PrivateCACertificateAuthority


Property                                                         Value
Google Cloud Service Name                                        Private CA
Google Cloud Service Documentation                               /certificate-authority-service/docs/
Google Cloud REST Resource Name                                  v1.projects.locations.caPools.certificateAuthorities
Google Cloud REST Resource Documentation                         /certificate-authority-service/docs/reference/rest/v1/projects.locations.caPools.certificateAuthorities
Config Connector Resource Short Names                            gcpprivatecacertificateauthority, gcpprivatecacertificateauthorities, privatecacertificateauthority
Config Connector Service Name                                    privateca.googleapis.com
Config Connector Resource Fully Qualified Name                   privatecacertificateauthorities.privateca.cnrm.cloud.google.com
Can Be Referenced by IAMPolicy/IAMPolicyMember                   No
Config Connector Default Average Reconcile Interval In Seconds   600

Custom Resource Definition Properties

Spec

Schema

caPoolRef:
  external: string
  name: string
  namespace: string
config:
  subjectConfig:
    subject:
      commonName: string
      countryCode: string
      locality: string
      organization: string
      organizationalUnit: string
      postalCode: string
      province: string
      streetAddress: string
    subjectAltName:
      customSans:
      - critical: boolean
        objectId:
          objectIdPath:
          - integer
        value: string
      dnsNames:
      - string
      emailAddresses:
      - string
      ipAddresses:
      - string
      uris:
      - string
  x509Config:
    additionalExtensions:
    - critical: boolean
      objectId:
        objectIdPath:
        - integer
      value: string
    caOptions:
      isCa: boolean
      maxIssuerPathLength: integer
      zeroMaxIssuerPathLength: boolean
    keyUsage:
      baseKeyUsage:
        certSign: boolean
        contentCommitment: boolean
        crlSign: boolean
        dataEncipherment: boolean
        decipherOnly: boolean
        digitalSignature: boolean
        encipherOnly: boolean
        keyAgreement: boolean
        keyEncipherment: boolean
      extendedKeyUsage:
        clientAuth: boolean
        codeSigning: boolean
        emailProtection: boolean
        ocspSigning: boolean
        serverAuth: boolean
        timeStamping: boolean
      unknownExtendedKeyUsages:
      - objectIdPath:
        - integer
    policyIds:
    - objectIdPath:
      - integer
gcsBucketRef:
  external: string
  name: string
  namespace: string
keySpec:
  algorithm: string
  cloudKmsKeyVersionRef:
    external: string
    name: string
    namespace: string
lifetime: string
location: string
projectRef:
  external: string
  name: string
  namespace: string
resourceID: string
type: string

Fields

caPoolRef

Required

object

Immutable.

caPoolRef.external

Optional

string

The caPool for the resource. Allowed value: The Google Cloud resource name of a `PrivateCACAPool` resource (format: `projects/{{project}}/locations/{{location}}/caPools/{{name}}`).

caPoolRef.name

Optional

string

Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names

caPoolRef.namespace

Optional

string

Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/

config

Required

object

Immutable. Required. The config used to create a self-signed X.509 certificate or CSR.

config.subjectConfig

Required

object

Immutable. Required. Specifies some of the values in a certificate that are related to the subject.

config.subjectConfig.subject

Required

object

Immutable. Required. Contains distinguished name fields such as the common name, location and organization.

config.subjectConfig.subject.commonName

Optional

string

Immutable. The "common name" of the subject.

config.subjectConfig.subject.countryCode

Optional

string

Immutable. The country code of the subject.

config.subjectConfig.subject.locality

Optional

string

Immutable. The locality or city of the subject.

config.subjectConfig.subject.organization

Optional

string

Immutable. The organization of the subject.

config.subjectConfig.subject.organizationalUnit

Optional

string

Immutable. The organizational_unit of the subject.

config.subjectConfig.subject.postalCode

Optional

string

Immutable. The postal code of the subject.

config.subjectConfig.subject.province

Optional

string

Immutable. The province, territory, or regional state of the subject.

config.subjectConfig.subject.streetAddress

Optional

string

Immutable. The street address of the subject.

config.subjectConfig.subjectAltName

Optional

object

Immutable. Optional. The subject alternative name fields.

config.subjectConfig.subjectAltName.customSans

Optional

list (object)

Immutable. Contains additional subject alternative name values.

config.subjectConfig.subjectAltName.customSans[]

Optional

object

config.subjectConfig.subjectAltName.customSans[].critical

Optional

boolean

Immutable. Optional. Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error).

config.subjectConfig.subjectAltName.customSans[].objectId

Required*

object

Immutable. Required. The OID for this X.509 extension.

config.subjectConfig.subjectAltName.customSans[].objectId.objectIdPath

Required*

list (integer)

Immutable. Required. The parts of an OID path. The most significant parts of the path come first.

config.subjectConfig.subjectAltName.customSans[].objectId.objectIdPath[]

Required*

integer

config.subjectConfig.subjectAltName.customSans[].value

Required*

string

Immutable. Required. The value of this X.509 extension.

config.subjectConfig.subjectAltName.dnsNames

Optional

list (string)

Immutable. Contains only valid, fully-qualified host names.

config.subjectConfig.subjectAltName.dnsNames[]

Optional

string

config.subjectConfig.subjectAltName.emailAddresses

Optional

list (string)

Immutable. Contains only valid RFC 2822 E-mail addresses.

config.subjectConfig.subjectAltName.emailAddresses[]

Optional

string

config.subjectConfig.subjectAltName.ipAddresses

Optional

list (string)

Immutable. Contains only valid 32-bit IPv4 addresses or RFC 4291 IPv6 addresses.

config.subjectConfig.subjectAltName.ipAddresses[]

Optional

string

config.subjectConfig.subjectAltName.uris

Optional

list (string)

Immutable. Contains only valid RFC 3986 URIs.

config.subjectConfig.subjectAltName.uris[]

Optional

string

config.x509Config

Required

object

Immutable. Required. Describes how some of the technical X.509 fields in a certificate should be populated.

config.x509Config.additionalExtensions

Optional

list (object)

Immutable. Optional. Describes custom X.509 extensions.

config.x509Config.additionalExtensions[]

Optional

object

config.x509Config.additionalExtensions[].critical

Optional

boolean

Immutable. Optional. Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error).

config.x509Config.additionalExtensions[].objectId

Required*

object

Immutable. Required. The OID for this X.509 extension.

config.x509Config.additionalExtensions[].objectId.objectIdPath

Required*

list (integer)

Immutable. Required. The parts of an OID path. The most significant parts of the path come first.

config.x509Config.additionalExtensions[].objectId.objectIdPath[]

Required*

integer

config.x509Config.additionalExtensions[].value

Required*

string

Immutable. Required. The value of this X.509 extension.

config.x509Config.caOptions

Optional

object

Immutable. Optional. Describes options in this X509Parameters that are relevant in a CA certificate.

config.x509Config.caOptions.isCa

Optional

boolean

Immutable. Optional. Refers to the "CA" X.509 extension, which is a boolean value. When this value is missing, the extension will be omitted from the CA certificate.

config.x509Config.caOptions.maxIssuerPathLength

Optional

integer

Immutable. Optional. Refers to the path length restriction X.509 extension. For a CA certificate, this value describes the depth of subordinate CA certificates that are allowed. If this value is less than 0, the request will fail. If this value is missing, the max path length will be omitted from the CA certificate.

config.x509Config.caOptions.zeroMaxIssuerPathLength

Optional

boolean

Immutable. Optional. When true, the "path length constraint" in the Basic Constraints extension will be set to 0. If both max_issuer_path_length and zero_max_issuer_path_length are unset, the max path length will be omitted from the CA certificate.

config.x509Config.keyUsage

Optional

object

Immutable. Optional. Indicates the intended use for keys that correspond to a certificate.

config.x509Config.keyUsage.baseKeyUsage

Optional

object

Immutable. Describes high-level ways in which a key may be used.

config.x509Config.keyUsage.baseKeyUsage.certSign

Optional

boolean

Immutable. The key may be used to sign certificates.

config.x509Config.keyUsage.baseKeyUsage.contentCommitment

Optional

boolean

Immutable. The key may be used for cryptographic commitments. Note that this may also be referred to as "non-repudiation".

config.x509Config.keyUsage.baseKeyUsage.crlSign

Optional

boolean

Immutable. The key may be used to sign certificate revocation lists.

config.x509Config.keyUsage.baseKeyUsage.dataEncipherment

Optional

boolean

Immutable. The key may be used to encipher data.

config.x509Config.keyUsage.baseKeyUsage.decipherOnly

Optional

boolean

Immutable. The key may be used to decipher only.

config.x509Config.keyUsage.baseKeyUsage.digitalSignature

Optional

boolean

Immutable. The key may be used for digital signatures.

config.x509Config.keyUsage.baseKeyUsage.encipherOnly

Optional

boolean

Immutable. The key may be used to encipher only.

config.x509Config.keyUsage.baseKeyUsage.keyAgreement

Optional

boolean

Immutable. The key may be used in a key agreement protocol.

config.x509Config.keyUsage.baseKeyUsage.keyEncipherment

Optional

boolean

Immutable. The key may be used to encipher other keys.

config.x509Config.keyUsage.extendedKeyUsage

Optional

object

Immutable. Detailed scenarios in which a key may be used.

config.x509Config.keyUsage.extendedKeyUsage.clientAuth

Optional

boolean

Immutable. Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as "TLS WWW client authentication", though regularly used for non-WWW TLS.

config.x509Config.keyUsage.extendedKeyUsage.codeSigning

Optional

boolean

Immutable. Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as "Signing of downloadable executable code".

config.x509Config.keyUsage.extendedKeyUsage.emailProtection

Optional

boolean

Immutable. Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as "Email protection".

config.x509Config.keyUsage.extendedKeyUsage.ocspSigning

Optional

boolean

Immutable. Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as "Signing OCSP responses".

config.x509Config.keyUsage.extendedKeyUsage.serverAuth

Optional

boolean

Immutable. Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as "TLS WWW server authentication", though regularly used for non-WWW TLS.

config.x509Config.keyUsage.extendedKeyUsage.timeStamping

Optional

boolean

Immutable. Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as "Binding the hash of an object to a time".

config.x509Config.keyUsage.unknownExtendedKeyUsages

Optional

list (object)

Immutable. Used to describe extended key usages that are not listed in the KeyUsage.ExtendedKeyUsageOptions message.

config.x509Config.keyUsage.unknownExtendedKeyUsages[]

Optional

object

config.x509Config.keyUsage.unknownExtendedKeyUsages[].objectIdPath

Required*

list (integer)

Immutable. Required. The parts of an OID path. The most significant parts of the path come first.

config.x509Config.keyUsage.unknownExtendedKeyUsages[].objectIdPath[]

Required*

integer

config.x509Config.policyIds

Optional

list (object)

Immutable. Optional. Describes the X.509 certificate policy object identifiers, per https://tools.ietf.org/html/rfc5280#section-4.2.1.4.

config.x509Config.policyIds[]

Optional

object

config.x509Config.policyIds[].objectIdPath

Required*

list (integer)

Immutable. Required. The parts of an OID path. The most significant parts of the path come first.

config.x509Config.policyIds[].objectIdPath[]

Required*

integer

gcsBucketRef

Optional

object

Immutable.

gcsBucketRef.external

Optional

string

Immutable. The name of a Cloud Storage bucket where this CertificateAuthority will publish content, such as the CA certificate and CRLs. This must be a bucket name, without any prefixes (such as `gs://`) or suffixes (such as `.googleapis.com`). For example, to use a bucket named `my-bucket`, you would simply specify `my-bucket`. If not specified, a managed bucket will be created. Allowed value: The Google Cloud resource name of a `StorageBucket` resource (format: `{{name}}`).

gcsBucketRef.name

Optional

string

Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names

gcsBucketRef.namespace

Optional

string

Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/

keySpec

Required

object

Immutable. Required. Used when issuing certificates for this CertificateAuthority. If this CertificateAuthority is a self-signed CertificateAuthority, this key is also used to sign the self-signed CA certificate. Otherwise, it is used to sign a CSR.

keySpec.algorithm

Optional

string

Immutable. The algorithm to use for creating a managed Cloud KMS key for a simplified experience. All managed keys will have their ProtectionLevel set to `HSM`. Possible values: RSA_PSS_2048_SHA256, RSA_PSS_3072_SHA256, RSA_PSS_4096_SHA256, RSA_PKCS1_2048_SHA256, RSA_PKCS1_3072_SHA256, RSA_PKCS1_4096_SHA256, EC_P256_SHA256, EC_P384_SHA384

keySpec.cloudKmsKeyVersionRef

Optional

object

Immutable.

keySpec.cloudKmsKeyVersionRef.external

Optional

string

The resource name for an existing Cloud KMS CryptoKeyVersion in the format `projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*`. This option enables full flexibility in the key's capabilities and properties.

keySpec.cloudKmsKeyVersionRef.name

Optional

string

[WARNING] KMSCryptoKeyVersion is not yet supported in Config Connector; use the 'external' field to reference existing resources. Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names

keySpec.cloudKmsKeyVersionRef.namespace

Optional

string

Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/

lifetime

Required

string

Immutable. Required. The desired lifetime of the CA certificate. Used to create the "not_before_time" and "not_after_time" fields inside an X.509 certificate.

location

Required

string

Immutable. The location for the resource.

projectRef

Required

object

Immutable. The Project that this resource belongs to.

projectRef.external

Optional

string

The project for the resource. Allowed value: The Google Cloud resource name of a `Project` resource (format: `projects/{{name}}`).

projectRef.name

Optional

string

Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names

projectRef.namespace

Optional

string

Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/

resourceID

Optional

string

Immutable. Optional. The name of the resource. Used for creation and acquisition. When unset, the value of `metadata.name` is used as the default.

type

Required

string

Immutable. Required. The Type of this CertificateAuthority. Possible values: SELF_SIGNED, SUBORDINATE

* Field is required when parent field is specified
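As an added example (not part of the Config Connector docs or project), a pre-apply lint for a PrivateCACertificateAuthority spec built from the constraints the field descriptions above state: isCa, maxIssuerPathLength and zeroMaxIssuerPathLength, the certSign/crlSign base key usages, the extended key usage OIDs, keySpec, lifetime and the `type` values; it also carries the notAfterTime = notBeforeTime + lifetime - 1 second relation given under Status. The sample spec, the expectation that exactly one keySpec option is set, and the certSign/crlSign expectation are this example's own assumptions, marked as such in the code.

```python
"""Pre-apply lint for a PrivateCACertificateAuthority spec (added example, not
Config Connector code). All sample values are constructed."""
import copy
import re
from datetime import datetime, timedelta

# Extended key usage OIDs exactly as listed in the extendedKeyUsage field descriptions.
KNOWN_EKU_OIDS = {
    "1.3.6.1.5.5.7.3.1": "serverAuth", "1.3.6.1.5.5.7.3.2": "clientAuth",
    "1.3.6.1.5.5.7.3.3": "codeSigning", "1.3.6.1.5.5.7.3.4": "emailProtection",
    "1.3.6.1.5.5.7.3.8": "timeStamping", "1.3.6.1.5.5.7.3.9": "ocspSigning",
}
VALID_TYPES = {"SELF_SIGNED", "SUBORDINATE"}  # the `type` values the page lists


def oid_from_path(path: list) -> str:
    """Render an objectIdPath (most significant arc first) as dotted OID text."""
    if not path or any(not isinstance(a, int) or a < 0 for a in path):
        raise ValueError(f"invalid objectIdPath: {path!r}")
    return ".".join(str(a) for a in path)


def parse_lifetime(value: str) -> timedelta:
    """Parse the Duration JSON form used by `lifetime`, e.g. '157680000s' or '3.5s'."""
    m = re.fullmatch(r"(\d+)(?:\.(\d{1,9}))?s", value or "")
    if not m:
        raise ValueError(f"lifetime must look like '<seconds>s', got {value!r}")
    micros = int((m.group(2) or "").ljust(6, "0")[:6])
    return timedelta(seconds=int(m.group(1)), microseconds=micros)


def not_after_for(not_before_iso: str, lifetime: str) -> str:
    """Status rule stated on the page: notAfterTime = notBeforeTime + lifetime - 1 second."""
    not_before = datetime.fromisoformat(not_before_iso)
    return (not_before + parse_lifetime(lifetime) - timedelta(seconds=1)).isoformat()


def lint_spec(spec: dict) -> list:
    """Return findings for a CA spec; an empty list means every check passed."""
    findings = []
    if spec.get("type") not in VALID_TYPES:
        findings.append(f"type must be one of {sorted(VALID_TYPES)}")
    x509 = spec.get("config", {}).get("x509Config", {})
    ca = x509.get("caOptions", {})
    if ca.get("isCa") is not True:  # page: a missing value omits the CA extension
        findings.append("caOptions.isCa is not true; the CA extension would be omitted")
    mpl = ca.get("maxIssuerPathLength")
    if mpl is not None and mpl < 0:  # page: a negative value makes the request fail
        findings.append("caOptions.maxIssuerPathLength is negative; the request will fail")
    if mpl is not None and ca.get("zeroMaxIssuerPathLength"):  # lint policy (assumption)
        findings.append("caOptions: set maxIssuerPathLength or zeroMaxIssuerPathLength, not both")
    base = x509.get("keyUsage", {}).get("baseKeyUsage", {})
    for usage in ("certSign", "crlSign"):  # lint policy (assumption): a CA signs certs and CRLs
        if base.get(usage) is not True:
            findings.append(f"keyUsage.baseKeyUsage.{usage} is not true")
    for eku in x509.get("keyUsage", {}).get("unknownExtendedKeyUsages", []):
        oid = oid_from_path(eku.get("objectIdPath", []))
        if oid in KNOWN_EKU_OIDS:  # a named field exists for this OID; use it instead
            findings.append(f"unknownExtendedKeyUsages has {oid}; use extendedKeyUsage.{KNOWN_EKU_OIDS[oid]}")
    key = spec.get("keySpec", {})  # lint policy (assumption): managed key xor existing KMS key
    if bool(key.get("algorithm")) == bool(key.get("cloudKmsKeyVersionRef")):
        findings.append("keySpec must set exactly one of algorithm or cloudKmsKeyVersionRef")
    try:
        parse_lifetime(spec.get("lifetime", ""))
    except ValueError as exc:
        findings.append(str(exc))
    return findings


# Constructed sample spec: a subordinate issuing CA limited to end-entity issuance.
GOOD_SPEC = {
    "type": "SUBORDINATE", "location": "us-central1", "lifetime": "157680000s",
    "caPoolRef": {"name": "example-pool"},
    "projectRef": {"external": "projects/example-project"},
    "keySpec": {"algorithm": "EC_P384_SHA384"},
    "config": {
        "subjectConfig": {"subject": {"commonName": "Example Issuing CA", "organization": "Example Org"}},
        "x509Config": {
            "caOptions": {"isCa": True, "zeroMaxIssuerPathLength": True},
            "keyUsage": {"baseKeyUsage": {"certSign": True, "crlSign": True}},
        },
    },
}


def weak_spec() -> dict:
    """GOOD_SPEC with four mistakes the lint is meant to catch (constructed)."""
    s = copy.deepcopy(GOOD_SPEC)
    x = s["config"]["x509Config"]
    x["caOptions"] = {"isCa": True, "maxIssuerPathLength": 1, "zeroMaxIssuerPathLength": True}
    x["keyUsage"]["unknownExtendedKeyUsages"] = [{"objectIdPath": [1, 3, 6, 1, 5, 5, 7, 3, 1]}]
    s["keySpec"]["cloudKmsKeyVersionRef"] = {"external": "projects/p/locations/l/keyRings/r/cryptoKeys/k/cryptoKeyVersions/1"}
    s["lifetime"] = "5y"
    return s
```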

Status

Schema

accessUrls:
  caCertificateAccessUrl: string
  crlAccessUrls:
  - string
caCertificateDescriptions:
- aiaIssuingCertificateUrls:
  - string
  authorityKeyId:
    keyId: string
  certFingerprint:
    sha256Hash: string
  crlDistributionPoints:
  - string
  publicKey:
    format: string
    key: string
  subjectDescription:
    hexSerialNumber: string
    lifetime: string
    notAfterTime: string
    notBeforeTime: string
    subject:
      commonName: string
      countryCode: string
      locality: string
      organization: string
      organizationalUnit: string
      postalCode: string
      province: string
      streetAddress: string
    subjectAltName:
      customSans:
      - critical: boolean
        objectId:
          objectIdPath:
          - integer
        value: string
      dnsNames:
      - string
      emailAddresses:
      - string
      ipAddresses:
      - string
      uris:
      - string
  subjectKeyId:
    keyId: string
  x509Description:
    additionalExtensions:
    - critical: boolean
      objectId:
        objectIdPath:
        - integer
      value: string
    aiaOcspServers:
    - string
    caOptions:
      isCa: boolean
      maxIssuerPathLength: integer
    keyUsage:
      baseKeyUsage:
        certSign: boolean
        contentCommitment: boolean
        crlSign: boolean
        dataEncipherment: boolean
        decipherOnly: boolean
        digitalSignature: boolean
        encipherOnly: boolean
        keyAgreement: boolean
        keyEncipherment: boolean
      extendedKeyUsage:
        clientAuth: boolean
        codeSigning: boolean
        emailProtection: boolean
        ocspSigning: boolean
        serverAuth: boolean
        timeStamping: boolean
      unknownExtendedKeyUsages:
      - objectIdPath:
        - integer
    policyIds:
    - objectIdPath:
      - integer
conditions:
- lastTransitionTime: string
  message: string
  reason: string
  status: string
  type: string
config:
  publicKey:
    format: string
    key: string
  x509Config:
    aiaOcspServers:
    - string
createTime: string
deleteTime: string
expireTime: string
observedGeneration: integer
pemCaCertificates:
- string
state: string
subordinateConfig:
  certificateAuthority: string
  pemIssuerChain:
    pemCertificates:
    - string
tier: string
updateTime: string

Fields

accessUrls

object

Output only. URLs for accessing content published by this CA, such as the CA certificate and CRLs.

accessUrls.caCertificateAccessUrl

string

The URL where this CertificateAuthority's CA certificate is published. This will only be set for CAs that have been activated.

accessUrls.crlAccessUrls

list (string)

The URLs where this CertificateAuthority's CRLs are published. This will only be set for CAs that have been activated.

accessUrls.crlAccessUrls[]

string

caCertificateDescriptions

list (object)

Output only. A structured description of this CertificateAuthority's CA certificate and its issuers. Ordered as self-to-root.

caCertificateDescriptions[]

object

caCertificateDescriptions[].aiaIssuingCertificateUrls

list (string)

Describes lists of issuer CA certificate URLs that appear in the "Authority Information Access" extension in the certificate.

caCertificateDescriptions[].aiaIssuingCertificateUrls[]

string

caCertificateDescriptions[].authorityKeyId

object

Identifies the subject_key_id of the parent certificate, per https://tools.ietf.org/html/rfc5280#section-4.2.1.1

caCertificateDescriptions[].authorityKeyId.keyId

string

Optional. The value of this KeyId encoded in lowercase hexadecimal. This is most likely the 160-bit SHA-1 hash of the public key.

caCertificateDescriptions[].certFingerprint

object

The hash of the X.509 certificate.

caCertificateDescriptions[].certFingerprint.sha256Hash

string

The SHA-256 hash, encoded in hexadecimal, of the DER-encoded X.509 certificate.

caCertificateDescriptions[].crlDistributionPoints

list (string)

Describes a list of locations to obtain CRL information, i.e. the DistributionPoint.fullName described by https://tools.ietf.org/html/rfc5280#section-4.2.1.13

caCertificateDescriptions[].crlDistributionPoints[]

string

caCertificateDescriptions[].publicKey

object

The public key that corresponds to an issued certificate.

caCertificateDescriptions[].publicKey.format

string

Required. The format of the public key. Possible values: PEM

caCertificateDescriptions[].publicKey.key

string

Required. A public key. The padding and encoding must match with the `KeyFormat` value specified for the `format` field.

caCertificateDescriptions[].subjectDescription

object

Describes some of the values in a certificate that are related to the subject and lifetime.

caCertificateDescriptions[].subjectDescription.hexSerialNumber

string

The serial number encoded in lowercase hexadecimal.

caCertificateDescriptions[].subjectDescription.lifetime

string

For convenience, the actual lifetime of an issued certificate.

caCertificateDescriptions[].subjectDescription.notAfterTime

string

The time after which the certificate is expired. Per RFC 5280, the validity period for a certificate is the period of time from not_before_time through not_after_time, inclusive. Corresponds to 'not_before_time' + 'lifetime' - 1 second.

caCertificateDescriptions[].subjectDescription.notBeforeTime

string

The time at which the certificate becomes valid.

caCertificateDescriptions[].subjectDescription.subject

object

Contains distinguished name fields such as the common name, location and organization.

caCertificateDescriptions[].subjectDescription.subject.commonName

string

The "common name" of the subject.

caCertificateDescriptions[].subjectDescription.subject.countryCode

string

The country code of the subject.

caCertificateDescriptions[].subjectDescription.subject.locality

string

The locality or city of the subject.

caCertificateDescriptions[].subjectDescription.subject.organization

string

The organization of the subject.

caCertificateDescriptions[].subjectDescription.subject.organizationalUnit

string

The organizational_unit of the subject.

caCertificateDescriptions[].subjectDescription.subject.postalCode

string

The postal code of the subject.

caCertificateDescriptions[].subjectDescription.subject.province

string

The province, territory, or regional state of the subject.

caCertificateDescriptions[].subjectDescription.subject.streetAddress

string

The street address of the subject.

caCertificateDescriptions[].subjectDescription.subjectAltName

object

The subject alternative name fields.

caCertificateDescriptions[].subjectDescription.subjectAltName.customSans

list (object)

Contains additional subject alternative name values.

caCertificateDescriptions[].subjectDescription.subjectAltName.customSans[]

object

caCertificateDescriptions[].subjectDescription.subjectAltName.customSans[].critical

boolean

Optional. Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error).

caCertificateDescriptions[].subjectDescription.subjectAltName.customSans[].objectId

object

Required. The OID for this X.509 extension.

caCertificateDescriptions[].subjectDescription.subjectAltName.customSans[].objectId.objectIdPath

list (integer)

Required. The parts of an OID path. The most significant parts of the path come first.

caCertificateDescriptions[].subjectDescription.subjectAltName.customSans[].objectId.objectIdPath[]

integer

caCertificateDescriptions[].subjectDescription.subjectAltName.customSans[].value

string

Required. The value of this X.509 extension.

caCertificateDescriptions[].subjectDescription.subjectAltName.dnsNames

list (string)

Contains only valid, fully-qualified host names.

caCertificateDescriptions[].subjectDescription.subjectAltName.dnsNames[]

string

caCertificateDescriptions[].subjectDescription.subjectAltName.emailAddresses

list (string)

Contains only valid RFC 2822 E-mail addresses.

caCertificateDescriptions[].subjectDescription.subjectAltName.emailAddresses[]

string

caCertificateDescriptions[].subjectDescription.subjectAltName.ipAddresses

list (string)

Contains only valid 32-bit IPv4 addresses or RFC 4291 IPv6 addresses.

caCertificateDescriptions[].subjectDescription.subjectAltName.ipAddresses[]

string

caCertificateDescriptions[].subjectDescription.subjectAltName.uris

list (string)

Contains only valid RFC 3986 URIs.

caCertificateDescriptions[].subjectDescription.subjectAltName.uris[]

string

caCertificateDescriptions[].subjectKeyId

object

Provides a means of identifying certificates that contain a particular public key, per https://tools.ietf.org/html/rfc5280#section-4.2.1.2.

caCertificateDescriptions[].subjectKeyId.keyId

string

Optional. The value of this KeyId encoded in lowercase hexadecimal. This is most likely the 160-bit SHA-1 hash of the public key.

caCertificateDescriptions[].x509Description

object

Describes some of the technical X.509 fields in a certificate.

caCertificateDescriptions[].x509Description.additionalExtensions

list (object)

Optional. Describes custom X.509 extensions.

caCertificateDescriptions[].x509Description.additionalExtensions[]

object

caCertificateDescriptions[].x509Description.additionalExtensions[].critical

boolean

Optional. Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error).

caCertificateDescriptions[].x509Description.additionalExtensions[].objectId

object

Required. The OID for this X.509 extension.

caCertificateDescriptions[].x509Description.additionalExtensions[].objectId.objectIdPath

list (integer)

Required. The parts of an OID path. The most significant parts of the path come first.

caCertificateDescriptions[].x509Description.additionalExtensions[].objectId.objectIdPath[]

integer

caCertificateDescriptions[].x509Description.additionalExtensions[].value

string

Required. The value of this X.509 extension.

caCertificateDescriptions[].x509Description.aiaOcspServers

list (string)

Optional. Describes Online Certificate Status Protocol (OCSP) endpoint addresses that appear in the "Authority Information Access" extension in the certificate.

caCertificateDescriptions[].x509Description.aiaOcspServers[]

string

caCertificateDescriptions[].x509Description.caOptions

object

Optional. Describes options in this X509Parameters that are relevant in a CA certificate.

caCertificateDescriptions[].x509Description.caOptions.isCa

boolean

Optional. Refers to the "CA" X.509 extension, which is a boolean value. When this value is missing, the extension will be omitted from the CA certificate.

caCertificateDescriptions[].x509Description.caOptions.maxIssuerPathLength

integer

Optional. Refers to the path length restriction X.509 extension. For a CA certificate, this value describes the depth of subordinate CA certificates that are allowed. If this value is less than 0, the request will fail. If this value is missing, the max path length will be omitted from the CA certificate.

caCertificateDescriptions[].x509Description.keyUsage

object

Optional. Indicates the intended use for keys that correspond to a certificate.

caCertificateDescriptions[].x509Description.keyUsage.baseKeyUsage

object

Describes high-level ways in which a key may be used.

caCertificateDescriptions[].x509Description.keyUsage.baseKeyUsage.certSign

boolean

The key may be used to sign certificates.

caCertificateDescriptions[].x509Description.keyUsage.baseKeyUsage.contentCommitment

boolean

The key may be used for cryptographic commitments. Note that this may also be referred to as "non-repudiation".

caCertificateDescriptions[].x509Description.keyUsage.baseKeyUsage.crlSign

boolean

The key may be used to sign certificate revocation lists.

caCertificateDescriptions[].x509Description.keyUsage.baseKeyUsage.dataEncipherment

boolean

The key may be used to encipher data.

caCertificateDescriptions[].x509Description.keyUsage.baseKeyUsage.decipherOnly

boolean

The key may be used to decipher only.

caCertificateDescriptions[].x509Description.keyUsage.baseKeyUsage.digitalSignature

boolean

The key may be used for digital signatures.

caCertificateDescriptions[].x509Description.keyUsage.baseKeyUsage.encipherOnly

boolean

The key may be used to encipher only.

caCertificateDescriptions[].x509Description.keyUsage.baseKeyUsage.keyAgreement

boolean

The key may be used in a key agreement protocol.

caCertificateDescriptions[].x509Description.keyUsage.baseKeyUsage.keyEncipherment

boolean

The key may be used to encipher other keys.

caCertificateDescriptions[].x509Description.keyUsage.extendedKeyUsage

object

Detailed scenarios in which a key may be used.

caCertificateDescriptions[].x509Description.keyUsage.extendedKeyUsage.clientAuth

boolean

Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as "TLS WWW client authentication", though regularly used for non-WWW TLS.

caCertificateDescriptions[].x509Description.keyUsage.extendedKeyUsage.codeSigning

boolean

Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as "Signing of downloadable executable code".

caCertificateDescriptions[].x509Description.keyUsage.extendedKeyUsage.emailProtection

boolean

Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as "Email protection".

caCertificateDescriptions[].x509Description.keyUsage.extendedKeyUsage.ocspSigning

boolean

Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as "Signing OCSP responses".

caCertificateDescriptions[].x509Description.keyUsage.extendedKeyUsage.serverAuth

boolean

Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as "TLS WWW server authentication", though regularly used for non-WWW TLS.

caCertificateDescriptions[].x509Description.keyUsage.extendedKeyUsage.timeStamping

boolean

Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as "Binding the hash of an object to a time".

caCertificateDescriptions[].x509Description.keyUsage.unknownExtendedKeyUsages

list (object)

Used to describe extended key usages that are not listed in the KeyUsage.ExtendedKeyUsageOptions message.

caCertificateDescriptions[].x509Description.keyUsage.unknownExtendedKeyUsages[]

object

caCertificateDescriptions[].x509Description.keyUsage.unknownExtendedKeyUsages[].objectIdPath

list (integer)

Required. The parts of an OID path. The most significant parts of the path come first.

caCertificateDescriptions[].x509Description.keyUsage.unknownExtendedKeyUsages[].objectIdPath[]

integer

caCertificateDescriptions[].x509Description.policyIds

list (object)

Optional. Describes the X.509 certificate policy object identifiers, per https://tools.ietf.org/html/rfc5280#section-4.2.1.4.

caCertificateDescriptions[].x509Description.policyIds[]

object

caCertificateDescriptions[].x509Description.policyIds[].objectIdPath

list (integer)

Required. The parts of an OID path. The most significant parts of the path come first.

caCertificateDescriptions[].x509Description.policyIds[].objectIdPath[]

integer

conditions

list (object)

Conditions represent the latest available observation of the resource's current state.

conditions[]

object

conditions[].lastTransitionTime

string

Last time the condition transitioned from one status to another.

conditions[].message

string

Human-readable message indicating details about last transition.

conditions[].reason

string

Unique, one-word, CamelCase reason for the condition's last transition.

conditions[].status

string

Status is the status of the condition. Can be True, False, Unknown.

conditions[].type

string

Type is the type of the condition.

config

object

config.publicKey

object

Optional. The public key that corresponds to this config. This is, for example, used when issuing Certificates, but not when creating a self-signed CertificateAuthority or CertificateAuthority CSR.

config.publicKey.format

string

Required. The format of the public key. Possible values: PEM

config.publicKey.key

string

Required. A public key. The padding and encoding must match with the `KeyFormat` value specified for the `format` field.

config.x509Config

object

config.x509Config.aiaOcspServers

list (string)

Optional. Describes Online Certificate Status Protocol (OCSP) endpoint addresses that appear in the "Authority Information Access" extension in the certificate.

config.x509Config.aiaOcspServers[]

string

createTime

string

Output only. The time at which this CertificateAuthority was created.

deleteTime

string

Output only. The time at which this CertificateAuthority was soft deleted, if it is in the DELETED state.

expireTime

string

Output only. The time at which this CertificateAuthority will be permanently purged, if it is in the DELETED state.

observedGeneration

integer

ObservedGeneration is the generation of the resource that was most recently observed by the Config Connector controller. If this is equal to metadata.generation, then that means that the current reported status reflects the most recent desired state of the resource.

pemCaCertificates

list (string)

Output only. This CertificateAuthority's certificate chain, including the current CertificateAuthority's certificate. Ordered such that the root issuer is the final element (consistent with RFC 5246). For a self-signed CA, this will only list the current CertificateAuthority's certificate.

pemCaCertificates[]

string

state

string

Output only. The State for this CertificateAuthority. Possible values: ENABLED, DISABLED, STAGED, AWAITING_USER_ACTIVATION, DELETED

subordinateConfig

object

Optional. If this is a subordinate CertificateAuthority, this field will be set with the subordinate configuration, which describes its issuers. This may be updated, but this CertificateAuthority must continue to validate.

subordinateConfig.certificateAuthority

string

Required. This can refer to a CertificateAuthority in the same project that was used to create a subordinate CertificateAuthority. This field is used for information and usability purposes only. The resource name is in the format `projects/*/locations/*/caPools/*/certificateAuthorities/*`.

subordinateConfig.pemIssuerChain

object

Required. Contains the PEM certificate chain for the issuers of this CertificateAuthority, but not the PEM certificate for this CA itself.

subordinateConfig.pemIssuerChain.pemCertificates

list (string)

Required. Expected to be in leaf-to-root order according to RFC 5246.

subordinateConfig.pemIssuerChain.pemCertificates[]

string

tier

string

Output only. The CaPool.Tier of the CaPool that includes this CertificateAuthority. Possible values: ENTERPRISE, DEVOPS

updateTime

string

Output only. The time at which this CertificateAuthority was last updated.
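Before anything consumes a CA created through this resource (fetching `pemCaCertificates` for a trust store, pointing a Certificate at its pool), the status fields above should be checked together: `observedGeneration` must match `metadata.generation` or the `Ready` condition describes an older spec, `state` must be ENABLED, and for a subordinate CA `pemCaCertificates` and `subordinateConfig.pemIssuerChain` must agree on the documented leaf-to-root ordering. The following is an added example for this page, not Config Connector code. It works on the JSON that `kubectl get privatecacertificateauthority <name> -o json` returns; `SAMPLE_RESOURCE` is a constructed stand-in whose PEM bodies are placeholders rather than real certificates, and the use of a condition of type `Ready` with reason `UpToDate` is an assumption about the controller's conventions.

```python
"""Gate on a PrivateCACertificateAuthority status before trusting or using the CA.
Added example for this page, not Config Connector code."""
from typing import Dict, List, Optional, Tuple

# Constructed placeholder PEM blocks. The checks compare PEM strings; no X.509 parsing.
SUB_CA_PEM = "-----BEGIN CERTIFICATE-----\nPLACEHOLDER-SUBORDINATE-CA\n-----END CERTIFICATE-----\n"
ROOT_CA_PEM = "-----BEGIN CERTIFICATE-----\nPLACEHOLDER-ROOT-CA\n-----END CERTIFICATE-----\n"

# Constructed stand-in for `kubectl get privatecacertificateauthority <name> -o json`.
SAMPLE_RESOURCE: Dict = {
    "apiVersion": "privateca.cnrm.cloud.google.com/v1beta1",
    "kind": "PrivateCACertificateAuthority",
    "metadata": {"name": "privatecacertificateauthority-sample", "generation": 2},
    "status": {
        "observedGeneration": 2,
        # Assumed Config Connector convention: readiness is a condition of type "Ready".
        "conditions": [{"type": "Ready", "status": "True", "reason": "UpToDate",
                        "message": "The resource is up to date",
                        "lastTransitionTime": "2021-06-01T12:00:00Z"}],
        "state": "ENABLED",
        # Own certificate first, root issuer last, as pemCaCertificates documents.
        "pemCaCertificates": [SUB_CA_PEM, ROOT_CA_PEM],
        # Issuers only, leaf-to-root; the CA's own certificate must not appear here.
        "subordinateConfig": {"pemIssuerChain": {"pemCertificates": [ROOT_CA_PEM]}},
    },
}

# Only ENABLED can issue; the other values are the ones the `state` field lists.
STATE_NOTES = {
    "ENABLED": (True, "CA can issue certificates"),
    "DISABLED": (False, "CA is disabled; issuance fails until it is re-enabled"),
    "STAGED": (False, "CA exists but has not been enabled"),
    "AWAITING_USER_ACTIVATION": (False, "subordinate CA still needs its signed cert and activation"),
    "DELETED": (False, "CA is soft-deleted and will be purged at expireTime"),
}


def ready_condition(obj: Dict) -> Optional[Dict]:
    for cond in obj.get("status", {}).get("conditions", []):
        if cond.get("type") == "Ready":
            return cond
    return None


def is_reconciled(obj: Dict) -> bool:
    """Ready=True only counts if the controller has observed the current spec generation."""
    status = obj.get("status", {})
    if status.get("observedGeneration") != obj.get("metadata", {}).get("generation"):
        return False
    cond = ready_condition(obj)
    return cond is not None and cond.get("status") == "True"


def assess_state(state: Optional[str]) -> Tuple[bool, str]:
    return STATE_NOTES.get(state, (False, f"unexpected state {state!r}"))


def check_chain_consistency(status: Dict) -> List[str]:
    """Cross-check pemCaCertificates against subordinateConfig.pemIssuerChain: both are
    leaf-to-root, and the issuer chain excludes the CA's own certificate."""
    problems: List[str] = []
    chain = status.get("pemCaCertificates", [])
    if not chain:
        return ["pemCaCertificates is empty"]
    own = chain[0]
    sub = status.get("subordinateConfig")
    if sub is None:  # self-signed: the chain is exactly its own certificate
        if len(chain) != 1:
            problems.append("self-signed CA should list exactly one certificate")
        return problems
    issuers = sub.get("pemIssuerChain", {}).get("pemCertificates", [])
    if not issuers:
        problems.append("subordinate CA has an empty issuer chain")
    if own in issuers:
        problems.append("issuer chain must not contain the CA's own certificate")
    if chain[1:] != issuers:
        problems.append("pemCaCertificates[1:] does not equal pemIssuerChain.pemCertificates")
    return problems


def trust_anchor(status: Dict) -> str:
    """The root is the final element; for a self-signed CA it is the only element."""
    return status["pemCaCertificates"][-1]


def gate(obj: Dict) -> Tuple[bool, List[str]]:
    """True only when the resource is reconciled, ENABLED, and its chain fields agree."""
    reasons: List[str] = []
    if not is_reconciled(obj):
        reasons.append("not reconciled: observedGeneration lags metadata.generation or Ready != True")
    status = obj.get("status", {})
    usable, note = assess_state(status.get("state"))
    if not usable:
        reasons.append(note)
    reasons.extend(check_chain_consistency(status))
    return (not reasons, reasons)


if __name__ == "__main__":
    usable, reasons = gate(SAMPLE_RESOURCE)
    print("usable" if usable else "blocked", reasons)
    if usable:
        print(trust_anchor(SAMPLE_RESOURCE["status"]), end="")
```

Only the final element of `pemCaCertificates` belongs in a trust store; distributing the whole list would also pin the subordinate, which defeats the point of rotating it under a stable root.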

Sample YAML(s)

Typical Use Case

# Copyright 2021 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

apiVersion: privateca.cnrm.cloud.google.com/v1beta1
kind: PrivateCACertificateAuthority
metadata:
  labels:
    label-two: "value-two"
  name: privatecacertificateauthority-sample
spec:
  projectRef:
    # Replace ${PROJECT_ID?} with your project ID.
    external: projects/${PROJECT_ID?}
  location: "us-central1"
  type: SELF_SIGNED
  caPoolRef:
    name: privatecacertificateauthority-dep
  lifetime: 86400s
  config:
    subjectConfig:
      subject:
        organization: Example
        commonName: my-certificate-authority
      subjectAltName:
        dnsNames:
        - example.com
    x509Config:
      caOptions:
        isCa: true
      keyUsage:
        baseKeyUsage:
          certSign: true
          crlSign: true
      extendedKeyUsage:
        serverAuth: true
  keySpec:
    algorithm: RSA_PKCS1_4096_SHA256
---
apiVersion: privateca.cnrm.cloud.google.com/v1beta1
kind: PrivateCACAPool
metadata:
  labels:
    label-two: "value-two"
  name: privatecacertificateauthority-dep
  # PrivateCACertificateAuthority cannot be deleted immediately, and must wait
  # 30 days in a 'DELETED' status before it is fully deleted. Since a PrivateCACAPool
  # with a PrivateCACertificateAuthority in 'DELETED' status cannot be deleted
  # itself, we abandon this resource on deletion.
  annotations:
    cnrm.cloud.google.com/deletion-policy: "abandon"
spec:
  projectRef:
    # Replace ${PROJECT_ID?} with your project ID.
    external: projects/${PROJECT_ID?}
  location: "us-central1"
  tier: ENTERPRISE
  issuancePolicy:
    allowedKeyTypes:
    - rsa:
        # Modulus sizes are in bits; allow only 2048-4096 bit RSA leaf keys.
        minModulusSize: 2048
        maxModulusSize: 4096
    - ellipticCurve:
        signatureAlgorithm: ECDSA_P384
    maximumLifetime: 43200s
    allowedIssuanceModes:
      allowCsrBasedIssuance: true
      allowConfigBasedIssuance: false
    baselineValues:
      keyUsage:
        baseKeyUsage:
          digitalSignature: false
          contentCommitment: false
          keyEncipherment: false
          dataEncipherment: false
          keyAgreement: false
          certSign: false
          crlSign: false
          encipherOnly: false
          decipherOnly: false
        extendedKeyUsage:
          serverAuth: false
          clientAuth: false
          codeSigning: false
          emailProtection: false
          timeStamping: false
          ocspSigning: false
        unknownExtendedKeyUsages:
        - objectIdPath:
          - 1
          - 7
      caOptions:
        isCa: false
        maxIssuerPathLength: 7
      policyIds:
      - objectIdPath:
        - 1
        - 7
      aiaOcspServers:
      # Replace with the URL of your OCSP responder (example.com is a reserved placeholder domain).
      - http://ocsp.example.com/
      additionalExtensions:
      - objectId:
          objectIdPath:
          - 1
          - 7
        critical: false
        value: c3RyaW5nCg==
    identityConstraints:
      celExpression:
        title: Sample expression
        description: Always false
        expression: 'false'
        location: devops.ca_pool.json
      allowSubjectPassthrough: false
      allowSubjectAltNamesPassthrough: false
    passthroughExtensions:
      knownExtensions:
      - BASE_KEY_USAGE
      additionalExtensions:
      - objectIdPath:
        - 1
        - 7