REST Resource: projects.locations.caPools

Resource: CaPool
- JSON representation
IssuancePolicy
- JSON representation
AllowedKeyType
- JSON representation
RsaKeyType
- JSON representation
EcKeyType
- JSON representation
EcSignatureAlgorithm
IssuanceModes
- JSON representation
PublishingOptions
- JSON representation
EncodingFormat
Methods

Resource: CaPool

A CaPool represents a group of CertificateAuthorities that form a trust anchor. A CaPool can be used to manage issuance policies for one or more CertificateAuthority resources and to rotate CA certificates in and out of the trust anchor.

JSON representation
{ "name": string, "tier": enum (`Tier`), "issuancePolicy": { object (`IssuancePolicy`) }, "publishingOptions": { object (`PublishingOptions`) }, "labels": { string: string, ... } }

Fields
`name`	`string` Output only. The resource name for this `CaPool` in the format `projects//locations//caPools/*`.
`tier`	`enum (Tier)` Required. Immutable. The `Tier` of this `CaPool`.
`issuancePolicy`	`object (IssuancePolicy)` Optional. The `IssuancePolicy` to control how `Certificates` will be issued from this `CaPool`.
`publishingOptions`	`object (PublishingOptions)` Optional. The `PublishingOptions` to follow when issuing `Certificates` from any `CertificateAuthority` in this `CaPool`.
`labels`	`map (key: string, value: string)` Optional. Labels with user-defined metadata. An object containing a list of `"key": value` pairs. Example: `{ "name": "wrench", "mass": "1.3kg", "count": "3" }`.

IssuancePolicy

Defines controls over all certificate issuance within a CaPool.

JSON representation

JSON representation
{ "allowedKeyTypes": [ { object (`AllowedKeyType`) } ], "maximumLifetime": string, "allowedIssuanceModes": { object (`IssuanceModes`) }, "baselineValues": { object (`X509Parameters`) }, "identityConstraints": { object (`CertificateIdentityConstraints`) }, "passthroughExtensions": { object (`CertificateExtensionConstraints`) } }

{
  "allowedKeyTypes": [
    {
      object (AllowedKeyType)
    }
  ],
  "maximumLifetime": string,
  "allowedIssuanceModes": {
    object (IssuanceModes)
  },
  "baselineValues": {
    object (X509Parameters)
  },
  "identityConstraints": {
    object (CertificateIdentityConstraints)
  },
  "passthroughExtensions": {
    object (CertificateExtensionConstraints)
  }
}

Fields
`allowedKeyTypes[]`	`object (AllowedKeyType)` Optional. If any `AllowedKeyType` is specified, then the certificate request's public key must match one of the key types listed here. Otherwise, any key may be used.
`maximumLifetime`	`string (Duration format)` Optional. The maximum lifetime allowed for issued `Certificates`. Note that if the issuing `CertificateAuthority` expires before a `Certificate` resource's requested maximumLifetime, the effective lifetime will be explicitly truncated to match it. A duration in seconds with up to nine fractional digits, ending with '`s`'. Example: `"3.5s"`.
`allowedIssuanceModes`	`object (IssuanceModes)` Optional. If specified, then only methods allowed in the `IssuanceModes` may be used to issue `Certificates`.
`baselineValues`	`object (X509Parameters)` Optional. A set of X.509 values that will be applied to all certificates issued through this `CaPool`. If a certificate request includes conflicting values for the same properties, they will be overwritten by the values defined here. If a certificate request uses a `CertificateTemplate` that defines conflicting `predefinedValues` for the same properties, the certificate issuance request will fail.
`identityConstraints`	`object (CertificateIdentityConstraints)` Optional. Describes constraints on identities that may appear in `Certificates` issued through this `CaPool`. If this is omitted, then this `CaPool` will not add restrictions on a certificate's identity.
`passthroughExtensions`	`object (CertificateExtensionConstraints)` Optional. Describes the set of X.509 extensions that may appear in a `Certificate` issued through this `CaPool`. If a certificate request sets extensions that don't appear in the `passthroughExtensions`, those extensions will be dropped. If a certificate request uses a `CertificateTemplate` with `predefinedValues` that don't appear here, the certificate issuance request will fail. If this is omitted, then this `CaPool` will not add restrictions on a certificate's X.509 extensions. These constraints do not apply to X.509 extensions set in this `CaPool`'s `baselineValues`.

AllowedKeyType

Describes a "type" of key that may be used in a Certificate issued from a CaPool. Note that a single AllowedKeyType may refer to either a fully-qualified key algorithm, such as RSA 4096, or a family of key algorithms, such as any RSA key.

JSON representation
{ // Union field `key_type` can be only one of the following: "rsa": { object (`RsaKeyType`) }, "ellipticCurve": { object (`EcKeyType`) } // End of list of possible types for union field `key_type`. }

Fields

Fields
Union field `key_type`. `key_type` can be only one of the following:
`rsa`	`object (RsaKeyType)` Represents an allowed RSA key type.
`ellipticCurve`	`object (EcKeyType)` Represents an allowed Elliptic Curve key type.

Union field key_type.

key_type can be only one of the following:

rsa

object (RsaKeyType)

Represents an allowed RSA key type.

ellipticCurve

object (EcKeyType)

Represents an allowed Elliptic Curve key type.

RsaKeyType

Describes an RSA key that may be used in a Certificate issued from a CaPool.

JSON representation
{ "minModulusSize": string, "maxModulusSize": string }

Fields

Fields
`minModulusSize`	`string (int64 format)` Optional. The minimum allowed RSA modulus size (inclusive), in bits. If this is not set, or if set to zero, the service-level min RSA modulus size will continue to apply.
`maxModulusSize`	`string (int64 format)` Optional. The maximum allowed RSA modulus size (inclusive), in bits. If this is not set, or if set to zero, the service will not enforce an explicit upper bound on RSA modulus sizes.

minModulusSize

string (int64 format)

Optional. The minimum allowed RSA modulus size (inclusive), in bits. If this is not set, or if set to zero, the service-level min RSA modulus size will continue to apply.

maxModulusSize

string (int64 format)

Optional. The maximum allowed RSA modulus size (inclusive), in bits. If this is not set, or if set to zero, the service will not enforce an explicit upper bound on RSA modulus sizes.

EcKeyType

Describes an Elliptic Curve key that may be used in a Certificate issued from a CaPool.

JSON representation
{ "signatureAlgorithm": enum (`EcSignatureAlgorithm`) }

Fields

Fields
`signatureAlgorithm`	`enum (EcSignatureAlgorithm)` Optional. A signature algorithm that must be used. If this is omitted, any EC-based signature algorithm will be allowed.

signatureAlgorithm

enum (EcSignatureAlgorithm)

Optional. A signature algorithm that must be used. If this is omitted, any EC-based signature algorithm will be allowed.

EcSignatureAlgorithm

Describes an elliptic curve-based signature algorithm that may be used in a Certificate issued from a CaPool.

Enums
`EC_SIGNATURE_ALGORITHM_UNSPECIFIED`	Not specified. Signifies that any signature algorithm may be used.
`ECDSA_P256`	Refers to the Elliptic Curve Digital Signature Algorithm over the NIST P-256 curve.
`ECDSA_P384`	Refers to the Elliptic Curve Digital Signature Algorithm over the NIST P-384 curve.
`EDDSA_25519`	Refers to the Edwards-curve Digital Signature Algorithm over curve 25519, as described in RFC 8410.

IssuanceModes

IssuanceModes specifies the allowed ways in which Certificates may be requested from this CaPool.

JSON representation
{ "allowCsrBasedIssuance": boolean, "allowConfigBasedIssuance": boolean }

Fields

Fields
`allowCsrBasedIssuance`	`boolean` Optional. When true, allows callers to create `Certificates` by specifying a CSR.
`allowConfigBasedIssuance`	`boolean` Optional. When true, allows callers to create `Certificates` by specifying a `CertificateConfig`.

allowCsrBasedIssuance

boolean

Optional. When true, allows callers to create Certificates by specifying a CSR.

allowConfigBasedIssuance

boolean

Optional. When true, allows callers to create Certificates by specifying a CertificateConfig.

PublishingOptions

Options relating to the publication of each CertificateAuthority's CA certificate and CRLs and their inclusion as extensions in issued Certificates. The options set here apply to certificates issued by any CertificateAuthority in the CaPool.

JSON representation
{ "publishCaCert": boolean, "publishCrl": boolean, "encodingFormat": enum (`EncodingFormat`) }

Fields

Fields
`publishCaCert`	`boolean` Optional. When true, publishes each `CertificateAuthority`'s CA certificate and includes its URL in the "Authority Information Access" X.509 extension in all issued `Certificates`. If this is false, the CA certificate will not be published and the corresponding X.509 extension will not be written in issued certificates.
`publishCrl`	`boolean` Optional. When true, publishes each `CertificateAuthority`'s CRL and includes its URL in the "CRL Distribution Points" X.509 extension in all issued `Certificates`. If this is false, CRLs will not be published and the corresponding X.509 extension will not be written in issued certificates. CRLs will expire 7 days from their creation. However, we will rebuild daily. CRLs are also rebuilt shortly after a certificate is revoked.
`encodingFormat`	`enum (EncodingFormat)` Optional. Specifies the encoding format of each `CertificateAuthority` resource's CA certificate and CRLs. If this is omitted, CA certificates and CRLs will be published in PEM.

publishCaCert

boolean

Optional. When true, publishes each CertificateAuthority's CA certificate and includes its URL in the "Authority Information Access" X.509 extension in all issued Certificates. If this is false, the CA certificate will not be published and the corresponding X.509 extension will not be written in issued certificates.

publishCrl

boolean

Optional. When true, publishes each CertificateAuthority's CRL and includes its URL in the "CRL Distribution Points" X.509 extension in all issued Certificates. If this is false, CRLs will not be published and the corresponding X.509 extension will not be written in issued certificates. CRLs will expire 7 days from their creation. However, we will rebuild daily. CRLs are also rebuilt shortly after a certificate is revoked.

encodingFormat

enum (EncodingFormat)

Optional. Specifies the encoding format of each CertificateAuthority resource's CA certificate and CRLs. If this is omitted, CA certificates and CRLs will be published in PEM.

EncodingFormat

Supported encoding formats for publishing.

Enums
`ENCODING_FORMAT_UNSPECIFIED`	Not specified. By default, PEM format will be used.
`PEM`	The `CertificateAuthority`'s CA certificate and CRLs will be published in PEM format.
`DER`	The `CertificateAuthority`'s CA certificate and CRLs will be published in DER format.

Methods
`create`	Create a `CaPool`.
`delete`	Delete a `CaPool`.
`fetchCaCerts`	FetchCaCerts returns the current trust anchor for the `CaPool`.
`get`	Returns a `CaPool`.
`getIamPolicy`	Gets the access control policy for a resource.
`list`	Lists `CaPools`.
`patch`	Update a `CaPool`.
`setIamPolicy`	Sets the access control policy on the specified resource.
`testIamPermissions`	Returns permissions that a caller has on the specified resource.

REST Resource: projects.locations.caPools

Resource: CaPool

IssuancePolicy

AllowedKeyType

RsaKeyType

EcKeyType

EcSignatureAlgorithm

IssuanceModes

PublishingOptions

EncodingFormat

Methods

`create`

`delete`

`fetchCaCerts`

`get`

`getIamPolicy`

`list`

`patch`

`setIamPolicy`

`testIamPermissions`