- NAME
-
- gcloud privateca templates create - create a new certificate template
- SYNOPSIS
-
-
gcloud privateca templates create
(CERTIFICATE_TEMPLATE
:--location
=LOCATION
)--copy-sans
--copy-subject
[--description
=DESCRIPTION
] [--identity-cel-expression
=IDENTITY_CEL_EXPRESSION
] [--labels
=[KEY
=VALUE
,…]] [--maximum-lifetime
=MAXIMUM_LIFETIME
] [--predefined-values-file
=PREDEFINED_VALUES_FILE
] [--copy-all-requested-extensions
|--copy-extensions-by-oid
=[OBJECT_ID
,…]--copy-known-extensions
=[KNOWN_EXTENSIONS
,…]] [GCLOUD_WIDE_FLAG …
]
-
- DESCRIPTION
-
Create a certificate template that enforces policy restrictions on certificate
requestors. Using a certificate template, you can define restrictions on the
kinds of Subjects/SANs and x509 extensions allowed from certificate requestors
as well as a default set of x509 extensions that should be applied to all
certificates using that template. These templates can be binded to IAM
identities such that certain groups of requestors must use particular templates,
allowing for fine-grained policy enforcements based on identity.
For more information and examples, see https://cloud.google.com/certificate-authority-service/docs/creating-certificate-template.
- EXAMPLES
-
To create a template that prohibits any x509 extension from a requester, but
permits custom subjects/SANs and defines the default x509 extensions, run:
gcloud privateca templates create restricted-template --location=us-west1 --copy-subject --copy-sans --predefined-values-file=x509_parameters.yaml
To create a template that allows requesters to specify only DNS names from requesters, use a custom CEL expression with a SAN only restriction:
gcloud privateca templates create dns-only-template --location=us-west1 --description="Restricts certificates to DNS SANs." --no-copy-subject --copy-sans --identity-cel-expression="subject_alt_names.all(san, san.type == DNS)"
To create a template that permits a requestor to specify extensions by OIDs, and subjects (but not SANs), with default x509 exensions:
gcloud privateca templates create mtls-only-extensions --location=us-west1 --copy-subject --no-copy-sans --predefined-values-file=mtls_cert_exts.yaml --copy-extensions-by-oid=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.1
- POSITIONAL ARGUMENTS
-
-
CERTIFICATE TEMPLATE resource - The template to create. The arguments in this
group can be used to specify the attributes of this resource. (NOTE) Some
attributes are not given arguments in this group but can be set in other ways.
To set the
project
attribute:-
provide the argument
CERTIFICATE_TEMPLATE
on the command line with a fully specified name; -
provide the argument
--project
on the command line; -
set the property
core/project
.
This must be specified.
CERTIFICATE_TEMPLATE
-
ID of the CERTIFICATE_TEMPLATE or fully qualified identifier for the
CERTIFICATE_TEMPLATE.
To set the
certificate template
attribute:-
provide the argument
CERTIFICATE_TEMPLATE
on the command line.
This positional argument must be specified if any of the other arguments in this group are specified.
-
provide the argument
--location
=LOCATION
-
The location of the CERTIFICATE_TEMPLATE.
To set the
location
attribute:-
provide the argument
CERTIFICATE_TEMPLATE
on the command line with a fully specified name; -
provide the argument
--location
on the command line; -
set the property
privateca/location
.
-
provide the argument
-
provide the argument
-
CERTIFICATE TEMPLATE resource - The template to create. The arguments in this
group can be used to specify the attributes of this resource. (NOTE) Some
attributes are not given arguments in this group but can be set in other ways.
- REQUIRED FLAGS
-
--copy-sans
- If this is specified, the Subject Alternative Name extension from the certificate request will be copied into the signed certificate. Specify --no-copy-sans to drop any caller-specified SANs in the certificate request.
--copy-subject
- If this is specified, the Subject from the certificate request will be copied into the signed certificate. Specify --no-copy-subject to drop any caller-specified subjects from the certificate request.
- OPTIONAL FLAGS
-
--description
=DESCRIPTION
- A text description for the Certificate Template.
--identity-cel-expression
=IDENTITY_CEL_EXPRESSION
- A CEL expression that will be evaluated against the identity in the certificate before it is issued, and returns a boolean signifying whether the request should be allowed.
--labels
=[KEY
=VALUE
,…]-
List of label KEY=VALUE pairs to add.
Keys must start with a lowercase character and contain only hyphens (
-
), underscores (_
), lowercase characters, and numbers. Values must contain only hyphens (-
), underscores (_
), lowercase characters, and numbers. --maximum-lifetime
=MAXIMUM_LIFETIME
- If this is set, then issued certificate's lifetime will be truncated to the value provided. If the issuing CaPool's IssuancePolicy specifies a maximum lifetime the minimum of the two durations will be the maximum lifetime for the issued certificate. Note that if the issuing CertificateAuthority expires before a Certificate's requested maximum_lifetime, the effective lifetime will be explicitly truncated to match it.
--predefined-values-file
=PREDEFINED_VALUES_FILE
- A YAML file describing any predefined X.509 values set by this template. The provided extensions will be copied over to any certificate requests that use this template, taking precedent over any allowed extensions in the certificate request. The format of this file should be a YAML representation of the X509Parameters message, which is defined here: https://cloud.google.com/certificate-authority-service/docs/reference/rest/v1/X509Parameters. Some examples can be found here: https://cloud.google.com/certificate-authority-service/docs/creating-certificate-template
-
Constraints on requested X.509 extensions. If unspecified, all extensions from
certificate request will be ignored when signing the certificate.
At most one of these can be specified:
--copy-all-requested-extensions
- If this is set, all extensions specified in the certificate request will be copied into the signed certificate.
-
Specify exact x509 extensions to copy by OID or known extension.
--copy-extensions-by-oid
=[OBJECT_ID
,…]- If this is set, then extensions with the given OIDs will be copied from the certificate request into the signed certificate.
--copy-known-extensions
=[KNOWN_EXTENSIONS
,…]-
If this is set, then the given extensions will be copied from the certificate
request into the signed certificate.
KNOWN_EXTENSIONS
must be one of:base-key-usage
,extended-key-usage
,ca-options
,policy-ids
,aia-ocsp-servers
.
- GCLOUD WIDE FLAGS
-
These flags are available to all commands:
--access-token-file
,--account
,--billing-project
,--configuration
,--flags-file
,--flatten
,--format
,--help
,--impersonate-service-account
,--log-http
,--project
,--quiet
,--trace-token
,--user-output-enabled
,--verbosity
.Run
$ gcloud help
for details.
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2024-04-02 UTC.