| _key | core | string | |
| access_urls | core | json | Output only. URLs for accessing content published by this CA, such as the CA certificate and CRLs. |
| ancestors | core | array<string> | |
| ca_certificate_descriptions | core | json | Output only. A structured description of this CertificateAuthority's CA certificate and its issuers. Ordered as self-to-root. |
| config | core | json | Required. Immutable. The config used to create a self-signed X.509 certificate or CSR. |
| create_time | core | timestamp | Output only. The time at which this CertificateAuthority was created. |
| datadog_display_name | core | string | |
| delete_time | core | timestamp | Output only. The time at which this CertificateAuthority was soft deleted, if it is in the DELETED state. |
| expire_time | core | timestamp | Output only. The time at which this CertificateAuthority will be permanently purged, if it is in the DELETED state. |
| gcs_bucket | core | string | Immutable. The name of a Cloud Storage bucket where this CertificateAuthority will publish content, such as the CA certificate and CRLs. This must be a bucket name, without any prefixes (such as `gs://`) or suffixes (such as `.googleapis.com`). For example, to use a bucket named `my-bucket`, you would simply specify `my-bucket`. If not specified, a managed bucket will be created. |
| key_spec | core | json | Required. Immutable. Used when issuing certificates for this CertificateAuthority. If this CertificateAuthority is a self-signed CertificateAuthority, this key is also used to sign the self-signed CA certificate. Otherwise, it is used to sign a CSR. |
| labels | core | array<string> | Optional. Labels with user-defined metadata. |
| lifetime | core | string | Required. Immutable. The desired lifetime of the CA certificate. Used to create the "not_before_time" and "not_after_time" fields inside an X.509 certificate. |
| name | core | string | Identifier. The resource name for this CertificateAuthority in the format `projects/*/locations/*/caPools/*/certificateAuthorities/*`. |
| organization_id | core | string | |
| parent | core | string | |
| pem_ca_certificates | core | array<string> | Output only. This CertificateAuthority's certificate chain, including the current CertificateAuthority's certificate. Ordered such that the root issuer is the final element (consistent with RFC 5246). For a self-signed CA, this will only list the current CertificateAuthority's certificate. |
| project_id | core | string | |
| project_number | core | string | |
| resource_name | core | string | |
| satisfies_pzi | core | bool | Output only. Reserved for future use. |
| satisfies_pzs | core | bool | Output only. Reserved for future use. |
| state | core | string | Output only. The State for this CertificateAuthority. |
| subordinate_config | core | json | Optional. If this is a subordinate CertificateAuthority, this field will be set with the subordinate configuration, which describes its issuers. This may be updated, but this CertificateAuthority must continue to validate. |
| tags | core | hstore | |
| tier | core | string | Output only. The CaPool.Tier of the CaPool that includes this CertificateAuthority. |
| type | core | string | Required. Immutable. The Type of this CertificateAuthority. |
| update_time | core | timestamp | Output only. The time at which this CertificateAuthority was last updated. |
| user_defined_access_urls | core | json | Optional. User-defined URLs for CA certificate and CRLs. The service does not publish content to these URLs. It is up to the user to mirror content to these URLs. |
