Google Cloud Native v0.32.0, Nov 29 23

Google Cloud Native is in preview. Google Cloud Classic is fully supported.

Google Cloud Native v0.32.0 published on Wednesday, Nov 29, 2023 by Pulumi

pulumi/pulumi-google-native

google-native.privateca/v1.CaPool

Explore with Pulumi AI

Google Cloud Native is in preview. Google Cloud Classic is fully supported.

Google Cloud Native v0.32.0 published on Wednesday, Nov 29, 2023 by Pulumi

pulumi/pulumi-google-native

Create CaPool Resource

Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

Constructor syntax

new CaPool(name: string, args: CaPoolArgs, opts?: CustomResourceOptions);

@overload
def CaPool(resource_name: str,
           args: CaPoolArgs,
           opts: Optional[ResourceOptions] = None)

@overload
def CaPool(resource_name: str,
           opts: Optional[ResourceOptions] = None,
           ca_pool_id: Optional[str] = None,
           tier: Optional[CaPoolTier] = None,
           issuance_policy: Optional[IssuancePolicyArgs] = None,
           labels: Optional[Mapping[str, str]] = None,
           location: Optional[str] = None,
           project: Optional[str] = None,
           publishing_options: Optional[PublishingOptionsArgs] = None,
           request_id: Optional[str] = None)

func NewCaPool(ctx *Context, name string, args CaPoolArgs, opts ...ResourceOption) (*CaPool, error)

public CaPool(string name, CaPoolArgs args, CustomResourceOptions? opts = null)

public CaPool(String name, CaPoolArgs args)
public CaPool(String name, CaPoolArgs args, CustomResourceOptions options)

type: google-native:privateca/v1:CaPool
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

Parameters

name string: The unique name of the resource.
args CaPoolArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

resource_name str: The unique name of the resource.
args CaPoolArgs: The arguments to resource properties.
opts ResourceOptions: Bag of options to control resource's behavior.

ctx Context: Context object for the current deployment.
name string: The unique name of the resource.
args CaPoolArgs: The arguments to resource properties.
opts ResourceOption: Bag of options to control resource's behavior.

name string: The unique name of the resource.
args CaPoolArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

name String: The unique name of the resource.
args CaPoolArgs: The arguments to resource properties.
options CustomResourceOptions: Bag of options to control resource's behavior.

Example

The following reference example uses placeholder values for all input properties.

var caPoolResource = new GoogleNative.Privateca.V1.CaPool("caPoolResource", new()
{
    CaPoolId = "string",
    Tier = GoogleNative.Privateca.V1.CaPoolTier.TierUnspecified,
    IssuancePolicy = new GoogleNative.Privateca.V1.Inputs.IssuancePolicyArgs
    {
        AllowedIssuanceModes = new GoogleNative.Privateca.V1.Inputs.IssuanceModesArgs
        {
            AllowConfigBasedIssuance = false,
            AllowCsrBasedIssuance = false,
        },
        AllowedKeyTypes = new[]
        {
            new GoogleNative.Privateca.V1.Inputs.AllowedKeyTypeArgs
            {
                EllipticCurve = new GoogleNative.Privateca.V1.Inputs.EcKeyTypeArgs
                {
                    SignatureAlgorithm = GoogleNative.Privateca.V1.EcKeyTypeSignatureAlgorithm.EcSignatureAlgorithmUnspecified,
                },
                Rsa = new GoogleNative.Privateca.V1.Inputs.RsaKeyTypeArgs
                {
                    MaxModulusSize = "string",
                    MinModulusSize = "string",
                },
            },
        },
        BaselineValues = new GoogleNative.Privateca.V1.Inputs.X509ParametersArgs
        {
            AdditionalExtensions = new[]
            {
                new GoogleNative.Privateca.V1.Inputs.X509ExtensionArgs
                {
                    ObjectId = new GoogleNative.Privateca.V1.Inputs.ObjectIdArgs
                    {
                        ObjectIdPath = new[]
                        {
                            0,
                        },
                    },
                    Value = "string",
                    Critical = false,
                },
            },
            AiaOcspServers = new[]
            {
                "string",
            },
            CaOptions = new GoogleNative.Privateca.V1.Inputs.CaOptionsArgs
            {
                IsCa = false,
                MaxIssuerPathLength = 0,
            },
            KeyUsage = new GoogleNative.Privateca.V1.Inputs.KeyUsageArgs
            {
                BaseKeyUsage = new GoogleNative.Privateca.V1.Inputs.KeyUsageOptionsArgs
                {
                    CertSign = false,
                    ContentCommitment = false,
                    CrlSign = false,
                    DataEncipherment = false,
                    DecipherOnly = false,
                    DigitalSignature = false,
                    EncipherOnly = false,
                    KeyAgreement = false,
                    KeyEncipherment = false,
                },
                ExtendedKeyUsage = new GoogleNative.Privateca.V1.Inputs.ExtendedKeyUsageOptionsArgs
                {
                    ClientAuth = false,
                    CodeSigning = false,
                    EmailProtection = false,
                    OcspSigning = false,
                    ServerAuth = false,
                    TimeStamping = false,
                },
                UnknownExtendedKeyUsages = new[]
                {
                    new GoogleNative.Privateca.V1.Inputs.ObjectIdArgs
                    {
                        ObjectIdPath = new[]
                        {
                            0,
                        },
                    },
                },
            },
            NameConstraints = new GoogleNative.Privateca.V1.Inputs.NameConstraintsArgs
            {
                Critical = false,
                ExcludedDnsNames = new[]
                {
                    "string",
                },
                ExcludedEmailAddresses = new[]
                {
                    "string",
                },
                ExcludedIpRanges = new[]
                {
                    "string",
                },
                ExcludedUris = new[]
                {
                    "string",
                },
                PermittedDnsNames = new[]
                {
                    "string",
                },
                PermittedEmailAddresses = new[]
                {
                    "string",
                },
                PermittedIpRanges = new[]
                {
                    "string",
                },
                PermittedUris = new[]
                {
                    "string",
                },
            },
            PolicyIds = new[]
            {
                new GoogleNative.Privateca.V1.Inputs.ObjectIdArgs
                {
                    ObjectIdPath = new[]
                    {
                        0,
                    },
                },
            },
        },
        IdentityConstraints = new GoogleNative.Privateca.V1.Inputs.CertificateIdentityConstraintsArgs
        {
            AllowSubjectAltNamesPassthrough = false,
            AllowSubjectPassthrough = false,
            CelExpression = new GoogleNative.Privateca.V1.Inputs.ExprArgs
            {
                Description = "string",
                Expression = "string",
                Location = "string",
                Title = "string",
            },
        },
        MaximumLifetime = "string",
        PassthroughExtensions = new GoogleNative.Privateca.V1.Inputs.CertificateExtensionConstraintsArgs
        {
            AdditionalExtensions = new[]
            {
                new GoogleNative.Privateca.V1.Inputs.ObjectIdArgs
                {
                    ObjectIdPath = new[]
                    {
                        0,
                    },
                },
            },
            KnownExtensions = new[]
            {
                GoogleNative.Privateca.V1.CertificateExtensionConstraintsKnownExtensionsItem.KnownCertificateExtensionUnspecified,
            },
        },
    },
    Labels = 
    {
        { "string", "string" },
    },
    Location = "string",
    Project = "string",
    PublishingOptions = new GoogleNative.Privateca.V1.Inputs.PublishingOptionsArgs
    {
        EncodingFormat = GoogleNative.Privateca.V1.PublishingOptionsEncodingFormat.EncodingFormatUnspecified,
        PublishCaCert = false,
        PublishCrl = false,
    },
    RequestId = "string",
});

example, err := privateca.NewCaPool(ctx, "caPoolResource", &privateca.CaPoolArgs{
CaPoolId: pulumi.String("string"),
Tier: privateca.CaPoolTierTierUnspecified,
IssuancePolicy: &privateca.IssuancePolicyArgs{
AllowedIssuanceModes: &privateca.IssuanceModesArgs{
AllowConfigBasedIssuance: pulumi.Bool(false),
AllowCsrBasedIssuance: pulumi.Bool(false),
},
AllowedKeyTypes: privateca.AllowedKeyTypeArray{
&privateca.AllowedKeyTypeArgs{
EllipticCurve: &privateca.EcKeyTypeArgs{
SignatureAlgorithm: privateca.EcKeyTypeSignatureAlgorithmEcSignatureAlgorithmUnspecified,
},
Rsa: &privateca.RsaKeyTypeArgs{
MaxModulusSize: pulumi.String("string"),
MinModulusSize: pulumi.String("string"),
},
},
},
BaselineValues: &privateca.X509ParametersArgs{
AdditionalExtensions: privateca.X509ExtensionArray{
&privateca.X509ExtensionArgs{
ObjectId: &privateca.ObjectIdArgs{
ObjectIdPath: pulumi.IntArray{
pulumi.Int(0),
},
},
Value: pulumi.String("string"),
Critical: pulumi.Bool(false),
},
},
AiaOcspServers: pulumi.StringArray{
pulumi.String("string"),
},
CaOptions: &privateca.CaOptionsArgs{
IsCa: pulumi.Bool(false),
MaxIssuerPathLength: pulumi.Int(0),
},
KeyUsage: &privateca.KeyUsageArgs{
BaseKeyUsage: &privateca.KeyUsageOptionsArgs{
CertSign: pulumi.Bool(false),
ContentCommitment: pulumi.Bool(false),
CrlSign: pulumi.Bool(false),
DataEncipherment: pulumi.Bool(false),
DecipherOnly: pulumi.Bool(false),
DigitalSignature: pulumi.Bool(false),
EncipherOnly: pulumi.Bool(false),
KeyAgreement: pulumi.Bool(false),
KeyEncipherment: pulumi.Bool(false),
},
ExtendedKeyUsage: &privateca.ExtendedKeyUsageOptionsArgs{
ClientAuth: pulumi.Bool(false),
CodeSigning: pulumi.Bool(false),
EmailProtection: pulumi.Bool(false),
OcspSigning: pulumi.Bool(false),
ServerAuth: pulumi.Bool(false),
TimeStamping: pulumi.Bool(false),
},
UnknownExtendedKeyUsages: privateca.ObjectIdArray{
&privateca.ObjectIdArgs{
ObjectIdPath: pulumi.IntArray{
pulumi.Int(0),
},
},
},
},
NameConstraints: &privateca.NameConstraintsArgs{
Critical: pulumi.Bool(false),
ExcludedDnsNames: pulumi.StringArray{
pulumi.String("string"),
},
ExcludedEmailAddresses: pulumi.StringArray{
pulumi.String("string"),
},
ExcludedIpRanges: pulumi.StringArray{
pulumi.String("string"),
},
ExcludedUris: pulumi.StringArray{
pulumi.String("string"),
},
PermittedDnsNames: pulumi.StringArray{
pulumi.String("string"),
},
PermittedEmailAddresses: pulumi.StringArray{
pulumi.String("string"),
},
PermittedIpRanges: pulumi.StringArray{
pulumi.String("string"),
},
PermittedUris: pulumi.StringArray{
pulumi.String("string"),
},
},
PolicyIds: privateca.ObjectIdArray{
&privateca.ObjectIdArgs{
ObjectIdPath: pulumi.IntArray{
pulumi.Int(0),
},
},
},
},
IdentityConstraints: &privateca.CertificateIdentityConstraintsArgs{
AllowSubjectAltNamesPassthrough: pulumi.Bool(false),
AllowSubjectPassthrough: pulumi.Bool(false),
CelExpression: &privateca.ExprArgs{
Description: pulumi.String("string"),
Expression: pulumi.String("string"),
Location: pulumi.String("string"),
Title: pulumi.String("string"),
},
},
MaximumLifetime: pulumi.String("string"),
PassthroughExtensions: &privateca.CertificateExtensionConstraintsArgs{
AdditionalExtensions: privateca.ObjectIdArray{
&privateca.ObjectIdArgs{
ObjectIdPath: pulumi.IntArray{
pulumi.Int(0),
},
},
},
KnownExtensions: privateca.CertificateExtensionConstraintsKnownExtensionsItemArray{
privateca.CertificateExtensionConstraintsKnownExtensionsItemKnownCertificateExtensionUnspecified,
},
},
},
Labels: pulumi.StringMap{
"string": pulumi.String("string"),
},
Location: pulumi.String("string"),
Project: pulumi.String("string"),
PublishingOptions: &privateca.PublishingOptionsArgs{
EncodingFormat: privateca.PublishingOptionsEncodingFormatEncodingFormatUnspecified,
PublishCaCert: pulumi.Bool(false),
PublishCrl: pulumi.Bool(false),
},
RequestId: pulumi.String("string"),
})

var caPoolResource = new CaPool("caPoolResource", CaPoolArgs.builder()        
    .caPoolId("string")
    .tier("TIER_UNSPECIFIED")
    .issuancePolicy(IssuancePolicyArgs.builder()
        .allowedIssuanceModes(IssuanceModesArgs.builder()
            .allowConfigBasedIssuance(false)
            .allowCsrBasedIssuance(false)
            .build())
        .allowedKeyTypes(AllowedKeyTypeArgs.builder()
            .ellipticCurve(EcKeyTypeArgs.builder()
                .signatureAlgorithm("EC_SIGNATURE_ALGORITHM_UNSPECIFIED")
                .build())
            .rsa(RsaKeyTypeArgs.builder()
                .maxModulusSize("string")
                .minModulusSize("string")
                .build())
            .build())
        .baselineValues(X509ParametersArgs.builder()
            .additionalExtensions(X509ExtensionArgs.builder()
                .objectId(ObjectIdArgs.builder()
                    .objectIdPath(0)
                    .build())
                .value("string")
                .critical(false)
                .build())
            .aiaOcspServers("string")
            .caOptions(CaOptionsArgs.builder()
                .isCa(false)
                .maxIssuerPathLength(0)
                .build())
            .keyUsage(KeyUsageArgs.builder()
                .baseKeyUsage(KeyUsageOptionsArgs.builder()
                    .certSign(false)
                    .contentCommitment(false)
                    .crlSign(false)
                    .dataEncipherment(false)
                    .decipherOnly(false)
                    .digitalSignature(false)
                    .encipherOnly(false)
                    .keyAgreement(false)
                    .keyEncipherment(false)
                    .build())
                .extendedKeyUsage(ExtendedKeyUsageOptionsArgs.builder()
                    .clientAuth(false)
                    .codeSigning(false)
                    .emailProtection(false)
                    .ocspSigning(false)
                    .serverAuth(false)
                    .timeStamping(false)
                    .build())
                .unknownExtendedKeyUsages(ObjectIdArgs.builder()
                    .objectIdPath(0)
                    .build())
                .build())
            .nameConstraints(NameConstraintsArgs.builder()
                .critical(false)
                .excludedDnsNames("string")
                .excludedEmailAddresses("string")
                .excludedIpRanges("string")
                .excludedUris("string")
                .permittedDnsNames("string")
                .permittedEmailAddresses("string")
                .permittedIpRanges("string")
                .permittedUris("string")
                .build())
            .policyIds(ObjectIdArgs.builder()
                .objectIdPath(0)
                .build())
            .build())
        .identityConstraints(CertificateIdentityConstraintsArgs.builder()
            .allowSubjectAltNamesPassthrough(false)
            .allowSubjectPassthrough(false)
            .celExpression(ExprArgs.builder()
                .description("string")
                .expression("string")
                .location("string")
                .title("string")
                .build())
            .build())
        .maximumLifetime("string")
        .passthroughExtensions(CertificateExtensionConstraintsArgs.builder()
            .additionalExtensions(ObjectIdArgs.builder()
                .objectIdPath(0)
                .build())
            .knownExtensions("KNOWN_CERTIFICATE_EXTENSION_UNSPECIFIED")
            .build())
        .build())
    .labels(Map.of("string", "string"))
    .location("string")
    .project("string")
    .publishingOptions(PublishingOptionsArgs.builder()
        .encodingFormat("ENCODING_FORMAT_UNSPECIFIED")
        .publishCaCert(false)
        .publishCrl(false)
        .build())
    .requestId("string")
    .build());

ca_pool_resource = google_native.privateca.v1.CaPool("caPoolResource",
    ca_pool_id="string",
    tier=google_native.privateca.v1.CaPoolTier.TIER_UNSPECIFIED,
    issuance_policy=google_native.privateca.v1.IssuancePolicyArgs(
        allowed_issuance_modes=google_native.privateca.v1.IssuanceModesArgs(
            allow_config_based_issuance=False,
            allow_csr_based_issuance=False,
        ),
        allowed_key_types=[google_native.privateca.v1.AllowedKeyTypeArgs(
            elliptic_curve=google_native.privateca.v1.EcKeyTypeArgs(
                signature_algorithm=google_native.privateca.v1.EcKeyTypeSignatureAlgorithm.EC_SIGNATURE_ALGORITHM_UNSPECIFIED,
            ),
            rsa=google_native.privateca.v1.RsaKeyTypeArgs(
                max_modulus_size="string",
                min_modulus_size="string",
            ),
        )],
        baseline_values=google_native.privateca.v1.X509ParametersArgs(
            additional_extensions=[google_native.privateca.v1.X509ExtensionArgs(
                object_id=google_native.privateca.v1.ObjectIdArgs(
                    object_id_path=[0],
                ),
                value="string",
                critical=False,
            )],
            aia_ocsp_servers=["string"],
            ca_options=google_native.privateca.v1.CaOptionsArgs(
                is_ca=False,
                max_issuer_path_length=0,
            ),
            key_usage=google_native.privateca.v1.KeyUsageArgs(
                base_key_usage=google_native.privateca.v1.KeyUsageOptionsArgs(
                    cert_sign=False,
                    content_commitment=False,
                    crl_sign=False,
                    data_encipherment=False,
                    decipher_only=False,
                    digital_signature=False,
                    encipher_only=False,
                    key_agreement=False,
                    key_encipherment=False,
                ),
                extended_key_usage=google_native.privateca.v1.ExtendedKeyUsageOptionsArgs(
                    client_auth=False,
                    code_signing=False,
                    email_protection=False,
                    ocsp_signing=False,
                    server_auth=False,
                    time_stamping=False,
                ),
                unknown_extended_key_usages=[google_native.privateca.v1.ObjectIdArgs(
                    object_id_path=[0],
                )],
            ),
            name_constraints=google_native.privateca.v1.NameConstraintsArgs(
                critical=False,
                excluded_dns_names=["string"],
                excluded_email_addresses=["string"],
                excluded_ip_ranges=["string"],
                excluded_uris=["string"],
                permitted_dns_names=["string"],
                permitted_email_addresses=["string"],
                permitted_ip_ranges=["string"],
                permitted_uris=["string"],
            ),
            policy_ids=[google_native.privateca.v1.ObjectIdArgs(
                object_id_path=[0],
            )],
        ),
        identity_constraints=google_native.privateca.v1.CertificateIdentityConstraintsArgs(
            allow_subject_alt_names_passthrough=False,
            allow_subject_passthrough=False,
            cel_expression=google_native.privateca.v1.ExprArgs(
                description="string",
                expression="string",
                location="string",
                title="string",
            ),
        ),
        maximum_lifetime="string",
        passthrough_extensions=google_native.privateca.v1.CertificateExtensionConstraintsArgs(
            additional_extensions=[google_native.privateca.v1.ObjectIdArgs(
                object_id_path=[0],
            )],
            known_extensions=[google_native.privateca.v1.CertificateExtensionConstraintsKnownExtensionsItem.KNOWN_CERTIFICATE_EXTENSION_UNSPECIFIED],
        ),
    ),
    labels={
        "string": "string",
    },
    location="string",
    project="string",
    publishing_options=google_native.privateca.v1.PublishingOptionsArgs(
        encoding_format=google_native.privateca.v1.PublishingOptionsEncodingFormat.ENCODING_FORMAT_UNSPECIFIED,
        publish_ca_cert=False,
        publish_crl=False,
    ),
    request_id="string")

const caPoolResource = new google_native.privateca.v1.CaPool("caPoolResource", {
    caPoolId: "string",
    tier: google_native.privateca.v1.CaPoolTier.TierUnspecified,
    issuancePolicy: {
        allowedIssuanceModes: {
            allowConfigBasedIssuance: false,
            allowCsrBasedIssuance: false,
        },
        allowedKeyTypes: [{
            ellipticCurve: {
                signatureAlgorithm: google_native.privateca.v1.EcKeyTypeSignatureAlgorithm.EcSignatureAlgorithmUnspecified,
            },
            rsa: {
                maxModulusSize: "string",
                minModulusSize: "string",
            },
        }],
        baselineValues: {
            additionalExtensions: [{
                objectId: {
                    objectIdPath: [0],
                },
                value: "string",
                critical: false,
            }],
            aiaOcspServers: ["string"],
            caOptions: {
                isCa: false,
                maxIssuerPathLength: 0,
            },
            keyUsage: {
                baseKeyUsage: {
                    certSign: false,
                    contentCommitment: false,
                    crlSign: false,
                    dataEncipherment: false,
                    decipherOnly: false,
                    digitalSignature: false,
                    encipherOnly: false,
                    keyAgreement: false,
                    keyEncipherment: false,
                },
                extendedKeyUsage: {
                    clientAuth: false,
                    codeSigning: false,
                    emailProtection: false,
                    ocspSigning: false,
                    serverAuth: false,
                    timeStamping: false,
                },
                unknownExtendedKeyUsages: [{
                    objectIdPath: [0],
                }],
            },
            nameConstraints: {
                critical: false,
                excludedDnsNames: ["string"],
                excludedEmailAddresses: ["string"],
                excludedIpRanges: ["string"],
                excludedUris: ["string"],
                permittedDnsNames: ["string"],
                permittedEmailAddresses: ["string"],
                permittedIpRanges: ["string"],
                permittedUris: ["string"],
            },
            policyIds: [{
                objectIdPath: [0],
            }],
        },
        identityConstraints: {
            allowSubjectAltNamesPassthrough: false,
            allowSubjectPassthrough: false,
            celExpression: {
                description: "string",
                expression: "string",
                location: "string",
                title: "string",
            },
        },
        maximumLifetime: "string",
        passthroughExtensions: {
            additionalExtensions: [{
                objectIdPath: [0],
            }],
            knownExtensions: [google_native.privateca.v1.CertificateExtensionConstraintsKnownExtensionsItem.KnownCertificateExtensionUnspecified],
        },
    },
    labels: {
        string: "string",
    },
    location: "string",
    project: "string",
    publishingOptions: {
        encodingFormat: google_native.privateca.v1.PublishingOptionsEncodingFormat.EncodingFormatUnspecified,
        publishCaCert: false,
        publishCrl: false,
    },
    requestId: "string",
});

type: google-native:privateca/v1:CaPool
properties:
    caPoolId: string
    issuancePolicy:
        allowedIssuanceModes:
            allowConfigBasedIssuance: false
            allowCsrBasedIssuance: false
        allowedKeyTypes:
            - ellipticCurve:
                signatureAlgorithm: EC_SIGNATURE_ALGORITHM_UNSPECIFIED
              rsa:
                maxModulusSize: string
                minModulusSize: string
        baselineValues:
            additionalExtensions:
                - critical: false
                  objectId:
                    objectIdPath:
                        - 0
                  value: string
            aiaOcspServers:
                - string
            caOptions:
                isCa: false
                maxIssuerPathLength: 0
            keyUsage:
                baseKeyUsage:
                    certSign: false
                    contentCommitment: false
                    crlSign: false
                    dataEncipherment: false
                    decipherOnly: false
                    digitalSignature: false
                    encipherOnly: false
                    keyAgreement: false
                    keyEncipherment: false
                extendedKeyUsage:
                    clientAuth: false
                    codeSigning: false
                    emailProtection: false
                    ocspSigning: false
                    serverAuth: false
                    timeStamping: false
                unknownExtendedKeyUsages:
                    - objectIdPath:
                        - 0
            nameConstraints:
                critical: false
                excludedDnsNames:
                    - string
                excludedEmailAddresses:
                    - string
                excludedIpRanges:
                    - string
                excludedUris:
                    - string
                permittedDnsNames:
                    - string
                permittedEmailAddresses:
                    - string
                permittedIpRanges:
                    - string
                permittedUris:
                    - string
            policyIds:
                - objectIdPath:
                    - 0
        identityConstraints:
            allowSubjectAltNamesPassthrough: false
            allowSubjectPassthrough: false
            celExpression:
                description: string
                expression: string
                location: string
                title: string
        maximumLifetime: string
        passthroughExtensions:
            additionalExtensions:
                - objectIdPath:
                    - 0
            knownExtensions:
                - KNOWN_CERTIFICATE_EXTENSION_UNSPECIFIED
    labels:
        string: string
    location: string
    project: string
    publishingOptions:
        encodingFormat: ENCODING_FORMAT_UNSPECIFIED
        publishCaCert: false
        publishCrl: false
    requestId: string
    tier: TIER_UNSPECIFIED

CaPool Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

The CaPool resource accepts the following input properties:

CaPoolId string: Required. It must be unique within a location and match the regular expression [a-zA-Z0-9_-]{1,63}
Tier Pulumi.GoogleNative.Privateca.V1.CaPoolTier: Immutable. The Tier of this CaPool.
IssuancePolicy Pulumi.GoogleNative.Privateca.V1.Inputs.IssuancePolicy: Optional. The IssuancePolicy to control how Certificates will be issued from this CaPool.
Labels Dictionary<string, string>: Optional. Labels with user-defined metadata.
Location string
Project string
PublishingOptions Pulumi.GoogleNative.Privateca.V1.Inputs.PublishingOptions: Optional. The PublishingOptions to follow when issuing Certificates from any CertificateAuthority in this CaPool.
RequestId string: Optional. An ID to identify requests. Specify a unique request ID so that if you must retry your request, the server will know to ignore the request if it has already been completed. The server will guarantee that for at least 60 minutes since the first request. For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, will ignore the second request. This prevents clients from accidentally creating duplicate commitments. The request ID must be a valid UUID with the exception that zero UUID is not supported (00000000-0000-0000-0000-000000000000).

CaPoolId string: Required. It must be unique within a location and match the regular expression [a-zA-Z0-9_-]{1,63}
Tier CaPoolTier: Immutable. The Tier of this CaPool.
IssuancePolicy IssuancePolicyArgs: Optional. The IssuancePolicy to control how Certificates will be issued from this CaPool.
Labels map[string]string: Optional. Labels with user-defined metadata.
Location string
Project string
PublishingOptions PublishingOptionsArgs: Optional. The PublishingOptions to follow when issuing Certificates from any CertificateAuthority in this CaPool.
RequestId string: Optional. An ID to identify requests. Specify a unique request ID so that if you must retry your request, the server will know to ignore the request if it has already been completed. The server will guarantee that for at least 60 minutes since the first request. For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, will ignore the second request. This prevents clients from accidentally creating duplicate commitments. The request ID must be a valid UUID with the exception that zero UUID is not supported (00000000-0000-0000-0000-000000000000).

caPoolId String: Required. It must be unique within a location and match the regular expression [a-zA-Z0-9_-]{1,63}
tier CaPoolTier: Immutable. The Tier of this CaPool.
issuancePolicy IssuancePolicy: Optional. The IssuancePolicy to control how Certificates will be issued from this CaPool.
labels Map<String,String>: Optional. Labels with user-defined metadata.
location String
project String
publishingOptions PublishingOptions: Optional. The PublishingOptions to follow when issuing Certificates from any CertificateAuthority in this CaPool.
requestId String: Optional. An ID to identify requests. Specify a unique request ID so that if you must retry your request, the server will know to ignore the request if it has already been completed. The server will guarantee that for at least 60 minutes since the first request. For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, will ignore the second request. This prevents clients from accidentally creating duplicate commitments. The request ID must be a valid UUID with the exception that zero UUID is not supported (00000000-0000-0000-0000-000000000000).

caPoolId string: Required. It must be unique within a location and match the regular expression [a-zA-Z0-9_-]{1,63}
tier CaPoolTier: Immutable. The Tier of this CaPool.
issuancePolicy IssuancePolicy: Optional. The IssuancePolicy to control how Certificates will be issued from this CaPool.
labels {[key: string]: string}: Optional. Labels with user-defined metadata.
location string
project string
publishingOptions PublishingOptions: Optional. The PublishingOptions to follow when issuing Certificates from any CertificateAuthority in this CaPool.
requestId string: Optional. An ID to identify requests. Specify a unique request ID so that if you must retry your request, the server will know to ignore the request if it has already been completed. The server will guarantee that for at least 60 minutes since the first request. For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, will ignore the second request. This prevents clients from accidentally creating duplicate commitments. The request ID must be a valid UUID with the exception that zero UUID is not supported (00000000-0000-0000-0000-000000000000).

ca_pool_id str: Required. It must be unique within a location and match the regular expression [a-zA-Z0-9_-]{1,63}
tier CaPoolTier: Immutable. The Tier of this CaPool.
issuance_policy IssuancePolicyArgs: Optional. The IssuancePolicy to control how Certificates will be issued from this CaPool.
labels Mapping[str, str]: Optional. Labels with user-defined metadata.
location str
project str
publishing_options PublishingOptionsArgs: Optional. The PublishingOptions to follow when issuing Certificates from any CertificateAuthority in this CaPool.
request_id str: Optional. An ID to identify requests. Specify a unique request ID so that if you must retry your request, the server will know to ignore the request if it has already been completed. The server will guarantee that for at least 60 minutes since the first request. For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, will ignore the second request. This prevents clients from accidentally creating duplicate commitments. The request ID must be a valid UUID with the exception that zero UUID is not supported (00000000-0000-0000-0000-000000000000).

caPoolId String: Required. It must be unique within a location and match the regular expression [a-zA-Z0-9_-]{1,63}
tier "TIER_UNSPECIFIED" | "ENTERPRISE" | "DEVOPS": Immutable. The Tier of this CaPool.
issuancePolicy Property Map: Optional. The IssuancePolicy to control how Certificates will be issued from this CaPool.
labels Map<String>: Optional. Labels with user-defined metadata.
location String
project String
publishingOptions Property Map: Optional. The PublishingOptions to follow when issuing Certificates from any CertificateAuthority in this CaPool.
requestId String: Optional. An ID to identify requests. Specify a unique request ID so that if you must retry your request, the server will know to ignore the request if it has already been completed. The server will guarantee that for at least 60 minutes since the first request. For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, will ignore the second request. This prevents clients from accidentally creating duplicate commitments. The request ID must be a valid UUID with the exception that zero UUID is not supported (00000000-0000-0000-0000-000000000000).

Outputs

All input properties are implicitly available as output properties. Additionally, the CaPool resource produces the following output properties:

Id string: The provider-assigned unique ID for this managed resource.
Name string: The resource name for this CaPool in the format projects/*/locations/*/caPools/*.

Id string: The provider-assigned unique ID for this managed resource.
Name string: The resource name for this CaPool in the format projects/*/locations/*/caPools/*.

id String: The provider-assigned unique ID for this managed resource.
name String: The resource name for this CaPool in the format projects/*/locations/*/caPools/*.

id string: The provider-assigned unique ID for this managed resource.
name string: The resource name for this CaPool in the format projects/*/locations/*/caPools/*.

id str: The provider-assigned unique ID for this managed resource.
name str: The resource name for this CaPool in the format projects/*/locations/*/caPools/*.

id String: The provider-assigned unique ID for this managed resource.
name String: The resource name for this CaPool in the format projects/*/locations/*/caPools/*.

Supporting Types

AllowedKeyType, AllowedKeyTypeArgs

EllipticCurve Pulumi.GoogleNative.Privateca.V1.Inputs.EcKeyType: Represents an allowed Elliptic Curve key type.
Rsa Pulumi.GoogleNative.Privateca.V1.Inputs.RsaKeyType: Represents an allowed RSA key type.

EllipticCurve EcKeyType: Represents an allowed Elliptic Curve key type.
Rsa RsaKeyType: Represents an allowed RSA key type.

ellipticCurve EcKeyType: Represents an allowed Elliptic Curve key type.
rsa RsaKeyType: Represents an allowed RSA key type.

ellipticCurve EcKeyType: Represents an allowed Elliptic Curve key type.
rsa RsaKeyType: Represents an allowed RSA key type.

elliptic_curve EcKeyType: Represents an allowed Elliptic Curve key type.
rsa RsaKeyType: Represents an allowed RSA key type.

ellipticCurve Property Map: Represents an allowed Elliptic Curve key type.
rsa Property Map: Represents an allowed RSA key type.

AllowedKeyTypeResponse, AllowedKeyTypeResponseArgs

EllipticCurve Pulumi.GoogleNative.Privateca.V1.Inputs.EcKeyTypeResponse: Represents an allowed Elliptic Curve key type.
Rsa Pulumi.GoogleNative.Privateca.V1.Inputs.RsaKeyTypeResponse: Represents an allowed RSA key type.

EllipticCurve EcKeyTypeResponse: Represents an allowed Elliptic Curve key type.
Rsa RsaKeyTypeResponse: Represents an allowed RSA key type.

ellipticCurve EcKeyTypeResponse: Represents an allowed Elliptic Curve key type.
rsa RsaKeyTypeResponse: Represents an allowed RSA key type.

ellipticCurve EcKeyTypeResponse: Represents an allowed Elliptic Curve key type.
rsa RsaKeyTypeResponse: Represents an allowed RSA key type.

elliptic_curve EcKeyTypeResponse: Represents an allowed Elliptic Curve key type.
rsa RsaKeyTypeResponse: Represents an allowed RSA key type.

ellipticCurve Property Map: Represents an allowed Elliptic Curve key type.
rsa Property Map: Represents an allowed RSA key type.

CaOptions, CaOptionsArgs

IsCa bool: Optional. Refers to the "CA" X.509 extension, which is a boolean value. When this value is missing, the extension will be omitted from the CA certificate.
MaxIssuerPathLength int: Optional. Refers to the path length restriction X.509 extension. For a CA certificate, this value describes the depth of subordinate CA certificates that are allowed. If this value is less than 0, the request will fail. If this value is missing, the max path length will be omitted from the CA certificate.

IsCa bool: Optional. Refers to the "CA" X.509 extension, which is a boolean value. When this value is missing, the extension will be omitted from the CA certificate.
MaxIssuerPathLength int: Optional. Refers to the path length restriction X.509 extension. For a CA certificate, this value describes the depth of subordinate CA certificates that are allowed. If this value is less than 0, the request will fail. If this value is missing, the max path length will be omitted from the CA certificate.

isCa Boolean: Optional. Refers to the "CA" X.509 extension, which is a boolean value. When this value is missing, the extension will be omitted from the CA certificate.
maxIssuerPathLength Integer: Optional. Refers to the path length restriction X.509 extension. For a CA certificate, this value describes the depth of subordinate CA certificates that are allowed. If this value is less than 0, the request will fail. If this value is missing, the max path length will be omitted from the CA certificate.

isCa boolean: Optional. Refers to the "CA" X.509 extension, which is a boolean value. When this value is missing, the extension will be omitted from the CA certificate.
maxIssuerPathLength number: Optional. Refers to the path length restriction X.509 extension. For a CA certificate, this value describes the depth of subordinate CA certificates that are allowed. If this value is less than 0, the request will fail. If this value is missing, the max path length will be omitted from the CA certificate.

is_ca bool: Optional. Refers to the "CA" X.509 extension, which is a boolean value. When this value is missing, the extension will be omitted from the CA certificate.
max_issuer_path_length int: Optional. Refers to the path length restriction X.509 extension. For a CA certificate, this value describes the depth of subordinate CA certificates that are allowed. If this value is less than 0, the request will fail. If this value is missing, the max path length will be omitted from the CA certificate.

isCa Boolean: Optional. Refers to the "CA" X.509 extension, which is a boolean value. When this value is missing, the extension will be omitted from the CA certificate.
maxIssuerPathLength Number: Optional. Refers to the path length restriction X.509 extension. For a CA certificate, this value describes the depth of subordinate CA certificates that are allowed. If this value is less than 0, the request will fail. If this value is missing, the max path length will be omitted from the CA certificate.

CaOptionsResponse, CaOptionsResponseArgs

IsCa bool: Optional. Refers to the "CA" X.509 extension, which is a boolean value. When this value is missing, the extension will be omitted from the CA certificate.
MaxIssuerPathLength int: Optional. Refers to the path length restriction X.509 extension. For a CA certificate, this value describes the depth of subordinate CA certificates that are allowed. If this value is less than 0, the request will fail. If this value is missing, the max path length will be omitted from the CA certificate.

IsCa bool: Optional. Refers to the "CA" X.509 extension, which is a boolean value. When this value is missing, the extension will be omitted from the CA certificate.
MaxIssuerPathLength int: Optional. Refers to the path length restriction X.509 extension. For a CA certificate, this value describes the depth of subordinate CA certificates that are allowed. If this value is less than 0, the request will fail. If this value is missing, the max path length will be omitted from the CA certificate.

isCa Boolean: Optional. Refers to the "CA" X.509 extension, which is a boolean value. When this value is missing, the extension will be omitted from the CA certificate.
maxIssuerPathLength Integer: Optional. Refers to the path length restriction X.509 extension. For a CA certificate, this value describes the depth of subordinate CA certificates that are allowed. If this value is less than 0, the request will fail. If this value is missing, the max path length will be omitted from the CA certificate.

isCa boolean: Optional. Refers to the "CA" X.509 extension, which is a boolean value. When this value is missing, the extension will be omitted from the CA certificate.
maxIssuerPathLength number: Optional. Refers to the path length restriction X.509 extension. For a CA certificate, this value describes the depth of subordinate CA certificates that are allowed. If this value is less than 0, the request will fail. If this value is missing, the max path length will be omitted from the CA certificate.

is_ca bool: Optional. Refers to the "CA" X.509 extension, which is a boolean value. When this value is missing, the extension will be omitted from the CA certificate.
max_issuer_path_length int: Optional. Refers to the path length restriction X.509 extension. For a CA certificate, this value describes the depth of subordinate CA certificates that are allowed. If this value is less than 0, the request will fail. If this value is missing, the max path length will be omitted from the CA certificate.

isCa Boolean: Optional. Refers to the "CA" X.509 extension, which is a boolean value. When this value is missing, the extension will be omitted from the CA certificate.
maxIssuerPathLength Number: Optional. Refers to the path length restriction X.509 extension. For a CA certificate, this value describes the depth of subordinate CA certificates that are allowed. If this value is less than 0, the request will fail. If this value is missing, the max path length will be omitted from the CA certificate.

CaPoolTier, CaPoolTierArgs

TierUnspecified: TIER_UNSPECIFIEDNot specified.
Enterprise: ENTERPRISEEnterprise tier.
Devops: DEVOPSDevOps tier.

CaPoolTierTierUnspecified: TIER_UNSPECIFIEDNot specified.
CaPoolTierEnterprise: ENTERPRISEEnterprise tier.
CaPoolTierDevops: DEVOPSDevOps tier.

TierUnspecified: TIER_UNSPECIFIEDNot specified.
Enterprise: ENTERPRISEEnterprise tier.
Devops: DEVOPSDevOps tier.

TierUnspecified: TIER_UNSPECIFIEDNot specified.
Enterprise: ENTERPRISEEnterprise tier.
Devops: DEVOPSDevOps tier.

TIER_UNSPECIFIED: TIER_UNSPECIFIEDNot specified.
ENTERPRISE: ENTERPRISEEnterprise tier.
DEVOPS: DEVOPSDevOps tier.

"TIER_UNSPECIFIED": TIER_UNSPECIFIEDNot specified.
"ENTERPRISE": ENTERPRISEEnterprise tier.
"DEVOPS": DEVOPSDevOps tier.

CertificateExtensionConstraints, CertificateExtensionConstraintsArgs

AdditionalExtensions List<Pulumi.GoogleNative.Privateca.V1.Inputs.ObjectId>: Optional. A set of ObjectIds identifying custom X.509 extensions. Will be combined with known_extensions to determine the full set of X.509 extensions.
KnownExtensions List<Pulumi.GoogleNative.Privateca.V1.CertificateExtensionConstraintsKnownExtensionsItem>: Optional. A set of named X.509 extensions. Will be combined with additional_extensions to determine the full set of X.509 extensions.

AdditionalExtensions []ObjectId: Optional. A set of ObjectIds identifying custom X.509 extensions. Will be combined with known_extensions to determine the full set of X.509 extensions.
KnownExtensions []CertificateExtensionConstraintsKnownExtensionsItem: Optional. A set of named X.509 extensions. Will be combined with additional_extensions to determine the full set of X.509 extensions.

additionalExtensions List<ObjectId>: Optional. A set of ObjectIds identifying custom X.509 extensions. Will be combined with known_extensions to determine the full set of X.509 extensions.
knownExtensions List<CertificateExtensionConstraintsKnownExtensionsItem>: Optional. A set of named X.509 extensions. Will be combined with additional_extensions to determine the full set of X.509 extensions.

additionalExtensions ObjectId[]: Optional. A set of ObjectIds identifying custom X.509 extensions. Will be combined with known_extensions to determine the full set of X.509 extensions.
knownExtensions CertificateExtensionConstraintsKnownExtensionsItem[]: Optional. A set of named X.509 extensions. Will be combined with additional_extensions to determine the full set of X.509 extensions.

additional_extensions Sequence[ObjectId]: Optional. A set of ObjectIds identifying custom X.509 extensions. Will be combined with known_extensions to determine the full set of X.509 extensions.
known_extensions Sequence[CertificateExtensionConstraintsKnownExtensionsItem]: Optional. A set of named X.509 extensions. Will be combined with additional_extensions to determine the full set of X.509 extensions.

additionalExtensions List<Property Map>: Optional. A set of ObjectIds identifying custom X.509 extensions. Will be combined with known_extensions to determine the full set of X.509 extensions.
knownExtensions List<"KNOWN_CERTIFICATE_EXTENSION_UNSPECIFIED" | "BASE_KEY_USAGE" | "EXTENDED_KEY_USAGE" | "CA_OPTIONS" | "POLICY_IDS" | "AIA_OCSP_SERVERS" | "NAME_CONSTRAINTS">: Optional. A set of named X.509 extensions. Will be combined with additional_extensions to determine the full set of X.509 extensions.

CertificateExtensionConstraintsKnownExtensionsItem, CertificateExtensionConstraintsKnownExtensionsItemArgs

KnownCertificateExtensionUnspecified: KNOWN_CERTIFICATE_EXTENSION_UNSPECIFIEDNot specified.
BaseKeyUsage: BASE_KEY_USAGERefers to a certificate's Key Usage extension, as described in RFC 5280 section 4.2.1.3. This corresponds to the KeyUsage.base_key_usage field.
ExtendedKeyUsage: EXTENDED_KEY_USAGERefers to a certificate's Extended Key Usage extension, as described in RFC 5280 section 4.2.1.12. This corresponds to the KeyUsage.extended_key_usage message.
CaOptions: CA_OPTIONSRefers to a certificate's Basic Constraints extension, as described in RFC 5280 section 4.2.1.9. This corresponds to the X509Parameters.ca_options field.
PolicyIds: POLICY_IDSRefers to a certificate's Policy object identifiers, as described in RFC 5280 section 4.2.1.4. This corresponds to the X509Parameters.policy_ids field.
AiaOcspServers: AIA_OCSP_SERVERSRefers to OCSP servers in a certificate's Authority Information Access extension, as described in RFC 5280 section 4.2.2.1, This corresponds to the X509Parameters.aia_ocsp_servers field.
NameConstraints: NAME_CONSTRAINTSRefers to Name Constraints extension as described in RFC 5280 section 4.2.1.10

CertificateExtensionConstraintsKnownExtensionsItemKnownCertificateExtensionUnspecified: KNOWN_CERTIFICATE_EXTENSION_UNSPECIFIEDNot specified.
CertificateExtensionConstraintsKnownExtensionsItemBaseKeyUsage: BASE_KEY_USAGERefers to a certificate's Key Usage extension, as described in RFC 5280 section 4.2.1.3. This corresponds to the KeyUsage.base_key_usage field.
CertificateExtensionConstraintsKnownExtensionsItemExtendedKeyUsage: EXTENDED_KEY_USAGERefers to a certificate's Extended Key Usage extension, as described in RFC 5280 section 4.2.1.12. This corresponds to the KeyUsage.extended_key_usage message.
CertificateExtensionConstraintsKnownExtensionsItemCaOptions: CA_OPTIONSRefers to a certificate's Basic Constraints extension, as described in RFC 5280 section 4.2.1.9. This corresponds to the X509Parameters.ca_options field.
CertificateExtensionConstraintsKnownExtensionsItemPolicyIds: POLICY_IDSRefers to a certificate's Policy object identifiers, as described in RFC 5280 section 4.2.1.4. This corresponds to the X509Parameters.policy_ids field.
CertificateExtensionConstraintsKnownExtensionsItemAiaOcspServers: AIA_OCSP_SERVERSRefers to OCSP servers in a certificate's Authority Information Access extension, as described in RFC 5280 section 4.2.2.1, This corresponds to the X509Parameters.aia_ocsp_servers field.
CertificateExtensionConstraintsKnownExtensionsItemNameConstraints: NAME_CONSTRAINTSRefers to Name Constraints extension as described in RFC 5280 section 4.2.1.10

KnownCertificateExtensionUnspecified: KNOWN_CERTIFICATE_EXTENSION_UNSPECIFIEDNot specified.
BaseKeyUsage: BASE_KEY_USAGERefers to a certificate's Key Usage extension, as described in RFC 5280 section 4.2.1.3. This corresponds to the KeyUsage.base_key_usage field.
ExtendedKeyUsage: EXTENDED_KEY_USAGERefers to a certificate's Extended Key Usage extension, as described in RFC 5280 section 4.2.1.12. This corresponds to the KeyUsage.extended_key_usage message.
CaOptions: CA_OPTIONSRefers to a certificate's Basic Constraints extension, as described in RFC 5280 section 4.2.1.9. This corresponds to the X509Parameters.ca_options field.
PolicyIds: POLICY_IDSRefers to a certificate's Policy object identifiers, as described in RFC 5280 section 4.2.1.4. This corresponds to the X509Parameters.policy_ids field.
AiaOcspServers: AIA_OCSP_SERVERSRefers to OCSP servers in a certificate's Authority Information Access extension, as described in RFC 5280 section 4.2.2.1, This corresponds to the X509Parameters.aia_ocsp_servers field.
NameConstraints: NAME_CONSTRAINTSRefers to Name Constraints extension as described in RFC 5280 section 4.2.1.10

KnownCertificateExtensionUnspecified: KNOWN_CERTIFICATE_EXTENSION_UNSPECIFIEDNot specified.
BaseKeyUsage: BASE_KEY_USAGERefers to a certificate's Key Usage extension, as described in RFC 5280 section 4.2.1.3. This corresponds to the KeyUsage.base_key_usage field.
ExtendedKeyUsage: EXTENDED_KEY_USAGERefers to a certificate's Extended Key Usage extension, as described in RFC 5280 section 4.2.1.12. This corresponds to the KeyUsage.extended_key_usage message.
CaOptions: CA_OPTIONSRefers to a certificate's Basic Constraints extension, as described in RFC 5280 section 4.2.1.9. This corresponds to the X509Parameters.ca_options field.
PolicyIds: POLICY_IDSRefers to a certificate's Policy object identifiers, as described in RFC 5280 section 4.2.1.4. This corresponds to the X509Parameters.policy_ids field.
AiaOcspServers: AIA_OCSP_SERVERSRefers to OCSP servers in a certificate's Authority Information Access extension, as described in RFC 5280 section 4.2.2.1, This corresponds to the X509Parameters.aia_ocsp_servers field.
NameConstraints: NAME_CONSTRAINTSRefers to Name Constraints extension as described in RFC 5280 section 4.2.1.10

KNOWN_CERTIFICATE_EXTENSION_UNSPECIFIED: KNOWN_CERTIFICATE_EXTENSION_UNSPECIFIEDNot specified.
BASE_KEY_USAGE: BASE_KEY_USAGERefers to a certificate's Key Usage extension, as described in RFC 5280 section 4.2.1.3. This corresponds to the KeyUsage.base_key_usage field.
EXTENDED_KEY_USAGE: EXTENDED_KEY_USAGERefers to a certificate's Extended Key Usage extension, as described in RFC 5280 section 4.2.1.12. This corresponds to the KeyUsage.extended_key_usage message.
CA_OPTIONS: CA_OPTIONSRefers to a certificate's Basic Constraints extension, as described in RFC 5280 section 4.2.1.9. This corresponds to the X509Parameters.ca_options field.
POLICY_IDS: POLICY_IDSRefers to a certificate's Policy object identifiers, as described in RFC 5280 section 4.2.1.4. This corresponds to the X509Parameters.policy_ids field.
AIA_OCSP_SERVERS: AIA_OCSP_SERVERSRefers to OCSP servers in a certificate's Authority Information Access extension, as described in RFC 5280 section 4.2.2.1, This corresponds to the X509Parameters.aia_ocsp_servers field.
NAME_CONSTRAINTS: NAME_CONSTRAINTSRefers to Name Constraints extension as described in RFC 5280 section 4.2.1.10

"KNOWN_CERTIFICATE_EXTENSION_UNSPECIFIED": KNOWN_CERTIFICATE_EXTENSION_UNSPECIFIEDNot specified.
"BASE_KEY_USAGE": BASE_KEY_USAGERefers to a certificate's Key Usage extension, as described in RFC 5280 section 4.2.1.3. This corresponds to the KeyUsage.base_key_usage field.
"EXTENDED_KEY_USAGE": EXTENDED_KEY_USAGERefers to a certificate's Extended Key Usage extension, as described in RFC 5280 section 4.2.1.12. This corresponds to the KeyUsage.extended_key_usage message.
"CA_OPTIONS": CA_OPTIONSRefers to a certificate's Basic Constraints extension, as described in RFC 5280 section 4.2.1.9. This corresponds to the X509Parameters.ca_options field.
"POLICY_IDS": POLICY_IDSRefers to a certificate's Policy object identifiers, as described in RFC 5280 section 4.2.1.4. This corresponds to the X509Parameters.policy_ids field.
"AIA_OCSP_SERVERS": AIA_OCSP_SERVERSRefers to OCSP servers in a certificate's Authority Information Access extension, as described in RFC 5280 section 4.2.2.1, This corresponds to the X509Parameters.aia_ocsp_servers field.
"NAME_CONSTRAINTS": NAME_CONSTRAINTSRefers to Name Constraints extension as described in RFC 5280 section 4.2.1.10

CertificateExtensionConstraintsResponse, CertificateExtensionConstraintsResponseArgs

AdditionalExtensions List<Pulumi.GoogleNative.Privateca.V1.Inputs.ObjectIdResponse>: Optional. A set of ObjectIds identifying custom X.509 extensions. Will be combined with known_extensions to determine the full set of X.509 extensions.
KnownExtensions List<string>: Optional. A set of named X.509 extensions. Will be combined with additional_extensions to determine the full set of X.509 extensions.

AdditionalExtensions []ObjectIdResponse: Optional. A set of ObjectIds identifying custom X.509 extensions. Will be combined with known_extensions to determine the full set of X.509 extensions.
KnownExtensions []string: Optional. A set of named X.509 extensions. Will be combined with additional_extensions to determine the full set of X.509 extensions.

additionalExtensions List<ObjectIdResponse>: Optional. A set of ObjectIds identifying custom X.509 extensions. Will be combined with known_extensions to determine the full set of X.509 extensions.
knownExtensions List<String>: Optional. A set of named X.509 extensions. Will be combined with additional_extensions to determine the full set of X.509 extensions.

additionalExtensions ObjectIdResponse[]: Optional. A set of ObjectIds identifying custom X.509 extensions. Will be combined with known_extensions to determine the full set of X.509 extensions.
knownExtensions string[]: Optional. A set of named X.509 extensions. Will be combined with additional_extensions to determine the full set of X.509 extensions.

additional_extensions Sequence[ObjectIdResponse]: Optional. A set of ObjectIds identifying custom X.509 extensions. Will be combined with known_extensions to determine the full set of X.509 extensions.
known_extensions Sequence[str]: Optional. A set of named X.509 extensions. Will be combined with additional_extensions to determine the full set of X.509 extensions.

additionalExtensions List<Property Map>: Optional. A set of ObjectIds identifying custom X.509 extensions. Will be combined with known_extensions to determine the full set of X.509 extensions.
knownExtensions List<String>: Optional. A set of named X.509 extensions. Will be combined with additional_extensions to determine the full set of X.509 extensions.

CertificateIdentityConstraints, CertificateIdentityConstraintsArgs

AllowSubjectAltNamesPassthrough bool: If this is true, the SubjectAltNames extension may be copied from a certificate request into the signed certificate. Otherwise, the requested SubjectAltNames will be discarded.
AllowSubjectPassthrough bool: If this is true, the Subject field may be copied from a certificate request into the signed certificate. Otherwise, the requested Subject will be discarded.
CelExpression Pulumi.GoogleNative.Privateca.V1.Inputs.Expr: Optional. A CEL expression that may be used to validate the resolved X.509 Subject and/or Subject Alternative Name before a certificate is signed. To see the full allowed syntax and some examples, see https://cloud.google.com/certificate-authority-service/docs/using-cel

AllowSubjectAltNamesPassthrough bool: If this is true, the SubjectAltNames extension may be copied from a certificate request into the signed certificate. Otherwise, the requested SubjectAltNames will be discarded.
AllowSubjectPassthrough bool: If this is true, the Subject field may be copied from a certificate request into the signed certificate. Otherwise, the requested Subject will be discarded.
CelExpression Expr: Optional. A CEL expression that may be used to validate the resolved X.509 Subject and/or Subject Alternative Name before a certificate is signed. To see the full allowed syntax and some examples, see https://cloud.google.com/certificate-authority-service/docs/using-cel

allowSubjectAltNamesPassthrough Boolean: If this is true, the SubjectAltNames extension may be copied from a certificate request into the signed certificate. Otherwise, the requested SubjectAltNames will be discarded.
allowSubjectPassthrough Boolean: If this is true, the Subject field may be copied from a certificate request into the signed certificate. Otherwise, the requested Subject will be discarded.
celExpression Expr: Optional. A CEL expression that may be used to validate the resolved X.509 Subject and/or Subject Alternative Name before a certificate is signed. To see the full allowed syntax and some examples, see https://cloud.google.com/certificate-authority-service/docs/using-cel

allowSubjectAltNamesPassthrough boolean: If this is true, the SubjectAltNames extension may be copied from a certificate request into the signed certificate. Otherwise, the requested SubjectAltNames will be discarded.
allowSubjectPassthrough boolean: If this is true, the Subject field may be copied from a certificate request into the signed certificate. Otherwise, the requested Subject will be discarded.
celExpression Expr: Optional. A CEL expression that may be used to validate the resolved X.509 Subject and/or Subject Alternative Name before a certificate is signed. To see the full allowed syntax and some examples, see https://cloud.google.com/certificate-authority-service/docs/using-cel

allow_subject_alt_names_passthrough bool: If this is true, the SubjectAltNames extension may be copied from a certificate request into the signed certificate. Otherwise, the requested SubjectAltNames will be discarded.
allow_subject_passthrough bool: If this is true, the Subject field may be copied from a certificate request into the signed certificate. Otherwise, the requested Subject will be discarded.
cel_expression Expr: Optional. A CEL expression that may be used to validate the resolved X.509 Subject and/or Subject Alternative Name before a certificate is signed. To see the full allowed syntax and some examples, see https://cloud.google.com/certificate-authority-service/docs/using-cel

allowSubjectAltNamesPassthrough Boolean: If this is true, the SubjectAltNames extension may be copied from a certificate request into the signed certificate. Otherwise, the requested SubjectAltNames will be discarded.
allowSubjectPassthrough Boolean: If this is true, the Subject field may be copied from a certificate request into the signed certificate. Otherwise, the requested Subject will be discarded.
celExpression Property Map: Optional. A CEL expression that may be used to validate the resolved X.509 Subject and/or Subject Alternative Name before a certificate is signed. To see the full allowed syntax and some examples, see https://cloud.google.com/certificate-authority-service/docs/using-cel

CertificateIdentityConstraintsResponse, CertificateIdentityConstraintsResponseArgs

AllowSubjectAltNamesPassthrough bool: If this is true, the SubjectAltNames extension may be copied from a certificate request into the signed certificate. Otherwise, the requested SubjectAltNames will be discarded.
AllowSubjectPassthrough bool: If this is true, the Subject field may be copied from a certificate request into the signed certificate. Otherwise, the requested Subject will be discarded.
CelExpression Pulumi.GoogleNative.Privateca.V1.Inputs.ExprResponse: Optional. A CEL expression that may be used to validate the resolved X.509 Subject and/or Subject Alternative Name before a certificate is signed. To see the full allowed syntax and some examples, see https://cloud.google.com/certificate-authority-service/docs/using-cel

AllowSubjectAltNamesPassthrough bool: If this is true, the SubjectAltNames extension may be copied from a certificate request into the signed certificate. Otherwise, the requested SubjectAltNames will be discarded.
AllowSubjectPassthrough bool: If this is true, the Subject field may be copied from a certificate request into the signed certificate. Otherwise, the requested Subject will be discarded.
CelExpression ExprResponse: Optional. A CEL expression that may be used to validate the resolved X.509 Subject and/or Subject Alternative Name before a certificate is signed. To see the full allowed syntax and some examples, see https://cloud.google.com/certificate-authority-service/docs/using-cel

allowSubjectAltNamesPassthrough Boolean: If this is true, the SubjectAltNames extension may be copied from a certificate request into the signed certificate. Otherwise, the requested SubjectAltNames will be discarded.
allowSubjectPassthrough Boolean: If this is true, the Subject field may be copied from a certificate request into the signed certificate. Otherwise, the requested Subject will be discarded.
celExpression ExprResponse: Optional. A CEL expression that may be used to validate the resolved X.509 Subject and/or Subject Alternative Name before a certificate is signed. To see the full allowed syntax and some examples, see https://cloud.google.com/certificate-authority-service/docs/using-cel

allowSubjectAltNamesPassthrough boolean: If this is true, the SubjectAltNames extension may be copied from a certificate request into the signed certificate. Otherwise, the requested SubjectAltNames will be discarded.
allowSubjectPassthrough boolean: If this is true, the Subject field may be copied from a certificate request into the signed certificate. Otherwise, the requested Subject will be discarded.
celExpression ExprResponse: Optional. A CEL expression that may be used to validate the resolved X.509 Subject and/or Subject Alternative Name before a certificate is signed. To see the full allowed syntax and some examples, see https://cloud.google.com/certificate-authority-service/docs/using-cel

allow_subject_alt_names_passthrough bool: If this is true, the SubjectAltNames extension may be copied from a certificate request into the signed certificate. Otherwise, the requested SubjectAltNames will be discarded.
allow_subject_passthrough bool: If this is true, the Subject field may be copied from a certificate request into the signed certificate. Otherwise, the requested Subject will be discarded.
cel_expression ExprResponse: Optional. A CEL expression that may be used to validate the resolved X.509 Subject and/or Subject Alternative Name before a certificate is signed. To see the full allowed syntax and some examples, see https://cloud.google.com/certificate-authority-service/docs/using-cel

allowSubjectAltNamesPassthrough Boolean: If this is true, the SubjectAltNames extension may be copied from a certificate request into the signed certificate. Otherwise, the requested SubjectAltNames will be discarded.
allowSubjectPassthrough Boolean: If this is true, the Subject field may be copied from a certificate request into the signed certificate. Otherwise, the requested Subject will be discarded.
celExpression Property Map: Optional. A CEL expression that may be used to validate the resolved X.509 Subject and/or Subject Alternative Name before a certificate is signed. To see the full allowed syntax and some examples, see https://cloud.google.com/certificate-authority-service/docs/using-cel

EcKeyType, EcKeyTypeArgs

SignatureAlgorithm Pulumi.GoogleNative.Privateca.V1.EcKeyTypeSignatureAlgorithm: Optional. A signature algorithm that must be used. If this is omitted, any EC-based signature algorithm will be allowed.

SignatureAlgorithm EcKeyTypeSignatureAlgorithm: Optional. A signature algorithm that must be used. If this is omitted, any EC-based signature algorithm will be allowed.

signatureAlgorithm EcKeyTypeSignatureAlgorithm: Optional. A signature algorithm that must be used. If this is omitted, any EC-based signature algorithm will be allowed.

signatureAlgorithm EcKeyTypeSignatureAlgorithm: Optional. A signature algorithm that must be used. If this is omitted, any EC-based signature algorithm will be allowed.

signature_algorithm EcKeyTypeSignatureAlgorithm: Optional. A signature algorithm that must be used. If this is omitted, any EC-based signature algorithm will be allowed.

signatureAlgorithm "EC_SIGNATURE_ALGORITHM_UNSPECIFIED" | "ECDSA_P256" | "ECDSA_P384" | "EDDSA_25519": Optional. A signature algorithm that must be used. If this is omitted, any EC-based signature algorithm will be allowed.

EcKeyTypeResponse, EcKeyTypeResponseArgs

SignatureAlgorithm string: Optional. A signature algorithm that must be used. If this is omitted, any EC-based signature algorithm will be allowed.

SignatureAlgorithm string: Optional. A signature algorithm that must be used. If this is omitted, any EC-based signature algorithm will be allowed.

signatureAlgorithm String: Optional. A signature algorithm that must be used. If this is omitted, any EC-based signature algorithm will be allowed.

signatureAlgorithm string: Optional. A signature algorithm that must be used. If this is omitted, any EC-based signature algorithm will be allowed.

signature_algorithm str: Optional. A signature algorithm that must be used. If this is omitted, any EC-based signature algorithm will be allowed.

signatureAlgorithm String: Optional. A signature algorithm that must be used. If this is omitted, any EC-based signature algorithm will be allowed.

EcKeyTypeSignatureAlgorithm, EcKeyTypeSignatureAlgorithmArgs

EcSignatureAlgorithmUnspecified: EC_SIGNATURE_ALGORITHM_UNSPECIFIEDNot specified. Signifies that any signature algorithm may be used.
EcdsaP256: ECDSA_P256Refers to the Elliptic Curve Digital Signature Algorithm over the NIST P-256 curve.
EcdsaP384: ECDSA_P384Refers to the Elliptic Curve Digital Signature Algorithm over the NIST P-384 curve.
Eddsa25519: EDDSA_25519Refers to the Edwards-curve Digital Signature Algorithm over curve 25519, as described in RFC 8410.

EcKeyTypeSignatureAlgorithmEcSignatureAlgorithmUnspecified: EC_SIGNATURE_ALGORITHM_UNSPECIFIEDNot specified. Signifies that any signature algorithm may be used.
EcKeyTypeSignatureAlgorithmEcdsaP256: ECDSA_P256Refers to the Elliptic Curve Digital Signature Algorithm over the NIST P-256 curve.
EcKeyTypeSignatureAlgorithmEcdsaP384: ECDSA_P384Refers to the Elliptic Curve Digital Signature Algorithm over the NIST P-384 curve.
EcKeyTypeSignatureAlgorithmEddsa25519: EDDSA_25519Refers to the Edwards-curve Digital Signature Algorithm over curve 25519, as described in RFC 8410.

EcSignatureAlgorithmUnspecified: EC_SIGNATURE_ALGORITHM_UNSPECIFIEDNot specified. Signifies that any signature algorithm may be used.
EcdsaP256: ECDSA_P256Refers to the Elliptic Curve Digital Signature Algorithm over the NIST P-256 curve.
EcdsaP384: ECDSA_P384Refers to the Elliptic Curve Digital Signature Algorithm over the NIST P-384 curve.
Eddsa25519: EDDSA_25519Refers to the Edwards-curve Digital Signature Algorithm over curve 25519, as described in RFC 8410.

EcSignatureAlgorithmUnspecified: EC_SIGNATURE_ALGORITHM_UNSPECIFIEDNot specified. Signifies that any signature algorithm may be used.
EcdsaP256: ECDSA_P256Refers to the Elliptic Curve Digital Signature Algorithm over the NIST P-256 curve.
EcdsaP384: ECDSA_P384Refers to the Elliptic Curve Digital Signature Algorithm over the NIST P-384 curve.
Eddsa25519: EDDSA_25519Refers to the Edwards-curve Digital Signature Algorithm over curve 25519, as described in RFC 8410.

EC_SIGNATURE_ALGORITHM_UNSPECIFIED: EC_SIGNATURE_ALGORITHM_UNSPECIFIEDNot specified. Signifies that any signature algorithm may be used.
ECDSA_P256: ECDSA_P256Refers to the Elliptic Curve Digital Signature Algorithm over the NIST P-256 curve.
ECDSA_P384: ECDSA_P384Refers to the Elliptic Curve Digital Signature Algorithm over the NIST P-384 curve.
EDDSA25519: EDDSA_25519Refers to the Edwards-curve Digital Signature Algorithm over curve 25519, as described in RFC 8410.

"EC_SIGNATURE_ALGORITHM_UNSPECIFIED": EC_SIGNATURE_ALGORITHM_UNSPECIFIEDNot specified. Signifies that any signature algorithm may be used.
"ECDSA_P256": ECDSA_P256Refers to the Elliptic Curve Digital Signature Algorithm over the NIST P-256 curve.
"ECDSA_P384": ECDSA_P384Refers to the Elliptic Curve Digital Signature Algorithm over the NIST P-384 curve.
"EDDSA_25519": EDDSA_25519Refers to the Edwards-curve Digital Signature Algorithm over curve 25519, as described in RFC 8410.

Expr, ExprArgs

Description string: Optional. Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
Expression string: Textual representation of an expression in Common Expression Language syntax.
Location string: Optional. String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.
Title string: Optional. Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression.

Description string: Optional. Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
Expression string: Textual representation of an expression in Common Expression Language syntax.
Location string: Optional. String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.
Title string: Optional. Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression.

description String: Optional. Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
expression String: Textual representation of an expression in Common Expression Language syntax.
location String: Optional. String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.
title String: Optional. Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression.

description string: Optional. Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
expression string: Textual representation of an expression in Common Expression Language syntax.
location string: Optional. String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.
title string: Optional. Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression.

description str: Optional. Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
expression str: Textual representation of an expression in Common Expression Language syntax.
location str: Optional. String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.
title str: Optional. Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression.

description String: Optional. Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
expression String: Textual representation of an expression in Common Expression Language syntax.
location String: Optional. String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.
title String: Optional. Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression.

ExprResponse, ExprResponseArgs

Description string: Optional. Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
Expression string: Textual representation of an expression in Common Expression Language syntax.
Location string: Optional. String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.
Title string: Optional. Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression.

Description string: Optional. Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
Expression string: Textual representation of an expression in Common Expression Language syntax.
Location string: Optional. String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.
Title string: Optional. Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression.

description String: Optional. Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
expression String: Textual representation of an expression in Common Expression Language syntax.
location String: Optional. String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.
title String: Optional. Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression.

description string: Optional. Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
expression string: Textual representation of an expression in Common Expression Language syntax.
location string: Optional. String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.
title string: Optional. Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression.

description str: Optional. Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
expression str: Textual representation of an expression in Common Expression Language syntax.
location str: Optional. String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.
title str: Optional. Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression.

description String: Optional. Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
expression String: Textual representation of an expression in Common Expression Language syntax.
location String: Optional. String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.
title String: Optional. Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression.

ExtendedKeyUsageOptions, ExtendedKeyUsageOptionsArgs

ClientAuth bool: Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as "TLS WWW client authentication", though regularly used for non-WWW TLS.
CodeSigning bool: Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as "Signing of downloadable executable code client authentication".
EmailProtection bool: Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as "Email protection".
OcspSigning bool: Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as "Signing OCSP responses".
ServerAuth bool: Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as "TLS WWW server authentication", though regularly used for non-WWW TLS.
TimeStamping bool: Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as "Binding the hash of an object to a time".

ClientAuth bool: Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as "TLS WWW client authentication", though regularly used for non-WWW TLS.
CodeSigning bool: Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as "Signing of downloadable executable code client authentication".
EmailProtection bool: Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as "Email protection".
OcspSigning bool: Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as "Signing OCSP responses".
ServerAuth bool: Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as "TLS WWW server authentication", though regularly used for non-WWW TLS.
TimeStamping bool: Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as "Binding the hash of an object to a time".

clientAuth Boolean: Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as "TLS WWW client authentication", though regularly used for non-WWW TLS.
codeSigning Boolean: Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as "Signing of downloadable executable code client authentication".
emailProtection Boolean: Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as "Email protection".
ocspSigning Boolean: Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as "Signing OCSP responses".
serverAuth Boolean: Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as "TLS WWW server authentication", though regularly used for non-WWW TLS.
timeStamping Boolean: Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as "Binding the hash of an object to a time".

clientAuth boolean: Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as "TLS WWW client authentication", though regularly used for non-WWW TLS.
codeSigning boolean: Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as "Signing of downloadable executable code client authentication".
emailProtection boolean: Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as "Email protection".
ocspSigning boolean: Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as "Signing OCSP responses".
serverAuth boolean: Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as "TLS WWW server authentication", though regularly used for non-WWW TLS.
timeStamping boolean: Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as "Binding the hash of an object to a time".

client_auth bool: Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as "TLS WWW client authentication", though regularly used for non-WWW TLS.
code_signing bool: Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as "Signing of downloadable executable code client authentication".
email_protection bool: Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as "Email protection".
ocsp_signing bool: Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as "Signing OCSP responses".
server_auth bool: Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as "TLS WWW server authentication", though regularly used for non-WWW TLS.
time_stamping bool: Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as "Binding the hash of an object to a time".

clientAuth Boolean: Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as "TLS WWW client authentication", though regularly used for non-WWW TLS.
codeSigning Boolean: Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as "Signing of downloadable executable code client authentication".
emailProtection Boolean: Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as "Email protection".
ocspSigning Boolean: Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as "Signing OCSP responses".
serverAuth Boolean: Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as "TLS WWW server authentication", though regularly used for non-WWW TLS.
timeStamping Boolean: Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as "Binding the hash of an object to a time".

ExtendedKeyUsageOptionsResponse, ExtendedKeyUsageOptionsResponseArgs

ClientAuth bool: Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as "TLS WWW client authentication", though regularly used for non-WWW TLS.
CodeSigning bool: Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as "Signing of downloadable executable code client authentication".
EmailProtection bool: Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as "Email protection".
OcspSigning bool: Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as "Signing OCSP responses".
ServerAuth bool: Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as "TLS WWW server authentication", though regularly used for non-WWW TLS.
TimeStamping bool: Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as "Binding the hash of an object to a time".

ClientAuth bool: Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as "TLS WWW client authentication", though regularly used for non-WWW TLS.
CodeSigning bool: Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as "Signing of downloadable executable code client authentication".
EmailProtection bool: Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as "Email protection".
OcspSigning bool: Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as "Signing OCSP responses".
ServerAuth bool: Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as "TLS WWW server authentication", though regularly used for non-WWW TLS.
TimeStamping bool: Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as "Binding the hash of an object to a time".

clientAuth Boolean: Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as "TLS WWW client authentication", though regularly used for non-WWW TLS.
codeSigning Boolean: Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as "Signing of downloadable executable code client authentication".
emailProtection Boolean: Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as "Email protection".
ocspSigning Boolean: Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as "Signing OCSP responses".
serverAuth Boolean: Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as "TLS WWW server authentication", though regularly used for non-WWW TLS.
timeStamping Boolean: Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as "Binding the hash of an object to a time".

clientAuth boolean: Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as "TLS WWW client authentication", though regularly used for non-WWW TLS.
codeSigning boolean: Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as "Signing of downloadable executable code client authentication".
emailProtection boolean: Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as "Email protection".
ocspSigning boolean: Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as "Signing OCSP responses".
serverAuth boolean: Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as "TLS WWW server authentication", though regularly used for non-WWW TLS.
timeStamping boolean: Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as "Binding the hash of an object to a time".

client_auth bool: Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as "TLS WWW client authentication", though regularly used for non-WWW TLS.
code_signing bool: Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as "Signing of downloadable executable code client authentication".
email_protection bool: Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as "Email protection".
ocsp_signing bool: Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as "Signing OCSP responses".
server_auth bool: Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as "TLS WWW server authentication", though regularly used for non-WWW TLS.
time_stamping bool: Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as "Binding the hash of an object to a time".

clientAuth Boolean: Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as "TLS WWW client authentication", though regularly used for non-WWW TLS.
codeSigning Boolean: Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as "Signing of downloadable executable code client authentication".
emailProtection Boolean: Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as "Email protection".
ocspSigning Boolean: Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as "Signing OCSP responses".
serverAuth Boolean: Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as "TLS WWW server authentication", though regularly used for non-WWW TLS.
timeStamping Boolean: Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as "Binding the hash of an object to a time".

IssuanceModes, IssuanceModesArgs

AllowConfigBasedIssuance bool: Optional. When true, allows callers to create Certificates by specifying a CertificateConfig.
AllowCsrBasedIssuance bool: Optional. When true, allows callers to create Certificates by specifying a CSR.

AllowConfigBasedIssuance bool: Optional. When true, allows callers to create Certificates by specifying a CertificateConfig.
AllowCsrBasedIssuance bool: Optional. When true, allows callers to create Certificates by specifying a CSR.

allowConfigBasedIssuance Boolean: Optional. When true, allows callers to create Certificates by specifying a CertificateConfig.
allowCsrBasedIssuance Boolean: Optional. When true, allows callers to create Certificates by specifying a CSR.

allowConfigBasedIssuance boolean: Optional. When true, allows callers to create Certificates by specifying a CertificateConfig.
allowCsrBasedIssuance boolean: Optional. When true, allows callers to create Certificates by specifying a CSR.

allow_config_based_issuance bool: Optional. When true, allows callers to create Certificates by specifying a CertificateConfig.
allow_csr_based_issuance bool: Optional. When true, allows callers to create Certificates by specifying a CSR.

allowConfigBasedIssuance Boolean: Optional. When true, allows callers to create Certificates by specifying a CertificateConfig.
allowCsrBasedIssuance Boolean: Optional. When true, allows callers to create Certificates by specifying a CSR.

IssuanceModesResponse, IssuanceModesResponseArgs

AllowConfigBasedIssuance bool: Optional. When true, allows callers to create Certificates by specifying a CertificateConfig.
AllowCsrBasedIssuance bool: Optional. When true, allows callers to create Certificates by specifying a CSR.

AllowConfigBasedIssuance bool: Optional. When true, allows callers to create Certificates by specifying a CertificateConfig.
AllowCsrBasedIssuance bool: Optional. When true, allows callers to create Certificates by specifying a CSR.

allowConfigBasedIssuance Boolean: Optional. When true, allows callers to create Certificates by specifying a CertificateConfig.
allowCsrBasedIssuance Boolean: Optional. When true, allows callers to create Certificates by specifying a CSR.

allowConfigBasedIssuance boolean: Optional. When true, allows callers to create Certificates by specifying a CertificateConfig.
allowCsrBasedIssuance boolean: Optional. When true, allows callers to create Certificates by specifying a CSR.

allow_config_based_issuance bool: Optional. When true, allows callers to create Certificates by specifying a CertificateConfig.
allow_csr_based_issuance bool: Optional. When true, allows callers to create Certificates by specifying a CSR.

allowConfigBasedIssuance Boolean: Optional. When true, allows callers to create Certificates by specifying a CertificateConfig.
allowCsrBasedIssuance Boolean: Optional. When true, allows callers to create Certificates by specifying a CSR.

IssuancePolicy, IssuancePolicyArgs

AllowedIssuanceModes Pulumi.GoogleNative.Privateca.V1.Inputs.IssuanceModes: Optional. If specified, then only methods allowed in the IssuanceModes may be used to issue Certificates.
AllowedKeyTypes List<Pulumi.GoogleNative.Privateca.V1.Inputs.AllowedKeyType>: Optional. If any AllowedKeyType is specified, then the certificate request's public key must match one of the key types listed here. Otherwise, any key may be used.
BaselineValues Pulumi.GoogleNative.Privateca.V1.Inputs.X509Parameters: Optional. A set of X.509 values that will be applied to all certificates issued through this CaPool. If a certificate request includes conflicting values for the same properties, they will be overwritten by the values defined here. If a certificate request uses a CertificateTemplate that defines conflicting predefined_values for the same properties, the certificate issuance request will fail.
IdentityConstraints Pulumi.GoogleNative.Privateca.V1.Inputs.CertificateIdentityConstraints: Optional. Describes constraints on identities that may appear in Certificates issued through this CaPool. If this is omitted, then this CaPool will not add restrictions on a certificate's identity.
MaximumLifetime string: Optional. The maximum lifetime allowed for issued Certificates. Note that if the issuing CertificateAuthority expires before a Certificate's requested maximum_lifetime, the effective lifetime will be explicitly truncated to match it.
PassthroughExtensions Pulumi.GoogleNative.Privateca.V1.Inputs.CertificateExtensionConstraints: Optional. Describes the set of X.509 extensions that may appear in a Certificate issued through this CaPool. If a certificate request sets extensions that don't appear in the passthrough_extensions, those extensions will be dropped. If a certificate request uses a CertificateTemplate with predefined_values that don't appear here, the certificate issuance request will fail. If this is omitted, then this CaPool will not add restrictions on a certificate's X.509 extensions. These constraints do not apply to X.509 extensions set in this CaPool's baseline_values.

AllowedIssuanceModes IssuanceModes: Optional. If specified, then only methods allowed in the IssuanceModes may be used to issue Certificates.
AllowedKeyTypes []AllowedKeyType: Optional. If any AllowedKeyType is specified, then the certificate request's public key must match one of the key types listed here. Otherwise, any key may be used.
BaselineValues X509Parameters: Optional. A set of X.509 values that will be applied to all certificates issued through this CaPool. If a certificate request includes conflicting values for the same properties, they will be overwritten by the values defined here. If a certificate request uses a CertificateTemplate that defines conflicting predefined_values for the same properties, the certificate issuance request will fail.
IdentityConstraints CertificateIdentityConstraints: Optional. Describes constraints on identities that may appear in Certificates issued through this CaPool. If this is omitted, then this CaPool will not add restrictions on a certificate's identity.
MaximumLifetime string: Optional. The maximum lifetime allowed for issued Certificates. Note that if the issuing CertificateAuthority expires before a Certificate's requested maximum_lifetime, the effective lifetime will be explicitly truncated to match it.
PassthroughExtensions CertificateExtensionConstraints: Optional. Describes the set of X.509 extensions that may appear in a Certificate issued through this CaPool. If a certificate request sets extensions that don't appear in the passthrough_extensions, those extensions will be dropped. If a certificate request uses a CertificateTemplate with predefined_values that don't appear here, the certificate issuance request will fail. If this is omitted, then this CaPool will not add restrictions on a certificate's X.509 extensions. These constraints do not apply to X.509 extensions set in this CaPool's baseline_values.

allowedIssuanceModes IssuanceModes: Optional. If specified, then only methods allowed in the IssuanceModes may be used to issue Certificates.
allowedKeyTypes List<AllowedKeyType>: Optional. If any AllowedKeyType is specified, then the certificate request's public key must match one of the key types listed here. Otherwise, any key may be used.
baselineValues X509Parameters: Optional. A set of X.509 values that will be applied to all certificates issued through this CaPool. If a certificate request includes conflicting values for the same properties, they will be overwritten by the values defined here. If a certificate request uses a CertificateTemplate that defines conflicting predefined_values for the same properties, the certificate issuance request will fail.
identityConstraints CertificateIdentityConstraints: Optional. Describes constraints on identities that may appear in Certificates issued through this CaPool. If this is omitted, then this CaPool will not add restrictions on a certificate's identity.
maximumLifetime String: Optional. The maximum lifetime allowed for issued Certificates. Note that if the issuing CertificateAuthority expires before a Certificate's requested maximum_lifetime, the effective lifetime will be explicitly truncated to match it.
passthroughExtensions CertificateExtensionConstraints: Optional. Describes the set of X.509 extensions that may appear in a Certificate issued through this CaPool. If a certificate request sets extensions that don't appear in the passthrough_extensions, those extensions will be dropped. If a certificate request uses a CertificateTemplate with predefined_values that don't appear here, the certificate issuance request will fail. If this is omitted, then this CaPool will not add restrictions on a certificate's X.509 extensions. These constraints do not apply to X.509 extensions set in this CaPool's baseline_values.

allowedIssuanceModes IssuanceModes: Optional. If specified, then only methods allowed in the IssuanceModes may be used to issue Certificates.
allowedKeyTypes AllowedKeyType[]: Optional. If any AllowedKeyType is specified, then the certificate request's public key must match one of the key types listed here. Otherwise, any key may be used.
baselineValues X509Parameters: Optional. A set of X.509 values that will be applied to all certificates issued through this CaPool. If a certificate request includes conflicting values for the same properties, they will be overwritten by the values defined here. If a certificate request uses a CertificateTemplate that defines conflicting predefined_values for the same properties, the certificate issuance request will fail.
identityConstraints CertificateIdentityConstraints: Optional. Describes constraints on identities that may appear in Certificates issued through this CaPool. If this is omitted, then this CaPool will not add restrictions on a certificate's identity.
maximumLifetime string: Optional. The maximum lifetime allowed for issued Certificates. Note that if the issuing CertificateAuthority expires before a Certificate's requested maximum_lifetime, the effective lifetime will be explicitly truncated to match it.
passthroughExtensions CertificateExtensionConstraints: Optional. Describes the set of X.509 extensions that may appear in a Certificate issued through this CaPool. If a certificate request sets extensions that don't appear in the passthrough_extensions, those extensions will be dropped. If a certificate request uses a CertificateTemplate with predefined_values that don't appear here, the certificate issuance request will fail. If this is omitted, then this CaPool will not add restrictions on a certificate's X.509 extensions. These constraints do not apply to X.509 extensions set in this CaPool's baseline_values.

allowed_issuance_modes IssuanceModes: Optional. If specified, then only methods allowed in the IssuanceModes may be used to issue Certificates.
allowed_key_types Sequence[AllowedKeyType]: Optional. If any AllowedKeyType is specified, then the certificate request's public key must match one of the key types listed here. Otherwise, any key may be used.
baseline_values X509Parameters: Optional. A set of X.509 values that will be applied to all certificates issued through this CaPool. If a certificate request includes conflicting values for the same properties, they will be overwritten by the values defined here. If a certificate request uses a CertificateTemplate that defines conflicting predefined_values for the same properties, the certificate issuance request will fail.
identity_constraints CertificateIdentityConstraints: Optional. Describes constraints on identities that may appear in Certificates issued through this CaPool. If this is omitted, then this CaPool will not add restrictions on a certificate's identity.
maximum_lifetime str: Optional. The maximum lifetime allowed for issued Certificates. Note that if the issuing CertificateAuthority expires before a Certificate's requested maximum_lifetime, the effective lifetime will be explicitly truncated to match it.
passthrough_extensions CertificateExtensionConstraints: Optional. Describes the set of X.509 extensions that may appear in a Certificate issued through this CaPool. If a certificate request sets extensions that don't appear in the passthrough_extensions, those extensions will be dropped. If a certificate request uses a CertificateTemplate with predefined_values that don't appear here, the certificate issuance request will fail. If this is omitted, then this CaPool will not add restrictions on a certificate's X.509 extensions. These constraints do not apply to X.509 extensions set in this CaPool's baseline_values.

allowedIssuanceModes Property Map: Optional. If specified, then only methods allowed in the IssuanceModes may be used to issue Certificates.
allowedKeyTypes List<Property Map>: Optional. If any AllowedKeyType is specified, then the certificate request's public key must match one of the key types listed here. Otherwise, any key may be used.
baselineValues Property Map: Optional. A set of X.509 values that will be applied to all certificates issued through this CaPool. If a certificate request includes conflicting values for the same properties, they will be overwritten by the values defined here. If a certificate request uses a CertificateTemplate that defines conflicting predefined_values for the same properties, the certificate issuance request will fail.
identityConstraints Property Map: Optional. Describes constraints on identities that may appear in Certificates issued through this CaPool. If this is omitted, then this CaPool will not add restrictions on a certificate's identity.
maximumLifetime String: Optional. The maximum lifetime allowed for issued Certificates. Note that if the issuing CertificateAuthority expires before a Certificate's requested maximum_lifetime, the effective lifetime will be explicitly truncated to match it.
passthroughExtensions Property Map: Optional. Describes the set of X.509 extensions that may appear in a Certificate issued through this CaPool. If a certificate request sets extensions that don't appear in the passthrough_extensions, those extensions will be dropped. If a certificate request uses a CertificateTemplate with predefined_values that don't appear here, the certificate issuance request will fail. If this is omitted, then this CaPool will not add restrictions on a certificate's X.509 extensions. These constraints do not apply to X.509 extensions set in this CaPool's baseline_values.

IssuancePolicyResponse, IssuancePolicyResponseArgs

AllowedIssuanceModes Pulumi.GoogleNative.Privateca.V1.Inputs.IssuanceModesResponse: Optional. If specified, then only methods allowed in the IssuanceModes may be used to issue Certificates.
AllowedKeyTypes List<Pulumi.GoogleNative.Privateca.V1.Inputs.AllowedKeyTypeResponse>: Optional. If any AllowedKeyType is specified, then the certificate request's public key must match one of the key types listed here. Otherwise, any key may be used.
BaselineValues Pulumi.GoogleNative.Privateca.V1.Inputs.X509ParametersResponse: Optional. A set of X.509 values that will be applied to all certificates issued through this CaPool. If a certificate request includes conflicting values for the same properties, they will be overwritten by the values defined here. If a certificate request uses a CertificateTemplate that defines conflicting predefined_values for the same properties, the certificate issuance request will fail.
IdentityConstraints Pulumi.GoogleNative.Privateca.V1.Inputs.CertificateIdentityConstraintsResponse: Optional. Describes constraints on identities that may appear in Certificates issued through this CaPool. If this is omitted, then this CaPool will not add restrictions on a certificate's identity.
MaximumLifetime string: Optional. The maximum lifetime allowed for issued Certificates. Note that if the issuing CertificateAuthority expires before a Certificate's requested maximum_lifetime, the effective lifetime will be explicitly truncated to match it.
PassthroughExtensions Pulumi.GoogleNative.Privateca.V1.Inputs.CertificateExtensionConstraintsResponse: Optional. Describes the set of X.509 extensions that may appear in a Certificate issued through this CaPool. If a certificate request sets extensions that don't appear in the passthrough_extensions, those extensions will be dropped. If a certificate request uses a CertificateTemplate with predefined_values that don't appear here, the certificate issuance request will fail. If this is omitted, then this CaPool will not add restrictions on a certificate's X.509 extensions. These constraints do not apply to X.509 extensions set in this CaPool's baseline_values.

AllowedIssuanceModes IssuanceModesResponse: Optional. If specified, then only methods allowed in the IssuanceModes may be used to issue Certificates.
AllowedKeyTypes []AllowedKeyTypeResponse: Optional. If any AllowedKeyType is specified, then the certificate request's public key must match one of the key types listed here. Otherwise, any key may be used.
BaselineValues X509ParametersResponse: Optional. A set of X.509 values that will be applied to all certificates issued through this CaPool. If a certificate request includes conflicting values for the same properties, they will be overwritten by the values defined here. If a certificate request uses a CertificateTemplate that defines conflicting predefined_values for the same properties, the certificate issuance request will fail.
IdentityConstraints CertificateIdentityConstraintsResponse: Optional. Describes constraints on identities that may appear in Certificates issued through this CaPool. If this is omitted, then this CaPool will not add restrictions on a certificate's identity.
MaximumLifetime string: Optional. The maximum lifetime allowed for issued Certificates. Note that if the issuing CertificateAuthority expires before a Certificate's requested maximum_lifetime, the effective lifetime will be explicitly truncated to match it.
PassthroughExtensions CertificateExtensionConstraintsResponse: Optional. Describes the set of X.509 extensions that may appear in a Certificate issued through this CaPool. If a certificate request sets extensions that don't appear in the passthrough_extensions, those extensions will be dropped. If a certificate request uses a CertificateTemplate with predefined_values that don't appear here, the certificate issuance request will fail. If this is omitted, then this CaPool will not add restrictions on a certificate's X.509 extensions. These constraints do not apply to X.509 extensions set in this CaPool's baseline_values.

allowedIssuanceModes IssuanceModesResponse: Optional. If specified, then only methods allowed in the IssuanceModes may be used to issue Certificates.
allowedKeyTypes List<AllowedKeyTypeResponse>: Optional. If any AllowedKeyType is specified, then the certificate request's public key must match one of the key types listed here. Otherwise, any key may be used.
baselineValues X509ParametersResponse: Optional. A set of X.509 values that will be applied to all certificates issued through this CaPool. If a certificate request includes conflicting values for the same properties, they will be overwritten by the values defined here. If a certificate request uses a CertificateTemplate that defines conflicting predefined_values for the same properties, the certificate issuance request will fail.
identityConstraints CertificateIdentityConstraintsResponse: Optional. Describes constraints on identities that may appear in Certificates issued through this CaPool. If this is omitted, then this CaPool will not add restrictions on a certificate's identity.
maximumLifetime String: Optional. The maximum lifetime allowed for issued Certificates. Note that if the issuing CertificateAuthority expires before a Certificate's requested maximum_lifetime, the effective lifetime will be explicitly truncated to match it.
passthroughExtensions CertificateExtensionConstraintsResponse: Optional. Describes the set of X.509 extensions that may appear in a Certificate issued through this CaPool. If a certificate request sets extensions that don't appear in the passthrough_extensions, those extensions will be dropped. If a certificate request uses a CertificateTemplate with predefined_values that don't appear here, the certificate issuance request will fail. If this is omitted, then this CaPool will not add restrictions on a certificate's X.509 extensions. These constraints do not apply to X.509 extensions set in this CaPool's baseline_values.

allowedIssuanceModes IssuanceModesResponse: Optional. If specified, then only methods allowed in the IssuanceModes may be used to issue Certificates.
allowedKeyTypes AllowedKeyTypeResponse[]: Optional. If any AllowedKeyType is specified, then the certificate request's public key must match one of the key types listed here. Otherwise, any key may be used.
baselineValues X509ParametersResponse: Optional. A set of X.509 values that will be applied to all certificates issued through this CaPool. If a certificate request includes conflicting values for the same properties, they will be overwritten by the values defined here. If a certificate request uses a CertificateTemplate that defines conflicting predefined_values for the same properties, the certificate issuance request will fail.
identityConstraints CertificateIdentityConstraintsResponse: Optional. Describes constraints on identities that may appear in Certificates issued through this CaPool. If this is omitted, then this CaPool will not add restrictions on a certificate's identity.
maximumLifetime string: Optional. The maximum lifetime allowed for issued Certificates. Note that if the issuing CertificateAuthority expires before a Certificate's requested maximum_lifetime, the effective lifetime will be explicitly truncated to match it.
passthroughExtensions CertificateExtensionConstraintsResponse: Optional. Describes the set of X.509 extensions that may appear in a Certificate issued through this CaPool. If a certificate request sets extensions that don't appear in the passthrough_extensions, those extensions will be dropped. If a certificate request uses a CertificateTemplate with predefined_values that don't appear here, the certificate issuance request will fail. If this is omitted, then this CaPool will not add restrictions on a certificate's X.509 extensions. These constraints do not apply to X.509 extensions set in this CaPool's baseline_values.

allowed_issuance_modes IssuanceModesResponse: Optional. If specified, then only methods allowed in the IssuanceModes may be used to issue Certificates.
allowed_key_types Sequence[AllowedKeyTypeResponse]: Optional. If any AllowedKeyType is specified, then the certificate request's public key must match one of the key types listed here. Otherwise, any key may be used.
baseline_values X509ParametersResponse: Optional. A set of X.509 values that will be applied to all certificates issued through this CaPool. If a certificate request includes conflicting values for the same properties, they will be overwritten by the values defined here. If a certificate request uses a CertificateTemplate that defines conflicting predefined_values for the same properties, the certificate issuance request will fail.
identity_constraints CertificateIdentityConstraintsResponse: Optional. Describes constraints on identities that may appear in Certificates issued through this CaPool. If this is omitted, then this CaPool will not add restrictions on a certificate's identity.
maximum_lifetime str: Optional. The maximum lifetime allowed for issued Certificates. Note that if the issuing CertificateAuthority expires before a Certificate's requested maximum_lifetime, the effective lifetime will be explicitly truncated to match it.
passthrough_extensions CertificateExtensionConstraintsResponse: Optional. Describes the set of X.509 extensions that may appear in a Certificate issued through this CaPool. If a certificate request sets extensions that don't appear in the passthrough_extensions, those extensions will be dropped. If a certificate request uses a CertificateTemplate with predefined_values that don't appear here, the certificate issuance request will fail. If this is omitted, then this CaPool will not add restrictions on a certificate's X.509 extensions. These constraints do not apply to X.509 extensions set in this CaPool's baseline_values.

allowedIssuanceModes Property Map: Optional. If specified, then only methods allowed in the IssuanceModes may be used to issue Certificates.
allowedKeyTypes List<Property Map>: Optional. If any AllowedKeyType is specified, then the certificate request's public key must match one of the key types listed here. Otherwise, any key may be used.
baselineValues Property Map: Optional. A set of X.509 values that will be applied to all certificates issued through this CaPool. If a certificate request includes conflicting values for the same properties, they will be overwritten by the values defined here. If a certificate request uses a CertificateTemplate that defines conflicting predefined_values for the same properties, the certificate issuance request will fail.
identityConstraints Property Map: Optional. Describes constraints on identities that may appear in Certificates issued through this CaPool. If this is omitted, then this CaPool will not add restrictions on a certificate's identity.
maximumLifetime String: Optional. The maximum lifetime allowed for issued Certificates. Note that if the issuing CertificateAuthority expires before a Certificate's requested maximum_lifetime, the effective lifetime will be explicitly truncated to match it.
passthroughExtensions Property Map: Optional. Describes the set of X.509 extensions that may appear in a Certificate issued through this CaPool. If a certificate request sets extensions that don't appear in the passthrough_extensions, those extensions will be dropped. If a certificate request uses a CertificateTemplate with predefined_values that don't appear here, the certificate issuance request will fail. If this is omitted, then this CaPool will not add restrictions on a certificate's X.509 extensions. These constraints do not apply to X.509 extensions set in this CaPool's baseline_values.

KeyUsage, KeyUsageArgs

BaseKeyUsage Pulumi.GoogleNative.Privateca.V1.Inputs.KeyUsageOptions: Describes high-level ways in which a key may be used.
ExtendedKeyUsage Pulumi.GoogleNative.Privateca.V1.Inputs.ExtendedKeyUsageOptions: Detailed scenarios in which a key may be used.
UnknownExtendedKeyUsages List<Pulumi.GoogleNative.Privateca.V1.Inputs.ObjectId>: Used to describe extended key usages that are not listed in the KeyUsage.ExtendedKeyUsageOptions message.

BaseKeyUsage KeyUsageOptions: Describes high-level ways in which a key may be used.
ExtendedKeyUsage ExtendedKeyUsageOptions: Detailed scenarios in which a key may be used.
UnknownExtendedKeyUsages []ObjectId: Used to describe extended key usages that are not listed in the KeyUsage.ExtendedKeyUsageOptions message.

baseKeyUsage KeyUsageOptions: Describes high-level ways in which a key may be used.
extendedKeyUsage ExtendedKeyUsageOptions: Detailed scenarios in which a key may be used.
unknownExtendedKeyUsages List<ObjectId>: Used to describe extended key usages that are not listed in the KeyUsage.ExtendedKeyUsageOptions message.

baseKeyUsage KeyUsageOptions: Describes high-level ways in which a key may be used.
extendedKeyUsage ExtendedKeyUsageOptions: Detailed scenarios in which a key may be used.
unknownExtendedKeyUsages ObjectId[]: Used to describe extended key usages that are not listed in the KeyUsage.ExtendedKeyUsageOptions message.

base_key_usage KeyUsageOptions: Describes high-level ways in which a key may be used.
extended_key_usage ExtendedKeyUsageOptions: Detailed scenarios in which a key may be used.
unknown_extended_key_usages Sequence[ObjectId]: Used to describe extended key usages that are not listed in the KeyUsage.ExtendedKeyUsageOptions message.

baseKeyUsage Property Map: Describes high-level ways in which a key may be used.
extendedKeyUsage Property Map: Detailed scenarios in which a key may be used.
unknownExtendedKeyUsages List<Property Map>: Used to describe extended key usages that are not listed in the KeyUsage.ExtendedKeyUsageOptions message.

KeyUsageOptions, KeyUsageOptionsArgs

CertSign bool: The key may be used to sign certificates.
ContentCommitment bool: The key may be used for cryptographic commitments. Note that this may also be referred to as "non-repudiation".
CrlSign bool: The key may be used sign certificate revocation lists.
DataEncipherment bool: The key may be used to encipher data.
DecipherOnly bool: The key may be used to decipher only.
DigitalSignature bool: The key may be used for digital signatures.
EncipherOnly bool: The key may be used to encipher only.
KeyAgreement bool: The key may be used in a key agreement protocol.
KeyEncipherment bool: The key may be used to encipher other keys.

CertSign bool: The key may be used to sign certificates.
ContentCommitment bool: The key may be used for cryptographic commitments. Note that this may also be referred to as "non-repudiation".
CrlSign bool: The key may be used sign certificate revocation lists.
DataEncipherment bool: The key may be used to encipher data.
DecipherOnly bool: The key may be used to decipher only.
DigitalSignature bool: The key may be used for digital signatures.
EncipherOnly bool: The key may be used to encipher only.
KeyAgreement bool: The key may be used in a key agreement protocol.
KeyEncipherment bool: The key may be used to encipher other keys.

certSign Boolean: The key may be used to sign certificates.
contentCommitment Boolean: The key may be used for cryptographic commitments. Note that this may also be referred to as "non-repudiation".
crlSign Boolean: The key may be used sign certificate revocation lists.
dataEncipherment Boolean: The key may be used to encipher data.
decipherOnly Boolean: The key may be used to decipher only.
digitalSignature Boolean: The key may be used for digital signatures.
encipherOnly Boolean: The key may be used to encipher only.
keyAgreement Boolean: The key may be used in a key agreement protocol.
keyEncipherment Boolean: The key may be used to encipher other keys.

certSign boolean: The key may be used to sign certificates.
contentCommitment boolean: The key may be used for cryptographic commitments. Note that this may also be referred to as "non-repudiation".
crlSign boolean: The key may be used sign certificate revocation lists.
dataEncipherment boolean: The key may be used to encipher data.
decipherOnly boolean: The key may be used to decipher only.
digitalSignature boolean: The key may be used for digital signatures.
encipherOnly boolean: The key may be used to encipher only.
keyAgreement boolean: The key may be used in a key agreement protocol.
keyEncipherment boolean: The key may be used to encipher other keys.

cert_sign bool: The key may be used to sign certificates.
content_commitment bool: The key may be used for cryptographic commitments. Note that this may also be referred to as "non-repudiation".
crl_sign bool: The key may be used sign certificate revocation lists.
data_encipherment bool: The key may be used to encipher data.
decipher_only bool: The key may be used to decipher only.
digital_signature bool: The key may be used for digital signatures.
encipher_only bool: The key may be used to encipher only.
key_agreement bool: The key may be used in a key agreement protocol.
key_encipherment bool: The key may be used to encipher other keys.

certSign Boolean: The key may be used to sign certificates.
contentCommitment Boolean: The key may be used for cryptographic commitments. Note that this may also be referred to as "non-repudiation".
crlSign Boolean: The key may be used sign certificate revocation lists.
dataEncipherment Boolean: The key may be used to encipher data.
decipherOnly Boolean: The key may be used to decipher only.
digitalSignature Boolean: The key may be used for digital signatures.
encipherOnly Boolean: The key may be used to encipher only.
keyAgreement Boolean: The key may be used in a key agreement protocol.
keyEncipherment Boolean: The key may be used to encipher other keys.

KeyUsageOptionsResponse, KeyUsageOptionsResponseArgs

CertSign bool: The key may be used to sign certificates.
ContentCommitment bool: The key may be used for cryptographic commitments. Note that this may also be referred to as "non-repudiation".
CrlSign bool: The key may be used sign certificate revocation lists.
DataEncipherment bool: The key may be used to encipher data.
DecipherOnly bool: The key may be used to decipher only.
DigitalSignature bool: The key may be used for digital signatures.
EncipherOnly bool: The key may be used to encipher only.
KeyAgreement bool: The key may be used in a key agreement protocol.
KeyEncipherment bool: The key may be used to encipher other keys.

CertSign bool: The key may be used to sign certificates.
ContentCommitment bool: The key may be used for cryptographic commitments. Note that this may also be referred to as "non-repudiation".
CrlSign bool: The key may be used sign certificate revocation lists.
DataEncipherment bool: The key may be used to encipher data.
DecipherOnly bool: The key may be used to decipher only.
DigitalSignature bool: The key may be used for digital signatures.
EncipherOnly bool: The key may be used to encipher only.
KeyAgreement bool: The key may be used in a key agreement protocol.
KeyEncipherment bool: The key may be used to encipher other keys.

certSign Boolean: The key may be used to sign certificates.
contentCommitment Boolean: The key may be used for cryptographic commitments. Note that this may also be referred to as "non-repudiation".
crlSign Boolean: The key may be used sign certificate revocation lists.
dataEncipherment Boolean: The key may be used to encipher data.
decipherOnly Boolean: The key may be used to decipher only.
digitalSignature Boolean: The key may be used for digital signatures.
encipherOnly Boolean: The key may be used to encipher only.
keyAgreement Boolean: The key may be used in a key agreement protocol.
keyEncipherment Boolean: The key may be used to encipher other keys.

certSign boolean: The key may be used to sign certificates.
contentCommitment boolean: The key may be used for cryptographic commitments. Note that this may also be referred to as "non-repudiation".
crlSign boolean: The key may be used sign certificate revocation lists.
dataEncipherment boolean: The key may be used to encipher data.
decipherOnly boolean: The key may be used to decipher only.
digitalSignature boolean: The key may be used for digital signatures.
encipherOnly boolean: The key may be used to encipher only.
keyAgreement boolean: The key may be used in a key agreement protocol.
keyEncipherment boolean: The key may be used to encipher other keys.

cert_sign bool: The key may be used to sign certificates.
content_commitment bool: The key may be used for cryptographic commitments. Note that this may also be referred to as "non-repudiation".
crl_sign bool: The key may be used sign certificate revocation lists.
data_encipherment bool: The key may be used to encipher data.
decipher_only bool: The key may be used to decipher only.
digital_signature bool: The key may be used for digital signatures.
encipher_only bool: The key may be used to encipher only.
key_agreement bool: The key may be used in a key agreement protocol.
key_encipherment bool: The key may be used to encipher other keys.

certSign Boolean: The key may be used to sign certificates.
contentCommitment Boolean: The key may be used for cryptographic commitments. Note that this may also be referred to as "non-repudiation".
crlSign Boolean: The key may be used sign certificate revocation lists.
dataEncipherment Boolean: The key may be used to encipher data.
decipherOnly Boolean: The key may be used to decipher only.
digitalSignature Boolean: The key may be used for digital signatures.
encipherOnly Boolean: The key may be used to encipher only.
keyAgreement Boolean: The key may be used in a key agreement protocol.
keyEncipherment Boolean: The key may be used to encipher other keys.

KeyUsageResponse, KeyUsageResponseArgs

BaseKeyUsage Pulumi.GoogleNative.Privateca.V1.Inputs.KeyUsageOptionsResponse: Describes high-level ways in which a key may be used.
ExtendedKeyUsage Pulumi.GoogleNative.Privateca.V1.Inputs.ExtendedKeyUsageOptionsResponse: Detailed scenarios in which a key may be used.
UnknownExtendedKeyUsages List<Pulumi.GoogleNative.Privateca.V1.Inputs.ObjectIdResponse>: Used to describe extended key usages that are not listed in the KeyUsage.ExtendedKeyUsageOptions message.

BaseKeyUsage KeyUsageOptionsResponse: Describes high-level ways in which a key may be used.
ExtendedKeyUsage ExtendedKeyUsageOptionsResponse: Detailed scenarios in which a key may be used.
UnknownExtendedKeyUsages []ObjectIdResponse: Used to describe extended key usages that are not listed in the KeyUsage.ExtendedKeyUsageOptions message.

baseKeyUsage KeyUsageOptionsResponse: Describes high-level ways in which a key may be used.
extendedKeyUsage ExtendedKeyUsageOptionsResponse: Detailed scenarios in which a key may be used.
unknownExtendedKeyUsages List<ObjectIdResponse>: Used to describe extended key usages that are not listed in the KeyUsage.ExtendedKeyUsageOptions message.

baseKeyUsage KeyUsageOptionsResponse: Describes high-level ways in which a key may be used.
extendedKeyUsage ExtendedKeyUsageOptionsResponse: Detailed scenarios in which a key may be used.
unknownExtendedKeyUsages ObjectIdResponse[]: Used to describe extended key usages that are not listed in the KeyUsage.ExtendedKeyUsageOptions message.

base_key_usage KeyUsageOptionsResponse: Describes high-level ways in which a key may be used.
extended_key_usage ExtendedKeyUsageOptionsResponse: Detailed scenarios in which a key may be used.
unknown_extended_key_usages Sequence[ObjectIdResponse]: Used to describe extended key usages that are not listed in the KeyUsage.ExtendedKeyUsageOptions message.

baseKeyUsage Property Map: Describes high-level ways in which a key may be used.
extendedKeyUsage Property Map: Detailed scenarios in which a key may be used.
unknownExtendedKeyUsages List<Property Map>: Used to describe extended key usages that are not listed in the KeyUsage.ExtendedKeyUsageOptions message.

NameConstraints, NameConstraintsArgs

Critical bool: Indicates whether or not the name constraints are marked critical.
ExcludedDnsNames List<string>: Contains excluded DNS names. Any DNS name that can be constructed by simply adding zero or more labels to the left-hand side of the name satisfies the name constraint. For example, example.com, www.example.com, www.sub.example.com would satisfy example.com while example1.com does not.
ExcludedEmailAddresses List<string>: Contains the excluded email addresses. The value can be a particular email address, a hostname to indicate all email addresses on that host or a domain with a leading period (e.g. .example.com) to indicate all email addresses in that domain.
ExcludedIpRanges List<string>: Contains the excluded IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.
ExcludedUris List<string>: Contains the excluded URIs that apply to the host part of the name. The value can be a hostname or a domain with a leading period (like .example.com)
PermittedDnsNames List<string>: Contains permitted DNS names. Any DNS name that can be constructed by simply adding zero or more labels to the left-hand side of the name satisfies the name constraint. For example, example.com, www.example.com, www.sub.example.com would satisfy example.com while example1.com does not.
PermittedEmailAddresses List<string>: Contains the permitted email addresses. The value can be a particular email address, a hostname to indicate all email addresses on that host or a domain with a leading period (e.g. .example.com) to indicate all email addresses in that domain.
PermittedIpRanges List<string>: Contains the permitted IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.
PermittedUris List<string>: Contains the permitted URIs that apply to the host part of the name. The value can be a hostname or a domain with a leading period (like .example.com)

Critical bool: Indicates whether or not the name constraints are marked critical.
ExcludedDnsNames []string: Contains excluded DNS names. Any DNS name that can be constructed by simply adding zero or more labels to the left-hand side of the name satisfies the name constraint. For example, example.com, www.example.com, www.sub.example.com would satisfy example.com while example1.com does not.
ExcludedEmailAddresses []string: Contains the excluded email addresses. The value can be a particular email address, a hostname to indicate all email addresses on that host or a domain with a leading period (e.g. .example.com) to indicate all email addresses in that domain.
ExcludedIpRanges []string: Contains the excluded IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.
ExcludedUris []string: Contains the excluded URIs that apply to the host part of the name. The value can be a hostname or a domain with a leading period (like .example.com)
PermittedDnsNames []string: Contains permitted DNS names. Any DNS name that can be constructed by simply adding zero or more labels to the left-hand side of the name satisfies the name constraint. For example, example.com, www.example.com, www.sub.example.com would satisfy example.com while example1.com does not.
PermittedEmailAddresses []string: Contains the permitted email addresses. The value can be a particular email address, a hostname to indicate all email addresses on that host or a domain with a leading period (e.g. .example.com) to indicate all email addresses in that domain.
PermittedIpRanges []string: Contains the permitted IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.
PermittedUris []string: Contains the permitted URIs that apply to the host part of the name. The value can be a hostname or a domain with a leading period (like .example.com)

critical Boolean: Indicates whether or not the name constraints are marked critical.
excludedDnsNames List<String>: Contains excluded DNS names. Any DNS name that can be constructed by simply adding zero or more labels to the left-hand side of the name satisfies the name constraint. For example, example.com, www.example.com, www.sub.example.com would satisfy example.com while example1.com does not.
excludedEmailAddresses List<String>: Contains the excluded email addresses. The value can be a particular email address, a hostname to indicate all email addresses on that host or a domain with a leading period (e.g. .example.com) to indicate all email addresses in that domain.
excludedIpRanges List<String>: Contains the excluded IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.
excludedUris List<String>: Contains the excluded URIs that apply to the host part of the name. The value can be a hostname or a domain with a leading period (like .example.com)
permittedDnsNames List<String>: Contains permitted DNS names. Any DNS name that can be constructed by simply adding zero or more labels to the left-hand side of the name satisfies the name constraint. For example, example.com, www.example.com, www.sub.example.com would satisfy example.com while example1.com does not.
permittedEmailAddresses List<String>: Contains the permitted email addresses. The value can be a particular email address, a hostname to indicate all email addresses on that host or a domain with a leading period (e.g. .example.com) to indicate all email addresses in that domain.
permittedIpRanges List<String>: Contains the permitted IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.
permittedUris List<String>: Contains the permitted URIs that apply to the host part of the name. The value can be a hostname or a domain with a leading period (like .example.com)

critical boolean: Indicates whether or not the name constraints are marked critical.
excludedDnsNames string[]: Contains excluded DNS names. Any DNS name that can be constructed by simply adding zero or more labels to the left-hand side of the name satisfies the name constraint. For example, example.com, www.example.com, www.sub.example.com would satisfy example.com while example1.com does not.
excludedEmailAddresses string[]: Contains the excluded email addresses. The value can be a particular email address, a hostname to indicate all email addresses on that host or a domain with a leading period (e.g. .example.com) to indicate all email addresses in that domain.
excludedIpRanges string[]: Contains the excluded IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.
excludedUris string[]: Contains the excluded URIs that apply to the host part of the name. The value can be a hostname or a domain with a leading period (like .example.com)
permittedDnsNames string[]: Contains permitted DNS names. Any DNS name that can be constructed by simply adding zero or more labels to the left-hand side of the name satisfies the name constraint. For example, example.com, www.example.com, www.sub.example.com would satisfy example.com while example1.com does not.
permittedEmailAddresses string[]: Contains the permitted email addresses. The value can be a particular email address, a hostname to indicate all email addresses on that host or a domain with a leading period (e.g. .example.com) to indicate all email addresses in that domain.
permittedIpRanges string[]: Contains the permitted IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.
permittedUris string[]: Contains the permitted URIs that apply to the host part of the name. The value can be a hostname or a domain with a leading period (like .example.com)

critical bool: Indicates whether or not the name constraints are marked critical.
excluded_dns_names Sequence[str]: Contains excluded DNS names. Any DNS name that can be constructed by simply adding zero or more labels to the left-hand side of the name satisfies the name constraint. For example, example.com, www.example.com, www.sub.example.com would satisfy example.com while example1.com does not.
excluded_email_addresses Sequence[str]: Contains the excluded email addresses. The value can be a particular email address, a hostname to indicate all email addresses on that host or a domain with a leading period (e.g. .example.com) to indicate all email addresses in that domain.
excluded_ip_ranges Sequence[str]: Contains the excluded IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.
excluded_uris Sequence[str]: Contains the excluded URIs that apply to the host part of the name. The value can be a hostname or a domain with a leading period (like .example.com)
permitted_dns_names Sequence[str]: Contains permitted DNS names. Any DNS name that can be constructed by simply adding zero or more labels to the left-hand side of the name satisfies the name constraint. For example, example.com, www.example.com, www.sub.example.com would satisfy example.com while example1.com does not.
permitted_email_addresses Sequence[str]: Contains the permitted email addresses. The value can be a particular email address, a hostname to indicate all email addresses on that host or a domain with a leading period (e.g. .example.com) to indicate all email addresses in that domain.
permitted_ip_ranges Sequence[str]: Contains the permitted IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.
permitted_uris Sequence[str]: Contains the permitted URIs that apply to the host part of the name. The value can be a hostname or a domain with a leading period (like .example.com)

critical Boolean: Indicates whether or not the name constraints are marked critical.
excludedDnsNames List<String>: Contains excluded DNS names. Any DNS name that can be constructed by simply adding zero or more labels to the left-hand side of the name satisfies the name constraint. For example, example.com, www.example.com, www.sub.example.com would satisfy example.com while example1.com does not.
excludedEmailAddresses List<String>: Contains the excluded email addresses. The value can be a particular email address, a hostname to indicate all email addresses on that host or a domain with a leading period (e.g. .example.com) to indicate all email addresses in that domain.
excludedIpRanges List<String>: Contains the excluded IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.
excludedUris List<String>: Contains the excluded URIs that apply to the host part of the name. The value can be a hostname or a domain with a leading period (like .example.com)
permittedDnsNames List<String>: Contains permitted DNS names. Any DNS name that can be constructed by simply adding zero or more labels to the left-hand side of the name satisfies the name constraint. For example, example.com, www.example.com, www.sub.example.com would satisfy example.com while example1.com does not.
permittedEmailAddresses List<String>: Contains the permitted email addresses. The value can be a particular email address, a hostname to indicate all email addresses on that host or a domain with a leading period (e.g. .example.com) to indicate all email addresses in that domain.
permittedIpRanges List<String>: Contains the permitted IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.
permittedUris List<String>: Contains the permitted URIs that apply to the host part of the name. The value can be a hostname or a domain with a leading period (like .example.com)

NameConstraintsResponse, NameConstraintsResponseArgs

Critical bool: Indicates whether or not the name constraints are marked critical.
ExcludedDnsNames List<string>: Contains excluded DNS names. Any DNS name that can be constructed by simply adding zero or more labels to the left-hand side of the name satisfies the name constraint. For example, example.com, www.example.com, www.sub.example.com would satisfy example.com while example1.com does not.
ExcludedEmailAddresses List<string>: Contains the excluded email addresses. The value can be a particular email address, a hostname to indicate all email addresses on that host or a domain with a leading period (e.g. .example.com) to indicate all email addresses in that domain.
ExcludedIpRanges List<string>: Contains the excluded IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.
ExcludedUris List<string>: Contains the excluded URIs that apply to the host part of the name. The value can be a hostname or a domain with a leading period (like .example.com)
PermittedDnsNames List<string>: Contains permitted DNS names. Any DNS name that can be constructed by simply adding zero or more labels to the left-hand side of the name satisfies the name constraint. For example, example.com, www.example.com, www.sub.example.com would satisfy example.com while example1.com does not.
PermittedEmailAddresses List<string>: Contains the permitted email addresses. The value can be a particular email address, a hostname to indicate all email addresses on that host or a domain with a leading period (e.g. .example.com) to indicate all email addresses in that domain.
PermittedIpRanges List<string>: Contains the permitted IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.
PermittedUris List<string>: Contains the permitted URIs that apply to the host part of the name. The value can be a hostname or a domain with a leading period (like .example.com)

Critical bool: Indicates whether or not the name constraints are marked critical.
ExcludedDnsNames []string: Contains excluded DNS names. Any DNS name that can be constructed by simply adding zero or more labels to the left-hand side of the name satisfies the name constraint. For example, example.com, www.example.com, www.sub.example.com would satisfy example.com while example1.com does not.
ExcludedEmailAddresses []string: Contains the excluded email addresses. The value can be a particular email address, a hostname to indicate all email addresses on that host or a domain with a leading period (e.g. .example.com) to indicate all email addresses in that domain.
ExcludedIpRanges []string: Contains the excluded IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.
ExcludedUris []string: Contains the excluded URIs that apply to the host part of the name. The value can be a hostname or a domain with a leading period (like .example.com)
PermittedDnsNames []string: Contains permitted DNS names. Any DNS name that can be constructed by simply adding zero or more labels to the left-hand side of the name satisfies the name constraint. For example, example.com, www.example.com, www.sub.example.com would satisfy example.com while example1.com does not.
PermittedEmailAddresses []string: Contains the permitted email addresses. The value can be a particular email address, a hostname to indicate all email addresses on that host or a domain with a leading period (e.g. .example.com) to indicate all email addresses in that domain.
PermittedIpRanges []string: Contains the permitted IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.
PermittedUris []string: Contains the permitted URIs that apply to the host part of the name. The value can be a hostname or a domain with a leading period (like .example.com)

critical Boolean: Indicates whether or not the name constraints are marked critical.
excludedDnsNames List<String>: Contains excluded DNS names. Any DNS name that can be constructed by simply adding zero or more labels to the left-hand side of the name satisfies the name constraint. For example, example.com, www.example.com, www.sub.example.com would satisfy example.com while example1.com does not.
excludedEmailAddresses List<String>: Contains the excluded email addresses. The value can be a particular email address, a hostname to indicate all email addresses on that host or a domain with a leading period (e.g. .example.com) to indicate all email addresses in that domain.
excludedIpRanges List<String>: Contains the excluded IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.
excludedUris List<String>: Contains the excluded URIs that apply to the host part of the name. The value can be a hostname or a domain with a leading period (like .example.com)
permittedDnsNames List<String>: Contains permitted DNS names. Any DNS name that can be constructed by simply adding zero or more labels to the left-hand side of the name satisfies the name constraint. For example, example.com, www.example.com, www.sub.example.com would satisfy example.com while example1.com does not.
permittedEmailAddresses List<String>: Contains the permitted email addresses. The value can be a particular email address, a hostname to indicate all email addresses on that host or a domain with a leading period (e.g. .example.com) to indicate all email addresses in that domain.
permittedIpRanges List<String>: Contains the permitted IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.
permittedUris List<String>: Contains the permitted URIs that apply to the host part of the name. The value can be a hostname or a domain with a leading period (like .example.com)

critical boolean: Indicates whether or not the name constraints are marked critical.
excludedDnsNames string[]: Contains excluded DNS names. Any DNS name that can be constructed by simply adding zero or more labels to the left-hand side of the name satisfies the name constraint. For example, example.com, www.example.com, www.sub.example.com would satisfy example.com while example1.com does not.
excludedEmailAddresses string[]: Contains the excluded email addresses. The value can be a particular email address, a hostname to indicate all email addresses on that host or a domain with a leading period (e.g. .example.com) to indicate all email addresses in that domain.
excludedIpRanges string[]: Contains the excluded IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.
excludedUris string[]: Contains the excluded URIs that apply to the host part of the name. The value can be a hostname or a domain with a leading period (like .example.com)
permittedDnsNames string[]: Contains permitted DNS names. Any DNS name that can be constructed by simply adding zero or more labels to the left-hand side of the name satisfies the name constraint. For example, example.com, www.example.com, www.sub.example.com would satisfy example.com while example1.com does not.
permittedEmailAddresses string[]: Contains the permitted email addresses. The value can be a particular email address, a hostname to indicate all email addresses on that host or a domain with a leading period (e.g. .example.com) to indicate all email addresses in that domain.
permittedIpRanges string[]: Contains the permitted IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.
permittedUris string[]: Contains the permitted URIs that apply to the host part of the name. The value can be a hostname or a domain with a leading period (like .example.com)

critical bool: Indicates whether or not the name constraints are marked critical.
excluded_dns_names Sequence[str]: Contains excluded DNS names. Any DNS name that can be constructed by simply adding zero or more labels to the left-hand side of the name satisfies the name constraint. For example, example.com, www.example.com, www.sub.example.com would satisfy example.com while example1.com does not.
excluded_email_addresses Sequence[str]: Contains the excluded email addresses. The value can be a particular email address, a hostname to indicate all email addresses on that host or a domain with a leading period (e.g. .example.com) to indicate all email addresses in that domain.
excluded_ip_ranges Sequence[str]: Contains the excluded IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.
excluded_uris Sequence[str]: Contains the excluded URIs that apply to the host part of the name. The value can be a hostname or a domain with a leading period (like .example.com)
permitted_dns_names Sequence[str]: Contains permitted DNS names. Any DNS name that can be constructed by simply adding zero or more labels to the left-hand side of the name satisfies the name constraint. For example, example.com, www.example.com, www.sub.example.com would satisfy example.com while example1.com does not.
permitted_email_addresses Sequence[str]: Contains the permitted email addresses. The value can be a particular email address, a hostname to indicate all email addresses on that host or a domain with a leading period (e.g. .example.com) to indicate all email addresses in that domain.
permitted_ip_ranges Sequence[str]: Contains the permitted IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.
permitted_uris Sequence[str]: Contains the permitted URIs that apply to the host part of the name. The value can be a hostname or a domain with a leading period (like .example.com)

critical Boolean: Indicates whether or not the name constraints are marked critical.
excludedDnsNames List<String>: Contains excluded DNS names. Any DNS name that can be constructed by simply adding zero or more labels to the left-hand side of the name satisfies the name constraint. For example, example.com, www.example.com, www.sub.example.com would satisfy example.com while example1.com does not.
excludedEmailAddresses List<String>: Contains the excluded email addresses. The value can be a particular email address, a hostname to indicate all email addresses on that host or a domain with a leading period (e.g. .example.com) to indicate all email addresses in that domain.
excludedIpRanges List<String>: Contains the excluded IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.
excludedUris List<String>: Contains the excluded URIs that apply to the host part of the name. The value can be a hostname or a domain with a leading period (like .example.com)
permittedDnsNames List<String>: Contains permitted DNS names. Any DNS name that can be constructed by simply adding zero or more labels to the left-hand side of the name satisfies the name constraint. For example, example.com, www.example.com, www.sub.example.com would satisfy example.com while example1.com does not.
permittedEmailAddresses List<String>: Contains the permitted email addresses. The value can be a particular email address, a hostname to indicate all email addresses on that host or a domain with a leading period (e.g. .example.com) to indicate all email addresses in that domain.
permittedIpRanges List<String>: Contains the permitted IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.
permittedUris List<String>: Contains the permitted URIs that apply to the host part of the name. The value can be a hostname or a domain with a leading period (like .example.com)

ObjectId, ObjectIdArgs

ObjectIdPath List<int>: The parts of an OID path. The most significant parts of the path come first.

ObjectIdPath []int: The parts of an OID path. The most significant parts of the path come first.

objectIdPath List<Integer>: The parts of an OID path. The most significant parts of the path come first.

objectIdPath number[]: The parts of an OID path. The most significant parts of the path come first.

object_id_path Sequence[int]: The parts of an OID path. The most significant parts of the path come first.

objectIdPath List<Number>: The parts of an OID path. The most significant parts of the path come first.

ObjectIdResponse, ObjectIdResponseArgs

ObjectIdPath List<int>: The parts of an OID path. The most significant parts of the path come first.

ObjectIdPath []int: The parts of an OID path. The most significant parts of the path come first.

objectIdPath List<Integer>: The parts of an OID path. The most significant parts of the path come first.

objectIdPath number[]: The parts of an OID path. The most significant parts of the path come first.

object_id_path Sequence[int]: The parts of an OID path. The most significant parts of the path come first.

objectIdPath List<Number>: The parts of an OID path. The most significant parts of the path come first.

PublishingOptions, PublishingOptionsArgs

EncodingFormat Pulumi.GoogleNative.Privateca.V1.PublishingOptionsEncodingFormat: Optional. Specifies the encoding format of each CertificateAuthority's CA certificate and CRLs. If this is omitted, CA certificates and CRLs will be published in PEM.
PublishCaCert bool: Optional. When true, publishes each CertificateAuthority's CA certificate and includes its URL in the "Authority Information Access" X.509 extension in all issued Certificates. If this is false, the CA certificate will not be published and the corresponding X.509 extension will not be written in issued certificates.
PublishCrl bool: Optional. When true, publishes each CertificateAuthority's CRL and includes its URL in the "CRL Distribution Points" X.509 extension in all issued Certificates. If this is false, CRLs will not be published and the corresponding X.509 extension will not be written in issued certificates. CRLs will expire 7 days from their creation. However, we will rebuild daily. CRLs are also rebuilt shortly after a certificate is revoked.

EncodingFormat PublishingOptionsEncodingFormat: Optional. Specifies the encoding format of each CertificateAuthority's CA certificate and CRLs. If this is omitted, CA certificates and CRLs will be published in PEM.
PublishCaCert bool: Optional. When true, publishes each CertificateAuthority's CA certificate and includes its URL in the "Authority Information Access" X.509 extension in all issued Certificates. If this is false, the CA certificate will not be published and the corresponding X.509 extension will not be written in issued certificates.
PublishCrl bool: Optional. When true, publishes each CertificateAuthority's CRL and includes its URL in the "CRL Distribution Points" X.509 extension in all issued Certificates. If this is false, CRLs will not be published and the corresponding X.509 extension will not be written in issued certificates. CRLs will expire 7 days from their creation. However, we will rebuild daily. CRLs are also rebuilt shortly after a certificate is revoked.

encodingFormat PublishingOptionsEncodingFormat: Optional. Specifies the encoding format of each CertificateAuthority's CA certificate and CRLs. If this is omitted, CA certificates and CRLs will be published in PEM.
publishCaCert Boolean: Optional. When true, publishes each CertificateAuthority's CA certificate and includes its URL in the "Authority Information Access" X.509 extension in all issued Certificates. If this is false, the CA certificate will not be published and the corresponding X.509 extension will not be written in issued certificates.
publishCrl Boolean: Optional. When true, publishes each CertificateAuthority's CRL and includes its URL in the "CRL Distribution Points" X.509 extension in all issued Certificates. If this is false, CRLs will not be published and the corresponding X.509 extension will not be written in issued certificates. CRLs will expire 7 days from their creation. However, we will rebuild daily. CRLs are also rebuilt shortly after a certificate is revoked.

encodingFormat PublishingOptionsEncodingFormat: Optional. Specifies the encoding format of each CertificateAuthority's CA certificate and CRLs. If this is omitted, CA certificates and CRLs will be published in PEM.
publishCaCert boolean: Optional. When true, publishes each CertificateAuthority's CA certificate and includes its URL in the "Authority Information Access" X.509 extension in all issued Certificates. If this is false, the CA certificate will not be published and the corresponding X.509 extension will not be written in issued certificates.
publishCrl boolean: Optional. When true, publishes each CertificateAuthority's CRL and includes its URL in the "CRL Distribution Points" X.509 extension in all issued Certificates. If this is false, CRLs will not be published and the corresponding X.509 extension will not be written in issued certificates. CRLs will expire 7 days from their creation. However, we will rebuild daily. CRLs are also rebuilt shortly after a certificate is revoked.

encoding_format PublishingOptionsEncodingFormat: Optional. Specifies the encoding format of each CertificateAuthority's CA certificate and CRLs. If this is omitted, CA certificates and CRLs will be published in PEM.
publish_ca_cert bool: Optional. When true, publishes each CertificateAuthority's CA certificate and includes its URL in the "Authority Information Access" X.509 extension in all issued Certificates. If this is false, the CA certificate will not be published and the corresponding X.509 extension will not be written in issued certificates.
publish_crl bool: Optional. When true, publishes each CertificateAuthority's CRL and includes its URL in the "CRL Distribution Points" X.509 extension in all issued Certificates. If this is false, CRLs will not be published and the corresponding X.509 extension will not be written in issued certificates. CRLs will expire 7 days from their creation. However, we will rebuild daily. CRLs are also rebuilt shortly after a certificate is revoked.

encodingFormat "ENCODING_FORMAT_UNSPECIFIED" | "PEM" | "DER": Optional. Specifies the encoding format of each CertificateAuthority's CA certificate and CRLs. If this is omitted, CA certificates and CRLs will be published in PEM.
publishCaCert Boolean: Optional. When true, publishes each CertificateAuthority's CA certificate and includes its URL in the "Authority Information Access" X.509 extension in all issued Certificates. If this is false, the CA certificate will not be published and the corresponding X.509 extension will not be written in issued certificates.
publishCrl Boolean: Optional. When true, publishes each CertificateAuthority's CRL and includes its URL in the "CRL Distribution Points" X.509 extension in all issued Certificates. If this is false, CRLs will not be published and the corresponding X.509 extension will not be written in issued certificates. CRLs will expire 7 days from their creation. However, we will rebuild daily. CRLs are also rebuilt shortly after a certificate is revoked.

PublishingOptionsEncodingFormat, PublishingOptionsEncodingFormatArgs

EncodingFormatUnspecified: ENCODING_FORMAT_UNSPECIFIEDNot specified. By default, PEM format will be used.
Pem: PEMThe CertificateAuthority's CA certificate and CRLs will be published in PEM format.
Der: DERThe CertificateAuthority's CA certificate and CRLs will be published in DER format.

PublishingOptionsEncodingFormatEncodingFormatUnspecified: ENCODING_FORMAT_UNSPECIFIEDNot specified. By default, PEM format will be used.
PublishingOptionsEncodingFormatPem: PEMThe CertificateAuthority's CA certificate and CRLs will be published in PEM format.
PublishingOptionsEncodingFormatDer: DERThe CertificateAuthority's CA certificate and CRLs will be published in DER format.

EncodingFormatUnspecified: ENCODING_FORMAT_UNSPECIFIEDNot specified. By default, PEM format will be used.
Pem: PEMThe CertificateAuthority's CA certificate and CRLs will be published in PEM format.
Der: DERThe CertificateAuthority's CA certificate and CRLs will be published in DER format.

EncodingFormatUnspecified: ENCODING_FORMAT_UNSPECIFIEDNot specified. By default, PEM format will be used.
Pem: PEMThe CertificateAuthority's CA certificate and CRLs will be published in PEM format.
Der: DERThe CertificateAuthority's CA certificate and CRLs will be published in DER format.

ENCODING_FORMAT_UNSPECIFIED: ENCODING_FORMAT_UNSPECIFIEDNot specified. By default, PEM format will be used.
PEM: PEMThe CertificateAuthority's CA certificate and CRLs will be published in PEM format.
DER: DERThe CertificateAuthority's CA certificate and CRLs will be published in DER format.

"ENCODING_FORMAT_UNSPECIFIED": ENCODING_FORMAT_UNSPECIFIEDNot specified. By default, PEM format will be used.
"PEM": PEMThe CertificateAuthority's CA certificate and CRLs will be published in PEM format.
"DER": DERThe CertificateAuthority's CA certificate and CRLs will be published in DER format.

PublishingOptionsResponse, PublishingOptionsResponseArgs

EncodingFormat string: Optional. Specifies the encoding format of each CertificateAuthority's CA certificate and CRLs. If this is omitted, CA certificates and CRLs will be published in PEM.
PublishCaCert bool: Optional. When true, publishes each CertificateAuthority's CA certificate and includes its URL in the "Authority Information Access" X.509 extension in all issued Certificates. If this is false, the CA certificate will not be published and the corresponding X.509 extension will not be written in issued certificates.
PublishCrl bool: Optional. When true, publishes each CertificateAuthority's CRL and includes its URL in the "CRL Distribution Points" X.509 extension in all issued Certificates. If this is false, CRLs will not be published and the corresponding X.509 extension will not be written in issued certificates. CRLs will expire 7 days from their creation. However, we will rebuild daily. CRLs are also rebuilt shortly after a certificate is revoked.

EncodingFormat string: Optional. Specifies the encoding format of each CertificateAuthority's CA certificate and CRLs. If this is omitted, CA certificates and CRLs will be published in PEM.
PublishCaCert bool: Optional. When true, publishes each CertificateAuthority's CA certificate and includes its URL in the "Authority Information Access" X.509 extension in all issued Certificates. If this is false, the CA certificate will not be published and the corresponding X.509 extension will not be written in issued certificates.
PublishCrl bool: Optional. When true, publishes each CertificateAuthority's CRL and includes its URL in the "CRL Distribution Points" X.509 extension in all issued Certificates. If this is false, CRLs will not be published and the corresponding X.509 extension will not be written in issued certificates. CRLs will expire 7 days from their creation. However, we will rebuild daily. CRLs are also rebuilt shortly after a certificate is revoked.

encodingFormat String: Optional. Specifies the encoding format of each CertificateAuthority's CA certificate and CRLs. If this is omitted, CA certificates and CRLs will be published in PEM.
publishCaCert Boolean: Optional. When true, publishes each CertificateAuthority's CA certificate and includes its URL in the "Authority Information Access" X.509 extension in all issued Certificates. If this is false, the CA certificate will not be published and the corresponding X.509 extension will not be written in issued certificates.
publishCrl Boolean: Optional. When true, publishes each CertificateAuthority's CRL and includes its URL in the "CRL Distribution Points" X.509 extension in all issued Certificates. If this is false, CRLs will not be published and the corresponding X.509 extension will not be written in issued certificates. CRLs will expire 7 days from their creation. However, we will rebuild daily. CRLs are also rebuilt shortly after a certificate is revoked.

encodingFormat string: Optional. Specifies the encoding format of each CertificateAuthority's CA certificate and CRLs. If this is omitted, CA certificates and CRLs will be published in PEM.
publishCaCert boolean: Optional. When true, publishes each CertificateAuthority's CA certificate and includes its URL in the "Authority Information Access" X.509 extension in all issued Certificates. If this is false, the CA certificate will not be published and the corresponding X.509 extension will not be written in issued certificates.
publishCrl boolean: Optional. When true, publishes each CertificateAuthority's CRL and includes its URL in the "CRL Distribution Points" X.509 extension in all issued Certificates. If this is false, CRLs will not be published and the corresponding X.509 extension will not be written in issued certificates. CRLs will expire 7 days from their creation. However, we will rebuild daily. CRLs are also rebuilt shortly after a certificate is revoked.

encoding_format str: Optional. Specifies the encoding format of each CertificateAuthority's CA certificate and CRLs. If this is omitted, CA certificates and CRLs will be published in PEM.
publish_ca_cert bool: Optional. When true, publishes each CertificateAuthority's CA certificate and includes its URL in the "Authority Information Access" X.509 extension in all issued Certificates. If this is false, the CA certificate will not be published and the corresponding X.509 extension will not be written in issued certificates.
publish_crl bool: Optional. When true, publishes each CertificateAuthority's CRL and includes its URL in the "CRL Distribution Points" X.509 extension in all issued Certificates. If this is false, CRLs will not be published and the corresponding X.509 extension will not be written in issued certificates. CRLs will expire 7 days from their creation. However, we will rebuild daily. CRLs are also rebuilt shortly after a certificate is revoked.

encodingFormat String: Optional. Specifies the encoding format of each CertificateAuthority's CA certificate and CRLs. If this is omitted, CA certificates and CRLs will be published in PEM.
publishCaCert Boolean: Optional. When true, publishes each CertificateAuthority's CA certificate and includes its URL in the "Authority Information Access" X.509 extension in all issued Certificates. If this is false, the CA certificate will not be published and the corresponding X.509 extension will not be written in issued certificates.
publishCrl Boolean: Optional. When true, publishes each CertificateAuthority's CRL and includes its URL in the "CRL Distribution Points" X.509 extension in all issued Certificates. If this is false, CRLs will not be published and the corresponding X.509 extension will not be written in issued certificates. CRLs will expire 7 days from their creation. However, we will rebuild daily. CRLs are also rebuilt shortly after a certificate is revoked.

RsaKeyType, RsaKeyTypeArgs

MaxModulusSize string: Optional. The maximum allowed RSA modulus size (inclusive), in bits. If this is not set, or if set to zero, the service will not enforce an explicit upper bound on RSA modulus sizes.
MinModulusSize string: Optional. The minimum allowed RSA modulus size (inclusive), in bits. If this is not set, or if set to zero, the service-level min RSA modulus size will continue to apply.

MaxModulusSize string: Optional. The maximum allowed RSA modulus size (inclusive), in bits. If this is not set, or if set to zero, the service will not enforce an explicit upper bound on RSA modulus sizes.
MinModulusSize string: Optional. The minimum allowed RSA modulus size (inclusive), in bits. If this is not set, or if set to zero, the service-level min RSA modulus size will continue to apply.

maxModulusSize String: Optional. The maximum allowed RSA modulus size (inclusive), in bits. If this is not set, or if set to zero, the service will not enforce an explicit upper bound on RSA modulus sizes.
minModulusSize String: Optional. The minimum allowed RSA modulus size (inclusive), in bits. If this is not set, or if set to zero, the service-level min RSA modulus size will continue to apply.

maxModulusSize string: Optional. The maximum allowed RSA modulus size (inclusive), in bits. If this is not set, or if set to zero, the service will not enforce an explicit upper bound on RSA modulus sizes.
minModulusSize string: Optional. The minimum allowed RSA modulus size (inclusive), in bits. If this is not set, or if set to zero, the service-level min RSA modulus size will continue to apply.

max_modulus_size str: Optional. The maximum allowed RSA modulus size (inclusive), in bits. If this is not set, or if set to zero, the service will not enforce an explicit upper bound on RSA modulus sizes.
min_modulus_size str: Optional. The minimum allowed RSA modulus size (inclusive), in bits. If this is not set, or if set to zero, the service-level min RSA modulus size will continue to apply.

maxModulusSize String: Optional. The maximum allowed RSA modulus size (inclusive), in bits. If this is not set, or if set to zero, the service will not enforce an explicit upper bound on RSA modulus sizes.
minModulusSize String: Optional. The minimum allowed RSA modulus size (inclusive), in bits. If this is not set, or if set to zero, the service-level min RSA modulus size will continue to apply.

RsaKeyTypeResponse, RsaKeyTypeResponseArgs

MaxModulusSize string: Optional. The maximum allowed RSA modulus size (inclusive), in bits. If this is not set, or if set to zero, the service will not enforce an explicit upper bound on RSA modulus sizes.
MinModulusSize string: Optional. The minimum allowed RSA modulus size (inclusive), in bits. If this is not set, or if set to zero, the service-level min RSA modulus size will continue to apply.

MaxModulusSize string: Optional. The maximum allowed RSA modulus size (inclusive), in bits. If this is not set, or if set to zero, the service will not enforce an explicit upper bound on RSA modulus sizes.
MinModulusSize string: Optional. The minimum allowed RSA modulus size (inclusive), in bits. If this is not set, or if set to zero, the service-level min RSA modulus size will continue to apply.

maxModulusSize String: Optional. The maximum allowed RSA modulus size (inclusive), in bits. If this is not set, or if set to zero, the service will not enforce an explicit upper bound on RSA modulus sizes.
minModulusSize String: Optional. The minimum allowed RSA modulus size (inclusive), in bits. If this is not set, or if set to zero, the service-level min RSA modulus size will continue to apply.

maxModulusSize string: Optional. The maximum allowed RSA modulus size (inclusive), in bits. If this is not set, or if set to zero, the service will not enforce an explicit upper bound on RSA modulus sizes.
minModulusSize string: Optional. The minimum allowed RSA modulus size (inclusive), in bits. If this is not set, or if set to zero, the service-level min RSA modulus size will continue to apply.

max_modulus_size str: Optional. The maximum allowed RSA modulus size (inclusive), in bits. If this is not set, or if set to zero, the service will not enforce an explicit upper bound on RSA modulus sizes.
min_modulus_size str: Optional. The minimum allowed RSA modulus size (inclusive), in bits. If this is not set, or if set to zero, the service-level min RSA modulus size will continue to apply.

maxModulusSize String: Optional. The maximum allowed RSA modulus size (inclusive), in bits. If this is not set, or if set to zero, the service will not enforce an explicit upper bound on RSA modulus sizes.
minModulusSize String: Optional. The minimum allowed RSA modulus size (inclusive), in bits. If this is not set, or if set to zero, the service-level min RSA modulus size will continue to apply.

X509Extension, X509ExtensionArgs

ObjectId Pulumi.GoogleNative.Privateca.V1.Inputs.ObjectId: The OID for this X.509 extension.
Value string: The value of this X.509 extension.
Critical bool: Optional. Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error).

ObjectId ObjectId: The OID for this X.509 extension.
Value string: The value of this X.509 extension.
Critical bool: Optional. Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error).

objectId ObjectId: The OID for this X.509 extension.
value String: The value of this X.509 extension.
critical Boolean: Optional. Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error).

objectId ObjectId: The OID for this X.509 extension.
value string: The value of this X.509 extension.
critical boolean: Optional. Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error).

object_id ObjectId: The OID for this X.509 extension.
value str: The value of this X.509 extension.
critical bool: Optional. Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error).

objectId Property Map: The OID for this X.509 extension.
value String: The value of this X.509 extension.
critical Boolean: Optional. Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error).

X509ExtensionResponse, X509ExtensionResponseArgs

Critical bool: Optional. Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error).
ObjectId Pulumi.GoogleNative.Privateca.V1.Inputs.ObjectIdResponse: The OID for this X.509 extension.
Value string: The value of this X.509 extension.

Critical bool: Optional. Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error).
ObjectId ObjectIdResponse: The OID for this X.509 extension.
Value string: The value of this X.509 extension.

critical Boolean: Optional. Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error).
objectId ObjectIdResponse: The OID for this X.509 extension.
value String: The value of this X.509 extension.

critical boolean: Optional. Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error).
objectId ObjectIdResponse: The OID for this X.509 extension.
value string: The value of this X.509 extension.

critical bool: Optional. Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error).
object_id ObjectIdResponse: The OID for this X.509 extension.
value str: The value of this X.509 extension.

critical Boolean: Optional. Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error).
objectId Property Map: The OID for this X.509 extension.
value String: The value of this X.509 extension.

X509Parameters, X509ParametersArgs

AdditionalExtensions List<Pulumi.GoogleNative.Privateca.V1.Inputs.X509Extension>: Optional. Describes custom X.509 extensions.
AiaOcspServers List<string>: Optional. Describes Online Certificate Status Protocol (OCSP) endpoint addresses that appear in the "Authority Information Access" extension in the certificate.
CaOptions Pulumi.GoogleNative.Privateca.V1.Inputs.CaOptions: Optional. Describes options in this X509Parameters that are relevant in a CA certificate.
KeyUsage Pulumi.GoogleNative.Privateca.V1.Inputs.KeyUsage: Optional. Indicates the intended use for keys that correspond to a certificate.
NameConstraints Pulumi.GoogleNative.Privateca.V1.Inputs.NameConstraints: Optional. Describes the X.509 name constraints extension.
PolicyIds List<Pulumi.GoogleNative.Privateca.V1.Inputs.ObjectId>: Optional. Describes the X.509 certificate policy object identifiers, per https://tools.ietf.org/html/rfc5280#section-4.2.1.4.

AdditionalExtensions []X509Extension: Optional. Describes custom X.509 extensions.
AiaOcspServers []string: Optional. Describes Online Certificate Status Protocol (OCSP) endpoint addresses that appear in the "Authority Information Access" extension in the certificate.
CaOptions CaOptions: Optional. Describes options in this X509Parameters that are relevant in a CA certificate.
KeyUsage KeyUsage: Optional. Indicates the intended use for keys that correspond to a certificate.
NameConstraints NameConstraints: Optional. Describes the X.509 name constraints extension.
PolicyIds []ObjectId: Optional. Describes the X.509 certificate policy object identifiers, per https://tools.ietf.org/html/rfc5280#section-4.2.1.4.

additionalExtensions List<X509Extension>: Optional. Describes custom X.509 extensions.
aiaOcspServers List<String>: Optional. Describes Online Certificate Status Protocol (OCSP) endpoint addresses that appear in the "Authority Information Access" extension in the certificate.
caOptions CaOptions: Optional. Describes options in this X509Parameters that are relevant in a CA certificate.
keyUsage KeyUsage: Optional. Indicates the intended use for keys that correspond to a certificate.
nameConstraints NameConstraints: Optional. Describes the X.509 name constraints extension.
policyIds List<ObjectId>: Optional. Describes the X.509 certificate policy object identifiers, per https://tools.ietf.org/html/rfc5280#section-4.2.1.4.

additionalExtensions X509Extension[]: Optional. Describes custom X.509 extensions.
aiaOcspServers string[]: Optional. Describes Online Certificate Status Protocol (OCSP) endpoint addresses that appear in the "Authority Information Access" extension in the certificate.
caOptions CaOptions: Optional. Describes options in this X509Parameters that are relevant in a CA certificate.
keyUsage KeyUsage: Optional. Indicates the intended use for keys that correspond to a certificate.
nameConstraints NameConstraints: Optional. Describes the X.509 name constraints extension.
policyIds ObjectId[]: Optional. Describes the X.509 certificate policy object identifiers, per https://tools.ietf.org/html/rfc5280#section-4.2.1.4.

additional_extensions Sequence[X509Extension]: Optional. Describes custom X.509 extensions.
aia_ocsp_servers Sequence[str]: Optional. Describes Online Certificate Status Protocol (OCSP) endpoint addresses that appear in the "Authority Information Access" extension in the certificate.
ca_options CaOptions: Optional. Describes options in this X509Parameters that are relevant in a CA certificate.
key_usage KeyUsage: Optional. Indicates the intended use for keys that correspond to a certificate.
name_constraints NameConstraints: Optional. Describes the X.509 name constraints extension.
policy_ids Sequence[ObjectId]: Optional. Describes the X.509 certificate policy object identifiers, per https://tools.ietf.org/html/rfc5280#section-4.2.1.4.

additionalExtensions List<Property Map>: Optional. Describes custom X.509 extensions.
aiaOcspServers List<String>: Optional. Describes Online Certificate Status Protocol (OCSP) endpoint addresses that appear in the "Authority Information Access" extension in the certificate.
caOptions Property Map: Optional. Describes options in this X509Parameters that are relevant in a CA certificate.
keyUsage Property Map: Optional. Indicates the intended use for keys that correspond to a certificate.
nameConstraints Property Map: Optional. Describes the X.509 name constraints extension.
policyIds List<Property Map>: Optional. Describes the X.509 certificate policy object identifiers, per https://tools.ietf.org/html/rfc5280#section-4.2.1.4.

X509ParametersResponse, X509ParametersResponseArgs

AdditionalExtensions List<Pulumi.GoogleNative.Privateca.V1.Inputs.X509ExtensionResponse>: Optional. Describes custom X.509 extensions.
AiaOcspServers List<string>: Optional. Describes Online Certificate Status Protocol (OCSP) endpoint addresses that appear in the "Authority Information Access" extension in the certificate.
CaOptions Pulumi.GoogleNative.Privateca.V1.Inputs.CaOptionsResponse: Optional. Describes options in this X509Parameters that are relevant in a CA certificate.
KeyUsage Pulumi.GoogleNative.Privateca.V1.Inputs.KeyUsageResponse: Optional. Indicates the intended use for keys that correspond to a certificate.
NameConstraints Pulumi.GoogleNative.Privateca.V1.Inputs.NameConstraintsResponse: Optional. Describes the X.509 name constraints extension.
PolicyIds List<Pulumi.GoogleNative.Privateca.V1.Inputs.ObjectIdResponse>: Optional. Describes the X.509 certificate policy object identifiers, per https://tools.ietf.org/html/rfc5280#section-4.2.1.4.

AdditionalExtensions []X509ExtensionResponse: Optional. Describes custom X.509 extensions.
AiaOcspServers []string: Optional. Describes Online Certificate Status Protocol (OCSP) endpoint addresses that appear in the "Authority Information Access" extension in the certificate.
CaOptions CaOptionsResponse: Optional. Describes options in this X509Parameters that are relevant in a CA certificate.
KeyUsage KeyUsageResponse: Optional. Indicates the intended use for keys that correspond to a certificate.
NameConstraints NameConstraintsResponse: Optional. Describes the X.509 name constraints extension.
PolicyIds []ObjectIdResponse: Optional. Describes the X.509 certificate policy object identifiers, per https://tools.ietf.org/html/rfc5280#section-4.2.1.4.

additionalExtensions List<X509ExtensionResponse>: Optional. Describes custom X.509 extensions.
aiaOcspServers List<String>: Optional. Describes Online Certificate Status Protocol (OCSP) endpoint addresses that appear in the "Authority Information Access" extension in the certificate.
caOptions CaOptionsResponse: Optional. Describes options in this X509Parameters that are relevant in a CA certificate.
keyUsage KeyUsageResponse: Optional. Indicates the intended use for keys that correspond to a certificate.
nameConstraints NameConstraintsResponse: Optional. Describes the X.509 name constraints extension.
policyIds List<ObjectIdResponse>: Optional. Describes the X.509 certificate policy object identifiers, per https://tools.ietf.org/html/rfc5280#section-4.2.1.4.

additionalExtensions X509ExtensionResponse[]: Optional. Describes custom X.509 extensions.
aiaOcspServers string[]: Optional. Describes Online Certificate Status Protocol (OCSP) endpoint addresses that appear in the "Authority Information Access" extension in the certificate.
caOptions CaOptionsResponse: Optional. Describes options in this X509Parameters that are relevant in a CA certificate.
keyUsage KeyUsageResponse: Optional. Indicates the intended use for keys that correspond to a certificate.
nameConstraints NameConstraintsResponse: Optional. Describes the X.509 name constraints extension.
policyIds ObjectIdResponse[]: Optional. Describes the X.509 certificate policy object identifiers, per https://tools.ietf.org/html/rfc5280#section-4.2.1.4.

additional_extensions Sequence[X509ExtensionResponse]: Optional. Describes custom X.509 extensions.
aia_ocsp_servers Sequence[str]: Optional. Describes Online Certificate Status Protocol (OCSP) endpoint addresses that appear in the "Authority Information Access" extension in the certificate.
ca_options CaOptionsResponse: Optional. Describes options in this X509Parameters that are relevant in a CA certificate.
key_usage KeyUsageResponse: Optional. Indicates the intended use for keys that correspond to a certificate.
name_constraints NameConstraintsResponse: Optional. Describes the X.509 name constraints extension.
policy_ids Sequence[ObjectIdResponse]: Optional. Describes the X.509 certificate policy object identifiers, per https://tools.ietf.org/html/rfc5280#section-4.2.1.4.

additionalExtensions List<Property Map>: Optional. Describes custom X.509 extensions.
aiaOcspServers List<String>: Optional. Describes Online Certificate Status Protocol (OCSP) endpoint addresses that appear in the "Authority Information Access" extension in the certificate.
caOptions Property Map: Optional. Describes options in this X509Parameters that are relevant in a CA certificate.
keyUsage Property Map: Optional. Indicates the intended use for keys that correspond to a certificate.
nameConstraints Property Map: Optional. Describes the X.509 name constraints extension.
policyIds List<Property Map>: Optional. Describes the X.509 certificate policy object identifiers, per https://tools.ietf.org/html/rfc5280#section-4.2.1.4.

Package Details

Repository: Google Cloud Native pulumi/pulumi-google-native
License: Apache-2.0

Google Cloud Native is in preview. Google Cloud Classic is fully supported.

Google Cloud Native v0.32.0 published on Wednesday, Nov 29, 2023 by Pulumi

pulumi/pulumi-google-native

google-native.privateca/v1.CaPool

On this page

On this page

Create CaPool Resource

Constructor syntax

Parameters

Example

CaPool Resource Properties

Inputs

Outputs

Supporting Types

AllowedKeyType, AllowedKeyTypeArgs

AllowedKeyTypeResponse, AllowedKeyTypeResponseArgs

CaOptions, CaOptionsArgs

CaOptionsResponse, CaOptionsResponseArgs

CaPoolTier, CaPoolTierArgs

CertificateExtensionConstraints, CertificateExtensionConstraintsArgs

CertificateExtensionConstraintsKnownExtensionsItem, CertificateExtensionConstraintsKnownExtensionsItemArgs

CertificateExtensionConstraintsResponse, CertificateExtensionConstraintsResponseArgs

CertificateIdentityConstraints, CertificateIdentityConstraintsArgs

CertificateIdentityConstraintsResponse, CertificateIdentityConstraintsResponseArgs

EcKeyType, EcKeyTypeArgs

EcKeyTypeResponse, EcKeyTypeResponseArgs

EcKeyTypeSignatureAlgorithm, EcKeyTypeSignatureAlgorithmArgs

Expr, ExprArgs

ExprResponse, ExprResponseArgs

ExtendedKeyUsageOptions, ExtendedKeyUsageOptionsArgs

ExtendedKeyUsageOptionsResponse, ExtendedKeyUsageOptionsResponseArgs

IssuanceModes, IssuanceModesArgs

IssuanceModesResponse, IssuanceModesResponseArgs

IssuancePolicy, IssuancePolicyArgs

IssuancePolicyResponse, IssuancePolicyResponseArgs

KeyUsage, KeyUsageArgs

KeyUsageOptions, KeyUsageOptionsArgs

KeyUsageOptionsResponse, KeyUsageOptionsResponseArgs

KeyUsageResponse, KeyUsageResponseArgs

NameConstraints, NameConstraintsArgs

NameConstraintsResponse, NameConstraintsResponseArgs

ObjectId, ObjectIdArgs

ObjectIdResponse, ObjectIdResponseArgs

PublishingOptions, PublishingOptionsArgs

PublishingOptionsEncodingFormat, PublishingOptionsEncodingFormatArgs

PublishingOptionsResponse, PublishingOptionsResponseArgs

RsaKeyType, RsaKeyTypeArgs

RsaKeyTypeResponse, RsaKeyTypeResponseArgs

X509Extension, X509ExtensionArgs

X509ExtensionResponse, X509ExtensionResponseArgs

X509Parameters, X509ParametersArgs

X509ParametersResponse, X509ParametersResponseArgs

Package Details

On this page

On this page