Package google.cloud.security.privateca.v1beta1

Index

CertificateAuthorityService (interface)
ActivateCertificateAuthorityRequest (message)
Certificate (message)
Certificate.RevocationDetails (message)
CertificateAuthority (message)
CertificateAuthority.AccessUrls (message)
CertificateAuthority.CertificateAuthorityPolicy (message)
CertificateAuthority.CertificateAuthorityPolicy.AllowedConfigList (message)
CertificateAuthority.CertificateAuthorityPolicy.AllowedSubjectAltNames (message)
CertificateAuthority.CertificateAuthorityPolicy.IssuanceModes (message)
CertificateAuthority.IssuingOptions (message)
CertificateAuthority.KeyVersionSpec (message)
CertificateAuthority.SignHashAlgorithm (enum)
CertificateAuthority.State (enum)
CertificateAuthority.Tier (enum)
CertificateAuthority.Type (enum)
CertificateConfig (message)
CertificateConfig.SubjectConfig (message)
CertificateDescription (message)
CertificateDescription.CertificateFingerprint (message)
CertificateDescription.KeyId (message)
CertificateDescription.SubjectDescription (message)
CertificateRevocationList (message)
CertificateRevocationList.RevokedCertificate (message)
CertificateRevocationList.State (enum)
CreateCertificateAuthorityRequest (message)
CreateCertificateRequest (message)
DisableCertificateAuthorityRequest (message)
EnableCertificateAuthorityRequest (message)
FetchCertificateAuthorityCsrRequest (message)
FetchCertificateAuthorityCsrResponse (message)
GetCertificateAuthorityRequest (message)
GetCertificateRequest (message)
GetCertificateRevocationListRequest (message)
GetReusableConfigRequest (message)
KeyUsage (message)
KeyUsage.ExtendedKeyUsageOptions (message)
KeyUsage.KeyUsageOptions (message)
ListCertificateAuthoritiesRequest (message)
ListCertificateAuthoritiesResponse (message)
ListCertificateRevocationListsRequest (message)
ListCertificateRevocationListsResponse (message)
ListCertificatesRequest (message)
ListCertificatesResponse (message)
ListReusableConfigsRequest (message)
ListReusableConfigsResponse (message)
ObjectId (message)
OperationMetadata (message)
PublicKey (message)
PublicKey.KeyType (enum)
RestoreCertificateAuthorityRequest (message)
ReusableConfig (message)
ReusableConfigValues (message)
ReusableConfigValues.CaOptions (message)
ReusableConfigWrapper (message)
RevocationReason (enum)
RevokeCertificateRequest (message)
ScheduleDeleteCertificateAuthorityRequest (message)
Subject (message)
SubjectAltNames (message)
SubordinateConfig (message)
SubordinateConfig.SubordinateConfigChain (message)
UpdateCertificateAuthorityRequest (message)
UpdateCertificateRequest (message)
UpdateCertificateRevocationListRequest (message)
X509Extension (message)

CertificateAuthorityService

Certificate Authority Service manages private certificate authorities and issued certificates.

ActivateCertificateAuthority

ActivateCertificateAuthority
`rpc ActivateCertificateAuthority(ActivateCertificateAuthorityRequest) returns (Operation)` Activate a `CertificateAuthority` that is in state `PENDING_ACTIVATION` and is of type `SUBORDINATE`. After the parent Certificate Authority signs a certificate signing request from `FetchCertificateAuthorityCsr`, this method can complete the activation process. Authorization Scopes Requires the following OAuth scope: `https://www.googleapis.com/auth/cloud-platform` For more information, see the Authentication Overview.

rpc ActivateCertificateAuthority(ActivateCertificateAuthorityRequest) returns (Operation)

Activate a CertificateAuthority that is in state PENDING_ACTIVATION and is of type SUBORDINATE. After the parent Certificate Authority signs a certificate signing request from FetchCertificateAuthorityCsr, this method can complete the activation process.

Authorization Scopes

Requires the following OAuth scope:

https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

CreateCertificate

CreateCertificate
`rpc CreateCertificate(CreateCertificateRequest) returns (Certificate)` Create a new `Certificate` in a given Project, Location from a particular `CertificateAuthority`. Authorization Scopes Requires the following OAuth scope: `https://www.googleapis.com/auth/cloud-platform` For more information, see the Authentication Overview.

rpc CreateCertificate(CreateCertificateRequest) returns (Certificate)

Create a new Certificate in a given Project, Location from a particular CertificateAuthority.

Authorization Scopes

Requires the following OAuth scope:

https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

CreateCertificateAuthority

CreateCertificateAuthority
`rpc CreateCertificateAuthority(CreateCertificateAuthorityRequest) returns (Operation)` Create a new `CertificateAuthority` in a given Project and Location. Authorization Scopes Requires the following OAuth scope: `https://www.googleapis.com/auth/cloud-platform` For more information, see the Authentication Overview.

rpc CreateCertificateAuthority(CreateCertificateAuthorityRequest) returns (Operation)

Create a new CertificateAuthority in a given Project and Location.

Authorization Scopes

Requires the following OAuth scope:

https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

DisableCertificateAuthority

DisableCertificateAuthority
`rpc DisableCertificateAuthority(DisableCertificateAuthorityRequest) returns (Operation)` Disable a `CertificateAuthority`. Authorization Scopes Requires the following OAuth scope: `https://www.googleapis.com/auth/cloud-platform` For more information, see the Authentication Overview.

rpc DisableCertificateAuthority(DisableCertificateAuthorityRequest) returns (Operation)

Disable a CertificateAuthority.

Authorization Scopes

Requires the following OAuth scope:

https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

EnableCertificateAuthority

EnableCertificateAuthority
`rpc EnableCertificateAuthority(EnableCertificateAuthorityRequest) returns (Operation)` Enable a `CertificateAuthority`. Authorization Scopes Requires the following OAuth scope: `https://www.googleapis.com/auth/cloud-platform` For more information, see the Authentication Overview.

rpc EnableCertificateAuthority(EnableCertificateAuthorityRequest) returns (Operation)

Enable a CertificateAuthority.

Authorization Scopes

Requires the following OAuth scope:

https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

FetchCertificateAuthorityCsr

FetchCertificateAuthorityCsr
`rpc FetchCertificateAuthorityCsr(FetchCertificateAuthorityCsrRequest) returns (FetchCertificateAuthorityCsrResponse)` Fetch a certificate signing request (CSR) from a `CertificateAuthority` that is in state `PENDING_ACTIVATION` and is of type `SUBORDINATE`. The CSR must then be signed by the desired parent Certificate Authority, which could be another `CertificateAuthority` resource, or could be an on-prem certificate authority. See also `ActivateCertificateAuthority`. Authorization Scopes Requires the following OAuth scope: `https://www.googleapis.com/auth/cloud-platform` For more information, see the Authentication Overview.

rpc FetchCertificateAuthorityCsr(FetchCertificateAuthorityCsrRequest) returns (FetchCertificateAuthorityCsrResponse)

Fetch a certificate signing request (CSR) from a CertificateAuthority that is in state PENDING_ACTIVATION and is of type SUBORDINATE. The CSR must then be signed by the desired parent Certificate Authority, which could be another CertificateAuthority resource, or could be an on-prem certificate authority. See also ActivateCertificateAuthority.

Authorization Scopes

Requires the following OAuth scope:

https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

GetCertificate

GetCertificate
`rpc GetCertificate(GetCertificateRequest) returns (Certificate)` Returns a `Certificate`. Authorization Scopes Requires the following OAuth scope: `https://www.googleapis.com/auth/cloud-platform` For more information, see the Authentication Overview.

rpc GetCertificate(GetCertificateRequest) returns (Certificate)

Returns a Certificate.

Authorization Scopes

Requires the following OAuth scope:

https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

GetCertificateAuthority

GetCertificateAuthority
`rpc GetCertificateAuthority(GetCertificateAuthorityRequest) returns (CertificateAuthority)` Returns a `CertificateAuthority`. Authorization Scopes Requires the following OAuth scope: `https://www.googleapis.com/auth/cloud-platform` For more information, see the Authentication Overview.

rpc GetCertificateAuthority(GetCertificateAuthorityRequest) returns (CertificateAuthority)

Returns a CertificateAuthority.

Authorization Scopes

Requires the following OAuth scope:

https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

GetCertificateRevocationList

GetCertificateRevocationList
`rpc GetCertificateRevocationList(GetCertificateRevocationListRequest) returns (CertificateRevocationList)` Returns a `CertificateRevocationList`. Authorization Scopes Requires the following OAuth scope: `https://www.googleapis.com/auth/cloud-platform` For more information, see the Authentication Overview.

rpc GetCertificateRevocationList(GetCertificateRevocationListRequest) returns (CertificateRevocationList)

Returns a CertificateRevocationList.

Authorization Scopes

Requires the following OAuth scope:

https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

GetReusableConfig

GetReusableConfig
`rpc GetReusableConfig(GetReusableConfigRequest) returns (ReusableConfig)` Returns a `ReusableConfig`. Authorization Scopes Requires the following OAuth scope: `https://www.googleapis.com/auth/cloud-platform` For more information, see the Authentication Overview.

rpc GetReusableConfig(GetReusableConfigRequest) returns (ReusableConfig)

Returns a ReusableConfig.

Authorization Scopes

Requires the following OAuth scope:

https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

ListCertificateAuthorities

ListCertificateAuthorities
`rpc ListCertificateAuthorities(ListCertificateAuthoritiesRequest) returns (ListCertificateAuthoritiesResponse)` Lists `CertificateAuthorities`. Authorization Scopes Requires the following OAuth scope: `https://www.googleapis.com/auth/cloud-platform` For more information, see the Authentication Overview.

rpc ListCertificateAuthorities(ListCertificateAuthoritiesRequest) returns (ListCertificateAuthoritiesResponse)

Lists CertificateAuthorities.

Authorization Scopes

Requires the following OAuth scope:

https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

ListCertificateRevocationLists

ListCertificateRevocationLists
`rpc ListCertificateRevocationLists(ListCertificateRevocationListsRequest) returns (ListCertificateRevocationListsResponse)` Lists `CertificateRevocationLists`. Authorization Scopes Requires the following OAuth scope: `https://www.googleapis.com/auth/cloud-platform` For more information, see the Authentication Overview.

rpc ListCertificateRevocationLists(ListCertificateRevocationListsRequest) returns (ListCertificateRevocationListsResponse)

Lists CertificateRevocationLists.

Authorization Scopes

Requires the following OAuth scope:

https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

ListCertificates

ListCertificates
`rpc ListCertificates(ListCertificatesRequest) returns (ListCertificatesResponse)` Lists `Certificates`. Authorization Scopes Requires the following OAuth scope: `https://www.googleapis.com/auth/cloud-platform` For more information, see the Authentication Overview.

rpc ListCertificates(ListCertificatesRequest) returns (ListCertificatesResponse)

Lists Certificates.

Authorization Scopes

Requires the following OAuth scope:

https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

ListReusableConfigs

ListReusableConfigs
`rpc ListReusableConfigs(ListReusableConfigsRequest) returns (ListReusableConfigsResponse)` Lists `ReusableConfigs`. Authorization Scopes Requires the following OAuth scope: `https://www.googleapis.com/auth/cloud-platform` For more information, see the Authentication Overview.

rpc ListReusableConfigs(ListReusableConfigsRequest) returns (ListReusableConfigsResponse)

Lists ReusableConfigs.

Authorization Scopes

Requires the following OAuth scope:

https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

RestoreCertificateAuthority

RestoreCertificateAuthority
`rpc RestoreCertificateAuthority(RestoreCertificateAuthorityRequest) returns (Operation)` Restore a `CertificateAuthority` that is scheduled for deletion. Authorization Scopes Requires the following OAuth scope: `https://www.googleapis.com/auth/cloud-platform` For more information, see the Authentication Overview.

rpc RestoreCertificateAuthority(RestoreCertificateAuthorityRequest) returns (Operation)

Restore a CertificateAuthority that is scheduled for deletion.

Authorization Scopes

Requires the following OAuth scope:

https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

RevokeCertificate

RevokeCertificate
`rpc RevokeCertificate(RevokeCertificateRequest) returns (Certificate)` Revoke a `Certificate`. Authorization Scopes Requires the following OAuth scope: `https://www.googleapis.com/auth/cloud-platform` For more information, see the Authentication Overview.

rpc RevokeCertificate(RevokeCertificateRequest) returns (Certificate)

Revoke a Certificate.

Authorization Scopes

Requires the following OAuth scope:

https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

ScheduleDeleteCertificateAuthority

ScheduleDeleteCertificateAuthority
`rpc ScheduleDeleteCertificateAuthority(ScheduleDeleteCertificateAuthorityRequest) returns (Operation)` Schedule a `CertificateAuthority` for deletion. Authorization Scopes Requires the following OAuth scope: `https://www.googleapis.com/auth/cloud-platform` For more information, see the Authentication Overview.

rpc ScheduleDeleteCertificateAuthority(ScheduleDeleteCertificateAuthorityRequest) returns (Operation)

Schedule a CertificateAuthority for deletion.

Authorization Scopes

Requires the following OAuth scope:

https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

UpdateCertificate

UpdateCertificate
`rpc UpdateCertificate(UpdateCertificateRequest) returns (Certificate)` Update a `Certificate`. Currently, the only field you can update is the `labels` field. Authorization Scopes Requires the following OAuth scope: `https://www.googleapis.com/auth/cloud-platform` For more information, see the Authentication Overview.

rpc UpdateCertificate(UpdateCertificateRequest) returns (Certificate)

Update a Certificate. Currently, the only field you can update is the labels field.

Authorization Scopes

Requires the following OAuth scope:

https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

UpdateCertificateAuthority

UpdateCertificateAuthority
`rpc UpdateCertificateAuthority(UpdateCertificateAuthorityRequest) returns (Operation)` Update a `CertificateAuthority`. Authorization Scopes Requires the following OAuth scope: `https://www.googleapis.com/auth/cloud-platform` For more information, see the Authentication Overview.

rpc UpdateCertificateAuthority(UpdateCertificateAuthorityRequest) returns (Operation)

Update a CertificateAuthority.

Authorization Scopes

Requires the following OAuth scope:

https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

UpdateCertificateRevocationList

UpdateCertificateRevocationList
`rpc UpdateCertificateRevocationList(UpdateCertificateRevocationListRequest) returns (Operation)` Update a `CertificateRevocationList`. Authorization Scopes Requires the following OAuth scope: `https://www.googleapis.com/auth/cloud-platform` For more information, see the Authentication Overview.

rpc UpdateCertificateRevocationList(UpdateCertificateRevocationListRequest) returns (Operation)

Update a CertificateRevocationList.

Authorization Scopes

Requires the following OAuth scope:

https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

ActivateCertificateAuthorityRequest

Request message for CertificateAuthorityService.ActivateCertificateAuthority.

Fields
`name`	`string` Required. The resource name for this `CertificateAuthority` in the format `projects//locations//certificateAuthorities/*`. Authorization requires the following IAM permission on the specified resource `name`: `privateca.certificateAuthorities.update`
`pem_ca_certificate`	`string` Required. The signed CA certificate issued from `FetchCertificateAuthorityCsrResponse.pem_csr`.
`subordinate_config`	`SubordinateConfig` Required. Must include information about the issuer of 'pem_ca_certificate', and any further issuers until the self-signed CA.
`request_id`	`string` Optional. An ID to identify requests. Specify a unique request ID so that if you must retry your request, the server will know to ignore the request if it has already been completed. The server will guarantee that for at least 60 minutes since the first request. For example, consider a situation where you make an initial request and t he request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, will ignore the second request. This prevents clients from accidentally creating duplicate commitments. The request ID must be a valid UUID with the exception that zero UUID is not supported (00000000-0000-0000-0000-000000000000).

Certificate

A Certificate corresponds to a signed X.509 certificate issued by a CertificateAuthority.

Fields
`name`	`string` Output only. The resource path for this `Certificate` in the format `projects//locations//certificateAuthorities//certificates/`.
`lifetime`	`Duration` Required. Immutable. The desired lifetime of a certificate. Used to create the "not_before_time" and "not_after_time" fields inside an X.509 certificate. Note that the lifetime may be truncated if it would extend past the life of any certificate authority in the issuing chain.
`revocation_details`	`RevocationDetails` Output only. Details regarding the revocation of this `Certificate`. This `Certificate` is considered revoked if and only if this field is present.
`pem_certificate`	`string` Output only. The pem-encoded, signed X.509 certificate.
`certificate_description`	`CertificateDescription` Output only. A structured description of the issued X.509 certificate.
`pem_certificate_chain[]`	`string` Output only. The chain that may be used to verify the X.509 certificate. Expected to be in issuer-to-root order according to RFC 5246.
`create_time`	`Timestamp` Output only. The time at which this `Certificate` was created.
`update_time`	`Timestamp` Output only. The time at which this `Certificate` was updated.
`labels`	`map<string, string>` Optional. Labels with user-defined metadata.
Union field `certificate_config`. The config used to create a signed X.509 certificate. `certificate_config` can be only one of the following:
`pem_csr`	`string` Immutable. A pem-encoded X.509 certificate signing request (CSR).
`config`	`CertificateConfig` Immutable. A description of the certificate and key that does not require X.509 or ASN.1.

RevocationDetails

Describes fields that are relavent to the revocation of a Certificate.

Fields

Fields
`revocation_state`	`RevocationReason` Indicates why a `Certificate` was revoked.
`revocation_time`	`Timestamp` The time at which this `Certificate` was revoked.

revocation_state

RevocationReason

Indicates why a Certificate was revoked.

revocation_time

Timestamp

The time at which this Certificate was revoked.

CertificateAuthority

A CertificateAuthority represents an individual Certificate Authority. A CertificateAuthority can be used to create Certificates.

Fields
`name`	`string` Output only. The resource name for this `CertificateAuthority` in the format `projects//locations//certificateAuthorities/*`.
`type`	`Type` Required. Immutable. The `Type` of this `CertificateAuthority`.
`tier`	`Tier` Required. Immutable. The `Tier` of this `CertificateAuthority`.
`config`	`CertificateConfig` Required. Immutable. The config used to create a self-signed X.509 certificate or CSR.
`lifetime`	`Duration` Required. The desired lifetime of the CA certificate. Used to create the "not_before_time" and "not_after_time" fields inside an X.509 certificate.
`key_spec`	`KeyVersionSpec` Required. Immutable. Used when issuing certificates for this `CertificateAuthority`. If this `CertificateAuthority` is a self-signed CertificateAuthority, this key is also used to sign the self-signed CA certificate. Otherwise, it is used to sign a CSR.
`certificate_policy`	`CertificateAuthorityPolicy` Optional. The `CertificateAuthorityPolicy` to enforce when issuing `Certificates` from this `CertificateAuthority`.
`issuing_options`	`IssuingOptions` Optional. The `IssuingOptions` to follow when issuing `Certificates` from this `CertificateAuthority`.
`subordinate_config`	`SubordinateConfig` Optional. If this is a subordinate `CertificateAuthority`, this field will be set with the subordinate configuration, which describes its issuers. This may be updated, but this `CertificateAuthority` must continue to validate.
`state`	`State` Output only. The `State` for this `CertificateAuthority`.
`pem_ca_certificates[]`	`string` Output only. This `CertificateAuthority`'s certificate chain, including the current `CertificateAuthority`'s certificate. Ordered such that the root issuer is the final element (consistent with RFC 5246). For a self-signed CA, this will only list the current `CertificateAuthority`'s certificate.
`ca_certificate_descriptions[]`	`CertificateDescription` Output only. A structured description of this `CertificateAuthority`'s CA certificate and its issuers. Ordered as self-to-root.
`gcs_bucket`	`string` Immutable. The name of a Cloud Storage bucket where this `CertificateAuthority` will publish content, such as the CA certificate and CRLs. This must be a bucket name, without any prefixes (such as `gs://`) or suffixes (such as `.googleapis.com`). For example, to use a bucket named `my-bucket`, you would simply specify `my-bucket`. If not specified, a managed bucket will be created.
`access_urls`	`AccessUrls` Output only. URLs for accessing content published by this CA, such as the CA certificate and CRLs.
`create_time`	`Timestamp` Output only. The time at which this `CertificateAuthority` was created.
`update_time`	`Timestamp` Output only. The time at which this `CertificateAuthority` was updated.
`delete_time`	`Timestamp` Output only. The time at which this `CertificateAuthority` will be deleted, if scheduled for deletion.
`labels`	`map<string, string>` Optional. Labels with user-defined metadata.

AccessUrls

URLs where a CertificateAuthority will publish content.

Fields

Fields
`ca_certificate_access_url`	`string` The URL where this `CertificateAuthority`'s CA certificate is published. This will only be set for CAs that have been activated.
`crl_access_url`	`string` The URL where this `CertificateAuthority`'s CRLs are published. This will only be set for CAs that have been activated.

ca_certificate_access_url

string

The URL where this CertificateAuthority's CA certificate is published. This will only be set for CAs that have been activated.

crl_access_url

string

The URL where this CertificateAuthority's CRLs are published. This will only be set for CAs that have been activated.

CertificateAuthorityPolicy

The issuing policy for a CertificateAuthority. Certificates will not be successfully issued from this CertificateAuthority if they violate the policy.

Fields
`allowed_locations_and_organizations[]`	`Subject` Optional. If any `Subject` is specified here, then all `Certificates` issued by the `CertificateAuthority` must match at least one listed `Subject`. If a `Subject` has an empty field, any value will be allowed for that field.
`allowed_common_names[]`	`string` Optional. If any value is specified here, then all `Certificates` issued by the `CertificateAuthority` must match at least one listed value. If no value is specified, all values will be allowed for this fied. Glob patterns are also supported.
`allowed_sans`	`AllowedSubjectAltNames` Optional. If a `AllowedSubjectAltNames` is specified here, then all `Certificates` issued by the `CertificateAuthority` must match `AllowedSubjectAltNames`. If no value or an empty value is specified, any value will be allowed for the `SubjectAltNames` field.
`maximum_lifetime`	`Duration` Optional. The maximum lifetime allowed by the `CertificateAuthority`. Note that if the any part if the issuing chain expires before a `Certificate`'s requested maximum_lifetime, the effective lifetime will be explicitly truncated.
`allowed_issuance_modes`	`IssuanceModes` Optional. If specified, then only methods allowed in the `IssuanceModes` may be used to issue `Certificates`.
Union field `config_policy`. Allowed configurations or a single configuration for all issued certificates. `config_policy` can be only one of the following:
`allowed_config_list`	`AllowedConfigList` Optional. All `Certificates` issued by the `CertificateAuthority` must match at least one listed `ReusableConfigWrapper` in the list.
`overwrite_config_values`	`ReusableConfigWrapper` Optional. All `Certificates` issued by the `CertificateAuthority` will use the provided configuration values, overwriting any requested configuration values.

AllowedConfigList

Fields

Fields
`allowed_config_values[]`	`ReusableConfigWrapper` Required. All `Certificates` issued by the `CertificateAuthority` must match at least one listed `ReusableConfigWrapper`. If a `ReusableConfigWrapper` has an empty field, any value will be allowed for that field.

allowed_config_values[]

ReusableConfigWrapper

Required. All Certificates issued by the CertificateAuthority must match at least one listed ReusableConfigWrapper. If a ReusableConfigWrapper has an empty field, any value will be allowed for that field.

AllowedSubjectAltNames

AllowedSubjectAltNames specifies the allowed values for SubjectAltNames by the CertificateAuthority when issuing Certificates.

Fields
`allowed_dns_names[]`	`string` Optional. Contains valid, fully-qualified host names. Glob patterns are also supported. To allow an explicit wildcard certificate, escape with backlash (i.e. ""). E.g. for globbed entries: 'bar.com' will allow 'foo.bar.com', but not '.bar.com', unless the `allow_globbing_dns_wildcards` field is set. E.g. for wildcard entries: '.bar.com' will allow '*.bar.com', but not 'foo.bar.com'.
`allowed_uris[]`	`string` Optional. Contains valid RFC 3986 URIs. Glob patterns are also supported. To match across path seperators (i.e. '/') use the double star glob pattern (i.e. '**').
`allowed_email_addresses[]`	`string` Optional. Contains valid RFC 2822 E-mail addresses. Glob patterns are also supported.
`allowed_ips[]`	`string` Optional. Contains valid 32-bit IPv4 addresses and subnet ranges or RFC 4291 IPv6 addresses and subnet ranges. Subnet ranges are specified using the '/' notation (e.g. 10.0.0.0/8, 2001:700:300:1800::/64). Glob patterns are supported only for ip address entries (i.e. not for subnet ranges).
`allow_globbing_dns_wildcards`	`bool` Optional. Specifies if glob patterns used for `allowed_dns_names` allow wildcard certificates. If this is set, certificate requests with wildcard domains will be permitted to match a glob pattern specified in `allowed_dns_names`. Otherwise, certificate requests with wildcard domains will be permitted only if `allowed_dns_names` contains a literal wildcard.
`allow_custom_sans`	`bool` Optional. Specifies if to allow custom X509Extension values.

IssuanceModes

IssuanceModes specifies the allowed ways in which Certificates may be requested from this CertificateAuthority.

Fields

Fields
`allow_csr_based_issuance`	`bool` Required. When true, allows callers to create `Certificates` by specifying a CSR.
`allow_config_based_issuance`	`bool` Required. When true, allows callers to create `Certificates` by specifying a `CertificateConfig`.

allow_csr_based_issuance

bool

Required. When true, allows callers to create Certificates by specifying a CSR.

allow_config_based_issuance

bool

Required. When true, allows callers to create Certificates by specifying a CertificateConfig.

IssuingOptions

Options that affect all certificates issued by a CertificateAuthority.

Fields

Fields
`include_ca_cert_url`	`bool` Required. When true, includes a URL to the issuing CA certificate in the "authority information access" X.509 extension.
`include_crl_access_url`	`bool` Required. When true, includes a URL to the CRL corresponding to certificates issued from a `CertificateAuthority`. CRLs will expire 7 days from their creation. However, we will rebuild daily. CRLs are also rebuilt shortly after a certificate is revoked.

include_ca_cert_url

bool

Required. When true, includes a URL to the issuing CA certificate in the "authority information access" X.509 extension.

include_crl_access_url

bool

Required. When true, includes a URL to the CRL corresponding to certificates issued from a CertificateAuthority. CRLs will expire 7 days from their creation. However, we will rebuild daily. CRLs are also rebuilt shortly after a certificate is revoked.

KeyVersionSpec

A Cloud KMS key configuration that a CertificateAuthority will use.

Fields

Fields
Union field `KeyVersion`. `KeyVersion` can be only one of the following:
`cloud_kms_key_version`	`string` Required. The resource name for an existing Cloud KMS CryptoKeyVersion in the format `projects//locations//keyRings//cryptoKeys//cryptoKeyVersions/*`. This option enables full flexibility in the key's capabilities and properties.
`algorithm`	`SignHashAlgorithm` Required. The algorithm to use for creating a managed Cloud KMS key for a for a simplified experience. All managed keys will be have their [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] as `HSM`.

Union field KeyVersion.

KeyVersion can be only one of the following:

cloud_kms_key_version

string

Required. The resource name for an existing Cloud KMS CryptoKeyVersion in the format projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*. This option enables full flexibility in the key's capabilities and properties.

algorithm

SignHashAlgorithm

Required. The algorithm to use for creating a managed Cloud KMS key for a for a simplified experience. All managed keys will be have their [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] as HSM.

SignHashAlgorithm

The algorithm of a Cloud KMS CryptoKeyVersion of a [CryptoKey][google.cloud.kms.v1.CryptoKey] with the [CryptoKeyPurpose][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose] value ASYMMETRIC_SIGN. These values correspond to the [CryptoKeyVersionAlgorithm][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm] values. For RSA signing algorithms, the PSS algorithms should be preferred, use PKCS1 algorithms if required for compatibility. For further recommandations, see https://cloud.google.com/kms/docs/algorithms#algorithm_recommendations.

Enums
`SIGN_HASH_ALGORITHM_UNSPECIFIED`	Not specified.
`RSA_PSS_2048_SHA256`	maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PSS_2048_SHA256
`RSA_PSS_3072_SHA256`	maps to CryptoKeyVersionAlgorithm. RSA_SIGN_PSS_3072_SHA256
`RSA_PSS_4096_SHA256`	maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PSS_4096_SHA256
`RSA_PKCS1_2048_SHA256`	maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_2048_SHA256
`RSA_PKCS1_3072_SHA256`	maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_3072_SHA256
`RSA_PKCS1_4096_SHA256`	maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_4096_SHA256
`EC_P256_SHA256`	maps to CryptoKeyVersionAlgorithm.EC_SIGN_P256_SHA256
`EC_P384_SHA384`	maps to CryptoKeyVersionAlgorithm.EC_SIGN_P384_SHA384

State

The state of a CertificateAuthority, indicating if it can be used.

Enums
`STATE_UNSPECIFIED`	Not specified.
`ENABLED`	Certificates can be issued from this CA. CRLs will be generated for this CA.
`DISABLED`	Certificates cannot be issued from this CA. CRLs will still be generated.
`PENDING_ACTIVATION`	Certificates cannot be issued from this CA. CRLs will not be generated.
`PENDING_DELETION`	Certificates cannot be issued from this CA. CRLs will not be generated.

Tier

The tier of a CertificateAuthority, indicating its supported functionality and/or billing SKU.

Enums
`TIER_UNSPECIFIED`	Not specified.
`ENTERPRISE`	Enterprise tier.
`DEVOPS`	DevOps tier.

Type

The type of a CertificateAuthority, indicating its issuing chain.

Enums
`TYPE_UNSPECIFIED`	Not specified.
`SELF_SIGNED`	Self-signed CA.
`SUBORDINATE`	Subordinate CA. Could be issued by a Private CA `CertificateAuthority` or an unmanaged CA.

CertificateConfig

A CertificateConfig describes an X.509 certificate or CSR that is to be created, as an alternative to using ASN.1.

Fields

Fields
`subject_config`	`SubjectConfig` Required. Specifies some of the values in a certificate that are related to the subject.
`reusable_config`	`ReusableConfigWrapper` Required. Describes how some of the technical fields in a certificate should be populated.
`public_key`	`PublicKey` Optional. The public key that corresponds to this config. This is, for example, used when issuing `Certificates`, but not when creating a self-signed `CertificateAuthority` or `CertificateAuthority` CSR.

subject_config

SubjectConfig

Required. Specifies some of the values in a certificate that are related to the subject.

reusable_config

ReusableConfigWrapper

Required. Describes how some of the technical fields in a certificate should be populated.

public_key

PublicKey

Optional. The public key that corresponds to this config. This is, for example, used when issuing Certificates, but not when creating a self-signed CertificateAuthority or CertificateAuthority CSR.

SubjectConfig

These values are used to create the distinguished name and subject alternative name fields in an X.509 certificate.

Fields

Fields
`subject`	`Subject` Required. Contains distinguished name fields such as the location and organization.
`common_name`	`string` Optional. The "common name" of the distinguished name.
`subject_alt_name`	`SubjectAltNames` Optional. The subject alternative name fields.

subject

Subject

Required. Contains distinguished name fields such as the location and organization.

common_name

string

Optional. The "common name" of the distinguished name.

subject_alt_name

SubjectAltNames

Optional. The subject alternative name fields.

CertificateDescription

A CertificateDescription describes an X.509 certificate or CSR that has been issued, as an alternative to using ASN.1 / X.509.

Fields
`subject_description`	`SubjectDescription` Describes some of the values in a certificate that are related to the subject and lifetime.
`config_values`	`ReusableConfigValues` Describes some of the technical fields in a certificate.
`public_key`	`PublicKey` The public key that corresponds to an issued certificate.
`subject_key_id`	`KeyId` Provides a means of identifiying certificates that contain a particular public key, per https://tools.ietf.org/html/rfc5280#section-4.2.1.2.
`authority_key_id`	`KeyId` Identifies the subject_key_id of the parent certificate, per https://tools.ietf.org/html/rfc5280#section-4.2.1.1
`crl_distribution_points[]`	`string` Describes a list of locations to obtain CRL information, i.e. the DistributionPoint.fullName described by https://tools.ietf.org/html/rfc5280#section-4.2.1.13
`aia_issuing_certificate_urls[]`	`string` Describes lists of issuer CA certificate URLs that appear in the "Authority Information Access" extension in the certificate.
`cert_fingerprint`	`CertificateFingerprint` The hash of the x.509 certificate.

CertificateFingerprint

A group of fingerprints for the x509 certificate.

Fields

Fields
`sha256_hash`	`string` The SHA 256 hash, encoded in hexadecimal, of the DER x509 certificate.

sha256_hash

string

The SHA 256 hash, encoded in hexadecimal, of the DER x509 certificate.

KeyId

A KeyId identifies a specific public key, usually by hashing the public key.

Fields

Fields
`key_id`	`string` Optional. The value of this KeyId encoded in lowercase hexadecimal. This is most likely the 160 bit SHA-1 hash of the public key.

key_id

string

Optional. The value of this KeyId encoded in lowercase hexadecimal. This is most likely the 160 bit SHA-1 hash of the public key.

SubjectDescription

These values describe fields in an issued X.509 certificate such as the distinguished name, subject alternative names, serial number, and lifetime.

Fields
`subject`	`Subject` Contains distinguished name fields such as the location and organization.
`common_name`	`string` The "common name" of the distinguished name.
`subject_alt_name`	`SubjectAltNames` The subject alternative name fields.
`hex_serial_number`	`string` The serial number encoded in lowercase hexadecimal.
`lifetime`	`Duration` For convenience, the actual lifetime of an issued certificate. Corresponds to 'not_after_time' - 'not_before_time'.
`not_before_time`	`Timestamp` The time at which the certificate becomes valid.
`not_after_time`	`Timestamp` The time at which the certificate expires.

CertificateRevocationList

A CertificateRevocationList corresponds to a signed X.509 certificate Revocation List (CRL). A CRL contains the serial numbers of certificates that should no longer be trusted.

Fields
`name`	`string` Output only. The resource path for this `CertificateRevocationList` in the format `projects//locations//certificateAuthorities// certificateRevocationLists/`.
`sequence_number`	`int64` Output only. The CRL sequence number that appears in pem_crl.
`revoked_certificates[]`	`RevokedCertificate` Output only. The revoked serial numbers that appear in pem_crl.
`pem_crl`	`string` Output only. The PEM-encoded X.509 CRL.
`access_url`	`string` Output only. The location where 'pem_crl' can be accessed.
`state`	`State` Output only. The `State` for this `CertificateRevocationList`.
`create_time`	`Timestamp` Output only. The time at which this `CertificateRevocationList` was created.
`update_time`	`Timestamp` Output only. The time at which this `CertificateRevocationList` was updated.
`labels`	`map<string, string>` Optional. Labels with user-defined metadata.

RevokedCertificate

Describes a revoked Certificate.

Fields

Fields
`certificate`	`string` The resource path for the `Certificate` in the format `projects//locations//certificateAuthorities//certificates/`.
`hex_serial_number`	`string` The serial number of the `Certificate`.
`revocation_reason`	`RevocationReason` The reason the `Certificate` was revoked.

certificate

string

The resource path for the Certificate in the format projects/*/locations/*/certificateAuthorities/*/certificates/*.

hex_serial_number

string

The serial number of the Certificate.

revocation_reason

RevocationReason

The reason the Certificate was revoked.

State

The state of a CertificateRevocationList, indicating if it is current.

Enums
`STATE_UNSPECIFIED`	Not specified.
`ACTIVE`	The `CertificateRevocationList` is up to date.
`SUPERSEDED`	The `CertificateRevocationList` is no longer current.

CreateCertificateAuthorityRequest

Request message for CertificateAuthorityService.CreateCertificateAuthority.

Fields
`parent`	`string` Required. The resource name of the location associated with the `CertificateAuthorities`, in the format `projects//locations/`. Authorization requires the following IAM permission on the specified resource `parent`: `privateca.certificateAuthorities.create`
`certificate_authority_id`	`string` Required. It must be unique within a location and match the regular expression `[a-zA-Z0-9_-]{1,63}`
`certificate_authority`	`CertificateAuthority` Required. A `CertificateAuthority` with initial field values.
`request_id`	`string` Optional. An ID to identify requests. Specify a unique request ID so that if you must retry your request, the server will know to ignore the request if it has already been completed. The server will guarantee that for at least 60 minutes since the first request. For example, consider a situation where you make an initial request and t he request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, will ignore the second request. This prevents clients from accidentally creating duplicate commitments. The request ID must be a valid UUID with the exception that zero UUID is not supported (00000000-0000-0000-0000-000000000000).

CreateCertificateRequest

Request message for CertificateAuthorityService.CreateCertificate.

Fields
`parent`	`string` Required. The resource name of the location and `CertificateAuthority` associated with the `Certificate`, in the format `projects//locations//certificateAuthorities/*`. Authorization requires the following IAM permission on the specified resource `parent`: `privateca.certificates.create`
`certificate_id`	`string` Optional. It must be unique within a location and match the regular expression `[a-zA-Z0-9_-]{1,63}`. This field is required when using a `CertificateAuthority` in the Enterprise `CertificateAuthority.Tier`, but is optional and its value is ignored otherwise.
`certificate`	`Certificate` Required. A `Certificate` with initial field values.
`request_id`	`string` Optional. An ID to identify requests. Specify a unique request ID so that if you must retry your request, the server will know to ignore the request if it has already been completed. The server will guarantee that for at least 60 minutes since the first request. For example, consider a situation where you make an initial request and t he request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, will ignore the second request. This prevents clients from accidentally creating duplicate commitments. The request ID must be a valid UUID with the exception that zero UUID is not supported (00000000-0000-0000-0000-000000000000).

DisableCertificateAuthorityRequest

Request message for CertificateAuthorityService.DisableCertificateAuthority.

Fields

name

string

Required. The resource name for this CertificateAuthority in the format projects/*/locations/*/certificateAuthorities/*.

Authorization requires the following IAM permission on the specified resource name:

privateca.certificateAuthorities.update

request_id

string

Optional. An ID to identify requests. Specify a unique request ID so that if you must retry your request, the server will know to ignore the request if it has already been completed. The server will guarantee that for at least 60 minutes since the first request.

For example, consider a situation where you make an initial request and t he request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, will ignore the second request. This prevents clients from accidentally creating duplicate commitments.

The request ID must be a valid UUID with the exception that zero UUID is not supported (00000000-0000-0000-0000-000000000000).

EnableCertificateAuthorityRequest

Request message for CertificateAuthorityService.EnableCertificateAuthority.

Fields

name

string

Required. The resource name for this CertificateAuthority in the format projects/*/locations/*/certificateAuthorities/*.

Authorization requires the following IAM permission on the specified resource name:

privateca.certificateAuthorities.update

request_id

string

The request ID must be a valid UUID with the exception that zero UUID is not supported (00000000-0000-0000-0000-000000000000).

FetchCertificateAuthorityCsrRequest

Request message for CertificateAuthorityService.FetchCertificateAuthorityCsr.

Fields

Fields
`name`	`string` Required. The resource name for this `CertificateAuthority` in the format `projects//locations//certificateAuthorities/*`. Authorization requires the following IAM permission on the specified resource `name`: `privateca.certificateAuthorities.get`

name

string

Required. The resource name for this CertificateAuthority in the format projects/*/locations/*/certificateAuthorities/*.

Authorization requires the following IAM permission on the specified resource name:

privateca.certificateAuthorities.get

FetchCertificateAuthorityCsrResponse

Response message for CertificateAuthorityService.FetchCertificateAuthorityCsr.

Fields

Fields
`pem_csr`	`string` Output only. The PEM-encoded signed certificate signing request (CSR).

pem_csr

string

Output only. The PEM-encoded signed certificate signing request (CSR).

GetCertificateAuthorityRequest

Request message for CertificateAuthorityService.GetCertificateAuthority.

Fields

name

string

Required. The name of the CertificateAuthority to get.

Authorization requires the following IAM permission on the specified resource name:

privateca.certificateAuthorities.get

GetCertificateRequest

Request message for CertificateAuthorityService.GetCertificate.

Fields

name

string

Required. The name of the Certificate to get.

Authorization requires the following IAM permission on the specified resource name:

privateca.certificates.get

GetCertificateRevocationListRequest

Request message for CertificateAuthorityService.GetCertificateRevocationList.

Fields

name

string

Required. The name of the CertificateRevocationList to get.

Authorization requires the following IAM permission on the specified resource name:

privateca.certificateRevocationLists.get

GetReusableConfigRequest

Request message for CertificateAuthorityService.GetReusableConfig.

Fields

name

string

Required. The [name][ReusableConfigs.name] of the [ReusableConfigs][] to get.

Authorization requires the following IAM permission on the specified resource name:

privateca.reusableConfigs.get

KeyUsage

A KeyUsage describes key usage values that may appear in an X.509 certificate.

Fields

base_key_usage

KeyUsageOptions

Describes high-level ways in which a key may be used.

extended_key_usage

ExtendedKeyUsageOptions

Detailed scenarios in which a key may be used.

unknown_extended_key_usages[]

ObjectId

Used to describe extended key usages that are not listed in the KeyUsage.ExtendedKeyUsageOptions message.

ExtendedKeyUsageOptions

KeyUsage.ExtendedKeyUsageOptions has fields that correspond to certain common OIDs that could be specified as an extended key usage value.

Fields
`server_auth`	`bool` Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as "TLS WWW server authentication", though regularly used for non-WWW TLS.
`client_auth`	`bool` Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as "TLS WWW client authentication", though regularly used for non-WWW TLS.
`code_signing`	`bool` Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as "Signing of downloadable executable code client authentication".
`email_protection`	`bool` Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as "Email protection".
`time_stamping`	`bool` Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as "Binding the hash of an object to a time".
`ocsp_signing`	`bool` Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as "Signing OCSP responses".

KeyUsageOptions

KeyUsage.KeyUsageOptions corresponds to the key usage values described in https://tools.ietf.org/html/rfc5280#section-4.2.1.3.

Fields
`digital_signature`	`bool` The key may be used for digital signatures.
`content_commitment`	`bool` The key may be used for cryptographic commitments. Note that this may also be referred to as "non-repudiation".
`key_encipherment`	`bool` The key may be used to encipher other keys.
`data_encipherment`	`bool` The key may be used to encipher data.
`key_agreement`	`bool` The key may be used in a key agreement protocol.
`cert_sign`	`bool` The key may be used to sign certificates.
`crl_sign`	`bool` The key may be used sign certificate revocation lists.
`encipher_only`	`bool` The key may be used to encipher only.
`decipher_only`	`bool` The key may be used to decipher only.

ListCertificateAuthoritiesRequest

Request message for CertificateAuthorityService.ListCertificateAuthorities.

Fields
`parent`	`string` Required. The resource name of the location associated with the `CertificateAuthorities`, in the format `projects//locations/`. Authorization requires the following IAM permission on the specified resource `parent`: `privateca.certificateAuthorities.list`
`page_size`	`int32` Optional. Limit on the number of `CertificateAuthorities` to include in the response. Further `CertificateAuthorities` can subsequently be obtained by including the `ListCertificateAuthoritiesResponse.next_page_token` in a subsequent request. If unspecified, the server will pick an appropriate default.
`page_token`	`string` Optional. Pagination token, returned earlier via `ListCertificateAuthoritiesResponse.next_page_token`.
`filter`	`string` Optional. Only include resources that match the filter in the response.
`order_by`	`string` Optional. Specify how the results should be sorted.

ListCertificateAuthoritiesResponse

Response message for CertificateAuthorityService.ListCertificateAuthorities.

Fields

certificate_authorities[]

CertificateAuthority

The list of CertificateAuthorities.

next_page_token

string

A token to retrieve next page of results. Pass this value in [ListCertificateAuthoritiesRequest.next_page_token][] to retrieve the next page of results.

unreachable[]

string

A list of locations (e.g. "us-west1") that could not be reached.

ListCertificateRevocationListsRequest

Request message for CertificateAuthorityService.ListCertificateRevocationLists.

Fields
`parent`	`string` Required. The resource name of the location associated with the `CertificateRevocationLists`, in the format `projects//locations//certificateauthorities/*`. Authorization requires the following IAM permission on the specified resource `parent`: `privateca.certificateRevocationLists.list`
`page_size`	`int32` Optional. Limit on the number of `CertificateRevocationLists` to include in the response. Further `CertificateRevocationLists` can subsequently be obtained by including the `ListCertificateRevocationListsResponse.next_page_token` in a subsequent request. If unspecified, the server will pick an appropriate default.
`page_token`	`string` Optional. Pagination token, returned earlier via `ListCertificateRevocationListsResponse.next_page_token`.
`filter`	`string` Optional. Only include resources that match the filter in the response.
`order_by`	`string` Optional. Specify how the results should be sorted.

ListCertificateRevocationListsResponse

Response message for CertificateAuthorityService.ListCertificateRevocationLists.

Fields

certificate_revocation_lists[]

CertificateRevocationList

The list of CertificateRevocationLists.

next_page_token

string

A token to retrieve next page of results. Pass this value in [ListCertificateRevocationListsRequest.next_page_token][] to retrieve the next page of results.

unreachable[]

string

A list of locations (e.g. "us-west1") that could not be reached.

ListCertificatesRequest

Request message for CertificateAuthorityService.ListCertificates.

Fields
`parent`	`string` Required. The resource name of the location associated with the `Certificates`, in the format `projects//locations//certificateauthorities/*`. Authorization requires the following IAM permission on the specified resource `parent`: `privateca.certificates.list`
`page_size`	`int32` Optional. Limit on the number of `Certificates` to include in the response. Further `Certificates` can subsequently be obtained by including the `ListCertificatesResponse.next_page_token` in a subsequent request. If unspecified, the server will pick an appropriate default.
`page_token`	`string` Optional. Pagination token, returned earlier via `ListCertificatesResponse.next_page_token`.
`filter`	`string` Optional. Only include resources that match the filter in the response. For details on supported filters and syntax, see Certificates Filtering documentation.
`order_by`	`string` Optional. Specify how the results should be sorted. For details on supported fields and syntax, see Certificates Sorting documentation.

ListCertificatesResponse

Response message for CertificateAuthorityService.ListCertificates.

Fields

certificates[]

Certificate

The list of Certificates.

next_page_token

string

A token to retrieve next page of results. Pass this value in [ListCertificatesRequest.next_page_token][] to retrieve the next page of results.

unreachable[]

string

A list of locations (e.g. "us-west1") that could not be reached.

ListReusableConfigsRequest

Request message for CertificateAuthorityService.ListReusableConfigs.

Fields
`parent`	`string` Required. The resource name of the location associated with the `ReusableConfigs`, in the format `projects//locations/`. Authorization requires the following IAM permission on the specified resource `parent`: `privateca.reusableConfigs.list`
`page_size`	`int32` Optional. Limit on the number of `ReusableConfigs` to include in the response. Further `ReusableConfigs` can subsequently be obtained by including the `ListReusableConfigsResponse.next_page_token` in a subsequent request. If unspecified, the server will pick an appropriate default.
`page_token`	`string` Optional. Pagination token, returned earlier via `ListReusableConfigsResponse.next_page_token`.
`filter`	`string` Optional. Only include resources that match the filter in the response.
`order_by`	`string` Optional. Specify how the results should be sorted.

ListReusableConfigsResponse

Response message for CertificateAuthorityService.ListReusableConfigs.

Fields

reusable_configs[]

ReusableConfig

The list of ReusableConfigs.

next_page_token

string

A token to retrieve next page of results. Pass this value in [ListReusableConfigsRequest.next_page_token][] to retrieve the next page of results.

unreachable[]

string

A list of locations (e.g. "us-west1") that could not be reached.

ObjectId

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.

Fields

object_id_path[]

int32

Required. The parts of an OID path. The most significant parts of the path come first.

OperationMetadata

Represents the metadata of the long-running operation.

Fields
`create_time`	`Timestamp` Output only. The time the operation was created.
`end_time`	`Timestamp` Output only. The time the operation finished running.
`target`	`string` Output only. Server-defined resource path for the target of the operation.
`verb`	`string` Output only. Name of the verb executed by the operation.
`status_message`	`string` Output only. Human-readable status of the operation, if any.
`requested_cancellation`	`bool` Output only. Identifies whether the user has requested cancellation of the operation. Operations that have successfully been cancelled have [Operation.error][] value with a `google.rpc.Status.code` of 1, corresponding to `Code.CANCELLED`.
`api_version`	`string` Output only. API version used to start the operation.

PublicKey

A PublicKey describes a public key.

Fields

type

KeyType

Optional. The type of public key. If specified, it must match the public key used for thekey field.

key

bytes

Required. A public key. When this is specified in a request, the padding and encoding can be any of the options described by the respective 'KeyType' value. When this is generated by the service, it will always be an RFC 5280 SubjectPublicKeyInfo structure containing an algorithm identifier and a key.

KeyType

Types of public keys that are supported. At a minimum, we support RSA and ECDSA, for the key sizes or curves listed: https://cloud.google.com/kms/docs/algorithms#asymmetric_signing_algorithms

Enums
`KEY_TYPE_UNSPECIFIED`	Default unspecified value.
`PEM_RSA_KEY`	A PEM-encoded PKCS#1/RFC 3447 RSAPublicKey structure, or an RFC 5280 SubjectPublicKeyInfo structure containing the former.
`PEM_EC_KEY`	An RFC 5280 SubjectPublicKeyInfo structure containing a PEM-encoded compressed NIST P-256/secp256r1/prime256v1 or P-384 key.

RestoreCertificateAuthorityRequest

Request message for CertificateAuthorityService.RestoreCertificateAuthority.

Fields

name

string

Required. The resource name for this CertificateAuthority in the format projects/*/locations/*/certificateAuthorities/*.

Authorization requires the following IAM permission on the specified resource name:

privateca.certificateAuthorities.update

request_id

string

The request ID must be a valid UUID with the exception that zero UUID is not supported (00000000-0000-0000-0000-000000000000).

ReusableConfig

A ReusableConfig refers to a managed ReusableConfigValues. Those, in turn, are used to describe certain fields of an X.509 certificate, such as the key usage fields, fields specific to CA certificates, certificate policy extensions and custom extensions.

Fields
`name`	`string` Output only. The resource path for this `ReusableConfig` in the format `projects//locations//reusableConfigs/*`.
`values`	`ReusableConfigValues` Required. The config values.
`description`	`string` Optional. A human-readable description of scenarios these ReusableConfigValues may be compatible with.
`create_time`	`Timestamp` Output only. The time at which this `ReusableConfig` was created.
`update_time`	`Timestamp` Output only. The time at which this `ReusableConfig` was updated.
`labels`	`map<string, string>` Optional. Labels with user-defined metadata.

ReusableConfigValues

A ReusableConfigValues is used to describe certain fields of an X.509 certificate, such as the key usage fields, fields specific to CA certificates, certificate policy extensions and custom extensions.

Fields
`key_usage`	`KeyUsage` Optional. Indicates the intended use for keys that correspond to a certificate.
`ca_options`	`CaOptions` Optional. Describes options in this `ReusableConfigValues` that are relevant in a CA certificate.
`policy_ids[]`	`ObjectId` Optional. Describes the X.509 certificate policy object identifiers, per https://tools.ietf.org/html/rfc5280#section-4.2.1.4.
`aia_ocsp_servers[]`	`string` Optional. Describes Online Certificate Status Protocol (OCSP) endpoint addresses that appear in the "Authority Information Access" extension in the certificate.
`additional_extensions[]`	`X509Extension` Optional. Describes custom X.509 extensions.

CaOptions

Describes values that are relevant in a CA certificate.

Fields

is_ca

BoolValue

Optional. Refers to the "CA" X.509 extension, which is a boolean value. When this value is missing, the extension will be omitted from the CA certificate.

max_issuer_path_length

Int32Value

Optional. Refers to the path length restriction X.509 extension. For a CA certificate, this value describes the depth of subordinate CA certificates that are allowed. If this value is less than 0, the request will fail. If this value is missing, the max path length will be omitted from the CA certificate.

ReusableConfigWrapper

A ReusableConfigWrapper describes values that may assist in creating an X.509 certificate, or a reference to a pre-defined set of values.

Fields

Union field config_values. Reusable or inline config values. config_values can be only one of the following:

reusable_config

string

Required. A resource path to a ReusableConfig in the format projects/*/locations/*/reusableConfigs/*.

reusable_config_values

ReusableConfigValues

Required. A user-specified inline ReusableConfigValues.

RevocationReason

A RevocationReason indicates whether a Certificate has been revoked, and the reason for revocation. These correspond to standard revocation reasons from RFC 5280. Note that the enum labels and values in this definition are not the same ASN.1 values defined in RFC 5280. These values will be translated to the correct ASN.1 values when a CRL is created.

Enums
`REVOCATION_REASON_UNSPECIFIED`	Default unspecified value. This value does indicate that a `Certificate` has been revoked, but that a reason has not been recorded.
`KEY_COMPROMISE`	Key material for this `Certificate` may have leaked.
`CERTIFICATE_AUTHORITY_COMPROMISE`	The key material for a certificate authority in the issuing path may have leaked.
`AFFILIATION_CHANGED`	The subject or other attributes in this `Certificate` have changed.
`SUPERSEDED`	This `Certificate` has been superseded.
`CESSATION_OF_OPERATION`	This `Certificate` or entities in the issuing path have ceased to operate.
`CERTIFICATE_HOLD`	This `Certificate` should not be considered valid, it is expected that it may become valid in the future.
`PRIVILEGE_WITHDRAWN`	This `Certificate` no longer has permission to assert the listed attributes.
`ATTRIBUTE_AUTHORITY_COMPROMISE`	The authority which determines appropriate attributes for a `Certificate` may have been compromised.

RevokeCertificateRequest

Request message for CertificateAuthorityService.RevokeCertificate.

Fields

name

string

Required. The resource name for this Certificate in the format projects/*/locations/*/certificateAuthorities/*/certificates/*.

Authorization requires the following IAM permission on the specified resource name:

privateca.certificates.update

reason

RevocationReason

Required. The RevocationReason for revoking this certificate.

request_id

string

The request ID must be a valid UUID with the exception that zero UUID is not supported (00000000-0000-0000-0000-000000000000).

ScheduleDeleteCertificateAuthorityRequest

Request message for CertificateAuthorityService.ScheduleDeleteCertificateAuthority.

Fields

name

string

Required. The resource name for this CertificateAuthority in the format projects/*/locations/*/certificateAuthorities/*.

Authorization requires the following IAM permission on the specified resource name:

privateca.certificateAuthorities.delete

request_id

string

The request ID must be a valid UUID with the exception that zero UUID is not supported (00000000-0000-0000-0000-000000000000).

ignore_active_certificates

bool

Optional. This field allows the CA to be scheduled for deletion even if the CA has active certs. Active certs include both unrevoked and unexpired certs.

Subject

Subject describes parts of a distinguished name that, in turn, describes the subject of the certificate.

Fields
`country_code`	`string` The country code of the subject.
`organization`	`string` The organization of the subject.
`organizational_unit`	`string` The organizational_unit of the subject.
`locality`	`string` The locality or city of the subject.
`province`	`string` The province, territory, or regional state of the subject.
`street_address`	`string` The street address of the subject.
`postal_code`	`string` The postal code of the subject.

SubjectAltNames

SubjectAltNames corresponds to a more modern way of listing what the asserted identity is in a certificate (i.e., compared to the "common name" in the distinguished name).

Fields
`dns_names[]`	`string` Contains only valid, fully-qualified host names.
`uris[]`	`string` Contains only valid RFC 3986 URIs.
`email_addresses[]`	`string` Contains only valid RFC 2822 E-mail addresses.
`ip_addresses[]`	`string` Contains only valid 32-bit IPv4 addresses or RFC 4291 IPv6 addresses.
`custom_sans[]`	`X509Extension` Contains additional subject alternative name values.

SubordinateConfig

Describes a subordinate CA's issuers. This is either a resource path to a known issuing CertificateAuthority, or a PEM issuer certificate chain.

Fields

Union field subordinate_config.

subordinate_config can be only one of the following:

certificate_authority

string

Required. This can refer to a CertificateAuthority in the same project that was used to create a subordinate CertificateAuthority. This field is used for information and usability purposes only. The resource name is in the format projects/*/locations/*/certificateAuthorities/*.

pem_issuer_chain

SubordinateConfigChain

Required. Contains the PEM certificate chain for the issuers of this CertificateAuthority, but not pem certificate for this CA itself.

SubordinateConfigChain

This message describes a subordinate CA's issuer certificate chain. This wrapper exists for compatibility reasons.

Fields

pem_certificates[]

string

Required. Expected to be in leaf-to-root order according to RFC 5246.

UpdateCertificateAuthorityRequest

Request message for CertificateAuthorityService.UpdateCertificateAuthority.

Fields

certificate_authority

CertificateAuthority

Required. CertificateAuthority with updated values.

Authorization requires the following IAM permission on the specified resource certificateAuthority:

privateca.certificateAuthorities.update

update_mask

FieldMask

Required. A list of fields to be updated in this request.

request_id

string

The request ID must be a valid UUID with the exception that zero UUID is not supported (00000000-0000-0000-0000-000000000000).

UpdateCertificateRequest

Request message for CertificateAuthorityService.UpdateCertificate.

Fields

certificate

Certificate

Required. Certificate with updated values.

Authorization requires the following IAM permission on the specified resource certificate:

privateca.certificates.update

update_mask

FieldMask

Required. A list of fields to be updated in this request.

request_id

string

The request ID must be a valid UUID with the exception that zero UUID is not supported (00000000-0000-0000-0000-000000000000).

UpdateCertificateRevocationListRequest

Request message for CertificateAuthorityService.UpdateCertificateRevocationList.

Fields

certificate_revocation_list

CertificateRevocationList

Required. CertificateRevocationList with updated values.

Authorization requires the following IAM permission on the specified resource certificateRevocationList:

privateca.certificateRevocationLists.update

update_mask

FieldMask

Required. A list of fields to be updated in this request.

request_id

string

The request ID must be a valid UUID with the exception that zero UUID is not supported (00000000-0000-0000-0000-000000000000).

X509Extension

An X509Extension specifies an X.509 extension, which may be used in different parts of X.509 objects like certificates, CSRs, and CRLs.

Fields

object_id

ObjectId

Required. The OID for this X.509 extension.

critical

bool

Required. Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error).

value

bytes

Required. The value of this X.509 extension.