Google Cloud (GCP) Classic

Pulumi Official
Package maintained by Pulumi
v6.32.0 published on Wednesday, Jul 20, 2022 by Pulumi

Certificate

A Certificate corresponds to a signed X.509 certificate issued by a Certificate Authority.

Note: The Certificate Authority that is referenced by this resource must be tier = "ENTERPRISE"

Example Usage

Privateca Certificate Config

using System;
using System.IO;
using Pulumi;
using Gcp = Pulumi.Gcp;

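/// <summary>
/// Example stack: declares a private Certificate Authority and issues one
/// short-lived certificate from it for a public key read from disk.
/// All names, subjects and SAN entries below are sample values.
/// </summary>
class MyStack : Stack
{
    /// <summary>
    /// Reads the file at <paramref name="path"/> and returns its bytes Base64-encoded.
    /// </summary>
    /// <param name="path">Path of the file to encode.</param>
    /// <returns>The Base64 text of the file's contents.</returns>
    private static string ReadFileBase64(string path)
    {
        // Encode the bytes exactly as stored on disk. The previous text round
        // trip through Encoding.UTF8 needed a `using System.Text;` the file does
        // not have, and the statement was missing its terminating semicolon.
        return Convert.ToBase64String(File.ReadAllBytes(path));
    }

    public MyStack()
    {
        var test_ca = new Gcp.CertificateAuthority.Authority("test-ca", new Gcp.CertificateAuthority.AuthorityArgs
        {
            CertificateAuthorityId = "my-certificate-authority",
            Location = "us-central1",
            // The sample leaves the pool name empty; supply the name of the CA pool
            // this authority belongs to.
            Pool = "",
            // These two settings allow the CA to be destroyed even while it still has
            // unrevoked, unexpired certificates. That suits a throwaway test CA; for a
            // CA that relying parties trust, keep deletion protection enabled.
            IgnoreActiveCertificatesOnDeletion = true,
            DeletionProtection = false,
            Config = new Gcp.CertificateAuthority.Inputs.AuthorityConfigArgs
            {
                SubjectConfig = new Gcp.CertificateAuthority.Inputs.AuthorityConfigSubjectConfigArgs
                {
                    Subject = new Gcp.CertificateAuthority.Inputs.AuthorityConfigSubjectConfigSubjectArgs
                    {
                        Organization = "HashiCorp",
                        CommonName = "my-certificate-authority",
                    },
                    SubjectAltName = new Gcp.CertificateAuthority.Inputs.AuthorityConfigSubjectConfigSubjectAltNameArgs
                    {
                        DnsNames =
                        {
                            "hashicorp.com",
                        },
                    },
                },
                X509Config = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigArgs
                {
                    CaOptions = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigCaOptionsArgs
                    {
                        IsCa = true,
                    },
                    KeyUsage = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigKeyUsageArgs
                    {
                        // A CA key needs certificate and CRL signing.
                        BaseKeyUsage = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs
                        {
                            CertSign = true,
                            CrlSign = true,
                        },
                        ExtendedKeyUsage = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs
                        {
                            ServerAuth = true,
                        },
                    },
                },
            },
            KeySpec = new Gcp.CertificateAuthority.Inputs.AuthorityKeySpecArgs
            {
                Algorithm = "RSA_PKCS1_4096_SHA256",
            },
        });
        var @default = new Gcp.CertificateAuthority.Certificate("default", new Gcp.CertificateAuthority.CertificateArgs
        {
            Pool = "",
            Location = "us-central1",
            // Referencing the CA's output ties this certificate to the authority above.
            CertificateAuthority = test_ca.CertificateAuthorityId,
            // 860 seconds: the issued certificate is valid for under 15 minutes.
            Lifetime = "860s",
            Config = new Gcp.CertificateAuthority.Inputs.CertificateConfigArgs
            {
                SubjectConfig = new Gcp.CertificateAuthority.Inputs.CertificateConfigSubjectConfigArgs
                {
                    Subject = new Gcp.CertificateAuthority.Inputs.CertificateConfigSubjectConfigSubjectArgs
                    {
                        CommonName = "san1.example.com",
                        CountryCode = "us",
                        Organization = "google",
                        OrganizationalUnit = "enterprise",
                        Locality = "mountain view",
                        Province = "california",
                        StreetAddress = "1600 amphitheatre parkway",
                    },
                    SubjectAltName = new Gcp.CertificateAuthority.Inputs.CertificateConfigSubjectConfigSubjectAltNameArgs
                    {
                        EmailAddresses =
                        {
                            "email@example.com",
                        },
                        IpAddresses =
                        {
                            "127.0.0.1",
                        },
                        Uris =
                        {
                            "http://www.ietf.org/rfc/rfc3986.txt",
                        },
                    },
                },
                X509Config = new Gcp.CertificateAuthority.Inputs.CertificateConfigX509ConfigArgs
                {
                    // Leaf certificate: it must not be able to sign other certificates.
                    CaOptions = new Gcp.CertificateAuthority.Inputs.CertificateConfigX509ConfigCaOptionsArgs
                    {
                        IsCa = false,
                    },
                    // NOTE(review): every usage flag set in this sample is false, so as
                    // written no key usage or extended key usage is requested. Enable
                    // only the usages the certificate's consumer actually needs.
                    KeyUsage = new Gcp.CertificateAuthority.Inputs.CertificateConfigX509ConfigKeyUsageArgs
                    {
                        BaseKeyUsage = new Gcp.CertificateAuthority.Inputs.CertificateConfigX509ConfigKeyUsageBaseKeyUsageArgs
                        {
                            CrlSign = false,
                            DecipherOnly = false,
                        },
                        ExtendedKeyUsage = new Gcp.CertificateAuthority.Inputs.CertificateConfigX509ConfigKeyUsageExtendedKeyUsageArgs
                        {
                            ServerAuth = false,
                        },
                    },
                },
                // Only a public key file is read here; no private key is handled
                // by this program.
                PublicKey = new Gcp.CertificateAuthority.Inputs.CertificateConfigPublicKeyArgs
                {
                    Format = "PEM",
                    Key = ReadFileBase64("test-fixtures/rsa_public.pem"),
                },
            },
        });
    }

}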
package main

import (
	"encoding/base64"
	"io/ioutil"

	"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/certificateauthority"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

// filebase64OrPanic reads the file at path and returns its contents as a
// standard-encoding base64 Pulumi string. It panics with the error text when
// the file cannot be read.
func filebase64OrPanic(path string) pulumi.StringPtrInput {
	contents, readErr := ioutil.ReadFile(path)
	if readErr != nil {
		panic(readErr.Error())
	}
	encoded := base64.StdEncoding.EncodeToString(contents)
	return pulumi.String(encoded)
}

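// main declares a private Certificate Authority and one short-lived
// certificate issued from it. All names, subjects and SAN entries are sample
// values.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Keep the Authority handle: the certificate below refers to its ID.
		// The listing previously discarded it and then used an undefined
		// `test_ca`, which does not compile.
		testCa, err := certificateauthority.NewAuthority(ctx, "test-ca", &certificateauthority.AuthorityArgs{
			CertificateAuthorityId: pulumi.String("my-certificate-authority"),
			Location:               pulumi.String("us-central1"),
			// The sample leaves the pool name empty; supply the name of the
			// CA pool this authority belongs to.
			Pool: pulumi.String(""),
			// These two settings allow the CA to be destroyed even while it
			// still has unrevoked, unexpired certificates. That suits a
			// throwaway test CA; for a CA that relying parties trust, keep
			// deletion protection enabled.
			IgnoreActiveCertificatesOnDeletion: pulumi.Bool(true),
			DeletionProtection:                 pulumi.Bool(false),
			Config: &certificateauthority.AuthorityConfigArgs{
				SubjectConfig: &certificateauthority.AuthorityConfigSubjectConfigArgs{
					Subject: &certificateauthority.AuthorityConfigSubjectConfigSubjectArgs{
						Organization: pulumi.String("HashiCorp"),
						CommonName:   pulumi.String("my-certificate-authority"),
					},
					SubjectAltName: &certificateauthority.AuthorityConfigSubjectConfigSubjectAltNameArgs{
						DnsNames: pulumi.StringArray{
							pulumi.String("hashicorp.com"),
						},
					},
				},
				X509Config: &certificateauthority.AuthorityConfigX509ConfigArgs{
					CaOptions: &certificateauthority.AuthorityConfigX509ConfigCaOptionsArgs{
						IsCa: pulumi.Bool(true),
					},
					KeyUsage: &certificateauthority.AuthorityConfigX509ConfigKeyUsageArgs{
						// A CA key needs certificate and CRL signing.
						BaseKeyUsage: &certificateauthority.AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs{
							CertSign: pulumi.Bool(true),
							CrlSign:  pulumi.Bool(true),
						},
						ExtendedKeyUsage: &certificateauthority.AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs{
							ServerAuth: pulumi.Bool(true),
						},
					},
				},
			},
			KeySpec: &certificateauthority.AuthorityKeySpecArgs{
				Algorithm: pulumi.String("RSA_PKCS1_4096_SHA256"),
			},
		})
		if err != nil {
			return err
		}
		_, err = certificateauthority.NewCertificate(ctx, "default", &certificateauthority.CertificateArgs{
			Pool:                 pulumi.String(""),
			Location:             pulumi.String("us-central1"),
			CertificateAuthority: testCa.CertificateAuthorityId,
			// 860 seconds: the issued certificate is valid for under 15 minutes.
			Lifetime: pulumi.String("860s"),
			Config: &certificateauthority.CertificateConfigArgs{
				SubjectConfig: &certificateauthority.CertificateConfigSubjectConfigArgs{
					Subject: &certificateauthority.CertificateConfigSubjectConfigSubjectArgs{
						CommonName:         pulumi.String("san1.example.com"),
						CountryCode:        pulumi.String("us"),
						Organization:       pulumi.String("google"),
						OrganizationalUnit: pulumi.String("enterprise"),
						Locality:           pulumi.String("mountain view"),
						Province:           pulumi.String("california"),
						StreetAddress:      pulumi.String("1600 amphitheatre parkway"),
					},
					SubjectAltName: &certificateauthority.CertificateConfigSubjectConfigSubjectAltNameArgs{
						EmailAddresses: pulumi.StringArray{
							pulumi.String("email@example.com"),
						},
						IpAddresses: pulumi.StringArray{
							pulumi.String("127.0.0.1"),
						},
						Uris: pulumi.StringArray{
							pulumi.String("http://www.ietf.org/rfc/rfc3986.txt"),
						},
					},
				},
				X509Config: &certificateauthority.CertificateConfigX509ConfigArgs{
					// Leaf certificate: it must not be able to sign other certificates.
					CaOptions: &certificateauthority.CertificateConfigX509ConfigCaOptionsArgs{
						IsCa: pulumi.Bool(false),
					},
					// NOTE(review): every usage flag set in this sample is
					// false, so as written no key usage or extended key usage
					// is requested. Enable only the usages the certificate's
					// consumer actually needs.
					KeyUsage: &certificateauthority.CertificateConfigX509ConfigKeyUsageArgs{
						BaseKeyUsage: &certificateauthority.CertificateConfigX509ConfigKeyUsageBaseKeyUsageArgs{
							CrlSign:      pulumi.Bool(false),
							DecipherOnly: pulumi.Bool(false),
						},
						ExtendedKeyUsage: &certificateauthority.CertificateConfigX509ConfigKeyUsageExtendedKeyUsageArgs{
							ServerAuth: pulumi.Bool(false),
						},
					},
				},
				// Only a public key file is read here; no private key is
				// handled by this program.
				PublicKey: &certificateauthority.CertificateConfigPublicKeyArgs{
					Format: pulumi.String("PEM"),
					Key:    filebase64OrPanic("test-fixtures/rsa_public.pem"),
				},
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}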
package generated_program;

import java.util.*;
import java.io.*;
import java.nio.*;
import com.pulumi.*;

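/**
 * Example program: declares a private Certificate Authority and issues one
 * short-lived certificate from it for a public key read from disk.
 * All names, subjects and SAN entries below are sample values.
 *
 * NOTE(review): the resource and args classes used here (Authority,
 * Certificate, ...Args) are not covered by the imports shown in this listing;
 * they have to be imported from the GCP provider SDK for the file to compile.
 */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Reads a file and returns its bytes Base64-encoded.
     *
     * @param path path of the file to encode
     * @return the Base64 text of the file's contents
     * @throws UncheckedIOException if the file cannot be read
     */
    private static String readFileBase64(String path) {
        // Files/Paths live in java.nio.file, which `import java.nio.*` does not
        // cover, so they are fully qualified here. readAllBytes throws the
        // checked IOException, which stack() does not declare; it is rethrown
        // unchecked so a missing key file still fails the deployment loudly.
        try {
            return Base64.getEncoder().encodeToString(
                java.nio.file.Files.readAllBytes(java.nio.file.Paths.get(path)));
        } catch (IOException e) {
            throw new UncheckedIOException(e);
        }
    }

    /**
     * Declares the CA and the certificate issued from it.
     *
     * @param ctx the Pulumi program context
     */
    public static void stack(Context ctx) {
        var test_ca = new Authority("test-ca", AuthorityArgs.builder()
            .certificateAuthorityId("my-certificate-authority")
            .location("us-central1")
            // The sample leaves the pool name empty; supply the name of the
            // CA pool this authority belongs to.
            .pool("")
            // These two settings allow the CA to be destroyed even while it
            // still has unrevoked, unexpired certificates. That suits a
            // throwaway test CA; for a CA that relying parties trust, keep
            // deletion protection enabled.
            .ignoreActiveCertificatesOnDeletion(true)
            .deletionProtection(false)
            .config(AuthorityConfigArgs.builder()
                .subjectConfig(AuthorityConfigSubjectConfigArgs.builder()
                    .subject(AuthorityConfigSubjectConfigSubjectArgs.builder()
                        .organization("HashiCorp")
                        .commonName("my-certificate-authority")
                        .build())
                    .subjectAltName(AuthorityConfigSubjectConfigSubjectAltNameArgs.builder()
                        .dnsNames("hashicorp.com")
                        .build())
                    .build())
                .x509Config(AuthorityConfigX509ConfigArgs.builder()
                    .caOptions(AuthorityConfigX509ConfigCaOptionsArgs.builder()
                        .isCa(true)
                        .build())
                    .keyUsage(AuthorityConfigX509ConfigKeyUsageArgs.builder()
                        // A CA key needs certificate and CRL signing.
                        .baseKeyUsage(AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs.builder()
                            .certSign(true)
                            .crlSign(true)
                            .build())
                        .extendedKeyUsage(AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs.builder()
                            .serverAuth(true)
                            .build())
                        .build())
                    .build())
                .build())
            .keySpec(AuthorityKeySpecArgs.builder()
                .algorithm("RSA_PKCS1_4096_SHA256")
                .build())
            .build());

        var default_ = new Certificate("default", CertificateArgs.builder()
            .pool("")
            .location("us-central1")
            .certificateAuthority(test_ca.certificateAuthorityId())
            // 860 seconds: the issued certificate is valid for under 15 minutes.
            .lifetime("860s")
            .config(CertificateConfigArgs.builder()
                .subjectConfig(CertificateConfigSubjectConfigArgs.builder()
                    .subject(CertificateConfigSubjectConfigSubjectArgs.builder()
                        .commonName("san1.example.com")
                        .countryCode("us")
                        .organization("google")
                        .organizationalUnit("enterprise")
                        .locality("mountain view")
                        .province("california")
                        .streetAddress("1600 amphitheatre parkway")
                        .build())
                    .subjectAltName(CertificateConfigSubjectConfigSubjectAltNameArgs.builder()
                        .emailAddresses("email@example.com")
                        .ipAddresses("127.0.0.1")
                        .uris("http://www.ietf.org/rfc/rfc3986.txt")
                        .build())
                    .build())
                .x509Config(CertificateConfigX509ConfigArgs.builder()
                    // Leaf certificate: it must not be able to sign other certificates.
                    .caOptions(CertificateConfigX509ConfigCaOptionsArgs.builder()
                        .isCa(false)
                        .build())
                    // NOTE(review): every usage flag set in this sample is
                    // false, so as written no key usage or extended key usage
                    // is requested. Enable only the usages the certificate's
                    // consumer actually needs.
                    .keyUsage(CertificateConfigX509ConfigKeyUsageArgs.builder()
                        .baseKeyUsage(CertificateConfigX509ConfigKeyUsageBaseKeyUsageArgs.builder()
                            .crlSign(false)
                            .decipherOnly(false)
                            .build())
                        .extendedKeyUsage(CertificateConfigX509ConfigKeyUsageExtendedKeyUsageArgs.builder()
                            .serverAuth(false)
                            .build())
                        .build())
                    .build())
                // Only a public key file is read here; no private key is
                // handled by this program.
                .publicKey(CertificateConfigPublicKeyArgs.builder()
                    .format("PEM")
                    .key(readFileBase64("test-fixtures/rsa_public.pem"))
                    .build())
                .build())
            .build());

    }
}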
import pulumi
import base64
import pulumi_gcp as gcp

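def _read_file_base64(path):
    """Return the contents of the file at ``path`` as a Base64 string."""
    # Binary mode keeps the bytes exactly as stored (no newline translation or
    # locale-dependent decoding), and the context manager closes the handle,
    # which the previous inline open(path).read() never did.
    with open(path, "rb") as key_file:
        return base64.b64encode(key_file.read()).decode()


# Private CA that issues the certificate below. All names, subjects and SAN
# entries in this example are sample values.
test_ca = gcp.certificateauthority.Authority("test-ca",
    certificate_authority_id="my-certificate-authority",
    location="us-central1",
    # The sample leaves the pool name empty; supply the name of the CA pool
    # this authority belongs to.
    pool="",
    # These two settings allow the CA to be destroyed even while it still has
    # unrevoked, unexpired certificates. That suits a throwaway test CA; for a
    # CA that relying parties trust, keep deletion protection enabled.
    ignore_active_certificates_on_deletion=True,
    deletion_protection=False,
    config=gcp.certificateauthority.AuthorityConfigArgs(
        subject_config=gcp.certificateauthority.AuthorityConfigSubjectConfigArgs(
            subject=gcp.certificateauthority.AuthorityConfigSubjectConfigSubjectArgs(
                organization="HashiCorp",
                common_name="my-certificate-authority",
            ),
            subject_alt_name=gcp.certificateauthority.AuthorityConfigSubjectConfigSubjectAltNameArgs(
                dns_names=["hashicorp.com"],
            ),
        ),
        x509_config=gcp.certificateauthority.AuthorityConfigX509ConfigArgs(
            ca_options=gcp.certificateauthority.AuthorityConfigX509ConfigCaOptionsArgs(
                is_ca=True,
            ),
            key_usage=gcp.certificateauthority.AuthorityConfigX509ConfigKeyUsageArgs(
                # A CA key needs certificate and CRL signing.
                base_key_usage=gcp.certificateauthority.AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs(
                    cert_sign=True,
                    crl_sign=True,
                ),
                extended_key_usage=gcp.certificateauthority.AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs(
                    server_auth=True,
                ),
            ),
        ),
    ),
    key_spec=gcp.certificateauthority.AuthorityKeySpecArgs(
        algorithm="RSA_PKCS1_4096_SHA256",
    ))
default = gcp.certificateauthority.Certificate("default",
    pool="",
    location="us-central1",
    # Referencing the CA's output ties this certificate to the authority above.
    certificate_authority=test_ca.certificate_authority_id,
    # 860 seconds: the issued certificate is valid for under 15 minutes.
    lifetime="860s",
    config=gcp.certificateauthority.CertificateConfigArgs(
        subject_config=gcp.certificateauthority.CertificateConfigSubjectConfigArgs(
            subject=gcp.certificateauthority.CertificateConfigSubjectConfigSubjectArgs(
                common_name="san1.example.com",
                country_code="us",
                organization="google",
                organizational_unit="enterprise",
                locality="mountain view",
                province="california",
                street_address="1600 amphitheatre parkway",
            ),
            subject_alt_name=gcp.certificateauthority.CertificateConfigSubjectConfigSubjectAltNameArgs(
                email_addresses=["email@example.com"],
                ip_addresses=["127.0.0.1"],
                uris=["http://www.ietf.org/rfc/rfc3986.txt"],
            ),
        ),
        x509_config=gcp.certificateauthority.CertificateConfigX509ConfigArgs(
            # Leaf certificate: it must not be able to sign other certificates.
            ca_options=gcp.certificateauthority.CertificateConfigX509ConfigCaOptionsArgs(
                is_ca=False,
            ),
            # NOTE(review): every usage flag set in this sample is False, so as
            # written no key usage or extended key usage is requested. Enable
            # only the usages the certificate's consumer actually needs.
            key_usage=gcp.certificateauthority.CertificateConfigX509ConfigKeyUsageArgs(
                base_key_usage=gcp.certificateauthority.CertificateConfigX509ConfigKeyUsageBaseKeyUsageArgs(
                    crl_sign=False,
                    decipher_only=False,
                ),
                extended_key_usage=gcp.certificateauthority.CertificateConfigX509ConfigKeyUsageExtendedKeyUsageArgs(
                    server_auth=False,
                ),
            ),
        ),
        # Only a public key file is read here; no private key is handled by
        # this program.
        public_key=gcp.certificateauthority.CertificateConfigPublicKeyArgs(
            format="PEM",
            key=_read_file_base64("test-fixtures/rsa_public.pem"),
        ),
    ))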
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
import * from "fs";

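// Private CA that issues the certificate below. All names, subjects and SAN
// entries in this example are sample values.
//
// NOTE(review): this code needs `fs` in scope. The listing's
// `import * from "fs";` is not valid TypeScript; it has to read
// `import * as fs from "fs";` for the program to compile.
const test_ca = new gcp.certificateauthority.Authority("test-ca", {
    certificateAuthorityId: "my-certificate-authority",
    location: "us-central1",
    // The sample leaves the pool name empty; supply the name of the CA pool
    // this authority belongs to.
    pool: "",
    // These two settings allow the CA to be destroyed even while it still has
    // unrevoked, unexpired certificates. That suits a throwaway test CA; for a
    // CA that relying parties trust, keep deletion protection enabled.
    ignoreActiveCertificatesOnDeletion: true,
    deletionProtection: false,
    config: {
        subjectConfig: {
            subject: {
                organization: "HashiCorp",
                commonName: "my-certificate-authority",
            },
            subjectAltName: {
                dnsNames: ["hashicorp.com"],
            },
        },
        x509Config: {
            caOptions: {
                isCa: true,
            },
            keyUsage: {
                // A CA key needs certificate and CRL signing.
                baseKeyUsage: {
                    certSign: true,
                    crlSign: true,
                },
                extendedKeyUsage: {
                    serverAuth: true,
                },
            },
        },
    },
    keySpec: {
        algorithm: "RSA_PKCS1_4096_SHA256",
    },
});
const _default = new gcp.certificateauthority.Certificate("default", {
    pool: "",
    location: "us-central1",
    // Referencing the CA's output ties this certificate to the authority above.
    certificateAuthority: test_ca.certificateAuthorityId,
    // 860 seconds: the issued certificate is valid for under 15 minutes.
    lifetime: "860s",
    config: {
        subjectConfig: {
            subject: {
                commonName: "san1.example.com",
                countryCode: "us",
                organization: "google",
                organizationalUnit: "enterprise",
                locality: "mountain view",
                province: "california",
                streetAddress: "1600 amphitheatre parkway",
            },
            subjectAltName: {
                emailAddresses: ["email@example.com"],
                ipAddresses: ["127.0.0.1"],
                uris: ["http://www.ietf.org/rfc/rfc3986.txt"],
            },
        },
        x509Config: {
            // Leaf certificate: it must not be able to sign other certificates.
            caOptions: {
                isCa: false,
            },
            // NOTE(review): every usage flag set in this sample is false, so as
            // written no key usage or extended key usage is requested. Enable
            // only the usages the certificate's consumer actually needs.
            keyUsage: {
                baseKeyUsage: {
                    crlSign: false,
                    decipherOnly: false,
                },
                extendedKeyUsage: {
                    serverAuth: false,
                },
            },
        },
        // Only a public key file is read here; no private key is handled by
        // this program.
        publicKey: {
            format: "PEM",
            // readFileSync without an encoding already returns a Buffer, so it
            // can be Base64-encoded directly; re-wrapping it with
            // Buffer.from(buffer, 'binary') added nothing.
            key: fs.readFileSync("test-fixtures/rsa_public.pem").toString("base64"),
        },
    },
});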


Privateca Certificate With Template

using System.IO;
using Pulumi;
using Gcp = Pulumi.Gcp;

/// <summary>
/// Example stack: declares a certificate template, a private Certificate
/// Authority, and a certificate issued from a PEM CSR using that template.
/// All names, OIDs and extension values below are sample values.
/// </summary>
class MyStack : Stack
{
    public MyStack()
    {
        // Identity constraints of the template. With both passthrough flags on
        // and a CEL expression of "true", the requester fully controls the
        // subject and SANs of the issued certificate; a real template would
        // normally narrow the expression to the identities it may issue for.
        var identityConstraints = new Gcp.CertificateAuthority.Inputs.CertificateTemplateIdentityConstraintsArgs
        {
            AllowSubjectAltNamesPassthrough = true,
            AllowSubjectPassthrough = true,
            CelExpression = new Gcp.CertificateAuthority.Inputs.CertificateTemplateIdentityConstraintsCelExpressionArgs
            {
                Description = "Always true",
                Expression = "true",
                Location = "any.file.anywhere",
                Title = "Sample expression",
            },
        };

        // Extensions the template lets through from the request.
        var passthroughExtensions = new Gcp.CertificateAuthority.Inputs.CertificateTemplatePassthroughExtensionsArgs
        {
            AdditionalExtensions =
            {
                new Gcp.CertificateAuthority.Inputs.CertificateTemplatePassthroughExtensionsAdditionalExtensionArgs
                {
                    ObjectIdPaths =
                    {
                        1,
                        6,
                    },
                },
            },
            KnownExtensions =
            {
                "EXTENDED_KEY_USAGE",
            },
        };

        // Key usages written into certificates issued with the template. The
        // sample switches on almost every usage, including code signing and OCSP
        // signing; a real template should list only the usages it is meant for.
        var templateKeyUsage = new Gcp.CertificateAuthority.Inputs.CertificateTemplatePredefinedValuesKeyUsageArgs
        {
            BaseKeyUsage = new Gcp.CertificateAuthority.Inputs.CertificateTemplatePredefinedValuesKeyUsageBaseKeyUsageArgs
            {
                CertSign = false,
                ContentCommitment = true,
                CrlSign = false,
                DataEncipherment = true,
                DecipherOnly = true,
                DigitalSignature = true,
                EncipherOnly = true,
                KeyAgreement = true,
                KeyEncipherment = true,
            },
            ExtendedKeyUsage = new Gcp.CertificateAuthority.Inputs.CertificateTemplatePredefinedValuesKeyUsageExtendedKeyUsageArgs
            {
                ClientAuth = true,
                CodeSigning = true,
                EmailProtection = true,
                OcspSigning = true,
                ServerAuth = true,
                TimeStamping = true,
            },
            UnknownExtendedKeyUsages =
            {
                new Gcp.CertificateAuthority.Inputs.CertificateTemplatePredefinedValuesKeyUsageUnknownExtendedKeyUsageArgs
                {
                    ObjectIdPaths =
                    {
                        1,
                        6,
                    },
                },
            },
        };

        var predefinedValues = new Gcp.CertificateAuthority.Inputs.CertificateTemplatePredefinedValuesArgs
        {
            AdditionalExtensions =
            {
                new Gcp.CertificateAuthority.Inputs.CertificateTemplatePredefinedValuesAdditionalExtensionArgs
                {
                    ObjectId = new Gcp.CertificateAuthority.Inputs.CertificateTemplatePredefinedValuesAdditionalExtensionObjectIdArgs
                    {
                        ObjectIdPaths =
                        {
                            1,
                            6,
                        },
                    },
                    // Base64 of the placeholder text "string" followed by a newline.
                    Value = "c3RyaW5nCg==",
                    Critical = true,
                },
            },
            // Placeholder; a real template would carry the OCSP responder URL here.
            AiaOcspServers =
            {
                "string",
            },
            CaOptions = new Gcp.CertificateAuthority.Inputs.CertificateTemplatePredefinedValuesCaOptionsArgs
            {
                IsCa = false,
                MaxIssuerPathLength = 6,
            },
            KeyUsage = templateKeyUsage,
            PolicyIds =
            {
                new Gcp.CertificateAuthority.Inputs.CertificateTemplatePredefinedValuesPolicyIdArgs
                {
                    ObjectIdPaths =
                    {
                        1,
                        6,
                    },
                },
            },
        };

        var template = new Gcp.CertificateAuthority.CertificateTemplate("template", new Gcp.CertificateAuthority.CertificateTemplateArgs
        {
            Location = "us-central1",
            Description = "An updated sample certificate template",
            IdentityConstraints = identityConstraints,
            PassthroughExtensions = passthroughExtensions,
            PredefinedValues = predefinedValues,
        });

        // Subject and X.509 settings of the issuing CA.
        var caConfig = new Gcp.CertificateAuthority.Inputs.AuthorityConfigArgs
        {
            SubjectConfig = new Gcp.CertificateAuthority.Inputs.AuthorityConfigSubjectConfigArgs
            {
                Subject = new Gcp.CertificateAuthority.Inputs.AuthorityConfigSubjectConfigSubjectArgs
                {
                    Organization = "HashiCorp",
                    CommonName = "my-certificate-authority",
                },
                SubjectAltName = new Gcp.CertificateAuthority.Inputs.AuthorityConfigSubjectConfigSubjectAltNameArgs
                {
                    DnsNames =
                    {
                        "hashicorp.com",
                    },
                },
            },
            X509Config = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigArgs
            {
                CaOptions = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigCaOptionsArgs
                {
                    IsCa = true,
                },
                KeyUsage = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigKeyUsageArgs
                {
                    BaseKeyUsage = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs
                    {
                        CertSign = true,
                        CrlSign = true,
                    },
                    ExtendedKeyUsage = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs
                    {
                        ServerAuth = false,
                    },
                },
            },
        };

        var test_ca = new Gcp.CertificateAuthority.Authority("test-ca", new Gcp.CertificateAuthority.AuthorityArgs
        {
            // The sample leaves the pool name empty; supply the name of the CA pool
            // this authority belongs to.
            Pool = "",
            CertificateAuthorityId = "my-certificate-authority",
            Location = "us-central1",
            // Lets the sample CA be destroyed; keep protection on for a CA that
            // relying parties trust.
            DeletionProtection = false,
            Config = caConfig,
            KeySpec = new Gcp.CertificateAuthority.Inputs.AuthorityKeySpecArgs
            {
                Algorithm = "RSA_PKCS1_4096_SHA256",
            },
        });

        // The certificate is requested with a PEM CSR read from disk and is
        // issued under the template declared above.
        var @default = new Gcp.CertificateAuthority.Certificate("default", new Gcp.CertificateAuthority.CertificateArgs
        {
            Pool = "",
            Location = "us-central1",
            CertificateAuthority = test_ca.CertificateAuthorityId,
            // 860 seconds: the issued certificate is valid for under 15 minutes.
            Lifetime = "860s",
            PemCsr = File.ReadAllText("test-fixtures/rsa_csr.pem"),
            CertificateTemplate = template.Id,
        });
    }

}
package main

import (
	"io/ioutil"

	"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/certificateauthority"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

// readFileOrPanic returns the contents of the file at path as a Pulumi
// string. It panics with the error text when the file cannot be read.
func readFileOrPanic(path string) pulumi.StringPtrInput {
	raw, readErr := ioutil.ReadFile(path)
	if readErr == nil {
		text := string(raw)
		return pulumi.String(text)
	}
	panic(readErr.Error())
}

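// main declares a certificate template, a private Certificate Authority, and
// a certificate issued from a PEM CSR using that template. All names, OIDs
// and extension values are sample values.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		template, err := certificateauthority.NewCertificateTemplate(ctx, "template", &certificateauthority.CertificateTemplateArgs{
			Location:    pulumi.String("us-central1"),
			Description: pulumi.String("An updated sample certificate template"),
			// With both passthrough flags on and a CEL expression of "true",
			// the requester fully controls the subject and SANs of the issued
			// certificate; a real template would normally narrow the
			// expression to the identities it may issue for.
			IdentityConstraints: &certificateauthority.CertificateTemplateIdentityConstraintsArgs{
				AllowSubjectAltNamesPassthrough: pulumi.Bool(true),
				AllowSubjectPassthrough:         pulumi.Bool(true),
				CelExpression: &certificateauthority.CertificateTemplateIdentityConstraintsCelExpressionArgs{
					Description: pulumi.String("Always true"),
					Expression:  pulumi.String("true"),
					Location:    pulumi.String("any.file.anywhere"),
					Title:       pulumi.String("Sample expression"),
				},
			},
			PassthroughExtensions: &certificateauthority.CertificateTemplatePassthroughExtensionsArgs{
				AdditionalExtensions: certificateauthority.CertificateTemplatePassthroughExtensionsAdditionalExtensionArray{
					&certificateauthority.CertificateTemplatePassthroughExtensionsAdditionalExtensionArgs{
						ObjectIdPaths: pulumi.IntArray{
							pulumi.Int(1),
							pulumi.Int(6),
						},
					},
				},
				KnownExtensions: pulumi.StringArray{
					pulumi.String("EXTENDED_KEY_USAGE"),
				},
			},
			PredefinedValues: &certificateauthority.CertificateTemplatePredefinedValuesArgs{
				AdditionalExtensions: certificateauthority.CertificateTemplatePredefinedValuesAdditionalExtensionArray{
					&certificateauthority.CertificateTemplatePredefinedValuesAdditionalExtensionArgs{
						ObjectId: &certificateauthority.CertificateTemplatePredefinedValuesAdditionalExtensionObjectIdArgs{
							ObjectIdPaths: pulumi.IntArray{
								pulumi.Int(1),
								pulumi.Int(6),
							},
						},
						// Base64 of the placeholder text "string" followed by a newline.
						Value:    pulumi.String("c3RyaW5nCg=="),
						Critical: pulumi.Bool(true),
					},
				},
				// Placeholder; a real template would carry the OCSP responder URL here.
				AiaOcspServers: pulumi.StringArray{
					pulumi.String("string"),
				},
				CaOptions: &certificateauthority.CertificateTemplatePredefinedValuesCaOptionsArgs{
					IsCa:                pulumi.Bool(false),
					MaxIssuerPathLength: pulumi.Int(6),
				},
				// The sample switches on almost every usage, including code
				// signing and OCSP signing; a real template should list only
				// the usages it is meant for.
				KeyUsage: &certificateauthority.CertificateTemplatePredefinedValuesKeyUsageArgs{
					BaseKeyUsage: &certificateauthority.CertificateTemplatePredefinedValuesKeyUsageBaseKeyUsageArgs{
						CertSign:          pulumi.Bool(false),
						ContentCommitment: pulumi.Bool(true),
						CrlSign:           pulumi.Bool(false),
						DataEncipherment:  pulumi.Bool(true),
						DecipherOnly:      pulumi.Bool(true),
						DigitalSignature:  pulumi.Bool(true),
						EncipherOnly:      pulumi.Bool(true),
						KeyAgreement:      pulumi.Bool(true),
						KeyEncipherment:   pulumi.Bool(true),
					},
					ExtendedKeyUsage: &certificateauthority.CertificateTemplatePredefinedValuesKeyUsageExtendedKeyUsageArgs{
						ClientAuth:      pulumi.Bool(true),
						CodeSigning:     pulumi.Bool(true),
						EmailProtection: pulumi.Bool(true),
						OcspSigning:     pulumi.Bool(true),
						ServerAuth:      pulumi.Bool(true),
						TimeStamping:    pulumi.Bool(true),
					},
					UnknownExtendedKeyUsages: certificateauthority.CertificateTemplatePredefinedValuesKeyUsageUnknownExtendedKeyUsageArray{
						&certificateauthority.CertificateTemplatePredefinedValuesKeyUsageUnknownExtendedKeyUsageArgs{
							ObjectIdPaths: pulumi.IntArray{
								pulumi.Int(1),
								pulumi.Int(6),
							},
						},
					},
				},
				PolicyIds: certificateauthority.CertificateTemplatePredefinedValuesPolicyIdArray{
					&certificateauthority.CertificateTemplatePredefinedValuesPolicyIdArgs{
						ObjectIdPaths: pulumi.IntArray{
							pulumi.Int(1),
							pulumi.Int(6),
						},
					},
				},
			},
		})
		if err != nil {
			return err
		}
		// Keep the Authority handle: the certificate below refers to its ID.
		// The listing previously discarded it and then used an undefined
		// `test_ca`, which does not compile.
		testCa, err := certificateauthority.NewAuthority(ctx, "test-ca", &certificateauthority.AuthorityArgs{
			// The sample leaves the pool name empty; supply the name of the
			// CA pool this authority belongs to.
			Pool:                   pulumi.String(""),
			CertificateAuthorityId: pulumi.String("my-certificate-authority"),
			Location:               pulumi.String("us-central1"),
			// Lets the sample CA be destroyed; keep protection on for a CA
			// that relying parties trust.
			DeletionProtection: pulumi.Bool(false),
			Config: &certificateauthority.AuthorityConfigArgs{
				SubjectConfig: &certificateauthority.AuthorityConfigSubjectConfigArgs{
					Subject: &certificateauthority.AuthorityConfigSubjectConfigSubjectArgs{
						Organization: pulumi.String("HashiCorp"),
						CommonName:   pulumi.String("my-certificate-authority"),
					},
					SubjectAltName: &certificateauthority.AuthorityConfigSubjectConfigSubjectAltNameArgs{
						DnsNames: pulumi.StringArray{
							pulumi.String("hashicorp.com"),
						},
					},
				},
				X509Config: &certificateauthority.AuthorityConfigX509ConfigArgs{
					CaOptions: &certificateauthority.AuthorityConfigX509ConfigCaOptionsArgs{
						IsCa: pulumi.Bool(true),
					},
					KeyUsage: &certificateauthority.AuthorityConfigX509ConfigKeyUsageArgs{
						BaseKeyUsage: &certificateauthority.AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs{
							CertSign: pulumi.Bool(true),
							CrlSign:  pulumi.Bool(true),
						},
						ExtendedKeyUsage: &certificateauthority.AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs{
							ServerAuth: pulumi.Bool(false),
						},
					},
				},
			},
			KeySpec: &certificateauthority.AuthorityKeySpecArgs{
				Algorithm: pulumi.String("RSA_PKCS1_4096_SHA256"),
			},
		})
		if err != nil {
			return err
		}
		// The certificate is requested with a PEM CSR read from disk and is
		// issued under the template declared above.
		_, err = certificateauthority.NewCertificate(ctx, "default", &certificateauthority.CertificateArgs{
			Pool:                 pulumi.String(""),
			Location:             pulumi.String("us-central1"),
			CertificateAuthority: testCa.CertificateAuthorityId,
			// 860 seconds: the issued certificate is valid for under 15 minutes.
			Lifetime:            pulumi.String("860s"),
			PemCsr:              readFileOrPanic("test-fixtures/rsa_csr.pem"),
			CertificateTemplate: template.ID(),
		})
		if err != nil {
			return err
		}
		return nil
	})
}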
package generated_program;

import java.util.*;
import java.io.*;
import java.nio.*;
import com.pulumi.*;

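/**
 * Pulumi program that declares a certificate template, a certificate authority
 * and a certificate issued from a PEM CSR file through that template.
 */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Reads a whole text file into a string.
     *
     * {@code Files.readString} takes a {@code Path}, not a {@code String}, and
     * {@code java.nio.file} is not covered by the file's {@code java.nio.*}
     * import, so the types are fully qualified here.
     *
     * @param path file to read
     * @return the file content
     * @throws UncheckedIOException if the file cannot be read
     */
    private static String readFileOrThrow(String path) {
        try {
            return java.nio.file.Files.readString(java.nio.file.Path.of(path));
        } catch (IOException e) {
            throw new UncheckedIOException(e);
        }
    }

    /**
     * Declares the template, the CA and the certificate.
     *
     * @param ctx Pulumi context supplied by {@code Pulumi.run}
     */
    public static void stack(Context ctx) {
        var template = new CertificateTemplate("template", CertificateTemplateArgs.builder()
            .location("us-central1")
            .description("An updated sample certificate template")
            // Both passthrough flags are on and the CEL expression is the literal
            // "true", so this sample template puts no restriction on the subject
            // or SANs a requester asks for. A real template should narrow these.
            .identityConstraints(CertificateTemplateIdentityConstraintsArgs.builder()
                .allowSubjectAltNamesPassthrough(true)
                .allowSubjectPassthrough(true)
                .celExpression(CertificateTemplateIdentityConstraintsCelExpressionArgs.builder()
                    .description("Always true")
                    .expression("true")
                    .location("any.file.anywhere")
                    .title("Sample expression")
                    .build())
                .build())
            .passthroughExtensions(CertificateTemplatePassthroughExtensionsArgs.builder()
                .additionalExtensions(CertificateTemplatePassthroughExtensionsAdditionalExtensionArgs.builder()
                    .objectIdPaths(
                        1,
                        6)
                    .build())
                .knownExtensions("EXTENDED_KEY_USAGE")
                .build())
            .predefinedValues(CertificateTemplatePredefinedValuesArgs.builder()
                .additionalExtensions(CertificateTemplatePredefinedValuesAdditionalExtensionArgs.builder()
                    .objectId(CertificateTemplatePredefinedValuesAdditionalExtensionObjectIdArgs.builder()
                        .objectIdPaths(
                            1,
                            6)
                        .build())
                    .value("c3RyaW5nCg==")
                    .critical(true)
                    .build())
                .aiaOcspServers("string")
                .caOptions(CertificateTemplatePredefinedValuesCaOptionsArgs.builder()
                    .isCa(false)
                    .maxIssuerPathLength(6)
                    .build())
                // The sample switches on almost every key usage to show the fields;
                // a production template should enable only the usages it needs.
                .keyUsage(CertificateTemplatePredefinedValuesKeyUsageArgs.builder()
                    .baseKeyUsage(CertificateTemplatePredefinedValuesKeyUsageBaseKeyUsageArgs.builder()
                        .certSign(false)
                        .contentCommitment(true)
                        .crlSign(false)
                        .dataEncipherment(true)
                        .decipherOnly(true)
                        .digitalSignature(true)
                        .encipherOnly(true)
                        .keyAgreement(true)
                        .keyEncipherment(true)
                        .build())
                    .extendedKeyUsage(CertificateTemplatePredefinedValuesKeyUsageExtendedKeyUsageArgs.builder()
                        .clientAuth(true)
                        .codeSigning(true)
                        .emailProtection(true)
                        .ocspSigning(true)
                        .serverAuth(true)
                        .timeStamping(true)
                        .build())
                    .unknownExtendedKeyUsages(CertificateTemplatePredefinedValuesKeyUsageUnknownExtendedKeyUsageArgs.builder()
                        .objectIdPaths(
                            1,
                            6)
                        .build())
                    .build())
                .policyIds(CertificateTemplatePredefinedValuesPolicyIdArgs.builder()
                    .objectIdPaths(
                        1,
                        6)
                    .build())
                .build())
            .build());

        var test_ca = new Authority("test-ca", AuthorityArgs.builder()
            // Placeholder: the sample leaves the CA pool name empty.
            .pool("")
            .certificateAuthorityId("my-certificate-authority")
            .location("us-central1")
            // Deletion protection is off so the sample CA can be torn down;
            // leave it on for a CA whose certificates are in use.
            .deletionProtection(false)
            .config(AuthorityConfigArgs.builder()
                .subjectConfig(AuthorityConfigSubjectConfigArgs.builder()
                    .subject(AuthorityConfigSubjectConfigSubjectArgs.builder()
                        .organization("HashiCorp")
                        .commonName("my-certificate-authority")
                        .build())
                    .subjectAltName(AuthorityConfigSubjectConfigSubjectAltNameArgs.builder()
                        .dnsNames("hashicorp.com")
                        .build())
                    .build())
                .x509Config(AuthorityConfigX509ConfigArgs.builder()
                    .caOptions(AuthorityConfigX509ConfigCaOptionsArgs.builder()
                        .isCa(true)
                        .build())
                    // The CA key is limited to signing certificates and CRLs.
                    .keyUsage(AuthorityConfigX509ConfigKeyUsageArgs.builder()
                        .baseKeyUsage(AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs.builder()
                            .certSign(true)
                            .crlSign(true)
                            .build())
                        .extendedKeyUsage(AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs.builder()
                            .serverAuth(false)
                            .build())
                        .build())
                    .build())
                .build())
            .keySpec(AuthorityKeySpecArgs.builder()
                .algorithm("RSA_PKCS1_4096_SHA256")
                .build())
            .build());

        var default_ = new Certificate("default", CertificateArgs.builder()
            .pool("")
            .location("us-central1")
            .certificateAuthority(test_ca.certificateAuthorityId())
            // 860 seconds, i.e. a certificate valid for roughly 14 minutes.
            .lifetime("860s")
            .pemCsr(readFileOrThrow("test-fixtures/rsa_csr.pem"))
            .certificateTemplate(template.id())
            .build());

    }
}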
import pulumi
import pulumi_gcp as gcp

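# Certificate template used by the certificate below.
template = gcp.certificateauthority.CertificateTemplate("template",
    location="us-central1",
    description="An updated sample certificate template",
    # Both passthrough flags are on and the CEL expression is the literal
    # "true", so this sample template puts no restriction on the subject or
    # SANs a requester asks for. A real template should narrow these.
    identity_constraints=gcp.certificateauthority.CertificateTemplateIdentityConstraintsArgs(
        allow_subject_alt_names_passthrough=True,
        allow_subject_passthrough=True,
        cel_expression=gcp.certificateauthority.CertificateTemplateIdentityConstraintsCelExpressionArgs(
            description="Always true",
            expression="true",
            location="any.file.anywhere",
            title="Sample expression",
        ),
    ),
    passthrough_extensions=gcp.certificateauthority.CertificateTemplatePassthroughExtensionsArgs(
        additional_extensions=[gcp.certificateauthority.CertificateTemplatePassthroughExtensionsAdditionalExtensionArgs(
            object_id_paths=[
                1,
                6,
            ],
        )],
        known_extensions=["EXTENDED_KEY_USAGE"],
    ),
    predefined_values=gcp.certificateauthority.CertificateTemplatePredefinedValuesArgs(
        additional_extensions=[gcp.certificateauthority.CertificateTemplatePredefinedValuesAdditionalExtensionArgs(
            object_id=gcp.certificateauthority.CertificateTemplatePredefinedValuesAdditionalExtensionObjectIdArgs(
                object_id_paths=[
                    1,
                    6,
                ],
            ),
            value="c3RyaW5nCg==",
            critical=True,
        )],
        aia_ocsp_servers=["string"],
        ca_options=gcp.certificateauthority.CertificateTemplatePredefinedValuesCaOptionsArgs(
            is_ca=False,
            max_issuer_path_length=6,
        ),
        # The sample switches on almost every key usage to show the fields;
        # a production template should enable only the usages it needs.
        key_usage=gcp.certificateauthority.CertificateTemplatePredefinedValuesKeyUsageArgs(
            base_key_usage=gcp.certificateauthority.CertificateTemplatePredefinedValuesKeyUsageBaseKeyUsageArgs(
                cert_sign=False,
                content_commitment=True,
                crl_sign=False,
                data_encipherment=True,
                decipher_only=True,
                digital_signature=True,
                encipher_only=True,
                key_agreement=True,
                key_encipherment=True,
            ),
            extended_key_usage=gcp.certificateauthority.CertificateTemplatePredefinedValuesKeyUsageExtendedKeyUsageArgs(
                client_auth=True,
                code_signing=True,
                email_protection=True,
                ocsp_signing=True,
                server_auth=True,
                time_stamping=True,
            ),
            unknown_extended_key_usages=[gcp.certificateauthority.CertificateTemplatePredefinedValuesKeyUsageUnknownExtendedKeyUsageArgs(
                object_id_paths=[
                    1,
                    6,
                ],
            )],
        ),
        policy_ids=[gcp.certificateauthority.CertificateTemplatePredefinedValuesPolicyIdArgs(
            object_id_paths=[
                1,
                6,
            ],
        )],
    ))

# Certificate authority that signs the certificate below.
test_ca = gcp.certificateauthority.Authority("test-ca",
    # Placeholder: the sample leaves the CA pool name empty.
    pool="",
    certificate_authority_id="my-certificate-authority",
    location="us-central1",
    # Deletion protection is off so the sample CA can be torn down;
    # leave it on for a CA whose certificates are in use.
    deletion_protection=False,
    config=gcp.certificateauthority.AuthorityConfigArgs(
        subject_config=gcp.certificateauthority.AuthorityConfigSubjectConfigArgs(
            subject=gcp.certificateauthority.AuthorityConfigSubjectConfigSubjectArgs(
                organization="HashiCorp",
                common_name="my-certificate-authority",
            ),
            subject_alt_name=gcp.certificateauthority.AuthorityConfigSubjectConfigSubjectAltNameArgs(
                dns_names=["hashicorp.com"],
            ),
        ),
        x509_config=gcp.certificateauthority.AuthorityConfigX509ConfigArgs(
            ca_options=gcp.certificateauthority.AuthorityConfigX509ConfigCaOptionsArgs(
                is_ca=True,
            ),
            # The CA key is limited to signing certificates and CRLs.
            key_usage=gcp.certificateauthority.AuthorityConfigX509ConfigKeyUsageArgs(
                base_key_usage=gcp.certificateauthority.AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs(
                    cert_sign=True,
                    crl_sign=True,
                ),
                extended_key_usage=gcp.certificateauthority.AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs(
                    server_auth=False,
                ),
            ),
        ),
    ),
    key_spec=gcp.certificateauthority.AuthorityKeySpecArgs(
        algorithm="RSA_PKCS1_4096_SHA256",
    ))

# Read the CSR with a context manager so the file handle is closed promptly
# instead of being left to the garbage collector.
with open("test-fixtures/rsa_csr.pem") as csr_file:
    csr_pem = csr_file.read()

default = gcp.certificateauthority.Certificate("default",
    pool="",
    location="us-central1",
    certificate_authority=test_ca.certificate_authority_id,
    # 860 seconds, i.e. a certificate valid for roughly 14 minutes.
    lifetime="860s",
    pem_csr=csr_pem,
    certificate_template=template.id)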
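import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
// A namespace import needs a binding name; `import * from "fs"` does not parse.
import * as fs from "fs";

// Certificate template used by the certificate below.
const template = new gcp.certificateauthority.CertificateTemplate("template", {
    location: "us-central1",
    description: "An updated sample certificate template",
    // Both passthrough flags are on and the CEL expression is the literal
    // "true", so this sample template puts no restriction on the subject or
    // SANs a requester asks for. A real template should narrow these.
    identityConstraints: {
        allowSubjectAltNamesPassthrough: true,
        allowSubjectPassthrough: true,
        celExpression: {
            description: "Always true",
            expression: "true",
            location: "any.file.anywhere",
            title: "Sample expression",
        },
    },
    passthroughExtensions: {
        additionalExtensions: [{
            objectIdPaths: [
                1,
                6,
            ],
        }],
        knownExtensions: ["EXTENDED_KEY_USAGE"],
    },
    predefinedValues: {
        additionalExtensions: [{
            objectId: {
                objectIdPaths: [
                    1,
                    6,
                ],
            },
            value: "c3RyaW5nCg==",
            critical: true,
        }],
        aiaOcspServers: ["string"],
        caOptions: {
            isCa: false,
            maxIssuerPathLength: 6,
        },
        // The sample switches on almost every key usage to show the fields;
        // a production template should enable only the usages it needs.
        keyUsage: {
            baseKeyUsage: {
                certSign: false,
                contentCommitment: true,
                crlSign: false,
                dataEncipherment: true,
                decipherOnly: true,
                digitalSignature: true,
                encipherOnly: true,
                keyAgreement: true,
                keyEncipherment: true,
            },
            extendedKeyUsage: {
                clientAuth: true,
                codeSigning: true,
                emailProtection: true,
                ocspSigning: true,
                serverAuth: true,
                timeStamping: true,
            },
            unknownExtendedKeyUsages: [{
                objectIdPaths: [
                    1,
                    6,
                ],
            }],
        },
        policyIds: [{
            objectIdPaths: [
                1,
                6,
            ],
        }],
    },
});
// Certificate authority that signs the certificate below.
const test_ca = new gcp.certificateauthority.Authority("test-ca", {
    // Placeholder: the sample leaves the CA pool name empty.
    pool: "",
    certificateAuthorityId: "my-certificate-authority",
    location: "us-central1",
    // Deletion protection is off so the sample CA can be torn down;
    // leave it on for a CA whose certificates are in use.
    deletionProtection: false,
    config: {
        subjectConfig: {
            subject: {
                organization: "HashiCorp",
                commonName: "my-certificate-authority",
            },
            subjectAltName: {
                dnsNames: ["hashicorp.com"],
            },
        },
        x509Config: {
            caOptions: {
                isCa: true,
            },
            // The CA key is limited to signing certificates and CRLs.
            keyUsage: {
                baseKeyUsage: {
                    certSign: true,
                    crlSign: true,
                },
                extendedKeyUsage: {
                    serverAuth: false,
                },
            },
        },
    },
    keySpec: {
        algorithm: "RSA_PKCS1_4096_SHA256",
    },
});
const _default = new gcp.certificateauthority.Certificate("default", {
    pool: "",
    location: "us-central1",
    certificateAuthority: test_ca.certificateAuthorityId,
    // 860 seconds, i.e. a certificate valid for roughly 14 minutes.
    lifetime: "860s",
    // Pass an encoding so readFileSync returns the PEM text as a string
    // rather than a Buffer.
    pemCsr: fs.readFileSync("test-fixtures/rsa_csr.pem", "utf8"),
    certificateTemplate: template.id,
});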


Privateca Certificate Csr

using System.IO;
using Pulumi;
using Gcp = Pulumi.Gcp;

/// <summary>
/// Stack that declares a certificate authority and a certificate issued from a
/// PEM-encoded CSR read from disk.
/// </summary>
class MyStack : Stack
{
    public MyStack()
    {
        // Subject and SAN the CA certificate is issued for.
        var caSubjectConfig = new Gcp.CertificateAuthority.Inputs.AuthorityConfigSubjectConfigArgs
        {
            Subject = new Gcp.CertificateAuthority.Inputs.AuthorityConfigSubjectConfigSubjectArgs
            {
                Organization = "HashiCorp",
                CommonName = "my-certificate-authority",
            },
            SubjectAltName = new Gcp.CertificateAuthority.Inputs.AuthorityConfigSubjectConfigSubjectAltNameArgs
            {
                DnsNames =
                {
                    "hashicorp.com",
                },
            },
        };

        // The CA key is limited to signing certificates and CRLs.
        var caKeyUsage = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigKeyUsageArgs
        {
            BaseKeyUsage = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs
            {
                CertSign = true,
                CrlSign = true,
            },
            ExtendedKeyUsage = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs
            {
                ServerAuth = false,
            },
        };

        var caX509Config = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigArgs
        {
            CaOptions = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigCaOptionsArgs
            {
                IsCa = true,
            },
            KeyUsage = caKeyUsage,
        };

        var certificateAuthority = new Gcp.CertificateAuthority.Authority("test-ca", new Gcp.CertificateAuthority.AuthorityArgs
        {
            // Placeholder: the sample leaves the CA pool name empty.
            Pool = "",
            CertificateAuthorityId = "my-certificate-authority",
            Location = "us-central1",
            // Deletion protection is off so the sample CA can be torn down;
            // leave it on for a CA whose certificates are in use.
            DeletionProtection = false,
            Config = new Gcp.CertificateAuthority.Inputs.AuthorityConfigArgs
            {
                SubjectConfig = caSubjectConfig,
                X509Config = caX509Config,
            },
            KeySpec = new Gcp.CertificateAuthority.Inputs.AuthorityKeySpecArgs
            {
                Algorithm = "RSA_PKCS1_4096_SHA256",
            },
        });

        var issuedCertificate = new Gcp.CertificateAuthority.Certificate("default", new Gcp.CertificateAuthority.CertificateArgs
        {
            Pool = "",
            Location = "us-central1",
            CertificateAuthority = certificateAuthority.CertificateAuthorityId,
            // 860 seconds, i.e. a certificate valid for roughly 14 minutes.
            Lifetime = "860s",
            PemCsr = File.ReadAllText("test-fixtures/rsa_csr.pem"),
        });
    }

}
package main

import (
	"io/ioutil"

	"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/certificateauthority"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

// readFileOrPanic returns the content of the file at path as a Pulumi string
// input. It panics with the error text when the file cannot be read.
func readFileOrPanic(path string) pulumi.StringPtrInput {
	contents, readErr := ioutil.ReadFile(path)
	if readErr == nil {
		return pulumi.String(string(contents))
	}
	panic(readErr.Error())
}

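// main declares a certificate authority and a certificate issued from a
// PEM-encoded CSR read from disk.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Keep the authority: the certificate below references its ID. The
		// original discarded it with `_` and then used an undeclared name.
		testCA, err := certificateauthority.NewAuthority(ctx, "test-ca", &certificateauthority.AuthorityArgs{
			// Placeholder: the sample leaves the CA pool name empty.
			Pool:                   pulumi.String(""),
			CertificateAuthorityId: pulumi.String("my-certificate-authority"),
			Location:               pulumi.String("us-central1"),
			// Deletion protection is off so the sample CA can be torn down;
			// leave it on for a CA whose certificates are in use.
			DeletionProtection: pulumi.Bool(false),
			Config: &certificateauthority.AuthorityConfigArgs{
				SubjectConfig: &certificateauthority.AuthorityConfigSubjectConfigArgs{
					Subject: &certificateauthority.AuthorityConfigSubjectConfigSubjectArgs{
						Organization: pulumi.String("HashiCorp"),
						CommonName:   pulumi.String("my-certificate-authority"),
					},
					SubjectAltName: &certificateauthority.AuthorityConfigSubjectConfigSubjectAltNameArgs{
						DnsNames: pulumi.StringArray{
							pulumi.String("hashicorp.com"),
						},
					},
				},
				X509Config: &certificateauthority.AuthorityConfigX509ConfigArgs{
					CaOptions: &certificateauthority.AuthorityConfigX509ConfigCaOptionsArgs{
						IsCa: pulumi.Bool(true),
					},
					// The CA key is limited to signing certificates and CRLs.
					KeyUsage: &certificateauthority.AuthorityConfigX509ConfigKeyUsageArgs{
						BaseKeyUsage: &certificateauthority.AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs{
							CertSign: pulumi.Bool(true),
							CrlSign:  pulumi.Bool(true),
						},
						ExtendedKeyUsage: &certificateauthority.AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs{
							ServerAuth: pulumi.Bool(false),
						},
					},
				},
			},
			KeySpec: &certificateauthority.AuthorityKeySpecArgs{
				Algorithm: pulumi.String("RSA_PKCS1_4096_SHA256"),
			},
		})
		if err != nil {
			return err
		}
		_, err = certificateauthority.NewCertificate(ctx, "default", &certificateauthority.CertificateArgs{
			Pool:                 pulumi.String(""),
			Location:             pulumi.String("us-central1"),
			CertificateAuthority: testCA.CertificateAuthorityId,
			// 860 seconds, i.e. a certificate valid for roughly 14 minutes.
			Lifetime: pulumi.String("860s"),
			PemCsr:   readFileOrPanic("test-fixtures/rsa_csr.pem"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}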
package generated_program;

import java.util.*;
import java.io.*;
import java.nio.*;
import com.pulumi.*;

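/**
 * Pulumi program that declares a certificate authority and a certificate
 * issued from a PEM-encoded CSR read from disk.
 */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Reads a whole text file into a string.
     *
     * {@code Files.readString} takes a {@code Path}, not a {@code String}, and
     * {@code java.nio.file} is not covered by the file's {@code java.nio.*}
     * import, so the types are fully qualified here.
     *
     * @param path file to read
     * @return the file content
     * @throws UncheckedIOException if the file cannot be read
     */
    private static String readFileOrThrow(String path) {
        try {
            return java.nio.file.Files.readString(java.nio.file.Path.of(path));
        } catch (IOException e) {
            throw new UncheckedIOException(e);
        }
    }

    /**
     * Declares the CA and the certificate.
     *
     * @param ctx Pulumi context supplied by {@code Pulumi.run}
     */
    public static void stack(Context ctx) {
        var test_ca = new Authority("test-ca", AuthorityArgs.builder()
            // Placeholder: the sample leaves the CA pool name empty.
            .pool("")
            .certificateAuthorityId("my-certificate-authority")
            .location("us-central1")
            // Deletion protection is off so the sample CA can be torn down;
            // leave it on for a CA whose certificates are in use.
            .deletionProtection(false)
            .config(AuthorityConfigArgs.builder()
                .subjectConfig(AuthorityConfigSubjectConfigArgs.builder()
                    .subject(AuthorityConfigSubjectConfigSubjectArgs.builder()
                        .organization("HashiCorp")
                        .commonName("my-certificate-authority")
                        .build())
                    .subjectAltName(AuthorityConfigSubjectConfigSubjectAltNameArgs.builder()
                        .dnsNames("hashicorp.com")
                        .build())
                    .build())
                .x509Config(AuthorityConfigX509ConfigArgs.builder()
                    .caOptions(AuthorityConfigX509ConfigCaOptionsArgs.builder()
                        .isCa(true)
                        .build())
                    // The CA key is limited to signing certificates and CRLs.
                    .keyUsage(AuthorityConfigX509ConfigKeyUsageArgs.builder()
                        .baseKeyUsage(AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs.builder()
                            .certSign(true)
                            .crlSign(true)
                            .build())
                        .extendedKeyUsage(AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs.builder()
                            .serverAuth(false)
                            .build())
                        .build())
                    .build())
                .build())
            .keySpec(AuthorityKeySpecArgs.builder()
                .algorithm("RSA_PKCS1_4096_SHA256")
                .build())
            .build());

        var default_ = new Certificate("default", CertificateArgs.builder()
            .pool("")
            .location("us-central1")
            .certificateAuthority(test_ca.certificateAuthorityId())
            // 860 seconds, i.e. a certificate valid for roughly 14 minutes.
            .lifetime("860s")
            .pemCsr(readFileOrThrow("test-fixtures/rsa_csr.pem"))
            .build());

    }
}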
import pulumi
import pulumi_gcp as gcp

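# Certificate authority that signs the certificate below.
test_ca = gcp.certificateauthority.Authority("test-ca",
    # Placeholder: the sample leaves the CA pool name empty.
    pool="",
    certificate_authority_id="my-certificate-authority",
    location="us-central1",
    # Deletion protection is off so the sample CA can be torn down;
    # leave it on for a CA whose certificates are in use.
    deletion_protection=False,
    config=gcp.certificateauthority.AuthorityConfigArgs(
        subject_config=gcp.certificateauthority.AuthorityConfigSubjectConfigArgs(
            subject=gcp.certificateauthority.AuthorityConfigSubjectConfigSubjectArgs(
                organization="HashiCorp",
                common_name="my-certificate-authority",
            ),
            subject_alt_name=gcp.certificateauthority.AuthorityConfigSubjectConfigSubjectAltNameArgs(
                dns_names=["hashicorp.com"],
            ),
        ),
        x509_config=gcp.certificateauthority.AuthorityConfigX509ConfigArgs(
            ca_options=gcp.certificateauthority.AuthorityConfigX509ConfigCaOptionsArgs(
                is_ca=True,
            ),
            # The CA key is limited to signing certificates and CRLs.
            key_usage=gcp.certificateauthority.AuthorityConfigX509ConfigKeyUsageArgs(
                base_key_usage=gcp.certificateauthority.AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs(
                    cert_sign=True,
                    crl_sign=True,
                ),
                extended_key_usage=gcp.certificateauthority.AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs(
                    server_auth=False,
                ),
            ),
        ),
    ),
    key_spec=gcp.certificateauthority.AuthorityKeySpecArgs(
        algorithm="RSA_PKCS1_4096_SHA256",
    ))

# Read the CSR with a context manager so the file handle is closed promptly
# instead of being left to the garbage collector.
with open("test-fixtures/rsa_csr.pem") as csr_file:
    csr_pem = csr_file.read()

default = gcp.certificateauthority.Certificate("default",
    pool="",
    location="us-central1",
    certificate_authority=test_ca.certificate_authority_id,
    # 860 seconds, i.e. a certificate valid for roughly 14 minutes.
    lifetime="860s",
    pem_csr=csr_pem)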
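import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
// A namespace import needs a binding name; `import * from "fs"` does not parse.
import * as fs from "fs";

// Certificate authority that signs the certificate below.
const test_ca = new gcp.certificateauthority.Authority("test-ca", {
    // Placeholder: the sample leaves the CA pool name empty.
    pool: "",
    certificateAuthorityId: "my-certificate-authority",
    location: "us-central1",
    // Deletion protection is off so the sample CA can be torn down;
    // leave it on for a CA whose certificates are in use.
    deletionProtection: false,
    config: {
        subjectConfig: {
            subject: {
                organization: "HashiCorp",
                commonName: "my-certificate-authority",
            },
            subjectAltName: {
                dnsNames: ["hashicorp.com"],
            },
        },
        x509Config: {
            caOptions: {
                isCa: true,
            },
            // The CA key is limited to signing certificates and CRLs.
            keyUsage: {
                baseKeyUsage: {
                    certSign: true,
                    crlSign: true,
                },
                extendedKeyUsage: {
                    serverAuth: false,
                },
            },
        },
    },
    keySpec: {
        algorithm: "RSA_PKCS1_4096_SHA256",
    },
});
const _default = new gcp.certificateauthority.Certificate("default", {
    pool: "",
    location: "us-central1",
    certificateAuthority: test_ca.certificateAuthorityId,
    // 860 seconds, i.e. a certificate valid for roughly 14 minutes.
    lifetime: "860s",
    // Pass an encoding so readFileSync returns the PEM text as a string
    // rather than a Buffer.
    pemCsr: fs.readFileSync("test-fixtures/rsa_csr.pem", "utf8"),
});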


Privateca Certificate No Authority

using System;
using System.IO;
using Pulumi;
using Gcp = Pulumi.Gcp;

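/// <summary>
/// Stack that declares a certificate authority and a certificate built from an
/// inline config and a PEM public key, with no CA named on the certificate.
/// </summary>
class MyStack : Stack
{
    /// <summary>
    /// Returns the Base64 encoding of the raw bytes of a file.
    /// </summary>
    /// <param name="path">File to read.</param>
    /// <returns>Base64 text of the file content.</returns>
    private static string ReadFileBase64(string path)
    {
        // Encode the bytes as stored on disk. This avoids a decode/re-encode
        // round trip and the System.Text dependency the file does not import.
        return Convert.ToBase64String(File.ReadAllBytes(path));
    }

    public MyStack()
    {
        var authority = new Gcp.CertificateAuthority.Authority("authority", new Gcp.CertificateAuthority.AuthorityArgs
        {
            // Placeholder: the sample leaves the CA pool name empty.
            Pool = "",
            CertificateAuthorityId = "my-authority",
            Location = "us-central1",
            // Deletion protection is off so the sample CA can be torn down;
            // leave it on for a CA whose certificates are in use.
            DeletionProtection = false,
            Config = new Gcp.CertificateAuthority.Inputs.AuthorityConfigArgs
            {
                SubjectConfig = new Gcp.CertificateAuthority.Inputs.AuthorityConfigSubjectConfigArgs
                {
                    Subject = new Gcp.CertificateAuthority.Inputs.AuthorityConfigSubjectConfigSubjectArgs
                    {
                        Organization = "HashiCorp",
                        CommonName = "my-certificate-authority",
                    },
                    SubjectAltName = new Gcp.CertificateAuthority.Inputs.AuthorityConfigSubjectConfigSubjectAltNameArgs
                    {
                        DnsNames =
                        {
                            "hashicorp.com",
                        },
                    },
                },
                X509Config = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigArgs
                {
                    CaOptions = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigCaOptionsArgs
                    {
                        IsCa = true,
                    },
                    // NOTE(review): unlike the other samples on this page, this CA
                    // also enables DigitalSignature and ServerAuth; a CA key is
                    // normally limited to CertSign and CrlSign.
                    KeyUsage = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigKeyUsageArgs
                    {
                        BaseKeyUsage = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs
                        {
                            DigitalSignature = true,
                            CertSign = true,
                            CrlSign = true,
                        },
                        ExtendedKeyUsage = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs
                        {
                            ServerAuth = true,
                        },
                    },
                },
            },
            // 86400 seconds, i.e. a CA certificate valid for one day.
            Lifetime = "86400s",
            KeySpec = new Gcp.CertificateAuthority.Inputs.AuthorityKeySpecArgs
            {
                Algorithm = "RSA_PKCS1_4096_SHA256",
            },
        });
        var @default = new Gcp.CertificateAuthority.Certificate("default", new Gcp.CertificateAuthority.CertificateArgs
        {
            Pool = "",
            Location = "us-central1",
            // 860 seconds, i.e. a certificate valid for roughly 14 minutes.
            Lifetime = "860s",
            Config = new Gcp.CertificateAuthority.Inputs.CertificateConfigArgs
            {
                SubjectConfig = new Gcp.CertificateAuthority.Inputs.CertificateConfigSubjectConfigArgs
                {
                    Subject = new Gcp.CertificateAuthority.Inputs.CertificateConfigSubjectConfigSubjectArgs
                    {
                        CommonName = "san1.example.com",
                        CountryCode = "us",
                        Organization = "google",
                        OrganizationalUnit = "enterprise",
                        Locality = "mountain view",
                        Province = "california",
                        StreetAddress = "1600 amphitheatre parkway",
                        PostalCode = "94109",
                    },
                },
                X509Config = new Gcp.CertificateAuthority.Inputs.CertificateConfigX509ConfigArgs
                {
                    CaOptions = new Gcp.CertificateAuthority.Inputs.CertificateConfigX509ConfigCaOptionsArgs
                    {
                        IsCa = false,
                    },
                    // NOTE(review): this non-CA certificate requests CrlSign next
                    // to ServerAuth; confirm that a server certificate needs it.
                    KeyUsage = new Gcp.CertificateAuthority.Inputs.CertificateConfigX509ConfigKeyUsageArgs
                    {
                        BaseKeyUsage = new Gcp.CertificateAuthority.Inputs.CertificateConfigX509ConfigKeyUsageBaseKeyUsageArgs
                        {
                            CrlSign = true,
                        },
                        ExtendedKeyUsage = new Gcp.CertificateAuthority.Inputs.CertificateConfigX509ConfigKeyUsageExtendedKeyUsageArgs
                        {
                            ServerAuth = true,
                        },
                    },
                },
                // Only the public key is supplied; it is passed as Base64 of the PEM file.
                PublicKey = new Gcp.CertificateAuthority.Inputs.CertificateConfigPublicKeyArgs
                {
                    Format = "PEM",
                    Key = ReadFileBase64("test-fixtures/rsa_public.pem"),
                },
            },
        }, new CustomResourceOptions
        {
            // The certificate names no CA, so the ordering is made explicit here.
            DependsOn =
            {
                authority,
            },
        });
    }

}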
package main

import (
	"encoding/base64"
	"io/ioutil"

	"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/certificateauthority"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

// filebase64OrPanic returns the standard Base64 encoding of the file at path
// as a Pulumi string input. It panics with the error text when the file
// cannot be read.
func filebase64OrPanic(path string) pulumi.StringPtrInput {
	raw, readErr := ioutil.ReadFile(path)
	if readErr != nil {
		panic(readErr.Error())
	}
	encoded := base64.StdEncoding.EncodeToString(raw)
	return pulumi.String(encoded)
}

// main declares a certificate authority and a certificate built from an inline
// config and a PEM public key, with no CA named on the certificate.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Subject and SAN the CA certificate is issued for.
		caSubject := &certificateauthority.AuthorityConfigSubjectConfigArgs{
			Subject: &certificateauthority.AuthorityConfigSubjectConfigSubjectArgs{
				Organization: pulumi.String("HashiCorp"),
				CommonName:   pulumi.String("my-certificate-authority"),
			},
			SubjectAltName: &certificateauthority.AuthorityConfigSubjectConfigSubjectAltNameArgs{
				DnsNames: pulumi.StringArray{
					pulumi.String("hashicorp.com"),
				},
			},
		}
		// NOTE(review): unlike the other samples on this page, this CA also
		// enables DigitalSignature and ServerAuth; a CA key is normally
		// limited to CertSign and CrlSign.
		caX509 := &certificateauthority.AuthorityConfigX509ConfigArgs{
			CaOptions: &certificateauthority.AuthorityConfigX509ConfigCaOptionsArgs{
				IsCa: pulumi.Bool(true),
			},
			KeyUsage: &certificateauthority.AuthorityConfigX509ConfigKeyUsageArgs{
				BaseKeyUsage: &certificateauthority.AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs{
					DigitalSignature: pulumi.Bool(true),
					CertSign:         pulumi.Bool(true),
					CrlSign:          pulumi.Bool(true),
				},
				ExtendedKeyUsage: &certificateauthority.AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs{
					ServerAuth: pulumi.Bool(true),
				},
			},
		}

		authority, err := certificateauthority.NewAuthority(ctx, "authority", &certificateauthority.AuthorityArgs{
			// Placeholder: the sample leaves the CA pool name empty.
			Pool:                   pulumi.String(""),
			CertificateAuthorityId: pulumi.String("my-authority"),
			Location:               pulumi.String("us-central1"),
			// Deletion protection is off so the sample CA can be torn down;
			// leave it on for a CA whose certificates are in use.
			DeletionProtection: pulumi.Bool(false),
			Config: &certificateauthority.AuthorityConfigArgs{
				SubjectConfig: caSubject,
				X509Config:    caX509,
			},
			// 86400 seconds, i.e. a CA certificate valid for one day.
			Lifetime: pulumi.String("86400s"),
			KeySpec: &certificateauthority.AuthorityKeySpecArgs{
				Algorithm: pulumi.String("RSA_PKCS1_4096_SHA256"),
			},
		})
		if err != nil {
			return err
		}

		// Built after the authority so the key file is read only once the
		// authority has been declared, as in the single-expression form.
		leafConfig := &certificateauthority.CertificateConfigArgs{
			SubjectConfig: &certificateauthority.CertificateConfigSubjectConfigArgs{
				Subject: &certificateauthority.CertificateConfigSubjectConfigSubjectArgs{
					CommonName:         pulumi.String("san1.example.com"),
					CountryCode:        pulumi.String("us"),
					Organization:       pulumi.String("google"),
					OrganizationalUnit: pulumi.String("enterprise"),
					Locality:           pulumi.String("mountain view"),
					Province:           pulumi.String("california"),
					StreetAddress:      pulumi.String("1600 amphitheatre parkway"),
					PostalCode:         pulumi.String("94109"),
				},
			},
			// NOTE(review): this non-CA certificate requests CrlSign next to
			// ServerAuth; confirm that a server certificate needs it.
			X509Config: &certificateauthority.CertificateConfigX509ConfigArgs{
				CaOptions: &certificateauthority.CertificateConfigX509ConfigCaOptionsArgs{
					IsCa: pulumi.Bool(false),
				},
				KeyUsage: &certificateauthority.CertificateConfigX509ConfigKeyUsageArgs{
					BaseKeyUsage: &certificateauthority.CertificateConfigX509ConfigKeyUsageBaseKeyUsageArgs{
						CrlSign: pulumi.Bool(true),
					},
					ExtendedKeyUsage: &certificateauthority.CertificateConfigX509ConfigKeyUsageExtendedKeyUsageArgs{
						ServerAuth: pulumi.Bool(true),
					},
				},
			},
			// Only the public key is supplied, as Base64 of the PEM file.
			PublicKey: &certificateauthority.CertificateConfigPublicKeyArgs{
				Format: pulumi.String("PEM"),
				Key:    filebase64OrPanic("test-fixtures/rsa_public.pem"),
			},
		}

		// The certificate names no CA, so the ordering is made explicit.
		dependsOnAuthority := pulumi.DependsOn([]pulumi.Resource{
			authority,
		})
		_, err = certificateauthority.NewCertificate(ctx, "default", &certificateauthority.CertificateArgs{
			Pool:     pulumi.String(""),
			Location: pulumi.String("us-central1"),
			// 860 seconds, i.e. a certificate valid for roughly 14 minutes.
			Lifetime: pulumi.String("860s"),
			Config:   leafConfig,
		}, dependsOnAuthority)
		return err
	})
}
package generated_program;

import java.util.*;
import java.io.*;
import java.nio.*;
import com.pulumi.*;
import com.pulumi.resources.CustomResourceOptions;

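/**
 * Pulumi program that creates a private certificate authority and then issues one
 * leaf certificate for a public key read from a local PEM file.
 *
 * <p>The values are documentation placeholders (empty pool name, a one-day CA
 * lifetime, deletion protection switched off); review each of them before reusing
 * the listing outside a test project.
 */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Returns the raw bytes of the file at {@code path}, base64-encoded.
     *
     * <p>{@code Files.readAllBytes} throws the checked {@code IOException}; it is
     * rethrown unchecked so the call can sit inside the builder chain in
     * {@link #stack(Context)}, which declares no checked exceptions.
     *
     * @param path location of the file to read
     * @return base64 text of the file content
     * @throws UncheckedIOException if the file cannot be read
     */
    private static String readFileBase64(String path) {
        try {
            // Fully qualified: the listing imports java.nio.* but not java.nio.file.*.
            byte[] content = java.nio.file.Files.readAllBytes(java.nio.file.Paths.get(path));
            return Base64.getEncoder().encodeToString(content);
        } catch (IOException e) {
            throw new UncheckedIOException("Cannot read " + path, e);
        }
    }

    /**
     * Declares the certificate authority and the certificate issued from it.
     *
     * @param ctx Pulumi context of the running deployment (not used directly here)
     */
    public static void stack(Context ctx) {
        var authority = new Authority("authority", AuthorityArgs.builder()
            // Placeholder: set this to the name of the CA pool that holds the authority.
            .pool("")
            .certificateAuthorityId("my-authority")
            .location("us-central1")
            // Switches off the guard against deleting the CA. Keep the guard on for
            // any authority whose certificates are relied upon.
            .deletionProtection(false)
            .config(AuthorityConfigArgs.builder()
                .subjectConfig(AuthorityConfigSubjectConfigArgs.builder()
                    .subject(AuthorityConfigSubjectConfigSubjectArgs.builder()
                        .organization("HashiCorp")
                        .commonName("my-certificate-authority")
                        .build())
                    .subjectAltName(AuthorityConfigSubjectConfigSubjectAltNameArgs.builder()
                        .dnsNames("hashicorp.com")
                        .build())
                    .build())
                .x509Config(AuthorityConfigX509ConfigArgs.builder()
                    .caOptions(AuthorityConfigX509ConfigCaOptionsArgs.builder()
                        .isCa(true)
                        .build())
                    .keyUsage(AuthorityConfigX509ConfigKeyUsageArgs.builder()
                        // certSign and crlSign are the issuer functions of a CA.
                        .baseKeyUsage(AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs.builder()
                            .digitalSignature(true)
                            .certSign(true)
                            .crlSign(true)
                            .build())
                        .extendedKeyUsage(AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs.builder()
                            .serverAuth(true)
                            .build())
                        .build())
                    .build())
                .build())
            // 86400 seconds = 24 hours.
            .lifetime("86400s")
            .keySpec(AuthorityKeySpecArgs.builder()
                .algorithm("RSA_PKCS1_4096_SHA256")
                .build())
            .build());

        var default_ = new Certificate("default", CertificateArgs.builder()
            // Placeholder: set this to the name of the CaPool the certificate belongs to.
            .pool("")
            .location("us-central1")
            // 860 seconds, a little over 14 minutes.
            .lifetime("860s")
            .config(CertificateConfigArgs.builder()
                .subjectConfig(CertificateConfigSubjectConfigArgs.builder()
                    .subject(CertificateConfigSubjectConfigSubjectArgs.builder()
                        .commonName("san1.example.com")
                        .countryCode("us")
                        .organization("google")
                        .organizationalUnit("enterprise")
                        .locality("mountain view")
                        .province("california")
                        .streetAddress("1600 amphitheatre parkway")
                        .postalCode("94109")
                        .build())
                    .build())
                .x509Config(CertificateConfigX509ConfigArgs.builder()
                    .caOptions(CertificateConfigX509ConfigCaOptionsArgs.builder()
                        .isCa(false)
                        .build())
                    .keyUsage(CertificateConfigX509ConfigKeyUsageArgs.builder()
                        // NOTE(review): this is a non-CA certificate with the serverAuth
                        // extended usage, yet the only base key usage is crlSign. RFC 5280
                        // pairs serverAuth with digitalSignature, keyEncipherment or
                        // keyAgreement, and CRL signing is an issuer function. Confirm the
                        // intended usage before copying these values.
                        .baseKeyUsage(CertificateConfigX509ConfigKeyUsageBaseKeyUsageArgs.builder()
                            .crlSign(true)
                            .build())
                        .extendedKeyUsage(CertificateConfigX509ConfigKeyUsageExtendedKeyUsageArgs.builder()
                            .serverAuth(true)
                            .build())
                        .build())
                    .build())
                .publicKey(CertificateConfigPublicKeyArgs.builder()
                    .format("PEM")
                    // Only the public half of the key pair is read and sent.
                    .key(readFileBase64("test-fixtures/rsa_public.pem"))
                    .build())
                .build())
            .build(), CustomResourceOptions.builder()
                // No issuing CA is named on the certificate itself, so the explicit
                // dependency makes Pulumi create the authority first.
                .dependsOn(authority)
                .build());

    }
}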
import pulumi
import base64
import pulumi_gcp as gcp

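def _read_file_base64(path: str) -> str:
    """Return the raw bytes of the file at ``path`` as base64 text."""
    # Binary mode plus a context manager: the PEM file is encoded byte for byte
    # (no newline or text-encoding translation) and the handle is closed as soon
    # as the content has been read.
    with open(path, "rb") as key_file:
        return base64.b64encode(key_file.read()).decode("ascii")


# Certificate authority that issues the certificate declared further down.
# The values are documentation placeholders; review them before reuse.
authority = gcp.certificateauthority.Authority("authority",
    # Placeholder: set this to the name of the CA pool that holds the authority.
    pool="",
    certificate_authority_id="my-authority",
    location="us-central1",
    # Switches off the guard against deleting the CA. Keep the guard on for any
    # authority whose certificates are relied upon.
    deletion_protection=False,
    config=gcp.certificateauthority.AuthorityConfigArgs(
        subject_config=gcp.certificateauthority.AuthorityConfigSubjectConfigArgs(
            subject=gcp.certificateauthority.AuthorityConfigSubjectConfigSubjectArgs(
                organization="HashiCorp",
                common_name="my-certificate-authority",
            ),
            subject_alt_name=gcp.certificateauthority.AuthorityConfigSubjectConfigSubjectAltNameArgs(
                dns_names=["hashicorp.com"],
            ),
        ),
        x509_config=gcp.certificateauthority.AuthorityConfigX509ConfigArgs(
            ca_options=gcp.certificateauthority.AuthorityConfigX509ConfigCaOptionsArgs(
                is_ca=True,
            ),
            key_usage=gcp.certificateauthority.AuthorityConfigX509ConfigKeyUsageArgs(
                # cert_sign and crl_sign are the issuer functions of a CA.
                base_key_usage=gcp.certificateauthority.AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs(
                    digital_signature=True,
                    cert_sign=True,
                    crl_sign=True,
                ),
                extended_key_usage=gcp.certificateauthority.AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs(
                    server_auth=True,
                ),
            ),
        ),
    ),
    # 86400 seconds = 24 hours.
    lifetime="86400s",
    key_spec=gcp.certificateauthority.AuthorityKeySpecArgs(
        algorithm="RSA_PKCS1_4096_SHA256",
    ))

# Leaf certificate for the public key stored in test-fixtures/rsa_public.pem.
default = gcp.certificateauthority.Certificate("default",
    # Placeholder: set this to the name of the CaPool the certificate belongs to.
    pool="",
    location="us-central1",
    # 860 seconds, a little over 14 minutes.
    lifetime="860s",
    config=gcp.certificateauthority.CertificateConfigArgs(
        subject_config=gcp.certificateauthority.CertificateConfigSubjectConfigArgs(
            subject=gcp.certificateauthority.CertificateConfigSubjectConfigSubjectArgs(
                common_name="san1.example.com",
                country_code="us",
                organization="google",
                organizational_unit="enterprise",
                locality="mountain view",
                province="california",
                street_address="1600 amphitheatre parkway",
                postal_code="94109",
            ),
        ),
        x509_config=gcp.certificateauthority.CertificateConfigX509ConfigArgs(
            ca_options=gcp.certificateauthority.CertificateConfigX509ConfigCaOptionsArgs(
                is_ca=False,
            ),
            key_usage=gcp.certificateauthority.CertificateConfigX509ConfigKeyUsageArgs(
                # NOTE(review): this is a non-CA certificate with the server_auth
                # extended usage, yet the only base key usage is crl_sign. RFC 5280
                # pairs serverAuth with digitalSignature, keyEncipherment or
                # keyAgreement, and CRL signing is an issuer function. Confirm the
                # intended usage before copying these values.
                base_key_usage=gcp.certificateauthority.CertificateConfigX509ConfigKeyUsageBaseKeyUsageArgs(
                    crl_sign=True,
                ),
                extended_key_usage=gcp.certificateauthority.CertificateConfigX509ConfigKeyUsageExtendedKeyUsageArgs(
                    server_auth=True,
                ),
            ),
        ),
        public_key=gcp.certificateauthority.CertificateConfigPublicKeyArgs(
            format="PEM",
            # Only the public half of the key pair is read and sent.
            key=_read_file_base64("test-fixtures/rsa_public.pem"),
        ),
    ),
    # No issuing CA is named on the certificate itself, so the explicit dependency
    # makes Pulumi create the authority first.
    opts=pulumi.ResourceOptions(depends_on=[authority]))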
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
import * as fs from "fs";

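/**
 * Returns the raw bytes of the file at `path` as base64 text.
 *
 * readFileSync without an encoding already yields a Buffer, so it is encoded
 * directly rather than being copied through Buffer.from first.
 */
const readFileBase64 = (path: string): string => fs.readFileSync(path).toString("base64");

// Certificate authority that issues the certificate declared further down.
// The values are documentation placeholders; review them before reuse.
const authority = new gcp.certificateauthority.Authority("authority", {
    // Placeholder: set this to the name of the CA pool that holds the authority.
    pool: "",
    certificateAuthorityId: "my-authority",
    location: "us-central1",
    // Switches off the guard against deleting the CA. Keep the guard on for any
    // authority whose certificates are relied upon.
    deletionProtection: false,
    config: {
        subjectConfig: {
            subject: {
                organization: "HashiCorp",
                commonName: "my-certificate-authority",
            },
            subjectAltName: {
                dnsNames: ["hashicorp.com"],
            },
        },
        x509Config: {
            caOptions: {
                isCa: true,
            },
            keyUsage: {
                // certSign and crlSign are the issuer functions of a CA.
                baseKeyUsage: {
                    digitalSignature: true,
                    certSign: true,
                    crlSign: true,
                },
                extendedKeyUsage: {
                    serverAuth: true,
                },
            },
        },
    },
    // 86400 seconds = 24 hours.
    lifetime: "86400s",
    keySpec: {
        algorithm: "RSA_PKCS1_4096_SHA256",
    },
});

// Leaf certificate for the public key stored in test-fixtures/rsa_public.pem.
const _default = new gcp.certificateauthority.Certificate("default", {
    // Placeholder: set this to the name of the CaPool the certificate belongs to.
    pool: "",
    location: "us-central1",
    // 860 seconds, a little over 14 minutes.
    lifetime: "860s",
    config: {
        subjectConfig: {
            subject: {
                commonName: "san1.example.com",
                countryCode: "us",
                organization: "google",
                organizationalUnit: "enterprise",
                locality: "mountain view",
                province: "california",
                streetAddress: "1600 amphitheatre parkway",
                postalCode: "94109",
            },
        },
        x509Config: {
            caOptions: {
                isCa: false,
            },
            keyUsage: {
                // NOTE(review): this is a non-CA certificate with the serverAuth
                // extended usage, yet the only base key usage is crlSign. RFC 5280
                // pairs serverAuth with digitalSignature, keyEncipherment or
                // keyAgreement, and CRL signing is an issuer function. Confirm the
                // intended usage before copying these values.
                baseKeyUsage: {
                    crlSign: true,
                },
                extendedKeyUsage: {
                    serverAuth: true,
                },
            },
        },
        publicKey: {
            format: "PEM",
            // Only the public half of the key pair is read and sent.
            key: readFileBase64("test-fixtures/rsa_public.pem"),
        },
    },
}, {
    // No issuing CA is named on the certificate itself, so the explicit dependency
    // makes Pulumi create the authority first.
    dependsOn: [authority],
});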

Coming soon!

Create a Certificate Resource

new Certificate(name: string, args: CertificateArgs, opts?: CustomResourceOptions);
@overload
def Certificate(resource_name: str,
                opts: Optional[ResourceOptions] = None,
                certificate_authority: Optional[str] = None,
                certificate_template: Optional[str] = None,
                config: Optional[CertificateConfigArgs] = None,
                labels: Optional[Mapping[str, str]] = None,
                lifetime: Optional[str] = None,
                location: Optional[str] = None,
                name: Optional[str] = None,
                pem_csr: Optional[str] = None,
                pool: Optional[str] = None,
                project: Optional[str] = None)
@overload
def Certificate(resource_name: str,
                args: CertificateArgs,
                opts: Optional[ResourceOptions] = None)
func NewCertificate(ctx *Context, name string, args CertificateArgs, opts ...ResourceOption) (*Certificate, error)
public Certificate(string name, CertificateArgs args, CustomResourceOptions? opts = null)
public Certificate(String name, CertificateArgs args)
public Certificate(String name, CertificateArgs args, CustomResourceOptions options)
type: gcp:certificateauthority:Certificate
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

name string
The unique name of the resource.
args CertificateArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.
resource_name str
The unique name of the resource.
args CertificateArgs
The arguments to resource properties.
opts ResourceOptions
Bag of options to control resource's behavior.
ctx Context
Context object for the current deployment.
name string
The unique name of the resource.
args CertificateArgs
The arguments to resource properties.
opts ResourceOption
Bag of options to control resource's behavior.
name string
The unique name of the resource.
args CertificateArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.
name String
The unique name of the resource.
args CertificateArgs
The arguments to resource properties.
options CustomResourceOptions
Bag of options to control resource's behavior.

Certificate Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

The Certificate resource accepts the following input properties:

Location string

Location of the Certificate. A full list of valid locations can be found by running gcloud privateca locations list.

Pool string

The name of the CaPool this Certificate belongs to.

CertificateAuthority string

The Certificate Authority ID that should issue the certificate. For example, to issue a Certificate from a Certificate Authority with resource name projects/my-project/locations/us-central1/caPools/my-pool/certificateAuthorities/my-ca, argument pool should be set to projects/my-project/locations/us-central1/caPools/my-pool, argument certificate_authority should be set to my-ca.

CertificateTemplate string

The resource name for a CertificateTemplate used to issue this certificate, in the format projects/*/locations/*/certificateTemplates/*. If this is specified, the caller must have the necessary permission to use this template. If this is omitted, no template will be used. This template must be in the same location as the Certificate.

Config CertificateConfigArgs

The config used to create a self-signed X.509 certificate or CSR. Structure is documented below.

Labels Dictionary<string, string>

Labels with user-defined metadata to apply to this resource.

Lifetime string

The desired lifetime of the CA certificate. Used to create the "notBeforeTime" and "notAfterTime" fields inside an X.509 certificate. A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s".

Name string

The name for this Certificate.

PemCsr string

Immutable. A pem-encoded X.509 certificate signing request (CSR).

Project string

The ID of the project in which the resource belongs. If it is not provided, the provider project is used.

Location string

Location of the Certificate. A full list of valid locations can be found by running gcloud privateca locations list.

Pool string

The name of the CaPool this Certificate belongs to.

CertificateAuthority string

The Certificate Authority ID that should issue the certificate. For example, to issue a Certificate from a Certificate Authority with resource name projects/my-project/locations/us-central1/caPools/my-pool/certificateAuthorities/my-ca, argument pool should be set to projects/my-project/locations/us-central1/caPools/my-pool, argument certificate_authority should be set to my-ca.

CertificateTemplate string

The resource name for a CertificateTemplate used to issue this certificate, in the format projects/*/locations/*/certificateTemplates/*. If this is specified, the caller must have the necessary permission to use this template. If this is omitted, no template will be used. This template must be in the same location as the Certificate.

Config CertificateConfigArgs

The config used to create a self-signed X.509 certificate or CSR. Structure is documented below.

Labels map[string]string

Labels with user-defined metadata to apply to this resource.

Lifetime string

The desired lifetime of the CA certificate. Used to create the "notBeforeTime" and "notAfterTime" fields inside an X.509 certificate. A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s".

Name string

The name for this Certificate.

PemCsr string

Immutable. A pem-encoded X.509 certificate signing request (CSR).

Project string

The ID of the project in which the resource belongs. If it is not provided, the provider project is used.

location String

Location of the Certificate. A full list of valid locations can be found by running gcloud privateca locations list.

pool String

The name of the CaPool this Certificate belongs to.

certificateAuthority String

The Certificate Authority ID that should issue the certificate. For example, to issue a Certificate from a Certificate Authority with resource name projects/my-project/locations/us-central1/caPools/my-pool/certificateAuthorities/my-ca, argument pool should be set to projects/my-project/locations/us-central1/caPools/my-pool, argument certificate_authority should be set to my-ca.

certificateTemplate String

The resource name for a CertificateTemplate used to issue this certificate, in the format projects/*/locations/*/certificateTemplates/*. If this is specified, the caller must have the necessary permission to use this template. If this is omitted, no template will be used. This template must be in the same location as the Certificate.

config CertificateConfigArgs

The config used to create a self-signed X.509 certificate or CSR. Structure is documented below.

labels Map<String,String>

Labels with user-defined metadata to apply to this resource.

lifetime String

The desired lifetime of the CA certificate. Used to create the "notBeforeTime" and "notAfterTime" fields inside an X.509 certificate. A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s".

name String

The name for this Certificate.

pemCsr String

Immutable. A pem-encoded X.509 certificate signing request (CSR).

project String

The ID of the project in which the resource belongs. If it is not provided, the provider project is used.

location string

Location of the Certificate. A full list of valid locations can be found by running gcloud privateca locations list.

pool string

The name of the CaPool this Certificate belongs to.

certificateAuthority string

The Certificate Authority ID that should issue the certificate. For example, to issue a Certificate from a Certificate Authority with resource name projects/my-project/locations/us-central1/caPools/my-pool/certificateAuthorities/my-ca, argument pool should be set to projects/my-project/locations/us-central1/caPools/my-pool, argument certificate_authority should be set to my-ca.

certificateTemplate string

The resource name for a CertificateTemplate used to issue this certificate, in the format projects/*/locations/*/certificateTemplates/*. If this is specified, the caller must have the necessary permission to use this template. If this is omitted, no template will be used. This template must be in the same location as the Certificate.

config CertificateConfigArgs

The config used to create a self-signed X.509 certificate or CSR. Structure is documented below.

labels {[key: string]: string}

Labels with user-defined metadata to apply to this resource.

lifetime string

The desired lifetime of the CA certificate. Used to create the "notBeforeTime" and "notAfterTime" fields inside an X.509 certificate. A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s".

name string

The name for this Certificate.

pemCsr string

Immutable. A pem-encoded X.509 certificate signing request (CSR).

project string

The ID of the project in which the resource belongs. If it is not provided, the provider project is used.

location str

Location of the Certificate. A full list of valid locations can be found by running gcloud privateca locations list.

pool str

The name of the CaPool this Certificate belongs to.

certificate_authority str

The Certificate Authority ID that should issue the certificate. For example, to issue a Certificate from a Certificate Authority with resource name projects/my-project/locations/us-central1/caPools/my-pool/certificateAuthorities/my-ca, argument pool should be set to projects/my-project/locations/us-central1/caPools/my-pool, argument certificate_authority should be set to my-ca.

certificate_template str

The resource name for a CertificateTemplate used to issue this certificate, in the format projects/*/locations/*/certificateTemplates/*. If this is specified, the caller must have the necessary permission to use this template. If this is omitted, no template will be used. This template must be in the same location as the Certificate.

config CertificateConfigArgs

The config used to create a self-signed X.509 certificate or CSR. Structure is documented below.

labels Mapping[str, str]

Labels with user-defined metadata to apply to this resource.

lifetime str

The desired lifetime of the CA certificate. Used to create the "notBeforeTime" and "notAfterTime" fields inside an X.509 certificate. A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s".

name str

The name for this Certificate.

pem_csr str

Immutable. A pem-encoded X.509 certificate signing request (CSR).

project str

The ID of the project in which the resource belongs. If it is not provided, the provider project is used.

location String

Location of the Certificate. A full list of valid locations can be found by running gcloud privateca locations list.

pool String

The name of the CaPool this Certificate belongs to.

certificateAuthority String

The Certificate Authority ID that should issue the certificate. For example, to issue a Certificate from a Certificate Authority with resource name projects/my-project/locations/us-central1/caPools/my-pool/certificateAuthorities/my-ca, argument pool should be set to projects/my-project/locations/us-central1/caPools/my-pool, argument certificate_authority should be set to my-ca.

certificateTemplate String

The resource name for a CertificateTemplate used to issue this certificate, in the format projects/*/locations/*/certificateTemplates/*. If this is specified, the caller must have the necessary permission to use this template. If this is omitted, no template will be used. This template must be in the same location as the Certificate.

config Property Map

The config used to create a self-signed X.509 certificate or CSR. Structure is documented below.

labels Map<String>

Labels with user-defined metadata to apply to this resource.

lifetime String

The desired lifetime of the CA certificate. Used to create the "notBeforeTime" and "notAfterTime" fields inside an X.509 certificate. A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s".

name String

The name for this Certificate.

pemCsr String

Immutable. A pem-encoded X.509 certificate signing request (CSR).

project String

The ID of the project in which the resource belongs. If it is not provided, the provider project is used.

Outputs

All input properties are implicitly available as output properties. Additionally, the Certificate resource produces the following output properties:

CertificateDescriptions List<CertificateCertificateDescription>

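Output only. Details regarding the revocation of this Certificate. This Certificate is considered revoked if and only if this field is present. (Note: this wording is identical to the RevocationDetails entry below; judging by the field's name and type it likely holds a description of the issued certificate, so check RevocationDetails, not this field, to determine revocation.)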

CreateTime string

The time that this resource was created on the server. This is in RFC3339 text format.

Id string

The provider-assigned unique ID for this managed resource.

IssuerCertificateAuthority string

The resource name of the issuing CertificateAuthority in the format 'projects/*/locations/*/caPools/*/certificateAuthorities/*'.

PemCertificate string

Output only. The pem-encoded, signed X.509 certificate.

PemCertificateChains List<string>

The chain that may be used to verify the X.509 certificate. Expected to be in issuer-to-root order according to RFC 5246.

PemCertificates List<string>

Required. Expected to be in leaf-to-root order according to RFC 5246.

Deprecated:

Deprecated in favor of pem_certificate_chain.

RevocationDetails List<CertificateRevocationDetail>

Output only. Details regarding the revocation of this Certificate. This Certificate is considered revoked if and only if this field is present.

UpdateTime string

Output only. The time at which this CertificateAuthority was updated. This is in RFC3339 text format.

CertificateDescriptions []CertificateCertificateDescription

Output only. Details regarding the revocation of this Certificate. This Certificate is considered revoked if and only if this field is present.

CreateTime string

The time that this resource was created on the server. This is in RFC3339 text format.

Id string

The provider-assigned unique ID for this managed resource.

IssuerCertificateAuthority string

The resource name of the issuing CertificateAuthority in the format 'projects/*/locations/*/caPools/*/certificateAuthorities/*'.

PemCertificate string

Output only. The pem-encoded, signed X.509 certificate.

PemCertificateChains []string

The chain that may be used to verify the X.509 certificate. Expected to be in issuer-to-root order according to RFC 5246.

PemCertificates []string

Required. Expected to be in leaf-to-root order according to RFC 5246.

Deprecated:

Deprecated in favor of pem_certificate_chain.

RevocationDetails []CertificateRevocationDetail

Output only. Details regarding the revocation of this Certificate. This Certificate is considered revoked if and only if this field is present.

UpdateTime string

Output only. The time at which this CertificateAuthority was updated. This is in RFC3339 text format.

certificateDescriptions List<CertificateCertificateDescription>

Output only. Details regarding the revocation of this Certificate. This Certificate is considered revoked if and only if this field is present.

createTime String

The time that this resource was created on the server. This is in RFC3339 text format.

id String

The provider-assigned unique ID for this managed resource.

issuerCertificateAuthority String

The resource name of the issuing CertificateAuthority in the format 'projects/*/locations/*/caPools/*/certificateAuthorities/*'.

pemCertificate String

Output only. The pem-encoded, signed X.509 certificate.

pemCertificateChains List<String>

The chain that may be used to verify the X.509 certificate. Expected to be in issuer-to-root order according to RFC 5246.

pemCertificates List<String>

Required. Expected to be in leaf-to-root order according to RFC 5246.

Deprecated:

Deprecated in favor of pem_certificate_chain.

revocationDetails List<CertificateRevocationDetail>

Output only. Details regarding the revocation of this Certificate. This Certificate is considered revoked if and only if this field is present.

updateTime String

Output only. The time at which this CertificateAuthority was updated. This is in RFC3339 text format.

certificateDescriptions CertificateCertificateDescription[]

Output only. Details regarding the revocation of this Certificate. This Certificate is considered revoked if and only if this field is present.

createTime string

The time that this resource was created on the server. This is in RFC3339 text format.

id string

The provider-assigned unique ID for this managed resource.

issuerCertificateAuthority string

The resource name of the issuing CertificateAuthority in the format 'projects/*/locations/*/caPools/*/certificateAuthorities/*'.

pemCertificate string

Output only. The pem-encoded, signed X.509 certificate.

pemCertificateChains string[]

The chain that may be used to verify the X.509 certificate. Expected to be in issuer-to-root order according to RFC 5246.

pemCertificates string[]

Required. Expected to be in leaf-to-root order according to RFC 5246.

Deprecated:

Deprecated in favor of pem_certificate_chain.

revocationDetails CertificateRevocationDetail[]

Output only. Details regarding the revocation of this Certificate. This Certificate is considered revoked if and only if this field is present.

updateTime string

Output only. The time at which this CertificateAuthority was updated. This is in RFC3339 text format.

certificate_descriptions Sequence[CertificateCertificateDescription]

Output only. Details regarding the revocation of this Certificate. This Certificate is considered revoked if and only if this field is present.

create_time str

The time that this resource was created on the server. This is in RFC3339 text format.

id str

The provider-assigned unique ID for this managed resource.

issuer_certificate_authority str

The resource name of the issuing CertificateAuthority in the format 'projects/*/locations/*/caPools/*/certificateAuthorities/*'.

pem_certificate str

Output only. The pem-encoded, signed X.509 certificate.

pem_certificate_chains Sequence[str]

The chain that may be used to verify the X.509 certificate. Expected to be in issuer-to-root order according to RFC 5246.

pem_certificates Sequence[str]

Required. Expected to be in leaf-to-root order according to RFC 5246.

Deprecated:

Deprecated in favor of pem_certificate_chain.

revocation_details Sequence[CertificateRevocationDetail]

Output only. Details regarding the revocation of this Certificate. This Certificate is considered revoked if and only if this field is present.

update_time str

Output only. The time at which this CertificateAuthority was updated. This is in RFC3339 text format.

certificateDescriptions List<Property Map>

Output only. Details regarding the revocation of this Certificate. This Certificate is considered revoked if and only if this field is present.

createTime String

The time that this resource was created on the server. This is in RFC3339 text format.

id String

The provider-assigned unique ID for this managed resource.

issuerCertificateAuthority String

The resource name of the issuing CertificateAuthority in the format 'projects/*/locations/*/caPools/*/certificateAuthorities/*'.

pemCertificate String

Output only. The pem-encoded, signed X.509 certificate.

pemCertificateChains List<String>

The chain that may be used to verify the X.509 certificate. Expected to be in issuer-to-root order according to RFC 5246.

pemCertificates List<String>

Required. Expected to be in leaf-to-root order according to RFC 5246.

Deprecated:

Deprecated in favor of pem_certificate_chain.

revocationDetails List<Property Map>

Output only. Details regarding the revocation of this Certificate. This Certificate is considered revoked if and only if this field is present.

updateTime String

Output only. The time at which this CertificateAuthority was updated. This is in RFC3339 text format.

Look up an Existing Certificate Resource

Get an existing Certificate resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: CertificateState, opts?: CustomResourceOptions): Certificate
@staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        certificate_authority: Optional[str] = None,
        certificate_descriptions: Optional[Sequence[CertificateCertificateDescriptionArgs]] = None,
        certificate_template: Optional[str] = None,
        config: Optional[CertificateConfigArgs] = None,
        create_time: Optional[str] = None,
        issuer_certificate_authority: Optional[str] = None,
        labels: Optional[Mapping[str, str]] = None,
        lifetime: Optional[str] = None,
        location: Optional[str] = None,
        name: Optional[str] = None,
        pem_certificate: Optional[str] = None,
        pem_certificate_chains: Optional[Sequence[str]] = None,
        pem_certificates: Optional[Sequence[str]] = None,
        pem_csr: Optional[str] = None,
        pool: Optional[str] = None,
        project: Optional[str] = None,
        revocation_details: Optional[Sequence[CertificateRevocationDetailArgs]] = None,
        update_time: Optional[str] = None) -> Certificate
func GetCertificate(ctx *Context, name string, id IDInput, state *CertificateState, opts ...ResourceOption) (*Certificate, error)
public static Certificate Get(string name, Input<string> id, CertificateState? state, CustomResourceOptions? opts = null)
public static Certificate get(String name, Output<String> id, CertificateState state, CustomResourceOptions options)
Resource lookup is not supported in YAML
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
resource_name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
The following state arguments are supported:
CertificateAuthority string

The Certificate Authority ID that should issue the certificate. For example, to issue a Certificate from a Certificate Authority with resource name projects/my-project/locations/us-central1/caPools/my-pool/certificateAuthorities/my-ca, argument pool should be set to projects/my-project/locations/us-central1/caPools/my-pool, argument certificate_authority should be set to my-ca.

CertificateDescriptions List<CertificateCertificateDescriptionArgs>

Output only. A structured description of the issued X.509 certificate. Revocation status is reported by RevocationDetails, not by this field.

CertificateTemplate string

The resource name for a CertificateTemplate used to issue this certificate, in the format projects/*/locations/*/certificateTemplates/*. If this is specified, the caller must have the necessary permission to use this template. If this is omitted, no template will be used. This template must be in the same location as the Certificate.

Config CertificateConfigArgs

The config used to create a self-signed X.509 certificate or CSR. Structure is documented below.

CreateTime string

The time that this resource was created on the server. This is in RFC3339 text format.

IssuerCertificateAuthority string

The resource name of the issuing CertificateAuthority in the format 'projects/*/locations/*/caPools/*/certificateAuthorities/*'.

Labels Dictionary<string, string>

Labels with user-defined metadata to apply to this resource.

Lifetime string

The desired lifetime of the CA certificate. Used to create the "notBeforeTime" and "notAfterTime" fields inside an X.509 certificate. A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s".

Location string

Location of the Certificate. A full list of valid locations can be found by running gcloud privateca locations list.

Name string

The name for this Certificate.

PemCertificate string

Output only. The pem-encoded, signed X.509 certificate.

PemCertificateChains List<string>

The chain that may be used to verify the X.509 certificate. Expected to be in issuer-to-root order according to RFC 5246.

PemCertificates List<string>

Required. Expected to be in leaf-to-root order according to RFC 5246.

Deprecated:

Deprecated in favor of pem_certificate_chain.

PemCsr string

Immutable. A pem-encoded X.509 certificate signing request (CSR).

Pool string

The name of the CaPool this Certificate belongs to.

Project string

The ID of the project in which the resource belongs. If it is not provided, the provider project is used.

RevocationDetails List<CertificateRevocationDetailArgs>

Output only. Details regarding the revocation of this Certificate. This Certificate is considered revoked if and only if this field is present.

UpdateTime string

Output only. The time at which this CertificateAuthority was updated. This is in RFC3339 text format.

CertificateAuthority string

The Certificate Authority ID that should issue the certificate. For example, to issue a Certificate from a Certificate Authority with resource name projects/my-project/locations/us-central1/caPools/my-pool/certificateAuthorities/my-ca, argument pool should be set to projects/my-project/locations/us-central1/caPools/my-pool, argument certificate_authority should be set to my-ca.

CertificateDescriptions []CertificateCertificateDescriptionArgs

Output only. A structured description of the issued X.509 certificate. Revocation status is reported by RevocationDetails, not by this field.

CertificateTemplate string

The resource name for a CertificateTemplate used to issue this certificate, in the format projects/*/locations/*/certificateTemplates/*. If this is specified, the caller must have the necessary permission to use this template. If this is omitted, no template will be used. This template must be in the same location as the Certificate.

Config CertificateConfigArgs

The config used to create a self-signed X.509 certificate or CSR. Structure is documented below.

CreateTime string

The time that this resource was created on the server. This is in RFC3339 text format.

IssuerCertificateAuthority string

The resource name of the issuing CertificateAuthority in the format 'projects/*/locations/*/caPools/*/certificateAuthorities/*'.

Labels map[string]string

Labels with user-defined metadata to apply to this resource.

Lifetime string

The desired lifetime of the CA certificate. Used to create the "notBeforeTime" and "notAfterTime" fields inside an X.509 certificate. A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s".

Location string

Location of the Certificate. A full list of valid locations can be found by running gcloud privateca locations list.

Name string

The name for this Certificate.

PemCertificate string

Output only. The pem-encoded, signed X.509 certificate.

PemCertificateChains []string

The chain that may be used to verify the X.509 certificate. Expected to be in issuer-to-root order according to RFC 5246.

PemCertificates []string

Required. Expected to be in leaf-to-root order according to RFC 5246.

Deprecated:

Deprecated in favor of pem_certificate_chain.

PemCsr string

Immutable. A pem-encoded X.509 certificate signing request (CSR).

Pool string

The name of the CaPool this Certificate belongs to.

Project string

The ID of the project in which the resource belongs. If it is not provided, the provider project is used.

RevocationDetails []CertificateRevocationDetailArgs

Output only. Details regarding the revocation of this Certificate. This Certificate is considered revoked if and only if this field is present.

UpdateTime string

Output only. The time at which this CertificateAuthority was updated. This is in RFC3339 text format.

certificateAuthority String

The Certificate Authority ID that should issue the certificate. For example, to issue a Certificate from a Certificate Authority with resource name projects/my-project/locations/us-central1/caPools/my-pool/certificateAuthorities/my-ca, argument pool should be set to projects/my-project/locations/us-central1/caPools/my-pool, argument certificate_authority should be set to my-ca.

certificateDescriptions List<CertificateCertificateDescriptionArgs>

Output only. A structured description of the issued X.509 certificate. Revocation status is reported by revocationDetails, not by this field.

certificateTemplate String

The resource name for a CertificateTemplate used to issue this certificate, in the format projects/*/locations/*/certificateTemplates/*. If this is specified, the caller must have the necessary permission to use this template. If this is omitted, no template will be used. This template must be in the same location as the Certificate.

config CertificateConfigArgs

The config used to create a self-signed X.509 certificate or CSR. Structure is documented below.

createTime String

The time that this resource was created on the server. This is in RFC3339 text format.

issuerCertificateAuthority String

The resource name of the issuing CertificateAuthority in the format 'projects/*/locations/*/caPools/*/certificateAuthorities/*'.

labels Map<String,String>

Labels with user-defined metadata to apply to this resource.

lifetime String

The desired lifetime of the CA certificate. Used to create the "notBeforeTime" and "notAfterTime" fields inside an X.509 certificate. A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s".

location String

Location of the Certificate. A full list of valid locations can be found by running gcloud privateca locations list.

name String

The name for this Certificate.

pemCertificate String

Output only. The pem-encoded, signed X.509 certificate.

pemCertificateChains List<String>

The chain that may be used to verify the X.509 certificate. Expected to be in issuer-to-root order according to RFC 5246.

pemCertificates List<String>

Required. Expected to be in leaf-to-root order according to RFC 5246.

Deprecated:

Deprecated in favor of pem_certificate_chain.

pemCsr String

Immutable. A pem-encoded X.509 certificate signing request (CSR).

pool String

The name of the CaPool this Certificate belongs to.

project String

The ID of the project in which the resource belongs. If it is not provided, the provider project is used.

revocationDetails List<CertificateRevocationDetailArgs>

Output only. Details regarding the revocation of this Certificate. This Certificate is considered revoked if and only if this field is present.

updateTime String

Output only. The time at which this CertificateAuthority was updated. This is in RFC3339 text format.

certificateAuthority string

The Certificate Authority ID that should issue the certificate. For example, to issue a Certificate from a Certificate Authority with resource name projects/my-project/locations/us-central1/caPools/my-pool/certificateAuthorities/my-ca, argument pool should be set to projects/my-project/locations/us-central1/caPools/my-pool, argument certificate_authority should be set to my-ca.

certificateDescriptions CertificateCertificateDescriptionArgs[]

Output only. A structured description of the issued X.509 certificate. Revocation status is reported by revocationDetails, not by this field.

certificateTemplate string

The resource name for a CertificateTemplate used to issue this certificate, in the format projects/*/locations/*/certificateTemplates/*. If this is specified, the caller must have the necessary permission to use this template. If this is omitted, no template will be used. This template must be in the same location as the Certificate.

config CertificateConfigArgs

The config used to create a self-signed X.509 certificate or CSR. Structure is documented below.

createTime string

The time that this resource was created on the server. This is in RFC3339 text format.

issuerCertificateAuthority string

The resource name of the issuing CertificateAuthority in the format 'projects/*/locations/*/caPools/*/certificateAuthorities/*'.

labels {[key: string]: string}

Labels with user-defined metadata to apply to this resource.

lifetime string

The desired lifetime of the CA certificate. Used to create the "notBeforeTime" and "notAfterTime" fields inside an X.509 certificate. A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s".

location string

Location of the Certificate. A full list of valid locations can be found by running gcloud privateca locations list.

name string

The name for this Certificate.

pemCertificate string

Output only. The pem-encoded, signed X.509 certificate.

pemCertificateChains string[]

The chain that may be used to verify the X.509 certificate. Expected to be in issuer-to-root order according to RFC 5246.

pemCertificates string[]

Required. Expected to be in leaf-to-root order according to RFC 5246.

Deprecated:

Deprecated in favor of pem_certificate_chain.

pemCsr string

Immutable. A pem-encoded X.509 certificate signing request (CSR).

pool string

The name of the CaPool this Certificate belongs to.

project string

The ID of the project in which the resource belongs. If it is not provided, the provider project is used.

revocationDetails CertificateRevocationDetailArgs[]

Output only. Details regarding the revocation of this Certificate. This Certificate is considered revoked if and only if this field is present.

updateTime string

Output only. The time at which this CertificateAuthority was updated. This is in RFC3339 text format.

certificate_authority str

The Certificate Authority ID that should issue the certificate. For example, to issue a Certificate from a Certificate Authority with resource name projects/my-project/locations/us-central1/caPools/my-pool/certificateAuthorities/my-ca, argument pool should be set to projects/my-project/locations/us-central1/caPools/my-pool, argument certificate_authority should be set to my-ca.

certificate_descriptions Sequence[CertificateCertificateDescriptionArgs]

Output only. A structured description of the issued X.509 certificate. Revocation status is reported by revocation_details, not by this field.

certificate_template str

The resource name for a CertificateTemplate used to issue this certificate, in the format projects/*/locations/*/certificateTemplates/*. If this is specified, the caller must have the necessary permission to use this template. If this is omitted, no template will be used. This template must be in the same location as the Certificate.

config CertificateConfigArgs

The config used to create a self-signed X.509 certificate or CSR. Structure is documented below.

create_time str

The time that this resource was created on the server. This is in RFC3339 text format.

issuer_certificate_authority str

The resource name of the issuing CertificateAuthority in the format 'projects/*/locations/*/caPools/*/certificateAuthorities/*'.

labels Mapping[str, str]

Labels with user-defined metadata to apply to this resource.

lifetime str

The desired lifetime of the CA certificate. Used to create the "notBeforeTime" and "notAfterTime" fields inside an X.509 certificate. A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s".

location str

Location of the Certificate. A full list of valid locations can be found by running gcloud privateca locations list.

name str

The name for this Certificate.

pem_certificate str

Output only. The pem-encoded, signed X.509 certificate.

pem_certificate_chains Sequence[str]

The chain that may be used to verify the X.509 certificate. Expected to be in issuer-to-root order according to RFC 5246.

pem_certificates Sequence[str]

Required. Expected to be in leaf-to-root order according to RFC 5246.

Deprecated:

Deprecated in favor of pem_certificate_chain.

pem_csr str

Immutable. A pem-encoded X.509 certificate signing request (CSR).

pool str

The name of the CaPool this Certificate belongs to.

project str

The ID of the project in which the resource belongs. If it is not provided, the provider project is used.

revocation_details Sequence[CertificateRevocationDetailArgs]

Output only. Details regarding the revocation of this Certificate. This Certificate is considered revoked if and only if this field is present.

update_time str

Output only. The time at which this CertificateAuthority was updated. This is in RFC3339 text format.

certificateAuthority String

The Certificate Authority ID that should issue the certificate. For example, to issue a Certificate from a Certificate Authority with resource name projects/my-project/locations/us-central1/caPools/my-pool/certificateAuthorities/my-ca, argument pool should be set to projects/my-project/locations/us-central1/caPools/my-pool, argument certificate_authority should be set to my-ca.

certificateDescriptions List<Property Map>

Output only. A structured description of the issued X.509 certificate. Revocation status is reported by revocationDetails, not by this field.

certificateTemplate String

The resource name for a CertificateTemplate used to issue this certificate, in the format projects/*/locations/*/certificateTemplates/*. If this is specified, the caller must have the necessary permission to use this template. If this is omitted, no template will be used. This template must be in the same location as the Certificate.

config Property Map

The config used to create a self-signed X.509 certificate or CSR. Structure is documented below.

createTime String

The time that this resource was created on the server. This is in RFC3339 text format.

issuerCertificateAuthority String

The resource name of the issuing CertificateAuthority in the format 'projects/*/locations/*/caPools/*/certificateAuthorities/*'.

labels Map<String>

Labels with user-defined metadata to apply to this resource.

lifetime String

The desired lifetime of the CA certificate. Used to create the "notBeforeTime" and "notAfterTime" fields inside an X.509 certificate. A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s".

location String

Location of the Certificate. A full list of valid locations can be found by running gcloud privateca locations list.

name String

The name for this Certificate.

pemCertificate String

Output only. The pem-encoded, signed X.509 certificate.

pemCertificateChains List<String>

The chain that may be used to verify the X.509 certificate. Expected to be in issuer-to-root order according to RFC 5246.

pemCertificates List<String>

Required. Expected to be in leaf-to-root order according to RFC 5246.

Deprecated:

Deprecated in favor of pem_certificate_chain.

pemCsr String

Immutable. A pem-encoded X.509 certificate signing request (CSR).

pool String

The name of the CaPool this Certificate belongs to.

project String

The ID of the project in which the resource belongs. If it is not provided, the provider project is used.

revocationDetails List<Property Map>

Output only. Details regarding the revocation of this Certificate. This Certificate is considered revoked if and only if this field is present.

updateTime String

Output only. The time at which this CertificateAuthority was updated. This is in RFC3339 text format.

Supporting Types

CertificateCertificateDescription

CertificateCertificateDescriptionAuthorityKeyId

KeyId string
KeyId string
keyId String
keyId string
key_id str
keyId String

CertificateCertificateDescriptionCertFingerprint

Sha256Hash string
Sha256Hash string
sha256Hash String
sha256Hash string
sha256Hash String

CertificateCertificateDescriptionConfigValue

KeyUsages List<CertificateCertificateDescriptionConfigValueKeyUsage>

Indicates the intended use for keys that correspond to a certificate. Structure is documented below.

KeyUsages []CertificateCertificateDescriptionConfigValueKeyUsage

Indicates the intended use for keys that correspond to a certificate. Structure is documented below.

keyUsages List<CertificateCertificateDescriptionConfigValueKeyUsage>

Indicates the intended use for keys that correspond to a certificate. Structure is documented below.

keyUsages CertificateCertificateDescriptionConfigValueKeyUsage[]

Indicates the intended use for keys that correspond to a certificate. Structure is documented below.

key_usages Sequence[CertificateCertificateDescriptionConfigValueKeyUsage]

Indicates the intended use for keys that correspond to a certificate. Structure is documented below.

keyUsages List<Property Map>

Indicates the intended use for keys that correspond to a certificate. Structure is documented below.

CertificateCertificateDescriptionConfigValueKeyUsage

BaseKeyUsages List<CertificateCertificateDescriptionConfigValueKeyUsageBaseKeyUsage>

Describes high-level ways in which a key may be used. Structure is documented below.

ExtendedKeyUsages List<CertificateCertificateDescriptionConfigValueKeyUsageExtendedKeyUsage>

Describes high-level ways in which a key may be used. Structure is documented below.

UnknownExtendedKeyUsages List<CertificateCertificateDescriptionConfigValueKeyUsageUnknownExtendedKeyUsage>

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. Structure is documented below.

BaseKeyUsages []CertificateCertificateDescriptionConfigValueKeyUsageBaseKeyUsage

Describes high-level ways in which a key may be used. Structure is documented below.

ExtendedKeyUsages []CertificateCertificateDescriptionConfigValueKeyUsageExtendedKeyUsage

Describes high-level ways in which a key may be used. Structure is documented below.

UnknownExtendedKeyUsages []CertificateCertificateDescriptionConfigValueKeyUsageUnknownExtendedKeyUsage

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. Structure is documented below.

baseKeyUsages List<CertificateCertificateDescriptionConfigValueKeyUsageBaseKeyUsage>

Describes high-level ways in which a key may be used. Structure is documented below.

extendedKeyUsages List<CertificateCertificateDescriptionConfigValueKeyUsageExtendedKeyUsage>

Describes high-level ways in which a key may be used. Structure is documented below.

unknownExtendedKeyUsages List<CertificateCertificateDescriptionConfigValueKeyUsageUnknownExtendedKeyUsage>

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. Structure is documented below.

baseKeyUsages CertificateCertificateDescriptionConfigValueKeyUsageBaseKeyUsage[]

Describes high-level ways in which a key may be used. Structure is documented below.

extendedKeyUsages CertificateCertificateDescriptionConfigValueKeyUsageExtendedKeyUsage[]

Describes high-level ways in which a key may be used. Structure is documented below.

unknownExtendedKeyUsages CertificateCertificateDescriptionConfigValueKeyUsageUnknownExtendedKeyUsage[]

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. Structure is documented below.

base_key_usages Sequence[CertificateCertificateDescriptionConfigValueKeyUsageBaseKeyUsage]

Describes high-level ways in which a key may be used. Structure is documented below.

extended_key_usages Sequence[CertificateCertificateDescriptionConfigValueKeyUsageExtendedKeyUsage]

Describes high-level ways in which a key may be used. Structure is documented below.

unknown_extended_key_usages Sequence[CertificateCertificateDescriptionConfigValueKeyUsageUnknownExtendedKeyUsage]

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. Structure is documented below.

baseKeyUsages List<Property Map>

Describes high-level ways in which a key may be used. Structure is documented below.

extendedKeyUsages List<Property Map>

Describes high-level ways in which a key may be used. Structure is documented below.

unknownExtendedKeyUsages List<Property Map>

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. Structure is documented below.

CertificateCertificateDescriptionConfigValueKeyUsageBaseKeyUsage

CertificateCertificateDescriptionConfigValueKeyUsageBaseKeyUsageKeyUsageOption

CertSign bool

The key may be used to sign certificates.

ContentCommitment bool

The key may be used for cryptographic commitments. Note that this may also be referred to as "non-repudiation".

CrlSign bool

The key may be used to sign certificate revocation lists.

DataEncipherment bool

The key may be used to encipher data.

DecipherOnly bool

The key may be used to decipher only.

DigitalSignature bool

The key may be used for digital signatures.

EncipherOnly bool

The key may be used to encipher only.

KeyAgreement bool

The key may be used in a key agreement protocol.

KeyEncipherment bool

The key may be used to encipher other keys.

CertSign bool

The key may be used to sign certificates.

ContentCommitment bool

The key may be used for cryptographic commitments. Note that this may also be referred to as "non-repudiation".

CrlSign bool

The key may be used to sign certificate revocation lists.

DataEncipherment bool

The key may be used to encipher data.

DecipherOnly bool

The key may be used to decipher only.

DigitalSignature bool

The key may be used for digital signatures.

EncipherOnly bool

The key may be used to encipher only.

KeyAgreement bool

The key may be used in a key agreement protocol.

KeyEncipherment bool

The key may be used to encipher other keys.

certSign Boolean

The key may be used to sign certificates.

contentCommitment Boolean

The key may be used for cryptographic commitments. Note that this may also be referred to as "non-repudiation".

crlSign Boolean

The key may be used to sign certificate revocation lists.

dataEncipherment Boolean

The key may be used to encipher data.

decipherOnly Boolean

The key may be used to decipher only.

digitalSignature Boolean

The key may be used for digital signatures.

encipherOnly Boolean

The key may be used to encipher only.

keyAgreement Boolean

The key may be used in a key agreement protocol.

keyEncipherment Boolean

The key may be used to encipher other keys.

certSign boolean

The key may be used to sign certificates.

contentCommitment boolean

The key may be used for cryptographic commitments. Note that this may also be referred to as "non-repudiation".

crlSign boolean

The key may be used to sign certificate revocation lists.

dataEncipherment boolean

The key may be used to encipher data.

decipherOnly boolean

The key may be used to decipher only.

digitalSignature boolean

The key may be used for digital signatures.

encipherOnly boolean

The key may be used to encipher only.

keyAgreement boolean

The key may be used in a key agreement protocol.

keyEncipherment boolean

The key may be used to encipher other keys.

cert_sign bool

The key may be used to sign certificates.

content_commitment bool

The key may be used for cryptographic commitments. Note that this may also be referred to as "non-repudiation".

crl_sign bool

The key may be used to sign certificate revocation lists.

data_encipherment bool

The key may be used to encipher data.

decipher_only bool

The key may be used to decipher only.

digital_signature bool

The key may be used for digital signatures.

encipher_only bool

The key may be used to encipher only.

key_agreement bool

The key may be used in a key agreement protocol.

key_encipherment bool

The key may be used to encipher other keys.

certSign Boolean

The key may be used to sign certificates.

contentCommitment Boolean

The key may be used for cryptographic commitments. Note that this may also be referred to as "non-repudiation".

crlSign Boolean

The key may be used to sign certificate revocation lists.

dataEncipherment Boolean

The key may be used to encipher data.

decipherOnly Boolean

The key may be used to decipher only.

digitalSignature Boolean

The key may be used for digital signatures.

encipherOnly Boolean

The key may be used to encipher only.

keyAgreement Boolean

The key may be used in a key agreement protocol.

keyEncipherment Boolean

The key may be used to encipher other keys.

CertificateCertificateDescriptionConfigValueKeyUsageExtendedKeyUsage

ClientAuth bool

Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as "TLS WWW client authentication", though regularly used for non-WWW TLS.

CodeSigning bool

Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as "Signing of downloadable executable code".

EmailProtection bool

Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as "Email protection".

OcspSigning bool

Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as "Signing OCSP responses".

ServerAuth bool

Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as "TLS WWW server authentication", though regularly used for non-WWW TLS.

TimeStamping bool

Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as "Binding the hash of an object to a time".

ClientAuth bool

Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as "TLS WWW client authentication", though regularly used for non-WWW TLS.

CodeSigning bool

Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as "Signing of downloadable executable code".

EmailProtection bool

Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as "Email protection".

OcspSigning bool

Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as "Signing OCSP responses".

ServerAuth bool

Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as "TLS WWW server authentication", though regularly used for non-WWW TLS.

TimeStamping bool

Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as "Binding the hash of an object to a time".

clientAuth Boolean

Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as "TLS WWW client authentication", though regularly used for non-WWW TLS.

codeSigning Boolean

Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as "Signing of downloadable executable code".

emailProtection Boolean

Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as "Email protection".

ocspSigning Boolean

Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as "Signing OCSP responses".

serverAuth Boolean

Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as "TLS WWW server authentication", though regularly used for non-WWW TLS.

timeStamping Boolean

Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as "Binding the hash of an object to a time".

clientAuth boolean

Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as "TLS WWW client authentication", though regularly used for non-WWW TLS.

codeSigning boolean

Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as "Signing of downloadable executable code".

emailProtection boolean

Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as "Email protection".

ocspSigning boolean

Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as "Signing OCSP responses".

serverAuth boolean

Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as "TLS WWW server authentication", though regularly used for non-WWW TLS.

timeStamping boolean

Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as "Binding the hash of an object to a time".

client_auth bool

Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as "TLS WWW client authentication", though regularly used for non-WWW TLS.

code_signing bool

Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as "Signing of downloadable executable code".

email_protection bool

Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as "Email protection".

ocsp_signing bool

Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as "Signing OCSP responses".

server_auth bool

Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as "TLS WWW server authentication", though regularly used for non-WWW TLS.

time_stamping bool

Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as "Binding the hash of an object to a time".

clientAuth Boolean

Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as "TLS WWW client authentication", though regularly used for non-WWW TLS.

codeSigning Boolean

Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as "Signing of downloadable executable code".

emailProtection Boolean

Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as "Email protection".

ocspSigning Boolean

Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as "Signing OCSP responses".

serverAuth Boolean

Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as "TLS WWW server authentication", though regularly used for non-WWW TLS.

timeStamping Boolean

Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as "Binding the hash of an object to a time".

CertificateCertificateDescriptionConfigValueKeyUsageUnknownExtendedKeyUsage

CertificateCertificateDescriptionConfigValueKeyUsageUnknownExtendedKeyUsageObectId

ObjectIdPaths List<int>

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.

ObjectIdPaths []int

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.

objectIdPaths List<Integer>

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.

objectIdPaths number[]

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.

object_id_paths Sequence[int]

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.

objectIdPaths List<Number>

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.

CertificateCertificateDescriptionPublicKey

Format string

The format of the public key. Currently, only PEM format is supported. Possible values are KEY_TYPE_UNSPECIFIED and PEM.

Key string

Required. A public key. When this is specified in a request, the padding and encoding can be any of the options described by the respective 'KeyType' value. When this is generated by the service, it will always be an RFC 5280 SubjectPublicKeyInfo structure containing an algorithm identifier and a key. A base64-encoded string.

Format string

The format of the public key. Currently, only PEM format is supported. Possible values are KEY_TYPE_UNSPECIFIED and PEM.

Key string

Required. A public key. When this is specified in a request, the padding and encoding can be any of the options described by the respective 'KeyType' value. When this is generated by the service, it will always be an RFC 5280 SubjectPublicKeyInfo structure containing an algorithm identifier and a key. A base64-encoded string.

format String

The format of the public key. Currently, only PEM format is supported. Possible values are KEY_TYPE_UNSPECIFIED and PEM.

key String

Required. A public key. When this is specified in a request, the padding and encoding can be any of the options described by the respective 'KeyType' value. When this is generated by the service, it will always be an RFC 5280 SubjectPublicKeyInfo structure containing an algorithm identifier and a key. A base64-encoded string.

format string

The format of the public key. Currently, only PEM format is supported. Possible values are KEY_TYPE_UNSPECIFIED and PEM.

key string

Required. A public key. When this is specified in a request, the padding and encoding can be any of the options described by the respective 'KeyType' value. When this is generated by the service, it will always be an RFC 5280 SubjectPublicKeyInfo structure containing an algorithm identifier and a key. A base64-encoded string.

format str

The format of the public key. Currently, only PEM format is supported. Possible values are KEY_TYPE_UNSPECIFIED and PEM.

key str

Required. A public key. When this is specified in a request, the padding and encoding can be any of the options described by the respective 'KeyType' value. When this is generated by the service, it will always be an RFC 5280 SubjectPublicKeyInfo structure containing an algorithm identifier and a key. A base64-encoded string.

format String

The format of the public key. Currently, only PEM format is supported. Possible values are KEY_TYPE_UNSPECIFIED and PEM.

key String

Required. A public key. When this is specified in a request, the padding and encoding can be any of the options described by the respective 'KeyType' value. When this is generated by the service, it will always be an RFC 5280 SubjectPublicKeyInfo structure containing an algorithm identifier and a key. A base64-encoded string.

CertificateCertificateDescriptionSubjectDescription

HexSerialNumber string
Lifetime string

The desired lifetime of the CA certificate. Used to create the "notBeforeTime" and "notAfterTime" fields inside an X.509 certificate. A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s".

NotAfterTime string
NotBeforeTime string
SubjectAltNames List<CertificateCertificateDescriptionSubjectDescriptionSubjectAltName>

The subject alternative name fields. Structure is documented below.

Subjects List<CertificateCertificateDescriptionSubjectDescriptionSubject>

Contains distinguished name fields such as the location and organization. Structure is documented below.

HexSerialNumber string
Lifetime string

The desired lifetime of the CA certificate. Used to create the "notBeforeTime" and "notAfterTime" fields inside an X.509 certificate. A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s".

NotAfterTime string
NotBeforeTime string
SubjectAltNames []CertificateCertificateDescriptionSubjectDescriptionSubjectAltName

The subject alternative name fields. Structure is documented below.

Subjects []CertificateCertificateDescriptionSubjectDescriptionSubject

Contains distinguished name fields such as the location and organization. Structure is documented below.

hexSerialNumber String
lifetime String

The desired lifetime of the CA certificate. Used to create the "notBeforeTime" and "notAfterTime" fields inside an X.509 certificate. A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s".

notAfterTime String
notBeforeTime String
subjectAltNames List<CertificateCertificateDescriptionSubjectDescriptionSubjectAltName>

The subject alternative name fields. Structure is documented below.

subjects List<CertificateCertificateDescriptionSubjectDescriptionSubject>

Contains distinguished name fields such as the location and organization. Structure is documented below.

hexSerialNumber string
lifetime string

The desired lifetime of the CA certificate. Used to create the "notBeforeTime" and "notAfterTime" fields inside an X.509 certificate. A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s".

notAfterTime string
notBeforeTime string
subjectAltNames CertificateCertificateDescriptionSubjectDescriptionSubjectAltName[]

The subject alternative name fields. Structure is documented below.

subjects CertificateCertificateDescriptionSubjectDescriptionSubject[]

Contains distinguished name fields such as the location and organization. Structure is documented below.

hex_serial_number str
lifetime str

The desired lifetime of the CA certificate. Used to create the "notBeforeTime" and "notAfterTime" fields inside an X.509 certificate. A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s".

not_after_time str
not_before_time str
subject_alt_names Sequence[CertificateCertificateDescriptionSubjectDescriptionSubjectAltName]

The subject alternative name fields. Structure is documented below.

subjects Sequence[CertificateCertificateDescriptionSubjectDescriptionSubject]

Contains distinguished name fields such as the location and organization. Structure is documented below.

hexSerialNumber String
lifetime String

The desired lifetime of the CA certificate. Used to create the "notBeforeTime" and "notAfterTime" fields inside an X.509 certificate. A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s".

notAfterTime String
notBeforeTime String
subjectAltNames List<Property Map>

The subject alternative name fields. Structure is documented below.

subjects List<Property Map>

Contains distinguished name fields such as the location and organization. Structure is documented below.

CertificateCertificateDescriptionSubjectDescriptionSubject

CommonName string

The common name of the distinguished name.

CountryCode string

The country code of the subject.

Locality string

The locality or city of the subject.

Organization string

The organization of the subject.

OrganizationalUnit string

The organizational unit of the subject.

PostalCode string

The postal code of the subject.

Province string

The province, territory, or regional state of the subject.

StreetAddress string

The street address of the subject.

CommonName string

The common name of the distinguished name.

CountryCode string

The country code of the subject.

Locality string

The locality or city of the subject.

Organization string

The organization of the subject.

OrganizationalUnit string

The organizational unit of the subject.

PostalCode string

The postal code of the subject.

Province string

The province, territory, or regional state of the subject.

StreetAddress string

The street address of the subject.

commonName String

The common name of the distinguished name.

countryCode String

The country code of the subject.

locality String

The locality or city of the subject.

organization String

The organization of the subject.

organizationalUnit String

The organizational unit of the subject.

postalCode String

The postal code of the subject.

province String

The province, territory, or regional state of the subject.

streetAddress String

The street address of the subject.

commonName string

The common name of the distinguished name.

countryCode string

The country code of the subject.

locality string

The locality or city of the subject.

organization string

The organization of the subject.

organizationalUnit string

The organizational unit of the subject.

postalCode string

The postal code of the subject.

province string

The province, territory, or regional state of the subject.

streetAddress string

The street address of the subject.

common_name str

The common name of the distinguished name.

country_code str

The country code of the subject.

locality str

The locality or city of the subject.

organization str

The organization of the subject.

organizational_unit str

The organizational unit of the subject.

postal_code str

The postal code of the subject.

province str

The province, territory, or regional state of the subject.

street_address str

The street address of the subject.

commonName String

The common name of the distinguished name.

countryCode String

The country code of the subject.

locality String

The locality or city of the subject.

organization String

The organization of the subject.

organizationalUnit String

The organizational unit of the subject.

postalCode String

The postal code of the subject.

province String

The province, territory, or regional state of the subject.

streetAddress String

The street address of the subject.

CertificateCertificateDescriptionSubjectDescriptionSubjectAltName

CustomSans List<CertificateCertificateDescriptionSubjectDescriptionSubjectAltNameCustomSan>
DnsNames List<string>

Contains only valid, fully-qualified host names.

EmailAddresses List<string>

Contains only valid RFC 2822 E-mail addresses.

IpAddresses List<string>

Contains only valid 32-bit IPv4 addresses or RFC 4291 IPv6 addresses.

Uris List<string>

Contains only valid RFC 3986 URIs.

CustomSans []CertificateCertificateDescriptionSubjectDescriptionSubjectAltNameCustomSan
DnsNames []string

Contains only valid, fully-qualified host names.

EmailAddresses []string

Contains only valid RFC 2822 E-mail addresses.

IpAddresses []string

Contains only valid 32-bit IPv4 addresses or RFC 4291 IPv6 addresses.

Uris []string

Contains only valid RFC 3986 URIs.

customSans List<CertificateCertificateDescriptionSubjectDescriptionSubjectAltNameCustomSan>
dnsNames List<String>

Contains only valid, fully-qualified host names.

emailAddresses List<String>

Contains only valid RFC 2822 E-mail addresses.

ipAddresses List<String>

Contains only valid 32-bit IPv4 addresses or RFC 4291 IPv6 addresses.

uris List<String>

Contains only valid RFC 3986 URIs.

customSans CertificateCertificateDescriptionSubjectDescriptionSubjectAltNameCustomSan[]
dnsNames string[]

Contains only valid, fully-qualified host names.

emailAddresses string[]

Contains only valid RFC 2822 E-mail addresses.

ipAddresses string[]

Contains only valid 32-bit IPv4 addresses or RFC 4291 IPv6 addresses.

uris string[]

Contains only valid RFC 3986 URIs.

custom_sans Sequence[CertificateCertificateDescriptionSubjectDescriptionSubjectAltNameCustomSan]
dns_names Sequence[str]

Contains only valid, fully-qualified host names.

email_addresses Sequence[str]

Contains only valid RFC 2822 E-mail addresses.

ip_addresses Sequence[str]

Contains only valid 32-bit IPv4 addresses or RFC 4291 IPv6 addresses.

uris Sequence[str]

Contains only valid RFC 3986 URIs.

customSans List<Property Map>
dnsNames List<String>

Contains only valid, fully-qualified host names.

emailAddresses List<String>

Contains only valid RFC 2822 E-mail addresses.

ipAddresses List<String>

Contains only valid 32-bit IPv4 addresses or RFC 4291 IPv6 addresses.

uris List<String>

Contains only valid RFC 3986 URIs.

CertificateCertificateDescriptionSubjectDescriptionSubjectAltNameCustomSan

Critical bool

Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error).

ObectIds List<CertificateCertificateDescriptionSubjectDescriptionSubjectAltNameCustomSanObectId>
Value string

The value of this X.509 extension. A base64-encoded string.

Critical bool

Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error).

ObectIds []CertificateCertificateDescriptionSubjectDescriptionSubjectAltNameCustomSanObectId
Value string

The value of this X.509 extension. A base64-encoded string.

critical Boolean

Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error).

obectIds List<CertificateCertificateDescriptionSubjectDescriptionSubjectAltNameCustomSanObectId>
value String

The value of this X.509 extension. A base64-encoded string.

critical boolean

Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error).

obectIds CertificateCertificateDescriptionSubjectDescriptionSubjectAltNameCustomSanObectId[]
value string

The value of this X.509 extension. A base64-encoded string.

critical bool

Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error).

obect_ids Sequence[CertificateCertificateDescriptionSubjectDescriptionSubjectAltNameCustomSanObectId]
value str

The value of this X.509 extension. A base64-encoded string.

critical Boolean

Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error).

obectIds List<Property Map>
value String

The value of this X.509 extension. A base64-encoded string.

CertificateCertificateDescriptionSubjectDescriptionSubjectAltNameCustomSanObectId

ObjectIdPaths List<int>

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.

ObjectIdPaths []int

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.

objectIdPaths List<Integer>

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.

objectIdPaths number[]

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.

object_id_paths Sequence[int]

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.

objectIdPaths List<Number>

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.

CertificateCertificateDescriptionSubjectKeyId

KeyId string
KeyId string
keyId String
keyId string
key_id str
keyId String

CertificateCertificateDescriptionX509Description

AdditionalExtensions List<CertificateCertificateDescriptionX509DescriptionAdditionalExtension>

Specifies an X.509 extension, which may be used in different parts of X.509 objects like certificates, CSRs, and CRLs. Structure is documented below.

AiaOcspServers List<string>

Describes Online Certificate Status Protocol (OCSP) endpoint addresses that appear in the "Authority Information Access" extension in the certificate.

CaOptions List<CertificateCertificateDescriptionX509DescriptionCaOption>

Describes values that are relevant in a CA certificate. Structure is documented below.

KeyUsages List<CertificateCertificateDescriptionX509DescriptionKeyUsage>

Indicates the intended use for keys that correspond to a certificate. Structure is documented below.

PolicyIds List<CertificateCertificateDescriptionX509DescriptionPolicyId>

Describes the X.509 certificate policy object identifiers, per https://tools.ietf.org/html/rfc5280#section-4.2.1.4. Structure is documented below.

AdditionalExtensions []CertificateCertificateDescriptionX509DescriptionAdditionalExtension

Specifies an X.509 extension, which may be used in different parts of X.509 objects like certificates, CSRs, and CRLs. Structure is documented below.

AiaOcspServers []string

Describes Online Certificate Status Protocol (OCSP) endpoint addresses that appear in the "Authority Information Access" extension in the certificate.

CaOptions []CertificateCertificateDescriptionX509DescriptionCaOption

Describes values that are relevant in a CA certificate. Structure is documented below.

KeyUsages []CertificateCertificateDescriptionX509DescriptionKeyUsage

Indicates the intended use for keys that correspond to a certificate. Structure is documented below.

PolicyIds []CertificateCertificateDescriptionX509DescriptionPolicyId

Describes the X.509 certificate policy object identifiers, per https://tools.ietf.org/html/rfc5280#section-4.2.1.4. Structure is documented below.

additionalExtensions List<CertificateCertificateDescriptionX509DescriptionAdditionalExtension>

Specifies an X.509 extension, which may be used in different parts of X.509 objects like certificates, CSRs, and CRLs. Structure is documented below.

aiaOcspServers List<String>

Describes Online Certificate Status Protocol (OCSP) endpoint addresses that appear in the "Authority Information Access" extension in the certificate.

caOptions List<CertificateCertificateDescriptionX509DescriptionCaOption>

Describes values that are relevant in a CA certificate. Structure is documented below.

keyUsages List<CertificateCertificateDescriptionX509DescriptionKeyUsage>

Indicates the intended use for keys that correspond to a certificate. Structure is documented below.

policyIds List<CertificateCertificateDescriptionX509DescriptionPolicyId>

Describes the X.509 certificate policy object identifiers, per https://tools.ietf.org/html/rfc5280#section-4.2.1.4. Structure is documented below.

additionalExtensions CertificateCertificateDescriptionX509DescriptionAdditionalExtension[]

Specifies an X.509 extension, which may be used in different parts of X.509 objects like certificates, CSRs, and CRLs. Structure is documented below.

aiaOcspServers string[]

Describes Online Certificate Status Protocol (OCSP) endpoint addresses that appear in the "Authority Information Access" extension in the certificate.

caOptions CertificateCertificateDescriptionX509DescriptionCaOption[]

Describes values that are relevant in a CA certificate. Structure is documented below.

keyUsages CertificateCertificateDescriptionX509DescriptionKeyUsage[]

Indicates the intended use for keys that correspond to a certificate. Structure is documented below.

policyIds CertificateCertificateDescriptionX509DescriptionPolicyId[]

Describes the X.509 certificate policy object identifiers, per https://tools.ietf.org/html/rfc5280#section-4.2.1.4. Structure is documented below.

additional_extensions Sequence[CertificateCertificateDescriptionX509DescriptionAdditionalExtension]

Specifies an X.509 extension, which may be used in different parts of X.509 objects like certificates, CSRs, and CRLs. Structure is documented below.

aia_ocsp_servers Sequence[str]

Describes Online Certificate Status Protocol (OCSP) endpoint addresses that appear in the "Authority Information Access" extension in the certificate.

ca_options Sequence[CertificateCertificateDescriptionX509DescriptionCaOption]

Describes values that are relevant in a CA certificate. Structure is documented below.

key_usages Sequence[CertificateCertificateDescriptionX509DescriptionKeyUsage]

Indicates the intended use for keys that correspond to a certificate. Structure is documented below.

policy_ids Sequence[CertificateCertificateDescriptionX509DescriptionPolicyId]

Describes the X.509 certificate policy object identifiers, per https://tools.ietf.org/html/rfc5280#section-4.2.1.4. Structure is documented below.

additionalExtensions List<Property Map>

Specifies an X.509 extension, which may be used in different parts of X.509 objects like certificates, CSRs, and CRLs. Structure is documented below.

aiaOcspServers List<String>

Describes Online Certificate Status Protocol (OCSP) endpoint addresses that appear in the "Authority Information Access" extension in the certificate.

caOptions List<Property Map>

Describes values that are relevant in a CA certificate. Structure is documented below.

keyUsages List<Property Map>

Indicates the intended use for keys that correspond to a certificate. Structure is documented below.

policyIds List<Property Map>

Describes the X.509 certificate policy object identifiers, per https://tools.ietf.org/html/rfc5280#section-4.2.1.4. Structure is documented below.

CertificateCertificateDescriptionX509DescriptionAdditionalExtension

Critical bool

Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error).

ObjectIds List<CertificateCertificateDescriptionX509DescriptionAdditionalExtensionObjectId>

Describes values that are relevant in a CA certificate. Structure is documented below.

Value string

The value of this X.509 extension. A base64-encoded string.

Critical bool

Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error).

ObjectIds []CertificateCertificateDescriptionX509DescriptionAdditionalExtensionObjectId

Describes values that are relevant in a CA certificate. Structure is documented below.

Value string

The value of this X.509 extension. A base64-encoded string.

critical Boolean

Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error).

objectIds List<CertificateCertificateDescriptionX509DescriptionAdditionalExtensionObjectId>

Describes values that are relevant in a CA certificate. Structure is documented below.

value String

The value of this X.509 extension. A base64-encoded string.

critical boolean

Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error).

objectIds CertificateCertificateDescriptionX509DescriptionAdditionalExtensionObjectId[]

Describes values that are relevant in a CA certificate. Structure is documented below.

value string

The value of this X.509 extension. A base64-encoded string.

critical bool

Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error).

object_ids Sequence[CertificateCertificateDescriptionX509DescriptionAdditionalExtensionObjectId]

Describes values that are relevant in a CA certificate. Structure is documented below.

value str

The value of this X.509 extension. A base64-encoded string.

critical Boolean

Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error).

objectIds List<Property Map>

Describes values that are relevant in a CA certificate. Structure is documented below.

value String

The value of this X.509 extension. A base64-encoded string.

CertificateCertificateDescriptionX509DescriptionAdditionalExtensionObjectId

ObjectIdPaths List<int>

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.

ObjectIdPaths []int

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.

objectIdPaths List<Integer>

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.

objectIdPaths number[]

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.

object_id_paths Sequence[int]

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.

objectIdPaths List<Number>

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.

CertificateCertificateDescriptionX509DescriptionCaOption

IsCa bool

When true, the "CA" in Basic Constraints extension will be set to true.

MaxIssuerPathLength int

Refers to the "path length constraint" in the Basic Constraints extension. For a CA certificate, this value describes the depth of subordinate CA certificates that are allowed; for example, a value of 0 means the CA may issue only end-entity certificates. If this value is less than 0, the request will fail.

IsCa bool

When true, the "CA" in Basic Constraints extension will be set to true.

MaxIssuerPathLength int

Refers to the "path length constraint" in Basic Constraints extension. For a CA certificate, this value describes the depth of subordinate CA certificates that are allowed. If this value is less than 0, the request will fail.

isCa Boolean

When true, the "CA" in Basic Constraints extension will be set to true.

maxIssuerPathLength Integer

Refers to the "path length constraint" in Basic Constraints extension. For a CA certificate, this value describes the depth of subordinate CA certificates that are allowed. If this value is less than 0, the request will fail.

isCa boolean

When true, the "CA" in Basic Constraints extension will be set to true.

maxIssuerPathLength number

Refers to the "path length constraint" in Basic Constraints extension. For a CA certificate, this value describes the depth of subordinate CA certificates that are allowed. If this value is less than 0, the request will fail.

is_ca bool

When true, the "CA" in Basic Constraints extension will be set to true.

max_issuer_path_length int

Refers to the "path length constraint" in Basic Constraints extension. For a CA certificate, this value describes the depth of subordinate CA certificates that are allowed. If this value is less than 0, the request will fail.

isCa Boolean

When true, the "CA" in Basic Constraints extension will be set to true.

maxIssuerPathLength Number

Refers to the "path length constraint" in Basic Constraints extension. For a CA certificate, this value describes the depth of subordinate CA certificates that are allowed. If this value is less than 0, the request will fail.

CertificateCertificateDescriptionX509DescriptionKeyUsage

BaseKeyUsages List<CertificateCertificateDescriptionX509DescriptionKeyUsageBaseKeyUsage>

Describes high-level ways in which a key may be used. Structure is documented below.

ExtendedKeyUsages List<CertificateCertificateDescriptionX509DescriptionKeyUsageExtendedKeyUsage>

Describes high-level ways in which a key may be used. Structure is documented below.

UnknownExtendedKeyUsages List<CertificateCertificateDescriptionX509DescriptionKeyUsageUnknownExtendedKeyUsage>

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. Structure is documented below.

BaseKeyUsages []CertificateCertificateDescriptionX509DescriptionKeyUsageBaseKeyUsage

Describes high-level ways in which a key may be used. Structure is documented below.

ExtendedKeyUsages []CertificateCertificateDescriptionX509DescriptionKeyUsageExtendedKeyUsage

Describes high-level ways in which a key may be used. Structure is documented below.

UnknownExtendedKeyUsages []CertificateCertificateDescriptionX509DescriptionKeyUsageUnknownExtendedKeyUsage

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. Structure is documented below.

baseKeyUsages List<CertificateCertificateDescriptionX509DescriptionKeyUsageBaseKeyUsage>

Describes high-level ways in which a key may be used. Structure is documented below.

extendedKeyUsages List<CertificateCertificateDescriptionX509DescriptionKeyUsageExtendedKeyUsage>

Describes high-level ways in which a key may be used. Structure is documented below.

unknownExtendedKeyUsages List<CertificateCertificateDescriptionX509DescriptionKeyUsageUnknownExtendedKeyUsage>

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. Structure is documented below.

baseKeyUsages CertificateCertificateDescriptionX509DescriptionKeyUsageBaseKeyUsage[]

Describes high-level ways in which a key may be used. Structure is documented below.

extendedKeyUsages CertificateCertificateDescriptionX509DescriptionKeyUsageExtendedKeyUsage[]

Describes high-level ways in which a key may be used. Structure is documented below.

unknownExtendedKeyUsages CertificateCertificateDescriptionX509DescriptionKeyUsageUnknownExtendedKeyUsage[]

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. Structure is documented below.

base_key_usages Sequence[CertificateCertificateDescriptionX509DescriptionKeyUsageBaseKeyUsage]

Describes high-level ways in which a key may be used. Structure is documented below.

extended_key_usages Sequence[CertificateCertificateDescriptionX509DescriptionKeyUsageExtendedKeyUsage]

Describes high-level ways in which a key may be used. Structure is documented below.

unknown_extended_key_usages Sequence[CertificateCertificateDescriptionX509DescriptionKeyUsageUnknownExtendedKeyUsage]

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. Structure is documented below.

baseKeyUsages List<Property Map>

Describes high-level ways in which a key may be used. Structure is documented below.

extendedKeyUsages List<Property Map>

Describes high-level ways in which a key may be used. Structure is documented below.

unknownExtendedKeyUsages List<Property Map>

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. Structure is documented below.

CertificateCertificateDescriptionX509DescriptionKeyUsageBaseKeyUsage

CertSign bool

The key may be used to sign certificates.

ContentCommitment bool

The key may be used for cryptographic commitments. Note that this may also be referred to as "non-repudiation".

CrlSign bool

The key may be used to sign certificate revocation lists.

DataEncipherment bool

The key may be used to encipher data.

DecipherOnly bool

The key may be used to decipher only.

DigitalSignature bool

The key may be used for digital signatures.

EncipherOnly bool

The key may be used to encipher only.

KeyAgreement bool

The key may be used in a key agreement protocol.

KeyEncipherment bool

The key may be used to encipher other keys.

CertSign bool

The key may be used to sign certificates.

ContentCommitment bool

The key may be used for cryptographic commitments. Note that this may also be referred to as "non-repudiation".

CrlSign bool

The key may be used to sign certificate revocation lists.

DataEncipherment bool

The key may be used to encipher data.

DecipherOnly bool

The key may be used to decipher only.

DigitalSignature bool

The key may be used for digital signatures.

EncipherOnly bool

The key may be used to encipher only.

KeyAgreement bool

The key may be used in a key agreement protocol.

KeyEncipherment bool

The key may be used to encipher other keys.

certSign Boolean

The key may be used to sign certificates.

contentCommitment Boolean

The key may be used for cryptographic commitments. Note that this may also be referred to as "non-repudiation".

crlSign Boolean

The key may be used to sign certificate revocation lists.

dataEncipherment Boolean

The key may be used to encipher data.

decipherOnly Boolean

The key may be used to decipher only.

digitalSignature Boolean

The key may be used for digital signatures.

encipherOnly Boolean

The key may be used to encipher only.

keyAgreement Boolean

The key may be used in a key agreement protocol.

keyEncipherment Boolean

The key may be used to encipher other keys.

certSign boolean

The key may be used to sign certificates.

contentCommitment boolean

The key may be used for cryptographic commitments. Note that this may also be referred to as "non-repudiation".

crlSign boolean

The key may be used to sign certificate revocation lists.

dataEncipherment boolean

The key may be used to encipher data.

decipherOnly boolean

The key may be used to decipher only.

digitalSignature boolean

The key may be used for digital signatures.

encipherOnly boolean

The key may be used to encipher only.

keyAgreement boolean

The key may be used in a key agreement protocol.

keyEncipherment boolean

The key may be used to encipher other keys.

cert_sign bool

The key may be used to sign certificates.

content_commitment bool

The key may be used for cryptographic commitments. Note that this may also be referred to as "non-repudiation".

crl_sign bool

The key may be used to sign certificate revocation lists.

data_encipherment bool

The key may be used to encipher data.

decipher_only bool

The key may be used to decipher only.

digital_signature bool

The key may be used for digital signatures.

encipher_only bool

The key may be used to encipher only.

key_agreement bool

The key may be used in a key agreement protocol.

key_encipherment bool

The key may be used to encipher other keys.

certSign Boolean

The key may be used to sign certificates.

contentCommitment Boolean

The key may be used for cryptographic commitments. Note that this may also be referred to as "non-repudiation".

crlSign Boolean

The key may be used to sign certificate revocation lists.

dataEncipherment Boolean

The key may be used to encipher data.

decipherOnly Boolean

The key may be used to decipher only.

digitalSignature Boolean

The key may be used for digital signatures.

encipherOnly Boolean

The key may be used to encipher only.

keyAgreement Boolean

The key may be used in a key agreement protocol.

keyEncipherment Boolean

The key may be used to encipher other keys.

CertificateCertificateDescriptionX509DescriptionKeyUsageExtendedKeyUsage

ClientAuth bool

Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as "TLS WWW client authentication", though regularly used for non-WWW TLS.

CodeSigning bool

Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as "Signing of downloadable executable code".

EmailProtection bool

Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as "Email protection".

OcspSigning bool

Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as "Signing OCSP responses".

ServerAuth bool

Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as "TLS WWW server authentication", though regularly used for non-WWW TLS.

TimeStamping bool

Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as "Binding the hash of an object to a time".

ClientAuth bool

Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as "TLS WWW client authentication", though regularly used for non-WWW TLS.

CodeSigning bool

Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as "Signing of downloadable executable code".

EmailProtection bool

Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as "Email protection".

OcspSigning bool

Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as "Signing OCSP responses".

ServerAuth bool

Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as "TLS WWW server authentication", though regularly used for non-WWW TLS.

TimeStamping bool

Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as "Binding the hash of an object to a time".

clientAuth Boolean

Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as "TLS WWW client authentication", though regularly used for non-WWW TLS.

codeSigning Boolean

Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as "Signing of downloadable executable code".

emailProtection Boolean

Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as "Email protection".

ocspSigning Boolean

Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as "Signing OCSP responses".

serverAuth Boolean

Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as "TLS WWW server authentication", though regularly used for non-WWW TLS.

timeStamping Boolean

Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as "Binding the hash of an object to a time".

clientAuth boolean

Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as "TLS WWW client authentication", though regularly used for non-WWW TLS.

codeSigning boolean

Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as "Signing of downloadable executable code".

emailProtection boolean

Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as "Email protection".

ocspSigning boolean

Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as "Signing OCSP responses".

serverAuth boolean

Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as "TLS WWW server authentication", though regularly used for non-WWW TLS.

timeStamping boolean

Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as "Binding the hash of an object to a time".

client_auth bool

Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as "TLS WWW client authentication", though regularly used for non-WWW TLS.

code_signing bool

Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as "Signing of downloadable executable code".

email_protection bool

Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as "Email protection".

ocsp_signing bool

Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as "Signing OCSP responses".

server_auth bool

Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as "TLS WWW server authentication", though regularly used for non-WWW TLS.

time_stamping bool

Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as "Binding the hash of an object to a time".

clientAuth Boolean

Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as "TLS WWW client authentication", though regularly used for non-WWW TLS.

codeSigning Boolean

Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as "Signing of downloadable executable code".

emailProtection Boolean

Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as "Email protection".

ocspSigning Boolean

Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as "Signing OCSP responses".

serverAuth Boolean

Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as "TLS WWW server authentication", though regularly used for non-WWW TLS.

timeStamping Boolean

Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as "Binding the hash of an object to a time".

CertificateCertificateDescriptionX509DescriptionKeyUsageUnknownExtendedKeyUsage

ObjectIdPaths List<int>

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.

ObjectIdPaths []int

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.

objectIdPaths List<Integer>

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.

objectIdPaths number[]

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.

object_id_paths Sequence[int]

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.

objectIdPaths List<Number>

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.

CertificateCertificateDescriptionX509DescriptionPolicyId

ObjectIdPaths List<int>

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.

ObjectIdPaths []int

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.

objectIdPaths List<Integer>

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.

objectIdPaths number[]

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.

object_id_paths Sequence[int]

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.

objectIdPaths List<Number>

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.

CertificateConfig

PublicKey CertificateConfigPublicKey

A PublicKey describes a public key. Structure is documented below.

SubjectConfig CertificateConfigSubjectConfig

Specifies some of the values in a certificate that are related to the subject. Structure is documented below.

X509Config CertificateConfigX509Config

Describes how some of the technical X.509 fields in a certificate should be populated. Structure is documented below.

PublicKey CertificateConfigPublicKey

A PublicKey describes a public key. Structure is documented below.

SubjectConfig CertificateConfigSubjectConfig

Specifies some of the values in a certificate that are related to the subject. Structure is documented below.

X509Config CertificateConfigX509Config

Describes how some of the technical X.509 fields in a certificate should be populated. Structure is documented below.

publicKey CertificateConfigPublicKey

A PublicKey describes a public key. Structure is documented below.

subjectConfig CertificateConfigSubjectConfig

Specifies some of the values in a certificate that are related to the subject. Structure is documented below.

x509Config CertificateConfigX509Config

Describes how some of the technical X.509 fields in a certificate should be populated. Structure is documented below.

publicKey CertificateConfigPublicKey

A PublicKey describes a public key. Structure is documented below.

subjectConfig CertificateConfigSubjectConfig

Specifies some of the values in a certificate that are related to the subject. Structure is documented below.

x509Config CertificateConfigX509Config

Describes how some of the technical X.509 fields in a certificate should be populated. Structure is documented below.

public_key CertificateConfigPublicKey

A PublicKey describes a public key. Structure is documented below.

subject_config CertificateConfigSubjectConfig

Specifies some of the values in a certificate that are related to the subject. Structure is documented below.

x509_config CertificateConfigX509Config

Describes how some of the technical X.509 fields in a certificate should be populated. Structure is documented below.

publicKey Property Map

A PublicKey describes a public key. Structure is documented below.

subjectConfig Property Map

Specifies some of the values in a certificate that are related to the subject. Structure is documented below.

x509Config Property Map

Describes how some of the technical X.509 fields in a certificate should be populated. Structure is documented below.

CertificateConfigPublicKey

Format string

The format of the public key. Currently, only PEM format is supported. Possible values are KEY_TYPE_UNSPECIFIED and PEM.

Key string

Required. A public key. When this is specified in a request, the padding and encoding can be any of the options described by the respective 'KeyType' value. When this is generated by the service, it will always be an RFC 5280 SubjectPublicKeyInfo structure containing an algorithm identifier and a key. A base64-encoded string.

Format string

The format of the public key. Currently, only PEM format is supported. Possible values are KEY_TYPE_UNSPECIFIED and PEM.

Key string

Required. A public key. When this is specified in a request, the padding and encoding can be any of the options described by the respective 'KeyType' value. When this is generated by the service, it will always be an RFC 5280 SubjectPublicKeyInfo structure containing an algorithm identifier and a key. A base64-encoded string.

format String

The format of the public key. Currently, only PEM format is supported. Possible values are KEY_TYPE_UNSPECIFIED and PEM.

key String

Required. A public key. When this is specified in a request, the padding and encoding can be any of the options described by the respective 'KeyType' value. When this is generated by the service, it will always be an RFC 5280 SubjectPublicKeyInfo structure containing an algorithm identifier and a key. A base64-encoded string.

format string

The format of the public key. Currently, only PEM format is supported. Possible values are KEY_TYPE_UNSPECIFIED and PEM.

key string

Required. A public key. When this is specified in a request, the padding and encoding can be any of the options described by the respective 'KeyType' value. When this is generated by the service, it will always be an RFC 5280 SubjectPublicKeyInfo structure containing an algorithm identifier and a key. A base64-encoded string.

format str

The format of the public key. Currently, only PEM format is supported. Possible values are KEY_TYPE_UNSPECIFIED and PEM.

key str

Required. A public key. When this is specified in a request, the padding and encoding can be any of the options described by the respective 'KeyType' value. When this is generated by the service, it will always be an RFC 5280 SubjectPublicKeyInfo structure containing an algorithm identifier and a key. A base64-encoded string.

format String

The format of the public key. Currently, only PEM format is supported. Possible values are KEY_TYPE_UNSPECIFIED and PEM.

key String

Required. A public key. When this is specified in a request, the padding and encoding can be any of the options described by the respective 'KeyType' value. When this is generated by the service, it will always be an RFC 5280 SubjectPublicKeyInfo structure containing an algorithm identifier and a key. A base64-encoded string.

CertificateConfigSubjectConfig

Subject CertificateConfigSubjectConfigSubject

Contains distinguished name fields such as the location and organization. Structure is documented below.

SubjectAltName CertificateConfigSubjectConfigSubjectAltName

The subject alternative name fields. Structure is documented below.

Subject CertificateConfigSubjectConfigSubject

Contains distinguished name fields such as the location and organization. Structure is documented below.

SubjectAltName CertificateConfigSubjectConfigSubjectAltName

The subject alternative name fields. Structure is documented below.

subject CertificateConfigSubjectConfigSubject

Contains distinguished name fields such as the location and organization. Structure is documented below.

subjectAltName CertificateConfigSubjectConfigSubjectAltName

The subject alternative name fields. Structure is documented below.

subject CertificateConfigSubjectConfigSubject

Contains distinguished name fields such as the location and organization. Structure is documented below.

subjectAltName CertificateConfigSubjectConfigSubjectAltName

The subject alternative name fields. Structure is documented below.

subject CertificateConfigSubjectConfigSubject

Contains distinguished name fields such as the location and organization. Structure is documented below.

subject_alt_name CertificateConfigSubjectConfigSubjectAltName

The subject alternative name fields. Structure is documented below.

subject Property Map

Contains distinguished name fields such as the location and organization. Structure is documented below.

subjectAltName Property Map

The subject alternative name fields. Structure is documented below.

CertificateConfigSubjectConfigSubject

CommonName string

The common name of the distinguished name.

Organization string

The organization of the subject.

CountryCode string

The country code of the subject.

Locality string

The locality or city of the subject.

OrganizationalUnit string

The organizational unit of the subject.

PostalCode string

The postal code of the subject.

Province string

The province, territory, or regional state of the subject.

StreetAddress string

The street address of the subject.

CommonName string

The common name of the distinguished name.

Organization string

The organization of the subject.

CountryCode string

The country code of the subject.

Locality string

The locality or city of the subject.

OrganizationalUnit string

The organizational unit of the subject.

PostalCode string

The postal code of the subject.

Province string

The province, territory, or regional state of the subject.

StreetAddress string

The street address of the subject.

commonName String

The common name of the distinguished name.

organization String

The organization of the subject.

countryCode String

The country code of the subject.

locality String

The locality or city of the subject.

organizationalUnit String

The organizational unit of the subject.

postalCode String

The postal code of the subject.

province String

The province, territory, or regional state of the subject.

streetAddress String

The street address of the subject.

commonName string

The common name of the distinguished name.

organization string

The organization of the subject.

countryCode string

The country code of the subject.

locality string

The locality or city of the subject.

organizationalUnit string

The organizational unit of the subject.

postalCode string

The postal code of the subject.

province string

The province, territory, or regional state of the subject.

streetAddress string

The street address of the subject.

common_name str

The common name of the distinguished name.

organization str

The organization of the subject.

country_code str

The country code of the subject.

locality str

The locality or city of the subject.

organizational_unit str

The organizational unit of the subject.

postal_code str

The postal code of the subject.

province str

The province, territory, or regional state of the subject.

street_address str

The street address of the subject.

commonName String

The common name of the distinguished name.

organization String

The organization of the subject.

countryCode String

The country code of the subject.

locality String

The locality or city of the subject.

organizationalUnit String

The organizational unit of the subject.

postalCode String

The postal code of the subject.

province String

The province, territory, or regional state of the subject.

streetAddress String

The street address of the subject.

CertificateConfigSubjectConfigSubjectAltName

DnsNames List<string>

Contains only valid, fully-qualified host names.

EmailAddresses List<string>

Contains only valid RFC 2822 E-mail addresses.

IpAddresses List<string>

Contains only valid 32-bit IPv4 addresses or RFC 4291 IPv6 addresses.

Uris List<string>

Contains only valid RFC 3986 URIs.

DnsNames []string

Contains only valid, fully-qualified host names.

EmailAddresses []string

Contains only valid RFC 2822 E-mail addresses.

IpAddresses []string

Contains only valid 32-bit IPv4 addresses or RFC 4291 IPv6 addresses.

Uris []string

Contains only valid RFC 3986 URIs.

dnsNames List<String>

Contains only valid, fully-qualified host names.

emailAddresses List<String>

Contains only valid RFC 2822 E-mail addresses.

ipAddresses List<String>

Contains only valid 32-bit IPv4 addresses or RFC 4291 IPv6 addresses.

uris List<String>

Contains only valid RFC 3986 URIs.

dnsNames string[]

Contains only valid, fully-qualified host names.

emailAddresses string[]

Contains only valid RFC 2822 E-mail addresses.

ipAddresses string[]

Contains only valid 32-bit IPv4 addresses or RFC 4291 IPv6 addresses.

uris string[]

Contains only valid RFC 3986 URIs.

dns_names Sequence[str]

Contains only valid, fully-qualified host names.

email_addresses Sequence[str]

Contains only valid RFC 2822 E-mail addresses.

ip_addresses Sequence[str]

Contains only valid 32-bit IPv4 addresses or RFC 4291 IPv6 addresses.

uris Sequence[str]

Contains only valid RFC 3986 URIs.

dnsNames List<String>

Contains only valid, fully-qualified host names.

emailAddresses List<String>

Contains only valid RFC 2822 E-mail addresses.

ipAddresses List<String>

Contains only valid 32-bit IPv4 addresses or RFC 4291 IPv6 addresses.

uris List<String>

Contains only valid RFC 3986 URIs.

CertificateConfigX509Config

KeyUsage CertificateConfigX509ConfigKeyUsage

Indicates the intended use for keys that correspond to a certificate. Structure is documented below.

AdditionalExtensions List<CertificateConfigX509ConfigAdditionalExtension>

Specifies an X.509 extension, which may be used in different parts of X.509 objects like certificates, CSRs, and CRLs. Structure is documented below.

AiaOcspServers List<string>

Describes Online Certificate Status Protocol (OCSP) endpoint addresses that appear in the "Authority Information Access" extension in the certificate.

CaOptions CertificateConfigX509ConfigCaOptions

Describes values that are relevant in a CA certificate. Structure is documented below.

PolicyIds List<CertificateConfigX509ConfigPolicyId>

Describes the X.509 certificate policy object identifiers, per https://tools.ietf.org/html/rfc5280#section-4.2.1.4. Structure is documented below.

KeyUsage CertificateConfigX509ConfigKeyUsage

Indicates the intended use for keys that correspond to a certificate. Structure is documented below.

AdditionalExtensions []CertificateConfigX509ConfigAdditionalExtension

Specifies an X.509 extension, which may be used in different parts of X.509 objects like certificates, CSRs, and CRLs. Structure is documented below.

AiaOcspServers []string

Describes Online Certificate Status Protocol (OCSP) endpoint addresses that appear in the "Authority Information Access" extension in the certificate.

CaOptions CertificateConfigX509ConfigCaOptions

Describes values that are relevant in a CA certificate. Structure is documented below.

PolicyIds []CertificateConfigX509ConfigPolicyId

Describes the X.509 certificate policy object identifiers, per https://tools.ietf.org/html/rfc5280#section-4.2.1.4. Structure is documented below.

keyUsage CertificateConfigX509ConfigKeyUsage

Indicates the intended use for keys that correspond to a certificate. Structure is documented below.

additionalExtensions List<CertificateConfigX509ConfigAdditionalExtension>

Specifies an X.509 extension, which may be used in different parts of X.509 objects like certificates, CSRs, and CRLs. Structure is documented below.

aiaOcspServers List<String>

Describes Online Certificate Status Protocol (OCSP) endpoint addresses that appear in the "Authority Information Access" extension in the certificate.

caOptions CertificateConfigX509ConfigCaOptions

Describes values that are relevant in a CA certificate. Structure is documented below.

policyIds List<CertificateConfigX509ConfigPolicyId>

Describes the X.509 certificate policy object identifiers, per https://tools.ietf.org/html/rfc5280#section-4.2.1.4. Structure is documented below.

keyUsage CertificateConfigX509ConfigKeyUsage

Indicates the intended use for keys that correspond to a certificate. Structure is documented below.

additionalExtensions CertificateConfigX509ConfigAdditionalExtension[]

Specifies an X.509 extension, which may be used in different parts of X.509 objects like certificates, CSRs, and CRLs. Structure is documented below.

aiaOcspServers string[]

Describes Online Certificate Status Protocol (OCSP) endpoint addresses that appear in the "Authority Information Access" extension in the certificate.

caOptions CertificateConfigX509ConfigCaOptions

Describes values that are relevant in a CA certificate. Structure is documented below.

policyIds CertificateConfigX509ConfigPolicyId[]

Describes the X.509 certificate policy object identifiers, per https://tools.ietf.org/html/rfc5280#section-4.2.1.4. Structure is documented below.

key_usage CertificateConfigX509ConfigKeyUsage

Indicates the intended use for keys that correspond to a certificate. Structure is documented below.

additional_extensions Sequence[CertificateConfigX509ConfigAdditionalExtension]

Specifies an X.509 extension, which may be used in different parts of X.509 objects like certificates, CSRs, and CRLs. Structure is documented below.

aia_ocsp_servers Sequence[str]

Describes Online Certificate Status Protocol (OCSP) endpoint addresses that appear in the "Authority Information Access" extension in the certificate.

ca_options CertificateConfigX509ConfigCaOptions

Describes values that are relevant in a CA certificate. Structure is documented below.

policy_ids Sequence[CertificateConfigX509ConfigPolicyId]

Describes the X.509 certificate policy object identifiers, per https://tools.ietf.org/html/rfc5280#section-4.2.1.4. Structure is documented below.

keyUsage Property Map

Indicates the intended use for keys that correspond to a certificate. Structure is documented below.

additionalExtensions List<Property Map>

Specifies an X.509 extension, which may be used in different parts of X.509 objects like certificates, CSRs, and CRLs. Structure is documented below.

aiaOcspServers List<String>

Describes Online Certificate Status Protocol (OCSP) endpoint addresses that appear in the "Authority Information Access" extension in the certificate.

caOptions Property Map

Describes values that are relevant in a CA certificate. Structure is documented below.

policyIds List<Property Map>

Describes the X.509 certificate policy object identifiers, per https://tools.ietf.org/html/rfc5280#section-4.2.1.4. Structure is documented below.

CertificateConfigX509ConfigAdditionalExtension

Critical bool

Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error).

ObjectId CertificateConfigX509ConfigAdditionalExtensionObjectId

The object identifier (OID) of this X.509 extension. Structure is documented below.

Value string

The value of this X.509 extension. A base64-encoded string.

Critical bool

Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error).

ObjectId CertificateConfigX509ConfigAdditionalExtensionObjectId

The object identifier (OID) of this X.509 extension. Structure is documented below.

Value string

The value of this X.509 extension. A base64-encoded string.

critical Boolean

Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error).

objectId CertificateConfigX509ConfigAdditionalExtensionObjectId

The object identifier (OID) of this X.509 extension. Structure is documented below.

value String

The value of this X.509 extension. A base64-encoded string.

critical boolean

Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error).

objectId CertificateConfigX509ConfigAdditionalExtensionObjectId

The object identifier (OID) of this X.509 extension. Structure is documented below.

value string

The value of this X.509 extension. A base64-encoded string.

critical bool

Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error).

object_id CertificateConfigX509ConfigAdditionalExtensionObjectId

The object identifier (OID) of this X.509 extension. Structure is documented below.

value str

The value of this X.509 extension. A base64-encoded string.

critical Boolean

Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error).

objectId Property Map

The object identifier (OID) of this X.509 extension. Structure is documented below.

value String

The value of this X.509 extension. A base64-encoded string.

CertificateConfigX509ConfigAdditionalExtensionObjectId

ObjectIdPaths List<int>

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.

ObjectIdPaths []int

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.

objectIdPaths List<Integer>

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.

objectIdPaths number[]

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.

object_id_paths Sequence[int]

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.

objectIdPaths List<Number>

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.

CertificateConfigX509ConfigCaOptions

IsCa bool

When true, the "CA" in Basic Constraints extension will be set to true.

MaxIssuerPathLength int

Refers to the "path length constraint" in Basic Constraints extension. For a CA certificate, this value describes the depth of subordinate CA certificates that are allowed. If this value is less than 0, the request will fail.

NonCa bool

When true, the "CA" in Basic Constraints extension will be set to false. If both is_ca and non_ca are unset, the extension will be omitted from the CA certificate.

ZeroMaxIssuerPathLength bool

When true, the "path length constraint" in Basic Constraints extension will be set to 0. If both max_issuer_path_length and zero_max_issuer_path_length are unset, the max path length will be omitted from the CA certificate.

IsCa bool

When true, the "CA" in Basic Constraints extension will be set to true.

MaxIssuerPathLength int

Refers to the "path length constraint" in Basic Constraints extension. For a CA certificate, this value describes the depth of subordinate CA certificates that are allowed. If this value is less than 0, the request will fail.

NonCa bool

When true, the "CA" in Basic Constraints extension will be set to false. If both is_ca and non_ca are unset, the extension will be omitted from the CA certificate.

ZeroMaxIssuerPathLength bool

When true, the "path length constraint" in Basic Constraints extension will be set to 0. If both max_issuer_path_length and zero_max_issuer_path_length are unset, the max path length will be omitted from the CA certificate.

isCa Boolean

When true, the "CA" in Basic Constraints extension will be set to true.

maxIssuerPathLength Integer

Refers to the "path length constraint" in Basic Constraints extension. For a CA certificate, this value describes the depth of subordinate CA certificates that are allowed. If this value is less than 0, the request will fail.

nonCa Boolean

When true, the "CA" in Basic Constraints extension will be set to false. If both is_ca and non_ca are unset, the extension will be omitted from the CA certificate.

zeroMaxIssuerPathLength Boolean

When true, the "path length constraint" in Basic Constraints extension will be set to 0. If both max_issuer_path_length and zero_max_issuer_path_length are unset, the max path length will be omitted from the CA certificate.

isCa boolean

When true, the "CA" in Basic Constraints extension will be set to true.

maxIssuerPathLength number

Refers to the "path length constraint" in Basic Constraints extension. For a CA certificate, this value describes the depth of subordinate CA certificates that are allowed. If this value is less than 0, the request will fail.

nonCa boolean

When true, the "CA" in Basic Constraints extension will be set to false. If both is_ca and non_ca are unset, the extension will be omitted from the CA certificate.

zeroMaxIssuerPathLength boolean

When true, the "path length constraint" in Basic Constraints extension will be set to 0. If both max_issuer_path_length and zero_max_issuer_path_length are unset, the max path length will be omitted from the CA certificate.

is_ca bool

When true, the "CA" in Basic Constraints extension will be set to true.

max_issuer_path_length int

Refers to the "path length constraint" in Basic Constraints extension. For a CA certificate, this value describes the depth of subordinate CA certificates that are allowed. If this value is less than 0, the request will fail.

non_ca bool

When true, the "CA" in Basic Constraints extension will be set to false. If both is_ca and non_ca are unset, the extension will be omitted from the CA certificate.

zero_max_issuer_path_length bool

When true, the "path length constraint" in Basic Constraints extension will be set to 0. If both max_issuer_path_length and zero_max_issuer_path_length are unset, the max path length will be omitted from the CA certificate.

isCa Boolean

When true, the "CA" in Basic Constraints extension will be set to true.

maxIssuerPathLength Number

Refers to the "path length constraint" in Basic Constraints extension. For a CA certificate, this value describes the depth of subordinate CA certificates that are allowed. If this value is less than 0, the request will fail.

nonCa Boolean

When true, the "CA" in Basic Constraints extension will be set to false. If both is_ca and non_ca are unset, the extension will be omitted from the CA certificate.

zeroMaxIssuerPathLength Boolean

When true, the "path length constraint" in Basic Constraints extension will be set to 0. If both max_issuer_path_length and zero_max_issuer_path_length are unset, the max path length will be omitted from the CA certificate.

CertificateConfigX509ConfigKeyUsage

BaseKeyUsage CertificateConfigX509ConfigKeyUsageBaseKeyUsage

Describes high-level ways in which a key may be used. Structure is documented below.

ExtendedKeyUsage CertificateConfigX509ConfigKeyUsageExtendedKeyUsage

Describes high-level ways in which a key may be used. Structure is documented below.

UnknownExtendedKeyUsages List<CertificateConfigX509ConfigKeyUsageUnknownExtendedKeyUsage>

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. Structure is documented below.

BaseKeyUsage CertificateConfigX509ConfigKeyUsageBaseKeyUsage

Describes high-level ways in which a key may be used. Structure is documented below.

ExtendedKeyUsage CertificateConfigX509ConfigKeyUsageExtendedKeyUsage

Describes high-level ways in which a key may be used. Structure is documented below.

UnknownExtendedKeyUsages []CertificateConfigX509ConfigKeyUsageUnknownExtendedKeyUsage

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. Structure is documented below.

baseKeyUsage CertificateConfigX509ConfigKeyUsageBaseKeyUsage

Describes high-level ways in which a key may be used. Structure is documented below.

extendedKeyUsage CertificateConfigX509ConfigKeyUsageExtendedKeyUsage

Describes high-level ways in which a key may be used. Structure is documented below.

unknownExtendedKeyUsages List<CertificateConfigX509ConfigKeyUsageUnknownExtendedKeyUsage>

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. Structure is documented below.

baseKeyUsage CertificateConfigX509ConfigKeyUsageBaseKeyUsage

Describes high-level ways in which a key may be used. Structure is documented below.

extendedKeyUsage CertificateConfigX509ConfigKeyUsageExtendedKeyUsage

Describes high-level ways in which a key may be used. Structure is documented below.

unknownExtendedKeyUsages CertificateConfigX509ConfigKeyUsageUnknownExtendedKeyUsage[]

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. Structure is documented below.

base_key_usage CertificateConfigX509ConfigKeyUsageBaseKeyUsage

Describes high-level ways in which a key may be used. Structure is documented below.

extended_key_usage CertificateConfigX509ConfigKeyUsageExtendedKeyUsage

Describes high-level ways in which a key may be used. Structure is documented below.

unknown_extended_key_usages Sequence[CertificateConfigX509ConfigKeyUsageUnknownExtendedKeyUsage]

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. Structure is documented below.

baseKeyUsage Property Map

Describes high-level ways in which a key may be used. Structure is documented below.

extendedKeyUsage Property Map

Describes high-level ways in which a key may be used. Structure is documented below.

unknownExtendedKeyUsages List<Property Map>

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. Structure is documented below.

CertificateConfigX509ConfigKeyUsageBaseKeyUsage

CertSign bool

The key may be used to sign certificates.

ContentCommitment bool

The key may be used for cryptographic commitments. Note that this may also be referred to as "non-repudiation".

CrlSign bool

The key may be used to sign certificate revocation lists.

DataEncipherment bool

The key may be used to encipher data.

DecipherOnly bool

The key may be used to decipher only.

DigitalSignature bool

The key may be used for digital signatures.

EncipherOnly bool

The key may be used to encipher only.

KeyAgreement bool

The key may be used in a key agreement protocol.

KeyEncipherment bool

The key may be used to encipher other keys.

CertSign bool

The key may be used to sign certificates.

ContentCommitment bool

The key may be used for cryptographic commitments. Note that this may also be referred to as "non-repudiation".

CrlSign bool

The key may be used to sign certificate revocation lists.

DataEncipherment bool

The key may be used to encipher data.

DecipherOnly bool

The key may be used to decipher only.

DigitalSignature bool

The key may be used for digital signatures.

EncipherOnly bool

The key may be used to encipher only.

KeyAgreement bool

The key may be used in a key agreement protocol.

KeyEncipherment bool

The key may be used to encipher other keys.

certSign Boolean

The key may be used to sign certificates.

contentCommitment Boolean

The key may be used for cryptographic commitments. Note that this may also be referred to as "non-repudiation".

crlSign Boolean

The key may be used to sign certificate revocation lists.

dataEncipherment Boolean

The key may be used to encipher data.

decipherOnly Boolean

The key may be used to decipher only.

digitalSignature Boolean

The key may be used for digital signatures.

encipherOnly Boolean

The key may be used to encipher only.

keyAgreement Boolean

The key may be used in a key agreement protocol.

keyEncipherment Boolean

The key may be used to encipher other keys.

certSign boolean

The key may be used to sign certificates.

contentCommitment boolean

The key may be used for cryptographic commitments. Note that this may also be referred to as "non-repudiation".

crlSign boolean

The key may be used to sign certificate revocation lists.

dataEncipherment boolean

The key may be used to encipher data.

decipherOnly boolean

The key may be used to decipher only.

digitalSignature boolean

The key may be used for digital signatures.

encipherOnly boolean

The key may be used to encipher only.

keyAgreement boolean

The key may be used in a key agreement protocol.

keyEncipherment boolean

The key may be used to encipher other keys.

cert_sign bool

The key may be used to sign certificates.

content_commitment bool

The key may be used for cryptographic commitments. Note that this may also be referred to as "non-repudiation".

crl_sign bool

The key may be used to sign certificate revocation lists.

data_encipherment bool

The key may be used to encipher data.

decipher_only bool

The key may be used to decipher only.

digital_signature bool

The key may be used for digital signatures.

encipher_only bool

The key may be used to encipher only.

key_agreement bool

The key may be used in a key agreement protocol.

key_encipherment bool

The key may be used to encipher other keys.

certSign Boolean

The key may be used to sign certificates.

contentCommitment Boolean

The key may be used for cryptographic commitments. Note that this may also be referred to as "non-repudiation".

crlSign Boolean

The key may be used to sign certificate revocation lists.

dataEncipherment Boolean

The key may be used to encipher data.

decipherOnly Boolean

The key may be used to decipher only.

digitalSignature Boolean

The key may be used for digital signatures.

encipherOnly Boolean

The key may be used to encipher only.

keyAgreement Boolean

The key may be used in a key agreement protocol.

keyEncipherment Boolean

The key may be used to encipher other keys.

CertificateConfigX509ConfigKeyUsageExtendedKeyUsage

ClientAuth bool

Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as "TLS WWW client authentication", though regularly used for non-WWW TLS.

CodeSigning bool

Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as "Signing of downloadable executable code".

EmailProtection bool

Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as "Email protection".

OcspSigning bool

Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as "Signing OCSP responses".

ServerAuth bool

Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as "TLS WWW server authentication", though regularly used for non-WWW TLS.

TimeStamping bool

Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as "Binding the hash of an object to a time".

ClientAuth bool

Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as "TLS WWW client authentication", though regularly used for non-WWW TLS.

CodeSigning bool

Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as "Signing of downloadable executable code".

EmailProtection bool

Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as "Email protection".

OcspSigning bool

Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as "Signing OCSP responses".

ServerAuth bool

Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as "TLS WWW server authentication", though regularly used for non-WWW TLS.

TimeStamping bool

Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as "Binding the hash of an object to a time".

clientAuth Boolean

Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as "TLS WWW client authentication", though regularly used for non-WWW TLS.

codeSigning Boolean

Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as "Signing of downloadable executable code".

emailProtection Boolean

Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as "Email protection".

ocspSigning Boolean

Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as "Signing OCSP responses".

serverAuth Boolean

Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as "TLS WWW server authentication", though regularly used for non-WWW TLS.

timeStamping Boolean

Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as "Binding the hash of an object to a time".

clientAuth boolean

Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as "TLS WWW client authentication", though regularly used for non-WWW TLS.

codeSigning boolean

Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as "Signing of downloadable executable code".

emailProtection boolean

Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as "Email protection".

ocspSigning boolean

Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as "Signing OCSP responses".

serverAuth boolean

Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as "TLS WWW server authentication", though regularly used for non-WWW TLS.

timeStamping boolean

Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as "Binding the hash of an object to a time".

client_auth bool

Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as "TLS WWW client authentication", though regularly used for non-WWW TLS.

code_signing bool

Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as "Signing of downloadable executable code".

email_protection bool

Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as "Email protection".

ocsp_signing bool

Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as "Signing OCSP responses".

server_auth bool

Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as "TLS WWW server authentication", though regularly used for non-WWW TLS.

time_stamping bool

Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as "Binding the hash of an object to a time".

clientAuth Boolean

Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as "TLS WWW client authentication", though regularly used for non-WWW TLS.

codeSigning Boolean

Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as "Signing of downloadable executable code".

emailProtection Boolean

Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as "Email protection".

ocspSigning Boolean

Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as "Signing OCSP responses".

serverAuth Boolean

Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as "TLS WWW server authentication", though regularly used for non-WWW TLS.

timeStamping Boolean

Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as "Binding the hash of an object to a time".

CertificateConfigX509ConfigKeyUsageUnknownExtendedKeyUsage

ObjectIdPaths List<int>

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.

ObjectIdPaths []int

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.

objectIdPaths List<Integer>

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.

objectIdPaths number[]

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.

object_id_paths Sequence[int]

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.

objectIdPaths List<Number>

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.

CertificateConfigX509ConfigPolicyId

ObjectIdPaths List<int>

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.

ObjectIdPaths []int

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.

objectIdPaths List<Integer>

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.

objectIdPaths number[]

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.

object_id_paths Sequence[int]

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.

objectIdPaths List<Number>

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.

CertificateRevocationDetail

Import

A Certificate can be imported using any of these accepted formats:

 $ pulumi import gcp:certificateauthority/certificate:Certificate default projects/{{project}}/locations/{{location}}/caPools/{{pool}}/certificates/{{name}}
 $ pulumi import gcp:certificateauthority/certificate:Certificate default {{project}}/{{location}}/{{pool}}/{{name}}
 $ pulumi import gcp:certificateauthority/certificate:Certificate default {{location}}/{{pool}}/{{name}}

Package Details

Repository
https://github.com/pulumi/pulumi-gcp
License
Apache-2.0
Notes

This Pulumi package is based on the google-beta Terraform Provider.