Google Cloud (GCP) Classic

Pulumi Official
Package maintained by Pulumi
v6.32.0 published on Wednesday, Jul 20, 2022 by Pulumi

Authority

Import

CertificateAuthority can be imported using any of these accepted formats:

 $ pulumi import gcp:certificateauthority/authority:Authority default projects/{{project}}/locations/{{location}}/caPools/{{pool}}/certificateAuthorities/{{certificate_authority_id}}
 $ pulumi import gcp:certificateauthority/authority:Authority default {{project}}/{{location}}/{{pool}}/{{certificate_authority_id}}
 $ pulumi import gcp:certificateauthority/authority:Authority default {{location}}/{{pool}}/{{certificate_authority_id}}

Example Usage

Privateca Certificate Authority Basic

using Pulumi;
using Gcp = Pulumi.Gcp;

/// <summary>
/// Pulumi stack that declares a single Private CA certificate authority
/// ("default"). The CA pool "ca-pool" is referenced by name, not created here.
/// </summary>
class MyStack : Stack
{
    public MyStack()
    {
        // Subject DN and SAN that go into the CA certificate.
        var subjectConfig = new Gcp.CertificateAuthority.Inputs.AuthorityConfigSubjectConfigArgs
        {
            Subject = new Gcp.CertificateAuthority.Inputs.AuthorityConfigSubjectConfigSubjectArgs
            {
                Organization = "HashiCorp",
                CommonName = "my-certificate-authority",
            },
            SubjectAltName = new Gcp.CertificateAuthority.Inputs.AuthorityConfigSubjectConfigSubjectAltNameArgs
            {
                DnsNames = { "hashicorp.com" },
            },
        };

        // NOTE(review): this sample switches on almost every key-usage and
        // extended-key-usage bit. A CA key normally needs only CertSign and
        // CrlSign; enable the rest only when this CA's key really performs them.
        var keyUsage = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigKeyUsageArgs
        {
            BaseKeyUsage = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs
            {
                DigitalSignature = true,
                ContentCommitment = true,
                KeyEncipherment = false,
                DataEncipherment = true,
                KeyAgreement = true,
                CertSign = true,
                CrlSign = true,
                DecipherOnly = true,
            },
            ExtendedKeyUsage = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs
            {
                ServerAuth = true,
                ClientAuth = false,
                EmailProtection = true,
                CodeSigning = true,
                TimeStamping = true,
            },
        };

        var x509Config = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigArgs
        {
            CaOptions = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigCaOptionsArgs
            {
                IsCa = true,
                // Path-length constraint: up to 10 CA levels may chain below
                // this one. Lower it to the depth the hierarchy actually needs.
                MaxIssuerPathLength = 10,
            },
            KeyUsage = keyUsage,
        };

        var @default = new Gcp.CertificateAuthority.Authority("default", new Gcp.CertificateAuthority.AuthorityArgs
        {
            Pool = "ca-pool",
            Location = "us-central1",
            CertificateAuthorityId = "my-certificate-authority",
            Config = new Gcp.CertificateAuthority.Inputs.AuthorityConfigArgs
            {
                SubjectConfig = subjectConfig,
                X509Config = x509Config,
            },
            KeySpec = new Gcp.CertificateAuthority.Inputs.AuthorityKeySpecArgs
            {
                Algorithm = "RSA_PKCS1_4096_SHA256",
            },
            // 86400s is 24 hours: a sample value. Pick a CA certificate
            // lifetime that matches your rotation policy.
            Lifetime = "86400s",
            // Keeps the tool from destroying the CA by accident.
            DeletionProtection = true,
        });
    }

}
package main

import (
	"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/certificateauthority"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

// main registers one Private CA certificate authority ("default") with the
// Pulumi engine. The CA pool "ca-pool" is referenced by name and is not
// created by this program.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Subject DN and SAN that go into the CA certificate.
		subjectConfig := &certificateauthority.AuthorityConfigSubjectConfigArgs{
			Subject: &certificateauthority.AuthorityConfigSubjectConfigSubjectArgs{
				Organization: pulumi.String("HashiCorp"),
				CommonName:   pulumi.String("my-certificate-authority"),
			},
			SubjectAltName: &certificateauthority.AuthorityConfigSubjectConfigSubjectAltNameArgs{
				DnsNames: pulumi.StringArray{pulumi.String("hashicorp.com")},
			},
		}

		// NOTE(review): this sample switches on almost every key-usage and
		// extended-key-usage bit. A CA key normally needs only CertSign and
		// CrlSign; enable the rest only when this CA's key really performs them.
		keyUsage := &certificateauthority.AuthorityConfigX509ConfigKeyUsageArgs{
			BaseKeyUsage: &certificateauthority.AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs{
				DigitalSignature:  pulumi.Bool(true),
				ContentCommitment: pulumi.Bool(true),
				KeyEncipherment:   pulumi.Bool(false),
				DataEncipherment:  pulumi.Bool(true),
				KeyAgreement:      pulumi.Bool(true),
				CertSign:          pulumi.Bool(true),
				CrlSign:           pulumi.Bool(true),
				DecipherOnly:      pulumi.Bool(true),
			},
			ExtendedKeyUsage: &certificateauthority.AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs{
				ServerAuth:      pulumi.Bool(true),
				ClientAuth:      pulumi.Bool(false),
				EmailProtection: pulumi.Bool(true),
				CodeSigning:     pulumi.Bool(true),
				TimeStamping:    pulumi.Bool(true),
			},
		}

		// Path-length constraint of 10: up to 10 CA levels may chain below
		// this one. Lower it to the depth the hierarchy actually needs.
		caOptions := &certificateauthority.AuthorityConfigX509ConfigCaOptionsArgs{
			IsCa:                pulumi.Bool(true),
			MaxIssuerPathLength: pulumi.Int(10),
		}

		args := &certificateauthority.AuthorityArgs{
			Pool:                   pulumi.String("ca-pool"),
			Location:               pulumi.String("us-central1"),
			CertificateAuthorityId: pulumi.String("my-certificate-authority"),
			Config: &certificateauthority.AuthorityConfigArgs{
				SubjectConfig: subjectConfig,
				X509Config: &certificateauthority.AuthorityConfigX509ConfigArgs{
					CaOptions: caOptions,
					KeyUsage:  keyUsage,
				},
			},
			KeySpec: &certificateauthority.AuthorityKeySpecArgs{
				Algorithm: pulumi.String("RSA_PKCS1_4096_SHA256"),
			},
			// 86400s is 24 hours: a sample value. Pick a CA certificate
			// lifetime that matches your rotation policy.
			Lifetime: pulumi.String("86400s"),
			// Keeps the tool from destroying the CA by accident.
			DeletionProtection: pulumi.Bool(true),
		}

		// The resource handle is not needed afterwards; only the error matters.
		_, err := certificateauthority.NewAuthority(ctx, "default", args)
		return err
	})
}
package generated_program;

import java.util.*;
import java.io.*;
import java.nio.*;
import com.pulumi.*;

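/**
 * Pulumi program that declares one Private CA certificate authority
 * ("default"). The CA pool "ca-pool" is referenced by name, not created here.
 */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares the stack's resources.
     *
     * @param ctx Pulumi context supplied by {@code Pulumi.run}
     */
    public static void stack(Context ctx) {
        var default_ = new Authority("default", AuthorityArgs.builder()
            .certificateAuthorityId("my-certificate-authority")
            .config(AuthorityConfigArgs.builder()
                .subjectConfig(AuthorityConfigSubjectConfigArgs.builder()
                    .subject(AuthorityConfigSubjectConfigSubjectArgs.builder()
                        .commonName("my-certificate-authority")
                        .organization("HashiCorp")
                        .build())
                    .subjectAltName(AuthorityConfigSubjectConfigSubjectAltNameArgs.builder()
                        .dnsNames("hashicorp.com")
                        .build())
                    .build())
                .x509Config(AuthorityConfigX509ConfigArgs.builder()
                    .caOptions(AuthorityConfigX509ConfigCaOptionsArgs.builder()
                        .isCa(true)
                        // Path-length constraint: up to 10 CA levels may chain
                        // below this one. Lower it to the depth actually needed.
                        .maxIssuerPathLength(10)
                        .build())
                    // NOTE(review): this sample switches on almost every key-usage
                    // and extended-key-usage bit. A CA key normally needs only
                    // certSign and crlSign; enable the rest only when this CA's
                    // key really performs them.
                    .keyUsage(AuthorityConfigX509ConfigKeyUsageArgs.builder()
                        .baseKeyUsage(AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs.builder()
                            .certSign(true)
                            .contentCommitment(true)
                            .crlSign(true)
                            .dataEncipherment(true)
                            .decipherOnly(true)
                            .digitalSignature(true)
                            .keyAgreement(true)
                            .keyEncipherment(false)
                            .build())
                        .extendedKeyUsage(AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs.builder()
                            .clientAuth(false)
                            .codeSigning(true)
                            .emailProtection(true)
                            .serverAuth(true)
                            .timeStamping(true)
                            .build())
                        .build())
                    .build())
                .build())
            // Boolean, like the other flags in this builder chain; keeps the
            // tool from destroying the CA by accident.
            .deletionProtection(true)
            .keySpec(AuthorityKeySpecArgs.builder()
                .algorithm("RSA_PKCS1_4096_SHA256")
                .build())
            // 86400s is 24 hours: a sample value. Pick a CA certificate
            // lifetime that matches your rotation policy.
            .lifetime("86400s")
            .location("us-central1")
            .pool("ca-pool")
            .build());

    }
}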
import pulumi
import pulumi_gcp as gcp

# Subject DN and SAN that go into the CA certificate.
subject_config = gcp.certificateauthority.AuthorityConfigSubjectConfigArgs(
    subject=gcp.certificateauthority.AuthorityConfigSubjectConfigSubjectArgs(
        organization="HashiCorp",
        common_name="my-certificate-authority",
    ),
    subject_alt_name=gcp.certificateauthority.AuthorityConfigSubjectConfigSubjectAltNameArgs(
        dns_names=["hashicorp.com"],
    ),
)

# NOTE(review): this sample switches on almost every key-usage and
# extended-key-usage bit. A CA key normally needs only cert_sign and crl_sign;
# enable the rest only when this CA's key really performs them.
key_usage = gcp.certificateauthority.AuthorityConfigX509ConfigKeyUsageArgs(
    base_key_usage=gcp.certificateauthority.AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs(
        digital_signature=True,
        content_commitment=True,
        key_encipherment=False,
        data_encipherment=True,
        key_agreement=True,
        cert_sign=True,
        crl_sign=True,
        decipher_only=True,
    ),
    extended_key_usage=gcp.certificateauthority.AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs(
        server_auth=True,
        client_auth=False,
        email_protection=True,
        code_signing=True,
        time_stamping=True,
    ),
)

x509_config = gcp.certificateauthority.AuthorityConfigX509ConfigArgs(
    ca_options=gcp.certificateauthority.AuthorityConfigX509ConfigCaOptionsArgs(
        is_ca=True,
        # Path-length constraint: up to 10 CA levels may chain below this one.
        # Lower it to the depth the hierarchy actually needs.
        max_issuer_path_length=10,
    ),
    key_usage=key_usage,
)

# The CA itself. The pool "ca-pool" is referenced by name, not created here.
default = gcp.certificateauthority.Authority(
    "default",
    pool="ca-pool",
    location="us-central1",
    certificate_authority_id="my-certificate-authority",
    config=gcp.certificateauthority.AuthorityConfigArgs(
        subject_config=subject_config,
        x509_config=x509_config,
    ),
    key_spec=gcp.certificateauthority.AuthorityKeySpecArgs(
        algorithm="RSA_PKCS1_4096_SHA256",
    ),
    # 86400s is 24 hours: a sample value. Pick a CA certificate lifetime that
    # matches your rotation policy.
    lifetime="86400s",
    # Keeps the tool from destroying the CA by accident.
    deletion_protection=True,
)
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

// Subject DN and SAN that go into the CA certificate.
const subjectConfig = {
    subject: {
        organization: "HashiCorp",
        commonName: "my-certificate-authority",
    },
    subjectAltName: {
        dnsNames: ["hashicorp.com"],
    },
};

// NOTE(review): this sample switches on almost every key-usage and
// extended-key-usage bit. A CA key normally needs only certSign and crlSign;
// enable the rest only when this CA's key really performs them.
const keyUsage = {
    baseKeyUsage: {
        digitalSignature: true,
        contentCommitment: true,
        keyEncipherment: false,
        dataEncipherment: true,
        keyAgreement: true,
        certSign: true,
        crlSign: true,
        decipherOnly: true,
    },
    extendedKeyUsage: {
        serverAuth: true,
        clientAuth: false,
        emailProtection: true,
        codeSigning: true,
        timeStamping: true,
    },
};

const x509Config = {
    caOptions: {
        isCa: true,
        // Path-length constraint: up to 10 CA levels may chain below this one.
        // Lower it to the depth the hierarchy actually needs.
        maxIssuerPathLength: 10,
    },
    keyUsage: keyUsage,
};

const defaultAuthority = new gcp.certificateauthority.Authority("default", {
    // This example assumes this pool already exists.
    // Pools cannot be deleted in normal test circumstances, so we depend on static pools
    pool: "ca-pool",
    location: "us-central1",
    certificateAuthorityId: "my-certificate-authority",
    config: {
        subjectConfig: subjectConfig,
        x509Config: x509Config,
    },
    keySpec: {
        algorithm: "RSA_PKCS1_4096_SHA256",
    },
    // 86400s is 24 hours: a sample value. Pick a CA certificate lifetime that
    // matches your rotation policy.
    lifetime: "86400s",
    // Keeps the tool from destroying the CA by accident.
    deletionProtection: true,
});
# Declares one Private CA certificate authority named "default".
resources:
  default:
    type: gcp:certificateauthority:Authority
    properties:
      certificateAuthorityId: my-certificate-authority
      config:
        # Subject DN and SAN that go into the CA certificate.
        subjectConfig:
          subject:
            commonName: my-certificate-authority
            organization: HashiCorp
          subjectAltName:
            dnsNames:
              - hashicorp.com
        x509Config:
          caOptions:
            isCa: true
            # Path-length constraint: up to 10 CA levels may chain below this
            # one. Lower it to the depth the hierarchy actually needs.
            maxIssuerPathLength: 10
          # NOTE(review): this sample switches on almost every key-usage and
          # extended-key-usage bit. A CA key normally needs only certSign and
          # crlSign; enable the rest only when this CA's key really performs them.
          keyUsage:
            baseKeyUsage:
              certSign: true
              contentCommitment: true
              crlSign: true
              dataEncipherment: true
              decipherOnly: true
              digitalSignature: true
              keyAgreement: true
              keyEncipherment: false
            extendedKeyUsage:
              clientAuth: false
              codeSigning: true
              emailProtection: true
              serverAuth: true
              timeStamping: true
      # Keeps the tool from destroying the CA by accident.
      deletionProtection: true
      keySpec:
        algorithm: RSA_PKCS1_4096_SHA256
      # 86400s is 24 hours: a sample value. Pick a CA certificate lifetime
      # that matches your rotation policy.
      lifetime: 86400s
      location: us-central1
      # The pool is referenced by name; it is not created in this file.
      pool: ca-pool

Privateca Certificate Authority Subordinate

using Pulumi;
using Gcp = Pulumi.Gcp;

/// <summary>
/// Pulumi stack that declares a two-level hierarchy in the CA pool "ca-pool":
/// the authority "root-ca" and the subordinate authority "default" that names
/// it as issuer.
/// </summary>
class MyStack : Stack
{
    public MyStack()
    {
        // Root: its key usage is limited to signing certificates and CRLs.
        var rootX509 = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigArgs
        {
            CaOptions = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigCaOptionsArgs
            {
                IsCa = true,
            },
            KeyUsage = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigKeyUsageArgs
            {
                BaseKeyUsage = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs
                {
                    CertSign = true,
                    CrlSign = true,
                },
                ExtendedKeyUsage = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs
                {
                    ServerAuth = false,
                },
            },
        };

        var rootSubject = new Gcp.CertificateAuthority.Inputs.AuthorityConfigSubjectConfigArgs
        {
            Subject = new Gcp.CertificateAuthority.Inputs.AuthorityConfigSubjectConfigSubjectArgs
            {
                CommonName = "my-certificate-authority",
                Organization = "HashiCorp",
            },
            SubjectAltName = new Gcp.CertificateAuthority.Inputs.AuthorityConfigSubjectConfigSubjectAltNameArgs
            {
                DnsNames = { "hashicorp.com" },
            },
        };

        var rootCa = new Gcp.CertificateAuthority.Authority("root-ca", new Gcp.CertificateAuthority.AuthorityArgs
        {
            CertificateAuthorityId = "my-certificate-authority-root",
            Pool = "ca-pool",
            Location = "us-central1",
            // NOTE(review): with protection off and active certificates
            // ignored, this root can be deleted while certificates it issued
            // are still valid. Handy for disposable test stacks; keep
            // DeletionProtection on for a root that anything relies on.
            DeletionProtection = false,
            IgnoreActiveCertificatesOnDeletion = true,
            Config = new Gcp.CertificateAuthority.Inputs.AuthorityConfigArgs
            {
                SubjectConfig = rootSubject,
                X509Config = rootX509,
            },
            KeySpec = new Gcp.CertificateAuthority.Inputs.AuthorityKeySpecArgs
            {
                Algorithm = "RSA_PKCS1_4096_SHA256",
            },
        });

        // NOTE(review): the subordinate switches on almost every key-usage and
        // extended-key-usage bit. A CA key normally needs only CertSign and
        // CrlSign; enable the rest only when this CA's key really performs them.
        var subKeyUsage = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigKeyUsageArgs
        {
            BaseKeyUsage = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs
            {
                CertSign = true,
                CrlSign = true,
                DigitalSignature = true,
                ContentCommitment = true,
                KeyAgreement = true,
                DataEncipherment = true,
                DecipherOnly = true,
                KeyEncipherment = false,
            },
            ExtendedKeyUsage = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs
            {
                CodeSigning = true,
                EmailProtection = true,
                TimeStamping = true,
                ServerAuth = true,
                ClientAuth = false,
            },
        };

        var subSubject = new Gcp.CertificateAuthority.Inputs.AuthorityConfigSubjectConfigArgs
        {
            Subject = new Gcp.CertificateAuthority.Inputs.AuthorityConfigSubjectConfigSubjectArgs
            {
                CommonName = "my-subordinate-authority",
                Organization = "HashiCorp",
            },
            SubjectAltName = new Gcp.CertificateAuthority.Inputs.AuthorityConfigSubjectConfigSubjectAltNameArgs
            {
                DnsNames = { "hashicorp.com" },
            },
        };

        var @default = new Gcp.CertificateAuthority.Authority("default", new Gcp.CertificateAuthority.AuthorityArgs
        {
            Type = "SUBORDINATE",
            CertificateAuthorityId = "my-certificate-authority-sub",
            Pool = "ca-pool",
            Location = "us-central1",
            // The issuing CA is the root declared above.
            SubordinateConfig = new Gcp.CertificateAuthority.Inputs.AuthoritySubordinateConfigArgs
            {
                CertificateAuthority = rootCa.Name,
            },
            Config = new Gcp.CertificateAuthority.Inputs.AuthorityConfigArgs
            {
                SubjectConfig = subSubject,
                X509Config = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigArgs
                {
                    CaOptions = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigCaOptionsArgs
                    {
                        IsCa = true,
                        // Path length 0: no further CA level may chain below
                        // this subordinate.
                        MaxIssuerPathLength = 0,
                    },
                    KeyUsage = subKeyUsage,
                },
            },
            KeySpec = new Gcp.CertificateAuthority.Inputs.AuthorityKeySpecArgs
            {
                Algorithm = "RSA_PKCS1_4096_SHA256",
            },
            // 86400s is 24 hours: a sample value. Pick a CA certificate
            // lifetime that matches your rotation policy.
            Lifetime = "86400s",
            DeletionProtection = true,
        });
    }

}
package main

import (
	"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/certificateauthority"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

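// main registers a two-level CA hierarchy in the pool "ca-pool": the
// authority "root-ca" and the subordinate authority "default" that names it
// as issuer. The pool is referenced by name and is not created here.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Keep the root resource handle: the subordinate below refers to it
		// through rootCA.Name.
		rootCA, err := certificateauthority.NewAuthority(ctx, "root-ca", &certificateauthority.AuthorityArgs{
			Pool:                   pulumi.String("ca-pool"),
			CertificateAuthorityId: pulumi.String("my-certificate-authority-root"),
			Location:               pulumi.String("us-central1"),
			// NOTE(review): with protection off and active certificates
			// ignored, this root can be deleted while certificates it issued
			// are still valid. Handy for disposable test stacks; keep
			// DeletionProtection on for a root that anything relies on.
			DeletionProtection:                 pulumi.Bool(false),
			IgnoreActiveCertificatesOnDeletion: pulumi.Bool(true),
			Config: &certificateauthority.AuthorityConfigArgs{
				SubjectConfig: &certificateauthority.AuthorityConfigSubjectConfigArgs{
					Subject: &certificateauthority.AuthorityConfigSubjectConfigSubjectArgs{
						Organization: pulumi.String("HashiCorp"),
						CommonName:   pulumi.String("my-certificate-authority"),
					},
					SubjectAltName: &certificateauthority.AuthorityConfigSubjectConfigSubjectAltNameArgs{
						DnsNames: pulumi.StringArray{
							pulumi.String("hashicorp.com"),
						},
					},
				},
				X509Config: &certificateauthority.AuthorityConfigX509ConfigArgs{
					CaOptions: &certificateauthority.AuthorityConfigX509ConfigCaOptionsArgs{
						IsCa: pulumi.Bool(true),
					},
					// Root key usage is limited to signing certificates and CRLs.
					KeyUsage: &certificateauthority.AuthorityConfigX509ConfigKeyUsageArgs{
						BaseKeyUsage: &certificateauthority.AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs{
							CertSign: pulumi.Bool(true),
							CrlSign:  pulumi.Bool(true),
						},
						ExtendedKeyUsage: &certificateauthority.AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs{
							ServerAuth: pulumi.Bool(false),
						},
					},
				},
			},
			KeySpec: &certificateauthority.AuthorityKeySpecArgs{
				Algorithm: pulumi.String("RSA_PKCS1_4096_SHA256"),
			},
		})
		if err != nil {
			return err
		}

		_, err = certificateauthority.NewAuthority(ctx, "default", &certificateauthority.AuthorityArgs{
			Pool:                   pulumi.String("ca-pool"),
			CertificateAuthorityId: pulumi.String("my-certificate-authority-sub"),
			Location:               pulumi.String("us-central1"),
			DeletionProtection:     pulumi.Bool(true),
			// The issuing CA is the root created above.
			SubordinateConfig: &certificateauthority.AuthoritySubordinateConfigArgs{
				CertificateAuthority: rootCA.Name,
			},
			Config: &certificateauthority.AuthorityConfigArgs{
				SubjectConfig: &certificateauthority.AuthorityConfigSubjectConfigArgs{
					Subject: &certificateauthority.AuthorityConfigSubjectConfigSubjectArgs{
						Organization: pulumi.String("HashiCorp"),
						CommonName:   pulumi.String("my-subordinate-authority"),
					},
					SubjectAltName: &certificateauthority.AuthorityConfigSubjectConfigSubjectAltNameArgs{
						DnsNames: pulumi.StringArray{
							pulumi.String("hashicorp.com"),
						},
					},
				},
				X509Config: &certificateauthority.AuthorityConfigX509ConfigArgs{
					// Path length 0: no further CA level may chain below this
					// subordinate.
					CaOptions: &certificateauthority.AuthorityConfigX509ConfigCaOptionsArgs{
						IsCa:                pulumi.Bool(true),
						MaxIssuerPathLength: pulumi.Int(0),
					},
					// NOTE(review): the subordinate switches on almost every
					// key-usage and extended-key-usage bit. A CA key normally
					// needs only CertSign and CrlSign; enable the rest only
					// when this CA's key really performs them.
					KeyUsage: &certificateauthority.AuthorityConfigX509ConfigKeyUsageArgs{
						BaseKeyUsage: &certificateauthority.AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs{
							DigitalSignature:  pulumi.Bool(true),
							ContentCommitment: pulumi.Bool(true),
							KeyEncipherment:   pulumi.Bool(false),
							DataEncipherment:  pulumi.Bool(true),
							KeyAgreement:      pulumi.Bool(true),
							CertSign:          pulumi.Bool(true),
							CrlSign:           pulumi.Bool(true),
							DecipherOnly:      pulumi.Bool(true),
						},
						ExtendedKeyUsage: &certificateauthority.AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs{
							ServerAuth:      pulumi.Bool(true),
							ClientAuth:      pulumi.Bool(false),
							EmailProtection: pulumi.Bool(true),
							CodeSigning:     pulumi.Bool(true),
							TimeStamping:    pulumi.Bool(true),
						},
					},
				},
			},
			// 86400s is 24 hours: a sample value. Pick a CA certificate
			// lifetime that matches your rotation policy.
			Lifetime: pulumi.String("86400s"),
			KeySpec: &certificateauthority.AuthorityKeySpecArgs{
				Algorithm: pulumi.String("RSA_PKCS1_4096_SHA256"),
			},
			Type: pulumi.String("SUBORDINATE"),
		})
		return err
	})
}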
package generated_program;

import java.util.*;
import java.io.*;
import java.nio.*;
import com.pulumi.*;

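/**
 * Pulumi program that declares a two-level CA hierarchy in the pool
 * "ca-pool": the authority "root-ca" and the subordinate authority "default"
 * that names it as issuer. The pool is referenced by name, not created here.
 */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares the stack's resources.
     *
     * @param ctx Pulumi context supplied by {@code Pulumi.run}
     */
    public static void stack(Context ctx) {
        var root_ca = new Authority("root-ca", AuthorityArgs.builder()
            .pool("ca-pool")
            .certificateAuthorityId("my-certificate-authority-root")
            .location("us-central1")
            // NOTE(review): with protection off and active certificates
            // ignored, this root can be deleted while certificates it issued
            // are still valid. Handy for disposable test stacks; keep
            // deletionProtection on for a root that anything relies on.
            .deletionProtection(false)
            .ignoreActiveCertificatesOnDeletion(true)
            .config(AuthorityConfigArgs.builder()
                .subjectConfig(AuthorityConfigSubjectConfigArgs.builder()
                    .subject(AuthorityConfigSubjectConfigSubjectArgs.builder()
                        .organization("HashiCorp")
                        .commonName("my-certificate-authority")
                        .build())
                    .subjectAltName(AuthorityConfigSubjectConfigSubjectAltNameArgs.builder()
                        .dnsNames("hashicorp.com")
                        .build())
                    .build())
                .x509Config(AuthorityConfigX509ConfigArgs.builder()
                    .caOptions(AuthorityConfigX509ConfigCaOptionsArgs.builder()
                        .isCa(true)
                        .build())
                    // Root key usage is limited to signing certificates and CRLs.
                    .keyUsage(AuthorityConfigX509ConfigKeyUsageArgs.builder()
                        .baseKeyUsage(AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs.builder()
                            .certSign(true)
                            .crlSign(true)
                            .build())
                        .extendedKeyUsage(AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs.builder()
                            .serverAuth(false)
                            .build())
                        .build())
                    .build())
                .build())
            .keySpec(AuthorityKeySpecArgs.builder()
                .algorithm("RSA_PKCS1_4096_SHA256")
                .build())
            .build());

        var default_ = new Authority("default", AuthorityArgs.builder()
            .pool("ca-pool")
            .certificateAuthorityId("my-certificate-authority-sub")
            .location("us-central1")
            // Boolean, matching the root's deletionProtection(false) call above.
            .deletionProtection(true)
            // The issuing CA is the root declared above.
            .subordinateConfig(AuthoritySubordinateConfigArgs.builder()
                .certificateAuthority(root_ca.name())
                .build())
            .config(AuthorityConfigArgs.builder()
                .subjectConfig(AuthorityConfigSubjectConfigArgs.builder()
                    .subject(AuthorityConfigSubjectConfigSubjectArgs.builder()
                        .organization("HashiCorp")
                        .commonName("my-subordinate-authority")
                        .build())
                    .subjectAltName(AuthorityConfigSubjectConfigSubjectAltNameArgs.builder()
                        .dnsNames("hashicorp.com")
                        .build())
                    .build())
                .x509Config(AuthorityConfigX509ConfigArgs.builder()
                    .caOptions(AuthorityConfigX509ConfigCaOptionsArgs.builder()
                        .isCa(true)
                        // Path length 0: no further CA level may chain below
                        // this subordinate.
                        .maxIssuerPathLength(0)
                        .build())
                    // NOTE(review): the subordinate switches on almost every
                    // key-usage and extended-key-usage bit. A CA key normally
                    // needs only certSign and crlSign; enable the rest only
                    // when this CA's key really performs them.
                    .keyUsage(AuthorityConfigX509ConfigKeyUsageArgs.builder()
                        .baseKeyUsage(AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs.builder()
                            .digitalSignature(true)
                            .contentCommitment(true)
                            .keyEncipherment(false)
                            .dataEncipherment(true)
                            .keyAgreement(true)
                            .certSign(true)
                            .crlSign(true)
                            .decipherOnly(true)
                            .build())
                        .extendedKeyUsage(AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs.builder()
                            .serverAuth(true)
                            .clientAuth(false)
                            .emailProtection(true)
                            .codeSigning(true)
                            .timeStamping(true)
                            .build())
                        .build())
                    .build())
                .build())
            // 86400s is 24 hours: a sample value. Pick a CA certificate
            // lifetime that matches your rotation policy.
            .lifetime("86400s")
            .keySpec(AuthorityKeySpecArgs.builder()
                .algorithm("RSA_PKCS1_4096_SHA256")
                .build())
            .type("SUBORDINATE")
            .build());

    }
}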
import pulumi
import pulumi_gcp as gcp

# --- Root authority -------------------------------------------------------

root_subject_config = gcp.certificateauthority.AuthorityConfigSubjectConfigArgs(
    subject=gcp.certificateauthority.AuthorityConfigSubjectConfigSubjectArgs(
        common_name="my-certificate-authority",
        organization="HashiCorp",
    ),
    subject_alt_name=gcp.certificateauthority.AuthorityConfigSubjectConfigSubjectAltNameArgs(
        dns_names=["hashicorp.com"],
    ),
)

# Root key usage is limited to signing certificates and CRLs.
root_x509_config = gcp.certificateauthority.AuthorityConfigX509ConfigArgs(
    ca_options=gcp.certificateauthority.AuthorityConfigX509ConfigCaOptionsArgs(
        is_ca=True,
    ),
    key_usage=gcp.certificateauthority.AuthorityConfigX509ConfigKeyUsageArgs(
        base_key_usage=gcp.certificateauthority.AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs(
            cert_sign=True,
            crl_sign=True,
        ),
        extended_key_usage=gcp.certificateauthority.AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs(
            server_auth=False,
        ),
    ),
)

root_ca = gcp.certificateauthority.Authority(
    "root-ca",
    certificate_authority_id="my-certificate-authority-root",
    pool="ca-pool",
    location="us-central1",
    # NOTE(review): with protection off and active certificates ignored, this
    # root can be deleted while certificates it issued are still valid. Handy
    # for disposable test stacks; keep deletion_protection on for a root that
    # anything relies on.
    deletion_protection=False,
    ignore_active_certificates_on_deletion=True,
    config=gcp.certificateauthority.AuthorityConfigArgs(
        subject_config=root_subject_config,
        x509_config=root_x509_config,
    ),
    key_spec=gcp.certificateauthority.AuthorityKeySpecArgs(
        algorithm="RSA_PKCS1_4096_SHA256",
    ),
)

# --- Subordinate authority -------------------------------------------------

sub_subject_config = gcp.certificateauthority.AuthorityConfigSubjectConfigArgs(
    subject=gcp.certificateauthority.AuthorityConfigSubjectConfigSubjectArgs(
        common_name="my-subordinate-authority",
        organization="HashiCorp",
    ),
    subject_alt_name=gcp.certificateauthority.AuthorityConfigSubjectConfigSubjectAltNameArgs(
        dns_names=["hashicorp.com"],
    ),
)

# NOTE(review): the subordinate switches on almost every key-usage and
# extended-key-usage bit. A CA key normally needs only cert_sign and crl_sign;
# enable the rest only when this CA's key really performs them.
sub_key_usage = gcp.certificateauthority.AuthorityConfigX509ConfigKeyUsageArgs(
    base_key_usage=gcp.certificateauthority.AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs(
        cert_sign=True,
        crl_sign=True,
        digital_signature=True,
        content_commitment=True,
        key_agreement=True,
        data_encipherment=True,
        decipher_only=True,
        key_encipherment=False,
    ),
    extended_key_usage=gcp.certificateauthority.AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs(
        code_signing=True,
        email_protection=True,
        time_stamping=True,
        server_auth=True,
        client_auth=False,
    ),
)

sub_x509_config = gcp.certificateauthority.AuthorityConfigX509ConfigArgs(
    ca_options=gcp.certificateauthority.AuthorityConfigX509ConfigCaOptionsArgs(
        is_ca=True,
        # Path length 0: no further CA level may chain below this subordinate.
        max_issuer_path_length=0,
    ),
    key_usage=sub_key_usage,
)

default = gcp.certificateauthority.Authority(
    "default",
    type="SUBORDINATE",
    certificate_authority_id="my-certificate-authority-sub",
    pool="ca-pool",
    location="us-central1",
    # The issuing CA is the root declared above.
    subordinate_config=gcp.certificateauthority.AuthoritySubordinateConfigArgs(
        certificate_authority=root_ca.name,
    ),
    config=gcp.certificateauthority.AuthorityConfigArgs(
        subject_config=sub_subject_config,
        x509_config=sub_x509_config,
    ),
    key_spec=gcp.certificateauthority.AuthorityKeySpecArgs(
        algorithm="RSA_PKCS1_4096_SHA256",
    ),
    # 86400s is 24 hours: a sample value. Pick a CA certificate lifetime that
    # matches your rotation policy.
    lifetime="86400s",
    deletion_protection=True,
)
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

// Settings that the root and the subordinate authority in this example share.
const sharedCaArgs = {
    pool: "ca-pool",
    location: "us-central1",
    keySpec: {
        algorithm: "RSA_PKCS1_4096_SHA256",
    },
};
const exampleSubjectAltName = {
    dnsNames: ["hashicorp.com"],
};

// Root CA. `type` is left unset; the property reference gives SELF_SIGNED as the default.
const root_ca = new gcp.certificateauthority.Authority("root-ca", {
    ...sharedCaArgs,
    certificateAuthorityId: "my-certificate-authority-root",
    // With deletion protection off and active certificates ignored, this root can be
    // destroyed while certificates it issued are still valid. The property reference
    // marks ignoreActiveCertificatesOnDeletion as "use with care".
    deletionProtection: false,
    ignoreActiveCertificatesOnDeletion: true,
    config: {
        subjectConfig: {
            subject: {
                organization: "HashiCorp",
                commonName: "my-certificate-authority",
            },
            subjectAltName: exampleSubjectAltName,
        },
        x509Config: {
            caOptions: {
                isCa: true,
            },
            keyUsage: {
                // Only certificate and CRL signing are enabled on the root.
                baseKeyUsage: {
                    certSign: true,
                    crlSign: true,
                },
                extendedKeyUsage: {
                    serverAuth: false,
                },
            },
        },
    },
});

// Subordinate CA issued by the root above; deletion protection stays on.
const _default = new gcp.certificateauthority.Authority("default", {
    ...sharedCaArgs,
    certificateAuthorityId: "my-certificate-authority-sub",
    deletionProtection: true,
    subordinateConfig: {
        certificateAuthority: root_ca.name,
    },
    config: {
        subjectConfig: {
            subject: {
                organization: "HashiCorp",
                commonName: "my-subordinate-authority",
            },
            subjectAltName: exampleSubjectAltName,
        },
        x509Config: {
            caOptions: {
                isCa: true,
                // Path length 0: no further CA certificate may sit below this one in a chain.
                maxIssuerPathLength: 0,
            },
            // NOTE(review): the example enables most base and extended key usages. A CA
            // that only signs certificates and CRLs needs certSign and crlSign; confirm
            // the remaining usages are wanted before copying this block.
            keyUsage: {
                baseKeyUsage: {
                    digitalSignature: true,
                    contentCommitment: true,
                    keyEncipherment: false,
                    dataEncipherment: true,
                    keyAgreement: true,
                    certSign: true,
                    crlSign: true,
                    decipherOnly: true,
                },
                extendedKeyUsage: {
                    serverAuth: true,
                    clientAuth: false,
                    emailProtection: true,
                    codeSigning: true,
                    timeStamping: true,
                },
            },
        },
    },
    // 86400 seconds is 24 hours of CA certificate lifetime.
    lifetime: "86400s",
    type: "SUBORDINATE",
});
# Root CA plus a subordinate CA issued by it, both in the same CA pool.
resources:
  # Root CA. `type` is not set; the property reference gives SELF_SIGNED as the default.
  root-ca:
    type: gcp:certificateauthority:Authority
    properties:
      pool: ca-pool
      certificateAuthorityId: my-certificate-authority-root
      location: us-central1
      # With deletion protection off and active certificates ignored, this root can be
      # destroyed while certificates it issued are still valid. The property reference
      # marks ignoreActiveCertificatesOnDeletion as "use with care".
      deletionProtection: false
      ignoreActiveCertificatesOnDeletion: true
      config:
        subjectConfig:
          subject:
            organization: HashiCorp
            commonName: my-certificate-authority
          subjectAltName:
            dnsNames:
              - hashicorp.com
        x509Config:
          caOptions:
            isCa: true
          keyUsage:
            # Only certificate and CRL signing are enabled on the root.
            baseKeyUsage:
              certSign: true
              crlSign: true
            extendedKeyUsage:
              serverAuth: false
      keySpec:
        algorithm: RSA_PKCS1_4096_SHA256
  # Subordinate CA; deletion protection stays on.
  default:
    type: gcp:certificateauthority:Authority
    properties:
      pool: ca-pool
      certificateAuthorityId: my-certificate-authority-sub
      location: us-central1
      deletionProtection: true
      subordinateConfig:
        # Issuer of this subordinate: the root-ca resource declared above.
        certificateAuthority: ${["root-ca"].name}
      config:
        subjectConfig:
          subject:
            organization: HashiCorp
            commonName: my-subordinate-authority
          subjectAltName:
            dnsNames:
              - hashicorp.com
        x509Config:
          caOptions:
            isCa: true
            # Path length 0: no further CA certificate may sit below this one in a chain.
            maxIssuerPathLength: 0
          # NOTE(review): the example enables most base and extended key usages. A CA that
          # only signs certificates and CRLs needs certSign and crlSign; confirm the
          # remaining usages are wanted before copying this block.
          keyUsage:
            baseKeyUsage:
              digitalSignature: true
              contentCommitment: true
              keyEncipherment: false
              dataEncipherment: true
              keyAgreement: true
              certSign: true
              crlSign: true
              decipherOnly: true
            extendedKeyUsage:
              serverAuth: true
              clientAuth: false
              emailProtection: true
              codeSigning: true
              timeStamping: true
      # 86400 seconds is 24 hours of CA certificate lifetime.
      lifetime: 86400s
      keySpec:
        algorithm: RSA_PKCS1_4096_SHA256
      type: SUBORDINATE

Privateca Certificate Authority Byo Key

using Pulumi;
using Gcp = Pulumi.Gcp;

// Stack for the bring-your-own-key example: the CA signs with an existing Cloud KMS
// key version instead of a key generated from an algorithm name.
class MyStack : Stack
{
    public MyStack()
    {
        // Existing Cloud KMS key that backs the CA.
        const string kmsKey = "projects/keys-project/locations/us-central1/keyRings/key-ring/cryptoKeys/crypto-key";

        // Service identity for privateca.googleapis.com, and the IAM member string built from its email.
        var privatecaSa = new Gcp.Projects.ServiceIdentity("privatecaSa", new Gcp.Projects.ServiceIdentityArgs
        {
            Service = "privateca.googleapis.com",
        });
        var serviceAgentMember = privatecaSa.Email.Apply(email => $"serviceAccount:{email}");

        // Both bindings are attached to the key itself, not to the project.
        // NOTE(review): CryptoKeyIAMBinding is authoritative for its role on the key, so
        // members that are not listed lose that role; confirm no other principal relies on it.
        var signerVerifierArgs = new Gcp.Kms.CryptoKeyIAMBindingArgs
        {
            CryptoKeyId = kmsKey,
            Role = "roles/cloudkms.signerVerifier",
            Members =
            {
                serviceAgentMember,
            },
        };
        var privatecaSaKeyuserSignerverifier = new Gcp.Kms.CryptoKeyIAMBinding("privatecaSaKeyuserSignerverifier", signerVerifierArgs);

        var viewerArgs = new Gcp.Kms.CryptoKeyIAMBindingArgs
        {
            CryptoKeyId = kmsKey,
            Role = "roles/viewer",
            Members =
            {
                serviceAgentMember,
            },
        };
        var privatecaSaKeyuserViewer = new Gcp.Kms.CryptoKeyIAMBinding("privatecaSaKeyuserViewer", viewerArgs);

        var x509Config = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigArgs
        {
            CaOptions = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigCaOptionsArgs
            {
                IsCa = true,
                // Up to ten CA certificates may follow this one in a chain.
                MaxIssuerPathLength = 10,
            },
            KeyUsage = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigKeyUsageArgs
            {
                // Only certificate and CRL signing are enabled.
                BaseKeyUsage = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs
                {
                    CertSign = true,
                    CrlSign = true,
                },
                ExtendedKeyUsage = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs
                {
                    ServerAuth = false,
                },
            },
        };

        var subjectConfig = new Gcp.CertificateAuthority.Inputs.AuthorityConfigSubjectConfigArgs
        {
            Subject = new Gcp.CertificateAuthority.Inputs.AuthorityConfigSubjectConfigSubjectArgs
            {
                Organization = "Example, Org.",
                CommonName = "Example Authority",
            },
        };

        // The CA is declared to depend on both key bindings, so they are applied first.
        var caOptions = new CustomResourceOptions
        {
            DependsOn =
            {
                privatecaSaKeyuserSignerverifier,
                privatecaSaKeyuserViewer,
            },
        };

        var @default = new Gcp.CertificateAuthority.Authority("default", new Gcp.CertificateAuthority.AuthorityArgs
        {
            Pool = "ca-pool",
            CertificateAuthorityId = "my-certificate-authority",
            Location = "us-central1",
            DeletionProtection = true,
            KeySpec = new Gcp.CertificateAuthority.Inputs.AuthorityKeySpecArgs
            {
                // Pins version 1 of the key.
                CloudKmsKeyVersion = kmsKey + "/cryptoKeyVersions/1",
            },
            Config = new Gcp.CertificateAuthority.Inputs.AuthorityConfigArgs
            {
                SubjectConfig = subjectConfig,
                X509Config = x509Config,
            },
        }, caOptions);
    }

}
package main

import (
	"fmt"

	"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/certificateauthority"
	"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/kms"
	"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/projects"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

// main declares the bring-your-own-key example: a Private CA service identity, two IAM
// bindings on an existing Cloud KMS key, and a certificate authority that signs with
// version 1 of that key.
func main() {
	// Existing Cloud KMS key that backs the CA.
	const kmsKey = "projects/keys-project/locations/us-central1/keyRings/key-ring/cryptoKeys/crypto-key"

	pulumi.Run(func(ctx *pulumi.Context) error {
		privatecaSa, err := projects.NewServiceIdentity(ctx, "privatecaSa", &projects.ServiceIdentityArgs{
			Service: pulumi.String("privateca.googleapis.com"),
		})
		if err != nil {
			return err
		}

		// IAM member string for the service identity, used by both bindings.
		agent := pulumi.StringArray{
			privatecaSa.Email.ApplyT(func(email string) (string, error) {
				return fmt.Sprintf("serviceAccount:%s", email), nil
			}).(pulumi.StringOutput),
		}

		// Both bindings are attached to the key itself, not to the project.
		// NOTE(review): CryptoKeyIAMBinding is authoritative for its role on the key, so
		// members that are not listed lose that role; confirm no other principal relies on it.
		signerBinding, err := kms.NewCryptoKeyIAMBinding(ctx, "privatecaSaKeyuserSignerverifier", &kms.CryptoKeyIAMBindingArgs{
			CryptoKeyId: pulumi.String(kmsKey),
			Role:        pulumi.String("roles/cloudkms.signerVerifier"),
			Members:     agent,
		})
		if err != nil {
			return err
		}
		viewerBinding, err := kms.NewCryptoKeyIAMBinding(ctx, "privatecaSaKeyuserViewer", &kms.CryptoKeyIAMBindingArgs{
			CryptoKeyId: pulumi.String(kmsKey),
			Role:        pulumi.String("roles/viewer"),
			Members:     agent,
		})
		if err != nil {
			return err
		}

		x509 := &certificateauthority.AuthorityConfigX509ConfigArgs{
			CaOptions: &certificateauthority.AuthorityConfigX509ConfigCaOptionsArgs{
				IsCa: pulumi.Bool(true),
				// Up to ten CA certificates may follow this one in a chain.
				MaxIssuerPathLength: pulumi.Int(10),
			},
			KeyUsage: &certificateauthority.AuthorityConfigX509ConfigKeyUsageArgs{
				// Only certificate and CRL signing are enabled.
				BaseKeyUsage: &certificateauthority.AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs{
					CertSign: pulumi.Bool(true),
					CrlSign:  pulumi.Bool(true),
				},
				ExtendedKeyUsage: &certificateauthority.AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs{
					ServerAuth: pulumi.Bool(false),
				},
			},
		}
		subject := &certificateauthority.AuthorityConfigSubjectConfigArgs{
			Subject: &certificateauthority.AuthorityConfigSubjectConfigSubjectArgs{
				Organization: pulumi.String("Example, Org."),
				CommonName:   pulumi.String("Example Authority"),
			},
		}

		// The CA is declared to depend on both key bindings, so they are applied first.
		_, err = certificateauthority.NewAuthority(ctx, "default", &certificateauthority.AuthorityArgs{
			Pool:                   pulumi.String("ca-pool"),
			CertificateAuthorityId: pulumi.String("my-certificate-authority"),
			Location:               pulumi.String("us-central1"),
			DeletionProtection:     pulumi.Bool(true),
			KeySpec: &certificateauthority.AuthorityKeySpecArgs{
				// Pins version 1 of the key.
				CloudKmsKeyVersion: pulumi.String(kmsKey + "/cryptoKeyVersions/1"),
			},
			Config: &certificateauthority.AuthorityConfigArgs{
				SubjectConfig: subject,
				X509Config:    x509,
			},
		}, pulumi.DependsOn([]pulumi.Resource{
			signerBinding,
			viewerBinding,
		}))
		return err
	})
}
package generated_program;

import java.util.*;
import java.io.*;
import java.nio.*;
import com.pulumi.*;
import com.pulumi.resources.CustomResourceOptions;

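/**
 * Pulumi program for the bring-your-own-key example: a Private CA service identity,
 * two IAM bindings on an existing Cloud KMS key, and a certificate authority that
 * signs with version 1 of that key.
 *
 * NOTE(review): the listing's import block names only com.pulumi.* and
 * CustomResourceOptions; ServiceIdentity, CryptoKeyIAMBinding, Authority and their
 * Args builders still need imports from the provider SDK before this compiles.
 */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares the example's resources.
     *
     * @param ctx the Pulumi deployment context passed in by {@code Pulumi.run}
     */
    public static void stack(Context ctx) {
        var privatecaSa = new ServiceIdentity("privatecaSa", ServiceIdentityArgs.builder()
            .service("privateca.googleapis.com")
            .build());

        // Both bindings are attached to the key itself, not to the project.
        // NOTE(review): CryptoKeyIAMBinding is authoritative for its role on the key, so
        // members that are not listed lose that role; confirm no other principal relies on it.
        // NOTE(review): members is a list property; confirm the builder in the SDK version
        // in use accepts the single Output produced here.
        var privatecaSaKeyuserSignerverifier = new CryptoKeyIAMBinding("privatecaSaKeyuserSignerverifier", CryptoKeyIAMBindingArgs.builder()
            .cryptoKeyId("projects/keys-project/locations/us-central1/keyRings/key-ring/cryptoKeys/crypto-key")
            .role("roles/cloudkms.signerVerifier")
            .members(privatecaSa.email().apply(email -> String.format("serviceAccount:%s", email)))
            .build());

        var privatecaSaKeyuserViewer = new CryptoKeyIAMBinding("privatecaSaKeyuserViewer", CryptoKeyIAMBindingArgs.builder()
            .cryptoKeyId("projects/keys-project/locations/us-central1/keyRings/key-ring/cryptoKeys/crypto-key")
            .role("roles/viewer")
            .members(privatecaSa.email().apply(email -> String.format("serviceAccount:%s", email)))
            .build());

        var default_ = new Authority("default", AuthorityArgs.builder()
            .pool("ca-pool")
            .certificateAuthorityId("my-certificate-authority")
            .location("us-central1")
            // deletionProtection is a Boolean property, so pass the literal true and
            // not the string "true".
            .deletionProtection(true)
            .keySpec(AuthorityKeySpecArgs.builder()
                // Pins version 1 of the key.
                .cloudKmsKeyVersion("projects/keys-project/locations/us-central1/keyRings/key-ring/cryptoKeys/crypto-key/cryptoKeyVersions/1")
                .build())
            .config(AuthorityConfigArgs.builder()
                .subjectConfig(AuthorityConfigSubjectConfigArgs.builder()
                    .subject(AuthorityConfigSubjectConfigSubjectArgs.builder()
                        .organization("Example, Org.")
                        .commonName("Example Authority")
                        .build())
                    .build())
                .x509Config(AuthorityConfigX509ConfigArgs.builder()
                    .caOptions(AuthorityConfigX509ConfigCaOptionsArgs.builder()
                        .isCa(true)
                        // Up to ten CA certificates may follow this one in a chain.
                        .maxIssuerPathLength(10)
                        .build())
                    .keyUsage(AuthorityConfigX509ConfigKeyUsageArgs.builder()
                        // Only certificate and CRL signing are enabled.
                        .baseKeyUsage(AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs.builder()
                            .certSign(true)
                            .crlSign(true)
                            .build())
                        .extendedKeyUsage(AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs.builder()
                            .serverAuth(false)
                            .build())
                        .build())
                    .build())
                .build())
            // The CA is declared to depend on both key bindings, so they are applied first.
            .build(), CustomResourceOptions.builder()
                .dependsOn(
                    privatecaSaKeyuserSignerverifier,
                    privatecaSaKeyuserViewer)
                .build());

    }
}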
import pulumi
import pulumi_gcp as gcp

# Existing Cloud KMS key that backs the CA.
kms_key = "projects/keys-project/locations/us-central1/keyRings/key-ring/cryptoKeys/crypto-key"

# Service identity for privateca.googleapis.com, and the IAM member string built from its email.
privateca_sa = gcp.projects.ServiceIdentity("privatecaSa", service="privateca.googleapis.com")
service_agent_member = privateca_sa.email.apply(lambda email: f"serviceAccount:{email}")

# Both bindings are attached to the key itself, not to the project.
# NOTE(review): CryptoKeyIAMBinding is authoritative for its role on the key, so members
# that are not listed lose that role; confirm no other principal relies on it.
privateca_sa_keyuser_signerverifier = gcp.kms.CryptoKeyIAMBinding(
    "privatecaSaKeyuserSignerverifier",
    crypto_key_id=kms_key,
    role="roles/cloudkms.signerVerifier",
    members=[service_agent_member],
)
privateca_sa_keyuser_viewer = gcp.kms.CryptoKeyIAMBinding(
    "privatecaSaKeyuserViewer",
    crypto_key_id=kms_key,
    role="roles/viewer",
    members=[service_agent_member],
)

ca_subject = gcp.certificateauthority.AuthorityConfigSubjectConfigArgs(
    subject=gcp.certificateauthority.AuthorityConfigSubjectConfigSubjectArgs(
        organization="Example, Org.",
        common_name="Example Authority",
    ),
)
ca_x509 = gcp.certificateauthority.AuthorityConfigX509ConfigArgs(
    ca_options=gcp.certificateauthority.AuthorityConfigX509ConfigCaOptionsArgs(
        is_ca=True,
        # Up to ten CA certificates may follow this one in a chain.
        max_issuer_path_length=10,
    ),
    key_usage=gcp.certificateauthority.AuthorityConfigX509ConfigKeyUsageArgs(
        # Only certificate and CRL signing are enabled.
        base_key_usage=gcp.certificateauthority.AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs(
            cert_sign=True,
            crl_sign=True,
        ),
        extended_key_usage=gcp.certificateauthority.AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs(
            server_auth=False,
        ),
    ),
)

# The CA is declared to depend on both key bindings, so they are applied first.
default = gcp.certificateauthority.Authority(
    "default",
    pool="ca-pool",
    certificate_authority_id="my-certificate-authority",
    location="us-central1",
    deletion_protection=True,
    key_spec=gcp.certificateauthority.AuthorityKeySpecArgs(
        # Pins version 1 of the key.
        cloud_kms_key_version=f"{kms_key}/cryptoKeyVersions/1",
    ),
    config=gcp.certificateauthority.AuthorityConfigArgs(
        subject_config=ca_subject,
        x509_config=ca_x509,
    ),
    opts=pulumi.ResourceOptions(depends_on=[
        privateca_sa_keyuser_signerverifier,
        privateca_sa_keyuser_viewer,
    ]),
)
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

// Existing Cloud KMS key that backs the CA.
const kmsKey = "projects/keys-project/locations/us-central1/keyRings/key-ring/cryptoKeys/crypto-key";

// Service identity for privateca.googleapis.com, and the IAM member string built from its email.
const privatecaSa = new gcp.projects.ServiceIdentity("privatecaSa", {
    service: "privateca.googleapis.com",
});
const serviceAgentMember = pulumi.interpolate`serviceAccount:${privatecaSa.email}`;

// Both bindings are attached to the key itself, not to the project.
// NOTE(review): CryptoKeyIAMBinding is authoritative for its role on the key, so members
// that are not listed lose that role; confirm no other principal relies on it.
const privatecaSaKeyuserSignerverifier = new gcp.kms.CryptoKeyIAMBinding("privatecaSaKeyuserSignerverifier", {
    cryptoKeyId: kmsKey,
    role: "roles/cloudkms.signerVerifier",
    members: [serviceAgentMember],
});
const privatecaSaKeyuserViewer = new gcp.kms.CryptoKeyIAMBinding("privatecaSaKeyuserViewer", {
    cryptoKeyId: kmsKey,
    role: "roles/viewer",
    members: [serviceAgentMember],
});

const caSubjectConfig = {
    subject: {
        organization: "Example, Org.",
        commonName: "Example Authority",
    },
};
const caX509Config = {
    caOptions: {
        isCa: true,
        // Up to ten CA certificates may follow this one in a chain.
        maxIssuerPathLength: 10,
    },
    keyUsage: {
        // Only certificate and CRL signing are enabled.
        baseKeyUsage: {
            certSign: true,
            crlSign: true,
        },
        extendedKeyUsage: {
            serverAuth: false,
        },
    },
};

// The CA is declared to depend on both key bindings, so they are applied first.
const _default = new gcp.certificateauthority.Authority("default", {
    pool: "ca-pool",
    certificateAuthorityId: "my-certificate-authority",
    location: "us-central1",
    deletionProtection: true,
    keySpec: {
        // Pins version 1 of the key.
        cloudKmsKeyVersion: `${kmsKey}/cryptoKeyVersions/1`,
    },
    config: {
        subjectConfig: caSubjectConfig,
        x509Config: caX509Config,
    },
}, {
    dependsOn: [
        privatecaSaKeyuserSignerverifier,
        privatecaSaKeyuserViewer,
    ],
});
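# Bring-your-own-key example: the CA signs with an existing Cloud KMS key version.
resources:
  # Service identity for privateca.googleapis.com; its email is the member in both bindings.
  privatecaSa:
    type: gcp:projects:ServiceIdentity
    properties:
      service: privateca.googleapis.com
  # Both bindings are attached to the key itself, not to the project.
  # NOTE(review): CryptoKeyIAMBinding is authoritative for its role on the key, so members
  # that are not listed lose that role; confirm no other principal relies on it.
  privatecaSaKeyuserSignerverifier:
    type: gcp:kms:CryptoKeyIAMBinding
    properties:
      cryptoKeyId: projects/keys-project/locations/us-central1/keyRings/key-ring/cryptoKeys/crypto-key
      role: roles/cloudkms.signerVerifier
      members:
        - serviceAccount:${privatecaSa.email}
  privatecaSaKeyuserViewer:
    type: gcp:kms:CryptoKeyIAMBinding
    properties:
      cryptoKeyId: projects/keys-project/locations/us-central1/keyRings/key-ring/cryptoKeys/crypto-key
      role: roles/viewer
      members:
        - serviceAccount:${privatecaSa.email}
  default:
    type: gcp:certificateauthority:Authority
    properties:
      pool: ca-pool
      certificateAuthorityId: my-certificate-authority
      location: us-central1
      deletionProtection: true
      keySpec:
        # Pins version 1 of the key.
        cloudKmsKeyVersion: projects/keys-project/locations/us-central1/keyRings/key-ring/cryptoKeys/crypto-key/cryptoKeyVersions/1
      config:
        subjectConfig:
          subject:
            organization: Example, Org.
            commonName: Example Authority
        x509Config:
          caOptions:
            isCa: true
            # Up to ten CA certificates may follow this one in a chain.
            maxIssuerPathLength: 10
          keyUsage:
            # Only certificate and CRL signing are enabled.
            baseKeyUsage:
              certSign: true
              crlSign: true
            extendedKeyUsage:
              serverAuth: false
    options:
      # The option key is camelCase `dependsOn`, matching the other language listings.
      # It makes the CA depend on both key bindings, so they are applied first.
      dependsOn:
        - ${privatecaSaKeyuserSignerverifier}
        - ${privatecaSaKeyuserViewer}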

Create an Authority Resource

new Authority(name: string, args: AuthorityArgs, opts?: CustomResourceOptions);
@overload
def Authority(resource_name: str,
              opts: Optional[ResourceOptions] = None,
              certificate_authority_id: Optional[str] = None,
              config: Optional[AuthorityConfigArgs] = None,
              deletion_protection: Optional[bool] = None,
              desired_state: Optional[str] = None,
              gcs_bucket: Optional[str] = None,
              ignore_active_certificates_on_deletion: Optional[bool] = None,
              key_spec: Optional[AuthorityKeySpecArgs] = None,
              labels: Optional[Mapping[str, str]] = None,
              lifetime: Optional[str] = None,
              location: Optional[str] = None,
              pem_ca_certificate: Optional[str] = None,
              pool: Optional[str] = None,
              project: Optional[str] = None,
              subordinate_config: Optional[AuthoritySubordinateConfigArgs] = None,
              type: Optional[str] = None)
@overload
def Authority(resource_name: str,
              args: AuthorityArgs,
              opts: Optional[ResourceOptions] = None)
func NewAuthority(ctx *Context, name string, args AuthorityArgs, opts ...ResourceOption) (*Authority, error)
public Authority(string name, AuthorityArgs args, CustomResourceOptions? opts = null)
public Authority(String name, AuthorityArgs args)
public Authority(String name, AuthorityArgs args, CustomResourceOptions options)
type: gcp:certificateauthority:Authority
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

name string
The unique name of the resource.
args AuthorityArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.
resource_name str
The unique name of the resource.
args AuthorityArgs
The arguments to resource properties.
opts ResourceOptions
Bag of options to control resource's behavior.
ctx Context
Context object for the current deployment.
name string
The unique name of the resource.
args AuthorityArgs
The arguments to resource properties.
opts ResourceOption
Bag of options to control resource's behavior.
name string
The unique name of the resource.
args AuthorityArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.
name String
The unique name of the resource.
args AuthorityArgs
The arguments to resource properties.
options CustomResourceOptions
Bag of options to control resource's behavior.

Authority Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

The Authority resource accepts the following input properties:

CertificateAuthorityId string

The user provided Resource ID for this Certificate Authority.

Config AuthorityConfigArgs

The config used to create a self-signed X.509 certificate or CSR. Structure is documented below.

KeySpec AuthorityKeySpecArgs

Used when issuing certificates for this CertificateAuthority. If this CertificateAuthority is a self-signed CertificateAuthority, this key is also used to sign the self-signed CA certificate. Otherwise, it is used to sign a CSR. Structure is documented below.

Location string

Location of the CertificateAuthority. A full list of valid locations can be found by running gcloud privateca locations list.

Pool string

The name of the CaPool this Certificate Authority belongs to.

DeletionProtection bool
DesiredState string

Desired state of the CertificateAuthority. Set this field to STAGED to create a STAGED root CA.

GcsBucket string

The name of a Cloud Storage bucket where this CertificateAuthority will publish content, such as the CA certificate and CRLs. This must be a bucket name, without any prefixes (such as gs://) or suffixes (such as .googleapis.com). For example, to use a bucket named my-bucket, you would simply specify my-bucket. If not specified, a managed bucket will be created.

IgnoreActiveCertificatesOnDeletion bool

This field allows the CA to be deleted even if the CA has active certs. Active certs include both unrevoked and unexpired certs. Use with care. Defaults to false.

Labels Dictionary<string, string>

Labels with user-defined metadata. An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.

Lifetime string

The desired lifetime of the CA certificate. Used to create the "notBeforeTime" and "notAfterTime" fields inside an X.509 certificate. A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s".

PemCaCertificate string

The signed CA certificate issued from the subordinate CA's CSR. This is needed when activating the subordinate CA with a third-party issuer.

Project string

The ID of the project in which the resource belongs. If it is not provided, the provider project is used.

SubordinateConfig AuthoritySubordinateConfigArgs

If this is a subordinate CertificateAuthority, this field will be set with the subordinate configuration, which describes its issuers. Structure is documented below.

Type string

The Type of this CertificateAuthority.

Note: A SUBORDINATE Certificate Authority must be activated before it can issue certificates. Default value is SELF_SIGNED. Possible values are SELF_SIGNED and SUBORDINATE.

CertificateAuthorityId string

The user provided Resource ID for this Certificate Authority.

Config AuthorityConfigArgs

The config used to create a self-signed X.509 certificate or CSR. Structure is documented below.

KeySpec AuthorityKeySpecArgs

Used when issuing certificates for this CertificateAuthority. If this CertificateAuthority is a self-signed CertificateAuthority, this key is also used to sign the self-signed CA certificate. Otherwise, it is used to sign a CSR. Structure is documented below.

Location string

Location of the CertificateAuthority. A full list of valid locations can be found by running gcloud privateca locations list.

Pool string

The name of the CaPool this Certificate Authority belongs to.

DeletionProtection bool
DesiredState string

Desired state of the CertificateAuthority. Set this field to STAGED to create a STAGED root CA.

GcsBucket string

The name of a Cloud Storage bucket where this CertificateAuthority will publish content, such as the CA certificate and CRLs. This must be a bucket name, without any prefixes (such as gs://) or suffixes (such as .googleapis.com). For example, to use a bucket named my-bucket, you would simply specify my-bucket. If not specified, a managed bucket will be created.

IgnoreActiveCertificatesOnDeletion bool

This field allows the CA to be deleted even if the CA has active certs. Active certs include both unrevoked and unexpired certs. Use with care. Defaults to false.

Labels map[string]string

Labels with user-defined metadata. An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.

Lifetime string

The desired lifetime of the CA certificate. Used to create the "notBeforeTime" and "notAfterTime" fields inside an X.509 certificate. A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s".

PemCaCertificate string

The signed CA certificate issued from the subordinate CA's CSR. This is needed when activating the subordinate CA with a third-party issuer.

Project string

The ID of the project in which the resource belongs. If it is not provided, the provider project is used.

SubordinateConfig AuthoritySubordinateConfigArgs

If this is a subordinate CertificateAuthority, this field will be set with the subordinate configuration, which describes its issuers. Structure is documented below.

Type string

The Type of this CertificateAuthority.

Note: A SUBORDINATE Certificate Authority must be activated before it can issue certificates. Default value is SELF_SIGNED. Possible values are SELF_SIGNED and SUBORDINATE.

certificateAuthorityId String

The user provided Resource ID for this Certificate Authority.

config AuthorityConfigArgs

The config used to create a self-signed X.509 certificate or CSR. Structure is documented below.

keySpec AuthorityKeySpecArgs

Used when issuing certificates for this CertificateAuthority. If this CertificateAuthority is a self-signed CertificateAuthority, this key is also used to sign the self-signed CA certificate. Otherwise, it is used to sign a CSR. Structure is documented below.

location String

Location of the CertificateAuthority. A full list of valid locations can be found by running gcloud privateca locations list.

pool String

The name of the CaPool this Certificate Authority belongs to.

deletionProtection Boolean
desiredState String

Desired state of the CertificateAuthority. Set this field to STAGED to create a STAGED root CA.

gcsBucket String

The name of a Cloud Storage bucket where this CertificateAuthority will publish content, such as the CA certificate and CRLs. This must be a bucket name, without any prefixes (such as gs://) or suffixes (such as .googleapis.com). For example, to use a bucket named my-bucket, you would simply specify my-bucket. If not specified, a managed bucket will be created.

ignoreActiveCertificatesOnDeletion Boolean

This field allows the CA to be deleted even if the CA has active certs. Active certs include both unrevoked and unexpired certs. Use with care. Defaults to false.

labels Map<String,String>

Labels with user-defined metadata. An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.

lifetime String

The desired lifetime of the CA certificate. Used to create the "notBeforeTime" and "notAfterTime" fields inside an X.509 certificate. A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s".

pemCaCertificate String

The signed CA certificate issued from the subordinate CA's CSR. This is needed when activating the subordinate CA with a third-party issuer.

project String

The ID of the project in which the resource belongs. If it is not provided, the provider project is used.

subordinateConfig AuthoritySubordinateConfigArgs

If this is a subordinate CertificateAuthority, this field will be set with the subordinate configuration, which describes its issuers. Structure is documented below.

type String

The Type of this CertificateAuthority.

Note: A SUBORDINATE Certificate Authority must be activated before it can issue certificates. Default value is SELF_SIGNED. Possible values are SELF_SIGNED and SUBORDINATE.

certificateAuthorityId string

The user provided Resource ID for this Certificate Authority.

config AuthorityConfigArgs

The config used to create a self-signed X.509 certificate or CSR. Structure is documented below.

keySpec AuthorityKeySpecArgs

Used when issuing certificates for this CertificateAuthority. If this CertificateAuthority is a self-signed CertificateAuthority, this key is also used to sign the self-signed CA certificate. Otherwise, it is used to sign a CSR. Structure is documented below.

location string

Location of the CertificateAuthority. A full list of valid locations can be found by running gcloud privateca locations list.

pool string

The name of the CaPool this Certificate Authority belongs to.

deletionProtection boolean
desiredState string

Desired state of the CertificateAuthority. Set this field to STAGED to create a STAGED root CA.

gcsBucket string

The name of a Cloud Storage bucket where this CertificateAuthority will publish content, such as the CA certificate and CRLs. This must be a bucket name, without any prefixes (such as gs://) or suffixes (such as .googleapis.com). For example, to use a bucket named my-bucket, you would simply specify my-bucket. If not specified, a managed bucket will be created.

ignoreActiveCertificatesOnDeletion boolean

This field allows the CA to be deleted even if the CA has active certs. Active certs include both unrevoked and unexpired certs. Use with care. Defaults to false.

labels {[key: string]: string}

Labels with user-defined metadata. An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.

lifetime string

The desired lifetime of the CA certificate. Used to create the "notBeforeTime" and "notAfterTime" fields inside an X.509 certificate. A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s".

pemCaCertificate string

The signed CA certificate issued from the subordinate CA's CSR. This is needed when activating the subordinate CA with a third-party issuer.

project string

The ID of the project in which the resource belongs. If it is not provided, the provider project is used.

subordinateConfig AuthoritySubordinateConfigArgs

If this is a subordinate CertificateAuthority, this field will be set with the subordinate configuration, which describes its issuers. Structure is documented below.

type string

The Type of this CertificateAuthority.

Note: For SUBORDINATE Certificate Authorities, they need to be activated before they can issue certificates. Default value is SELF_SIGNED. Possible values are SELF_SIGNED and SUBORDINATE.

certificate_authority_id str

The user provided Resource ID for this Certificate Authority.

config AuthorityConfigArgs

The config used to create a self-signed X.509 certificate or CSR. Structure is documented below.

key_spec AuthorityKeySpecArgs

Used when issuing certificates for this CertificateAuthority. If this CertificateAuthority is a self-signed CertificateAuthority, this key is also used to sign the self-signed CA certificate. Otherwise, it is used to sign a CSR. Structure is documented below.

location str

Location of the CertificateAuthority. A full list of valid locations can be found by running gcloud privateca locations list.

pool str

The name of the CaPool this Certificate Authority belongs to.

deletion_protection bool
desired_state str

Desired state of the CertificateAuthority. Set this field to STAGED to create a STAGED root CA.

gcs_bucket str

The name of a Cloud Storage bucket where this CertificateAuthority will publish content, such as the CA certificate and CRLs. This must be a bucket name, without any prefixes (such as gs://) or suffixes (such as .googleapis.com). For example, to use a bucket named my-bucket, you would simply specify my-bucket. If not specified, a managed bucket will be created.

ignore_active_certificates_on_deletion bool

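This field allows the CA to be deleted even if the CA has active certs. Active certs include both unrevoked and unexpired certs. Use with care: deleting the CA does not revoke those certs, so revoke any that should no longer be trusted before deleting. Defaults to false.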

labels Mapping[str, str]

Labels with user-defined metadata. An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.

lifetime str

The desired lifetime of the CA certificate. Used to create the "notBeforeTime" and "notAfterTime" fields inside an X.509 certificate. A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s".

pem_ca_certificate str

The signed CA certificate issued from the subordinate CA's CSR. This is needed when activating the subordinate CA with a third-party issuer.

project str

The ID of the project in which the resource belongs. If it is not provided, the provider project is used.

subordinate_config AuthoritySubordinateConfigArgs

If this is a subordinate CertificateAuthority, this field will be set with the subordinate configuration, which describes its issuers. Structure is documented below.

type str

The Type of this CertificateAuthority.

Note: For SUBORDINATE Certificate Authorities, they need to be activated before they can issue certificates. Default value is SELF_SIGNED. Possible values are SELF_SIGNED and SUBORDINATE.

certificateAuthorityId String

The user provided Resource ID for this Certificate Authority.

config Property Map

The config used to create a self-signed X.509 certificate or CSR. Structure is documented below.

keySpec Property Map

Used when issuing certificates for this CertificateAuthority. If this CertificateAuthority is a self-signed CertificateAuthority, this key is also used to sign the self-signed CA certificate. Otherwise, it is used to sign a CSR. Structure is documented below.

location String

Location of the CertificateAuthority. A full list of valid locations can be found by running gcloud privateca locations list.

pool String

The name of the CaPool this Certificate Authority belongs to.

deletionProtection Boolean
desiredState String

Desired state of the CertificateAuthority. Set this field to STAGED to create a STAGED root CA.

gcsBucket String

The name of a Cloud Storage bucket where this CertificateAuthority will publish content, such as the CA certificate and CRLs. This must be a bucket name, without any prefixes (such as gs://) or suffixes (such as .googleapis.com). For example, to use a bucket named my-bucket, you would simply specify my-bucket. If not specified, a managed bucket will be created.

ignoreActiveCertificatesOnDeletion Boolean

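This field allows the CA to be deleted even if the CA has active certs. Active certs include both unrevoked and unexpired certs. Use with care: deleting the CA does not revoke those certs, so revoke any that should no longer be trusted before deleting. Defaults to false.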

labels Map<String>

Labels with user-defined metadata. An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.

lifetime String

The desired lifetime of the CA certificate. Used to create the "notBeforeTime" and "notAfterTime" fields inside an X.509 certificate. A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s".

pemCaCertificate String

The signed CA certificate issued from the subordinate CA's CSR. This is needed when activating the subordinate CA with a third-party issuer.

project String

The ID of the project in which the resource belongs. If it is not provided, the provider project is used.

subordinateConfig Property Map

If this is a subordinate CertificateAuthority, this field will be set with the subordinate configuration, which describes its issuers. Structure is documented below.

type String

The Type of this CertificateAuthority.

Note: For SUBORDINATE Certificate Authorities, they need to be activated before they can issue certificates. Default value is SELF_SIGNED. Possible values are SELF_SIGNED and SUBORDINATE.

Outputs

All input properties are implicitly available as output properties. Additionally, the Authority resource produces the following output properties:

AccessUrls List<AuthorityAccessUrl>

URLs for accessing content published by this CA, such as the CA certificate and CRLs.

CreateTime string

The time at which this CertificateAuthority was created. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

Id string

The provider-assigned unique ID for this managed resource.

Name string

The resource name for this CertificateAuthority in the format projects/*/locations/*/certificateAuthorities/*.

PemCaCertificates List<string>

This CertificateAuthority's certificate chain, including the current CertificateAuthority's certificate. Ordered such that the root issuer is the final element (consistent with RFC 5246). For a self-signed CA, this will only list the current CertificateAuthority's certificate.

State string

The State for this CertificateAuthority.

UpdateTime string

The time at which this CertificateAuthority was updated. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

AccessUrls []AuthorityAccessUrl

URLs for accessing content published by this CA, such as the CA certificate and CRLs.

CreateTime string

The time at which this CertificateAuthority was created. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

Id string

The provider-assigned unique ID for this managed resource.

Name string

The resource name for this CertificateAuthority in the format projects/*/locations/*/certificateAuthorities/*.

PemCaCertificates []string

This CertificateAuthority's certificate chain, including the current CertificateAuthority's certificate. Ordered such that the root issuer is the final element (consistent with RFC 5246). For a self-signed CA, this will only list the current CertificateAuthority's certificate.

State string

The State for this CertificateAuthority.

UpdateTime string

The time at which this CertificateAuthority was updated. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

accessUrls List<AuthorityAccessUrl>

URLs for accessing content published by this CA, such as the CA certificate and CRLs.

createTime String

The time at which this CertificateAuthority was created. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

id String

The provider-assigned unique ID for this managed resource.

name String

The resource name for this CertificateAuthority in the format projects/*/locations/*/certificateAuthorities/*.

pemCaCertificates List<String>

This CertificateAuthority's certificate chain, including the current CertificateAuthority's certificate. Ordered such that the root issuer is the final element (consistent with RFC 5246). For a self-signed CA, this will only list the current CertificateAuthority's certificate.

state String

The State for this CertificateAuthority.

updateTime String

The time at which this CertificateAuthority was updated. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

accessUrls AuthorityAccessUrl[]

URLs for accessing content published by this CA, such as the CA certificate and CRLs.

createTime string

The time at which this CertificateAuthority was created. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

id string

The provider-assigned unique ID for this managed resource.

name string

The resource name for this CertificateAuthority in the format projects/*/locations/*/certificateAuthorities/*.

pemCaCertificates string[]

This CertificateAuthority's certificate chain, including the current CertificateAuthority's certificate. Ordered such that the root issuer is the final element (consistent with RFC 5246). For a self-signed CA, this will only list the current CertificateAuthority's certificate.

state string

The State for this CertificateAuthority.

updateTime string

The time at which this CertificateAuthority was updated. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

access_urls Sequence[AuthorityAccessUrl]

URLs for accessing content published by this CA, such as the CA certificate and CRLs.

create_time str

The time at which this CertificateAuthority was created. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

id str

The provider-assigned unique ID for this managed resource.

name str

The resource name for this CertificateAuthority in the format projects/*/locations/*/certificateAuthorities/*.

pem_ca_certificates Sequence[str]

This CertificateAuthority's certificate chain, including the current CertificateAuthority's certificate. Ordered such that the root issuer is the final element (consistent with RFC 5246). For a self-signed CA, this will only list the current CertificateAuthority's certificate.

state str

The State for this CertificateAuthority.

update_time str

The time at which this CertificateAuthority was updated. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

accessUrls List<Property Map>

URLs for accessing content published by this CA, such as the CA certificate and CRLs.

createTime String

The time at which this CertificateAuthority was created. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

id String

The provider-assigned unique ID for this managed resource.

name String

The resource name for this CertificateAuthority in the format projects/*/locations/*/certificateAuthorities/*.

pemCaCertificates List<String>

This CertificateAuthority's certificate chain, including the current CertificateAuthority's certificate. Ordered such that the root issuer is the final element (consistent with RFC 5246). For a self-signed CA, this will only list the current CertificateAuthority's certificate.

state String

The State for this CertificateAuthority.

updateTime String

The time at which this CertificateAuthority was updated. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

Look up an Existing Authority Resource

Get an existing Authority resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: AuthorityState, opts?: CustomResourceOptions): Authority
@staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        access_urls: Optional[Sequence[AuthorityAccessUrlArgs]] = None,
        certificate_authority_id: Optional[str] = None,
        config: Optional[AuthorityConfigArgs] = None,
        create_time: Optional[str] = None,
        deletion_protection: Optional[bool] = None,
        desired_state: Optional[str] = None,
        gcs_bucket: Optional[str] = None,
        ignore_active_certificates_on_deletion: Optional[bool] = None,
        key_spec: Optional[AuthorityKeySpecArgs] = None,
        labels: Optional[Mapping[str, str]] = None,
        lifetime: Optional[str] = None,
        location: Optional[str] = None,
        name: Optional[str] = None,
        pem_ca_certificate: Optional[str] = None,
        pem_ca_certificates: Optional[Sequence[str]] = None,
        pool: Optional[str] = None,
        project: Optional[str] = None,
        state: Optional[str] = None,
        subordinate_config: Optional[AuthoritySubordinateConfigArgs] = None,
        type: Optional[str] = None,
        update_time: Optional[str] = None) -> Authority
func GetAuthority(ctx *Context, name string, id IDInput, state *AuthorityState, opts ...ResourceOption) (*Authority, error)
public static Authority Get(string name, Input<string> id, AuthorityState? state, CustomResourceOptions? opts = null)
public static Authority get(String name, Output<String> id, AuthorityState state, CustomResourceOptions options)
Resource lookup is not supported in YAML
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
resource_name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
The following state arguments are supported:
AccessUrls List<AuthorityAccessUrlArgs>

URLs for accessing content published by this CA, such as the CA certificate and CRLs.

CertificateAuthorityId string

The user provided Resource ID for this Certificate Authority.

Config AuthorityConfigArgs

The config used to create a self-signed X.509 certificate or CSR. Structure is documented below.

CreateTime string

The time at which this CertificateAuthority was created. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

DeletionProtection bool
DesiredState string

Desired state of the CertificateAuthority. Set this field to STAGED to create a STAGED root CA.

GcsBucket string

The name of a Cloud Storage bucket where this CertificateAuthority will publish content, such as the CA certificate and CRLs. This must be a bucket name, without any prefixes (such as gs://) or suffixes (such as .googleapis.com). For example, to use a bucket named my-bucket, you would simply specify my-bucket. If not specified, a managed bucket will be created.

IgnoreActiveCertificatesOnDeletion bool

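This field allows the CA to be deleted even if the CA has active certs. Active certs include both unrevoked and unexpired certs. Use with care: deleting the CA does not revoke those certs, so revoke any that should no longer be trusted before deleting. Defaults to false.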

KeySpec AuthorityKeySpecArgs

Used when issuing certificates for this CertificateAuthority. If this CertificateAuthority is a self-signed CertificateAuthority, this key is also used to sign the self-signed CA certificate. Otherwise, it is used to sign a CSR. Structure is documented below.

Labels Dictionary<string, string>

Labels with user-defined metadata. An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.

Lifetime string

The desired lifetime of the CA certificate. Used to create the "notBeforeTime" and "notAfterTime" fields inside an X.509 certificate. A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s".

Location string

Location of the CertificateAuthority. A full list of valid locations can be found by running gcloud privateca locations list.

Name string

The resource name for this CertificateAuthority in the format projects/*/locations/*/certificateAuthorities/*.

PemCaCertificate string

The signed CA certificate issued from the subordinate CA's CSR. This is needed when activating the subordinate CA with a third-party issuer.

PemCaCertificates List<string>

This CertificateAuthority's certificate chain, including the current CertificateAuthority's certificate. Ordered such that the root issuer is the final element (consistent with RFC 5246). For a self-signed CA, this will only list the current CertificateAuthority's certificate.

Pool string

The name of the CaPool this Certificate Authority belongs to.

Project string

The ID of the project in which the resource belongs. If it is not provided, the provider project is used.

State string

The State for this CertificateAuthority.

SubordinateConfig AuthoritySubordinateConfigArgs

If this is a subordinate CertificateAuthority, this field will be set with the subordinate configuration, which describes its issuers. Structure is documented below.

Type string

The Type of this CertificateAuthority.

Note: For SUBORDINATE Certificate Authorities, they need to be activated before they can issue certificates. Default value is SELF_SIGNED. Possible values are SELF_SIGNED and SUBORDINATE.

UpdateTime string

The time at which this CertificateAuthority was updated. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

AccessUrls []AuthorityAccessUrlArgs

URLs for accessing content published by this CA, such as the CA certificate and CRLs.

CertificateAuthorityId string

The user provided Resource ID for this Certificate Authority.

Config AuthorityConfigArgs

The config used to create a self-signed X.509 certificate or CSR. Structure is documented below.

CreateTime string

The time at which this CertificateAuthority was created. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

DeletionProtection bool
DesiredState string

Desired state of the CertificateAuthority. Set this field to STAGED to create a STAGED root CA.

GcsBucket string

The name of a Cloud Storage bucket where this CertificateAuthority will publish content, such as the CA certificate and CRLs. This must be a bucket name, without any prefixes (such as gs://) or suffixes (such as .googleapis.com). For example, to use a bucket named my-bucket, you would simply specify my-bucket. If not specified, a managed bucket will be created.

IgnoreActiveCertificatesOnDeletion bool

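This field allows the CA to be deleted even if the CA has active certs. Active certs include both unrevoked and unexpired certs. Use with care: deleting the CA does not revoke those certs, so revoke any that should no longer be trusted before deleting. Defaults to false.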

KeySpec AuthorityKeySpecArgs

Used when issuing certificates for this CertificateAuthority. If this CertificateAuthority is a self-signed CertificateAuthority, this key is also used to sign the self-signed CA certificate. Otherwise, it is used to sign a CSR. Structure is documented below.

Labels map[string]string

Labels with user-defined metadata. An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.

Lifetime string

The desired lifetime of the CA certificate. Used to create the "notBeforeTime" and "notAfterTime" fields inside an X.509 certificate. A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s".

Location string

Location of the CertificateAuthority. A full list of valid locations can be found by running gcloud privateca locations list.

Name string

The resource name for this CertificateAuthority in the format projects/*/locations/*/certificateAuthorities/*.

PemCaCertificate string

The signed CA certificate issued from the subordinate CA's CSR. This is needed when activating the subordinate CA with a third-party issuer.

PemCaCertificates []string

This CertificateAuthority's certificate chain, including the current CertificateAuthority's certificate. Ordered such that the root issuer is the final element (consistent with RFC 5246). For a self-signed CA, this will only list the current CertificateAuthority's certificate.

Pool string

The name of the CaPool this Certificate Authority belongs to.

Project string

The ID of the project in which the resource belongs. If it is not provided, the provider project is used.

State string

The State for this CertificateAuthority.

SubordinateConfig AuthoritySubordinateConfigArgs

If this is a subordinate CertificateAuthority, this field will be set with the subordinate configuration, which describes its issuers. Structure is documented below.

Type string

The Type of this CertificateAuthority.

Note: For SUBORDINATE Certificate Authorities, they need to be activated before they can issue certificates. Default value is SELF_SIGNED. Possible values are SELF_SIGNED and SUBORDINATE.

UpdateTime string

The time at which this CertificateAuthority was updated. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

accessUrls List<AuthorityAccessUrlArgs>

URLs for accessing content published by this CA, such as the CA certificate and CRLs.

certificateAuthorityId String

The user provided Resource ID for this Certificate Authority.

config AuthorityConfigArgs

The config used to create a self-signed X.509 certificate or CSR. Structure is documented below.

createTime String

The time at which this CertificateAuthority was created. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

deletionProtection Boolean
desiredState String

Desired state of the CertificateAuthority. Set this field to STAGED to create a STAGED root CA.

gcsBucket String

The name of a Cloud Storage bucket where this CertificateAuthority will publish content, such as the CA certificate and CRLs. This must be a bucket name, without any prefixes (such as gs://) or suffixes (such as .googleapis.com). For example, to use a bucket named my-bucket, you would simply specify my-bucket. If not specified, a managed bucket will be created.

ignoreActiveCertificatesOnDeletion Boolean

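This field allows the CA to be deleted even if the CA has active certs. Active certs include both unrevoked and unexpired certs. Use with care: deleting the CA does not revoke those certs, so revoke any that should no longer be trusted before deleting. Defaults to false.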

keySpec AuthorityKeySpecArgs

Used when issuing certificates for this CertificateAuthority. If this CertificateAuthority is a self-signed CertificateAuthority, this key is also used to sign the self-signed CA certificate. Otherwise, it is used to sign a CSR. Structure is documented below.

labels Map<String,String>

Labels with user-defined metadata. An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.

lifetime String

The desired lifetime of the CA certificate. Used to create the "notBeforeTime" and "notAfterTime" fields inside an X.509 certificate. A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s".

location String

Location of the CertificateAuthority. A full list of valid locations can be found by running gcloud privateca locations list.

name String

The resource name for this CertificateAuthority in the format projects/*/locations/*/certificateAuthorities/*.

pemCaCertificate String

The signed CA certificate issued from the subordinate CA's CSR. This is needed when activating the subordinate CA with a third-party issuer.

pemCaCertificates List<String>

This CertificateAuthority's certificate chain, including the current CertificateAuthority's certificate. Ordered such that the root issuer is the final element (consistent with RFC 5246). For a self-signed CA, this will only list the current CertificateAuthority's certificate.

pool String

The name of the CaPool this Certificate Authority belongs to.

project String

The ID of the project in which the resource belongs. If it is not provided, the provider project is used.

state String

The State for this CertificateAuthority.

subordinateConfig AuthoritySubordinateConfigArgs

If this is a subordinate CertificateAuthority, this field will be set with the subordinate configuration, which describes its issuers. Structure is documented below.

type String

The Type of this CertificateAuthority.

Note: For SUBORDINATE Certificate Authorities, they need to be activated before they can issue certificates. Default value is SELF_SIGNED. Possible values are SELF_SIGNED and SUBORDINATE.

updateTime String

The time at which this CertificateAuthority was updated. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

accessUrls AuthorityAccessUrlArgs[]

URLs for accessing content published by this CA, such as the CA certificate and CRLs.

certificateAuthorityId string

The user provided Resource ID for this Certificate Authority.

config AuthorityConfigArgs

The config used to create a self-signed X.509 certificate or CSR. Structure is documented below.

createTime string

The time at which this CertificateAuthority was created. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

deletionProtection boolean
desiredState string

Desired state of the CertificateAuthority. Set this field to STAGED to create a STAGED root CA.

gcsBucket string

The name of a Cloud Storage bucket where this CertificateAuthority will publish content, such as the CA certificate and CRLs. This must be a bucket name, without any prefixes (such as gs://) or suffixes (such as .googleapis.com). For example, to use a bucket named my-bucket, you would simply specify my-bucket. If not specified, a managed bucket will be created.

ignoreActiveCertificatesOnDeletion boolean

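This field allows the CA to be deleted even if the CA has active certs. Active certs include both unrevoked and unexpired certs. Use with care: deleting the CA does not revoke those certs, so revoke any that should no longer be trusted before deleting. Defaults to false.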

keySpec AuthorityKeySpecArgs

Used when issuing certificates for this CertificateAuthority. If this CertificateAuthority is a self-signed CertificateAuthority, this key is also used to sign the self-signed CA certificate. Otherwise, it is used to sign a CSR. Structure is documented below.

labels {[key: string]: string}

Labels with user-defined metadata. An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.

lifetime string

The desired lifetime of the CA certificate. Used to create the "notBeforeTime" and "notAfterTime" fields inside an X.509 certificate. A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s".

location string

Location of the CertificateAuthority. A full list of valid locations can be found by running gcloud privateca locations list.

name string

The resource name for this CertificateAuthority in the format projects/*/locations/*/certificateAuthorities/*.

pemCaCertificate string

The signed CA certificate issued from the subordinate CA's CSR. This is needed when activating the subordinate CA with a third-party issuer.

pemCaCertificates string[]

This CertificateAuthority's certificate chain, including the current CertificateAuthority's certificate. Ordered such that the root issuer is the final element (consistent with RFC 5246). For a self-signed CA, this will only list the current CertificateAuthority's certificate.

pool string

The name of the CaPool this Certificate Authority belongs to.

project string

The ID of the project in which the resource belongs. If it is not provided, the provider project is used.

state string

The State for this CertificateAuthority.

subordinateConfig AuthoritySubordinateConfigArgs

If this is a subordinate CertificateAuthority, this field will be set with the subordinate configuration, which describes its issuers. Structure is documented below.

type string

The Type of this CertificateAuthority.

Note: For SUBORDINATE Certificate Authorities, they need to be activated before they can issue certificates. Default value is SELF_SIGNED. Possible values are SELF_SIGNED and SUBORDINATE.

updateTime string

The time at which this CertificateAuthority was updated. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

access_urls Sequence[AuthorityAccessUrlArgs]

URLs for accessing content published by this CA, such as the CA certificate and CRLs.

certificate_authority_id str

The user provided Resource ID for this Certificate Authority.

config AuthorityConfigArgs

The config used to create a self-signed X.509 certificate or CSR. Structure is documented below.

create_time str

The time at which this CertificateAuthority was created. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

deletion_protection bool
desired_state str

Desired state of the CertificateAuthority. Set this field to STAGED to create a STAGED root CA.

gcs_bucket str

The name of a Cloud Storage bucket where this CertificateAuthority will publish content, such as the CA certificate and CRLs. This must be a bucket name, without any prefixes (such as gs://) or suffixes (such as .googleapis.com). For example, to use a bucket named my-bucket, you would simply specify my-bucket. If not specified, a managed bucket will be created.

ignore_active_certificates_on_deletion bool

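This field allows the CA to be deleted even if the CA has active certs. Active certs include both unrevoked and unexpired certs. Use with care: deleting the CA does not revoke those certs, so revoke any that should no longer be trusted before deleting. Defaults to false.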

key_spec AuthorityKeySpecArgs

Used when issuing certificates for this CertificateAuthority. If this CertificateAuthority is a self-signed CertificateAuthority, this key is also used to sign the self-signed CA certificate. Otherwise, it is used to sign a CSR. Structure is documented below.

labels Mapping[str, str]

Labels with user-defined metadata. An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.

lifetime str

The desired lifetime of the CA certificate. Used to create the "notBeforeTime" and "notAfterTime" fields inside an X.509 certificate. A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s".

location str

Location of the CertificateAuthority. A full list of valid locations can be found by running gcloud privateca locations list.

name str

The resource name for this CertificateAuthority in the format projects/*/locations/*/certificateAuthorities/*.

pem_ca_certificate str

The signed CA certificate issued from the subordinate CA's CSR. This is needed when activating the subordinate CA with a third-party issuer.

pem_ca_certificates Sequence[str]

This CertificateAuthority's certificate chain, including the current CertificateAuthority's certificate. Ordered such that the root issuer is the final element (consistent with RFC 5246). For a self-signed CA, this will only list the current CertificateAuthority's certificate.

pool str

The name of the CaPool this Certificate Authority belongs to.

project str

The ID of the project in which the resource belongs. If it is not provided, the provider project is used.

state str

The State for this CertificateAuthority.

subordinate_config AuthoritySubordinateConfigArgs

If this is a subordinate CertificateAuthority, this field will be set with the subordinate configuration, which describes its issuers. Structure is documented below.

type str

The Type of this CertificateAuthority.

Note: For SUBORDINATE Certificate Authorities, they need to be activated before they can issue certificates. Default value is SELF_SIGNED. Possible values are SELF_SIGNED and SUBORDINATE.

update_time str

The time at which this CertificateAuthority was updated. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

accessUrls List<Property Map>

URLs for accessing content published by this CA, such as the CA certificate and CRLs.

certificateAuthorityId String

The user provided Resource ID for this Certificate Authority.

config Property Map

The config used to create a self-signed X.509 certificate or CSR. Structure is documented below.

createTime String

The time at which this CertificateAuthority was created. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

deletionProtection Boolean
desiredState String

Desired state of the CertificateAuthority. Set this field to STAGED to create a STAGED root CA.

gcsBucket String

The name of a Cloud Storage bucket where this CertificateAuthority will publish content, such as the CA certificate and CRLs. This must be a bucket name, without any prefixes (such as gs://) or suffixes (such as .googleapis.com). For example, to use a bucket named my-bucket, you would simply specify my-bucket. If not specified, a managed bucket will be created.

ignoreActiveCertificatesOnDeletion Boolean

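This field allows the CA to be deleted even if the CA has active certs. Active certs include both unrevoked and unexpired certs. Use with care: deleting the CA does not revoke those certs, so revoke or replace any that are still relied on first. Defaults to false.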

keySpec Property Map

Used when issuing certificates for this CertificateAuthority. If this CertificateAuthority is a self-signed CertificateAuthority, this key is also used to sign the self-signed CA certificate. Otherwise, it is used to sign a CSR. Structure is documented below.

labels Map<String>

Labels with user-defined metadata. An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.

lifetime String

The desired lifetime of the CA certificate. Used to create the "notBeforeTime" and "notAfterTime" fields inside an X.509 certificate. A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s".

location String

Location of the CertificateAuthority. A full list of valid locations can be found by running gcloud privateca locations list.

name String

The resource name for this CertificateAuthority in the format projects/*/locations/*/certificateAuthorities/*.

pemCaCertificate String

The signed CA certificate issued from the subordinate CA's CSR. This is needed when activating the subordinate CA with a third-party issuer.

pemCaCertificates List<String>

This CertificateAuthority's certificate chain, including the current CertificateAuthority's certificate. Ordered such that the root issuer is the final element (consistent with RFC 5246). For a self-signed CA, this will only list the current CertificateAuthority's certificate.

pool String

The name of the CaPool this Certificate Authority belongs to.

project String

The ID of the project in which the resource belongs. If it is not provided, the provider project is used.

state String

The State for this CertificateAuthority.

subordinateConfig Property Map

If this is a subordinate CertificateAuthority, this field will be set with the subordinate configuration, which describes its issuers. Structure is documented below.

type String

The Type of this CertificateAuthority.

Note: For SUBORDINATE Certificate Authorities, they need to be activated before they can issue certificates. Default value is SELF_SIGNED. Possible values are SELF_SIGNED and SUBORDINATE.

updateTime String

The time at which this CertificateAuthority was updated. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

Supporting Types

AuthorityAccessUrl

AuthorityConfig

SubjectConfig AuthorityConfigSubjectConfig

Specifies some of the values in a certificate that are related to the subject. Structure is documented below.

X509Config AuthorityConfigX509Config

Describes how some of the technical X.509 fields in a certificate should be populated. Structure is documented below.

SubjectConfig AuthorityConfigSubjectConfig

Specifies some of the values in a certificate that are related to the subject. Structure is documented below.

X509Config AuthorityConfigX509Config

Describes how some of the technical X.509 fields in a certificate should be populated. Structure is documented below.

subjectConfig AuthorityConfigSubjectConfig

Specifies some of the values in a certificate that are related to the subject. Structure is documented below.

x509Config AuthorityConfigX509Config

Describes how some of the technical X.509 fields in a certificate should be populated. Structure is documented below.

subjectConfig AuthorityConfigSubjectConfig

Specifies some of the values in a certificate that are related to the subject. Structure is documented below.

x509Config AuthorityConfigX509Config

Describes how some of the technical X.509 fields in a certificate should be populated. Structure is documented below.

subject_config AuthorityConfigSubjectConfig

Specifies some of the values in a certificate that are related to the subject. Structure is documented below.

x509_config AuthorityConfigX509Config

Describes how some of the technical X.509 fields in a certificate should be populated. Structure is documented below.

subjectConfig Property Map

Specifies some of the values in a certificate that are related to the subject. Structure is documented below.

x509Config Property Map

Describes how some of the technical X.509 fields in a certificate should be populated. Structure is documented below.

AuthorityConfigSubjectConfig

Subject AuthorityConfigSubjectConfigSubject

Contains distinguished name fields such as the location and organization. Structure is documented below.

SubjectAltName AuthorityConfigSubjectConfigSubjectAltName

The subject alternative name fields. Structure is documented below.

Subject AuthorityConfigSubjectConfigSubject

Contains distinguished name fields such as the location and organization. Structure is documented below.

SubjectAltName AuthorityConfigSubjectConfigSubjectAltName

The subject alternative name fields. Structure is documented below.

subject AuthorityConfigSubjectConfigSubject

Contains distinguished name fields such as the location and organization. Structure is documented below.

subjectAltName AuthorityConfigSubjectConfigSubjectAltName

The subject alternative name fields. Structure is documented below.

subject AuthorityConfigSubjectConfigSubject

Contains distinguished name fields such as the location and organization. Structure is documented below.

subjectAltName AuthorityConfigSubjectConfigSubjectAltName

The subject alternative name fields. Structure is documented below.

subject AuthorityConfigSubjectConfigSubject

Contains distinguished name fields such as the location and organization. Structure is documented below.

subject_alt_name AuthorityConfigSubjectConfigSubjectAltName

The subject alternative name fields. Structure is documented below.

subject Property Map

Contains distinguished name fields such as the location and organization. Structure is documented below.

subjectAltName Property Map

The subject alternative name fields. Structure is documented below.

AuthorityConfigSubjectConfigSubject

CommonName string

The common name of the distinguished name.

Organization string

The organization of the subject.

CountryCode string

The country code of the subject.

Locality string

The locality or city of the subject.

OrganizationalUnit string

The organizational unit of the subject.

PostalCode string

The postal code of the subject.

Province string

The province, territory, or regional state of the subject.

StreetAddress string

The street address of the subject.

CommonName string

The common name of the distinguished name.

Organization string

The organization of the subject.

CountryCode string

The country code of the subject.

Locality string

The locality or city of the subject.

OrganizationalUnit string

The organizational unit of the subject.

PostalCode string

The postal code of the subject.

Province string

The province, territory, or regional state of the subject.

StreetAddress string

The street address of the subject.

commonName String

The common name of the distinguished name.

organization String

The organization of the subject.

countryCode String

The country code of the subject.

locality String

The locality or city of the subject.

organizationalUnit String

The organizational unit of the subject.

postalCode String

The postal code of the subject.

province String

The province, territory, or regional state of the subject.

streetAddress String

The street address of the subject.

commonName string

The common name of the distinguished name.

organization string

The organization of the subject.

countryCode string

The country code of the subject.

locality string

The locality or city of the subject.

organizationalUnit string

The organizational unit of the subject.

postalCode string

The postal code of the subject.

province string

The province, territory, or regional state of the subject.

streetAddress string

The street address of the subject.

common_name str

The common name of the distinguished name.

organization str

The organization of the subject.

country_code str

The country code of the subject.

locality str

The locality or city of the subject.

organizational_unit str

The organizational unit of the subject.

postal_code str

The postal code of the subject.

province str

The province, territory, or regional state of the subject.

street_address str

The street address of the subject.

commonName String

The common name of the distinguished name.

organization String

The organization of the subject.

countryCode String

The country code of the subject.

locality String

The locality or city of the subject.

organizationalUnit String

The organizational unit of the subject.

postalCode String

The postal code of the subject.

province String

The province, territory, or regional state of the subject.

streetAddress String

The street address of the subject.

AuthorityConfigSubjectConfigSubjectAltName

DnsNames List<string>

Contains only valid, fully-qualified host names.

EmailAddresses List<string>

Contains only valid RFC 2822 E-mail addresses.

IpAddresses List<string>

Contains only valid 32-bit IPv4 addresses or RFC 4291 IPv6 addresses.

Uris List<string>

Contains only valid RFC 3986 URIs.

DnsNames []string

Contains only valid, fully-qualified host names.

EmailAddresses []string

Contains only valid RFC 2822 E-mail addresses.

IpAddresses []string

Contains only valid 32-bit IPv4 addresses or RFC 4291 IPv6 addresses.

Uris []string

Contains only valid RFC 3986 URIs.

dnsNames List<String>

Contains only valid, fully-qualified host names.

emailAddresses List<String>

Contains only valid RFC 2822 E-mail addresses.

ipAddresses List<String>

Contains only valid 32-bit IPv4 addresses or RFC 4291 IPv6 addresses.

uris List<String>

Contains only valid RFC 3986 URIs.

dnsNames string[]

Contains only valid, fully-qualified host names.

emailAddresses string[]

Contains only valid RFC 2822 E-mail addresses.

ipAddresses string[]

Contains only valid 32-bit IPv4 addresses or RFC 4291 IPv6 addresses.

uris string[]

Contains only valid RFC 3986 URIs.

dns_names Sequence[str]

Contains only valid, fully-qualified host names.

email_addresses Sequence[str]

Contains only valid RFC 2822 E-mail addresses.

ip_addresses Sequence[str]

Contains only valid 32-bit IPv4 addresses or RFC 4291 IPv6 addresses.

uris Sequence[str]

Contains only valid RFC 3986 URIs.

dnsNames List<String>

Contains only valid, fully-qualified host names.

emailAddresses List<String>

Contains only valid RFC 2822 E-mail addresses.

ipAddresses List<String>

Contains only valid 32-bit IPv4 addresses or RFC 4291 IPv6 addresses.

uris List<String>

Contains only valid RFC 3986 URIs.

AuthorityConfigX509Config

CaOptions AuthorityConfigX509ConfigCaOptions

Describes values that are relevant in a CA certificate. Structure is documented below.

KeyUsage AuthorityConfigX509ConfigKeyUsage

Indicates the intended use for keys that correspond to a certificate. Structure is documented below.

AdditionalExtensions List<AuthorityConfigX509ConfigAdditionalExtension>

Specifies an X.509 extension, which may be used in different parts of X.509 objects like certificates, CSRs, and CRLs. Structure is documented below.

AiaOcspServers List<string>

Describes Online Certificate Status Protocol (OCSP) endpoint addresses that appear in the "Authority Information Access" extension in the certificate.

PolicyIds List<AuthorityConfigX509ConfigPolicyId>

Describes the X.509 certificate policy object identifiers, per https://tools.ietf.org/html/rfc5280#section-4.2.1.4. Structure is documented below.

CaOptions AuthorityConfigX509ConfigCaOptions

Describes values that are relevant in a CA certificate. Structure is documented below.

KeyUsage AuthorityConfigX509ConfigKeyUsage

Indicates the intended use for keys that correspond to a certificate. Structure is documented below.

AdditionalExtensions []AuthorityConfigX509ConfigAdditionalExtension

Specifies an X.509 extension, which may be used in different parts of X.509 objects like certificates, CSRs, and CRLs. Structure is documented below.

AiaOcspServers []string

Describes Online Certificate Status Protocol (OCSP) endpoint addresses that appear in the "Authority Information Access" extension in the certificate.

PolicyIds []AuthorityConfigX509ConfigPolicyId

Describes the X.509 certificate policy object identifiers, per https://tools.ietf.org/html/rfc5280#section-4.2.1.4. Structure is documented below.

caOptions AuthorityConfigX509ConfigCaOptions

Describes values that are relevant in a CA certificate. Structure is documented below.

keyUsage AuthorityConfigX509ConfigKeyUsage

Indicates the intended use for keys that correspond to a certificate. Structure is documented below.

additionalExtensions List<AuthorityConfigX509ConfigAdditionalExtension>

Specifies an X.509 extension, which may be used in different parts of X.509 objects like certificates, CSRs, and CRLs. Structure is documented below.

aiaOcspServers List<String>

Describes Online Certificate Status Protocol (OCSP) endpoint addresses that appear in the "Authority Information Access" extension in the certificate.

policyIds List<AuthorityConfigX509ConfigPolicyId>

Describes the X.509 certificate policy object identifiers, per https://tools.ietf.org/html/rfc5280#section-4.2.1.4. Structure is documented below.

caOptions AuthorityConfigX509ConfigCaOptions

Describes values that are relevant in a CA certificate. Structure is documented below.

keyUsage AuthorityConfigX509ConfigKeyUsage

Indicates the intended use for keys that correspond to a certificate. Structure is documented below.

additionalExtensions AuthorityConfigX509ConfigAdditionalExtension[]

Specifies an X.509 extension, which may be used in different parts of X.509 objects like certificates, CSRs, and CRLs. Structure is documented below.

aiaOcspServers string[]

Describes Online Certificate Status Protocol (OCSP) endpoint addresses that appear in the "Authority Information Access" extension in the certificate.

policyIds AuthorityConfigX509ConfigPolicyId[]

Describes the X.509 certificate policy object identifiers, per https://tools.ietf.org/html/rfc5280#section-4.2.1.4. Structure is documented below.

ca_options AuthorityConfigX509ConfigCaOptions

Describes values that are relevant in a CA certificate. Structure is documented below.

key_usage AuthorityConfigX509ConfigKeyUsage

Indicates the intended use for keys that correspond to a certificate. Structure is documented below.

additional_extensions Sequence[AuthorityConfigX509ConfigAdditionalExtension]

Specifies an X.509 extension, which may be used in different parts of X.509 objects like certificates, CSRs, and CRLs. Structure is documented below.

aia_ocsp_servers Sequence[str]

Describes Online Certificate Status Protocol (OCSP) endpoint addresses that appear in the "Authority Information Access" extension in the certificate.

policy_ids Sequence[AuthorityConfigX509ConfigPolicyId]

Describes the X.509 certificate policy object identifiers, per https://tools.ietf.org/html/rfc5280#section-4.2.1.4. Structure is documented below.

caOptions Property Map

Describes values that are relevant in a CA certificate. Structure is documented below.

keyUsage Property Map

Indicates the intended use for keys that correspond to a certificate. Structure is documented below.

additionalExtensions List<Property Map>

Specifies an X.509 extension, which may be used in different parts of X.509 objects like certificates, CSRs, and CRLs. Structure is documented below.

aiaOcspServers List<String>

Describes Online Certificate Status Protocol (OCSP) endpoint addresses that appear in the "Authority Information Access" extension in the certificate.

policyIds List<Property Map>

Describes the X.509 certificate policy object identifiers, per https://tools.ietf.org/html/rfc5280#section-4.2.1.4. Structure is documented below.

AuthorityConfigX509ConfigAdditionalExtension

Critical bool

Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error).

ObjectId AuthorityConfigX509ConfigAdditionalExtensionObjectId

Describes values that are relevant in a CA certificate. Structure is documented below.

Value string

The value of this X.509 extension. A base64-encoded string.

Critical bool

Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error).

ObjectId AuthorityConfigX509ConfigAdditionalExtensionObjectId

Describes values that are relevant in a CA certificate. Structure is documented below.

Value string

The value of this X.509 extension. A base64-encoded string.

critical Boolean

Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error).

objectId AuthorityConfigX509ConfigAdditionalExtensionObjectId

Describes values that are relevant in a CA certificate. Structure is documented below.

value String

The value of this X.509 extension. A base64-encoded string.

critical boolean

Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error).

objectId AuthorityConfigX509ConfigAdditionalExtensionObjectId

Describes values that are relevant in a CA certificate. Structure is documented below.

value string

The value of this X.509 extension. A base64-encoded string.

critical bool

Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error).

object_id AuthorityConfigX509ConfigAdditionalExtensionObjectId

Describes values that are relevant in a CA certificate. Structure is documented below.

value str

The value of this X.509 extension. A base64-encoded string.

critical Boolean

Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error).

objectId Property Map

Describes values that are relevant in a CA certificate. Structure is documented below.

value String

The value of this X.509 extension. A base64-encoded string.

AuthorityConfigX509ConfigAdditionalExtensionObjectId

ObjectIdPaths List<int>

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.

ObjectIdPaths []int

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.

objectIdPaths List<Integer>

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.

objectIdPaths number[]

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.

object_id_paths Sequence[int]

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.

objectIdPaths List<Number>

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.

AuthorityConfigX509ConfigCaOptions

IsCa bool

When true, the "CA" in Basic Constraints extension will be set to true.

MaxIssuerPathLength int

Refers to the "path length constraint" in Basic Constraints extension. For a CA certificate, this value describes the depth of subordinate CA certificates that are allowed. If this value is less than 0, the request will fail.

NonCa bool

When true, the "CA" in Basic Constraints extension will be set to false. If both is_ca and non_ca are unset, the extension will be omitted from the CA certificate.

ZeroMaxIssuerPathLength bool

When true, the "path length constraint" in Basic Constraints extension will be set to 0. If both max_issuer_path_length and zero_max_issuer_path_length are unset, the max path length will be omitted from the CA certificate.

IsCa bool

When true, the "CA" in Basic Constraints extension will be set to true.

MaxIssuerPathLength int

Refers to the "path length constraint" in Basic Constraints extension. For a CA certificate, this value describes the depth of subordinate CA certificates that are allowed. If this value is less than 0, the request will fail.

NonCa bool

When true, the "CA" in Basic Constraints extension will be set to false. If both is_ca and non_ca are unset, the extension will be omitted from the CA certificate.

ZeroMaxIssuerPathLength bool

When true, the "path length constraint" in Basic Constraints extension will be set to 0. If both max_issuer_path_length and zero_max_issuer_path_length are unset, the max path length will be omitted from the CA certificate.

isCa Boolean

When true, the "CA" in Basic Constraints extension will be set to true.

maxIssuerPathLength Integer

Refers to the "path length constraint" in Basic Constraints extension. For a CA certificate, this value describes the depth of subordinate CA certificates that are allowed. If this value is less than 0, the request will fail.

nonCa Boolean

When true, the "CA" in Basic Constraints extension will be set to false. If both is_ca and non_ca are unset, the extension will be omitted from the CA certificate.

zeroMaxIssuerPathLength Boolean

When true, the "path length constraint" in Basic Constraints extension will be set to 0. If both max_issuer_path_length and zero_max_issuer_path_length are unset, the max path length will be omitted from the CA certificate.

isCa boolean

When true, the "CA" in Basic Constraints extension will be set to true.

maxIssuerPathLength number

Refers to the "path length constraint" in Basic Constraints extension. For a CA certificate, this value describes the depth of subordinate CA certificates that are allowed. If this value is less than 0, the request will fail.

nonCa boolean

When true, the "CA" in Basic Constraints extension will be set to false. If both is_ca and non_ca are unset, the extension will be omitted from the CA certificate.

zeroMaxIssuerPathLength boolean

When true, the "path length constraint" in Basic Constraints extension will be set to 0. If both max_issuer_path_length and zero_max_issuer_path_length are unset, the max path length will be omitted from the CA certificate.

is_ca bool

When true, the "CA" in Basic Constraints extension will be set to true.

max_issuer_path_length int

Refers to the "path length constraint" in Basic Constraints extension. For a CA certificate, this value describes the depth of subordinate CA certificates that are allowed. If this value is less than 0, the request will fail.

non_ca bool

When true, the "CA" in Basic Constraints extension will be set to false. If both is_ca and non_ca are unset, the extension will be omitted from the CA certificate.

zero_max_issuer_path_length bool

When true, the "path length constraint" in Basic Constraints extension will be set to 0. If both max_issuer_path_length and zero_max_issuer_path_length are unset, the max path length will be omitted from the CA certificate.

isCa Boolean

When true, the "CA" in Basic Constraints extension will be set to true.

maxIssuerPathLength Number

Refers to the "path length constraint" in Basic Constraints extension. For a CA certificate, this value describes the depth of subordinate CA certificates that are allowed. If this value is less than 0, the request will fail.

nonCa Boolean

When true, the "CA" in Basic Constraints extension will be set to false. If both is_ca and non_ca are unset, the extension will be omitted from the CA certificate.

zeroMaxIssuerPathLength Boolean

When true, the "path length constraint" in Basic Constraints extension will be set to 0. If both max_issuer_path_length and zero_max_issuer_path_length are unset, the max path length will be omitted from the CA certificate.

AuthorityConfigX509ConfigKeyUsage

BaseKeyUsage AuthorityConfigX509ConfigKeyUsageBaseKeyUsage

Describes high-level ways in which a key may be used. Structure is documented below.

ExtendedKeyUsage AuthorityConfigX509ConfigKeyUsageExtendedKeyUsage

Describes high-level ways in which a key may be used. Structure is documented below.

UnknownExtendedKeyUsages List<AuthorityConfigX509ConfigKeyUsageUnknownExtendedKeyUsage>

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. Structure is documented below.

BaseKeyUsage AuthorityConfigX509ConfigKeyUsageBaseKeyUsage

Describes high-level ways in which a key may be used. Structure is documented below.

ExtendedKeyUsage AuthorityConfigX509ConfigKeyUsageExtendedKeyUsage

Describes high-level ways in which a key may be used. Structure is documented below.

UnknownExtendedKeyUsages []AuthorityConfigX509ConfigKeyUsageUnknownExtendedKeyUsage

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. Structure is documented below.

baseKeyUsage AuthorityConfigX509ConfigKeyUsageBaseKeyUsage

Describes high-level ways in which a key may be used. Structure is documented below.

extendedKeyUsage AuthorityConfigX509ConfigKeyUsageExtendedKeyUsage

Describes high-level ways in which a key may be used. Structure is documented below.

unknownExtendedKeyUsages List<AuthorityConfigX509ConfigKeyUsageUnknownExtendedKeyUsage>

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. Structure is documented below.

baseKeyUsage AuthorityConfigX509ConfigKeyUsageBaseKeyUsage

Describes high-level ways in which a key may be used. Structure is documented below.

extendedKeyUsage AuthorityConfigX509ConfigKeyUsageExtendedKeyUsage

Describes high-level ways in which a key may be used. Structure is documented below.

unknownExtendedKeyUsages AuthorityConfigX509ConfigKeyUsageUnknownExtendedKeyUsage[]

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. Structure is documented below.

base_key_usage AuthorityConfigX509ConfigKeyUsageBaseKeyUsage

Describes high-level ways in which a key may be used. Structure is documented below.

extended_key_usage AuthorityConfigX509ConfigKeyUsageExtendedKeyUsage

Describes high-level ways in which a key may be used. Structure is documented below.

unknown_extended_key_usages Sequence[AuthorityConfigX509ConfigKeyUsageUnknownExtendedKeyUsage]

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. Structure is documented below.

baseKeyUsage Property Map

Describes high-level ways in which a key may be used. Structure is documented below.

extendedKeyUsage Property Map

Describes high-level ways in which a key may be used. Structure is documented below.

unknownExtendedKeyUsages List<Property Map>

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. Structure is documented below.

AuthorityConfigX509ConfigKeyUsageBaseKeyUsage

CertSign bool

The key may be used to sign certificates.

ContentCommitment bool

The key may be used for cryptographic commitments. Note that this may also be referred to as "non-repudiation".

CrlSign bool

The key may be used to sign certificate revocation lists.

DataEncipherment bool

The key may be used to encipher data.

DecipherOnly bool

The key may be used to decipher only.

DigitalSignature bool

The key may be used for digital signatures.

EncipherOnly bool

The key may be used to encipher only.

KeyAgreement bool

The key may be used in a key agreement protocol.

KeyEncipherment bool

The key may be used to encipher other keys.

CertSign bool

The key may be used to sign certificates.

ContentCommitment bool

The key may be used for cryptographic commitments. Note that this may also be referred to as "non-repudiation".

CrlSign bool

The key may be used to sign certificate revocation lists.

DataEncipherment bool

The key may be used to encipher data.

DecipherOnly bool

The key may be used to decipher only.

DigitalSignature bool

The key may be used for digital signatures.

EncipherOnly bool

The key may be used to encipher only.

KeyAgreement bool

The key may be used in a key agreement protocol.

KeyEncipherment bool

The key may be used to encipher other keys.

certSign Boolean

The key may be used to sign certificates.

contentCommitment Boolean

The key may be used for cryptographic commitments. Note that this may also be referred to as "non-repudiation".

crlSign Boolean

The key may be used to sign certificate revocation lists.

dataEncipherment Boolean

The key may be used to encipher data.

decipherOnly Boolean

The key may be used to decipher only.

digitalSignature Boolean

The key may be used for digital signatures.

encipherOnly Boolean

The key may be used to encipher only.

keyAgreement Boolean

The key may be used in a key agreement protocol.

keyEncipherment Boolean

The key may be used to encipher other keys.

certSign boolean

The key may be used to sign certificates.

contentCommitment boolean

The key may be used for cryptographic commitments. Note that this may also be referred to as "non-repudiation".

crlSign boolean

The key may be used to sign certificate revocation lists.

dataEncipherment boolean

The key may be used to encipher data.

decipherOnly boolean

The key may be used to decipher only.

digitalSignature boolean

The key may be used for digital signatures.

encipherOnly boolean

The key may be used to encipher only.

keyAgreement boolean

The key may be used in a key agreement protocol.

keyEncipherment boolean

The key may be used to encipher other keys.

cert_sign bool

The key may be used to sign certificates.

content_commitment bool

The key may be used for cryptographic commitments. Note that this may also be referred to as "non-repudiation".

crl_sign bool

The key may be used to sign certificate revocation lists.

data_encipherment bool

The key may be used to encipher data.

decipher_only bool

The key may be used to decipher only.

digital_signature bool

The key may be used for digital signatures.

encipher_only bool

The key may be used to encipher only.

key_agreement bool

The key may be used in a key agreement protocol.

key_encipherment bool

The key may be used to encipher other keys.

certSign Boolean

The key may be used to sign certificates.

contentCommitment Boolean

The key may be used for cryptographic commitments. Note that this may also be referred to as "non-repudiation".

crlSign Boolean

The key may be used to sign certificate revocation lists.

dataEncipherment Boolean

The key may be used to encipher data.

decipherOnly Boolean

The key may be used to decipher only.

digitalSignature Boolean

The key may be used for digital signatures.

encipherOnly Boolean

The key may be used to encipher only.

keyAgreement Boolean

The key may be used in a key agreement protocol.

keyEncipherment Boolean

The key may be used to encipher other keys.

AuthorityConfigX509ConfigKeyUsageExtendedKeyUsage

ClientAuth bool

Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as "TLS WWW client authentication", though regularly used for non-WWW TLS.

CodeSigning bool

Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as "Signing of downloadable executable code".

EmailProtection bool

Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as "Email protection".

OcspSigning bool

Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as "Signing OCSP responses".

ServerAuth bool

Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as "TLS WWW server authentication", though regularly used for non-WWW TLS.

TimeStamping bool

Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as "Binding the hash of an object to a time".

ClientAuth bool

Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as "TLS WWW client authentication", though regularly used for non-WWW TLS.

CodeSigning bool

Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as "Signing of downloadable executable code".

EmailProtection bool

Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as "Email protection".

OcspSigning bool

Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as "Signing OCSP responses".

ServerAuth bool

Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as "TLS WWW server authentication", though regularly used for non-WWW TLS.

TimeStamping bool

Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as "Binding the hash of an object to a time".

clientAuth Boolean

Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as "TLS WWW client authentication", though regularly used for non-WWW TLS.

codeSigning Boolean

Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as "Signing of downloadable executable code".

emailProtection Boolean

Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as "Email protection".

ocspSigning Boolean

Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as "Signing OCSP responses".

serverAuth Boolean

Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as "TLS WWW server authentication", though regularly used for non-WWW TLS.

timeStamping Boolean

Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as "Binding the hash of an object to a time".

clientAuth boolean

Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as "TLS WWW client authentication", though regularly used for non-WWW TLS.

codeSigning boolean

Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as "Signing of downloadable executable code".

emailProtection boolean

Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as "Email protection".

ocspSigning boolean

Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as "Signing OCSP responses".

serverAuth boolean

Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as "TLS WWW server authentication", though regularly used for non-WWW TLS.

timeStamping boolean

Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as "Binding the hash of an object to a time".

client_auth bool

Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as "TLS WWW client authentication", though regularly used for non-WWW TLS.

code_signing bool

Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as "Signing of downloadable executable code".

email_protection bool

Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as "Email protection".

ocsp_signing bool

Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as "Signing OCSP responses".

server_auth bool

Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as "TLS WWW server authentication", though regularly used for non-WWW TLS.

time_stamping bool

Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as "Binding the hash of an object to a time".

clientAuth Boolean

Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as "TLS WWW client authentication", though regularly used for non-WWW TLS.

codeSigning Boolean

Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as "Signing of downloadable executable code".

emailProtection Boolean

Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as "Email protection".

ocspSigning Boolean

Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as "Signing OCSP responses".

serverAuth Boolean

Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as "TLS WWW server authentication", though regularly used for non-WWW TLS.

timeStamping Boolean

Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as "Binding the hash of an object to a time".

AuthorityConfigX509ConfigKeyUsageUnknownExtendedKeyUsage

ObjectIdPaths List<int>

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.

ObjectIdPaths []int

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.

objectIdPaths List<Integer>

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.

objectIdPaths number[]

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.

object_id_paths Sequence[int]

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.

objectIdPaths List<Number>

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.

AuthorityConfigX509ConfigPolicyId

ObjectIdPaths List<int>

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.

ObjectIdPaths []int

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.

objectIdPaths List<Integer>

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.

objectIdPaths number[]

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.

object_id_paths Sequence[int]

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.

objectIdPaths List<Number>

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.

AuthorityKeySpec

Algorithm string

The algorithm to use for creating a managed Cloud KMS key for a simplified experience. All managed keys will have their ProtectionLevel set to HSM. Possible values are SIGN_HASH_ALGORITHM_UNSPECIFIED, RSA_PSS_2048_SHA256, RSA_PSS_3072_SHA256, RSA_PSS_4096_SHA256, RSA_PKCS1_2048_SHA256, RSA_PKCS1_3072_SHA256, RSA_PKCS1_4096_SHA256, EC_P256_SHA256, and EC_P384_SHA384.

CloudKmsKeyVersion string

The resource name for an existing Cloud KMS CryptoKeyVersion in the format projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*.

Algorithm string

The algorithm to use for creating a managed Cloud KMS key for a simplified experience. All managed keys will have their ProtectionLevel set to HSM. Possible values are SIGN_HASH_ALGORITHM_UNSPECIFIED, RSA_PSS_2048_SHA256, RSA_PSS_3072_SHA256, RSA_PSS_4096_SHA256, RSA_PKCS1_2048_SHA256, RSA_PKCS1_3072_SHA256, RSA_PKCS1_4096_SHA256, EC_P256_SHA256, and EC_P384_SHA384.

CloudKmsKeyVersion string

The resource name for an existing Cloud KMS CryptoKeyVersion in the format projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*.

algorithm String

The algorithm to use for creating a managed Cloud KMS key for a simplified experience. All managed keys will have their ProtectionLevel set to HSM. Possible values are SIGN_HASH_ALGORITHM_UNSPECIFIED, RSA_PSS_2048_SHA256, RSA_PSS_3072_SHA256, RSA_PSS_4096_SHA256, RSA_PKCS1_2048_SHA256, RSA_PKCS1_3072_SHA256, RSA_PKCS1_4096_SHA256, EC_P256_SHA256, and EC_P384_SHA384.

cloudKmsKeyVersion String

The resource name for an existing Cloud KMS CryptoKeyVersion in the format projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*.

algorithm string

The algorithm to use for creating a managed Cloud KMS key for a simplified experience. All managed keys will have their ProtectionLevel set to HSM. Possible values are SIGN_HASH_ALGORITHM_UNSPECIFIED, RSA_PSS_2048_SHA256, RSA_PSS_3072_SHA256, RSA_PSS_4096_SHA256, RSA_PKCS1_2048_SHA256, RSA_PKCS1_3072_SHA256, RSA_PKCS1_4096_SHA256, EC_P256_SHA256, and EC_P384_SHA384.

cloudKmsKeyVersion string

The resource name for an existing Cloud KMS CryptoKeyVersion in the format projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*.

algorithm str

The algorithm to use for creating a managed Cloud KMS key for a simplified experience. All managed keys will have their ProtectionLevel set to HSM. Possible values are SIGN_HASH_ALGORITHM_UNSPECIFIED, RSA_PSS_2048_SHA256, RSA_PSS_3072_SHA256, RSA_PSS_4096_SHA256, RSA_PKCS1_2048_SHA256, RSA_PKCS1_3072_SHA256, RSA_PKCS1_4096_SHA256, EC_P256_SHA256, and EC_P384_SHA384.

cloud_kms_key_version str

The resource name for an existing Cloud KMS CryptoKeyVersion in the format projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*.

algorithm String

The algorithm to use for creating a managed Cloud KMS key for a simplified experience. All managed keys will have their ProtectionLevel set to HSM. Possible values are SIGN_HASH_ALGORITHM_UNSPECIFIED, RSA_PSS_2048_SHA256, RSA_PSS_3072_SHA256, RSA_PSS_4096_SHA256, RSA_PKCS1_2048_SHA256, RSA_PKCS1_3072_SHA256, RSA_PKCS1_4096_SHA256, EC_P256_SHA256, and EC_P384_SHA384.

cloudKmsKeyVersion String

The resource name for an existing Cloud KMS CryptoKeyVersion in the format projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*.

AuthoritySubordinateConfig

CertificateAuthority string

This can refer to a CertificateAuthority that was used to create a subordinate CertificateAuthority. This field is used for information and usability purposes only. The resource name is in the format projects/*/locations/*/caPools/*/certificateAuthorities/*.

PemIssuerChain AuthoritySubordinateConfigPemIssuerChain

Contains the PEM certificate chain for the issuers of this CertificateAuthority, but not the PEM certificate for this CA itself. Structure is documented below.

CertificateAuthority string

This can refer to a CertificateAuthority that was used to create a subordinate CertificateAuthority. This field is used for information and usability purposes only. The resource name is in the format projects/*/locations/*/caPools/*/certificateAuthorities/*.

PemIssuerChain AuthoritySubordinateConfigPemIssuerChain

Contains the PEM certificate chain for the issuers of this CertificateAuthority, but not the PEM certificate for this CA itself. Structure is documented below.

certificateAuthority String

This can refer to a CertificateAuthority that was used to create a subordinate CertificateAuthority. This field is used for information and usability purposes only. The resource name is in the format projects/*/locations/*/caPools/*/certificateAuthorities/*.

pemIssuerChain AuthoritySubordinateConfigPemIssuerChain

Contains the PEM certificate chain for the issuers of this CertificateAuthority, but not the PEM certificate for this CA itself. Structure is documented below.

certificateAuthority string

This can refer to a CertificateAuthority that was used to create a subordinate CertificateAuthority. This field is used for information and usability purposes only. The resource name is in the format projects/*/locations/*/caPools/*/certificateAuthorities/*.

pemIssuerChain AuthoritySubordinateConfigPemIssuerChain

Contains the PEM certificate chain for the issuers of this CertificateAuthority, but not the PEM certificate for this CA itself. Structure is documented below.

certificate_authority str

This can refer to a CertificateAuthority that was used to create a subordinate CertificateAuthority. This field is used for information and usability purposes only. The resource name is in the format projects/*/locations/*/caPools/*/certificateAuthorities/*.

pem_issuer_chain AuthoritySubordinateConfigPemIssuerChain

Contains the PEM certificate chain for the issuers of this CertificateAuthority, but not the PEM certificate for this CA itself. Structure is documented below.

certificateAuthority String

This can refer to a CertificateAuthority that was used to create a subordinate CertificateAuthority. This field is used for information and usability purposes only. The resource name is in the format projects/*/locations/*/caPools/*/certificateAuthorities/*.

pemIssuerChain Property Map

Contains the PEM certificate chain for the issuers of this CertificateAuthority, but not the PEM certificate for this CA itself. Structure is documented below.

AuthoritySubordinateConfigPemIssuerChain

PemCertificates List<string>

Expected to be in leaf-to-root order according to RFC 5246.

PemCertificates []string

Expected to be in leaf-to-root order according to RFC 5246.

pemCertificates List<String>

Expected to be in leaf-to-root order according to RFC 5246.

pemCertificates string[]

Expected to be in leaf-to-root order according to RFC 5246.

pem_certificates Sequence[str]

Expected to be in leaf-to-root order according to RFC 5246.

pemCertificates List<String>

Expected to be in leaf-to-root order according to RFC 5246.

Package Details

Repository
https://github.com/pulumi/pulumi-gcp
License
Apache-2.0
Notes

This Pulumi package is based on the google-beta Terraform Provider.