1. Packages
  2. Google Cloud (GCP) Classic
  3. API Docs
  4. certificateauthority
  5. Certificate
Google Cloud Classic v8.9.3 published on Monday, Nov 18, 2024 by Pulumi

gcp.certificateauthority.Certificate

Explore with Pulumi AI

gcp logo
Google Cloud Classic v8.9.3 published on Monday, Nov 18, 2024 by Pulumi

    A Certificate corresponds to a signed X.509 certificate issued by a Certificate.

    Note: The Certificate Authority that is referenced by this resource must be tier = "ENTERPRISE"

    Example Usage

    Privateca Certificate Generated Key

    import * as pulumi from "@pulumi/pulumi";
    import * as gcp from "@pulumi/gcp";
    import * as std from "@pulumi/std";
    import * as tls from "@pulumi/tls";
    
    const _default = new gcp.certificateauthority.CaPool("default", {
        location: "us-central1",
        name: "default",
        tier: "ENTERPRISE",
    });
    const defaultAuthority = new gcp.certificateauthority.Authority("default", {
        location: "us-central1",
        pool: _default.name,
        certificateAuthorityId: "my-authority",
        config: {
            subjectConfig: {
                subject: {
                    organization: "HashiCorp",
                    commonName: "my-certificate-authority",
                },
                subjectAltName: {
                    dnsNames: ["hashicorp.com"],
                },
            },
            x509Config: {
                caOptions: {
                    isCa: true,
                },
                keyUsage: {
                    baseKeyUsage: {
                        certSign: true,
                        crlSign: true,
                    },
                    extendedKeyUsage: {
                        serverAuth: true,
                    },
                },
            },
        },
        keySpec: {
            algorithm: "RSA_PKCS1_4096_SHA256",
        },
        deletionProtection: false,
        skipGracePeriod: true,
        ignoreActiveCertificatesOnDeletion: true,
    });
    const certKey = new tls.PrivateKey("cert_key", {algorithm: "RSA"});
    const defaultCertificate = new gcp.certificateauthority.Certificate("default", {
        location: "us-central1",
        pool: _default.name,
        certificateAuthority: defaultAuthority.certificateAuthorityId,
        lifetime: "86000s",
        name: "cert-1",
        config: {
            subjectConfig: {
                subject: {
                    commonName: "san1.example.com",
                    countryCode: "us",
                    organization: "google",
                    organizationalUnit: "enterprise",
                    locality: "mountain view",
                    province: "california",
                    streetAddress: "1600 amphitheatre parkway",
                },
                subjectAltName: {
                    emailAddresses: ["email@example.com"],
                    ipAddresses: ["127.0.0.1"],
                    uris: ["http://www.ietf.org/rfc/rfc3986.txt"],
                },
            },
            x509Config: {
                caOptions: {
                    isCa: true,
                },
                keyUsage: {
                    baseKeyUsage: {
                        certSign: true,
                        crlSign: true,
                    },
                    extendedKeyUsage: {
                        serverAuth: false,
                    },
                },
                nameConstraints: {
                    critical: true,
                    permittedDnsNames: ["*.example.com"],
                    excludedDnsNames: ["*.deny.example.com"],
                    permittedIpRanges: ["10.0.0.0/8"],
                    excludedIpRanges: ["10.1.1.0/24"],
                    permittedEmailAddresses: [".example.com"],
                    excludedEmailAddresses: [".deny.example.com"],
                    permittedUris: [".example.com"],
                    excludedUris: [".deny.example.com"],
                },
            },
            publicKey: {
                format: "PEM",
                key: std.base64encodeOutput({
                    input: certKey.publicKeyPem,
                }).apply(invoke => invoke.result),
            },
        },
    });
    
    import pulumi
    import pulumi_gcp as gcp
    import pulumi_std as std
    import pulumi_tls as tls
    
    default = gcp.certificateauthority.CaPool("default",
        location="us-central1",
        name="default",
        tier="ENTERPRISE")
    default_authority = gcp.certificateauthority.Authority("default",
        location="us-central1",
        pool=default.name,
        certificate_authority_id="my-authority",
        config={
            "subject_config": {
                "subject": {
                    "organization": "HashiCorp",
                    "common_name": "my-certificate-authority",
                },
                "subject_alt_name": {
                    "dns_names": ["hashicorp.com"],
                },
            },
            "x509_config": {
                "ca_options": {
                    "is_ca": True,
                },
                "key_usage": {
                    "base_key_usage": {
                        "cert_sign": True,
                        "crl_sign": True,
                    },
                    "extended_key_usage": {
                        "server_auth": True,
                    },
                },
            },
        },
        key_spec={
            "algorithm": "RSA_PKCS1_4096_SHA256",
        },
        deletion_protection=False,
        skip_grace_period=True,
        ignore_active_certificates_on_deletion=True)
    cert_key = tls.PrivateKey("cert_key", algorithm="RSA")
    default_certificate = gcp.certificateauthority.Certificate("default",
        location="us-central1",
        pool=default.name,
        certificate_authority=default_authority.certificate_authority_id,
        lifetime="86000s",
        name="cert-1",
        config={
            "subject_config": {
                "subject": {
                    "common_name": "san1.example.com",
                    "country_code": "us",
                    "organization": "google",
                    "organizational_unit": "enterprise",
                    "locality": "mountain view",
                    "province": "california",
                    "street_address": "1600 amphitheatre parkway",
                },
                "subject_alt_name": {
                    "email_addresses": ["email@example.com"],
                    "ip_addresses": ["127.0.0.1"],
                    "uris": ["http://www.ietf.org/rfc/rfc3986.txt"],
                },
            },
            "x509_config": {
                "ca_options": {
                    "is_ca": True,
                },
                "key_usage": {
                    "base_key_usage": {
                        "cert_sign": True,
                        "crl_sign": True,
                    },
                    "extended_key_usage": {
                        "server_auth": False,
                    },
                },
                "name_constraints": {
                    "critical": True,
                    "permitted_dns_names": ["*.example.com"],
                    "excluded_dns_names": ["*.deny.example.com"],
                    "permitted_ip_ranges": ["10.0.0.0/8"],
                    "excluded_ip_ranges": ["10.1.1.0/24"],
                    "permitted_email_addresses": [".example.com"],
                    "excluded_email_addresses": [".deny.example.com"],
                    "permitted_uris": [".example.com"],
                    "excluded_uris": [".deny.example.com"],
                },
            },
            "public_key": {
                "format": "PEM",
                "key": std.base64encode_output(input=cert_key.public_key_pem).apply(lambda invoke: invoke.result),
            },
        })
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/certificateauthority"
    	"github.com/pulumi/pulumi-std/sdk/go/std"
    	"github.com/pulumi/pulumi-tls/sdk/v5/go/tls"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		_, err := certificateauthority.NewCaPool(ctx, "default", &certificateauthority.CaPoolArgs{
    			Location: pulumi.String("us-central1"),
    			Name:     pulumi.String("default"),
    			Tier:     pulumi.String("ENTERPRISE"),
    		})
    		if err != nil {
    			return err
    		}
    		defaultAuthority, err := certificateauthority.NewAuthority(ctx, "default", &certificateauthority.AuthorityArgs{
    			Location:               pulumi.String("us-central1"),
    			Pool:                   _default.Name,
    			CertificateAuthorityId: pulumi.String("my-authority"),
    			Config: &certificateauthority.AuthorityConfigArgs{
    				SubjectConfig: &certificateauthority.AuthorityConfigSubjectConfigArgs{
    					Subject: &certificateauthority.AuthorityConfigSubjectConfigSubjectArgs{
    						Organization: pulumi.String("HashiCorp"),
    						CommonName:   pulumi.String("my-certificate-authority"),
    					},
    					SubjectAltName: &certificateauthority.AuthorityConfigSubjectConfigSubjectAltNameArgs{
    						DnsNames: pulumi.StringArray{
    							pulumi.String("hashicorp.com"),
    						},
    					},
    				},
    				X509Config: &certificateauthority.AuthorityConfigX509ConfigArgs{
    					CaOptions: &certificateauthority.AuthorityConfigX509ConfigCaOptionsArgs{
    						IsCa: pulumi.Bool(true),
    					},
    					KeyUsage: &certificateauthority.AuthorityConfigX509ConfigKeyUsageArgs{
    						BaseKeyUsage: &certificateauthority.AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs{
    							CertSign: pulumi.Bool(true),
    							CrlSign:  pulumi.Bool(true),
    						},
    						ExtendedKeyUsage: &certificateauthority.AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs{
    							ServerAuth: pulumi.Bool(true),
    						},
    					},
    				},
    			},
    			KeySpec: &certificateauthority.AuthorityKeySpecArgs{
    				Algorithm: pulumi.String("RSA_PKCS1_4096_SHA256"),
    			},
    			DeletionProtection:                 pulumi.Bool(false),
    			SkipGracePeriod:                    pulumi.Bool(true),
    			IgnoreActiveCertificatesOnDeletion: pulumi.Bool(true),
    		})
    		if err != nil {
    			return err
    		}
    		certKey, err := tls.NewPrivateKey(ctx, "cert_key", &tls.PrivateKeyArgs{
    			Algorithm: pulumi.String("RSA"),
    		})
    		if err != nil {
    			return err
    		}
    		_, err = certificateauthority.NewCertificate(ctx, "default", &certificateauthority.CertificateArgs{
    			Location:             pulumi.String("us-central1"),
    			Pool:                 _default.Name,
    			CertificateAuthority: defaultAuthority.CertificateAuthorityId,
    			Lifetime:             pulumi.String("86000s"),
    			Name:                 pulumi.String("cert-1"),
    			Config: &certificateauthority.CertificateConfigArgs{
    				SubjectConfig: &certificateauthority.CertificateConfigSubjectConfigArgs{
    					Subject: &certificateauthority.CertificateConfigSubjectConfigSubjectArgs{
    						CommonName:         pulumi.String("san1.example.com"),
    						CountryCode:        pulumi.String("us"),
    						Organization:       pulumi.String("google"),
    						OrganizationalUnit: pulumi.String("enterprise"),
    						Locality:           pulumi.String("mountain view"),
    						Province:           pulumi.String("california"),
    						StreetAddress:      pulumi.String("1600 amphitheatre parkway"),
    					},
    					SubjectAltName: &certificateauthority.CertificateConfigSubjectConfigSubjectAltNameArgs{
    						EmailAddresses: pulumi.StringArray{
    							pulumi.String("email@example.com"),
    						},
    						IpAddresses: pulumi.StringArray{
    							pulumi.String("127.0.0.1"),
    						},
    						Uris: pulumi.StringArray{
    							pulumi.String("http://www.ietf.org/rfc/rfc3986.txt"),
    						},
    					},
    				},
    				X509Config: &certificateauthority.CertificateConfigX509ConfigArgs{
    					CaOptions: &certificateauthority.CertificateConfigX509ConfigCaOptionsArgs{
    						IsCa: pulumi.Bool(true),
    					},
    					KeyUsage: &certificateauthority.CertificateConfigX509ConfigKeyUsageArgs{
    						BaseKeyUsage: &certificateauthority.CertificateConfigX509ConfigKeyUsageBaseKeyUsageArgs{
    							CertSign: pulumi.Bool(true),
    							CrlSign:  pulumi.Bool(true),
    						},
    						ExtendedKeyUsage: &certificateauthority.CertificateConfigX509ConfigKeyUsageExtendedKeyUsageArgs{
    							ServerAuth: pulumi.Bool(false),
    						},
    					},
    					NameConstraints: &certificateauthority.CertificateConfigX509ConfigNameConstraintsArgs{
    						Critical: pulumi.Bool(true),
    						PermittedDnsNames: pulumi.StringArray{
    							pulumi.String("*.example.com"),
    						},
    						ExcludedDnsNames: pulumi.StringArray{
    							pulumi.String("*.deny.example.com"),
    						},
    						PermittedIpRanges: pulumi.StringArray{
    							pulumi.String("10.0.0.0/8"),
    						},
    						ExcludedIpRanges: pulumi.StringArray{
    							pulumi.String("10.1.1.0/24"),
    						},
    						PermittedEmailAddresses: pulumi.StringArray{
    							pulumi.String(".example.com"),
    						},
    						ExcludedEmailAddresses: pulumi.StringArray{
    							pulumi.String(".deny.example.com"),
    						},
    						PermittedUris: pulumi.StringArray{
    							pulumi.String(".example.com"),
    						},
    						ExcludedUris: pulumi.StringArray{
    							pulumi.String(".deny.example.com"),
    						},
    					},
    				},
    				PublicKey: &certificateauthority.CertificateConfigPublicKeyArgs{
    					Format: pulumi.String("PEM"),
    					Key: std.Base64encodeOutput(ctx, std.Base64encodeOutputArgs{
    						Input: certKey.PublicKeyPem,
    					}, nil).ApplyT(func(invoke std.Base64encodeResult) (*string, error) {
    						return invoke.Result, nil
    					}).(pulumi.StringPtrOutput),
    				},
    			},
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Gcp = Pulumi.Gcp;
    using Std = Pulumi.Std;
    using Tls = Pulumi.Tls;
    
    return await Deployment.RunAsync(() => 
    {
        var @default = new Gcp.CertificateAuthority.CaPool("default", new()
        {
            Location = "us-central1",
            Name = "default",
            Tier = "ENTERPRISE",
        });
    
        var defaultAuthority = new Gcp.CertificateAuthority.Authority("default", new()
        {
            Location = "us-central1",
            Pool = @default.Name,
            CertificateAuthorityId = "my-authority",
            Config = new Gcp.CertificateAuthority.Inputs.AuthorityConfigArgs
            {
                SubjectConfig = new Gcp.CertificateAuthority.Inputs.AuthorityConfigSubjectConfigArgs
                {
                    Subject = new Gcp.CertificateAuthority.Inputs.AuthorityConfigSubjectConfigSubjectArgs
                    {
                        Organization = "HashiCorp",
                        CommonName = "my-certificate-authority",
                    },
                    SubjectAltName = new Gcp.CertificateAuthority.Inputs.AuthorityConfigSubjectConfigSubjectAltNameArgs
                    {
                        DnsNames = new[]
                        {
                            "hashicorp.com",
                        },
                    },
                },
                X509Config = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigArgs
                {
                    CaOptions = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigCaOptionsArgs
                    {
                        IsCa = true,
                    },
                    KeyUsage = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigKeyUsageArgs
                    {
                        BaseKeyUsage = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs
                        {
                            CertSign = true,
                            CrlSign = true,
                        },
                        ExtendedKeyUsage = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs
                        {
                            ServerAuth = true,
                        },
                    },
                },
            },
            KeySpec = new Gcp.CertificateAuthority.Inputs.AuthorityKeySpecArgs
            {
                Algorithm = "RSA_PKCS1_4096_SHA256",
            },
            DeletionProtection = false,
            SkipGracePeriod = true,
            IgnoreActiveCertificatesOnDeletion = true,
        });
    
        var certKey = new Tls.PrivateKey("cert_key", new()
        {
            Algorithm = "RSA",
        });
    
        var defaultCertificate = new Gcp.CertificateAuthority.Certificate("default", new()
        {
            Location = "us-central1",
            Pool = @default.Name,
            CertificateAuthority = defaultAuthority.CertificateAuthorityId,
            Lifetime = "86000s",
            Name = "cert-1",
            Config = new Gcp.CertificateAuthority.Inputs.CertificateConfigArgs
            {
                SubjectConfig = new Gcp.CertificateAuthority.Inputs.CertificateConfigSubjectConfigArgs
                {
                    Subject = new Gcp.CertificateAuthority.Inputs.CertificateConfigSubjectConfigSubjectArgs
                    {
                        CommonName = "san1.example.com",
                        CountryCode = "us",
                        Organization = "google",
                        OrganizationalUnit = "enterprise",
                        Locality = "mountain view",
                        Province = "california",
                        StreetAddress = "1600 amphitheatre parkway",
                    },
                    SubjectAltName = new Gcp.CertificateAuthority.Inputs.CertificateConfigSubjectConfigSubjectAltNameArgs
                    {
                        EmailAddresses = new[]
                        {
                            "email@example.com",
                        },
                        IpAddresses = new[]
                        {
                            "127.0.0.1",
                        },
                        Uris = new[]
                        {
                            "http://www.ietf.org/rfc/rfc3986.txt",
                        },
                    },
                },
                X509Config = new Gcp.CertificateAuthority.Inputs.CertificateConfigX509ConfigArgs
                {
                    CaOptions = new Gcp.CertificateAuthority.Inputs.CertificateConfigX509ConfigCaOptionsArgs
                    {
                        IsCa = true,
                    },
                    KeyUsage = new Gcp.CertificateAuthority.Inputs.CertificateConfigX509ConfigKeyUsageArgs
                    {
                        BaseKeyUsage = new Gcp.CertificateAuthority.Inputs.CertificateConfigX509ConfigKeyUsageBaseKeyUsageArgs
                        {
                            CertSign = true,
                            CrlSign = true,
                        },
                        ExtendedKeyUsage = new Gcp.CertificateAuthority.Inputs.CertificateConfigX509ConfigKeyUsageExtendedKeyUsageArgs
                        {
                            ServerAuth = false,
                        },
                    },
                    NameConstraints = new Gcp.CertificateAuthority.Inputs.CertificateConfigX509ConfigNameConstraintsArgs
                    {
                        Critical = true,
                        PermittedDnsNames = new[]
                        {
                            "*.example.com",
                        },
                        ExcludedDnsNames = new[]
                        {
                            "*.deny.example.com",
                        },
                        PermittedIpRanges = new[]
                        {
                            "10.0.0.0/8",
                        },
                        ExcludedIpRanges = new[]
                        {
                            "10.1.1.0/24",
                        },
                        PermittedEmailAddresses = new[]
                        {
                            ".example.com",
                        },
                        ExcludedEmailAddresses = new[]
                        {
                            ".deny.example.com",
                        },
                        PermittedUris = new[]
                        {
                            ".example.com",
                        },
                        ExcludedUris = new[]
                        {
                            ".deny.example.com",
                        },
                    },
                },
                PublicKey = new Gcp.CertificateAuthority.Inputs.CertificateConfigPublicKeyArgs
                {
                    Format = "PEM",
                    Key = Std.Base64encode.Invoke(new()
                    {
                        Input = certKey.PublicKeyPem,
                    }).Apply(invoke => invoke.Result),
                },
            },
        });
    
    });
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.gcp.certificateauthority.CaPool;
    import com.pulumi.gcp.certificateauthority.CaPoolArgs;
    import com.pulumi.gcp.certificateauthority.Authority;
    import com.pulumi.gcp.certificateauthority.AuthorityArgs;
    import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigArgs;
    import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigSubjectConfigArgs;
    import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigSubjectConfigSubjectArgs;
    import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigSubjectConfigSubjectAltNameArgs;
    import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigArgs;
    import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigCaOptionsArgs;
    import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigKeyUsageArgs;
    import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs;
    import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs;
    import com.pulumi.gcp.certificateauthority.inputs.AuthorityKeySpecArgs;
    import com.pulumi.tls.PrivateKey;
    import com.pulumi.tls.PrivateKeyArgs;
    import com.pulumi.gcp.certificateauthority.Certificate;
    import com.pulumi.gcp.certificateauthority.CertificateArgs;
    import com.pulumi.gcp.certificateauthority.inputs.CertificateConfigArgs;
    import com.pulumi.gcp.certificateauthority.inputs.CertificateConfigSubjectConfigArgs;
    import com.pulumi.gcp.certificateauthority.inputs.CertificateConfigSubjectConfigSubjectArgs;
    import com.pulumi.gcp.certificateauthority.inputs.CertificateConfigSubjectConfigSubjectAltNameArgs;
    import com.pulumi.gcp.certificateauthority.inputs.CertificateConfigX509ConfigArgs;
    import com.pulumi.gcp.certificateauthority.inputs.CertificateConfigX509ConfigCaOptionsArgs;
    import com.pulumi.gcp.certificateauthority.inputs.CertificateConfigX509ConfigKeyUsageArgs;
    import com.pulumi.gcp.certificateauthority.inputs.CertificateConfigX509ConfigKeyUsageBaseKeyUsageArgs;
    import com.pulumi.gcp.certificateauthority.inputs.CertificateConfigX509ConfigKeyUsageExtendedKeyUsageArgs;
    import com.pulumi.gcp.certificateauthority.inputs.CertificateConfigX509ConfigNameConstraintsArgs;
    import com.pulumi.gcp.certificateauthority.inputs.CertificateConfigPublicKeyArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            var default_ = new CaPool("default", CaPoolArgs.builder()
                .location("us-central1")
                .name("default")
                .tier("ENTERPRISE")
                .build());
    
            var defaultAuthority = new Authority("defaultAuthority", AuthorityArgs.builder()
                .location("us-central1")
                .pool(default_.name())
                .certificateAuthorityId("my-authority")
                .config(AuthorityConfigArgs.builder()
                    .subjectConfig(AuthorityConfigSubjectConfigArgs.builder()
                        .subject(AuthorityConfigSubjectConfigSubjectArgs.builder()
                            .organization("HashiCorp")
                            .commonName("my-certificate-authority")
                            .build())
                        .subjectAltName(AuthorityConfigSubjectConfigSubjectAltNameArgs.builder()
                            .dnsNames("hashicorp.com")
                            .build())
                        .build())
                    .x509Config(AuthorityConfigX509ConfigArgs.builder()
                        .caOptions(AuthorityConfigX509ConfigCaOptionsArgs.builder()
                            .isCa(true)
                            .build())
                        .keyUsage(AuthorityConfigX509ConfigKeyUsageArgs.builder()
                            .baseKeyUsage(AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs.builder()
                                .certSign(true)
                                .crlSign(true)
                                .build())
                            .extendedKeyUsage(AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs.builder()
                                .serverAuth(true)
                                .build())
                            .build())
                        .build())
                    .build())
                .keySpec(AuthorityKeySpecArgs.builder()
                    .algorithm("RSA_PKCS1_4096_SHA256")
                    .build())
                .deletionProtection(false)
                .skipGracePeriod(true)
                .ignoreActiveCertificatesOnDeletion(true)
                .build());
    
            var certKey = new PrivateKey("certKey", PrivateKeyArgs.builder()
                .algorithm("RSA")
                .build());
    
            var defaultCertificate = new Certificate("defaultCertificate", CertificateArgs.builder()
                .location("us-central1")
                .pool(default_.name())
                .certificateAuthority(defaultAuthority.certificateAuthorityId())
                .lifetime("86000s")
                .name("cert-1")
                .config(CertificateConfigArgs.builder()
                    .subjectConfig(CertificateConfigSubjectConfigArgs.builder()
                        .subject(CertificateConfigSubjectConfigSubjectArgs.builder()
                            .commonName("san1.example.com")
                            .countryCode("us")
                            .organization("google")
                            .organizationalUnit("enterprise")
                            .locality("mountain view")
                            .province("california")
                            .streetAddress("1600 amphitheatre parkway")
                            .build())
                        .subjectAltName(CertificateConfigSubjectConfigSubjectAltNameArgs.builder()
                            .emailAddresses("email@example.com")
                            .ipAddresses("127.0.0.1")
                            .uris("http://www.ietf.org/rfc/rfc3986.txt")
                            .build())
                        .build())
                    .x509Config(CertificateConfigX509ConfigArgs.builder()
                        .caOptions(CertificateConfigX509ConfigCaOptionsArgs.builder()
                            .isCa(true)
                            .build())
                        .keyUsage(CertificateConfigX509ConfigKeyUsageArgs.builder()
                            .baseKeyUsage(CertificateConfigX509ConfigKeyUsageBaseKeyUsageArgs.builder()
                                .certSign(true)
                                .crlSign(true)
                                .build())
                            .extendedKeyUsage(CertificateConfigX509ConfigKeyUsageExtendedKeyUsageArgs.builder()
                                .serverAuth(false)
                                .build())
                            .build())
                        .nameConstraints(CertificateConfigX509ConfigNameConstraintsArgs.builder()
                            .critical(true)
                            .permittedDnsNames("*.example.com")
                            .excludedDnsNames("*.deny.example.com")
                            .permittedIpRanges("10.0.0.0/8")
                            .excludedIpRanges("10.1.1.0/24")
                            .permittedEmailAddresses(".example.com")
                            .excludedEmailAddresses(".deny.example.com")
                            .permittedUris(".example.com")
                            .excludedUris(".deny.example.com")
                            .build())
                        .build())
                    .publicKey(CertificateConfigPublicKeyArgs.builder()
                        .format("PEM")
                        .key(StdFunctions.base64encode().applyValue(invoke -> invoke.result()))
                        .build())
                    .build())
                .build());
    
        }
    }
    
    resources:
      default:
        type: gcp:certificateauthority:CaPool
        properties:
          location: us-central1
          name: default
          tier: ENTERPRISE
      defaultAuthority:
        type: gcp:certificateauthority:Authority
        name: default
        properties:
          location: us-central1
          pool: ${default.name}
          certificateAuthorityId: my-authority
          config:
            subjectConfig:
              subject:
                organization: HashiCorp
                commonName: my-certificate-authority
              subjectAltName:
                dnsNames:
                  - hashicorp.com
            x509Config:
              caOptions:
                isCa: true
              keyUsage:
                baseKeyUsage:
                  certSign: true
                  crlSign: true
                extendedKeyUsage:
                  serverAuth: true
          keySpec:
            algorithm: RSA_PKCS1_4096_SHA256
          deletionProtection: false
          skipGracePeriod: true
          ignoreActiveCertificatesOnDeletion: true
      certKey:
        type: tls:PrivateKey
        name: cert_key
        properties:
          algorithm: RSA
      defaultCertificate:
        type: gcp:certificateauthority:Certificate
        name: default
        properties:
          location: us-central1
          pool: ${default.name}
          certificateAuthority: ${defaultAuthority.certificateAuthorityId}
          lifetime: 86000s
          name: cert-1
          config:
            subjectConfig:
              subject:
                commonName: san1.example.com
                countryCode: us
                organization: google
                organizationalUnit: enterprise
                locality: mountain view
                province: california
                streetAddress: 1600 amphitheatre parkway
              subjectAltName:
                emailAddresses:
                  - email@example.com
                ipAddresses:
                  - 127.0.0.1
                uris:
                  - http://www.ietf.org/rfc/rfc3986.txt
            x509Config:
              caOptions:
                isCa: true
              keyUsage:
                baseKeyUsage:
                  certSign: true
                  crlSign: true
                extendedKeyUsage:
                  serverAuth: false
              nameConstraints:
                critical: true
                permittedDnsNames:
                  - '*.example.com'
                excludedDnsNames:
                  - '*.deny.example.com'
                permittedIpRanges:
                  - 10.0.0.0/8
                excludedIpRanges:
                  - 10.1.1.0/24
                permittedEmailAddresses:
                  - .example.com
                excludedEmailAddresses:
                  - .deny.example.com
                permittedUris:
                  - .example.com
                excludedUris:
                  - .deny.example.com
            publicKey:
              format: PEM
              key:
                fn::invoke:
                  Function: std:base64encode
                  Arguments:
                    input: ${certKey.publicKeyPem}
                  Return: result
    

    Privateca Certificate With Template

    import * as pulumi from "@pulumi/pulumi";
    import * as gcp from "@pulumi/gcp";
    import * as std from "@pulumi/std";
    
    const _default = new gcp.certificateauthority.CaPool("default", {
        location: "us-central1",
        name: "my-pool",
        tier: "ENTERPRISE",
    });
    const defaultCertificateTemplate = new gcp.certificateauthority.CertificateTemplate("default", {
        location: "us-central1",
        name: "my-certificate-template",
        description: "An updated sample certificate template",
        identityConstraints: {
            allowSubjectAltNamesPassthrough: true,
            allowSubjectPassthrough: true,
            celExpression: {
                description: "Always true",
                expression: "true",
                location: "any.file.anywhere",
                title: "Sample expression",
            },
        },
        passthroughExtensions: {
            additionalExtensions: [{
                objectIdPaths: [
                    1,
                    6,
                ],
            }],
            knownExtensions: ["EXTENDED_KEY_USAGE"],
        },
        predefinedValues: {
            additionalExtensions: [{
                objectId: {
                    objectIdPaths: [
                        1,
                        6,
                    ],
                },
                value: "c3RyaW5nCg==",
                critical: true,
            }],
            aiaOcspServers: ["string"],
            caOptions: {
                isCa: false,
                maxIssuerPathLength: 6,
            },
            keyUsage: {
                baseKeyUsage: {
                    certSign: false,
                    contentCommitment: true,
                    crlSign: false,
                    dataEncipherment: true,
                    decipherOnly: true,
                    digitalSignature: true,
                    encipherOnly: true,
                    keyAgreement: true,
                    keyEncipherment: true,
                },
                extendedKeyUsage: {
                    clientAuth: true,
                    codeSigning: true,
                    emailProtection: true,
                    ocspSigning: true,
                    serverAuth: true,
                    timeStamping: true,
                },
                unknownExtendedKeyUsages: [{
                    objectIdPaths: [
                        1,
                        6,
                    ],
                }],
            },
            policyIds: [{
                objectIdPaths: [
                    1,
                    6,
                ],
            }],
        },
    });
    const defaultAuthority = new gcp.certificateauthority.Authority("default", {
        location: "us-central1",
        pool: _default.name,
        certificateAuthorityId: "my-authority",
        config: {
            subjectConfig: {
                subject: {
                    organization: "HashiCorp",
                    commonName: "my-certificate-authority",
                },
                subjectAltName: {
                    dnsNames: ["hashicorp.com"],
                },
            },
            x509Config: {
                caOptions: {
                    isCa: true,
                },
                keyUsage: {
                    baseKeyUsage: {
                        certSign: true,
                        crlSign: true,
                    },
                    extendedKeyUsage: {
                        serverAuth: false,
                    },
                },
            },
        },
        keySpec: {
            algorithm: "RSA_PKCS1_4096_SHA256",
        },
        deletionProtection: false,
        skipGracePeriod: true,
        ignoreActiveCertificatesOnDeletion: true,
    });
    const defaultCertificate = new gcp.certificateauthority.Certificate("default", {
        location: "us-central1",
        pool: _default.name,
        certificateAuthority: defaultAuthority.certificateAuthorityId,
        name: "my-certificate",
        lifetime: "860s",
        pemCsr: std.file({
            input: "test-fixtures/rsa_csr.pem",
        }).then(invoke => invoke.result),
        certificateTemplate: defaultCertificateTemplate.id,
    });
    
    import pulumi
    import pulumi_gcp as gcp
    import pulumi_std as std
    
    default = gcp.certificateauthority.CaPool("default",
        location="us-central1",
        name="my-pool",
        tier="ENTERPRISE")
    default_certificate_template = gcp.certificateauthority.CertificateTemplate("default",
        location="us-central1",
        name="my-certificate-template",
        description="An updated sample certificate template",
        identity_constraints={
            "allow_subject_alt_names_passthrough": True,
            "allow_subject_passthrough": True,
            "cel_expression": {
                "description": "Always true",
                "expression": "true",
                "location": "any.file.anywhere",
                "title": "Sample expression",
            },
        },
        passthrough_extensions={
            "additional_extensions": [{
                "object_id_paths": [
                    1,
                    6,
                ],
            }],
            "known_extensions": ["EXTENDED_KEY_USAGE"],
        },
        predefined_values={
            "additional_extensions": [{
                "object_id": {
                    "object_id_paths": [
                        1,
                        6,
                    ],
                },
                "value": "c3RyaW5nCg==",
                "critical": True,
            }],
            "aia_ocsp_servers": ["string"],
            "ca_options": {
                "is_ca": False,
                "max_issuer_path_length": 6,
            },
            "key_usage": {
                "base_key_usage": {
                    "cert_sign": False,
                    "content_commitment": True,
                    "crl_sign": False,
                    "data_encipherment": True,
                    "decipher_only": True,
                    "digital_signature": True,
                    "encipher_only": True,
                    "key_agreement": True,
                    "key_encipherment": True,
                },
                "extended_key_usage": {
                    "client_auth": True,
                    "code_signing": True,
                    "email_protection": True,
                    "ocsp_signing": True,
                    "server_auth": True,
                    "time_stamping": True,
                },
                "unknown_extended_key_usages": [{
                    "object_id_paths": [
                        1,
                        6,
                    ],
                }],
            },
            "policy_ids": [{
                "object_id_paths": [
                    1,
                    6,
                ],
            }],
        })
    default_authority = gcp.certificateauthority.Authority("default",
        location="us-central1",
        pool=default.name,
        certificate_authority_id="my-authority",
        config={
            "subject_config": {
                "subject": {
                    "organization": "HashiCorp",
                    "common_name": "my-certificate-authority",
                },
                "subject_alt_name": {
                    "dns_names": ["hashicorp.com"],
                },
            },
            "x509_config": {
                "ca_options": {
                    "is_ca": True,
                },
                "key_usage": {
                    "base_key_usage": {
                        "cert_sign": True,
                        "crl_sign": True,
                    },
                    "extended_key_usage": {
                        "server_auth": False,
                    },
                },
            },
        },
        key_spec={
            "algorithm": "RSA_PKCS1_4096_SHA256",
        },
        deletion_protection=False,
        skip_grace_period=True,
        ignore_active_certificates_on_deletion=True)
    default_certificate = gcp.certificateauthority.Certificate("default",
        location="us-central1",
        pool=default.name,
        certificate_authority=default_authority.certificate_authority_id,
        name="my-certificate",
        lifetime="860s",
        pem_csr=std.file(input="test-fixtures/rsa_csr.pem").result,
        certificate_template=default_certificate_template.id)
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/certificateauthority"
    	"github.com/pulumi/pulumi-std/sdk/go/std"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		_, err := certificateauthority.NewCaPool(ctx, "default", &certificateauthority.CaPoolArgs{
    			Location: pulumi.String("us-central1"),
    			Name:     pulumi.String("my-pool"),
    			Tier:     pulumi.String("ENTERPRISE"),
    		})
    		if err != nil {
    			return err
    		}
    		defaultCertificateTemplate, err := certificateauthority.NewCertificateTemplate(ctx, "default", &certificateauthority.CertificateTemplateArgs{
    			Location:    pulumi.String("us-central1"),
    			Name:        pulumi.String("my-certificate-template"),
    			Description: pulumi.String("An updated sample certificate template"),
    			IdentityConstraints: &certificateauthority.CertificateTemplateIdentityConstraintsArgs{
    				AllowSubjectAltNamesPassthrough: pulumi.Bool(true),
    				AllowSubjectPassthrough:         pulumi.Bool(true),
    				CelExpression: &certificateauthority.CertificateTemplateIdentityConstraintsCelExpressionArgs{
    					Description: pulumi.String("Always true"),
    					Expression:  pulumi.String("true"),
    					Location:    pulumi.String("any.file.anywhere"),
    					Title:       pulumi.String("Sample expression"),
    				},
    			},
    			PassthroughExtensions: &certificateauthority.CertificateTemplatePassthroughExtensionsArgs{
    				AdditionalExtensions: certificateauthority.CertificateTemplatePassthroughExtensionsAdditionalExtensionArray{
    					&certificateauthority.CertificateTemplatePassthroughExtensionsAdditionalExtensionArgs{
    						ObjectIdPaths: pulumi.IntArray{
    							pulumi.Int(1),
    							pulumi.Int(6),
    						},
    					},
    				},
    				KnownExtensions: pulumi.StringArray{
    					pulumi.String("EXTENDED_KEY_USAGE"),
    				},
    			},
    			PredefinedValues: &certificateauthority.CertificateTemplatePredefinedValuesArgs{
    				AdditionalExtensions: certificateauthority.CertificateTemplatePredefinedValuesAdditionalExtensionArray{
    					&certificateauthority.CertificateTemplatePredefinedValuesAdditionalExtensionArgs{
    						ObjectId: &certificateauthority.CertificateTemplatePredefinedValuesAdditionalExtensionObjectIdArgs{
    							ObjectIdPaths: pulumi.IntArray{
    								pulumi.Int(1),
    								pulumi.Int(6),
    							},
    						},
    						Value:    pulumi.String("c3RyaW5nCg=="),
    						Critical: pulumi.Bool(true),
    					},
    				},
    				AiaOcspServers: pulumi.StringArray{
    					pulumi.String("string"),
    				},
    				CaOptions: &certificateauthority.CertificateTemplatePredefinedValuesCaOptionsArgs{
    					IsCa:                pulumi.Bool(false),
    					MaxIssuerPathLength: pulumi.Int(6),
    				},
    				KeyUsage: &certificateauthority.CertificateTemplatePredefinedValuesKeyUsageArgs{
    					BaseKeyUsage: &certificateauthority.CertificateTemplatePredefinedValuesKeyUsageBaseKeyUsageArgs{
    						CertSign:          pulumi.Bool(false),
    						ContentCommitment: pulumi.Bool(true),
    						CrlSign:           pulumi.Bool(false),
    						DataEncipherment:  pulumi.Bool(true),
    						DecipherOnly:      pulumi.Bool(true),
    						DigitalSignature:  pulumi.Bool(true),
    						EncipherOnly:      pulumi.Bool(true),
    						KeyAgreement:      pulumi.Bool(true),
    						KeyEncipherment:   pulumi.Bool(true),
    					},
    					ExtendedKeyUsage: &certificateauthority.CertificateTemplatePredefinedValuesKeyUsageExtendedKeyUsageArgs{
    						ClientAuth:      pulumi.Bool(true),
    						CodeSigning:     pulumi.Bool(true),
    						EmailProtection: pulumi.Bool(true),
    						OcspSigning:     pulumi.Bool(true),
    						ServerAuth:      pulumi.Bool(true),
    						TimeStamping:    pulumi.Bool(true),
    					},
    					UnknownExtendedKeyUsages: certificateauthority.CertificateTemplatePredefinedValuesKeyUsageUnknownExtendedKeyUsageArray{
    						&certificateauthority.CertificateTemplatePredefinedValuesKeyUsageUnknownExtendedKeyUsageArgs{
    							ObjectIdPaths: pulumi.IntArray{
    								pulumi.Int(1),
    								pulumi.Int(6),
    							},
    						},
    					},
    				},
    				PolicyIds: certificateauthority.CertificateTemplatePredefinedValuesPolicyIdArray{
    					&certificateauthority.CertificateTemplatePredefinedValuesPolicyIdArgs{
    						ObjectIdPaths: pulumi.IntArray{
    							pulumi.Int(1),
    							pulumi.Int(6),
    						},
    					},
    				},
    			},
    		})
    		if err != nil {
    			return err
    		}
    		defaultAuthority, err := certificateauthority.NewAuthority(ctx, "default", &certificateauthority.AuthorityArgs{
    			Location:               pulumi.String("us-central1"),
    			Pool:                   _default.Name,
    			CertificateAuthorityId: pulumi.String("my-authority"),
    			Config: &certificateauthority.AuthorityConfigArgs{
    				SubjectConfig: &certificateauthority.AuthorityConfigSubjectConfigArgs{
    					Subject: &certificateauthority.AuthorityConfigSubjectConfigSubjectArgs{
    						Organization: pulumi.String("HashiCorp"),
    						CommonName:   pulumi.String("my-certificate-authority"),
    					},
    					SubjectAltName: &certificateauthority.AuthorityConfigSubjectConfigSubjectAltNameArgs{
    						DnsNames: pulumi.StringArray{
    							pulumi.String("hashicorp.com"),
    						},
    					},
    				},
    				X509Config: &certificateauthority.AuthorityConfigX509ConfigArgs{
    					CaOptions: &certificateauthority.AuthorityConfigX509ConfigCaOptionsArgs{
    						IsCa: pulumi.Bool(true),
    					},
    					KeyUsage: &certificateauthority.AuthorityConfigX509ConfigKeyUsageArgs{
    						BaseKeyUsage: &certificateauthority.AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs{
    							CertSign: pulumi.Bool(true),
    							CrlSign:  pulumi.Bool(true),
    						},
    						ExtendedKeyUsage: &certificateauthority.AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs{
    							ServerAuth: pulumi.Bool(false),
    						},
    					},
    				},
    			},
    			KeySpec: &certificateauthority.AuthorityKeySpecArgs{
    				Algorithm: pulumi.String("RSA_PKCS1_4096_SHA256"),
    			},
    			DeletionProtection:                 pulumi.Bool(false),
    			SkipGracePeriod:                    pulumi.Bool(true),
    			IgnoreActiveCertificatesOnDeletion: pulumi.Bool(true),
    		})
    		if err != nil {
    			return err
    		}
    		invokeFile, err := std.File(ctx, &std.FileArgs{
    			Input: "test-fixtures/rsa_csr.pem",
    		}, nil)
    		if err != nil {
    			return err
    		}
    		_, err = certificateauthority.NewCertificate(ctx, "default", &certificateauthority.CertificateArgs{
    			Location:             pulumi.String("us-central1"),
    			Pool:                 _default.Name,
    			CertificateAuthority: defaultAuthority.CertificateAuthorityId,
    			Name:                 pulumi.String("my-certificate"),
    			Lifetime:             pulumi.String("860s"),
    			PemCsr:               pulumi.String(invokeFile.Result),
    			CertificateTemplate:  defaultCertificateTemplate.ID(),
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Gcp = Pulumi.Gcp;
    using Std = Pulumi.Std;
    
    return await Deployment.RunAsync(() => 
    {
        var @default = new Gcp.CertificateAuthority.CaPool("default", new()
        {
            Location = "us-central1",
            Name = "my-pool",
            Tier = "ENTERPRISE",
        });
    
        var defaultCertificateTemplate = new Gcp.CertificateAuthority.CertificateTemplate("default", new()
        {
            Location = "us-central1",
            Name = "my-certificate-template",
            Description = "An updated sample certificate template",
            IdentityConstraints = new Gcp.CertificateAuthority.Inputs.CertificateTemplateIdentityConstraintsArgs
            {
                AllowSubjectAltNamesPassthrough = true,
                AllowSubjectPassthrough = true,
                CelExpression = new Gcp.CertificateAuthority.Inputs.CertificateTemplateIdentityConstraintsCelExpressionArgs
                {
                    Description = "Always true",
                    Expression = "true",
                    Location = "any.file.anywhere",
                    Title = "Sample expression",
                },
            },
            PassthroughExtensions = new Gcp.CertificateAuthority.Inputs.CertificateTemplatePassthroughExtensionsArgs
            {
                AdditionalExtensions = new[]
                {
                    new Gcp.CertificateAuthority.Inputs.CertificateTemplatePassthroughExtensionsAdditionalExtensionArgs
                    {
                        ObjectIdPaths = new[]
                        {
                            1,
                            6,
                        },
                    },
                },
                KnownExtensions = new[]
                {
                    "EXTENDED_KEY_USAGE",
                },
            },
            PredefinedValues = new Gcp.CertificateAuthority.Inputs.CertificateTemplatePredefinedValuesArgs
            {
                AdditionalExtensions = new[]
                {
                    new Gcp.CertificateAuthority.Inputs.CertificateTemplatePredefinedValuesAdditionalExtensionArgs
                    {
                        ObjectId = new Gcp.CertificateAuthority.Inputs.CertificateTemplatePredefinedValuesAdditionalExtensionObjectIdArgs
                        {
                            ObjectIdPaths = new[]
                            {
                                1,
                                6,
                            },
                        },
                        Value = "c3RyaW5nCg==",
                        Critical = true,
                    },
                },
                AiaOcspServers = new[]
                {
                    "string",
                },
                CaOptions = new Gcp.CertificateAuthority.Inputs.CertificateTemplatePredefinedValuesCaOptionsArgs
                {
                    IsCa = false,
                    MaxIssuerPathLength = 6,
                },
                KeyUsage = new Gcp.CertificateAuthority.Inputs.CertificateTemplatePredefinedValuesKeyUsageArgs
                {
                    BaseKeyUsage = new Gcp.CertificateAuthority.Inputs.CertificateTemplatePredefinedValuesKeyUsageBaseKeyUsageArgs
                    {
                        CertSign = false,
                        ContentCommitment = true,
                        CrlSign = false,
                        DataEncipherment = true,
                        DecipherOnly = true,
                        DigitalSignature = true,
                        EncipherOnly = true,
                        KeyAgreement = true,
                        KeyEncipherment = true,
                    },
                    ExtendedKeyUsage = new Gcp.CertificateAuthority.Inputs.CertificateTemplatePredefinedValuesKeyUsageExtendedKeyUsageArgs
                    {
                        ClientAuth = true,
                        CodeSigning = true,
                        EmailProtection = true,
                        OcspSigning = true,
                        ServerAuth = true,
                        TimeStamping = true,
                    },
                    UnknownExtendedKeyUsages = new[]
                    {
                        new Gcp.CertificateAuthority.Inputs.CertificateTemplatePredefinedValuesKeyUsageUnknownExtendedKeyUsageArgs
                        {
                            ObjectIdPaths = new[]
                            {
                                1,
                                6,
                            },
                        },
                    },
                },
                PolicyIds = new[]
                {
                    new Gcp.CertificateAuthority.Inputs.CertificateTemplatePredefinedValuesPolicyIdArgs
                    {
                        ObjectIdPaths = new[]
                        {
                            1,
                            6,
                        },
                    },
                },
            },
        });
    
        var defaultAuthority = new Gcp.CertificateAuthority.Authority("default", new()
        {
            Location = "us-central1",
            Pool = @default.Name,
            CertificateAuthorityId = "my-authority",
            Config = new Gcp.CertificateAuthority.Inputs.AuthorityConfigArgs
            {
                SubjectConfig = new Gcp.CertificateAuthority.Inputs.AuthorityConfigSubjectConfigArgs
                {
                    Subject = new Gcp.CertificateAuthority.Inputs.AuthorityConfigSubjectConfigSubjectArgs
                    {
                        Organization = "HashiCorp",
                        CommonName = "my-certificate-authority",
                    },
                    SubjectAltName = new Gcp.CertificateAuthority.Inputs.AuthorityConfigSubjectConfigSubjectAltNameArgs
                    {
                        DnsNames = new[]
                        {
                            "hashicorp.com",
                        },
                    },
                },
                X509Config = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigArgs
                {
                    CaOptions = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigCaOptionsArgs
                    {
                        IsCa = true,
                    },
                    KeyUsage = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigKeyUsageArgs
                    {
                        BaseKeyUsage = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs
                        {
                            CertSign = true,
                            CrlSign = true,
                        },
                        ExtendedKeyUsage = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs
                        {
                            ServerAuth = false,
                        },
                    },
                },
            },
            KeySpec = new Gcp.CertificateAuthority.Inputs.AuthorityKeySpecArgs
            {
                Algorithm = "RSA_PKCS1_4096_SHA256",
            },
            DeletionProtection = false,
            SkipGracePeriod = true,
            IgnoreActiveCertificatesOnDeletion = true,
        });
    
        var defaultCertificate = new Gcp.CertificateAuthority.Certificate("default", new()
        {
            Location = "us-central1",
            Pool = @default.Name,
            CertificateAuthority = defaultAuthority.CertificateAuthorityId,
            Name = "my-certificate",
            Lifetime = "860s",
            PemCsr = Std.File.Invoke(new()
            {
                Input = "test-fixtures/rsa_csr.pem",
            }).Apply(invoke => invoke.Result),
            CertificateTemplate = defaultCertificateTemplate.Id,
        });
    
    });
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.gcp.certificateauthority.CaPool;
    import com.pulumi.gcp.certificateauthority.CaPoolArgs;
    import com.pulumi.gcp.certificateauthority.CertificateTemplate;
    import com.pulumi.gcp.certificateauthority.CertificateTemplateArgs;
    import com.pulumi.gcp.certificateauthority.inputs.CertificateTemplateIdentityConstraintsArgs;
    import com.pulumi.gcp.certificateauthority.inputs.CertificateTemplateIdentityConstraintsCelExpressionArgs;
    import com.pulumi.gcp.certificateauthority.inputs.CertificateTemplatePassthroughExtensionsArgs;
    import com.pulumi.gcp.certificateauthority.inputs.CertificateTemplatePredefinedValuesArgs;
    import com.pulumi.gcp.certificateauthority.inputs.CertificateTemplatePredefinedValuesCaOptionsArgs;
    import com.pulumi.gcp.certificateauthority.inputs.CertificateTemplatePredefinedValuesKeyUsageArgs;
    import com.pulumi.gcp.certificateauthority.inputs.CertificateTemplatePredefinedValuesKeyUsageBaseKeyUsageArgs;
    import com.pulumi.gcp.certificateauthority.inputs.CertificateTemplatePredefinedValuesKeyUsageExtendedKeyUsageArgs;
    import com.pulumi.gcp.certificateauthority.Authority;
    import com.pulumi.gcp.certificateauthority.AuthorityArgs;
    import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigArgs;
    import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigSubjectConfigArgs;
    import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigSubjectConfigSubjectArgs;
    import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigSubjectConfigSubjectAltNameArgs;
    import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigArgs;
    import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigCaOptionsArgs;
    import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigKeyUsageArgs;
    import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs;
    import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs;
    import com.pulumi.gcp.certificateauthority.inputs.AuthorityKeySpecArgs;
    import com.pulumi.gcp.certificateauthority.Certificate;
    import com.pulumi.gcp.certificateauthority.CertificateArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            var default_ = new CaPool("default", CaPoolArgs.builder()
                .location("us-central1")
                .name("my-pool")
                .tier("ENTERPRISE")
                .build());
    
            var defaultCertificateTemplate = new CertificateTemplate("defaultCertificateTemplate", CertificateTemplateArgs.builder()
                .location("us-central1")
                .name("my-certificate-template")
                .description("An updated sample certificate template")
                .identityConstraints(CertificateTemplateIdentityConstraintsArgs.builder()
                    .allowSubjectAltNamesPassthrough(true)
                    .allowSubjectPassthrough(true)
                    .celExpression(CertificateTemplateIdentityConstraintsCelExpressionArgs.builder()
                        .description("Always true")
                        .expression("true")
                        .location("any.file.anywhere")
                        .title("Sample expression")
                        .build())
                    .build())
                .passthroughExtensions(CertificateTemplatePassthroughExtensionsArgs.builder()
                    .additionalExtensions(CertificateTemplatePassthroughExtensionsAdditionalExtensionArgs.builder()
                        .objectIdPaths(                    
                            1,
                            6)
                        .build())
                    .knownExtensions("EXTENDED_KEY_USAGE")
                    .build())
                .predefinedValues(CertificateTemplatePredefinedValuesArgs.builder()
                    .additionalExtensions(CertificateTemplatePredefinedValuesAdditionalExtensionArgs.builder()
                        .objectId(CertificateTemplatePredefinedValuesAdditionalExtensionObjectIdArgs.builder()
                            .objectIdPaths(                        
                                1,
                                6)
                            .build())
                        .value("c3RyaW5nCg==")
                        .critical(true)
                        .build())
                    .aiaOcspServers("string")
                    .caOptions(CertificateTemplatePredefinedValuesCaOptionsArgs.builder()
                        .isCa(false)
                        .maxIssuerPathLength(6)
                        .build())
                    .keyUsage(CertificateTemplatePredefinedValuesKeyUsageArgs.builder()
                        .baseKeyUsage(CertificateTemplatePredefinedValuesKeyUsageBaseKeyUsageArgs.builder()
                            .certSign(false)
                            .contentCommitment(true)
                            .crlSign(false)
                            .dataEncipherment(true)
                            .decipherOnly(true)
                            .digitalSignature(true)
                            .encipherOnly(true)
                            .keyAgreement(true)
                            .keyEncipherment(true)
                            .build())
                        .extendedKeyUsage(CertificateTemplatePredefinedValuesKeyUsageExtendedKeyUsageArgs.builder()
                            .clientAuth(true)
                            .codeSigning(true)
                            .emailProtection(true)
                            .ocspSigning(true)
                            .serverAuth(true)
                            .timeStamping(true)
                            .build())
                        .unknownExtendedKeyUsages(CertificateTemplatePredefinedValuesKeyUsageUnknownExtendedKeyUsageArgs.builder()
                            .objectIdPaths(                        
                                1,
                                6)
                            .build())
                        .build())
                    .policyIds(CertificateTemplatePredefinedValuesPolicyIdArgs.builder()
                        .objectIdPaths(                    
                            1,
                            6)
                        .build())
                    .build())
                .build());
    
            var defaultAuthority = new Authority("defaultAuthority", AuthorityArgs.builder()
                .location("us-central1")
                .pool(default_.name())
                .certificateAuthorityId("my-authority")
                .config(AuthorityConfigArgs.builder()
                    .subjectConfig(AuthorityConfigSubjectConfigArgs.builder()
                        .subject(AuthorityConfigSubjectConfigSubjectArgs.builder()
                            .organization("HashiCorp")
                            .commonName("my-certificate-authority")
                            .build())
                        .subjectAltName(AuthorityConfigSubjectConfigSubjectAltNameArgs.builder()
                            .dnsNames("hashicorp.com")
                            .build())
                        .build())
                    .x509Config(AuthorityConfigX509ConfigArgs.builder()
                        .caOptions(AuthorityConfigX509ConfigCaOptionsArgs.builder()
                            .isCa(true)
                            .build())
                        .keyUsage(AuthorityConfigX509ConfigKeyUsageArgs.builder()
                            .baseKeyUsage(AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs.builder()
                                .certSign(true)
                                .crlSign(true)
                                .build())
                            .extendedKeyUsage(AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs.builder()
                                .serverAuth(false)
                                .build())
                            .build())
                        .build())
                    .build())
                .keySpec(AuthorityKeySpecArgs.builder()
                    .algorithm("RSA_PKCS1_4096_SHA256")
                    .build())
                .deletionProtection(false)
                .skipGracePeriod(true)
                .ignoreActiveCertificatesOnDeletion(true)
                .build());
    
            var defaultCertificate = new Certificate("defaultCertificate", CertificateArgs.builder()
                .location("us-central1")
                .pool(default_.name())
                .certificateAuthority(defaultAuthority.certificateAuthorityId())
                .name("my-certificate")
                .lifetime("860s")
                .pemCsr(StdFunctions.file(FileArgs.builder()
                    .input("test-fixtures/rsa_csr.pem")
                    .build()).result())
                .certificateTemplate(defaultCertificateTemplate.id())
                .build());
    
        }
    }
    
    resources:
      default:
        type: gcp:certificateauthority:CaPool
        properties:
          location: us-central1
          name: my-pool
          tier: ENTERPRISE
      defaultCertificateTemplate:
        type: gcp:certificateauthority:CertificateTemplate
        name: default
        properties:
          location: us-central1
          name: my-certificate-template
          description: An updated sample certificate template
          identityConstraints:
            allowSubjectAltNamesPassthrough: true
            allowSubjectPassthrough: true
            celExpression:
              description: Always true
              expression: 'true'
              location: any.file.anywhere
              title: Sample expression
          passthroughExtensions:
            additionalExtensions:
              - objectIdPaths:
                  - 1
                  - 6
            knownExtensions:
              - EXTENDED_KEY_USAGE
          predefinedValues:
            additionalExtensions:
              - objectId:
                  objectIdPaths:
                    - 1
                    - 6
                value: c3RyaW5nCg==
                critical: true
            aiaOcspServers:
              - string
            caOptions:
              isCa: false
              maxIssuerPathLength: 6
            keyUsage:
              baseKeyUsage:
                certSign: false
                contentCommitment: true
                crlSign: false
                dataEncipherment: true
                decipherOnly: true
                digitalSignature: true
                encipherOnly: true
                keyAgreement: true
                keyEncipherment: true
              extendedKeyUsage:
                clientAuth: true
                codeSigning: true
                emailProtection: true
                ocspSigning: true
                serverAuth: true
                timeStamping: true
              unknownExtendedKeyUsages:
                - objectIdPaths:
                    - 1
                    - 6
            policyIds:
              - objectIdPaths:
                  - 1
                  - 6
      defaultAuthority:
        type: gcp:certificateauthority:Authority
        name: default
        properties:
          location: us-central1
          pool: ${default.name}
          certificateAuthorityId: my-authority
          config:
            subjectConfig:
              subject:
                organization: HashiCorp
                commonName: my-certificate-authority
              subjectAltName:
                dnsNames:
                  - hashicorp.com
            x509Config:
              caOptions:
                isCa: true
              keyUsage:
                baseKeyUsage:
                  certSign: true
                  crlSign: true
                extendedKeyUsage:
                  serverAuth: false
          keySpec:
            algorithm: RSA_PKCS1_4096_SHA256
          deletionProtection: false
          skipGracePeriod: true
          ignoreActiveCertificatesOnDeletion: true
      defaultCertificate:
        type: gcp:certificateauthority:Certificate
        name: default
        properties:
          location: us-central1
          pool: ${default.name}
          certificateAuthority: ${defaultAuthority.certificateAuthorityId}
          name: my-certificate
          lifetime: 860s
          pemCsr:
            fn::invoke:
              Function: std:file
              Arguments:
                input: test-fixtures/rsa_csr.pem
              Return: result
          certificateTemplate: ${defaultCertificateTemplate.id}
    

    Privateca Certificate Csr

    import * as pulumi from "@pulumi/pulumi";
    import * as gcp from "@pulumi/gcp";
    import * as std from "@pulumi/std";
    
    const _default = new gcp.certificateauthority.CaPool("default", {
        location: "us-central1",
        name: "my-pool",
        tier: "ENTERPRISE",
    });
    const defaultAuthority = new gcp.certificateauthority.Authority("default", {
        location: "us-central1",
        pool: _default.name,
        certificateAuthorityId: "my-authority",
        config: {
            subjectConfig: {
                subject: {
                    organization: "HashiCorp",
                    commonName: "my-certificate-authority",
                },
                subjectAltName: {
                    dnsNames: ["hashicorp.com"],
                },
            },
            x509Config: {
                caOptions: {
                    isCa: true,
                },
                keyUsage: {
                    baseKeyUsage: {
                        certSign: true,
                        crlSign: true,
                    },
                    extendedKeyUsage: {
                        serverAuth: false,
                    },
                },
            },
        },
        keySpec: {
            algorithm: "RSA_PKCS1_4096_SHA256",
        },
        deletionProtection: false,
        skipGracePeriod: true,
        ignoreActiveCertificatesOnDeletion: true,
    });
    const defaultCertificate = new gcp.certificateauthority.Certificate("default", {
        location: "us-central1",
        pool: _default.name,
        certificateAuthority: defaultAuthority.certificateAuthorityId,
        name: "my-certificate",
        lifetime: "860s",
        pemCsr: std.file({
            input: "test-fixtures/rsa_csr.pem",
        }).then(invoke => invoke.result),
    });
    
    import pulumi
    import pulumi_gcp as gcp
    import pulumi_std as std
    
    default = gcp.certificateauthority.CaPool("default",
        location="us-central1",
        name="my-pool",
        tier="ENTERPRISE")
    default_authority = gcp.certificateauthority.Authority("default",
        location="us-central1",
        pool=default.name,
        certificate_authority_id="my-authority",
        config={
            "subject_config": {
                "subject": {
                    "organization": "HashiCorp",
                    "common_name": "my-certificate-authority",
                },
                "subject_alt_name": {
                    "dns_names": ["hashicorp.com"],
                },
            },
            "x509_config": {
                "ca_options": {
                    "is_ca": True,
                },
                "key_usage": {
                    "base_key_usage": {
                        "cert_sign": True,
                        "crl_sign": True,
                    },
                    "extended_key_usage": {
                        "server_auth": False,
                    },
                },
            },
        },
        key_spec={
            "algorithm": "RSA_PKCS1_4096_SHA256",
        },
        deletion_protection=False,
        skip_grace_period=True,
        ignore_active_certificates_on_deletion=True)
    default_certificate = gcp.certificateauthority.Certificate("default",
        location="us-central1",
        pool=default.name,
        certificate_authority=default_authority.certificate_authority_id,
        name="my-certificate",
        lifetime="860s",
        pem_csr=std.file(input="test-fixtures/rsa_csr.pem").result)
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/certificateauthority"
    	"github.com/pulumi/pulumi-std/sdk/go/std"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		_, err := certificateauthority.NewCaPool(ctx, "default", &certificateauthority.CaPoolArgs{
    			Location: pulumi.String("us-central1"),
    			Name:     pulumi.String("my-pool"),
    			Tier:     pulumi.String("ENTERPRISE"),
    		})
    		if err != nil {
    			return err
    		}
    		defaultAuthority, err := certificateauthority.NewAuthority(ctx, "default", &certificateauthority.AuthorityArgs{
    			Location:               pulumi.String("us-central1"),
    			Pool:                   _default.Name,
    			CertificateAuthorityId: pulumi.String("my-authority"),
    			Config: &certificateauthority.AuthorityConfigArgs{
    				SubjectConfig: &certificateauthority.AuthorityConfigSubjectConfigArgs{
    					Subject: &certificateauthority.AuthorityConfigSubjectConfigSubjectArgs{
    						Organization: pulumi.String("HashiCorp"),
    						CommonName:   pulumi.String("my-certificate-authority"),
    					},
    					SubjectAltName: &certificateauthority.AuthorityConfigSubjectConfigSubjectAltNameArgs{
    						DnsNames: pulumi.StringArray{
    							pulumi.String("hashicorp.com"),
    						},
    					},
    				},
    				X509Config: &certificateauthority.AuthorityConfigX509ConfigArgs{
    					CaOptions: &certificateauthority.AuthorityConfigX509ConfigCaOptionsArgs{
    						IsCa: pulumi.Bool(true),
    					},
    					KeyUsage: &certificateauthority.AuthorityConfigX509ConfigKeyUsageArgs{
    						BaseKeyUsage: &certificateauthority.AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs{
    							CertSign: pulumi.Bool(true),
    							CrlSign:  pulumi.Bool(true),
    						},
    						ExtendedKeyUsage: &certificateauthority.AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs{
    							ServerAuth: pulumi.Bool(false),
    						},
    					},
    				},
    			},
    			KeySpec: &certificateauthority.AuthorityKeySpecArgs{
    				Algorithm: pulumi.String("RSA_PKCS1_4096_SHA256"),
    			},
    			DeletionProtection:                 pulumi.Bool(false),
    			SkipGracePeriod:                    pulumi.Bool(true),
    			IgnoreActiveCertificatesOnDeletion: pulumi.Bool(true),
    		})
    		if err != nil {
    			return err
    		}
    		invokeFile, err := std.File(ctx, &std.FileArgs{
    			Input: "test-fixtures/rsa_csr.pem",
    		}, nil)
    		if err != nil {
    			return err
    		}
    		_, err = certificateauthority.NewCertificate(ctx, "default", &certificateauthority.CertificateArgs{
    			Location:             pulumi.String("us-central1"),
    			Pool:                 _default.Name,
    			CertificateAuthority: defaultAuthority.CertificateAuthorityId,
    			Name:                 pulumi.String("my-certificate"),
    			Lifetime:             pulumi.String("860s"),
    			PemCsr:               pulumi.String(invokeFile.Result),
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Gcp = Pulumi.Gcp;
    using Std = Pulumi.Std;
    
    return await Deployment.RunAsync(() => 
    {
        var @default = new Gcp.CertificateAuthority.CaPool("default", new()
        {
            Location = "us-central1",
            Name = "my-pool",
            Tier = "ENTERPRISE",
        });
    
        var defaultAuthority = new Gcp.CertificateAuthority.Authority("default", new()
        {
            Location = "us-central1",
            Pool = @default.Name,
            CertificateAuthorityId = "my-authority",
            Config = new Gcp.CertificateAuthority.Inputs.AuthorityConfigArgs
            {
                SubjectConfig = new Gcp.CertificateAuthority.Inputs.AuthorityConfigSubjectConfigArgs
                {
                    Subject = new Gcp.CertificateAuthority.Inputs.AuthorityConfigSubjectConfigSubjectArgs
                    {
                        Organization = "HashiCorp",
                        CommonName = "my-certificate-authority",
                    },
                    SubjectAltName = new Gcp.CertificateAuthority.Inputs.AuthorityConfigSubjectConfigSubjectAltNameArgs
                    {
                        DnsNames = new[]
                        {
                            "hashicorp.com",
                        },
                    },
                },
                X509Config = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigArgs
                {
                    CaOptions = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigCaOptionsArgs
                    {
                        IsCa = true,
                    },
                    KeyUsage = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigKeyUsageArgs
                    {
                        BaseKeyUsage = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs
                        {
                            CertSign = true,
                            CrlSign = true,
                        },
                        ExtendedKeyUsage = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs
                        {
                            ServerAuth = false,
                        },
                    },
                },
            },
            KeySpec = new Gcp.CertificateAuthority.Inputs.AuthorityKeySpecArgs
            {
                Algorithm = "RSA_PKCS1_4096_SHA256",
            },
            DeletionProtection = false,
            SkipGracePeriod = true,
            IgnoreActiveCertificatesOnDeletion = true,
        });
    
        var defaultCertificate = new Gcp.CertificateAuthority.Certificate("default", new()
        {
            Location = "us-central1",
            Pool = @default.Name,
            CertificateAuthority = defaultAuthority.CertificateAuthorityId,
            Name = "my-certificate",
            Lifetime = "860s",
            PemCsr = Std.File.Invoke(new()
            {
                Input = "test-fixtures/rsa_csr.pem",
            }).Apply(invoke => invoke.Result),
        });
    
    });
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.gcp.certificateauthority.CaPool;
    import com.pulumi.gcp.certificateauthority.CaPoolArgs;
    import com.pulumi.gcp.certificateauthority.Authority;
    import com.pulumi.gcp.certificateauthority.AuthorityArgs;
    import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigArgs;
    import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigSubjectConfigArgs;
    import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigSubjectConfigSubjectArgs;
    import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigSubjectConfigSubjectAltNameArgs;
    import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigArgs;
    import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigCaOptionsArgs;
    import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigKeyUsageArgs;
    import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs;
    import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs;
    import com.pulumi.gcp.certificateauthority.inputs.AuthorityKeySpecArgs;
    import com.pulumi.gcp.certificateauthority.Certificate;
    import com.pulumi.gcp.certificateauthority.CertificateArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            var default_ = new CaPool("default", CaPoolArgs.builder()
                .location("us-central1")
                .name("my-pool")
                .tier("ENTERPRISE")
                .build());
    
            var defaultAuthority = new Authority("defaultAuthority", AuthorityArgs.builder()
                .location("us-central1")
                .pool(default_.name())
                .certificateAuthorityId("my-authority")
                .config(AuthorityConfigArgs.builder()
                    .subjectConfig(AuthorityConfigSubjectConfigArgs.builder()
                        .subject(AuthorityConfigSubjectConfigSubjectArgs.builder()
                            .organization("HashiCorp")
                            .commonName("my-certificate-authority")
                            .build())
                        .subjectAltName(AuthorityConfigSubjectConfigSubjectAltNameArgs.builder()
                            .dnsNames("hashicorp.com")
                            .build())
                        .build())
                    .x509Config(AuthorityConfigX509ConfigArgs.builder()
                        .caOptions(AuthorityConfigX509ConfigCaOptionsArgs.builder()
                            .isCa(true)
                            .build())
                        .keyUsage(AuthorityConfigX509ConfigKeyUsageArgs.builder()
                            .baseKeyUsage(AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs.builder()
                                .certSign(true)
                                .crlSign(true)
                                .build())
                            .extendedKeyUsage(AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs.builder()
                                .serverAuth(false)
                                .build())
                            .build())
                        .build())
                    .build())
                .keySpec(AuthorityKeySpecArgs.builder()
                    .algorithm("RSA_PKCS1_4096_SHA256")
                    .build())
                .deletionProtection(false)
                .skipGracePeriod(true)
                .ignoreActiveCertificatesOnDeletion(true)
                .build());
    
            var defaultCertificate = new Certificate("defaultCertificate", CertificateArgs.builder()
                .location("us-central1")
                .pool(default_.name())
                .certificateAuthority(defaultAuthority.certificateAuthorityId())
                .name("my-certificate")
                .lifetime("860s")
                .pemCsr(StdFunctions.file(FileArgs.builder()
                    .input("test-fixtures/rsa_csr.pem")
                    .build()).result())
                .build());
    
        }
    }
    
    resources:
      default:
        type: gcp:certificateauthority:CaPool
        properties:
          location: us-central1
          name: my-pool
          tier: ENTERPRISE
      defaultAuthority:
        type: gcp:certificateauthority:Authority
        name: default
        properties:
          location: us-central1
          pool: ${default.name}
          certificateAuthorityId: my-authority
          config:
            subjectConfig:
              subject:
                organization: HashiCorp
                commonName: my-certificate-authority
              subjectAltName:
                dnsNames:
                  - hashicorp.com
            x509Config:
              caOptions:
                isCa: true
              keyUsage:
                baseKeyUsage:
                  certSign: true
                  crlSign: true
                extendedKeyUsage:
                  serverAuth: false
          keySpec:
            algorithm: RSA_PKCS1_4096_SHA256
          deletionProtection: false
          skipGracePeriod: true
          ignoreActiveCertificatesOnDeletion: true
      defaultCertificate:
        type: gcp:certificateauthority:Certificate
        name: default
        properties:
          location: us-central1
          pool: ${default.name}
          certificateAuthority: ${defaultAuthority.certificateAuthorityId}
          name: my-certificate
          lifetime: 860s
          pemCsr:
            fn::invoke:
              Function: std:file
              Arguments:
                input: test-fixtures/rsa_csr.pem
              Return: result
    

    Privateca Certificate No Authority

    import * as pulumi from "@pulumi/pulumi";
    import * as gcp from "@pulumi/gcp";
    import * as std from "@pulumi/std";
    
    const _default = new gcp.certificateauthority.CaPool("default", {
        location: "us-central1",
        name: "my-pool",
        tier: "ENTERPRISE",
    });
    const defaultAuthority = new gcp.certificateauthority.Authority("default", {
        location: "us-central1",
        pool: _default.name,
        certificateAuthorityId: "my-authority",
        config: {
            subjectConfig: {
                subject: {
                    organization: "HashiCorp",
                    commonName: "my-certificate-authority",
                },
                subjectAltName: {
                    dnsNames: ["hashicorp.com"],
                },
            },
            x509Config: {
                caOptions: {
                    isCa: true,
                },
                keyUsage: {
                    baseKeyUsage: {
                        digitalSignature: true,
                        certSign: true,
                        crlSign: true,
                    },
                    extendedKeyUsage: {
                        serverAuth: true,
                    },
                },
            },
        },
        lifetime: "86400s",
        keySpec: {
            algorithm: "RSA_PKCS1_4096_SHA256",
        },
        deletionProtection: false,
        skipGracePeriod: true,
        ignoreActiveCertificatesOnDeletion: true,
    });
    const defaultCertificate = new gcp.certificateauthority.Certificate("default", {
        location: "us-central1",
        pool: _default.name,
        name: "my-certificate",
        lifetime: "860s",
        config: {
            subjectConfig: {
                subject: {
                    commonName: "san1.example.com",
                    countryCode: "us",
                    organization: "google",
                    organizationalUnit: "enterprise",
                    locality: "mountain view",
                    province: "california",
                    streetAddress: "1600 amphitheatre parkway",
                    postalCode: "94109",
                },
            },
            x509Config: {
                caOptions: {
                    isCa: false,
                },
                keyUsage: {
                    baseKeyUsage: {
                        crlSign: true,
                    },
                    extendedKeyUsage: {
                        serverAuth: true,
                    },
                },
            },
            publicKey: {
                format: "PEM",
                key: std.filebase64({
                    input: "test-fixtures/rsa_public.pem",
                }).then(invoke => invoke.result),
            },
        },
    }, {
        dependsOn: [defaultAuthority],
    });
    
    import pulumi
    import pulumi_gcp as gcp
    import pulumi_std as std
    
    default = gcp.certificateauthority.CaPool("default",
        location="us-central1",
        name="my-pool",
        tier="ENTERPRISE")
    default_authority = gcp.certificateauthority.Authority("default",
        location="us-central1",
        pool=default.name,
        certificate_authority_id="my-authority",
        config={
            "subject_config": {
                "subject": {
                    "organization": "HashiCorp",
                    "common_name": "my-certificate-authority",
                },
                "subject_alt_name": {
                    "dns_names": ["hashicorp.com"],
                },
            },
            "x509_config": {
                "ca_options": {
                    "is_ca": True,
                },
                "key_usage": {
                    "base_key_usage": {
                        "digital_signature": True,
                        "cert_sign": True,
                        "crl_sign": True,
                    },
                    "extended_key_usage": {
                        "server_auth": True,
                    },
                },
            },
        },
        lifetime="86400s",
        key_spec={
            "algorithm": "RSA_PKCS1_4096_SHA256",
        },
        deletion_protection=False,
        skip_grace_period=True,
        ignore_active_certificates_on_deletion=True)
    default_certificate = gcp.certificateauthority.Certificate("default",
        location="us-central1",
        pool=default.name,
        name="my-certificate",
        lifetime="860s",
        config={
            "subject_config": {
                "subject": {
                    "common_name": "san1.example.com",
                    "country_code": "us",
                    "organization": "google",
                    "organizational_unit": "enterprise",
                    "locality": "mountain view",
                    "province": "california",
                    "street_address": "1600 amphitheatre parkway",
                    "postal_code": "94109",
                },
            },
            "x509_config": {
                "ca_options": {
                    "is_ca": False,
                },
                "key_usage": {
                    "base_key_usage": {
                        "crl_sign": True,
                    },
                    "extended_key_usage": {
                        "server_auth": True,
                    },
                },
            },
            "public_key": {
                "format": "PEM",
                "key": std.filebase64(input="test-fixtures/rsa_public.pem").result,
            },
        },
        opts = pulumi.ResourceOptions(depends_on=[default_authority]))
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/certificateauthority"
    	"github.com/pulumi/pulumi-std/sdk/go/std"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		_, err := certificateauthority.NewCaPool(ctx, "default", &certificateauthority.CaPoolArgs{
    			Location: pulumi.String("us-central1"),
    			Name:     pulumi.String("my-pool"),
    			Tier:     pulumi.String("ENTERPRISE"),
    		})
    		if err != nil {
    			return err
    		}
    		defaultAuthority, err := certificateauthority.NewAuthority(ctx, "default", &certificateauthority.AuthorityArgs{
    			Location:               pulumi.String("us-central1"),
    			Pool:                   _default.Name,
    			CertificateAuthorityId: pulumi.String("my-authority"),
    			Config: &certificateauthority.AuthorityConfigArgs{
    				SubjectConfig: &certificateauthority.AuthorityConfigSubjectConfigArgs{
    					Subject: &certificateauthority.AuthorityConfigSubjectConfigSubjectArgs{
    						Organization: pulumi.String("HashiCorp"),
    						CommonName:   pulumi.String("my-certificate-authority"),
    					},
    					SubjectAltName: &certificateauthority.AuthorityConfigSubjectConfigSubjectAltNameArgs{
    						DnsNames: pulumi.StringArray{
    							pulumi.String("hashicorp.com"),
    						},
    					},
    				},
    				X509Config: &certificateauthority.AuthorityConfigX509ConfigArgs{
    					CaOptions: &certificateauthority.AuthorityConfigX509ConfigCaOptionsArgs{
    						IsCa: pulumi.Bool(true),
    					},
    					KeyUsage: &certificateauthority.AuthorityConfigX509ConfigKeyUsageArgs{
    						BaseKeyUsage: &certificateauthority.AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs{
    							DigitalSignature: pulumi.Bool(true),
    							CertSign:         pulumi.Bool(true),
    							CrlSign:          pulumi.Bool(true),
    						},
    						ExtendedKeyUsage: &certificateauthority.AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs{
    							ServerAuth: pulumi.Bool(true),
    						},
    					},
    				},
    			},
    			Lifetime: pulumi.String("86400s"),
    			KeySpec: &certificateauthority.AuthorityKeySpecArgs{
    				Algorithm: pulumi.String("RSA_PKCS1_4096_SHA256"),
    			},
    			DeletionProtection:                 pulumi.Bool(false),
    			SkipGracePeriod:                    pulumi.Bool(true),
    			IgnoreActiveCertificatesOnDeletion: pulumi.Bool(true),
    		})
    		if err != nil {
    			return err
    		}
    		invokeFilebase64, err := std.Filebase64(ctx, &std.Filebase64Args{
    			Input: "test-fixtures/rsa_public.pem",
    		}, nil)
    		if err != nil {
    			return err
    		}
    		_, err = certificateauthority.NewCertificate(ctx, "default", &certificateauthority.CertificateArgs{
    			Location: pulumi.String("us-central1"),
    			Pool:     _default.Name,
    			Name:     pulumi.String("my-certificate"),
    			Lifetime: pulumi.String("860s"),
    			Config: &certificateauthority.CertificateConfigArgs{
    				SubjectConfig: &certificateauthority.CertificateConfigSubjectConfigArgs{
    					Subject: &certificateauthority.CertificateConfigSubjectConfigSubjectArgs{
    						CommonName:         pulumi.String("san1.example.com"),
    						CountryCode:        pulumi.String("us"),
    						Organization:       pulumi.String("google"),
    						OrganizationalUnit: pulumi.String("enterprise"),
    						Locality:           pulumi.String("mountain view"),
    						Province:           pulumi.String("california"),
    						StreetAddress:      pulumi.String("1600 amphitheatre parkway"),
    						PostalCode:         pulumi.String("94109"),
    					},
    				},
    				X509Config: &certificateauthority.CertificateConfigX509ConfigArgs{
    					CaOptions: &certificateauthority.CertificateConfigX509ConfigCaOptionsArgs{
    						IsCa: pulumi.Bool(false),
    					},
    					KeyUsage: &certificateauthority.CertificateConfigX509ConfigKeyUsageArgs{
    						BaseKeyUsage: &certificateauthority.CertificateConfigX509ConfigKeyUsageBaseKeyUsageArgs{
    							CrlSign: pulumi.Bool(true),
    						},
    						ExtendedKeyUsage: &certificateauthority.CertificateConfigX509ConfigKeyUsageExtendedKeyUsageArgs{
    							ServerAuth: pulumi.Bool(true),
    						},
    					},
    				},
    				PublicKey: &certificateauthority.CertificateConfigPublicKeyArgs{
    					Format: pulumi.String("PEM"),
    					Key:    pulumi.String(invokeFilebase64.Result),
    				},
    			},
    		}, pulumi.DependsOn([]pulumi.Resource{
    			defaultAuthority,
    		}))
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Gcp = Pulumi.Gcp;
    using Std = Pulumi.Std;
    
    return await Deployment.RunAsync(() => 
    {
        var @default = new Gcp.CertificateAuthority.CaPool("default", new()
        {
            Location = "us-central1",
            Name = "my-pool",
            Tier = "ENTERPRISE",
        });
    
        var defaultAuthority = new Gcp.CertificateAuthority.Authority("default", new()
        {
            Location = "us-central1",
            Pool = @default.Name,
            CertificateAuthorityId = "my-authority",
            Config = new Gcp.CertificateAuthority.Inputs.AuthorityConfigArgs
            {
                SubjectConfig = new Gcp.CertificateAuthority.Inputs.AuthorityConfigSubjectConfigArgs
                {
                    Subject = new Gcp.CertificateAuthority.Inputs.AuthorityConfigSubjectConfigSubjectArgs
                    {
                        Organization = "HashiCorp",
                        CommonName = "my-certificate-authority",
                    },
                    SubjectAltName = new Gcp.CertificateAuthority.Inputs.AuthorityConfigSubjectConfigSubjectAltNameArgs
                    {
                        DnsNames = new[]
                        {
                            "hashicorp.com",
                        },
                    },
                },
                X509Config = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigArgs
                {
                    CaOptions = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigCaOptionsArgs
                    {
                        IsCa = true,
                    },
                    KeyUsage = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigKeyUsageArgs
                    {
                        BaseKeyUsage = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs
                        {
                            DigitalSignature = true,
                            CertSign = true,
                            CrlSign = true,
                        },
                        ExtendedKeyUsage = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs
                        {
                            ServerAuth = true,
                        },
                    },
                },
            },
            Lifetime = "86400s",
            KeySpec = new Gcp.CertificateAuthority.Inputs.AuthorityKeySpecArgs
            {
                Algorithm = "RSA_PKCS1_4096_SHA256",
            },
            DeletionProtection = false,
            SkipGracePeriod = true,
            IgnoreActiveCertificatesOnDeletion = true,
        });
    
        var defaultCertificate = new Gcp.CertificateAuthority.Certificate("default", new()
        {
            Location = "us-central1",
            Pool = @default.Name,
            Name = "my-certificate",
            Lifetime = "860s",
            Config = new Gcp.CertificateAuthority.Inputs.CertificateConfigArgs
            {
                SubjectConfig = new Gcp.CertificateAuthority.Inputs.CertificateConfigSubjectConfigArgs
                {
                    Subject = new Gcp.CertificateAuthority.Inputs.CertificateConfigSubjectConfigSubjectArgs
                    {
                        CommonName = "san1.example.com",
                        CountryCode = "us",
                        Organization = "google",
                        OrganizationalUnit = "enterprise",
                        Locality = "mountain view",
                        Province = "california",
                        StreetAddress = "1600 amphitheatre parkway",
                        PostalCode = "94109",
                    },
                },
                X509Config = new Gcp.CertificateAuthority.Inputs.CertificateConfigX509ConfigArgs
                {
                    CaOptions = new Gcp.CertificateAuthority.Inputs.CertificateConfigX509ConfigCaOptionsArgs
                    {
                        IsCa = false,
                    },
                    KeyUsage = new Gcp.CertificateAuthority.Inputs.CertificateConfigX509ConfigKeyUsageArgs
                    {
                        BaseKeyUsage = new Gcp.CertificateAuthority.Inputs.CertificateConfigX509ConfigKeyUsageBaseKeyUsageArgs
                        {
                            CrlSign = true,
                        },
                        ExtendedKeyUsage = new Gcp.CertificateAuthority.Inputs.CertificateConfigX509ConfigKeyUsageExtendedKeyUsageArgs
                        {
                            ServerAuth = true,
                        },
                    },
                },
                PublicKey = new Gcp.CertificateAuthority.Inputs.CertificateConfigPublicKeyArgs
                {
                    Format = "PEM",
                    Key = Std.Filebase64.Invoke(new()
                    {
                        Input = "test-fixtures/rsa_public.pem",
                    }).Apply(invoke => invoke.Result),
                },
            },
        }, new CustomResourceOptions
        {
            DependsOn =
            {
                defaultAuthority,
            },
        });
    
    });
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.gcp.certificateauthority.CaPool;
    import com.pulumi.gcp.certificateauthority.CaPoolArgs;
    import com.pulumi.gcp.certificateauthority.Authority;
    import com.pulumi.gcp.certificateauthority.AuthorityArgs;
    import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigArgs;
    import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigSubjectConfigArgs;
    import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigSubjectConfigSubjectArgs;
    import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigSubjectConfigSubjectAltNameArgs;
    import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigArgs;
    import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigCaOptionsArgs;
    import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigKeyUsageArgs;
    import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs;
    import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs;
    import com.pulumi.gcp.certificateauthority.inputs.AuthorityKeySpecArgs;
    import com.pulumi.gcp.certificateauthority.Certificate;
    import com.pulumi.gcp.certificateauthority.CertificateArgs;
    import com.pulumi.gcp.certificateauthority.inputs.CertificateConfigArgs;
    import com.pulumi.gcp.certificateauthority.inputs.CertificateConfigSubjectConfigArgs;
    import com.pulumi.gcp.certificateauthority.inputs.CertificateConfigSubjectConfigSubjectArgs;
    import com.pulumi.gcp.certificateauthority.inputs.CertificateConfigX509ConfigArgs;
    import com.pulumi.gcp.certificateauthority.inputs.CertificateConfigX509ConfigCaOptionsArgs;
    import com.pulumi.gcp.certificateauthority.inputs.CertificateConfigX509ConfigKeyUsageArgs;
    import com.pulumi.gcp.certificateauthority.inputs.CertificateConfigX509ConfigKeyUsageBaseKeyUsageArgs;
    import com.pulumi.gcp.certificateauthority.inputs.CertificateConfigX509ConfigKeyUsageExtendedKeyUsageArgs;
    import com.pulumi.gcp.certificateauthority.inputs.CertificateConfigPublicKeyArgs;
    import com.pulumi.resources.CustomResourceOptions;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            var default_ = new CaPool("default", CaPoolArgs.builder()
                .location("us-central1")
                .name("my-pool")
                .tier("ENTERPRISE")
                .build());
    
            var defaultAuthority = new Authority("defaultAuthority", AuthorityArgs.builder()
                .location("us-central1")
                .pool(default_.name())
                .certificateAuthorityId("my-authority")
                .config(AuthorityConfigArgs.builder()
                    .subjectConfig(AuthorityConfigSubjectConfigArgs.builder()
                        .subject(AuthorityConfigSubjectConfigSubjectArgs.builder()
                            .organization("HashiCorp")
                            .commonName("my-certificate-authority")
                            .build())
                        .subjectAltName(AuthorityConfigSubjectConfigSubjectAltNameArgs.builder()
                            .dnsNames("hashicorp.com")
                            .build())
                        .build())
                    .x509Config(AuthorityConfigX509ConfigArgs.builder()
                        .caOptions(AuthorityConfigX509ConfigCaOptionsArgs.builder()
                            .isCa(true)
                            .build())
                        .keyUsage(AuthorityConfigX509ConfigKeyUsageArgs.builder()
                            .baseKeyUsage(AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs.builder()
                                .digitalSignature(true)
                                .certSign(true)
                                .crlSign(true)
                                .build())
                            .extendedKeyUsage(AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs.builder()
                                .serverAuth(true)
                                .build())
                            .build())
                        .build())
                    .build())
                .lifetime("86400s")
                .keySpec(AuthorityKeySpecArgs.builder()
                    .algorithm("RSA_PKCS1_4096_SHA256")
                    .build())
                .deletionProtection(false)
                .skipGracePeriod(true)
                .ignoreActiveCertificatesOnDeletion(true)
                .build());
    
            var defaultCertificate = new Certificate("defaultCertificate", CertificateArgs.builder()
                .location("us-central1")
                .pool(default_.name())
                .name("my-certificate")
                .lifetime("860s")
                .config(CertificateConfigArgs.builder()
                    .subjectConfig(CertificateConfigSubjectConfigArgs.builder()
                        .subject(CertificateConfigSubjectConfigSubjectArgs.builder()
                            .commonName("san1.example.com")
                            .countryCode("us")
                            .organization("google")
                            .organizationalUnit("enterprise")
                            .locality("mountain view")
                            .province("california")
                            .streetAddress("1600 amphitheatre parkway")
                            .postalCode("94109")
                            .build())
                        .build())
                    .x509Config(CertificateConfigX509ConfigArgs.builder()
                        .caOptions(CertificateConfigX509ConfigCaOptionsArgs.builder()
                            .isCa(false)
                            .build())
                        .keyUsage(CertificateConfigX509ConfigKeyUsageArgs.builder()
                            .baseKeyUsage(CertificateConfigX509ConfigKeyUsageBaseKeyUsageArgs.builder()
                                .crlSign(true)
                                .build())
                            .extendedKeyUsage(CertificateConfigX509ConfigKeyUsageExtendedKeyUsageArgs.builder()
                                .serverAuth(true)
                                .build())
                            .build())
                        .build())
                    .publicKey(CertificateConfigPublicKeyArgs.builder()
                        .format("PEM")
                        .key(StdFunctions.filebase64(Filebase64Args.builder()
                            .input("test-fixtures/rsa_public.pem")
                            .build()).result())
                        .build())
                    .build())
                .build(), CustomResourceOptions.builder()
                    .dependsOn(defaultAuthority)
                    .build());
    
        }
    }
    
    resources:
      default:
        type: gcp:certificateauthority:CaPool
        properties:
          location: us-central1
          name: my-pool
          tier: ENTERPRISE
      defaultAuthority:
        type: gcp:certificateauthority:Authority
        name: default
        properties:
          location: us-central1
          pool: ${default.name}
          certificateAuthorityId: my-authority
          config:
            subjectConfig:
              subject:
                organization: HashiCorp
                commonName: my-certificate-authority
              subjectAltName:
                dnsNames:
                  - hashicorp.com
            x509Config:
              caOptions:
                isCa: true
              keyUsage:
                baseKeyUsage:
                  digitalSignature: true
                  certSign: true
                  crlSign: true
                extendedKeyUsage:
                  serverAuth: true
          lifetime: 86400s
          keySpec:
            algorithm: RSA_PKCS1_4096_SHA256
          deletionProtection: false
          skipGracePeriod: true
          ignoreActiveCertificatesOnDeletion: true
      defaultCertificate:
        type: gcp:certificateauthority:Certificate
        name: default
        properties:
          location: us-central1
          pool: ${default.name}
          name: my-certificate
          lifetime: 860s
          config:
            subjectConfig:
              subject:
                commonName: san1.example.com
                countryCode: us
                organization: google
                organizationalUnit: enterprise
                locality: mountain view
                province: california
                streetAddress: 1600 amphitheatre parkway
                postalCode: '94109'
            x509Config:
              caOptions:
                isCa: false
              keyUsage:
                baseKeyUsage:
                  crlSign: true
                extendedKeyUsage:
                  serverAuth: true
            publicKey:
              format: PEM
              key:
                fn::invoke:
                  Function: std:filebase64
                  Arguments:
                    input: test-fixtures/rsa_public.pem
                  Return: result
        options:
          dependson:
            - ${defaultAuthority}
    

    Privateca Certificate Custom Ski

    import * as pulumi from "@pulumi/pulumi";
    import * as gcp from "@pulumi/gcp";
    import * as std from "@pulumi/std";
    
    const _default = new gcp.certificateauthority.CaPool("default", {
        location: "us-central1",
        name: "my-pool",
        tier: "ENTERPRISE",
    });
    const defaultAuthority = new gcp.certificateauthority.Authority("default", {
        location: "us-central1",
        pool: _default.name,
        certificateAuthorityId: "my-authority",
        config: {
            subjectConfig: {
                subject: {
                    organization: "HashiCorp",
                    commonName: "my-certificate-authority",
                },
                subjectAltName: {
                    dnsNames: ["hashicorp.com"],
                },
            },
            x509Config: {
                caOptions: {
                    isCa: true,
                },
                keyUsage: {
                    baseKeyUsage: {
                        digitalSignature: true,
                        certSign: true,
                        crlSign: true,
                    },
                    extendedKeyUsage: {
                        serverAuth: true,
                    },
                },
            },
        },
        lifetime: "86400s",
        keySpec: {
            algorithm: "RSA_PKCS1_4096_SHA256",
        },
        deletionProtection: false,
        skipGracePeriod: true,
        ignoreActiveCertificatesOnDeletion: true,
    });
    const defaultCertificate = new gcp.certificateauthority.Certificate("default", {
        location: "us-central1",
        pool: _default.name,
        name: "my-certificate",
        lifetime: "860s",
        config: {
            subjectConfig: {
                subject: {
                    commonName: "san1.example.com",
                    countryCode: "us",
                    organization: "google",
                    organizationalUnit: "enterprise",
                    locality: "mountain view",
                    province: "california",
                    streetAddress: "1600 amphitheatre parkway",
                    postalCode: "94109",
                },
            },
            subjectKeyId: {
                keyId: "4cf3372289b1d411b999dbb9ebcd44744b6b2fca",
            },
            x509Config: {
                caOptions: {
                    isCa: false,
                },
                keyUsage: {
                    baseKeyUsage: {
                        crlSign: true,
                    },
                    extendedKeyUsage: {
                        serverAuth: true,
                    },
                },
            },
            publicKey: {
                format: "PEM",
                key: std.filebase64({
                    input: "test-fixtures/rsa_public.pem",
                }).then(invoke => invoke.result),
            },
        },
    }, {
        dependsOn: [defaultAuthority],
    });
    
    import pulumi
    import pulumi_gcp as gcp
    import pulumi_std as std
    
    default = gcp.certificateauthority.CaPool("default",
        location="us-central1",
        name="my-pool",
        tier="ENTERPRISE")
    default_authority = gcp.certificateauthority.Authority("default",
        location="us-central1",
        pool=default.name,
        certificate_authority_id="my-authority",
        config={
            "subject_config": {
                "subject": {
                    "organization": "HashiCorp",
                    "common_name": "my-certificate-authority",
                },
                "subject_alt_name": {
                    "dns_names": ["hashicorp.com"],
                },
            },
            "x509_config": {
                "ca_options": {
                    "is_ca": True,
                },
                "key_usage": {
                    "base_key_usage": {
                        "digital_signature": True,
                        "cert_sign": True,
                        "crl_sign": True,
                    },
                    "extended_key_usage": {
                        "server_auth": True,
                    },
                },
            },
        },
        lifetime="86400s",
        key_spec={
            "algorithm": "RSA_PKCS1_4096_SHA256",
        },
        deletion_protection=False,
        skip_grace_period=True,
        ignore_active_certificates_on_deletion=True)
    default_certificate = gcp.certificateauthority.Certificate("default",
        location="us-central1",
        pool=default.name,
        name="my-certificate",
        lifetime="860s",
        config={
            "subject_config": {
                "subject": {
                    "common_name": "san1.example.com",
                    "country_code": "us",
                    "organization": "google",
                    "organizational_unit": "enterprise",
                    "locality": "mountain view",
                    "province": "california",
                    "street_address": "1600 amphitheatre parkway",
                    "postal_code": "94109",
                },
            },
            "subject_key_id": {
                "key_id": "4cf3372289b1d411b999dbb9ebcd44744b6b2fca",
            },
            "x509_config": {
                "ca_options": {
                    "is_ca": False,
                },
                "key_usage": {
                    "base_key_usage": {
                        "crl_sign": True,
                    },
                    "extended_key_usage": {
                        "server_auth": True,
                    },
                },
            },
            "public_key": {
                "format": "PEM",
                "key": std.filebase64(input="test-fixtures/rsa_public.pem").result,
            },
        },
        opts = pulumi.ResourceOptions(depends_on=[default_authority]))
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/certificateauthority"
    	"github.com/pulumi/pulumi-std/sdk/go/std"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		_, err := certificateauthority.NewCaPool(ctx, "default", &certificateauthority.CaPoolArgs{
    			Location: pulumi.String("us-central1"),
    			Name:     pulumi.String("my-pool"),
    			Tier:     pulumi.String("ENTERPRISE"),
    		})
    		if err != nil {
    			return err
    		}
    		defaultAuthority, err := certificateauthority.NewAuthority(ctx, "default", &certificateauthority.AuthorityArgs{
    			Location:               pulumi.String("us-central1"),
    			Pool:                   _default.Name,
    			CertificateAuthorityId: pulumi.String("my-authority"),
    			Config: &certificateauthority.AuthorityConfigArgs{
    				SubjectConfig: &certificateauthority.AuthorityConfigSubjectConfigArgs{
    					Subject: &certificateauthority.AuthorityConfigSubjectConfigSubjectArgs{
    						Organization: pulumi.String("HashiCorp"),
    						CommonName:   pulumi.String("my-certificate-authority"),
    					},
    					SubjectAltName: &certificateauthority.AuthorityConfigSubjectConfigSubjectAltNameArgs{
    						DnsNames: pulumi.StringArray{
    							pulumi.String("hashicorp.com"),
    						},
    					},
    				},
    				X509Config: &certificateauthority.AuthorityConfigX509ConfigArgs{
    					CaOptions: &certificateauthority.AuthorityConfigX509ConfigCaOptionsArgs{
    						IsCa: pulumi.Bool(true),
    					},
    					KeyUsage: &certificateauthority.AuthorityConfigX509ConfigKeyUsageArgs{
    						BaseKeyUsage: &certificateauthority.AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs{
    							DigitalSignature: pulumi.Bool(true),
    							CertSign:         pulumi.Bool(true),
    							CrlSign:          pulumi.Bool(true),
    						},
    						ExtendedKeyUsage: &certificateauthority.AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs{
    							ServerAuth: pulumi.Bool(true),
    						},
    					},
    				},
    			},
    			Lifetime: pulumi.String("86400s"),
    			KeySpec: &certificateauthority.AuthorityKeySpecArgs{
    				Algorithm: pulumi.String("RSA_PKCS1_4096_SHA256"),
    			},
    			DeletionProtection:                 pulumi.Bool(false),
    			SkipGracePeriod:                    pulumi.Bool(true),
    			IgnoreActiveCertificatesOnDeletion: pulumi.Bool(true),
    		})
    		if err != nil {
    			return err
    		}
    		invokeFilebase64, err := std.Filebase64(ctx, &std.Filebase64Args{
    			Input: "test-fixtures/rsa_public.pem",
    		}, nil)
    		if err != nil {
    			return err
    		}
    		_, err = certificateauthority.NewCertificate(ctx, "default", &certificateauthority.CertificateArgs{
    			Location: pulumi.String("us-central1"),
    			Pool:     _default.Name,
    			Name:     pulumi.String("my-certificate"),
    			Lifetime: pulumi.String("860s"),
    			Config: &certificateauthority.CertificateConfigArgs{
    				SubjectConfig: &certificateauthority.CertificateConfigSubjectConfigArgs{
    					Subject: &certificateauthority.CertificateConfigSubjectConfigSubjectArgs{
    						CommonName:         pulumi.String("san1.example.com"),
    						CountryCode:        pulumi.String("us"),
    						Organization:       pulumi.String("google"),
    						OrganizationalUnit: pulumi.String("enterprise"),
    						Locality:           pulumi.String("mountain view"),
    						Province:           pulumi.String("california"),
    						StreetAddress:      pulumi.String("1600 amphitheatre parkway"),
    						PostalCode:         pulumi.String("94109"),
    					},
    				},
    				SubjectKeyId: &certificateauthority.CertificateConfigSubjectKeyIdArgs{
    					KeyId: pulumi.String("4cf3372289b1d411b999dbb9ebcd44744b6b2fca"),
    				},
    				X509Config: &certificateauthority.CertificateConfigX509ConfigArgs{
    					CaOptions: &certificateauthority.CertificateConfigX509ConfigCaOptionsArgs{
    						IsCa: pulumi.Bool(false),
    					},
    					KeyUsage: &certificateauthority.CertificateConfigX509ConfigKeyUsageArgs{
    						BaseKeyUsage: &certificateauthority.CertificateConfigX509ConfigKeyUsageBaseKeyUsageArgs{
    							CrlSign: pulumi.Bool(true),
    						},
    						ExtendedKeyUsage: &certificateauthority.CertificateConfigX509ConfigKeyUsageExtendedKeyUsageArgs{
    							ServerAuth: pulumi.Bool(true),
    						},
    					},
    				},
    				PublicKey: &certificateauthority.CertificateConfigPublicKeyArgs{
    					Format: pulumi.String("PEM"),
    					Key:    pulumi.String(invokeFilebase64.Result),
    				},
    			},
    		}, pulumi.DependsOn([]pulumi.Resource{
    			defaultAuthority,
    		}))
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Gcp = Pulumi.Gcp;
    using Std = Pulumi.Std;
    
    return await Deployment.RunAsync(() => 
    {
        var @default = new Gcp.CertificateAuthority.CaPool("default", new()
        {
            Location = "us-central1",
            Name = "my-pool",
            Tier = "ENTERPRISE",
        });
    
        var defaultAuthority = new Gcp.CertificateAuthority.Authority("default", new()
        {
            Location = "us-central1",
            Pool = @default.Name,
            CertificateAuthorityId = "my-authority",
            Config = new Gcp.CertificateAuthority.Inputs.AuthorityConfigArgs
            {
                SubjectConfig = new Gcp.CertificateAuthority.Inputs.AuthorityConfigSubjectConfigArgs
                {
                    Subject = new Gcp.CertificateAuthority.Inputs.AuthorityConfigSubjectConfigSubjectArgs
                    {
                        Organization = "HashiCorp",
                        CommonName = "my-certificate-authority",
                    },
                    SubjectAltName = new Gcp.CertificateAuthority.Inputs.AuthorityConfigSubjectConfigSubjectAltNameArgs
                    {
                        DnsNames = new[]
                        {
                            "hashicorp.com",
                        },
                    },
                },
                X509Config = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigArgs
                {
                    CaOptions = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigCaOptionsArgs
                    {
                        IsCa = true,
                    },
                    KeyUsage = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigKeyUsageArgs
                    {
                        BaseKeyUsage = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs
                        {
                            DigitalSignature = true,
                            CertSign = true,
                            CrlSign = true,
                        },
                        ExtendedKeyUsage = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs
                        {
                            ServerAuth = true,
                        },
                    },
                },
            },
            Lifetime = "86400s",
            KeySpec = new Gcp.CertificateAuthority.Inputs.AuthorityKeySpecArgs
            {
                Algorithm = "RSA_PKCS1_4096_SHA256",
            },
            DeletionProtection = false,
            SkipGracePeriod = true,
            IgnoreActiveCertificatesOnDeletion = true,
        });
    
        var defaultCertificate = new Gcp.CertificateAuthority.Certificate("default", new()
        {
            Location = "us-central1",
            Pool = @default.Name,
            Name = "my-certificate",
            Lifetime = "860s",
            Config = new Gcp.CertificateAuthority.Inputs.CertificateConfigArgs
            {
                SubjectConfig = new Gcp.CertificateAuthority.Inputs.CertificateConfigSubjectConfigArgs
                {
                    Subject = new Gcp.CertificateAuthority.Inputs.CertificateConfigSubjectConfigSubjectArgs
                    {
                        CommonName = "san1.example.com",
                        CountryCode = "us",
                        Organization = "google",
                        OrganizationalUnit = "enterprise",
                        Locality = "mountain view",
                        Province = "california",
                        StreetAddress = "1600 amphitheatre parkway",
                        PostalCode = "94109",
                    },
                },
                SubjectKeyId = new Gcp.CertificateAuthority.Inputs.CertificateConfigSubjectKeyIdArgs
                {
                    KeyId = "4cf3372289b1d411b999dbb9ebcd44744b6b2fca",
                },
                X509Config = new Gcp.CertificateAuthority.Inputs.CertificateConfigX509ConfigArgs
                {
                    CaOptions = new Gcp.CertificateAuthority.Inputs.CertificateConfigX509ConfigCaOptionsArgs
                    {
                        IsCa = false,
                    },
                    KeyUsage = new Gcp.CertificateAuthority.Inputs.CertificateConfigX509ConfigKeyUsageArgs
                    {
                        BaseKeyUsage = new Gcp.CertificateAuthority.Inputs.CertificateConfigX509ConfigKeyUsageBaseKeyUsageArgs
                        {
                            CrlSign = true,
                        },
                        ExtendedKeyUsage = new Gcp.CertificateAuthority.Inputs.CertificateConfigX509ConfigKeyUsageExtendedKeyUsageArgs
                        {
                            ServerAuth = true,
                        },
                    },
                },
                PublicKey = new Gcp.CertificateAuthority.Inputs.CertificateConfigPublicKeyArgs
                {
                    Format = "PEM",
                    Key = Std.Filebase64.Invoke(new()
                    {
                        Input = "test-fixtures/rsa_public.pem",
                    }).Apply(invoke => invoke.Result),
                },
            },
        }, new CustomResourceOptions
        {
            DependsOn =
            {
                defaultAuthority,
            },
        });
    
    });
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.gcp.certificateauthority.CaPool;
    import com.pulumi.gcp.certificateauthority.CaPoolArgs;
    import com.pulumi.gcp.certificateauthority.Authority;
    import com.pulumi.gcp.certificateauthority.AuthorityArgs;
    import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigArgs;
    import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigSubjectConfigArgs;
    import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigSubjectConfigSubjectArgs;
    import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigSubjectConfigSubjectAltNameArgs;
    import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigArgs;
    import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigCaOptionsArgs;
    import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigKeyUsageArgs;
    import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs;
    import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs;
    import com.pulumi.gcp.certificateauthority.inputs.AuthorityKeySpecArgs;
    import com.pulumi.gcp.certificateauthority.Certificate;
    import com.pulumi.gcp.certificateauthority.CertificateArgs;
    import com.pulumi.gcp.certificateauthority.inputs.CertificateConfigArgs;
    import com.pulumi.gcp.certificateauthority.inputs.CertificateConfigSubjectConfigArgs;
    import com.pulumi.gcp.certificateauthority.inputs.CertificateConfigSubjectConfigSubjectArgs;
    import com.pulumi.gcp.certificateauthority.inputs.CertificateConfigSubjectKeyIdArgs;
    import com.pulumi.gcp.certificateauthority.inputs.CertificateConfigX509ConfigArgs;
    import com.pulumi.gcp.certificateauthority.inputs.CertificateConfigX509ConfigCaOptionsArgs;
    import com.pulumi.gcp.certificateauthority.inputs.CertificateConfigX509ConfigKeyUsageArgs;
    import com.pulumi.gcp.certificateauthority.inputs.CertificateConfigX509ConfigKeyUsageBaseKeyUsageArgs;
    import com.pulumi.gcp.certificateauthority.inputs.CertificateConfigX509ConfigKeyUsageExtendedKeyUsageArgs;
    import com.pulumi.gcp.certificateauthority.inputs.CertificateConfigPublicKeyArgs;
    import com.pulumi.resources.CustomResourceOptions;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            var default_ = new CaPool("default", CaPoolArgs.builder()
                .location("us-central1")
                .name("my-pool")
                .tier("ENTERPRISE")
                .build());
    
            var defaultAuthority = new Authority("defaultAuthority", AuthorityArgs.builder()
                .location("us-central1")
                .pool(default_.name())
                .certificateAuthorityId("my-authority")
                .config(AuthorityConfigArgs.builder()
                    .subjectConfig(AuthorityConfigSubjectConfigArgs.builder()
                        .subject(AuthorityConfigSubjectConfigSubjectArgs.builder()
                            .organization("HashiCorp")
                            .commonName("my-certificate-authority")
                            .build())
                        .subjectAltName(AuthorityConfigSubjectConfigSubjectAltNameArgs.builder()
                            .dnsNames("hashicorp.com")
                            .build())
                        .build())
                    .x509Config(AuthorityConfigX509ConfigArgs.builder()
                        .caOptions(AuthorityConfigX509ConfigCaOptionsArgs.builder()
                            .isCa(true)
                            .build())
                        .keyUsage(AuthorityConfigX509ConfigKeyUsageArgs.builder()
                            .baseKeyUsage(AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs.builder()
                                .digitalSignature(true)
                                .certSign(true)
                                .crlSign(true)
                                .build())
                            .extendedKeyUsage(AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs.builder()
                                .serverAuth(true)
                                .build())
                            .build())
                        .build())
                    .build())
                .lifetime("86400s")
                .keySpec(AuthorityKeySpecArgs.builder()
                    .algorithm("RSA_PKCS1_4096_SHA256")
                    .build())
                .deletionProtection(false)
                .skipGracePeriod(true)
                .ignoreActiveCertificatesOnDeletion(true)
                .build());
    
            var defaultCertificate = new Certificate("defaultCertificate", CertificateArgs.builder()
                .location("us-central1")
                .pool(default_.name())
                .name("my-certificate")
                .lifetime("860s")
                .config(CertificateConfigArgs.builder()
                    .subjectConfig(CertificateConfigSubjectConfigArgs.builder()
                        .subject(CertificateConfigSubjectConfigSubjectArgs.builder()
                            .commonName("san1.example.com")
                            .countryCode("us")
                            .organization("google")
                            .organizationalUnit("enterprise")
                            .locality("mountain view")
                            .province("california")
                            .streetAddress("1600 amphitheatre parkway")
                            .postalCode("94109")
                            .build())
                        .build())
                    .subjectKeyId(CertificateConfigSubjectKeyIdArgs.builder()
                        .keyId("4cf3372289b1d411b999dbb9ebcd44744b6b2fca")
                        .build())
                    .x509Config(CertificateConfigX509ConfigArgs.builder()
                        .caOptions(CertificateConfigX509ConfigCaOptionsArgs.builder()
                            .isCa(false)
                            .build())
                        .keyUsage(CertificateConfigX509ConfigKeyUsageArgs.builder()
                            .baseKeyUsage(CertificateConfigX509ConfigKeyUsageBaseKeyUsageArgs.builder()
                                .crlSign(true)
                                .build())
                            .extendedKeyUsage(CertificateConfigX509ConfigKeyUsageExtendedKeyUsageArgs.builder()
                                .serverAuth(true)
                                .build())
                            .build())
                        .build())
                    .publicKey(CertificateConfigPublicKeyArgs.builder()
                        .format("PEM")
                        .key(StdFunctions.filebase64(Filebase64Args.builder()
                            .input("test-fixtures/rsa_public.pem")
                            .build()).result())
                        .build())
                    .build())
                .build(), CustomResourceOptions.builder()
                    .dependsOn(defaultAuthority)
                    .build());
    
        }
    }
    
    resources:
      default:
        type: gcp:certificateauthority:CaPool
        properties:
          location: us-central1
          name: my-pool
          tier: ENTERPRISE
      defaultAuthority:
        type: gcp:certificateauthority:Authority
        name: default
        properties:
          location: us-central1
          pool: ${default.name}
          certificateAuthorityId: my-authority
          config:
            subjectConfig:
              subject:
                organization: HashiCorp
                commonName: my-certificate-authority
              subjectAltName:
                dnsNames:
                  - hashicorp.com
            x509Config:
              caOptions:
                isCa: true
              keyUsage:
                baseKeyUsage:
                  digitalSignature: true
                  certSign: true
                  crlSign: true
                extendedKeyUsage:
                  serverAuth: true
          lifetime: 86400s
          keySpec:
            algorithm: RSA_PKCS1_4096_SHA256
          deletionProtection: false
          skipGracePeriod: true
          ignoreActiveCertificatesOnDeletion: true
      defaultCertificate:
        type: gcp:certificateauthority:Certificate
        name: default
        properties:
          location: us-central1
          pool: ${default.name}
          name: my-certificate
          lifetime: 860s
          config:
            subjectConfig:
              subject:
                commonName: san1.example.com
                countryCode: us
                organization: google
                organizationalUnit: enterprise
                locality: mountain view
                province: california
                streetAddress: 1600 amphitheatre parkway
                postalCode: '94109'
            subjectKeyId:
              keyId: 4cf3372289b1d411b999dbb9ebcd44744b6b2fca
            x509Config:
              caOptions:
                isCa: false
              keyUsage:
                baseKeyUsage:
                  crlSign: true
                extendedKeyUsage:
                  serverAuth: true
            publicKey:
              format: PEM
              key:
                fn::invoke:
                  Function: std:filebase64
                  Arguments:
                    input: test-fixtures/rsa_public.pem
                  Return: result
        options:
          dependson:
            - ${defaultAuthority}
    

    Create Certificate Resource

    Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

    Constructor syntax

    new Certificate(name: string, args: CertificateArgs, opts?: CustomResourceOptions);
    @overload
    def Certificate(resource_name: str,
                    args: CertificateArgs,
                    opts: Optional[ResourceOptions] = None)
    
    @overload
    def Certificate(resource_name: str,
                    opts: Optional[ResourceOptions] = None,
                    location: Optional[str] = None,
                    pool: Optional[str] = None,
                    certificate_authority: Optional[str] = None,
                    certificate_template: Optional[str] = None,
                    config: Optional[CertificateConfigArgs] = None,
                    labels: Optional[Mapping[str, str]] = None,
                    lifetime: Optional[str] = None,
                    name: Optional[str] = None,
                    pem_csr: Optional[str] = None,
                    project: Optional[str] = None)
    func NewCertificate(ctx *Context, name string, args CertificateArgs, opts ...ResourceOption) (*Certificate, error)
    public Certificate(string name, CertificateArgs args, CustomResourceOptions? opts = null)
    public Certificate(String name, CertificateArgs args)
    public Certificate(String name, CertificateArgs args, CustomResourceOptions options)
    
    type: gcp:certificateauthority:Certificate
    properties: # The arguments to resource properties.
    options: # Bag of options to control resource's behavior.
    
    

    Parameters

    name string
    The unique name of the resource.
    args CertificateArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    resource_name str
    The unique name of the resource.
    args CertificateArgs
    The arguments to resource properties.
    opts ResourceOptions
    Bag of options to control resource's behavior.
    ctx Context
    Context object for the current deployment.
    name string
    The unique name of the resource.
    args CertificateArgs
    The arguments to resource properties.
    opts ResourceOption
    Bag of options to control resource's behavior.
    name string
    The unique name of the resource.
    args CertificateArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    name String
    The unique name of the resource.
    args CertificateArgs
    The arguments to resource properties.
    options CustomResourceOptions
    Bag of options to control resource's behavior.

    Constructor example

    The following reference example uses placeholder values for all input properties.

    var certificateResource = new Gcp.CertificateAuthority.Certificate("certificateResource", new()
    {
        Location = "string",
        Pool = "string",
        CertificateAuthority = "string",
        CertificateTemplate = "string",
        Config = new Gcp.CertificateAuthority.Inputs.CertificateConfigArgs
        {
            PublicKey = new Gcp.CertificateAuthority.Inputs.CertificateConfigPublicKeyArgs
            {
                Format = "string",
                Key = "string",
            },
            SubjectConfig = new Gcp.CertificateAuthority.Inputs.CertificateConfigSubjectConfigArgs
            {
                Subject = new Gcp.CertificateAuthority.Inputs.CertificateConfigSubjectConfigSubjectArgs
                {
                    CommonName = "string",
                    Organization = "string",
                    CountryCode = "string",
                    Locality = "string",
                    OrganizationalUnit = "string",
                    PostalCode = "string",
                    Province = "string",
                    StreetAddress = "string",
                },
                SubjectAltName = new Gcp.CertificateAuthority.Inputs.CertificateConfigSubjectConfigSubjectAltNameArgs
                {
                    DnsNames = new[]
                    {
                        "string",
                    },
                    EmailAddresses = new[]
                    {
                        "string",
                    },
                    IpAddresses = new[]
                    {
                        "string",
                    },
                    Uris = new[]
                    {
                        "string",
                    },
                },
            },
            X509Config = new Gcp.CertificateAuthority.Inputs.CertificateConfigX509ConfigArgs
            {
                KeyUsage = new Gcp.CertificateAuthority.Inputs.CertificateConfigX509ConfigKeyUsageArgs
                {
                    BaseKeyUsage = new Gcp.CertificateAuthority.Inputs.CertificateConfigX509ConfigKeyUsageBaseKeyUsageArgs
                    {
                        CertSign = false,
                        ContentCommitment = false,
                        CrlSign = false,
                        DataEncipherment = false,
                        DecipherOnly = false,
                        DigitalSignature = false,
                        EncipherOnly = false,
                        KeyAgreement = false,
                        KeyEncipherment = false,
                    },
                    ExtendedKeyUsage = new Gcp.CertificateAuthority.Inputs.CertificateConfigX509ConfigKeyUsageExtendedKeyUsageArgs
                    {
                        ClientAuth = false,
                        CodeSigning = false,
                        EmailProtection = false,
                        OcspSigning = false,
                        ServerAuth = false,
                        TimeStamping = false,
                    },
                    UnknownExtendedKeyUsages = new[]
                    {
                        new Gcp.CertificateAuthority.Inputs.CertificateConfigX509ConfigKeyUsageUnknownExtendedKeyUsageArgs
                        {
                            ObjectIdPaths = new[]
                            {
                                0,
                            },
                        },
                    },
                },
                AdditionalExtensions = new[]
                {
                    new Gcp.CertificateAuthority.Inputs.CertificateConfigX509ConfigAdditionalExtensionArgs
                    {
                        Critical = false,
                        ObjectId = new Gcp.CertificateAuthority.Inputs.CertificateConfigX509ConfigAdditionalExtensionObjectIdArgs
                        {
                            ObjectIdPaths = new[]
                            {
                                0,
                            },
                        },
                        Value = "string",
                    },
                },
                AiaOcspServers = new[]
                {
                    "string",
                },
                CaOptions = new Gcp.CertificateAuthority.Inputs.CertificateConfigX509ConfigCaOptionsArgs
                {
                    IsCa = false,
                    MaxIssuerPathLength = 0,
                    NonCa = false,
                    ZeroMaxIssuerPathLength = false,
                },
                NameConstraints = new Gcp.CertificateAuthority.Inputs.CertificateConfigX509ConfigNameConstraintsArgs
                {
                    Critical = false,
                    ExcludedDnsNames = new[]
                    {
                        "string",
                    },
                    ExcludedEmailAddresses = new[]
                    {
                        "string",
                    },
                    ExcludedIpRanges = new[]
                    {
                        "string",
                    },
                    ExcludedUris = new[]
                    {
                        "string",
                    },
                    PermittedDnsNames = new[]
                    {
                        "string",
                    },
                    PermittedEmailAddresses = new[]
                    {
                        "string",
                    },
                    PermittedIpRanges = new[]
                    {
                        "string",
                    },
                    PermittedUris = new[]
                    {
                        "string",
                    },
                },
                PolicyIds = new[]
                {
                    new Gcp.CertificateAuthority.Inputs.CertificateConfigX509ConfigPolicyIdArgs
                    {
                        ObjectIdPaths = new[]
                        {
                            0,
                        },
                    },
                },
            },
            SubjectKeyId = new Gcp.CertificateAuthority.Inputs.CertificateConfigSubjectKeyIdArgs
            {
                KeyId = "string",
            },
        },
        Labels = 
        {
            { "string", "string" },
        },
        Lifetime = "string",
        Name = "string",
        PemCsr = "string",
        Project = "string",
    });
    
    example, err := certificateauthority.NewCertificate(ctx, "certificateResource", &certificateauthority.CertificateArgs{
    	Location:             pulumi.String("string"),
    	Pool:                 pulumi.String("string"),
    	CertificateAuthority: pulumi.String("string"),
    	CertificateTemplate:  pulumi.String("string"),
    	Config: &certificateauthority.CertificateConfigArgs{
    		PublicKey: &certificateauthority.CertificateConfigPublicKeyArgs{
    			Format: pulumi.String("string"),
    			Key:    pulumi.String("string"),
    		},
    		SubjectConfig: &certificateauthority.CertificateConfigSubjectConfigArgs{
    			Subject: &certificateauthority.CertificateConfigSubjectConfigSubjectArgs{
    				CommonName:         pulumi.String("string"),
    				Organization:       pulumi.String("string"),
    				CountryCode:        pulumi.String("string"),
    				Locality:           pulumi.String("string"),
    				OrganizationalUnit: pulumi.String("string"),
    				PostalCode:         pulumi.String("string"),
    				Province:           pulumi.String("string"),
    				StreetAddress:      pulumi.String("string"),
    			},
    			SubjectAltName: &certificateauthority.CertificateConfigSubjectConfigSubjectAltNameArgs{
    				DnsNames: pulumi.StringArray{
    					pulumi.String("string"),
    				},
    				EmailAddresses: pulumi.StringArray{
    					pulumi.String("string"),
    				},
    				IpAddresses: pulumi.StringArray{
    					pulumi.String("string"),
    				},
    				Uris: pulumi.StringArray{
    					pulumi.String("string"),
    				},
    			},
    		},
    		X509Config: &certificateauthority.CertificateConfigX509ConfigArgs{
    			KeyUsage: &certificateauthority.CertificateConfigX509ConfigKeyUsageArgs{
    				BaseKeyUsage: &certificateauthority.CertificateConfigX509ConfigKeyUsageBaseKeyUsageArgs{
    					CertSign:          pulumi.Bool(false),
    					ContentCommitment: pulumi.Bool(false),
    					CrlSign:           pulumi.Bool(false),
    					DataEncipherment:  pulumi.Bool(false),
    					DecipherOnly:      pulumi.Bool(false),
    					DigitalSignature:  pulumi.Bool(false),
    					EncipherOnly:      pulumi.Bool(false),
    					KeyAgreement:      pulumi.Bool(false),
    					KeyEncipherment:   pulumi.Bool(false),
    				},
    				ExtendedKeyUsage: &certificateauthority.CertificateConfigX509ConfigKeyUsageExtendedKeyUsageArgs{
    					ClientAuth:      pulumi.Bool(false),
    					CodeSigning:     pulumi.Bool(false),
    					EmailProtection: pulumi.Bool(false),
    					OcspSigning:     pulumi.Bool(false),
    					ServerAuth:      pulumi.Bool(false),
    					TimeStamping:    pulumi.Bool(false),
    				},
    				UnknownExtendedKeyUsages: certificateauthority.CertificateConfigX509ConfigKeyUsageUnknownExtendedKeyUsageArray{
    					&certificateauthority.CertificateConfigX509ConfigKeyUsageUnknownExtendedKeyUsageArgs{
    						ObjectIdPaths: pulumi.IntArray{
    							pulumi.Int(0),
    						},
    					},
    				},
    			},
    			AdditionalExtensions: certificateauthority.CertificateConfigX509ConfigAdditionalExtensionArray{
    				&certificateauthority.CertificateConfigX509ConfigAdditionalExtensionArgs{
    					Critical: pulumi.Bool(false),
    					ObjectId: &certificateauthority.CertificateConfigX509ConfigAdditionalExtensionObjectIdArgs{
    						ObjectIdPaths: pulumi.IntArray{
    							pulumi.Int(0),
    						},
    					},
    					Value: pulumi.String("string"),
    				},
    			},
    			AiaOcspServers: pulumi.StringArray{
    				pulumi.String("string"),
    			},
    			CaOptions: &certificateauthority.CertificateConfigX509ConfigCaOptionsArgs{
    				IsCa:                    pulumi.Bool(false),
    				MaxIssuerPathLength:     pulumi.Int(0),
    				NonCa:                   pulumi.Bool(false),
    				ZeroMaxIssuerPathLength: pulumi.Bool(false),
    			},
    			NameConstraints: &certificateauthority.CertificateConfigX509ConfigNameConstraintsArgs{
    				Critical: pulumi.Bool(false),
    				ExcludedDnsNames: pulumi.StringArray{
    					pulumi.String("string"),
    				},
    				ExcludedEmailAddresses: pulumi.StringArray{
    					pulumi.String("string"),
    				},
    				ExcludedIpRanges: pulumi.StringArray{
    					pulumi.String("string"),
    				},
    				ExcludedUris: pulumi.StringArray{
    					pulumi.String("string"),
    				},
    				PermittedDnsNames: pulumi.StringArray{
    					pulumi.String("string"),
    				},
    				PermittedEmailAddresses: pulumi.StringArray{
    					pulumi.String("string"),
    				},
    				PermittedIpRanges: pulumi.StringArray{
    					pulumi.String("string"),
    				},
    				PermittedUris: pulumi.StringArray{
    					pulumi.String("string"),
    				},
    			},
    			PolicyIds: certificateauthority.CertificateConfigX509ConfigPolicyIdArray{
    				&certificateauthority.CertificateConfigX509ConfigPolicyIdArgs{
    					ObjectIdPaths: pulumi.IntArray{
    						pulumi.Int(0),
    					},
    				},
    			},
    		},
    		SubjectKeyId: &certificateauthority.CertificateConfigSubjectKeyIdArgs{
    			KeyId: pulumi.String("string"),
    		},
    	},
    	Labels: pulumi.StringMap{
    		"string": pulumi.String("string"),
    	},
    	Lifetime: pulumi.String("string"),
    	Name:     pulumi.String("string"),
    	PemCsr:   pulumi.String("string"),
    	Project:  pulumi.String("string"),
    })
    
    var certificateResource = new Certificate("certificateResource", CertificateArgs.builder()
        .location("string")
        .pool("string")
        .certificateAuthority("string")
        .certificateTemplate("string")
        .config(CertificateConfigArgs.builder()
            .publicKey(CertificateConfigPublicKeyArgs.builder()
                .format("string")
                .key("string")
                .build())
            .subjectConfig(CertificateConfigSubjectConfigArgs.builder()
                .subject(CertificateConfigSubjectConfigSubjectArgs.builder()
                    .commonName("string")
                    .organization("string")
                    .countryCode("string")
                    .locality("string")
                    .organizationalUnit("string")
                    .postalCode("string")
                    .province("string")
                    .streetAddress("string")
                    .build())
                .subjectAltName(CertificateConfigSubjectConfigSubjectAltNameArgs.builder()
                    .dnsNames("string")
                    .emailAddresses("string")
                    .ipAddresses("string")
                    .uris("string")
                    .build())
                .build())
            .x509Config(CertificateConfigX509ConfigArgs.builder()
                .keyUsage(CertificateConfigX509ConfigKeyUsageArgs.builder()
                    .baseKeyUsage(CertificateConfigX509ConfigKeyUsageBaseKeyUsageArgs.builder()
                        .certSign(false)
                        .contentCommitment(false)
                        .crlSign(false)
                        .dataEncipherment(false)
                        .decipherOnly(false)
                        .digitalSignature(false)
                        .encipherOnly(false)
                        .keyAgreement(false)
                        .keyEncipherment(false)
                        .build())
                    .extendedKeyUsage(CertificateConfigX509ConfigKeyUsageExtendedKeyUsageArgs.builder()
                        .clientAuth(false)
                        .codeSigning(false)
                        .emailProtection(false)
                        .ocspSigning(false)
                        .serverAuth(false)
                        .timeStamping(false)
                        .build())
                    .unknownExtendedKeyUsages(CertificateConfigX509ConfigKeyUsageUnknownExtendedKeyUsageArgs.builder()
                        .objectIdPaths(0)
                        .build())
                    .build())
                .additionalExtensions(CertificateConfigX509ConfigAdditionalExtensionArgs.builder()
                    .critical(false)
                    .objectId(CertificateConfigX509ConfigAdditionalExtensionObjectIdArgs.builder()
                        .objectIdPaths(0)
                        .build())
                    .value("string")
                    .build())
                .aiaOcspServers("string")
                .caOptions(CertificateConfigX509ConfigCaOptionsArgs.builder()
                    .isCa(false)
                    .maxIssuerPathLength(0)
                    .nonCa(false)
                    .zeroMaxIssuerPathLength(false)
                    .build())
                .nameConstraints(CertificateConfigX509ConfigNameConstraintsArgs.builder()
                    .critical(false)
                    .excludedDnsNames("string")
                    .excludedEmailAddresses("string")
                    .excludedIpRanges("string")
                    .excludedUris("string")
                    .permittedDnsNames("string")
                    .permittedEmailAddresses("string")
                    .permittedIpRanges("string")
                    .permittedUris("string")
                    .build())
                .policyIds(CertificateConfigX509ConfigPolicyIdArgs.builder()
                    .objectIdPaths(0)
                    .build())
                .build())
            .subjectKeyId(CertificateConfigSubjectKeyIdArgs.builder()
                .keyId("string")
                .build())
            .build())
        .labels(Map.of("string", "string"))
        .lifetime("string")
        .name("string")
        .pemCsr("string")
        .project("string")
        .build());
    
    certificate_resource = gcp.certificateauthority.Certificate("certificateResource",
        location="string",
        pool="string",
        certificate_authority="string",
        certificate_template="string",
        config={
            "public_key": {
                "format": "string",
                "key": "string",
            },
            "subject_config": {
                "subject": {
                    "common_name": "string",
                    "organization": "string",
                    "country_code": "string",
                    "locality": "string",
                    "organizational_unit": "string",
                    "postal_code": "string",
                    "province": "string",
                    "street_address": "string",
                },
                "subject_alt_name": {
                    "dns_names": ["string"],
                    "email_addresses": ["string"],
                    "ip_addresses": ["string"],
                    "uris": ["string"],
                },
            },
            "x509_config": {
                "key_usage": {
                    "base_key_usage": {
                        "cert_sign": False,
                        "content_commitment": False,
                        "crl_sign": False,
                        "data_encipherment": False,
                        "decipher_only": False,
                        "digital_signature": False,
                        "encipher_only": False,
                        "key_agreement": False,
                        "key_encipherment": False,
                    },
                    "extended_key_usage": {
                        "client_auth": False,
                        "code_signing": False,
                        "email_protection": False,
                        "ocsp_signing": False,
                        "server_auth": False,
                        "time_stamping": False,
                    },
                    "unknown_extended_key_usages": [{
                        "object_id_paths": [0],
                    }],
                },
                "additional_extensions": [{
                    "critical": False,
                    "object_id": {
                        "object_id_paths": [0],
                    },
                    "value": "string",
                }],
                "aia_ocsp_servers": ["string"],
                "ca_options": {
                    "is_ca": False,
                    "max_issuer_path_length": 0,
                    "non_ca": False,
                    "zero_max_issuer_path_length": False,
                },
                "name_constraints": {
                    "critical": False,
                    "excluded_dns_names": ["string"],
                    "excluded_email_addresses": ["string"],
                    "excluded_ip_ranges": ["string"],
                    "excluded_uris": ["string"],
                    "permitted_dns_names": ["string"],
                    "permitted_email_addresses": ["string"],
                    "permitted_ip_ranges": ["string"],
                    "permitted_uris": ["string"],
                },
                "policy_ids": [{
                    "object_id_paths": [0],
                }],
            },
            "subject_key_id": {
                "key_id": "string",
            },
        },
        labels={
            "string": "string",
        },
        lifetime="string",
        name="string",
        pem_csr="string",
        project="string")
    
    const certificateResource = new gcp.certificateauthority.Certificate("certificateResource", {
        location: "string",
        pool: "string",
        certificateAuthority: "string",
        certificateTemplate: "string",
        config: {
            publicKey: {
                format: "string",
                key: "string",
            },
            subjectConfig: {
                subject: {
                    commonName: "string",
                    organization: "string",
                    countryCode: "string",
                    locality: "string",
                    organizationalUnit: "string",
                    postalCode: "string",
                    province: "string",
                    streetAddress: "string",
                },
                subjectAltName: {
                    dnsNames: ["string"],
                    emailAddresses: ["string"],
                    ipAddresses: ["string"],
                    uris: ["string"],
                },
            },
            x509Config: {
                keyUsage: {
                    baseKeyUsage: {
                        certSign: false,
                        contentCommitment: false,
                        crlSign: false,
                        dataEncipherment: false,
                        decipherOnly: false,
                        digitalSignature: false,
                        encipherOnly: false,
                        keyAgreement: false,
                        keyEncipherment: false,
                    },
                    extendedKeyUsage: {
                        clientAuth: false,
                        codeSigning: false,
                        emailProtection: false,
                        ocspSigning: false,
                        serverAuth: false,
                        timeStamping: false,
                    },
                    unknownExtendedKeyUsages: [{
                        objectIdPaths: [0],
                    }],
                },
                additionalExtensions: [{
                    critical: false,
                    objectId: {
                        objectIdPaths: [0],
                    },
                    value: "string",
                }],
                aiaOcspServers: ["string"],
                caOptions: {
                    isCa: false,
                    maxIssuerPathLength: 0,
                    nonCa: false,
                    zeroMaxIssuerPathLength: false,
                },
                nameConstraints: {
                    critical: false,
                    excludedDnsNames: ["string"],
                    excludedEmailAddresses: ["string"],
                    excludedIpRanges: ["string"],
                    excludedUris: ["string"],
                    permittedDnsNames: ["string"],
                    permittedEmailAddresses: ["string"],
                    permittedIpRanges: ["string"],
                    permittedUris: ["string"],
                },
                policyIds: [{
                    objectIdPaths: [0],
                }],
            },
            subjectKeyId: {
                keyId: "string",
            },
        },
        labels: {
            string: "string",
        },
        lifetime: "string",
        name: "string",
        pemCsr: "string",
        project: "string",
    });
    
    type: gcp:certificateauthority:Certificate
    properties:
        certificateAuthority: string
        certificateTemplate: string
        config:
            publicKey:
                format: string
                key: string
            subjectConfig:
                subject:
                    commonName: string
                    countryCode: string
                    locality: string
                    organization: string
                    organizationalUnit: string
                    postalCode: string
                    province: string
                    streetAddress: string
                subjectAltName:
                    dnsNames:
                        - string
                    emailAddresses:
                        - string
                    ipAddresses:
                        - string
                    uris:
                        - string
            subjectKeyId:
                keyId: string
            x509Config:
                additionalExtensions:
                    - critical: false
                      objectId:
                        objectIdPaths:
                            - 0
                      value: string
                aiaOcspServers:
                    - string
                caOptions:
                    isCa: false
                    maxIssuerPathLength: 0
                    nonCa: false
                    zeroMaxIssuerPathLength: false
                keyUsage:
                    baseKeyUsage:
                        certSign: false
                        contentCommitment: false
                        crlSign: false
                        dataEncipherment: false
                        decipherOnly: false
                        digitalSignature: false
                        encipherOnly: false
                        keyAgreement: false
                        keyEncipherment: false
                    extendedKeyUsage:
                        clientAuth: false
                        codeSigning: false
                        emailProtection: false
                        ocspSigning: false
                        serverAuth: false
                        timeStamping: false
                    unknownExtendedKeyUsages:
                        - objectIdPaths:
                            - 0
                nameConstraints:
                    critical: false
                    excludedDnsNames:
                        - string
                    excludedEmailAddresses:
                        - string
                    excludedIpRanges:
                        - string
                    excludedUris:
                        - string
                    permittedDnsNames:
                        - string
                    permittedEmailAddresses:
                        - string
                    permittedIpRanges:
                        - string
                    permittedUris:
                        - string
                policyIds:
                    - objectIdPaths:
                        - 0
        labels:
            string: string
        lifetime: string
        location: string
        name: string
        pemCsr: string
        pool: string
        project: string
    

    Certificate Resource Properties

    To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

    Inputs

    In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.

    The Certificate resource accepts the following input properties:

    Location string
    Location of the Certificate. A full list of valid locations can be found by running gcloud privateca locations list.


    Pool string
    The name of the CaPool this Certificate belongs to.
    CertificateAuthority string
    The Certificate Authority ID that should issue the certificate. For example, to issue a Certificate from a Certificate Authority with resource name projects/my-project/locations/us-central1/caPools/my-pool/certificateAuthorities/my-ca, argument pool should be set to projects/my-project/locations/us-central1/caPools/my-pool, argument certificate_authority should be set to my-ca.
    CertificateTemplate string
    The resource name for a CertificateTemplate used to issue this certificate, in the format projects/*/locations/*/certificateTemplates/*. If this is specified, the caller must have the necessary permission to use this template. If this is omitted, no template will be used. This template must be in the same location as the Certificate.
    Config CertificateConfig
    The config used to create a self-signed X.509 certificate or CSR. Structure is documented below.
    Labels Dictionary<string, string>

    Labels with user-defined metadata to apply to this resource.

    Note: This field is non-authoritative, and will only manage the labels present in your configuration. Please refer to the field effective_labels for all of the labels present on the resource.

    Lifetime string
    The desired lifetime of the CA certificate. Used to create the "notBeforeTime" and "notAfterTime" fields inside an X.509 certificate. A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s".
    Name string
    The name for this Certificate.
    PemCsr string
    Immutable. A pem-encoded X.509 certificate signing request (CSR).
    Project string
    The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
    Location string
    Location of the Certificate. A full list of valid locations can be found by running gcloud privateca locations list.


    Pool string
    The name of the CaPool this Certificate belongs to.
    CertificateAuthority string
    The Certificate Authority ID that should issue the certificate. For example, to issue a Certificate from a Certificate Authority with resource name projects/my-project/locations/us-central1/caPools/my-pool/certificateAuthorities/my-ca, argument pool should be set to projects/my-project/locations/us-central1/caPools/my-pool, argument certificate_authority should be set to my-ca.
    CertificateTemplate string
    The resource name for a CertificateTemplate used to issue this certificate, in the format projects/*/locations/*/certificateTemplates/*. If this is specified, the caller must have the necessary permission to use this template. If this is omitted, no template will be used. This template must be in the same location as the Certificate.
    Config CertificateConfigArgs
    The config used to create a self-signed X.509 certificate or CSR. Structure is documented below.
    Labels map[string]string

    Labels with user-defined metadata to apply to this resource.

    Note: This field is non-authoritative, and will only manage the labels present in your configuration. Please refer to the field effective_labels for all of the labels present on the resource.

    Lifetime string
    The desired lifetime of the CA certificate. Used to create the "notBeforeTime" and "notAfterTime" fields inside an X.509 certificate. A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s".
    Name string
    The name for this Certificate.
    PemCsr string
    Immutable. A pem-encoded X.509 certificate signing request (CSR).
    Project string
    The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
    location String
    Location of the Certificate. A full list of valid locations can be found by running gcloud privateca locations list.


    pool String
    The name of the CaPool this Certificate belongs to.
    certificateAuthority String
    The Certificate Authority ID that should issue the certificate. For example, to issue a Certificate from a Certificate Authority with resource name projects/my-project/locations/us-central1/caPools/my-pool/certificateAuthorities/my-ca, argument pool should be set to projects/my-project/locations/us-central1/caPools/my-pool, argument certificate_authority should be set to my-ca.
    certificateTemplate String
    The resource name for a CertificateTemplate used to issue this certificate, in the format projects/*/locations/*/certificateTemplates/*. If this is specified, the caller must have the necessary permission to use this template. If this is omitted, no template will be used. This template must be in the same location as the Certificate.
    config CertificateConfig
    The config used to create a self-signed X.509 certificate or CSR. Structure is documented below.
    labels Map<String,String>

    Labels with user-defined metadata to apply to this resource.

    Note: This field is non-authoritative, and will only manage the labels present in your configuration. Please refer to the field effective_labels for all of the labels present on the resource.

    lifetime String
    The desired lifetime of the CA certificate. Used to create the "notBeforeTime" and "notAfterTime" fields inside an X.509 certificate. A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s".
    name String
    The name for this Certificate.
    pemCsr String
    Immutable. A pem-encoded X.509 certificate signing request (CSR).
    project String
    The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
    location string
    Location of the Certificate. A full list of valid locations can be found by running gcloud privateca locations list.


    pool string
    The name of the CaPool this Certificate belongs to.
    certificateAuthority string
    The Certificate Authority ID that should issue the certificate. For example, to issue a Certificate from a Certificate Authority with resource name projects/my-project/locations/us-central1/caPools/my-pool/certificateAuthorities/my-ca, argument pool should be set to projects/my-project/locations/us-central1/caPools/my-pool, argument certificate_authority should be set to my-ca.
    certificateTemplate string
    The resource name for a CertificateTemplate used to issue this certificate, in the format projects/*/locations/*/certificateTemplates/*. If this is specified, the caller must have the necessary permission to use this template. If this is omitted, no template will be used. This template must be in the same location as the Certificate.
    config CertificateConfig
    The config used to create a self-signed X.509 certificate or CSR. Structure is documented below.
    labels {[key: string]: string}

    Labels with user-defined metadata to apply to this resource.

    Note: This field is non-authoritative, and will only manage the labels present in your configuration. Please refer to the field effective_labels for all of the labels present on the resource.

    lifetime string
    The desired lifetime of the CA certificate. Used to create the "notBeforeTime" and "notAfterTime" fields inside an X.509 certificate. A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s".
    name string
    The name for this Certificate.
    pemCsr string
    Immutable. A pem-encoded X.509 certificate signing request (CSR).
    project string
    The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
    location str
    Location of the Certificate. A full list of valid locations can be found by running gcloud privateca locations list.


    pool str
    The name of the CaPool this Certificate belongs to.
    certificate_authority str
    The Certificate Authority ID that should issue the certificate. For example, to issue a Certificate from a Certificate Authority with resource name projects/my-project/locations/us-central1/caPools/my-pool/certificateAuthorities/my-ca, argument pool should be set to projects/my-project/locations/us-central1/caPools/my-pool, argument certificate_authority should be set to my-ca.
    certificate_template str
    The resource name for a CertificateTemplate used to issue this certificate, in the format projects/*/locations/*/certificateTemplates/*. If this is specified, the caller must have the necessary permission to use this template. If this is omitted, no template will be used. This template must be in the same location as the Certificate.
    config CertificateConfigArgs
    The config used to create a self-signed X.509 certificate or CSR. Structure is documented below.
    labels Mapping[str, str]

    Labels with user-defined metadata to apply to this resource.

    Note: This field is non-authoritative, and will only manage the labels present in your configuration. Please refer to the field effective_labels for all of the labels present on the resource.

    lifetime str
    The desired lifetime of the CA certificate. Used to create the "notBeforeTime" and "notAfterTime" fields inside an X.509 certificate. A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s".
    name str
    The name for this Certificate.
    pem_csr str
    Immutable. A pem-encoded X.509 certificate signing request (CSR).
    project str
    The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
    location String
    Location of the Certificate. A full list of valid locations can be found by running gcloud privateca locations list.


    pool String
    The name of the CaPool this Certificate belongs to.
    certificateAuthority String
    The Certificate Authority ID that should issue the certificate. For example, to issue a Certificate from a Certificate Authority with resource name projects/my-project/locations/us-central1/caPools/my-pool/certificateAuthorities/my-ca, argument pool should be set to projects/my-project/locations/us-central1/caPools/my-pool, argument certificate_authority should be set to my-ca.
    certificateTemplate String
    The resource name for a CertificateTemplate used to issue this certificate, in the format projects/*/locations/*/certificateTemplates/*. If this is specified, the caller must have the necessary permission to use this template. If this is omitted, no template will be used. This template must be in the same location as the Certificate.
    config Property Map
    The config used to create a self-signed X.509 certificate or CSR. Structure is documented below.
    labels Map<String>

    Labels with user-defined metadata to apply to this resource.

    Note: This field is non-authoritative, and will only manage the labels present in your configuration. Please refer to the field effective_labels for all of the labels present on the resource.

    lifetime String
    The desired lifetime of the CA certificate. Used to create the "notBeforeTime" and "notAfterTime" fields inside an X.509 certificate. A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s".
    name String
    The name for this Certificate.
    pemCsr String
    Immutable. A pem-encoded X.509 certificate signing request (CSR).
    project String
    The ID of the project in which the resource belongs. If it is not provided, the provider project is used.

    Outputs

    All input properties are implicitly available as output properties. Additionally, the Certificate resource produces the following output properties:

    CertificateDescriptions List<CertificateCertificateDescription>
    Output only. Details regarding the revocation of this Certificate. This Certificate is considered revoked if and only if this field is present. Structure is documented below.
    CreateTime string
    The time that this resource was created on the server. This is in RFC3339 text format.
    EffectiveLabels Dictionary<string, string>
    All of labels (key/value pairs) present on the resource in GCP, including the labels configured through Pulumi, other clients and services.
    Id string
    The provider-assigned unique ID for this managed resource.
    IssuerCertificateAuthority string
    The resource name of the issuing CertificateAuthority in the format projects/*/locations/*/caPools/*/certificateAuthorities/*.
    PemCertificate string
    Output only. The pem-encoded, signed X.509 certificate.
    PemCertificateChains List<string>
    The chain that may be used to verify the X.509 certificate. Expected to be in issuer-to-root order according to RFC 5246.
    PulumiLabels Dictionary<string, string>
    The combination of labels configured directly on the resource and default labels configured on the provider.
    RevocationDetails List<CertificateRevocationDetail>
    Output only. Details regarding the revocation of this Certificate. This Certificate is considered revoked if and only if this field is present. Structure is documented below.
    UpdateTime string
    Output only. The time at which this CertificateAuthority was updated. This is in RFC3339 text format.
    CertificateDescriptions []CertificateCertificateDescription
    Output only. Details regarding the revocation of this Certificate. This Certificate is considered revoked if and only if this field is present. Structure is documented below.
    CreateTime string
    The time that this resource was created on the server. This is in RFC3339 text format.
    EffectiveLabels map[string]string
    All of labels (key/value pairs) present on the resource in GCP, including the labels configured through Pulumi, other clients and services.
    Id string
    The provider-assigned unique ID for this managed resource.
    IssuerCertificateAuthority string
    The resource name of the issuing CertificateAuthority in the format projects/*/locations/*/caPools/*/certificateAuthorities/*.
    PemCertificate string
    Output only. The pem-encoded, signed X.509 certificate.
    PemCertificateChains []string
    The chain that may be used to verify the X.509 certificate. Expected to be in issuer-to-root order according to RFC 5246.
    PulumiLabels map[string]string
    The combination of labels configured directly on the resource and default labels configured on the provider.
    RevocationDetails []CertificateRevocationDetail
    Output only. Details regarding the revocation of this Certificate. This Certificate is considered revoked if and only if this field is present. Structure is documented below.
    UpdateTime string
    Output only. The time at which this CertificateAuthority was updated. This is in RFC3339 text format.
    certificateDescriptions List<CertificateCertificateDescription>
    Output only. Details regarding the revocation of this Certificate. This Certificate is considered revoked if and only if this field is present. Structure is documented below.
    createTime String
    The time that this resource was created on the server. This is in RFC3339 text format.
    effectiveLabels Map<String,String>
    All of labels (key/value pairs) present on the resource in GCP, including the labels configured through Pulumi, other clients and services.
    id String
    The provider-assigned unique ID for this managed resource.
    issuerCertificateAuthority String
    The resource name of the issuing CertificateAuthority in the format projects/*/locations/*/caPools/*/certificateAuthorities/*.
    pemCertificate String
    Output only. The pem-encoded, signed X.509 certificate.
    pemCertificateChains List<String>
    The chain that may be used to verify the X.509 certificate. Expected to be in issuer-to-root order according to RFC 5246.
    pulumiLabels Map<String,String>
    The combination of labels configured directly on the resource and default labels configured on the provider.
    revocationDetails List<CertificateRevocationDetail>
    Output only. Details regarding the revocation of this Certificate. This Certificate is considered revoked if and only if this field is present. Structure is documented below.
    updateTime String
    Output only. The time at which this CertificateAuthority was updated. This is in RFC3339 text format.
    certificateDescriptions CertificateCertificateDescription[]
    Output only. Details regarding the revocation of this Certificate. This Certificate is considered revoked if and only if this field is present. Structure is documented below.
    createTime string
    The time that this resource was created on the server. This is in RFC3339 text format.
    effectiveLabels {[key: string]: string}
    All of labels (key/value pairs) present on the resource in GCP, including the labels configured through Pulumi, other clients and services.
    id string
    The provider-assigned unique ID for this managed resource.
    issuerCertificateAuthority string
    The resource name of the issuing CertificateAuthority in the format projects/*/locations/*/caPools/*/certificateAuthorities/*.
    pemCertificate string
    Output only. The pem-encoded, signed X.509 certificate.
    pemCertificateChains string[]
    The chain that may be used to verify the X.509 certificate. Expected to be in issuer-to-root order according to RFC 5246.
    pulumiLabels {[key: string]: string}
    The combination of labels configured directly on the resource and default labels configured on the provider.
    revocationDetails CertificateRevocationDetail[]
    Output only. Details regarding the revocation of this Certificate. This Certificate is considered revoked if and only if this field is present. Structure is documented below.
    updateTime string
    Output only. The time at which this CertificateAuthority was updated. This is in RFC3339 text format.
    certificate_descriptions Sequence[CertificateCertificateDescription]
    Output only. Details regarding the revocation of this Certificate. This Certificate is considered revoked if and only if this field is present. Structure is documented below.
    create_time str
    The time that this resource was created on the server. This is in RFC3339 text format.
    effective_labels Mapping[str, str]
    All of labels (key/value pairs) present on the resource in GCP, including the labels configured through Pulumi, other clients and services.
    id str
    The provider-assigned unique ID for this managed resource.
    issuer_certificate_authority str
    The resource name of the issuing CertificateAuthority in the format projects/*/locations/*/caPools/*/certificateAuthorities/*.
    pem_certificate str
    Output only. The pem-encoded, signed X.509 certificate.
    pem_certificate_chains Sequence[str]
    The chain that may be used to verify the X.509 certificate. Expected to be in issuer-to-root order according to RFC 5246.
    pulumi_labels Mapping[str, str]
    The combination of labels configured directly on the resource and default labels configured on the provider.
    revocation_details Sequence[CertificateRevocationDetail]
    Output only. Details regarding the revocation of this Certificate. This Certificate is considered revoked if and only if this field is present. Structure is documented below.
    update_time str
    Output only. The time at which this CertificateAuthority was updated. This is in RFC3339 text format.
    certificateDescriptions List<Property Map>
    Output only. Details regarding the revocation of this Certificate. This Certificate is considered revoked if and only if this field is present. Structure is documented below.
    createTime String
    The time that this resource was created on the server. This is in RFC3339 text format.
    effectiveLabels Map<String>
    All of labels (key/value pairs) present on the resource in GCP, including the labels configured through Pulumi, other clients and services.
    id String
    The provider-assigned unique ID for this managed resource.
    issuerCertificateAuthority String
    The resource name of the issuing CertificateAuthority in the format projects/*/locations/*/caPools/*/certificateAuthorities/*.
    pemCertificate String
    Output only. The pem-encoded, signed X.509 certificate.
    pemCertificateChains List<String>
    The chain that may be used to verify the X.509 certificate. Expected to be in issuer-to-root order according to RFC 5246.
    pulumiLabels Map<String>
    The combination of labels configured directly on the resource and default labels configured on the provider.
    revocationDetails List<Property Map>
    Output only. Details regarding the revocation of this Certificate. This Certificate is considered revoked if and only if this field is present. Structure is documented below.
    updateTime String
    Output only. The time at which this CertificateAuthority was updated. This is in RFC3339 text format.

    Look up Existing Certificate Resource

    Get an existing Certificate resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

    public static get(name: string, id: Input<ID>, state?: CertificateState, opts?: CustomResourceOptions): Certificate
    @staticmethod
    def get(resource_name: str,
            id: str,
            opts: Optional[ResourceOptions] = None,
            certificate_authority: Optional[str] = None,
            certificate_descriptions: Optional[Sequence[CertificateCertificateDescriptionArgs]] = None,
            certificate_template: Optional[str] = None,
            config: Optional[CertificateConfigArgs] = None,
            create_time: Optional[str] = None,
            effective_labels: Optional[Mapping[str, str]] = None,
            issuer_certificate_authority: Optional[str] = None,
            labels: Optional[Mapping[str, str]] = None,
            lifetime: Optional[str] = None,
            location: Optional[str] = None,
            name: Optional[str] = None,
            pem_certificate: Optional[str] = None,
            pem_certificate_chains: Optional[Sequence[str]] = None,
            pem_csr: Optional[str] = None,
            pool: Optional[str] = None,
            project: Optional[str] = None,
            pulumi_labels: Optional[Mapping[str, str]] = None,
            revocation_details: Optional[Sequence[CertificateRevocationDetailArgs]] = None,
            update_time: Optional[str] = None) -> Certificate
    func GetCertificate(ctx *Context, name string, id IDInput, state *CertificateState, opts ...ResourceOption) (*Certificate, error)
    public static Certificate Get(string name, Input<string> id, CertificateState? state, CustomResourceOptions? opts = null)
    public static Certificate get(String name, Output<String> id, CertificateState state, CustomResourceOptions options)
    Resource lookup is not supported in YAML
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    resource_name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    The following state arguments are supported:
    CertificateAuthority string
    The Certificate Authority ID that should issue the certificate. For example, to issue a Certificate from a Certificate Authority with resource name projects/my-project/locations/us-central1/caPools/my-pool/certificateAuthorities/my-ca, argument pool should be set to projects/my-project/locations/us-central1/caPools/my-pool, argument certificate_authority should be set to my-ca.
    CertificateDescriptions List<CertificateCertificateDescription>
    Output only. Details regarding the revocation of this Certificate. This Certificate is considered revoked if and only if this field is present. Structure is documented below.
    CertificateTemplate string
    The resource name for a CertificateTemplate used to issue this certificate, in the format projects/*/locations/*/certificateTemplates/*. If this is specified, the caller must have the necessary permission to use this template. If this is omitted, no template will be used. This template must be in the same location as the Certificate.
    Config CertificateConfig
    The config used to create a self-signed X.509 certificate or CSR. Structure is documented below.
    CreateTime string
    The time that this resource was created on the server. This is in RFC3339 text format.
    EffectiveLabels Dictionary<string, string>
    All of labels (key/value pairs) present on the resource in GCP, including the labels configured through Pulumi, other clients and services.
    IssuerCertificateAuthority string
    The resource name of the issuing CertificateAuthority in the format projects/*/locations/*/caPools/*/certificateAuthorities/*.
    Labels Dictionary<string, string>

    Labels with user-defined metadata to apply to this resource.

    Note: This field is non-authoritative, and will only manage the labels present in your configuration. Please refer to the field effective_labels for all of the labels present on the resource.

    Lifetime string
    The desired lifetime of the CA certificate. Used to create the "notBeforeTime" and "notAfterTime" fields inside an X.509 certificate. A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s".
    Location string
    Location of the Certificate. A full list of valid locations can be found by running gcloud privateca locations list.


    Name string
    The name for this Certificate.
    PemCertificate string
    Output only. The pem-encoded, signed X.509 certificate.
    PemCertificateChains List<string>
    The chain that may be used to verify the X.509 certificate. Expected to be in issuer-to-root order according to RFC 5246.
    PemCsr string
    Immutable. A pem-encoded X.509 certificate signing request (CSR).
    Pool string
    The name of the CaPool this Certificate belongs to.
    Project string
    The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
    PulumiLabels Dictionary<string, string>
    The combination of labels configured directly on the resource and default labels configured on the provider.
    RevocationDetails List<CertificateRevocationDetail>
    Output only. Details regarding the revocation of this Certificate. This Certificate is considered revoked if and only if this field is present. Structure is documented below.
    UpdateTime string
    Output only. The time at which this CertificateAuthority was updated. This is in RFC3339 text format.
    CertificateAuthority string
    The Certificate Authority ID that should issue the certificate. For example, to issue a Certificate from a Certificate Authority with resource name projects/my-project/locations/us-central1/caPools/my-pool/certificateAuthorities/my-ca, argument pool should be set to projects/my-project/locations/us-central1/caPools/my-pool, argument certificate_authority should be set to my-ca.
    CertificateDescriptions []CertificateCertificateDescriptionArgs
    Output only. Details regarding the revocation of this Certificate. This Certificate is considered revoked if and only if this field is present. Structure is documented below.
    CertificateTemplate string
    The resource name for a CertificateTemplate used to issue this certificate, in the format projects/*/locations/*/certificateTemplates/*. If this is specified, the caller must have the necessary permission to use this template. If this is omitted, no template will be used. This template must be in the same location as the Certificate.
    Config CertificateConfigArgs
    The config used to create a self-signed X.509 certificate or CSR. Structure is documented below.
    CreateTime string
    The time that this resource was created on the server. This is in RFC3339 text format.
    EffectiveLabels map[string]string
    All of labels (key/value pairs) present on the resource in GCP, including the labels configured through Pulumi, other clients and services.
    IssuerCertificateAuthority string
    The resource name of the issuing CertificateAuthority in the format projects/*/locations/*/caPools/*/certificateAuthorities/*.
    Labels map[string]string

    Labels with user-defined metadata to apply to this resource.

    Note: This field is non-authoritative, and will only manage the labels present in your configuration. Please refer to the field effective_labels for all of the labels present on the resource.

    Lifetime string
    The desired lifetime of the CA certificate. Used to create the "notBeforeTime" and "notAfterTime" fields inside an X.509 certificate. A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s".
    Location string
    Location of the Certificate. A full list of valid locations can be found by running gcloud privateca locations list.


    Name string
    The name for this Certificate.
    PemCertificate string
    Output only. The pem-encoded, signed X.509 certificate.
    PemCertificateChains []string
    The chain that may be used to verify the X.509 certificate. Expected to be in issuer-to-root order according to RFC 5246.
    PemCsr string
    Immutable. A pem-encoded X.509 certificate signing request (CSR).
    Pool string
    The name of the CaPool this Certificate belongs to.
    Project string
    The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
    PulumiLabels map[string]string
    The combination of labels configured directly on the resource and default labels configured on the provider.
    RevocationDetails []CertificateRevocationDetailArgs
    Output only. Details regarding the revocation of this Certificate. This Certificate is considered revoked if and only if this field is present. Structure is documented below.
    UpdateTime string
    Output only. The time at which this CertificateAuthority was updated. This is in RFC3339 text format.
    certificateAuthority String
    The Certificate Authority ID that should issue the certificate. For example, to issue a Certificate from a Certificate Authority with resource name projects/my-project/locations/us-central1/caPools/my-pool/certificateAuthorities/my-ca, argument pool should be set to projects/my-project/locations/us-central1/caPools/my-pool, argument certificate_authority should be set to my-ca.
    certificateDescriptions List<CertificateCertificateDescription>
    Output only. Details regarding the revocation of this Certificate. This Certificate is considered revoked if and only if this field is present. Structure is documented below.
    certificateTemplate String
    The resource name for a CertificateTemplate used to issue this certificate, in the format projects/*/locations/*/certificateTemplates/*. If this is specified, the caller must have the necessary permission to use this template. If this is omitted, no template will be used. This template must be in the same location as the Certificate.
    config CertificateConfig
    The config used to create a self-signed X.509 certificate or CSR. Structure is documented below.
    createTime String
    The time that this resource was created on the server. This is in RFC3339 text format.
    effectiveLabels Map<String,String>
    All of labels (key/value pairs) present on the resource in GCP, including the labels configured through Pulumi, other clients and services.
    issuerCertificateAuthority String
    The resource name of the issuing CertificateAuthority in the format projects/*/locations/*/caPools/*/certificateAuthorities/*.
    labels Map<String,String>

    Labels with user-defined metadata to apply to this resource.

    Note: This field is non-authoritative, and will only manage the labels present in your configuration. Please refer to the field effective_labels for all of the labels present on the resource.

    lifetime String
    The desired lifetime of the CA certificate. Used to create the "notBeforeTime" and "notAfterTime" fields inside an X.509 certificate. A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s".
    location String
    Location of the Certificate. A full list of valid locations can be found by running gcloud privateca locations list.


    name String
    The name for this Certificate.
    pemCertificate String
    Output only. The pem-encoded, signed X.509 certificate.
    pemCertificateChains List<String>
    The chain that may be used to verify the X.509 certificate. Expected to be in issuer-to-root order according to RFC 5246.
    pemCsr String
    Immutable. A pem-encoded X.509 certificate signing request (CSR).
    pool String
    The name of the CaPool this Certificate belongs to.
    project String
    The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
    pulumiLabels Map<String,String>
    The combination of labels configured directly on the resource and default labels configured on the provider.
    revocationDetails List<CertificateRevocationDetail>
    Output only. Details regarding the revocation of this Certificate. This Certificate is considered revoked if and only if this field is present. Structure is documented below.
    updateTime String
    Output only. The time at which this CertificateAuthority was updated. This is in RFC3339 text format.
    certificateAuthority string
    The Certificate Authority ID that should issue the certificate. For example, to issue a Certificate from a Certificate Authority with resource name projects/my-project/locations/us-central1/caPools/my-pool/certificateAuthorities/my-ca, argument pool should be set to projects/my-project/locations/us-central1/caPools/my-pool, argument certificate_authority should be set to my-ca.
    certificateDescriptions CertificateCertificateDescription[]
    Output only. Details regarding the revocation of this Certificate. This Certificate is considered revoked if and only if this field is present. Structure is documented below.
    certificateTemplate string
    The resource name for a CertificateTemplate used to issue this certificate, in the format projects/*/locations/*/certificateTemplates/*. If this is specified, the caller must have the necessary permission to use this template. If this is omitted, no template will be used. This template must be in the same location as the Certificate.
    config CertificateConfig
    The config used to create a self-signed X.509 certificate or CSR. Structure is documented below.
    createTime string
    The time that this resource was created on the server. This is in RFC3339 text format.
    effectiveLabels {[key: string]: string}
    All of labels (key/value pairs) present on the resource in GCP, including the labels configured through Pulumi, other clients and services.
    issuerCertificateAuthority string
    The resource name of the issuing CertificateAuthority in the format projects/*/locations/*/caPools/*/certificateAuthorities/*.
    labels {[key: string]: string}

    Labels with user-defined metadata to apply to this resource.

    Note: This field is non-authoritative, and will only manage the labels present in your configuration. Please refer to the field effective_labels for all of the labels present on the resource.

    lifetime string
    The desired lifetime of the CA certificate. Used to create the "notBeforeTime" and "notAfterTime" fields inside an X.509 certificate. A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s".
    location string
    Location of the Certificate. A full list of valid locations can be found by running gcloud privateca locations list.


    name string
    The name for this Certificate.
    pemCertificate string
    Output only. The pem-encoded, signed X.509 certificate.
    pemCertificateChains string[]
    The chain that may be used to verify the X.509 certificate. Expected to be in issuer-to-root order according to RFC 5246.
    pemCsr string
    Immutable. A pem-encoded X.509 certificate signing request (CSR).
    pool string
    The name of the CaPool this Certificate belongs to.
    project string
    The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
    pulumiLabels {[key: string]: string}
    The combination of labels configured directly on the resource and default labels configured on the provider.
    revocationDetails CertificateRevocationDetail[]
    Output only. Details regarding the revocation of this Certificate. This Certificate is considered revoked if and only if this field is present. Structure is documented below.
    updateTime string
    Output only. The time at which this CertificateAuthority was updated. This is in RFC3339 text format.
    certificate_authority str
    The Certificate Authority ID that should issue the certificate. For example, to issue a Certificate from a Certificate Authority with resource name projects/my-project/locations/us-central1/caPools/my-pool/certificateAuthorities/my-ca, argument pool should be set to projects/my-project/locations/us-central1/caPools/my-pool, argument certificate_authority should be set to my-ca.
    certificate_descriptions Sequence[CertificateCertificateDescriptionArgs]
    Output only. Details regarding the revocation of this Certificate. This Certificate is considered revoked if and only if this field is present. Structure is documented below.
    certificate_template str
    The resource name for a CertificateTemplate used to issue this certificate, in the format projects/*/locations/*/certificateTemplates/*. If this is specified, the caller must have the necessary permission to use this template. If this is omitted, no template will be used. This template must be in the same location as the Certificate.
    config CertificateConfigArgs
    The config used to create a self-signed X.509 certificate or CSR. Structure is documented below.
    create_time str
    The time that this resource was created on the server. This is in RFC3339 text format.
    effective_labels Mapping[str, str]
    All of labels (key/value pairs) present on the resource in GCP, including the labels configured through Pulumi, other clients and services.
    issuer_certificate_authority str
    The resource name of the issuing CertificateAuthority in the format projects/*/locations/*/caPools/*/certificateAuthorities/*.
    labels Mapping[str, str]

    Labels with user-defined metadata to apply to this resource.

    Note: This field is non-authoritative, and will only manage the labels present in your configuration. Please refer to the field effective_labels for all of the labels present on the resource.

    lifetime str
    The desired lifetime of the CA certificate. Used to create the "notBeforeTime" and "notAfterTime" fields inside an X.509 certificate. A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s".
    location str
    Location of the Certificate. A full list of valid locations can be found by running gcloud privateca locations list.


    name str
    The name for this Certificate.
    pem_certificate str
    Output only. The pem-encoded, signed X.509 certificate.
    pem_certificate_chains Sequence[str]
    The chain that may be used to verify the X.509 certificate. Expected to be in issuer-to-root order according to RFC 5246.
    pem_csr str
    Immutable. A pem-encoded X.509 certificate signing request (CSR).
    pool str
    The name of the CaPool this Certificate belongs to.
    project str
    The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
    pulumi_labels Mapping[str, str]
    The combination of labels configured directly on the resource and default labels configured on the provider.
    revocation_details Sequence[CertificateRevocationDetailArgs]
    Output only. Details regarding the revocation of this Certificate. This Certificate is considered revoked if and only if this field is present. Structure is documented below.
    update_time str
    Output only. The time at which this CertificateAuthority was updated. This is in RFC3339 text format.
    certificateAuthority String
    The Certificate Authority ID that should issue the certificate. For example, to issue a Certificate from a Certificate Authority with resource name projects/my-project/locations/us-central1/caPools/my-pool/certificateAuthorities/my-ca, argument pool should be set to projects/my-project/locations/us-central1/caPools/my-pool, argument certificate_authority should be set to my-ca.
    certificateDescriptions List<Property Map>
    Output only. Details regarding the revocation of this Certificate. This Certificate is considered revoked if and only if this field is present. Structure is documented below.
    certificateTemplate String
    The resource name for a CertificateTemplate used to issue this certificate, in the format projects/*/locations/*/certificateTemplates/*. If this is specified, the caller must have the necessary permission to use this template. If this is omitted, no template will be used. This template must be in the same location as the Certificate.
    config Property Map
    The config used to create a self-signed X.509 certificate or CSR. Structure is documented below.
    createTime String
    The time that this resource was created on the server. This is in RFC3339 text format.
    effectiveLabels Map<String>
    All of labels (key/value pairs) present on the resource in GCP, including the labels configured through Pulumi, other clients and services.
    issuerCertificateAuthority String
    The resource name of the issuing CertificateAuthority in the format projects/*/locations/*/caPools/*/certificateAuthorities/*.
    labels Map<String>

    Labels with user-defined metadata to apply to this resource.

    Note: This field is non-authoritative, and will only manage the labels present in your configuration. Please refer to the field effective_labels for all of the labels present on the resource.

    lifetime String
    The desired lifetime of the CA certificate. Used to create the "notBeforeTime" and "notAfterTime" fields inside an X.509 certificate. A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s".
    location String
    Location of the Certificate. A full list of valid locations can be found by running gcloud privateca locations list.


    name String
    The name for this Certificate.
    pemCertificate String
    Output only. The pem-encoded, signed X.509 certificate.
    pemCertificateChains List<String>
    The chain that may be used to verify the X.509 certificate. Expected to be in issuer-to-root order according to RFC 5246.
    pemCsr String
    Immutable. A pem-encoded X.509 certificate signing request (CSR).
    pool String
    The name of the CaPool this Certificate belongs to.
    project String
    The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
    pulumiLabels Map<String>
    The combination of labels configured directly on the resource and default labels configured on the provider.
    revocationDetails List<Property Map>
    Output only. Details regarding the revocation of this Certificate. This Certificate is considered revoked if and only if this field is present. Structure is documented below.
    updateTime String
    Output only. The time at which this CertificateAuthority was updated. This is in RFC3339 text format.

    Supporting Types

    CertificateCertificateDescription, CertificateCertificateDescriptionArgs

    AiaIssuingCertificateUrls List<string>
    (Output) Describes lists of issuer CA certificate URLs that appear in the "Authority Information Access" extension in the certificate.
    AuthorityKeyIds List<CertificateCertificateDescriptionAuthorityKeyId>
    (Output) Identifies the subjectKeyId of the parent certificate, per https://tools.ietf.org/html/rfc5280#section-4.2.1.1 Structure is documented below.
    CertFingerprints List<CertificateCertificateDescriptionCertFingerprint>
    (Output) The hash of the x.509 certificate. Structure is documented below.
    CrlDistributionPoints List<string>
    (Output) Describes a list of locations to obtain CRL information, i.e. the DistributionPoint.fullName described by https://tools.ietf.org/html/rfc5280#section-4.2.1.13
    PublicKeys List<CertificateCertificateDescriptionPublicKey>
    (Output) A PublicKey describes a public key. Structure is documented below.
    SubjectDescriptions List<CertificateCertificateDescriptionSubjectDescription>
    (Output) Describes some of the values in a certificate that are related to the subject and lifetime. Structure is documented below.
    SubjectKeyIds List<CertificateCertificateDescriptionSubjectKeyId>
    (Output) Provides a means of identifiying certificates that contain a particular public key, per https://tools.ietf.org/html/rfc5280#section-4.2.1.2. Structure is documented below.
    X509Descriptions List<CertificateCertificateDescriptionX509Description>
    (Output) A structured description of the issued X.509 certificate. Structure is documented below.
    AiaIssuingCertificateUrls []string
    (Output) Describes lists of issuer CA certificate URLs that appear in the "Authority Information Access" extension in the certificate.
    AuthorityKeyIds []CertificateCertificateDescriptionAuthorityKeyId
    (Output) Identifies the subjectKeyId of the parent certificate, per https://tools.ietf.org/html/rfc5280#section-4.2.1.1 Structure is documented below.
    CertFingerprints []CertificateCertificateDescriptionCertFingerprint
    (Output) The hash of the x.509 certificate. Structure is documented below.
    CrlDistributionPoints []string
    (Output) Describes a list of locations to obtain CRL information, i.e. the DistributionPoint.fullName described by https://tools.ietf.org/html/rfc5280#section-4.2.1.13
    PublicKeys []CertificateCertificateDescriptionPublicKey
    (Output) A PublicKey describes a public key. Structure is documented below.
    SubjectDescriptions []CertificateCertificateDescriptionSubjectDescription
    (Output) Describes some of the values in a certificate that are related to the subject and lifetime. Structure is documented below.
    SubjectKeyIds []CertificateCertificateDescriptionSubjectKeyId
    (Output) Provides a means of identifiying certificates that contain a particular public key, per https://tools.ietf.org/html/rfc5280#section-4.2.1.2. Structure is documented below.
    X509Descriptions []CertificateCertificateDescriptionX509Description
    (Output) A structured description of the issued X.509 certificate. Structure is documented below.
    aiaIssuingCertificateUrls List<String>
    (Output) Describes lists of issuer CA certificate URLs that appear in the "Authority Information Access" extension in the certificate.
    authorityKeyIds List<CertificateCertificateDescriptionAuthorityKeyId>
    (Output) Identifies the subjectKeyId of the parent certificate, per https://tools.ietf.org/html/rfc5280#section-4.2.1.1 Structure is documented below.
    certFingerprints List<CertificateCertificateDescriptionCertFingerprint>
    (Output) The hash of the x.509 certificate. Structure is documented below.
    crlDistributionPoints List<String>
    (Output) Describes a list of locations to obtain CRL information, i.e. the DistributionPoint.fullName described by https://tools.ietf.org/html/rfc5280#section-4.2.1.13
    publicKeys List<CertificateCertificateDescriptionPublicKey>
    (Output) A PublicKey describes a public key. Structure is documented below.
    subjectDescriptions List<CertificateCertificateDescriptionSubjectDescription>
    (Output) Describes some of the values in a certificate that are related to the subject and lifetime. Structure is documented below.
    subjectKeyIds List<CertificateCertificateDescriptionSubjectKeyId>
    (Output) Provides a means of identifiying certificates that contain a particular public key, per https://tools.ietf.org/html/rfc5280#section-4.2.1.2. Structure is documented below.
    x509Descriptions List<CertificateCertificateDescriptionX509Description>
    (Output) A structured description of the issued X.509 certificate. Structure is documented below.
    aiaIssuingCertificateUrls string[]
    (Output) Describes lists of issuer CA certificate URLs that appear in the "Authority Information Access" extension in the certificate.
    authorityKeyIds CertificateCertificateDescriptionAuthorityKeyId[]
    (Output) Identifies the subjectKeyId of the parent certificate, per https://tools.ietf.org/html/rfc5280#section-4.2.1.1 Structure is documented below.
    certFingerprints CertificateCertificateDescriptionCertFingerprint[]
    (Output) The hash of the x.509 certificate. Structure is documented below.
    crlDistributionPoints string[]
    (Output) Describes a list of locations to obtain CRL information, i.e. the DistributionPoint.fullName described by https://tools.ietf.org/html/rfc5280#section-4.2.1.13
    publicKeys CertificateCertificateDescriptionPublicKey[]
    (Output) A PublicKey describes a public key. Structure is documented below.
    subjectDescriptions CertificateCertificateDescriptionSubjectDescription[]
    (Output) Describes some of the values in a certificate that are related to the subject and lifetime. Structure is documented below.
    subjectKeyIds CertificateCertificateDescriptionSubjectKeyId[]
    (Output) Provides a means of identifiying certificates that contain a particular public key, per https://tools.ietf.org/html/rfc5280#section-4.2.1.2. Structure is documented below.
    x509Descriptions CertificateCertificateDescriptionX509Description[]
    (Output) A structured description of the issued X.509 certificate. Structure is documented below.
    aia_issuing_certificate_urls Sequence[str]
    (Output) Describes lists of issuer CA certificate URLs that appear in the "Authority Information Access" extension in the certificate.
    authority_key_ids Sequence[CertificateCertificateDescriptionAuthorityKeyId]
    (Output) Identifies the subjectKeyId of the parent certificate, per https://tools.ietf.org/html/rfc5280#section-4.2.1.1 Structure is documented below.
    cert_fingerprints Sequence[CertificateCertificateDescriptionCertFingerprint]
    (Output) The hash of the x.509 certificate. Structure is documented below.
    crl_distribution_points Sequence[str]
    (Output) Describes a list of locations to obtain CRL information, i.e. the DistributionPoint.fullName described by https://tools.ietf.org/html/rfc5280#section-4.2.1.13
    public_keys Sequence[CertificateCertificateDescriptionPublicKey]
    (Output) A PublicKey describes a public key. Structure is documented below.
    subject_descriptions Sequence[CertificateCertificateDescriptionSubjectDescription]
    (Output) Describes some of the values in a certificate that are related to the subject and lifetime. Structure is documented below.
    subject_key_ids Sequence[CertificateCertificateDescriptionSubjectKeyId]
    (Output) Provides a means of identifiying certificates that contain a particular public key, per https://tools.ietf.org/html/rfc5280#section-4.2.1.2. Structure is documented below.
    x509_descriptions Sequence[CertificateCertificateDescriptionX509Description]
    (Output) A structured description of the issued X.509 certificate. Structure is documented below.
    aiaIssuingCertificateUrls List<String>
    (Output) Describes lists of issuer CA certificate URLs that appear in the "Authority Information Access" extension in the certificate.
    authorityKeyIds List<Property Map>
    (Output) Identifies the subjectKeyId of the parent certificate, per https://tools.ietf.org/html/rfc5280#section-4.2.1.1 Structure is documented below.
    certFingerprints List<Property Map>
    (Output) The hash of the x.509 certificate. Structure is documented below.
    crlDistributionPoints List<String>
    (Output) Describes a list of locations to obtain CRL information, i.e. the DistributionPoint.fullName described by https://tools.ietf.org/html/rfc5280#section-4.2.1.13
    publicKeys List<Property Map>
    (Output) A PublicKey describes a public key. Structure is documented below.
    subjectDescriptions List<Property Map>
    (Output) Describes some of the values in a certificate that are related to the subject and lifetime. Structure is documented below.
    subjectKeyIds List<Property Map>
    (Output) Provides a means of identifiying certificates that contain a particular public key, per https://tools.ietf.org/html/rfc5280#section-4.2.1.2. Structure is documented below.
    x509Descriptions List<Property Map>
    (Output) A structured description of the issued X.509 certificate. Structure is documented below.

    CertificateCertificateDescriptionAuthorityKeyId, CertificateCertificateDescriptionAuthorityKeyIdArgs

    KeyId string
    (Output) Optional. The value of this KeyId encoded in lowercase hexadecimal. This is most likely the 160 bit SHA-1 hash of the public key.
    KeyId string
    (Output) Optional. The value of this KeyId encoded in lowercase hexadecimal. This is most likely the 160 bit SHA-1 hash of the public key.
    keyId String
    (Output) Optional. The value of this KeyId encoded in lowercase hexadecimal. This is most likely the 160 bit SHA-1 hash of the public key.
    keyId string
    (Output) Optional. The value of this KeyId encoded in lowercase hexadecimal. This is most likely the 160 bit SHA-1 hash of the public key.
    key_id str
    (Output) Optional. The value of this KeyId encoded in lowercase hexadecimal. This is most likely the 160 bit SHA-1 hash of the public key.
    keyId String
    (Output) Optional. The value of this KeyId encoded in lowercase hexadecimal. This is most likely the 160 bit SHA-1 hash of the public key.

    CertificateCertificateDescriptionCertFingerprint, CertificateCertificateDescriptionCertFingerprintArgs

    Sha256Hash string
    (Output) The SHA 256 hash, encoded in hexadecimal, of the DER x509 certificate.
    Sha256Hash string
    (Output) The SHA 256 hash, encoded in hexadecimal, of the DER x509 certificate.
    sha256Hash String
    (Output) The SHA 256 hash, encoded in hexadecimal, of the DER x509 certificate.
    sha256Hash string
    (Output) The SHA 256 hash, encoded in hexadecimal, of the DER x509 certificate.
    sha256_hash str
    (Output) The SHA 256 hash, encoded in hexadecimal, of the DER x509 certificate.
    sha256Hash String
    (Output) The SHA 256 hash, encoded in hexadecimal, of the DER x509 certificate.

    CertificateCertificateDescriptionPublicKey, CertificateCertificateDescriptionPublicKeyArgs

    Format string
    The format of the public key. Currently, only PEM format is supported. Possible values are: KEY_TYPE_UNSPECIFIED, PEM.
    Key string
    Required. A public key. When this is specified in a request, the padding and encoding can be any of the options described by the respective 'KeyType' value. When this is generated by the service, it will always be an RFC 5280 SubjectPublicKeyInfo structure containing an algorithm identifier and a key. A base64-encoded string.
    Format string
    The format of the public key. Currently, only PEM format is supported. Possible values are: KEY_TYPE_UNSPECIFIED, PEM.
    Key string
    Required. A public key. When this is specified in a request, the padding and encoding can be any of the options described by the respective 'KeyType' value. When this is generated by the service, it will always be an RFC 5280 SubjectPublicKeyInfo structure containing an algorithm identifier and a key. A base64-encoded string.
    format String
    The format of the public key. Currently, only PEM format is supported. Possible values are: KEY_TYPE_UNSPECIFIED, PEM.
    key String
    Required. A public key. When this is specified in a request, the padding and encoding can be any of the options described by the respective 'KeyType' value. When this is generated by the service, it will always be an RFC 5280 SubjectPublicKeyInfo structure containing an algorithm identifier and a key. A base64-encoded string.
    format string
    The format of the public key. Currently, only PEM format is supported. Possible values are: KEY_TYPE_UNSPECIFIED, PEM.
    key string
    Required. A public key. When this is specified in a request, the padding and encoding can be any of the options described by the respective 'KeyType' value. When this is generated by the service, it will always be an RFC 5280 SubjectPublicKeyInfo structure containing an algorithm identifier and a key. A base64-encoded string.
    format str
    The format of the public key. Currently, only PEM format is supported. Possible values are: KEY_TYPE_UNSPECIFIED, PEM.
    key str
    Required. A public key. When this is specified in a request, the padding and encoding can be any of the options described by the respective 'KeyType' value. When this is generated by the service, it will always be an RFC 5280 SubjectPublicKeyInfo structure containing an algorithm identifier and a key. A base64-encoded string.
    format String
    The format of the public key. Currently, only PEM format is supported. Possible values are: KEY_TYPE_UNSPECIFIED, PEM.
    key String
    Required. A public key. When this is specified in a request, the padding and encoding can be any of the options described by the respective 'KeyType' value. When this is generated by the service, it will always be an RFC 5280 SubjectPublicKeyInfo structure containing an algorithm identifier and a key. A base64-encoded string.

    CertificateCertificateDescriptionSubjectDescription, CertificateCertificateDescriptionSubjectDescriptionArgs

    HexSerialNumber string
    (Output) The serial number encoded in lowercase hexadecimal.
    Lifetime string
    The desired lifetime of the CA certificate. Used to create the "notBeforeTime" and "notAfterTime" fields inside an X.509 certificate. A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s".
    NotAfterTime string
    (Output) The time at which the certificate expires.
    NotBeforeTime string
    (Output) The time at which the certificate becomes valid.
    SubjectAltNames List<CertificateCertificateDescriptionSubjectDescriptionSubjectAltName>
    (Output) The subject alternative name fields. Structure is documented below.
    Subjects List<CertificateCertificateDescriptionSubjectDescriptionSubject>
    (Output) Contains distinguished name fields such as the location and organization. Structure is documented below.
    HexSerialNumber string
    (Output) The serial number encoded in lowercase hexadecimal.
    Lifetime string
    The desired lifetime of the CA certificate. Used to create the "notBeforeTime" and "notAfterTime" fields inside an X.509 certificate. A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s".
    NotAfterTime string
    (Output) The time at which the certificate expires.
    NotBeforeTime string
    (Output) The time at which the certificate becomes valid.
    SubjectAltNames []CertificateCertificateDescriptionSubjectDescriptionSubjectAltName
    (Output) The subject alternative name fields. Structure is documented below.
    Subjects []CertificateCertificateDescriptionSubjectDescriptionSubject
    (Output) Contains distinguished name fields such as the location and organization. Structure is documented below.
    hexSerialNumber String
    (Output) The serial number encoded in lowercase hexadecimal.
    lifetime String
    The desired lifetime of the CA certificate. Used to create the "notBeforeTime" and "notAfterTime" fields inside an X.509 certificate. A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s".
    notAfterTime String
    (Output) The time at which the certificate expires.
    notBeforeTime String
    (Output) The time at which the certificate becomes valid.
    subjectAltNames List<CertificateCertificateDescriptionSubjectDescriptionSubjectAltName>
    (Output) The subject alternative name fields. Structure is documented below.
    subjects List<CertificateCertificateDescriptionSubjectDescriptionSubject>
    (Output) Contains distinguished name fields such as the location and organization. Structure is documented below.
    hexSerialNumber string
    (Output) The serial number encoded in lowercase hexadecimal.
    lifetime string
    The desired lifetime of the CA certificate. Used to create the "notBeforeTime" and "notAfterTime" fields inside an X.509 certificate. A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s".
    notAfterTime string
    (Output) The time at which the certificate expires.
    notBeforeTime string
    (Output) The time at which the certificate becomes valid.
    subjectAltNames CertificateCertificateDescriptionSubjectDescriptionSubjectAltName[]
    (Output) The subject alternative name fields. Structure is documented below.
    subjects CertificateCertificateDescriptionSubjectDescriptionSubject[]
    (Output) Contains distinguished name fields such as the location and organization. Structure is documented below.
    hex_serial_number str
    (Output) The serial number encoded in lowercase hexadecimal.
    lifetime str
    The desired lifetime of the CA certificate. Used to create the "notBeforeTime" and "notAfterTime" fields inside an X.509 certificate. A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s".
    not_after_time str
    (Output) The time at which the certificate expires.
    not_before_time str
    (Output) The time at which the certificate becomes valid.
    subject_alt_names Sequence[CertificateCertificateDescriptionSubjectDescriptionSubjectAltName]
    (Output) The subject alternative name fields. Structure is documented below.
    subjects Sequence[CertificateCertificateDescriptionSubjectDescriptionSubject]
    (Output) Contains distinguished name fields such as the location and organization. Structure is documented below.
    hexSerialNumber String
    (Output) The serial number encoded in lowercase hexadecimal.
    lifetime String
    The desired lifetime of the CA certificate. Used to create the "notBeforeTime" and "notAfterTime" fields inside an X.509 certificate. A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s".
    notAfterTime String
    (Output) The time at which the certificate expires.
    notBeforeTime String
    (Output) The time at which the certificate becomes valid.
    subjectAltNames List<Property Map>
    (Output) The subject alternative name fields. Structure is documented below.
    subjects List<Property Map>
    (Output) Contains distinguished name fields such as the location and organization. Structure is documented below.

    CertificateCertificateDescriptionSubjectDescriptionSubject, CertificateCertificateDescriptionSubjectDescriptionSubjectArgs

    CommonName string
    The common name of the distinguished name.
    CountryCode string
    The country code of the subject.
    Locality string
    The locality or city of the subject.
    Organization string
    The organization of the subject.
    OrganizationalUnit string
    The organizational unit of the subject.
    PostalCode string
    The postal code of the subject.
    Province string
    The province, territory, or regional state of the subject.
    StreetAddress string
    The street address of the subject.
    CommonName string
    The common name of the distinguished name.
    CountryCode string
    The country code of the subject.
    Locality string
    The locality or city of the subject.
    Organization string
    The organization of the subject.
    OrganizationalUnit string
    The organizational unit of the subject.
    PostalCode string
    The postal code of the subject.
    Province string
    The province, territory, or regional state of the subject.
    StreetAddress string
    The street address of the subject.
    commonName String
    The common name of the distinguished name.
    countryCode String
    The country code of the subject.
    locality String
    The locality or city of the subject.
    organization String
    The organization of the subject.
    organizationalUnit String
    The organizational unit of the subject.
    postalCode String
    The postal code of the subject.
    province String
    The province, territory, or regional state of the subject.
    streetAddress String
    The street address of the subject.
    commonName string
    The common name of the distinguished name.
    countryCode string
    The country code of the subject.
    locality string
    The locality or city of the subject.
    organization string
    The organization of the subject.
    organizationalUnit string
    The organizational unit of the subject.
    postalCode string
    The postal code of the subject.
    province string
    The province, territory, or regional state of the subject.
    streetAddress string
    The street address of the subject.
    common_name str
    The common name of the distinguished name.
    country_code str
    The country code of the subject.
    locality str
    The locality or city of the subject.
    organization str
    The organization of the subject.
    organizational_unit str
    The organizational unit of the subject.
    postal_code str
    The postal code of the subject.
    province str
    The province, territory, or regional state of the subject.
    street_address str
    The street address of the subject.
    commonName String
    The common name of the distinguished name.
    countryCode String
    The country code of the subject.
    locality String
    The locality or city of the subject.
    organization String
    The organization of the subject.
    organizationalUnit String
    The organizational unit of the subject.
    postalCode String
    The postal code of the subject.
    province String
    The province, territory, or regional state of the subject.
    streetAddress String
    The street address of the subject.

    CertificateCertificateDescriptionSubjectDescriptionSubjectAltName, CertificateCertificateDescriptionSubjectDescriptionSubjectAltNameArgs

    CustomSans List<CertificateCertificateDescriptionSubjectDescriptionSubjectAltNameCustomSan>
    (Output) Contains additional subject alternative name values. Structure is documented below.
    DnsNames List<string>
    Contains only valid, fully-qualified host names.
    EmailAddresses List<string>
    Contains only valid RFC 2822 E-mail addresses.
    IpAddresses List<string>
    Contains only valid 32-bit IPv4 addresses or RFC 4291 IPv6 addresses.
    Uris List<string>
    Contains only valid RFC 3986 URIs.
    CustomSans []CertificateCertificateDescriptionSubjectDescriptionSubjectAltNameCustomSan
    (Output) Contains additional subject alternative name values. Structure is documented below.
    DnsNames []string
    Contains only valid, fully-qualified host names.
    EmailAddresses []string
    Contains only valid RFC 2822 E-mail addresses.
    IpAddresses []string
    Contains only valid 32-bit IPv4 addresses or RFC 4291 IPv6 addresses.
    Uris []string
    Contains only valid RFC 3986 URIs.
    customSans List<CertificateCertificateDescriptionSubjectDescriptionSubjectAltNameCustomSan>
    (Output) Contains additional subject alternative name values. Structure is documented below.
    dnsNames List<String>
    Contains only valid, fully-qualified host names.
    emailAddresses List<String>
    Contains only valid RFC 2822 E-mail addresses.
    ipAddresses List<String>
    Contains only valid 32-bit IPv4 addresses or RFC 4291 IPv6 addresses.
    uris List<String>
    Contains only valid RFC 3986 URIs.
    customSans CertificateCertificateDescriptionSubjectDescriptionSubjectAltNameCustomSan[]
    (Output) Contains additional subject alternative name values. Structure is documented below.
    dnsNames string[]
    Contains only valid, fully-qualified host names.
    emailAddresses string[]
    Contains only valid RFC 2822 E-mail addresses.
    ipAddresses string[]
    Contains only valid 32-bit IPv4 addresses or RFC 4291 IPv6 addresses.
    uris string[]
    Contains only valid RFC 3986 URIs.
    custom_sans Sequence[CertificateCertificateDescriptionSubjectDescriptionSubjectAltNameCustomSan]
    (Output) Contains additional subject alternative name values. Structure is documented below.
    dns_names Sequence[str]
    Contains only valid, fully-qualified host names.
    email_addresses Sequence[str]
    Contains only valid RFC 2822 E-mail addresses.
    ip_addresses Sequence[str]
    Contains only valid 32-bit IPv4 addresses or RFC 4291 IPv6 addresses.
    uris Sequence[str]
    Contains only valid RFC 3986 URIs.
    customSans List<Property Map>
    (Output) Contains additional subject alternative name values. Structure is documented below.
    dnsNames List<String>
    Contains only valid, fully-qualified host names.
    emailAddresses List<String>
    Contains only valid RFC 2822 E-mail addresses.
    ipAddresses List<String>
    Contains only valid 32-bit IPv4 addresses or RFC 4291 IPv6 addresses.
    uris List<String>
    Contains only valid RFC 3986 URIs.

    CertificateCertificateDescriptionSubjectDescriptionSubjectAltNameCustomSan, CertificateCertificateDescriptionSubjectDescriptionSubjectAltNameCustomSanArgs

    Critical bool
    (Output) Indicates whether or not the name constraints are marked critical.
    ObectIds List<CertificateCertificateDescriptionSubjectDescriptionSubjectAltNameCustomSanObectId>
    (Output) Describes how some of the technical fields in a certificate should be populated. Structure is documented below.
    Value string
    The value of this X.509 extension. A base64-encoded string.
    Critical bool
    (Output) Indicates whether or not the name constraints are marked critical.
    ObectIds []CertificateCertificateDescriptionSubjectDescriptionSubjectAltNameCustomSanObectId
    (Output) Describes how some of the technical fields in a certificate should be populated. Structure is documented below.
    Value string
    The value of this X.509 extension. A base64-encoded string.
    critical Boolean
    (Output) Indicates whether or not the name constraints are marked critical.
    obectIds List<CertificateCertificateDescriptionSubjectDescriptionSubjectAltNameCustomSanObectId>
    (Output) Describes how some of the technical fields in a certificate should be populated. Structure is documented below.
    value String
    The value of this X.509 extension. A base64-encoded string.
    critical boolean
    (Output) Indicates whether or not the name constraints are marked critical.
    obectIds CertificateCertificateDescriptionSubjectDescriptionSubjectAltNameCustomSanObectId[]
    (Output) Describes how some of the technical fields in a certificate should be populated. Structure is documented below.
    value string
    The value of this X.509 extension. A base64-encoded string.
    critical bool
    (Output) Indicates whether or not the name constraints are marked critical.
    obect_ids Sequence[CertificateCertificateDescriptionSubjectDescriptionSubjectAltNameCustomSanObectId]
    (Output) Describes how some of the technical fields in a certificate should be populated. Structure is documented below.
    value str
    The value of this X.509 extension. A base64-encoded string.
    critical Boolean
    (Output) Indicates whether or not the name constraints are marked critical.
    obectIds List<Property Map>
    (Output) Describes how some of the technical fields in a certificate should be populated. Structure is documented below.
    value String
    The value of this X.509 extension. A base64-encoded string.

    CertificateCertificateDescriptionSubjectDescriptionSubjectAltNameCustomSanObectId, CertificateCertificateDescriptionSubjectDescriptionSubjectAltNameCustomSanObectIdArgs

    ObjectIdPaths List<int>
    (Output) An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
    ObjectIdPaths []int
    (Output) An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
    objectIdPaths List<Integer>
    (Output) An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
    objectIdPaths number[]
    (Output) An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
    object_id_paths Sequence[int]
    (Output) An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
    objectIdPaths List<Number>
    (Output) An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.

    CertificateCertificateDescriptionSubjectKeyId, CertificateCertificateDescriptionSubjectKeyIdArgs

    KeyId string
    The value of the KeyId in lowercase hexidecimal.
    KeyId string
    The value of the KeyId in lowercase hexidecimal.
    keyId String
    The value of the KeyId in lowercase hexidecimal.
    keyId string
    The value of the KeyId in lowercase hexidecimal.
    key_id str
    The value of the KeyId in lowercase hexidecimal.
    keyId String
    The value of the KeyId in lowercase hexidecimal.

    CertificateCertificateDescriptionX509Description, CertificateCertificateDescriptionX509DescriptionArgs

    AdditionalExtensions List<CertificateCertificateDescriptionX509DescriptionAdditionalExtension>
    (Output) Describes custom X.509 extensions. Structure is documented below.
    AiaOcspServers List<string>
    (Output) Describes Online Certificate Status Protocol (OCSP) endpoint addresses that appear in the "Authority Information Access" extension in the certificate.
    CaOptions List<CertificateCertificateDescriptionX509DescriptionCaOption>
    (Output) Describes values that are relevant in a CA certificate. Structure is documented below.
    KeyUsages List<CertificateCertificateDescriptionX509DescriptionKeyUsage>
    (Output) Indicates the intended use for keys that correspond to a certificate. Structure is documented below.
    NameConstraints List<CertificateCertificateDescriptionX509DescriptionNameConstraint>
    (Output) Describes the X.509 name constraints extension. Structure is documented below.
    PolicyIds List<CertificateCertificateDescriptionX509DescriptionPolicyId>
    (Output) Describes the X.509 certificate policy object identifiers, per https://tools.ietf.org/html/rfc5280#section-4.2.1.4. Structure is documented below.
    AdditionalExtensions []CertificateCertificateDescriptionX509DescriptionAdditionalExtension
    (Output) Describes custom X.509 extensions. Structure is documented below.
    AiaOcspServers []string
    (Output) Describes Online Certificate Status Protocol (OCSP) endpoint addresses that appear in the "Authority Information Access" extension in the certificate.
    CaOptions []CertificateCertificateDescriptionX509DescriptionCaOption
    (Output) Describes values that are relevant in a CA certificate. Structure is documented below.
    KeyUsages []CertificateCertificateDescriptionX509DescriptionKeyUsage
    (Output) Indicates the intended use for keys that correspond to a certificate. Structure is documented below.
    NameConstraints []CertificateCertificateDescriptionX509DescriptionNameConstraint
    (Output) Describes the X.509 name constraints extension. Structure is documented below.
    PolicyIds []CertificateCertificateDescriptionX509DescriptionPolicyId
    (Output) Describes the X.509 certificate policy object identifiers, per https://tools.ietf.org/html/rfc5280#section-4.2.1.4. Structure is documented below.
    additionalExtensions List<CertificateCertificateDescriptionX509DescriptionAdditionalExtension>
    (Output) Describes custom X.509 extensions. Structure is documented below.
    aiaOcspServers List<String>
    (Output) Describes Online Certificate Status Protocol (OCSP) endpoint addresses that appear in the "Authority Information Access" extension in the certificate.
    caOptions List<CertificateCertificateDescriptionX509DescriptionCaOption>
    (Output) Describes values that are relevant in a CA certificate. Structure is documented below.
    keyUsages List<CertificateCertificateDescriptionX509DescriptionKeyUsage>
    (Output) Indicates the intended use for keys that correspond to a certificate. Structure is documented below.
    nameConstraints List<CertificateCertificateDescriptionX509DescriptionNameConstraint>
    (Output) Describes the X.509 name constraints extension. Structure is documented below.
    policyIds List<CertificateCertificateDescriptionX509DescriptionPolicyId>
    (Output) Describes the X.509 certificate policy object identifiers, per https://tools.ietf.org/html/rfc5280#section-4.2.1.4. Structure is documented below.
    additionalExtensions CertificateCertificateDescriptionX509DescriptionAdditionalExtension[]
    (Output) Describes custom X.509 extensions. Structure is documented below.
    aiaOcspServers string[]
    (Output) Describes Online Certificate Status Protocol (OCSP) endpoint addresses that appear in the "Authority Information Access" extension in the certificate.
    caOptions CertificateCertificateDescriptionX509DescriptionCaOption[]
    (Output) Describes values that are relevant in a CA certificate. Structure is documented below.
    keyUsages CertificateCertificateDescriptionX509DescriptionKeyUsage[]
    (Output) Indicates the intended use for keys that correspond to a certificate. Structure is documented below.
    nameConstraints CertificateCertificateDescriptionX509DescriptionNameConstraint[]
    (Output) Describes the X.509 name constraints extension. Structure is documented below.
    policyIds CertificateCertificateDescriptionX509DescriptionPolicyId[]
    (Output) Describes the X.509 certificate policy object identifiers, per https://tools.ietf.org/html/rfc5280#section-4.2.1.4. Structure is documented below.
    additional_extensions Sequence[CertificateCertificateDescriptionX509DescriptionAdditionalExtension]
    (Output) Describes custom X.509 extensions. Structure is documented below.
    aia_ocsp_servers Sequence[str]
    (Output) Describes Online Certificate Status Protocol (OCSP) endpoint addresses that appear in the "Authority Information Access" extension in the certificate.
    ca_options Sequence[CertificateCertificateDescriptionX509DescriptionCaOption]
    (Output) Describes values that are relevant in a CA certificate. Structure is documented below.
    key_usages Sequence[CertificateCertificateDescriptionX509DescriptionKeyUsage]
    (Output) Indicates the intended use for keys that correspond to a certificate. Structure is documented below.
    name_constraints Sequence[CertificateCertificateDescriptionX509DescriptionNameConstraint]
    (Output) Describes the X.509 name constraints extension. Structure is documented below.
    policy_ids Sequence[CertificateCertificateDescriptionX509DescriptionPolicyId]
    (Output) Describes the X.509 certificate policy object identifiers, per https://tools.ietf.org/html/rfc5280#section-4.2.1.4. Structure is documented below.
    additionalExtensions List<Property Map>
    (Output) Describes custom X.509 extensions. Structure is documented below.
    aiaOcspServers List<String>
    (Output) Describes Online Certificate Status Protocol (OCSP) endpoint addresses that appear in the "Authority Information Access" extension in the certificate.
    caOptions List<Property Map>
    (Output) Describes values that are relevant in a CA certificate. Structure is documented below.
    keyUsages List<Property Map>
    (Output) Indicates the intended use for keys that correspond to a certificate. Structure is documented below.
    nameConstraints List<Property Map>
    (Output) Describes the X.509 name constraints extension. Structure is documented below.
    policyIds List<Property Map>
    (Output) Describes the X.509 certificate policy object identifiers, per https://tools.ietf.org/html/rfc5280#section-4.2.1.4. Structure is documented below.

    CertificateCertificateDescriptionX509DescriptionAdditionalExtension, CertificateCertificateDescriptionX509DescriptionAdditionalExtensionArgs

    Critical bool
    Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error).
    ObjectIds List<CertificateCertificateDescriptionX509DescriptionAdditionalExtensionObjectId>
    Describes values that are relevant in a CA certificate. Structure is documented below.
    Value string
    The value of this X.509 extension. A base64-encoded string.
    Critical bool
    Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error).
    ObjectIds []CertificateCertificateDescriptionX509DescriptionAdditionalExtensionObjectId
    Describes values that are relevant in a CA certificate. Structure is documented below.
    Value string
    The value of this X.509 extension. A base64-encoded string.
    critical Boolean
    Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error).
    objectIds List<CertificateCertificateDescriptionX509DescriptionAdditionalExtensionObjectId>
    Describes values that are relevant in a CA certificate. Structure is documented below.
    value String
    The value of this X.509 extension. A base64-encoded string.
    critical boolean
    Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error).
    objectIds CertificateCertificateDescriptionX509DescriptionAdditionalExtensionObjectId[]
    Describes values that are relevant in a CA certificate. Structure is documented below.
    value string
    The value of this X.509 extension. A base64-encoded string.
    critical bool
    Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error).
    object_ids Sequence[CertificateCertificateDescriptionX509DescriptionAdditionalExtensionObjectId]
    Describes values that are relevant in a CA certificate. Structure is documented below.
    value str
    The value of this X.509 extension. A base64-encoded string.
    critical Boolean
    Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error).
    objectIds List<Property Map>
    Describes values that are relevant in a CA certificate. Structure is documented below.
    value String
    The value of this X.509 extension. A base64-encoded string.

    CertificateCertificateDescriptionX509DescriptionAdditionalExtensionObjectId, CertificateCertificateDescriptionX509DescriptionAdditionalExtensionObjectIdArgs

    ObjectIdPaths List<int>
    An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
    ObjectIdPaths []int
    An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
    objectIdPaths List<Integer>
    An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
    objectIdPaths number[]
    An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
    object_id_paths Sequence[int]
    An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
    objectIdPaths List<Number>
    An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.

    CertificateCertificateDescriptionX509DescriptionCaOption, CertificateCertificateDescriptionX509DescriptionCaOptionArgs

    IsCa bool
    When true, the "CA" in Basic Constraints extension will be set to true.
    MaxIssuerPathLength int
    Refers to the "path length constraint" in Basic Constraints extension. For a CA certificate, this value describes the depth of subordinate CA certificates that are allowed. If this value is less than 0, the request will fail.
    IsCa bool
    When true, the "CA" in Basic Constraints extension will be set to true.
    MaxIssuerPathLength int
    Refers to the "path length constraint" in Basic Constraints extension. For a CA certificate, this value describes the depth of subordinate CA certificates that are allowed. If this value is less than 0, the request will fail.
    isCa Boolean
    When true, the "CA" in Basic Constraints extension will be set to true.
    maxIssuerPathLength Integer
    Refers to the "path length constraint" in Basic Constraints extension. For a CA certificate, this value describes the depth of subordinate CA certificates that are allowed. If this value is less than 0, the request will fail.
    isCa boolean
    When true, the "CA" in Basic Constraints extension will be set to true.
    maxIssuerPathLength number
    Refers to the "path length constraint" in Basic Constraints extension. For a CA certificate, this value describes the depth of subordinate CA certificates that are allowed. If this value is less than 0, the request will fail.
    is_ca bool
    When true, the "CA" in Basic Constraints extension will be set to true.
    max_issuer_path_length int
    Refers to the "path length constraint" in Basic Constraints extension. For a CA certificate, this value describes the depth of subordinate CA certificates that are allowed. If this value is less than 0, the request will fail.
    isCa Boolean
    When true, the "CA" in Basic Constraints extension will be set to true.
    maxIssuerPathLength Number
    Refers to the "path length constraint" in Basic Constraints extension. For a CA certificate, this value describes the depth of subordinate CA certificates that are allowed. If this value is less than 0, the request will fail.

    CertificateCertificateDescriptionX509DescriptionKeyUsage, CertificateCertificateDescriptionX509DescriptionKeyUsageArgs

    BaseKeyUsages List<CertificateCertificateDescriptionX509DescriptionKeyUsageBaseKeyUsage>
    Describes high-level ways in which a key may be used. Structure is documented below.
    ExtendedKeyUsages List<CertificateCertificateDescriptionX509DescriptionKeyUsageExtendedKeyUsage>
    Describes high-level ways in which a key may be used. Structure is documented below.
    UnknownExtendedKeyUsages List<CertificateCertificateDescriptionX509DescriptionKeyUsageUnknownExtendedKeyUsage>
    An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. Structure is documented below.
    BaseKeyUsages []CertificateCertificateDescriptionX509DescriptionKeyUsageBaseKeyUsage
    Describes high-level ways in which a key may be used. Structure is documented below.
    ExtendedKeyUsages []CertificateCertificateDescriptionX509DescriptionKeyUsageExtendedKeyUsage
    Describes high-level ways in which a key may be used. Structure is documented below.
    UnknownExtendedKeyUsages []CertificateCertificateDescriptionX509DescriptionKeyUsageUnknownExtendedKeyUsage
    An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. Structure is documented below.
    baseKeyUsages List<CertificateCertificateDescriptionX509DescriptionKeyUsageBaseKeyUsage>
    Describes high-level ways in which a key may be used. Structure is documented below.
    extendedKeyUsages List<CertificateCertificateDescriptionX509DescriptionKeyUsageExtendedKeyUsage>
    Describes high-level ways in which a key may be used. Structure is documented below.
    unknownExtendedKeyUsages List<CertificateCertificateDescriptionX509DescriptionKeyUsageUnknownExtendedKeyUsage>
    An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. Structure is documented below.
    baseKeyUsages CertificateCertificateDescriptionX509DescriptionKeyUsageBaseKeyUsage[]
    Describes high-level ways in which a key may be used. Structure is documented below.
    extendedKeyUsages CertificateCertificateDescriptionX509DescriptionKeyUsageExtendedKeyUsage[]
    Describes high-level ways in which a key may be used. Structure is documented below.
    unknownExtendedKeyUsages CertificateCertificateDescriptionX509DescriptionKeyUsageUnknownExtendedKeyUsage[]
    An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. Structure is documented below.
    base_key_usages Sequence[CertificateCertificateDescriptionX509DescriptionKeyUsageBaseKeyUsage]
    Describes high-level ways in which a key may be used. Structure is documented below.
    extended_key_usages Sequence[CertificateCertificateDescriptionX509DescriptionKeyUsageExtendedKeyUsage]
    Describes high-level ways in which a key may be used. Structure is documented below.
    unknown_extended_key_usages Sequence[CertificateCertificateDescriptionX509DescriptionKeyUsageUnknownExtendedKeyUsage]
    An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. Structure is documented below.
    baseKeyUsages List<Property Map>
    Describes high-level ways in which a key may be used. Structure is documented below.
    extendedKeyUsages List<Property Map>
    Describes high-level ways in which a key may be used. Structure is documented below.
    unknownExtendedKeyUsages List<Property Map>
    An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. Structure is documented below.

    CertificateCertificateDescriptionX509DescriptionKeyUsageBaseKeyUsage, CertificateCertificateDescriptionX509DescriptionKeyUsageBaseKeyUsageArgs

    CertSign bool
    The key may be used to sign certificates.
    ContentCommitment bool
    The key may be used for cryptographic commitments. Note that this may also be referred to as "non-repudiation".
    CrlSign bool
    The key may be used sign certificate revocation lists.
    DataEncipherment bool
    The key may be used to encipher data.
    DecipherOnly bool
    The key may be used to decipher only.
    DigitalSignature bool
    The key may be used for digital signatures.
    EncipherOnly bool
    The key may be used to encipher only.
    KeyAgreement bool
    The key may be used in a key agreement protocol.
    KeyEncipherment bool
    The key may be used to encipher other keys.
    CertSign bool
    The key may be used to sign certificates.
    ContentCommitment bool
    The key may be used for cryptographic commitments. Note that this may also be referred to as "non-repudiation".
    CrlSign bool
    The key may be used sign certificate revocation lists.
    DataEncipherment bool
    The key may be used to encipher data.
    DecipherOnly bool
    The key may be used to decipher only.
    DigitalSignature bool
    The key may be used for digital signatures.
    EncipherOnly bool
    The key may be used to encipher only.
    KeyAgreement bool
    The key may be used in a key agreement protocol.
    KeyEncipherment bool
    The key may be used to encipher other keys.
    certSign Boolean
    The key may be used to sign certificates.
    contentCommitment Boolean
    The key may be used for cryptographic commitments. Note that this may also be referred to as "non-repudiation".
    crlSign Boolean
    The key may be used sign certificate revocation lists.
    dataEncipherment Boolean
    The key may be used to encipher data.
    decipherOnly Boolean
    The key may be used to decipher only.
    digitalSignature Boolean
    The key may be used for digital signatures.
    encipherOnly Boolean
    The key may be used to encipher only.
    keyAgreement Boolean
    The key may be used in a key agreement protocol.
    keyEncipherment Boolean
    The key may be used to encipher other keys.
    certSign boolean
    The key may be used to sign certificates.
    contentCommitment boolean
    The key may be used for cryptographic commitments. Note that this may also be referred to as "non-repudiation".
    crlSign boolean
    The key may be used sign certificate revocation lists.
    dataEncipherment boolean
    The key may be used to encipher data.
    decipherOnly boolean
    The key may be used to decipher only.
    digitalSignature boolean
    The key may be used for digital signatures.
    encipherOnly boolean
    The key may be used to encipher only.
    keyAgreement boolean
    The key may be used in a key agreement protocol.
    keyEncipherment boolean
    The key may be used to encipher other keys.
    cert_sign bool
    The key may be used to sign certificates.
    content_commitment bool
    The key may be used for cryptographic commitments. Note that this may also be referred to as "non-repudiation".
    crl_sign bool
    The key may be used sign certificate revocation lists.
    data_encipherment bool
    The key may be used to encipher data.
    decipher_only bool
    The key may be used to decipher only.
    digital_signature bool
    The key may be used for digital signatures.
    encipher_only bool
    The key may be used to encipher only.
    key_agreement bool
    The key may be used in a key agreement protocol.
    key_encipherment bool
    The key may be used to encipher other keys.
    certSign Boolean
    The key may be used to sign certificates.
    contentCommitment Boolean
    The key may be used for cryptographic commitments. Note that this may also be referred to as "non-repudiation".
    crlSign Boolean
    The key may be used sign certificate revocation lists.
    dataEncipherment Boolean
    The key may be used to encipher data.
    decipherOnly Boolean
    The key may be used to decipher only.
    digitalSignature Boolean
    The key may be used for digital signatures.
    encipherOnly Boolean
    The key may be used to encipher only.
    keyAgreement Boolean
    The key may be used in a key agreement protocol.
    keyEncipherment Boolean
    The key may be used to encipher other keys.

    CertificateCertificateDescriptionX509DescriptionKeyUsageExtendedKeyUsage, CertificateCertificateDescriptionX509DescriptionKeyUsageExtendedKeyUsageArgs

    ClientAuth bool
    Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as "TLS WWW client authentication", though regularly used for non-WWW TLS.
    CodeSigning bool
    Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as "Signing of downloadable executable code client authentication".
    EmailProtection bool
    Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as "Email protection".
    OcspSigning bool
    Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as "Signing OCSP responses".
    ServerAuth bool
    Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as "TLS WWW server authentication", though regularly used for non-WWW TLS.
    TimeStamping bool
    Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as "Binding the hash of an object to a time".
    ClientAuth bool
    Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as "TLS WWW client authentication", though regularly used for non-WWW TLS.
    CodeSigning bool
    Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as "Signing of downloadable executable code client authentication".
    EmailProtection bool
    Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as "Email protection".
    OcspSigning bool
    Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as "Signing OCSP responses".
    ServerAuth bool
    Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as "TLS WWW server authentication", though regularly used for non-WWW TLS.
    TimeStamping bool
    Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as "Binding the hash of an object to a time".
    clientAuth Boolean
    Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as "TLS WWW client authentication", though regularly used for non-WWW TLS.
    codeSigning Boolean
    Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as "Signing of downloadable executable code client authentication".
    emailProtection Boolean
    Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as "Email protection".
    ocspSigning Boolean
    Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as "Signing OCSP responses".
    serverAuth Boolean
    Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as "TLS WWW server authentication", though regularly used for non-WWW TLS.
    timeStamping Boolean
    Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as "Binding the hash of an object to a time".
    clientAuth boolean
    Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as "TLS WWW client authentication", though regularly used for non-WWW TLS.
    codeSigning boolean
    Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as "Signing of downloadable executable code client authentication".
    emailProtection boolean
    Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as "Email protection".
    ocspSigning boolean
    Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as "Signing OCSP responses".
    serverAuth boolean
    Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as "TLS WWW server authentication", though regularly used for non-WWW TLS.
    timeStamping boolean
    Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as "Binding the hash of an object to a time".
    client_auth bool
    Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as "TLS WWW client authentication", though regularly used for non-WWW TLS.
    code_signing bool
    Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as "Signing of downloadable executable code client authentication".
    email_protection bool
    Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as "Email protection".
    ocsp_signing bool
    Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as "Signing OCSP responses".
    server_auth bool
    Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as "TLS WWW server authentication", though regularly used for non-WWW TLS.
    time_stamping bool
    Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as "Binding the hash of an object to a time".
    clientAuth Boolean
    Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as "TLS WWW client authentication", though regularly used for non-WWW TLS.
    codeSigning Boolean
    Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as "Signing of downloadable executable code client authentication".
    emailProtection Boolean
    Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as "Email protection".
    ocspSigning Boolean
    Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as "Signing OCSP responses".
    serverAuth Boolean
    Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as "TLS WWW server authentication", though regularly used for non-WWW TLS.
    timeStamping Boolean
    Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as "Binding the hash of an object to a time".

    CertificateCertificateDescriptionX509DescriptionKeyUsageUnknownExtendedKeyUsage, CertificateCertificateDescriptionX509DescriptionKeyUsageUnknownExtendedKeyUsageArgs

    ObjectIdPaths List<int>
    An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
    ObjectIdPaths []int
    An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
    objectIdPaths List<Integer>
    An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
    objectIdPaths number[]
    An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
    object_id_paths Sequence[int]
    An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
    objectIdPaths List<Number>
    An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.

    CertificateCertificateDescriptionX509DescriptionNameConstraint, CertificateCertificateDescriptionX509DescriptionNameConstraintArgs

    Critical bool
    Indicates whether or not the name constraints are marked critical.
    ExcludedDnsNames List<string>
    Contains excluded DNS names. Any DNS name that can be constructed by simply adding zero or more labels to the left-hand side of the name satisfies the name constraint. For example, example.com, www.example.com, www.sub.example.com would satisfy example.com while example1.com does not.
    ExcludedEmailAddresses List<string>
    Contains the excluded email addresses. The value can be a particular email address, a hostname to indicate all email addresses on that host or a domain with a leading period (e.g. .example.com) to indicate all email addresses in that domain.
    ExcludedIpRanges List<string>
    Contains the excluded IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.
    ExcludedUris List<string>
    Contains the excluded URIs that apply to the host part of the name. The value can be a hostname or a domain with a leading period (like .example.com)
    PermittedDnsNames List<string>
    Contains permitted DNS names. Any DNS name that can be constructed by simply adding zero or more labels to the left-hand side of the name satisfies the name constraint. For example, example.com, www.example.com, www.sub.example.com would satisfy example.com while example1.com does not.
    PermittedEmailAddresses List<string>
    Contains the permitted email addresses. The value can be a particular email address, a hostname to indicate all email addresses on that host or a domain with a leading period (e.g. .example.com) to indicate all email addresses in that domain.
    PermittedIpRanges List<string>
    Contains the permitted IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.
    PermittedUris List<string>
    Contains the permitted URIs that apply to the host part of the name. The value can be a hostname or a domain with a leading period (like .example.com)
    Critical bool
    Indicates whether or not the name constraints are marked critical.
    ExcludedDnsNames []string
    Contains excluded DNS names. Any DNS name that can be constructed by simply adding zero or more labels to the left-hand side of the name satisfies the name constraint. For example, example.com, www.example.com, www.sub.example.com would satisfy example.com while example1.com does not.
    ExcludedEmailAddresses []string
    Contains the excluded email addresses. The value can be a particular email address, a hostname to indicate all email addresses on that host or a domain with a leading period (e.g. .example.com) to indicate all email addresses in that domain.
    ExcludedIpRanges []string
    Contains the excluded IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.
    ExcludedUris []string
    Contains the excluded URIs that apply to the host part of the name. The value can be a hostname or a domain with a leading period (like .example.com)
    PermittedDnsNames []string
    Contains permitted DNS names. Any DNS name that can be constructed by simply adding zero or more labels to the left-hand side of the name satisfies the name constraint. For example, example.com, www.example.com, www.sub.example.com would satisfy example.com while example1.com does not.
    PermittedEmailAddresses []string
    Contains the permitted email addresses. The value can be a particular email address, a hostname to indicate all email addresses on that host or a domain with a leading period (e.g. .example.com) to indicate all email addresses in that domain.
    PermittedIpRanges []string
    Contains the permitted IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.
    PermittedUris []string
    Contains the permitted URIs that apply to the host part of the name. The value can be a hostname or a domain with a leading period (like .example.com)
    critical Boolean
    Indicates whether or not the name constraints are marked critical.
    excludedDnsNames List<String>
    Contains excluded DNS names. Any DNS name that can be constructed by simply adding zero or more labels to the left-hand side of the name satisfies the name constraint. For example, example.com, www.example.com, www.sub.example.com would satisfy example.com while example1.com does not.
    excludedEmailAddresses List<String>
    Contains the excluded email addresses. The value can be a particular email address, a hostname to indicate all email addresses on that host or a domain with a leading period (e.g. .example.com) to indicate all email addresses in that domain.
    excludedIpRanges List<String>
    Contains the excluded IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.
    excludedUris List<String>
    Contains the excluded URIs that apply to the host part of the name. The value can be a hostname or a domain with a leading period (like .example.com)
    permittedDnsNames List<String>
    Contains permitted DNS names. Any DNS name that can be constructed by simply adding zero or more labels to the left-hand side of the name satisfies the name constraint. For example, example.com, www.example.com, www.sub.example.com would satisfy example.com while example1.com does not.
    permittedEmailAddresses List<String>
    Contains the permitted email addresses. The value can be a particular email address, a hostname to indicate all email addresses on that host or a domain with a leading period (e.g. .example.com) to indicate all email addresses in that domain.
    permittedIpRanges List<String>
    Contains the permitted IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.
    permittedUris List<String>
    Contains the permitted URIs that apply to the host part of the name. The value can be a hostname or a domain with a leading period (like .example.com)
    critical boolean
    Indicates whether or not the name constraints are marked critical.
    excludedDnsNames string[]
    Contains excluded DNS names. Any DNS name that can be constructed by simply adding zero or more labels to the left-hand side of the name satisfies the name constraint. For example, example.com, www.example.com, www.sub.example.com would satisfy example.com while example1.com does not.
    excludedEmailAddresses string[]
    Contains the excluded email addresses. The value can be a particular email address, a hostname to indicate all email addresses on that host or a domain with a leading period (e.g. .example.com) to indicate all email addresses in that domain.
    excludedIpRanges string[]
    Contains the excluded IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.
    excludedUris string[]
    Contains the excluded URIs that apply to the host part of the name. The value can be a hostname or a domain with a leading period (like .example.com)
    permittedDnsNames string[]
    Contains permitted DNS names. Any DNS name that can be constructed by simply adding zero or more labels to the left-hand side of the name satisfies the name constraint. For example, example.com, www.example.com, www.sub.example.com would satisfy example.com while example1.com does not.
    permittedEmailAddresses string[]
    Contains the permitted email addresses. The value can be a particular email address, a hostname to indicate all email addresses on that host or a domain with a leading period (e.g. .example.com) to indicate all email addresses in that domain.
    permittedIpRanges string[]
    Contains the permitted IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.
    permittedUris string[]
    Contains the permitted URIs that apply to the host part of the name. The value can be a hostname or a domain with a leading period (like .example.com)
    critical bool
    Indicates whether or not the name constraints are marked critical.
    excluded_dns_names Sequence[str]
    Contains excluded DNS names. Any DNS name that can be constructed by simply adding zero or more labels to the left-hand side of the name satisfies the name constraint. For example, example.com, www.example.com, www.sub.example.com would satisfy example.com while example1.com does not.
    excluded_email_addresses Sequence[str]
    Contains the excluded email addresses. The value can be a particular email address, a hostname to indicate all email addresses on that host or a domain with a leading period (e.g. .example.com) to indicate all email addresses in that domain.
    excluded_ip_ranges Sequence[str]
    Contains the excluded IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.
    excluded_uris Sequence[str]
    Contains the excluded URIs that apply to the host part of the name. The value can be a hostname or a domain with a leading period (like .example.com)
    permitted_dns_names Sequence[str]
    Contains permitted DNS names. Any DNS name that can be constructed by simply adding zero or more labels to the left-hand side of the name satisfies the name constraint. For example, example.com, www.example.com, www.sub.example.com would satisfy example.com while example1.com does not.
    permitted_email_addresses Sequence[str]
    Contains the permitted email addresses. The value can be a particular email address, a hostname to indicate all email addresses on that host or a domain with a leading period (e.g. .example.com) to indicate all email addresses in that domain.
    permitted_ip_ranges Sequence[str]
    Contains the permitted IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.
    permitted_uris Sequence[str]
    Contains the permitted URIs that apply to the host part of the name. The value can be a hostname or a domain with a leading period (like .example.com)
    critical Boolean
    Indicates whether or not the name constraints are marked critical.
    excludedDnsNames List<String>
    Contains excluded DNS names. Any DNS name that can be constructed by simply adding zero or more labels to the left-hand side of the name satisfies the name constraint. For example, example.com, www.example.com, www.sub.example.com would satisfy example.com while example1.com does not.
    excludedEmailAddresses List<String>
    Contains the excluded email addresses. The value can be a particular email address, a hostname to indicate all email addresses on that host or a domain with a leading period (e.g. .example.com) to indicate all email addresses in that domain.
    excludedIpRanges List<String>
    Contains the excluded IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.
    excludedUris List<String>
    Contains the excluded URIs that apply to the host part of the name. The value can be a hostname or a domain with a leading period (like .example.com)
    permittedDnsNames List<String>
    Contains permitted DNS names. Any DNS name that can be constructed by simply adding zero or more labels to the left-hand side of the name satisfies the name constraint. For example, example.com, www.example.com, www.sub.example.com would satisfy example.com while example1.com does not.
    permittedEmailAddresses List<String>
    Contains the permitted email addresses. The value can be a particular email address, a hostname to indicate all email addresses on that host or a domain with a leading period (e.g. .example.com) to indicate all email addresses in that domain.
    permittedIpRanges List<String>
    Contains the permitted IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.
    permittedUris List<String>
    Contains the permitted URIs that apply to the host part of the name. The value can be a hostname or a domain with a leading period (like .example.com)

    CertificateCertificateDescriptionX509DescriptionPolicyId, CertificateCertificateDescriptionX509DescriptionPolicyIdArgs

    ObjectIdPaths List<int>
    An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
    ObjectIdPaths []int
    An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
    objectIdPaths List<Integer>
    An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
    objectIdPaths number[]
    An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
    object_id_paths Sequence[int]
    An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
    objectIdPaths List<Number>
    An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.

    CertificateConfig, CertificateConfigArgs

    PublicKey CertificateConfigPublicKey

    A PublicKey describes a public key. Structure is documented below.

    The x509_config block supports:

    SubjectConfig CertificateConfigSubjectConfig
    Specifies some of the values in a certificate that are related to the subject. Structure is documented below.
    X509Config CertificateConfigX509Config
    Describes how some of the technical X.509 fields in a certificate should be populated. Structure is documented below.
    SubjectKeyId CertificateConfigSubjectKeyId
    When specified this provides a custom SKI to be used in the certificate. This should only be used to maintain a SKI of an existing CA originally created outside CA service, which was not generated using method (1) described in RFC 5280 section 4.2.1.2.. Structure is documented below.
    PublicKey CertificateConfigPublicKey

    A PublicKey describes a public key. Structure is documented below.

    The x509_config block supports:

    SubjectConfig CertificateConfigSubjectConfig
    Specifies some of the values in a certificate that are related to the subject. Structure is documented below.
    X509Config CertificateConfigX509Config
    Describes how some of the technical X.509 fields in a certificate should be populated. Structure is documented below.
    SubjectKeyId CertificateConfigSubjectKeyId
    When specified this provides a custom SKI to be used in the certificate. This should only be used to maintain a SKI of an existing CA originally created outside CA service, which was not generated using method (1) described in RFC 5280 section 4.2.1.2.. Structure is documented below.
    publicKey CertificateConfigPublicKey

    A PublicKey describes a public key. Structure is documented below.

    The x509_config block supports:

    subjectConfig CertificateConfigSubjectConfig
    Specifies some of the values in a certificate that are related to the subject. Structure is documented below.
    x509Config CertificateConfigX509Config
    Describes how some of the technical X.509 fields in a certificate should be populated. Structure is documented below.
    subjectKeyId CertificateConfigSubjectKeyId
    When specified this provides a custom SKI to be used in the certificate. This should only be used to maintain a SKI of an existing CA originally created outside CA service, which was not generated using method (1) described in RFC 5280 section 4.2.1.2.. Structure is documented below.
    publicKey CertificateConfigPublicKey

    A PublicKey describes a public key. Structure is documented below.

    The x509_config block supports:

    subjectConfig CertificateConfigSubjectConfig
    Specifies some of the values in a certificate that are related to the subject. Structure is documented below.
    x509Config CertificateConfigX509Config
    Describes how some of the technical X.509 fields in a certificate should be populated. Structure is documented below.
    subjectKeyId CertificateConfigSubjectKeyId
    When specified this provides a custom SKI to be used in the certificate. This should only be used to maintain a SKI of an existing CA originally created outside CA service, which was not generated using method (1) described in RFC 5280 section 4.2.1.2.. Structure is documented below.
    public_key CertificateConfigPublicKey

    A PublicKey describes a public key. Structure is documented below.

    The x509_config block supports:

    subject_config CertificateConfigSubjectConfig
    Specifies some of the values in a certificate that are related to the subject. Structure is documented below.
    x509_config CertificateConfigX509Config
    Describes how some of the technical X.509 fields in a certificate should be populated. Structure is documented below.
    subject_key_id CertificateConfigSubjectKeyId
    When specified this provides a custom SKI to be used in the certificate. This should only be used to maintain a SKI of an existing CA originally created outside CA service, which was not generated using method (1) described in RFC 5280 section 4.2.1.2.. Structure is documented below.
    publicKey Property Map

    A PublicKey describes a public key. Structure is documented below.

    The x509_config block supports:

    subjectConfig Property Map
    Specifies some of the values in a certificate that are related to the subject. Structure is documented below.
    x509Config Property Map
    Describes how some of the technical X.509 fields in a certificate should be populated. Structure is documented below.
    subjectKeyId Property Map
    When specified this provides a custom SKI to be used in the certificate. This should only be used to maintain a SKI of an existing CA originally created outside CA service, which was not generated using method (1) described in RFC 5280 section 4.2.1.2.. Structure is documented below.

    CertificateConfigPublicKey, CertificateConfigPublicKeyArgs

    Format string
    The format of the public key. Currently, only PEM format is supported. Possible values are: KEY_TYPE_UNSPECIFIED, PEM.
    Key string
    Required. A public key. When this is specified in a request, the padding and encoding can be any of the options described by the respective 'KeyType' value. When this is generated by the service, it will always be an RFC 5280 SubjectPublicKeyInfo structure containing an algorithm identifier and a key. A base64-encoded string.
    Format string
    The format of the public key. Currently, only PEM format is supported. Possible values are: KEY_TYPE_UNSPECIFIED, PEM.
    Key string
    Required. A public key. When this is specified in a request, the padding and encoding can be any of the options described by the respective 'KeyType' value. When this is generated by the service, it will always be an RFC 5280 SubjectPublicKeyInfo structure containing an algorithm identifier and a key. A base64-encoded string.
    format String
    The format of the public key. Currently, only PEM format is supported. Possible values are: KEY_TYPE_UNSPECIFIED, PEM.
    key String
    Required. A public key. When this is specified in a request, the padding and encoding can be any of the options described by the respective 'KeyType' value. When this is generated by the service, it will always be an RFC 5280 SubjectPublicKeyInfo structure containing an algorithm identifier and a key. A base64-encoded string.
    format string
    The format of the public key. Currently, only PEM format is supported. Possible values are: KEY_TYPE_UNSPECIFIED, PEM.
    key string
    Required. A public key. When this is specified in a request, the padding and encoding can be any of the options described by the respective 'KeyType' value. When this is generated by the service, it will always be an RFC 5280 SubjectPublicKeyInfo structure containing an algorithm identifier and a key. A base64-encoded string.
    format str
    The format of the public key. Currently, only PEM format is supported. Possible values are: KEY_TYPE_UNSPECIFIED, PEM.
    key str
    Required. A public key. When this is specified in a request, the padding and encoding can be any of the options described by the respective 'KeyType' value. When this is generated by the service, it will always be an RFC 5280 SubjectPublicKeyInfo structure containing an algorithm identifier and a key. A base64-encoded string.
    format String
    The format of the public key. Currently, only PEM format is supported. Possible values are: KEY_TYPE_UNSPECIFIED, PEM.
    key String
    Required. A public key. When this is specified in a request, the padding and encoding can be any of the options described by the respective 'KeyType' value. When this is generated by the service, it will always be an RFC 5280 SubjectPublicKeyInfo structure containing an algorithm identifier and a key. A base64-encoded string.

    CertificateConfigSubjectConfig, CertificateConfigSubjectConfigArgs

    Subject CertificateConfigSubjectConfigSubject
    Contains distinguished name fields such as the location and organization. Structure is documented below.
    SubjectAltName CertificateConfigSubjectConfigSubjectAltName
    The subject alternative name fields. Structure is documented below.
    Subject CertificateConfigSubjectConfigSubject
    Contains distinguished name fields such as the location and organization. Structure is documented below.
    SubjectAltName CertificateConfigSubjectConfigSubjectAltName
    The subject alternative name fields. Structure is documented below.
    subject CertificateConfigSubjectConfigSubject
    Contains distinguished name fields such as the location and organization. Structure is documented below.
    subjectAltName CertificateConfigSubjectConfigSubjectAltName
    The subject alternative name fields. Structure is documented below.
    subject CertificateConfigSubjectConfigSubject
    Contains distinguished name fields such as the location and organization. Structure is documented below.
    subjectAltName CertificateConfigSubjectConfigSubjectAltName
    The subject alternative name fields. Structure is documented below.
    subject CertificateConfigSubjectConfigSubject
    Contains distinguished name fields such as the location and organization. Structure is documented below.
    subject_alt_name CertificateConfigSubjectConfigSubjectAltName
    The subject alternative name fields. Structure is documented below.
    subject Property Map
    Contains distinguished name fields such as the location and organization. Structure is documented below.
    subjectAltName Property Map
    The subject alternative name fields. Structure is documented below.

    CertificateConfigSubjectConfigSubject, CertificateConfigSubjectConfigSubjectArgs

    CommonName string
    The common name of the distinguished name.
    Organization string
    The organization of the subject.
    CountryCode string
    The country code of the subject.
    Locality string
    The locality or city of the subject.
    OrganizationalUnit string
    The organizational unit of the subject.
    PostalCode string
    The postal code of the subject.
    Province string
    The province, territory, or regional state of the subject.
    StreetAddress string
    The street address of the subject.
    CommonName string
    The common name of the distinguished name.
    Organization string
    The organization of the subject.
    CountryCode string
    The country code of the subject.
    Locality string
    The locality or city of the subject.
    OrganizationalUnit string
    The organizational unit of the subject.
    PostalCode string
    The postal code of the subject.
    Province string
    The province, territory, or regional state of the subject.
    StreetAddress string
    The street address of the subject.
    commonName String
    The common name of the distinguished name.
    organization String
    The organization of the subject.
    countryCode String
    The country code of the subject.
    locality String
    The locality or city of the subject.
    organizationalUnit String
    The organizational unit of the subject.
    postalCode String
    The postal code of the subject.
    province String
    The province, territory, or regional state of the subject.
    streetAddress String
    The street address of the subject.
    commonName string
    The common name of the distinguished name.
    organization string
    The organization of the subject.
    countryCode string
    The country code of the subject.
    locality string
    The locality or city of the subject.
    organizationalUnit string
    The organizational unit of the subject.
    postalCode string
    The postal code of the subject.
    province string
    The province, territory, or regional state of the subject.
    streetAddress string
    The street address of the subject.
    common_name str
    The common name of the distinguished name.
    organization str
    The organization of the subject.
    country_code str
    The country code of the subject.
    locality str
    The locality or city of the subject.
    organizational_unit str
    The organizational unit of the subject.
    postal_code str
    The postal code of the subject.
    province str
    The province, territory, or regional state of the subject.
    street_address str
    The street address of the subject.
    commonName String
    The common name of the distinguished name.
    organization String
    The organization of the subject.
    countryCode String
    The country code of the subject.
    locality String
    The locality or city of the subject.
    organizationalUnit String
    The organizational unit of the subject.
    postalCode String
    The postal code of the subject.
    province String
    The province, territory, or regional state of the subject.
    streetAddress String
    The street address of the subject.

    CertificateConfigSubjectConfigSubjectAltName, CertificateConfigSubjectConfigSubjectAltNameArgs

    DnsNames List<string>
    Contains only valid, fully-qualified host names.
    EmailAddresses List<string>
    Contains only valid RFC 2822 E-mail addresses.
    IpAddresses List<string>
    Contains only valid 32-bit IPv4 addresses or RFC 4291 IPv6 addresses.
    Uris List<string>
    Contains only valid RFC 3986 URIs.
    DnsNames []string
    Contains only valid, fully-qualified host names.
    EmailAddresses []string
    Contains only valid RFC 2822 E-mail addresses.
    IpAddresses []string
    Contains only valid 32-bit IPv4 addresses or RFC 4291 IPv6 addresses.
    Uris []string
    Contains only valid RFC 3986 URIs.
    dnsNames List<String>
    Contains only valid, fully-qualified host names.
    emailAddresses List<String>
    Contains only valid RFC 2822 E-mail addresses.
    ipAddresses List<String>
    Contains only valid 32-bit IPv4 addresses or RFC 4291 IPv6 addresses.
    uris List<String>
    Contains only valid RFC 3986 URIs.
    dnsNames string[]
    Contains only valid, fully-qualified host names.
    emailAddresses string[]
    Contains only valid RFC 2822 E-mail addresses.
    ipAddresses string[]
    Contains only valid 32-bit IPv4 addresses or RFC 4291 IPv6 addresses.
    uris string[]
    Contains only valid RFC 3986 URIs.
    dns_names Sequence[str]
    Contains only valid, fully-qualified host names.
    email_addresses Sequence[str]
    Contains only valid RFC 2822 E-mail addresses.
    ip_addresses Sequence[str]
    Contains only valid 32-bit IPv4 addresses or RFC 4291 IPv6 addresses.
    uris Sequence[str]
    Contains only valid RFC 3986 URIs.
    dnsNames List<String>
    Contains only valid, fully-qualified host names.
    emailAddresses List<String>
    Contains only valid RFC 2822 E-mail addresses.
    ipAddresses List<String>
    Contains only valid 32-bit IPv4 addresses or RFC 4291 IPv6 addresses.
    uris List<String>
    Contains only valid RFC 3986 URIs.

    CertificateConfigSubjectKeyId, CertificateConfigSubjectKeyIdArgs

    KeyId string
    The value of the KeyId in lowercase hexidecimal.
    KeyId string
    The value of the KeyId in lowercase hexidecimal.
    keyId String
    The value of the KeyId in lowercase hexidecimal.
    keyId string
    The value of the KeyId in lowercase hexidecimal.
    key_id str
    The value of the KeyId in lowercase hexidecimal.
    keyId String
    The value of the KeyId in lowercase hexidecimal.

    CertificateConfigX509Config, CertificateConfigX509ConfigArgs

    KeyUsage CertificateConfigX509ConfigKeyUsage
    (Output) Indicates the intended use for keys that correspond to a certificate. Structure is documented below.
    AdditionalExtensions List<CertificateConfigX509ConfigAdditionalExtension>
    (Output) Describes custom X.509 extensions. Structure is documented below.
    AiaOcspServers List<string>
    (Output) Describes Online Certificate Status Protocol (OCSP) endpoint addresses that appear in the "Authority Information Access" extension in the certificate.
    CaOptions CertificateConfigX509ConfigCaOptions
    (Output) Describes values that are relevant in a CA certificate. Structure is documented below.
    NameConstraints CertificateConfigX509ConfigNameConstraints
    (Output) Describes the X.509 name constraints extension. Structure is documented below.
    PolicyIds List<CertificateConfigX509ConfigPolicyId>
    (Output) Describes the X.509 certificate policy object identifiers, per https://tools.ietf.org/html/rfc5280#section-4.2.1.4. Structure is documented below.
    KeyUsage CertificateConfigX509ConfigKeyUsage
    (Output) Indicates the intended use for keys that correspond to a certificate. Structure is documented below.
    AdditionalExtensions []CertificateConfigX509ConfigAdditionalExtension
    (Output) Describes custom X.509 extensions. Structure is documented below.
    AiaOcspServers []string
    (Output) Describes Online Certificate Status Protocol (OCSP) endpoint addresses that appear in the "Authority Information Access" extension in the certificate.
    CaOptions CertificateConfigX509ConfigCaOptions
    (Output) Describes values that are relevant in a CA certificate. Structure is documented below.
    NameConstraints CertificateConfigX509ConfigNameConstraints
    (Output) Describes the X.509 name constraints extension. Structure is documented below.
    PolicyIds []CertificateConfigX509ConfigPolicyId
    (Output) Describes the X.509 certificate policy object identifiers, per https://tools.ietf.org/html/rfc5280#section-4.2.1.4. Structure is documented below.
    keyUsage CertificateConfigX509ConfigKeyUsage
    (Output) Indicates the intended use for keys that correspond to a certificate. Structure is documented below.
    additionalExtensions List<CertificateConfigX509ConfigAdditionalExtension>
    (Output) Describes custom X.509 extensions. Structure is documented below.
    aiaOcspServers List<String>
    (Output) Describes Online Certificate Status Protocol (OCSP) endpoint addresses that appear in the "Authority Information Access" extension in the certificate.
    caOptions CertificateConfigX509ConfigCaOptions
    (Output) Describes values that are relevant in a CA certificate. Structure is documented below.
    nameConstraints CertificateConfigX509ConfigNameConstraints
    (Output) Describes the X.509 name constraints extension. Structure is documented below.
    policyIds List<CertificateConfigX509ConfigPolicyId>
    (Output) Describes the X.509 certificate policy object identifiers, per https://tools.ietf.org/html/rfc5280#section-4.2.1.4. Structure is documented below.
    keyUsage CertificateConfigX509ConfigKeyUsage
    (Output) Indicates the intended use for keys that correspond to a certificate. Structure is documented below.
    additionalExtensions CertificateConfigX509ConfigAdditionalExtension[]
    (Output) Describes custom X.509 extensions. Structure is documented below.
    aiaOcspServers string[]
    (Output) Describes Online Certificate Status Protocol (OCSP) endpoint addresses that appear in the "Authority Information Access" extension in the certificate.
    caOptions CertificateConfigX509ConfigCaOptions
    (Output) Describes values that are relevant in a CA certificate. Structure is documented below.
    nameConstraints CertificateConfigX509ConfigNameConstraints
    (Output) Describes the X.509 name constraints extension. Structure is documented below.
    policyIds CertificateConfigX509ConfigPolicyId[]
    (Output) Describes the X.509 certificate policy object identifiers, per https://tools.ietf.org/html/rfc5280#section-4.2.1.4. Structure is documented below.
    key_usage CertificateConfigX509ConfigKeyUsage
    (Output) Indicates the intended use for keys that correspond to a certificate. Structure is documented below.
    additional_extensions Sequence[CertificateConfigX509ConfigAdditionalExtension]
    (Output) Describes custom X.509 extensions. Structure is documented below.
    aia_ocsp_servers Sequence[str]
    (Output) Describes Online Certificate Status Protocol (OCSP) endpoint addresses that appear in the "Authority Information Access" extension in the certificate.
    ca_options CertificateConfigX509ConfigCaOptions
    (Output) Describes values that are relevant in a CA certificate. Structure is documented below.
    name_constraints CertificateConfigX509ConfigNameConstraints
    (Output) Describes the X.509 name constraints extension. Structure is documented below.
    policy_ids Sequence[CertificateConfigX509ConfigPolicyId]
    (Output) Describes the X.509 certificate policy object identifiers, per https://tools.ietf.org/html/rfc5280#section-4.2.1.4. Structure is documented below.
    keyUsage Property Map
    (Output) Indicates the intended use for keys that correspond to a certificate. Structure is documented below.
    additionalExtensions List<Property Map>
    (Output) Describes custom X.509 extensions. Structure is documented below.
    aiaOcspServers List<String>
    (Output) Describes Online Certificate Status Protocol (OCSP) endpoint addresses that appear in the "Authority Information Access" extension in the certificate.
    caOptions Property Map
    (Output) Describes values that are relevant in a CA certificate. Structure is documented below.
    nameConstraints Property Map
    (Output) Describes the X.509 name constraints extension. Structure is documented below.
    policyIds List<Property Map>
    (Output) Describes the X.509 certificate policy object identifiers, per https://tools.ietf.org/html/rfc5280#section-4.2.1.4. Structure is documented below.

    CertificateConfigX509ConfigAdditionalExtension, CertificateConfigX509ConfigAdditionalExtensionArgs

    Critical bool
    Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error).
    ObjectId CertificateConfigX509ConfigAdditionalExtensionObjectId
    Describes values that are relevant in a CA certificate. Structure is documented below.
    Value string
    The value of this X.509 extension. A base64-encoded string.
    Critical bool
    Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error).
    ObjectId CertificateConfigX509ConfigAdditionalExtensionObjectId
    Describes values that are relevant in a CA certificate. Structure is documented below.
    Value string
    The value of this X.509 extension. A base64-encoded string.
    critical Boolean
    Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error).
    objectId CertificateConfigX509ConfigAdditionalExtensionObjectId
    Describes values that are relevant in a CA certificate. Structure is documented below.
    value String
    The value of this X.509 extension. A base64-encoded string.
    critical boolean
    Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error).
    objectId CertificateConfigX509ConfigAdditionalExtensionObjectId
    Describes values that are relevant in a CA certificate. Structure is documented below.
    value string
    The value of this X.509 extension. A base64-encoded string.
    critical bool
    Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error).
    object_id CertificateConfigX509ConfigAdditionalExtensionObjectId
    Describes values that are relevant in a CA certificate. Structure is documented below.
    value str
    The value of this X.509 extension. A base64-encoded string.
    critical Boolean
    Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error).
    objectId Property Map
    Describes values that are relevant in a CA certificate. Structure is documented below.
    value String
    The value of this X.509 extension. A base64-encoded string.

    CertificateConfigX509ConfigAdditionalExtensionObjectId, CertificateConfigX509ConfigAdditionalExtensionObjectIdArgs

    ObjectIdPaths List<int>
    An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
    ObjectIdPaths []int
    An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
    objectIdPaths List<Integer>
    An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
    objectIdPaths number[]
    An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
    object_id_paths Sequence[int]
    An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
    objectIdPaths List<Number>
    An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.

    CertificateConfigX509ConfigCaOptions, CertificateConfigX509ConfigCaOptionsArgs

    IsCa bool
    When true, the "CA" in Basic Constraints extension will be set to true.
    MaxIssuerPathLength int
    Refers to the "path length constraint" in Basic Constraints extension. For a CA certificate, this value describes the depth of subordinate CA certificates that are allowed. If this value is less than 0, the request will fail.
    NonCa bool
    When true, the "CA" in Basic Constraints extension will be set to false. If both is_ca and non_ca are unset, the extension will be omitted from the CA certificate.
    ZeroMaxIssuerPathLength bool
    When true, the "path length constraint" in Basic Constraints extension will be set to 0. if both max_issuer_path_length and zero_max_issuer_path_length are unset, the max path length will be omitted from the CA certificate.
    IsCa bool
    When true, the "CA" in Basic Constraints extension will be set to true.
    MaxIssuerPathLength int
    Refers to the "path length constraint" in Basic Constraints extension. For a CA certificate, this value describes the depth of subordinate CA certificates that are allowed. If this value is less than 0, the request will fail.
    NonCa bool
    When true, the "CA" in Basic Constraints extension will be set to false. If both is_ca and non_ca are unset, the extension will be omitted from the CA certificate.
    ZeroMaxIssuerPathLength bool
    When true, the "path length constraint" in Basic Constraints extension will be set to 0. if both max_issuer_path_length and zero_max_issuer_path_length are unset, the max path length will be omitted from the CA certificate.
    isCa Boolean
    When true, the "CA" in Basic Constraints extension will be set to true.
    maxIssuerPathLength Integer
    Refers to the "path length constraint" in Basic Constraints extension. For a CA certificate, this value describes the depth of subordinate CA certificates that are allowed. If this value is less than 0, the request will fail.
    nonCa Boolean
    When true, the "CA" in Basic Constraints extension will be set to false. If both is_ca and non_ca are unset, the extension will be omitted from the CA certificate.
    zeroMaxIssuerPathLength Boolean
    When true, the "path length constraint" in Basic Constraints extension will be set to 0. if both max_issuer_path_length and zero_max_issuer_path_length are unset, the max path length will be omitted from the CA certificate.
    isCa boolean
    When true, the "CA" in Basic Constraints extension will be set to true.
    maxIssuerPathLength number
    Refers to the "path length constraint" in Basic Constraints extension. For a CA certificate, this value describes the depth of subordinate CA certificates that are allowed. If this value is less than 0, the request will fail.
    nonCa boolean
    When true, the "CA" in Basic Constraints extension will be set to false. If both is_ca and non_ca are unset, the extension will be omitted from the CA certificate.
    zeroMaxIssuerPathLength boolean
    When true, the "path length constraint" in Basic Constraints extension will be set to 0. if both max_issuer_path_length and zero_max_issuer_path_length are unset, the max path length will be omitted from the CA certificate.
    is_ca bool
    When true, the "CA" in Basic Constraints extension will be set to true.
    max_issuer_path_length int
    Refers to the "path length constraint" in Basic Constraints extension. For a CA certificate, this value describes the depth of subordinate CA certificates that are allowed. If this value is less than 0, the request will fail.
    non_ca bool
    When true, the "CA" in Basic Constraints extension will be set to false. If both is_ca and non_ca are unset, the extension will be omitted from the CA certificate.
    zero_max_issuer_path_length bool
    When true, the "path length constraint" in Basic Constraints extension will be set to 0. if both max_issuer_path_length and zero_max_issuer_path_length are unset, the max path length will be omitted from the CA certificate.
    isCa Boolean
    When true, the "CA" in Basic Constraints extension will be set to true.
    maxIssuerPathLength Number
    Refers to the "path length constraint" in Basic Constraints extension. For a CA certificate, this value describes the depth of subordinate CA certificates that are allowed. If this value is less than 0, the request will fail.
    nonCa Boolean
    When true, the "CA" in Basic Constraints extension will be set to false. If both is_ca and non_ca are unset, the extension will be omitted from the CA certificate.
    zeroMaxIssuerPathLength Boolean
    When true, the "path length constraint" in Basic Constraints extension will be set to 0. if both max_issuer_path_length and zero_max_issuer_path_length are unset, the max path length will be omitted from the CA certificate.

    CertificateConfigX509ConfigKeyUsage, CertificateConfigX509ConfigKeyUsageArgs

    BaseKeyUsage CertificateConfigX509ConfigKeyUsageBaseKeyUsage
    Describes high-level ways in which a key may be used. Structure is documented below.
    ExtendedKeyUsage CertificateConfigX509ConfigKeyUsageExtendedKeyUsage
    Describes high-level ways in which a key may be used. Structure is documented below.
    UnknownExtendedKeyUsages List<CertificateConfigX509ConfigKeyUsageUnknownExtendedKeyUsage>
    An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. Structure is documented below.
    BaseKeyUsage CertificateConfigX509ConfigKeyUsageBaseKeyUsage
    Describes high-level ways in which a key may be used. Structure is documented below.
    ExtendedKeyUsage CertificateConfigX509ConfigKeyUsageExtendedKeyUsage
    Describes high-level ways in which a key may be used. Structure is documented below.
    UnknownExtendedKeyUsages []CertificateConfigX509ConfigKeyUsageUnknownExtendedKeyUsage
    An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. Structure is documented below.
    baseKeyUsage CertificateConfigX509ConfigKeyUsageBaseKeyUsage
    Describes high-level ways in which a key may be used. Structure is documented below.
    extendedKeyUsage CertificateConfigX509ConfigKeyUsageExtendedKeyUsage
    Describes high-level ways in which a key may be used. Structure is documented below.
    unknownExtendedKeyUsages List<CertificateConfigX509ConfigKeyUsageUnknownExtendedKeyUsage>
    An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. Structure is documented below.
    baseKeyUsage CertificateConfigX509ConfigKeyUsageBaseKeyUsage
    Describes high-level ways in which a key may be used. Structure is documented below.
    extendedKeyUsage CertificateConfigX509ConfigKeyUsageExtendedKeyUsage
    Describes high-level ways in which a key may be used. Structure is documented below.
    unknownExtendedKeyUsages CertificateConfigX509ConfigKeyUsageUnknownExtendedKeyUsage[]
    An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. Structure is documented below.
    base_key_usage CertificateConfigX509ConfigKeyUsageBaseKeyUsage
    Describes high-level ways in which a key may be used. Structure is documented below.
    extended_key_usage CertificateConfigX509ConfigKeyUsageExtendedKeyUsage
    Describes high-level ways in which a key may be used. Structure is documented below.
    unknown_extended_key_usages Sequence[CertificateConfigX509ConfigKeyUsageUnknownExtendedKeyUsage]
    An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. Structure is documented below.
    baseKeyUsage Property Map
    Describes high-level ways in which a key may be used. Structure is documented below.
    extendedKeyUsage Property Map
    Describes high-level ways in which a key may be used. Structure is documented below.
    unknownExtendedKeyUsages List<Property Map>
    An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. Structure is documented below.

    CertificateConfigX509ConfigKeyUsageBaseKeyUsage, CertificateConfigX509ConfigKeyUsageBaseKeyUsageArgs

    CertSign bool
    The key may be used to sign certificates.
    ContentCommitment bool
    The key may be used for cryptographic commitments. Note that this may also be referred to as "non-repudiation".
    CrlSign bool
    The key may be used sign certificate revocation lists.
    DataEncipherment bool
    The key may be used to encipher data.
    DecipherOnly bool
    The key may be used to decipher only.
    DigitalSignature bool
    The key may be used for digital signatures.
    EncipherOnly bool
    The key may be used to encipher only.
    KeyAgreement bool
    The key may be used in a key agreement protocol.
    KeyEncipherment bool
    The key may be used to encipher other keys.
    CertSign bool
    The key may be used to sign certificates.
    ContentCommitment bool
    The key may be used for cryptographic commitments. Note that this may also be referred to as "non-repudiation".
    CrlSign bool
    The key may be used sign certificate revocation lists.
    DataEncipherment bool
    The key may be used to encipher data.
    DecipherOnly bool
    The key may be used to decipher only.
    DigitalSignature bool
    The key may be used for digital signatures.
    EncipherOnly bool
    The key may be used to encipher only.
    KeyAgreement bool
    The key may be used in a key agreement protocol.
    KeyEncipherment bool
    The key may be used to encipher other keys.
    certSign Boolean
    The key may be used to sign certificates.
    contentCommitment Boolean
    The key may be used for cryptographic commitments. Note that this may also be referred to as "non-repudiation".
    crlSign Boolean
    The key may be used sign certificate revocation lists.
    dataEncipherment Boolean
    The key may be used to encipher data.
    decipherOnly Boolean
    The key may be used to decipher only.
    digitalSignature Boolean
    The key may be used for digital signatures.
    encipherOnly Boolean
    The key may be used to encipher only.
    keyAgreement Boolean
    The key may be used in a key agreement protocol.
    keyEncipherment Boolean
    The key may be used to encipher other keys.
    certSign boolean
    The key may be used to sign certificates.
    contentCommitment boolean
    The key may be used for cryptographic commitments. Note that this may also be referred to as "non-repudiation".
    crlSign boolean
    The key may be used sign certificate revocation lists.
    dataEncipherment boolean
    The key may be used to encipher data.
    decipherOnly boolean
    The key may be used to decipher only.
    digitalSignature boolean
    The key may be used for digital signatures.
    encipherOnly boolean
    The key may be used to encipher only.
    keyAgreement boolean
    The key may be used in a key agreement protocol.
    keyEncipherment boolean
    The key may be used to encipher other keys.
    cert_sign bool
    The key may be used to sign certificates.
    content_commitment bool
    The key may be used for cryptographic commitments. Note that this may also be referred to as "non-repudiation".
    crl_sign bool
    The key may be used sign certificate revocation lists.
    data_encipherment bool
    The key may be used to encipher data.
    decipher_only bool
    The key may be used to decipher only.
    digital_signature bool
    The key may be used for digital signatures.
    encipher_only bool
    The key may be used to encipher only.
    key_agreement bool
    The key may be used in a key agreement protocol.
    key_encipherment bool
    The key may be used to encipher other keys.
    certSign Boolean
    The key may be used to sign certificates.
    contentCommitment Boolean
    The key may be used for cryptographic commitments. Note that this may also be referred to as "non-repudiation".
    crlSign Boolean
    The key may be used sign certificate revocation lists.
    dataEncipherment Boolean
    The key may be used to encipher data.
    decipherOnly Boolean
    The key may be used to decipher only.
    digitalSignature Boolean
    The key may be used for digital signatures.
    encipherOnly Boolean
    The key may be used to encipher only.
    keyAgreement Boolean
    The key may be used in a key agreement protocol.
    keyEncipherment Boolean
    The key may be used to encipher other keys.

    CertificateConfigX509ConfigKeyUsageExtendedKeyUsage, CertificateConfigX509ConfigKeyUsageExtendedKeyUsageArgs

    ClientAuth bool
    Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as "TLS WWW client authentication", though regularly used for non-WWW TLS.
    CodeSigning bool
    Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as "Signing of downloadable executable code client authentication".
    EmailProtection bool
    Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as "Email protection".
    OcspSigning bool
    Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as "Signing OCSP responses".
    ServerAuth bool
    Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as "TLS WWW server authentication", though regularly used for non-WWW TLS.
    TimeStamping bool
    Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as "Binding the hash of an object to a time".
    ClientAuth bool
    Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as "TLS WWW client authentication", though regularly used for non-WWW TLS.
    CodeSigning bool
    Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as "Signing of downloadable executable code client authentication".
    EmailProtection bool
    Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as "Email protection".
    OcspSigning bool
    Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as "Signing OCSP responses".
    ServerAuth bool
    Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as "TLS WWW server authentication", though regularly used for non-WWW TLS.
    TimeStamping bool
    Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as "Binding the hash of an object to a time".
    clientAuth Boolean
    Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as "TLS WWW client authentication", though regularly used for non-WWW TLS.
    codeSigning Boolean
    Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as "Signing of downloadable executable code client authentication".
    emailProtection Boolean
    Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as "Email protection".
    ocspSigning Boolean
    Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as "Signing OCSP responses".
    serverAuth Boolean
    Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as "TLS WWW server authentication", though regularly used for non-WWW TLS.
    timeStamping Boolean
    Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as "Binding the hash of an object to a time".
    clientAuth boolean
    Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as "TLS WWW client authentication", though regularly used for non-WWW TLS.
    codeSigning boolean
    Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as "Signing of downloadable executable code client authentication".
    emailProtection boolean
    Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as "Email protection".
    ocspSigning boolean
    Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as "Signing OCSP responses".
    serverAuth boolean
    Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as "TLS WWW server authentication", though regularly used for non-WWW TLS.
    timeStamping boolean
    Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as "Binding the hash of an object to a time".
    client_auth bool
    Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as "TLS WWW client authentication", though regularly used for non-WWW TLS.
    code_signing bool
    Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as "Signing of downloadable executable code client authentication".
    email_protection bool
    Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as "Email protection".
    ocsp_signing bool
    Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as "Signing OCSP responses".
    server_auth bool
    Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as "TLS WWW server authentication", though regularly used for non-WWW TLS.
    time_stamping bool
    Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as "Binding the hash of an object to a time".
    clientAuth Boolean
    Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as "TLS WWW client authentication", though regularly used for non-WWW TLS.
    codeSigning Boolean
    Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as "Signing of downloadable executable code client authentication".
    emailProtection Boolean
    Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as "Email protection".
    ocspSigning Boolean
    Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as "Signing OCSP responses".
    serverAuth Boolean
    Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as "TLS WWW server authentication", though regularly used for non-WWW TLS.
    timeStamping Boolean
    Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as "Binding the hash of an object to a time".

    CertificateConfigX509ConfigKeyUsageUnknownExtendedKeyUsage, CertificateConfigX509ConfigKeyUsageUnknownExtendedKeyUsageArgs

    ObjectIdPaths List<int>
    An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
    ObjectIdPaths []int
    An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
    objectIdPaths List<Integer>
    An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
    objectIdPaths number[]
    An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
    object_id_paths Sequence[int]
    An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
    objectIdPaths List<Number>
    An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.

    CertificateConfigX509ConfigNameConstraints, CertificateConfigX509ConfigNameConstraintsArgs

    Critical bool
    Indicates whether or not the name constraints are marked critical.
    ExcludedDnsNames List<string>
    Contains excluded DNS names. Any DNS name that can be constructed by simply adding zero or more labels to the left-hand side of the name satisfies the name constraint. For example, example.com, www.example.com, www.sub.example.com would satisfy example.com while example1.com does not.
    ExcludedEmailAddresses List<string>
    Contains the excluded email addresses. The value can be a particular email address, a hostname to indicate all email addresses on that host or a domain with a leading period (e.g. .example.com) to indicate all email addresses in that domain.
    ExcludedIpRanges List<string>
    Contains the excluded IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.
    ExcludedUris List<string>
    Contains the excluded URIs that apply to the host part of the name. The value can be a hostname or a domain with a leading period (like .example.com)
    PermittedDnsNames List<string>
    Contains permitted DNS names. Any DNS name that can be constructed by simply adding zero or more labels to the left-hand side of the name satisfies the name constraint. For example, example.com, www.example.com, www.sub.example.com would satisfy example.com while example1.com does not.
    PermittedEmailAddresses List<string>
    Contains the permitted email addresses. The value can be a particular email address, a hostname to indicate all email addresses on that host or a domain with a leading period (e.g. .example.com) to indicate all email addresses in that domain.
    PermittedIpRanges List<string>
    Contains the permitted IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.
    PermittedUris List<string>
    Contains the permitted URIs that apply to the host part of the name. The value can be a hostname or a domain with a leading period (like .example.com)
    Critical bool
    Indicates whether or not the name constraints are marked critical.
    ExcludedDnsNames []string
    Contains excluded DNS names. Any DNS name that can be constructed by simply adding zero or more labels to the left-hand side of the name satisfies the name constraint. For example, example.com, www.example.com, www.sub.example.com would satisfy example.com while example1.com does not.
    ExcludedEmailAddresses []string
    Contains the excluded email addresses. The value can be a particular email address, a hostname to indicate all email addresses on that host or a domain with a leading period (e.g. .example.com) to indicate all email addresses in that domain.
    ExcludedIpRanges []string
    Contains the excluded IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.
    ExcludedUris []string
    Contains the excluded URIs that apply to the host part of the name. The value can be a hostname or a domain with a leading period (like .example.com)
    PermittedDnsNames []string
    Contains permitted DNS names. Any DNS name that can be constructed by simply adding zero or more labels to the left-hand side of the name satisfies the name constraint. For example, example.com, www.example.com, www.sub.example.com would satisfy example.com while example1.com does not.
    PermittedEmailAddresses []string
    Contains the permitted email addresses. The value can be a particular email address, a hostname to indicate all email addresses on that host or a domain with a leading period (e.g. .example.com) to indicate all email addresses in that domain.
    PermittedIpRanges []string
    Contains the permitted IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.
    PermittedUris []string
    Contains the permitted URIs that apply to the host part of the name. The value can be a hostname or a domain with a leading period (like .example.com)
    critical Boolean
    Indicates whether or not the name constraints are marked critical.
    excludedDnsNames List<String>
    Contains excluded DNS names. Any DNS name that can be constructed by simply adding zero or more labels to the left-hand side of the name satisfies the name constraint. For example, example.com, www.example.com, www.sub.example.com would satisfy example.com while example1.com does not.
    excludedEmailAddresses List<String>
    Contains the excluded email addresses. The value can be a particular email address, a hostname to indicate all email addresses on that host or a domain with a leading period (e.g. .example.com) to indicate all email addresses in that domain.
    excludedIpRanges List<String>
    Contains the excluded IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.
    excludedUris List<String>
    Contains the excluded URIs that apply to the host part of the name. The value can be a hostname or a domain with a leading period (like .example.com)
    permittedDnsNames List<String>
    Contains permitted DNS names. Any DNS name that can be constructed by simply adding zero or more labels to the left-hand side of the name satisfies the name constraint. For example, example.com, www.example.com, www.sub.example.com would satisfy example.com while example1.com does not.
    permittedEmailAddresses List<String>
    Contains the permitted email addresses. The value can be a particular email address, a hostname to indicate all email addresses on that host or a domain with a leading period (e.g. .example.com) to indicate all email addresses in that domain.
    permittedIpRanges List<String>
    Contains the permitted IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.
    permittedUris List<String>
    Contains the permitted URIs that apply to the host part of the name. The value can be a hostname or a domain with a leading period (like .example.com)
    critical boolean
    Indicates whether or not the name constraints are marked critical.
    excludedDnsNames string[]
    Contains excluded DNS names. Any DNS name that can be constructed by simply adding zero or more labels to the left-hand side of the name satisfies the name constraint. For example, example.com, www.example.com, www.sub.example.com would satisfy example.com while example1.com does not.
    excludedEmailAddresses string[]
    Contains the excluded email addresses. The value can be a particular email address, a hostname to indicate all email addresses on that host or a domain with a leading period (e.g. .example.com) to indicate all email addresses in that domain.
    excludedIpRanges string[]
    Contains the excluded IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.
    excludedUris string[]
    Contains the excluded URIs that apply to the host part of the name. The value can be a hostname or a domain with a leading period (like .example.com)
    permittedDnsNames string[]
    Contains permitted DNS names. Any DNS name that can be constructed by simply adding zero or more labels to the left-hand side of the name satisfies the name constraint. For example, example.com, www.example.com, www.sub.example.com would satisfy example.com while example1.com does not.
    permittedEmailAddresses string[]
    Contains the permitted email addresses. The value can be a particular email address, a hostname to indicate all email addresses on that host or a domain with a leading period (e.g. .example.com) to indicate all email addresses in that domain.
    permittedIpRanges string[]
    Contains the permitted IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.
    permittedUris string[]
    Contains the permitted URIs that apply to the host part of the name. The value can be a hostname or a domain with a leading period (like .example.com)
    critical bool
    Indicates whether or not the name constraints are marked critical.
    excluded_dns_names Sequence[str]
    Contains excluded DNS names. Any DNS name that can be constructed by simply adding zero or more labels to the left-hand side of the name satisfies the name constraint. For example, example.com, www.example.com, www.sub.example.com would satisfy example.com while example1.com does not.
    excluded_email_addresses Sequence[str]
    Contains the excluded email addresses. The value can be a particular email address, a hostname to indicate all email addresses on that host or a domain with a leading period (e.g. .example.com) to indicate all email addresses in that domain.
    excluded_ip_ranges Sequence[str]
    Contains the excluded IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.
    excluded_uris Sequence[str]
    Contains the excluded URIs that apply to the host part of the name. The value can be a hostname or a domain with a leading period (like .example.com)
    permitted_dns_names Sequence[str]
    Contains permitted DNS names. Any DNS name that can be constructed by simply adding zero or more labels to the left-hand side of the name satisfies the name constraint. For example, example.com, www.example.com, www.sub.example.com would satisfy example.com while example1.com does not.
    permitted_email_addresses Sequence[str]
    Contains the permitted email addresses. The value can be a particular email address, a hostname to indicate all email addresses on that host or a domain with a leading period (e.g. .example.com) to indicate all email addresses in that domain.
    permitted_ip_ranges Sequence[str]
    Contains the permitted IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.
    permitted_uris Sequence[str]
    Contains the permitted URIs that apply to the host part of the name. The value can be a hostname or a domain with a leading period (like .example.com)
    critical Boolean
    Indicates whether or not the name constraints are marked critical.
    excludedDnsNames List<String>
    Contains excluded DNS names. Any DNS name that can be constructed by simply adding zero or more labels to the left-hand side of the name satisfies the name constraint. For example, example.com, www.example.com, www.sub.example.com would satisfy example.com while example1.com does not.
    excludedEmailAddresses List<String>
    Contains the excluded email addresses. The value can be a particular email address, a hostname to indicate all email addresses on that host or a domain with a leading period (e.g. .example.com) to indicate all email addresses in that domain.
    excludedIpRanges List<String>
    Contains the excluded IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.
    excludedUris List<String>
    Contains the excluded URIs that apply to the host part of the name. The value can be a hostname or a domain with a leading period (like .example.com)
    permittedDnsNames List<String>
    Contains permitted DNS names. Any DNS name that can be constructed by simply adding zero or more labels to the left-hand side of the name satisfies the name constraint. For example, example.com, www.example.com, www.sub.example.com would satisfy example.com while example1.com does not.
    permittedEmailAddresses List<String>
    Contains the permitted email addresses. The value can be a particular email address, a hostname to indicate all email addresses on that host or a domain with a leading period (e.g. .example.com) to indicate all email addresses in that domain.
    permittedIpRanges List<String>
    Contains the permitted IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.
    permittedUris List<String>
    Contains the permitted URIs that apply to the host part of the name. The value can be a hostname or a domain with a leading period (like .example.com)

    CertificateConfigX509ConfigPolicyId, CertificateConfigX509ConfigPolicyIdArgs

    ObjectIdPaths List<int>
    An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
    ObjectIdPaths []int
    An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
    objectIdPaths List<Integer>
    An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
    objectIdPaths number[]
    An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
    object_id_paths Sequence[int]
    An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
    objectIdPaths List<Number>
    An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.

    CertificateRevocationDetail, CertificateRevocationDetailArgs

    RevocationState string
    (Output) Indicates why a Certificate was revoked.
    RevocationTime string
    (Output) The time at which this Certificate was revoked.
    RevocationState string
    (Output) Indicates why a Certificate was revoked.
    RevocationTime string
    (Output) The time at which this Certificate was revoked.
    revocationState String
    (Output) Indicates why a Certificate was revoked.
    revocationTime String
    (Output) The time at which this Certificate was revoked.
    revocationState string
    (Output) Indicates why a Certificate was revoked.
    revocationTime string
    (Output) The time at which this Certificate was revoked.
    revocation_state str
    (Output) Indicates why a Certificate was revoked.
    revocation_time str
    (Output) The time at which this Certificate was revoked.
    revocationState String
    (Output) Indicates why a Certificate was revoked.
    revocationTime String
    (Output) The time at which this Certificate was revoked.

    Import

    Certificate can be imported using any of these accepted formats:

    • projects/{{project}}/locations/{{location}}/caPools/{{pool}}/certificates/{{name}}

    • {{project}}/{{location}}/{{pool}}/{{name}}

    • {{location}}/{{pool}}/{{name}}

    When using the pulumi import command, Certificate can be imported using one of the formats above. For example:

    $ pulumi import gcp:certificateauthority/certificate:Certificate default projects/{{project}}/locations/{{location}}/caPools/{{pool}}/certificates/{{name}}
    
    $ pulumi import gcp:certificateauthority/certificate:Certificate default {{project}}/{{location}}/{{pool}}/{{name}}
    
    $ pulumi import gcp:certificateauthority/certificate:Certificate default {{location}}/{{pool}}/{{name}}
    

    To learn more about importing existing cloud resources, see Importing resources.

    Package Details

    Repository
    Google Cloud (GCP) Classic pulumi/pulumi-gcp
    License
    Apache-2.0
    Notes
    This Pulumi package is based on the google-beta Terraform Provider.
    gcp logo
    Google Cloud Classic v8.9.3 published on Monday, Nov 18, 2024 by Pulumi