google-cloud-security-private_ca-v1 0.4.0 → 0.5.0
- checksums.yaml +4 -4
- data/AUTHENTICATION.md +1 -1
- data/README.md +1 -1
- data/lib/google/cloud/security/private_ca/v1/certificate_authority_service/client.rb +415 -330
- data/lib/google/cloud/security/private_ca/v1/certificate_authority_service/operations.rb +12 -14
- data/lib/google/cloud/security/private_ca/v1/certificate_authority_service.rb +4 -3
- data/lib/google/cloud/security/private_ca/v1/version.rb +1 -1
- data/lib/google/cloud/security/private_ca/v1.rb +2 -2
- data/lib/google/cloud/security/privateca/v1/resources_pb.rb +14 -0
- data/lib/google/cloud/security/privateca/v1/service_services_pb.rb +64 -32
- data/proto_docs/google/api/client.rb +318 -0
- data/proto_docs/google/api/launch_stage.rb +71 -0
- data/proto_docs/google/cloud/security/privateca/v1/resources.rb +588 -302
- data/proto_docs/google/cloud/security/privateca/v1/service.rb +297 -223
- data/proto_docs/google/protobuf/empty.rb +0 -2
- data/proto_docs/google/rpc/status.rb +4 -2
- metadata +11 -9
@@ -22,77 +22,113 @@ module Google
|
|
22
22
|
module Security
|
23
23
|
module PrivateCA
|
24
24
|
module V1
|
25
|
-
# A
|
26
|
-
#
|
25
|
+
# A
|
26
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}
|
27
|
+
# represents an individual Certificate Authority. A
|
28
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}
|
29
|
+
# can be used to create
|
30
|
+
# {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates}.
|
27
31
|
# @!attribute [r] name
|
28
32
|
# @return [::String]
|
29
|
-
# Output only. The resource name for this
|
30
|
-
#
|
33
|
+
# Output only. The resource name for this
|
34
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}
|
35
|
+
# in the format `projects/*/locations/*/caPools/*/certificateAuthorities/*`.
|
31
36
|
# @!attribute [rw] type
|
32
37
|
# @return [::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority::Type]
|
33
|
-
# Required. Immutable. The
|
38
|
+
# Required. Immutable. The
|
39
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority::Type Type} of
|
40
|
+
# this
|
41
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}.
|
34
42
|
# @!attribute [rw] config
|
35
43
|
# @return [::Google::Cloud::Security::PrivateCA::V1::CertificateConfig]
|
36
|
-
# Required. Immutable. The config used to create a self-signed X.509
|
44
|
+
# Required. Immutable. The config used to create a self-signed X.509
|
45
|
+
# certificate or CSR.
|
37
46
|
# @!attribute [rw] lifetime
|
38
47
|
# @return [::Google::Protobuf::Duration]
|
39
|
-
# Required. Immutable. The desired lifetime of the CA certificate. Used to
|
40
|
-
# "not_before_time" and "not_after_time" fields inside an X.509
|
48
|
+
# Required. Immutable. The desired lifetime of the CA certificate. Used to
|
49
|
+
# create the "not_before_time" and "not_after_time" fields inside an X.509
|
41
50
|
# certificate.
|
42
51
|
# @!attribute [rw] key_spec
|
43
52
|
# @return [::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority::KeyVersionSpec]
|
44
|
-
# Required. Immutable. Used when issuing certificates for this
|
45
|
-
# {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}
|
46
|
-
#
|
47
|
-
#
|
53
|
+
# Required. Immutable. Used when issuing certificates for this
|
54
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}.
|
55
|
+
# If this
|
56
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}
|
57
|
+
# is a self-signed CertificateAuthority, this key is also used to sign the
|
58
|
+
# self-signed CA certificate. Otherwise, it is used to sign a CSR.
|
48
59
|
# @!attribute [rw] subordinate_config
|
49
60
|
# @return [::Google::Cloud::Security::PrivateCA::V1::SubordinateConfig]
|
50
|
-
# Optional. If this is a subordinate
|
51
|
-
#
|
52
|
-
#
|
61
|
+
# Optional. If this is a subordinate
|
62
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority},
|
63
|
+
# this field will be set with the subordinate configuration, which describes
|
64
|
+
# its issuers. This may be updated, but this
|
65
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}
|
66
|
+
# must continue to validate.
|
53
67
|
# @!attribute [r] tier
|
54
68
|
# @return [::Google::Cloud::Security::PrivateCA::V1::CaPool::Tier]
|
55
|
-
# Output only. The
|
69
|
+
# Output only. The
|
70
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CaPool::Tier CaPool.Tier} of the
|
71
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool} that includes this
|
56
72
|
# {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}.
|
57
73
|
# @!attribute [r] state
|
58
74
|
# @return [::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority::State]
|
59
|
-
# Output only. The
|
75
|
+
# Output only. The
|
76
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority::State State} for
|
77
|
+
# this
|
78
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}.
|
60
79
|
# @!attribute [r] pem_ca_certificates
|
61
80
|
# @return [::Array<::String>]
|
62
|
-
# Output only. This
|
63
|
-
# {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}'s
|
64
|
-
#
|
65
|
-
#
|
81
|
+
# Output only. This
|
82
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}'s
|
83
|
+
# certificate chain, including the current
|
84
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}'s
|
85
|
+
# certificate. Ordered such that the root issuer is the final element
|
86
|
+
# (consistent with RFC 5246). For a self-signed CA, this will only list the
|
87
|
+
# current
|
88
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}'s
|
89
|
+
# certificate.
|
66
90
|
# @!attribute [r] ca_certificate_descriptions
|
67
91
|
# @return [::Array<::Google::Cloud::Security::PrivateCA::V1::CertificateDescription>]
|
68
|
-
# Output only. A structured description of this
|
69
|
-
#
|
92
|
+
# Output only. A structured description of this
|
93
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}'s
|
94
|
+
# CA certificate and its issuers. Ordered as self-to-root.
|
70
95
|
# @!attribute [rw] gcs_bucket
|
71
96
|
# @return [::String]
|
72
|
-
# Immutable. The name of a Cloud Storage bucket where this
|
73
|
-
#
|
74
|
-
#
|
97
|
+
# Immutable. The name of a Cloud Storage bucket where this
|
98
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}
|
99
|
+
# will publish content, such as the CA certificate and CRLs. This must be a
|
100
|
+
# bucket name, without any prefixes (such as `gs://`) or suffixes (such as
|
75
101
|
# `.googleapis.com`). For example, to use a bucket named `my-bucket`, you
|
76
102
|
# would simply specify `my-bucket`. If not specified, a managed bucket will
|
77
103
|
# be created.
|
78
104
|
# @!attribute [r] access_urls
|
79
105
|
# @return [::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority::AccessUrls]
|
80
|
-
# Output only. URLs for accessing content published by this CA, such as the
|
81
|
-
# and CRLs.
|
106
|
+
# Output only. URLs for accessing content published by this CA, such as the
|
107
|
+
# CA certificate and CRLs.
|
82
108
|
# @!attribute [r] create_time
|
83
109
|
# @return [::Google::Protobuf::Timestamp]
|
84
|
-
# Output only. The time at which this
|
110
|
+
# Output only. The time at which this
|
111
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}
|
112
|
+
# was created.
|
85
113
|
# @!attribute [r] update_time
|
86
114
|
# @return [::Google::Protobuf::Timestamp]
|
87
|
-
# Output only. The time at which this
|
115
|
+
# Output only. The time at which this
|
116
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}
|
117
|
+
# was last updated.
|
88
118
|
# @!attribute [r] delete_time
|
89
119
|
# @return [::Google::Protobuf::Timestamp]
|
90
|
-
# Output only. The time at which this
|
91
|
-
#
|
120
|
+
# Output only. The time at which this
|
121
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}
|
122
|
+
# was soft deleted, if it is in the
|
123
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority::State::DELETED DELETED}
|
124
|
+
# state.
|
92
125
|
# @!attribute [r] expire_time
|
93
126
|
# @return [::Google::Protobuf::Timestamp]
|
94
|
-
# Output only. The time at which this
|
95
|
-
#
|
127
|
+
# Output only. The time at which this
|
128
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}
|
129
|
+
# will be permanently purged, if it is in the
|
130
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority::State::DELETED DELETED}
|
131
|
+
# state.
|
96
132
|
# @!attribute [rw] labels
|
97
133
|
# @return [::Google::Protobuf::Map{::String => ::String}]
|
98
134
|
# Optional. Labels with user-defined metadata.
|
@@ -100,21 +136,29 @@ module Google
|
|
100
136
|
include ::Google::Protobuf::MessageExts
|
101
137
|
extend ::Google::Protobuf::MessageExts::ClassMethods
|
102
138
|
|
103
|
-
# URLs where a
|
139
|
+
# URLs where a
|
140
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}
|
141
|
+
# will publish content.
|
104
142
|
# @!attribute [rw] ca_certificate_access_url
|
105
143
|
# @return [::String]
|
106
|
-
# The URL where this
|
107
|
-
#
|
144
|
+
# The URL where this
|
145
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}'s
|
146
|
+
# CA certificate is published. This will only be set for CAs that have been
|
147
|
+
# activated.
|
108
148
|
# @!attribute [rw] crl_access_urls
|
109
149
|
# @return [::Array<::String>]
|
110
|
-
# The URLs where this
|
111
|
-
#
|
150
|
+
# The URLs where this
|
151
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}'s
|
152
|
+
# CRLs are published. This will only be set for CAs that have been
|
153
|
+
# activated.
|
112
154
|
class AccessUrls
|
113
155
|
include ::Google::Protobuf::MessageExts
|
114
156
|
extend ::Google::Protobuf::MessageExts::ClassMethods
|
115
157
|
end
|
116
158
|
|
117
|
-
# A Cloud KMS key configuration that a
|
159
|
+
# A Cloud KMS key configuration that a
|
160
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}
|
161
|
+
# will use.
|
118
162
|
# @!attribute [rw] cloud_kms_key_version
|
119
163
|
# @return [::String]
|
120
164
|
# The resource name for an existing Cloud KMS CryptoKeyVersion in the
|
@@ -141,7 +185,9 @@ module Google
|
|
141
185
|
extend ::Google::Protobuf::MessageExts::ClassMethods
|
142
186
|
end
|
143
187
|
|
144
|
-
# The type of a
|
188
|
+
# The type of a
|
189
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority},
|
190
|
+
# indicating its issuing chain.
|
145
191
|
module Type
|
146
192
|
# Not specified.
|
147
193
|
TYPE_UNSPECIFIED = 0
|
@@ -149,42 +195,56 @@ module Google
|
|
149
195
|
# Self-signed CA.
|
150
196
|
SELF_SIGNED = 1
|
151
197
|
|
152
|
-
# Subordinate CA. Could be issued by a Private CA
|
198
|
+
# Subordinate CA. Could be issued by a Private CA
|
199
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}
|
153
200
|
# or an unmanaged CA.
|
154
201
|
SUBORDINATE = 2
|
155
202
|
end
|
156
203
|
|
157
|
-
# The state of a
|
204
|
+
# The state of a
|
205
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority},
|
206
|
+
# indicating if it can be used.
|
158
207
|
module State
|
159
208
|
# Not specified.
|
160
209
|
STATE_UNSPECIFIED = 0
|
161
210
|
|
162
211
|
# Certificates can be issued from this CA. CRLs will be generated for this
|
163
|
-
# CA. The CA will be part of the
|
164
|
-
#
|
212
|
+
# CA. The CA will be part of the
|
213
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}'s trust anchor, and
|
214
|
+
# will be used to issue certificates from the
|
215
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
|
165
216
|
ENABLED = 1
|
166
217
|
|
167
218
|
# Certificates cannot be issued from this CA. CRLs will still be generated.
|
168
|
-
# The CA will be part of the
|
169
|
-
#
|
219
|
+
# The CA will be part of the
|
220
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}'s trust anchor, but
|
221
|
+
# will not be used to issue certificates from the
|
222
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
|
170
223
|
DISABLED = 2
|
171
224
|
|
172
225
|
# Certificates can be issued from this CA. CRLs will be generated for this
|
173
|
-
# CA. The CA will be part of the
|
174
|
-
#
|
226
|
+
# CA. The CA will be part of the
|
227
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}'s trust anchor, but
|
228
|
+
# will not be used to issue certificates from the
|
229
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
|
175
230
|
STAGED = 3
|
176
231
|
|
177
232
|
# Certificates cannot be issued from this CA. CRLs will not be generated.
|
178
|
-
# The CA will not be part of the
|
179
|
-
#
|
233
|
+
# The CA will not be part of the
|
234
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}'s trust anchor, and
|
235
|
+
# will not be used to issue certificates from the
|
236
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
|
180
237
|
AWAITING_USER_ACTIVATION = 4
|
181
238
|
|
182
239
|
# Certificates cannot be issued from this CA. CRLs will not be generated.
|
183
240
|
# The CA may still be recovered by calling
|
184
|
-
# {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthorityService::Client#undelete_certificate_authority CertificateAuthorityService.UndeleteCertificateAuthority}
|
241
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthorityService::Client#undelete_certificate_authority CertificateAuthorityService.UndeleteCertificateAuthority}
|
242
|
+
# before
|
185
243
|
# {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority#expire_time expire_time}.
|
186
|
-
# The CA will not be part of the
|
187
|
-
#
|
244
|
+
# The CA will not be part of the
|
245
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}'s trust anchor, and
|
246
|
+
# will not be used to issue certificates from the
|
247
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
|
188
248
|
DELETED = 5
|
189
249
|
end
|
190
250
|
|
@@ -228,26 +288,37 @@ module Google
|
|
228
288
|
end
|
229
289
|
|
230
290
|
# A {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool} represents a group of
|
231
|
-
# {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthorities}
|
232
|
-
#
|
233
|
-
# {::Google::Cloud::Security::PrivateCA::V1::
|
234
|
-
#
|
291
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthorities}
|
292
|
+
# that form a trust anchor. A
|
293
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool} can be used to manage
|
294
|
+
# issuance policies for one or more
|
295
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}
|
296
|
+
# resources and to rotate CA certificates in and out of the trust anchor.
|
235
297
|
# @!attribute [r] name
|
236
298
|
# @return [::String]
|
237
|
-
# Output only. The resource name for this
|
238
|
-
# format
|
299
|
+
# Output only. The resource name for this
|
300
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool} in the format
|
301
|
+
# `projects/*/locations/*/caPools/*`.
|
239
302
|
# @!attribute [rw] tier
|
240
303
|
# @return [::Google::Cloud::Security::PrivateCA::V1::CaPool::Tier]
|
241
|
-
# Required. Immutable. The
|
304
|
+
# Required. Immutable. The
|
305
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CaPool::Tier Tier} of this
|
306
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
|
242
307
|
# @!attribute [rw] issuance_policy
|
243
308
|
# @return [::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy]
|
244
|
-
# Optional. The
|
245
|
-
#
|
309
|
+
# Optional. The
|
310
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy IssuancePolicy}
|
311
|
+
# to control how
|
312
|
+
# {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates} will be
|
313
|
+
# issued from this {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
|
246
314
|
# @!attribute [rw] publishing_options
|
247
315
|
# @return [::Google::Cloud::Security::PrivateCA::V1::CaPool::PublishingOptions]
|
248
|
-
# Optional. The
|
249
|
-
# {::Google::Cloud::Security::PrivateCA::V1::
|
250
|
-
#
|
316
|
+
# Optional. The
|
317
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CaPool::PublishingOptions PublishingOptions}
|
318
|
+
# to follow when issuing
|
319
|
+
# {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates} from any
|
320
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}
|
321
|
+
# in this {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
|
251
322
|
# @!attribute [rw] labels
|
252
323
|
# @return [::Google::Protobuf::Map{::String => ::String}]
|
253
324
|
# Optional. Labels with user-defined metadata.
|
@@ -255,83 +326,108 @@ module Google
|
|
255
326
|
include ::Google::Protobuf::MessageExts
|
256
327
|
extend ::Google::Protobuf::MessageExts::ClassMethods
|
257
328
|
|
258
|
-
# Options relating to the publication of each
|
259
|
-
#
|
260
|
-
#
|
261
|
-
#
|
329
|
+
# Options relating to the publication of each
|
330
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}'s
|
331
|
+
# CA certificate and CRLs and their inclusion as extensions in issued
|
332
|
+
# {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates}. The options
|
333
|
+
# set here apply to certificates issued by any
|
334
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}
|
335
|
+
# in the {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
|
262
336
|
# @!attribute [rw] publish_ca_cert
|
263
337
|
# @return [::Boolean]
|
264
|
-
# Optional. When true, publishes each
|
265
|
-
#
|
266
|
-
#
|
267
|
-
#
|
268
|
-
#
|
338
|
+
# Optional. When true, publishes each
|
339
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}'s
|
340
|
+
# CA certificate and includes its URL in the "Authority Information Access"
|
341
|
+
# X.509 extension in all issued
|
342
|
+
# {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates}. If this
|
343
|
+
# is false, the CA certificate will not be published and the corresponding
|
344
|
+
# X.509 extension will not be written in issued certificates.
|
269
345
|
# @!attribute [rw] publish_crl
|
270
346
|
# @return [::Boolean]
|
271
|
-
# Optional. When true, publishes each
|
272
|
-
#
|
273
|
-
#
|
274
|
-
#
|
275
|
-
#
|
276
|
-
# CRLs will
|
277
|
-
#
|
347
|
+
# Optional. When true, publishes each
|
348
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}'s
|
349
|
+
# CRL and includes its URL in the "CRL Distribution Points" X.509 extension
|
350
|
+
# in all issued
|
351
|
+
# {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates}. If this
|
352
|
+
# is false, CRLs will not be published and the corresponding X.509
|
353
|
+
# extension will not be written in issued certificates. CRLs will expire 7
|
354
|
+
# days from their creation. However, we will rebuild daily. CRLs are also
|
355
|
+
# rebuilt shortly after a certificate is revoked.
|
278
356
|
class PublishingOptions
|
279
357
|
include ::Google::Protobuf::MessageExts
|
280
358
|
extend ::Google::Protobuf::MessageExts::ClassMethods
|
281
359
|
end
|
282
360
|
|
283
|
-
# Defines controls over all certificate issuance within a
|
361
|
+
# Defines controls over all certificate issuance within a
|
362
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
|
284
363
|
# @!attribute [rw] allowed_key_types
|
285
364
|
# @return [::Array<::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::AllowedKeyType>]
|
286
|
-
# Optional. If any
|
287
|
-
#
|
288
|
-
#
|
365
|
+
# Optional. If any
|
366
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::AllowedKeyType AllowedKeyType}
|
367
|
+
# is specified, then the certificate request's public key must match one of
|
368
|
+
# the key types listed here. Otherwise, any key may be used.
|
289
369
|
# @!attribute [rw] maximum_lifetime
|
290
370
|
# @return [::Google::Protobuf::Duration]
|
291
|
-
# Optional. The maximum lifetime allowed for issued
|
292
|
-
#
|
293
|
-
#
|
294
|
-
#
|
371
|
+
# Optional. The maximum lifetime allowed for issued
|
372
|
+
# {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates}. Note that
|
373
|
+
# if the issuing
|
374
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}
|
375
|
+
# expires before a
|
376
|
+
# {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate}'s requested
|
377
|
+
# maximum_lifetime, the effective lifetime will be explicitly truncated to
|
378
|
+
# match it.
|
295
379
|
# @!attribute [rw] allowed_issuance_modes
|
296
380
|
# @return [::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::IssuanceModes]
|
297
|
-
# Optional. If specified, then only methods allowed in the
|
298
|
-
#
|
381
|
+
# Optional. If specified, then only methods allowed in the
|
382
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::IssuanceModes IssuanceModes}
|
383
|
+
# may be used to issue
|
384
|
+
# {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates}.
|
299
385
|
# @!attribute [rw] baseline_values
|
300
386
|
# @return [::Google::Cloud::Security::PrivateCA::V1::X509Parameters]
|
301
|
-
# Optional. A set of X.509 values that will be applied to all certificates
|
302
|
-
# through this {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
|
303
|
-
#
|
304
|
-
#
|
387
|
+
# Optional. A set of X.509 values that will be applied to all certificates
|
388
|
+
# issued through this {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
|
389
|
+
# If a certificate request includes conflicting values for the same
|
390
|
+
# properties, they will be overwritten by the values defined here. If a
|
391
|
+
# certificate request uses a
|
392
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CertificateTemplate CertificateTemplate}
|
305
393
|
# that defines conflicting
|
306
|
-
# {::Google::Cloud::Security::PrivateCA::V1::CertificateTemplate#predefined_values predefined_values}
|
307
|
-
# properties, the certificate issuance request will fail.
|
394
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CertificateTemplate#predefined_values predefined_values}
|
395
|
+
# for the same properties, the certificate issuance request will fail.
|
308
396
|
# @!attribute [rw] identity_constraints
|
309
397
|
# @return [::Google::Cloud::Security::PrivateCA::V1::CertificateIdentityConstraints]
|
310
398
|
# Optional. Describes constraints on identities that may appear in
|
311
|
-
# {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates} issued
|
312
|
-
#
|
313
|
-
#
|
399
|
+
# {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates} issued
|
400
|
+
# through this {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}. If this
|
401
|
+
# is omitted, then this {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}
|
402
|
+
# will not add restrictions on a certificate's identity.
|
314
403
|
# @!attribute [rw] passthrough_extensions
|
315
404
|
# @return [::Google::Cloud::Security::PrivateCA::V1::CertificateExtensionConstraints]
|
316
405
|
# Optional. Describes the set of X.509 extensions that may appear in a
|
317
|
-
# {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} issued
|
318
|
-
#
|
406
|
+
# {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} issued
|
407
|
+
# through this {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}. If a
|
408
|
+
# certificate request sets extensions that don't appear in the
|
409
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy#passthrough_extensions passthrough_extensions},
|
319
410
|
# those extensions will be dropped. If a certificate request uses a
|
320
|
-
# {::Google::Cloud::Security::PrivateCA::V1::CertificateTemplate CertificateTemplate}
|
321
|
-
#
|
322
|
-
#
|
323
|
-
#
|
324
|
-
#
|
325
|
-
#
|
411
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CertificateTemplate CertificateTemplate}
|
412
|
+
# with
|
413
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CertificateTemplate#predefined_values predefined_values}
|
414
|
+
# that don't appear here, the certificate issuance request will fail. If
|
415
|
+
# this is omitted, then this
|
416
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool} will not add
|
417
|
+
# restrictions on a certificate's X.509 extensions. These constraints do
|
418
|
+
# not apply to X.509 extensions set in this
|
419
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}'s
|
420
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy#baseline_values baseline_values}.
|
326
421
|
class IssuancePolicy
|
327
422
|
include ::Google::Protobuf::MessageExts
|
328
423
|
extend ::Google::Protobuf::MessageExts::ClassMethods
|
329
424
|
|
330
|
-
# Describes a "type" of key that may be used in a
|
331
|
-
#
|
332
|
-
#
|
333
|
-
#
|
334
|
-
#
|
425
|
+
# Describes a "type" of key that may be used in a
|
426
|
+
# {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} issued from
|
427
|
+
# a {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}. Note that a single
|
428
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::AllowedKeyType AllowedKeyType}
|
429
|
+
# may refer to either a fully-qualified key algorithm, such as RSA 4096, or
|
430
|
+
# a family of key algorithms, such as any RSA key.
|
335
431
|
# @!attribute [rw] rsa
|
336
432
|
# @return [::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::AllowedKeyType::RsaKeyType]
|
337
433
|
# Represents an allowed RSA key type.
|
@@ -342,35 +438,39 @@ module Google
|
|
342
438
|
include ::Google::Protobuf::MessageExts
|
343
439
|
extend ::Google::Protobuf::MessageExts::ClassMethods
|
344
440
|
|
345
|
-
# Describes an RSA key that may be used in a
|
346
|
-
#
|
441
|
+
# Describes an RSA key that may be used in a
|
442
|
+
# {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} issued
|
443
|
+
# from a {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
|
347
444
|
# @!attribute [rw] min_modulus_size
|
348
445
|
# @return [::Integer]
|
349
|
-
# Optional. The minimum allowed RSA modulus size (inclusive), in bits.
|
350
|
-
# not set, or if set to zero, the service-level min RSA
|
351
|
-
# will continue to apply.
|
446
|
+
# Optional. The minimum allowed RSA modulus size (inclusive), in bits.
|
447
|
+
# If this is not set, or if set to zero, the service-level min RSA
|
448
|
+
# modulus size will continue to apply.
|
352
449
|
# @!attribute [rw] max_modulus_size
|
353
450
|
# @return [::Integer]
|
354
|
-
# Optional. The maximum allowed RSA modulus size (inclusive), in bits.
|
355
|
-
# not set, or if set to zero, the service will not enforce
|
356
|
-
# upper bound on RSA modulus sizes.
|
451
|
+
# Optional. The maximum allowed RSA modulus size (inclusive), in bits.
|
452
|
+
# If this is not set, or if set to zero, the service will not enforce
|
453
|
+
# an explicit upper bound on RSA modulus sizes.
|
357
454
|
class RsaKeyType
|
358
455
|
include ::Google::Protobuf::MessageExts
|
359
456
|
extend ::Google::Protobuf::MessageExts::ClassMethods
|
360
457
|
end
|
361
458
|
|
362
|
-
# Describes an Elliptic Curve key that may be used in a
|
363
|
-
#
|
459
|
+
# Describes an Elliptic Curve key that may be used in a
|
460
|
+
# {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} issued
|
461
|
+
# from a {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
|
364
462
|
# @!attribute [rw] signature_algorithm
|
365
463
|
# @return [::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::AllowedKeyType::EcKeyType::EcSignatureAlgorithm]
|
366
|
-
# Optional. A signature algorithm that must be used. If this is
|
367
|
-
# EC-based signature algorithm will be allowed.
|
464
|
+
# Optional. A signature algorithm that must be used. If this is
|
465
|
+
# omitted, any EC-based signature algorithm will be allowed.
|
368
466
|
class EcKeyType
|
369
467
|
include ::Google::Protobuf::MessageExts
|
370
468
|
extend ::Google::Protobuf::MessageExts::ClassMethods
|
371
469
|
|
372
470
|
# Describes an elliptic curve-based signature algorithm that may be
|
373
|
-
# used in a
|
471
|
+
# used in a
|
472
|
+
# {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} issued
|
473
|
+
# from a {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
|
374
474
|
module EcSignatureAlgorithm
|
375
475
|
# Not specified. Signifies that any signature algorithm may be used.
|
376
476
|
EC_SIGNATURE_ALGORITHM_UNSPECIFIED = 0
|
@@ -390,17 +490,21 @@ module Google
|
|
390
490
|
end
|
391
491
|
end
|
392
492
|
|
393
|
-
# {::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::IssuanceModes IssuanceModes}
|
394
|
-
#
|
395
|
-
# {::Google::Cloud::Security::PrivateCA::V1::
|
493
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::IssuanceModes IssuanceModes}
|
494
|
+
# specifies the allowed ways in which
|
495
|
+
# {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates} may be
|
496
|
+
# requested from this {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
|
396
497
|
# @!attribute [rw] allow_csr_based_issuance
|
397
498
|
# @return [::Boolean]
|
398
|
-
# Optional. When true, allows callers to create
|
499
|
+
# Optional. When true, allows callers to create
|
500
|
+
# {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates} by
|
399
501
|
# specifying a CSR.
|
400
502
|
# @!attribute [rw] allow_config_based_issuance
|
401
503
|
# @return [::Boolean]
|
402
|
-
# Optional. When true, allows callers to create
|
403
|
-
#
|
504
|
+
# Optional. When true, allows callers to create
|
505
|
+
# {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates} by
|
506
|
+
# specifying a
|
507
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CertificateConfig CertificateConfig}.
|
404
508
|
class IssuanceModes
|
405
509
|
include ::Google::Protobuf::MessageExts
|
406
510
|
extend ::Google::Protobuf::MessageExts::ClassMethods
|
@@ -416,8 +520,8 @@ module Google
|
|
416
520
|
extend ::Google::Protobuf::MessageExts::ClassMethods
|
417
521
|
end
|
418
522
|
|
419
|
-
# The tier of a {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool},
|
420
|
-
# billing SKU.
|
523
|
+
# The tier of a {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool},
|
524
|
+
# indicating its supported functionality and/or billing SKU.
|
421
525
|
module Tier
|
422
526
|
# Not specified.
|
423
527
|
TIER_UNSPECIFIED = 0
|
@@ -430,14 +534,15 @@ module Google
|
|
430
534
|
end
|
431
535
|
end
|
432
536
|
|
433
|
-
# A
|
434
|
-
#
|
435
|
-
#
|
537
|
+
# A
|
538
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CertificateRevocationList CertificateRevocationList}
|
539
|
+
# corresponds to a signed X.509 certificate Revocation List (CRL). A CRL
|
540
|
+
# contains the serial numbers of certificates that should no longer be trusted.
|
436
541
|
# @!attribute [r] name
|
437
542
|
# @return [::String]
|
438
|
-
# Output only. The resource name for this
|
439
|
-
#
|
440
|
-
# `projects/*/locations/*/caPools/*certificateAuthorities/*/
|
543
|
+
# Output only. The resource name for this
|
544
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CertificateRevocationList CertificateRevocationList}
|
545
|
+
# in the format `projects/*/locations/*/caPools/*certificateAuthorities/*/
|
441
546
|
# certificateRevocationLists/*`.
|
442
547
|
# @!attribute [r] sequence_number
|
443
548
|
# @return [::Integer]
|
@@ -453,18 +558,26 @@ module Google
|
|
453
558
|
# Output only. The location where 'pem_crl' can be accessed.
|
454
559
|
# @!attribute [r] state
|
455
560
|
# @return [::Google::Cloud::Security::PrivateCA::V1::CertificateRevocationList::State]
|
456
|
-
# Output only. The
|
561
|
+
# Output only. The
|
562
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CertificateRevocationList::State State}
|
563
|
+
# for this
|
564
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CertificateRevocationList CertificateRevocationList}.
|
457
565
|
# @!attribute [r] create_time
|
458
566
|
# @return [::Google::Protobuf::Timestamp]
|
459
|
-
# Output only. The time at which this
|
567
|
+
# Output only. The time at which this
|
568
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CertificateRevocationList CertificateRevocationList}
|
569
|
+
# was created.
|
460
570
|
# @!attribute [r] update_time
|
461
571
|
# @return [::Google::Protobuf::Timestamp]
|
462
|
-
# Output only. The time at which this
|
572
|
+
# Output only. The time at which this
|
573
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CertificateRevocationList CertificateRevocationList}
|
574
|
+
# was updated.
|
463
575
|
# @!attribute [r] revision_id
|
464
576
|
# @return [::String]
|
465
|
-
# Output only. The revision ID of this
|
466
|
-
#
|
467
|
-
#
|
577
|
+
# Output only. The revision ID of this
|
578
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CertificateRevocationList CertificateRevocationList}.
|
579
|
+
# A new revision is committed whenever a new CRL is published. The format is
|
580
|
+
# an 8-character hexadecimal string.
|
468
581
|
# @!attribute [rw] labels
|
469
582
|
# @return [::Google::Protobuf::Map{::String => ::String}]
|
470
583
|
# Optional. Labels with user-defined metadata.
|
@@ -472,17 +585,22 @@ module Google
|
|
472
585
|
include ::Google::Protobuf::MessageExts
|
473
586
|
extend ::Google::Protobuf::MessageExts::ClassMethods
|
474
587
|
|
475
|
-
# Describes a revoked
|
588
|
+
# Describes a revoked
|
589
|
+
# {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate}.
|
476
590
|
# @!attribute [rw] certificate
|
477
591
|
# @return [::String]
|
478
|
-
# The resource name for the
|
479
|
-
#
|
592
|
+
# The resource name for the
|
593
|
+
# {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} in the
|
594
|
+
# format `projects/*/locations/*/caPools/*/certificates/*`.
|
480
595
|
# @!attribute [rw] hex_serial_number
|
481
596
|
# @return [::String]
|
482
|
-
# The serial number of the
|
597
|
+
# The serial number of the
|
598
|
+
# {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate}.
|
483
599
|
# @!attribute [rw] revocation_reason
|
484
600
|
# @return [::Google::Cloud::Security::PrivateCA::V1::RevocationReason]
|
485
|
-
# The reason the
|
601
|
+
# The reason the
|
602
|
+
# {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} was
|
603
|
+
# revoked.
|
486
604
|
class RevokedCertificate
|
487
605
|
include ::Google::Protobuf::MessageExts
|
488
606
|
extend ::Google::Protobuf::MessageExts::ClassMethods
|
@@ -497,58 +615,73 @@ module Google
|
|
497
615
|
extend ::Google::Protobuf::MessageExts::ClassMethods
|
498
616
|
end
|
499
617
|
|
500
|
-
# The state of a
|
618
|
+
# The state of a
|
619
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CertificateRevocationList CertificateRevocationList},
|
620
|
+
# indicating if it is current.
|
501
621
|
module State
|
502
622
|
# Not specified.
|
503
623
|
STATE_UNSPECIFIED = 0
|
504
624
|
|
505
|
-
# The
|
625
|
+
# The
|
626
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CertificateRevocationList CertificateRevocationList}
|
627
|
+
# is up to date.
|
506
628
|
ACTIVE = 1
|
507
629
|
|
508
|
-
# The
|
630
|
+
# The
|
631
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CertificateRevocationList CertificateRevocationList}
|
632
|
+
# is no longer current.
|
509
633
|
SUPERSEDED = 2
|
510
634
|
end
|
511
635
|
end
|
512
636
|
|
513
|
-
# A {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} corresponds
|
637
|
+
# A {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} corresponds
|
638
|
+
# to a signed X.509 certificate issued by a
|
514
639
|
# {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}.
|
515
640
|
# @!attribute [r] name
|
516
641
|
# @return [::String]
|
517
|
-
# Output only. The resource name for this
|
642
|
+
# Output only. The resource name for this
|
643
|
+
# {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} in the format
|
518
644
|
# `projects/*/locations/*/caPools/*/certificates/*`.
|
519
645
|
# @!attribute [rw] pem_csr
|
520
646
|
# @return [::String]
|
521
647
|
# Immutable. A pem-encoded X.509 certificate signing request (CSR).
|
522
648
|
# @!attribute [rw] config
|
523
649
|
# @return [::Google::Cloud::Security::PrivateCA::V1::CertificateConfig]
|
524
|
-
# Immutable. A description of the certificate and key that does not require
|
525
|
-
# ASN.1.
|
650
|
+
# Immutable. A description of the certificate and key that does not require
|
651
|
+
# X.509 or ASN.1.
|
526
652
|
# @!attribute [r] issuer_certificate_authority
|
527
653
|
# @return [::String]
|
528
|
-
# Output only. The resource name of the issuing
|
529
|
-
#
|
654
|
+
# Output only. The resource name of the issuing
|
655
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}
|
656
|
+
# in the format `projects/*/locations/*/caPools/*/certificateAuthorities/*`.
|
530
657
|
# @!attribute [rw] lifetime
|
531
658
|
# @return [::Google::Protobuf::Duration]
|
532
|
-
# Required. Immutable. The desired lifetime of a certificate. Used to create
|
533
|
-
# "not_before_time" and "not_after_time" fields inside an X.509
|
659
|
+
# Required. Immutable. The desired lifetime of a certificate. Used to create
|
660
|
+
# the "not_before_time" and "not_after_time" fields inside an X.509
|
534
661
|
# certificate. Note that the lifetime may be truncated if it would extend
|
535
662
|
# past the life of any certificate authority in the issuing chain.
|
536
663
|
# @!attribute [rw] certificate_template
|
537
664
|
# @return [::String]
|
538
|
-
# Immutable. The resource name for a
|
539
|
-
#
|
665
|
+
# Immutable. The resource name for a
|
666
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CertificateTemplate CertificateTemplate}
|
667
|
+
# used to issue this certificate, in the format
|
540
668
|
# `projects/*/locations/*/certificateTemplates/*`.
|
541
669
|
# If this is specified, the caller must have the necessary permission to
|
542
670
|
# use this template. If this is omitted, no template will be used.
|
543
|
-
# This template must be in the same location as the
|
671
|
+
# This template must be in the same location as the
|
672
|
+
# {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate}.
|
544
673
|
# @!attribute [rw] subject_mode
|
545
674
|
# @return [::Google::Cloud::Security::PrivateCA::V1::SubjectRequestMode]
|
546
|
-
# Immutable. Specifies how the
|
547
|
-
#
|
675
|
+
# Immutable. Specifies how the
|
676
|
+
# {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate}'s identity
|
677
|
+
# fields are to be decided. If this is omitted, the `DEFAULT` subject mode
|
678
|
+
# will be used.
|
548
679
|
# @!attribute [r] revocation_details
|
549
680
|
# @return [::Google::Cloud::Security::PrivateCA::V1::Certificate::RevocationDetails]
|
550
|
-
# Output only. Details regarding the revocation of this
|
551
|
-
# {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate}
|
681
|
+
# Output only. Details regarding the revocation of this
|
682
|
+
# {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate}. This
|
683
|
+
# {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} is considered
|
684
|
+
# revoked if and only if this field is present.
|
552
685
|
# @!attribute [r] pem_certificate
|
553
686
|
# @return [::String]
|
554
687
|
# Output only. The pem-encoded, signed X.509 certificate.
|
@@ -557,14 +690,16 @@ module Google
|
|
557
690
|
# Output only. A structured description of the issued X.509 certificate.
|
558
691
|
# @!attribute [r] pem_certificate_chain
|
559
692
|
# @return [::Array<::String>]
|
560
|
-
# Output only. The chain that may be used to verify the X.509 certificate.
|
561
|
-
# in issuer-to-root order according to RFC 5246.
|
693
|
+
# Output only. The chain that may be used to verify the X.509 certificate.
|
694
|
+
# Expected to be in issuer-to-root order according to RFC 5246.
|
562
695
|
# @!attribute [r] create_time
|
563
696
|
# @return [::Google::Protobuf::Timestamp]
|
564
|
-
# Output only. The time at which this
|
697
|
+
# Output only. The time at which this
|
698
|
+
# {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} was created.
|
565
699
|
# @!attribute [r] update_time
|
566
700
|
# @return [::Google::Protobuf::Timestamp]
|
567
|
-
# Output only. The time at which this
|
701
|
+
# Output only. The time at which this
|
702
|
+
# {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} was updated.
|
568
703
|
# @!attribute [rw] labels
|
569
704
|
# @return [::Google::Protobuf::Map{::String => ::String}]
|
570
705
|
# Optional. Labels with user-defined metadata.
|
@@ -572,13 +707,18 @@ module Google
|
|
572
707
|
include ::Google::Protobuf::MessageExts
|
573
708
|
extend ::Google::Protobuf::MessageExts::ClassMethods
|
574
709
|
|
575
|
-
# Describes fields that are relavent to the revocation of a
|
710
|
+
# Describes fields that are relavent to the revocation of a
|
711
|
+
# {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate}.
|
576
712
|
# @!attribute [rw] revocation_state
|
577
713
|
# @return [::Google::Cloud::Security::PrivateCA::V1::RevocationReason]
|
578
|
-
# Indicates why a
|
714
|
+
# Indicates why a
|
715
|
+
# {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} was
|
716
|
+
# revoked.
|
579
717
|
# @!attribute [rw] revocation_time
|
580
718
|
# @return [::Google::Protobuf::Timestamp]
|
581
|
-
# The time at which this
|
719
|
+
# The time at which this
|
720
|
+
# {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} was
|
721
|
+
# revoked.
|
582
722
|
class RevocationDetails
|
583
723
|
include ::Google::Protobuf::MessageExts
|
584
724
|
extend ::Google::Protobuf::MessageExts::ClassMethods
|
@@ -594,47 +734,64 @@ module Google
|
|
594
734
|
end
|
595
735
|
end
|
596
736
|
|
597
|
-
# A
|
598
|
-
#
|
737
|
+
# A
|
738
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CertificateTemplate CertificateTemplate}
|
739
|
+
# refers to a managed template for certificate issuance.
|
599
740
|
# @!attribute [r] name
|
600
741
|
# @return [::String]
|
601
|
-
# Output only. The resource name for this
|
602
|
-
#
|
742
|
+
# Output only. The resource name for this
|
743
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CertificateTemplate CertificateTemplate}
|
744
|
+
# in the format `projects/*/locations/*/certificateTemplates/*`.
|
603
745
|
# @!attribute [rw] predefined_values
|
604
746
|
# @return [::Google::Cloud::Security::PrivateCA::V1::X509Parameters]
|
605
|
-
# Optional. A set of X.509 values that will be applied to all issued
|
606
|
-
# use this template. If the certificate request includes
|
607
|
-
# for the same properties, they will be overwritten by the
|
608
|
-
# here. If the issuing
|
747
|
+
# Optional. A set of X.509 values that will be applied to all issued
|
748
|
+
# certificates that use this template. If the certificate request includes
|
749
|
+
# conflicting values for the same properties, they will be overwritten by the
|
750
|
+
# values defined here. If the issuing
|
751
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}'s
|
752
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy IssuancePolicy}
|
609
753
|
# defines conflicting
|
610
|
-
# {::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy#baseline_values baseline_values}
|
611
|
-
# properties, the certificate issuance request will fail.
|
754
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy#baseline_values baseline_values}
|
755
|
+
# for the same properties, the certificate issuance request will fail.
|
612
756
|
# @!attribute [rw] identity_constraints
|
613
757
|
# @return [::Google::Cloud::Security::PrivateCA::V1::CertificateIdentityConstraints]
|
614
758
|
# Optional. Describes constraints on identities that may be appear in
|
615
|
-
# {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates} issued using
|
616
|
-
# then this template will not add
|
759
|
+
# {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates} issued using
|
760
|
+
# this template. If this is omitted, then this template will not add
|
761
|
+
# restrictions on a certificate's identity.
|
617
762
|
# @!attribute [rw] passthrough_extensions
|
618
763
|
# @return [::Google::Cloud::Security::PrivateCA::V1::CertificateExtensionConstraints]
|
619
764
|
# Optional. Describes the set of X.509 extensions that may appear in a
|
620
|
-
# {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} issued using
|
621
|
-
#
|
622
|
-
# {::Google::Cloud::Security::PrivateCA::V1::CertificateTemplate
|
623
|
-
#
|
624
|
-
# {::Google::Cloud::Security::PrivateCA::V1::
|
625
|
-
#
|
626
|
-
#
|
627
|
-
#
|
628
|
-
#
|
765
|
+
# {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} issued using
|
766
|
+
# this
|
767
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CertificateTemplate CertificateTemplate}.
|
768
|
+
# If a certificate request sets extensions that don't appear in the
|
769
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CertificateTemplate#passthrough_extensions passthrough_extensions},
|
770
|
+
# those extensions will be dropped. If the issuing
|
771
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}'s
|
772
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy IssuancePolicy}
|
773
|
+
# defines
|
774
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy#baseline_values baseline_values}
|
775
|
+
# that don't appear here, the certificate issuance request will fail. If this
|
776
|
+
# is omitted, then this template will not add restrictions on a certificate's
|
777
|
+
# X.509 extensions. These constraints do not apply to X.509 extensions set in
|
778
|
+
# this
|
779
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CertificateTemplate CertificateTemplate}'s
|
780
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CertificateTemplate#predefined_values predefined_values}.
|
629
781
|
# @!attribute [rw] description
|
630
782
|
# @return [::String]
|
631
|
-
# Optional. A human-readable description of scenarios this template is
|
783
|
+
# Optional. A human-readable description of scenarios this template is
|
784
|
+
# intended for.
|
632
785
|
# @!attribute [r] create_time
|
633
786
|
# @return [::Google::Protobuf::Timestamp]
|
634
|
-
# Output only. The time at which this
|
787
|
+
# Output only. The time at which this
|
788
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CertificateTemplate CertificateTemplate}
|
789
|
+
# was created.
|
635
790
|
# @!attribute [r] update_time
|
636
791
|
# @return [::Google::Protobuf::Timestamp]
|
637
|
-
# Output only. The time at which this
|
792
|
+
# Output only. The time at which this
|
793
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CertificateTemplate CertificateTemplate}
|
794
|
+
# was updated.
|
638
795
|
# @!attribute [rw] labels
|
639
796
|
# @return [::Google::Protobuf::Map{::String => ::String}]
|
640
797
|
# Optional. Labels with user-defined metadata.
|
@@ -652,25 +809,31 @@ module Google
|
|
652
809
|
end
|
653
810
|
end
|
654
811
|
|
655
|
-
# An {::Google::Cloud::Security::PrivateCA::V1::X509Parameters X509Parameters} is
|
656
|
-
# X.509 certificate, such as the key
|
657
|
-
#
|
812
|
+
# An {::Google::Cloud::Security::PrivateCA::V1::X509Parameters X509Parameters} is
|
813
|
+
# used to describe certain fields of an X.509 certificate, such as the key
|
814
|
+
# usage fields, fields specific to CA certificates, certificate policy
|
815
|
+
# extensions and custom extensions.
|
658
816
|
# @!attribute [rw] key_usage
|
659
817
|
# @return [::Google::Cloud::Security::PrivateCA::V1::KeyUsage]
|
660
|
-
# Optional. Indicates the intended use for keys that correspond to a
|
818
|
+
# Optional. Indicates the intended use for keys that correspond to a
|
819
|
+
# certificate.
|
661
820
|
# @!attribute [rw] ca_options
|
662
821
|
# @return [::Google::Cloud::Security::PrivateCA::V1::X509Parameters::CaOptions]
|
663
|
-
# Optional. Describes options in this
|
664
|
-
#
|
822
|
+
# Optional. Describes options in this
|
823
|
+
# {::Google::Cloud::Security::PrivateCA::V1::X509Parameters X509Parameters} that
|
824
|
+
# are relevant in a CA certificate.
|
665
825
|
# @!attribute [rw] policy_ids
|
666
826
|
# @return [::Array<::Google::Cloud::Security::PrivateCA::V1::ObjectId>]
|
667
827
|
# Optional. Describes the X.509 certificate policy object identifiers, per
|
668
828
|
# https://tools.ietf.org/html/rfc5280#section-4.2.1.4.
|
669
829
|
# @!attribute [rw] aia_ocsp_servers
|
670
830
|
# @return [::Array<::String>]
|
671
|
-
# Optional. Describes Online Certificate Status Protocol (OCSP) endpoint
|
672
|
-
# that appear in the "Authority Information Access" extension in
|
673
|
-
# certificate.
|
831
|
+
# Optional. Describes Online Certificate Status Protocol (OCSP) endpoint
|
832
|
+
# addresses that appear in the "Authority Information Access" extension in
|
833
|
+
# the certificate.
|
834
|
+
# @!attribute [rw] name_constraints
|
835
|
+
# @return [::Google::Cloud::Security::PrivateCA::V1::X509Parameters::NameConstraints]
|
836
|
+
# Optional. Describes the X.509 name constraints extension.
|
674
837
|
# @!attribute [rw] additional_extensions
|
675
838
|
# @return [::Array<::Google::Cloud::Security::PrivateCA::V1::X509Extension>]
|
676
839
|
# Optional. Describes custom X.509 extensions.
|
@@ -681,8 +844,9 @@ module Google
|
|
681
844
|
# Describes values that are relevant in a CA certificate.
|
682
845
|
# @!attribute [rw] is_ca
|
683
846
|
# @return [::Boolean]
|
684
|
-
# Optional. Refers to the "CA" X.509 extension, which is a boolean value.
|
685
|
-
# value is missing, the extension will be omitted from the CA
|
847
|
+
# Optional. Refers to the "CA" X.509 extension, which is a boolean value.
|
848
|
+
# When this value is missing, the extension will be omitted from the CA
|
849
|
+
# certificate.
|
686
850
|
# @!attribute [rw] max_issuer_path_length
|
687
851
|
# @return [::Integer]
|
688
852
|
# Optional. Refers to the path length restriction X.509 extension. For a CA
|
@@ -695,20 +859,84 @@ module Google
|
|
695
859
|
include ::Google::Protobuf::MessageExts
|
696
860
|
extend ::Google::Protobuf::MessageExts::ClassMethods
|
697
861
|
end
|
862
|
+
|
863
|
+
# Describes the X.509 name constraints extension, per
|
864
|
+
# https://tools.ietf.org/html/rfc5280#section-4.2.1.10
|
865
|
+
# @!attribute [rw] critical
|
866
|
+
# @return [::Boolean]
|
867
|
+
# Indicates whether or not the name constraints are marked critical.
|
868
|
+
# @!attribute [rw] permitted_dns_names
|
869
|
+
# @return [::Array<::String>]
|
870
|
+
# Contains permitted DNS names. Any DNS name that can be
|
871
|
+
# constructed by simply adding zero or more labels to
|
872
|
+
# the left-hand side of the name satisfies the name constraint.
|
873
|
+
# For example, `example.com`, `www.example.com`, `www.sub.example.com`
|
874
|
+
# would satisfy `example.com` while `example1.com` does not.
|
875
|
+
# @!attribute [rw] excluded_dns_names
|
876
|
+
# @return [::Array<::String>]
|
877
|
+
# Contains excluded DNS names. Any DNS name that can be
|
878
|
+
# constructed by simply adding zero or more labels to
|
879
|
+
# the left-hand side of the name satisfies the name constraint.
|
880
|
+
# For example, `example.com`, `www.example.com`, `www.sub.example.com`
|
881
|
+
# would satisfy `example.com` while `example1.com` does not.
|
882
|
+
# @!attribute [rw] permitted_ip_ranges
|
883
|
+
# @return [::Array<::String>]
|
884
|
+
# Contains the permitted IP ranges. For IPv4 addresses, the ranges
|
885
|
+
# are expressed using CIDR notation as specified in RFC 4632.
|
886
|
+
# For IPv6 addresses, the ranges are expressed in similar encoding as IPv4
|
887
|
+
# addresses.
|
888
|
+
# @!attribute [rw] excluded_ip_ranges
|
889
|
+
# @return [::Array<::String>]
|
890
|
+
# Contains the excluded IP ranges. For IPv4 addresses, the ranges
|
891
|
+
# are expressed using CIDR notation as specified in RFC 4632.
|
892
|
+
# For IPv6 addresses, the ranges are expressed in similar encoding as IPv4
|
893
|
+
# addresses.
|
894
|
+
# @!attribute [rw] permitted_email_addresses
|
895
|
+
# @return [::Array<::String>]
|
896
|
+
# Contains the permitted email addresses. The value can be a particular
|
897
|
+
# email address, a hostname to indicate all email addresses on that host or
|
898
|
+
# a domain with a leading period (e.g. `.example.com`) to indicate
|
899
|
+
# all email addresses in that domain.
|
900
|
+
# @!attribute [rw] excluded_email_addresses
|
901
|
+
# @return [::Array<::String>]
|
902
|
+
# Contains the excluded email addresses. The value can be a particular
|
903
|
+
# email address, a hostname to indicate all email addresses on that host or
|
904
|
+
# a domain with a leading period (e.g. `.example.com`) to indicate
|
905
|
+
# all email addresses in that domain.
|
906
|
+
# @!attribute [rw] permitted_uris
|
907
|
+
# @return [::Array<::String>]
|
908
|
+
# Contains the permitted URIs that apply to the host part of the name.
|
909
|
+
# The value can be a hostname or a domain with a
|
910
|
+
# leading period (like `.example.com`)
|
911
|
+
# @!attribute [rw] excluded_uris
|
912
|
+
# @return [::Array<::String>]
|
913
|
+
# Contains the excluded URIs that apply to the host part of the name.
|
914
|
+
# The value can be a hostname or a domain with a
|
915
|
+
# leading period (like `.example.com`)
|
916
|
+
class NameConstraints
|
917
|
+
include ::Google::Protobuf::MessageExts
|
918
|
+
extend ::Google::Protobuf::MessageExts::ClassMethods
|
919
|
+
end
|
698
920
|
end
|
699
921
|
|
700
922
|
# Describes a subordinate CA's issuers. This is either a resource name to a
|
701
|
-
# known issuing
|
923
|
+
# known issuing
|
924
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority},
|
925
|
+
# or a PEM issuer certificate chain.
|
702
926
|
# @!attribute [rw] certificate_authority
|
703
927
|
# @return [::String]
|
704
|
-
# Required. This can refer to a
|
705
|
-
#
|
706
|
-
#
|
928
|
+
# Required. This can refer to a
|
929
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}
|
930
|
+
# that was used to create a subordinate
|
931
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}.
|
932
|
+
# This field is used for information and usability purposes only. The
|
933
|
+
# resource name is in the format
|
707
934
|
# `projects/*/locations/*/caPools/*/certificateAuthorities/*`.
|
708
935
|
# @!attribute [rw] pem_issuer_chain
|
709
936
|
# @return [::Google::Cloud::Security::PrivateCA::V1::SubordinateConfig::SubordinateConfigChain]
|
710
937
|
# Required. Contains the PEM certificate chain for the issuers of this
|
711
|
-
# {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority},
|
938
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority},
|
939
|
+
# but not pem certificate for this CA itself.
|
712
940
|
class SubordinateConfig
|
713
941
|
include ::Google::Protobuf::MessageExts
|
714
942
|
extend ::Google::Protobuf::MessageExts::ClassMethods
|
@@ -724,7 +952,8 @@ module Google
|
|
724
952
|
end
|
725
953
|
end
|
726
954
|
|
727
|
-
# A {::Google::Cloud::Security::PrivateCA::V1::PublicKey PublicKey} describes a
|
955
|
+
# A {::Google::Cloud::Security::PrivateCA::V1::PublicKey PublicKey} describes a
|
956
|
+
# public key.
|
728
957
|
# @!attribute [rw] key
|
729
958
|
# @return [::String]
|
730
959
|
# Required. A public key. The padding and encoding
|
@@ -759,21 +988,27 @@ module Google
|
|
759
988
|
end
|
760
989
|
end
|
761
990
|
|
762
|
-
# A {::Google::Cloud::Security::PrivateCA::V1::CertificateConfig CertificateConfig}
|
763
|
-
#
|
991
|
+
# A {::Google::Cloud::Security::PrivateCA::V1::CertificateConfig CertificateConfig}
|
992
|
+
# describes an X.509 certificate or CSR that is to be created, as an
|
993
|
+
# alternative to using ASN.1.
|
764
994
|
# @!attribute [rw] subject_config
|
765
995
|
# @return [::Google::Cloud::Security::PrivateCA::V1::CertificateConfig::SubjectConfig]
|
766
|
-
# Required. Specifies some of the values in a certificate that are related to
|
767
|
-
# subject.
|
996
|
+
# Required. Specifies some of the values in a certificate that are related to
|
997
|
+
# the subject.
|
768
998
|
# @!attribute [rw] x509_config
|
769
999
|
# @return [::Google::Cloud::Security::PrivateCA::V1::X509Parameters]
|
770
|
-
# Required. Describes how some of the technical X.509 fields in a certificate
|
771
|
-
# populated.
|
1000
|
+
# Required. Describes how some of the technical X.509 fields in a certificate
|
1001
|
+
# should be populated.
|
772
1002
|
# @!attribute [rw] public_key
|
773
1003
|
# @return [::Google::Cloud::Security::PrivateCA::V1::PublicKey]
|
774
|
-
# Optional. The public key that corresponds to this config. This is, for
|
775
|
-
#
|
776
|
-
#
|
1004
|
+
# Optional. The public key that corresponds to this config. This is, for
|
1005
|
+
# example, used when issuing
|
1006
|
+
# {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates}, but not
|
1007
|
+
# when creating a self-signed
|
1008
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}
|
1009
|
+
# or
|
1010
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}
|
1011
|
+
# CSR.
|
777
1012
|
class CertificateConfig
|
778
1013
|
include ::Google::Protobuf::MessageExts
|
779
1014
|
extend ::Google::Protobuf::MessageExts::ClassMethods
|
@@ -782,8 +1017,8 @@ module Google
|
|
782
1017
|
# alternative name fields in an X.509 certificate.
|
783
1018
|
# @!attribute [rw] subject
|
784
1019
|
# @return [::Google::Cloud::Security::PrivateCA::V1::Subject]
|
785
|
-
# Required. Contains distinguished name fields such as the common name,
|
786
|
-
# organization.
|
1020
|
+
# Required. Contains distinguished name fields such as the common name,
|
1021
|
+
# location and organization.
|
787
1022
|
# @!attribute [rw] subject_alt_name
|
788
1023
|
# @return [::Google::Cloud::Security::PrivateCA::V1::SubjectAltNames]
|
789
1024
|
# Optional. The subject alternative name fields.
|
@@ -793,8 +1028,10 @@ module Google
|
|
793
1028
|
end
|
794
1029
|
end
|
795
1030
|
|
796
|
-
# A
|
797
|
-
#
|
1031
|
+
# A
|
1032
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CertificateDescription CertificateDescription}
|
1033
|
+
# describes an X.509 certificate or CSR that has been issued, as an alternative
|
1034
|
+
# to using ASN.1 / X.509.
|
798
1035
|
# @!attribute [rw] subject_description
|
799
1036
|
# @return [::Google::Cloud::Security::PrivateCA::V1::CertificateDescription::SubjectDescription]
|
800
1037
|
# Describes some of the values in a certificate that are related to the
|
@@ -862,8 +1099,8 @@ module Google
|
|
862
1099
|
# key.
|
863
1100
|
# @!attribute [rw] key_id
|
864
1101
|
# @return [::String]
|
865
|
-
# Optional. The value of this KeyId encoded in lowercase hexadecimal. This
|
866
|
-
# likely the 160 bit SHA-1 hash of the public key.
|
1102
|
+
# Optional. The value of this KeyId encoded in lowercase hexadecimal. This
|
1103
|
+
# is most likely the 160 bit SHA-1 hash of the public key.
|
867
1104
|
class KeyId
|
868
1105
|
include ::Google::Protobuf::MessageExts
|
869
1106
|
extend ::Google::Protobuf::MessageExts::ClassMethods
|
@@ -879,27 +1116,29 @@ module Google
|
|
879
1116
|
end
|
880
1117
|
end
|
881
1118
|
|
882
|
-
# An {::Google::Cloud::Security::PrivateCA::V1::ObjectId ObjectId} specifies an
|
883
|
-
# and describe types in ASN.1
|
1119
|
+
# An {::Google::Cloud::Security::PrivateCA::V1::ObjectId ObjectId} specifies an
|
1120
|
+
# object identifier (OID). These provide context and describe types in ASN.1
|
1121
|
+
# messages.
|
884
1122
|
# @!attribute [rw] object_id_path
|
885
1123
|
# @return [::Array<::Integer>]
|
886
|
-
# Required. The parts of an OID path. The most significant parts of the path
|
887
|
-
# first.
|
1124
|
+
# Required. The parts of an OID path. The most significant parts of the path
|
1125
|
+
# come first.
|
888
1126
|
class ObjectId
|
889
1127
|
include ::Google::Protobuf::MessageExts
|
890
1128
|
extend ::Google::Protobuf::MessageExts::ClassMethods
|
891
1129
|
end
|
892
1130
|
|
893
|
-
# An {::Google::Cloud::Security::PrivateCA::V1::X509Extension X509Extension}
|
894
|
-
#
|
1131
|
+
# An {::Google::Cloud::Security::PrivateCA::V1::X509Extension X509Extension}
|
1132
|
+
# specifies an X.509 extension, which may be used in different parts of X.509
|
1133
|
+
# objects like certificates, CSRs, and CRLs.
|
895
1134
|
# @!attribute [rw] object_id
|
896
1135
|
# @return [::Google::Cloud::Security::PrivateCA::V1::ObjectId]
|
897
1136
|
# Required. The OID for this X.509 extension.
|
898
1137
|
# @!attribute [rw] critical
|
899
1138
|
# @return [::Boolean]
|
900
|
-
# Optional. Indicates whether or not this extension is critical (i.e., if the
|
901
|
-
# does not know how to handle this extension, the client should
|
902
|
-
# to be an error).
|
1139
|
+
# Optional. Indicates whether or not this extension is critical (i.e., if the
|
1140
|
+
# client does not know how to handle this extension, the client should
|
1141
|
+
# consider this to be an error).
|
903
1142
|
# @!attribute [rw] value
|
904
1143
|
# @return [::String]
|
905
1144
|
# Required. The value of this X.509 extension.
|
@@ -908,8 +1147,8 @@ module Google
|
|
908
1147
|
extend ::Google::Protobuf::MessageExts::ClassMethods
|
909
1148
|
end
|
910
1149
|
|
911
|
-
# A {::Google::Cloud::Security::PrivateCA::V1::KeyUsage KeyUsage} describes key usage
|
912
|
-
# certificate.
|
1150
|
+
# A {::Google::Cloud::Security::PrivateCA::V1::KeyUsage KeyUsage} describes key usage
|
1151
|
+
# values that may appear in an X.509 certificate.
|
913
1152
|
# @!attribute [rw] base_key_usage
|
914
1153
|
# @return [::Google::Cloud::Security::PrivateCA::V1::KeyUsage::KeyUsageOptions]
|
915
1154
|
# Describes high-level ways in which a key may be used.
|
@@ -919,13 +1158,15 @@ module Google
|
|
919
1158
|
# @!attribute [rw] unknown_extended_key_usages
|
920
1159
|
# @return [::Array<::Google::Cloud::Security::PrivateCA::V1::ObjectId>]
|
921
1160
|
# Used to describe extended key usages that are not listed in the
|
922
|
-
# {::Google::Cloud::Security::PrivateCA::V1::KeyUsage::ExtendedKeyUsageOptions KeyUsage.ExtendedKeyUsageOptions}
|
1161
|
+
# {::Google::Cloud::Security::PrivateCA::V1::KeyUsage::ExtendedKeyUsageOptions KeyUsage.ExtendedKeyUsageOptions}
|
1162
|
+
# message.
|
923
1163
|
class KeyUsage
|
924
1164
|
include ::Google::Protobuf::MessageExts
|
925
1165
|
extend ::Google::Protobuf::MessageExts::ClassMethods
|
926
1166
|
|
927
|
-
# {::Google::Cloud::Security::PrivateCA::V1::KeyUsage::KeyUsageOptions KeyUsage.KeyUsageOptions}
|
928
|
-
# described in
|
1167
|
+
# {::Google::Cloud::Security::PrivateCA::V1::KeyUsage::KeyUsageOptions KeyUsage.KeyUsageOptions}
|
1168
|
+
# corresponds to the key usage values described in
|
1169
|
+
# https://tools.ietf.org/html/rfc5280#section-4.2.1.3.
|
929
1170
|
# @!attribute [rw] digital_signature
|
930
1171
|
# @return [::Boolean]
|
931
1172
|
# The key may be used for digital signatures.
|
@@ -959,8 +1200,9 @@ module Google
|
|
959
1200
|
extend ::Google::Protobuf::MessageExts::ClassMethods
|
960
1201
|
end
|
961
1202
|
|
962
|
-
# {::Google::Cloud::Security::PrivateCA::V1::KeyUsage::ExtendedKeyUsageOptions KeyUsage.ExtendedKeyUsageOptions}
|
963
|
-
# certain common OIDs that could be specified
|
1203
|
+
# {::Google::Cloud::Security::PrivateCA::V1::KeyUsage::ExtendedKeyUsageOptions KeyUsage.ExtendedKeyUsageOptions}
|
1204
|
+
# has fields that correspond to certain common OIDs that could be specified
|
1205
|
+
# as an extended key usage value.
|
964
1206
|
# @!attribute [rw] server_auth
|
965
1207
|
# @return [::Boolean]
|
966
1208
|
# Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as "TLS WWW
|
@@ -991,8 +1233,8 @@ module Google
|
|
991
1233
|
end
|
992
1234
|
end
|
993
1235
|
|
994
|
-
# {::Google::Cloud::Security::PrivateCA::V1::Subject Subject} describes parts of a
|
995
|
-
# describes the subject of the certificate.
|
1236
|
+
# {::Google::Cloud::Security::PrivateCA::V1::Subject Subject} describes parts of a
|
1237
|
+
# distinguished name that, in turn, describes the subject of the certificate.
|
996
1238
|
# @!attribute [rw] common_name
|
997
1239
|
# @return [::String]
|
998
1240
|
# The "common name" of the subject.
|
@@ -1022,9 +1264,10 @@ module Google
|
|
1022
1264
|
extend ::Google::Protobuf::MessageExts::ClassMethods
|
1023
1265
|
end
|
1024
1266
|
|
1025
|
-
# {::Google::Cloud::Security::PrivateCA::V1::SubjectAltNames SubjectAltNames}
|
1026
|
-
#
|
1027
|
-
# name" in the distinguished
|
1267
|
+
# {::Google::Cloud::Security::PrivateCA::V1::SubjectAltNames SubjectAltNames}
|
1268
|
+
# corresponds to a more modern way of listing what the asserted identity is in
|
1269
|
+
# a certificate (i.e., compared to the "common name" in the distinguished
|
1270
|
+
# name).
|
1028
1271
|
# @!attribute [rw] dns_names
|
1029
1272
|
# @return [::Array<::String>]
|
1030
1273
|
# Contains only valid, fully-qualified host names.
|
@@ -1047,24 +1290,31 @@ module Google
|
|
1047
1290
|
extend ::Google::Protobuf::MessageExts::ClassMethods
|
1048
1291
|
end
|
1049
1292
|
|
1050
|
-
# Describes constraints on a
|
1293
|
+
# Describes constraints on a
|
1294
|
+
# {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate}'s
|
1295
|
+
# {::Google::Cloud::Security::PrivateCA::V1::Subject Subject} and
|
1051
1296
|
# {::Google::Cloud::Security::PrivateCA::V1::SubjectAltNames SubjectAltNames}.
|
1052
1297
|
# @!attribute [rw] cel_expression
|
1053
1298
|
# @return [::Google::Type::Expr]
|
1054
|
-
# Optional. A CEL expression that may be used to validate the resolved X.509
|
1055
|
-
# and/or Subject Alternative Name before a certificate is signed.
|
1056
|
-
#
|
1299
|
+
# Optional. A CEL expression that may be used to validate the resolved X.509
|
1300
|
+
# Subject and/or Subject Alternative Name before a certificate is signed. To
|
1301
|
+
# see the full allowed syntax and some examples, see
|
1057
1302
|
# https://cloud.google.com/certificate-authority-service/docs/using-cel
|
1058
1303
|
# @!attribute [rw] allow_subject_passthrough
|
1059
1304
|
# @return [::Boolean]
|
1060
|
-
# Required. If this is true, the
|
1061
|
-
#
|
1062
|
-
#
|
1305
|
+
# Required. If this is true, the
|
1306
|
+
# {::Google::Cloud::Security::PrivateCA::V1::Subject Subject} field may be copied
|
1307
|
+
# from a certificate request into the signed certificate. Otherwise, the
|
1308
|
+
# requested {::Google::Cloud::Security::PrivateCA::V1::Subject Subject} will be
|
1309
|
+
# discarded.
|
1063
1310
|
# @!attribute [rw] allow_subject_alt_names_passthrough
|
1064
1311
|
# @return [::Boolean]
|
1065
|
-
# Required. If this is true, the
|
1066
|
-
#
|
1067
|
-
#
|
1312
|
+
# Required. If this is true, the
|
1313
|
+
# {::Google::Cloud::Security::PrivateCA::V1::SubjectAltNames SubjectAltNames}
|
1314
|
+
# extension may be copied from a certificate request into the signed
|
1315
|
+
# certificate. Otherwise, the requested
|
1316
|
+
# {::Google::Cloud::Security::PrivateCA::V1::SubjectAltNames SubjectAltNames} will
|
1317
|
+
# be discarded.
|
1068
1318
|
class CertificateIdentityConstraints
|
1069
1319
|
include ::Google::Protobuf::MessageExts
|
1070
1320
|
extend ::Google::Protobuf::MessageExts::ClassMethods
|
@@ -1075,111 +1325,147 @@ module Google
|
|
1075
1325
|
# @!attribute [rw] known_extensions
|
1076
1326
|
# @return [::Array<::Google::Cloud::Security::PrivateCA::V1::CertificateExtensionConstraints::KnownCertificateExtension>]
|
1077
1327
|
# Optional. A set of named X.509 extensions. Will be combined with
|
1078
|
-
# {::Google::Cloud::Security::PrivateCA::V1::CertificateExtensionConstraints#additional_extensions additional_extensions}
|
1328
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CertificateExtensionConstraints#additional_extensions additional_extensions}
|
1329
|
+
# to determine the full set of X.509 extensions.
|
1079
1330
|
# @!attribute [rw] additional_extensions
|
1080
1331
|
# @return [::Array<::Google::Cloud::Security::PrivateCA::V1::ObjectId>]
|
1081
|
-
# Optional. A set of {::Google::Cloud::Security::PrivateCA::V1::ObjectId ObjectIds}
|
1082
|
-
# Will be combined with
|
1083
|
-
#
|
1332
|
+
# Optional. A set of {::Google::Cloud::Security::PrivateCA::V1::ObjectId ObjectIds}
|
1333
|
+
# identifying custom X.509 extensions. Will be combined with
|
1334
|
+
# {::Google::Cloud::Security::PrivateCA::V1::CertificateExtensionConstraints#known_extensions known_extensions}
|
1335
|
+
# to determine the full set of X.509 extensions.
|
1084
1336
|
class CertificateExtensionConstraints
|
1085
1337
|
include ::Google::Protobuf::MessageExts
|
1086
1338
|
extend ::Google::Protobuf::MessageExts::ClassMethods
|
1087
1339
|
|
1088
|
-
# Describes well-known X.509 extensions that can appear in a
|
1089
|
-
#
|
1340
|
+
# Describes well-known X.509 extensions that can appear in a
|
1341
|
+
# {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate}, not
|
1342
|
+
# including the
|
1343
|
+
# {::Google::Cloud::Security::PrivateCA::V1::SubjectAltNames SubjectAltNames}
|
1344
|
+
# extension.
|
1090
1345
|
module KnownCertificateExtension
|
1091
1346
|
# Not specified.
|
1092
1347
|
KNOWN_CERTIFICATE_EXTENSION_UNSPECIFIED = 0
|
1093
1348
|
|
1094
1349
|
# Refers to a certificate's Key Usage extension, as described in [RFC 5280
|
1095
1350
|
# section 4.2.1.3](https://tools.ietf.org/html/rfc5280#section-4.2.1.3).
|
1096
|
-
# This corresponds to the
|
1351
|
+
# This corresponds to the
|
1352
|
+
# {::Google::Cloud::Security::PrivateCA::V1::KeyUsage#base_key_usage KeyUsage.base_key_usage}
|
1353
|
+
# field.
|
1097
1354
|
BASE_KEY_USAGE = 1
|
1098
1355
|
|
1099
1356
|
# Refers to a certificate's Extended Key Usage extension, as described in
|
1100
1357
|
# [RFC 5280
|
1101
1358
|
# section 4.2.1.12](https://tools.ietf.org/html/rfc5280#section-4.2.1.12).
|
1102
|
-
# This corresponds to the
|
1359
|
+
# This corresponds to the
|
1360
|
+
# {::Google::Cloud::Security::PrivateCA::V1::KeyUsage#extended_key_usage KeyUsage.extended_key_usage}
|
1361
|
+
# message.
|
1103
1362
|
EXTENDED_KEY_USAGE = 2
|
1104
1363
|
|
1105
1364
|
# Refers to a certificate's Basic Constraints extension, as described in
|
1106
1365
|
# [RFC 5280
|
1107
1366
|
# section 4.2.1.9](https://tools.ietf.org/html/rfc5280#section-4.2.1.9).
|
1108
|
-
# This corresponds to the
|
1367
|
+
# This corresponds to the
|
1368
|
+
# {::Google::Cloud::Security::PrivateCA::V1::X509Parameters#ca_options X509Parameters.ca_options}
|
1369
|
+
# field.
|
1109
1370
|
CA_OPTIONS = 3
|
1110
1371
|
|
1111
1372
|
# Refers to a certificate's Policy object identifiers, as described in
|
1112
1373
|
# [RFC 5280
|
1113
1374
|
# section 4.2.1.4](https://tools.ietf.org/html/rfc5280#section-4.2.1.4).
|
1114
|
-
# This corresponds to the
|
1375
|
+
# This corresponds to the
|
1376
|
+
# {::Google::Cloud::Security::PrivateCA::V1::X509Parameters#policy_ids X509Parameters.policy_ids}
|
1377
|
+
# field.
|
1115
1378
|
POLICY_IDS = 4
|
1116
1379
|
|
1117
1380
|
# Refers to OCSP servers in a certificate's Authority Information Access
|
1118
1381
|
# extension, as described in
|
1119
1382
|
# [RFC 5280
|
1120
1383
|
# section 4.2.2.1](https://tools.ietf.org/html/rfc5280#section-4.2.2.1),
|
1121
|
-
# This corresponds to the
|
1384
|
+
# This corresponds to the
|
1385
|
+
# {::Google::Cloud::Security::PrivateCA::V1::X509Parameters#aia_ocsp_servers X509Parameters.aia_ocsp_servers}
|
1386
|
+
# field.
|
1122
1387
|
AIA_OCSP_SERVERS = 5
|
1388
|
+
|
1389
|
+
# Refers to Name Constraints extension as described in
|
1390
|
+
# [RFC 5280
|
1391
|
+
# section 4.2.1.10](https://tools.ietf.org/html/rfc5280#section-4.2.1.10)
|
1392
|
+
NAME_CONSTRAINTS = 6
|
1123
1393
|
end
|
1124
1394
|
end
|
1125
1395
|
|
1126
|
-
# A {::Google::Cloud::Security::PrivateCA::V1::RevocationReason RevocationReason}
|
1127
|
-
#
|
1128
|
-
#
|
1129
|
-
#
|
1130
|
-
#
|
1396
|
+
# A {::Google::Cloud::Security::PrivateCA::V1::RevocationReason RevocationReason}
|
1397
|
+
# indicates whether a
|
1398
|
+
# {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} has been
|
1399
|
+
# revoked, and the reason for revocation. These correspond to standard
|
1400
|
+
# revocation reasons from RFC 5280. Note that the enum labels and values in
|
1401
|
+
# this definition are not the same ASN.1 values defined in RFC 5280. These
|
1402
|
+
# values will be translated to the correct ASN.1 values when a CRL is created.
|
1131
1403
|
module RevocationReason
|
1132
|
-
# Default unspecified value. This value does indicate that a
|
1133
|
-
#
|
1404
|
+
# Default unspecified value. This value does indicate that a
|
1405
|
+
# {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} has been
|
1406
|
+
# revoked, but that a reason has not been recorded.
|
1134
1407
|
REVOCATION_REASON_UNSPECIFIED = 0
|
1135
1408
|
|
1136
|
-
# Key material for this
|
1409
|
+
# Key material for this
|
1410
|
+
# {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} may have
|
1411
|
+
# leaked.
|
1137
1412
|
KEY_COMPROMISE = 1
|
1138
1413
|
|
1139
1414
|
# The key material for a certificate authority in the issuing path may have
|
1140
1415
|
# leaked.
|
1141
1416
|
CERTIFICATE_AUTHORITY_COMPROMISE = 2
|
1142
1417
|
|
1143
|
-
# The subject or other attributes in this
|
1418
|
+
# The subject or other attributes in this
|
1419
|
+
# {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} have changed.
|
1144
1420
|
AFFILIATION_CHANGED = 3
|
1145
1421
|
|
1146
|
-
# This {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} has been
|
1422
|
+
# This {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} has been
|
1423
|
+
# superseded.
|
1147
1424
|
SUPERSEDED = 4
|
1148
1425
|
|
1149
|
-
# This {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} or
|
1150
|
-
# operate.
|
1426
|
+
# This {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} or
|
1427
|
+
# entities in the issuing path have ceased to operate.
|
1151
1428
|
CESSATION_OF_OPERATION = 5
|
1152
1429
|
|
1153
|
-
# This {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} should
|
1154
|
-
# may become valid in the
|
1430
|
+
# This {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} should
|
1431
|
+
# not be considered valid, it is expected that it may become valid in the
|
1432
|
+
# future.
|
1155
1433
|
CERTIFICATE_HOLD = 6
|
1156
1434
|
|
1157
|
-
# This {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} no
|
1158
|
-
# attributes.
|
1435
|
+
# This {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} no
|
1436
|
+
# longer has permission to assert the listed attributes.
|
1159
1437
|
PRIVILEGE_WITHDRAWN = 7
|
1160
1438
|
|
1161
|
-
# The authority which determines appropriate attributes for a
|
1162
|
-
# may have been
|
1439
|
+
# The authority which determines appropriate attributes for a
|
1440
|
+
# {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} may have been
|
1441
|
+
# compromised.
|
1163
1442
|
ATTRIBUTE_AUTHORITY_COMPROMISE = 8
|
1164
1443
|
end
|
1165
1444
|
|
1166
|
-
# Describes the way in which a
|
1167
|
-
# {::Google::Cloud::Security::PrivateCA::V1::
|
1445
|
+
# Describes the way in which a
|
1446
|
+
# {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate}'s
|
1447
|
+
# {::Google::Cloud::Security::PrivateCA::V1::Subject Subject} and/or
|
1448
|
+
# {::Google::Cloud::Security::PrivateCA::V1::SubjectAltNames SubjectAltNames} will be
|
1449
|
+
# resolved.
|
1168
1450
|
module SubjectRequestMode
|
1169
1451
|
# Not specified.
|
1170
1452
|
SUBJECT_REQUEST_MODE_UNSPECIFIED = 0
|
1171
1453
|
|
1172
1454
|
# The default mode used in most cases. Indicates that the certificate's
|
1173
|
-
# {::Google::Cloud::Security::PrivateCA::V1::Subject Subject} and/or
|
1174
|
-
#
|
1175
|
-
#
|
1455
|
+
# {::Google::Cloud::Security::PrivateCA::V1::Subject Subject} and/or
|
1456
|
+
# {::Google::Cloud::Security::PrivateCA::V1::SubjectAltNames SubjectAltNames} are
|
1457
|
+
# specified in the certificate request. This mode requires the caller to have
|
1458
|
+
# the `privateca.certificates.create` permission.
|
1176
1459
|
DEFAULT = 1
|
1177
1460
|
|
1178
1461
|
# A mode reserved for special cases. Indicates that the certificate should
|
1179
|
-
# have one or more SPIFFE
|
1180
|
-
#
|
1181
|
-
#
|
1182
|
-
#
|
1462
|
+
# have one or more SPIFFE
|
1463
|
+
# {::Google::Cloud::Security::PrivateCA::V1::SubjectAltNames SubjectAltNames} set
|
1464
|
+
# by the service based on the caller's identity. This mode will ignore any
|
1465
|
+
# explicitly specified {::Google::Cloud::Security::PrivateCA::V1::Subject Subject}
|
1466
|
+
# and/or
|
1467
|
+
# {::Google::Cloud::Security::PrivateCA::V1::SubjectAltNames SubjectAltNames} in
|
1468
|
+
# the certificate request. This mode requires the caller to have the
|
1183
1469
|
# `privateca.certificates.createForSelf` permission.
|
1184
1470
|
REFLECTED_SPIFFE = 2
|
1185
1471
|
end
|