Google Certificate Authority Service Privateca Certificate Authority

google_privateca_certificate_authority (Terraform)

The Privateca Certificate Authority in Certificate Authority Service can be configured in Terraform with the resource name google_privateca_certificate_authority. The following sections describe 1 example of how to use the resource and its parameters.

Example Usage from GitHub

resource "google_privateca_certificate_authority" "this" {
    count = var.tls_disabled == true ? 0 : 1
  provider                 = google-beta
  location                 = var.ca_issuer_location
  project                  = var.project
  certificate_authority_id = local.boundary_name

Parameters

The following arguments are supported:

• location - (Required) Location of the CertificateAuthority. A full list of valid locations can be found by running gcloud privateca locations list.

• certificate_authority_id - (Required) The user provided Resource ID for this Certificate Authority.

• pool - (Required) The name of the CaPool this Certificate Authority belongs to.

• config - (Required) The config used to create a self-signed X.509 certificate or CSR. Structure is documented below.

• key_spec - (Required) Used when issuing certificates for this CertificateAuthority. If this CertificateAuthority is a self-signed CertificateAuthority, this key is also used to sign the self-signed CA certificate. Otherwise, it is used to sign a CSR. Structure is documented below.

The config block supports:

• x509_config - (Required) Describes how some of the technical X.509 fields in a certificate should be populated. Structure is documented below.

• subject_config - (Required) Specifies some of the values in a certificate that are related to the subject. Structure is documented below.

The x509_config block supports:

• additional_extensions - (Optional) Specifies an X.509 extension, which may be used in different parts of X.509 objects like certificates, CSRs, and CRLs. Structure is documented below.

• policy_ids - (Optional) Describes the X.509 certificate policy object identifiers, per https://tools.ietf.org/html/rfc5280#section-4.2.1.4. Structure is documented below.

• aia_ocsp_servers - (Optional) Describes Online Certificate Status Protocol (OCSP) endpoint addresses that appear in the "Authority Information Access" extension in the certificate.

• ca_options - (Required) Describes values that are relevant in a CA certificate. Structure is documented below.

• key_usage - (Required) Indicates the intended use for keys that correspond to a certificate. Structure is documented below.

The additional_extensions block supports:

• critical - (Required) Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error).

• value - (Required) The value of this X.509 extension. A base64-encoded string.

• object_id - (Required) Describes values that are relevant in a CA certificate. Structure is documented below.

The object_id block supports:

• object_id_path - (Required) An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.

The policy_ids block supports:

• object_id_path - (Required) An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.

The ca_options block supports:

• is_ca - (Required) Refers to the "CA" X.509 extension, which is a boolean value. When this value is missing, the extension will be omitted from the CA certificate.

• max_issuer_path_length - (Optional) Refers to the path length restriction X.509 extension. For a CA certificate, this value describes the depth of subordinate CA certificates that are allowed. If this value is less than 0, the request will fail. If this value is missing, the max path length will be omitted from the CA certificate.

The key_usage block supports:

• base_key_usage - (Required) Describes high-level ways in which a key may be used. Structure is documented below.

• extended_key_usage - (Required) Describes high-level ways in which a key may be used. Structure is documented below.

• unknown_extended_key_usages - (Optional) An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. Structure is documented below.

The base_key_usage block supports:

• digital_signature - (Optional) The key may be used for digital signatures.

• content_commitment - (Optional) The key may be used for cryptographic commitments. Note that this may also be referred to as "non-repudiation".

• key_encipherment - (Optional) The key may be used to encipher other keys.

• data_encipherment - (Optional) The key may be used to encipher data.

• key_agreement - (Optional) The key may be used in a key agreement protocol.

• cert_sign - (Optional) The key may be used to sign certificates.

• crl_sign - (Optional) The key may be used sign certificate revocation lists.

• encipher_only - (Optional) The key may be used to encipher only.

• decipher_only - (Optional) The key may be used to decipher only.

The extended_key_usage block supports:

• server_auth - (Optional) Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as "TLS WWW server authentication", though regularly used for non-WWW TLS.

• client_auth - (Optional) Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as "TLS WWW client authentication", though regularly used for non-WWW TLS.

• code_signing - (Optional) Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as "Signing of downloadable executable code client authentication".

• email_protection - (Optional) Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as "Email protection".

• time_stamping - (Optional) Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as "Binding the hash of an object to a time".

• ocsp_signing - (Optional) Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as "Signing OCSP responses".

The unknown_extended_key_usages block supports:

• object_id_path - (Required) An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.

The subject_config block supports:

• subject - (Required) Contains distinguished name fields such as the location and organization. Structure is documented below.

• subject_alt_name - (Optional) The subject alternative name fields. Structure is documented below.

The subject block supports:

• country_code - (Optional) The country code of the subject.

• organization - (Required) The organization of the subject.

• organizational_unit - (Optional) The organizational unit of the subject.

• locality - (Optional) The locality or city of the subject.

• province - (Optional) The province, territory, or regional state of the subject.

• street_address - (Optional) The street address of the subject.

• postal_code - (Optional) The postal code of the subject.

• common_name - (Required) The common name of the distinguished name.

The subject_alt_name block supports:

• dns_names - (Optional) Contains only valid, fully-qualified host names.

• uris - (Optional) Contains only valid RFC 3986 URIs.

• email_addresses - (Optional) Contains only valid RFC 2822 E-mail addresses.

• ip_addresses - (Optional) Contains only valid 32-bit IPv4 addresses or RFC 4291 IPv6 addresses.

The key_spec block supports:

• cloud_kms_key_version - (Optional) The resource name for an existing Cloud KMS CryptoKeyVersion in the format projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*.

• algorithm - (Optional) The algorithm to use for creating a managed Cloud KMS key for a for a simplified experience. All managed keys will be have their ProtectionLevel as HSM. Possible values are SIGN_HASH_ALGORITHM_UNSPECIFIED, RSA_PSS_2048_SHA256, RSA_PSS_3072_SHA256, RSA_PSS_4096_SHA256, RSA_PKCS1_2048_SHA256, RSA_PKCS1_3072_SHA256, RSA_PKCS1_4096_SHA256, EC_P256_SHA256, and EC_P384_SHA384.

---

• ignore_active_certificates_on_deletion - (Optional) This field allows the CA to be deleted even if the CA has active certs. Active certs include both unrevoked and unexpired certs. Use with care. Defaults to false.

• type - (Optional) The Type of this CertificateAuthority.

  Note: For SUBORDINATE Certificate Authorities, they need to be manually activated (via Cloud Console of gcloud) before they can issue certificates. Default value is SELF_SIGNED. Possible values are SELF_SIGNED and SUBORDINATE.

• lifetime - (Optional) The desired lifetime of the CA certificate. Used to create the "notBeforeTime" and "notAfterTime" fields inside an X.509 certificate. A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s".

• gcs_bucket - (Optional) The name of a Cloud Storage bucket where this CertificateAuthority will publish content, such as the CA certificate and CRLs. This must be a bucket name, without any prefixes (such as gs://) or suffixes (such as .googleapis.com). For example, to use a bucket named my-bucket, you would simply specify my-bucket. If not specified, a managed bucket will be created.

• labels - (Optional) Labels with user-defined metadata. An object containing a list of "key": value pairs. Example: [ "name": "wrench", "mass": "1.3kg", "count": "3" ].

• project - (Optional) The ID of the project in which the resource belongs. If it is not provided, the provider project is used.

In addition to the arguments listed above, the following computed attributes are exported:

• id - an identifier for the resource with format projects/[[project]]/locations/[[location]]/caPools/[[pool]]/certificateAuthorities/[[certificate_authority_id]]

• name - The resource name for this CertificateAuthority in the format projects//locations//certificateAuthorities/*.

• state - The State for this CertificateAuthority.

• pem_ca_certificates - This CertificateAuthority's certificate chain, including the current CertificateAuthority's certificate. Ordered such that the root issuer is the final element (consistent with RFC 5246). For a self-signed CA, this will only list the current CertificateAuthority's certificate.

• access_urls - URLs for accessing content published by this CA, such as the CA certificate and CRLs. Structure is documented below.

• create_time - The time at which this CertificateAuthority was created. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

• update_time - The time at which this CertificateAuthority was updated. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

The `access_urls` block contains:

• ca_certificate_access_url - The URL where this CertificateAuthority's CA certificate is published. This will only be set for CAs that have been activated.

• crl_access_url - The URL where this CertificateAuthority's CRLs are published. This will only be set for CAs that have been activated.

Explanation in Terraform Registry

A CertificateAuthority represents an individual Certificate Authority. A CertificateAuthority can be used to create Certificates. To get more information about CertificateAuthority, see:

• API documentation
• How-to Guides
  • Official Documentation