--- title: Certificate Authority description: Datadog, the leading service for cloud-scale monitoring. breadcrumbs: Docs > DDSQL Reference > Data Directory > Certificate Authority --- # Certificate Authority Certificate Authority in Google Cloud is a managed service that allows you to create, manage, and deploy private certificate authorities. It helps issue and manage SSL/TLS certificates for internal workloads, devices, and applications without relying on external certificate providers. This service simplifies certificate lifecycle management, improves security, and integrates with other Google Cloud services. ``` gcp.privateca_certificate_authority ``` ## Fields | Title | ID | Type | Data Type | Description | | --------------------------- | ---- | ------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------- | | _key | core | string | | access_urls | core | json | Output only. URLs for accessing content published by this CA, such as the CA certificate and CRLs. | | ancestors | core | array | | ca_certificate_descriptions | core | json | Output only. A structured description of this CertificateAuthority's CA certificate and its issuers. Ordered as self-to-root. | | config | core | json | Required. Immutable. The config used to create a self-signed X.509 certificate or CSR. | | create_time | core | timestamp | Output only. The time at which this CertificateAuthority was created. | | datadog_display_name | core | string | | delete_time | core | timestamp | Output only. The time at which this CertificateAuthority was soft deleted, if it is in the DELETED state. | | expire_time | core | timestamp | Output only. The time at which this CertificateAuthority will be permanently purged, if it is in the DELETED state. | | gcs_bucket | core | string | Immutable. The name of a Cloud Storage bucket where this CertificateAuthority will publish content, such as the CA certificate and CRLs. This must be a bucket name, without any prefixes (such as `gs://`) or suffixes (such as `.googleapis.com`). For example, to use a bucket named `my-bucket`, you would simply specify `my-bucket`. If not specified, a managed bucket will be created. | | key_spec | core | json | Required. Immutable. Used when issuing certificates for this CertificateAuthority. If this CertificateAuthority is a self-signed CertificateAuthority, this key is also used to sign the self-signed CA certificate. Otherwise, it is used to sign a CSR. | | labels | core | array | Optional. Labels with user-defined metadata. | | lifetime | core | string | Required. Immutable. The desired lifetime of the CA certificate. Used to create the "not_before_time" and "not_after_time" fields inside an X.509 certificate. | | name | core | string | Identifier. The resource name for this CertificateAuthority in the format `projects/*/locations/*/caPools/*/certificateAuthorities/*`. | | organization_id | core | string | | parent | core | string | | pem_ca_certificates | core | array | Output only. This CertificateAuthority's certificate chain, including the current CertificateAuthority's certificate. Ordered such that the root issuer is the final element (consistent with RFC 5246). For a self-signed CA, this will only list the current CertificateAuthority's certificate. | | project_id | core | string | | project_number | core | string | | region_id | core | string | | resource_name | core | string | | satisfies_pzi | core | bool | Output only. Reserved for future use. | | satisfies_pzs | core | bool | Output only. Reserved for future use. | | state | core | string | Output only. The State for this CertificateAuthority. | | subordinate_config | core | json | Optional. If this is a subordinate CertificateAuthority, this field will be set with the subordinate configuration, which describes its issuers. This may be updated, but this CertificateAuthority must continue to validate. | | tags | core | hstore_csv | | tier | core | string | Output only. The CaPool.Tier of the CaPool that includes this CertificateAuthority. | | type | core | string | Required. Immutable. The Type of this CertificateAuthority. | | update_time | core | timestamp | Output only. The time at which this CertificateAuthority was last updated. | | user_defined_access_urls | core | json | Optional. User-defined URLs for CA certificate and CRLs. The service does not publish content to these URLs. It is up to the user to mirror content to these URLs. | | zone_id | core | string |