gcp.certificateauthority.CaPool

Location of the CaPool. A full list of valid locations can be found by running gcloud privateca locations list.

The Tier of this CaPool. Possible values are: ENTERPRISE, DEVOPS.

The IssuancePolicy to control how Certificates will be issued from this CaPool. Structure is documented below.

Labels with user-defined metadata. An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.

The name for this CaPool.

The ID of the project in which the resource belongs. If it is not provided, the provider project is used.

The PublishingOptions to follow when issuing Certificates from any CertificateAuthority in this CaPool. Structure is documented below.

Location of the CaPool. A full list of valid locations can be found by running gcloud privateca locations list.

The Tier of this CaPool. Possible values are: ENTERPRISE, DEVOPS.

The IssuancePolicy to control how Certificates will be issued from this CaPool. Structure is documented below.

Labels with user-defined metadata. An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.

The name for this CaPool.

The ID of the project in which the resource belongs. If it is not provided, the provider project is used.

The PublishingOptions to follow when issuing Certificates from any CertificateAuthority in this CaPool. Structure is documented below.

Location of the CaPool. A full list of valid locations can be found by running gcloud privateca locations list.

The Tier of this CaPool. Possible values are: ENTERPRISE, DEVOPS.

The IssuancePolicy to control how Certificates will be issued from this CaPool. Structure is documented below.

Labels with user-defined metadata. An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.

The name for this CaPool.

The ID of the project in which the resource belongs. If it is not provided, the provider project is used.

The PublishingOptions to follow when issuing Certificates from any CertificateAuthority in this CaPool. Structure is documented below.

Location of the CaPool. A full list of valid locations can be found by running gcloud privateca locations list.

The Tier of this CaPool. Possible values are: ENTERPRISE, DEVOPS.

The IssuancePolicy to control how Certificates will be issued from this CaPool. Structure is documented below.

Labels with user-defined metadata. An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.

The name for this CaPool.

The ID of the project in which the resource belongs. If it is not provided, the provider project is used.

The PublishingOptions to follow when issuing Certificates from any CertificateAuthority in this CaPool. Structure is documented below.

Location of the CaPool. A full list of valid locations can be found by running gcloud privateca locations list.

The Tier of this CaPool. Possible values are: ENTERPRISE, DEVOPS.

The IssuancePolicy to control how Certificates will be issued from this CaPool. Structure is documented below.

Labels with user-defined metadata. An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.

The name for this CaPool.

The ID of the project in which the resource belongs. If it is not provided, the provider project is used.

The PublishingOptions to follow when issuing Certificates from any CertificateAuthority in this CaPool. Structure is documented below.

Location of the CaPool. A full list of valid locations can be found by running gcloud privateca locations list.

The Tier of this CaPool. Possible values are: ENTERPRISE, DEVOPS.

The IssuancePolicy to control how Certificates will be issued from this CaPool. Structure is documented below.

Labels with user-defined metadata. An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.

The name for this CaPool.

The ID of the project in which the resource belongs. If it is not provided, the provider project is used.

The PublishingOptions to follow when issuing Certificates from any CertificateAuthority in this CaPool. Structure is documented below.

The provider-assigned unique ID for this managed resource.

The provider-assigned unique ID for this managed resource.

The provider-assigned unique ID for this managed resource.

The provider-assigned unique ID for this managed resource.

The provider-assigned unique ID for this managed resource.

The provider-assigned unique ID for this managed resource.

IssuanceModes specifies the allowed ways in which Certificates may be requested from this CaPool. Structure is documented below.

If any AllowedKeyType is specified, then the certificate request's public key must match one of the key types listed here. Otherwise, any key may be used. Structure is documented below.

A set of X.509 values that will be applied to all certificates issued through this CaPool. If a certificate request includes conflicting values for the same properties, they will be overwritten by the values defined here. If a certificate request uses a CertificateTemplate that defines conflicting predefinedValues for the same properties, the certificate issuance request will fail. Structure is documented below.

Describes constraints on identities that may appear in Certificates issued through this CaPool. If this is omitted, then this CaPool will not add restrictions on a certificate's identity. Structure is documented below.

The maximum lifetime allowed for issued Certificates. Note that if the issuing CertificateAuthority expires before a Certificate's requested maximumLifetime, the effective lifetime will be explicitly truncated to match it.

IssuanceModes specifies the allowed ways in which Certificates may be requested from this CaPool. Structure is documented below.

If any AllowedKeyType is specified, then the certificate request's public key must match one of the key types listed here. Otherwise, any key may be used. Structure is documented below.

A set of X.509 values that will be applied to all certificates issued through this CaPool. If a certificate request includes conflicting values for the same properties, they will be overwritten by the values defined here. If a certificate request uses a CertificateTemplate that defines conflicting predefinedValues for the same properties, the certificate issuance request will fail. Structure is documented below.

Describes constraints on identities that may appear in Certificates issued through this CaPool. If this is omitted, then this CaPool will not add restrictions on a certificate's identity. Structure is documented below.

The maximum lifetime allowed for issued Certificates. Note that if the issuing CertificateAuthority expires before a Certificate's requested maximumLifetime, the effective lifetime will be explicitly truncated to match it.

IssuanceModes specifies the allowed ways in which Certificates may be requested from this CaPool. Structure is documented below.

If any AllowedKeyType is specified, then the certificate request's public key must match one of the key types listed here. Otherwise, any key may be used. Structure is documented below.

A set of X.509 values that will be applied to all certificates issued through this CaPool. If a certificate request includes conflicting values for the same properties, they will be overwritten by the values defined here. If a certificate request uses a CertificateTemplate that defines conflicting predefinedValues for the same properties, the certificate issuance request will fail. Structure is documented below.

Describes constraints on identities that may appear in Certificates issued through this CaPool. If this is omitted, then this CaPool will not add restrictions on a certificate's identity. Structure is documented below.

The maximum lifetime allowed for issued Certificates. Note that if the issuing CertificateAuthority expires before a Certificate's requested maximumLifetime, the effective lifetime will be explicitly truncated to match it.

IssuanceModes specifies the allowed ways in which Certificates may be requested from this CaPool. Structure is documented below.

If any AllowedKeyType is specified, then the certificate request's public key must match one of the key types listed here. Otherwise, any key may be used. Structure is documented below.

A set of X.509 values that will be applied to all certificates issued through this CaPool. If a certificate request includes conflicting values for the same properties, they will be overwritten by the values defined here. If a certificate request uses a CertificateTemplate that defines conflicting predefinedValues for the same properties, the certificate issuance request will fail. Structure is documented below.

Describes constraints on identities that may appear in Certificates issued through this CaPool. If this is omitted, then this CaPool will not add restrictions on a certificate's identity. Structure is documented below.

The maximum lifetime allowed for issued Certificates. Note that if the issuing CertificateAuthority expires before a Certificate's requested maximumLifetime, the effective lifetime will be explicitly truncated to match it.

IssuanceModes specifies the allowed ways in which Certificates may be requested from this CaPool. Structure is documented below.

If any AllowedKeyType is specified, then the certificate request's public key must match one of the key types listed here. Otherwise, any key may be used. Structure is documented below.

A set of X.509 values that will be applied to all certificates issued through this CaPool. If a certificate request includes conflicting values for the same properties, they will be overwritten by the values defined here. If a certificate request uses a CertificateTemplate that defines conflicting predefinedValues for the same properties, the certificate issuance request will fail. Structure is documented below.

Describes constraints on identities that may appear in Certificates issued through this CaPool. If this is omitted, then this CaPool will not add restrictions on a certificate's identity. Structure is documented below.

The maximum lifetime allowed for issued Certificates. Note that if the issuing CertificateAuthority expires before a Certificate's requested maximumLifetime, the effective lifetime will be explicitly truncated to match it.

IssuanceModes specifies the allowed ways in which Certificates may be requested from this CaPool. Structure is documented below.

If any AllowedKeyType is specified, then the certificate request's public key must match one of the key types listed here. Otherwise, any key may be used. Structure is documented below.

A set of X.509 values that will be applied to all certificates issued through this CaPool. If a certificate request includes conflicting values for the same properties, they will be overwritten by the values defined here. If a certificate request uses a CertificateTemplate that defines conflicting predefinedValues for the same properties, the certificate issuance request will fail. Structure is documented below.

Describes constraints on identities that may appear in Certificates issued through this CaPool. If this is omitted, then this CaPool will not add restrictions on a certificate's identity. Structure is documented below.

The maximum lifetime allowed for issued Certificates. Note that if the issuing CertificateAuthority expires before a Certificate's requested maximumLifetime, the effective lifetime will be explicitly truncated to match it.

When true, allows callers to create Certificates by specifying a CertificateConfig.

When true, allows callers to create Certificates by specifying a CSR.

When true, allows callers to create Certificates by specifying a CertificateConfig.

When true, allows callers to create Certificates by specifying a CSR.

When true, allows callers to create Certificates by specifying a CertificateConfig.

When true, allows callers to create Certificates by specifying a CSR.

When true, allows callers to create Certificates by specifying a CertificateConfig.

When true, allows callers to create Certificates by specifying a CSR.

When true, allows callers to create Certificates by specifying a CertificateConfig.

When true, allows callers to create Certificates by specifying a CSR.

When true, allows callers to create Certificates by specifying a CertificateConfig.

When true, allows callers to create Certificates by specifying a CSR.

Represents an allowed Elliptic Curve key type. Structure is documented below.

Describes an RSA key that may be used in a Certificate issued from a CaPool. Structure is documented below.

Represents an allowed Elliptic Curve key type. Structure is documented below.

Describes an RSA key that may be used in a Certificate issued from a CaPool. Structure is documented below.

Represents an allowed Elliptic Curve key type. Structure is documented below.

Describes an RSA key that may be used in a Certificate issued from a CaPool. Structure is documented below.

Represents an allowed Elliptic Curve key type. Structure is documented below.

Describes an RSA key that may be used in a Certificate issued from a CaPool. Structure is documented below.

Represents an allowed Elliptic Curve key type. Structure is documented below.

Describes an RSA key that may be used in a Certificate issued from a CaPool. Structure is documented below.

Represents an allowed Elliptic Curve key type. Structure is documented below.

Describes an RSA key that may be used in a Certificate issued from a CaPool. Structure is documented below.

The algorithm used. Possible values are: ECDSA_P256, ECDSA_P384, EDDSA_25519.

The algorithm used. Possible values are: ECDSA_P256, ECDSA_P384, EDDSA_25519.

The algorithm used. Possible values are: ECDSA_P256, ECDSA_P384, EDDSA_25519.

The algorithm used. Possible values are: ECDSA_P256, ECDSA_P384, EDDSA_25519.

The algorithm used. Possible values are: ECDSA_P256, ECDSA_P384, EDDSA_25519.

The algorithm used. Possible values are: ECDSA_P256, ECDSA_P384, EDDSA_25519.

The maximum allowed RSA modulus size, in bits. If this is not set, or if set to zero, the service will not enforce an explicit upper bound on RSA modulus sizes.

The minimum allowed RSA modulus size, in bits. If this is not set, or if set to zero, the service-level min RSA modulus size will continue to apply.

The maximum allowed RSA modulus size, in bits. If this is not set, or if set to zero, the service will not enforce an explicit upper bound on RSA modulus sizes.

The minimum allowed RSA modulus size, in bits. If this is not set, or if set to zero, the service-level min RSA modulus size will continue to apply.

The maximum allowed RSA modulus size, in bits. If this is not set, or if set to zero, the service will not enforce an explicit upper bound on RSA modulus sizes.

The minimum allowed RSA modulus size, in bits. If this is not set, or if set to zero, the service-level min RSA modulus size will continue to apply.

The maximum allowed RSA modulus size, in bits. If this is not set, or if set to zero, the service will not enforce an explicit upper bound on RSA modulus sizes.

The minimum allowed RSA modulus size, in bits. If this is not set, or if set to zero, the service-level min RSA modulus size will continue to apply.

The maximum allowed RSA modulus size, in bits. If this is not set, or if set to zero, the service will not enforce an explicit upper bound on RSA modulus sizes.

The minimum allowed RSA modulus size, in bits. If this is not set, or if set to zero, the service-level min RSA modulus size will continue to apply.

The maximum allowed RSA modulus size, in bits. If this is not set, or if set to zero, the service will not enforce an explicit upper bound on RSA modulus sizes.

The minimum allowed RSA modulus size, in bits. If this is not set, or if set to zero, the service-level min RSA modulus size will continue to apply.

Describes values that are relevant in a CA certificate. Structure is documented below.

Indicates the intended use for keys that correspond to a certificate. Structure is documented below.

Specifies an X.509 extension, which may be used in different parts of X.509 objects like certificates, CSRs, and CRLs. Structure is documented below.

Describes Online Certificate Status Protocol (OCSP) endpoint addresses that appear in the "Authority Information Access" extension in the certificate.

Describes the X.509 name constraints extension. Structure is documented below.

Describes the X.509 certificate policy object identifiers, per https://tools.ietf.org/html/rfc5280#section-4.2.1.4. Structure is documented below.

Describes values that are relevant in a CA certificate. Structure is documented below.

Indicates the intended use for keys that correspond to a certificate. Structure is documented below.

Specifies an X.509 extension, which may be used in different parts of X.509 objects like certificates, CSRs, and CRLs. Structure is documented below.

Describes Online Certificate Status Protocol (OCSP) endpoint addresses that appear in the "Authority Information Access" extension in the certificate.

Describes the X.509 name constraints extension. Structure is documented below.

Describes the X.509 certificate policy object identifiers, per https://tools.ietf.org/html/rfc5280#section-4.2.1.4. Structure is documented below.

Describes values that are relevant in a CA certificate. Structure is documented below.

Indicates the intended use for keys that correspond to a certificate. Structure is documented below.

Specifies an X.509 extension, which may be used in different parts of X.509 objects like certificates, CSRs, and CRLs. Structure is documented below.

Describes Online Certificate Status Protocol (OCSP) endpoint addresses that appear in the "Authority Information Access" extension in the certificate.

Describes the X.509 name constraints extension. Structure is documented below.

Describes the X.509 certificate policy object identifiers, per https://tools.ietf.org/html/rfc5280#section-4.2.1.4. Structure is documented below.

Describes values that are relevant in a CA certificate. Structure is documented below.

Indicates the intended use for keys that correspond to a certificate. Structure is documented below.

Specifies an X.509 extension, which may be used in different parts of X.509 objects like certificates, CSRs, and CRLs. Structure is documented below.

Describes Online Certificate Status Protocol (OCSP) endpoint addresses that appear in the "Authority Information Access" extension in the certificate.

Describes the X.509 name constraints extension. Structure is documented below.

Describes the X.509 certificate policy object identifiers, per https://tools.ietf.org/html/rfc5280#section-4.2.1.4. Structure is documented below.

Describes values that are relevant in a CA certificate. Structure is documented below.

Indicates the intended use for keys that correspond to a certificate. Structure is documented below.

Specifies an X.509 extension, which may be used in different parts of X.509 objects like certificates, CSRs, and CRLs. Structure is documented below.

Describes Online Certificate Status Protocol (OCSP) endpoint addresses that appear in the "Authority Information Access" extension in the certificate.

Describes the X.509 name constraints extension. Structure is documented below.

Describes the X.509 certificate policy object identifiers, per https://tools.ietf.org/html/rfc5280#section-4.2.1.4. Structure is documented below.

Describes values that are relevant in a CA certificate. Structure is documented below.

Indicates the intended use for keys that correspond to a certificate. Structure is documented below.

Specifies an X.509 extension, which may be used in different parts of X.509 objects like certificates, CSRs, and CRLs. Structure is documented below.

Describes Online Certificate Status Protocol (OCSP) endpoint addresses that appear in the "Authority Information Access" extension in the certificate.

Describes the X.509 name constraints extension. Structure is documented below.

Describes the X.509 certificate policy object identifiers, per https://tools.ietf.org/html/rfc5280#section-4.2.1.4. Structure is documented below.

Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error).

Describes values that are relevant in a CA certificate. Structure is documented below.

The value of this X.509 extension. A base64-encoded string.

Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error).

Describes values that are relevant in a CA certificate. Structure is documented below.

The value of this X.509 extension. A base64-encoded string.

Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error).

Describes values that are relevant in a CA certificate. Structure is documented below.

The value of this X.509 extension. A base64-encoded string.

Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error).

Describes values that are relevant in a CA certificate. Structure is documented below.

The value of this X.509 extension. A base64-encoded string.

Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error).

Describes values that are relevant in a CA certificate. Structure is documented below.

The value of this X.509 extension. A base64-encoded string.

Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error).

Describes values that are relevant in a CA certificate. Structure is documented below.

The value of this X.509 extension. A base64-encoded string.

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.

When true, the "CA" in Basic Constraints extension will be set to true.

Refers to the "path length constraint" in Basic Constraints extension. For a CA certificate, this value describes the depth of subordinate CA certificates that are allowed. If this value is less than 0, the request will fail.

When true, the "CA" in Basic Constraints extension will be set to false. If both is_ca and non_ca are unset, the extension will be omitted from the CA certificate.

When true, the "path length constraint" in Basic Constraints extension will be set to 0. if both max_issuer_path_length and zero_max_issuer_path_length are unset, the max path length will be omitted from the CA certificate.

When true, the "CA" in Basic Constraints extension will be set to true.

Refers to the "path length constraint" in Basic Constraints extension. For a CA certificate, this value describes the depth of subordinate CA certificates that are allowed. If this value is less than 0, the request will fail.

When true, the "CA" in Basic Constraints extension will be set to false. If both is_ca and non_ca are unset, the extension will be omitted from the CA certificate.

When true, the "path length constraint" in Basic Constraints extension will be set to 0. if both max_issuer_path_length and zero_max_issuer_path_length are unset, the max path length will be omitted from the CA certificate.

When true, the "CA" in Basic Constraints extension will be set to true.

Refers to the "path length constraint" in Basic Constraints extension. For a CA certificate, this value describes the depth of subordinate CA certificates that are allowed. If this value is less than 0, the request will fail.

When true, the "CA" in Basic Constraints extension will be set to false. If both is_ca and non_ca are unset, the extension will be omitted from the CA certificate.

When true, the "path length constraint" in Basic Constraints extension will be set to 0. if both max_issuer_path_length and zero_max_issuer_path_length are unset, the max path length will be omitted from the CA certificate.

When true, the "CA" in Basic Constraints extension will be set to true.

Refers to the "path length constraint" in Basic Constraints extension. For a CA certificate, this value describes the depth of subordinate CA certificates that are allowed. If this value is less than 0, the request will fail.

When true, the "CA" in Basic Constraints extension will be set to false. If both is_ca and non_ca are unset, the extension will be omitted from the CA certificate.

When true, the "path length constraint" in Basic Constraints extension will be set to 0. if both max_issuer_path_length and zero_max_issuer_path_length are unset, the max path length will be omitted from the CA certificate.

When true, the "CA" in Basic Constraints extension will be set to true.

Refers to the "path length constraint" in Basic Constraints extension. For a CA certificate, this value describes the depth of subordinate CA certificates that are allowed. If this value is less than 0, the request will fail.

When true, the "CA" in Basic Constraints extension will be set to false. If both is_ca and non_ca are unset, the extension will be omitted from the CA certificate.

When true, the "path length constraint" in Basic Constraints extension will be set to 0. if both max_issuer_path_length and zero_max_issuer_path_length are unset, the max path length will be omitted from the CA certificate.

When true, the "CA" in Basic Constraints extension will be set to true.

Refers to the "path length constraint" in Basic Constraints extension. For a CA certificate, this value describes the depth of subordinate CA certificates that are allowed. If this value is less than 0, the request will fail.

When true, the "CA" in Basic Constraints extension will be set to false. If both is_ca and non_ca are unset, the extension will be omitted from the CA certificate.

When true, the "path length constraint" in Basic Constraints extension will be set to 0. if both max_issuer_path_length and zero_max_issuer_path_length are unset, the max path length will be omitted from the CA certificate.

Describes high-level ways in which a key may be used. Structure is documented below.

Describes high-level ways in which a key may be used. Structure is documented below.

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. Structure is documented below.

Describes high-level ways in which a key may be used. Structure is documented below.

Describes high-level ways in which a key may be used. Structure is documented below.

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. Structure is documented below.

Describes high-level ways in which a key may be used. Structure is documented below.

Describes high-level ways in which a key may be used. Structure is documented below.

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. Structure is documented below.

Describes high-level ways in which a key may be used. Structure is documented below.

Describes high-level ways in which a key may be used. Structure is documented below.

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. Structure is documented below.

Describes high-level ways in which a key may be used. Structure is documented below.

Describes high-level ways in which a key may be used. Structure is documented below.

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. Structure is documented below.

Describes high-level ways in which a key may be used. Structure is documented below.

Describes high-level ways in which a key may be used. Structure is documented below.

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. Structure is documented below.

The key may be used to sign certificates.

The key may be used for cryptographic commitments. Note that this may also be referred to as "non-repudiation".

The key may be used sign certificate revocation lists.

The key may be used to encipher data.

The key may be used to decipher only.

The key may be used for digital signatures.

The key may be used to encipher only.

The key may be used in a key agreement protocol.

The key may be used to encipher other keys.

The key may be used to sign certificates.

The key may be used for cryptographic commitments. Note that this may also be referred to as "non-repudiation".

The key may be used sign certificate revocation lists.

The key may be used to encipher data.

The key may be used to decipher only.

The key may be used for digital signatures.

The key may be used to encipher only.

The key may be used in a key agreement protocol.

The key may be used to encipher other keys.

The key may be used to sign certificates.

The key may be used for cryptographic commitments. Note that this may also be referred to as "non-repudiation".

The key may be used sign certificate revocation lists.

The key may be used to encipher data.

The key may be used to decipher only.

The key may be used for digital signatures.

The key may be used to encipher only.

The key may be used in a key agreement protocol.

The key may be used to encipher other keys.

The key may be used to sign certificates.

The key may be used for cryptographic commitments. Note that this may also be referred to as "non-repudiation".

The key may be used sign certificate revocation lists.

The key may be used to encipher data.

The key may be used to decipher only.

The key may be used for digital signatures.

The key may be used to encipher only.

The key may be used in a key agreement protocol.

The key may be used to encipher other keys.

The key may be used to sign certificates.

The key may be used for cryptographic commitments. Note that this may also be referred to as "non-repudiation".

The key may be used sign certificate revocation lists.

The key may be used to encipher data.

The key may be used to decipher only.

The key may be used for digital signatures.

The key may be used to encipher only.

The key may be used in a key agreement protocol.

The key may be used to encipher other keys.

The key may be used to sign certificates.

The key may be used for cryptographic commitments. Note that this may also be referred to as "non-repudiation".

The key may be used sign certificate revocation lists.

The key may be used to encipher data.

The key may be used to decipher only.

The key may be used for digital signatures.

The key may be used to encipher only.

The key may be used in a key agreement protocol.

The key may be used to encipher other keys.

Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as "TLS WWW client authentication", though regularly used for non-WWW TLS.

Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as "Signing of downloadable executable code client authentication".

Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as "Email protection".

Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as "Signing OCSP responses".

Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as "TLS WWW server authentication", though regularly used for non-WWW TLS.

Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as "Binding the hash of an object to a time".

Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as "TLS WWW client authentication", though regularly used for non-WWW TLS.

Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as "Signing of downloadable executable code client authentication".

Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as "Email protection".

Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as "Signing OCSP responses".

Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as "TLS WWW server authentication", though regularly used for non-WWW TLS.

Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as "Binding the hash of an object to a time".

Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as "TLS WWW client authentication", though regularly used for non-WWW TLS.

Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as "Signing of downloadable executable code client authentication".

Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as "Email protection".

Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as "Signing OCSP responses".

Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as "TLS WWW server authentication", though regularly used for non-WWW TLS.

Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as "Binding the hash of an object to a time".

Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as "TLS WWW client authentication", though regularly used for non-WWW TLS.

Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as "Signing of downloadable executable code client authentication".

Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as "Email protection".

Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as "Signing OCSP responses".

Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as "TLS WWW server authentication", though regularly used for non-WWW TLS.

Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as "Binding the hash of an object to a time".

Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as "TLS WWW client authentication", though regularly used for non-WWW TLS.

Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as "Signing of downloadable executable code client authentication".

Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as "Email protection".

Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as "Signing OCSP responses".

Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as "TLS WWW server authentication", though regularly used for non-WWW TLS.

Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as "Binding the hash of an object to a time".

Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as "TLS WWW client authentication", though regularly used for non-WWW TLS.

Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as "Signing of downloadable executable code client authentication".

Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as "Email protection".

Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as "Signing OCSP responses".

Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as "TLS WWW server authentication", though regularly used for non-WWW TLS.

Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as "Binding the hash of an object to a time".

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.

Indicates whether or not the name constraints are marked critical.

Contains excluded DNS names. Any DNS name that can be constructed by simply adding zero or more labels to the left-hand side of the name satisfies the name constraint. For example, example.com, www.example.com, www.sub.example.com would satisfy example.com while example1.com does not.

Contains the excluded email addresses. The value can be a particular email address, a hostname to indicate all email addresses on that host or a domain with a leading period (e.g. .example.com) to indicate all email addresses in that domain.

Contains the excluded IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.

Contains the excluded URIs that apply to the host part of the name. The value can be a hostname or a domain with a leading period (like .example.com)

Contains permitted DNS names. Any DNS name that can be constructed by simply adding zero or more labels to the left-hand side of the name satisfies the name constraint. For example, example.com, www.example.com, www.sub.example.com would satisfy example.com while example1.com does not.

Contains the permitted email addresses. The value can be a particular email address, a hostname to indicate all email addresses on that host or a domain with a leading period (e.g. .example.com) to indicate all email addresses in that domain.

Contains the permitted IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.

Contains the permitted URIs that apply to the host part of the name. The value can be a hostname or a domain with a leading period (like .example.com)

Indicates whether or not the name constraints are marked critical.

Contains excluded DNS names. Any DNS name that can be constructed by simply adding zero or more labels to the left-hand side of the name satisfies the name constraint. For example, example.com, www.example.com, www.sub.example.com would satisfy example.com while example1.com does not.

Contains the excluded email addresses. The value can be a particular email address, a hostname to indicate all email addresses on that host or a domain with a leading period (e.g. .example.com) to indicate all email addresses in that domain.

Contains the excluded IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.

Contains the excluded URIs that apply to the host part of the name. The value can be a hostname or a domain with a leading period (like .example.com)

Contains permitted DNS names. Any DNS name that can be constructed by simply adding zero or more labels to the left-hand side of the name satisfies the name constraint. For example, example.com, www.example.com, www.sub.example.com would satisfy example.com while example1.com does not.

Contains the permitted email addresses. The value can be a particular email address, a hostname to indicate all email addresses on that host or a domain with a leading period (e.g. .example.com) to indicate all email addresses in that domain.

Contains the permitted IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.

Contains the permitted URIs that apply to the host part of the name. The value can be a hostname or a domain with a leading period (like .example.com)

Indicates whether or not the name constraints are marked critical.

Contains excluded DNS names. Any DNS name that can be constructed by simply adding zero or more labels to the left-hand side of the name satisfies the name constraint. For example, example.com, www.example.com, www.sub.example.com would satisfy example.com while example1.com does not.

Contains the excluded email addresses. The value can be a particular email address, a hostname to indicate all email addresses on that host or a domain with a leading period (e.g. .example.com) to indicate all email addresses in that domain.

Contains the excluded IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.

Contains the excluded URIs that apply to the host part of the name. The value can be a hostname or a domain with a leading period (like .example.com)

Contains permitted DNS names. Any DNS name that can be constructed by simply adding zero or more labels to the left-hand side of the name satisfies the name constraint. For example, example.com, www.example.com, www.sub.example.com would satisfy example.com while example1.com does not.

Contains the permitted email addresses. The value can be a particular email address, a hostname to indicate all email addresses on that host or a domain with a leading period (e.g. .example.com) to indicate all email addresses in that domain.

Contains the permitted IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.

Contains the permitted URIs that apply to the host part of the name. The value can be a hostname or a domain with a leading period (like .example.com)

Indicates whether or not the name constraints are marked critical.

Contains excluded DNS names. Any DNS name that can be constructed by simply adding zero or more labels to the left-hand side of the name satisfies the name constraint. For example, example.com, www.example.com, www.sub.example.com would satisfy example.com while example1.com does not.

Contains the excluded email addresses. The value can be a particular email address, a hostname to indicate all email addresses on that host or a domain with a leading period (e.g. .example.com) to indicate all email addresses in that domain.

Contains the excluded IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.

Contains the excluded URIs that apply to the host part of the name. The value can be a hostname or a domain with a leading period (like .example.com)

Contains permitted DNS names. Any DNS name that can be constructed by simply adding zero or more labels to the left-hand side of the name satisfies the name constraint. For example, example.com, www.example.com, www.sub.example.com would satisfy example.com while example1.com does not.

Contains the permitted email addresses. The value can be a particular email address, a hostname to indicate all email addresses on that host or a domain with a leading period (e.g. .example.com) to indicate all email addresses in that domain.

Contains the permitted IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.

Contains the permitted URIs that apply to the host part of the name. The value can be a hostname or a domain with a leading period (like .example.com)

Indicates whether or not the name constraints are marked critical.

Contains excluded DNS names. Any DNS name that can be constructed by simply adding zero or more labels to the left-hand side of the name satisfies the name constraint. For example, example.com, www.example.com, www.sub.example.com would satisfy example.com while example1.com does not.

Contains the excluded email addresses. The value can be a particular email address, a hostname to indicate all email addresses on that host or a domain with a leading period (e.g. .example.com) to indicate all email addresses in that domain.

Contains the excluded IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.

Contains the excluded URIs that apply to the host part of the name. The value can be a hostname or a domain with a leading period (like .example.com)

Contains permitted DNS names. Any DNS name that can be constructed by simply adding zero or more labels to the left-hand side of the name satisfies the name constraint. For example, example.com, www.example.com, www.sub.example.com would satisfy example.com while example1.com does not.

Contains the permitted email addresses. The value can be a particular email address, a hostname to indicate all email addresses on that host or a domain with a leading period (e.g. .example.com) to indicate all email addresses in that domain.

Contains the permitted IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.

Contains the permitted URIs that apply to the host part of the name. The value can be a hostname or a domain with a leading period (like .example.com)

Indicates whether or not the name constraints are marked critical.

Contains excluded DNS names. Any DNS name that can be constructed by simply adding zero or more labels to the left-hand side of the name satisfies the name constraint. For example, example.com, www.example.com, www.sub.example.com would satisfy example.com while example1.com does not.

Contains the excluded email addresses. The value can be a particular email address, a hostname to indicate all email addresses on that host or a domain with a leading period (e.g. .example.com) to indicate all email addresses in that domain.

Contains the excluded IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.

Contains the excluded URIs that apply to the host part of the name. The value can be a hostname or a domain with a leading period (like .example.com)

Contains permitted DNS names. Any DNS name that can be constructed by simply adding zero or more labels to the left-hand side of the name satisfies the name constraint. For example, example.com, www.example.com, www.sub.example.com would satisfy example.com while example1.com does not.

Contains the permitted email addresses. The value can be a particular email address, a hostname to indicate all email addresses on that host or a domain with a leading period (e.g. .example.com) to indicate all email addresses in that domain.

Contains the permitted IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.

Contains the permitted URIs that apply to the host part of the name. The value can be a hostname or a domain with a leading period (like .example.com)

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.

If this is set, the SubjectAltNames extension may be copied from a certificate request into the signed certificate. Otherwise, the requested SubjectAltNames will be discarded.

If this is set, the Subject field may be copied from a certificate request into the signed certificate. Otherwise, the requested Subject will be discarded.

A CEL expression that may be used to validate the resolved X.509 Subject and/or Subject Alternative Name before a certificate is signed. To see the full allowed syntax and some examples, see https://cloud.google.com/certificate-authority-service/docs/cel-guide Structure is documented below.

If this is set, the SubjectAltNames extension may be copied from a certificate request into the signed certificate. Otherwise, the requested SubjectAltNames will be discarded.

If this is set, the Subject field may be copied from a certificate request into the signed certificate. Otherwise, the requested Subject will be discarded.

A CEL expression that may be used to validate the resolved X.509 Subject and/or Subject Alternative Name before a certificate is signed. To see the full allowed syntax and some examples, see https://cloud.google.com/certificate-authority-service/docs/cel-guide Structure is documented below.

If this is set, the SubjectAltNames extension may be copied from a certificate request into the signed certificate. Otherwise, the requested SubjectAltNames will be discarded.

If this is set, the Subject field may be copied from a certificate request into the signed certificate. Otherwise, the requested Subject will be discarded.

A CEL expression that may be used to validate the resolved X.509 Subject and/or Subject Alternative Name before a certificate is signed. To see the full allowed syntax and some examples, see https://cloud.google.com/certificate-authority-service/docs/cel-guide Structure is documented below.

If this is set, the SubjectAltNames extension may be copied from a certificate request into the signed certificate. Otherwise, the requested SubjectAltNames will be discarded.

If this is set, the Subject field may be copied from a certificate request into the signed certificate. Otherwise, the requested Subject will be discarded.

A CEL expression that may be used to validate the resolved X.509 Subject and/or Subject Alternative Name before a certificate is signed. To see the full allowed syntax and some examples, see https://cloud.google.com/certificate-authority-service/docs/cel-guide Structure is documented below.

If this is set, the SubjectAltNames extension may be copied from a certificate request into the signed certificate. Otherwise, the requested SubjectAltNames will be discarded.

If this is set, the Subject field may be copied from a certificate request into the signed certificate. Otherwise, the requested Subject will be discarded.

A CEL expression that may be used to validate the resolved X.509 Subject and/or Subject Alternative Name before a certificate is signed. To see the full allowed syntax and some examples, see https://cloud.google.com/certificate-authority-service/docs/cel-guide Structure is documented below.

If this is set, the SubjectAltNames extension may be copied from a certificate request into the signed certificate. Otherwise, the requested SubjectAltNames will be discarded.

If this is set, the Subject field may be copied from a certificate request into the signed certificate. Otherwise, the requested Subject will be discarded.

A CEL expression that may be used to validate the resolved X.509 Subject and/or Subject Alternative Name before a certificate is signed. To see the full allowed syntax and some examples, see https://cloud.google.com/certificate-authority-service/docs/cel-guide Structure is documented below.

Textual representation of an expression in Common Expression Language syntax.

Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.

String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.

Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression.

Textual representation of an expression in Common Expression Language syntax.

Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.

String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.

Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression.