Package google.cloud.security.privateca.v1

Index

CertificateAuthorityService

Certificate Authority Service manages private certificate authorities and issued certificates.

ActivateCertificateAuthority

rpc ActivateCertificateAuthority(ActivateCertificateAuthorityRequest) returns (Operation)

Activate a CertificateAuthority that is in state AWAITING_USER_ACTIVATION and is of type SUBORDINATE. After the parent Certificate Authority signs a certificate signing request from FetchCertificateAuthorityCsr, this method can complete the activation process.

Authorization scopes

Requires the following OAuth scope:

  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

CreateCaPool

rpc CreateCaPool(CreateCaPoolRequest) returns (Operation)

Create a CaPool.

Authorization scopes

Requires the following OAuth scope:

  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

CreateCertificate

rpc CreateCertificate(CreateCertificateRequest) returns (Certificate)

Create a new Certificate in a given Project, Location from a particular CaPool.

Authorization scopes

Requires the following OAuth scope:

  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

CreateCertificateAuthority

rpc CreateCertificateAuthority(CreateCertificateAuthorityRequest) returns (Operation)

Create a new CertificateAuthority in a given Project and Location.

Authorization scopes

Requires the following OAuth scope:

  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

CreateCertificateTemplate

rpc CreateCertificateTemplate(CreateCertificateTemplateRequest) returns (Operation)

Create a new CertificateTemplate in a given Project and Location.

Authorization scopes

Requires the following OAuth scope:

  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

DeleteCaPool

rpc DeleteCaPool(DeleteCaPoolRequest) returns (Operation)

Delete a CaPool.

Authorization scopes

Requires the following OAuth scope:

  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

DeleteCertificateAuthority

rpc DeleteCertificateAuthority(DeleteCertificateAuthorityRequest) returns (Operation)

Delete a CertificateAuthority.

Authorization scopes

Requires the following OAuth scope:

  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

DeleteCertificateTemplate

rpc DeleteCertificateTemplate(DeleteCertificateTemplateRequest) returns (Operation)

DeleteCertificateTemplate deletes a CertificateTemplate.

Authorization scopes

Requires the following OAuth scope:

  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

DisableCertificateAuthority

rpc DisableCertificateAuthority(DisableCertificateAuthorityRequest) returns (Operation)

Disable a CertificateAuthority.

Authorization scopes

Requires the following OAuth scope:

  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

EnableCertificateAuthority

rpc EnableCertificateAuthority(EnableCertificateAuthorityRequest) returns (Operation)

Enable a CertificateAuthority.

Authorization scopes

Requires the following OAuth scope:

  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

FetchCaCerts

rpc FetchCaCerts(FetchCaCertsRequest) returns (FetchCaCertsResponse)

FetchCaCerts returns the current trust anchor for the CaPool. This will include CA certificate chains for all certificate authorities in the ENABLED, DISABLED, or STAGED states.

Authorization scopes

Requires the following OAuth scope:

  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

FetchCertificateAuthorityCsr

rpc FetchCertificateAuthorityCsr(FetchCertificateAuthorityCsrRequest) returns (FetchCertificateAuthorityCsrResponse)

Fetch a certificate signing request (CSR) from a CertificateAuthority that is in state AWAITING_USER_ACTIVATION and is of type SUBORDINATE. The CSR must then be signed by the desired parent Certificate Authority, which could be another CertificateAuthority resource, or could be an on-prem certificate authority. See also ActivateCertificateAuthority.

Authorization scopes

Requires the following OAuth scope:

  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

GetCaPool

rpc GetCaPool(GetCaPoolRequest) returns (CaPool)

Returns a CaPool.

Authorization scopes

Requires the following OAuth scope:

  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

GetCertificate

rpc GetCertificate(GetCertificateRequest) returns (Certificate)

Returns a Certificate.

Authorization scopes

Requires the following OAuth scope:

  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

GetCertificateAuthority

rpc GetCertificateAuthority(GetCertificateAuthorityRequest) returns (CertificateAuthority)

Returns a CertificateAuthority.

Authorization scopes

Requires the following OAuth scope:

  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

GetCertificateRevocationList

rpc GetCertificateRevocationList(GetCertificateRevocationListRequest) returns (CertificateRevocationList)

Returns a CertificateRevocationList.

Authorization scopes

Requires the following OAuth scope:

  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

GetCertificateTemplate

rpc GetCertificateTemplate(GetCertificateTemplateRequest) returns (CertificateTemplate)

Returns a CertificateTemplate.

Authorization scopes

Requires the following OAuth scope:

  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

ListCaPools

rpc ListCaPools(ListCaPoolsRequest) returns (ListCaPoolsResponse)

Lists CaPools.

Authorization scopes

Requires the following OAuth scope:

  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

ListCertificateAuthorities

rpc ListCertificateAuthorities(ListCertificateAuthoritiesRequest) returns (ListCertificateAuthoritiesResponse)

Lists CertificateAuthorities.

Authorization scopes

Requires the following OAuth scope:

  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

ListCertificateRevocationLists

rpc ListCertificateRevocationLists(ListCertificateRevocationListsRequest) returns (ListCertificateRevocationListsResponse)

Lists CertificateRevocationLists.

Authorization scopes

Requires the following OAuth scope:

  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

ListCertificateTemplates

rpc ListCertificateTemplates(ListCertificateTemplatesRequest) returns (ListCertificateTemplatesResponse)

Lists CertificateTemplates.

Authorization scopes

Requires the following OAuth scope:

  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

ListCertificates

rpc ListCertificates(ListCertificatesRequest) returns (ListCertificatesResponse)

Lists Certificates.

Authorization scopes

Requires the following OAuth scope:

  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

RevokeCertificate

rpc RevokeCertificate(RevokeCertificateRequest) returns (Certificate)

Revoke a Certificate.

Authorization scopes

Requires the following OAuth scope:

  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

UndeleteCertificateAuthority

rpc UndeleteCertificateAuthority(UndeleteCertificateAuthorityRequest) returns (Operation)

Undelete a CertificateAuthority that has been deleted.

Authorization scopes

Requires the following OAuth scope:

  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

UpdateCaPool

rpc UpdateCaPool(UpdateCaPoolRequest) returns (Operation)

Update a CaPool.

Authorization scopes

Requires the following OAuth scope:

  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

UpdateCertificate

rpc UpdateCertificate(UpdateCertificateRequest) returns (Certificate)

Update a Certificate. Currently, the only field you can update is the labels field.

Authorization scopes

Requires the following OAuth scope:

  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

UpdateCertificateAuthority

rpc UpdateCertificateAuthority(UpdateCertificateAuthorityRequest) returns (Operation)

Update a CertificateAuthority.

Authorization scopes

Requires the following OAuth scope:

  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

UpdateCertificateRevocationList

rpc UpdateCertificateRevocationList(UpdateCertificateRevocationListRequest) returns (Operation)

Update a CertificateRevocationList.

Authorization scopes

Requires the following OAuth scope:

  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

UpdateCertificateTemplate

rpc UpdateCertificateTemplate(UpdateCertificateTemplateRequest) returns (Operation)

Update a CertificateTemplate.

Authorization scopes

Requires the following OAuth scope:

  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

ActivateCertificateAuthorityRequest

Request message for CertificateAuthorityService.ActivateCertificateAuthority.

Fields
name

string

Required. The resource name for this CertificateAuthority in the format projects/*/locations/*/caPools/*/certificateAuthorities/*.

Authorization requires the following IAM permission on the specified resource name:

  • privateca.certificateAuthorities.update
pem_ca_certificate

string

Required. The signed CA certificate issued from FetchCertificateAuthorityCsrResponse.pem_csr.

subordinate_config

SubordinateConfig

Required. Must include information about the issuer of 'pem_ca_certificate', and any further issuers until the self-signed CA.

request_id

string

Optional. An ID to identify requests. Specify a unique request ID so that if you must retry your request, the server will know to ignore the request if it has already been completed. The server will guarantee that for at least 60 minutes since the first request.

For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, will ignore the second request. This prevents clients from accidentally creating duplicate commitments.

The request ID must be a valid UUID with the exception that zero UUID is not supported (00000000-0000-0000-0000-000000000000).

CaPool

A CaPool represents a group of CertificateAuthorities that form a trust anchor. A CaPool can be used to manage issuance policies for one or more CertificateAuthority resources and to rotate CA certificates in and out of the trust anchor.

Fields
name

string

Output only. The resource name for this CaPool in the format projects/*/locations/*/caPools/*.

tier

Tier

Required. Immutable. The Tier of this CaPool.

issuance_policy

IssuancePolicy

Optional. The IssuancePolicy to control how Certificates will be issued from this CaPool.

publishing_options

PublishingOptions

Optional. The PublishingOptions to follow when issuing Certificates from any CertificateAuthority in this CaPool.

labels

map<string, string>

Optional. Labels with user-defined metadata.

IssuancePolicy

Defines controls over all certificate issuance within a CaPool.

Fields
allowed_key_types[]

AllowedKeyType

Optional. If any AllowedKeyType is specified, then the certificate request's public key must match one of the key types listed here. Otherwise, any key may be used.

maximum_lifetime

Duration

Optional. The maximum lifetime allowed for issued Certificates. Note that if the issuing CertificateAuthority expires before a Certificate resource's requested maximum_lifetime, the effective lifetime will be explicitly truncated to match it.

allowed_issuance_modes

IssuanceModes

Optional. If specified, then only methods allowed in the IssuanceModes may be used to issue Certificates.

baseline_values

X509Parameters

Optional. A set of X.509 values that will be applied to all certificates issued through this CaPool. If a certificate request includes conflicting values for the same properties, they will be overwritten by the values defined here. If a certificate request uses a CertificateTemplate that defines conflicting predefined_values for the same properties, the certificate issuance request will fail.

identity_constraints

CertificateIdentityConstraints

Optional. Describes constraints on identities that may appear in Certificates issued through this CaPool. If this is omitted, then this CaPool will not add restrictions on a certificate's identity.

passthrough_extensions

CertificateExtensionConstraints

Optional. Describes the set of X.509 extensions that may appear in a Certificate issued through this CaPool. If a certificate request sets extensions that don't appear in the passthrough_extensions, those extensions will be dropped. If a certificate request uses a CertificateTemplate with predefined_values that don't appear here, the certificate issuance request will fail. If this is omitted, then this CaPool will not add restrictions on a certificate's X.509 extensions. These constraints do not apply to X.509 extensions set in this CaPool's baseline_values.

AllowedKeyType

Describes a "type" of key that may be used in a Certificate issued from a CaPool. Note that a single AllowedKeyType may refer to either a fully-qualified key algorithm, such as RSA 4096, or a family of key algorithms, such as any RSA key.

Fields

Union field key_type.

key_type can be only one of the following:

rsa

RsaKeyType

Represents an allowed RSA key type.

elliptic_curve

EcKeyType

Represents an allowed Elliptic Curve key type.

EcKeyType

Describes an Elliptic Curve key that may be used in a Certificate issued from a CaPool.

Fields
signature_algorithm

EcSignatureAlgorithm

Optional. A signature algorithm that must be used. If this is omitted, any EC-based signature algorithm will be allowed.

EcSignatureAlgorithm

Describes an elliptic curve-based signature algorithm that may be used in a Certificate issued from a CaPool.

Enums
EC_SIGNATURE_ALGORITHM_UNSPECIFIED Not specified. Signifies that any signature algorithm may be used.
ECDSA_P256 Refers to the Elliptic Curve Digital Signature Algorithm over the NIST P-256 curve.
ECDSA_P384 Refers to the Elliptic Curve Digital Signature Algorithm over the NIST P-384 curve.
EDDSA_25519 Refers to the Edwards-curve Digital Signature Algorithm over curve 25519, as described in RFC 8410.

RsaKeyType

Describes an RSA key that may be used in a Certificate issued from a CaPool.

Fields
min_modulus_size

int64

Optional. The minimum allowed RSA modulus size (inclusive), in bits. If this is not set, or if set to zero, the service-level min RSA modulus size will continue to apply.

max_modulus_size

int64

Optional. The maximum allowed RSA modulus size (inclusive), in bits. If this is not set, or if set to zero, the service will not enforce an explicit upper bound on RSA modulus sizes.

IssuanceModes

IssuanceModes specifies the allowed ways in which Certificates may be requested from this CaPool.

Fields
allow_csr_based_issuance

bool

Optional. When true, allows callers to create Certificates by specifying a CSR.

allow_config_based_issuance

bool

Optional. When true, allows callers to create Certificates by specifying a CertificateConfig.

PublishingOptions

Options relating to the publication of each CertificateAuthority's CA certificate and CRLs and their inclusion as extensions in issued Certificates. The options set here apply to certificates issued by any CertificateAuthority in the CaPool.

Fields
publish_ca_cert

bool

Optional. When true, publishes each CertificateAuthority's CA certificate and includes its URL in the "Authority Information Access" X.509 extension in all issued Certificates. If this is false, the CA certificate will not be published and the corresponding X.509 extension will not be written in issued certificates.

publish_crl

bool

Optional. When true, publishes each CertificateAuthority's CRL and includes its URL in the "CRL Distribution Points" X.509 extension in all issued Certificates. If this is false, CRLs will not be published and the corresponding X.509 extension will not be written in issued certificates. CRLs will expire 7 days from their creation. However, we will rebuild daily. CRLs are also rebuilt shortly after a certificate is revoked.

encoding_format

EncodingFormat

Optional. Specifies the encoding format of each CertificateAuthority resource's CA certificate and CRLs. If this is omitted, CA certificates and CRLs will be published in PEM.

EncodingFormat

Supported encoding formats for publishing.

Enums
ENCODING_FORMAT_UNSPECIFIED Not specified. By default, PEM format will be used.
PEM The CertificateAuthority's CA certificate and CRLs will be published in PEM format.
DER The CertificateAuthority's CA certificate and CRLs will be published in DER format.

Tier

The tier of a CaPool, indicating its supported functionality and/or billing SKU.

Enums
TIER_UNSPECIFIED Not specified.
ENTERPRISE Enterprise tier.
DEVOPS DevOps tier.

Certificate

A Certificate corresponds to a signed X.509 certificate issued by a CertificateAuthority.

Fields
name

string

Output only. The resource name for this Certificate in the format projects/*/locations/*/caPools/*/certificates/*.

issuer_certificate_authority

string

Output only. The resource name of the issuing CertificateAuthority in the format projects/*/locations/*/caPools/*/certificateAuthorities/*.

lifetime

Duration

Required. Immutable. The desired lifetime of a certificate. Used to create the "not_before_time" and "not_after_time" fields inside an X.509 certificate. Note that the lifetime may be truncated if it would extend past the life of any certificate authority in the issuing chain.

certificate_template

string

Immutable. The resource name for a CertificateTemplate used to issue this certificate, in the format projects/*/locations/*/certificateTemplates/*. If this is specified, the caller must have the necessary permission to use this template. If this is omitted, no template will be used. This template must be in the same location as the Certificate.

subject_mode

SubjectRequestMode

Immutable. Specifies how the Certificate's identity fields are to be decided. If this is omitted, the DEFAULT subject mode will be used.

revocation_details

RevocationDetails

Output only. Details regarding the revocation of this Certificate. This Certificate is considered revoked if and only if this field is present.

pem_certificate

string

Output only. The pem-encoded, signed X.509 certificate.

certificate_description

CertificateDescription

Output only. A structured description of the issued X.509 certificate.

pem_certificate_chain[]

string

Output only. The chain that may be used to verify the X.509 certificate. Expected to be in issuer-to-root order according to RFC 5246.

create_time

Timestamp

Output only. The time at which this Certificate was created.

update_time

Timestamp

Output only. The time at which this Certificate was updated.

labels

map<string, string>

Optional. Labels with user-defined metadata.

Union field certificate_config. The config used to create a signed X.509 certificate. certificate_config can be only one of the following:
pem_csr

string

Immutable. A pem-encoded X.509 certificate signing request (CSR).

config

CertificateConfig

Immutable. A description of the certificate and key that does not require X.509 or ASN.1.

RevocationDetails

Describes fields that are relavent to the revocation of a Certificate.

Fields
revocation_state

RevocationReason

Indicates why a Certificate was revoked.

revocation_time

Timestamp

The time at which this Certificate was revoked.

CertificateAuthority

A CertificateAuthority represents an individual Certificate Authority. A CertificateAuthority can be used to create Certificates.

Fields
name

string

Output only. The resource name for this CertificateAuthority in the format projects/*/locations/*/caPools/*/certificateAuthorities/*.

type

Type

Required. Immutable. The Type of this CertificateAuthority.

config

CertificateConfig

Required. Immutable. The config used to create a self-signed X.509 certificate or CSR.

lifetime

Duration

Required. Immutable. The desired lifetime of the CA certificate. Used to create the "not_before_time" and "not_after_time" fields inside an X.509 certificate.

key_spec

KeyVersionSpec

Required. Immutable. Used when issuing certificates for this CertificateAuthority. If this CertificateAuthority is a self-signed CertificateAuthority, this key is also used to sign the self-signed CA certificate. Otherwise, it is used to sign a CSR.

subordinate_config

SubordinateConfig

Optional. If this is a subordinate CertificateAuthority, this field will be set with the subordinate configuration, which describes its issuers. This may be updated, but this CertificateAuthority must continue to validate.

tier

Tier

Output only. The CaPool.Tier of the CaPool that includes this CertificateAuthority.

state

State

Output only. The State for this CertificateAuthority.

pem_ca_certificates[]

string

Output only. This CertificateAuthority's certificate chain, including the current CertificateAuthority's certificate. Ordered such that the root issuer is the final element (consistent with RFC 5246). For a self-signed CA, this will only list the current CertificateAuthority's certificate.

ca_certificate_descriptions[]

CertificateDescription

Output only. A structured description of this CertificateAuthority's CA certificate and its issuers. Ordered as self-to-root.

gcs_bucket

string

Immutable. The name of a Cloud Storage bucket where this CertificateAuthority will publish content, such as the CA certificate and CRLs. This must be a bucket name, without any prefixes (such as gs://) or suffixes (such as .googleapis.com). For example, to use a bucket named my-bucket, you would simply specify my-bucket. If not specified, a managed bucket will be created.

access_urls

AccessUrls

Output only. URLs for accessing content published by this CA, such as the CA certificate and CRLs.

create_time

Timestamp

Output only. The time at which this CertificateAuthority was created.

update_time

Timestamp

Output only. The time at which this CertificateAuthority was last updated.

delete_time

Timestamp

Output only. The time at which this CertificateAuthority was soft deleted, if it is in the DELETED state.

expire_time

Timestamp

Output only. The time at which this CertificateAuthority will be permanently purged, if it is in the DELETED state.

labels

map<string, string>

Optional. Labels with user-defined metadata.

satisfies_pzs

bool

Output only. Reserved for future use.

satisfies_pzi

bool

Output only. Reserved for future use.

AccessUrls

URLs where a CertificateAuthority will publish content.

Fields
ca_certificate_access_url

string

The URL where this CertificateAuthority's CA certificate is published. This will only be set for CAs that have been activated.

crl_access_urls[]

string

The URLs where this CertificateAuthority's CRLs are published. This will only be set for CAs that have been activated.

KeyVersionSpec

A Cloud KMS key configuration that a CertificateAuthority will use.

Fields

Union field KeyVersion.

KeyVersion can be only one of the following:

cloud_kms_key_version

string

The resource name for an existing Cloud KMS CryptoKeyVersion in the format projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*. This option enables full flexibility in the key's capabilities and properties.

algorithm

SignHashAlgorithm

The algorithm to use for creating a managed Cloud KMS key for a for a simplified experience. All managed keys will be have their [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] as HSM.

SignHashAlgorithm

The algorithm of a Cloud KMS CryptoKeyVersion of a [CryptoKey][google.cloud.kms.v1.CryptoKey] with the [CryptoKeyPurpose][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose] value ASYMMETRIC_SIGN. These values correspond to the [CryptoKeyVersionAlgorithm][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm] values. For RSA signing algorithms, the PSS algorithms should be preferred, use PKCS1 algorithms if required for compatibility. For further recommendations, see https://cloud.google.com/kms/docs/algorithms#algorithm_recommendations.

Enums
SIGN_HASH_ALGORITHM_UNSPECIFIED Not specified.
RSA_PSS_2048_SHA256 maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PSS_2048_SHA256
RSA_PSS_3072_SHA256 maps to CryptoKeyVersionAlgorithm. RSA_SIGN_PSS_3072_SHA256
RSA_PSS_4096_SHA256 maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PSS_4096_SHA256
RSA_PKCS1_2048_SHA256 maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_2048_SHA256
RSA_PKCS1_3072_SHA256 maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_3072_SHA256
RSA_PKCS1_4096_SHA256 maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_4096_SHA256
EC_P256_SHA256 maps to CryptoKeyVersionAlgorithm.EC_SIGN_P256_SHA256
EC_P384_SHA384 maps to CryptoKeyVersionAlgorithm.EC_SIGN_P384_SHA384

State

The state of a CertificateAuthority, indicating if it can be used.

Enums
STATE_UNSPECIFIED Not specified.
ENABLED Certificates can be issued from this CA. CRLs will be generated for this CA. The CA will be part of the CaPool's trust anchor, and will be used to issue certificates from the CaPool.
DISABLED Certificates cannot be issued from this CA. CRLs will still be generated. The CA will be part of the CaPool's trust anchor, but will not be used to issue certificates from the CaPool.
STAGED Certificates can be issued from this CA. CRLs will be generated for this CA. The CA will be part of the CaPool's trust anchor, but will not be used to issue certificates from the CaPool.
AWAITING_USER_ACTIVATION Certificates cannot be issued from this CA. CRLs will not be generated. The CA will not be part of the CaPool's trust anchor, and will not be used to issue certificates from the CaPool.
DELETED Certificates cannot be issued from this CA. CRLs will not be generated. The CA may still be recovered by calling CertificateAuthorityService.UndeleteCertificateAuthority before expire_time. The CA will not be part of the CaPool's trust anchor, and will not be used to issue certificates from the CaPool.

Type

The type of a CertificateAuthority, indicating its issuing chain.

Enums
TYPE_UNSPECIFIED Not specified.
SELF_SIGNED Self-signed CA.
SUBORDINATE Subordinate CA. Could be issued by a Private CA CertificateAuthority or an unmanaged CA.

CertificateConfig

A CertificateConfig describes an X.509 certificate or CSR that is to be created, as an alternative to using ASN.1.

Fields
subject_config

SubjectConfig

Required. Specifies some of the values in a certificate that are related to the subject.

x509_config

X509Parameters

Required. Describes how some of the technical X.509 fields in a certificate should be populated.

public_key

PublicKey

Optional. The public key that corresponds to this config. This is, for example, used when issuing Certificates, but not when creating a self-signed CertificateAuthority or CertificateAuthority CSR.

subject_key_id

KeyId

Optional. When specified this provides a custom SKI to be used in the certificate. This should only be used to maintain a SKI of an existing CA originally created outside CA service, which was not generated using method (1) described in RFC 5280 section 4.2.1.2.

KeyId

A KeyId identifies a specific public key, usually by hashing the public key.

Fields
key_id

string

Required. The value of this KeyId encoded in lowercase hexadecimal. This is most likely the 160 bit SHA-1 hash of the public key.

SubjectConfig

These values are used to create the distinguished name and subject alternative name fields in an X.509 certificate.

Fields
subject

Subject

Optional. Contains distinguished name fields such as the common name, location and organization.

subject_alt_name

SubjectAltNames

Optional. The subject alternative name fields.

CertificateDescription

A CertificateDescription describes an X.509 certificate or CSR that has been issued, as an alternative to using ASN.1 / X.509.

Fields
subject_description

SubjectDescription

Describes some of the values in a certificate that are related to the subject and lifetime.

x509_description

X509Parameters

Describes some of the technical X.509 fields in a certificate.

public_key

PublicKey

The public key that corresponds to an issued certificate.

subject_key_id

KeyId

Provides a means of identifiying certificates that contain a particular public key, per https://tools.ietf.org/html/rfc5280#section-4.2.1.2.

authority_key_id

KeyId

Identifies the subject_key_id of the parent certificate, per https://tools.ietf.org/html/rfc5280#section-4.2.1.1

crl_distribution_points[]

string

Describes a list of locations to obtain CRL information, i.e. the DistributionPoint.fullName described by https://tools.ietf.org/html/rfc5280#section-4.2.1.13

aia_issuing_certificate_urls[]

string

Describes lists of issuer CA certificate URLs that appear in the "Authority Information Access" extension in the certificate.

cert_fingerprint

CertificateFingerprint

The hash of the x.509 certificate.

CertificateFingerprint

A group of fingerprints for the x509 certificate.

Fields
sha256_hash

string

The SHA 256 hash, encoded in hexadecimal, of the DER x509 certificate.

KeyId

A KeyId identifies a specific public key, usually by hashing the public key.

Fields
key_id

string

Optional. The value of this KeyId encoded in lowercase hexadecimal. This is most likely the 160 bit SHA-1 hash of the public key.

SubjectDescription

These values describe fields in an issued X.509 certificate such as the distinguished name, subject alternative names, serial number, and lifetime.

Fields
subject

Subject

Contains distinguished name fields such as the common name, location and / organization.

subject_alt_name

SubjectAltNames

The subject alternative name fields.

hex_serial_number

string

The serial number encoded in lowercase hexadecimal.

lifetime

Duration

For convenience, the actual lifetime of an issued certificate.

not_before_time

Timestamp

The time at which the certificate becomes valid.

not_after_time

Timestamp

The time after which the certificate is expired. Per RFC 5280, the validity period for a certificate is the period of time from not_before_time through not_after_time, inclusive. Corresponds to 'not_before_time' + 'lifetime' - 1 second.

CertificateExtensionConstraints

Describes a set of X.509 extensions that may be part of some certificate issuance controls.

Fields
known_extensions[]

KnownCertificateExtension

Optional. A set of named X.509 extensions. Will be combined with additional_extensions to determine the full set of X.509 extensions.

additional_extensions[]

ObjectId

Optional. A set of ObjectIds identifying custom X.509 extensions. Will be combined with known_extensions to determine the full set of X.509 extensions.

KnownCertificateExtension

Describes well-known X.509 extensions that can appear in a Certificate, not including the SubjectAltNames extension.

Enums
KNOWN_CERTIFICATE_EXTENSION_UNSPECIFIED Not specified.
BASE_KEY_USAGE Refers to a certificate's Key Usage extension, as described in RFC 5280 section 4.2.1.3. This corresponds to the KeyUsage.base_key_usage field.
EXTENDED_KEY_USAGE Refers to a certificate's Extended Key Usage extension, as described in RFC 5280 section 4.2.1.12. This corresponds to the KeyUsage.extended_key_usage message.
CA_OPTIONS Refers to a certificate's Basic Constraints extension, as described in RFC 5280 section 4.2.1.9. This corresponds to the X509Parameters.ca_options field.
POLICY_IDS Refers to a certificate's Policy object identifiers, as described in RFC 5280 section 4.2.1.4. This corresponds to the X509Parameters.policy_ids field.
AIA_OCSP_SERVERS Refers to OCSP servers in a certificate's Authority Information Access extension, as described in RFC 5280 section 4.2.2.1, This corresponds to the X509Parameters.aia_ocsp_servers field.
NAME_CONSTRAINTS Refers to Name Constraints extension as described in RFC 5280 section 4.2.1.10

CertificateIdentityConstraints

Describes constraints on a Certificate's Subject and SubjectAltNames.

Fields
cel_expression

Expr

Optional. A CEL expression that may be used to validate the resolved X.509 Subject and/or Subject Alternative Name before a certificate is signed. To see the full allowed syntax and some examples, see https://cloud.google.com/certificate-authority-service/docs/using-cel

allow_subject_passthrough

bool

Required. If this is true, the Subject field may be copied from a certificate request into the signed certificate. Otherwise, the requested Subject will be discarded.

allow_subject_alt_names_passthrough

bool

Required. If this is true, the SubjectAltNames extension may be copied from a certificate request into the signed certificate. Otherwise, the requested SubjectAltNames will be discarded.

CertificateRevocationList

A CertificateRevocationList corresponds to a signed X.509 certificate Revocation List (CRL). A CRL contains the serial numbers of certificates that should no longer be trusted.

Fields
name

string

Output only. The resource name for this CertificateRevocationList in the format projects/*/locations/*/caPools/*certificateAuthorities/*/ certificateRevocationLists/*.

sequence_number

int64

Output only. The CRL sequence number that appears in pem_crl.

revoked_certificates[]

RevokedCertificate

Output only. The revoked serial numbers that appear in pem_crl.

pem_crl

string

Output only. The PEM-encoded X.509 CRL.

access_url

string

Output only. The location where 'pem_crl' can be accessed.

state

State

Output only. The State for this CertificateRevocationList.

create_time

Timestamp

Output only. The time at which this CertificateRevocationList was created.

update_time

Timestamp

Output only. The time at which this CertificateRevocationList was updated.

revision_id

string

Output only. The revision ID of this CertificateRevocationList. A new revision is committed whenever a new CRL is published. The format is an 8-character hexadecimal string.

labels

map<string, string>

Optional. Labels with user-defined metadata.

RevokedCertificate

Describes a revoked Certificate.

Fields
certificate

string

The resource name for the Certificate in the format projects/*/locations/*/caPools/*/certificates/*.

hex_serial_number

string

The serial number of the Certificate.

revocation_reason

RevocationReason

The reason the Certificate was revoked.

State

The state of a CertificateRevocationList, indicating if it is current.

Enums
STATE_UNSPECIFIED Not specified.
ACTIVE The CertificateRevocationList is up to date.
SUPERSEDED The CertificateRevocationList is no longer current.

CertificateTemplate

A CertificateTemplate refers to a managed template for certificate issuance.

Fields
name

string

Output only. The resource name for this CertificateTemplate in the format projects/*/locations/*/certificateTemplates/*.

maximum_lifetime

Duration

Optional. The maximum lifetime allowed for issued Certificates that use this template. If the issuing CaPool resource's IssuancePolicy specifies a maximum_lifetime the minimum of the two durations will be the maximum lifetime for issued Certificates. Note that if the issuing CertificateAuthority expires before a Certificate's requested maximum_lifetime, the effective lifetime will be explicitly truncated to match it.

predefined_values

X509Parameters

Optional. A set of X.509 values that will be applied to all issued certificates that use this template. If the certificate request includes conflicting values for the same properties, they will be overwritten by the values defined here. If the issuing CaPool's IssuancePolicy defines conflicting baseline_values for the same properties, the certificate issuance request will fail.

identity_constraints

CertificateIdentityConstraints

Optional. Describes constraints on identities that may be appear in Certificates issued using this template. If this is omitted, then this template will not add restrictions on a certificate's identity.

passthrough_extensions

CertificateExtensionConstraints

Optional. Describes the set of X.509 extensions that may appear in a Certificate issued using this CertificateTemplate. If a certificate request sets extensions that don't appear in the passthrough_extensions, those extensions will be dropped. If the issuing CaPool's IssuancePolicy defines baseline_values that don't appear here, the certificate issuance request will fail. If this is omitted, then this template will not add restrictions on a certificate's X.509 extensions. These constraints do not apply to X.509 extensions set in this CertificateTemplate's predefined_values.

description

string

Optional. A human-readable description of scenarios this template is intended for.

create_time

Timestamp

Output only. The time at which this CertificateTemplate was created.

update_time

Timestamp

Output only. The time at which this CertificateTemplate was updated.

labels

map<string, string>

Optional. Labels with user-defined metadata.

CreateCaPoolRequest

Request message for CertificateAuthorityService.CreateCaPool.

Fields
parent

string

Required. The resource name of the location associated with the CaPool, in the format projects/*/locations/*.

Authorization requires the following IAM permission on the specified resource parent:

  • privateca.caPools.create
ca_pool_id

string

Required. It must be unique within a location and match the regular expression [a-zA-Z0-9_-]{1,63}

ca_pool

CaPool

Required. A CaPool with initial field values.

request_id

string

Optional. An ID to identify requests. Specify a unique request ID so that if you must retry your request, the server will know to ignore the request if it has already been completed. The server will guarantee that for at least 60 minutes since the first request.

For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, will ignore the second request. This prevents clients from accidentally creating duplicate commitments.

The request ID must be a valid UUID with the exception that zero UUID is not supported (00000000-0000-0000-0000-000000000000).

CreateCertificateAuthorityRequest

Request message for CertificateAuthorityService.CreateCertificateAuthority.

Fields
parent

string

Required. The resource name of the CaPool associated with the CertificateAuthorities, in the format projects/*/locations/*/caPools/*.

Authorization requires the following IAM permission on the specified resource parent:

  • privateca.certificateAuthorities.create
certificate_authority_id

string

Required. It must be unique within a location and match the regular expression [a-zA-Z0-9_-]{1,63}

certificate_authority

CertificateAuthority

Required. A CertificateAuthority with initial field values.

request_id

string

Optional. An ID to identify requests. Specify a unique request ID so that if you must retry your request, the server will know to ignore the request if it has already been completed. The server will guarantee that for at least 60 minutes since the first request.

For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, will ignore the second request. This prevents clients from accidentally creating duplicate commitments.

The request ID must be a valid UUID with the exception that zero UUID is not supported (00000000-0000-0000-0000-000000000000).

CreateCertificateRequest

Request message for CertificateAuthorityService.CreateCertificate.

Fields
parent

string

Required. The resource name of the CaPool associated with the Certificate, in the format projects/*/locations/*/caPools/*.

Authorization requires one or more of the following IAM permissions on the specified resource parent:

  • privateca.certificates.create
  • privateca.certificates.createForSelf
certificate_id

string

Optional. It must be unique within a location and match the regular expression [a-zA-Z0-9_-]{1,63}. This field is required when using a CertificateAuthority in the Enterprise [CertificateAuthority.Tier][], but is optional and its value is ignored otherwise.

certificate

Certificate

Required. A Certificate with initial field values.

request_id

string

Optional. An ID to identify requests. Specify a unique request ID so that if you must retry your request, the server will know to ignore the request if it has already been completed. The server will guarantee that for at least 60 minutes since the first request.

For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, will ignore the second request. This prevents clients from accidentally creating duplicate commitments.

The request ID must be a valid UUID with the exception that zero UUID is not supported (00000000-0000-0000-0000-000000000000).

validate_only

bool

Optional. If this is true, no Certificate resource will be persisted regardless of the CaPool's tier, and the returned Certificate will not contain the pem_certificate field.

issuing_certificate_authority_id

string

Optional. The resource ID of the CertificateAuthority that should issue the certificate. This optional field will ignore the load-balancing scheme of the Pool and directly issue the certificate from the CA with the specified ID, contained in the same CaPool referenced by parent. Per-CA quota rules apply. If left empty, a CertificateAuthority will be chosen from the CaPool by the service. For example, to issue a Certificate from a Certificate Authority with resource name "projects/my-project/locations/us-central1/caPools/my-pool/certificateAuthorities/my-ca", you can set the parent to "projects/my-project/locations/us-central1/caPools/my-pool" and the issuing_certificate_authority_id to "my-ca".

CreateCertificateTemplateRequest

Request message for CertificateAuthorityService.CreateCertificateTemplate.

Fields
parent

string

Required. The resource name of the location associated with the CertificateTemplate, in the format projects/*/locations/*.

Authorization requires the following IAM permission on the specified resource parent:

  • privateca.certificateTemplates.create
certificate_template_id

string

Required. It must be unique within a location and match the regular expression [a-zA-Z0-9_-]{1,63}

certificate_template

CertificateTemplate

Required. A CertificateTemplate with initial field values.

request_id

string

Optional. An ID to identify requests. Specify a unique request ID so that if you must retry your request, the server will know to ignore the request if it has already been completed. The server will guarantee that for at least 60 minutes since the first request.

For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, will ignore the second request. This prevents clients from accidentally creating duplicate commitments.

The request ID must be a valid UUID with the exception that zero UUID is not supported (00000000-0000-0000-0000-000000000000).

DeleteCaPoolRequest

Request message for CertificateAuthorityService.DeleteCaPool.

Fields
name

string

Required. The resource name for this CaPool in the format projects/*/locations/*/caPools/*.

Authorization requires the following IAM permission on the specified resource name:

  • privateca.caPools.delete
request_id

string

Optional. An ID to identify requests. Specify a unique request ID so that if you must retry your request, the server will know to ignore the request if it has already been completed. The server will guarantee that for at least 60 minutes since the first request.

For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, will ignore the second request. This prevents clients from accidentally creating duplicate commitments.

The request ID must be a valid UUID with the exception that zero UUID is not supported (00000000-0000-0000-0000-000000000000).

ignore_dependent_resources

bool

Optional. This field allows this pool to be deleted even if it's being depended on by another resource. However, doing so may result in unintended and unrecoverable effects on any dependent resources since the pool will no longer be able to issue certificates.

DeleteCertificateAuthorityRequest

Request message for CertificateAuthorityService.DeleteCertificateAuthority.

Fields
name

string

Required. The resource name for this CertificateAuthority in the format projects/*/locations/*/caPools/*/certificateAuthorities/*.

Authorization requires the following IAM permission on the specified resource name:

  • privateca.certificateAuthorities.delete
request_id

string

Optional. An ID to identify requests. Specify a unique request ID so that if you must retry your request, the server will know to ignore the request if it has already been completed. The server will guarantee that for at least 60 minutes since the first request.

For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, will ignore the second request. This prevents clients from accidentally creating duplicate commitments.

The request ID must be a valid UUID with the exception that zero UUID is not supported (00000000-0000-0000-0000-000000000000).

ignore_active_certificates

bool

Optional. This field allows the CA to be deleted even if the CA has active certs. Active certs include both unrevoked and unexpired certs.

skip_grace_period

bool

Optional. If this flag is set, the Certificate Authority will be deleted as soon as possible without a 30-day grace period where undeletion would have been allowed. If you proceed, there will be no way to recover this CA.

ignore_dependent_resources

bool

Optional. This field allows this CA to be deleted even if it's being depended on by another resource. However, doing so may result in unintended and unrecoverable effects on any dependent resources since the CA will no longer be able to issue certificates.

DeleteCertificateTemplateRequest

Request message for CertificateAuthorityService.DeleteCertificateTemplate.

Fields
name

string

Required. The resource name for this CertificateTemplate in the format projects/*/locations/*/certificateTemplates/*.

Authorization requires the following IAM permission on the specified resource name:

  • privateca.certificateTemplates.delete
request_id

string

Optional. An ID to identify requests. Specify a unique request ID so that if you must retry your request, the server will know to ignore the request if it has already been completed. The server will guarantee that for at least 60 minutes since the first request.

For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, will ignore the second request. This prevents clients from accidentally creating duplicate commitments.

The request ID must be a valid UUID with the exception that zero UUID is not supported (00000000-0000-0000-0000-000000000000).

DisableCertificateAuthorityRequest

Request message for CertificateAuthorityService.DisableCertificateAuthority.

Fields
name

string

Required. The resource name for this CertificateAuthority in the format projects/*/locations/*/caPools/*/certificateAuthorities/*.

Authorization requires the following IAM permission on the specified resource name:

  • privateca.certificateAuthorities.update
request_id

string

Optional. An ID to identify requests. Specify a unique request ID so that if you must retry your request, the server will know to ignore the request if it has already been completed. The server will guarantee that for at least 60 minutes since the first request.

For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, will ignore the second request. This prevents clients from accidentally creating duplicate commitments.

The request ID must be a valid UUID with the exception that zero UUID is not supported (00000000-0000-0000-0000-000000000000).

ignore_dependent_resources

bool

Optional. This field allows this CA to be disabled even if it's being depended on by another resource. However, doing so may result in unintended and unrecoverable effects on any dependent resources since the CA will no longer be able to issue certificates.

EnableCertificateAuthorityRequest

Request message for CertificateAuthorityService.EnableCertificateAuthority.

Fields
name

string

Required. The resource name for this CertificateAuthority in the format projects/*/locations/*/caPools/*/certificateAuthorities/*.

Authorization requires the following IAM permission on the specified resource name:

  • privateca.certificateAuthorities.update
request_id

string

Optional. An ID to identify requests. Specify a unique request ID so that if you must retry your request, the server will know to ignore the request if it has already been completed. The server will guarantee that for at least 60 minutes since the first request.

For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, will ignore the second request. This prevents clients from accidentally creating duplicate commitments.

The request ID must be a valid UUID with the exception that zero UUID is not supported (00000000-0000-0000-0000-000000000000).

FetchCaCertsRequest

Request message for CertificateAuthorityService.FetchCaCerts.

Fields
ca_pool

string

Required. The resource name for the CaPool in the format projects/*/locations/*/caPools/*.

Authorization requires the following IAM permission on the specified resource caPool:

  • privateca.caPools.get
request_id

string

Optional. An ID to identify requests. Specify a unique request ID so that if you must retry your request, the server will know to ignore the request if it has already been completed. The server will guarantee that for at least 60 minutes since the first request.

For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, will ignore the second request. This prevents clients from accidentally creating duplicate commitments.

The request ID must be a valid UUID with the exception that zero UUID is not supported (00000000-0000-0000-0000-000000000000).

FetchCaCertsResponse

Response message for CertificateAuthorityService.FetchCaCerts.

Fields
ca_certs[]

CertChain

The PEM encoded CA certificate chains of all certificate authorities in this CaPool in the ENABLED, DISABLED, or STAGED states.

CertChain

Fields
certificates[]

string

The certificates that form the CA chain, from leaf to root order.

FetchCertificateAuthorityCsrRequest

Request message for CertificateAuthorityService.FetchCertificateAuthorityCsr.

Fields
name

string

Required. The resource name for this CertificateAuthority in the format projects/*/locations/*/caPools/*/certificateAuthorities/*.

Authorization requires the following IAM permission on the specified resource name:

  • privateca.certificateAuthorities.get

FetchCertificateAuthorityCsrResponse

Response message for CertificateAuthorityService.FetchCertificateAuthorityCsr.

Fields
pem_csr

string

Output only. The PEM-encoded signed certificate signing request (CSR).

GetCaPoolRequest

Request message for CertificateAuthorityService.GetCaPool.

Fields
name

string

Required. The name of the CaPool to get.

Authorization requires the following IAM permission on the specified resource name:

  • privateca.caPools.get

GetCertificateAuthorityRequest

Request message for CertificateAuthorityService.GetCertificateAuthority.

Fields
name

string

Required. The name of the CertificateAuthority to get.

Authorization requires the following IAM permission on the specified resource name:

  • privateca.certificateAuthorities.get

GetCertificateRequest

Request message for CertificateAuthorityService.GetCertificate.

Fields
name

string

Required. The name of the Certificate to get.

Authorization requires the following IAM permission on the specified resource name:

  • privateca.certificates.get

GetCertificateRevocationListRequest

Request message for CertificateAuthorityService.GetCertificateRevocationList.

Fields
name

string

Required. The name of the CertificateRevocationList to get.

Authorization requires the following IAM permission on the specified resource name:

  • privateca.certificateRevocationLists.get

GetCertificateTemplateRequest

Request message for CertificateAuthorityService.GetCertificateTemplate.

Fields
name

string

Required. The name of the CertificateTemplate to get.

Authorization requires the following IAM permission on the specified resource name:

  • privateca.certificateTemplates.get

KeyUsage

A KeyUsage describes key usage values that may appear in an X.509 certificate.

Fields
base_key_usage

KeyUsageOptions

Describes high-level ways in which a key may be used.

extended_key_usage

ExtendedKeyUsageOptions

Detailed scenarios in which a key may be used.

unknown_extended_key_usages[]

ObjectId

Used to describe extended key usages that are not listed in the KeyUsage.ExtendedKeyUsageOptions message.

ExtendedKeyUsageOptions

KeyUsage.ExtendedKeyUsageOptions has fields that correspond to certain common OIDs that could be specified as an extended key usage value.

Fields
server_auth

bool

Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as "TLS WWW server authentication", though regularly used for non-WWW TLS.

client_auth

bool

Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as "TLS WWW client authentication", though regularly used for non-WWW TLS.

code_signing

bool

Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as "Signing of downloadable executable code client authentication".

email_protection

bool

Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as "Email protection".

time_stamping

bool

Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as "Binding the hash of an object to a time".

ocsp_signing

bool

Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as "Signing OCSP responses".

KeyUsageOptions

KeyUsage.KeyUsageOptions corresponds to the key usage values described in https://tools.ietf.org/html/rfc5280#section-4.2.1.3.

Fields
digital_signature

bool

The key may be used for digital signatures.

content_commitment

bool

The key may be used for cryptographic commitments. Note that this may also be referred to as "non-repudiation".

key_encipherment

bool

The key may be used to encipher other keys.

data_encipherment

bool

The key may be used to encipher data.

key_agreement

bool

The key may be used in a key agreement protocol.

cert_sign

bool

The key may be used to sign certificates.

crl_sign

bool

The key may be used sign certificate revocation lists.

encipher_only

bool

The key may be used to encipher only.

decipher_only

bool

The key may be used to decipher only.

ListCaPoolsRequest

Request message for CertificateAuthorityService.ListCaPools.

Fields
parent

string

Required. The resource name of the location associated with the CaPools, in the format projects/*/locations/*.

Authorization requires the following IAM permission on the specified resource parent:

  • privateca.caPools.list
page_size

int32

Optional. Limit on the number of CaPools to include in the response. Further CaPools can subsequently be obtained by including the ListCaPoolsResponse.next_page_token in a subsequent request. If unspecified, the server will pick an appropriate default.

page_token

string

Optional. Pagination token, returned earlier via ListCaPoolsResponse.next_page_token.

filter

string

Optional. Only include resources that match the filter in the response.

order_by

string

Optional. Specify how the results should be sorted.

ListCaPoolsResponse

Response message for CertificateAuthorityService.ListCaPools.

Fields
ca_pools[]

CaPool

The list of CaPools.

next_page_token

string

A token to retrieve next page of results. Pass this value in [ListCertificateAuthoritiesRequest.next_page_token][] to retrieve the next page of results.

unreachable[]

string

A list of locations (e.g. "us-west1") that could not be reached.

ListCertificateAuthoritiesRequest

Request message for CertificateAuthorityService.ListCertificateAuthorities.

Fields
parent

string

Required. The resource name of the CaPool associated with the CertificateAuthorities, in the format projects/*/locations/*/caPools/*.

Authorization requires the following IAM permission on the specified resource parent:

  • privateca.certificateAuthorities.list
page_size

int32

Optional. Limit on the number of CertificateAuthorities to include in the response. Further CertificateAuthorities can subsequently be obtained by including the ListCertificateAuthoritiesResponse.next_page_token in a subsequent request. If unspecified, the server will pick an appropriate default.

page_token

string

Optional. Pagination token, returned earlier via ListCertificateAuthoritiesResponse.next_page_token.

filter

string

Optional. Only include resources that match the filter in the response.

order_by

string

Optional. Specify how the results should be sorted.

ListCertificateAuthoritiesResponse

Response message for CertificateAuthorityService.ListCertificateAuthorities.

Fields
certificate_authorities[]

CertificateAuthority

The list of CertificateAuthorities.

next_page_token

string

A token to retrieve next page of results. Pass this value in [ListCertificateAuthoritiesRequest.next_page_token][] to retrieve the next page of results.

unreachable[]

string

A list of locations (e.g. "us-west1") that could not be reached.

ListCertificateRevocationListsRequest

Request message for CertificateAuthorityService.ListCertificateRevocationLists.

Fields
parent

string

Required. The resource name of the location associated with the CertificateRevocationLists, in the format projects/*/locations/*/caPools/*/certificateAuthorities/*.

Authorization requires the following IAM permission on the specified resource parent:

  • privateca.certificateRevocationLists.list
page_size

int32

Optional. Limit on the number of CertificateRevocationLists to include in the response. Further CertificateRevocationLists can subsequently be obtained by including the ListCertificateRevocationListsResponse.next_page_token in a subsequent request. If unspecified, the server will pick an appropriate default.

page_token

string

Optional. Pagination token, returned earlier via ListCertificateRevocationListsResponse.next_page_token.

filter

string

Optional. Only include resources that match the filter in the response.

order_by

string

Optional. Specify how the results should be sorted.

ListCertificateRevocationListsResponse

Response message for CertificateAuthorityService.ListCertificateRevocationLists.

Fields
certificate_revocation_lists[]

CertificateRevocationList

The list of CertificateRevocationLists.

next_page_token

string

A token to retrieve next page of results. Pass this value in [ListCertificateRevocationListsRequest.next_page_token][] to retrieve the next page of results.

unreachable[]

string

A list of locations (e.g. "us-west1") that could not be reached.

ListCertificateTemplatesRequest

Request message for CertificateAuthorityService.ListCertificateTemplates.

Fields
parent

string

Required. The resource name of the location associated with the CertificateTemplates, in the format projects/*/locations/*.

Authorization requires the following IAM permission on the specified resource parent:

  • privateca.certificateTemplates.list
page_size

int32

Optional. Limit on the number of CertificateTemplates to include in the response. Further CertificateTemplates can subsequently be obtained by including the ListCertificateTemplatesResponse.next_page_token in a subsequent request. If unspecified, the server will pick an appropriate default.

page_token

string

Optional. Pagination token, returned earlier via ListCertificateTemplatesResponse.next_page_token.

filter

string

Optional. Only include resources that match the filter in the response.

order_by

string

Optional. Specify how the results should be sorted.

ListCertificateTemplatesResponse

Response message for CertificateAuthorityService.ListCertificateTemplates.

Fields
certificate_templates[]

CertificateTemplate

The list of CertificateTemplates.

next_page_token

string

A token to retrieve next page of results. Pass this value in [ListCertificateTemplatesRequest.next_page_token][] to retrieve the next page of results.

unreachable[]

string

A list of locations (e.g. "us-west1") that could not be reached.

ListCertificatesRequest

Request message for CertificateAuthorityService.ListCertificates.

Fields
parent

string

Required. The resource name of the location associated with the Certificates, in the format projects/*/locations/*/caPools/*.

Authorization requires the following IAM permission on the specified resource parent:

  • privateca.certificates.list
page_size

int32

Optional. Limit on the number of Certificates to include in the response. Further Certificates can subsequently be obtained by including the ListCertificatesResponse.next_page_token in a subsequent request. If unspecified, the server will pick an appropriate default.

page_token

string

Optional. Pagination token, returned earlier via ListCertificatesResponse.next_page_token.

filter

string

Optional. Only include resources that match the filter in the response. For details on supported filters and syntax, see Certificates Filtering documentation.

order_by

string

Optional. Specify how the results should be sorted. For details on supported fields and syntax, see Certificates Sorting documentation.

ListCertificatesResponse

Response message for CertificateAuthorityService.ListCertificates.

Fields
certificates[]

Certificate

The list of Certificates.

next_page_token

string

A token to retrieve next page of results. Pass this value in [ListCertificatesRequest.next_page_token][] to retrieve the next page of results.

unreachable[]

string

A list of locations (e.g. "us-west1") that could not be reached.

ObjectId

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.

Fields
object_id_path[]

int32

Required. The parts of an OID path. The most significant parts of the path come first.

OperationMetadata

Represents the metadata of the long-running operation.

Fields
create_time

Timestamp

Output only. The time the operation was created.

end_time

Timestamp

Output only. The time the operation finished running.

target

string

Output only. Server-defined resource path for the target of the operation.

verb

string

Output only. Name of the verb executed by the operation.

status_message

string

Output only. Human-readable status of the operation, if any.

requested_cancellation

bool

Output only. Identifies whether the user has requested cancellation of the operation. Operations that have successfully been cancelled have [Operation.error][] value with a google.rpc.Status.code of 1, corresponding to Code.CANCELLED.

api_version

string

Output only. API version used to start the operation.

PublicKey

A PublicKey describes a public key.

Fields
key

bytes

Required. A public key. The padding and encoding must match with the KeyFormat value specified for the format field.

format

KeyFormat

Required. The format of the public key.

KeyFormat

Types of public keys formats that are supported. Currently, only PEM format is supported.

Enums
KEY_FORMAT_UNSPECIFIED Default unspecified value.
PEM The key is PEM-encoded as defined in RFC 7468. It can be any of the following: a PEM-encoded PKCS#1/RFC 3447 RSAPublicKey structure, an RFC 5280 SubjectPublicKeyInfo or a PEM-encoded X.509 certificate signing request (CSR). If a SubjectPublicKeyInfo is specified, it can contain a A PEM-encoded PKCS#1/RFC 3447 RSAPublicKey or a NIST P-256/secp256r1/prime256v1 or P-384 key. If a CSR is specified, it will used solely for the purpose of extracting the public key. When generated by the service, it will always be an RFC 5280 SubjectPublicKeyInfo structure containing an algorithm identifier and a key.

RevocationReason

A RevocationReason indicates whether a Certificate has been revoked, and the reason for revocation. These correspond to standard revocation reasons from RFC 5280. Note that the enum labels and values in this definition are not the same ASN.1 values defined in RFC 5280. These values will be translated to the correct ASN.1 values when a CRL is created.

Enums
REVOCATION_REASON_UNSPECIFIED Default unspecified value. This value does indicate that a Certificate has been revoked, but that a reason has not been recorded.
KEY_COMPROMISE Key material for this Certificate may have leaked.
CERTIFICATE_AUTHORITY_COMPROMISE The key material for a certificate authority in the issuing path may have leaked.
AFFILIATION_CHANGED The subject or other attributes in this Certificate have changed.
SUPERSEDED This Certificate has been superseded.
CESSATION_OF_OPERATION This Certificate or entities in the issuing path have ceased to operate.
CERTIFICATE_HOLD This Certificate should not be considered valid, it is expected that it may become valid in the future.
PRIVILEGE_WITHDRAWN This Certificate no longer has permission to assert the listed attributes.
ATTRIBUTE_AUTHORITY_COMPROMISE The authority which determines appropriate attributes for a Certificate may have been compromised.

RevokeCertificateRequest

Request message for CertificateAuthorityService.RevokeCertificate.

Fields
name

string

Required. The resource name for this Certificate in the format projects/*/locations/*/caPools/*/certificates/*.

Authorization requires the following IAM permission on the specified resource name:

  • privateca.certificates.update
reason

RevocationReason

Required. The RevocationReason for revoking this certificate.

request_id

string

Optional. An ID to identify requests. Specify a unique request ID so that if you must retry your request, the server will know to ignore the request if it has already been completed. The server will guarantee that for at least 60 minutes since the first request.

For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, will ignore the second request. This prevents clients from accidentally creating duplicate commitments.

The request ID must be a valid UUID with the exception that zero UUID is not supported (00000000-0000-0000-0000-000000000000).

Subject

Subject describes parts of a distinguished name that, in turn, describes the subject of the certificate.

Fields
common_name

string

The "common name" of the subject.

country_code

string

The country code of the subject.

organization

string

The organization of the subject.

organizational_unit

string

The organizational_unit of the subject.

locality

string

The locality or city of the subject.

province

string

The province, territory, or regional state of the subject.

street_address

string

The street address of the subject.

postal_code

string

The postal code of the subject.

SubjectAltNames

SubjectAltNames corresponds to a more modern way of listing what the asserted identity is in a certificate (i.e., compared to the "common name" in the distinguished name).

Fields
dns_names[]

string

Contains only valid, fully-qualified host names.

uris[]

string

Contains only valid RFC 3986 URIs.

email_addresses[]

string

Contains only valid RFC 2822 E-mail addresses.

ip_addresses[]

string

Contains only valid 32-bit IPv4 addresses or RFC 4291 IPv6 addresses.

custom_sans[]

X509Extension

Contains additional subject alternative name values. For each custom_san, the value field must contain an ASN.1 encoded UTF8String.

SubjectRequestMode

Describes the way in which a Certificate's Subject and/or SubjectAltNames will be resolved.

Enums
SUBJECT_REQUEST_MODE_UNSPECIFIED Not specified.
DEFAULT The default mode used in most cases. Indicates that the certificate's Subject and/or SubjectAltNames are specified in the certificate request. This mode requires the caller to have the privateca.certificates.create permission.
REFLECTED_SPIFFE A mode reserved for special cases. Indicates that the certificate should have one SPIFFE SubjectAltNames set by the service based on the caller's identity. This mode will ignore any explicitly specified Subject and/or SubjectAltNames in the certificate request. This mode requires the caller to have the privateca.certificates.createForSelf permission.

SubordinateConfig

Describes a subordinate CA's issuers. This is either a resource name to a known issuing CertificateAuthority, or a PEM issuer certificate chain.

Fields

Union field subordinate_config.

subordinate_config can be only one of the following:

certificate_authority

string

Required. This can refer to a CertificateAuthority that was used to create a subordinate CertificateAuthority. This field is used for information and usability purposes only. The resource name is in the format projects/*/locations/*/caPools/*/certificateAuthorities/*.

pem_issuer_chain

SubordinateConfigChain

Required. Contains the PEM certificate chain for the issuers of this CertificateAuthority, but not pem certificate for this CA itself.

SubordinateConfigChain

This message describes a subordinate CA's issuer certificate chain. This wrapper exists for compatibility reasons.

Fields
pem_certificates[]

string

Required. Expected to be in leaf-to-root order according to RFC 5246.

UndeleteCertificateAuthorityRequest

Request message for CertificateAuthorityService.UndeleteCertificateAuthority.

Fields
name

string

Required. The resource name for this CertificateAuthority in the format projects/*/locations/*/caPools/*/certificateAuthorities/*.

Authorization requires the following IAM permission on the specified resource name:

  • privateca.certificateAuthorities.update
request_id

string

Optional. An ID to identify requests. Specify a unique request ID so that if you must retry your request, the server will know to ignore the request if it has already been completed. The server will guarantee that for at least 60 minutes since the first request.

For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, will ignore the second request. This prevents clients from accidentally creating duplicate commitments.

The request ID must be a valid UUID with the exception that zero UUID is not supported (00000000-0000-0000-0000-000000000000).

UpdateCaPoolRequest

Request message for CertificateAuthorityService.UpdateCaPool.

Fields
ca_pool

CaPool

Required. CaPool with updated values.

Authorization requires the following IAM permission on the specified resource caPool:

  • privateca.caPools.update
update_mask

FieldMask

Required. A list of fields to be updated in this request.

request_id

string

Optional. An ID to identify requests. Specify a unique request ID so that if you must retry your request, the server will know to ignore the request if it has already been completed. The server will guarantee that for at least 60 minutes since the first request.

For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, will ignore the second request. This prevents clients from accidentally creating duplicate commitments.

The request ID must be a valid UUID with the exception that zero UUID is not supported (00000000-0000-0000-0000-000000000000).

UpdateCertificateAuthorityRequest

Request message for CertificateAuthorityService.UpdateCertificateAuthority.

Fields
certificate_authority

CertificateAuthority

Required. CertificateAuthority with updated values.

Authorization requires the following IAM permission on the specified resource certificateAuthority:

  • privateca.certificateAuthorities.update
update_mask

FieldMask

Required. A list of fields to be updated in this request.

request_id

string

Optional. An ID to identify requests. Specify a unique request ID so that if you must retry your request, the server will know to ignore the request if it has already been completed. The server will guarantee that for at least 60 minutes since the first request.

For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, will ignore the second request. This prevents clients from accidentally creating duplicate commitments.

The request ID must be a valid UUID with the exception that zero UUID is not supported (00000000-0000-0000-0000-000000000000).

UpdateCertificateRequest

Request message for CertificateAuthorityService.UpdateCertificate.

Fields
certificate

Certificate

Required. Certificate with updated values.

Authorization requires the following IAM permission on the specified resource certificate:

  • privateca.certificates.update
update_mask

FieldMask

Required. A list of fields to be updated in this request.

request_id

string

Optional. An ID to identify requests. Specify a unique request ID so that if you must retry your request, the server will know to ignore the request if it has already been completed. The server will guarantee that for at least 60 minutes since the first request.

For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, will ignore the second request. This prevents clients from accidentally creating duplicate commitments.

The request ID must be a valid UUID with the exception that zero UUID is not supported (00000000-0000-0000-0000-000000000000).

UpdateCertificateRevocationListRequest

Request message for CertificateAuthorityService.UpdateCertificateRevocationList.

Fields
certificate_revocation_list

CertificateRevocationList

Required. CertificateRevocationList with updated values.

Authorization requires the following IAM permission on the specified resource certificateRevocationList:

  • privateca.certificateRevocationLists.update
update_mask

FieldMask

Required. A list of fields to be updated in this request.

request_id

string

Optional. An ID to identify requests. Specify a unique request ID so that if you must retry your request, the server will know to ignore the request if it has already been completed. The server will guarantee that for at least 60 minutes since the first request.

For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, will ignore the second request. This prevents clients from accidentally creating duplicate commitments.

The request ID must be a valid UUID with the exception that zero UUID is not supported (00000000-0000-0000-0000-000000000000).

UpdateCertificateTemplateRequest

Request message for CertificateAuthorityService.UpdateCertificateTemplate.

Fields
certificate_template

CertificateTemplate

Required. CertificateTemplate with updated values.

Authorization requires the following IAM permission on the specified resource certificateTemplate:

  • privateca.certificateTemplates.update
update_mask

FieldMask

Required. A list of fields to be updated in this request.

request_id

string

Optional. An ID to identify requests. Specify a unique request ID so that if you must retry your request, the server will know to ignore the request if it has already been completed. The server will guarantee that for at least 60 minutes since the first request.

For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, will ignore the second request. This prevents clients from accidentally creating duplicate commitments.

The request ID must be a valid UUID with the exception that zero UUID is not supported (00000000-0000-0000-0000-000000000000).

X509Extension

An X509Extension specifies an X.509 extension, which may be used in different parts of X.509 objects like certificates, CSRs, and CRLs.

Fields
object_id

ObjectId

Required. The OID for this X.509 extension.

critical

bool

Optional. Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error).

value

bytes

Required. The value of this X.509 extension.

X509Parameters

An X509Parameters is used to describe certain fields of an X.509 certificate, such as the key usage fields, fields specific to CA certificates, certificate policy extensions and custom extensions.

Fields
key_usage

KeyUsage

Optional. Indicates the intended use for keys that correspond to a certificate.

ca_options

CaOptions

Optional. Describes options in this X509Parameters that are relevant in a CA certificate. If not specified, a default basic constraints extension with is_ca=false will be added for leaf certificates.

policy_ids[]

ObjectId

Optional. Describes the X.509 certificate policy object identifiers, per https://tools.ietf.org/html/rfc5280#section-4.2.1.4.

aia_ocsp_servers[]

string

Optional. Describes Online Certificate Status Protocol (OCSP) endpoint addresses that appear in the "Authority Information Access" extension in the certificate.

name_constraints

NameConstraints

Optional. Describes the X.509 name constraints extension.

additional_extensions[]

X509Extension

Optional. Describes custom X.509 extensions.

CaOptions

Describes the X.509 basic constraints extension, per RFC 5280 section 4.2.1.9

Fields
is_ca

bool

Optional. Refers to the "CA" boolean field in the X.509 extension. When this value is missing, the basic constraints extension will be omitted from the certificate.

max_issuer_path_length

int32

Optional. Refers to the path length constraint field in the X.509 extension. For a CA certificate, this value describes the depth of subordinate CA certificates that are allowed. If this value is less than 0, the request will fail. If this value is missing, the max path length will be omitted from the certificate.

NameConstraints

Describes the X.509 name constraints extension, per https://tools.ietf.org/html/rfc5280#section-4.2.1.10

Fields
critical

bool

Indicates whether or not the name constraints are marked critical.

permitted_dns_names[]

string

Contains permitted DNS names. Any DNS name that can be constructed by simply adding zero or more labels to the left-hand side of the name satisfies the name constraint. For example, example.com, www.example.com, www.sub.example.com would satisfy example.com while example1.com does not.

excluded_dns_names[]

string

Contains excluded DNS names. Any DNS name that can be constructed by simply adding zero or more labels to the left-hand side of the name satisfies the name constraint. For example, example.com, www.example.com, www.sub.example.com would satisfy example.com while example1.com does not.

permitted_ip_ranges[]

string

Contains the permitted IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.

excluded_ip_ranges[]

string

Contains the excluded IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.

permitted_email_addresses[]

string

Contains the permitted email addresses. The value can be a particular email address, a hostname to indicate all email addresses on that host or a domain with a leading period (e.g. .example.com) to indicate all email addresses in that domain.

excluded_email_addresses[]

string

Contains the excluded email addresses. The value can be a particular email address, a hostname to indicate all email addresses on that host or a domain with a leading period (e.g. .example.com) to indicate all email addresses in that domain.

permitted_uris[]

string

Contains the permitted URIs that apply to the host part of the name. The value can be a hostname or a domain with a leading period (like .example.com)

excluded_uris[]

string

Contains the excluded URIs that apply to the host part of the name. The value can be a hostname or a domain with a leading period (like .example.com)