
gcp_privateca_ca_pool

ancestors

Type: UNORDERED_LIST_STRING

issuance_policy

Type: STRUCT
Provider name: issuancePolicy
Description: Optional. The IssuancePolicy to control how Certificates will be issued from this CaPool.

  • allowed_issuance_modes
    Type: STRUCT
    Provider name: allowedIssuanceModes
    Description: Optional. If specified, then only methods allowed in the IssuanceModes may be used to issue Certificates.
    • allow_config_based_issuance
      Type: BOOLEAN
      Provider name: allowConfigBasedIssuance
      Description: Optional. When true, allows callers to create Certificates by specifying a CertificateConfig.
    • allow_csr_based_issuance
      Type: BOOLEAN
      Provider name: allowCsrBasedIssuance
      Description: Optional. When true, allows callers to create Certificates by specifying a CSR.
  • allowed_key_types
    Type: UNORDERED_LIST_STRUCT
    Provider name: allowedKeyTypes
    Description: Optional. If any AllowedKeyType is specified, then the certificate request’s public key must match one of the key types listed here. Otherwise, any key may be used.
    • elliptic_curve
      Type: STRUCT
      Provider name: ellipticCurve
      Description: Represents an allowed Elliptic Curve key type.
      • signature_algorithm
        Type: STRING
        Provider name: signatureAlgorithm
        Description: Optional. A signature algorithm that must be used. If this is omitted, any EC-based signature algorithm will be allowed.
        Possible values:
        • EC_SIGNATURE_ALGORITHM_UNSPECIFIED - Not specified. Signifies that any signature algorithm may be used.
        • ECDSA_P256 - Refers to the Elliptic Curve Digital Signature Algorithm over the NIST P-256 curve.
        • ECDSA_P384 - Refers to the Elliptic Curve Digital Signature Algorithm over the NIST P-384 curve.
        • EDDSA_25519 - Refers to the Edwards-curve Digital Signature Algorithm over curve 25519, as described in RFC 8410.
    • rsa
      Type: STRUCT
      Provider name: rsa
      Description: Represents an allowed RSA key type.
      • max_modulus_size
        Type: INT64
        Provider name: maxModulusSize
        Description: Optional. The maximum allowed RSA modulus size (inclusive), in bits. If this is not set, or if set to zero, the service will not enforce an explicit upper bound on RSA modulus sizes.
      • min_modulus_size
        Type: INT64
        Provider name: minModulusSize
        Description: Optional. The minimum allowed RSA modulus size (inclusive), in bits. If this is not set, or if set to zero, the service-level min RSA modulus size will continue to apply.
  • backdate_duration
    Type: STRING
    Provider name: backdateDuration
    Description: Optional. The duration to backdate all certificates issued from this CaPool. If not set, the certificates will be issued with a not_before_time of the issuance time (i.e. the current time). If set, the certificates will be issued with a not_before_time of the issuance time minus the backdate_duration. The not_after_time will be adjusted to preserve the requested lifetime. The backdate_duration must be less than or equal to 48 hours.
  • baseline_values
    Type: STRUCT
    Provider name: baselineValues
    Description: Optional. A set of X.509 values that will be applied to all certificates issued through this CaPool. If a certificate request includes conflicting values for the same properties, they will be overwritten by the values defined here. If a certificate request uses a CertificateTemplate that defines conflicting predefined_values for the same properties, the certificate issuance request will fail.
    • additional_extensions
      Type: UNORDERED_LIST_STRUCT
      Provider name: additionalExtensions
      Description: Optional. Describes custom X.509 extensions.
      • critical
        Type: BOOLEAN
        Provider name: critical
        Description: Optional. Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error).
      • object_id
        Type: STRUCT
        Provider name: objectId
        Description: Required. The OID for this X.509 extension.
        • object_id_path
          Type: UNORDERED_LIST_INT32
          Provider name: objectIdPath
          Description: Required. The parts of an OID path. The most significant parts of the path come first.
    • aia_ocsp_servers
      Type: UNORDERED_LIST_STRING
      Provider name: aiaOcspServers
      Description: Optional. Describes Online Certificate Status Protocol (OCSP) endpoint addresses that appear in the “Authority Information Access” extension in the certificate.
    • ca_options
      Type: STRUCT
      Provider name: caOptions
      Description: Optional. Describes options in this X509Parameters that are relevant in a CA certificate. If not specified, a default basic constraints extension with is_ca=false will be added for leaf certificates.
      • is_ca
        Type: BOOLEAN
        Provider name: isCa
        Description: Optional. Refers to the “CA” boolean field in the X.509 extension. When this value is missing, the basic constraints extension will be omitted from the certificate.
      • max_issuer_path_length
        Type: INT32
        Provider name: maxIssuerPathLength
        Description: Optional. Refers to the path length constraint field in the X.509 extension. For a CA certificate, this value describes the depth of subordinate CA certificates that are allowed. If this value is less than 0, the request will fail. If this value is missing, the max path length will be omitted from the certificate.
    • key_usage
      Type: STRUCT
      Provider name: keyUsage
      Description: Optional. Indicates the intended use for keys that correspond to a certificate.
      • base_key_usage
        Type: STRUCT
        Provider name: baseKeyUsage
        Description: Describes high-level ways in which a key may be used.
        • cert_sign
          Type: BOOLEAN
          Provider name: certSign
          Description: The key may be used to sign certificates.
        • content_commitment
          Type: BOOLEAN
          Provider name: contentCommitment
          Description: The key may be used for cryptographic commitments. Note that this may also be referred to as “non-repudiation”.
        • crl_sign
          Type: BOOLEAN
          Provider name: crlSign
          Description: The key may be used to sign certificate revocation lists.
        • data_encipherment
          Type: BOOLEAN
          Provider name: dataEncipherment
          Description: The key may be used to encipher data.
        • decipher_only
          Type: BOOLEAN
          Provider name: decipherOnly
          Description: The key may be used to decipher only.
        • digital_signature
          Type: BOOLEAN
          Provider name: digitalSignature
          Description: The key may be used for digital signatures.
        • encipher_only
          Type: BOOLEAN
          Provider name: encipherOnly
          Description: The key may be used to encipher only.
        • key_agreement
          Type: BOOLEAN
          Provider name: keyAgreement
          Description: The key may be used in a key agreement protocol.
        • key_encipherment
          Type: BOOLEAN
          Provider name: keyEncipherment
          Description: The key may be used to encipher other keys.
      • extended_key_usage
        Type: STRUCT
        Provider name: extendedKeyUsage
        Description: Detailed scenarios in which a key may be used.
        • client_auth
          Type: BOOLEAN
          Provider name: clientAuth
          Description: Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as “TLS WWW client authentication”, though regularly used for non-WWW TLS.
        • code_signing
          Type: BOOLEAN
          Provider name: codeSigning
          Description: Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as “Signing of downloadable executable code client authentication”.
        • email_protection
          Type: BOOLEAN
          Provider name: emailProtection
          Description: Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as “Email protection”.
        • ocsp_signing
          Type: BOOLEAN
          Provider name: ocspSigning
          Description: Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as “Signing OCSP responses”.
        • server_auth
          Type: BOOLEAN
          Provider name: serverAuth
          Description: Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as “TLS WWW server authentication”, though regularly used for non-WWW TLS.
        • time_stamping
          Type: BOOLEAN
          Provider name: timeStamping
          Description: Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as “Binding the hash of an object to a time”.
      • unknown_extended_key_usages
        Type: UNORDERED_LIST_STRUCT
        Provider name: unknownExtendedKeyUsages
        Description: Used to describe extended key usages that are not listed in the KeyUsage.ExtendedKeyUsageOptions message.
        • object_id_path
          Type: UNORDERED_LIST_INT32
          Provider name: objectIdPath
          Description: Required. The parts of an OID path. The most significant parts of the path come first.
    • name_constraints
      Type: STRUCT
      Provider name: nameConstraints
      Description: Optional. Describes the X.509 name constraints extension.
      • critical
        Type: BOOLEAN
        Provider name: critical
        Description: Indicates whether or not the name constraints are marked critical.
      • excluded_dns_names
        Type: UNORDERED_LIST_STRING
        Provider name: excludedDnsNames
        Description: Contains excluded DNS names. Any DNS name that can be constructed by simply adding zero or more labels to the left-hand side of the name satisfies the name constraint. For example, example.com, www.example.com, www.sub.example.com would satisfy example.com while example1.com does not.
      • excluded_email_addresses
        Type: UNORDERED_LIST_STRING
        Provider name: excludedEmailAddresses
        Description: Contains the excluded email addresses. The value can be a particular email address, a hostname to indicate all email addresses on that host or a domain with a leading period (e.g. .example.com) to indicate all email addresses in that domain.
      • excluded_ip_ranges
        Type: UNORDERED_LIST_STRING
        Provider name: excludedIpRanges
        Description: Contains the excluded IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.
      • excluded_uris
        Type: UNORDERED_LIST_STRING
        Provider name: excludedUris
        Description: Contains the excluded URIs that apply to the host part of the name. The value can be a hostname or a domain with a leading period (like .example.com).
      • permitted_dns_names
        Type: UNORDERED_LIST_STRING
        Provider name: permittedDnsNames
        Description: Contains permitted DNS names. Any DNS name that can be constructed by simply adding zero or more labels to the left-hand side of the name satisfies the name constraint. For example, example.com, www.example.com, www.sub.example.com would satisfy example.com while example1.com does not.
      • permitted_email_addresses
        Type: UNORDERED_LIST_STRING
        Provider name: permittedEmailAddresses
        Description: Contains the permitted email addresses. The value can be a particular email address, a hostname to indicate all email addresses on that host or a domain with a leading period (e.g. .example.com) to indicate all email addresses in that domain.
      • permitted_ip_ranges
        Type: UNORDERED_LIST_STRING
        Provider name: permittedIpRanges
        Description: Contains the permitted IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.
      • permitted_uris
        Type: UNORDERED_LIST_STRING
        Provider name: permittedUris
        Description: Contains the permitted URIs that apply to the host part of the name. The value can be a hostname or a domain with a leading period (like .example.com).
    • policy_ids
      Type: UNORDERED_LIST_STRUCT
      Provider name: policyIds
      Description: Optional. Describes the X.509 certificate policy object identifiers, per https://tools.ietf.org/html/rfc5280#section-4.2.1.4.
      • object_id_path
        Type: UNORDERED_LIST_INT32
        Provider name: objectIdPath
        Description: Required. The parts of an OID path. The most significant parts of the path come first.
  • identity_constraints
    Type: STRUCT
    Provider name: identityConstraints
    Description: Optional. Describes constraints on identities that may appear in Certificates issued through this CaPool. If this is omitted, then this CaPool will not add restrictions on a certificate’s identity.
    • allow_subject_alt_names_passthrough
      Type: BOOLEAN
      Provider name: allowSubjectAltNamesPassthrough
      Description: Required. If this is true, the SubjectAltNames extension may be copied from a certificate request into the signed certificate. Otherwise, the requested SubjectAltNames will be discarded.
    • allow_subject_passthrough
      Type: BOOLEAN
      Provider name: allowSubjectPassthrough
      Description: Required. If this is true, the Subject field may be copied from a certificate request into the signed certificate. Otherwise, the requested Subject will be discarded.
    • cel_expression
      Type: STRUCT
      Provider name: celExpression
      Description: Optional. A CEL expression that may be used to validate the resolved X.509 Subject and/or Subject Alternative Name before a certificate is signed. To see the full allowed syntax and some examples, see https://cloud.google.com/certificate-authority-service/docs/using-cel
      • description
        Type: STRING
        Provider name: description
        Description: Optional. Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
      • expression
        Type: STRING
        Provider name: expression
        Description: Textual representation of an expression in Common Expression Language syntax.
      • location
        Type: STRING
        Provider name: location
        Description: Optional. String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.
      • title
        Type: STRING
        Provider name: title
        Description: Optional. Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression.
  • maximum_lifetime
    Type: STRING
    Provider name: maximumLifetime
    Description: Optional. The maximum lifetime allowed for issued Certificates. Note that if the issuing CertificateAuthority expires before a Certificate resource’s requested maximum_lifetime, the effective lifetime will be explicitly truncated to match it.
  • passthrough_extensions
    Type: STRUCT
    Provider name: passthroughExtensions
    Description: Optional. Describes the set of X.509 extensions that may appear in a Certificate issued through this CaPool. If a certificate request sets extensions that don’t appear in the passthrough_extensions, those extensions will be dropped. If a certificate request uses a CertificateTemplate with predefined_values that don’t appear here, the certificate issuance request will fail. If this is omitted, then this CaPool will not add restrictions on a certificate’s X.509 extensions. These constraints do not apply to X.509 extensions set in this CaPool’s baseline_values.
    • additional_extensions
      Type: UNORDERED_LIST_STRUCT
      Provider name: additionalExtensions
      Description: Optional. A set of ObjectIds identifying custom X.509 extensions. Will be combined with known_extensions to determine the full set of X.509 extensions.
      • object_id_path
        Type: UNORDERED_LIST_INT32
        Provider name: objectIdPath
        Description: Required. The parts of an OID path. The most significant parts of the path come first.
    • known_extensions
      Type: UNORDERED_LIST_STRING
      Provider name: knownExtensions
      Description: Optional. A set of named X.509 extensions. Will be combined with additional_extensions to determine the full set of X.509 extensions.

labels

Type: UNORDERED_LIST_STRING

name

Type: STRING
Provider name: name
Description: Identifier. The resource name for this CaPool in the format projects/*/locations/*/caPools/*.

organization_id

Type: STRING

parent

Type: STRING

project_id

Type: STRING

project_number

Type: STRING

publishing_options

Type: STRUCT
Provider name: publishingOptions
Description: Optional. The PublishingOptions to follow when issuing Certificates from any CertificateAuthority in this CaPool.

  • encoding_format
    Type: STRING
    Provider name: encodingFormat
    Description: Optional. Specifies the encoding format of each CertificateAuthority resource’s CA certificate and CRLs. If this is omitted, CA certificates and CRLs will be published in PEM.
    Possible values:
    • ENCODING_FORMAT_UNSPECIFIED - Not specified. By default, PEM format will be used.
    • PEM - The CertificateAuthority’s CA certificate and CRLs will be published in PEM format.
    • DER - The CertificateAuthority’s CA certificate and CRLs will be published in DER format.
  • publish_ca_cert
    Type: BOOLEAN
    Provider name: publishCaCert
    Description: Optional. When true, publishes each CertificateAuthority’s CA certificate and includes its URL in the “Authority Information Access” X.509 extension in all issued Certificates. If this is false, the CA certificate will not be published and the corresponding X.509 extension will not be written in issued certificates.
  • publish_crl
    Type: BOOLEAN
    Provider name: publishCrl
    Description: Optional. When true, publishes each CertificateAuthority’s CRL and includes its URL in the “CRL Distribution Points” X.509 extension in all issued Certificates. If this is false, CRLs will not be published and the corresponding X.509 extension will not be written in issued certificates. CRLs will expire 7 days from their creation. However, we will rebuild daily. CRLs are also rebuilt shortly after a certificate is revoked.

resource_name

Type: STRING

tags

Type: UNORDERED_LIST_STRING

tier

Type: STRING
Provider name: tier
Description: Required. Immutable. The Tier of this CaPool.
Possible values:

  • TIER_UNSPECIFIED - Not specified.
  • ENTERPRISE - Enterprise tier.
  • DEVOPS - DevOps tier.