Docs Home
Google Cloud v8.14.0 published on Wednesday, Jan 15, 2025 by Pulumi
gcp.certificateauthority.Certificate
Explore with Pulumi AI
- Example Usage
- Privateca Certificate Generated Key
- Privateca Certificate With Template
- Privateca Certificate Csr
- Privateca Certificate No Authority
- Privateca Certificate Custom Ski
- Create Certificate Resource
- Constructor syntax
- Constructor example
- Certificate Resource Properties
- Inputs
- Outputs
- Look up Existing Certificate Resource
- Supporting Types
- Import
- Package Details
A Certificate corresponds to a signed X.509 certificate issued by a Certificate.
Note: The Certificate Authority that is referenced by this resource must be
tier = "ENTERPRISE"
Example Usage
Privateca Certificate Generated Key
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
import * as std from "@pulumi/std";
import * as tls from "@pulumi/tls";
const _default = new gcp.certificateauthority.CaPool("default", {
location: "us-central1",
name: "default",
tier: "ENTERPRISE",
});
const defaultAuthority = new gcp.certificateauthority.Authority("default", {
location: "us-central1",
pool: _default.name,
certificateAuthorityId: "my-authority",
config: {
subjectConfig: {
subject: {
organization: "HashiCorp",
commonName: "my-certificate-authority",
},
subjectAltName: {
dnsNames: ["hashicorp.com"],
},
},
x509Config: {
caOptions: {
isCa: true,
},
keyUsage: {
baseKeyUsage: {
certSign: true,
crlSign: true,
},
extendedKeyUsage: {
serverAuth: true,
},
},
},
},
keySpec: {
algorithm: "RSA_PKCS1_4096_SHA256",
},
deletionProtection: false,
skipGracePeriod: true,
ignoreActiveCertificatesOnDeletion: true,
});
const certKey = new tls.PrivateKey("cert_key", {algorithm: "RSA"});
const defaultCertificate = new gcp.certificateauthority.Certificate("default", {
location: "us-central1",
pool: _default.name,
certificateAuthority: defaultAuthority.certificateAuthorityId,
lifetime: "86000s",
name: "cert-1",
config: {
subjectConfig: {
subject: {
commonName: "san1.example.com",
countryCode: "us",
organization: "google",
organizationalUnit: "enterprise",
locality: "mountain view",
province: "california",
streetAddress: "1600 amphitheatre parkway",
},
subjectAltName: {
emailAddresses: ["email@example.com"],
ipAddresses: ["127.0.0.1"],
uris: ["http://www.ietf.org/rfc/rfc3986.txt"],
},
},
x509Config: {
caOptions: {
isCa: true,
},
keyUsage: {
baseKeyUsage: {
certSign: true,
crlSign: true,
},
extendedKeyUsage: {
serverAuth: false,
},
},
nameConstraints: {
critical: true,
permittedDnsNames: ["*.example.com"],
excludedDnsNames: ["*.deny.example.com"],
permittedIpRanges: ["10.0.0.0/8"],
excludedIpRanges: ["10.1.1.0/24"],
permittedEmailAddresses: [".example.com"],
excludedEmailAddresses: [".deny.example.com"],
permittedUris: [".example.com"],
excludedUris: [".deny.example.com"],
},
},
publicKey: {
format: "PEM",
key: std.base64encodeOutput({
input: certKey.publicKeyPem,
}).apply(invoke => invoke.result),
},
},
});
import pulumi
import pulumi_gcp as gcp
import pulumi_std as std
import pulumi_tls as tls
default = gcp.certificateauthority.CaPool("default",
location="us-central1",
name="default",
tier="ENTERPRISE")
default_authority = gcp.certificateauthority.Authority("default",
location="us-central1",
pool=default.name,
certificate_authority_id="my-authority",
config={
"subject_config": {
"subject": {
"organization": "HashiCorp",
"common_name": "my-certificate-authority",
},
"subject_alt_name": {
"dns_names": ["hashicorp.com"],
},
},
"x509_config": {
"ca_options": {
"is_ca": True,
},
"key_usage": {
"base_key_usage": {
"cert_sign": True,
"crl_sign": True,
},
"extended_key_usage": {
"server_auth": True,
},
},
},
},
key_spec={
"algorithm": "RSA_PKCS1_4096_SHA256",
},
deletion_protection=False,
skip_grace_period=True,
ignore_active_certificates_on_deletion=True)
cert_key = tls.PrivateKey("cert_key", algorithm="RSA")
default_certificate = gcp.certificateauthority.Certificate("default",
location="us-central1",
pool=default.name,
certificate_authority=default_authority.certificate_authority_id,
lifetime="86000s",
name="cert-1",
config={
"subject_config": {
"subject": {
"common_name": "san1.example.com",
"country_code": "us",
"organization": "google",
"organizational_unit": "enterprise",
"locality": "mountain view",
"province": "california",
"street_address": "1600 amphitheatre parkway",
},
"subject_alt_name": {
"email_addresses": ["email@example.com"],
"ip_addresses": ["127.0.0.1"],
"uris": ["http://www.ietf.org/rfc/rfc3986.txt"],
},
},
"x509_config": {
"ca_options": {
"is_ca": True,
},
"key_usage": {
"base_key_usage": {
"cert_sign": True,
"crl_sign": True,
},
"extended_key_usage": {
"server_auth": False,
},
},
"name_constraints": {
"critical": True,
"permitted_dns_names": ["*.example.com"],
"excluded_dns_names": ["*.deny.example.com"],
"permitted_ip_ranges": ["10.0.0.0/8"],
"excluded_ip_ranges": ["10.1.1.0/24"],
"permitted_email_addresses": [".example.com"],
"excluded_email_addresses": [".deny.example.com"],
"permitted_uris": [".example.com"],
"excluded_uris": [".deny.example.com"],
},
},
"public_key": {
"format": "PEM",
"key": std.base64encode_output(input=cert_key.public_key_pem).apply(lambda invoke: invoke.result),
},
})
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/certificateauthority"
"github.com/pulumi/pulumi-std/sdk/go/std"
"github.com/pulumi/pulumi-tls/sdk/v5/go/tls"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := certificateauthority.NewCaPool(ctx, "default", &certificateauthority.CaPoolArgs{
Location: pulumi.String("us-central1"),
Name: pulumi.String("default"),
Tier: pulumi.String("ENTERPRISE"),
})
if err != nil {
return err
}
defaultAuthority, err := certificateauthority.NewAuthority(ctx, "default", &certificateauthority.AuthorityArgs{
Location: pulumi.String("us-central1"),
Pool: _default.Name,
CertificateAuthorityId: pulumi.String("my-authority"),
Config: &certificateauthority.AuthorityConfigArgs{
SubjectConfig: &certificateauthority.AuthorityConfigSubjectConfigArgs{
Subject: &certificateauthority.AuthorityConfigSubjectConfigSubjectArgs{
Organization: pulumi.String("HashiCorp"),
CommonName: pulumi.String("my-certificate-authority"),
},
SubjectAltName: &certificateauthority.AuthorityConfigSubjectConfigSubjectAltNameArgs{
DnsNames: pulumi.StringArray{
pulumi.String("hashicorp.com"),
},
},
},
X509Config: &certificateauthority.AuthorityConfigX509ConfigArgs{
CaOptions: &certificateauthority.AuthorityConfigX509ConfigCaOptionsArgs{
IsCa: pulumi.Bool(true),
},
KeyUsage: &certificateauthority.AuthorityConfigX509ConfigKeyUsageArgs{
BaseKeyUsage: &certificateauthority.AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs{
CertSign: pulumi.Bool(true),
CrlSign: pulumi.Bool(true),
},
ExtendedKeyUsage: &certificateauthority.AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs{
ServerAuth: pulumi.Bool(true),
},
},
},
},
KeySpec: &certificateauthority.AuthorityKeySpecArgs{
Algorithm: pulumi.String("RSA_PKCS1_4096_SHA256"),
},
DeletionProtection: pulumi.Bool(false),
SkipGracePeriod: pulumi.Bool(true),
IgnoreActiveCertificatesOnDeletion: pulumi.Bool(true),
})
if err != nil {
return err
}
certKey, err := tls.NewPrivateKey(ctx, "cert_key", &tls.PrivateKeyArgs{
Algorithm: pulumi.String("RSA"),
})
if err != nil {
return err
}
_, err = certificateauthority.NewCertificate(ctx, "default", &certificateauthority.CertificateArgs{
Location: pulumi.String("us-central1"),
Pool: _default.Name,
CertificateAuthority: defaultAuthority.CertificateAuthorityId,
Lifetime: pulumi.String("86000s"),
Name: pulumi.String("cert-1"),
Config: &certificateauthority.CertificateConfigArgs{
SubjectConfig: &certificateauthority.CertificateConfigSubjectConfigArgs{
Subject: &certificateauthority.CertificateConfigSubjectConfigSubjectArgs{
CommonName: pulumi.String("san1.example.com"),
CountryCode: pulumi.String("us"),
Organization: pulumi.String("google"),
OrganizationalUnit: pulumi.String("enterprise"),
Locality: pulumi.String("mountain view"),
Province: pulumi.String("california"),
StreetAddress: pulumi.String("1600 amphitheatre parkway"),
},
SubjectAltName: &certificateauthority.CertificateConfigSubjectConfigSubjectAltNameArgs{
EmailAddresses: pulumi.StringArray{
pulumi.String("email@example.com"),
},
IpAddresses: pulumi.StringArray{
pulumi.String("127.0.0.1"),
},
Uris: pulumi.StringArray{
pulumi.String("http://www.ietf.org/rfc/rfc3986.txt"),
},
},
},
X509Config: &certificateauthority.CertificateConfigX509ConfigArgs{
CaOptions: &certificateauthority.CertificateConfigX509ConfigCaOptionsArgs{
IsCa: pulumi.Bool(true),
},
KeyUsage: &certificateauthority.CertificateConfigX509ConfigKeyUsageArgs{
BaseKeyUsage: &certificateauthority.CertificateConfigX509ConfigKeyUsageBaseKeyUsageArgs{
CertSign: pulumi.Bool(true),
CrlSign: pulumi.Bool(true),
},
ExtendedKeyUsage: &certificateauthority.CertificateConfigX509ConfigKeyUsageExtendedKeyUsageArgs{
ServerAuth: pulumi.Bool(false),
},
},
NameConstraints: &certificateauthority.CertificateConfigX509ConfigNameConstraintsArgs{
Critical: pulumi.Bool(true),
PermittedDnsNames: pulumi.StringArray{
pulumi.String("*.example.com"),
},
ExcludedDnsNames: pulumi.StringArray{
pulumi.String("*.deny.example.com"),
},
PermittedIpRanges: pulumi.StringArray{
pulumi.String("10.0.0.0/8"),
},
ExcludedIpRanges: pulumi.StringArray{
pulumi.String("10.1.1.0/24"),
},
PermittedEmailAddresses: pulumi.StringArray{
pulumi.String(".example.com"),
},
ExcludedEmailAddresses: pulumi.StringArray{
pulumi.String(".deny.example.com"),
},
PermittedUris: pulumi.StringArray{
pulumi.String(".example.com"),
},
ExcludedUris: pulumi.StringArray{
pulumi.String(".deny.example.com"),
},
},
},
PublicKey: &certificateauthority.CertificateConfigPublicKeyArgs{
Format: pulumi.String("PEM"),
Key: std.Base64encodeOutput(ctx, std.Base64encodeOutputArgs{
Input: certKey.PublicKeyPem,
}, nil).ApplyT(func(invoke std.Base64encodeResult) (*string, error) {
return invoke.Result, nil
}).(pulumi.StringPtrOutput),
},
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
using Std = Pulumi.Std;
using Tls = Pulumi.Tls;
return await Deployment.RunAsync(() =>
{
var @default = new Gcp.CertificateAuthority.CaPool("default", new()
{
Location = "us-central1",
Name = "default",
Tier = "ENTERPRISE",
});
var defaultAuthority = new Gcp.CertificateAuthority.Authority("default", new()
{
Location = "us-central1",
Pool = @default.Name,
CertificateAuthorityId = "my-authority",
Config = new Gcp.CertificateAuthority.Inputs.AuthorityConfigArgs
{
SubjectConfig = new Gcp.CertificateAuthority.Inputs.AuthorityConfigSubjectConfigArgs
{
Subject = new Gcp.CertificateAuthority.Inputs.AuthorityConfigSubjectConfigSubjectArgs
{
Organization = "HashiCorp",
CommonName = "my-certificate-authority",
},
SubjectAltName = new Gcp.CertificateAuthority.Inputs.AuthorityConfigSubjectConfigSubjectAltNameArgs
{
DnsNames = new[]
{
"hashicorp.com",
},
},
},
X509Config = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigArgs
{
CaOptions = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigCaOptionsArgs
{
IsCa = true,
},
KeyUsage = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigKeyUsageArgs
{
BaseKeyUsage = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs
{
CertSign = true,
CrlSign = true,
},
ExtendedKeyUsage = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs
{
ServerAuth = true,
},
},
},
},
KeySpec = new Gcp.CertificateAuthority.Inputs.AuthorityKeySpecArgs
{
Algorithm = "RSA_PKCS1_4096_SHA256",
},
DeletionProtection = false,
SkipGracePeriod = true,
IgnoreActiveCertificatesOnDeletion = true,
});
var certKey = new Tls.PrivateKey("cert_key", new()
{
Algorithm = "RSA",
});
var defaultCertificate = new Gcp.CertificateAuthority.Certificate("default", new()
{
Location = "us-central1",
Pool = @default.Name,
CertificateAuthority = defaultAuthority.CertificateAuthorityId,
Lifetime = "86000s",
Name = "cert-1",
Config = new Gcp.CertificateAuthority.Inputs.CertificateConfigArgs
{
SubjectConfig = new Gcp.CertificateAuthority.Inputs.CertificateConfigSubjectConfigArgs
{
Subject = new Gcp.CertificateAuthority.Inputs.CertificateConfigSubjectConfigSubjectArgs
{
CommonName = "san1.example.com",
CountryCode = "us",
Organization = "google",
OrganizationalUnit = "enterprise",
Locality = "mountain view",
Province = "california",
StreetAddress = "1600 amphitheatre parkway",
},
SubjectAltName = new Gcp.CertificateAuthority.Inputs.CertificateConfigSubjectConfigSubjectAltNameArgs
{
EmailAddresses = new[]
{
"email@example.com",
},
IpAddresses = new[]
{
"127.0.0.1",
},
Uris = new[]
{
"http://www.ietf.org/rfc/rfc3986.txt",
},
},
},
X509Config = new Gcp.CertificateAuthority.Inputs.CertificateConfigX509ConfigArgs
{
CaOptions = new Gcp.CertificateAuthority.Inputs.CertificateConfigX509ConfigCaOptionsArgs
{
IsCa = true,
},
KeyUsage = new Gcp.CertificateAuthority.Inputs.CertificateConfigX509ConfigKeyUsageArgs
{
BaseKeyUsage = new Gcp.CertificateAuthority.Inputs.CertificateConfigX509ConfigKeyUsageBaseKeyUsageArgs
{
CertSign = true,
CrlSign = true,
},
ExtendedKeyUsage = new Gcp.CertificateAuthority.Inputs.CertificateConfigX509ConfigKeyUsageExtendedKeyUsageArgs
{
ServerAuth = false,
},
},
NameConstraints = new Gcp.CertificateAuthority.Inputs.CertificateConfigX509ConfigNameConstraintsArgs
{
Critical = true,
PermittedDnsNames = new[]
{
"*.example.com",
},
ExcludedDnsNames = new[]
{
"*.deny.example.com",
},
PermittedIpRanges = new[]
{
"10.0.0.0/8",
},
ExcludedIpRanges = new[]
{
"10.1.1.0/24",
},
PermittedEmailAddresses = new[]
{
".example.com",
},
ExcludedEmailAddresses = new[]
{
".deny.example.com",
},
PermittedUris = new[]
{
".example.com",
},
ExcludedUris = new[]
{
".deny.example.com",
},
},
},
PublicKey = new Gcp.CertificateAuthority.Inputs.CertificateConfigPublicKeyArgs
{
Format = "PEM",
Key = Std.Base64encode.Invoke(new()
{
Input = certKey.PublicKeyPem,
}).Apply(invoke => invoke.Result),
},
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.certificateauthority.CaPool;
import com.pulumi.gcp.certificateauthority.CaPoolArgs;
import com.pulumi.gcp.certificateauthority.Authority;
import com.pulumi.gcp.certificateauthority.AuthorityArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigSubjectConfigArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigSubjectConfigSubjectArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigSubjectConfigSubjectAltNameArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigCaOptionsArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigKeyUsageArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityKeySpecArgs;
import com.pulumi.tls.PrivateKey;
import com.pulumi.tls.PrivateKeyArgs;
import com.pulumi.gcp.certificateauthority.Certificate;
import com.pulumi.gcp.certificateauthority.CertificateArgs;
import com.pulumi.gcp.certificateauthority.inputs.CertificateConfigArgs;
import com.pulumi.gcp.certificateauthority.inputs.CertificateConfigSubjectConfigArgs;
import com.pulumi.gcp.certificateauthority.inputs.CertificateConfigSubjectConfigSubjectArgs;
import com.pulumi.gcp.certificateauthority.inputs.CertificateConfigSubjectConfigSubjectAltNameArgs;
import com.pulumi.gcp.certificateauthority.inputs.CertificateConfigX509ConfigArgs;
import com.pulumi.gcp.certificateauthority.inputs.CertificateConfigX509ConfigCaOptionsArgs;
import com.pulumi.gcp.certificateauthority.inputs.CertificateConfigX509ConfigKeyUsageArgs;
import com.pulumi.gcp.certificateauthority.inputs.CertificateConfigX509ConfigKeyUsageBaseKeyUsageArgs;
import com.pulumi.gcp.certificateauthority.inputs.CertificateConfigX509ConfigKeyUsageExtendedKeyUsageArgs;
import com.pulumi.gcp.certificateauthority.inputs.CertificateConfigX509ConfigNameConstraintsArgs;
import com.pulumi.gcp.certificateauthority.inputs.CertificateConfigPublicKeyArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var default_ = new CaPool("default", CaPoolArgs.builder()
.location("us-central1")
.name("default")
.tier("ENTERPRISE")
.build());
var defaultAuthority = new Authority("defaultAuthority", AuthorityArgs.builder()
.location("us-central1")
.pool(default_.name())
.certificateAuthorityId("my-authority")
.config(AuthorityConfigArgs.builder()
.subjectConfig(AuthorityConfigSubjectConfigArgs.builder()
.subject(AuthorityConfigSubjectConfigSubjectArgs.builder()
.organization("HashiCorp")
.commonName("my-certificate-authority")
.build())
.subjectAltName(AuthorityConfigSubjectConfigSubjectAltNameArgs.builder()
.dnsNames("hashicorp.com")
.build())
.build())
.x509Config(AuthorityConfigX509ConfigArgs.builder()
.caOptions(AuthorityConfigX509ConfigCaOptionsArgs.builder()
.isCa(true)
.build())
.keyUsage(AuthorityConfigX509ConfigKeyUsageArgs.builder()
.baseKeyUsage(AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs.builder()
.certSign(true)
.crlSign(true)
.build())
.extendedKeyUsage(AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs.builder()
.serverAuth(true)
.build())
.build())
.build())
.build())
.keySpec(AuthorityKeySpecArgs.builder()
.algorithm("RSA_PKCS1_4096_SHA256")
.build())
.deletionProtection(false)
.skipGracePeriod(true)
.ignoreActiveCertificatesOnDeletion(true)
.build());
var certKey = new PrivateKey("certKey", PrivateKeyArgs.builder()
.algorithm("RSA")
.build());
var defaultCertificate = new Certificate("defaultCertificate", CertificateArgs.builder()
.location("us-central1")
.pool(default_.name())
.certificateAuthority(defaultAuthority.certificateAuthorityId())
.lifetime("86000s")
.name("cert-1")
.config(CertificateConfigArgs.builder()
.subjectConfig(CertificateConfigSubjectConfigArgs.builder()
.subject(CertificateConfigSubjectConfigSubjectArgs.builder()
.commonName("san1.example.com")
.countryCode("us")
.organization("google")
.organizationalUnit("enterprise")
.locality("mountain view")
.province("california")
.streetAddress("1600 amphitheatre parkway")
.build())
.subjectAltName(CertificateConfigSubjectConfigSubjectAltNameArgs.builder()
.emailAddresses("email@example.com")
.ipAddresses("127.0.0.1")
.uris("http://www.ietf.org/rfc/rfc3986.txt")
.build())
.build())
.x509Config(CertificateConfigX509ConfigArgs.builder()
.caOptions(CertificateConfigX509ConfigCaOptionsArgs.builder()
.isCa(true)
.build())
.keyUsage(CertificateConfigX509ConfigKeyUsageArgs.builder()
.baseKeyUsage(CertificateConfigX509ConfigKeyUsageBaseKeyUsageArgs.builder()
.certSign(true)
.crlSign(true)
.build())
.extendedKeyUsage(CertificateConfigX509ConfigKeyUsageExtendedKeyUsageArgs.builder()
.serverAuth(false)
.build())
.build())
.nameConstraints(CertificateConfigX509ConfigNameConstraintsArgs.builder()
.critical(true)
.permittedDnsNames("*.example.com")
.excludedDnsNames("*.deny.example.com")
.permittedIpRanges("10.0.0.0/8")
.excludedIpRanges("10.1.1.0/24")
.permittedEmailAddresses(".example.com")
.excludedEmailAddresses(".deny.example.com")
.permittedUris(".example.com")
.excludedUris(".deny.example.com")
.build())
.build())
.publicKey(CertificateConfigPublicKeyArgs.builder()
.format("PEM")
.key(StdFunctions.base64encode().applyValue(invoke -> invoke.result()))
.build())
.build())
.build());
}
}
resources:
default:
type: gcp:certificateauthority:CaPool
properties:
location: us-central1
name: default
tier: ENTERPRISE
defaultAuthority:
type: gcp:certificateauthority:Authority
name: default
properties:
location: us-central1
pool: ${default.name}
certificateAuthorityId: my-authority
config:
subjectConfig:
subject:
organization: HashiCorp
commonName: my-certificate-authority
subjectAltName:
dnsNames:
- hashicorp.com
x509Config:
caOptions:
isCa: true
keyUsage:
baseKeyUsage:
certSign: true
crlSign: true
extendedKeyUsage:
serverAuth: true
keySpec:
algorithm: RSA_PKCS1_4096_SHA256
deletionProtection: false
skipGracePeriod: true
ignoreActiveCertificatesOnDeletion: true
certKey:
type: tls:PrivateKey
name: cert_key
properties:
algorithm: RSA
defaultCertificate:
type: gcp:certificateauthority:Certificate
name: default
properties:
location: us-central1
pool: ${default.name}
certificateAuthority: ${defaultAuthority.certificateAuthorityId}
lifetime: 86000s
name: cert-1
config:
subjectConfig:
subject:
commonName: san1.example.com
countryCode: us
organization: google
organizationalUnit: enterprise
locality: mountain view
province: california
streetAddress: 1600 amphitheatre parkway
subjectAltName:
emailAddresses:
- email@example.com
ipAddresses:
- 127.0.0.1
uris:
- http://www.ietf.org/rfc/rfc3986.txt
x509Config:
caOptions:
isCa: true
keyUsage:
baseKeyUsage:
certSign: true
crlSign: true
extendedKeyUsage:
serverAuth: false
nameConstraints:
critical: true
permittedDnsNames:
- '*.example.com'
excludedDnsNames:
- '*.deny.example.com'
permittedIpRanges:
- 10.0.0.0/8
excludedIpRanges:
- 10.1.1.0/24
permittedEmailAddresses:
- .example.com
excludedEmailAddresses:
- .deny.example.com
permittedUris:
- .example.com
excludedUris:
- .deny.example.com
publicKey:
format: PEM
key:
fn::invoke:
function: std:base64encode
arguments:
input: ${certKey.publicKeyPem}
return: result
Privateca Certificate With Template
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
import * as std from "@pulumi/std";
const _default = new gcp.certificateauthority.CaPool("default", {
location: "us-central1",
name: "my-pool",
tier: "ENTERPRISE",
});
const defaultCertificateTemplate = new gcp.certificateauthority.CertificateTemplate("default", {
location: "us-central1",
name: "my-certificate-template",
description: "An updated sample certificate template",
identityConstraints: {
allowSubjectAltNamesPassthrough: true,
allowSubjectPassthrough: true,
celExpression: {
description: "Always true",
expression: "true",
location: "any.file.anywhere",
title: "Sample expression",
},
},
passthroughExtensions: {
additionalExtensions: [{
objectIdPaths: [
1,
6,
],
}],
knownExtensions: ["EXTENDED_KEY_USAGE"],
},
predefinedValues: {
additionalExtensions: [{
objectId: {
objectIdPaths: [
1,
6,
],
},
value: "c3RyaW5nCg==",
critical: true,
}],
aiaOcspServers: ["string"],
caOptions: {
isCa: false,
maxIssuerPathLength: 6,
},
keyUsage: {
baseKeyUsage: {
certSign: false,
contentCommitment: true,
crlSign: false,
dataEncipherment: true,
decipherOnly: true,
digitalSignature: true,
encipherOnly: true,
keyAgreement: true,
keyEncipherment: true,
},
extendedKeyUsage: {
clientAuth: true,
codeSigning: true,
emailProtection: true,
ocspSigning: true,
serverAuth: true,
timeStamping: true,
},
unknownExtendedKeyUsages: [{
objectIdPaths: [
1,
6,
],
}],
},
policyIds: [{
objectIdPaths: [
1,
6,
],
}],
},
});
const defaultAuthority = new gcp.certificateauthority.Authority("default", {
location: "us-central1",
pool: _default.name,
certificateAuthorityId: "my-authority",
config: {
subjectConfig: {
subject: {
organization: "HashiCorp",
commonName: "my-certificate-authority",
},
subjectAltName: {
dnsNames: ["hashicorp.com"],
},
},
x509Config: {
caOptions: {
isCa: true,
},
keyUsage: {
baseKeyUsage: {
certSign: true,
crlSign: true,
},
extendedKeyUsage: {
serverAuth: false,
},
},
},
},
keySpec: {
algorithm: "RSA_PKCS1_4096_SHA256",
},
deletionProtection: false,
skipGracePeriod: true,
ignoreActiveCertificatesOnDeletion: true,
});
const defaultCertificate = new gcp.certificateauthority.Certificate("default", {
location: "us-central1",
pool: _default.name,
certificateAuthority: defaultAuthority.certificateAuthorityId,
name: "my-certificate",
lifetime: "860s",
pemCsr: std.file({
input: "test-fixtures/rsa_csr.pem",
}).then(invoke => invoke.result),
certificateTemplate: defaultCertificateTemplate.id,
});
import pulumi
import pulumi_gcp as gcp
import pulumi_std as std
default = gcp.certificateauthority.CaPool("default",
location="us-central1",
name="my-pool",
tier="ENTERPRISE")
default_certificate_template = gcp.certificateauthority.CertificateTemplate("default",
location="us-central1",
name="my-certificate-template",
description="An updated sample certificate template",
identity_constraints={
"allow_subject_alt_names_passthrough": True,
"allow_subject_passthrough": True,
"cel_expression": {
"description": "Always true",
"expression": "true",
"location": "any.file.anywhere",
"title": "Sample expression",
},
},
passthrough_extensions={
"additional_extensions": [{
"object_id_paths": [
1,
6,
],
}],
"known_extensions": ["EXTENDED_KEY_USAGE"],
},
predefined_values={
"additional_extensions": [{
"object_id": {
"object_id_paths": [
1,
6,
],
},
"value": "c3RyaW5nCg==",
"critical": True,
}],
"aia_ocsp_servers": ["string"],
"ca_options": {
"is_ca": False,
"max_issuer_path_length": 6,
},
"key_usage": {
"base_key_usage": {
"cert_sign": False,
"content_commitment": True,
"crl_sign": False,
"data_encipherment": True,
"decipher_only": True,
"digital_signature": True,
"encipher_only": True,
"key_agreement": True,
"key_encipherment": True,
},
"extended_key_usage": {
"client_auth": True,
"code_signing": True,
"email_protection": True,
"ocsp_signing": True,
"server_auth": True,
"time_stamping": True,
},
"unknown_extended_key_usages": [{
"object_id_paths": [
1,
6,
],
}],
},
"policy_ids": [{
"object_id_paths": [
1,
6,
],
}],
})
default_authority = gcp.certificateauthority.Authority("default",
location="us-central1",
pool=default.name,
certificate_authority_id="my-authority",
config={
"subject_config": {
"subject": {
"organization": "HashiCorp",
"common_name": "my-certificate-authority",
},
"subject_alt_name": {
"dns_names": ["hashicorp.com"],
},
},
"x509_config": {
"ca_options": {
"is_ca": True,
},
"key_usage": {
"base_key_usage": {
"cert_sign": True,
"crl_sign": True,
},
"extended_key_usage": {
"server_auth": False,
},
},
},
},
key_spec={
"algorithm": "RSA_PKCS1_4096_SHA256",
},
deletion_protection=False,
skip_grace_period=True,
ignore_active_certificates_on_deletion=True)
default_certificate = gcp.certificateauthority.Certificate("default",
location="us-central1",
pool=default.name,
certificate_authority=default_authority.certificate_authority_id,
name="my-certificate",
lifetime="860s",
pem_csr=std.file(input="test-fixtures/rsa_csr.pem").result,
certificate_template=default_certificate_template.id)
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/certificateauthority"
"github.com/pulumi/pulumi-std/sdk/go/std"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := certificateauthority.NewCaPool(ctx, "default", &certificateauthority.CaPoolArgs{
Location: pulumi.String("us-central1"),
Name: pulumi.String("my-pool"),
Tier: pulumi.String("ENTERPRISE"),
})
if err != nil {
return err
}
defaultCertificateTemplate, err := certificateauthority.NewCertificateTemplate(ctx, "default", &certificateauthority.CertificateTemplateArgs{
Location: pulumi.String("us-central1"),
Name: pulumi.String("my-certificate-template"),
Description: pulumi.String("An updated sample certificate template"),
IdentityConstraints: &certificateauthority.CertificateTemplateIdentityConstraintsArgs{
AllowSubjectAltNamesPassthrough: pulumi.Bool(true),
AllowSubjectPassthrough: pulumi.Bool(true),
CelExpression: &certificateauthority.CertificateTemplateIdentityConstraintsCelExpressionArgs{
Description: pulumi.String("Always true"),
Expression: pulumi.String("true"),
Location: pulumi.String("any.file.anywhere"),
Title: pulumi.String("Sample expression"),
},
},
PassthroughExtensions: &certificateauthority.CertificateTemplatePassthroughExtensionsArgs{
AdditionalExtensions: certificateauthority.CertificateTemplatePassthroughExtensionsAdditionalExtensionArray{
&certificateauthority.CertificateTemplatePassthroughExtensionsAdditionalExtensionArgs{
ObjectIdPaths: pulumi.IntArray{
pulumi.Int(1),
pulumi.Int(6),
},
},
},
KnownExtensions: pulumi.StringArray{
pulumi.String("EXTENDED_KEY_USAGE"),
},
},
PredefinedValues: &certificateauthority.CertificateTemplatePredefinedValuesArgs{
AdditionalExtensions: certificateauthority.CertificateTemplatePredefinedValuesAdditionalExtensionArray{
&certificateauthority.CertificateTemplatePredefinedValuesAdditionalExtensionArgs{
ObjectId: &certificateauthority.CertificateTemplatePredefinedValuesAdditionalExtensionObjectIdArgs{
ObjectIdPaths: pulumi.IntArray{
pulumi.Int(1),
pulumi.Int(6),
},
},
Value: pulumi.String("c3RyaW5nCg=="),
Critical: pulumi.Bool(true),
},
},
AiaOcspServers: pulumi.StringArray{
pulumi.String("string"),
},
CaOptions: &certificateauthority.CertificateTemplatePredefinedValuesCaOptionsArgs{
IsCa: pulumi.Bool(false),
MaxIssuerPathLength: pulumi.Int(6),
},
KeyUsage: &certificateauthority.CertificateTemplatePredefinedValuesKeyUsageArgs{
BaseKeyUsage: &certificateauthority.CertificateTemplatePredefinedValuesKeyUsageBaseKeyUsageArgs{
CertSign: pulumi.Bool(false),
ContentCommitment: pulumi.Bool(true),
CrlSign: pulumi.Bool(false),
DataEncipherment: pulumi.Bool(true),
DecipherOnly: pulumi.Bool(true),
DigitalSignature: pulumi.Bool(true),
EncipherOnly: pulumi.Bool(true),
KeyAgreement: pulumi.Bool(true),
KeyEncipherment: pulumi.Bool(true),
},
ExtendedKeyUsage: &certificateauthority.CertificateTemplatePredefinedValuesKeyUsageExtendedKeyUsageArgs{
ClientAuth: pulumi.Bool(true),
CodeSigning: pulumi.Bool(true),
EmailProtection: pulumi.Bool(true),
OcspSigning: pulumi.Bool(true),
ServerAuth: pulumi.Bool(true),
TimeStamping: pulumi.Bool(true),
},
UnknownExtendedKeyUsages: certificateauthority.CertificateTemplatePredefinedValuesKeyUsageUnknownExtendedKeyUsageArray{
&certificateauthority.CertificateTemplatePredefinedValuesKeyUsageUnknownExtendedKeyUsageArgs{
ObjectIdPaths: pulumi.IntArray{
pulumi.Int(1),
pulumi.Int(6),
},
},
},
},
PolicyIds: certificateauthority.CertificateTemplatePredefinedValuesPolicyIdArray{
&certificateauthority.CertificateTemplatePredefinedValuesPolicyIdArgs{
ObjectIdPaths: pulumi.IntArray{
pulumi.Int(1),
pulumi.Int(6),
},
},
},
},
})
if err != nil {
return err
}
defaultAuthority, err := certificateauthority.NewAuthority(ctx, "default", &certificateauthority.AuthorityArgs{
Location: pulumi.String("us-central1"),
Pool: _default.Name,
CertificateAuthorityId: pulumi.String("my-authority"),
Config: &certificateauthority.AuthorityConfigArgs{
SubjectConfig: &certificateauthority.AuthorityConfigSubjectConfigArgs{
Subject: &certificateauthority.AuthorityConfigSubjectConfigSubjectArgs{
Organization: pulumi.String("HashiCorp"),
CommonName: pulumi.String("my-certificate-authority"),
},
SubjectAltName: &certificateauthority.AuthorityConfigSubjectConfigSubjectAltNameArgs{
DnsNames: pulumi.StringArray{
pulumi.String("hashicorp.com"),
},
},
},
X509Config: &certificateauthority.AuthorityConfigX509ConfigArgs{
CaOptions: &certificateauthority.AuthorityConfigX509ConfigCaOptionsArgs{
IsCa: pulumi.Bool(true),
},
KeyUsage: &certificateauthority.AuthorityConfigX509ConfigKeyUsageArgs{
BaseKeyUsage: &certificateauthority.AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs{
CertSign: pulumi.Bool(true),
CrlSign: pulumi.Bool(true),
},
ExtendedKeyUsage: &certificateauthority.AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs{
ServerAuth: pulumi.Bool(false),
},
},
},
},
KeySpec: &certificateauthority.AuthorityKeySpecArgs{
Algorithm: pulumi.String("RSA_PKCS1_4096_SHA256"),
},
DeletionProtection: pulumi.Bool(false),
SkipGracePeriod: pulumi.Bool(true),
IgnoreActiveCertificatesOnDeletion: pulumi.Bool(true),
})
if err != nil {
return err
}
invokeFile, err := std.File(ctx, &std.FileArgs{
Input: "test-fixtures/rsa_csr.pem",
}, nil)
if err != nil {
return err
}
_, err = certificateauthority.NewCertificate(ctx, "default", &certificateauthority.CertificateArgs{
Location: pulumi.String("us-central1"),
Pool: _default.Name,
CertificateAuthority: defaultAuthority.CertificateAuthorityId,
Name: pulumi.String("my-certificate"),
Lifetime: pulumi.String("860s"),
PemCsr: pulumi.String(invokeFile.Result),
CertificateTemplate: defaultCertificateTemplate.ID(),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
using Std = Pulumi.Std;
return await Deployment.RunAsync(() =>
{
var @default = new Gcp.CertificateAuthority.CaPool("default", new()
{
Location = "us-central1",
Name = "my-pool",
Tier = "ENTERPRISE",
});
var defaultCertificateTemplate = new Gcp.CertificateAuthority.CertificateTemplate("default", new()
{
Location = "us-central1",
Name = "my-certificate-template",
Description = "An updated sample certificate template",
IdentityConstraints = new Gcp.CertificateAuthority.Inputs.CertificateTemplateIdentityConstraintsArgs
{
AllowSubjectAltNamesPassthrough = true,
AllowSubjectPassthrough = true,
CelExpression = new Gcp.CertificateAuthority.Inputs.CertificateTemplateIdentityConstraintsCelExpressionArgs
{
Description = "Always true",
Expression = "true",
Location = "any.file.anywhere",
Title = "Sample expression",
},
},
PassthroughExtensions = new Gcp.CertificateAuthority.Inputs.CertificateTemplatePassthroughExtensionsArgs
{
AdditionalExtensions = new[]
{
new Gcp.CertificateAuthority.Inputs.CertificateTemplatePassthroughExtensionsAdditionalExtensionArgs
{
ObjectIdPaths = new[]
{
1,
6,
},
},
},
KnownExtensions = new[]
{
"EXTENDED_KEY_USAGE",
},
},
PredefinedValues = new Gcp.CertificateAuthority.Inputs.CertificateTemplatePredefinedValuesArgs
{
AdditionalExtensions = new[]
{
new Gcp.CertificateAuthority.Inputs.CertificateTemplatePredefinedValuesAdditionalExtensionArgs
{
ObjectId = new Gcp.CertificateAuthority.Inputs.CertificateTemplatePredefinedValuesAdditionalExtensionObjectIdArgs
{
ObjectIdPaths = new[]
{
1,
6,
},
},
Value = "c3RyaW5nCg==",
Critical = true,
},
},
AiaOcspServers = new[]
{
"string",
},
CaOptions = new Gcp.CertificateAuthority.Inputs.CertificateTemplatePredefinedValuesCaOptionsArgs
{
IsCa = false,
MaxIssuerPathLength = 6,
},
KeyUsage = new Gcp.CertificateAuthority.Inputs.CertificateTemplatePredefinedValuesKeyUsageArgs
{
BaseKeyUsage = new Gcp.CertificateAuthority.Inputs.CertificateTemplatePredefinedValuesKeyUsageBaseKeyUsageArgs
{
CertSign = false,
ContentCommitment = true,
CrlSign = false,
DataEncipherment = true,
DecipherOnly = true,
DigitalSignature = true,
EncipherOnly = true,
KeyAgreement = true,
KeyEncipherment = true,
},
ExtendedKeyUsage = new Gcp.CertificateAuthority.Inputs.CertificateTemplatePredefinedValuesKeyUsageExtendedKeyUsageArgs
{
ClientAuth = true,
CodeSigning = true,
EmailProtection = true,
OcspSigning = true,
ServerAuth = true,
TimeStamping = true,
},
UnknownExtendedKeyUsages = new[]
{
new Gcp.CertificateAuthority.Inputs.CertificateTemplatePredefinedValuesKeyUsageUnknownExtendedKeyUsageArgs
{
ObjectIdPaths = new[]
{
1,
6,
},
},
},
},
PolicyIds = new[]
{
new Gcp.CertificateAuthority.Inputs.CertificateTemplatePredefinedValuesPolicyIdArgs
{
ObjectIdPaths = new[]
{
1,
6,
},
},
},
},
});
var defaultAuthority = new Gcp.CertificateAuthority.Authority("default", new()
{
Location = "us-central1",
Pool = @default.Name,
CertificateAuthorityId = "my-authority",
Config = new Gcp.CertificateAuthority.Inputs.AuthorityConfigArgs
{
SubjectConfig = new Gcp.CertificateAuthority.Inputs.AuthorityConfigSubjectConfigArgs
{
Subject = new Gcp.CertificateAuthority.Inputs.AuthorityConfigSubjectConfigSubjectArgs
{
Organization = "HashiCorp",
CommonName = "my-certificate-authority",
},
SubjectAltName = new Gcp.CertificateAuthority.Inputs.AuthorityConfigSubjectConfigSubjectAltNameArgs
{
DnsNames = new[]
{
"hashicorp.com",
},
},
},
X509Config = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigArgs
{
CaOptions = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigCaOptionsArgs
{
IsCa = true,
},
KeyUsage = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigKeyUsageArgs
{
BaseKeyUsage = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs
{
CertSign = true,
CrlSign = true,
},
ExtendedKeyUsage = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs
{
ServerAuth = false,
},
},
},
},
KeySpec = new Gcp.CertificateAuthority.Inputs.AuthorityKeySpecArgs
{
Algorithm = "RSA_PKCS1_4096_SHA256",
},
DeletionProtection = false,
SkipGracePeriod = true,
IgnoreActiveCertificatesOnDeletion = true,
});
var defaultCertificate = new Gcp.CertificateAuthority.Certificate("default", new()
{
Location = "us-central1",
Pool = @default.Name,
CertificateAuthority = defaultAuthority.CertificateAuthorityId,
Name = "my-certificate",
Lifetime = "860s",
PemCsr = Std.File.Invoke(new()
{
Input = "test-fixtures/rsa_csr.pem",
}).Apply(invoke => invoke.Result),
CertificateTemplate = defaultCertificateTemplate.Id,
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.certificateauthority.CaPool;
import com.pulumi.gcp.certificateauthority.CaPoolArgs;
import com.pulumi.gcp.certificateauthority.CertificateTemplate;
import com.pulumi.gcp.certificateauthority.CertificateTemplateArgs;
import com.pulumi.gcp.certificateauthority.inputs.CertificateTemplateIdentityConstraintsArgs;
import com.pulumi.gcp.certificateauthority.inputs.CertificateTemplateIdentityConstraintsCelExpressionArgs;
import com.pulumi.gcp.certificateauthority.inputs.CertificateTemplatePassthroughExtensionsArgs;
import com.pulumi.gcp.certificateauthority.inputs.CertificateTemplatePredefinedValuesArgs;
import com.pulumi.gcp.certificateauthority.inputs.CertificateTemplatePredefinedValuesCaOptionsArgs;
import com.pulumi.gcp.certificateauthority.inputs.CertificateTemplatePredefinedValuesKeyUsageArgs;
import com.pulumi.gcp.certificateauthority.inputs.CertificateTemplatePredefinedValuesKeyUsageBaseKeyUsageArgs;
import com.pulumi.gcp.certificateauthority.inputs.CertificateTemplatePredefinedValuesKeyUsageExtendedKeyUsageArgs;
import com.pulumi.gcp.certificateauthority.Authority;
import com.pulumi.gcp.certificateauthority.AuthorityArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigSubjectConfigArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigSubjectConfigSubjectArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigSubjectConfigSubjectAltNameArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigCaOptionsArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigKeyUsageArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityKeySpecArgs;
import com.pulumi.gcp.certificateauthority.Certificate;
import com.pulumi.gcp.certificateauthority.CertificateArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var default_ = new CaPool("default", CaPoolArgs.builder()
.location("us-central1")
.name("my-pool")
.tier("ENTERPRISE")
.build());
var defaultCertificateTemplate = new CertificateTemplate("defaultCertificateTemplate", CertificateTemplateArgs.builder()
.location("us-central1")
.name("my-certificate-template")
.description("An updated sample certificate template")
.identityConstraints(CertificateTemplateIdentityConstraintsArgs.builder()
.allowSubjectAltNamesPassthrough(true)
.allowSubjectPassthrough(true)
.celExpression(CertificateTemplateIdentityConstraintsCelExpressionArgs.builder()
.description("Always true")
.expression("true")
.location("any.file.anywhere")
.title("Sample expression")
.build())
.build())
.passthroughExtensions(CertificateTemplatePassthroughExtensionsArgs.builder()
.additionalExtensions(CertificateTemplatePassthroughExtensionsAdditionalExtensionArgs.builder()
.objectIdPaths(
1,
6)
.build())
.knownExtensions("EXTENDED_KEY_USAGE")
.build())
.predefinedValues(CertificateTemplatePredefinedValuesArgs.builder()
.additionalExtensions(CertificateTemplatePredefinedValuesAdditionalExtensionArgs.builder()
.objectId(CertificateTemplatePredefinedValuesAdditionalExtensionObjectIdArgs.builder()
.objectIdPaths(
1,
6)
.build())
.value("c3RyaW5nCg==")
.critical(true)
.build())
.aiaOcspServers("string")
.caOptions(CertificateTemplatePredefinedValuesCaOptionsArgs.builder()
.isCa(false)
.maxIssuerPathLength(6)
.build())
.keyUsage(CertificateTemplatePredefinedValuesKeyUsageArgs.builder()
.baseKeyUsage(CertificateTemplatePredefinedValuesKeyUsageBaseKeyUsageArgs.builder()
.certSign(false)
.contentCommitment(true)
.crlSign(false)
.dataEncipherment(true)
.decipherOnly(true)
.digitalSignature(true)
.encipherOnly(true)
.keyAgreement(true)
.keyEncipherment(true)
.build())
.extendedKeyUsage(CertificateTemplatePredefinedValuesKeyUsageExtendedKeyUsageArgs.builder()
.clientAuth(true)
.codeSigning(true)
.emailProtection(true)
.ocspSigning(true)
.serverAuth(true)
.timeStamping(true)
.build())
.unknownExtendedKeyUsages(CertificateTemplatePredefinedValuesKeyUsageUnknownExtendedKeyUsageArgs.builder()
.objectIdPaths(
1,
6)
.build())
.build())
.policyIds(CertificateTemplatePredefinedValuesPolicyIdArgs.builder()
.objectIdPaths(
1,
6)
.build())
.build())
.build());
var defaultAuthority = new Authority("defaultAuthority", AuthorityArgs.builder()
.location("us-central1")
.pool(default_.name())
.certificateAuthorityId("my-authority")
.config(AuthorityConfigArgs.builder()
.subjectConfig(AuthorityConfigSubjectConfigArgs.builder()
.subject(AuthorityConfigSubjectConfigSubjectArgs.builder()
.organization("HashiCorp")
.commonName("my-certificate-authority")
.build())
.subjectAltName(AuthorityConfigSubjectConfigSubjectAltNameArgs.builder()
.dnsNames("hashicorp.com")
.build())
.build())
.x509Config(AuthorityConfigX509ConfigArgs.builder()
.caOptions(AuthorityConfigX509ConfigCaOptionsArgs.builder()
.isCa(true)
.build())
.keyUsage(AuthorityConfigX509ConfigKeyUsageArgs.builder()
.baseKeyUsage(AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs.builder()
.certSign(true)
.crlSign(true)
.build())
.extendedKeyUsage(AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs.builder()
.serverAuth(false)
.build())
.build())
.build())
.build())
.keySpec(AuthorityKeySpecArgs.builder()
.algorithm("RSA_PKCS1_4096_SHA256")
.build())
.deletionProtection(false)
.skipGracePeriod(true)
.ignoreActiveCertificatesOnDeletion(true)
.build());
var defaultCertificate = new Certificate("defaultCertificate", CertificateArgs.builder()
.location("us-central1")
.pool(default_.name())
.certificateAuthority(defaultAuthority.certificateAuthorityId())
.name("my-certificate")
.lifetime("860s")
.pemCsr(StdFunctions.file(FileArgs.builder()
.input("test-fixtures/rsa_csr.pem")
.build()).result())
.certificateTemplate(defaultCertificateTemplate.id())
.build());
}
}
resources:
default:
type: gcp:certificateauthority:CaPool
properties:
location: us-central1
name: my-pool
tier: ENTERPRISE
defaultCertificateTemplate:
type: gcp:certificateauthority:CertificateTemplate
name: default
properties:
location: us-central1
name: my-certificate-template
description: An updated sample certificate template
identityConstraints:
allowSubjectAltNamesPassthrough: true
allowSubjectPassthrough: true
celExpression:
description: Always true
expression: 'true'
location: any.file.anywhere
title: Sample expression
passthroughExtensions:
additionalExtensions:
- objectIdPaths:
- 1
- 6
knownExtensions:
- EXTENDED_KEY_USAGE
predefinedValues:
additionalExtensions:
- objectId:
objectIdPaths:
- 1
- 6
value: c3RyaW5nCg==
critical: true
aiaOcspServers:
- string
caOptions:
isCa: false
maxIssuerPathLength: 6
keyUsage:
baseKeyUsage:
certSign: false
contentCommitment: true
crlSign: false
dataEncipherment: true
decipherOnly: true
digitalSignature: true
encipherOnly: true
keyAgreement: true
keyEncipherment: true
extendedKeyUsage:
clientAuth: true
codeSigning: true
emailProtection: true
ocspSigning: true
serverAuth: true
timeStamping: true
unknownExtendedKeyUsages:
- objectIdPaths:
- 1
- 6
policyIds:
- objectIdPaths:
- 1
- 6
defaultAuthority:
type: gcp:certificateauthority:Authority
name: default
properties:
location: us-central1
pool: ${default.name}
certificateAuthorityId: my-authority
config:
subjectConfig:
subject:
organization: HashiCorp
commonName: my-certificate-authority
subjectAltName:
dnsNames:
- hashicorp.com
x509Config:
caOptions:
isCa: true
keyUsage:
baseKeyUsage:
certSign: true
crlSign: true
extendedKeyUsage:
serverAuth: false
keySpec:
algorithm: RSA_PKCS1_4096_SHA256
deletionProtection: false
skipGracePeriod: true
ignoreActiveCertificatesOnDeletion: true
defaultCertificate:
type: gcp:certificateauthority:Certificate
name: default
properties:
location: us-central1
pool: ${default.name}
certificateAuthority: ${defaultAuthority.certificateAuthorityId}
name: my-certificate
lifetime: 860s
pemCsr:
fn::invoke:
function: std:file
arguments:
input: test-fixtures/rsa_csr.pem
return: result
certificateTemplate: ${defaultCertificateTemplate.id}
Privateca Certificate Csr
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
import * as std from "@pulumi/std";
const _default = new gcp.certificateauthority.CaPool("default", {
location: "us-central1",
name: "my-pool",
tier: "ENTERPRISE",
});
const defaultAuthority = new gcp.certificateauthority.Authority("default", {
location: "us-central1",
pool: _default.name,
certificateAuthorityId: "my-authority",
config: {
subjectConfig: {
subject: {
organization: "HashiCorp",
commonName: "my-certificate-authority",
},
subjectAltName: {
dnsNames: ["hashicorp.com"],
},
},
x509Config: {
caOptions: {
isCa: true,
},
keyUsage: {
baseKeyUsage: {
certSign: true,
crlSign: true,
},
extendedKeyUsage: {
serverAuth: false,
},
},
},
},
keySpec: {
algorithm: "RSA_PKCS1_4096_SHA256",
},
deletionProtection: false,
skipGracePeriod: true,
ignoreActiveCertificatesOnDeletion: true,
});
const defaultCertificate = new gcp.certificateauthority.Certificate("default", {
location: "us-central1",
pool: _default.name,
certificateAuthority: defaultAuthority.certificateAuthorityId,
name: "my-certificate",
lifetime: "860s",
pemCsr: std.file({
input: "test-fixtures/rsa_csr.pem",
}).then(invoke => invoke.result),
});
import pulumi
import pulumi_gcp as gcp
import pulumi_std as std
default = gcp.certificateauthority.CaPool("default",
location="us-central1",
name="my-pool",
tier="ENTERPRISE")
default_authority = gcp.certificateauthority.Authority("default",
location="us-central1",
pool=default.name,
certificate_authority_id="my-authority",
config={
"subject_config": {
"subject": {
"organization": "HashiCorp",
"common_name": "my-certificate-authority",
},
"subject_alt_name": {
"dns_names": ["hashicorp.com"],
},
},
"x509_config": {
"ca_options": {
"is_ca": True,
},
"key_usage": {
"base_key_usage": {
"cert_sign": True,
"crl_sign": True,
},
"extended_key_usage": {
"server_auth": False,
},
},
},
},
key_spec={
"algorithm": "RSA_PKCS1_4096_SHA256",
},
deletion_protection=False,
skip_grace_period=True,
ignore_active_certificates_on_deletion=True)
default_certificate = gcp.certificateauthority.Certificate("default",
location="us-central1",
pool=default.name,
certificate_authority=default_authority.certificate_authority_id,
name="my-certificate",
lifetime="860s",
pem_csr=std.file(input="test-fixtures/rsa_csr.pem").result)
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/certificateauthority"
"github.com/pulumi/pulumi-std/sdk/go/std"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := certificateauthority.NewCaPool(ctx, "default", &certificateauthority.CaPoolArgs{
Location: pulumi.String("us-central1"),
Name: pulumi.String("my-pool"),
Tier: pulumi.String("ENTERPRISE"),
})
if err != nil {
return err
}
defaultAuthority, err := certificateauthority.NewAuthority(ctx, "default", &certificateauthority.AuthorityArgs{
Location: pulumi.String("us-central1"),
Pool: _default.Name,
CertificateAuthorityId: pulumi.String("my-authority"),
Config: &certificateauthority.AuthorityConfigArgs{
SubjectConfig: &certificateauthority.AuthorityConfigSubjectConfigArgs{
Subject: &certificateauthority.AuthorityConfigSubjectConfigSubjectArgs{
Organization: pulumi.String("HashiCorp"),
CommonName: pulumi.String("my-certificate-authority"),
},
SubjectAltName: &certificateauthority.AuthorityConfigSubjectConfigSubjectAltNameArgs{
DnsNames: pulumi.StringArray{
pulumi.String("hashicorp.com"),
},
},
},
X509Config: &certificateauthority.AuthorityConfigX509ConfigArgs{
CaOptions: &certificateauthority.AuthorityConfigX509ConfigCaOptionsArgs{
IsCa: pulumi.Bool(true),
},
KeyUsage: &certificateauthority.AuthorityConfigX509ConfigKeyUsageArgs{
BaseKeyUsage: &certificateauthority.AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs{
CertSign: pulumi.Bool(true),
CrlSign: pulumi.Bool(true),
},
ExtendedKeyUsage: &certificateauthority.AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs{
ServerAuth: pulumi.Bool(false),
},
},
},
},
KeySpec: &certificateauthority.AuthorityKeySpecArgs{
Algorithm: pulumi.String("RSA_PKCS1_4096_SHA256"),
},
DeletionProtection: pulumi.Bool(false),
SkipGracePeriod: pulumi.Bool(true),
IgnoreActiveCertificatesOnDeletion: pulumi.Bool(true),
})
if err != nil {
return err
}
invokeFile, err := std.File(ctx, &std.FileArgs{
Input: "test-fixtures/rsa_csr.pem",
}, nil)
if err != nil {
return err
}
_, err = certificateauthority.NewCertificate(ctx, "default", &certificateauthority.CertificateArgs{
Location: pulumi.String("us-central1"),
Pool: _default.Name,
CertificateAuthority: defaultAuthority.CertificateAuthorityId,
Name: pulumi.String("my-certificate"),
Lifetime: pulumi.String("860s"),
PemCsr: pulumi.String(invokeFile.Result),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
using Std = Pulumi.Std;
return await Deployment.RunAsync(() =>
{
var @default = new Gcp.CertificateAuthority.CaPool("default", new()
{
Location = "us-central1",
Name = "my-pool",
Tier = "ENTERPRISE",
});
var defaultAuthority = new Gcp.CertificateAuthority.Authority("default", new()
{
Location = "us-central1",
Pool = @default.Name,
CertificateAuthorityId = "my-authority",
Config = new Gcp.CertificateAuthority.Inputs.AuthorityConfigArgs
{
SubjectConfig = new Gcp.CertificateAuthority.Inputs.AuthorityConfigSubjectConfigArgs
{
Subject = new Gcp.CertificateAuthority.Inputs.AuthorityConfigSubjectConfigSubjectArgs
{
Organization = "HashiCorp",
CommonName = "my-certificate-authority",
},
SubjectAltName = new Gcp.CertificateAuthority.Inputs.AuthorityConfigSubjectConfigSubjectAltNameArgs
{
DnsNames = new[]
{
"hashicorp.com",
},
},
},
X509Config = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigArgs
{
CaOptions = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigCaOptionsArgs
{
IsCa = true,
},
KeyUsage = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigKeyUsageArgs
{
BaseKeyUsage = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs
{
CertSign = true,
CrlSign = true,
},
ExtendedKeyUsage = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs
{
ServerAuth = false,
},
},
},
},
KeySpec = new Gcp.CertificateAuthority.Inputs.AuthorityKeySpecArgs
{
Algorithm = "RSA_PKCS1_4096_SHA256",
},
DeletionProtection = false,
SkipGracePeriod = true,
IgnoreActiveCertificatesOnDeletion = true,
});
var defaultCertificate = new Gcp.CertificateAuthority.Certificate("default", new()
{
Location = "us-central1",
Pool = @default.Name,
CertificateAuthority = defaultAuthority.CertificateAuthorityId,
Name = "my-certificate",
Lifetime = "860s",
PemCsr = Std.File.Invoke(new()
{
Input = "test-fixtures/rsa_csr.pem",
}).Apply(invoke => invoke.Result),
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.certificateauthority.CaPool;
import com.pulumi.gcp.certificateauthority.CaPoolArgs;
import com.pulumi.gcp.certificateauthority.Authority;
import com.pulumi.gcp.certificateauthority.AuthorityArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigSubjectConfigArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigSubjectConfigSubjectArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigSubjectConfigSubjectAltNameArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigCaOptionsArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigKeyUsageArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityKeySpecArgs;
import com.pulumi.gcp.certificateauthority.Certificate;
import com.pulumi.gcp.certificateauthority.CertificateArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var default_ = new CaPool("default", CaPoolArgs.builder()
.location("us-central1")
.name("my-pool")
.tier("ENTERPRISE")
.build());
var defaultAuthority = new Authority("defaultAuthority", AuthorityArgs.builder()
.location("us-central1")
.pool(default_.name())
.certificateAuthorityId("my-authority")
.config(AuthorityConfigArgs.builder()
.subjectConfig(AuthorityConfigSubjectConfigArgs.builder()
.subject(AuthorityConfigSubjectConfigSubjectArgs.builder()
.organization("HashiCorp")
.commonName("my-certificate-authority")
.build())
.subjectAltName(AuthorityConfigSubjectConfigSubjectAltNameArgs.builder()
.dnsNames("hashicorp.com")
.build())
.build())
.x509Config(AuthorityConfigX509ConfigArgs.builder()
.caOptions(AuthorityConfigX509ConfigCaOptionsArgs.builder()
.isCa(true)
.build())
.keyUsage(AuthorityConfigX509ConfigKeyUsageArgs.builder()
.baseKeyUsage(AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs.builder()
.certSign(true)
.crlSign(true)
.build())
.extendedKeyUsage(AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs.builder()
.serverAuth(false)
.build())
.build())
.build())
.build())
.keySpec(AuthorityKeySpecArgs.builder()
.algorithm("RSA_PKCS1_4096_SHA256")
.build())
.deletionProtection(false)
.skipGracePeriod(true)
.ignoreActiveCertificatesOnDeletion(true)
.build());
var defaultCertificate = new Certificate("defaultCertificate", CertificateArgs.builder()
.location("us-central1")
.pool(default_.name())
.certificateAuthority(defaultAuthority.certificateAuthorityId())
.name("my-certificate")
.lifetime("860s")
.pemCsr(StdFunctions.file(FileArgs.builder()
.input("test-fixtures/rsa_csr.pem")
.build()).result())
.build());
}
}
resources:
default:
type: gcp:certificateauthority:CaPool
properties:
location: us-central1
name: my-pool
tier: ENTERPRISE
defaultAuthority:
type: gcp:certificateauthority:Authority
name: default
properties:
location: us-central1
pool: ${default.name}
certificateAuthorityId: my-authority
config:
subjectConfig:
subject:
organization: HashiCorp
commonName: my-certificate-authority
subjectAltName:
dnsNames:
- hashicorp.com
x509Config:
caOptions:
isCa: true
keyUsage:
baseKeyUsage:
certSign: true
crlSign: true
extendedKeyUsage:
serverAuth: false
keySpec:
algorithm: RSA_PKCS1_4096_SHA256
deletionProtection: false
skipGracePeriod: true
ignoreActiveCertificatesOnDeletion: true
defaultCertificate:
type: gcp:certificateauthority:Certificate
name: default
properties:
location: us-central1
pool: ${default.name}
certificateAuthority: ${defaultAuthority.certificateAuthorityId}
name: my-certificate
lifetime: 860s
pemCsr:
fn::invoke:
function: std:file
arguments:
input: test-fixtures/rsa_csr.pem
return: result
Privateca Certificate No Authority
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
import * as std from "@pulumi/std";
const _default = new gcp.certificateauthority.CaPool("default", {
location: "us-central1",
name: "my-pool",
tier: "ENTERPRISE",
});
const defaultAuthority = new gcp.certificateauthority.Authority("default", {
location: "us-central1",
pool: _default.name,
certificateAuthorityId: "my-authority",
config: {
subjectConfig: {
subject: {
organization: "HashiCorp",
commonName: "my-certificate-authority",
},
subjectAltName: {
dnsNames: ["hashicorp.com"],
},
},
x509Config: {
caOptions: {
isCa: true,
},
keyUsage: {
baseKeyUsage: {
digitalSignature: true,
certSign: true,
crlSign: true,
},
extendedKeyUsage: {
serverAuth: true,
},
},
},
},
lifetime: "86400s",
keySpec: {
algorithm: "RSA_PKCS1_4096_SHA256",
},
deletionProtection: false,
skipGracePeriod: true,
ignoreActiveCertificatesOnDeletion: true,
});
const defaultCertificate = new gcp.certificateauthority.Certificate("default", {
location: "us-central1",
pool: _default.name,
name: "my-certificate",
lifetime: "860s",
config: {
subjectConfig: {
subject: {
commonName: "san1.example.com",
countryCode: "us",
organization: "google",
organizationalUnit: "enterprise",
locality: "mountain view",
province: "california",
streetAddress: "1600 amphitheatre parkway",
postalCode: "94109",
},
},
x509Config: {
caOptions: {
isCa: false,
},
keyUsage: {
baseKeyUsage: {
crlSign: true,
},
extendedKeyUsage: {
serverAuth: true,
},
},
},
publicKey: {
format: "PEM",
key: std.filebase64({
input: "test-fixtures/rsa_public.pem",
}).then(invoke => invoke.result),
},
},
}, {
dependsOn: [defaultAuthority],
});
import pulumi
import pulumi_gcp as gcp
import pulumi_std as std
default = gcp.certificateauthority.CaPool("default",
location="us-central1",
name="my-pool",
tier="ENTERPRISE")
default_authority = gcp.certificateauthority.Authority("default",
location="us-central1",
pool=default.name,
certificate_authority_id="my-authority",
config={
"subject_config": {
"subject": {
"organization": "HashiCorp",
"common_name": "my-certificate-authority",
},
"subject_alt_name": {
"dns_names": ["hashicorp.com"],
},
},
"x509_config": {
"ca_options": {
"is_ca": True,
},
"key_usage": {
"base_key_usage": {
"digital_signature": True,
"cert_sign": True,
"crl_sign": True,
},
"extended_key_usage": {
"server_auth": True,
},
},
},
},
lifetime="86400s",
key_spec={
"algorithm": "RSA_PKCS1_4096_SHA256",
},
deletion_protection=False,
skip_grace_period=True,
ignore_active_certificates_on_deletion=True)
default_certificate = gcp.certificateauthority.Certificate("default",
location="us-central1",
pool=default.name,
name="my-certificate",
lifetime="860s",
config={
"subject_config": {
"subject": {
"common_name": "san1.example.com",
"country_code": "us",
"organization": "google",
"organizational_unit": "enterprise",
"locality": "mountain view",
"province": "california",
"street_address": "1600 amphitheatre parkway",
"postal_code": "94109",
},
},
"x509_config": {
"ca_options": {
"is_ca": False,
},
"key_usage": {
"base_key_usage": {
"crl_sign": True,
},
"extended_key_usage": {
"server_auth": True,
},
},
},
"public_key": {
"format": "PEM",
"key": std.filebase64(input="test-fixtures/rsa_public.pem").result,
},
},
opts = pulumi.ResourceOptions(depends_on=[default_authority]))
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/certificateauthority"
"github.com/pulumi/pulumi-std/sdk/go/std"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := certificateauthority.NewCaPool(ctx, "default", &certificateauthority.CaPoolArgs{
Location: pulumi.String("us-central1"),
Name: pulumi.String("my-pool"),
Tier: pulumi.String("ENTERPRISE"),
})
if err != nil {
return err
}
defaultAuthority, err := certificateauthority.NewAuthority(ctx, "default", &certificateauthority.AuthorityArgs{
Location: pulumi.String("us-central1"),
Pool: _default.Name,
CertificateAuthorityId: pulumi.String("my-authority"),
Config: &certificateauthority.AuthorityConfigArgs{
SubjectConfig: &certificateauthority.AuthorityConfigSubjectConfigArgs{
Subject: &certificateauthority.AuthorityConfigSubjectConfigSubjectArgs{
Organization: pulumi.String("HashiCorp"),
CommonName: pulumi.String("my-certificate-authority"),
},
SubjectAltName: &certificateauthority.AuthorityConfigSubjectConfigSubjectAltNameArgs{
DnsNames: pulumi.StringArray{
pulumi.String("hashicorp.com"),
},
},
},
X509Config: &certificateauthority.AuthorityConfigX509ConfigArgs{
CaOptions: &certificateauthority.AuthorityConfigX509ConfigCaOptionsArgs{
IsCa: pulumi.Bool(true),
},
KeyUsage: &certificateauthority.AuthorityConfigX509ConfigKeyUsageArgs{
BaseKeyUsage: &certificateauthority.AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs{
DigitalSignature: pulumi.Bool(true),
CertSign: pulumi.Bool(true),
CrlSign: pulumi.Bool(true),
},
ExtendedKeyUsage: &certificateauthority.AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs{
ServerAuth: pulumi.Bool(true),
},
},
},
},
Lifetime: pulumi.String("86400s"),
KeySpec: &certificateauthority.AuthorityKeySpecArgs{
Algorithm: pulumi.String("RSA_PKCS1_4096_SHA256"),
},
DeletionProtection: pulumi.Bool(false),
SkipGracePeriod: pulumi.Bool(true),
IgnoreActiveCertificatesOnDeletion: pulumi.Bool(true),
})
if err != nil {
return err
}
invokeFilebase64, err := std.Filebase64(ctx, &std.Filebase64Args{
Input: "test-fixtures/rsa_public.pem",
}, nil)
if err != nil {
return err
}
_, err = certificateauthority.NewCertificate(ctx, "default", &certificateauthority.CertificateArgs{
Location: pulumi.String("us-central1"),
Pool: _default.Name,
Name: pulumi.String("my-certificate"),
Lifetime: pulumi.String("860s"),
Config: &certificateauthority.CertificateConfigArgs{
SubjectConfig: &certificateauthority.CertificateConfigSubjectConfigArgs{
Subject: &certificateauthority.CertificateConfigSubjectConfigSubjectArgs{
CommonName: pulumi.String("san1.example.com"),
CountryCode: pulumi.String("us"),
Organization: pulumi.String("google"),
OrganizationalUnit: pulumi.String("enterprise"),
Locality: pulumi.String("mountain view"),
Province: pulumi.String("california"),
StreetAddress: pulumi.String("1600 amphitheatre parkway"),
PostalCode: pulumi.String("94109"),
},
},
X509Config: &certificateauthority.CertificateConfigX509ConfigArgs{
CaOptions: &certificateauthority.CertificateConfigX509ConfigCaOptionsArgs{
IsCa: pulumi.Bool(false),
},
KeyUsage: &certificateauthority.CertificateConfigX509ConfigKeyUsageArgs{
BaseKeyUsage: &certificateauthority.CertificateConfigX509ConfigKeyUsageBaseKeyUsageArgs{
CrlSign: pulumi.Bool(true),
},
ExtendedKeyUsage: &certificateauthority.CertificateConfigX509ConfigKeyUsageExtendedKeyUsageArgs{
ServerAuth: pulumi.Bool(true),
},
},
},
PublicKey: &certificateauthority.CertificateConfigPublicKeyArgs{
Format: pulumi.String("PEM"),
Key: pulumi.String(invokeFilebase64.Result),
},
},
}, pulumi.DependsOn([]pulumi.Resource{
defaultAuthority,
}))
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
using Std = Pulumi.Std;
return await Deployment.RunAsync(() =>
{
var @default = new Gcp.CertificateAuthority.CaPool("default", new()
{
Location = "us-central1",
Name = "my-pool",
Tier = "ENTERPRISE",
});
var defaultAuthority = new Gcp.CertificateAuthority.Authority("default", new()
{
Location = "us-central1",
Pool = @default.Name,
CertificateAuthorityId = "my-authority",
Config = new Gcp.CertificateAuthority.Inputs.AuthorityConfigArgs
{
SubjectConfig = new Gcp.CertificateAuthority.Inputs.AuthorityConfigSubjectConfigArgs
{
Subject = new Gcp.CertificateAuthority.Inputs.AuthorityConfigSubjectConfigSubjectArgs
{
Organization = "HashiCorp",
CommonName = "my-certificate-authority",
},
SubjectAltName = new Gcp.CertificateAuthority.Inputs.AuthorityConfigSubjectConfigSubjectAltNameArgs
{
DnsNames = new[]
{
"hashicorp.com",
},
},
},
X509Config = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigArgs
{
CaOptions = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigCaOptionsArgs
{
IsCa = true,
},
KeyUsage = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigKeyUsageArgs
{
BaseKeyUsage = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs
{
DigitalSignature = true,
CertSign = true,
CrlSign = true,
},
ExtendedKeyUsage = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs
{
ServerAuth = true,
},
},
},
},
Lifetime = "86400s",
KeySpec = new Gcp.CertificateAuthority.Inputs.AuthorityKeySpecArgs
{
Algorithm = "RSA_PKCS1_4096_SHA256",
},
DeletionProtection = false,
SkipGracePeriod = true,
IgnoreActiveCertificatesOnDeletion = true,
});
var defaultCertificate = new Gcp.CertificateAuthority.Certificate("default", new()
{
Location = "us-central1",
Pool = @default.Name,
Name = "my-certificate",
Lifetime = "860s",
Config = new Gcp.CertificateAuthority.Inputs.CertificateConfigArgs
{
SubjectConfig = new Gcp.CertificateAuthority.Inputs.CertificateConfigSubjectConfigArgs
{
Subject = new Gcp.CertificateAuthority.Inputs.CertificateConfigSubjectConfigSubjectArgs
{
CommonName = "san1.example.com",
CountryCode = "us",
Organization = "google",
OrganizationalUnit = "enterprise",
Locality = "mountain view",
Province = "california",
StreetAddress = "1600 amphitheatre parkway",
PostalCode = "94109",
},
},
X509Config = new Gcp.CertificateAuthority.Inputs.CertificateConfigX509ConfigArgs
{
CaOptions = new Gcp.CertificateAuthority.Inputs.CertificateConfigX509ConfigCaOptionsArgs
{
IsCa = false,
},
KeyUsage = new Gcp.CertificateAuthority.Inputs.CertificateConfigX509ConfigKeyUsageArgs
{
BaseKeyUsage = new Gcp.CertificateAuthority.Inputs.CertificateConfigX509ConfigKeyUsageBaseKeyUsageArgs
{
CrlSign = true,
},
ExtendedKeyUsage = new Gcp.CertificateAuthority.Inputs.CertificateConfigX509ConfigKeyUsageExtendedKeyUsageArgs
{
ServerAuth = true,
},
},
},
PublicKey = new Gcp.CertificateAuthority.Inputs.CertificateConfigPublicKeyArgs
{
Format = "PEM",
Key = Std.Filebase64.Invoke(new()
{
Input = "test-fixtures/rsa_public.pem",
}).Apply(invoke => invoke.Result),
},
},
}, new CustomResourceOptions
{
DependsOn =
{
defaultAuthority,
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.certificateauthority.CaPool;
import com.pulumi.gcp.certificateauthority.CaPoolArgs;
import com.pulumi.gcp.certificateauthority.Authority;
import com.pulumi.gcp.certificateauthority.AuthorityArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigSubjectConfigArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigSubjectConfigSubjectArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigSubjectConfigSubjectAltNameArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigCaOptionsArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigKeyUsageArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityKeySpecArgs;
import com.pulumi.gcp.certificateauthority.Certificate;
import com.pulumi.gcp.certificateauthority.CertificateArgs;
import com.pulumi.gcp.certificateauthority.inputs.CertificateConfigArgs;
import com.pulumi.gcp.certificateauthority.inputs.CertificateConfigSubjectConfigArgs;
import com.pulumi.gcp.certificateauthority.inputs.CertificateConfigSubjectConfigSubjectArgs;
import com.pulumi.gcp.certificateauthority.inputs.CertificateConfigX509ConfigArgs;
import com.pulumi.gcp.certificateauthority.inputs.CertificateConfigX509ConfigCaOptionsArgs;
import com.pulumi.gcp.certificateauthority.inputs.CertificateConfigX509ConfigKeyUsageArgs;
import com.pulumi.gcp.certificateauthority.inputs.CertificateConfigX509ConfigKeyUsageBaseKeyUsageArgs;
import com.pulumi.gcp.certificateauthority.inputs.CertificateConfigX509ConfigKeyUsageExtendedKeyUsageArgs;
import com.pulumi.gcp.certificateauthority.inputs.CertificateConfigPublicKeyArgs;
import com.pulumi.resources.CustomResourceOptions;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var default_ = new CaPool("default", CaPoolArgs.builder()
.location("us-central1")
.name("my-pool")
.tier("ENTERPRISE")
.build());
var defaultAuthority = new Authority("defaultAuthority", AuthorityArgs.builder()
.location("us-central1")
.pool(default_.name())
.certificateAuthorityId("my-authority")
.config(AuthorityConfigArgs.builder()
.subjectConfig(AuthorityConfigSubjectConfigArgs.builder()
.subject(AuthorityConfigSubjectConfigSubjectArgs.builder()
.organization("HashiCorp")
.commonName("my-certificate-authority")
.build())
.subjectAltName(AuthorityConfigSubjectConfigSubjectAltNameArgs.builder()
.dnsNames("hashicorp.com")
.build())
.build())
.x509Config(AuthorityConfigX509ConfigArgs.builder()
.caOptions(AuthorityConfigX509ConfigCaOptionsArgs.builder()
.isCa(true)
.build())
.keyUsage(AuthorityConfigX509ConfigKeyUsageArgs.builder()
.baseKeyUsage(AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs.builder()
.digitalSignature(true)
.certSign(true)
.crlSign(true)
.build())
.extendedKeyUsage(AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs.builder()
.serverAuth(true)
.build())
.build())
.build())
.build())
.lifetime("86400s")
.keySpec(AuthorityKeySpecArgs.builder()
.algorithm("RSA_PKCS1_4096_SHA256")
.build())
.deletionProtection(false)
.skipGracePeriod(true)
.ignoreActiveCertificatesOnDeletion(true)
.build());
var defaultCertificate = new Certificate("defaultCertificate", CertificateArgs.builder()
.location("us-central1")
.pool(default_.name())
.name("my-certificate")
.lifetime("860s")
.config(CertificateConfigArgs.builder()
.subjectConfig(CertificateConfigSubjectConfigArgs.builder()
.subject(CertificateConfigSubjectConfigSubjectArgs.builder()
.commonName("san1.example.com")
.countryCode("us")
.organization("google")
.organizationalUnit("enterprise")
.locality("mountain view")
.province("california")
.streetAddress("1600 amphitheatre parkway")
.postalCode("94109")
.build())
.build())
.x509Config(CertificateConfigX509ConfigArgs.builder()
.caOptions(CertificateConfigX509ConfigCaOptionsArgs.builder()
.isCa(false)
.build())
.keyUsage(CertificateConfigX509ConfigKeyUsageArgs.builder()
.baseKeyUsage(CertificateConfigX509ConfigKeyUsageBaseKeyUsageArgs.builder()
.crlSign(true)
.build())
.extendedKeyUsage(CertificateConfigX509ConfigKeyUsageExtendedKeyUsageArgs.builder()
.serverAuth(true)
.build())
.build())
.build())
.publicKey(CertificateConfigPublicKeyArgs.builder()
.format("PEM")
.key(StdFunctions.filebase64(Filebase64Args.builder()
.input("test-fixtures/rsa_public.pem")
.build()).result())
.build())
.build())
.build(), CustomResourceOptions.builder()
.dependsOn(defaultAuthority)
.build());
}
}
resources:
default:
type: gcp:certificateauthority:CaPool
properties:
location: us-central1
name: my-pool
tier: ENTERPRISE
defaultAuthority:
type: gcp:certificateauthority:Authority
name: default
properties:
location: us-central1
pool: ${default.name}
certificateAuthorityId: my-authority
config:
subjectConfig:
subject:
organization: HashiCorp
commonName: my-certificate-authority
subjectAltName:
dnsNames:
- hashicorp.com
x509Config:
caOptions:
isCa: true
keyUsage:
baseKeyUsage:
digitalSignature: true
certSign: true
crlSign: true
extendedKeyUsage:
serverAuth: true
lifetime: 86400s
keySpec:
algorithm: RSA_PKCS1_4096_SHA256
deletionProtection: false
skipGracePeriod: true
ignoreActiveCertificatesOnDeletion: true
defaultCertificate:
type: gcp:certificateauthority:Certificate
name: default
properties:
location: us-central1
pool: ${default.name}
name: my-certificate
lifetime: 860s
config:
subjectConfig:
subject:
commonName: san1.example.com
countryCode: us
organization: google
organizationalUnit: enterprise
locality: mountain view
province: california
streetAddress: 1600 amphitheatre parkway
postalCode: '94109'
x509Config:
caOptions:
isCa: false
keyUsage:
baseKeyUsage:
crlSign: true
extendedKeyUsage:
serverAuth: true
publicKey:
format: PEM
key:
fn::invoke:
function: std:filebase64
arguments:
input: test-fixtures/rsa_public.pem
return: result
options:
dependsOn:
- ${defaultAuthority}
Privateca Certificate Custom Ski
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
import * as std from "@pulumi/std";
const _default = new gcp.certificateauthority.CaPool("default", {
location: "us-central1",
name: "my-pool",
tier: "ENTERPRISE",
});
const defaultAuthority = new gcp.certificateauthority.Authority("default", {
location: "us-central1",
pool: _default.name,
certificateAuthorityId: "my-authority",
config: {
subjectConfig: {
subject: {
organization: "HashiCorp",
commonName: "my-certificate-authority",
},
subjectAltName: {
dnsNames: ["hashicorp.com"],
},
},
x509Config: {
caOptions: {
isCa: true,
},
keyUsage: {
baseKeyUsage: {
digitalSignature: true,
certSign: true,
crlSign: true,
},
extendedKeyUsage: {
serverAuth: true,
},
},
},
},
lifetime: "86400s",
keySpec: {
algorithm: "RSA_PKCS1_4096_SHA256",
},
deletionProtection: false,
skipGracePeriod: true,
ignoreActiveCertificatesOnDeletion: true,
});
const defaultCertificate = new gcp.certificateauthority.Certificate("default", {
location: "us-central1",
pool: _default.name,
name: "my-certificate",
lifetime: "860s",
config: {
subjectConfig: {
subject: {
commonName: "san1.example.com",
countryCode: "us",
organization: "google",
organizationalUnit: "enterprise",
locality: "mountain view",
province: "california",
streetAddress: "1600 amphitheatre parkway",
postalCode: "94109",
},
},
subjectKeyId: {
keyId: "4cf3372289b1d411b999dbb9ebcd44744b6b2fca",
},
x509Config: {
caOptions: {
isCa: false,
},
keyUsage: {
baseKeyUsage: {
crlSign: true,
},
extendedKeyUsage: {
serverAuth: true,
},
},
},
publicKey: {
format: "PEM",
key: std.filebase64({
input: "test-fixtures/rsa_public.pem",
}).then(invoke => invoke.result),
},
},
}, {
dependsOn: [defaultAuthority],
});
import pulumi
import pulumi_gcp as gcp
import pulumi_std as std
default = gcp.certificateauthority.CaPool("default",
location="us-central1",
name="my-pool",
tier="ENTERPRISE")
default_authority = gcp.certificateauthority.Authority("default",
location="us-central1",
pool=default.name,
certificate_authority_id="my-authority",
config={
"subject_config": {
"subject": {
"organization": "HashiCorp",
"common_name": "my-certificate-authority",
},
"subject_alt_name": {
"dns_names": ["hashicorp.com"],
},
},
"x509_config": {
"ca_options": {
"is_ca": True,
},
"key_usage": {
"base_key_usage": {
"digital_signature": True,
"cert_sign": True,
"crl_sign": True,
},
"extended_key_usage": {
"server_auth": True,
},
},
},
},
lifetime="86400s",
key_spec={
"algorithm": "RSA_PKCS1_4096_SHA256",
},
deletion_protection=False,
skip_grace_period=True,
ignore_active_certificates_on_deletion=True)
default_certificate = gcp.certificateauthority.Certificate("default",
location="us-central1",
pool=default.name,
name="my-certificate",
lifetime="860s",
config={
"subject_config": {
"subject": {
"common_name": "san1.example.com",
"country_code": "us",
"organization": "google",
"organizational_unit": "enterprise",
"locality": "mountain view",
"province": "california",
"street_address": "1600 amphitheatre parkway",
"postal_code": "94109",
},
},
"subject_key_id": {
"key_id": "4cf3372289b1d411b999dbb9ebcd44744b6b2fca",
},
"x509_config": {
"ca_options": {
"is_ca": False,
},
"key_usage": {
"base_key_usage": {
"crl_sign": True,
},
"extended_key_usage": {
"server_auth": True,
},
},
},
"public_key": {
"format": "PEM",
"key": std.filebase64(input="test-fixtures/rsa_public.pem").result,
},
},
opts = pulumi.ResourceOptions(depends_on=[default_authority]))
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/certificateauthority"
"github.com/pulumi/pulumi-std/sdk/go/std"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := certificateauthority.NewCaPool(ctx, "default", &certificateauthority.CaPoolArgs{
Location: pulumi.String("us-central1"),
Name: pulumi.String("my-pool"),
Tier: pulumi.String("ENTERPRISE"),
})
if err != nil {
return err
}
defaultAuthority, err := certificateauthority.NewAuthority(ctx, "default", &certificateauthority.AuthorityArgs{
Location: pulumi.String("us-central1"),
Pool: _default.Name,
CertificateAuthorityId: pulumi.String("my-authority"),
Config: &certificateauthority.AuthorityConfigArgs{
SubjectConfig: &certificateauthority.AuthorityConfigSubjectConfigArgs{
Subject: &certificateauthority.AuthorityConfigSubjectConfigSubjectArgs{
Organization: pulumi.String("HashiCorp"),
CommonName: pulumi.String("my-certificate-authority"),
},
SubjectAltName: &certificateauthority.AuthorityConfigSubjectConfigSubjectAltNameArgs{
DnsNames: pulumi.StringArray{
pulumi.String("hashicorp.com"),
},
},
},
X509Config: &certificateauthority.AuthorityConfigX509ConfigArgs{
CaOptions: &certificateauthority.AuthorityConfigX509ConfigCaOptionsArgs{
IsCa: pulumi.Bool(true),
},
KeyUsage: &certificateauthority.AuthorityConfigX509ConfigKeyUsageArgs{
BaseKeyUsage: &certificateauthority.AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs{
DigitalSignature: pulumi.Bool(true),
CertSign: pulumi.Bool(true),
CrlSign: pulumi.Bool(true),
},
ExtendedKeyUsage: &certificateauthority.AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs{
ServerAuth: pulumi.Bool(true),
},
},
},
},
Lifetime: pulumi.String("86400s"),
KeySpec: &certificateauthority.AuthorityKeySpecArgs{
Algorithm: pulumi.String("RSA_PKCS1_4096_SHA256"),
},
DeletionProtection: pulumi.Bool(false),
SkipGracePeriod: pulumi.Bool(true),
IgnoreActiveCertificatesOnDeletion: pulumi.Bool(true),
})
if err != nil {
return err
}
invokeFilebase64, err := std.Filebase64(ctx, &std.Filebase64Args{
Input: "test-fixtures/rsa_public.pem",
}, nil)
if err != nil {
return err
}
_, err = certificateauthority.NewCertificate(ctx, "default", &certificateauthority.CertificateArgs{
Location: pulumi.String("us-central1"),
Pool: _default.Name,
Name: pulumi.String("my-certificate"),
Lifetime: pulumi.String("860s"),
Config: &certificateauthority.CertificateConfigArgs{
SubjectConfig: &certificateauthority.CertificateConfigSubjectConfigArgs{
Subject: &certificateauthority.CertificateConfigSubjectConfigSubjectArgs{
CommonName: pulumi.String("san1.example.com"),
CountryCode: pulumi.String("us"),
Organization: pulumi.String("google"),
OrganizationalUnit: pulumi.String("enterprise"),
Locality: pulumi.String("mountain view"),
Province: pulumi.String("california"),
StreetAddress: pulumi.String("1600 amphitheatre parkway"),
PostalCode: pulumi.String("94109"),
},
},
SubjectKeyId: &certificateauthority.CertificateConfigSubjectKeyIdArgs{
KeyId: pulumi.String("4cf3372289b1d411b999dbb9ebcd44744b6b2fca"),
},
X509Config: &certificateauthority.CertificateConfigX509ConfigArgs{
CaOptions: &certificateauthority.CertificateConfigX509ConfigCaOptionsArgs{
IsCa: pulumi.Bool(false),
},
KeyUsage: &certificateauthority.CertificateConfigX509ConfigKeyUsageArgs{
BaseKeyUsage: &certificateauthority.CertificateConfigX509ConfigKeyUsageBaseKeyUsageArgs{
CrlSign: pulumi.Bool(true),
},
ExtendedKeyUsage: &certificateauthority.CertificateConfigX509ConfigKeyUsageExtendedKeyUsageArgs{
ServerAuth: pulumi.Bool(true),
},
},
},
PublicKey: &certificateauthority.CertificateConfigPublicKeyArgs{
Format: pulumi.String("PEM"),
Key: pulumi.String(invokeFilebase64.Result),
},
},
}, pulumi.DependsOn([]pulumi.Resource{
defaultAuthority,
}))
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
using Std = Pulumi.Std;
return await Deployment.RunAsync(() =>
{
var @default = new Gcp.CertificateAuthority.CaPool("default", new()
{
Location = "us-central1",
Name = "my-pool",
Tier = "ENTERPRISE",
});
var defaultAuthority = new Gcp.CertificateAuthority.Authority("default", new()
{
Location = "us-central1",
Pool = @default.Name,
CertificateAuthorityId = "my-authority",
Config = new Gcp.CertificateAuthority.Inputs.AuthorityConfigArgs
{
SubjectConfig = new Gcp.CertificateAuthority.Inputs.AuthorityConfigSubjectConfigArgs
{
Subject = new Gcp.CertificateAuthority.Inputs.AuthorityConfigSubjectConfigSubjectArgs
{
Organization = "HashiCorp",
CommonName = "my-certificate-authority",
},
SubjectAltName = new Gcp.CertificateAuthority.Inputs.AuthorityConfigSubjectConfigSubjectAltNameArgs
{
DnsNames = new[]
{
"hashicorp.com",
},
},
},
X509Config = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigArgs
{
CaOptions = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigCaOptionsArgs
{
IsCa = true,
},
KeyUsage = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigKeyUsageArgs
{
BaseKeyUsage = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs
{
DigitalSignature = true,
CertSign = true,
CrlSign = true,
},
ExtendedKeyUsage = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs
{
ServerAuth = true,
},
},
},
},
Lifetime = "86400s",
KeySpec = new Gcp.CertificateAuthority.Inputs.AuthorityKeySpecArgs
{
Algorithm = "RSA_PKCS1_4096_SHA256",
},
DeletionProtection = false,
SkipGracePeriod = true,
IgnoreActiveCertificatesOnDeletion = true,
});
var defaultCertificate = new Gcp.CertificateAuthority.Certificate("default", new()
{
Location = "us-central1",
Pool = @default.Name,
Name = "my-certificate",
Lifetime = "860s",
Config = new Gcp.CertificateAuthority.Inputs.CertificateConfigArgs
{
SubjectConfig = new Gcp.CertificateAuthority.Inputs.CertificateConfigSubjectConfigArgs
{
Subject = new Gcp.CertificateAuthority.Inputs.CertificateConfigSubjectConfigSubjectArgs
{
CommonName = "san1.example.com",
CountryCode = "us",
Organization = "google",
OrganizationalUnit = "enterprise",
Locality = "mountain view",
Province = "california",
StreetAddress = "1600 amphitheatre parkway",
PostalCode = "94109",
},
},
SubjectKeyId = new Gcp.CertificateAuthority.Inputs.CertificateConfigSubjectKeyIdArgs
{
KeyId = "4cf3372289b1d411b999dbb9ebcd44744b6b2fca",
},
X509Config = new Gcp.CertificateAuthority.Inputs.CertificateConfigX509ConfigArgs
{
CaOptions = new Gcp.CertificateAuthority.Inputs.CertificateConfigX509ConfigCaOptionsArgs
{
IsCa = false,
},
KeyUsage = new Gcp.CertificateAuthority.Inputs.CertificateConfigX509ConfigKeyUsageArgs
{
BaseKeyUsage = new Gcp.CertificateAuthority.Inputs.CertificateConfigX509ConfigKeyUsageBaseKeyUsageArgs
{
CrlSign = true,
},
ExtendedKeyUsage = new Gcp.CertificateAuthority.Inputs.CertificateConfigX509ConfigKeyUsageExtendedKeyUsageArgs
{
ServerAuth = true,
},
},
},
PublicKey = new Gcp.CertificateAuthority.Inputs.CertificateConfigPublicKeyArgs
{
Format = "PEM",
Key = Std.Filebase64.Invoke(new()
{
Input = "test-fixtures/rsa_public.pem",
}).Apply(invoke => invoke.Result),
},
},
}, new CustomResourceOptions
{
DependsOn =
{
defaultAuthority,
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.certificateauthority.CaPool;
import com.pulumi.gcp.certificateauthority.CaPoolArgs;
import com.pulumi.gcp.certificateauthority.Authority;
import com.pulumi.gcp.certificateauthority.AuthorityArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigSubjectConfigArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigSubjectConfigSubjectArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigSubjectConfigSubjectAltNameArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigCaOptionsArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigKeyUsageArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityKeySpecArgs;
import com.pulumi.gcp.certificateauthority.Certificate;
import com.pulumi.gcp.certificateauthority.CertificateArgs;
import com.pulumi.gcp.certificateauthority.inputs.CertificateConfigArgs;
import com.pulumi.gcp.certificateauthority.inputs.CertificateConfigSubjectConfigArgs;
import com.pulumi.gcp.certificateauthority.inputs.CertificateConfigSubjectConfigSubjectArgs;
import com.pulumi.gcp.certificateauthority.inputs.CertificateConfigSubjectKeyIdArgs;
import com.pulumi.gcp.certificateauthority.inputs.CertificateConfigX509ConfigArgs;
import com.pulumi.gcp.certificateauthority.inputs.CertificateConfigX509ConfigCaOptionsArgs;
import com.pulumi.gcp.certificateauthority.inputs.CertificateConfigX509ConfigKeyUsageArgs;
import com.pulumi.gcp.certificateauthority.inputs.CertificateConfigX509ConfigKeyUsageBaseKeyUsageArgs;
import com.pulumi.gcp.certificateauthority.inputs.CertificateConfigX509ConfigKeyUsageExtendedKeyUsageArgs;
import com.pulumi.gcp.certificateauthority.inputs.CertificateConfigPublicKeyArgs;
import com.pulumi.resources.CustomResourceOptions;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var default_ = new CaPool("default", CaPoolArgs.builder()
.location("us-central1")
.name("my-pool")
.tier("ENTERPRISE")
.build());
var defaultAuthority = new Authority("defaultAuthority", AuthorityArgs.builder()
.location("us-central1")
.pool(default_.name())
.certificateAuthorityId("my-authority")
.config(AuthorityConfigArgs.builder()
.subjectConfig(AuthorityConfigSubjectConfigArgs.builder()
.subject(AuthorityConfigSubjectConfigSubjectArgs.builder()
.organization("HashiCorp")
.commonName("my-certificate-authority")
.build())
.subjectAltName(AuthorityConfigSubjectConfigSubjectAltNameArgs.builder()
.dnsNames("hashicorp.com")
.build())
.build())
.x509Config(AuthorityConfigX509ConfigArgs.builder()
.caOptions(AuthorityConfigX509ConfigCaOptionsArgs.builder()
.isCa(true)
.build())
.keyUsage(AuthorityConfigX509ConfigKeyUsageArgs.builder()
.baseKeyUsage(AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs.builder()
.digitalSignature(true)
.certSign(true)
.crlSign(true)
.build())
.extendedKeyUsage(AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs.builder()
.serverAuth(true)
.build())
.build())
.build())
.build())
.lifetime("86400s")
.keySpec(AuthorityKeySpecArgs.builder()
.algorithm("RSA_PKCS1_4096_SHA256")
.build())
.deletionProtection(false)
.skipGracePeriod(true)
.ignoreActiveCertificatesOnDeletion(true)
.build());
var defaultCertificate = new Certificate("defaultCertificate", CertificateArgs.builder()
.location("us-central1")
.pool(default_.name())
.name("my-certificate")
.lifetime("860s")
.config(CertificateConfigArgs.builder()
.subjectConfig(CertificateConfigSubjectConfigArgs.builder()
.subject(CertificateConfigSubjectConfigSubjectArgs.builder()
.commonName("san1.example.com")
.countryCode("us")
.organization("google")
.organizationalUnit("enterprise")
.locality("mountain view")
.province("california")
.streetAddress("1600 amphitheatre parkway")
.postalCode("94109")
.build())
.build())
.subjectKeyId(CertificateConfigSubjectKeyIdArgs.builder()
.keyId("4cf3372289b1d411b999dbb9ebcd44744b6b2fca")
.build())
.x509Config(CertificateConfigX509ConfigArgs.builder()
.caOptions(CertificateConfigX509ConfigCaOptionsArgs.builder()
.isCa(false)
.build())
.keyUsage(CertificateConfigX509ConfigKeyUsageArgs.builder()
.baseKeyUsage(CertificateConfigX509ConfigKeyUsageBaseKeyUsageArgs.builder()
.crlSign(true)
.build())
.extendedKeyUsage(CertificateConfigX509ConfigKeyUsageExtendedKeyUsageArgs.builder()
.serverAuth(true)
.build())
.build())
.build())
.publicKey(CertificateConfigPublicKeyArgs.builder()
.format("PEM")
.key(StdFunctions.filebase64(Filebase64Args.builder()
.input("test-fixtures/rsa_public.pem")
.build()).result())
.build())
.build())
.build(), CustomResourceOptions.builder()
.dependsOn(defaultAuthority)
.build());
}
}
resources:
default:
type: gcp:certificateauthority:CaPool
properties:
location: us-central1
name: my-pool
tier: ENTERPRISE
defaultAuthority:
type: gcp:certificateauthority:Authority
name: default
properties:
location: us-central1
pool: ${default.name}
certificateAuthorityId: my-authority
config:
subjectConfig:
subject:
organization: HashiCorp
commonName: my-certificate-authority
subjectAltName:
dnsNames:
- hashicorp.com
x509Config:
caOptions:
isCa: true
keyUsage:
baseKeyUsage:
digitalSignature: true
certSign: true
crlSign: true
extendedKeyUsage:
serverAuth: true
lifetime: 86400s
keySpec:
algorithm: RSA_PKCS1_4096_SHA256
deletionProtection: false
skipGracePeriod: true
ignoreActiveCertificatesOnDeletion: true
defaultCertificate:
type: gcp:certificateauthority:Certificate
name: default
properties:
location: us-central1
pool: ${default.name}
name: my-certificate
lifetime: 860s
config:
subjectConfig:
subject:
commonName: san1.example.com
countryCode: us
organization: google
organizationalUnit: enterprise
locality: mountain view
province: california
streetAddress: 1600 amphitheatre parkway
postalCode: '94109'
subjectKeyId:
keyId: 4cf3372289b1d411b999dbb9ebcd44744b6b2fca
x509Config:
caOptions:
isCa: false
keyUsage:
baseKeyUsage:
crlSign: true
extendedKeyUsage:
serverAuth: true
publicKey:
format: PEM
key:
fn::invoke:
function: std:filebase64
arguments:
input: test-fixtures/rsa_public.pem
return: result
options:
dependsOn:
- ${defaultAuthority}
Create Certificate Resource
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.
Constructor syntax
new Certificate(name: string, args: CertificateArgs, opts?: CustomResourceOptions);@overload
def Certificate(resource_name: str,
args: CertificateArgs,
opts: Optional[ResourceOptions] = None)
@overload
def Certificate(resource_name: str,
opts: Optional[ResourceOptions] = None,
location: Optional[str] = None,
pool: Optional[str] = None,
certificate_authority: Optional[str] = None,
certificate_template: Optional[str] = None,
config: Optional[CertificateConfigArgs] = None,
labels: Optional[Mapping[str, str]] = None,
lifetime: Optional[str] = None,
name: Optional[str] = None,
pem_csr: Optional[str] = None,
project: Optional[str] = None)func NewCertificate(ctx *Context, name string, args CertificateArgs, opts ...ResourceOption) (*Certificate, error)public Certificate(string name, CertificateArgs args, CustomResourceOptions? opts = null)public Certificate(String name, CertificateArgs args)
public Certificate(String name, CertificateArgs args, CustomResourceOptions options)
type: gcp:certificateauthority:Certificate
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
Parameters
- name
This property is required. string - The unique name of the resource.
- args
This property is required. CertificateArgs - The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name
This property is required. str - The unique name of the resource.
- args
This property is required. CertificateArgs - The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name
This property is required. string - The unique name of the resource.
- args
This property is required. CertificateArgs - The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name
This property is required. string - The unique name of the resource.
- args
This property is required. CertificateArgs - The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name
This property is required. String - The unique name of the resource.
- args
This property is required. CertificateArgs - The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
Constructor example
The following reference example uses placeholder values for all input properties.
var certificateResource = new Gcp.CertificateAuthority.Certificate("certificateResource", new()
{
Location = "string",
Pool = "string",
CertificateAuthority = "string",
CertificateTemplate = "string",
Config = new Gcp.CertificateAuthority.Inputs.CertificateConfigArgs
{
PublicKey = new Gcp.CertificateAuthority.Inputs.CertificateConfigPublicKeyArgs
{
Format = "string",
Key = "string",
},
SubjectConfig = new Gcp.CertificateAuthority.Inputs.CertificateConfigSubjectConfigArgs
{
Subject = new Gcp.CertificateAuthority.Inputs.CertificateConfigSubjectConfigSubjectArgs
{
CommonName = "string",
Organization = "string",
CountryCode = "string",
Locality = "string",
OrganizationalUnit = "string",
PostalCode = "string",
Province = "string",
StreetAddress = "string",
},
SubjectAltName = new Gcp.CertificateAuthority.Inputs.CertificateConfigSubjectConfigSubjectAltNameArgs
{
DnsNames = new[]
{
"string",
},
EmailAddresses = new[]
{
"string",
},
IpAddresses = new[]
{
"string",
},
Uris = new[]
{
"string",
},
},
},
X509Config = new Gcp.CertificateAuthority.Inputs.CertificateConfigX509ConfigArgs
{
KeyUsage = new Gcp.CertificateAuthority.Inputs.CertificateConfigX509ConfigKeyUsageArgs
{
BaseKeyUsage = new Gcp.CertificateAuthority.Inputs.CertificateConfigX509ConfigKeyUsageBaseKeyUsageArgs
{
CertSign = false,
ContentCommitment = false,
CrlSign = false,
DataEncipherment = false,
DecipherOnly = false,
DigitalSignature = false,
EncipherOnly = false,
KeyAgreement = false,
KeyEncipherment = false,
},
ExtendedKeyUsage = new Gcp.CertificateAuthority.Inputs.CertificateConfigX509ConfigKeyUsageExtendedKeyUsageArgs
{
ClientAuth = false,
CodeSigning = false,
EmailProtection = false,
OcspSigning = false,
ServerAuth = false,
TimeStamping = false,
},
UnknownExtendedKeyUsages = new[]
{
new Gcp.CertificateAuthority.Inputs.CertificateConfigX509ConfigKeyUsageUnknownExtendedKeyUsageArgs
{
ObjectIdPaths = new[]
{
0,
},
},
},
},
AdditionalExtensions = new[]
{
new Gcp.CertificateAuthority.Inputs.CertificateConfigX509ConfigAdditionalExtensionArgs
{
Critical = false,
ObjectId = new Gcp.CertificateAuthority.Inputs.CertificateConfigX509ConfigAdditionalExtensionObjectIdArgs
{
ObjectIdPaths = new[]
{
0,
},
},
Value = "string",
},
},
AiaOcspServers = new[]
{
"string",
},
CaOptions = new Gcp.CertificateAuthority.Inputs.CertificateConfigX509ConfigCaOptionsArgs
{
IsCa = false,
MaxIssuerPathLength = 0,
NonCa = false,
ZeroMaxIssuerPathLength = false,
},
NameConstraints = new Gcp.CertificateAuthority.Inputs.CertificateConfigX509ConfigNameConstraintsArgs
{
Critical = false,
ExcludedDnsNames = new[]
{
"string",
},
ExcludedEmailAddresses = new[]
{
"string",
},
ExcludedIpRanges = new[]
{
"string",
},
ExcludedUris = new[]
{
"string",
},
PermittedDnsNames = new[]
{
"string",
},
PermittedEmailAddresses = new[]
{
"string",
},
PermittedIpRanges = new[]
{
"string",
},
PermittedUris = new[]
{
"string",
},
},
PolicyIds = new[]
{
new Gcp.CertificateAuthority.Inputs.CertificateConfigX509ConfigPolicyIdArgs
{
ObjectIdPaths = new[]
{
0,
},
},
},
},
SubjectKeyId = new Gcp.CertificateAuthority.Inputs.CertificateConfigSubjectKeyIdArgs
{
KeyId = "string",
},
},
Labels =
{
{ "string", "string" },
},
Lifetime = "string",
Name = "string",
PemCsr = "string",
Project = "string",
});
example, err := certificateauthority.NewCertificate(ctx, "certificateResource", &certificateauthority.CertificateArgs{
Location: pulumi.String("string"),
Pool: pulumi.String("string"),
CertificateAuthority: pulumi.String("string"),
CertificateTemplate: pulumi.String("string"),
Config: &certificateauthority.CertificateConfigArgs{
PublicKey: &certificateauthority.CertificateConfigPublicKeyArgs{
Format: pulumi.String("string"),
Key: pulumi.String("string"),
},
SubjectConfig: &certificateauthority.CertificateConfigSubjectConfigArgs{
Subject: &certificateauthority.CertificateConfigSubjectConfigSubjectArgs{
CommonName: pulumi.String("string"),
Organization: pulumi.String("string"),
CountryCode: pulumi.String("string"),
Locality: pulumi.String("string"),
OrganizationalUnit: pulumi.String("string"),
PostalCode: pulumi.String("string"),
Province: pulumi.String("string"),
StreetAddress: pulumi.String("string"),
},
SubjectAltName: &certificateauthority.CertificateConfigSubjectConfigSubjectAltNameArgs{
DnsNames: pulumi.StringArray{
pulumi.String("string"),
},
EmailAddresses: pulumi.StringArray{
pulumi.String("string"),
},
IpAddresses: pulumi.StringArray{
pulumi.String("string"),
},
Uris: pulumi.StringArray{
pulumi.String("string"),
},
},
},
X509Config: &certificateauthority.CertificateConfigX509ConfigArgs{
KeyUsage: &certificateauthority.CertificateConfigX509ConfigKeyUsageArgs{
BaseKeyUsage: &certificateauthority.CertificateConfigX509ConfigKeyUsageBaseKeyUsageArgs{
CertSign: pulumi.Bool(false),
ContentCommitment: pulumi.Bool(false),
CrlSign: pulumi.Bool(false),
DataEncipherment: pulumi.Bool(false),
DecipherOnly: pulumi.Bool(false),
DigitalSignature: pulumi.Bool(false),
EncipherOnly: pulumi.Bool(false),
KeyAgreement: pulumi.Bool(false),
KeyEncipherment: pulumi.Bool(false),
},
ExtendedKeyUsage: &certificateauthority.CertificateConfigX509ConfigKeyUsageExtendedKeyUsageArgs{
ClientAuth: pulumi.Bool(false),
CodeSigning: pulumi.Bool(false),
EmailProtection: pulumi.Bool(false),
OcspSigning: pulumi.Bool(false),
ServerAuth: pulumi.Bool(false),
TimeStamping: pulumi.Bool(false),
},
UnknownExtendedKeyUsages: certificateauthority.CertificateConfigX509ConfigKeyUsageUnknownExtendedKeyUsageArray{
&certificateauthority.CertificateConfigX509ConfigKeyUsageUnknownExtendedKeyUsageArgs{
ObjectIdPaths: pulumi.IntArray{
pulumi.Int(0),
},
},
},
},
AdditionalExtensions: certificateauthority.CertificateConfigX509ConfigAdditionalExtensionArray{
&certificateauthority.CertificateConfigX509ConfigAdditionalExtensionArgs{
Critical: pulumi.Bool(false),
ObjectId: &certificateauthority.CertificateConfigX509ConfigAdditionalExtensionObjectIdArgs{
ObjectIdPaths: pulumi.IntArray{
pulumi.Int(0),
},
},
Value: pulumi.String("string"),
},
},
AiaOcspServers: pulumi.StringArray{
pulumi.String("string"),
},
CaOptions: &certificateauthority.CertificateConfigX509ConfigCaOptionsArgs{
IsCa: pulumi.Bool(false),
MaxIssuerPathLength: pulumi.Int(0),
NonCa: pulumi.Bool(false),
ZeroMaxIssuerPathLength: pulumi.Bool(false),
},
NameConstraints: &certificateauthority.CertificateConfigX509ConfigNameConstraintsArgs{
Critical: pulumi.Bool(false),
ExcludedDnsNames: pulumi.StringArray{
pulumi.String("string"),
},
ExcludedEmailAddresses: pulumi.StringArray{
pulumi.String("string"),
},
ExcludedIpRanges: pulumi.StringArray{
pulumi.String("string"),
},
ExcludedUris: pulumi.StringArray{
pulumi.String("string"),
},
PermittedDnsNames: pulumi.StringArray{
pulumi.String("string"),
},
PermittedEmailAddresses: pulumi.StringArray{
pulumi.String("string"),
},
PermittedIpRanges: pulumi.StringArray{
pulumi.String("string"),
},
PermittedUris: pulumi.StringArray{
pulumi.String("string"),
},
},
PolicyIds: certificateauthority.CertificateConfigX509ConfigPolicyIdArray{
&certificateauthority.CertificateConfigX509ConfigPolicyIdArgs{
ObjectIdPaths: pulumi.IntArray{
pulumi.Int(0),
},
},
},
},
SubjectKeyId: &certificateauthority.CertificateConfigSubjectKeyIdArgs{
KeyId: pulumi.String("string"),
},
},
Labels: pulumi.StringMap{
"string": pulumi.String("string"),
},
Lifetime: pulumi.String("string"),
Name: pulumi.String("string"),
PemCsr: pulumi.String("string"),
Project: pulumi.String("string"),
})
var certificateResource = new Certificate("certificateResource", CertificateArgs.builder()
.location("string")
.pool("string")
.certificateAuthority("string")
.certificateTemplate("string")
.config(CertificateConfigArgs.builder()
.publicKey(CertificateConfigPublicKeyArgs.builder()
.format("string")
.key("string")
.build())
.subjectConfig(CertificateConfigSubjectConfigArgs.builder()
.subject(CertificateConfigSubjectConfigSubjectArgs.builder()
.commonName("string")
.organization("string")
.countryCode("string")
.locality("string")
.organizationalUnit("string")
.postalCode("string")
.province("string")
.streetAddress("string")
.build())
.subjectAltName(CertificateConfigSubjectConfigSubjectAltNameArgs.builder()
.dnsNames("string")
.emailAddresses("string")
.ipAddresses("string")
.uris("string")
.build())
.build())
.x509Config(CertificateConfigX509ConfigArgs.builder()
.keyUsage(CertificateConfigX509ConfigKeyUsageArgs.builder()
.baseKeyUsage(CertificateConfigX509ConfigKeyUsageBaseKeyUsageArgs.builder()
.certSign(false)
.contentCommitment(false)
.crlSign(false)
.dataEncipherment(false)
.decipherOnly(false)
.digitalSignature(false)
.encipherOnly(false)
.keyAgreement(false)
.keyEncipherment(false)
.build())
.extendedKeyUsage(CertificateConfigX509ConfigKeyUsageExtendedKeyUsageArgs.builder()
.clientAuth(false)
.codeSigning(false)
.emailProtection(false)
.ocspSigning(false)
.serverAuth(false)
.timeStamping(false)
.build())
.unknownExtendedKeyUsages(CertificateConfigX509ConfigKeyUsageUnknownExtendedKeyUsageArgs.builder()
.objectIdPaths(0)
.build())
.build())
.additionalExtensions(CertificateConfigX509ConfigAdditionalExtensionArgs.builder()
.critical(false)
.objectId(CertificateConfigX509ConfigAdditionalExtensionObjectIdArgs.builder()
.objectIdPaths(0)
.build())
.value("string")
.build())
.aiaOcspServers("string")
.caOptions(CertificateConfigX509ConfigCaOptionsArgs.builder()
.isCa(false)
.maxIssuerPathLength(0)
.nonCa(false)
.zeroMaxIssuerPathLength(false)
.build())
.nameConstraints(CertificateConfigX509ConfigNameConstraintsArgs.builder()
.critical(false)
.excludedDnsNames("string")
.excludedEmailAddresses("string")
.excludedIpRanges("string")
.excludedUris("string")
.permittedDnsNames("string")
.permittedEmailAddresses("string")
.permittedIpRanges("string")
.permittedUris("string")
.build())
.policyIds(CertificateConfigX509ConfigPolicyIdArgs.builder()
.objectIdPaths(0)
.build())
.build())
.subjectKeyId(CertificateConfigSubjectKeyIdArgs.builder()
.keyId("string")
.build())
.build())
.labels(Map.of("string", "string"))
.lifetime("string")
.name("string")
.pemCsr("string")
.project("string")
.build());
certificate_resource = gcp.certificateauthority.Certificate("certificateResource",
location="string",
pool="string",
certificate_authority="string",
certificate_template="string",
config={
"public_key": {
"format": "string",
"key": "string",
},
"subject_config": {
"subject": {
"common_name": "string",
"organization": "string",
"country_code": "string",
"locality": "string",
"organizational_unit": "string",
"postal_code": "string",
"province": "string",
"street_address": "string",
},
"subject_alt_name": {
"dns_names": ["string"],
"email_addresses": ["string"],
"ip_addresses": ["string"],
"uris": ["string"],
},
},
"x509_config": {
"key_usage": {
"base_key_usage": {
"cert_sign": False,
"content_commitment": False,
"crl_sign": False,
"data_encipherment": False,
"decipher_only": False,
"digital_signature": False,
"encipher_only": False,
"key_agreement": False,
"key_encipherment": False,
},
"extended_key_usage": {
"client_auth": False,
"code_signing": False,
"email_protection": False,
"ocsp_signing": False,
"server_auth": False,
"time_stamping": False,
},
"unknown_extended_key_usages": [{
"object_id_paths": [0],
}],
},
"additional_extensions": [{
"critical": False,
"object_id": {
"object_id_paths": [0],
},
"value": "string",
}],
"aia_ocsp_servers": ["string"],
"ca_options": {
"is_ca": False,
"max_issuer_path_length": 0,
"non_ca": False,
"zero_max_issuer_path_length": False,
},
"name_constraints": {
"critical": False,
"excluded_dns_names": ["string"],
"excluded_email_addresses": ["string"],
"excluded_ip_ranges": ["string"],
"excluded_uris": ["string"],
"permitted_dns_names": ["string"],
"permitted_email_addresses": ["string"],
"permitted_ip_ranges": ["string"],
"permitted_uris": ["string"],
},
"policy_ids": [{
"object_id_paths": [0],
}],
},
"subject_key_id": {
"key_id": "string",
},
},
labels={
"string": "string",
},
lifetime="string",
name="string",
pem_csr="string",
project="string")
const certificateResource = new gcp.certificateauthority.Certificate("certificateResource", {
location: "string",
pool: "string",
certificateAuthority: "string",
certificateTemplate: "string",
config: {
publicKey: {
format: "string",
key: "string",
},
subjectConfig: {
subject: {
commonName: "string",
organization: "string",
countryCode: "string",
locality: "string",
organizationalUnit: "string",
postalCode: "string",
province: "string",
streetAddress: "string",
},
subjectAltName: {
dnsNames: ["string"],
emailAddresses: ["string"],
ipAddresses: ["string"],
uris: ["string"],
},
},
x509Config: {
keyUsage: {
baseKeyUsage: {
certSign: false,
contentCommitment: false,
crlSign: false,
dataEncipherment: false,
decipherOnly: false,
digitalSignature: false,
encipherOnly: false,
keyAgreement: false,
keyEncipherment: false,
},
extendedKeyUsage: {
clientAuth: false,
codeSigning: false,
emailProtection: false,
ocspSigning: false,
serverAuth: false,
timeStamping: false,
},
unknownExtendedKeyUsages: [{
objectIdPaths: [0],
}],
},
additionalExtensions: [{
critical: false,
objectId: {
objectIdPaths: [0],
},
value: "string",
}],
aiaOcspServers: ["string"],
caOptions: {
isCa: false,
maxIssuerPathLength: 0,
nonCa: false,
zeroMaxIssuerPathLength: false,
},
nameConstraints: {
critical: false,
excludedDnsNames: ["string"],
excludedEmailAddresses: ["string"],
excludedIpRanges: ["string"],
excludedUris: ["string"],
permittedDnsNames: ["string"],
permittedEmailAddresses: ["string"],
permittedIpRanges: ["string"],
permittedUris: ["string"],
},
policyIds: [{
objectIdPaths: [0],
}],
},
subjectKeyId: {
keyId: "string",
},
},
labels: {
string: "string",
},
lifetime: "string",
name: "string",
pemCsr: "string",
project: "string",
});
type: gcp:certificateauthority:Certificate
properties:
certificateAuthority: string
certificateTemplate: string
config:
publicKey:
format: string
key: string
subjectConfig:
subject:
commonName: string
countryCode: string
locality: string
organization: string
organizationalUnit: string
postalCode: string
province: string
streetAddress: string
subjectAltName:
dnsNames:
- string
emailAddresses:
- string
ipAddresses:
- string
uris:
- string
subjectKeyId:
keyId: string
x509Config:
additionalExtensions:
- critical: false
objectId:
objectIdPaths:
- 0
value: string
aiaOcspServers:
- string
caOptions:
isCa: false
maxIssuerPathLength: 0
nonCa: false
zeroMaxIssuerPathLength: false
keyUsage:
baseKeyUsage:
certSign: false
contentCommitment: false
crlSign: false
dataEncipherment: false
decipherOnly: false
digitalSignature: false
encipherOnly: false
keyAgreement: false
keyEncipherment: false
extendedKeyUsage:
clientAuth: false
codeSigning: false
emailProtection: false
ocspSigning: false
serverAuth: false
timeStamping: false
unknownExtendedKeyUsages:
- objectIdPaths:
- 0
nameConstraints:
critical: false
excludedDnsNames:
- string
excludedEmailAddresses:
- string
excludedIpRanges:
- string
excludedUris:
- string
permittedDnsNames:
- string
permittedEmailAddresses:
- string
permittedIpRanges:
- string
permittedUris:
- string
policyIds:
- objectIdPaths:
- 0
labels:
string: string
lifetime: string
location: string
name: string
pemCsr: string
pool: string
project: string
Certificate Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.
The Certificate resource accepts the following input properties:
- Location
string
This property is required. 
Changes to this property will trigger replacement. - Location of the Certificate. A full list of valid locations can be found by
running
gcloud privateca locations list. - Pool
string
This property is required. Changes to this property will trigger replacement. - The name of the CaPool this Certificate belongs to.
- The Certificate Authority ID that should issue the certificate. For example, to issue a Certificate from
a Certificate Authority with resource name
projects/my-project/locations/us-central1/caPools/my-pool/certificateAuthorities/my-ca, argumentpoolshould be set toprojects/my-project/locations/us-central1/caPools/my-pool, argumentcertificate_authorityshould be set tomy-ca. - Certificate
Template - The resource name for a CertificateTemplate used to issue this certificate,
in the format
projects/*/locations/*/certificateTemplates/*. If this is specified, the caller must have the necessary permission to use this template. If this is omitted, no template will be used. This template must be in the same location as the Certificate. - Config
Config - The config used to create a self-signed X.509 certificate or CSR. Structure is documented below.
- Labels Dictionary<string, string>
Labels with user-defined metadata to apply to this resource.
Note: This field is non-authoritative, and will only manage the labels present in your configuration. Please refer to the field
effective_labelsfor all of the labels present on the resource.- Lifetime
- The desired lifetime of the CA certificate. Used to create the "notBeforeTime" and "notAfterTime" fields inside an X.509 certificate. A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s".
- Name
- The name for this Certificate.
- Pem
Csr - Immutable. A pem-encoded X.509 certificate signing request (CSR).
- Project
- The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
- Location
string
This property is required. Changes to this property will trigger replacement. - Location of the Certificate. A full list of valid locations can be found by
running
gcloud privateca locations list. - Pool
string
This property is required. Changes to this property will trigger replacement. - The name of the CaPool this Certificate belongs to.
- The Certificate Authority ID that should issue the certificate. For example, to issue a Certificate from
a Certificate Authority with resource name
projects/my-project/locations/us-central1/caPools/my-pool/certificateAuthorities/my-ca, argumentpoolshould be set toprojects/my-project/locations/us-central1/caPools/my-pool, argumentcertificate_authorityshould be set tomy-ca. - Certificate
Template - The resource name for a CertificateTemplate used to issue this certificate,
in the format
projects/*/locations/*/certificateTemplates/*. If this is specified, the caller must have the necessary permission to use this template. If this is omitted, no template will be used. This template must be in the same location as the Certificate. - Config
Config Args - The config used to create a self-signed X.509 certificate or CSR. Structure is documented below.
- Labels map[string]string
Labels with user-defined metadata to apply to this resource.
Note: This field is non-authoritative, and will only manage the labels present in your configuration. Please refer to the field
effective_labelsfor all of the labels present on the resource.- Lifetime
- The desired lifetime of the CA certificate. Used to create the "notBeforeTime" and "notAfterTime" fields inside an X.509 certificate. A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s".
- Name
- The name for this Certificate.
- Pem
Csr - Immutable. A pem-encoded X.509 certificate signing request (CSR).
- Project
- The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
- location
String
This property is required. Changes to this property will trigger replacement. - Location of the Certificate. A full list of valid locations can be found by
running
gcloud privateca locations list. - pool
String
This property is required. Changes to this property will trigger replacement. - The name of the CaPool this Certificate belongs to.
- The Certificate Authority ID that should issue the certificate. For example, to issue a Certificate from
a Certificate Authority with resource name
projects/my-project/locations/us-central1/caPools/my-pool/certificateAuthorities/my-ca, argumentpoolshould be set toprojects/my-project/locations/us-central1/caPools/my-pool, argumentcertificate_authorityshould be set tomy-ca. - certificate
Template - The resource name for a CertificateTemplate used to issue this certificate,
in the format
projects/*/locations/*/certificateTemplates/*. If this is specified, the caller must have the necessary permission to use this template. If this is omitted, no template will be used. This template must be in the same location as the Certificate. - config
Config - The config used to create a self-signed X.509 certificate or CSR. Structure is documented below.
- labels Map<String,String>
Labels with user-defined metadata to apply to this resource.
Note: This field is non-authoritative, and will only manage the labels present in your configuration. Please refer to the field
effective_labelsfor all of the labels present on the resource.- lifetime
- The desired lifetime of the CA certificate. Used to create the "notBeforeTime" and "notAfterTime" fields inside an X.509 certificate. A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s".
- name
- The name for this Certificate.
- pem
Csr - Immutable. A pem-encoded X.509 certificate signing request (CSR).
- project
- The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
- location
string
This property is required. Changes to this property will trigger replacement. - Location of the Certificate. A full list of valid locations can be found by
running
gcloud privateca locations list. - pool
string
This property is required. Changes to this property will trigger replacement. - The name of the CaPool this Certificate belongs to.
- The Certificate Authority ID that should issue the certificate. For example, to issue a Certificate from
a Certificate Authority with resource name
projects/my-project/locations/us-central1/caPools/my-pool/certificateAuthorities/my-ca, argumentpoolshould be set toprojects/my-project/locations/us-central1/caPools/my-pool, argumentcertificate_authorityshould be set tomy-ca. - certificate
Template - The resource name for a CertificateTemplate used to issue this certificate,
in the format
projects/*/locations/*/certificateTemplates/*. If this is specified, the caller must have the necessary permission to use this template. If this is omitted, no template will be used. This template must be in the same location as the Certificate. - config
Config - The config used to create a self-signed X.509 certificate or CSR. Structure is documented below.
- labels {[key: string]: string}
Labels with user-defined metadata to apply to this resource.
Note: This field is non-authoritative, and will only manage the labels present in your configuration. Please refer to the field
effective_labelsfor all of the labels present on the resource.- lifetime
- The desired lifetime of the CA certificate. Used to create the "notBeforeTime" and "notAfterTime" fields inside an X.509 certificate. A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s".
- name
- The name for this Certificate.
- pem
Csr - Immutable. A pem-encoded X.509 certificate signing request (CSR).
- project
- The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
- location
str
This property is required. Changes to this property will trigger replacement. - Location of the Certificate. A full list of valid locations can be found by
running
gcloud privateca locations list. - pool
str
This property is required. Changes to this property will trigger replacement. - The name of the CaPool this Certificate belongs to.
- The Certificate Authority ID that should issue the certificate. For example, to issue a Certificate from
a Certificate Authority with resource name
projects/my-project/locations/us-central1/caPools/my-pool/certificateAuthorities/my-ca, argumentpoolshould be set toprojects/my-project/locations/us-central1/caPools/my-pool, argumentcertificate_authorityshould be set tomy-ca. - certificate_
template - The resource name for a CertificateTemplate used to issue this certificate,
in the format
projects/*/locations/*/certificateTemplates/*. If this is specified, the caller must have the necessary permission to use this template. If this is omitted, no template will be used. This template must be in the same location as the Certificate. - config
Config Args - The config used to create a self-signed X.509 certificate or CSR. Structure is documented below.
- labels Mapping[str, str]
Labels with user-defined metadata to apply to this resource.
Note: This field is non-authoritative, and will only manage the labels present in your configuration. Please refer to the field
effective_labelsfor all of the labels present on the resource.- lifetime
- The desired lifetime of the CA certificate. Used to create the "notBeforeTime" and "notAfterTime" fields inside an X.509 certificate. A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s".
- name
- The name for this Certificate.
- pem_
csr - Immutable. A pem-encoded X.509 certificate signing request (CSR).
- project
- The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
- location
String
This property is required. Changes to this property will trigger replacement. - Location of the Certificate. A full list of valid locations can be found by
running
gcloud privateca locations list. - pool
String
This property is required. Changes to this property will trigger replacement. - The name of the CaPool this Certificate belongs to.
- The Certificate Authority ID that should issue the certificate. For example, to issue a Certificate from
a Certificate Authority with resource name
projects/my-project/locations/us-central1/caPools/my-pool/certificateAuthorities/my-ca, argumentpoolshould be set toprojects/my-project/locations/us-central1/caPools/my-pool, argumentcertificate_authorityshould be set tomy-ca. - certificate
Template - The resource name for a CertificateTemplate used to issue this certificate,
in the format
projects/*/locations/*/certificateTemplates/*. If this is specified, the caller must have the necessary permission to use this template. If this is omitted, no template will be used. This template must be in the same location as the Certificate. - config
- The config used to create a self-signed X.509 certificate or CSR. Structure is documented below.
- labels Map<String>
Labels with user-defined metadata to apply to this resource.
Note: This field is non-authoritative, and will only manage the labels present in your configuration. Please refer to the field
effective_labelsfor all of the labels present on the resource.- lifetime
- The desired lifetime of the CA certificate. Used to create the "notBeforeTime" and "notAfterTime" fields inside an X.509 certificate. A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s".
- name
- The name for this Certificate.
- pem
Csr - Immutable. A pem-encoded X.509 certificate signing request (CSR).
- project
- The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
Outputs
All input properties are implicitly available as output properties. Additionally, the Certificate resource produces the following output properties:
- Certificate
Descriptions List<CertificateCertificate Description> - Output only. Details regarding the revocation of this Certificate. This Certificate is considered revoked if and only if this field is present. Structure is documented below.
- Create
Time string - The time that this resource was created on the server. This is in RFC3339 text format.
- Effective
Labels Dictionary<string, string> - All of labels (key/value pairs) present on the resource in GCP, including the labels configured through Pulumi, other clients and services.
- Id string
- The provider-assigned unique ID for this managed resource.
- string
- The resource name of the issuing CertificateAuthority in the format
projects/*/locations/*/caPools/*/certificateAuthorities/*. - Pem
Certificate string - Output only. The pem-encoded, signed X.509 certificate.
- Pem
Certificate List<string>Chains - The chain that may be used to verify the X.509 certificate. Expected to be in issuer-to-root order according to RFC 5246.
- Pulumi
Labels Dictionary<string, string> - The combination of labels configured directly on the resource and default labels configured on the provider.
- Revocation
Details List<CertificateRevocation Detail> - Output only. Details regarding the revocation of this Certificate. This Certificate is considered revoked if and only if this field is present. Structure is documented below.
- Update
Time string - Output only. The time at which this CertificateAuthority was updated. This is in RFC3339 text format.
- Certificate
Descriptions []CertificateCertificate Description - Output only. Details regarding the revocation of this Certificate. This Certificate is considered revoked if and only if this field is present. Structure is documented below.
- Create
Time string - The time that this resource was created on the server. This is in RFC3339 text format.
- Effective
Labels map[string]string - All of labels (key/value pairs) present on the resource in GCP, including the labels configured through Pulumi, other clients and services.
- Id string
- The provider-assigned unique ID for this managed resource.
- string
- The resource name of the issuing CertificateAuthority in the format
projects/*/locations/*/caPools/*/certificateAuthorities/*. - Pem
Certificate string - Output only. The pem-encoded, signed X.509 certificate.
- Pem
Certificate []stringChains - The chain that may be used to verify the X.509 certificate. Expected to be in issuer-to-root order according to RFC 5246.
- Pulumi
Labels map[string]string - The combination of labels configured directly on the resource and default labels configured on the provider.
- Revocation
Details []CertificateRevocation Detail - Output only. Details regarding the revocation of this Certificate. This Certificate is considered revoked if and only if this field is present. Structure is documented below.
- Update
Time string - Output only. The time at which this CertificateAuthority was updated. This is in RFC3339 text format.
- certificate
Descriptions List<CertificateCertificate Description> - Output only. Details regarding the revocation of this Certificate. This Certificate is considered revoked if and only if this field is present. Structure is documented below.
- create
Time String - The time that this resource was created on the server. This is in RFC3339 text format.
- effective
Labels Map<String,String> - All of labels (key/value pairs) present on the resource in GCP, including the labels configured through Pulumi, other clients and services.
- id String
- The provider-assigned unique ID for this managed resource.
- String
- The resource name of the issuing CertificateAuthority in the format
projects/*/locations/*/caPools/*/certificateAuthorities/*. - pem
Certificate String - Output only. The pem-encoded, signed X.509 certificate.
- pem
Certificate List<String>Chains - The chain that may be used to verify the X.509 certificate. Expected to be in issuer-to-root order according to RFC 5246.
- pulumi
Labels Map<String,String> - The combination of labels configured directly on the resource and default labels configured on the provider.
- revocation
Details List<CertificateRevocation Detail> - Output only. Details regarding the revocation of this Certificate. This Certificate is considered revoked if and only if this field is present. Structure is documented below.
- update
Time String - Output only. The time at which this CertificateAuthority was updated. This is in RFC3339 text format.
- certificate
Descriptions CertificateCertificate Description[] - Output only. Details regarding the revocation of this Certificate. This Certificate is considered revoked if and only if this field is present. Structure is documented below.
- create
Time string - The time that this resource was created on the server. This is in RFC3339 text format.
- effective
Labels {[key: string]: string} - All of labels (key/value pairs) present on the resource in GCP, including the labels configured through Pulumi, other clients and services.
- id string
- The provider-assigned unique ID for this managed resource.
- string
- The resource name of the issuing CertificateAuthority in the format
projects/*/locations/*/caPools/*/certificateAuthorities/*. - pem
Certificate string - Output only. The pem-encoded, signed X.509 certificate.
- pem
Certificate string[]Chains - The chain that may be used to verify the X.509 certificate. Expected to be in issuer-to-root order according to RFC 5246.
- pulumi
Labels {[key: string]: string} - The combination of labels configured directly on the resource and default labels configured on the provider.
- revocation
Details CertificateRevocation Detail[] - Output only. Details regarding the revocation of this Certificate. This Certificate is considered revoked if and only if this field is present. Structure is documented below.
- update
Time string - Output only. The time at which this CertificateAuthority was updated. This is in RFC3339 text format.
- certificate_
descriptions Sequence[CertificateCertificate Description] - Output only. Details regarding the revocation of this Certificate. This Certificate is considered revoked if and only if this field is present. Structure is documented below.
- create_
time str - The time that this resource was created on the server. This is in RFC3339 text format.
- effective_
labels Mapping[str, str] - All of labels (key/value pairs) present on the resource in GCP, including the labels configured through Pulumi, other clients and services.
- id str
- The provider-assigned unique ID for this managed resource.
- str
- The resource name of the issuing CertificateAuthority in the format
projects/*/locations/*/caPools/*/certificateAuthorities/*. - pem_
certificate str - Output only. The pem-encoded, signed X.509 certificate.
- pem_
certificate_ Sequence[str]chains - The chain that may be used to verify the X.509 certificate. Expected to be in issuer-to-root order according to RFC 5246.
- pulumi_
labels Mapping[str, str] - The combination of labels configured directly on the resource and default labels configured on the provider.
- revocation_
details Sequence[CertificateRevocation Detail] - Output only. Details regarding the revocation of this Certificate. This Certificate is considered revoked if and only if this field is present. Structure is documented below.
- update_
time str - Output only. The time at which this CertificateAuthority was updated. This is in RFC3339 text format.
- certificate
Descriptions List<Property Map> - Output only. Details regarding the revocation of this Certificate. This Certificate is considered revoked if and only if this field is present. Structure is documented below.
- create
Time String - The time that this resource was created on the server. This is in RFC3339 text format.
- effective
Labels Map<String> - All of labels (key/value pairs) present on the resource in GCP, including the labels configured through Pulumi, other clients and services.
- id String
- The provider-assigned unique ID for this managed resource.
- String
- The resource name of the issuing CertificateAuthority in the format
projects/*/locations/*/caPools/*/certificateAuthorities/*. - pem
Certificate String - Output only. The pem-encoded, signed X.509 certificate.
- pem
Certificate List<String>Chains - The chain that may be used to verify the X.509 certificate. Expected to be in issuer-to-root order according to RFC 5246.
- pulumi
Labels Map<String> - The combination of labels configured directly on the resource and default labels configured on the provider.
- revocation
Details List<Property Map> - Output only. Details regarding the revocation of this Certificate. This Certificate is considered revoked if and only if this field is present. Structure is documented below.
- update
Time String - Output only. The time at which this CertificateAuthority was updated. This is in RFC3339 text format.
Look up Existing Certificate Resource
Get an existing Certificate resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: CertificateState, opts?: CustomResourceOptions): Certificate@staticmethod
def get(resource_name: str,
id: str,
opts: Optional[ResourceOptions] = None,
certificate_authority: Optional[str] = None,
certificate_descriptions: Optional[Sequence[CertificateCertificateDescriptionArgs]] = None,
certificate_template: Optional[str] = None,
config: Optional[CertificateConfigArgs] = None,
create_time: Optional[str] = None,
effective_labels: Optional[Mapping[str, str]] = None,
issuer_certificate_authority: Optional[str] = None,
labels: Optional[Mapping[str, str]] = None,
lifetime: Optional[str] = None,
location: Optional[str] = None,
name: Optional[str] = None,
pem_certificate: Optional[str] = None,
pem_certificate_chains: Optional[Sequence[str]] = None,
pem_csr: Optional[str] = None,
pool: Optional[str] = None,
project: Optional[str] = None,
pulumi_labels: Optional[Mapping[str, str]] = None,
revocation_details: Optional[Sequence[CertificateRevocationDetailArgs]] = None,
update_time: Optional[str] = None) -> Certificatefunc GetCertificate(ctx *Context, name string, id IDInput, state *CertificateState, opts ...ResourceOption) (*Certificate, error)public static Certificate Get(string name, Input<string> id, CertificateState? state, CustomResourceOptions? opts = null)public static Certificate get(String name, Output<String> id, CertificateState state, CustomResourceOptions options)Resource lookup is not supported in YAML- name
This property is required. - The unique name of the resulting resource.
- id
This property is required. - The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
This property is required. - The unique name of the resulting resource.
- id
This property is required. - The unique provider ID of the resource to lookup.
- name
This property is required. - The unique name of the resulting resource.
- id
This property is required. - The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
This property is required. - The unique name of the resulting resource.
- id
This property is required. - The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
This property is required. - The unique name of the resulting resource.
- id
This property is required. - The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
The following state arguments are supported:
- The Certificate Authority ID that should issue the certificate. For example, to issue a Certificate from
a Certificate Authority with resource name
projects/my-project/locations/us-central1/caPools/my-pool/certificateAuthorities/my-ca, argumentpoolshould be set toprojects/my-project/locations/us-central1/caPools/my-pool, argumentcertificate_authorityshould be set tomy-ca. - Certificate
Descriptions List<CertificateCertificate Description> - Output only. Details regarding the revocation of this Certificate. This Certificate is considered revoked if and only if this field is present. Structure is documented below.
- Certificate
Template - The resource name for a CertificateTemplate used to issue this certificate,
in the format
projects/*/locations/*/certificateTemplates/*. If this is specified, the caller must have the necessary permission to use this template. If this is omitted, no template will be used. This template must be in the same location as the Certificate. - Config
Config - The config used to create a self-signed X.509 certificate or CSR. Structure is documented below.
- Create
Time string - The time that this resource was created on the server. This is in RFC3339 text format.
- Effective
Labels Dictionary<string, string> - All of labels (key/value pairs) present on the resource in GCP, including the labels configured through Pulumi, other clients and services.
- string
- The resource name of the issuing CertificateAuthority in the format
projects/*/locations/*/caPools/*/certificateAuthorities/*. - Labels Dictionary<string, string>
Labels with user-defined metadata to apply to this resource.
Note: This field is non-authoritative, and will only manage the labels present in your configuration. Please refer to the field
effective_labelsfor all of the labels present on the resource.- Lifetime
- The desired lifetime of the CA certificate. Used to create the "notBeforeTime" and "notAfterTime" fields inside an X.509 certificate. A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s".
- Location
- Location of the Certificate. A full list of valid locations can be found by
running
gcloud privateca locations list. - Name
- The name for this Certificate.
- Pem
Certificate string - Output only. The pem-encoded, signed X.509 certificate.
- Pem
Certificate List<string>Chains - The chain that may be used to verify the X.509 certificate. Expected to be in issuer-to-root order according to RFC 5246.
- Pem
Csr - Immutable. A pem-encoded X.509 certificate signing request (CSR).
- Pool
- The name of the CaPool this Certificate belongs to.
- Project
- The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
- Pulumi
Labels Dictionary<string, string> - The combination of labels configured directly on the resource and default labels configured on the provider.
- Revocation
Details List<CertificateRevocation Detail> - Output only. Details regarding the revocation of this Certificate. This Certificate is considered revoked if and only if this field is present. Structure is documented below.
- Update
Time string - Output only. The time at which this CertificateAuthority was updated. This is in RFC3339 text format.
- The Certificate Authority ID that should issue the certificate. For example, to issue a Certificate from
a Certificate Authority with resource name
projects/my-project/locations/us-central1/caPools/my-pool/certificateAuthorities/my-ca, argumentpoolshould be set toprojects/my-project/locations/us-central1/caPools/my-pool, argumentcertificate_authorityshould be set tomy-ca. - Certificate
Descriptions []CertificateCertificate Description Args - Output only. Details regarding the revocation of this Certificate. This Certificate is considered revoked if and only if this field is present. Structure is documented below.
- Certificate
Template - The resource name for a CertificateTemplate used to issue this certificate,
in the format
projects/*/locations/*/certificateTemplates/*. If this is specified, the caller must have the necessary permission to use this template. If this is omitted, no template will be used. This template must be in the same location as the Certificate. - Config
Config Args - The config used to create a self-signed X.509 certificate or CSR. Structure is documented below.
- Create
Time string - The time that this resource was created on the server. This is in RFC3339 text format.
- Effective
Labels map[string]string - All of labels (key/value pairs) present on the resource in GCP, including the labels configured through Pulumi, other clients and services.
- string
- The resource name of the issuing CertificateAuthority in the format
projects/*/locations/*/caPools/*/certificateAuthorities/*. - Labels map[string]string
Labels with user-defined metadata to apply to this resource.
Note: This field is non-authoritative, and will only manage the labels present in your configuration. Please refer to the field
effective_labelsfor all of the labels present on the resource.- Lifetime
- The desired lifetime of the CA certificate. Used to create the "notBeforeTime" and "notAfterTime" fields inside an X.509 certificate. A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s".
- Location
- Location of the Certificate. A full list of valid locations can be found by
running
gcloud privateca locations list. - Name
- The name for this Certificate.
- Pem
Certificate string - Output only. The pem-encoded, signed X.509 certificate.
- Pem
Certificate []stringChains - The chain that may be used to verify the X.509 certificate. Expected to be in issuer-to-root order according to RFC 5246.
- Pem
Csr - Immutable. A pem-encoded X.509 certificate signing request (CSR).
- Pool
- The name of the CaPool this Certificate belongs to.
- Project
- The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
- Pulumi
Labels map[string]string - The combination of labels configured directly on the resource and default labels configured on the provider.
- Revocation
Details []CertificateRevocation Detail Args - Output only. Details regarding the revocation of this Certificate. This Certificate is considered revoked if and only if this field is present. Structure is documented below.
- Update
Time string - Output only. The time at which this CertificateAuthority was updated. This is in RFC3339 text format.
- The Certificate Authority ID that should issue the certificate. For example, to issue a Certificate from
a Certificate Authority with resource name
projects/my-project/locations/us-central1/caPools/my-pool/certificateAuthorities/my-ca, argumentpoolshould be set toprojects/my-project/locations/us-central1/caPools/my-pool, argumentcertificate_authorityshould be set tomy-ca. - certificate
Descriptions List<CertificateCertificate Description> - Output only. Details regarding the revocation of this Certificate. This Certificate is considered revoked if and only if this field is present. Structure is documented below.
- certificate
Template - The resource name for a CertificateTemplate used to issue this certificate,
in the format
projects/*/locations/*/certificateTemplates/*. If this is specified, the caller must have the necessary permission to use this template. If this is omitted, no template will be used. This template must be in the same location as the Certificate. - config
Config - The config used to create a self-signed X.509 certificate or CSR. Structure is documented below.
- create
Time String - The time that this resource was created on the server. This is in RFC3339 text format.
- effective
Labels Map<String,String> - All of labels (key/value pairs) present on the resource in GCP, including the labels configured through Pulumi, other clients and services.
- String
- The resource name of the issuing CertificateAuthority in the format
projects/*/locations/*/caPools/*/certificateAuthorities/*. - labels Map<String,String>
Labels with user-defined metadata to apply to this resource.
Note: This field is non-authoritative, and will only manage the labels present in your configuration. Please refer to the field
effective_labelsfor all of the labels present on the resource.- lifetime
- The desired lifetime of the CA certificate. Used to create the "notBeforeTime" and "notAfterTime" fields inside an X.509 certificate. A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s".
- location
- Location of the Certificate. A full list of valid locations can be found by
running
gcloud privateca locations list. - name
- The name for this Certificate.
- pem
Certificate String - Output only. The pem-encoded, signed X.509 certificate.
- pem
Certificate List<String>Chains - The chain that may be used to verify the X.509 certificate. Expected to be in issuer-to-root order according to RFC 5246.
- pem
Csr - Immutable. A pem-encoded X.509 certificate signing request (CSR).
- pool
- The name of the CaPool this Certificate belongs to.
- project
- The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
- pulumi
Labels Map<String,String> - The combination of labels configured directly on the resource and default labels configured on the provider.
- revocation
Details List<CertificateRevocation Detail> - Output only. Details regarding the revocation of this Certificate. This Certificate is considered revoked if and only if this field is present. Structure is documented below.
- update
Time String - Output only. The time at which this CertificateAuthority was updated. This is in RFC3339 text format.
- The Certificate Authority ID that should issue the certificate. For example, to issue a Certificate from
a Certificate Authority with resource name
projects/my-project/locations/us-central1/caPools/my-pool/certificateAuthorities/my-ca, argumentpoolshould be set toprojects/my-project/locations/us-central1/caPools/my-pool, argumentcertificate_authorityshould be set tomy-ca. - certificate
Descriptions CertificateCertificate Description[] - Output only. Details regarding the revocation of this Certificate. This Certificate is considered revoked if and only if this field is present. Structure is documented below.
- certificate
Template - The resource name for a CertificateTemplate used to issue this certificate,
in the format
projects/*/locations/*/certificateTemplates/*. If this is specified, the caller must have the necessary permission to use this template. If this is omitted, no template will be used. This template must be in the same location as the Certificate. - config
Config - The config used to create a self-signed X.509 certificate or CSR. Structure is documented below.
- create
Time string - The time that this resource was created on the server. This is in RFC3339 text format.
- effective
Labels {[key: string]: string} - All of labels (key/value pairs) present on the resource in GCP, including the labels configured through Pulumi, other clients and services.
- string
- The resource name of the issuing CertificateAuthority in the format
projects/*/locations/*/caPools/*/certificateAuthorities/*. - labels {[key: string]: string}
Labels with user-defined metadata to apply to this resource.
Note: This field is non-authoritative, and will only manage the labels present in your configuration. Please refer to the field
effective_labelsfor all of the labels present on the resource.- lifetime
- The desired lifetime of the CA certificate. Used to create the "notBeforeTime" and "notAfterTime" fields inside an X.509 certificate. A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s".
- location
- Location of the Certificate. A full list of valid locations can be found by
running
gcloud privateca locations list. - name
- The name for this Certificate.
- pem
Certificate string - Output only. The pem-encoded, signed X.509 certificate.
- pem
Certificate string[]Chains - The chain that may be used to verify the X.509 certificate. Expected to be in issuer-to-root order according to RFC 5246.
- pem
Csr - Immutable. A pem-encoded X.509 certificate signing request (CSR).
- pool
- The name of the CaPool this Certificate belongs to.
- project
- The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
- pulumi
Labels {[key: string]: string} - The combination of labels configured directly on the resource and default labels configured on the provider.
- revocation
Details CertificateRevocation Detail[] - Output only. Details regarding the revocation of this Certificate. This Certificate is considered revoked if and only if this field is present. Structure is documented below.
- update
Time string - Output only. The time at which this CertificateAuthority was updated. This is in RFC3339 text format.
- The Certificate Authority ID that should issue the certificate. For example, to issue a Certificate from
a Certificate Authority with resource name
projects/my-project/locations/us-central1/caPools/my-pool/certificateAuthorities/my-ca, argumentpoolshould be set toprojects/my-project/locations/us-central1/caPools/my-pool, argumentcertificate_authorityshould be set tomy-ca. - certificate_
descriptions Sequence[CertificateCertificate Description Args] - Output only. Details regarding the revocation of this Certificate. This Certificate is considered revoked if and only if this field is present. Structure is documented below.
- certificate_
template - The resource name for a CertificateTemplate used to issue this certificate,
in the format
projects/*/locations/*/certificateTemplates/*. If this is specified, the caller must have the necessary permission to use this template. If this is omitted, no template will be used. This template must be in the same location as the Certificate. - config
Config Args - The config used to create a self-signed X.509 certificate or CSR. Structure is documented below.
- create_
time str - The time that this resource was created on the server. This is in RFC3339 text format.
- effective_
labels Mapping[str, str] - All of labels (key/value pairs) present on the resource in GCP, including the labels configured through Pulumi, other clients and services.
- str
- The resource name of the issuing CertificateAuthority in the format
projects/*/locations/*/caPools/*/certificateAuthorities/*. - labels Mapping[str, str]
Labels with user-defined metadata to apply to this resource.
Note: This field is non-authoritative, and will only manage the labels present in your configuration. Please refer to the field
effective_labelsfor all of the labels present on the resource.- lifetime
- The desired lifetime of the CA certificate. Used to create the "notBeforeTime" and "notAfterTime" fields inside an X.509 certificate. A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s".
- location
- Location of the Certificate. A full list of valid locations can be found by
running
gcloud privateca locations list. - name
- The name for this Certificate.
- pem_
certificate str - Output only. The pem-encoded, signed X.509 certificate.
- pem_
certificate_ Sequence[str]chains - The chain that may be used to verify the X.509 certificate. Expected to be in issuer-to-root order according to RFC 5246.
- pem_
csr - Immutable. A pem-encoded X.509 certificate signing request (CSR).
- pool
- The name of the CaPool this Certificate belongs to.
- project
- The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
- pulumi_
labels Mapping[str, str] - The combination of labels configured directly on the resource and default labels configured on the provider.
- revocation_
details Sequence[CertificateRevocation Detail Args] - Output only. Details regarding the revocation of this Certificate. This Certificate is considered revoked if and only if this field is present. Structure is documented below.
- update_
time str - Output only. The time at which this CertificateAuthority was updated. This is in RFC3339 text format.
- The Certificate Authority ID that should issue the certificate. For example, to issue a Certificate from
a Certificate Authority with resource name
projects/my-project/locations/us-central1/caPools/my-pool/certificateAuthorities/my-ca, argumentpoolshould be set toprojects/my-project/locations/us-central1/caPools/my-pool, argumentcertificate_authorityshould be set tomy-ca. - certificate
Descriptions List<Property Map> - Output only. Details regarding the revocation of this Certificate. This Certificate is considered revoked if and only if this field is present. Structure is documented below.
- certificate
Template - The resource name for a CertificateTemplate used to issue this certificate,
in the format
projects/*/locations/*/certificateTemplates/*. If this is specified, the caller must have the necessary permission to use this template. If this is omitted, no template will be used. This template must be in the same location as the Certificate. - config
- The config used to create a self-signed X.509 certificate or CSR. Structure is documented below.
- create
Time String - The time that this resource was created on the server. This is in RFC3339 text format.
- effective
Labels Map<String> - All of labels (key/value pairs) present on the resource in GCP, including the labels configured through Pulumi, other clients and services.
- String
- The resource name of the issuing CertificateAuthority in the format
projects/*/locations/*/caPools/*/certificateAuthorities/*. - labels Map<String>
Labels with user-defined metadata to apply to this resource.
Note: This field is non-authoritative, and will only manage the labels present in your configuration. Please refer to the field
effective_labelsfor all of the labels present on the resource.- lifetime
- The desired lifetime of the CA certificate. Used to create the "notBeforeTime" and "notAfterTime" fields inside an X.509 certificate. A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s".
- location
- Location of the Certificate. A full list of valid locations can be found by
running
gcloud privateca locations list. - name
- The name for this Certificate.
- pem
Certificate String - Output only. The pem-encoded, signed X.509 certificate.
- pem
Certificate List<String>Chains - The chain that may be used to verify the X.509 certificate. Expected to be in issuer-to-root order according to RFC 5246.
- pem
Csr - Immutable. A pem-encoded X.509 certificate signing request (CSR).
- pool
- The name of the CaPool this Certificate belongs to.
- project
- The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
- pulumi
Labels Map<String> - The combination of labels configured directly on the resource and default labels configured on the provider.
- revocation
Details List<Property Map> - Output only. Details regarding the revocation of this Certificate. This Certificate is considered revoked if and only if this field is present. Structure is documented below.
- update
Time String - Output only. The time at which this CertificateAuthority was updated. This is in RFC3339 text format.
Supporting Types
CertificateCertificateDescription, CertificateCertificateDescriptionArgs
, CertificateCertificateDescriptionArgs
- Aia
Issuing List<string>Certificate Urls - (Output) Describes lists of issuer CA certificate URLs that appear in the "Authority Information Access" extension in the certificate.
-
List<Certificate
Certificate Description Authority Key Id> - (Output) Identifies the subjectKeyId of the parent certificate, per https://tools.ietf.org/html/rfc5280#section-4.2.1.1 Structure is documented below.
- Cert
Fingerprints List<CertificateCertificate Description Cert Fingerprint> - (Output) The hash of the x.509 certificate. Structure is documented below.
- Crl
Distribution List<string>Points - (Output) Describes a list of locations to obtain CRL information, i.e. the DistributionPoint.fullName described by https://tools.ietf.org/html/rfc5280#section-4.2.1.13
- Public
Keys List<CertificateCertificate Description Public Key> - (Output) A PublicKey describes a public key. Structure is documented below.
- Subject
Descriptions List<CertificateCertificate Description Subject Description> - (Output) Describes some of the values in a certificate that are related to the subject and lifetime. Structure is documented below.
- Subject
Key List<CertificateIds Certificate Description Subject Key Id> - (Output) Provides a means of identifiying certificates that contain a particular public key, per https://tools.ietf.org/html/rfc5280#section-4.2.1.2. Structure is documented below.
- X509Descriptions
List<Certificate
Certificate Description X509Description> - (Output) A structured description of the issued X.509 certificate. Structure is documented below.
- Aia
Issuing []stringCertificate Urls - (Output) Describes lists of issuer CA certificate URLs that appear in the "Authority Information Access" extension in the certificate.
-
[]Certificate
Certificate Description Authority Key Id - (Output) Identifies the subjectKeyId of the parent certificate, per https://tools.ietf.org/html/rfc5280#section-4.2.1.1 Structure is documented below.
- Cert
Fingerprints []CertificateCertificate Description Cert Fingerprint - (Output) The hash of the x.509 certificate. Structure is documented below.
- Crl
Distribution []stringPoints - (Output) Describes a list of locations to obtain CRL information, i.e. the DistributionPoint.fullName described by https://tools.ietf.org/html/rfc5280#section-4.2.1.13
- Public
Keys []CertificateCertificate Description Public Key - (Output) A PublicKey describes a public key. Structure is documented below.
- Subject
Descriptions []CertificateCertificate Description Subject Description - (Output) Describes some of the values in a certificate that are related to the subject and lifetime. Structure is documented below.
- Subject
Key []CertificateIds Certificate Description Subject Key Id - (Output) Provides a means of identifiying certificates that contain a particular public key, per https://tools.ietf.org/html/rfc5280#section-4.2.1.2. Structure is documented below.
- X509Descriptions
[]Certificate
Certificate Description X509Description - (Output) A structured description of the issued X.509 certificate. Structure is documented below.
- aia
Issuing List<String>Certificate Urls - (Output) Describes lists of issuer CA certificate URLs that appear in the "Authority Information Access" extension in the certificate.
-
List<Certificate
Certificate Description Authority Key Id> - (Output) Identifies the subjectKeyId of the parent certificate, per https://tools.ietf.org/html/rfc5280#section-4.2.1.1 Structure is documented below.
- cert
Fingerprints List<CertificateCertificate Description Cert Fingerprint> - (Output) The hash of the x.509 certificate. Structure is documented below.
- crl
Distribution List<String>Points - (Output) Describes a list of locations to obtain CRL information, i.e. the DistributionPoint.fullName described by https://tools.ietf.org/html/rfc5280#section-4.2.1.13
- public
Keys List<CertificateCertificate Description Public Key> - (Output) A PublicKey describes a public key. Structure is documented below.
- subject
Descriptions List<CertificateCertificate Description Subject Description> - (Output) Describes some of the values in a certificate that are related to the subject and lifetime. Structure is documented below.
- subject
Key List<CertificateIds Certificate Description Subject Key Id> - (Output) Provides a means of identifiying certificates that contain a particular public key, per https://tools.ietf.org/html/rfc5280#section-4.2.1.2. Structure is documented below.
- x509Descriptions
List<Certificate
Certificate Description X509Description> - (Output) A structured description of the issued X.509 certificate. Structure is documented below.
- aia
Issuing string[]Certificate Urls - (Output) Describes lists of issuer CA certificate URLs that appear in the "Authority Information Access" extension in the certificate.
-
Certificate
Certificate Description Authority Key Id[] - (Output) Identifies the subjectKeyId of the parent certificate, per https://tools.ietf.org/html/rfc5280#section-4.2.1.1 Structure is documented below.
- cert
Fingerprints CertificateCertificate Description Cert Fingerprint[] - (Output) The hash of the x.509 certificate. Structure is documented below.
- crl
Distribution string[]Points - (Output) Describes a list of locations to obtain CRL information, i.e. the DistributionPoint.fullName described by https://tools.ietf.org/html/rfc5280#section-4.2.1.13
- public
Keys CertificateCertificate Description Public Key[] - (Output) A PublicKey describes a public key. Structure is documented below.
- subject
Descriptions CertificateCertificate Description Subject Description[] - (Output) Describes some of the values in a certificate that are related to the subject and lifetime. Structure is documented below.
- subject
Key CertificateIds Certificate Description Subject Key Id[] - (Output) Provides a means of identifiying certificates that contain a particular public key, per https://tools.ietf.org/html/rfc5280#section-4.2.1.2. Structure is documented below.
- x509Descriptions
Certificate
Certificate Description X509Description[] - (Output) A structured description of the issued X.509 certificate. Structure is documented below.
- aia_
issuing_ Sequence[str]certificate_ urls - (Output) Describes lists of issuer CA certificate URLs that appear in the "Authority Information Access" extension in the certificate.
-
Sequence[Certificate
Certificate Description Authority Key Id] - (Output) Identifies the subjectKeyId of the parent certificate, per https://tools.ietf.org/html/rfc5280#section-4.2.1.1 Structure is documented below.
- cert_
fingerprints Sequence[CertificateCertificate Description Cert Fingerprint] - (Output) The hash of the x.509 certificate. Structure is documented below.
- crl_
distribution_ Sequence[str]points - (Output) Describes a list of locations to obtain CRL information, i.e. the DistributionPoint.fullName described by https://tools.ietf.org/html/rfc5280#section-4.2.1.13
- public_
keys Sequence[CertificateCertificate Description Public Key] - (Output) A PublicKey describes a public key. Structure is documented below.
- subject_
descriptions Sequence[CertificateCertificate Description Subject Description] - (Output) Describes some of the values in a certificate that are related to the subject and lifetime. Structure is documented below.
- subject_
key_ Sequence[Certificateids Certificate Description Subject Key Id] - (Output) Provides a means of identifiying certificates that contain a particular public key, per https://tools.ietf.org/html/rfc5280#section-4.2.1.2. Structure is documented below.
- x509_
descriptions Sequence[CertificateCertificate Description X509Description] - (Output) A structured description of the issued X.509 certificate. Structure is documented below.
- aia
Issuing List<String>Certificate Urls - (Output) Describes lists of issuer CA certificate URLs that appear in the "Authority Information Access" extension in the certificate.
- List<Property Map>
- (Output) Identifies the subjectKeyId of the parent certificate, per https://tools.ietf.org/html/rfc5280#section-4.2.1.1 Structure is documented below.
- cert
Fingerprints List<Property Map> - (Output) The hash of the x.509 certificate. Structure is documented below.
- crl
Distribution List<String>Points - (Output) Describes a list of locations to obtain CRL information, i.e. the DistributionPoint.fullName described by https://tools.ietf.org/html/rfc5280#section-4.2.1.13
- public
Keys List<Property Map> - (Output) A PublicKey describes a public key. Structure is documented below.
- subject
Descriptions List<Property Map> - (Output) Describes some of the values in a certificate that are related to the subject and lifetime. Structure is documented below.
- subject
Key List<Property Map>Ids - (Output) Provides a means of identifiying certificates that contain a particular public key, per https://tools.ietf.org/html/rfc5280#section-4.2.1.2. Structure is documented below.
- x509Descriptions List<Property Map>
- (Output) A structured description of the issued X.509 certificate. Structure is documented below.
CertificateCertificateDescriptionAuthorityKeyId, CertificateCertificateDescriptionAuthorityKeyIdArgs
, CertificateCertificateDescriptionAuthorityKeyIdArgs
- Key
Id string - (Output) Optional. The value of this KeyId encoded in lowercase hexadecimal. This is most likely the 160 bit SHA-1 hash of the public key.
- Key
Id string - (Output) Optional. The value of this KeyId encoded in lowercase hexadecimal. This is most likely the 160 bit SHA-1 hash of the public key.
- key
Id String - (Output) Optional. The value of this KeyId encoded in lowercase hexadecimal. This is most likely the 160 bit SHA-1 hash of the public key.
- key
Id string - (Output) Optional. The value of this KeyId encoded in lowercase hexadecimal. This is most likely the 160 bit SHA-1 hash of the public key.
- key_
id str - (Output) Optional. The value of this KeyId encoded in lowercase hexadecimal. This is most likely the 160 bit SHA-1 hash of the public key.
- key
Id String - (Output) Optional. The value of this KeyId encoded in lowercase hexadecimal. This is most likely the 160 bit SHA-1 hash of the public key.
CertificateCertificateDescriptionCertFingerprint, CertificateCertificateDescriptionCertFingerprintArgs
, CertificateCertificateDescriptionCertFingerprintArgs
- Sha256Hash string
- (Output) The SHA 256 hash, encoded in hexadecimal, of the DER x509 certificate.
- Sha256Hash string
- (Output) The SHA 256 hash, encoded in hexadecimal, of the DER x509 certificate.
- sha256Hash String
- (Output) The SHA 256 hash, encoded in hexadecimal, of the DER x509 certificate.
- sha256Hash string
- (Output) The SHA 256 hash, encoded in hexadecimal, of the DER x509 certificate.
- sha256_
hash str - (Output) The SHA 256 hash, encoded in hexadecimal, of the DER x509 certificate.
- sha256Hash String
- (Output) The SHA 256 hash, encoded in hexadecimal, of the DER x509 certificate.
CertificateCertificateDescriptionPublicKey, CertificateCertificateDescriptionPublicKeyArgs
, CertificateCertificateDescriptionPublicKeyArgs
- Format string
- The format of the public key. Currently, only PEM format is supported.
Possible values are:
KEY_TYPE_UNSPECIFIED,PEM. - Key string
- Required. A public key. When this is specified in a request, the padding and encoding can be any of the options described by the respective 'KeyType' value. When this is generated by the service, it will always be an RFC 5280 SubjectPublicKeyInfo structure containing an algorithm identifier and a key. A base64-encoded string.
- Format string
- The format of the public key. Currently, only PEM format is supported.
Possible values are:
KEY_TYPE_UNSPECIFIED,PEM. - Key string
- Required. A public key. When this is specified in a request, the padding and encoding can be any of the options described by the respective 'KeyType' value. When this is generated by the service, it will always be an RFC 5280 SubjectPublicKeyInfo structure containing an algorithm identifier and a key. A base64-encoded string.
- format String
- The format of the public key. Currently, only PEM format is supported.
Possible values are:
KEY_TYPE_UNSPECIFIED,PEM. - key String
- Required. A public key. When this is specified in a request, the padding and encoding can be any of the options described by the respective 'KeyType' value. When this is generated by the service, it will always be an RFC 5280 SubjectPublicKeyInfo structure containing an algorithm identifier and a key. A base64-encoded string.
- format string
- The format of the public key. Currently, only PEM format is supported.
Possible values are:
KEY_TYPE_UNSPECIFIED,PEM. - key string
- Required. A public key. When this is specified in a request, the padding and encoding can be any of the options described by the respective 'KeyType' value. When this is generated by the service, it will always be an RFC 5280 SubjectPublicKeyInfo structure containing an algorithm identifier and a key. A base64-encoded string.
- format str
- The format of the public key. Currently, only PEM format is supported.
Possible values are:
KEY_TYPE_UNSPECIFIED,PEM. - key str
- Required. A public key. When this is specified in a request, the padding and encoding can be any of the options described by the respective 'KeyType' value. When this is generated by the service, it will always be an RFC 5280 SubjectPublicKeyInfo structure containing an algorithm identifier and a key. A base64-encoded string.
- format String
- The format of the public key. Currently, only PEM format is supported.
Possible values are:
KEY_TYPE_UNSPECIFIED,PEM. - key String
- Required. A public key. When this is specified in a request, the padding and encoding can be any of the options described by the respective 'KeyType' value. When this is generated by the service, it will always be an RFC 5280 SubjectPublicKeyInfo structure containing an algorithm identifier and a key. A base64-encoded string.
CertificateCertificateDescriptionSubjectDescription, CertificateCertificateDescriptionSubjectDescriptionArgs
, CertificateCertificateDescriptionSubjectDescriptionArgs
- Hex
Serial stringNumber - (Output) The serial number encoded in lowercase hexadecimal.
- Lifetime string
- The desired lifetime of the CA certificate. Used to create the "notBeforeTime" and "notAfterTime" fields inside an X.509 certificate. A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s".
- Not
After stringTime - (Output) The time at which the certificate expires.
- Not
Before stringTime - (Output) The time at which the certificate becomes valid.
- Subject
Alt List<CertificateNames Certificate Description Subject Description Subject Alt Name> - (Output) The subject alternative name fields. Structure is documented below.
- Subjects
List<Certificate
Certificate Description Subject Description Subject> - (Output) Contains distinguished name fields such as the location and organization. Structure is documented below.
- Hex
Serial stringNumber - (Output) The serial number encoded in lowercase hexadecimal.
- Lifetime string
- The desired lifetime of the CA certificate. Used to create the "notBeforeTime" and "notAfterTime" fields inside an X.509 certificate. A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s".
- Not
After stringTime - (Output) The time at which the certificate expires.
- Not
Before stringTime - (Output) The time at which the certificate becomes valid.
- Subject
Alt []CertificateNames Certificate Description Subject Description Subject Alt Name - (Output) The subject alternative name fields. Structure is documented below.
- Subjects
[]Certificate
Certificate Description Subject Description Subject - (Output) Contains distinguished name fields such as the location and organization. Structure is documented below.
- hex
Serial StringNumber - (Output) The serial number encoded in lowercase hexadecimal.
- lifetime String
- The desired lifetime of the CA certificate. Used to create the "notBeforeTime" and "notAfterTime" fields inside an X.509 certificate. A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s".
- not
After StringTime - (Output) The time at which the certificate expires.
- not
Before StringTime - (Output) The time at which the certificate becomes valid.
- subject
Alt List<CertificateNames Certificate Description Subject Description Subject Alt Name> - (Output) The subject alternative name fields. Structure is documented below.
- subjects
List<Certificate
Certificate Description Subject Description Subject> - (Output) Contains distinguished name fields such as the location and organization. Structure is documented below.
- hex
Serial stringNumber - (Output) The serial number encoded in lowercase hexadecimal.
- lifetime string
- The desired lifetime of the CA certificate. Used to create the "notBeforeTime" and "notAfterTime" fields inside an X.509 certificate. A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s".
- not
After stringTime - (Output) The time at which the certificate expires.
- not
Before stringTime - (Output) The time at which the certificate becomes valid.
- subject
Alt CertificateNames Certificate Description Subject Description Subject Alt Name[] - (Output) The subject alternative name fields. Structure is documented below.
- subjects
Certificate
Certificate Description Subject Description Subject[] - (Output) Contains distinguished name fields such as the location and organization. Structure is documented below.
- hex_
serial_ strnumber - (Output) The serial number encoded in lowercase hexadecimal.
- lifetime str
- The desired lifetime of the CA certificate. Used to create the "notBeforeTime" and "notAfterTime" fields inside an X.509 certificate. A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s".
- not_
after_ strtime - (Output) The time at which the certificate expires.
- not_
before_ strtime - (Output) The time at which the certificate becomes valid.
- subject_
alt_ Sequence[Certificatenames Certificate Description Subject Description Subject Alt Name] - (Output) The subject alternative name fields. Structure is documented below.
- subjects
Sequence[Certificate
Certificate Description Subject Description Subject] - (Output) Contains distinguished name fields such as the location and organization. Structure is documented below.
- hex
Serial StringNumber - (Output) The serial number encoded in lowercase hexadecimal.
- lifetime String
- The desired lifetime of the CA certificate. Used to create the "notBeforeTime" and "notAfterTime" fields inside an X.509 certificate. A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s".
- not
After StringTime - (Output) The time at which the certificate expires.
- not
Before StringTime - (Output) The time at which the certificate becomes valid.
- subject
Alt List<Property Map>Names - (Output) The subject alternative name fields. Structure is documented below.
- subjects List<Property Map>
- (Output) Contains distinguished name fields such as the location and organization. Structure is documented below.
CertificateCertificateDescriptionSubjectDescriptionSubject, CertificateCertificateDescriptionSubjectDescriptionSubjectArgs
, CertificateCertificateDescriptionSubjectDescriptionSubjectArgs
- Common
Name string - The common name of the distinguished name.
- Country
Code string - The country code of the subject.
- Locality string
- The locality or city of the subject.
- Organization string
- The organization of the subject.
- Organizational
Unit string - The organizational unit of the subject.
- Postal
Code string - The postal code of the subject.
- Province string
- The province, territory, or regional state of the subject.
- Street
Address string - The street address of the subject.
- Common
Name string - The common name of the distinguished name.
- Country
Code string - The country code of the subject.
- Locality string
- The locality or city of the subject.
- Organization string
- The organization of the subject.
- Organizational
Unit string - The organizational unit of the subject.
- Postal
Code string - The postal code of the subject.
- Province string
- The province, territory, or regional state of the subject.
- Street
Address string - The street address of the subject.
- common
Name String - The common name of the distinguished name.
- country
Code String - The country code of the subject.
- locality String
- The locality or city of the subject.
- organization String
- The organization of the subject.
- organizational
Unit String - The organizational unit of the subject.
- postal
Code String - The postal code of the subject.
- province String
- The province, territory, or regional state of the subject.
- street
Address String - The street address of the subject.
- common
Name string - The common name of the distinguished name.
- country
Code string - The country code of the subject.
- locality string
- The locality or city of the subject.
- organization string
- The organization of the subject.
- organizational
Unit string - The organizational unit of the subject.
- postal
Code string - The postal code of the subject.
- province string
- The province, territory, or regional state of the subject.
- street
Address string - The street address of the subject.
- common_
name str - The common name of the distinguished name.
- country_
code str - The country code of the subject.
- locality str
- The locality or city of the subject.
- organization str
- The organization of the subject.
- organizational_
unit str - The organizational unit of the subject.
- postal_
code str - The postal code of the subject.
- province str
- The province, territory, or regional state of the subject.
- street_
address str - The street address of the subject.
- common
Name String - The common name of the distinguished name.
- country
Code String - The country code of the subject.
- locality String
- The locality or city of the subject.
- organization String
- The organization of the subject.
- organizational
Unit String - The organizational unit of the subject.
- postal
Code String - The postal code of the subject.
- province String
- The province, territory, or regional state of the subject.
- street
Address String - The street address of the subject.
CertificateCertificateDescriptionSubjectDescriptionSubjectAltName, CertificateCertificateDescriptionSubjectDescriptionSubjectAltNameArgs
, CertificateCertificateDescriptionSubjectDescriptionSubjectAltNameArgs
- Custom
Sans List<CertificateCertificate Description Subject Description Subject Alt Name Custom San> - (Output) Contains additional subject alternative name values. Structure is documented below.
- Dns
Names List<string> - Contains only valid, fully-qualified host names.
- Email
Addresses List<string> - Contains only valid RFC 2822 E-mail addresses.
- Ip
Addresses List<string> - Contains only valid 32-bit IPv4 addresses or RFC 4291 IPv6 addresses.
- Uris List<string>
- Contains only valid RFC 3986 URIs.
- Custom
Sans []CertificateCertificate Description Subject Description Subject Alt Name Custom San - (Output) Contains additional subject alternative name values. Structure is documented below.
- Dns
Names []string - Contains only valid, fully-qualified host names.
- Email
Addresses []string - Contains only valid RFC 2822 E-mail addresses.
- Ip
Addresses []string - Contains only valid 32-bit IPv4 addresses or RFC 4291 IPv6 addresses.
- Uris []string
- Contains only valid RFC 3986 URIs.
- custom
Sans List<CertificateCertificate Description Subject Description Subject Alt Name Custom San> - (Output) Contains additional subject alternative name values. Structure is documented below.
- dns
Names List<String> - Contains only valid, fully-qualified host names.
- email
Addresses List<String> - Contains only valid RFC 2822 E-mail addresses.
- ip
Addresses List<String> - Contains only valid 32-bit IPv4 addresses or RFC 4291 IPv6 addresses.
- uris List<String>
- Contains only valid RFC 3986 URIs.
- custom
Sans CertificateCertificate Description Subject Description Subject Alt Name Custom San[] - (Output) Contains additional subject alternative name values. Structure is documented below.
- dns
Names string[] - Contains only valid, fully-qualified host names.
- email
Addresses string[] - Contains only valid RFC 2822 E-mail addresses.
- ip
Addresses string[] - Contains only valid 32-bit IPv4 addresses or RFC 4291 IPv6 addresses.
- uris string[]
- Contains only valid RFC 3986 URIs.
- custom_
sans Sequence[CertificateCertificate Description Subject Description Subject Alt Name Custom San] - (Output) Contains additional subject alternative name values. Structure is documented below.
- dns_
names Sequence[str] - Contains only valid, fully-qualified host names.
- email_
addresses Sequence[str] - Contains only valid RFC 2822 E-mail addresses.
- ip_
addresses Sequence[str] - Contains only valid 32-bit IPv4 addresses or RFC 4291 IPv6 addresses.
- uris Sequence[str]
- Contains only valid RFC 3986 URIs.
- custom
Sans List<Property Map> - (Output) Contains additional subject alternative name values. Structure is documented below.
- dns
Names List<String> - Contains only valid, fully-qualified host names.
- email
Addresses List<String> - Contains only valid RFC 2822 E-mail addresses.
- ip
Addresses List<String> - Contains only valid 32-bit IPv4 addresses or RFC 4291 IPv6 addresses.
- uris List<String>
- Contains only valid RFC 3986 URIs.
CertificateCertificateDescriptionSubjectDescriptionSubjectAltNameCustomSan, CertificateCertificateDescriptionSubjectDescriptionSubjectAltNameCustomSanArgs
, CertificateCertificateDescriptionSubjectDescriptionSubjectAltNameCustomSanArgs
- Critical bool
- (Output) Indicates whether or not the name constraints are marked critical.
- Obect
Ids List<CertificateCertificate Description Subject Description Subject Alt Name Custom San Obect Id> - (Output) Describes how some of the technical fields in a certificate should be populated. Structure is documented below.
- Value string
- The value of this X.509 extension. A base64-encoded string.
- Critical bool
- (Output) Indicates whether or not the name constraints are marked critical.
- Obect
Ids []CertificateCertificate Description Subject Description Subject Alt Name Custom San Obect Id - (Output) Describes how some of the technical fields in a certificate should be populated. Structure is documented below.
- Value string
- The value of this X.509 extension. A base64-encoded string.
- critical Boolean
- (Output) Indicates whether or not the name constraints are marked critical.
- obect
Ids List<CertificateCertificate Description Subject Description Subject Alt Name Custom San Obect Id> - (Output) Describes how some of the technical fields in a certificate should be populated. Structure is documented below.
- value String
- The value of this X.509 extension. A base64-encoded string.
- critical boolean
- (Output) Indicates whether or not the name constraints are marked critical.
- obect
Ids CertificateCertificate Description Subject Description Subject Alt Name Custom San Obect Id[] - (Output) Describes how some of the technical fields in a certificate should be populated. Structure is documented below.
- value string
- The value of this X.509 extension. A base64-encoded string.
- critical bool
- (Output) Indicates whether or not the name constraints are marked critical.
- obect_
ids Sequence[CertificateCertificate Description Subject Description Subject Alt Name Custom San Obect Id] - (Output) Describes how some of the technical fields in a certificate should be populated. Structure is documented below.
- value str
- The value of this X.509 extension. A base64-encoded string.
- critical Boolean
- (Output) Indicates whether or not the name constraints are marked critical.
- obect
Ids List<Property Map> - (Output) Describes how some of the technical fields in a certificate should be populated. Structure is documented below.
- value String
- The value of this X.509 extension. A base64-encoded string.
CertificateCertificateDescriptionSubjectDescriptionSubjectAltNameCustomSanObectId, CertificateCertificateDescriptionSubjectDescriptionSubjectAltNameCustomSanObectIdArgs
, CertificateCertificateDescriptionSubjectDescriptionSubjectAltNameCustomSanObectIdArgs
- Object
Id List<int>Paths - (Output) An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
- Object
Id []intPaths - (Output) An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
- object
Id List<Integer>Paths - (Output) An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
- object
Id number[]Paths - (Output) An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
- object_
id_ Sequence[int]paths - (Output) An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
- object
Id List<Number>Paths - (Output) An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
CertificateCertificateDescriptionSubjectKeyId, CertificateCertificateDescriptionSubjectKeyIdArgs
, CertificateCertificateDescriptionSubjectKeyIdArgs
- Key
Id string - The value of the KeyId in lowercase hexadecimal.
- Key
Id string - The value of the KeyId in lowercase hexadecimal.
- key
Id String - The value of the KeyId in lowercase hexadecimal.
- key
Id string - The value of the KeyId in lowercase hexadecimal.
- key_
id str - The value of the KeyId in lowercase hexadecimal.
- key
Id String - The value of the KeyId in lowercase hexadecimal.
CertificateCertificateDescriptionX509Description, CertificateCertificateDescriptionX509DescriptionArgs
, CertificateCertificateDescriptionX509DescriptionArgs
- Additional
Extensions List<CertificateCertificate Description X509Description Additional Extension> - (Output) Describes custom X.509 extensions. Structure is documented below.
- Aia
Ocsp List<string>Servers - (Output) Describes Online Certificate Status Protocol (OCSP) endpoint addresses that appear in the "Authority Information Access" extension in the certificate.
- Ca
Options List<CertificateCertificate Description X509Description Ca Option> - (Output) Describes values that are relevant in a CA certificate. Structure is documented below.
- Key
Usages List<CertificateCertificate Description X509Description Key Usage> - (Output) Indicates the intended use for keys that correspond to a certificate. Structure is documented below.
- Name
Constraints List<CertificateCertificate Description X509Description Name Constraint> - (Output) Describes the X.509 name constraints extension. Structure is documented below.
- Policy
Ids List<CertificateCertificate Description X509Description Policy Id> - (Output) Describes the X.509 certificate policy object identifiers, per https://tools.ietf.org/html/rfc5280#section-4.2.1.4. Structure is documented below.
- Additional
Extensions []CertificateCertificate Description X509Description Additional Extension - (Output) Describes custom X.509 extensions. Structure is documented below.
- Aia
Ocsp []stringServers - (Output) Describes Online Certificate Status Protocol (OCSP) endpoint addresses that appear in the "Authority Information Access" extension in the certificate.
- Ca
Options []CertificateCertificate Description X509Description Ca Option - (Output) Describes values that are relevant in a CA certificate. Structure is documented below.
- Key
Usages []CertificateCertificate Description X509Description Key Usage - (Output) Indicates the intended use for keys that correspond to a certificate. Structure is documented below.
- Name
Constraints []CertificateCertificate Description X509Description Name Constraint - (Output) Describes the X.509 name constraints extension. Structure is documented below.
- Policy
Ids []CertificateCertificate Description X509Description Policy Id - (Output) Describes the X.509 certificate policy object identifiers, per https://tools.ietf.org/html/rfc5280#section-4.2.1.4. Structure is documented below.
- additional
Extensions List<CertificateCertificate Description X509Description Additional Extension> - (Output) Describes custom X.509 extensions. Structure is documented below.
- aia
Ocsp List<String>Servers - (Output) Describes Online Certificate Status Protocol (OCSP) endpoint addresses that appear in the "Authority Information Access" extension in the certificate.
- ca
Options List<CertificateCertificate Description X509Description Ca Option> - (Output) Describes values that are relevant in a CA certificate. Structure is documented below.
- key
Usages List<CertificateCertificate Description X509Description Key Usage> - (Output) Indicates the intended use for keys that correspond to a certificate. Structure is documented below.
- name
Constraints List<CertificateCertificate Description X509Description Name Constraint> - (Output) Describes the X.509 name constraints extension. Structure is documented below.
- policy
Ids List<CertificateCertificate Description X509Description Policy Id> - (Output) Describes the X.509 certificate policy object identifiers, per https://tools.ietf.org/html/rfc5280#section-4.2.1.4. Structure is documented below.
- additional
Extensions CertificateCertificate Description X509Description Additional Extension[] - (Output) Describes custom X.509 extensions. Structure is documented below.
- aia
Ocsp string[]Servers - (Output) Describes Online Certificate Status Protocol (OCSP) endpoint addresses that appear in the "Authority Information Access" extension in the certificate.
- ca
Options CertificateCertificate Description X509Description Ca Option[] - (Output) Describes values that are relevant in a CA certificate. Structure is documented below.
- key
Usages CertificateCertificate Description X509Description Key Usage[] - (Output) Indicates the intended use for keys that correspond to a certificate. Structure is documented below.
- name
Constraints CertificateCertificate Description X509Description Name Constraint[] - (Output) Describes the X.509 name constraints extension. Structure is documented below.
- policy
Ids CertificateCertificate Description X509Description Policy Id[] - (Output) Describes the X.509 certificate policy object identifiers, per https://tools.ietf.org/html/rfc5280#section-4.2.1.4. Structure is documented below.
- additional_
extensions Sequence[CertificateCertificate Description X509Description Additional Extension] - (Output) Describes custom X.509 extensions. Structure is documented below.
- aia_
ocsp_ Sequence[str]servers - (Output) Describes Online Certificate Status Protocol (OCSP) endpoint addresses that appear in the "Authority Information Access" extension in the certificate.
- ca_
options Sequence[CertificateCertificate Description X509Description Ca Option] - (Output) Describes values that are relevant in a CA certificate. Structure is documented below.
- key_
usages Sequence[CertificateCertificate Description X509Description Key Usage] - (Output) Indicates the intended use for keys that correspond to a certificate. Structure is documented below.
- name_
constraints Sequence[CertificateCertificate Description X509Description Name Constraint] - (Output) Describes the X.509 name constraints extension. Structure is documented below.
- policy_
ids Sequence[CertificateCertificate Description X509Description Policy Id] - (Output) Describes the X.509 certificate policy object identifiers, per https://tools.ietf.org/html/rfc5280#section-4.2.1.4. Structure is documented below.
- additional
Extensions List<Property Map> - (Output) Describes custom X.509 extensions. Structure is documented below.
- aia
Ocsp List<String>Servers - (Output) Describes Online Certificate Status Protocol (OCSP) endpoint addresses that appear in the "Authority Information Access" extension in the certificate.
- ca
Options List<Property Map> - (Output) Describes values that are relevant in a CA certificate. Structure is documented below.
- key
Usages List<Property Map> - (Output) Indicates the intended use for keys that correspond to a certificate. Structure is documented below.
- name
Constraints List<Property Map> - (Output) Describes the X.509 name constraints extension. Structure is documented below.
- policy
Ids List<Property Map> - (Output) Describes the X.509 certificate policy object identifiers, per https://tools.ietf.org/html/rfc5280#section-4.2.1.4. Structure is documented below.
CertificateCertificateDescriptionX509DescriptionAdditionalExtension, CertificateCertificateDescriptionX509DescriptionAdditionalExtensionArgs
, CertificateCertificateDescriptionX509DescriptionAdditionalExtensionArgs
- Critical bool
- Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error).
- Object
Ids List<CertificateCertificate Description X509Description Additional Extension Object Id> - Describes values that are relevant in a CA certificate. Structure is documented below.
- Value string
- The value of this X.509 extension. A base64-encoded string.
- Critical bool
- Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error).
- Object
Ids []CertificateCertificate Description X509Description Additional Extension Object Id - Describes values that are relevant in a CA certificate. Structure is documented below.
- Value string
- The value of this X.509 extension. A base64-encoded string.
- critical Boolean
- Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error).
- object
Ids List<CertificateCertificate Description X509Description Additional Extension Object Id> - Describes values that are relevant in a CA certificate. Structure is documented below.
- value String
- The value of this X.509 extension. A base64-encoded string.
- critical boolean
- Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error).
- object
Ids CertificateCertificate Description X509Description Additional Extension Object Id[] - Describes values that are relevant in a CA certificate. Structure is documented below.
- value string
- The value of this X.509 extension. A base64-encoded string.
- critical bool
- Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error).
- object_
ids Sequence[CertificateCertificate Description X509Description Additional Extension Object Id] - Describes values that are relevant in a CA certificate. Structure is documented below.
- value str
- The value of this X.509 extension. A base64-encoded string.
- critical Boolean
- Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error).
- object
Ids List<Property Map> - Describes values that are relevant in a CA certificate. Structure is documented below.
- value String
- The value of this X.509 extension. A base64-encoded string.
CertificateCertificateDescriptionX509DescriptionAdditionalExtensionObjectId, CertificateCertificateDescriptionX509DescriptionAdditionalExtensionObjectIdArgs
, CertificateCertificateDescriptionX509DescriptionAdditionalExtensionObjectIdArgs
- Object
Id List<int>Paths - An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
- Object
Id []intPaths - An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
- object
Id List<Integer>Paths - An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
- object
Id number[]Paths - An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
- object_
id_ Sequence[int]paths - An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
- object
Id List<Number>Paths - An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
CertificateCertificateDescriptionX509DescriptionCaOption, CertificateCertificateDescriptionX509DescriptionCaOptionArgs
, CertificateCertificateDescriptionX509DescriptionCaOptionArgs
- Is
Ca bool - When true, the "CA" in Basic Constraints extension will be set to true.
- Max
Issuer intPath Length - Refers to the "path length constraint" in Basic Constraints extension. For a CA certificate, this value describes the depth of subordinate CA certificates that are allowed. If this value is less than 0, the request will fail.
- Is
Ca bool - When true, the "CA" in Basic Constraints extension will be set to true.
- Max
Issuer intPath Length - Refers to the "path length constraint" in Basic Constraints extension. For a CA certificate, this value describes the depth of subordinate CA certificates that are allowed. If this value is less than 0, the request will fail.
- is
Ca Boolean - When true, the "CA" in Basic Constraints extension will be set to true.
- max
Issuer IntegerPath Length - Refers to the "path length constraint" in Basic Constraints extension. For a CA certificate, this value describes the depth of subordinate CA certificates that are allowed. If this value is less than 0, the request will fail.
- is
Ca boolean - When true, the "CA" in Basic Constraints extension will be set to true.
- max
Issuer numberPath Length - Refers to the "path length constraint" in Basic Constraints extension. For a CA certificate, this value describes the depth of subordinate CA certificates that are allowed. If this value is less than 0, the request will fail.
- is_
ca bool - When true, the "CA" in Basic Constraints extension will be set to true.
- max_
issuer_ intpath_ length - Refers to the "path length constraint" in Basic Constraints extension. For a CA certificate, this value describes the depth of subordinate CA certificates that are allowed. If this value is less than 0, the request will fail.
- is
Ca Boolean - When true, the "CA" in Basic Constraints extension will be set to true.
- max
Issuer NumberPath Length - Refers to the "path length constraint" in Basic Constraints extension. For a CA certificate, this value describes the depth of subordinate CA certificates that are allowed. If this value is less than 0, the request will fail.
CertificateCertificateDescriptionX509DescriptionKeyUsage, CertificateCertificateDescriptionX509DescriptionKeyUsageArgs
, CertificateCertificateDescriptionX509DescriptionKeyUsageArgs
- Base
Key List<CertificateUsages Certificate Description X509Description Key Usage Base Key Usage> - Describes high-level ways in which a key may be used. Structure is documented below.
- Extended
Key List<CertificateUsages Certificate Description X509Description Key Usage Extended Key Usage> - Describes high-level ways in which a key may be used. Structure is documented below.
- Unknown
Extended List<CertificateKey Usages Certificate Description X509Description Key Usage Unknown Extended Key Usage> - An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. Structure is documented below.
- Base
Key []CertificateUsages Certificate Description X509Description Key Usage Base Key Usage - Describes high-level ways in which a key may be used. Structure is documented below.
- Extended
Key []CertificateUsages Certificate Description X509Description Key Usage Extended Key Usage - Describes high-level ways in which a key may be used. Structure is documented below.
- Unknown
Extended []CertificateKey Usages Certificate Description X509Description Key Usage Unknown Extended Key Usage - An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. Structure is documented below.
- base
Key List<CertificateUsages Certificate Description X509Description Key Usage Base Key Usage> - Describes high-level ways in which a key may be used. Structure is documented below.
- extended
Key List<CertificateUsages Certificate Description X509Description Key Usage Extended Key Usage> - Describes high-level ways in which a key may be used. Structure is documented below.
- unknown
Extended List<CertificateKey Usages Certificate Description X509Description Key Usage Unknown Extended Key Usage> - An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. Structure is documented below.
- base
Key CertificateUsages Certificate Description X509Description Key Usage Base Key Usage[] - Describes high-level ways in which a key may be used. Structure is documented below.
- extended
Key CertificateUsages Certificate Description X509Description Key Usage Extended Key Usage[] - Describes high-level ways in which a key may be used. Structure is documented below.
- unknown
Extended CertificateKey Usages Certificate Description X509Description Key Usage Unknown Extended Key Usage[] - An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. Structure is documented below.
- base_
key_ Sequence[Certificateusages Certificate Description X509Description Key Usage Base Key Usage] - Describes high-level ways in which a key may be used. Structure is documented below.
- extended_
key_ Sequence[Certificateusages Certificate Description X509Description Key Usage Extended Key Usage] - Describes high-level ways in which a key may be used. Structure is documented below.
- unknown_
extended_ Sequence[Certificatekey_ usages Certificate Description X509Description Key Usage Unknown Extended Key Usage] - An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. Structure is documented below.
- base
Key List<Property Map>Usages - Describes high-level ways in which a key may be used. Structure is documented below.
- extended
Key List<Property Map>Usages - Describes high-level ways in which a key may be used. Structure is documented below.
- unknown
Extended List<Property Map>Key Usages - An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. Structure is documented below.
CertificateCertificateDescriptionX509DescriptionKeyUsageBaseKeyUsage, CertificateCertificateDescriptionX509DescriptionKeyUsageBaseKeyUsageArgs
, CertificateCertificateDescriptionX509DescriptionKeyUsageBaseKeyUsageArgs
- Cert
Sign bool - The key may be used to sign certificates.
- Content
Commitment bool - The key may be used for cryptographic commitments. Note that this may also be referred to as "non-repudiation".
- Crl
Sign bool - The key may be used sign certificate revocation lists.
- Data
Encipherment bool - The key may be used to encipher data.
- Decipher
Only bool - The key may be used to decipher only.
- Digital
Signature bool - The key may be used for digital signatures.
- Encipher
Only bool - The key may be used to encipher only.
- Key
Agreement bool - The key may be used in a key agreement protocol.
- Key
Encipherment bool - The key may be used to encipher other keys.
- Cert
Sign bool - The key may be used to sign certificates.
- Content
Commitment bool - The key may be used for cryptographic commitments. Note that this may also be referred to as "non-repudiation".
- Crl
Sign bool - The key may be used sign certificate revocation lists.
- Data
Encipherment bool - The key may be used to encipher data.
- Decipher
Only bool - The key may be used to decipher only.
- Digital
Signature bool - The key may be used for digital signatures.
- Encipher
Only bool - The key may be used to encipher only.
- Key
Agreement bool - The key may be used in a key agreement protocol.
- Key
Encipherment bool - The key may be used to encipher other keys.
- cert
Sign Boolean - The key may be used to sign certificates.
- content
Commitment Boolean - The key may be used for cryptographic commitments. Note that this may also be referred to as "non-repudiation".
- crl
Sign Boolean - The key may be used sign certificate revocation lists.
- data
Encipherment Boolean - The key may be used to encipher data.
- decipher
Only Boolean - The key may be used to decipher only.
- digital
Signature Boolean - The key may be used for digital signatures.
- encipher
Only Boolean - The key may be used to encipher only.
- key
Agreement Boolean - The key may be used in a key agreement protocol.
- key
Encipherment Boolean - The key may be used to encipher other keys.
- cert
Sign boolean - The key may be used to sign certificates.
- content
Commitment boolean - The key may be used for cryptographic commitments. Note that this may also be referred to as "non-repudiation".
- crl
Sign boolean - The key may be used sign certificate revocation lists.
- data
Encipherment boolean - The key may be used to encipher data.
- decipher
Only boolean - The key may be used to decipher only.
- digital
Signature boolean - The key may be used for digital signatures.
- encipher
Only boolean - The key may be used to encipher only.
- key
Agreement boolean - The key may be used in a key agreement protocol.
- key
Encipherment boolean - The key may be used to encipher other keys.
- cert_
sign bool - The key may be used to sign certificates.
- content_
commitment bool - The key may be used for cryptographic commitments. Note that this may also be referred to as "non-repudiation".
- crl_
sign bool - The key may be used sign certificate revocation lists.
- data_
encipherment bool - The key may be used to encipher data.
- decipher_
only bool - The key may be used to decipher only.
- digital_
signature bool - The key may be used for digital signatures.
- encipher_
only bool - The key may be used to encipher only.
- key_
agreement bool - The key may be used in a key agreement protocol.
- key_
encipherment bool - The key may be used to encipher other keys.
- cert
Sign Boolean - The key may be used to sign certificates.
- content
Commitment Boolean - The key may be used for cryptographic commitments. Note that this may also be referred to as "non-repudiation".
- crl
Sign Boolean - The key may be used sign certificate revocation lists.
- data
Encipherment Boolean - The key may be used to encipher data.
- decipher
Only Boolean - The key may be used to decipher only.
- digital
Signature Boolean - The key may be used for digital signatures.
- encipher
Only Boolean - The key may be used to encipher only.
- key
Agreement Boolean - The key may be used in a key agreement protocol.
- key
Encipherment Boolean - The key may be used to encipher other keys.
CertificateCertificateDescriptionX509DescriptionKeyUsageExtendedKeyUsage, CertificateCertificateDescriptionX509DescriptionKeyUsageExtendedKeyUsageArgs
, CertificateCertificateDescriptionX509DescriptionKeyUsageExtendedKeyUsageArgs
- Client
Auth bool - Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as "TLS WWW client authentication", though regularly used for non-WWW TLS.
- Code
Signing bool - Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as "Signing of downloadable executable code client authentication".
- Email
Protection bool - Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as "Email protection".
- Ocsp
Signing bool - Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as "Signing OCSP responses".
- Server
Auth bool - Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as "TLS WWW server authentication", though regularly used for non-WWW TLS.
- Time
Stamping bool - Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as "Binding the hash of an object to a time".
- Client
Auth bool - Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as "TLS WWW client authentication", though regularly used for non-WWW TLS.
- Code
Signing bool - Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as "Signing of downloadable executable code client authentication".
- Email
Protection bool - Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as "Email protection".
- Ocsp
Signing bool - Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as "Signing OCSP responses".
- Server
Auth bool - Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as "TLS WWW server authentication", though regularly used for non-WWW TLS.
- Time
Stamping bool - Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as "Binding the hash of an object to a time".
- client
Auth Boolean - Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as "TLS WWW client authentication", though regularly used for non-WWW TLS.
- code
Signing Boolean - Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as "Signing of downloadable executable code client authentication".
- email
Protection Boolean - Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as "Email protection".
- ocsp
Signing Boolean - Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as "Signing OCSP responses".
- server
Auth Boolean - Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as "TLS WWW server authentication", though regularly used for non-WWW TLS.
- time
Stamping Boolean - Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as "Binding the hash of an object to a time".
- client
Auth boolean - Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as "TLS WWW client authentication", though regularly used for non-WWW TLS.
- code
Signing boolean - Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as "Signing of downloadable executable code client authentication".
- email
Protection boolean - Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as "Email protection".
- ocsp
Signing boolean - Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as "Signing OCSP responses".
- server
Auth boolean - Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as "TLS WWW server authentication", though regularly used for non-WWW TLS.
- time
Stamping boolean - Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as "Binding the hash of an object to a time".
- client_
auth bool - Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as "TLS WWW client authentication", though regularly used for non-WWW TLS.
- code_
signing bool - Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as "Signing of downloadable executable code client authentication".
- email_
protection bool - Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as "Email protection".
- ocsp_
signing bool - Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as "Signing OCSP responses".
- server_
auth bool - Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as "TLS WWW server authentication", though regularly used for non-WWW TLS.
- time_
stamping bool - Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as "Binding the hash of an object to a time".
- client
Auth Boolean - Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as "TLS WWW client authentication", though regularly used for non-WWW TLS.
- code
Signing Boolean - Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as "Signing of downloadable executable code client authentication".
- email
Protection Boolean - Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as "Email protection".
- ocsp
Signing Boolean - Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as "Signing OCSP responses".
- server
Auth Boolean - Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as "TLS WWW server authentication", though regularly used for non-WWW TLS.
- time
Stamping Boolean - Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as "Binding the hash of an object to a time".
CertificateCertificateDescriptionX509DescriptionKeyUsageUnknownExtendedKeyUsage, CertificateCertificateDescriptionX509DescriptionKeyUsageUnknownExtendedKeyUsageArgs
, CertificateCertificateDescriptionX509DescriptionKeyUsageUnknownExtendedKeyUsageArgs
- Object
Id List<int>Paths - An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
- Object
Id []intPaths - An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
- object
Id List<Integer>Paths - An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
- object
Id number[]Paths - An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
- object_
id_ Sequence[int]paths - An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
- object
Id List<Number>Paths - An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
CertificateCertificateDescriptionX509DescriptionNameConstraint, CertificateCertificateDescriptionX509DescriptionNameConstraintArgs
, CertificateCertificateDescriptionX509DescriptionNameConstraintArgs
- Critical bool
- Indicates whether or not the name constraints are marked critical.
- Excluded
Dns List<string>Names - Contains excluded DNS names. Any DNS name that can be
constructed by simply adding zero or more labels to
the left-hand side of the name satisfies the name constraint.
For example,
example.com,www.example.com,www.sub.example.comwould satisfyexample.comwhileexample1.comdoes not. - Excluded
Email List<string>Addresses - Contains the excluded email addresses. The value can be a particular
email address, a hostname to indicate all email addresses on that host or
a domain with a leading period (e.g.
.example.com) to indicate all email addresses in that domain. - Excluded
Ip List<string>Ranges - Contains the excluded IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.
- Excluded
Uris List<string> - Contains the excluded URIs that apply to the host part of the name.
The value can be a hostname or a domain with a
leading period (like
.example.com) - Permitted
Dns List<string>Names - Contains permitted DNS names. Any DNS name that can be
constructed by simply adding zero or more labels to
the left-hand side of the name satisfies the name constraint.
For example,
example.com,www.example.com,www.sub.example.comwould satisfyexample.comwhileexample1.comdoes not. - Permitted
Email List<string>Addresses - Contains the permitted email addresses. The value can be a particular
email address, a hostname to indicate all email addresses on that host or
a domain with a leading period (e.g.
.example.com) to indicate all email addresses in that domain. - Permitted
Ip List<string>Ranges - Contains the permitted IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.
- Permitted
Uris List<string> - Contains the permitted URIs that apply to the host part of the name.
The value can be a hostname or a domain with a
leading period (like
.example.com)
- Critical bool
- Indicates whether or not the name constraints are marked critical.
- Excluded
Dns []stringNames - Contains excluded DNS names. Any DNS name that can be
constructed by simply adding zero or more labels to
the left-hand side of the name satisfies the name constraint.
For example,
example.com,www.example.com,www.sub.example.comwould satisfyexample.comwhileexample1.comdoes not. - Excluded
Email []stringAddresses - Contains the excluded email addresses. The value can be a particular
email address, a hostname to indicate all email addresses on that host or
a domain with a leading period (e.g.
.example.com) to indicate all email addresses in that domain. - Excluded
Ip []stringRanges - Contains the excluded IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.
- Excluded
Uris []string - Contains the excluded URIs that apply to the host part of the name.
The value can be a hostname or a domain with a
leading period (like
.example.com) - Permitted
Dns []stringNames - Contains permitted DNS names. Any DNS name that can be
constructed by simply adding zero or more labels to
the left-hand side of the name satisfies the name constraint.
For example,
example.com,www.example.com,www.sub.example.comwould satisfyexample.comwhileexample1.comdoes not. - Permitted
Email []stringAddresses - Contains the permitted email addresses. The value can be a particular
email address, a hostname to indicate all email addresses on that host or
a domain with a leading period (e.g.
.example.com) to indicate all email addresses in that domain. - Permitted
Ip []stringRanges - Contains the permitted IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.
- Permitted
Uris []string - Contains the permitted URIs that apply to the host part of the name.
The value can be a hostname or a domain with a
leading period (like
.example.com)
- critical Boolean
- Indicates whether or not the name constraints are marked critical.
- excluded
Dns List<String>Names - Contains excluded DNS names. Any DNS name that can be
constructed by simply adding zero or more labels to
the left-hand side of the name satisfies the name constraint.
For example,
example.com,www.example.com,www.sub.example.comwould satisfyexample.comwhileexample1.comdoes not. - excluded
Email List<String>Addresses - Contains the excluded email addresses. The value can be a particular
email address, a hostname to indicate all email addresses on that host or
a domain with a leading period (e.g.
.example.com) to indicate all email addresses in that domain. - excluded
Ip List<String>Ranges - Contains the excluded IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.
- excluded
Uris List<String> - Contains the excluded URIs that apply to the host part of the name.
The value can be a hostname or a domain with a
leading period (like
.example.com) - permitted
Dns List<String>Names - Contains permitted DNS names. Any DNS name that can be
constructed by simply adding zero or more labels to
the left-hand side of the name satisfies the name constraint.
For example,
example.com,www.example.com,www.sub.example.comwould satisfyexample.comwhileexample1.comdoes not. - permitted
Email List<String>Addresses - Contains the permitted email addresses. The value can be a particular
email address, a hostname to indicate all email addresses on that host or
a domain with a leading period (e.g.
.example.com) to indicate all email addresses in that domain. - permitted
Ip List<String>Ranges - Contains the permitted IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.
- permitted
Uris List<String> - Contains the permitted URIs that apply to the host part of the name.
The value can be a hostname or a domain with a
leading period (like
.example.com)
- critical boolean
- Indicates whether or not the name constraints are marked critical.
- excluded
Dns string[]Names - Contains excluded DNS names. Any DNS name that can be
constructed by simply adding zero or more labels to
the left-hand side of the name satisfies the name constraint.
For example,
example.com,www.example.com,www.sub.example.comwould satisfyexample.comwhileexample1.comdoes not. - excluded
Email string[]Addresses - Contains the excluded email addresses. The value can be a particular
email address, a hostname to indicate all email addresses on that host or
a domain with a leading period (e.g.
.example.com) to indicate all email addresses in that domain. - excluded
Ip string[]Ranges - Contains the excluded IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.
- excluded
Uris string[] - Contains the excluded URIs that apply to the host part of the name.
The value can be a hostname or a domain with a
leading period (like
.example.com) - permitted
Dns string[]Names - Contains permitted DNS names. Any DNS name that can be
constructed by simply adding zero or more labels to
the left-hand side of the name satisfies the name constraint.
For example,
example.com,www.example.com,www.sub.example.comwould satisfyexample.comwhileexample1.comdoes not. - permitted
Email string[]Addresses - Contains the permitted email addresses. The value can be a particular
email address, a hostname to indicate all email addresses on that host or
a domain with a leading period (e.g.
.example.com) to indicate all email addresses in that domain. - permitted
Ip string[]Ranges - Contains the permitted IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.
- permitted
Uris string[] - Contains the permitted URIs that apply to the host part of the name.
The value can be a hostname or a domain with a
leading period (like
.example.com)
- critical bool
- Indicates whether or not the name constraints are marked critical.
- excluded_
dns_ Sequence[str]names - Contains excluded DNS names. Any DNS name that can be
constructed by simply adding zero or more labels to
the left-hand side of the name satisfies the name constraint.
For example,
example.com,www.example.com,www.sub.example.comwould satisfyexample.comwhileexample1.comdoes not. - excluded_
email_ Sequence[str]addresses - Contains the excluded email addresses. The value can be a particular
email address, a hostname to indicate all email addresses on that host or
a domain with a leading period (e.g.
.example.com) to indicate all email addresses in that domain. - excluded_
ip_ Sequence[str]ranges - Contains the excluded IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.
- excluded_
uris Sequence[str] - Contains the excluded URIs that apply to the host part of the name.
The value can be a hostname or a domain with a
leading period (like
.example.com) - permitted_
dns_ Sequence[str]names - Contains permitted DNS names. Any DNS name that can be
constructed by simply adding zero or more labels to
the left-hand side of the name satisfies the name constraint.
For example,
example.com,www.example.com,www.sub.example.comwould satisfyexample.comwhileexample1.comdoes not. - permitted_
email_ Sequence[str]addresses - Contains the permitted email addresses. The value can be a particular
email address, a hostname to indicate all email addresses on that host or
a domain with a leading period (e.g.
.example.com) to indicate all email addresses in that domain. - permitted_
ip_ Sequence[str]ranges - Contains the permitted IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.
- permitted_
uris Sequence[str] - Contains the permitted URIs that apply to the host part of the name.
The value can be a hostname or a domain with a
leading period (like
.example.com)
- critical Boolean
- Indicates whether or not the name constraints are marked critical.
- excluded
Dns List<String>Names - Contains excluded DNS names. Any DNS name that can be
constructed by simply adding zero or more labels to
the left-hand side of the name satisfies the name constraint.
For example,
example.com,www.example.com,www.sub.example.comwould satisfyexample.comwhileexample1.comdoes not. - excluded
Email List<String>Addresses - Contains the excluded email addresses. The value can be a particular
email address, a hostname to indicate all email addresses on that host or
a domain with a leading period (e.g.
.example.com) to indicate all email addresses in that domain. - excluded
Ip List<String>Ranges - Contains the excluded IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.
- excluded
Uris List<String> - Contains the excluded URIs that apply to the host part of the name.
The value can be a hostname or a domain with a
leading period (like
.example.com) - permitted
Dns List<String>Names - Contains permitted DNS names. Any DNS name that can be
constructed by simply adding zero or more labels to
the left-hand side of the name satisfies the name constraint.
For example,
example.com,www.example.com,www.sub.example.comwould satisfyexample.comwhileexample1.comdoes not. - permitted
Email List<String>Addresses - Contains the permitted email addresses. The value can be a particular
email address, a hostname to indicate all email addresses on that host or
a domain with a leading period (e.g.
.example.com) to indicate all email addresses in that domain. - permitted
Ip List<String>Ranges - Contains the permitted IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.
- permitted
Uris List<String> - Contains the permitted URIs that apply to the host part of the name.
The value can be a hostname or a domain with a
leading period (like
.example.com)
CertificateCertificateDescriptionX509DescriptionPolicyId, CertificateCertificateDescriptionX509DescriptionPolicyIdArgs
, CertificateCertificateDescriptionX509DescriptionPolicyIdArgs
- Object
Id List<int>Paths - An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
- Object
Id []intPaths - An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
- object
Id List<Integer>Paths - An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
- object
Id number[]Paths - An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
- object_
id_ Sequence[int]paths - An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
- object
Id List<Number>Paths - An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
CertificateConfig, CertificateConfigArgs
, CertificateConfigArgs
- Public
Key CertificateThis property is required. Changes to this property will trigger replacement.Config Public Key A PublicKey describes a public key. Structure is documented below.
The
x509_configblock supports:- Subject
Config CertificateThis property is required. Changes to this property will trigger replacement.Config Subject Config - Specifies some of the values in a certificate that are related to the subject. Structure is documented below.
- X509Config
Certificate
This property is required. Changes to this property will trigger replacement.Config X509Config - Describes how some of the technical X.509 fields in a certificate should be populated. Structure is documented below.
- Subject
Key Id Config Subject Key Id - When specified this provides a custom SKI to be used in the certificate. This should only be used to maintain a SKI of an existing CA originally created outside CA service, which was not generated using method (1) described in RFC 5280 section 4.2.1.2.. Structure is documented below.
- Public
Key CertificateThis property is required. Changes to this property will trigger replacement.Config Public Key A PublicKey describes a public key. Structure is documented below.
The
x509_configblock supports:- Subject
Config CertificateThis property is required. Changes to this property will trigger replacement.Config Subject Config - Specifies some of the values in a certificate that are related to the subject. Structure is documented below.
- X509Config
Certificate
This property is required. Changes to this property will trigger replacement.Config X509Config - Describes how some of the technical X.509 fields in a certificate should be populated. Structure is documented below.
- Subject
Key Id Config Subject Key Id - When specified this provides a custom SKI to be used in the certificate. This should only be used to maintain a SKI of an existing CA originally created outside CA service, which was not generated using method (1) described in RFC 5280 section 4.2.1.2.. Structure is documented below.
- public
Key CertificateThis property is required. Changes to this property will trigger replacement.Config Public Key A PublicKey describes a public key. Structure is documented below.
The
x509_configblock supports:- subject
Config CertificateThis property is required. Changes to this property will trigger replacement.Config Subject Config - Specifies some of the values in a certificate that are related to the subject. Structure is documented below.
- x509Config
Certificate
This property is required. Changes to this property will trigger replacement.Config X509Config - Describes how some of the technical X.509 fields in a certificate should be populated. Structure is documented below.
- subject
Key Id Config Subject Key Id - When specified this provides a custom SKI to be used in the certificate. This should only be used to maintain a SKI of an existing CA originally created outside CA service, which was not generated using method (1) described in RFC 5280 section 4.2.1.2.. Structure is documented below.
- public
Key CertificateThis property is required. Changes to this property will trigger replacement.Config Public Key A PublicKey describes a public key. Structure is documented below.
The
x509_configblock supports:- subject
Config CertificateThis property is required. Changes to this property will trigger replacement.Config Subject Config - Specifies some of the values in a certificate that are related to the subject. Structure is documented below.
- x509Config
Certificate
This property is required. Changes to this property will trigger replacement.Config X509Config - Describes how some of the technical X.509 fields in a certificate should be populated. Structure is documented below.
- subject
Key Id Config Subject Key Id - When specified this provides a custom SKI to be used in the certificate. This should only be used to maintain a SKI of an existing CA originally created outside CA service, which was not generated using method (1) described in RFC 5280 section 4.2.1.2.. Structure is documented below.
- public_
key CertificateThis property is required. Changes to this property will trigger replacement.Config Public Key A PublicKey describes a public key. Structure is documented below.
The
x509_configblock supports:- subject_
config CertificateThis property is required. Changes to this property will trigger replacement.Config Subject Config - Specifies some of the values in a certificate that are related to the subject. Structure is documented below.
- x509_
config CertificateThis property is required. Changes to this property will trigger replacement.Config X509Config - Describes how some of the technical X.509 fields in a certificate should be populated. Structure is documented below.
- subject_
key_ id Config Subject Key Id - When specified this provides a custom SKI to be used in the certificate. This should only be used to maintain a SKI of an existing CA originally created outside CA service, which was not generated using method (1) described in RFC 5280 section 4.2.1.2.. Structure is documented below.
- public
Key Property MapThis property is required. Changes to this property will trigger replacement. A PublicKey describes a public key. Structure is documented below.
The
x509_configblock supports:- subject
Config Property MapThis property is required. Changes to this property will trigger replacement. - Specifies some of the values in a certificate that are related to the subject. Structure is documented below.
- x509Config
Property Map
This property is required. Changes to this property will trigger replacement. - Describes how some of the technical X.509 fields in a certificate should be populated. Structure is documented below.
- subject
Key Id - When specified this provides a custom SKI to be used in the certificate. This should only be used to maintain a SKI of an existing CA originally created outside CA service, which was not generated using method (1) described in RFC 5280 section 4.2.1.2.. Structure is documented below.
CertificateConfigPublicKey, CertificateConfigPublicKeyArgs
, CertificateConfigPublicKeyArgs
- Format
string
This property is required. Changes to this property will trigger replacement. - The format of the public key. Currently, only PEM format is supported.
Possible values are:
KEY_TYPE_UNSPECIFIED,PEM. - Key
- Required. A public key. When this is specified in a request, the padding and encoding can be any of the options described by the respective 'KeyType' value. When this is generated by the service, it will always be an RFC 5280 SubjectPublicKeyInfo structure containing an algorithm identifier and a key. A base64-encoded string.
- Format
string
This property is required. Changes to this property will trigger replacement. - The format of the public key. Currently, only PEM format is supported.
Possible values are:
KEY_TYPE_UNSPECIFIED,PEM. - Key
- Required. A public key. When this is specified in a request, the padding and encoding can be any of the options described by the respective 'KeyType' value. When this is generated by the service, it will always be an RFC 5280 SubjectPublicKeyInfo structure containing an algorithm identifier and a key. A base64-encoded string.
- format
String
This property is required. Changes to this property will trigger replacement. - The format of the public key. Currently, only PEM format is supported.
Possible values are:
KEY_TYPE_UNSPECIFIED,PEM. - key
- Required. A public key. When this is specified in a request, the padding and encoding can be any of the options described by the respective 'KeyType' value. When this is generated by the service, it will always be an RFC 5280 SubjectPublicKeyInfo structure containing an algorithm identifier and a key. A base64-encoded string.
- format
string
This property is required. Changes to this property will trigger replacement. - The format of the public key. Currently, only PEM format is supported.
Possible values are:
KEY_TYPE_UNSPECIFIED,PEM. - key
- Required. A public key. When this is specified in a request, the padding and encoding can be any of the options described by the respective 'KeyType' value. When this is generated by the service, it will always be an RFC 5280 SubjectPublicKeyInfo structure containing an algorithm identifier and a key. A base64-encoded string.
- format
str
This property is required. Changes to this property will trigger replacement. - The format of the public key. Currently, only PEM format is supported.
Possible values are:
KEY_TYPE_UNSPECIFIED,PEM. - key
- Required. A public key. When this is specified in a request, the padding and encoding can be any of the options described by the respective 'KeyType' value. When this is generated by the service, it will always be an RFC 5280 SubjectPublicKeyInfo structure containing an algorithm identifier and a key. A base64-encoded string.
- format
String
This property is required. Changes to this property will trigger replacement. - The format of the public key. Currently, only PEM format is supported.
Possible values are:
KEY_TYPE_UNSPECIFIED,PEM. - key
- Required. A public key. When this is specified in a request, the padding and encoding can be any of the options described by the respective 'KeyType' value. When this is generated by the service, it will always be an RFC 5280 SubjectPublicKeyInfo structure containing an algorithm identifier and a key. A base64-encoded string.
CertificateConfigSubjectConfig, CertificateConfigSubjectConfigArgs
, CertificateConfigSubjectConfigArgs
- Subject
Certificate
This property is required. Changes to this property will trigger replacement.Config Subject Config Subject - Contains distinguished name fields such as the location and organization. Structure is documented below.
- Subject
Alt Name Config Subject Config Subject Alt Name - The subject alternative name fields. Structure is documented below.
- Subject
Certificate
This property is required. Changes to this property will trigger replacement.Config Subject Config Subject - Contains distinguished name fields such as the location and organization. Structure is documented below.
- Subject
Alt Name Config Subject Config Subject Alt Name - The subject alternative name fields. Structure is documented below.
- subject
Certificate
This property is required. Changes to this property will trigger replacement.Config Subject Config Subject - Contains distinguished name fields such as the location and organization. Structure is documented below.
- subject
Alt Name Config Subject Config Subject Alt Name - The subject alternative name fields. Structure is documented below.
- subject
Certificate
This property is required. Changes to this property will trigger replacement.Config Subject Config Subject - Contains distinguished name fields such as the location and organization. Structure is documented below.
- subject
Alt Name Config Subject Config Subject Alt Name - The subject alternative name fields. Structure is documented below.
- subject
Certificate
This property is required. Changes to this property will trigger replacement.Config Subject Config Subject - Contains distinguished name fields such as the location and organization. Structure is documented below.
- subject_
alt_ name Config Subject Config Subject Alt Name - The subject alternative name fields. Structure is documented below.
- subject
Property Map
This property is required. Changes to this property will trigger replacement. - Contains distinguished name fields such as the location and organization. Structure is documented below.
- subject
Alt Name - The subject alternative name fields. Structure is documented below.
CertificateConfigSubjectConfigSubject, CertificateConfigSubjectConfigSubjectArgs
, CertificateConfigSubjectConfigSubjectArgs
- Common
Name stringThis property is required. Changes to this property will trigger replacement. - The common name of the distinguished name.
- Organization
string
This property is required. Changes to this property will trigger replacement. - The organization of the subject.
- Country
Code - The country code of the subject.
- Locality
- The locality or city of the subject.
- Organizational
Unit - The organizational unit of the subject.
- Postal
Code - The postal code of the subject.
- Province
- The province, territory, or regional state of the subject.
- Street
Address - The street address of the subject.
- Common
Name stringThis property is required. Changes to this property will trigger replacement. - The common name of the distinguished name.
- Organization
string
This property is required. Changes to this property will trigger replacement. - The organization of the subject.
- Country
Code - The country code of the subject.
- Locality
- The locality or city of the subject.
- Organizational
Unit - The organizational unit of the subject.
- Postal
Code - The postal code of the subject.
- Province
- The province, territory, or regional state of the subject.
- Street
Address - The street address of the subject.
- common
Name StringThis property is required. Changes to this property will trigger replacement. - The common name of the distinguished name.
- organization
String
This property is required. Changes to this property will trigger replacement. - The organization of the subject.
- country
Code - The country code of the subject.
- locality
- The locality or city of the subject.
- organizational
Unit - The organizational unit of the subject.
- postal
Code - The postal code of the subject.
- province
- The province, territory, or regional state of the subject.
- street
Address - The street address of the subject.
- common
Name stringThis property is required. Changes to this property will trigger replacement. - The common name of the distinguished name.
- organization
string
This property is required. Changes to this property will trigger replacement. - The organization of the subject.
- country
Code - The country code of the subject.
- locality
- The locality or city of the subject.
- organizational
Unit - The organizational unit of the subject.
- postal
Code - The postal code of the subject.
- province
- The province, territory, or regional state of the subject.
- street
Address - The street address of the subject.
- common_
name strThis property is required. Changes to this property will trigger replacement. - The common name of the distinguished name.
- organization
str
This property is required. Changes to this property will trigger replacement. - The organization of the subject.
- country_
code - The country code of the subject.
- locality
- The locality or city of the subject.
- organizational_
unit - The organizational unit of the subject.
- postal_
code - The postal code of the subject.
- province
- The province, territory, or regional state of the subject.
- street_
address - The street address of the subject.
- common
Name StringThis property is required. Changes to this property will trigger replacement. - The common name of the distinguished name.
- organization
String
This property is required. Changes to this property will trigger replacement. - The organization of the subject.
- country
Code - The country code of the subject.
- locality
- The locality or city of the subject.
- organizational
Unit - The organizational unit of the subject.
- postal
Code - The postal code of the subject.
- province
- The province, territory, or regional state of the subject.
- street
Address - The street address of the subject.
CertificateConfigSubjectConfigSubjectAltName, CertificateConfigSubjectConfigSubjectAltNameArgs
, CertificateConfigSubjectConfigSubjectAltNameArgs
- Dns
Names - Contains only valid, fully-qualified host names.
- Email
Addresses - Contains only valid RFC 2822 E-mail addresses.
- Ip
Addresses - Contains only valid 32-bit IPv4 addresses or RFC 4291 IPv6 addresses.
- Uris
- Contains only valid RFC 3986 URIs.
- Dns
Names - Contains only valid, fully-qualified host names.
- Email
Addresses - Contains only valid RFC 2822 E-mail addresses.
- Ip
Addresses - Contains only valid 32-bit IPv4 addresses or RFC 4291 IPv6 addresses.
- Uris
- Contains only valid RFC 3986 URIs.
- dns
Names - Contains only valid, fully-qualified host names.
- email
Addresses - Contains only valid RFC 2822 E-mail addresses.
- ip
Addresses - Contains only valid 32-bit IPv4 addresses or RFC 4291 IPv6 addresses.
- uris
- Contains only valid RFC 3986 URIs.
- dns
Names - Contains only valid, fully-qualified host names.
- email
Addresses - Contains only valid RFC 2822 E-mail addresses.
- ip
Addresses - Contains only valid 32-bit IPv4 addresses or RFC 4291 IPv6 addresses.
- uris
- Contains only valid RFC 3986 URIs.
- dns_
names - Contains only valid, fully-qualified host names.
- email_
addresses - Contains only valid RFC 2822 E-mail addresses.
- ip_
addresses - Contains only valid 32-bit IPv4 addresses or RFC 4291 IPv6 addresses.
- uris
- Contains only valid RFC 3986 URIs.
- dns
Names - Contains only valid, fully-qualified host names.
- email
Addresses - Contains only valid RFC 2822 E-mail addresses.
- ip
Addresses - Contains only valid 32-bit IPv4 addresses or RFC 4291 IPv6 addresses.
- uris
- Contains only valid RFC 3986 URIs.
CertificateConfigSubjectKeyId, CertificateConfigSubjectKeyIdArgs
, CertificateConfigSubjectKeyIdArgs
- Key
Id - The value of the KeyId in lowercase hexadecimal.
- Key
Id - The value of the KeyId in lowercase hexadecimal.
- key
Id - The value of the KeyId in lowercase hexadecimal.
- key
Id - The value of the KeyId in lowercase hexadecimal.
- key_
id - The value of the KeyId in lowercase hexadecimal.
- key
Id - The value of the KeyId in lowercase hexadecimal.
CertificateConfigX509Config, CertificateConfigX509ConfigArgs
, CertificateConfigX509ConfigArgs
- Key
Usage CertificateThis property is required. Changes to this property will trigger replacement.Config X509Config Key Usage - (Output) Indicates the intended use for keys that correspond to a certificate. Structure is documented below.
- Additional
Extensions Config X509Config Additional Extension> - (Output) Describes custom X.509 extensions. Structure is documented below.
- Aia
Ocsp Servers - (Output) Describes Online Certificate Status Protocol (OCSP) endpoint addresses that appear in the "Authority Information Access" extension in the certificate.
- Ca
Options Config X509Config Ca Options - (Output) Describes values that are relevant in a CA certificate. Structure is documented below.
- Name
Constraints Config X509Config Name Constraints - (Output) Describes the X.509 name constraints extension. Structure is documented below.
- Policy
Ids Config X509Config Policy Id> - (Output) Describes the X.509 certificate policy object identifiers, per https://tools.ietf.org/html/rfc5280#section-4.2.1.4. Structure is documented below.
- Key
Usage CertificateThis property is required. Changes to this property will trigger replacement.Config X509Config Key Usage - (Output) Indicates the intended use for keys that correspond to a certificate. Structure is documented below.
- Additional
Extensions Config X509Config Additional Extension - (Output) Describes custom X.509 extensions. Structure is documented below.
- Aia
Ocsp Servers - (Output) Describes Online Certificate Status Protocol (OCSP) endpoint addresses that appear in the "Authority Information Access" extension in the certificate.
- Ca
Options Config X509Config Ca Options - (Output) Describes values that are relevant in a CA certificate. Structure is documented below.
- Name
Constraints Config X509Config Name Constraints - (Output) Describes the X.509 name constraints extension. Structure is documented below.
- Policy
Ids Config X509Config Policy Id - (Output) Describes the X.509 certificate policy object identifiers, per https://tools.ietf.org/html/rfc5280#section-4.2.1.4. Structure is documented below.
- key
Usage CertificateThis property is required. Changes to this property will trigger replacement.Config X509Config Key Usage - (Output) Indicates the intended use for keys that correspond to a certificate. Structure is documented below.
- additional
Extensions Config X509Config Additional Extension> - (Output) Describes custom X.509 extensions. Structure is documented below.
- aia
Ocsp Servers - (Output) Describes Online Certificate Status Protocol (OCSP) endpoint addresses that appear in the "Authority Information Access" extension in the certificate.
- ca
Options Config X509Config Ca Options - (Output) Describes values that are relevant in a CA certificate. Structure is documented below.
- name
Constraints Config X509Config Name Constraints - (Output) Describes the X.509 name constraints extension. Structure is documented below.
- policy
Ids Config X509Config Policy Id> - (Output) Describes the X.509 certificate policy object identifiers, per https://tools.ietf.org/html/rfc5280#section-4.2.1.4. Structure is documented below.
- key
Usage CertificateThis property is required. Changes to this property will trigger replacement.Config X509Config Key Usage - (Output) Indicates the intended use for keys that correspond to a certificate. Structure is documented below.
- additional
Extensions Config X509Config Additional Extension[] - (Output) Describes custom X.509 extensions. Structure is documented below.
- aia
Ocsp Servers - (Output) Describes Online Certificate Status Protocol (OCSP) endpoint addresses that appear in the "Authority Information Access" extension in the certificate.
- ca
Options Config X509Config Ca Options - (Output) Describes values that are relevant in a CA certificate. Structure is documented below.
- name
Constraints Config X509Config Name Constraints - (Output) Describes the X.509 name constraints extension. Structure is documented below.
- policy
Ids Config X509Config Policy Id[] - (Output) Describes the X.509 certificate policy object identifiers, per https://tools.ietf.org/html/rfc5280#section-4.2.1.4. Structure is documented below.
- key_
usage CertificateThis property is required. Changes to this property will trigger replacement.Config X509Config Key Usage - (Output) Indicates the intended use for keys that correspond to a certificate. Structure is documented below.
- additional_
extensions Config X509Config Additional Extension] - (Output) Describes custom X.509 extensions. Structure is documented below.
- aia_
ocsp_ servers - (Output) Describes Online Certificate Status Protocol (OCSP) endpoint addresses that appear in the "Authority Information Access" extension in the certificate.
- ca_
options Config X509Config Ca Options - (Output) Describes values that are relevant in a CA certificate. Structure is documented below.
- name_
constraints Config X509Config Name Constraints - (Output) Describes the X.509 name constraints extension. Structure is documented below.
- policy_
ids Config X509Config Policy Id] - (Output) Describes the X.509 certificate policy object identifiers, per https://tools.ietf.org/html/rfc5280#section-4.2.1.4. Structure is documented below.
- key
Usage Property MapThis property is required. Changes to this property will trigger replacement. - (Output) Indicates the intended use for keys that correspond to a certificate. Structure is documented below.
- additional
Extensions - (Output) Describes custom X.509 extensions. Structure is documented below.
- aia
Ocsp Servers - (Output) Describes Online Certificate Status Protocol (OCSP) endpoint addresses that appear in the "Authority Information Access" extension in the certificate.
- ca
Options - (Output) Describes values that are relevant in a CA certificate. Structure is documented below.
- name
Constraints - (Output) Describes the X.509 name constraints extension. Structure is documented below.
- policy
Ids - (Output) Describes the X.509 certificate policy object identifiers, per https://tools.ietf.org/html/rfc5280#section-4.2.1.4. Structure is documented below.
CertificateConfigX509ConfigAdditionalExtension, CertificateConfigX509ConfigAdditionalExtensionArgs
, CertificateConfigX509ConfigAdditionalExtensionArgs
- Critical
bool
This property is required. Changes to this property will trigger replacement. - Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error).
- Object
Id CertificateThis property is required. Changes to this property will trigger replacement.Config X509Config Additional Extension Object Id - Describes values that are relevant in a CA certificate. Structure is documented below.
- Value
string
This property is required. Changes to this property will trigger replacement. - The value of this X.509 extension. A base64-encoded string.
- Critical
bool
This property is required. Changes to this property will trigger replacement. - Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error).
- Object
Id CertificateThis property is required. Changes to this property will trigger replacement.Config X509Config Additional Extension Object Id - Describes values that are relevant in a CA certificate. Structure is documented below.
- Value
string
This property is required. Changes to this property will trigger replacement. - The value of this X.509 extension. A base64-encoded string.
- critical
Boolean
This property is required. Changes to this property will trigger replacement. - Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error).
- object
Id CertificateThis property is required. Changes to this property will trigger replacement.Config X509Config Additional Extension Object Id - Describes values that are relevant in a CA certificate. Structure is documented below.
- value
String
This property is required. Changes to this property will trigger replacement. - The value of this X.509 extension. A base64-encoded string.
- critical
boolean
This property is required. Changes to this property will trigger replacement. - Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error).
- object
Id CertificateThis property is required. Changes to this property will trigger replacement.Config X509Config Additional Extension Object Id - Describes values that are relevant in a CA certificate. Structure is documented below.
- value
string
This property is required. Changes to this property will trigger replacement. - The value of this X.509 extension. A base64-encoded string.
- critical
bool
This property is required. Changes to this property will trigger replacement. - Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error).
- object_
id CertificateThis property is required. Changes to this property will trigger replacement.Config X509Config Additional Extension Object Id - Describes values that are relevant in a CA certificate. Structure is documented below.
- value
str
This property is required. Changes to this property will trigger replacement. - The value of this X.509 extension. A base64-encoded string.
- critical
Boolean
This property is required. Changes to this property will trigger replacement. - Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error).
- object
Id Property MapThis property is required. Changes to this property will trigger replacement. - Describes values that are relevant in a CA certificate. Structure is documented below.
- value
String
This property is required. Changes to this property will trigger replacement. - The value of this X.509 extension. A base64-encoded string.
CertificateConfigX509ConfigAdditionalExtensionObjectId, CertificateConfigX509ConfigAdditionalExtensionObjectIdArgs
, CertificateConfigX509ConfigAdditionalExtensionObjectIdArgs
- Object
Id Paths List<int>This property is required. Changes to this property will trigger replacement. - An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
- Object
Id Paths []intThis property is required. Changes to this property will trigger replacement. - An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
- object
Id Paths List<Integer>This property is required. Changes to this property will trigger replacement. - An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
- object
Id Paths number[]This property is required. Changes to this property will trigger replacement. - An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
- object_
id_ paths Sequence[int]This property is required. Changes to this property will trigger replacement. - An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
- object
Id Paths List<Number>This property is required. Changes to this property will trigger replacement. - An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
CertificateConfigX509ConfigCaOptions, CertificateConfigX509ConfigCaOptionsArgs
, CertificateConfigX509ConfigCaOptionsArgs
- Is
Ca - When true, the "CA" in Basic Constraints extension will be set to true.
- Max
Issuer Path Length - Refers to the "path length constraint" in Basic Constraints extension. For a CA certificate, this value describes the depth of subordinate CA certificates that are allowed. If this value is less than 0, the request will fail.
- Non
Ca - When true, the "CA" in Basic Constraints extension will be set to false.
If both
is_caandnon_caare unset, the extension will be omitted from the CA certificate. - Zero
Max Issuer Path Length - When true, the "path length constraint" in Basic Constraints extension will be set to 0.
if both
max_issuer_path_lengthandzero_max_issuer_path_lengthare unset, the max path length will be omitted from the CA certificate.
- Is
Ca - When true, the "CA" in Basic Constraints extension will be set to true.
- Max
Issuer Path Length - Refers to the "path length constraint" in Basic Constraints extension. For a CA certificate, this value describes the depth of subordinate CA certificates that are allowed. If this value is less than 0, the request will fail.
- Non
Ca - When true, the "CA" in Basic Constraints extension will be set to false.
If both
is_caandnon_caare unset, the extension will be omitted from the CA certificate. - Zero
Max Issuer Path Length - When true, the "path length constraint" in Basic Constraints extension will be set to 0.
if both
max_issuer_path_lengthandzero_max_issuer_path_lengthare unset, the max path length will be omitted from the CA certificate.
- is
Ca - When true, the "CA" in Basic Constraints extension will be set to true.
- max
Issuer Path Length - Refers to the "path length constraint" in Basic Constraints extension. For a CA certificate, this value describes the depth of subordinate CA certificates that are allowed. If this value is less than 0, the request will fail.
- non
Ca - When true, the "CA" in Basic Constraints extension will be set to false.
If both
is_caandnon_caare unset, the extension will be omitted from the CA certificate. - zero
Max Issuer Path Length - When true, the "path length constraint" in Basic Constraints extension will be set to 0.
if both
max_issuer_path_lengthandzero_max_issuer_path_lengthare unset, the max path length will be omitted from the CA certificate.
- is
Ca - When true, the "CA" in Basic Constraints extension will be set to true.
- max
Issuer Path Length - Refers to the "path length constraint" in Basic Constraints extension. For a CA certificate, this value describes the depth of subordinate CA certificates that are allowed. If this value is less than 0, the request will fail.
- non
Ca - When true, the "CA" in Basic Constraints extension will be set to false.
If both
is_caandnon_caare unset, the extension will be omitted from the CA certificate. - zero
Max Issuer Path Length - When true, the "path length constraint" in Basic Constraints extension will be set to 0.
if both
max_issuer_path_lengthandzero_max_issuer_path_lengthare unset, the max path length will be omitted from the CA certificate.
- is_
ca - When true, the "CA" in Basic Constraints extension will be set to true.
- max_
issuer_ path_ length - Refers to the "path length constraint" in Basic Constraints extension. For a CA certificate, this value describes the depth of subordinate CA certificates that are allowed. If this value is less than 0, the request will fail.
- non_
ca - When true, the "CA" in Basic Constraints extension will be set to false.
If both
is_caandnon_caare unset, the extension will be omitted from the CA certificate. - zero_
max_ issuer_ path_ length - When true, the "path length constraint" in Basic Constraints extension will be set to 0.
if both
max_issuer_path_lengthandzero_max_issuer_path_lengthare unset, the max path length will be omitted from the CA certificate.
- is
Ca - When true, the "CA" in Basic Constraints extension will be set to true.
- max
Issuer Path Length - Refers to the "path length constraint" in Basic Constraints extension. For a CA certificate, this value describes the depth of subordinate CA certificates that are allowed. If this value is less than 0, the request will fail.
- non
Ca - When true, the "CA" in Basic Constraints extension will be set to false.
If both
is_caandnon_caare unset, the extension will be omitted from the CA certificate. - zero
Max Issuer Path Length - When true, the "path length constraint" in Basic Constraints extension will be set to 0.
if both
max_issuer_path_lengthandzero_max_issuer_path_lengthare unset, the max path length will be omitted from the CA certificate.
CertificateConfigX509ConfigKeyUsage, CertificateConfigX509ConfigKeyUsageArgs
, CertificateConfigX509ConfigKeyUsageArgs
- Base
Key Usage CertificateThis property is required. Changes to this property will trigger replacement.Config X509Config Key Usage Base Key Usage - Describes high-level ways in which a key may be used. Structure is documented below.
- Extended
Key Usage CertificateThis property is required. Changes to this property will trigger replacement.Config X509Config Key Usage Extended Key Usage - Describes high-level ways in which a key may be used. Structure is documented below.
- Unknown
Extended Key Usages Config X509Config Key Usage Unknown Extended Key Usage> - An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. Structure is documented below.
- Base
Key Usage CertificateThis property is required. Changes to this property will trigger replacement.Config X509Config Key Usage Base Key Usage - Describes high-level ways in which a key may be used. Structure is documented below.
- Extended
Key Usage CertificateThis property is required. Changes to this property will trigger replacement.Config X509Config Key Usage Extended Key Usage - Describes high-level ways in which a key may be used. Structure is documented below.
- Unknown
Extended Key Usages Config X509Config Key Usage Unknown Extended Key Usage - An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. Structure is documented below.
- base
Key Usage CertificateThis property is required. Changes to this property will trigger replacement.Config X509Config Key Usage Base Key Usage - Describes high-level ways in which a key may be used. Structure is documented below.
- extended
Key Usage CertificateThis property is required. Changes to this property will trigger replacement.Config X509Config Key Usage Extended Key Usage - Describes high-level ways in which a key may be used. Structure is documented below.
- unknown
Extended Key Usages Config X509Config Key Usage Unknown Extended Key Usage> - An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. Structure is documented below.
- base
Key Usage CertificateThis property is required. Changes to this property will trigger replacement.Config X509Config Key Usage Base Key Usage - Describes high-level ways in which a key may be used. Structure is documented below.
- extended
Key Usage CertificateThis property is required. Changes to this property will trigger replacement.Config X509Config Key Usage Extended Key Usage - Describes high-level ways in which a key may be used. Structure is documented below.
- unknown
Extended Key Usages Config X509Config Key Usage Unknown Extended Key Usage[] - An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. Structure is documented below.
- base_
key_ usage CertificateThis property is required. Changes to this property will trigger replacement.Config X509Config Key Usage Base Key Usage - Describes high-level ways in which a key may be used. Structure is documented below.
- extended_
key_ usage CertificateThis property is required. Changes to this property will trigger replacement.Config X509Config Key Usage Extended Key Usage - Describes high-level ways in which a key may be used. Structure is documented below.
- unknown_
extended_ key_ usages Config X509Config Key Usage Unknown Extended Key Usage] - An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. Structure is documented below.
- base
Key Usage Property MapThis property is required. Changes to this property will trigger replacement. - Describes high-level ways in which a key may be used. Structure is documented below.
- extended
Key Usage Property MapThis property is required. Changes to this property will trigger replacement. - Describes high-level ways in which a key may be used. Structure is documented below.
- unknown
Extended Key Usages - An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. Structure is documented below.
CertificateConfigX509ConfigKeyUsageBaseKeyUsage, CertificateConfigX509ConfigKeyUsageBaseKeyUsageArgs
, CertificateConfigX509ConfigKeyUsageBaseKeyUsageArgs
- Cert
Sign - The key may be used to sign certificates.
- Content
Commitment - The key may be used for cryptographic commitments. Note that this may also be referred to as "non-repudiation".
- Crl
Sign - The key may be used sign certificate revocation lists.
- Data
Encipherment - The key may be used to encipher data.
- Decipher
Only - The key may be used to decipher only.
- Digital
Signature - The key may be used for digital signatures.
- Encipher
Only - The key may be used to encipher only.
- Key
Agreement - The key may be used in a key agreement protocol.
- Key
Encipherment - The key may be used to encipher other keys.
- Cert
Sign - The key may be used to sign certificates.
- Content
Commitment - The key may be used for cryptographic commitments. Note that this may also be referred to as "non-repudiation".
- Crl
Sign - The key may be used sign certificate revocation lists.
- Data
Encipherment - The key may be used to encipher data.
- Decipher
Only - The key may be used to decipher only.
- Digital
Signature - The key may be used for digital signatures.
- Encipher
Only - The key may be used to encipher only.
- Key
Agreement - The key may be used in a key agreement protocol.
- Key
Encipherment - The key may be used to encipher other keys.
- cert
Sign - The key may be used to sign certificates.
- content
Commitment - The key may be used for cryptographic commitments. Note that this may also be referred to as "non-repudiation".
- crl
Sign - The key may be used sign certificate revocation lists.
- data
Encipherment - The key may be used to encipher data.
- decipher
Only - The key may be used to decipher only.
- digital
Signature - The key may be used for digital signatures.
- encipher
Only - The key may be used to encipher only.
- key
Agreement - The key may be used in a key agreement protocol.
- key
Encipherment - The key may be used to encipher other keys.
- cert
Sign - The key may be used to sign certificates.
- content
Commitment - The key may be used for cryptographic commitments. Note that this may also be referred to as "non-repudiation".
- crl
Sign - The key may be used sign certificate revocation lists.
- data
Encipherment - The key may be used to encipher data.
- decipher
Only - The key may be used to decipher only.
- digital
Signature - The key may be used for digital signatures.
- encipher
Only - The key may be used to encipher only.
- key
Agreement - The key may be used in a key agreement protocol.
- key
Encipherment - The key may be used to encipher other keys.
- cert_
sign - The key may be used to sign certificates.
- content_
commitment - The key may be used for cryptographic commitments. Note that this may also be referred to as "non-repudiation".
- crl_
sign - The key may be used sign certificate revocation lists.
- data_
encipherment - The key may be used to encipher data.
- decipher_
only - The key may be used to decipher only.
- digital_
signature - The key may be used for digital signatures.
- encipher_
only - The key may be used to encipher only.
- key_
agreement - The key may be used in a key agreement protocol.
- key_
encipherment - The key may be used to encipher other keys.
- cert
Sign - The key may be used to sign certificates.
- content
Commitment - The key may be used for cryptographic commitments. Note that this may also be referred to as "non-repudiation".
- crl
Sign - The key may be used sign certificate revocation lists.
- data
Encipherment - The key may be used to encipher data.
- decipher
Only - The key may be used to decipher only.
- digital
Signature - The key may be used for digital signatures.
- encipher
Only - The key may be used to encipher only.
- key
Agreement - The key may be used in a key agreement protocol.
- key
Encipherment - The key may be used to encipher other keys.
CertificateConfigX509ConfigKeyUsageExtendedKeyUsage, CertificateConfigX509ConfigKeyUsageExtendedKeyUsageArgs
, CertificateConfigX509ConfigKeyUsageExtendedKeyUsageArgs
- Client
Auth - Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as "TLS WWW client authentication", though regularly used for non-WWW TLS.
- Code
Signing - Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as "Signing of downloadable executable code client authentication".
- Email
Protection - Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as "Email protection".
- Ocsp
Signing - Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as "Signing OCSP responses".
- Server
Auth - Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as "TLS WWW server authentication", though regularly used for non-WWW TLS.
- Time
Stamping - Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as "Binding the hash of an object to a time".
- Client
Auth - Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as "TLS WWW client authentication", though regularly used for non-WWW TLS.
- Code
Signing - Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as "Signing of downloadable executable code client authentication".
- Email
Protection - Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as "Email protection".
- Ocsp
Signing - Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as "Signing OCSP responses".
- Server
Auth - Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as "TLS WWW server authentication", though regularly used for non-WWW TLS.
- Time
Stamping - Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as "Binding the hash of an object to a time".
- client
Auth - Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as "TLS WWW client authentication", though regularly used for non-WWW TLS.
- code
Signing - Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as "Signing of downloadable executable code client authentication".
- email
Protection - Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as "Email protection".
- ocsp
Signing - Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as "Signing OCSP responses".
- server
Auth - Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as "TLS WWW server authentication", though regularly used for non-WWW TLS.
- time
Stamping - Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as "Binding the hash of an object to a time".
- client
Auth - Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as "TLS WWW client authentication", though regularly used for non-WWW TLS.
- code
Signing - Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as "Signing of downloadable executable code client authentication".
- email
Protection - Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as "Email protection".
- ocsp
Signing - Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as "Signing OCSP responses".
- server
Auth - Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as "TLS WWW server authentication", though regularly used for non-WWW TLS.
- time
Stamping - Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as "Binding the hash of an object to a time".
- client_
auth - Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as "TLS WWW client authentication", though regularly used for non-WWW TLS.
- code_
signing - Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as "Signing of downloadable executable code client authentication".
- email_
protection - Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as "Email protection".
- ocsp_
signing - Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as "Signing OCSP responses".
- server_
auth - Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as "TLS WWW server authentication", though regularly used for non-WWW TLS.
- time_
stamping - Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as "Binding the hash of an object to a time".
- client
Auth - Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as "TLS WWW client authentication", though regularly used for non-WWW TLS.
- code
Signing - Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as "Signing of downloadable executable code client authentication".
- email
Protection - Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as "Email protection".
- ocsp
Signing - Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as "Signing OCSP responses".
- server
Auth - Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as "TLS WWW server authentication", though regularly used for non-WWW TLS.
- time
Stamping - Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as "Binding the hash of an object to a time".
CertificateConfigX509ConfigKeyUsageUnknownExtendedKeyUsage, CertificateConfigX509ConfigKeyUsageUnknownExtendedKeyUsageArgs
, CertificateConfigX509ConfigKeyUsageUnknownExtendedKeyUsageArgs
- Object
Id Paths List<int>This property is required. Changes to this property will trigger replacement. - An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
- Object
Id Paths []intThis property is required. Changes to this property will trigger replacement. - An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
- object
Id Paths List<Integer>This property is required. Changes to this property will trigger replacement. - An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
- object
Id Paths number[]This property is required. Changes to this property will trigger replacement. - An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
- object_
id_ paths Sequence[int]This property is required. Changes to this property will trigger replacement. - An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
- object
Id Paths List<Number>This property is required. Changes to this property will trigger replacement. - An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
CertificateConfigX509ConfigNameConstraints, CertificateConfigX509ConfigNameConstraintsArgs
, CertificateConfigX509ConfigNameConstraintsArgs
- Critical
bool
This property is required. Changes to this property will trigger replacement. - Indicates whether or not the name constraints are marked critical.
- Excluded
Dns Names - Contains excluded DNS names. Any DNS name that can be
constructed by simply adding zero or more labels to
the left-hand side of the name satisfies the name constraint.
For example,
example.com,www.example.com,www.sub.example.comwould satisfyexample.comwhileexample1.comdoes not. - Excluded
Email Addresses - Contains the excluded email addresses. The value can be a particular
email address, a hostname to indicate all email addresses on that host or
a domain with a leading period (e.g.
.example.com) to indicate all email addresses in that domain. - Excluded
Ip Ranges - Contains the excluded IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.
- Excluded
Uris - Contains the excluded URIs that apply to the host part of the name.
The value can be a hostname or a domain with a
leading period (like
.example.com) - Permitted
Dns Names - Contains permitted DNS names. Any DNS name that can be
constructed by simply adding zero or more labels to
the left-hand side of the name satisfies the name constraint.
For example,
example.com,www.example.com,www.sub.example.comwould satisfyexample.comwhileexample1.comdoes not. - Permitted
Email Addresses - Contains the permitted email addresses. The value can be a particular
email address, a hostname to indicate all email addresses on that host or
a domain with a leading period (e.g.
.example.com) to indicate all email addresses in that domain. - Permitted
Ip Ranges - Contains the permitted IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.
- Permitted
Uris - Contains the permitted URIs that apply to the host part of the name.
The value can be a hostname or a domain with a
leading period (like
.example.com)
- Critical
bool
This property is required. Changes to this property will trigger replacement. - Indicates whether or not the name constraints are marked critical.
- Excluded
Dns Names - Contains excluded DNS names. Any DNS name that can be
constructed by simply adding zero or more labels to
the left-hand side of the name satisfies the name constraint.
For example,
example.com,www.example.com,www.sub.example.comwould satisfyexample.comwhileexample1.comdoes not. - Excluded
Email Addresses - Contains the excluded email addresses. The value can be a particular
email address, a hostname to indicate all email addresses on that host or
a domain with a leading period (e.g.
.example.com) to indicate all email addresses in that domain. - Excluded
Ip Ranges - Contains the excluded IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.
- Excluded
Uris - Contains the excluded URIs that apply to the host part of the name.
The value can be a hostname or a domain with a
leading period (like
.example.com) - Permitted
Dns Names - Contains permitted DNS names. Any DNS name that can be
constructed by simply adding zero or more labels to
the left-hand side of the name satisfies the name constraint.
For example,
example.com,www.example.com,www.sub.example.comwould satisfyexample.comwhileexample1.comdoes not. - Permitted
Email Addresses - Contains the permitted email addresses. The value can be a particular
email address, a hostname to indicate all email addresses on that host or
a domain with a leading period (e.g.
.example.com) to indicate all email addresses in that domain. - Permitted
Ip Ranges - Contains the permitted IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.
- Permitted
Uris - Contains the permitted URIs that apply to the host part of the name.
The value can be a hostname or a domain with a
leading period (like
.example.com)
- critical
Boolean
This property is required. Changes to this property will trigger replacement. - Indicates whether or not the name constraints are marked critical.
- excluded
Dns Names - Contains excluded DNS names. Any DNS name that can be
constructed by simply adding zero or more labels to
the left-hand side of the name satisfies the name constraint.
For example,
example.com,www.example.com,www.sub.example.comwould satisfyexample.comwhileexample1.comdoes not. - excluded
Email Addresses - Contains the excluded email addresses. The value can be a particular
email address, a hostname to indicate all email addresses on that host or
a domain with a leading period (e.g.
.example.com) to indicate all email addresses in that domain. - excluded
Ip Ranges - Contains the excluded IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.
- excluded
Uris - Contains the excluded URIs that apply to the host part of the name.
The value can be a hostname or a domain with a
leading period (like
.example.com) - permitted
Dns Names - Contains permitted DNS names. Any DNS name that can be
constructed by simply adding zero or more labels to
the left-hand side of the name satisfies the name constraint.
For example,
example.com,www.example.com,www.sub.example.comwould satisfyexample.comwhileexample1.comdoes not. - permitted
Email Addresses - Contains the permitted email addresses. The value can be a particular
email address, a hostname to indicate all email addresses on that host or
a domain with a leading period (e.g.
.example.com) to indicate all email addresses in that domain. - permitted
Ip Ranges - Contains the permitted IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.
- permitted
Uris - Contains the permitted URIs that apply to the host part of the name.
The value can be a hostname or a domain with a
leading period (like
.example.com)
- critical
boolean
This property is required. Changes to this property will trigger replacement. - Indicates whether or not the name constraints are marked critical.
- excluded
Dns Names - Contains excluded DNS names. Any DNS name that can be
constructed by simply adding zero or more labels to
the left-hand side of the name satisfies the name constraint.
For example,
example.com,www.example.com,www.sub.example.comwould satisfyexample.comwhileexample1.comdoes not. - excluded
Email Addresses - Contains the excluded email addresses. The value can be a particular
email address, a hostname to indicate all email addresses on that host or
a domain with a leading period (e.g.
.example.com) to indicate all email addresses in that domain. - excluded
Ip Ranges - Contains the excluded IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.
- excluded
Uris - Contains the excluded URIs that apply to the host part of the name.
The value can be a hostname or a domain with a
leading period (like
.example.com) - permitted
Dns Names - Contains permitted DNS names. Any DNS name that can be
constructed by simply adding zero or more labels to
the left-hand side of the name satisfies the name constraint.
For example,
example.com,www.example.com,www.sub.example.comwould satisfyexample.comwhileexample1.comdoes not. - permitted
Email Addresses - Contains the permitted email addresses. The value can be a particular
email address, a hostname to indicate all email addresses on that host or
a domain with a leading period (e.g.
.example.com) to indicate all email addresses in that domain. - permitted
Ip Ranges - Contains the permitted IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.
- permitted
Uris - Contains the permitted URIs that apply to the host part of the name.
The value can be a hostname or a domain with a
leading period (like
.example.com)
- critical
bool
This property is required. Changes to this property will trigger replacement. - Indicates whether or not the name constraints are marked critical.
- excluded_
dns_ names - Contains excluded DNS names. Any DNS name that can be
constructed by simply adding zero or more labels to
the left-hand side of the name satisfies the name constraint.
For example,
example.com,www.example.com,www.sub.example.comwould satisfyexample.comwhileexample1.comdoes not. - excluded_
email_ addresses - Contains the excluded email addresses. The value can be a particular
email address, a hostname to indicate all email addresses on that host or
a domain with a leading period (e.g.
.example.com) to indicate all email addresses in that domain. - excluded_
ip_ ranges - Contains the excluded IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.
- excluded_
uris - Contains the excluded URIs that apply to the host part of the name.
The value can be a hostname or a domain with a
leading period (like
.example.com) - permitted_
dns_ names - Contains permitted DNS names. Any DNS name that can be
constructed by simply adding zero or more labels to
the left-hand side of the name satisfies the name constraint.
For example,
example.com,www.example.com,www.sub.example.comwould satisfyexample.comwhileexample1.comdoes not. - permitted_
email_ addresses - Contains the permitted email addresses. The value can be a particular
email address, a hostname to indicate all email addresses on that host or
a domain with a leading period (e.g.
.example.com) to indicate all email addresses in that domain. - permitted_
ip_ ranges - Contains the permitted IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.
- permitted_
uris - Contains the permitted URIs that apply to the host part of the name.
The value can be a hostname or a domain with a
leading period (like
.example.com)
- critical
Boolean
This property is required. Changes to this property will trigger replacement. - Indicates whether or not the name constraints are marked critical.
- excluded
Dns Names - Contains excluded DNS names. Any DNS name that can be
constructed by simply adding zero or more labels to
the left-hand side of the name satisfies the name constraint.
For example,
example.com,www.example.com,www.sub.example.comwould satisfyexample.comwhileexample1.comdoes not. - excluded
Email Addresses - Contains the excluded email addresses. The value can be a particular
email address, a hostname to indicate all email addresses on that host or
a domain with a leading period (e.g.
.example.com) to indicate all email addresses in that domain. - excluded
Ip Ranges - Contains the excluded IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.
- excluded
Uris - Contains the excluded URIs that apply to the host part of the name.
The value can be a hostname or a domain with a
leading period (like
.example.com) - permitted
Dns Names - Contains permitted DNS names. Any DNS name that can be
constructed by simply adding zero or more labels to
the left-hand side of the name satisfies the name constraint.
For example,
example.com,www.example.com,www.sub.example.comwould satisfyexample.comwhileexample1.comdoes not. - permitted
Email Addresses - Contains the permitted email addresses. The value can be a particular
email address, a hostname to indicate all email addresses on that host or
a domain with a leading period (e.g.
.example.com) to indicate all email addresses in that domain. - permitted
Ip Ranges - Contains the permitted IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.
- permitted
Uris - Contains the permitted URIs that apply to the host part of the name.
The value can be a hostname or a domain with a
leading period (like
.example.com)
CertificateConfigX509ConfigPolicyId, CertificateConfigX509ConfigPolicyIdArgs
, CertificateConfigX509ConfigPolicyIdArgs
- Object
Id Paths List<int>This property is required. Changes to this property will trigger replacement. - An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
- Object
Id Paths []intThis property is required. Changes to this property will trigger replacement. - An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
- object
Id Paths List<Integer>This property is required. Changes to this property will trigger replacement. - An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
- object
Id Paths number[]This property is required. Changes to this property will trigger replacement. - An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
- object_
id_ paths Sequence[int]This property is required. Changes to this property will trigger replacement. - An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
- object
Id Paths List<Number>This property is required. Changes to this property will trigger replacement. - An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
CertificateRevocationDetail, CertificateRevocationDetailArgs
, CertificateRevocationDetailArgs
- Revocation
State string - (Output) Indicates why a Certificate was revoked.
- Revocation
Time string - (Output) The time at which this Certificate was revoked.
- Revocation
State string - (Output) Indicates why a Certificate was revoked.
- Revocation
Time string - (Output) The time at which this Certificate was revoked.
- revocation
State String - (Output) Indicates why a Certificate was revoked.
- revocation
Time String - (Output) The time at which this Certificate was revoked.
- revocation
State string - (Output) Indicates why a Certificate was revoked.
- revocation
Time string - (Output) The time at which this Certificate was revoked.
- revocation_
state str - (Output) Indicates why a Certificate was revoked.
- revocation_
time str - (Output) The time at which this Certificate was revoked.
- revocation
State String - (Output) Indicates why a Certificate was revoked.
- revocation
Time String - (Output) The time at which this Certificate was revoked.
Import
Certificate can be imported using any of these accepted formats:
projects/{{project}}/locations/{{location}}/caPools/{{pool}}/certificates/{{name}}{{project}}/{{location}}/{{pool}}/{{name}}{{location}}/{{pool}}/{{name}}
When using the pulumi import command, Certificate can be imported using one of the formats above. For example:
$ pulumi import gcp:certificateauthority/certificate:Certificate default projects/{{project}}/locations/{{location}}/caPools/{{pool}}/certificates/{{name}}
$ pulumi import gcp:certificateauthority/certificate:Certificate default {{project}}/{{location}}/{{pool}}/{{name}}
$ pulumi import gcp:certificateauthority/certificate:Certificate default {{location}}/{{pool}}/{{name}}
To learn more about importing existing cloud resources, see Importing resources.
Package Details
- Repository
- Google Cloud (GCP) Classic pulumi/pulumi-gcp
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the
google-betaTerraform Provider.
- Example Usage
- Privateca Certificate Generated Key
- Privateca Certificate With Template
- Privateca Certificate Csr
- Privateca Certificate No Authority
- Privateca Certificate Custom Ski
- Create Certificate Resource
- Constructor syntax
- Constructor example
- Certificate Resource Properties
- Inputs
- Outputs
- Look up Existing Certificate Resource
- Supporting Types
- Import
- Package Details