google-cloud-security-private_ca-v1 0.3.0 → 0.5.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/AUTHENTICATION.md +1 -1
- data/README.md +6 -6
- data/lib/google/cloud/security/private_ca/v1/certificate_authority_service/client.rb +415 -330
- data/lib/google/cloud/security/private_ca/v1/certificate_authority_service/operations.rb +15 -14
- data/lib/google/cloud/security/private_ca/v1/certificate_authority_service.rb +4 -3
- data/lib/google/cloud/security/private_ca/v1/version.rb +1 -1
- data/lib/google/cloud/security/private_ca/v1.rb +2 -2
- data/lib/google/cloud/security/privateca/v1/resources_pb.rb +14 -0
- data/lib/google/cloud/security/privateca/v1/service_services_pb.rb +64 -32
- data/proto_docs/google/api/client.rb +318 -0
- data/proto_docs/google/api/launch_stage.rb +71 -0
- data/proto_docs/google/cloud/security/privateca/v1/resources.rb +588 -302
- data/proto_docs/google/cloud/security/privateca/v1/service.rb +297 -223
- data/proto_docs/google/protobuf/empty.rb +0 -2
- data/proto_docs/google/rpc/status.rb +4 -2
- metadata +18 -16
@@ -22,77 +22,113 @@ module Google
|
|
22
22
|
module Security
|
23
23
|
module PrivateCA
|
24
24
|
module V1
|
25
|
-
# A
|
26
|
-
#
|
25
|
+
# A
|
26
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}
|
27
|
+
# represents an individual Certificate Authority. A
|
28
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}
|
29
|
+
# can be used to create
|
30
|
+
# {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates}.
|
27
31
|
# @!attribute [r] name
|
28
32
|
# @return [::String]
|
29
|
-
# Output only. The resource name for this
|
30
|
-
#
|
33
|
+
# Output only. The resource name for this
|
34
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}
|
35
|
+
# in the format `projects/*/locations/*/caPools/*/certificateAuthorities/*`.
|
31
36
|
# @!attribute [rw] type
|
32
37
|
# @return [::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority::Type]
|
33
|
-
# Required. Immutable. The
|
38
|
+
# Required. Immutable. The
|
39
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority::Type Type} of
|
40
|
+
# this
|
41
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}.
|
34
42
|
# @!attribute [rw] config
|
35
43
|
# @return [::Google::Cloud::Security::PrivateCA::V1::CertificateConfig]
|
36
|
-
# Required. Immutable. The config used to create a self-signed X.509
|
44
|
+
# Required. Immutable. The config used to create a self-signed X.509
|
45
|
+
# certificate or CSR.
|
37
46
|
# @!attribute [rw] lifetime
|
38
47
|
# @return [::Google::Protobuf::Duration]
|
39
|
-
# Required. Immutable. The desired lifetime of the CA certificate. Used to
|
40
|
-
# "not_before_time" and "not_after_time" fields inside an X.509
|
48
|
+
# Required. Immutable. The desired lifetime of the CA certificate. Used to
|
49
|
+
# create the "not_before_time" and "not_after_time" fields inside an X.509
|
41
50
|
# certificate.
|
42
51
|
# @!attribute [rw] key_spec
|
43
52
|
# @return [::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority::KeyVersionSpec]
|
44
|
-
# Required. Immutable. Used when issuing certificates for this
|
45
|
-
# {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}
|
46
|
-
#
|
47
|
-
#
|
53
|
+
# Required. Immutable. Used when issuing certificates for this
|
54
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}.
|
55
|
+
# If this
|
56
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}
|
57
|
+
# is a self-signed CertificateAuthority, this key is also used to sign the
|
58
|
+
# self-signed CA certificate. Otherwise, it is used to sign a CSR.
|
48
59
|
# @!attribute [rw] subordinate_config
|
49
60
|
# @return [::Google::Cloud::Security::PrivateCA::V1::SubordinateConfig]
|
50
|
-
# Optional. If this is a subordinate
|
51
|
-
#
|
52
|
-
#
|
61
|
+
# Optional. If this is a subordinate
|
62
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority},
|
63
|
+
# this field will be set with the subordinate configuration, which describes
|
64
|
+
# its issuers. This may be updated, but this
|
65
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}
|
66
|
+
# must continue to validate.
|
53
67
|
# @!attribute [r] tier
|
54
68
|
# @return [::Google::Cloud::Security::PrivateCA::V1::CaPool::Tier]
|
55
|
-
# Output only. The
|
69
|
+
# Output only. The
|
70
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CaPool::Tier CaPool.Tier} of the
|
71
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool} that includes this
|
56
72
|
# {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}.
|
57
73
|
# @!attribute [r] state
|
58
74
|
# @return [::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority::State]
|
59
|
-
# Output only. The
|
75
|
+
# Output only. The
|
76
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority::State State} for
|
77
|
+
# this
|
78
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}.
|
60
79
|
# @!attribute [r] pem_ca_certificates
|
61
80
|
# @return [::Array<::String>]
|
62
|
-
# Output only. This
|
63
|
-
# {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}'s
|
64
|
-
#
|
65
|
-
#
|
81
|
+
# Output only. This
|
82
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}'s
|
83
|
+
# certificate chain, including the current
|
84
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}'s
|
85
|
+
# certificate. Ordered such that the root issuer is the final element
|
86
|
+
# (consistent with RFC 5246). For a self-signed CA, this will only list the
|
87
|
+
# current
|
88
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}'s
|
89
|
+
# certificate.
|
66
90
|
# @!attribute [r] ca_certificate_descriptions
|
67
91
|
# @return [::Array<::Google::Cloud::Security::PrivateCA::V1::CertificateDescription>]
|
68
|
-
# Output only. A structured description of this
|
69
|
-
#
|
92
|
+
# Output only. A structured description of this
|
93
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}'s
|
94
|
+
# CA certificate and its issuers. Ordered as self-to-root.
|
70
95
|
# @!attribute [rw] gcs_bucket
|
71
96
|
# @return [::String]
|
72
|
-
# Immutable. The name of a Cloud Storage bucket where this
|
73
|
-
#
|
74
|
-
#
|
97
|
+
# Immutable. The name of a Cloud Storage bucket where this
|
98
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}
|
99
|
+
# will publish content, such as the CA certificate and CRLs. This must be a
|
100
|
+
# bucket name, without any prefixes (such as `gs://`) or suffixes (such as
|
75
101
|
# `.googleapis.com`). For example, to use a bucket named `my-bucket`, you
|
76
102
|
# would simply specify `my-bucket`. If not specified, a managed bucket will
|
77
103
|
# be created.
|
78
104
|
# @!attribute [r] access_urls
|
79
105
|
# @return [::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority::AccessUrls]
|
80
|
-
# Output only. URLs for accessing content published by this CA, such as the
|
81
|
-
# and CRLs.
|
106
|
+
# Output only. URLs for accessing content published by this CA, such as the
|
107
|
+
# CA certificate and CRLs.
|
82
108
|
# @!attribute [r] create_time
|
83
109
|
# @return [::Google::Protobuf::Timestamp]
|
84
|
-
# Output only. The time at which this
|
110
|
+
# Output only. The time at which this
|
111
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}
|
112
|
+
# was created.
|
85
113
|
# @!attribute [r] update_time
|
86
114
|
# @return [::Google::Protobuf::Timestamp]
|
87
|
-
# Output only. The time at which this
|
115
|
+
# Output only. The time at which this
|
116
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}
|
117
|
+
# was last updated.
|
88
118
|
# @!attribute [r] delete_time
|
89
119
|
# @return [::Google::Protobuf::Timestamp]
|
90
|
-
# Output only. The time at which this
|
91
|
-
#
|
120
|
+
# Output only. The time at which this
|
121
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}
|
122
|
+
# was soft deleted, if it is in the
|
123
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority::State::DELETED DELETED}
|
124
|
+
# state.
|
92
125
|
# @!attribute [r] expire_time
|
93
126
|
# @return [::Google::Protobuf::Timestamp]
|
94
|
-
# Output only. The time at which this
|
95
|
-
#
|
127
|
+
# Output only. The time at which this
|
128
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}
|
129
|
+
# will be permanently purged, if it is in the
|
130
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority::State::DELETED DELETED}
|
131
|
+
# state.
|
96
132
|
# @!attribute [rw] labels
|
97
133
|
# @return [::Google::Protobuf::Map{::String => ::String}]
|
98
134
|
# Optional. Labels with user-defined metadata.
|
@@ -100,21 +136,29 @@ module Google
|
|
100
136
|
include ::Google::Protobuf::MessageExts
|
101
137
|
extend ::Google::Protobuf::MessageExts::ClassMethods
|
102
138
|
|
103
|
-
# URLs where a
|
139
|
+
# URLs where a
|
140
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}
|
141
|
+
# will publish content.
|
104
142
|
# @!attribute [rw] ca_certificate_access_url
|
105
143
|
# @return [::String]
|
106
|
-
# The URL where this
|
107
|
-
#
|
144
|
+
# The URL where this
|
145
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}'s
|
146
|
+
# CA certificate is published. This will only be set for CAs that have been
|
147
|
+
# activated.
|
108
148
|
# @!attribute [rw] crl_access_urls
|
109
149
|
# @return [::Array<::String>]
|
110
|
-
# The URLs where this
|
111
|
-
#
|
150
|
+
# The URLs where this
|
151
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}'s
|
152
|
+
# CRLs are published. This will only be set for CAs that have been
|
153
|
+
# activated.
|
112
154
|
class AccessUrls
|
113
155
|
include ::Google::Protobuf::MessageExts
|
114
156
|
extend ::Google::Protobuf::MessageExts::ClassMethods
|
115
157
|
end
|
116
158
|
|
117
|
-
# A Cloud KMS key configuration that a
|
159
|
+
# A Cloud KMS key configuration that a
|
160
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}
|
161
|
+
# will use.
|
118
162
|
# @!attribute [rw] cloud_kms_key_version
|
119
163
|
# @return [::String]
|
120
164
|
# The resource name for an existing Cloud KMS CryptoKeyVersion in the
|
@@ -141,7 +185,9 @@ module Google
|
|
141
185
|
extend ::Google::Protobuf::MessageExts::ClassMethods
|
142
186
|
end
|
143
187
|
|
144
|
-
# The type of a
|
188
|
+
# The type of a
|
189
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority},
|
190
|
+
# indicating its issuing chain.
|
145
191
|
module Type
|
146
192
|
# Not specified.
|
147
193
|
TYPE_UNSPECIFIED = 0
|
@@ -149,42 +195,56 @@ module Google
|
|
149
195
|
# Self-signed CA.
|
150
196
|
SELF_SIGNED = 1
|
151
197
|
|
152
|
-
# Subordinate CA. Could be issued by a Private CA
|
198
|
+
# Subordinate CA. Could be issued by a Private CA
|
199
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}
|
153
200
|
# or an unmanaged CA.
|
154
201
|
SUBORDINATE = 2
|
155
202
|
end
|
156
203
|
|
157
|
-
# The state of a
|
204
|
+
# The state of a
|
205
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority},
|
206
|
+
# indicating if it can be used.
|
158
207
|
module State
|
159
208
|
# Not specified.
|
160
209
|
STATE_UNSPECIFIED = 0
|
161
210
|
|
162
211
|
# Certificates can be issued from this CA. CRLs will be generated for this
|
163
|
-
# CA. The CA will be part of the
|
164
|
-
#
|
212
|
+
# CA. The CA will be part of the
|
213
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}'s trust anchor, and
|
214
|
+
# will be used to issue certificates from the
|
215
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
|
165
216
|
ENABLED = 1
|
166
217
|
|
167
218
|
# Certificates cannot be issued from this CA. CRLs will still be generated.
|
168
|
-
# The CA will be part of the
|
169
|
-
#
|
219
|
+
# The CA will be part of the
|
220
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}'s trust anchor, but
|
221
|
+
# will not be used to issue certificates from the
|
222
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
|
170
223
|
DISABLED = 2
|
171
224
|
|
172
225
|
# Certificates can be issued from this CA. CRLs will be generated for this
|
173
|
-
# CA. The CA will be part of the
|
174
|
-
#
|
226
|
+
# CA. The CA will be part of the
|
227
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}'s trust anchor, but
|
228
|
+
# will not be used to issue certificates from the
|
229
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
|
175
230
|
STAGED = 3
|
176
231
|
|
177
232
|
# Certificates cannot be issued from this CA. CRLs will not be generated.
|
178
|
-
# The CA will not be part of the
|
179
|
-
#
|
233
|
+
# The CA will not be part of the
|
234
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}'s trust anchor, and
|
235
|
+
# will not be used to issue certificates from the
|
236
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
|
180
237
|
AWAITING_USER_ACTIVATION = 4
|
181
238
|
|
182
239
|
# Certificates cannot be issued from this CA. CRLs will not be generated.
|
183
240
|
# The CA may still be recovered by calling
|
184
|
-
# {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthorityService::Client#undelete_certificate_authority CertificateAuthorityService.UndeleteCertificateAuthority}
|
241
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthorityService::Client#undelete_certificate_authority CertificateAuthorityService.UndeleteCertificateAuthority}
|
242
|
+
# before
|
185
243
|
# {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority#expire_time expire_time}.
|
186
|
-
# The CA will not be part of the
|
187
|
-
#
|
244
|
+
# The CA will not be part of the
|
245
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}'s trust anchor, and
|
246
|
+
# will not be used to issue certificates from the
|
247
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
|
188
248
|
DELETED = 5
|
189
249
|
end
|
190
250
|
|
@@ -228,26 +288,37 @@ module Google
|
|
228
288
|
end
|
229
289
|
|
230
290
|
# A {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool} represents a group of
|
231
|
-
# {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthorities}
|
232
|
-
#
|
233
|
-
# {::Google::Cloud::Security::PrivateCA::V1::
|
234
|
-
#
|
291
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthorities}
|
292
|
+
# that form a trust anchor. A
|
293
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool} can be used to manage
|
294
|
+
# issuance policies for one or more
|
295
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}
|
296
|
+
# resources and to rotate CA certificates in and out of the trust anchor.
|
235
297
|
# @!attribute [r] name
|
236
298
|
# @return [::String]
|
237
|
-
# Output only. The resource name for this
|
238
|
-
# format
|
299
|
+
# Output only. The resource name for this
|
300
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool} in the format
|
301
|
+
# `projects/*/locations/*/caPools/*`.
|
239
302
|
# @!attribute [rw] tier
|
240
303
|
# @return [::Google::Cloud::Security::PrivateCA::V1::CaPool::Tier]
|
241
|
-
# Required. Immutable. The
|
304
|
+
# Required. Immutable. The
|
305
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CaPool::Tier Tier} of this
|
306
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
|
242
307
|
# @!attribute [rw] issuance_policy
|
243
308
|
# @return [::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy]
|
244
|
-
# Optional. The
|
245
|
-
#
|
309
|
+
# Optional. The
|
310
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy IssuancePolicy}
|
311
|
+
# to control how
|
312
|
+
# {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates} will be
|
313
|
+
# issued from this {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
|
246
314
|
# @!attribute [rw] publishing_options
|
247
315
|
# @return [::Google::Cloud::Security::PrivateCA::V1::CaPool::PublishingOptions]
|
248
|
-
# Optional. The
|
249
|
-
# {::Google::Cloud::Security::PrivateCA::V1::
|
250
|
-
#
|
316
|
+
# Optional. The
|
317
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CaPool::PublishingOptions PublishingOptions}
|
318
|
+
# to follow when issuing
|
319
|
+
# {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates} from any
|
320
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}
|
321
|
+
# in this {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
|
251
322
|
# @!attribute [rw] labels
|
252
323
|
# @return [::Google::Protobuf::Map{::String => ::String}]
|
253
324
|
# Optional. Labels with user-defined metadata.
|
@@ -255,83 +326,108 @@ module Google
|
|
255
326
|
include ::Google::Protobuf::MessageExts
|
256
327
|
extend ::Google::Protobuf::MessageExts::ClassMethods
|
257
328
|
|
258
|
-
# Options relating to the publication of each
|
259
|
-
#
|
260
|
-
#
|
261
|
-
#
|
329
|
+
# Options relating to the publication of each
|
330
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}'s
|
331
|
+
# CA certificate and CRLs and their inclusion as extensions in issued
|
332
|
+
# {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates}. The options
|
333
|
+
# set here apply to certificates issued by any
|
334
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}
|
335
|
+
# in the {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
|
262
336
|
# @!attribute [rw] publish_ca_cert
|
263
337
|
# @return [::Boolean]
|
264
|
-
# Optional. When true, publishes each
|
265
|
-
#
|
266
|
-
#
|
267
|
-
#
|
268
|
-
#
|
338
|
+
# Optional. When true, publishes each
|
339
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}'s
|
340
|
+
# CA certificate and includes its URL in the "Authority Information Access"
|
341
|
+
# X.509 extension in all issued
|
342
|
+
# {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates}. If this
|
343
|
+
# is false, the CA certificate will not be published and the corresponding
|
344
|
+
# X.509 extension will not be written in issued certificates.
|
269
345
|
# @!attribute [rw] publish_crl
|
270
346
|
# @return [::Boolean]
|
271
|
-
# Optional. When true, publishes each
|
272
|
-
#
|
273
|
-
#
|
274
|
-
#
|
275
|
-
#
|
276
|
-
# CRLs will
|
277
|
-
#
|
347
|
+
# Optional. When true, publishes each
|
348
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}'s
|
349
|
+
# CRL and includes its URL in the "CRL Distribution Points" X.509 extension
|
350
|
+
# in all issued
|
351
|
+
# {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates}. If this
|
352
|
+
# is false, CRLs will not be published and the corresponding X.509
|
353
|
+
# extension will not be written in issued certificates. CRLs will expire 7
|
354
|
+
# days from their creation. However, we will rebuild daily. CRLs are also
|
355
|
+
# rebuilt shortly after a certificate is revoked.
|
278
356
|
class PublishingOptions
|
279
357
|
include ::Google::Protobuf::MessageExts
|
280
358
|
extend ::Google::Protobuf::MessageExts::ClassMethods
|
281
359
|
end
|
282
360
|
|
283
|
-
# Defines controls over all certificate issuance within a
|
361
|
+
# Defines controls over all certificate issuance within a
|
362
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
|
284
363
|
# @!attribute [rw] allowed_key_types
|
285
364
|
# @return [::Array<::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::AllowedKeyType>]
|
286
|
-
# Optional. If any
|
287
|
-
#
|
288
|
-
#
|
365
|
+
# Optional. If any
|
366
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::AllowedKeyType AllowedKeyType}
|
367
|
+
# is specified, then the certificate request's public key must match one of
|
368
|
+
# the key types listed here. Otherwise, any key may be used.
|
289
369
|
# @!attribute [rw] maximum_lifetime
|
290
370
|
# @return [::Google::Protobuf::Duration]
|
291
|
-
# Optional. The maximum lifetime allowed for issued
|
292
|
-
#
|
293
|
-
#
|
294
|
-
#
|
371
|
+
# Optional. The maximum lifetime allowed for issued
|
372
|
+
# {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates}. Note that
|
373
|
+
# if the issuing
|
374
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}
|
375
|
+
# expires before a
|
376
|
+
# {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate}'s requested
|
377
|
+
# maximum_lifetime, the effective lifetime will be explicitly truncated to
|
378
|
+
# match it.
|
295
379
|
# @!attribute [rw] allowed_issuance_modes
|
296
380
|
# @return [::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::IssuanceModes]
|
297
|
-
# Optional. If specified, then only methods allowed in the
|
298
|
-
#
|
381
|
+
# Optional. If specified, then only methods allowed in the
|
382
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::IssuanceModes IssuanceModes}
|
383
|
+
# may be used to issue
|
384
|
+
# {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates}.
|
299
385
|
# @!attribute [rw] baseline_values
|
300
386
|
# @return [::Google::Cloud::Security::PrivateCA::V1::X509Parameters]
|
301
|
-
# Optional. A set of X.509 values that will be applied to all certificates
|
302
|
-
# through this {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
|
303
|
-
#
|
304
|
-
#
|
387
|
+
# Optional. A set of X.509 values that will be applied to all certificates
|
388
|
+
# issued through this {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
|
389
|
+
# If a certificate request includes conflicting values for the same
|
390
|
+
# properties, they will be overwritten by the values defined here. If a
|
391
|
+
# certificate request uses a
|
392
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CertificateTemplate CertificateTemplate}
|
305
393
|
# that defines conflicting
|
306
|
-
# {::Google::Cloud::Security::PrivateCA::V1::CertificateTemplate#predefined_values predefined_values}
|
307
|
-
# properties, the certificate issuance request will fail.
|
394
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CertificateTemplate#predefined_values predefined_values}
|
395
|
+
# for the same properties, the certificate issuance request will fail.
|
308
396
|
# @!attribute [rw] identity_constraints
|
309
397
|
# @return [::Google::Cloud::Security::PrivateCA::V1::CertificateIdentityConstraints]
|
310
398
|
# Optional. Describes constraints on identities that may appear in
|
311
|
-
# {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates} issued
|
312
|
-
#
|
313
|
-
#
|
399
|
+
# {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates} issued
|
400
|
+
# through this {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}. If this
|
401
|
+
# is omitted, then this {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}
|
402
|
+
# will not add restrictions on a certificate's identity.
|
314
403
|
# @!attribute [rw] passthrough_extensions
|
315
404
|
# @return [::Google::Cloud::Security::PrivateCA::V1::CertificateExtensionConstraints]
|
316
405
|
# Optional. Describes the set of X.509 extensions that may appear in a
|
317
|
-
# {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} issued
|
318
|
-
#
|
406
|
+
# {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} issued
|
407
|
+
# through this {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}. If a
|
408
|
+
# certificate request sets extensions that don't appear in the
|
409
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy#passthrough_extensions passthrough_extensions},
|
319
410
|
# those extensions will be dropped. If a certificate request uses a
|
320
|
-
# {::Google::Cloud::Security::PrivateCA::V1::CertificateTemplate CertificateTemplate}
|
321
|
-
#
|
322
|
-
#
|
323
|
-
#
|
324
|
-
#
|
325
|
-
#
|
411
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CertificateTemplate CertificateTemplate}
|
412
|
+
# with
|
413
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CertificateTemplate#predefined_values predefined_values}
|
414
|
+
# that don't appear here, the certificate issuance request will fail. If
|
415
|
+
# this is omitted, then this
|
416
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool} will not add
|
417
|
+
# restrictions on a certificate's X.509 extensions. These constraints do
|
418
|
+
# not apply to X.509 extensions set in this
|
419
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}'s
|
420
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy#baseline_values baseline_values}.
|
326
421
|
class IssuancePolicy
|
327
422
|
include ::Google::Protobuf::MessageExts
|
328
423
|
extend ::Google::Protobuf::MessageExts::ClassMethods
|
329
424
|
|
330
|
-
# Describes a "type" of key that may be used in a
|
331
|
-
#
|
332
|
-
#
|
333
|
-
#
|
334
|
-
#
|
425
|
+
# Describes a "type" of key that may be used in a
|
426
|
+
# {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} issued from
|
427
|
+
# a {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}. Note that a single
|
428
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::AllowedKeyType AllowedKeyType}
|
429
|
+
# may refer to either a fully-qualified key algorithm, such as RSA 4096, or
|
430
|
+
# a family of key algorithms, such as any RSA key.
|
335
431
|
# @!attribute [rw] rsa
|
336
432
|
# @return [::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::AllowedKeyType::RsaKeyType]
|
337
433
|
# Represents an allowed RSA key type.
|
@@ -342,35 +438,39 @@ module Google
|
|
342
438
|
include ::Google::Protobuf::MessageExts
|
343
439
|
extend ::Google::Protobuf::MessageExts::ClassMethods
|
344
440
|
|
345
|
-
# Describes an RSA key that may be used in a
|
346
|
-
#
|
441
|
+
# Describes an RSA key that may be used in a
|
442
|
+
# {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} issued
|
443
|
+
# from a {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
|
347
444
|
# @!attribute [rw] min_modulus_size
|
348
445
|
# @return [::Integer]
|
349
|
-
# Optional. The minimum allowed RSA modulus size (inclusive), in bits.
|
350
|
-
# not set, or if set to zero, the service-level min RSA
|
351
|
-
# will continue to apply.
|
446
|
+
# Optional. The minimum allowed RSA modulus size (inclusive), in bits.
|
447
|
+
# If this is not set, or if set to zero, the service-level min RSA
|
448
|
+
# modulus size will continue to apply.
|
352
449
|
# @!attribute [rw] max_modulus_size
|
353
450
|
# @return [::Integer]
|
354
|
-
# Optional. The maximum allowed RSA modulus size (inclusive), in bits.
|
355
|
-
# not set, or if set to zero, the service will not enforce
|
356
|
-
# upper bound on RSA modulus sizes.
|
451
|
+
# Optional. The maximum allowed RSA modulus size (inclusive), in bits.
|
452
|
+
# If this is not set, or if set to zero, the service will not enforce
|
453
|
+
# an explicit upper bound on RSA modulus sizes.
|
357
454
|
class RsaKeyType
|
358
455
|
include ::Google::Protobuf::MessageExts
|
359
456
|
extend ::Google::Protobuf::MessageExts::ClassMethods
|
360
457
|
end
|
361
458
|
|
362
|
-
# Describes an Elliptic Curve key that may be used in a
|
363
|
-
#
|
459
|
+
# Describes an Elliptic Curve key that may be used in a
|
460
|
+
# {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} issued
|
461
|
+
# from a {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
|
364
462
|
# @!attribute [rw] signature_algorithm
|
365
463
|
# @return [::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::AllowedKeyType::EcKeyType::EcSignatureAlgorithm]
|
366
|
-
# Optional. A signature algorithm that must be used. If this is
|
367
|
-
# EC-based signature algorithm will be allowed.
|
464
|
+
# Optional. A signature algorithm that must be used. If this is
|
465
|
+
# omitted, any EC-based signature algorithm will be allowed.
|
368
466
|
class EcKeyType
|
369
467
|
include ::Google::Protobuf::MessageExts
|
370
468
|
extend ::Google::Protobuf::MessageExts::ClassMethods
|
371
469
|
|
372
470
|
# Describes an elliptic curve-based signature algorithm that may be
|
373
|
-
# used in a
|
471
|
+
# used in a
|
472
|
+
# {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} issued
|
473
|
+
# from a {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
|
374
474
|
module EcSignatureAlgorithm
|
375
475
|
# Not specified. Signifies that any signature algorithm may be used.
|
376
476
|
EC_SIGNATURE_ALGORITHM_UNSPECIFIED = 0
|
@@ -390,17 +490,21 @@ module Google
|
|
390
490
|
end
|
391
491
|
end
|
392
492
|
|
393
|
-
# {::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::IssuanceModes IssuanceModes}
|
394
|
-
#
|
395
|
-
# {::Google::Cloud::Security::PrivateCA::V1::
|
493
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::IssuanceModes IssuanceModes}
|
494
|
+
# specifies the allowed ways in which
|
495
|
+
# {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates} may be
|
496
|
+
# requested from this {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
|
396
497
|
# @!attribute [rw] allow_csr_based_issuance
|
397
498
|
# @return [::Boolean]
|
398
|
-
# Optional. When true, allows callers to create
|
499
|
+
# Optional. When true, allows callers to create
|
500
|
+
# {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates} by
|
399
501
|
# specifying a CSR.
|
400
502
|
# @!attribute [rw] allow_config_based_issuance
|
401
503
|
# @return [::Boolean]
|
402
|
-
# Optional. When true, allows callers to create
|
403
|
-
#
|
504
|
+
# Optional. When true, allows callers to create
|
505
|
+
# {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates} by
|
506
|
+
# specifying a
|
507
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CertificateConfig CertificateConfig}.
|
404
508
|
class IssuanceModes
|
405
509
|
include ::Google::Protobuf::MessageExts
|
406
510
|
extend ::Google::Protobuf::MessageExts::ClassMethods
|
@@ -416,8 +520,8 @@ module Google
|
|
416
520
|
extend ::Google::Protobuf::MessageExts::ClassMethods
|
417
521
|
end
|
418
522
|
|
419
|
-
# The tier of a {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool},
|
420
|
-
# billing SKU.
|
523
|
+
# The tier of a {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool},
|
524
|
+
# indicating its supported functionality and/or billing SKU.
|
421
525
|
module Tier
|
422
526
|
# Not specified.
|
423
527
|
TIER_UNSPECIFIED = 0
|
@@ -430,14 +534,15 @@ module Google
|
|
430
534
|
end
|
431
535
|
end
|
432
536
|
|
433
|
-
# A
|
434
|
-
#
|
435
|
-
#
|
537
|
+
# A
|
538
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CertificateRevocationList CertificateRevocationList}
|
539
|
+
# corresponds to a signed X.509 certificate Revocation List (CRL). A CRL
|
540
|
+
# contains the serial numbers of certificates that should no longer be trusted.
|
436
541
|
# @!attribute [r] name
|
437
542
|
# @return [::String]
|
438
|
-
# Output only. The resource name for this
|
439
|
-
#
|
440
|
-
# `projects/*/locations/*/caPools/*certificateAuthorities/*/
|
543
|
+
# Output only. The resource name for this
|
544
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CertificateRevocationList CertificateRevocationList}
|
545
|
+
# in the format `projects/*/locations/*/caPools/*certificateAuthorities/*/
|
441
546
|
# certificateRevocationLists/*`.
|
442
547
|
# @!attribute [r] sequence_number
|
443
548
|
# @return [::Integer]
|
@@ -453,18 +558,26 @@ module Google
|
|
453
558
|
# Output only. The location where 'pem_crl' can be accessed.
|
454
559
|
# @!attribute [r] state
|
455
560
|
# @return [::Google::Cloud::Security::PrivateCA::V1::CertificateRevocationList::State]
|
456
|
-
# Output only. The
|
561
|
+
# Output only. The
|
562
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CertificateRevocationList::State State}
|
563
|
+
# for this
|
564
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CertificateRevocationList CertificateRevocationList}.
|
457
565
|
# @!attribute [r] create_time
|
458
566
|
# @return [::Google::Protobuf::Timestamp]
|
459
|
-
# Output only. The time at which this
|
567
|
+
# Output only. The time at which this
|
568
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CertificateRevocationList CertificateRevocationList}
|
569
|
+
# was created.
|
460
570
|
# @!attribute [r] update_time
|
461
571
|
# @return [::Google::Protobuf::Timestamp]
|
462
|
-
# Output only. The time at which this
|
572
|
+
# Output only. The time at which this
|
573
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CertificateRevocationList CertificateRevocationList}
|
574
|
+
# was updated.
|
463
575
|
# @!attribute [r] revision_id
|
464
576
|
# @return [::String]
|
465
|
-
# Output only. The revision ID of this
|
466
|
-
#
|
467
|
-
#
|
577
|
+
# Output only. The revision ID of this
|
578
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CertificateRevocationList CertificateRevocationList}.
|
579
|
+
# A new revision is committed whenever a new CRL is published. The format is
|
580
|
+
# an 8-character hexadecimal string.
|
468
581
|
# @!attribute [rw] labels
|
469
582
|
# @return [::Google::Protobuf::Map{::String => ::String}]
|
470
583
|
# Optional. Labels with user-defined metadata.
|
@@ -472,17 +585,22 @@ module Google
|
|
472
585
|
include ::Google::Protobuf::MessageExts
|
473
586
|
extend ::Google::Protobuf::MessageExts::ClassMethods
|
474
587
|
|
475
|
-
# Describes a revoked
|
588
|
+
# Describes a revoked
|
589
|
+
# {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate}.
|
476
590
|
# @!attribute [rw] certificate
|
477
591
|
# @return [::String]
|
478
|
-
# The resource name for the
|
479
|
-
#
|
592
|
+
# The resource name for the
|
593
|
+
# {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} in the
|
594
|
+
# format `projects/*/locations/*/caPools/*/certificates/*`.
|
480
595
|
# @!attribute [rw] hex_serial_number
|
481
596
|
# @return [::String]
|
482
|
-
# The serial number of the
|
597
|
+
# The serial number of the
|
598
|
+
# {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate}.
|
483
599
|
# @!attribute [rw] revocation_reason
|
484
600
|
# @return [::Google::Cloud::Security::PrivateCA::V1::RevocationReason]
|
485
|
-
# The reason the
|
601
|
+
# The reason the
|
602
|
+
# {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} was
|
603
|
+
# revoked.
|
486
604
|
class RevokedCertificate
|
487
605
|
include ::Google::Protobuf::MessageExts
|
488
606
|
extend ::Google::Protobuf::MessageExts::ClassMethods
|
@@ -497,58 +615,73 @@ module Google
|
|
497
615
|
extend ::Google::Protobuf::MessageExts::ClassMethods
|
498
616
|
end
|
499
617
|
|
500
|
-
# The state of a
|
618
|
+
# The state of a
|
619
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CertificateRevocationList CertificateRevocationList},
|
620
|
+
# indicating if it is current.
|
501
621
|
module State
|
502
622
|
# Not specified.
|
503
623
|
STATE_UNSPECIFIED = 0
|
504
624
|
|
505
|
-
# The
|
625
|
+
# The
|
626
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CertificateRevocationList CertificateRevocationList}
|
627
|
+
# is up to date.
|
506
628
|
ACTIVE = 1
|
507
629
|
|
508
|
-
# The
|
630
|
+
# The
|
631
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CertificateRevocationList CertificateRevocationList}
|
632
|
+
# is no longer current.
|
509
633
|
SUPERSEDED = 2
|
510
634
|
end
|
511
635
|
end
|
512
636
|
|
513
|
-
# A {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} corresponds
|
637
|
+
# A {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} corresponds
|
638
|
+
# to a signed X.509 certificate issued by a
|
514
639
|
# {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}.
|
515
640
|
# @!attribute [r] name
|
516
641
|
# @return [::String]
|
517
|
-
# Output only. The resource name for this
|
642
|
+
# Output only. The resource name for this
|
643
|
+
# {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} in the format
|
518
644
|
# `projects/*/locations/*/caPools/*/certificates/*`.
|
519
645
|
# @!attribute [rw] pem_csr
|
520
646
|
# @return [::String]
|
521
647
|
# Immutable. A pem-encoded X.509 certificate signing request (CSR).
|
522
648
|
# @!attribute [rw] config
|
523
649
|
# @return [::Google::Cloud::Security::PrivateCA::V1::CertificateConfig]
|
524
|
-
# Immutable. A description of the certificate and key that does not require
|
525
|
-
# ASN.1.
|
650
|
+
# Immutable. A description of the certificate and key that does not require
|
651
|
+
# X.509 or ASN.1.
|
526
652
|
# @!attribute [r] issuer_certificate_authority
|
527
653
|
# @return [::String]
|
528
|
-
# Output only. The resource name of the issuing
|
529
|
-
#
|
654
|
+
# Output only. The resource name of the issuing
|
655
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}
|
656
|
+
# in the format `projects/*/locations/*/caPools/*/certificateAuthorities/*`.
|
530
657
|
# @!attribute [rw] lifetime
|
531
658
|
# @return [::Google::Protobuf::Duration]
|
532
|
-
# Required. Immutable. The desired lifetime of a certificate. Used to create
|
533
|
-
# "not_before_time" and "not_after_time" fields inside an X.509
|
659
|
+
# Required. Immutable. The desired lifetime of a certificate. Used to create
|
660
|
+
# the "not_before_time" and "not_after_time" fields inside an X.509
|
534
661
|
# certificate. Note that the lifetime may be truncated if it would extend
|
535
662
|
# past the life of any certificate authority in the issuing chain.
|
536
663
|
# @!attribute [rw] certificate_template
|
537
664
|
# @return [::String]
|
538
|
-
# Immutable. The resource name for a
|
539
|
-
#
|
665
|
+
# Immutable. The resource name for a
|
666
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CertificateTemplate CertificateTemplate}
|
667
|
+
# used to issue this certificate, in the format
|
540
668
|
# `projects/*/locations/*/certificateTemplates/*`.
|
541
669
|
# If this is specified, the caller must have the necessary permission to
|
542
670
|
# use this template. If this is omitted, no template will be used.
|
543
|
-
# This template must be in the same location as the
|
671
|
+
# This template must be in the same location as the
|
672
|
+
# {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate}.
|
544
673
|
# @!attribute [rw] subject_mode
|
545
674
|
# @return [::Google::Cloud::Security::PrivateCA::V1::SubjectRequestMode]
|
546
|
-
# Immutable. Specifies how the
|
547
|
-
#
|
675
|
+
# Immutable. Specifies how the
|
676
|
+
# {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate}'s identity
|
677
|
+
# fields are to be decided. If this is omitted, the `DEFAULT` subject mode
|
678
|
+
# will be used.
|
548
679
|
# @!attribute [r] revocation_details
|
549
680
|
# @return [::Google::Cloud::Security::PrivateCA::V1::Certificate::RevocationDetails]
|
550
|
-
# Output only. Details regarding the revocation of this
|
551
|
-
# {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate}
|
681
|
+
# Output only. Details regarding the revocation of this
|
682
|
+
# {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate}. This
|
683
|
+
# {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} is considered
|
684
|
+
# revoked if and only if this field is present.
|
552
685
|
# @!attribute [r] pem_certificate
|
553
686
|
# @return [::String]
|
554
687
|
# Output only. The pem-encoded, signed X.509 certificate.
|
@@ -557,14 +690,16 @@ module Google
|
|
557
690
|
# Output only. A structured description of the issued X.509 certificate.
|
558
691
|
# @!attribute [r] pem_certificate_chain
|
559
692
|
# @return [::Array<::String>]
|
560
|
-
# Output only. The chain that may be used to verify the X.509 certificate.
|
561
|
-
# in issuer-to-root order according to RFC 5246.
|
693
|
+
# Output only. The chain that may be used to verify the X.509 certificate.
|
694
|
+
# Expected to be in issuer-to-root order according to RFC 5246.
|
562
695
|
# @!attribute [r] create_time
|
563
696
|
# @return [::Google::Protobuf::Timestamp]
|
564
|
-
# Output only. The time at which this
|
697
|
+
# Output only. The time at which this
|
698
|
+
# {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} was created.
|
565
699
|
# @!attribute [r] update_time
|
566
700
|
# @return [::Google::Protobuf::Timestamp]
|
567
|
-
# Output only. The time at which this
|
701
|
+
# Output only. The time at which this
|
702
|
+
# {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} was updated.
|
568
703
|
# @!attribute [rw] labels
|
569
704
|
# @return [::Google::Protobuf::Map{::String => ::String}]
|
570
705
|
# Optional. Labels with user-defined metadata.
|
@@ -572,13 +707,18 @@ module Google
|
|
572
707
|
include ::Google::Protobuf::MessageExts
|
573
708
|
extend ::Google::Protobuf::MessageExts::ClassMethods
|
574
709
|
|
575
|
-
# Describes fields that are relavent to the revocation of a
|
710
|
+
# Describes fields that are relavent to the revocation of a
|
711
|
+
# {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate}.
|
576
712
|
# @!attribute [rw] revocation_state
|
577
713
|
# @return [::Google::Cloud::Security::PrivateCA::V1::RevocationReason]
|
578
|
-
# Indicates why a
|
714
|
+
# Indicates why a
|
715
|
+
# {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} was
|
716
|
+
# revoked.
|
579
717
|
# @!attribute [rw] revocation_time
|
580
718
|
# @return [::Google::Protobuf::Timestamp]
|
581
|
-
# The time at which this
|
719
|
+
# The time at which this
|
720
|
+
# {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} was
|
721
|
+
# revoked.
|
582
722
|
class RevocationDetails
|
583
723
|
include ::Google::Protobuf::MessageExts
|
584
724
|
extend ::Google::Protobuf::MessageExts::ClassMethods
|
@@ -594,47 +734,64 @@ module Google
|
|
594
734
|
end
|
595
735
|
end
|
596
736
|
|
597
|
-
# A
|
598
|
-
#
|
737
|
+
# A
|
738
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CertificateTemplate CertificateTemplate}
|
739
|
+
# refers to a managed template for certificate issuance.
|
599
740
|
# @!attribute [r] name
|
600
741
|
# @return [::String]
|
601
|
-
# Output only. The resource name for this
|
602
|
-
#
|
742
|
+
# Output only. The resource name for this
|
743
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CertificateTemplate CertificateTemplate}
|
744
|
+
# in the format `projects/*/locations/*/certificateTemplates/*`.
|
603
745
|
# @!attribute [rw] predefined_values
|
604
746
|
# @return [::Google::Cloud::Security::PrivateCA::V1::X509Parameters]
|
605
|
-
# Optional. A set of X.509 values that will be applied to all issued
|
606
|
-
# use this template. If the certificate request includes
|
607
|
-
# for the same properties, they will be overwritten by the
|
608
|
-
# here. If the issuing
|
747
|
+
# Optional. A set of X.509 values that will be applied to all issued
|
748
|
+
# certificates that use this template. If the certificate request includes
|
749
|
+
# conflicting values for the same properties, they will be overwritten by the
|
750
|
+
# values defined here. If the issuing
|
751
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}'s
|
752
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy IssuancePolicy}
|
609
753
|
# defines conflicting
|
610
|
-
# {::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy#baseline_values baseline_values}
|
611
|
-
# properties, the certificate issuance request will fail.
|
754
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy#baseline_values baseline_values}
|
755
|
+
# for the same properties, the certificate issuance request will fail.
|
612
756
|
# @!attribute [rw] identity_constraints
|
613
757
|
# @return [::Google::Cloud::Security::PrivateCA::V1::CertificateIdentityConstraints]
|
614
758
|
# Optional. Describes constraints on identities that may be appear in
|
615
|
-
# {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates} issued using
|
616
|
-
# then this template will not add
|
759
|
+
# {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates} issued using
|
760
|
+
# this template. If this is omitted, then this template will not add
|
761
|
+
# restrictions on a certificate's identity.
|
617
762
|
# @!attribute [rw] passthrough_extensions
|
618
763
|
# @return [::Google::Cloud::Security::PrivateCA::V1::CertificateExtensionConstraints]
|
619
764
|
# Optional. Describes the set of X.509 extensions that may appear in a
|
620
|
-
# {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} issued using
|
621
|
-
#
|
622
|
-
# {::Google::Cloud::Security::PrivateCA::V1::CertificateTemplate
|
623
|
-
#
|
624
|
-
# {::Google::Cloud::Security::PrivateCA::V1::
|
625
|
-
#
|
626
|
-
#
|
627
|
-
#
|
628
|
-
#
|
765
|
+
# {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} issued using
|
766
|
+
# this
|
767
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CertificateTemplate CertificateTemplate}.
|
768
|
+
# If a certificate request sets extensions that don't appear in the
|
769
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CertificateTemplate#passthrough_extensions passthrough_extensions},
|
770
|
+
# those extensions will be dropped. If the issuing
|
771
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}'s
|
772
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy IssuancePolicy}
|
773
|
+
# defines
|
774
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy#baseline_values baseline_values}
|
775
|
+
# that don't appear here, the certificate issuance request will fail. If this
|
776
|
+
# is omitted, then this template will not add restrictions on a certificate's
|
777
|
+
# X.509 extensions. These constraints do not apply to X.509 extensions set in
|
778
|
+
# this
|
779
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CertificateTemplate CertificateTemplate}'s
|
780
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CertificateTemplate#predefined_values predefined_values}.
|
629
781
|
# @!attribute [rw] description
|
630
782
|
# @return [::String]
|
631
|
-
# Optional. A human-readable description of scenarios this template is
|
783
|
+
# Optional. A human-readable description of scenarios this template is
|
784
|
+
# intended for.
|
632
785
|
# @!attribute [r] create_time
|
633
786
|
# @return [::Google::Protobuf::Timestamp]
|
634
|
-
# Output only. The time at which this
|
787
|
+
# Output only. The time at which this
|
788
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CertificateTemplate CertificateTemplate}
|
789
|
+
# was created.
|
635
790
|
# @!attribute [r] update_time
|
636
791
|
# @return [::Google::Protobuf::Timestamp]
|
637
|
-
# Output only. The time at which this
|
792
|
+
# Output only. The time at which this
|
793
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CertificateTemplate CertificateTemplate}
|
794
|
+
# was updated.
|
638
795
|
# @!attribute [rw] labels
|
639
796
|
# @return [::Google::Protobuf::Map{::String => ::String}]
|
640
797
|
# Optional. Labels with user-defined metadata.
|
@@ -652,25 +809,31 @@ module Google
|
|
652
809
|
end
|
653
810
|
end
|
654
811
|
|
655
|
-
# An {::Google::Cloud::Security::PrivateCA::V1::X509Parameters X509Parameters} is
|
656
|
-
# X.509 certificate, such as the key
|
657
|
-
#
|
812
|
+
# An {::Google::Cloud::Security::PrivateCA::V1::X509Parameters X509Parameters} is
|
813
|
+
# used to describe certain fields of an X.509 certificate, such as the key
|
814
|
+
# usage fields, fields specific to CA certificates, certificate policy
|
815
|
+
# extensions and custom extensions.
|
658
816
|
# @!attribute [rw] key_usage
|
659
817
|
# @return [::Google::Cloud::Security::PrivateCA::V1::KeyUsage]
|
660
|
-
# Optional. Indicates the intended use for keys that correspond to a
|
818
|
+
# Optional. Indicates the intended use for keys that correspond to a
|
819
|
+
# certificate.
|
661
820
|
# @!attribute [rw] ca_options
|
662
821
|
# @return [::Google::Cloud::Security::PrivateCA::V1::X509Parameters::CaOptions]
|
663
|
-
# Optional. Describes options in this
|
664
|
-
#
|
822
|
+
# Optional. Describes options in this
|
823
|
+
# {::Google::Cloud::Security::PrivateCA::V1::X509Parameters X509Parameters} that
|
824
|
+
# are relevant in a CA certificate.
|
665
825
|
# @!attribute [rw] policy_ids
|
666
826
|
# @return [::Array<::Google::Cloud::Security::PrivateCA::V1::ObjectId>]
|
667
827
|
# Optional. Describes the X.509 certificate policy object identifiers, per
|
668
828
|
# https://tools.ietf.org/html/rfc5280#section-4.2.1.4.
|
669
829
|
# @!attribute [rw] aia_ocsp_servers
|
670
830
|
# @return [::Array<::String>]
|
671
|
-
# Optional. Describes Online Certificate Status Protocol (OCSP) endpoint
|
672
|
-
# that appear in the "Authority Information Access" extension in
|
673
|
-
# certificate.
|
831
|
+
# Optional. Describes Online Certificate Status Protocol (OCSP) endpoint
|
832
|
+
# addresses that appear in the "Authority Information Access" extension in
|
833
|
+
# the certificate.
|
834
|
+
# @!attribute [rw] name_constraints
|
835
|
+
# @return [::Google::Cloud::Security::PrivateCA::V1::X509Parameters::NameConstraints]
|
836
|
+
# Optional. Describes the X.509 name constraints extension.
|
674
837
|
# @!attribute [rw] additional_extensions
|
675
838
|
# @return [::Array<::Google::Cloud::Security::PrivateCA::V1::X509Extension>]
|
676
839
|
# Optional. Describes custom X.509 extensions.
|
@@ -681,8 +844,9 @@ module Google
|
|
681
844
|
# Describes values that are relevant in a CA certificate.
|
682
845
|
# @!attribute [rw] is_ca
|
683
846
|
# @return [::Boolean]
|
684
|
-
# Optional. Refers to the "CA" X.509 extension, which is a boolean value.
|
685
|
-
# value is missing, the extension will be omitted from the CA
|
847
|
+
# Optional. Refers to the "CA" X.509 extension, which is a boolean value.
|
848
|
+
# When this value is missing, the extension will be omitted from the CA
|
849
|
+
# certificate.
|
686
850
|
# @!attribute [rw] max_issuer_path_length
|
687
851
|
# @return [::Integer]
|
688
852
|
# Optional. Refers to the path length restriction X.509 extension. For a CA
|
@@ -695,20 +859,84 @@ module Google
|
|
695
859
|
include ::Google::Protobuf::MessageExts
|
696
860
|
extend ::Google::Protobuf::MessageExts::ClassMethods
|
697
861
|
end
|
862
|
+
|
863
|
+
# Describes the X.509 name constraints extension, per
|
864
|
+
# https://tools.ietf.org/html/rfc5280#section-4.2.1.10
|
865
|
+
# @!attribute [rw] critical
|
866
|
+
# @return [::Boolean]
|
867
|
+
# Indicates whether or not the name constraints are marked critical.
|
868
|
+
# @!attribute [rw] permitted_dns_names
|
869
|
+
# @return [::Array<::String>]
|
870
|
+
# Contains permitted DNS names. Any DNS name that can be
|
871
|
+
# constructed by simply adding zero or more labels to
|
872
|
+
# the left-hand side of the name satisfies the name constraint.
|
873
|
+
# For example, `example.com`, `www.example.com`, `www.sub.example.com`
|
874
|
+
# would satisfy `example.com` while `example1.com` does not.
|
875
|
+
# @!attribute [rw] excluded_dns_names
|
876
|
+
# @return [::Array<::String>]
|
877
|
+
# Contains excluded DNS names. Any DNS name that can be
|
878
|
+
# constructed by simply adding zero or more labels to
|
879
|
+
# the left-hand side of the name satisfies the name constraint.
|
880
|
+
# For example, `example.com`, `www.example.com`, `www.sub.example.com`
|
881
|
+
# would satisfy `example.com` while `example1.com` does not.
|
882
|
+
# @!attribute [rw] permitted_ip_ranges
|
883
|
+
# @return [::Array<::String>]
|
884
|
+
# Contains the permitted IP ranges. For IPv4 addresses, the ranges
|
885
|
+
# are expressed using CIDR notation as specified in RFC 4632.
|
886
|
+
# For IPv6 addresses, the ranges are expressed in similar encoding as IPv4
|
887
|
+
# addresses.
|
888
|
+
# @!attribute [rw] excluded_ip_ranges
|
889
|
+
# @return [::Array<::String>]
|
890
|
+
# Contains the excluded IP ranges. For IPv4 addresses, the ranges
|
891
|
+
# are expressed using CIDR notation as specified in RFC 4632.
|
892
|
+
# For IPv6 addresses, the ranges are expressed in similar encoding as IPv4
|
893
|
+
# addresses.
|
894
|
+
# @!attribute [rw] permitted_email_addresses
|
895
|
+
# @return [::Array<::String>]
|
896
|
+
# Contains the permitted email addresses. The value can be a particular
|
897
|
+
# email address, a hostname to indicate all email addresses on that host or
|
898
|
+
# a domain with a leading period (e.g. `.example.com`) to indicate
|
899
|
+
# all email addresses in that domain.
|
900
|
+
# @!attribute [rw] excluded_email_addresses
|
901
|
+
# @return [::Array<::String>]
|
902
|
+
# Contains the excluded email addresses. The value can be a particular
|
903
|
+
# email address, a hostname to indicate all email addresses on that host or
|
904
|
+
# a domain with a leading period (e.g. `.example.com`) to indicate
|
905
|
+
# all email addresses in that domain.
|
906
|
+
# @!attribute [rw] permitted_uris
|
907
|
+
# @return [::Array<::String>]
|
908
|
+
# Contains the permitted URIs that apply to the host part of the name.
|
909
|
+
# The value can be a hostname or a domain with a
|
910
|
+
# leading period (like `.example.com`)
|
911
|
+
# @!attribute [rw] excluded_uris
|
912
|
+
# @return [::Array<::String>]
|
913
|
+
# Contains the excluded URIs that apply to the host part of the name.
|
914
|
+
# The value can be a hostname or a domain with a
|
915
|
+
# leading period (like `.example.com`)
|
916
|
+
class NameConstraints
|
917
|
+
include ::Google::Protobuf::MessageExts
|
918
|
+
extend ::Google::Protobuf::MessageExts::ClassMethods
|
919
|
+
end
|
698
920
|
end
|
699
921
|
|
700
922
|
# Describes a subordinate CA's issuers. This is either a resource name to a
|
701
|
-
# known issuing
|
923
|
+
# known issuing
|
924
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority},
|
925
|
+
# or a PEM issuer certificate chain.
|
702
926
|
# @!attribute [rw] certificate_authority
|
703
927
|
# @return [::String]
|
704
|
-
# Required. This can refer to a
|
705
|
-
#
|
706
|
-
#
|
928
|
+
# Required. This can refer to a
|
929
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}
|
930
|
+
# that was used to create a subordinate
|
931
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}.
|
932
|
+
# This field is used for information and usability purposes only. The
|
933
|
+
# resource name is in the format
|
707
934
|
# `projects/*/locations/*/caPools/*/certificateAuthorities/*`.
|
708
935
|
# @!attribute [rw] pem_issuer_chain
|
709
936
|
# @return [::Google::Cloud::Security::PrivateCA::V1::SubordinateConfig::SubordinateConfigChain]
|
710
937
|
# Required. Contains the PEM certificate chain for the issuers of this
|
711
|
-
# {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority},
|
938
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority},
|
939
|
+
# but not pem certificate for this CA itself.
|
712
940
|
class SubordinateConfig
|
713
941
|
include ::Google::Protobuf::MessageExts
|
714
942
|
extend ::Google::Protobuf::MessageExts::ClassMethods
|
@@ -724,7 +952,8 @@ module Google
|
|
724
952
|
end
|
725
953
|
end
|
726
954
|
|
727
|
-
# A {::Google::Cloud::Security::PrivateCA::V1::PublicKey PublicKey} describes a
|
955
|
+
# A {::Google::Cloud::Security::PrivateCA::V1::PublicKey PublicKey} describes a
|
956
|
+
# public key.
|
728
957
|
# @!attribute [rw] key
|
729
958
|
# @return [::String]
|
730
959
|
# Required. A public key. The padding and encoding
|
@@ -759,21 +988,27 @@ module Google
|
|
759
988
|
end
|
760
989
|
end
|
761
990
|
|
762
|
-
# A {::Google::Cloud::Security::PrivateCA::V1::CertificateConfig CertificateConfig}
|
763
|
-
#
|
991
|
+
# A {::Google::Cloud::Security::PrivateCA::V1::CertificateConfig CertificateConfig}
|
992
|
+
# describes an X.509 certificate or CSR that is to be created, as an
|
993
|
+
# alternative to using ASN.1.
|
764
994
|
# @!attribute [rw] subject_config
|
765
995
|
# @return [::Google::Cloud::Security::PrivateCA::V1::CertificateConfig::SubjectConfig]
|
766
|
-
# Required. Specifies some of the values in a certificate that are related to
|
767
|
-
# subject.
|
996
|
+
# Required. Specifies some of the values in a certificate that are related to
|
997
|
+
# the subject.
|
768
998
|
# @!attribute [rw] x509_config
|
769
999
|
# @return [::Google::Cloud::Security::PrivateCA::V1::X509Parameters]
|
770
|
-
# Required. Describes how some of the technical X.509 fields in a certificate
|
771
|
-
# populated.
|
1000
|
+
# Required. Describes how some of the technical X.509 fields in a certificate
|
1001
|
+
# should be populated.
|
772
1002
|
# @!attribute [rw] public_key
|
773
1003
|
# @return [::Google::Cloud::Security::PrivateCA::V1::PublicKey]
|
774
|
-
# Optional. The public key that corresponds to this config. This is, for
|
775
|
-
#
|
776
|
-
#
|
1004
|
+
# Optional. The public key that corresponds to this config. This is, for
|
1005
|
+
# example, used when issuing
|
1006
|
+
# {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates}, but not
|
1007
|
+
# when creating a self-signed
|
1008
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}
|
1009
|
+
# or
|
1010
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}
|
1011
|
+
# CSR.
|
777
1012
|
class CertificateConfig
|
778
1013
|
include ::Google::Protobuf::MessageExts
|
779
1014
|
extend ::Google::Protobuf::MessageExts::ClassMethods
|
@@ -782,8 +1017,8 @@ module Google
|
|
782
1017
|
# alternative name fields in an X.509 certificate.
|
783
1018
|
# @!attribute [rw] subject
|
784
1019
|
# @return [::Google::Cloud::Security::PrivateCA::V1::Subject]
|
785
|
-
# Required. Contains distinguished name fields such as the common name,
|
786
|
-
# organization.
|
1020
|
+
# Required. Contains distinguished name fields such as the common name,
|
1021
|
+
# location and organization.
|
787
1022
|
# @!attribute [rw] subject_alt_name
|
788
1023
|
# @return [::Google::Cloud::Security::PrivateCA::V1::SubjectAltNames]
|
789
1024
|
# Optional. The subject alternative name fields.
|
@@ -793,8 +1028,10 @@ module Google
|
|
793
1028
|
end
|
794
1029
|
end
|
795
1030
|
|
796
|
-
# A
|
797
|
-
#
|
1031
|
+
# A
|
1032
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CertificateDescription CertificateDescription}
|
1033
|
+
# describes an X.509 certificate or CSR that has been issued, as an alternative
|
1034
|
+
# to using ASN.1 / X.509.
|
798
1035
|
# @!attribute [rw] subject_description
|
799
1036
|
# @return [::Google::Cloud::Security::PrivateCA::V1::CertificateDescription::SubjectDescription]
|
800
1037
|
# Describes some of the values in a certificate that are related to the
|
@@ -862,8 +1099,8 @@ module Google
|
|
862
1099
|
# key.
|
863
1100
|
# @!attribute [rw] key_id
|
864
1101
|
# @return [::String]
|
865
|
-
# Optional. The value of this KeyId encoded in lowercase hexadecimal. This
|
866
|
-
# likely the 160 bit SHA-1 hash of the public key.
|
1102
|
+
# Optional. The value of this KeyId encoded in lowercase hexadecimal. This
|
1103
|
+
# is most likely the 160 bit SHA-1 hash of the public key.
|
867
1104
|
class KeyId
|
868
1105
|
include ::Google::Protobuf::MessageExts
|
869
1106
|
extend ::Google::Protobuf::MessageExts::ClassMethods
|
@@ -879,27 +1116,29 @@ module Google
|
|
879
1116
|
end
|
880
1117
|
end
|
881
1118
|
|
882
|
-
# An {::Google::Cloud::Security::PrivateCA::V1::ObjectId ObjectId} specifies an
|
883
|
-
# and describe types in ASN.1
|
1119
|
+
# An {::Google::Cloud::Security::PrivateCA::V1::ObjectId ObjectId} specifies an
|
1120
|
+
# object identifier (OID). These provide context and describe types in ASN.1
|
1121
|
+
# messages.
|
884
1122
|
# @!attribute [rw] object_id_path
|
885
1123
|
# @return [::Array<::Integer>]
|
886
|
-
# Required. The parts of an OID path. The most significant parts of the path
|
887
|
-
# first.
|
1124
|
+
# Required. The parts of an OID path. The most significant parts of the path
|
1125
|
+
# come first.
|
888
1126
|
class ObjectId
|
889
1127
|
include ::Google::Protobuf::MessageExts
|
890
1128
|
extend ::Google::Protobuf::MessageExts::ClassMethods
|
891
1129
|
end
|
892
1130
|
|
893
|
-
# An {::Google::Cloud::Security::PrivateCA::V1::X509Extension X509Extension}
|
894
|
-
#
|
1131
|
+
# An {::Google::Cloud::Security::PrivateCA::V1::X509Extension X509Extension}
|
1132
|
+
# specifies an X.509 extension, which may be used in different parts of X.509
|
1133
|
+
# objects like certificates, CSRs, and CRLs.
|
895
1134
|
# @!attribute [rw] object_id
|
896
1135
|
# @return [::Google::Cloud::Security::PrivateCA::V1::ObjectId]
|
897
1136
|
# Required. The OID for this X.509 extension.
|
898
1137
|
# @!attribute [rw] critical
|
899
1138
|
# @return [::Boolean]
|
900
|
-
# Optional. Indicates whether or not this extension is critical (i.e., if the
|
901
|
-
# does not know how to handle this extension, the client should
|
902
|
-
# to be an error).
|
1139
|
+
# Optional. Indicates whether or not this extension is critical (i.e., if the
|
1140
|
+
# client does not know how to handle this extension, the client should
|
1141
|
+
# consider this to be an error).
|
903
1142
|
# @!attribute [rw] value
|
904
1143
|
# @return [::String]
|
905
1144
|
# Required. The value of this X.509 extension.
|
@@ -908,8 +1147,8 @@ module Google
|
|
908
1147
|
extend ::Google::Protobuf::MessageExts::ClassMethods
|
909
1148
|
end
|
910
1149
|
|
911
|
-
# A {::Google::Cloud::Security::PrivateCA::V1::KeyUsage KeyUsage} describes key usage
|
912
|
-
# certificate.
|
1150
|
+
# A {::Google::Cloud::Security::PrivateCA::V1::KeyUsage KeyUsage} describes key usage
|
1151
|
+
# values that may appear in an X.509 certificate.
|
913
1152
|
# @!attribute [rw] base_key_usage
|
914
1153
|
# @return [::Google::Cloud::Security::PrivateCA::V1::KeyUsage::KeyUsageOptions]
|
915
1154
|
# Describes high-level ways in which a key may be used.
|
@@ -919,13 +1158,15 @@ module Google
|
|
919
1158
|
# @!attribute [rw] unknown_extended_key_usages
|
920
1159
|
# @return [::Array<::Google::Cloud::Security::PrivateCA::V1::ObjectId>]
|
921
1160
|
# Used to describe extended key usages that are not listed in the
|
922
|
-
# {::Google::Cloud::Security::PrivateCA::V1::KeyUsage::ExtendedKeyUsageOptions KeyUsage.ExtendedKeyUsageOptions}
|
1161
|
+
# {::Google::Cloud::Security::PrivateCA::V1::KeyUsage::ExtendedKeyUsageOptions KeyUsage.ExtendedKeyUsageOptions}
|
1162
|
+
# message.
|
923
1163
|
class KeyUsage
|
924
1164
|
include ::Google::Protobuf::MessageExts
|
925
1165
|
extend ::Google::Protobuf::MessageExts::ClassMethods
|
926
1166
|
|
927
|
-
# {::Google::Cloud::Security::PrivateCA::V1::KeyUsage::KeyUsageOptions KeyUsage.KeyUsageOptions}
|
928
|
-
# described in
|
1167
|
+
# {::Google::Cloud::Security::PrivateCA::V1::KeyUsage::KeyUsageOptions KeyUsage.KeyUsageOptions}
|
1168
|
+
# corresponds to the key usage values described in
|
1169
|
+
# https://tools.ietf.org/html/rfc5280#section-4.2.1.3.
|
929
1170
|
# @!attribute [rw] digital_signature
|
930
1171
|
# @return [::Boolean]
|
931
1172
|
# The key may be used for digital signatures.
|
@@ -959,8 +1200,9 @@ module Google
|
|
959
1200
|
extend ::Google::Protobuf::MessageExts::ClassMethods
|
960
1201
|
end
|
961
1202
|
|
962
|
-
# {::Google::Cloud::Security::PrivateCA::V1::KeyUsage::ExtendedKeyUsageOptions KeyUsage.ExtendedKeyUsageOptions}
|
963
|
-
# certain common OIDs that could be specified
|
1203
|
+
# {::Google::Cloud::Security::PrivateCA::V1::KeyUsage::ExtendedKeyUsageOptions KeyUsage.ExtendedKeyUsageOptions}
|
1204
|
+
# has fields that correspond to certain common OIDs that could be specified
|
1205
|
+
# as an extended key usage value.
|
964
1206
|
# @!attribute [rw] server_auth
|
965
1207
|
# @return [::Boolean]
|
966
1208
|
# Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as "TLS WWW
|
@@ -991,8 +1233,8 @@ module Google
|
|
991
1233
|
end
|
992
1234
|
end
|
993
1235
|
|
994
|
-
# {::Google::Cloud::Security::PrivateCA::V1::Subject Subject} describes parts of a
|
995
|
-
# describes the subject of the certificate.
|
1236
|
+
# {::Google::Cloud::Security::PrivateCA::V1::Subject Subject} describes parts of a
|
1237
|
+
# distinguished name that, in turn, describes the subject of the certificate.
|
996
1238
|
# @!attribute [rw] common_name
|
997
1239
|
# @return [::String]
|
998
1240
|
# The "common name" of the subject.
|
@@ -1022,9 +1264,10 @@ module Google
|
|
1022
1264
|
extend ::Google::Protobuf::MessageExts::ClassMethods
|
1023
1265
|
end
|
1024
1266
|
|
1025
|
-
# {::Google::Cloud::Security::PrivateCA::V1::SubjectAltNames SubjectAltNames}
|
1026
|
-
#
|
1027
|
-
# name" in the distinguished
|
1267
|
+
# {::Google::Cloud::Security::PrivateCA::V1::SubjectAltNames SubjectAltNames}
|
1268
|
+
# corresponds to a more modern way of listing what the asserted identity is in
|
1269
|
+
# a certificate (i.e., compared to the "common name" in the distinguished
|
1270
|
+
# name).
|
1028
1271
|
# @!attribute [rw] dns_names
|
1029
1272
|
# @return [::Array<::String>]
|
1030
1273
|
# Contains only valid, fully-qualified host names.
|
@@ -1047,24 +1290,31 @@ module Google
|
|
1047
1290
|
extend ::Google::Protobuf::MessageExts::ClassMethods
|
1048
1291
|
end
|
1049
1292
|
|
1050
|
-
# Describes constraints on a
|
1293
|
+
# Describes constraints on a
|
1294
|
+
# {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate}'s
|
1295
|
+
# {::Google::Cloud::Security::PrivateCA::V1::Subject Subject} and
|
1051
1296
|
# {::Google::Cloud::Security::PrivateCA::V1::SubjectAltNames SubjectAltNames}.
|
1052
1297
|
# @!attribute [rw] cel_expression
|
1053
1298
|
# @return [::Google::Type::Expr]
|
1054
|
-
# Optional. A CEL expression that may be used to validate the resolved X.509
|
1055
|
-
# and/or Subject Alternative Name before a certificate is signed.
|
1056
|
-
#
|
1299
|
+
# Optional. A CEL expression that may be used to validate the resolved X.509
|
1300
|
+
# Subject and/or Subject Alternative Name before a certificate is signed. To
|
1301
|
+
# see the full allowed syntax and some examples, see
|
1057
1302
|
# https://cloud.google.com/certificate-authority-service/docs/using-cel
|
1058
1303
|
# @!attribute [rw] allow_subject_passthrough
|
1059
1304
|
# @return [::Boolean]
|
1060
|
-
# Required. If this is true, the
|
1061
|
-
#
|
1062
|
-
#
|
1305
|
+
# Required. If this is true, the
|
1306
|
+
# {::Google::Cloud::Security::PrivateCA::V1::Subject Subject} field may be copied
|
1307
|
+
# from a certificate request into the signed certificate. Otherwise, the
|
1308
|
+
# requested {::Google::Cloud::Security::PrivateCA::V1::Subject Subject} will be
|
1309
|
+
# discarded.
|
1063
1310
|
# @!attribute [rw] allow_subject_alt_names_passthrough
|
1064
1311
|
# @return [::Boolean]
|
1065
|
-
# Required. If this is true, the
|
1066
|
-
#
|
1067
|
-
#
|
1312
|
+
# Required. If this is true, the
|
1313
|
+
# {::Google::Cloud::Security::PrivateCA::V1::SubjectAltNames SubjectAltNames}
|
1314
|
+
# extension may be copied from a certificate request into the signed
|
1315
|
+
# certificate. Otherwise, the requested
|
1316
|
+
# {::Google::Cloud::Security::PrivateCA::V1::SubjectAltNames SubjectAltNames} will
|
1317
|
+
# be discarded.
|
1068
1318
|
class CertificateIdentityConstraints
|
1069
1319
|
include ::Google::Protobuf::MessageExts
|
1070
1320
|
extend ::Google::Protobuf::MessageExts::ClassMethods
|
@@ -1075,111 +1325,147 @@ module Google
|
|
1075
1325
|
# @!attribute [rw] known_extensions
|
1076
1326
|
# @return [::Array<::Google::Cloud::Security::PrivateCA::V1::CertificateExtensionConstraints::KnownCertificateExtension>]
|
1077
1327
|
# Optional. A set of named X.509 extensions. Will be combined with
|
1078
|
-
# {::Google::Cloud::Security::PrivateCA::V1::CertificateExtensionConstraints#additional_extensions additional_extensions}
|
1328
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CertificateExtensionConstraints#additional_extensions additional_extensions}
|
1329
|
+
# to determine the full set of X.509 extensions.
|
1079
1330
|
# @!attribute [rw] additional_extensions
|
1080
1331
|
# @return [::Array<::Google::Cloud::Security::PrivateCA::V1::ObjectId>]
|
1081
|
-
# Optional. A set of {::Google::Cloud::Security::PrivateCA::V1::ObjectId ObjectIds}
|
1082
|
-
# Will be combined with
|
1083
|
-
#
|
1332
|
+
# Optional. A set of {::Google::Cloud::Security::PrivateCA::V1::ObjectId ObjectIds}
|
1333
|
+
# identifying custom X.509 extensions. Will be combined with
|
1334
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CertificateExtensionConstraints#known_extensions known_extensions}
|
1335
|
+
# to determine the full set of X.509 extensions.
|
1084
1336
|
class CertificateExtensionConstraints
|
1085
1337
|
include ::Google::Protobuf::MessageExts
|
1086
1338
|
extend ::Google::Protobuf::MessageExts::ClassMethods
|
1087
1339
|
|
1088
|
-
# Describes well-known X.509 extensions that can appear in a
|
1089
|
-
#
|
1340
|
+
# Describes well-known X.509 extensions that can appear in a
|
1341
|
+
# {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate}, not
|
1342
|
+
# including the
|
1343
|
+
# {::Google::Cloud::Security::PrivateCA::V1::SubjectAltNames SubjectAltNames}
|
1344
|
+
# extension.
|
1090
1345
|
module KnownCertificateExtension
|
1091
1346
|
# Not specified.
|
1092
1347
|
KNOWN_CERTIFICATE_EXTENSION_UNSPECIFIED = 0
|
1093
1348
|
|
1094
1349
|
# Refers to a certificate's Key Usage extension, as described in [RFC 5280
|
1095
1350
|
# section 4.2.1.3](https://tools.ietf.org/html/rfc5280#section-4.2.1.3).
|
1096
|
-
# This corresponds to the
|
1351
|
+
# This corresponds to the
|
1352
|
+
# {::Google::Cloud::Security::PrivateCA::V1::KeyUsage#base_key_usage KeyUsage.base_key_usage}
|
1353
|
+
# field.
|
1097
1354
|
BASE_KEY_USAGE = 1
|
1098
1355
|
|
1099
1356
|
# Refers to a certificate's Extended Key Usage extension, as described in
|
1100
1357
|
# [RFC 5280
|
1101
1358
|
# section 4.2.1.12](https://tools.ietf.org/html/rfc5280#section-4.2.1.12).
|
1102
|
-
# This corresponds to the
|
1359
|
+
# This corresponds to the
|
1360
|
+
# {::Google::Cloud::Security::PrivateCA::V1::KeyUsage#extended_key_usage KeyUsage.extended_key_usage}
|
1361
|
+
# message.
|
1103
1362
|
EXTENDED_KEY_USAGE = 2
|
1104
1363
|
|
1105
1364
|
# Refers to a certificate's Basic Constraints extension, as described in
|
1106
1365
|
# [RFC 5280
|
1107
1366
|
# section 4.2.1.9](https://tools.ietf.org/html/rfc5280#section-4.2.1.9).
|
1108
|
-
# This corresponds to the
|
1367
|
+
# This corresponds to the
|
1368
|
+
# {::Google::Cloud::Security::PrivateCA::V1::X509Parameters#ca_options X509Parameters.ca_options}
|
1369
|
+
# field.
|
1109
1370
|
CA_OPTIONS = 3
|
1110
1371
|
|
1111
1372
|
# Refers to a certificate's Policy object identifiers, as described in
|
1112
1373
|
# [RFC 5280
|
1113
1374
|
# section 4.2.1.4](https://tools.ietf.org/html/rfc5280#section-4.2.1.4).
|
1114
|
-
# This corresponds to the
|
1375
|
+
# This corresponds to the
|
1376
|
+
# {::Google::Cloud::Security::PrivateCA::V1::X509Parameters#policy_ids X509Parameters.policy_ids}
|
1377
|
+
# field.
|
1115
1378
|
POLICY_IDS = 4
|
1116
1379
|
|
1117
1380
|
# Refers to OCSP servers in a certificate's Authority Information Access
|
1118
1381
|
# extension, as described in
|
1119
1382
|
# [RFC 5280
|
1120
1383
|
# section 4.2.2.1](https://tools.ietf.org/html/rfc5280#section-4.2.2.1),
|
1121
|
-
# This corresponds to the
|
1384
|
+
# This corresponds to the
|
1385
|
+
# {::Google::Cloud::Security::PrivateCA::V1::X509Parameters#aia_ocsp_servers X509Parameters.aia_ocsp_servers}
|
1386
|
+
# field.
|
1122
1387
|
AIA_OCSP_SERVERS = 5
|
1388
|
+
|
1389
|
+
# Refers to Name Constraints extension as described in
|
1390
|
+
# [RFC 5280
|
1391
|
+
# section 4.2.1.10](https://tools.ietf.org/html/rfc5280#section-4.2.1.10)
|
1392
|
+
NAME_CONSTRAINTS = 6
|
1123
1393
|
end
|
1124
1394
|
end
|
1125
1395
|
|
1126
|
-
# A {::Google::Cloud::Security::PrivateCA::V1::RevocationReason RevocationReason}
|
1127
|
-
#
|
1128
|
-
#
|
1129
|
-
#
|
1130
|
-
#
|
1396
|
+
# A {::Google::Cloud::Security::PrivateCA::V1::RevocationReason RevocationReason}
|
1397
|
+
# indicates whether a
|
1398
|
+
# {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} has been
|
1399
|
+
# revoked, and the reason for revocation. These correspond to standard
|
1400
|
+
# revocation reasons from RFC 5280. Note that the enum labels and values in
|
1401
|
+
# this definition are not the same ASN.1 values defined in RFC 5280. These
|
1402
|
+
# values will be translated to the correct ASN.1 values when a CRL is created.
|
1131
1403
|
module RevocationReason
|
1132
|
-
# Default unspecified value. This value does indicate that a
|
1133
|
-
#
|
1404
|
+
# Default unspecified value. This value does indicate that a
|
1405
|
+
# {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} has been
|
1406
|
+
# revoked, but that a reason has not been recorded.
|
1134
1407
|
REVOCATION_REASON_UNSPECIFIED = 0
|
1135
1408
|
|
1136
|
-
# Key material for this
|
1409
|
+
# Key material for this
|
1410
|
+
# {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} may have
|
1411
|
+
# leaked.
|
1137
1412
|
KEY_COMPROMISE = 1
|
1138
1413
|
|
1139
1414
|
# The key material for a certificate authority in the issuing path may have
|
1140
1415
|
# leaked.
|
1141
1416
|
CERTIFICATE_AUTHORITY_COMPROMISE = 2
|
1142
1417
|
|
1143
|
-
# The subject or other attributes in this
|
1418
|
+
# The subject or other attributes in this
|
1419
|
+
# {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} have changed.
|
1144
1420
|
AFFILIATION_CHANGED = 3
|
1145
1421
|
|
1146
|
-
# This {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} has been
|
1422
|
+
# This {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} has been
|
1423
|
+
# superseded.
|
1147
1424
|
SUPERSEDED = 4
|
1148
1425
|
|
1149
|
-
# This {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} or
|
1150
|
-
# operate.
|
1426
|
+
# This {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} or
|
1427
|
+
# entities in the issuing path have ceased to operate.
|
1151
1428
|
CESSATION_OF_OPERATION = 5
|
1152
1429
|
|
1153
|
-
# This {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} should
|
1154
|
-
# may become valid in the
|
1430
|
+
# This {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} should
|
1431
|
+
# not be considered valid, it is expected that it may become valid in the
|
1432
|
+
# future.
|
1155
1433
|
CERTIFICATE_HOLD = 6
|
1156
1434
|
|
1157
|
-
# This {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} no
|
1158
|
-
# attributes.
|
1435
|
+
# This {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} no
|
1436
|
+
# longer has permission to assert the listed attributes.
|
1159
1437
|
PRIVILEGE_WITHDRAWN = 7
|
1160
1438
|
|
1161
|
-
# The authority which determines appropriate attributes for a
|
1162
|
-
# may have been
|
1439
|
+
# The authority which determines appropriate attributes for a
|
1440
|
+
# {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} may have been
|
1441
|
+
# compromised.
|
1163
1442
|
ATTRIBUTE_AUTHORITY_COMPROMISE = 8
|
1164
1443
|
end
|
1165
1444
|
|
1166
|
-
# Describes the way in which a
|
1167
|
-
# {::Google::Cloud::Security::PrivateCA::V1::
|
1445
|
+
# Describes the way in which a
|
1446
|
+
# {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate}'s
|
1447
|
+
# {::Google::Cloud::Security::PrivateCA::V1::Subject Subject} and/or
|
1448
|
+
# {::Google::Cloud::Security::PrivateCA::V1::SubjectAltNames SubjectAltNames} will be
|
1449
|
+
# resolved.
|
1168
1450
|
module SubjectRequestMode
|
1169
1451
|
# Not specified.
|
1170
1452
|
SUBJECT_REQUEST_MODE_UNSPECIFIED = 0
|
1171
1453
|
|
1172
1454
|
# The default mode used in most cases. Indicates that the certificate's
|
1173
|
-
# {::Google::Cloud::Security::PrivateCA::V1::Subject Subject} and/or
|
1174
|
-
#
|
1175
|
-
#
|
1455
|
+
# {::Google::Cloud::Security::PrivateCA::V1::Subject Subject} and/or
|
1456
|
+
# {::Google::Cloud::Security::PrivateCA::V1::SubjectAltNames SubjectAltNames} are
|
1457
|
+
# specified in the certificate request. This mode requires the caller to have
|
1458
|
+
# the `privateca.certificates.create` permission.
|
1176
1459
|
DEFAULT = 1
|
1177
1460
|
|
1178
1461
|
# A mode reserved for special cases. Indicates that the certificate should
|
1179
|
-
# have one or more SPIFFE
|
1180
|
-
#
|
1181
|
-
#
|
1182
|
-
#
|
1462
|
+
# have one or more SPIFFE
|
1463
|
+
# {::Google::Cloud::Security::PrivateCA::V1::SubjectAltNames SubjectAltNames} set
|
1464
|
+
# by the service based on the caller's identity. This mode will ignore any
|
1465
|
+
# explicitly specified {::Google::Cloud::Security::PrivateCA::V1::Subject Subject}
|
1466
|
+
# and/or
|
1467
|
+
# {::Google::Cloud::Security::PrivateCA::V1::SubjectAltNames SubjectAltNames} in
|
1468
|
+
# the certificate request. This mode requires the caller to have the
|
1183
1469
|
# `privateca.certificates.createForSelf` permission.
|
1184
1470
|
REFLECTED_SPIFFE = 2
|
1185
1471
|
end
|