google-cloud-security-private_ca-v1 0.1.0

data/proto_docs/google/cloud/security/privateca/v1/resources.rb

@@ -0,0 +1,1188 @@
+# frozen_string_literal: true
+
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Auto-generated by gapic-generator-ruby. DO NOT EDIT!
+
+
+module Google
+  module Cloud
+    module Security
+      module PrivateCA
+        module V1
+          # A {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority} represents an individual Certificate Authority.
+          # A {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority} can be used to create {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates}.
+          # @!attribute [r] name
+          #   @return [::String]
+          #     Output only. The resource name for this {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority} in the
+          #     format `projects/*/locations/*/caPools/*/certificateAuthorities/*`.
+          # @!attribute [rw] type
+          #   @return [::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority::Type]
+          #     Required. Immutable. The {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority::Type Type} of this {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}.
+          # @!attribute [rw] config
+          #   @return [::Google::Cloud::Security::PrivateCA::V1::CertificateConfig]
+          #     Required. Immutable. The config used to create a self-signed X.509 certificate or CSR.
+          # @!attribute [rw] lifetime
+          #   @return [::Google::Protobuf::Duration]
+          #     Required. The desired lifetime of the CA certificate. Used to create the
+          #     "not_before_time" and "not_after_time" fields inside an X.509
+          #     certificate.
+          # @!attribute [rw] key_spec
+          #   @return [::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority::KeyVersionSpec]
+          #     Required. Immutable. Used when issuing certificates for this {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}. If this
+          #     {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority} is a self-signed CertificateAuthority, this key
+          #     is also used to sign the self-signed CA certificate. Otherwise, it
+          #     is used to sign a CSR.
+          # @!attribute [rw] subordinate_config
+          #   @return [::Google::Cloud::Security::PrivateCA::V1::SubordinateConfig]
+          #     Optional. If this is a subordinate {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}, this field will be set
+          #     with the subordinate configuration, which describes its issuers. This may
+          #     be updated, but this {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority} must continue to validate.
+          # @!attribute [r] tier
+          #   @return [::Google::Cloud::Security::PrivateCA::V1::CaPool::Tier]
+          #     Output only. The {::Google::Cloud::Security::PrivateCA::V1::CaPool::Tier CaPool.Tier} of the {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool} that includes this
+          #     {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}.
+          # @!attribute [r] state
+          #   @return [::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority::State]
+          #     Output only. The {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority::State State} for this {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}.
+          # @!attribute [r] pem_ca_certificates
+          #   @return [::Array<::String>]
+          #     Output only. This {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}'s certificate chain, including the current
+          #     {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}'s certificate. Ordered such that the root issuer
+          #     is the final element (consistent with RFC 5246). For a self-signed CA, this
+          #     will only list the current {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}'s certificate.
+          # @!attribute [r] ca_certificate_descriptions
+          #   @return [::Array<::Google::Cloud::Security::PrivateCA::V1::CertificateDescription>]
+          #     Output only. A structured description of this {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}'s CA certificate
+          #     and its issuers. Ordered as self-to-root.
+          # @!attribute [rw] gcs_bucket
+          #   @return [::String]
+          #     Immutable. The name of a Cloud Storage bucket where this {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority} will
+          #     publish content, such as the CA certificate and CRLs. This must be a bucket
+          #     name, without any prefixes (such as `gs://`) or suffixes (such as
+          #     `.googleapis.com`). For example, to use a bucket named `my-bucket`, you
+          #     would simply specify `my-bucket`. If not specified, a managed bucket will
+          #     be created.
+          # @!attribute [r] access_urls
+          #   @return [::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority::AccessUrls]
+          #     Output only. URLs for accessing content published by this CA, such as the CA certificate
+          #     and CRLs.
+          # @!attribute [r] create_time
+          #   @return [::Google::Protobuf::Timestamp]
+          #     Output only. The time at which this {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority} was created.
+          # @!attribute [r] update_time
+          #   @return [::Google::Protobuf::Timestamp]
+          #     Output only. The time at which this {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority} was last updated.
+          # @!attribute [r] delete_time
+          #   @return [::Google::Protobuf::Timestamp]
+          #     Output only. The time at which this {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority} was soft deleted, if
+          #     it is in the {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority::State::DELETED DELETED} state.
+          # @!attribute [r] expire_time
+          #   @return [::Google::Protobuf::Timestamp]
+          #     Output only. The time at which this {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority} will be permanently purged,
+          #     if it is in the {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority::State::DELETED DELETED} state.
+          # @!attribute [rw] labels
+          #   @return [::Google::Protobuf::Map{::String => ::String}]
+          #     Optional. Labels with user-defined metadata.
+          class CertificateAuthority
+            include ::Google::Protobuf::MessageExts
+            extend ::Google::Protobuf::MessageExts::ClassMethods
+
+            # URLs where a {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority} will publish content.
+            # @!attribute [rw] ca_certificate_access_url
+            #   @return [::String]
+            #     The URL where this {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}'s CA certificate is
+            #     published. This will only be set for CAs that have been activated.
+            # @!attribute [rw] crl_access_urls
+            #   @return [::Array<::String>]
+            #     The URLs where this {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}'s CRLs are published. This
+            #     will only be set for CAs that have been activated.
+            class AccessUrls
+              include ::Google::Protobuf::MessageExts
+              extend ::Google::Protobuf::MessageExts::ClassMethods
+            end
+
+            # A Cloud KMS key configuration that a {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority} will use.
+            # @!attribute [rw] cloud_kms_key_version
+            #   @return [::String]
+            #     The resource name for an existing Cloud KMS CryptoKeyVersion in the
+            #     format
+            #     `projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*`.
+            #     This option enables full flexibility in the key's capabilities and
+            #     properties.
+            # @!attribute [rw] algorithm
+            #   @return [::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority::SignHashAlgorithm]
+            #     The algorithm to use for creating a managed Cloud KMS key for a for a
+            #     simplified experience. All managed keys will be have their
+            #     [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] as `HSM`.
+            class KeyVersionSpec
+              include ::Google::Protobuf::MessageExts
+              extend ::Google::Protobuf::MessageExts::ClassMethods
+            end
+
+            # @!attribute [rw] key
+            #   @return [::String]
+            # @!attribute [rw] value
+            #   @return [::String]
+            class LabelsEntry
+              include ::Google::Protobuf::MessageExts
+              extend ::Google::Protobuf::MessageExts::ClassMethods
+            end
+
+            # The type of a {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}, indicating its issuing chain.
+            module Type
+              # Not specified.
+              TYPE_UNSPECIFIED = 0
+
+              # Self-signed CA.
+              SELF_SIGNED = 1
+
+              # Subordinate CA. Could be issued by a Private CA {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}
+              # or an unmanaged CA.
+              SUBORDINATE = 2
+            end
+
+            # The state of a {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}, indicating if it can be used.
+            module State
+              # Not specified.
+              STATE_UNSPECIFIED = 0
+
+              # Certificates can be issued from this CA. CRLs will be generated for this
+              # CA. The CA will be part of the {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}'s trust anchor, and will be
+              # used to issue certificates from the {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
+              ENABLED = 1
+
+              # Certificates cannot be issued from this CA. CRLs will still be generated.
+              # The CA will be part of the {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}'s trust anchor, but will not be
+              # used to issue certificates from the {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
+              DISABLED = 2
+
+              # Certificates can be issued from this CA. CRLs will be generated for this
+              # CA. The CA will be part of the {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}'s trust anchor, but will not
+              # be used to issue certificates from the {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
+              STAGED = 3
+
+              # Certificates cannot be issued from this CA. CRLs will not be generated.
+              # The CA will not be part of the {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}'s trust anchor, and will not be
+              # used to issue certificates from the {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
+              AWAITING_USER_ACTIVATION = 4
+
+              # Certificates cannot be issued from this CA. CRLs will not be generated.
+              # The CA may still be recovered by calling
+              # {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthorityService::Client#undelete_certificate_authority CertificateAuthorityService.UndeleteCertificateAuthority} before
+              # {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority#expire_time expire_time}.
+              # The CA will not be part of the {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}'s trust anchor, and will not be
+              # used to issue certificates from the {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
+              DELETED = 5
+            end
+
+            # The algorithm of a Cloud KMS CryptoKeyVersion of a
+            # [CryptoKey][google.cloud.kms.v1.CryptoKey] with the
+            # [CryptoKeyPurpose][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose] value
+            # `ASYMMETRIC_SIGN`. These values correspond to the
+            # [CryptoKeyVersionAlgorithm][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm]
+            # values. For RSA signing algorithms, the PSS algorithms should be preferred,
+            # use PKCS1 algorithms if required for compatibility. For further
+            # recommandations, see
+            # https://cloud.google.com/kms/docs/algorithms#algorithm_recommendations.
+            module SignHashAlgorithm
+              # Not specified.
+              SIGN_HASH_ALGORITHM_UNSPECIFIED = 0
+
+              # maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PSS_2048_SHA256
+              RSA_PSS_2048_SHA256 = 1
+
+              # maps to CryptoKeyVersionAlgorithm. RSA_SIGN_PSS_3072_SHA256
+              RSA_PSS_3072_SHA256 = 2
+
+              # maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PSS_4096_SHA256
+              RSA_PSS_4096_SHA256 = 3
+
+              # maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_2048_SHA256
+              RSA_PKCS1_2048_SHA256 = 6
+
+              # maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_3072_SHA256
+              RSA_PKCS1_3072_SHA256 = 7
+
+              # maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_4096_SHA256
+              RSA_PKCS1_4096_SHA256 = 8
+
+              # maps to CryptoKeyVersionAlgorithm.EC_SIGN_P256_SHA256
+              EC_P256_SHA256 = 4
+
+              # maps to CryptoKeyVersionAlgorithm.EC_SIGN_P384_SHA384
+              EC_P384_SHA384 = 5
+            end
+          end
+
+          # A {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool} represents a group of
+          # {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthorities} that form a trust anchor. A
+          # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool} can be used to manage issuance policies for one or more
+          # {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority} resources and to rotate CA certificates in and out
+          # of the trust anchor.
+          # @!attribute [r] name
+          #   @return [::String]
+          #     Output only. The resource name for this {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool} in the
+          #     format `projects/*/locations/*/caPools/*`.
+          # @!attribute [rw] tier
+          #   @return [::Google::Cloud::Security::PrivateCA::V1::CaPool::Tier]
+          #     Required. Immutable. The {::Google::Cloud::Security::PrivateCA::V1::CaPool::Tier Tier} of this {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
+          # @!attribute [rw] issuance_policy
+          #   @return [::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy]
+          #     Optional. The {::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy IssuancePolicy} to control how {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates}
+          #     will be issued from this {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
+          # @!attribute [rw] publishing_options
+          #   @return [::Google::Cloud::Security::PrivateCA::V1::CaPool::PublishingOptions]
+          #     Optional. The {::Google::Cloud::Security::PrivateCA::V1::CaPool::PublishingOptions PublishingOptions} to follow when issuing
+          #     {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates} from any {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority} in this
+          #     {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
+          # @!attribute [rw] labels
+          #   @return [::Google::Protobuf::Map{::String => ::String}]
+          #     Optional. Labels with user-defined metadata.
+          class CaPool
+            include ::Google::Protobuf::MessageExts
+            extend ::Google::Protobuf::MessageExts::ClassMethods
+
+            # Options relating to the publication of each {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}'s CA
+            # certificate and CRLs and their inclusion as extensions in issued
+            # {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates}. The options set here apply to certificates
+            # issued by any {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority} in the {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
+            # @!attribute [rw] publish_ca_cert
+            #   @return [::Boolean]
+            #     Required. When true, publishes each {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}'s CA certificate and
+            #     includes its URL in the "Authority Information Access" X.509 extension
+            #     in all issued {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates}. If this is false, the CA
+            #     certificate will not be published and the corresponding X.509 extension
+            #     will not be written in issued certificates.
+            # @!attribute [rw] publish_crl
+            #   @return [::Boolean]
+            #     Required. When true, publishes each {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}'s CRL and includes its
+            #     URL in the "CRL Distribution Points" X.509 extension in all issued
+            #     {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates}. If this is false, CRLs will not be published
+            #     and the corresponding X.509 extension will not be written in issued
+            #     certificates.
+            #     CRLs will expire 7 days from their creation. However, we will rebuild
+            #     daily. CRLs are also rebuilt shortly after a certificate is revoked.
+            class PublishingOptions
+              include ::Google::Protobuf::MessageExts
+              extend ::Google::Protobuf::MessageExts::ClassMethods
+            end
+
+            # Defines controls over all certificate issuance within a {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
+            # @!attribute [rw] allowed_key_types
+            #   @return [::Array<::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::AllowedKeyType>]
+            #     Optional. If any {::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::AllowedKeyType AllowedKeyType} is specified, then the certificate request's
+            #     public key must match one of the key types listed here. Otherwise,
+            #     any key may be used.
+            # @!attribute [rw] maximum_lifetime
+            #   @return [::Google::Protobuf::Duration]
+            #     Optional. The maximum lifetime allowed for issued {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates}. Note
+            #     that if the issuing {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority} expires before a
+            #     {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate}'s requested maximum_lifetime, the effective lifetime will
+            #     be explicitly truncated to match it.
+            # @!attribute [rw] allowed_issuance_modes
+            #   @return [::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::IssuanceModes]
+            #     Optional. If specified, then only methods allowed in the {::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::IssuanceModes IssuanceModes} may be
+            #     used to issue {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates}.
+            # @!attribute [rw] baseline_values
+            #   @return [::Google::Cloud::Security::PrivateCA::V1::X509Parameters]
+            #     Optional. A set of X.509 values that will be applied to all certificates issued
+            #     through this {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}. If a certificate request includes conflicting
+            #     values for the same properties, they will be overwritten by the values
+            #     defined here. If a certificate request uses a {::Google::Cloud::Security::PrivateCA::V1::CertificateTemplate CertificateTemplate}
+            #     that defines conflicting
+            #     {::Google::Cloud::Security::PrivateCA::V1::CertificateTemplate#predefined_values predefined_values} for the same
+            #     properties, the certificate issuance request will fail.
+            # @!attribute [rw] identity_constraints
+            #   @return [::Google::Cloud::Security::PrivateCA::V1::CertificateIdentityConstraints]
+            #     Optional. Describes constraints on identities that may appear in
+            #     {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates} issued through this {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
+            #     If this is omitted, then this {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool} will not add restrictions on a
+            #     certificate's identity.
+            # @!attribute [rw] passthrough_extensions
+            #   @return [::Google::Cloud::Security::PrivateCA::V1::CertificateExtensionConstraints]
+            #     Optional. Describes the set of X.509 extensions that may appear in a
+            #     {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} issued through this {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}. If a certificate request
+            #     sets extensions that don't appear in the {::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy#passthrough_extensions passthrough_extensions},
+            #     those extensions will be dropped. If a certificate request uses a
+            #     {::Google::Cloud::Security::PrivateCA::V1::CertificateTemplate CertificateTemplate} with
+            #     {::Google::Cloud::Security::PrivateCA::V1::CertificateTemplate#predefined_values predefined_values} that don't
+            #     appear here, the certificate issuance request will fail. If this is
+            #     omitted, then this {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool} will not add restrictions on a
+            #     certificate's X.509 extensions. These constraints do not apply to X.509
+            #     extensions set in this {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}'s {::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy#baseline_values baseline_values}.
+            class IssuancePolicy
+              include ::Google::Protobuf::MessageExts
+              extend ::Google::Protobuf::MessageExts::ClassMethods
+
+              # Describes a "type" of key that may be used in a {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} issued
+              # from a {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
+              # Note that a single {::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::AllowedKeyType AllowedKeyType} may refer to either a
+              # fully-qualified key algorithm, such as RSA 4096, or a family of key
+              # algorithms, such as any RSA key.
+              # @!attribute [rw] rsa
+              #   @return [::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::AllowedKeyType::RsaKeyType]
+              #     Represents an allowed RSA key type.
+              # @!attribute [rw] elliptic_curve
+              #   @return [::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::AllowedKeyType::EcKeyType]
+              #     Represents an allowed Elliptic Curve key type.
+              class AllowedKeyType
+                include ::Google::Protobuf::MessageExts
+                extend ::Google::Protobuf::MessageExts::ClassMethods
+
+                # Describes an RSA key that may be used in a {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} issued from
+                # a {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
+                # @!attribute [rw] min_modulus_size
+                #   @return [::Integer]
+                #     Optional. The minimum allowed RSA modulus size, in bits. If this is not set,
+                #     or if set to zero, the service-level min RSA modulus size will
+                #     continue to apply.
+                # @!attribute [rw] max_modulus_size
+                #   @return [::Integer]
+                #     Optional. The maximum allowed RSA modulus size, in bits. If this is not set,
+                #     or if set to zero, the service will not enforce an explicit upper
+                #     bound on RSA modulus sizes.
+                class RsaKeyType
+                  include ::Google::Protobuf::MessageExts
+                  extend ::Google::Protobuf::MessageExts::ClassMethods
+                end
+
+                # Describes an Elliptic Curve key that may be used in a {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate}
+                # issued from a {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
+                # @!attribute [rw] signature_algorithm
+                #   @return [::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::AllowedKeyType::EcKeyType::EcSignatureAlgorithm]
+                #     Optional. A signature algorithm that must be used. If this is omitted, any
+                #     EC-based signature algorithm will be allowed.
+                class EcKeyType
+                  include ::Google::Protobuf::MessageExts
+                  extend ::Google::Protobuf::MessageExts::ClassMethods
+
+                  # Describes an elliptic curve-based signature algorithm that may be
+                  # used in a {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} issued from a {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
+                  module EcSignatureAlgorithm
+                    # Not specified. Signifies that any signature algorithm may be used.
+                    EC_SIGNATURE_ALGORITHM_UNSPECIFIED = 0
+
+                    # Refers to the Elliptic Curve Digital Signature Algorithm over the
+                    # NIST P-256 curve.
+                    ECDSA_P256 = 1
+
+                    # Refers to the Elliptic Curve Digital Signature Algorithm over the
+                    # NIST P-384 curve.
+                    ECDSA_P384 = 2
+
+                    # Refers to the Edwards-curve Digital Signature Algorithm over curve
+                    # 25519, as described in RFC 8410.
+                    EDDSA_25519 = 3
+                  end
+                end
+              end
+
+              # {::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::IssuanceModes IssuanceModes} specifies the allowed ways in which
+              # {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates} may be requested from this
+              # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
+              # @!attribute [rw] allow_csr_based_issuance
+              #   @return [::Boolean]
+              #     Required. When true, allows callers to create {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates} by
+              #     specifying a CSR.
+              # @!attribute [rw] allow_config_based_issuance
+              #   @return [::Boolean]
+              #     Required. When true, allows callers to create {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates} by
+              #     specifying a {::Google::Cloud::Security::PrivateCA::V1::CertificateConfig CertificateConfig}.
+              class IssuanceModes
+                include ::Google::Protobuf::MessageExts
+                extend ::Google::Protobuf::MessageExts::ClassMethods
+              end
+            end
+
+            # @!attribute [rw] key
+            #   @return [::String]
+            # @!attribute [rw] value
+            #   @return [::String]
+            class LabelsEntry
+              include ::Google::Protobuf::MessageExts
+              extend ::Google::Protobuf::MessageExts::ClassMethods
+            end
+
+            # The tier of a {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}, indicating its supported functionality and/or
+            # billing SKU.
+            module Tier
+              # Not specified.
+              TIER_UNSPECIFIED = 0
+
+              # Enterprise tier.
+              ENTERPRISE = 1
+
+              # DevOps tier.
+              DEVOPS = 2
+            end
+          end
+
+          # A {::Google::Cloud::Security::PrivateCA::V1::CertificateRevocationList CertificateRevocationList} corresponds to a signed X.509 certificate
+          # Revocation List (CRL). A CRL contains the serial numbers of certificates that
+          # should no longer be trusted.
+          # @!attribute [r] name
+          #   @return [::String]
+          #     Output only. The resource name for this {::Google::Cloud::Security::PrivateCA::V1::CertificateRevocationList CertificateRevocationList} in
+          #     the format
+          #     `projects/*/locations/*/caPools/*certificateAuthorities/*/
+          #        certificateRevocationLists/*`.
+          # @!attribute [r] sequence_number
+          #   @return [::Integer]
+          #     Output only. The CRL sequence number that appears in pem_crl.
+          # @!attribute [r] revoked_certificates
+          #   @return [::Array<::Google::Cloud::Security::PrivateCA::V1::CertificateRevocationList::RevokedCertificate>]
+          #     Output only. The revoked serial numbers that appear in pem_crl.
+          # @!attribute [r] pem_crl
+          #   @return [::String]
+          #     Output only. The PEM-encoded X.509 CRL.
+          # @!attribute [r] access_url
+          #   @return [::String]
+          #     Output only. The location where 'pem_crl' can be accessed.
+          # @!attribute [r] state
+          #   @return [::Google::Cloud::Security::PrivateCA::V1::CertificateRevocationList::State]
+          #     Output only. The {::Google::Cloud::Security::PrivateCA::V1::CertificateRevocationList::State State} for this {::Google::Cloud::Security::PrivateCA::V1::CertificateRevocationList CertificateRevocationList}.
+          # @!attribute [r] create_time
+          #   @return [::Google::Protobuf::Timestamp]
+          #     Output only. The time at which this {::Google::Cloud::Security::PrivateCA::V1::CertificateRevocationList CertificateRevocationList} was created.
+          # @!attribute [r] update_time
+          #   @return [::Google::Protobuf::Timestamp]
+          #     Output only. The time at which this {::Google::Cloud::Security::PrivateCA::V1::CertificateRevocationList CertificateRevocationList} was updated.
+          # @!attribute [r] revision_id
+          #   @return [::String]
+          #     Output only. The revision ID of this {::Google::Cloud::Security::PrivateCA::V1::CertificateRevocationList CertificateRevocationList}. A new revision is
+          #     committed whenever a new CRL is published. The format is an 8-character
+          #     hexadecimal string.
+          # @!attribute [rw] labels
+          #   @return [::Google::Protobuf::Map{::String => ::String}]
+          #     Optional. Labels with user-defined metadata.
+          class CertificateRevocationList
+            include ::Google::Protobuf::MessageExts
+            extend ::Google::Protobuf::MessageExts::ClassMethods
+
+            # Describes a revoked {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate}.
+            # @!attribute [rw] certificate
+            #   @return [::String]
+            #     The resource name for the {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} in the format
+            #     `projects/*/locations/*/caPools/*/certificates/*`.
+            # @!attribute [rw] hex_serial_number
+            #   @return [::String]
+            #     The serial number of the {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate}.
+            # @!attribute [rw] revocation_reason
+            #   @return [::Google::Cloud::Security::PrivateCA::V1::RevocationReason]
+            #     The reason the {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} was revoked.
+            class RevokedCertificate
+              include ::Google::Protobuf::MessageExts
+              extend ::Google::Protobuf::MessageExts::ClassMethods
+            end
+
+            # @!attribute [rw] key
+            #   @return [::String]
+            # @!attribute [rw] value
+            #   @return [::String]
+            class LabelsEntry
+              include ::Google::Protobuf::MessageExts
+              extend ::Google::Protobuf::MessageExts::ClassMethods
+            end
+
+            # The state of a {::Google::Cloud::Security::PrivateCA::V1::CertificateRevocationList CertificateRevocationList}, indicating if it is current.
+            module State
+              # Not specified.
+              STATE_UNSPECIFIED = 0
+
+              # The {::Google::Cloud::Security::PrivateCA::V1::CertificateRevocationList CertificateRevocationList} is up to date.
+              ACTIVE = 1
+
+              # The {::Google::Cloud::Security::PrivateCA::V1::CertificateRevocationList CertificateRevocationList} is no longer current.
+              SUPERSEDED = 2
+            end
+          end
+
+          # A {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} corresponds to a signed X.509 certificate issued by a
+          # {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}.
+          # @!attribute [r] name
+          #   @return [::String]
+          #     Output only. The resource name for this {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} in the format
+          #     `projects/*/locations/*/caPools/*/certificates/*`.
+          # @!attribute [rw] pem_csr
+          #   @return [::String]
+          #     Immutable. A pem-encoded X.509 certificate signing request (CSR).
+          # @!attribute [rw] config
+          #   @return [::Google::Cloud::Security::PrivateCA::V1::CertificateConfig]
+          #     Immutable. A description of the certificate and key that does not require X.509 or
+          #     ASN.1.
+          # @!attribute [r] issuer_certificate_authority
+          #   @return [::String]
+          #     Output only. The resource name of the issuing {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority} in the format
+          #     `projects/*/locations/*/caPools/*/certificateAuthorities/*`.
+          # @!attribute [rw] lifetime
+          #   @return [::Google::Protobuf::Duration]
+          #     Required. Immutable. The desired lifetime of a certificate. Used to create the
+          #     "not_before_time" and "not_after_time" fields inside an X.509
+          #     certificate. Note that the lifetime may be truncated if it would extend
+          #     past the life of any certificate authority in the issuing chain.
+          # @!attribute [rw] certificate_template
+          #   @return [::String]
+          #     Immutable. The resource name for a {::Google::Cloud::Security::PrivateCA::V1::CertificateTemplate CertificateTemplate} used to issue this
+          #     certificate, in the format
+          #     `projects/*/locations/*/certificateTemplates/*`.
+          #     If this is specified, the caller must have the necessary permission to
+          #     use this template. If this is omitted, no template will be used.
+          #     This template must be in the same location as the {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate}.
+          # @!attribute [rw] subject_mode
+          #   @return [::Google::Cloud::Security::PrivateCA::V1::SubjectRequestMode]
+          #     Immutable. Specifies how the {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate}'s identity fields are to be decided.
+          #     If this is omitted, the `DEFAULT` subject mode will be used.
+          # @!attribute [r] revocation_details
+          #   @return [::Google::Cloud::Security::PrivateCA::V1::Certificate::RevocationDetails]
+          #     Output only. Details regarding the revocation of this {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate}. This
+          #     {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} is considered revoked if and only if this field is present.
+          # @!attribute [r] pem_certificate
+          #   @return [::String]
+          #     Output only. The pem-encoded, signed X.509 certificate.
+          # @!attribute [r] certificate_description
+          #   @return [::Google::Cloud::Security::PrivateCA::V1::CertificateDescription]
+          #     Output only. A structured description of the issued X.509 certificate.
+          # @!attribute [r] pem_certificate_chain
+          #   @return [::Array<::String>]
+          #     Output only. The chain that may be used to verify the X.509 certificate. Expected to be
+          #     in issuer-to-root order according to RFC 5246.
+          # @!attribute [r] create_time
+          #   @return [::Google::Protobuf::Timestamp]
+          #     Output only. The time at which this {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} was created.
+          # @!attribute [r] update_time
+          #   @return [::Google::Protobuf::Timestamp]
+          #     Output only. The time at which this {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} was updated.
+          # @!attribute [rw] labels
+          #   @return [::Google::Protobuf::Map{::String => ::String}]
+          #     Optional. Labels with user-defined metadata.
+          class Certificate
+            include ::Google::Protobuf::MessageExts
+            extend ::Google::Protobuf::MessageExts::ClassMethods
+
+            # Describes fields that are relavent to the revocation of a {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate}.
+            # @!attribute [rw] revocation_state
+            #   @return [::Google::Cloud::Security::PrivateCA::V1::RevocationReason]
+            #     Indicates why a {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} was revoked.
+            # @!attribute [rw] revocation_time
+            #   @return [::Google::Protobuf::Timestamp]
+            #     The time at which this {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} was revoked.
+            class RevocationDetails
+              include ::Google::Protobuf::MessageExts
+              extend ::Google::Protobuf::MessageExts::ClassMethods
+            end
+
+            # @!attribute [rw] key
+            #   @return [::String]
+            # @!attribute [rw] value
+            #   @return [::String]
+            class LabelsEntry
+              include ::Google::Protobuf::MessageExts
+              extend ::Google::Protobuf::MessageExts::ClassMethods
+            end
+          end
+
+          # A {::Google::Cloud::Security::PrivateCA::V1::CertificateTemplate CertificateTemplate} refers to a managed template for certificate
+          # issuance.
+          # @!attribute [r] name
+          #   @return [::String]
+          #     Output only. The resource name for this {::Google::Cloud::Security::PrivateCA::V1::CertificateTemplate CertificateTemplate} in the format
+          #     `projects/*/locations/*/certificateTemplates/*`.
+          # @!attribute [rw] predefined_values
+          #   @return [::Google::Cloud::Security::PrivateCA::V1::X509Parameters]
+          #     Optional. A set of X.509 values that will be applied to all issued certificates that
+          #     use this template. If the certificate request includes conflicting values
+          #     for the same properties, they will be overwritten by the values defined
+          #     here. If the issuing {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}'s {::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy IssuancePolicy}
+          #     defines conflicting
+          #     {::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy#baseline_values baseline_values} for the same
+          #     properties, the certificate issuance request will fail.
+          # @!attribute [rw] identity_constraints
+          #   @return [::Google::Cloud::Security::PrivateCA::V1::CertificateIdentityConstraints]
+          #     Optional. Describes constraints on identities that may be appear in
+          #     {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates} issued using this template. If this is omitted,
+          #     then this template will not add restrictions on a certificate's identity.
+          # @!attribute [rw] passthrough_extensions
+          #   @return [::Google::Cloud::Security::PrivateCA::V1::CertificateExtensionConstraints]
+          #     Optional. Describes the set of X.509 extensions that may appear in a
+          #     {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} issued using this {::Google::Cloud::Security::PrivateCA::V1::CertificateTemplate CertificateTemplate}. If a certificate
+          #     request sets extensions that don't appear in the
+          #     {::Google::Cloud::Security::PrivateCA::V1::CertificateTemplate#passthrough_extensions passthrough_extensions}, those extensions will be dropped. If the
+          #     issuing {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}'s {::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy IssuancePolicy} defines
+          #     {::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy#baseline_values baseline_values} that don't appear
+          #     here, the certificate issuance request will fail. If this is omitted, then
+          #     this template will not add restrictions on a certificate's X.509
+          #     extensions. These constraints do not apply to X.509 extensions set in this
+          #     {::Google::Cloud::Security::PrivateCA::V1::CertificateTemplate CertificateTemplate}'s {::Google::Cloud::Security::PrivateCA::V1::CertificateTemplate#predefined_values predefined_values}.
+          # @!attribute [rw] description
+          #   @return [::String]
+          #     Optional. A human-readable description of scenarios this template is intended for.
+          # @!attribute [r] create_time
+          #   @return [::Google::Protobuf::Timestamp]
+          #     Output only. The time at which this {::Google::Cloud::Security::PrivateCA::V1::CertificateTemplate CertificateTemplate} was created.
+          # @!attribute [r] update_time
+          #   @return [::Google::Protobuf::Timestamp]
+          #     Output only. The time at which this {::Google::Cloud::Security::PrivateCA::V1::CertificateTemplate CertificateTemplate} was updated.
+          # @!attribute [rw] labels
+          #   @return [::Google::Protobuf::Map{::String => ::String}]
+          #     Optional. Labels with user-defined metadata.
+          class CertificateTemplate
+            include ::Google::Protobuf::MessageExts
+            extend ::Google::Protobuf::MessageExts::ClassMethods
+
+            # @!attribute [rw] key
+            #   @return [::String]
+            # @!attribute [rw] value
+            #   @return [::String]
+            class LabelsEntry
+              include ::Google::Protobuf::MessageExts
+              extend ::Google::Protobuf::MessageExts::ClassMethods
+            end
+          end
+
+          # An {::Google::Cloud::Security::PrivateCA::V1::X509Parameters X509Parameters} is used to describe certain fields of an
+          # X.509 certificate, such as the key usage fields, fields specific to CA
+          # certificates, certificate policy extensions and custom extensions.
+          # @!attribute [rw] key_usage
+          #   @return [::Google::Cloud::Security::PrivateCA::V1::KeyUsage]
+          #     Optional. Indicates the intended use for keys that correspond to a certificate.
+          # @!attribute [rw] ca_options
+          #   @return [::Google::Cloud::Security::PrivateCA::V1::X509Parameters::CaOptions]
+          #     Optional. Describes options in this {::Google::Cloud::Security::PrivateCA::V1::X509Parameters X509Parameters} that are relevant in a CA
+          #     certificate.
+          # @!attribute [rw] policy_ids
+          #   @return [::Array<::Google::Cloud::Security::PrivateCA::V1::ObjectId>]
+          #     Optional. Describes the X.509 certificate policy object identifiers, per
+          #     https://tools.ietf.org/html/rfc5280#section-4.2.1.4.
+          # @!attribute [rw] aia_ocsp_servers
+          #   @return [::Array<::String>]
+          #     Optional. Describes Online Certificate Status Protocol (OCSP) endpoint addresses
+          #     that appear in the "Authority Information Access" extension in the
+          #     certificate.
+          # @!attribute [rw] additional_extensions
+          #   @return [::Array<::Google::Cloud::Security::PrivateCA::V1::X509Extension>]
+          #     Optional. Describes custom X.509 extensions.
+          class X509Parameters
+            include ::Google::Protobuf::MessageExts
+            extend ::Google::Protobuf::MessageExts::ClassMethods
+
+            # Describes values that are relevant in a CA certificate.
+            # @!attribute [rw] is_ca
+            #   @return [::Boolean]
+            #     Optional. Refers to the "CA" X.509 extension, which is a boolean value. When this
+            #     value is missing, the extension will be omitted from the CA certificate.
+            # @!attribute [rw] max_issuer_path_length
+            #   @return [::Integer]
+            #     Optional. Refers to the path length restriction X.509 extension. For a CA
+            #     certificate, this value describes the depth of subordinate CA
+            #     certificates that are allowed.
+            #     If this value is less than 0, the request will fail.
+            #     If this value is missing, the max path length will be omitted from the
+            #     CA certificate.
+            class CaOptions
+              include ::Google::Protobuf::MessageExts
+              extend ::Google::Protobuf::MessageExts::ClassMethods
+            end
+          end
+
+          # Describes a subordinate CA's issuers. This is either a resource name to a
+          # known issuing {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}, or a PEM issuer certificate chain.
+          # @!attribute [rw] certificate_authority
+          #   @return [::String]
+          #     Required. This can refer to a {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority} in the same project that
+          #     was used to create a subordinate {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}. This field
+          #     is used for information and usability purposes only. The resource name
+          #     is in the format
+          #     `projects/*/locations/*/caPools/*/certificateAuthorities/*`.
+          # @!attribute [rw] pem_issuer_chain
+          #   @return [::Google::Cloud::Security::PrivateCA::V1::SubordinateConfig::SubordinateConfigChain]
+          #     Required. Contains the PEM certificate chain for the issuers of this
+          #     {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}, but not pem certificate for this CA itself.
+          class SubordinateConfig
+            include ::Google::Protobuf::MessageExts
+            extend ::Google::Protobuf::MessageExts::ClassMethods
+
+            # This message describes a subordinate CA's issuer certificate chain. This
+            # wrapper exists for compatibility reasons.
+            # @!attribute [rw] pem_certificates
+            #   @return [::Array<::String>]
+            #     Required. Expected to be in leaf-to-root order according to RFC 5246.
+            class SubordinateConfigChain
+              include ::Google::Protobuf::MessageExts
+              extend ::Google::Protobuf::MessageExts::ClassMethods
+            end
+          end
+
+          # A {::Google::Cloud::Security::PrivateCA::V1::PublicKey PublicKey} describes a public key.
+          # @!attribute [rw] key
+          #   @return [::String]
+          #     Required. A public key. The padding and encoding
+          #     must match with the `KeyFormat` value specified for the `format` field.
+          # @!attribute [rw] format
+          #   @return [::Google::Cloud::Security::PrivateCA::V1::PublicKey::KeyFormat]
+          #     Required. The format of the public key.
+          class PublicKey
+            include ::Google::Protobuf::MessageExts
+            extend ::Google::Protobuf::MessageExts::ClassMethods
+
+            # Types of public keys formats that are supported. Currently, only `PEM`
+            # format is supported.
+            module KeyFormat
+              # Default unspecified value.
+              KEY_FORMAT_UNSPECIFIED = 0
+
+              # The key is PEM-encoded as defined in [RFC
+              # 7468](https://tools.ietf.org/html/rfc7468). It can be any of the
+              # following: a PEM-encoded PKCS#1/RFC 3447 RSAPublicKey
+              # structure, an RFC 5280
+              # [SubjectPublicKeyInfo](https://tools.ietf.org/html/rfc5280#section-4.1)
+              # or a PEM-encoded X.509 certificate signing request (CSR). If a
+              # [SubjectPublicKeyInfo](https://tools.ietf.org/html/rfc5280#section-4.1)
+              # is specified, it can contain a A PEM-encoded PKCS#1/RFC 3447 RSAPublicKey
+              # or a NIST P-256/secp256r1/prime256v1 or P-384 key. If a CSR is specified,
+              # it will used solely for the purpose of extracting the public key. When
+              # generated by the service, it will always be an RFC 5280
+              # [SubjectPublicKeyInfo](https://tools.ietf.org/html/rfc5280#section-4.1)
+              # structure containing an algorithm identifier and a key.
+              PEM = 1
+            end
+          end
+
+          # A {::Google::Cloud::Security::PrivateCA::V1::CertificateConfig CertificateConfig} describes an X.509 certificate or CSR that is to be
+          # created, as an alternative to using ASN.1.
+          # @!attribute [rw] subject_config
+          #   @return [::Google::Cloud::Security::PrivateCA::V1::CertificateConfig::SubjectConfig]
+          #     Required. Specifies some of the values in a certificate that are related to the
+          #     subject.
+          # @!attribute [rw] x509_config
+          #   @return [::Google::Cloud::Security::PrivateCA::V1::X509Parameters]
+          #     Required. Describes how some of the technical X.509 fields in a certificate should be
+          #     populated.
+          # @!attribute [rw] public_key
+          #   @return [::Google::Cloud::Security::PrivateCA::V1::PublicKey]
+          #     Optional. The public key that corresponds to this config. This is, for example, used
+          #     when issuing {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates}, but not when creating a
+          #     self-signed {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority} or {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority} CSR.
+          class CertificateConfig
+            include ::Google::Protobuf::MessageExts
+            extend ::Google::Protobuf::MessageExts::ClassMethods
+
+            # These values are used to create the distinguished name and subject
+            # alternative name fields in an X.509 certificate.
+            # @!attribute [rw] subject
+            #   @return [::Google::Cloud::Security::PrivateCA::V1::Subject]
+            #     Required. Contains distinguished name fields such as the common name, location and
+            #     organization.
+            # @!attribute [rw] subject_alt_name
+            #   @return [::Google::Cloud::Security::PrivateCA::V1::SubjectAltNames]
+            #     Optional. The subject alternative name fields.
+            class SubjectConfig
+              include ::Google::Protobuf::MessageExts
+              extend ::Google::Protobuf::MessageExts::ClassMethods
+            end
+          end
+
+          # A {::Google::Cloud::Security::PrivateCA::V1::CertificateDescription CertificateDescription} describes an X.509 certificate or CSR that has
+          # been issued, as an alternative to using ASN.1 / X.509.
+          # @!attribute [rw] subject_description
+          #   @return [::Google::Cloud::Security::PrivateCA::V1::CertificateDescription::SubjectDescription]
+          #     Describes some of the values in a certificate that are related to the
+          #     subject and lifetime.
+          # @!attribute [rw] x509_description
+          #   @return [::Google::Cloud::Security::PrivateCA::V1::X509Parameters]
+          #     Describes some of the technical X.509 fields in a certificate.
+          # @!attribute [rw] public_key
+          #   @return [::Google::Cloud::Security::PrivateCA::V1::PublicKey]
+          #     The public key that corresponds to an issued certificate.
+          # @!attribute [rw] subject_key_id
+          #   @return [::Google::Cloud::Security::PrivateCA::V1::CertificateDescription::KeyId]
+          #     Provides a means of identifiying certificates that contain a particular
+          #     public key, per https://tools.ietf.org/html/rfc5280#section-4.2.1.2.
+          # @!attribute [rw] authority_key_id
+          #   @return [::Google::Cloud::Security::PrivateCA::V1::CertificateDescription::KeyId]
+          #     Identifies the subject_key_id of the parent certificate, per
+          #     https://tools.ietf.org/html/rfc5280#section-4.2.1.1
+          # @!attribute [rw] crl_distribution_points
+          #   @return [::Array<::String>]
+          #     Describes a list of locations to obtain CRL information, i.e.
+          #     the DistributionPoint.fullName described by
+          #     https://tools.ietf.org/html/rfc5280#section-4.2.1.13
+          # @!attribute [rw] aia_issuing_certificate_urls
+          #   @return [::Array<::String>]
+          #     Describes lists of issuer CA certificate URLs that appear in the
+          #     "Authority Information Access" extension in the certificate.
+          # @!attribute [rw] cert_fingerprint
+          #   @return [::Google::Cloud::Security::PrivateCA::V1::CertificateDescription::CertificateFingerprint]
+          #     The hash of the x.509 certificate.
+          class CertificateDescription
+            include ::Google::Protobuf::MessageExts
+            extend ::Google::Protobuf::MessageExts::ClassMethods
+
+            # These values describe fields in an issued X.509 certificate such as the
+            # distinguished name, subject alternative names, serial number, and lifetime.
+            # @!attribute [rw] subject
+            #   @return [::Google::Cloud::Security::PrivateCA::V1::Subject]
+            #     Contains distinguished name fields such as the common name, location and
+            #     / organization.
+            # @!attribute [rw] subject_alt_name
+            #   @return [::Google::Cloud::Security::PrivateCA::V1::SubjectAltNames]
+            #     The subject alternative name fields.
+            # @!attribute [rw] hex_serial_number
+            #   @return [::String]
+            #     The serial number encoded in lowercase hexadecimal.
+            # @!attribute [rw] lifetime
+            #   @return [::Google::Protobuf::Duration]
+            #     For convenience, the actual lifetime of an issued certificate.
+            #     Corresponds to 'not_after_time' - 'not_before_time'.
+            # @!attribute [rw] not_before_time
+            #   @return [::Google::Protobuf::Timestamp]
+            #     The time at which the certificate becomes valid.
+            # @!attribute [rw] not_after_time
+            #   @return [::Google::Protobuf::Timestamp]
+            #     The time at which the certificate expires.
+            class SubjectDescription
+              include ::Google::Protobuf::MessageExts
+              extend ::Google::Protobuf::MessageExts::ClassMethods
+            end
+
+            # A KeyId identifies a specific public key, usually by hashing the public
+            # key.
+            # @!attribute [rw] key_id
+            #   @return [::String]
+            #     Optional. The value of this KeyId encoded in lowercase hexadecimal. This is most
+            #     likely the 160 bit SHA-1 hash of the public key.
+            class KeyId
+              include ::Google::Protobuf::MessageExts
+              extend ::Google::Protobuf::MessageExts::ClassMethods
+            end
+
+            # A group of fingerprints for the x509 certificate.
+            # @!attribute [rw] sha256_hash
+            #   @return [::String]
+            #     The SHA 256 hash, encoded in hexadecimal, of the DER x509 certificate.
+            class CertificateFingerprint
+              include ::Google::Protobuf::MessageExts
+              extend ::Google::Protobuf::MessageExts::ClassMethods
+            end
+          end
+
+          # An {::Google::Cloud::Security::PrivateCA::V1::ObjectId ObjectId} specifies an object identifier (OID). These provide context
+          # and describe types in ASN.1 messages.
+          # @!attribute [rw] object_id_path
+          #   @return [::Array<::Integer>]
+          #     Required. The parts of an OID path. The most significant parts of the path come
+          #     first.
+          class ObjectId
+            include ::Google::Protobuf::MessageExts
+            extend ::Google::Protobuf::MessageExts::ClassMethods
+          end
+
+          # An {::Google::Cloud::Security::PrivateCA::V1::X509Extension X509Extension} specifies an X.509 extension, which may be used in
+          # different parts of X.509 objects like certificates, CSRs, and CRLs.
+          # @!attribute [rw] object_id
+          #   @return [::Google::Cloud::Security::PrivateCA::V1::ObjectId]
+          #     Required. The OID for this X.509 extension.
+          # @!attribute [rw] critical
+          #   @return [::Boolean]
+          #     Required. Indicates whether or not this extension is critical (i.e., if the client
+          #     does not know how to handle this extension, the client should consider this
+          #     to be an error).
+          # @!attribute [rw] value
+          #   @return [::String]
+          #     Required. The value of this X.509 extension.
+          class X509Extension
+            include ::Google::Protobuf::MessageExts
+            extend ::Google::Protobuf::MessageExts::ClassMethods
+          end
+
+          # A {::Google::Cloud::Security::PrivateCA::V1::KeyUsage KeyUsage} describes key usage values that may appear in an X.509
+          # certificate.
+          # @!attribute [rw] base_key_usage
+          #   @return [::Google::Cloud::Security::PrivateCA::V1::KeyUsage::KeyUsageOptions]
+          #     Describes high-level ways in which a key may be used.
+          # @!attribute [rw] extended_key_usage
+          #   @return [::Google::Cloud::Security::PrivateCA::V1::KeyUsage::ExtendedKeyUsageOptions]
+          #     Detailed scenarios in which a key may be used.
+          # @!attribute [rw] unknown_extended_key_usages
+          #   @return [::Array<::Google::Cloud::Security::PrivateCA::V1::ObjectId>]
+          #     Used to describe extended key usages that are not listed in the
+          #     {::Google::Cloud::Security::PrivateCA::V1::KeyUsage::ExtendedKeyUsageOptions KeyUsage.ExtendedKeyUsageOptions} message.
+          class KeyUsage
+            include ::Google::Protobuf::MessageExts
+            extend ::Google::Protobuf::MessageExts::ClassMethods
+
+            # {::Google::Cloud::Security::PrivateCA::V1::KeyUsage::KeyUsageOptions KeyUsage.KeyUsageOptions} corresponds to the key usage values
+            # described in https://tools.ietf.org/html/rfc5280#section-4.2.1.3.
+            # @!attribute [rw] digital_signature
+            #   @return [::Boolean]
+            #     The key may be used for digital signatures.
+            # @!attribute [rw] content_commitment
+            #   @return [::Boolean]
+            #     The key may be used for cryptographic commitments. Note that this may
+            #     also be referred to as "non-repudiation".
+            # @!attribute [rw] key_encipherment
+            #   @return [::Boolean]
+            #     The key may be used to encipher other keys.
+            # @!attribute [rw] data_encipherment
+            #   @return [::Boolean]
+            #     The key may be used to encipher data.
+            # @!attribute [rw] key_agreement
+            #   @return [::Boolean]
+            #     The key may be used in a key agreement protocol.
+            # @!attribute [rw] cert_sign
+            #   @return [::Boolean]
+            #     The key may be used to sign certificates.
+            # @!attribute [rw] crl_sign
+            #   @return [::Boolean]
+            #     The key may be used sign certificate revocation lists.
+            # @!attribute [rw] encipher_only
+            #   @return [::Boolean]
+            #     The key may be used to encipher only.
+            # @!attribute [rw] decipher_only
+            #   @return [::Boolean]
+            #     The key may be used to decipher only.
+            class KeyUsageOptions
+              include ::Google::Protobuf::MessageExts
+              extend ::Google::Protobuf::MessageExts::ClassMethods
+            end
+
+            # {::Google::Cloud::Security::PrivateCA::V1::KeyUsage::ExtendedKeyUsageOptions KeyUsage.ExtendedKeyUsageOptions} has fields that correspond to
+            # certain common OIDs that could be specified as an extended key usage value.
+            # @!attribute [rw] server_auth
+            #   @return [::Boolean]
+            #     Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as "TLS WWW
+            #     server authentication", though regularly used for non-WWW TLS.
+            # @!attribute [rw] client_auth
+            #   @return [::Boolean]
+            #     Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as "TLS WWW
+            #     client authentication", though regularly used for non-WWW TLS.
+            # @!attribute [rw] code_signing
+            #   @return [::Boolean]
+            #     Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as "Signing of
+            #     downloadable executable code client authentication".
+            # @!attribute [rw] email_protection
+            #   @return [::Boolean]
+            #     Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as "Email
+            #     protection".
+            # @!attribute [rw] time_stamping
+            #   @return [::Boolean]
+            #     Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as "Binding
+            #     the hash of an object to a time".
+            # @!attribute [rw] ocsp_signing
+            #   @return [::Boolean]
+            #     Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as "Signing
+            #     OCSP responses".
+            class ExtendedKeyUsageOptions
+              include ::Google::Protobuf::MessageExts
+              extend ::Google::Protobuf::MessageExts::ClassMethods
+            end
+          end
+
+          # {::Google::Cloud::Security::PrivateCA::V1::Subject Subject} describes parts of a distinguished name that, in turn,
+          # describes the subject of the certificate.
+          # @!attribute [rw] common_name
+          #   @return [::String]
+          #     The "common name" of the subject.
+          # @!attribute [rw] country_code
+          #   @return [::String]
+          #     The country code of the subject.
+          # @!attribute [rw] organization
+          #   @return [::String]
+          #     The organization of the subject.
+          # @!attribute [rw] organizational_unit
+          #   @return [::String]
+          #     The organizational_unit of the subject.
+          # @!attribute [rw] locality
+          #   @return [::String]
+          #     The locality or city of the subject.
+          # @!attribute [rw] province
+          #   @return [::String]
+          #     The province, territory, or regional state of the subject.
+          # @!attribute [rw] street_address
+          #   @return [::String]
+          #     The street address of the subject.
+          # @!attribute [rw] postal_code
+          #   @return [::String]
+          #     The postal code of the subject.
+          class Subject
+            include ::Google::Protobuf::MessageExts
+            extend ::Google::Protobuf::MessageExts::ClassMethods
+          end
+
+          # {::Google::Cloud::Security::PrivateCA::V1::SubjectAltNames SubjectAltNames} corresponds to a more modern way of listing what
+          # the asserted identity is in a certificate (i.e., compared to the "common
+          # name" in the distinguished name).
+          # @!attribute [rw] dns_names
+          #   @return [::Array<::String>]
+          #     Contains only valid, fully-qualified host names.
+          # @!attribute [rw] uris
+          #   @return [::Array<::String>]
+          #     Contains only valid RFC 3986 URIs.
+          # @!attribute [rw] email_addresses
+          #   @return [::Array<::String>]
+          #     Contains only valid RFC 2822 E-mail addresses.
+          # @!attribute [rw] ip_addresses
+          #   @return [::Array<::String>]
+          #     Contains only valid 32-bit IPv4 addresses or RFC 4291 IPv6 addresses.
+          # @!attribute [rw] custom_sans
+          #   @return [::Array<::Google::Cloud::Security::PrivateCA::V1::X509Extension>]
+          #     Contains additional subject alternative name values.
+          class SubjectAltNames
+            include ::Google::Protobuf::MessageExts
+            extend ::Google::Protobuf::MessageExts::ClassMethods
+          end
+
+          # Describes constraints on a {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate}'s {::Google::Cloud::Security::PrivateCA::V1::Subject Subject} and
+          # {::Google::Cloud::Security::PrivateCA::V1::SubjectAltNames SubjectAltNames}.
+          # @!attribute [rw] cel_expression
+          #   @return [::Google::Type::Expr]
+          #     Optional. A CEL expression that may be used to validate the resolved X.509 Subject
+          #     and/or Subject Alternative Name before a certificate is signed.
+          #     To see the full allowed syntax and some examples, see
+          #     https://cloud.google.com/certificate-authority-service/docs/cel-guide
+          # @!attribute [rw] allow_subject_passthrough
+          #   @return [::Boolean]
+          #     Required. If this is true, the {::Google::Cloud::Security::PrivateCA::V1::Subject Subject} field may be copied from a certificate
+          #     request into the signed certificate. Otherwise, the requested {::Google::Cloud::Security::PrivateCA::V1::Subject Subject}
+          #     will be discarded. The bool is optional to indicate an unset field, which suggests a forgotten value that needs to be set by the caller.
+          # @!attribute [rw] allow_subject_alt_names_passthrough
+          #   @return [::Boolean]
+          #     Required. If this is true, the {::Google::Cloud::Security::PrivateCA::V1::SubjectAltNames SubjectAltNames} extension may be copied from a
+          #     certificate request into the signed certificate. Otherwise, the requested
+          #     {::Google::Cloud::Security::PrivateCA::V1::SubjectAltNames SubjectAltNames} will be discarded.
+          #     The bool is optional to indicate an unset field, which suggests a forgotten value that needs to be set by the caller.
+          class CertificateIdentityConstraints
+            include ::Google::Protobuf::MessageExts
+            extend ::Google::Protobuf::MessageExts::ClassMethods
+          end
+
+          # Describes a set of X.509 extensions that may be part of some certificate
+          # issuance controls.
+          # @!attribute [rw] known_extensions
+          #   @return [::Array<::Google::Cloud::Security::PrivateCA::V1::CertificateExtensionConstraints::KnownCertificateExtension>]
+          #     Optional. A set of named X.509 extensions. Will be combined with
+          #     {::Google::Cloud::Security::PrivateCA::V1::CertificateExtensionConstraints#additional_extensions additional_extensions} to determine the full set of X.509 extensions.
+          # @!attribute [rw] additional_extensions
+          #   @return [::Array<::Google::Cloud::Security::PrivateCA::V1::ObjectId>]
+          #     Optional. A set of {::Google::Cloud::Security::PrivateCA::V1::ObjectId ObjectIds} identifying custom X.509 extensions.
+          #     Will be combined with {::Google::Cloud::Security::PrivateCA::V1::CertificateExtensionConstraints#known_extensions known_extensions} to determine the full set of
+          #     X.509 extensions.
+          class CertificateExtensionConstraints
+            include ::Google::Protobuf::MessageExts
+            extend ::Google::Protobuf::MessageExts::ClassMethods
+
+            # Describes well-known X.509 extensions that can appear in a {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate},
+            # not including the {::Google::Cloud::Security::PrivateCA::V1::SubjectAltNames SubjectAltNames} extension.
+            module KnownCertificateExtension
+              # Not specified.
+              KNOWN_CERTIFICATE_EXTENSION_UNSPECIFIED = 0
+
+              # Refers to a certificate's Key Usage extension, as described in [RFC 5280
+              # section 4.2.1.3](https://tools.ietf.org/html/rfc5280#section-4.2.1.3).
+              # This corresponds to the {::Google::Cloud::Security::PrivateCA::V1::KeyUsage#base_key_usage KeyUsage.base_key_usage} field.
+              BASE_KEY_USAGE = 1
+
+              # Refers to a certificate's Extended Key Usage extension, as described in
+              # [RFC 5280
+              # section 4.2.1.12](https://tools.ietf.org/html/rfc5280#section-4.2.1.12).
+              # This corresponds to the {::Google::Cloud::Security::PrivateCA::V1::KeyUsage#extended_key_usage KeyUsage.extended_key_usage} message.
+              EXTENDED_KEY_USAGE = 2
+
+              # Refers to a certificate's Basic Constraints extension, as described in
+              # [RFC 5280
+              # section 4.2.1.9](https://tools.ietf.org/html/rfc5280#section-4.2.1.9).
+              # This corresponds to the {::Google::Cloud::Security::PrivateCA::V1::X509Parameters#ca_options X509Parameters.ca_options} field.
+              CA_OPTIONS = 3
+
+              # Refers to a certificate's Policy object identifiers, as described in
+              # [RFC 5280
+              # section 4.2.1.4](https://tools.ietf.org/html/rfc5280#section-4.2.1.4).
+              # This corresponds to the {::Google::Cloud::Security::PrivateCA::V1::X509Parameters#policy_ids X509Parameters.policy_ids} field.
+              POLICY_IDS = 4
+
+              # Refers to OCSP servers in a certificate's Authority Information Access
+              # extension, as described in
+              # [RFC 5280
+              # section 4.2.2.1](https://tools.ietf.org/html/rfc5280#section-4.2.2.1),
+              # This corresponds to the {::Google::Cloud::Security::PrivateCA::V1::X509Parameters#aia_ocsp_servers X509Parameters.aia_ocsp_servers} field.
+              AIA_OCSP_SERVERS = 5
+            end
+          end
+
+          # A {::Google::Cloud::Security::PrivateCA::V1::RevocationReason RevocationReason} indicates whether a {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} has been revoked,
+          # and the reason for revocation. These correspond to standard revocation
+          # reasons from RFC 5280. Note that the enum labels and values in this
+          # definition are not the same ASN.1 values defined in RFC 5280. These values
+          # will be translated to the correct ASN.1 values when a CRL is created.
+          module RevocationReason
+            # Default unspecified value. This value does indicate that a {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate}
+            # has been revoked, but that a reason has not been recorded.
+            REVOCATION_REASON_UNSPECIFIED = 0
+
+            # Key material for this {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} may have leaked.
+            KEY_COMPROMISE = 1
+
+            # The key material for a certificate authority in the issuing path may have
+            # leaked.
+            CERTIFICATE_AUTHORITY_COMPROMISE = 2
+
+            # The subject or other attributes in this {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} have changed.
+            AFFILIATION_CHANGED = 3
+
+            # This {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} has been superseded.
+            SUPERSEDED = 4
+
+            # This {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} or entities in the issuing path have ceased to
+            # operate.
+            CESSATION_OF_OPERATION = 5
+
+            # This {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} should not be considered valid, it is expected that it
+            # may become valid in the future.
+            CERTIFICATE_HOLD = 6
+
+            # This {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} no longer has permission to assert the listed
+            # attributes.
+            PRIVILEGE_WITHDRAWN = 7
+
+            # The authority which determines appropriate attributes for a {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate}
+            # may have been compromised.
+            ATTRIBUTE_AUTHORITY_COMPROMISE = 8
+          end
+
+          # Describes the way in which a {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate}'s {::Google::Cloud::Security::PrivateCA::V1::Subject Subject} and/or
+          # {::Google::Cloud::Security::PrivateCA::V1::SubjectAltNames SubjectAltNames} will be resolved.
+          module SubjectRequestMode
+            # Not specified.
+            SUBJECT_REQUEST_MODE_UNSPECIFIED = 0
+
+            # The default mode used in most cases. Indicates that the certificate's
+            # {::Google::Cloud::Security::PrivateCA::V1::Subject Subject} and/or {::Google::Cloud::Security::PrivateCA::V1::SubjectAltNames SubjectAltNames} are specified in the certificate
+            # request. This mode requires the caller to have the
+            # `privateca.certificates.create` permission.
+            DEFAULT = 1
+
+            # A mode reserved for special cases. Indicates that the certificate should
+            # have one or more SPIFFE {::Google::Cloud::Security::PrivateCA::V1::SubjectAltNames SubjectAltNames} set by the service based
+            # on the caller's identity. This mode will ignore any explicitly specified
+            # {::Google::Cloud::Security::PrivateCA::V1::Subject Subject} and/or {::Google::Cloud::Security::PrivateCA::V1::SubjectAltNames SubjectAltNames} in the certificate request.
+            # This mode requires the caller to have the
+            # `privateca.certificates.createForSelf` permission.
+            REFLECTED_SPIFFE = 2
+          end
+        end
+      end
+    end
+  end
+end