---
title: Getting Started with Datadog
description: Datadog, the leading service for cloud-scale monitoring.
---

# gcp_privateca_certificate_template{% #gcp_privateca_certificate_template %}

## `ancestors`{% #ancestors %}

**Type**: `UNORDERED_LIST_STRING`

## `create_time`{% #create_time %}

**Type**: `TIMESTAMP`
**Provider name**: `createTime`
**Description**: Output only. The time at which this CertificateTemplate was created.

## `description`{% #description %}

**Type**: `STRING`
**Provider name**: `description`
**Description**: Optional. A human-readable description of scenarios this template is intended for.

## `identity_constraints`{% #identity_constraints %}

**Type**: `STRUCT`
**Provider name**: `identityConstraints`
**Description**: Optional. Describes constraints on identities that may appear in Certificates issued using this template. If this is omitted, then this template will not add restrictions on a certificate's identity.

- `allow_subject_alt_names_passthrough`
  **Type**: `BOOLEAN`
  **Provider name**: `allowSubjectAltNamesPassthrough`
  **Description**: Required. If this is true, the SubjectAltNames extension may be copied from a certificate request into the signed certificate. Otherwise, the requested SubjectAltNames will be discarded.
- `allow_subject_passthrough`
  **Type**: `BOOLEAN`
  **Provider name**: `allowSubjectPassthrough`
  **Description**: Required. If this is true, the Subject field may be copied from a certificate request into the signed certificate. Otherwise, the requested Subject will be discarded.
- `cel_expression`
  **Type**: `STRUCT`
  **Provider name**: `celExpression`
  **Description**: Optional. A CEL expression that may be used to validate the resolved X.509 Subject and/or Subject Alternative Name before a certificate is signed. To see the full allowed syntax and some examples, see [https://cloud.google.com/certificate-authority-service/docs/using-cel](https://cloud.google.com/certificate-authority-service/docs/using-cel)
  - `description`
    **Type**: `STRING`
    **Provider name**: `description`
    **Description**: Optional. Description of the expression. This is a longer text which describes the expression, e.g. when hovering over it in a UI.
  - `expression`
    **Type**: `STRING`
    **Provider name**: `expression`
    **Description**: Textual representation of an expression in Common Expression Language syntax.
  - `location`
    **Type**: `STRING`
    **Provider name**: `location`
    **Description**: Optional. String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.
  - `title`
    **Type**: `STRING`
    **Provider name**: `title`
    **Description**: Optional. Title for the expression, i.e. a short string describing its purpose. This can be used, e.g., in UIs that allow entering the expression.

## `labels`{% #labels %}

**Type**: `UNORDERED_LIST_STRING`

## `maximum_lifetime`{% #maximum_lifetime %}

**Type**: `STRING`
**Provider name**: `maximumLifetime`
**Description**: Optional. The maximum lifetime allowed for issued Certificates that use this template. If the issuing CaPool resource's IssuancePolicy specifies a maximum_lifetime, the minimum of the two durations will be the maximum lifetime for issued Certificates. Note that if the issuing CertificateAuthority expires before a Certificate's requested maximum_lifetime, the effective lifetime will be explicitly truncated to match it.

## `name`{% #name %}

**Type**: `STRING`
**Provider name**: `name`
**Description**: Identifier. The resource name for this CertificateTemplate in the format `projects/*/locations/*/certificateTemplates/*`.

## `organization_id`{% #organization_id %}

**Type**: `STRING`

## `parent`{% #parent %}

**Type**: `STRING`

## `passthrough_extensions`{% #passthrough_extensions %}

**Type**: `STRUCT`
**Provider name**: `passthroughExtensions`
**Description**: Optional. Describes the set of X.509 extensions that may appear in a Certificate issued using this CertificateTemplate. If a certificate request sets extensions that don't appear in the passthrough_extensions, those extensions will be dropped. If the issuing CaPool's IssuancePolicy defines baseline_values that don't appear here, the certificate issuance request will fail. If this is omitted, then this template will not add restrictions on a certificate's X.509 extensions. These constraints do not apply to X.509 extensions set in this CertificateTemplate's predefined_values.

- `additional_extensions`
  **Type**: `UNORDERED_LIST_STRUCT`
  **Provider name**: `additionalExtensions`
  **Description**: Optional. A set of ObjectIds identifying custom X.509 extensions. Will be combined with known_extensions to determine the full set of X.509 extensions.
  - `object_id_path`
    **Type**: `UNORDERED_LIST_INT32`
    **Provider name**: `objectIdPath`
    **Description**: Required. The parts of an OID path. The most significant parts of the path come first.
- `known_extensions`
  **Type**: `UNORDERED_LIST_STRING`
  **Provider name**: `knownExtensions`
  **Description**: Optional. A set of named X.509 extensions. Will be combined with additional_extensions to determine the full set of X.509 extensions.

## `predefined_values`{% #predefined_values %}

**Type**: `STRUCT`
**Provider name**: `predefinedValues`
**Description**: Optional. A set of X.509 values that will be applied to all issued certificates that use this template. If the certificate request includes conflicting values for the same properties, they will be overwritten by the values defined here. If the issuing CaPool's IssuancePolicy defines conflicting baseline_values for the same properties, the certificate issuance request will fail.

- `additional_extensions`
  **Type**: `UNORDERED_LIST_STRUCT`
  **Provider name**: `additionalExtensions`
  **Description**: Optional. Describes custom X.509 extensions.
  - `critical`
    **Type**: `BOOLEAN`
    **Provider name**: `critical`
    **Description**: Optional. Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error).
  - `object_id`
    **Type**: `STRUCT`
    **Provider name**: `objectId`
    **Description**: Required. The OID for this X.509 extension.
    - `object_id_path`
      **Type**: `UNORDERED_LIST_INT32`
      **Provider name**: `objectIdPath`
      **Description**: Required. The parts of an OID path. The most significant parts of the path come first.
- `aia_ocsp_servers`
  **Type**: `UNORDERED_LIST_STRING`
  **Provider name**: `aiaOcspServers`
  **Description**: Optional. Describes Online Certificate Status Protocol (OCSP) endpoint addresses that appear in the "Authority Information Access" extension in the certificate.
- `ca_options`
  **Type**: `STRUCT`
  **Provider name**: `caOptions`
  **Description**: Optional. Describes options in this X509Parameters that are relevant in a CA certificate. If not specified, a default basic constraints extension with `is_ca=false` will be added for leaf certificates.
  - `is_ca`
    **Type**: `BOOLEAN`
    **Provider name**: `isCa`
    **Description**: Optional. Refers to the "CA" boolean field in the X.509 extension. When this value is missing, the basic constraints extension will be omitted from the certificate.
  - `max_issuer_path_length`
    **Type**: `INT32`
    **Provider name**: `maxIssuerPathLength`
    **Description**: Optional. Refers to the path length constraint field in the X.509 extension. For a CA certificate, this value describes the depth of subordinate CA certificates that are allowed. If this value is less than 0, the request will fail. If this value is missing, the max path length will be omitted from the certificate.
- `key_usage`
  **Type**: `STRUCT`
  **Provider name**: `keyUsage`
  **Description**: Optional. Indicates the intended use for keys that correspond to a certificate.
  - `base_key_usage`
    **Type**: `STRUCT`
    **Provider name**: `baseKeyUsage`
    **Description**: Describes high-level ways in which a key may be used.
    - `cert_sign`
      **Type**: `BOOLEAN`
      **Provider name**: `certSign`
      **Description**: The key may be used to sign certificates.
    - `content_commitment`
      **Type**: `BOOLEAN`
      **Provider name**: `contentCommitment`
      **Description**: The key may be used for cryptographic commitments. Note that this may also be referred to as "non-repudiation".
    - `crl_sign`
      **Type**: `BOOLEAN`
      **Provider name**: `crlSign`
      **Description**: The key may be used to sign certificate revocation lists.
    - `data_encipherment`
      **Type**: `BOOLEAN`
      **Provider name**: `dataEncipherment`
      **Description**: The key may be used to encipher data.
    - `decipher_only`
      **Type**: `BOOLEAN`
      **Provider name**: `decipherOnly`
      **Description**: The key may be used to decipher only.
    - `digital_signature`
      **Type**: `BOOLEAN`
      **Provider name**: `digitalSignature`
      **Description**: The key may be used for digital signatures.
    - `encipher_only`
      **Type**: `BOOLEAN`
      **Provider name**: `encipherOnly`
      **Description**: The key may be used to encipher only.
    - `key_agreement`
      **Type**: `BOOLEAN`
      **Provider name**: `keyAgreement`
      **Description**: The key may be used in a key agreement protocol.
    - `key_encipherment`
      **Type**: `BOOLEAN`
      **Provider name**: `keyEncipherment`
      **Description**: The key may be used to encipher other keys.
  - `extended_key_usage`
    **Type**: `STRUCT`
    **Provider name**: `extendedKeyUsage`
    **Description**: Detailed scenarios in which a key may be used.
    - `client_auth`
      **Type**: `BOOLEAN`
      **Provider name**: `clientAuth`
      **Description**: Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as "TLS WWW client authentication", though regularly used for non-WWW TLS.
    - `code_signing`
      **Type**: `BOOLEAN`
      **Provider name**: `codeSigning`
      **Description**: Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as "Signing of downloadable executable code client authentication".
    - `email_protection`
      **Type**: `BOOLEAN`
      **Provider name**: `emailProtection`
      **Description**: Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as "Email protection".
    - `ocsp_signing`
      **Type**: `BOOLEAN`
      **Provider name**: `ocspSigning`
      **Description**: Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as "Signing OCSP responses".
    - `server_auth`
      **Type**: `BOOLEAN`
      **Provider name**: `serverAuth`
      **Description**: Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as "TLS WWW server authentication", though regularly used for non-WWW TLS.
    - `time_stamping`
      **Type**: `BOOLEAN`
      **Provider name**: `timeStamping`
      **Description**: Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as "Binding the hash of an object to a time".
  - `unknown_extended_key_usages`
    **Type**: `UNORDERED_LIST_STRUCT`
    **Provider name**: `unknownExtendedKeyUsages`
    **Description**: Used to describe extended key usages that are not listed in the KeyUsage.ExtendedKeyUsageOptions message.
    - `object_id_path`
      **Type**: `UNORDERED_LIST_INT32`
      **Provider name**: `objectIdPath`
      **Description**: Required. The parts of an OID path. The most significant parts of the path come first.
- `name_constraints`
  **Type**: `STRUCT`
  **Provider name**: `nameConstraints`
  **Description**: Optional. Describes the X.509 name constraints extension.
  - `critical`
    **Type**: `BOOLEAN`
    **Provider name**: `critical`
    **Description**: Indicates whether or not the name constraints are marked critical.
  - `excluded_dns_names`
    **Type**: `UNORDERED_LIST_STRING`
    **Provider name**: `excludedDnsNames`
    **Description**: Contains excluded DNS names. Any DNS name that can be constructed by simply adding zero or more labels to the left-hand side of the name satisfies the name constraint. For example, `example.com`, `www.example.com`, `www.sub.example.com` would satisfy `example.com` while `example1.com` does not.
  - `excluded_email_addresses`
    **Type**: `UNORDERED_LIST_STRING`
    **Provider name**: `excludedEmailAddresses`
    **Description**: Contains the excluded email addresses. The value can be a particular email address, a hostname to indicate all email addresses on that host or a domain with a leading period (e.g. `.example.com`) to indicate all email addresses in that domain.
  - `excluded_ip_ranges`
    **Type**: `UNORDERED_LIST_STRING`
    **Provider name**: `excludedIpRanges`
    **Description**: Contains the excluded IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.
  - `excluded_uris`
    **Type**: `UNORDERED_LIST_STRING`
    **Provider name**: `excludedUris`
    **Description**: Contains the excluded URIs that apply to the host part of the name. The value can be a hostname or a domain with a leading period (like `.example.com`).
  - `permitted_dns_names`
    **Type**: `UNORDERED_LIST_STRING`
    **Provider name**: `permittedDnsNames`
    **Description**: Contains permitted DNS names. Any DNS name that can be constructed by simply adding zero or more labels to the left-hand side of the name satisfies the name constraint. For example, `example.com`, `www.example.com`, `www.sub.example.com` would satisfy `example.com` while `example1.com` does not.
  - `permitted_email_addresses`
    **Type**: `UNORDERED_LIST_STRING`
    **Provider name**: `permittedEmailAddresses`
    **Description**: Contains the permitted email addresses. The value can be a particular email address, a hostname to indicate all email addresses on that host or a domain with a leading period (e.g. `.example.com`) to indicate all email addresses in that domain.
  - `permitted_ip_ranges`
    **Type**: `UNORDERED_LIST_STRING`
    **Provider name**: `permittedIpRanges`
    **Description**: Contains the permitted IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.
  - `permitted_uris`
    **Type**: `UNORDERED_LIST_STRING`
    **Provider name**: `permittedUris`
    **Description**: Contains the permitted URIs that apply to the host part of the name. The value can be a hostname or a domain with a leading period (like `.example.com`).
- `policy_ids`
  **Type**: `UNORDERED_LIST_STRUCT`
  **Provider name**: `policyIds`
  **Description**: Optional. Describes the X.509 certificate policy object identifiers, per [https://tools.ietf.org/html/rfc5280#section-4.2.1.4](https://tools.ietf.org/html/rfc5280#section-4.2.1.4).
  - `object_id_path`
    **Type**: `UNORDERED_LIST_INT32`
    **Provider name**: `objectIdPath`
    **Description**: Required. The parts of an OID path. The most significant parts of the path come first.

## `project_id`{% #project_id %}

**Type**: `STRING`

## `project_number`{% #project_number %}

**Type**: `STRING`

## `region_id`{% #region_id %}

**Type**: `STRING`

## `resource_name`{% #resource_name %}

**Type**: `STRING`

## `tags`{% #tags %}

**Type**: `UNORDERED_LIST_STRING`

## `update_time`{% #update_time %}

**Type**: `TIMESTAMP`
**Provider name**: `updateTime`
**Description**: Output only. The time at which this CertificateTemplate was updated.

## `zone_id`{% #zone_id %}

**Type**: `STRING`
