Class: Google::Cloud::Security::PrivateCA::V1::CaPool

Inherits:
Object
  • Object
Extended by:
Protobuf::MessageExts::ClassMethods
Includes:
Protobuf::MessageExts
Defined in:
proto_docs/google/cloud/security/privateca/v1/resources.rb

Overview

A CaPool represents a group of CertificateAuthorities that form a trust anchor. A CaPool can be used to manage issuance policies for one or more CertificateAuthority resources and to rotate CA certificates in and out of the trust anchor.

Defined Under Namespace

Modules: Tier

Classes: IssuancePolicy, LabelsEntry, PublishingOptions

Instance Attribute Summary

Instance Attribute Details

#issuance_policy::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy

Returns Optional. The IssuancePolicy to control how Certificates will be issued from this CaPool.

Returns:



# File 'proto_docs/google/cloud/security/privateca/v1/resources.rb', line 254

# A CaPool groups CertificateAuthorities that form a trust anchor. It is used to
# manage issuance policies for one or more CertificateAuthority resources and to
# rotate CA certificates in and out of the trust anchor.
#
# Review note: several IssuancePolicy fields documented below are permissive when
# left unset (allowed_key_types, identity_constraints, passthrough_extensions), so
# an unset field adds no pool-level restriction of its own for that property.
class CaPool
  include ::Google::Protobuf::MessageExts
  extend ::Google::Protobuf::MessageExts::ClassMethods

  # Options relating to the publication of each {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}'s CA
  # certificate and CRLs and their inclusion as extensions in issued
  # {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates}. The options set here apply to certificates
  # issued by any {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority} in the {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
  # @!attribute [rw] publish_ca_cert
  #   @return [::Boolean]
  #     Optional. When true, publishes each {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}'s CA certificate and
  #     includes its URL in the "Authority Information Access" X.509 extension
  #     in all issued {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates}. If this is false, the CA
  #     certificate will not be published and the corresponding X.509 extension
  #     will not be written in issued certificates.
  # @!attribute [rw] publish_crl
  #   @return [::Boolean]
  #     Optional. When true, publishes each {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}'s CRL and includes its
  #     URL in the "CRL Distribution Points" X.509 extension in all issued
  #     {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates}. If this is false, CRLs will not be published
  #     and the corresponding X.509 extension will not be written in issued
  #     certificates.
  #     CRLs will expire 7 days from their creation. However, we will rebuild
  #     daily. CRLs are also rebuilt shortly after a certificate is revoked.
  #     Security note: with publish_crl false, issued certificates carry no
  #     "CRL Distribution Points" extension, so a relying party cannot locate a
  #     CRL from the certificate itself; revocation status then has to reach it
  #     some other way.
  #     NOTE(review): a CRL stays valid for up to 7 days after creation, so how
  #     quickly a revocation is noticed presumably depends on how often relying
  #     parties refetch the CRL - confirm client refresh intervals.
  class PublishingOptions
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # Defines controls over all certificate issuance within a {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
  # @!attribute [rw] allowed_key_types
  #   @return [::Array<::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::AllowedKeyType>]
  #     Optional. If any {::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::AllowedKeyType AllowedKeyType} is specified, then the certificate request's
  #     public key must match one of the key types listed here. Otherwise,
  #     any key may be used.
  #     Security note: an empty list means the pool accepts any key type in a
  #     certificate request; list the permitted types explicitly to enforce a
  #     key policy at the pool.
  # @!attribute [rw] maximum_lifetime
  #   @return [::Google::Protobuf::Duration]
  #     Optional. The maximum lifetime allowed for issued {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates}. Note
  #     that if the issuing {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority} expires before a
  #     {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate}'s requested maximum_lifetime, the effective lifetime will
  #     be explicitly truncated to match it.
  # @!attribute [rw] allowed_issuance_modes
  #   @return [::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::IssuanceModes]
  #     Optional. If specified, then only methods allowed in the {::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::IssuanceModes IssuanceModes} may be
  #     used to issue {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates}.
  #     NOTE(review): the behavior when this is left unset is not stated here;
  #     confirm whether both CSR-based and config-based issuance are then allowed.
  # @!attribute [rw] baseline_values
  #   @return [::Google::Cloud::Security::PrivateCA::V1::X509Parameters]
  #     Optional. A set of X.509 values that will be applied to all certificates issued
  #     through this {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}. If a certificate request includes conflicting
  #     values for the same properties, they will be overwritten by the values
  #     defined here. If a certificate request uses a {::Google::Cloud::Security::PrivateCA::V1::CertificateTemplate CertificateTemplate}
  #     that defines conflicting
  #     {::Google::Cloud::Security::PrivateCA::V1::CertificateTemplate#predefined_values predefined_values} for the same
  #     properties, the certificate issuance request will fail.
  #     Note the asymmetry: a conflict with the request itself is silently
  #     overwritten, while a conflict with a template fails the request.
  # @!attribute [rw] identity_constraints
  #   @return [::Google::Cloud::Security::PrivateCA::V1::CertificateIdentityConstraints]
  #     Optional. Describes constraints on identities that may appear in
  #     {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates} issued through this {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
  #     If this is omitted, then this {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool} will not add restrictions on a
  #     certificate's identity.
  #     Security note: when omitted, the pool itself does not limit which
  #     identities a requester may ask for - confirm that another control does.
  # @!attribute [rw] passthrough_extensions
  #   @return [::Google::Cloud::Security::PrivateCA::V1::CertificateExtensionConstraints]
  #     Optional. Describes the set of X.509 extensions that may appear in a
  #     {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} issued through this {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}. If a certificate request
  #     sets extensions that don't appear in the {::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy#passthrough_extensions passthrough_extensions},
  #     those extensions will be dropped. If a certificate request uses a
  #     {::Google::Cloud::Security::PrivateCA::V1::CertificateTemplate CertificateTemplate} with
  #     {::Google::Cloud::Security::PrivateCA::V1::CertificateTemplate#predefined_values predefined_values} that don't
  #     appear here, the certificate issuance request will fail. If this is
  #     omitted, then this {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool} will not add restrictions on a
  #     certificate's X.509 extensions. These constraints do not apply to X.509
  #     extensions set in this {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}'s {::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy#baseline_values baseline_values}.
  #     Security note: when omitted, requester-supplied X.509 extensions are not
  #     filtered by the pool; when set, disallowed extensions in a request are
  #     dropped rather than rejected, so the requester gets no error for them.
  class IssuancePolicy
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods

    # Describes a "type" of key that may be used in a {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} issued
    # from a {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
    # Note that a single {::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::AllowedKeyType AllowedKeyType} may refer to either a
    # fully-qualified key algorithm, such as RSA 4096, or a family of key
    # algorithms, such as any RSA key.
    # @!attribute [rw] rsa
    #   @return [::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::AllowedKeyType::RsaKeyType]
    #     Represents an allowed RSA key type.
    # @!attribute [rw] elliptic_curve
    #   @return [::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::AllowedKeyType::EcKeyType]
    #     Represents an allowed Elliptic Curve key type.
    class AllowedKeyType
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods

      # Describes an RSA key that may be used in a {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} issued from
      # a {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
      # @!attribute [rw] min_modulus_size
      #   @return [::Integer]
      #     Optional. The minimum allowed RSA modulus size, in bits. If this is not set,
      #     or if set to zero, the service-level min RSA modulus size will
      #     continue to apply.
      #     The service-level minimum is not stated here; set this explicitly
      #     when the pool needs a stricter floor than the service default.
      # @!attribute [rw] max_modulus_size
      #   @return [::Integer]
      #     Optional. The maximum allowed RSA modulus size, in bits. If this is not set,
      #     or if set to zero, the service will not enforce an explicit upper
      #     bound on RSA modulus sizes.
      class RsaKeyType
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods
      end

      # Describes an Elliptic Curve key that may be used in a {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate}
      # issued from a {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
      # @!attribute [rw] signature_algorithm
      #   @return [::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::AllowedKeyType::EcKeyType::EcSignatureAlgorithm]
      #     Optional. A signature algorithm that must be used. If this is omitted, any
      #     EC-based signature algorithm will be allowed.
      class EcKeyType
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods

        # Describes an elliptic curve-based signature algorithm that may be
        # used in a {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} issued from a {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
        module EcSignatureAlgorithm
          # Not specified. Signifies that any signature algorithm may be used.
          # Value 0, so presumably what an unset signature_algorithm reads as;
          # this matches the field doc, where omission allows any EC-based algorithm.
          EC_SIGNATURE_ALGORITHM_UNSPECIFIED = 0

          # Refers to the Elliptic Curve Digital Signature Algorithm over the
          # NIST P-256 curve.
          ECDSA_P256 = 1

          # Refers to the Elliptic Curve Digital Signature Algorithm over the
          # NIST P-384 curve.
          ECDSA_P384 = 2

          # Refers to the Edwards-curve Digital Signature Algorithm over curve
          # 25519, as described in RFC 8410.
          EDDSA_25519 = 3
        end
      end
    end

    # {::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::IssuanceModes IssuanceModes} specifies the allowed ways in which
    # {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates} may be requested from this
    # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
    # @!attribute [rw] allow_csr_based_issuance
    #   @return [::Boolean]
    #     Optional. When true, allows callers to create {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates} by
    #     specifying a CSR.
    # @!attribute [rw] allow_config_based_issuance
    #   @return [::Boolean]
    #     Optional. When true, allows callers to create {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates} by
    #     specifying a {::Google::Cloud::Security::PrivateCA::V1::CertificateConfig CertificateConfig}.
    class IssuanceModes
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods
    end
  end

  # Key/value entry type for the CaPool labels map, which holds user-defined
  # metadata as String keys and String values.
  # @!attribute [rw] key
  #   @return [::String]
  # @!attribute [rw] value
  #   @return [::String]
  class LabelsEntry
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # The tier of a {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}, indicating its supported functionality and/or
  # billing SKU.
  module Tier
    # Not specified.
    TIER_UNSPECIFIED = 0

    # Enterprise tier.
    ENTERPRISE = 1

    # DevOps tier.
    DEVOPS = 2
  end
end

#labels::Google::Protobuf::Map{::String => ::String}

Returns Optional. Labels with user-defined metadata.

Returns:

  • (::Google::Protobuf::Map{::String => ::String})

    Optional. Labels with user-defined metadata.



# File 'proto_docs/google/cloud/security/privateca/v1/resources.rb', line 254

# A CaPool groups CertificateAuthorities that form a trust anchor. It is used to
# manage issuance policies for one or more CertificateAuthority resources and to
# rotate CA certificates in and out of the trust anchor.
#
# Review note: several IssuancePolicy fields documented below are permissive when
# left unset (allowed_key_types, identity_constraints, passthrough_extensions), so
# an unset field adds no pool-level restriction of its own for that property.
class CaPool
  include ::Google::Protobuf::MessageExts
  extend ::Google::Protobuf::MessageExts::ClassMethods

  # Options relating to the publication of each {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}'s CA
  # certificate and CRLs and their inclusion as extensions in issued
  # {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates}. The options set here apply to certificates
  # issued by any {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority} in the {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
  # @!attribute [rw] publish_ca_cert
  #   @return [::Boolean]
  #     Optional. When true, publishes each {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}'s CA certificate and
  #     includes its URL in the "Authority Information Access" X.509 extension
  #     in all issued {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates}. If this is false, the CA
  #     certificate will not be published and the corresponding X.509 extension
  #     will not be written in issued certificates.
  # @!attribute [rw] publish_crl
  #   @return [::Boolean]
  #     Optional. When true, publishes each {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}'s CRL and includes its
  #     URL in the "CRL Distribution Points" X.509 extension in all issued
  #     {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates}. If this is false, CRLs will not be published
  #     and the corresponding X.509 extension will not be written in issued
  #     certificates.
  #     CRLs will expire 7 days from their creation. However, we will rebuild
  #     daily. CRLs are also rebuilt shortly after a certificate is revoked.
  #     Security note: with publish_crl false, issued certificates carry no
  #     "CRL Distribution Points" extension, so a relying party cannot locate a
  #     CRL from the certificate itself; revocation status then has to reach it
  #     some other way.
  #     NOTE(review): a CRL stays valid for up to 7 days after creation, so how
  #     quickly a revocation is noticed presumably depends on how often relying
  #     parties refetch the CRL - confirm client refresh intervals.
  class PublishingOptions
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # Defines controls over all certificate issuance within a {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
  # @!attribute [rw] allowed_key_types
  #   @return [::Array<::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::AllowedKeyType>]
  #     Optional. If any {::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::AllowedKeyType AllowedKeyType} is specified, then the certificate request's
  #     public key must match one of the key types listed here. Otherwise,
  #     any key may be used.
  #     Security note: an empty list means the pool accepts any key type in a
  #     certificate request; list the permitted types explicitly to enforce a
  #     key policy at the pool.
  # @!attribute [rw] maximum_lifetime
  #   @return [::Google::Protobuf::Duration]
  #     Optional. The maximum lifetime allowed for issued {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates}. Note
  #     that if the issuing {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority} expires before a
  #     {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate}'s requested maximum_lifetime, the effective lifetime will
  #     be explicitly truncated to match it.
  # @!attribute [rw] allowed_issuance_modes
  #   @return [::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::IssuanceModes]
  #     Optional. If specified, then only methods allowed in the {::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::IssuanceModes IssuanceModes} may be
  #     used to issue {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates}.
  #     NOTE(review): the behavior when this is left unset is not stated here;
  #     confirm whether both CSR-based and config-based issuance are then allowed.
  # @!attribute [rw] baseline_values
  #   @return [::Google::Cloud::Security::PrivateCA::V1::X509Parameters]
  #     Optional. A set of X.509 values that will be applied to all certificates issued
  #     through this {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}. If a certificate request includes conflicting
  #     values for the same properties, they will be overwritten by the values
  #     defined here. If a certificate request uses a {::Google::Cloud::Security::PrivateCA::V1::CertificateTemplate CertificateTemplate}
  #     that defines conflicting
  #     {::Google::Cloud::Security::PrivateCA::V1::CertificateTemplate#predefined_values predefined_values} for the same
  #     properties, the certificate issuance request will fail.
  #     Note the asymmetry: a conflict with the request itself is silently
  #     overwritten, while a conflict with a template fails the request.
  # @!attribute [rw] identity_constraints
  #   @return [::Google::Cloud::Security::PrivateCA::V1::CertificateIdentityConstraints]
  #     Optional. Describes constraints on identities that may appear in
  #     {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates} issued through this {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
  #     If this is omitted, then this {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool} will not add restrictions on a
  #     certificate's identity.
  #     Security note: when omitted, the pool itself does not limit which
  #     identities a requester may ask for - confirm that another control does.
  # @!attribute [rw] passthrough_extensions
  #   @return [::Google::Cloud::Security::PrivateCA::V1::CertificateExtensionConstraints]
  #     Optional. Describes the set of X.509 extensions that may appear in a
  #     {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} issued through this {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}. If a certificate request
  #     sets extensions that don't appear in the {::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy#passthrough_extensions passthrough_extensions},
  #     those extensions will be dropped. If a certificate request uses a
  #     {::Google::Cloud::Security::PrivateCA::V1::CertificateTemplate CertificateTemplate} with
  #     {::Google::Cloud::Security::PrivateCA::V1::CertificateTemplate#predefined_values predefined_values} that don't
  #     appear here, the certificate issuance request will fail. If this is
  #     omitted, then this {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool} will not add restrictions on a
  #     certificate's X.509 extensions. These constraints do not apply to X.509
  #     extensions set in this {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}'s {::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy#baseline_values baseline_values}.
  #     Security note: when omitted, requester-supplied X.509 extensions are not
  #     filtered by the pool; when set, disallowed extensions in a request are
  #     dropped rather than rejected, so the requester gets no error for them.
  class IssuancePolicy
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods

    # Describes a "type" of key that may be used in a {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} issued
    # from a {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
    # Note that a single {::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::AllowedKeyType AllowedKeyType} may refer to either a
    # fully-qualified key algorithm, such as RSA 4096, or a family of key
    # algorithms, such as any RSA key.
    # @!attribute [rw] rsa
    #   @return [::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::AllowedKeyType::RsaKeyType]
    #     Represents an allowed RSA key type.
    # @!attribute [rw] elliptic_curve
    #   @return [::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::AllowedKeyType::EcKeyType]
    #     Represents an allowed Elliptic Curve key type.
    class AllowedKeyType
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods

      # Describes an RSA key that may be used in a {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} issued from
      # a {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
      # @!attribute [rw] min_modulus_size
      #   @return [::Integer]
      #     Optional. The minimum allowed RSA modulus size, in bits. If this is not set,
      #     or if set to zero, the service-level min RSA modulus size will
      #     continue to apply.
      #     The service-level minimum is not stated here; set this explicitly
      #     when the pool needs a stricter floor than the service default.
      # @!attribute [rw] max_modulus_size
      #   @return [::Integer]
      #     Optional. The maximum allowed RSA modulus size, in bits. If this is not set,
      #     or if set to zero, the service will not enforce an explicit upper
      #     bound on RSA modulus sizes.
      class RsaKeyType
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods
      end

      # Describes an Elliptic Curve key that may be used in a {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate}
      # issued from a {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
      # @!attribute [rw] signature_algorithm
      #   @return [::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::AllowedKeyType::EcKeyType::EcSignatureAlgorithm]
      #     Optional. A signature algorithm that must be used. If this is omitted, any
      #     EC-based signature algorithm will be allowed.
      class EcKeyType
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods

        # Describes an elliptic curve-based signature algorithm that may be
        # used in a {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} issued from a {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
        module EcSignatureAlgorithm
          # Not specified. Signifies that any signature algorithm may be used.
          # Value 0, so presumably what an unset signature_algorithm reads as;
          # this matches the field doc, where omission allows any EC-based algorithm.
          EC_SIGNATURE_ALGORITHM_UNSPECIFIED = 0

          # Refers to the Elliptic Curve Digital Signature Algorithm over the
          # NIST P-256 curve.
          ECDSA_P256 = 1

          # Refers to the Elliptic Curve Digital Signature Algorithm over the
          # NIST P-384 curve.
          ECDSA_P384 = 2

          # Refers to the Edwards-curve Digital Signature Algorithm over curve
          # 25519, as described in RFC 8410.
          EDDSA_25519 = 3
        end
      end
    end

    # {::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::IssuanceModes IssuanceModes} specifies the allowed ways in which
    # {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates} may be requested from this
    # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
    # @!attribute [rw] allow_csr_based_issuance
    #   @return [::Boolean]
    #     Optional. When true, allows callers to create {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates} by
    #     specifying a CSR.
    # @!attribute [rw] allow_config_based_issuance
    #   @return [::Boolean]
    #     Optional. When true, allows callers to create {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates} by
    #     specifying a {::Google::Cloud::Security::PrivateCA::V1::CertificateConfig CertificateConfig}.
    class IssuanceModes
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods
    end
  end

  # Key/value entry type for the CaPool labels map, which holds user-defined
  # metadata as String keys and String values.
  # @!attribute [rw] key
  #   @return [::String]
  # @!attribute [rw] value
  #   @return [::String]
  class LabelsEntry
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # The tier of a {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}, indicating its supported functionality and/or
  # billing SKU.
  module Tier
    # Not specified.
    TIER_UNSPECIFIED = 0

    # Enterprise tier.
    ENTERPRISE = 1

    # DevOps tier.
    DEVOPS = 2
  end
end

#name::String (readonly)

Returns Output only. The resource name for this CaPool in the format projects/*/locations/*/caPools/*.

Returns:

  • (::String)

    Output only. The resource name for this CaPool in the format projects/*/locations/*/caPools/*.



# File 'proto_docs/google/cloud/security/privateca/v1/resources.rb', line 254

# A CaPool groups CertificateAuthorities that form a trust anchor; the nested
# messages below describe the pool-wide publishing and issuance controls.
# Security-relevant defaults: every IssuancePolicy field is Optional, and the
# per-field text below says that an omitted field adds no restriction (key
# types, identities, X.509 extensions), so a pool created without an explicit
# policy is permissive.
class CaPool
  include ::Google::Protobuf::MessageExts
  extend ::Google::Protobuf::MessageExts::ClassMethods

  # Options relating to the publication of each {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}'s CA
  # certificate and CRLs and their inclusion as extensions in issued
  # {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates}. The options set here apply to certificates
  # issued by any {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority} in the {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
  # @!attribute [rw] publish_ca_cert
  #   @return [::Boolean]
  #     Optional. When true, publishes each {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}'s CA certificate and
  #     includes its URL in the "Authority Information Access" X.509 extension
  #     in all issued {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates}. If this is false, the CA
  #     certificate will not be published and the corresponding X.509 extension
  #     will not be written in issued certificates.
  # @!attribute [rw] publish_crl
  #   @return [::Boolean]
  #     Optional. When true, publishes each {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}'s CRL and includes its
  #     URL in the "CRL Distribution Points" X.509 extension in all issued
  #     {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates}. If this is false, CRLs will not be published
  #     and the corresponding X.509 extension will not be written in issued
  #     certificates.
  #     CRLs will expire 7 days from their creation. However, we will rebuild
  #     daily. CRLs are also rebuilt shortly after a certificate is revoked.
  #     Security note: with this set to false, issued certificates carry no
  #     pointer to revocation data, so relying parties that depend on CRLs
  #     cannot learn of a revocation from the certificate itself. Plan for
  #     that (for example with a short maximum_lifetime) before disabling it.
  class PublishingOptions
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # Defines controls over all certificate issuance within a {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
  # @!attribute [rw] allowed_key_types
  #   @return [::Array<::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::AllowedKeyType>]
  #     Optional. If any {::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::AllowedKeyType AllowedKeyType} is specified, then the certificate request's
  #     public key must match one of the key types listed here. Otherwise,
  #     any key may be used.
  #     Security note: an empty list places no pool-level restriction on the
  #     requester's key type or size; list the accepted types explicitly when
  #     the pool should reject weak or unexpected keys.
  # @!attribute [rw] maximum_lifetime
  #   @return [::Google::Protobuf::Duration]
  #     Optional. The maximum lifetime allowed for issued {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates}. Note
  #     that if the issuing {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority} expires before a
  #     {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate}'s requested maximum_lifetime, the effective lifetime will
  #     be explicitly truncated to match it.
  #     NOTE(review): this listing does not state which cap, if any, applies
  #     when the field is unset; confirm against the service documentation.
  # @!attribute [rw] allowed_issuance_modes
  #   @return [::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::IssuanceModes]
  #     Optional. If specified, then only methods allowed in the {::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::IssuanceModes IssuanceModes} may be
  #     used to issue {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates}.
  #     NOTE(review): presumably both CSR-based and config-based issuance are
  #     permitted when this is omitted; confirm.
  # @!attribute [rw] baseline_values
  #   @return [::Google::Cloud::Security::PrivateCA::V1::X509Parameters]
  #     Optional. A set of X.509 values that will be applied to all certificates issued
  #     through this {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}. If a certificate request includes conflicting
  #     values for the same properties, they will be overwritten by the values
  #     defined here. If a certificate request uses a {::Google::Cloud::Security::PrivateCA::V1::CertificateTemplate CertificateTemplate}
  #     that defines conflicting
  #     {::Google::Cloud::Security::PrivateCA::V1::CertificateTemplate#predefined_values predefined_values} for the same
  #     properties, the certificate issuance request will fail.
  #     Note the asymmetry: a conflict in the request itself is silently
  #     overwritten, while a conflict coming from a template fails the request.
  # @!attribute [rw] identity_constraints
  #   @return [::Google::Cloud::Security::PrivateCA::V1::CertificateIdentityConstraints]
  #     Optional. Describes constraints on identities that may appear in
  #     {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates} issued through this {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
  #     If this is omitted, then this {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool} will not add restrictions on a
  #     certificate's identity.
  #     Security note: when omitted, the pool itself does not limit which
  #     identity a requester may ask for; define constraints for any pool that
  #     is shared between teams or workloads.
  # @!attribute [rw] passthrough_extensions
  #   @return [::Google::Cloud::Security::PrivateCA::V1::CertificateExtensionConstraints]
  #     Optional. Describes the set of X.509 extensions that may appear in a
  #     {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} issued through this {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}. If a certificate request
  #     sets extensions that don't appear in the {::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy#passthrough_extensions passthrough_extensions},
  #     those extensions will be dropped. If a certificate request uses a
  #     {::Google::Cloud::Security::PrivateCA::V1::CertificateTemplate CertificateTemplate} with
  #     {::Google::Cloud::Security::PrivateCA::V1::CertificateTemplate#predefined_values predefined_values} that don't
  #     appear here, the certificate issuance request will fail. If this is
  #     omitted, then this {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool} will not add restrictions on a
  #     certificate's X.509 extensions. These constraints do not apply to X.509
  #     extensions set in this {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}'s {::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy#baseline_values baseline_values}.
  #     Security note: when omitted, requester-supplied extensions are not
  #     filtered by the pool; per the baseline_values text, the only override
  #     is that conflicting properties are overwritten by baseline_values.
  class IssuancePolicy
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods

    # Describes a "type" of key that may be used in a {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} issued
    # from a {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
    # Note that a single {::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::AllowedKeyType AllowedKeyType} may refer to either a
    # fully-qualified key algorithm, such as RSA 4096, or a family of key
    # algorithms, such as any RSA key.
    # @!attribute [rw] rsa
    #   @return [::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::AllowedKeyType::RsaKeyType]
    #     Represents an allowed RSA key type.
    # @!attribute [rw] elliptic_curve
    #   @return [::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::AllowedKeyType::EcKeyType]
    #     Represents an allowed Elliptic Curve key type.
    class AllowedKeyType
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods

      # Describes an RSA key that may be used in a {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} issued from
      # a {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
      # @!attribute [rw] min_modulus_size
      #   @return [::Integer]
      #     Optional. The minimum allowed RSA modulus size, in bits. If this is not set,
      #     or if set to zero, the service-level min RSA modulus size will
      #     continue to apply.
      #     NOTE(review): the service-level minimum is not stated in this
      #     listing; set an explicit value when a specific floor is required.
      # @!attribute [rw] max_modulus_size
      #   @return [::Integer]
      #     Optional. The maximum allowed RSA modulus size, in bits. If this is not set,
      #     or if set to zero, the service will not enforce an explicit upper
      #     bound on RSA modulus sizes.
      class RsaKeyType
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods
      end

      # Describes an Elliptic Curve key that may be used in a {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate}
      # issued from a {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
      # @!attribute [rw] signature_algorithm
      #   @return [::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::AllowedKeyType::EcKeyType::EcSignatureAlgorithm]
      #     Optional. A signature algorithm that must be used. If this is omitted, any
      #     EC-based signature algorithm will be allowed.
      class EcKeyType
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods

        # Describes an elliptic curve-based signature algorithm that may be
        # used in a {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} issued from a {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
        module EcSignatureAlgorithm
          # Not specified. Signifies that any signature algorithm may be used.
          # This is the zero value, so an EcKeyType left at its default does
          # not pin a curve.
          EC_SIGNATURE_ALGORITHM_UNSPECIFIED = 0

          # Refers to the Elliptic Curve Digital Signature Algorithm over the
          # NIST P-256 curve.
          ECDSA_P256 = 1

          # Refers to the Elliptic Curve Digital Signature Algorithm over the
          # NIST P-384 curve.
          ECDSA_P384 = 2

          # Refers to the Edwards-curve Digital Signature Algorithm over curve
          # 25519, as described in RFC 8410.
          EDDSA_25519 = 3
        end
      end
    end

    # {::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::IssuanceModes IssuanceModes} specifies the allowed ways in which
    # {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates} may be requested from this
    # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
    # @!attribute [rw] allow_csr_based_issuance
    #   @return [::Boolean]
    #     Optional. When true, allows callers to create {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates} by
    #     specifying a CSR.
    # @!attribute [rw] allow_config_based_issuance
    #   @return [::Boolean]
    #     Optional. When true, allows callers to create {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates} by
    #     specifying a {::Google::Cloud::Security::PrivateCA::V1::CertificateConfig CertificateConfig}.
    #     NOTE(review): a CSR is signed with the requester's own key, whereas
    #     nothing in this listing says how key possession is established for a
    #     CertificateConfig request; confirm that before enabling this mode for
    #     callers that are not fully trusted.
    class IssuanceModes
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods
    end
  end

  # A single string key/value pair.
  # NOTE(review): presumably the map-entry message behind the CaPool's labels
  # field, which is not shown in this listing; confirm.
  # @!attribute [rw] key
  #   @return [::String]
  # @!attribute [rw] value
  #   @return [::String]
  class LabelsEntry
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # The tier of a {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}, indicating its supported functionality and/or
  # billing SKU.
  # CaPool#tier is documented on this page as Required and Immutable, so the
  # tier has to be chosen when the pool is created.
  module Tier
    # Not specified.
    # NOTE(review): tier is Required, so presumably this value is not accepted
    # when creating a pool; confirm.
    TIER_UNSPECIFIED = 0

    # Enterprise tier.
    ENTERPRISE = 1

    # DevOps tier.
    DEVOPS = 2
  end
end

#publishing_options ⇒ ::Google::Cloud::Security::PrivateCA::V1::CaPool::PublishingOptions

Returns Optional. The PublishingOptions to follow when issuing Certificates from any CertificateAuthority in this CaPool.



# File 'proto_docs/google/cloud/security/privateca/v1/resources.rb', line 254

# A CaPool groups CertificateAuthorities that form a trust anchor; the nested
# messages below describe the pool-wide publishing and issuance controls.
# Security-relevant defaults: every IssuancePolicy field is Optional, and the
# per-field text below says that an omitted field adds no restriction (key
# types, identities, X.509 extensions), so a pool created without an explicit
# policy is permissive.
class CaPool
  include ::Google::Protobuf::MessageExts
  extend ::Google::Protobuf::MessageExts::ClassMethods

  # Options relating to the publication of each {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}'s CA
  # certificate and CRLs and their inclusion as extensions in issued
  # {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates}. The options set here apply to certificates
  # issued by any {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority} in the {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
  # @!attribute [rw] publish_ca_cert
  #   @return [::Boolean]
  #     Optional. When true, publishes each {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}'s CA certificate and
  #     includes its URL in the "Authority Information Access" X.509 extension
  #     in all issued {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates}. If this is false, the CA
  #     certificate will not be published and the corresponding X.509 extension
  #     will not be written in issued certificates.
  # @!attribute [rw] publish_crl
  #   @return [::Boolean]
  #     Optional. When true, publishes each {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}'s CRL and includes its
  #     URL in the "CRL Distribution Points" X.509 extension in all issued
  #     {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates}. If this is false, CRLs will not be published
  #     and the corresponding X.509 extension will not be written in issued
  #     certificates.
  #     CRLs will expire 7 days from their creation. However, we will rebuild
  #     daily. CRLs are also rebuilt shortly after a certificate is revoked.
  #     Security note: with this set to false, issued certificates carry no
  #     pointer to revocation data, so relying parties that depend on CRLs
  #     cannot learn of a revocation from the certificate itself. Plan for
  #     that (for example with a short maximum_lifetime) before disabling it.
  class PublishingOptions
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # Defines controls over all certificate issuance within a {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
  # @!attribute [rw] allowed_key_types
  #   @return [::Array<::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::AllowedKeyType>]
  #     Optional. If any {::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::AllowedKeyType AllowedKeyType} is specified, then the certificate request's
  #     public key must match one of the key types listed here. Otherwise,
  #     any key may be used.
  #     Security note: an empty list places no pool-level restriction on the
  #     requester's key type or size; list the accepted types explicitly when
  #     the pool should reject weak or unexpected keys.
  # @!attribute [rw] maximum_lifetime
  #   @return [::Google::Protobuf::Duration]
  #     Optional. The maximum lifetime allowed for issued {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates}. Note
  #     that if the issuing {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority} expires before a
  #     {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate}'s requested maximum_lifetime, the effective lifetime will
  #     be explicitly truncated to match it.
  #     NOTE(review): this listing does not state which cap, if any, applies
  #     when the field is unset; confirm against the service documentation.
  # @!attribute [rw] allowed_issuance_modes
  #   @return [::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::IssuanceModes]
  #     Optional. If specified, then only methods allowed in the {::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::IssuanceModes IssuanceModes} may be
  #     used to issue {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates}.
  #     NOTE(review): presumably both CSR-based and config-based issuance are
  #     permitted when this is omitted; confirm.
  # @!attribute [rw] baseline_values
  #   @return [::Google::Cloud::Security::PrivateCA::V1::X509Parameters]
  #     Optional. A set of X.509 values that will be applied to all certificates issued
  #     through this {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}. If a certificate request includes conflicting
  #     values for the same properties, they will be overwritten by the values
  #     defined here. If a certificate request uses a {::Google::Cloud::Security::PrivateCA::V1::CertificateTemplate CertificateTemplate}
  #     that defines conflicting
  #     {::Google::Cloud::Security::PrivateCA::V1::CertificateTemplate#predefined_values predefined_values} for the same
  #     properties, the certificate issuance request will fail.
  #     Note the asymmetry: a conflict in the request itself is silently
  #     overwritten, while a conflict coming from a template fails the request.
  # @!attribute [rw] identity_constraints
  #   @return [::Google::Cloud::Security::PrivateCA::V1::CertificateIdentityConstraints]
  #     Optional. Describes constraints on identities that may appear in
  #     {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates} issued through this {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
  #     If this is omitted, then this {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool} will not add restrictions on a
  #     certificate's identity.
  #     Security note: when omitted, the pool itself does not limit which
  #     identity a requester may ask for; define constraints for any pool that
  #     is shared between teams or workloads.
  # @!attribute [rw] passthrough_extensions
  #   @return [::Google::Cloud::Security::PrivateCA::V1::CertificateExtensionConstraints]
  #     Optional. Describes the set of X.509 extensions that may appear in a
  #     {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} issued through this {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}. If a certificate request
  #     sets extensions that don't appear in the {::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy#passthrough_extensions passthrough_extensions},
  #     those extensions will be dropped. If a certificate request uses a
  #     {::Google::Cloud::Security::PrivateCA::V1::CertificateTemplate CertificateTemplate} with
  #     {::Google::Cloud::Security::PrivateCA::V1::CertificateTemplate#predefined_values predefined_values} that don't
  #     appear here, the certificate issuance request will fail. If this is
  #     omitted, then this {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool} will not add restrictions on a
  #     certificate's X.509 extensions. These constraints do not apply to X.509
  #     extensions set in this {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}'s {::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy#baseline_values baseline_values}.
  #     Security note: when omitted, requester-supplied extensions are not
  #     filtered by the pool; per the baseline_values text, the only override
  #     is that conflicting properties are overwritten by baseline_values.
  class IssuancePolicy
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods

    # Describes a "type" of key that may be used in a {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} issued
    # from a {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
    # Note that a single {::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::AllowedKeyType AllowedKeyType} may refer to either a
    # fully-qualified key algorithm, such as RSA 4096, or a family of key
    # algorithms, such as any RSA key.
    # @!attribute [rw] rsa
    #   @return [::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::AllowedKeyType::RsaKeyType]
    #     Represents an allowed RSA key type.
    # @!attribute [rw] elliptic_curve
    #   @return [::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::AllowedKeyType::EcKeyType]
    #     Represents an allowed Elliptic Curve key type.
    class AllowedKeyType
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods

      # Describes an RSA key that may be used in a {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} issued from
      # a {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
      # @!attribute [rw] min_modulus_size
      #   @return [::Integer]
      #     Optional. The minimum allowed RSA modulus size, in bits. If this is not set,
      #     or if set to zero, the service-level min RSA modulus size will
      #     continue to apply.
      #     NOTE(review): the service-level minimum is not stated in this
      #     listing; set an explicit value when a specific floor is required.
      # @!attribute [rw] max_modulus_size
      #   @return [::Integer]
      #     Optional. The maximum allowed RSA modulus size, in bits. If this is not set,
      #     or if set to zero, the service will not enforce an explicit upper
      #     bound on RSA modulus sizes.
      class RsaKeyType
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods
      end

      # Describes an Elliptic Curve key that may be used in a {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate}
      # issued from a {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
      # @!attribute [rw] signature_algorithm
      #   @return [::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::AllowedKeyType::EcKeyType::EcSignatureAlgorithm]
      #     Optional. A signature algorithm that must be used. If this is omitted, any
      #     EC-based signature algorithm will be allowed.
      class EcKeyType
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods

        # Describes an elliptic curve-based signature algorithm that may be
        # used in a {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} issued from a {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
        module EcSignatureAlgorithm
          # Not specified. Signifies that any signature algorithm may be used.
          # This is the zero value, so an EcKeyType left at its default does
          # not pin a curve.
          EC_SIGNATURE_ALGORITHM_UNSPECIFIED = 0

          # Refers to the Elliptic Curve Digital Signature Algorithm over the
          # NIST P-256 curve.
          ECDSA_P256 = 1

          # Refers to the Elliptic Curve Digital Signature Algorithm over the
          # NIST P-384 curve.
          ECDSA_P384 = 2

          # Refers to the Edwards-curve Digital Signature Algorithm over curve
          # 25519, as described in RFC 8410.
          EDDSA_25519 = 3
        end
      end
    end

    # {::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::IssuanceModes IssuanceModes} specifies the allowed ways in which
    # {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates} may be requested from this
    # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
    # @!attribute [rw] allow_csr_based_issuance
    #   @return [::Boolean]
    #     Optional. When true, allows callers to create {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates} by
    #     specifying a CSR.
    # @!attribute [rw] allow_config_based_issuance
    #   @return [::Boolean]
    #     Optional. When true, allows callers to create {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates} by
    #     specifying a {::Google::Cloud::Security::PrivateCA::V1::CertificateConfig CertificateConfig}.
    #     NOTE(review): a CSR is signed with the requester's own key, whereas
    #     nothing in this listing says how key possession is established for a
    #     CertificateConfig request; confirm that before enabling this mode for
    #     callers that are not fully trusted.
    class IssuanceModes
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods
    end
  end

  # A single string key/value pair.
  # NOTE(review): presumably the map-entry message behind the CaPool's labels
  # field, which is not shown in this listing; confirm.
  # @!attribute [rw] key
  #   @return [::String]
  # @!attribute [rw] value
  #   @return [::String]
  class LabelsEntry
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # The tier of a {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}, indicating its supported functionality and/or
  # billing SKU.
  # CaPool#tier is documented on this page as Required and Immutable, so the
  # tier has to be chosen when the pool is created.
  module Tier
    # Not specified.
    # NOTE(review): tier is Required, so presumably this value is not accepted
    # when creating a pool; confirm.
    TIER_UNSPECIFIED = 0

    # Enterprise tier.
    ENTERPRISE = 1

    # DevOps tier.
    DEVOPS = 2
  end
end

#tier ⇒ ::Google::Cloud::Security::PrivateCA::V1::CaPool::Tier

Returns Required. Immutable. The Tier of this CaPool.

Returns:



# File 'proto_docs/google/cloud/security/privateca/v1/resources.rb', line 254

# Documentation stub for the CaPool message: a group of CertificateAuthorities that
# form a trust anchor. The nested types below describe the pool-wide publishing
# options, the issuance policy, the labels entry and the tier.
class CaPool
  include ::Google::Protobuf::MessageExts
  extend ::Google::Protobuf::MessageExts::ClassMethods

  # Options relating to the publication of each {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}'s CA
  # certificate and CRLs and their inclusion as extensions in issued
  # {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates}. The options set here apply to certificates
  # issued by any {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority} in the {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
  # @!attribute [rw] publish_ca_cert
  #   @return [::Boolean]
  #     Optional. When true, publishes each {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}'s CA certificate and
  #     includes its URL in the "Authority Information Access" X.509 extension
  #     in all issued {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates}. If this is false, the CA
  #     certificate will not be published and the corresponding X.509 extension
  #     will not be written in issued certificates.
  # @!attribute [rw] publish_crl
  #   @return [::Boolean]
  #     Optional. When true, publishes each {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}'s CRL and includes its
  #     URL in the "CRL Distribution Points" X.509 extension in all issued
  #     {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates}. If this is false, CRLs will not be published
  #     and the corresponding X.509 extension will not be written in issued
  #     certificates.
  #     CRLs will expire 7 days from their creation. However, they are rebuilt
  #     daily, and also shortly after a certificate is revoked.
  #     A relying party that works from a cached CRL only learns of a revocation
  #     when it fetches a rebuilt CRL, so clients should refresh well within the
  #     7-day validity window rather than waiting for expiry. With this set to
  #     false, issued certificates carry no pointer to a CRL, and revocation
  #     status has to reach relying parties by some other channel.
  class PublishingOptions
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # Defines controls over all certificate issuance within a {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
  # Every attribute is optional, and an omitted attribute means the pool adds no
  # restriction of that kind, so an empty policy is the most permissive one.
  # @!attribute [rw] allowed_key_types
  #   @return [::Array<::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::AllowedKeyType>]
  #     Optional. If any {::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::AllowedKeyType AllowedKeyType} is specified, then the certificate request's
  #     public key must match one of the key types listed here. Otherwise,
  #     any key may be used.
  #     Leaving this list empty therefore means the pool itself places no
  #     restriction on the key algorithm or size of a request; list the permitted
  #     types here when the pool is meant to enforce a key-strength floor.
  # @!attribute [rw] maximum_lifetime
  #   @return [::Google::Protobuf::Duration]
  #     Optional. The maximum lifetime allowed for issued {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates}. Note
  #     that if the issuing {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority} expires before a
  #     {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate}'s requested maximum_lifetime, the effective lifetime will
  #     be explicitly truncated to match it.
  # @!attribute [rw] allowed_issuance_modes
  #   @return [::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::IssuanceModes]
  #     Optional. If specified, then only methods allowed in the {::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::IssuanceModes IssuanceModes} may be
  #     used to issue {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates}.
  # @!attribute [rw] baseline_values
  #   @return [::Google::Cloud::Security::PrivateCA::V1::X509Parameters]
  #     Optional. A set of X.509 values that will be applied to all certificates issued
  #     through this {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}. If a certificate request includes conflicting
  #     values for the same properties, they will be overwritten by the values
  #     defined here. If a certificate request uses a {::Google::Cloud::Security::PrivateCA::V1::CertificateTemplate CertificateTemplate}
  #     that defines conflicting
  #     {::Google::Cloud::Security::PrivateCA::V1::CertificateTemplate#predefined_values predefined_values} for the same
  #     properties, the certificate issuance request will fail.
  # @!attribute [rw] identity_constraints
  #   @return [::Google::Cloud::Security::PrivateCA::V1::CertificateIdentityConstraints]
  #     Optional. Describes constraints on identities that may appear in
  #     {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates} issued through this {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
  #     If this is omitted, then this {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool} will not add restrictions on a
  #     certificate's identity.
  #     NOTE(review): with no constraints here, whatever limits the identities a
  #     requester can obtain must come from controls outside this policy; confirm
  #     which ones apply before leaving this unset.
  # @!attribute [rw] passthrough_extensions
  #   @return [::Google::Cloud::Security::PrivateCA::V1::CertificateExtensionConstraints]
  #     Optional. Describes the set of X.509 extensions that may appear in a
  #     {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} issued through this {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}. If a certificate request
  #     sets extensions that don't appear in the {::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy#passthrough_extensions passthrough_extensions},
  #     those extensions will be dropped. If a certificate request uses a
  #     {::Google::Cloud::Security::PrivateCA::V1::CertificateTemplate CertificateTemplate} with
  #     {::Google::Cloud::Security::PrivateCA::V1::CertificateTemplate#predefined_values predefined_values} that don't
  #     appear here, the certificate issuance request will fail. If this is
  #     omitted, then this {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool} will not add restrictions on a
  #     certificate's X.509 extensions. These constraints do not apply to X.509
  #     extensions set in this {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}'s {::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy#baseline_values baseline_values}.
  #     Note the two different outcomes: extensions set directly in a request that
  #     are not listed here are dropped, while a CertificateTemplate whose
  #     predefined_values are not listed makes the request fail. Callers should
  #     check the issued certificate for the extensions they depend on.
  class IssuancePolicy
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods

    # Describes a "type" of key that may be used in a {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} issued
    # from a {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
    # Note that a single {::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::AllowedKeyType AllowedKeyType} may refer to either a
    # fully-qualified key algorithm, such as RSA 4096, or a family of key
    # algorithms, such as any RSA key.
    # @!attribute [rw] rsa
    #   @return [::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::AllowedKeyType::RsaKeyType]
    #     Represents an allowed RSA key type.
    # @!attribute [rw] elliptic_curve
    #   @return [::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::AllowedKeyType::EcKeyType]
    #     Represents an allowed Elliptic Curve key type.
    class AllowedKeyType
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods

      # Describes an RSA key that may be used in a {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} issued from
      # a {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
      # @!attribute [rw] min_modulus_size
      #   @return [::Integer]
      #     Optional. The minimum allowed RSA modulus size, in bits. If this is not set,
      #     or if set to zero, the service-level min RSA modulus size will
      #     continue to apply.
      #     This listing does not state what the service-level minimum is; set this
      #     field explicitly when the pool must guarantee a specific floor.
      # @!attribute [rw] max_modulus_size
      #   @return [::Integer]
      #     Optional. The maximum allowed RSA modulus size, in bits. If this is not set,
      #     or if set to zero, the service will not enforce an explicit upper
      #     bound on RSA modulus sizes.
      class RsaKeyType
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods
      end

      # Describes an Elliptic Curve key that may be used in a {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate}
      # issued from a {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
      # @!attribute [rw] signature_algorithm
      #   @return [::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::AllowedKeyType::EcKeyType::EcSignatureAlgorithm]
      #     Optional. A signature algorithm that must be used. If this is omitted, any
      #     EC-based signature algorithm will be allowed.
      class EcKeyType
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods

        # Describes an elliptic curve-based signature algorithm that may be
        # used in a {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} issued from a {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
        module EcSignatureAlgorithm
          # Not specified. Signifies that any signature algorithm may be used.
          EC_SIGNATURE_ALGORITHM_UNSPECIFIED = 0

          # Refers to the Elliptic Curve Digital Signature Algorithm over the
          # NIST P-256 curve.
          ECDSA_P256 = 1

          # Refers to the Elliptic Curve Digital Signature Algorithm over the
          # NIST P-384 curve.
          ECDSA_P384 = 2

          # Refers to the Edwards-curve Digital Signature Algorithm over curve
          # 25519, as described in RFC 8410.
          EDDSA_25519 = 3
        end
      end
    end

    # {::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::IssuanceModes IssuanceModes} specifies the allowed ways in which
    # {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates} may be requested from this
    # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
    # @!attribute [rw] allow_csr_based_issuance
    #   @return [::Boolean]
    #     Optional. When true, allows callers to create {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates} by
    #     specifying a CSR.
    # @!attribute [rw] allow_config_based_issuance
    #   @return [::Boolean]
    #     Optional. When true, allows callers to create {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates} by
    #     specifying a {::Google::Cloud::Security::PrivateCA::V1::CertificateConfig CertificateConfig}.
    class IssuanceModes
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods
    end
  end

  # A key/value pair of strings.
  # NOTE(review): presumably the entry type of the CaPool labels map; the labels
  # attribute itself is not shown in this listing, so confirm against the CaPool
  # attribute summary.
  # @!attribute [rw] key
  #   @return [::String]
  # @!attribute [rw] value
  #   @return [::String]
  class LabelsEntry
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # The tier of a {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}, indicating its supported functionality and/or
  # billing SKU.
  # The CaPool#tier attribute is documented on this page as required and immutable,
  # so the tier has to be chosen when the pool is created.
  module Tier
    # Not specified.
    TIER_UNSPECIFIED = 0

    # Enterprise tier.
    ENTERPRISE = 1

    # DevOps tier.
    DEVOPS = 2
  end
end