- Resource: CertificateAuthority
- Type
- Tier
- KeyVersionSpec
- SignHashAlgorithm
- CertificateAuthorityPolicy
- AllowedConfigList
- AllowedSubjectAltNames
- IssuanceModes
- IssuingOptions
- SubordinateConfig
- SubordinateConfigChain
- State
- AccessUrls
- Methods
Resource: CertificateAuthority

A CertificateAuthority represents an individual Certificate Authority. A CertificateAuthority can be used to create Certificates.

| JSON representation |
|---|
| { "name": string, "type": enum ( |

| Field | Description |
|---|---|
| name | Output only. The resource name for this |
| type | Required. Immutable. The |
| tier | Required. Immutable. The |
| config | Required. Immutable. The config used to create a self-signed X.509 certificate or CSR. |
| lifetime | Required. The desired lifetime of the CA certificate. Used to create the "notBeforeTime" and "notAfterTime" fields inside an X.509 certificate. A duration in seconds with up to nine fractional digits, terminated by ' |
| keySpec | Required. Immutable. Used when issuing certificates for this |
| certificatePolicy | Optional. The |
| issuingOptions | Optional. The |
| subordinateConfig | Optional. If this is a subordinate |
| state | Output only. The |
| pemCaCertificates[] | Output only. This |
| caCertificateDescriptions[] | Output only. A structured description of this |
| gcsBucket | Immutable. The name of a Cloud Storage bucket where this |
| accessUrls | Output only. URLs for accessing content published by this CA, such as the CA certificate and CRLs. |
| createTime | Output only. The time at which this CertificateAuthority was created. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: |
| updateTime | Output only. The time at which this CertificateAuthority was updated. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: |
| deleteTime | Output only. The time at which this CertificateAuthority will be deleted. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: |
| labels | Optional. Labels with user-defined metadata. An object containing a list of |
Type

The type of a CertificateAuthority, indicating its issuing chain.

| Enum | Description |
|---|---|
| TYPE_UNSPECIFIED | Not specified. |
| SELF_SIGNED | Self-signed CA. |
| SUBORDINATE | Subordinate CA. Could be issued by a Private CA CertificateAuthority or an unmanaged CA. |
Tier

The tier of a CertificateAuthority, indicating its supported functionality and/or billing SKU.

| Enum | Description |
|---|---|
| TIER_UNSPECIFIED | Not specified. |
| ENTERPRISE | Enterprise tier. |
| DEVOPS | DevOps tier. |
KeyVersionSpec

A Cloud KMS key configuration that a CertificateAuthority will use.

| JSON representation |
|---|
| { // Union field |

| Field | Description |
|---|---|
| Union field. Only one of the following may be set: | |
| cloudKmsKeyVersion | Required. The resource name for an existing Cloud KMS CryptoKeyVersion in the format |
| algorithm | Required. The algorithm to use for creating a managed Cloud KMS key for a simplified experience. All managed keys will have their ProtectionLevel as |
SignHashAlgorithm

The algorithm of a Cloud KMS CryptoKeyVersion of a CryptoKey with the CryptoKeyPurpose value ASYMMETRIC_SIGN. These values correspond to the CryptoKeyVersionAlgorithm values. For RSA signing algorithms, the PSS algorithms should be preferred; use PKCS1 algorithms only if required for compatibility. For further recommendations, see https://cloud.google.com/kms/docs/algorithms#algorithm_recommendations.

| Enum | Description |
|---|---|
| SIGN_HASH_ALGORITHM_UNSPECIFIED | Not specified. |
| RSA_PSS_2048_SHA256 | maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PSS_2048_SHA256 |
| RSA_PSS_3072_SHA256 | maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PSS_3072_SHA256 |
| RSA_PSS_4096_SHA256 | maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PSS_4096_SHA256 |
| RSA_PKCS1_2048_SHA256 | maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_2048_SHA256 |
| RSA_PKCS1_3072_SHA256 | maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_3072_SHA256 |
| RSA_PKCS1_4096_SHA256 | maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_4096_SHA256 |
| EC_P256_SHA256 | maps to CryptoKeyVersionAlgorithm.EC_SIGN_P256_SHA256 |
| EC_P384_SHA384 | maps to CryptoKeyVersionAlgorithm.EC_SIGN_P384_SHA384 |
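An added example, not code from Google's client libraries, that checks a keySpec object before it is sent and derives the Cloud KMS algorithm name from a SignHashAlgorithm value. Every row of the table above maps a value to its CryptoKeyVersionAlgorithm by inserting _SIGN after the key family (RSA or EC), so the function applies that rule generally instead of hard-coding the table. The CryptoKeyVersion resource-name layout (projects/.../locations/.../keyRings/.../cryptoKeys/.../cryptoKeyVersions/...) is assumed from Cloud KMS because the page's own format string is truncated; to_kms_algorithm and validate_key_spec are hypothetical names.

```python
import re
from typing import Dict, List, Tuple

# Added example, not Google client-library code. The resource-name layout below is
# assumed from Cloud KMS (the page's own format string is truncated); the naming
# rule in to_kms_algorithm() is inferred from the SignHashAlgorithm table on this page.

# The usable SignHashAlgorithm values; SIGN_HASH_ALGORITHM_UNSPECIFIED is deliberately absent.
SIGN_HASH_ALGORITHMS = {
    "RSA_PSS_2048_SHA256", "RSA_PSS_3072_SHA256", "RSA_PSS_4096_SHA256",
    "RSA_PKCS1_2048_SHA256", "RSA_PKCS1_3072_SHA256", "RSA_PKCS1_4096_SHA256",
    "EC_P256_SHA256", "EC_P384_SHA384",
}

# projects/{project}/locations/{location}/keyRings/{ring}/cryptoKeys/{key}/cryptoKeyVersions/{version}
KMS_KEY_VERSION_RE = re.compile(
    r"projects/[^/]+/locations/[^/]+/keyRings/[^/]+/cryptoKeys/[^/]+/cryptoKeyVersions/[^/]+"
)


def to_kms_algorithm(sign_hash_algorithm: str) -> str:
    """Map a SignHashAlgorithm value to its CryptoKeyVersionAlgorithm name by inserting
    '_SIGN' after the key family: RSA_PSS_2048_SHA256 -> RSA_SIGN_PSS_2048_SHA256."""
    if sign_hash_algorithm not in SIGN_HASH_ALGORITHMS:
        raise ValueError(f"unknown SignHashAlgorithm: {sign_hash_algorithm!r}")
    family, rest = sign_hash_algorithm.split("_", 1)
    return f"{family}_SIGN_{rest}"


def validate_key_spec(key_spec: Dict[str, str]) -> Tuple[List[str], List[str]]:
    """Check a keySpec object. Returns (errors, advisories); the spec is usable only
    when errors is empty. Exactly one member of the union may be set."""
    errors, advisories = [], []
    members = [k for k in ("cloudKmsKeyVersion", "algorithm") if k in key_spec]
    if len(members) != 1:
        errors.append("keySpec must set exactly one of cloudKmsKeyVersion or algorithm")
        return errors, advisories
    if members[0] == "cloudKmsKeyVersion":
        if not KMS_KEY_VERSION_RE.fullmatch(key_spec["cloudKmsKeyVersion"]):
            errors.append("cloudKmsKeyVersion is not a CryptoKeyVersion resource name")
        return errors, advisories
    alg = key_spec["algorithm"]
    if alg not in SIGN_HASH_ALGORITHMS:
        errors.append(f"algorithm {alg!r} is not a SignHashAlgorithm value")
    elif "_PKCS1_" in alg:
        # The page recommends PSS over PKCS1 unless compatibility requires PKCS1.
        advisories.append(f"{alg} uses PKCS1 padding; prefer {alg.replace('_PKCS1_', '_PSS_')}")
    return errors, advisories
```

Run validate_key_spec on the keySpec you are about to submit; an advisory does not block creation, it only flags a PKCS1 choice that the page says should be justified by a compatibility need.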
CertificateAuthorityPolicy

The issuing policy for a CertificateAuthority. Certificates will not be successfully issued from this CertificateAuthority if they violate the policy.

| JSON representation |
|---|
| { "allowedLocationsAndOrganizations": [ { object ( |

| Field | Description |
|---|---|
| allowedLocationsAndOrganizations[] | Optional. If any |
| allowedCommonNames[] | Optional. If any value is specified here, then all |
| allowedSans | Optional. If a |
| maximumLifetime | Optional. The maximum lifetime allowed by the CertificateAuthority. A duration in seconds with up to nine fractional digits, terminated by ' |
| allowedIssuanceModes | Optional. If specified, then only methods allowed in the |
| Union field config_policy. Allowed configurations or a single configuration for all issued certificates. config_policy can be only one of the following: | |
| allowedConfigList | Optional. All |
| overwriteConfigValues | Optional. All |
AllowedConfigList

| JSON representation |
|---|
| { "allowedConfigValues": [ { object ( |

| Field | Description |
|---|---|
| allowedConfigValues[] | Required. All |
AllowedSubjectAltNames

AllowedSubjectAltNames specifies the allowed values for SubjectAltNames by the CertificateAuthority when issuing Certificates.

| JSON representation |
|---|
| { "allowedDnsNames": [ string ], "allowedUris": [ string ], "allowedEmailAddresses": [ string ], "allowedIps": [ string ], "allowGlobbingDnsWildcards": boolean, "allowCustomSans": boolean } |

| Field | Description |
|---|---|
| allowedDnsNames[] | Optional. Contains valid, fully-qualified host names. Glob patterns are also supported. To allow an explicit wildcard certificate, escape with a backslash (i.e. "\*"). E.g. for globbed entries: '*bar.com' will allow 'foo.bar.com', but not '*.bar.com', unless the |
| allowedUris[] | Optional. Contains valid RFC 3986 URIs. Glob patterns are also supported. To match across path separators (i.e. '/') use the double star glob pattern (i.e. '**'). |
| allowedEmailAddresses[] | Optional. Contains valid RFC 2822 E-mail addresses. Glob patterns are also supported. |
| allowedIps[] | Optional. Contains valid 32-bit IPv4 addresses and subnet ranges or RFC 4291 IPv6 addresses and subnet ranges. Subnet ranges are specified using the '/' notation (e.g. 10.0.0.0/8, 2001:700:300:1800::/64). Glob patterns are supported only for IP address entries (i.e. not for subnet ranges). |
| allowGlobbingDnsWildcards | Optional. Specifies if glob patterns used for |
| allowCustomSans | Optional. Specifies whether to allow custom X509Extension values. |
IssuanceModes

IssuanceModes specifies the allowed ways in which Certificates may be requested from this CertificateAuthority.

| JSON representation |
|---|
| { "allowCsrBasedIssuance": boolean, "allowConfigBasedIssuance": boolean } |

| Field | Description |
|---|---|
| allowCsrBasedIssuance | Required. When true, allows callers to create |
| allowConfigBasedIssuance | Required. When true, allows callers to create |
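The CertificateAuthorityPolicy, AllowedSubjectAltNames and IssuanceModes rules above, combined into one request checker. This is an added example written for this page, not the Private CA service's own enforcement code: Policy, Request, check_request and the helper functions are hypothetical names, the sample policy is constructed, and the Duration strings are parsed as seconds terminated by 's'. Two points are my reading of the page rather than its literal text: an empty allowed list for a SAN type rejects every SAN of that type, and a requested wildcard name ('*.bar.com') matches a glob entry only when allowGlobbingDnsWildcards is set (an escaped entry such as '\*.bar.com' names it explicitly). Email SANs are omitted; they follow the same glob rule as DNS names.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed illustration of the policy semantics on this page, not Private CA's own
# enforcement code. Policy, Request and the helpers are hypothetical names. Modelling
# choice: an empty allowed list for a SAN type rejects every SAN of that type.

def parse_duration(text: str) -> float:
    """Seconds from a Duration string ('3600s', '7776000.5s'): up to nine fractional digits, then 's'."""
    m = re.fullmatch(r"(\d+)(?:\.(\d{1,9}))?s", text)
    if not m:
        raise ValueError(f"malformed duration: {text!r}")
    whole, frac = m.groups()
    return int(whole) + (int(frac.ljust(9, "0")) / 1e9 if frac else 0.0)

def glob_to_regex(pattern: str, star: str):
    """'*' becomes `star`, '**' becomes '.*' (crosses '/'), and a backslash escapes the next char."""
    def tok(m):
        t = m.group(0)
        return ".*" if t == "**" else star if t == "*" else re.escape(t[-1])
    return re.compile(re.sub(r"\\.|\*\*|\*|.", tok, pattern, flags=re.S))

def dns_allowed(name: str, entries: List[str], allow_glob_wildcards: bool) -> bool:
    """'*bar.com' admits 'foo.bar.com'. A wildcard request ('*.bar.com') is admitted by a
    glob entry only when allowGlobbingDnsWildcards is set, or by an escaped literal entry."""
    for entry in entries:
        is_glob = re.search(r"(?<!\\)\*", entry) is not None
        if not glob_to_regex(entry, ".*").fullmatch(name):
            continue
        if "*" in name and is_glob and not allow_glob_wildcards:
            continue
        return True
    return False

def ip_allowed(addr: str, entries: List[str]) -> bool:
    """Entries are subnet ranges ('10.0.0.0/8', '2001:700:300:1800::/64') or globbed addresses."""
    ip = ipaddress.ip_address(addr)  # raises on malformed input
    for entry in entries:
        if "/" in entry:  # globs are not applied to subnet ranges
            if ip in ipaddress.ip_network(entry, strict=False):
                return True
        elif glob_to_regex(entry, ".*").fullmatch(str(ip)):
            return True
    return False

@dataclass
class Policy:
    maximum_lifetime: Optional[str] = None  # Duration string, e.g. "7776000s"
    allow_csr_based_issuance: bool = True
    allow_config_based_issuance: bool = True
    allowed_dns_names: List[str] = field(default_factory=list)
    allowed_uris: List[str] = field(default_factory=list)
    allowed_ips: List[str] = field(default_factory=list)
    allow_globbing_dns_wildcards: bool = False
    allow_custom_sans: bool = False

@dataclass
class Request:
    mode: str       # "csr" or "config"
    lifetime: str   # requested certificate lifetime as a Duration string
    dns_names: List[str] = field(default_factory=list)
    uris: List[str] = field(default_factory=list)
    ips: List[str] = field(default_factory=list)
    custom_sans: List[str] = field(default_factory=list)  # non-standard SAN values

def check_request(policy: Policy, req: Request) -> List[str]:
    """Return the policy violations; an empty list means the request may be issued."""
    v = []
    modes = {"csr": policy.allow_csr_based_issuance, "config": policy.allow_config_based_issuance}
    if not modes.get(req.mode, False):
        v.append(f"{req.mode}-based issuance is not allowed")
    if policy.maximum_lifetime and parse_duration(req.lifetime) > parse_duration(policy.maximum_lifetime):
        v.append(f"lifetime {req.lifetime} exceeds maximumLifetime {policy.maximum_lifetime}")
    for n in req.dns_names:
        if not dns_allowed(n, policy.allowed_dns_names, policy.allow_globbing_dns_wildcards):
            v.append(f"DNS SAN {n!r} not allowed")
    for u in req.uris:  # '*' stays inside one path segment; '**' crosses '/'
        if not any(glob_to_regex(p, "[^/]*").fullmatch(u) for p in policy.allowed_uris):
            v.append(f"URI SAN {u!r} not allowed")
    for a in req.ips:
        if not ip_allowed(a, policy.allowed_ips):
            v.append(f"IP SAN {a!r} not allowed")
    if req.custom_sans and not policy.allow_custom_sans:
        v.append("custom SAN values are not allowed")
    return v

# Constructed sample policy: 90-day maximum, CSR-only issuance, no wildcard globbing.
SAMPLE_POLICY = Policy(
    maximum_lifetime="7776000s",
    allow_config_based_issuance=False,
    allowed_dns_names=["*.internal.example.com", "\\*.wild.example.com"],
    allowed_uris=["spiffe://example.com/ns/prod/**"],
    allowed_ips=["10.0.0.0/8", "192.168.1.*", "2001:700:300:1800::/64"],
)
```

check_request(SAMPLE_POLICY, Request(mode="csr", lifetime="86400s", dns_names=["web.internal.example.com"])) returns an empty list; a config-mode request for a one-year wildcard certificate returns one entry per rule it breaks, which is the shape a pre-submission linter or an audit of existing issuance requests wants.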
IssuingOptions

Options that affect all certificates issued by a CertificateAuthority.

| JSON representation |
|---|
| { "includeCaCertUrl": boolean, "includeCrlAccessUrl": boolean } |

| Field | Description |
|---|---|
| includeCaCertUrl | Required. When true, includes a URL to the issuing CA certificate in the "authority information access" X.509 extension. |
| includeCrlAccessUrl | Required. When true, includes a URL to the CRL corresponding to certificates issued from a |
SubordinateConfig

Describes a subordinate CA's issuers. This is either a resource path to a known issuing CertificateAuthority, or a PEM issuer certificate chain.

| JSON representation |
|---|
| { // Union field |

| Field | Description |
|---|---|
| Union field. Only one of the following may be set: | |
| certificateAuthority | Required. This can refer to a |
| pemIssuerChain | Required. Contains the PEM certificate chain for the issuers of this |
SubordinateConfigChain

This message describes a subordinate CA's issuer certificate chain. This wrapper exists for compatibility reasons.

| JSON representation |
|---|
| { "pemCertificates": [ string ] } |

| Field | Description |
|---|---|
| pemCertificates[] | Required. Expected to be in leaf-to-root order according to RFC 5246. |
State

The state of a CertificateAuthority, indicating if it can be used.

| Enum | Description |
|---|---|
| STATE_UNSPECIFIED | Not specified. |
| ENABLED | Certificates can be issued from this CA. CRLs will be generated for this CA. |
| DISABLED | Certificates cannot be issued from this CA. CRLs will still be generated. |
| PENDING_ACTIVATION | Certificates cannot be issued from this CA. CRLs will not be generated. |
| PENDING_DELETION | Certificates cannot be issued from this CA. CRLs will not be generated. |
AccessUrls

URLs where a CertificateAuthority will publish content.

| JSON representation |
|---|
| { "caCertificateAccessUrl": string, "crlAccessUrl": string } |

| Field | Description |
|---|---|
| caCertificateAccessUrl | The URL where this |
| crlAccessUrl | The URL where this |
Methods

- Activate a CertificateAuthority that is in state PENDING_ACTIVATION and is of type SUBORDINATE.
- Create a new CertificateAuthority in a given Project and Location.
- Disable a CertificateAuthority.
- Enable a CertificateAuthority.
- Fetch a certificate signing request (CSR) from a CertificateAuthority that is in state PENDING_ACTIVATION and is of type SUBORDINATE.
- Returns a CertificateAuthority.
- Gets the access control policy for a resource.
- Lists CertificateAuthorities.
- Update a CertificateAuthority.
- Restore a CertificateAuthority that is scheduled for deletion.
- Schedule a CertificateAuthority for deletion.
- Sets the access control policy on the specified resource.
- Returns permissions that a caller has on the specified resource.