googlePrivatecaCertificate
A Certificate corresponds to a signed X.509 certificate issued by a Certificate Authority.
~> Note: The Certificate Authority that is referenced by this resource must be in a CA pool with `tier = "ENTERPRISE"` (as in the examples below).
Example Usage - Privateca Certificate Config
/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as google from "./.gen/providers/google";
/*The following providers are missing schema information and might need manual adjustments to synthesize correctly: google.
For a more precise conversion please use the --provider flag in convert.*/
// CA pool at the ENTERPRISE tier — the note at the top of this page requires an
// enterprise-tier CA pool for this resource.
const googlePrivatecaCaPoolDefault = new google.privatecaCaPool.PrivatecaCaPool(
  this,
  "default",
  {
    location: "us-central1",
    name: "my-pool",
    tier: "ENTERPRISE",
  }
);
// Issuing CA: is_ca: true together with cert_sign/crl_sign key usage makes this a
// CA certificate (see caOptions and baseKeyUsage in the Argument Reference).
const googlePrivatecaCertificateAuthorityDefault =
  new google.privatecaCertificateAuthority.PrivatecaCertificateAuthority(
    this,
    "default_1",
    {
      certificate_authority_id: "my-authority",
      config: [
        {
          subject_config: [
            {
              subject: [
                {
                  common_name: "my-certificate-authority",
                  organization: "HashiCorp",
                },
              ],
              subject_alt_name: [
                {
                  dns_names: ["hashicorp.com"],
                },
              ],
            },
          ],
          x509_config: [
            {
              ca_options: [
                {
                  is_ca: true,
                },
              ],
              key_usage: [
                {
                  base_key_usage: [
                    {
                      cert_sign: true,
                      crl_sign: true,
                    },
                  ],
                  // NOTE(review): server_auth is the TLS server-authentication EKU
                  // (see serverAuth below); on an issuing CA it is presumably a
                  // sample value — confirm it is wanted before reusing.
                  extended_key_usage: [
                    {
                      server_auth: true,
                    },
                  ],
                },
              ],
            },
          ],
        },
      ],
      // NOTE(review): test-fixture settings that let the CA be destroyed at once,
      // even with active certificates and without a grace period (the argument
      // names say as much); revisit before reusing this snippet outside a test.
      deletion_protection: false,
      ignore_active_certificates_on_deletion: true,
      // CA signing key: RSA-4096 with PKCS#1 / SHA-256, per the algorithm name.
      key_spec: [
        {
          algorithm: "RSA_PKCS1_4096_SHA256",
        },
      ],
      location: "us-central1",
      pool: googlePrivatecaCaPoolDefault.name,
      skip_grace_period: true,
    }
  );
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
googlePrivatecaCertificateAuthorityDefault.overrideLogicalId("default");
// Certificate issued by the CA above. The public key and subject are supplied in
// `config` (see config / publicKey in the Argument Reference) instead of a CSR —
// compare the "Privateca Certificate Csr" example.
const googlePrivatecaCertificateDefault =
  new google.privatecaCertificate.PrivatecaCertificate(this, "default_2", {
    certificate_authority:
      googlePrivatecaCertificateAuthorityDefault.certificateAuthorityId,
    config: [
      {
        public_key: [
          {
            format: "PEM",
            // Terraform interpolation string emitted by `cdktf convert`: the PEM
            // public key is read from a fixture file and base64-encoded, matching
            // the base64 `key` argument documented below.
            key: '${filebase64("test-fixtures/rsa_public.pem")}',
          },
        ],
        // Sample distinguished-name values; commonName and organization are the
        // required subject fields (see the subject block below).
        subject_config: [
          {
            subject: [
              {
                common_name: "san1.example.com",
                country_code: "us",
                locality: "mountain view",
                organization: "google",
                organizational_unit: "enterprise",
                province: "california",
                street_address: "1600 amphitheatre parkway",
              },
            ],
            // Sample SANs; each list accepts only valid values of its kind
            // (see subjectAltName below).
            subject_alt_name: [
              {
                email_addresses: ["email@example.com"],
                ip_addresses: ["127.0.0.1"],
                uris: ["http://www.ietf.org/rfc/rfc3986.txt"],
              },
            ],
          },
        ],
        x509_config: [
          {
            // is_ca: true sets CA=true in Basic Constraints (see isCa below), so
            // this example issues a subordinate CA certificate rather than a leaf;
            // name_constraints then lists the names it is permitted to certify.
            ca_options: [
              {
                is_ca: true,
              },
            ],
            // Every key-usage flag here is explicitly false: the sample sets none
            // of the usages listed under baseKeyUsage / extendedKeyUsage below.
            key_usage: [
              {
                base_key_usage: [
                  {
                    crl_sign: false,
                    decipher_only: false,
                  },
                ],
                extended_key_usage: [
                  {
                    server_auth: false,
                  },
                ],
              },
            ],
            // X.509 name constraints extension, marked critical (see nameConstraints
            // below). Each excluded entry lies inside the matching permitted one
            // (e.g. 10.1.1.0/24 within 10.0.0.0/8, *.deny.example.com within
            // *.example.com), so the excluded lists carve holes out of the permitted
            // space.
            name_constraints: [
              {
                critical: true,
                excluded_dns_names: ["*.deny.example.com"],
                excluded_email_addresses: [".deny.example.com"],
                excluded_ip_ranges: ["10.1.1.0/24"],
                excluded_uris: [".deny.example.com"],
                permitted_dns_names: ["*.example.com"],
                permitted_email_addresses: [".example.com"],
                permitted_ip_ranges: ["10.0.0.0/8"],
                permitted_uris: [".example.com"],
              },
            ],
          },
        ],
      },
    ],
    // Duration in seconds with an 's' suffix (see lifetime below); 86000s is
    // just under 24 hours.
    lifetime: "86000s",
    location: "us-central1",
    name: "my-certificate",
    pool: googlePrivatecaCaPoolDefault.name,
  });
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
googlePrivatecaCertificateDefault.overrideLogicalId("default");
Example Usage - Privateca Certificate With Template
/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as google from "./.gen/providers/google";
/*The following providers are missing schema information and might need manual adjustments to synthesize correctly: google.
For a more precise conversion please use the --provider flag in convert.*/
// CA pool at the ENTERPRISE tier — the note at the top of this page requires an
// enterprise-tier CA pool for this resource.
const googlePrivatecaCaPoolDefault = new google.privatecaCaPool.PrivatecaCaPool(
  this,
  "default",
  {
    location: "us-central1",
    name: "my-pool",
    tier: "ENTERPRISE",
  }
);
// Issuing CA: is_ca: true together with cert_sign/crl_sign key usage makes this a
// CA certificate (see caOptions and baseKeyUsage in the Argument Reference).
const googlePrivatecaCertificateAuthorityDefault =
  new google.privatecaCertificateAuthority.PrivatecaCertificateAuthority(
    this,
    "default_1",
    {
      certificate_authority_id: "my-authority",
      config: [
        {
          subject_config: [
            {
              subject: [
                {
                  common_name: "my-certificate-authority",
                  organization: "HashiCorp",
                },
              ],
              subject_alt_name: [
                {
                  dns_names: ["hashicorp.com"],
                },
              ],
            },
          ],
          x509_config: [
            {
              ca_options: [
                {
                  is_ca: true,
                },
              ],
              key_usage: [
                {
                  base_key_usage: [
                    {
                      cert_sign: true,
                      crl_sign: true,
                    },
                  ],
                  // server_auth is explicitly off here: the CA only signs
                  // certificates and CRLs.
                  extended_key_usage: [
                    {
                      server_auth: false,
                    },
                  ],
                },
              ],
            },
          ],
        },
      ],
      // NOTE(review): test-fixture settings that let the CA be destroyed at once,
      // even with active certificates and without a grace period (the argument
      // names say as much); revisit before reusing this snippet outside a test.
      deletion_protection: false,
      ignore_active_certificates_on_deletion: true,
      // CA signing key: RSA-4096 with PKCS#1 / SHA-256, per the algorithm name.
      key_spec: [
        {
          algorithm: "RSA_PKCS1_4096_SHA256",
        },
      ],
      location: "us-central1",
      pool: googlePrivatecaCaPoolDefault.name,
      skip_grace_period: true,
    }
  );
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
googlePrivatecaCertificateAuthorityDefault.overrideLogicalId("default");
// Certificate template applied to the certificate below via certificate_template.
// The values in this template are samples that exercise every field, not a
// recommended issuance profile.
const googlePrivatecaCertificateTemplateDefault =
  new google.privatecaCertificateTemplate.PrivatecaCertificateTemplate(
    this,
    "default_2",
    {
      description: "An updated sample certificate template",
      // NOTE(review): both passthrough flags are true and the CEL expression is
      // the constant `true`, so this template presumably accepts whatever subject
      // and SANs the request carries — a permissive sample, not a restrictive
      // policy. Confirm against the certificate-template resource docs.
      identity_constraints: [
        {
          allow_subject_alt_names_passthrough: true,
          allow_subject_passthrough: true,
          cel_expression: [
            {
              description: "Always true",
              expression: "true",
              location: "any.file.anywhere",
              title: "Sample expression",
            },
          ],
        },
      ],
      location: "us-central1",
      name: "my-certificate-template",
      // Extensions copied through from the request: the EXTENDED_KEY_USAGE
      // extension and the sample OID 1.6.
      passthrough_extensions: [
        {
          additional_extensions: [
            {
              object_id_path: [1, 6],
            },
          ],
          known_extensions: ["EXTENDED_KEY_USAGE"],
        },
      ],
      // Values the template stamps into every issued certificate.
      predefined_values: [
        {
          additional_extensions: [
            {
              critical: true,
              object_id: [
                {
                  object_id_path: [1, 6],
                },
              ],
              // Base64 (see `value` under additionalExtensions below); decodes
              // to the text "string\n".
              value: "c3RyaW5nCg==",
            },
          ],
          // Placeholder, not a real OCSP URL.
          aia_ocsp_servers: ["string"],
          // NOTE(review): a path-length constraint on a non-CA certificate
          // (is_ca: false) is presumably meaningless here — sample values.
          ca_options: [
            {
              is_ca: false,
              max_issuer_path_length: 6,
            },
          ],
          key_usage: [
            {
              base_key_usage: [
                {
                  cert_sign: false,
                  content_commitment: true,
                  crl_sign: false,
                  data_encipherment: true,
                  decipher_only: true,
                  digital_signature: true,
                  encipher_only: true,
                  key_agreement: true,
                  key_encipherment: true,
                },
              ],
              // Every EKU documented under extendedKeyUsage is enabled at once —
              // a sample, not a profile any real certificate should carry.
              extended_key_usage: [
                {
                  client_auth: true,
                  code_signing: true,
                  email_protection: true,
                  ocsp_signing: true,
                  server_auth: true,
                  time_stamping: true,
                },
              ],
              unknown_extended_key_usages: [
                {
                  object_id_path: [1, 6],
                },
              ],
            },
          ],
          policy_ids: [
            {
              object_id_path: [1, 6],
            },
          ],
        },
      ],
    }
  );
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
googlePrivatecaCertificateTemplateDefault.overrideLogicalId("default");
// Certificate issued from a CSR under the template above. The requester's public
// key comes from the CSR, so no `config` block is given.
const googlePrivatecaCertificateDefault =
  new google.privatecaCertificate.PrivatecaCertificate(this, "default_3", {
    certificate_authority:
      googlePrivatecaCertificateAuthorityDefault.certificateAuthorityId,
    certificate_template: googlePrivatecaCertificateTemplateDefault.id,
    // 860s is roughly 14 minutes (see lifetime below).
    lifetime: "860s",
    location: "us-central1",
    name: "my-certificate",
    // Terraform interpolation string emitted by `cdktf convert`: the PEM CSR is
    // read from a fixture file. pemCsr is documented as immutable.
    pem_csr: '${file("test-fixtures/rsa_csr.pem")}',
    pool: googlePrivatecaCaPoolDefault.name,
  });
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
googlePrivatecaCertificateDefault.overrideLogicalId("default");
Example Usage - Privateca Certificate Csr
/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as google from "./.gen/providers/google";
/*The following providers are missing schema information and might need manual adjustments to synthesize correctly: google.
For a more precise conversion please use the --provider flag in convert.*/
// CA pool at the ENTERPRISE tier — the note at the top of this page requires an
// enterprise-tier CA pool for this resource.
const googlePrivatecaCaPoolDefault = new google.privatecaCaPool.PrivatecaCaPool(
  this,
  "default",
  {
    location: "us-central1",
    name: "my-pool",
    tier: "ENTERPRISE",
  }
);
// Issuing CA: is_ca: true together with cert_sign/crl_sign key usage makes this a
// CA certificate (see caOptions and baseKeyUsage in the Argument Reference).
const googlePrivatecaCertificateAuthorityDefault =
  new google.privatecaCertificateAuthority.PrivatecaCertificateAuthority(
    this,
    "default_1",
    {
      certificate_authority_id: "my-authority",
      config: [
        {
          subject_config: [
            {
              subject: [
                {
                  common_name: "my-certificate-authority",
                  organization: "HashiCorp",
                },
              ],
              subject_alt_name: [
                {
                  dns_names: ["hashicorp.com"],
                },
              ],
            },
          ],
          x509_config: [
            {
              ca_options: [
                {
                  is_ca: true,
                },
              ],
              key_usage: [
                {
                  base_key_usage: [
                    {
                      cert_sign: true,
                      crl_sign: true,
                    },
                  ],
                  // server_auth is explicitly off here: the CA only signs
                  // certificates and CRLs.
                  extended_key_usage: [
                    {
                      server_auth: false,
                    },
                  ],
                },
              ],
            },
          ],
        },
      ],
      // NOTE(review): test-fixture settings that let the CA be destroyed at once,
      // even with active certificates and without a grace period (the argument
      // names say as much); revisit before reusing this snippet outside a test.
      deletion_protection: false,
      ignore_active_certificates_on_deletion: true,
      // CA signing key: RSA-4096 with PKCS#1 / SHA-256, per the algorithm name.
      key_spec: [
        {
          algorithm: "RSA_PKCS1_4096_SHA256",
        },
      ],
      location: "us-central1",
      pool: googlePrivatecaCaPoolDefault.name,
      skip_grace_period: true,
    }
  );
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
googlePrivatecaCertificateAuthorityDefault.overrideLogicalId("default");
// Certificate issued from a CSR with no template. The requester's public key
// comes from the CSR, so no `config` block is given; the issuing CA is pinned
// explicitly via certificate_authority.
const googlePrivatecaCertificateDefault =
  new google.privatecaCertificate.PrivatecaCertificate(this, "default_2", {
    certificate_authority:
      googlePrivatecaCertificateAuthorityDefault.certificateAuthorityId,
    // 860s is roughly 14 minutes (see lifetime below).
    lifetime: "860s",
    location: "us-central1",
    name: "my-certificate",
    // Terraform interpolation string emitted by `cdktf convert`: the PEM CSR is
    // read from a fixture file. pemCsr is documented as immutable.
    pem_csr: '${file("test-fixtures/rsa_csr.pem")}',
    pool: googlePrivatecaCaPoolDefault.name,
  });
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
googlePrivatecaCertificateDefault.overrideLogicalId("default");
Example Usage - Privateca Certificate No Authority
/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as google from "./.gen/providers/google";
/*The following providers are missing schema information and might need manual adjustments to synthesize correctly: google.
For a more precise conversion please use the --provider flag in convert.*/
// CA pool at the ENTERPRISE tier — the note at the top of this page requires an
// enterprise-tier CA pool for this resource.
const googlePrivatecaCaPoolDefault = new google.privatecaCaPool.PrivatecaCaPool(
  this,
  "default",
  {
    location: "us-central1",
    name: "my-pool",
    tier: "ENTERPRISE",
  }
);
// Issuing CA: is_ca: true together with cert_sign/crl_sign key usage makes this a
// CA certificate (see caOptions and baseKeyUsage in the Argument Reference).
// Unlike the other examples, the CA here also sets digital_signature and an
// explicit lifetime.
const googlePrivatecaCertificateAuthorityDefault =
  new google.privatecaCertificateAuthority.PrivatecaCertificateAuthority(
    this,
    "default_1",
    {
      certificate_authority_id: "my-authority",
      config: [
        {
          subject_config: [
            {
              subject: [
                {
                  common_name: "my-certificate-authority",
                  organization: "HashiCorp",
                },
              ],
              subject_alt_name: [
                {
                  dns_names: ["hashicorp.com"],
                },
              ],
            },
          ],
          x509_config: [
            {
              ca_options: [
                {
                  is_ca: true,
                },
              ],
              key_usage: [
                {
                  base_key_usage: [
                    {
                      cert_sign: true,
                      crl_sign: true,
                      digital_signature: true,
                    },
                  ],
                  // NOTE(review): server_auth is the TLS server-authentication EKU
                  // (see serverAuth below); on an issuing CA it is presumably a
                  // sample value — confirm it is wanted before reusing.
                  extended_key_usage: [
                    {
                      server_auth: true,
                    },
                  ],
                },
              ],
            },
          ],
        },
      ],
      // NOTE(review): test-fixture settings that let the CA be destroyed at once,
      // even with active certificates and without a grace period (the argument
      // names say as much); revisit before reusing this snippet outside a test.
      deletion_protection: false,
      ignore_active_certificates_on_deletion: true,
      // CA signing key: RSA-4096 with PKCS#1 / SHA-256, per the algorithm name.
      key_spec: [
        {
          algorithm: "RSA_PKCS1_4096_SHA256",
        },
      ],
      // CA certificate validity: 86400s is exactly 24 hours.
      lifetime: "86400s",
      location: "us-central1",
      pool: googlePrivatecaCaPoolDefault.name,
      skip_grace_period: true,
    }
  );
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
googlePrivatecaCertificateAuthorityDefault.overrideLogicalId("default");
// Certificate issued without naming a CA: certificate_authority is omitted, so
// the issuer is not pinned to the CA above. The CA actually used is exported as
// issuerCertificateAuthority (see Attributes Reference).
const googlePrivatecaCertificateDefault =
  new google.privatecaCertificate.PrivatecaCertificate(this, "default_2", {
    config: [
      {
        public_key: [
          {
            format: "PEM",
            // Terraform interpolation string emitted by `cdktf convert`: the PEM
            // public key is read from a fixture file and base64-encoded, matching
            // the base64 `key` argument documented below.
            key: '${filebase64("test-fixtures/rsa_public.pem")}',
          },
        ],
        // Sample distinguished-name values; no subject_alt_name is set here.
        subject_config: [
          {
            subject: [
              {
                common_name: "san1.example.com",
                country_code: "us",
                locality: "mountain view",
                organization: "google",
                organizational_unit: "enterprise",
                postal_code: "94109",
                province: "california",
                street_address: "1600 amphitheatre parkway",
              },
            ],
          },
        ],
        x509_config: [
          {
            // is_ca: false — an end-entity (leaf) certificate, unlike the
            // "Privateca Certificate Config" example.
            ca_options: [
              {
                is_ca: false,
              },
            ],
            // NOTE(review): crl_sign on a non-CA certificate (the key may sign
            // CRLs, see crlSign below) is presumably a sample value rather than
            // an intended usage for a leaf — confirm before reusing.
            key_usage: [
              {
                base_key_usage: [
                  {
                    crl_sign: true,
                  },
                ],
                extended_key_usage: [
                  {
                    server_auth: true,
                  },
                ],
              },
            ],
          },
        ],
      },
    ],
    // Explicit ordering in the `${...fqn}` form emitted by `cdktf convert`:
    // with certificate_authority omitted nothing else references the CA, so
    // this is what makes Terraform create the CA before issuing.
    depends_on: [`\${${googlePrivatecaCertificateAuthorityDefault.fqn}}`],
    // 860s is roughly 14 minutes (see lifetime below).
    lifetime: "860s",
    location: "us-central1",
    name: "my-certificate",
    pool: googlePrivatecaCaPoolDefault.name,
  });
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
googlePrivatecaCertificateDefault.overrideLogicalId("default");
Argument Reference
The following arguments are supported:
-
pool
- (Required) The name of the CaPool this Certificate belongs to. -
name
- (Required) The name for this Certificate. -
location
- (Required) Location of the Certificate. A full list of valid locations can be found by running `gcloud privateca locations list`.
-
lifetime
- (Optional) The desired lifetime of the CA certificate. Used to create the "notBeforeTime" and "notAfterTime" fields inside an X.509 certificate. A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s". -
certificateTemplate
- (Optional) The resource name for a CertificateTemplate used to issue this certificate, in the format `projects/*/locations/*/certificateTemplates/*`. If this is specified, the caller must have the necessary permission to use this template. If this is omitted, no template will be used. This template must be in the same location as the Certificate. -
labels
- (Optional) Labels with user-defined metadata to apply to this resource. -
pemCsr
- (Optional) Immutable. A pem-encoded X.509 certificate signing request (CSR). -
config
- (Optional) The config used to create a self-signed X.509 certificate or CSR. Structure is documented below. -
certificateAuthority
- (Optional) The Certificate Authority ID that should issue the certificate. For example, to issue a Certificate from a Certificate Authority with resource name `projects/my-project/locations/us-central1/caPools/my-pool/certificateAuthorities/my-ca`, argument `pool` should be set to `projects/my-project/locations/us-central1/caPools/my-pool` and argument `certificateAuthority` should be set to `my-ca`. -
project
- (Optional) The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
-
x509Config
- (Required) Describes how some of the technical X.509 fields in a certificate should be populated. Structure is documented below. -
subjectConfig
- (Required) Specifies some of the values in a certificate that are related to the subject. Structure is documented below. -
publicKey
- (Required) A PublicKey describes a public key. Structure is documented below.
The x509Config
block supports:
-
additionalExtensions
- (Optional) Specifies an X.509 extension, which may be used in different parts of X.509 objects like certificates, CSRs, and CRLs. Structure is documented below. -
policyIds
- (Optional) Describes the X.509 certificate policy object identifiers, per https://tools.ietf.org/html/rfc5280#section-4.2.1.4. Structure is documented below. -
aiaOcspServers
- (Optional) Describes Online Certificate Status Protocol (OCSP) endpoint addresses that appear in the "Authority Information Access" extension in the certificate. -
caOptions
- (Optional) Describes values that are relevant in a CA certificate. Structure is documented below. -
keyUsage
- (Required) Indicates the intended use for keys that correspond to a certificate. Structure is documented below. -
nameConstraints
- (Optional) Describes the X.509 name constraints extension. Structure is documented below.
The additionalExtensions
block supports:
-
critical
- (Required) Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error). -
value
- (Required) The value of this X.509 extension. A base64-encoded string. -
objectId
- (Required) Describes values that are relevant in a CA certificate. Structure is documented below.
objectIdPath
- (Required) An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
objectIdPath
- (Required) An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
-
isCa
- (Optional) When true, the "CA" in Basic Constraints extension will be set to true. -
nonCa
- (Optional) When true, the "CA" in Basic Constraints extension will be set to false. If both `isCa` and `nonCa` are unset, the extension will be omitted from the CA certificate. -
maxIssuerPathLength
- (Optional) Refers to the "path length constraint" in Basic Constraints extension. For a CA certificate, this value describes the depth of subordinate CA certificates that are allowed. If this value is less than 0, the request will fail. -
zeroMaxIssuerPathLength
- (Optional) When true, the "path length constraint" in Basic Constraints extension will be set to 0. If both `maxIssuerPathLength` and `zeroMaxIssuerPathLength` are unset, the max path length will be omitted from the CA certificate.
-
baseKeyUsage
- (Required) Describes high-level ways in which a key may be used. Structure is documented below. -
extendedKeyUsage
- (Required) Describes high-level ways in which a key may be used. Structure is documented below. -
unknownExtendedKeyUsages
- (Optional) An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. Structure is documented below.
The baseKeyUsage
block supports:
-
digitalSignature
- (Optional) The key may be used for digital signatures. -
contentCommitment
- (Optional) The key may be used for cryptographic commitments. Note that this may also be referred to as "non-repudiation". -
keyEncipherment
- (Optional) The key may be used to encipher other keys. -
dataEncipherment
- (Optional) The key may be used to encipher data. -
keyAgreement
- (Optional) The key may be used in a key agreement protocol. -
certSign
- (Optional) The key may be used to sign certificates. -
crlSign
- (Optional) The key may be used to sign certificate revocation lists. -
encipherOnly
- (Optional) The key may be used to encipher only. -
decipherOnly
- (Optional) The key may be used to decipher only.
The extendedKeyUsage
block supports:
-
serverAuth
- (Optional) Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as "TLS WWW server authentication", though regularly used for non-WWW TLS. -
clientAuth
- (Optional) Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as "TLS WWW client authentication", though regularly used for non-WWW TLS. -
codeSigning
- (Optional) Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as "Signing of downloadable executable code client authentication". -
emailProtection
- (Optional) Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as "Email protection". -
timeStamping
- (Optional) Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as "Binding the hash of an object to a time". -
ocspSigning
- (Optional) Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as "Signing OCSP responses".
The unknownExtendedKeyUsages
block supports:
objectIdPath
- (Required) An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
The nameConstraints
block supports:
-
critical
- (Required) Indicates whether or not the name constraints are marked critical. -
permittedDnsNames
- (Optional) Contains permitted DNS names. Any DNS name that can be constructed by simply adding zero or more labels to the left-hand side of the name satisfies the name constraint. For example, `example.com`, `www.example.com`, `www.sub.example.com` would satisfy `example.com` while `example1.com` does not. -
excludedDnsNames
- (Optional) Contains excluded DNS names. Any DNS name that can be constructed by simply adding zero or more labels to the left-hand side of the name satisfies the name constraint. For example, `example.com`, `www.example.com`, `www.sub.example.com` would satisfy `example.com` while `example1.com` does not. -
permittedIpRanges
- (Optional) Contains the permitted IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses. -
excludedIpRanges
- (Optional) Contains the excluded IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses. -
permittedEmailAddresses
- (Optional) Contains the permitted email addresses. The value can be a particular email address, a hostname to indicate all email addresses on that host, or a domain with a leading period (e.g. `.example.com`) to indicate all email addresses in that domain. -
excludedEmailAddresses
- (Optional) Contains the excluded email addresses. The value can be a particular email address, a hostname to indicate all email addresses on that host, or a domain with a leading period (e.g. `.example.com`) to indicate all email addresses in that domain. -
permittedUris
- (Optional) Contains the permitted URIs that apply to the host part of the name. The value can be a hostname or a domain with a leading period (like `.example.com`). -
excludedUris
- (Optional) Contains the excluded URIs that apply to the host part of the name. The value can be a hostname or a domain with a leading period (like `.example.com`).
The subjectConfig
block supports:
-
subject
- (Required) Contains distinguished name fields such as the location and organization. Structure is documented below. -
subjectAltName
- (Optional) The subject alternative name fields. Structure is documented below.
-
countryCode
- (Optional) The country code of the subject. -
organization
- (Required) The organization of the subject. -
organizationalUnit
- (Optional) The organizational unit of the subject. -
locality
- (Optional) The locality or city of the subject. -
province
- (Optional) The province, territory, or regional state of the subject. -
streetAddress
- (Optional) The street address of the subject. -
postalCode
- (Optional) The postal code of the subject. -
commonName
- (Required) The common name of the distinguished name.
The subjectAltName
block supports:
-
dnsNames
- (Optional) Contains only valid, fully-qualified host names. -
uris
- (Optional) Contains only valid RFC 3986 URIs. -
emailAddresses
- (Optional) Contains only valid RFC 2822 E-mail addresses. -
ipAddresses
- (Optional) Contains only valid 32-bit IPv4 addresses or RFC 4291 IPv6 addresses.
-
key
- (Optional) Required. A public key. When this is specified in a request, the padding and encoding can be any of the options described by the respective 'KeyType' value. When this is generated by the service, it will always be an RFC 5280 SubjectPublicKeyInfo structure containing an algorithm identifier and a key. A base64-encoded string. -
format
- (Required) The format of the public key. Currently, only PEM format is supported. Possible values are `KEY_TYPE_UNSPECIFIED` and `PEM`.
Attributes Reference
In addition to the arguments listed above, the following computed attributes are exported:
-
id
- an identifier for the resource with format `projects/{{project}}/locations/{{location}}/caPools/{{pool}}/certificates/{{name}}`
-
issuerCertificateAuthority
- The resource name of the issuing CertificateAuthority in the format `projects/*/locations/*/caPools/*/certificateAuthorities/*`. -
revocationDetails
- Output only. Details regarding the revocation of this Certificate. This Certificate is considered revoked if and only if this field is present. Structure is documented below. -
pemCertificate
- Output only. The pem-encoded, signed X.509 certificate. -
certificateDescription
- Output only. Details regarding the revocation of this Certificate. This Certificate is considered revoked if and only if this field is present. Structure is documented below. -
pemCertificateChain
- The chain that may be used to verify the X.509 certificate. Expected to be in issuer-to-root order according to RFC 5246. -
pemCertificates
- (Deprecated) Required. Expected to be in leaf-to-root order according to RFC 5246. -
createTime
- The time that this resource was created on the server. This is in RFC3339 text format. -
updateTime
- Output only. The time at which this CertificateAuthority was updated. This is in RFC3339 text format.
The revocationDetails
block contains:
-
revocationState
- (Output) Indicates why a Certificate was revoked. -
revocationTime
- (Output) The time at which this Certificate was revoked.
The certificateDescription
block contains:
-
subjectDescription
- (Output) Describes some of the values in a certificate that are related to the subject and lifetime. Structure is documented below. -
x509Description
- (Output) A structured description of the issued X.509 certificate. Structure is documented below. -
configValues
- (Output, Deprecated) Describes some of the technical fields in a certificate. Structure is documented below. -
publicKey
- (Output) A PublicKey describes a public key. Structure is documented below. -
subjectKeyId
- (Output) Provides a means of identifying certificates that contain a particular public key, per https://tools.ietf.org/html/rfc5280#section-4.2.1.2. Structure is documented below. -
authorityKeyId
- (Output) Identifies the subjectKeyId of the parent certificate, per https://tools.ietf.org/html/rfc5280#section-4.2.1.1 Structure is documented below. -
crlDistributionPoints
- (Output) Describes a list of locations to obtain CRL information, i.e. the DistributionPoint.fullName described by https://tools.ietf.org/html/rfc5280#section-4.2.1.13 -
aiaIssuingCertificateUrls
- (Output) Describes lists of issuer CA certificate URLs that appear in the "Authority Information Access" extension in the certificate. -
certFingerprint
- (Output) The hash of the x.509 certificate. Structure is documented below.
The subjectDescription
block contains:
-
subject
- (Output) Contains distinguished name fields such as the location and organization. Structure is documented below. -
subjectAltName
- (Output) The subject alternative name fields. Structure is documented below. -
hexSerialNumber
- (Output) The serial number encoded in lowercase hexadecimal. -
lifetime
- (Output) For convenience, the actual lifetime of an issued certificate. Corresponds to 'notAfterTime' - 'notBeforeTime'. -
notBeforeTime
- (Output) The time at which the certificate becomes valid. -
notAfterTime
- (Output) The time at which the certificate expires.
-
countryCode
- (Output) The country code of the subject. -
organization
- (Output) The organization of the subject. -
organizationalUnit
- (Output) The organizationalUnit of the subject. -
locality
- (Output) The locality or city of the subject. -
province
- (Output) The province of the subject. -
streetAddress
- (Output) The streetAddress or city of the subject. -
postalCode
- (Output) The postalCode or city of the subject. -
commonName
- (Output) The "common name" of the distinguished name.
The subjectAltName
block contains:
-
dnsNames
- (Output) Contains only valid, fully-qualified host names. -
uris
- (Output) Contains only valid RFC 3986 URIs. -
emailAddresses
- (Output) Contains only valid RFC 2822 E-mail addresses. -
ipAddresses
- (Output) Contains only valid 32-bit IPv4 addresses or RFC 4291 IPv6 addresses. -
customSans
- (Output) Contains additional subject alternative name values. Structure is documented below.
The customSans
block contains:
-
objectId
- (Output) Describes how some of the technical fields in a certificate should be populated. Structure is documented below. -
critical
- (Output) Required. Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error). -
value
- (Output) The value of this X.509 extension.
objectIdPath
- (Output) An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
The x509Description
block contains:
-
additionalExtensions
- (Output) Describes custom X.509 extensions. Structure is documented below. -
policyIds
- (Output) Describes the X.509 certificate policy object identifiers, per https://tools.ietf.org/html/rfc5280#section-4.2.1.4. Structure is documented below. -
aiaOcspServers
- (Output) Describes Online Certificate Status Protocol (OCSP) endpoint addresses that appear in the "Authority Information Access" extension in the certificate. -
caOptions
- (Output) Describes values that are relevant in a CA certificate. Structure is documented below. -
keyUsage
- (Output) Indicates the intended use for keys that correspond to a certificate. Structure is documented below. -
nameConstraints
- (Output) Describes the X.509 name constraints extension. Structure is documented below.
The additionalExtensions
block contains:
-
critical
- (Output) Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error). -
value
- (Optional) The value of this X.509 extension. A base64-encoded string. -
objectId
- (Output) Describes values that are relevant in a CA certificate. Structure is documented below.
objectIdPath
- (Output) An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
objectIdPath
- (Output) An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
-
isCa
- (Output) When true, the "CA" in Basic Constraints extension will be set to true. -
maxIssuerPathLength
- (Output) Refers to the "path length constraint" in Basic Constraints extension. For a CA certificate, this value describes the depth of subordinate CA certificates that are allowed. If this value is less than 0, the request will fail.
-
baseKeyUsage
- (Output) Describes high-level ways in which a key may be used. Structure is documented below. -
extendedKeyUsage
- (Output) Describes high-level ways in which a key may be used. Structure is documented below. -
unknownExtendedKeyUsages
- (Output) An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. Structure is documented below.
The baseKeyUsage
block contains:
-
digitalSignature
- (Output) The key may be used for digital signatures. -
contentCommitment
- (Output) The key may be used for cryptographic commitments. Note that this may also be referred to as "non-repudiation". -
keyEncipherment
- (Output) The key may be used to encipher other keys. -
dataEncipherment
- (Output) The key may be used to encipher data. -
keyAgreement
- (Output) The key may be used in a key agreement protocol. -
certSign
- (Output) The key may be used to sign certificates. -
crlSign
- (Output) The key may be used to sign certificate revocation lists. -
encipherOnly
- (Output) The key may be used to encipher only. -
decipherOnly
- (Output) The key may be used to decipher only.
The extendedKeyUsage
block contains:
-
serverAuth
- (Output) Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as "TLS WWW server authentication", though regularly used for non-WWW TLS. -
clientAuth
- (Output) Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as "TLS WWW client authentication", though regularly used for non-WWW TLS. -
codeSigning
- (Output) Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as "Signing of downloadable executable code client authentication". -
emailProtection
- (Output) Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as "Email protection". -
timeStamping
- (Output) Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as "Binding the hash of an object to a time". -
ocspSigning
- (Output) Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as "Signing OCSP responses".
The unknownExtendedKeyUsages
block contains:
objectIdPath
- (Output) An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
The nameConstraints
block contains:
-
critical
- (Output) Indicates whether or not the name constraints are marked critical. -
permittedDnsNames
- (Output) Contains permitted DNS names. Any DNS name that can be constructed by simply adding zero or more labels to the left-hand side of the name satisfies the name constraint. For example, `example.com`, `www.example.com`, `www.sub.example.com` would satisfy `example.com` while `example1.com` does not. -
excludedDnsNames
- (Output) Contains excluded DNS names. Any DNS name that can be constructed by simply adding zero or more labels to the left-hand side of the name satisfies the name constraint. For example, `example.com`, `www.example.com`, `www.sub.example.com` would satisfy `example.com` while `example1.com` does not. -
permittedIpRanges
- (Output) Contains the permitted IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses. -
excludedIpRanges
- (Output) Contains the excluded IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses. -
permittedEmailAddresses
- (Output) Contains the permitted email addresses. The value can be a particular email address, a hostname to indicate all email addresses on that host, or a domain with a leading period (e.g. `.example.com`) to indicate all email addresses in that domain. -
excludedEmailAddresses
- (Output) Contains the excluded email addresses. The value can be a particular email address, a hostname to indicate all email addresses on that host, or a domain with a leading period (e.g. `.example.com`) to indicate all email addresses in that domain. -
permittedUris
- (Output) Contains the permitted URIs that apply to the host part of the name. The value can be a hostname or a domain with a leading period (like `.example.com`). -
excludedUris
- (Output) Contains the excluded URIs that apply to the host part of the name. The value can be a hostname or a domain with a leading period (like `.example.com`).
The configValues
block contains:
keyUsage
- (Output) Indicates the intended use for keys that correspond to a certificate. Structure is documented below.
-
baseKeyUsage
- (Output) Describes high-level ways in which a key may be used. Structure is documented below. -
extendedKeyUsage
- (Output) Describes high-level ways in which a key may be used. Structure is documented below. -
unknownExtendedKeyUsages
- (Output) An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. Structure is documented below.
The baseKeyUsage
block contains:
keyUsageOptions
- (Output) Describes high-level ways in which a key may be used. Structure is documented below.
The keyUsageOptions
block contains:
-
digitalSignature
- (Output) The key may be used for digital signatures. -
contentCommitment
- (Output) The key may be used for cryptographic commitments. Note that this may also be referred to as "non-repudiation". -
keyEncipherment
- (Output) The key may be used to encipher other keys. -
dataEncipherment
- (Output) The key may be used to encipher data. -
keyAgreement
- (Output) The key may be used in a key agreement protocol. -
certSign
- (Output) The key may be used to sign certificates. -
crlSign
- (Output) The key may be used to sign certificate revocation lists. -
encipherOnly
- (Output) The key may be used to encipher only. -
decipherOnly
- (Output) The key may be used to decipher only.
The extendedKeyUsage
block contains:
-
serverAuth
- (Output) Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as "TLS WWW server authentication", though regularly used for non-WWW TLS. -
clientAuth
- (Output) Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as "TLS WWW client authentication", though regularly used for non-WWW TLS. -
codeSigning
- (Output) Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as "Signing of downloadable executable code". -
emailProtection
- (Output) Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as "Email protection". -
timeStamping
- (Output) Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as "Binding the hash of an object to a time". -
ocspSigning
- (Output) Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as "Signing OCSP responses".
The unknownExtendedKeyUsages
block contains:
objectId
- (Output) Required. Describes how some of the technical fields in a certificate should be populated. Structure is documented below.
objectIdPath
- (Output) An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
-
key
- (Output) Required. A public key. When this is specified in a request, the padding and encoding can be any of the options described by the respective 'KeyType' value. When this is generated by the service, it will always be an RFC 5280 SubjectPublicKeyInfo structure containing an algorithm identifier and a key. A base64-encoded string. -
format
- (Output) The format of the public key. Currently, only PEM format is supported.
The subjectKeyId
block contains:
keyId
- (Output) Optional. The value of this KeyId encoded in lowercase hexadecimal. This is most likely the 160 bit SHA-1 hash of the public key.
The authorityKeyId
block contains:
keyId
- (Output) Optional. The value of this KeyId encoded in lowercase hexadecimal. This is most likely the 160 bit SHA-1 hash of the public key.
The certFingerprint
block contains:
sha256Hash
- (Output) The SHA 256 hash, encoded in hexadecimal, of the DER x509 certificate.
Timeouts
This resource provides the following Timeouts configuration options:
create
- Default is 20 minutes.
update
- Default is 20 minutes.
delete
- Default is 20 minutes.
Import
Certificate can be imported using any of these accepted formats:
$ terraform import google_privateca_certificate.default projects/{{project}}/locations/{{location}}/caPools/{{pool}}/certificates/{{name}}
$ terraform import google_privateca_certificate.default {{project}}/{{location}}/{{pool}}/{{name}}
$ terraform import google_privateca_certificate.default {{location}}/{{pool}}/{{name}}
User Project Overrides
This resource supports User Project Overrides.