Class: Google::Cloud::Security::PrivateCA::V1::CertificateAuthority

Inherits:

Object

• Object
• Google::Cloud::Security::PrivateCA::V1::CertificateAuthority

Extended by:

Protobuf::MessageExts::ClassMethods

Includes:

Protobuf::MessageExts

Defined in:

proto_docs/google/cloud/security/privateca/v1/resources.rb

Overview

A CertificateAuthority represents an individual Certificate Authority. A CertificateAuthority can be used to create Certificates.

Defined Under Namespace

Modules: SignHashAlgorithm, State, Type Classes: AccessUrls, KeyVersionSpec, LabelsEntry

Instance Attribute Summary

• #access_urls ⇒ ::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority::AccessUrls readonly

  Output only.

• #ca_certificate_descriptions ⇒ ::Array<::Google::Cloud::Security::PrivateCA::V1::CertificateDescription> readonly

  Output only.

• #config ⇒ ::Google::Cloud::Security::PrivateCA::V1::CertificateConfig

  Required.

• #create_time ⇒ ::Google::Protobuf::Timestamp readonly

  Output only.

• #delete_time ⇒ ::Google::Protobuf::Timestamp readonly

  Output only.

• #expire_time ⇒ ::Google::Protobuf::Timestamp readonly

  Output only.

• #gcs_bucket ⇒ ::String

  Immutable.

• #key_spec ⇒ ::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority::KeyVersionSpec

  Required.

• #labels ⇒ ::Google::Protobuf::Map{::String => ::String}

  Optional.

• #lifetime ⇒ ::Google::Protobuf::Duration

  Required.

• #name ⇒ ::String readonly

  Output only.

• #pem_ca_certificates ⇒ ::Array<::String> readonly

  Output only.

• #state ⇒ ::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority::State readonly

  Output only.

• #subordinate_config ⇒ ::Google::Cloud::Security::PrivateCA::V1::SubordinateConfig

  Optional.

• #tier ⇒ ::Google::Cloud::Security::PrivateCA::V1::CaPool::Tier readonly

  Output only.

• #type ⇒ ::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority::Type

  Required.

• #update_time ⇒ ::Google::Protobuf::Timestamp readonly

  Output only.

Instance Attribute Details

#access_urls ⇒ ::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority::AccessUrls (readonly)

Returns Output only. URLs for accessing content published by this CA, such as the CA certificate and CRLs.

Returns:

• (::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority::AccessUrls) —

  Output only. URLs for accessing content published by this CA, such as the CA certificate and CRLs.

# File 'proto_docs/google/cloud/security/privateca/v1/resources.rb', line 135

class CertificateAuthority
  include ::Google::Protobuf::MessageExts
  extend ::Google::Protobuf::MessageExts::ClassMethods

  # URLs where a
  # {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}
  # will publish content.
  # @!attribute [rw] ca_certificate_access_url
  #   @return [::String]
  #     The URL where this
  #     {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}'s
  #     CA certificate is published. This will only be set for CAs that have been
  #     activated.
  # @!attribute [rw] crl_access_urls
  #   @return [::Array<::String>]
  #     The URLs where this
  #     {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}'s
  #     CRLs are published. This will only be set for CAs that have been
  #     activated.
  class AccessUrls
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # A Cloud KMS key configuration that a
  # {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}
  # will use.
  # @!attribute [rw] cloud_kms_key_version
  #   @return [::String]
  #     The resource name for an existing Cloud KMS CryptoKeyVersion in the
  #     format
  #     `projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*`.
  #     This option enables full flexibility in the key's capabilities and
  #     properties.
  # @!attribute [rw] algorithm
  #   @return [::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority::SignHashAlgorithm]
  #     The algorithm to use for creating a managed Cloud KMS key for a for a
  #     simplified experience. All managed keys will be have their
  #     [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] as `HSM`.
  class KeyVersionSpec
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # @!attribute [rw] key
  #   @return [::String]
  # @!attribute [rw] value
  #   @return [::String]
  class LabelsEntry
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # The type of a
  # {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority},
  # indicating its issuing chain.
  module Type
    # Not specified.
    TYPE_UNSPECIFIED = 0

    # Self-signed CA.
    SELF_SIGNED = 1

    # Subordinate CA. Could be issued by a Private CA
    # {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}
    # or an unmanaged CA.
    SUBORDINATE = 2
  end

  # The state of a
  # {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority},
  # indicating if it can be used.
  module State
    # Not specified.
    STATE_UNSPECIFIED = 0

    # Certificates can be issued from this CA. CRLs will be generated for this
    # CA. The CA will be part of the
    # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}'s trust anchor, and
    # will be used to issue certificates from the
    # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
    ENABLED = 1

    # Certificates cannot be issued from this CA. CRLs will still be generated.
    # The CA will be part of the
    # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}'s trust anchor, but
    # will not be used to issue certificates from the
    # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
    DISABLED = 2

    # Certificates can be issued from this CA. CRLs will be generated for this
    # CA. The CA will be part of the
    # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}'s trust anchor, but
    # will not be used to issue certificates from the
    # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
    STAGED = 3

    # Certificates cannot be issued from this CA. CRLs will not be generated.
    # The CA will not be part of the
    # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}'s trust anchor, and
    # will not be used to issue certificates from the
    # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
    AWAITING_USER_ACTIVATION = 4

    # Certificates cannot be issued from this CA. CRLs will not be generated.
    # The CA may still be recovered by calling
    # {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthorityService::Client#undelete_certificate_authority CertificateAuthorityService.UndeleteCertificateAuthority}
    # before
    # {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority#expire_time expire_time}.
    # The CA will not be part of the
    # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}'s trust anchor, and
    # will not be used to issue certificates from the
    # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
    DELETED = 5
  end

  # The algorithm of a Cloud KMS CryptoKeyVersion of a
  # [CryptoKey][google.cloud.kms.v1.CryptoKey] with the
  # [CryptoKeyPurpose][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose] value
  # `ASYMMETRIC_SIGN`. These values correspond to the
  # [CryptoKeyVersionAlgorithm][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm]
  # values. For RSA signing algorithms, the PSS algorithms should be preferred,
  # use PKCS1 algorithms if required for compatibility. For further
  # recommendations, see
  # https://cloud.google.com/kms/docs/algorithms#algorithm_recommendations.
  module SignHashAlgorithm
    # Not specified.
    SIGN_HASH_ALGORITHM_UNSPECIFIED = 0

    # maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PSS_2048_SHA256
    RSA_PSS_2048_SHA256 = 1

    # maps to CryptoKeyVersionAlgorithm. RSA_SIGN_PSS_3072_SHA256
    RSA_PSS_3072_SHA256 = 2

    # maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PSS_4096_SHA256
    RSA_PSS_4096_SHA256 = 3

    # maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_2048_SHA256
    RSA_PKCS1_2048_SHA256 = 6

    # maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_3072_SHA256
    RSA_PKCS1_3072_SHA256 = 7

    # maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_4096_SHA256
    RSA_PKCS1_4096_SHA256 = 8

    # maps to CryptoKeyVersionAlgorithm.EC_SIGN_P256_SHA256
    EC_P256_SHA256 = 4

    # maps to CryptoKeyVersionAlgorithm.EC_SIGN_P384_SHA384
    EC_P384_SHA384 = 5
  end
end

#ca_certificate_descriptions ⇒ ::Array<::Google::Cloud::Security::PrivateCA::V1::CertificateDescription> (readonly)

Returns Output only. A structured description of this CertificateAuthority's CA certificate and its issuers. Ordered as self-to-root.

Returns:

• (::Array<::Google::Cloud::Security::PrivateCA::V1::CertificateDescription>) —

  Output only. A structured description of this CertificateAuthority's CA certificate and its issuers. Ordered as self-to-root.

# File 'proto_docs/google/cloud/security/privateca/v1/resources.rb', line 135

class CertificateAuthority
  include ::Google::Protobuf::MessageExts
  extend ::Google::Protobuf::MessageExts::ClassMethods

  # URLs where a
  # {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}
  # will publish content.
  # @!attribute [rw] ca_certificate_access_url
  #   @return [::String]
  #     The URL where this
  #     {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}'s
  #     CA certificate is published. This will only be set for CAs that have been
  #     activated.
  # @!attribute [rw] crl_access_urls
  #   @return [::Array<::String>]
  #     The URLs where this
  #     {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}'s
  #     CRLs are published. This will only be set for CAs that have been
  #     activated.
  class AccessUrls
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # A Cloud KMS key configuration that a
  # {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}
  # will use.
  # @!attribute [rw] cloud_kms_key_version
  #   @return [::String]
  #     The resource name for an existing Cloud KMS CryptoKeyVersion in the
  #     format
  #     `projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*`.
  #     This option enables full flexibility in the key's capabilities and
  #     properties.
  # @!attribute [rw] algorithm
  #   @return [::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority::SignHashAlgorithm]
  #     The algorithm to use for creating a managed Cloud KMS key for a for a
  #     simplified experience. All managed keys will be have their
  #     [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] as `HSM`.
  class KeyVersionSpec
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # @!attribute [rw] key
  #   @return [::String]
  # @!attribute [rw] value
  #   @return [::String]
  class LabelsEntry
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # The type of a
  # {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority},
  # indicating its issuing chain.
  module Type
    # Not specified.
    TYPE_UNSPECIFIED = 0

    # Self-signed CA.
    SELF_SIGNED = 1

    # Subordinate CA. Could be issued by a Private CA
    # {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}
    # or an unmanaged CA.
    SUBORDINATE = 2
  end

  # The state of a
  # {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority},
  # indicating if it can be used.
  module State
    # Not specified.
    STATE_UNSPECIFIED = 0

    # Certificates can be issued from this CA. CRLs will be generated for this
    # CA. The CA will be part of the
    # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}'s trust anchor, and
    # will be used to issue certificates from the
    # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
    ENABLED = 1

    # Certificates cannot be issued from this CA. CRLs will still be generated.
    # The CA will be part of the
    # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}'s trust anchor, but
    # will not be used to issue certificates from the
    # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
    DISABLED = 2

    # Certificates can be issued from this CA. CRLs will be generated for this
    # CA. The CA will be part of the
    # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}'s trust anchor, but
    # will not be used to issue certificates from the
    # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
    STAGED = 3

    # Certificates cannot be issued from this CA. CRLs will not be generated.
    # The CA will not be part of the
    # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}'s trust anchor, and
    # will not be used to issue certificates from the
    # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
    AWAITING_USER_ACTIVATION = 4

    # Certificates cannot be issued from this CA. CRLs will not be generated.
    # The CA may still be recovered by calling
    # {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthorityService::Client#undelete_certificate_authority CertificateAuthorityService.UndeleteCertificateAuthority}
    # before
    # {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority#expire_time expire_time}.
    # The CA will not be part of the
    # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}'s trust anchor, and
    # will not be used to issue certificates from the
    # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
    DELETED = 5
  end

  # The algorithm of a Cloud KMS CryptoKeyVersion of a
  # [CryptoKey][google.cloud.kms.v1.CryptoKey] with the
  # [CryptoKeyPurpose][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose] value
  # `ASYMMETRIC_SIGN`. These values correspond to the
  # [CryptoKeyVersionAlgorithm][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm]
  # values. For RSA signing algorithms, the PSS algorithms should be preferred,
  # use PKCS1 algorithms if required for compatibility. For further
  # recommendations, see
  # https://cloud.google.com/kms/docs/algorithms#algorithm_recommendations.
  module SignHashAlgorithm
    # Not specified.
    SIGN_HASH_ALGORITHM_UNSPECIFIED = 0

    # maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PSS_2048_SHA256
    RSA_PSS_2048_SHA256 = 1

    # maps to CryptoKeyVersionAlgorithm. RSA_SIGN_PSS_3072_SHA256
    RSA_PSS_3072_SHA256 = 2

    # maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PSS_4096_SHA256
    RSA_PSS_4096_SHA256 = 3

    # maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_2048_SHA256
    RSA_PKCS1_2048_SHA256 = 6

    # maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_3072_SHA256
    RSA_PKCS1_3072_SHA256 = 7

    # maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_4096_SHA256
    RSA_PKCS1_4096_SHA256 = 8

    # maps to CryptoKeyVersionAlgorithm.EC_SIGN_P256_SHA256
    EC_P256_SHA256 = 4

    # maps to CryptoKeyVersionAlgorithm.EC_SIGN_P384_SHA384
    EC_P384_SHA384 = 5
  end
end

#config ⇒ ::Google::Cloud::Security::PrivateCA::V1::CertificateConfig

Returns Required. Immutable. The config used to create a self-signed X.509 certificate or CSR.

Returns:

• (::Google::Cloud::Security::PrivateCA::V1::CertificateConfig) —

  Required. Immutable. The config used to create a self-signed X.509 certificate or CSR.

# File 'proto_docs/google/cloud/security/privateca/v1/resources.rb', line 135

class CertificateAuthority
  include ::Google::Protobuf::MessageExts
  extend ::Google::Protobuf::MessageExts::ClassMethods

  # URLs where a
  # {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}
  # will publish content.
  # @!attribute [rw] ca_certificate_access_url
  #   @return [::String]
  #     The URL where this
  #     {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}'s
  #     CA certificate is published. This will only be set for CAs that have been
  #     activated.
  # @!attribute [rw] crl_access_urls
  #   @return [::Array<::String>]
  #     The URLs where this
  #     {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}'s
  #     CRLs are published. This will only be set for CAs that have been
  #     activated.
  class AccessUrls
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # A Cloud KMS key configuration that a
  # {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}
  # will use.
  # @!attribute [rw] cloud_kms_key_version
  #   @return [::String]
  #     The resource name for an existing Cloud KMS CryptoKeyVersion in the
  #     format
  #     `projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*`.
  #     This option enables full flexibility in the key's capabilities and
  #     properties.
  # @!attribute [rw] algorithm
  #   @return [::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority::SignHashAlgorithm]
  #     The algorithm to use for creating a managed Cloud KMS key for a for a
  #     simplified experience. All managed keys will be have their
  #     [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] as `HSM`.
  class KeyVersionSpec
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # @!attribute [rw] key
  #   @return [::String]
  # @!attribute [rw] value
  #   @return [::String]
  class LabelsEntry
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # The type of a
  # {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority},
  # indicating its issuing chain.
  module Type
    # Not specified.
    TYPE_UNSPECIFIED = 0

    # Self-signed CA.
    SELF_SIGNED = 1

    # Subordinate CA. Could be issued by a Private CA
    # {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}
    # or an unmanaged CA.
    SUBORDINATE = 2
  end

  # The state of a
  # {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority},
  # indicating if it can be used.
  module State
    # Not specified.
    STATE_UNSPECIFIED = 0

    # Certificates can be issued from this CA. CRLs will be generated for this
    # CA. The CA will be part of the
    # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}'s trust anchor, and
    # will be used to issue certificates from the
    # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
    ENABLED = 1

    # Certificates cannot be issued from this CA. CRLs will still be generated.
    # The CA will be part of the
    # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}'s trust anchor, but
    # will not be used to issue certificates from the
    # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
    DISABLED = 2

    # Certificates can be issued from this CA. CRLs will be generated for this
    # CA. The CA will be part of the
    # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}'s trust anchor, but
    # will not be used to issue certificates from the
    # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
    STAGED = 3

    # Certificates cannot be issued from this CA. CRLs will not be generated.
    # The CA will not be part of the
    # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}'s trust anchor, and
    # will not be used to issue certificates from the
    # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
    AWAITING_USER_ACTIVATION = 4

    # Certificates cannot be issued from this CA. CRLs will not be generated.
    # The CA may still be recovered by calling
    # {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthorityService::Client#undelete_certificate_authority CertificateAuthorityService.UndeleteCertificateAuthority}
    # before
    # {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority#expire_time expire_time}.
    # The CA will not be part of the
    # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}'s trust anchor, and
    # will not be used to issue certificates from the
    # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
    DELETED = 5
  end

  # The algorithm of a Cloud KMS CryptoKeyVersion of a
  # [CryptoKey][google.cloud.kms.v1.CryptoKey] with the
  # [CryptoKeyPurpose][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose] value
  # `ASYMMETRIC_SIGN`. These values correspond to the
  # [CryptoKeyVersionAlgorithm][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm]
  # values. For RSA signing algorithms, the PSS algorithms should be preferred,
  # use PKCS1 algorithms if required for compatibility. For further
  # recommendations, see
  # https://cloud.google.com/kms/docs/algorithms#algorithm_recommendations.
  module SignHashAlgorithm
    # Not specified.
    SIGN_HASH_ALGORITHM_UNSPECIFIED = 0

    # maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PSS_2048_SHA256
    RSA_PSS_2048_SHA256 = 1

    # maps to CryptoKeyVersionAlgorithm. RSA_SIGN_PSS_3072_SHA256
    RSA_PSS_3072_SHA256 = 2

    # maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PSS_4096_SHA256
    RSA_PSS_4096_SHA256 = 3

    # maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_2048_SHA256
    RSA_PKCS1_2048_SHA256 = 6

    # maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_3072_SHA256
    RSA_PKCS1_3072_SHA256 = 7

    # maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_4096_SHA256
    RSA_PKCS1_4096_SHA256 = 8

    # maps to CryptoKeyVersionAlgorithm.EC_SIGN_P256_SHA256
    EC_P256_SHA256 = 4

    # maps to CryptoKeyVersionAlgorithm.EC_SIGN_P384_SHA384
    EC_P384_SHA384 = 5
  end
end

#create_time ⇒ ::Google::Protobuf::Timestamp (readonly)

Returns Output only. The time at which this CertificateAuthority was created.

Returns:

• (::Google::Protobuf::Timestamp) —

  Output only. The time at which this CertificateAuthority was created.

# File 'proto_docs/google/cloud/security/privateca/v1/resources.rb', line 135

class CertificateAuthority
  include ::Google::Protobuf::MessageExts
  extend ::Google::Protobuf::MessageExts::ClassMethods

  # URLs where a
  # {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}
  # will publish content.
  # @!attribute [rw] ca_certificate_access_url
  #   @return [::String]
  #     The URL where this
  #     {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}'s
  #     CA certificate is published. This will only be set for CAs that have been
  #     activated.
  # @!attribute [rw] crl_access_urls
  #   @return [::Array<::String>]
  #     The URLs where this
  #     {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}'s
  #     CRLs are published. This will only be set for CAs that have been
  #     activated.
  class AccessUrls
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # A Cloud KMS key configuration that a
  # {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}
  # will use.
  # @!attribute [rw] cloud_kms_key_version
  #   @return [::String]
  #     The resource name for an existing Cloud KMS CryptoKeyVersion in the
  #     format
  #     `projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*`.
  #     This option enables full flexibility in the key's capabilities and
  #     properties.
  # @!attribute [rw] algorithm
  #   @return [::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority::SignHashAlgorithm]
  #     The algorithm to use for creating a managed Cloud KMS key for a for a
  #     simplified experience. All managed keys will be have their
  #     [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] as `HSM`.
  class KeyVersionSpec
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # @!attribute [rw] key
  #   @return [::String]
  # @!attribute [rw] value
  #   @return [::String]
  class LabelsEntry
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # The type of a
  # {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority},
  # indicating its issuing chain.
  module Type
    # Not specified.
    TYPE_UNSPECIFIED = 0

    # Self-signed CA.
    SELF_SIGNED = 1

    # Subordinate CA. Could be issued by a Private CA
    # {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}
    # or an unmanaged CA.
    SUBORDINATE = 2
  end

  # The state of a
  # {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority},
  # indicating if it can be used.
  module State
    # Not specified.
    STATE_UNSPECIFIED = 0

    # Certificates can be issued from this CA. CRLs will be generated for this
    # CA. The CA will be part of the
    # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}'s trust anchor, and
    # will be used to issue certificates from the
    # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
    ENABLED = 1

    # Certificates cannot be issued from this CA. CRLs will still be generated.
    # The CA will be part of the
    # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}'s trust anchor, but
    # will not be used to issue certificates from the
    # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
    DISABLED = 2

    # Certificates can be issued from this CA. CRLs will be generated for this
    # CA. The CA will be part of the
    # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}'s trust anchor, but
    # will not be used to issue certificates from the
    # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
    STAGED = 3

    # Certificates cannot be issued from this CA. CRLs will not be generated.
    # The CA will not be part of the
    # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}'s trust anchor, and
    # will not be used to issue certificates from the
    # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
    AWAITING_USER_ACTIVATION = 4

    # Certificates cannot be issued from this CA. CRLs will not be generated.
    # The CA may still be recovered by calling
    # {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthorityService::Client#undelete_certificate_authority CertificateAuthorityService.UndeleteCertificateAuthority}
    # before
    # {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority#expire_time expire_time}.
    # The CA will not be part of the
    # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}'s trust anchor, and
    # will not be used to issue certificates from the
    # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
    DELETED = 5
  end

  # The algorithm of a Cloud KMS CryptoKeyVersion of a
  # [CryptoKey][google.cloud.kms.v1.CryptoKey] with the
  # [CryptoKeyPurpose][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose] value
  # `ASYMMETRIC_SIGN`. These values correspond to the
  # [CryptoKeyVersionAlgorithm][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm]
  # values. For RSA signing algorithms, the PSS algorithms should be preferred,
  # use PKCS1 algorithms if required for compatibility. For further
  # recommendations, see
  # https://cloud.google.com/kms/docs/algorithms#algorithm_recommendations.
  module SignHashAlgorithm
    # Not specified.
    SIGN_HASH_ALGORITHM_UNSPECIFIED = 0

    # maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PSS_2048_SHA256
    RSA_PSS_2048_SHA256 = 1

    # maps to CryptoKeyVersionAlgorithm. RSA_SIGN_PSS_3072_SHA256
    RSA_PSS_3072_SHA256 = 2

    # maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PSS_4096_SHA256
    RSA_PSS_4096_SHA256 = 3

    # maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_2048_SHA256
    RSA_PKCS1_2048_SHA256 = 6

    # maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_3072_SHA256
    RSA_PKCS1_3072_SHA256 = 7

    # maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_4096_SHA256
    RSA_PKCS1_4096_SHA256 = 8

    # maps to CryptoKeyVersionAlgorithm.EC_SIGN_P256_SHA256
    EC_P256_SHA256 = 4

    # maps to CryptoKeyVersionAlgorithm.EC_SIGN_P384_SHA384
    EC_P384_SHA384 = 5
  end
end

#delete_time ⇒ ::Google::Protobuf::Timestamp (readonly)

Returns Output only. The time at which this CertificateAuthority was soft deleted, if it is in the DELETED state.

Returns:

• (::Google::Protobuf::Timestamp) —

  Output only. The time at which this CertificateAuthority was soft deleted, if it is in the DELETED state.

# File 'proto_docs/google/cloud/security/privateca/v1/resources.rb', line 135

class CertificateAuthority
  include ::Google::Protobuf::MessageExts
  extend ::Google::Protobuf::MessageExts::ClassMethods

  # URLs where a
  # {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}
  # will publish content.
  # @!attribute [rw] ca_certificate_access_url
  #   @return [::String]
  #     The URL where this
  #     {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}'s
  #     CA certificate is published. This will only be set for CAs that have been
  #     activated.
  # @!attribute [rw] crl_access_urls
  #   @return [::Array<::String>]
  #     The URLs where this
  #     {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}'s
  #     CRLs are published. This will only be set for CAs that have been
  #     activated.
  class AccessUrls
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # A Cloud KMS key configuration that a
  # {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}
  # will use.
  # @!attribute [rw] cloud_kms_key_version
  #   @return [::String]
  #     The resource name for an existing Cloud KMS CryptoKeyVersion in the
  #     format
  #     `projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*`.
  #     This option enables full flexibility in the key's capabilities and
  #     properties.
  # @!attribute [rw] algorithm
  #   @return [::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority::SignHashAlgorithm]
  #     The algorithm to use for creating a managed Cloud KMS key for a for a
  #     simplified experience. All managed keys will be have their
  #     [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] as `HSM`.
  class KeyVersionSpec
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # @!attribute [rw] key
  #   @return [::String]
  # @!attribute [rw] value
  #   @return [::String]
  class LabelsEntry
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # The type of a
  # {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority},
  # indicating its issuing chain.
  module Type
    # Not specified.
    TYPE_UNSPECIFIED = 0

    # Self-signed CA.
    SELF_SIGNED = 1

    # Subordinate CA. Could be issued by a Private CA
    # {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}
    # or an unmanaged CA.
    SUBORDINATE = 2
  end

  # The state of a
  # {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority},
  # indicating if it can be used.
  module State
    # Not specified.
    STATE_UNSPECIFIED = 0

    # Certificates can be issued from this CA. CRLs will be generated for this
    # CA. The CA will be part of the
    # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}'s trust anchor, and
    # will be used to issue certificates from the
    # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
    ENABLED = 1

    # Certificates cannot be issued from this CA. CRLs will still be generated.
    # The CA will be part of the
    # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}'s trust anchor, but
    # will not be used to issue certificates from the
    # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
    DISABLED = 2

    # Certificates can be issued from this CA. CRLs will be generated for this
    # CA. The CA will be part of the
    # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}'s trust anchor, but
    # will not be used to issue certificates from the
    # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
    STAGED = 3

    # Certificates cannot be issued from this CA. CRLs will not be generated.
    # The CA will not be part of the
    # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}'s trust anchor, and
    # will not be used to issue certificates from the
    # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
    AWAITING_USER_ACTIVATION = 4

    # Certificates cannot be issued from this CA. CRLs will not be generated.
    # The CA may still be recovered by calling
    # {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthorityService::Client#undelete_certificate_authority CertificateAuthorityService.UndeleteCertificateAuthority}
    # before
    # {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority#expire_time expire_time}.
    # The CA will not be part of the
    # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}'s trust anchor, and
    # will not be used to issue certificates from the
    # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
    DELETED = 5
  end

  # The algorithm of a Cloud KMS CryptoKeyVersion of a
  # [CryptoKey][google.cloud.kms.v1.CryptoKey] with the
  # [CryptoKeyPurpose][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose] value
  # `ASYMMETRIC_SIGN`. These values correspond to the
  # [CryptoKeyVersionAlgorithm][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm]
  # values. For RSA signing algorithms, the PSS algorithms should be preferred,
  # use PKCS1 algorithms if required for compatibility. For further
  # recommendations, see
  # https://cloud.google.com/kms/docs/algorithms#algorithm_recommendations.
  module SignHashAlgorithm
    # Not specified.
    SIGN_HASH_ALGORITHM_UNSPECIFIED = 0

    # maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PSS_2048_SHA256
    RSA_PSS_2048_SHA256 = 1

    # maps to CryptoKeyVersionAlgorithm. RSA_SIGN_PSS_3072_SHA256
    RSA_PSS_3072_SHA256 = 2

    # maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PSS_4096_SHA256
    RSA_PSS_4096_SHA256 = 3

    # maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_2048_SHA256
    RSA_PKCS1_2048_SHA256 = 6

    # maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_3072_SHA256
    RSA_PKCS1_3072_SHA256 = 7

    # maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_4096_SHA256
    RSA_PKCS1_4096_SHA256 = 8

    # maps to CryptoKeyVersionAlgorithm.EC_SIGN_P256_SHA256
    EC_P256_SHA256 = 4

    # maps to CryptoKeyVersionAlgorithm.EC_SIGN_P384_SHA384
    EC_P384_SHA384 = 5
  end
end

#expire_time ⇒ ::Google::Protobuf::Timestamp (readonly)

Returns Output only. The time at which this CertificateAuthority will be permanently purged, if it is in the DELETED state.

Returns:

• (::Google::Protobuf::Timestamp) —

  Output only. The time at which this CertificateAuthority will be permanently purged, if it is in the DELETED state.

# File 'proto_docs/google/cloud/security/privateca/v1/resources.rb', line 135

class CertificateAuthority
  include ::Google::Protobuf::MessageExts
  extend ::Google::Protobuf::MessageExts::ClassMethods

  # URLs where a
  # {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}
  # will publish content.
  # @!attribute [rw] ca_certificate_access_url
  #   @return [::String]
  #     The URL where this
  #     {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}'s
  #     CA certificate is published. This will only be set for CAs that have been
  #     activated.
  # @!attribute [rw] crl_access_urls
  #   @return [::Array<::String>]
  #     The URLs where this
  #     {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}'s
  #     CRLs are published. This will only be set for CAs that have been
  #     activated.
  class AccessUrls
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # A Cloud KMS key configuration that a
  # {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}
  # will use.
  # @!attribute [rw] cloud_kms_key_version
  #   @return [::String]
  #     The resource name for an existing Cloud KMS CryptoKeyVersion in the
  #     format
  #     `projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*`.
  #     This option enables full flexibility in the key's capabilities and
  #     properties.
  # @!attribute [rw] algorithm
  #   @return [::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority::SignHashAlgorithm]
  #     The algorithm to use for creating a managed Cloud KMS key for a for a
  #     simplified experience. All managed keys will be have their
  #     [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] as `HSM`.
  class KeyVersionSpec
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # @!attribute [rw] key
  #   @return [::String]
  # @!attribute [rw] value
  #   @return [::String]
  class LabelsEntry
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # The type of a
  # {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority},
  # indicating its issuing chain.
  module Type
    # Not specified.
    TYPE_UNSPECIFIED = 0

    # Self-signed CA.
    SELF_SIGNED = 1

    # Subordinate CA. Could be issued by a Private CA
    # {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}
    # or an unmanaged CA.
    SUBORDINATE = 2
  end

  # The state of a
  # {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority},
  # indicating if it can be used.
  module State
    # Not specified.
    STATE_UNSPECIFIED = 0

    # Certificates can be issued from this CA. CRLs will be generated for this
    # CA. The CA will be part of the
    # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}'s trust anchor, and
    # will be used to issue certificates from the
    # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
    ENABLED = 1

    # Certificates cannot be issued from this CA. CRLs will still be generated.
    # The CA will be part of the
    # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}'s trust anchor, but
    # will not be used to issue certificates from the
    # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
    DISABLED = 2

    # Certificates can be issued from this CA. CRLs will be generated for this
    # CA. The CA will be part of the
    # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}'s trust anchor, but
    # will not be used to issue certificates from the
    # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
    STAGED = 3

    # Certificates cannot be issued from this CA. CRLs will not be generated.
    # The CA will not be part of the
    # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}'s trust anchor, and
    # will not be used to issue certificates from the
    # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
    AWAITING_USER_ACTIVATION = 4

    # Certificates cannot be issued from this CA. CRLs will not be generated.
    # The CA may still be recovered by calling
    # {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthorityService::Client#undelete_certificate_authority CertificateAuthorityService.UndeleteCertificateAuthority}
    # before
    # {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority#expire_time expire_time}.
    # The CA will not be part of the
    # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}'s trust anchor, and
    # will not be used to issue certificates from the
    # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
    DELETED = 5
  end

  # The algorithm of a Cloud KMS CryptoKeyVersion of a
  # [CryptoKey][google.cloud.kms.v1.CryptoKey] with the
  # [CryptoKeyPurpose][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose] value
  # `ASYMMETRIC_SIGN`. These values correspond to the
  # [CryptoKeyVersionAlgorithm][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm]
  # values. For RSA signing algorithms, the PSS algorithms should be preferred,
  # use PKCS1 algorithms if required for compatibility. For further
  # recommendations, see
  # https://cloud.google.com/kms/docs/algorithms#algorithm_recommendations.
  module SignHashAlgorithm
    # Not specified.
    SIGN_HASH_ALGORITHM_UNSPECIFIED = 0

    # maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PSS_2048_SHA256
    RSA_PSS_2048_SHA256 = 1

    # maps to CryptoKeyVersionAlgorithm. RSA_SIGN_PSS_3072_SHA256
    RSA_PSS_3072_SHA256 = 2

    # maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PSS_4096_SHA256
    RSA_PSS_4096_SHA256 = 3

    # maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_2048_SHA256
    RSA_PKCS1_2048_SHA256 = 6

    # maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_3072_SHA256
    RSA_PKCS1_3072_SHA256 = 7

    # maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_4096_SHA256
    RSA_PKCS1_4096_SHA256 = 8

    # maps to CryptoKeyVersionAlgorithm.EC_SIGN_P256_SHA256
    EC_P256_SHA256 = 4

    # maps to CryptoKeyVersionAlgorithm.EC_SIGN_P384_SHA384
    EC_P384_SHA384 = 5
  end
end

#gcs_bucket ⇒ ::String

Returns Immutable. The name of a Cloud Storage bucket where this CertificateAuthority will publish content, such as the CA certificate and CRLs. This must be a bucket name, without any prefixes (such as gs://) or suffixes (such as .googleapis.com). For example, to use a bucket named my-bucket, you would simply specify my-bucket. If not specified, a managed bucket will be created.

Returns:

• (::String) —

  Immutable. The name of a Cloud Storage bucket where this CertificateAuthority will publish content, such as the CA certificate and CRLs. This must be a bucket name, without any prefixes (such as gs://) or suffixes (such as .googleapis.com). For example, to use a bucket named my-bucket, you would simply specify my-bucket. If not specified, a managed bucket will be created.

# File 'proto_docs/google/cloud/security/privateca/v1/resources.rb', line 135

class CertificateAuthority
  include ::Google::Protobuf::MessageExts
  extend ::Google::Protobuf::MessageExts::ClassMethods

  # URLs where a
  # {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}
  # will publish content.
  # @!attribute [rw] ca_certificate_access_url
  #   @return [::String]
  #     The URL where this
  #     {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}'s
  #     CA certificate is published. This will only be set for CAs that have been
  #     activated.
  # @!attribute [rw] crl_access_urls
  #   @return [::Array<::String>]
  #     The URLs where this
  #     {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}'s
  #     CRLs are published. This will only be set for CAs that have been
  #     activated.
  class AccessUrls
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # A Cloud KMS key configuration that a
  # {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}
  # will use.
  # @!attribute [rw] cloud_kms_key_version
  #   @return [::String]
  #     The resource name for an existing Cloud KMS CryptoKeyVersion in the
  #     format
  #     `projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*`.
  #     This option enables full flexibility in the key's capabilities and
  #     properties.
  # @!attribute [rw] algorithm
  #   @return [::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority::SignHashAlgorithm]
  #     The algorithm to use for creating a managed Cloud KMS key for a for a
  #     simplified experience. All managed keys will be have their
  #     [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] as `HSM`.
  class KeyVersionSpec
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # @!attribute [rw] key
  #   @return [::String]
  # @!attribute [rw] value
  #   @return [::String]
  class LabelsEntry
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # The type of a
  # {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority},
  # indicating its issuing chain.
  module Type
    # Not specified.
    TYPE_UNSPECIFIED = 0

    # Self-signed CA.
    SELF_SIGNED = 1

    # Subordinate CA. Could be issued by a Private CA
    # {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}
    # or an unmanaged CA.
    SUBORDINATE = 2
  end

  # The state of a
  # {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority},
  # indicating if it can be used.
  module State
    # Not specified.
    STATE_UNSPECIFIED = 0

    # Certificates can be issued from this CA. CRLs will be generated for this
    # CA. The CA will be part of the
    # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}'s trust anchor, and
    # will be used to issue certificates from the
    # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
    ENABLED = 1

    # Certificates cannot be issued from this CA. CRLs will still be generated.
    # The CA will be part of the
    # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}'s trust anchor, but
    # will not be used to issue certificates from the
    # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
    DISABLED = 2

    # Certificates can be issued from this CA. CRLs will be generated for this
    # CA. The CA will be part of the
    # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}'s trust anchor, but
    # will not be used to issue certificates from the
    # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
    STAGED = 3

    # Certificates cannot be issued from this CA. CRLs will not be generated.
    # The CA will not be part of the
    # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}'s trust anchor, and
    # will not be used to issue certificates from the
    # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
    AWAITING_USER_ACTIVATION = 4

    # Certificates cannot be issued from this CA. CRLs will not be generated.
    # The CA may still be recovered by calling
    # {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthorityService::Client#undelete_certificate_authority CertificateAuthorityService.UndeleteCertificateAuthority}
    # before
    # {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority#expire_time expire_time}.
    # The CA will not be part of the
    # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}'s trust anchor, and
    # will not be used to issue certificates from the
    # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
    DELETED = 5
  end

  # The algorithm of a Cloud KMS CryptoKeyVersion of a
  # [CryptoKey][google.cloud.kms.v1.CryptoKey] with the
  # [CryptoKeyPurpose][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose] value
  # `ASYMMETRIC_SIGN`. These values correspond to the
  # [CryptoKeyVersionAlgorithm][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm]
  # values. For RSA signing algorithms, the PSS algorithms should be preferred,
  # use PKCS1 algorithms if required for compatibility. For further
  # recommendations, see
  # https://cloud.google.com/kms/docs/algorithms#algorithm_recommendations.
  module SignHashAlgorithm
    # Not specified.
    SIGN_HASH_ALGORITHM_UNSPECIFIED = 0

    # maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PSS_2048_SHA256
    RSA_PSS_2048_SHA256 = 1

    # maps to CryptoKeyVersionAlgorithm. RSA_SIGN_PSS_3072_SHA256
    RSA_PSS_3072_SHA256 = 2

    # maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PSS_4096_SHA256
    RSA_PSS_4096_SHA256 = 3

    # maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_2048_SHA256
    RSA_PKCS1_2048_SHA256 = 6

    # maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_3072_SHA256
    RSA_PKCS1_3072_SHA256 = 7

    # maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_4096_SHA256
    RSA_PKCS1_4096_SHA256 = 8

    # maps to CryptoKeyVersionAlgorithm.EC_SIGN_P256_SHA256
    EC_P256_SHA256 = 4

    # maps to CryptoKeyVersionAlgorithm.EC_SIGN_P384_SHA384
    EC_P384_SHA384 = 5
  end
end

#key_spec ⇒ ::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority::KeyVersionSpec

Returns Required. Immutable. Used when issuing certificates for this CertificateAuthority. If this CertificateAuthority is a self-signed CertificateAuthority, this key is also used to sign the self-signed CA certificate. Otherwise, it is used to sign a CSR.

Returns:

• (::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority::KeyVersionSpec) —

  Required. Immutable. Used when issuing certificates for this CertificateAuthority. If this CertificateAuthority is a self-signed CertificateAuthority, this key is also used to sign the self-signed CA certificate. Otherwise, it is used to sign a CSR.

# File 'proto_docs/google/cloud/security/privateca/v1/resources.rb', line 135

class CertificateAuthority
  include ::Google::Protobuf::MessageExts
  extend ::Google::Protobuf::MessageExts::ClassMethods

  # URLs where a
  # {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}
  # will publish content.
  # @!attribute [rw] ca_certificate_access_url
  #   @return [::String]
  #     The URL where this
  #     {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}'s
  #     CA certificate is published. This will only be set for CAs that have been
  #     activated.
  # @!attribute [rw] crl_access_urls
  #   @return [::Array<::String>]
  #     The URLs where this
  #     {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}'s
  #     CRLs are published. This will only be set for CAs that have been
  #     activated.
  class AccessUrls
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # A Cloud KMS key configuration that a
  # {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}
  # will use.
  # @!attribute [rw] cloud_kms_key_version
  #   @return [::String]
  #     The resource name for an existing Cloud KMS CryptoKeyVersion in the
  #     format
  #     `projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*`.
  #     This option enables full flexibility in the key's capabilities and
  #     properties.
  # @!attribute [rw] algorithm
  #   @return [::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority::SignHashAlgorithm]
  #     The algorithm to use for creating a managed Cloud KMS key for a for a
  #     simplified experience. All managed keys will be have their
  #     [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] as `HSM`.
  class KeyVersionSpec
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # @!attribute [rw] key
  #   @return [::String]
  # @!attribute [rw] value
  #   @return [::String]
  class LabelsEntry
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # The type of a
  # {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority},
  # indicating its issuing chain.
  module Type
    # Not specified.
    TYPE_UNSPECIFIED = 0

    # Self-signed CA.
    SELF_SIGNED = 1

    # Subordinate CA. Could be issued by a Private CA
    # {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}
    # or an unmanaged CA.
    SUBORDINATE = 2
  end

  # The state of a
  # {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority},
  # indicating if it can be used.
  module State
    # Not specified.
    STATE_UNSPECIFIED = 0

    # Certificates can be issued from this CA. CRLs will be generated for this
    # CA. The CA will be part of the
    # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}'s trust anchor, and
    # will be used to issue certificates from the
    # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
    ENABLED = 1

    # Certificates cannot be issued from this CA. CRLs will still be generated.
    # The CA will be part of the
    # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}'s trust anchor, but
    # will not be used to issue certificates from the
    # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
    DISABLED = 2

    # Certificates can be issued from this CA. CRLs will be generated for this
    # CA. The CA will be part of the
    # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}'s trust anchor, but
    # will not be used to issue certificates from the
    # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
    STAGED = 3

    # Certificates cannot be issued from this CA. CRLs will not be generated.
    # The CA will not be part of the
    # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}'s trust anchor, and
    # will not be used to issue certificates from the
    # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
    AWAITING_USER_ACTIVATION = 4

    # Certificates cannot be issued from this CA. CRLs will not be generated.
    # The CA may still be recovered by calling
    # {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthorityService::Client#undelete_certificate_authority CertificateAuthorityService.UndeleteCertificateAuthority}
    # before
    # {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority#expire_time expire_time}.
    # The CA will not be part of the
    # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}'s trust anchor, and
    # will not be used to issue certificates from the
    # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
    DELETED = 5
  end

  # The algorithm of a Cloud KMS CryptoKeyVersion of a
  # [CryptoKey][google.cloud.kms.v1.CryptoKey] with the
  # [CryptoKeyPurpose][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose] value
  # `ASYMMETRIC_SIGN`. These values correspond to the
  # [CryptoKeyVersionAlgorithm][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm]
  # values. For RSA signing algorithms, the PSS algorithms should be preferred,
  # use PKCS1 algorithms if required for compatibility. For further
  # recommendations, see
  # https://cloud.google.com/kms/docs/algorithms#algorithm_recommendations.
  module SignHashAlgorithm
    # Not specified.
    SIGN_HASH_ALGORITHM_UNSPECIFIED = 0

    # maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PSS_2048_SHA256
    RSA_PSS_2048_SHA256 = 1

    # maps to CryptoKeyVersionAlgorithm. RSA_SIGN_PSS_3072_SHA256
    RSA_PSS_3072_SHA256 = 2

    # maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PSS_4096_SHA256
    RSA_PSS_4096_SHA256 = 3

    # maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_2048_SHA256
    RSA_PKCS1_2048_SHA256 = 6

    # maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_3072_SHA256
    RSA_PKCS1_3072_SHA256 = 7

    # maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_4096_SHA256
    RSA_PKCS1_4096_SHA256 = 8

    # maps to CryptoKeyVersionAlgorithm.EC_SIGN_P256_SHA256
    EC_P256_SHA256 = 4

    # maps to CryptoKeyVersionAlgorithm.EC_SIGN_P384_SHA384
    EC_P384_SHA384 = 5
  end
end

#labels ⇒ ::Google::Protobuf::Map{::String => ::String}

Returns Optional. Labels with user-defined metadata.

Returns:

• (::Google::Protobuf::Map{::String => ::String}) —

  Optional. Labels with user-defined metadata.

# File 'proto_docs/google/cloud/security/privateca/v1/resources.rb', line 135

class CertificateAuthority
  include ::Google::Protobuf::MessageExts
  extend ::Google::Protobuf::MessageExts::ClassMethods

  # URLs where a
  # {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}
  # will publish content.
  # @!attribute [rw] ca_certificate_access_url
  #   @return [::String]
  #     The URL where this
  #     {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}'s
  #     CA certificate is published. This will only be set for CAs that have been
  #     activated.
  # @!attribute [rw] crl_access_urls
  #   @return [::Array<::String>]
  #     The URLs where this
  #     {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}'s
  #     CRLs are published. This will only be set for CAs that have been
  #     activated.
  class AccessUrls
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # A Cloud KMS key configuration that a
  # {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}
  # will use.
  # @!attribute [rw] cloud_kms_key_version
  #   @return [::String]
  #     The resource name for an existing Cloud KMS CryptoKeyVersion in the
  #     format
  #     `projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*`.
  #     This option enables full flexibility in the key's capabilities and
  #     properties.
  # @!attribute [rw] algorithm
  #   @return [::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority::SignHashAlgorithm]
  #     The algorithm to use for creating a managed Cloud KMS key for a for a
  #     simplified experience. All managed keys will be have their
  #     [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] as `HSM`.
  class KeyVersionSpec
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # @!attribute [rw] key
  #   @return [::String]
  # @!attribute [rw] value
  #   @return [::String]
  class LabelsEntry
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # The type of a
  # {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority},
  # indicating its issuing chain.
  module Type
    # Not specified.
    TYPE_UNSPECIFIED = 0

    # Self-signed CA.
    SELF_SIGNED = 1

    # Subordinate CA. Could be issued by a Private CA
    # {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}
    # or an unmanaged CA.
    SUBORDINATE = 2
  end

  # The state of a
  # {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority},
  # indicating if it can be used.
  module State
    # Not specified.
    STATE_UNSPECIFIED = 0

    # Certificates can be issued from this CA. CRLs will be generated for this
    # CA. The CA will be part of the
    # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}'s trust anchor, and
    # will be used to issue certificates from the
    # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
    ENABLED = 1

    # Certificates cannot be issued from this CA. CRLs will still be generated.
    # The CA will be part of the
    # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}'s trust anchor, but
    # will not be used to issue certificates from the
    # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
    DISABLED = 2

    # Certificates can be issued from this CA. CRLs will be generated for this
    # CA. The CA will be part of the
    # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}'s trust anchor, but
    # will not be used to issue certificates from the
    # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
    STAGED = 3

    # Certificates cannot be issued from this CA. CRLs will not be generated.
    # The CA will not be part of the
    # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}'s trust anchor, and
    # will not be used to issue certificates from the
    # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
    AWAITING_USER_ACTIVATION = 4

    # Certificates cannot be issued from this CA. CRLs will not be generated.
    # The CA may still be recovered by calling
    # {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthorityService::Client#undelete_certificate_authority CertificateAuthorityService.UndeleteCertificateAuthority}
    # before
    # {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority#expire_time expire_time}.
    # The CA will not be part of the
    # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}'s trust anchor, and
    # will not be used to issue certificates from the
    # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
    DELETED = 5
  end

  # The algorithm of a Cloud KMS CryptoKeyVersion of a
  # [CryptoKey][google.cloud.kms.v1.CryptoKey] with the
  # [CryptoKeyPurpose][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose] value
  # `ASYMMETRIC_SIGN`. These values correspond to the
  # [CryptoKeyVersionAlgorithm][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm]
  # values. For RSA signing algorithms, the PSS algorithms should be preferred,
  # use PKCS1 algorithms if required for compatibility. For further
  # recommendations, see
  # https://cloud.google.com/kms/docs/algorithms#algorithm_recommendations.
  module SignHashAlgorithm
    # Not specified.
    SIGN_HASH_ALGORITHM_UNSPECIFIED = 0

    # maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PSS_2048_SHA256
    RSA_PSS_2048_SHA256 = 1

    # maps to CryptoKeyVersionAlgorithm. RSA_SIGN_PSS_3072_SHA256
    RSA_PSS_3072_SHA256 = 2

    # maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PSS_4096_SHA256
    RSA_PSS_4096_SHA256 = 3

    # maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_2048_SHA256
    RSA_PKCS1_2048_SHA256 = 6

    # maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_3072_SHA256
    RSA_PKCS1_3072_SHA256 = 7

    # maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_4096_SHA256
    RSA_PKCS1_4096_SHA256 = 8

    # maps to CryptoKeyVersionAlgorithm.EC_SIGN_P256_SHA256
    EC_P256_SHA256 = 4

    # maps to CryptoKeyVersionAlgorithm.EC_SIGN_P384_SHA384
    EC_P384_SHA384 = 5
  end
end

#lifetime ⇒ ::Google::Protobuf::Duration

Returns Required. Immutable. The desired lifetime of the CA certificate. Used to create the "not_before_time" and "not_after_time" fields inside an X.509 certificate.

Returns:

• (::Google::Protobuf::Duration) —

  Required. Immutable. The desired lifetime of the CA certificate. Used to create the "not_before_time" and "not_after_time" fields inside an X.509 certificate.

# File 'proto_docs/google/cloud/security/privateca/v1/resources.rb', line 135

class CertificateAuthority
  include ::Google::Protobuf::MessageExts
  extend ::Google::Protobuf::MessageExts::ClassMethods

  # URLs where a
  # {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}
  # will publish content.
  # @!attribute [rw] ca_certificate_access_url
  #   @return [::String]
  #     The URL where this
  #     {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}'s
  #     CA certificate is published. This will only be set for CAs that have been
  #     activated.
  # @!attribute [rw] crl_access_urls
  #   @return [::Array<::String>]
  #     The URLs where this
  #     {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}'s
  #     CRLs are published. This will only be set for CAs that have been
  #     activated.
  class AccessUrls
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # A Cloud KMS key configuration that a
  # {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}
  # will use.
  # @!attribute [rw] cloud_kms_key_version
  #   @return [::String]
  #     The resource name for an existing Cloud KMS CryptoKeyVersion in the
  #     format
  #     `projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*`.
  #     This option enables full flexibility in the key's capabilities and
  #     properties.
  # @!attribute [rw] algorithm
  #   @return [::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority::SignHashAlgorithm]
  #     The algorithm to use for creating a managed Cloud KMS key for a for a
  #     simplified experience. All managed keys will be have their
  #     [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] as `HSM`.
  class KeyVersionSpec
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # @!attribute [rw] key
  #   @return [::String]
  # @!attribute [rw] value
  #   @return [::String]
  class LabelsEntry
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # The type of a
  # {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority},
  # indicating its issuing chain.
  module Type
    # Not specified.
    TYPE_UNSPECIFIED = 0

    # Self-signed CA.
    SELF_SIGNED = 1

    # Subordinate CA. Could be issued by a Private CA
    # {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}
    # or an unmanaged CA.
    SUBORDINATE = 2
  end

  # The state of a
  # {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority},
  # indicating if it can be used.
  module State
    # Not specified.
    STATE_UNSPECIFIED = 0

    # Certificates can be issued from this CA. CRLs will be generated for this
    # CA. The CA will be part of the
    # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}'s trust anchor, and
    # will be used to issue certificates from the
    # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
    ENABLED = 1

    # Certificates cannot be issued from this CA. CRLs will still be generated.
    # The CA will be part of the
    # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}'s trust anchor, but
    # will not be used to issue certificates from the
    # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
    DISABLED = 2

    # Certificates can be issued from this CA. CRLs will be generated for this
    # CA. The CA will be part of the
    # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}'s trust anchor, but
    # will not be used to issue certificates from the
    # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
    STAGED = 3

    # Certificates cannot be issued from this CA. CRLs will not be generated.
    # The CA will not be part of the
    # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}'s trust anchor, and
    # will not be used to issue certificates from the
    # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
    AWAITING_USER_ACTIVATION = 4

    # Certificates cannot be issued from this CA. CRLs will not be generated.
    # The CA may still be recovered by calling
    # {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthorityService::Client#undelete_certificate_authority CertificateAuthorityService.UndeleteCertificateAuthority}
    # before
    # {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority#expire_time expire_time}.
    # The CA will not be part of the
    # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}'s trust anchor, and
    # will not be used to issue certificates from the
    # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
    DELETED = 5
  end

  # The algorithm of a Cloud KMS CryptoKeyVersion of a
  # [CryptoKey][google.cloud.kms.v1.CryptoKey] with the
  # [CryptoKeyPurpose][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose] value
  # `ASYMMETRIC_SIGN`. These values correspond to the
  # [CryptoKeyVersionAlgorithm][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm]
  # values. For RSA signing algorithms, the PSS algorithms should be preferred,
  # use PKCS1 algorithms if required for compatibility. For further
  # recommendations, see
  # https://cloud.google.com/kms/docs/algorithms#algorithm_recommendations.
  module SignHashAlgorithm
    # Not specified.
    SIGN_HASH_ALGORITHM_UNSPECIFIED = 0

    # maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PSS_2048_SHA256
    RSA_PSS_2048_SHA256 = 1

    # maps to CryptoKeyVersionAlgorithm. RSA_SIGN_PSS_3072_SHA256
    RSA_PSS_3072_SHA256 = 2

    # maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PSS_4096_SHA256
    RSA_PSS_4096_SHA256 = 3

    # maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_2048_SHA256
    RSA_PKCS1_2048_SHA256 = 6

    # maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_3072_SHA256
    RSA_PKCS1_3072_SHA256 = 7

    # maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_4096_SHA256
    RSA_PKCS1_4096_SHA256 = 8

    # maps to CryptoKeyVersionAlgorithm.EC_SIGN_P256_SHA256
    EC_P256_SHA256 = 4

    # maps to CryptoKeyVersionAlgorithm.EC_SIGN_P384_SHA384
    EC_P384_SHA384 = 5
  end
end

#name ⇒ ::String (readonly)

Returns Output only. The resource name for this CertificateAuthority in the format projects/*/locations/*/caPools/*/certificateAuthorities/*.

Returns:

• (::String) —

  Output only. The resource name for this CertificateAuthority in the format projects/*/locations/*/caPools/*/certificateAuthorities/*.

# File 'proto_docs/google/cloud/security/privateca/v1/resources.rb', line 135

class CertificateAuthority
  include ::Google::Protobuf::MessageExts
  extend ::Google::Protobuf::MessageExts::ClassMethods

  # URLs where a
  # {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}
  # will publish content.
  # @!attribute [rw] ca_certificate_access_url
  #   @return [::String]
  #     The URL where this
  #     {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}'s
  #     CA certificate is published. This will only be set for CAs that have been
  #     activated.
  # @!attribute [rw] crl_access_urls
  #   @return [::Array<::String>]
  #     The URLs where this
  #     {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}'s
  #     CRLs are published. This will only be set for CAs that have been
  #     activated.
  class AccessUrls
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # A Cloud KMS key configuration that a
  # {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}
  # will use.
  # @!attribute [rw] cloud_kms_key_version
  #   @return [::String]
  #     The resource name for an existing Cloud KMS CryptoKeyVersion in the
  #     format
  #     `projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*`.
  #     This option enables full flexibility in the key's capabilities and
  #     properties.
  # @!attribute [rw] algorithm
  #   @return [::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority::SignHashAlgorithm]
  #     The algorithm to use for creating a managed Cloud KMS key for a for a
  #     simplified experience. All managed keys will be have their
  #     [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] as `HSM`.
  class KeyVersionSpec
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # @!attribute [rw] key
  #   @return [::String]
  # @!attribute [rw] value
  #   @return [::String]
  class LabelsEntry
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # The type of a
  # {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority},
  # indicating its issuing chain.
  module Type
    # Not specified.
    TYPE_UNSPECIFIED = 0

    # Self-signed CA.
    SELF_SIGNED = 1

    # Subordinate CA. Could be issued by a Private CA
    # {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}
    # or an unmanaged CA.
    SUBORDINATE = 2
  end

  # The state of a
  # {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority},
  # indicating if it can be used.
  module State
    # Not specified.
    STATE_UNSPECIFIED = 0

    # Certificates can be issued from this CA. CRLs will be generated for this
    # CA. The CA will be part of the
    # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}'s trust anchor, and
    # will be used to issue certificates from the
    # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
    ENABLED = 1

    # Certificates cannot be issued from this CA. CRLs will still be generated.
    # The CA will be part of the
    # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}'s trust anchor, but
    # will not be used to issue certificates from the
    # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
    DISABLED = 2

    # Certificates can be issued from this CA. CRLs will be generated for this
    # CA. The CA will be part of the
    # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}'s trust anchor, but
    # will not be used to issue certificates from the
    # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
    STAGED = 3

    # Certificates cannot be issued from this CA. CRLs will not be generated.
    # The CA will not be part of the
    # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}'s trust anchor, and
    # will not be used to issue certificates from the
    # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
    AWAITING_USER_ACTIVATION = 4

    # Certificates cannot be issued from this CA. CRLs will not be generated.
    # The CA may still be recovered by calling
    # {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthorityService::Client#undelete_certificate_authority CertificateAuthorityService.UndeleteCertificateAuthority}
    # before
    # {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority#expire_time expire_time}.
    # The CA will not be part of the
    # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}'s trust anchor, and
    # will not be used to issue certificates from the
    # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
    DELETED = 5
  end

  # The algorithm of a Cloud KMS CryptoKeyVersion of a
  # [CryptoKey][google.cloud.kms.v1.CryptoKey] with the
  # [CryptoKeyPurpose][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose] value
  # `ASYMMETRIC_SIGN`. These values correspond to the
  # [CryptoKeyVersionAlgorithm][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm]
  # values. For RSA signing algorithms, the PSS algorithms should be preferred,
  # use PKCS1 algorithms if required for compatibility. For further
  # recommendations, see
  # https://cloud.google.com/kms/docs/algorithms#algorithm_recommendations.
  module SignHashAlgorithm
    # Not specified.
    SIGN_HASH_ALGORITHM_UNSPECIFIED = 0

    # maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PSS_2048_SHA256
    RSA_PSS_2048_SHA256 = 1

    # maps to CryptoKeyVersionAlgorithm. RSA_SIGN_PSS_3072_SHA256
    RSA_PSS_3072_SHA256 = 2

    # maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PSS_4096_SHA256
    RSA_PSS_4096_SHA256 = 3

    # maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_2048_SHA256
    RSA_PKCS1_2048_SHA256 = 6

    # maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_3072_SHA256
    RSA_PKCS1_3072_SHA256 = 7

    # maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_4096_SHA256
    RSA_PKCS1_4096_SHA256 = 8

    # maps to CryptoKeyVersionAlgorithm.EC_SIGN_P256_SHA256
    EC_P256_SHA256 = 4

    # maps to CryptoKeyVersionAlgorithm.EC_SIGN_P384_SHA384
    EC_P384_SHA384 = 5
  end
end

#pem_ca_certificates ⇒ ::Array<::String> (readonly)

Returns Output only. This CertificateAuthority's certificate chain, including the current CertificateAuthority's certificate. Ordered such that the root issuer is the final element (consistent with RFC 5246). For a self-signed CA, this will only list the current CertificateAuthority's certificate.

Returns:

• (::Array<::String>) —

  Output only. This CertificateAuthority's certificate chain, including the current CertificateAuthority's certificate. Ordered such that the root issuer is the final element (consistent with RFC 5246). For a self-signed CA, this will only list the current CertificateAuthority's certificate.

# File 'proto_docs/google/cloud/security/privateca/v1/resources.rb', line 135

class CertificateAuthority
  include ::Google::Protobuf::MessageExts
  extend ::Google::Protobuf::MessageExts::ClassMethods

  # URLs where a
  # {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}
  # will publish content.
  # @!attribute [rw] ca_certificate_access_url
  #   @return [::String]
  #     The URL where this
  #     {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}'s
  #     CA certificate is published. This will only be set for CAs that have been
  #     activated.
  # @!attribute [rw] crl_access_urls
  #   @return [::Array<::String>]
  #     The URLs where this
  #     {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}'s
  #     CRLs are published. This will only be set for CAs that have been
  #     activated.
  class AccessUrls
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # A Cloud KMS key configuration that a
  # {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}
  # will use.
  # @!attribute [rw] cloud_kms_key_version
  #   @return [::String]
  #     The resource name for an existing Cloud KMS CryptoKeyVersion in the
  #     format
  #     `projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*`.
  #     This option enables full flexibility in the key's capabilities and
  #     properties.
  # @!attribute [rw] algorithm
  #   @return [::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority::SignHashAlgorithm]
  #     The algorithm to use for creating a managed Cloud KMS key for a for a
  #     simplified experience. All managed keys will be have their
  #     [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] as `HSM`.
  class KeyVersionSpec
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # @!attribute [rw] key
  #   @return [::String]
  # @!attribute [rw] value
  #   @return [::String]
  class LabelsEntry
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # The type of a
  # {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority},
  # indicating its issuing chain.
  module Type
    # Not specified.
    TYPE_UNSPECIFIED = 0

    # Self-signed CA.
    SELF_SIGNED = 1

    # Subordinate CA. Could be issued by a Private CA
    # {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}
    # or an unmanaged CA.
    SUBORDINATE = 2
  end

  # The state of a
  # {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority},
  # indicating if it can be used.
  module State
    # Not specified.
    STATE_UNSPECIFIED = 0

    # Certificates can be issued from this CA. CRLs will be generated for this
    # CA. The CA will be part of the
    # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}'s trust anchor, and
    # will be used to issue certificates from the
    # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
    ENABLED = 1

    # Certificates cannot be issued from this CA. CRLs will still be generated.
    # The CA will be part of the
    # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}'s trust anchor, but
    # will not be used to issue certificates from the
    # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
    DISABLED = 2

    # Certificates can be issued from this CA. CRLs will be generated for this
    # CA. The CA will be part of the
    # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}'s trust anchor, but
    # will not be used to issue certificates from the
    # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
    STAGED = 3

    # Certificates cannot be issued from this CA. CRLs will not be generated.
    # The CA will not be part of the
    # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}'s trust anchor, and
    # will not be used to issue certificates from the
    # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
    AWAITING_USER_ACTIVATION = 4

    # Certificates cannot be issued from this CA. CRLs will not be generated.
    # The CA may still be recovered by calling
    # {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthorityService::Client#undelete_certificate_authority CertificateAuthorityService.UndeleteCertificateAuthority}
    # before
    # {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority#expire_time expire_time}.
    # The CA will not be part of the
    # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}'s trust anchor, and
    # will not be used to issue certificates from the
    # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
    DELETED = 5
  end

  # The algorithm of a Cloud KMS CryptoKeyVersion of a
  # [CryptoKey][google.cloud.kms.v1.CryptoKey] with the
  # [CryptoKeyPurpose][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose] value
  # `ASYMMETRIC_SIGN`. These values correspond to the
  # [CryptoKeyVersionAlgorithm][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm]
  # values. For RSA signing algorithms, the PSS algorithms should be preferred,
  # use PKCS1 algorithms if required for compatibility. For further
  # recommendations, see
  # https://cloud.google.com/kms/docs/algorithms#algorithm_recommendations.
  module SignHashAlgorithm
    # Not specified.
    SIGN_HASH_ALGORITHM_UNSPECIFIED = 0

    # maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PSS_2048_SHA256
    RSA_PSS_2048_SHA256 = 1

    # maps to CryptoKeyVersionAlgorithm. RSA_SIGN_PSS_3072_SHA256
    RSA_PSS_3072_SHA256 = 2

    # maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PSS_4096_SHA256
    RSA_PSS_4096_SHA256 = 3

    # maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_2048_SHA256
    RSA_PKCS1_2048_SHA256 = 6

    # maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_3072_SHA256
    RSA_PKCS1_3072_SHA256 = 7

    # maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_4096_SHA256
    RSA_PKCS1_4096_SHA256 = 8

    # maps to CryptoKeyVersionAlgorithm.EC_SIGN_P256_SHA256
    EC_P256_SHA256 = 4

    # maps to CryptoKeyVersionAlgorithm.EC_SIGN_P384_SHA384
    EC_P384_SHA384 = 5
  end
end

#state ⇒ ::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority::State (readonly)

Returns Output only. The State for this CertificateAuthority.

Returns:

• (::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority::State) —

  Output only. The State for this CertificateAuthority.

# File 'proto_docs/google/cloud/security/privateca/v1/resources.rb', line 135

class CertificateAuthority
  include ::Google::Protobuf::MessageExts
  extend ::Google::Protobuf::MessageExts::ClassMethods

  # URLs where a
  # {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}
  # will publish content.
  # @!attribute [rw] ca_certificate_access_url
  #   @return [::String]
  #     The URL where this
  #     {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}'s
  #     CA certificate is published. This will only be set for CAs that have been
  #     activated.
  # @!attribute [rw] crl_access_urls
  #   @return [::Array<::String>]
  #     The URLs where this
  #     {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}'s
  #     CRLs are published. This will only be set for CAs that have been
  #     activated.
  class AccessUrls
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # A Cloud KMS key configuration that a
  # {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}
  # will use.
  # @!attribute [rw] cloud_kms_key_version
  #   @return [::String]
  #     The resource name for an existing Cloud KMS CryptoKeyVersion in the
  #     format
  #     `projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*`.
  #     This option enables full flexibility in the key's capabilities and
  #     properties.
  # @!attribute [rw] algorithm
  #   @return [::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority::SignHashAlgorithm]
  #     The algorithm to use for creating a managed Cloud KMS key for a for a
  #     simplified experience. All managed keys will be have their
  #     [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] as `HSM`.
  class KeyVersionSpec
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # @!attribute [rw] key
  #   @return [::String]
  # @!attribute [rw] value
  #   @return [::String]
  class LabelsEntry
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # The type of a
  # {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority},
  # indicating its issuing chain.
  module Type
    # Not specified.
    TYPE_UNSPECIFIED = 0

    # Self-signed CA.
    SELF_SIGNED = 1

    # Subordinate CA. Could be issued by a Private CA
    # {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}
    # or an unmanaged CA.
    SUBORDINATE = 2
  end

  # The state of a
  # {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority},
  # indicating if it can be used.
  module State
    # Not specified.
    STATE_UNSPECIFIED = 0

    # Certificates can be issued from this CA. CRLs will be generated for this
    # CA. The CA will be part of the
    # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}'s trust anchor, and
    # will be used to issue certificates from the
    # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
    ENABLED = 1

    # Certificates cannot be issued from this CA. CRLs will still be generated.
    # The CA will be part of the
    # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}'s trust anchor, but
    # will not be used to issue certificates from the
    # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
    DISABLED = 2

    # Certificates can be issued from this CA. CRLs will be generated for this
    # CA. The CA will be part of the
    # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}'s trust anchor, but
    # will not be used to issue certificates from the
    # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
    STAGED = 3

    # Certificates cannot be issued from this CA. CRLs will not be generated.
    # The CA will not be part of the
    # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}'s trust anchor, and
    # will not be used to issue certificates from the
    # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
    AWAITING_USER_ACTIVATION = 4

    # Certificates cannot be issued from this CA. CRLs will not be generated.
    # The CA may still be recovered by calling
    # {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthorityService::Client#undelete_certificate_authority CertificateAuthorityService.UndeleteCertificateAuthority}
    # before
    # {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority#expire_time expire_time}.
    # The CA will not be part of the
    # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}'s trust anchor, and
    # will not be used to issue certificates from the
    # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
    DELETED = 5
  end

  # The algorithm of a Cloud KMS CryptoKeyVersion of a
  # [CryptoKey][google.cloud.kms.v1.CryptoKey] with the
  # [CryptoKeyPurpose][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose] value
  # `ASYMMETRIC_SIGN`. These values correspond to the
  # [CryptoKeyVersionAlgorithm][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm]
  # values. For RSA signing algorithms, the PSS algorithms should be preferred,
  # use PKCS1 algorithms if required for compatibility. For further
  # recommendations, see
  # https://cloud.google.com/kms/docs/algorithms#algorithm_recommendations.
  module SignHashAlgorithm
    # Not specified.
    SIGN_HASH_ALGORITHM_UNSPECIFIED = 0

    # maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PSS_2048_SHA256
    RSA_PSS_2048_SHA256 = 1

    # maps to CryptoKeyVersionAlgorithm. RSA_SIGN_PSS_3072_SHA256
    RSA_PSS_3072_SHA256 = 2

    # maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PSS_4096_SHA256
    RSA_PSS_4096_SHA256 = 3

    # maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_2048_SHA256
    RSA_PKCS1_2048_SHA256 = 6

    # maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_3072_SHA256
    RSA_PKCS1_3072_SHA256 = 7

    # maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_4096_SHA256
    RSA_PKCS1_4096_SHA256 = 8

    # maps to CryptoKeyVersionAlgorithm.EC_SIGN_P256_SHA256
    EC_P256_SHA256 = 4

    # maps to CryptoKeyVersionAlgorithm.EC_SIGN_P384_SHA384
    EC_P384_SHA384 = 5
  end
end

#subordinate_config ⇒ ::Google::Cloud::Security::PrivateCA::V1::SubordinateConfig

Returns Optional. If this is a subordinate CertificateAuthority, this field will be set with the subordinate configuration, which describes its issuers. This may be updated, but this CertificateAuthority must continue to validate.

Returns:

• (::Google::Cloud::Security::PrivateCA::V1::SubordinateConfig) —

  Optional. If this is a subordinate CertificateAuthority, this field will be set with the subordinate configuration, which describes its issuers. This may be updated, but this CertificateAuthority must continue to validate.

# File 'proto_docs/google/cloud/security/privateca/v1/resources.rb', line 135

class CertificateAuthority
  include ::Google::Protobuf::MessageExts
  extend ::Google::Protobuf::MessageExts::ClassMethods

  # URLs where a
  # {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}
  # will publish content.
  # @!attribute [rw] ca_certificate_access_url
  #   @return [::String]
  #     The URL where this
  #     {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}'s
  #     CA certificate is published. This will only be set for CAs that have been
  #     activated.
  # @!attribute [rw] crl_access_urls
  #   @return [::Array<::String>]
  #     The URLs where this
  #     {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}'s
  #     CRLs are published. This will only be set for CAs that have been
  #     activated.
  class AccessUrls
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # A Cloud KMS key configuration that a
  # {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}
  # will use.
  # @!attribute [rw] cloud_kms_key_version
  #   @return [::String]
  #     The resource name for an existing Cloud KMS CryptoKeyVersion in the
  #     format
  #     `projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*`.
  #     This option enables full flexibility in the key's capabilities and
  #     properties.
  # @!attribute [rw] algorithm
  #   @return [::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority::SignHashAlgorithm]
  #     The algorithm to use for creating a managed Cloud KMS key for a for a
  #     simplified experience. All managed keys will be have their
  #     [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] as `HSM`.
  class KeyVersionSpec
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # @!attribute [rw] key
  #   @return [::String]
  # @!attribute [rw] value
  #   @return [::String]
  class LabelsEntry
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # The type of a
  # {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority},
  # indicating its issuing chain.
  module Type
    # Not specified.
    TYPE_UNSPECIFIED = 0

    # Self-signed CA.
    SELF_SIGNED = 1

    # Subordinate CA. Could be issued by a Private CA
    # {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}
    # or an unmanaged CA.
    SUBORDINATE = 2
  end

  # The state of a
  # {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority},
  # indicating if it can be used.
  module State
    # Not specified.
    STATE_UNSPECIFIED = 0

    # Certificates can be issued from this CA. CRLs will be generated for this
    # CA. The CA will be part of the
    # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}'s trust anchor, and
    # will be used to issue certificates from the
    # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
    ENABLED = 1

    # Certificates cannot be issued from this CA. CRLs will still be generated.
    # The CA will be part of the
    # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}'s trust anchor, but
    # will not be used to issue certificates from the
    # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
    DISABLED = 2

    # Certificates can be issued from this CA. CRLs will be generated for this
    # CA. The CA will be part of the
    # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}'s trust anchor, but
    # will not be used to issue certificates from the
    # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
    STAGED = 3

    # Certificates cannot be issued from this CA. CRLs will not be generated.
    # The CA will not be part of the
    # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}'s trust anchor, and
    # will not be used to issue certificates from the
    # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
    AWAITING_USER_ACTIVATION = 4

    # Certificates cannot be issued from this CA. CRLs will not be generated.
    # The CA may still be recovered by calling
    # {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthorityService::Client#undelete_certificate_authority CertificateAuthorityService.UndeleteCertificateAuthority}
    # before
    # {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority#expire_time expire_time}.
    # The CA will not be part of the
    # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}'s trust anchor, and
    # will not be used to issue certificates from the
    # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
    DELETED = 5
  end

  # The algorithm of a Cloud KMS CryptoKeyVersion of a
  # [CryptoKey][google.cloud.kms.v1.CryptoKey] with the
  # [CryptoKeyPurpose][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose] value
  # `ASYMMETRIC_SIGN`. These values correspond to the
  # [CryptoKeyVersionAlgorithm][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm]
  # values. For RSA signing algorithms, the PSS algorithms should be preferred,
  # use PKCS1 algorithms if required for compatibility. For further
  # recommendations, see
  # https://cloud.google.com/kms/docs/algorithms#algorithm_recommendations.
  module SignHashAlgorithm
    # Not specified.
    SIGN_HASH_ALGORITHM_UNSPECIFIED = 0

    # maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PSS_2048_SHA256
    RSA_PSS_2048_SHA256 = 1

    # maps to CryptoKeyVersionAlgorithm. RSA_SIGN_PSS_3072_SHA256
    RSA_PSS_3072_SHA256 = 2

    # maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PSS_4096_SHA256
    RSA_PSS_4096_SHA256 = 3

    # maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_2048_SHA256
    RSA_PKCS1_2048_SHA256 = 6

    # maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_3072_SHA256
    RSA_PKCS1_3072_SHA256 = 7

    # maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_4096_SHA256
    RSA_PKCS1_4096_SHA256 = 8

    # maps to CryptoKeyVersionAlgorithm.EC_SIGN_P256_SHA256
    EC_P256_SHA256 = 4

    # maps to CryptoKeyVersionAlgorithm.EC_SIGN_P384_SHA384
    EC_P384_SHA384 = 5
  end
end

#tier ⇒ ::Google::Cloud::Security::PrivateCA::V1::CaPool::Tier (readonly)

Returns Output only. The CaPool.Tier of the CaPool that includes this CertificateAuthority.

Returns:

• (::Google::Cloud::Security::PrivateCA::V1::CaPool::Tier) —

  Output only. The CaPool.Tier of the CaPool that includes this CertificateAuthority.

# File 'proto_docs/google/cloud/security/privateca/v1/resources.rb', line 135

class CertificateAuthority
  include ::Google::Protobuf::MessageExts
  extend ::Google::Protobuf::MessageExts::ClassMethods

  # URLs where a
  # {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}
  # will publish content.
  # @!attribute [rw] ca_certificate_access_url
  #   @return [::String]
  #     The URL where this
  #     {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}'s
  #     CA certificate is published. This will only be set for CAs that have been
  #     activated.
  # @!attribute [rw] crl_access_urls
  #   @return [::Array<::String>]
  #     The URLs where this
  #     {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}'s
  #     CRLs are published. This will only be set for CAs that have been
  #     activated.
  class AccessUrls
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # A Cloud KMS key configuration that a
  # {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}
  # will use.
  # @!attribute [rw] cloud_kms_key_version
  #   @return [::String]
  #     The resource name for an existing Cloud KMS CryptoKeyVersion in the
  #     format
  #     `projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*`.
  #     This option enables full flexibility in the key's capabilities and
  #     properties.
  # @!attribute [rw] algorithm
  #   @return [::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority::SignHashAlgorithm]
  #     The algorithm to use for creating a managed Cloud KMS key for a for a
  #     simplified experience. All managed keys will be have their
  #     [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] as `HSM`.
  class KeyVersionSpec
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # @!attribute [rw] key
  #   @return [::String]
  # @!attribute [rw] value
  #   @return [::String]
  class LabelsEntry
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # The type of a
  # {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority},
  # indicating its issuing chain.
  module Type
    # Not specified.
    TYPE_UNSPECIFIED = 0

    # Self-signed CA.
    SELF_SIGNED = 1

    # Subordinate CA. Could be issued by a Private CA
    # {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}
    # or an unmanaged CA.
    SUBORDINATE = 2
  end

  # The state of a
  # {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority},
  # indicating if it can be used.
  module State
    # Not specified.
    STATE_UNSPECIFIED = 0

    # Certificates can be issued from this CA. CRLs will be generated for this
    # CA. The CA will be part of the
    # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}'s trust anchor, and
    # will be used to issue certificates from the
    # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
    ENABLED = 1

    # Certificates cannot be issued from this CA. CRLs will still be generated.
    # The CA will be part of the
    # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}'s trust anchor, but
    # will not be used to issue certificates from the
    # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
    DISABLED = 2

    # Certificates can be issued from this CA. CRLs will be generated for this
    # CA. The CA will be part of the
    # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}'s trust anchor, but
    # will not be used to issue certificates from the
    # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
    STAGED = 3

    # Certificates cannot be issued from this CA. CRLs will not be generated.
    # The CA will not be part of the
    # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}'s trust anchor, and
    # will not be used to issue certificates from the
    # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
    AWAITING_USER_ACTIVATION = 4

    # Certificates cannot be issued from this CA. CRLs will not be generated.
    # The CA may still be recovered by calling
    # {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthorityService::Client#undelete_certificate_authority CertificateAuthorityService.UndeleteCertificateAuthority}
    # before
    # {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority#expire_time expire_time}.
    # The CA will not be part of the
    # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}'s trust anchor, and
    # will not be used to issue certificates from the
    # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
    DELETED = 5
  end

  # The algorithm of a Cloud KMS CryptoKeyVersion of a
  # [CryptoKey][google.cloud.kms.v1.CryptoKey] with the
  # [CryptoKeyPurpose][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose] value
  # `ASYMMETRIC_SIGN`. These values correspond to the
  # [CryptoKeyVersionAlgorithm][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm]
  # values. For RSA signing algorithms, the PSS algorithms should be preferred,
  # use PKCS1 algorithms if required for compatibility. For further
  # recommendations, see
  # https://cloud.google.com/kms/docs/algorithms#algorithm_recommendations.
  module SignHashAlgorithm
    # Not specified.
    SIGN_HASH_ALGORITHM_UNSPECIFIED = 0

    # maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PSS_2048_SHA256
    RSA_PSS_2048_SHA256 = 1

    # maps to CryptoKeyVersionAlgorithm. RSA_SIGN_PSS_3072_SHA256
    RSA_PSS_3072_SHA256 = 2

    # maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PSS_4096_SHA256
    RSA_PSS_4096_SHA256 = 3

    # maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_2048_SHA256
    RSA_PKCS1_2048_SHA256 = 6

    # maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_3072_SHA256
    RSA_PKCS1_3072_SHA256 = 7

    # maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_4096_SHA256
    RSA_PKCS1_4096_SHA256 = 8

    # maps to CryptoKeyVersionAlgorithm.EC_SIGN_P256_SHA256
    EC_P256_SHA256 = 4

    # maps to CryptoKeyVersionAlgorithm.EC_SIGN_P384_SHA384
    EC_P384_SHA384 = 5
  end
end

#type ⇒ ::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority::Type

Returns Required. Immutable. The Type of this CertificateAuthority.

Returns:

• (::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority::Type) —

  Required. Immutable. The Type of this CertificateAuthority.

# File 'proto_docs/google/cloud/security/privateca/v1/resources.rb', line 135

class CertificateAuthority
  include ::Google::Protobuf::MessageExts
  extend ::Google::Protobuf::MessageExts::ClassMethods

  # URLs where a
  # {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}
  # will publish content.
  # @!attribute [rw] ca_certificate_access_url
  #   @return [::String]
  #     The URL where this
  #     {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}'s
  #     CA certificate is published. This will only be set for CAs that have been
  #     activated.
  # @!attribute [rw] crl_access_urls
  #   @return [::Array<::String>]
  #     The URLs where this
  #     {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}'s
  #     CRLs are published. This will only be set for CAs that have been
  #     activated.
  class AccessUrls
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # A Cloud KMS key configuration that a
  # {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}
  # will use.
  # @!attribute [rw] cloud_kms_key_version
  #   @return [::String]
  #     The resource name for an existing Cloud KMS CryptoKeyVersion in the
  #     format
  #     `projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*`.
  #     This option enables full flexibility in the key's capabilities and
  #     properties.
  # @!attribute [rw] algorithm
  #   @return [::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority::SignHashAlgorithm]
  #     The algorithm to use for creating a managed Cloud KMS key for a for a
  #     simplified experience. All managed keys will be have their
  #     [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] as `HSM`.
  class KeyVersionSpec
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # @!attribute [rw] key
  #   @return [::String]
  # @!attribute [rw] value
  #   @return [::String]
  class LabelsEntry
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # The type of a
  # {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority},
  # indicating its issuing chain.
  module Type
    # Not specified.
    TYPE_UNSPECIFIED = 0

    # Self-signed CA.
    SELF_SIGNED = 1

    # Subordinate CA. Could be issued by a Private CA
    # {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}
    # or an unmanaged CA.
    SUBORDINATE = 2
  end

  # The state of a
  # {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority},
  # indicating if it can be used.
  module State
    # Not specified.
    STATE_UNSPECIFIED = 0

    # Certificates can be issued from this CA. CRLs will be generated for this
    # CA. The CA will be part of the
    # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}'s trust anchor, and
    # will be used to issue certificates from the
    # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
    ENABLED = 1

    # Certificates cannot be issued from this CA. CRLs will still be generated.
    # The CA will be part of the
    # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}'s trust anchor, but
    # will not be used to issue certificates from the
    # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
    DISABLED = 2

    # Certificates can be issued from this CA. CRLs will be generated for this
    # CA. The CA will be part of the
    # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}'s trust anchor, but
    # will not be used to issue certificates from the
    # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
    STAGED = 3

    # Certificates cannot be issued from this CA. CRLs will not be generated.
    # The CA will not be part of the
    # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}'s trust anchor, and
    # will not be used to issue certificates from the
    # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
    AWAITING_USER_ACTIVATION = 4

    # Certificates cannot be issued from this CA. CRLs will not be generated.
    # The CA may still be recovered by calling
    # {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthorityService::Client#undelete_certificate_authority CertificateAuthorityService.UndeleteCertificateAuthority}
    # before
    # {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority#expire_time expire_time}.
    # The CA will not be part of the
    # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}'s trust anchor, and
    # will not be used to issue certificates from the
    # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
    DELETED = 5
  end

  # The algorithm of a Cloud KMS CryptoKeyVersion of a
  # [CryptoKey][google.cloud.kms.v1.CryptoKey] with the
  # [CryptoKeyPurpose][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose] value
  # `ASYMMETRIC_SIGN`. These values correspond to the
  # [CryptoKeyVersionAlgorithm][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm]
  # values. For RSA signing algorithms, the PSS algorithms should be preferred,
  # use PKCS1 algorithms if required for compatibility. For further
  # recommendations, see
  # https://cloud.google.com/kms/docs/algorithms#algorithm_recommendations.
  module SignHashAlgorithm
    # Not specified.
    SIGN_HASH_ALGORITHM_UNSPECIFIED = 0

    # maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PSS_2048_SHA256
    RSA_PSS_2048_SHA256 = 1

    # maps to CryptoKeyVersionAlgorithm. RSA_SIGN_PSS_3072_SHA256
    RSA_PSS_3072_SHA256 = 2

    # maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PSS_4096_SHA256
    RSA_PSS_4096_SHA256 = 3

    # maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_2048_SHA256
    RSA_PKCS1_2048_SHA256 = 6

    # maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_3072_SHA256
    RSA_PKCS1_3072_SHA256 = 7

    # maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_4096_SHA256
    RSA_PKCS1_4096_SHA256 = 8

    # maps to CryptoKeyVersionAlgorithm.EC_SIGN_P256_SHA256
    EC_P256_SHA256 = 4

    # maps to CryptoKeyVersionAlgorithm.EC_SIGN_P384_SHA384
    EC_P384_SHA384 = 5
  end
end

#update_time ⇒ ::Google::Protobuf::Timestamp (readonly)

Returns Output only. The time at which this CertificateAuthority was last updated.

Returns:

• (::Google::Protobuf::Timestamp) —

  Output only. The time at which this CertificateAuthority was last updated.

# File 'proto_docs/google/cloud/security/privateca/v1/resources.rb', line 135

class CertificateAuthority
  include ::Google::Protobuf::MessageExts
  extend ::Google::Protobuf::MessageExts::ClassMethods

  # URLs where a
  # {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}
  # will publish content.
  # @!attribute [rw] ca_certificate_access_url
  #   @return [::String]
  #     The URL where this
  #     {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}'s
  #     CA certificate is published. This will only be set for CAs that have been
  #     activated.
  # @!attribute [rw] crl_access_urls
  #   @return [::Array<::String>]
  #     The URLs where this
  #     {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}'s
  #     CRLs are published. This will only be set for CAs that have been
  #     activated.
  class AccessUrls
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # A Cloud KMS key configuration that a
  # {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}
  # will use.
  # @!attribute [rw] cloud_kms_key_version
  #   @return [::String]
  #     The resource name for an existing Cloud KMS CryptoKeyVersion in the
  #     format
  #     `projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*`.
  #     This option enables full flexibility in the key's capabilities and
  #     properties.
  # @!attribute [rw] algorithm
  #   @return [::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority::SignHashAlgorithm]
  #     The algorithm to use for creating a managed Cloud KMS key for a for a
  #     simplified experience. All managed keys will be have their
  #     [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] as `HSM`.
  class KeyVersionSpec
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # @!attribute [rw] key
  #   @return [::String]
  # @!attribute [rw] value
  #   @return [::String]
  class LabelsEntry
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # The type of a
  # {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority},
  # indicating its issuing chain.
  module Type
    # Not specified.
    TYPE_UNSPECIFIED = 0

    # Self-signed CA.
    SELF_SIGNED = 1

    # Subordinate CA. Could be issued by a Private CA
    # {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}
    # or an unmanaged CA.
    SUBORDINATE = 2
  end

  # The state of a
  # {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority},
  # indicating if it can be used.
  module State
    # Not specified.
    STATE_UNSPECIFIED = 0

    # Certificates can be issued from this CA. CRLs will be generated for this
    # CA. The CA will be part of the
    # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}'s trust anchor, and
    # will be used to issue certificates from the
    # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
    ENABLED = 1

    # Certificates cannot be issued from this CA. CRLs will still be generated.
    # The CA will be part of the
    # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}'s trust anchor, but
    # will not be used to issue certificates from the
    # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
    DISABLED = 2

    # Certificates can be issued from this CA. CRLs will be generated for this
    # CA. The CA will be part of the
    # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}'s trust anchor, but
    # will not be used to issue certificates from the
    # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
    STAGED = 3

    # Certificates cannot be issued from this CA. CRLs will not be generated.
    # The CA will not be part of the
    # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}'s trust anchor, and
    # will not be used to issue certificates from the
    # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
    AWAITING_USER_ACTIVATION = 4

    # Certificates cannot be issued from this CA. CRLs will not be generated.
    # The CA may still be recovered by calling
    # {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthorityService::Client#undelete_certificate_authority CertificateAuthorityService.UndeleteCertificateAuthority}
    # before
    # {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority#expire_time expire_time}.
    # The CA will not be part of the
    # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}'s trust anchor, and
    # will not be used to issue certificates from the
    # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
    DELETED = 5
  end

  # The algorithm of a Cloud KMS CryptoKeyVersion of a
  # [CryptoKey][google.cloud.kms.v1.CryptoKey] with the
  # [CryptoKeyPurpose][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose] value
  # `ASYMMETRIC_SIGN`. These values correspond to the
  # [CryptoKeyVersionAlgorithm][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm]
  # values. For RSA signing algorithms, the PSS algorithms should be preferred,
  # use PKCS1 algorithms if required for compatibility. For further
  # recommendations, see
  # https://cloud.google.com/kms/docs/algorithms#algorithm_recommendations.
  module SignHashAlgorithm
    # Not specified.
    SIGN_HASH_ALGORITHM_UNSPECIFIED = 0

    # maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PSS_2048_SHA256
    RSA_PSS_2048_SHA256 = 1

    # maps to CryptoKeyVersionAlgorithm. RSA_SIGN_PSS_3072_SHA256
    RSA_PSS_3072_SHA256 = 2

    # maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PSS_4096_SHA256
    RSA_PSS_4096_SHA256 = 3

    # maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_2048_SHA256
    RSA_PKCS1_2048_SHA256 = 6

    # maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_3072_SHA256
    RSA_PKCS1_3072_SHA256 = 7

    # maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_4096_SHA256
    RSA_PKCS1_4096_SHA256 = 8

    # maps to CryptoKeyVersionAlgorithm.EC_SIGN_P256_SHA256
    EC_P256_SHA256 = 4

    # maps to CryptoKeyVersionAlgorithm.EC_SIGN_P384_SHA384
    EC_P384_SHA384 = 5
  end
end