REST Resource: projects.locations.caPools.certificateAuthorities

Resource: CertificateAuthority

A CertificateAuthority represents an individual Certificate Authority. A CertificateAuthority can be used to create Certificates.

JSON representation
{
  "name": string,
  "type": enum (Type),
  "config": {
    object (CertificateConfig)
  },
  "lifetime": string,
  "keySpec": {
    object (KeyVersionSpec)
  },
  "subordinateConfig": {
    object (SubordinateConfig)
  },
  "tier": enum (Tier),
  "state": enum (State),
  "pemCaCertificates": [
    string
  ],
  "caCertificateDescriptions": [
    {
      object (CertificateDescription)
    }
  ],
  "gcsBucket": string,
  "accessUrls": {
    object (AccessUrls)
  },
  "createTime": string,
  "updateTime": string,
  "deleteTime": string,
  "expireTime": string,
  "labels": {
    string: string,
    ...
  },
  "satisfiesPzs": boolean,
  "satisfiesPzi": boolean
}
Fields
name

string

Output only. The resource name for this CertificateAuthority in the format projects/*/locations/*/caPools/*/certificateAuthorities/*.

type

enum (Type)

Required. Immutable. The Type of this CertificateAuthority.

config

object (CertificateConfig)

Required. Immutable. The config used to create a self-signed X.509 certificate or CSR.

lifetime

string (Duration format)

Required. Immutable. The desired lifetime of the CA certificate. Used to create the "notBeforeTime" and "notAfterTime" fields inside an X.509 certificate.

A duration in seconds with up to nine fractional digits, ending with 's'. Example: "3.5s".

keySpec

object (KeyVersionSpec)

Required. Immutable. Used when issuing certificates for this CertificateAuthority. If this CertificateAuthority is a self-signed CertificateAuthority, this key is also used to sign the self-signed CA certificate. Otherwise, it is used to sign a CSR.

subordinateConfig

object (SubordinateConfig)

Optional. If this is a subordinate CertificateAuthority, this field will be set with the subordinate configuration, which describes its issuers. This may be updated, but this CertificateAuthority must continue to validate.

tier

enum (Tier)

Output only. The CaPool.Tier of the CaPool that includes this CertificateAuthority.

state

enum (State)

Output only. The State for this CertificateAuthority.

pemCaCertificates[]

string

Output only. This CertificateAuthority's certificate chain, including the current CertificateAuthority's certificate. Ordered such that the root issuer is the final element (consistent with RFC 5246). For a self-signed CA, this will only list the current CertificateAuthority's certificate.

caCertificateDescriptions[]

object (CertificateDescription)

Output only. A structured description of this CertificateAuthority's CA certificate and its issuers. Ordered as self-to-root.

gcsBucket

string

Immutable. The name of a Cloud Storage bucket where this CertificateAuthority will publish content, such as the CA certificate and CRLs. This must be a bucket name, without any prefixes (such as gs://) or suffixes (such as .googleapis.com). For example, to use a bucket named my-bucket, you would simply specify my-bucket. If not specified, a managed bucket will be created.

accessUrls

object (AccessUrls)

Output only. URLs for accessing content published by this CA, such as the CA certificate and CRLs.

createTime

string (Timestamp format)

Output only. The time at which this CertificateAuthority was created.

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

updateTime

string (Timestamp format)

Output only. The time at which this CertificateAuthority was last updated.

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

deleteTime

string (Timestamp format)

Output only. The time at which this CertificateAuthority was soft deleted, if it is in the DELETED state.

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

expireTime

string (Timestamp format)

Output only. The time at which this CertificateAuthority will be permanently purged, if it is in the DELETED state.

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

labels

map (key: string, value: string)

Optional. Labels with user-defined metadata.

An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.

satisfiesPzs

boolean

Output only. Reserved for future use.

satisfiesPzi

boolean

Output only. Reserved for future use.

Type

The type of a CertificateAuthority, indicating its issuing chain.

Enums
TYPE_UNSPECIFIED Not specified.
SELF_SIGNED Self-signed CA.
SUBORDINATE Subordinate CA. Could be issued by a Private CA CertificateAuthority or an unmanaged CA.

KeyVersionSpec

A Cloud KMS key configuration that a CertificateAuthority will use.

JSON representation
{

  // Union field KeyVersion can be only one of the following:
  "cloudKmsKeyVersion": string,
  "algorithm": enum (SignHashAlgorithm)
  // End of list of possible types for union field KeyVersion.
}
Fields

Union field KeyVersion.

KeyVersion can be only one of the following:

cloudKmsKeyVersion

string

The resource name for an existing Cloud KMS CryptoKeyVersion in the format projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*. This option enables full flexibility in the key's capabilities and properties.

algorithm

enum (SignHashAlgorithm)

The algorithm to use for creating a managed Cloud KMS key for a for a simplified experience. All managed keys will be have their [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] as HSM.

SignHashAlgorithm

The algorithm of a Cloud KMS CryptoKeyVersion of a [CryptoKey][google.cloud.kms.v1.CryptoKey] with the [CryptoKeyPurpose][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose] value ASYMMETRIC_SIGN. These values correspond to the [CryptoKeyVersionAlgorithm][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm] values. For RSA signing algorithms, the PSS algorithms should be preferred, use PKCS1 algorithms if required for compatibility. For further recommendations, see https://cloud.google.com/kms/docs/algorithms#algorithm_recommendations.

Enums
SIGN_HASH_ALGORITHM_UNSPECIFIED Not specified.
RSA_PSS_2048_SHA256 maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PSS_2048_SHA256
RSA_PSS_3072_SHA256 maps to CryptoKeyVersionAlgorithm. RSA_SIGN_PSS_3072_SHA256
RSA_PSS_4096_SHA256 maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PSS_4096_SHA256
RSA_PKCS1_2048_SHA256 maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_2048_SHA256
RSA_PKCS1_3072_SHA256 maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_3072_SHA256
RSA_PKCS1_4096_SHA256 maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_4096_SHA256
EC_P256_SHA256 maps to CryptoKeyVersionAlgorithm.EC_SIGN_P256_SHA256
EC_P384_SHA384 maps to CryptoKeyVersionAlgorithm.EC_SIGN_P384_SHA384

SubordinateConfig

Describes a subordinate CA's issuers. This is either a resource name to a known issuing CertificateAuthority, or a PEM issuer certificate chain.

JSON representation
{

  // Union field subordinate_config can be only one of the following:
  "certificateAuthority": string,
  "pemIssuerChain": {
    object (SubordinateConfigChain)
  }
  // End of list of possible types for union field subordinate_config.
}
Fields

Union field subordinate_config.

subordinate_config can be only one of the following:

certificateAuthority

string

Required. This can refer to a CertificateAuthority that was used to create a subordinate CertificateAuthority. This field is used for information and usability purposes only. The resource name is in the format projects/*/locations/*/caPools/*/certificateAuthorities/*.

pemIssuerChain

object (SubordinateConfigChain)

Required. Contains the PEM certificate chain for the issuers of this CertificateAuthority, but not pem certificate for this CA itself.

SubordinateConfigChain

This message describes a subordinate CA's issuer certificate chain. This wrapper exists for compatibility reasons.

JSON representation
{
  "pemCertificates": [
    string
  ]
}
Fields
pemCertificates[]

string

Required. Expected to be in leaf-to-root order according to RFC 5246.

State

The state of a CertificateAuthority, indicating if it can be used.

Enums
STATE_UNSPECIFIED Not specified.
ENABLED Certificates can be issued from this CA. CRLs will be generated for this CA. The CA will be part of the CaPool's trust anchor, and will be used to issue certificates from the CaPool.
DISABLED Certificates cannot be issued from this CA. CRLs will still be generated. The CA will be part of the CaPool's trust anchor, but will not be used to issue certificates from the CaPool.
STAGED Certificates can be issued from this CA. CRLs will be generated for this CA. The CA will be part of the CaPool's trust anchor, but will not be used to issue certificates from the CaPool.
AWAITING_USER_ACTIVATION Certificates cannot be issued from this CA. CRLs will not be generated. The CA will not be part of the CaPool's trust anchor, and will not be used to issue certificates from the CaPool.
DELETED Certificates cannot be issued from this CA. CRLs will not be generated. The CA may still be recovered by calling CertificateAuthorityService.UndeleteCertificateAuthority before expireTime. The CA will not be part of the CaPool's trust anchor, and will not be used to issue certificates from the CaPool.

AccessUrls

URLs where a CertificateAuthority will publish content.

JSON representation
{
  "caCertificateAccessUrl": string,
  "crlAccessUrls": [
    string
  ]
}
Fields
caCertificateAccessUrl

string

The URL where this CertificateAuthority's CA certificate is published. This will only be set for CAs that have been activated.

crlAccessUrls[]

string

The URLs where this CertificateAuthority's CRLs are published. This will only be set for CAs that have been activated.

Methods

activate

Activate a CertificateAuthority that is in state AWAITING_USER_ACTIVATION and is of type SUBORDINATE.

create

Create a new CertificateAuthority in a given Project and Location.

delete

Delete a CertificateAuthority.

disable

Disable a CertificateAuthority.

enable

Enable a CertificateAuthority.

fetch

Fetch a certificate signing request (CSR) from a CertificateAuthority that is in state AWAITING_USER_ACTIVATION and is of type SUBORDINATE.

get

Returns a CertificateAuthority.

list

Lists CertificateAuthorities.

patch

Update a CertificateAuthority.

undelete

Undelete a CertificateAuthority that has been deleted.