This product is not supported for your selected
Datadog site. (
).
gcp_privateca_certificate
ancestors
Type: UNORDERED_LIST_STRING
certificate_description
Type: STRUCT
Provider name: certificateDescription
Description: Output only. A structured description of the issued X.509 certificate.
aia_issuing_certificate_urls
Type: UNORDERED_LIST_STRING
Provider name: aiaIssuingCertificateUrls
Description: Describes lists of issuer CA certificate URLs that appear in the “Authority Information Access” extension in the certificate.
authority_key_id
Type: STRUCT
Provider name: authorityKeyId
Description: Identifies the subject_key_id of the parent certificate, per https://tools.ietf.org/html/rfc5280#section-4.2.1.1
key_id
Type: STRING
Provider name: keyId
Description: Optional. The value of this KeyId encoded in lowercase hexadecimal. This is most likely the 160 bit SHA-1 hash of the public key.
cert_fingerprint
Type: STRUCT
Provider name: certFingerprint
Description: The hash of the x.509 certificate.
sha256_hash
Type: STRING
Provider name: sha256Hash
Description: The SHA 256 hash, encoded in hexadecimal, of the DER x509 certificate.
crl_distribution_points
Type: UNORDERED_LIST_STRING
Provider name: crlDistributionPoints
Description: Describes a list of locations to obtain CRL information, i.e. the DistributionPoint.fullName described by https://tools.ietf.org/html/rfc5280#section-4.2.1.13
public_key
Type: STRUCT
Provider name: publicKey
Description: The public key that corresponds to an issued certificate.
format
Type: STRING
Provider name: format
Description: Required. The format of the public key.
Possible values:
KEY_FORMAT_UNSPECIFIED - Default unspecified value.
PEM - The key is PEM-encoded as defined in RFC 7468. It can be any of the following: a PEM-encoded PKCS#1/RFC 3447 RSAPublicKey structure, an RFC 5280 SubjectPublicKeyInfo or a PEM-encoded X.509 certificate signing request (CSR). If a SubjectPublicKeyInfo is specified, it can contain a A PEM-encoded PKCS#1/RFC 3447 RSAPublicKey or a NIST P-256/secp256r1/prime256v1 or P-384 key. If a CSR is specified, it will used solely for the purpose of extracting the public key. When generated by the service, it will always be an RFC 5280 SubjectPublicKeyInfo structure containing an algorithm identifier and a key.
subject_description
Type: STRUCT
Provider name: subjectDescription
Description: Describes some of the values in a certificate that are related to the subject and lifetime.
hex_serial_number
Type: STRING
Provider name: hexSerialNumber
Description: The serial number encoded in lowercase hexadecimal.
lifetime
Type: STRING
Provider name: lifetime
Description: For convenience, the actual lifetime of an issued certificate.
not_after_time
Type: TIMESTAMP
Provider name: notAfterTime
Description: The time after which the certificate is expired. Per RFC 5280, the validity period for a certificate is the period of time from not_before_time through not_after_time, inclusive. Corresponds to ’not_before_time’ + ’lifetime’ - 1 second.
not_before_time
Type: TIMESTAMP
Provider name: notBeforeTime
Description: The time at which the certificate becomes valid.
subject
Type: STRUCT
Provider name: subject
Description: Contains distinguished name fields such as the common name, location and / organization.
common_name
Type: STRING
Provider name: commonName
Description: The “common name” of the subject.
country_code
Type: STRING
Provider name: countryCode
Description: The country code of the subject.
locality
Type: STRING
Provider name: locality
Description: The locality or city of the subject.
organization
Type: STRING
Provider name: organization
Description: The organization of the subject.
organizational_unit
Type: STRING
Provider name: organizationalUnit
Description: The organizational_unit of the subject.
postal_code
Type: STRING
Provider name: postalCode
Description: The postal code of the subject.
province
Type: STRING
Provider name: province
Description: The province, territory, or regional state of the subject.
street_address
Type: STRING
Provider name: streetAddress
Description: The street address of the subject.
subject_alt_name
Type: STRUCT
Provider name: subjectAltName
Description: The subject alternative name fields.
custom_sans
Type: UNORDERED_LIST_STRUCT
Provider name: customSans
Description: Contains additional subject alternative name values. For each custom_san, the value field must contain an ASN.1 encoded UTF8String.
critical
Type: BOOLEAN
Provider name: critical
Description: Optional. Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error).
object_id
Type: STRUCT
Provider name: objectId
Description: Required. The OID for this X.509 extension.
object_id_path
Type: UNORDERED_LIST_INT32
Provider name: objectIdPath
Description: Required. The parts of an OID path. The most significant parts of the path come first.
dns_names
Type: UNORDERED_LIST_STRING
Provider name: dnsNames
Description: Contains only valid, fully-qualified host names.
email_addresses
Type: UNORDERED_LIST_STRING
Provider name: emailAddresses
Description: Contains only valid RFC 2822 E-mail addresses.
ip_addresses
Type: UNORDERED_LIST_STRING
Provider name: ipAddresses
Description: Contains only valid 32-bit IPv4 addresses or RFC 4291 IPv6 addresses.
uris
Type: UNORDERED_LIST_STRING
Provider name: uris
Description: Contains only valid RFC 3986 URIs.
subject_key_id
Type: STRUCT
Provider name: subjectKeyId
Description: Provides a means of identifiying certificates that contain a particular public key, per https://tools.ietf.org/html/rfc5280#section-4.2.1.2.
key_id
Type: STRING
Provider name: keyId
Description: Optional. The value of this KeyId encoded in lowercase hexadecimal. This is most likely the 160 bit SHA-1 hash of the public key.
tbs_certificate_digest
Type: STRING
Provider name: tbsCertificateDigest
Description: The hash of the pre-signed certificate, which will be signed by the CA. Corresponds to the TBS Certificate in https://tools.ietf.org/html/rfc5280#section-4.1.2. The field will always be populated.
x509_description
Type: STRUCT
Provider name: x509Description
Description: Describes some of the technical X.509 fields in a certificate.
additional_extensions
Type: UNORDERED_LIST_STRUCT
Provider name: additionalExtensions
Description: Optional. Describes custom X.509 extensions.
critical
Type: BOOLEAN
Provider name: critical
Description: Optional. Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error).
object_id
Type: STRUCT
Provider name: objectId
Description: Required. The OID for this X.509 extension.
object_id_path
Type: UNORDERED_LIST_INT32
Provider name: objectIdPath
Description: Required. The parts of an OID path. The most significant parts of the path come first.
aia_ocsp_servers
Type: UNORDERED_LIST_STRING
Provider name: aiaOcspServers
Description: Optional. Describes Online Certificate Status Protocol (OCSP) endpoint addresses that appear in the “Authority Information Access” extension in the certificate.
ca_options
Type: STRUCT
Provider name: caOptions
Description: Optional. Describes options in this X509Parameters that are relevant in a CA certificate. If not specified, a default basic constraints extension with is_ca=false will be added for leaf certificates.
is_ca
Type: BOOLEAN
Provider name: isCa
Description: Optional. Refers to the “CA” boolean field in the X.509 extension. When this value is missing, the basic constraints extension will be omitted from the certificate.
max_issuer_path_length
Type: INT32
Provider name: maxIssuerPathLength
Description: Optional. Refers to the path length constraint field in the X.509 extension. For a CA certificate, this value describes the depth of subordinate CA certificates that are allowed. If this value is less than 0, the request will fail. If this value is missing, the max path length will be omitted from the certificate.
key_usage
Type: STRUCT
Provider name: keyUsage
Description: Optional. Indicates the intended use for keys that correspond to a certificate.
base_key_usage
Type: STRUCT
Provider name: baseKeyUsage
Description: Describes high-level ways in which a key may be used.
cert_sign
Type: BOOLEAN
Provider name: certSign
Description: The key may be used to sign certificates.
content_commitment
Type: BOOLEAN
Provider name: contentCommitment
Description: The key may be used for cryptographic commitments. Note that this may also be referred to as “non-repudiation”.
crl_sign
Type: BOOLEAN
Provider name: crlSign
Description: The key may be used sign certificate revocation lists.
data_encipherment
Type: BOOLEAN
Provider name: dataEncipherment
Description: The key may be used to encipher data.
decipher_only
Type: BOOLEAN
Provider name: decipherOnly
Description: The key may be used to decipher only.
digital_signature
Type: BOOLEAN
Provider name: digitalSignature
Description: The key may be used for digital signatures.
encipher_only
Type: BOOLEAN
Provider name: encipherOnly
Description: The key may be used to encipher only.
key_agreement
Type: BOOLEAN
Provider name: keyAgreement
Description: The key may be used in a key agreement protocol.
key_encipherment
Type: BOOLEAN
Provider name: keyEncipherment
Description: The key may be used to encipher other keys.
extended_key_usage
Type: STRUCT
Provider name: extendedKeyUsage
Description: Detailed scenarios in which a key may be used.
client_auth
Type: BOOLEAN
Provider name: clientAuth
Description: Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as “TLS WWW client authentication”, though regularly used for non-WWW TLS.
code_signing
Type: BOOLEAN
Provider name: codeSigning
Description: Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as “Signing of downloadable executable code client authentication”.
email_protection
Type: BOOLEAN
Provider name: emailProtection
Description: Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as “Email protection”.
ocsp_signing
Type: BOOLEAN
Provider name: ocspSigning
Description: Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as “Signing OCSP responses”.
server_auth
Type: BOOLEAN
Provider name: serverAuth
Description: Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as “TLS WWW server authentication”, though regularly used for non-WWW TLS.
time_stamping
Type: BOOLEAN
Provider name: timeStamping
Description: Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as “Binding the hash of an object to a time”.
unknown_extended_key_usages
Type: UNORDERED_LIST_STRUCT
Provider name: unknownExtendedKeyUsages
Description: Used to describe extended key usages that are not listed in the KeyUsage.ExtendedKeyUsageOptions message.
object_id_path
Type: UNORDERED_LIST_INT32
Provider name: objectIdPath
Description: Required. The parts of an OID path. The most significant parts of the path come first.
name_constraints
Type: STRUCT
Provider name: nameConstraints
Description: Optional. Describes the X.509 name constraints extension.
critical
Type: BOOLEAN
Provider name: critical
Description: Indicates whether or not the name constraints are marked critical.
excluded_dns_names
Type: UNORDERED_LIST_STRING
Provider name: excludedDnsNames
Description: Contains excluded DNS names. Any DNS name that can be constructed by simply adding zero or more labels to the left-hand side of the name satisfies the name constraint. For example, example.com, www.example.com, www.sub.example.com would satisfy example.com while example1.com does not.
excluded_email_addresses
Type: UNORDERED_LIST_STRING
Provider name: excludedEmailAddresses
Description: Contains the excluded email addresses. The value can be a particular email address, a hostname to indicate all email addresses on that host or a domain with a leading period (e.g. .example.com) to indicate all email addresses in that domain.
excluded_ip_ranges
Type: UNORDERED_LIST_STRING
Provider name: excludedIpRanges
Description: Contains the excluded IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.
excluded_uris
Type: UNORDERED_LIST_STRING
Provider name: excludedUris
Description: Contains the excluded URIs that apply to the host part of the name. The value can be a hostname or a domain with a leading period (like .example.com)
permitted_dns_names
Type: UNORDERED_LIST_STRING
Provider name: permittedDnsNames
Description: Contains permitted DNS names. Any DNS name that can be constructed by simply adding zero or more labels to the left-hand side of the name satisfies the name constraint. For example, example.com, www.example.com, www.sub.example.com would satisfy example.com while example1.com does not.
permitted_email_addresses
Type: UNORDERED_LIST_STRING
Provider name: permittedEmailAddresses
Description: Contains the permitted email addresses. The value can be a particular email address, a hostname to indicate all email addresses on that host or a domain with a leading period (e.g. .example.com) to indicate all email addresses in that domain.
permitted_ip_ranges
Type: UNORDERED_LIST_STRING
Provider name: permittedIpRanges
Description: Contains the permitted IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.
permitted_uris
Type: UNORDERED_LIST_STRING
Provider name: permittedUris
Description: Contains the permitted URIs that apply to the host part of the name. The value can be a hostname or a domain with a leading period (like .example.com)
policy_ids
Type: UNORDERED_LIST_STRUCT
Provider name: policyIds
Description: Optional. Describes the X.509 certificate policy object identifiers, per https://tools.ietf.org/html/rfc5280#section-4.2.1.4.
object_id_path
Type: UNORDERED_LIST_INT32
Provider name: objectIdPath
Description: Required. The parts of an OID path. The most significant parts of the path come first.
certificate_template
Type: STRING
Provider name: certificateTemplate
Description: Immutable. The resource name for a CertificateTemplate used to issue this certificate, in the format projects/*/locations/*/certificateTemplates/*. If this is specified, the caller must have the necessary permission to use this template. If this is omitted, no template will be used. This template must be in the same location as the Certificate.
config
Type: STRUCT
Provider name: config
Description: Immutable. A description of the certificate and key that does not require X.509 or ASN.1.
public_key
Type: STRUCT
Provider name: publicKey
Description: Optional. The public key that corresponds to this config. This is, for example, used when issuing Certificates, but not when creating a self-signed CertificateAuthority or CertificateAuthority CSR.
format
Type: STRING
Provider name: format
Description: Required. The format of the public key.
Possible values:
KEY_FORMAT_UNSPECIFIED - Default unspecified value.
PEM - The key is PEM-encoded as defined in RFC 7468. It can be any of the following: a PEM-encoded PKCS#1/RFC 3447 RSAPublicKey structure, an RFC 5280 SubjectPublicKeyInfo or a PEM-encoded X.509 certificate signing request (CSR). If a SubjectPublicKeyInfo is specified, it can contain a A PEM-encoded PKCS#1/RFC 3447 RSAPublicKey or a NIST P-256/secp256r1/prime256v1 or P-384 key. If a CSR is specified, it will used solely for the purpose of extracting the public key. When generated by the service, it will always be an RFC 5280 SubjectPublicKeyInfo structure containing an algorithm identifier and a key.
subject_config
Type: STRUCT
Provider name: subjectConfig
Description: Required. Specifies some of the values in a certificate that are related to the subject.
subject
Type: STRUCT
Provider name: subject
Description: Optional. Contains distinguished name fields such as the common name, location and organization.
common_name
Type: STRING
Provider name: commonName
Description: The “common name” of the subject.
country_code
Type: STRING
Provider name: countryCode
Description: The country code of the subject.
locality
Type: STRING
Provider name: locality
Description: The locality or city of the subject.
organization
Type: STRING
Provider name: organization
Description: The organization of the subject.
organizational_unit
Type: STRING
Provider name: organizationalUnit
Description: The organizational_unit of the subject.
postal_code
Type: STRING
Provider name: postalCode
Description: The postal code of the subject.
province
Type: STRING
Provider name: province
Description: The province, territory, or regional state of the subject.
street_address
Type: STRING
Provider name: streetAddress
Description: The street address of the subject.
subject_alt_name
Type: STRUCT
Provider name: subjectAltName
Description: Optional. The subject alternative name fields.
custom_sans
Type: UNORDERED_LIST_STRUCT
Provider name: customSans
Description: Contains additional subject alternative name values. For each custom_san, the value field must contain an ASN.1 encoded UTF8String.
critical
Type: BOOLEAN
Provider name: critical
Description: Optional. Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error).
object_id
Type: STRUCT
Provider name: objectId
Description: Required. The OID for this X.509 extension.
object_id_path
Type: UNORDERED_LIST_INT32
Provider name: objectIdPath
Description: Required. The parts of an OID path. The most significant parts of the path come first.
dns_names
Type: UNORDERED_LIST_STRING
Provider name: dnsNames
Description: Contains only valid, fully-qualified host names.
email_addresses
Type: UNORDERED_LIST_STRING
Provider name: emailAddresses
Description: Contains only valid RFC 2822 E-mail addresses.
ip_addresses
Type: UNORDERED_LIST_STRING
Provider name: ipAddresses
Description: Contains only valid 32-bit IPv4 addresses or RFC 4291 IPv6 addresses.
uris
Type: UNORDERED_LIST_STRING
Provider name: uris
Description: Contains only valid RFC 3986 URIs.
subject_key_id
Type: STRUCT
Provider name: subjectKeyId
Description: Optional. When specified this provides a custom SKI to be used in the certificate. This should only be used to maintain a SKI of an existing CA originally created outside CA service, which was not generated using method (1) described in RFC 5280 section 4.2.1.2.
key_id
Type: STRING
Provider name: keyId
Description: Required. The value of this KeyId encoded in lowercase hexadecimal. This is most likely the 160 bit SHA-1 hash of the public key.
x509_config
Type: STRUCT
Provider name: x509Config
Description: Required. Describes how some of the technical X.509 fields in a certificate should be populated.
additional_extensions
Type: UNORDERED_LIST_STRUCT
Provider name: additionalExtensions
Description: Optional. Describes custom X.509 extensions.
critical
Type: BOOLEAN
Provider name: critical
Description: Optional. Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error).
object_id
Type: STRUCT
Provider name: objectId
Description: Required. The OID for this X.509 extension.
object_id_path
Type: UNORDERED_LIST_INT32
Provider name: objectIdPath
Description: Required. The parts of an OID path. The most significant parts of the path come first.
aia_ocsp_servers
Type: UNORDERED_LIST_STRING
Provider name: aiaOcspServers
Description: Optional. Describes Online Certificate Status Protocol (OCSP) endpoint addresses that appear in the “Authority Information Access” extension in the certificate.
ca_options
Type: STRUCT
Provider name: caOptions
Description: Optional. Describes options in this X509Parameters that are relevant in a CA certificate. If not specified, a default basic constraints extension with is_ca=false will be added for leaf certificates.
is_ca
Type: BOOLEAN
Provider name: isCa
Description: Optional. Refers to the “CA” boolean field in the X.509 extension. When this value is missing, the basic constraints extension will be omitted from the certificate.
max_issuer_path_length
Type: INT32
Provider name: maxIssuerPathLength
Description: Optional. Refers to the path length constraint field in the X.509 extension. For a CA certificate, this value describes the depth of subordinate CA certificates that are allowed. If this value is less than 0, the request will fail. If this value is missing, the max path length will be omitted from the certificate.
key_usage
Type: STRUCT
Provider name: keyUsage
Description: Optional. Indicates the intended use for keys that correspond to a certificate.
base_key_usage
Type: STRUCT
Provider name: baseKeyUsage
Description: Describes high-level ways in which a key may be used.
cert_sign
Type: BOOLEAN
Provider name: certSign
Description: The key may be used to sign certificates.
content_commitment
Type: BOOLEAN
Provider name: contentCommitment
Description: The key may be used for cryptographic commitments. Note that this may also be referred to as “non-repudiation”.
crl_sign
Type: BOOLEAN
Provider name: crlSign
Description: The key may be used sign certificate revocation lists.
data_encipherment
Type: BOOLEAN
Provider name: dataEncipherment
Description: The key may be used to encipher data.
decipher_only
Type: BOOLEAN
Provider name: decipherOnly
Description: The key may be used to decipher only.
digital_signature
Type: BOOLEAN
Provider name: digitalSignature
Description: The key may be used for digital signatures.
encipher_only
Type: BOOLEAN
Provider name: encipherOnly
Description: The key may be used to encipher only.
key_agreement
Type: BOOLEAN
Provider name: keyAgreement
Description: The key may be used in a key agreement protocol.
key_encipherment
Type: BOOLEAN
Provider name: keyEncipherment
Description: The key may be used to encipher other keys.
extended_key_usage
Type: STRUCT
Provider name: extendedKeyUsage
Description: Detailed scenarios in which a key may be used.
client_auth
Type: BOOLEAN
Provider name: clientAuth
Description: Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as “TLS WWW client authentication”, though regularly used for non-WWW TLS.
code_signing
Type: BOOLEAN
Provider name: codeSigning
Description: Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as “Signing of downloadable executable code client authentication”.
email_protection
Type: BOOLEAN
Provider name: emailProtection
Description: Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as “Email protection”.
ocsp_signing
Type: BOOLEAN
Provider name: ocspSigning
Description: Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as “Signing OCSP responses”.
server_auth
Type: BOOLEAN
Provider name: serverAuth
Description: Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as “TLS WWW server authentication”, though regularly used for non-WWW TLS.
time_stamping
Type: BOOLEAN
Provider name: timeStamping
Description: Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as “Binding the hash of an object to a time”.
unknown_extended_key_usages
Type: UNORDERED_LIST_STRUCT
Provider name: unknownExtendedKeyUsages
Description: Used to describe extended key usages that are not listed in the KeyUsage.ExtendedKeyUsageOptions message.
object_id_path
Type: UNORDERED_LIST_INT32
Provider name: objectIdPath
Description: Required. The parts of an OID path. The most significant parts of the path come first.
name_constraints
Type: STRUCT
Provider name: nameConstraints
Description: Optional. Describes the X.509 name constraints extension.
critical
Type: BOOLEAN
Provider name: critical
Description: Indicates whether or not the name constraints are marked critical.
excluded_dns_names
Type: UNORDERED_LIST_STRING
Provider name: excludedDnsNames
Description: Contains excluded DNS names. Any DNS name that can be constructed by simply adding zero or more labels to the left-hand side of the name satisfies the name constraint. For example, example.com, www.example.com, www.sub.example.com would satisfy example.com while example1.com does not.
excluded_email_addresses
Type: UNORDERED_LIST_STRING
Provider name: excludedEmailAddresses
Description: Contains the excluded email addresses. The value can be a particular email address, a hostname to indicate all email addresses on that host or a domain with a leading period (e.g. .example.com) to indicate all email addresses in that domain.
excluded_ip_ranges
Type: UNORDERED_LIST_STRING
Provider name: excludedIpRanges
Description: Contains the excluded IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.
excluded_uris
Type: UNORDERED_LIST_STRING
Provider name: excludedUris
Description: Contains the excluded URIs that apply to the host part of the name. The value can be a hostname or a domain with a leading period (like .example.com)
permitted_dns_names
Type: UNORDERED_LIST_STRING
Provider name: permittedDnsNames
Description: Contains permitted DNS names. Any DNS name that can be constructed by simply adding zero or more labels to the left-hand side of the name satisfies the name constraint. For example, example.com, www.example.com, www.sub.example.com would satisfy example.com while example1.com does not.
permitted_email_addresses
Type: UNORDERED_LIST_STRING
Provider name: permittedEmailAddresses
Description: Contains the permitted email addresses. The value can be a particular email address, a hostname to indicate all email addresses on that host or a domain with a leading period (e.g. .example.com) to indicate all email addresses in that domain.
permitted_ip_ranges
Type: UNORDERED_LIST_STRING
Provider name: permittedIpRanges
Description: Contains the permitted IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.
permitted_uris
Type: UNORDERED_LIST_STRING
Provider name: permittedUris
Description: Contains the permitted URIs that apply to the host part of the name. The value can be a hostname or a domain with a leading period (like .example.com)
policy_ids
Type: UNORDERED_LIST_STRUCT
Provider name: policyIds
Description: Optional. Describes the X.509 certificate policy object identifiers, per https://tools.ietf.org/html/rfc5280#section-4.2.1.4.
object_id_path
Type: UNORDERED_LIST_INT32
Provider name: objectIdPath
Description: Required. The parts of an OID path. The most significant parts of the path come first.
create_time
Type: TIMESTAMP
Provider name: createTime
Description: Output only. The time at which this Certificate was created.
issuer_certificate_authority
Type: STRING
Provider name: issuerCertificateAuthority
Description: Output only. The resource name of the issuing CertificateAuthority in the format projects/*/locations/*/caPools/*/certificateAuthorities/*.
labels
Type: UNORDERED_LIST_STRING
lifetime
Type: STRING
Provider name: lifetime
Description: Required. Immutable. The desired lifetime of a certificate. Used to create the “not_before_time” and “not_after_time” fields inside an X.509 certificate. Note that the lifetime may be truncated if it would extend past the life of any certificate authority in the issuing chain.
name
Type: STRING
Provider name: name
Description: Identifier. The resource name for this Certificate in the format projects/*/locations/*/caPools/*/certificates/*.
organization_id
Type: STRING
parent
Type: STRING
pem_certificate
Type: STRING
Provider name: pemCertificate
Description: Output only. The pem-encoded, signed X.509 certificate.
pem_certificate_chain
Type: UNORDERED_LIST_STRING
Provider name: pemCertificateChain
Description: Output only. The chain that may be used to verify the X.509 certificate. Expected to be in issuer-to-root order according to RFC 5246.
pem_csr
Type: STRING
Provider name: pemCsr
Description: Immutable. A pem-encoded X.509 certificate signing request (CSR).
project_id
Type: STRING
project_number
Type: STRING
resource_name
Type: STRING
revocation_details
Type: STRUCT
Provider name: revocationDetails
Description: Output only. Details regarding the revocation of this Certificate. This Certificate is considered revoked if and only if this field is present.
revocation_state
Type: STRING
Provider name: revocationState
Description: Indicates why a Certificate was revoked.
Possible values:
REVOCATION_REASON_UNSPECIFIED - Default unspecified value. This value does indicate that a Certificate has been revoked, but that a reason has not been recorded.
KEY_COMPROMISE - Key material for this Certificate may have leaked.
CERTIFICATE_AUTHORITY_COMPROMISE - The key material for a certificate authority in the issuing path may have leaked.
AFFILIATION_CHANGED - The subject or other attributes in this Certificate have changed.
SUPERSEDED - This Certificate has been superseded.
CESSATION_OF_OPERATION - This Certificate or entities in the issuing path have ceased to operate.
CERTIFICATE_HOLD - This Certificate should not be considered valid, it is expected that it may become valid in the future.
PRIVILEGE_WITHDRAWN - This Certificate no longer has permission to assert the listed attributes.
ATTRIBUTE_AUTHORITY_COMPROMISE - The authority which determines appropriate attributes for a Certificate may have been compromised.
revocation_time
Type: TIMESTAMP
Provider name: revocationTime
Description: The time at which this Certificate was revoked.
subject_mode
Type: STRING
Provider name: subjectMode
Description: Immutable. Specifies how the Certificate’s identity fields are to be decided. If this is omitted, the DEFAULT subject mode will be used.
Possible values:
SUBJECT_REQUEST_MODE_UNSPECIFIED - Not specified.
DEFAULT - The default mode used in most cases. Indicates that the certificate’s Subject and/or SubjectAltNames are specified in the certificate request. This mode requires the caller to have the privateca.certificates.create permission.
REFLECTED_SPIFFE - A mode reserved for special cases. Indicates that the certificate should have one SPIFFE SubjectAltNames set by the service based on the caller’s identity. This mode will ignore any explicitly specified Subject and/or SubjectAltNames in the certificate request. This mode requires the caller to have the privateca.certificates.createForSelf permission.
Type: UNORDERED_LIST_STRING
update_time
Type: TIMESTAMP
Provider name: updateTime
Description: Output only. The time at which this Certificate was updated.
