gcp_privateca_certificate_authority

access_urls

Type: STRUCT
Provider name: accessUrls
Description: Output only. URLs for accessing content published by this CA, such as the CA certificate and CRLs.

  • ca_certificate_access_url
    Type: STRING
    Provider name: caCertificateAccessUrl
    Description: The URL where this CertificateAuthority’s CA certificate is published. This will only be set for CAs that have been activated.
  • crl_access_urls
    Type: UNORDERED_LIST_STRING
    Provider name: crlAccessUrls
    Description: The URLs where this CertificateAuthority’s CRLs are published. This will only be set for CAs that have been activated.

ancestors

Type: UNORDERED_LIST_STRING

ca_certificate_descriptions

Type: UNORDERED_LIST_STRUCT
Provider name: caCertificateDescriptions
Description: Output only. A structured description of this CertificateAuthority’s CA certificate and its issuers. Ordered as self-to-root.

  • aia_issuing_certificate_urls
    Type: UNORDERED_LIST_STRING
    Provider name: aiaIssuingCertificateUrls
    Description: Describes lists of issuer CA certificate URLs that appear in the “Authority Information Access” extension in the certificate.
  • authority_key_id
    Type: STRUCT
    Provider name: authorityKeyId
    Description: Identifies the subject_key_id of the parent certificate, per https://tools.ietf.org/html/rfc5280#section-4.2.1.1
    • key_id
      Type: STRING
      Provider name: keyId
      Description: Optional. The value of this KeyId encoded in lowercase hexadecimal. This is most likely the 160 bit SHA-1 hash of the public key.
  • cert_fingerprint
    Type: STRUCT
    Provider name: certFingerprint
    Description: The hash of the x.509 certificate.
    • sha256_hash
      Type: STRING
      Provider name: sha256Hash
      Description: The SHA 256 hash, encoded in hexadecimal, of the DER x509 certificate.
  • crl_distribution_points
    Type: UNORDERED_LIST_STRING
    Provider name: crlDistributionPoints
    Description: Describes a list of locations to obtain CRL information, i.e. the DistributionPoint.fullName described by https://tools.ietf.org/html/rfc5280#section-4.2.1.13
  • public_key
    Type: STRUCT
    Provider name: publicKey
    Description: The public key that corresponds to an issued certificate.
    • format
      Type: STRING
      Provider name: format
      Description: Required. The format of the public key.
      Possible values:
      • KEY_FORMAT_UNSPECIFIED - Default unspecified value.
      • PEM - The key is PEM-encoded as defined in RFC 7468. It can be any of the following: a PEM-encoded PKCS#1/RFC 3447 RSAPublicKey structure, an RFC 5280 SubjectPublicKeyInfo or a PEM-encoded X.509 certificate signing request (CSR). If a SubjectPublicKeyInfo is specified, it can contain a A PEM-encoded PKCS#1/RFC 3447 RSAPublicKey or a NIST P-256/secp256r1/prime256v1 or P-384 key. If a CSR is specified, it will used solely for the purpose of extracting the public key. When generated by the service, it will always be an RFC 5280 SubjectPublicKeyInfo structure containing an algorithm identifier and a key.
  • subject_description
    Type: STRUCT
    Provider name: subjectDescription
    Description: Describes some of the values in a certificate that are related to the subject and lifetime.
    • hex_serial_number
      Type: STRING
      Provider name: hexSerialNumber
      Description: The serial number encoded in lowercase hexadecimal.
    • lifetime
      Type: STRING
      Provider name: lifetime
      Description: For convenience, the actual lifetime of an issued certificate.
    • not_after_time
      Type: TIMESTAMP
      Provider name: notAfterTime
      Description: The time after which the certificate is expired. Per RFC 5280, the validity period for a certificate is the period of time from not_before_time through not_after_time, inclusive. Corresponds to ’not_before_time’ + ’lifetime’ - 1 second.
    • not_before_time
      Type: TIMESTAMP
      Provider name: notBeforeTime
      Description: The time at which the certificate becomes valid.
    • subject
      Type: STRUCT
      Provider name: subject
      Description: Contains distinguished name fields such as the common name, location and / organization.
      • common_name
        Type: STRING
        Provider name: commonName
        Description: The “common name” of the subject.
      • country_code
        Type: STRING
        Provider name: countryCode
        Description: The country code of the subject.
      • locality
        Type: STRING
        Provider name: locality
        Description: The locality or city of the subject.
      • organization
        Type: STRING
        Provider name: organization
        Description: The organization of the subject.
      • organizational_unit
        Type: STRING
        Provider name: organizationalUnit
        Description: The organizational_unit of the subject.
      • postal_code
        Type: STRING
        Provider name: postalCode
        Description: The postal code of the subject.
      • province
        Type: STRING
        Provider name: province
        Description: The province, territory, or regional state of the subject.
      • street_address
        Type: STRING
        Provider name: streetAddress
        Description: The street address of the subject.
    • subject_alt_name
      Type: STRUCT
      Provider name: subjectAltName
      Description: The subject alternative name fields.
      • custom_sans
        Type: UNORDERED_LIST_STRUCT
        Provider name: customSans
        Description: Contains additional subject alternative name values. For each custom_san, the value field must contain an ASN.1 encoded UTF8String.
        • critical
          Type: BOOLEAN
          Provider name: critical
          Description: Optional. Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error).
        • object_id
          Type: STRUCT
          Provider name: objectId
          Description: Required. The OID for this X.509 extension.
          • object_id_path
            Type: UNORDERED_LIST_INT32
            Provider name: objectIdPath
            Description: Required. The parts of an OID path. The most significant parts of the path come first.
      • dns_names
        Type: UNORDERED_LIST_STRING
        Provider name: dnsNames
        Description: Contains only valid, fully-qualified host names.
      • email_addresses
        Type: UNORDERED_LIST_STRING
        Provider name: emailAddresses
        Description: Contains only valid RFC 2822 E-mail addresses.
      • ip_addresses
        Type: UNORDERED_LIST_STRING
        Provider name: ipAddresses
        Description: Contains only valid 32-bit IPv4 addresses or RFC 4291 IPv6 addresses.
      • uris
        Type: UNORDERED_LIST_STRING
        Provider name: uris
        Description: Contains only valid RFC 3986 URIs.
  • subject_key_id
    Type: STRUCT
    Provider name: subjectKeyId
    Description: Provides a means of identifiying certificates that contain a particular public key, per https://tools.ietf.org/html/rfc5280#section-4.2.1.2.
    • key_id
      Type: STRING
      Provider name: keyId
      Description: Optional. The value of this KeyId encoded in lowercase hexadecimal. This is most likely the 160 bit SHA-1 hash of the public key.
  • tbs_certificate_digest
    Type: STRING
    Provider name: tbsCertificateDigest
    Description: The hash of the pre-signed certificate, which will be signed by the CA. Corresponds to the TBS Certificate in https://tools.ietf.org/html/rfc5280#section-4.1.2. The field will always be populated.
  • x509_description
    Type: STRUCT
    Provider name: x509Description
    Description: Describes some of the technical X.509 fields in a certificate.
    • additional_extensions
      Type: UNORDERED_LIST_STRUCT
      Provider name: additionalExtensions
      Description: Optional. Describes custom X.509 extensions.
      • critical
        Type: BOOLEAN
        Provider name: critical
        Description: Optional. Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error).
      • object_id
        Type: STRUCT
        Provider name: objectId
        Description: Required. The OID for this X.509 extension.
        • object_id_path
          Type: UNORDERED_LIST_INT32
          Provider name: objectIdPath
          Description: Required. The parts of an OID path. The most significant parts of the path come first.
    • aia_ocsp_servers
      Type: UNORDERED_LIST_STRING
      Provider name: aiaOcspServers
      Description: Optional. Describes Online Certificate Status Protocol (OCSP) endpoint addresses that appear in the “Authority Information Access” extension in the certificate.
    • ca_options
      Type: STRUCT
      Provider name: caOptions
      Description: Optional. Describes options in this X509Parameters that are relevant in a CA certificate. If not specified, a default basic constraints extension with is_ca=false will be added for leaf certificates.
      • is_ca
        Type: BOOLEAN
        Provider name: isCa
        Description: Optional. Refers to the “CA” boolean field in the X.509 extension. When this value is missing, the basic constraints extension will be omitted from the certificate.
      • max_issuer_path_length
        Type: INT32
        Provider name: maxIssuerPathLength
        Description: Optional. Refers to the path length constraint field in the X.509 extension. For a CA certificate, this value describes the depth of subordinate CA certificates that are allowed. If this value is less than 0, the request will fail. If this value is missing, the max path length will be omitted from the certificate.
    • key_usage
      Type: STRUCT
      Provider name: keyUsage
      Description: Optional. Indicates the intended use for keys that correspond to a certificate.
      • base_key_usage
        Type: STRUCT
        Provider name: baseKeyUsage
        Description: Describes high-level ways in which a key may be used.
        • cert_sign
          Type: BOOLEAN
          Provider name: certSign
          Description: The key may be used to sign certificates.
        • content_commitment
          Type: BOOLEAN
          Provider name: contentCommitment
          Description: The key may be used for cryptographic commitments. Note that this may also be referred to as “non-repudiation”.
        • crl_sign
          Type: BOOLEAN
          Provider name: crlSign
          Description: The key may be used sign certificate revocation lists.
        • data_encipherment
          Type: BOOLEAN
          Provider name: dataEncipherment
          Description: The key may be used to encipher data.
        • decipher_only
          Type: BOOLEAN
          Provider name: decipherOnly
          Description: The key may be used to decipher only.
        • digital_signature
          Type: BOOLEAN
          Provider name: digitalSignature
          Description: The key may be used for digital signatures.
        • encipher_only
          Type: BOOLEAN
          Provider name: encipherOnly
          Description: The key may be used to encipher only.
        • key_agreement
          Type: BOOLEAN
          Provider name: keyAgreement
          Description: The key may be used in a key agreement protocol.
        • key_encipherment
          Type: BOOLEAN
          Provider name: keyEncipherment
          Description: The key may be used to encipher other keys.
      • extended_key_usage
        Type: STRUCT
        Provider name: extendedKeyUsage
        Description: Detailed scenarios in which a key may be used.
        • client_auth
          Type: BOOLEAN
          Provider name: clientAuth
          Description: Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as “TLS WWW client authentication”, though regularly used for non-WWW TLS.
        • code_signing
          Type: BOOLEAN
          Provider name: codeSigning
          Description: Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as “Signing of downloadable executable code client authentication”.
        • email_protection
          Type: BOOLEAN
          Provider name: emailProtection
          Description: Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as “Email protection”.
        • ocsp_signing
          Type: BOOLEAN
          Provider name: ocspSigning
          Description: Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as “Signing OCSP responses”.
        • server_auth
          Type: BOOLEAN
          Provider name: serverAuth
          Description: Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as “TLS WWW server authentication”, though regularly used for non-WWW TLS.
        • time_stamping
          Type: BOOLEAN
          Provider name: timeStamping
          Description: Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as “Binding the hash of an object to a time”.
      • unknown_extended_key_usages
        Type: UNORDERED_LIST_STRUCT
        Provider name: unknownExtendedKeyUsages
        Description: Used to describe extended key usages that are not listed in the KeyUsage.ExtendedKeyUsageOptions message.
        • object_id_path
          Type: UNORDERED_LIST_INT32
          Provider name: objectIdPath
          Description: Required. The parts of an OID path. The most significant parts of the path come first.
    • name_constraints
      Type: STRUCT
      Provider name: nameConstraints
      Description: Optional. Describes the X.509 name constraints extension.
      • critical
        Type: BOOLEAN
        Provider name: critical
        Description: Indicates whether or not the name constraints are marked critical.
      • excluded_dns_names
        Type: UNORDERED_LIST_STRING
        Provider name: excludedDnsNames
        Description: Contains excluded DNS names. Any DNS name that can be constructed by simply adding zero or more labels to the left-hand side of the name satisfies the name constraint. For example, example.com, www.example.com, www.sub.example.com would satisfy example.com while example1.com does not.
      • excluded_email_addresses
        Type: UNORDERED_LIST_STRING
        Provider name: excludedEmailAddresses
        Description: Contains the excluded email addresses. The value can be a particular email address, a hostname to indicate all email addresses on that host or a domain with a leading period (e.g. .example.com) to indicate all email addresses in that domain.
      • excluded_ip_ranges
        Type: UNORDERED_LIST_STRING
        Provider name: excludedIpRanges
        Description: Contains the excluded IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.
      • excluded_uris
        Type: UNORDERED_LIST_STRING
        Provider name: excludedUris
        Description: Contains the excluded URIs that apply to the host part of the name. The value can be a hostname or a domain with a leading period (like .example.com)
      • permitted_dns_names
        Type: UNORDERED_LIST_STRING
        Provider name: permittedDnsNames
        Description: Contains permitted DNS names. Any DNS name that can be constructed by simply adding zero or more labels to the left-hand side of the name satisfies the name constraint. For example, example.com, www.example.com, www.sub.example.com would satisfy example.com while example1.com does not.
      • permitted_email_addresses
        Type: UNORDERED_LIST_STRING
        Provider name: permittedEmailAddresses
        Description: Contains the permitted email addresses. The value can be a particular email address, a hostname to indicate all email addresses on that host or a domain with a leading period (e.g. .example.com) to indicate all email addresses in that domain.
      • permitted_ip_ranges
        Type: UNORDERED_LIST_STRING
        Provider name: permittedIpRanges
        Description: Contains the permitted IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.
      • permitted_uris
        Type: UNORDERED_LIST_STRING
        Provider name: permittedUris
        Description: Contains the permitted URIs that apply to the host part of the name. The value can be a hostname or a domain with a leading period (like .example.com)
    • policy_ids
      Type: UNORDERED_LIST_STRUCT
      Provider name: policyIds
      Description: Optional. Describes the X.509 certificate policy object identifiers, per https://tools.ietf.org/html/rfc5280#section-4.2.1.4.
      • object_id_path
        Type: UNORDERED_LIST_INT32
        Provider name: objectIdPath
        Description: Required. The parts of an OID path. The most significant parts of the path come first.

config

Type: STRUCT
Provider name: config
Description: Required. Immutable. The config used to create a self-signed X.509 certificate or CSR.

  • public_key
    Type: STRUCT
    Provider name: publicKey
    Description: Optional. The public key that corresponds to this config. This is, for example, used when issuing Certificates, but not when creating a self-signed CertificateAuthority or CertificateAuthority CSR.
    • format
      Type: STRING
      Provider name: format
      Description: Required. The format of the public key.
      Possible values:
      • KEY_FORMAT_UNSPECIFIED - Default unspecified value.
      • PEM - The key is PEM-encoded as defined in RFC 7468. It can be any of the following: a PEM-encoded PKCS#1/RFC 3447 RSAPublicKey structure, an RFC 5280 SubjectPublicKeyInfo or a PEM-encoded X.509 certificate signing request (CSR). If a SubjectPublicKeyInfo is specified, it can contain a A PEM-encoded PKCS#1/RFC 3447 RSAPublicKey or a NIST P-256/secp256r1/prime256v1 or P-384 key. If a CSR is specified, it will used solely for the purpose of extracting the public key. When generated by the service, it will always be an RFC 5280 SubjectPublicKeyInfo structure containing an algorithm identifier and a key.
  • subject_config
    Type: STRUCT
    Provider name: subjectConfig
    Description: Required. Specifies some of the values in a certificate that are related to the subject.
    • subject
      Type: STRUCT
      Provider name: subject
      Description: Optional. Contains distinguished name fields such as the common name, location and organization.
      • common_name
        Type: STRING
        Provider name: commonName
        Description: The “common name” of the subject.
      • country_code
        Type: STRING
        Provider name: countryCode
        Description: The country code of the subject.
      • locality
        Type: STRING
        Provider name: locality
        Description: The locality or city of the subject.
      • organization
        Type: STRING
        Provider name: organization
        Description: The organization of the subject.
      • organizational_unit
        Type: STRING
        Provider name: organizationalUnit
        Description: The organizational_unit of the subject.
      • postal_code
        Type: STRING
        Provider name: postalCode
        Description: The postal code of the subject.
      • province
        Type: STRING
        Provider name: province
        Description: The province, territory, or regional state of the subject.
      • street_address
        Type: STRING
        Provider name: streetAddress
        Description: The street address of the subject.
    • subject_alt_name
      Type: STRUCT
      Provider name: subjectAltName
      Description: Optional. The subject alternative name fields.
      • custom_sans
        Type: UNORDERED_LIST_STRUCT
        Provider name: customSans
        Description: Contains additional subject alternative name values. For each custom_san, the value field must contain an ASN.1 encoded UTF8String.
        • critical
          Type: BOOLEAN
          Provider name: critical
          Description: Optional. Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error).
        • object_id
          Type: STRUCT
          Provider name: objectId
          Description: Required. The OID for this X.509 extension.
          • object_id_path
            Type: UNORDERED_LIST_INT32
            Provider name: objectIdPath
            Description: Required. The parts of an OID path. The most significant parts of the path come first.
      • dns_names
        Type: UNORDERED_LIST_STRING
        Provider name: dnsNames
        Description: Contains only valid, fully-qualified host names.
      • email_addresses
        Type: UNORDERED_LIST_STRING
        Provider name: emailAddresses
        Description: Contains only valid RFC 2822 E-mail addresses.
      • ip_addresses
        Type: UNORDERED_LIST_STRING
        Provider name: ipAddresses
        Description: Contains only valid 32-bit IPv4 addresses or RFC 4291 IPv6 addresses.
      • uris
        Type: UNORDERED_LIST_STRING
        Provider name: uris
        Description: Contains only valid RFC 3986 URIs.
  • subject_key_id
    Type: STRUCT
    Provider name: subjectKeyId
    Description: Optional. When specified this provides a custom SKI to be used in the certificate. This should only be used to maintain a SKI of an existing CA originally created outside CA service, which was not generated using method (1) described in RFC 5280 section 4.2.1.2.
    • key_id
      Type: STRING
      Provider name: keyId
      Description: Required. The value of this KeyId encoded in lowercase hexadecimal. This is most likely the 160 bit SHA-1 hash of the public key.
  • x509_config
    Type: STRUCT
    Provider name: x509Config
    Description: Required. Describes how some of the technical X.509 fields in a certificate should be populated.
    • additional_extensions
      Type: UNORDERED_LIST_STRUCT
      Provider name: additionalExtensions
      Description: Optional. Describes custom X.509 extensions.
      • critical
        Type: BOOLEAN
        Provider name: critical
        Description: Optional. Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error).
      • object_id
        Type: STRUCT
        Provider name: objectId
        Description: Required. The OID for this X.509 extension.
        • object_id_path
          Type: UNORDERED_LIST_INT32
          Provider name: objectIdPath
          Description: Required. The parts of an OID path. The most significant parts of the path come first.
    • aia_ocsp_servers
      Type: UNORDERED_LIST_STRING
      Provider name: aiaOcspServers
      Description: Optional. Describes Online Certificate Status Protocol (OCSP) endpoint addresses that appear in the “Authority Information Access” extension in the certificate.
    • ca_options
      Type: STRUCT
      Provider name: caOptions
      Description: Optional. Describes options in this X509Parameters that are relevant in a CA certificate. If not specified, a default basic constraints extension with is_ca=false will be added for leaf certificates.
      • is_ca
        Type: BOOLEAN
        Provider name: isCa
        Description: Optional. Refers to the “CA” boolean field in the X.509 extension. When this value is missing, the basic constraints extension will be omitted from the certificate.
      • max_issuer_path_length
        Type: INT32
        Provider name: maxIssuerPathLength
        Description: Optional. Refers to the path length constraint field in the X.509 extension. For a CA certificate, this value describes the depth of subordinate CA certificates that are allowed. If this value is less than 0, the request will fail. If this value is missing, the max path length will be omitted from the certificate.
    • key_usage
      Type: STRUCT
      Provider name: keyUsage
      Description: Optional. Indicates the intended use for keys that correspond to a certificate.
      • base_key_usage
        Type: STRUCT
        Provider name: baseKeyUsage
        Description: Describes high-level ways in which a key may be used.
        • cert_sign
          Type: BOOLEAN
          Provider name: certSign
          Description: The key may be used to sign certificates.
        • content_commitment
          Type: BOOLEAN
          Provider name: contentCommitment
          Description: The key may be used for cryptographic commitments. Note that this may also be referred to as “non-repudiation”.
        • crl_sign
          Type: BOOLEAN
          Provider name: crlSign
          Description: The key may be used sign certificate revocation lists.
        • data_encipherment
          Type: BOOLEAN
          Provider name: dataEncipherment
          Description: The key may be used to encipher data.
        • decipher_only
          Type: BOOLEAN
          Provider name: decipherOnly
          Description: The key may be used to decipher only.
        • digital_signature
          Type: BOOLEAN
          Provider name: digitalSignature
          Description: The key may be used for digital signatures.
        • encipher_only
          Type: BOOLEAN
          Provider name: encipherOnly
          Description: The key may be used to encipher only.
        • key_agreement
          Type: BOOLEAN
          Provider name: keyAgreement
          Description: The key may be used in a key agreement protocol.
        • key_encipherment
          Type: BOOLEAN
          Provider name: keyEncipherment
          Description: The key may be used to encipher other keys.
      • extended_key_usage
        Type: STRUCT
        Provider name: extendedKeyUsage
        Description: Detailed scenarios in which a key may be used.
        • client_auth
          Type: BOOLEAN
          Provider name: clientAuth
          Description: Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as “TLS WWW client authentication”, though regularly used for non-WWW TLS.
        • code_signing
          Type: BOOLEAN
          Provider name: codeSigning
          Description: Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as “Signing of downloadable executable code client authentication”.
        • email_protection
          Type: BOOLEAN
          Provider name: emailProtection
          Description: Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as “Email protection”.
        • ocsp_signing
          Type: BOOLEAN
          Provider name: ocspSigning
          Description: Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as “Signing OCSP responses”.
        • server_auth
          Type: BOOLEAN
          Provider name: serverAuth
          Description: Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as “TLS WWW server authentication”, though regularly used for non-WWW TLS.
        • time_stamping
          Type: BOOLEAN
          Provider name: timeStamping
          Description: Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as “Binding the hash of an object to a time”.
      • unknown_extended_key_usages
        Type: UNORDERED_LIST_STRUCT
        Provider name: unknownExtendedKeyUsages
        Description: Used to describe extended key usages that are not listed in the KeyUsage.ExtendedKeyUsageOptions message.
        • object_id_path
          Type: UNORDERED_LIST_INT32
          Provider name: objectIdPath
          Description: Required. The parts of an OID path. The most significant parts of the path come first.
    • name_constraints
      Type: STRUCT
      Provider name: nameConstraints
      Description: Optional. Describes the X.509 name constraints extension.
      • critical
        Type: BOOLEAN
        Provider name: critical
        Description: Indicates whether or not the name constraints are marked critical.
      • excluded_dns_names
        Type: UNORDERED_LIST_STRING
        Provider name: excludedDnsNames
        Description: Contains excluded DNS names. Any DNS name that can be constructed by simply adding zero or more labels to the left-hand side of the name satisfies the name constraint. For example, example.com, www.example.com, www.sub.example.com would satisfy example.com while example1.com does not.
      • excluded_email_addresses
        Type: UNORDERED_LIST_STRING
        Provider name: excludedEmailAddresses
        Description: Contains the excluded email addresses. The value can be a particular email address, a hostname to indicate all email addresses on that host or a domain with a leading period (e.g. .example.com) to indicate all email addresses in that domain.
      • excluded_ip_ranges
        Type: UNORDERED_LIST_STRING
        Provider name: excludedIpRanges
        Description: Contains the excluded IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.
      • excluded_uris
        Type: UNORDERED_LIST_STRING
        Provider name: excludedUris
        Description: Contains the excluded URIs that apply to the host part of the name. The value can be a hostname or a domain with a leading period (like .example.com)
      • permitted_dns_names
        Type: UNORDERED_LIST_STRING
        Provider name: permittedDnsNames
        Description: Contains permitted DNS names. Any DNS name that can be constructed by simply adding zero or more labels to the left-hand side of the name satisfies the name constraint. For example, example.com, www.example.com, www.sub.example.com would satisfy example.com while example1.com does not.
      • permitted_email_addresses
        Type: UNORDERED_LIST_STRING
        Provider name: permittedEmailAddresses
        Description: Contains the permitted email addresses. The value can be a particular email address, a hostname to indicate all email addresses on that host or a domain with a leading period (e.g. .example.com) to indicate all email addresses in that domain.
      • permitted_ip_ranges
        Type: UNORDERED_LIST_STRING
        Provider name: permittedIpRanges
        Description: Contains the permitted IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.
      • permitted_uris
        Type: UNORDERED_LIST_STRING
        Provider name: permittedUris
        Description: Contains the permitted URIs that apply to the host part of the name. The value can be a hostname or a domain with a leading period (like .example.com)
    • policy_ids
      Type: UNORDERED_LIST_STRUCT
      Provider name: policyIds
      Description: Optional. Describes the X.509 certificate policy object identifiers, per https://tools.ietf.org/html/rfc5280#section-4.2.1.4.
      • object_id_path
        Type: UNORDERED_LIST_INT32
        Provider name: objectIdPath
        Description: Required. The parts of an OID path. The most significant parts of the path come first.

create_time

Type: TIMESTAMP
Provider name: createTime
Description: Output only. The time at which this CertificateAuthority was created.

delete_time

Type: TIMESTAMP
Provider name: deleteTime
Description: Output only. The time at which this CertificateAuthority was soft deleted, if it is in the DELETED state.

expire_time

Type: TIMESTAMP
Provider name: expireTime
Description: Output only. The time at which this CertificateAuthority will be permanently purged, if it is in the DELETED state.

gcs_bucket

Type: STRING
Provider name: gcsBucket
Description: Immutable. The name of a Cloud Storage bucket where this CertificateAuthority will publish content, such as the CA certificate and CRLs. This must be a bucket name, without any prefixes (such as gs://) or suffixes (such as .googleapis.com). For example, to use a bucket named my-bucket, you would simply specify my-bucket. If not specified, a managed bucket will be created.

key_spec

Type: STRUCT
Provider name: keySpec
Description: Required. Immutable. Used when issuing certificates for this CertificateAuthority. If this CertificateAuthority is a self-signed CertificateAuthority, this key is also used to sign the self-signed CA certificate. Otherwise, it is used to sign a CSR.

  • algorithm
    Type: STRING
    Provider name: algorithm
    Description: The algorithm to use for creating a managed Cloud KMS key for a for a simplified experience. All managed keys will be have their ProtectionLevel as HSM.
    Possible values:
    • SIGN_HASH_ALGORITHM_UNSPECIFIED - Not specified.
    • RSA_PSS_2048_SHA256 - maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PSS_2048_SHA256
    • RSA_PSS_3072_SHA256 - maps to CryptoKeyVersionAlgorithm. RSA_SIGN_PSS_3072_SHA256
    • RSA_PSS_4096_SHA256 - maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PSS_4096_SHA256
    • RSA_PKCS1_2048_SHA256 - maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_2048_SHA256
    • RSA_PKCS1_3072_SHA256 - maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_3072_SHA256
    • RSA_PKCS1_4096_SHA256 - maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_4096_SHA256
    • EC_P256_SHA256 - maps to CryptoKeyVersionAlgorithm.EC_SIGN_P256_SHA256
    • EC_P384_SHA384 - maps to CryptoKeyVersionAlgorithm.EC_SIGN_P384_SHA384
  • cloud_kms_key_version
    Type: STRING
    Provider name: cloudKmsKeyVersion
    Description: The resource name for an existing Cloud KMS CryptoKeyVersion in the format projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*. This option enables full flexibility in the key’s capabilities and properties.

labels

Type: UNORDERED_LIST_STRING

lifetime

Type: STRING
Provider name: lifetime
Description: Required. Immutable. The desired lifetime of the CA certificate. Used to create the “not_before_time” and “not_after_time” fields inside an X.509 certificate.

name

Type: STRING
Provider name: name
Description: Identifier. The resource name for this CertificateAuthority in the format projects/*/locations/*/caPools/*/certificateAuthorities/*.

organization_id

Type: STRING

parent

Type: STRING

pem_ca_certificates

Type: UNORDERED_LIST_STRING
Provider name: pemCaCertificates
Description: Output only. This CertificateAuthority’s certificate chain, including the current CertificateAuthority’s certificate. Ordered such that the root issuer is the final element (consistent with RFC 5246). For a self-signed CA, this will only list the current CertificateAuthority’s certificate.

project_id

Type: STRING

project_number

Type: STRING

resource_name

Type: STRING

satisfies_pzi

Type: BOOLEAN
Provider name: satisfiesPzi
Description: Output only. Reserved for future use.

satisfies_pzs

Type: BOOLEAN
Provider name: satisfiesPzs
Description: Output only. Reserved for future use.

state

Type: STRING
Provider name: state
Description: Output only. The State for this CertificateAuthority.
Possible values:

  • STATE_UNSPECIFIED - Not specified.
  • ENABLED - Certificates can be issued from this CA. CRLs will be generated for this CA. The CA will be part of the CaPool’s trust anchor, and will be used to issue certificates from the CaPool.
  • DISABLED - Certificates cannot be issued from this CA. CRLs will still be generated. The CA will be part of the CaPool’s trust anchor, but will not be used to issue certificates from the CaPool.
  • STAGED - Certificates can be issued from this CA. CRLs will be generated for this CA. The CA will be part of the CaPool’s trust anchor, but will not be used to issue certificates from the CaPool.
  • AWAITING_USER_ACTIVATION - Certificates cannot be issued from this CA. CRLs will not be generated. The CA will not be part of the CaPool’s trust anchor, and will not be used to issue certificates from the CaPool.
  • DELETED - Certificates cannot be issued from this CA. CRLs will not be generated. The CA may still be recovered by calling CertificateAuthorityService.UndeleteCertificateAuthority before expire_time. The CA will not be part of the CaPool’s trust anchor, and will not be used to issue certificates from the CaPool.

subordinate_config

Type: STRUCT
Provider name: subordinateConfig
Description: Optional. If this is a subordinate CertificateAuthority, this field will be set with the subordinate configuration, which describes its issuers. This may be updated, but this CertificateAuthority must continue to validate.

  • certificate_authority
    Type: STRING
    Provider name: certificateAuthority
    Description: Required. This can refer to a CertificateAuthority that was used to create a subordinate CertificateAuthority. This field is used for information and usability purposes only. The resource name is in the format projects/*/locations/*/caPools/*/certificateAuthorities/*.
  • pem_issuer_chain
    Type: STRUCT
    Provider name: pemIssuerChain
    Description: Required. Contains the PEM certificate chain for the issuers of this CertificateAuthority, but not pem certificate for this CA itself.
    • pem_certificates
      Type: UNORDERED_LIST_STRING
      Provider name: pemCertificates
      Description: Required. Expected to be in leaf-to-root order according to RFC 5246.

tags

Type: UNORDERED_LIST_STRING

tier

Type: STRING
Provider name: tier
Description: Output only. The CaPool.Tier of the CaPool that includes this CertificateAuthority.
Possible values:

  • TIER_UNSPECIFIED - Not specified.
  • ENTERPRISE - Enterprise tier.
  • DEVOPS - DevOps tier.

type

Type: STRING
Provider name: type
Description: Required. Immutable. The Type of this CertificateAuthority.
Possible values:

  • TYPE_UNSPECIFIED - Not specified.
  • SELF_SIGNED - Self-signed CA.
  • SUBORDINATE - Subordinate CA. Could be issued by a Private CA CertificateAuthority or an unmanaged CA.

update_time

Type: TIMESTAMP
Provider name: updateTime
Description: Output only. The time at which this CertificateAuthority was last updated.

user_defined_access_urls

Type: STRUCT
Provider name: userDefinedAccessUrls
Description: Optional. User-defined URLs for CA certificate and CRLs. The service does not publish content to these URLs. It is up to the user to mirror content to these URLs.

  • aia_issuing_certificate_urls
    Type: UNORDERED_LIST_STRING
    Provider name: aiaIssuingCertificateUrls
    Description: Optional. A list of URLs where the issuer CA certificate may be downloaded, which appears in the “Authority Information Access” extension in the certificate. If specified, the default Cloud Storage URLs will be omitted.
  • crl_access_urls
    Type: UNORDERED_LIST_STRING
    Provider name: crlAccessUrls
    Description: Optional. A list of URLs where to obtain CRL information, i.e. the DistributionPoint.fullName described by https://tools.ietf.org/html/rfc5280#section-4.2.1.13. If specified, the default Cloud Storage URLs will be omitted.