gcp.certificateauthority.CaPool
Explore with Pulumi AI
A CaPool represents a group of CertificateAuthorities that form a trust anchor. A CaPool can be used to manage issuance policies for one or more CertificateAuthority resources and to rotate CA certificates in and out of the trust anchor.
Example Usage
Privateca Capool Basic
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var @default = new Gcp.CertificateAuthority.CaPool("default", new()
{
Labels =
{
{ "foo", "bar" },
},
Location = "us-central1",
PublishingOptions = new Gcp.CertificateAuthority.Inputs.CaPoolPublishingOptionsArgs
{
PublishCaCert = true,
PublishCrl = true,
},
Tier = "ENTERPRISE",
});
});
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/certificateauthority"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := certificateauthority.NewCaPool(ctx, "default", &certificateauthority.CaPoolArgs{
Labels: pulumi.StringMap{
"foo": pulumi.String("bar"),
},
Location: pulumi.String("us-central1"),
PublishingOptions: &certificateauthority.CaPoolPublishingOptionsArgs{
PublishCaCert: pulumi.Bool(true),
PublishCrl: pulumi.Bool(true),
},
Tier: pulumi.String("ENTERPRISE"),
})
if err != nil {
return err
}
return nil
})
}
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.certificateauthority.CaPool;
import com.pulumi.gcp.certificateauthority.CaPoolArgs;
import com.pulumi.gcp.certificateauthority.inputs.CaPoolPublishingOptionsArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var default_ = new CaPool("default", CaPoolArgs.builder()
.labels(Map.of("foo", "bar"))
.location("us-central1")
.publishingOptions(CaPoolPublishingOptionsArgs.builder()
.publishCaCert(true)
.publishCrl(true)
.build())
.tier("ENTERPRISE")
.build());
}
}
import pulumi
import pulumi_gcp as gcp
default = gcp.certificateauthority.CaPool("default",
labels={
"foo": "bar",
},
location="us-central1",
publishing_options=gcp.certificateauthority.CaPoolPublishingOptionsArgs(
publish_ca_cert=True,
publish_crl=True,
),
tier="ENTERPRISE")
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const _default = new gcp.certificateauthority.CaPool("default", {
labels: {
foo: "bar",
},
location: "us-central1",
publishingOptions: {
publishCaCert: true,
publishCrl: true,
},
tier: "ENTERPRISE",
});
resources:
default:
type: gcp:certificateauthority:CaPool
properties:
labels:
foo: bar
location: us-central1
publishingOptions:
publishCaCert: true
publishCrl: true
tier: ENTERPRISE
Privateca Capool All Fields
Coming soon!
Coming soon!
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.certificateauthority.CaPool;
import com.pulumi.gcp.certificateauthority.CaPoolArgs;
import com.pulumi.gcp.certificateauthority.inputs.CaPoolIssuancePolicyArgs;
import com.pulumi.gcp.certificateauthority.inputs.CaPoolIssuancePolicyAllowedIssuanceModesArgs;
import com.pulumi.gcp.certificateauthority.inputs.CaPoolIssuancePolicyBaselineValuesArgs;
import com.pulumi.gcp.certificateauthority.inputs.CaPoolIssuancePolicyBaselineValuesCaOptionsArgs;
import com.pulumi.gcp.certificateauthority.inputs.CaPoolIssuancePolicyBaselineValuesKeyUsageArgs;
import com.pulumi.gcp.certificateauthority.inputs.CaPoolIssuancePolicyBaselineValuesKeyUsageBaseKeyUsageArgs;
import com.pulumi.gcp.certificateauthority.inputs.CaPoolIssuancePolicyBaselineValuesKeyUsageExtendedKeyUsageArgs;
import com.pulumi.gcp.certificateauthority.inputs.CaPoolIssuancePolicyBaselineValuesNameConstraintsArgs;
import com.pulumi.gcp.certificateauthority.inputs.CaPoolIssuancePolicyIdentityConstraintsArgs;
import com.pulumi.gcp.certificateauthority.inputs.CaPoolIssuancePolicyIdentityConstraintsCelExpressionArgs;
import com.pulumi.gcp.certificateauthority.inputs.CaPoolPublishingOptionsArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var default_ = new CaPool("default", CaPoolArgs.builder()
.issuancePolicy(CaPoolIssuancePolicyArgs.builder()
.allowedIssuanceModes(CaPoolIssuancePolicyAllowedIssuanceModesArgs.builder()
.allowConfigBasedIssuance(true)
.allowCsrBasedIssuance(true)
.build())
.allowedKeyTypes(
CaPoolIssuancePolicyAllowedKeyTypeArgs.builder()
.ellipticCurve(CaPoolIssuancePolicyAllowedKeyTypeEllipticCurveArgs.builder()
.signatureAlgorithm("ECDSA_P256")
.build())
.build(),
CaPoolIssuancePolicyAllowedKeyTypeArgs.builder()
.rsa(CaPoolIssuancePolicyAllowedKeyTypeRsaArgs.builder()
.maxModulusSize(10)
.minModulusSize(5)
.build())
.build())
.baselineValues(CaPoolIssuancePolicyBaselineValuesArgs.builder()
.additionalExtensions(CaPoolIssuancePolicyBaselineValuesAdditionalExtensionArgs.builder()
.critical(true)
.objectId(CaPoolIssuancePolicyBaselineValuesAdditionalExtensionObjectIdArgs.builder()
.objectIdPath(
1,
7)
.build())
.value("asdf")
.build())
.aiaOcspServers("example.com")
.caOptions(CaPoolIssuancePolicyBaselineValuesCaOptionsArgs.builder()
.isCa(true)
.maxIssuerPathLength(10)
.build())
.keyUsage(CaPoolIssuancePolicyBaselineValuesKeyUsageArgs.builder()
.baseKeyUsage(CaPoolIssuancePolicyBaselineValuesKeyUsageBaseKeyUsageArgs.builder()
.certSign(false)
.contentCommitment(true)
.crlSign(true)
.dataEncipherment(true)
.decipherOnly(true)
.digitalSignature(true)
.keyAgreement(true)
.keyEncipherment(false)
.build())
.extendedKeyUsage(CaPoolIssuancePolicyBaselineValuesKeyUsageExtendedKeyUsageArgs.builder()
.clientAuth(false)
.codeSigning(true)
.emailProtection(true)
.serverAuth(true)
.timeStamping(true)
.build())
.build())
.nameConstraints(CaPoolIssuancePolicyBaselineValuesNameConstraintsArgs.builder()
.critical(true)
.excludedDnsNames(
"*.deny.example1.com",
"*.deny.example2.com")
.excludedEmailAddresses(
".deny.example1.com",
".deny.example2.com")
.excludedIpRanges(
"10.1.1.0/24",
"11.1.1.0/24")
.excludedUris(
".deny.example1.com",
".deny.example2.com")
.permittedDnsNames(
"*.example1.com",
"*.example2.com")
.permittedEmailAddresses(
".example1.com",
".example2.com")
.permittedIpRanges(
"10.0.0.0/8",
"11.0.0.0/8")
.permittedUris(
".example1.com",
".example2.com")
.build())
.policyIds(
CaPoolIssuancePolicyBaselineValuesPolicyIdArgs.builder()
.objectIdPath(
1,
5)
.build(),
CaPoolIssuancePolicyBaselineValuesPolicyIdArgs.builder()
.objectIdPath(
1,
5,
7)
.build())
.build())
.identityConstraints(CaPoolIssuancePolicyIdentityConstraintsArgs.builder()
.allowSubjectAltNamesPassthrough(true)
.allowSubjectPassthrough(true)
.celExpression(CaPoolIssuancePolicyIdentityConstraintsCelExpressionArgs.builder()
.expression("subject_alt_names.all(san, san.type == DNS || san.type == EMAIL )")
.title("My title")
.build())
.build())
.maximumLifetime("50000s")
.build())
.labels(Map.of("foo", "bar"))
.location("us-central1")
.publishingOptions(CaPoolPublishingOptionsArgs.builder()
.encodingFormat("PEM")
.publishCaCert(false)
.publishCrl(true)
.build())
.tier("ENTERPRISE")
.build());
}
}
Coming soon!
Coming soon!
resources:
default:
type: gcp:certificateauthority:CaPool
properties:
issuancePolicy:
allowedIssuanceModes:
allowConfigBasedIssuance: true
allowCsrBasedIssuance: true
allowedKeyTypes:
- ellipticCurve:
signatureAlgorithm: ECDSA_P256
- rsa:
maxModulusSize: 10
minModulusSize: 5
baselineValues:
additionalExtensions:
- critical: true
objectId:
objectIdPath:
- 1
- 7
value: asdf
aiaOcspServers:
- example.com
caOptions:
isCa: true
maxIssuerPathLength: 10
keyUsage:
baseKeyUsage:
certSign: false
contentCommitment: true
crlSign: true
dataEncipherment: true
decipherOnly: true
digitalSignature: true
keyAgreement: true
keyEncipherment: false
extendedKeyUsage:
clientAuth: false
codeSigning: true
emailProtection: true
serverAuth: true
timeStamping: true
nameConstraints:
critical: true
excludedDnsNames:
- '*.deny.example1.com'
- '*.deny.example2.com'
excludedEmailAddresses:
- .deny.example1.com
- .deny.example2.com
excludedIpRanges:
- 10.1.1.0/24
- 11.1.1.0/24
excludedUris:
- .deny.example1.com
- .deny.example2.com
permittedDnsNames:
- '*.example1.com'
- '*.example2.com'
permittedEmailAddresses:
- .example1.com
- .example2.com
permittedIpRanges:
- 10.0.0.0/8
- 11.0.0.0/8
permittedUris:
- .example1.com
- .example2.com
policyIds:
- objectIdPath:
- 1
- 5
- objectIdPath:
- 1
- 5
- 7
identityConstraints:
allowSubjectAltNamesPassthrough: true
allowSubjectPassthrough: true
celExpression:
expression: subject_alt_names.all(san, san.type == DNS || san.type == EMAIL )
title: My title
maximumLifetime: 50000s
labels:
foo: bar
location: us-central1
publishingOptions:
encodingFormat: PEM
publishCaCert: false
publishCrl: true
tier: ENTERPRISE
Create CaPool Resource
new CaPool(name: string, args: CaPoolArgs, opts?: CustomResourceOptions);
@overload
def CaPool(resource_name: str,
opts: Optional[ResourceOptions] = None,
issuance_policy: Optional[CaPoolIssuancePolicyArgs] = None,
labels: Optional[Mapping[str, str]] = None,
location: Optional[str] = None,
name: Optional[str] = None,
project: Optional[str] = None,
publishing_options: Optional[CaPoolPublishingOptionsArgs] = None,
tier: Optional[str] = None)
@overload
def CaPool(resource_name: str,
args: CaPoolArgs,
opts: Optional[ResourceOptions] = None)
func NewCaPool(ctx *Context, name string, args CaPoolArgs, opts ...ResourceOption) (*CaPool, error)
public CaPool(string name, CaPoolArgs args, CustomResourceOptions? opts = null)
public CaPool(String name, CaPoolArgs args)
public CaPool(String name, CaPoolArgs args, CustomResourceOptions options)
type: gcp:certificateauthority:CaPool
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args CaPoolArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args CaPoolArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args CaPoolArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args CaPoolArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args CaPoolArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
CaPool Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
The CaPool resource accepts the following input properties:
- Location string
Location of the CaPool. A full list of valid locations can be found by running
gcloud privateca locations list
.- Tier string
The Tier of this CaPool. Possible values are:
ENTERPRISE
,DEVOPS
.- Issuance
Policy CaPool Issuance Policy Args The IssuancePolicy to control how Certificates will be issued from this CaPool. Structure is documented below.
- Labels Dictionary<string, string>
Labels with user-defined metadata. An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.
- Name string
The name for this CaPool.
- Project string
The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
- Publishing
Options CaPool Publishing Options Args The PublishingOptions to follow when issuing Certificates from any CertificateAuthority in this CaPool. Structure is documented below.
- Location string
Location of the CaPool. A full list of valid locations can be found by running
gcloud privateca locations list
.- Tier string
The Tier of this CaPool. Possible values are:
ENTERPRISE
,DEVOPS
.- Issuance
Policy CaPool Issuance Policy Args The IssuancePolicy to control how Certificates will be issued from this CaPool. Structure is documented below.
- Labels map[string]string
Labels with user-defined metadata. An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.
- Name string
The name for this CaPool.
- Project string
The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
- Publishing
Options CaPool Publishing Options Args The PublishingOptions to follow when issuing Certificates from any CertificateAuthority in this CaPool. Structure is documented below.
- location String
Location of the CaPool. A full list of valid locations can be found by running
gcloud privateca locations list
.- tier String
The Tier of this CaPool. Possible values are:
ENTERPRISE
,DEVOPS
.- issuance
Policy CaPool Issuance Policy Args The IssuancePolicy to control how Certificates will be issued from this CaPool. Structure is documented below.
- labels Map<String,String>
Labels with user-defined metadata. An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.
- name String
The name for this CaPool.
- project String
The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
- publishing
Options CaPool Publishing Options Args The PublishingOptions to follow when issuing Certificates from any CertificateAuthority in this CaPool. Structure is documented below.
- location string
Location of the CaPool. A full list of valid locations can be found by running
gcloud privateca locations list
.- tier string
The Tier of this CaPool. Possible values are:
ENTERPRISE
,DEVOPS
.- issuance
Policy CaPool Issuance Policy Args The IssuancePolicy to control how Certificates will be issued from this CaPool. Structure is documented below.
- labels {[key: string]: string}
Labels with user-defined metadata. An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.
- name string
The name for this CaPool.
- project string
The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
- publishing
Options CaPool Publishing Options Args The PublishingOptions to follow when issuing Certificates from any CertificateAuthority in this CaPool. Structure is documented below.
- location str
Location of the CaPool. A full list of valid locations can be found by running
gcloud privateca locations list
.- tier str
The Tier of this CaPool. Possible values are:
ENTERPRISE
,DEVOPS
.- issuance_
policy CaPool Issuance Policy Args The IssuancePolicy to control how Certificates will be issued from this CaPool. Structure is documented below.
- labels Mapping[str, str]
Labels with user-defined metadata. An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.
- name str
The name for this CaPool.
- project str
The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
- publishing_
options CaPool Publishing Options Args The PublishingOptions to follow when issuing Certificates from any CertificateAuthority in this CaPool. Structure is documented below.
- location String
Location of the CaPool. A full list of valid locations can be found by running
gcloud privateca locations list
.- tier String
The Tier of this CaPool. Possible values are:
ENTERPRISE
,DEVOPS
.- issuance
Policy Property Map The IssuancePolicy to control how Certificates will be issued from this CaPool. Structure is documented below.
- labels Map<String>
Labels with user-defined metadata. An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.
- name String
The name for this CaPool.
- project String
The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
- publishing
Options Property Map The PublishingOptions to follow when issuing Certificates from any CertificateAuthority in this CaPool. Structure is documented below.
Outputs
All input properties are implicitly available as output properties. Additionally, the CaPool resource produces the following output properties:
- Id string
The provider-assigned unique ID for this managed resource.
- Id string
The provider-assigned unique ID for this managed resource.
- id String
The provider-assigned unique ID for this managed resource.
- id string
The provider-assigned unique ID for this managed resource.
- id str
The provider-assigned unique ID for this managed resource.
- id String
The provider-assigned unique ID for this managed resource.
Look up Existing CaPool Resource
Get an existing CaPool resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: CaPoolState, opts?: CustomResourceOptions): CaPool
@staticmethod
def get(resource_name: str,
id: str,
opts: Optional[ResourceOptions] = None,
issuance_policy: Optional[CaPoolIssuancePolicyArgs] = None,
labels: Optional[Mapping[str, str]] = None,
location: Optional[str] = None,
name: Optional[str] = None,
project: Optional[str] = None,
publishing_options: Optional[CaPoolPublishingOptionsArgs] = None,
tier: Optional[str] = None) -> CaPool
func GetCaPool(ctx *Context, name string, id IDInput, state *CaPoolState, opts ...ResourceOption) (*CaPool, error)
public static CaPool Get(string name, Input<string> id, CaPoolState? state, CustomResourceOptions? opts = null)
public static CaPool get(String name, Output<String> id, CaPoolState state, CustomResourceOptions options)
Resource lookup is not supported in YAML
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- Issuance
Policy CaPool Issuance Policy Args The IssuancePolicy to control how Certificates will be issued from this CaPool. Structure is documented below.
- Labels Dictionary<string, string>
Labels with user-defined metadata. An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.
- Location string
Location of the CaPool. A full list of valid locations can be found by running
gcloud privateca locations list
.- Name string
The name for this CaPool.
- Project string
The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
- Publishing
Options CaPool Publishing Options Args The PublishingOptions to follow when issuing Certificates from any CertificateAuthority in this CaPool. Structure is documented below.
- Tier string
The Tier of this CaPool. Possible values are:
ENTERPRISE
,DEVOPS
.
- Issuance
Policy CaPool Issuance Policy Args The IssuancePolicy to control how Certificates will be issued from this CaPool. Structure is documented below.
- Labels map[string]string
Labels with user-defined metadata. An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.
- Location string
Location of the CaPool. A full list of valid locations can be found by running
gcloud privateca locations list
.- Name string
The name for this CaPool.
- Project string
The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
- Publishing
Options CaPool Publishing Options Args The PublishingOptions to follow when issuing Certificates from any CertificateAuthority in this CaPool. Structure is documented below.
- Tier string
The Tier of this CaPool. Possible values are:
ENTERPRISE
,DEVOPS
.
- issuance
Policy CaPool Issuance Policy Args The IssuancePolicy to control how Certificates will be issued from this CaPool. Structure is documented below.
- labels Map<String,String>
Labels with user-defined metadata. An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.
- location String
Location of the CaPool. A full list of valid locations can be found by running
gcloud privateca locations list
.- name String
The name for this CaPool.
- project String
The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
- publishing
Options CaPool Publishing Options Args The PublishingOptions to follow when issuing Certificates from any CertificateAuthority in this CaPool. Structure is documented below.
- tier String
The Tier of this CaPool. Possible values are:
ENTERPRISE
,DEVOPS
.
- issuance
Policy CaPool Issuance Policy Args The IssuancePolicy to control how Certificates will be issued from this CaPool. Structure is documented below.
- labels {[key: string]: string}
Labels with user-defined metadata. An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.
- location string
Location of the CaPool. A full list of valid locations can be found by running
gcloud privateca locations list
.- name string
The name for this CaPool.
- project string
The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
- publishing
Options CaPool Publishing Options Args The PublishingOptions to follow when issuing Certificates from any CertificateAuthority in this CaPool. Structure is documented below.
- tier string
The Tier of this CaPool. Possible values are:
ENTERPRISE
,DEVOPS
.
- issuance_
policy CaPool Issuance Policy Args The IssuancePolicy to control how Certificates will be issued from this CaPool. Structure is documented below.
- labels Mapping[str, str]
Labels with user-defined metadata. An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.
- location str
Location of the CaPool. A full list of valid locations can be found by running
gcloud privateca locations list
.- name str
The name for this CaPool.
- project str
The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
- publishing_
options CaPool Publishing Options Args The PublishingOptions to follow when issuing Certificates from any CertificateAuthority in this CaPool. Structure is documented below.
- tier str
The Tier of this CaPool. Possible values are:
ENTERPRISE
,DEVOPS
.
- issuance
Policy Property Map The IssuancePolicy to control how Certificates will be issued from this CaPool. Structure is documented below.
- labels Map<String>
Labels with user-defined metadata. An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.
- location String
Location of the CaPool. A full list of valid locations can be found by running
gcloud privateca locations list
.- name String
The name for this CaPool.
- project String
The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
- publishing
Options Property Map The PublishingOptions to follow when issuing Certificates from any CertificateAuthority in this CaPool. Structure is documented below.
- tier String
The Tier of this CaPool. Possible values are:
ENTERPRISE
,DEVOPS
.
Supporting Types
CaPoolIssuancePolicy
- Allowed
Issuance CaModes Pool Issuance Policy Allowed Issuance Modes IssuanceModes specifies the allowed ways in which Certificates may be requested from this CaPool. Structure is documented below.
- Allowed
Key List<CaTypes Pool Issuance Policy Allowed Key Type> If any AllowedKeyType is specified, then the certificate request's public key must match one of the key types listed here. Otherwise, any key may be used. Structure is documented below.
- Baseline
Values CaPool Issuance Policy Baseline Values A set of X.509 values that will be applied to all certificates issued through this CaPool. If a certificate request includes conflicting values for the same properties, they will be overwritten by the values defined here. If a certificate request uses a CertificateTemplate that defines conflicting predefinedValues for the same properties, the certificate issuance request will fail. Structure is documented below.
- Identity
Constraints CaPool Issuance Policy Identity Constraints Describes constraints on identities that may appear in Certificates issued through this CaPool. If this is omitted, then this CaPool will not add restrictions on a certificate's identity. Structure is documented below.
- Maximum
Lifetime string The maximum lifetime allowed for issued Certificates. Note that if the issuing CertificateAuthority expires before a Certificate's requested maximumLifetime, the effective lifetime will be explicitly truncated to match it.
- Allowed
Issuance CaModes Pool Issuance Policy Allowed Issuance Modes IssuanceModes specifies the allowed ways in which Certificates may be requested from this CaPool. Structure is documented below.
- Allowed
Key []CaTypes Pool Issuance Policy Allowed Key Type If any AllowedKeyType is specified, then the certificate request's public key must match one of the key types listed here. Otherwise, any key may be used. Structure is documented below.
- Baseline
Values CaPool Issuance Policy Baseline Values A set of X.509 values that will be applied to all certificates issued through this CaPool. If a certificate request includes conflicting values for the same properties, they will be overwritten by the values defined here. If a certificate request uses a CertificateTemplate that defines conflicting predefinedValues for the same properties, the certificate issuance request will fail. Structure is documented below.
- Identity
Constraints CaPool Issuance Policy Identity Constraints Describes constraints on identities that may appear in Certificates issued through this CaPool. If this is omitted, then this CaPool will not add restrictions on a certificate's identity. Structure is documented below.
- Maximum
Lifetime string The maximum lifetime allowed for issued Certificates. Note that if the issuing CertificateAuthority expires before a Certificate's requested maximumLifetime, the effective lifetime will be explicitly truncated to match it.
- allowed
Issuance CaModes Pool Issuance Policy Allowed Issuance Modes IssuanceModes specifies the allowed ways in which Certificates may be requested from this CaPool. Structure is documented below.
- allowed
Key List<CaTypes Pool Issuance Policy Allowed Key Type> If any AllowedKeyType is specified, then the certificate request's public key must match one of the key types listed here. Otherwise, any key may be used. Structure is documented below.
- baseline
Values CaPool Issuance Policy Baseline Values A set of X.509 values that will be applied to all certificates issued through this CaPool. If a certificate request includes conflicting values for the same properties, they will be overwritten by the values defined here. If a certificate request uses a CertificateTemplate that defines conflicting predefinedValues for the same properties, the certificate issuance request will fail. Structure is documented below.
- identity
Constraints CaPool Issuance Policy Identity Constraints Describes constraints on identities that may appear in Certificates issued through this CaPool. If this is omitted, then this CaPool will not add restrictions on a certificate's identity. Structure is documented below.
- maximum
Lifetime String The maximum lifetime allowed for issued Certificates. Note that if the issuing CertificateAuthority expires before a Certificate's requested maximumLifetime, the effective lifetime will be explicitly truncated to match it.
- allowed
Issuance CaModes Pool Issuance Policy Allowed Issuance Modes IssuanceModes specifies the allowed ways in which Certificates may be requested from this CaPool. Structure is documented below.
- allowed
Key CaTypes Pool Issuance Policy Allowed Key Type[] If any AllowedKeyType is specified, then the certificate request's public key must match one of the key types listed here. Otherwise, any key may be used. Structure is documented below.
- baseline
Values CaPool Issuance Policy Baseline Values A set of X.509 values that will be applied to all certificates issued through this CaPool. If a certificate request includes conflicting values for the same properties, they will be overwritten by the values defined here. If a certificate request uses a CertificateTemplate that defines conflicting predefinedValues for the same properties, the certificate issuance request will fail. Structure is documented below.
- identity
Constraints CaPool Issuance Policy Identity Constraints Describes constraints on identities that may appear in Certificates issued through this CaPool. If this is omitted, then this CaPool will not add restrictions on a certificate's identity. Structure is documented below.
- maximum
Lifetime string The maximum lifetime allowed for issued Certificates. Note that if the issuing CertificateAuthority expires before a Certificate's requested maximumLifetime, the effective lifetime will be explicitly truncated to match it.
- allowed_
issuance_ Camodes Pool Issuance Policy Allowed Issuance Modes IssuanceModes specifies the allowed ways in which Certificates may be requested from this CaPool. Structure is documented below.
- allowed_
key_ Sequence[Catypes Pool Issuance Policy Allowed Key Type] If any AllowedKeyType is specified, then the certificate request's public key must match one of the key types listed here. Otherwise, any key may be used. Structure is documented below.
- baseline_
values CaPool Issuance Policy Baseline Values A set of X.509 values that will be applied to all certificates issued through this CaPool. If a certificate request includes conflicting values for the same properties, they will be overwritten by the values defined here. If a certificate request uses a CertificateTemplate that defines conflicting predefinedValues for the same properties, the certificate issuance request will fail. Structure is documented below.
- identity_
constraints CaPool Issuance Policy Identity Constraints Describes constraints on identities that may appear in Certificates issued through this CaPool. If this is omitted, then this CaPool will not add restrictions on a certificate's identity. Structure is documented below.
- maximum_
lifetime str The maximum lifetime allowed for issued Certificates. Note that if the issuing CertificateAuthority expires before a Certificate's requested maximumLifetime, the effective lifetime will be explicitly truncated to match it.
- allowed
Issuance Property MapModes IssuanceModes specifies the allowed ways in which Certificates may be requested from this CaPool. Structure is documented below.
- allowed
Key List<Property Map>Types If any AllowedKeyType is specified, then the certificate request's public key must match one of the key types listed here. Otherwise, any key may be used. Structure is documented below.
- baseline
Values Property Map A set of X.509 values that will be applied to all certificates issued through this CaPool. If a certificate request includes conflicting values for the same properties, they will be overwritten by the values defined here. If a certificate request uses a CertificateTemplate that defines conflicting predefinedValues for the same properties, the certificate issuance request will fail. Structure is documented below.
- identity
Constraints Property Map Describes constraints on identities that may appear in Certificates issued through this CaPool. If this is omitted, then this CaPool will not add restrictions on a certificate's identity. Structure is documented below.
- maximum
Lifetime String The maximum lifetime allowed for issued Certificates. Note that if the issuing CertificateAuthority expires before a Certificate's requested maximumLifetime, the effective lifetime will be explicitly truncated to match it.
CaPoolIssuancePolicyAllowedIssuanceModes
- Allow
Config boolBased Issuance When true, allows callers to create Certificates by specifying a CertificateConfig.
- Allow
Csr boolBased Issuance When true, allows callers to create Certificates by specifying a CSR.
- Allow
Config boolBased Issuance When true, allows callers to create Certificates by specifying a CertificateConfig.
- Allow
Csr boolBased Issuance When true, allows callers to create Certificates by specifying a CSR.
- allow
Config BooleanBased Issuance When true, allows callers to create Certificates by specifying a CertificateConfig.
- allow
Csr BooleanBased Issuance When true, allows callers to create Certificates by specifying a CSR.
- allow
Config booleanBased Issuance When true, allows callers to create Certificates by specifying a CertificateConfig.
- allow
Csr booleanBased Issuance When true, allows callers to create Certificates by specifying a CSR.
- allow_
config_ boolbased_ issuance When true, allows callers to create Certificates by specifying a CertificateConfig.
- allow_
csr_ boolbased_ issuance When true, allows callers to create Certificates by specifying a CSR.
- allow
Config BooleanBased Issuance When true, allows callers to create Certificates by specifying a CertificateConfig.
- allow
Csr BooleanBased Issuance When true, allows callers to create Certificates by specifying a CSR.
CaPoolIssuancePolicyAllowedKeyType
- Elliptic
Curve CaPool Issuance Policy Allowed Key Type Elliptic Curve Represents an allowed Elliptic Curve key type. Structure is documented below.
- Rsa
Ca
Pool Issuance Policy Allowed Key Type Rsa Describes an RSA key that may be used in a Certificate issued from a CaPool. Structure is documented below.
- Elliptic
Curve CaPool Issuance Policy Allowed Key Type Elliptic Curve Represents an allowed Elliptic Curve key type. Structure is documented below.
- Rsa
Ca
Pool Issuance Policy Allowed Key Type Rsa Describes an RSA key that may be used in a Certificate issued from a CaPool. Structure is documented below.
- elliptic
Curve CaPool Issuance Policy Allowed Key Type Elliptic Curve Represents an allowed Elliptic Curve key type. Structure is documented below.
- rsa
Ca
Pool Issuance Policy Allowed Key Type Rsa Describes an RSA key that may be used in a Certificate issued from a CaPool. Structure is documented below.
- elliptic
Curve CaPool Issuance Policy Allowed Key Type Elliptic Curve Represents an allowed Elliptic Curve key type. Structure is documented below.
- rsa
Ca
Pool Issuance Policy Allowed Key Type Rsa Describes an RSA key that may be used in a Certificate issued from a CaPool. Structure is documented below.
- elliptic_
curve CaPool Issuance Policy Allowed Key Type Elliptic Curve Represents an allowed Elliptic Curve key type. Structure is documented below.
- rsa
Ca
Pool Issuance Policy Allowed Key Type Rsa Describes an RSA key that may be used in a Certificate issued from a CaPool. Structure is documented below.
- elliptic
Curve Property Map Represents an allowed Elliptic Curve key type. Structure is documented below.
- rsa Property Map
Describes an RSA key that may be used in a Certificate issued from a CaPool. Structure is documented below.
CaPoolIssuancePolicyAllowedKeyTypeEllipticCurve
- Signature
Algorithm string The algorithm used. Possible values are:
ECDSA_P256
,ECDSA_P384
,EDDSA_25519
.
- Signature
Algorithm string The algorithm used. Possible values are:
ECDSA_P256
,ECDSA_P384
,EDDSA_25519
.
- signature
Algorithm String The algorithm used. Possible values are:
ECDSA_P256
,ECDSA_P384
,EDDSA_25519
.
- signature
Algorithm string The algorithm used. Possible values are:
ECDSA_P256
,ECDSA_P384
,EDDSA_25519
.
- signature_
algorithm str The algorithm used. Possible values are:
ECDSA_P256
,ECDSA_P384
,EDDSA_25519
.
- signature
Algorithm String The algorithm used. Possible values are:
ECDSA_P256
,ECDSA_P384
,EDDSA_25519
.
CaPoolIssuancePolicyAllowedKeyTypeRsa
- Max
Modulus stringSize The maximum allowed RSA modulus size, in bits. If this is not set, or if set to zero, the service will not enforce an explicit upper bound on RSA modulus sizes.
- Min
Modulus stringSize The minimum allowed RSA modulus size, in bits. If this is not set, or if set to zero, the service-level min RSA modulus size will continue to apply.
- Max
Modulus stringSize The maximum allowed RSA modulus size, in bits. If this is not set, or if set to zero, the service will not enforce an explicit upper bound on RSA modulus sizes.
- Min
Modulus stringSize The minimum allowed RSA modulus size, in bits. If this is not set, or if set to zero, the service-level min RSA modulus size will continue to apply.
- max
Modulus StringSize The maximum allowed RSA modulus size, in bits. If this is not set, or if set to zero, the service will not enforce an explicit upper bound on RSA modulus sizes.
- min
Modulus StringSize The minimum allowed RSA modulus size, in bits. If this is not set, or if set to zero, the service-level min RSA modulus size will continue to apply.
- max
Modulus stringSize The maximum allowed RSA modulus size, in bits. If this is not set, or if set to zero, the service will not enforce an explicit upper bound on RSA modulus sizes.
- min
Modulus stringSize The minimum allowed RSA modulus size, in bits. If this is not set, or if set to zero, the service-level min RSA modulus size will continue to apply.
- max_
modulus_ strsize The maximum allowed RSA modulus size, in bits. If this is not set, or if set to zero, the service will not enforce an explicit upper bound on RSA modulus sizes.
- min_
modulus_ strsize The minimum allowed RSA modulus size, in bits. If this is not set, or if set to zero, the service-level min RSA modulus size will continue to apply.
- max
Modulus StringSize The maximum allowed RSA modulus size, in bits. If this is not set, or if set to zero, the service will not enforce an explicit upper bound on RSA modulus sizes.
- min
Modulus StringSize The minimum allowed RSA modulus size, in bits. If this is not set, or if set to zero, the service-level min RSA modulus size will continue to apply.
CaPoolIssuancePolicyBaselineValues
- Ca
Options CaPool Issuance Policy Baseline Values Ca Options Describes values that are relevant in a CA certificate. Structure is documented below.
- Key
Usage CaPool Issuance Policy Baseline Values Key Usage Indicates the intended use for keys that correspond to a certificate. Structure is documented below.
- Additional
Extensions List<CaPool Issuance Policy Baseline Values Additional Extension> Specifies an X.509 extension, which may be used in different parts of X.509 objects like certificates, CSRs, and CRLs. Structure is documented below.
- Aia
Ocsp List<string>Servers Describes Online Certificate Status Protocol (OCSP) endpoint addresses that appear in the "Authority Information Access" extension in the certificate.
- Name
Constraints CaPool Issuance Policy Baseline Values Name Constraints Describes the X.509 name constraints extension. Structure is documented below.
- Policy
Ids List<CaPool Issuance Policy Baseline Values Policy Id> Describes the X.509 certificate policy object identifiers, per https://tools.ietf.org/html/rfc5280#section-4.2.1.4. Structure is documented below.
- Ca
Options CaPool Issuance Policy Baseline Values Ca Options Describes values that are relevant in a CA certificate. Structure is documented below.
- Key
Usage CaPool Issuance Policy Baseline Values Key Usage Indicates the intended use for keys that correspond to a certificate. Structure is documented below.
- Additional
Extensions []CaPool Issuance Policy Baseline Values Additional Extension Specifies an X.509 extension, which may be used in different parts of X.509 objects like certificates, CSRs, and CRLs. Structure is documented below.
- Aia
Ocsp []stringServers Describes Online Certificate Status Protocol (OCSP) endpoint addresses that appear in the "Authority Information Access" extension in the certificate.
- Name
Constraints CaPool Issuance Policy Baseline Values Name Constraints Describes the X.509 name constraints extension. Structure is documented below.
- Policy
Ids []CaPool Issuance Policy Baseline Values Policy Id Describes the X.509 certificate policy object identifiers, per https://tools.ietf.org/html/rfc5280#section-4.2.1.4. Structure is documented below.
- ca
Options CaPool Issuance Policy Baseline Values Ca Options Describes values that are relevant in a CA certificate. Structure is documented below.
- key
Usage CaPool Issuance Policy Baseline Values Key Usage Indicates the intended use for keys that correspond to a certificate. Structure is documented below.
- additional
Extensions List<CaPool Issuance Policy Baseline Values Additional Extension> Specifies an X.509 extension, which may be used in different parts of X.509 objects like certificates, CSRs, and CRLs. Structure is documented below.
- aia
Ocsp List<String>Servers Describes Online Certificate Status Protocol (OCSP) endpoint addresses that appear in the "Authority Information Access" extension in the certificate.
- name
Constraints CaPool Issuance Policy Baseline Values Name Constraints Describes the X.509 name constraints extension. Structure is documented below.
- policy
Ids List<CaPool Issuance Policy Baseline Values Policy Id> Describes the X.509 certificate policy object identifiers, per https://tools.ietf.org/html/rfc5280#section-4.2.1.4. Structure is documented below.
- ca
Options CaPool Issuance Policy Baseline Values Ca Options Describes values that are relevant in a CA certificate. Structure is documented below.
- key
Usage CaPool Issuance Policy Baseline Values Key Usage Indicates the intended use for keys that correspond to a certificate. Structure is documented below.
- additional
Extensions CaPool Issuance Policy Baseline Values Additional Extension[] Specifies an X.509 extension, which may be used in different parts of X.509 objects like certificates, CSRs, and CRLs. Structure is documented below.
- aia
Ocsp string[]Servers Describes Online Certificate Status Protocol (OCSP) endpoint addresses that appear in the "Authority Information Access" extension in the certificate.
- name
Constraints CaPool Issuance Policy Baseline Values Name Constraints Describes the X.509 name constraints extension. Structure is documented below.
- policy
Ids CaPool Issuance Policy Baseline Values Policy Id[] Describes the X.509 certificate policy object identifiers, per https://tools.ietf.org/html/rfc5280#section-4.2.1.4. Structure is documented below.
- ca_
options CaPool Issuance Policy Baseline Values Ca Options Describes values that are relevant in a CA certificate. Structure is documented below.
- key_
usage CaPool Issuance Policy Baseline Values Key Usage Indicates the intended use for keys that correspond to a certificate. Structure is documented below.
- additional_
extensions Sequence[CaPool Issuance Policy Baseline Values Additional Extension] Specifies an X.509 extension, which may be used in different parts of X.509 objects like certificates, CSRs, and CRLs. Structure is documented below.
- aia_
ocsp_ Sequence[str]servers Describes Online Certificate Status Protocol (OCSP) endpoint addresses that appear in the "Authority Information Access" extension in the certificate.
- name_
constraints CaPool Issuance Policy Baseline Values Name Constraints Describes the X.509 name constraints extension. Structure is documented below.
- policy_
ids Sequence[CaPool Issuance Policy Baseline Values Policy Id] Describes the X.509 certificate policy object identifiers, per https://tools.ietf.org/html/rfc5280#section-4.2.1.4. Structure is documented below.
- ca
Options Property Map Describes values that are relevant in a CA certificate. Structure is documented below.
- key
Usage Property Map Indicates the intended use for keys that correspond to a certificate. Structure is documented below.
- additional
Extensions List<Property Map> Specifies an X.509 extension, which may be used in different parts of X.509 objects like certificates, CSRs, and CRLs. Structure is documented below.
- aia
Ocsp List<String>Servers Describes Online Certificate Status Protocol (OCSP) endpoint addresses that appear in the "Authority Information Access" extension in the certificate.
- name
Constraints Property Map Describes the X.509 name constraints extension. Structure is documented below.
- policy
Ids List<Property Map> Describes the X.509 certificate policy object identifiers, per https://tools.ietf.org/html/rfc5280#section-4.2.1.4. Structure is documented below.
CaPoolIssuancePolicyBaselineValuesAdditionalExtension
- Critical bool
Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error).
- Object
Id CaPool Issuance Policy Baseline Values Additional Extension Object Id Describes values that are relevant in a CA certificate. Structure is documented below.
- Value string
The value of this X.509 extension. A base64-encoded string.
- Critical bool
Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error).
- Object
Id CaPool Issuance Policy Baseline Values Additional Extension Object Id Describes values that are relevant in a CA certificate. Structure is documented below.
- Value string
The value of this X.509 extension. A base64-encoded string.
- critical Boolean
Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error).
- object
Id CaPool Issuance Policy Baseline Values Additional Extension Object Id Describes values that are relevant in a CA certificate. Structure is documented below.
- value String
The value of this X.509 extension. A base64-encoded string.
- critical boolean
Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error).
- object
Id CaPool Issuance Policy Baseline Values Additional Extension Object Id Describes values that are relevant in a CA certificate. Structure is documented below.
- value string
The value of this X.509 extension. A base64-encoded string.
- critical bool
Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error).
- object_
id CaPool Issuance Policy Baseline Values Additional Extension Object Id Describes values that are relevant in a CA certificate. Structure is documented below.
- value str
The value of this X.509 extension. A base64-encoded string.
- critical Boolean
Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error).
- object
Id Property Map Describes values that are relevant in a CA certificate. Structure is documented below.
- value String
The value of this X.509 extension. A base64-encoded string.
CaPoolIssuancePolicyBaselineValuesAdditionalExtensionObjectId
- Object
Id List<int>Paths An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
- Object
Id []intPaths An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
- object
Id List<Integer>Paths An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
- object
Id number[]Paths An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
- object_
id_ Sequence[int]paths An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
- object
Id List<Number>Paths An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
CaPoolIssuancePolicyBaselineValuesCaOptions
- Is
Ca bool When true, the "CA" in Basic Constraints extension will be set to true.
- Max
Issuer intPath Length Refers to the "path length constraint" in Basic Constraints extension. For a CA certificate, this value describes the depth of subordinate CA certificates that are allowed. If this value is less than 0, the request will fail.
- Non
Ca bool When true, the "CA" in Basic Constraints extension will be set to false. If both
is_ca
andnon_ca
are unset, the extension will be omitted from the CA certificate.- Zero
Max boolIssuer Path Length When true, the "path length constraint" in Basic Constraints extension will be set to 0. if both
max_issuer_path_length
andzero_max_issuer_path_length
are unset, the max path length will be omitted from the CA certificate.
- Is
Ca bool When true, the "CA" in Basic Constraints extension will be set to true.
- Max
Issuer intPath Length Refers to the "path length constraint" in Basic Constraints extension. For a CA certificate, this value describes the depth of subordinate CA certificates that are allowed. If this value is less than 0, the request will fail.
- Non
Ca bool When true, the "CA" in Basic Constraints extension will be set to false. If both
is_ca
andnon_ca
are unset, the extension will be omitted from the CA certificate.- Zero
Max boolIssuer Path Length When true, the "path length constraint" in Basic Constraints extension will be set to 0. if both
max_issuer_path_length
andzero_max_issuer_path_length
are unset, the max path length will be omitted from the CA certificate.
- is
Ca Boolean When true, the "CA" in Basic Constraints extension will be set to true.
- max
Issuer IntegerPath Length Refers to the "path length constraint" in Basic Constraints extension. For a CA certificate, this value describes the depth of subordinate CA certificates that are allowed. If this value is less than 0, the request will fail.
- non
Ca Boolean When true, the "CA" in Basic Constraints extension will be set to false. If both
is_ca
andnon_ca
are unset, the extension will be omitted from the CA certificate.- zero
Max BooleanIssuer Path Length When true, the "path length constraint" in Basic Constraints extension will be set to 0. if both
max_issuer_path_length
andzero_max_issuer_path_length
are unset, the max path length will be omitted from the CA certificate.
- is
Ca boolean When true, the "CA" in Basic Constraints extension will be set to true.
- max
Issuer numberPath Length Refers to the "path length constraint" in Basic Constraints extension. For a CA certificate, this value describes the depth of subordinate CA certificates that are allowed. If this value is less than 0, the request will fail.
- non
Ca boolean When true, the "CA" in Basic Constraints extension will be set to false. If both
is_ca
andnon_ca
are unset, the extension will be omitted from the CA certificate.- zero
Max booleanIssuer Path Length When true, the "path length constraint" in Basic Constraints extension will be set to 0. if both
max_issuer_path_length
andzero_max_issuer_path_length
are unset, the max path length will be omitted from the CA certificate.
- is_
ca bool When true, the "CA" in Basic Constraints extension will be set to true.
- max_
issuer_ intpath_ length Refers to the "path length constraint" in Basic Constraints extension. For a CA certificate, this value describes the depth of subordinate CA certificates that are allowed. If this value is less than 0, the request will fail.
- non_
ca bool When true, the "CA" in Basic Constraints extension will be set to false. If both
is_ca
andnon_ca
are unset, the extension will be omitted from the CA certificate.- zero_
max_ boolissuer_ path_ length When true, the "path length constraint" in Basic Constraints extension will be set to 0. if both
max_issuer_path_length
andzero_max_issuer_path_length
are unset, the max path length will be omitted from the CA certificate.
- is
Ca Boolean When true, the "CA" in Basic Constraints extension will be set to true.
- max
Issuer NumberPath Length Refers to the "path length constraint" in Basic Constraints extension. For a CA certificate, this value describes the depth of subordinate CA certificates that are allowed. If this value is less than 0, the request will fail.
- non
Ca Boolean When true, the "CA" in Basic Constraints extension will be set to false. If both
is_ca
andnon_ca
are unset, the extension will be omitted from the CA certificate.- zero
Max BooleanIssuer Path Length When true, the "path length constraint" in Basic Constraints extension will be set to 0. if both
max_issuer_path_length
andzero_max_issuer_path_length
are unset, the max path length will be omitted from the CA certificate.
CaPoolIssuancePolicyBaselineValuesKeyUsage
- Base
Key CaUsage Pool Issuance Policy Baseline Values Key Usage Base Key Usage Describes high-level ways in which a key may be used. Structure is documented below.
- Extended
Key CaUsage Pool Issuance Policy Baseline Values Key Usage Extended Key Usage Describes high-level ways in which a key may be used. Structure is documented below.
- Unknown
Extended List<CaKey Usages Pool Issuance Policy Baseline Values Key Usage Unknown Extended Key Usage> An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. Structure is documented below.
- Base
Key CaUsage Pool Issuance Policy Baseline Values Key Usage Base Key Usage Describes high-level ways in which a key may be used. Structure is documented below.
- Extended
Key CaUsage Pool Issuance Policy Baseline Values Key Usage Extended Key Usage Describes high-level ways in which a key may be used. Structure is documented below.
- Unknown
Extended []CaKey Usages Pool Issuance Policy Baseline Values Key Usage Unknown Extended Key Usage An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. Structure is documented below.
- base
Key CaUsage Pool Issuance Policy Baseline Values Key Usage Base Key Usage Describes high-level ways in which a key may be used. Structure is documented below.
- extended
Key CaUsage Pool Issuance Policy Baseline Values Key Usage Extended Key Usage Describes high-level ways in which a key may be used. Structure is documented below.
- unknown
Extended List<CaKey Usages Pool Issuance Policy Baseline Values Key Usage Unknown Extended Key Usage> An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. Structure is documented below.
- base
Key CaUsage Pool Issuance Policy Baseline Values Key Usage Base Key Usage Describes high-level ways in which a key may be used. Structure is documented below.
- extended
Key CaUsage Pool Issuance Policy Baseline Values Key Usage Extended Key Usage Describes high-level ways in which a key may be used. Structure is documented below.
- unknown
Extended CaKey Usages Pool Issuance Policy Baseline Values Key Usage Unknown Extended Key Usage[] An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. Structure is documented below.
- base_
key_ Causage Pool Issuance Policy Baseline Values Key Usage Base Key Usage Describes high-level ways in which a key may be used. Structure is documented below.
- extended_
key_ Causage Pool Issuance Policy Baseline Values Key Usage Extended Key Usage Describes high-level ways in which a key may be used. Structure is documented below.
- unknown_
extended_ Sequence[Cakey_ usages Pool Issuance Policy Baseline Values Key Usage Unknown Extended Key Usage] An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. Structure is documented below.
- base
Key Property MapUsage Describes high-level ways in which a key may be used. Structure is documented below.
- extended
Key Property MapUsage Describes high-level ways in which a key may be used. Structure is documented below.
- unknown
Extended List<Property Map>Key Usages An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. Structure is documented below.
CaPoolIssuancePolicyBaselineValuesKeyUsageBaseKeyUsage
- Cert
Sign bool The key may be used to sign certificates.
- Content
Commitment bool The key may be used for cryptographic commitments. Note that this may also be referred to as "non-repudiation".
- Crl
Sign bool The key may be used sign certificate revocation lists.
- Data
Encipherment bool The key may be used to encipher data.
- Decipher
Only bool The key may be used to decipher only.
- Digital
Signature bool The key may be used for digital signatures.
- Encipher
Only bool The key may be used to encipher only.
- Key
Agreement bool The key may be used in a key agreement protocol.
- Key
Encipherment bool The key may be used to encipher other keys.
- Cert
Sign bool The key may be used to sign certificates.
- Content
Commitment bool The key may be used for cryptographic commitments. Note that this may also be referred to as "non-repudiation".
- Crl
Sign bool The key may be used sign certificate revocation lists.
- Data
Encipherment bool The key may be used to encipher data.
- Decipher
Only bool The key may be used to decipher only.
- Digital
Signature bool The key may be used for digital signatures.
- Encipher
Only bool The key may be used to encipher only.
- Key
Agreement bool The key may be used in a key agreement protocol.
- Key
Encipherment bool The key may be used to encipher other keys.
- cert
Sign Boolean The key may be used to sign certificates.
- content
Commitment Boolean The key may be used for cryptographic commitments. Note that this may also be referred to as "non-repudiation".
- crl
Sign Boolean The key may be used sign certificate revocation lists.
- data
Encipherment Boolean The key may be used to encipher data.
- decipher
Only Boolean The key may be used to decipher only.
- digital
Signature Boolean The key may be used for digital signatures.
- encipher
Only Boolean The key may be used to encipher only.
- key
Agreement Boolean The key may be used in a key agreement protocol.
- key
Encipherment Boolean The key may be used to encipher other keys.
- cert
Sign boolean The key may be used to sign certificates.
- content
Commitment boolean The key may be used for cryptographic commitments. Note that this may also be referred to as "non-repudiation".
- crl
Sign boolean The key may be used sign certificate revocation lists.
- data
Encipherment boolean The key may be used to encipher data.
- decipher
Only boolean The key may be used to decipher only.
- digital
Signature boolean The key may be used for digital signatures.
- encipher
Only boolean The key may be used to encipher only.
- key
Agreement boolean The key may be used in a key agreement protocol.
- key
Encipherment boolean The key may be used to encipher other keys.
- cert_
sign bool The key may be used to sign certificates.
- content_
commitment bool The key may be used for cryptographic commitments. Note that this may also be referred to as "non-repudiation".
- crl_
sign bool The key may be used sign certificate revocation lists.
- data_
encipherment bool The key may be used to encipher data.
- decipher_
only bool The key may be used to decipher only.
- digital_
signature bool The key may be used for digital signatures.
- encipher_
only bool The key may be used to encipher only.
- key_
agreement bool The key may be used in a key agreement protocol.
- key_
encipherment bool The key may be used to encipher other keys.
- cert
Sign Boolean The key may be used to sign certificates.
- content
Commitment Boolean The key may be used for cryptographic commitments. Note that this may also be referred to as "non-repudiation".
- crl
Sign Boolean The key may be used sign certificate revocation lists.
- data
Encipherment Boolean The key may be used to encipher data.
- decipher
Only Boolean The key may be used to decipher only.
- digital
Signature Boolean The key may be used for digital signatures.
- encipher
Only Boolean The key may be used to encipher only.
- key
Agreement Boolean The key may be used in a key agreement protocol.
- key
Encipherment Boolean The key may be used to encipher other keys.
CaPoolIssuancePolicyBaselineValuesKeyUsageExtendedKeyUsage
- Client
Auth bool Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as "TLS WWW client authentication", though regularly used for non-WWW TLS.
- Code
Signing bool Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as "Signing of downloadable executable code client authentication".
- Email
Protection bool Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as "Email protection".
- Ocsp
Signing bool Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as "Signing OCSP responses".
- Server
Auth bool Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as "TLS WWW server authentication", though regularly used for non-WWW TLS.
- Time
Stamping bool Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as "Binding the hash of an object to a time".
- Client
Auth bool Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as "TLS WWW client authentication", though regularly used for non-WWW TLS.
- Code
Signing bool Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as "Signing of downloadable executable code client authentication".
- Email
Protection bool Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as "Email protection".
- Ocsp
Signing bool Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as "Signing OCSP responses".
- Server
Auth bool Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as "TLS WWW server authentication", though regularly used for non-WWW TLS.
- Time
Stamping bool Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as "Binding the hash of an object to a time".
- client
Auth Boolean Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as "TLS WWW client authentication", though regularly used for non-WWW TLS.
- code
Signing Boolean Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as "Signing of downloadable executable code client authentication".
- email
Protection Boolean Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as "Email protection".
- ocsp
Signing Boolean Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as "Signing OCSP responses".
- server
Auth Boolean Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as "TLS WWW server authentication", though regularly used for non-WWW TLS.
- time
Stamping Boolean Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as "Binding the hash of an object to a time".
- client
Auth boolean Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as "TLS WWW client authentication", though regularly used for non-WWW TLS.
- code
Signing boolean Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as "Signing of downloadable executable code client authentication".
- email
Protection boolean Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as "Email protection".
- ocsp
Signing boolean Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as "Signing OCSP responses".
- server
Auth boolean Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as "TLS WWW server authentication", though regularly used for non-WWW TLS.
- time
Stamping boolean Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as "Binding the hash of an object to a time".
- client_
auth bool Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as "TLS WWW client authentication", though regularly used for non-WWW TLS.
- code_
signing bool Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as "Signing of downloadable executable code client authentication".
- email_
protection bool Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as "Email protection".
- ocsp_
signing bool Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as "Signing OCSP responses".
- server_
auth bool Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as "TLS WWW server authentication", though regularly used for non-WWW TLS.
- time_
stamping bool Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as "Binding the hash of an object to a time".
- client
Auth Boolean Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as "TLS WWW client authentication", though regularly used for non-WWW TLS.
- code
Signing Boolean Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as "Signing of downloadable executable code client authentication".
- email
Protection Boolean Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as "Email protection".
- ocsp
Signing Boolean Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as "Signing OCSP responses".
- server
Auth Boolean Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as "TLS WWW server authentication", though regularly used for non-WWW TLS.
- time
Stamping Boolean Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as "Binding the hash of an object to a time".
CaPoolIssuancePolicyBaselineValuesKeyUsageUnknownExtendedKeyUsage
- Object
Id List<int>Paths An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
- Object
Id []intPaths An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
- object
Id List<Integer>Paths An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
- object
Id number[]Paths An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
- object_
id_ Sequence[int]paths An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
- object
Id List<Number>Paths An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
CaPoolIssuancePolicyBaselineValuesNameConstraints
- Critical bool
Indicates whether or not the name constraints are marked critical.
- Excluded
Dns List<string>Names Contains excluded DNS names. Any DNS name that can be constructed by simply adding zero or more labels to the left-hand side of the name satisfies the name constraint. For example,
example.com
,www.example.com
,www.sub.example.com
would satisfyexample.com
whileexample1.com
does not.- Excluded
Email List<string>Addresses Contains the excluded email addresses. The value can be a particular email address, a hostname to indicate all email addresses on that host or a domain with a leading period (e.g.
.example.com
) to indicate all email addresses in that domain.- Excluded
Ip List<string>Ranges Contains the excluded IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.
- Excluded
Uris List<string> Contains the excluded URIs that apply to the host part of the name. The value can be a hostname or a domain with a leading period (like
.example.com
)- Permitted
Dns List<string>Names Contains permitted DNS names. Any DNS name that can be constructed by simply adding zero or more labels to the left-hand side of the name satisfies the name constraint. For example,
example.com
,www.example.com
,www.sub.example.com
would satisfyexample.com
whileexample1.com
does not.- Permitted
Email List<string>Addresses Contains the permitted email addresses. The value can be a particular email address, a hostname to indicate all email addresses on that host or a domain with a leading period (e.g.
.example.com
) to indicate all email addresses in that domain.- Permitted
Ip List<string>Ranges Contains the permitted IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.
- Permitted
Uris List<string> Contains the permitted URIs that apply to the host part of the name. The value can be a hostname or a domain with a leading period (like
.example.com
)
- Critical bool
Indicates whether or not the name constraints are marked critical.
- Excluded
Dns []stringNames Contains excluded DNS names. Any DNS name that can be constructed by simply adding zero or more labels to the left-hand side of the name satisfies the name constraint. For example,
example.com
,www.example.com
,www.sub.example.com
would satisfyexample.com
whileexample1.com
does not.- Excluded
Email []stringAddresses Contains the excluded email addresses. The value can be a particular email address, a hostname to indicate all email addresses on that host or a domain with a leading period (e.g.
.example.com
) to indicate all email addresses in that domain.- Excluded
Ip []stringRanges Contains the excluded IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.
- Excluded
Uris []string Contains the excluded URIs that apply to the host part of the name. The value can be a hostname or a domain with a leading period (like
.example.com
)- Permitted
Dns []stringNames Contains permitted DNS names. Any DNS name that can be constructed by simply adding zero or more labels to the left-hand side of the name satisfies the name constraint. For example,
example.com
,www.example.com
,www.sub.example.com
would satisfyexample.com
whileexample1.com
does not.- Permitted
Email []stringAddresses Contains the permitted email addresses. The value can be a particular email address, a hostname to indicate all email addresses on that host or a domain with a leading period (e.g.
.example.com
) to indicate all email addresses in that domain.- Permitted
Ip []stringRanges Contains the permitted IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.
- Permitted
Uris []string Contains the permitted URIs that apply to the host part of the name. The value can be a hostname or a domain with a leading period (like
.example.com
)
- critical Boolean
Indicates whether or not the name constraints are marked critical.
- excluded
Dns List<String>Names Contains excluded DNS names. Any DNS name that can be constructed by simply adding zero or more labels to the left-hand side of the name satisfies the name constraint. For example,
example.com
,www.example.com
,www.sub.example.com
would satisfyexample.com
whileexample1.com
does not.- excluded
Email List<String>Addresses Contains the excluded email addresses. The value can be a particular email address, a hostname to indicate all email addresses on that host or a domain with a leading period (e.g.
.example.com
) to indicate all email addresses in that domain.- excluded
Ip List<String>Ranges Contains the excluded IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.
- excluded
Uris List<String> Contains the excluded URIs that apply to the host part of the name. The value can be a hostname or a domain with a leading period (like
.example.com
)- permitted
Dns List<String>Names Contains permitted DNS names. Any DNS name that can be constructed by simply adding zero or more labels to the left-hand side of the name satisfies the name constraint. For example,
example.com
,www.example.com
,www.sub.example.com
would satisfyexample.com
whileexample1.com
does not.- permitted
Email List<String>Addresses Contains the permitted email addresses. The value can be a particular email address, a hostname to indicate all email addresses on that host or a domain with a leading period (e.g.
.example.com
) to indicate all email addresses in that domain.- permitted
Ip List<String>Ranges Contains the permitted IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.
- permitted
Uris List<String> Contains the permitted URIs that apply to the host part of the name. The value can be a hostname or a domain with a leading period (like
.example.com
)
- critical boolean
Indicates whether or not the name constraints are marked critical.
- excluded
Dns string[]Names Contains excluded DNS names. Any DNS name that can be constructed by simply adding zero or more labels to the left-hand side of the name satisfies the name constraint. For example,
example.com
,www.example.com
,www.sub.example.com
would satisfyexample.com
whileexample1.com
does not.- excluded
Email string[]Addresses Contains the excluded email addresses. The value can be a particular email address, a hostname to indicate all email addresses on that host or a domain with a leading period (e.g.
.example.com
) to indicate all email addresses in that domain.- excluded
Ip string[]Ranges Contains the excluded IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.
- excluded
Uris string[] Contains the excluded URIs that apply to the host part of the name. The value can be a hostname or a domain with a leading period (like
.example.com
)- permitted
Dns string[]Names Contains permitted DNS names. Any DNS name that can be constructed by simply adding zero or more labels to the left-hand side of the name satisfies the name constraint. For example,
example.com
,www.example.com
,www.sub.example.com
would satisfyexample.com
whileexample1.com
does not.- permitted
Email string[]Addresses Contains the permitted email addresses. The value can be a particular email address, a hostname to indicate all email addresses on that host or a domain with a leading period (e.g.
.example.com
) to indicate all email addresses in that domain.- permitted
Ip string[]Ranges Contains the permitted IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.
- permitted
Uris string[] Contains the permitted URIs that apply to the host part of the name. The value can be a hostname or a domain with a leading period (like
.example.com
)
- critical bool
Indicates whether or not the name constraints are marked critical.
- excluded_
dns_ Sequence[str]names Contains excluded DNS names. Any DNS name that can be constructed by simply adding zero or more labels to the left-hand side of the name satisfies the name constraint. For example,
example.com
,www.example.com
,www.sub.example.com
would satisfyexample.com
whileexample1.com
does not.- excluded_
email_ Sequence[str]addresses Contains the excluded email addresses. The value can be a particular email address, a hostname to indicate all email addresses on that host or a domain with a leading period (e.g.
.example.com
) to indicate all email addresses in that domain.- excluded_
ip_ Sequence[str]ranges Contains the excluded IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.
- excluded_
uris Sequence[str] Contains the excluded URIs that apply to the host part of the name. The value can be a hostname or a domain with a leading period (like
.example.com
)- permitted_
dns_ Sequence[str]names Contains permitted DNS names. Any DNS name that can be constructed by simply adding zero or more labels to the left-hand side of the name satisfies the name constraint. For example,
example.com
,www.example.com
,www.sub.example.com
would satisfyexample.com
whileexample1.com
does not.- permitted_
email_ Sequence[str]addresses Contains the permitted email addresses. The value can be a particular email address, a hostname to indicate all email addresses on that host or a domain with a leading period (e.g.
.example.com
) to indicate all email addresses in that domain.- permitted_
ip_ Sequence[str]ranges Contains the permitted IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.
- permitted_
uris Sequence[str] Contains the permitted URIs that apply to the host part of the name. The value can be a hostname or a domain with a leading period (like
.example.com
)
- critical Boolean
Indicates whether or not the name constraints are marked critical.
- excluded
Dns List<String>Names Contains excluded DNS names. Any DNS name that can be constructed by simply adding zero or more labels to the left-hand side of the name satisfies the name constraint. For example,
example.com
,www.example.com
,www.sub.example.com
would satisfyexample.com
whileexample1.com
does not.- excluded
Email List<String>Addresses Contains the excluded email addresses. The value can be a particular email address, a hostname to indicate all email addresses on that host or a domain with a leading period (e.g.
.example.com
) to indicate all email addresses in that domain.- excluded
Ip List<String>Ranges Contains the excluded IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.
- excluded
Uris List<String> Contains the excluded URIs that apply to the host part of the name. The value can be a hostname or a domain with a leading period (like
.example.com
)- permitted
Dns List<String>Names Contains permitted DNS names. Any DNS name that can be constructed by simply adding zero or more labels to the left-hand side of the name satisfies the name constraint. For example,
example.com
,www.example.com
,www.sub.example.com
would satisfyexample.com
whileexample1.com
does not.- permitted
Email List<String>Addresses Contains the permitted email addresses. The value can be a particular email address, a hostname to indicate all email addresses on that host or a domain with a leading period (e.g.
.example.com
) to indicate all email addresses in that domain.- permitted
Ip List<String>Ranges Contains the permitted IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.
- permitted
Uris List<String> Contains the permitted URIs that apply to the host part of the name. The value can be a hostname or a domain with a leading period (like
.example.com
)
CaPoolIssuancePolicyBaselineValuesPolicyId
- Object
Id List<int>Paths An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
- Object
Id []intPaths An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
- object
Id List<Integer>Paths An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
- object
Id number[]Paths An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
- object_
id_ Sequence[int]paths An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
- object
Id List<Number>Paths An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
CaPoolIssuancePolicyIdentityConstraints
- Allow
Subject boolAlt Names Passthrough If this is set, the SubjectAltNames extension may be copied from a certificate request into the signed certificate. Otherwise, the requested SubjectAltNames will be discarded.
- Allow
Subject boolPassthrough If this is set, the Subject field may be copied from a certificate request into the signed certificate. Otherwise, the requested Subject will be discarded.
- Cel
Expression CaPool Issuance Policy Identity Constraints Cel Expression A CEL expression that may be used to validate the resolved X.509 Subject and/or Subject Alternative Name before a certificate is signed. To see the full allowed syntax and some examples, see https://cloud.google.com/certificate-authority-service/docs/cel-guide Structure is documented below.
- Allow
Subject boolAlt Names Passthrough If this is set, the SubjectAltNames extension may be copied from a certificate request into the signed certificate. Otherwise, the requested SubjectAltNames will be discarded.
- Allow
Subject boolPassthrough If this is set, the Subject field may be copied from a certificate request into the signed certificate. Otherwise, the requested Subject will be discarded.
- Cel
Expression CaPool Issuance Policy Identity Constraints Cel Expression A CEL expression that may be used to validate the resolved X.509 Subject and/or Subject Alternative Name before a certificate is signed. To see the full allowed syntax and some examples, see https://cloud.google.com/certificate-authority-service/docs/cel-guide Structure is documented below.
- allow
Subject BooleanAlt Names Passthrough If this is set, the SubjectAltNames extension may be copied from a certificate request into the signed certificate. Otherwise, the requested SubjectAltNames will be discarded.
- allow
Subject BooleanPassthrough If this is set, the Subject field may be copied from a certificate request into the signed certificate. Otherwise, the requested Subject will be discarded.
- cel
Expression CaPool Issuance Policy Identity Constraints Cel Expression A CEL expression that may be used to validate the resolved X.509 Subject and/or Subject Alternative Name before a certificate is signed. To see the full allowed syntax and some examples, see https://cloud.google.com/certificate-authority-service/docs/cel-guide Structure is documented below.
- allow
Subject booleanAlt Names Passthrough If this is set, the SubjectAltNames extension may be copied from a certificate request into the signed certificate. Otherwise, the requested SubjectAltNames will be discarded.
- allow
Subject booleanPassthrough If this is set, the Subject field may be copied from a certificate request into the signed certificate. Otherwise, the requested Subject will be discarded.
- cel
Expression CaPool Issuance Policy Identity Constraints Cel Expression A CEL expression that may be used to validate the resolved X.509 Subject and/or Subject Alternative Name before a certificate is signed. To see the full allowed syntax and some examples, see https://cloud.google.com/certificate-authority-service/docs/cel-guide Structure is documented below.
- allow_
subject_ boolalt_ names_ passthrough If this is set, the SubjectAltNames extension may be copied from a certificate request into the signed certificate. Otherwise, the requested SubjectAltNames will be discarded.
- allow_
subject_ boolpassthrough If this is set, the Subject field may be copied from a certificate request into the signed certificate. Otherwise, the requested Subject will be discarded.
- cel_
expression CaPool Issuance Policy Identity Constraints Cel Expression A CEL expression that may be used to validate the resolved X.509 Subject and/or Subject Alternative Name before a certificate is signed. To see the full allowed syntax and some examples, see https://cloud.google.com/certificate-authority-service/docs/cel-guide Structure is documented below.
- allow
Subject BooleanAlt Names Passthrough If this is set, the SubjectAltNames extension may be copied from a certificate request into the signed certificate. Otherwise, the requested SubjectAltNames will be discarded.
- allow
Subject BooleanPassthrough If this is set, the Subject field may be copied from a certificate request into the signed certificate. Otherwise, the requested Subject will be discarded.
- cel
Expression Property Map A CEL expression that may be used to validate the resolved X.509 Subject and/or Subject Alternative Name before a certificate is signed. To see the full allowed syntax and some examples, see https://cloud.google.com/certificate-authority-service/docs/cel-guide Structure is documented below.
CaPoolIssuancePolicyIdentityConstraintsCelExpression
- Expression string
Textual representation of an expression in Common Expression Language syntax.
- Description string
Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
- Location string
String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.
- Title string
Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression.
- Expression string
Textual representation of an expression in Common Expression Language syntax.
- Description string
Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
- Location string
String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.
- Title string
Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression.
- expression String
Textual representation of an expression in Common Expression Language syntax.
- description String
Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
- location String
String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.
- title String
Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression.
- expression string
Textual representation of an expression in Common Expression Language syntax.
- description string
Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
- location string
String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.
- title string
Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression.
- expression str
Textual representation of an expression in Common Expression Language syntax.
- description str
Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
- location str
String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.
- title str
Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression.
- expression String
Textual representation of an expression in Common Expression Language syntax.
- description String
Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
- location String
String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.
- title String
Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression.
CaPoolPublishingOptions
- Publish
Ca boolCert When true, publishes each CertificateAuthority's CA certificate and includes its URL in the "Authority Information Access" X.509 extension in all issued Certificates. If this is false, the CA certificate will not be published and the corresponding X.509 extension will not be written in issued certificates.
- Publish
Crl bool When true, publishes each CertificateAuthority's CRL and includes its URL in the "CRL Distribution Points" X.509 extension in all issued Certificates. If this is false, CRLs will not be published and the corresponding X.509 extension will not be written in issued certificates. CRLs will expire 7 days from their creation. However, we will rebuild daily. CRLs are also rebuilt shortly after a certificate is revoked.
- Encoding
Format string Specifies the encoding format of each CertificateAuthority's CA certificate and CRLs. If this is omitted, CA certificates and CRLs will be published in PEM. Possible values are:
PEM
,DER
.
- Publish
Ca boolCert When true, publishes each CertificateAuthority's CA certificate and includes its URL in the "Authority Information Access" X.509 extension in all issued Certificates. If this is false, the CA certificate will not be published and the corresponding X.509 extension will not be written in issued certificates.
- Publish
Crl bool When true, publishes each CertificateAuthority's CRL and includes its URL in the "CRL Distribution Points" X.509 extension in all issued Certificates. If this is false, CRLs will not be published and the corresponding X.509 extension will not be written in issued certificates. CRLs will expire 7 days from their creation. However, we will rebuild daily. CRLs are also rebuilt shortly after a certificate is revoked.
- Encoding
Format string Specifies the encoding format of each CertificateAuthority's CA certificate and CRLs. If this is omitted, CA certificates and CRLs will be published in PEM. Possible values are:
PEM
,DER
.
- publish
Ca BooleanCert When true, publishes each CertificateAuthority's CA certificate and includes its URL in the "Authority Information Access" X.509 extension in all issued Certificates. If this is false, the CA certificate will not be published and the corresponding X.509 extension will not be written in issued certificates.
- publish
Crl Boolean When true, publishes each CertificateAuthority's CRL and includes its URL in the "CRL Distribution Points" X.509 extension in all issued Certificates. If this is false, CRLs will not be published and the corresponding X.509 extension will not be written in issued certificates. CRLs will expire 7 days from their creation. However, we will rebuild daily. CRLs are also rebuilt shortly after a certificate is revoked.
- encoding
Format String Specifies the encoding format of each CertificateAuthority's CA certificate and CRLs. If this is omitted, CA certificates and CRLs will be published in PEM. Possible values are:
PEM
,DER
.
- publish
Ca booleanCert When true, publishes each CertificateAuthority's CA certificate and includes its URL in the "Authority Information Access" X.509 extension in all issued Certificates. If this is false, the CA certificate will not be published and the corresponding X.509 extension will not be written in issued certificates.
- publish
Crl boolean When true, publishes each CertificateAuthority's CRL and includes its URL in the "CRL Distribution Points" X.509 extension in all issued Certificates. If this is false, CRLs will not be published and the corresponding X.509 extension will not be written in issued certificates. CRLs will expire 7 days from their creation. However, we will rebuild daily. CRLs are also rebuilt shortly after a certificate is revoked.
- encoding
Format string Specifies the encoding format of each CertificateAuthority's CA certificate and CRLs. If this is omitted, CA certificates and CRLs will be published in PEM. Possible values are:
PEM
,DER
.
- publish_
ca_ boolcert When true, publishes each CertificateAuthority's CA certificate and includes its URL in the "Authority Information Access" X.509 extension in all issued Certificates. If this is false, the CA certificate will not be published and the corresponding X.509 extension will not be written in issued certificates.
- publish_
crl bool When true, publishes each CertificateAuthority's CRL and includes its URL in the "CRL Distribution Points" X.509 extension in all issued Certificates. If this is false, CRLs will not be published and the corresponding X.509 extension will not be written in issued certificates. CRLs will expire 7 days from their creation. However, we will rebuild daily. CRLs are also rebuilt shortly after a certificate is revoked.
- encoding_
format str Specifies the encoding format of each CertificateAuthority's CA certificate and CRLs. If this is omitted, CA certificates and CRLs will be published in PEM. Possible values are:
PEM
,DER
.
- publish
Ca BooleanCert When true, publishes each CertificateAuthority's CA certificate and includes its URL in the "Authority Information Access" X.509 extension in all issued Certificates. If this is false, the CA certificate will not be published and the corresponding X.509 extension will not be written in issued certificates.
- publish
Crl Boolean When true, publishes each CertificateAuthority's CRL and includes its URL in the "CRL Distribution Points" X.509 extension in all issued Certificates. If this is false, CRLs will not be published and the corresponding X.509 extension will not be written in issued certificates. CRLs will expire 7 days from their creation. However, we will rebuild daily. CRLs are also rebuilt shortly after a certificate is revoked.
- encoding
Format String Specifies the encoding format of each CertificateAuthority's CA certificate and CRLs. If this is omitted, CA certificates and CRLs will be published in PEM. Possible values are:
PEM
,DER
.
Import
CaPool can be imported using any of these accepted formats
$ pulumi import gcp:certificateauthority/caPool:CaPool default projects/{{project}}/locations/{{location}}/caPools/{{name}}
$ pulumi import gcp:certificateauthority/caPool:CaPool default {{project}}/{{location}}/{{name}}
$ pulumi import gcp:certificateauthority/caPool:CaPool default {{location}}/{{name}}
Package Details
- Repository
- Google Cloud (GCP) Classic pulumi/pulumi-gcp
- License
- Apache-2.0
- Notes
This Pulumi package is based on the
google-beta
Terraform Provider.