gcloud privateca templates create

NAME
gcloud privateca templates create - create a new certificate template
SYNOPSIS
gcloud privateca templates create (CERTIFICATE_TEMPLATE : --location=LOCATION) --copy-sans --copy-subject [--description=DESCRIPTION] [--identity-cel-expression=IDENTITY_CEL_EXPRESSION] [--labels=[KEY=VALUE,…]] [--maximum-lifetime=MAXIMUM_LIFETIME] [--predefined-values-file=PREDEFINED_VALUES_FILE] [--copy-all-requested-extensions     | --copy-extensions-by-oid=[OBJECT_ID,…] --copy-known-extensions=[KNOWN_EXTENSIONS,…]] [GCLOUD_WIDE_FLAG]
DESCRIPTION
Create a certificate template that enforces policy restrictions on certificate requestors. Using a certificate template, you can define restrictions on the kinds of Subjects/SANs and x509 extensions allowed from certificate requestors as well as a default set of x509 extensions that should be applied to all certificates using that template. These templates can be binded to IAM identities such that certain groups of requestors must use particular templates, allowing for fine-grained policy enforcements based on identity.

For more information and examples, see https://cloud.google.com/certificate-authority-service/docs/creating-certificate-template.

EXAMPLES
To create a template that prohibits any x509 extension from a requester, but permits custom subjects/SANs and defines the default x509 extensions, run:
gcloud privateca templates create restricted-template --location=us-west1 --copy-subject --copy-sans --predefined-values-file=x509_parameters.yaml

To create a template that allows requesters to specify only DNS names from requesters, use a custom CEL expression with a SAN only restriction:

gcloud privateca templates create dns-only-template --location=us-west1 --description="Restricts certificates to DNS SANs." --no-copy-subject --copy-sans --identity-cel-expression="subject_alt_names.all(san, san.type == DNS)"

To create a template that permits a requestor to specify extensions by OIDs, and subjects (but not SANs), with default x509 exensions:

gcloud privateca templates create mtls-only-extensions --location=us-west1 --copy-subject --no-copy-sans --predefined-values-file=mtls_cert_exts.yaml --copy-extensions-by-oid=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.1
POSITIONAL ARGUMENTS
CERTIFICATE TEMPLATE resource - The template to create. The arguments in this group can be used to specify the attributes of this resource. (NOTE) Some attributes are not given arguments in this group but can be set in other ways.

To set the project attribute:

  • provide the argument CERTIFICATE_TEMPLATE on the command line with a fully specified name;
  • provide the argument --project on the command line;
  • set the property core/project.

This must be specified.

CERTIFICATE_TEMPLATE
ID of the CERTIFICATE_TEMPLATE or fully qualified identifier for the CERTIFICATE_TEMPLATE.

To set the certificate template attribute:

  • provide the argument CERTIFICATE_TEMPLATE on the command line.

This positional argument must be specified if any of the other arguments in this group are specified.

--location=LOCATION
The location of the CERTIFICATE_TEMPLATE.

To set the location attribute:

  • provide the argument CERTIFICATE_TEMPLATE on the command line with a fully specified name;
  • provide the argument --location on the command line;
  • set the property privateca/location.
REQUIRED FLAGS
--copy-sans
If this is specified, the Subject Alternative Name extension from the certificate request will be copied into the signed certificate. Specify --no-copy-sans to drop any caller-specified SANs in the certificate request.
--copy-subject
If this is specified, the Subject from the certificate request will be copied into the signed certificate. Specify --no-copy-subject to drop any caller-specified subjects from the certificate request.
OPTIONAL FLAGS
--description=DESCRIPTION
A text description for the Certificate Template.
--identity-cel-expression=IDENTITY_CEL_EXPRESSION
A CEL expression that will be evaluated against the identity in the certificate before it is issued, and returns a boolean signifying whether the request should be allowed.
--labels=[KEY=VALUE,…]
List of label KEY=VALUE pairs to add.

Keys must start with a lowercase character and contain only hyphens (-), underscores (_), lowercase characters, and numbers. Values must contain only hyphens (-), underscores (_), lowercase characters, and numbers.

--maximum-lifetime=MAXIMUM_LIFETIME
If this is set, then issued certificate's lifetime will be truncated to the value provided. If the issuing CaPool's IssuancePolicy specifies a maximum lifetime the minimum of the two durations will be the maximum lifetime for the issued certificate. Note that if the issuing CertificateAuthority expires before a Certificate's requested maximum_lifetime, the effective lifetime will be explicitly truncated to match it.
--predefined-values-file=PREDEFINED_VALUES_FILE
A YAML file describing any predefined X.509 values set by this template. The provided extensions will be copied over to any certificate requests that use this template, taking precedent over any allowed extensions in the certificate request. The format of this file should be a YAML representation of the X509Parameters message, which is defined here: https://cloud.google.com/certificate-authority-service/docs/reference/rest/v1/X509Parameters. Some examples can be found here: https://cloud.google.com/certificate-authority-service/docs/creating-certificate-template
Constraints on requested X.509 extensions. If unspecified, all extensions from certificate request will be ignored when signing the certificate.

At most one of these can be specified:

--copy-all-requested-extensions
If this is set, all extensions specified in the certificate request will be copied into the signed certificate.
Specify exact x509 extensions to copy by OID or known extension.
--copy-extensions-by-oid=[OBJECT_ID,…]
If this is set, then extensions with the given OIDs will be copied from the certificate request into the signed certificate.
--copy-known-extensions=[KNOWN_EXTENSIONS,…]
If this is set, then the given extensions will be copied from the certificate request into the signed certificate. KNOWN_EXTENSIONS must be one of: base-key-usage, extended-key-usage, ca-options, policy-ids, aia-ocsp-servers.
GCLOUD WIDE FLAGS
These flags are available to all commands: --access-token-file, --account, --billing-project, --configuration, --flags-file, --flatten, --format, --help, --impersonate-service-account, --log-http, --project, --quiet, --trace-token, --user-output-enabled, --verbosity.

Run $ gcloud help for details.