Package google.cloud.certificatemanager.v1

Index

CertificateManager (interface)
Certificate (message)
Certificate.ManagedCertificate (message)
Certificate.ManagedCertificate.AuthorizationAttemptInfo (message)
Certificate.ManagedCertificate.AuthorizationAttemptInfo.FailureReason (enum)
Certificate.ManagedCertificate.AuthorizationAttemptInfo.State (enum)
Certificate.ManagedCertificate.ProvisioningIssue (message)
Certificate.ManagedCertificate.ProvisioningIssue.Reason (enum)
Certificate.ManagedCertificate.State (enum)
Certificate.Scope (enum)
Certificate.SelfManagedCertificate (message)
CertificateIssuanceConfig (message)
CertificateIssuanceConfig.CertificateAuthorityConfig (message)
CertificateIssuanceConfig.CertificateAuthorityConfig.CertificateAuthorityServiceConfig (message)
CertificateIssuanceConfig.KeyAlgorithm (enum)
CertificateMap (message)
CertificateMap.GclbTarget (message)
CertificateMap.GclbTarget.IpConfig (message)
CertificateMapEntry (message)
CertificateMapEntry.Matcher (enum)
CreateCertificateIssuanceConfigRequest (message)
CreateCertificateMapEntryRequest (message)
CreateCertificateMapRequest (message)
CreateCertificateRequest (message)
CreateDnsAuthorizationRequest (message)
CreateTrustConfigRequest (message)
DeleteCertificateIssuanceConfigRequest (message)
DeleteCertificateMapEntryRequest (message)
DeleteCertificateMapRequest (message)
DeleteCertificateRequest (message)
DeleteDnsAuthorizationRequest (message)
DeleteTrustConfigRequest (message)
DnsAuthorization (message)
DnsAuthorization.DnsResourceRecord (message)
DnsAuthorization.Type (enum)
GetCertificateIssuanceConfigRequest (message)
GetCertificateMapEntryRequest (message)
GetCertificateMapRequest (message)
GetCertificateRequest (message)
GetDnsAuthorizationRequest (message)
GetTrustConfigRequest (message)
ListCertificateIssuanceConfigsRequest (message)
ListCertificateIssuanceConfigsResponse (message)
ListCertificateMapEntriesRequest (message)
ListCertificateMapEntriesResponse (message)
ListCertificateMapsRequest (message)
ListCertificateMapsResponse (message)
ListCertificatesRequest (message)
ListCertificatesResponse (message)
ListDnsAuthorizationsRequest (message)
ListDnsAuthorizationsResponse (message)
ListTrustConfigsRequest (message)
ListTrustConfigsResponse (message)
OperationMetadata (message)
ServingState (enum)
TrustConfig (message)
TrustConfig.AllowlistedCertificate (message)
TrustConfig.IntermediateCA (message)
TrustConfig.TrustAnchor (message)
TrustConfig.TrustStore (message)
UpdateCertificateMapEntryRequest (message)
UpdateCertificateMapRequest (message)
UpdateCertificateRequest (message)
UpdateDnsAuthorizationRequest (message)
UpdateTrustConfigRequest (message)

CertificateManager

API Overview

Certificates Manager API allows customers to see and manage all their TLS certificates.

Certificates Manager API service provides methods to manage certificates, group them into collections, and create serving configuration that can be easily applied to other Cloud resources e.g. Target Proxies.

Data Model

The Certificates Manager service exposes the following resources:

Certificate that describes a single TLS certificate.
CertificateMap that describes a collection of certificates that can be attached to a target resource.
CertificateMapEntry that describes a single configuration entry that consists of a SNI and a group of certificates. It's a subresource of CertificateMap.

Certificate, CertificateMap and CertificateMapEntry IDs have to fully match the regexp [a-z0-9-]{1,63}. In other words, - only lower case letters, digits, and hyphen are allowed - length of the resource ID has to be in [1,63] range.

Provides methods to manage Cloud Certificate Manager entities.

CreateCertificate

CreateCertificate
`rpc CreateCertificate(CreateCertificateRequest) returns (Operation)` Creates a new Certificate in a given project and location. Authorization scopes Requires the following OAuth scope: `https://www.googleapis.com/auth/cloud-platform` For more information, see the Authentication Overview.

rpc CreateCertificate(CreateCertificateRequest) returns (Operation)

Creates a new Certificate in a given project and location.

Authorization scopes

Requires the following OAuth scope:

https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

CreateCertificateIssuanceConfig

CreateCertificateIssuanceConfig
`rpc CreateCertificateIssuanceConfig(CreateCertificateIssuanceConfigRequest) returns (Operation)` Creates a new CertificateIssuanceConfig in a given project and location. Authorization scopes Requires the following OAuth scope: `https://www.googleapis.com/auth/cloud-platform` For more information, see the Authentication Overview.

rpc CreateCertificateIssuanceConfig(CreateCertificateIssuanceConfigRequest) returns (Operation)

Creates a new CertificateIssuanceConfig in a given project and location.

Authorization scopes

Requires the following OAuth scope:

https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

CreateCertificateMap

CreateCertificateMap
`rpc CreateCertificateMap(CreateCertificateMapRequest) returns (Operation)` Creates a new CertificateMap in a given project and location. Authorization scopes Requires the following OAuth scope: `https://www.googleapis.com/auth/cloud-platform` For more information, see the Authentication Overview.

rpc CreateCertificateMap(CreateCertificateMapRequest) returns (Operation)

Creates a new CertificateMap in a given project and location.

Authorization scopes

Requires the following OAuth scope:

https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

CreateCertificateMapEntry

CreateCertificateMapEntry
`rpc CreateCertificateMapEntry(CreateCertificateMapEntryRequest) returns (Operation)` Creates a new CertificateMapEntry in a given project and location. Authorization scopes Requires the following OAuth scope: `https://www.googleapis.com/auth/cloud-platform` For more information, see the Authentication Overview.

rpc CreateCertificateMapEntry(CreateCertificateMapEntryRequest) returns (Operation)

Creates a new CertificateMapEntry in a given project and location.

Authorization scopes

Requires the following OAuth scope:

https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

CreateDnsAuthorization

CreateDnsAuthorization
`rpc CreateDnsAuthorization(CreateDnsAuthorizationRequest) returns (Operation)` Creates a new DnsAuthorization in a given project and location. Authorization scopes Requires the following OAuth scope: `https://www.googleapis.com/auth/cloud-platform` For more information, see the Authentication Overview.

rpc CreateDnsAuthorization(CreateDnsAuthorizationRequest) returns (Operation)

Creates a new DnsAuthorization in a given project and location.

Authorization scopes

Requires the following OAuth scope:

https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

CreateTrustConfig

CreateTrustConfig
`rpc CreateTrustConfig(CreateTrustConfigRequest) returns (Operation)` Creates a new TrustConfig in a given project and location. Authorization scopes Requires the following OAuth scope: `https://www.googleapis.com/auth/cloud-platform` For more information, see the Authentication Overview.

rpc CreateTrustConfig(CreateTrustConfigRequest) returns (Operation)

Creates a new TrustConfig in a given project and location.

Authorization scopes

Requires the following OAuth scope:

https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

DeleteCertificate

DeleteCertificate
`rpc DeleteCertificate(DeleteCertificateRequest) returns (Operation)` Deletes a single Certificate. Authorization scopes Requires the following OAuth scope: `https://www.googleapis.com/auth/cloud-platform` For more information, see the Authentication Overview.

rpc DeleteCertificate(DeleteCertificateRequest) returns (Operation)

Deletes a single Certificate.

Authorization scopes

Requires the following OAuth scope:

https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

DeleteCertificateIssuanceConfig

DeleteCertificateIssuanceConfig
`rpc DeleteCertificateIssuanceConfig(DeleteCertificateIssuanceConfigRequest) returns (Operation)` Deletes a single CertificateIssuanceConfig. Authorization scopes Requires the following OAuth scope: `https://www.googleapis.com/auth/cloud-platform` For more information, see the Authentication Overview.

rpc DeleteCertificateIssuanceConfig(DeleteCertificateIssuanceConfigRequest) returns (Operation)

Deletes a single CertificateIssuanceConfig.

Authorization scopes

Requires the following OAuth scope:

https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

DeleteCertificateMap

DeleteCertificateMap
`rpc DeleteCertificateMap(DeleteCertificateMapRequest) returns (Operation)` Deletes a single CertificateMap. A Certificate Map can't be deleted if it contains Certificate Map Entries. Remove all the entries from the map before calling this method. Authorization scopes Requires the following OAuth scope: `https://www.googleapis.com/auth/cloud-platform` For more information, see the Authentication Overview.

rpc DeleteCertificateMap(DeleteCertificateMapRequest) returns (Operation)

Deletes a single CertificateMap. A Certificate Map can't be deleted if it contains Certificate Map Entries. Remove all the entries from the map before calling this method.

Authorization scopes

Requires the following OAuth scope:

https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

DeleteCertificateMapEntry

DeleteCertificateMapEntry
`rpc DeleteCertificateMapEntry(DeleteCertificateMapEntryRequest) returns (Operation)` Deletes a single CertificateMapEntry. Authorization scopes Requires the following OAuth scope: `https://www.googleapis.com/auth/cloud-platform` For more information, see the Authentication Overview.

rpc DeleteCertificateMapEntry(DeleteCertificateMapEntryRequest) returns (Operation)

Deletes a single CertificateMapEntry.

Authorization scopes

Requires the following OAuth scope:

https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

DeleteDnsAuthorization

DeleteDnsAuthorization
`rpc DeleteDnsAuthorization(DeleteDnsAuthorizationRequest) returns (Operation)` Deletes a single DnsAuthorization. Authorization scopes Requires the following OAuth scope: `https://www.googleapis.com/auth/cloud-platform` For more information, see the Authentication Overview.

rpc DeleteDnsAuthorization(DeleteDnsAuthorizationRequest) returns (Operation)

Deletes a single DnsAuthorization.

Authorization scopes

Requires the following OAuth scope:

https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

DeleteTrustConfig

DeleteTrustConfig
`rpc DeleteTrustConfig(DeleteTrustConfigRequest) returns (Operation)` Deletes a single TrustConfig. Authorization scopes Requires the following OAuth scope: `https://www.googleapis.com/auth/cloud-platform` For more information, see the Authentication Overview.

rpc DeleteTrustConfig(DeleteTrustConfigRequest) returns (Operation)

Deletes a single TrustConfig.

Authorization scopes

Requires the following OAuth scope:

https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

GetCertificate

GetCertificate
`rpc GetCertificate(GetCertificateRequest) returns (Certificate)` Gets details of a single Certificate. Authorization scopes Requires the following OAuth scope: `https://www.googleapis.com/auth/cloud-platform` For more information, see the Authentication Overview.

rpc GetCertificate(GetCertificateRequest) returns (Certificate)

Gets details of a single Certificate.

Authorization scopes

Requires the following OAuth scope:

https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

GetCertificateIssuanceConfig

GetCertificateIssuanceConfig
`rpc GetCertificateIssuanceConfig(GetCertificateIssuanceConfigRequest) returns (CertificateIssuanceConfig)` Gets details of a single CertificateIssuanceConfig. Authorization scopes Requires the following OAuth scope: `https://www.googleapis.com/auth/cloud-platform` For more information, see the Authentication Overview.

rpc GetCertificateIssuanceConfig(GetCertificateIssuanceConfigRequest) returns (CertificateIssuanceConfig)

Gets details of a single CertificateIssuanceConfig.

Authorization scopes

Requires the following OAuth scope:

https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

GetCertificateMap

GetCertificateMap
`rpc GetCertificateMap(GetCertificateMapRequest) returns (CertificateMap)` Gets details of a single CertificateMap. Authorization scopes Requires the following OAuth scope: `https://www.googleapis.com/auth/cloud-platform` For more information, see the Authentication Overview.

rpc GetCertificateMap(GetCertificateMapRequest) returns (CertificateMap)

Gets details of a single CertificateMap.

Authorization scopes

Requires the following OAuth scope:

https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

GetCertificateMapEntry

GetCertificateMapEntry
`rpc GetCertificateMapEntry(GetCertificateMapEntryRequest) returns (CertificateMapEntry)` Gets details of a single CertificateMapEntry. Authorization scopes Requires the following OAuth scope: `https://www.googleapis.com/auth/cloud-platform` For more information, see the Authentication Overview.

rpc GetCertificateMapEntry(GetCertificateMapEntryRequest) returns (CertificateMapEntry)

Gets details of a single CertificateMapEntry.

Authorization scopes

Requires the following OAuth scope:

https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

GetDnsAuthorization

GetDnsAuthorization
`rpc GetDnsAuthorization(GetDnsAuthorizationRequest) returns (DnsAuthorization)` Gets details of a single DnsAuthorization. Authorization scopes Requires the following OAuth scope: `https://www.googleapis.com/auth/cloud-platform` For more information, see the Authentication Overview.

rpc GetDnsAuthorization(GetDnsAuthorizationRequest) returns (DnsAuthorization)

Gets details of a single DnsAuthorization.

Authorization scopes

Requires the following OAuth scope:

https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

GetTrustConfig

GetTrustConfig
`rpc GetTrustConfig(GetTrustConfigRequest) returns (TrustConfig)` Gets details of a single TrustConfig. Authorization scopes Requires the following OAuth scope: `https://www.googleapis.com/auth/cloud-platform` For more information, see the Authentication Overview.

rpc GetTrustConfig(GetTrustConfigRequest) returns (TrustConfig)

Gets details of a single TrustConfig.

Authorization scopes

Requires the following OAuth scope:

https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

ListCertificateIssuanceConfigs

ListCertificateIssuanceConfigs
`rpc ListCertificateIssuanceConfigs(ListCertificateIssuanceConfigsRequest) returns (ListCertificateIssuanceConfigsResponse)` Lists CertificateIssuanceConfigs in a given project and location. Authorization scopes Requires the following OAuth scope: `https://www.googleapis.com/auth/cloud-platform` For more information, see the Authentication Overview.

rpc ListCertificateIssuanceConfigs(ListCertificateIssuanceConfigsRequest) returns (ListCertificateIssuanceConfigsResponse)

Lists CertificateIssuanceConfigs in a given project and location.

Authorization scopes

Requires the following OAuth scope:

https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

ListCertificateMapEntries

ListCertificateMapEntries
`rpc ListCertificateMapEntries(ListCertificateMapEntriesRequest) returns (ListCertificateMapEntriesResponse)` Lists CertificateMapEntries in a given project and location. Authorization scopes Requires the following OAuth scope: `https://www.googleapis.com/auth/cloud-platform` For more information, see the Authentication Overview.

rpc ListCertificateMapEntries(ListCertificateMapEntriesRequest) returns (ListCertificateMapEntriesResponse)

Lists CertificateMapEntries in a given project and location.

Authorization scopes

Requires the following OAuth scope:

https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

ListCertificateMaps

ListCertificateMaps
`rpc ListCertificateMaps(ListCertificateMapsRequest) returns (ListCertificateMapsResponse)` Lists CertificateMaps in a given project and location. Authorization scopes Requires the following OAuth scope: `https://www.googleapis.com/auth/cloud-platform` For more information, see the Authentication Overview.

rpc ListCertificateMaps(ListCertificateMapsRequest) returns (ListCertificateMapsResponse)

Lists CertificateMaps in a given project and location.

Authorization scopes

Requires the following OAuth scope:

https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

ListCertificates

ListCertificates
`rpc ListCertificates(ListCertificatesRequest) returns (ListCertificatesResponse)` Lists Certificates in a given project and location. Authorization scopes Requires the following OAuth scope: `https://www.googleapis.com/auth/cloud-platform` For more information, see the Authentication Overview.

rpc ListCertificates(ListCertificatesRequest) returns (ListCertificatesResponse)

Lists Certificates in a given project and location.

Authorization scopes

Requires the following OAuth scope:

https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

ListDnsAuthorizations

ListDnsAuthorizations
`rpc ListDnsAuthorizations(ListDnsAuthorizationsRequest) returns (ListDnsAuthorizationsResponse)` Lists DnsAuthorizations in a given project and location. Authorization scopes Requires the following OAuth scope: `https://www.googleapis.com/auth/cloud-platform` For more information, see the Authentication Overview.

rpc ListDnsAuthorizations(ListDnsAuthorizationsRequest) returns (ListDnsAuthorizationsResponse)

Lists DnsAuthorizations in a given project and location.

Authorization scopes

Requires the following OAuth scope:

https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

ListTrustConfigs

ListTrustConfigs
`rpc ListTrustConfigs(ListTrustConfigsRequest) returns (ListTrustConfigsResponse)` Lists TrustConfigs in a given project and location. Authorization scopes Requires the following OAuth scope: `https://www.googleapis.com/auth/cloud-platform` For more information, see the Authentication Overview.

rpc ListTrustConfigs(ListTrustConfigsRequest) returns (ListTrustConfigsResponse)

Lists TrustConfigs in a given project and location.

Authorization scopes

Requires the following OAuth scope:

https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

UpdateCertificate

UpdateCertificate
`rpc UpdateCertificate(UpdateCertificateRequest) returns (Operation)` Updates a Certificate. Authorization scopes Requires the following OAuth scope: `https://www.googleapis.com/auth/cloud-platform` For more information, see the Authentication Overview.

rpc UpdateCertificate(UpdateCertificateRequest) returns (Operation)

Updates a Certificate.

Authorization scopes

Requires the following OAuth scope:

https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

UpdateCertificateMap

UpdateCertificateMap
`rpc UpdateCertificateMap(UpdateCertificateMapRequest) returns (Operation)` Updates a CertificateMap. Authorization scopes Requires the following OAuth scope: `https://www.googleapis.com/auth/cloud-platform` For more information, see the Authentication Overview.

rpc UpdateCertificateMap(UpdateCertificateMapRequest) returns (Operation)

Updates a CertificateMap.

Authorization scopes

Requires the following OAuth scope:

https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

UpdateCertificateMapEntry

UpdateCertificateMapEntry
`rpc UpdateCertificateMapEntry(UpdateCertificateMapEntryRequest) returns (Operation)` Updates a CertificateMapEntry. Authorization scopes Requires the following OAuth scope: `https://www.googleapis.com/auth/cloud-platform` For more information, see the Authentication Overview.

rpc UpdateCertificateMapEntry(UpdateCertificateMapEntryRequest) returns (Operation)

Updates a CertificateMapEntry.

Authorization scopes

Requires the following OAuth scope:

https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

UpdateDnsAuthorization

UpdateDnsAuthorization
`rpc UpdateDnsAuthorization(UpdateDnsAuthorizationRequest) returns (Operation)` Updates a DnsAuthorization. Authorization scopes Requires the following OAuth scope: `https://www.googleapis.com/auth/cloud-platform` For more information, see the Authentication Overview.

rpc UpdateDnsAuthorization(UpdateDnsAuthorizationRequest) returns (Operation)

Updates a DnsAuthorization.

Authorization scopes

Requires the following OAuth scope:

https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

UpdateTrustConfig

UpdateTrustConfig
`rpc UpdateTrustConfig(UpdateTrustConfigRequest) returns (Operation)` Updates a TrustConfig. Authorization scopes Requires the following OAuth scope: `https://www.googleapis.com/auth/cloud-platform` For more information, see the Authentication Overview.

rpc UpdateTrustConfig(UpdateTrustConfigRequest) returns (Operation)

Updates a TrustConfig.

Authorization scopes

Requires the following OAuth scope:

https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

Certificate

Defines TLS certificate.

Fields
`name`	`string` A user-defined name of the certificate. Certificate names must be unique globally and match pattern `projects//locations//certificates/*`.
`description`	`string` One or more paragraphs of text description of a certificate.
`create_time`	`Timestamp` Output only. The creation timestamp of a Certificate.
`update_time`	`Timestamp` Output only. The last update timestamp of a Certificate.
`labels`	`map<string, string>` Set of labels associated with a Certificate.
`san_dnsnames[]`	`string` Output only. The list of Subject Alternative Names of dnsName type defined in the certificate (see RFC 5280 4.2.1.6). Managed certificates that haven't been provisioned yet have this field populated with a value of the managed.domains field.
`pem_certificate`	`string` Output only. The PEM-encoded certificate chain.
`expire_time`	`Timestamp` Output only. The expiry timestamp of a Certificate.
`scope`	`Scope` Immutable. The scope of the certificate.
Union field `type`. `type` can be only one of the following:
`self_managed`	`SelfManagedCertificate` If set, defines data of a self-managed certificate.
`managed`	`ManagedCertificate` If set, contains configuration and state of a managed certificate.

ManagedCertificate

Configuration and state of a Managed Certificate. Certificate Manager provisions and renews Managed Certificates automatically, for as long as it's authorized to do so.

Fields
`domains[]`	`string` Immutable. The domains for which a managed SSL certificate will be generated. Wildcard domains are only supported with DNS challenge resolution.
`dns_authorizations[]`	`string` Immutable. Authorizations that will be used for performing domain authorization. Authorization requires the following IAM permission on the specified resource `dnsAuthorizations`: `certificatemanager.dnsauthorizations.use`
`issuance_config`	`string` Immutable. The resource name for a `CertificateIssuanceConfig` used to configure private PKI certificates in the format `projects//locations//certificateIssuanceConfigs/*`. If this field is not set, the certificates will instead be publicly signed as documented at https://cloud.google.com/load-balancing/docs/ssl-certificates/google-managed-certs#caa. Authorization requires the following IAM permission on the specified resource `issuanceConfig`: `certificatemanager.certissuanceconfigs.use`
`state`	`State` Output only. State of the managed certificate resource.
`provisioning_issue`	`ProvisioningIssue` Output only. Information about issues with provisioning a Managed Certificate.
`authorization_attempt_info[]`	`AuthorizationAttemptInfo` Output only. Detailed state of the latest authorization attempt for each domain specified for managed certificate resource.

AuthorizationAttemptInfo

State of the latest attempt to authorize a domain for certificate issuance.

Fields
`domain`	`string` Domain name of the authorization attempt.
`state`	`State` Output only. State of the domain for managed certificate issuance.
`failure_reason`	`FailureReason` Output only. Reason for failure of the authorization attempt for the domain.
`details`	`string` Output only. Human readable explanation for reaching the state. Provided to help address the configuration issues. Not guaranteed to be stable. For programmatic access use FailureReason enum.

FailureReason

Reason for failure of the authorization attempt for the domain.

Enums
`FAILURE_REASON_UNSPECIFIED`	FailureReason is unspecified.
`CONFIG`	There was a problem with the user's DNS or load balancer configuration for this domain.
`CAA`	Certificate issuance forbidden by an explicit CAA record for the domain or a failure to check CAA records for the domain.
`RATE_LIMITED`	Reached a CA or internal rate-limit for the domain, e.g. for certificates per top-level private domain.

State

State of the domain for managed certificate issuance.

Enums
`STATE_UNSPECIFIED`	State is unspecified.
`AUTHORIZING`	Certificate provisioning for this domain is under way. Google Cloud will attempt to authorize the domain.
`AUTHORIZED`	A managed certificate can be provisioned, no issues for this domain.
`FAILED`	Attempt to authorize the domain failed. This prevents the Managed Certificate from being issued. See `failure_reason` and `details` fields for more information.

ProvisioningIssue

Information about issues with provisioning a Managed Certificate.

Fields

Fields
`reason`	`Reason` Output only. Reason for provisioning failures.
`details`	`string` Output only. Human readable explanation about the issue. Provided to help address the configuration issues. Not guaranteed to be stable. For programmatic access use Reason enum.

reason

Reason

Output only. Reason for provisioning failures.

details

string

Output only. Human readable explanation about the issue. Provided to help address the configuration issues. Not guaranteed to be stable. For programmatic access use Reason enum.

Reason

Reason for provisioning failures.

Enums
`REASON_UNSPECIFIED`	Reason is unspecified.
`AUTHORIZATION_ISSUE`	Certificate provisioning failed due to an issue with one or more of the domains on the certificate. For details of which domains failed, consult the `authorization_attempt_info` field.
`RATE_LIMITED`	Exceeded Certificate Authority quotas or internal rate limits of the system. Provisioning may take longer to complete.

State

State of the managed certificate resource.

Enums
`STATE_UNSPECIFIED`	State is unspecified.
`PROVISIONING`	Certificate Manager attempts to provision or renew the certificate. If the process takes longer than expected, consult the `provisioning_issue` field.
`FAILED`	Multiple certificate provisioning attempts failed and Certificate Manager gave up. To try again, delete and create a new managed Certificate resource. For details see the `provisioning_issue` field.
`ACTIVE`	The certificate management is working, and a certificate has been provisioned.

Scope

Certificate scope.

Enums
`DEFAULT`	Certificates with default scope are served from core Google data centers. If unsure, choose this option.
`EDGE_CACHE`	Certificates with scope EDGE_CACHE are special-purposed certificates, served from Edge Points of Presence. See https://cloud.google.com/vpc/docs/edge-locations.
`ALL_REGIONS`	Certificates with ALL_REGIONS scope are served from all Google Cloud regions. See https://cloud.google.com/compute/docs/regions-zones.

SelfManagedCertificate

Certificate data for a SelfManaged Certificate. SelfManaged Certificates are uploaded by the user. Updating such certificates before they expire remains the user's responsibility.

Fields

Fields
`pem_certificate`	`string` Input only. The PEM-encoded certificate chain. Leaf certificate comes first, followed by intermediate ones if any.
`pem_private_key`	`string` Input only. The PEM-encoded private key of the leaf certificate.

pem_certificate

string

Input only. The PEM-encoded certificate chain. Leaf certificate comes first, followed by intermediate ones if any.

pem_private_key

string

Input only. The PEM-encoded private key of the leaf certificate.

CertificateIssuanceConfig

CertificateIssuanceConfig specifies how to issue and manage a certificate.

Fields
`name`	`string` A user-defined name of the certificate issuance config. CertificateIssuanceConfig names must be unique globally and match pattern `projects//locations//certificateIssuanceConfigs/*`.
`create_time`	`Timestamp` Output only. The creation timestamp of a CertificateIssuanceConfig.
`update_time`	`Timestamp` Output only. The last update timestamp of a CertificateIssuanceConfig.
`labels`	`map<string, string>` Set of labels associated with a CertificateIssuanceConfig.
`description`	`string` One or more paragraphs of text description of a CertificateIssuanceConfig.
`certificate_authority_config`	`CertificateAuthorityConfig` Required. The CA that issues the workload certificate. It includes the CA address, type, authentication to CA service, etc.
`lifetime`	`Duration` Required. Workload certificate lifetime requested.
`rotation_window_percentage`	`int32` Required. Specifies the percentage of elapsed time of the certificate lifetime to wait before renewing the certificate. Must be a number between 1-99, inclusive.
`key_algorithm`	`KeyAlgorithm` Required. The key algorithm to use when generating the private key.

CertificateAuthorityConfig

The CA that issues the workload certificate. It includes CA address, type, authentication to CA service, etc.

Fields

Fields
Union field `kind`. `kind` can be only one of the following:
`certificate_authority_service_config`	`CertificateAuthorityServiceConfig` Defines a CertificateAuthorityServiceConfig.

Union field kind.

kind can be only one of the following:

certificate_authority_service_config

CertificateAuthorityServiceConfig

Defines a CertificateAuthorityServiceConfig.

CertificateAuthorityServiceConfig

Contains information required to contact CA service.

Fields

Fields
`ca_pool`	`string` Required. A CA pool resource used to issue a certificate. The CA pool string has a relative resource path following the form "projects/{project}/locations/{location}/caPools/{ca_pool}". Authorization requires the following IAM permission on the specified resource `caPool`: `privateca.caPools.use`

ca_pool

string

Required. A CA pool resource used to issue a certificate. The CA pool string has a relative resource path following the form "projects/{project}/locations/{location}/caPools/{ca_pool}".

Authorization requires the following IAM permission on the specified resource caPool:

privateca.caPools.use

KeyAlgorithm

The type of keypair to generate.

Enums
`KEY_ALGORITHM_UNSPECIFIED`	Unspecified key algorithm.
`RSA_2048`	Specifies RSA with a 2048-bit modulus.
`ECDSA_P256`	Specifies ECDSA with curve P256.

CertificateMap

Defines a collection of certificate configurations.

Fields
`name`	`string` A user-defined name of the Certificate Map. Certificate Map names must be unique globally and match pattern `projects//locations//certificateMaps/*`.
`description`	`string` One or more paragraphs of text description of a certificate map.
`create_time`	`Timestamp` Output only. The creation timestamp of a Certificate Map.
`update_time`	`Timestamp` Output only. The update timestamp of a Certificate Map.
`labels`	`map<string, string>` Set of labels associated with a Certificate Map.
`gclb_targets[]`	`GclbTarget` Output only. A list of GCLB targets that use this Certificate Map. A Target Proxy is only present on this list if it's attached to a Forwarding Rule.

GclbTarget

Describes a Target Proxy that uses this Certificate Map.

Fields
`ip_configs[]`	`IpConfig` Output only. IP configurations for this Target Proxy where the Certificate Map is serving.
Union field `target_proxy`. A Target Proxy to which this map is attached to. `target_proxy` can be only one of the following:
`target_https_proxy`	`string` Output only. This field returns the resource name in the following format: `//compute.googleapis.com/projects//global/targetHttpsProxies/`.
`target_ssl_proxy`	`string` Output only. This field returns the resource name in the following format: `//compute.googleapis.com/projects//global/targetSslProxies/`.

IpConfig

Defines IP configuration where this Certificate Map is serving.

Fields

Fields
`ip_address`	`string` Output only. An external IP address.
`ports[]`	`uint32` Output only. Ports.

ip_address

string

Output only. An external IP address.

ports[]

uint32

Output only. Ports.

CertificateMapEntry

Defines a certificate map entry.

Fields
`name`	`string` A user-defined name of the Certificate Map Entry. Certificate Map Entry names must be unique globally and match pattern `projects//locations//certificateMaps//certificateMapEntries/`.
`description`	`string` One or more paragraphs of text description of a certificate map entry.
`create_time`	`Timestamp` Output only. The creation timestamp of a Certificate Map Entry.
`update_time`	`Timestamp` Output only. The update timestamp of a Certificate Map Entry.
`labels`	`map<string, string>` Set of labels associated with a Certificate Map Entry.
`certificates[]`	`string` A set of Certificates defines for the given `hostname`. There can be defined up to four certificates in each Certificate Map Entry. Each certificate must match pattern `projects//locations//certificates/*`. Authorization requires the following IAM permission on the specified resource `certificates`: `certificatemanager.certs.use`
`state`	`ServingState` Output only. A serving state of this Certificate Map Entry.
Union field `match`. `match` can be only one of the following:
`hostname`	`string` A Hostname (FQDN, e.g. `example.com`) or a wildcard hostname expression (`*.example.com`) for a set of hostnames with common suffix. Used as Server Name Indication (SNI) for selecting a proper certificate.
`matcher`	`Matcher` A predefined matcher for particular cases, other than SNI selection.

Matcher

Defines predefined cases other than SNI-hostname match when this configuration should be applied.

Enums
`MATCHER_UNSPECIFIED`	A matcher has't been recognized.
`PRIMARY`	A primary certificate that is served when SNI wasn't specified in the request or SNI couldn't be found in the map.

CreateCertificateIssuanceConfigRequest

Request for the CreateCertificateIssuanceConfig method.

Fields

Fields
`parent`	`string` Required. The parent resource of the certificate issuance config. Must be in the format `projects//locations/`. Authorization requires the following IAM permission on the specified resource `parent`: `certificatemanager.certissuanceconfigs.create`
`certificate_issuance_config_id`	`string` Required. A user-provided name of the certificate config.
`certificate_issuance_config`	`CertificateIssuanceConfig` Required. A definition of the certificate issuance config to create.

parent

string

Required. The parent resource of the certificate issuance config. Must be in the format projects/*/locations/*.

Authorization requires the following IAM permission on the specified resource parent:

certificatemanager.certissuanceconfigs.create

certificate_issuance_config_id

string

Required. A user-provided name of the certificate config.

certificate_issuance_config

CertificateIssuanceConfig

Required. A definition of the certificate issuance config to create.

CreateCertificateMapEntryRequest

Request for the CreateCertificateMapEntry method.

Fields

Fields
`parent`	`string` Required. The parent resource of the certificate map entry. Must be in the format `projects//locations//certificateMaps/*`. Authorization requires the following IAM permission on the specified resource `parent`: `certificatemanager.certmapentries.create`
`certificate_map_entry_id`	`string` Required. A user-provided name of the certificate map entry.
`certificate_map_entry`	`CertificateMapEntry` Required. A definition of the certificate map entry to create.

parent

string

Required. The parent resource of the certificate map entry. Must be in the format projects/*/locations/*/certificateMaps/*.

Authorization requires the following IAM permission on the specified resource parent:

certificatemanager.certmapentries.create

certificate_map_entry_id

string

Required. A user-provided name of the certificate map entry.

certificate_map_entry

CertificateMapEntry

Required. A definition of the certificate map entry to create.

CreateCertificateMapRequest

Request for the CreateCertificateMap method.

Fields

parent

string

Required. The parent resource of the certificate map. Must be in the format projects/*/locations/*.

Authorization requires the following IAM permission on the specified resource parent:

certificatemanager.certmaps.create

certificate_map_id

string

Required. A user-provided name of the certificate map.

certificate_map

CertificateMap

Required. A definition of the certificate map to create.

CreateCertificateRequest

Request for the CreateCertificate method.

Fields

parent

string

Required. The parent resource of the certificate. Must be in the format projects/*/locations/*.

Authorization requires the following IAM permission on the specified resource parent:

certificatemanager.certs.create

certificate_id

string

Required. A user-provided name of the certificate.

certificate

Certificate

Required. A definition of the certificate to create.

CreateDnsAuthorizationRequest

Request for the CreateDnsAuthorization method.

Fields

parent

string

Required. The parent resource of the dns authorization. Must be in the format projects/*/locations/*.

Authorization requires the following IAM permission on the specified resource parent:

certificatemanager.dnsauthorizations.create

dns_authorization_id

string

Required. A user-provided name of the dns authorization.

dns_authorization

DnsAuthorization

Required. A definition of the dns authorization to create.

CreateTrustConfigRequest

Request for the CreateTrustConfig method.

Fields

parent

string

Required. The parent resource of the TrustConfig. Must be in the format projects/*/locations/*.

Authorization requires the following IAM permission on the specified resource parent:

certificatemanager.trustconfigs.create

trust_config_id

string

Required. A user-provided name of the TrustConfig. Must match the regexp [a-z0-9-]{1,63}.

trust_config

TrustConfig

Required. A definition of the TrustConfig to create.

DeleteCertificateIssuanceConfigRequest

Request for the DeleteCertificateIssuanceConfig method.

Fields

name

string

Required. A name of the certificate issuance config to delete. Must be in the format projects/*/locations/*/certificateIssuanceConfigs/*.

Authorization requires the following IAM permission on the specified resource name:

certificatemanager.certissuanceconfigs.delete

DeleteCertificateMapEntryRequest

Request for the DeleteCertificateMapEntry method.

Fields

name

string

Required. A name of the certificate map entry to delete. Must be in the format projects/*/locations/*/certificateMaps/*/certificateMapEntries/*.

Authorization requires the following IAM permission on the specified resource name:

certificatemanager.certmapentries.delete

DeleteCertificateMapRequest

Request for the DeleteCertificateMap method.

Fields

name

string

Required. A name of the certificate map to delete. Must be in the format projects/*/locations/*/certificateMaps/*.

Authorization requires the following IAM permission on the specified resource name:

certificatemanager.certmaps.delete

DeleteCertificateRequest

Request for the DeleteCertificate method.

Fields

name

string

Required. A name of the certificate to delete. Must be in the format projects/*/locations/*/certificates/*.

Authorization requires the following IAM permission on the specified resource name:

certificatemanager.certs.delete

DeleteDnsAuthorizationRequest

Request for the DeleteDnsAuthorization method.

Fields

name

string

Required. A name of the dns authorization to delete. Must be in the format projects/*/locations/*/dnsAuthorizations/*.

Authorization requires the following IAM permission on the specified resource name:

certificatemanager.dnsauthorizations.delete

DeleteTrustConfigRequest

Request for the DeleteTrustConfig method.

Fields

name

string

Required. A name of the TrustConfig to delete. Must be in the format projects/*/locations/*/trustConfigs/*.

Authorization requires the following IAM permission on the specified resource name:

certificatemanager.trustconfigs.delete

etag

string

The current etag of the TrustConfig. If an etag is provided and does not match the current etag of the resource, deletion will be blocked and an ABORTED error will be returned.

DnsAuthorization

A DnsAuthorization resource describes a way to perform domain authorization for certificate issuance.

Fields
`name`	`string` A user-defined name of the dns authorization. DnsAuthorization names must be unique globally and match pattern `projects//locations//dnsAuthorizations/*`.
`create_time`	`Timestamp` Output only. The creation timestamp of a DnsAuthorization.
`update_time`	`Timestamp` Output only. The last update timestamp of a DnsAuthorization.
`labels`	`map<string, string>` Set of labels associated with a DnsAuthorization.
`description`	`string` One or more paragraphs of text description of a DnsAuthorization.
`domain`	`string` Required. Immutable. A domain that is being authorized. A DnsAuthorization resource covers a single domain and its wildcard, e.g. authorization for `example.com` can be used to issue certificates for `example.com` and `*.example.com`.
`dns_resource_record`	`DnsResourceRecord` Output only. DNS Resource Record that needs to be added to DNS configuration.
`type`	`Type` Immutable. Type of DnsAuthorization. If unset during resource creation the following default will be used: - in location global: FIXED_RECORD.

DnsResourceRecord

The structure describing the DNS Resource Record that needs to be added to DNS configuration for the authorization to be usable by certificate.

Fields

name

string

Output only. Fully qualified name of the DNS Resource Record. e.g. _acme-challenge.example.com

type

string

Output only. Type of the DNS Resource Record. Currently always set to "CNAME".

data

string

Output only. Data of the DNS Resource Record.

Type

DnsAuthorization type.

Enums
`TYPE_UNSPECIFIED`	Type is unspecified.
`FIXED_RECORD`	FIXED_RECORD DNS authorization uses DNS-01 validation method.
`PER_PROJECT_RECORD`	PER_PROJECT_RECORD DNS authorization allows for independent management of Google-managed certificates with DNS authorization across multiple projects.

GetCertificateIssuanceConfigRequest

Request for the GetCertificateIssuanceConfig method.

Fields

name

string

Required. A name of the certificate issuance config to describe. Must be in the format projects/*/locations/*/certificateIssuanceConfigs/*.

Authorization requires the following IAM permission on the specified resource name:

certificatemanager.certissuanceconfigs.get

GetCertificateMapEntryRequest

Request for the GetCertificateMapEntry method.

Fields

name

string

Required. A name of the certificate map entry to describe. Must be in the format projects/*/locations/*/certificateMaps/*/certificateMapEntries/*.

Authorization requires the following IAM permission on the specified resource name:

certificatemanager.certmapentries.get

GetCertificateMapRequest

Request for the GetCertificateMap method.

Fields

name

string

Required. A name of the certificate map to describe. Must be in the format projects/*/locations/*/certificateMaps/*.

Authorization requires the following IAM permission on the specified resource name:

certificatemanager.certmaps.get

GetCertificateRequest

Request for the GetCertificate method.

Fields

name

string

Required. A name of the certificate to describe. Must be in the format projects/*/locations/*/certificates/*.

Authorization requires the following IAM permission on the specified resource name:

certificatemanager.certs.get

GetDnsAuthorizationRequest

Request for the GetDnsAuthorization method.

Fields

name

string

Required. A name of the dns authorization to describe. Must be in the format projects/*/locations/*/dnsAuthorizations/*.

Authorization requires the following IAM permission on the specified resource name:

certificatemanager.dnsauthorizations.get

GetTrustConfigRequest

Request for the GetTrustConfig method.

Fields

name

string

Required. A name of the TrustConfig to describe. Must be in the format projects/*/locations/*/trustConfigs/*.

Authorization requires the following IAM permission on the specified resource name:

certificatemanager.trustconfigs.get

ListCertificateIssuanceConfigsRequest

Request for the ListCertificateIssuanceConfigs method.

Fields
`parent`	`string` Required. The project and location from which the certificate should be listed, specified in the format `projects//locations/`. Authorization requires the following IAM permission on the specified resource `parent`: `certificatemanager.certissuanceconfigs.list`
`page_size`	`int32` Maximum number of certificate configs to return per call.
`page_token`	`string` The value returned by the last `ListCertificateIssuanceConfigsResponse`. Indicates that this is a continuation of a prior `ListCertificateIssuanceConfigs` call, and that the system should return the next page of data.
`filter`	`string` Filter expression to restrict the Certificates Configs returned.
`order_by`	`string` A list of Certificate Config field names used to specify the order of the returned results. The default sorting order is ascending. To specify descending order for a field, add a suffix `" desc"`.

ListCertificateIssuanceConfigsResponse

Response for the ListCertificateIssuanceConfigs method.

Fields

certificate_issuance_configs[]

CertificateIssuanceConfig

A list of certificate configs for the parent resource.

next_page_token

string

If there might be more results than those appearing in this response, then next_page_token is included. To get the next set of results, call this method again using the value of next_page_token as page_token.

unreachable[]

string

Locations that could not be reached.

ListCertificateMapEntriesRequest

Request for the ListCertificateMapEntries method.

Fields
`parent`	`string` Required. The project, location and certificate map from which the certificate map entries should be listed, specified in the format `projects//locations//certificateMaps/*`. Authorization requires the following IAM permission on the specified resource `parent`: `certificatemanager.certmapentries.list`
`page_size`	`int32` Maximum number of certificate map entries to return. The service may return fewer than this value. If unspecified, at most 50 certificate map entries will be returned. The maximum value is 1000; values above 1000 will be coerced to 1000.
`page_token`	`string` The value returned by the last `ListCertificateMapEntriesResponse`. Indicates that this is a continuation of a prior `ListCertificateMapEntries` call, and that the system should return the next page of data.
`filter`	`string` Filter expression to restrict the returned Certificate Map Entries.
`order_by`	`string` A list of Certificate Map Entry field names used to specify the order of the returned results. The default sorting order is ascending. To specify descending order for a field, add a suffix `" desc"`.

ListCertificateMapEntriesResponse

Response for the ListCertificateMapEntries method.

Fields

certificate_map_entries[]

CertificateMapEntry

A list of certificate map entries for the parent resource.

next_page_token

string

unreachable[]

string

Locations that could not be reached.

ListCertificateMapsRequest

Request for the ListCertificateMaps method.

Fields
`parent`	`string` Required. The project and location from which the certificate maps should be listed, specified in the format `projects//locations/`. Authorization requires the following IAM permission on the specified resource `parent`: `certificatemanager.certmaps.list`
`page_size`	`int32` Maximum number of certificate maps to return per call.
`page_token`	`string` The value returned by the last `ListCertificateMapsResponse`. Indicates that this is a continuation of a prior `ListCertificateMaps` call, and that the system should return the next page of data.
`filter`	`string` Filter expression to restrict the Certificates Maps returned.
`order_by`	`string` A list of Certificate Map field names used to specify the order of the returned results. The default sorting order is ascending. To specify descending order for a field, add a suffix `" desc"`.

ListCertificateMapsResponse

Response for the ListCertificateMaps method.

Fields

certificate_maps[]

CertificateMap

A list of certificate maps for the parent resource.

next_page_token

string

unreachable[]

string

Locations that could not be reached.

ListCertificatesRequest

Request for the ListCertificates method.

Fields
`parent`	`string` Required. The project and location from which the certificate should be listed, specified in the format `projects//locations/`. Authorization requires the following IAM permission on the specified resource `parent`: `certificatemanager.certs.list`
`page_size`	`int32` Maximum number of certificates to return per call.
`page_token`	`string` The value returned by the last `ListCertificatesResponse`. Indicates that this is a continuation of a prior `ListCertificates` call, and that the system should return the next page of data.
`filter`	`string` Filter expression to restrict the Certificates returned.
`order_by`	`string` A list of Certificate field names used to specify the order of the returned results. The default sorting order is ascending. To specify descending order for a field, add a suffix `" desc"`.

ListCertificatesResponse

Response for the ListCertificates method.

Fields

certificates[]

Certificate

A list of certificates for the parent resource.

next_page_token

string

unreachable[]

string

A list of locations that could not be reached.

ListDnsAuthorizationsRequest

Request for the ListDnsAuthorizations method.

Fields
`parent`	`string` Required. The project and location from which the dns authorizations should be listed, specified in the format `projects//locations/`. Authorization requires the following IAM permission on the specified resource `parent`: `certificatemanager.dnsauthorizations.list`
`page_size`	`int32` Maximum number of dns authorizations to return per call.
`page_token`	`string` The value returned by the last `ListDnsAuthorizationsResponse`. Indicates that this is a continuation of a prior `ListDnsAuthorizations` call, and that the system should return the next page of data.
`filter`	`string` Filter expression to restrict the Dns Authorizations returned.
`order_by`	`string` A list of Dns Authorization field names used to specify the order of the returned results. The default sorting order is ascending. To specify descending order for a field, add a suffix `" desc"`.

ListDnsAuthorizationsResponse

Response for the ListDnsAuthorizations method.

Fields

dns_authorizations[]

DnsAuthorization

A list of dns authorizations for the parent resource.

next_page_token

string

unreachable[]

string

Locations that could not be reached.

ListTrustConfigsRequest

Request for the ListTrustConfigs method.

Fields
`parent`	`string` Required. The project and location from which the TrustConfigs should be listed, specified in the format `projects//locations/`. Authorization requires the following IAM permission on the specified resource `parent`: `certificatemanager.trustconfigs.list`
`page_size`	`int32` Maximum number of TrustConfigs to return per call.
`page_token`	`string` The value returned by the last `ListTrustConfigsResponse`. Indicates that this is a continuation of a prior `ListTrustConfigs` call, and that the system should return the next page of data.
`filter`	`string` Filter expression to restrict the TrustConfigs returned.
`order_by`	`string` A list of TrustConfig field names used to specify the order of the returned results. The default sorting order is ascending. To specify descending order for a field, add a suffix `" desc"`.

ListTrustConfigsResponse

Response for the ListTrustConfigs method.

Fields

trust_configs[]

TrustConfig

A list of TrustConfigs for the parent resource.

next_page_token

string

unreachable[]

string

Locations that could not be reached.

OperationMetadata

Represents the metadata of the long-running operation. Output only.

Fields
`create_time`	`Timestamp` The time the operation was created.
`end_time`	`Timestamp` The time the operation finished running.
`target`	`string` Server-defined resource path for the target of the operation.
`verb`	`string` Name of the verb executed by the operation.
`status_message`	`string` Human-readable status of the operation, if any.
`requested_cancellation`	`bool` Identifies whether the user has requested cancellation of the operation. Operations that have successfully been cancelled have [Operation.error][] value with a `google.rpc.Status.code` of 1, corresponding to `Code.CANCELLED`.
`api_version`	`string` API version used to start the operation.

ServingState

Defines set of serving states associated with a resource.

Enums
`SERVING_STATE_UNSPECIFIED`	The status is undefined.
`ACTIVE`	The configuration is serving.
`PENDING`	Update is in progress. Some frontends may serve this configuration.

TrustConfig

Defines a trust config.

Fields
`name`	`string` A user-defined name of the trust config. TrustConfig names must be unique globally and match pattern `projects//locations//trustConfigs/*`.
`create_time`	`Timestamp` Output only. The creation timestamp of a TrustConfig.
`update_time`	`Timestamp` Output only. The last update timestamp of a TrustConfig.
`labels`	`map<string, string>` Set of labels associated with a TrustConfig.
`description`	`string` One or more paragraphs of text description of a TrustConfig.
`etag`	`string` This checksum is computed by the server based on the value of other fields, and may be sent on update and delete requests to ensure the client has an up-to-date value before proceeding.
`trust_stores[]`	`TrustStore` Set of trust stores to perform validation against. This field is supported when TrustConfig is configured with Load Balancers, currently not supported for SPIFFE certificate validation. Only one TrustStore specified is currently allowed.
`allowlisted_certificates[]`	`AllowlistedCertificate` Optional. A certificate matching an allowlisted certificate is always considered valid as long as the certificate is parseable, proof of private key possession is established, and constraints on the certificate's SAN field are met.

AllowlistedCertificate

Defines an allowlisted certificate.

Fields

pem_certificate

string

Required. PEM certificate that is allowlisted. The certificate can be up to 5k bytes, and must be a parseable X.509 certificate.

IntermediateCA

Defines an intermediate CA.

Fields

Union field kind.

kind can be only one of the following:

pem_certificate

string

PEM intermediate certificate used for building up paths for validation.

Each certificate provided in PEM format may occupy up to 5kB.

TrustAnchor

Defines a trust anchor.

Fields

Union field kind.

kind can be only one of the following:

pem_certificate

string

PEM root certificate of the PKI used for validation.

Each certificate provided in PEM format may occupy up to 5kB.

TrustStore

Defines a trust store.

Fields

trust_anchors[]

TrustAnchor

List of Trust Anchors to be used while performing validation against a given TrustStore.

intermediate_cas[]

IntermediateCA

Set of intermediate CA certificates used for the path building phase of chain validation.

The field is currently not supported if TrustConfig is used for the workload certificate feature.

UpdateCertificateMapEntryRequest

Request for the UpdateCertificateMapEntry method.

Fields

certificate_map_entry

CertificateMapEntry

Required. A definition of the certificate map entry to create map entry.

Authorization requires the following IAM permission on the specified resource certificateMapEntry:

certificatemanager.certmapentries.update

update_mask

FieldMask

Required. The update mask applies to the resource. For the FieldMask definition, see https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#fieldmask.

UpdateCertificateMapRequest

Request for the UpdateCertificateMap method.

Fields

certificate_map

CertificateMap

Required. A definition of the certificate map to update.

Authorization requires the following IAM permission on the specified resource certificateMap:

certificatemanager.certmaps.update

update_mask

FieldMask

Required. The update mask applies to the resource. For the FieldMask definition, see https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#fieldmask.

UpdateCertificateRequest

Request for the UpdateCertificate method.

Fields

certificate

Certificate

Required. A definition of the certificate to update.

Authorization requires the following IAM permission on the specified resource certificate:

certificatemanager.certs.update

update_mask

FieldMask

Required. The update mask applies to the resource. For the FieldMask definition, see https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#fieldmask.

UpdateDnsAuthorizationRequest

Request for the UpdateDnsAuthorization method.

Fields

dns_authorization

DnsAuthorization

Required. A definition of the dns authorization to update.

Authorization requires the following IAM permission on the specified resource dnsAuthorization:

certificatemanager.dnsauthorizations.update

update_mask

FieldMask

Required. The update mask applies to the resource. For the FieldMask definition, see https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#fieldmask.

UpdateTrustConfigRequest

Request for the UpdateTrustConfig method.

Fields

trust_config

TrustConfig

Required. A definition of the TrustConfig to update.

Authorization requires the following IAM permission on the specified resource trustConfig:

certificatemanager.trustconfigs.update

update_mask

FieldMask

Required. The update mask applies to the resource. For the FieldMask definition, see https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#fieldmask.