gcp.certificateauthority.Certificate
A Certificate corresponds to a signed X.509 certificate issued by a Certificate.
Note: The Certificate Authority that is referenced by this resource must be
tier = "ENTERPRISE"
Example Usage
Privateca Certificate Config
using System;
using System.Collections.Generic;
using System.IO;
using Pulumi;
using Gcp = Pulumi.Gcp;
private static string ReadFileBase64(string path) {
return Convert.ToBase64String(Encoding.UTF8.GetBytes(File.ReadAllText(path)))
}
return await Deployment.RunAsync(() =>
{
var defaultCaPool = new Gcp.CertificateAuthority.CaPool("defaultCaPool", new()
{
Location = "us-central1",
Tier = "ENTERPRISE",
});
var defaultAuthority = new Gcp.CertificateAuthority.Authority("defaultAuthority", new()
{
Location = "us-central1",
Pool = defaultCaPool.Name,
CertificateAuthorityId = "my-authority",
Config = new Gcp.CertificateAuthority.Inputs.AuthorityConfigArgs
{
SubjectConfig = new Gcp.CertificateAuthority.Inputs.AuthorityConfigSubjectConfigArgs
{
Subject = new Gcp.CertificateAuthority.Inputs.AuthorityConfigSubjectConfigSubjectArgs
{
Organization = "HashiCorp",
CommonName = "my-certificate-authority",
},
SubjectAltName = new Gcp.CertificateAuthority.Inputs.AuthorityConfigSubjectConfigSubjectAltNameArgs
{
DnsNames = new[]
{
"hashicorp.com",
},
},
},
X509Config = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigArgs
{
CaOptions = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigCaOptionsArgs
{
IsCa = true,
},
KeyUsage = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigKeyUsageArgs
{
BaseKeyUsage = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs
{
CertSign = true,
CrlSign = true,
},
ExtendedKeyUsage = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs
{
ServerAuth = true,
},
},
},
},
KeySpec = new Gcp.CertificateAuthority.Inputs.AuthorityKeySpecArgs
{
Algorithm = "RSA_PKCS1_4096_SHA256",
},
DeletionProtection = false,
SkipGracePeriod = true,
IgnoreActiveCertificatesOnDeletion = true,
});
var defaultCertificate = new Gcp.CertificateAuthority.Certificate("defaultCertificate", new()
{
Location = "us-central1",
Pool = defaultCaPool.Name,
CertificateAuthority = defaultAuthority.CertificateAuthorityId,
Lifetime = "86000s",
Config = new Gcp.CertificateAuthority.Inputs.CertificateConfigArgs
{
SubjectConfig = new Gcp.CertificateAuthority.Inputs.CertificateConfigSubjectConfigArgs
{
Subject = new Gcp.CertificateAuthority.Inputs.CertificateConfigSubjectConfigSubjectArgs
{
CommonName = "san1.example.com",
CountryCode = "us",
Organization = "google",
OrganizationalUnit = "enterprise",
Locality = "mountain view",
Province = "california",
StreetAddress = "1600 amphitheatre parkway",
},
SubjectAltName = new Gcp.CertificateAuthority.Inputs.CertificateConfigSubjectConfigSubjectAltNameArgs
{
EmailAddresses = new[]
{
"email@example.com",
},
IpAddresses = new[]
{
"127.0.0.1",
},
Uris = new[]
{
"http://www.ietf.org/rfc/rfc3986.txt",
},
},
},
X509Config = new Gcp.CertificateAuthority.Inputs.CertificateConfigX509ConfigArgs
{
CaOptions = new Gcp.CertificateAuthority.Inputs.CertificateConfigX509ConfigCaOptionsArgs
{
IsCa = true,
},
KeyUsage = new Gcp.CertificateAuthority.Inputs.CertificateConfigX509ConfigKeyUsageArgs
{
BaseKeyUsage = new Gcp.CertificateAuthority.Inputs.CertificateConfigX509ConfigKeyUsageBaseKeyUsageArgs
{
CrlSign = false,
DecipherOnly = false,
},
ExtendedKeyUsage = new Gcp.CertificateAuthority.Inputs.CertificateConfigX509ConfigKeyUsageExtendedKeyUsageArgs
{
ServerAuth = false,
},
},
NameConstraints = new Gcp.CertificateAuthority.Inputs.CertificateConfigX509ConfigNameConstraintsArgs
{
Critical = true,
PermittedDnsNames = new[]
{
"*.example.com",
},
ExcludedDnsNames = new[]
{
"*.deny.example.com",
},
PermittedIpRanges = new[]
{
"10.0.0.0/8",
},
ExcludedIpRanges = new[]
{
"10.1.1.0/24",
},
PermittedEmailAddresses = new[]
{
".example.com",
},
ExcludedEmailAddresses = new[]
{
".deny.example.com",
},
PermittedUris = new[]
{
".example.com",
},
ExcludedUris = new[]
{
".deny.example.com",
},
},
},
PublicKey = new Gcp.CertificateAuthority.Inputs.CertificateConfigPublicKeyArgs
{
Format = "PEM",
Key = ReadFileBase64("test-fixtures/rsa_public.pem"),
},
},
});
});
package main
import (
"encoding/base64"
"os"
"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/certificateauthority"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func filebase64OrPanic(path string) pulumi.StringPtrInput {
if fileData, err := os.ReadFile(path); err == nil {
return pulumi.String(base64.StdEncoding.EncodeToString(fileData[:]))
} else {
panic(err.Error())
}
}
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
defaultCaPool, err := certificateauthority.NewCaPool(ctx, "defaultCaPool", &certificateauthority.CaPoolArgs{
Location: pulumi.String("us-central1"),
Tier: pulumi.String("ENTERPRISE"),
})
if err != nil {
return err
}
defaultAuthority, err := certificateauthority.NewAuthority(ctx, "defaultAuthority", &certificateauthority.AuthorityArgs{
Location: pulumi.String("us-central1"),
Pool: defaultCaPool.Name,
CertificateAuthorityId: pulumi.String("my-authority"),
Config: &certificateauthority.AuthorityConfigArgs{
SubjectConfig: &certificateauthority.AuthorityConfigSubjectConfigArgs{
Subject: &certificateauthority.AuthorityConfigSubjectConfigSubjectArgs{
Organization: pulumi.String("HashiCorp"),
CommonName: pulumi.String("my-certificate-authority"),
},
SubjectAltName: &certificateauthority.AuthorityConfigSubjectConfigSubjectAltNameArgs{
DnsNames: pulumi.StringArray{
pulumi.String("hashicorp.com"),
},
},
},
X509Config: &certificateauthority.AuthorityConfigX509ConfigArgs{
CaOptions: &certificateauthority.AuthorityConfigX509ConfigCaOptionsArgs{
IsCa: pulumi.Bool(true),
},
KeyUsage: &certificateauthority.AuthorityConfigX509ConfigKeyUsageArgs{
BaseKeyUsage: &certificateauthority.AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs{
CertSign: pulumi.Bool(true),
CrlSign: pulumi.Bool(true),
},
ExtendedKeyUsage: &certificateauthority.AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs{
ServerAuth: pulumi.Bool(true),
},
},
},
},
KeySpec: &certificateauthority.AuthorityKeySpecArgs{
Algorithm: pulumi.String("RSA_PKCS1_4096_SHA256"),
},
DeletionProtection: pulumi.Bool(false),
SkipGracePeriod: pulumi.Bool(true),
IgnoreActiveCertificatesOnDeletion: pulumi.Bool(true),
})
if err != nil {
return err
}
_, err = certificateauthority.NewCertificate(ctx, "defaultCertificate", &certificateauthority.CertificateArgs{
Location: pulumi.String("us-central1"),
Pool: defaultCaPool.Name,
CertificateAuthority: defaultAuthority.CertificateAuthorityId,
Lifetime: pulumi.String("86000s"),
Config: &certificateauthority.CertificateConfigArgs{
SubjectConfig: &certificateauthority.CertificateConfigSubjectConfigArgs{
Subject: &certificateauthority.CertificateConfigSubjectConfigSubjectArgs{
CommonName: pulumi.String("san1.example.com"),
CountryCode: pulumi.String("us"),
Organization: pulumi.String("google"),
OrganizationalUnit: pulumi.String("enterprise"),
Locality: pulumi.String("mountain view"),
Province: pulumi.String("california"),
StreetAddress: pulumi.String("1600 amphitheatre parkway"),
},
SubjectAltName: &certificateauthority.CertificateConfigSubjectConfigSubjectAltNameArgs{
EmailAddresses: pulumi.StringArray{
pulumi.String("email@example.com"),
},
IpAddresses: pulumi.StringArray{
pulumi.String("127.0.0.1"),
},
Uris: pulumi.StringArray{
pulumi.String("http://www.ietf.org/rfc/rfc3986.txt"),
},
},
},
X509Config: &certificateauthority.CertificateConfigX509ConfigArgs{
CaOptions: &certificateauthority.CertificateConfigX509ConfigCaOptionsArgs{
IsCa: pulumi.Bool(true),
},
KeyUsage: &certificateauthority.CertificateConfigX509ConfigKeyUsageArgs{
BaseKeyUsage: &certificateauthority.CertificateConfigX509ConfigKeyUsageBaseKeyUsageArgs{
CrlSign: pulumi.Bool(false),
DecipherOnly: pulumi.Bool(false),
},
ExtendedKeyUsage: &certificateauthority.CertificateConfigX509ConfigKeyUsageExtendedKeyUsageArgs{
ServerAuth: pulumi.Bool(false),
},
},
NameConstraints: &certificateauthority.CertificateConfigX509ConfigNameConstraintsArgs{
Critical: pulumi.Bool(true),
PermittedDnsNames: pulumi.StringArray{
pulumi.String("*.example.com"),
},
ExcludedDnsNames: pulumi.StringArray{
pulumi.String("*.deny.example.com"),
},
PermittedIpRanges: pulumi.StringArray{
pulumi.String("10.0.0.0/8"),
},
ExcludedIpRanges: pulumi.StringArray{
pulumi.String("10.1.1.0/24"),
},
PermittedEmailAddresses: pulumi.StringArray{
pulumi.String(".example.com"),
},
ExcludedEmailAddresses: pulumi.StringArray{
pulumi.String(".deny.example.com"),
},
PermittedUris: pulumi.StringArray{
pulumi.String(".example.com"),
},
ExcludedUris: pulumi.StringArray{
pulumi.String(".deny.example.com"),
},
},
},
PublicKey: &certificateauthority.CertificateConfigPublicKeyArgs{
Format: pulumi.String("PEM"),
Key: filebase64OrPanic("test-fixtures/rsa_public.pem"),
},
},
})
if err != nil {
return err
}
return nil
})
}
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.certificateauthority.CaPool;
import com.pulumi.gcp.certificateauthority.CaPoolArgs;
import com.pulumi.gcp.certificateauthority.Authority;
import com.pulumi.gcp.certificateauthority.AuthorityArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigSubjectConfigArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigSubjectConfigSubjectArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigSubjectConfigSubjectAltNameArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigCaOptionsArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigKeyUsageArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityKeySpecArgs;
import com.pulumi.gcp.certificateauthority.Certificate;
import com.pulumi.gcp.certificateauthority.CertificateArgs;
import com.pulumi.gcp.certificateauthority.inputs.CertificateConfigArgs;
import com.pulumi.gcp.certificateauthority.inputs.CertificateConfigSubjectConfigArgs;
import com.pulumi.gcp.certificateauthority.inputs.CertificateConfigSubjectConfigSubjectArgs;
import com.pulumi.gcp.certificateauthority.inputs.CertificateConfigSubjectConfigSubjectAltNameArgs;
import com.pulumi.gcp.certificateauthority.inputs.CertificateConfigX509ConfigArgs;
import com.pulumi.gcp.certificateauthority.inputs.CertificateConfigX509ConfigCaOptionsArgs;
import com.pulumi.gcp.certificateauthority.inputs.CertificateConfigX509ConfigKeyUsageArgs;
import com.pulumi.gcp.certificateauthority.inputs.CertificateConfigX509ConfigKeyUsageBaseKeyUsageArgs;
import com.pulumi.gcp.certificateauthority.inputs.CertificateConfigX509ConfigKeyUsageExtendedKeyUsageArgs;
import com.pulumi.gcp.certificateauthority.inputs.CertificateConfigX509ConfigNameConstraintsArgs;
import com.pulumi.gcp.certificateauthority.inputs.CertificateConfigPublicKeyArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var defaultCaPool = new CaPool("defaultCaPool", CaPoolArgs.builder()
.location("us-central1")
.tier("ENTERPRISE")
.build());
var defaultAuthority = new Authority("defaultAuthority", AuthorityArgs.builder()
.location("us-central1")
.pool(defaultCaPool.name())
.certificateAuthorityId("my-authority")
.config(AuthorityConfigArgs.builder()
.subjectConfig(AuthorityConfigSubjectConfigArgs.builder()
.subject(AuthorityConfigSubjectConfigSubjectArgs.builder()
.organization("HashiCorp")
.commonName("my-certificate-authority")
.build())
.subjectAltName(AuthorityConfigSubjectConfigSubjectAltNameArgs.builder()
.dnsNames("hashicorp.com")
.build())
.build())
.x509Config(AuthorityConfigX509ConfigArgs.builder()
.caOptions(AuthorityConfigX509ConfigCaOptionsArgs.builder()
.isCa(true)
.build())
.keyUsage(AuthorityConfigX509ConfigKeyUsageArgs.builder()
.baseKeyUsage(AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs.builder()
.certSign(true)
.crlSign(true)
.build())
.extendedKeyUsage(AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs.builder()
.serverAuth(true)
.build())
.build())
.build())
.build())
.keySpec(AuthorityKeySpecArgs.builder()
.algorithm("RSA_PKCS1_4096_SHA256")
.build())
.deletionProtection(false)
.skipGracePeriod(true)
.ignoreActiveCertificatesOnDeletion(true)
.build());
var defaultCertificate = new Certificate("defaultCertificate", CertificateArgs.builder()
.location("us-central1")
.pool(defaultCaPool.name())
.certificateAuthority(defaultAuthority.certificateAuthorityId())
.lifetime("86000s")
.config(CertificateConfigArgs.builder()
.subjectConfig(CertificateConfigSubjectConfigArgs.builder()
.subject(CertificateConfigSubjectConfigSubjectArgs.builder()
.commonName("san1.example.com")
.countryCode("us")
.organization("google")
.organizationalUnit("enterprise")
.locality("mountain view")
.province("california")
.streetAddress("1600 amphitheatre parkway")
.build())
.subjectAltName(CertificateConfigSubjectConfigSubjectAltNameArgs.builder()
.emailAddresses("email@example.com")
.ipAddresses("127.0.0.1")
.uris("http://www.ietf.org/rfc/rfc3986.txt")
.build())
.build())
.x509Config(CertificateConfigX509ConfigArgs.builder()
.caOptions(CertificateConfigX509ConfigCaOptionsArgs.builder()
.isCa(true)
.build())
.keyUsage(CertificateConfigX509ConfigKeyUsageArgs.builder()
.baseKeyUsage(CertificateConfigX509ConfigKeyUsageBaseKeyUsageArgs.builder()
.crlSign(false)
.decipherOnly(false)
.build())
.extendedKeyUsage(CertificateConfigX509ConfigKeyUsageExtendedKeyUsageArgs.builder()
.serverAuth(false)
.build())
.build())
.nameConstraints(CertificateConfigX509ConfigNameConstraintsArgs.builder()
.critical(true)
.permittedDnsNames("*.example.com")
.excludedDnsNames("*.deny.example.com")
.permittedIpRanges("10.0.0.0/8")
.excludedIpRanges("10.1.1.0/24")
.permittedEmailAddresses(".example.com")
.excludedEmailAddresses(".deny.example.com")
.permittedUris(".example.com")
.excludedUris(".deny.example.com")
.build())
.build())
.publicKey(CertificateConfigPublicKeyArgs.builder()
.format("PEM")
.key(Base64.getEncoder().encodeToString(Files.readAllBytes(Paths.get("test-fixtures/rsa_public.pem"))))
.build())
.build())
.build());
}
}
import pulumi
import base64
import pulumi_gcp as gcp
default_ca_pool = gcp.certificateauthority.CaPool("defaultCaPool",
location="us-central1",
tier="ENTERPRISE")
default_authority = gcp.certificateauthority.Authority("defaultAuthority",
location="us-central1",
pool=default_ca_pool.name,
certificate_authority_id="my-authority",
config=gcp.certificateauthority.AuthorityConfigArgs(
subject_config=gcp.certificateauthority.AuthorityConfigSubjectConfigArgs(
subject=gcp.certificateauthority.AuthorityConfigSubjectConfigSubjectArgs(
organization="HashiCorp",
common_name="my-certificate-authority",
),
subject_alt_name=gcp.certificateauthority.AuthorityConfigSubjectConfigSubjectAltNameArgs(
dns_names=["hashicorp.com"],
),
),
x509_config=gcp.certificateauthority.AuthorityConfigX509ConfigArgs(
ca_options=gcp.certificateauthority.AuthorityConfigX509ConfigCaOptionsArgs(
is_ca=True,
),
key_usage=gcp.certificateauthority.AuthorityConfigX509ConfigKeyUsageArgs(
base_key_usage=gcp.certificateauthority.AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs(
cert_sign=True,
crl_sign=True,
),
extended_key_usage=gcp.certificateauthority.AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs(
server_auth=True,
),
),
),
),
key_spec=gcp.certificateauthority.AuthorityKeySpecArgs(
algorithm="RSA_PKCS1_4096_SHA256",
),
deletion_protection=False,
skip_grace_period=True,
ignore_active_certificates_on_deletion=True)
default_certificate = gcp.certificateauthority.Certificate("defaultCertificate",
location="us-central1",
pool=default_ca_pool.name,
certificate_authority=default_authority.certificate_authority_id,
lifetime="86000s",
config=gcp.certificateauthority.CertificateConfigArgs(
subject_config=gcp.certificateauthority.CertificateConfigSubjectConfigArgs(
subject=gcp.certificateauthority.CertificateConfigSubjectConfigSubjectArgs(
common_name="san1.example.com",
country_code="us",
organization="google",
organizational_unit="enterprise",
locality="mountain view",
province="california",
street_address="1600 amphitheatre parkway",
),
subject_alt_name=gcp.certificateauthority.CertificateConfigSubjectConfigSubjectAltNameArgs(
email_addresses=["email@example.com"],
ip_addresses=["127.0.0.1"],
uris=["http://www.ietf.org/rfc/rfc3986.txt"],
),
),
x509_config=gcp.certificateauthority.CertificateConfigX509ConfigArgs(
ca_options=gcp.certificateauthority.CertificateConfigX509ConfigCaOptionsArgs(
is_ca=True,
),
key_usage=gcp.certificateauthority.CertificateConfigX509ConfigKeyUsageArgs(
base_key_usage=gcp.certificateauthority.CertificateConfigX509ConfigKeyUsageBaseKeyUsageArgs(
crl_sign=False,
decipher_only=False,
),
extended_key_usage=gcp.certificateauthority.CertificateConfigX509ConfigKeyUsageExtendedKeyUsageArgs(
server_auth=False,
),
),
name_constraints=gcp.certificateauthority.CertificateConfigX509ConfigNameConstraintsArgs(
critical=True,
permitted_dns_names=["*.example.com"],
excluded_dns_names=["*.deny.example.com"],
permitted_ip_ranges=["10.0.0.0/8"],
excluded_ip_ranges=["10.1.1.0/24"],
permitted_email_addresses=[".example.com"],
excluded_email_addresses=[".deny.example.com"],
permitted_uris=[".example.com"],
excluded_uris=[".deny.example.com"],
),
),
public_key=gcp.certificateauthority.CertificateConfigPublicKeyArgs(
format="PEM",
key=(lambda path: base64.b64encode(open(path).read().encode()).decode())("test-fixtures/rsa_public.pem"),
),
))
import * as pulumi from "@pulumi/pulumi";
import * as fs from "fs";
import * as gcp from "@pulumi/gcp";
const defaultCaPool = new gcp.certificateauthority.CaPool("defaultCaPool", {
location: "us-central1",
tier: "ENTERPRISE",
});
const defaultAuthority = new gcp.certificateauthority.Authority("defaultAuthority", {
location: "us-central1",
pool: defaultCaPool.name,
certificateAuthorityId: "my-authority",
config: {
subjectConfig: {
subject: {
organization: "HashiCorp",
commonName: "my-certificate-authority",
},
subjectAltName: {
dnsNames: ["hashicorp.com"],
},
},
x509Config: {
caOptions: {
isCa: true,
},
keyUsage: {
baseKeyUsage: {
certSign: true,
crlSign: true,
},
extendedKeyUsage: {
serverAuth: true,
},
},
},
},
keySpec: {
algorithm: "RSA_PKCS1_4096_SHA256",
},
deletionProtection: false,
skipGracePeriod: true,
ignoreActiveCertificatesOnDeletion: true,
});
const defaultCertificate = new gcp.certificateauthority.Certificate("defaultCertificate", {
location: "us-central1",
pool: defaultCaPool.name,
certificateAuthority: defaultAuthority.certificateAuthorityId,
lifetime: "86000s",
config: {
subjectConfig: {
subject: {
commonName: "san1.example.com",
countryCode: "us",
organization: "google",
organizationalUnit: "enterprise",
locality: "mountain view",
province: "california",
streetAddress: "1600 amphitheatre parkway",
},
subjectAltName: {
emailAddresses: ["email@example.com"],
ipAddresses: ["127.0.0.1"],
uris: ["http://www.ietf.org/rfc/rfc3986.txt"],
},
},
x509Config: {
caOptions: {
isCa: true,
},
keyUsage: {
baseKeyUsage: {
crlSign: false,
decipherOnly: false,
},
extendedKeyUsage: {
serverAuth: false,
},
},
nameConstraints: {
critical: true,
permittedDnsNames: ["*.example.com"],
excludedDnsNames: ["*.deny.example.com"],
permittedIpRanges: ["10.0.0.0/8"],
excludedIpRanges: ["10.1.1.0/24"],
permittedEmailAddresses: [".example.com"],
excludedEmailAddresses: [".deny.example.com"],
permittedUris: [".example.com"],
excludedUris: [".deny.example.com"],
},
},
publicKey: {
format: "PEM",
key: Buffer.from(fs.readFileSync("test-fixtures/rsa_public.pem"), 'binary').toString('base64'),
},
},
});
Coming soon!
Privateca Certificate With Template
using System.Collections.Generic;
using System.IO;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var defaultCaPool = new Gcp.CertificateAuthority.CaPool("defaultCaPool", new()
{
Location = "us-central1",
Tier = "ENTERPRISE",
});
var defaultCertificateTemplate = new Gcp.CertificateAuthority.CertificateTemplate("defaultCertificateTemplate", new()
{
Location = "us-central1",
Description = "An updated sample certificate template",
IdentityConstraints = new Gcp.CertificateAuthority.Inputs.CertificateTemplateIdentityConstraintsArgs
{
AllowSubjectAltNamesPassthrough = true,
AllowSubjectPassthrough = true,
CelExpression = new Gcp.CertificateAuthority.Inputs.CertificateTemplateIdentityConstraintsCelExpressionArgs
{
Description = "Always true",
Expression = "true",
Location = "any.file.anywhere",
Title = "Sample expression",
},
},
PassthroughExtensions = new Gcp.CertificateAuthority.Inputs.CertificateTemplatePassthroughExtensionsArgs
{
AdditionalExtensions = new[]
{
new Gcp.CertificateAuthority.Inputs.CertificateTemplatePassthroughExtensionsAdditionalExtensionArgs
{
ObjectIdPaths = new[]
{
1,
6,
},
},
},
KnownExtensions = new[]
{
"EXTENDED_KEY_USAGE",
},
},
PredefinedValues = new Gcp.CertificateAuthority.Inputs.CertificateTemplatePredefinedValuesArgs
{
AdditionalExtensions = new[]
{
new Gcp.CertificateAuthority.Inputs.CertificateTemplatePredefinedValuesAdditionalExtensionArgs
{
ObjectId = new Gcp.CertificateAuthority.Inputs.CertificateTemplatePredefinedValuesAdditionalExtensionObjectIdArgs
{
ObjectIdPaths = new[]
{
1,
6,
},
},
Value = "c3RyaW5nCg==",
Critical = true,
},
},
AiaOcspServers = new[]
{
"string",
},
CaOptions = new Gcp.CertificateAuthority.Inputs.CertificateTemplatePredefinedValuesCaOptionsArgs
{
IsCa = false,
MaxIssuerPathLength = 6,
},
KeyUsage = new Gcp.CertificateAuthority.Inputs.CertificateTemplatePredefinedValuesKeyUsageArgs
{
BaseKeyUsage = new Gcp.CertificateAuthority.Inputs.CertificateTemplatePredefinedValuesKeyUsageBaseKeyUsageArgs
{
CertSign = false,
ContentCommitment = true,
CrlSign = false,
DataEncipherment = true,
DecipherOnly = true,
DigitalSignature = true,
EncipherOnly = true,
KeyAgreement = true,
KeyEncipherment = true,
},
ExtendedKeyUsage = new Gcp.CertificateAuthority.Inputs.CertificateTemplatePredefinedValuesKeyUsageExtendedKeyUsageArgs
{
ClientAuth = true,
CodeSigning = true,
EmailProtection = true,
OcspSigning = true,
ServerAuth = true,
TimeStamping = true,
},
UnknownExtendedKeyUsages = new[]
{
new Gcp.CertificateAuthority.Inputs.CertificateTemplatePredefinedValuesKeyUsageUnknownExtendedKeyUsageArgs
{
ObjectIdPaths = new[]
{
1,
6,
},
},
},
},
PolicyIds = new[]
{
new Gcp.CertificateAuthority.Inputs.CertificateTemplatePredefinedValuesPolicyIdArgs
{
ObjectIdPaths = new[]
{
1,
6,
},
},
},
},
});
var defaultAuthority = new Gcp.CertificateAuthority.Authority("defaultAuthority", new()
{
Location = "us-central1",
Pool = defaultCaPool.Name,
CertificateAuthorityId = "my-authority",
Config = new Gcp.CertificateAuthority.Inputs.AuthorityConfigArgs
{
SubjectConfig = new Gcp.CertificateAuthority.Inputs.AuthorityConfigSubjectConfigArgs
{
Subject = new Gcp.CertificateAuthority.Inputs.AuthorityConfigSubjectConfigSubjectArgs
{
Organization = "HashiCorp",
CommonName = "my-certificate-authority",
},
SubjectAltName = new Gcp.CertificateAuthority.Inputs.AuthorityConfigSubjectConfigSubjectAltNameArgs
{
DnsNames = new[]
{
"hashicorp.com",
},
},
},
X509Config = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigArgs
{
CaOptions = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigCaOptionsArgs
{
IsCa = true,
},
KeyUsage = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigKeyUsageArgs
{
BaseKeyUsage = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs
{
CertSign = true,
CrlSign = true,
},
ExtendedKeyUsage = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs
{
ServerAuth = false,
},
},
},
},
KeySpec = new Gcp.CertificateAuthority.Inputs.AuthorityKeySpecArgs
{
Algorithm = "RSA_PKCS1_4096_SHA256",
},
DeletionProtection = false,
SkipGracePeriod = true,
IgnoreActiveCertificatesOnDeletion = true,
});
var defaultCertificate = new Gcp.CertificateAuthority.Certificate("defaultCertificate", new()
{
Location = "us-central1",
Pool = defaultCaPool.Name,
CertificateAuthority = defaultAuthority.CertificateAuthorityId,
Lifetime = "860s",
PemCsr = File.ReadAllText("test-fixtures/rsa_csr.pem"),
CertificateTemplate = defaultCertificateTemplate.Id,
});
});
package main
import (
"os"
"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/certificateauthority"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func readFileOrPanic(path string) pulumi.StringPtrInput {
data, err := os.ReadFile(path)
if err != nil {
panic(err.Error())
}
return pulumi.String(string(data))
}
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
defaultCaPool, err := certificateauthority.NewCaPool(ctx, "defaultCaPool", &certificateauthority.CaPoolArgs{
Location: pulumi.String("us-central1"),
Tier: pulumi.String("ENTERPRISE"),
})
if err != nil {
return err
}
defaultCertificateTemplate, err := certificateauthority.NewCertificateTemplate(ctx, "defaultCertificateTemplate", &certificateauthority.CertificateTemplateArgs{
Location: pulumi.String("us-central1"),
Description: pulumi.String("An updated sample certificate template"),
IdentityConstraints: &certificateauthority.CertificateTemplateIdentityConstraintsArgs{
AllowSubjectAltNamesPassthrough: pulumi.Bool(true),
AllowSubjectPassthrough: pulumi.Bool(true),
CelExpression: &certificateauthority.CertificateTemplateIdentityConstraintsCelExpressionArgs{
Description: pulumi.String("Always true"),
Expression: pulumi.String("true"),
Location: pulumi.String("any.file.anywhere"),
Title: pulumi.String("Sample expression"),
},
},
PassthroughExtensions: &certificateauthority.CertificateTemplatePassthroughExtensionsArgs{
AdditionalExtensions: certificateauthority.CertificateTemplatePassthroughExtensionsAdditionalExtensionArray{
&certificateauthority.CertificateTemplatePassthroughExtensionsAdditionalExtensionArgs{
ObjectIdPaths: pulumi.IntArray{
pulumi.Int(1),
pulumi.Int(6),
},
},
},
KnownExtensions: pulumi.StringArray{
pulumi.String("EXTENDED_KEY_USAGE"),
},
},
PredefinedValues: &certificateauthority.CertificateTemplatePredefinedValuesArgs{
AdditionalExtensions: certificateauthority.CertificateTemplatePredefinedValuesAdditionalExtensionArray{
&certificateauthority.CertificateTemplatePredefinedValuesAdditionalExtensionArgs{
ObjectId: &certificateauthority.CertificateTemplatePredefinedValuesAdditionalExtensionObjectIdArgs{
ObjectIdPaths: pulumi.IntArray{
pulumi.Int(1),
pulumi.Int(6),
},
},
Value: pulumi.String("c3RyaW5nCg=="),
Critical: pulumi.Bool(true),
},
},
AiaOcspServers: pulumi.StringArray{
pulumi.String("string"),
},
CaOptions: &certificateauthority.CertificateTemplatePredefinedValuesCaOptionsArgs{
IsCa: pulumi.Bool(false),
MaxIssuerPathLength: pulumi.Int(6),
},
KeyUsage: &certificateauthority.CertificateTemplatePredefinedValuesKeyUsageArgs{
BaseKeyUsage: &certificateauthority.CertificateTemplatePredefinedValuesKeyUsageBaseKeyUsageArgs{
CertSign: pulumi.Bool(false),
ContentCommitment: pulumi.Bool(true),
CrlSign: pulumi.Bool(false),
DataEncipherment: pulumi.Bool(true),
DecipherOnly: pulumi.Bool(true),
DigitalSignature: pulumi.Bool(true),
EncipherOnly: pulumi.Bool(true),
KeyAgreement: pulumi.Bool(true),
KeyEncipherment: pulumi.Bool(true),
},
ExtendedKeyUsage: &certificateauthority.CertificateTemplatePredefinedValuesKeyUsageExtendedKeyUsageArgs{
ClientAuth: pulumi.Bool(true),
CodeSigning: pulumi.Bool(true),
EmailProtection: pulumi.Bool(true),
OcspSigning: pulumi.Bool(true),
ServerAuth: pulumi.Bool(true),
TimeStamping: pulumi.Bool(true),
},
UnknownExtendedKeyUsages: certificateauthority.CertificateTemplatePredefinedValuesKeyUsageUnknownExtendedKeyUsageArray{
&certificateauthority.CertificateTemplatePredefinedValuesKeyUsageUnknownExtendedKeyUsageArgs{
ObjectIdPaths: pulumi.IntArray{
pulumi.Int(1),
pulumi.Int(6),
},
},
},
},
PolicyIds: certificateauthority.CertificateTemplatePredefinedValuesPolicyIdArray{
&certificateauthority.CertificateTemplatePredefinedValuesPolicyIdArgs{
ObjectIdPaths: pulumi.IntArray{
pulumi.Int(1),
pulumi.Int(6),
},
},
},
},
})
if err != nil {
return err
}
defaultAuthority, err := certificateauthority.NewAuthority(ctx, "defaultAuthority", &certificateauthority.AuthorityArgs{
Location: pulumi.String("us-central1"),
Pool: defaultCaPool.Name,
CertificateAuthorityId: pulumi.String("my-authority"),
Config: &certificateauthority.AuthorityConfigArgs{
SubjectConfig: &certificateauthority.AuthorityConfigSubjectConfigArgs{
Subject: &certificateauthority.AuthorityConfigSubjectConfigSubjectArgs{
Organization: pulumi.String("HashiCorp"),
CommonName: pulumi.String("my-certificate-authority"),
},
SubjectAltName: &certificateauthority.AuthorityConfigSubjectConfigSubjectAltNameArgs{
DnsNames: pulumi.StringArray{
pulumi.String("hashicorp.com"),
},
},
},
X509Config: &certificateauthority.AuthorityConfigX509ConfigArgs{
CaOptions: &certificateauthority.AuthorityConfigX509ConfigCaOptionsArgs{
IsCa: pulumi.Bool(true),
},
KeyUsage: &certificateauthority.AuthorityConfigX509ConfigKeyUsageArgs{
BaseKeyUsage: &certificateauthority.AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs{
CertSign: pulumi.Bool(true),
CrlSign: pulumi.Bool(true),
},
ExtendedKeyUsage: &certificateauthority.AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs{
ServerAuth: pulumi.Bool(false),
},
},
},
},
KeySpec: &certificateauthority.AuthorityKeySpecArgs{
Algorithm: pulumi.String("RSA_PKCS1_4096_SHA256"),
},
DeletionProtection: pulumi.Bool(false),
SkipGracePeriod: pulumi.Bool(true),
IgnoreActiveCertificatesOnDeletion: pulumi.Bool(true),
})
if err != nil {
return err
}
_, err = certificateauthority.NewCertificate(ctx, "defaultCertificate", &certificateauthority.CertificateArgs{
Location: pulumi.String("us-central1"),
Pool: defaultCaPool.Name,
CertificateAuthority: defaultAuthority.CertificateAuthorityId,
Lifetime: pulumi.String("860s"),
PemCsr: readFileOrPanic("test-fixtures/rsa_csr.pem"),
CertificateTemplate: defaultCertificateTemplate.ID(),
})
if err != nil {
return err
}
return nil
})
}
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.certificateauthority.CaPool;
import com.pulumi.gcp.certificateauthority.CaPoolArgs;
import com.pulumi.gcp.certificateauthority.CertificateTemplate;
import com.pulumi.gcp.certificateauthority.CertificateTemplateArgs;
import com.pulumi.gcp.certificateauthority.inputs.CertificateTemplateIdentityConstraintsArgs;
import com.pulumi.gcp.certificateauthority.inputs.CertificateTemplateIdentityConstraintsCelExpressionArgs;
import com.pulumi.gcp.certificateauthority.inputs.CertificateTemplatePassthroughExtensionsArgs;
import com.pulumi.gcp.certificateauthority.inputs.CertificateTemplatePredefinedValuesArgs;
import com.pulumi.gcp.certificateauthority.inputs.CertificateTemplatePredefinedValuesCaOptionsArgs;
import com.pulumi.gcp.certificateauthority.inputs.CertificateTemplatePredefinedValuesKeyUsageArgs;
import com.pulumi.gcp.certificateauthority.inputs.CertificateTemplatePredefinedValuesKeyUsageBaseKeyUsageArgs;
import com.pulumi.gcp.certificateauthority.inputs.CertificateTemplatePredefinedValuesKeyUsageExtendedKeyUsageArgs;
import com.pulumi.gcp.certificateauthority.Authority;
import com.pulumi.gcp.certificateauthority.AuthorityArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigSubjectConfigArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigSubjectConfigSubjectArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigSubjectConfigSubjectAltNameArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigCaOptionsArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigKeyUsageArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityKeySpecArgs;
import com.pulumi.gcp.certificateauthority.Certificate;
import com.pulumi.gcp.certificateauthority.CertificateArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var defaultCaPool = new CaPool("defaultCaPool", CaPoolArgs.builder()
.location("us-central1")
.tier("ENTERPRISE")
.build());
var defaultCertificateTemplate = new CertificateTemplate("defaultCertificateTemplate", CertificateTemplateArgs.builder()
.location("us-central1")
.description("An updated sample certificate template")
.identityConstraints(CertificateTemplateIdentityConstraintsArgs.builder()
.allowSubjectAltNamesPassthrough(true)
.allowSubjectPassthrough(true)
.celExpression(CertificateTemplateIdentityConstraintsCelExpressionArgs.builder()
.description("Always true")
.expression("true")
.location("any.file.anywhere")
.title("Sample expression")
.build())
.build())
.passthroughExtensions(CertificateTemplatePassthroughExtensionsArgs.builder()
.additionalExtensions(CertificateTemplatePassthroughExtensionsAdditionalExtensionArgs.builder()
.objectIdPaths(
1,
6)
.build())
.knownExtensions("EXTENDED_KEY_USAGE")
.build())
.predefinedValues(CertificateTemplatePredefinedValuesArgs.builder()
.additionalExtensions(CertificateTemplatePredefinedValuesAdditionalExtensionArgs.builder()
.objectId(CertificateTemplatePredefinedValuesAdditionalExtensionObjectIdArgs.builder()
.objectIdPaths(
1,
6)
.build())
.value("c3RyaW5nCg==")
.critical(true)
.build())
.aiaOcspServers("string")
.caOptions(CertificateTemplatePredefinedValuesCaOptionsArgs.builder()
.isCa(false)
.maxIssuerPathLength(6)
.build())
.keyUsage(CertificateTemplatePredefinedValuesKeyUsageArgs.builder()
.baseKeyUsage(CertificateTemplatePredefinedValuesKeyUsageBaseKeyUsageArgs.builder()
.certSign(false)
.contentCommitment(true)
.crlSign(false)
.dataEncipherment(true)
.decipherOnly(true)
.digitalSignature(true)
.encipherOnly(true)
.keyAgreement(true)
.keyEncipherment(true)
.build())
.extendedKeyUsage(CertificateTemplatePredefinedValuesKeyUsageExtendedKeyUsageArgs.builder()
.clientAuth(true)
.codeSigning(true)
.emailProtection(true)
.ocspSigning(true)
.serverAuth(true)
.timeStamping(true)
.build())
.unknownExtendedKeyUsages(CertificateTemplatePredefinedValuesKeyUsageUnknownExtendedKeyUsageArgs.builder()
.objectIdPaths(
1,
6)
.build())
.build())
.policyIds(CertificateTemplatePredefinedValuesPolicyIdArgs.builder()
.objectIdPaths(
1,
6)
.build())
.build())
.build());
var defaultAuthority = new Authority("defaultAuthority", AuthorityArgs.builder()
.location("us-central1")
.pool(defaultCaPool.name())
.certificateAuthorityId("my-authority")
.config(AuthorityConfigArgs.builder()
.subjectConfig(AuthorityConfigSubjectConfigArgs.builder()
.subject(AuthorityConfigSubjectConfigSubjectArgs.builder()
.organization("HashiCorp")
.commonName("my-certificate-authority")
.build())
.subjectAltName(AuthorityConfigSubjectConfigSubjectAltNameArgs.builder()
.dnsNames("hashicorp.com")
.build())
.build())
.x509Config(AuthorityConfigX509ConfigArgs.builder()
.caOptions(AuthorityConfigX509ConfigCaOptionsArgs.builder()
.isCa(true)
.build())
.keyUsage(AuthorityConfigX509ConfigKeyUsageArgs.builder()
.baseKeyUsage(AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs.builder()
.certSign(true)
.crlSign(true)
.build())
.extendedKeyUsage(AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs.builder()
.serverAuth(false)
.build())
.build())
.build())
.build())
.keySpec(AuthorityKeySpecArgs.builder()
.algorithm("RSA_PKCS1_4096_SHA256")
.build())
.deletionProtection(false)
.skipGracePeriod(true)
.ignoreActiveCertificatesOnDeletion(true)
.build());
var defaultCertificate = new Certificate("defaultCertificate", CertificateArgs.builder()
.location("us-central1")
.pool(defaultCaPool.name())
.certificateAuthority(defaultAuthority.certificateAuthorityId())
.lifetime("860s")
.pemCsr(Files.readString(Paths.get("test-fixtures/rsa_csr.pem")))
.certificateTemplate(defaultCertificateTemplate.id())
.build());
}
}
import pulumi
import pulumi_gcp as gcp
default_ca_pool = gcp.certificateauthority.CaPool("defaultCaPool",
location="us-central1",
tier="ENTERPRISE")
default_certificate_template = gcp.certificateauthority.CertificateTemplate("defaultCertificateTemplate",
location="us-central1",
description="An updated sample certificate template",
identity_constraints=gcp.certificateauthority.CertificateTemplateIdentityConstraintsArgs(
allow_subject_alt_names_passthrough=True,
allow_subject_passthrough=True,
cel_expression=gcp.certificateauthority.CertificateTemplateIdentityConstraintsCelExpressionArgs(
description="Always true",
expression="true",
location="any.file.anywhere",
title="Sample expression",
),
),
passthrough_extensions=gcp.certificateauthority.CertificateTemplatePassthroughExtensionsArgs(
additional_extensions=[gcp.certificateauthority.CertificateTemplatePassthroughExtensionsAdditionalExtensionArgs(
object_id_paths=[
1,
6,
],
)],
known_extensions=["EXTENDED_KEY_USAGE"],
),
predefined_values=gcp.certificateauthority.CertificateTemplatePredefinedValuesArgs(
additional_extensions=[gcp.certificateauthority.CertificateTemplatePredefinedValuesAdditionalExtensionArgs(
object_id=gcp.certificateauthority.CertificateTemplatePredefinedValuesAdditionalExtensionObjectIdArgs(
object_id_paths=[
1,
6,
],
),
value="c3RyaW5nCg==",
critical=True,
)],
aia_ocsp_servers=["string"],
ca_options=gcp.certificateauthority.CertificateTemplatePredefinedValuesCaOptionsArgs(
is_ca=False,
max_issuer_path_length=6,
),
key_usage=gcp.certificateauthority.CertificateTemplatePredefinedValuesKeyUsageArgs(
base_key_usage=gcp.certificateauthority.CertificateTemplatePredefinedValuesKeyUsageBaseKeyUsageArgs(
cert_sign=False,
content_commitment=True,
crl_sign=False,
data_encipherment=True,
decipher_only=True,
digital_signature=True,
encipher_only=True,
key_agreement=True,
key_encipherment=True,
),
extended_key_usage=gcp.certificateauthority.CertificateTemplatePredefinedValuesKeyUsageExtendedKeyUsageArgs(
client_auth=True,
code_signing=True,
email_protection=True,
ocsp_signing=True,
server_auth=True,
time_stamping=True,
),
unknown_extended_key_usages=[gcp.certificateauthority.CertificateTemplatePredefinedValuesKeyUsageUnknownExtendedKeyUsageArgs(
object_id_paths=[
1,
6,
],
)],
),
policy_ids=[gcp.certificateauthority.CertificateTemplatePredefinedValuesPolicyIdArgs(
object_id_paths=[
1,
6,
],
)],
))
default_authority = gcp.certificateauthority.Authority("defaultAuthority",
location="us-central1",
pool=default_ca_pool.name,
certificate_authority_id="my-authority",
config=gcp.certificateauthority.AuthorityConfigArgs(
subject_config=gcp.certificateauthority.AuthorityConfigSubjectConfigArgs(
subject=gcp.certificateauthority.AuthorityConfigSubjectConfigSubjectArgs(
organization="HashiCorp",
common_name="my-certificate-authority",
),
subject_alt_name=gcp.certificateauthority.AuthorityConfigSubjectConfigSubjectAltNameArgs(
dns_names=["hashicorp.com"],
),
),
x509_config=gcp.certificateauthority.AuthorityConfigX509ConfigArgs(
ca_options=gcp.certificateauthority.AuthorityConfigX509ConfigCaOptionsArgs(
is_ca=True,
),
key_usage=gcp.certificateauthority.AuthorityConfigX509ConfigKeyUsageArgs(
base_key_usage=gcp.certificateauthority.AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs(
cert_sign=True,
crl_sign=True,
),
extended_key_usage=gcp.certificateauthority.AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs(
server_auth=False,
),
),
),
),
key_spec=gcp.certificateauthority.AuthorityKeySpecArgs(
algorithm="RSA_PKCS1_4096_SHA256",
),
deletion_protection=False,
skip_grace_period=True,
ignore_active_certificates_on_deletion=True)
default_certificate = gcp.certificateauthority.Certificate("defaultCertificate",
location="us-central1",
pool=default_ca_pool.name,
certificate_authority=default_authority.certificate_authority_id,
lifetime="860s",
pem_csr=(lambda path: open(path).read())("test-fixtures/rsa_csr.pem"),
certificate_template=default_certificate_template.id)
import * as pulumi from "@pulumi/pulumi";
import * as fs from "fs";
import * as gcp from "@pulumi/gcp";
const defaultCaPool = new gcp.certificateauthority.CaPool("defaultCaPool", {
location: "us-central1",
tier: "ENTERPRISE",
});
const defaultCertificateTemplate = new gcp.certificateauthority.CertificateTemplate("defaultCertificateTemplate", {
location: "us-central1",
description: "An updated sample certificate template",
identityConstraints: {
allowSubjectAltNamesPassthrough: true,
allowSubjectPassthrough: true,
celExpression: {
description: "Always true",
expression: "true",
location: "any.file.anywhere",
title: "Sample expression",
},
},
passthroughExtensions: {
additionalExtensions: [{
objectIdPaths: [
1,
6,
],
}],
knownExtensions: ["EXTENDED_KEY_USAGE"],
},
predefinedValues: {
additionalExtensions: [{
objectId: {
objectIdPaths: [
1,
6,
],
},
value: "c3RyaW5nCg==",
critical: true,
}],
aiaOcspServers: ["string"],
caOptions: {
isCa: false,
maxIssuerPathLength: 6,
},
keyUsage: {
baseKeyUsage: {
certSign: false,
contentCommitment: true,
crlSign: false,
dataEncipherment: true,
decipherOnly: true,
digitalSignature: true,
encipherOnly: true,
keyAgreement: true,
keyEncipherment: true,
},
extendedKeyUsage: {
clientAuth: true,
codeSigning: true,
emailProtection: true,
ocspSigning: true,
serverAuth: true,
timeStamping: true,
},
unknownExtendedKeyUsages: [{
objectIdPaths: [
1,
6,
],
}],
},
policyIds: [{
objectIdPaths: [
1,
6,
],
}],
},
});
const defaultAuthority = new gcp.certificateauthority.Authority("defaultAuthority", {
location: "us-central1",
pool: defaultCaPool.name,
certificateAuthorityId: "my-authority",
config: {
subjectConfig: {
subject: {
organization: "HashiCorp",
commonName: "my-certificate-authority",
},
subjectAltName: {
dnsNames: ["hashicorp.com"],
},
},
x509Config: {
caOptions: {
isCa: true,
},
keyUsage: {
baseKeyUsage: {
certSign: true,
crlSign: true,
},
extendedKeyUsage: {
serverAuth: false,
},
},
},
},
keySpec: {
algorithm: "RSA_PKCS1_4096_SHA256",
},
deletionProtection: false,
skipGracePeriod: true,
ignoreActiveCertificatesOnDeletion: true,
});
const defaultCertificate = new gcp.certificateauthority.Certificate("defaultCertificate", {
location: "us-central1",
pool: defaultCaPool.name,
certificateAuthority: defaultAuthority.certificateAuthorityId,
lifetime: "860s",
pemCsr: fs.readFileSync("test-fixtures/rsa_csr.pem"),
certificateTemplate: defaultCertificateTemplate.id,
});
resources:
defaultCaPool:
type: gcp:certificateauthority:CaPool
properties:
location: us-central1
tier: ENTERPRISE
defaultCertificateTemplate:
type: gcp:certificateauthority:CertificateTemplate
properties:
location: us-central1
description: An updated sample certificate template
identityConstraints:
allowSubjectAltNamesPassthrough: true
allowSubjectPassthrough: true
celExpression:
description: Always true
expression: 'true'
location: any.file.anywhere
title: Sample expression
passthroughExtensions:
additionalExtensions:
- objectIdPaths:
- 1
- 6
knownExtensions:
- EXTENDED_KEY_USAGE
predefinedValues:
additionalExtensions:
- objectId:
objectIdPaths:
- 1
- 6
value: c3RyaW5nCg==
critical: true
aiaOcspServers:
- string
caOptions:
isCa: false
maxIssuerPathLength: 6
keyUsage:
baseKeyUsage:
certSign: false
contentCommitment: true
crlSign: false
dataEncipherment: true
decipherOnly: true
digitalSignature: true
encipherOnly: true
keyAgreement: true
keyEncipherment: true
extendedKeyUsage:
clientAuth: true
codeSigning: true
emailProtection: true
ocspSigning: true
serverAuth: true
timeStamping: true
unknownExtendedKeyUsages:
- objectIdPaths:
- 1
- 6
policyIds:
- objectIdPaths:
- 1
- 6
defaultAuthority:
type: gcp:certificateauthority:Authority
properties:
location: us-central1
pool: ${defaultCaPool.name}
certificateAuthorityId: my-authority
config:
subjectConfig:
subject:
organization: HashiCorp
commonName: my-certificate-authority
subjectAltName:
dnsNames:
- hashicorp.com
x509Config:
caOptions:
isCa: true
keyUsage:
baseKeyUsage:
certSign: true
crlSign: true
extendedKeyUsage:
serverAuth: false
keySpec:
algorithm: RSA_PKCS1_4096_SHA256
# Disable CA deletion related safe checks for easier cleanup.
deletionProtection: false
skipGracePeriod: true
ignoreActiveCertificatesOnDeletion: true
defaultCertificate:
type: gcp:certificateauthority:Certificate
properties:
location: us-central1
pool: ${defaultCaPool.name}
certificateAuthority: ${defaultAuthority.certificateAuthorityId}
lifetime: 860s
pemCsr:
fn::readFile: test-fixtures/rsa_csr.pem
certificateTemplate: ${defaultCertificateTemplate.id}
Privateca Certificate Csr
using System.Collections.Generic;
using System.IO;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var defaultCaPool = new Gcp.CertificateAuthority.CaPool("defaultCaPool", new()
{
Location = "us-central1",
Tier = "ENTERPRISE",
});
var defaultAuthority = new Gcp.CertificateAuthority.Authority("defaultAuthority", new()
{
Location = "us-central1",
Pool = defaultCaPool.Name,
CertificateAuthorityId = "my-authority",
Config = new Gcp.CertificateAuthority.Inputs.AuthorityConfigArgs
{
SubjectConfig = new Gcp.CertificateAuthority.Inputs.AuthorityConfigSubjectConfigArgs
{
Subject = new Gcp.CertificateAuthority.Inputs.AuthorityConfigSubjectConfigSubjectArgs
{
Organization = "HashiCorp",
CommonName = "my-certificate-authority",
},
SubjectAltName = new Gcp.CertificateAuthority.Inputs.AuthorityConfigSubjectConfigSubjectAltNameArgs
{
DnsNames = new[]
{
"hashicorp.com",
},
},
},
X509Config = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigArgs
{
CaOptions = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigCaOptionsArgs
{
IsCa = true,
},
KeyUsage = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigKeyUsageArgs
{
BaseKeyUsage = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs
{
CertSign = true,
CrlSign = true,
},
ExtendedKeyUsage = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs
{
ServerAuth = false,
},
},
},
},
KeySpec = new Gcp.CertificateAuthority.Inputs.AuthorityKeySpecArgs
{
Algorithm = "RSA_PKCS1_4096_SHA256",
},
DeletionProtection = false,
SkipGracePeriod = true,
IgnoreActiveCertificatesOnDeletion = true,
});
var defaultCertificate = new Gcp.CertificateAuthority.Certificate("defaultCertificate", new()
{
Location = "us-central1",
Pool = defaultCaPool.Name,
CertificateAuthority = defaultAuthority.CertificateAuthorityId,
Lifetime = "860s",
PemCsr = File.ReadAllText("test-fixtures/rsa_csr.pem"),
});
});
package main
import (
"os"
"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/certificateauthority"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func readFileOrPanic(path string) pulumi.StringPtrInput {
data, err := os.ReadFile(path)
if err != nil {
panic(err.Error())
}
return pulumi.String(string(data))
}
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
defaultCaPool, err := certificateauthority.NewCaPool(ctx, "defaultCaPool", &certificateauthority.CaPoolArgs{
Location: pulumi.String("us-central1"),
Tier: pulumi.String("ENTERPRISE"),
})
if err != nil {
return err
}
defaultAuthority, err := certificateauthority.NewAuthority(ctx, "defaultAuthority", &certificateauthority.AuthorityArgs{
Location: pulumi.String("us-central1"),
Pool: defaultCaPool.Name,
CertificateAuthorityId: pulumi.String("my-authority"),
Config: &certificateauthority.AuthorityConfigArgs{
SubjectConfig: &certificateauthority.AuthorityConfigSubjectConfigArgs{
Subject: &certificateauthority.AuthorityConfigSubjectConfigSubjectArgs{
Organization: pulumi.String("HashiCorp"),
CommonName: pulumi.String("my-certificate-authority"),
},
SubjectAltName: &certificateauthority.AuthorityConfigSubjectConfigSubjectAltNameArgs{
DnsNames: pulumi.StringArray{
pulumi.String("hashicorp.com"),
},
},
},
X509Config: &certificateauthority.AuthorityConfigX509ConfigArgs{
CaOptions: &certificateauthority.AuthorityConfigX509ConfigCaOptionsArgs{
IsCa: pulumi.Bool(true),
},
KeyUsage: &certificateauthority.AuthorityConfigX509ConfigKeyUsageArgs{
BaseKeyUsage: &certificateauthority.AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs{
CertSign: pulumi.Bool(true),
CrlSign: pulumi.Bool(true),
},
ExtendedKeyUsage: &certificateauthority.AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs{
ServerAuth: pulumi.Bool(false),
},
},
},
},
KeySpec: &certificateauthority.AuthorityKeySpecArgs{
Algorithm: pulumi.String("RSA_PKCS1_4096_SHA256"),
},
DeletionProtection: pulumi.Bool(false),
SkipGracePeriod: pulumi.Bool(true),
IgnoreActiveCertificatesOnDeletion: pulumi.Bool(true),
})
if err != nil {
return err
}
_, err = certificateauthority.NewCertificate(ctx, "defaultCertificate", &certificateauthority.CertificateArgs{
Location: pulumi.String("us-central1"),
Pool: defaultCaPool.Name,
CertificateAuthority: defaultAuthority.CertificateAuthorityId,
Lifetime: pulumi.String("860s"),
PemCsr: readFileOrPanic("test-fixtures/rsa_csr.pem"),
})
if err != nil {
return err
}
return nil
})
}
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.certificateauthority.CaPool;
import com.pulumi.gcp.certificateauthority.CaPoolArgs;
import com.pulumi.gcp.certificateauthority.Authority;
import com.pulumi.gcp.certificateauthority.AuthorityArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigSubjectConfigArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigSubjectConfigSubjectArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigSubjectConfigSubjectAltNameArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigCaOptionsArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigKeyUsageArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityKeySpecArgs;
import com.pulumi.gcp.certificateauthority.Certificate;
import com.pulumi.gcp.certificateauthority.CertificateArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var defaultCaPool = new CaPool("defaultCaPool", CaPoolArgs.builder()
.location("us-central1")
.tier("ENTERPRISE")
.build());
var defaultAuthority = new Authority("defaultAuthority", AuthorityArgs.builder()
.location("us-central1")
.pool(defaultCaPool.name())
.certificateAuthorityId("my-authority")
.config(AuthorityConfigArgs.builder()
.subjectConfig(AuthorityConfigSubjectConfigArgs.builder()
.subject(AuthorityConfigSubjectConfigSubjectArgs.builder()
.organization("HashiCorp")
.commonName("my-certificate-authority")
.build())
.subjectAltName(AuthorityConfigSubjectConfigSubjectAltNameArgs.builder()
.dnsNames("hashicorp.com")
.build())
.build())
.x509Config(AuthorityConfigX509ConfigArgs.builder()
.caOptions(AuthorityConfigX509ConfigCaOptionsArgs.builder()
.isCa(true)
.build())
.keyUsage(AuthorityConfigX509ConfigKeyUsageArgs.builder()
.baseKeyUsage(AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs.builder()
.certSign(true)
.crlSign(true)
.build())
.extendedKeyUsage(AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs.builder()
.serverAuth(false)
.build())
.build())
.build())
.build())
.keySpec(AuthorityKeySpecArgs.builder()
.algorithm("RSA_PKCS1_4096_SHA256")
.build())
.deletionProtection(false)
.skipGracePeriod(true)
.ignoreActiveCertificatesOnDeletion(true)
.build());
var defaultCertificate = new Certificate("defaultCertificate", CertificateArgs.builder()
.location("us-central1")
.pool(defaultCaPool.name())
.certificateAuthority(defaultAuthority.certificateAuthorityId())
.lifetime("860s")
.pemCsr(Files.readString(Paths.get("test-fixtures/rsa_csr.pem")))
.build());
}
}
import pulumi
import pulumi_gcp as gcp
default_ca_pool = gcp.certificateauthority.CaPool("defaultCaPool",
location="us-central1",
tier="ENTERPRISE")
default_authority = gcp.certificateauthority.Authority("defaultAuthority",
location="us-central1",
pool=default_ca_pool.name,
certificate_authority_id="my-authority",
config=gcp.certificateauthority.AuthorityConfigArgs(
subject_config=gcp.certificateauthority.AuthorityConfigSubjectConfigArgs(
subject=gcp.certificateauthority.AuthorityConfigSubjectConfigSubjectArgs(
organization="HashiCorp",
common_name="my-certificate-authority",
),
subject_alt_name=gcp.certificateauthority.AuthorityConfigSubjectConfigSubjectAltNameArgs(
dns_names=["hashicorp.com"],
),
),
x509_config=gcp.certificateauthority.AuthorityConfigX509ConfigArgs(
ca_options=gcp.certificateauthority.AuthorityConfigX509ConfigCaOptionsArgs(
is_ca=True,
),
key_usage=gcp.certificateauthority.AuthorityConfigX509ConfigKeyUsageArgs(
base_key_usage=gcp.certificateauthority.AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs(
cert_sign=True,
crl_sign=True,
),
extended_key_usage=gcp.certificateauthority.AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs(
server_auth=False,
),
),
),
),
key_spec=gcp.certificateauthority.AuthorityKeySpecArgs(
algorithm="RSA_PKCS1_4096_SHA256",
),
deletion_protection=False,
skip_grace_period=True,
ignore_active_certificates_on_deletion=True)
default_certificate = gcp.certificateauthority.Certificate("defaultCertificate",
location="us-central1",
pool=default_ca_pool.name,
certificate_authority=default_authority.certificate_authority_id,
lifetime="860s",
pem_csr=(lambda path: open(path).read())("test-fixtures/rsa_csr.pem"))
import * as pulumi from "@pulumi/pulumi";
import * as fs from "fs";
import * as gcp from "@pulumi/gcp";
const defaultCaPool = new gcp.certificateauthority.CaPool("defaultCaPool", {
location: "us-central1",
tier: "ENTERPRISE",
});
const defaultAuthority = new gcp.certificateauthority.Authority("defaultAuthority", {
location: "us-central1",
pool: defaultCaPool.name,
certificateAuthorityId: "my-authority",
config: {
subjectConfig: {
subject: {
organization: "HashiCorp",
commonName: "my-certificate-authority",
},
subjectAltName: {
dnsNames: ["hashicorp.com"],
},
},
x509Config: {
caOptions: {
isCa: true,
},
keyUsage: {
baseKeyUsage: {
certSign: true,
crlSign: true,
},
extendedKeyUsage: {
serverAuth: false,
},
},
},
},
keySpec: {
algorithm: "RSA_PKCS1_4096_SHA256",
},
deletionProtection: false,
skipGracePeriod: true,
ignoreActiveCertificatesOnDeletion: true,
});
const defaultCertificate = new gcp.certificateauthority.Certificate("defaultCertificate", {
location: "us-central1",
pool: defaultCaPool.name,
certificateAuthority: defaultAuthority.certificateAuthorityId,
lifetime: "860s",
pemCsr: fs.readFileSync("test-fixtures/rsa_csr.pem"),
});
resources:
defaultCaPool:
type: gcp:certificateauthority:CaPool
properties:
location: us-central1
tier: ENTERPRISE
defaultAuthority:
type: gcp:certificateauthority:Authority
properties:
location: us-central1
pool: ${defaultCaPool.name}
certificateAuthorityId: my-authority
config:
subjectConfig:
subject:
organization: HashiCorp
commonName: my-certificate-authority
subjectAltName:
dnsNames:
- hashicorp.com
x509Config:
caOptions:
isCa: true
keyUsage:
baseKeyUsage:
certSign: true
crlSign: true
extendedKeyUsage:
serverAuth: false
keySpec:
algorithm: RSA_PKCS1_4096_SHA256
# Disable CA deletion related safe checks for easier cleanup.
deletionProtection: false
skipGracePeriod: true
ignoreActiveCertificatesOnDeletion: true
defaultCertificate:
type: gcp:certificateauthority:Certificate
properties:
location: us-central1
pool: ${defaultCaPool.name}
certificateAuthority: ${defaultAuthority.certificateAuthorityId}
lifetime: 860s
pemCsr:
fn::readFile: test-fixtures/rsa_csr.pem
Privateca Certificate No Authority
using System;
using System.Collections.Generic;
using System.IO;
using Pulumi;
using Gcp = Pulumi.Gcp;
private static string ReadFileBase64(string path) {
return Convert.ToBase64String(Encoding.UTF8.GetBytes(File.ReadAllText(path)))
}
return await Deployment.RunAsync(() =>
{
var defaultCaPool = new Gcp.CertificateAuthority.CaPool("defaultCaPool", new()
{
Location = "us-central1",
Tier = "ENTERPRISE",
});
var defaultAuthority = new Gcp.CertificateAuthority.Authority("defaultAuthority", new()
{
Location = "us-central1",
Pool = defaultCaPool.Name,
CertificateAuthorityId = "my-authority",
Config = new Gcp.CertificateAuthority.Inputs.AuthorityConfigArgs
{
SubjectConfig = new Gcp.CertificateAuthority.Inputs.AuthorityConfigSubjectConfigArgs
{
Subject = new Gcp.CertificateAuthority.Inputs.AuthorityConfigSubjectConfigSubjectArgs
{
Organization = "HashiCorp",
CommonName = "my-certificate-authority",
},
SubjectAltName = new Gcp.CertificateAuthority.Inputs.AuthorityConfigSubjectConfigSubjectAltNameArgs
{
DnsNames = new[]
{
"hashicorp.com",
},
},
},
X509Config = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigArgs
{
CaOptions = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigCaOptionsArgs
{
IsCa = true,
},
KeyUsage = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigKeyUsageArgs
{
BaseKeyUsage = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs
{
DigitalSignature = true,
CertSign = true,
CrlSign = true,
},
ExtendedKeyUsage = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs
{
ServerAuth = true,
},
},
},
},
Lifetime = "86400s",
KeySpec = new Gcp.CertificateAuthority.Inputs.AuthorityKeySpecArgs
{
Algorithm = "RSA_PKCS1_4096_SHA256",
},
DeletionProtection = false,
SkipGracePeriod = true,
IgnoreActiveCertificatesOnDeletion = true,
});
var defaultCertificate = new Gcp.CertificateAuthority.Certificate("defaultCertificate", new()
{
Location = "us-central1",
Pool = defaultCaPool.Name,
Lifetime = "860s",
Config = new Gcp.CertificateAuthority.Inputs.CertificateConfigArgs
{
SubjectConfig = new Gcp.CertificateAuthority.Inputs.CertificateConfigSubjectConfigArgs
{
Subject = new Gcp.CertificateAuthority.Inputs.CertificateConfigSubjectConfigSubjectArgs
{
CommonName = "san1.example.com",
CountryCode = "us",
Organization = "google",
OrganizationalUnit = "enterprise",
Locality = "mountain view",
Province = "california",
StreetAddress = "1600 amphitheatre parkway",
PostalCode = "94109",
},
},
X509Config = new Gcp.CertificateAuthority.Inputs.CertificateConfigX509ConfigArgs
{
CaOptions = new Gcp.CertificateAuthority.Inputs.CertificateConfigX509ConfigCaOptionsArgs
{
IsCa = false,
},
KeyUsage = new Gcp.CertificateAuthority.Inputs.CertificateConfigX509ConfigKeyUsageArgs
{
BaseKeyUsage = new Gcp.CertificateAuthority.Inputs.CertificateConfigX509ConfigKeyUsageBaseKeyUsageArgs
{
CrlSign = true,
},
ExtendedKeyUsage = new Gcp.CertificateAuthority.Inputs.CertificateConfigX509ConfigKeyUsageExtendedKeyUsageArgs
{
ServerAuth = true,
},
},
},
PublicKey = new Gcp.CertificateAuthority.Inputs.CertificateConfigPublicKeyArgs
{
Format = "PEM",
Key = ReadFileBase64("test-fixtures/rsa_public.pem"),
},
},
}, new CustomResourceOptions
{
DependsOn = new[]
{
defaultAuthority,
},
});
});
package main
import (
"encoding/base64"
"os"
"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/certificateauthority"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func filebase64OrPanic(path string) pulumi.StringPtrInput {
if fileData, err := os.ReadFile(path); err == nil {
return pulumi.String(base64.StdEncoding.EncodeToString(fileData[:]))
} else {
panic(err.Error())
}
}
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
defaultCaPool, err := certificateauthority.NewCaPool(ctx, "defaultCaPool", &certificateauthority.CaPoolArgs{
Location: pulumi.String("us-central1"),
Tier: pulumi.String("ENTERPRISE"),
})
if err != nil {
return err
}
defaultAuthority, err := certificateauthority.NewAuthority(ctx, "defaultAuthority", &certificateauthority.AuthorityArgs{
Location: pulumi.String("us-central1"),
Pool: defaultCaPool.Name,
CertificateAuthorityId: pulumi.String("my-authority"),
Config: &certificateauthority.AuthorityConfigArgs{
SubjectConfig: &certificateauthority.AuthorityConfigSubjectConfigArgs{
Subject: &certificateauthority.AuthorityConfigSubjectConfigSubjectArgs{
Organization: pulumi.String("HashiCorp"),
CommonName: pulumi.String("my-certificate-authority"),
},
SubjectAltName: &certificateauthority.AuthorityConfigSubjectConfigSubjectAltNameArgs{
DnsNames: pulumi.StringArray{
pulumi.String("hashicorp.com"),
},
},
},
X509Config: &certificateauthority.AuthorityConfigX509ConfigArgs{
CaOptions: &certificateauthority.AuthorityConfigX509ConfigCaOptionsArgs{
IsCa: pulumi.Bool(true),
},
KeyUsage: &certificateauthority.AuthorityConfigX509ConfigKeyUsageArgs{
BaseKeyUsage: &certificateauthority.AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs{
DigitalSignature: pulumi.Bool(true),
CertSign: pulumi.Bool(true),
CrlSign: pulumi.Bool(true),
},
ExtendedKeyUsage: &certificateauthority.AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs{
ServerAuth: pulumi.Bool(true),
},
},
},
},
Lifetime: pulumi.String("86400s"),
KeySpec: &certificateauthority.AuthorityKeySpecArgs{
Algorithm: pulumi.String("RSA_PKCS1_4096_SHA256"),
},
DeletionProtection: pulumi.Bool(false),
SkipGracePeriod: pulumi.Bool(true),
IgnoreActiveCertificatesOnDeletion: pulumi.Bool(true),
})
if err != nil {
return err
}
_, err = certificateauthority.NewCertificate(ctx, "defaultCertificate", &certificateauthority.CertificateArgs{
Location: pulumi.String("us-central1"),
Pool: defaultCaPool.Name,
Lifetime: pulumi.String("860s"),
Config: &certificateauthority.CertificateConfigArgs{
SubjectConfig: &certificateauthority.CertificateConfigSubjectConfigArgs{
Subject: &certificateauthority.CertificateConfigSubjectConfigSubjectArgs{
CommonName: pulumi.String("san1.example.com"),
CountryCode: pulumi.String("us"),
Organization: pulumi.String("google"),
OrganizationalUnit: pulumi.String("enterprise"),
Locality: pulumi.String("mountain view"),
Province: pulumi.String("california"),
StreetAddress: pulumi.String("1600 amphitheatre parkway"),
PostalCode: pulumi.String("94109"),
},
},
X509Config: &certificateauthority.CertificateConfigX509ConfigArgs{
CaOptions: &certificateauthority.CertificateConfigX509ConfigCaOptionsArgs{
IsCa: pulumi.Bool(false),
},
KeyUsage: &certificateauthority.CertificateConfigX509ConfigKeyUsageArgs{
BaseKeyUsage: &certificateauthority.CertificateConfigX509ConfigKeyUsageBaseKeyUsageArgs{
CrlSign: pulumi.Bool(true),
},
ExtendedKeyUsage: &certificateauthority.CertificateConfigX509ConfigKeyUsageExtendedKeyUsageArgs{
ServerAuth: pulumi.Bool(true),
},
},
},
PublicKey: &certificateauthority.CertificateConfigPublicKeyArgs{
Format: pulumi.String("PEM"),
Key: filebase64OrPanic("test-fixtures/rsa_public.pem"),
},
},
}, pulumi.DependsOn([]pulumi.Resource{
defaultAuthority,
}))
if err != nil {
return err
}
return nil
})
}
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.certificateauthority.CaPool;
import com.pulumi.gcp.certificateauthority.CaPoolArgs;
import com.pulumi.gcp.certificateauthority.Authority;
import com.pulumi.gcp.certificateauthority.AuthorityArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigSubjectConfigArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigSubjectConfigSubjectArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigSubjectConfigSubjectAltNameArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigCaOptionsArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigKeyUsageArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityKeySpecArgs;
import com.pulumi.gcp.certificateauthority.Certificate;
import com.pulumi.gcp.certificateauthority.CertificateArgs;
import com.pulumi.gcp.certificateauthority.inputs.CertificateConfigArgs;
import com.pulumi.gcp.certificateauthority.inputs.CertificateConfigSubjectConfigArgs;
import com.pulumi.gcp.certificateauthority.inputs.CertificateConfigSubjectConfigSubjectArgs;
import com.pulumi.gcp.certificateauthority.inputs.CertificateConfigX509ConfigArgs;
import com.pulumi.gcp.certificateauthority.inputs.CertificateConfigX509ConfigCaOptionsArgs;
import com.pulumi.gcp.certificateauthority.inputs.CertificateConfigX509ConfigKeyUsageArgs;
import com.pulumi.gcp.certificateauthority.inputs.CertificateConfigX509ConfigKeyUsageBaseKeyUsageArgs;
import com.pulumi.gcp.certificateauthority.inputs.CertificateConfigX509ConfigKeyUsageExtendedKeyUsageArgs;
import com.pulumi.gcp.certificateauthority.inputs.CertificateConfigPublicKeyArgs;
import com.pulumi.resources.CustomResourceOptions;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var defaultCaPool = new CaPool("defaultCaPool", CaPoolArgs.builder()
.location("us-central1")
.tier("ENTERPRISE")
.build());
var defaultAuthority = new Authority("defaultAuthority", AuthorityArgs.builder()
.location("us-central1")
.pool(defaultCaPool.name())
.certificateAuthorityId("my-authority")
.config(AuthorityConfigArgs.builder()
.subjectConfig(AuthorityConfigSubjectConfigArgs.builder()
.subject(AuthorityConfigSubjectConfigSubjectArgs.builder()
.organization("HashiCorp")
.commonName("my-certificate-authority")
.build())
.subjectAltName(AuthorityConfigSubjectConfigSubjectAltNameArgs.builder()
.dnsNames("hashicorp.com")
.build())
.build())
.x509Config(AuthorityConfigX509ConfigArgs.builder()
.caOptions(AuthorityConfigX509ConfigCaOptionsArgs.builder()
.isCa(true)
.build())
.keyUsage(AuthorityConfigX509ConfigKeyUsageArgs.builder()
.baseKeyUsage(AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs.builder()
.digitalSignature(true)
.certSign(true)
.crlSign(true)
.build())
.extendedKeyUsage(AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs.builder()
.serverAuth(true)
.build())
.build())
.build())
.build())
.lifetime("86400s")
.keySpec(AuthorityKeySpecArgs.builder()
.algorithm("RSA_PKCS1_4096_SHA256")
.build())
.deletionProtection(false)
.skipGracePeriod(true)
.ignoreActiveCertificatesOnDeletion(true)
.build());
var defaultCertificate = new Certificate("defaultCertificate", CertificateArgs.builder()
.location("us-central1")
.pool(defaultCaPool.name())
.lifetime("860s")
.config(CertificateConfigArgs.builder()
.subjectConfig(CertificateConfigSubjectConfigArgs.builder()
.subject(CertificateConfigSubjectConfigSubjectArgs.builder()
.commonName("san1.example.com")
.countryCode("us")
.organization("google")
.organizationalUnit("enterprise")
.locality("mountain view")
.province("california")
.streetAddress("1600 amphitheatre parkway")
.postalCode("94109")
.build())
.build())
.x509Config(CertificateConfigX509ConfigArgs.builder()
.caOptions(CertificateConfigX509ConfigCaOptionsArgs.builder()
.isCa(false)
.build())
.keyUsage(CertificateConfigX509ConfigKeyUsageArgs.builder()
.baseKeyUsage(CertificateConfigX509ConfigKeyUsageBaseKeyUsageArgs.builder()
.crlSign(true)
.build())
.extendedKeyUsage(CertificateConfigX509ConfigKeyUsageExtendedKeyUsageArgs.builder()
.serverAuth(true)
.build())
.build())
.build())
.publicKey(CertificateConfigPublicKeyArgs.builder()
.format("PEM")
.key(Base64.getEncoder().encodeToString(Files.readAllBytes(Paths.get("test-fixtures/rsa_public.pem"))))
.build())
.build())
.build(), CustomResourceOptions.builder()
.dependsOn(defaultAuthority)
.build());
}
}
import pulumi
import base64
import pulumi_gcp as gcp
default_ca_pool = gcp.certificateauthority.CaPool("defaultCaPool",
location="us-central1",
tier="ENTERPRISE")
default_authority = gcp.certificateauthority.Authority("defaultAuthority",
location="us-central1",
pool=default_ca_pool.name,
certificate_authority_id="my-authority",
config=gcp.certificateauthority.AuthorityConfigArgs(
subject_config=gcp.certificateauthority.AuthorityConfigSubjectConfigArgs(
subject=gcp.certificateauthority.AuthorityConfigSubjectConfigSubjectArgs(
organization="HashiCorp",
common_name="my-certificate-authority",
),
subject_alt_name=gcp.certificateauthority.AuthorityConfigSubjectConfigSubjectAltNameArgs(
dns_names=["hashicorp.com"],
),
),
x509_config=gcp.certificateauthority.AuthorityConfigX509ConfigArgs(
ca_options=gcp.certificateauthority.AuthorityConfigX509ConfigCaOptionsArgs(
is_ca=True,
),
key_usage=gcp.certificateauthority.AuthorityConfigX509ConfigKeyUsageArgs(
base_key_usage=gcp.certificateauthority.AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs(
digital_signature=True,
cert_sign=True,
crl_sign=True,
),
extended_key_usage=gcp.certificateauthority.AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs(
server_auth=True,
),
),
),
),
lifetime="86400s",
key_spec=gcp.certificateauthority.AuthorityKeySpecArgs(
algorithm="RSA_PKCS1_4096_SHA256",
),
deletion_protection=False,
skip_grace_period=True,
ignore_active_certificates_on_deletion=True)
default_certificate = gcp.certificateauthority.Certificate("defaultCertificate",
location="us-central1",
pool=default_ca_pool.name,
lifetime="860s",
config=gcp.certificateauthority.CertificateConfigArgs(
subject_config=gcp.certificateauthority.CertificateConfigSubjectConfigArgs(
subject=gcp.certificateauthority.CertificateConfigSubjectConfigSubjectArgs(
common_name="san1.example.com",
country_code="us",
organization="google",
organizational_unit="enterprise",
locality="mountain view",
province="california",
street_address="1600 amphitheatre parkway",
postal_code="94109",
),
),
x509_config=gcp.certificateauthority.CertificateConfigX509ConfigArgs(
ca_options=gcp.certificateauthority.CertificateConfigX509ConfigCaOptionsArgs(
is_ca=False,
),
key_usage=gcp.certificateauthority.CertificateConfigX509ConfigKeyUsageArgs(
base_key_usage=gcp.certificateauthority.CertificateConfigX509ConfigKeyUsageBaseKeyUsageArgs(
crl_sign=True,
),
extended_key_usage=gcp.certificateauthority.CertificateConfigX509ConfigKeyUsageExtendedKeyUsageArgs(
server_auth=True,
),
),
),
public_key=gcp.certificateauthority.CertificateConfigPublicKeyArgs(
format="PEM",
key=(lambda path: base64.b64encode(open(path).read().encode()).decode())("test-fixtures/rsa_public.pem"),
),
),
opts=pulumi.ResourceOptions(depends_on=[default_authority]))
import * as pulumi from "@pulumi/pulumi";
import * as fs from "fs";
import * as gcp from "@pulumi/gcp";
const defaultCaPool = new gcp.certificateauthority.CaPool("defaultCaPool", {
location: "us-central1",
tier: "ENTERPRISE",
});
const defaultAuthority = new gcp.certificateauthority.Authority("defaultAuthority", {
location: "us-central1",
pool: defaultCaPool.name,
certificateAuthorityId: "my-authority",
config: {
subjectConfig: {
subject: {
organization: "HashiCorp",
commonName: "my-certificate-authority",
},
subjectAltName: {
dnsNames: ["hashicorp.com"],
},
},
x509Config: {
caOptions: {
isCa: true,
},
keyUsage: {
baseKeyUsage: {
digitalSignature: true,
certSign: true,
crlSign: true,
},
extendedKeyUsage: {
serverAuth: true,
},
},
},
},
lifetime: "86400s",
keySpec: {
algorithm: "RSA_PKCS1_4096_SHA256",
},
deletionProtection: false,
skipGracePeriod: true,
ignoreActiveCertificatesOnDeletion: true,
});
const defaultCertificate = new gcp.certificateauthority.Certificate("defaultCertificate", {
location: "us-central1",
pool: defaultCaPool.name,
lifetime: "860s",
config: {
subjectConfig: {
subject: {
commonName: "san1.example.com",
countryCode: "us",
organization: "google",
organizationalUnit: "enterprise",
locality: "mountain view",
province: "california",
streetAddress: "1600 amphitheatre parkway",
postalCode: "94109",
},
},
x509Config: {
caOptions: {
isCa: false,
},
keyUsage: {
baseKeyUsage: {
crlSign: true,
},
extendedKeyUsage: {
serverAuth: true,
},
},
},
publicKey: {
format: "PEM",
key: Buffer.from(fs.readFileSync("test-fixtures/rsa_public.pem"), 'binary').toString('base64'),
},
},
}, {
dependsOn: [defaultAuthority],
});
Coming soon!
Create Certificate Resource
new Certificate(name: string, args: CertificateArgs, opts?: CustomResourceOptions);@overload
def Certificate(resource_name: str,
opts: Optional[ResourceOptions] = None,
certificate_authority: Optional[str] = None,
certificate_template: Optional[str] = None,
config: Optional[CertificateConfigArgs] = None,
labels: Optional[Mapping[str, str]] = None,
lifetime: Optional[str] = None,
location: Optional[str] = None,
name: Optional[str] = None,
pem_csr: Optional[str] = None,
pool: Optional[str] = None,
project: Optional[str] = None)
@overload
def Certificate(resource_name: str,
args: CertificateArgs,
opts: Optional[ResourceOptions] = None)func NewCertificate(ctx *Context, name string, args CertificateArgs, opts ...ResourceOption) (*Certificate, error)public Certificate(string name, CertificateArgs args, CustomResourceOptions? opts = null)
public Certificate(String name, CertificateArgs args)
public Certificate(String name, CertificateArgs args, CustomResourceOptions options)
type: gcp:certificateauthority:Certificate
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args CertificateArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args CertificateArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args CertificateArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args CertificateArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args CertificateArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
Certificate Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
The Certificate resource accepts the following input properties:
- Location string
Location of the Certificate. A full list of valid locations can be found by running
gcloud privateca locations list.- Pool string
The name of the CaPool this Certificate belongs to.
- string
The Certificate Authority ID that should issue the certificate. For example, to issue a Certificate from a Certificate Authority with resource name
projects/my-project/locations/us-central1/caPools/my-pool/certificateAuthorities/my-ca, argumentpoolshould be set toprojects/my-project/locations/us-central1/caPools/my-pool, argumentcertificate_authorityshould be set tomy-ca.- Certificate
Template string The resource name for a CertificateTemplate used to issue this certificate, in the format
projects/*/locations/*/certificateTemplates/*. If this is specified, the caller must have the necessary permission to use this template. If this is omitted, no template will be used. This template must be in the same location as the Certificate.- Config
Certificate
Config Args The config used to create a self-signed X.509 certificate or CSR. Structure is documented below.
- Labels Dictionary<string, string>
Labels with user-defined metadata to apply to this resource.
- Lifetime string
The desired lifetime of the CA certificate. Used to create the "notBeforeTime" and "notAfterTime" fields inside an X.509 certificate. A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s".
- Name string
The name for this Certificate.
- Pem
Csr string Immutable. A pem-encoded X.509 certificate signing request (CSR).
- Project string
The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
- Location string
Location of the Certificate. A full list of valid locations can be found by running
gcloud privateca locations list.- Pool string
The name of the CaPool this Certificate belongs to.
- string
The Certificate Authority ID that should issue the certificate. For example, to issue a Certificate from a Certificate Authority with resource name
projects/my-project/locations/us-central1/caPools/my-pool/certificateAuthorities/my-ca, argumentpoolshould be set toprojects/my-project/locations/us-central1/caPools/my-pool, argumentcertificate_authorityshould be set tomy-ca.- Certificate
Template string The resource name for a CertificateTemplate used to issue this certificate, in the format
projects/*/locations/*/certificateTemplates/*. If this is specified, the caller must have the necessary permission to use this template. If this is omitted, no template will be used. This template must be in the same location as the Certificate.- Config
Certificate
Config Args The config used to create a self-signed X.509 certificate or CSR. Structure is documented below.
- Labels map[string]string
Labels with user-defined metadata to apply to this resource.
- Lifetime string
The desired lifetime of the CA certificate. Used to create the "notBeforeTime" and "notAfterTime" fields inside an X.509 certificate. A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s".
- Name string
The name for this Certificate.
- Pem
Csr string Immutable. A pem-encoded X.509 certificate signing request (CSR).
- Project string
The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
- location String
Location of the Certificate. A full list of valid locations can be found by running
gcloud privateca locations list.- pool String
The name of the CaPool this Certificate belongs to.
- String
The Certificate Authority ID that should issue the certificate. For example, to issue a Certificate from a Certificate Authority with resource name
projects/my-project/locations/us-central1/caPools/my-pool/certificateAuthorities/my-ca, argumentpoolshould be set toprojects/my-project/locations/us-central1/caPools/my-pool, argumentcertificate_authorityshould be set tomy-ca.- certificate
Template String The resource name for a CertificateTemplate used to issue this certificate, in the format
projects/*/locations/*/certificateTemplates/*. If this is specified, the caller must have the necessary permission to use this template. If this is omitted, no template will be used. This template must be in the same location as the Certificate.- config
Certificate
Config Args The config used to create a self-signed X.509 certificate or CSR. Structure is documented below.
- labels Map<String,String>
Labels with user-defined metadata to apply to this resource.
- lifetime String
The desired lifetime of the CA certificate. Used to create the "notBeforeTime" and "notAfterTime" fields inside an X.509 certificate. A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s".
- name String
The name for this Certificate.
- pem
Csr String Immutable. A pem-encoded X.509 certificate signing request (CSR).
- project String
The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
- location string
Location of the Certificate. A full list of valid locations can be found by running
gcloud privateca locations list.- pool string
The name of the CaPool this Certificate belongs to.
- string
The Certificate Authority ID that should issue the certificate. For example, to issue a Certificate from a Certificate Authority with resource name
projects/my-project/locations/us-central1/caPools/my-pool/certificateAuthorities/my-ca, argumentpoolshould be set toprojects/my-project/locations/us-central1/caPools/my-pool, argumentcertificate_authorityshould be set tomy-ca.- certificate
Template string The resource name for a CertificateTemplate used to issue this certificate, in the format
projects/*/locations/*/certificateTemplates/*. If this is specified, the caller must have the necessary permission to use this template. If this is omitted, no template will be used. This template must be in the same location as the Certificate.- config
Certificate
Config Args The config used to create a self-signed X.509 certificate or CSR. Structure is documented below.
- labels {[key: string]: string}
Labels with user-defined metadata to apply to this resource.
- lifetime string
The desired lifetime of the CA certificate. Used to create the "notBeforeTime" and "notAfterTime" fields inside an X.509 certificate. A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s".
- name string
The name for this Certificate.
- pem
Csr string Immutable. A pem-encoded X.509 certificate signing request (CSR).
- project string
The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
- location str
Location of the Certificate. A full list of valid locations can be found by running
gcloud privateca locations list.- pool str
The name of the CaPool this Certificate belongs to.
- str
The Certificate Authority ID that should issue the certificate. For example, to issue a Certificate from a Certificate Authority with resource name
projects/my-project/locations/us-central1/caPools/my-pool/certificateAuthorities/my-ca, argumentpoolshould be set toprojects/my-project/locations/us-central1/caPools/my-pool, argumentcertificate_authorityshould be set tomy-ca.- certificate_
template str The resource name for a CertificateTemplate used to issue this certificate, in the format
projects/*/locations/*/certificateTemplates/*. If this is specified, the caller must have the necessary permission to use this template. If this is omitted, no template will be used. This template must be in the same location as the Certificate.- config
Certificate
Config Args The config used to create a self-signed X.509 certificate or CSR. Structure is documented below.
- labels Mapping[str, str]
Labels with user-defined metadata to apply to this resource.
- lifetime str
The desired lifetime of the CA certificate. Used to create the "notBeforeTime" and "notAfterTime" fields inside an X.509 certificate. A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s".
- name str
The name for this Certificate.
- pem_
csr str Immutable. A pem-encoded X.509 certificate signing request (CSR).
- project str
The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
- location String
Location of the Certificate. A full list of valid locations can be found by running
gcloud privateca locations list.- pool String
The name of the CaPool this Certificate belongs to.
- String
The Certificate Authority ID that should issue the certificate. For example, to issue a Certificate from a Certificate Authority with resource name
projects/my-project/locations/us-central1/caPools/my-pool/certificateAuthorities/my-ca, argumentpoolshould be set toprojects/my-project/locations/us-central1/caPools/my-pool, argumentcertificate_authorityshould be set tomy-ca.- certificate
Template String The resource name for a CertificateTemplate used to issue this certificate, in the format
projects/*/locations/*/certificateTemplates/*. If this is specified, the caller must have the necessary permission to use this template. If this is omitted, no template will be used. This template must be in the same location as the Certificate.- config Property Map
The config used to create a self-signed X.509 certificate or CSR. Structure is documented below.
- labels Map<String>
Labels with user-defined metadata to apply to this resource.
- lifetime String
The desired lifetime of the CA certificate. Used to create the "notBeforeTime" and "notAfterTime" fields inside an X.509 certificate. A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s".
- name String
The name for this Certificate.
- pem
Csr String Immutable. A pem-encoded X.509 certificate signing request (CSR).
- project String
The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
Outputs
All input properties are implicitly available as output properties. Additionally, the Certificate resource produces the following output properties:
- Certificate
Descriptions List<CertificateCertificate Description> Output only. Details regarding the revocation of this Certificate. This Certificate is considered revoked if and only if this field is present. Structure is documented below.
- Create
Time string The time that this resource was created on the server. This is in RFC3339 text format.
- Id string
The provider-assigned unique ID for this managed resource.
- string
The resource name of the issuing CertificateAuthority in the format
projects/*/locations/*/caPools/*/certificateAuthorities/*.- Pem
Certificate string Output only. The pem-encoded, signed X.509 certificate.
- Pem
Certificate List<string>Chains The chain that may be used to verify the X.509 certificate. Expected to be in issuer-to-root order according to RFC 5246.
- Pem
Certificates List<string> (Deprecated) Required. Expected to be in leaf-to-root order according to RFC 5246.
Deprecated in favor of
pem_certificate_chain.- Revocation
Details List<CertificateRevocation Detail> Output only. Details regarding the revocation of this Certificate. This Certificate is considered revoked if and only if this field is present. Structure is documented below.
- Update
Time string Output only. The time at which this CertificateAuthority was updated. This is in RFC3339 text format.
- Certificate
Descriptions []CertificateCertificate Description Output only. Details regarding the revocation of this Certificate. This Certificate is considered revoked if and only if this field is present. Structure is documented below.
- Create
Time string The time that this resource was created on the server. This is in RFC3339 text format.
- Id string
The provider-assigned unique ID for this managed resource.
- string
The resource name of the issuing CertificateAuthority in the format
projects/*/locations/*/caPools/*/certificateAuthorities/*.- Pem
Certificate string Output only. The pem-encoded, signed X.509 certificate.
- Pem
Certificate []stringChains The chain that may be used to verify the X.509 certificate. Expected to be in issuer-to-root order according to RFC 5246.
- Pem
Certificates []string (Deprecated) Required. Expected to be in leaf-to-root order according to RFC 5246.
Deprecated in favor of
pem_certificate_chain.- Revocation
Details []CertificateRevocation Detail Output only. Details regarding the revocation of this Certificate. This Certificate is considered revoked if and only if this field is present. Structure is documented below.
- Update
Time string Output only. The time at which this CertificateAuthority was updated. This is in RFC3339 text format.
- certificate
Descriptions List<CertificateCertificate Description> Output only. Details regarding the revocation of this Certificate. This Certificate is considered revoked if and only if this field is present. Structure is documented below.
- create
Time String The time that this resource was created on the server. This is in RFC3339 text format.
- id String
The provider-assigned unique ID for this managed resource.
- String
The resource name of the issuing CertificateAuthority in the format
projects/*/locations/*/caPools/*/certificateAuthorities/*.- pem
Certificate String Output only. The pem-encoded, signed X.509 certificate.
- pem
Certificate List<String>Chains The chain that may be used to verify the X.509 certificate. Expected to be in issuer-to-root order according to RFC 5246.
- pem
Certificates List<String> (Deprecated) Required. Expected to be in leaf-to-root order according to RFC 5246.
Deprecated in favor of
pem_certificate_chain.- revocation
Details List<CertificateRevocation Detail> Output only. Details regarding the revocation of this Certificate. This Certificate is considered revoked if and only if this field is present. Structure is documented below.
- update
Time String Output only. The time at which this CertificateAuthority was updated. This is in RFC3339 text format.
- certificate
Descriptions CertificateCertificate Description[] Output only. Details regarding the revocation of this Certificate. This Certificate is considered revoked if and only if this field is present. Structure is documented below.
- create
Time string The time that this resource was created on the server. This is in RFC3339 text format.
- id string
The provider-assigned unique ID for this managed resource.
- string
The resource name of the issuing CertificateAuthority in the format
projects/*/locations/*/caPools/*/certificateAuthorities/*.- pem
Certificate string Output only. The pem-encoded, signed X.509 certificate.
- pem
Certificate string[]Chains The chain that may be used to verify the X.509 certificate. Expected to be in issuer-to-root order according to RFC 5246.
- pem
Certificates string[] (Deprecated) Required. Expected to be in leaf-to-root order according to RFC 5246.
Deprecated in favor of
pem_certificate_chain.- revocation
Details CertificateRevocation Detail[] Output only. Details regarding the revocation of this Certificate. This Certificate is considered revoked if and only if this field is present. Structure is documented below.
- update
Time string Output only. The time at which this CertificateAuthority was updated. This is in RFC3339 text format.
- certificate_
descriptions Sequence[CertificateCertificate Description] Output only. Details regarding the revocation of this Certificate. This Certificate is considered revoked if and only if this field is present. Structure is documented below.
- create_
time str The time that this resource was created on the server. This is in RFC3339 text format.
- id str
The provider-assigned unique ID for this managed resource.
- str
The resource name of the issuing CertificateAuthority in the format
projects/*/locations/*/caPools/*/certificateAuthorities/*.- pem_
certificate str Output only. The pem-encoded, signed X.509 certificate.
- pem_
certificate_ Sequence[str]chains The chain that may be used to verify the X.509 certificate. Expected to be in issuer-to-root order according to RFC 5246.
- pem_
certificates Sequence[str] (Deprecated) Required. Expected to be in leaf-to-root order according to RFC 5246.
Deprecated in favor of
pem_certificate_chain.- revocation_
details Sequence[CertificateRevocation Detail] Output only. Details regarding the revocation of this Certificate. This Certificate is considered revoked if and only if this field is present. Structure is documented below.
- update_
time str Output only. The time at which this CertificateAuthority was updated. This is in RFC3339 text format.
- certificate
Descriptions List<Property Map> Output only. Details regarding the revocation of this Certificate. This Certificate is considered revoked if and only if this field is present. Structure is documented below.
- create
Time String The time that this resource was created on the server. This is in RFC3339 text format.
- id String
The provider-assigned unique ID for this managed resource.
- String
The resource name of the issuing CertificateAuthority in the format
projects/*/locations/*/caPools/*/certificateAuthorities/*.- pem
Certificate String Output only. The pem-encoded, signed X.509 certificate.
- pem
Certificate List<String>Chains The chain that may be used to verify the X.509 certificate. Expected to be in issuer-to-root order according to RFC 5246.
- pem
Certificates List<String> (Deprecated) Required. Expected to be in leaf-to-root order according to RFC 5246.
Deprecated in favor of
pem_certificate_chain.- revocation
Details List<Property Map> Output only. Details regarding the revocation of this Certificate. This Certificate is considered revoked if and only if this field is present. Structure is documented below.
- update
Time String Output only. The time at which this CertificateAuthority was updated. This is in RFC3339 text format.
Look up Existing Certificate Resource
Get an existing Certificate resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: CertificateState, opts?: CustomResourceOptions): Certificate@staticmethod
def get(resource_name: str,
id: str,
opts: Optional[ResourceOptions] = None,
certificate_authority: Optional[str] = None,
certificate_descriptions: Optional[Sequence[CertificateCertificateDescriptionArgs]] = None,
certificate_template: Optional[str] = None,
config: Optional[CertificateConfigArgs] = None,
create_time: Optional[str] = None,
issuer_certificate_authority: Optional[str] = None,
labels: Optional[Mapping[str, str]] = None,
lifetime: Optional[str] = None,
location: Optional[str] = None,
name: Optional[str] = None,
pem_certificate: Optional[str] = None,
pem_certificate_chains: Optional[Sequence[str]] = None,
pem_certificates: Optional[Sequence[str]] = None,
pem_csr: Optional[str] = None,
pool: Optional[str] = None,
project: Optional[str] = None,
revocation_details: Optional[Sequence[CertificateRevocationDetailArgs]] = None,
update_time: Optional[str] = None) -> Certificatefunc GetCertificate(ctx *Context, name string, id IDInput, state *CertificateState, opts ...ResourceOption) (*Certificate, error)public static Certificate Get(string name, Input<string> id, CertificateState? state, CustomResourceOptions? opts = null)public static Certificate get(String name, Output<String> id, CertificateState state, CustomResourceOptions options)Resource lookup is not supported in YAML- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- string
The Certificate Authority ID that should issue the certificate. For example, to issue a Certificate from a Certificate Authority with resource name
projects/my-project/locations/us-central1/caPools/my-pool/certificateAuthorities/my-ca, argumentpoolshould be set toprojects/my-project/locations/us-central1/caPools/my-pool, argumentcertificate_authorityshould be set tomy-ca.- Certificate
Descriptions List<CertificateCertificate Description Args> Output only. Details regarding the revocation of this Certificate. This Certificate is considered revoked if and only if this field is present. Structure is documented below.
- Certificate
Template string The resource name for a CertificateTemplate used to issue this certificate, in the format
projects/*/locations/*/certificateTemplates/*. If this is specified, the caller must have the necessary permission to use this template. If this is omitted, no template will be used. This template must be in the same location as the Certificate.- Config
Certificate
Config Args The config used to create a self-signed X.509 certificate or CSR. Structure is documented below.
- Create
Time string The time that this resource was created on the server. This is in RFC3339 text format.
- string
The resource name of the issuing CertificateAuthority in the format
projects/*/locations/*/caPools/*/certificateAuthorities/*.- Labels Dictionary<string, string>
Labels with user-defined metadata to apply to this resource.
- Lifetime string
The desired lifetime of the CA certificate. Used to create the "notBeforeTime" and "notAfterTime" fields inside an X.509 certificate. A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s".
- Location string
Location of the Certificate. A full list of valid locations can be found by running
gcloud privateca locations list.- Name string
The name for this Certificate.
- Pem
Certificate string Output only. The pem-encoded, signed X.509 certificate.
- Pem
Certificate List<string>Chains The chain that may be used to verify the X.509 certificate. Expected to be in issuer-to-root order according to RFC 5246.
- Pem
Certificates List<string> (Deprecated) Required. Expected to be in leaf-to-root order according to RFC 5246.
Deprecated in favor of
pem_certificate_chain.- Pem
Csr string Immutable. A pem-encoded X.509 certificate signing request (CSR).
- Pool string
The name of the CaPool this Certificate belongs to.
- Project string
The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
- Revocation
Details List<CertificateRevocation Detail Args> Output only. Details regarding the revocation of this Certificate. This Certificate is considered revoked if and only if this field is present. Structure is documented below.
- Update
Time string Output only. The time at which this CertificateAuthority was updated. This is in RFC3339 text format.
- string
The Certificate Authority ID that should issue the certificate. For example, to issue a Certificate from a Certificate Authority with resource name
projects/my-project/locations/us-central1/caPools/my-pool/certificateAuthorities/my-ca, argumentpoolshould be set toprojects/my-project/locations/us-central1/caPools/my-pool, argumentcertificate_authorityshould be set tomy-ca.- Certificate
Descriptions []CertificateCertificate Description Args Output only. Details regarding the revocation of this Certificate. This Certificate is considered revoked if and only if this field is present. Structure is documented below.
- Certificate
Template string The resource name for a CertificateTemplate used to issue this certificate, in the format
projects/*/locations/*/certificateTemplates/*. If this is specified, the caller must have the necessary permission to use this template. If this is omitted, no template will be used. This template must be in the same location as the Certificate.- Config
Certificate
Config Args The config used to create a self-signed X.509 certificate or CSR. Structure is documented below.
- Create
Time string The time that this resource was created on the server. This is in RFC3339 text format.
- string
The resource name of the issuing CertificateAuthority in the format
projects/*/locations/*/caPools/*/certificateAuthorities/*.- Labels map[string]string
Labels with user-defined metadata to apply to this resource.
- Lifetime string
The desired lifetime of the CA certificate. Used to create the "notBeforeTime" and "notAfterTime" fields inside an X.509 certificate. A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s".
- Location string
Location of the Certificate. A full list of valid locations can be found by running
gcloud privateca locations list.- Name string
The name for this Certificate.
- Pem
Certificate string Output only. The pem-encoded, signed X.509 certificate.
- Pem
Certificate []stringChains The chain that may be used to verify the X.509 certificate. Expected to be in issuer-to-root order according to RFC 5246.
- Pem
Certificates []string (Deprecated) Required. Expected to be in leaf-to-root order according to RFC 5246.
Deprecated in favor of
pem_certificate_chain.- Pem
Csr string Immutable. A pem-encoded X.509 certificate signing request (CSR).
- Pool string
The name of the CaPool this Certificate belongs to.
- Project string
The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
- Revocation
Details []CertificateRevocation Detail Args Output only. Details regarding the revocation of this Certificate. This Certificate is considered revoked if and only if this field is present. Structure is documented below.
- Update
Time string Output only. The time at which this CertificateAuthority was updated. This is in RFC3339 text format.
- String
The Certificate Authority ID that should issue the certificate. For example, to issue a Certificate from a Certificate Authority with resource name
projects/my-project/locations/us-central1/caPools/my-pool/certificateAuthorities/my-ca, argumentpoolshould be set toprojects/my-project/locations/us-central1/caPools/my-pool, argumentcertificate_authorityshould be set tomy-ca.- certificate
Descriptions List<CertificateCertificate Description Args> Output only. Details regarding the revocation of this Certificate. This Certificate is considered revoked if and only if this field is present. Structure is documented below.
- certificate
Template String The resource name for a CertificateTemplate used to issue this certificate, in the format
projects/*/locations/*/certificateTemplates/*. If this is specified, the caller must have the necessary permission to use this template. If this is omitted, no template will be used. This template must be in the same location as the Certificate.- config
Certificate
Config Args The config used to create a self-signed X.509 certificate or CSR. Structure is documented below.
- create
Time String The time that this resource was created on the server. This is in RFC3339 text format.
- String
The resource name of the issuing CertificateAuthority in the format
projects/*/locations/*/caPools/*/certificateAuthorities/*.- labels Map<String,String>
Labels with user-defined metadata to apply to this resource.
- lifetime String
The desired lifetime of the CA certificate. Used to create the "notBeforeTime" and "notAfterTime" fields inside an X.509 certificate. A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s".
- location String
Location of the Certificate. A full list of valid locations can be found by running
gcloud privateca locations list.- name String
The name for this Certificate.
- pem
Certificate String Output only. The pem-encoded, signed X.509 certificate.
- pem
Certificate List<String>Chains The chain that may be used to verify the X.509 certificate. Expected to be in issuer-to-root order according to RFC 5246.
- pem
Certificates List<String> (Deprecated) Required. Expected to be in leaf-to-root order according to RFC 5246.
Deprecated in favor of
pem_certificate_chain.- pem
Csr String Immutable. A pem-encoded X.509 certificate signing request (CSR).
- pool String
The name of the CaPool this Certificate belongs to.
- project String
The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
- revocation
Details List<CertificateRevocation Detail Args> Output only. Details regarding the revocation of this Certificate. This Certificate is considered revoked if and only if this field is present. Structure is documented below.
- update
Time String Output only. The time at which this CertificateAuthority was updated. This is in RFC3339 text format.
- string
The Certificate Authority ID that should issue the certificate. For example, to issue a Certificate from a Certificate Authority with resource name
projects/my-project/locations/us-central1/caPools/my-pool/certificateAuthorities/my-ca, argumentpoolshould be set toprojects/my-project/locations/us-central1/caPools/my-pool, argumentcertificate_authorityshould be set tomy-ca.- certificate
Descriptions CertificateCertificate Description Args[] Output only. Details regarding the revocation of this Certificate. This Certificate is considered revoked if and only if this field is present. Structure is documented below.
- certificate
Template string The resource name for a CertificateTemplate used to issue this certificate, in the format
projects/*/locations/*/certificateTemplates/*. If this is specified, the caller must have the necessary permission to use this template. If this is omitted, no template will be used. This template must be in the same location as the Certificate.- config
Certificate
Config Args The config used to create a self-signed X.509 certificate or CSR. Structure is documented below.
- create
Time string The time that this resource was created on the server. This is in RFC3339 text format.
- string
The resource name of the issuing CertificateAuthority in the format
projects/*/locations/*/caPools/*/certificateAuthorities/*.- labels {[key: string]: string}
Labels with user-defined metadata to apply to this resource.
- lifetime string
The desired lifetime of the CA certificate. Used to create the "notBeforeTime" and "notAfterTime" fields inside an X.509 certificate. A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s".
- location string
Location of the Certificate. A full list of valid locations can be found by running
gcloud privateca locations list.- name string
The name for this Certificate.
- pem
Certificate string Output only. The pem-encoded, signed X.509 certificate.
- pem
Certificate string[]Chains The chain that may be used to verify the X.509 certificate. Expected to be in issuer-to-root order according to RFC 5246.
- pem
Certificates string[] (Deprecated) Required. Expected to be in leaf-to-root order according to RFC 5246.
Deprecated in favor of
pem_certificate_chain.- pem
Csr string Immutable. A pem-encoded X.509 certificate signing request (CSR).
- pool string
The name of the CaPool this Certificate belongs to.
- project string
The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
- revocation
Details CertificateRevocation Detail Args[] Output only. Details regarding the revocation of this Certificate. This Certificate is considered revoked if and only if this field is present. Structure is documented below.
- update
Time string Output only. The time at which this CertificateAuthority was updated. This is in RFC3339 text format.
- str
The Certificate Authority ID that should issue the certificate. For example, to issue a Certificate from a Certificate Authority with resource name
projects/my-project/locations/us-central1/caPools/my-pool/certificateAuthorities/my-ca, argumentpoolshould be set toprojects/my-project/locations/us-central1/caPools/my-pool, argumentcertificate_authorityshould be set tomy-ca.- certificate_
descriptions Sequence[CertificateCertificate Description Args] Output only. Details regarding the revocation of this Certificate. This Certificate is considered revoked if and only if this field is present. Structure is documented below.
- certificate_
template str The resource name for a CertificateTemplate used to issue this certificate, in the format
projects/*/locations/*/certificateTemplates/*. If this is specified, the caller must have the necessary permission to use this template. If this is omitted, no template will be used. This template must be in the same location as the Certificate.- config
Certificate
Config Args The config used to create a self-signed X.509 certificate or CSR. Structure is documented below.
- create_
time str The time that this resource was created on the server. This is in RFC3339 text format.
- str
The resource name of the issuing CertificateAuthority in the format
projects/*/locations/*/caPools/*/certificateAuthorities/*.- labels Mapping[str, str]
Labels with user-defined metadata to apply to this resource.
- lifetime str
The desired lifetime of the CA certificate. Used to create the "notBeforeTime" and "notAfterTime" fields inside an X.509 certificate. A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s".
- location str
Location of the Certificate. A full list of valid locations can be found by running
gcloud privateca locations list.- name str
The name for this Certificate.
- pem_
certificate str Output only. The pem-encoded, signed X.509 certificate.
- pem_
certificate_ Sequence[str]chains The chain that may be used to verify the X.509 certificate. Expected to be in issuer-to-root order according to RFC 5246.
- pem_
certificates Sequence[str] (Deprecated) Required. Expected to be in leaf-to-root order according to RFC 5246.
Deprecated in favor of
pem_certificate_chain.- pem_
csr str Immutable. A pem-encoded X.509 certificate signing request (CSR).
- pool str
The name of the CaPool this Certificate belongs to.
- project str
The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
- revocation_
details Sequence[CertificateRevocation Detail Args] Output only. Details regarding the revocation of this Certificate. This Certificate is considered revoked if and only if this field is present. Structure is documented below.
- update_
time str Output only. The time at which this CertificateAuthority was updated. This is in RFC3339 text format.
- String
The Certificate Authority ID that should issue the certificate. For example, to issue a Certificate from a Certificate Authority with resource name
projects/my-project/locations/us-central1/caPools/my-pool/certificateAuthorities/my-ca, argumentpoolshould be set toprojects/my-project/locations/us-central1/caPools/my-pool, argumentcertificate_authorityshould be set tomy-ca.- certificate
Descriptions List<Property Map> Output only. Details regarding the revocation of this Certificate. This Certificate is considered revoked if and only if this field is present. Structure is documented below.
- certificate
Template String The resource name for a CertificateTemplate used to issue this certificate, in the format
projects/*/locations/*/certificateTemplates/*. If this is specified, the caller must have the necessary permission to use this template. If this is omitted, no template will be used. This template must be in the same location as the Certificate.- config Property Map
The config used to create a self-signed X.509 certificate or CSR. Structure is documented below.
- create
Time String The time that this resource was created on the server. This is in RFC3339 text format.
- String
The resource name of the issuing CertificateAuthority in the format
projects/*/locations/*/caPools/*/certificateAuthorities/*.- labels Map<String>
Labels with user-defined metadata to apply to this resource.
- lifetime String
The desired lifetime of the CA certificate. Used to create the "notBeforeTime" and "notAfterTime" fields inside an X.509 certificate. A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s".
- location String
Location of the Certificate. A full list of valid locations can be found by running
gcloud privateca locations list.- name String
The name for this Certificate.
- pem
Certificate String Output only. The pem-encoded, signed X.509 certificate.
- pem
Certificate List<String>Chains The chain that may be used to verify the X.509 certificate. Expected to be in issuer-to-root order according to RFC 5246.
- pem
Certificates List<String> (Deprecated) Required. Expected to be in leaf-to-root order according to RFC 5246.
Deprecated in favor of
pem_certificate_chain.- pem
Csr String Immutable. A pem-encoded X.509 certificate signing request (CSR).
- pool String
The name of the CaPool this Certificate belongs to.
- project String
The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
- revocation
Details List<Property Map> Output only. Details regarding the revocation of this Certificate. This Certificate is considered revoked if and only if this field is present. Structure is documented below.
- update
Time String Output only. The time at which this CertificateAuthority was updated. This is in RFC3339 text format.
Supporting Types
CertificateCertificateDescription
- Aia
Issuing List<string>Certificate Urls (Output) Describes lists of issuer CA certificate URLs that appear in the "Authority Information Access" extension in the certificate.
-
List<Certificate
Certificate Description Authority Key Id> (Output) Identifies the subjectKeyId of the parent certificate, per https://tools.ietf.org/html/rfc5280#section-4.2.1.1 Structure is documented below.
- Cert
Fingerprints List<CertificateCertificate Description Cert Fingerprint> (Output) The hash of the x.509 certificate. Structure is documented below.
- Config
Values List<CertificateCertificate Description Config Value> (Output, Deprecated) Describes some of the technical fields in a certificate. Structure is documented below.
Deprecated in favor of
x509_description.- Crl
Distribution List<string>Points (Output) Describes a list of locations to obtain CRL information, i.e. the DistributionPoint.fullName described by https://tools.ietf.org/html/rfc5280#section-4.2.1.13
- Public
Keys List<CertificateCertificate Description Public Key> A PublicKey describes a public key. Structure is documented below.
- Subject
Descriptions List<CertificateCertificate Description Subject Description> (Output) Describes some of the values in a certificate that are related to the subject and lifetime. Structure is documented below.
- Subject
Key List<CertificateIds Certificate Description Subject Key Id> (Output) Provides a means of identifiying certificates that contain a particular public key, per https://tools.ietf.org/html/rfc5280#section-4.2.1.2. Structure is documented below.
- X509Descriptions
List<Certificate
Certificate Description X509Description> (Output) A structured description of the issued X.509 certificate. Structure is documented below.
- Aia
Issuing []stringCertificate Urls (Output) Describes lists of issuer CA certificate URLs that appear in the "Authority Information Access" extension in the certificate.
-
[]Certificate
Certificate Description Authority Key Id (Output) Identifies the subjectKeyId of the parent certificate, per https://tools.ietf.org/html/rfc5280#section-4.2.1.1 Structure is documented below.
- Cert
Fingerprints []CertificateCertificate Description Cert Fingerprint (Output) The hash of the x.509 certificate. Structure is documented below.
- Config
Values []CertificateCertificate Description Config Value (Output, Deprecated) Describes some of the technical fields in a certificate. Structure is documented below.
Deprecated in favor of
x509_description.- Crl
Distribution []stringPoints (Output) Describes a list of locations to obtain CRL information, i.e. the DistributionPoint.fullName described by https://tools.ietf.org/html/rfc5280#section-4.2.1.13
- Public
Keys []CertificateCertificate Description Public Key A PublicKey describes a public key. Structure is documented below.
- Subject
Descriptions []CertificateCertificate Description Subject Description (Output) Describes some of the values in a certificate that are related to the subject and lifetime. Structure is documented below.
- Subject
Key []CertificateIds Certificate Description Subject Key Id (Output) Provides a means of identifiying certificates that contain a particular public key, per https://tools.ietf.org/html/rfc5280#section-4.2.1.2. Structure is documented below.
- X509Descriptions
[]Certificate
Certificate Description X509Description (Output) A structured description of the issued X.509 certificate. Structure is documented below.
- aia
Issuing List<String>Certificate Urls (Output) Describes lists of issuer CA certificate URLs that appear in the "Authority Information Access" extension in the certificate.
-
List<Certificate
Certificate Description Authority Key Id> (Output) Identifies the subjectKeyId of the parent certificate, per https://tools.ietf.org/html/rfc5280#section-4.2.1.1 Structure is documented below.
- cert
Fingerprints List<CertificateCertificate Description Cert Fingerprint> (Output) The hash of the x.509 certificate. Structure is documented below.
- config
Values List<CertificateCertificate Description Config Value> (Output, Deprecated) Describes some of the technical fields in a certificate. Structure is documented below.
Deprecated in favor of
x509_description.- crl
Distribution List<String>Points (Output) Describes a list of locations to obtain CRL information, i.e. the DistributionPoint.fullName described by https://tools.ietf.org/html/rfc5280#section-4.2.1.13
- public
Keys List<CertificateCertificate Description Public Key> A PublicKey describes a public key. Structure is documented below.
- subject
Descriptions List<CertificateCertificate Description Subject Description> (Output) Describes some of the values in a certificate that are related to the subject and lifetime. Structure is documented below.
- subject
Key List<CertificateIds Certificate Description Subject Key Id> (Output) Provides a means of identifiying certificates that contain a particular public key, per https://tools.ietf.org/html/rfc5280#section-4.2.1.2. Structure is documented below.
- x509Descriptions
List<Certificate
Certificate Description X509Description> (Output) A structured description of the issued X.509 certificate. Structure is documented below.
- aia
Issuing string[]Certificate Urls (Output) Describes lists of issuer CA certificate URLs that appear in the "Authority Information Access" extension in the certificate.
-
Certificate
Certificate Description Authority Key Id[] (Output) Identifies the subjectKeyId of the parent certificate, per https://tools.ietf.org/html/rfc5280#section-4.2.1.1 Structure is documented below.
- cert
Fingerprints CertificateCertificate Description Cert Fingerprint[] (Output) The hash of the x.509 certificate. Structure is documented below.
- config
Values CertificateCertificate Description Config Value[] (Output, Deprecated) Describes some of the technical fields in a certificate. Structure is documented below.
Deprecated in favor of
x509_description.- crl
Distribution string[]Points (Output) Describes a list of locations to obtain CRL information, i.e. the DistributionPoint.fullName described by https://tools.ietf.org/html/rfc5280#section-4.2.1.13
- public
Keys CertificateCertificate Description Public Key[] A PublicKey describes a public key. Structure is documented below.
- subject
Descriptions CertificateCertificate Description Subject Description[] (Output) Describes some of the values in a certificate that are related to the subject and lifetime. Structure is documented below.
- subject
Key CertificateIds Certificate Description Subject Key Id[] (Output) Provides a means of identifiying certificates that contain a particular public key, per https://tools.ietf.org/html/rfc5280#section-4.2.1.2. Structure is documented below.
- x509Descriptions
Certificate
Certificate Description X509Description[] (Output) A structured description of the issued X.509 certificate. Structure is documented below.
- aia_
issuing_ Sequence[str]certificate_ urls (Output) Describes lists of issuer CA certificate URLs that appear in the "Authority Information Access" extension in the certificate.
-
Sequence[Certificate
Certificate Description Authority Key Id] (Output) Identifies the subjectKeyId of the parent certificate, per https://tools.ietf.org/html/rfc5280#section-4.2.1.1 Structure is documented below.
- cert_
fingerprints Sequence[CertificateCertificate Description Cert Fingerprint] (Output) The hash of the x.509 certificate. Structure is documented below.
- config_
values Sequence[CertificateCertificate Description Config Value] (Output, Deprecated) Describes some of the technical fields in a certificate. Structure is documented below.
Deprecated in favor of
x509_description.- crl_
distribution_ Sequence[str]points (Output) Describes a list of locations to obtain CRL information, i.e. the DistributionPoint.fullName described by https://tools.ietf.org/html/rfc5280#section-4.2.1.13
- public_
keys Sequence[CertificateCertificate Description Public Key] A PublicKey describes a public key. Structure is documented below.
- subject_
descriptions Sequence[CertificateCertificate Description Subject Description] (Output) Describes some of the values in a certificate that are related to the subject and lifetime. Structure is documented below.
- subject_
key_ Sequence[Certificateids Certificate Description Subject Key Id] (Output) Provides a means of identifiying certificates that contain a particular public key, per https://tools.ietf.org/html/rfc5280#section-4.2.1.2. Structure is documented below.
- x509_
descriptions Sequence[CertificateCertificate Description X509Description] (Output) A structured description of the issued X.509 certificate. Structure is documented below.
- aia
Issuing List<String>Certificate Urls (Output) Describes lists of issuer CA certificate URLs that appear in the "Authority Information Access" extension in the certificate.
- List<Property Map>
(Output) Identifies the subjectKeyId of the parent certificate, per https://tools.ietf.org/html/rfc5280#section-4.2.1.1 Structure is documented below.
- cert
Fingerprints List<Property Map> (Output) The hash of the x.509 certificate. Structure is documented below.
- config
Values List<Property Map> (Output, Deprecated) Describes some of the technical fields in a certificate. Structure is documented below.
Deprecated in favor of
x509_description.- crl
Distribution List<String>Points (Output) Describes a list of locations to obtain CRL information, i.e. the DistributionPoint.fullName described by https://tools.ietf.org/html/rfc5280#section-4.2.1.13
- public
Keys List<Property Map> A PublicKey describes a public key. Structure is documented below.
- subject
Descriptions List<Property Map> (Output) Describes some of the values in a certificate that are related to the subject and lifetime. Structure is documented below.
- subject
Key List<Property Map>Ids (Output) Provides a means of identifiying certificates that contain a particular public key, per https://tools.ietf.org/html/rfc5280#section-4.2.1.2. Structure is documented below.
- x509Descriptions List<Property Map>
(Output) A structured description of the issued X.509 certificate. Structure is documented below.
CertificateCertificateDescriptionAuthorityKeyId
- Key
Id string (Output) Optional. The value of this KeyId encoded in lowercase hexadecimal. This is most likely the 160 bit SHA-1 hash of the public key.
- Key
Id string (Output) Optional. The value of this KeyId encoded in lowercase hexadecimal. This is most likely the 160 bit SHA-1 hash of the public key.
- key
Id String (Output) Optional. The value of this KeyId encoded in lowercase hexadecimal. This is most likely the 160 bit SHA-1 hash of the public key.
- key
Id string (Output) Optional. The value of this KeyId encoded in lowercase hexadecimal. This is most likely the 160 bit SHA-1 hash of the public key.
- key_
id str (Output) Optional. The value of this KeyId encoded in lowercase hexadecimal. This is most likely the 160 bit SHA-1 hash of the public key.
- key
Id String (Output) Optional. The value of this KeyId encoded in lowercase hexadecimal. This is most likely the 160 bit SHA-1 hash of the public key.
CertificateCertificateDescriptionCertFingerprint
- Sha256Hash string
(Output) The SHA 256 hash, encoded in hexadecimal, of the DER x509 certificate.
- Sha256Hash string
(Output) The SHA 256 hash, encoded in hexadecimal, of the DER x509 certificate.
- sha256Hash String
(Output) The SHA 256 hash, encoded in hexadecimal, of the DER x509 certificate.
- sha256Hash string
(Output) The SHA 256 hash, encoded in hexadecimal, of the DER x509 certificate.
- sha256_
hash str (Output) The SHA 256 hash, encoded in hexadecimal, of the DER x509 certificate.
- sha256Hash String
(Output) The SHA 256 hash, encoded in hexadecimal, of the DER x509 certificate.
CertificateCertificateDescriptionConfigValue
- Key
Usages List<CertificateCertificate Description Config Value Key Usage> Indicates the intended use for keys that correspond to a certificate. Structure is documented below.
- Key
Usages []CertificateCertificate Description Config Value Key Usage Indicates the intended use for keys that correspond to a certificate. Structure is documented below.
- key
Usages List<CertificateCertificate Description Config Value Key Usage> Indicates the intended use for keys that correspond to a certificate. Structure is documented below.
- key
Usages CertificateCertificate Description Config Value Key Usage[] Indicates the intended use for keys that correspond to a certificate. Structure is documented below.
- key_
usages Sequence[CertificateCertificate Description Config Value Key Usage] Indicates the intended use for keys that correspond to a certificate. Structure is documented below.
- key
Usages List<Property Map> Indicates the intended use for keys that correspond to a certificate. Structure is documented below.
CertificateCertificateDescriptionConfigValueKeyUsage
- Base
Key List<CertificateUsages Certificate Description Config Value Key Usage Base Key Usage> Describes high-level ways in which a key may be used. Structure is documented below.
- Extended
Key List<CertificateUsages Certificate Description Config Value Key Usage Extended Key Usage> Describes high-level ways in which a key may be used. Structure is documented below.
- Unknown
Extended List<CertificateKey Usages Certificate Description Config Value Key Usage Unknown Extended Key Usage> An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. Structure is documented below.
- Base
Key []CertificateUsages Certificate Description Config Value Key Usage Base Key Usage Describes high-level ways in which a key may be used. Structure is documented below.
- Extended
Key []CertificateUsages Certificate Description Config Value Key Usage Extended Key Usage Describes high-level ways in which a key may be used. Structure is documented below.
- Unknown
Extended []CertificateKey Usages Certificate Description Config Value Key Usage Unknown Extended Key Usage An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. Structure is documented below.
- base
Key List<CertificateUsages Certificate Description Config Value Key Usage Base Key Usage> Describes high-level ways in which a key may be used. Structure is documented below.
- extended
Key List<CertificateUsages Certificate Description Config Value Key Usage Extended Key Usage> Describes high-level ways in which a key may be used. Structure is documented below.
- unknown
Extended List<CertificateKey Usages Certificate Description Config Value Key Usage Unknown Extended Key Usage> An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. Structure is documented below.
- base
Key CertificateUsages Certificate Description Config Value Key Usage Base Key Usage[] Describes high-level ways in which a key may be used. Structure is documented below.
- extended
Key CertificateUsages Certificate Description Config Value Key Usage Extended Key Usage[] Describes high-level ways in which a key may be used. Structure is documented below.
- unknown
Extended CertificateKey Usages Certificate Description Config Value Key Usage Unknown Extended Key Usage[] An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. Structure is documented below.
- base_
key_ Sequence[Certificateusages Certificate Description Config Value Key Usage Base Key Usage] Describes high-level ways in which a key may be used. Structure is documented below.
- extended_
key_ Sequence[Certificateusages Certificate Description Config Value Key Usage Extended Key Usage] Describes high-level ways in which a key may be used. Structure is documented below.
- unknown_
extended_ Sequence[Certificatekey_ usages Certificate Description Config Value Key Usage Unknown Extended Key Usage] An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. Structure is documented below.
- base
Key List<Property Map>Usages Describes high-level ways in which a key may be used. Structure is documented below.
- extended
Key List<Property Map>Usages Describes high-level ways in which a key may be used. Structure is documented below.
- unknown
Extended List<Property Map>Key Usages An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. Structure is documented below.
CertificateCertificateDescriptionConfigValueKeyUsageBaseKeyUsage
- Key
Usage List<CertificateOptions Certificate Description Config Value Key Usage Base Key Usage Key Usage Option> (Output) Describes high-level ways in which a key may be used. Structure is documented below.
- Key
Usage []CertificateOptions Certificate Description Config Value Key Usage Base Key Usage Key Usage Option (Output) Describes high-level ways in which a key may be used. Structure is documented below.
- key
Usage List<CertificateOptions Certificate Description Config Value Key Usage Base Key Usage Key Usage Option> (Output) Describes high-level ways in which a key may be used. Structure is documented below.
- key
Usage CertificateOptions Certificate Description Config Value Key Usage Base Key Usage Key Usage Option[] (Output) Describes high-level ways in which a key may be used. Structure is documented below.
- key_
usage_ Sequence[Certificateoptions Certificate Description Config Value Key Usage Base Key Usage Key Usage Option] (Output) Describes high-level ways in which a key may be used. Structure is documented below.
- key
Usage List<Property Map>Options (Output) Describes high-level ways in which a key may be used. Structure is documented below.
CertificateCertificateDescriptionConfigValueKeyUsageBaseKeyUsageKeyUsageOption
- Cert
Sign bool The key may be used to sign certificates.
- Content
Commitment bool The key may be used for cryptographic commitments. Note that this may also be referred to as "non-repudiation".
- Crl
Sign bool The key may be used sign certificate revocation lists.
- Data
Encipherment bool The key may be used to encipher data.
- Decipher
Only bool The key may be used to decipher only.
- Digital
Signature bool The key may be used for digital signatures.
- Encipher
Only bool The key may be used to encipher only.
- Key
Agreement bool The key may be used in a key agreement protocol.
- Key
Encipherment bool The key may be used to encipher other keys.
- Cert
Sign bool The key may be used to sign certificates.
- Content
Commitment bool The key may be used for cryptographic commitments. Note that this may also be referred to as "non-repudiation".
- Crl
Sign bool The key may be used sign certificate revocation lists.
- Data
Encipherment bool The key may be used to encipher data.
- Decipher
Only bool The key may be used to decipher only.
- Digital
Signature bool The key may be used for digital signatures.
- Encipher
Only bool The key may be used to encipher only.
- Key
Agreement bool The key may be used in a key agreement protocol.
- Key
Encipherment bool The key may be used to encipher other keys.
- cert
Sign Boolean The key may be used to sign certificates.
- content
Commitment Boolean The key may be used for cryptographic commitments. Note that this may also be referred to as "non-repudiation".
- crl
Sign Boolean The key may be used sign certificate revocation lists.
- data
Encipherment Boolean The key may be used to encipher data.
- decipher
Only Boolean The key may be used to decipher only.
- digital
Signature Boolean The key may be used for digital signatures.
- encipher
Only Boolean The key may be used to encipher only.
- key
Agreement Boolean The key may be used in a key agreement protocol.
- key
Encipherment Boolean The key may be used to encipher other keys.
- cert
Sign boolean The key may be used to sign certificates.
- content
Commitment boolean The key may be used for cryptographic commitments. Note that this may also be referred to as "non-repudiation".
- crl
Sign boolean The key may be used sign certificate revocation lists.
- data
Encipherment boolean The key may be used to encipher data.
- decipher
Only boolean The key may be used to decipher only.
- digital
Signature boolean The key may be used for digital signatures.
- encipher
Only boolean The key may be used to encipher only.
- key
Agreement boolean The key may be used in a key agreement protocol.
- key
Encipherment boolean The key may be used to encipher other keys.
- cert_
sign bool The key may be used to sign certificates.
- content_
commitment bool The key may be used for cryptographic commitments. Note that this may also be referred to as "non-repudiation".
- crl_
sign bool The key may be used sign certificate revocation lists.
- data_
encipherment bool The key may be used to encipher data.
- decipher_
only bool The key may be used to decipher only.
- digital_
signature bool The key may be used for digital signatures.
- encipher_
only bool The key may be used to encipher only.
- key_
agreement bool The key may be used in a key agreement protocol.
- key_
encipherment bool The key may be used to encipher other keys.
- cert
Sign Boolean The key may be used to sign certificates.
- content
Commitment Boolean The key may be used for cryptographic commitments. Note that this may also be referred to as "non-repudiation".
- crl
Sign Boolean The key may be used sign certificate revocation lists.
- data
Encipherment Boolean The key may be used to encipher data.
- decipher
Only Boolean The key may be used to decipher only.
- digital
Signature Boolean The key may be used for digital signatures.
- encipher
Only Boolean The key may be used to encipher only.
- key
Agreement Boolean The key may be used in a key agreement protocol.
- key
Encipherment Boolean The key may be used to encipher other keys.
CertificateCertificateDescriptionConfigValueKeyUsageExtendedKeyUsage
- Client
Auth bool Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as "TLS WWW client authentication", though regularly used for non-WWW TLS.
- Code
Signing bool Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as "Signing of downloadable executable code client authentication".
- Email
Protection bool Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as "Email protection".
- Ocsp
Signing bool Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as "Signing OCSP responses".
- Server
Auth bool Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as "TLS WWW server authentication", though regularly used for non-WWW TLS.
- Time
Stamping bool Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as "Binding the hash of an object to a time".
- Client
Auth bool Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as "TLS WWW client authentication", though regularly used for non-WWW TLS.
- Code
Signing bool Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as "Signing of downloadable executable code client authentication".
- Email
Protection bool Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as "Email protection".
- Ocsp
Signing bool Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as "Signing OCSP responses".
- Server
Auth bool Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as "TLS WWW server authentication", though regularly used for non-WWW TLS.
- Time
Stamping bool Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as "Binding the hash of an object to a time".
- client
Auth Boolean Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as "TLS WWW client authentication", though regularly used for non-WWW TLS.
- code
Signing Boolean Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as "Signing of downloadable executable code client authentication".
- email
Protection Boolean Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as "Email protection".
- ocsp
Signing Boolean Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as "Signing OCSP responses".
- server
Auth Boolean Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as "TLS WWW server authentication", though regularly used for non-WWW TLS.
- time
Stamping Boolean Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as "Binding the hash of an object to a time".
- client
Auth boolean Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as "TLS WWW client authentication", though regularly used for non-WWW TLS.
- code
Signing boolean Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as "Signing of downloadable executable code client authentication".
- email
Protection boolean Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as "Email protection".
- ocsp
Signing boolean Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as "Signing OCSP responses".
- server
Auth boolean Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as "TLS WWW server authentication", though regularly used for non-WWW TLS.
- time
Stamping boolean Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as "Binding the hash of an object to a time".
- client_
auth bool Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as "TLS WWW client authentication", though regularly used for non-WWW TLS.
- code_
signing bool Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as "Signing of downloadable executable code client authentication".
- email_
protection bool Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as "Email protection".
- ocsp_
signing bool Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as "Signing OCSP responses".
- server_
auth bool Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as "TLS WWW server authentication", though regularly used for non-WWW TLS.
- time_
stamping bool Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as "Binding the hash of an object to a time".
- client
Auth Boolean Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as "TLS WWW client authentication", though regularly used for non-WWW TLS.
- code
Signing Boolean Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as "Signing of downloadable executable code client authentication".
- email
Protection Boolean Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as "Email protection".
- ocsp
Signing Boolean Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as "Signing OCSP responses".
- server
Auth Boolean Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as "TLS WWW server authentication", though regularly used for non-WWW TLS.
- time
Stamping Boolean Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as "Binding the hash of an object to a time".
CertificateCertificateDescriptionConfigValueKeyUsageUnknownExtendedKeyUsage
- Obect
Ids List<CertificateCertificate Description Config Value Key Usage Unknown Extended Key Usage Obect Id> (Output) Required. Describes how some of the technical fields in a certificate should be populated. Structure is documented below.
- Obect
Ids []CertificateCertificate Description Config Value Key Usage Unknown Extended Key Usage Obect Id (Output) Required. Describes how some of the technical fields in a certificate should be populated. Structure is documented below.
- obect
Ids List<CertificateCertificate Description Config Value Key Usage Unknown Extended Key Usage Obect Id> (Output) Required. Describes how some of the technical fields in a certificate should be populated. Structure is documented below.
- obect
Ids CertificateCertificate Description Config Value Key Usage Unknown Extended Key Usage Obect Id[] (Output) Required. Describes how some of the technical fields in a certificate should be populated. Structure is documented below.
- obect_
ids Sequence[CertificateCertificate Description Config Value Key Usage Unknown Extended Key Usage Obect Id] (Output) Required. Describes how some of the technical fields in a certificate should be populated. Structure is documented below.
- obect
Ids List<Property Map> (Output) Required. Describes how some of the technical fields in a certificate should be populated. Structure is documented below.
CertificateCertificateDescriptionConfigValueKeyUsageUnknownExtendedKeyUsageObectId
- Object
Id List<int>Paths An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. (Required) An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. (Required) An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
- Object
Id []intPaths An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. (Required) An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. (Required) An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
- object
Id List<Integer>Paths An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. (Required) An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. (Required) An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
- object
Id number[]Paths An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. (Required) An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. (Required) An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
- object_
id_ Sequence[int]paths An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. (Required) An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. (Required) An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
- object
Id List<Number>Paths An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. (Required) An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. (Required) An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
CertificateCertificateDescriptionPublicKey
- Format string
The format of the public key. Currently, only PEM format is supported. Possible values are
KEY_TYPE_UNSPECIFIEDandPEM.- Key string
Required. A public key. When this is specified in a request, the padding and encoding can be any of the options described by the respective 'KeyType' value. When this is generated by the service, it will always be an RFC 5280 SubjectPublicKeyInfo structure containing an algorithm identifier and a key. A base64-encoded string.
- Format string
The format of the public key. Currently, only PEM format is supported. Possible values are
KEY_TYPE_UNSPECIFIEDandPEM.- Key string
Required. A public key. When this is specified in a request, the padding and encoding can be any of the options described by the respective 'KeyType' value. When this is generated by the service, it will always be an RFC 5280 SubjectPublicKeyInfo structure containing an algorithm identifier and a key. A base64-encoded string.
- format String
The format of the public key. Currently, only PEM format is supported. Possible values are
KEY_TYPE_UNSPECIFIEDandPEM.- key String
Required. A public key. When this is specified in a request, the padding and encoding can be any of the options described by the respective 'KeyType' value. When this is generated by the service, it will always be an RFC 5280 SubjectPublicKeyInfo structure containing an algorithm identifier and a key. A base64-encoded string.
- format string
The format of the public key. Currently, only PEM format is supported. Possible values are
KEY_TYPE_UNSPECIFIEDandPEM.- key string
Required. A public key. When this is specified in a request, the padding and encoding can be any of the options described by the respective 'KeyType' value. When this is generated by the service, it will always be an RFC 5280 SubjectPublicKeyInfo structure containing an algorithm identifier and a key. A base64-encoded string.
- format str
The format of the public key. Currently, only PEM format is supported. Possible values are
KEY_TYPE_UNSPECIFIEDandPEM.- key str
Required. A public key. When this is specified in a request, the padding and encoding can be any of the options described by the respective 'KeyType' value. When this is generated by the service, it will always be an RFC 5280 SubjectPublicKeyInfo structure containing an algorithm identifier and a key. A base64-encoded string.
- format String
The format of the public key. Currently, only PEM format is supported. Possible values are
KEY_TYPE_UNSPECIFIEDandPEM.- key String
Required. A public key. When this is specified in a request, the padding and encoding can be any of the options described by the respective 'KeyType' value. When this is generated by the service, it will always be an RFC 5280 SubjectPublicKeyInfo structure containing an algorithm identifier and a key. A base64-encoded string.
CertificateCertificateDescriptionSubjectDescription
- Hex
Serial stringNumber (Output) The serial number encoded in lowercase hexadecimal.
- Lifetime string
The desired lifetime of the CA certificate. Used to create the "notBeforeTime" and "notAfterTime" fields inside an X.509 certificate. A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s".
- Not
After stringTime (Output) The time at which the certificate expires.
- Not
Before stringTime (Output) The time at which the certificate becomes valid.
- Subject
Alt List<CertificateNames Certificate Description Subject Description Subject Alt Name> The subject alternative name fields. Structure is documented below.
- Subjects
List<Certificate
Certificate Description Subject Description Subject> Contains distinguished name fields such as the location and organization. Structure is documented below.
- Hex
Serial stringNumber (Output) The serial number encoded in lowercase hexadecimal.
- Lifetime string
The desired lifetime of the CA certificate. Used to create the "notBeforeTime" and "notAfterTime" fields inside an X.509 certificate. A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s".
- Not
After stringTime (Output) The time at which the certificate expires.
- Not
Before stringTime (Output) The time at which the certificate becomes valid.
- Subject
Alt []CertificateNames Certificate Description Subject Description Subject Alt Name The subject alternative name fields. Structure is documented below.
- Subjects
[]Certificate
Certificate Description Subject Description Subject Contains distinguished name fields such as the location and organization. Structure is documented below.
- hex
Serial StringNumber (Output) The serial number encoded in lowercase hexadecimal.
- lifetime String
The desired lifetime of the CA certificate. Used to create the "notBeforeTime" and "notAfterTime" fields inside an X.509 certificate. A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s".
- not
After StringTime (Output) The time at which the certificate expires.
- not
Before StringTime (Output) The time at which the certificate becomes valid.
- subject
Alt List<CertificateNames Certificate Description Subject Description Subject Alt Name> The subject alternative name fields. Structure is documented below.
- subjects
List<Certificate
Certificate Description Subject Description Subject> Contains distinguished name fields such as the location and organization. Structure is documented below.
- hex
Serial stringNumber (Output) The serial number encoded in lowercase hexadecimal.
- lifetime string
The desired lifetime of the CA certificate. Used to create the "notBeforeTime" and "notAfterTime" fields inside an X.509 certificate. A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s".
- not
After stringTime (Output) The time at which the certificate expires.
- not
Before stringTime (Output) The time at which the certificate becomes valid.
- subject
Alt CertificateNames Certificate Description Subject Description Subject Alt Name[] The subject alternative name fields. Structure is documented below.
- subjects
Certificate
Certificate Description Subject Description Subject[] Contains distinguished name fields such as the location and organization. Structure is documented below.
- hex_
serial_ strnumber (Output) The serial number encoded in lowercase hexadecimal.
- lifetime str
The desired lifetime of the CA certificate. Used to create the "notBeforeTime" and "notAfterTime" fields inside an X.509 certificate. A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s".
- not_
after_ strtime (Output) The time at which the certificate expires.
- not_
before_ strtime (Output) The time at which the certificate becomes valid.
- subject_
alt_ Sequence[Certificatenames Certificate Description Subject Description Subject Alt Name] The subject alternative name fields. Structure is documented below.
- subjects
Sequence[Certificate
Certificate Description Subject Description Subject] Contains distinguished name fields such as the location and organization. Structure is documented below.
- hex
Serial StringNumber (Output) The serial number encoded in lowercase hexadecimal.
- lifetime String
The desired lifetime of the CA certificate. Used to create the "notBeforeTime" and "notAfterTime" fields inside an X.509 certificate. A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s".
- not
After StringTime (Output) The time at which the certificate expires.
- not
Before StringTime (Output) The time at which the certificate becomes valid.
- subject
Alt List<Property Map>Names The subject alternative name fields. Structure is documented below.
- subjects List<Property Map>
Contains distinguished name fields such as the location and organization. Structure is documented below.
CertificateCertificateDescriptionSubjectDescriptionSubject
- Common
Name string The common name of the distinguished name.
- Country
Code string The country code of the subject.
- Locality string
The locality or city of the subject.
- Organization string
The organization of the subject.
- Organizational
Unit string The organizational unit of the subject.
- Postal
Code string The postal code of the subject.
- Province string
The province, territory, or regional state of the subject.
- Street
Address string The street address of the subject.
- Common
Name string The common name of the distinguished name.
- Country
Code string The country code of the subject.
- Locality string
The locality or city of the subject.
- Organization string
The organization of the subject.
- Organizational
Unit string The organizational unit of the subject.
- Postal
Code string The postal code of the subject.
- Province string
The province, territory, or regional state of the subject.
- Street
Address string The street address of the subject.
- common
Name String The common name of the distinguished name.
- country
Code String The country code of the subject.
- locality String
The locality or city of the subject.
- organization String
The organization of the subject.
- organizational
Unit String The organizational unit of the subject.
- postal
Code String The postal code of the subject.
- province String
The province, territory, or regional state of the subject.
- street
Address String The street address of the subject.
- common
Name string The common name of the distinguished name.
- country
Code string The country code of the subject.
- locality string
The locality or city of the subject.
- organization string
The organization of the subject.
- organizational
Unit string The organizational unit of the subject.
- postal
Code string The postal code of the subject.
- province string
The province, territory, or regional state of the subject.
- street
Address string The street address of the subject.
- common_
name str The common name of the distinguished name.
- country_
code str The country code of the subject.
- locality str
The locality or city of the subject.
- organization str
The organization of the subject.
- organizational_
unit str The organizational unit of the subject.
- postal_
code str The postal code of the subject.
- province str
The province, territory, or regional state of the subject.
- street_
address str The street address of the subject.
- common
Name String The common name of the distinguished name.
- country
Code String The country code of the subject.
- locality String
The locality or city of the subject.
- organization String
The organization of the subject.
- organizational
Unit String The organizational unit of the subject.
- postal
Code String The postal code of the subject.
- province String
The province, territory, or regional state of the subject.
- street
Address String The street address of the subject.
CertificateCertificateDescriptionSubjectDescriptionSubjectAltName
- Custom
Sans List<CertificateCertificate Description Subject Description Subject Alt Name Custom San> (Output) Contains additional subject alternative name values. Structure is documented below.
- Dns
Names List<string> Contains only valid, fully-qualified host names.
- Email
Addresses List<string> Contains only valid RFC 2822 E-mail addresses.
- Ip
Addresses List<string> Contains only valid 32-bit IPv4 addresses or RFC 4291 IPv6 addresses.
- Uris List<string>
Contains only valid RFC 3986 URIs.
- Custom
Sans []CertificateCertificate Description Subject Description Subject Alt Name Custom San (Output) Contains additional subject alternative name values. Structure is documented below.
- Dns
Names []string Contains only valid, fully-qualified host names.
- Email
Addresses []string Contains only valid RFC 2822 E-mail addresses.
- Ip
Addresses []string Contains only valid 32-bit IPv4 addresses or RFC 4291 IPv6 addresses.
- Uris []string
Contains only valid RFC 3986 URIs.
- custom
Sans List<CertificateCertificate Description Subject Description Subject Alt Name Custom San> (Output) Contains additional subject alternative name values. Structure is documented below.
- dns
Names List<String> Contains only valid, fully-qualified host names.
- email
Addresses List<String> Contains only valid RFC 2822 E-mail addresses.
- ip
Addresses List<String> Contains only valid 32-bit IPv4 addresses or RFC 4291 IPv6 addresses.
- uris List<String>
Contains only valid RFC 3986 URIs.
- custom
Sans CertificateCertificate Description Subject Description Subject Alt Name Custom San[] (Output) Contains additional subject alternative name values. Structure is documented below.
- dns
Names string[] Contains only valid, fully-qualified host names.
- email
Addresses string[] Contains only valid RFC 2822 E-mail addresses.
- ip
Addresses string[] Contains only valid 32-bit IPv4 addresses or RFC 4291 IPv6 addresses.
- uris string[]
Contains only valid RFC 3986 URIs.
- custom_
sans Sequence[CertificateCertificate Description Subject Description Subject Alt Name Custom San] (Output) Contains additional subject alternative name values. Structure is documented below.
- dns_
names Sequence[str] Contains only valid, fully-qualified host names.
- email_
addresses Sequence[str] Contains only valid RFC 2822 E-mail addresses.
- ip_
addresses Sequence[str] Contains only valid 32-bit IPv4 addresses or RFC 4291 IPv6 addresses.
- uris Sequence[str]
Contains only valid RFC 3986 URIs.
- custom
Sans List<Property Map> (Output) Contains additional subject alternative name values. Structure is documented below.
- dns
Names List<String> Contains only valid, fully-qualified host names.
- email
Addresses List<String> Contains only valid RFC 2822 E-mail addresses.
- ip
Addresses List<String> Contains only valid 32-bit IPv4 addresses or RFC 4291 IPv6 addresses.
- uris List<String>
Contains only valid RFC 3986 URIs.
CertificateCertificateDescriptionSubjectDescriptionSubjectAltNameCustomSan
- Critical bool
Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error). (Required) Indicates whether or not the name constraints are marked critical.
- Obect
Ids List<CertificateCertificate Description Subject Description Subject Alt Name Custom San Obect Id> (Output) Required. Describes how some of the technical fields in a certificate should be populated. Structure is documented below.
- Value string
The value of this X.509 extension. A base64-encoded string.
- Critical bool
Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error). (Required) Indicates whether or not the name constraints are marked critical.
- Obect
Ids []CertificateCertificate Description Subject Description Subject Alt Name Custom San Obect Id (Output) Required. Describes how some of the technical fields in a certificate should be populated. Structure is documented below.
- Value string
The value of this X.509 extension. A base64-encoded string.
- critical Boolean
Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error). (Required) Indicates whether or not the name constraints are marked critical.
- obect
Ids List<CertificateCertificate Description Subject Description Subject Alt Name Custom San Obect Id> (Output) Required. Describes how some of the technical fields in a certificate should be populated. Structure is documented below.
- value String
The value of this X.509 extension. A base64-encoded string.
- critical boolean
Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error). (Required) Indicates whether or not the name constraints are marked critical.
- obect
Ids CertificateCertificate Description Subject Description Subject Alt Name Custom San Obect Id[] (Output) Required. Describes how some of the technical fields in a certificate should be populated. Structure is documented below.
- value string
The value of this X.509 extension. A base64-encoded string.
- critical bool
Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error). (Required) Indicates whether or not the name constraints are marked critical.
- obect_
ids Sequence[CertificateCertificate Description Subject Description Subject Alt Name Custom San Obect Id] (Output) Required. Describes how some of the technical fields in a certificate should be populated. Structure is documented below.
- value str
The value of this X.509 extension. A base64-encoded string.
- critical Boolean
Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error). (Required) Indicates whether or not the name constraints are marked critical.
- obect
Ids List<Property Map> (Output) Required. Describes how some of the technical fields in a certificate should be populated. Structure is documented below.
- value String
The value of this X.509 extension. A base64-encoded string.
CertificateCertificateDescriptionSubjectDescriptionSubjectAltNameCustomSanObectId
- Object
Id List<int>Paths An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. (Required) An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. (Required) An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
- Object
Id []intPaths An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. (Required) An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. (Required) An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
- object
Id List<Integer>Paths An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. (Required) An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. (Required) An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
- object
Id number[]Paths An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. (Required) An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. (Required) An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
- object_
id_ Sequence[int]paths An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. (Required) An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. (Required) An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
- object
Id List<Number>Paths An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. (Required) An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. (Required) An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
CertificateCertificateDescriptionSubjectKeyId
- Key
Id string (Output) Optional. The value of this KeyId encoded in lowercase hexadecimal. This is most likely the 160 bit SHA-1 hash of the public key.
- Key
Id string (Output) Optional. The value of this KeyId encoded in lowercase hexadecimal. This is most likely the 160 bit SHA-1 hash of the public key.
- key
Id String (Output) Optional. The value of this KeyId encoded in lowercase hexadecimal. This is most likely the 160 bit SHA-1 hash of the public key.
- key
Id string (Output) Optional. The value of this KeyId encoded in lowercase hexadecimal. This is most likely the 160 bit SHA-1 hash of the public key.
- key_
id str (Output) Optional. The value of this KeyId encoded in lowercase hexadecimal. This is most likely the 160 bit SHA-1 hash of the public key.
- key
Id String (Output) Optional. The value of this KeyId encoded in lowercase hexadecimal. This is most likely the 160 bit SHA-1 hash of the public key.
CertificateCertificateDescriptionX509Description
- Additional
Extensions List<CertificateCertificate Description X509Description Additional Extension> Specifies an X.509 extension, which may be used in different parts of X.509 objects like certificates, CSRs, and CRLs. Structure is documented below.
- Aia
Ocsp List<string>Servers Describes Online Certificate Status Protocol (OCSP) endpoint addresses that appear in the "Authority Information Access" extension in the certificate.
- Ca
Options List<CertificateCertificate Description X509Description Ca Option> Describes values that are relevant in a CA certificate. Structure is documented below.
- Key
Usages List<CertificateCertificate Description X509Description Key Usage> Indicates the intended use for keys that correspond to a certificate. Structure is documented below.
- Name
Constraints List<CertificateCertificate Description X509Description Name Constraint> Describes the X.509 name constraints extension. Structure is documented below.
- Policy
Ids List<CertificateCertificate Description X509Description Policy Id> Describes the X.509 certificate policy object identifiers, per https://tools.ietf.org/html/rfc5280#section-4.2.1.4. Structure is documented below.
- Additional
Extensions []CertificateCertificate Description X509Description Additional Extension Specifies an X.509 extension, which may be used in different parts of X.509 objects like certificates, CSRs, and CRLs. Structure is documented below.
- Aia
Ocsp []stringServers Describes Online Certificate Status Protocol (OCSP) endpoint addresses that appear in the "Authority Information Access" extension in the certificate.
- Ca
Options []CertificateCertificate Description X509Description Ca Option Describes values that are relevant in a CA certificate. Structure is documented below.
- Key
Usages []CertificateCertificate Description X509Description Key Usage Indicates the intended use for keys that correspond to a certificate. Structure is documented below.
- Name
Constraints []CertificateCertificate Description X509Description Name Constraint Describes the X.509 name constraints extension. Structure is documented below.
- Policy
Ids []CertificateCertificate Description X509Description Policy Id Describes the X.509 certificate policy object identifiers, per https://tools.ietf.org/html/rfc5280#section-4.2.1.4. Structure is documented below.
- additional
Extensions List<CertificateCertificate Description X509Description Additional Extension> Specifies an X.509 extension, which may be used in different parts of X.509 objects like certificates, CSRs, and CRLs. Structure is documented below.
- aia
Ocsp List<String>Servers Describes Online Certificate Status Protocol (OCSP) endpoint addresses that appear in the "Authority Information Access" extension in the certificate.
- ca
Options List<CertificateCertificate Description X509Description Ca Option> Describes values that are relevant in a CA certificate. Structure is documented below.
- key
Usages List<CertificateCertificate Description X509Description Key Usage> Indicates the intended use for keys that correspond to a certificate. Structure is documented below.
- name
Constraints List<CertificateCertificate Description X509Description Name Constraint> Describes the X.509 name constraints extension. Structure is documented below.
- policy
Ids List<CertificateCertificate Description X509Description Policy Id> Describes the X.509 certificate policy object identifiers, per https://tools.ietf.org/html/rfc5280#section-4.2.1.4. Structure is documented below.
- additional
Extensions CertificateCertificate Description X509Description Additional Extension[] Specifies an X.509 extension, which may be used in different parts of X.509 objects like certificates, CSRs, and CRLs. Structure is documented below.
- aia
Ocsp string[]Servers Describes Online Certificate Status Protocol (OCSP) endpoint addresses that appear in the "Authority Information Access" extension in the certificate.
- ca
Options CertificateCertificate Description X509Description Ca Option[] Describes values that are relevant in a CA certificate. Structure is documented below.
- key
Usages CertificateCertificate Description X509Description Key Usage[] Indicates the intended use for keys that correspond to a certificate. Structure is documented below.
- name
Constraints CertificateCertificate Description X509Description Name Constraint[] Describes the X.509 name constraints extension. Structure is documented below.
- policy
Ids CertificateCertificate Description X509Description Policy Id[] Describes the X.509 certificate policy object identifiers, per https://tools.ietf.org/html/rfc5280#section-4.2.1.4. Structure is documented below.
- additional_
extensions Sequence[CertificateCertificate Description X509Description Additional Extension] Specifies an X.509 extension, which may be used in different parts of X.509 objects like certificates, CSRs, and CRLs. Structure is documented below.
- aia_
ocsp_ Sequence[str]servers Describes Online Certificate Status Protocol (OCSP) endpoint addresses that appear in the "Authority Information Access" extension in the certificate.
- ca_
options Sequence[CertificateCertificate Description X509Description Ca Option] Describes values that are relevant in a CA certificate. Structure is documented below.
- key_
usages Sequence[CertificateCertificate Description X509Description Key Usage] Indicates the intended use for keys that correspond to a certificate. Structure is documented below.
- name_
constraints Sequence[CertificateCertificate Description X509Description Name Constraint] Describes the X.509 name constraints extension. Structure is documented below.
- policy_
ids Sequence[CertificateCertificate Description X509Description Policy Id] Describes the X.509 certificate policy object identifiers, per https://tools.ietf.org/html/rfc5280#section-4.2.1.4. Structure is documented below.
- additional
Extensions List<Property Map> Specifies an X.509 extension, which may be used in different parts of X.509 objects like certificates, CSRs, and CRLs. Structure is documented below.
- aia
Ocsp List<String>Servers Describes Online Certificate Status Protocol (OCSP) endpoint addresses that appear in the "Authority Information Access" extension in the certificate.
- ca
Options List<Property Map> Describes values that are relevant in a CA certificate. Structure is documented below.
- key
Usages List<Property Map> Indicates the intended use for keys that correspond to a certificate. Structure is documented below.
- name
Constraints List<Property Map> Describes the X.509 name constraints extension. Structure is documented below.
- policy
Ids List<Property Map> Describes the X.509 certificate policy object identifiers, per https://tools.ietf.org/html/rfc5280#section-4.2.1.4. Structure is documented below.
CertificateCertificateDescriptionX509DescriptionAdditionalExtension
- Critical bool
Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error).
- Object
Ids List<CertificateCertificate Description X509Description Additional Extension Object Id> Describes values that are relevant in a CA certificate. Structure is documented below.
- Value string
The value of this X.509 extension. A base64-encoded string.
- Critical bool
Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error).
- Object
Ids []CertificateCertificate Description X509Description Additional Extension Object Id Describes values that are relevant in a CA certificate. Structure is documented below.
- Value string
The value of this X.509 extension. A base64-encoded string.
- critical Boolean
Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error).
- object
Ids List<CertificateCertificate Description X509Description Additional Extension Object Id> Describes values that are relevant in a CA certificate. Structure is documented below.
- value String
The value of this X.509 extension. A base64-encoded string.
- critical boolean
Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error).
- object
Ids CertificateCertificate Description X509Description Additional Extension Object Id[] Describes values that are relevant in a CA certificate. Structure is documented below.
- value string
The value of this X.509 extension. A base64-encoded string.
- critical bool
Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error).
- object_
ids Sequence[CertificateCertificate Description X509Description Additional Extension Object Id] Describes values that are relevant in a CA certificate. Structure is documented below.
- value str
The value of this X.509 extension. A base64-encoded string.
- critical Boolean
Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error).
- object
Ids List<Property Map> Describes values that are relevant in a CA certificate. Structure is documented below.
- value String
The value of this X.509 extension. A base64-encoded string.
CertificateCertificateDescriptionX509DescriptionAdditionalExtensionObjectId
- Object
Id List<int>Paths An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
- Object
Id []intPaths An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
- object
Id List<Integer>Paths An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
- object
Id number[]Paths An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
- object_
id_ Sequence[int]paths An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
- object
Id List<Number>Paths An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
CertificateCertificateDescriptionX509DescriptionCaOption
- Is
Ca bool When true, the "CA" in Basic Constraints extension will be set to true.
- Max
Issuer intPath Length Refers to the "path length constraint" in Basic Constraints extension. For a CA certificate, this value describes the depth of subordinate CA certificates that are allowed. If this value is less than 0, the request will fail.
- Is
Ca bool When true, the "CA" in Basic Constraints extension will be set to true.
- Max
Issuer intPath Length Refers to the "path length constraint" in Basic Constraints extension. For a CA certificate, this value describes the depth of subordinate CA certificates that are allowed. If this value is less than 0, the request will fail.
- is
Ca Boolean When true, the "CA" in Basic Constraints extension will be set to true.
- max
Issuer IntegerPath Length Refers to the "path length constraint" in Basic Constraints extension. For a CA certificate, this value describes the depth of subordinate CA certificates that are allowed. If this value is less than 0, the request will fail.
- is
Ca boolean When true, the "CA" in Basic Constraints extension will be set to true.
- max
Issuer numberPath Length Refers to the "path length constraint" in Basic Constraints extension. For a CA certificate, this value describes the depth of subordinate CA certificates that are allowed. If this value is less than 0, the request will fail.
- is_
ca bool When true, the "CA" in Basic Constraints extension will be set to true.
- max_
issuer_ intpath_ length Refers to the "path length constraint" in Basic Constraints extension. For a CA certificate, this value describes the depth of subordinate CA certificates that are allowed. If this value is less than 0, the request will fail.
- is
Ca Boolean When true, the "CA" in Basic Constraints extension will be set to true.
- max
Issuer NumberPath Length Refers to the "path length constraint" in Basic Constraints extension. For a CA certificate, this value describes the depth of subordinate CA certificates that are allowed. If this value is less than 0, the request will fail.
CertificateCertificateDescriptionX509DescriptionKeyUsage
- Base
Key List<CertificateUsages Certificate Description X509Description Key Usage Base Key Usage> Describes high-level ways in which a key may be used. Structure is documented below.
- Extended
Key List<CertificateUsages Certificate Description X509Description Key Usage Extended Key Usage> Describes high-level ways in which a key may be used. Structure is documented below.
- Unknown
Extended List<CertificateKey Usages Certificate Description X509Description Key Usage Unknown Extended Key Usage> An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. Structure is documented below.
- Base
Key []CertificateUsages Certificate Description X509Description Key Usage Base Key Usage Describes high-level ways in which a key may be used. Structure is documented below.
- Extended
Key []CertificateUsages Certificate Description X509Description Key Usage Extended Key Usage Describes high-level ways in which a key may be used. Structure is documented below.
- Unknown
Extended []CertificateKey Usages Certificate Description X509Description Key Usage Unknown Extended Key Usage An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. Structure is documented below.
- base
Key List<CertificateUsages Certificate Description X509Description Key Usage Base Key Usage> Describes high-level ways in which a key may be used. Structure is documented below.
- extended
Key List<CertificateUsages Certificate Description X509Description Key Usage Extended Key Usage> Describes high-level ways in which a key may be used. Structure is documented below.
- unknown
Extended List<CertificateKey Usages Certificate Description X509Description Key Usage Unknown Extended Key Usage> An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. Structure is documented below.
- base
Key CertificateUsages Certificate Description X509Description Key Usage Base Key Usage[] Describes high-level ways in which a key may be used. Structure is documented below.
- extended
Key CertificateUsages Certificate Description X509Description Key Usage Extended Key Usage[] Describes high-level ways in which a key may be used. Structure is documented below.
- unknown
Extended CertificateKey Usages Certificate Description X509Description Key Usage Unknown Extended Key Usage[] An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. Structure is documented below.
- base_
key_ Sequence[Certificateusages Certificate Description X509Description Key Usage Base Key Usage] Describes high-level ways in which a key may be used. Structure is documented below.
- extended_
key_ Sequence[Certificateusages Certificate Description X509Description Key Usage Extended Key Usage] Describes high-level ways in which a key may be used. Structure is documented below.
- unknown_
extended_ Sequence[Certificatekey_ usages Certificate Description X509Description Key Usage Unknown Extended Key Usage] An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. Structure is documented below.
- base
Key List<Property Map>Usages Describes high-level ways in which a key may be used. Structure is documented below.
- extended
Key List<Property Map>Usages Describes high-level ways in which a key may be used. Structure is documented below.
- unknown
Extended List<Property Map>Key Usages An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. Structure is documented below.
CertificateCertificateDescriptionX509DescriptionKeyUsageBaseKeyUsage
- Cert
Sign bool The key may be used to sign certificates.
- Content
Commitment bool The key may be used for cryptographic commitments. Note that this may also be referred to as "non-repudiation".
- Crl
Sign bool The key may be used sign certificate revocation lists.
- Data
Encipherment bool The key may be used to encipher data.
- Decipher
Only bool The key may be used to decipher only.
- Digital
Signature bool The key may be used for digital signatures.
- Encipher
Only bool The key may be used to encipher only.
- Key
Agreement bool The key may be used in a key agreement protocol.
- Key
Encipherment bool The key may be used to encipher other keys.
- Cert
Sign bool The key may be used to sign certificates.
- Content
Commitment bool The key may be used for cryptographic commitments. Note that this may also be referred to as "non-repudiation".
- Crl
Sign bool The key may be used sign certificate revocation lists.
- Data
Encipherment bool The key may be used to encipher data.
- Decipher
Only bool The key may be used to decipher only.
- Digital
Signature bool The key may be used for digital signatures.
- Encipher
Only bool The key may be used to encipher only.
- Key
Agreement bool The key may be used in a key agreement protocol.
- Key
Encipherment bool The key may be used to encipher other keys.
- cert
Sign Boolean The key may be used to sign certificates.
- content
Commitment Boolean The key may be used for cryptographic commitments. Note that this may also be referred to as "non-repudiation".
- crl
Sign Boolean The key may be used sign certificate revocation lists.
- data
Encipherment Boolean The key may be used to encipher data.
- decipher
Only Boolean The key may be used to decipher only.
- digital
Signature Boolean The key may be used for digital signatures.
- encipher
Only Boolean The key may be used to encipher only.
- key
Agreement Boolean The key may be used in a key agreement protocol.
- key
Encipherment Boolean The key may be used to encipher other keys.
- cert
Sign boolean The key may be used to sign certificates.
- content
Commitment boolean The key may be used for cryptographic commitments. Note that this may also be referred to as "non-repudiation".
- crl
Sign boolean The key may be used sign certificate revocation lists.
- data
Encipherment boolean The key may be used to encipher data.
- decipher
Only boolean The key may be used to decipher only.
- digital
Signature boolean The key may be used for digital signatures.
- encipher
Only boolean The key may be used to encipher only.
- key
Agreement boolean The key may be used in a key agreement protocol.
- key
Encipherment boolean The key may be used to encipher other keys.
- cert_
sign bool The key may be used to sign certificates.
- content_
commitment bool The key may be used for cryptographic commitments. Note that this may also be referred to as "non-repudiation".
- crl_
sign bool The key may be used sign certificate revocation lists.
- data_
encipherment bool The key may be used to encipher data.
- decipher_
only bool The key may be used to decipher only.
- digital_
signature bool The key may be used for digital signatures.
- encipher_
only bool The key may be used to encipher only.
- key_
agreement bool The key may be used in a key agreement protocol.
- key_
encipherment bool The key may be used to encipher other keys.
- cert
Sign Boolean The key may be used to sign certificates.
- content
Commitment Boolean The key may be used for cryptographic commitments. Note that this may also be referred to as "non-repudiation".
- crl
Sign Boolean The key may be used sign certificate revocation lists.
- data
Encipherment Boolean The key may be used to encipher data.
- decipher
Only Boolean The key may be used to decipher only.
- digital
Signature Boolean The key may be used for digital signatures.
- encipher
Only Boolean The key may be used to encipher only.
- key
Agreement Boolean The key may be used in a key agreement protocol.
- key
Encipherment Boolean The key may be used to encipher other keys.
CertificateCertificateDescriptionX509DescriptionKeyUsageExtendedKeyUsage
- Client
Auth bool Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as "TLS WWW client authentication", though regularly used for non-WWW TLS.
- Code
Signing bool Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as "Signing of downloadable executable code client authentication".
- Email
Protection bool Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as "Email protection".
- Ocsp
Signing bool Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as "Signing OCSP responses".
- Server
Auth bool Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as "TLS WWW server authentication", though regularly used for non-WWW TLS.
- Time
Stamping bool Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as "Binding the hash of an object to a time".
- Client
Auth bool Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as "TLS WWW client authentication", though regularly used for non-WWW TLS.
- Code
Signing bool Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as "Signing of downloadable executable code client authentication".
- Email
Protection bool Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as "Email protection".
- Ocsp
Signing bool Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as "Signing OCSP responses".
- Server
Auth bool Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as "TLS WWW server authentication", though regularly used for non-WWW TLS.
- Time
Stamping bool Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as "Binding the hash of an object to a time".
- client
Auth Boolean Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as "TLS WWW client authentication", though regularly used for non-WWW TLS.
- code
Signing Boolean Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as "Signing of downloadable executable code client authentication".
- email
Protection Boolean Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as "Email protection".
- ocsp
Signing Boolean Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as "Signing OCSP responses".
- server
Auth Boolean Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as "TLS WWW server authentication", though regularly used for non-WWW TLS.
- time
Stamping Boolean Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as "Binding the hash of an object to a time".
- client
Auth boolean Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as "TLS WWW client authentication", though regularly used for non-WWW TLS.
- code
Signing boolean Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as "Signing of downloadable executable code client authentication".
- email
Protection boolean Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as "Email protection".
- ocsp
Signing boolean Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as "Signing OCSP responses".
- server
Auth boolean Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as "TLS WWW server authentication", though regularly used for non-WWW TLS.
- time
Stamping boolean Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as "Binding the hash of an object to a time".
- client_
auth bool Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as "TLS WWW client authentication", though regularly used for non-WWW TLS.
- code_
signing bool Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as "Signing of downloadable executable code client authentication".
- email_
protection bool Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as "Email protection".
- ocsp_
signing bool Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as "Signing OCSP responses".
- server_
auth bool Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as "TLS WWW server authentication", though regularly used for non-WWW TLS.
- time_
stamping bool Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as "Binding the hash of an object to a time".
- client
Auth Boolean Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as "TLS WWW client authentication", though regularly used for non-WWW TLS.
- code
Signing Boolean Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as "Signing of downloadable executable code client authentication".
- email
Protection Boolean Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as "Email protection".
- ocsp
Signing Boolean Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as "Signing OCSP responses".
- server
Auth Boolean Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as "TLS WWW server authentication", though regularly used for non-WWW TLS.
- time
Stamping Boolean Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as "Binding the hash of an object to a time".
CertificateCertificateDescriptionX509DescriptionKeyUsageUnknownExtendedKeyUsage
- Object
Id List<int>Paths An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
- Object
Id []intPaths An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
- object
Id List<Integer>Paths An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
- object
Id number[]Paths An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
- object_
id_ Sequence[int]paths An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
- object
Id List<Number>Paths An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
CertificateCertificateDescriptionX509DescriptionNameConstraint
- Critical bool
Indicates whether or not the name constraints are marked critical.
- Excluded
Dns List<string>Names Contains excluded DNS names. Any DNS name that can be constructed by simply adding zero or more labels to the left-hand side of the name satisfies the name constraint. For example,
example.com,www.example.com,www.sub.example.comwould satisfyexample.comwhileexample1.comdoes not.- Excluded
Email List<string>Addresses Contains the excluded email addresses. The value can be a particular email address, a hostname to indicate all email addresses on that host or a domain with a leading period (e.g.
.example.com) to indicate all email addresses in that domain.- Excluded
Ip List<string>Ranges Contains the excluded IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.
- Excluded
Uris List<string> Contains the excluded URIs that apply to the host part of the name. The value can be a hostname or a domain with a leading period (like
.example.com)- Permitted
Dns List<string>Names Contains permitted DNS names. Any DNS name that can be constructed by simply adding zero or more labels to the left-hand side of the name satisfies the name constraint. For example,
example.com,www.example.com,www.sub.example.comwould satisfyexample.comwhileexample1.comdoes not.- Permitted
Email List<string>Addresses Contains the permitted email addresses. The value can be a particular email address, a hostname to indicate all email addresses on that host or a domain with a leading period (e.g.
.example.com) to indicate all email addresses in that domain.- Permitted
Ip List<string>Ranges Contains the permitted IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.
- Permitted
Uris List<string> Contains the permitted URIs that apply to the host part of the name. The value can be a hostname or a domain with a leading period (like
.example.com)
- Critical bool
Indicates whether or not the name constraints are marked critical.
- Excluded
Dns []stringNames Contains excluded DNS names. Any DNS name that can be constructed by simply adding zero or more labels to the left-hand side of the name satisfies the name constraint. For example,
example.com,www.example.com,www.sub.example.comwould satisfyexample.comwhileexample1.comdoes not.- Excluded
Email []stringAddresses Contains the excluded email addresses. The value can be a particular email address, a hostname to indicate all email addresses on that host or a domain with a leading period (e.g.
.example.com) to indicate all email addresses in that domain.- Excluded
Ip []stringRanges Contains the excluded IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.
- Excluded
Uris []string Contains the excluded URIs that apply to the host part of the name. The value can be a hostname or a domain with a leading period (like
.example.com)- Permitted
Dns []stringNames Contains permitted DNS names. Any DNS name that can be constructed by simply adding zero or more labels to the left-hand side of the name satisfies the name constraint. For example,
example.com,www.example.com,www.sub.example.comwould satisfyexample.comwhileexample1.comdoes not.- Permitted
Email []stringAddresses Contains the permitted email addresses. The value can be a particular email address, a hostname to indicate all email addresses on that host or a domain with a leading period (e.g.
.example.com) to indicate all email addresses in that domain.- Permitted
Ip []stringRanges Contains the permitted IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.
- Permitted
Uris []string Contains the permitted URIs that apply to the host part of the name. The value can be a hostname or a domain with a leading period (like
.example.com)
- critical Boolean
Indicates whether or not the name constraints are marked critical.
- excluded
Dns List<String>Names Contains excluded DNS names. Any DNS name that can be constructed by simply adding zero or more labels to the left-hand side of the name satisfies the name constraint. For example,
example.com,www.example.com,www.sub.example.comwould satisfyexample.comwhileexample1.comdoes not.- excluded
Email List<String>Addresses Contains the excluded email addresses. The value can be a particular email address, a hostname to indicate all email addresses on that host or a domain with a leading period (e.g.
.example.com) to indicate all email addresses in that domain.- excluded
Ip List<String>Ranges Contains the excluded IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.
- excluded
Uris List<String> Contains the excluded URIs that apply to the host part of the name. The value can be a hostname or a domain with a leading period (like
.example.com)- permitted
Dns List<String>Names Contains permitted DNS names. Any DNS name that can be constructed by simply adding zero or more labels to the left-hand side of the name satisfies the name constraint. For example,
example.com,www.example.com,www.sub.example.comwould satisfyexample.comwhileexample1.comdoes not.- permitted
Email List<String>Addresses Contains the permitted email addresses. The value can be a particular email address, a hostname to indicate all email addresses on that host or a domain with a leading period (e.g.
.example.com) to indicate all email addresses in that domain.- permitted
Ip List<String>Ranges Contains the permitted IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.
- permitted
Uris List<String> Contains the permitted URIs that apply to the host part of the name. The value can be a hostname or a domain with a leading period (like
.example.com)
- critical boolean
Indicates whether or not the name constraints are marked critical.
- excluded
Dns string[]Names Contains excluded DNS names. Any DNS name that can be constructed by simply adding zero or more labels to the left-hand side of the name satisfies the name constraint. For example,
example.com,www.example.com,www.sub.example.comwould satisfyexample.comwhileexample1.comdoes not.- excluded
Email string[]Addresses Contains the excluded email addresses. The value can be a particular email address, a hostname to indicate all email addresses on that host or a domain with a leading period (e.g.
.example.com) to indicate all email addresses in that domain.- excluded
Ip string[]Ranges Contains the excluded IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.
- excluded
Uris string[] Contains the excluded URIs that apply to the host part of the name. The value can be a hostname or a domain with a leading period (like
.example.com)- permitted
Dns string[]Names Contains permitted DNS names. Any DNS name that can be constructed by simply adding zero or more labels to the left-hand side of the name satisfies the name constraint. For example,
example.com,www.example.com,www.sub.example.comwould satisfyexample.comwhileexample1.comdoes not.- permitted
Email string[]Addresses Contains the permitted email addresses. The value can be a particular email address, a hostname to indicate all email addresses on that host or a domain with a leading period (e.g.
.example.com) to indicate all email addresses in that domain.- permitted
Ip string[]Ranges Contains the permitted IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.
- permitted
Uris string[] Contains the permitted URIs that apply to the host part of the name. The value can be a hostname or a domain with a leading period (like
.example.com)
- critical bool
Indicates whether or not the name constraints are marked critical.
- excluded_
dns_ Sequence[str]names Contains excluded DNS names. Any DNS name that can be constructed by simply adding zero or more labels to the left-hand side of the name satisfies the name constraint. For example,
example.com,www.example.com,www.sub.example.comwould satisfyexample.comwhileexample1.comdoes not.- excluded_
email_ Sequence[str]addresses Contains the excluded email addresses. The value can be a particular email address, a hostname to indicate all email addresses on that host or a domain with a leading period (e.g.
.example.com) to indicate all email addresses in that domain.- excluded_
ip_ Sequence[str]ranges Contains the excluded IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.
- excluded_
uris Sequence[str] Contains the excluded URIs that apply to the host part of the name. The value can be a hostname or a domain with a leading period (like
.example.com)- permitted_
dns_ Sequence[str]names Contains permitted DNS names. Any DNS name that can be constructed by simply adding zero or more labels to the left-hand side of the name satisfies the name constraint. For example,
example.com,www.example.com,www.sub.example.comwould satisfyexample.comwhileexample1.comdoes not.- permitted_
email_ Sequence[str]addresses Contains the permitted email addresses. The value can be a particular email address, a hostname to indicate all email addresses on that host or a domain with a leading period (e.g.
.example.com) to indicate all email addresses in that domain.- permitted_
ip_ Sequence[str]ranges Contains the permitted IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.
- permitted_
uris Sequence[str] Contains the permitted URIs that apply to the host part of the name. The value can be a hostname or a domain with a leading period (like
.example.com)
- critical Boolean
Indicates whether or not the name constraints are marked critical.
- excluded
Dns List<String>Names Contains excluded DNS names. Any DNS name that can be constructed by simply adding zero or more labels to the left-hand side of the name satisfies the name constraint. For example,
example.com,www.example.com,www.sub.example.comwould satisfyexample.comwhileexample1.comdoes not.- excluded
Email List<String>Addresses Contains the excluded email addresses. The value can be a particular email address, a hostname to indicate all email addresses on that host or a domain with a leading period (e.g.
.example.com) to indicate all email addresses in that domain.- excluded
Ip List<String>Ranges Contains the excluded IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.
- excluded
Uris List<String> Contains the excluded URIs that apply to the host part of the name. The value can be a hostname or a domain with a leading period (like
.example.com)- permitted
Dns List<String>Names Contains permitted DNS names. Any DNS name that can be constructed by simply adding zero or more labels to the left-hand side of the name satisfies the name constraint. For example,
example.com,www.example.com,www.sub.example.comwould satisfyexample.comwhileexample1.comdoes not.- permitted
Email List<String>Addresses Contains the permitted email addresses. The value can be a particular email address, a hostname to indicate all email addresses on that host or a domain with a leading period (e.g.
.example.com) to indicate all email addresses in that domain.- permitted
Ip List<String>Ranges Contains the permitted IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.
- permitted
Uris List<String> Contains the permitted URIs that apply to the host part of the name. The value can be a hostname or a domain with a leading period (like
.example.com)
CertificateCertificateDescriptionX509DescriptionPolicyId
- Object
Id List<int>Paths An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
- Object
Id []intPaths An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
- object
Id List<Integer>Paths An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
- object
Id number[]Paths An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
- object_
id_ Sequence[int]paths An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
- object
Id List<Number>Paths An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
CertificateConfig
- Public
Key CertificateConfig Public Key A PublicKey describes a public key. Structure is documented below.
- Subject
Config CertificateConfig Subject Config Specifies some of the values in a certificate that are related to the subject. Structure is documented below.
- X509Config
Certificate
Config X509Config Describes how some of the technical X.509 fields in a certificate should be populated. Structure is documented below.
- Public
Key CertificateConfig Public Key A PublicKey describes a public key. Structure is documented below.
- Subject
Config CertificateConfig Subject Config Specifies some of the values in a certificate that are related to the subject. Structure is documented below.
- X509Config
Certificate
Config X509Config Describes how some of the technical X.509 fields in a certificate should be populated. Structure is documented below.
- public
Key CertificateConfig Public Key A PublicKey describes a public key. Structure is documented below.
- subject
Config CertificateConfig Subject Config Specifies some of the values in a certificate that are related to the subject. Structure is documented below.
- x509Config
Certificate
Config X509Config Describes how some of the technical X.509 fields in a certificate should be populated. Structure is documented below.
- public
Key CertificateConfig Public Key A PublicKey describes a public key. Structure is documented below.
- subject
Config CertificateConfig Subject Config Specifies some of the values in a certificate that are related to the subject. Structure is documented below.
- x509Config
Certificate
Config X509Config Describes how some of the technical X.509 fields in a certificate should be populated. Structure is documented below.
- public_
key CertificateConfig Public Key A PublicKey describes a public key. Structure is documented below.
- subject_
config CertificateConfig Subject Config Specifies some of the values in a certificate that are related to the subject. Structure is documented below.
- x509_
config CertificateConfig X509Config Describes how some of the technical X.509 fields in a certificate should be populated. Structure is documented below.
- public
Key Property Map A PublicKey describes a public key. Structure is documented below.
- subject
Config Property Map Specifies some of the values in a certificate that are related to the subject. Structure is documented below.
- x509Config Property Map
Describes how some of the technical X.509 fields in a certificate should be populated. Structure is documented below.
CertificateConfigPublicKey
- Format string
The format of the public key. Currently, only PEM format is supported. Possible values are
KEY_TYPE_UNSPECIFIEDandPEM.- Key string
Required. A public key. When this is specified in a request, the padding and encoding can be any of the options described by the respective 'KeyType' value. When this is generated by the service, it will always be an RFC 5280 SubjectPublicKeyInfo structure containing an algorithm identifier and a key. A base64-encoded string.
- Format string
The format of the public key. Currently, only PEM format is supported. Possible values are
KEY_TYPE_UNSPECIFIEDandPEM.- Key string
Required. A public key. When this is specified in a request, the padding and encoding can be any of the options described by the respective 'KeyType' value. When this is generated by the service, it will always be an RFC 5280 SubjectPublicKeyInfo structure containing an algorithm identifier and a key. A base64-encoded string.
- format String
The format of the public key. Currently, only PEM format is supported. Possible values are
KEY_TYPE_UNSPECIFIEDandPEM.- key String
Required. A public key. When this is specified in a request, the padding and encoding can be any of the options described by the respective 'KeyType' value. When this is generated by the service, it will always be an RFC 5280 SubjectPublicKeyInfo structure containing an algorithm identifier and a key. A base64-encoded string.
- format string
The format of the public key. Currently, only PEM format is supported. Possible values are
KEY_TYPE_UNSPECIFIEDandPEM.- key string
Required. A public key. When this is specified in a request, the padding and encoding can be any of the options described by the respective 'KeyType' value. When this is generated by the service, it will always be an RFC 5280 SubjectPublicKeyInfo structure containing an algorithm identifier and a key. A base64-encoded string.
- format str
The format of the public key. Currently, only PEM format is supported. Possible values are
KEY_TYPE_UNSPECIFIEDandPEM.- key str
Required. A public key. When this is specified in a request, the padding and encoding can be any of the options described by the respective 'KeyType' value. When this is generated by the service, it will always be an RFC 5280 SubjectPublicKeyInfo structure containing an algorithm identifier and a key. A base64-encoded string.
- format String
The format of the public key. Currently, only PEM format is supported. Possible values are
KEY_TYPE_UNSPECIFIEDandPEM.- key String
Required. A public key. When this is specified in a request, the padding and encoding can be any of the options described by the respective 'KeyType' value. When this is generated by the service, it will always be an RFC 5280 SubjectPublicKeyInfo structure containing an algorithm identifier and a key. A base64-encoded string.
CertificateConfigSubjectConfig
- Subject
Certificate
Config Subject Config Subject Contains distinguished name fields such as the location and organization. Structure is documented below.
- Subject
Alt CertificateName Config Subject Config Subject Alt Name The subject alternative name fields. Structure is documented below.
- Subject
Certificate
Config Subject Config Subject Contains distinguished name fields such as the location and organization. Structure is documented below.
- Subject
Alt CertificateName Config Subject Config Subject Alt Name The subject alternative name fields. Structure is documented below.
- subject
Certificate
Config Subject Config Subject Contains distinguished name fields such as the location and organization. Structure is documented below.
- subject
Alt CertificateName Config Subject Config Subject Alt Name The subject alternative name fields. Structure is documented below.
- subject
Certificate
Config Subject Config Subject Contains distinguished name fields such as the location and organization. Structure is documented below.
- subject
Alt CertificateName Config Subject Config Subject Alt Name The subject alternative name fields. Structure is documented below.
- subject
Certificate
Config Subject Config Subject Contains distinguished name fields such as the location and organization. Structure is documented below.
- subject_
alt_ Certificatename Config Subject Config Subject Alt Name The subject alternative name fields. Structure is documented below.
- subject Property Map
Contains distinguished name fields such as the location and organization. Structure is documented below.
- subject
Alt Property MapName The subject alternative name fields. Structure is documented below.
CertificateConfigSubjectConfigSubject
- Common
Name string The common name of the distinguished name.
- Organization string
The organization of the subject.
- Country
Code string The country code of the subject.
- Locality string
The locality or city of the subject.
- Organizational
Unit string The organizational unit of the subject.
- Postal
Code string The postal code of the subject.
- Province string
The province, territory, or regional state of the subject.
- Street
Address string The street address of the subject.
- Common
Name string The common name of the distinguished name.
- Organization string
The organization of the subject.
- Country
Code string The country code of the subject.
- Locality string
The locality or city of the subject.
- Organizational
Unit string The organizational unit of the subject.
- Postal
Code string The postal code of the subject.
- Province string
The province, territory, or regional state of the subject.
- Street
Address string The street address of the subject.
- common
Name String The common name of the distinguished name.
- organization String
The organization of the subject.
- country
Code String The country code of the subject.
- locality String
The locality or city of the subject.
- organizational
Unit String The organizational unit of the subject.
- postal
Code String The postal code of the subject.
- province String
The province, territory, or regional state of the subject.
- street
Address String The street address of the subject.
- common
Name string The common name of the distinguished name.
- organization string
The organization of the subject.
- country
Code string The country code of the subject.
- locality string
The locality or city of the subject.
- organizational
Unit string The organizational unit of the subject.
- postal
Code string The postal code of the subject.
- province string
The province, territory, or regional state of the subject.
- street
Address string The street address of the subject.
- common_
name str The common name of the distinguished name.
- organization str
The organization of the subject.
- country_
code str The country code of the subject.
- locality str
The locality or city of the subject.
- organizational_
unit str The organizational unit of the subject.
- postal_
code str The postal code of the subject.
- province str
The province, territory, or regional state of the subject.
- street_
address str The street address of the subject.
- common
Name String The common name of the distinguished name.
- organization String
The organization of the subject.
- country
Code String The country code of the subject.
- locality String
The locality or city of the subject.
- organizational
Unit String The organizational unit of the subject.
- postal
Code String The postal code of the subject.
- province String
The province, territory, or regional state of the subject.
- street
Address String The street address of the subject.
CertificateConfigSubjectConfigSubjectAltName
- Dns
Names List<string> Contains only valid, fully-qualified host names.
- Email
Addresses List<string> Contains only valid RFC 2822 E-mail addresses.
- Ip
Addresses List<string> Contains only valid 32-bit IPv4 addresses or RFC 4291 IPv6 addresses.
- Uris List<string>
Contains only valid RFC 3986 URIs.
- Dns
Names []string Contains only valid, fully-qualified host names.
- Email
Addresses []string Contains only valid RFC 2822 E-mail addresses.
- Ip
Addresses []string Contains only valid 32-bit IPv4 addresses or RFC 4291 IPv6 addresses.
- Uris []string
Contains only valid RFC 3986 URIs.
- dns
Names List<String> Contains only valid, fully-qualified host names.
- email
Addresses List<String> Contains only valid RFC 2822 E-mail addresses.
- ip
Addresses List<String> Contains only valid 32-bit IPv4 addresses or RFC 4291 IPv6 addresses.
- uris List<String>
Contains only valid RFC 3986 URIs.
- dns
Names string[] Contains only valid, fully-qualified host names.
- email
Addresses string[] Contains only valid RFC 2822 E-mail addresses.
- ip
Addresses string[] Contains only valid 32-bit IPv4 addresses or RFC 4291 IPv6 addresses.
- uris string[]
Contains only valid RFC 3986 URIs.
- dns_
names Sequence[str] Contains only valid, fully-qualified host names.
- email_
addresses Sequence[str] Contains only valid RFC 2822 E-mail addresses.
- ip_
addresses Sequence[str] Contains only valid 32-bit IPv4 addresses or RFC 4291 IPv6 addresses.
- uris Sequence[str]
Contains only valid RFC 3986 URIs.
- dns
Names List<String> Contains only valid, fully-qualified host names.
- email
Addresses List<String> Contains only valid RFC 2822 E-mail addresses.
- ip
Addresses List<String> Contains only valid 32-bit IPv4 addresses or RFC 4291 IPv6 addresses.
- uris List<String>
Contains only valid RFC 3986 URIs.
CertificateConfigX509Config
- Key
Usage CertificateConfig X509Config Key Usage Indicates the intended use for keys that correspond to a certificate. Structure is documented below.
- Additional
Extensions List<CertificateConfig X509Config Additional Extension> Specifies an X.509 extension, which may be used in different parts of X.509 objects like certificates, CSRs, and CRLs. Structure is documented below.
- Aia
Ocsp List<string>Servers Describes Online Certificate Status Protocol (OCSP) endpoint addresses that appear in the "Authority Information Access" extension in the certificate.
- Ca
Options CertificateConfig X509Config Ca Options Describes values that are relevant in a CA certificate. Structure is documented below.
- Name
Constraints CertificateConfig X509Config Name Constraints Describes the X.509 name constraints extension. Structure is documented below.
- Policy
Ids List<CertificateConfig X509Config Policy Id> Describes the X.509 certificate policy object identifiers, per https://tools.ietf.org/html/rfc5280#section-4.2.1.4. Structure is documented below.
- Key
Usage CertificateConfig X509Config Key Usage Indicates the intended use for keys that correspond to a certificate. Structure is documented below.
- Additional
Extensions []CertificateConfig X509Config Additional Extension Specifies an X.509 extension, which may be used in different parts of X.509 objects like certificates, CSRs, and CRLs. Structure is documented below.
- Aia
Ocsp []stringServers Describes Online Certificate Status Protocol (OCSP) endpoint addresses that appear in the "Authority Information Access" extension in the certificate.
- Ca
Options CertificateConfig X509Config Ca Options Describes values that are relevant in a CA certificate. Structure is documented below.
- Name
Constraints CertificateConfig X509Config Name Constraints Describes the X.509 name constraints extension. Structure is documented below.
- Policy
Ids []CertificateConfig X509Config Policy Id Describes the X.509 certificate policy object identifiers, per https://tools.ietf.org/html/rfc5280#section-4.2.1.4. Structure is documented below.
- key
Usage CertificateConfig X509Config Key Usage Indicates the intended use for keys that correspond to a certificate. Structure is documented below.
- additional
Extensions List<CertificateConfig X509Config Additional Extension> Specifies an X.509 extension, which may be used in different parts of X.509 objects like certificates, CSRs, and CRLs. Structure is documented below.
- aia
Ocsp List<String>Servers Describes Online Certificate Status Protocol (OCSP) endpoint addresses that appear in the "Authority Information Access" extension in the certificate.
- ca
Options CertificateConfig X509Config Ca Options Describes values that are relevant in a CA certificate. Structure is documented below.
- name
Constraints CertificateConfig X509Config Name Constraints Describes the X.509 name constraints extension. Structure is documented below.
- policy
Ids List<CertificateConfig X509Config Policy Id> Describes the X.509 certificate policy object identifiers, per https://tools.ietf.org/html/rfc5280#section-4.2.1.4. Structure is documented below.
- key
Usage CertificateConfig X509Config Key Usage Indicates the intended use for keys that correspond to a certificate. Structure is documented below.
- additional
Extensions CertificateConfig X509Config Additional Extension[] Specifies an X.509 extension, which may be used in different parts of X.509 objects like certificates, CSRs, and CRLs. Structure is documented below.
- aia
Ocsp string[]Servers Describes Online Certificate Status Protocol (OCSP) endpoint addresses that appear in the "Authority Information Access" extension in the certificate.
- ca
Options CertificateConfig X509Config Ca Options Describes values that are relevant in a CA certificate. Structure is documented below.
- name
Constraints CertificateConfig X509Config Name Constraints Describes the X.509 name constraints extension. Structure is documented below.
- policy
Ids CertificateConfig X509Config Policy Id[] Describes the X.509 certificate policy object identifiers, per https://tools.ietf.org/html/rfc5280#section-4.2.1.4. Structure is documented below.
- key_
usage CertificateConfig X509Config Key Usage Indicates the intended use for keys that correspond to a certificate. Structure is documented below.
- additional_
extensions Sequence[CertificateConfig X509Config Additional Extension] Specifies an X.509 extension, which may be used in different parts of X.509 objects like certificates, CSRs, and CRLs. Structure is documented below.
- aia_
ocsp_ Sequence[str]servers Describes Online Certificate Status Protocol (OCSP) endpoint addresses that appear in the "Authority Information Access" extension in the certificate.
- ca_
options CertificateConfig X509Config Ca Options Describes values that are relevant in a CA certificate. Structure is documented below.
- name_
constraints CertificateConfig X509Config Name Constraints Describes the X.509 name constraints extension. Structure is documented below.
- policy_
ids Sequence[CertificateConfig X509Config Policy Id] Describes the X.509 certificate policy object identifiers, per https://tools.ietf.org/html/rfc5280#section-4.2.1.4. Structure is documented below.
- key
Usage Property Map Indicates the intended use for keys that correspond to a certificate. Structure is documented below.
- additional
Extensions List<Property Map> Specifies an X.509 extension, which may be used in different parts of X.509 objects like certificates, CSRs, and CRLs. Structure is documented below.
- aia
Ocsp List<String>Servers Describes Online Certificate Status Protocol (OCSP) endpoint addresses that appear in the "Authority Information Access" extension in the certificate.
- ca
Options Property Map Describes values that are relevant in a CA certificate. Structure is documented below.
- name
Constraints Property Map Describes the X.509 name constraints extension. Structure is documented below.
- policy
Ids List<Property Map> Describes the X.509 certificate policy object identifiers, per https://tools.ietf.org/html/rfc5280#section-4.2.1.4. Structure is documented below.
CertificateConfigX509ConfigAdditionalExtension
- Critical bool
Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error).
- Object
Id CertificateConfig X509Config Additional Extension Object Id Describes values that are relevant in a CA certificate. Structure is documented below.
- Value string
The value of this X.509 extension. A base64-encoded string.
- Critical bool
Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error).
- Object
Id CertificateConfig X509Config Additional Extension Object Id Describes values that are relevant in a CA certificate. Structure is documented below.
- Value string
The value of this X.509 extension. A base64-encoded string.
- critical Boolean
Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error).
- object
Id CertificateConfig X509Config Additional Extension Object Id Describes values that are relevant in a CA certificate. Structure is documented below.
- value String
The value of this X.509 extension. A base64-encoded string.
- critical boolean
Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error).
- object
Id CertificateConfig X509Config Additional Extension Object Id Describes values that are relevant in a CA certificate. Structure is documented below.
- value string
The value of this X.509 extension. A base64-encoded string.
- critical bool
Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error).
- object_
id CertificateConfig X509Config Additional Extension Object Id Describes values that are relevant in a CA certificate. Structure is documented below.
- value str
The value of this X.509 extension. A base64-encoded string.
- critical Boolean
Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error).
- object
Id Property Map Describes values that are relevant in a CA certificate. Structure is documented below.
- value String
The value of this X.509 extension. A base64-encoded string.
CertificateConfigX509ConfigAdditionalExtensionObjectId
- Object
Id List<int>Paths An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
- Object
Id []intPaths An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
- object
Id List<Integer>Paths An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
- object
Id number[]Paths An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
- object_
id_ Sequence[int]paths An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
- object
Id List<Number>Paths An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
CertificateConfigX509ConfigCaOptions
- Is
Ca bool When true, the "CA" in Basic Constraints extension will be set to true.
- Max
Issuer intPath Length Refers to the "path length constraint" in Basic Constraints extension. For a CA certificate, this value describes the depth of subordinate CA certificates that are allowed. If this value is less than 0, the request will fail.
- Non
Ca bool When true, the "CA" in Basic Constraints extension will be set to false. If both
is_caandnon_caare unset, the extension will be omitted from the CA certificate.- Zero
Max boolIssuer Path Length When true, the "path length constraint" in Basic Constraints extension will be set to 0. if both
max_issuer_path_lengthandzero_max_issuer_path_lengthare unset, the max path length will be omitted from the CA certificate.
- Is
Ca bool When true, the "CA" in Basic Constraints extension will be set to true.
- Max
Issuer intPath Length Refers to the "path length constraint" in Basic Constraints extension. For a CA certificate, this value describes the depth of subordinate CA certificates that are allowed. If this value is less than 0, the request will fail.
- Non
Ca bool When true, the "CA" in Basic Constraints extension will be set to false. If both
is_caandnon_caare unset, the extension will be omitted from the CA certificate.- Zero
Max boolIssuer Path Length When true, the "path length constraint" in Basic Constraints extension will be set to 0. if both
max_issuer_path_lengthandzero_max_issuer_path_lengthare unset, the max path length will be omitted from the CA certificate.
- is
Ca Boolean When true, the "CA" in Basic Constraints extension will be set to true.
- max
Issuer IntegerPath Length Refers to the "path length constraint" in Basic Constraints extension. For a CA certificate, this value describes the depth of subordinate CA certificates that are allowed. If this value is less than 0, the request will fail.
- non
Ca Boolean When true, the "CA" in Basic Constraints extension will be set to false. If both
is_caandnon_caare unset, the extension will be omitted from the CA certificate.- zero
Max BooleanIssuer Path Length When true, the "path length constraint" in Basic Constraints extension will be set to 0. if both
max_issuer_path_lengthandzero_max_issuer_path_lengthare unset, the max path length will be omitted from the CA certificate.
- is
Ca boolean When true, the "CA" in Basic Constraints extension will be set to true.
- max
Issuer numberPath Length Refers to the "path length constraint" in Basic Constraints extension. For a CA certificate, this value describes the depth of subordinate CA certificates that are allowed. If this value is less than 0, the request will fail.
- non
Ca boolean When true, the "CA" in Basic Constraints extension will be set to false. If both
is_caandnon_caare unset, the extension will be omitted from the CA certificate.- zero
Max booleanIssuer Path Length When true, the "path length constraint" in Basic Constraints extension will be set to 0. if both
max_issuer_path_lengthandzero_max_issuer_path_lengthare unset, the max path length will be omitted from the CA certificate.
- is_
ca bool When true, the "CA" in Basic Constraints extension will be set to true.
- max_
issuer_ intpath_ length Refers to the "path length constraint" in Basic Constraints extension. For a CA certificate, this value describes the depth of subordinate CA certificates that are allowed. If this value is less than 0, the request will fail.
- non_
ca bool When true, the "CA" in Basic Constraints extension will be set to false. If both
is_caandnon_caare unset, the extension will be omitted from the CA certificate.- zero_
max_ boolissuer_ path_ length When true, the "path length constraint" in Basic Constraints extension will be set to 0. if both
max_issuer_path_lengthandzero_max_issuer_path_lengthare unset, the max path length will be omitted from the CA certificate.
- is
Ca Boolean When true, the "CA" in Basic Constraints extension will be set to true.
- max
Issuer NumberPath Length Refers to the "path length constraint" in Basic Constraints extension. For a CA certificate, this value describes the depth of subordinate CA certificates that are allowed. If this value is less than 0, the request will fail.
- non
Ca Boolean When true, the "CA" in Basic Constraints extension will be set to false. If both
is_caandnon_caare unset, the extension will be omitted from the CA certificate.- zero
Max BooleanIssuer Path Length When true, the "path length constraint" in Basic Constraints extension will be set to 0. if both
max_issuer_path_lengthandzero_max_issuer_path_lengthare unset, the max path length will be omitted from the CA certificate.
CertificateConfigX509ConfigKeyUsage
- Base
Key CertificateUsage Config X509Config Key Usage Base Key Usage Describes high-level ways in which a key may be used. Structure is documented below.
- Extended
Key CertificateUsage Config X509Config Key Usage Extended Key Usage Describes high-level ways in which a key may be used. Structure is documented below.
- Unknown
Extended List<CertificateKey Usages Config X509Config Key Usage Unknown Extended Key Usage> An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. Structure is documented below.
- Base
Key CertificateUsage Config X509Config Key Usage Base Key Usage Describes high-level ways in which a key may be used. Structure is documented below.
- Extended
Key CertificateUsage Config X509Config Key Usage Extended Key Usage Describes high-level ways in which a key may be used. Structure is documented below.
- Unknown
Extended []CertificateKey Usages Config X509Config Key Usage Unknown Extended Key Usage An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. Structure is documented below.
- base
Key CertificateUsage Config X509Config Key Usage Base Key Usage Describes high-level ways in which a key may be used. Structure is documented below.
- extended
Key CertificateUsage Config X509Config Key Usage Extended Key Usage Describes high-level ways in which a key may be used. Structure is documented below.
- unknown
Extended List<CertificateKey Usages Config X509Config Key Usage Unknown Extended Key Usage> An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. Structure is documented below.
- base
Key CertificateUsage Config X509Config Key Usage Base Key Usage Describes high-level ways in which a key may be used. Structure is documented below.
- extended
Key CertificateUsage Config X509Config Key Usage Extended Key Usage Describes high-level ways in which a key may be used. Structure is documented below.
- unknown
Extended CertificateKey Usages Config X509Config Key Usage Unknown Extended Key Usage[] An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. Structure is documented below.
- base_
key_ Certificateusage Config X509Config Key Usage Base Key Usage Describes high-level ways in which a key may be used. Structure is documented below.
- extended_
key_ Certificateusage Config X509Config Key Usage Extended Key Usage Describes high-level ways in which a key may be used. Structure is documented below.
- unknown_
extended_ Sequence[Certificatekey_ usages Config X509Config Key Usage Unknown Extended Key Usage] An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. Structure is documented below.
- base
Key Property MapUsage Describes high-level ways in which a key may be used. Structure is documented below.
- extended
Key Property MapUsage Describes high-level ways in which a key may be used. Structure is documented below.
- unknown
Extended List<Property Map>Key Usages An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. Structure is documented below.
CertificateConfigX509ConfigKeyUsageBaseKeyUsage
- Cert
Sign bool The key may be used to sign certificates.
- Content
Commitment bool The key may be used for cryptographic commitments. Note that this may also be referred to as "non-repudiation".
- Crl
Sign bool The key may be used sign certificate revocation lists.
- Data
Encipherment bool The key may be used to encipher data.
- Decipher
Only bool The key may be used to decipher only.
- Digital
Signature bool The key may be used for digital signatures.
- Encipher
Only bool The key may be used to encipher only.
- Key
Agreement bool The key may be used in a key agreement protocol.
- Key
Encipherment bool The key may be used to encipher other keys.
- Cert
Sign bool The key may be used to sign certificates.
- Content
Commitment bool The key may be used for cryptographic commitments. Note that this may also be referred to as "non-repudiation".
- Crl
Sign bool The key may be used sign certificate revocation lists.
- Data
Encipherment bool The key may be used to encipher data.
- Decipher
Only bool The key may be used to decipher only.
- Digital
Signature bool The key may be used for digital signatures.
- Encipher
Only bool The key may be used to encipher only.
- Key
Agreement bool The key may be used in a key agreement protocol.
- Key
Encipherment bool The key may be used to encipher other keys.
- cert
Sign Boolean The key may be used to sign certificates.
- content
Commitment Boolean The key may be used for cryptographic commitments. Note that this may also be referred to as "non-repudiation".
- crl
Sign Boolean The key may be used sign certificate revocation lists.
- data
Encipherment Boolean The key may be used to encipher data.
- decipher
Only Boolean The key may be used to decipher only.
- digital
Signature Boolean The key may be used for digital signatures.
- encipher
Only Boolean The key may be used to encipher only.
- key
Agreement Boolean The key may be used in a key agreement protocol.
- key
Encipherment Boolean The key may be used to encipher other keys.
- cert
Sign boolean The key may be used to sign certificates.
- content
Commitment boolean The key may be used for cryptographic commitments. Note that this may also be referred to as "non-repudiation".
- crl
Sign boolean The key may be used sign certificate revocation lists.
- data
Encipherment boolean The key may be used to encipher data.
- decipher
Only boolean The key may be used to decipher only.
- digital
Signature boolean The key may be used for digital signatures.
- encipher
Only boolean The key may be used to encipher only.
- key
Agreement boolean The key may be used in a key agreement protocol.
- key
Encipherment boolean The key may be used to encipher other keys.
- cert_
sign bool The key may be used to sign certificates.
- content_
commitment bool The key may be used for cryptographic commitments. Note that this may also be referred to as "non-repudiation".
- crl_
sign bool The key may be used sign certificate revocation lists.
- data_
encipherment bool The key may be used to encipher data.
- decipher_
only bool The key may be used to decipher only.
- digital_
signature bool The key may be used for digital signatures.
- encipher_
only bool The key may be used to encipher only.
- key_
agreement bool The key may be used in a key agreement protocol.
- key_
encipherment bool The key may be used to encipher other keys.
- cert
Sign Boolean The key may be used to sign certificates.
- content
Commitment Boolean The key may be used for cryptographic commitments. Note that this may also be referred to as "non-repudiation".
- crl
Sign Boolean The key may be used sign certificate revocation lists.
- data
Encipherment Boolean The key may be used to encipher data.
- decipher
Only Boolean The key may be used to decipher only.
- digital
Signature Boolean The key may be used for digital signatures.
- encipher
Only Boolean The key may be used to encipher only.
- key
Agreement Boolean The key may be used in a key agreement protocol.
- key
Encipherment Boolean The key may be used to encipher other keys.
CertificateConfigX509ConfigKeyUsageExtendedKeyUsage
- Client
Auth bool Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as "TLS WWW client authentication", though regularly used for non-WWW TLS.
- Code
Signing bool Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as "Signing of downloadable executable code client authentication".
- Email
Protection bool Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as "Email protection".
- Ocsp
Signing bool Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as "Signing OCSP responses".
- Server
Auth bool Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as "TLS WWW server authentication", though regularly used for non-WWW TLS.
- Time
Stamping bool Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as "Binding the hash of an object to a time".
- Client
Auth bool Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as "TLS WWW client authentication", though regularly used for non-WWW TLS.
- Code
Signing bool Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as "Signing of downloadable executable code client authentication".
- Email
Protection bool Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as "Email protection".
- Ocsp
Signing bool Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as "Signing OCSP responses".
- Server
Auth