Index
CertificateAuthorityService (interface)
ActivateCertificateAuthorityRequest (message)
CaPool (message)
CaPool.IssuancePolicy (message)
CaPool.IssuancePolicy.AllowedKeyType (message)
CaPool.IssuancePolicy.AllowedKeyType.EcKeyType (message)
CaPool.IssuancePolicy.AllowedKeyType.EcKeyType.EcSignatureAlgorithm (enum)
CaPool.IssuancePolicy.AllowedKeyType.RsaKeyType (message)
CaPool.IssuancePolicy.IssuanceModes (message)
CaPool.PublishingOptions (message)
CaPool.PublishingOptions.EncodingFormat (enum)
CaPool.Tier (enum)
Certificate (message)
Certificate.RevocationDetails (message)
CertificateAuthority (message)
CertificateAuthority.AccessUrls (message)
CertificateAuthority.KeyVersionSpec (message)
CertificateAuthority.SignHashAlgorithm (enum)
CertificateAuthority.State (enum)
CertificateAuthority.Type (enum)
CertificateConfig (message)
CertificateConfig.KeyId (message)
CertificateConfig.SubjectConfig (message)
CertificateDescription (message)
CertificateDescription.CertificateFingerprint (message)
CertificateDescription.KeyId (message)
CertificateDescription.SubjectDescription (message)
CertificateExtensionConstraints (message)
CertificateExtensionConstraints.KnownCertificateExtension (enum)
CertificateIdentityConstraints (message)
CertificateRevocationList (message)
CertificateRevocationList.RevokedCertificate (message)
CertificateRevocationList.State (enum)
CertificateTemplate (message)
CreateCaPoolRequest (message)
CreateCertificateAuthorityRequest (message)
CreateCertificateRequest (message)
CreateCertificateTemplateRequest (message)
DeleteCaPoolRequest (message)
DeleteCertificateAuthorityRequest (message)
DeleteCertificateTemplateRequest (message)
DisableCertificateAuthorityRequest (message)
EnableCertificateAuthorityRequest (message)
FetchCaCertsRequest (message)
FetchCaCertsResponse (message)
FetchCaCertsResponse.CertChain (message)
FetchCertificateAuthorityCsrRequest (message)
FetchCertificateAuthorityCsrResponse (message)
GetCaPoolRequest (message)
GetCertificateAuthorityRequest (message)
GetCertificateRequest (message)
GetCertificateRevocationListRequest (message)
GetCertificateTemplateRequest (message)
KeyUsage (message)
KeyUsage.ExtendedKeyUsageOptions (message)
KeyUsage.KeyUsageOptions (message)
ListCaPoolsRequest (message)
ListCaPoolsResponse (message)
ListCertificateAuthoritiesRequest (message)
ListCertificateAuthoritiesResponse (message)
ListCertificateRevocationListsRequest (message)
ListCertificateRevocationListsResponse (message)
ListCertificateTemplatesRequest (message)
ListCertificateTemplatesResponse (message)
ListCertificatesRequest (message)
ListCertificatesResponse (message)
ObjectId (message)
OperationMetadata (message)
PublicKey (message)
PublicKey.KeyFormat (enum)
RevocationReason (enum)
RevokeCertificateRequest (message)
Subject (message)
SubjectAltNames (message)
SubjectRequestMode (enum)
SubordinateConfig (message)
SubordinateConfig.SubordinateConfigChain (message)
UndeleteCertificateAuthorityRequest (message)
UpdateCaPoolRequest (message)
UpdateCertificateAuthorityRequest (message)
UpdateCertificateRequest (message)
UpdateCertificateRevocationListRequest (message)
UpdateCertificateTemplateRequest (message)
X509Extension (message)
X509Parameters (message)
X509Parameters.CaOptions (message)
X509Parameters.NameConstraints (message)
CertificateAuthorityService
Certificate Authority Service manages private certificate authorities and issued certificates.
ActivateCertificateAuthority |
---|
Activate a
|
CreateCaPool |
---|
Create a
|
CreateCertificate |
---|
Create a new
|
CreateCertificateAuthority |
---|
Create a new
|
CreateCertificateTemplate |
---|
Create a new
|
DeleteCaPool |
---|
Delete a
|
DeleteCertificateAuthority |
---|
Delete a
|
DeleteCertificateTemplate |
---|
DeleteCertificateTemplate deletes a
|
DisableCertificateAuthority |
---|
Disable a
|
EnableCertificateAuthority |
---|
Enable a
|
FetchCaCerts |
---|
FetchCaCerts returns the current trust anchor for the
|
FetchCertificateAuthorityCsr |
---|
Fetch a certificate signing request (CSR) from a
|
GetCaPool |
---|
Returns a
|
GetCertificate |
---|
Returns a
|
GetCertificateAuthority |
---|
Returns a
|
GetCertificateRevocationList |
---|
Returns a
|
GetCertificateTemplate |
---|
Returns a
|
ListCaPools |
---|
Lists
|
ListCertificateAuthorities |
---|
Lists
|
ListCertificateRevocationLists |
---|
Lists
|
ListCertificateTemplates |
---|
Lists
|
ListCertificates |
---|
Lists
|
RevokeCertificate |
---|
Revoke a
|
UndeleteCertificateAuthority |
---|
Undelete a
|
UpdateCaPool |
---|
Update a
|
UpdateCertificate |
---|
Update a
|
UpdateCertificateAuthority |
---|
Update a
|
UpdateCertificateRevocationList |
---|
Update a
|
UpdateCertificateTemplate |
---|
Update a
|
ActivateCertificateAuthorityRequest
Request message for CertificateAuthorityService.ActivateCertificateAuthority.
Fields | |
---|---|
name |
Required. The resource name for this Authorization requires the following IAM permission on the specified resource
|
pem_ca_certificate |
Required. The signed CA certificate issued from |
subordinate_config |
Required. Must include information about the issuer of 'pem_ca_certificate', and any further issuers until the self-signed CA. |
request_id |
Optional. An ID to identify requests. Specify a unique request ID so that if you must retry your request, the server will know to ignore the request if it has already been completed. The server will guarantee that for at least 60 minutes since the first request. For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, will ignore the second request. This prevents clients from accidentally creating duplicate commitments. The request ID must be a valid UUID with the exception that zero UUID is not supported (00000000-0000-0000-0000-000000000000). |
CaPool
A CaPool represents a group of CertificateAuthorities that form a trust anchor. A CaPool can be used to manage issuance policies for one or more CertificateAuthority resources and to rotate CA certificates in and out of the trust anchor.
Fields | |
---|---|
name |
Output only. The resource name for this |
tier |
|
issuance_policy |
Optional. The |
publishing_options |
Optional. The |
labels |
Optional. Labels with user-defined metadata. |
IssuancePolicy
Defines controls over all certificate issuance within a CaPool.
Fields | |
---|---|
allowed_key_types[] |
Optional. If any |
maximum_lifetime |
Optional. The maximum lifetime allowed for issued |
allowed_issuance_modes |
Optional. If specified, then only methods allowed in the |
baseline_values |
Optional. A set of X.509 values that will be applied to all certificates issued through this |
identity_constraints |
Optional. Describes constraints on identities that may appear in |
passthrough_extensions |
Optional. Describes the set of X.509 extensions that may appear in a |
AllowedKeyType
Describes a "type" of key that may be used in a Certificate issued from a CaPool. Note that a single AllowedKeyType may refer to either a fully-qualified key algorithm, such as RSA 4096, or a family of key algorithms, such as any RSA key.
Fields | |
---|---|
Union field
|
|
rsa |
Represents an allowed RSA key type. |
elliptic_curve |
Represents an allowed Elliptic Curve key type. |
EcKeyType
Describes an Elliptic Curve key that may be used in a Certificate issued from a CaPool.
Fields | |
---|---|
signature_algorithm |
Optional. A signature algorithm that must be used. If this is omitted, any EC-based signature algorithm will be allowed. |
EcSignatureAlgorithm
Describes an elliptic curve-based signature algorithm that may be used in a Certificate issued from a CaPool.
Enums | |
---|---|
EC_SIGNATURE_ALGORITHM_UNSPECIFIED |
Not specified. Signifies that any signature algorithm may be used. |
ECDSA_P256 |
Refers to the Elliptic Curve Digital Signature Algorithm over the NIST P-256 curve. |
ECDSA_P384 |
Refers to the Elliptic Curve Digital Signature Algorithm over the NIST P-384 curve. |
EDDSA_25519 |
Refers to the Edwards-curve Digital Signature Algorithm over curve 25519, as described in RFC 8410. |
RsaKeyType
Describes an RSA key that may be used in a Certificate issued from a CaPool.
Fields | |
---|---|
min_modulus_size |
Optional. The minimum allowed RSA modulus size (inclusive), in bits. If this is not set, or if set to zero, the service-level min RSA modulus size will continue to apply. |
max_modulus_size |
Optional. The maximum allowed RSA modulus size (inclusive), in bits. If this is not set, or if set to zero, the service will not enforce an explicit upper bound on RSA modulus sizes. |
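The matching rules described for AllowedKeyType, EcKeyType and RsaKeyType can be modelled offline to review a pool policy before it is applied. The following is an added example, not code from the service or its client libraries. RequestedKey, key_allowed and lint_policy are hypothetical names, SERVICE_MIN_RSA_BITS is a placeholder for the service-level minimum (the page gives no value), and the example assumes that an empty allowed_key_types list leaves key type unrestricted and that the service-level minimum applies regardless of min_modulus_size.

```python
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

# Assumption: stand-in for the "service-level min RSA modulus size"; the page gives no number.
SERVICE_MIN_RSA_BITS = 2048
EC_ANY = "EC_SIGNATURE_ALGORITHM_UNSPECIFIED"
EC_ALGORITHMS = {"ECDSA_P256", "ECDSA_P384", "EDDSA_25519"}


@dataclass(frozen=True)
class RsaKeyType:
    min_modulus_size: int = 0  # bits, inclusive; 0 means "not set"
    max_modulus_size: int = 0  # bits, inclusive; 0 means "no explicit upper bound"


@dataclass(frozen=True)
class EcKeyType:
    signature_algorithm: str = EC_ANY  # unspecified means any EC algorithm


@dataclass(frozen=True)
class AllowedKeyType:
    rsa: Optional[RsaKeyType] = None
    elliptic_curve: Optional[EcKeyType] = None

    def __post_init__(self):
        # Union field: exactly one member may be populated.
        if (self.rsa is None) == (self.elliptic_curve is None):
            raise ValueError("set exactly one of rsa / elliptic_curve")


@dataclass(frozen=True)
class RequestedKey:
    """Hypothetical descriptor of the public key carried by a certificate request."""
    family: str            # "RSA" or "EC"
    rsa_bits: int = 0      # modulus size when family == "RSA"
    ec_algorithm: str = ""  # EcSignatureAlgorithm name when family == "EC"


def _matches(rule: AllowedKeyType, key: RequestedKey) -> bool:
    if rule.rsa is not None:
        if key.family != "RSA":
            return False
        low = max(rule.rsa.min_modulus_size, SERVICE_MIN_RSA_BITS)
        high = rule.rsa.max_modulus_size
        return key.rsa_bits >= low and (high == 0 or key.rsa_bits <= high)
    if key.family != "EC" or key.ec_algorithm not in EC_ALGORITHMS:
        return False
    return rule.elliptic_curve.signature_algorithm in (EC_ANY, key.ec_algorithm)


def key_allowed(allowed_key_types: Sequence[AllowedKeyType],
                key: RequestedKey) -> Tuple[bool, str]:
    """Return (allowed, reason) for one requested key against a pool's key rules."""
    if key.family == "RSA" and key.rsa_bits < SERVICE_MIN_RSA_BITS:
        return False, "below service-level RSA minimum"
    if not allowed_key_types:
        # Assumption: with no entries the pool places no restriction on key type.
        return True, "no allowed_key_types set"
    for i, rule in enumerate(allowed_key_types):
        if _matches(rule, key):
            return True, f"matched allowed_key_types[{i}]"
    return False, "no allowed_key_types entry matches"


def lint_policy(allowed_key_types: Sequence[AllowedKeyType]) -> List[str]:
    """Flag RSA rules that can never match or that do not tighten anything."""
    findings = []
    for i, rule in enumerate(allowed_key_types):
        r = rule.rsa
        if r is None:
            continue
        if r.min_modulus_size and r.max_modulus_size and r.min_modulus_size > r.max_modulus_size:
            findings.append(f"allowed_key_types[{i}]: min > max, no RSA key can match")
        if 0 < r.max_modulus_size < SERVICE_MIN_RSA_BITS:
            findings.append(f"allowed_key_types[{i}]: max is below the service minimum")
        if 0 < r.min_modulus_size < SERVICE_MIN_RSA_BITS:
            findings.append(f"allowed_key_types[{i}]: min is below the service minimum, no effect")
    return findings


if __name__ == "__main__":
    # Constructed policy: RSA 3072..4096 bits, or ECDSA over P-384 only.
    policy = [AllowedKeyType(rsa=RsaKeyType(3072, 4096)),
              AllowedKeyType(elliptic_curve=EcKeyType("ECDSA_P384"))]
    for k in (RequestedKey("RSA", rsa_bits=2048),
              RequestedKey("RSA", rsa_bits=4096),
              RequestedKey("EC", ec_algorithm="ECDSA_P256"),
              RequestedKey("EC", ec_algorithm="ECDSA_P384")):
        print(k, key_allowed(policy, k))
```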
IssuanceModes
IssuanceModes specifies the allowed ways in which Certificates may be requested from this CaPool.
Fields | |
---|---|
allow_csr_based_issuance |
Optional. When true, allows callers to create |
allow_config_based_issuance |
Optional. When true, allows callers to create |
PublishingOptions
Options relating to the publication of each CertificateAuthority's CA certificate and CRLs and their inclusion as extensions in issued Certificates. The options set here apply to certificates issued by any CertificateAuthority in the CaPool.
Fields | |
---|---|
publish_ca_cert |
Optional. When true, publishes each |
publish_crl |
Optional. When true, publishes each |
encoding_format |
Optional. Specifies the encoding format of each |
EncodingFormat
Supported encoding formats for publishing.
Enums | |
---|---|
ENCODING_FORMAT_UNSPECIFIED |
Not specified. By default, PEM format will be used. |
PEM |
The CertificateAuthority's CA certificate and CRLs will be published in PEM format. |
DER |
The CertificateAuthority's CA certificate and CRLs will be published in DER format. |
Tier
The tier of a CaPool, indicating its supported functionality and/or billing SKU.
Enums | |
---|---|
TIER_UNSPECIFIED |
Not specified. |
ENTERPRISE |
Enterprise tier. |
DEVOPS |
DevOps tier. |
Certificate
A Certificate corresponds to a signed X.509 certificate issued by a CertificateAuthority.
Fields | |
---|---|
name |
Output only. The resource name for this |
issuer_certificate_authority |
Output only. The resource name of the issuing |
lifetime |
Required. Immutable. The desired lifetime of a certificate. Used to create the "not_before_time" and "not_after_time" fields inside an X.509 certificate. Note that the lifetime may be truncated if it would extend past the life of any certificate authority in the issuing chain. |
certificate_template |
Immutable. The resource name for a |
subject_mode |
Immutable. Specifies how the |
revocation_details |
Output only. Details regarding the revocation of this |
pem_certificate |
Output only. The pem-encoded, signed X.509 certificate. |
certificate_description |
Output only. A structured description of the issued X.509 certificate. |
pem_certificate_chain[] |
Output only. The chain that may be used to verify the X.509 certificate. Expected to be in issuer-to-root order according to RFC 5246. |
create_time |
Output only. The time at which this |
update_time |
Output only. The time at which this |
labels |
Optional. Labels with user-defined metadata. |
Union field certificate_config. The config used to create a signed X.509 certificate. certificate_config can be only one of the following: |
|
pem_csr |
Immutable. A pem-encoded X.509 certificate signing request (CSR). |
config |
Immutable. A description of the certificate and key that does not require X.509 or ASN.1. |
RevocationDetails
Describes fields that are relevant to the revocation of a Certificate.
Fields | |
---|---|
revocation_state |
Indicates why a |
revocation_time |
The time at which this |
CertificateAuthority
A CertificateAuthority represents an individual Certificate Authority. A CertificateAuthority can be used to create Certificates.
Fields | |
---|---|
name |
Output only. The resource name for this |
type |
Required. Immutable. The |
config |
Required. Immutable. The config used to create a self-signed X.509 certificate or CSR. |
lifetime |
Required. Immutable. The desired lifetime of the CA certificate. Used to create the "not_before_time" and "not_after_time" fields inside an X.509 certificate. |
key_spec |
Required. Immutable. Used when issuing certificates for this |
subordinate_config |
Optional. If this is a subordinate |
tier |
Output only. The |
state |
Output only. The |
pem_ca_certificates[] |
Output only. This |
ca_certificate_descriptions[] |
Output only. A structured description of this |
gcs_bucket |
Immutable. The name of a Cloud Storage bucket where this |
access_urls |
Output only. URLs for accessing content published by this CA, such as the CA certificate and CRLs. |
create_time |
Output only. The time at which this |
update_time |
Output only. The time at which this |
delete_time |
Output only. The time at which this |
expire_time |
Output only. The time at which this |
labels |
Optional. Labels with user-defined metadata. |
satisfies_pzs |
Output only. Reserved for future use. |
satisfies_pzi |
Output only. Reserved for future use. |
AccessUrls
URLs where a CertificateAuthority will publish content.
Fields | |
---|---|
ca_certificate_access_url |
The URL where this |
crl_access_urls[] |
The URLs where this |
KeyVersionSpec
A Cloud KMS key configuration that a CertificateAuthority will use.
Fields | |
---|---|
Union field
|
|
cloud_kms_key_version |
The resource name for an existing Cloud KMS CryptoKeyVersion in the format |
algorithm |
The algorithm to use for creating a managed Cloud KMS key for a simplified experience. All managed keys will have their ProtectionLevel as |
SignHashAlgorithm
The algorithm of a Cloud KMS CryptoKeyVersion of a CryptoKey with the CryptoKeyPurpose value ASYMMETRIC_SIGN. These values correspond to the CryptoKeyVersionAlgorithm values. For RSA signing algorithms, the PSS algorithms should be preferred; use PKCS1 algorithms if required for compatibility. For further recommendations, see https://cloud.google.com/kms/docs/algorithms#algorithm_recommendations.
Enums | |
---|---|
SIGN_HASH_ALGORITHM_UNSPECIFIED |
Not specified. |
RSA_PSS_2048_SHA256 |
maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PSS_2048_SHA256 |
RSA_PSS_3072_SHA256 |
maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PSS_3072_SHA256 |
RSA_PSS_4096_SHA256 |
maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PSS_4096_SHA256 |
RSA_PKCS1_2048_SHA256 |
maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_2048_SHA256 |
RSA_PKCS1_3072_SHA256 |
maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_3072_SHA256 |
RSA_PKCS1_4096_SHA256 |
maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_4096_SHA256 |
EC_P256_SHA256 |
maps to CryptoKeyVersionAlgorithm.EC_SIGN_P256_SHA256 |
EC_P384_SHA384 |
maps to CryptoKeyVersionAlgorithm.EC_SIGN_P384_SHA384 |
State
The state of a CertificateAuthority, indicating if it can be used.
Enums | |
---|---|
STATE_UNSPECIFIED |
Not specified. |
ENABLED |
Certificates can be issued from this CA. CRLs will be generated for this CA. The CA will be part of the CaPool's trust anchor, and will be used to issue certificates from the CaPool. |
DISABLED |
Certificates cannot be issued from this CA. CRLs will still be generated. The CA will be part of the CaPool's trust anchor, but will not be used to issue certificates from the CaPool. |
STAGED |
Certificates can be issued from this CA. CRLs will be generated for this CA. The CA will be part of the CaPool's trust anchor, but will not be used to issue certificates from the CaPool. |
AWAITING_USER_ACTIVATION |
Certificates cannot be issued from this CA. CRLs will not be generated. The CA will not be part of the CaPool's trust anchor, and will not be used to issue certificates from the CaPool. |
DELETED |
Certificates cannot be issued from this CA. CRLs will not be generated. The CA may still be recovered by calling CertificateAuthorityService.UndeleteCertificateAuthority before expire_time. The CA will not be part of the CaPool's trust anchor, and will not be used to issue certificates from the CaPool. |
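The State table above separates four properties that are easy to conflate: whether a CA can issue, whether it generates CRLs, whether it is in the pool's trust anchor, and whether the pool uses it for issuance. The following added example (not code from the service or its client libraries) transcribes the table and audits a constructed inventory of one pool. audit_pool, StateSemantics and the CA IDs are hypothetical.

```python
from dataclasses import dataclass
from typing import Dict, List, Sequence, Tuple


@dataclass(frozen=True)
class StateSemantics:
    can_issue: bool        # "Certificates can be issued from this CA"
    generates_crl: bool    # "CRLs will be generated"
    in_trust_anchor: bool  # "part of the CaPool's trust anchor"
    used_by_pool: bool     # "used to issue certificates from the CaPool"


# Transcribed row by row from the State enum table.
STATE_TABLE: Dict[str, StateSemantics] = {
    "ENABLED": StateSemantics(True, True, True, True),
    "DISABLED": StateSemantics(False, True, True, False),
    "STAGED": StateSemantics(True, True, True, False),
    "AWAITING_USER_ACTIVATION": StateSemantics(False, False, False, False),
    "DELETED": StateSemantics(False, False, False, False),
}


def audit_pool(cas: Sequence[Tuple[str, str]]) -> Dict[str, List[str]]:
    """cas is a list of (ca_id, state) pairs for a single CaPool."""
    trust_anchor: List[str] = []
    pool_issuers: List[str] = []
    crl_publishers: List[str] = []
    findings: List[str] = []
    for ca_id, state in cas:
        sem = STATE_TABLE.get(state)
        if sem is None:
            # STATE_UNSPECIFIED or a value this table does not know about.
            findings.append(f"{ca_id}: state {state!r} not evaluated")
            continue
        if sem.in_trust_anchor:
            trust_anchor.append(ca_id)
        if sem.used_by_pool:
            pool_issuers.append(ca_id)
        if sem.generates_crl:
            crl_publishers.append(ca_id)
        if sem.in_trust_anchor and not sem.can_issue:
            findings.append(f"{ca_id}: {state} cannot issue but remains in the trust anchor")
        if sem.can_issue and not sem.used_by_pool:
            findings.append(f"{ca_id}: {state} can issue although the pool does not use it")
    if not pool_issuers:
        findings.append("no ENABLED CA: the pool has no CA it will use for issuance")
    return {
        "trust_anchor": trust_anchor,
        "pool_issuers": pool_issuers,
        "crl_publishers": crl_publishers,
        "findings": findings,
    }


if __name__ == "__main__":
    # Constructed inventory for one pool during a CA rotation.
    inventory = [
        ("root-2023", "DISABLED"),
        ("root-2024", "ENABLED"),
        ("root-2025", "STAGED"),
        ("sub-pending", "AWAITING_USER_ACTIVATION"),
        ("root-2019", "DELETED"),
    ]
    for key, value in audit_pool(inventory).items():
        print(key, value)
```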
Type
The type of a CertificateAuthority, indicating its issuing chain.
Enums | |
---|---|
TYPE_UNSPECIFIED |
Not specified. |
SELF_SIGNED |
Self-signed CA. |
SUBORDINATE |
Subordinate CA. Could be issued by a Private CA CertificateAuthority or an unmanaged CA. |
CertificateConfig
A CertificateConfig describes an X.509 certificate or CSR that is to be created, as an alternative to using ASN.1.
Fields | |
---|---|
subject_config |
Required. Specifies some of the values in a certificate that are related to the subject. |
x509_config |
Required. Describes how some of the technical X.509 fields in a certificate should be populated. |
public_key |
Optional. The public key that corresponds to this config. This is, for example, used when issuing |
subject_key_id |
Optional. When specified this provides a custom SKI to be used in the certificate. This should only be used to maintain a SKI of an existing CA originally created outside CA service, which was not generated using method (1) described in RFC 5280 section 4.2.1.2. |
KeyId
A KeyId identifies a specific public key, usually by hashing the public key.
Fields | |
---|---|
key_id |
Required. The value of this KeyId encoded in lowercase hexadecimal. This is most likely the 160 bit SHA-1 hash of the public key. |
SubjectConfig
These values are used to create the distinguished name and subject alternative name fields in an X.509 certificate.
Fields | |
---|---|
subject |
Optional. Contains distinguished name fields such as the common name, location and organization. |
subject_alt_name |
Optional. The subject alternative name fields. |
CertificateDescription
A CertificateDescription describes an X.509 certificate or CSR that has been issued, as an alternative to using ASN.1 / X.509.
Fields | |
---|---|
subject_description |
Describes some of the values in a certificate that are related to the subject and lifetime. |
x509_description |
Describes some of the technical X.509 fields in a certificate. |
public_key |
The public key that corresponds to an issued certificate. |
subject_key_id |
Provides a means of identifying certificates that contain a particular public key, per https://tools.ietf.org/html/rfc5280#section-4.2.1.2. |
authority_key_id |
Identifies the subject_key_id of the parent certificate, per https://tools.ietf.org/html/rfc5280#section-4.2.1.1 |
crl_distribution_points[] |
Describes a list of locations to obtain CRL information, i.e. the DistributionPoint.fullName described by https://tools.ietf.org/html/rfc5280#section-4.2.1.13 |
aia_issuing_certificate_urls[] |
Describes lists of issuer CA certificate URLs that appear in the "Authority Information Access" extension in the certificate. |
cert_fingerprint |
The hash of the x.509 certificate. |
CertificateFingerprint
A group of fingerprints for the x509 certificate.
Fields | |
---|---|
sha256_hash |
The SHA 256 hash, encoded in hexadecimal, of the DER x509 certificate. |
KeyId
A KeyId identifies a specific public key, usually by hashing the public key.
Fields | |
---|---|
key_id |
Optional. The value of this KeyId encoded in lowercase hexadecimal. This is most likely the 160 bit SHA-1 hash of the public key. |
SubjectDescription
These values describe fields in an issued X.509 certificate such as the distinguished name, subject alternative names, serial number, and lifetime.
Fields | |
---|---|
subject |
Contains distinguished name fields such as the common name, location and organization. |
subject_alt_name |
The subject alternative name fields. |
hex_serial_number |
The serial number encoded in lowercase hexadecimal. |
lifetime |
For convenience, the actual lifetime of an issued certificate. |
not_before_time |
The time at which the certificate becomes valid. |
not_after_time |
The time after which the certificate is expired. Per RFC 5280, the validity period for a certificate is the period of time from not_before_time through not_after_time, inclusive. Corresponds to 'not_before_time' + 'lifetime' - 1 second. |
CertificateExtensionConstraints
Describes a set of X.509 extensions that may be part of some certificate issuance controls.
Fields | |
---|---|
known_extensions[] |
Optional. A set of named X.509 extensions. Will be combined with |
additional_extensions[] |
Optional. A set of |
KnownCertificateExtension
Describes well-known X.509 extensions that can appear in a Certificate, not including the SubjectAltNames extension.
Enums | |
---|---|
KNOWN_CERTIFICATE_EXTENSION_UNSPECIFIED |
Not specified. |
BASE_KEY_USAGE |
Refers to a certificate's Key Usage extension, as described in RFC 5280 section 4.2.1.3. This corresponds to the KeyUsage.base_key_usage field. |
EXTENDED_KEY_USAGE |
Refers to a certificate's Extended Key Usage extension, as described in RFC 5280 section 4.2.1.12. This corresponds to the KeyUsage.extended_key_usage message. |
CA_OPTIONS |
Refers to a certificate's Basic Constraints extension, as described in RFC 5280 section 4.2.1.9. This corresponds to the X509Parameters.ca_options field. |
POLICY_IDS |
Refers to a certificate's Policy object identifiers, as described in RFC 5280 section 4.2.1.4. This corresponds to the X509Parameters.policy_ids field. |
AIA_OCSP_SERVERS |
Refers to OCSP servers in a certificate's Authority Information Access extension, as described in RFC 5280 section 4.2.2.1. This corresponds to the X509Parameters.aia_ocsp_servers field. |
NAME_CONSTRAINTS |
Refers to Name Constraints extension as described in RFC 5280 section 4.2.1.10 |
CertificateIdentityConstraints
Describes constraints on a Certificate's Subject and SubjectAltNames.
Fields | |
---|---|
cel_expression |
Optional. A CEL expression that may be used to validate the resolved X.509 Subject and/or Subject Alternative Name before a certificate is signed. To see the full allowed syntax and some examples, see https://cloud.google.com/certificate-authority-service/docs/using-cel |
allow_subject_passthrough |
Required. If this is true, the |
allow_subject_alt_names_passthrough |
Required. If this is true, the |
CertificateRevocationList
A CertificateRevocationList corresponds to a signed X.509 certificate Revocation List (CRL). A CRL contains the serial numbers of certificates that should no longer be trusted.
Fields | |
---|---|
name |
Output only. The resource name for this |
sequence_number |
Output only. The CRL sequence number that appears in pem_crl. |
revoked_certificates[] |
Output only. The revoked serial numbers that appear in pem_crl. |
pem_crl |
Output only. The PEM-encoded X.509 CRL. |
access_url |
Output only. The location where 'pem_crl' can be accessed. |
state |
Output only. The |
create_time |
Output only. The time at which this |
update_time |
Output only. The time at which this |
revision_id |
Output only. The revision ID of this |
labels |
Optional. Labels with user-defined metadata. |
RevokedCertificate
Describes a revoked Certificate.
Fields | |
---|---|
certificate |
The resource name for the |
hex_serial_number |
The serial number of the |
revocation_reason |
The reason the |
State
The state of a CertificateRevocationList, indicating if it is current.
Enums | |
---|---|
STATE_UNSPECIFIED |
Not specified. |
ACTIVE |
The CertificateRevocationList is up to date. |
SUPERSEDED |
The CertificateRevocationList is no longer current. |
CertificateTemplate
A CertificateTemplate refers to a managed template for certificate issuance.
Fields | |
---|---|
name |
Output only. The resource name for this |
maximum_lifetime |
Optional. The maximum lifetime allowed for issued |
predefined_values |
Optional. A set of X.509 values that will be applied to all issued certificates that use this template. If the certificate request includes conflicting values for the same properties, they will be overwritten by the values defined here. If the issuing |
identity_constraints |
Optional. Describes constraints on identities that may appear in |
passthrough_extensions |
Optional. Describes the set of X.509 extensions that may appear in a |
description |
Optional. A human-readable description of scenarios this template is intended for. |
create_time |
Output only. The time at which this |
update_time |
Output only. The time at which this |
labels |
Optional. Labels with user-defined metadata. |
CreateCaPoolRequest
Request message for CertificateAuthorityService.CreateCaPool.
Fields | |
---|---|
parent |
Required. The resource name of the location associated with the Authorization requires the following IAM permission on the specified resource
|
ca_pool_id |
Required. It must be unique within a location and match the regular expression |
ca_pool |
Required. A |
request_id |
Optional. An ID to identify requests. Specify a unique request ID so that if you must retry your request, the server will know to ignore the request if it has already been completed. The server will guarantee that for at least 60 minutes since the first request. For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, will ignore the second request. This prevents clients from accidentally creating duplicate commitments. The request ID must be a valid UUID with the exception that zero UUID is not supported (00000000-0000-0000-0000-000000000000). |
CreateCertificateAuthorityRequest
Request message for CertificateAuthorityService.CreateCertificateAuthority.
Fields | |
---|---|
parent |
Required. The resource name of the Authorization requires the following IAM permission on the specified resource
|
certificate_authority_id |
Required. It must be unique within a location and match the regular expression |
certificate_authority |
Required. A |
request_id |
Optional. An ID to identify requests. Specify a unique request ID so that if you must retry your request, the server will know to ignore the request if it has already been completed. The server will guarantee that for at least 60 minutes since the first request. For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, will ignore the second request. This prevents clients from accidentally creating duplicate commitments. The request ID must be a valid UUID with the exception that zero UUID is not supported (00000000-0000-0000-0000-000000000000). |
CreateCertificateRequest
Request message for CertificateAuthorityService.CreateCertificate.
Fields | |
---|---|
parent |
Required. The resource name of the Authorization requires one or more of the following IAM permissions on the specified resource
|
certificate_id |
Optional. It must be unique within a location and match the regular expression |
certificate |
Required. A |
request_id |
Optional. An ID to identify requests. Specify a unique request ID so that if you must retry your request, the server will know to ignore the request if it has already been completed. The server will guarantee that for at least 60 minutes since the first request. For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, will ignore the second request. This prevents clients from accidentally creating duplicate commitments. The request ID must be a valid UUID with the exception that zero UUID is not supported (00000000-0000-0000-0000-000000000000). |
validate_only |
Optional. If this is true, no |
issuing_certificate_authority_id |
Optional. The resource ID of the |
CreateCertificateTemplateRequest
Request message for CertificateAuthorityService.CreateCertificateTemplate.
Fields | |
---|---|
parent |
Required. The resource name of the location associated with the Authorization requires the following IAM permission on the specified resource
|
certificate_template_id |
Required. It must be unique within a location and match the regular expression |
certificate_template |
Required. A |
request_id |
Optional. An ID to identify requests. Specify a unique request ID so that if you must retry your request, the server will know to ignore the request if it has already been completed. The server will guarantee that for at least 60 minutes since the first request. For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, will ignore the second request. This prevents clients from accidentally creating duplicate commitments. The request ID must be a valid UUID with the exception that zero UUID is not supported (00000000-0000-0000-0000-000000000000). |
DeleteCaPoolRequest
Request message for CertificateAuthorityService.DeleteCaPool.
Fields | |
---|---|
name |
Required. The resource name for this Authorization requires the following IAM permission on the specified resource
|
request_id |
Optional. An ID to identify requests. Specify a unique request ID so that if you must retry your request, the server will know to ignore the request if it has already been completed. The server will guarantee that for at least 60 minutes since the first request. For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, will ignore the second request. This prevents clients from accidentally creating duplicate commitments. The request ID must be a valid UUID with the exception that zero UUID is not supported (00000000-0000-0000-0000-000000000000). |
ignore_dependent_resources |
Optional. This field allows this pool to be deleted even if it's being depended on by another resource. However, doing so may result in unintended and unrecoverable effects on any dependent resources since the pool will no longer be able to issue certificates. |
DeleteCertificateAuthorityRequest
Request message for CertificateAuthorityService.DeleteCertificateAuthority.
Fields | |
---|---|
name |
Required. The resource name for this Authorization requires the following IAM permission on the specified resource
|
request_id |
Optional. An ID to identify requests. Specify a unique request ID so that if you must retry your request, the server will know to ignore the request if it has already been completed. The server will guarantee that for at least 60 minutes since the first request. For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, will ignore the second request. This prevents clients from accidentally creating duplicate commitments. The request ID must be a valid UUID with the exception that zero UUID is not supported (00000000-0000-0000-0000-000000000000). |
ignore_active_certificates |
Optional. This field allows the CA to be deleted even if the CA has active certs. Active certs include both unrevoked and unexpired certs. |
skip_grace_period |
Optional. If this flag is set, the Certificate Authority will be deleted as soon as possible without a 30-day grace period where undeletion would have been allowed. If you proceed, there will be no way to recover this CA. |
ignore_dependent_resources |
Optional. This field allows this CA to be deleted even if it's being depended on by another resource. However, doing so may result in unintended and unrecoverable effects on any dependent resources since the CA will no longer be able to issue certificates. |
DeleteCertificateTemplateRequest
Request message for CertificateAuthorityService.DeleteCertificateTemplate.
Fields | |
---|---|
name |
Required. The resource name for this Authorization requires the following IAM permission on the specified resource
|
request_id |
Optional. An ID to identify requests. Specify a unique request ID so that if you must retry your request, the server will know to ignore the request if it has already been completed. The server will guarantee that for at least 60 minutes after the first request. For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if the original operation with the same request ID was received, and if so, will ignore the second request. This prevents clients from accidentally creating duplicate commitments. The request ID must be a valid UUID with the exception that the zero UUID is not supported (00000000-0000-0000-0000-000000000000). |
DisableCertificateAuthorityRequest
Request message for CertificateAuthorityService.DisableCertificateAuthority.
Fields | |
---|---|
name |
Required. The resource name for this Authorization requires the following IAM permission on the specified resource
|
request_id |
Optional. An ID to identify requests. Specify a unique request ID so that if you must retry your request, the server will know to ignore the request if it has already been completed. The server will guarantee that for at least 60 minutes after the first request. For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if the original operation with the same request ID was received, and if so, will ignore the second request. This prevents clients from accidentally creating duplicate commitments. The request ID must be a valid UUID with the exception that the zero UUID is not supported (00000000-0000-0000-0000-000000000000). |
ignore_dependent_resources |
Optional. This field allows this CA to be disabled even if it's being depended on by another resource. However, doing so may result in unintended and unrecoverable effects on any dependent resources since the CA will no longer be able to issue certificates. |
EnableCertificateAuthorityRequest
Request message for CertificateAuthorityService.EnableCertificateAuthority.
Fields | |
---|---|
name |
Required. The resource name for this Authorization requires the following IAM permission on the specified resource
|
request_id |
Optional. An ID to identify requests. Specify a unique request ID so that if you must retry your request, the server will know to ignore the request if it has already been completed. The server will guarantee that for at least 60 minutes after the first request. For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if the original operation with the same request ID was received, and if so, will ignore the second request. This prevents clients from accidentally creating duplicate commitments. The request ID must be a valid UUID with the exception that the zero UUID is not supported (00000000-0000-0000-0000-000000000000). |
FetchCaCertsRequest
Request message for CertificateAuthorityService.FetchCaCerts.
Fields | |
---|---|
ca_pool |
Required. The resource name for the Authorization requires the following IAM permission on the specified resource
|
request_id |
Optional. An ID to identify requests. Specify a unique request ID so that if you must retry your request, the server will know to ignore the request if it has already been completed. The server will guarantee that for at least 60 minutes after the first request. For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if the original operation with the same request ID was received, and if so, will ignore the second request. This prevents clients from accidentally creating duplicate commitments. The request ID must be a valid UUID with the exception that the zero UUID is not supported (00000000-0000-0000-0000-000000000000). |
FetchCaCertsResponse
Response message for CertificateAuthorityService.FetchCaCerts.
Fields | |
---|---|
ca_certs[] |
The PEM encoded CA certificate chains of all certificate authorities in this |
CertChain
Fields | |
---|---|
certificates[] |
The certificates that form the CA chain, from leaf to root order. |
FetchCertificateAuthorityCsrRequest
Request message for CertificateAuthorityService.FetchCertificateAuthorityCsr.
Fields | |
---|---|
name |
Required. The resource name for this Authorization requires the following IAM permission on the specified resource
|
FetchCertificateAuthorityCsrResponse
Response message for CertificateAuthorityService.FetchCertificateAuthorityCsr.
Fields | |
---|---|
pem_csr |
Output only. The PEM-encoded signed certificate signing request (CSR). |
GetCaPoolRequest
Request message for CertificateAuthorityService.GetCaPool.
Fields | |
---|---|
name |
Required. The Authorization requires the following IAM permission on the specified resource
|
GetCertificateAuthorityRequest
Request message for CertificateAuthorityService.GetCertificateAuthority.
Fields | |
---|---|
name |
Required. The Authorization requires the following IAM permission on the specified resource
|
GetCertificateRequest
Request message for CertificateAuthorityService.GetCertificate.
Fields | |
---|---|
name |
Required. The Authorization requires the following IAM permission on the specified resource
|
GetCertificateRevocationListRequest
Request message for CertificateAuthorityService.GetCertificateRevocationList.
Fields | |
---|---|
name |
Required. The Authorization requires the following IAM permission on the specified resource
|
GetCertificateTemplateRequest
Request message for CertificateAuthorityService.GetCertificateTemplate.
Fields | |
---|---|
name |
Required. The Authorization requires the following IAM permission on the specified resource
|
KeyUsage
A KeyUsage describes key usage values that may appear in an X.509 certificate.
Fields | |
---|---|
base_key_usage |
Describes high-level ways in which a key may be used. |
extended_key_usage |
Detailed scenarios in which a key may be used. |
unknown_extended_key_usages[] |
Used to describe extended key usages that are not listed in the |
ExtendedKeyUsageOptions
KeyUsage.ExtendedKeyUsageOptions has fields that correspond to certain common OIDs that could be specified as an extended key usage value.
Fields | |
---|---|
server_auth |
Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as "TLS WWW server authentication", though regularly used for non-WWW TLS. |
client_auth |
Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as "TLS WWW client authentication", though regularly used for non-WWW TLS. |
code_signing |
Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as "Signing of downloadable executable code client authentication". |
email_protection |
Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as "Email protection". |
time_stamping |
Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as "Binding the hash of an object to a time". |
ocsp_signing |
Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as "Signing OCSP responses". |
KeyUsageOptions
KeyUsage.KeyUsageOptions corresponds to the key usage values described in https://tools.ietf.org/html/rfc5280#section-4.2.1.3.
Fields | |
---|---|
digital_signature |
The key may be used for digital signatures. |
content_commitment |
The key may be used for cryptographic commitments. Note that this may also be referred to as "non-repudiation". |
key_encipherment |
The key may be used to encipher other keys. |
data_encipherment |
The key may be used to encipher data. |
key_agreement |
The key may be used in a key agreement protocol. |
cert_sign |
The key may be used to sign certificates. |
crl_sign |
The key may be used to sign certificate revocation lists. |
encipher_only |
The key may be used to encipher only. |
decipher_only |
The key may be used to decipher only. |
ListCaPoolsRequest
Request message for CertificateAuthorityService.ListCaPools.
Fields | |
---|---|
parent |
Required. The resource name of the location associated with the Authorization requires the following IAM permission on the specified resource
|
page_size |
Optional. Limit on the number of |
page_token |
Optional. Pagination token, returned earlier via |
filter |
Optional. Only include resources that match the filter in the response. |
order_by |
Optional. Specify how the results should be sorted. |
ListCaPoolsResponse
Response message for CertificateAuthorityService.ListCaPools.
Fields | |
---|---|
ca_pools[] |
The list of |
next_page_token |
A token to retrieve next page of results. Pass this value in ListCertificateAuthoritiesRequest.next_page_token to retrieve the next page of results. |
unreachable[] |
A list of locations (e.g. "us-west1") that could not be reached. |
ListCertificateAuthoritiesRequest
Request message for CertificateAuthorityService.ListCertificateAuthorities.
Fields | |
---|---|
parent |
Required. The resource name of the Authorization requires the following IAM permission on the specified resource
|
page_size |
Optional. Limit on the number of |
page_token |
Optional. Pagination token, returned earlier via |
filter |
Optional. Only include resources that match the filter in the response. |
order_by |
Optional. Specify how the results should be sorted. |
ListCertificateAuthoritiesResponse
Response message for CertificateAuthorityService.ListCertificateAuthorities.
Fields | |
---|---|
certificate_authorities[] |
The list of |
next_page_token |
A token to retrieve next page of results. Pass this value in ListCertificateAuthoritiesRequest.next_page_token to retrieve the next page of results. |
unreachable[] |
A list of locations (e.g. "us-west1") that could not be reached. |
ListCertificateRevocationListsRequest
Request message for CertificateAuthorityService.ListCertificateRevocationLists.
Fields | |
---|---|
parent |
Required. The resource name of the location associated with the Authorization requires the following IAM permission on the specified resource
|
page_size |
Optional. Limit on the number of |
page_token |
Optional. Pagination token, returned earlier via |
filter |
Optional. Only include resources that match the filter in the response. |
order_by |
Optional. Specify how the results should be sorted. |
ListCertificateRevocationListsResponse
Response message for CertificateAuthorityService.ListCertificateRevocationLists.
Fields | |
---|---|
certificate_revocation_lists[] |
The list of |
next_page_token |
A token to retrieve next page of results. Pass this value in ListCertificateRevocationListsRequest.next_page_token to retrieve the next page of results. |
unreachable[] |
A list of locations (e.g. "us-west1") that could not be reached. |
ListCertificateTemplatesRequest
Request message for CertificateAuthorityService.ListCertificateTemplates.
Fields | |
---|---|
parent |
Required. The resource name of the location associated with the Authorization requires the following IAM permission on the specified resource
|
page_size |
Optional. Limit on the number of |
page_token |
Optional. Pagination token, returned earlier via |
filter |
Optional. Only include resources that match the filter in the response. |
order_by |
Optional. Specify how the results should be sorted. |
ListCertificateTemplatesResponse
Response message for CertificateAuthorityService.ListCertificateTemplates.
Fields | |
---|---|
certificate_templates[] |
The list of |
next_page_token |
A token to retrieve next page of results. Pass this value in ListCertificateTemplatesRequest.next_page_token to retrieve the next page of results. |
unreachable[] |
A list of locations (e.g. "us-west1") that could not be reached. |
ListCertificatesRequest
Request message for CertificateAuthorityService.ListCertificates.
Fields | |
---|---|
parent |
Required. The resource name of the location associated with the Authorization requires the following IAM permission on the specified resource
|
page_size |
Optional. Limit on the number of |
page_token |
Optional. Pagination token, returned earlier via |
filter |
Optional. Only include resources that match the filter in the response. For details on supported filters and syntax, see Certificates Filtering documentation. |
order_by |
Optional. Specify how the results should be sorted. For details on supported fields and syntax, see Certificates Sorting documentation. |
ListCertificatesResponse
Response message for CertificateAuthorityService.ListCertificates.
Fields | |
---|---|
certificates[] |
The list of |
next_page_token |
A token to retrieve next page of results. Pass this value in ListCertificatesRequest.next_page_token to retrieve the next page of results. |
unreachable[] |
A list of locations (e.g. "us-west1") that could not be reached. |
ObjectId
An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
Fields | |
---|---|
object_id_path[] |
Required. The parts of an OID path. The most significant parts of the path come first. |
OperationMetadata
Represents the metadata of the long-running operation.
Fields | |
---|---|
create_time |
Output only. The time the operation was created. |
end_time |
Output only. The time the operation finished running. |
target |
Output only. Server-defined resource path for the target of the operation. |
verb |
Output only. Name of the verb executed by the operation. |
status_message |
Output only. Human-readable status of the operation, if any. |
requested_cancellation |
Output only. Identifies whether the user has requested cancellation of the operation. Operations that have successfully been cancelled have Operation.error value with a |
api_version |
Output only. API version used to start the operation. |
PublicKey
A PublicKey describes a public key.
Fields | |
---|---|
key |
Required. A public key. The padding and encoding must match with the |
format |
Required. The format of the public key. |
KeyFormat
Types of public key formats that are supported. Currently, only PEM format is supported.
Enums | |
---|---|
KEY_FORMAT_UNSPECIFIED |
Default unspecified value. |
PEM |
The key is PEM-encoded as defined in RFC 7468. It can be any of the following: a PEM-encoded PKCS#1/RFC 3447 RSAPublicKey structure, an RFC 5280 SubjectPublicKeyInfo or a PEM-encoded X.509 certificate signing request (CSR). If a SubjectPublicKeyInfo is specified, it can contain a PEM-encoded PKCS#1/RFC 3447 RSAPublicKey or a NIST P-256/secp256r1/prime256v1 or P-384 key. If a CSR is specified, it will be used solely for the purpose of extracting the public key. When generated by the service, it will always be an RFC 5280 SubjectPublicKeyInfo structure containing an algorithm identifier and a key. |
RevocationReason
A RevocationReason indicates whether a Certificate has been revoked, and the reason for revocation. These correspond to standard revocation reasons from RFC 5280. Note that the enum labels and values in this definition are not the same as the ASN.1 values defined in RFC 5280. These values will be translated to the correct ASN.1 values when a CRL is created.
Enums | |
---|---|
REVOCATION_REASON_UNSPECIFIED |
Default unspecified value. This value does indicate that a Certificate has been revoked, but that a reason has not been recorded. |
KEY_COMPROMISE |
Key material for this Certificate may have leaked. |
CERTIFICATE_AUTHORITY_COMPROMISE |
The key material for a certificate authority in the issuing path may have leaked. |
AFFILIATION_CHANGED |
The subject or other attributes in this Certificate have changed. |
SUPERSEDED |
This Certificate has been superseded. |
CESSATION_OF_OPERATION |
This Certificate or entities in the issuing path have ceased to operate. |
CERTIFICATE_HOLD |
This Certificate should not be considered valid; it is expected that it may become valid in the future. |
PRIVILEGE_WITHDRAWN |
This Certificate no longer has permission to assert the listed attributes. |
ATTRIBUTE_AUTHORITY_COMPROMISE |
The authority which determines appropriate attributes for a Certificate may have been compromised. |
RevokeCertificateRequest
Request message for CertificateAuthorityService.RevokeCertificate.
Fields | |
---|---|
name |
Required. The resource name for this Authorization requires the following IAM permission on the specified resource
|
reason |
Required. The |
request_id |
Optional. An ID to identify requests. Specify a unique request ID so that if you must retry your request, the server will know to ignore the request if it has already been completed. The server will guarantee that for at least 60 minutes after the first request. For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if the original operation with the same request ID was received, and if so, will ignore the second request. This prevents clients from accidentally creating duplicate commitments. The request ID must be a valid UUID with the exception that the zero UUID is not supported (00000000-0000-0000-0000-000000000000). |
Subject
Subject describes parts of a distinguished name that, in turn, describes the subject of the certificate.
Fields | |
---|---|
common_name |
The "common name" of the subject. |
country_code |
The country code of the subject. |
organization |
The organization of the subject. |
organizational_unit |
The organizational_unit of the subject. |
locality |
The locality or city of the subject. |
province |
The province, territory, or regional state of the subject. |
street_address |
The street address of the subject. |
postal_code |
The postal code of the subject. |
SubjectAltNames
SubjectAltNames corresponds to a more modern way of listing what the asserted identity is in a certificate (i.e., compared to the "common name" in the distinguished name).
Fields | |
---|---|
dns_names[] |
Contains only valid, fully-qualified host names. |
uris[] |
Contains only valid RFC 3986 URIs. |
email_addresses[] |
Contains only valid RFC 2822 E-mail addresses. |
ip_addresses[] |
Contains only valid 32-bit IPv4 addresses or RFC 4291 IPv6 addresses. |
custom_sans[] |
Contains additional subject alternative name values. For each custom_san, the |
SubjectRequestMode
Describes the way in which a Certificate's Subject and/or SubjectAltNames will be resolved.
Enums | |
---|---|
SUBJECT_REQUEST_MODE_UNSPECIFIED |
Not specified. |
DEFAULT |
The default mode used in most cases. Indicates that the certificate's Subject and/or SubjectAltNames are specified in the certificate request. This mode requires the caller to have the privateca.certificates.create permission. |
REFLECTED_SPIFFE |
A mode reserved for special cases. Indicates that the certificate should have one SPIFFE SubjectAltNames set by the service based on the caller's identity. This mode will ignore any explicitly specified Subject and/or SubjectAltNames in the certificate request. This mode requires the caller to have the privateca.certificates.createForSelf permission. |
SubordinateConfig
Describes a subordinate CA's issuers. This is either a resource name to a known issuing CertificateAuthority, or a PEM issuer certificate chain.
Fields | |
---|---|
Union field
|
|
certificate_authority |
Required. This can refer to a |
pem_issuer_chain |
Required. Contains the PEM certificate chain for the issuers of this |
SubordinateConfigChain
This message describes a subordinate CA's issuer certificate chain. This wrapper exists for compatibility reasons.
Fields | |
---|---|
pem_certificates[] |
Required. Expected to be in leaf-to-root order according to RFC 5246. |
UndeleteCertificateAuthorityRequest
Request message for CertificateAuthorityService.UndeleteCertificateAuthority.
Fields | |
---|---|
name |
Required. The resource name for this Authorization requires the following IAM permission on the specified resource
|
request_id |
Optional. An ID to identify requests. Specify a unique request ID so that if you must retry your request, the server will know to ignore the request if it has already been completed. The server will guarantee that for at least 60 minutes after the first request. For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if the original operation with the same request ID was received, and if so, will ignore the second request. This prevents clients from accidentally creating duplicate commitments. The request ID must be a valid UUID with the exception that the zero UUID is not supported (00000000-0000-0000-0000-000000000000). |
UpdateCaPoolRequest
Request message for CertificateAuthorityService.UpdateCaPool.
Fields | |
---|---|
ca_pool |
Required. Authorization requires the following IAM permission on the specified resource
|
update_mask |
Required. A list of fields to be updated in this request. |
request_id |
Optional. An ID to identify requests. Specify a unique request ID so that if you must retry your request, the server will know to ignore the request if it has already been completed. The server will guarantee that for at least 60 minutes after the first request. For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if the original operation with the same request ID was received, and if so, will ignore the second request. This prevents clients from accidentally creating duplicate commitments. The request ID must be a valid UUID with the exception that the zero UUID is not supported (00000000-0000-0000-0000-000000000000). |
UpdateCertificateAuthorityRequest
Request message for CertificateAuthorityService.UpdateCertificateAuthority.
Fields | |
---|---|
certificate_authority |
Required. Authorization requires the following IAM permission on the specified resource
|
update_mask |
Required. A list of fields to be updated in this request. |
request_id |
Optional. An ID to identify requests. Specify a unique request ID so that if you must retry your request, the server will know to ignore the request if it has already been completed. The server will guarantee that for at least 60 minutes after the first request. For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if the original operation with the same request ID was received, and if so, will ignore the second request. This prevents clients from accidentally creating duplicate commitments. The request ID must be a valid UUID with the exception that the zero UUID is not supported (00000000-0000-0000-0000-000000000000). |
UpdateCertificateRequest
Request message for CertificateAuthorityService.UpdateCertificate.
Fields | |
---|---|
certificate |
Required. Authorization requires the following IAM permission on the specified resource
|
update_mask |
Required. A list of fields to be updated in this request. |
request_id |
Optional. An ID to identify requests. Specify a unique request ID so that if you must retry your request, the server will know to ignore the request if it has already been completed. The server will guarantee that for at least 60 minutes after the first request. For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if the original operation with the same request ID was received, and if so, will ignore the second request. This prevents clients from accidentally creating duplicate commitments. The request ID must be a valid UUID with the exception that the zero UUID is not supported (00000000-0000-0000-0000-000000000000). |
UpdateCertificateRevocationListRequest
Request message for CertificateAuthorityService.UpdateCertificateRevocationList.
Fields | |
---|---|
certificate_revocation_list |
Required. Authorization requires the following IAM permission on the specified resource
|
update_mask |
Required. A list of fields to be updated in this request. |
request_id |
Optional. An ID to identify requests. Specify a unique request ID so that if you must retry your request, the server will know to ignore the request if it has already been completed. The server will guarantee that for at least 60 minutes after the first request. For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if the original operation with the same request ID was received, and if so, will ignore the second request. This prevents clients from accidentally creating duplicate commitments. The request ID must be a valid UUID with the exception that the zero UUID is not supported (00000000-0000-0000-0000-000000000000). |
UpdateCertificateTemplateRequest
Request message for CertificateAuthorityService.UpdateCertificateTemplate.
Fields | |
---|---|
certificate_template |
Required. Authorization requires the following IAM permission on the specified resource
|
update_mask |
Required. A list of fields to be updated in this request. |
request_id |
Optional. An ID to identify requests. Specify a unique request ID so that if you must retry your request, the server will know to ignore the request if it has already been completed. The server will guarantee that for at least 60 minutes after the first request. For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if the original operation with the same request ID was received, and if so, will ignore the second request. This prevents clients from accidentally creating duplicate commitments. The request ID must be a valid UUID with the exception that the zero UUID is not supported (00000000-0000-0000-0000-000000000000). |
X509Extension
An X509Extension specifies an X.509 extension, which may be used in different parts of X.509 objects like certificates, CSRs, and CRLs.
Fields | |
---|---|
object_id |
Required. The OID for this X.509 extension. |
critical |
Optional. Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error). |
value |
Required. The value of this X.509 extension. |
X509Parameters
An X509Parameters is used to describe certain fields of an X.509 certificate, such as the key usage fields, fields specific to CA certificates, certificate policy extensions and custom extensions.
Fields | |
---|---|
key_usage |
Optional. Indicates the intended use for keys that correspond to a certificate. |
ca_options |
Optional. Describes options in this |
policy_ids[] |
Optional. Describes the X.509 certificate policy object identifiers, per https://tools.ietf.org/html/rfc5280#section-4.2.1.4. |
aia_ocsp_servers[] |
Optional. Describes Online Certificate Status Protocol (OCSP) endpoint addresses that appear in the "Authority Information Access" extension in the certificate. |
name_constraints |
Optional. Describes the X.509 name constraints extension. |
additional_extensions[] |
Optional. Describes custom X.509 extensions. |
CaOptions
Describes the X.509 basic constraints extension, per RFC 5280 section 4.2.1.9
Fields | |
---|---|
is_ca |
Optional. Refers to the "CA" boolean field in the X.509 extension. When this value is missing, the basic constraints extension will be omitted from the certificate. |
max_issuer_path_length |
Optional. Refers to the path length constraint field in the X.509 extension. For a CA certificate, this value describes the depth of subordinate CA certificates that are allowed. If this value is less than 0, the request will fail. If this value is missing, the max path length will be omitted from the certificate. |
NameConstraints
Describes the X.509 name constraints extension, per https://tools.ietf.org/html/rfc5280#section-4.2.1.10
Fields | |
---|---|
critical |
Indicates whether or not the name constraints are marked critical. |
permitted_dns_names[] |
Contains permitted DNS names. Any DNS name that can be constructed by simply adding zero or more labels to the left-hand side of the name satisfies the name constraint. For example, |
excluded_dns_names[] |
Contains excluded DNS names. Any DNS name that can be constructed by simply adding zero or more labels to the left-hand side of the name satisfies the name constraint. For example, |
permitted_ip_ranges[] |
Contains the permitted IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses. |
excluded_ip_ranges[] |
Contains the excluded IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses. |
permitted_email_addresses[] |
Contains the permitted email addresses. The value can be a particular email address, a hostname to indicate all email addresses on that host or a domain with a leading period (e.g. |
excluded_email_addresses[] |
Contains the excluded email addresses. The value can be a particular email address, a hostname to indicate all email addresses on that host or a domain with a leading period (e.g. |
permitted_uris[] |
Contains the permitted URIs that apply to the host part of the name. The value can be a hostname or a domain with a leading period (like |
excluded_uris[] |
Contains the excluded URIs that apply to the host part of the name. The value can be a hostname or a domain with a leading period (like |
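The matching rules in the NameConstraints fields above, as an added Python example (not part of this API reference and not the service's validator). It follows RFC 5280 section 4.2.1.10: an excluded match always rejects, and a name type with no permitted entries is unrestricted. SAMPLE_CONSTRAINTS and all function names are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample; keys are the NameConstraints field names listed above.
SAMPLE_CONSTRAINTS = {
    "permitted_dns_names": ["corp.example.com"],
    "excluded_dns_names": ["legacy.corp.example.com"],
    "permitted_ip_ranges": ["10.0.0.0/8"],
    "excluded_ip_ranges": ["10.9.0.0/16"],
    "permitted_email_addresses": [".corp.example.com", "pki-admin@example.com"],
    "permitted_uris": [".corp.example.com"],
}
FIELD_SUFFIX = {"dns": "dns_names", "ip": "ip_ranges",
                "email": "email_addresses", "uri": "uris"}


def _labels(name):
    return name.rstrip(".").lower().split(".")


def dns_matches(name, constraint):
    """Constraint plus zero or more labels on the left, compared per label."""
    n, c = _labels(name), _labels(constraint)
    return len(n) >= len(c) and n[len(n) - len(c):] == c


def host_matches(host, constraint):
    """Leading period: any host inside the domain. Otherwise: that exact host."""
    host, constraint = host.lower(), constraint.lower()
    if constraint.startswith("."):
        return host.endswith(constraint)  # the bare domain itself does not match
    return host == constraint


def email_matches(address, constraint):
    if "@" not in address:
        return False
    local, _, host = address.rpartition("@")
    if "@" in constraint:  # one particular mailbox
        c_local, _, c_host = constraint.rpartition("@")
        return local == c_local and host.lower() == c_host.lower()
    return host_matches(host, constraint)


def uri_matches(uri, constraint):
    """Constraints apply to the host part; a URI without a host never matches."""
    host = urlsplit(uri).hostname
    return host is not None and host_matches(host, constraint)


def ip_matches(address, cidr):
    addr = ipaddress.ip_address(address)
    net = ipaddress.ip_network(cidr, strict=False)
    return addr.version == net.version and addr in net


MATCHERS = {"dns": dns_matches, "ip": ip_matches,
            "email": email_matches, "uri": uri_matches}


def san_allowed(kind, value, constraints):
    """Apply excluded_* first, then permitted_* for one SAN value."""
    match = MATCHERS[kind]
    excluded = constraints.get("excluded_" + FIELD_SUFFIX[kind], [])
    permitted = constraints.get("permitted_" + FIELD_SUFFIX[kind], [])
    if any(match(value, c) for c in excluded):
        return False
    return not permitted or any(match(value, c) for c in permitted)


if __name__ == "__main__":
    for kind, value in [("dns", "api.corp.example.com"),
                        ("dns", "evilcorp.example.com"),
                        ("dns", "db.legacy.corp.example.com"),
                        ("ip", "10.9.4.4"),
                        ("email", "svc@corp.example.com"),
                        ("uri", "spiffe://ns.corp.example.com/sa/build")]:
        print(kind, value, san_allowed(kind, value, SAMPLE_CONSTRAINTS))
```

The label-wise comparison is what keeps evilcorp.example.com from satisfying a corp.example.com constraint, which a plain string suffix test would let through.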