gcp.certificateauthority.Certificate

A Certificate corresponds to a signed X.509 certificate issued by a Certificate Authority.

Note: The Certificate Authority that is referenced by this resource must have tier = "ENTERPRISE" (in the examples below the tier is set on the CA pool that holds the authority).

Example Usage

Privateca Certificate Config

using System;
using System.Collections.Generic;
using System.IO;
using Pulumi;
using Gcp = Pulumi.Gcp;

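	/// <summary>
	/// Reads the file at <paramref name="path"/> and returns its raw bytes as a base64 string.
	/// </summary>
	/// <param name="path">Path of the file to encode, e.g. a PEM public key.</param>
	/// <returns>The base64 encoding of the file's bytes.</returns>
	/// <remarks>
	/// The bytes are encoded exactly as stored on disk. Going through
	/// File.ReadAllText and re-encoding as UTF-8 would drop a byte-order mark and
	/// depends on text decoding, so the encoded value could differ from the file.
	/// </remarks>
	private static string ReadFileBase64(string path) {
		return Convert.ToBase64String(File.ReadAllBytes(path));
	}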

// Provisions an ENTERPRISE-tier CA pool, a certificate authority inside that pool,
// and one certificate issued by that authority from an inline config plus a public
// key read from a local file.
return await Deployment.RunAsync(() => 
{
    var defaultCaPool = new Gcp.CertificateAuthority.CaPool("defaultCaPool", new()
    {
        Location = "us-central1",
        Tier = "ENTERPRISE",
    });

    var defaultAuthority = new Gcp.CertificateAuthority.Authority("defaultAuthority", new()
    {
        Location = "us-central1",
        Pool = defaultCaPool.Name,
        CertificateAuthorityId = "my-authority",
        Config = new Gcp.CertificateAuthority.Inputs.AuthorityConfigArgs
        {
            SubjectConfig = new Gcp.CertificateAuthority.Inputs.AuthorityConfigSubjectConfigArgs
            {
                // Sample subject values; replace with the issuing organization's own names.
                Subject = new Gcp.CertificateAuthority.Inputs.AuthorityConfigSubjectConfigSubjectArgs
                {
                    Organization = "HashiCorp",
                    CommonName = "my-certificate-authority",
                },
                SubjectAltName = new Gcp.CertificateAuthority.Inputs.AuthorityConfigSubjectConfigSubjectAltNameArgs
                {
                    DnsNames = new[]
                    {
                        "hashicorp.com",
                    },
                },
            },
            X509Config = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigArgs
            {
                CaOptions = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigCaOptionsArgs
                {
                    IsCa = true,
                },
                KeyUsage = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigKeyUsageArgs
                {
                    // The authority's key may sign certificates and CRLs.
                    BaseKeyUsage = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs
                    {
                        CertSign = true,
                        CrlSign = true,
                    },
                    ExtendedKeyUsage = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs
                    {
                        ServerAuth = true,
                    },
                },
            },
        },
        KeySpec = new Gcp.CertificateAuthority.Inputs.AuthorityKeySpecArgs
        {
            Algorithm = "RSA_PKCS1_4096_SHA256",
        },
        // Teardown-friendly sample settings: deletion protection is off, the deletion
        // grace period is skipped, and certificates that are still active do not block
        // deletion. Review all three before reusing this outside a throwaway stack.
        DeletionProtection = false,
        SkipGracePeriod = true,
        IgnoreActiveCertificatesOnDeletion = true,
    });

    var defaultCertificate = new Gcp.CertificateAuthority.Certificate("defaultCertificate", new()
    {
        Location = "us-central1",
        Pool = defaultCaPool.Name,
        CertificateAuthority = defaultAuthority.CertificateAuthorityId,
        // 86000 seconds, i.e. a little under 24 hours (86400s).
        Lifetime = "86000s",
        Config = new Gcp.CertificateAuthority.Inputs.CertificateConfigArgs
        {
            SubjectConfig = new Gcp.CertificateAuthority.Inputs.CertificateConfigSubjectConfigArgs
            {
                Subject = new Gcp.CertificateAuthority.Inputs.CertificateConfigSubjectConfigSubjectArgs
                {
                    CommonName = "san1.example.com",
                    CountryCode = "us",
                    Organization = "google",
                    OrganizationalUnit = "enterprise",
                    Locality = "mountain view",
                    Province = "california",
                    StreetAddress = "1600 amphitheatre parkway",
                },
                // Placeholder SAN entries (example.com address, loopback IP, RFC URL).
                SubjectAltName = new Gcp.CertificateAuthority.Inputs.CertificateConfigSubjectConfigSubjectAltNameArgs
                {
                    EmailAddresses = new[]
                    {
                        "email@example.com",
                    },
                    IpAddresses = new[]
                    {
                        "127.0.0.1",
                    },
                    Uris = new[]
                    {
                        "http://www.ietf.org/rfc/rfc3986.txt",
                    },
                },
            },
            X509Config = new Gcp.CertificateAuthority.Inputs.CertificateConfigX509ConfigArgs
            {
                // IsCa = true requests a CA certificate rather than an end-entity one;
                // the name constraints further down apply to what such a CA may issue.
                // NOTE(review): CertSign is not set in BaseKeyUsage below even though
                // IsCa is true; confirm that combination is intended.
                CaOptions = new Gcp.CertificateAuthority.Inputs.CertificateConfigX509ConfigCaOptionsArgs
                {
                    IsCa = true,
                },
                KeyUsage = new Gcp.CertificateAuthority.Inputs.CertificateConfigX509ConfigKeyUsageArgs
                {
                    BaseKeyUsage = new Gcp.CertificateAuthority.Inputs.CertificateConfigX509ConfigKeyUsageBaseKeyUsageArgs
                    {
                        CrlSign = false,
                        DecipherOnly = false,
                    },
                    ExtendedKeyUsage = new Gcp.CertificateAuthority.Inputs.CertificateConfigX509ConfigKeyUsageExtendedKeyUsageArgs
                    {
                        ServerAuth = false,
                    },
                },
                // Marked critical, so a verifier that does not process name constraints
                // must reject the certificate instead of ignoring the extension.
                NameConstraints = new Gcp.CertificateAuthority.Inputs.CertificateConfigX509ConfigNameConstraintsArgs
                {
                    Critical = true,
                    PermittedDnsNames = new[]
                    {
                        "*.example.com",
                    },
                    ExcludedDnsNames = new[]
                    {
                        "*.deny.example.com",
                    },
                    PermittedIpRanges = new[]
                    {
                        "10.0.0.0/8",
                    },
                    ExcludedIpRanges = new[]
                    {
                        "10.1.1.0/24",
                    },
                    PermittedEmailAddresses = new[]
                    {
                        ".example.com",
                    },
                    ExcludedEmailAddresses = new[]
                    {
                        ".deny.example.com",
                    },
                    PermittedUris = new[]
                    {
                        ".example.com",
                    },
                    ExcludedUris = new[]
                    {
                        ".deny.example.com",
                    },
                },
            },
            // Key is the base64-encoded content of a local PEM file, read when the
            // program runs; the path is relative to the working directory.
            PublicKey = new Gcp.CertificateAuthority.Inputs.CertificateConfigPublicKeyArgs
            {
                Format = "PEM",
                Key = ReadFileBase64("test-fixtures/rsa_public.pem"),
            },
        },
    });

});
package main

import (
	"encoding/base64"
	"os"

	"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/certificateauthority"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

// filebase64OrPanic reads the file at path and returns its bytes, encoded with the
// standard base64 alphabet, as a Pulumi string input. It panics with the read
// error's message when the file cannot be read.
func filebase64OrPanic(path string) pulumi.StringPtrInput {
	raw, readErr := os.ReadFile(path)
	if readErr != nil {
		panic(readErr.Error())
	}
	encoded := base64.StdEncoding.EncodeToString(raw)
	return pulumi.String(encoded)
}

// main registers an ENTERPRISE-tier CA pool, a certificate authority inside that
// pool, and one certificate issued by that authority from an inline config plus a
// public key read from a local file. Any resource error is returned to pulumi.Run.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		defaultCaPool, err := certificateauthority.NewCaPool(ctx, "defaultCaPool", &certificateauthority.CaPoolArgs{
			Location: pulumi.String("us-central1"),
			Tier:     pulumi.String("ENTERPRISE"),
		})
		if err != nil {
			return err
		}
		defaultAuthority, err := certificateauthority.NewAuthority(ctx, "defaultAuthority", &certificateauthority.AuthorityArgs{
			Location:               pulumi.String("us-central1"),
			Pool:                   defaultCaPool.Name,
			CertificateAuthorityId: pulumi.String("my-authority"),
			Config: &certificateauthority.AuthorityConfigArgs{
				SubjectConfig: &certificateauthority.AuthorityConfigSubjectConfigArgs{
					// Sample subject values; replace with the issuing organization's own names.
					Subject: &certificateauthority.AuthorityConfigSubjectConfigSubjectArgs{
						Organization: pulumi.String("HashiCorp"),
						CommonName:   pulumi.String("my-certificate-authority"),
					},
					SubjectAltName: &certificateauthority.AuthorityConfigSubjectConfigSubjectAltNameArgs{
						DnsNames: pulumi.StringArray{
							pulumi.String("hashicorp.com"),
						},
					},
				},
				X509Config: &certificateauthority.AuthorityConfigX509ConfigArgs{
					CaOptions: &certificateauthority.AuthorityConfigX509ConfigCaOptionsArgs{
						IsCa: pulumi.Bool(true),
					},
					KeyUsage: &certificateauthority.AuthorityConfigX509ConfigKeyUsageArgs{
						// The authority's key may sign certificates and CRLs.
						BaseKeyUsage: &certificateauthority.AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs{
							CertSign: pulumi.Bool(true),
							CrlSign:  pulumi.Bool(true),
						},
						ExtendedKeyUsage: &certificateauthority.AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs{
							ServerAuth: pulumi.Bool(true),
						},
					},
				},
			},
			KeySpec: &certificateauthority.AuthorityKeySpecArgs{
				Algorithm: pulumi.String("RSA_PKCS1_4096_SHA256"),
			},
			// Teardown-friendly sample settings: deletion protection is off, the deletion
			// grace period is skipped, and certificates that are still active do not block
			// deletion. Review all three before reusing this outside a throwaway stack.
			DeletionProtection:                 pulumi.Bool(false),
			SkipGracePeriod:                    pulumi.Bool(true),
			IgnoreActiveCertificatesOnDeletion: pulumi.Bool(true),
		})
		if err != nil {
			return err
		}
		_, err = certificateauthority.NewCertificate(ctx, "defaultCertificate", &certificateauthority.CertificateArgs{
			Location:             pulumi.String("us-central1"),
			Pool:                 defaultCaPool.Name,
			CertificateAuthority: defaultAuthority.CertificateAuthorityId,
			// 86000 seconds, i.e. a little under 24 hours (86400s).
			Lifetime:             pulumi.String("86000s"),
			Config: &certificateauthority.CertificateConfigArgs{
				SubjectConfig: &certificateauthority.CertificateConfigSubjectConfigArgs{
					Subject: &certificateauthority.CertificateConfigSubjectConfigSubjectArgs{
						CommonName:         pulumi.String("san1.example.com"),
						CountryCode:        pulumi.String("us"),
						Organization:       pulumi.String("google"),
						OrganizationalUnit: pulumi.String("enterprise"),
						Locality:           pulumi.String("mountain view"),
						Province:           pulumi.String("california"),
						StreetAddress:      pulumi.String("1600 amphitheatre parkway"),
					},
					// Placeholder SAN entries (example.com address, loopback IP, RFC URL).
					SubjectAltName: &certificateauthority.CertificateConfigSubjectConfigSubjectAltNameArgs{
						EmailAddresses: pulumi.StringArray{
							pulumi.String("email@example.com"),
						},
						IpAddresses: pulumi.StringArray{
							pulumi.String("127.0.0.1"),
						},
						Uris: pulumi.StringArray{
							pulumi.String("http://www.ietf.org/rfc/rfc3986.txt"),
						},
					},
				},
				X509Config: &certificateauthority.CertificateConfigX509ConfigArgs{
					// IsCa = true requests a CA certificate rather than an end-entity one;
					// the name constraints further down apply to what such a CA may issue.
					// NOTE(review): CertSign is not set in BaseKeyUsage below even though
					// IsCa is true; confirm that combination is intended.
					CaOptions: &certificateauthority.CertificateConfigX509ConfigCaOptionsArgs{
						IsCa: pulumi.Bool(true),
					},
					KeyUsage: &certificateauthority.CertificateConfigX509ConfigKeyUsageArgs{
						BaseKeyUsage: &certificateauthority.CertificateConfigX509ConfigKeyUsageBaseKeyUsageArgs{
							CrlSign:      pulumi.Bool(false),
							DecipherOnly: pulumi.Bool(false),
						},
						ExtendedKeyUsage: &certificateauthority.CertificateConfigX509ConfigKeyUsageExtendedKeyUsageArgs{
							ServerAuth: pulumi.Bool(false),
						},
					},
					// Marked critical, so a verifier that does not process name constraints
					// must reject the certificate instead of ignoring the extension.
					NameConstraints: &certificateauthority.CertificateConfigX509ConfigNameConstraintsArgs{
						Critical: pulumi.Bool(true),
						PermittedDnsNames: pulumi.StringArray{
							pulumi.String("*.example.com"),
						},
						ExcludedDnsNames: pulumi.StringArray{
							pulumi.String("*.deny.example.com"),
						},
						PermittedIpRanges: pulumi.StringArray{
							pulumi.String("10.0.0.0/8"),
						},
						ExcludedIpRanges: pulumi.StringArray{
							pulumi.String("10.1.1.0/24"),
						},
						PermittedEmailAddresses: pulumi.StringArray{
							pulumi.String(".example.com"),
						},
						ExcludedEmailAddresses: pulumi.StringArray{
							pulumi.String(".deny.example.com"),
						},
						PermittedUris: pulumi.StringArray{
							pulumi.String(".example.com"),
						},
						ExcludedUris: pulumi.StringArray{
							pulumi.String(".deny.example.com"),
						},
					},
				},
				// Key is the base64-encoded content of a local PEM file, read when the
				// program runs; filebase64OrPanic panics if the file cannot be read.
				PublicKey: &certificateauthority.CertificateConfigPublicKeyArgs{
					Format: pulumi.String("PEM"),
					Key:    filebase64OrPanic("test-fixtures/rsa_public.pem"),
				},
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.certificateauthority.CaPool;
import com.pulumi.gcp.certificateauthority.CaPoolArgs;
import com.pulumi.gcp.certificateauthority.Authority;
import com.pulumi.gcp.certificateauthority.AuthorityArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigSubjectConfigArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigSubjectConfigSubjectArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigSubjectConfigSubjectAltNameArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigCaOptionsArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigKeyUsageArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityKeySpecArgs;
import com.pulumi.gcp.certificateauthority.Certificate;
import com.pulumi.gcp.certificateauthority.CertificateArgs;
import com.pulumi.gcp.certificateauthority.inputs.CertificateConfigArgs;
import com.pulumi.gcp.certificateauthority.inputs.CertificateConfigSubjectConfigArgs;
import com.pulumi.gcp.certificateauthority.inputs.CertificateConfigSubjectConfigSubjectArgs;
import com.pulumi.gcp.certificateauthority.inputs.CertificateConfigSubjectConfigSubjectAltNameArgs;
import com.pulumi.gcp.certificateauthority.inputs.CertificateConfigX509ConfigArgs;
import com.pulumi.gcp.certificateauthority.inputs.CertificateConfigX509ConfigCaOptionsArgs;
import com.pulumi.gcp.certificateauthority.inputs.CertificateConfigX509ConfigKeyUsageArgs;
import com.pulumi.gcp.certificateauthority.inputs.CertificateConfigX509ConfigKeyUsageBaseKeyUsageArgs;
import com.pulumi.gcp.certificateauthority.inputs.CertificateConfigX509ConfigKeyUsageExtendedKeyUsageArgs;
import com.pulumi.gcp.certificateauthority.inputs.CertificateConfigX509ConfigNameConstraintsArgs;
import com.pulumi.gcp.certificateauthority.inputs.CertificateConfigPublicKeyArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

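/**
 * Pulumi program that provisions an ENTERPRISE-tier CA pool, a certificate authority
 * inside that pool, and one certificate issued by that authority from an inline
 * config plus a public key read from a local file.
 */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Reads the file at {@code path} and returns its raw bytes base64-encoded.
     *
     * <p>Fully qualified names are used because this listing's import block does not
     * import {@code Base64}. The checked {@code IOException} is rethrown unchecked so
     * the method can be called from {@link #stack(Context)}, which declares no
     * checked exceptions.
     *
     * @param path path of the file to encode, relative to the working directory
     * @return the base64 encoding of the file's bytes
     * @throws java.io.UncheckedIOException if the file cannot be read
     */
    private static String readFileBase64(String path) {
        try {
            return java.util.Base64.getEncoder().encodeToString(Files.readAllBytes(Paths.get(path)));
        } catch (java.io.IOException e) {
            throw new java.io.UncheckedIOException(e);
        }
    }

    /**
     * Declares the CA pool, the authority and the certificate.
     *
     * @param ctx the Pulumi context supplied by {@code Pulumi.run}
     */
    public static void stack(Context ctx) {
        var defaultCaPool = new CaPool("defaultCaPool", CaPoolArgs.builder()
            .location("us-central1")
            .tier("ENTERPRISE")
            .build());

        var defaultAuthority = new Authority("defaultAuthority", AuthorityArgs.builder()
            .location("us-central1")
            .pool(defaultCaPool.name())
            .certificateAuthorityId("my-authority")
            .config(AuthorityConfigArgs.builder()
                .subjectConfig(AuthorityConfigSubjectConfigArgs.builder()
                    // Sample subject values; replace with the issuing organization's own names.
                    .subject(AuthorityConfigSubjectConfigSubjectArgs.builder()
                        .organization("HashiCorp")
                        .commonName("my-certificate-authority")
                        .build())
                    .subjectAltName(AuthorityConfigSubjectConfigSubjectAltNameArgs.builder()
                        .dnsNames("hashicorp.com")
                        .build())
                    .build())
                .x509Config(AuthorityConfigX509ConfigArgs.builder()
                    .caOptions(AuthorityConfigX509ConfigCaOptionsArgs.builder()
                        .isCa(true)
                        .build())
                    .keyUsage(AuthorityConfigX509ConfigKeyUsageArgs.builder()
                        // The authority's key may sign certificates and CRLs.
                        .baseKeyUsage(AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs.builder()
                            .certSign(true)
                            .crlSign(true)
                            .build())
                        .extendedKeyUsage(AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs.builder()
                            .serverAuth(true)
                            .build())
                        .build())
                    .build())
                .build())
            .keySpec(AuthorityKeySpecArgs.builder()
                .algorithm("RSA_PKCS1_4096_SHA256")
                .build())
            // Teardown-friendly sample settings: deletion protection is off, the deletion
            // grace period is skipped, and certificates that are still active do not block
            // deletion. Review all three before reusing this outside a throwaway stack.
            .deletionProtection(false)
            .skipGracePeriod(true)
            .ignoreActiveCertificatesOnDeletion(true)
            .build());

        var defaultCertificate = new Certificate("defaultCertificate", CertificateArgs.builder()
            .location("us-central1")
            .pool(defaultCaPool.name())
            .certificateAuthority(defaultAuthority.certificateAuthorityId())
            // 86000 seconds, i.e. a little under 24 hours (86400s).
            .lifetime("86000s")
            .config(CertificateConfigArgs.builder()
                .subjectConfig(CertificateConfigSubjectConfigArgs.builder()
                    .subject(CertificateConfigSubjectConfigSubjectArgs.builder()
                        .commonName("san1.example.com")
                        .countryCode("us")
                        .organization("google")
                        .organizationalUnit("enterprise")
                        .locality("mountain view")
                        .province("california")
                        .streetAddress("1600 amphitheatre parkway")
                        .build())
                    // Placeholder SAN entries (example.com address, loopback IP, RFC URL).
                    .subjectAltName(CertificateConfigSubjectConfigSubjectAltNameArgs.builder()
                        .emailAddresses("email@example.com")
                        .ipAddresses("127.0.0.1")
                        .uris("http://www.ietf.org/rfc/rfc3986.txt")
                        .build())
                    .build())
                .x509Config(CertificateConfigX509ConfigArgs.builder()
                    // isCa(true) requests a CA certificate rather than an end-entity one;
                    // the name constraints further down apply to what such a CA may issue.
                    // NOTE(review): certSign is not set in baseKeyUsage below even though
                    // isCa is true; confirm that combination is intended.
                    .caOptions(CertificateConfigX509ConfigCaOptionsArgs.builder()
                        .isCa(true)
                        .build())
                    .keyUsage(CertificateConfigX509ConfigKeyUsageArgs.builder()
                        .baseKeyUsage(CertificateConfigX509ConfigKeyUsageBaseKeyUsageArgs.builder()
                            .crlSign(false)
                            .decipherOnly(false)
                            .build())
                        .extendedKeyUsage(CertificateConfigX509ConfigKeyUsageExtendedKeyUsageArgs.builder()
                            .serverAuth(false)
                            .build())
                        .build())
                    // Marked critical, so a verifier that does not process name constraints
                    // must reject the certificate instead of ignoring the extension.
                    .nameConstraints(CertificateConfigX509ConfigNameConstraintsArgs.builder()
                        .critical(true)
                        .permittedDnsNames("*.example.com")
                        .excludedDnsNames("*.deny.example.com")
                        .permittedIpRanges("10.0.0.0/8")
                        .excludedIpRanges("10.1.1.0/24")
                        .permittedEmailAddresses(".example.com")
                        .excludedEmailAddresses(".deny.example.com")
                        .permittedUris(".example.com")
                        .excludedUris(".deny.example.com")
                        .build())
                    .build())
                // The key is the base64-encoded content of a local PEM file, read when
                // the program runs.
                .publicKey(CertificateConfigPublicKeyArgs.builder()
                    .format("PEM")
                    .key(readFileBase64("test-fixtures/rsa_public.pem"))
                    .build())
                .build())
            .build());

    }
}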
import pulumi
import base64
import pulumi_gcp as gcp

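def _read_file_base64(path):
    """Return the base64 encoding of the raw bytes of the file at ``path``.

    The file is opened in binary mode inside a ``with`` block, so the handle is
    closed promptly and the encoded value does not depend on the platform's
    default text encoding or newline translation.
    """
    with open(path, "rb") as key_file:
        return base64.b64encode(key_file.read()).decode("ascii")


# ENTERPRISE-tier CA pool that holds the authority below.
default_ca_pool = gcp.certificateauthority.CaPool("defaultCaPool",
    location="us-central1",
    tier="ENTERPRISE")
default_authority = gcp.certificateauthority.Authority("defaultAuthority",
    location="us-central1",
    pool=default_ca_pool.name,
    certificate_authority_id="my-authority",
    config=gcp.certificateauthority.AuthorityConfigArgs(
        subject_config=gcp.certificateauthority.AuthorityConfigSubjectConfigArgs(
            # Sample subject values; replace with the issuing organization's own names.
            subject=gcp.certificateauthority.AuthorityConfigSubjectConfigSubjectArgs(
                organization="HashiCorp",
                common_name="my-certificate-authority",
            ),
            subject_alt_name=gcp.certificateauthority.AuthorityConfigSubjectConfigSubjectAltNameArgs(
                dns_names=["hashicorp.com"],
            ),
        ),
        x509_config=gcp.certificateauthority.AuthorityConfigX509ConfigArgs(
            ca_options=gcp.certificateauthority.AuthorityConfigX509ConfigCaOptionsArgs(
                is_ca=True,
            ),
            key_usage=gcp.certificateauthority.AuthorityConfigX509ConfigKeyUsageArgs(
                # The authority's key may sign certificates and CRLs.
                base_key_usage=gcp.certificateauthority.AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs(
                    cert_sign=True,
                    crl_sign=True,
                ),
                extended_key_usage=gcp.certificateauthority.AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs(
                    server_auth=True,
                ),
            ),
        ),
    ),
    key_spec=gcp.certificateauthority.AuthorityKeySpecArgs(
        algorithm="RSA_PKCS1_4096_SHA256",
    ),
    # Teardown-friendly sample settings: deletion protection is off, the deletion
    # grace period is skipped, and certificates that are still active do not block
    # deletion. Review all three before reusing this outside a throwaway stack.
    deletion_protection=False,
    skip_grace_period=True,
    ignore_active_certificates_on_deletion=True)
default_certificate = gcp.certificateauthority.Certificate("defaultCertificate",
    location="us-central1",
    pool=default_ca_pool.name,
    certificate_authority=default_authority.certificate_authority_id,
    # 86000 seconds, i.e. a little under 24 hours (86400s).
    lifetime="86000s",
    config=gcp.certificateauthority.CertificateConfigArgs(
        subject_config=gcp.certificateauthority.CertificateConfigSubjectConfigArgs(
            subject=gcp.certificateauthority.CertificateConfigSubjectConfigSubjectArgs(
                common_name="san1.example.com",
                country_code="us",
                organization="google",
                organizational_unit="enterprise",
                locality="mountain view",
                province="california",
                street_address="1600 amphitheatre parkway",
            ),
            # Placeholder SAN entries (example.com address, loopback IP, RFC URL).
            subject_alt_name=gcp.certificateauthority.CertificateConfigSubjectConfigSubjectAltNameArgs(
                email_addresses=["email@example.com"],
                ip_addresses=["127.0.0.1"],
                uris=["http://www.ietf.org/rfc/rfc3986.txt"],
            ),
        ),
        x509_config=gcp.certificateauthority.CertificateConfigX509ConfigArgs(
            # is_ca=True requests a CA certificate rather than an end-entity one;
            # the name constraints further down apply to what such a CA may issue.
            # NOTE(review): cert_sign is not set in base_key_usage below even though
            # is_ca is True; confirm that combination is intended.
            ca_options=gcp.certificateauthority.CertificateConfigX509ConfigCaOptionsArgs(
                is_ca=True,
            ),
            key_usage=gcp.certificateauthority.CertificateConfigX509ConfigKeyUsageArgs(
                base_key_usage=gcp.certificateauthority.CertificateConfigX509ConfigKeyUsageBaseKeyUsageArgs(
                    crl_sign=False,
                    decipher_only=False,
                ),
                extended_key_usage=gcp.certificateauthority.CertificateConfigX509ConfigKeyUsageExtendedKeyUsageArgs(
                    server_auth=False,
                ),
            ),
            # Marked critical, so a verifier that does not process name constraints
            # must reject the certificate instead of ignoring the extension.
            name_constraints=gcp.certificateauthority.CertificateConfigX509ConfigNameConstraintsArgs(
                critical=True,
                permitted_dns_names=["*.example.com"],
                excluded_dns_names=["*.deny.example.com"],
                permitted_ip_ranges=["10.0.0.0/8"],
                excluded_ip_ranges=["10.1.1.0/24"],
                permitted_email_addresses=[".example.com"],
                excluded_email_addresses=[".deny.example.com"],
                permitted_uris=[".example.com"],
                excluded_uris=[".deny.example.com"],
            ),
        ),
        # The key is the base64-encoded content of a local PEM file, read when the
        # program runs.
        public_key=gcp.certificateauthority.CertificateConfigPublicKeyArgs(
            format="PEM",
            key=_read_file_base64("test-fixtures/rsa_public.pem"),
        ),
    ))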
import * as pulumi from "@pulumi/pulumi";
import * as fs from "fs";
import * as gcp from "@pulumi/gcp";

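// ENTERPRISE-tier CA pool that holds the authority below.
const defaultCaPool = new gcp.certificateauthority.CaPool("defaultCaPool", {
    location: "us-central1",
    tier: "ENTERPRISE",
});
const defaultAuthority = new gcp.certificateauthority.Authority("defaultAuthority", {
    location: "us-central1",
    pool: defaultCaPool.name,
    certificateAuthorityId: "my-authority",
    config: {
        subjectConfig: {
            // Sample subject values; replace with the issuing organization's own names.
            subject: {
                organization: "HashiCorp",
                commonName: "my-certificate-authority",
            },
            subjectAltName: {
                dnsNames: ["hashicorp.com"],
            },
        },
        x509Config: {
            caOptions: {
                isCa: true,
            },
            keyUsage: {
                // The authority's key may sign certificates and CRLs.
                baseKeyUsage: {
                    certSign: true,
                    crlSign: true,
                },
                extendedKeyUsage: {
                    serverAuth: true,
                },
            },
        },
    },
    keySpec: {
        algorithm: "RSA_PKCS1_4096_SHA256",
    },
    // Teardown-friendly sample settings: deletion protection is off, the deletion
    // grace period is skipped, and certificates that are still active do not block
    // deletion. Review all three before reusing this outside a throwaway stack.
    deletionProtection: false,
    skipGracePeriod: true,
    ignoreActiveCertificatesOnDeletion: true,
});
const defaultCertificate = new gcp.certificateauthority.Certificate("defaultCertificate", {
    location: "us-central1",
    pool: defaultCaPool.name,
    certificateAuthority: defaultAuthority.certificateAuthorityId,
    // 86000 seconds, i.e. a little under 24 hours (86400s).
    lifetime: "86000s",
    config: {
        subjectConfig: {
            subject: {
                commonName: "san1.example.com",
                countryCode: "us",
                organization: "google",
                organizationalUnit: "enterprise",
                locality: "mountain view",
                province: "california",
                streetAddress: "1600 amphitheatre parkway",
            },
            // Placeholder SAN entries (example.com address, loopback IP, RFC URL).
            subjectAltName: {
                emailAddresses: ["email@example.com"],
                ipAddresses: ["127.0.0.1"],
                uris: ["http://www.ietf.org/rfc/rfc3986.txt"],
            },
        },
        x509Config: {
            // isCa: true requests a CA certificate rather than an end-entity one;
            // the name constraints further down apply to what such a CA may issue.
            // NOTE(review): certSign is not set in baseKeyUsage below even though
            // isCa is true; confirm that combination is intended.
            caOptions: {
                isCa: true,
            },
            keyUsage: {
                baseKeyUsage: {
                    crlSign: false,
                    decipherOnly: false,
                },
                extendedKeyUsage: {
                    serverAuth: false,
                },
            },
            // Marked critical, so a verifier that does not process name constraints
            // must reject the certificate instead of ignoring the extension.
            nameConstraints: {
                critical: true,
                permittedDnsNames: ["*.example.com"],
                excludedDnsNames: ["*.deny.example.com"],
                permittedIpRanges: ["10.0.0.0/8"],
                excludedIpRanges: ["10.1.1.0/24"],
                permittedEmailAddresses: [".example.com"],
                excludedEmailAddresses: [".deny.example.com"],
                permittedUris: [".example.com"],
                excludedUris: [".deny.example.com"],
            },
        },
        publicKey: {
            format: "PEM",
            // readFileSync without an encoding already returns a Buffer, so it is
            // base64-encoded directly; wrapping it in Buffer.from(..., 'binary') only
            // copied the buffer (the encoding argument applies to string input).
            key: fs.readFileSync("test-fixtures/rsa_public.pem").toString("base64"),
        },
    },
});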


Privateca Certificate With Template

using System.Collections.Generic;
using System.IO;
using Pulumi;
using Gcp = Pulumi.Gcp;

// Provisions an ENTERPRISE-tier CA pool, a certificate template, a certificate
// authority, and one certificate issued from a PEM CSR through that template.
return await Deployment.RunAsync(() => 
{
    var defaultCaPool = new Gcp.CertificateAuthority.CaPool("defaultCaPool", new()
    {
        Location = "us-central1",
        Tier = "ENTERPRISE",
    });

    var defaultCertificateTemplate = new Gcp.CertificateAuthority.CertificateTemplate("defaultCertificateTemplate", new()
    {
        Location = "us-central1",
        Description = "An updated sample certificate template",
        // Both passthrough flags are on and the CEL expression is the constant "true",
        // so this template does not restrict the subject or SANs a request may carry.
        // NOTE(review): sample-only; a template meant to constrain issuance would use
        // a real expression and/or turn passthrough off.
        IdentityConstraints = new Gcp.CertificateAuthority.Inputs.CertificateTemplateIdentityConstraintsArgs
        {
            AllowSubjectAltNamesPassthrough = true,
            AllowSubjectPassthrough = true,
            CelExpression = new Gcp.CertificateAuthority.Inputs.CertificateTemplateIdentityConstraintsCelExpressionArgs
            {
                Description = "Always true",
                Expression = "true",
                Location = "any.file.anywhere",
                Title = "Sample expression",
            },
        },
        PassthroughExtensions = new Gcp.CertificateAuthority.Inputs.CertificateTemplatePassthroughExtensionsArgs
        {
            AdditionalExtensions = new[]
            {
                new Gcp.CertificateAuthority.Inputs.CertificateTemplatePassthroughExtensionsAdditionalExtensionArgs
                {
                    // Placeholder object identifier path (1.6), repeated throughout this sample.
                    ObjectIdPaths = new[]
                    {
                        1,
                        6,
                    },
                },
            },
            KnownExtensions = new[]
            {
                "EXTENDED_KEY_USAGE",
            },
        },
        PredefinedValues = new Gcp.CertificateAuthority.Inputs.CertificateTemplatePredefinedValuesArgs
        {
            AdditionalExtensions = new[]
            {
                new Gcp.CertificateAuthority.Inputs.CertificateTemplatePredefinedValuesAdditionalExtensionArgs
                {
                    ObjectId = new Gcp.CertificateAuthority.Inputs.CertificateTemplatePredefinedValuesAdditionalExtensionObjectIdArgs
                    {
                        ObjectIdPaths = new[]
                        {
                            1,
                            6,
                        },
                    },
                    // Base64 of the placeholder text "string" followed by a newline.
                    Value = "c3RyaW5nCg==",
                    Critical = true,
                },
            },
            // Placeholder value, not a usable OCSP responder address.
            AiaOcspServers = new[]
            {
                "string",
            },
            // NOTE(review): a maximum issuer path length is set although IsCa is false;
            // confirm whether the path length has any effect in that case.
            CaOptions = new Gcp.CertificateAuthority.Inputs.CertificateTemplatePredefinedValuesCaOptionsArgs
            {
                IsCa = false,
                MaxIssuerPathLength = 6,
            },
            KeyUsage = new Gcp.CertificateAuthority.Inputs.CertificateTemplatePredefinedValuesKeyUsageArgs
            {
                // Every base usage except certificate and CRL signing is enabled.
                BaseKeyUsage = new Gcp.CertificateAuthority.Inputs.CertificateTemplatePredefinedValuesKeyUsageBaseKeyUsageArgs
                {
                    CertSign = false,
                    ContentCommitment = true,
                    CrlSign = false,
                    DataEncipherment = true,
                    DecipherOnly = true,
                    DigitalSignature = true,
                    EncipherOnly = true,
                    KeyAgreement = true,
                    KeyEncipherment = true,
                },
                // All six listed extended usages are enabled, including code signing,
                // OCSP signing and time stamping. This shows the available fields;
                // a narrower set per template keeps issued certificates single-purpose.
                ExtendedKeyUsage = new Gcp.CertificateAuthority.Inputs.CertificateTemplatePredefinedValuesKeyUsageExtendedKeyUsageArgs
                {
                    ClientAuth = true,
                    CodeSigning = true,
                    EmailProtection = true,
                    OcspSigning = true,
                    ServerAuth = true,
                    TimeStamping = true,
                },
                UnknownExtendedKeyUsages = new[]
                {
                    new Gcp.CertificateAuthority.Inputs.CertificateTemplatePredefinedValuesKeyUsageUnknownExtendedKeyUsageArgs
                    {
                        ObjectIdPaths = new[]
                        {
                            1,
                            6,
                        },
                    },
                },
            },
            PolicyIds = new[]
            {
                new Gcp.CertificateAuthority.Inputs.CertificateTemplatePredefinedValuesPolicyIdArgs
                {
                    ObjectIdPaths = new[]
                    {
                        1,
                        6,
                    },
                },
            },
        },
    });

    var defaultAuthority = new Gcp.CertificateAuthority.Authority("defaultAuthority", new()
    {
        Location = "us-central1",
        Pool = defaultCaPool.Name,
        CertificateAuthorityId = "my-authority",
        Config = new Gcp.CertificateAuthority.Inputs.AuthorityConfigArgs
        {
            SubjectConfig = new Gcp.CertificateAuthority.Inputs.AuthorityConfigSubjectConfigArgs
            {
                // Sample subject values; replace with the issuing organization's own names.
                Subject = new Gcp.CertificateAuthority.Inputs.AuthorityConfigSubjectConfigSubjectArgs
                {
                    Organization = "HashiCorp",
                    CommonName = "my-certificate-authority",
                },
                SubjectAltName = new Gcp.CertificateAuthority.Inputs.AuthorityConfigSubjectConfigSubjectAltNameArgs
                {
                    DnsNames = new[]
                    {
                        "hashicorp.com",
                    },
                },
            },
            X509Config = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigArgs
            {
                CaOptions = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigCaOptionsArgs
                {
                    IsCa = true,
                },
                KeyUsage = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigKeyUsageArgs
                {
                    // The authority's key may sign certificates and CRLs.
                    BaseKeyUsage = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs
                    {
                        CertSign = true,
                        CrlSign = true,
                    },
                    ExtendedKeyUsage = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs
                    {
                        ServerAuth = false,
                    },
                },
            },
        },
        KeySpec = new Gcp.CertificateAuthority.Inputs.AuthorityKeySpecArgs
        {
            Algorithm = "RSA_PKCS1_4096_SHA256",
        },
        // Teardown-friendly sample settings: deletion protection is off, the deletion
        // grace period is skipped, and certificates that are still active do not block
        // deletion. Review all three before reusing this outside a throwaway stack.
        DeletionProtection = false,
        SkipGracePeriod = true,
        IgnoreActiveCertificatesOnDeletion = true,
    });

    var defaultCertificate = new Gcp.CertificateAuthority.Certificate("defaultCertificate", new()
    {
        Location = "us-central1",
        Pool = defaultCaPool.Name,
        CertificateAuthority = defaultAuthority.CertificateAuthorityId,
        Lifetime = "860s",
        // The CSR is read as text from a local file when the program runs; the
        // certificate is issued through the template declared above.
        PemCsr = File.ReadAllText("test-fixtures/rsa_csr.pem"),
        CertificateTemplate = defaultCertificateTemplate.Id,
    });

});
package main

import (
	"os"

	"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/certificateauthority"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

// readFileOrPanic loads the file at path and returns its contents wrapped as a
// Pulumi string input. A read failure aborts the program with a panic that
// carries the error text, so a missing CSR fixture stops the deployment before
// any certificate request is made.
func readFileOrPanic(path string) pulumi.StringPtrInput {
	contents, readErr := os.ReadFile(path)
	if readErr == nil {
		return pulumi.String(string(contents))
	}
	panic(readErr.Error())
}

// main declares four Private CA resources in order: an ENTERPRISE-tier CA pool,
// a certificate template, a certificate authority in that pool, and one
// certificate issued from a CSR read from a local fixture file.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		defaultCaPool, err := certificateauthority.NewCaPool(ctx, "defaultCaPool", &certificateauthority.CaPoolArgs{
			Location: pulumi.String("us-central1"),
			Tier:     pulumi.String("ENTERPRISE"),
		})
		if err != nil {
			return err
		}
		defaultCertificateTemplate, err := certificateauthority.NewCertificateTemplate(ctx, "defaultCertificateTemplate", &certificateauthority.CertificateTemplateArgs{
			Location:    pulumi.String("us-central1"),
			Description: pulumi.String("An updated sample certificate template"),
			// Sample values only: the CEL expression is the constant "true", so this
			// constraint accepts every request, and both passthrough flags are on, so
			// the subject and SANs are taken from the CSR as submitted. A template
			// used for real issuance should restrict the names a requester may ask for.
			IdentityConstraints: &certificateauthority.CertificateTemplateIdentityConstraintsArgs{
				AllowSubjectAltNamesPassthrough: pulumi.Bool(true),
				AllowSubjectPassthrough:         pulumi.Bool(true),
				CelExpression: &certificateauthority.CertificateTemplateIdentityConstraintsCelExpressionArgs{
					Description: pulumi.String("Always true"),
					Expression:  pulumi.String("true"),
					Location:    pulumi.String("any.file.anywhere"),
					Title:       pulumi.String("Sample expression"),
				},
			},
			PassthroughExtensions: &certificateauthority.CertificateTemplatePassthroughExtensionsArgs{
				AdditionalExtensions: certificateauthority.CertificateTemplatePassthroughExtensionsAdditionalExtensionArray{
					&certificateauthority.CertificateTemplatePassthroughExtensionsAdditionalExtensionArgs{
						ObjectIdPaths: pulumi.IntArray{
							pulumi.Int(1),
							pulumi.Int(6),
						},
					},
				},
				KnownExtensions: pulumi.StringArray{
					pulumi.String("EXTENDED_KEY_USAGE"),
				},
			},
			PredefinedValues: &certificateauthority.CertificateTemplatePredefinedValuesArgs{
				// Placeholder extension: OID path 1.6 with the base64 of "string\n",
				// marked critical.
				AdditionalExtensions: certificateauthority.CertificateTemplatePredefinedValuesAdditionalExtensionArray{
					&certificateauthority.CertificateTemplatePredefinedValuesAdditionalExtensionArgs{
						ObjectId: &certificateauthority.CertificateTemplatePredefinedValuesAdditionalExtensionObjectIdArgs{
							ObjectIdPaths: pulumi.IntArray{
								pulumi.Int(1),
								pulumi.Int(6),
							},
						},
						Value:    pulumi.String("c3RyaW5nCg=="),
						Critical: pulumi.Bool(true),
					},
				},
				AiaOcspServers: pulumi.StringArray{
					pulumi.String("string"),
				},
				// Certificates issued through this template are not CAs.
				CaOptions: &certificateauthority.CertificateTemplatePredefinedValuesCaOptionsArgs{
					IsCa:                pulumi.Bool(false),
					MaxIssuerPathLength: pulumi.Int(6),
				},
				// The sample switches on every usage except certificate and CRL
				// signing, including code signing, OCSP signing and time stamping.
				// Enable only the usages the issued certificate actually needs.
				KeyUsage: &certificateauthority.CertificateTemplatePredefinedValuesKeyUsageArgs{
					BaseKeyUsage: &certificateauthority.CertificateTemplatePredefinedValuesKeyUsageBaseKeyUsageArgs{
						CertSign:          pulumi.Bool(false),
						ContentCommitment: pulumi.Bool(true),
						CrlSign:           pulumi.Bool(false),
						DataEncipherment:  pulumi.Bool(true),
						DecipherOnly:      pulumi.Bool(true),
						DigitalSignature:  pulumi.Bool(true),
						EncipherOnly:      pulumi.Bool(true),
						KeyAgreement:      pulumi.Bool(true),
						KeyEncipherment:   pulumi.Bool(true),
					},
					ExtendedKeyUsage: &certificateauthority.CertificateTemplatePredefinedValuesKeyUsageExtendedKeyUsageArgs{
						ClientAuth:      pulumi.Bool(true),
						CodeSigning:     pulumi.Bool(true),
						EmailProtection: pulumi.Bool(true),
						OcspSigning:     pulumi.Bool(true),
						ServerAuth:      pulumi.Bool(true),
						TimeStamping:    pulumi.Bool(true),
					},
					UnknownExtendedKeyUsages: certificateauthority.CertificateTemplatePredefinedValuesKeyUsageUnknownExtendedKeyUsageArray{
						&certificateauthority.CertificateTemplatePredefinedValuesKeyUsageUnknownExtendedKeyUsageArgs{
							ObjectIdPaths: pulumi.IntArray{
								pulumi.Int(1),
								pulumi.Int(6),
							},
						},
					},
				},
				PolicyIds: certificateauthority.CertificateTemplatePredefinedValuesPolicyIdArray{
					&certificateauthority.CertificateTemplatePredefinedValuesPolicyIdArgs{
						ObjectIdPaths: pulumi.IntArray{
							pulumi.Int(1),
							pulumi.Int(6),
						},
					},
				},
			},
		})
		if err != nil {
			return err
		}
		defaultAuthority, err := certificateauthority.NewAuthority(ctx, "defaultAuthority", &certificateauthority.AuthorityArgs{
			Location:               pulumi.String("us-central1"),
			Pool:                   defaultCaPool.Name,
			CertificateAuthorityId: pulumi.String("my-authority"),
			Config: &certificateauthority.AuthorityConfigArgs{
				SubjectConfig: &certificateauthority.AuthorityConfigSubjectConfigArgs{
					Subject: &certificateauthority.AuthorityConfigSubjectConfigSubjectArgs{
						Organization: pulumi.String("HashiCorp"),
						CommonName:   pulumi.String("my-certificate-authority"),
					},
					SubjectAltName: &certificateauthority.AuthorityConfigSubjectConfigSubjectAltNameArgs{
						DnsNames: pulumi.StringArray{
							pulumi.String("hashicorp.com"),
						},
					},
				},
				// The CA certificate is limited to signing certificates and CRLs;
				// server authentication is explicitly off.
				X509Config: &certificateauthority.AuthorityConfigX509ConfigArgs{
					CaOptions: &certificateauthority.AuthorityConfigX509ConfigCaOptionsArgs{
						IsCa: pulumi.Bool(true),
					},
					KeyUsage: &certificateauthority.AuthorityConfigX509ConfigKeyUsageArgs{
						BaseKeyUsage: &certificateauthority.AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs{
							CertSign: pulumi.Bool(true),
							CrlSign:  pulumi.Bool(true),
						},
						ExtendedKeyUsage: &certificateauthority.AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs{
							ServerAuth: pulumi.Bool(false),
						},
					},
				},
			},
			KeySpec: &certificateauthority.AuthorityKeySpecArgs{
				Algorithm: pulumi.String("RSA_PKCS1_4096_SHA256"),
			},
			// The three settings below switch off the CA deletion safety checks so the
			// example can be torn down easily. Keep the checks enabled for a CA that
			// issues real certificates.
			DeletionProtection:                 pulumi.Bool(false),
			SkipGracePeriod:                    pulumi.Bool(true),
			IgnoreActiveCertificatesOnDeletion: pulumi.Bool(true),
		})
		if err != nil {
			return err
		}
		// The certificate is requested from the CSR in the local fixture file, is
		// valid for 860 seconds, and is shaped by the template declared above.
		_, err = certificateauthority.NewCertificate(ctx, "defaultCertificate", &certificateauthority.CertificateArgs{
			Location:             pulumi.String("us-central1"),
			Pool:                 defaultCaPool.Name,
			CertificateAuthority: defaultAuthority.CertificateAuthorityId,
			Lifetime:             pulumi.String("860s"),
			PemCsr:               readFileOrPanic("test-fixtures/rsa_csr.pem"),
			CertificateTemplate:  defaultCertificateTemplate.ID(),
		})
		if err != nil {
			return err
		}
		return nil
	})
}
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.certificateauthority.CaPool;
import com.pulumi.gcp.certificateauthority.CaPoolArgs;
import com.pulumi.gcp.certificateauthority.CertificateTemplate;
import com.pulumi.gcp.certificateauthority.CertificateTemplateArgs;
import com.pulumi.gcp.certificateauthority.inputs.CertificateTemplateIdentityConstraintsArgs;
import com.pulumi.gcp.certificateauthority.inputs.CertificateTemplateIdentityConstraintsCelExpressionArgs;
import com.pulumi.gcp.certificateauthority.inputs.CertificateTemplatePassthroughExtensionsArgs;
import com.pulumi.gcp.certificateauthority.inputs.CertificateTemplatePredefinedValuesArgs;
import com.pulumi.gcp.certificateauthority.inputs.CertificateTemplatePredefinedValuesCaOptionsArgs;
import com.pulumi.gcp.certificateauthority.inputs.CertificateTemplatePredefinedValuesKeyUsageArgs;
import com.pulumi.gcp.certificateauthority.inputs.CertificateTemplatePredefinedValuesKeyUsageBaseKeyUsageArgs;
import com.pulumi.gcp.certificateauthority.inputs.CertificateTemplatePredefinedValuesKeyUsageExtendedKeyUsageArgs;
import com.pulumi.gcp.certificateauthority.Authority;
import com.pulumi.gcp.certificateauthority.AuthorityArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigSubjectConfigArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigSubjectConfigSubjectArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigSubjectConfigSubjectAltNameArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigCaOptionsArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigKeyUsageArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityKeySpecArgs;
import com.pulumi.gcp.certificateauthority.Certificate;
import com.pulumi.gcp.certificateauthority.CertificateArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

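/**
 * Pulumi program that declares an ENTERPRISE-tier CA pool, a certificate
 * template, a certificate authority in that pool, and one certificate issued
 * from a CSR stored in a local fixture file.
 */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Reads the file at {@code path} as a string.
     *
     * {@code Files.readString} throws the checked {@code IOException}, which
     * {@link #stack(Context)} does not declare, so a read failure is rethrown
     * unchecked and stops the deployment before the certificate is requested.
     *
     * @param path location of the PEM-encoded CSR
     * @return the file contents
     * @throws java.io.UncheckedIOException if the file cannot be read
     */
    private static String readFileOrThrow(String path) {
        try {
            return Files.readString(Paths.get(path));
        } catch (java.io.IOException e) {
            throw new java.io.UncheckedIOException("Unable to read " + path, e);
        }
    }

    /**
     * Declares the CA pool, certificate template, certificate authority and
     * certificate resources.
     *
     * @param ctx the Pulumi context supplied by {@code Pulumi.run}
     */
    public static void stack(Context ctx) {
        var defaultCaPool = new CaPool("defaultCaPool", CaPoolArgs.builder()
            .location("us-central1")
            .tier("ENTERPRISE")
            .build());

        var defaultCertificateTemplate = new CertificateTemplate("defaultCertificateTemplate", CertificateTemplateArgs.builder()
            .location("us-central1")
            .description("An updated sample certificate template")
            // Sample values only: the CEL expression is the constant "true", so this
            // constraint accepts every request, and both passthrough flags are on, so
            // the subject and SANs are taken from the CSR as submitted. A template
            // used for real issuance should restrict the names a requester may ask for.
            .identityConstraints(CertificateTemplateIdentityConstraintsArgs.builder()
                .allowSubjectAltNamesPassthrough(true)
                .allowSubjectPassthrough(true)
                .celExpression(CertificateTemplateIdentityConstraintsCelExpressionArgs.builder()
                    .description("Always true")
                    .expression("true")
                    .location("any.file.anywhere")
                    .title("Sample expression")
                    .build())
                .build())
            .passthroughExtensions(CertificateTemplatePassthroughExtensionsArgs.builder()
                .additionalExtensions(CertificateTemplatePassthroughExtensionsAdditionalExtensionArgs.builder()
                    .objectIdPaths(
                        1,
                        6)
                    .build())
                .knownExtensions("EXTENDED_KEY_USAGE")
                .build())
            .predefinedValues(CertificateTemplatePredefinedValuesArgs.builder()
                // Placeholder extension: OID path 1.6 with the base64 of "string\n",
                // marked critical.
                .additionalExtensions(CertificateTemplatePredefinedValuesAdditionalExtensionArgs.builder()
                    .objectId(CertificateTemplatePredefinedValuesAdditionalExtensionObjectIdArgs.builder()
                        .objectIdPaths(
                            1,
                            6)
                        .build())
                    .value("c3RyaW5nCg==")
                    .critical(true)
                    .build())
                .aiaOcspServers("string")
                // Certificates issued through this template are not CAs.
                .caOptions(CertificateTemplatePredefinedValuesCaOptionsArgs.builder()
                    .isCa(false)
                    .maxIssuerPathLength(6)
                    .build())
                // The sample switches on every usage except certificate and CRL
                // signing, including code signing, OCSP signing and time stamping.
                // Enable only the usages the issued certificate actually needs.
                .keyUsage(CertificateTemplatePredefinedValuesKeyUsageArgs.builder()
                    .baseKeyUsage(CertificateTemplatePredefinedValuesKeyUsageBaseKeyUsageArgs.builder()
                        .certSign(false)
                        .contentCommitment(true)
                        .crlSign(false)
                        .dataEncipherment(true)
                        .decipherOnly(true)
                        .digitalSignature(true)
                        .encipherOnly(true)
                        .keyAgreement(true)
                        .keyEncipherment(true)
                        .build())
                    .extendedKeyUsage(CertificateTemplatePredefinedValuesKeyUsageExtendedKeyUsageArgs.builder()
                        .clientAuth(true)
                        .codeSigning(true)
                        .emailProtection(true)
                        .ocspSigning(true)
                        .serverAuth(true)
                        .timeStamping(true)
                        .build())
                    .unknownExtendedKeyUsages(CertificateTemplatePredefinedValuesKeyUsageUnknownExtendedKeyUsageArgs.builder()
                        .objectIdPaths(
                            1,
                            6)
                        .build())
                    .build())
                .policyIds(CertificateTemplatePredefinedValuesPolicyIdArgs.builder()
                    .objectIdPaths(
                        1,
                        6)
                    .build())
                .build())
            .build());

        var defaultAuthority = new Authority("defaultAuthority", AuthorityArgs.builder()
            .location("us-central1")
            .pool(defaultCaPool.name())
            .certificateAuthorityId("my-authority")
            .config(AuthorityConfigArgs.builder()
                .subjectConfig(AuthorityConfigSubjectConfigArgs.builder()
                    .subject(AuthorityConfigSubjectConfigSubjectArgs.builder()
                        .organization("HashiCorp")
                        .commonName("my-certificate-authority")
                        .build())
                    .subjectAltName(AuthorityConfigSubjectConfigSubjectAltNameArgs.builder()
                        .dnsNames("hashicorp.com")
                        .build())
                    .build())
                // The CA certificate is limited to signing certificates and CRLs;
                // server authentication is explicitly off.
                .x509Config(AuthorityConfigX509ConfigArgs.builder()
                    .caOptions(AuthorityConfigX509ConfigCaOptionsArgs.builder()
                        .isCa(true)
                        .build())
                    .keyUsage(AuthorityConfigX509ConfigKeyUsageArgs.builder()
                        .baseKeyUsage(AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs.builder()
                            .certSign(true)
                            .crlSign(true)
                            .build())
                        .extendedKeyUsage(AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs.builder()
                            .serverAuth(false)
                            .build())
                        .build())
                    .build())
                .build())
            .keySpec(AuthorityKeySpecArgs.builder()
                .algorithm("RSA_PKCS1_4096_SHA256")
                .build())
            // The three settings below switch off the CA deletion safety checks so the
            // example can be torn down easily. Keep the checks enabled for a CA that
            // issues real certificates.
            .deletionProtection(false)
            .skipGracePeriod(true)
            .ignoreActiveCertificatesOnDeletion(true)
            .build());

        // The certificate is requested from the CSR in the local fixture file, is
        // valid for 860 seconds, and is shaped by the template declared above.
        var defaultCertificate = new Certificate("defaultCertificate", CertificateArgs.builder()
            .location("us-central1")
            .pool(defaultCaPool.name())
            .certificateAuthority(defaultAuthority.certificateAuthorityId())
            .lifetime("860s")
            .pemCsr(readFileOrThrow("test-fixtures/rsa_csr.pem"))
            .certificateTemplate(defaultCertificateTemplate.id())
            .build());

    }
}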
import pulumi
import pulumi_gcp as gcp

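# Declares an ENTERPRISE-tier CA pool, a certificate template, a certificate
# authority in that pool, and one certificate issued from a CSR stored in a
# local fixture file.
default_ca_pool = gcp.certificateauthority.CaPool("defaultCaPool",
    location="us-central1",
    tier="ENTERPRISE")
default_certificate_template = gcp.certificateauthority.CertificateTemplate("defaultCertificateTemplate",
    location="us-central1",
    description="An updated sample certificate template",
    # Sample values only: the CEL expression is the constant "true", so this
    # constraint accepts every request, and both passthrough flags are on, so
    # the subject and SANs are taken from the CSR as submitted. A template used
    # for real issuance should restrict the names a requester may ask for.
    identity_constraints=gcp.certificateauthority.CertificateTemplateIdentityConstraintsArgs(
        allow_subject_alt_names_passthrough=True,
        allow_subject_passthrough=True,
        cel_expression=gcp.certificateauthority.CertificateTemplateIdentityConstraintsCelExpressionArgs(
            description="Always true",
            expression="true",
            location="any.file.anywhere",
            title="Sample expression",
        ),
    ),
    passthrough_extensions=gcp.certificateauthority.CertificateTemplatePassthroughExtensionsArgs(
        additional_extensions=[gcp.certificateauthority.CertificateTemplatePassthroughExtensionsAdditionalExtensionArgs(
            object_id_paths=[
                1,
                6,
            ],
        )],
        known_extensions=["EXTENDED_KEY_USAGE"],
    ),
    predefined_values=gcp.certificateauthority.CertificateTemplatePredefinedValuesArgs(
        # Placeholder extension: OID path 1.6 with the base64 of "string\n",
        # marked critical.
        additional_extensions=[gcp.certificateauthority.CertificateTemplatePredefinedValuesAdditionalExtensionArgs(
            object_id=gcp.certificateauthority.CertificateTemplatePredefinedValuesAdditionalExtensionObjectIdArgs(
                object_id_paths=[
                    1,
                    6,
                ],
            ),
            value="c3RyaW5nCg==",
            critical=True,
        )],
        aia_ocsp_servers=["string"],
        # Certificates issued through this template are not CAs.
        ca_options=gcp.certificateauthority.CertificateTemplatePredefinedValuesCaOptionsArgs(
            is_ca=False,
            max_issuer_path_length=6,
        ),
        # The sample switches on every usage except certificate and CRL signing,
        # including code signing, OCSP signing and time stamping. Enable only
        # the usages the issued certificate actually needs.
        key_usage=gcp.certificateauthority.CertificateTemplatePredefinedValuesKeyUsageArgs(
            base_key_usage=gcp.certificateauthority.CertificateTemplatePredefinedValuesKeyUsageBaseKeyUsageArgs(
                cert_sign=False,
                content_commitment=True,
                crl_sign=False,
                data_encipherment=True,
                decipher_only=True,
                digital_signature=True,
                encipher_only=True,
                key_agreement=True,
                key_encipherment=True,
            ),
            extended_key_usage=gcp.certificateauthority.CertificateTemplatePredefinedValuesKeyUsageExtendedKeyUsageArgs(
                client_auth=True,
                code_signing=True,
                email_protection=True,
                ocsp_signing=True,
                server_auth=True,
                time_stamping=True,
            ),
            unknown_extended_key_usages=[gcp.certificateauthority.CertificateTemplatePredefinedValuesKeyUsageUnknownExtendedKeyUsageArgs(
                object_id_paths=[
                    1,
                    6,
                ],
            )],
        ),
        policy_ids=[gcp.certificateauthority.CertificateTemplatePredefinedValuesPolicyIdArgs(
            object_id_paths=[
                1,
                6,
            ],
        )],
    ))
default_authority = gcp.certificateauthority.Authority("defaultAuthority",
    location="us-central1",
    pool=default_ca_pool.name,
    certificate_authority_id="my-authority",
    config=gcp.certificateauthority.AuthorityConfigArgs(
        subject_config=gcp.certificateauthority.AuthorityConfigSubjectConfigArgs(
            subject=gcp.certificateauthority.AuthorityConfigSubjectConfigSubjectArgs(
                organization="HashiCorp",
                common_name="my-certificate-authority",
            ),
            subject_alt_name=gcp.certificateauthority.AuthorityConfigSubjectConfigSubjectAltNameArgs(
                dns_names=["hashicorp.com"],
            ),
        ),
        # The CA certificate is limited to signing certificates and CRLs;
        # server authentication is explicitly off.
        x509_config=gcp.certificateauthority.AuthorityConfigX509ConfigArgs(
            ca_options=gcp.certificateauthority.AuthorityConfigX509ConfigCaOptionsArgs(
                is_ca=True,
            ),
            key_usage=gcp.certificateauthority.AuthorityConfigX509ConfigKeyUsageArgs(
                base_key_usage=gcp.certificateauthority.AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs(
                    cert_sign=True,
                    crl_sign=True,
                ),
                extended_key_usage=gcp.certificateauthority.AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs(
                    server_auth=False,
                ),
            ),
        ),
    ),
    key_spec=gcp.certificateauthority.AuthorityKeySpecArgs(
        algorithm="RSA_PKCS1_4096_SHA256",
    ),
    # The three settings below switch off the CA deletion safety checks so the
    # example can be torn down easily. Keep the checks enabled for a CA that
    # issues real certificates.
    deletion_protection=False,
    skip_grace_period=True,
    ignore_active_certificates_on_deletion=True)

# Read the CSR inside a context manager so the file handle is closed as soon as
# the contents are loaded, instead of being left open by an inline open().read().
with open("test-fixtures/rsa_csr.pem") as csr_file:
    csr_pem = csr_file.read()

# The certificate is requested from that CSR, is valid for 860 seconds, and is
# shaped by the template declared above.
default_certificate = gcp.certificateauthority.Certificate("defaultCertificate",
    location="us-central1",
    pool=default_ca_pool.name,
    certificate_authority=default_authority.certificate_authority_id,
    lifetime="860s",
    pem_csr=csr_pem,
    certificate_template=default_certificate_template.id)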
import * as pulumi from "@pulumi/pulumi";
import * as fs from "fs";
import * as gcp from "@pulumi/gcp";

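// Declares an ENTERPRISE-tier CA pool, a certificate template, a certificate
// authority in that pool, and one certificate issued from a CSR stored in a
// local fixture file.
const defaultCaPool = new gcp.certificateauthority.CaPool("defaultCaPool", {
    location: "us-central1",
    tier: "ENTERPRISE",
});
const defaultCertificateTemplate = new gcp.certificateauthority.CertificateTemplate("defaultCertificateTemplate", {
    location: "us-central1",
    description: "An updated sample certificate template",
    // Sample values only: the CEL expression is the constant "true", so this
    // constraint accepts every request, and both passthrough flags are on, so
    // the subject and SANs are taken from the CSR as submitted. A template used
    // for real issuance should restrict the names a requester may ask for.
    identityConstraints: {
        allowSubjectAltNamesPassthrough: true,
        allowSubjectPassthrough: true,
        celExpression: {
            description: "Always true",
            expression: "true",
            location: "any.file.anywhere",
            title: "Sample expression",
        },
    },
    passthroughExtensions: {
        additionalExtensions: [{
            objectIdPaths: [
                1,
                6,
            ],
        }],
        knownExtensions: ["EXTENDED_KEY_USAGE"],
    },
    predefinedValues: {
        // Placeholder extension: OID path 1.6 with the base64 of "string\n",
        // marked critical.
        additionalExtensions: [{
            objectId: {
                objectIdPaths: [
                    1,
                    6,
                ],
            },
            value: "c3RyaW5nCg==",
            critical: true,
        }],
        aiaOcspServers: ["string"],
        // Certificates issued through this template are not CAs.
        caOptions: {
            isCa: false,
            maxIssuerPathLength: 6,
        },
        // The sample switches on every usage except certificate and CRL signing,
        // including code signing, OCSP signing and time stamping. Enable only
        // the usages the issued certificate actually needs.
        keyUsage: {
            baseKeyUsage: {
                certSign: false,
                contentCommitment: true,
                crlSign: false,
                dataEncipherment: true,
                decipherOnly: true,
                digitalSignature: true,
                encipherOnly: true,
                keyAgreement: true,
                keyEncipherment: true,
            },
            extendedKeyUsage: {
                clientAuth: true,
                codeSigning: true,
                emailProtection: true,
                ocspSigning: true,
                serverAuth: true,
                timeStamping: true,
            },
            unknownExtendedKeyUsages: [{
                objectIdPaths: [
                    1,
                    6,
                ],
            }],
        },
        policyIds: [{
            objectIdPaths: [
                1,
                6,
            ],
        }],
    },
});
const defaultAuthority = new gcp.certificateauthority.Authority("defaultAuthority", {
    location: "us-central1",
    pool: defaultCaPool.name,
    certificateAuthorityId: "my-authority",
    config: {
        subjectConfig: {
            subject: {
                organization: "HashiCorp",
                commonName: "my-certificate-authority",
            },
            subjectAltName: {
                dnsNames: ["hashicorp.com"],
            },
        },
        // The CA certificate is limited to signing certificates and CRLs;
        // server authentication is explicitly off.
        x509Config: {
            caOptions: {
                isCa: true,
            },
            keyUsage: {
                baseKeyUsage: {
                    certSign: true,
                    crlSign: true,
                },
                extendedKeyUsage: {
                    serverAuth: false,
                },
            },
        },
    },
    keySpec: {
        algorithm: "RSA_PKCS1_4096_SHA256",
    },
    // The three settings below switch off the CA deletion safety checks so the
    // example can be torn down easily. Keep the checks enabled for a CA that
    // issues real certificates.
    deletionProtection: false,
    skipGracePeriod: true,
    ignoreActiveCertificatesOnDeletion: true,
});
// The certificate is requested from the CSR in the local fixture file, is valid
// for 860 seconds, and is shaped by the template declared above.
const defaultCertificate = new gcp.certificateauthority.Certificate("defaultCertificate", {
    location: "us-central1",
    pool: defaultCaPool.name,
    certificateAuthority: defaultAuthority.certificateAuthorityId,
    lifetime: "860s",
    // readFileSync without an encoding returns a Buffer; pemCsr is a string
    // input, so the PEM text is decoded explicitly.
    pemCsr: fs.readFileSync("test-fixtures/rsa_csr.pem", "utf8"),
    certificateTemplate: defaultCertificateTemplate.id,
});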
resources:
  defaultCaPool:
    type: gcp:certificateauthority:CaPool
    properties:
      location: us-central1
      tier: ENTERPRISE
  # Sample certificate template. Its values are placeholders that exercise the
  # available fields, not a recommended issuance policy.
  defaultCertificateTemplate:
    type: gcp:certificateauthority:CertificateTemplate
    properties:
      location: us-central1
      description: An updated sample certificate template
      # The CEL expression is the constant 'true', so this constraint accepts
      # every request, and both passthrough flags are on, so the subject and
      # SANs are taken from the CSR as submitted. A template used for real
      # issuance should restrict the names a requester may ask for.
      identityConstraints:
        allowSubjectAltNamesPassthrough: true
        allowSubjectPassthrough: true
        celExpression:
          description: Always true
          expression: 'true'
          location: any.file.anywhere
          title: Sample expression
      passthroughExtensions:
        additionalExtensions:
          - objectIdPaths:
              - 1
              - 6
        knownExtensions:
          - EXTENDED_KEY_USAGE
      predefinedValues:
        # Placeholder extension: OID path 1.6 with the base64 of "string\n",
        # marked critical.
        additionalExtensions:
          - objectId:
              objectIdPaths:
                - 1
                - 6
            value: c3RyaW5nCg==
            critical: true
        aiaOcspServers:
          - string
        # Certificates issued through this template are not CAs.
        caOptions:
          isCa: false
          maxIssuerPathLength: 6
        # The sample switches on every usage except certificate and CRL
        # signing, including code signing, OCSP signing and time stamping.
        # Enable only the usages the issued certificate actually needs.
        keyUsage:
          baseKeyUsage:
            certSign: false
            contentCommitment: true
            crlSign: false
            dataEncipherment: true
            decipherOnly: true
            digitalSignature: true
            encipherOnly: true
            keyAgreement: true
            keyEncipherment: true
          extendedKeyUsage:
            clientAuth: true
            codeSigning: true
            emailProtection: true
            ocspSigning: true
            serverAuth: true
            timeStamping: true
          unknownExtendedKeyUsages:
            - objectIdPaths:
                - 1
                - 6
        policyIds:
          - objectIdPaths:
              - 1
              - 6
  defaultAuthority:
    type: gcp:certificateauthority:Authority
    properties:
      location: us-central1
      pool: ${defaultCaPool.name}
      certificateAuthorityId: my-authority
      config:
        subjectConfig:
          subject:
            organization: HashiCorp
            commonName: my-certificate-authority
          subjectAltName:
            dnsNames:
              - hashicorp.com
        x509Config:
          caOptions:
            isCa: true
          keyUsage:
            baseKeyUsage:
              certSign: true
              crlSign: true
            extendedKeyUsage:
              serverAuth: false
      keySpec:
        algorithm: RSA_PKCS1_4096_SHA256
      # Disable the CA deletion safety checks so this example is easy to clean up.
      # Keep them enabled for a CA that issues real certificates.
      deletionProtection: false
      skipGracePeriod: true
      ignoreActiveCertificatesOnDeletion: true
  defaultCertificate:
    type: gcp:certificateauthority:Certificate
    properties:
      location: us-central1
      pool: ${defaultCaPool.name}
      certificateAuthority: ${defaultAuthority.certificateAuthorityId}
      lifetime: 860s
      pemCsr:
        fn::readFile: test-fixtures/rsa_csr.pem
      certificateTemplate: ${defaultCertificateTemplate.id}

Privateca Certificate Csr

using System.Collections.Generic;
using System.IO;
using Pulumi;
using Gcp = Pulumi.Gcp;

// Declares an ENTERPRISE-tier CA pool, a certificate authority in that pool,
// and one certificate issued from a CSR stored in a local fixture file.
return await Deployment.RunAsync(() => 
{
    var defaultCaPool = new Gcp.CertificateAuthority.CaPool("defaultCaPool", new()
    {
        Location = "us-central1",
        Tier = "ENTERPRISE",
    });

    var defaultAuthority = new Gcp.CertificateAuthority.Authority("defaultAuthority", new()
    {
        Location = "us-central1",
        Pool = defaultCaPool.Name,
        CertificateAuthorityId = "my-authority",
        Config = new Gcp.CertificateAuthority.Inputs.AuthorityConfigArgs
        {
            SubjectConfig = new Gcp.CertificateAuthority.Inputs.AuthorityConfigSubjectConfigArgs
            {
                Subject = new Gcp.CertificateAuthority.Inputs.AuthorityConfigSubjectConfigSubjectArgs
                {
                    Organization = "HashiCorp",
                    CommonName = "my-certificate-authority",
                },
                SubjectAltName = new Gcp.CertificateAuthority.Inputs.AuthorityConfigSubjectConfigSubjectAltNameArgs
                {
                    DnsNames = new[]
                    {
                        "hashicorp.com",
                    },
                },
            },
            // The CA certificate is limited to signing certificates and CRLs;
            // server authentication is explicitly off.
            X509Config = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigArgs
            {
                CaOptions = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigCaOptionsArgs
                {
                    IsCa = true,
                },
                KeyUsage = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigKeyUsageArgs
                {
                    BaseKeyUsage = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs
                    {
                        CertSign = true,
                        CrlSign = true,
                    },
                    ExtendedKeyUsage = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs
                    {
                        ServerAuth = false,
                    },
                },
            },
        },
        KeySpec = new Gcp.CertificateAuthority.Inputs.AuthorityKeySpecArgs
        {
            Algorithm = "RSA_PKCS1_4096_SHA256",
        },
        // The three settings below switch off the CA deletion safety checks so
        // the example can be torn down easily. Keep the checks enabled for a CA
        // that issues real certificates.
        DeletionProtection = false,
        SkipGracePeriod = true,
        IgnoreActiveCertificatesOnDeletion = true,
    });

    // The certificate is requested from the CSR in the local fixture file and
    // is valid for 860 seconds. No certificate template is attached in this
    // variant of the example.
    var defaultCertificate = new Gcp.CertificateAuthority.Certificate("defaultCertificate", new()
    {
        Location = "us-central1",
        Pool = defaultCaPool.Name,
        CertificateAuthority = defaultAuthority.CertificateAuthorityId,
        Lifetime = "860s",
        PemCsr = File.ReadAllText("test-fixtures/rsa_csr.pem"),
    });

});
package main

import (
	"os"

	"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/certificateauthority"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

// readFileOrPanic loads the file at path and returns its contents wrapped as a
// Pulumi string input. A read failure aborts the program with a panic that
// carries the error text, so a missing CSR fixture stops the deployment before
// any certificate request is made.
func readFileOrPanic(path string) pulumi.StringPtrInput {
	contents, readErr := os.ReadFile(path)
	if readErr == nil {
		return pulumi.String(string(contents))
	}
	panic(readErr.Error())
}

// main declares three Private CA resources in order: an ENTERPRISE-tier CA
// pool, a certificate authority in that pool, and one certificate issued from a
// CSR read from a local fixture file.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		defaultCaPool, err := certificateauthority.NewCaPool(ctx, "defaultCaPool", &certificateauthority.CaPoolArgs{
			Location: pulumi.String("us-central1"),
			Tier:     pulumi.String("ENTERPRISE"),
		})
		if err != nil {
			return err
		}
		defaultAuthority, err := certificateauthority.NewAuthority(ctx, "defaultAuthority", &certificateauthority.AuthorityArgs{
			Location:               pulumi.String("us-central1"),
			Pool:                   defaultCaPool.Name,
			CertificateAuthorityId: pulumi.String("my-authority"),
			Config: &certificateauthority.AuthorityConfigArgs{
				SubjectConfig: &certificateauthority.AuthorityConfigSubjectConfigArgs{
					Subject: &certificateauthority.AuthorityConfigSubjectConfigSubjectArgs{
						Organization: pulumi.String("HashiCorp"),
						CommonName:   pulumi.String("my-certificate-authority"),
					},
					SubjectAltName: &certificateauthority.AuthorityConfigSubjectConfigSubjectAltNameArgs{
						DnsNames: pulumi.StringArray{
							pulumi.String("hashicorp.com"),
						},
					},
				},
				// The CA certificate is limited to signing certificates and CRLs;
				// server authentication is explicitly off.
				X509Config: &certificateauthority.AuthorityConfigX509ConfigArgs{
					CaOptions: &certificateauthority.AuthorityConfigX509ConfigCaOptionsArgs{
						IsCa: pulumi.Bool(true),
					},
					KeyUsage: &certificateauthority.AuthorityConfigX509ConfigKeyUsageArgs{
						BaseKeyUsage: &certificateauthority.AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs{
							CertSign: pulumi.Bool(true),
							CrlSign:  pulumi.Bool(true),
						},
						ExtendedKeyUsage: &certificateauthority.AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs{
							ServerAuth: pulumi.Bool(false),
						},
					},
				},
			},
			KeySpec: &certificateauthority.AuthorityKeySpecArgs{
				Algorithm: pulumi.String("RSA_PKCS1_4096_SHA256"),
			},
			// The three settings below switch off the CA deletion safety checks so the
			// example can be torn down easily. Keep the checks enabled for a CA that
			// issues real certificates.
			DeletionProtection:                 pulumi.Bool(false),
			SkipGracePeriod:                    pulumi.Bool(true),
			IgnoreActiveCertificatesOnDeletion: pulumi.Bool(true),
		})
		if err != nil {
			return err
		}
		// The certificate is requested from the CSR in the local fixture file and
		// is valid for 860 seconds. No certificate template is attached in this
		// variant of the example.
		_, err = certificateauthority.NewCertificate(ctx, "defaultCertificate", &certificateauthority.CertificateArgs{
			Location:             pulumi.String("us-central1"),
			Pool:                 defaultCaPool.Name,
			CertificateAuthority: defaultAuthority.CertificateAuthorityId,
			Lifetime:             pulumi.String("860s"),
			PemCsr:               readFileOrPanic("test-fixtures/rsa_csr.pem"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.certificateauthority.CaPool;
import com.pulumi.gcp.certificateauthority.CaPoolArgs;
import com.pulumi.gcp.certificateauthority.Authority;
import com.pulumi.gcp.certificateauthority.AuthorityArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigSubjectConfigArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigSubjectConfigSubjectArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigSubjectConfigSubjectAltNameArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigCaOptionsArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigKeyUsageArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityKeySpecArgs;
import com.pulumi.gcp.certificateauthority.Certificate;
import com.pulumi.gcp.certificateauthority.CertificateArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

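public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares an ENTERPRISE-tier CA pool, a certificate authority inside it,
     * and one certificate issued from a PEM-encoded CSR read from disk.
     *
     * @param ctx the Pulumi deployment context (not used directly here)
     */
    public static void stack(Context ctx) {
        // The CA referenced by a Certificate must belong to an ENTERPRISE-tier pool.
        var defaultCaPool = new CaPool("defaultCaPool", CaPoolArgs.builder()
            .location("us-central1")
            .tier("ENTERPRISE")
            .build());

        var defaultAuthority = new Authority("defaultAuthority", AuthorityArgs.builder()
            .location("us-central1")
            .pool(defaultCaPool.name())
            .certificateAuthorityId("my-authority")
            .config(AuthorityConfigArgs.builder()
                .subjectConfig(AuthorityConfigSubjectConfigArgs.builder()
                    .subject(AuthorityConfigSubjectConfigSubjectArgs.builder()
                        .organization("HashiCorp")
                        .commonName("my-certificate-authority")
                        .build())
                    .subjectAltName(AuthorityConfigSubjectConfigSubjectAltNameArgs.builder()
                        .dnsNames("hashicorp.com")
                        .build())
                    .build())
                .x509Config(AuthorityConfigX509ConfigArgs.builder()
                    .caOptions(AuthorityConfigX509ConfigCaOptionsArgs.builder()
                        .isCa(true)
                        .build())
                    // The CA key is limited to signing certificates and CRLs;
                    // serverAuth stays off so the CA certificate is not a TLS server identity.
                    .keyUsage(AuthorityConfigX509ConfigKeyUsageArgs.builder()
                        .baseKeyUsage(AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs.builder()
                            .certSign(true)
                            .crlSign(true)
                            .build())
                        .extendedKeyUsage(AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs.builder()
                            .serverAuth(false)
                            .build())
                        .build())
                    .build())
                .build())
            .keySpec(AuthorityKeySpecArgs.builder()
                .algorithm("RSA_PKCS1_4096_SHA256")
                .build())
            // Disable CA deletion related safe checks for easier cleanup.
            // Suited to disposable test stacks; a long-lived CA would normally keep
            // deletion protection and the grace period enabled.
            .deletionProtection(false)
            .skipGracePeriod(true)
            .ignoreActiveCertificatesOnDeletion(true)
            .build());

        // The CSR carries the requester's subject and public key; the certificate is
        // requested with an 860-second lifetime.
        new Certificate("defaultCertificate", CertificateArgs.builder()
            .location("us-central1")
            .pool(defaultCaPool.name())
            .certificateAuthority(defaultAuthority.certificateAuthorityId())
            .lifetime("860s")
            .pemCsr(readPemFile("test-fixtures/rsa_csr.pem"))
            .build());
    }

    /**
     * Reads a PEM text file.
     *
     * Files.readString throws the checked IOException, which stack() does not
     * declare, so it is rethrown unchecked and the deployment fails with the cause.
     *
     * @param path location of the PEM file
     * @return the file content as a string
     */
    private static String readPemFile(String path) {
        try {
            return Files.readString(Paths.get(path));
        } catch (java.io.IOException e) {
            throw new java.io.UncheckedIOException(e);
        }
    }
}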
import pulumi
import pulumi_gcp as gcp

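def _read_text(path):
    """Return the text of the file at ``path``; the handle is closed on return."""
    with open(path) as handle:
        return handle.read()


# The CA referenced by a Certificate must belong to an ENTERPRISE-tier pool.
default_ca_pool = gcp.certificateauthority.CaPool("defaultCaPool",
    location="us-central1",
    tier="ENTERPRISE")
default_authority = gcp.certificateauthority.Authority("defaultAuthority",
    location="us-central1",
    pool=default_ca_pool.name,
    certificate_authority_id="my-authority",
    config=gcp.certificateauthority.AuthorityConfigArgs(
        subject_config=gcp.certificateauthority.AuthorityConfigSubjectConfigArgs(
            subject=gcp.certificateauthority.AuthorityConfigSubjectConfigSubjectArgs(
                organization="HashiCorp",
                common_name="my-certificate-authority",
            ),
            subject_alt_name=gcp.certificateauthority.AuthorityConfigSubjectConfigSubjectAltNameArgs(
                dns_names=["hashicorp.com"],
            ),
        ),
        x509_config=gcp.certificateauthority.AuthorityConfigX509ConfigArgs(
            ca_options=gcp.certificateauthority.AuthorityConfigX509ConfigCaOptionsArgs(
                is_ca=True,
            ),
            # The CA key is limited to signing certificates and CRLs; server_auth
            # stays off so the CA certificate is not a TLS server identity.
            key_usage=gcp.certificateauthority.AuthorityConfigX509ConfigKeyUsageArgs(
                base_key_usage=gcp.certificateauthority.AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs(
                    cert_sign=True,
                    crl_sign=True,
                ),
                extended_key_usage=gcp.certificateauthority.AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs(
                    server_auth=False,
                ),
            ),
        ),
    ),
    key_spec=gcp.certificateauthority.AuthorityKeySpecArgs(
        algorithm="RSA_PKCS1_4096_SHA256",
    ),
    # Disable CA deletion related safe checks for easier cleanup.
    # Suited to disposable test stacks; a long-lived CA would normally keep
    # deletion protection and the grace period enabled.
    deletion_protection=False,
    skip_grace_period=True,
    ignore_active_certificates_on_deletion=True)
# The CSR carries the requester's subject and public key; the certificate is
# requested with an 860-second lifetime.
default_certificate = gcp.certificateauthority.Certificate("defaultCertificate",
    location="us-central1",
    pool=default_ca_pool.name,
    certificate_authority=default_authority.certificate_authority_id,
    lifetime="860s",
    pem_csr=_read_text("test-fixtures/rsa_csr.pem"))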
import * as pulumi from "@pulumi/pulumi";
import * as fs from "fs";
import * as gcp from "@pulumi/gcp";

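// The CA referenced by a Certificate must belong to an ENTERPRISE-tier pool.
const defaultCaPool = new gcp.certificateauthority.CaPool("defaultCaPool", {
    location: "us-central1",
    tier: "ENTERPRISE",
});
const defaultAuthority = new gcp.certificateauthority.Authority("defaultAuthority", {
    location: "us-central1",
    pool: defaultCaPool.name,
    certificateAuthorityId: "my-authority",
    config: {
        subjectConfig: {
            subject: {
                organization: "HashiCorp",
                commonName: "my-certificate-authority",
            },
            subjectAltName: {
                dnsNames: ["hashicorp.com"],
            },
        },
        x509Config: {
            caOptions: {
                isCa: true,
            },
            // The CA key is limited to signing certificates and CRLs; serverAuth
            // stays off so the CA certificate is not a TLS server identity.
            keyUsage: {
                baseKeyUsage: {
                    certSign: true,
                    crlSign: true,
                },
                extendedKeyUsage: {
                    serverAuth: false,
                },
            },
        },
    },
    keySpec: {
        algorithm: "RSA_PKCS1_4096_SHA256",
    },
    // Disable CA deletion related safe checks for easier cleanup.
    // Suited to disposable test stacks; a long-lived CA would normally keep
    // deletion protection and the grace period enabled.
    deletionProtection: false,
    skipGracePeriod: true,
    ignoreActiveCertificatesOnDeletion: true,
});
// The CSR carries the requester's subject and public key; the certificate is
// requested with an 860-second lifetime.
const defaultCertificate = new gcp.certificateauthority.Certificate("defaultCertificate", {
    location: "us-central1",
    pool: defaultCaPool.name,
    certificateAuthority: defaultAuthority.certificateAuthorityId,
    lifetime: "860s",
    // Pass an encoding so readFileSync returns the PEM text as a string;
    // without one it returns a Buffer, while pemCsr is a string input.
    pemCsr: fs.readFileSync("test-fixtures/rsa_csr.pem", "utf8"),
});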
# CA pool -> certificate authority -> certificate issued from a PEM CSR.
resources:
  defaultCaPool:
    type: gcp:certificateauthority:CaPool
    properties:
      location: us-central1
      # The CA referenced by a Certificate must belong to an ENTERPRISE-tier pool.
      tier: ENTERPRISE
  defaultAuthority:
    type: gcp:certificateauthority:Authority
    properties:
      location: us-central1
      pool: ${defaultCaPool.name}
      certificateAuthorityId: my-authority
      config:
        subjectConfig:
          subject:
            organization: HashiCorp
            commonName: my-certificate-authority
          subjectAltName:
            dnsNames:
              - hashicorp.com
        x509Config:
          caOptions:
            isCa: true
          # The CA key is limited to signing certificates and CRLs; serverAuth
          # stays off so the CA certificate is not a TLS server identity.
          keyUsage:
            baseKeyUsage:
              certSign: true
              crlSign: true
            extendedKeyUsage:
              serverAuth: false
      keySpec:
        algorithm: RSA_PKCS1_4096_SHA256
      # Disable CA deletion related safe checks for easier cleanup.
      # Suited to disposable test stacks; a long-lived CA would normally keep
      # deletion protection and the grace period enabled.
      deletionProtection: false
      skipGracePeriod: true
      ignoreActiveCertificatesOnDeletion: true
  defaultCertificate:
    type: gcp:certificateauthority:Certificate
    properties:
      location: us-central1
      pool: ${defaultCaPool.name}
      certificateAuthority: ${defaultAuthority.certificateAuthorityId}
      # Certificate is requested with an 860-second lifetime.
      lifetime: 860s
      # The CSR carries the requester's subject and public key.
      pemCsr:
        fn::readFile: test-fixtures/rsa_csr.pem

Privateca Certificate No Authority

using System;
using System.Collections.Generic;
using System.IO;
using Pulumi;
using Gcp = Pulumi.Gcp;

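	// Reads the file at `path` as text and returns its UTF-8 bytes encoded as Base64.
	// Declared without an access modifier so it is valid both as a static local
	// function next to top-level statements and as a (private) class member.
	static string ReadFileBase64(string path) {
		// Encoding is fully qualified because the file has no `using System.Text;`.
		return Convert.ToBase64String(System.Text.Encoding.UTF8.GetBytes(File.ReadAllText(path)));
	}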

// Declares a CA pool, a certificate authority in it, and a certificate built from an
// inline config plus a supplied public key; the certificate names no specific CA.
return await Deployment.RunAsync(() =>
{
    // The CA referenced by a Certificate must belong to an ENTERPRISE-tier pool.
    var defaultCaPool = new Gcp.CertificateAuthority.CaPool("defaultCaPool", new Gcp.CertificateAuthority.CaPoolArgs
    {
        Location = "us-central1",
        Tier = "ENTERPRISE",
    });

    // Identity of the CA certificate.
    var authoritySubjectConfig = new Gcp.CertificateAuthority.Inputs.AuthorityConfigSubjectConfigArgs
    {
        Subject = new Gcp.CertificateAuthority.Inputs.AuthorityConfigSubjectConfigSubjectArgs
        {
            Organization = "HashiCorp",
            CommonName = "my-certificate-authority",
        },
        SubjectAltName = new Gcp.CertificateAuthority.Inputs.AuthorityConfigSubjectConfigSubjectAltNameArgs
        {
            DnsNames = new[]
            {
                "hashicorp.com",
            },
        },
    };

    // X.509 extensions of the CA certificate: a CA that may sign certificates and CRLs.
    var authorityX509Config = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigArgs
    {
        CaOptions = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigCaOptionsArgs
        {
            IsCa = true,
        },
        KeyUsage = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigKeyUsageArgs
        {
            BaseKeyUsage = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs
            {
                DigitalSignature = true,
                CertSign = true,
                CrlSign = true,
            },
            ExtendedKeyUsage = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs
            {
                ServerAuth = true,
            },
        },
    };

    var defaultAuthority = new Gcp.CertificateAuthority.Authority("defaultAuthority", new Gcp.CertificateAuthority.AuthorityArgs
    {
        Location = "us-central1",
        Pool = defaultCaPool.Name,
        CertificateAuthorityId = "my-authority",
        Config = new Gcp.CertificateAuthority.Inputs.AuthorityConfigArgs
        {
            SubjectConfig = authoritySubjectConfig,
            X509Config = authorityX509Config,
        },
        // 86400 seconds: the CA certificate is requested for one day.
        Lifetime = "86400s",
        KeySpec = new Gcp.CertificateAuthority.Inputs.AuthorityKeySpecArgs
        {
            Algorithm = "RSA_PKCS1_4096_SHA256",
        },
        // CA deletion safety checks are switched off, which eases cleanup of a
        // disposable test stack; a long-lived CA would normally keep deletion
        // protection and the grace period enabled.
        DeletionProtection = false,
        SkipGracePeriod = true,
        IgnoreActiveCertificatesOnDeletion = true,
    });

    // Subject of the end-entity certificate.
    var certificateSubjectConfig = new Gcp.CertificateAuthority.Inputs.CertificateConfigSubjectConfigArgs
    {
        Subject = new Gcp.CertificateAuthority.Inputs.CertificateConfigSubjectConfigSubjectArgs
        {
            CommonName = "san1.example.com",
            CountryCode = "us",
            Organization = "google",
            OrganizationalUnit = "enterprise",
            Locality = "mountain view",
            Province = "california",
            StreetAddress = "1600 amphitheatre parkway",
            PostalCode = "94109",
        },
    };

    // NOTE(review): CrlSign is the only base key usage on this non-CA certificate
    // although it requests ServerAuth; TLS server certificates normally assert
    // DigitalSignature (plus KeyEncipherment for RSA key transport). Confirm the
    // intended usage before reusing these values.
    var certificateX509Config = new Gcp.CertificateAuthority.Inputs.CertificateConfigX509ConfigArgs
    {
        CaOptions = new Gcp.CertificateAuthority.Inputs.CertificateConfigX509ConfigCaOptionsArgs
        {
            IsCa = false,
        },
        KeyUsage = new Gcp.CertificateAuthority.Inputs.CertificateConfigX509ConfigKeyUsageArgs
        {
            BaseKeyUsage = new Gcp.CertificateAuthority.Inputs.CertificateConfigX509ConfigKeyUsageBaseKeyUsageArgs
            {
                CrlSign = true,
            },
            ExtendedKeyUsage = new Gcp.CertificateAuthority.Inputs.CertificateConfigX509ConfigKeyUsageExtendedKeyUsageArgs
            {
                ServerAuth = true,
            },
        },
    };

    // Only the public key file is read here; it is passed Base64-encoded with Format = "PEM".
    var certificatePublicKey = new Gcp.CertificateAuthority.Inputs.CertificateConfigPublicKeyArgs
    {
        Format = "PEM",
        Key = ReadFileBase64("test-fixtures/rsa_public.pem"),
    };

    var certificateArgs = new Gcp.CertificateAuthority.CertificateArgs
    {
        Location = "us-central1",
        Pool = defaultCaPool.Name,
        // Certificate is requested with an 860-second lifetime.
        Lifetime = "860s",
        Config = new Gcp.CertificateAuthority.Inputs.CertificateConfigArgs
        {
            SubjectConfig = certificateSubjectConfig,
            X509Config = certificateX509Config,
            PublicKey = certificatePublicKey,
        },
    };

    // No CertificateAuthority is set on the certificate, so nothing in its arguments
    // refers to defaultAuthority; DependsOn makes the ordering explicit.
    var certificateOptions = new CustomResourceOptions
    {
        DependsOn = new[]
        {
            defaultAuthority,
        },
    };

    var defaultCertificate = new Gcp.CertificateAuthority.Certificate("defaultCertificate", certificateArgs, certificateOptions);

});
package main

import (
	"encoding/base64"
	"os"

	"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/certificateauthority"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

// filebase64OrPanic reads the file at path and returns its bytes, Base64-encoded
// with the standard alphabet, as a Pulumi string input. It panics with the error
// text when the file cannot be read.
func filebase64OrPanic(path string) pulumi.StringPtrInput {
	raw, readErr := os.ReadFile(path)
	if readErr != nil {
		panic(readErr.Error())
	}
	encoded := base64.StdEncoding.EncodeToString(raw)
	return pulumi.String(encoded)
}

// main declares a CA pool, a certificate authority in it, and a certificate built
// from an inline config plus a supplied public key; the certificate names no
// specific CA.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// The CA referenced by a Certificate must belong to an ENTERPRISE-tier pool.
		pool, err := certificateauthority.NewCaPool(ctx, "defaultCaPool", &certificateauthority.CaPoolArgs{
			Location: pulumi.String("us-central1"),
			Tier:     pulumi.String("ENTERPRISE"),
		})
		if err != nil {
			return err
		}

		// Identity of the CA certificate.
		caSubject := &certificateauthority.AuthorityConfigSubjectConfigArgs{
			Subject: &certificateauthority.AuthorityConfigSubjectConfigSubjectArgs{
				Organization: pulumi.String("HashiCorp"),
				CommonName:   pulumi.String("my-certificate-authority"),
			},
			SubjectAltName: &certificateauthority.AuthorityConfigSubjectConfigSubjectAltNameArgs{
				DnsNames: pulumi.StringArray{
					pulumi.String("hashicorp.com"),
				},
			},
		}
		// X.509 extensions of the CA certificate: a CA that may sign certificates and CRLs.
		caX509 := &certificateauthority.AuthorityConfigX509ConfigArgs{
			CaOptions: &certificateauthority.AuthorityConfigX509ConfigCaOptionsArgs{
				IsCa: pulumi.Bool(true),
			},
			KeyUsage: &certificateauthority.AuthorityConfigX509ConfigKeyUsageArgs{
				BaseKeyUsage: &certificateauthority.AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs{
					DigitalSignature: pulumi.Bool(true),
					CertSign:         pulumi.Bool(true),
					CrlSign:          pulumi.Bool(true),
				},
				ExtendedKeyUsage: &certificateauthority.AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs{
					ServerAuth: pulumi.Bool(true),
				},
			},
		}
		authority, err := certificateauthority.NewAuthority(ctx, "defaultAuthority", &certificateauthority.AuthorityArgs{
			Location:               pulumi.String("us-central1"),
			Pool:                   pool.Name,
			CertificateAuthorityId: pulumi.String("my-authority"),
			Config: &certificateauthority.AuthorityConfigArgs{
				SubjectConfig: caSubject,
				X509Config:    caX509,
			},
			// 86400 seconds: the CA certificate is requested for one day.
			Lifetime: pulumi.String("86400s"),
			KeySpec: &certificateauthority.AuthorityKeySpecArgs{
				Algorithm: pulumi.String("RSA_PKCS1_4096_SHA256"),
			},
			// CA deletion safety checks are switched off, which eases cleanup of a
			// disposable test stack; a long-lived CA would normally keep deletion
			// protection and the grace period enabled.
			DeletionProtection:                 pulumi.Bool(false),
			SkipGracePeriod:                    pulumi.Bool(true),
			IgnoreActiveCertificatesOnDeletion: pulumi.Bool(true),
		})
		if err != nil {
			return err
		}

		// Subject of the end-entity certificate.
		leafSubject := &certificateauthority.CertificateConfigSubjectConfigArgs{
			Subject: &certificateauthority.CertificateConfigSubjectConfigSubjectArgs{
				CommonName:         pulumi.String("san1.example.com"),
				CountryCode:        pulumi.String("us"),
				Organization:       pulumi.String("google"),
				OrganizationalUnit: pulumi.String("enterprise"),
				Locality:           pulumi.String("mountain view"),
				Province:           pulumi.String("california"),
				StreetAddress:      pulumi.String("1600 amphitheatre parkway"),
				PostalCode:         pulumi.String("94109"),
			},
		}
		// NOTE(review): CrlSign is the only base key usage on this non-CA certificate
		// although it requests ServerAuth; TLS server certificates normally assert
		// DigitalSignature (plus KeyEncipherment for RSA key transport). Confirm the
		// intended usage before reusing these values.
		leafX509 := &certificateauthority.CertificateConfigX509ConfigArgs{
			CaOptions: &certificateauthority.CertificateConfigX509ConfigCaOptionsArgs{
				IsCa: pulumi.Bool(false),
			},
			KeyUsage: &certificateauthority.CertificateConfigX509ConfigKeyUsageArgs{
				BaseKeyUsage: &certificateauthority.CertificateConfigX509ConfigKeyUsageBaseKeyUsageArgs{
					CrlSign: pulumi.Bool(true),
				},
				ExtendedKeyUsage: &certificateauthority.CertificateConfigX509ConfigKeyUsageExtendedKeyUsageArgs{
					ServerAuth: pulumi.Bool(true),
				},
			},
		}
		// Only the public key file is read here; it is passed Base64-encoded with Format "PEM".
		leafKey := &certificateauthority.CertificateConfigPublicKeyArgs{
			Format: pulumi.String("PEM"),
			Key:    filebase64OrPanic("test-fixtures/rsa_public.pem"),
		}

		// No CertificateAuthority is set on the certificate, so nothing in its arguments
		// refers to the authority; DependsOn makes the ordering explicit.
		_, err = certificateauthority.NewCertificate(ctx, "defaultCertificate", &certificateauthority.CertificateArgs{
			Location: pulumi.String("us-central1"),
			Pool:     pool.Name,
			// Certificate is requested with an 860-second lifetime.
			Lifetime: pulumi.String("860s"),
			Config: &certificateauthority.CertificateConfigArgs{
				SubjectConfig: leafSubject,
				X509Config:    leafX509,
				PublicKey:     leafKey,
			},
		}, pulumi.DependsOn([]pulumi.Resource{
			authority,
		}))
		return err
	})
}
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.certificateauthority.CaPool;
import com.pulumi.gcp.certificateauthority.CaPoolArgs;
import com.pulumi.gcp.certificateauthority.Authority;
import com.pulumi.gcp.certificateauthority.AuthorityArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigSubjectConfigArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigSubjectConfigSubjectArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigSubjectConfigSubjectAltNameArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigCaOptionsArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigKeyUsageArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityKeySpecArgs;
import com.pulumi.gcp.certificateauthority.Certificate;
import com.pulumi.gcp.certificateauthority.CertificateArgs;
import com.pulumi.gcp.certificateauthority.inputs.CertificateConfigArgs;
import com.pulumi.gcp.certificateauthority.inputs.CertificateConfigSubjectConfigArgs;
import com.pulumi.gcp.certificateauthority.inputs.CertificateConfigSubjectConfigSubjectArgs;
import com.pulumi.gcp.certificateauthority.inputs.CertificateConfigX509ConfigArgs;
import com.pulumi.gcp.certificateauthority.inputs.CertificateConfigX509ConfigCaOptionsArgs;
import com.pulumi.gcp.certificateauthority.inputs.CertificateConfigX509ConfigKeyUsageArgs;
import com.pulumi.gcp.certificateauthority.inputs.CertificateConfigX509ConfigKeyUsageBaseKeyUsageArgs;
import com.pulumi.gcp.certificateauthority.inputs.CertificateConfigX509ConfigKeyUsageExtendedKeyUsageArgs;
import com.pulumi.gcp.certificateauthority.inputs.CertificateConfigPublicKeyArgs;
import com.pulumi.resources.CustomResourceOptions;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

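public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares an ENTERPRISE-tier CA pool, a certificate authority inside it,
     * and a certificate built from an inline config plus a supplied public key.
     * The certificate names no specific CA.
     *
     * @param ctx the Pulumi deployment context (not used directly here)
     */
    public static void stack(Context ctx) {
        // The CA referenced by a Certificate must belong to an ENTERPRISE-tier pool.
        var defaultCaPool = new CaPool("defaultCaPool", CaPoolArgs.builder()
            .location("us-central1")
            .tier("ENTERPRISE")
            .build());

        var defaultAuthority = new Authority("defaultAuthority", AuthorityArgs.builder()
            .location("us-central1")
            .pool(defaultCaPool.name())
            .certificateAuthorityId("my-authority")
            .config(AuthorityConfigArgs.builder()
                .subjectConfig(AuthorityConfigSubjectConfigArgs.builder()
                    .subject(AuthorityConfigSubjectConfigSubjectArgs.builder()
                        .organization("HashiCorp")
                        .commonName("my-certificate-authority")
                        .build())
                    .subjectAltName(AuthorityConfigSubjectConfigSubjectAltNameArgs.builder()
                        .dnsNames("hashicorp.com")
                        .build())
                    .build())
                .x509Config(AuthorityConfigX509ConfigArgs.builder()
                    .caOptions(AuthorityConfigX509ConfigCaOptionsArgs.builder()
                        .isCa(true)
                        .build())
                    .keyUsage(AuthorityConfigX509ConfigKeyUsageArgs.builder()
                        .baseKeyUsage(AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs.builder()
                            .digitalSignature(true)
                            .certSign(true)
                            .crlSign(true)
                            .build())
                        .extendedKeyUsage(AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs.builder()
                            .serverAuth(true)
                            .build())
                        .build())
                    .build())
                .build())
            // 86400 seconds: the CA certificate is requested for one day.
            .lifetime("86400s")
            .keySpec(AuthorityKeySpecArgs.builder()
                .algorithm("RSA_PKCS1_4096_SHA256")
                .build())
            // CA deletion safety checks are switched off, which eases cleanup of a
            // disposable test stack; a long-lived CA would normally keep deletion
            // protection and the grace period enabled.
            .deletionProtection(false)
            .skipGracePeriod(true)
            .ignoreActiveCertificatesOnDeletion(true)
            .build());

        // No certificateAuthority is set on the certificate, so nothing in its arguments
        // refers to defaultAuthority; dependsOn makes the ordering explicit.
        new Certificate("defaultCertificate", CertificateArgs.builder()
            .location("us-central1")
            .pool(defaultCaPool.name())
            // Certificate is requested with an 860-second lifetime.
            .lifetime("860s")
            .config(CertificateConfigArgs.builder()
                .subjectConfig(CertificateConfigSubjectConfigArgs.builder()
                    .subject(CertificateConfigSubjectConfigSubjectArgs.builder()
                        .commonName("san1.example.com")
                        .countryCode("us")
                        .organization("google")
                        .organizationalUnit("enterprise")
                        .locality("mountain view")
                        .province("california")
                        .streetAddress("1600 amphitheatre parkway")
                        .postalCode("94109")
                        .build())
                    .build())
                .x509Config(CertificateConfigX509ConfigArgs.builder()
                    .caOptions(CertificateConfigX509ConfigCaOptionsArgs.builder()
                        .isCa(false)
                        .build())
                    // NOTE(review): crlSign is the only base key usage on this non-CA
                    // certificate although it requests serverAuth; TLS server certificates
                    // normally assert digitalSignature (plus keyEncipherment for RSA key
                    // transport). Confirm the intended usage before reusing these values.
                    .keyUsage(CertificateConfigX509ConfigKeyUsageArgs.builder()
                        .baseKeyUsage(CertificateConfigX509ConfigKeyUsageBaseKeyUsageArgs.builder()
                            .crlSign(true)
                            .build())
                        .extendedKeyUsage(CertificateConfigX509ConfigKeyUsageExtendedKeyUsageArgs.builder()
                            .serverAuth(true)
                            .build())
                        .build())
                    .build())
                // Only the public key file is read here; it is passed Base64-encoded.
                .publicKey(CertificateConfigPublicKeyArgs.builder()
                    .format("PEM")
                    .key(readFileBase64("test-fixtures/rsa_public.pem"))
                    .build())
                .build())
            .build(), CustomResourceOptions.builder()
                .dependsOn(defaultAuthority)
                .build());
    }

    /**
     * Reads a file and returns its bytes Base64-encoded.
     *
     * java.util.Base64 is fully qualified because the file does not import it.
     * Files.readAllBytes throws the checked IOException, which stack() does not
     * declare, so it is rethrown unchecked and the deployment fails with the cause.
     *
     * @param path location of the file
     * @return Base64 text of the file content
     */
    private static String readFileBase64(String path) {
        try {
            return java.util.Base64.getEncoder().encodeToString(Files.readAllBytes(Paths.get(path)));
        } catch (java.io.IOException e) {
            throw new java.io.UncheckedIOException(e);
        }
    }
}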
import pulumi
import base64
import pulumi_gcp as gcp

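def _read_file_base64(path):
    """Return the text of the file at ``path`` Base64-encoded as a ``str``.

    The file is read in text mode and re-encoded before Base64 encoding, as the
    inline expression it replaces did; the handle is closed on return.
    """
    with open(path) as handle:
        return base64.b64encode(handle.read().encode()).decode()


# The CA referenced by a Certificate must belong to an ENTERPRISE-tier pool.
default_ca_pool = gcp.certificateauthority.CaPool("defaultCaPool",
    location="us-central1",
    tier="ENTERPRISE")
default_authority = gcp.certificateauthority.Authority("defaultAuthority",
    location="us-central1",
    pool=default_ca_pool.name,
    certificate_authority_id="my-authority",
    config=gcp.certificateauthority.AuthorityConfigArgs(
        subject_config=gcp.certificateauthority.AuthorityConfigSubjectConfigArgs(
            subject=gcp.certificateauthority.AuthorityConfigSubjectConfigSubjectArgs(
                organization="HashiCorp",
                common_name="my-certificate-authority",
            ),
            subject_alt_name=gcp.certificateauthority.AuthorityConfigSubjectConfigSubjectAltNameArgs(
                dns_names=["hashicorp.com"],
            ),
        ),
        x509_config=gcp.certificateauthority.AuthorityConfigX509ConfigArgs(
            ca_options=gcp.certificateauthority.AuthorityConfigX509ConfigCaOptionsArgs(
                is_ca=True,
            ),
            key_usage=gcp.certificateauthority.AuthorityConfigX509ConfigKeyUsageArgs(
                base_key_usage=gcp.certificateauthority.AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs(
                    digital_signature=True,
                    cert_sign=True,
                    crl_sign=True,
                ),
                extended_key_usage=gcp.certificateauthority.AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs(
                    server_auth=True,
                ),
            ),
        ),
    ),
    # 86400 seconds: the CA certificate is requested for one day.
    lifetime="86400s",
    key_spec=gcp.certificateauthority.AuthorityKeySpecArgs(
        algorithm="RSA_PKCS1_4096_SHA256",
    ),
    # CA deletion safety checks are switched off, which eases cleanup of a
    # disposable test stack; a long-lived CA would normally keep deletion
    # protection and the grace period enabled.
    deletion_protection=False,
    skip_grace_period=True,
    ignore_active_certificates_on_deletion=True)
# No certificate_authority is set on the certificate, so nothing in its arguments
# refers to default_authority; depends_on makes the ordering explicit.
default_certificate = gcp.certificateauthority.Certificate("defaultCertificate",
    location="us-central1",
    pool=default_ca_pool.name,
    # Certificate is requested with an 860-second lifetime.
    lifetime="860s",
    config=gcp.certificateauthority.CertificateConfigArgs(
        subject_config=gcp.certificateauthority.CertificateConfigSubjectConfigArgs(
            subject=gcp.certificateauthority.CertificateConfigSubjectConfigSubjectArgs(
                common_name="san1.example.com",
                country_code="us",
                organization="google",
                organizational_unit="enterprise",
                locality="mountain view",
                province="california",
                street_address="1600 amphitheatre parkway",
                postal_code="94109",
            ),
        ),
        x509_config=gcp.certificateauthority.CertificateConfigX509ConfigArgs(
            ca_options=gcp.certificateauthority.CertificateConfigX509ConfigCaOptionsArgs(
                is_ca=False,
            ),
            # NOTE(review): crl_sign is the only base key usage on this non-CA
            # certificate although it requests server_auth; TLS server certificates
            # normally assert digital_signature (plus key_encipherment for RSA key
            # transport). Confirm the intended usage before reusing these values.
            key_usage=gcp.certificateauthority.CertificateConfigX509ConfigKeyUsageArgs(
                base_key_usage=gcp.certificateauthority.CertificateConfigX509ConfigKeyUsageBaseKeyUsageArgs(
                    crl_sign=True,
                ),
                extended_key_usage=gcp.certificateauthority.CertificateConfigX509ConfigKeyUsageExtendedKeyUsageArgs(
                    server_auth=True,
                ),
            ),
        ),
        # Only the public key file is read here; it is passed Base64-encoded.
        public_key=gcp.certificateauthority.CertificateConfigPublicKeyArgs(
            format="PEM",
            key=_read_file_base64("test-fixtures/rsa_public.pem"),
        ),
    ),
    opts=pulumi.ResourceOptions(depends_on=[default_authority]))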
import * as pulumi from "@pulumi/pulumi";
import * as fs from "fs";
import * as gcp from "@pulumi/gcp";

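// The CA referenced by a Certificate must belong to an ENTERPRISE-tier pool.
const defaultCaPool = new gcp.certificateauthority.CaPool("defaultCaPool", {
    location: "us-central1",
    tier: "ENTERPRISE",
});
const defaultAuthority = new gcp.certificateauthority.Authority("defaultAuthority", {
    location: "us-central1",
    pool: defaultCaPool.name,
    certificateAuthorityId: "my-authority",
    config: {
        subjectConfig: {
            subject: {
                organization: "HashiCorp",
                commonName: "my-certificate-authority",
            },
            subjectAltName: {
                dnsNames: ["hashicorp.com"],
            },
        },
        x509Config: {
            caOptions: {
                isCa: true,
            },
            keyUsage: {
                baseKeyUsage: {
                    digitalSignature: true,
                    certSign: true,
                    crlSign: true,
                },
                extendedKeyUsage: {
                    serverAuth: true,
                },
            },
        },
    },
    // 86400 seconds: the CA certificate is requested for one day.
    lifetime: "86400s",
    keySpec: {
        algorithm: "RSA_PKCS1_4096_SHA256",
    },
    // CA deletion safety checks are switched off, which eases cleanup of a
    // disposable test stack; a long-lived CA would normally keep deletion
    // protection and the grace period enabled.
    deletionProtection: false,
    skipGracePeriod: true,
    ignoreActiveCertificatesOnDeletion: true,
});
// No certificateAuthority is set on the certificate, so nothing in its arguments
// refers to defaultAuthority; dependsOn makes the ordering explicit.
const defaultCertificate = new gcp.certificateauthority.Certificate("defaultCertificate", {
    location: "us-central1",
    pool: defaultCaPool.name,
    // Certificate is requested with an 860-second lifetime.
    lifetime: "860s",
    config: {
        subjectConfig: {
            subject: {
                commonName: "san1.example.com",
                countryCode: "us",
                organization: "google",
                organizationalUnit: "enterprise",
                locality: "mountain view",
                province: "california",
                streetAddress: "1600 amphitheatre parkway",
                postalCode: "94109",
            },
        },
        x509Config: {
            caOptions: {
                isCa: false,
            },
            // NOTE(review): crlSign is the only base key usage on this non-CA
            // certificate although it requests serverAuth; TLS server certificates
            // normally assert digitalSignature (plus keyEncipherment for RSA key
            // transport). Confirm the intended usage before reusing these values.
            keyUsage: {
                baseKeyUsage: {
                    crlSign: true,
                },
                extendedKeyUsage: {
                    serverAuth: true,
                },
            },
        },
        // Only the public key file is read here; it is passed Base64-encoded.
        publicKey: {
            format: "PEM",
            // readFileSync without an encoding returns a Buffer, which can be
            // Base64-encoded directly; no intermediate Buffer copy is needed.
            key: fs.readFileSync("test-fixtures/rsa_public.pem").toString("base64"),
        },
    },
}, {
    dependsOn: [defaultAuthority],
});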

Coming soon!

Create Certificate Resource

new Certificate(name: string, args: CertificateArgs, opts?: CustomResourceOptions);
@overload
def Certificate(resource_name: str,
                opts: Optional[ResourceOptions] = None,
                certificate_authority: Optional[str] = None,
                certificate_template: Optional[str] = None,
                config: Optional[CertificateConfigArgs] = None,
                labels: Optional[Mapping[str, str]] = None,
                lifetime: Optional[str] = None,
                location: Optional[str] = None,
                name: Optional[str] = None,
                pem_csr: Optional[str] = None,
                pool: Optional[str] = None,
                project: Optional[str] = None)
@overload
def Certificate(resource_name: str,
                args: CertificateArgs,
                opts: Optional[ResourceOptions] = None)
func NewCertificate(ctx *Context, name string, args CertificateArgs, opts ...ResourceOption) (*Certificate, error)
public Certificate(string name, CertificateArgs args, CustomResourceOptions? opts = null)
public Certificate(String name, CertificateArgs args)
public Certificate(String name, CertificateArgs args, CustomResourceOptions options)
type: gcp:certificateauthority:Certificate
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

name string
The unique name of the resource.
args CertificateArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.
resource_name str
The unique name of the resource.
args CertificateArgs
The arguments to resource properties.
opts ResourceOptions
Bag of options to control resource's behavior.
ctx Context
Context object for the current deployment.
name string
The unique name of the resource.
args CertificateArgs
The arguments to resource properties.
opts ResourceOption
Bag of options to control resource's behavior.
name string
The unique name of the resource.
args CertificateArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.
name String
The unique name of the resource.
args CertificateArgs
The arguments to resource properties.
options CustomResourceOptions
Bag of options to control resource's behavior.

Certificate Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

The Certificate resource accepts the following input properties:

Location string

Location of the Certificate. A full list of valid locations can be found by running gcloud privateca locations list.

Pool string

The name of the CaPool this Certificate belongs to.

CertificateAuthority string

The Certificate Authority ID that should issue the certificate. For example, to issue a Certificate from a Certificate Authority with resource name projects/my-project/locations/us-central1/caPools/my-pool/certificateAuthorities/my-ca, argument pool should be set to projects/my-project/locations/us-central1/caPools/my-pool, argument certificate_authority should be set to my-ca.

CertificateTemplate string

The resource name for a CertificateTemplate used to issue this certificate, in the format projects/*/locations/*/certificateTemplates/*. If this is specified, the caller must have the necessary permission to use this template. If this is omitted, no template will be used. This template must be in the same location as the Certificate.

Config CertificateConfigArgs

The config used to create a self-signed X.509 certificate or CSR. Structure is documented below.

Labels Dictionary<string, string>

Labels with user-defined metadata to apply to this resource.

Lifetime string

The desired lifetime of the CA certificate. Used to create the "notBeforeTime" and "notAfterTime" fields inside an X.509 certificate. A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s".

Name string

The name for this Certificate.

PemCsr string

Immutable. A pem-encoded X.509 certificate signing request (CSR).

Project string

The ID of the project in which the resource belongs. If it is not provided, the provider project is used.

Location string

Location of the Certificate. A full list of valid locations can be found by running gcloud privateca locations list.

Pool string

The name of the CaPool this Certificate belongs to.

CertificateAuthority string

The Certificate Authority ID that should issue the certificate. For example, to issue a Certificate from a Certificate Authority with resource name projects/my-project/locations/us-central1/caPools/my-pool/certificateAuthorities/my-ca, argument pool should be set to projects/my-project/locations/us-central1/caPools/my-pool, argument certificate_authority should be set to my-ca.

CertificateTemplate string

The resource name for a CertificateTemplate used to issue this certificate, in the format projects/*/locations/*/certificateTemplates/*. If this is specified, the caller must have the necessary permission to use this template. If this is omitted, no template will be used. This template must be in the same location as the Certificate.

Config CertificateConfigArgs

The config used to create a self-signed X.509 certificate or CSR. Structure is documented below.

Labels map[string]string

Labels with user-defined metadata to apply to this resource.

Lifetime string

The desired lifetime of the CA certificate. Used to create the "notBeforeTime" and "notAfterTime" fields inside an X.509 certificate. A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s".

Name string

The name for this Certificate.

PemCsr string

Immutable. A pem-encoded X.509 certificate signing request (CSR).

Project string

The ID of the project in which the resource belongs. If it is not provided, the provider project is used.

location String

Location of the Certificate. A full list of valid locations can be found by running gcloud privateca locations list.

pool String

The name of the CaPool this Certificate belongs to.

certificateAuthority String

The Certificate Authority ID that should issue the certificate. For example, to issue a Certificate from a Certificate Authority with resource name projects/my-project/locations/us-central1/caPools/my-pool/certificateAuthorities/my-ca, argument pool should be set to projects/my-project/locations/us-central1/caPools/my-pool, argument certificate_authority should be set to my-ca.

certificateTemplate String

The resource name for a CertificateTemplate used to issue this certificate, in the format projects/*/locations/*/certificateTemplates/*. If this is specified, the caller must have the necessary permission to use this template. If this is omitted, no template will be used. This template must be in the same location as the Certificate.

config CertificateConfigArgs

The config used to create a self-signed X.509 certificate or CSR. Structure is documented below.

labels Map<String,String>

Labels with user-defined metadata to apply to this resource.

lifetime String

The desired lifetime of the CA certificate. Used to create the "notBeforeTime" and "notAfterTime" fields inside an X.509 certificate. A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s".

name String

The name for this Certificate.

pemCsr String

Immutable. A pem-encoded X.509 certificate signing request (CSR).

project String

The ID of the project in which the resource belongs. If it is not provided, the provider project is used.

location string

Location of the Certificate. A full list of valid locations can be found by running gcloud privateca locations list.

pool string

The name of the CaPool this Certificate belongs to.

certificateAuthority string

The Certificate Authority ID that should issue the certificate. For example, to issue a Certificate from a Certificate Authority with resource name projects/my-project/locations/us-central1/caPools/my-pool/certificateAuthorities/my-ca, argument pool should be set to projects/my-project/locations/us-central1/caPools/my-pool, argument certificate_authority should be set to my-ca.

certificateTemplate string

The resource name for a CertificateTemplate used to issue this certificate, in the format projects/*/locations/*/certificateTemplates/*. If this is specified, the caller must have the necessary permission to use this template. If this is omitted, no template will be used. This template must be in the same location as the Certificate.

config CertificateConfigArgs

The config used to create a self-signed X.509 certificate or CSR. Structure is documented below.

labels {[key: string]: string}

Labels with user-defined metadata to apply to this resource.

lifetime string

The desired lifetime of the CA certificate. Used to create the "notBeforeTime" and "notAfterTime" fields inside an X.509 certificate. A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s".

name string

The name for this Certificate.

pemCsr string

Immutable. A pem-encoded X.509 certificate signing request (CSR).

project string

The ID of the project in which the resource belongs. If it is not provided, the provider project is used.

location str

Location of the Certificate. A full list of valid locations can be found by running gcloud privateca locations list.

pool str

The name of the CaPool this Certificate belongs to.

certificate_authority str

The Certificate Authority ID that should issue the certificate. For example, to issue a Certificate from a Certificate Authority with resource name projects/my-project/locations/us-central1/caPools/my-pool/certificateAuthorities/my-ca, argument pool should be set to projects/my-project/locations/us-central1/caPools/my-pool, argument certificate_authority should be set to my-ca.

certificate_template str

The resource name for a CertificateTemplate used to issue this certificate, in the format projects/*/locations/*/certificateTemplates/*. If this is specified, the caller must have the necessary permission to use this template. If this is omitted, no template will be used. This template must be in the same location as the Certificate.

config CertificateConfigArgs

The config used to create a self-signed X.509 certificate or CSR. Structure is documented below.

labels Mapping[str, str]

Labels with user-defined metadata to apply to this resource.

lifetime str

The desired lifetime of the CA certificate. Used to create the "notBeforeTime" and "notAfterTime" fields inside an X.509 certificate. A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s".

name str

The name for this Certificate.

pem_csr str

Immutable. A pem-encoded X.509 certificate signing request (CSR).

project str

The ID of the project in which the resource belongs. If it is not provided, the provider project is used.

location String

Location of the Certificate. A full list of valid locations can be found by running gcloud privateca locations list.

pool String

The name of the CaPool this Certificate belongs to.

certificateAuthority String

The Certificate Authority ID that should issue the certificate. For example, to issue a Certificate from a Certificate Authority with resource name projects/my-project/locations/us-central1/caPools/my-pool/certificateAuthorities/my-ca, argument pool should be set to projects/my-project/locations/us-central1/caPools/my-pool, argument certificate_authority should be set to my-ca.

certificateTemplate String

The resource name for a CertificateTemplate used to issue this certificate, in the format projects/*/locations/*/certificateTemplates/*. If this is specified, the caller must have the necessary permission to use this template. If this is omitted, no template will be used. This template must be in the same location as the Certificate.

config Property Map

The config used to create a self-signed X.509 certificate or CSR. Structure is documented below.

labels Map<String>

Labels with user-defined metadata to apply to this resource.

lifetime String

The desired lifetime of the CA certificate. Used to create the "notBeforeTime" and "notAfterTime" fields inside an X.509 certificate. A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s".

name String

The name for this Certificate.

pemCsr String

Immutable. A pem-encoded X.509 certificate signing request (CSR).

project String

The ID of the project in which the resource belongs. If it is not provided, the provider project is used.

Outputs

All input properties are implicitly available as output properties. Additionally, the Certificate resource produces the following output properties:

CertificateDescriptions List<CertificateCertificateDescription>

Output only. A structured description of the issued X.509 certificate. This field does not indicate revocation; the Certificate is considered revoked only when RevocationDetails is present. Structure is documented below.

CreateTime string

The time that this resource was created on the server. This is in RFC3339 text format.

Id string

The provider-assigned unique ID for this managed resource.

IssuerCertificateAuthority string

The resource name of the issuing CertificateAuthority in the format projects/*/locations/*/caPools/*/certificateAuthorities/*.

PemCertificate string

Output only. The pem-encoded, signed X.509 certificate.

PemCertificateChains List<string>

The chain that may be used to verify the X.509 certificate. Expected to be in issuer-to-root order according to RFC 5246.

PemCertificates List<string>

(Deprecated) Required. Expected to be in leaf-to-root order according to RFC 5246.

Deprecated:

Deprecated in favor of pem_certificate_chain.

RevocationDetails List<CertificateRevocationDetail>

Output only. Details regarding the revocation of this Certificate. This Certificate is considered revoked if and only if this field is present. Structure is documented below.

UpdateTime string

Output only. The time at which this CertificateAuthority was updated. This is in RFC3339 text format.

CertificateDescriptions []CertificateCertificateDescription

Output only. A structured description of the issued X.509 certificate. This field does not indicate revocation; the Certificate is considered revoked only when RevocationDetails is present. Structure is documented below.

CreateTime string

The time that this resource was created on the server. This is in RFC3339 text format.

Id string

The provider-assigned unique ID for this managed resource.

IssuerCertificateAuthority string

The resource name of the issuing CertificateAuthority in the format projects/*/locations/*/caPools/*/certificateAuthorities/*.

PemCertificate string

Output only. The pem-encoded, signed X.509 certificate.

PemCertificateChains []string

The chain that may be used to verify the X.509 certificate. Expected to be in issuer-to-root order according to RFC 5246.

PemCertificates []string

(Deprecated) Required. Expected to be in leaf-to-root order according to RFC 5246.

Deprecated:

Deprecated in favor of pem_certificate_chain.

RevocationDetails []CertificateRevocationDetail

Output only. Details regarding the revocation of this Certificate. This Certificate is considered revoked if and only if this field is present. Structure is documented below.

UpdateTime string

Output only. The time at which this CertificateAuthority was updated. This is in RFC3339 text format.

certificateDescriptions List<CertificateCertificateDescription>

Output only. A structured description of the issued X.509 certificate. This field does not indicate revocation; the Certificate is considered revoked only when revocationDetails is present. Structure is documented below.

createTime String

The time that this resource was created on the server. This is in RFC3339 text format.

id String

The provider-assigned unique ID for this managed resource.

issuerCertificateAuthority String

The resource name of the issuing CertificateAuthority in the format projects/*/locations/*/caPools/*/certificateAuthorities/*.

pemCertificate String

Output only. The pem-encoded, signed X.509 certificate.

pemCertificateChains List<String>

The chain that may be used to verify the X.509 certificate. Expected to be in issuer-to-root order according to RFC 5246.

pemCertificates List<String>

(Deprecated) Required. Expected to be in leaf-to-root order according to RFC 5246.

Deprecated:

Deprecated in favor of pem_certificate_chain.

revocationDetails List<CertificateRevocationDetail>

Output only. Details regarding the revocation of this Certificate. This Certificate is considered revoked if and only if this field is present. Structure is documented below.

updateTime String

Output only. The time at which this CertificateAuthority was updated. This is in RFC3339 text format.

certificateDescriptions CertificateCertificateDescription[]

Output only. A structured description of the issued X.509 certificate. This field does not indicate revocation; the Certificate is considered revoked only when revocationDetails is present. Structure is documented below.

createTime string

The time that this resource was created on the server. This is in RFC3339 text format.

id string

The provider-assigned unique ID for this managed resource.

issuerCertificateAuthority string

The resource name of the issuing CertificateAuthority in the format projects/*/locations/*/caPools/*/certificateAuthorities/*.

pemCertificate string

Output only. The pem-encoded, signed X.509 certificate.

pemCertificateChains string[]

The chain that may be used to verify the X.509 certificate. Expected to be in issuer-to-root order according to RFC 5246.

pemCertificates string[]

(Deprecated) Required. Expected to be in leaf-to-root order according to RFC 5246.

Deprecated:

Deprecated in favor of pem_certificate_chain.

revocationDetails CertificateRevocationDetail[]

Output only. Details regarding the revocation of this Certificate. This Certificate is considered revoked if and only if this field is present. Structure is documented below.

updateTime string

Output only. The time at which this CertificateAuthority was updated. This is in RFC3339 text format.

certificate_descriptions Sequence[CertificateCertificateDescription]

Output only. A structured description of the issued X.509 certificate. This field does not indicate revocation; the Certificate is considered revoked only when revocation_details is present. Structure is documented below.

create_time str

The time that this resource was created on the server. This is in RFC3339 text format.

id str

The provider-assigned unique ID for this managed resource.

issuer_certificate_authority str

The resource name of the issuing CertificateAuthority in the format projects/*/locations/*/caPools/*/certificateAuthorities/*.

pem_certificate str

Output only. The pem-encoded, signed X.509 certificate.

pem_certificate_chains Sequence[str]

The chain that may be used to verify the X.509 certificate. Expected to be in issuer-to-root order according to RFC 5246.

pem_certificates Sequence[str]

(Deprecated) Required. Expected to be in leaf-to-root order according to RFC 5246.

Deprecated:

Deprecated in favor of pem_certificate_chain.

revocation_details Sequence[CertificateRevocationDetail]

Output only. Details regarding the revocation of this Certificate. This Certificate is considered revoked if and only if this field is present. Structure is documented below.

update_time str

Output only. The time at which this CertificateAuthority was updated. This is in RFC3339 text format.

certificateDescriptions List<Property Map>

Output only. A structured description of the issued X.509 certificate. This field does not indicate revocation; the Certificate is considered revoked only when revocationDetails is present. Structure is documented below.

createTime String

The time that this resource was created on the server. This is in RFC3339 text format.

id String

The provider-assigned unique ID for this managed resource.

issuerCertificateAuthority String

The resource name of the issuing CertificateAuthority in the format projects/*/locations/*/caPools/*/certificateAuthorities/*.

pemCertificate String

Output only. The pem-encoded, signed X.509 certificate.

pemCertificateChains List<String>

The chain that may be used to verify the X.509 certificate. Expected to be in issuer-to-root order according to RFC 5246.

pemCertificates List<String>

(Deprecated) Required. Expected to be in leaf-to-root order according to RFC 5246.

Deprecated:

Deprecated in favor of pem_certificate_chain.

revocationDetails List<Property Map>

Output only. Details regarding the revocation of this Certificate. This Certificate is considered revoked if and only if this field is present. Structure is documented below.

updateTime String

Output only. The time at which this CertificateAuthority was updated. This is in RFC3339 text format.

Look up Existing Certificate Resource

Get an existing Certificate resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: CertificateState, opts?: CustomResourceOptions): Certificate
@staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        certificate_authority: Optional[str] = None,
        certificate_descriptions: Optional[Sequence[CertificateCertificateDescriptionArgs]] = None,
        certificate_template: Optional[str] = None,
        config: Optional[CertificateConfigArgs] = None,
        create_time: Optional[str] = None,
        issuer_certificate_authority: Optional[str] = None,
        labels: Optional[Mapping[str, str]] = None,
        lifetime: Optional[str] = None,
        location: Optional[str] = None,
        name: Optional[str] = None,
        pem_certificate: Optional[str] = None,
        pem_certificate_chains: Optional[Sequence[str]] = None,
        pem_certificates: Optional[Sequence[str]] = None,
        pem_csr: Optional[str] = None,
        pool: Optional[str] = None,
        project: Optional[str] = None,
        revocation_details: Optional[Sequence[CertificateRevocationDetailArgs]] = None,
        update_time: Optional[str] = None) -> Certificate
func GetCertificate(ctx *Context, name string, id IDInput, state *CertificateState, opts ...ResourceOption) (*Certificate, error)
public static Certificate Get(string name, Input<string> id, CertificateState? state, CustomResourceOptions? opts = null)
public static Certificate get(String name, Output<String> id, CertificateState state, CustomResourceOptions options)
Resource lookup is not supported in YAML
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
resource_name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
The following state arguments are supported:
CertificateAuthority string

The Certificate Authority ID that should issue the certificate. For example, to issue a Certificate from a Certificate Authority with resource name projects/my-project/locations/us-central1/caPools/my-pool/certificateAuthorities/my-ca, argument pool should be set to projects/my-project/locations/us-central1/caPools/my-pool, argument certificate_authority should be set to my-ca.

CertificateDescriptions List<CertificateCertificateDescriptionArgs>

Output only. A structured description of the issued X.509 certificate. This field does not indicate revocation; the Certificate is considered revoked only when RevocationDetails is present. Structure is documented below.

CertificateTemplate string

The resource name for a CertificateTemplate used to issue this certificate, in the format projects/*/locations/*/certificateTemplates/*. If this is specified, the caller must have the necessary permission to use this template. If this is omitted, no template will be used. This template must be in the same location as the Certificate.

Config CertificateConfigArgs

The config used to create a self-signed X.509 certificate or CSR. Structure is documented below.

CreateTime string

The time that this resource was created on the server. This is in RFC3339 text format.

IssuerCertificateAuthority string

The resource name of the issuing CertificateAuthority in the format projects/*/locations/*/caPools/*/certificateAuthorities/*.

Labels Dictionary<string, string>

Labels with user-defined metadata to apply to this resource.

Lifetime string

The desired lifetime of the CA certificate. Used to create the "notBeforeTime" and "notAfterTime" fields inside an X.509 certificate. A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s".

Location string

Location of the Certificate. A full list of valid locations can be found by running gcloud privateca locations list.

Name string

The name for this Certificate.

PemCertificate string

Output only. The pem-encoded, signed X.509 certificate.

PemCertificateChains List<string>

The chain that may be used to verify the X.509 certificate. Expected to be in issuer-to-root order according to RFC 5246.

PemCertificates List<string>

(Deprecated) Required. Expected to be in leaf-to-root order according to RFC 5246.

Deprecated:

Deprecated in favor of pem_certificate_chain.

PemCsr string

Immutable. A pem-encoded X.509 certificate signing request (CSR).

Pool string

The name of the CaPool this Certificate belongs to.

Project string

The ID of the project in which the resource belongs. If it is not provided, the provider project is used.

RevocationDetails List<CertificateRevocationDetailArgs>

Output only. Details regarding the revocation of this Certificate. This Certificate is considered revoked if and only if this field is present. Structure is documented below.

UpdateTime string

Output only. The time at which this CertificateAuthority was updated. This is in RFC3339 text format.

CertificateAuthority string

The Certificate Authority ID that should issue the certificate. For example, to issue a Certificate from a Certificate Authority with resource name projects/my-project/locations/us-central1/caPools/my-pool/certificateAuthorities/my-ca, argument pool should be set to projects/my-project/locations/us-central1/caPools/my-pool, argument certificate_authority should be set to my-ca.

CertificateDescriptions []CertificateCertificateDescriptionArgs

Output only. A structured description of the issued X.509 certificate. This field does not indicate revocation; the Certificate is considered revoked only when RevocationDetails is present. Structure is documented below.

CertificateTemplate string

The resource name for a CertificateTemplate used to issue this certificate, in the format projects/*/locations/*/certificateTemplates/*. If this is specified, the caller must have the necessary permission to use this template. If this is omitted, no template will be used. This template must be in the same location as the Certificate.

Config CertificateConfigArgs

The config used to create a self-signed X.509 certificate or CSR. Structure is documented below.

CreateTime string

The time that this resource was created on the server. This is in RFC3339 text format.

IssuerCertificateAuthority string

The resource name of the issuing CertificateAuthority in the format projects/*/locations/*/caPools/*/certificateAuthorities/*.

Labels map[string]string

Labels with user-defined metadata to apply to this resource.

Lifetime string

The desired lifetime of the CA certificate. Used to create the "notBeforeTime" and "notAfterTime" fields inside an X.509 certificate. A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s".

Location string

Location of the Certificate. A full list of valid locations can be found by running gcloud privateca locations list.

Name string

The name for this Certificate.

PemCertificate string

Output only. The pem-encoded, signed X.509 certificate.

PemCertificateChains []string

The chain that may be used to verify the X.509 certificate. Expected to be in issuer-to-root order according to RFC 5246.

PemCertificates []string

(Deprecated) Required. Expected to be in leaf-to-root order according to RFC 5246.

Deprecated:

Deprecated in favor of pem_certificate_chain.

PemCsr string

Immutable. A pem-encoded X.509 certificate signing request (CSR).

Pool string

The name of the CaPool this Certificate belongs to.

Project string

The ID of the project in which the resource belongs. If it is not provided, the provider project is used.

RevocationDetails []CertificateRevocationDetailArgs

Output only. Details regarding the revocation of this Certificate. This Certificate is considered revoked if and only if this field is present. Structure is documented below.

UpdateTime string

Output only. The time at which this CertificateAuthority was updated. This is in RFC3339 text format.

certificateAuthority String

The Certificate Authority ID that should issue the certificate. For example, to issue a Certificate from a Certificate Authority with resource name projects/my-project/locations/us-central1/caPools/my-pool/certificateAuthorities/my-ca, argument pool should be set to projects/my-project/locations/us-central1/caPools/my-pool, argument certificate_authority should be set to my-ca.

certificateDescriptions List<CertificateCertificateDescriptionArgs>

Output only. A structured description of the issued X.509 certificate. This field does not indicate revocation; the Certificate is considered revoked only when revocationDetails is present. Structure is documented below.

certificateTemplate String

The resource name for a CertificateTemplate used to issue this certificate, in the format projects/*/locations/*/certificateTemplates/*. If this is specified, the caller must have the necessary permission to use this template. If this is omitted, no template will be used. This template must be in the same location as the Certificate.

config CertificateConfigArgs

The config used to create a self-signed X.509 certificate or CSR. Structure is documented below.

createTime String

The time that this resource was created on the server. This is in RFC3339 text format.

issuerCertificateAuthority String

The resource name of the issuing CertificateAuthority in the format projects/*/locations/*/caPools/*/certificateAuthorities/*.

labels Map<String,String>

Labels with user-defined metadata to apply to this resource.

lifetime String

The desired lifetime of the CA certificate. Used to create the "notBeforeTime" and "notAfterTime" fields inside an X.509 certificate. A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s".

location String

Location of the Certificate. A full list of valid locations can be found by running gcloud privateca locations list.

name String

The name for this Certificate.

pemCertificate String

Output only. The pem-encoded, signed X.509 certificate.

pemCertificateChains List<String>

The chain that may be used to verify the X.509 certificate. Expected to be in issuer-to-root order according to RFC 5246.

pemCertificates List<String>

(Deprecated) Required. Expected to be in leaf-to-root order according to RFC 5246.

Deprecated:

Deprecated in favor of pem_certificate_chain.

pemCsr String

Immutable. A pem-encoded X.509 certificate signing request (CSR).

pool String

The name of the CaPool this Certificate belongs to.

project String

The ID of the project in which the resource belongs. If it is not provided, the provider project is used.

revocationDetails List<CertificateRevocationDetailArgs>

Output only. Details regarding the revocation of this Certificate. This Certificate is considered revoked if and only if this field is present. Structure is documented below.

updateTime String

Output only. The time at which this CertificateAuthority was updated. This is in RFC3339 text format.

certificateAuthority string

The Certificate Authority ID that should issue the certificate. For example, to issue a Certificate from a Certificate Authority with resource name projects/my-project/locations/us-central1/caPools/my-pool/certificateAuthorities/my-ca, argument pool should be set to projects/my-project/locations/us-central1/caPools/my-pool, argument certificate_authority should be set to my-ca.

certificateDescriptions CertificateCertificateDescriptionArgs[]

Output only. A structured description of the issued X.509 certificate. This field does not indicate revocation; the Certificate is considered revoked only when revocationDetails is present. Structure is documented below.

certificateTemplate string

The resource name for a CertificateTemplate used to issue this certificate, in the format projects/*/locations/*/certificateTemplates/*. If this is specified, the caller must have the necessary permission to use this template. If this is omitted, no template will be used. This template must be in the same location as the Certificate.

config CertificateConfigArgs

The config used to create a self-signed X.509 certificate or CSR. Structure is documented below.

createTime string

The time that this resource was created on the server. This is in RFC3339 text format.

issuerCertificateAuthority string

The resource name of the issuing CertificateAuthority in the format projects/*/locations/*/caPools/*/certificateAuthorities/*.

labels {[key: string]: string}

Labels with user-defined metadata to apply to this resource.

lifetime string

The desired lifetime of the CA certificate. Used to create the "notBeforeTime" and "notAfterTime" fields inside an X.509 certificate. A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s".

location string

Location of the Certificate. A full list of valid locations can be found by running gcloud privateca locations list.

name string

The name for this Certificate.

pemCertificate string

Output only. The pem-encoded, signed X.509 certificate.

pemCertificateChains string[]

The chain that may be used to verify the X.509 certificate. Expected to be in issuer-to-root order according to RFC 5246.

pemCertificates string[]

(Deprecated) Required. Expected to be in leaf-to-root order according to RFC 5246.

Deprecated:

Deprecated in favor of pem_certificate_chain.

pemCsr string

Immutable. A pem-encoded X.509 certificate signing request (CSR).

pool string

The name of the CaPool this Certificate belongs to.

project string

The ID of the project in which the resource belongs. If it is not provided, the provider project is used.

revocationDetails CertificateRevocationDetailArgs[]

Output only. Details regarding the revocation of this Certificate. This Certificate is considered revoked if and only if this field is present. Structure is documented below.

updateTime string

Output only. The time at which this CertificateAuthority was updated. This is in RFC3339 text format.

certificate_authority str

The Certificate Authority ID that should issue the certificate. For example, to issue a Certificate from a Certificate Authority with resource name projects/my-project/locations/us-central1/caPools/my-pool/certificateAuthorities/my-ca, argument pool should be set to projects/my-project/locations/us-central1/caPools/my-pool, argument certificate_authority should be set to my-ca.

certificate_descriptions Sequence[CertificateCertificateDescriptionArgs]

Output only. A structured description of the issued X.509 certificate. Structure is documented below.

certificate_template str

The resource name for a CertificateTemplate used to issue this certificate, in the format projects/*/locations/*/certificateTemplates/*. If this is specified, the caller must have the necessary permission to use this template. If this is omitted, no template will be used. This template must be in the same location as the Certificate.

config CertificateConfigArgs

The config used to create a self-signed X.509 certificate or CSR. Structure is documented below.

create_time str

The time that this resource was created on the server. This is in RFC3339 text format.

issuer_certificate_authority str

The resource name of the issuing CertificateAuthority in the format projects/*/locations/*/caPools/*/certificateAuthorities/*.

labels Mapping[str, str]

Labels with user-defined metadata to apply to this resource.

lifetime str

The desired lifetime of the CA certificate. Used to create the "notBeforeTime" and "notAfterTime" fields inside an X.509 certificate. A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s".

location str

Location of the Certificate. A full list of valid locations can be found by running gcloud privateca locations list.

name str

The name for this Certificate.

pem_certificate str

Output only. The pem-encoded, signed X.509 certificate.

pem_certificate_chains Sequence[str]

The chain that may be used to verify the X.509 certificate. Expected to be in issuer-to-root order according to RFC 5246.

pem_certificates Sequence[str]

(Deprecated) Required. Expected to be in leaf-to-root order according to RFC 5246.

Deprecated:

Deprecated in favor of pem_certificate_chain.

pem_csr str

Immutable. A pem-encoded X.509 certificate signing request (CSR).

pool str

The name of the CaPool this Certificate belongs to.

project str

The ID of the project in which the resource belongs. If it is not provided, the provider project is used.

revocation_details Sequence[CertificateRevocationDetailArgs]

Output only. Details regarding the revocation of this Certificate. This Certificate is considered revoked if and only if this field is present. Structure is documented below.

update_time str

Output only. The time at which this CertificateAuthority was updated. This is in RFC3339 text format.

certificateAuthority String

The Certificate Authority ID that should issue the certificate. For example, to issue a Certificate from a Certificate Authority with resource name projects/my-project/locations/us-central1/caPools/my-pool/certificateAuthorities/my-ca, argument pool should be set to projects/my-project/locations/us-central1/caPools/my-pool, argument certificate_authority should be set to my-ca.

certificateDescriptions List<Property Map>

Output only. A structured description of the issued X.509 certificate. Structure is documented below.

certificateTemplate String

The resource name for a CertificateTemplate used to issue this certificate, in the format projects/*/locations/*/certificateTemplates/*. If this is specified, the caller must have the necessary permission to use this template. If this is omitted, no template will be used. This template must be in the same location as the Certificate.

config Property Map

The config used to create a self-signed X.509 certificate or CSR. Structure is documented below.

createTime String

The time that this resource was created on the server. This is in RFC3339 text format.

issuerCertificateAuthority String

The resource name of the issuing CertificateAuthority in the format projects/*/locations/*/caPools/*/certificateAuthorities/*.

labels Map<String>

Labels with user-defined metadata to apply to this resource.

lifetime String

The desired lifetime of the CA certificate. Used to create the "notBeforeTime" and "notAfterTime" fields inside an X.509 certificate. A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s".

location String

Location of the Certificate. A full list of valid locations can be found by running gcloud privateca locations list.

name String

The name for this Certificate.

pemCertificate String

Output only. The pem-encoded, signed X.509 certificate.

pemCertificateChains List<String>

The chain that may be used to verify the X.509 certificate. Expected to be in issuer-to-root order according to RFC 5246.

pemCertificates List<String>

(Deprecated) Required. Expected to be in leaf-to-root order according to RFC 5246.

Deprecated:

Deprecated in favor of pem_certificate_chain.

pemCsr String

Immutable. A pem-encoded X.509 certificate signing request (CSR).

pool String

The name of the CaPool this Certificate belongs to.

project String

The ID of the project in which the resource belongs. If it is not provided, the provider project is used.

revocationDetails List<Property Map>

Output only. Details regarding the revocation of this Certificate. This Certificate is considered revoked if and only if this field is present. Structure is documented below.

updateTime String

Output only. The time at which this CertificateAuthority was updated. This is in RFC3339 text format.

Supporting Types

CertificateCertificateDescription

AiaIssuingCertificateUrls List<string>

(Output) Describes lists of issuer CA certificate URLs that appear in the "Authority Information Access" extension in the certificate.

AuthorityKeyIds List<CertificateCertificateDescriptionAuthorityKeyId>

(Output) Identifies the subjectKeyId of the parent certificate, per https://tools.ietf.org/html/rfc5280#section-4.2.1.1 Structure is documented below.

CertFingerprints List<CertificateCertificateDescriptionCertFingerprint>

(Output) The hash of the x.509 certificate. Structure is documented below.

ConfigValues List<CertificateCertificateDescriptionConfigValue>

(Output, Deprecated) Describes some of the technical fields in a certificate. Structure is documented below.

Deprecated:

Deprecated in favor of x509_description.

CrlDistributionPoints List<string>

(Output) Describes a list of locations to obtain CRL information, i.e. the DistributionPoint.fullName described by https://tools.ietf.org/html/rfc5280#section-4.2.1.13

PublicKeys List<CertificateCertificateDescriptionPublicKey>

A PublicKey describes a public key. Structure is documented below.

SubjectDescriptions List<CertificateCertificateDescriptionSubjectDescription>

(Output) Describes some of the values in a certificate that are related to the subject and lifetime. Structure is documented below.

SubjectKeyIds List<CertificateCertificateDescriptionSubjectKeyId>

(Output) Provides a means of identifying certificates that contain a particular public key, per https://tools.ietf.org/html/rfc5280#section-4.2.1.2. Structure is documented below.

X509Descriptions List<CertificateCertificateDescriptionX509Description>

(Output) A structured description of the issued X.509 certificate. Structure is documented below.

AiaIssuingCertificateUrls []string

(Output) Describes lists of issuer CA certificate URLs that appear in the "Authority Information Access" extension in the certificate.

AuthorityKeyIds []CertificateCertificateDescriptionAuthorityKeyId

(Output) Identifies the subjectKeyId of the parent certificate, per https://tools.ietf.org/html/rfc5280#section-4.2.1.1 Structure is documented below.

CertFingerprints []CertificateCertificateDescriptionCertFingerprint

(Output) The hash of the x.509 certificate. Structure is documented below.

ConfigValues []CertificateCertificateDescriptionConfigValue

(Output, Deprecated) Describes some of the technical fields in a certificate. Structure is documented below.

Deprecated:

Deprecated in favor of x509_description.

CrlDistributionPoints []string

(Output) Describes a list of locations to obtain CRL information, i.e. the DistributionPoint.fullName described by https://tools.ietf.org/html/rfc5280#section-4.2.1.13

PublicKeys []CertificateCertificateDescriptionPublicKey

A PublicKey describes a public key. Structure is documented below.

SubjectDescriptions []CertificateCertificateDescriptionSubjectDescription

(Output) Describes some of the values in a certificate that are related to the subject and lifetime. Structure is documented below.

SubjectKeyIds []CertificateCertificateDescriptionSubjectKeyId

(Output) Provides a means of identifying certificates that contain a particular public key, per https://tools.ietf.org/html/rfc5280#section-4.2.1.2. Structure is documented below.

X509Descriptions []CertificateCertificateDescriptionX509Description

(Output) A structured description of the issued X.509 certificate. Structure is documented below.

aiaIssuingCertificateUrls List<String>

(Output) Describes lists of issuer CA certificate URLs that appear in the "Authority Information Access" extension in the certificate.

authorityKeyIds List<CertificateCertificateDescriptionAuthorityKeyId>

(Output) Identifies the subjectKeyId of the parent certificate, per https://tools.ietf.org/html/rfc5280#section-4.2.1.1 Structure is documented below.

certFingerprints List<CertificateCertificateDescriptionCertFingerprint>

(Output) The hash of the x.509 certificate. Structure is documented below.

configValues List<CertificateCertificateDescriptionConfigValue>

(Output, Deprecated) Describes some of the technical fields in a certificate. Structure is documented below.

Deprecated:

Deprecated in favor of x509_description.

crlDistributionPoints List<String>

(Output) Describes a list of locations to obtain CRL information, i.e. the DistributionPoint.fullName described by https://tools.ietf.org/html/rfc5280#section-4.2.1.13

publicKeys List<CertificateCertificateDescriptionPublicKey>

A PublicKey describes a public key. Structure is documented below.

subjectDescriptions List<CertificateCertificateDescriptionSubjectDescription>

(Output) Describes some of the values in a certificate that are related to the subject and lifetime. Structure is documented below.

subjectKeyIds List<CertificateCertificateDescriptionSubjectKeyId>

(Output) Provides a means of identifying certificates that contain a particular public key, per https://tools.ietf.org/html/rfc5280#section-4.2.1.2. Structure is documented below.

x509Descriptions List<CertificateCertificateDescriptionX509Description>

(Output) A structured description of the issued X.509 certificate. Structure is documented below.

aiaIssuingCertificateUrls string[]

(Output) Describes lists of issuer CA certificate URLs that appear in the "Authority Information Access" extension in the certificate.

authorityKeyIds CertificateCertificateDescriptionAuthorityKeyId[]

(Output) Identifies the subjectKeyId of the parent certificate, per https://tools.ietf.org/html/rfc5280#section-4.2.1.1 Structure is documented below.

certFingerprints CertificateCertificateDescriptionCertFingerprint[]

(Output) The hash of the x.509 certificate. Structure is documented below.

configValues CertificateCertificateDescriptionConfigValue[]

(Output, Deprecated) Describes some of the technical fields in a certificate. Structure is documented below.

Deprecated:

Deprecated in favor of x509_description.

crlDistributionPoints string[]

(Output) Describes a list of locations to obtain CRL information, i.e. the DistributionPoint.fullName described by https://tools.ietf.org/html/rfc5280#section-4.2.1.13

publicKeys CertificateCertificateDescriptionPublicKey[]

A PublicKey describes a public key. Structure is documented below.

subjectDescriptions CertificateCertificateDescriptionSubjectDescription[]

(Output) Describes some of the values in a certificate that are related to the subject and lifetime. Structure is documented below.

subjectKeyIds CertificateCertificateDescriptionSubjectKeyId[]

(Output) Provides a means of identifying certificates that contain a particular public key, per https://tools.ietf.org/html/rfc5280#section-4.2.1.2. Structure is documented below.

x509Descriptions CertificateCertificateDescriptionX509Description[]

(Output) A structured description of the issued X.509 certificate. Structure is documented below.

aia_issuing_certificate_urls Sequence[str]

(Output) Describes lists of issuer CA certificate URLs that appear in the "Authority Information Access" extension in the certificate.

authority_key_ids Sequence[CertificateCertificateDescriptionAuthorityKeyId]

(Output) Identifies the subjectKeyId of the parent certificate, per https://tools.ietf.org/html/rfc5280#section-4.2.1.1 Structure is documented below.

cert_fingerprints Sequence[CertificateCertificateDescriptionCertFingerprint]

(Output) The hash of the x.509 certificate. Structure is documented below.

config_values Sequence[CertificateCertificateDescriptionConfigValue]

(Output, Deprecated) Describes some of the technical fields in a certificate. Structure is documented below.

Deprecated:

Deprecated in favor of x509_description.

crl_distribution_points Sequence[str]

(Output) Describes a list of locations to obtain CRL information, i.e. the DistributionPoint.fullName described by https://tools.ietf.org/html/rfc5280#section-4.2.1.13

public_keys Sequence[CertificateCertificateDescriptionPublicKey]

A PublicKey describes a public key. Structure is documented below.

subject_descriptions Sequence[CertificateCertificateDescriptionSubjectDescription]

(Output) Describes some of the values in a certificate that are related to the subject and lifetime. Structure is documented below.

subject_key_ids Sequence[CertificateCertificateDescriptionSubjectKeyId]

(Output) Provides a means of identifying certificates that contain a particular public key, per https://tools.ietf.org/html/rfc5280#section-4.2.1.2. Structure is documented below.

x509_descriptions Sequence[CertificateCertificateDescriptionX509Description]

(Output) A structured description of the issued X.509 certificate. Structure is documented below.

aiaIssuingCertificateUrls List<String>

(Output) Describes lists of issuer CA certificate URLs that appear in the "Authority Information Access" extension in the certificate.

authorityKeyIds List<Property Map>

(Output) Identifies the subjectKeyId of the parent certificate, per https://tools.ietf.org/html/rfc5280#section-4.2.1.1 Structure is documented below.

certFingerprints List<Property Map>

(Output) The hash of the x.509 certificate. Structure is documented below.

configValues List<Property Map>

(Output, Deprecated) Describes some of the technical fields in a certificate. Structure is documented below.

Deprecated:

Deprecated in favor of x509_description.

crlDistributionPoints List<String>

(Output) Describes a list of locations to obtain CRL information, i.e. the DistributionPoint.fullName described by https://tools.ietf.org/html/rfc5280#section-4.2.1.13

publicKeys List<Property Map>

A PublicKey describes a public key. Structure is documented below.

subjectDescriptions List<Property Map>

(Output) Describes some of the values in a certificate that are related to the subject and lifetime. Structure is documented below.

subjectKeyIds List<Property Map>

(Output) Provides a means of identifying certificates that contain a particular public key, per https://tools.ietf.org/html/rfc5280#section-4.2.1.2. Structure is documented below.

x509Descriptions List<Property Map>

(Output) A structured description of the issued X.509 certificate. Structure is documented below.

CertificateCertificateDescriptionAuthorityKeyId

KeyId string

(Output) Optional. The value of this KeyId encoded in lowercase hexadecimal. This is most likely the 160 bit SHA-1 hash of the public key.

KeyId string

(Output) Optional. The value of this KeyId encoded in lowercase hexadecimal. This is most likely the 160 bit SHA-1 hash of the public key.

keyId String

(Output) Optional. The value of this KeyId encoded in lowercase hexadecimal. This is most likely the 160 bit SHA-1 hash of the public key.

keyId string

(Output) Optional. The value of this KeyId encoded in lowercase hexadecimal. This is most likely the 160 bit SHA-1 hash of the public key.

key_id str

(Output) Optional. The value of this KeyId encoded in lowercase hexadecimal. This is most likely the 160 bit SHA-1 hash of the public key.

keyId String

(Output) Optional. The value of this KeyId encoded in lowercase hexadecimal. This is most likely the 160 bit SHA-1 hash of the public key.

CertificateCertificateDescriptionCertFingerprint

Sha256Hash string

(Output) The SHA 256 hash, encoded in hexadecimal, of the DER x509 certificate.

Sha256Hash string

(Output) The SHA 256 hash, encoded in hexadecimal, of the DER x509 certificate.

sha256Hash String

(Output) The SHA 256 hash, encoded in hexadecimal, of the DER x509 certificate.

sha256Hash string

(Output) The SHA 256 hash, encoded in hexadecimal, of the DER x509 certificate.

sha256_hash str

(Output) The SHA 256 hash, encoded in hexadecimal, of the DER x509 certificate.

sha256Hash String

(Output) The SHA 256 hash, encoded in hexadecimal, of the DER x509 certificate.

CertificateCertificateDescriptionConfigValue

KeyUsages List<CertificateCertificateDescriptionConfigValueKeyUsage>

Indicates the intended use for keys that correspond to a certificate. Structure is documented below.

KeyUsages []CertificateCertificateDescriptionConfigValueKeyUsage

Indicates the intended use for keys that correspond to a certificate. Structure is documented below.

keyUsages List<CertificateCertificateDescriptionConfigValueKeyUsage>

Indicates the intended use for keys that correspond to a certificate. Structure is documented below.

keyUsages CertificateCertificateDescriptionConfigValueKeyUsage[]

Indicates the intended use for keys that correspond to a certificate. Structure is documented below.

key_usages Sequence[CertificateCertificateDescriptionConfigValueKeyUsage]

Indicates the intended use for keys that correspond to a certificate. Structure is documented below.

keyUsages List<Property Map>

Indicates the intended use for keys that correspond to a certificate. Structure is documented below.

CertificateCertificateDescriptionConfigValueKeyUsage

BaseKeyUsages List<CertificateCertificateDescriptionConfigValueKeyUsageBaseKeyUsage>

Describes high-level ways in which a key may be used. Structure is documented below.

ExtendedKeyUsages List<CertificateCertificateDescriptionConfigValueKeyUsageExtendedKeyUsage>

Describes high-level ways in which a key may be used. Structure is documented below.

UnknownExtendedKeyUsages List<CertificateCertificateDescriptionConfigValueKeyUsageUnknownExtendedKeyUsage>

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. Structure is documented below.

BaseKeyUsages []CertificateCertificateDescriptionConfigValueKeyUsageBaseKeyUsage

Describes high-level ways in which a key may be used. Structure is documented below.

ExtendedKeyUsages []CertificateCertificateDescriptionConfigValueKeyUsageExtendedKeyUsage

Describes high-level ways in which a key may be used. Structure is documented below.

UnknownExtendedKeyUsages []CertificateCertificateDescriptionConfigValueKeyUsageUnknownExtendedKeyUsage

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. Structure is documented below.

baseKeyUsages List<CertificateCertificateDescriptionConfigValueKeyUsageBaseKeyUsage>

Describes high-level ways in which a key may be used. Structure is documented below.

extendedKeyUsages List<CertificateCertificateDescriptionConfigValueKeyUsageExtendedKeyUsage>

Describes high-level ways in which a key may be used. Structure is documented below.

unknownExtendedKeyUsages List<CertificateCertificateDescriptionConfigValueKeyUsageUnknownExtendedKeyUsage>

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. Structure is documented below.

baseKeyUsages CertificateCertificateDescriptionConfigValueKeyUsageBaseKeyUsage[]

Describes high-level ways in which a key may be used. Structure is documented below.

extendedKeyUsages CertificateCertificateDescriptionConfigValueKeyUsageExtendedKeyUsage[]

Describes high-level ways in which a key may be used. Structure is documented below.

unknownExtendedKeyUsages CertificateCertificateDescriptionConfigValueKeyUsageUnknownExtendedKeyUsage[]

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. Structure is documented below.

base_key_usages Sequence[CertificateCertificateDescriptionConfigValueKeyUsageBaseKeyUsage]

Describes high-level ways in which a key may be used. Structure is documented below.

extended_key_usages Sequence[CertificateCertificateDescriptionConfigValueKeyUsageExtendedKeyUsage]

Describes high-level ways in which a key may be used. Structure is documented below.

unknown_extended_key_usages Sequence[CertificateCertificateDescriptionConfigValueKeyUsageUnknownExtendedKeyUsage]

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. Structure is documented below.

baseKeyUsages List<Property Map>

Describes high-level ways in which a key may be used. Structure is documented below.

extendedKeyUsages List<Property Map>

Describes high-level ways in which a key may be used. Structure is documented below.

unknownExtendedKeyUsages List<Property Map>

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. Structure is documented below.

CertificateCertificateDescriptionConfigValueKeyUsageBaseKeyUsage

KeyUsageOptions List<CertificateCertificateDescriptionConfigValueKeyUsageBaseKeyUsageKeyUsageOption>

(Output) Describes high-level ways in which a key may be used. Structure is documented below.

KeyUsageOptions []CertificateCertificateDescriptionConfigValueKeyUsageBaseKeyUsageKeyUsageOption

(Output) Describes high-level ways in which a key may be used. Structure is documented below.

keyUsageOptions List<CertificateCertificateDescriptionConfigValueKeyUsageBaseKeyUsageKeyUsageOption>

(Output) Describes high-level ways in which a key may be used. Structure is documented below.

keyUsageOptions CertificateCertificateDescriptionConfigValueKeyUsageBaseKeyUsageKeyUsageOption[]

(Output) Describes high-level ways in which a key may be used. Structure is documented below.

key_usage_options Sequence[CertificateCertificateDescriptionConfigValueKeyUsageBaseKeyUsageKeyUsageOption]

(Output) Describes high-level ways in which a key may be used. Structure is documented below.

keyUsageOptions List<Property Map>

(Output) Describes high-level ways in which a key may be used. Structure is documented below.

CertificateCertificateDescriptionConfigValueKeyUsageBaseKeyUsageKeyUsageOption

CertSign bool

The key may be used to sign certificates.

ContentCommitment bool

The key may be used for cryptographic commitments. Note that this may also be referred to as "non-repudiation".

CrlSign bool

The key may be used to sign certificate revocation lists.

DataEncipherment bool

The key may be used to encipher data.

DecipherOnly bool

The key may be used to decipher only.

DigitalSignature bool

The key may be used for digital signatures.

EncipherOnly bool

The key may be used to encipher only.

KeyAgreement bool

The key may be used in a key agreement protocol.

KeyEncipherment bool

The key may be used to encipher other keys.

CertSign bool

The key may be used to sign certificates.

ContentCommitment bool

The key may be used for cryptographic commitments. Note that this may also be referred to as "non-repudiation".

CrlSign bool

The key may be used to sign certificate revocation lists.

DataEncipherment bool

The key may be used to encipher data.

DecipherOnly bool

The key may be used to decipher only.

DigitalSignature bool

The key may be used for digital signatures.

EncipherOnly bool

The key may be used to encipher only.

KeyAgreement bool

The key may be used in a key agreement protocol.

KeyEncipherment bool

The key may be used to encipher other keys.

certSign Boolean

The key may be used to sign certificates.

contentCommitment Boolean

The key may be used for cryptographic commitments. Note that this may also be referred to as "non-repudiation".

crlSign Boolean

The key may be used to sign certificate revocation lists.

dataEncipherment Boolean

The key may be used to encipher data.

decipherOnly Boolean

The key may be used to decipher only.

digitalSignature Boolean

The key may be used for digital signatures.

encipherOnly Boolean

The key may be used to encipher only.

keyAgreement Boolean

The key may be used in a key agreement protocol.

keyEncipherment Boolean

The key may be used to encipher other keys.

certSign boolean

The key may be used to sign certificates.

contentCommitment boolean

The key may be used for cryptographic commitments. Note that this may also be referred to as "non-repudiation".

crlSign boolean

The key may be used to sign certificate revocation lists.

dataEncipherment boolean

The key may be used to encipher data.

decipherOnly boolean

The key may be used to decipher only.

digitalSignature boolean

The key may be used for digital signatures.

encipherOnly boolean

The key may be used to encipher only.

keyAgreement boolean

The key may be used in a key agreement protocol.

keyEncipherment boolean

The key may be used to encipher other keys.

cert_sign bool

The key may be used to sign certificates.

content_commitment bool

The key may be used for cryptographic commitments. Note that this may also be referred to as "non-repudiation".

crl_sign bool

The key may be used to sign certificate revocation lists.

data_encipherment bool

The key may be used to encipher data.

decipher_only bool

The key may be used to decipher only.

digital_signature bool

The key may be used for digital signatures.

encipher_only bool

The key may be used to encipher only.

key_agreement bool

The key may be used in a key agreement protocol.

key_encipherment bool

The key may be used to encipher other keys.

certSign Boolean

The key may be used to sign certificates.

contentCommitment Boolean

The key may be used for cryptographic commitments. Note that this may also be referred to as "non-repudiation".

crlSign Boolean

The key may be used to sign certificate revocation lists.

dataEncipherment Boolean

The key may be used to encipher data.

decipherOnly Boolean

The key may be used to decipher only.

digitalSignature Boolean

The key may be used for digital signatures.

encipherOnly Boolean

The key may be used to encipher only.

keyAgreement Boolean

The key may be used in a key agreement protocol.

keyEncipherment Boolean

The key may be used to encipher other keys.

CertificateCertificateDescriptionConfigValueKeyUsageExtendedKeyUsage

ClientAuth bool

Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as "TLS WWW client authentication", though regularly used for non-WWW TLS.

CodeSigning bool

Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as "Signing of downloadable executable code".

EmailProtection bool

Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as "Email protection".

OcspSigning bool

Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as "Signing OCSP responses".

ServerAuth bool

Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as "TLS WWW server authentication", though regularly used for non-WWW TLS.

TimeStamping bool

Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as "Binding the hash of an object to a time".

ClientAuth bool

Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as "TLS WWW client authentication", though regularly used for non-WWW TLS.

CodeSigning bool

Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as "Signing of downloadable executable code".

EmailProtection bool

Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as "Email protection".

OcspSigning bool

Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as "Signing OCSP responses".

ServerAuth bool

Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as "TLS WWW server authentication", though regularly used for non-WWW TLS.

TimeStamping bool

Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as "Binding the hash of an object to a time".

clientAuth Boolean

Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as "TLS WWW client authentication", though regularly used for non-WWW TLS.

codeSigning Boolean

Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as "Signing of downloadable executable code".

emailProtection Boolean

Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as "Email protection".

ocspSigning Boolean

Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as "Signing OCSP responses".

serverAuth Boolean

Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as "TLS WWW server authentication", though regularly used for non-WWW TLS.

timeStamping Boolean

Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as "Binding the hash of an object to a time".

clientAuth boolean

Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as "TLS WWW client authentication", though regularly used for non-WWW TLS.

codeSigning boolean

Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as "Signing of downloadable executable code".

emailProtection boolean

Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as "Email protection".

ocspSigning boolean

Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as "Signing OCSP responses".

serverAuth boolean

Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as "TLS WWW server authentication", though regularly used for non-WWW TLS.

timeStamping boolean

Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as "Binding the hash of an object to a time".

client_auth bool

Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as "TLS WWW client authentication", though regularly used for non-WWW TLS.

code_signing bool

Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as "Signing of downloadable executable code".

email_protection bool

Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as "Email protection".

ocsp_signing bool

Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as "Signing OCSP responses".

server_auth bool

Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as "TLS WWW server authentication", though regularly used for non-WWW TLS.

time_stamping bool

Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as "Binding the hash of an object to a time".

clientAuth Boolean

Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as "TLS WWW client authentication", though regularly used for non-WWW TLS.

codeSigning Boolean

Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as "Signing of downloadable executable code".

emailProtection Boolean

Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as "Email protection".

ocspSigning Boolean

Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as "Signing OCSP responses".

serverAuth Boolean

Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as "TLS WWW server authentication", though regularly used for non-WWW TLS.

timeStamping Boolean

Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as "Binding the hash of an object to a time".

CertificateCertificateDescriptionConfigValueKeyUsageUnknownExtendedKeyUsage

ObectIds List<CertificateCertificateDescriptionConfigValueKeyUsageUnknownExtendedKeyUsageObectId>

(Output) Required. Describes how some of the technical fields in a certificate should be populated. Structure is documented below.

ObectIds []CertificateCertificateDescriptionConfigValueKeyUsageUnknownExtendedKeyUsageObectId

(Output) Required. Describes how some of the technical fields in a certificate should be populated. Structure is documented below.

obectIds List<CertificateCertificateDescriptionConfigValueKeyUsageUnknownExtendedKeyUsageObectId>

(Output) Required. Describes how some of the technical fields in a certificate should be populated. Structure is documented below.

obectIds CertificateCertificateDescriptionConfigValueKeyUsageUnknownExtendedKeyUsageObectId[]

(Output) Required. Describes how some of the technical fields in a certificate should be populated. Structure is documented below.

obect_ids Sequence[CertificateCertificateDescriptionConfigValueKeyUsageUnknownExtendedKeyUsageObectId]

(Output) Required. Describes how some of the technical fields in a certificate should be populated. Structure is documented below.

obectIds List<Property Map>

(Output) Required. Describes how some of the technical fields in a certificate should be populated. Structure is documented below.

CertificateCertificateDescriptionConfigValueKeyUsageUnknownExtendedKeyUsageObectId

ObjectIdPaths List<int>

(Required) An ObjectId specifies an object identifier (OID), expressed here as the list of integers that make up its path. These provide context and describe types in ASN.1 messages.

ObjectIdPaths []int

(Required) An ObjectId specifies an object identifier (OID), expressed here as the list of integers that make up its path. These provide context and describe types in ASN.1 messages.

objectIdPaths List<Integer>

(Required) An ObjectId specifies an object identifier (OID), expressed here as the list of integers that make up its path. These provide context and describe types in ASN.1 messages.

objectIdPaths number[]

(Required) An ObjectId specifies an object identifier (OID), expressed here as the list of integers that make up its path. These provide context and describe types in ASN.1 messages.

object_id_paths Sequence[int]

(Required) An ObjectId specifies an object identifier (OID), expressed here as the list of integers that make up its path. These provide context and describe types in ASN.1 messages.

objectIdPaths List<Number>

(Required) An ObjectId specifies an object identifier (OID), expressed here as the list of integers that make up its path. These provide context and describe types in ASN.1 messages.

CertificateCertificateDescriptionPublicKey

Format string

The format of the public key. Currently, only PEM format is supported. Possible values are KEY_TYPE_UNSPECIFIED and PEM.

Key string

Required. A public key. When this is specified in a request, the padding and encoding can be any of the options described by the respective 'KeyType' value. When this is generated by the service, it will always be an RFC 5280 SubjectPublicKeyInfo structure containing an algorithm identifier and a key. A base64-encoded string.

Format string

The format of the public key. Currently, only PEM format is supported. Possible values are KEY_TYPE_UNSPECIFIED and PEM.

Key string

Required. A public key. When this is specified in a request, the padding and encoding can be any of the options described by the respective 'KeyType' value. When this is generated by the service, it will always be an RFC 5280 SubjectPublicKeyInfo structure containing an algorithm identifier and a key. A base64-encoded string.

format String

The format of the public key. Currently, only PEM format is supported. Possible values are KEY_TYPE_UNSPECIFIED and PEM.

key String

Required. A public key. When this is specified in a request, the padding and encoding can be any of the options described by the respective 'KeyType' value. When this is generated by the service, it will always be an RFC 5280 SubjectPublicKeyInfo structure containing an algorithm identifier and a key. A base64-encoded string.

format string

The format of the public key. Currently, only PEM format is supported. Possible values are KEY_TYPE_UNSPECIFIED and PEM.

key string

Required. A public key. When this is specified in a request, the padding and encoding can be any of the options described by the respective 'KeyType' value. When this is generated by the service, it will always be an RFC 5280 SubjectPublicKeyInfo structure containing an algorithm identifier and a key. A base64-encoded string.

format str

The format of the public key. Currently, only PEM format is supported. Possible values are KEY_TYPE_UNSPECIFIED and PEM.

key str

Required. A public key. When this is specified in a request, the padding and encoding can be any of the options described by the respective 'KeyType' value. When this is generated by the service, it will always be an RFC 5280 SubjectPublicKeyInfo structure containing an algorithm identifier and a key. A base64-encoded string.

format String

The format of the public key. Currently, only PEM format is supported. Possible values are KEY_TYPE_UNSPECIFIED and PEM.

key String

Required. A public key. When this is specified in a request, the padding and encoding can be any of the options described by the respective 'KeyType' value. When this is generated by the service, it will always be an RFC 5280 SubjectPublicKeyInfo structure containing an algorithm identifier and a key. A base64-encoded string.

CertificateCertificateDescriptionSubjectDescription

HexSerialNumber string

(Output) The serial number encoded in lowercase hexadecimal.

Lifetime string

The desired lifetime of the CA certificate. Used to create the "notBeforeTime" and "notAfterTime" fields inside an X.509 certificate. A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s".

NotAfterTime string

(Output) The time at which the certificate expires.

NotBeforeTime string

(Output) The time at which the certificate becomes valid.

SubjectAltNames List<CertificateCertificateDescriptionSubjectDescriptionSubjectAltName>

The subject alternative name fields. Structure is documented below.

Subjects List<CertificateCertificateDescriptionSubjectDescriptionSubject>

Contains distinguished name fields such as the location and organization. Structure is documented below.

HexSerialNumber string

(Output) The serial number encoded in lowercase hexadecimal.

Lifetime string

The desired lifetime of the CA certificate. Used to create the "notBeforeTime" and "notAfterTime" fields inside an X.509 certificate. A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s".

NotAfterTime string

(Output) The time at which the certificate expires.

NotBeforeTime string

(Output) The time at which the certificate becomes valid.

SubjectAltNames []CertificateCertificateDescriptionSubjectDescriptionSubjectAltName

The subject alternative name fields. Structure is documented below.

Subjects []CertificateCertificateDescriptionSubjectDescriptionSubject

Contains distinguished name fields such as the location and organization. Structure is documented below.

hexSerialNumber String

(Output) The serial number encoded in lowercase hexadecimal.

lifetime String

The desired lifetime of the CA certificate. Used to create the "notBeforeTime" and "notAfterTime" fields inside an X.509 certificate. A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s".

notAfterTime String

(Output) The time at which the certificate expires.

notBeforeTime String

(Output) The time at which the certificate becomes valid.

subjectAltNames List<CertificateCertificateDescriptionSubjectDescriptionSubjectAltName>

The subject alternative name fields. Structure is documented below.

subjects List<CertificateCertificateDescriptionSubjectDescriptionSubject>

Contains distinguished name fields such as the location and organization. Structure is documented below.

hexSerialNumber string

(Output) The serial number encoded in lowercase hexadecimal.

lifetime string

The desired lifetime of the CA certificate. Used to create the "notBeforeTime" and "notAfterTime" fields inside an X.509 certificate. A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s".

notAfterTime string

(Output) The time at which the certificate expires.

notBeforeTime string

(Output) The time at which the certificate becomes valid.

subjectAltNames CertificateCertificateDescriptionSubjectDescriptionSubjectAltName[]

The subject alternative name fields. Structure is documented below.

subjects CertificateCertificateDescriptionSubjectDescriptionSubject[]

Contains distinguished name fields such as the location and organization. Structure is documented below.

hex_serial_number str

(Output) The serial number encoded in lowercase hexadecimal.

lifetime str

The desired lifetime of the CA certificate. Used to create the "notBeforeTime" and "notAfterTime" fields inside an X.509 certificate. A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s".

not_after_time str

(Output) The time at which the certificate expires.

not_before_time str

(Output) The time at which the certificate becomes valid.

subject_alt_names Sequence[CertificateCertificateDescriptionSubjectDescriptionSubjectAltName]

The subject alternative name fields. Structure is documented below.

subjects Sequence[CertificateCertificateDescriptionSubjectDescriptionSubject]

Contains distinguished name fields such as the location and organization. Structure is documented below.

hexSerialNumber String

(Output) The serial number encoded in lowercase hexadecimal.

lifetime String

The desired lifetime of the CA certificate. Used to create the "notBeforeTime" and "notAfterTime" fields inside an X.509 certificate. A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s".

notAfterTime String

(Output) The time at which the certificate expires.

notBeforeTime String

(Output) The time at which the certificate becomes valid.

subjectAltNames List<Property Map>

The subject alternative name fields. Structure is documented below.

subjects List<Property Map>

Contains distinguished name fields such as the location and organization. Structure is documented below.

CertificateCertificateDescriptionSubjectDescriptionSubject

CommonName string

The common name of the distinguished name.

CountryCode string

The country code of the subject.

Locality string

The locality or city of the subject.

Organization string

The organization of the subject.

OrganizationalUnit string

The organizational unit of the subject.

PostalCode string

The postal code of the subject.

Province string

The province, territory, or regional state of the subject.

StreetAddress string

The street address of the subject.

CommonName string

The common name of the distinguished name.

CountryCode string

The country code of the subject.

Locality string

The locality or city of the subject.

Organization string

The organization of the subject.

OrganizationalUnit string

The organizational unit of the subject.

PostalCode string

The postal code of the subject.

Province string

The province, territory, or regional state of the subject.

StreetAddress string

The street address of the subject.

commonName String

The common name of the distinguished name.

countryCode String

The country code of the subject.

locality String

The locality or city of the subject.

organization String

The organization of the subject.

organizationalUnit String

The organizational unit of the subject.

postalCode String

The postal code of the subject.

province String

The province, territory, or regional state of the subject.

streetAddress String

The street address of the subject.

commonName string

The common name of the distinguished name.

countryCode string

The country code of the subject.

locality string

The locality or city of the subject.

organization string

The organization of the subject.

organizationalUnit string

The organizational unit of the subject.

postalCode string

The postal code of the subject.

province string

The province, territory, or regional state of the subject.

streetAddress string

The street address of the subject.

common_name str

The common name of the distinguished name.

country_code str

The country code of the subject.

locality str

The locality or city of the subject.

organization str

The organization of the subject.

organizational_unit str

The organizational unit of the subject.

postal_code str

The postal code of the subject.

province str

The province, territory, or regional state of the subject.

street_address str

The street address of the subject.

commonName String

The common name of the distinguished name.

countryCode String

The country code of the subject.

locality String

The locality or city of the subject.

organization String

The organization of the subject.

organizationalUnit String

The organizational unit of the subject.

postalCode String

The postal code of the subject.

province String

The province, territory, or regional state of the subject.

streetAddress String

The street address of the subject.

CertificateCertificateDescriptionSubjectDescriptionSubjectAltName

CustomSans List<CertificateCertificateDescriptionSubjectDescriptionSubjectAltNameCustomSan>

(Output) Contains additional subject alternative name values. Structure is documented below.

DnsNames List<string>

Contains only valid, fully-qualified host names.

EmailAddresses List<string>

Contains only valid RFC 2822 E-mail addresses.

IpAddresses List<string>

Contains only valid 32-bit IPv4 addresses or RFC 4291 IPv6 addresses.

Uris List<string>

Contains only valid RFC 3986 URIs.

CustomSans []CertificateCertificateDescriptionSubjectDescriptionSubjectAltNameCustomSan

(Output) Contains additional subject alternative name values. Structure is documented below.

DnsNames []string

Contains only valid, fully-qualified host names.

EmailAddresses []string

Contains only valid RFC 2822 E-mail addresses.

IpAddresses []string

Contains only valid 32-bit IPv4 addresses or RFC 4291 IPv6 addresses.

Uris []string

Contains only valid RFC 3986 URIs.

customSans List<CertificateCertificateDescriptionSubjectDescriptionSubjectAltNameCustomSan>

(Output) Contains additional subject alternative name values. Structure is documented below.

dnsNames List<String>

Contains only valid, fully-qualified host names.

emailAddresses List<String>

Contains only valid RFC 2822 E-mail addresses.

ipAddresses List<String>

Contains only valid 32-bit IPv4 addresses or RFC 4291 IPv6 addresses.

uris List<String>

Contains only valid RFC 3986 URIs.

customSans CertificateCertificateDescriptionSubjectDescriptionSubjectAltNameCustomSan[]

(Output) Contains additional subject alternative name values. Structure is documented below.

dnsNames string[]

Contains only valid, fully-qualified host names.

emailAddresses string[]

Contains only valid RFC 2822 E-mail addresses.

ipAddresses string[]

Contains only valid 32-bit IPv4 addresses or RFC 4291 IPv6 addresses.

uris string[]

Contains only valid RFC 3986 URIs.

custom_sans Sequence[CertificateCertificateDescriptionSubjectDescriptionSubjectAltNameCustomSan]

(Output) Contains additional subject alternative name values. Structure is documented below.

dns_names Sequence[str]

Contains only valid, fully-qualified host names.

email_addresses Sequence[str]

Contains only valid RFC 2822 E-mail addresses.

ip_addresses Sequence[str]

Contains only valid 32-bit IPv4 addresses or RFC 4291 IPv6 addresses.

uris Sequence[str]

Contains only valid RFC 3986 URIs.

customSans List<Property Map>

(Output) Contains additional subject alternative name values. Structure is documented below.

dnsNames List<String>

Contains only valid, fully-qualified host names.

emailAddresses List<String>

Contains only valid RFC 2822 E-mail addresses.

ipAddresses List<String>

Contains only valid 32-bit IPv4 addresses or RFC 4291 IPv6 addresses.

uris List<String>

Contains only valid RFC 3986 URIs.

CertificateCertificateDescriptionSubjectDescriptionSubjectAltNameCustomSan

Critical bool

Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error). (Required) Indicates whether or not the name constraints are marked critical.

ObectIds List<CertificateCertificateDescriptionSubjectDescriptionSubjectAltNameCustomSanObectId>

(Output) Required. Describes how some of the technical fields in a certificate should be populated. Structure is documented below.

Value string

The value of this X.509 extension. A base64-encoded string.

Critical bool

Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error). (Required) Indicates whether or not the name constraints are marked critical.

ObectIds []CertificateCertificateDescriptionSubjectDescriptionSubjectAltNameCustomSanObectId

(Output) Required. Describes how some of the technical fields in a certificate should be populated. Structure is documented below.

Value string

The value of this X.509 extension. A base64-encoded string.

critical Boolean

Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error). (Required) Indicates whether or not the name constraints are marked critical.

obectIds List<CertificateCertificateDescriptionSubjectDescriptionSubjectAltNameCustomSanObectId>

(Output) Required. Describes how some of the technical fields in a certificate should be populated. Structure is documented below.

value String

The value of this X.509 extension. A base64-encoded string.

critical boolean

Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error). (Required) Indicates whether or not the name constraints are marked critical.

obectIds CertificateCertificateDescriptionSubjectDescriptionSubjectAltNameCustomSanObectId[]

(Output) Required. Describes how some of the technical fields in a certificate should be populated. Structure is documented below.

value string

The value of this X.509 extension. A base64-encoded string.

critical bool

Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error). (Required) Indicates whether or not the name constraints are marked critical.

obect_ids Sequence[CertificateCertificateDescriptionSubjectDescriptionSubjectAltNameCustomSanObectId]

(Output) Required. Describes how some of the technical fields in a certificate should be populated. Structure is documented below.

value str

The value of this X.509 extension. A base64-encoded string.

critical Boolean

Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error). (Required) Indicates whether or not the name constraints are marked critical.

obectIds List<Property Map>

(Output) Required. Describes how some of the technical fields in a certificate should be populated. Structure is documented below.

value String

The value of this X.509 extension. A base64-encoded string.

CertificateCertificateDescriptionSubjectDescriptionSubjectAltNameCustomSanObectId

ObjectIdPaths List<int>

(Required) An ObjectId specifies an object identifier (OID), expressed here as the list of integers that make up its path. These provide context and describe types in ASN.1 messages.

ObjectIdPaths []int

(Required) An ObjectId specifies an object identifier (OID), expressed here as the list of integers that make up its path. These provide context and describe types in ASN.1 messages.

objectIdPaths List<Integer>

(Required) An ObjectId specifies an object identifier (OID), expressed here as the list of integers that make up its path. These provide context and describe types in ASN.1 messages.

objectIdPaths number[]

(Required) An ObjectId specifies an object identifier (OID), expressed here as the list of integers that make up its path. These provide context and describe types in ASN.1 messages.

object_id_paths Sequence[int]

(Required) An ObjectId specifies an object identifier (OID), expressed here as the list of integers that make up its path. These provide context and describe types in ASN.1 messages.

objectIdPaths List<Number>

(Required) An ObjectId specifies an object identifier (OID), expressed here as the list of integers that make up its path. These provide context and describe types in ASN.1 messages.

CertificateCertificateDescriptionSubjectKeyId

KeyId string

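(Output) Optional. The value of this KeyId encoded in lowercase hexadecimal. This is most likely the 160-bit SHA-1 hash of the public key; it is an identifier used to match certificates to keys during chain building, not an integrity or authenticity check on the key.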

KeyId string

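(Output) Optional. The value of this KeyId encoded in lowercase hexadecimal. This is most likely the 160-bit SHA-1 hash of the public key; it is an identifier used to match certificates to keys during chain building, not an integrity or authenticity check on the key.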

keyId String

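(Output) Optional. The value of this KeyId encoded in lowercase hexadecimal. This is most likely the 160-bit SHA-1 hash of the public key; it is an identifier used to match certificates to keys during chain building, not an integrity or authenticity check on the key.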

keyId string

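(Output) Optional. The value of this KeyId encoded in lowercase hexadecimal. This is most likely the 160-bit SHA-1 hash of the public key; it is an identifier used to match certificates to keys during chain building, not an integrity or authenticity check on the key.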

key_id str

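(Output) Optional. The value of this KeyId encoded in lowercase hexadecimal. This is most likely the 160-bit SHA-1 hash of the public key; it is an identifier used to match certificates to keys during chain building, not an integrity or authenticity check on the key.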

keyId String

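(Output) Optional. The value of this KeyId encoded in lowercase hexadecimal. This is most likely the 160-bit SHA-1 hash of the public key; it is an identifier used to match certificates to keys during chain building, not an integrity or authenticity check on the key.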

CertificateCertificateDescriptionX509Description

AdditionalExtensions List<CertificateCertificateDescriptionX509DescriptionAdditionalExtension>

Specifies an X.509 extension, which may be used in different parts of X.509 objects like certificates, CSRs, and CRLs. Structure is documented below.

AiaOcspServers List<string>

Describes Online Certificate Status Protocol (OCSP) endpoint addresses that appear in the "Authority Information Access" extension in the certificate.

CaOptions List<CertificateCertificateDescriptionX509DescriptionCaOption>

Describes values that are relevant in a CA certificate. Structure is documented below.

KeyUsages List<CertificateCertificateDescriptionX509DescriptionKeyUsage>

Indicates the intended use for keys that correspond to a certificate. Structure is documented below.

NameConstraints List<CertificateCertificateDescriptionX509DescriptionNameConstraint>

Describes the X.509 name constraints extension. Structure is documented below.

PolicyIds List<CertificateCertificateDescriptionX509DescriptionPolicyId>

Describes the X.509 certificate policy object identifiers, per https://tools.ietf.org/html/rfc5280#section-4.2.1.4. Structure is documented below.

AdditionalExtensions []CertificateCertificateDescriptionX509DescriptionAdditionalExtension

Specifies an X.509 extension, which may be used in different parts of X.509 objects like certificates, CSRs, and CRLs. Structure is documented below.

AiaOcspServers []string

Describes Online Certificate Status Protocol (OCSP) endpoint addresses that appear in the "Authority Information Access" extension in the certificate.

CaOptions []CertificateCertificateDescriptionX509DescriptionCaOption

Describes values that are relevant in a CA certificate. Structure is documented below.

KeyUsages []CertificateCertificateDescriptionX509DescriptionKeyUsage

Indicates the intended use for keys that correspond to a certificate. Structure is documented below.

NameConstraints []CertificateCertificateDescriptionX509DescriptionNameConstraint

Describes the X.509 name constraints extension. Structure is documented below.

PolicyIds []CertificateCertificateDescriptionX509DescriptionPolicyId

Describes the X.509 certificate policy object identifiers, per https://tools.ietf.org/html/rfc5280#section-4.2.1.4. Structure is documented below.

additionalExtensions List<CertificateCertificateDescriptionX509DescriptionAdditionalExtension>

Specifies an X.509 extension, which may be used in different parts of X.509 objects like certificates, CSRs, and CRLs. Structure is documented below.

aiaOcspServers List<String>

Describes Online Certificate Status Protocol (OCSP) endpoint addresses that appear in the "Authority Information Access" extension in the certificate.

caOptions List<CertificateCertificateDescriptionX509DescriptionCaOption>

Describes values that are relevant in a CA certificate. Structure is documented below.

keyUsages List<CertificateCertificateDescriptionX509DescriptionKeyUsage>

Indicates the intended use for keys that correspond to a certificate. Structure is documented below.

nameConstraints List<CertificateCertificateDescriptionX509DescriptionNameConstraint>

Describes the X.509 name constraints extension. Structure is documented below.

policyIds List<CertificateCertificateDescriptionX509DescriptionPolicyId>

Describes the X.509 certificate policy object identifiers, per https://tools.ietf.org/html/rfc5280#section-4.2.1.4. Structure is documented below.

additionalExtensions CertificateCertificateDescriptionX509DescriptionAdditionalExtension[]

Specifies an X.509 extension, which may be used in different parts of X.509 objects like certificates, CSRs, and CRLs. Structure is documented below.

aiaOcspServers string[]

Describes Online Certificate Status Protocol (OCSP) endpoint addresses that appear in the "Authority Information Access" extension in the certificate.

caOptions CertificateCertificateDescriptionX509DescriptionCaOption[]

Describes values that are relevant in a CA certificate. Structure is documented below.

keyUsages CertificateCertificateDescriptionX509DescriptionKeyUsage[]

Indicates the intended use for keys that correspond to a certificate. Structure is documented below.

nameConstraints CertificateCertificateDescriptionX509DescriptionNameConstraint[]

Describes the X.509 name constraints extension. Structure is documented below.

policyIds CertificateCertificateDescriptionX509DescriptionPolicyId[]

Describes the X.509 certificate policy object identifiers, per https://tools.ietf.org/html/rfc5280#section-4.2.1.4. Structure is documented below.

additional_extensions Sequence[CertificateCertificateDescriptionX509DescriptionAdditionalExtension]

Specifies an X.509 extension, which may be used in different parts of X.509 objects like certificates, CSRs, and CRLs. Structure is documented below.

aia_ocsp_servers Sequence[str]

Describes Online Certificate Status Protocol (OCSP) endpoint addresses that appear in the "Authority Information Access" extension in the certificate.

ca_options Sequence[CertificateCertificateDescriptionX509DescriptionCaOption]

Describes values that are relevant in a CA certificate. Structure is documented below.

key_usages Sequence[CertificateCertificateDescriptionX509DescriptionKeyUsage]

Indicates the intended use for keys that correspond to a certificate. Structure is documented below.

name_constraints Sequence[CertificateCertificateDescriptionX509DescriptionNameConstraint]

Describes the X.509 name constraints extension. Structure is documented below.

policy_ids Sequence[CertificateCertificateDescriptionX509DescriptionPolicyId]

Describes the X.509 certificate policy object identifiers, per https://tools.ietf.org/html/rfc5280#section-4.2.1.4. Structure is documented below.

additionalExtensions List<Property Map>

Specifies an X.509 extension, which may be used in different parts of X.509 objects like certificates, CSRs, and CRLs. Structure is documented below.

aiaOcspServers List<String>

Describes Online Certificate Status Protocol (OCSP) endpoint addresses that appear in the "Authority Information Access" extension in the certificate.

caOptions List<Property Map>

Describes values that are relevant in a CA certificate. Structure is documented below.

keyUsages List<Property Map>

Indicates the intended use for keys that correspond to a certificate. Structure is documented below.

nameConstraints List<Property Map>

Describes the X.509 name constraints extension. Structure is documented below.

policyIds List<Property Map>

Describes the X.509 certificate policy object identifiers, per https://tools.ietf.org/html/rfc5280#section-4.2.1.4. Structure is documented below.

CertificateCertificateDescriptionX509DescriptionAdditionalExtension

Critical bool

Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error).

ObjectIds List<CertificateCertificateDescriptionX509DescriptionAdditionalExtensionObjectId>

Describes the object identifier (OID) of this X.509 extension. Structure is documented below.

Value string

The value of this X.509 extension. A base64-encoded string.

Critical bool

Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error).

ObjectIds []CertificateCertificateDescriptionX509DescriptionAdditionalExtensionObjectId

Describes the object identifier (OID) of this X.509 extension. Structure is documented below.

Value string

The value of this X.509 extension. A base64-encoded string.

critical Boolean

Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error).

objectIds List<CertificateCertificateDescriptionX509DescriptionAdditionalExtensionObjectId>

Describes the object identifier (OID) of this X.509 extension. Structure is documented below.

value String

The value of this X.509 extension. A base64-encoded string.

critical boolean

Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error).

objectIds CertificateCertificateDescriptionX509DescriptionAdditionalExtensionObjectId[]

Describes the object identifier (OID) of this X.509 extension. Structure is documented below.

value string

The value of this X.509 extension. A base64-encoded string.

critical bool

Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error).

object_ids Sequence[CertificateCertificateDescriptionX509DescriptionAdditionalExtensionObjectId]

Describes the object identifier (OID) of this X.509 extension. Structure is documented below.

value str

The value of this X.509 extension. A base64-encoded string.

critical Boolean

Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error).

objectIds List<Property Map>

Describes the object identifier (OID) of this X.509 extension. Structure is documented below.

value String

The value of this X.509 extension. A base64-encoded string.

CertificateCertificateDescriptionX509DescriptionAdditionalExtensionObjectId

ObjectIdPaths List<int>

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.

ObjectIdPaths []int

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.

objectIdPaths List<Integer>

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.

objectIdPaths number[]

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.

object_id_paths Sequence[int]

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.

objectIdPaths List<Number>

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.

CertificateCertificateDescriptionX509DescriptionCaOption

IsCa bool

When true, the "CA" in Basic Constraints extension will be set to true.

MaxIssuerPathLength int

Refers to the "path length constraint" in Basic Constraints extension. For a CA certificate, this value describes the depth of subordinate CA certificates that are allowed. If this value is less than 0, the request will fail.

IsCa bool

When true, the "CA" in Basic Constraints extension will be set to true.

MaxIssuerPathLength int

Refers to the "path length constraint" in Basic Constraints extension. For a CA certificate, this value describes the depth of subordinate CA certificates that are allowed. If this value is less than 0, the request will fail.

isCa Boolean

When true, the "CA" in Basic Constraints extension will be set to true.

maxIssuerPathLength Integer

Refers to the "path length constraint" in Basic Constraints extension. For a CA certificate, this value describes the depth of subordinate CA certificates that are allowed. If this value is less than 0, the request will fail.

isCa boolean

When true, the "CA" in Basic Constraints extension will be set to true.

maxIssuerPathLength number

Refers to the "path length constraint" in Basic Constraints extension. For a CA certificate, this value describes the depth of subordinate CA certificates that are allowed. If this value is less than 0, the request will fail.

is_ca bool

When true, the "CA" in Basic Constraints extension will be set to true.

max_issuer_path_length int

Refers to the "path length constraint" in Basic Constraints extension. For a CA certificate, this value describes the depth of subordinate CA certificates that are allowed. If this value is less than 0, the request will fail.

isCa Boolean

When true, the "CA" in Basic Constraints extension will be set to true.

maxIssuerPathLength Number

Refers to the "path length constraint" in Basic Constraints extension. For a CA certificate, this value describes the depth of subordinate CA certificates that are allowed. If this value is less than 0, the request will fail.

CertificateCertificateDescriptionX509DescriptionKeyUsage

BaseKeyUsages List<CertificateCertificateDescriptionX509DescriptionKeyUsageBaseKeyUsage>

Describes high-level ways in which a key may be used. Structure is documented below.

ExtendedKeyUsages List<CertificateCertificateDescriptionX509DescriptionKeyUsageExtendedKeyUsage>

Describes high-level ways in which a key may be used. Structure is documented below.

UnknownExtendedKeyUsages List<CertificateCertificateDescriptionX509DescriptionKeyUsageUnknownExtendedKeyUsage>

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. Structure is documented below.

BaseKeyUsages []CertificateCertificateDescriptionX509DescriptionKeyUsageBaseKeyUsage

Describes high-level ways in which a key may be used. Structure is documented below.

ExtendedKeyUsages []CertificateCertificateDescriptionX509DescriptionKeyUsageExtendedKeyUsage

Describes high-level ways in which a key may be used. Structure is documented below.

UnknownExtendedKeyUsages []CertificateCertificateDescriptionX509DescriptionKeyUsageUnknownExtendedKeyUsage

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. Structure is documented below.

baseKeyUsages List<CertificateCertificateDescriptionX509DescriptionKeyUsageBaseKeyUsage>

Describes high-level ways in which a key may be used. Structure is documented below.

extendedKeyUsages List<CertificateCertificateDescriptionX509DescriptionKeyUsageExtendedKeyUsage>

Describes high-level ways in which a key may be used. Structure is documented below.

unknownExtendedKeyUsages List<CertificateCertificateDescriptionX509DescriptionKeyUsageUnknownExtendedKeyUsage>

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. Structure is documented below.

baseKeyUsages CertificateCertificateDescriptionX509DescriptionKeyUsageBaseKeyUsage[]

Describes high-level ways in which a key may be used. Structure is documented below.

extendedKeyUsages CertificateCertificateDescriptionX509DescriptionKeyUsageExtendedKeyUsage[]

Describes high-level ways in which a key may be used. Structure is documented below.

unknownExtendedKeyUsages CertificateCertificateDescriptionX509DescriptionKeyUsageUnknownExtendedKeyUsage[]

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. Structure is documented below.

base_key_usages Sequence[CertificateCertificateDescriptionX509DescriptionKeyUsageBaseKeyUsage]

Describes high-level ways in which a key may be used. Structure is documented below.

extended_key_usages Sequence[CertificateCertificateDescriptionX509DescriptionKeyUsageExtendedKeyUsage]

Describes high-level ways in which a key may be used. Structure is documented below.

unknown_extended_key_usages Sequence[CertificateCertificateDescriptionX509DescriptionKeyUsageUnknownExtendedKeyUsage]

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. Structure is documented below.

baseKeyUsages List<Property Map>

Describes high-level ways in which a key may be used. Structure is documented below.

extendedKeyUsages List<Property Map>

Describes high-level ways in which a key may be used. Structure is documented below.

unknownExtendedKeyUsages List<Property Map>

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. Structure is documented below.

CertificateCertificateDescriptionX509DescriptionKeyUsageBaseKeyUsage

CertSign bool

The key may be used to sign certificates.

ContentCommitment bool

The key may be used for cryptographic commitments. Note that this may also be referred to as "non-repudiation".

CrlSign bool

The key may be used to sign certificate revocation lists.

DataEncipherment bool

The key may be used to encipher data.

DecipherOnly bool

The key may be used to decipher only.

DigitalSignature bool

The key may be used for digital signatures.

EncipherOnly bool

The key may be used to encipher only.

KeyAgreement bool

The key may be used in a key agreement protocol.

KeyEncipherment bool

The key may be used to encipher other keys.

CertSign bool

The key may be used to sign certificates.

ContentCommitment bool

The key may be used for cryptographic commitments. Note that this may also be referred to as "non-repudiation".

CrlSign bool

The key may be used to sign certificate revocation lists.

DataEncipherment bool

The key may be used to encipher data.

DecipherOnly bool

The key may be used to decipher only.

DigitalSignature bool

The key may be used for digital signatures.

EncipherOnly bool

The key may be used to encipher only.

KeyAgreement bool

The key may be used in a key agreement protocol.

KeyEncipherment bool

The key may be used to encipher other keys.

certSign Boolean

The key may be used to sign certificates.

contentCommitment Boolean

The key may be used for cryptographic commitments. Note that this may also be referred to as "non-repudiation".

crlSign Boolean

The key may be used to sign certificate revocation lists.

dataEncipherment Boolean

The key may be used to encipher data.

decipherOnly Boolean

The key may be used to decipher only.

digitalSignature Boolean

The key may be used for digital signatures.

encipherOnly Boolean

The key may be used to encipher only.

keyAgreement Boolean

The key may be used in a key agreement protocol.

keyEncipherment Boolean

The key may be used to encipher other keys.

certSign boolean

The key may be used to sign certificates.

contentCommitment boolean

The key may be used for cryptographic commitments. Note that this may also be referred to as "non-repudiation".

crlSign boolean

The key may be used to sign certificate revocation lists.

dataEncipherment boolean

The key may be used to encipher data.

decipherOnly boolean

The key may be used to decipher only.

digitalSignature boolean

The key may be used for digital signatures.

encipherOnly boolean

The key may be used to encipher only.

keyAgreement boolean

The key may be used in a key agreement protocol.

keyEncipherment boolean

The key may be used to encipher other keys.

cert_sign bool

The key may be used to sign certificates.

content_commitment bool

The key may be used for cryptographic commitments. Note that this may also be referred to as "non-repudiation".

crl_sign bool

The key may be used to sign certificate revocation lists.

data_encipherment bool

The key may be used to encipher data.

decipher_only bool

The key may be used to decipher only.

digital_signature bool

The key may be used for digital signatures.

encipher_only bool

The key may be used to encipher only.

key_agreement bool

The key may be used in a key agreement protocol.

key_encipherment bool

The key may be used to encipher other keys.

certSign Boolean

The key may be used to sign certificates.

contentCommitment Boolean

The key may be used for cryptographic commitments. Note that this may also be referred to as "non-repudiation".

crlSign Boolean

The key may be used to sign certificate revocation lists.

dataEncipherment Boolean

The key may be used to encipher data.

decipherOnly Boolean

The key may be used to decipher only.

digitalSignature Boolean

The key may be used for digital signatures.

encipherOnly Boolean

The key may be used to encipher only.

keyAgreement Boolean

The key may be used in a key agreement protocol.

keyEncipherment Boolean

The key may be used to encipher other keys.

CertificateCertificateDescriptionX509DescriptionKeyUsageExtendedKeyUsage

ClientAuth bool

Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as "TLS WWW client authentication", though regularly used for non-WWW TLS.

CodeSigning bool

Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as "Signing of downloadable executable code".

EmailProtection bool

Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as "Email protection".

OcspSigning bool

Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as "Signing OCSP responses".

ServerAuth bool

Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as "TLS WWW server authentication", though regularly used for non-WWW TLS.

TimeStamping bool

Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as "Binding the hash of an object to a time".

ClientAuth bool

Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as "TLS WWW client authentication", though regularly used for non-WWW TLS.

CodeSigning bool

Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as "Signing of downloadable executable code".

EmailProtection bool

Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as "Email protection".

OcspSigning bool

Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as "Signing OCSP responses".

ServerAuth bool

Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as "TLS WWW server authentication", though regularly used for non-WWW TLS.

TimeStamping bool

Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as "Binding the hash of an object to a time".

clientAuth Boolean

Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as "TLS WWW client authentication", though regularly used for non-WWW TLS.

codeSigning Boolean

Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as "Signing of downloadable executable code".

emailProtection Boolean

Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as "Email protection".

ocspSigning Boolean

Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as "Signing OCSP responses".

serverAuth Boolean

Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as "TLS WWW server authentication", though regularly used for non-WWW TLS.

timeStamping Boolean

Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as "Binding the hash of an object to a time".

clientAuth boolean

Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as "TLS WWW client authentication", though regularly used for non-WWW TLS.

codeSigning boolean

Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as "Signing of downloadable executable code".

emailProtection boolean

Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as "Email protection".

ocspSigning boolean

Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as "Signing OCSP responses".

serverAuth boolean

Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as "TLS WWW server authentication", though regularly used for non-WWW TLS.

timeStamping boolean

Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as "Binding the hash of an object to a time".

client_auth bool

Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as "TLS WWW client authentication", though regularly used for non-WWW TLS.

code_signing bool

Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as "Signing of downloadable executable code".

email_protection bool

Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as "Email protection".

ocsp_signing bool

Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as "Signing OCSP responses".

server_auth bool

Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as "TLS WWW server authentication", though regularly used for non-WWW TLS.

time_stamping bool

Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as "Binding the hash of an object to a time".

clientAuth Boolean

Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as "TLS WWW client authentication", though regularly used for non-WWW TLS.

codeSigning Boolean

Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as "Signing of downloadable executable code".

emailProtection Boolean

Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as "Email protection".

ocspSigning Boolean

Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as "Signing OCSP responses".

serverAuth Boolean

Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as "TLS WWW server authentication", though regularly used for non-WWW TLS.

timeStamping Boolean

Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as "Binding the hash of an object to a time".

CertificateCertificateDescriptionX509DescriptionKeyUsageUnknownExtendedKeyUsage

ObjectIdPaths List<int>

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.

ObjectIdPaths []int

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.

objectIdPaths List<Integer>

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.

objectIdPaths number[]

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.

object_id_paths Sequence[int]

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.

objectIdPaths List<Number>

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.

CertificateCertificateDescriptionX509DescriptionNameConstraint

Critical bool

Indicates whether or not the name constraints are marked critical.

ExcludedDnsNames List<string>

Contains excluded DNS names. Any DNS name that can be constructed by simply adding zero or more labels to the left-hand side of the name satisfies the name constraint. For example, example.com, www.example.com, www.sub.example.com would satisfy example.com while example1.com does not.

ExcludedEmailAddresses List<string>

Contains the excluded email addresses. The value can be a particular email address, a hostname to indicate all email addresses on that host or a domain with a leading period (e.g. .example.com) to indicate all email addresses in that domain.

ExcludedIpRanges List<string>

Contains the excluded IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.

ExcludedUris List<string>

Contains the excluded URIs that apply to the host part of the name. The value can be a hostname or a domain with a leading period (like .example.com)

PermittedDnsNames List<string>

Contains permitted DNS names. Any DNS name that can be constructed by simply adding zero or more labels to the left-hand side of the name satisfies the name constraint. For example, example.com, www.example.com, www.sub.example.com would satisfy example.com while example1.com does not.

PermittedEmailAddresses List<string>

Contains the permitted email addresses. The value can be a particular email address, a hostname to indicate all email addresses on that host or a domain with a leading period (e.g. .example.com) to indicate all email addresses in that domain.

PermittedIpRanges List<string>

Contains the permitted IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.

PermittedUris List<string>

Contains the permitted URIs that apply to the host part of the name. The value can be a hostname or a domain with a leading period (like .example.com)

Critical bool

Indicates whether or not the name constraints are marked critical.

ExcludedDnsNames []string

Contains excluded DNS names. Any DNS name that can be constructed by simply adding zero or more labels to the left-hand side of the name satisfies the name constraint. For example, example.com, www.example.com, www.sub.example.com would satisfy example.com while example1.com does not.

ExcludedEmailAddresses []string

Contains the excluded email addresses. The value can be a particular email address, a hostname to indicate all email addresses on that host or a domain with a leading period (e.g. .example.com) to indicate all email addresses in that domain.

ExcludedIpRanges []string

Contains the excluded IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.

ExcludedUris []string

Contains the excluded URIs that apply to the host part of the name. The value can be a hostname or a domain with a leading period (like .example.com)

PermittedDnsNames []string

Contains permitted DNS names. Any DNS name that can be constructed by simply adding zero or more labels to the left-hand side of the name satisfies the name constraint. For example, example.com, www.example.com, www.sub.example.com would satisfy example.com while example1.com does not.

PermittedEmailAddresses []string

Contains the permitted email addresses. The value can be a particular email address, a hostname to indicate all email addresses on that host or a domain with a leading period (e.g. .example.com) to indicate all email addresses in that domain.

PermittedIpRanges []string

Contains the permitted IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.

PermittedUris []string

Contains the permitted URIs that apply to the host part of the name. The value can be a hostname or a domain with a leading period (like .example.com)

critical Boolean

Indicates whether or not the name constraints are marked critical.

excludedDnsNames List<String>

Contains excluded DNS names. Any DNS name that can be constructed by simply adding zero or more labels to the left-hand side of the name satisfies the name constraint. For example, example.com, www.example.com, www.sub.example.com would satisfy example.com while example1.com does not.

excludedEmailAddresses List<String>

Contains the excluded email addresses. The value can be a particular email address, a hostname to indicate all email addresses on that host or a domain with a leading period (e.g. .example.com) to indicate all email addresses in that domain.

excludedIpRanges List<String>

Contains the excluded IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.

excludedUris List<String>

Contains the excluded URIs that apply to the host part of the name. The value can be a hostname or a domain with a leading period (like .example.com)

permittedDnsNames List<String>

Contains permitted DNS names. Any DNS name that can be constructed by simply adding zero or more labels to the left-hand side of the name satisfies the name constraint. For example, example.com, www.example.com, www.sub.example.com would satisfy example.com while example1.com does not.

permittedEmailAddresses List<String>

Contains the permitted email addresses. The value can be a particular email address, a hostname to indicate all email addresses on that host or a domain with a leading period (e.g. .example.com) to indicate all email addresses in that domain.

permittedIpRanges List<String>

Contains the permitted IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.

permittedUris List<String>

Contains the permitted URIs that apply to the host part of the name. The value can be a hostname or a domain with a leading period (like .example.com)

critical boolean

Indicates whether or not the name constraints are marked critical.

excludedDnsNames string[]

Contains excluded DNS names. Any DNS name that can be constructed by simply adding zero or more labels to the left-hand side of the name satisfies the name constraint. For example, example.com, www.example.com, www.sub.example.com would satisfy example.com while example1.com does not.

excludedEmailAddresses string[]

Contains the excluded email addresses. The value can be a particular email address, a hostname to indicate all email addresses on that host or a domain with a leading period (e.g. .example.com) to indicate all email addresses in that domain.

excludedIpRanges string[]

Contains the excluded IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.

excludedUris string[]

Contains the excluded URIs that apply to the host part of the name. The value can be a hostname or a domain with a leading period (like .example.com)

permittedDnsNames string[]

Contains permitted DNS names. Any DNS name that can be constructed by simply adding zero or more labels to the left-hand side of the name satisfies the name constraint. For example, example.com, www.example.com, www.sub.example.com would satisfy example.com while example1.com does not.

permittedEmailAddresses string[]

Contains the permitted email addresses. The value can be a particular email address, a hostname to indicate all email addresses on that host or a domain with a leading period (e.g. .example.com) to indicate all email addresses in that domain.

permittedIpRanges string[]

Contains the permitted IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.

permittedUris string[]

Contains the permitted URIs that apply to the host part of the name. The value can be a hostname or a domain with a leading period (like .example.com)

critical bool

Indicates whether or not the name constraints are marked critical.

excluded_dns_names Sequence[str]

Contains excluded DNS names. Any DNS name that can be constructed by simply adding zero or more labels to the left-hand side of the name satisfies the name constraint. For example, example.com, www.example.com, www.sub.example.com would satisfy example.com while example1.com does not.

excluded_email_addresses Sequence[str]

Contains the excluded email addresses. The value can be a particular email address, a hostname to indicate all email addresses on that host or a domain with a leading period (e.g. .example.com) to indicate all email addresses in that domain.

excluded_ip_ranges Sequence[str]

Contains the excluded IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.

excluded_uris Sequence[str]

Contains the excluded URIs that apply to the host part of the name. The value can be a hostname or a domain with a leading period (like .example.com)

permitted_dns_names Sequence[str]

Contains permitted DNS names. Any DNS name that can be constructed by simply adding zero or more labels to the left-hand side of the name satisfies the name constraint. For example, example.com, www.example.com, www.sub.example.com would satisfy example.com while example1.com does not.

permitted_email_addresses Sequence[str]

Contains the permitted email addresses. The value can be a particular email address, a hostname to indicate all email addresses on that host or a domain with a leading period (e.g. .example.com) to indicate all email addresses in that domain.

permitted_ip_ranges Sequence[str]

Contains the permitted IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.

permitted_uris Sequence[str]

Contains the permitted URIs that apply to the host part of the name. The value can be a hostname or a domain with a leading period (like .example.com)

critical Boolean

Indicates whether or not the name constraints are marked critical.

excludedDnsNames List<String>

Contains excluded DNS names. Any DNS name that can be constructed by simply adding zero or more labels to the left-hand side of the name satisfies the name constraint. For example, example.com, www.example.com, www.sub.example.com would satisfy example.com while example1.com does not.

excludedEmailAddresses List<String>

Contains the excluded email addresses. The value can be a particular email address, a hostname to indicate all email addresses on that host or a domain with a leading period (e.g. .example.com) to indicate all email addresses in that domain.

excludedIpRanges List<String>

Contains the excluded IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.

excludedUris List<String>

Contains the excluded URIs that apply to the host part of the name. The value can be a hostname or a domain with a leading period (like .example.com)

permittedDnsNames List<String>

Contains permitted DNS names. Any DNS name that can be constructed by simply adding zero or more labels to the left-hand side of the name satisfies the name constraint. For example, example.com, www.example.com, www.sub.example.com would satisfy example.com while example1.com does not.

permittedEmailAddresses List<String>

Contains the permitted email addresses. The value can be a particular email address, a hostname to indicate all email addresses on that host or a domain with a leading period (e.g. .example.com) to indicate all email addresses in that domain.

permittedIpRanges List<String>

Contains the permitted IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in a similar encoding to that used for IPv4 addresses.

permittedUris List<String>

Contains the permitted URIs that apply to the host part of the name. The value can be a hostname or a domain with a leading period (like .example.com)

CertificateCertificateDescriptionX509DescriptionPolicyId

ObjectIdPaths List<int>

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.

ObjectIdPaths []int

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.

objectIdPaths List<Integer>

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.

objectIdPaths number[]

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.

object_id_paths Sequence[int]

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.

objectIdPaths List<Number>

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.

CertificateConfig

PublicKey CertificateConfigPublicKey

A PublicKey describes a public key. Structure is documented below.

SubjectConfig CertificateConfigSubjectConfig

Specifies some of the values in a certificate that are related to the subject. Structure is documented below.

X509Config CertificateConfigX509Config

Describes how some of the technical X.509 fields in a certificate should be populated. Structure is documented below.

PublicKey CertificateConfigPublicKey

A PublicKey describes a public key. Structure is documented below.

SubjectConfig CertificateConfigSubjectConfig

Specifies some of the values in a certificate that are related to the subject. Structure is documented below.

X509Config CertificateConfigX509Config

Describes how some of the technical X.509 fields in a certificate should be populated. Structure is documented below.

publicKey CertificateConfigPublicKey

A PublicKey describes a public key. Structure is documented below.

subjectConfig CertificateConfigSubjectConfig

Specifies some of the values in a certificate that are related to the subject. Structure is documented below.

x509Config CertificateConfigX509Config

Describes how some of the technical X.509 fields in a certificate should be populated. Structure is documented below.

publicKey CertificateConfigPublicKey

A PublicKey describes a public key. Structure is documented below.

subjectConfig CertificateConfigSubjectConfig

Specifies some of the values in a certificate that are related to the subject. Structure is documented below.

x509Config CertificateConfigX509Config

Describes how some of the technical X.509 fields in a certificate should be populated. Structure is documented below.

public_key CertificateConfigPublicKey

A PublicKey describes a public key. Structure is documented below.

subject_config CertificateConfigSubjectConfig

Specifies some of the values in a certificate that are related to the subject. Structure is documented below.

x509_config CertificateConfigX509Config

Describes how some of the technical X.509 fields in a certificate should be populated. Structure is documented below.

publicKey Property Map

A PublicKey describes a public key. Structure is documented below.

subjectConfig Property Map

Specifies some of the values in a certificate that are related to the subject. Structure is documented below.

x509Config Property Map

Describes how some of the technical X.509 fields in a certificate should be populated. Structure is documented below.

CertificateConfigPublicKey

Format string

The format of the public key. Currently, only PEM format is supported. Possible values are KEY_TYPE_UNSPECIFIED and PEM.

Key string

Required. A public key. When this is specified in a request, the padding and encoding can be any of the options described by the respective 'KeyType' value. When this is generated by the service, it will always be an RFC 5280 SubjectPublicKeyInfo structure containing an algorithm identifier and a key. A base64-encoded string.

Format string

The format of the public key. Currently, only PEM format is supported. Possible values are KEY_TYPE_UNSPECIFIED and PEM.

Key string

Required. A public key. When this is specified in a request, the padding and encoding can be any of the options described by the respective 'KeyType' value. When this is generated by the service, it will always be an RFC 5280 SubjectPublicKeyInfo structure containing an algorithm identifier and a key. A base64-encoded string.

format String

The format of the public key. Currently, only PEM format is supported. Possible values are KEY_TYPE_UNSPECIFIED and PEM.

key String

Required. A public key. When this is specified in a request, the padding and encoding can be any of the options described by the respective 'KeyType' value. When this is generated by the service, it will always be an RFC 5280 SubjectPublicKeyInfo structure containing an algorithm identifier and a key. A base64-encoded string.

format string

The format of the public key. Currently, only PEM format is supported. Possible values are KEY_TYPE_UNSPECIFIED and PEM.

key string

Required. A public key. When this is specified in a request, the padding and encoding can be any of the options described by the respective 'KeyType' value. When this is generated by the service, it will always be an RFC 5280 SubjectPublicKeyInfo structure containing an algorithm identifier and a key. A base64-encoded string.

format str

The format of the public key. Currently, only PEM format is supported. Possible values are KEY_TYPE_UNSPECIFIED and PEM.

key str

Required. A public key. When this is specified in a request, the padding and encoding can be any of the options described by the respective 'KeyType' value. When this is generated by the service, it will always be an RFC 5280 SubjectPublicKeyInfo structure containing an algorithm identifier and a key. A base64-encoded string.

format String

The format of the public key. Currently, only PEM format is supported. Possible values are KEY_TYPE_UNSPECIFIED and PEM.

key String

Required. A public key. When this is specified in a request, the padding and encoding can be any of the options described by the respective 'KeyType' value. When this is generated by the service, it will always be an RFC 5280 SubjectPublicKeyInfo structure containing an algorithm identifier and a key. A base64-encoded string.

CertificateConfigSubjectConfig

Subject CertificateConfigSubjectConfigSubject

Contains distinguished name fields such as the location and organization. Structure is documented below.

SubjectAltName CertificateConfigSubjectConfigSubjectAltName

The subject alternative name fields. Structure is documented below.

Subject CertificateConfigSubjectConfigSubject

Contains distinguished name fields such as the location and organization. Structure is documented below.

SubjectAltName CertificateConfigSubjectConfigSubjectAltName

The subject alternative name fields. Structure is documented below.

subject CertificateConfigSubjectConfigSubject

Contains distinguished name fields such as the location and organization. Structure is documented below.

subjectAltName CertificateConfigSubjectConfigSubjectAltName

The subject alternative name fields. Structure is documented below.

subject CertificateConfigSubjectConfigSubject

Contains distinguished name fields such as the location and organization. Structure is documented below.

subjectAltName CertificateConfigSubjectConfigSubjectAltName

The subject alternative name fields. Structure is documented below.

subject CertificateConfigSubjectConfigSubject

Contains distinguished name fields such as the location and organization. Structure is documented below.

subject_alt_name CertificateConfigSubjectConfigSubjectAltName

The subject alternative name fields. Structure is documented below.

subject Property Map

Contains distinguished name fields such as the location and organization. Structure is documented below.

subjectAltName Property Map

The subject alternative name fields. Structure is documented below.

CertificateConfigSubjectConfigSubject

CommonName string

The common name of the distinguished name.

Organization string

The organization of the subject.

CountryCode string

The country code of the subject.

Locality string

The locality or city of the subject.

OrganizationalUnit string

The organizational unit of the subject.

PostalCode string

The postal code of the subject.

Province string

The province, territory, or regional state of the subject.

StreetAddress string

The street address of the subject.

CommonName string

The common name of the distinguished name.

Organization string

The organization of the subject.

CountryCode string

The country code of the subject.

Locality string

The locality or city of the subject.

OrganizationalUnit string

The organizational unit of the subject.

PostalCode string

The postal code of the subject.

Province string

The province, territory, or regional state of the subject.

StreetAddress string

The street address of the subject.

commonName String

The common name of the distinguished name.

organization String

The organization of the subject.

countryCode String

The country code of the subject.

locality String

The locality or city of the subject.

organizationalUnit String

The organizational unit of the subject.

postalCode String

The postal code of the subject.

province String

The province, territory, or regional state of the subject.

streetAddress String

The street address of the subject.

commonName string

The common name of the distinguished name.

organization string

The organization of the subject.

countryCode string

The country code of the subject.

locality string

The locality or city of the subject.

organizationalUnit string

The organizational unit of the subject.

postalCode string

The postal code of the subject.

province string

The province, territory, or regional state of the subject.

streetAddress string

The street address of the subject.

common_name str

The common name of the distinguished name.

organization str

The organization of the subject.

country_code str

The country code of the subject.

locality str

The locality or city of the subject.

organizational_unit str

The organizational unit of the subject.

postal_code str

The postal code of the subject.

province str

The province, territory, or regional state of the subject.

street_address str

The street address of the subject.

commonName String

The common name of the distinguished name.

organization String

The organization of the subject.

countryCode String

The country code of the subject.

locality String

The locality or city of the subject.

organizationalUnit String

The organizational unit of the subject.

postalCode String

The postal code of the subject.

province String

The province, territory, or regional state of the subject.

streetAddress String

The street address of the subject.

CertificateConfigSubjectConfigSubjectAltName

DnsNames List<string>

Contains only valid, fully-qualified host names.

EmailAddresses List<string>

Contains only valid RFC 2822 E-mail addresses.

IpAddresses List<string>

Contains only valid 32-bit IPv4 addresses or RFC 4291 IPv6 addresses.

Uris List<string>

Contains only valid RFC 3986 URIs.

DnsNames []string

Contains only valid, fully-qualified host names.

EmailAddresses []string

Contains only valid RFC 2822 E-mail addresses.

IpAddresses []string

Contains only valid 32-bit IPv4 addresses or RFC 4291 IPv6 addresses.

Uris []string

Contains only valid RFC 3986 URIs.

dnsNames List<String>

Contains only valid, fully-qualified host names.

emailAddresses List<String>

Contains only valid RFC 2822 E-mail addresses.

ipAddresses List<String>

Contains only valid 32-bit IPv4 addresses or RFC 4291 IPv6 addresses.

uris List<String>

Contains only valid RFC 3986 URIs.

dnsNames string[]

Contains only valid, fully-qualified host names.

emailAddresses string[]

Contains only valid RFC 2822 E-mail addresses.

ipAddresses string[]

Contains only valid 32-bit IPv4 addresses or RFC 4291 IPv6 addresses.

uris string[]

Contains only valid RFC 3986 URIs.

dns_names Sequence[str]

Contains only valid, fully-qualified host names.

email_addresses Sequence[str]

Contains only valid RFC 2822 E-mail addresses.

ip_addresses Sequence[str]

Contains only valid 32-bit IPv4 addresses or RFC 4291 IPv6 addresses.

uris Sequence[str]

Contains only valid RFC 3986 URIs.

dnsNames List<String>

Contains only valid, fully-qualified host names.

emailAddresses List<String>

Contains only valid RFC 2822 E-mail addresses.

ipAddresses List<String>

Contains only valid 32-bit IPv4 addresses or RFC 4291 IPv6 addresses.

uris List<String>

Contains only valid RFC 3986 URIs.

CertificateConfigX509Config

KeyUsage CertificateConfigX509ConfigKeyUsage

Indicates the intended use for keys that correspond to a certificate. Structure is documented below.

AdditionalExtensions List<CertificateConfigX509ConfigAdditionalExtension>

Specifies an X.509 extension, which may be used in different parts of X.509 objects like certificates, CSRs, and CRLs. Structure is documented below.

AiaOcspServers List<string>

Describes Online Certificate Status Protocol (OCSP) endpoint addresses that appear in the "Authority Information Access" extension in the certificate.

CaOptions CertificateConfigX509ConfigCaOptions

Describes values that are relevant in a CA certificate. Structure is documented below.

NameConstraints CertificateConfigX509ConfigNameConstraints

Describes the X.509 name constraints extension. Structure is documented below.

PolicyIds List<CertificateConfigX509ConfigPolicyId>

Describes the X.509 certificate policy object identifiers, per https://tools.ietf.org/html/rfc5280#section-4.2.1.4. Structure is documented below.

KeyUsage CertificateConfigX509ConfigKeyUsage

Indicates the intended use for keys that correspond to a certificate. Structure is documented below.

AdditionalExtensions []CertificateConfigX509ConfigAdditionalExtension

Specifies an X.509 extension, which may be used in different parts of X.509 objects like certificates, CSRs, and CRLs. Structure is documented below.

AiaOcspServers []string

Describes Online Certificate Status Protocol (OCSP) endpoint addresses that appear in the "Authority Information Access" extension in the certificate.

CaOptions CertificateConfigX509ConfigCaOptions

Describes values that are relevant in a CA certificate. Structure is documented below.

NameConstraints CertificateConfigX509ConfigNameConstraints

Describes the X.509 name constraints extension. Structure is documented below.

PolicyIds []CertificateConfigX509ConfigPolicyId

Describes the X.509 certificate policy object identifiers, per https://tools.ietf.org/html/rfc5280#section-4.2.1.4. Structure is documented below.

keyUsage CertificateConfigX509ConfigKeyUsage

Indicates the intended use for keys that correspond to a certificate. Structure is documented below.

additionalExtensions List<CertificateConfigX509ConfigAdditionalExtension>

Specifies an X.509 extension, which may be used in different parts of X.509 objects like certificates, CSRs, and CRLs. Structure is documented below.

aiaOcspServers List<String>

Describes Online Certificate Status Protocol (OCSP) endpoint addresses that appear in the "Authority Information Access" extension in the certificate.

caOptions CertificateConfigX509ConfigCaOptions

Describes values that are relevant in a CA certificate. Structure is documented below.

nameConstraints CertificateConfigX509ConfigNameConstraints

Describes the X.509 name constraints extension. Structure is documented below.

policyIds List<CertificateConfigX509ConfigPolicyId>

Describes the X.509 certificate policy object identifiers, per https://tools.ietf.org/html/rfc5280#section-4.2.1.4. Structure is documented below.

keyUsage CertificateConfigX509ConfigKeyUsage

Indicates the intended use for keys that correspond to a certificate. Structure is documented below.

additionalExtensions CertificateConfigX509ConfigAdditionalExtension[]

Specifies an X.509 extension, which may be used in different parts of X.509 objects like certificates, CSRs, and CRLs. Structure is documented below.

aiaOcspServers string[]

Describes Online Certificate Status Protocol (OCSP) endpoint addresses that appear in the "Authority Information Access" extension in the certificate.

caOptions CertificateConfigX509ConfigCaOptions

Describes values that are relevant in a CA certificate. Structure is documented below.

nameConstraints CertificateConfigX509ConfigNameConstraints

Describes the X.509 name constraints extension. Structure is documented below.

policyIds CertificateConfigX509ConfigPolicyId[]

Describes the X.509 certificate policy object identifiers, per https://tools.ietf.org/html/rfc5280#section-4.2.1.4. Structure is documented below.

key_usage CertificateConfigX509ConfigKeyUsage

Indicates the intended use for keys that correspond to a certificate. Structure is documented below.

additional_extensions Sequence[CertificateConfigX509ConfigAdditionalExtension]

Specifies an X.509 extension, which may be used in different parts of X.509 objects like certificates, CSRs, and CRLs. Structure is documented below.

aia_ocsp_servers Sequence[str]

Describes Online Certificate Status Protocol (OCSP) endpoint addresses that appear in the "Authority Information Access" extension in the certificate.

ca_options CertificateConfigX509ConfigCaOptions

Describes values that are relevant in a CA certificate. Structure is documented below.

name_constraints CertificateConfigX509ConfigNameConstraints

Describes the X.509 name constraints extension. Structure is documented below.

policy_ids Sequence[CertificateConfigX509ConfigPolicyId]

Describes the X.509 certificate policy object identifiers, per https://tools.ietf.org/html/rfc5280#section-4.2.1.4. Structure is documented below.

keyUsage Property Map

Indicates the intended use for keys that correspond to a certificate. Structure is documented below.

additionalExtensions List<Property Map>

Specifies an X.509 extension, which may be used in different parts of X.509 objects like certificates, CSRs, and CRLs. Structure is documented below.

aiaOcspServers List<String>

Describes Online Certificate Status Protocol (OCSP) endpoint addresses that appear in the "Authority Information Access" extension in the certificate.

caOptions Property Map

Describes values that are relevant in a CA certificate. Structure is documented below.

nameConstraints Property Map

Describes the X.509 name constraints extension. Structure is documented below.

policyIds List<Property Map>

Describes the X.509 certificate policy object identifiers, per https://tools.ietf.org/html/rfc5280#section-4.2.1.4. Structure is documented below.

CertificateConfigX509ConfigAdditionalExtension

Critical bool

Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error).

ObjectId CertificateConfigX509ConfigAdditionalExtensionObjectId

The object identifier (OID) of this X.509 extension. Structure is documented below.

Value string

The value of this X.509 extension. A base64-encoded string.

Critical bool

Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error).

ObjectId CertificateConfigX509ConfigAdditionalExtensionObjectId

The object identifier (OID) of this X.509 extension. Structure is documented below.

Value string

The value of this X.509 extension. A base64-encoded string.

critical Boolean

Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error).

objectId CertificateConfigX509ConfigAdditionalExtensionObjectId

The object identifier (OID) of this X.509 extension. Structure is documented below.

value String

The value of this X.509 extension. A base64-encoded string.

critical boolean

Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error).

objectId CertificateConfigX509ConfigAdditionalExtensionObjectId

The object identifier (OID) of this X.509 extension. Structure is documented below.

value string

The value of this X.509 extension. A base64-encoded string.

critical bool

Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error).

object_id CertificateConfigX509ConfigAdditionalExtensionObjectId

The object identifier (OID) of this X.509 extension. Structure is documented below.

value str

The value of this X.509 extension. A base64-encoded string.

critical Boolean

Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error).

objectId Property Map

The object identifier (OID) of this X.509 extension. Structure is documented below.

value String

The value of this X.509 extension. A base64-encoded string.

CertificateConfigX509ConfigAdditionalExtensionObjectId

ObjectIdPaths List<int>

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.

ObjectIdPaths []int

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.

objectIdPaths List<Integer>

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.

objectIdPaths number[]

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.

object_id_paths Sequence[int]

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.

objectIdPaths List<Number>

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.

CertificateConfigX509ConfigCaOptions

IsCa bool

When true, the "CA" in Basic Constraints extension will be set to true.

MaxIssuerPathLength int

Refers to the "path length constraint" in Basic Constraints extension. For a CA certificate, this value describes the depth of subordinate CA certificates that are allowed. If this value is less than 0, the request will fail.

NonCa bool

When true, the "CA" in Basic Constraints extension will be set to false. If both is_ca and non_ca are unset, the extension will be omitted from the CA certificate.

ZeroMaxIssuerPathLength bool

When true, the "path length constraint" in the Basic Constraints extension will be set to 0. If both max_issuer_path_length and zero_max_issuer_path_length are unset, the max path length will be omitted from the CA certificate.

IsCa bool

When true, the "CA" in Basic Constraints extension will be set to true.

MaxIssuerPathLength int

Refers to the "path length constraint" in Basic Constraints extension. For a CA certificate, this value describes the depth of subordinate CA certificates that are allowed. If this value is less than 0, the request will fail.

NonCa bool

When true, the "CA" in Basic Constraints extension will be set to false. If both is_ca and non_ca are unset, the extension will be omitted from the CA certificate.

ZeroMaxIssuerPathLength bool

When true, the "path length constraint" in the Basic Constraints extension will be set to 0. If both max_issuer_path_length and zero_max_issuer_path_length are unset, the max path length will be omitted from the CA certificate.

isCa Boolean

When true, the "CA" in Basic Constraints extension will be set to true.

maxIssuerPathLength Integer

Refers to the "path length constraint" in Basic Constraints extension. For a CA certificate, this value describes the depth of subordinate CA certificates that are allowed. If this value is less than 0, the request will fail.

nonCa Boolean

When true, the "CA" in Basic Constraints extension will be set to false. If both is_ca and non_ca are unset, the extension will be omitted from the CA certificate.

zeroMaxIssuerPathLength Boolean

When true, the "path length constraint" in the Basic Constraints extension will be set to 0. If both max_issuer_path_length and zero_max_issuer_path_length are unset, the max path length will be omitted from the CA certificate.

isCa boolean

When true, the "CA" in Basic Constraints extension will be set to true.

maxIssuerPathLength number

Refers to the "path length constraint" in Basic Constraints extension. For a CA certificate, this value describes the depth of subordinate CA certificates that are allowed. If this value is less than 0, the request will fail.

nonCa boolean

When true, the "CA" in Basic Constraints extension will be set to false. If both is_ca and non_ca are unset, the extension will be omitted from the CA certificate.

zeroMaxIssuerPathLength boolean

When true, the "path length constraint" in the Basic Constraints extension will be set to 0. If both max_issuer_path_length and zero_max_issuer_path_length are unset, the max path length will be omitted from the CA certificate.

is_ca bool

When true, the "CA" in Basic Constraints extension will be set to true.

max_issuer_path_length int

Refers to the "path length constraint" in Basic Constraints extension. For a CA certificate, this value describes the depth of subordinate CA certificates that are allowed. If this value is less than 0, the request will fail.

non_ca bool

When true, the "CA" in Basic Constraints extension will be set to false. If both is_ca and non_ca are unset, the extension will be omitted from the CA certificate.

zero_max_issuer_path_length bool

When true, the "path length constraint" in the Basic Constraints extension will be set to 0. If both max_issuer_path_length and zero_max_issuer_path_length are unset, the max path length will be omitted from the CA certificate.

isCa Boolean

When true, the "CA" in Basic Constraints extension will be set to true.

maxIssuerPathLength Number

Refers to the "path length constraint" in Basic Constraints extension. For a CA certificate, this value describes the depth of subordinate CA certificates that are allowed. If this value is less than 0, the request will fail.

nonCa Boolean

When true, the "CA" in Basic Constraints extension will be set to false. If both is_ca and non_ca are unset, the extension will be omitted from the CA certificate.

zeroMaxIssuerPathLength Boolean

When true, the "path length constraint" in the Basic Constraints extension will be set to 0. If both max_issuer_path_length and zero_max_issuer_path_length are unset, the max path length will be omitted from the CA certificate.

CertificateConfigX509ConfigKeyUsage

BaseKeyUsage CertificateConfigX509ConfigKeyUsageBaseKeyUsage

Describes high-level ways in which a key may be used. Structure is documented below.

ExtendedKeyUsage CertificateConfigX509ConfigKeyUsageExtendedKeyUsage

Describes high-level ways in which a key may be used. Structure is documented below.

UnknownExtendedKeyUsages List<CertificateConfigX509ConfigKeyUsageUnknownExtendedKeyUsage>

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. Structure is documented below.

BaseKeyUsage CertificateConfigX509ConfigKeyUsageBaseKeyUsage

Describes high-level ways in which a key may be used. Structure is documented below.

ExtendedKeyUsage CertificateConfigX509ConfigKeyUsageExtendedKeyUsage

Describes high-level ways in which a key may be used. Structure is documented below.

UnknownExtendedKeyUsages []CertificateConfigX509ConfigKeyUsageUnknownExtendedKeyUsage

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. Structure is documented below.

baseKeyUsage CertificateConfigX509ConfigKeyUsageBaseKeyUsage

Describes high-level ways in which a key may be used. Structure is documented below.

extendedKeyUsage CertificateConfigX509ConfigKeyUsageExtendedKeyUsage

Describes high-level ways in which a key may be used. Structure is documented below.

unknownExtendedKeyUsages List<CertificateConfigX509ConfigKeyUsageUnknownExtendedKeyUsage>

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. Structure is documented below.

baseKeyUsage CertificateConfigX509ConfigKeyUsageBaseKeyUsage

Describes high-level ways in which a key may be used. Structure is documented below.

extendedKeyUsage CertificateConfigX509ConfigKeyUsageExtendedKeyUsage

Describes high-level ways in which a key may be used. Structure is documented below.

unknownExtendedKeyUsages CertificateConfigX509ConfigKeyUsageUnknownExtendedKeyUsage[]

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. Structure is documented below.

base_key_usage CertificateConfigX509ConfigKeyUsageBaseKeyUsage

Describes high-level ways in which a key may be used. Structure is documented below.

extended_key_usage CertificateConfigX509ConfigKeyUsageExtendedKeyUsage

Describes high-level ways in which a key may be used. Structure is documented below.

unknown_extended_key_usages Sequence[CertificateConfigX509ConfigKeyUsageUnknownExtendedKeyUsage]

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. Structure is documented below.

baseKeyUsage Property Map

Describes high-level ways in which a key may be used. Structure is documented below.

extendedKeyUsage Property Map

Describes high-level ways in which a key may be used. Structure is documented below.

unknownExtendedKeyUsages List<Property Map>

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. Structure is documented below.

CertificateConfigX509ConfigKeyUsageBaseKeyUsage

CertSign bool

The key may be used to sign certificates.

ContentCommitment bool

The key may be used for cryptographic commitments. Note that this may also be referred to as "non-repudiation".

CrlSign bool

The key may be used to sign certificate revocation lists.

DataEncipherment bool

The key may be used to encipher data.

DecipherOnly bool

The key may be used to decipher only.

DigitalSignature bool

The key may be used for digital signatures.

EncipherOnly bool

The key may be used to encipher only.

KeyAgreement bool

The key may be used in a key agreement protocol.

KeyEncipherment bool

The key may be used to encipher other keys.

CertSign bool

The key may be used to sign certificates.

ContentCommitment bool

The key may be used for cryptographic commitments. Note that this may also be referred to as "non-repudiation".

CrlSign bool

The key may be used to sign certificate revocation lists.

DataEncipherment bool

The key may be used to encipher data.

DecipherOnly bool

The key may be used to decipher only.

DigitalSignature bool

The key may be used for digital signatures.

EncipherOnly bool

The key may be used to encipher only.

KeyAgreement bool

The key may be used in a key agreement protocol.

KeyEncipherment bool

The key may be used to encipher other keys.

certSign Boolean

The key may be used to sign certificates.

contentCommitment Boolean

The key may be used for cryptographic commitments. Note that this may also be referred to as "non-repudiation".

crlSign Boolean

The key may be used to sign certificate revocation lists.

dataEncipherment Boolean

The key may be used to encipher data.

decipherOnly Boolean

The key may be used to decipher only.

digitalSignature Boolean

The key may be used for digital signatures.

encipherOnly Boolean

The key may be used to encipher only.

keyAgreement Boolean

The key may be used in a key agreement protocol.

keyEncipherment Boolean

The key may be used to encipher other keys.

certSign boolean

The key may be used to sign certificates.

contentCommitment boolean

The key may be used for cryptographic commitments. Note that this may also be referred to as "non-repudiation".

crlSign boolean

The key may be used to sign certificate revocation lists.

dataEncipherment boolean

The key may be used to encipher data.

decipherOnly boolean

The key may be used to decipher only.

digitalSignature boolean

The key may be used for digital signatures.

encipherOnly boolean

The key may be used to encipher only.

keyAgreement boolean

The key may be used in a key agreement protocol.

keyEncipherment boolean

The key may be used to encipher other keys.

cert_sign bool

The key may be used to sign certificates.

content_commitment bool

The key may be used for cryptographic commitments. Note that this may also be referred to as "non-repudiation".

crl_sign bool

The key may be used to sign certificate revocation lists.

data_encipherment bool

The key may be used to encipher data.

decipher_only bool

The key may be used to decipher only.

digital_signature bool

The key may be used for digital signatures.

encipher_only bool

The key may be used to encipher only.

key_agreement bool

The key may be used in a key agreement protocol.

key_encipherment bool

The key may be used to encipher other keys.

certSign Boolean

The key may be used to sign certificates.

contentCommitment Boolean

The key may be used for cryptographic commitments. Note that this may also be referred to as "non-repudiation".

crlSign Boolean

The key may be used to sign certificate revocation lists.

dataEncipherment Boolean

The key may be used to encipher data.

decipherOnly Boolean

The key may be used to decipher only.

digitalSignature Boolean

The key may be used for digital signatures.

encipherOnly Boolean

The key may be used to encipher only.

keyAgreement Boolean

The key may be used in a key agreement protocol.

keyEncipherment Boolean

The key may be used to encipher other keys.

CertificateConfigX509ConfigKeyUsageExtendedKeyUsage

ClientAuth bool

Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as "TLS WWW client authentication", though regularly used for non-WWW TLS.

CodeSigning bool

Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as "Signing of downloadable executable code".

EmailProtection bool

Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as "Email protection".

OcspSigning bool

Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as "Signing OCSP responses".

ServerAuth bool

Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as "TLS WWW server authentication", though regularly used for non-WWW TLS.

TimeStamping bool

Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as "Binding the hash of an object to a time".

ClientAuth bool

Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as "TLS WWW client authentication", though regularly used for non-WWW TLS.

CodeSigning bool

Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as "Signing of downloadable executable code".

EmailProtection bool

Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as "Email protection".

OcspSigning bool

Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as "Signing OCSP responses".

ServerAuth