certificates

Creates, updates, deletes, gets or lists a certificates resource.

Overview

Name	`certificates`
Type	Resource
Id	`google.privateca.certificates`

Fields

The following fields are returned by SELECT queries:

get
list

Successful response

Name	Datatype	Description
`name`	`string`	Identifier. The resource name for this Certificate in the format `projects//locations//caPools//certificates/`.
`certificateDescription`	`object`	Output only. A structured description of the issued X.509 certificate. (id: CertificateDescription)
`certificateTemplate`	`string`	Immutable. The resource name for a CertificateTemplate used to issue this certificate, in the format `projects//locations//certificateTemplates/*`. If this is specified, the caller must have the necessary permission to use this template. If this is omitted, no template will be used. This template must be in the same location as the Certificate.
`config`	`object`	Immutable. A description of the certificate and key that does not require X.509 or ASN.1. (id: CertificateConfig)
`createTime`	`string (google-datetime)`	Output only. The time at which this Certificate was created.
`issuerCertificateAuthority`	`string`	Output only. The resource name of the issuing CertificateAuthority in the format `projects//locations//caPools//certificateAuthorities/`.
`labels`	`object`	Optional. Labels with user-defined metadata.
`lifetime`	`string (google-duration)`	Required. Immutable. The desired lifetime of a certificate. Used to create the "not_before_time" and "not_after_time" fields inside an X.509 certificate. Note that the lifetime may be truncated if it would extend past the life of any certificate authority in the issuing chain.
`pemCertificate`	`string`	Output only. The pem-encoded, signed X.509 certificate.
`pemCertificateChain`	`array`	Output only. The chain that may be used to verify the X.509 certificate. Expected to be in issuer-to-root order according to RFC 5246.
`pemCsr`	`string`	Immutable. A pem-encoded X.509 certificate signing request (CSR).
`revocationDetails`	`object`	Output only. Details regarding the revocation of this Certificate. This Certificate is considered revoked if and only if this field is present. (id: RevocationDetails)
`subjectMode`	`string`	Immutable. Specifies how the Certificate's identity fields are to be decided. If this is omitted, the `DEFAULT` subject mode will be used.
`updateTime`	`string (google-datetime)`	Output only. The time at which this Certificate was updated.

Successful response

Name	Datatype	Description
`name`	`string`	Identifier. The resource name for this Certificate in the format `projects//locations//caPools//certificates/`.
`certificateDescription`	`object`	Output only. A structured description of the issued X.509 certificate. (id: CertificateDescription)
`certificateTemplate`	`string`	Immutable. The resource name for a CertificateTemplate used to issue this certificate, in the format `projects//locations//certificateTemplates/*`. If this is specified, the caller must have the necessary permission to use this template. If this is omitted, no template will be used. This template must be in the same location as the Certificate.
`config`	`object`	Immutable. A description of the certificate and key that does not require X.509 or ASN.1. (id: CertificateConfig)
`createTime`	`string (google-datetime)`	Output only. The time at which this Certificate was created.
`issuerCertificateAuthority`	`string`	Output only. The resource name of the issuing CertificateAuthority in the format `projects//locations//caPools//certificateAuthorities/`.
`labels`	`object`	Optional. Labels with user-defined metadata.
`lifetime`	`string (google-duration)`	Required. Immutable. The desired lifetime of a certificate. Used to create the "not_before_time" and "not_after_time" fields inside an X.509 certificate. Note that the lifetime may be truncated if it would extend past the life of any certificate authority in the issuing chain.
`pemCertificate`	`string`	Output only. The pem-encoded, signed X.509 certificate.
`pemCertificateChain`	`array`	Output only. The chain that may be used to verify the X.509 certificate. Expected to be in issuer-to-root order according to RFC 5246.
`pemCsr`	`string`	Immutable. A pem-encoded X.509 certificate signing request (CSR).
`revocationDetails`	`object`	Output only. Details regarding the revocation of this Certificate. This Certificate is considered revoked if and only if this field is present. (id: RevocationDetails)
`subjectMode`	`string`	Immutable. Specifies how the Certificate's identity fields are to be decided. If this is omitted, the `DEFAULT` subject mode will be used.
`updateTime`	`string (google-datetime)`	Output only. The time at which this Certificate was updated.

Methods

The following methods are available for this resource:

Name	Accessible by	Required Params	Optional Params	Description
`get`	`select`	`projectsId`, `locationsId`, `caPoolsId`, `certificatesId`		Returns a Certificate.
`list`	`select`	`projectsId`, `locationsId`, `caPoolsId`	`pageSize`, `pageToken`, `filter`, `orderBy`	Lists Certificates.
`create`	`insert`	`projectsId`, `locationsId`, `caPoolsId`	`certificateId`, `requestId`, `validateOnly`, `issuingCertificateAuthorityId`	Create a new Certificate in a given Project, Location from a particular CaPool.
`patch`	`update`	`projectsId`, `locationsId`, `caPoolsId`, `certificatesId`	`updateMask`, `requestId`	Update a Certificate. Currently, the only field you can update is the labels field.
`revoke`	`exec`	`projectsId`, `locationsId`, `caPoolsId`, `certificatesId`		Revoke a Certificate.

Parameters

Parameters can be passed in the WHERE clause of a query. Check the Methods section to see which parameters are required or optional for each operation.

Name	Datatype	Description
`caPoolsId`	`string`
`certificatesId`	`string`
`locationsId`	`string`
`projectsId`	`string`
`certificateId`	`string`
`filter`	`string`
`issuingCertificateAuthorityId`	`string`
`orderBy`	`string`
`pageSize`	`integer (int32)`
`pageToken`	`string`
`requestId`	`string`
`updateMask`	`string (google-fieldmask)`
`validateOnly`	`boolean`

`SELECT` examples

get
list

Returns a Certificate.

SELECT
name,
certificateDescription,
certificateTemplate,
config,
createTime,
issuerCertificateAuthority,
labels,
lifetime,
pemCertificate,
pemCertificateChain,
pemCsr,
revocationDetails,
subjectMode,
updateTime
FROM google.privateca.certificates
WHERE projectsId = '{{ projectsId }}' -- required
AND locationsId = '{{ locationsId }}' -- required
AND caPoolsId = '{{ caPoolsId }}' -- required
AND certificatesId = '{{ certificatesId }}' -- required;

Lists Certificates.

SELECT
name,
certificateDescription,
certificateTemplate,
config,
createTime,
issuerCertificateAuthority,
labels,
lifetime,
pemCertificate,
pemCertificateChain,
pemCsr,
revocationDetails,
subjectMode,
updateTime
FROM google.privateca.certificates
WHERE projectsId = '{{ projectsId }}' -- required
AND locationsId = '{{ locationsId }}' -- required
AND caPoolsId = '{{ caPoolsId }}' -- required
AND pageSize = '{{ pageSize }}'
AND pageToken = '{{ pageToken }}'
AND filter = '{{ filter }}'
AND orderBy = '{{ orderBy }}';

`INSERT` examples

create
Manifest

Create a new Certificate in a given Project, Location from a particular CaPool.

INSERT INTO google.privateca.certificates (
data__name,
data__pemCsr,
data__config,
data__lifetime,
data__certificateTemplate,
data__subjectMode,
data__labels,
projectsId,
locationsId,
caPoolsId,
certificateId,
requestId,
validateOnly,
issuingCertificateAuthorityId
)
SELECT 
'{{ name }}',
'{{ pemCsr }}',
'{{ config }}',
'{{ lifetime }}',
'{{ certificateTemplate }}',
'{{ subjectMode }}',
'{{ labels }}',
'{{ projectsId }}',
'{{ locationsId }}',
'{{ caPoolsId }}',
'{{ certificateId }}',
'{{ requestId }}',
'{{ validateOnly }}',
'{{ issuingCertificateAuthorityId }}'
RETURNING
name,
certificateDescription,
certificateTemplate,
config,
createTime,
issuerCertificateAuthority,
labels,
lifetime,
pemCertificate,
pemCertificateChain,
pemCsr,
revocationDetails,
subjectMode,
updateTime
;

# Description fields are for documentation purposes
- name: certificates
  props:
    - name: projectsId
      value: string
      description: Required parameter for the certificates resource.
    - name: locationsId
      value: string
      description: Required parameter for the certificates resource.
    - name: caPoolsId
      value: string
      description: Required parameter for the certificates resource.
    - name: name
      value: string
      description: >
        Identifier. The resource name for this Certificate in the format `projects/*/locations/*/caPools/*/certificates/*`.
        
    - name: pemCsr
      value: string
      description: >
        Immutable. A pem-encoded X.509 certificate signing request (CSR).
        
    - name: config
      value: object
      description: >
        Immutable. A description of the certificate and key that does not require X.509 or ASN.1.
        
    - name: lifetime
      value: string
      description: >
        Required. Immutable. The desired lifetime of a certificate. Used to create the "not_before_time" and "not_after_time" fields inside an X.509 certificate. Note that the lifetime may be truncated if it would extend past the life of any certificate authority in the issuing chain.
        
    - name: certificateTemplate
      value: string
      description: >
        Immutable. The resource name for a CertificateTemplate used to issue this certificate, in the format `projects/*/locations/*/certificateTemplates/*`. If this is specified, the caller must have the necessary permission to use this template. If this is omitted, no template will be used. This template must be in the same location as the Certificate.
        
    - name: subjectMode
      value: string
      description: >
        Immutable. Specifies how the Certificate's identity fields are to be decided. If this is omitted, the `DEFAULT` subject mode will be used.
        
      valid_values: ['SUBJECT_REQUEST_MODE_UNSPECIFIED', 'DEFAULT', 'RDN_SEQUENCE', 'REFLECTED_SPIFFE']
    - name: labels
      value: object
      description: >
        Optional. Labels with user-defined metadata.
        
    - name: certificateId
      value: string
    - name: requestId
      value: string
    - name: validateOnly
      value: boolean
    - name: issuingCertificateAuthorityId
      value: string

`UPDATE` examples

patch

Update a Certificate. Currently, the only field you can update is the labels field.

UPDATE google.privateca.certificates
SET 
data__name = '{{ name }}',
data__pemCsr = '{{ pemCsr }}',
data__config = '{{ config }}',
data__lifetime = '{{ lifetime }}',
data__certificateTemplate = '{{ certificateTemplate }}',
data__subjectMode = '{{ subjectMode }}',
data__labels = '{{ labels }}'
WHERE 
projectsId = '{{ projectsId }}' --required
AND locationsId = '{{ locationsId }}' --required
AND caPoolsId = '{{ caPoolsId }}' --required
AND certificatesId = '{{ certificatesId }}' --required
AND updateMask = '{{ updateMask}}'
AND requestId = '{{ requestId}}'
RETURNING
name,
certificateDescription,
certificateTemplate,
config,
createTime,
issuerCertificateAuthority,
labels,
lifetime,
pemCertificate,
pemCertificateChain,
pemCsr,
revocationDetails,
subjectMode,
updateTime;

Lifecycle Methods

revoke

Revoke a Certificate.

EXEC google.privateca.certificates.revoke 
@projectsId='{{ projectsId }}' --required, 
@locationsId='{{ locationsId }}' --required, 
@caPoolsId='{{ caPoolsId }}' --required, 
@certificatesId='{{ certificatesId }}' --required 
@@json=
'{
"reason": "{{ reason }}", 
"requestId": "{{ requestId }}"
}';

Overview​

Fields​

Methods​

Parameters​

SELECT examples​

INSERT examples​

UPDATE examples​

Lifecycle Methods​