PrivateCACertificate


Google Cloud Service Name: Private CA
Google Cloud Service Documentation: /certificate-authority-service/docs/
Google Cloud REST Resource Name: v1.projects.locations.caPools.certificates
Google Cloud REST Resource Documentation: /certificate-authority-service/docs/reference/rest/v1/projects.locations.caPools.certificates
Config Connector Resource Short Names: gcpprivatecacertificate, gcpprivatecacertificates, privatecacertificate
Config Connector Service Name: privateca.googleapis.com
Config Connector Resource Fully Qualified Name: privatecacertificates.privateca.cnrm.cloud.google.com
Can Be Referenced by IAMPolicy/IAMPolicyMember: No
Config Connector Default Average Reconcile Interval In Seconds: 600

Custom Resource Definition Properties

Spec

Schema

caPoolRef:
  external: string
  name: string
  namespace: string
certificateAuthorityRef:
  external: string
  name: string
  namespace: string
certificateTemplateRef:
  external: string
  name: string
  namespace: string
config:
  publicKey:
    format: string
    key: string
  subjectConfig:
    subject:
      commonName: string
      countryCode: string
      locality: string
      organization: string
      organizationalUnit: string
      postalCode: string
      province: string
      streetAddress: string
    subjectAltName:
      dnsNames:
      - string
      emailAddresses:
      - string
      ipAddresses:
      - string
      uris:
      - string
  x509Config:
    additionalExtensions:
    - critical: boolean
      objectId:
        objectIdPath:
        - integer
      value: string
    aiaOcspServers:
    - string
    caOptions:
      isCa: boolean
      maxIssuerPathLength: integer
      nonCa: boolean
      zeroMaxIssuerPathLength: boolean
    keyUsage:
      baseKeyUsage:
        certSign: boolean
        contentCommitment: boolean
        crlSign: boolean
        dataEncipherment: boolean
        decipherOnly: boolean
        digitalSignature: boolean
        encipherOnly: boolean
        keyAgreement: boolean
        keyEncipherment: boolean
      extendedKeyUsage:
        clientAuth: boolean
        codeSigning: boolean
        emailProtection: boolean
        ocspSigning: boolean
        serverAuth: boolean
        timeStamping: boolean
      unknownExtendedKeyUsages:
      - objectIdPath:
        - integer
    policyIds:
    - objectIdPath:
      - integer
lifetime: string
location: string
pemCsr: string
projectRef:
  external: string
  name: string
  namespace: string
resourceID: string
subjectMode: string

Fields

caPoolRef

Required

object

Immutable.

caPoolRef.external

Optional

string

The ca_pool for the resource. Allowed value: The Google Cloud resource name of a `PrivateCACAPool` resource (format: `projects/{{project}}/locations/{{location}}/caPools/{{name}}`).

caPoolRef.name

Optional

string

Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names

caPoolRef.namespace

Optional

string

Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/

certificateAuthorityRef

Optional

object

Immutable.

certificateAuthorityRef.external

Optional

string

The certificate authority for the resource. Allowed value: The Google Cloud resource name of a `PrivateCACertificateAuthority` resource (format: `projects/{{project}}/locations/{{location}}/caPools/{{ca_pool}}/certificateAuthorities/{{name}}`).

certificateAuthorityRef.name

Optional

string

Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names

certificateAuthorityRef.namespace

Optional

string

Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/

certificateTemplateRef

Optional

object

Immutable.

certificateTemplateRef.external

Optional

string

Immutable. The resource name for a CertificateTemplate used to issue this certificate, in the format `projects/*/locations/*/certificateTemplates/*`. If this is specified, the caller must have the necessary permission to use this template. If this is omitted, no template will be used. This template must be in the same location as the Certificate. Allowed value: The `selfLink` field of a `PrivateCACertificateTemplate` resource.

certificateTemplateRef.name

Optional

string

Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names

certificateTemplateRef.namespace

Optional

string

Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/

config

Optional

object

Immutable. A description of the certificate and key that does not require X.509 or ASN.1.

config.publicKey

Optional

object

Immutable. Optional. The public key that corresponds to this config. This is, for example, used when issuing Certificates, but not when creating a self-signed CertificateAuthority or CertificateAuthority CSR.

config.publicKey.format

Required*

string

Immutable. Required. The format of the public key. Possible values: KEY_FORMAT_UNSPECIFIED, PEM

config.publicKey.key

Required*

string

Immutable. Required. A public key. The padding and encoding must match with the `KeyFormat` value specified for the `format` field.

config.subjectConfig

Required*

object

Immutable. Required. Specifies some of the values in a certificate that are related to the subject.

config.subjectConfig.subject

Required*

object

Immutable. Required. Contains distinguished name fields such as the common name, location and organization.

config.subjectConfig.subject.commonName

Optional

string

Immutable. The "common name" of the subject.

config.subjectConfig.subject.countryCode

Optional

string

Immutable. The country code of the subject.

config.subjectConfig.subject.locality

Optional

string

Immutable. The locality or city of the subject.

config.subjectConfig.subject.organization

Optional

string

Immutable. The organization of the subject.

config.subjectConfig.subject.organizationalUnit

Optional

string

Immutable. The organizational_unit of the subject.

config.subjectConfig.subject.postalCode

Optional

string

Immutable. The postal code of the subject.

config.subjectConfig.subject.province

Optional

string

Immutable. The province, territory, or regional state of the subject.

config.subjectConfig.subject.streetAddress

Optional

string

Immutable. The street address of the subject.

config.subjectConfig.subjectAltName

Optional

object

Immutable. Optional. The subject alternative name fields.

config.subjectConfig.subjectAltName.dnsNames

Optional

list (string)

Immutable. Contains only valid, fully-qualified host names.

config.subjectConfig.subjectAltName.dnsNames[]

Optional

string

config.subjectConfig.subjectAltName.emailAddresses

Optional

list (string)

Immutable. Contains only valid RFC 2822 E-mail addresses.

config.subjectConfig.subjectAltName.emailAddresses[]

Optional

string

config.subjectConfig.subjectAltName.ipAddresses

Optional

list (string)

Immutable. Contains only valid 32-bit IPv4 addresses or RFC 4291 IPv6 addresses.

config.subjectConfig.subjectAltName.ipAddresses[]

Optional

string

config.subjectConfig.subjectAltName.uris

Optional

list (string)

Immutable. Contains only valid RFC 3986 URIs.

config.subjectConfig.subjectAltName.uris[]

Optional

string

config.x509Config

Required*

object

Immutable. Required. Describes how some of the technical X.509 fields in a certificate should be populated.

config.x509Config.additionalExtensions

Optional

list (object)

Immutable. Optional. Describes custom X.509 extensions.

config.x509Config.additionalExtensions[]

Optional

object

config.x509Config.additionalExtensions[].critical

Optional

boolean

Immutable. Optional. Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error).

config.x509Config.additionalExtensions[].objectId

Required*

object

Immutable. Required. The OID for this X.509 extension.

config.x509Config.additionalExtensions[].objectId.objectIdPath

Required*

list (integer)

Immutable. Required. The parts of an OID path. The most significant parts of the path come first.

config.x509Config.additionalExtensions[].objectId.objectIdPath[]

Required*

integer

config.x509Config.additionalExtensions[].value

Required*

string

Immutable. Required. The value of this X.509 extension.

config.x509Config.aiaOcspServers

Optional

list (string)

Immutable. Optional. Describes Online Certificate Status Protocol (OCSP) endpoint addresses that appear in the "Authority Information Access" extension in the certificate.

config.x509Config.aiaOcspServers[]

Optional

string

config.x509Config.caOptions

Optional

object

Immutable. Optional. Describes options in this X509Parameters that are relevant in a CA certificate.

config.x509Config.caOptions.isCa

Optional

boolean

Immutable. Optional. When true, the "CA" in Basic Constraints extension will be set to true.

config.x509Config.caOptions.maxIssuerPathLength

Optional

integer

Immutable. Optional. Refers to the "path length constraint" in Basic Constraints extension. For a CA certificate, this value describes the depth of subordinate CA certificates that are allowed. If this value is less than 0, the request will fail.

config.x509Config.caOptions.nonCa

Optional

boolean

Immutable. Optional. When true, the "CA" in Basic Constraints extension will be set to false. If both `is_ca` and `non_ca` are unset, the extension will be omitted from the CA certificate.

config.x509Config.caOptions.zeroMaxIssuerPathLength

Optional

boolean

Immutable. Optional. When true, the "path length constraint" in Basic Constraints extension will be set to 0. If both max_issuer_path_length and zero_max_issuer_path_length are unset, the max path length will be omitted from the CA certificate.

config.x509Config.keyUsage

Optional

object

Immutable. Optional. Indicates the intended use for keys that correspond to a certificate.

config.x509Config.keyUsage.baseKeyUsage

Optional

object

Immutable. Describes high-level ways in which a key may be used.

config.x509Config.keyUsage.baseKeyUsage.certSign

Optional

boolean

Immutable. The key may be used to sign certificates.

config.x509Config.keyUsage.baseKeyUsage.contentCommitment

Optional

boolean

Immutable. The key may be used for cryptographic commitments. Note that this may also be referred to as "non-repudiation".

config.x509Config.keyUsage.baseKeyUsage.crlSign

Optional

boolean

Immutable. The key may be used to sign certificate revocation lists.

config.x509Config.keyUsage.baseKeyUsage.dataEncipherment

Optional

boolean

Immutable. The key may be used to encipher data.

config.x509Config.keyUsage.baseKeyUsage.decipherOnly

Optional

boolean

Immutable. The key may be used to decipher only.

config.x509Config.keyUsage.baseKeyUsage.digitalSignature

Optional

boolean

Immutable. The key may be used for digital signatures.

config.x509Config.keyUsage.baseKeyUsage.encipherOnly

Optional

boolean

Immutable. The key may be used to encipher only.

config.x509Config.keyUsage.baseKeyUsage.keyAgreement

Optional

boolean

Immutable. The key may be used in a key agreement protocol.

config.x509Config.keyUsage.baseKeyUsage.keyEncipherment

Optional

boolean

Immutable. The key may be used to encipher other keys.

config.x509Config.keyUsage.extendedKeyUsage

Optional

object

Immutable. Detailed scenarios in which a key may be used.

config.x509Config.keyUsage.extendedKeyUsage.clientAuth

Optional

boolean

Immutable. Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as "TLS WWW client authentication", though regularly used for non-WWW TLS.

config.x509Config.keyUsage.extendedKeyUsage.codeSigning

Optional

boolean

Immutable. Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as "Signing of downloadable executable code".

config.x509Config.keyUsage.extendedKeyUsage.emailProtection

Optional

boolean

Immutable. Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as "Email protection".

config.x509Config.keyUsage.extendedKeyUsage.ocspSigning

Optional

boolean

Immutable. Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as "Signing OCSP responses".

config.x509Config.keyUsage.extendedKeyUsage.serverAuth

Optional

boolean

Immutable. Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as "TLS WWW server authentication", though regularly used for non-WWW TLS.

config.x509Config.keyUsage.extendedKeyUsage.timeStamping

Optional

boolean

Immutable. Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as "Binding the hash of an object to a time".

config.x509Config.keyUsage.unknownExtendedKeyUsages

Optional

list (object)

Immutable. Used to describe extended key usages that are not listed in the KeyUsage.ExtendedKeyUsageOptions message.

config.x509Config.keyUsage.unknownExtendedKeyUsages[]

Optional

object

config.x509Config.keyUsage.unknownExtendedKeyUsages[].objectIdPath

Required*

list (integer)

Immutable. Required. The parts of an OID path. The most significant parts of the path come first.

config.x509Config.keyUsage.unknownExtendedKeyUsages[].objectIdPath[]

Required*

integer

config.x509Config.policyIds

Optional

list (object)

Immutable. Optional. Describes the X.509 certificate policy object identifiers, per https://tools.ietf.org/html/rfc5280#section-4.2.1.4.

config.x509Config.policyIds[]

Optional

object

config.x509Config.policyIds[].objectIdPath

Required*

list (integer)

Immutable. Required. The parts of an OID path. The most significant parts of the path come first.

config.x509Config.policyIds[].objectIdPath[]

Required*

integer

lifetime

Required

string

Immutable. Required. The desired lifetime of a certificate. Used to create the "not_before_time" and "not_after_time" fields inside an X.509 certificate. Note that the lifetime may be truncated if it would extend past the life of any certificate authority in the issuing chain.

location

Required

string

Immutable. The location for the resource.

pemCsr

Optional

string

Immutable. A PEM-encoded X.509 certificate signing request (CSR).

projectRef

Required

object

Immutable. The Project that this resource belongs to.

projectRef.external

Optional

string

The project for the resource. Allowed value: The Google Cloud resource name of a `Project` resource (format: `projects/{{name}}`).

projectRef.name

Optional

string

Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names

projectRef.namespace

Optional

string

Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/

resourceID

Optional

string

Immutable. Optional. The name of the resource. Used for creation and acquisition. When unset, the value of `metadata.name` is used as the default.

subjectMode

Optional

string

Immutable. Specifies how the Certificate's identity fields are to be decided. If this is omitted, the `DEFAULT` subject mode will be used. Possible values: SUBJECT_REQUEST_MODE_UNSPECIFIED, DEFAULT, REFLECTED_SPIFFE

* Field is required when parent field is specified
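A pre-apply lint over the Spec fields above, written as an added example (not Config Connector code). Field names and enum values follow this page; the two policy rules, rejecting CA-only key usages on a non-CA certificate and a lifetime above the pool's issuancePolicy.maximumLifetime, are this example's own review rules, and the sample spec and public key value are constructed placeholders.

```python
import re
from typing import Dict, List, Optional

_DURATION_RE = re.compile(r"^(\d+(?:\.\d+)?)s$")

# Enum values exactly as listed on this page.
SUBJECT_MODES = {"SUBJECT_REQUEST_MODE_UNSPECIFIED", "DEFAULT", "REFLECTED_SPIFFE"}
KEY_FORMATS = {"KEY_FORMAT_UNSPECIFIED", "PEM"}
# Base key usages that only make sense on a certificate with caOptions.isCa: true.
CA_ONLY_USAGES = ("certSign", "crlSign")


def parse_seconds(value: str) -> float:
    """Parse the 'Ns' duration strings used by lifetime and maximumLifetime."""
    m = _DURATION_RE.match(value)
    if not m:
        raise ValueError(f"unsupported duration: {value!r}")
    return float(m.group(1))


def lint_certificate_spec(spec: Dict, pool_spec: Optional[Dict] = None) -> List[str]:
    """Return a list of findings for a PrivateCACertificate spec; empty means it passed."""
    findings: List[str] = []

    # Fields the page marks Required at the top level.
    for field in ("caPoolRef", "location", "lifetime", "projectRef"):
        if field not in spec:
            findings.append(f"{field} is required")

    # Review rule: the requested lifetime must not exceed the pool's maximumLifetime.
    if "lifetime" in spec and pool_spec:
        max_life = pool_spec.get("issuancePolicy", {}).get("maximumLifetime")
        if max_life and parse_seconds(spec["lifetime"]) > parse_seconds(max_life):
            findings.append(f"lifetime {spec['lifetime']} exceeds pool maximumLifetime {max_life}")

    if spec.get("subjectMode", "DEFAULT") not in SUBJECT_MODES:
        findings.append(f"unknown subjectMode {spec['subjectMode']!r}")

    config = spec.get("config")
    if config is None:
        return findings

    # 'Required*' fields: mandatory once the parent object is present.
    for field in ("subjectConfig", "x509Config"):
        if field not in config:
            findings.append(f"config.{field} is required when config is set")
    public_key = config.get("publicKey")
    if public_key is not None:
        if public_key.get("format") not in KEY_FORMATS:
            findings.append("config.publicKey.format must be one of " + ", ".join(sorted(KEY_FORMATS)))
        if not public_key.get("key"):
            findings.append("config.publicKey.key is required when publicKey is set")

    x509 = config.get("x509Config", {})
    ca_options = x509.get("caOptions", {})
    if ca_options.get("isCa") and ca_options.get("nonCa"):
        findings.append("caOptions.isCa and caOptions.nonCa are both true")
    path_len = ca_options.get("maxIssuerPathLength")
    if path_len is not None and path_len < 0:
        findings.append("caOptions.maxIssuerPathLength below 0 is rejected by the API")

    # Review rule: a non-CA (leaf) certificate should not carry CA signing capabilities.
    base_usage = x509.get("keyUsage", {}).get("baseKeyUsage", {})
    if not ca_options.get("isCa"):
        for usage in CA_ONLY_USAGES:
            if base_usage.get(usage):
                findings.append(f"keyUsage.baseKeyUsage.{usage} set on a non-CA certificate")
    return findings


# Constructed sample inputs mirroring the Basic Certificate sample on this page;
# the public key is a placeholder string, not a real PEM key.
SAMPLE_CERT_SPEC = {
    "location": "us-central1",
    "caPoolRef": {"name": "privatecacertificate-dep-basic"},
    "certificateAuthorityRef": {"name": "privatecacertificate-dep-basic"},
    "projectRef": {"external": "projects/${PROJECT_ID?}"},
    "lifetime": "860s",
    "subjectMode": "DEFAULT",
    "config": {
        "subjectConfig": {"subject": {"commonName": "san1.example.com"},
                          "subjectAltName": {"dnsNames": ["san1.example.com"]}},
        "x509Config": {"caOptions": {"isCa": False},
                       "keyUsage": {"baseKeyUsage": {"crlSign": True},
                                    "extendedKeyUsage": {"serverAuth": True}}},
        "publicKey": {"format": "PEM", "key": "<placeholder PEM public key>"},
    },
}
SAMPLE_POOL_SPEC = {"issuancePolicy": {"maximumLifetime": "43200s"}}

if __name__ == "__main__":
    for finding in lint_certificate_spec(SAMPLE_CERT_SPEC, SAMPLE_POOL_SPEC):
        print("finding:", finding)
```

Run against the page's own sample, the lint flags only crlSign on a non-CA certificate, which is worth a second look before issuing.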

Status

Schema

certificateDescription:
  aiaIssuingCertificateUrls:
  - string
  authorityKeyId:
    keyId: string
  certFingerprint:
    sha256Hash: string
  crlDistributionPoints:
  - string
  publicKey:
    format: string
    key: string
  subjectDescription:
    hexSerialNumber: string
    lifetime: string
    notAfterTime: string
    notBeforeTime: string
    subject:
      commonName: string
      countryCode: string
      locality: string
      organization: string
      organizationalUnit: string
      postalCode: string
      province: string
      streetAddress: string
    subjectAltName:
      customSans:
      - critical: boolean
        objectId:
          objectIdPath:
          - integer
        value: string
      dnsNames:
      - string
      emailAddresses:
      - string
      ipAddresses:
      - string
      uris:
      - string
  subjectKeyId:
    keyId: string
  x509Description:
    additionalExtensions:
    - critical: boolean
      objectId:
        objectIdPath:
        - integer
      value: string
    aiaOcspServers:
    - string
    caOptions:
      isCa: boolean
      maxIssuerPathLength: integer
    keyUsage:
      baseKeyUsage:
        certSign: boolean
        contentCommitment: boolean
        crlSign: boolean
        dataEncipherment: boolean
        decipherOnly: boolean
        digitalSignature: boolean
        encipherOnly: boolean
        keyAgreement: boolean
        keyEncipherment: boolean
      extendedKeyUsage:
        clientAuth: boolean
        codeSigning: boolean
        emailProtection: boolean
        ocspSigning: boolean
        serverAuth: boolean
        timeStamping: boolean
      unknownExtendedKeyUsages:
      - objectIdPath:
        - integer
    policyIds:
    - objectIdPath:
      - integer
conditions:
- lastTransitionTime: string
  message: string
  reason: string
  status: string
  type: string
createTime: string
issuerCertificateAuthority: string
observedGeneration: integer
pemCertificate: string
pemCertificateChain:
- string
revocationDetails:
  revocationState: string
  revocationTime: string
updateTime: string

Fields

certificateDescription

object

Output only. A structured description of the issued X.509 certificate.

certificateDescription.aiaIssuingCertificateUrls

list (string)

Describes lists of issuer CA certificate URLs that appear in the "Authority Information Access" extension in the certificate.

certificateDescription.aiaIssuingCertificateUrls[]

string

certificateDescription.authorityKeyId

object

Identifies the subject_key_id of the parent certificate, per https://tools.ietf.org/html/rfc5280#section-4.2.1.1

certificateDescription.authorityKeyId.keyId

string

Optional. The value of this KeyId encoded in lowercase hexadecimal. This is most likely the 160 bit SHA-1 hash of the public key.

certificateDescription.certFingerprint

object

The hash of the x.509 certificate.

certificateDescription.certFingerprint.sha256Hash

string

The SHA 256 hash, encoded in hexadecimal, of the DER x509 certificate.

certificateDescription.crlDistributionPoints

list (string)

Describes a list of locations to obtain CRL information, i.e. the DistributionPoint.fullName described by https://tools.ietf.org/html/rfc5280#section-4.2.1.13

certificateDescription.crlDistributionPoints[]

string

certificateDescription.publicKey

object

The public key that corresponds to an issued certificate.

certificateDescription.publicKey.format

string

Required. The format of the public key. Possible values: KEY_FORMAT_UNSPECIFIED, PEM

certificateDescription.publicKey.key

string

Required. A public key. The padding and encoding must match with the `KeyFormat` value specified for the `format` field.

certificateDescription.subjectDescription

object

Describes some of the values in a certificate that are related to the subject and lifetime.

certificateDescription.subjectDescription.hexSerialNumber

string

The serial number encoded in lowercase hexadecimal.

certificateDescription.subjectDescription.lifetime

string

For convenience, the actual lifetime of an issued certificate.

certificateDescription.subjectDescription.notAfterTime

string

The time after which the certificate is expired. Per RFC 5280, the validity period for a certificate is the period of time from not_before_time through not_after_time, inclusive. Corresponds to 'not_before_time' + 'lifetime' - 1 second.

certificateDescription.subjectDescription.notBeforeTime

string

The time at which the certificate becomes valid.

certificateDescription.subjectDescription.subject

object

Contains distinguished name fields such as the common name, location and organization.

certificateDescription.subjectDescription.subject.commonName

string

The "common name" of the subject.

certificateDescription.subjectDescription.subject.countryCode

string

The country code of the subject.

certificateDescription.subjectDescription.subject.locality

string

The locality or city of the subject.

certificateDescription.subjectDescription.subject.organization

string

The organization of the subject.

certificateDescription.subjectDescription.subject.organizationalUnit

string

The organizational_unit of the subject.

certificateDescription.subjectDescription.subject.postalCode

string

The postal code of the subject.

certificateDescription.subjectDescription.subject.province

string

The province, territory, or regional state of the subject.

certificateDescription.subjectDescription.subject.streetAddress

string

The street address of the subject.

certificateDescription.subjectDescription.subjectAltName

object

The subject alternative name fields.

certificateDescription.subjectDescription.subjectAltName.customSans

list (object)

Contains additional subject alternative name values.

certificateDescription.subjectDescription.subjectAltName.customSans[]

object

certificateDescription.subjectDescription.subjectAltName.customSans[].critical

boolean

Optional. Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error).

certificateDescription.subjectDescription.subjectAltName.customSans[].objectId

object

Required. The OID for this X.509 extension.

certificateDescription.subjectDescription.subjectAltName.customSans[].objectId.objectIdPath

list (integer)

Required. The parts of an OID path. The most significant parts of the path come first.

certificateDescription.subjectDescription.subjectAltName.customSans[].objectId.objectIdPath[]

integer

certificateDescription.subjectDescription.subjectAltName.customSans[].value

string

Required. The value of this X.509 extension.

certificateDescription.subjectDescription.subjectAltName.dnsNames

list (string)

Contains only valid, fully-qualified host names.

certificateDescription.subjectDescription.subjectAltName.dnsNames[]

string

certificateDescription.subjectDescription.subjectAltName.emailAddresses

list (string)

Contains only valid RFC 2822 E-mail addresses.

certificateDescription.subjectDescription.subjectAltName.emailAddresses[]

string

certificateDescription.subjectDescription.subjectAltName.ipAddresses

list (string)

Contains only valid 32-bit IPv4 addresses or RFC 4291 IPv6 addresses.

certificateDescription.subjectDescription.subjectAltName.ipAddresses[]

string

certificateDescription.subjectDescription.subjectAltName.uris

list (string)

Contains only valid RFC 3986 URIs.

certificateDescription.subjectDescription.subjectAltName.uris[]

string

certificateDescription.subjectKeyId

object

Provides a means of identifying certificates that contain a particular public key, per https://tools.ietf.org/html/rfc5280#section-4.2.1.2.

certificateDescription.subjectKeyId.keyId

string

Optional. The value of this KeyId encoded in lowercase hexadecimal. This is most likely the 160 bit SHA-1 hash of the public key.

certificateDescription.x509Description

object

Describes some of the technical X.509 fields in a certificate.

certificateDescription.x509Description.additionalExtensions

list (object)

Optional. Describes custom X.509 extensions.

certificateDescription.x509Description.additionalExtensions[]

object

certificateDescription.x509Description.additionalExtensions[].critical

boolean

Optional. Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error).

certificateDescription.x509Description.additionalExtensions[].objectId

object

Required. The OID for this X.509 extension.

certificateDescription.x509Description.additionalExtensions[].objectId.objectIdPath

list (integer)

Required. The parts of an OID path. The most significant parts of the path come first.

certificateDescription.x509Description.additionalExtensions[].objectId.objectIdPath[]

integer

certificateDescription.x509Description.additionalExtensions[].value

string

Required. The value of this X.509 extension.

certificateDescription.x509Description.aiaOcspServers

list (string)

Optional. Describes Online Certificate Status Protocol (OCSP) endpoint addresses that appear in the "Authority Information Access" extension in the certificate.

certificateDescription.x509Description.aiaOcspServers[]

string

certificateDescription.x509Description.caOptions

object

Optional. Describes options in this X509Parameters that are relevant in a CA certificate.

certificateDescription.x509Description.caOptions.isCa

boolean

Optional. Refers to the "CA" X.509 extension, which is a boolean value. When this value is missing, the extension will be omitted from the CA certificate.

certificateDescription.x509Description.caOptions.maxIssuerPathLength

integer

Optional. Refers to the path length restriction X.509 extension. For a CA certificate, this value describes the depth of subordinate CA certificates that are allowed. If this value is less than 0, the request will fail. If this value is missing, the max path length will be omitted from the CA certificate.

certificateDescription.x509Description.keyUsage

object

Optional. Indicates the intended use for keys that correspond to a certificate.

certificateDescription.x509Description.keyUsage.baseKeyUsage

object

Describes high-level ways in which a key may be used.

certificateDescription.x509Description.keyUsage.baseKeyUsage.certSign

boolean

The key may be used to sign certificates.

certificateDescription.x509Description.keyUsage.baseKeyUsage.contentCommitment

boolean

The key may be used for cryptographic commitments. Note that this may also be referred to as "non-repudiation".

certificateDescription.x509Description.keyUsage.baseKeyUsage.crlSign

boolean

The key may be used to sign certificate revocation lists.

certificateDescription.x509Description.keyUsage.baseKeyUsage.dataEncipherment

boolean

The key may be used to encipher data.

certificateDescription.x509Description.keyUsage.baseKeyUsage.decipherOnly

boolean

The key may be used to decipher only.

certificateDescription.x509Description.keyUsage.baseKeyUsage.digitalSignature

boolean

The key may be used for digital signatures.

certificateDescription.x509Description.keyUsage.baseKeyUsage.encipherOnly

boolean

The key may be used to encipher only.

certificateDescription.x509Description.keyUsage.baseKeyUsage.keyAgreement

boolean

The key may be used in a key agreement protocol.

certificateDescription.x509Description.keyUsage.baseKeyUsage.keyEncipherment

boolean

The key may be used to encipher other keys.

certificateDescription.x509Description.keyUsage.extendedKeyUsage

object

Detailed scenarios in which a key may be used.

certificateDescription.x509Description.keyUsage.extendedKeyUsage.clientAuth

boolean

Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as "TLS WWW client authentication", though regularly used for non-WWW TLS.

certificateDescription.x509Description.keyUsage.extendedKeyUsage.codeSigning

boolean

Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as "Signing of downloadable executable code".

certificateDescription.x509Description.keyUsage.extendedKeyUsage.emailProtection

boolean

Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as "Email protection".

certificateDescription.x509Description.keyUsage.extendedKeyUsage.ocspSigning

boolean

Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as "Signing OCSP responses".

certificateDescription.x509Description.keyUsage.extendedKeyUsage.serverAuth

boolean

Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as "TLS WWW server authentication", though regularly used for non-WWW TLS.

certificateDescription.x509Description.keyUsage.extendedKeyUsage.timeStamping

boolean

Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as "Binding the hash of an object to a time".

certificateDescription.x509Description.keyUsage.unknownExtendedKeyUsages

list (object)

Used to describe extended key usages that are not listed in the KeyUsage.ExtendedKeyUsageOptions message.

certificateDescription.x509Description.keyUsage.unknownExtendedKeyUsages[]

object

certificateDescription.x509Description.keyUsage.unknownExtendedKeyUsages[].objectIdPath

list (integer)

Required. The parts of an OID path. The most significant parts of the path come first.

certificateDescription.x509Description.keyUsage.unknownExtendedKeyUsages[].objectIdPath[]

integer

certificateDescription.x509Description.policyIds

list (object)

Optional. Describes the X.509 certificate policy object identifiers, per https://tools.ietf.org/html/rfc5280#section-4.2.1.4.

certificateDescription.x509Description.policyIds[]

object

certificateDescription.x509Description.policyIds[].objectIdPath

list (integer)

Required. The parts of an OID path. The most significant parts of the path come first.

certificateDescription.x509Description.policyIds[].objectIdPath[]

integer

conditions

list (object)

Conditions represent the latest available observation of the resource's current state.

conditions[]

object

conditions[].lastTransitionTime

string

Last time the condition transitioned from one status to another.

conditions[].message

string

Human-readable message indicating details about last transition.

conditions[].reason

string

Unique, one-word, CamelCase reason for the condition's last transition.

conditions[].status

string

Status is the status of the condition. Can be True, False, Unknown.

conditions[].type

string

Type is the type of the condition.

createTime

string

Output only. The time at which this Certificate was created.

issuerCertificateAuthority

string

Output only. The resource name of the issuing CertificateAuthority in the format `projects/*/locations/*/caPools/*/certificateAuthorities/*`.

observedGeneration

integer

ObservedGeneration is the generation of the resource that was most recently observed by the Config Connector controller. If this is equal to metadata.generation, then that means that the current reported status reflects the most recent desired state of the resource.

pemCertificate

string

Output only. The pem-encoded, signed X.509 certificate.

pemCertificateChain

list (string)

Output only. The chain that may be used to verify the X.509 certificate. Expected to be in issuer-to-root order according to RFC 5246.

pemCertificateChain[]

string

revocationDetails

object

Output only. Details regarding the revocation of this Certificate. This Certificate is considered revoked if and only if this field is present.

revocationDetails.revocationState

string

Indicates why a Certificate was revoked. Possible values: REVOCATION_REASON_UNSPECIFIED, KEY_COMPROMISE, CERTIFICATE_AUTHORITY_COMPROMISE, AFFILIATION_CHANGED, SUPERSEDED, CESSATION_OF_OPERATION, CERTIFICATE_HOLD, PRIVILEGE_WITHDRAWN, ATTRIBUTE_AUTHORITY_COMPROMISE

revocationDetails.revocationTime

string

The time at which this Certificate was revoked.

updateTime

string

Output only. The time at which this Certificate was updated.
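An added example (not Config Connector code) that reads the Status block above the way a reconciliation check would: revoked if and only if revocationDetails is present, notAfterTime equal to notBeforeTime + lifetime - 1 second, and observedGeneration matching metadata.generation. The condition type "Ready" is an assumption not stated on this page, and the sample status values are constructed placeholders.

```python
import re
from datetime import datetime, timedelta
from typing import Dict

_DURATION_RE = re.compile(r"^(\d+(?:\.\d+)?)s$")


def parse_seconds(value: str) -> float:
    """Parse the 'Ns' duration string in subjectDescription.lifetime."""
    m = _DURATION_RE.match(value)
    if not m:
        raise ValueError(f"unsupported duration: {value!r}")
    return float(m.group(1))


def parse_rfc3339(value: str) -> datetime:
    # fromisoformat accepts '+00:00' but, before Python 3.11, not a bare 'Z'.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def summarize_certificate(obj: Dict, now_iso: str) -> Dict:
    """Summarize a PrivateCACertificate object's status at the given RFC 3339 time."""
    now = parse_rfc3339(now_iso)
    status = obj.get("status", {})
    desc = status.get("certificateDescription", {}).get("subjectDescription", {})
    summary = {
        # Status reflects the desired state only when the controller has seen the latest generation.
        "in_sync": status.get("observedGeneration") == obj.get("metadata", {}).get("generation"),
        # Assumed condition type; the page only says conditions carry type/status.
        "ready": any(c.get("type") == "Ready" and c.get("status") == "True"
                     for c in status.get("conditions", [])),
        # Per the page: revoked if and only if revocationDetails is present.
        "revoked": "revocationDetails" in status,
        "revocation_state": status.get("revocationDetails", {}).get("revocationState"),
        "chain_length": len(status.get("pemCertificateChain", [])),
        "issuer": status.get("issuerCertificateAuthority"),
    }
    if desc:
        not_before = parse_rfc3339(desc["notBeforeTime"])
        not_after = parse_rfc3339(desc["notAfterTime"])
        # Per the page: not_after_time = not_before_time + lifetime - 1 second.
        expected = not_before + timedelta(seconds=parse_seconds(desc["lifetime"])) - timedelta(seconds=1)
        summary["lifetime_consistent"] = not_after == expected
        summary["within_validity"] = not_before <= now <= not_after
        summary["usable"] = summary["within_validity"] and summary["ready"] and not summary["revoked"]
        summary["serial"] = desc.get("hexSerialNumber")
    return summary


# Constructed sample object; timestamps, serial and PEM entries are placeholders.
SAMPLE_OBJECT = {
    "metadata": {"name": "privatecacertificate-sample-basic", "generation": 2},
    "status": {
        "observedGeneration": 2,
        "conditions": [{"type": "Ready", "status": "True", "reason": "UpToDate",
                        "lastTransitionTime": "2022-01-01T00:00:05Z",
                        "message": "The resource is up to date"}],
        "certificateDescription": {"subjectDescription": {
            "hexSerialNumber": "00placeholderserial", "lifetime": "860s",
            "notBeforeTime": "2022-01-01T00:00:00Z",
            "notAfterTime": "2022-01-01T00:14:19Z"}},
        "issuerCertificateAuthority": "projects/${PROJECT_ID?}/locations/us-central1/caPools/"
                                      "privatecacertificate-dep-basic/certificateAuthorities/"
                                      "privatecacertificate-dep-basic",
        "pemCertificateChain": ["<issuer PEM placeholder>", "<root PEM placeholder>"],
    },
}

if __name__ == "__main__":
    print(summarize_certificate(SAMPLE_OBJECT, "2022-01-01T00:10:00Z"))
```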

Sample YAML(s)

Basic Certificate

# Copyright 2022 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#      http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

apiVersion: privateca.cnrm.cloud.google.com/v1beta1
kind: PrivateCACertificate
metadata:
  name: privatecacertificate-sample-basic
  labels:
    key: value
spec:
  location: us-central1
  certificateAuthorityRef:
    name: privatecacertificate-dep-basic
  caPoolRef:
    name: privatecacertificate-dep-basic
  lifetime: 860s
  subjectMode: DEFAULT
  config:
    subjectConfig:
      subject:
        commonName: san1.example.com
      subjectAltName:
        dnsNames:
        - san1.example.com
        uris:
        - http://www.ietf.org/rfc/rfc3986.txt
        emailAddresses:
        - test_example@google.com
        ipAddresses:
        - 127.0.0.1
    x509Config:
      caOptions:
        # isCa: false does not assert cA=FALSE, since isCa acts only when
        # true; set nonCa: true for an explicit non-CA Basic Constraints.
        isCa: false
      keyUsage:
        baseKeyUsage:
          # crlSign is a CA usage; a serverAuth leaf needs digitalSignature.
          crlSign: true
        extendedKeyUsage:
          serverAuth: true
    publicKey:
      format: PEM
      key: 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
  projectRef:
    # Replace ${PROJECT_ID?} with your project ID.
    external: projects/${PROJECT_ID?}
---
apiVersion: privateca.cnrm.cloud.google.com/v1beta1
kind: PrivateCACAPool
metadata:
  labels:
    label-two: "value-two"
  name: privatecacertificate-dep-basic
  # PrivateCACertificateAuthority cannot be deleted immediately, and must wait
  # 30 days in a 'DELETED' status before it is fully deleted. Since a PrivateCACAPool
  # with a PrivateCACertificateAuthority in 'DELETED' status cannot be deleted
  # itself, we abandon this resource on deletion.
  annotations:
    cnrm.cloud.google.com/deletion-policy: "abandon"
spec:
  projectRef:
    # Replace ${PROJECT_ID?} with your project ID.
    external: projects/${PROJECT_ID?}
  location: us-central1
  tier: ENTERPRISE
  issuancePolicy:
    maximumLifetime: 43200s
    baselineValues:
      keyUsage:
        baseKeyUsage:
          digitalSignature: false
          contentCommitment: false
          keyEncipherment: false
          dataEncipherment: false
          keyAgreement: false
          certSign: false
          crlSign: false
          encipherOnly: false
          decipherOnly: false
        extendedKeyUsage:
          serverAuth: false
          clientAuth: false
          codeSigning: false
          emailProtection: false
          timeStamping: false
          ocspSigning: false
        unknownExtendedKeyUsages:
        - objectIdPath:
          - 1
          - 7
      caOptions:
        # maxIssuerPathLength applies only to CA certificates, and a baseline
        # isCa: false does not force a non-CA result because isCa acts only
        # when true; to make every issued certificate non-CA, set nonCa: true.
        isCa: false
        maxIssuerPathLength: 7
      policyIds:
      - objectIdPath:
        - 1
        - 7
      aiaOcspServers:
      - string   # placeholder from the sample; a real pool lists its OCSP responder URL here
      additionalExtensions:
      - objectId:
          objectIdPath:
          - 1
          - 7
        critical: false
        value: c3RyaW5nCg==
    passthroughExtensions:
      knownExtensions:
      - BASE_KEY_USAGE
      additionalExtensions:
      - objectIdPath:
        - 1
        - 7
---
apiVersion: privateca.cnrm.cloud.google.com/v1beta1
kind: PrivateCACertificateAuthority
metadata:
  labels:
    label-two: "value-two"
  name: privatecacertificate-dep-basic
spec:
  projectRef:
    # Replace ${PROJECT_ID?} with your project ID.
    external: projects/${PROJECT_ID?}
  location: us-central1
  type: SELF_SIGNED
  caPoolRef:
    name: privatecacertificate-dep-basic
  lifetime: 86400s
  config:
    subjectConfig:
      subject:
        organization: Example
        commonName: my-certificate-authority
      subjectAltName:
        dnsNames:
        - example.com
    x509Config:
      caOptions:
        isCa: true
      keyUsage:
        baseKeyUsage:
          certSign: true
          crlSign: true
        extendedKeyUsage:
          serverAuth: true
  keySpec:
    algorithm: RSA_PKCS1_4096_SHA256

Cert Sign Certificate

# Copyright 2022 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#      http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

apiVersion: privateca.cnrm.cloud.google.com/v1beta1
kind: PrivateCACertificate
metadata:
  name: privatecacertificate-sample-cert-sign
  labels:
    key: value
spec:
  location: us-central1
  certificateAuthorityRef:
    name: privatecacertificate-dep-cert-sign
  caPoolRef:
    name: privatecacertificate-dep-cert-sign
  lifetime: "860s"
  config:
    subjectConfig:
      subject:
        commonName: "san1.example.com"
      subjectAltName:
        dnsNames:
        - "san1.example.com"
        uris:
        - "http://www.ietf.org/rfc/rfc3986.txt"
        emailAddresses:
        - test_example@google.com
        ipAddresses:
        - "127.0.0.1"
    x509Config:
      aiaOcspServers:
      - "www.example.com"
      caOptions:
        # This requests a subordinate CA certificate able to sign a chain of
        # up to 100 further CAs, and the pool below carries no issuancePolicy
        # to constrain it. Any principal allowed to create certificates in
        # that pool can therefore mint a CA; keep this shape for tests only.
        isCa: true
        maxIssuerPathLength: 100
      policyIds:
      - objectIdPath:
        - 1
        - 2
        - 3
        - 4
        - 5
        - 5
      additionalExtensions:
      - objectId:
          objectIdPath:
          - 1
          - 2
          - 3
          - 4
          - 5
          - 5
        critical: false
        value: "d3d3LmV4YW1wbGUuY29t"
      keyUsage:
        baseKeyUsage:
          digitalSignature: true
          contentCommitment: true
          keyEncipherment: true
          dataEncipherment: true
          keyAgreement: true
          crlSign: true
          encipherOnly: true
          certSign: true
        extendedKeyUsage:
          serverAuth: true
          clientAuth: true
          codeSigning: true
          emailProtection: true
          timeStamping: true
          ocspSigning: true
        unknownExtendedKeyUsages:
        - objectIdPath:
          - 1
          - 2
          - 3
          - 4
          - 5
          - 5
    publicKey:
      format: "PEM"
      key: "LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUlJQ0lqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FnOEFNSUlDQ2dLQ0FnRUF2NndlQzFhVDE2bDJxUzZxZFljeQo3Qk9qelA3VHdUOXpVQWlGaFdwTDI1NkdScUM4eVFSZHFNc2k2OFEvLzc2MklVeXUvcWFIYkVnUThXUm1RZFZWCkdEbHhrQmZyQS9pWEIyZGd1anE4amgwSFdJVjJldjNUZXJWM2FVd3ZZVWxyb3docTAyN1NYOVUxaGJ1ZmRHQ00KdUtzSGlGMDVFcmdOdkV1UjhYQWtlSi9ZVjJEVjIrc1JxK1dnOXk0UndVWWJkY2hkRnR5MWQ1U1gvczBZcXN3Zwp5T0c5Vm9DZFI3YmFGMjJ1Z2hWUjQ0YVJtKzgzbWd0cUFaNE0rUnBlN0pHUnNVR1kvcFIzOTFUb2kwczhFbjE1CkpHaUFocVgyVzBVby9GWlpyeTN5dXFSZmRIWUVOQitBRHV5VE1UclVhS1p2N2V1YTBsVEJ6NW9vbTNqU0YzZ3YKSTdTUW9MZEsvamhFVk9PcTQxSWpCOEQ2MFNnZDY5YkQ3eVRJNTE2eXZaL3MzQXlLelc2ZjZLbmpkYkNjWktLVAowR0FlUE5MTmhEWWZTbEE5YndKOEhRUzJGZW5TcFNUQXJLdkdpVnJzaW5KdU5qYlFkUHVRSGNwV2Y5eDFtM0dSClRNdkYrVE5ZTS9scDdJTDJWTWJKUmZXUHkxaVd4bTlGMVlyNmRrSFZvTFA3b2NZa05SSG9QTHV0NUU2SUZKdEsKbFZJMk5uZVVZSkduWVNPKzF4UFY5VHFsSmVNTndyM3VGTUFOOE4vb0IzZjRXV3d1UllnUjBMNWcyQStMdngrZwpiYmRsK1RiLzBDTmZzbGZTdURyRlY4WjRuNmdWd2I5WlBHbE5IQ3ZucVJmTFVwUkZKd21SN1VZdnppL0U3clhKCkVEa0srdGNuUGt6Mkp0amRMS1I3cVZjQ0F3RUFBUT09Ci0tLS0tRU5EIFBVQkxJQyBLRVktLS0tLQ=="
  projectRef:
    # Replace ${PROJECT_ID?} with your project ID.
    external: projects/${PROJECT_ID?}
---
apiVersion: privateca.cnrm.cloud.google.com/v1beta1
kind: PrivateCACAPool
metadata:
  labels:
    label-two: "value-two"
  name: privatecacertificate-dep-cert-sign
  # PrivateCACertificateAuthority cannot be deleted immediately, and must wait
  # 30 days in a 'DELETED' status before it is fully deleted. Since a PrivateCACAPool
  # with a PrivateCACertificateAuthority in 'DELETED' status cannot be deleted
  # itself, we abandon this resource on deletion.
  annotations:
    cnrm.cloud.google.com/deletion-policy: "abandon"
spec:
  projectRef:
    # Replace ${PROJECT_ID?} with your project ID.
    external: projects/${PROJECT_ID?}
  location: us-central1
  tier: ENTERPRISE
---
apiVersion: privateca.cnrm.cloud.google.com/v1beta1
kind: PrivateCACertificateAuthority
metadata:
  name: privatecacertificate-dep-cert-sign
spec:
  location: us-central1
  type: "SELF_SIGNED"
  caPoolRef:
    name: privatecacertificate-dep-cert-sign
  lifetime: "86400s"
  config:
    subjectConfig:
      subject:
        organization: "Example"
        commonName: "my-certificate-authority"
      subjectAltName:
        dnsNames:
        - "example.com"
    x509Config:
      caOptions:
        isCa: true
      keyUsage:
        baseKeyUsage:
          certSign: true
          crlSign: true
        extendedKeyUsage:
          serverAuth: true
  keySpec:
    algorithm: "RSA_PKCS1_4096_SHA256"
  projectRef:
    # Replace ${PROJECT_ID?} with your project ID.
    external: projects/${PROJECT_ID?}
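
The PrivateCACAPool in the Cert Sign sample above has no issuancePolicy, so the pool signs whatever a permitted caller requests, including the subordinate CA with a path length of 100 and every key usage that the sample asks for. The manifest below is an added example, not one of the Config Connector samples, showing the same pool with an issuancePolicy that bounds what can be issued: baselineValues overwrite conflicting values in any request (nonCa: true takes the CA bit away from the Cert Sign request; an isCa: false baseline would not, because isCa acts only when true), maximumLifetime caps spec.lifetime, allowedKeyTypes refuses weak keys, and a CEL expression under identityConstraints limits the names a request may carry. The fields that the samples above do not show (allowedKeyTypes, identityConstraints, publishingOptions) are assumed from the PrivateCACAPool schema and should be confirmed against that resource's reference; the pool name, the 30-day cap, the key sizes and the CEL expression are illustrative choices.

```yaml
# Added example, not one of the Config Connector samples: a CA pool whose
# issuancePolicy constrains the subordinate-CA request in the "Cert Sign
# Certificate" sample. allowedKeyTypes, identityConstraints and
# publishingOptions are assumed from the PrivateCACAPool schema.
apiVersion: privateca.cnrm.cloud.google.com/v1beta1
kind: PrivateCACAPool
metadata:
  name: privatecacapool-leaf-only   # illustrative name
  # Same reasoning as the samples: a pool holding a CA in DELETED state
  # cannot be deleted, so the resource is abandoned rather than deleted.
  annotations:
    cnrm.cloud.google.com/deletion-policy: "abandon"
spec:
  projectRef:
    # Replace ${PROJECT_ID?} with your project ID.
    external: projects/${PROJECT_ID?}
  location: us-central1
  tier: ENTERPRISE
  issuancePolicy:
    # Ceiling for spec.lifetime on every certificate issued here (30 days);
    # longer requests are refused, shorter ones pass unchanged.
    maximumLifetime: 2592000s
    # Keys the pool will certify; RSA moduli below 3072 bits are refused.
    allowedKeyTypes:
    - rsa:
        minModulusSize: 3072
        maxModulusSize: 4096
    - ellipticCurve:
        signatureAlgorithm: ECDSA_P256
    # Names a request may carry: subject and SANs pass through from the
    # request only when every SAN is a DNS name under example.com.
    # The expression is an assumed illustration; check it against the
    # CA Service CEL reference before relying on it.
    identityConstraints:
      allowSubjectPassthrough: true
      allowSubjectAltNamesPassthrough: true
      celExpression:
        title: dns-sans-under-example-com
        expression: subject_alt_names.all(san, san.type == DNS && san.value.endsWith(".example.com"))
    # Applied to every certificate; conflicting values in a request are
    # overwritten. nonCa: true writes an explicit cA=FALSE, so a request
    # carrying isCa: true is still issued as a non-CA certificate.
    baselineValues:
      caOptions:
        nonCa: true
      keyUsage:
        baseKeyUsage:
          digitalSignature: true
        extendedKeyUsage:
          serverAuth: true
  # Publish the CA certificate and CRLs so that revocationDetails recorded
  # on a PrivateCACertificate is something relying parties can check.
  publishingOptions:
    publishCaCert: true
    publishCrl: true
```

With this pool in place, the PrivateCACertificate resources on this page still apply unchanged; what changes is the result the CA Service hands back in status.pemCertificate, which now carries the baseline values rather than whatever the request asked for.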

Complex Certificate

# Copyright 2022 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#      http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

apiVersion: privateca.cnrm.cloud.google.com/v1beta1
kind: PrivateCACertificate
metadata:
  name: privatecacertificate-sample-complex
  labels:
    key: value
spec:
  location: "us-central1"
  certificateAuthorityRef:
    name: privatecacertificate-dep-complex
  caPoolRef:
    name: privatecacertificate-dep-complex
  lifetime: "860s"
  config:
    subjectConfig:
      subject:
        commonName: "san1.example.com"
      subjectAltName:
        dnsNames:
        - "san1.example.com"
        uris:
        - "http://www.ietf.org/rfc/rfc3986.txt"
        emailAddresses:
        - test_example@google.com
        ipAddresses:
        - "127.0.0.1"
    x509Config:
      caOptions:
        # isCa: false does not assert cA=FALSE, since isCa acts only when
        # true; set nonCa: true for an explicit non-CA Basic Constraints.
        isCa: false
      keyUsage:
        # Enabling every usage and every EKU at once exercises the schema;
        # a real profile grants only what the key holder exercises.
        baseKeyUsage:
          digitalSignature: true
          contentCommitment: true
          keyEncipherment: true
          dataEncipherment: true
          keyAgreement: true
          crlSign: true
          encipherOnly: true
          decipherOnly: true
        extendedKeyUsage:
          serverAuth: true
          clientAuth: true
          codeSigning: true
          emailProtection: true
          timeStamping: true
          ocspSigning: true
    publicKey:
      format: "PEM"
      key: "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"
  projectRef:
    # Replace ${PROJECT_ID?} with your project ID.
    external: projects/${PROJECT_ID?}
---
apiVersion: privateca.cnrm.cloud.google.com/v1beta1
kind: PrivateCACAPool
metadata:
  labels:
    label-two: "value-two"
  name: privatecacertificate-dep-complex
  # PrivateCACertificateAuthority cannot be deleted immediately, and must wait
  # 30 days in a 'DELETED' status before it is fully deleted. Since a PrivateCACAPool
  # with a PrivateCACertificateAuthority in 'DELETED' status cannot be deleted
  # itself, we abandon this resource on deletion.
  annotations:
    cnrm.cloud.google.com/deletion-policy: "abandon"
spec:
  projectRef:
    # Replace ${PROJECT_ID?} with your project ID.
    external: projects/${PROJECT_ID?}
  location: us-central1
  tier: ENTERPRISE
---
apiVersion: privateca.cnrm.cloud.google.com/v1beta1
kind: PrivateCACertificateAuthority
metadata:
  name: privatecacertificate-dep-complex
spec:
  location: us-central1
  type: "SELF_SIGNED"
  caPoolRef:
    name: privatecacertificate-dep-complex
  lifetime: "86400s"
  config:
    subjectConfig:
      subject:
        organization: "Example"
        commonName: "my-certificate-authority"
      subjectAltName:
        dnsNames:
        - "example.com"
    x509Config:
      caOptions:
        isCa: true
      keyUsage:
        baseKeyUsage:
          certSign: true
          crlSign: true
        extendedKeyUsage:
          serverAuth: true
  keySpec:
    algorithm: "RSA_PKCS1_4096_SHA256"
  projectRef:
    # Replace ${PROJECT_ID?} with your project ID.
    external: projects/${PROJECT_ID?}
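
The Complex sample above issues an end-entity certificate with every key usage and every extended key usage enabled, which is a useful shape for exercising the schema but not a profile to copy. The manifest below is an added example, not one of the Config Connector samples: the same certificate cut down to what a TLS server needs, with an explicit non-CA Basic Constraints extension, a single DNS name, and only the usages the handshake exercises. It reuses the CA and pool from the Complex sample by name; the certificate name, the lifetime and the public-key placeholder are illustrative.

```yaml
# Added example, not one of the Config Connector samples: the end-entity
# certificate from the "Complex Certificate" sample reduced to what a TLS
# server needs. The CA and pool named privatecacertificate-dep-complex are
# the ones defined in that sample.
apiVersion: privateca.cnrm.cloud.google.com/v1beta1
kind: PrivateCACertificate
metadata:
  name: privatecacertificate-sample-tls-server   # illustrative name
spec:
  location: us-central1
  certificateAuthorityRef:
    name: privatecacertificate-dep-complex
  caPoolRef:
    name: privatecacertificate-dep-complex
  # Short-lived leaves bound the window in which a stolen key is useful and
  # are replaced rather than revoked. 24 hours is a test value here, since
  # the sample CA above itself lives only 86400s.
  lifetime: "86400s"
  subjectMode: DEFAULT
  config:
    subjectConfig:
      subject:
        commonName: "san1.example.com"
      # Only the name the server answers to. No email, URI or loopback
      # entries: every extra SAN is a further identity this key can assert.
      subjectAltName:
        dnsNames:
        - "san1.example.com"
    x509Config:
      caOptions:
        # Explicit cA=FALSE. isCa: false would leave the CA bit unasserted,
        # because isCa acts only when true.
        nonCa: true
      keyUsage:
        baseKeyUsage:
          # digitalSignature covers the handshake signatures in TLS 1.2 and
          # 1.3; keyEncipherment is needed only for RSA key transport in
          # TLS 1.2. certSign and crlSign are CA usages, and encipherOnly
          # and decipherOnly are defined only together with keyAgreement
          # (RFC 5280), so none of them is set on a server leaf.
          digitalSignature: true
          keyEncipherment: true
        extendedKeyUsage:
          # serverAuth only. clientAuth, codeSigning, emailProtection and
          # timeStamping each let this key be accepted in a role the server
          # does not hold, and ocspSigning would let its holder sign
          # revocation status on behalf of the issuing CA (RFC 6960).
          serverAuth: true
    publicKey:
      format: "PEM"
      # Base64-encoded PEM public key, in the same encoding the samples
      # above use; placeholder, not a real key.
      key: "<base64 of the server's PEM public key>"
  projectRef:
    # Replace ${PROJECT_ID?} with your project ID.
    external: projects/${PROJECT_ID?}
```

After the resource reconciles, status.pemCertificate holds the issued leaf and status.pemCertificateChain the issuer-to-root chain described earlier on this page; confirm in the issued certificate that Basic Constraints reads cA=FALSE and that the key usage and EKU extensions contain exactly the values requested here, since a pool's baselineValues can overwrite what the manifest asked for.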