Package google.cloud.security.privateca.v1

string

Required. The resource name for this CertificateAuthority in the format projects/*/locations/*/caPools/*/certificateAuthorities/*.

Authorization requires the following IAM permission on the specified resource name:

• privateca.certificateAuthorities.update

string

Required. The signed CA certificate issued from FetchCertificateAuthorityCsrResponse.pem_csr.

SubordinateConfig

Required. Must include information about the issuer of 'pem_ca_certificate', and any further issuers until the self-signed CA.

string

Optional. An ID to identify requests. Specify a unique request ID so that if you must retry your request, the server will know to ignore the request if it has already been completed. The server will guarantee that for at least 60 minutes since the first request.

For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, will ignore the second request. This prevents clients from accidentally creating duplicate commitments.

The request ID must be a valid UUID with the exception that zero UUID is not supported (00000000-0000-0000-0000-000000000000).

string

Output only. The resource name for this CaPool in the format projects/*/locations/*/caPools/*.

Tier

Required. Immutable. The Tier of this CaPool.

IssuancePolicy

Optional. The IssuancePolicy to control how Certificates will be issued from this CaPool.

PublishingOptions

Optional. The PublishingOptions to follow when issuing Certificates from any CertificateAuthority in this CaPool.

map<string, string>

Optional. Labels with user-defined metadata.

AllowedKeyType

Optional. If any AllowedKeyType is specified, then the certificate request's public key must match one of the key types listed here. Otherwise, any key may be used.

Duration

Optional. The maximum lifetime allowed for issued Certificates. Note that if the issuing CertificateAuthority expires before a Certificate resource's requested maximum_lifetime, the effective lifetime will be explicitly truncated to match it.

IssuanceModes

Optional. If specified, then only methods allowed in the IssuanceModes may be used to issue Certificates.

X509Parameters

Optional. A set of X.509 values that will be applied to all certificates issued through this CaPool. If a certificate request includes conflicting values for the same properties, they will be overwritten by the values defined here. If a certificate request uses a CertificateTemplate that defines conflicting predefined_values for the same properties, the certificate issuance request will fail.

CertificateIdentityConstraints

Optional. Describes constraints on identities that may appear in Certificates issued through this CaPool. If this is omitted, then this CaPool will not add restrictions on a certificate's identity.

CertificateExtensionConstraints

Optional. Describes the set of X.509 extensions that may appear in a Certificate issued through this CaPool. If a certificate request sets extensions that don't appear in the passthrough_extensions, those extensions will be dropped. If a certificate request uses a CertificateTemplate with predefined_values that don't appear here, the certificate issuance request will fail. If this is omitted, then this CaPool will not add restrictions on a certificate's X.509 extensions. These constraints do not apply to X.509 extensions set in this CaPool's baseline_values.

RsaKeyType

Represents an allowed RSA key type.

EcKeyType

Represents an allowed Elliptic Curve key type.

EcSignatureAlgorithm

Optional. A signature algorithm that must be used. If this is omitted, any EC-based signature algorithm will be allowed.

int64

Optional. The minimum allowed RSA modulus size (inclusive), in bits. If this is not set, or if set to zero, the service-level min RSA modulus size will continue to apply.

int64

Optional. The maximum allowed RSA modulus size (inclusive), in bits. If this is not set, or if set to zero, the service will not enforce an explicit upper bound on RSA modulus sizes.

bool

Optional. When true, allows callers to create Certificates by specifying a CSR.

bool

Optional. When true, allows callers to create Certificates by specifying a CertificateConfig.

bool

Optional. When true, publishes each CertificateAuthority's CA certificate and includes its URL in the "Authority Information Access" X.509 extension in all issued Certificates. If this is false, the CA certificate will not be published and the corresponding X.509 extension will not be written in issued certificates.

bool

Optional. When true, publishes each CertificateAuthority's CRL and includes its URL in the "CRL Distribution Points" X.509 extension in all issued Certificates. If this is false, CRLs will not be published and the corresponding X.509 extension will not be written in issued certificates. CRLs will expire 7 days from their creation. However, we will rebuild daily. CRLs are also rebuilt shortly after a certificate is revoked.

EncodingFormat

Optional. Specifies the encoding format of each CertificateAuthority resource's CA certificate and CRLs. If this is omitted, CA certificates and CRLs will be published in PEM.

string

Output only. The resource name for this Certificate in the format projects/*/locations/*/caPools/*/certificates/*.

string

Output only. The resource name of the issuing CertificateAuthority in the format projects/*/locations/*/caPools/*/certificateAuthorities/*.

Duration

Required. Immutable. The desired lifetime of a certificate. Used to create the "not_before_time" and "not_after_time" fields inside an X.509 certificate. Note that the lifetime may be truncated if it would extend past the life of any certificate authority in the issuing chain.

string

Immutable. The resource name for a CertificateTemplate used to issue this certificate, in the format projects/*/locations/*/certificateTemplates/*. If this is specified, the caller must have the necessary permission to use this template. If this is omitted, no template will be used. This template must be in the same location as the Certificate.

SubjectRequestMode

Immutable. Specifies how the Certificate's identity fields are to be decided. If this is omitted, the DEFAULT subject mode will be used.

RevocationDetails

Output only. Details regarding the revocation of this Certificate. This Certificate is considered revoked if and only if this field is present.

string

Output only. The pem-encoded, signed X.509 certificate.

CertificateDescription

Output only. A structured description of the issued X.509 certificate.

string

Output only. The chain that may be used to verify the X.509 certificate. Expected to be in issuer-to-root order according to RFC 5246.

Timestamp

Output only. The time at which this Certificate was created.

Timestamp

Output only. The time at which this Certificate was updated.

map<string, string>

Optional. Labels with user-defined metadata.

string

Immutable. A pem-encoded X.509 certificate signing request (CSR).

CertificateConfig

Immutable. A description of the certificate and key that does not require X.509 or ASN.1.

RevocationReason

Indicates why a Certificate was revoked.

Timestamp

The time at which this Certificate was revoked.

string

Output only. The resource name for this CertificateAuthority in the format projects/*/locations/*/caPools/*/certificateAuthorities/*.

Type

Required. Immutable. The Type of this CertificateAuthority.

CertificateConfig

Required. Immutable. The config used to create a self-signed X.509 certificate or CSR.

Duration

Required. Immutable. The desired lifetime of the CA certificate. Used to create the "not_before_time" and "not_after_time" fields inside an X.509 certificate.

KeyVersionSpec

Required. Immutable. Used when issuing certificates for this CertificateAuthority. If this CertificateAuthority is a self-signed CertificateAuthority, this key is also used to sign the self-signed CA certificate. Otherwise, it is used to sign a CSR.

SubordinateConfig

Optional. If this is a subordinate CertificateAuthority, this field will be set with the subordinate configuration, which describes its issuers. This may be updated, but this CertificateAuthority must continue to validate.

Tier

Output only. The CaPool.Tier of the CaPool that includes this CertificateAuthority.

State

Output only. The State for this CertificateAuthority.

string

Output only. This CertificateAuthority's certificate chain, including the current CertificateAuthority's certificate. Ordered such that the root issuer is the final element (consistent with RFC 5246). For a self-signed CA, this will only list the current CertificateAuthority's certificate.

CertificateDescription

Output only. A structured description of this CertificateAuthority's CA certificate and its issuers. Ordered as self-to-root.

string

Immutable. The name of a Cloud Storage bucket where this CertificateAuthority will publish content, such as the CA certificate and CRLs. This must be a bucket name, without any prefixes (such as gs://) or suffixes (such as .googleapis.com). For example, to use a bucket named my-bucket, you would simply specify my-bucket. If not specified, a managed bucket will be created.

AccessUrls

Output only. URLs for accessing content published by this CA, such as the CA certificate and CRLs.

Timestamp

Output only. The time at which this CertificateAuthority was created.

Timestamp

Output only. The time at which this CertificateAuthority was last updated.

Timestamp

Output only. The time at which this CertificateAuthority was soft deleted, if it is in the DELETED state.

Timestamp

Output only. The time at which this CertificateAuthority will be permanently purged, if it is in the DELETED state.

map<string, string>

Optional. Labels with user-defined metadata.

string

The URL where this CertificateAuthority's CA certificate is published. This will only be set for CAs that have been activated.

string

The URLs where this CertificateAuthority's CRLs are published. This will only be set for CAs that have been activated.

string

The resource name for an existing Cloud KMS CryptoKeyVersion in the format projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*. This option enables full flexibility in the key's capabilities and properties.

SignHashAlgorithm

The algorithm to use for creating a managed Cloud KMS key for a for a simplified experience. All managed keys will be have their [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] as HSM.

SubjectConfig

Required. Specifies some of the values in a certificate that are related to the subject.

X509Parameters

Required. Describes how some of the technical X.509 fields in a certificate should be populated.

PublicKey

Optional. The public key that corresponds to this config. This is, for example, used when issuing Certificates, but not when creating a self-signed CertificateAuthority or CertificateAuthority CSR.

KeyId

Optional. When specified this provides a custom SKI to be used in the certificate. This should only be used to maintain a SKI of an existing CA originally created outside CA service, which was not generated using method (1) described in RFC 5280 section 4.2.1.2.

string

Required. The value of this KeyId encoded in lowercase hexadecimal. This is most likely the 160 bit SHA-1 hash of the public key.

Subject

Optional. Contains distinguished name fields such as the common name, location and organization.

SubjectAltNames

Optional. The subject alternative name fields.

SubjectDescription

Describes some of the values in a certificate that are related to the subject and lifetime.

X509Parameters

Describes some of the technical X.509 fields in a certificate.

PublicKey

The public key that corresponds to an issued certificate.

KeyId

Provides a means of identifiying certificates that contain a particular public key, per https://tools.ietf.org/html/rfc5280#section-4.2.1.2.

KeyId

Identifies the subject_key_id of the parent certificate, per https://tools.ietf.org/html/rfc5280#section-4.2.1.1

string

Describes a list of locations to obtain CRL information, i.e. the DistributionPoint.fullName described by https://tools.ietf.org/html/rfc5280#section-4.2.1.13

string

Describes lists of issuer CA certificate URLs that appear in the "Authority Information Access" extension in the certificate.

CertificateFingerprint

The hash of the x.509 certificate.

string

The SHA 256 hash, encoded in hexadecimal, of the DER x509 certificate.

string

Optional. The value of this KeyId encoded in lowercase hexadecimal. This is most likely the 160 bit SHA-1 hash of the public key.

Subject

Contains distinguished name fields such as the common name, location and / organization.

SubjectAltNames

The subject alternative name fields.

string

The serial number encoded in lowercase hexadecimal.

Duration

For convenience, the actual lifetime of an issued certificate.

Timestamp

The time at which the certificate becomes valid.

Timestamp

The time after which the certificate is expired. Per RFC 5280, the validity period for a certificate is the period of time from not_before_time through not_after_time, inclusive. Corresponds to 'not_before_time' + 'lifetime' - 1 second.

KnownCertificateExtension

Optional. A set of named X.509 extensions. Will be combined with additional_extensions to determine the full set of X.509 extensions.

ObjectId

Optional. A set of ObjectIds identifying custom X.509 extensions. Will be combined with known_extensions to determine the full set of X.509 extensions.

Expr

Optional. A CEL expression that may be used to validate the resolved X.509 Subject and/or Subject Alternative Name before a certificate is signed. To see the full allowed syntax and some examples, see https://cloud.google.com/certificate-authority-service/docs/using-cel

bool

Required. If this is true, the Subject field may be copied from a certificate request into the signed certificate. Otherwise, the requested Subject will be discarded.

bool

Required. If this is true, the SubjectAltNames extension may be copied from a certificate request into the signed certificate. Otherwise, the requested SubjectAltNames will be discarded.

string

Output only. The resource name for this CertificateRevocationList in the format projects/*/locations/*/caPools/*certificateAuthorities/*/ certificateRevocationLists/*.

int64

Output only. The CRL sequence number that appears in pem_crl.

RevokedCertificate

Output only. The revoked serial numbers that appear in pem_crl.

string

Output only. The PEM-encoded X.509 CRL.

string

Output only. The location where 'pem_crl' can be accessed.

State

Output only. The State for this CertificateRevocationList.

Timestamp

Output only. The time at which this CertificateRevocationList was created.

Timestamp

Output only. The time at which this CertificateRevocationList was updated.

string

Output only. The revision ID of this CertificateRevocationList. A new revision is committed whenever a new CRL is published. The format is an 8-character hexadecimal string.

map<string, string>

Optional. Labels with user-defined metadata.

string

The resource name for the Certificate in the format projects/*/locations/*/caPools/*/certificates/*.

string

The serial number of the Certificate.

RevocationReason

The reason the Certificate was revoked.

string

Output only. The resource name for this CertificateTemplate in the format projects/*/locations/*/certificateTemplates/*.

Duration

Optional. The maximum lifetime allowed for issued Certificates that use this template. If the issuing CaPool resource's IssuancePolicy specifies a maximum_lifetime the minimum of the two durations will be the maximum lifetime for issued Certificates. Note that if the issuing CertificateAuthority expires before a Certificate's requested maximum_lifetime, the effective lifetime will be explicitly truncated to match it.

X509Parameters

Optional. A set of X.509 values that will be applied to all issued certificates that use this template. If the certificate request includes conflicting values for the same properties, they will be overwritten by the values defined here. If the issuing CaPool's IssuancePolicy defines conflicting baseline_values for the same properties, the certificate issuance request will fail.

CertificateIdentityConstraints

Optional. Describes constraints on identities that may be appear in Certificates issued using this template. If this is omitted, then this template will not add restrictions on a certificate's identity.

CertificateExtensionConstraints

Optional. Describes the set of X.509 extensions that may appear in a Certificate issued using this CertificateTemplate. If a certificate request sets extensions that don't appear in the passthrough_extensions, those extensions will be dropped. If the issuing CaPool's IssuancePolicy defines baseline_values that don't appear here, the certificate issuance request will fail. If this is omitted, then this template will not add restrictions on a certificate's X.509 extensions. These constraints do not apply to X.509 extensions set in this CertificateTemplate's predefined_values.

string

Optional. A human-readable description of scenarios this template is intended for.

Timestamp

Output only. The time at which this CertificateTemplate was created.

Timestamp

Output only. The time at which this CertificateTemplate was updated.

map<string, string>

Optional. Labels with user-defined metadata.

string

Required. The resource name of the location associated with the CaPool, in the format projects/*/locations/*.

Authorization requires the following IAM permission on the specified resource parent:

• privateca.caPools.create

string

Required. It must be unique within a location and match the regular expression [a-zA-Z0-9_-]{1,63}

CaPool

Required. A CaPool with initial field values.

string

Optional. An ID to identify requests. Specify a unique request ID so that if you must retry your request, the server will know to ignore the request if it has already been completed. The server will guarantee that for at least 60 minutes since the first request.

For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, will ignore the second request. This prevents clients from accidentally creating duplicate commitments.

The request ID must be a valid UUID with the exception that zero UUID is not supported (00000000-0000-0000-0000-000000000000).

string

Required. The resource name of the CaPool associated with the CertificateAuthorities, in the format projects/*/locations/*/caPools/*.

Authorization requires the following IAM permission on the specified resource parent:

• privateca.certificateAuthorities.create

string

Required. It must be unique within a location and match the regular expression [a-zA-Z0-9_-]{1,63}

CertificateAuthority

Required. A CertificateAuthority with initial field values.

string

Optional. An ID to identify requests. Specify a unique request ID so that if you must retry your request, the server will know to ignore the request if it has already been completed. The server will guarantee that for at least 60 minutes since the first request.

For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, will ignore the second request. This prevents clients from accidentally creating duplicate commitments.

The request ID must be a valid UUID with the exception that zero UUID is not supported (00000000-0000-0000-0000-000000000000).

string

Required. The resource name of the CaPool associated with the Certificate, in the format projects/*/locations/*/caPools/*.

Authorization requires one or more of the following IAM permissions on the specified resource parent:

• privateca.certificates.create
• privateca.certificates.createForSelf

string

Optional. It must be unique within a location and match the regular expression [a-zA-Z0-9_-]{1,63}. This field is required when using a CertificateAuthority in the Enterprise [CertificateAuthority.Tier][], but is optional and its value is ignored otherwise.

Certificate

Required. A Certificate with initial field values.

string

Optional. An ID to identify requests. Specify a unique request ID so that if you must retry your request, the server will know to ignore the request if it has already been completed. The server will guarantee that for at least 60 minutes since the first request.

For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, will ignore the second request. This prevents clients from accidentally creating duplicate commitments.

The request ID must be a valid UUID with the exception that zero UUID is not supported (00000000-0000-0000-0000-000000000000).

bool

Optional. If this is true, no Certificate resource will be persisted regardless of the CaPool's tier, and the returned Certificate will not contain the pem_certificate field.

string

Optional. The resource ID of the CertificateAuthority that should issue the certificate. This optional field will ignore the load-balancing scheme of the Pool and directly issue the certificate from the CA with the specified ID, contained in the same CaPool referenced by parent. Per-CA quota rules apply. If left empty, a CertificateAuthority will be chosen from the CaPool by the service. For example, to issue a Certificate from a Certificate Authority with resource name "projects/my-project/locations/us-central1/caPools/my-pool/certificateAuthorities/my-ca", you can set the parent to "projects/my-project/locations/us-central1/caPools/my-pool" and the issuing_certificate_authority_id to "my-ca".

string

Required. The resource name of the location associated with the CertificateTemplate, in the format projects/*/locations/*.

Authorization requires the following IAM permission on the specified resource parent:

• privateca.certificateTemplates.create

string

Required. It must be unique within a location and match the regular expression [a-zA-Z0-9_-]{1,63}

CertificateTemplate

Required. A CertificateTemplate with initial field values.

string

Optional. An ID to identify requests. Specify a unique request ID so that if you must retry your request, the server will know to ignore the request if it has already been completed. The server will guarantee that for at least 60 minutes since the first request.

For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, will ignore the second request. This prevents clients from accidentally creating duplicate commitments.

The request ID must be a valid UUID with the exception that zero UUID is not supported (00000000-0000-0000-0000-000000000000).

string

Required. The resource name for this CaPool in the format projects/*/locations/*/caPools/*.

Authorization requires the following IAM permission on the specified resource name:

• privateca.caPools.delete

string

Optional. An ID to identify requests. Specify a unique request ID so that if you must retry your request, the server will know to ignore the request if it has already been completed. The server will guarantee that for at least 60 minutes since the first request.

For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, will ignore the second request. This prevents clients from accidentally creating duplicate commitments.

The request ID must be a valid UUID with the exception that zero UUID is not supported (00000000-0000-0000-0000-000000000000).

bool

Optional. This field allows this pool to be deleted even if it's being depended on by another resource. However, doing so may result in unintended and unrecoverable effects on any dependent resources since the pool will no longer be able to issue certificates.

string

Required. The resource name for this CertificateAuthority in the format projects/*/locations/*/caPools/*/certificateAuthorities/*.

Authorization requires the following IAM permission on the specified resource name:

• privateca.certificateAuthorities.delete

string

Optional. An ID to identify requests. Specify a unique request ID so that if you must retry your request, the server will know to ignore the request if it has already been completed. The server will guarantee that for at least 60 minutes since the first request.

For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, will ignore the second request. This prevents clients from accidentally creating duplicate commitments.

The request ID must be a valid UUID with the exception that zero UUID is not supported (00000000-0000-0000-0000-000000000000).

bool

Optional. This field allows the CA to be deleted even if the CA has active certs. Active certs include both unrevoked and unexpired certs.

bool

Optional. If this flag is set, the Certificate Authority will be deleted as soon as possible without a 30-day grace period where undeletion would have been allowed. If you proceed, there will be no way to recover this CA.

bool

Optional. This field allows this CA to be deleted even if it's being depended on by another resource. However, doing so may result in unintended and unrecoverable effects on any dependent resources since the CA will no longer be able to issue certificates.

string

Required. The resource name for this CertificateTemplate in the format projects/*/locations/*/certificateTemplates/*.

Authorization requires the following IAM permission on the specified resource name:

• privateca.certificateTemplates.delete

string

Optional. An ID to identify requests. Specify a unique request ID so that if you must retry your request, the server will know to ignore the request if it has already been completed. The server will guarantee that for at least 60 minutes since the first request.

For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, will ignore the second request. This prevents clients from accidentally creating duplicate commitments.

The request ID must be a valid UUID with the exception that zero UUID is not supported (00000000-0000-0000-0000-000000000000).

string

Required. The resource name for this CertificateAuthority in the format projects/*/locations/*/caPools/*/certificateAuthorities/*.

Authorization requires the following IAM permission on the specified resource name:

• privateca.certificateAuthorities.update

string

Optional. An ID to identify requests. Specify a unique request ID so that if you must retry your request, the server will know to ignore the request if it has already been completed. The server will guarantee that for at least 60 minutes since the first request.

For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, will ignore the second request. This prevents clients from accidentally creating duplicate commitments.

The request ID must be a valid UUID with the exception that zero UUID is not supported (00000000-0000-0000-0000-000000000000).

bool

Optional. This field allows this CA to be disabled even if it's being depended on by another resource. However, doing so may result in unintended and unrecoverable effects on any dependent resources since the CA will no longer be able to issue certificates.

string

Required. The resource name for this CertificateAuthority in the format projects/*/locations/*/caPools/*/certificateAuthorities/*.

Authorization requires the following IAM permission on the specified resource name:

• privateca.certificateAuthorities.update

string

Optional. An ID to identify requests. Specify a unique request ID so that if you must retry your request, the server will know to ignore the request if it has already been completed. The server will guarantee that for at least 60 minutes since the first request.

For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, will ignore the second request. This prevents clients from accidentally creating duplicate commitments.

The request ID must be a valid UUID with the exception that zero UUID is not supported (00000000-0000-0000-0000-000000000000).

string

Required. The resource name for the CaPool in the format projects/*/locations/*/caPools/*.

Authorization requires the following IAM permission on the specified resource caPool:

• privateca.caPools.get

string

Optional. An ID to identify requests. Specify a unique request ID so that if you must retry your request, the server will know to ignore the request if it has already been completed. The server will guarantee that for at least 60 minutes since the first request.

For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, will ignore the second request. This prevents clients from accidentally creating duplicate commitments.

The request ID must be a valid UUID with the exception that zero UUID is not supported (00000000-0000-0000-0000-000000000000).

CertChain

The PEM encoded CA certificate chains of all certificate authorities in this CaPool in the ENABLED, DISABLED, or STAGED states.

string

The certificates that form the CA chain, from leaf to root order.

string

Required. The resource name for this CertificateAuthority in the format projects/*/locations/*/caPools/*/certificateAuthorities/*.

Authorization requires the following IAM permission on the specified resource name:

• privateca.certificateAuthorities.get

string

Output only. The PEM-encoded signed certificate signing request (CSR).

string

Required. The name of the CaPool to get.

Authorization requires the following IAM permission on the specified resource name:

• privateca.caPools.get

string

Required. The name of the CertificateAuthority to get.

Authorization requires the following IAM permission on the specified resource name:

• privateca.certificateAuthorities.get

string

Required. The name of the Certificate to get.

Authorization requires the following IAM permission on the specified resource name:

• privateca.certificates.get

string

Required. The name of the CertificateRevocationList to get.

Authorization requires the following IAM permission on the specified resource name:

• privateca.certificateRevocationLists.get

string

Required. The name of the CertificateTemplate to get.

Authorization requires the following IAM permission on the specified resource name:

• privateca.certificateTemplates.get

KeyUsageOptions

Describes high-level ways in which a key may be used.

ExtendedKeyUsageOptions

Detailed scenarios in which a key may be used.

ObjectId

Used to describe extended key usages that are not listed in the KeyUsage.ExtendedKeyUsageOptions message.

bool

Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as "TLS WWW server authentication", though regularly used for non-WWW TLS.

bool

Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as "TLS WWW client authentication", though regularly used for non-WWW TLS.

bool

Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as "Signing of downloadable executable code client authentication".

bool

Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as "Email protection".

bool

Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as "Binding the hash of an object to a time".

bool

Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as "Signing OCSP responses".

bool

The key may be used for digital signatures.

bool

The key may be used for cryptographic commitments. Note that this may also be referred to as "non-repudiation".

bool

The key may be used to encipher other keys.

bool

The key may be used to encipher data.

bool

The key may be used in a key agreement protocol.

bool

The key may be used to sign certificates.

bool

The key may be used sign certificate revocation lists.

bool

The key may be used to encipher only.

bool

The key may be used to decipher only.

string

Required. The resource name of the location associated with the CaPools, in the format projects/*/locations/*.

Authorization requires the following IAM permission on the specified resource parent:

• privateca.caPools.list

int32

Optional. Limit on the number of CaPools to include in the response. Further CaPools can subsequently be obtained by including the ListCaPoolsResponse.next_page_token in a subsequent request. If unspecified, the server will pick an appropriate default.

string

Optional. Pagination token, returned earlier via ListCaPoolsResponse.next_page_token.

string

Optional. Only include resources that match the filter in the response.

string

Optional. Specify how the results should be sorted.

CaPool

The list of CaPools.

string

A token to retrieve next page of results. Pass this value in [ListCertificateAuthoritiesRequest.next_page_token][] to retrieve the next page of results.

string

A list of locations (e.g. "us-west1") that could not be reached.

string

Required. The resource name of the CaPool associated with the CertificateAuthorities, in the format projects/*/locations/*/caPools/*.

Authorization requires the following IAM permission on the specified resource parent:

• privateca.certificateAuthorities.list

int32

Optional. Limit on the number of CertificateAuthorities to include in the response. Further CertificateAuthorities can subsequently be obtained by including the ListCertificateAuthoritiesResponse.next_page_token in a subsequent request. If unspecified, the server will pick an appropriate default.

string

Optional. Pagination token, returned earlier via ListCertificateAuthoritiesResponse.next_page_token.

string

Optional. Only include resources that match the filter in the response.

string

Optional. Specify how the results should be sorted.

CertificateAuthority

The list of CertificateAuthorities.

string

A token to retrieve next page of results. Pass this value in [ListCertificateAuthoritiesRequest.next_page_token][] to retrieve the next page of results.

string

A list of locations (e.g. "us-west1") that could not be reached.

string

Required. The resource name of the location associated with the CertificateRevocationLists, in the format projects/*/locations/*/caPools/*/certificateAuthorities/*.

Authorization requires the following IAM permission on the specified resource parent:

• privateca.certificateRevocationLists.list

int32

Optional. Limit on the number of CertificateRevocationLists to include in the response. Further CertificateRevocationLists can subsequently be obtained by including the ListCertificateRevocationListsResponse.next_page_token in a subsequent request. If unspecified, the server will pick an appropriate default.

string

Optional. Pagination token, returned earlier via ListCertificateRevocationListsResponse.next_page_token.

string

Optional. Only include resources that match the filter in the response.

string

Optional. Specify how the results should be sorted.

CertificateRevocationList

The list of CertificateRevocationLists.

string

A token to retrieve next page of results. Pass this value in [ListCertificateRevocationListsRequest.next_page_token][] to retrieve the next page of results.

string

A list of locations (e.g. "us-west1") that could not be reached.

string

Required. The resource name of the location associated with the CertificateTemplates, in the format projects/*/locations/*.

Authorization requires the following IAM permission on the specified resource parent:

• privateca.certificateTemplates.list

int32

Optional. Limit on the number of CertificateTemplates to include in the response. Further CertificateTemplates can subsequently be obtained by including the ListCertificateTemplatesResponse.next_page_token in a subsequent request. If unspecified, the server will pick an appropriate default.

string

Optional. Pagination token, returned earlier via ListCertificateTemplatesResponse.next_page_token.

string

Optional. Only include resources that match the filter in the response.

string

Optional. Specify how the results should be sorted.

CertificateTemplate

The list of CertificateTemplates.

string

A token to retrieve next page of results. Pass this value in [ListCertificateTemplatesRequest.next_page_token][] to retrieve the next page of results.

string

A list of locations (e.g. "us-west1") that could not be reached.

string

Required. The resource name of the location associated with the Certificates, in the format projects/*/locations/*/caPools/*.

Authorization requires the following IAM permission on the specified resource parent:

• privateca.certificates.list

int32

Optional. Limit on the number of Certificates to include in the response. Further Certificates can subsequently be obtained by including the ListCertificatesResponse.next_page_token in a subsequent request. If unspecified, the server will pick an appropriate default.

string

Optional. Pagination token, returned earlier via ListCertificatesResponse.next_page_token.

string

Optional. Only include resources that match the filter in the response. For details on supported filters and syntax, see Certificates Filtering documentation.

string

Optional. Specify how the results should be sorted. For details on supported fields and syntax, see Certificates Sorting documentation.

Certificate

The list of Certificates.

string

A token to retrieve next page of results. Pass this value in [ListCertificatesRequest.next_page_token][] to retrieve the next page of results.

string

A list of locations (e.g. "us-west1") that could not be reached.

int32

Required. The parts of an OID path. The most significant parts of the path come first.

Timestamp

Output only. The time the operation was created.

Timestamp

Output only. The time the operation finished running.

string

Output only. Server-defined resource path for the target of the operation.

string

Output only. Name of the verb executed by the operation.

string

Output only. Human-readable status of the operation, if any.

bool

Output only. Identifies whether the user has requested cancellation of the operation. Operations that have successfully been cancelled have [Operation.error][] value with a google.rpc.Status.code of 1, corresponding to Code.CANCELLED.

string

Output only. API version used to start the operation.

bytes

Required. A public key. The padding and encoding must match with the KeyFormat value specified for the format field.

KeyFormat

Required. The format of the public key.

string

Required. The resource name for this Certificate in the format projects/*/locations/*/caPools/*/certificates/*.

Authorization requires the following IAM permission on the specified resource name:

• privateca.certificates.update

RevocationReason

Required. The RevocationReason for revoking this certificate.

string

Optional. An ID to identify requests. Specify a unique request ID so that if you must retry your request, the server will know to ignore the request if it has already been completed. The server will guarantee that for at least 60 minutes since the first request.

For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, will ignore the second request. This prevents clients from accidentally creating duplicate commitments.

The request ID must be a valid UUID with the exception that zero UUID is not supported (00000000-0000-0000-0000-000000000000).

string

The "common name" of the subject.

string

The country code of the subject.

string

The organization of the subject.

string

The organizational_unit of the subject.

string

The locality or city of the subject.

string

The province, territory, or regional state of the subject.

string

The street address of the subject.

string

The postal code of the subject.

string

Contains only valid, fully-qualified host names.

string

Contains only valid RFC 3986 URIs.

string

Contains only valid RFC 2822 E-mail addresses.

string

Contains only valid 32-bit IPv4 addresses or RFC 4291 IPv6 addresses.

X509Extension

Contains additional subject alternative name values. For each custom_san, the value field must contain an ASN.1 encoded UTF8String.

string

Required. This can refer to a CertificateAuthority that was used to create a subordinate CertificateAuthority. This field is used for information and usability purposes only. The resource name is in the format projects/*/locations/*/caPools/*/certificateAuthorities/*.

SubordinateConfigChain

Required. Contains the PEM certificate chain for the issuers of this CertificateAuthority, but not pem certificate for this CA itself.

string

Required. Expected to be in leaf-to-root order according to RFC 5246.

string

Required. The resource name for this CertificateAuthority in the format projects/*/locations/*/caPools/*/certificateAuthorities/*.

Authorization requires the following IAM permission on the specified resource name:

• privateca.certificateAuthorities.update

string

Optional. An ID to identify requests. Specify a unique request ID so that if you must retry your request, the server will know to ignore the request if it has already been completed. The server will guarantee that for at least 60 minutes since the first request.

For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, will ignore the second request. This prevents clients from accidentally creating duplicate commitments.

The request ID must be a valid UUID with the exception that zero UUID is not supported (00000000-0000-0000-0000-000000000000).

CaPool

Required. CaPool with updated values.

Authorization requires the following IAM permission on the specified resource caPool:

• privateca.caPools.update

FieldMask

Required. A list of fields to be updated in this request.

string

Optional. An ID to identify requests. Specify a unique request ID so that if you must retry your request, the server will know to ignore the request if it has already been completed. The server will guarantee that for at least 60 minutes since the first request.

For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, will ignore the second request. This prevents clients from accidentally creating duplicate commitments.

The request ID must be a valid UUID with the exception that zero UUID is not supported (00000000-0000-0000-0000-000000000000).

CertificateAuthority

Required. CertificateAuthority with updated values.

Authorization requires the following IAM permission on the specified resource certificateAuthority:

• privateca.certificateAuthorities.update

FieldMask

Required. A list of fields to be updated in this request.

string

Optional. An ID to identify requests. Specify a unique request ID so that if you must retry your request, the server will know to ignore the request if it has already been completed. The server will guarantee that for at least 60 minutes since the first request.

For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, will ignore the second request. This prevents clients from accidentally creating duplicate commitments.

The request ID must be a valid UUID with the exception that zero UUID is not supported (00000000-0000-0000-0000-000000000000).

Certificate

Required. Certificate with updated values.

Authorization requires the following IAM permission on the specified resource certificate:

• privateca.certificates.update

FieldMask

Required. A list of fields to be updated in this request.

string

Optional. An ID to identify requests. Specify a unique request ID so that if you must retry your request, the server will know to ignore the request if it has already been completed. The server will guarantee that for at least 60 minutes since the first request.

For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, will ignore the second request. This prevents clients from accidentally creating duplicate commitments.

The request ID must be a valid UUID with the exception that zero UUID is not supported (00000000-0000-0000-0000-000000000000).

CertificateRevocationList

Required. CertificateRevocationList with updated values.

Authorization requires the following IAM permission on the specified resource certificateRevocationList:

• privateca.certificateRevocationLists.update

FieldMask

Required. A list of fields to be updated in this request.

string

Optional. An ID to identify requests. Specify a unique request ID so that if you must retry your request, the server will know to ignore the request if it has already been completed. The server will guarantee that for at least 60 minutes since the first request.

For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, will ignore the second request. This prevents clients from accidentally creating duplicate commitments.

The request ID must be a valid UUID with the exception that zero UUID is not supported (00000000-0000-0000-0000-000000000000).

CertificateTemplate

Required. CertificateTemplate with updated values.

Authorization requires the following IAM permission on the specified resource certificateTemplate:

• privateca.certificateTemplates.update

FieldMask

Required. A list of fields to be updated in this request.

string

Optional. An ID to identify requests. Specify a unique request ID so that if you must retry your request, the server will know to ignore the request if it has already been completed. The server will guarantee that for at least 60 minutes since the first request.

For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, will ignore the second request. This prevents clients from accidentally creating duplicate commitments.

The request ID must be a valid UUID with the exception that zero UUID is not supported (00000000-0000-0000-0000-000000000000).

ObjectId

Required. The OID for this X.509 extension.

bool

Optional. Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error).

bytes

Required. The value of this X.509 extension.

KeyUsage

Optional. Indicates the intended use for keys that correspond to a certificate.

CaOptions

Optional. Describes options in this X509Parameters that are relevant in a CA certificate.

ObjectId

Optional. Describes the X.509 certificate policy object identifiers, per https://tools.ietf.org/html/rfc5280#section-4.2.1.4.

string

Optional. Describes Online Certificate Status Protocol (OCSP) endpoint addresses that appear in the "Authority Information Access" extension in the certificate.

NameConstraints

Optional. Describes the X.509 name constraints extension.

X509Extension

Optional. Describes custom X.509 extensions.

bool

Optional. Refers to the "CA" X.509 extension, which is a boolean value. When this value is missing, the extension will be omitted from the CA certificate.

int32

Optional. Refers to the path length restriction X.509 extension. For a CA certificate, this value describes the depth of subordinate CA certificates that are allowed. If this value is less than 0, the request will fail. If this value is missing, the max path length will be omitted from the CA certificate.

bool

Indicates whether or not the name constraints are marked critical.

string

Contains permitted DNS names. Any DNS name that can be constructed by simply adding zero or more labels to the left-hand side of the name satisfies the name constraint. For example, example.com, www.example.com, www.sub.example.com would satisfy example.com while example1.com does not.

string

Contains excluded DNS names. Any DNS name that can be constructed by simply adding zero or more labels to the left-hand side of the name satisfies the name constraint. For example, example.com, www.example.com, www.sub.example.com would satisfy example.com while example1.com does not.

string

Contains the permitted IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.

string

Contains the excluded IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.

string

Contains the permitted email addresses. The value can be a particular email address, a hostname to indicate all email addresses on that host or a domain with a leading period (e.g. .example.com) to indicate all email addresses in that domain.

string

Contains the excluded email addresses. The value can be a particular email address, a hostname to indicate all email addresses on that host or a domain with a leading period (e.g. .example.com) to indicate all email addresses in that domain.

string

Contains the permitted URIs that apply to the host part of the name. The value can be a hostname or a domain with a leading period (like .example.com)

string

Contains the excluded URIs that apply to the host part of the name. The value can be a hostname or a domain with a leading period (like .example.com)