': 'string'
                }
            },
            'OpenIdConfiguration': {
                'Issuer': 'string',
                'Subject': 'string',
                'Audience': 'string'
            },
            'Status': 'CREATING'|'ACTIVE'|'DELETING'|'FAILED',
            'StatusReason': 'INTERNAL_FAILURE'|'PRIVATECA_ACCESS_DENIED'|'PRIVATECA_INVALID_STATE'|'PRIVATECA_RESOURCE_NOT_FOUND'|'VPC_ENDPOINT_RESOURCE_NOT_FOUND'|'VPC_ENDPOINT_DNS_ENTRIES_NOT_FOUND',
            'Endpoint': 'string',
            'CreatedAt': datetime(2015, 1, 1),
            'UpdatedAt': datetime(2015, 1, 1)
        },
    ],
    'NextToken': 'string'
}

Response Structure

  • (dict) --

    • Connectors (list) --

      The connectors belonging to your Amazon Web Services account.

      • (dict) --

        Lists the Amazon Web Services Private CA SCEP connectors belonging to your Amazon Web Services account.

        • Arn (string) --

          The Amazon Resource Name (ARN) of the connector.

        • CertificateAuthorityArn (string) --

          The Amazon Resource Name (ARN) of the connector's associated certificate authority.

        • Type (string) --

          The connector type.

        • MobileDeviceManagement (dict) --

          Contains settings relevant to the mobile device management system that you chose for the connector. If you didn't configure MobileDeviceManagement, then the connector is for general-purpose use and this object is empty.

          • Intune (dict) --

            Configuration settings for use with Microsoft Intune. For information about using Connector for SCEP for Microsoft Intune, see Using Connector for SCEP for Microsoft Intune.

            • AzureApplicationId (string) --

              The directory (tenant) ID from your Microsoft Entra ID app registration.

            • Domain (string) --

              The primary domain from your Microsoft Entra ID app registration.

        • OpenIdConfiguration (dict) --

          Contains OpenID Connect (OIDC) parameters for use with Microsoft Intune.

          • Issuer (string) --

            The issuer value to copy into your Microsoft Entra app registration's OIDC.

          • Subject (string) --

            The subject value to copy into your Microsoft Entra app registration's OIDC.

          • Audience (string) --

            The audience value to copy into your Microsoft Entra app registration's OIDC.

        • Status (string) --

          The connector's status. Status can be creating, active, deleting, or failed.

        • StatusReason (string) --

          Information about why connector creation failed, if status is FAILED.

        • Endpoint (string) --

          The connector's HTTPS public SCEP URL.

        • CreatedAt (datetime) --

          The date and time that the challenge was created.

        • UpdatedAt (datetime) --

          The date and time that the challenge was updated.

    • NextToken (string) --

      When you request a list of objects with a MaxResults setting, if the number of objects that are still available for retrieval exceeds the maximum you requested, Connector for SCEP returns a NextToken value in the response. To retrieve the next batch of objects, use the token returned from the prior request in your next request.
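The MaxResults/NextToken loop described above, driven through a small inventory check, as an added example (not AWS's or boto3's own code). It pages through ListConnectors, counts connectors by Status and Type, lists FAILED connectors with their StatusReason, and flags any CA that serves more than one connector, since the CreateConnector parameter description recommends a CA dedicated to each connector. It assumes `client` has the list_connectors method of boto3.client("pca-connector-scep"); FakeListClient is an offline stand-in, and SAMPLE_CONNECTORS is constructed data.

```python
"""Page through ListConnectors with NextToken and summarise connector health."""
from collections import Counter, defaultdict


def iter_connectors(client, page_size=50):
    """Yield every connector, following NextToken until the service stops returning one."""
    kwargs = {"MaxResults": page_size}
    while True:
        page = client.list_connectors(**kwargs)
        for conn in page.get("Connectors", []):
            yield conn
        token = page.get("NextToken")
        if not token:
            return
        kwargs["NextToken"] = token  # token from the prior response selects the next batch


def audit_connectors(client, page_size=50):
    """Return counts by Status and Type, FAILED connectors with their reason, and shared CAs."""
    by_status, by_type = Counter(), Counter()
    failed = []
    connectors_per_ca = defaultdict(list)
    for conn in iter_connectors(client, page_size):
        by_status[conn.get("Status")] += 1
        by_type[conn.get("Type")] += 1
        connectors_per_ca[conn.get("CertificateAuthorityArn")].append(conn["Arn"])
        if conn.get("Status") == "FAILED":
            failed.append((conn["Arn"], conn.get("StatusReason", "UNKNOWN")))
    # A CA backing several connectors goes against the dedicated-CA recommendation.
    shared_cas = {ca: arns for ca, arns in connectors_per_ca.items() if len(arns) > 1}
    return {"by_status": dict(by_status), "by_type": dict(by_type),
            "failed": failed, "shared_cas": shared_cas}


class FakeListClient:
    """Offline stand-in for boto3.client("pca-connector-scep").list_connectors; serves fixed pages."""

    def __init__(self, connectors):
        self.connectors = list(connectors)
        self.calls = []  # (MaxResults, NextToken) per call, for inspection

    def list_connectors(self, MaxResults, NextToken=None):
        self.calls.append((MaxResults, NextToken))
        start = int(NextToken) if NextToken else 0
        end = start + MaxResults
        page = {"Connectors": self.connectors[start:end]}
        if end < len(self.connectors):
            page["NextToken"] = str(end)  # opaque to callers; an offset here for simplicity
        return page


# Constructed sample data; ARNs and URLs are placeholders.
_CONN = "arn:aws:pca-connector-scep:us-east-1:111122223333:connector/"
_CA = "arn:aws:acm-pca:us-east-1:111122223333:certificate-authority/"
SAMPLE_CONNECTORS = [
    {"Arn": _CONN + "a", "CertificateAuthorityArn": _CA + "ca-1", "Type": "GENERAL_PURPOSE",
     "Status": "ACTIVE", "Endpoint": "https://a.example.invalid/scep"},
    {"Arn": _CONN + "b", "CertificateAuthorityArn": _CA + "ca-1", "Type": "INTUNE",
     "Status": "FAILED", "StatusReason": "VPC_ENDPOINT_RESOURCE_NOT_FOUND"},
    {"Arn": _CONN + "c", "CertificateAuthorityArn": _CA + "ca-2", "Type": "GENERAL_PURPOSE",
     "Status": "CREATING"},
]


if __name__ == "__main__":
    client = FakeListClient(SAMPLE_CONNECTORS)
    report = audit_connectors(client, page_size=2)  # small page size to exercise NextToken
    print("pages requested:", client.calls)
    print("by status:", report["by_status"])
    print("by type:", report["by_type"])
    for arn, reason in report["failed"]:
        print("FAILED", arn, reason)
    for ca, arns in report["shared_cas"].items():
        print("CA shared by", len(arns), "connectors:", ca)
```

With a real client the same audit runs unchanged; only the NextToken handling inside FakeListClient is a simplification, since the service's token is opaque and must be passed back verbatim.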