certificate_authorities
Creates, updates, deletes, gets or lists a certificate_authorities
resource.
Overview
Name | certificate_authorities |
Type | Resource |
Id | google.privateca.certificate_authorities |
Fields
The following fields are returned by SELECT
queries:
- fetch
- get
- list
Successful response (fetch)
Name | Datatype | Description |
---|---|---|
pemCsr | string | Output only. The PEM-encoded signed certificate signing request (CSR). |
Successful response (get)
Name | Datatype | Description |
---|---|---|
name | string | Identifier. The resource name for this CertificateAuthority in the format projects/*/locations/*/caPools/*/certificateAuthorities/* . |
accessUrls | object | Output only. URLs for accessing content published by this CA, such as the CA certificate and CRLs. (id: AccessUrls) |
caCertificateDescriptions | array | Output only. A structured description of this CertificateAuthority's CA certificate and its issuers. Ordered as self-to-root. |
config | object | Required. Immutable. The config used to create a self-signed X.509 certificate or CSR. (id: CertificateConfig) |
createTime | string (google-datetime) | Output only. The time at which this CertificateAuthority was created. |
deleteTime | string (google-datetime) | Output only. The time at which this CertificateAuthority was soft deleted, if it is in the DELETED state. |
expireTime | string (google-datetime) | Output only. The time at which this CertificateAuthority will be permanently purged, if it is in the DELETED state. |
gcsBucket | string | Immutable. The name of a Cloud Storage bucket where this CertificateAuthority will publish content, such as the CA certificate and CRLs. This must be a bucket name, without any prefixes (such as gs:// ) or suffixes (such as .googleapis.com ). For example, to use a bucket named my-bucket , you would simply specify my-bucket . If not specified, a managed bucket will be created. |
keySpec | object | Required. Immutable. Used when issuing certificates for this CertificateAuthority. If this CertificateAuthority is a self-signed CertificateAuthority, this key is also used to sign the self-signed CA certificate. Otherwise, it is used to sign a CSR. (id: KeyVersionSpec) |
labels | object | Optional. Labels with user-defined metadata. |
lifetime | string (google-duration) | Required. Immutable. The desired lifetime of the CA certificate. Used to create the "not_before_time" and "not_after_time" fields inside an X.509 certificate. |
pemCaCertificates | array | Output only. This CertificateAuthority's certificate chain, including the current CertificateAuthority's certificate. Ordered such that the root issuer is the final element (consistent with RFC 5246). For a self-signed CA, this will only list the current CertificateAuthority's certificate. |
satisfiesPzi | boolean | Output only. Reserved for future use. |
satisfiesPzs | boolean | Output only. Reserved for future use. |
state | string | Output only. The State for this CertificateAuthority. |
subordinateConfig | object | Optional. If this is a subordinate CertificateAuthority, this field will be set with the subordinate configuration, which describes its issuers. This may be updated, but this CertificateAuthority must continue to validate. (id: SubordinateConfig) |
tier | string | Output only. The CaPool.Tier of the CaPool that includes this CertificateAuthority. |
type | string | Required. Immutable. The Type of this CertificateAuthority. |
updateTime | string (google-datetime) | Output only. The time at which this CertificateAuthority was last updated. |
userDefinedAccessUrls | object | Optional. User-defined URLs for CA certificate and CRLs. The service does not publish content to these URLs. It is up to the user to mirror content to these URLs. (id: UserDefinedAccessUrls) |
Successful response (list): each element carries the same fields as the get response above.
Methods
The following methods are available for this resource:
Name | Accessible by | Required Params | Optional Params | Description |
---|---|---|---|---|
fetch | select | projectsId , locationsId , caPoolsId , certificateAuthoritiesId | | Fetch a certificate signing request (CSR) from a CertificateAuthority that is in state AWAITING_USER_ACTIVATION and is of type SUBORDINATE. The CSR must then be signed by the desired parent Certificate Authority, which could be another CertificateAuthority resource, or could be an on-prem certificate authority. See also ActivateCertificateAuthority. |
get | select | projectsId , locationsId , caPoolsId , certificateAuthoritiesId | | Returns a CertificateAuthority. |
list | select | projectsId , locationsId , caPoolsId | pageSize , pageToken , filter , orderBy | Lists CertificateAuthorities. |
create | insert | projectsId , locationsId , caPoolsId | certificateAuthorityId , requestId | Create a new CertificateAuthority in a given Project and Location. |
patch | update | projectsId , locationsId , caPoolsId , certificateAuthoritiesId | updateMask , requestId | Update a CertificateAuthority. |
delete | delete | projectsId , locationsId , caPoolsId , certificateAuthoritiesId | requestId , ignoreActiveCertificates , skipGracePeriod , ignoreDependentResources | Delete a CertificateAuthority. |
activate | exec | projectsId , locationsId , caPoolsId , certificateAuthoritiesId | | Activate a CertificateAuthority that is in state AWAITING_USER_ACTIVATION and is of type SUBORDINATE. After the parent Certificate Authority signs a certificate signing request from FetchCertificateAuthorityCsr, this method can complete the activation process. Request body: pemCaCertificate, subordinateConfig, requestId. |
disable | exec | projectsId , locationsId , caPoolsId , certificateAuthoritiesId | | Disable a CertificateAuthority. Request body: requestId, ignoreDependentResources. |
enable | exec | projectsId , locationsId , caPoolsId , certificateAuthoritiesId | | Enable a CertificateAuthority. Request body: requestId. |
undelete | exec | projectsId , locationsId , caPoolsId , certificateAuthoritiesId | | Undelete a CertificateAuthority that has been deleted. Request body: requestId. |
Parameters
Parameters can be passed in the WHERE
clause of a query. Check the Methods section to see which parameters are required or optional for each operation.
Name | Datatype | Description |
---|---|---|
caPoolsId | string | ID of the CaPool that contains the CertificateAuthority (the caPools/* segment of the resource name). |
certificateAuthoritiesId | string | ID of the CertificateAuthority (the final segment of the resource name). |
locationsId | string | Google Cloud location (region) of the CaPool. |
projectsId | string | Google Cloud project ID. |
certificateAuthorityId | string | Required on create. ID to assign to the new CertificateAuthority; it becomes the final segment of the resource name and must be unique within the location. |
filter | string | Optional. Filter expression applied to list results. |
ignoreActiveCertificates | boolean | Optional. Allows the CA to be deleted even if it still has active (unexpired and unrevoked) certificates. |
ignoreDependentResources | boolean | Optional. Allows the CA to be deleted or disabled even if other resources depend on it; those dependents can no longer obtain certificates from the CA. |
orderBy | string | Optional. Field by which list results are sorted. |
pageSize | integer (int32) | Optional. Maximum number of CertificateAuthorities returned per page. |
pageToken | string | Optional. Token from a previous list response, used to fetch the next page. |
requestId | string | Optional. Client-supplied unique ID that lets the server recognise and deduplicate a retried request. |
skipGracePeriod | boolean | Optional. Purges the CA immediately instead of soft-deleting it for the grace period during which undelete is possible; a CA deleted this way cannot be recovered. |
updateMask | string (google-fieldmask) | Comma-separated list of the fields to change on patch; only the listed fields are updated. |
SELECT
examples
- fetch
- get
- list
Fetch a certificate signing request (CSR) from a CertificateAuthority that is in state AWAITING_USER_ACTIVATION and is of type SUBORDINATE. The CSR must then be signed by the desired parent Certificate Authority, which could be another CertificateAuthority resource, or could be an on-prem certificate authority. See also ActivateCertificateAuthority.
SELECT
pemCsr
FROM google.privateca.certificate_authorities
WHERE projectsId = '{{ projectsId }}' -- required
AND locationsId = '{{ locationsId }}' -- required
AND caPoolsId = '{{ caPoolsId }}' -- required
AND certificateAuthoritiesId = '{{ certificateAuthoritiesId }}'; -- required
Returns a CertificateAuthority.
SELECT
name,
accessUrls,
caCertificateDescriptions,
config,
createTime,
deleteTime,
expireTime,
gcsBucket,
keySpec,
labels,
lifetime,
pemCaCertificates,
satisfiesPzi,
satisfiesPzs,
state,
subordinateConfig,
tier,
type,
updateTime,
userDefinedAccessUrls
FROM google.privateca.certificate_authorities
WHERE projectsId = '{{ projectsId }}' -- required
AND locationsId = '{{ locationsId }}' -- required
AND caPoolsId = '{{ caPoolsId }}' -- required
AND certificateAuthoritiesId = '{{ certificateAuthoritiesId }}'; -- required
Lists CertificateAuthorities.
SELECT
name,
accessUrls,
caCertificateDescriptions,
config,
createTime,
deleteTime,
expireTime,
gcsBucket,
keySpec,
labels,
lifetime,
pemCaCertificates,
satisfiesPzi,
satisfiesPzs,
state,
subordinateConfig,
tier,
type,
updateTime,
userDefinedAccessUrls
FROM google.privateca.certificate_authorities
WHERE projectsId = '{{ projectsId }}' -- required
AND locationsId = '{{ locationsId }}' -- required
AND caPoolsId = '{{ caPoolsId }}' -- required
AND pageSize = '{{ pageSize }}'
AND pageToken = '{{ pageToken }}'
AND filter = '{{ filter }}'
AND orderBy = '{{ orderBy }}';
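As an added example that is not part of the generated reference, the list query can double as a PKI inventory check. The project, location and pool IDs are placeholders, and the queries assume StackQL's default SQLite backend, where json_extract is available to pull fields out of the keySpec object and where non-parameter columns such as state can be filtered client-side in the same WHERE clause.

```sql
-- Inventory every CA in a pool with the attributes a reviewer cares about:
-- what it is, whether it is live, how long its certificate lasts, and whether
-- its private key is a Google-managed key (keySpec.algorithm) or a customer
-- Cloud KMS key version (keySpec.cloudKmsKeyVersion).
SELECT
  name,
  type,
  state,
  tier,
  lifetime,
  json_extract(keySpec, '$.algorithm')          AS managed_key_algorithm,
  json_extract(keySpec, '$.cloudKmsKeyVersion') AS kms_key_version,
  deleteTime,
  expireTime
FROM google.privateca.certificate_authorities
WHERE projectsId = 'my-project'
  AND locationsId = 'us-central1'
  AND caPoolsId = 'issuing-pool';

-- Soft-deleted CAs still inside the grace period: they can be restored with
-- undelete until expireTime, after which they are purged for good.
SELECT name, deleteTime, expireTime
FROM google.privateca.certificate_authorities
WHERE projectsId = 'my-project'
  AND locationsId = 'us-central1'
  AND caPoolsId = 'issuing-pool'
  AND state = 'DELETED';

-- CAs whose signing key is not held in Cloud KMS. For a root or long-lived
-- issuing CA this is usually a policy finding, so list them for review.
SELECT
  name,
  state,
  json_extract(keySpec, '$.algorithm') AS managed_key_algorithm
FROM google.privateca.certificate_authorities
WHERE projectsId = 'my-project'
  AND locationsId = 'us-central1'
  AND caPoolsId = 'issuing-pool'
  AND json_extract(keySpec, '$.cloudKmsKeyVersion') IS NULL;
```

projectsId, locationsId and caPoolsId are sent to the API; the remaining predicates are evaluated over the returned rows, so a large pool is still fetched in full (use pageSize and pageToken to page through it).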
INSERT
examples
- create
- Manifest
Create a new CertificateAuthority in a given Project and Location.
INSERT INTO google.privateca.certificate_authorities (
data__name,
data__type,
data__config,
data__lifetime,
data__keySpec,
data__subordinateConfig,
data__gcsBucket,
data__labels,
data__userDefinedAccessUrls,
projectsId,
locationsId,
caPoolsId,
certificateAuthorityId,
requestId
)
SELECT
'{{ name }}',
'{{ type }}',
'{{ config }}',
'{{ lifetime }}',
'{{ keySpec }}',
'{{ subordinateConfig }}',
'{{ gcsBucket }}',
'{{ labels }}',
'{{ userDefinedAccessUrls }}',
'{{ projectsId }}',
'{{ locationsId }}',
'{{ caPoolsId }}',
'{{ certificateAuthorityId }}',
'{{ requestId }}'
RETURNING
name,
done,
error,
metadata,
response
;
# Description fields are for documentation purposes
- name: certificate_authorities
  props:
    - name: projectsId
      value: string
      description: Required parameter for the certificate_authorities resource.
    - name: locationsId
      value: string
      description: Required parameter for the certificate_authorities resource.
    - name: caPoolsId
      value: string
      description: Required parameter for the certificate_authorities resource.
    - name: name
      value: string
      description: >
        Identifier. The resource name for this CertificateAuthority in the format `projects/*/locations/*/caPools/*/certificateAuthorities/*`.
    - name: type
      value: string
      description: >
        Required. Immutable. The Type of this CertificateAuthority.
      valid_values: ['TYPE_UNSPECIFIED', 'SELF_SIGNED', 'SUBORDINATE']
    - name: config
      value: object
      description: >
        Required. Immutable. The config used to create a self-signed X.509 certificate or CSR.
    - name: lifetime
      value: string
      description: >
        Required. Immutable. The desired lifetime of the CA certificate. Used to create the "not_before_time" and "not_after_time" fields inside an X.509 certificate.
    - name: keySpec
      value: object
      description: >
        Required. Immutable. Used when issuing certificates for this CertificateAuthority. If this CertificateAuthority is a self-signed CertificateAuthority, this key is also used to sign the self-signed CA certificate. Otherwise, it is used to sign a CSR.
    - name: subordinateConfig
      value: object
      description: >
        Optional. If this is a subordinate CertificateAuthority, this field will be set with the subordinate configuration, which describes its issuers. This may be updated, but this CertificateAuthority must continue to validate.
    - name: gcsBucket
      value: string
      description: >
        Immutable. The name of a Cloud Storage bucket where this CertificateAuthority will publish content, such as the CA certificate and CRLs. This must be a bucket name, without any prefixes (such as `gs://`) or suffixes (such as `.googleapis.com`). For example, to use a bucket named `my-bucket`, you would simply specify `my-bucket`. If not specified, a managed bucket will be created.
    - name: labels
      value: object
      description: >
        Optional. Labels with user-defined metadata.
    - name: userDefinedAccessUrls
      value: object
      description: >
        Optional. User-defined URLs for CA certificate and CRLs. The service does not publish content to these URLs. It is up to the user to mirror content to these URLs.
    - name: certificateAuthorityId
      value: string
    - name: requestId
      value: string
UPDATE
examples
- patch
Update a CertificateAuthority. Only labels, subordinateConfig and userDefinedAccessUrls can change after creation; type, config, lifetime, keySpec and gcsBucket are immutable, so list in updateMask only the fields you are actually changing and drop the other assignments from SET.
UPDATE google.privateca.certificate_authorities
SET
data__name = '{{ name }}',
data__type = '{{ type }}',
data__config = '{{ config }}',
data__lifetime = '{{ lifetime }}',
data__keySpec = '{{ keySpec }}',
data__subordinateConfig = '{{ subordinateConfig }}',
data__gcsBucket = '{{ gcsBucket }}',
data__labels = '{{ labels }}',
data__userDefinedAccessUrls = '{{ userDefinedAccessUrls }}'
WHERE
projectsId = '{{ projectsId }}' --required
AND locationsId = '{{ locationsId }}' --required
AND caPoolsId = '{{ caPoolsId }}' --required
AND certificateAuthoritiesId = '{{ certificateAuthoritiesId }}' --required
AND updateMask = '{{ updateMask}}'
AND requestId = '{{ requestId}}'
RETURNING
name,
done,
error,
metadata,
response;
DELETE
examples
- delete
Delete a CertificateAuthority. By default this is a soft delete: the CA moves to the DELETED state and can be restored with undelete until expireTime, unless skipGracePeriod is set, in which case it is purged immediately and cannot be recovered. ignoreActiveCertificates and ignoreDependentResources override the checks that otherwise refuse to delete a CA that still has unexpired, unrevoked certificates or dependent resources; leave them unset unless orphaning those certificates is intended.
DELETE FROM google.privateca.certificate_authorities
WHERE projectsId = '{{ projectsId }}' --required
AND locationsId = '{{ locationsId }}' --required
AND caPoolsId = '{{ caPoolsId }}' --required
AND certificateAuthoritiesId = '{{ certificateAuthoritiesId }}' --required
AND requestId = '{{ requestId }}'
AND ignoreActiveCertificates = '{{ ignoreActiveCertificates }}'
AND skipGracePeriod = '{{ skipGracePeriod }}'
AND ignoreDependentResources = '{{ ignoreDependentResources }}';
Lifecycle Methods
- activate
- disable
- enable
- undelete
Activate a CertificateAuthority that is in state AWAITING_USER_ACTIVATION and is of type SUBORDINATE. After the parent Certificate Authority signs a certificate signing request from FetchCertificateAuthorityCsr, this method can complete the activation process.
EXEC google.privateca.certificate_authorities.activate
@projectsId='{{ projectsId }}', --required
@locationsId='{{ locationsId }}', --required
@caPoolsId='{{ caPoolsId }}', --required
@certificateAuthoritiesId='{{ certificateAuthoritiesId }}' --required
@@json=
'{
"pemCaCertificate": "{{ pemCaCertificate }}",
"subordinateConfig": "{{ subordinateConfig }}",
"requestId": "{{ requestId }}"
}';
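The fetch and activate descriptions above outline the subordinate-CA bootstrap; the following added example, which is not from the StackQL or Google documentation, runs it end to end. Resource names, the Cloud KMS key version, the subject and the PEM bodies are placeholders. The nested shapes of config (CertificateConfig), keySpec (KeyVersionSpec) and subordinateConfig (SubordinateConfig) are assumed from the Private CA v1 API schema rather than taken from this page. It also assumes the pool is Enterprise tier, since a customer-managed Cloud KMS key requires that, and that activation leaves the CA in the STAGED state, so a separate enable call is needed before the pool can issue from it.

```sql
-- Step 1: create the subordinate CA. Its private key is a Cloud KMS HSM key
-- version (placeholder resource name) rather than a Google-managed key, so the
-- key never leaves the HSM. isCa with maxIssuerPathLength 0 means this CA can
-- sign leaf certificates but cannot create further subordinate CAs.
INSERT INTO google.privateca.certificate_authorities (
  data__type,
  data__lifetime,
  data__keySpec,
  data__config,
  data__labels,
  projectsId,
  locationsId,
  caPoolsId,
  certificateAuthorityId
)
SELECT
  'SUBORDINATE',
  '157680000s',   -- 5 years, as a google-duration
  '{"cloudKmsKeyVersion": "projects/my-project/locations/us-central1/keyRings/ca-keys/cryptoKeys/issuing-ca/cryptoKeyVersions/1"}',
  '{
     "subjectConfig": {
       "subject": {"commonName": "Example Issuing CA", "organization": "Example Corp"}
     },
     "x509Config": {
       "caOptions": {"isCa": true, "maxIssuerPathLength": 0},
       "keyUsage": {"baseKeyUsage": {"certSign": true, "crlSign": true}}
     }
   }',
  '{"env": "prod", "owner": "pki-team"}',
  'my-project',
  'us-central1',
  'issuing-pool',
  'issuing-ca-1'
RETURNING name, done;

-- Step 2: the new CA sits in AWAITING_USER_ACTIVATION; pull its CSR.
SELECT pemCsr
FROM google.privateca.certificate_authorities
WHERE projectsId = 'my-project'
  AND locationsId = 'us-central1'
  AND caPoolsId = 'issuing-pool'
  AND certificateAuthoritiesId = 'issuing-ca-1';

-- Step 3 happens outside StackQL: the offline root CA signs the CSR. Before
-- trusting the returned certificate, verify it chains to the root, e.g.
--   openssl verify -CAfile root.pem issuing-ca-1.pem

-- Step 4: activate with the signed certificate plus the issuer chain. With a
-- single offline root the chain is just the root certificate; an on-prem
-- intermediate would be listed first, followed by its root.
EXEC google.privateca.certificate_authorities.activate
  @projectsId='my-project',
  @locationsId='us-central1',
  @caPoolsId='issuing-pool',
  @certificateAuthoritiesId='issuing-ca-1'
  @@json='{
    "pemCaCertificate": "-----BEGIN CERTIFICATE-----\n<signed issuing CA certificate>\n-----END CERTIFICATE-----\n",
    "subordinateConfig": {
      "pemIssuerChain": {
        "pemCertificates": [
          "-----BEGIN CERTIFICATE-----\n<root CA certificate>\n-----END CERTIFICATE-----\n"
        ]
      }
    }
  }';

-- Step 5: activation leaves the CA STAGED; enable it so the pool can issue from it.
EXEC google.privateca.certificate_authorities.enable
  @projectsId='my-project',
  @locationsId='us-central1',
  @caPoolsId='issuing-pool',
  @certificateAuthoritiesId='issuing-ca-1'
  @@json='{}';
```

If the parent is another CertificateAuthority in the same project, subordinateConfig can instead carry its resource name in the certificateAuthority field and the service signs the CSR itself; the pemIssuerChain form is what you need when the root is offline or on-prem, which is the case the fetch method exists for.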
Disable a CertificateAuthority.
EXEC google.privateca.certificate_authorities.disable
@projectsId='{{ projectsId }}', --required
@locationsId='{{ locationsId }}', --required
@caPoolsId='{{ caPoolsId }}', --required
@certificateAuthoritiesId='{{ certificateAuthoritiesId }}' --required
@@json=
'{
"requestId": "{{ requestId }}",
"ignoreDependentResources": {{ ignoreDependentResources }}
}';
Enable a CertificateAuthority.
EXEC google.privateca.certificate_authorities.enable
@projectsId='{{ projectsId }}', --required
@locationsId='{{ locationsId }}', --required
@caPoolsId='{{ caPoolsId }}', --required
@certificateAuthoritiesId='{{ certificateAuthoritiesId }}' --required
@@json=
'{
"requestId": "{{ requestId }}"
}';
Undelete a CertificateAuthority that has been deleted.
EXEC google.privateca.certificate_authorities.undelete
@projectsId='{{ projectsId }}', --required
@locationsId='{{ locationsId }}', --required
@caPoolsId='{{ caPoolsId }}', --required
@certificateAuthoritiesId='{{ certificateAuthoritiesId }}' --required
@@json=
'{
"requestId": "{{ requestId }}"
}';