moto/tests/test_acmpca/test_acmpca.py

"""Unit tests for acmpca-supported APIs."""
import boto3
import pytest
import sure  # noqa # pylint: disable=unused-import
from botocore.exceptions import ClientError
from moto import mock_acmpca
from moto.core import DEFAULT_ACCOUNT_ID

import datetime
import cryptography.x509
from cryptography.x509 import NameOID
import cryptography.hazmat.primitives.asymmetric.rsa
from cryptography.hazmat.primitives import serialization, hashes
from cryptography.hazmat.backends import default_backend

# See our Development Tips on writing tests for hints on how to write good tests:
# http://docs.getmoto.org/en/latest/docs/contributing/development_tips/tests.html


@mock_acmpca
def test_create_certificate_authority():
    client = boto3.client("acm-pca", region_name="eu-west-1")
    resp = client.create_certificate_authority(
        CertificateAuthorityConfiguration={
            "KeyAlgorithm": "RSA_4096",
            "SigningAlgorithm": "SHA512WITHRSA",
            "Subject": {"CommonName": "yscb41lw.test"},
        },
        CertificateAuthorityType="SUBORDINATE",
        IdempotencyToken="terraform-20221125230308947400000001",
    )

    resp.should.have.key("CertificateAuthorityArn").match(
        f"^arn:aws:acm-pca:eu-west-1:{DEFAULT_ACCOUNT_ID}:certificate-authority/"
    )


@mock_acmpca
def test_describe_certificate_authority():
    client = boto3.client("acm-pca", region_name="ap-southeast-1")
    ca_arn = client.create_certificate_authority(
        CertificateAuthorityConfiguration={
            "KeyAlgorithm": "RSA_4096",
            "SigningAlgorithm": "SHA512WITHRSA",
            "Subject": {"CommonName": "yscb41lw.test"},
        },
        CertificateAuthorityType="SUBORDINATE",
        IdempotencyToken="terraform-20221125230308947400000001",
    )["CertificateAuthorityArn"]
    ca = client.describe_certificate_authority(CertificateAuthorityArn=ca_arn)[
        "CertificateAuthority"
    ]

    ca.should.have.key("Arn").equals(ca_arn)
    ca.should.have.key("OwnerAccount").equals(DEFAULT_ACCOUNT_ID)
    ca.should.have.key("CreatedAt")
    ca.should.have.key("Type").equals("SUBORDINATE")
    ca.should.have.key("Status").equals("PENDING_CERTIFICATE")
    ca.should.have.key("CertificateAuthorityConfiguration").equals(
        {
            "KeyAlgorithm": "RSA_4096",
            "SigningAlgorithm": "SHA512WITHRSA",
            "Subject": {"CommonName": "yscb41lw.test"},
        }
    )


@mock_acmpca
def test_describe_unknown_certificate_authority():
    client = boto3.client("acm-pca", region_name="ap-southeast-1")

    with pytest.raises(ClientError) as exc:
        client.describe_certificate_authority(CertificateAuthorityArn="unknown")
    err = exc.value.response["Error"]
    err["Code"].should.equal("ResourceNotFoundException")


@mock_acmpca
def test_get_certificate_authority_certificate():
    client = boto3.client("acm-pca", region_name="ap-southeast-1")
    ca_arn = client.create_certificate_authority(
        CertificateAuthorityConfiguration={
            "KeyAlgorithm": "RSA_4096",
            "SigningAlgorithm": "SHA512WITHRSA",
            "Subject": {"CommonName": "yscb41lw.test"},
        },
        CertificateAuthorityType="SUBORDINATE",
        IdempotencyToken="terraform-20221125230308947400000001",
    )["CertificateAuthorityArn"]

    resp = client.get_certificate_authority_certificate(CertificateAuthorityArn=ca_arn)

    # Certificate is empty for now,  until we call import_certificate_authority_certificate
    resp.should.have.key("Certificate").equals("")


@mock_acmpca
def test_get_certificate_authority_csr():
    client = boto3.client("acm-pca", region_name="us-east-2")
    ca_arn = client.create_certificate_authority(
        CertificateAuthorityConfiguration={
            "KeyAlgorithm": "RSA_4096",
            "SigningAlgorithm": "SHA512WITHRSA",
            "Subject": {"CommonName": "yscb41lw.test"},
        },
        CertificateAuthorityType="SUBORDINATE",
        IdempotencyToken="terraform-20221125230308947400000001",
    )["CertificateAuthorityArn"]

    resp = client.get_certificate_authority_csr(CertificateAuthorityArn=ca_arn)

    resp.should.have.key("Csr")


@mock_acmpca
def test_list_tags_when_ca_has_no_tags():
    client = boto3.client("acm-pca", region_name="us-east-2")
    ca_arn = client.create_certificate_authority(
        CertificateAuthorityConfiguration={
            "KeyAlgorithm": "RSA_4096",
            "SigningAlgorithm": "SHA512WITHRSA",
            "Subject": {"CommonName": "yscb41lw.test"},
        },
        CertificateAuthorityType="SUBORDINATE",
        IdempotencyToken="terraform-20221125230308947400000001",
    )["CertificateAuthorityArn"]

    resp = client.list_tags(CertificateAuthorityArn=ca_arn)
    resp.should.have.key("Tags").equals([])


@mock_acmpca
def test_list_tags():
    client = boto3.client("acm-pca", region_name="us-east-2")
    ca_arn = client.create_certificate_authority(
        CertificateAuthorityConfiguration={
            "KeyAlgorithm": "RSA_4096",
            "SigningAlgorithm": "SHA512WITHRSA",
            "Subject": {"CommonName": "yscb41lw.test"},
        },
        CertificateAuthorityType="SUBORDINATE",
        IdempotencyToken="terraform-20221125230308947400000001",
        Tags=[{"Key": "t1", "Value": "v1"}, {"Key": "t2", "Value": "v2"}],
    )["CertificateAuthorityArn"]

    resp = client.list_tags(CertificateAuthorityArn=ca_arn)
    resp.should.have.key("Tags").equals(
        [{"Key": "t1", "Value": "v1"}, {"Key": "t2", "Value": "v2"}]
    )


@mock_acmpca
def test_update_certificate_authority():
    client = boto3.client("acm-pca", region_name="eu-west-1")
    ca_arn = client.create_certificate_authority(
        CertificateAuthorityConfiguration={
            "KeyAlgorithm": "RSA_4096",
            "SigningAlgorithm": "SHA512WITHRSA",
            "Subject": {"CommonName": "yscb41lw.test"},
        },
        CertificateAuthorityType="SUBORDINATE",
    )["CertificateAuthorityArn"]

    client.update_certificate_authority(
        CertificateAuthorityArn=ca_arn,
        Status="DISABLED",
    )

    ca = client.describe_certificate_authority(CertificateAuthorityArn=ca_arn)[
        "CertificateAuthority"
    ]
    ca.should.have.key("Status").equals("DISABLED")
    ca.should.have.key("LastStateChangeAt")


@mock_acmpca
def test_delete_certificate_authority():
    client = boto3.client("acm-pca", region_name="ap-southeast-1")
    ca_arn = client.create_certificate_authority(
        CertificateAuthorityConfiguration={
            "KeyAlgorithm": "RSA_4096",
            "SigningAlgorithm": "SHA512WITHRSA",
            "Subject": {"CommonName": "yscb41lw.test"},
        },
        CertificateAuthorityType="SUBORDINATE",
    )["CertificateAuthorityArn"]

    client.delete_certificate_authority(CertificateAuthorityArn=ca_arn)

    ca = client.describe_certificate_authority(CertificateAuthorityArn=ca_arn)[
        "CertificateAuthority"
    ]
    ca.should.have.key("Status").equals("DELETED")


@mock_acmpca
def test_issue_certificate():
    client = boto3.client("acm-pca", region_name="ap-southeast-1")
    ca_arn = client.create_certificate_authority(
        CertificateAuthorityConfiguration={
            "KeyAlgorithm": "RSA_4096",
            "SigningAlgorithm": "SHA512WITHRSA",
            "Subject": {"CommonName": "t8fzth32.test"},
        },
        CertificateAuthorityType="ROOT",
    )["CertificateAuthorityArn"]

    csr = client.get_certificate_authority_csr(CertificateAuthorityArn=ca_arn)["Csr"]

    resp = client.issue_certificate(
        CertificateAuthorityArn=ca_arn,
        Csr=csr,
        SigningAlgorithm="SHA512WITHRSA",
        Validity={"Type": "YEARS", "Value": 10},
    )

    resp.should.have.key("CertificateArn")


@mock_acmpca
def test_get_certificate():
    client = boto3.client("acm-pca", region_name="us-east-2")
    ca_arn = client.create_certificate_authority(
        CertificateAuthorityConfiguration={
            "KeyAlgorithm": "RSA_4096",
            "SigningAlgorithm": "SHA512WITHRSA",
            "Subject": {"CommonName": "t8fzth32.test"},
        },
        CertificateAuthorityType="ROOT",
    )["CertificateAuthorityArn"]

    csr = client.get_certificate_authority_csr(CertificateAuthorityArn=ca_arn)["Csr"]

    certificate_arn = client.issue_certificate(
        CertificateAuthorityArn=ca_arn,
        Csr=csr,
        SigningAlgorithm="SHA512WITHRSA",
        Validity={"Type": "YEARS", "Value": 10},
    )["CertificateArn"]

    resp = client.get_certificate(
        CertificateAuthorityArn=ca_arn, CertificateArn=certificate_arn
    )
    resp.should.have.key("Certificate")


@mock_acmpca
def test_import_certificate_authority_certificate():
    client = boto3.client("acm-pca", region_name="eu-west-1")
    ca_arn = client.create_certificate_authority(
        CertificateAuthorityConfiguration={
            "KeyAlgorithm": "RSA_4096",
            "SigningAlgorithm": "SHA512WITHRSA",
            "Subject": {"CommonName": "yscb41lw.test"},
        },
        CertificateAuthorityType="SUBORDINATE",
    )["CertificateAuthorityArn"]

    cert = create_cert()

    client.import_certificate_authority_certificate(
        CertificateAuthorityArn=ca_arn,
        Certificate=cert,
    )

    ca = client.describe_certificate_authority(CertificateAuthorityArn=ca_arn)[
        "CertificateAuthority"
    ]
    ca.should.have.key("Status").equals("ACTIVE")
    ca.should.have.key("NotBefore")
    ca.should.have.key("NotAfter")

    resp = client.get_certificate_authority_certificate(CertificateAuthorityArn=ca_arn)
    resp.should.have.key("Certificate").match("^-----BEGIN CERTIFICATE-----")


@mock_acmpca
def test_tag_certificate_authority():
    client = boto3.client("acm-pca", region_name="eu-west-1")
    ca_arn = client.create_certificate_authority(
        CertificateAuthorityConfiguration={
            "KeyAlgorithm": "RSA_4096",
            "SigningAlgorithm": "SHA512WITHRSA",
            "Subject": {"CommonName": "yscb41lw.test"},
        },
        CertificateAuthorityType="SUBORDINATE",
    )["CertificateAuthorityArn"]

    client.tag_certificate_authority(
        CertificateAuthorityArn=ca_arn,
        Tags=[{"Key": "t1", "Value": "v1"}, {"Key": "t2", "Value": "v2"}],
    )

    resp = client.list_tags(CertificateAuthorityArn=ca_arn)
    resp.should.have.key("Tags").equals(
        [{"Key": "t1", "Value": "v1"}, {"Key": "t2", "Value": "v2"}]
    )


@mock_acmpca
def test_untag_certificate_authority():
    client = boto3.client("acm-pca", region_name="eu-west-1")
    ca_arn = client.create_certificate_authority(
        CertificateAuthorityConfiguration={
            "KeyAlgorithm": "RSA_4096",
            "SigningAlgorithm": "SHA512WITHRSA",
            "Subject": {"CommonName": "yscb41lw.test"},
        },
        CertificateAuthorityType="SUBORDINATE",
    )["CertificateAuthorityArn"]

    client.tag_certificate_authority(
        CertificateAuthorityArn=ca_arn,
        Tags=[{"Key": "t1", "Value": "v1"}, {"Key": "t2", "Value": "v2"}],
    )

    client.untag_certificate_authority(
        CertificateAuthorityArn=ca_arn, Tags=[{"Key": "t1", "Value": "v1"}]
    )

    resp = client.list_tags(CertificateAuthorityArn=ca_arn)
    resp.should.have.key("Tags").equals([{"Key": "t2", "Value": "v2"}])


def create_cert():
    serial_number = cryptography.x509.random_serial_number()
    subject = cryptography.x509.Name(
        [
            cryptography.x509.NameAttribute(NameOID.COUNTRY_NAME, "US"),
            cryptography.x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, "CA"),
            cryptography.x509.NameAttribute(NameOID.LOCALITY_NAME, "Test Francisco"),
            cryptography.x509.NameAttribute(NameOID.ORGANIZATION_NAME, "TestCompany"),
            cryptography.x509.NameAttribute(NameOID.COMMON_NAME, "testcert.io"),
        ]
    )
    issuer = cryptography.x509.Name(
        [  # C = US, O = Amazon, OU = Server CA 1B, CN = Amazon
            cryptography.x509.NameAttribute(NameOID.COUNTRY_NAME, "US"),
            cryptography.x509.NameAttribute(NameOID.ORGANIZATION_NAME, "Amazon"),
            cryptography.x509.NameAttribute(
                NameOID.ORGANIZATIONAL_UNIT_NAME, "Server CA 1B"
            ),
            cryptography.x509.NameAttribute(NameOID.COMMON_NAME, "TestCert"),
        ]
    )
    key = cryptography.hazmat.primitives.asymmetric.rsa.generate_private_key(
        public_exponent=65537, key_size=2048
    )
    cert = (
        cryptography.x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(issuer)
        .public_key(key.public_key())
        .serial_number(serial_number)
        .not_valid_before(datetime.datetime.utcnow() - datetime.timedelta(days=10))
        .not_valid_after(datetime.datetime.utcnow() + datetime.timedelta(days=10))
        .sign(key, hashes.SHA512(), default_backend())
    )

    return cert.public_bytes(serialization.Encoding.PEM)
Feature: ACM-PCA (#5712) 2022-11-28 12:22:48 -01:00			`"""Unit tests for acmpca-supported APIs."""`
			`import boto3`
			`import pytest`
			`import sure # noqa # pylint: disable=unused-import`
			`from botocore.exceptions import ClientError`
			`from moto import mock_acmpca`
			`from moto.core import DEFAULT_ACCOUNT_ID`

			`import datetime`
			`import cryptography.x509`
			`from cryptography.x509 import NameOID`
			`import cryptography.hazmat.primitives.asymmetric.rsa`
			`from cryptography.hazmat.primitives import serialization, hashes`
			`from cryptography.hazmat.backends import default_backend`

			`# See our Development Tips on writing tests for hints on how to write good tests:`
			`# http://docs.getmoto.org/en/latest/docs/contributing/development_tips/tests.html`


			`@mock_acmpca`
			`def test_create_certificate_authority():`
			`client = boto3.client("acm-pca", region_name="eu-west-1")`
			`resp = client.create_certificate_authority(`
			`CertificateAuthorityConfiguration={`
			`"KeyAlgorithm": "RSA_4096",`
			`"SigningAlgorithm": "SHA512WITHRSA",`
			`"Subject": {"CommonName": "yscb41lw.test"},`
			`},`
			`CertificateAuthorityType="SUBORDINATE",`
			`IdempotencyToken="terraform-20221125230308947400000001",`
			`)`

			`resp.should.have.key("CertificateAuthorityArn").match(`
			`f"^arn:aws:acm-pca:eu-west-1:{DEFAULT_ACCOUNT_ID}:certificate-authority/"`
			`)`


			`@mock_acmpca`
			`def test_describe_certificate_authority():`
			`client = boto3.client("acm-pca", region_name="ap-southeast-1")`
			`ca_arn = client.create_certificate_authority(`
			`CertificateAuthorityConfiguration={`
			`"KeyAlgorithm": "RSA_4096",`
			`"SigningAlgorithm": "SHA512WITHRSA",`
			`"Subject": {"CommonName": "yscb41lw.test"},`
			`},`
			`CertificateAuthorityType="SUBORDINATE",`
			`IdempotencyToken="terraform-20221125230308947400000001",`
			`)["CertificateAuthorityArn"]`
			`ca = client.describe_certificate_authority(CertificateAuthorityArn=ca_arn)[`
			`"CertificateAuthority"`
			`]`

			`ca.should.have.key("Arn").equals(ca_arn)`
			`ca.should.have.key("OwnerAccount").equals(DEFAULT_ACCOUNT_ID)`
			`ca.should.have.key("CreatedAt")`
			`ca.should.have.key("Type").equals("SUBORDINATE")`
			`ca.should.have.key("Status").equals("PENDING_CERTIFICATE")`
			`ca.should.have.key("CertificateAuthorityConfiguration").equals(`
			`{`
			`"KeyAlgorithm": "RSA_4096",`
			`"SigningAlgorithm": "SHA512WITHRSA",`
			`"Subject": {"CommonName": "yscb41lw.test"},`
			`}`
			`)`


			`@mock_acmpca`
			`def test_describe_unknown_certificate_authority():`
			`client = boto3.client("acm-pca", region_name="ap-southeast-1")`

			`with pytest.raises(ClientError) as exc:`
			`client.describe_certificate_authority(CertificateAuthorityArn="unknown")`
			`err = exc.value.response["Error"]`
			`err["Code"].should.equal("ResourceNotFoundException")`


			`@mock_acmpca`
			`def test_get_certificate_authority_certificate():`
			`client = boto3.client("acm-pca", region_name="ap-southeast-1")`
			`ca_arn = client.create_certificate_authority(`
			`CertificateAuthorityConfiguration={`
			`"KeyAlgorithm": "RSA_4096",`
			`"SigningAlgorithm": "SHA512WITHRSA",`
			`"Subject": {"CommonName": "yscb41lw.test"},`
			`},`
			`CertificateAuthorityType="SUBORDINATE",`
			`IdempotencyToken="terraform-20221125230308947400000001",`
			`)["CertificateAuthorityArn"]`

			`resp = client.get_certificate_authority_certificate(CertificateAuthorityArn=ca_arn)`

			`# Certificate is empty for now, until we call import_certificate_authority_certificate`
			`resp.should.have.key("Certificate").equals("")`


			`@mock_acmpca`
			`def test_get_certificate_authority_csr():`
			`client = boto3.client("acm-pca", region_name="us-east-2")`
			`ca_arn = client.create_certificate_authority(`
			`CertificateAuthorityConfiguration={`
			`"KeyAlgorithm": "RSA_4096",`
			`"SigningAlgorithm": "SHA512WITHRSA",`
			`"Subject": {"CommonName": "yscb41lw.test"},`
			`},`
			`CertificateAuthorityType="SUBORDINATE",`
			`IdempotencyToken="terraform-20221125230308947400000001",`
			`)["CertificateAuthorityArn"]`

			`resp = client.get_certificate_authority_csr(CertificateAuthorityArn=ca_arn)`

			`resp.should.have.key("Csr")`


			`@mock_acmpca`
			`def test_list_tags_when_ca_has_no_tags():`
			`client = boto3.client("acm-pca", region_name="us-east-2")`
			`ca_arn = client.create_certificate_authority(`
			`CertificateAuthorityConfiguration={`
			`"KeyAlgorithm": "RSA_4096",`
			`"SigningAlgorithm": "SHA512WITHRSA",`
			`"Subject": {"CommonName": "yscb41lw.test"},`
			`},`
			`CertificateAuthorityType="SUBORDINATE",`
			`IdempotencyToken="terraform-20221125230308947400000001",`
			`)["CertificateAuthorityArn"]`

			`resp = client.list_tags(CertificateAuthorityArn=ca_arn)`
			`resp.should.have.key("Tags").equals([])`


			`@mock_acmpca`
			`def test_list_tags():`
			`client = boto3.client("acm-pca", region_name="us-east-2")`
			`ca_arn = client.create_certificate_authority(`
			`CertificateAuthorityConfiguration={`
			`"KeyAlgorithm": "RSA_4096",`
			`"SigningAlgorithm": "SHA512WITHRSA",`
			`"Subject": {"CommonName": "yscb41lw.test"},`
			`},`
			`CertificateAuthorityType="SUBORDINATE",`
			`IdempotencyToken="terraform-20221125230308947400000001",`
			`Tags=[{"Key": "t1", "Value": "v1"}, {"Key": "t2", "Value": "v2"}],`
			`)["CertificateAuthorityArn"]`

			`resp = client.list_tags(CertificateAuthorityArn=ca_arn)`
			`resp.should.have.key("Tags").equals(`
			`[{"Key": "t1", "Value": "v1"}, {"Key": "t2", "Value": "v2"}]`
			`)`


			`@mock_acmpca`
			`def test_update_certificate_authority():`
			`client = boto3.client("acm-pca", region_name="eu-west-1")`
			`ca_arn = client.create_certificate_authority(`
			`CertificateAuthorityConfiguration={`
			`"KeyAlgorithm": "RSA_4096",`
			`"SigningAlgorithm": "SHA512WITHRSA",`
			`"Subject": {"CommonName": "yscb41lw.test"},`
			`},`
			`CertificateAuthorityType="SUBORDINATE",`
			`)["CertificateAuthorityArn"]`

			`client.update_certificate_authority(`
			`CertificateAuthorityArn=ca_arn,`
			`Status="DISABLED",`
			`)`

			`ca = client.describe_certificate_authority(CertificateAuthorityArn=ca_arn)[`
			`"CertificateAuthority"`
			`]`
			`ca.should.have.key("Status").equals("DISABLED")`
			`ca.should.have.key("LastStateChangeAt")`


			`@mock_acmpca`
			`def test_delete_certificate_authority():`
			`client = boto3.client("acm-pca", region_name="ap-southeast-1")`
			`ca_arn = client.create_certificate_authority(`
			`CertificateAuthorityConfiguration={`
			`"KeyAlgorithm": "RSA_4096",`
			`"SigningAlgorithm": "SHA512WITHRSA",`
			`"Subject": {"CommonName": "yscb41lw.test"},`
			`},`
			`CertificateAuthorityType="SUBORDINATE",`
			`)["CertificateAuthorityArn"]`

			`client.delete_certificate_authority(CertificateAuthorityArn=ca_arn)`

			`ca = client.describe_certificate_authority(CertificateAuthorityArn=ca_arn)[`
			`"CertificateAuthority"`
			`]`
			`ca.should.have.key("Status").equals("DELETED")`


			`@mock_acmpca`
			`def test_issue_certificate():`
			`client = boto3.client("acm-pca", region_name="ap-southeast-1")`
			`ca_arn = client.create_certificate_authority(`
			`CertificateAuthorityConfiguration={`
			`"KeyAlgorithm": "RSA_4096",`
			`"SigningAlgorithm": "SHA512WITHRSA",`
			`"Subject": {"CommonName": "t8fzth32.test"},`
			`},`
			`CertificateAuthorityType="ROOT",`
			`)["CertificateAuthorityArn"]`

			`csr = client.get_certificate_authority_csr(CertificateAuthorityArn=ca_arn)["Csr"]`

			`resp = client.issue_certificate(`
			`CertificateAuthorityArn=ca_arn,`
			`Csr=csr,`
			`SigningAlgorithm="SHA512WITHRSA",`
			`Validity={"Type": "YEARS", "Value": 10},`
			`)`

			`resp.should.have.key("CertificateArn")`


			`@mock_acmpca`
			`def test_get_certificate():`
			`client = boto3.client("acm-pca", region_name="us-east-2")`
			`ca_arn = client.create_certificate_authority(`
			`CertificateAuthorityConfiguration={`
			`"KeyAlgorithm": "RSA_4096",`
			`"SigningAlgorithm": "SHA512WITHRSA",`
			`"Subject": {"CommonName": "t8fzth32.test"},`
			`},`
			`CertificateAuthorityType="ROOT",`
			`)["CertificateAuthorityArn"]`

			`csr = client.get_certificate_authority_csr(CertificateAuthorityArn=ca_arn)["Csr"]`

			`certificate_arn = client.issue_certificate(`
			`CertificateAuthorityArn=ca_arn,`
			`Csr=csr,`
			`SigningAlgorithm="SHA512WITHRSA",`
			`Validity={"Type": "YEARS", "Value": 10},`
			`)["CertificateArn"]`

			`resp = client.get_certificate(`
			`CertificateAuthorityArn=ca_arn, CertificateArn=certificate_arn`
			`)`
			`resp.should.have.key("Certificate")`


			`@mock_acmpca`
			`def test_import_certificate_authority_certificate():`
			`client = boto3.client("acm-pca", region_name="eu-west-1")`
			`ca_arn = client.create_certificate_authority(`
			`CertificateAuthorityConfiguration={`
			`"KeyAlgorithm": "RSA_4096",`
			`"SigningAlgorithm": "SHA512WITHRSA",`
			`"Subject": {"CommonName": "yscb41lw.test"},`
			`},`
			`CertificateAuthorityType="SUBORDINATE",`
			`)["CertificateAuthorityArn"]`

			`cert = create_cert()`

			`client.import_certificate_authority_certificate(`
			`CertificateAuthorityArn=ca_arn,`
			`Certificate=cert,`
			`)`

			`ca = client.describe_certificate_authority(CertificateAuthorityArn=ca_arn)[`
			`"CertificateAuthority"`
			`]`
			`ca.should.have.key("Status").equals("ACTIVE")`
			`ca.should.have.key("NotBefore")`
			`ca.should.have.key("NotAfter")`

			`resp = client.get_certificate_authority_certificate(CertificateAuthorityArn=ca_arn)`
			`resp.should.have.key("Certificate").match("^-----BEGIN CERTIFICATE-----")`


			`@mock_acmpca`
			`def test_tag_certificate_authority():`
			`client = boto3.client("acm-pca", region_name="eu-west-1")`
			`ca_arn = client.create_certificate_authority(`
			`CertificateAuthorityConfiguration={`
			`"KeyAlgorithm": "RSA_4096",`
			`"SigningAlgorithm": "SHA512WITHRSA",`
			`"Subject": {"CommonName": "yscb41lw.test"},`
			`},`
			`CertificateAuthorityType="SUBORDINATE",`
			`)["CertificateAuthorityArn"]`

			`client.tag_certificate_authority(`
			`CertificateAuthorityArn=ca_arn,`
			`Tags=[{"Key": "t1", "Value": "v1"}, {"Key": "t2", "Value": "v2"}],`
			`)`

			`resp = client.list_tags(CertificateAuthorityArn=ca_arn)`
			`resp.should.have.key("Tags").equals(`
			`[{"Key": "t1", "Value": "v1"}, {"Key": "t2", "Value": "v2"}]`
			`)`


			`@mock_acmpca`
			`def test_untag_certificate_authority():`
			`client = boto3.client("acm-pca", region_name="eu-west-1")`
			`ca_arn = client.create_certificate_authority(`
			`CertificateAuthorityConfiguration={`
			`"KeyAlgorithm": "RSA_4096",`
			`"SigningAlgorithm": "SHA512WITHRSA",`
			`"Subject": {"CommonName": "yscb41lw.test"},`
			`},`
			`CertificateAuthorityType="SUBORDINATE",`
			`)["CertificateAuthorityArn"]`

			`client.tag_certificate_authority(`
			`CertificateAuthorityArn=ca_arn,`
			`Tags=[{"Key": "t1", "Value": "v1"}, {"Key": "t2", "Value": "v2"}],`
			`)`

			`client.untag_certificate_authority(`
			`CertificateAuthorityArn=ca_arn, Tags=[{"Key": "t1", "Value": "v1"}]`
			`)`

			`resp = client.list_tags(CertificateAuthorityArn=ca_arn)`
			`resp.should.have.key("Tags").equals([{"Key": "t2", "Value": "v2"}])`


			`def create_cert():`
			`serial_number = cryptography.x509.random_serial_number()`
			`subject = cryptography.x509.Name(`
			`[`
			`cryptography.x509.NameAttribute(NameOID.COUNTRY_NAME, "US"),`
			`cryptography.x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, "CA"),`
			`cryptography.x509.NameAttribute(NameOID.LOCALITY_NAME, "Test Francisco"),`
			`cryptography.x509.NameAttribute(NameOID.ORGANIZATION_NAME, "TestCompany"),`
			`cryptography.x509.NameAttribute(NameOID.COMMON_NAME, "testcert.io"),`
			`]`
			`)`
			`issuer = cryptography.x509.Name(`
			`[ # C = US, O = Amazon, OU = Server CA 1B, CN = Amazon`
			`cryptography.x509.NameAttribute(NameOID.COUNTRY_NAME, "US"),`
			`cryptography.x509.NameAttribute(NameOID.ORGANIZATION_NAME, "Amazon"),`
			`cryptography.x509.NameAttribute(`
			`NameOID.ORGANIZATIONAL_UNIT_NAME, "Server CA 1B"`
			`),`
			`cryptography.x509.NameAttribute(NameOID.COMMON_NAME, "TestCert"),`
			`]`
			`)`
			`key = cryptography.hazmat.primitives.asymmetric.rsa.generate_private_key(`
			`public_exponent=65537, key_size=2048`
			`)`
			`cert = (`
			`cryptography.x509.CertificateBuilder()`
			`.subject_name(subject)`
			`.issuer_name(issuer)`
			`.public_key(key.public_key())`
			`.serial_number(serial_number)`
			`.not_valid_before(datetime.datetime.utcnow() - datetime.timedelta(days=10))`
			`.not_valid_after(datetime.datetime.utcnow() + datetime.timedelta(days=10))`
			`.sign(key, hashes.SHA512(), default_backend())`
			`)`

			`return cert.public_bytes(serialization.Encoding.PEM)`