REST Resource: apps.authorizedCertificates

Resource: AuthorizedCertificate

An SSL certificate that a user has been authorized to administer. A user is authorized to administer any certificate that applies to one of their authorized domains.

JSON representation
{
  "name": string,
  "id": string,
  "displayName": string,
  "domainNames": [
    string
  ],
  "expireTime": string,
  "certificateRawData": {
    object (CertificateRawData)
  },
  "managedCertificate": {
    object (ManagedCertificate)
  },
  "visibleDomainMappings": [
    string
  ],
  "domainMappingsCount": integer
}
Fields
name

string

Full path to the AuthorizedCertificate resource in the API. Example: apps/myapp/authorizedCertificates/12345.

Note: This field is used in responses only. Any value specified here in a request is ignored.

id

string

Relative name of the certificate. This is a unique value autogenerated on AuthorizedCertificate resource creation. Example: 12345.

Note: This field is used in responses only. Any value specified here in a request is ignored.

displayName

string

The user-specified display name of the certificate. This is not guaranteed to be unique. Example: My Certificate.

domainNames[]

string

Topmost applicable domains of this certificate. This certificate applies to these domains and their subdomains. Example: example.com.

Note: This field is used in responses only. Any value specified here in a request is ignored.

expireTime

string (Timestamp format)

The time when this certificate expires. To update the renewal time on this certificate, upload an SSL certificate with a different expiration time using AuthorizedCertificates.UpdateAuthorizedCertificate.

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

Note: This field is used in responses only. Any value specified here in a request is ignored.

certificateRawData

object (CertificateRawData)

The SSL certificate serving the AuthorizedCertificate resource. This must be obtained independently from a certificate authority.

managedCertificate

object (ManagedCertificate)

Only applicable if this certificate is managed by App Engine. Managed certificates are tied to the lifecycle of a DomainMapping and cannot be updated or deleted via the AuthorizedCertificates API. If this certificate is manually administered by the user, this field will be empty.

Note: This field is used in responses only. Any value specified here in a request is ignored.

visibleDomainMappings[]

string

The full paths to user visible Domain Mapping resources that have this certificate mapped. Example: apps/myapp/domainMappings/example.com.

This may not represent the full list of mapped domain mappings if the user does not have VIEWER permissions on all of the applications that have this certificate mapped. See domainMappingsCount for a complete count.

Only returned by GET or LIST requests when specifically requested by the view=FULL_CERTIFICATE option.

Note: This field is used in responses only. Any value specified here in a request is ignored.

domainMappingsCount

integer

Aggregate count of the domain mappings with this certificate mapped. This count includes domain mappings on applications for which the user does not have VIEWER permissions.

Only returned by GET or LIST requests when specifically requested by the view=FULL_CERTIFICATE option.

Note: This field is used in responses only. Any value specified here in a request is ignored.

CertificateRawData

An SSL certificate obtained from a certificate authority.

JSON representation
{
  "publicCertificate": string,
  "privateKey": string
}
Fields
publicCertificate

string

PEM-encoded X.509 public key certificate. This field is set once on certificate creation. Must include the header and footer. Example:

-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----

privateKey

string

Unencrypted PEM encoded RSA private key. This field is set once on certificate creation and then encrypted. The key size must be 2048 bits or fewer. Must include the header and footer. Example:

-----BEGIN RSA PRIVATE KEY-----

-----END RSA PRIVATE KEY-----

@InputOnly

ManagedCertificate

A certificate managed by App Engine.

JSON representation
{
  "lastRenewalTime": string,
  "status": enum (ManagementStatus)
}
Fields
lastRenewalTime

string (Timestamp format)

Time at which the certificate was last renewed. The renewal process is fully managed. Certificate renewal will automatically occur before the certificate expires. Renewal errors can be tracked via ManagementStatus.

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

Note: This field is used in responses only. Any value specified here in a request is ignored.

status

enum (ManagementStatus)

Status of certificate management. Refers to the most recent certificate acquisition or renewal attempt.

Note: This field is used in responses only. Any value specified here in a request is ignored.

ManagementStatus

State of certificate management. Refers to the most recent certificate acquisition or renewal attempt.

Enums
MANAGEMENT_STATUS_UNSPECIFIED
OK Certificate was successfully obtained and inserted into the serving system.
PENDING Certificate is under active attempts to acquire or renew.
FAILED_RETRYING_NOT_VISIBLE Most recent renewal failed due to an invalid DNS setup and will be retried. Renewal attempts will continue to fail until the certificate domain's DNS configuration is fixed. The last successfully provisioned certificate may still be serving.
FAILED_PERMANENT All renewal attempts have been exhausted, likely due to an invalid DNS setup.
FAILED_RETRYING_CAA_FORBIDDEN Most recent renewal failed due to an explicit CAA record that does not include one of the in-use CAs (Google CA and Let's Encrypt). Renewals will continue to fail until the CAA is reconfigured. The last successfully provisioned certificate may still be serving.
FAILED_RETRYING_CAA_CHECKING Most recent renewal failed due to a CAA retrieval failure. This means that the domain's DNS provider does not properly handle CAA records, failing requests for CAA records when no CAA records are defined. Renewals will continue to fail until the DNS provider is changed or a CAA record is added for the given domain. The last successfully provisioned certificate may still be serving.
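
Added example (not part of the App Engine reference or any Google code): an audit over resources as returned by list with view=FULL_CERTIFICATE. It flags certificates close to expireTime, managed certificates whose ManagementStatus reports a failed renewal, and mappings counted in domainMappingsCount but missing from visibleDomainMappings. The sample data, the function names and the 30-day threshold are assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: items shaped like AuthorizedCertificate resources fetched
# with view=FULL_CERTIFICATE. All values are invented for illustration.
SAMPLE = [
    {"id": "1001", "displayName": "shop", "domainNames": ["example.com"],
     "expireTime": "2014-10-02T15:01:23.045123456Z",
     "visibleDomainMappings": ["apps/myapp/domainMappings/example.com"],
     "domainMappingsCount": 3},
    {"id": "1002", "displayName": "managed", "domainNames": ["example.org"],
     "expireTime": "2015-06-01T00:00:00Z",
     "managedCertificate": {"lastRenewalTime": "2014-09-01T00:00:00Z",
                            "status": "FAILED_RETRYING_CAA_FORBIDDEN"},
     "visibleDomainMappings": ["apps/myapp/domainMappings/example.org"],
     "domainMappingsCount": 1},
]

_TS = re.compile(r"^(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d)(?:\.(\d{1,9}))?Z$")

def parse_timestamp(value):
    """Parse RFC3339 'Zulu' time; datetime holds microseconds, so digits 7-9 are dropped."""
    m = _TS.match(value)
    if not m:
        raise ValueError(f"not an RFC3339 UTC timestamp: {value!r}")
    frac = (m.group(2) or "").ljust(6, "0")[:6]
    base = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
    return base.replace(microsecond=int(frac), tzinfo=timezone.utc)

def audit(certs, now, warn_days=30):
    """Return (id, finding) pairs for certificates that need attention."""
    findings = []
    for c in certs:
        left = parse_timestamp(c["expireTime"]) - now
        if left < timedelta(0):
            findings.append((c["id"], "expired"))
        elif left < timedelta(days=warn_days):
            findings.append((c["id"], f"expires in {left.days} days"))
        # Empty or absent for manually administered certificates.
        status = (c.get("managedCertificate") or {}).get("status")
        if status and status not in ("OK", "PENDING"):  # policy choice: PENDING is not alarmed on
            findings.append((c["id"], f"managed renewal status {status}"))
        hidden = c.get("domainMappingsCount", 0) - len(c.get("visibleDomainMappings", []))
        if hidden > 0:
            findings.append((c["id"], f"{hidden} domain mappings not visible to caller"))
    return findings
```

A nonzero hidden-mapping count means the certificate also serves applications the caller cannot view, which matters before rotating or deleting it.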

Methods

create

Uploads the specified SSL certificate.

delete

Deletes the specified SSL certificate.

get

Gets the specified SSL certificate.

list

Lists all SSL certificates the user is authorized to administer.

patch

Updates the specified SSL certificate.