CA 풀의 발급 정책을 설정하거나 업데이트합니다. 이 CA 풀에서 발급되는 모든 인증서는 발급 정책을 충족해야 합니다.
코드 샘플
Java
CA Service에 인증하려면 애플리케이션 기본 사용자 인증 정보를 설정합니다. 자세한 내용은 로컬 개발 환경의 인증 설정을 참조하세요.
import com.google.api.core.ApiFuture;
import com.google.cloud.security.privateca.v1.CaPool;
import com.google.cloud.security.privateca.v1.CaPool.IssuancePolicy;
import com.google.cloud.security.privateca.v1.CaPoolName;
import com.google.cloud.security.privateca.v1.CertificateAuthorityServiceClient;
import com.google.cloud.security.privateca.v1.CertificateIdentityConstraints;
import com.google.cloud.security.privateca.v1.UpdateCaPoolRequest;
import com.google.longrunning.Operation;
import com.google.protobuf.FieldMask;
import com.google.type.Expr;
import java.io.IOException;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.TimeoutException;
public class UpdateCaPoolIssuancePolicy {
public static void main(String[] args)
throws IOException, ExecutionException, InterruptedException, TimeoutException {
// TODO(developer): Replace these variables before running the sample.
// location: For a list of locations, see:
// https://cloud.google.com/certificate-authority-service/docs/locations
// poolId: The CA pool for which the issuance policy is to be updated.
String project = "your-project-id";
String location = "ca-location";
String poolId = "ca-pool-id";
updateCaPoolIssuancePolicy(project, location, poolId);
}
/* Update the Issuance policy for a CA Pool. All certificates issued from this CA Pool should
meet the issuance policy. */
public static void updateCaPoolIssuancePolicy(String project, String location, String poolId)
throws IOException, ExecutionException, InterruptedException, TimeoutException {
/* Initialize client that will be used to send requests. This client only needs to be created
once, and can be reused for multiple requests. After completing all of your requests, call
the `certificateAuthorityServiceClient.close()` method on the client to safely
clean up any remaining background resources. */
try (CertificateAuthorityServiceClient certificateAuthorityServiceClient =
CertificateAuthorityServiceClient.create()) {
/* Set the updated issuance policy for the CA Pool.
This particular issuance policy allows only SANs that
have DNS Names as "us.google.org" or ending in ".google.com". */
String expr =
"subject_alt_names.all(san, san.type == DNS && (san.value == \"dns.example.com\""
+ " || san.value.endsWith(\".example.com\")) )";
CaPool.IssuancePolicy issuancePolicy =
IssuancePolicy.newBuilder()
.setIdentityConstraints(
CertificateIdentityConstraints.newBuilder()
.setAllowSubjectPassthrough(true)
.setAllowSubjectAltNamesPassthrough(true)
.setCelExpression(Expr.newBuilder().setExpression(expr).build())
.build())
.build();
CaPool caPool =
CaPool.newBuilder()
.setName(CaPoolName.of(project, location, poolId).toString())
.setIssuancePolicy(issuancePolicy)
.build();
/* 1. Set the CA pool with updated values.
2. Set the update mask to specify which properties of the CA Pool should be updated.
Only the properties specified in the mask will be updated. Make sure that the mask fields
match the updated issuance policy.
For more info on constructing path for update mask, see:
https://cloud.google.com/certificate-authority-service/docs/reference/rest/v1/projects.locations.caPools#issuancepolicy */
UpdateCaPoolRequest updateCaPoolRequest =
UpdateCaPoolRequest.newBuilder()
.setCaPool(caPool)
.setUpdateMask(
FieldMask.newBuilder(
FieldMask.newBuilder()
.addPaths(
"issuance_policy.identity_constraints.allow_subject_passthrough")
.addPaths(
"issuance_policy.identity_constraints."
+ "allow_subject_alt_names_passthrough")
.addPaths("issuance_policy.identity_constraints.cel_expression")
.build()))
.build();
// Update CA Pool request.
ApiFuture<Operation> futureCall =
certificateAuthorityServiceClient.updateCaPoolCallable().futureCall(updateCaPoolRequest);
Operation operation = futureCall.get(60, TimeUnit.SECONDS);
// Check for errors.
if (operation.hasError()) {
System.out.println("Error in updating CA Pool Issuance policy ! " + operation.getError());
return;
}
// Get the CA Pool's issuance policy and verify if the fields have been successfully updated.
IssuancePolicy response =
certificateAuthorityServiceClient
.getCaPool(CaPoolName.of(project, location, poolId).toString())
.getIssuancePolicy();
// Similarly, you can check for other modified fields as well.
if (response.getIdentityConstraints().getAllowSubjectPassthrough()
&& response.getIdentityConstraints().getAllowSubjectAltNamesPassthrough()) {
System.out.println("CA Pool Issuance policy has been updated successfully ! ");
return;
}
System.out.println(
"Error in updating CA Pool Issuance policy ! Please try again ! " + response);
}
}
}Python
CA Service에 인증하려면 애플리케이션 기본 사용자 인증 정보를 설정합니다. 자세한 내용은 로컬 개발 환경의 인증 설정을 참조하세요.
import google.cloud.security.privateca_v1 as privateca_v1
from google.protobuf import field_mask_pb2
from google.type import expr_pb2
def update_ca_pool_issuance_policy(
project_id: str,
location: str,
ca_pool_name: str,
) -> None:
"""
Update the issuance policy for a CA Pool. All certificates issued from this CA Pool should
meet the issuance policy
Args:
project_id: project ID or project number of the Cloud project you want to use.
location: location you want to use. For a list of locations, see: https://cloud.google.com/certificate-authority-service/docs/locations.
ca_pool_name: a unique name for the ca pool.
"""
caServiceClient = privateca_v1.CertificateAuthorityServiceClient()
ca_pool_path = caServiceClient.ca_pool_path(project_id, location, ca_pool_name)
# Set the updated issuance policy for the CA Pool.
# This particular issuance policy allows only SANs that
# have DNS Names as "us.google.org" or ending in ".google.com". */
expr = expr_pb2.Expr(
expression='subject_alt_names.all(san, san.type == DNS && (san.value == "us.google.org" || san.value.endsWith(".google.com")) )'
)
issuance_policy = privateca_v1.CaPool.IssuancePolicy(
identity_constraints=privateca_v1.CertificateIdentityConstraints(
allow_subject_passthrough=True,
allow_subject_alt_names_passthrough=True,
cel_expression=expr,
),
)
ca_pool = privateca_v1.CaPool(
name=ca_pool_path,
issuance_policy=issuance_policy,
)
# 1. Set the CA pool with updated values.
# 2. Set the update mask to specify which properties of the CA Pool should be updated.
# Only the properties specified in the mask will be updated. Make sure that the mask fields
# match the updated issuance policy.
# For more info on constructing path for update mask, see:
# https://cloud.google.com/certificate-authority-service/docs/reference/rest/v1/projects.locations.caPools#issuancepolicy */
request = privateca_v1.UpdateCaPoolRequest(
ca_pool=ca_pool,
update_mask=field_mask_pb2.FieldMask(
paths=[
"issuance_policy.identity_constraints.allow_subject_alt_names_passthrough",
"issuance_policy.identity_constraints.allow_subject_passthrough",
"issuance_policy.identity_constraints.cel_expression",
],
),
)
operation = caServiceClient.update_ca_pool(request=request)
result = operation.result()
print("Operation result", result)
# Get the CA Pool's issuance policy and verify if the fields have been successfully updated.
issuance_policy = caServiceClient.get_ca_pool(name=ca_pool_path).issuance_policy
# Similarly, you can check for other modified fields as well.
if (
issuance_policy.identity_constraints.allow_subject_passthrough
and issuance_policy.identity_constraints.allow_subject_alt_names_passthrough
):
print("CA Pool Issuance policy has been updated successfully!")
return
print("Error in updating CA Pool Issuance policy! Please try again!")
다음 단계
다른 Google Cloud 제품의 코드 샘플을 검색하고 필터링하려면 Google Cloud 샘플 브라우저를 참조하세요.