REST Resource: projects.locations.certificateAuthorities

Resource: CertificateAuthority

A CertificateAuthority represents an individual Certificate Authority. A CertificateAuthority can be used to create Certificates.

JSON representation
{
  "name": string,
  "type": enum (Type),
  "tier": enum (Tier),
  "config": {
    object (CertificateConfig)
  },
  "lifetime": string,
  "keySpec": {
    object (KeyVersionSpec)
  },
  "certificatePolicy": {
    object (CertificateAuthorityPolicy)
  },
  "issuingOptions": {
    object (IssuingOptions)
  },
  "subordinateConfig": {
    object (SubordinateConfig)
  },
  "state": enum (State),
  "pemCaCertificates": [
    string
  ],
  "caCertificateDescriptions": [
    {
      object (CertificateDescription)
    }
  ],
  "gcsBucket": string,
  "accessUrls": {
    object (AccessUrls)
  },
  "createTime": string,
  "updateTime": string,
  "deleteTime": string,
  "labels": {
    string: string,
    ...
  }
}
Fields
name

string

Output only. The resource name for this CertificateAuthority in the format projects/*/locations/*/certificateAuthorities/*.

type

enum (Type)

Required. Immutable. The Type of this CertificateAuthority.

tier

enum (Tier)

Required. Immutable. The Tier of this CertificateAuthority.

config

object (CertificateConfig)

Required. Immutable. The config used to create a self-signed X.509 certificate or CSR.

lifetime

string (Duration format)

Required. The desired lifetime of the CA certificate. Used to create the "notBeforeTime" and "notAfterTime" fields inside an X.509 certificate.

A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s".

keySpec

object (KeyVersionSpec)

Required. Immutable. Used when issuing certificates for this CertificateAuthority. If this CertificateAuthority is a self-signed CertificateAuthority, this key is also used to sign the self-signed CA certificate. Otherwise, it is used to sign a CSR.

certificatePolicy

object (CertificateAuthorityPolicy)

Optional. The CertificateAuthorityPolicy to enforce when issuing Certificates from this CertificateAuthority.

issuingOptions

object (IssuingOptions)

Optional. The IssuingOptions to follow when issuing Certificates from this CertificateAuthority.

subordinateConfig

object (SubordinateConfig)

Optional. If this is a subordinate CertificateAuthority, this field will be set with the subordinate configuration, which describes its issuers. This may be updated, but this CertificateAuthority must continue to validate.

state

enum (State)

Output only. The State for this CertificateAuthority.

pemCaCertificates[]

string

Output only. This CertificateAuthority's certificate chain, including the current CertificateAuthority's certificate. Ordered such that the root issuer is the final element (consistent with RFC 5246). For a self-signed CA, this will only list the current CertificateAuthority's certificate.

caCertificateDescriptions[]

object (CertificateDescription)

Output only. A structured description of this CertificateAuthority's CA certificate and its issuers. Ordered as self-to-root.

gcsBucket

string

Immutable. The name of a Cloud Storage bucket where this CertificateAuthority will publish content, such as the CA certificate and CRLs. This must be a bucket name, without any prefixes (such as gs://) or suffixes (such as .googleapis.com). For example, to use a bucket named my-bucket, you would simply specify my-bucket. If not specified, a managed bucket will be created.

accessUrls

object (AccessUrls)

Output only. URLs for accessing content published by this CA, such as the CA certificate and CRLs.

createTime

string (Timestamp format)

Output only. The time at which this CertificateAuthority was created.

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

updateTime

string (Timestamp format)

Output only. The time at which this CertificateAuthority was updated.

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

deleteTime

string (Timestamp format)

Output only. The time at which this CertificateAuthority will be deleted, if scheduled for deletion.

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

labels

map (key: string, value: string)

Optional. Labels with user-defined metadata.

An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.

Type

The type of a CertificateAuthority, indicating its issuing chain.

Enums
TYPE_UNSPECIFIED Not specified.
SELF_SIGNED Self-signed CA.
SUBORDINATE Subordinate CA. Could be issued by a Private CA CertificateAuthority or an unmanaged CA.

Tier

The tier of a CertificateAuthority, indicating its supported functionality and/or billing SKU.

Enums
TIER_UNSPECIFIED Not specified.
ENTERPRISE Enterprise tier.
DEVOPS DevOps tier.

KeyVersionSpec

A Cloud KMS key configuration that a CertificateAuthority will use.

JSON representation
{

  // Union field KeyVersion can be only one of the following:
  "cloudKmsKeyVersion": string,
  "algorithm": enum (SignHashAlgorithm)
  // End of list of possible types for union field KeyVersion.
}
Fields

Union field KeyVersion.

KeyVersion can be only one of the following:

cloudKmsKeyVersion

string

Required. The resource name for an existing Cloud KMS CryptoKeyVersion in the format projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*. This option enables full flexibility in the key's capabilities and properties.

algorithm

enum (SignHashAlgorithm)

Required. The algorithm to use for creating a managed Cloud KMS key for a simplified experience. All managed keys will have their [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] set to HSM.

SignHashAlgorithm

The algorithm of a Cloud KMS CryptoKeyVersion of a [CryptoKey][google.cloud.kms.v1.CryptoKey] with the [CryptoKeyPurpose][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose] value ASYMMETRIC_SIGN. These values correspond to the [CryptoKeyVersionAlgorithm][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm] values. For RSA signing algorithms, the PSS algorithms should be preferred; use the PKCS1 algorithms if required for compatibility. For further recommendations, see https://cloud.google.com/kms/docs/algorithms#algorithm_recommendations.

Enums
SIGN_HASH_ALGORITHM_UNSPECIFIED Not specified.
RSA_PSS_2048_SHA256 maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PSS_2048_SHA256
RSA_PSS_3072_SHA256 maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PSS_3072_SHA256
RSA_PSS_4096_SHA256 maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PSS_4096_SHA256
RSA_PKCS1_2048_SHA256 maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_2048_SHA256
RSA_PKCS1_3072_SHA256 maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_3072_SHA256
RSA_PKCS1_4096_SHA256 maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_4096_SHA256
EC_P256_SHA256 maps to CryptoKeyVersionAlgorithm.EC_SIGN_P256_SHA256
EC_P384_SHA384 maps to CryptoKeyVersionAlgorithm.EC_SIGN_P384_SHA384

CertificateAuthorityPolicy

The issuing policy for a CertificateAuthority. Certificates will not be successfully issued from this CertificateAuthority if they violate the policy.

JSON representation
{
  "allowedLocationsAndOrganizations": [
    {
      object (Subject)
    }
  ],
  "allowedCommonNames": [
    string
  ],
  "allowedSans": {
    object (AllowedSubjectAltNames)
  },
  "maximumLifetime": string,
  "allowedIssuanceModes": {
    object (IssuanceModes)
  },

  // Union field config_policy can be only one of the following:
  "allowedConfigList": {
    object (AllowedConfigList)
  },
  "overwriteConfigValues": {
    object (ReusableConfigWrapper)
  }
  // End of list of possible types for union field config_policy.
}
Fields
allowedLocationsAndOrganizations[]

object (Subject)

Optional. If any Subject is specified here, then all Certificates issued by the CertificateAuthority must match at least one listed Subject. If a Subject has an empty field, any value will be allowed for that field.

allowedCommonNames[]

string

Optional. If any value is specified here, then all Certificates issued by the CertificateAuthority must match at least one listed value. If no value is specified, all values will be allowed for this field. Glob patterns are also supported.

allowedSans

object (AllowedSubjectAltNames)

Optional. If an AllowedSubjectAltNames is specified here, then all Certificates issued by the CertificateAuthority must match AllowedSubjectAltNames. If no value or an empty value is specified, any value will be allowed for the SubjectAltNames field.

maximumLifetime

string (Duration format)

Optional. The maximum lifetime allowed by the CertificateAuthority. Note that if any part of the issuing chain expires before a Certificate's requested lifetime, the effective lifetime will be explicitly truncated.

A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s".
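The Duration format above and the truncation rule for maximumLifetime interact when planning certificate lifetimes. The following Go program is an added example written for this page, not the service's implementation: it parses the API's strict seconds-with-fractional-digits duration string (rejecting forms that time.ParseDuration would accept, such as "1h") and then derives a certificate's effective notAfter. It reads the policy text as follows: a request longer than maximumLifetime violates the policy and is rejected (the CertificateAuthorityPolicy description states that violating certificates are not issued), while an issuing-chain certificate that expires earlier truncates notAfter. The function and type names are this example's own, and the dates are constructed.

```go
package main

import (
	"fmt"
	"math"
	"strconv"
	"strings"
	"time"
)

// parseAPIDuration parses the JSON Duration format used by lifetime and
// maximumLifetime: decimal seconds with at most nine fractional digits and a
// trailing 's' ("3.5s", "315360000s"). It is deliberately stricter than
// time.ParseDuration, which would also accept units the API does not ("1h").
func parseAPIDuration(s string) (time.Duration, error) {
	if !strings.HasSuffix(s, "s") {
		return 0, fmt.Errorf("duration %q must end in 's'", s)
	}
	whole, frac, dot := strings.Cut(strings.TrimSuffix(s, "s"), ".")
	secs, err := strconv.ParseUint(whole, 10, 64) // rejects "", signs and non-digits
	if err != nil || (dot && frac == "") || len(frac) > 9 || secs >= math.MaxInt64/uint64(time.Second) {
		return 0, fmt.Errorf("malformed or out-of-range duration %q", s)
	}
	var nanos uint64
	if frac != "" {
		// Right-pad the fraction to nine digits so "5" means 500 ms, not 5 ns.
		nanos, err = strconv.ParseUint(frac+strings.Repeat("0", 9-len(frac)), 10, 64)
		if err != nil {
			return 0, fmt.Errorf("malformed duration %q", s)
		}
	}
	return time.Duration(secs)*time.Second + time.Duration(nanos), nil
}

// Lifetime is the outcome of applying a CA's policy to a requested lifetime.
type Lifetime struct {
	NotAfter  time.Time
	Truncated bool // true when the issuing chain, not the request, set NotAfter
}

// effectiveLifetime applies the two rules read from the maximumLifetime
// description: a request longer than the policy maximum is a policy violation
// and is rejected, while a chain element expiring before the requested
// notAfter truncates the certificate's lifetime to that expiry.
func effectiveLifetime(notBefore time.Time, requested, maximum string, chainNotAfter []time.Time) (Lifetime, error) {
	req, err := parseAPIDuration(requested)
	if err != nil {
		return Lifetime{}, err
	}
	if maximum != "" {
		limit, err := parseAPIDuration(maximum)
		if err != nil {
			return Lifetime{}, err
		}
		if req > limit {
			return Lifetime{}, fmt.Errorf("requested lifetime %s exceeds maximumLifetime %s", requested, maximum)
		}
	}
	out := Lifetime{NotAfter: notBefore.Add(req)}
	for _, exp := range chainNotAfter {
		if exp.Before(out.NotAfter) {
			out.NotAfter, out.Truncated = exp, true
		}
	}
	return out, nil
}

func main() {
	// Constructed inputs: a 90-day request under a one-year policy maximum,
	// issued through a chain whose subordinate CA expires in 30 days.
	notBefore := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	chain := []time.Time{notBefore.AddDate(0, 0, 30), notBefore.AddDate(10, 0, 0)}
	lt, err := effectiveLifetime(notBefore, "7776000s", "31536000s", chain)
	fmt.Println(lt, err)
	_, err = effectiveLifetime(notBefore, "63072000s", "31536000s", chain)
	fmt.Println(err)
}
```

The truncated case is worth monitoring operationally: a leaf that silently receives a shorter lifetime than requested will expire earlier than the requesting system expects, so compare the returned notAfter against the requested lifetime rather than assuming the request was honoured.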

allowedIssuanceModes

object (IssuanceModes)

Optional. If specified, then only methods allowed in the IssuanceModes may be used to issue Certificates.

Union field config_policy. Allowed configurations or a single configuration for all issued certificates. config_policy can be only one of the following:
allowedConfigList

object (AllowedConfigList)

Optional. All Certificates issued by the CertificateAuthority must match at least one listed ReusableConfigWrapper in the list.

overwriteConfigValues

object (ReusableConfigWrapper)

Optional. All Certificates issued by the CertificateAuthority will use the provided configuration values, overwriting any requested configuration values.

AllowedConfigList

JSON representation
{
  "allowedConfigValues": [
    {
      object (ReusableConfigWrapper)
    }
  ]
}
Fields
allowedConfigValues[]

object (ReusableConfigWrapper)

Required. All Certificates issued by the CertificateAuthority must match at least one listed ReusableConfigWrapper. If a ReusableConfigWrapper has an empty field, any value will be allowed for that field.

AllowedSubjectAltNames

AllowedSubjectAltNames specifies the allowed values for SubjectAltNames by the CertificateAuthority when issuing Certificates.

JSON representation
{
  "allowedDnsNames": [
    string
  ],
  "allowedUris": [
    string
  ],
  "allowedEmailAddresses": [
    string
  ],
  "allowedIps": [
    string
  ],
  "allowGlobbingDnsWildcards": boolean,
  "allowCustomSans": boolean
}
Fields
allowedDnsNames[]

string

Optional. Contains valid, fully-qualified host names. Glob patterns are also supported. To allow an explicit wildcard certificate, escape the wildcard with a backslash (i.e. "\*"). E.g. for globbed entries: '*bar.com' will allow 'foo.bar.com', but not '*.bar.com', unless the allowGlobbingDnsWildcards field is set. E.g. for wildcard entries: '\*.bar.com' will allow '*.bar.com', but not 'foo.bar.com'.

allowedUris[]

string

Optional. Contains valid RFC 3986 URIs. Glob patterns are also supported. To match across path separators (i.e. '/') use the double star glob pattern (i.e. '**').

allowedEmailAddresses[]

string

Optional. Contains valid RFC 2822 E-mail addresses. Glob patterns are also supported.

allowedIps[]

string

Optional. Contains valid 32-bit IPv4 addresses and subnet ranges or RFC 4291 IPv6 addresses and subnet ranges. Subnet ranges are specified using the '/' notation (e.g. 10.0.0.0/8, 2001:700:300:1800::/64). Glob patterns are supported only for ip address entries (i.e. not for subnet ranges).

allowGlobbingDnsWildcards

boolean

Optional. Specifies if glob patterns used for allowedDnsNames allow wildcard certificates. If this is set, certificate requests with wildcard domains will be permitted to match a glob pattern specified in allowedDnsNames. Otherwise, certificate requests with wildcard domains will be permitted only if allowedDnsNames contains a literal wildcard.

allowCustomSans

boolean

Optional. Specifies whether to allow custom X509Extension values.
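The allowedDnsNames and allowGlobbingDnsWildcards rules above are easy to misread, so here is a small policy evaluator, written for this page as an added example (it is not Private CA's code, and the type and function names are made up), that implements the three cases the field descriptions distinguish: a backslash-escaped entry is a literal and must match exactly, a glob entry matches a wildcard request only when allowGlobbingDnsWildcards is set, and a plain entry must match exactly. It assumes DNS-name comparison is case-insensitive and that an empty allowedDnsNames admits everything, following the "no value or an empty value" rule stated for allowedSans.

```go
package main

import (
	"fmt"
	"strings"
)

// DnsNamePolicy holds the two AllowedSubjectAltNames fields this example
// exercises. It is a constructed type for illustration, not the API's own.
type DnsNamePolicy struct {
	AllowedDnsNames           []string
	AllowGlobbingDnsWildcards bool
}

// globMatch reports whether name matches pattern, where '*' matches any run
// of characters (including none). No other metacharacters are interpreted.
func globMatch(pattern, name string) bool {
	parts := strings.Split(pattern, "*")
	if len(parts) == 1 {
		return pattern == name
	}
	if !strings.HasPrefix(name, parts[0]) {
		return false
	}
	name = name[len(parts[0]):]
	last := parts[len(parts)-1]
	if !strings.HasSuffix(name, last) {
		return false
	}
	name = name[:len(name)-len(last)]
	for _, p := range parts[1 : len(parts)-1] {
		i := strings.Index(name, p)
		if i < 0 {
			return false
		}
		name = name[i+len(p):]
	}
	return true
}

// nameAllowed reports whether one requested dNSName is covered by at least
// one policy entry. DNS names are case-insensitive, so both sides are folded.
func (p DnsNamePolicy) nameAllowed(name string) bool {
	name = strings.ToLower(name)
	requestIsWildcard := strings.Contains(name, "*")
	for _, entry := range p.AllowedDnsNames {
		entry = strings.ToLower(entry)
		switch {
		case strings.Contains(entry, `\*`):
			// Backslash-escaped '*': the entry is a literal wildcard name and
			// must match the request exactly (`\*.bar.com` covers "*.bar.com").
			if strings.ReplaceAll(entry, `\*`, "*") == name {
				return true
			}
		case strings.Contains(entry, "*"):
			// Glob entry: a wildcard request may only match a glob when the
			// policy opts in with allowGlobbingDnsWildcards.
			if requestIsWildcard && !p.AllowGlobbingDnsWildcards {
				continue
			}
			if globMatch(entry, name) {
				return true
			}
		default:
			if entry == name {
				return true
			}
		}
	}
	return false
}

// Evaluate returns the requested dNSNames the policy rejects; an empty result
// means the request passes this part of the policy. An empty allowedDnsNames
// admits everything, mirroring the "no value or an empty value" rule.
func (p DnsNamePolicy) Evaluate(requested []string) []string {
	if len(p.AllowedDnsNames) == 0 {
		return nil
	}
	var rejected []string
	for _, n := range requested {
		if !p.nameAllowed(n) {
			rejected = append(rejected, n)
		}
	}
	return rejected
}

func main() {
	// Constructed policies and requests covering the documented cases.
	glob := DnsNamePolicy{AllowedDnsNames: []string{"*bar.com"}}
	fmt.Println(glob.Evaluate([]string{"foo.bar.com", "*.bar.com", "notbar.com"}))
	glob.AllowGlobbingDnsWildcards = true
	fmt.Println(glob.Evaluate([]string{"*.bar.com"}))
	literal := DnsNamePolicy{AllowedDnsNames: []string{`\*.bar.com`}}
	fmt.Println(literal.Evaluate([]string{"*.bar.com", "foo.bar.com"}))
}
```

One thing the evaluator makes visible: the page's glob example '*bar.com' also admits 'notbar.com', because the star is not anchored at a label boundary. When the intent is to constrain issuance to a subdomain, write the glob as '*.bar.com' and leave allowGlobbingDnsWildcards unset unless wildcard certificates are genuinely wanted.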

IssuanceModes

IssuanceModes specifies the allowed ways in which Certificates may be requested from this CertificateAuthority.

JSON representation
{
  "allowCsrBasedIssuance": boolean,
  "allowConfigBasedIssuance": boolean
}
Fields
allowCsrBasedIssuance

boolean

Required. When true, allows callers to create Certificates by specifying a CSR.

allowConfigBasedIssuance

boolean

Required. When true, allows callers to create Certificates by specifying a CertificateConfig.

IssuingOptions

Options that affect all certificates issued by a CertificateAuthority.

JSON representation
{
  "includeCaCertUrl": boolean,
  "includeCrlAccessUrl": boolean
}
Fields
includeCaCertUrl

boolean

Required. When true, includes a URL to the issuing CA certificate in the "authority information access" X.509 extension.

includeCrlAccessUrl

boolean

Required. When true, includes a URL to the CRL corresponding to certificates issued from a CertificateAuthority. CRLs will expire 7 days from their creation; however, they are rebuilt daily. CRLs are also rebuilt shortly after a certificate is revoked.

SubordinateConfig

Describes a subordinate CA's issuers. This is either a resource path to a known issuing CertificateAuthority, or a PEM issuer certificate chain.

JSON representation
{

  // Union field subordinate_config can be only one of the following:
  "certificateAuthority": string,
  "pemIssuerChain": {
    object (SubordinateConfigChain)
  }
  // End of list of possible types for union field subordinate_config.
}
Fields

Union field subordinate_config.

subordinate_config can be only one of the following:

certificateAuthority

string

Required. This can refer to a CertificateAuthority in the same project that was used to create a subordinate CertificateAuthority. This field is used for information and usability purposes only. The resource name is in the format projects/*/locations/*/certificateAuthorities/*.

pemIssuerChain

object (SubordinateConfigChain)

Required. Contains the PEM certificate chain for the issuers of this CertificateAuthority, but not the PEM certificate for this CA itself.

SubordinateConfigChain

This message describes a subordinate CA's issuer certificate chain. This wrapper exists for compatibility reasons.

JSON representation
{
  "pemCertificates": [
    string
  ]
}
Fields
pemCertificates[]

string

Required. Expected to be in leaf-to-root order according to RFC 5246.
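Both pemCaCertificates and pemCertificates are defined as leaf-to-root (RFC 5246 order), and supplying a chain root-first is an easy mistake to make when activating a subordinate CA. The following Go program, an added example written for this page rather than code from the API or its client libraries, builds a constructed root and subordinate CA pair, encodes them as PEM, and checks a bundle for that order: each certificate must be issued and signed by the one after it, and the last must be a self-signed root. The helper names are this example's own.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// verifyLeafToRoot parses a PEM bundle and checks the leaf-to-root order the
// API expects: each certificate is issued and signed by the one after it, and
// the final certificate is a self-signed root.
func verifyLeafToRoot(bundle []byte) error {
	var chain []*x509.Certificate
	for block, rest := pem.Decode(bundle); block != nil; block, rest = pem.Decode(rest) {
		if block.Type != "CERTIFICATE" {
			return fmt.Errorf("unexpected PEM block type %q", block.Type)
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return err
		}
		chain = append(chain, cert)
	}
	if len(chain) == 0 {
		return fmt.Errorf("bundle contains no certificates")
	}
	for i := 0; i+1 < len(chain); i++ {
		child, parent := chain[i], chain[i+1]
		if !bytes.Equal(child.RawIssuer, parent.RawSubject) {
			return fmt.Errorf("element %d is not issued by element %d", i, i+1)
		}
		if err := child.CheckSignatureFrom(parent); err != nil {
			return fmt.Errorf("element %d is not signed by element %d: %w", i, i+1, err)
		}
	}
	root := chain[len(chain)-1]
	if !bytes.Equal(root.RawIssuer, root.RawSubject) || root.CheckSignatureFrom(root) != nil {
		return fmt.Errorf("final element is not a self-signed root")
	}
	return nil
}

// must panics on error; the certificates below are constructed test data.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newCA issues a constructed CA certificate. With parent nil it is
// self-signed; otherwise it is signed by parentKey.
func newCA(serial int64, cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// sampleChains returns a constructed root + subordinate bundle in leaf-to-root
// order and, for contrast, the same two certificates reversed.
func sampleChains() (good, reversed []byte) {
	root, rootKey := newCA(1, "Example Root CA", nil, nil)
	sub, _ := newCA(2, "Example Subordinate CA", root, rootKey)
	encode := func(certs ...*x509.Certificate) []byte {
		var buf bytes.Buffer
		for _, c := range certs {
			pem.Encode(&buf, &pem.Block{Type: "CERTIFICATE", Bytes: c.Raw})
		}
		return buf.Bytes()
	}
	return encode(sub, root), encode(root, sub)
}

func main() {
	good, reversed := sampleChains()
	fmt.Println("leaf-to-root order:", verifyLeafToRoot(good))
	fmt.Println("root-to-leaf order:", verifyLeafToRoot(reversed))
}
```

Running the same check over the pemCaCertificates returned by get is a cheap way to confirm that a subordinate's published chain actually terminates in the root you expect before clients are pointed at it.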

State

The state of a CertificateAuthority, indicating if it can be used.

Enums
STATE_UNSPECIFIED Not specified.
ENABLED Certificates can be issued from this CA. CRLs will be generated for this CA.
DISABLED Certificates cannot be issued from this CA. CRLs will still be generated.
PENDING_ACTIVATION Certificates cannot be issued from this CA. CRLs will not be generated.
PENDING_DELETION Certificates cannot be issued from this CA. CRLs will not be generated.

AccessUrls

URLs where a CertificateAuthority will publish content.

JSON representation
{
  "caCertificateAccessUrl": string,
  "crlAccessUrl": string
}
Fields
caCertificateAccessUrl

string

The URL where this CertificateAuthority's CA certificate is published. This will only be set for CAs that have been activated.

crlAccessUrl

string

The URL where this CertificateAuthority's CRLs are published. This will only be set for CAs that have been activated.

Methods

activate

Activate a CertificateAuthority that is in state PENDING_ACTIVATION and is of type SUBORDINATE.

create

Create a new CertificateAuthority in a given Project and Location.

disable

Disable a CertificateAuthority.

enable

Enable a CertificateAuthority.

fetch

Fetch a certificate signing request (CSR) from a CertificateAuthority that is in state PENDING_ACTIVATION and is of type SUBORDINATE.

get

Returns a CertificateAuthority.

getIamPolicy

Gets the access control policy for a resource.

list

Lists CertificateAuthorities.

patch

Update a CertificateAuthority.

restore

Restore a CertificateAuthority that is scheduled for deletion.

scheduleDelete

Schedule a CertificateAuthority for deletion.

setIamPolicy

Sets the access control policy on the specified resource.

testIamPermissions

Returns permissions that a caller has on the specified resource.