CertificateAuthority(mapping=None, *, ignore_unknown_fields=False, **kwargs)A CertificateAuthority represents an individual Certificate Authority. A CertificateAuthority can be used to create Certificates.
Attributes | |
|---|---|
| Name | Description |
name |
str
Output only. The resource name for this CertificateAuthority in the format projects/*/locations/*/caPools/*/certificateAuthorities/*.
|
type_ |
google.cloud.security.privateca_v1.types.CertificateAuthority.Type
Required. Immutable. The Type of this CertificateAuthority. |
config |
google.cloud.security.privateca_v1.types.CertificateConfig
Required. Immutable. The config used to create a self-signed X.509 certificate or CSR. |
lifetime |
google.protobuf.duration_pb2.Duration
Required. Immutable. The desired lifetime of the CA certificate. Used to create the "not_before_time" and "not_after_time" fields inside an X.509 certificate. |
key_spec |
google.cloud.security.privateca_v1.types.CertificateAuthority.KeyVersionSpec
Required. Immutable. Used when issuing certificates for this CertificateAuthority. If this CertificateAuthority is a self-signed CertificateAuthority, this key is also used to sign the self-signed CA certificate. Otherwise, it is used to sign a CSR. |
subordinate_config |
google.cloud.security.privateca_v1.types.SubordinateConfig
Optional. If this is a subordinate CertificateAuthority, this field will be set with the subordinate configuration, which describes its issuers. This may be updated, but this CertificateAuthority must continue to validate. |
tier |
google.cloud.security.privateca_v1.types.CaPool.Tier
Output only. The CaPool.Tier of the CaPool that includes this CertificateAuthority. |
state |
google.cloud.security.privateca_v1.types.CertificateAuthority.State
Output only. The State for this CertificateAuthority. |
pem_ca_certificates |
MutableSequence[str]
Output only. This CertificateAuthority's certificate chain, including the current CertificateAuthority's certificate. Ordered such that the root issuer is the final element (consistent with RFC 5246). For a self-signed CA, this will only list the current CertificateAuthority's certificate. |
ca_certificate_descriptions |
MutableSequence[google.cloud.security.privateca_v1.types.CertificateDescription]
Output only. A structured description of this CertificateAuthority's CA certificate and its issuers. Ordered as self-to-root. |
gcs_bucket |
str
Immutable. The name of a Cloud Storage bucket where this CertificateAuthority will publish content, such as the CA certificate and CRLs. This must be a bucket name, without any prefixes (such as gs://) or suffixes (such as .googleapis.com). For
example, to use a bucket named my-bucket, you would
simply specify my-bucket. If not specified, a managed
bucket will be created.
|
access_urls |
google.cloud.security.privateca_v1.types.CertificateAuthority.AccessUrls
Output only. URLs for accessing content published by this CA, such as the CA certificate and CRLs. |
create_time |
google.protobuf.timestamp_pb2.Timestamp
Output only. The time at which this CertificateAuthority was created. |
update_time |
google.protobuf.timestamp_pb2.Timestamp
Output only. The time at which this CertificateAuthority was last updated. |
delete_time |
google.protobuf.timestamp_pb2.Timestamp
Output only. The time at which this CertificateAuthority was soft deleted, if it is in the DELETED state. |
expire_time |
google.protobuf.timestamp_pb2.Timestamp
Output only. The time at which this CertificateAuthority will be permanently purged, if it is in the DELETED state. |
labels |
MutableMapping[str, str]
Optional. Labels with user-defined metadata. |
Classes
AccessUrls
AccessUrls(mapping=None, *, ignore_unknown_fields=False, **kwargs)URLs where a CertificateAuthority will publish content.
KeyVersionSpec
KeyVersionSpec(mapping=None, *, ignore_unknown_fields=False, **kwargs)A Cloud KMS key configuration that a CertificateAuthority will use.
This message has oneof_ fields (mutually exclusive fields).
For each oneof, at most one member field can be set at the same time.
Setting any member of the oneof automatically clears all other
members.
.. _oneof: https://proto-plus-python.readthedocs.io/en/stable/fields.html#oneofs-mutually-exclusive-fields
LabelsEntry
LabelsEntry(mapping=None, *, ignore_unknown_fields=False, **kwargs)The abstract base class for a message.
| Parameters | |
|---|---|
| Name | Description |
kwargs |
dict
Keys and values corresponding to the fields of the message. |
mapping |
Union[dict,
A dictionary or message to be used to determine the values for this message. |
ignore_unknown_fields |
Optional(bool)
If True, do not raise errors for unknown fields. Only applied if |
SignHashAlgorithm
SignHashAlgorithm(value)The algorithm of a Cloud KMS CryptoKeyVersion of a
CryptoKey with the
CryptoKeyPurpose
value ASYMMETRIC_SIGN. These values correspond to the
CryptoKeyVersionAlgorithm
values. For RSA signing algorithms, the PSS algorithms should be
preferred, use PKCS1 algorithms if required for compatibility. For
further recommendations, see
https://cloud.google.com/kms/docs/algorithms#algorithm_recommendations.
Values: SIGN_HASH_ALGORITHM_UNSPECIFIED (0): Not specified. RSA_PSS_2048_SHA256 (1): maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PSS_2048_SHA256 RSA_PSS_3072_SHA256 (2): maps to CryptoKeyVersionAlgorithm. RSA_SIGN_PSS_3072_SHA256 RSA_PSS_4096_SHA256 (3): maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PSS_4096_SHA256 RSA_PKCS1_2048_SHA256 (6): maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_2048_SHA256 RSA_PKCS1_3072_SHA256 (7): maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_3072_SHA256 RSA_PKCS1_4096_SHA256 (8): maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_4096_SHA256 EC_P256_SHA256 (4): maps to CryptoKeyVersionAlgorithm.EC_SIGN_P256_SHA256 EC_P384_SHA384 (5): maps to CryptoKeyVersionAlgorithm.EC_SIGN_P384_SHA384
State
State(value)The state of a CertificateAuthority, indicating if it can be used.
Values: STATE_UNSPECIFIED (0): Not specified. ENABLED (1): Certificates can be issued from this CA. CRLs will be generated for this CA. The CA will be part of the CaPool's trust anchor, and will be used to issue certificates from the CaPool. DISABLED (2): Certificates cannot be issued from this CA. CRLs will still be generated. The CA will be part of the CaPool's trust anchor, but will not be used to issue certificates from the CaPool. STAGED (3): Certificates can be issued from this CA. CRLs will be generated for this CA. The CA will be part of the CaPool's trust anchor, but will not be used to issue certificates from the CaPool. AWAITING_USER_ACTIVATION (4): Certificates cannot be issued from this CA. CRLs will not be generated. The CA will not be part of the CaPool's trust anchor, and will not be used to issue certificates from the CaPool. DELETED (5): Certificates cannot be issued from this CA. CRLs will not be generated. The CA may still be recovered by calling CertificateAuthorityService.UndeleteCertificateAuthority before expire_time. The CA will not be part of the CaPool's trust anchor, and will not be used to issue certificates from the CaPool.
Type
Type(value)The type of a CertificateAuthority, indicating its issuing chain.
Values: TYPE_UNSPECIFIED (0): Not specified. SELF_SIGNED (1): Self-signed CA. SUBORDINATE (2): Subordinate CA. Could be issued by a Private CA CertificateAuthority or an unmanaged CA.