Google Certificate Authority Service Privateca Certificate
This page shows how to write Terraform for a Certificate Authority Service Privateca Certificate and how to write it securely.
google_privateca_certificate (Terraform)
The Privateca Certificate in Certificate Authority Service can be configured in Terraform with the resource name google_privateca_certificate. The following sections describe how to use the resource and its parameters.
Example Usage from GitHub
An example could not be found in GitHub.
Parameters
The following arguments are supported:
pool
- (Required) The name of the CaPool this Certificate belongs to.
name
- (Required) The name for this Certificate.
location
- (Required) Location of the Certificate. A full list of valid locations can be found by running gcloud privateca locations list.
lifetime
- (Optional) The desired lifetime of the CA certificate. Used to create the "notBeforeTime" and "notAfterTime" fields inside an X.509 certificate. A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s".
certificate_template
- (Optional) The resource name for a CertificateTemplate used to issue this certificate, in the format projects/*/locations/*/certificateTemplates/*. If this is specified, the caller must have the necessary permission to use this template. If this is omitted, no template will be used. This template must be in the same location as the Certificate.
labels
- (Optional) Labels with user-defined metadata to apply to this resource.
pem_csr
- (Optional) Immutable. A pem-encoded X.509 certificate signing request (CSR).
config
- (Optional) The config used to create a self-signed X.509 certificate or CSR. Structure is documented below.
certificate_authority
- (Optional) Certificate Authority name.
project
- (Optional) The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
The config block supports:
x509_config
- (Required) Describes how some of the technical X.509 fields in a certificate should be populated. Structure is documented below.
subject_config
- (Required) Specifies some of the values in a certificate that are related to the subject. Structure is documented below.
public_key
- (Required) A PublicKey describes a public key. Structure is documented below.
The x509_config block supports:
additional_extensions
- (Optional) Specifies an X.509 extension, which may be used in different parts of X.509 objects like certificates, CSRs, and CRLs. Structure is documented below.
policy_ids
- (Optional) Describes the X.509 certificate policy object identifiers, per https://tools.ietf.org/html/rfc5280#section-4.2.1.4. Structure is documented below.
aia_ocsp_servers
- (Optional) Describes Online Certificate Status Protocol (OCSP) endpoint addresses that appear in the "Authority Information Access" extension in the certificate.
ca_options
- (Optional) Describes values that are relevant in a CA certificate. Structure is documented below.
key_usage
- (Required) Indicates the intended use for keys that correspond to a certificate. Structure is documented below.
The additional_extensions block supports:
critical
- (Required) Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error).
value
- (Required) The value of this X.509 extension. A base64-encoded string.
object_id
- (Required) Describes values that are relevant in a CA certificate. Structure is documented below.
The object_id block supports:
object_id_path
- (Required) An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
The policy_ids block supports:
object_id_path
- (Required) An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
The ca_options block supports:
is_ca
- (Optional) Refers to the "CA" X.509 extension, which is a boolean value. When this value is missing, the extension will be omitted from the CA certificate.
max_issuer_path_length
- (Optional) Refers to the path length restriction X.509 extension. For a CA certificate, this value describes the depth of subordinate CA certificates that are allowed. If this value is less than 0, the request will fail. If this value is missing, the max path length will be omitted from the CA certificate.
The key_usage block supports:
base_key_usage
- (Required) Describes high-level ways in which a key may be used. Structure is documented below.
extended_key_usage
- (Required) Describes high-level ways in which a key may be used. Structure is documented below.
unknown_extended_key_usages
- (Optional) An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. Structure is documented below.
The base_key_usage block supports:
digital_signature
- (Optional) The key may be used for digital signatures.
content_commitment
- (Optional) The key may be used for cryptographic commitments. Note that this may also be referred to as "non-repudiation".
key_encipherment
- (Optional) The key may be used to encipher other keys.
data_encipherment
- (Optional) The key may be used to encipher data.
key_agreement
- (Optional) The key may be used in a key agreement protocol.
cert_sign
- (Optional) The key may be used to sign certificates.
crl_sign
- (Optional) The key may be used to sign certificate revocation lists.
encipher_only
- (Optional) The key may be used to encipher only.
decipher_only
- (Optional) The key may be used to decipher only.
The extended_key_usage block supports:
server_auth
- (Optional) Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as "TLS WWW server authentication", though regularly used for non-WWW TLS.
client_auth
- (Optional) Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as "TLS WWW client authentication", though regularly used for non-WWW TLS.
code_signing
- (Optional) Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as "Signing of downloadable executable code client authentication".
email_protection
- (Optional) Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as "Email protection".
time_stamping
- (Optional) Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as "Binding the hash of an object to a time".
ocsp_signing
- (Optional) Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as "Signing OCSP responses".
The unknown_extended_key_usages block supports:
object_id_path
- (Required) An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
The subject_config block supports:
subject
- (Required) Contains distinguished name fields such as the location and organization. Structure is documented below.
subject_alt_name
- (Optional) The subject alternative name fields. Structure is documented below.
The subject block supports:
country_code
- (Optional) The country code of the subject.
organization
- (Required) The organization of the subject.
organizational_unit
- (Optional) The organizational unit of the subject.
locality
- (Optional) The locality or city of the subject.
province
- (Optional) The province, territory, or regional state of the subject.
street_address
- (Optional) The street address of the subject.
postal_code
- (Optional) The postal code of the subject.
common_name
- (Required) The common name of the distinguished name.
The subject_alt_name block supports:
dns_names
- (Optional) Contains only valid, fully-qualified host names.
uris
- (Optional) Contains only valid RFC 3986 URIs.
email_addresses
- (Optional) Contains only valid RFC 2822 E-mail addresses.
ip_addresses
- (Optional) Contains only valid 32-bit IPv4 addresses or RFC 4291 IPv6 addresses.
The public_key block supports:
key
- (Optional) Required. A public key. When this is specified in a request, the padding and encoding can be any of the options described by the respective 'KeyType' value. When this is generated by the service, it will always be an RFC 5280 SubjectPublicKeyInfo structure containing an algorithm identifier and a key. A base64-encoded string.
format
- (Required) The format of the public key. Currently, only PEM format is supported. Possible values are KEY_TYPE_UNSPECIFIED and PEM.
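Since no example could be found on GitHub, the following is an added configuration, written for this page and not taken from the provider's own documentation, that issues a leaf TLS server certificate from the arguments described above. It assumes an existing CaPool and CA whose names are supplied through the variables ca_pool_name and certificate_authority_id (both assumptions), and the public-key file path is a placeholder. The settings follow a least-privilege shape: the certificate is explicitly marked as not a CA, the lifetime is short, and the key usages are limited to what a TLS server needs.

```hcl
# Added example, not from the page or the provider's docs. Assumes the CaPool
# and CA already exist; their names arrive through variables (assumption).
variable "ca_pool_name" {
  description = "Name of the existing CaPool (assumed to exist)"
  type        = string
}

variable "certificate_authority_id" {
  description = "Name of the existing Certificate Authority in that pool (assumed to exist)"
  type        = string
}

resource "google_privateca_certificate" "leaf_server" {
  pool                  = var.ca_pool_name
  certificate_authority = var.certificate_authority_id
  location              = "us-central1"
  name                  = "api-server-leaf"

  # Short lifetime for an end-entity certificate: 30 days, as a duration in
  # seconds terminated by 's' (the format the lifetime argument requires).
  lifetime = "2592000s"

  config {
    subject_config {
      subject {
        common_name  = "api.example.internal"
        organization = "Example Corp"
      }
      subject_alt_name {
        dns_names = ["api.example.internal"]
      }
    }

    x509_config {
      # Explicitly an end-entity certificate: it must never act as an issuer.
      ca_options {
        is_ca = false
      }

      # Least-privilege key usage: only what a TLS server needs, with the
      # CA-only usages (cert_sign, crl_sign) left off.
      key_usage {
        base_key_usage {
          digital_signature = true
          key_encipherment  = true
          cert_sign         = false
          crl_sign          = false
        }
        extended_key_usage {
          server_auth = true
          client_auth = false
        }
      }
    }

    # The caller supplies only the public key, so the private key never has to
    # leave the workload that generated it. Path is a placeholder.
    public_key {
      format = "PEM"
      key    = filebase64("PLACEHOLDER_PATH/api-server-public.pem")
    }
  }
}

# Computed attributes worth surfacing: the signed certificate itself and its
# expiry, taken from certificate_description.subject_description.
output "leaf_pem_certificate" {
  value = google_privateca_certificate.leaf_server.pem_certificate
}

output "leaf_not_after_time" {
  value = google_privateca_certificate.leaf_server.certificate_description[0].subject_description[0].not_after_time
}
```

If the workload instead generates its own key pair and produces a CSR, replace the config block with pem_csr = file("PLACEHOLDER_PATH/api-server.csr") (path is a placeholder); the page lists pem_csr as the CSR-based alternative to supplying config inline. Either way the private key is never handed to Terraform state.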
In addition to the arguments listed above, the following computed attributes are exported:
id
- an identifier for the resource with format projects/[[project]]/locations/[[location]]/caPools/[[pool]]/certificates/[[name]]
revocation_details
- Output only. Details regarding the revocation of this Certificate. This Certificate is considered revoked if and only if this field is present. Structure is documented below.
pem_certificate
- Output only. The pem-encoded, signed X.509 certificate.
certificate_description
- Output only. Details regarding the revocation of this Certificate. This Certificate is considered revoked if and only if this field is present. Structure is documented below.
pem_certificates
- Required. Expected to be in leaf-to-root order according to RFC 5246.
create_time
- The time that this resource was created on the server. This is in RFC3339 text format.
update_time
- Output only. The time at which this CertificateAuthority was updated. This is in RFC3339 text format.
The revocation_details block contains:
revocation_state
- Indicates why a Certificate was revoked.
revocation_time
- The time at which this Certificate was revoked.
The certificate_description block contains:
subject_description
- Describes some of the values in a certificate that are related to the subject and lifetime. Structure is documented below.
config_values
- Describes some of the technical fields in a certificate. Structure is documented below.
public_key
- A PublicKey describes a public key. Structure is documented below.
subject_key_id
- Provides a means of identifying certificates that contain a particular public key, per https://tools.ietf.org/html/rfc5280#section-4.2.1.2. Structure is documented below.
authority_key_id
- Identifies the subjectKeyId of the parent certificate, per https://tools.ietf.org/html/rfc5280#section-4.2.1.1. Structure is documented below.
crl_distribution_points
- Describes a list of locations to obtain CRL information, i.e. the DistributionPoint.fullName described by https://tools.ietf.org/html/rfc5280#section-4.2.1.13
aia_issuing_certificate_urls
- Describes lists of issuer CA certificate URLs that appear in the "Authority Information Access" extension in the certificate.
cert_fingerprint
- The hash of the x.509 certificate. Structure is documented below.
The subject_description block contains:
subject
- Contains distinguished name fields such as the location and organization. Structure is documented below.
subject_alt_name
- The subject alternative name fields. Structure is documented below.
hex_serial_number
- The serial number encoded in lowercase hexadecimal.
lifetime
- For convenience, the actual lifetime of an issued certificate. Corresponds to 'notAfterTime' - 'notBeforeTime'.
not_before_time
- The time at which the certificate becomes valid.
not_after_time
- The time at which the certificate expires.
The subject block contains:
country_code
- The country code of the subject.
organization
- The organization of the subject.
organizational_unit
- The organizationalUnit of the subject.
locality
- The locality or city of the subject.
province
- The province of the subject.
street_address
- The streetAddress or city of the subject.
postal_code
- The postalCode or city of the subject.
common_name
- The "common name" of the distinguished name.
The subject_alt_name block contains:
dns_names
- Contains only valid, fully-qualified host names.
uris
- Contains only valid RFC 3986 URIs.
email_addresses
- Contains only valid RFC 2822 E-mail addresses.
ip_addresses
- Contains only valid 32-bit IPv4 addresses or RFC 4291 IPv6 addresses.
custom_sans
- Contains additional subject alternative name values. Structure is documented below.
The custom_sans block contains:
object_id
- Describes how some of the technical fields in a certificate should be populated. Structure is documented below.
critical
- Required. Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error).
value
- The value of this X.509 extension.
The object_id block contains:
object_id_path
- An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
The config_values block contains:
key_usage
- Indicates the intended use for keys that correspond to a certificate. Structure is documented below.
The key_usage block contains:
base_key_usage
- Describes high-level ways in which a key may be used. Structure is documented below.
extended_key_usage
- Describes high-level ways in which a key may be used. Structure is documented below.
unknown_extended_key_usages
- An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. Structure is documented below.
The base_key_usage block contains:
key_usage_options
- Describes high-level ways in which a key may be used. Structure is documented below.
The key_usage_options block contains:
digital_signature
- The key may be used for digital signatures.
content_commitment
- The key may be used for cryptographic commitments. Note that this may also be referred to as "non-repudiation".
key_encipherment
- The key may be used to encipher other keys.
data_encipherment
- The key may be used to encipher data.
key_agreement
- The key may be used in a key agreement protocol.
cert_sign
- The key may be used to sign certificates.
crl_sign
- The key may be used to sign certificate revocation lists.
encipher_only
- The key may be used to encipher only.
decipher_only
- The key may be used to decipher only.
The extended_key_usage block contains:
server_auth
- Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as "TLS WWW server authentication", though regularly used for non-WWW TLS.
client_auth
- Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as "TLS WWW client authentication", though regularly used for non-WWW TLS.
code_signing
- Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as "Signing of downloadable executable code client authentication".
email_protection
- Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as "Email protection".
time_stamping
- Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as "Binding the hash of an object to a time".
ocsp_signing
- Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as "Signing OCSP responses".
The unknown_extended_key_usages block contains:
object_id
- Required. Describes how some of the technical fields in a certificate should be populated. Structure is documented below.
The object_id block contains:
object_id_path
- An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
The public_key block contains:
key
- Required. A public key. When this is specified in a request, the padding and encoding can be any of the options described by the respective 'KeyType' value. When this is generated by the service, it will always be an RFC 5280 SubjectPublicKeyInfo structure containing an algorithm identifier and a key. A base64-encoded string.
format
- The format of the public key. Currently, only PEM format is supported.
The subject_key_id block contains:
key_id
- Optional. The value of this KeyId encoded in lowercase hexadecimal. This is most likely the 160 bit SHA-1 hash of the public key.
The authority_key_id block contains:
key_id
- Optional. The value of this KeyId encoded in lowercase hexadecimal. This is most likely the 160 bit SHA-1 hash of the public key.
The cert_fingerprint block contains:
sha256_hash
- The SHA 256 hash, encoded in hexadecimal, of the DER x509 certificate.
Explanation in Terraform Registry
A Certificate corresponds to a signed X.509 certificate issued by a Certificate.
Note: The Certificate Authority that is referenced by this resource must be tier = "ENTERPRISE"