google-cloud-security-private_ca-v1 0.4.0 → 0.5.0

data/proto_docs/google/cloud/security/privateca/v1/resources.rb

@@ -22,77 +22,113 @@ module Google
     module Security
       module PrivateCA
         module V1
-          # A {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority} represents an individual Certificate Authority.
-          # A {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority} can be used to create {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates}.
+          # A
+          # {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}
+          # represents an individual Certificate Authority. A
+          # {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}
+          # can be used to create
+          # {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates}.
           # @!attribute [r] name
           #   @return [::String]
-          #     Output only. The resource name for this {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority} in the
-          #     format `projects/*/locations/*/caPools/*/certificateAuthorities/*`.
+          #     Output only. The resource name for this
+          #     {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}
+          #     in the format `projects/*/locations/*/caPools/*/certificateAuthorities/*`.
           # @!attribute [rw] type
           #   @return [::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority::Type]
-          #     Required. Immutable. The {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority::Type Type} of this {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}.
+          #     Required. Immutable. The
+          #     {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority::Type Type} of
+          #     this
+          #     {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}.
           # @!attribute [rw] config
           #   @return [::Google::Cloud::Security::PrivateCA::V1::CertificateConfig]
-          #     Required. Immutable. The config used to create a self-signed X.509 certificate or CSR.
+          #     Required. Immutable. The config used to create a self-signed X.509
+          #     certificate or CSR.
           # @!attribute [rw] lifetime
           #   @return [::Google::Protobuf::Duration]
-          #     Required. Immutable. The desired lifetime of the CA certificate. Used to create the
-          #     "not_before_time" and "not_after_time" fields inside an X.509
+          #     Required. Immutable. The desired lifetime of the CA certificate. Used to
+          #     create the "not_before_time" and "not_after_time" fields inside an X.509
           #     certificate.
           # @!attribute [rw] key_spec
           #   @return [::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority::KeyVersionSpec]
-          #     Required. Immutable. Used when issuing certificates for this {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}. If this
-          #     {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority} is a self-signed CertificateAuthority, this key
-          #     is also used to sign the self-signed CA certificate. Otherwise, it
-          #     is used to sign a CSR.
+          #     Required. Immutable. Used when issuing certificates for this
+          #     {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}.
+          #     If this
+          #     {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}
+          #     is a self-signed CertificateAuthority, this key is also used to sign the
+          #     self-signed CA certificate. Otherwise, it is used to sign a CSR.
           # @!attribute [rw] subordinate_config
           #   @return [::Google::Cloud::Security::PrivateCA::V1::SubordinateConfig]
-          #     Optional. If this is a subordinate {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}, this field will be set
-          #     with the subordinate configuration, which describes its issuers. This may
-          #     be updated, but this {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority} must continue to validate.
+          #     Optional. If this is a subordinate
+          #     {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority},
+          #     this field will be set with the subordinate configuration, which describes
+          #     its issuers. This may be updated, but this
+          #     {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}
+          #     must continue to validate.
           # @!attribute [r] tier
           #   @return [::Google::Cloud::Security::PrivateCA::V1::CaPool::Tier]
-          #     Output only. The {::Google::Cloud::Security::PrivateCA::V1::CaPool::Tier CaPool.Tier} of the {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool} that includes this
+          #     Output only. The
+          #     {::Google::Cloud::Security::PrivateCA::V1::CaPool::Tier CaPool.Tier} of the
+          #     {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool} that includes this
           #     {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}.
           # @!attribute [r] state
           #   @return [::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority::State]
-          #     Output only. The {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority::State State} for this {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}.
+          #     Output only. The
+          #     {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority::State State} for
+          #     this
+          #     {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}.
           # @!attribute [r] pem_ca_certificates
           #   @return [::Array<::String>]
-          #     Output only. This {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}'s certificate chain, including the current
-          #     {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}'s certificate. Ordered such that the root issuer
-          #     is the final element (consistent with RFC 5246). For a self-signed CA, this
-          #     will only list the current {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}'s certificate.
+          #     Output only. This
+          #     {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}'s
+          #     certificate chain, including the current
+          #     {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}'s
+          #     certificate. Ordered such that the root issuer is the final element
+          #     (consistent with RFC 5246). For a self-signed CA, this will only list the
+          #     current
+          #     {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}'s
+          #     certificate.
           # @!attribute [r] ca_certificate_descriptions
           #   @return [::Array<::Google::Cloud::Security::PrivateCA::V1::CertificateDescription>]
-          #     Output only. A structured description of this {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}'s CA certificate
-          #     and its issuers. Ordered as self-to-root.
+          #     Output only. A structured description of this
+          #     {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}'s
+          #     CA certificate and its issuers. Ordered as self-to-root.
           # @!attribute [rw] gcs_bucket
           #   @return [::String]
-          #     Immutable. The name of a Cloud Storage bucket where this {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority} will
-          #     publish content, such as the CA certificate and CRLs. This must be a bucket
-          #     name, without any prefixes (such as `gs://`) or suffixes (such as
+          #     Immutable. The name of a Cloud Storage bucket where this
+          #     {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}
+          #     will publish content, such as the CA certificate and CRLs. This must be a
+          #     bucket name, without any prefixes (such as `gs://`) or suffixes (such as
           #     `.googleapis.com`). For example, to use a bucket named `my-bucket`, you
           #     would simply specify `my-bucket`. If not specified, a managed bucket will
           #     be created.
           # @!attribute [r] access_urls
           #   @return [::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority::AccessUrls]
-          #     Output only. URLs for accessing content published by this CA, such as the CA certificate
-          #     and CRLs.
+          #     Output only. URLs for accessing content published by this CA, such as the
+          #     CA certificate and CRLs.
           # @!attribute [r] create_time
           #   @return [::Google::Protobuf::Timestamp]
-          #     Output only. The time at which this {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority} was created.
+          #     Output only. The time at which this
+          #     {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}
+          #     was created.
           # @!attribute [r] update_time
           #   @return [::Google::Protobuf::Timestamp]
-          #     Output only. The time at which this {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority} was last updated.
+          #     Output only. The time at which this
+          #     {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}
+          #     was last updated.
           # @!attribute [r] delete_time
           #   @return [::Google::Protobuf::Timestamp]
-          #     Output only. The time at which this {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority} was soft deleted, if
-          #     it is in the {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority::State::DELETED DELETED} state.
+          #     Output only. The time at which this
+          #     {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}
+          #     was soft deleted, if it is in the
+          #     {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority::State::DELETED DELETED}
+          #     state.
           # @!attribute [r] expire_time
           #   @return [::Google::Protobuf::Timestamp]
-          #     Output only. The time at which this {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority} will be permanently purged,
-          #     if it is in the {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority::State::DELETED DELETED} state.
+          #     Output only. The time at which this
+          #     {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}
+          #     will be permanently purged, if it is in the
+          #     {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority::State::DELETED DELETED}
+          #     state.
           # @!attribute [rw] labels
           #   @return [::Google::Protobuf::Map{::String => ::String}]
           #     Optional. Labels with user-defined metadata.
@@ -100,21 +136,29 @@ module Google
             include ::Google::Protobuf::MessageExts
             extend ::Google::Protobuf::MessageExts::ClassMethods
 
-            # URLs where a {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority} will publish content.
+            # URLs where a
+            # {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}
+            # will publish content.
             # @!attribute [rw] ca_certificate_access_url
             #   @return [::String]
-            #     The URL where this {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}'s CA certificate is
-            #     published. This will only be set for CAs that have been activated.
+            #     The URL where this
+            #     {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}'s
+            #     CA certificate is published. This will only be set for CAs that have been
+            #     activated.
             # @!attribute [rw] crl_access_urls
             #   @return [::Array<::String>]
-            #     The URLs where this {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}'s CRLs are published. This
-            #     will only be set for CAs that have been activated.
+            #     The URLs where this
+            #     {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}'s
+            #     CRLs are published. This will only be set for CAs that have been
+            #     activated.
             class AccessUrls
               include ::Google::Protobuf::MessageExts
               extend ::Google::Protobuf::MessageExts::ClassMethods
             end
 
-            # A Cloud KMS key configuration that a {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority} will use.
+            # A Cloud KMS key configuration that a
+            # {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}
+            # will use.
             # @!attribute [rw] cloud_kms_key_version
             #   @return [::String]
             #     The resource name for an existing Cloud KMS CryptoKeyVersion in the
@@ -141,7 +185,9 @@ module Google
               extend ::Google::Protobuf::MessageExts::ClassMethods
             end
 
-            # The type of a {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}, indicating its issuing chain.
+            # The type of a
+            # {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority},
+            # indicating its issuing chain.
             module Type
               # Not specified.
               TYPE_UNSPECIFIED = 0
@@ -149,42 +195,56 @@ module Google
               # Self-signed CA.
               SELF_SIGNED = 1
 
-              # Subordinate CA. Could be issued by a Private CA {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}
+              # Subordinate CA. Could be issued by a Private CA
+              # {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}
               # or an unmanaged CA.
               SUBORDINATE = 2
             end
 
-            # The state of a {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}, indicating if it can be used.
+            # The state of a
+            # {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority},
+            # indicating if it can be used.
             module State
               # Not specified.
               STATE_UNSPECIFIED = 0
 
               # Certificates can be issued from this CA. CRLs will be generated for this
-              # CA. The CA will be part of the {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}'s trust anchor, and will be
-              # used to issue certificates from the {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
+              # CA. The CA will be part of the
+              # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}'s trust anchor, and
+              # will be used to issue certificates from the
+              # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
               ENABLED = 1
 
               # Certificates cannot be issued from this CA. CRLs will still be generated.
-              # The CA will be part of the {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}'s trust anchor, but will not be
-              # used to issue certificates from the {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
+              # The CA will be part of the
+              # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}'s trust anchor, but
+              # will not be used to issue certificates from the
+              # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
               DISABLED = 2
 
               # Certificates can be issued from this CA. CRLs will be generated for this
-              # CA. The CA will be part of the {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}'s trust anchor, but will not
-              # be used to issue certificates from the {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
+              # CA. The CA will be part of the
+              # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}'s trust anchor, but
+              # will not be used to issue certificates from the
+              # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
               STAGED = 3
 
               # Certificates cannot be issued from this CA. CRLs will not be generated.
-              # The CA will not be part of the {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}'s trust anchor, and will not be
-              # used to issue certificates from the {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
+              # The CA will not be part of the
+              # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}'s trust anchor, and
+              # will not be used to issue certificates from the
+              # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
               AWAITING_USER_ACTIVATION = 4
 
               # Certificates cannot be issued from this CA. CRLs will not be generated.
               # The CA may still be recovered by calling
-              # {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthorityService::Client#undelete_certificate_authority CertificateAuthorityService.UndeleteCertificateAuthority} before
+              # {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthorityService::Client#undelete_certificate_authority CertificateAuthorityService.UndeleteCertificateAuthority}
+              # before
               # {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority#expire_time expire_time}.
-              # The CA will not be part of the {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}'s trust anchor, and will not be
-              # used to issue certificates from the {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
+              # The CA will not be part of the
+              # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}'s trust anchor, and
+              # will not be used to issue certificates from the
+              # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
               DELETED = 5
             end
 
@@ -228,26 +288,37 @@ module Google
           end
 
           # A {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool} represents a group of
-          # {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthorities} that form a trust anchor. A
-          # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool} can be used to manage issuance policies for one or more
-          # {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority} resources and to rotate CA certificates in and out
-          # of the trust anchor.
+          # {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthorities}
+          # that form a trust anchor. A
+          # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool} can be used to manage
+          # issuance policies for one or more
+          # {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}
+          # resources and to rotate CA certificates in and out of the trust anchor.
           # @!attribute [r] name
           #   @return [::String]
-          #     Output only. The resource name for this {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool} in the
-          #     format `projects/*/locations/*/caPools/*`.
+          #     Output only. The resource name for this
+          #     {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool} in the format
+          #     `projects/*/locations/*/caPools/*`.
           # @!attribute [rw] tier
           #   @return [::Google::Cloud::Security::PrivateCA::V1::CaPool::Tier]
-          #     Required. Immutable. The {::Google::Cloud::Security::PrivateCA::V1::CaPool::Tier Tier} of this {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
+          #     Required. Immutable. The
+          #     {::Google::Cloud::Security::PrivateCA::V1::CaPool::Tier Tier} of this
+          #     {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
           # @!attribute [rw] issuance_policy
           #   @return [::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy]
-          #     Optional. The {::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy IssuancePolicy} to control how {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates}
-          #     will be issued from this {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
+          #     Optional. The
+          #     {::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy IssuancePolicy}
+          #     to control how
+          #     {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates} will be
+          #     issued from this {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
           # @!attribute [rw] publishing_options
           #   @return [::Google::Cloud::Security::PrivateCA::V1::CaPool::PublishingOptions]
-          #     Optional. The {::Google::Cloud::Security::PrivateCA::V1::CaPool::PublishingOptions PublishingOptions} to follow when issuing
-          #     {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates} from any {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority} in this
-          #     {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
+          #     Optional. The
+          #     {::Google::Cloud::Security::PrivateCA::V1::CaPool::PublishingOptions PublishingOptions}
+          #     to follow when issuing
+          #     {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates} from any
+          #     {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}
+          #     in this {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
           # @!attribute [rw] labels
           #   @return [::Google::Protobuf::Map{::String => ::String}]
           #     Optional. Labels with user-defined metadata.
@@ -255,83 +326,108 @@ module Google
             include ::Google::Protobuf::MessageExts
             extend ::Google::Protobuf::MessageExts::ClassMethods
 
-            # Options relating to the publication of each {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}'s CA
-            # certificate and CRLs and their inclusion as extensions in issued
-            # {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates}. The options set here apply to certificates
-            # issued by any {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority} in the {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
+            # Options relating to the publication of each
+            # {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}'s
+            # CA certificate and CRLs and their inclusion as extensions in issued
+            # {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates}. The options
+            # set here apply to certificates issued by any
+            # {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}
+            # in the {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
             # @!attribute [rw] publish_ca_cert
             #   @return [::Boolean]
-            #     Optional. When true, publishes each {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}'s CA certificate and
-            #     includes its URL in the "Authority Information Access" X.509 extension
-            #     in all issued {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates}. If this is false, the CA
-            #     certificate will not be published and the corresponding X.509 extension
-            #     will not be written in issued certificates.
+            #     Optional. When true, publishes each
+            #     {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}'s
+            #     CA certificate and includes its URL in the "Authority Information Access"
+            #     X.509 extension in all issued
+            #     {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates}. If this
+            #     is false, the CA certificate will not be published and the corresponding
+            #     X.509 extension will not be written in issued certificates.
             # @!attribute [rw] publish_crl
             #   @return [::Boolean]
-            #     Optional. When true, publishes each {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}'s CRL and includes its
-            #     URL in the "CRL Distribution Points" X.509 extension in all issued
-            #     {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates}. If this is false, CRLs will not be published
-            #     and the corresponding X.509 extension will not be written in issued
-            #     certificates.
-            #     CRLs will expire 7 days from their creation. However, we will rebuild
-            #     daily. CRLs are also rebuilt shortly after a certificate is revoked.
+            #     Optional. When true, publishes each
+            #     {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}'s
+            #     CRL and includes its URL in the "CRL Distribution Points" X.509 extension
+            #     in all issued
+            #     {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates}. If this
+            #     is false, CRLs will not be published and the corresponding X.509
+            #     extension will not be written in issued certificates. CRLs will expire 7
+            #     days from their creation. However, we will rebuild daily. CRLs are also
+            #     rebuilt shortly after a certificate is revoked.
             class PublishingOptions
               include ::Google::Protobuf::MessageExts
               extend ::Google::Protobuf::MessageExts::ClassMethods
             end
 
-            # Defines controls over all certificate issuance within a {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
+            # Defines controls over all certificate issuance within a
+            # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
             # @!attribute [rw] allowed_key_types
             #   @return [::Array<::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::AllowedKeyType>]
-            #     Optional. If any {::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::AllowedKeyType AllowedKeyType} is specified, then the certificate request's
-            #     public key must match one of the key types listed here. Otherwise,
-            #     any key may be used.
+            #     Optional. If any
+            #     {::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::AllowedKeyType AllowedKeyType}
+            #     is specified, then the certificate request's public key must match one of
+            #     the key types listed here. Otherwise, any key may be used.
             # @!attribute [rw] maximum_lifetime
             #   @return [::Google::Protobuf::Duration]
-            #     Optional. The maximum lifetime allowed for issued {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates}. Note
-            #     that if the issuing {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority} expires before a
-            #     {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate}'s requested maximum_lifetime, the effective lifetime will
-            #     be explicitly truncated to match it.
+            #     Optional. The maximum lifetime allowed for issued
+            #     {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates}. Note that
+            #     if the issuing
+            #     {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}
+            #     expires before a
+            #     {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate}'s requested
+            #     maximum_lifetime, the effective lifetime will be explicitly truncated to
+            #     match it.
             # @!attribute [rw] allowed_issuance_modes
             #   @return [::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::IssuanceModes]
-            #     Optional. If specified, then only methods allowed in the {::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::IssuanceModes IssuanceModes} may be
-            #     used to issue {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates}.
+            #     Optional. If specified, then only methods allowed in the
+            #     {::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::IssuanceModes IssuanceModes}
+            #     may be used to issue
+            #     {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates}.
             # @!attribute [rw] baseline_values
             #   @return [::Google::Cloud::Security::PrivateCA::V1::X509Parameters]
-            #     Optional. A set of X.509 values that will be applied to all certificates issued
-            #     through this {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}. If a certificate request includes conflicting
-            #     values for the same properties, they will be overwritten by the values
-            #     defined here. If a certificate request uses a {::Google::Cloud::Security::PrivateCA::V1::CertificateTemplate CertificateTemplate}
+            #     Optional. A set of X.509 values that will be applied to all certificates
+            #     issued through this {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
+            #     If a certificate request includes conflicting values for the same
+            #     properties, they will be overwritten by the values defined here. If a
+            #     certificate request uses a
+            #     {::Google::Cloud::Security::PrivateCA::V1::CertificateTemplate CertificateTemplate}
             #     that defines conflicting
-            #     {::Google::Cloud::Security::PrivateCA::V1::CertificateTemplate#predefined_values predefined_values} for the same
-            #     properties, the certificate issuance request will fail.
+            #     {::Google::Cloud::Security::PrivateCA::V1::CertificateTemplate#predefined_values predefined_values}
+            #     for the same properties, the certificate issuance request will fail.
             # @!attribute [rw] identity_constraints
             #   @return [::Google::Cloud::Security::PrivateCA::V1::CertificateIdentityConstraints]
             #     Optional. Describes constraints on identities that may appear in
-            #     {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates} issued through this {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
-            #     If this is omitted, then this {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool} will not add restrictions on a
-            #     certificate's identity.
+            #     {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates} issued
+            #     through this {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}. If this
+            #     is omitted, then this {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}
+            #     will not add restrictions on a certificate's identity.
             # @!attribute [rw] passthrough_extensions
             #   @return [::Google::Cloud::Security::PrivateCA::V1::CertificateExtensionConstraints]
             #     Optional. Describes the set of X.509 extensions that may appear in a
-            #     {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} issued through this {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}. If a certificate request
-            #     sets extensions that don't appear in the {::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy#passthrough_extensions passthrough_extensions},
+            #     {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} issued
+            #     through this {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}. If a
+            #     certificate request sets extensions that don't appear in the
+            #     {::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy#passthrough_extensions passthrough_extensions},
             #     those extensions will be dropped. If a certificate request uses a
-            #     {::Google::Cloud::Security::PrivateCA::V1::CertificateTemplate CertificateTemplate} with
-            #     {::Google::Cloud::Security::PrivateCA::V1::CertificateTemplate#predefined_values predefined_values} that don't
-            #     appear here, the certificate issuance request will fail. If this is
-            #     omitted, then this {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool} will not add restrictions on a
-            #     certificate's X.509 extensions. These constraints do not apply to X.509
-            #     extensions set in this {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}'s {::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy#baseline_values baseline_values}.
+            #     {::Google::Cloud::Security::PrivateCA::V1::CertificateTemplate CertificateTemplate}
+            #     with
+            #     {::Google::Cloud::Security::PrivateCA::V1::CertificateTemplate#predefined_values predefined_values}
+            #     that don't appear here, the certificate issuance request will fail. If
+            #     this is omitted, then this
+            #     {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool} will not add
+            #     restrictions on a certificate's X.509 extensions. These constraints do
+            #     not apply to X.509 extensions set in this
+            #     {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}'s
+            #     {::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy#baseline_values baseline_values}.
             class IssuancePolicy
               include ::Google::Protobuf::MessageExts
               extend ::Google::Protobuf::MessageExts::ClassMethods
 
-              # Describes a "type" of key that may be used in a {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} issued
-              # from a {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
-              # Note that a single {::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::AllowedKeyType AllowedKeyType} may refer to either a
-              # fully-qualified key algorithm, such as RSA 4096, or a family of key
-              # algorithms, such as any RSA key.
+              # Describes a "type" of key that may be used in a
+              # {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} issued from
+              # a {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}. Note that a single
+              # {::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::AllowedKeyType AllowedKeyType}
+              # may refer to either a fully-qualified key algorithm, such as RSA 4096, or
+              # a family of key algorithms, such as any RSA key.
               # @!attribute [rw] rsa
               #   @return [::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::AllowedKeyType::RsaKeyType]
               #     Represents an allowed RSA key type.
@@ -342,35 +438,39 @@ module Google
                 include ::Google::Protobuf::MessageExts
                 extend ::Google::Protobuf::MessageExts::ClassMethods
 
-                # Describes an RSA key that may be used in a {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} issued from
-                # a {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
+                # Describes an RSA key that may be used in a
+                # {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} issued
+                # from a {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
                 # @!attribute [rw] min_modulus_size
                 #   @return [::Integer]
-                #     Optional. The minimum allowed RSA modulus size (inclusive), in bits. If this is
-                #     not set, or if set to zero, the service-level min RSA modulus size
-                #     will continue to apply.
+                #     Optional. The minimum allowed RSA modulus size (inclusive), in bits.
+                #     If this is not set, or if set to zero, the service-level min RSA
+                #     modulus size will continue to apply.
                 # @!attribute [rw] max_modulus_size
                 #   @return [::Integer]
-                #     Optional. The maximum allowed RSA modulus size (inclusive), in bits. If this is
-                #     not set, or if set to zero, the service will not enforce an explicit
-                #     upper bound on RSA modulus sizes.
+                #     Optional. The maximum allowed RSA modulus size (inclusive), in bits.
+                #     If this is not set, or if set to zero, the service will not enforce
+                #     an explicit upper bound on RSA modulus sizes.
                 class RsaKeyType
                   include ::Google::Protobuf::MessageExts
                   extend ::Google::Protobuf::MessageExts::ClassMethods
                 end
 
-                # Describes an Elliptic Curve key that may be used in a {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate}
-                # issued from a {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
+                # Describes an Elliptic Curve key that may be used in a
+                # {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} issued
+                # from a {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
                 # @!attribute [rw] signature_algorithm
                 #   @return [::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::AllowedKeyType::EcKeyType::EcSignatureAlgorithm]
-                #     Optional. A signature algorithm that must be used. If this is omitted, any
-                #     EC-based signature algorithm will be allowed.
+                #     Optional. A signature algorithm that must be used. If this is
+                #     omitted, any EC-based signature algorithm will be allowed.
                 class EcKeyType
                   include ::Google::Protobuf::MessageExts
                   extend ::Google::Protobuf::MessageExts::ClassMethods
 
                   # Describes an elliptic curve-based signature algorithm that may be
-                  # used in a {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} issued from a {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
+                  # used in a
+                  # {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} issued
+                  # from a {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
                   module EcSignatureAlgorithm
                     # Not specified. Signifies that any signature algorithm may be used.
                     EC_SIGNATURE_ALGORITHM_UNSPECIFIED = 0
@@ -390,17 +490,21 @@ module Google
                 end
               end
 
-              # {::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::IssuanceModes IssuanceModes} specifies the allowed ways in which
-              # {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates} may be requested from this
-              # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
+              # {::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::IssuanceModes IssuanceModes}
+              # specifies the allowed ways in which
+              # {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates} may be
+              # requested from this {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
               # @!attribute [rw] allow_csr_based_issuance
               #   @return [::Boolean]
-              #     Optional. When true, allows callers to create {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates} by
+              #     Optional. When true, allows callers to create
+              #     {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates} by
               #     specifying a CSR.
               # @!attribute [rw] allow_config_based_issuance
               #   @return [::Boolean]
-              #     Optional. When true, allows callers to create {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates} by
-              #     specifying a {::Google::Cloud::Security::PrivateCA::V1::CertificateConfig CertificateConfig}.
+              #     Optional. When true, allows callers to create
+              #     {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates} by
+              #     specifying a
+              #     {::Google::Cloud::Security::PrivateCA::V1::CertificateConfig CertificateConfig}.
               class IssuanceModes
                 include ::Google::Protobuf::MessageExts
                 extend ::Google::Protobuf::MessageExts::ClassMethods
@@ -416,8 +520,8 @@ module Google
               extend ::Google::Protobuf::MessageExts::ClassMethods
             end
 
-            # The tier of a {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}, indicating its supported functionality and/or
-            # billing SKU.
+            # The tier of a {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool},
+            # indicating its supported functionality and/or billing SKU.
             module Tier
               # Not specified.
               TIER_UNSPECIFIED = 0
@@ -430,14 +534,15 @@ module Google
             end
           end
 
-          # A {::Google::Cloud::Security::PrivateCA::V1::CertificateRevocationList CertificateRevocationList} corresponds to a signed X.509 certificate
-          # Revocation List (CRL). A CRL contains the serial numbers of certificates that
-          # should no longer be trusted.
+          # A
+          # {::Google::Cloud::Security::PrivateCA::V1::CertificateRevocationList CertificateRevocationList}
+          # corresponds to a signed X.509 certificate Revocation List (CRL). A CRL
+          # contains the serial numbers of certificates that should no longer be trusted.
           # @!attribute [r] name
           #   @return [::String]
-          #     Output only. The resource name for this {::Google::Cloud::Security::PrivateCA::V1::CertificateRevocationList CertificateRevocationList} in
-          #     the format
-          #     `projects/*/locations/*/caPools/*certificateAuthorities/*/
+          #     Output only. The resource name for this
+          #     {::Google::Cloud::Security::PrivateCA::V1::CertificateRevocationList CertificateRevocationList}
+          #     in the format `projects/*/locations/*/caPools/*certificateAuthorities/*/
           #        certificateRevocationLists/*`.
           # @!attribute [r] sequence_number
           #   @return [::Integer]
@@ -453,18 +558,26 @@ module Google
           #     Output only. The location where 'pem_crl' can be accessed.
           # @!attribute [r] state
           #   @return [::Google::Cloud::Security::PrivateCA::V1::CertificateRevocationList::State]
-          #     Output only. The {::Google::Cloud::Security::PrivateCA::V1::CertificateRevocationList::State State} for this {::Google::Cloud::Security::PrivateCA::V1::CertificateRevocationList CertificateRevocationList}.
+          #     Output only. The
+          #     {::Google::Cloud::Security::PrivateCA::V1::CertificateRevocationList::State State}
+          #     for this
+          #     {::Google::Cloud::Security::PrivateCA::V1::CertificateRevocationList CertificateRevocationList}.
           # @!attribute [r] create_time
           #   @return [::Google::Protobuf::Timestamp]
-          #     Output only. The time at which this {::Google::Cloud::Security::PrivateCA::V1::CertificateRevocationList CertificateRevocationList} was created.
+          #     Output only. The time at which this
+          #     {::Google::Cloud::Security::PrivateCA::V1::CertificateRevocationList CertificateRevocationList}
+          #     was created.
           # @!attribute [r] update_time
           #   @return [::Google::Protobuf::Timestamp]
-          #     Output only. The time at which this {::Google::Cloud::Security::PrivateCA::V1::CertificateRevocationList CertificateRevocationList} was updated.
+          #     Output only. The time at which this
+          #     {::Google::Cloud::Security::PrivateCA::V1::CertificateRevocationList CertificateRevocationList}
+          #     was updated.
           # @!attribute [r] revision_id
           #   @return [::String]
-          #     Output only. The revision ID of this {::Google::Cloud::Security::PrivateCA::V1::CertificateRevocationList CertificateRevocationList}. A new revision is
-          #     committed whenever a new CRL is published. The format is an 8-character
-          #     hexadecimal string.
+          #     Output only. The revision ID of this
+          #     {::Google::Cloud::Security::PrivateCA::V1::CertificateRevocationList CertificateRevocationList}.
+          #     A new revision is committed whenever a new CRL is published. The format is
+          #     an 8-character hexadecimal string.
           # @!attribute [rw] labels
           #   @return [::Google::Protobuf::Map{::String => ::String}]
           #     Optional. Labels with user-defined metadata.
@@ -472,17 +585,22 @@ module Google
             include ::Google::Protobuf::MessageExts
             extend ::Google::Protobuf::MessageExts::ClassMethods
 
-            # Describes a revoked {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate}.
+            # Describes a revoked
+            # {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate}.
             # @!attribute [rw] certificate
             #   @return [::String]
-            #     The resource name for the {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} in the format
-            #     `projects/*/locations/*/caPools/*/certificates/*`.
+            #     The resource name for the
+            #     {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} in the
+            #     format `projects/*/locations/*/caPools/*/certificates/*`.
             # @!attribute [rw] hex_serial_number
             #   @return [::String]
-            #     The serial number of the {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate}.
+            #     The serial number of the
+            #     {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate}.
             # @!attribute [rw] revocation_reason
             #   @return [::Google::Cloud::Security::PrivateCA::V1::RevocationReason]
-            #     The reason the {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} was revoked.
+            #     The reason the
+            #     {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} was
+            #     revoked.
             class RevokedCertificate
               include ::Google::Protobuf::MessageExts
               extend ::Google::Protobuf::MessageExts::ClassMethods
@@ -497,58 +615,73 @@ module Google
               extend ::Google::Protobuf::MessageExts::ClassMethods
             end
 
-            # The state of a {::Google::Cloud::Security::PrivateCA::V1::CertificateRevocationList CertificateRevocationList}, indicating if it is current.
+            # The state of a
+            # {::Google::Cloud::Security::PrivateCA::V1::CertificateRevocationList CertificateRevocationList},
+            # indicating if it is current.
             module State
               # Not specified.
               STATE_UNSPECIFIED = 0
 
-              # The {::Google::Cloud::Security::PrivateCA::V1::CertificateRevocationList CertificateRevocationList} is up to date.
+              # The
+              # {::Google::Cloud::Security::PrivateCA::V1::CertificateRevocationList CertificateRevocationList}
+              # is up to date.
               ACTIVE = 1
 
-              # The {::Google::Cloud::Security::PrivateCA::V1::CertificateRevocationList CertificateRevocationList} is no longer current.
+              # The
+              # {::Google::Cloud::Security::PrivateCA::V1::CertificateRevocationList CertificateRevocationList}
+              # is no longer current.
               SUPERSEDED = 2
             end
           end
 
-          # A {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} corresponds to a signed X.509 certificate issued by a
+          # A {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} corresponds
+          # to a signed X.509 certificate issued by a
           # {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}.
           # @!attribute [r] name
           #   @return [::String]
-          #     Output only. The resource name for this {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} in the format
+          #     Output only. The resource name for this
+          #     {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} in the format
           #     `projects/*/locations/*/caPools/*/certificates/*`.
           # @!attribute [rw] pem_csr
           #   @return [::String]
           #     Immutable. A pem-encoded X.509 certificate signing request (CSR).
           # @!attribute [rw] config
           #   @return [::Google::Cloud::Security::PrivateCA::V1::CertificateConfig]
-          #     Immutable. A description of the certificate and key that does not require X.509 or
-          #     ASN.1.
+          #     Immutable. A description of the certificate and key that does not require
+          #     X.509 or ASN.1.
           # @!attribute [r] issuer_certificate_authority
           #   @return [::String]
-          #     Output only. The resource name of the issuing {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority} in the format
-          #     `projects/*/locations/*/caPools/*/certificateAuthorities/*`.
+          #     Output only. The resource name of the issuing
+          #     {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}
+          #     in the format `projects/*/locations/*/caPools/*/certificateAuthorities/*`.
           # @!attribute [rw] lifetime
           #   @return [::Google::Protobuf::Duration]
-          #     Required. Immutable. The desired lifetime of a certificate. Used to create the
-          #     "not_before_time" and "not_after_time" fields inside an X.509
+          #     Required. Immutable. The desired lifetime of a certificate. Used to create
+          #     the "not_before_time" and "not_after_time" fields inside an X.509
           #     certificate. Note that the lifetime may be truncated if it would extend
           #     past the life of any certificate authority in the issuing chain.
           # @!attribute [rw] certificate_template
           #   @return [::String]
-          #     Immutable. The resource name for a {::Google::Cloud::Security::PrivateCA::V1::CertificateTemplate CertificateTemplate} used to issue this
-          #     certificate, in the format
+          #     Immutable. The resource name for a
+          #     {::Google::Cloud::Security::PrivateCA::V1::CertificateTemplate CertificateTemplate}
+          #     used to issue this certificate, in the format
           #     `projects/*/locations/*/certificateTemplates/*`.
           #     If this is specified, the caller must have the necessary permission to
           #     use this template. If this is omitted, no template will be used.
-          #     This template must be in the same location as the {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate}.
+          #     This template must be in the same location as the
+          #     {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate}.
           # @!attribute [rw] subject_mode
           #   @return [::Google::Cloud::Security::PrivateCA::V1::SubjectRequestMode]
-          #     Immutable. Specifies how the {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate}'s identity fields are to be decided.
-          #     If this is omitted, the `DEFAULT` subject mode will be used.
+          #     Immutable. Specifies how the
+          #     {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate}'s identity
+          #     fields are to be decided. If this is omitted, the `DEFAULT` subject mode
+          #     will be used.
           # @!attribute [r] revocation_details
           #   @return [::Google::Cloud::Security::PrivateCA::V1::Certificate::RevocationDetails]
-          #     Output only. Details regarding the revocation of this {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate}. This
-          #     {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} is considered revoked if and only if this field is present.
+          #     Output only. Details regarding the revocation of this
+          #     {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate}. This
+          #     {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} is considered
+          #     revoked if and only if this field is present.
           # @!attribute [r] pem_certificate
           #   @return [::String]
           #     Output only. The pem-encoded, signed X.509 certificate.
@@ -557,14 +690,16 @@ module Google
           #     Output only. A structured description of the issued X.509 certificate.
           # @!attribute [r] pem_certificate_chain
           #   @return [::Array<::String>]
-          #     Output only. The chain that may be used to verify the X.509 certificate. Expected to be
-          #     in issuer-to-root order according to RFC 5246.
+          #     Output only. The chain that may be used to verify the X.509 certificate.
+          #     Expected to be in issuer-to-root order according to RFC 5246.
           # @!attribute [r] create_time
           #   @return [::Google::Protobuf::Timestamp]
-          #     Output only. The time at which this {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} was created.
+          #     Output only. The time at which this
+          #     {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} was created.
           # @!attribute [r] update_time
           #   @return [::Google::Protobuf::Timestamp]
-          #     Output only. The time at which this {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} was updated.
+          #     Output only. The time at which this
+          #     {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} was updated.
           # @!attribute [rw] labels
           #   @return [::Google::Protobuf::Map{::String => ::String}]
           #     Optional. Labels with user-defined metadata.
@@ -572,13 +707,18 @@ module Google
             include ::Google::Protobuf::MessageExts
             extend ::Google::Protobuf::MessageExts::ClassMethods
 
-            # Describes fields that are relavent to the revocation of a {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate}.
+            # Describes fields that are relavent to the revocation of a
+            # {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate}.
             # @!attribute [rw] revocation_state
             #   @return [::Google::Cloud::Security::PrivateCA::V1::RevocationReason]
-            #     Indicates why a {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} was revoked.
+            #     Indicates why a
+            #     {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} was
+            #     revoked.
             # @!attribute [rw] revocation_time
             #   @return [::Google::Protobuf::Timestamp]
-            #     The time at which this {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} was revoked.
+            #     The time at which this
+            #     {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} was
+            #     revoked.
             class RevocationDetails
               include ::Google::Protobuf::MessageExts
               extend ::Google::Protobuf::MessageExts::ClassMethods
@@ -594,47 +734,64 @@ module Google
             end
           end
 
-          # A {::Google::Cloud::Security::PrivateCA::V1::CertificateTemplate CertificateTemplate} refers to a managed template for certificate
-          # issuance.
+          # A
+          # {::Google::Cloud::Security::PrivateCA::V1::CertificateTemplate CertificateTemplate}
+          # refers to a managed template for certificate issuance.
           # @!attribute [r] name
           #   @return [::String]
-          #     Output only. The resource name for this {::Google::Cloud::Security::PrivateCA::V1::CertificateTemplate CertificateTemplate} in the format
-          #     `projects/*/locations/*/certificateTemplates/*`.
+          #     Output only. The resource name for this
+          #     {::Google::Cloud::Security::PrivateCA::V1::CertificateTemplate CertificateTemplate}
+          #     in the format `projects/*/locations/*/certificateTemplates/*`.
           # @!attribute [rw] predefined_values
           #   @return [::Google::Cloud::Security::PrivateCA::V1::X509Parameters]
-          #     Optional. A set of X.509 values that will be applied to all issued certificates that
-          #     use this template. If the certificate request includes conflicting values
-          #     for the same properties, they will be overwritten by the values defined
-          #     here. If the issuing {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}'s {::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy IssuancePolicy}
+          #     Optional. A set of X.509 values that will be applied to all issued
+          #     certificates that use this template. If the certificate request includes
+          #     conflicting values for the same properties, they will be overwritten by the
+          #     values defined here. If the issuing
+          #     {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}'s
+          #     {::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy IssuancePolicy}
           #     defines conflicting
-          #     {::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy#baseline_values baseline_values} for the same
-          #     properties, the certificate issuance request will fail.
+          #     {::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy#baseline_values baseline_values}
+          #     for the same properties, the certificate issuance request will fail.
           # @!attribute [rw] identity_constraints
           #   @return [::Google::Cloud::Security::PrivateCA::V1::CertificateIdentityConstraints]
           #     Optional. Describes constraints on identities that may be appear in
-          #     {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates} issued using this template. If this is omitted,
-          #     then this template will not add restrictions on a certificate's identity.
+          #     {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates} issued using
+          #     this template. If this is omitted, then this template will not add
+          #     restrictions on a certificate's identity.
           # @!attribute [rw] passthrough_extensions
           #   @return [::Google::Cloud::Security::PrivateCA::V1::CertificateExtensionConstraints]
           #     Optional. Describes the set of X.509 extensions that may appear in a
-          #     {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} issued using this {::Google::Cloud::Security::PrivateCA::V1::CertificateTemplate CertificateTemplate}. If a certificate
-          #     request sets extensions that don't appear in the
-          #     {::Google::Cloud::Security::PrivateCA::V1::CertificateTemplate#passthrough_extensions passthrough_extensions}, those extensions will be dropped. If the
-          #     issuing {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}'s {::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy IssuancePolicy} defines
-          #     {::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy#baseline_values baseline_values} that don't appear
-          #     here, the certificate issuance request will fail. If this is omitted, then
-          #     this template will not add restrictions on a certificate's X.509
-          #     extensions. These constraints do not apply to X.509 extensions set in this
-          #     {::Google::Cloud::Security::PrivateCA::V1::CertificateTemplate CertificateTemplate}'s {::Google::Cloud::Security::PrivateCA::V1::CertificateTemplate#predefined_values predefined_values}.
+          #     {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} issued using
+          #     this
+          #     {::Google::Cloud::Security::PrivateCA::V1::CertificateTemplate CertificateTemplate}.
+          #     If a certificate request sets extensions that don't appear in the
+          #     {::Google::Cloud::Security::PrivateCA::V1::CertificateTemplate#passthrough_extensions passthrough_extensions},
+          #     those extensions will be dropped. If the issuing
+          #     {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}'s
+          #     {::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy IssuancePolicy}
+          #     defines
+          #     {::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy#baseline_values baseline_values}
+          #     that don't appear here, the certificate issuance request will fail. If this
+          #     is omitted, then this template will not add restrictions on a certificate's
+          #     X.509 extensions. These constraints do not apply to X.509 extensions set in
+          #     this
+          #     {::Google::Cloud::Security::PrivateCA::V1::CertificateTemplate CertificateTemplate}'s
+          #     {::Google::Cloud::Security::PrivateCA::V1::CertificateTemplate#predefined_values predefined_values}.
           # @!attribute [rw] description
           #   @return [::String]
-          #     Optional. A human-readable description of scenarios this template is intended for.
+          #     Optional. A human-readable description of scenarios this template is
+          #     intended for.
           # @!attribute [r] create_time
           #   @return [::Google::Protobuf::Timestamp]
-          #     Output only. The time at which this {::Google::Cloud::Security::PrivateCA::V1::CertificateTemplate CertificateTemplate} was created.
+          #     Output only. The time at which this
+          #     {::Google::Cloud::Security::PrivateCA::V1::CertificateTemplate CertificateTemplate}
+          #     was created.
           # @!attribute [r] update_time
           #   @return [::Google::Protobuf::Timestamp]
-          #     Output only. The time at which this {::Google::Cloud::Security::PrivateCA::V1::CertificateTemplate CertificateTemplate} was updated.
+          #     Output only. The time at which this
+          #     {::Google::Cloud::Security::PrivateCA::V1::CertificateTemplate CertificateTemplate}
+          #     was updated.
           # @!attribute [rw] labels
           #   @return [::Google::Protobuf::Map{::String => ::String}]
           #     Optional. Labels with user-defined metadata.
@@ -652,25 +809,31 @@ module Google
             end
           end
 
-          # An {::Google::Cloud::Security::PrivateCA::V1::X509Parameters X509Parameters} is used to describe certain fields of an
-          # X.509 certificate, such as the key usage fields, fields specific to CA
-          # certificates, certificate policy extensions and custom extensions.
+          # An {::Google::Cloud::Security::PrivateCA::V1::X509Parameters X509Parameters} is
+          # used to describe certain fields of an X.509 certificate, such as the key
+          # usage fields, fields specific to CA certificates, certificate policy
+          # extensions and custom extensions.
           # @!attribute [rw] key_usage
           #   @return [::Google::Cloud::Security::PrivateCA::V1::KeyUsage]
-          #     Optional. Indicates the intended use for keys that correspond to a certificate.
+          #     Optional. Indicates the intended use for keys that correspond to a
+          #     certificate.
           # @!attribute [rw] ca_options
           #   @return [::Google::Cloud::Security::PrivateCA::V1::X509Parameters::CaOptions]
-          #     Optional. Describes options in this {::Google::Cloud::Security::PrivateCA::V1::X509Parameters X509Parameters} that are relevant in a CA
-          #     certificate.
+          #     Optional. Describes options in this
+          #     {::Google::Cloud::Security::PrivateCA::V1::X509Parameters X509Parameters} that
+          #     are relevant in a CA certificate.
           # @!attribute [rw] policy_ids
           #   @return [::Array<::Google::Cloud::Security::PrivateCA::V1::ObjectId>]
           #     Optional. Describes the X.509 certificate policy object identifiers, per
           #     https://tools.ietf.org/html/rfc5280#section-4.2.1.4.
           # @!attribute [rw] aia_ocsp_servers
           #   @return [::Array<::String>]
-          #     Optional. Describes Online Certificate Status Protocol (OCSP) endpoint addresses
-          #     that appear in the "Authority Information Access" extension in the
-          #     certificate.
+          #     Optional. Describes Online Certificate Status Protocol (OCSP) endpoint
+          #     addresses that appear in the "Authority Information Access" extension in
+          #     the certificate.
+          # @!attribute [rw] name_constraints
+          #   @return [::Google::Cloud::Security::PrivateCA::V1::X509Parameters::NameConstraints]
+          #     Optional. Describes the X.509 name constraints extension.
           # @!attribute [rw] additional_extensions
           #   @return [::Array<::Google::Cloud::Security::PrivateCA::V1::X509Extension>]
           #     Optional. Describes custom X.509 extensions.
@@ -681,8 +844,9 @@ module Google
             # Describes values that are relevant in a CA certificate.
             # @!attribute [rw] is_ca
             #   @return [::Boolean]
-            #     Optional. Refers to the "CA" X.509 extension, which is a boolean value. When this
-            #     value is missing, the extension will be omitted from the CA certificate.
+            #     Optional. Refers to the "CA" X.509 extension, which is a boolean value.
+            #     When this value is missing, the extension will be omitted from the CA
+            #     certificate.
             # @!attribute [rw] max_issuer_path_length
             #   @return [::Integer]
             #     Optional. Refers to the path length restriction X.509 extension. For a CA
@@ -695,20 +859,84 @@ module Google
               include ::Google::Protobuf::MessageExts
               extend ::Google::Protobuf::MessageExts::ClassMethods
             end
+
+            # Describes the X.509 name constraints extension, per
+            # https://tools.ietf.org/html/rfc5280#section-4.2.1.10
+            # @!attribute [rw] critical
+            #   @return [::Boolean]
+            #     Indicates whether or not the name constraints are marked critical.
+            # @!attribute [rw] permitted_dns_names
+            #   @return [::Array<::String>]
+            #     Contains permitted DNS names. Any DNS name that can be
+            #     constructed by simply adding zero or more labels to
+            #     the left-hand side of the name satisfies the name constraint.
+            #     For example, `example.com`, `www.example.com`, `www.sub.example.com`
+            #     would satisfy `example.com` while `example1.com` does not.
+            # @!attribute [rw] excluded_dns_names
+            #   @return [::Array<::String>]
+            #     Contains excluded DNS names. Any DNS name that can be
+            #     constructed by simply adding zero or more labels to
+            #     the left-hand side of the name satisfies the name constraint.
+            #     For example, `example.com`, `www.example.com`, `www.sub.example.com`
+            #     would satisfy `example.com` while `example1.com` does not.
+            # @!attribute [rw] permitted_ip_ranges
+            #   @return [::Array<::String>]
+            #     Contains the permitted IP ranges. For IPv4 addresses, the ranges
+            #     are expressed using CIDR notation as specified in RFC 4632.
+            #     For IPv6 addresses, the ranges are expressed in similar encoding as IPv4
+            #     addresses.
+            # @!attribute [rw] excluded_ip_ranges
+            #   @return [::Array<::String>]
+            #     Contains the excluded IP ranges. For IPv4 addresses, the ranges
+            #     are expressed using CIDR notation as specified in RFC 4632.
+            #     For IPv6 addresses, the ranges are expressed in similar encoding as IPv4
+            #     addresses.
+            # @!attribute [rw] permitted_email_addresses
+            #   @return [::Array<::String>]
+            #     Contains the permitted email addresses. The value can be a particular
+            #     email address, a hostname to indicate all email addresses on that host or
+            #     a domain with a leading period (e.g. `.example.com`) to indicate
+            #     all email addresses in that domain.
+            # @!attribute [rw] excluded_email_addresses
+            #   @return [::Array<::String>]
+            #     Contains the excluded email addresses. The value can be a particular
+            #     email address, a hostname to indicate all email addresses on that host or
+            #     a domain with a leading period (e.g. `.example.com`) to indicate
+            #     all email addresses in that domain.
+            # @!attribute [rw] permitted_uris
+            #   @return [::Array<::String>]
+            #     Contains the permitted URIs that apply to the host part of the name.
+            #     The value can be a hostname or a domain with a
+            #     leading period (like `.example.com`)
+            # @!attribute [rw] excluded_uris
+            #   @return [::Array<::String>]
+            #     Contains the excluded URIs that apply to the host part of the name.
+            #     The value can be a hostname or a domain with a
+            #     leading period (like `.example.com`)
+            class NameConstraints
+              include ::Google::Protobuf::MessageExts
+              extend ::Google::Protobuf::MessageExts::ClassMethods
+            end
           end
 
           # Describes a subordinate CA's issuers. This is either a resource name to a
-          # known issuing {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}, or a PEM issuer certificate chain.
+          # known issuing
+          # {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority},
+          # or a PEM issuer certificate chain.
           # @!attribute [rw] certificate_authority
           #   @return [::String]
-          #     Required. This can refer to a {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority} that was used to create a
-          #     subordinate {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}. This field is used for information
-          #     and usability purposes only. The resource name is in the format
+          #     Required. This can refer to a
+          #     {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}
+          #     that was used to create a subordinate
+          #     {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}.
+          #     This field is used for information and usability purposes only. The
+          #     resource name is in the format
           #     `projects/*/locations/*/caPools/*/certificateAuthorities/*`.
           # @!attribute [rw] pem_issuer_chain
           #   @return [::Google::Cloud::Security::PrivateCA::V1::SubordinateConfig::SubordinateConfigChain]
           #     Required. Contains the PEM certificate chain for the issuers of this
-          #     {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}, but not pem certificate for this CA itself.
+          #     {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority},
+          #     but not pem certificate for this CA itself.
           class SubordinateConfig
             include ::Google::Protobuf::MessageExts
             extend ::Google::Protobuf::MessageExts::ClassMethods
@@ -724,7 +952,8 @@ module Google
             end
           end
 
-          # A {::Google::Cloud::Security::PrivateCA::V1::PublicKey PublicKey} describes a public key.
+          # A {::Google::Cloud::Security::PrivateCA::V1::PublicKey PublicKey} describes a
+          # public key.
           # @!attribute [rw] key
           #   @return [::String]
           #     Required. A public key. The padding and encoding
@@ -759,21 +988,27 @@ module Google
             end
           end
 
-          # A {::Google::Cloud::Security::PrivateCA::V1::CertificateConfig CertificateConfig} describes an X.509 certificate or CSR that is to be
-          # created, as an alternative to using ASN.1.
+          # A {::Google::Cloud::Security::PrivateCA::V1::CertificateConfig CertificateConfig}
+          # describes an X.509 certificate or CSR that is to be created, as an
+          # alternative to using ASN.1.
           # @!attribute [rw] subject_config
           #   @return [::Google::Cloud::Security::PrivateCA::V1::CertificateConfig::SubjectConfig]
-          #     Required. Specifies some of the values in a certificate that are related to the
-          #     subject.
+          #     Required. Specifies some of the values in a certificate that are related to
+          #     the subject.
           # @!attribute [rw] x509_config
           #   @return [::Google::Cloud::Security::PrivateCA::V1::X509Parameters]
-          #     Required. Describes how some of the technical X.509 fields in a certificate should be
-          #     populated.
+          #     Required. Describes how some of the technical X.509 fields in a certificate
+          #     should be populated.
           # @!attribute [rw] public_key
           #   @return [::Google::Cloud::Security::PrivateCA::V1::PublicKey]
-          #     Optional. The public key that corresponds to this config. This is, for example, used
-          #     when issuing {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates}, but not when creating a
-          #     self-signed {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority} or {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority} CSR.
+          #     Optional. The public key that corresponds to this config. This is, for
+          #     example, used when issuing
+          #     {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates}, but not
+          #     when creating a self-signed
+          #     {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}
+          #     or
+          #     {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}
+          #     CSR.
           class CertificateConfig
             include ::Google::Protobuf::MessageExts
             extend ::Google::Protobuf::MessageExts::ClassMethods
@@ -782,8 +1017,8 @@ module Google
             # alternative name fields in an X.509 certificate.
             # @!attribute [rw] subject
             #   @return [::Google::Cloud::Security::PrivateCA::V1::Subject]
-            #     Required. Contains distinguished name fields such as the common name, location and
-            #     organization.
+            #     Required. Contains distinguished name fields such as the common name,
+            #     location and organization.
             # @!attribute [rw] subject_alt_name
             #   @return [::Google::Cloud::Security::PrivateCA::V1::SubjectAltNames]
             #     Optional. The subject alternative name fields.
@@ -793,8 +1028,10 @@ module Google
             end
           end
 
-          # A {::Google::Cloud::Security::PrivateCA::V1::CertificateDescription CertificateDescription} describes an X.509 certificate or CSR that has
-          # been issued, as an alternative to using ASN.1 / X.509.
+          # A
+          # {::Google::Cloud::Security::PrivateCA::V1::CertificateDescription CertificateDescription}
+          # describes an X.509 certificate or CSR that has been issued, as an alternative
+          # to using ASN.1 / X.509.
           # @!attribute [rw] subject_description
           #   @return [::Google::Cloud::Security::PrivateCA::V1::CertificateDescription::SubjectDescription]
           #     Describes some of the values in a certificate that are related to the
@@ -862,8 +1099,8 @@ module Google
             # key.
             # @!attribute [rw] key_id
             #   @return [::String]
-            #     Optional. The value of this KeyId encoded in lowercase hexadecimal. This is most
-            #     likely the 160 bit SHA-1 hash of the public key.
+            #     Optional. The value of this KeyId encoded in lowercase hexadecimal. This
+            #     is most likely the 160 bit SHA-1 hash of the public key.
             class KeyId
               include ::Google::Protobuf::MessageExts
               extend ::Google::Protobuf::MessageExts::ClassMethods
@@ -879,27 +1116,29 @@ module Google
             end
           end
 
-          # An {::Google::Cloud::Security::PrivateCA::V1::ObjectId ObjectId} specifies an object identifier (OID). These provide context
-          # and describe types in ASN.1 messages.
+          # An {::Google::Cloud::Security::PrivateCA::V1::ObjectId ObjectId} specifies an
+          # object identifier (OID). These provide context and describe types in ASN.1
+          # messages.
           # @!attribute [rw] object_id_path
           #   @return [::Array<::Integer>]
-          #     Required. The parts of an OID path. The most significant parts of the path come
-          #     first.
+          #     Required. The parts of an OID path. The most significant parts of the path
+          #     come first.
           class ObjectId
             include ::Google::Protobuf::MessageExts
             extend ::Google::Protobuf::MessageExts::ClassMethods
           end
 
-          # An {::Google::Cloud::Security::PrivateCA::V1::X509Extension X509Extension} specifies an X.509 extension, which may be used in
-          # different parts of X.509 objects like certificates, CSRs, and CRLs.
+          # An {::Google::Cloud::Security::PrivateCA::V1::X509Extension X509Extension}
+          # specifies an X.509 extension, which may be used in different parts of X.509
+          # objects like certificates, CSRs, and CRLs.
           # @!attribute [rw] object_id
           #   @return [::Google::Cloud::Security::PrivateCA::V1::ObjectId]
           #     Required. The OID for this X.509 extension.
           # @!attribute [rw] critical
           #   @return [::Boolean]
-          #     Optional. Indicates whether or not this extension is critical (i.e., if the client
-          #     does not know how to handle this extension, the client should consider this
-          #     to be an error).
+          #     Optional. Indicates whether or not this extension is critical (i.e., if the
+          #     client does not know how to handle this extension, the client should
+          #     consider this to be an error).
           # @!attribute [rw] value
           #   @return [::String]
           #     Required. The value of this X.509 extension.
@@ -908,8 +1147,8 @@ module Google
             extend ::Google::Protobuf::MessageExts::ClassMethods
           end
 
-          # A {::Google::Cloud::Security::PrivateCA::V1::KeyUsage KeyUsage} describes key usage values that may appear in an X.509
-          # certificate.
+          # A {::Google::Cloud::Security::PrivateCA::V1::KeyUsage KeyUsage} describes key usage
+          # values that may appear in an X.509 certificate.
           # @!attribute [rw] base_key_usage
           #   @return [::Google::Cloud::Security::PrivateCA::V1::KeyUsage::KeyUsageOptions]
           #     Describes high-level ways in which a key may be used.
@@ -919,13 +1158,15 @@ module Google
           # @!attribute [rw] unknown_extended_key_usages
           #   @return [::Array<::Google::Cloud::Security::PrivateCA::V1::ObjectId>]
           #     Used to describe extended key usages that are not listed in the
-          #     {::Google::Cloud::Security::PrivateCA::V1::KeyUsage::ExtendedKeyUsageOptions KeyUsage.ExtendedKeyUsageOptions} message.
+          #     {::Google::Cloud::Security::PrivateCA::V1::KeyUsage::ExtendedKeyUsageOptions KeyUsage.ExtendedKeyUsageOptions}
+          #     message.
           class KeyUsage
             include ::Google::Protobuf::MessageExts
             extend ::Google::Protobuf::MessageExts::ClassMethods
 
-            # {::Google::Cloud::Security::PrivateCA::V1::KeyUsage::KeyUsageOptions KeyUsage.KeyUsageOptions} corresponds to the key usage values
-            # described in https://tools.ietf.org/html/rfc5280#section-4.2.1.3.
+            # {::Google::Cloud::Security::PrivateCA::V1::KeyUsage::KeyUsageOptions KeyUsage.KeyUsageOptions}
+            # corresponds to the key usage values described in
+            # https://tools.ietf.org/html/rfc5280#section-4.2.1.3.
             # @!attribute [rw] digital_signature
             #   @return [::Boolean]
             #     The key may be used for digital signatures.
@@ -959,8 +1200,9 @@ module Google
               extend ::Google::Protobuf::MessageExts::ClassMethods
             end
 
-            # {::Google::Cloud::Security::PrivateCA::V1::KeyUsage::ExtendedKeyUsageOptions KeyUsage.ExtendedKeyUsageOptions} has fields that correspond to
-            # certain common OIDs that could be specified as an extended key usage value.
+            # {::Google::Cloud::Security::PrivateCA::V1::KeyUsage::ExtendedKeyUsageOptions KeyUsage.ExtendedKeyUsageOptions}
+            # has fields that correspond to certain common OIDs that could be specified
+            # as an extended key usage value.
             # @!attribute [rw] server_auth
             #   @return [::Boolean]
             #     Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as "TLS WWW
@@ -991,8 +1233,8 @@ module Google
             end
           end
 
-          # {::Google::Cloud::Security::PrivateCA::V1::Subject Subject} describes parts of a distinguished name that, in turn,
-          # describes the subject of the certificate.
+          # {::Google::Cloud::Security::PrivateCA::V1::Subject Subject} describes parts of a
+          # distinguished name that, in turn, describes the subject of the certificate.
           # @!attribute [rw] common_name
           #   @return [::String]
           #     The "common name" of the subject.
@@ -1022,9 +1264,10 @@ module Google
             extend ::Google::Protobuf::MessageExts::ClassMethods
           end
 
-          # {::Google::Cloud::Security::PrivateCA::V1::SubjectAltNames SubjectAltNames} corresponds to a more modern way of listing what
-          # the asserted identity is in a certificate (i.e., compared to the "common
-          # name" in the distinguished name).
+          # {::Google::Cloud::Security::PrivateCA::V1::SubjectAltNames SubjectAltNames}
+          # corresponds to a more modern way of listing what the asserted identity is in
+          # a certificate (i.e., compared to the "common name" in the distinguished
+          # name).
           # @!attribute [rw] dns_names
           #   @return [::Array<::String>]
           #     Contains only valid, fully-qualified host names.
@@ -1047,24 +1290,31 @@ module Google
             extend ::Google::Protobuf::MessageExts::ClassMethods
           end
 
-          # Describes constraints on a {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate}'s {::Google::Cloud::Security::PrivateCA::V1::Subject Subject} and
+          # Describes constraints on a
+          # {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate}'s
+          # {::Google::Cloud::Security::PrivateCA::V1::Subject Subject} and
           # {::Google::Cloud::Security::PrivateCA::V1::SubjectAltNames SubjectAltNames}.
           # @!attribute [rw] cel_expression
           #   @return [::Google::Type::Expr]
-          #     Optional. A CEL expression that may be used to validate the resolved X.509 Subject
-          #     and/or Subject Alternative Name before a certificate is signed.
-          #     To see the full allowed syntax and some examples, see
+          #     Optional. A CEL expression that may be used to validate the resolved X.509
+          #     Subject and/or Subject Alternative Name before a certificate is signed. To
+          #     see the full allowed syntax and some examples, see
           #     https://cloud.google.com/certificate-authority-service/docs/using-cel
           # @!attribute [rw] allow_subject_passthrough
           #   @return [::Boolean]
-          #     Required. If this is true, the {::Google::Cloud::Security::PrivateCA::V1::Subject Subject} field may be copied from a certificate
-          #     request into the signed certificate. Otherwise, the requested {::Google::Cloud::Security::PrivateCA::V1::Subject Subject}
-          #     will be discarded.
+          #     Required. If this is true, the
+          #     {::Google::Cloud::Security::PrivateCA::V1::Subject Subject} field may be copied
+          #     from a certificate request into the signed certificate. Otherwise, the
+          #     requested {::Google::Cloud::Security::PrivateCA::V1::Subject Subject} will be
+          #     discarded.
           # @!attribute [rw] allow_subject_alt_names_passthrough
           #   @return [::Boolean]
-          #     Required. If this is true, the {::Google::Cloud::Security::PrivateCA::V1::SubjectAltNames SubjectAltNames} extension may be copied from a
-          #     certificate request into the signed certificate. Otherwise, the requested
-          #     {::Google::Cloud::Security::PrivateCA::V1::SubjectAltNames SubjectAltNames} will be discarded.
+          #     Required. If this is true, the
+          #     {::Google::Cloud::Security::PrivateCA::V1::SubjectAltNames SubjectAltNames}
+          #     extension may be copied from a certificate request into the signed
+          #     certificate. Otherwise, the requested
+          #     {::Google::Cloud::Security::PrivateCA::V1::SubjectAltNames SubjectAltNames} will
+          #     be discarded.
           class CertificateIdentityConstraints
             include ::Google::Protobuf::MessageExts
             extend ::Google::Protobuf::MessageExts::ClassMethods
@@ -1075,111 +1325,147 @@ module Google
           # @!attribute [rw] known_extensions
           #   @return [::Array<::Google::Cloud::Security::PrivateCA::V1::CertificateExtensionConstraints::KnownCertificateExtension>]
           #     Optional. A set of named X.509 extensions. Will be combined with
-          #     {::Google::Cloud::Security::PrivateCA::V1::CertificateExtensionConstraints#additional_extensions additional_extensions} to determine the full set of X.509 extensions.
+          #     {::Google::Cloud::Security::PrivateCA::V1::CertificateExtensionConstraints#additional_extensions additional_extensions}
+          #     to determine the full set of X.509 extensions.
           # @!attribute [rw] additional_extensions
           #   @return [::Array<::Google::Cloud::Security::PrivateCA::V1::ObjectId>]
-          #     Optional. A set of {::Google::Cloud::Security::PrivateCA::V1::ObjectId ObjectIds} identifying custom X.509 extensions.
-          #     Will be combined with {::Google::Cloud::Security::PrivateCA::V1::CertificateExtensionConstraints#known_extensions known_extensions} to determine the full set of
-          #     X.509 extensions.
+          #     Optional. A set of {::Google::Cloud::Security::PrivateCA::V1::ObjectId ObjectIds}
+          #     identifying custom X.509 extensions. Will be combined with
+          #     {::Google::Cloud::Security::PrivateCA::V1::CertificateExtensionConstraints#known_extensions known_extensions}
+          #     to determine the full set of X.509 extensions.
           class CertificateExtensionConstraints
             include ::Google::Protobuf::MessageExts
             extend ::Google::Protobuf::MessageExts::ClassMethods
 
-            # Describes well-known X.509 extensions that can appear in a {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate},
-            # not including the {::Google::Cloud::Security::PrivateCA::V1::SubjectAltNames SubjectAltNames} extension.
+            # Describes well-known X.509 extensions that can appear in a
+            # {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate}, not
+            # including the
+            # {::Google::Cloud::Security::PrivateCA::V1::SubjectAltNames SubjectAltNames}
+            # extension.
             module KnownCertificateExtension
               # Not specified.
               KNOWN_CERTIFICATE_EXTENSION_UNSPECIFIED = 0
 
               # Refers to a certificate's Key Usage extension, as described in [RFC 5280
               # section 4.2.1.3](https://tools.ietf.org/html/rfc5280#section-4.2.1.3).
-              # This corresponds to the {::Google::Cloud::Security::PrivateCA::V1::KeyUsage#base_key_usage KeyUsage.base_key_usage} field.
+              # This corresponds to the
+              # {::Google::Cloud::Security::PrivateCA::V1::KeyUsage#base_key_usage KeyUsage.base_key_usage}
+              # field.
               BASE_KEY_USAGE = 1
 
               # Refers to a certificate's Extended Key Usage extension, as described in
               # [RFC 5280
               # section 4.2.1.12](https://tools.ietf.org/html/rfc5280#section-4.2.1.12).
-              # This corresponds to the {::Google::Cloud::Security::PrivateCA::V1::KeyUsage#extended_key_usage KeyUsage.extended_key_usage} message.
+              # This corresponds to the
+              # {::Google::Cloud::Security::PrivateCA::V1::KeyUsage#extended_key_usage KeyUsage.extended_key_usage}
+              # message.
               EXTENDED_KEY_USAGE = 2
 
               # Refers to a certificate's Basic Constraints extension, as described in
               # [RFC 5280
               # section 4.2.1.9](https://tools.ietf.org/html/rfc5280#section-4.2.1.9).
-              # This corresponds to the {::Google::Cloud::Security::PrivateCA::V1::X509Parameters#ca_options X509Parameters.ca_options} field.
+              # This corresponds to the
+              # {::Google::Cloud::Security::PrivateCA::V1::X509Parameters#ca_options X509Parameters.ca_options}
+              # field.
               CA_OPTIONS = 3
 
               # Refers to a certificate's Policy object identifiers, as described in
               # [RFC 5280
               # section 4.2.1.4](https://tools.ietf.org/html/rfc5280#section-4.2.1.4).
-              # This corresponds to the {::Google::Cloud::Security::PrivateCA::V1::X509Parameters#policy_ids X509Parameters.policy_ids} field.
+              # This corresponds to the
+              # {::Google::Cloud::Security::PrivateCA::V1::X509Parameters#policy_ids X509Parameters.policy_ids}
+              # field.
               POLICY_IDS = 4
 
               # Refers to OCSP servers in a certificate's Authority Information Access
               # extension, as described in
               # [RFC 5280
               # section 4.2.2.1](https://tools.ietf.org/html/rfc5280#section-4.2.2.1),
-              # This corresponds to the {::Google::Cloud::Security::PrivateCA::V1::X509Parameters#aia_ocsp_servers X509Parameters.aia_ocsp_servers} field.
+              # This corresponds to the
+              # {::Google::Cloud::Security::PrivateCA::V1::X509Parameters#aia_ocsp_servers X509Parameters.aia_ocsp_servers}
+              # field.
               AIA_OCSP_SERVERS = 5
+
+              # Refers to Name Constraints extension as described in
+              # [RFC 5280
+              # section 4.2.1.10](https://tools.ietf.org/html/rfc5280#section-4.2.1.10)
+              NAME_CONSTRAINTS = 6
             end
           end
 
-          # A {::Google::Cloud::Security::PrivateCA::V1::RevocationReason RevocationReason} indicates whether a {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} has been revoked,
-          # and the reason for revocation. These correspond to standard revocation
-          # reasons from RFC 5280. Note that the enum labels and values in this
-          # definition are not the same ASN.1 values defined in RFC 5280. These values
-          # will be translated to the correct ASN.1 values when a CRL is created.
+          # A {::Google::Cloud::Security::PrivateCA::V1::RevocationReason RevocationReason}
+          # indicates whether a
+          # {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} has been
+          # revoked, and the reason for revocation. These correspond to standard
+          # revocation reasons from RFC 5280. Note that the enum labels and values in
+          # this definition are not the same ASN.1 values defined in RFC 5280. These
+          # values will be translated to the correct ASN.1 values when a CRL is created.
           module RevocationReason
-            # Default unspecified value. This value does indicate that a {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate}
-            # has been revoked, but that a reason has not been recorded.
+            # Default unspecified value. This value does indicate that a
+            # {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} has been
+            # revoked, but that a reason has not been recorded.
             REVOCATION_REASON_UNSPECIFIED = 0
 
-            # Key material for this {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} may have leaked.
+            # Key material for this
+            # {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} may have
+            # leaked.
             KEY_COMPROMISE = 1
 
             # The key material for a certificate authority in the issuing path may have
             # leaked.
             CERTIFICATE_AUTHORITY_COMPROMISE = 2
 
-            # The subject or other attributes in this {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} have changed.
+            # The subject or other attributes in this
+            # {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} have changed.
             AFFILIATION_CHANGED = 3
 
-            # This {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} has been superseded.
+            # This {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} has been
+            # superseded.
             SUPERSEDED = 4
 
-            # This {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} or entities in the issuing path have ceased to
-            # operate.
+            # This {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} or
+            # entities in the issuing path have ceased to operate.
             CESSATION_OF_OPERATION = 5
 
-            # This {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} should not be considered valid, it is expected that it
-            # may become valid in the future.
+            # This {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} should
+            # not be considered valid, it is expected that it may become valid in the
+            # future.
             CERTIFICATE_HOLD = 6
 
-            # This {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} no longer has permission to assert the listed
-            # attributes.
+            # This {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} no
+            # longer has permission to assert the listed attributes.
             PRIVILEGE_WITHDRAWN = 7
 
-            # The authority which determines appropriate attributes for a {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate}
-            # may have been compromised.
+            # The authority which determines appropriate attributes for a
+            # {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} may have been
+            # compromised.
             ATTRIBUTE_AUTHORITY_COMPROMISE = 8
           end
 
-          # Describes the way in which a {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate}'s {::Google::Cloud::Security::PrivateCA::V1::Subject Subject} and/or
-          # {::Google::Cloud::Security::PrivateCA::V1::SubjectAltNames SubjectAltNames} will be resolved.
+          # Describes the way in which a
+          # {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate}'s
+          # {::Google::Cloud::Security::PrivateCA::V1::Subject Subject} and/or
+          # {::Google::Cloud::Security::PrivateCA::V1::SubjectAltNames SubjectAltNames} will be
+          # resolved.
           module SubjectRequestMode
             # Not specified.
             SUBJECT_REQUEST_MODE_UNSPECIFIED = 0
 
             # The default mode used in most cases. Indicates that the certificate's
-            # {::Google::Cloud::Security::PrivateCA::V1::Subject Subject} and/or {::Google::Cloud::Security::PrivateCA::V1::SubjectAltNames SubjectAltNames} are specified in the certificate
-            # request. This mode requires the caller to have the
-            # `privateca.certificates.create` permission.
+            # {::Google::Cloud::Security::PrivateCA::V1::Subject Subject} and/or
+            # {::Google::Cloud::Security::PrivateCA::V1::SubjectAltNames SubjectAltNames} are
+            # specified in the certificate request. This mode requires the caller to have
+            # the `privateca.certificates.create` permission.
             DEFAULT = 1
 
             # A mode reserved for special cases. Indicates that the certificate should
-            # have one or more SPIFFE {::Google::Cloud::Security::PrivateCA::V1::SubjectAltNames SubjectAltNames} set by the service based
-            # on the caller's identity. This mode will ignore any explicitly specified
-            # {::Google::Cloud::Security::PrivateCA::V1::Subject Subject} and/or {::Google::Cloud::Security::PrivateCA::V1::SubjectAltNames SubjectAltNames} in the certificate request.
-            # This mode requires the caller to have the
+            # have one or more SPIFFE
+            # {::Google::Cloud::Security::PrivateCA::V1::SubjectAltNames SubjectAltNames} set
+            # by the service based on the caller's identity. This mode will ignore any
+            # explicitly specified {::Google::Cloud::Security::PrivateCA::V1::Subject Subject}
+            # and/or
+            # {::Google::Cloud::Security::PrivateCA::V1::SubjectAltNames SubjectAltNames} in
+            # the certificate request. This mode requires the caller to have the
             # `privateca.certificates.createForSelf` permission.
             REFLECTED_SPIFFE = 2
           end