REST Resource: projects.locations.caPools.certificates

Resource: Certificate

A Certificate corresponds to a signed X.509 certificate issued by a CertificateAuthority.

JSON representation
{
  "name": string,
  "issuerCertificateAuthority": string,
  "lifetime": string,
  "certificateTemplate": string,
  "subjectMode": enum (SubjectRequestMode),
  "revocationDetails": {
    object (RevocationDetails)
  },
  "pemCertificate": string,
  "certificateDescription": {
    object (CertificateDescription)
  },
  "pemCertificateChain": [
    string
  ],
  "createTime": string,
  "updateTime": string,
  "labels": {
    string: string,
    ...
  },

  // Union field certificate_config can be only one of the following:
  "pemCsr": string,
  "config": {
    object (CertificateConfig)
  }
  // End of list of possible types for union field certificate_config.
}
Fields
name

string

Output only. The resource name for this Certificate in the format projects/*/locations/*/caPools/*/certificates/*.

issuerCertificateAuthority

string

Output only. The resource name of the issuing CertificateAuthority in the format projects/*/locations/*/caPools/*/certificateAuthorities/*.

lifetime

string (Duration format)

Required. Immutable. The desired lifetime of a certificate. Used to create the "notBeforeTime" and "notAfterTime" fields inside an X.509 certificate. Note that the lifetime may be truncated if it would extend past the life of any certificate authority in the issuing chain.

A duration in seconds with up to nine fractional digits, ending with 's'. Example: "3.5s".

certificateTemplate

string

Immutable. The resource name for a CertificateTemplate used to issue this certificate, in the format projects/*/locations/*/certificateTemplates/*. If this is specified, the caller must have the necessary permission to use this template. If this is omitted, no template will be used. This template must be in the same location as the Certificate.

subjectMode

enum (SubjectRequestMode)

Immutable. Specifies how the Certificate's identity fields are to be decided. If this is omitted, the DEFAULT subject mode will be used.

revocationDetails

object (RevocationDetails)

Output only. Details regarding the revocation of this Certificate. This Certificate is considered revoked if and only if this field is present.

pemCertificate

string

Output only. The PEM-encoded, signed X.509 certificate.

certificateDescription

object (CertificateDescription)

Output only. A structured description of the issued X.509 certificate.

pemCertificateChain[]

string

Output only. The chain that may be used to verify the X.509 certificate. Expected to be in issuer-to-root order according to RFC 5246.

createTime

string (Timestamp format)

Output only. The time at which this Certificate was created.

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

updateTime

string (Timestamp format)

Output only. The time at which this Certificate was updated.

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

labels

map (key: string, value: string)

Optional. Labels with user-defined metadata.

An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.

Union field certificate_config. The config used to create a signed X.509 certificate. certificate_config can be only one of the following:
pemCsr

string

Immutable. A PEM-encoded X.509 certificate signing request (CSR).

config

object (CertificateConfig)

Immutable. A description of the certificate and key that does not require X.509 or ASN.1.

SubjectRequestMode

Describes the way in which a Certificate's Subject and/or SubjectAltNames will be resolved.

Enums
SUBJECT_REQUEST_MODE_UNSPECIFIED

Not specified.

DEFAULT

The default mode used in most cases. Indicates that the certificate's Subject and/or SubjectAltNames are specified in the certificate request. This mode requires the caller to have the privateca.certificates.create permission.

REFLECTED_SPIFFE

A mode reserved for special cases. Indicates that the certificate should have one SPIFFE SubjectAltNames set by the service based on the caller's identity. This mode will ignore any explicitly specified Subject and/or SubjectAltNames in the certificate request. This mode requires the caller to have the privateca.certificates.createForSelf permission.

RevocationDetails

Describes fields that are relevant to the revocation of a Certificate.

JSON representation
{
  "revocationState": enum (RevocationReason),
  "revocationTime": string
}
Fields
revocationState

enum (RevocationReason)

Indicates why a Certificate was revoked.

revocationTime

string (Timestamp format)

The time at which this Certificate was revoked.

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
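
The field rules above (output-only fields, the Duration format of lifetime, the certificate_config union, the template location constraint, and revocation signalled by the presence of revocationDetails) can be checked client-side before a request is sent. The following is an added example, not code from this API reference or the service: the function names, the `parent` argument and all sample values are constructed, and treating a body with neither pemCsr nor config as an error is an assumption of this example.

```python
import re

# Field names and formats come from the Certificate resource above.
OUTPUT_ONLY = {"name", "issuerCertificateAuthority", "revocationDetails",
               "pemCertificate", "certificateDescription",
               "pemCertificateChain", "createTime", "updateTime"}
SUBJECT_MODES = {"SUBJECT_REQUEST_MODE_UNSPECIFIED", "DEFAULT", "REFLECTED_SPIFFE"}
DURATION = re.compile(r"^\d+(\.\d{1,9})?s$")  # seconds, up to 9 fractional digits
POOL = re.compile(r"^projects/[^/]+/locations/([^/]+)/caPools/[^/]+$")
TEMPLATE = re.compile(r"^projects/[^/]+/locations/([^/]+)/certificateTemplates/[^/]+$")


def lint_create_body(parent, body):
    """Return a list of problems in a Certificate body intended for create."""
    problems = []
    pool = POOL.match(parent)
    if not pool:
        problems.append("parent is not projects/*/locations/*/caPools/*")
    for field in sorted(OUTPUT_ONLY & body.keys()):
        problems.append(f"{field} is output only")
    if not DURATION.match(str(body.get("lifetime", ""))):
        problems.append("lifetime is required in Duration format, e.g. '3.5s'")
    # Union field: both set violates the page; neither set is this example's assumption.
    if ("pemCsr" in body) == ("config" in body):
        problems.append("set exactly one of pemCsr or config")
    if body.get("subjectMode", "DEFAULT") not in SUBJECT_MODES:
        problems.append("unknown subjectMode")
    template = body.get("certificateTemplate")
    if template is not None:
        match = TEMPLATE.match(template)
        if not match:
            problems.append("certificateTemplate has the wrong format")
        elif pool and match.group(1) != pool.group(1):
            problems.append("certificateTemplate is in a different location")
    return problems


def is_revoked(certificate):
    """A Certificate is revoked if and only if revocationDetails is present."""
    return "revocationDetails" in certificate


# Constructed sample inputs.
SAMPLE_PARENT = "projects/example-project/locations/us-central1/caPools/example-pool"
SAMPLE_BAD = {"lifetime": "30d", "pemCsr": "<csr>", "config": {}, "pemCertificate": "<pem>",
              "certificateTemplate":
                  "projects/example-project/locations/europe-west1/certificateTemplates/t"}
```
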

Methods

create

Create a new Certificate in a given Project and Location from a particular CaPool.

get

Returns a Certificate.

list

Lists Certificates.

patch

Update a Certificate.

revoke

Revoke a Certificate.