Class: Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority

Inherits:

Object

• Object
• Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority

Extended by:

Protobuf::MessageExts::ClassMethods

Includes:

Protobuf::MessageExts

Defined in:

proto_docs/google/cloud/security/privateca/v1beta1/resources.rb

Overview

A CertificateAuthority represents an individual Certificate Authority. A CertificateAuthority can be used to create Certificates.

Defined Under Namespace

Modules: SignHashAlgorithm, State, Tier, Type Classes: AccessUrls, CertificateAuthorityPolicy, IssuingOptions, KeyVersionSpec, LabelsEntry

Instance Attribute Summary

• #access_urls ⇒ ::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::AccessUrls readonly

  Output only.

• #ca_certificate_descriptions ⇒ ::Array<::Google::Cloud::Security::PrivateCA::V1beta1::CertificateDescription> readonly

  Output only.

• #certificate_policy ⇒ ::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::CertificateAuthorityPolicy

  Optional.

• #config ⇒ ::Google::Cloud::Security::PrivateCA::V1beta1::CertificateConfig

  Required.

• #create_time ⇒ ::Google::Protobuf::Timestamp readonly

  Output only.

• #delete_time ⇒ ::Google::Protobuf::Timestamp readonly

  Output only.

• #gcs_bucket ⇒ ::String

  Immutable.

• #issuing_options ⇒ ::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::IssuingOptions

  Optional.

• #key_spec ⇒ ::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::KeyVersionSpec

  Required.

• #labels ⇒ ::Google::Protobuf::Map{::String => ::String}

  Optional.

• #lifetime ⇒ ::Google::Protobuf::Duration

  Required.

• #name ⇒ ::String readonly

  Output only.

• #pem_ca_certificates ⇒ ::Array<::String> readonly

  Output only.

• #state ⇒ ::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::State readonly

  Output only.

• #subordinate_config ⇒ ::Google::Cloud::Security::PrivateCA::V1beta1::SubordinateConfig

  Optional.

• #tier ⇒ ::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::Tier

  Required.

• #type ⇒ ::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::Type

  Required.

• #update_time ⇒ ::Google::Protobuf::Timestamp readonly

  Output only.

Instance Attribute Details

#access_urls ⇒ ::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::AccessUrls (readonly)

Returns Output only. URLs for accessing content published by this CA, such as the CA certificate and CRLs.

Returns:

• (::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::AccessUrls) —

  Output only. URLs for accessing content published by this CA, such as the CA certificate and CRLs.

# File 'proto_docs/google/cloud/security/privateca/v1beta1/resources.rb', line 102

class CertificateAuthority
  include ::Google::Protobuf::MessageExts
  extend ::Google::Protobuf::MessageExts::ClassMethods

  # Options that affect all certificates issued by a {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}.
  # @!attribute [rw] include_ca_cert_url
  #   @return [::Boolean]
  #     Required. When true, includes a URL to the issuing CA certificate in the
  #     "authority information access" X.509 extension.
  # @!attribute [rw] include_crl_access_url
  #   @return [::Boolean]
  #     Required. When true, includes a URL to the CRL corresponding to certificates
  #     issued from a {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}.
  #     CRLs will expire 7 days from their creation. However, we will rebuild
  #     daily. CRLs are also rebuilt shortly after a certificate is revoked.
  class IssuingOptions
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # The issuing policy for a {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}.
  # {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates} will not be successfully issued from this
  # {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority} if they violate the policy.
  # @!attribute [rw] allowed_config_list
  #   @return [::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::CertificateAuthorityPolicy::AllowedConfigList]
  #     Optional. All {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates} issued by the {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}
  #     must match at least one listed {::Google::Cloud::Security::PrivateCA::V1beta1::ReusableConfigWrapper ReusableConfigWrapper} in the list.
  # @!attribute [rw] overwrite_config_values
  #   @return [::Google::Cloud::Security::PrivateCA::V1beta1::ReusableConfigWrapper]
  #     Optional. All {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates} issued by the {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}
  #     will use the provided configuration values, overwriting any requested
  #     configuration values.
  # @!attribute [rw] allowed_locations_and_organizations
  #   @return [::Array<::Google::Cloud::Security::PrivateCA::V1beta1::Subject>]
  #     Optional. If any {::Google::Cloud::Security::PrivateCA::V1beta1::Subject Subject} is specified here, then all
  #     {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates} issued by the {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority} must
  #     match at least one listed {::Google::Cloud::Security::PrivateCA::V1beta1::Subject Subject}. If a {::Google::Cloud::Security::PrivateCA::V1beta1::Subject Subject} has an empty
  #     field, any value will be allowed for that field.
  # @!attribute [rw] allowed_common_names
  #   @return [::Array<::String>]
  #     Optional. If any value is specified here, then all
  #     {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates} issued by the {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority} must
  #     match at least one listed value. If no value is specified, all values
  #     will be allowed for this fied. Glob patterns are also supported.
  # @!attribute [rw] allowed_sans
  #   @return [::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::CertificateAuthorityPolicy::AllowedSubjectAltNames]
  #     Optional. If a {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::CertificateAuthorityPolicy::AllowedSubjectAltNames AllowedSubjectAltNames} is specified here, then all
  #     {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates} issued by the {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority} must
  #     match {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::CertificateAuthorityPolicy::AllowedSubjectAltNames AllowedSubjectAltNames}. If no value or an empty value
  #     is specified, any value will be allowed for the {::Google::Cloud::Security::PrivateCA::V1beta1::SubjectAltNames SubjectAltNames}
  #     field.
  # @!attribute [rw] maximum_lifetime
  #   @return [::Google::Protobuf::Duration]
  #     Optional. The maximum lifetime allowed by the {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}. Note that
  #     if the any part if the issuing chain expires before a {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificate}'s
  #     requested maximum_lifetime, the effective lifetime will be explicitly
  #     truncated.
  # @!attribute [rw] allowed_issuance_modes
  #   @return [::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::CertificateAuthorityPolicy::IssuanceModes]
  #     Optional. If specified, then only methods allowed in the {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::CertificateAuthorityPolicy::IssuanceModes IssuanceModes} may be
  #     used to issue {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates}.
  class CertificateAuthorityPolicy
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods

    # @!attribute [rw] allowed_config_values
    #   @return [::Array<::Google::Cloud::Security::PrivateCA::V1beta1::ReusableConfigWrapper>]
    #     Required. All {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates} issued by the {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}
    #     must match at least one listed {::Google::Cloud::Security::PrivateCA::V1beta1::ReusableConfigWrapper ReusableConfigWrapper}. If a
    #     {::Google::Cloud::Security::PrivateCA::V1beta1::ReusableConfigWrapper ReusableConfigWrapper} has an empty field, any value will be
    #     allowed for that field.
    class AllowedConfigList
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods
    end

    # {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::CertificateAuthorityPolicy::AllowedSubjectAltNames AllowedSubjectAltNames} specifies the allowed values for
    # {::Google::Cloud::Security::PrivateCA::V1beta1::SubjectAltNames SubjectAltNames} by the {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority} when issuing
    # {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates}.
    # @!attribute [rw] allowed_dns_names
    #   @return [::Array<::String>]
    #     Optional. Contains valid, fully-qualified host names. Glob patterns are also
    #     supported. To allow an explicit wildcard certificate, escape with
    #     backlash (i.e. `\*`).
    #     E.g. for globbed entries: `*bar.com` will allow `foo.bar.com`, but not
    #     `*.bar.com`, unless the {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::CertificateAuthorityPolicy::AllowedSubjectAltNames#allow_globbing_dns_wildcards allow_globbing_dns_wildcards} field is set.
    #     E.g. for wildcard entries: `\*.bar.com` will allow `*.bar.com`, but not
    #     `foo.bar.com`.
    # @!attribute [rw] allowed_uris
    #   @return [::Array<::String>]
    #     Optional. Contains valid RFC 3986 URIs. Glob patterns are also supported. To
    #     match across path seperators (i.e. '/') use the double star glob
    #     pattern (i.e. '**').
    # @!attribute [rw] allowed_email_addresses
    #   @return [::Array<::String>]
    #     Optional. Contains valid RFC 2822 E-mail addresses. Glob patterns are also
    #     supported.
    # @!attribute [rw] allowed_ips
    #   @return [::Array<::String>]
    #     Optional. Contains valid 32-bit IPv4 addresses and subnet ranges or RFC 4291 IPv6
    #     addresses and subnet ranges. Subnet ranges are specified using the
    #     '/' notation (e.g. 10.0.0.0/8, 2001:700:300:1800::/64). Glob patterns
    #     are supported only for ip address entries (i.e. not for subnet ranges).
    # @!attribute [rw] allow_globbing_dns_wildcards
    #   @return [::Boolean]
    #     Optional. Specifies if glob patterns used for {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::CertificateAuthorityPolicy::AllowedSubjectAltNames#allowed_dns_names allowed_dns_names} allows
    #     wildcard certificates.
    # @!attribute [rw] allow_custom_sans
    #   @return [::Boolean]
    #     Optional. Specifies if to allow custom X509Extension values.
    class AllowedSubjectAltNames
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods
    end

    # {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::CertificateAuthorityPolicy::IssuanceModes IssuanceModes} specifies the allowed ways in which
    # {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates} may be requested from this
    # {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}.
    # @!attribute [rw] allow_csr_based_issuance
    #   @return [::Boolean]
    #     Required. When true, allows callers to create {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates} by
    #     specifying a CSR.
    # @!attribute [rw] allow_config_based_issuance
    #   @return [::Boolean]
    #     Required. When true, allows callers to create {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates} by
    #     specifying a {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateConfig CertificateConfig}.
    class IssuanceModes
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods
    end
  end

  # URLs where a {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority} will publish content.
  # @!attribute [rw] ca_certificate_access_url
  #   @return [::String]
  #     The URL where this {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}'s CA certificate is
  #     published. This will only be set for CAs that have been activated.
  # @!attribute [rw] crl_access_url
  #   @return [::String]
  #     The URL where this {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}'s CRLs are published. This
  #     will only be set for CAs that have been activated.
  class AccessUrls
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # A Cloud KMS key configuration that a {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority} will use.
  # @!attribute [rw] cloud_kms_key_version
  #   @return [::String]
  #     Required. The resource name for an existing Cloud KMS CryptoKeyVersion in the
  #     format
  #     `projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*`.
  #     This option enables full flexibility in the key's capabilities and
  #     properties.
  # @!attribute [rw] algorithm
  #   @return [::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::SignHashAlgorithm]
  #     Required. The algorithm to use for creating a managed Cloud KMS key for a for a
  #     simplified experience. All managed keys will be have their
  #     [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] as `HSM`.
  class KeyVersionSpec
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # @!attribute [rw] key
  #   @return [::String]
  # @!attribute [rw] value
  #   @return [::String]
  class LabelsEntry
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # The type of a {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}, indicating its issuing chain.
  module Type
    # Not specified.
    TYPE_UNSPECIFIED = 0

    # Self-signed CA.
    SELF_SIGNED = 1

    # Subordinate CA. Could be issued by a Private CA {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}
    # or an unmanaged CA.
    SUBORDINATE = 2
  end

  # The tier of a {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}, indicating its supported
  # functionality and/or billing SKU.
  module Tier
    # Not specified.
    TIER_UNSPECIFIED = 0

    # Enterprise tier.
    ENTERPRISE = 1

    # DevOps tier.
    DEVOPS = 2
  end

  # The state of a {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}, indicating if it can be used.
  module State
    # Not specified.
    STATE_UNSPECIFIED = 0

    # Certificates can be issued from this CA. CRLs will be generated for this
    # CA.
    ENABLED = 1

    # Certificates cannot be issued from this CA. CRLs will still be generated.
    DISABLED = 2

    # Certificates cannot be issued from this CA. CRLs will not be generated.
    PENDING_ACTIVATION = 3

    # Certificates cannot be issued from this CA. CRLs will not be generated.
    PENDING_DELETION = 4
  end

  # The algorithm of a Cloud KMS CryptoKeyVersion of a
  # [CryptoKey][google.cloud.kms.v1.CryptoKey] with the
  # [CryptoKeyPurpose][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose] value
  # `ASYMMETRIC_SIGN`. These values correspond to the
  # [CryptoKeyVersionAlgorithm][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm]
  # values. For RSA signing algorithms, the PSS algorithms should be preferred,
  # use PKCS1 algorithms if required for compatibility. For further
  # recommandations, see
  # https://cloud.google.com/kms/docs/algorithms#algorithm_recommendations.
  module SignHashAlgorithm
    # Not specified.
    SIGN_HASH_ALGORITHM_UNSPECIFIED = 0

    # maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PSS_2048_SHA256
    RSA_PSS_2048_SHA256 = 1

    # maps to CryptoKeyVersionAlgorithm. RSA_SIGN_PSS_3072_SHA256
    RSA_PSS_3072_SHA256 = 2

    # maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PSS_4096_SHA256
    RSA_PSS_4096_SHA256 = 3

    # maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_2048_SHA256
    RSA_PKCS1_2048_SHA256 = 6

    # maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_3072_SHA256
    RSA_PKCS1_3072_SHA256 = 7

    # maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_4096_SHA256
    RSA_PKCS1_4096_SHA256 = 8

    # maps to CryptoKeyVersionAlgorithm.EC_SIGN_P256_SHA256
    EC_P256_SHA256 = 4

    # maps to CryptoKeyVersionAlgorithm.EC_SIGN_P384_SHA384
    EC_P384_SHA384 = 5
  end
end

#ca_certificate_descriptions ⇒ ::Array<::Google::Cloud::Security::PrivateCA::V1beta1::CertificateDescription> (readonly)

Returns Output only. A structured description of this CertificateAuthority's CA certificate and its issuers. Ordered as self-to-root.

Returns:

• (::Array<::Google::Cloud::Security::PrivateCA::V1beta1::CertificateDescription>) —

  Output only. A structured description of this CertificateAuthority's CA certificate and its issuers. Ordered as self-to-root.

# File 'proto_docs/google/cloud/security/privateca/v1beta1/resources.rb', line 102

class CertificateAuthority
  include ::Google::Protobuf::MessageExts
  extend ::Google::Protobuf::MessageExts::ClassMethods

  # Options that affect all certificates issued by a {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}.
  # @!attribute [rw] include_ca_cert_url
  #   @return [::Boolean]
  #     Required. When true, includes a URL to the issuing CA certificate in the
  #     "authority information access" X.509 extension.
  # @!attribute [rw] include_crl_access_url
  #   @return [::Boolean]
  #     Required. When true, includes a URL to the CRL corresponding to certificates
  #     issued from a {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}.
  #     CRLs will expire 7 days from their creation. However, we will rebuild
  #     daily. CRLs are also rebuilt shortly after a certificate is revoked.
  class IssuingOptions
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # The issuing policy for a {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}.
  # {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates} will not be successfully issued from this
  # {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority} if they violate the policy.
  # @!attribute [rw] allowed_config_list
  #   @return [::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::CertificateAuthorityPolicy::AllowedConfigList]
  #     Optional. All {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates} issued by the {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}
  #     must match at least one listed {::Google::Cloud::Security::PrivateCA::V1beta1::ReusableConfigWrapper ReusableConfigWrapper} in the list.
  # @!attribute [rw] overwrite_config_values
  #   @return [::Google::Cloud::Security::PrivateCA::V1beta1::ReusableConfigWrapper]
  #     Optional. All {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates} issued by the {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}
  #     will use the provided configuration values, overwriting any requested
  #     configuration values.
  # @!attribute [rw] allowed_locations_and_organizations
  #   @return [::Array<::Google::Cloud::Security::PrivateCA::V1beta1::Subject>]
  #     Optional. If any {::Google::Cloud::Security::PrivateCA::V1beta1::Subject Subject} is specified here, then all
  #     {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates} issued by the {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority} must
  #     match at least one listed {::Google::Cloud::Security::PrivateCA::V1beta1::Subject Subject}. If a {::Google::Cloud::Security::PrivateCA::V1beta1::Subject Subject} has an empty
  #     field, any value will be allowed for that field.
  # @!attribute [rw] allowed_common_names
  #   @return [::Array<::String>]
  #     Optional. If any value is specified here, then all
  #     {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates} issued by the {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority} must
  #     match at least one listed value. If no value is specified, all values
  #     will be allowed for this fied. Glob patterns are also supported.
  # @!attribute [rw] allowed_sans
  #   @return [::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::CertificateAuthorityPolicy::AllowedSubjectAltNames]
  #     Optional. If a {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::CertificateAuthorityPolicy::AllowedSubjectAltNames AllowedSubjectAltNames} is specified here, then all
  #     {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates} issued by the {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority} must
  #     match {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::CertificateAuthorityPolicy::AllowedSubjectAltNames AllowedSubjectAltNames}. If no value or an empty value
  #     is specified, any value will be allowed for the {::Google::Cloud::Security::PrivateCA::V1beta1::SubjectAltNames SubjectAltNames}
  #     field.
  # @!attribute [rw] maximum_lifetime
  #   @return [::Google::Protobuf::Duration]
  #     Optional. The maximum lifetime allowed by the {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}. Note that
  #     if the any part if the issuing chain expires before a {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificate}'s
  #     requested maximum_lifetime, the effective lifetime will be explicitly
  #     truncated.
  # @!attribute [rw] allowed_issuance_modes
  #   @return [::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::CertificateAuthorityPolicy::IssuanceModes]
  #     Optional. If specified, then only methods allowed in the {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::CertificateAuthorityPolicy::IssuanceModes IssuanceModes} may be
  #     used to issue {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates}.
  class CertificateAuthorityPolicy
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods

    # @!attribute [rw] allowed_config_values
    #   @return [::Array<::Google::Cloud::Security::PrivateCA::V1beta1::ReusableConfigWrapper>]
    #     Required. All {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates} issued by the {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}
    #     must match at least one listed {::Google::Cloud::Security::PrivateCA::V1beta1::ReusableConfigWrapper ReusableConfigWrapper}. If a
    #     {::Google::Cloud::Security::PrivateCA::V1beta1::ReusableConfigWrapper ReusableConfigWrapper} has an empty field, any value will be
    #     allowed for that field.
    class AllowedConfigList
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods
    end

    # {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::CertificateAuthorityPolicy::AllowedSubjectAltNames AllowedSubjectAltNames} specifies the allowed values for
    # {::Google::Cloud::Security::PrivateCA::V1beta1::SubjectAltNames SubjectAltNames} by the {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority} when issuing
    # {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates}.
    # @!attribute [rw] allowed_dns_names
    #   @return [::Array<::String>]
    #     Optional. Contains valid, fully-qualified host names. Glob patterns are also
    #     supported. To allow an explicit wildcard certificate, escape with
    #     backlash (i.e. `\*`).
    #     E.g. for globbed entries: `*bar.com` will allow `foo.bar.com`, but not
    #     `*.bar.com`, unless the {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::CertificateAuthorityPolicy::AllowedSubjectAltNames#allow_globbing_dns_wildcards allow_globbing_dns_wildcards} field is set.
    #     E.g. for wildcard entries: `\*.bar.com` will allow `*.bar.com`, but not
    #     `foo.bar.com`.
    # @!attribute [rw] allowed_uris
    #   @return [::Array<::String>]
    #     Optional. Contains valid RFC 3986 URIs. Glob patterns are also supported. To
    #     match across path seperators (i.e. '/') use the double star glob
    #     pattern (i.e. '**').
    # @!attribute [rw] allowed_email_addresses
    #   @return [::Array<::String>]
    #     Optional. Contains valid RFC 2822 E-mail addresses. Glob patterns are also
    #     supported.
    # @!attribute [rw] allowed_ips
    #   @return [::Array<::String>]
    #     Optional. Contains valid 32-bit IPv4 addresses and subnet ranges or RFC 4291 IPv6
    #     addresses and subnet ranges. Subnet ranges are specified using the
    #     '/' notation (e.g. 10.0.0.0/8, 2001:700:300:1800::/64). Glob patterns
    #     are supported only for ip address entries (i.e. not for subnet ranges).
    # @!attribute [rw] allow_globbing_dns_wildcards
    #   @return [::Boolean]
    #     Optional. Specifies if glob patterns used for {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::CertificateAuthorityPolicy::AllowedSubjectAltNames#allowed_dns_names allowed_dns_names} allows
    #     wildcard certificates.
    # @!attribute [rw] allow_custom_sans
    #   @return [::Boolean]
    #     Optional. Specifies if to allow custom X509Extension values.
    class AllowedSubjectAltNames
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods
    end

    # {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::CertificateAuthorityPolicy::IssuanceModes IssuanceModes} specifies the allowed ways in which
    # {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates} may be requested from this
    # {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}.
    # @!attribute [rw] allow_csr_based_issuance
    #   @return [::Boolean]
    #     Required. When true, allows callers to create {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates} by
    #     specifying a CSR.
    # @!attribute [rw] allow_config_based_issuance
    #   @return [::Boolean]
    #     Required. When true, allows callers to create {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates} by
    #     specifying a {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateConfig CertificateConfig}.
    class IssuanceModes
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods
    end
  end

  # URLs where a {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority} will publish content.
  # @!attribute [rw] ca_certificate_access_url
  #   @return [::String]
  #     The URL where this {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}'s CA certificate is
  #     published. This will only be set for CAs that have been activated.
  # @!attribute [rw] crl_access_url
  #   @return [::String]
  #     The URL where this {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}'s CRLs are published. This
  #     will only be set for CAs that have been activated.
  class AccessUrls
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # A Cloud KMS key configuration that a {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority} will use.
  # @!attribute [rw] cloud_kms_key_version
  #   @return [::String]
  #     Required. The resource name for an existing Cloud KMS CryptoKeyVersion in the
  #     format
  #     `projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*`.
  #     This option enables full flexibility in the key's capabilities and
  #     properties.
  # @!attribute [rw] algorithm
  #   @return [::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::SignHashAlgorithm]
  #     Required. The algorithm to use for creating a managed Cloud KMS key for a for a
  #     simplified experience. All managed keys will be have their
  #     [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] as `HSM`.
  class KeyVersionSpec
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # @!attribute [rw] key
  #   @return [::String]
  # @!attribute [rw] value
  #   @return [::String]
  class LabelsEntry
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # The type of a {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}, indicating its issuing chain.
  module Type
    # Not specified.
    TYPE_UNSPECIFIED = 0

    # Self-signed CA.
    SELF_SIGNED = 1

    # Subordinate CA. Could be issued by a Private CA {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}
    # or an unmanaged CA.
    SUBORDINATE = 2
  end

  # The tier of a {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}, indicating its supported
  # functionality and/or billing SKU.
  module Tier
    # Not specified.
    TIER_UNSPECIFIED = 0

    # Enterprise tier.
    ENTERPRISE = 1

    # DevOps tier.
    DEVOPS = 2
  end

  # The state of a {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}, indicating if it can be used.
  module State
    # Not specified.
    STATE_UNSPECIFIED = 0

    # Certificates can be issued from this CA. CRLs will be generated for this
    # CA.
    ENABLED = 1

    # Certificates cannot be issued from this CA. CRLs will still be generated.
    DISABLED = 2

    # Certificates cannot be issued from this CA. CRLs will not be generated.
    PENDING_ACTIVATION = 3

    # Certificates cannot be issued from this CA. CRLs will not be generated.
    PENDING_DELETION = 4
  end

  # The algorithm of a Cloud KMS CryptoKeyVersion of a
  # [CryptoKey][google.cloud.kms.v1.CryptoKey] with the
  # [CryptoKeyPurpose][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose] value
  # `ASYMMETRIC_SIGN`. These values correspond to the
  # [CryptoKeyVersionAlgorithm][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm]
  # values. For RSA signing algorithms, the PSS algorithms should be preferred,
  # use PKCS1 algorithms if required for compatibility. For further
  # recommandations, see
  # https://cloud.google.com/kms/docs/algorithms#algorithm_recommendations.
  module SignHashAlgorithm
    # Not specified.
    SIGN_HASH_ALGORITHM_UNSPECIFIED = 0

    # maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PSS_2048_SHA256
    RSA_PSS_2048_SHA256 = 1

    # maps to CryptoKeyVersionAlgorithm. RSA_SIGN_PSS_3072_SHA256
    RSA_PSS_3072_SHA256 = 2

    # maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PSS_4096_SHA256
    RSA_PSS_4096_SHA256 = 3

    # maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_2048_SHA256
    RSA_PKCS1_2048_SHA256 = 6

    # maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_3072_SHA256
    RSA_PKCS1_3072_SHA256 = 7

    # maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_4096_SHA256
    RSA_PKCS1_4096_SHA256 = 8

    # maps to CryptoKeyVersionAlgorithm.EC_SIGN_P256_SHA256
    EC_P256_SHA256 = 4

    # maps to CryptoKeyVersionAlgorithm.EC_SIGN_P384_SHA384
    EC_P384_SHA384 = 5
  end
end

#certificate_policy ⇒ ::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::CertificateAuthorityPolicy

Returns Optional. The CertificateAuthorityPolicy to enforce when issuing Certificates from this CertificateAuthority.

Returns:

• (::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::CertificateAuthorityPolicy) —

  Optional. The CertificateAuthorityPolicy to enforce when issuing Certificates from this CertificateAuthority.

# File 'proto_docs/google/cloud/security/privateca/v1beta1/resources.rb', line 102

class CertificateAuthority
  include ::Google::Protobuf::MessageExts
  extend ::Google::Protobuf::MessageExts::ClassMethods

  # Options that affect all certificates issued by a {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}.
  # @!attribute [rw] include_ca_cert_url
  #   @return [::Boolean]
  #     Required. When true, includes a URL to the issuing CA certificate in the
  #     "authority information access" X.509 extension.
  # @!attribute [rw] include_crl_access_url
  #   @return [::Boolean]
  #     Required. When true, includes a URL to the CRL corresponding to certificates
  #     issued from a {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}.
  #     CRLs will expire 7 days from their creation. However, we will rebuild
  #     daily. CRLs are also rebuilt shortly after a certificate is revoked.
  class IssuingOptions
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # The issuing policy for a {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}.
  # {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates} will not be successfully issued from this
  # {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority} if they violate the policy.
  # @!attribute [rw] allowed_config_list
  #   @return [::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::CertificateAuthorityPolicy::AllowedConfigList]
  #     Optional. All {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates} issued by the {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}
  #     must match at least one listed {::Google::Cloud::Security::PrivateCA::V1beta1::ReusableConfigWrapper ReusableConfigWrapper} in the list.
  # @!attribute [rw] overwrite_config_values
  #   @return [::Google::Cloud::Security::PrivateCA::V1beta1::ReusableConfigWrapper]
  #     Optional. All {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates} issued by the {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}
  #     will use the provided configuration values, overwriting any requested
  #     configuration values.
  # @!attribute [rw] allowed_locations_and_organizations
  #   @return [::Array<::Google::Cloud::Security::PrivateCA::V1beta1::Subject>]
  #     Optional. If any {::Google::Cloud::Security::PrivateCA::V1beta1::Subject Subject} is specified here, then all
  #     {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates} issued by the {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority} must
  #     match at least one listed {::Google::Cloud::Security::PrivateCA::V1beta1::Subject Subject}. If a {::Google::Cloud::Security::PrivateCA::V1beta1::Subject Subject} has an empty
  #     field, any value will be allowed for that field.
  # @!attribute [rw] allowed_common_names
  #   @return [::Array<::String>]
  #     Optional. If any value is specified here, then all
  #     {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates} issued by the {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority} must
  #     match at least one listed value. If no value is specified, all values
  #     will be allowed for this fied. Glob patterns are also supported.
  # @!attribute [rw] allowed_sans
  #   @return [::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::CertificateAuthorityPolicy::AllowedSubjectAltNames]
  #     Optional. If a {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::CertificateAuthorityPolicy::AllowedSubjectAltNames AllowedSubjectAltNames} is specified here, then all
  #     {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates} issued by the {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority} must
  #     match {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::CertificateAuthorityPolicy::AllowedSubjectAltNames AllowedSubjectAltNames}. If no value or an empty value
  #     is specified, any value will be allowed for the {::Google::Cloud::Security::PrivateCA::V1beta1::SubjectAltNames SubjectAltNames}
  #     field.
  # @!attribute [rw] maximum_lifetime
  #   @return [::Google::Protobuf::Duration]
  #     Optional. The maximum lifetime allowed by the {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}. Note that
  #     if the any part if the issuing chain expires before a {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificate}'s
  #     requested maximum_lifetime, the effective lifetime will be explicitly
  #     truncated.
  # @!attribute [rw] allowed_issuance_modes
  #   @return [::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::CertificateAuthorityPolicy::IssuanceModes]
  #     Optional. If specified, then only methods allowed in the {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::CertificateAuthorityPolicy::IssuanceModes IssuanceModes} may be
  #     used to issue {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates}.
  class CertificateAuthorityPolicy
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods

    # @!attribute [rw] allowed_config_values
    #   @return [::Array<::Google::Cloud::Security::PrivateCA::V1beta1::ReusableConfigWrapper>]
    #     Required. All {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates} issued by the {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}
    #     must match at least one listed {::Google::Cloud::Security::PrivateCA::V1beta1::ReusableConfigWrapper ReusableConfigWrapper}. If a
    #     {::Google::Cloud::Security::PrivateCA::V1beta1::ReusableConfigWrapper ReusableConfigWrapper} has an empty field, any value will be
    #     allowed for that field.
    class AllowedConfigList
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods
    end

    # {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::CertificateAuthorityPolicy::AllowedSubjectAltNames AllowedSubjectAltNames} specifies the allowed values for
    # {::Google::Cloud::Security::PrivateCA::V1beta1::SubjectAltNames SubjectAltNames} by the {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority} when issuing
    # {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates}.
    # @!attribute [rw] allowed_dns_names
    #   @return [::Array<::String>]
    #     Optional. Contains valid, fully-qualified host names. Glob patterns are also
    #     supported. To allow an explicit wildcard certificate, escape with
    #     backlash (i.e. `\*`).
    #     E.g. for globbed entries: `*bar.com` will allow `foo.bar.com`, but not
    #     `*.bar.com`, unless the {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::CertificateAuthorityPolicy::AllowedSubjectAltNames#allow_globbing_dns_wildcards allow_globbing_dns_wildcards} field is set.
    #     E.g. for wildcard entries: `\*.bar.com` will allow `*.bar.com`, but not
    #     `foo.bar.com`.
    # @!attribute [rw] allowed_uris
    #   @return [::Array<::String>]
    #     Optional. Contains valid RFC 3986 URIs. Glob patterns are also supported. To
    #     match across path seperators (i.e. '/') use the double star glob
    #     pattern (i.e. '**').
    # @!attribute [rw] allowed_email_addresses
    #   @return [::Array<::String>]
    #     Optional. Contains valid RFC 2822 E-mail addresses. Glob patterns are also
    #     supported.
    # @!attribute [rw] allowed_ips
    #   @return [::Array<::String>]
    #     Optional. Contains valid 32-bit IPv4 addresses and subnet ranges or RFC 4291 IPv6
    #     addresses and subnet ranges. Subnet ranges are specified using the
    #     '/' notation (e.g. 10.0.0.0/8, 2001:700:300:1800::/64). Glob patterns
    #     are supported only for ip address entries (i.e. not for subnet ranges).
    # @!attribute [rw] allow_globbing_dns_wildcards
    #   @return [::Boolean]
    #     Optional. Specifies if glob patterns used for {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::CertificateAuthorityPolicy::AllowedSubjectAltNames#allowed_dns_names allowed_dns_names} allows
    #     wildcard certificates.
    # @!attribute [rw] allow_custom_sans
    #   @return [::Boolean]
    #     Optional. Specifies if to allow custom X509Extension values.
    class AllowedSubjectAltNames
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods
    end

    # {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::CertificateAuthorityPolicy::IssuanceModes IssuanceModes} specifies the allowed ways in which
    # {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates} may be requested from this
    # {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}.
    # @!attribute [rw] allow_csr_based_issuance
    #   @return [::Boolean]
    #     Required. When true, allows callers to create {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates} by
    #     specifying a CSR.
    # @!attribute [rw] allow_config_based_issuance
    #   @return [::Boolean]
    #     Required. When true, allows callers to create {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates} by
    #     specifying a {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateConfig CertificateConfig}.
    class IssuanceModes
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods
    end
  end

  # URLs where a {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority} will publish content.
  # @!attribute [rw] ca_certificate_access_url
  #   @return [::String]
  #     The URL where this {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}'s CA certificate is
  #     published. This will only be set for CAs that have been activated.
  # @!attribute [rw] crl_access_url
  #   @return [::String]
  #     The URL where this {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}'s CRLs are published. This
  #     will only be set for CAs that have been activated.
  class AccessUrls
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # A Cloud KMS key configuration that a {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority} will use.
  # @!attribute [rw] cloud_kms_key_version
  #   @return [::String]
  #     Required. The resource name for an existing Cloud KMS CryptoKeyVersion in the
  #     format
  #     `projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*`.
  #     This option enables full flexibility in the key's capabilities and
  #     properties.
  # @!attribute [rw] algorithm
  #   @return [::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::SignHashAlgorithm]
  #     Required. The algorithm to use for creating a managed Cloud KMS key for a for a
  #     simplified experience. All managed keys will be have their
  #     [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] as `HSM`.
  class KeyVersionSpec
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # @!attribute [rw] key
  #   @return [::String]
  # @!attribute [rw] value
  #   @return [::String]
  class LabelsEntry
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # The type of a {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}, indicating its issuing chain.
  module Type
    # Not specified.
    TYPE_UNSPECIFIED = 0

    # Self-signed CA.
    SELF_SIGNED = 1

    # Subordinate CA. Could be issued by a Private CA {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}
    # or an unmanaged CA.
    SUBORDINATE = 2
  end

  # The tier of a {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}, indicating its supported
  # functionality and/or billing SKU.
  module Tier
    # Not specified.
    TIER_UNSPECIFIED = 0

    # Enterprise tier.
    ENTERPRISE = 1

    # DevOps tier.
    DEVOPS = 2
  end

  # The state of a {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}, indicating if it can be used.
  module State
    # Not specified.
    STATE_UNSPECIFIED = 0

    # Certificates can be issued from this CA. CRLs will be generated for this
    # CA.
    ENABLED = 1

    # Certificates cannot be issued from this CA. CRLs will still be generated.
    DISABLED = 2

    # Certificates cannot be issued from this CA. CRLs will not be generated.
    PENDING_ACTIVATION = 3

    # Certificates cannot be issued from this CA. CRLs will not be generated.
    PENDING_DELETION = 4
  end

  # The algorithm of a Cloud KMS CryptoKeyVersion of a
  # [CryptoKey][google.cloud.kms.v1.CryptoKey] with the
  # [CryptoKeyPurpose][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose] value
  # `ASYMMETRIC_SIGN`. These values correspond to the
  # [CryptoKeyVersionAlgorithm][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm]
  # values. For RSA signing algorithms, the PSS algorithms should be preferred,
  # use PKCS1 algorithms if required for compatibility. For further
  # recommandations, see
  # https://cloud.google.com/kms/docs/algorithms#algorithm_recommendations.
  module SignHashAlgorithm
    # Not specified.
    SIGN_HASH_ALGORITHM_UNSPECIFIED = 0

    # maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PSS_2048_SHA256
    RSA_PSS_2048_SHA256 = 1

    # maps to CryptoKeyVersionAlgorithm. RSA_SIGN_PSS_3072_SHA256
    RSA_PSS_3072_SHA256 = 2

    # maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PSS_4096_SHA256
    RSA_PSS_4096_SHA256 = 3

    # maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_2048_SHA256
    RSA_PKCS1_2048_SHA256 = 6

    # maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_3072_SHA256
    RSA_PKCS1_3072_SHA256 = 7

    # maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_4096_SHA256
    RSA_PKCS1_4096_SHA256 = 8

    # maps to CryptoKeyVersionAlgorithm.EC_SIGN_P256_SHA256
    EC_P256_SHA256 = 4

    # maps to CryptoKeyVersionAlgorithm.EC_SIGN_P384_SHA384
    EC_P384_SHA384 = 5
  end
end

#config ⇒ ::Google::Cloud::Security::PrivateCA::V1beta1::CertificateConfig

Returns Required. Immutable. The config used to create a self-signed X.509 certificate or CSR.

Returns:

• (::Google::Cloud::Security::PrivateCA::V1beta1::CertificateConfig) —

  Required. Immutable. The config used to create a self-signed X.509 certificate or CSR.

# File 'proto_docs/google/cloud/security/privateca/v1beta1/resources.rb', line 102

class CertificateAuthority
  include ::Google::Protobuf::MessageExts
  extend ::Google::Protobuf::MessageExts::ClassMethods

  # Options that affect all certificates issued by a {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}.
  # @!attribute [rw] include_ca_cert_url
  #   @return [::Boolean]
  #     Required. When true, includes a URL to the issuing CA certificate in the
  #     "authority information access" X.509 extension.
  # @!attribute [rw] include_crl_access_url
  #   @return [::Boolean]
  #     Required. When true, includes a URL to the CRL corresponding to certificates
  #     issued from a {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}.
  #     CRLs will expire 7 days from their creation. However, we will rebuild
  #     daily. CRLs are also rebuilt shortly after a certificate is revoked.
  class IssuingOptions
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # The issuing policy for a {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}.
  # {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates} will not be successfully issued from this
  # {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority} if they violate the policy.
  # @!attribute [rw] allowed_config_list
  #   @return [::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::CertificateAuthorityPolicy::AllowedConfigList]
  #     Optional. All {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates} issued by the {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}
  #     must match at least one listed {::Google::Cloud::Security::PrivateCA::V1beta1::ReusableConfigWrapper ReusableConfigWrapper} in the list.
  # @!attribute [rw] overwrite_config_values
  #   @return [::Google::Cloud::Security::PrivateCA::V1beta1::ReusableConfigWrapper]
  #     Optional. All {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates} issued by the {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}
  #     will use the provided configuration values, overwriting any requested
  #     configuration values.
  # @!attribute [rw] allowed_locations_and_organizations
  #   @return [::Array<::Google::Cloud::Security::PrivateCA::V1beta1::Subject>]
  #     Optional. If any {::Google::Cloud::Security::PrivateCA::V1beta1::Subject Subject} is specified here, then all
  #     {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates} issued by the {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority} must
  #     match at least one listed {::Google::Cloud::Security::PrivateCA::V1beta1::Subject Subject}. If a {::Google::Cloud::Security::PrivateCA::V1beta1::Subject Subject} has an empty
  #     field, any value will be allowed for that field.
  # @!attribute [rw] allowed_common_names
  #   @return [::Array<::String>]
  #     Optional. If any value is specified here, then all
  #     {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates} issued by the {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority} must
  #     match at least one listed value. If no value is specified, all values
  #     will be allowed for this fied. Glob patterns are also supported.
  # @!attribute [rw] allowed_sans
  #   @return [::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::CertificateAuthorityPolicy::AllowedSubjectAltNames]
  #     Optional. If a {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::CertificateAuthorityPolicy::AllowedSubjectAltNames AllowedSubjectAltNames} is specified here, then all
  #     {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates} issued by the {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority} must
  #     match {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::CertificateAuthorityPolicy::AllowedSubjectAltNames AllowedSubjectAltNames}. If no value or an empty value
  #     is specified, any value will be allowed for the {::Google::Cloud::Security::PrivateCA::V1beta1::SubjectAltNames SubjectAltNames}
  #     field.
  # @!attribute [rw] maximum_lifetime
  #   @return [::Google::Protobuf::Duration]
  #     Optional. The maximum lifetime allowed by the {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}. Note that
  #     if the any part if the issuing chain expires before a {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificate}'s
  #     requested maximum_lifetime, the effective lifetime will be explicitly
  #     truncated.
  # @!attribute [rw] allowed_issuance_modes
  #   @return [::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::CertificateAuthorityPolicy::IssuanceModes]
  #     Optional. If specified, then only methods allowed in the {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::CertificateAuthorityPolicy::IssuanceModes IssuanceModes} may be
  #     used to issue {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates}.
  class CertificateAuthorityPolicy
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods

    # @!attribute [rw] allowed_config_values
    #   @return [::Array<::Google::Cloud::Security::PrivateCA::V1beta1::ReusableConfigWrapper>]
    #     Required. All {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates} issued by the {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}
    #     must match at least one listed {::Google::Cloud::Security::PrivateCA::V1beta1::ReusableConfigWrapper ReusableConfigWrapper}. If a
    #     {::Google::Cloud::Security::PrivateCA::V1beta1::ReusableConfigWrapper ReusableConfigWrapper} has an empty field, any value will be
    #     allowed for that field.
    class AllowedConfigList
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods
    end

    # {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::CertificateAuthorityPolicy::AllowedSubjectAltNames AllowedSubjectAltNames} specifies the allowed values for
    # {::Google::Cloud::Security::PrivateCA::V1beta1::SubjectAltNames SubjectAltNames} by the {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority} when issuing
    # {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates}.
    # @!attribute [rw] allowed_dns_names
    #   @return [::Array<::String>]
    #     Optional. Contains valid, fully-qualified host names. Glob patterns are also
    #     supported. To allow an explicit wildcard certificate, escape with
    #     backlash (i.e. `\*`).
    #     E.g. for globbed entries: `*bar.com` will allow `foo.bar.com`, but not
    #     `*.bar.com`, unless the {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::CertificateAuthorityPolicy::AllowedSubjectAltNames#allow_globbing_dns_wildcards allow_globbing_dns_wildcards} field is set.
    #     E.g. for wildcard entries: `\*.bar.com` will allow `*.bar.com`, but not
    #     `foo.bar.com`.
    # @!attribute [rw] allowed_uris
    #   @return [::Array<::String>]
    #     Optional. Contains valid RFC 3986 URIs. Glob patterns are also supported. To
    #     match across path seperators (i.e. '/') use the double star glob
    #     pattern (i.e. '**').
    # @!attribute [rw] allowed_email_addresses
    #   @return [::Array<::String>]
    #     Optional. Contains valid RFC 2822 E-mail addresses. Glob patterns are also
    #     supported.
    # @!attribute [rw] allowed_ips
    #   @return [::Array<::String>]
    #     Optional. Contains valid 32-bit IPv4 addresses and subnet ranges or RFC 4291 IPv6
    #     addresses and subnet ranges. Subnet ranges are specified using the
    #     '/' notation (e.g. 10.0.0.0/8, 2001:700:300:1800::/64). Glob patterns
    #     are supported only for ip address entries (i.e. not for subnet ranges).
    # @!attribute [rw] allow_globbing_dns_wildcards
    #   @return [::Boolean]
    #     Optional. Specifies if glob patterns used for {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::CertificateAuthorityPolicy::AllowedSubjectAltNames#allowed_dns_names allowed_dns_names} allows
    #     wildcard certificates.
    # @!attribute [rw] allow_custom_sans
    #   @return [::Boolean]
    #     Optional. Specifies if to allow custom X509Extension values.
    class AllowedSubjectAltNames
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods
    end

    # {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::CertificateAuthorityPolicy::IssuanceModes IssuanceModes} specifies the allowed ways in which
    # {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates} may be requested from this
    # {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}.
    # @!attribute [rw] allow_csr_based_issuance
    #   @return [::Boolean]
    #     Required. When true, allows callers to create {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates} by
    #     specifying a CSR.
    # @!attribute [rw] allow_config_based_issuance
    #   @return [::Boolean]
    #     Required. When true, allows callers to create {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates} by
    #     specifying a {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateConfig CertificateConfig}.
    class IssuanceModes
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods
    end
  end

  # URLs where a {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority} will publish content.
  # @!attribute [rw] ca_certificate_access_url
  #   @return [::String]
  #     The URL where this {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}'s CA certificate is
  #     published. This will only be set for CAs that have been activated.
  # @!attribute [rw] crl_access_url
  #   @return [::String]
  #     The URL where this {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}'s CRLs are published. This
  #     will only be set for CAs that have been activated.
  class AccessUrls
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # A Cloud KMS key configuration that a {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority} will use.
  # @!attribute [rw] cloud_kms_key_version
  #   @return [::String]
  #     Required. The resource name for an existing Cloud KMS CryptoKeyVersion in the
  #     format
  #     `projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*`.
  #     This option enables full flexibility in the key's capabilities and
  #     properties.
  # @!attribute [rw] algorithm
  #   @return [::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::SignHashAlgorithm]
  #     Required. The algorithm to use for creating a managed Cloud KMS key for a for a
  #     simplified experience. All managed keys will be have their
  #     [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] as `HSM`.
  class KeyVersionSpec
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # @!attribute [rw] key
  #   @return [::String]
  # @!attribute [rw] value
  #   @return [::String]
  class LabelsEntry
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # The type of a {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}, indicating its issuing chain.
  module Type
    # Not specified.
    TYPE_UNSPECIFIED = 0

    # Self-signed CA.
    SELF_SIGNED = 1

    # Subordinate CA. Could be issued by a Private CA {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}
    # or an unmanaged CA.
    SUBORDINATE = 2
  end

  # The tier of a {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}, indicating its supported
  # functionality and/or billing SKU.
  module Tier
    # Not specified.
    TIER_UNSPECIFIED = 0

    # Enterprise tier.
    ENTERPRISE = 1

    # DevOps tier.
    DEVOPS = 2
  end

  # The state of a {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}, indicating if it can be used.
  module State
    # Not specified.
    STATE_UNSPECIFIED = 0

    # Certificates can be issued from this CA. CRLs will be generated for this
    # CA.
    ENABLED = 1

    # Certificates cannot be issued from this CA. CRLs will still be generated.
    DISABLED = 2

    # Certificates cannot be issued from this CA. CRLs will not be generated.
    PENDING_ACTIVATION = 3

    # Certificates cannot be issued from this CA. CRLs will not be generated.
    PENDING_DELETION = 4
  end

  # The algorithm of a Cloud KMS CryptoKeyVersion of a
  # [CryptoKey][google.cloud.kms.v1.CryptoKey] with the
  # [CryptoKeyPurpose][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose] value
  # `ASYMMETRIC_SIGN`. These values correspond to the
  # [CryptoKeyVersionAlgorithm][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm]
  # values. For RSA signing algorithms, the PSS algorithms should be preferred,
  # use PKCS1 algorithms if required for compatibility. For further
  # recommandations, see
  # https://cloud.google.com/kms/docs/algorithms#algorithm_recommendations.
  module SignHashAlgorithm
    # Not specified.
    SIGN_HASH_ALGORITHM_UNSPECIFIED = 0

    # maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PSS_2048_SHA256
    RSA_PSS_2048_SHA256 = 1

    # maps to CryptoKeyVersionAlgorithm. RSA_SIGN_PSS_3072_SHA256
    RSA_PSS_3072_SHA256 = 2

    # maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PSS_4096_SHA256
    RSA_PSS_4096_SHA256 = 3

    # maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_2048_SHA256
    RSA_PKCS1_2048_SHA256 = 6

    # maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_3072_SHA256
    RSA_PKCS1_3072_SHA256 = 7

    # maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_4096_SHA256
    RSA_PKCS1_4096_SHA256 = 8

    # maps to CryptoKeyVersionAlgorithm.EC_SIGN_P256_SHA256
    EC_P256_SHA256 = 4

    # maps to CryptoKeyVersionAlgorithm.EC_SIGN_P384_SHA384
    EC_P384_SHA384 = 5
  end
end

#create_time ⇒ ::Google::Protobuf::Timestamp (readonly)

Returns Output only. The time at which this CertificateAuthority was created.

Returns:

• (::Google::Protobuf::Timestamp) —

  Output only. The time at which this CertificateAuthority was created.

# File 'proto_docs/google/cloud/security/privateca/v1beta1/resources.rb', line 102

class CertificateAuthority
  include ::Google::Protobuf::MessageExts
  extend ::Google::Protobuf::MessageExts::ClassMethods

  # Options that affect all certificates issued by a {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}.
  # @!attribute [rw] include_ca_cert_url
  #   @return [::Boolean]
  #     Required. When true, includes a URL to the issuing CA certificate in the
  #     "authority information access" X.509 extension.
  # @!attribute [rw] include_crl_access_url
  #   @return [::Boolean]
  #     Required. When true, includes a URL to the CRL corresponding to certificates
  #     issued from a {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}.
  #     CRLs will expire 7 days from their creation. However, we will rebuild
  #     daily. CRLs are also rebuilt shortly after a certificate is revoked.
  class IssuingOptions
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # The issuing policy for a {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}.
  # {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates} will not be successfully issued from this
  # {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority} if they violate the policy.
  # @!attribute [rw] allowed_config_list
  #   @return [::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::CertificateAuthorityPolicy::AllowedConfigList]
  #     Optional. All {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates} issued by the {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}
  #     must match at least one listed {::Google::Cloud::Security::PrivateCA::V1beta1::ReusableConfigWrapper ReusableConfigWrapper} in the list.
  # @!attribute [rw] overwrite_config_values
  #   @return [::Google::Cloud::Security::PrivateCA::V1beta1::ReusableConfigWrapper]
  #     Optional. All {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates} issued by the {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}
  #     will use the provided configuration values, overwriting any requested
  #     configuration values.
  # @!attribute [rw] allowed_locations_and_organizations
  #   @return [::Array<::Google::Cloud::Security::PrivateCA::V1beta1::Subject>]
  #     Optional. If any {::Google::Cloud::Security::PrivateCA::V1beta1::Subject Subject} is specified here, then all
  #     {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates} issued by the {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority} must
  #     match at least one listed {::Google::Cloud::Security::PrivateCA::V1beta1::Subject Subject}. If a {::Google::Cloud::Security::PrivateCA::V1beta1::Subject Subject} has an empty
  #     field, any value will be allowed for that field.
  # @!attribute [rw] allowed_common_names
  #   @return [::Array<::String>]
  #     Optional. If any value is specified here, then all
  #     {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates} issued by the {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority} must
  #     match at least one listed value. If no value is specified, all values
  #     will be allowed for this fied. Glob patterns are also supported.
  # @!attribute [rw] allowed_sans
  #   @return [::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::CertificateAuthorityPolicy::AllowedSubjectAltNames]
  #     Optional. If a {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::CertificateAuthorityPolicy::AllowedSubjectAltNames AllowedSubjectAltNames} is specified here, then all
  #     {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates} issued by the {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority} must
  #     match {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::CertificateAuthorityPolicy::AllowedSubjectAltNames AllowedSubjectAltNames}. If no value or an empty value
  #     is specified, any value will be allowed for the {::Google::Cloud::Security::PrivateCA::V1beta1::SubjectAltNames SubjectAltNames}
  #     field.
  # @!attribute [rw] maximum_lifetime
  #   @return [::Google::Protobuf::Duration]
  #     Optional. The maximum lifetime allowed by the {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}. Note that
  #     if the any part if the issuing chain expires before a {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificate}'s
  #     requested maximum_lifetime, the effective lifetime will be explicitly
  #     truncated.
  # @!attribute [rw] allowed_issuance_modes
  #   @return [::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::CertificateAuthorityPolicy::IssuanceModes]
  #     Optional. If specified, then only methods allowed in the {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::CertificateAuthorityPolicy::IssuanceModes IssuanceModes} may be
  #     used to issue {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates}.
  class CertificateAuthorityPolicy
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods

    # @!attribute [rw] allowed_config_values
    #   @return [::Array<::Google::Cloud::Security::PrivateCA::V1beta1::ReusableConfigWrapper>]
    #     Required. All {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates} issued by the {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}
    #     must match at least one listed {::Google::Cloud::Security::PrivateCA::V1beta1::ReusableConfigWrapper ReusableConfigWrapper}. If a
    #     {::Google::Cloud::Security::PrivateCA::V1beta1::ReusableConfigWrapper ReusableConfigWrapper} has an empty field, any value will be
    #     allowed for that field.
    class AllowedConfigList
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods
    end

    # {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::CertificateAuthorityPolicy::AllowedSubjectAltNames AllowedSubjectAltNames} specifies the allowed values for
    # {::Google::Cloud::Security::PrivateCA::V1beta1::SubjectAltNames SubjectAltNames} by the {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority} when issuing
    # {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates}.
    # @!attribute [rw] allowed_dns_names
    #   @return [::Array<::String>]
    #     Optional. Contains valid, fully-qualified host names. Glob patterns are also
    #     supported. To allow an explicit wildcard certificate, escape with
    #     backlash (i.e. `\*`).
    #     E.g. for globbed entries: `*bar.com` will allow `foo.bar.com`, but not
    #     `*.bar.com`, unless the {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::CertificateAuthorityPolicy::AllowedSubjectAltNames#allow_globbing_dns_wildcards allow_globbing_dns_wildcards} field is set.
    #     E.g. for wildcard entries: `\*.bar.com` will allow `*.bar.com`, but not
    #     `foo.bar.com`.
    # @!attribute [rw] allowed_uris
    #   @return [::Array<::String>]
    #     Optional. Contains valid RFC 3986 URIs. Glob patterns are also supported. To
    #     match across path seperators (i.e. '/') use the double star glob
    #     pattern (i.e. '**').
    # @!attribute [rw] allowed_email_addresses
    #   @return [::Array<::String>]
    #     Optional. Contains valid RFC 2822 E-mail addresses. Glob patterns are also
    #     supported.
    # @!attribute [rw] allowed_ips
    #   @return [::Array<::String>]
    #     Optional. Contains valid 32-bit IPv4 addresses and subnet ranges or RFC 4291 IPv6
    #     addresses and subnet ranges. Subnet ranges are specified using the
    #     '/' notation (e.g. 10.0.0.0/8, 2001:700:300:1800::/64). Glob patterns
    #     are supported only for ip address entries (i.e. not for subnet ranges).
    # @!attribute [rw] allow_globbing_dns_wildcards
    #   @return [::Boolean]
    #     Optional. Specifies if glob patterns used for {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::CertificateAuthorityPolicy::AllowedSubjectAltNames#allowed_dns_names allowed_dns_names} allows
    #     wildcard certificates.
    # @!attribute [rw] allow_custom_sans
    #   @return [::Boolean]
    #     Optional. Specifies if to allow custom X509Extension values.
    class AllowedSubjectAltNames
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods
    end

    # {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::CertificateAuthorityPolicy::IssuanceModes IssuanceModes} specifies the allowed ways in which
    # {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates} may be requested from this
    # {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}.
    # @!attribute [rw] allow_csr_based_issuance
    #   @return [::Boolean]
    #     Required. When true, allows callers to create {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates} by
    #     specifying a CSR.
    # @!attribute [rw] allow_config_based_issuance
    #   @return [::Boolean]
    #     Required. When true, allows callers to create {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates} by
    #     specifying a {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateConfig CertificateConfig}.
    class IssuanceModes
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods
    end
  end

  # URLs where a {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority} will publish content.
  # @!attribute [rw] ca_certificate_access_url
  #   @return [::String]
  #     The URL where this {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}'s CA certificate is
  #     published. This will only be set for CAs that have been activated.
  # @!attribute [rw] crl_access_url
  #   @return [::String]
  #     The URL where this {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}'s CRLs are published. This
  #     will only be set for CAs that have been activated.
  class AccessUrls
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # A Cloud KMS key configuration that a {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority} will use.
  # @!attribute [rw] cloud_kms_key_version
  #   @return [::String]
  #     Required. The resource name for an existing Cloud KMS CryptoKeyVersion in the
  #     format
  #     `projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*`.
  #     This option enables full flexibility in the key's capabilities and
  #     properties.
  # @!attribute [rw] algorithm
  #   @return [::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::SignHashAlgorithm]
  #     Required. The algorithm to use for creating a managed Cloud KMS key for a for a
  #     simplified experience. All managed keys will be have their
  #     [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] as `HSM`.
  class KeyVersionSpec
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # @!attribute [rw] key
  #   @return [::String]
  # @!attribute [rw] value
  #   @return [::String]
  class LabelsEntry
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # The type of a {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}, indicating its issuing chain.
  module Type
    # Not specified.
    TYPE_UNSPECIFIED = 0

    # Self-signed CA.
    SELF_SIGNED = 1

    # Subordinate CA. Could be issued by a Private CA {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}
    # or an unmanaged CA.
    SUBORDINATE = 2
  end

  # The tier of a {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}, indicating its supported
  # functionality and/or billing SKU.
  module Tier
    # Not specified.
    TIER_UNSPECIFIED = 0

    # Enterprise tier.
    ENTERPRISE = 1

    # DevOps tier.
    DEVOPS = 2
  end

  # The state of a {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}, indicating if it can be used.
  module State
    # Not specified.
    STATE_UNSPECIFIED = 0

    # Certificates can be issued from this CA. CRLs will be generated for this
    # CA.
    ENABLED = 1

    # Certificates cannot be issued from this CA. CRLs will still be generated.
    DISABLED = 2

    # Certificates cannot be issued from this CA. CRLs will not be generated.
    PENDING_ACTIVATION = 3

    # Certificates cannot be issued from this CA. CRLs will not be generated.
    PENDING_DELETION = 4
  end

  # The algorithm of a Cloud KMS CryptoKeyVersion of a
  # [CryptoKey][google.cloud.kms.v1.CryptoKey] with the
  # [CryptoKeyPurpose][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose] value
  # `ASYMMETRIC_SIGN`. These values correspond to the
  # [CryptoKeyVersionAlgorithm][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm]
  # values. For RSA signing algorithms, the PSS algorithms should be preferred,
  # use PKCS1 algorithms if required for compatibility. For further
  # recommandations, see
  # https://cloud.google.com/kms/docs/algorithms#algorithm_recommendations.
  module SignHashAlgorithm
    # Not specified.
    SIGN_HASH_ALGORITHM_UNSPECIFIED = 0

    # maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PSS_2048_SHA256
    RSA_PSS_2048_SHA256 = 1

    # maps to CryptoKeyVersionAlgorithm. RSA_SIGN_PSS_3072_SHA256
    RSA_PSS_3072_SHA256 = 2

    # maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PSS_4096_SHA256
    RSA_PSS_4096_SHA256 = 3

    # maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_2048_SHA256
    RSA_PKCS1_2048_SHA256 = 6

    # maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_3072_SHA256
    RSA_PKCS1_3072_SHA256 = 7

    # maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_4096_SHA256
    RSA_PKCS1_4096_SHA256 = 8

    # maps to CryptoKeyVersionAlgorithm.EC_SIGN_P256_SHA256
    EC_P256_SHA256 = 4

    # maps to CryptoKeyVersionAlgorithm.EC_SIGN_P384_SHA384
    EC_P384_SHA384 = 5
  end
end

#delete_time ⇒ ::Google::Protobuf::Timestamp (readonly)

Returns Output only. The time at which this CertificateAuthority will be deleted, if scheduled for deletion.

Returns:

• (::Google::Protobuf::Timestamp) —

  Output only. The time at which this CertificateAuthority will be deleted, if scheduled for deletion.

# File 'proto_docs/google/cloud/security/privateca/v1beta1/resources.rb', line 102

class CertificateAuthority
  include ::Google::Protobuf::MessageExts
  extend ::Google::Protobuf::MessageExts::ClassMethods

  # Options that affect all certificates issued by a {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}.
  # @!attribute [rw] include_ca_cert_url
  #   @return [::Boolean]
  #     Required. When true, includes a URL to the issuing CA certificate in the
  #     "authority information access" X.509 extension.
  # @!attribute [rw] include_crl_access_url
  #   @return [::Boolean]
  #     Required. When true, includes a URL to the CRL corresponding to certificates
  #     issued from a {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}.
  #     CRLs will expire 7 days from their creation. However, we will rebuild
  #     daily. CRLs are also rebuilt shortly after a certificate is revoked.
  class IssuingOptions
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # The issuing policy for a {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}.
  # {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates} will not be successfully issued from this
  # {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority} if they violate the policy.
  # @!attribute [rw] allowed_config_list
  #   @return [::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::CertificateAuthorityPolicy::AllowedConfigList]
  #     Optional. All {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates} issued by the {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}
  #     must match at least one listed {::Google::Cloud::Security::PrivateCA::V1beta1::ReusableConfigWrapper ReusableConfigWrapper} in the list.
  # @!attribute [rw] overwrite_config_values
  #   @return [::Google::Cloud::Security::PrivateCA::V1beta1::ReusableConfigWrapper]
  #     Optional. All {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates} issued by the {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}
  #     will use the provided configuration values, overwriting any requested
  #     configuration values.
  # @!attribute [rw] allowed_locations_and_organizations
  #   @return [::Array<::Google::Cloud::Security::PrivateCA::V1beta1::Subject>]
  #     Optional. If any {::Google::Cloud::Security::PrivateCA::V1beta1::Subject Subject} is specified here, then all
  #     {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates} issued by the {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority} must
  #     match at least one listed {::Google::Cloud::Security::PrivateCA::V1beta1::Subject Subject}. If a {::Google::Cloud::Security::PrivateCA::V1beta1::Subject Subject} has an empty
  #     field, any value will be allowed for that field.
  # @!attribute [rw] allowed_common_names
  #   @return [::Array<::String>]
  #     Optional. If any value is specified here, then all
  #     {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates} issued by the {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority} must
  #     match at least one listed value. If no value is specified, all values
  #     will be allowed for this fied. Glob patterns are also supported.
  # @!attribute [rw] allowed_sans
  #   @return [::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::CertificateAuthorityPolicy::AllowedSubjectAltNames]
  #     Optional. If a {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::CertificateAuthorityPolicy::AllowedSubjectAltNames AllowedSubjectAltNames} is specified here, then all
  #     {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates} issued by the {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority} must
  #     match {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::CertificateAuthorityPolicy::AllowedSubjectAltNames AllowedSubjectAltNames}. If no value or an empty value
  #     is specified, any value will be allowed for the {::Google::Cloud::Security::PrivateCA::V1beta1::SubjectAltNames SubjectAltNames}
  #     field.
  # @!attribute [rw] maximum_lifetime
  #   @return [::Google::Protobuf::Duration]
  #     Optional. The maximum lifetime allowed by the {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}. Note that
  #     if the any part if the issuing chain expires before a {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificate}'s
  #     requested maximum_lifetime, the effective lifetime will be explicitly
  #     truncated.
  # @!attribute [rw] allowed_issuance_modes
  #   @return [::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::CertificateAuthorityPolicy::IssuanceModes]
  #     Optional. If specified, then only methods allowed in the {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::CertificateAuthorityPolicy::IssuanceModes IssuanceModes} may be
  #     used to issue {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates}.
  class CertificateAuthorityPolicy
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods

    # @!attribute [rw] allowed_config_values
    #   @return [::Array<::Google::Cloud::Security::PrivateCA::V1beta1::ReusableConfigWrapper>]
    #     Required. All {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates} issued by the {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}
    #     must match at least one listed {::Google::Cloud::Security::PrivateCA::V1beta1::ReusableConfigWrapper ReusableConfigWrapper}. If a
    #     {::Google::Cloud::Security::PrivateCA::V1beta1::ReusableConfigWrapper ReusableConfigWrapper} has an empty field, any value will be
    #     allowed for that field.
    class AllowedConfigList
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods
    end

    # {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::CertificateAuthorityPolicy::AllowedSubjectAltNames AllowedSubjectAltNames} specifies the allowed values for
    # {::Google::Cloud::Security::PrivateCA::V1beta1::SubjectAltNames SubjectAltNames} by the {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority} when issuing
    # {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates}.
    # @!attribute [rw] allowed_dns_names
    #   @return [::Array<::String>]
    #     Optional. Contains valid, fully-qualified host names. Glob patterns are also
    #     supported. To allow an explicit wildcard certificate, escape with
    #     backlash (i.e. `\*`).
    #     E.g. for globbed entries: `*bar.com` will allow `foo.bar.com`, but not
    #     `*.bar.com`, unless the {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::CertificateAuthorityPolicy::AllowedSubjectAltNames#allow_globbing_dns_wildcards allow_globbing_dns_wildcards} field is set.
    #     E.g. for wildcard entries: `\*.bar.com` will allow `*.bar.com`, but not
    #     `foo.bar.com`.
    # @!attribute [rw] allowed_uris
    #   @return [::Array<::String>]
    #     Optional. Contains valid RFC 3986 URIs. Glob patterns are also supported. To
    #     match across path seperators (i.e. '/') use the double star glob
    #     pattern (i.e. '**').
    # @!attribute [rw] allowed_email_addresses
    #   @return [::Array<::String>]
    #     Optional. Contains valid RFC 2822 E-mail addresses. Glob patterns are also
    #     supported.
    # @!attribute [rw] allowed_ips
    #   @return [::Array<::String>]
    #     Optional. Contains valid 32-bit IPv4 addresses and subnet ranges or RFC 4291 IPv6
    #     addresses and subnet ranges. Subnet ranges are specified using the
    #     '/' notation (e.g. 10.0.0.0/8, 2001:700:300:1800::/64). Glob patterns
    #     are supported only for ip address entries (i.e. not for subnet ranges).
    # @!attribute [rw] allow_globbing_dns_wildcards
    #   @return [::Boolean]
    #     Optional. Specifies if glob patterns used for {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::CertificateAuthorityPolicy::AllowedSubjectAltNames#allowed_dns_names allowed_dns_names} allows
    #     wildcard certificates.
    # @!attribute [rw] allow_custom_sans
    #   @return [::Boolean]
    #     Optional. Specifies if to allow custom X509Extension values.
    class AllowedSubjectAltNames
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods
    end

    # {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::CertificateAuthorityPolicy::IssuanceModes IssuanceModes} specifies the allowed ways in which
    # {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates} may be requested from this
    # {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}.
    # @!attribute [rw] allow_csr_based_issuance
    #   @return [::Boolean]
    #     Required. When true, allows callers to create {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates} by
    #     specifying a CSR.
    # @!attribute [rw] allow_config_based_issuance
    #   @return [::Boolean]
    #     Required. When true, allows callers to create {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates} by
    #     specifying a {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateConfig CertificateConfig}.
    class IssuanceModes
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods
    end
  end

  # URLs where a {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority} will publish content.
  # @!attribute [rw] ca_certificate_access_url
  #   @return [::String]
  #     The URL where this {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}'s CA certificate is
  #     published. This will only be set for CAs that have been activated.
  # @!attribute [rw] crl_access_url
  #   @return [::String]
  #     The URL where this {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}'s CRLs are published. This
  #     will only be set for CAs that have been activated.
  class AccessUrls
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # A Cloud KMS key configuration that a {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority} will use.
  # @!attribute [rw] cloud_kms_key_version
  #   @return [::String]
  #     Required. The resource name for an existing Cloud KMS CryptoKeyVersion in the
  #     format
  #     `projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*`.
  #     This option enables full flexibility in the key's capabilities and
  #     properties.
  # @!attribute [rw] algorithm
  #   @return [::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::SignHashAlgorithm]
  #     Required. The algorithm to use for creating a managed Cloud KMS key for a for a
  #     simplified experience. All managed keys will be have their
  #     [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] as `HSM`.
  class KeyVersionSpec
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # @!attribute [rw] key
  #   @return [::String]
  # @!attribute [rw] value
  #   @return [::String]
  class LabelsEntry
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # The type of a {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}, indicating its issuing chain.
  module Type
    # Not specified.
    TYPE_UNSPECIFIED = 0

    # Self-signed CA.
    SELF_SIGNED = 1

    # Subordinate CA. Could be issued by a Private CA {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}
    # or an unmanaged CA.
    SUBORDINATE = 2
  end

  # The tier of a {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}, indicating its supported
  # functionality and/or billing SKU.
  module Tier
    # Not specified.
    TIER_UNSPECIFIED = 0

    # Enterprise tier.
    ENTERPRISE = 1

    # DevOps tier.
    DEVOPS = 2
  end

  # The state of a {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}, indicating if it can be used.
  module State
    # Not specified.
    STATE_UNSPECIFIED = 0

    # Certificates can be issued from this CA. CRLs will be generated for this
    # CA.
    ENABLED = 1

    # Certificates cannot be issued from this CA. CRLs will still be generated.
    DISABLED = 2

    # Certificates cannot be issued from this CA. CRLs will not be generated.
    PENDING_ACTIVATION = 3

    # Certificates cannot be issued from this CA. CRLs will not be generated.
    PENDING_DELETION = 4
  end

  # The algorithm of a Cloud KMS CryptoKeyVersion of a
  # [CryptoKey][google.cloud.kms.v1.CryptoKey] with the
  # [CryptoKeyPurpose][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose] value
  # `ASYMMETRIC_SIGN`. These values correspond to the
  # [CryptoKeyVersionAlgorithm][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm]
  # values. For RSA signing algorithms, the PSS algorithms should be preferred,
  # use PKCS1 algorithms if required for compatibility. For further
  # recommandations, see
  # https://cloud.google.com/kms/docs/algorithms#algorithm_recommendations.
  module SignHashAlgorithm
    # Not specified.
    SIGN_HASH_ALGORITHM_UNSPECIFIED = 0

    # maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PSS_2048_SHA256
    RSA_PSS_2048_SHA256 = 1

    # maps to CryptoKeyVersionAlgorithm. RSA_SIGN_PSS_3072_SHA256
    RSA_PSS_3072_SHA256 = 2

    # maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PSS_4096_SHA256
    RSA_PSS_4096_SHA256 = 3

    # maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_2048_SHA256
    RSA_PKCS1_2048_SHA256 = 6

    # maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_3072_SHA256
    RSA_PKCS1_3072_SHA256 = 7

    # maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_4096_SHA256
    RSA_PKCS1_4096_SHA256 = 8

    # maps to CryptoKeyVersionAlgorithm.EC_SIGN_P256_SHA256
    EC_P256_SHA256 = 4

    # maps to CryptoKeyVersionAlgorithm.EC_SIGN_P384_SHA384
    EC_P384_SHA384 = 5
  end
end

#gcs_bucket ⇒ ::String

Returns Immutable. The name of a Cloud Storage bucket where this CertificateAuthority will publish content, such as the CA certificate and CRLs. This must be a bucket name, without any prefixes (such as gs://) or suffixes (such as .googleapis.com). For example, to use a bucket named my-bucket, you would simply specify my-bucket. If not specified, a managed bucket will be created.

Returns:

• (::String) —

  Immutable. The name of a Cloud Storage bucket where this CertificateAuthority will publish content, such as the CA certificate and CRLs. This must be a bucket name, without any prefixes (such as gs://) or suffixes (such as .googleapis.com). For example, to use a bucket named my-bucket, you would simply specify my-bucket. If not specified, a managed bucket will be created.

# File 'proto_docs/google/cloud/security/privateca/v1beta1/resources.rb', line 102

class CertificateAuthority
  include ::Google::Protobuf::MessageExts
  extend ::Google::Protobuf::MessageExts::ClassMethods

  # Options that affect all certificates issued by a {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}.
  # @!attribute [rw] include_ca_cert_url
  #   @return [::Boolean]
  #     Required. When true, includes a URL to the issuing CA certificate in the
  #     "authority information access" X.509 extension.
  # @!attribute [rw] include_crl_access_url
  #   @return [::Boolean]
  #     Required. When true, includes a URL to the CRL corresponding to certificates
  #     issued from a {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}.
  #     CRLs will expire 7 days from their creation. However, we will rebuild
  #     daily. CRLs are also rebuilt shortly after a certificate is revoked.
  class IssuingOptions
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # The issuing policy for a {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}.
  # {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates} will not be successfully issued from this
  # {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority} if they violate the policy.
  # @!attribute [rw] allowed_config_list
  #   @return [::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::CertificateAuthorityPolicy::AllowedConfigList]
  #     Optional. All {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates} issued by the {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}
  #     must match at least one listed {::Google::Cloud::Security::PrivateCA::V1beta1::ReusableConfigWrapper ReusableConfigWrapper} in the list.
  # @!attribute [rw] overwrite_config_values
  #   @return [::Google::Cloud::Security::PrivateCA::V1beta1::ReusableConfigWrapper]
  #     Optional. All {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates} issued by the {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}
  #     will use the provided configuration values, overwriting any requested
  #     configuration values.
  # @!attribute [rw] allowed_locations_and_organizations
  #   @return [::Array<::Google::Cloud::Security::PrivateCA::V1beta1::Subject>]
  #     Optional. If any {::Google::Cloud::Security::PrivateCA::V1beta1::Subject Subject} is specified here, then all
  #     {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates} issued by the {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority} must
  #     match at least one listed {::Google::Cloud::Security::PrivateCA::V1beta1::Subject Subject}. If a {::Google::Cloud::Security::PrivateCA::V1beta1::Subject Subject} has an empty
  #     field, any value will be allowed for that field.
  # @!attribute [rw] allowed_common_names
  #   @return [::Array<::String>]
  #     Optional. If any value is specified here, then all
  #     {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates} issued by the {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority} must
  #     match at least one listed value. If no value is specified, all values
  #     will be allowed for this fied. Glob patterns are also supported.
  # @!attribute [rw] allowed_sans
  #   @return [::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::CertificateAuthorityPolicy::AllowedSubjectAltNames]
  #     Optional. If a {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::CertificateAuthorityPolicy::AllowedSubjectAltNames AllowedSubjectAltNames} is specified here, then all
  #     {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates} issued by the {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority} must
  #     match {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::CertificateAuthorityPolicy::AllowedSubjectAltNames AllowedSubjectAltNames}. If no value or an empty value
  #     is specified, any value will be allowed for the {::Google::Cloud::Security::PrivateCA::V1beta1::SubjectAltNames SubjectAltNames}
  #     field.
  # @!attribute [rw] maximum_lifetime
  #   @return [::Google::Protobuf::Duration]
  #     Optional. The maximum lifetime allowed by the {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}. Note that
  #     if the any part if the issuing chain expires before a {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificate}'s
  #     requested maximum_lifetime, the effective lifetime will be explicitly
  #     truncated.
  # @!attribute [rw] allowed_issuance_modes
  #   @return [::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::CertificateAuthorityPolicy::IssuanceModes]
  #     Optional. If specified, then only methods allowed in the {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::CertificateAuthorityPolicy::IssuanceModes IssuanceModes} may be
  #     used to issue {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates}.
  class CertificateAuthorityPolicy
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods

    # @!attribute [rw] allowed_config_values
    #   @return [::Array<::Google::Cloud::Security::PrivateCA::V1beta1::ReusableConfigWrapper>]
    #     Required. All {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates} issued by the {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}
    #     must match at least one listed {::Google::Cloud::Security::PrivateCA::V1beta1::ReusableConfigWrapper ReusableConfigWrapper}. If a
    #     {::Google::Cloud::Security::PrivateCA::V1beta1::ReusableConfigWrapper ReusableConfigWrapper} has an empty field, any value will be
    #     allowed for that field.
    class AllowedConfigList
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods
    end

    # {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::CertificateAuthorityPolicy::AllowedSubjectAltNames AllowedSubjectAltNames} specifies the allowed values for
    # {::Google::Cloud::Security::PrivateCA::V1beta1::SubjectAltNames SubjectAltNames} by the {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority} when issuing
    # {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates}.
    # @!attribute [rw] allowed_dns_names
    #   @return [::Array<::String>]
    #     Optional. Contains valid, fully-qualified host names. Glob patterns are also
    #     supported. To allow an explicit wildcard certificate, escape with
    #     backlash (i.e. `\*`).
    #     E.g. for globbed entries: `*bar.com` will allow `foo.bar.com`, but not
    #     `*.bar.com`, unless the {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::CertificateAuthorityPolicy::AllowedSubjectAltNames#allow_globbing_dns_wildcards allow_globbing_dns_wildcards} field is set.
    #     E.g. for wildcard entries: `\*.bar.com` will allow `*.bar.com`, but not
    #     `foo.bar.com`.
    # @!attribute [rw] allowed_uris
    #   @return [::Array<::String>]
    #     Optional. Contains valid RFC 3986 URIs. Glob patterns are also supported. To
    #     match across path seperators (i.e. '/') use the double star glob
    #     pattern (i.e. '**').
    # @!attribute [rw] allowed_email_addresses
    #   @return [::Array<::String>]
    #     Optional. Contains valid RFC 2822 E-mail addresses. Glob patterns are also
    #     supported.
    # @!attribute [rw] allowed_ips
    #   @return [::Array<::String>]
    #     Optional. Contains valid 32-bit IPv4 addresses and subnet ranges or RFC 4291 IPv6
    #     addresses and subnet ranges. Subnet ranges are specified using the
    #     '/' notation (e.g. 10.0.0.0/8, 2001:700:300:1800::/64). Glob patterns
    #     are supported only for ip address entries (i.e. not for subnet ranges).
    # @!attribute [rw] allow_globbing_dns_wildcards
    #   @return [::Boolean]
    #     Optional. Specifies if glob patterns used for {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::CertificateAuthorityPolicy::AllowedSubjectAltNames#allowed_dns_names allowed_dns_names} allows
    #     wildcard certificates.
    # @!attribute [rw] allow_custom_sans
    #   @return [::Boolean]
    #     Optional. Specifies if to allow custom X509Extension values.
    class AllowedSubjectAltNames
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods
    end

    # {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::CertificateAuthorityPolicy::IssuanceModes IssuanceModes} specifies the allowed ways in which
    # {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates} may be requested from this
    # {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}.
    # @!attribute [rw] allow_csr_based_issuance
    #   @return [::Boolean]
    #     Required. When true, allows callers to create {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates} by
    #     specifying a CSR.
    # @!attribute [rw] allow_config_based_issuance
    #   @return [::Boolean]
    #     Required. When true, allows callers to create {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates} by
    #     specifying a {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateConfig CertificateConfig}.
    class IssuanceModes
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods
    end
  end

  # URLs where a {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority} will publish content.
  # @!attribute [rw] ca_certificate_access_url
  #   @return [::String]
  #     The URL where this {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}'s CA certificate is
  #     published. This will only be set for CAs that have been activated.
  # @!attribute [rw] crl_access_url
  #   @return [::String]
  #     The URL where this {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}'s CRLs are published. This
  #     will only be set for CAs that have been activated.
  class AccessUrls
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # A Cloud KMS key configuration that a {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority} will use.
  # @!attribute [rw] cloud_kms_key_version
  #   @return [::String]
  #     Required. The resource name for an existing Cloud KMS CryptoKeyVersion in the
  #     format
  #     `projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*`.
  #     This option enables full flexibility in the key's capabilities and
  #     properties.
  # @!attribute [rw] algorithm
  #   @return [::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::SignHashAlgorithm]
  #     Required. The algorithm to use for creating a managed Cloud KMS key for a for a
  #     simplified experience. All managed keys will be have their
  #     [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] as `HSM`.
  class KeyVersionSpec
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # @!attribute [rw] key
  #   @return [::String]
  # @!attribute [rw] value
  #   @return [::String]
  class LabelsEntry
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # The type of a {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}, indicating its issuing chain.
  module Type
    # Not specified.
    TYPE_UNSPECIFIED = 0

    # Self-signed CA.
    SELF_SIGNED = 1

    # Subordinate CA. Could be issued by a Private CA {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}
    # or an unmanaged CA.
    SUBORDINATE = 2
  end

  # The tier of a {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}, indicating its supported
  # functionality and/or billing SKU.
  module Tier
    # Not specified.
    TIER_UNSPECIFIED = 0

    # Enterprise tier.
    ENTERPRISE = 1

    # DevOps tier.
    DEVOPS = 2
  end

  # The state of a {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}, indicating if it can be used.
  module State
    # Not specified.
    STATE_UNSPECIFIED = 0

    # Certificates can be issued from this CA. CRLs will be generated for this
    # CA.
    ENABLED = 1

    # Certificates cannot be issued from this CA. CRLs will still be generated.
    DISABLED = 2

    # Certificates cannot be issued from this CA. CRLs will not be generated.
    PENDING_ACTIVATION = 3

    # Certificates cannot be issued from this CA. CRLs will not be generated.
    PENDING_DELETION = 4
  end

  # The algorithm of a Cloud KMS CryptoKeyVersion of a
  # [CryptoKey][google.cloud.kms.v1.CryptoKey] with the
  # [CryptoKeyPurpose][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose] value
  # `ASYMMETRIC_SIGN`. These values correspond to the
  # [CryptoKeyVersionAlgorithm][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm]
  # values. For RSA signing algorithms, the PSS algorithms should be preferred,
  # use PKCS1 algorithms if required for compatibility. For further
  # recommandations, see
  # https://cloud.google.com/kms/docs/algorithms#algorithm_recommendations.
  module SignHashAlgorithm
    # Not specified.
    SIGN_HASH_ALGORITHM_UNSPECIFIED = 0

    # maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PSS_2048_SHA256
    RSA_PSS_2048_SHA256 = 1

    # maps to CryptoKeyVersionAlgorithm. RSA_SIGN_PSS_3072_SHA256
    RSA_PSS_3072_SHA256 = 2

    # maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PSS_4096_SHA256
    RSA_PSS_4096_SHA256 = 3

    # maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_2048_SHA256
    RSA_PKCS1_2048_SHA256 = 6

    # maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_3072_SHA256
    RSA_PKCS1_3072_SHA256 = 7

    # maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_4096_SHA256
    RSA_PKCS1_4096_SHA256 = 8

    # maps to CryptoKeyVersionAlgorithm.EC_SIGN_P256_SHA256
    EC_P256_SHA256 = 4

    # maps to CryptoKeyVersionAlgorithm.EC_SIGN_P384_SHA384
    EC_P384_SHA384 = 5
  end
end

#issuing_options ⇒ ::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::IssuingOptions

Returns Optional. The IssuingOptions to follow when issuing Certificates from this CertificateAuthority.

Returns:

• (::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::IssuingOptions) —

  Optional. The IssuingOptions to follow when issuing Certificates from this CertificateAuthority.

# File 'proto_docs/google/cloud/security/privateca/v1beta1/resources.rb', line 102

class CertificateAuthority
  include ::Google::Protobuf::MessageExts
  extend ::Google::Protobuf::MessageExts::ClassMethods

  # Options that affect all certificates issued by a {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}.
  # @!attribute [rw] include_ca_cert_url
  #   @return [::Boolean]
  #     Required. When true, includes a URL to the issuing CA certificate in the
  #     "authority information access" X.509 extension.
  # @!attribute [rw] include_crl_access_url
  #   @return [::Boolean]
  #     Required. When true, includes a URL to the CRL corresponding to certificates
  #     issued from a {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}.
  #     CRLs will expire 7 days from their creation. However, we will rebuild
  #     daily. CRLs are also rebuilt shortly after a certificate is revoked.
  class IssuingOptions
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # The issuing policy for a {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}.
  # {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates} will not be successfully issued from this
  # {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority} if they violate the policy.
  # @!attribute [rw] allowed_config_list
  #   @return [::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::CertificateAuthorityPolicy::AllowedConfigList]
  #     Optional. All {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates} issued by the {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}
  #     must match at least one listed {::Google::Cloud::Security::PrivateCA::V1beta1::ReusableConfigWrapper ReusableConfigWrapper} in the list.
  # @!attribute [rw] overwrite_config_values
  #   @return [::Google::Cloud::Security::PrivateCA::V1beta1::ReusableConfigWrapper]
  #     Optional. All {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates} issued by the {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}
  #     will use the provided configuration values, overwriting any requested
  #     configuration values.
  # @!attribute [rw] allowed_locations_and_organizations
  #   @return [::Array<::Google::Cloud::Security::PrivateCA::V1beta1::Subject>]
  #     Optional. If any {::Google::Cloud::Security::PrivateCA::V1beta1::Subject Subject} is specified here, then all
  #     {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates} issued by the {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority} must
  #     match at least one listed {::Google::Cloud::Security::PrivateCA::V1beta1::Subject Subject}. If a {::Google::Cloud::Security::PrivateCA::V1beta1::Subject Subject} has an empty
  #     field, any value will be allowed for that field.
  # @!attribute [rw] allowed_common_names
  #   @return [::Array<::String>]
  #     Optional. If any value is specified here, then all
  #     {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates} issued by the {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority} must
  #     match at least one listed value. If no value is specified, all values
  #     will be allowed for this fied. Glob patterns are also supported.
  # @!attribute [rw] allowed_sans
  #   @return [::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::CertificateAuthorityPolicy::AllowedSubjectAltNames]
  #     Optional. If a {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::CertificateAuthorityPolicy::AllowedSubjectAltNames AllowedSubjectAltNames} is specified here, then all
  #     {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates} issued by the {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority} must
  #     match {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::CertificateAuthorityPolicy::AllowedSubjectAltNames AllowedSubjectAltNames}. If no value or an empty value
  #     is specified, any value will be allowed for the {::Google::Cloud::Security::PrivateCA::V1beta1::SubjectAltNames SubjectAltNames}
  #     field.
  # @!attribute [rw] maximum_lifetime
  #   @return [::Google::Protobuf::Duration]
  #     Optional. The maximum lifetime allowed by the {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}. Note that
  #     if the any part if the issuing chain expires before a {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificate}'s
  #     requested maximum_lifetime, the effective lifetime will be explicitly
  #     truncated.
  # @!attribute [rw] allowed_issuance_modes
  #   @return [::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::CertificateAuthorityPolicy::IssuanceModes]
  #     Optional. If specified, then only methods allowed in the {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::CertificateAuthorityPolicy::IssuanceModes IssuanceModes} may be
  #     used to issue {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates}.
  class CertificateAuthorityPolicy
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods

    # @!attribute [rw] allowed_config_values
    #   @return [::Array<::Google::Cloud::Security::PrivateCA::V1beta1::ReusableConfigWrapper>]
    #     Required. All {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates} issued by the {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}
    #     must match at least one listed {::Google::Cloud::Security::PrivateCA::V1beta1::ReusableConfigWrapper ReusableConfigWrapper}. If a
    #     {::Google::Cloud::Security::PrivateCA::V1beta1::ReusableConfigWrapper ReusableConfigWrapper} has an empty field, any value will be
    #     allowed for that field.
    class AllowedConfigList
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods
    end

    # {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::CertificateAuthorityPolicy::AllowedSubjectAltNames AllowedSubjectAltNames} specifies the allowed values for
    # {::Google::Cloud::Security::PrivateCA::V1beta1::SubjectAltNames SubjectAltNames} by the {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority} when issuing
    # {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates}.
    # @!attribute [rw] allowed_dns_names
    #   @return [::Array<::String>]
    #     Optional. Contains valid, fully-qualified host names. Glob patterns are also
    #     supported. To allow an explicit wildcard certificate, escape with
    #     backlash (i.e. `\*`).
    #     E.g. for globbed entries: `*bar.com` will allow `foo.bar.com`, but not
    #     `*.bar.com`, unless the {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::CertificateAuthorityPolicy::AllowedSubjectAltNames#allow_globbing_dns_wildcards allow_globbing_dns_wildcards} field is set.
    #     E.g. for wildcard entries: `\*.bar.com` will allow `*.bar.com`, but not
    #     `foo.bar.com`.
    # @!attribute [rw] allowed_uris
    #   @return [::Array<::String>]
    #     Optional. Contains valid RFC 3986 URIs. Glob patterns are also supported. To
    #     match across path seperators (i.e. '/') use the double star glob
    #     pattern (i.e. '**').
    # @!attribute [rw] allowed_email_addresses
    #   @return [::Array<::String>]
    #     Optional. Contains valid RFC 2822 E-mail addresses. Glob patterns are also
    #     supported.
    # @!attribute [rw] allowed_ips
    #   @return [::Array<::String>]
    #     Optional. Contains valid 32-bit IPv4 addresses and subnet ranges or RFC 4291 IPv6
    #     addresses and subnet ranges. Subnet ranges are specified using the
    #     '/' notation (e.g. 10.0.0.0/8, 2001:700:300:1800::/64). Glob patterns
    #     are supported only for ip address entries (i.e. not for subnet ranges).
    # @!attribute [rw] allow_globbing_dns_wildcards
    #   @return [::Boolean]
    #     Optional. Specifies if glob patterns used for {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::CertificateAuthorityPolicy::AllowedSubjectAltNames#allowed_dns_names allowed_dns_names} allows
    #     wildcard certificates.
    # @!attribute [rw] allow_custom_sans
    #   @return [::Boolean]
    #     Optional. Specifies if to allow custom X509Extension values.
    class AllowedSubjectAltNames
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods
    end

    # {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::CertificateAuthorityPolicy::IssuanceModes IssuanceModes} specifies the allowed ways in which
    # {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates} may be requested from this
    # {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}.
    # @!attribute [rw] allow_csr_based_issuance
    #   @return [::Boolean]
    #     Required. When true, allows callers to create {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates} by
    #     specifying a CSR.
    # @!attribute [rw] allow_config_based_issuance
    #   @return [::Boolean]
    #     Required. When true, allows callers to create {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates} by
    #     specifying a {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateConfig CertificateConfig}.
    class IssuanceModes
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods
    end
  end

  # URLs where a {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority} will publish content.
  # @!attribute [rw] ca_certificate_access_url
  #   @return [::String]
  #     The URL where this {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}'s CA certificate is
  #     published. This will only be set for CAs that have been activated.
  # @!attribute [rw] crl_access_url
  #   @return [::String]
  #     The URL where this {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}'s CRLs are published. This
  #     will only be set for CAs that have been activated.
  class AccessUrls
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # A Cloud KMS key configuration that a {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority} will use.
  # @!attribute [rw] cloud_kms_key_version
  #   @return [::String]
  #     Required. The resource name for an existing Cloud KMS CryptoKeyVersion in the
  #     format
  #     `projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*`.
  #     This option enables full flexibility in the key's capabilities and
  #     properties.
  # @!attribute [rw] algorithm
  #   @return [::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::SignHashAlgorithm]
  #     Required. The algorithm to use for creating a managed Cloud KMS key for a for a
  #     simplified experience. All managed keys will be have their
  #     [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] as `HSM`.
  class KeyVersionSpec
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # @!attribute [rw] key
  #   @return [::String]
  # @!attribute [rw] value
  #   @return [::String]
  class LabelsEntry
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # The type of a {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}, indicating its issuing chain.
  module Type
    # Not specified.
    TYPE_UNSPECIFIED = 0

    # Self-signed CA.
    SELF_SIGNED = 1

    # Subordinate CA. Could be issued by a Private CA {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}
    # or an unmanaged CA.
    SUBORDINATE = 2
  end

  # The tier of a {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}, indicating its supported
  # functionality and/or billing SKU.
  module Tier
    # Not specified.
    TIER_UNSPECIFIED = 0

    # Enterprise tier.
    ENTERPRISE = 1

    # DevOps tier.
    DEVOPS = 2
  end

  # The state of a {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}, indicating if it can be used.
  module State
    # Not specified.
    STATE_UNSPECIFIED = 0

    # Certificates can be issued from this CA. CRLs will be generated for this
    # CA.
    ENABLED = 1

    # Certificates cannot be issued from this CA. CRLs will still be generated.
    DISABLED = 2

    # Certificates cannot be issued from this CA. CRLs will not be generated.
    PENDING_ACTIVATION = 3

    # Certificates cannot be issued from this CA. CRLs will not be generated.
    PENDING_DELETION = 4
  end

  # The algorithm of a Cloud KMS CryptoKeyVersion of a
  # [CryptoKey][google.cloud.kms.v1.CryptoKey] with the
  # [CryptoKeyPurpose][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose] value
  # `ASYMMETRIC_SIGN`. These values correspond to the
  # [CryptoKeyVersionAlgorithm][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm]
  # values. For RSA signing algorithms, the PSS algorithms should be preferred,
  # use PKCS1 algorithms if required for compatibility. For further
  # recommandations, see
  # https://cloud.google.com/kms/docs/algorithms#algorithm_recommendations.
  module SignHashAlgorithm
    # Not specified.
    SIGN_HASH_ALGORITHM_UNSPECIFIED = 0

    # maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PSS_2048_SHA256
    RSA_PSS_2048_SHA256 = 1

    # maps to CryptoKeyVersionAlgorithm. RSA_SIGN_PSS_3072_SHA256
    RSA_PSS_3072_SHA256 = 2

    # maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PSS_4096_SHA256
    RSA_PSS_4096_SHA256 = 3

    # maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_2048_SHA256
    RSA_PKCS1_2048_SHA256 = 6

    # maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_3072_SHA256
    RSA_PKCS1_3072_SHA256 = 7

    # maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_4096_SHA256
    RSA_PKCS1_4096_SHA256 = 8

    # maps to CryptoKeyVersionAlgorithm.EC_SIGN_P256_SHA256
    EC_P256_SHA256 = 4

    # maps to CryptoKeyVersionAlgorithm.EC_SIGN_P384_SHA384
    EC_P384_SHA384 = 5
  end
end

#key_spec ⇒ ::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::KeyVersionSpec

Returns Required. Immutable. Used when issuing certificates for this CertificateAuthority. If this CertificateAuthority is a self-signed CertificateAuthority, this key is also used to sign the self-signed CA certificate. Otherwise, it is used to sign a CSR.

Returns:

• (::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::KeyVersionSpec) —

  Required. Immutable. Used when issuing certificates for this CertificateAuthority. If this CertificateAuthority is a self-signed CertificateAuthority, this key is also used to sign the self-signed CA certificate. Otherwise, it is used to sign a CSR.

# File 'proto_docs/google/cloud/security/privateca/v1beta1/resources.rb', line 102

class CertificateAuthority
  include ::Google::Protobuf::MessageExts
  extend ::Google::Protobuf::MessageExts::ClassMethods

  # Options that affect all certificates issued by a {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}.
  # @!attribute [rw] include_ca_cert_url
  #   @return [::Boolean]
  #     Required. When true, includes a URL to the issuing CA certificate in the
  #     "authority information access" X.509 extension.
  # @!attribute [rw] include_crl_access_url
  #   @return [::Boolean]
  #     Required. When true, includes a URL to the CRL corresponding to certificates
  #     issued from a {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}.
  #     CRLs will expire 7 days from their creation. However, we will rebuild
  #     daily. CRLs are also rebuilt shortly after a certificate is revoked.
  class IssuingOptions
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # The issuing policy for a {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}.
  # {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates} will not be successfully issued from this
  # {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority} if they violate the policy.
  # @!attribute [rw] allowed_config_list
  #   @return [::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::CertificateAuthorityPolicy::AllowedConfigList]
  #     Optional. All {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates} issued by the {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}
  #     must match at least one listed {::Google::Cloud::Security::PrivateCA::V1beta1::ReusableConfigWrapper ReusableConfigWrapper} in the list.
  # @!attribute [rw] overwrite_config_values
  #   @return [::Google::Cloud::Security::PrivateCA::V1beta1::ReusableConfigWrapper]
  #     Optional. All {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates} issued by the {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}
  #     will use the provided configuration values, overwriting any requested
  #     configuration values.
  # @!attribute [rw] allowed_locations_and_organizations
  #   @return [::Array<::Google::Cloud::Security::PrivateCA::V1beta1::Subject>]
  #     Optional. If any {::Google::Cloud::Security::PrivateCA::V1beta1::Subject Subject} is specified here, then all
  #     {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates} issued by the {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority} must
  #     match at least one listed {::Google::Cloud::Security::PrivateCA::V1beta1::Subject Subject}. If a {::Google::Cloud::Security::PrivateCA::V1beta1::Subject Subject} has an empty
  #     field, any value will be allowed for that field.
  # @!attribute [rw] allowed_common_names
  #   @return [::Array<::String>]
  #     Optional. If any value is specified here, then all
  #     {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates} issued by the {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority} must
  #     match at least one listed value. If no value is specified, all values
  #     will be allowed for this fied. Glob patterns are also supported.
  # @!attribute [rw] allowed_sans
  #   @return [::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::CertificateAuthorityPolicy::AllowedSubjectAltNames]
  #     Optional. If a {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::CertificateAuthorityPolicy::AllowedSubjectAltNames AllowedSubjectAltNames} is specified here, then all
  #     {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates} issued by the {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority} must
  #     match {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::CertificateAuthorityPolicy::AllowedSubjectAltNames AllowedSubjectAltNames}. If no value or an empty value
  #     is specified, any value will be allowed for the {::Google::Cloud::Security::PrivateCA::V1beta1::SubjectAltNames SubjectAltNames}
  #     field.
  # @!attribute [rw] maximum_lifetime
  #   @return [::Google::Protobuf::Duration]
  #     Optional. The maximum lifetime allowed by the {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}. Note that
  #     if the any part if the issuing chain expires before a {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificate}'s
  #     requested maximum_lifetime, the effective lifetime will be explicitly
  #     truncated.
  # @!attribute [rw] allowed_issuance_modes
  #   @return [::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::CertificateAuthorityPolicy::IssuanceModes]
  #     Optional. If specified, then only methods allowed in the {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::CertificateAuthorityPolicy::IssuanceModes IssuanceModes} may be
  #     used to issue {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates}.
  class CertificateAuthorityPolicy
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods

    # @!attribute [rw] allowed_config_values
    #   @return [::Array<::Google::Cloud::Security::PrivateCA::V1beta1::ReusableConfigWrapper>]
    #     Required. All {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates} issued by the {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}
    #     must match at least one listed {::Google::Cloud::Security::PrivateCA::V1beta1::ReusableConfigWrapper ReusableConfigWrapper}. If a
    #     {::Google::Cloud::Security::PrivateCA::V1beta1::ReusableConfigWrapper ReusableConfigWrapper} has an empty field, any value will be
    #     allowed for that field.
    class AllowedConfigList
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods
    end

    # {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::CertificateAuthorityPolicy::AllowedSubjectAltNames AllowedSubjectAltNames} specifies the allowed values for
    # {::Google::Cloud::Security::PrivateCA::V1beta1::SubjectAltNames SubjectAltNames} by the {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority} when issuing
    # {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates}.
    # @!attribute [rw] allowed_dns_names
    #   @return [::Array<::String>]
    #     Optional. Contains valid, fully-qualified host names. Glob patterns are also
    #     supported. To allow an explicit wildcard certificate, escape with
    #     backlash (i.e. `\*`).
    #     E.g. for globbed entries: `*bar.com` will allow `foo.bar.com`, but not
    #     `*.bar.com`, unless the {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::CertificateAuthorityPolicy::AllowedSubjectAltNames#allow_globbing_dns_wildcards allow_globbing_dns_wildcards} field is set.
    #     E.g. for wildcard entries: `\*.bar.com` will allow `*.bar.com`, but not
    #     `foo.bar.com`.
    # @!attribute [rw] allowed_uris
    #   @return [::Array<::String>]
    #     Optional. Contains valid RFC 3986 URIs. Glob patterns are also supported. To
    #     match across path seperators (i.e. '/') use the double star glob
    #     pattern (i.e. '**').
    # @!attribute [rw] allowed_email_addresses
    #   @return [::Array<::String>]
    #     Optional. Contains valid RFC 2822 E-mail addresses. Glob patterns are also
    #     supported.
    # @!attribute [rw] allowed_ips
    #   @return [::Array<::String>]
    #     Optional. Contains valid 32-bit IPv4 addresses and subnet ranges or RFC 4291 IPv6
    #     addresses and subnet ranges. Subnet ranges are specified using the
    #     '/' notation (e.g. 10.0.0.0/8, 2001:700:300:1800::/64). Glob patterns
    #     are supported only for ip address entries (i.e. not for subnet ranges).
    # @!attribute [rw] allow_globbing_dns_wildcards
    #   @return [::Boolean]
    #     Optional. Specifies if glob patterns used for {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::CertificateAuthorityPolicy::AllowedSubjectAltNames#allowed_dns_names allowed_dns_names} allows
    #     wildcard certificates.
    # @!attribute [rw] allow_custom_sans
    #   @return [::Boolean]
    #     Optional. Specifies if to allow custom X509Extension values.
    class AllowedSubjectAltNames
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods
    end

    # {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::CertificateAuthorityPolicy::IssuanceModes IssuanceModes} specifies the allowed ways in which
    # {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates} may be requested from this
    # {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}.
    # @!attribute [rw] allow_csr_based_issuance
    #   @return [::Boolean]
    #     Required. When true, allows callers to create {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates} by
    #     specifying a CSR.
    # @!attribute [rw] allow_config_based_issuance
    #   @return [::Boolean]
    #     Required. When true, allows callers to create {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates} by
    #     specifying a {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateConfig CertificateConfig}.
    class IssuanceModes
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods
    end
  end

  # URLs where a {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority} will publish content.
  # @!attribute [rw] ca_certificate_access_url
  #   @return [::String]
  #     The URL where this {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}'s CA certificate is
  #     published. This will only be set for CAs that have been activated.
  # @!attribute [rw] crl_access_url
  #   @return [::String]
  #     The URL where this {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}'s CRLs are published. This
  #     will only be set for CAs that have been activated.
  class AccessUrls
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # A Cloud KMS key configuration that a {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority} will use.
  # @!attribute [rw] cloud_kms_key_version
  #   @return [::String]
  #     Required. The resource name for an existing Cloud KMS CryptoKeyVersion in the
  #     format
  #     `projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*`.
  #     This option enables full flexibility in the key's capabilities and
  #     properties.
  # @!attribute [rw] algorithm
  #   @return [::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::SignHashAlgorithm]
  #     Required. The algorithm to use for creating a managed Cloud KMS key for a for a
  #     simplified experience. All managed keys will be have their
  #     [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] as `HSM`.
  class KeyVersionSpec
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # @!attribute [rw] key
  #   @return [::String]
  # @!attribute [rw] value
  #   @return [::String]
  class LabelsEntry
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # The type of a {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}, indicating its issuing chain.
  module Type
    # Not specified.
    TYPE_UNSPECIFIED = 0

    # Self-signed CA.
    SELF_SIGNED = 1

    # Subordinate CA. Could be issued by a Private CA {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}
    # or an unmanaged CA.
    SUBORDINATE = 2
  end

  # The tier of a {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}, indicating its supported
  # functionality and/or billing SKU.
  module Tier
    # Not specified.
    TIER_UNSPECIFIED = 0

    # Enterprise tier.
    ENTERPRISE = 1

    # DevOps tier.
    DEVOPS = 2
  end

  # The state of a {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}, indicating if it can be used.
  module State
    # Not specified.
    STATE_UNSPECIFIED = 0

    # Certificates can be issued from this CA. CRLs will be generated for this
    # CA.
    ENABLED = 1

    # Certificates cannot be issued from this CA. CRLs will still be generated.
    DISABLED = 2

    # Certificates cannot be issued from this CA. CRLs will not be generated.
    PENDING_ACTIVATION = 3

    # Certificates cannot be issued from this CA. CRLs will not be generated.
    PENDING_DELETION = 4
  end

  # The algorithm of a Cloud KMS CryptoKeyVersion of a
  # [CryptoKey][google.cloud.kms.v1.CryptoKey] with the
  # [CryptoKeyPurpose][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose] value
  # `ASYMMETRIC_SIGN`. These values correspond to the
  # [CryptoKeyVersionAlgorithm][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm]
  # values. For RSA signing algorithms, the PSS algorithms should be preferred,
  # use PKCS1 algorithms if required for compatibility. For further
  # recommandations, see
  # https://cloud.google.com/kms/docs/algorithms#algorithm_recommendations.
  module SignHashAlgorithm
    # Not specified.
    SIGN_HASH_ALGORITHM_UNSPECIFIED = 0

    # maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PSS_2048_SHA256
    RSA_PSS_2048_SHA256 = 1

    # maps to CryptoKeyVersionAlgorithm. RSA_SIGN_PSS_3072_SHA256
    RSA_PSS_3072_SHA256 = 2

    # maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PSS_4096_SHA256
    RSA_PSS_4096_SHA256 = 3

    # maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_2048_SHA256
    RSA_PKCS1_2048_SHA256 = 6

    # maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_3072_SHA256
    RSA_PKCS1_3072_SHA256 = 7

    # maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_4096_SHA256
    RSA_PKCS1_4096_SHA256 = 8

    # maps to CryptoKeyVersionAlgorithm.EC_SIGN_P256_SHA256
    EC_P256_SHA256 = 4

    # maps to CryptoKeyVersionAlgorithm.EC_SIGN_P384_SHA384
    EC_P384_SHA384 = 5
  end
end

#labels ⇒ ::Google::Protobuf::Map{::String => ::String}

Returns Optional. Labels with user-defined metadata.

Returns:

• (::Google::Protobuf::Map{::String => ::String}) —

  Optional. Labels with user-defined metadata.

# File 'proto_docs/google/cloud/security/privateca/v1beta1/resources.rb', line 102

class CertificateAuthority
  include ::Google::Protobuf::MessageExts
  extend ::Google::Protobuf::MessageExts::ClassMethods

  # Options that affect all certificates issued by a {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}.
  # @!attribute [rw] include_ca_cert_url
  #   @return [::Boolean]
  #     Required. When true, includes a URL to the issuing CA certificate in the
  #     "authority information access" X.509 extension.
  # @!attribute [rw] include_crl_access_url
  #   @return [::Boolean]
  #     Required. When true, includes a URL to the CRL corresponding to certificates
  #     issued from a {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}.
  #     CRLs will expire 7 days from their creation. However, we will rebuild
  #     daily. CRLs are also rebuilt shortly after a certificate is revoked.
  class IssuingOptions
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # The issuing policy for a {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}.
  # {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates} will not be successfully issued from this
  # {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority} if they violate the policy.
  # @!attribute [rw] allowed_config_list
  #   @return [::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::CertificateAuthorityPolicy::AllowedConfigList]
  #     Optional. All {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates} issued by the {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}
  #     must match at least one listed {::Google::Cloud::Security::PrivateCA::V1beta1::ReusableConfigWrapper ReusableConfigWrapper} in the list.
  # @!attribute [rw] overwrite_config_values
  #   @return [::Google::Cloud::Security::PrivateCA::V1beta1::ReusableConfigWrapper]
  #     Optional. All {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates} issued by the {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}
  #     will use the provided configuration values, overwriting any requested
  #     configuration values.
  # @!attribute [rw] allowed_locations_and_organizations
  #   @return [::Array<::Google::Cloud::Security::PrivateCA::V1beta1::Subject>]
  #     Optional. If any {::Google::Cloud::Security::PrivateCA::V1beta1::Subject Subject} is specified here, then all
  #     {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates} issued by the {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority} must
  #     match at least one listed {::Google::Cloud::Security::PrivateCA::V1beta1::Subject Subject}. If a {::Google::Cloud::Security::PrivateCA::V1beta1::Subject Subject} has an empty
  #     field, any value will be allowed for that field.
  # @!attribute [rw] allowed_common_names
  #   @return [::Array<::String>]
  #     Optional. If any value is specified here, then all
  #     {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates} issued by the {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority} must
  #     match at least one listed value. If no value is specified, all values
  #     will be allowed for this fied. Glob patterns are also supported.
  # @!attribute [rw] allowed_sans
  #   @return [::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::CertificateAuthorityPolicy::AllowedSubjectAltNames]
  #     Optional. If a {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::CertificateAuthorityPolicy::AllowedSubjectAltNames AllowedSubjectAltNames} is specified here, then all
  #     {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates} issued by the {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority} must
  #     match {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::CertificateAuthorityPolicy::AllowedSubjectAltNames AllowedSubjectAltNames}. If no value or an empty value
  #     is specified, any value will be allowed for the {::Google::Cloud::Security::PrivateCA::V1beta1::SubjectAltNames SubjectAltNames}
  #     field.
  # @!attribute [rw] maximum_lifetime
  #   @return [::Google::Protobuf::Duration]
  #     Optional. The maximum lifetime allowed by the {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}. Note that
  #     if the any part if the issuing chain expires before a {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificate}'s
  #     requested maximum_lifetime, the effective lifetime will be explicitly
  #     truncated.
  # @!attribute [rw] allowed_issuance_modes
  #   @return [::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::CertificateAuthorityPolicy::IssuanceModes]
  #     Optional. If specified, then only methods allowed in the {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::CertificateAuthorityPolicy::IssuanceModes IssuanceModes} may be
  #     used to issue {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates}.
  class CertificateAuthorityPolicy
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods

    # @!attribute [rw] allowed_config_values
    #   @return [::Array<::Google::Cloud::Security::PrivateCA::V1beta1::ReusableConfigWrapper>]
    #     Required. All {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates} issued by the {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}
    #     must match at least one listed {::Google::Cloud::Security::PrivateCA::V1beta1::ReusableConfigWrapper ReusableConfigWrapper}. If a
    #     {::Google::Cloud::Security::PrivateCA::V1beta1::ReusableConfigWrapper ReusableConfigWrapper} has an empty field, any value will be
    #     allowed for that field.
    class AllowedConfigList
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods
    end

    # {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::CertificateAuthorityPolicy::AllowedSubjectAltNames AllowedSubjectAltNames} specifies the allowed values for
    # {::Google::Cloud::Security::PrivateCA::V1beta1::SubjectAltNames SubjectAltNames} by the {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority} when issuing
    # {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates}.
    # @!attribute [rw] allowed_dns_names
    #   @return [::Array<::String>]
    #     Optional. Contains valid, fully-qualified host names. Glob patterns are also
    #     supported. To allow an explicit wildcard certificate, escape with
    #     backlash (i.e. `\*`).
    #     E.g. for globbed entries: `*bar.com` will allow `foo.bar.com`, but not
    #     `*.bar.com`, unless the {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::CertificateAuthorityPolicy::AllowedSubjectAltNames#allow_globbing_dns_wildcards allow_globbing_dns_wildcards} field is set.
    #     E.g. for wildcard entries: `\*.bar.com` will allow `*.bar.com`, but not
    #     `foo.bar.com`.
    # @!attribute [rw] allowed_uris
    #   @return [::Array<::String>]
    #     Optional. Contains valid RFC 3986 URIs. Glob patterns are also supported. To
    #     match across path seperators (i.e. '/') use the double star glob
    #     pattern (i.e. '**').
    # @!attribute [rw] allowed_email_addresses
    #   @return [::Array<::String>]
    #     Optional. Contains valid RFC 2822 E-mail addresses. Glob patterns are also
    #     supported.
    # @!attribute [rw] allowed_ips
    #   @return [::Array<::String>]
    #     Optional. Contains valid 32-bit IPv4 addresses and subnet ranges or RFC 4291 IPv6
    #     addresses and subnet ranges. Subnet ranges are specified using the
    #     '/' notation (e.g. 10.0.0.0/8, 2001:700:300:1800::/64). Glob patterns
    #     are supported only for ip address entries (i.e. not for subnet ranges).
    # @!attribute [rw] allow_globbing_dns_wildcards
    #   @return [::Boolean]
    #     Optional. Specifies if glob patterns used for {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::CertificateAuthorityPolicy::AllowedSubjectAltNames#allowed_dns_names allowed_dns_names} allows
    #     wildcard certificates.
    # @!attribute [rw] allow_custom_sans
    #   @return [::Boolean]
    #     Optional. Specifies if to allow custom X509Extension values.
    class AllowedSubjectAltNames
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods
    end

    # {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::CertificateAuthorityPolicy::IssuanceModes IssuanceModes} specifies the allowed ways in which
    # {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates} may be requested from this
    # {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}.
    # @!attribute [rw] allow_csr_based_issuance
    #   @return [::Boolean]
    #     Required. When true, allows callers to create {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates} by
    #     specifying a CSR.
    # @!attribute [rw] allow_config_based_issuance
    #   @return [::Boolean]
    #     Required. When true, allows callers to create {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates} by
    #     specifying a {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateConfig CertificateConfig}.
    class IssuanceModes
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods
    end
  end

  # URLs where a {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority} will publish content.
  # @!attribute [rw] ca_certificate_access_url
  #   @return [::String]
  #     The URL where this {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}'s CA certificate is
  #     published. This will only be set for CAs that have been activated.
  # @!attribute [rw] crl_access_url
  #   @return [::String]
  #     The URL where this {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}'s CRLs are published. This
  #     will only be set for CAs that have been activated.
  class AccessUrls
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # A Cloud KMS key configuration that a {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority} will use.
  # @!attribute [rw] cloud_kms_key_version
  #   @return [::String]
  #     Required. The resource name for an existing Cloud KMS CryptoKeyVersion in the
  #     format
  #     `projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*`.
  #     This option enables full flexibility in the key's capabilities and
  #     properties.
  # @!attribute [rw] algorithm
  #   @return [::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::SignHashAlgorithm]
  #     Required. The algorithm to use for creating a managed Cloud KMS key for a for a
  #     simplified experience. All managed keys will be have their
  #     [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] as `HSM`.
  class KeyVersionSpec
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # @!attribute [rw] key
  #   @return [::String]
  # @!attribute [rw] value
  #   @return [::String]
  class LabelsEntry
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # The type of a {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}, indicating its issuing chain.
  module Type
    # Not specified.
    TYPE_UNSPECIFIED = 0

    # Self-signed CA.
    SELF_SIGNED = 1

    # Subordinate CA. Could be issued by a Private CA {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}
    # or an unmanaged CA.
    SUBORDINATE = 2
  end

  # The tier of a {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}, indicating its supported
  # functionality and/or billing SKU.
  module Tier
    # Not specified.
    TIER_UNSPECIFIED = 0

    # Enterprise tier.
    ENTERPRISE = 1

    # DevOps tier.
    DEVOPS = 2
  end

  # The state of a {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}, indicating if it can be used.
  module State
    # Not specified.
    STATE_UNSPECIFIED = 0

    # Certificates can be issued from this CA. CRLs will be generated for this
    # CA.
    ENABLED = 1

    # Certificates cannot be issued from this CA. CRLs will still be generated.
    DISABLED = 2

    # Certificates cannot be issued from this CA. CRLs will not be generated.
    PENDING_ACTIVATION = 3

    # Certificates cannot be issued from this CA. CRLs will not be generated.
    PENDING_DELETION = 4
  end

  # The algorithm of a Cloud KMS CryptoKeyVersion of a
  # [CryptoKey][google.cloud.kms.v1.CryptoKey] with the
  # [CryptoKeyPurpose][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose] value
  # `ASYMMETRIC_SIGN`. These values correspond to the
  # [CryptoKeyVersionAlgorithm][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm]
  # values. For RSA signing algorithms, the PSS algorithms should be preferred,
  # use PKCS1 algorithms if required for compatibility. For further
  # recommandations, see
  # https://cloud.google.com/kms/docs/algorithms#algorithm_recommendations.
  module SignHashAlgorithm
    # Not specified.
    SIGN_HASH_ALGORITHM_UNSPECIFIED = 0

    # maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PSS_2048_SHA256
    RSA_PSS_2048_SHA256 = 1

    # maps to CryptoKeyVersionAlgorithm. RSA_SIGN_PSS_3072_SHA256
    RSA_PSS_3072_SHA256 = 2

    # maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PSS_4096_SHA256
    RSA_PSS_4096_SHA256 = 3

    # maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_2048_SHA256
    RSA_PKCS1_2048_SHA256 = 6

    # maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_3072_SHA256
    RSA_PKCS1_3072_SHA256 = 7

    # maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_4096_SHA256
    RSA_PKCS1_4096_SHA256 = 8

    # maps to CryptoKeyVersionAlgorithm.EC_SIGN_P256_SHA256
    EC_P256_SHA256 = 4

    # maps to CryptoKeyVersionAlgorithm.EC_SIGN_P384_SHA384
    EC_P384_SHA384 = 5
  end
end

#lifetime ⇒ ::Google::Protobuf::Duration

Returns Required. The desired lifetime of the CA certificate. Used to create the "not_before_time" and "not_after_time" fields inside an X.509 certificate.

Returns:

• (::Google::Protobuf::Duration) —

  Required. The desired lifetime of the CA certificate. Used to create the "not_before_time" and "not_after_time" fields inside an X.509 certificate.

# File 'proto_docs/google/cloud/security/privateca/v1beta1/resources.rb', line 102

class CertificateAuthority
  include ::Google::Protobuf::MessageExts
  extend ::Google::Protobuf::MessageExts::ClassMethods

  # Options that affect all certificates issued by a {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}.
  # @!attribute [rw] include_ca_cert_url
  #   @return [::Boolean]
  #     Required. When true, includes a URL to the issuing CA certificate in the
  #     "authority information access" X.509 extension.
  # @!attribute [rw] include_crl_access_url
  #   @return [::Boolean]
  #     Required. When true, includes a URL to the CRL corresponding to certificates
  #     issued from a {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}.
  #     CRLs will expire 7 days from their creation. However, we will rebuild
  #     daily. CRLs are also rebuilt shortly after a certificate is revoked.
  class IssuingOptions
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # The issuing policy for a {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}.
  # {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates} will not be successfully issued from this
  # {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority} if they violate the policy.
  # @!attribute [rw] allowed_config_list
  #   @return [::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::CertificateAuthorityPolicy::AllowedConfigList]
  #     Optional. All {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates} issued by the {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}
  #     must match at least one listed {::Google::Cloud::Security::PrivateCA::V1beta1::ReusableConfigWrapper ReusableConfigWrapper} in the list.
  # @!attribute [rw] overwrite_config_values
  #   @return [::Google::Cloud::Security::PrivateCA::V1beta1::ReusableConfigWrapper]
  #     Optional. All {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates} issued by the {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}
  #     will use the provided configuration values, overwriting any requested
  #     configuration values.
  # @!attribute [rw] allowed_locations_and_organizations
  #   @return [::Array<::Google::Cloud::Security::PrivateCA::V1beta1::Subject>]
  #     Optional. If any {::Google::Cloud::Security::PrivateCA::V1beta1::Subject Subject} is specified here, then all
  #     {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates} issued by the {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority} must
  #     match at least one listed {::Google::Cloud::Security::PrivateCA::V1beta1::Subject Subject}. If a {::Google::Cloud::Security::PrivateCA::V1beta1::Subject Subject} has an empty
  #     field, any value will be allowed for that field.
  # @!attribute [rw] allowed_common_names
  #   @return [::Array<::String>]
  #     Optional. If any value is specified here, then all
  #     {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates} issued by the {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority} must
  #     match at least one listed value. If no value is specified, all values
  #     will be allowed for this fied. Glob patterns are also supported.
  # @!attribute [rw] allowed_sans
  #   @return [::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::CertificateAuthorityPolicy::AllowedSubjectAltNames]
  #     Optional. If a {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::CertificateAuthorityPolicy::AllowedSubjectAltNames AllowedSubjectAltNames} is specified here, then all
  #     {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates} issued by the {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority} must
  #     match {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::CertificateAuthorityPolicy::AllowedSubjectAltNames AllowedSubjectAltNames}. If no value or an empty value
  #     is specified, any value will be allowed for the {::Google::Cloud::Security::PrivateCA::V1beta1::SubjectAltNames SubjectAltNames}
  #     field.
  # @!attribute [rw] maximum_lifetime
  #   @return [::Google::Protobuf::Duration]
  #     Optional. The maximum lifetime allowed by the {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}. Note that
  #     if the any part if the issuing chain expires before a {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificate}'s
  #     requested maximum_lifetime, the effective lifetime will be explicitly
  #     truncated.
  # @!attribute [rw] allowed_issuance_modes
  #   @return [::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::CertificateAuthorityPolicy::IssuanceModes]
  #     Optional. If specified, then only methods allowed in the {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::CertificateAuthorityPolicy::IssuanceModes IssuanceModes} may be
  #     used to issue {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates}.
  class CertificateAuthorityPolicy
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods

    # @!attribute [rw] allowed_config_values
    #   @return [::Array<::Google::Cloud::Security::PrivateCA::V1beta1::ReusableConfigWrapper>]
    #     Required. All {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates} issued by the {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}
    #     must match at least one listed {::Google::Cloud::Security::PrivateCA::V1beta1::ReusableConfigWrapper ReusableConfigWrapper}. If a
    #     {::Google::Cloud::Security::PrivateCA::V1beta1::ReusableConfigWrapper ReusableConfigWrapper} has an empty field, any value will be
    #     allowed for that field.
    class AllowedConfigList
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods
    end

    # {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::CertificateAuthorityPolicy::AllowedSubjectAltNames AllowedSubjectAltNames} specifies the allowed values for
    # {::Google::Cloud::Security::PrivateCA::V1beta1::SubjectAltNames SubjectAltNames} by the {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority} when issuing
    # {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates}.
    # @!attribute [rw] allowed_dns_names
    #   @return [::Array<::String>]
    #     Optional. Contains valid, fully-qualified host names. Glob patterns are also
    #     supported. To allow an explicit wildcard certificate, escape with
    #     backlash (i.e. `\*`).
    #     E.g. for globbed entries: `*bar.com` will allow `foo.bar.com`, but not
    #     `*.bar.com`, unless the {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::CertificateAuthorityPolicy::AllowedSubjectAltNames#allow_globbing_dns_wildcards allow_globbing_dns_wildcards} field is set.
    #     E.g. for wildcard entries: `\*.bar.com` will allow `*.bar.com`, but not
    #     `foo.bar.com`.
    # @!attribute [rw] allowed_uris
    #   @return [::Array<::String>]
    #     Optional. Contains valid RFC 3986 URIs. Glob patterns are also supported. To
    #     match across path seperators (i.e. '/') use the double star glob
    #     pattern (i.e. '**').
    # @!attribute [rw] allowed_email_addresses
    #   @return [::Array<::String>]
    #     Optional. Contains valid RFC 2822 E-mail addresses. Glob patterns are also
    #     supported.
    # @!attribute [rw] allowed_ips
    #   @return [::Array<::String>]
    #     Optional. Contains valid 32-bit IPv4 addresses and subnet ranges or RFC 4291 IPv6
    #     addresses and subnet ranges. Subnet ranges are specified using the
    #     '/' notation (e.g. 10.0.0.0/8, 2001:700:300:1800::/64). Glob patterns
    #     are supported only for ip address entries (i.e. not for subnet ranges).
    # @!attribute [rw] allow_globbing_dns_wildcards
    #   @return [::Boolean]
    #     Optional. Specifies if glob patterns used for {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::CertificateAuthorityPolicy::AllowedSubjectAltNames#allowed_dns_names allowed_dns_names} allows
    #     wildcard certificates.
    # @!attribute [rw] allow_custom_sans
    #   @return [::Boolean]
    #     Optional. Specifies if to allow custom X509Extension values.
    class AllowedSubjectAltNames
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods
    end

    # {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::CertificateAuthorityPolicy::IssuanceModes IssuanceModes} specifies the allowed ways in which
    # {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates} may be requested from this
    # {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}.
    # @!attribute [rw] allow_csr_based_issuance
    #   @return [::Boolean]
    #     Required. When true, allows callers to create {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates} by
    #     specifying a CSR.
    # @!attribute [rw] allow_config_based_issuance
    #   @return [::Boolean]
    #     Required. When true, allows callers to create {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates} by
    #     specifying a {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateConfig CertificateConfig}.
    class IssuanceModes
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods
    end
  end

  # URLs where a {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority} will publish content.
  # @!attribute [rw] ca_certificate_access_url
  #   @return [::String]
  #     The URL where this {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}'s CA certificate is
  #     published. This will only be set for CAs that have been activated.
  # @!attribute [rw] crl_access_url
  #   @return [::String]
  #     The URL where this {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}'s CRLs are published. This
  #     will only be set for CAs that have been activated.
  class AccessUrls
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # A Cloud KMS key configuration that a {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority} will use.
  # @!attribute [rw] cloud_kms_key_version
  #   @return [::String]
  #     Required. The resource name for an existing Cloud KMS CryptoKeyVersion in the
  #     format
  #     `projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*`.
  #     This option enables full flexibility in the key's capabilities and
  #     properties.
  # @!attribute [rw] algorithm
  #   @return [::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::SignHashAlgorithm]
  #     Required. The algorithm to use for creating a managed Cloud KMS key for a for a
  #     simplified experience. All managed keys will be have their
  #     [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] as `HSM`.
  class KeyVersionSpec
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # @!attribute [rw] key
  #   @return [::String]
  # @!attribute [rw] value
  #   @return [::String]
  class LabelsEntry
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # The type of a {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}, indicating its issuing chain.
  module Type
    # Not specified.
    TYPE_UNSPECIFIED = 0

    # Self-signed CA.
    SELF_SIGNED = 1

    # Subordinate CA. Could be issued by a Private CA {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}
    # or an unmanaged CA.
    SUBORDINATE = 2
  end

  # The tier of a {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}, indicating its supported
  # functionality and/or billing SKU.
  module Tier
    # Not specified.
    TIER_UNSPECIFIED = 0

    # Enterprise tier.
    ENTERPRISE = 1

    # DevOps tier.
    DEVOPS = 2
  end

  # The state of a {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}, indicating if it can be used.
  module State
    # Not specified.
    STATE_UNSPECIFIED = 0

    # Certificates can be issued from this CA. CRLs will be generated for this
    # CA.
    ENABLED = 1

    # Certificates cannot be issued from this CA. CRLs will still be generated.
    DISABLED = 2

    # Certificates cannot be issued from this CA. CRLs will not be generated.
    PENDING_ACTIVATION = 3

    # Certificates cannot be issued from this CA. CRLs will not be generated.
    PENDING_DELETION = 4
  end

  # The algorithm of a Cloud KMS CryptoKeyVersion of a
  # [CryptoKey][google.cloud.kms.v1.CryptoKey] with the
  # [CryptoKeyPurpose][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose] value
  # `ASYMMETRIC_SIGN`. These values correspond to the
  # [CryptoKeyVersionAlgorithm][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm]
  # values. For RSA signing algorithms, the PSS algorithms should be preferred,
  # use PKCS1 algorithms if required for compatibility. For further
  # recommandations, see
  # https://cloud.google.com/kms/docs/algorithms#algorithm_recommendations.
  module SignHashAlgorithm
    # Not specified.
    SIGN_HASH_ALGORITHM_UNSPECIFIED = 0

    # maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PSS_2048_SHA256
    RSA_PSS_2048_SHA256 = 1

    # maps to CryptoKeyVersionAlgorithm. RSA_SIGN_PSS_3072_SHA256
    RSA_PSS_3072_SHA256 = 2

    # maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PSS_4096_SHA256
    RSA_PSS_4096_SHA256 = 3

    # maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_2048_SHA256
    RSA_PKCS1_2048_SHA256 = 6

    # maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_3072_SHA256
    RSA_PKCS1_3072_SHA256 = 7

    # maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_4096_SHA256
    RSA_PKCS1_4096_SHA256 = 8

    # maps to CryptoKeyVersionAlgorithm.EC_SIGN_P256_SHA256
    EC_P256_SHA256 = 4

    # maps to CryptoKeyVersionAlgorithm.EC_SIGN_P384_SHA384
    EC_P384_SHA384 = 5
  end
end

#name ⇒ ::String (readonly)

Returns Output only. The resource name for this CertificateAuthority in the format projects/*/locations/*/certificateAuthorities/*.

Returns:

• (::String) —

  Output only. The resource name for this CertificateAuthority in the format projects/*/locations/*/certificateAuthorities/*.

# File 'proto_docs/google/cloud/security/privateca/v1beta1/resources.rb', line 102

class CertificateAuthority
  include ::Google::Protobuf::MessageExts
  extend ::Google::Protobuf::MessageExts::ClassMethods

  # Options that affect all certificates issued by a {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}.
  # @!attribute [rw] include_ca_cert_url
  #   @return [::Boolean]
  #     Required. When true, includes a URL to the issuing CA certificate in the
  #     "authority information access" X.509 extension.
  # @!attribute [rw] include_crl_access_url
  #   @return [::Boolean]
  #     Required. When true, includes a URL to the CRL corresponding to certificates
  #     issued from a {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}.
  #     CRLs will expire 7 days from their creation. However, we will rebuild
  #     daily. CRLs are also rebuilt shortly after a certificate is revoked.
  class IssuingOptions
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # The issuing policy for a {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}.
  # {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates} will not be successfully issued from this
  # {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority} if they violate the policy.
  # @!attribute [rw] allowed_config_list
  #   @return [::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::CertificateAuthorityPolicy::AllowedConfigList]
  #     Optional. All {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates} issued by the {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}
  #     must match at least one listed {::Google::Cloud::Security::PrivateCA::V1beta1::ReusableConfigWrapper ReusableConfigWrapper} in the list.
  # @!attribute [rw] overwrite_config_values
  #   @return [::Google::Cloud::Security::PrivateCA::V1beta1::ReusableConfigWrapper]
  #     Optional. All {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates} issued by the {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}
  #     will use the provided configuration values, overwriting any requested
  #     configuration values.
  # @!attribute [rw] allowed_locations_and_organizations
  #   @return [::Array<::Google::Cloud::Security::PrivateCA::V1beta1::Subject>]
  #     Optional. If any {::Google::Cloud::Security::PrivateCA::V1beta1::Subject Subject} is specified here, then all
  #     {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates} issued by the {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority} must
  #     match at least one listed {::Google::Cloud::Security::PrivateCA::V1beta1::Subject Subject}. If a {::Google::Cloud::Security::PrivateCA::V1beta1::Subject Subject} has an empty
  #     field, any value will be allowed for that field.
  # @!attribute [rw] allowed_common_names
  #   @return [::Array<::String>]
  #     Optional. If any value is specified here, then all
  #     {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates} issued by the {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority} must
  #     match at least one listed value. If no value is specified, all values
  #     will be allowed for this fied. Glob patterns are also supported.
  # @!attribute [rw] allowed_sans
  #   @return [::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::CertificateAuthorityPolicy::AllowedSubjectAltNames]
  #     Optional. If a {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::CertificateAuthorityPolicy::AllowedSubjectAltNames AllowedSubjectAltNames} is specified here, then all
  #     {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates} issued by the {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority} must
  #     match {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::CertificateAuthorityPolicy::AllowedSubjectAltNames AllowedSubjectAltNames}. If no value or an empty value
  #     is specified, any value will be allowed for the {::Google::Cloud::Security::PrivateCA::V1beta1::SubjectAltNames SubjectAltNames}
  #     field.
  # @!attribute [rw] maximum_lifetime
  #   @return [::Google::Protobuf::Duration]
  #     Optional. The maximum lifetime allowed by the {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}. Note that
  #     if the any part if the issuing chain expires before a {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificate}'s
  #     requested maximum_lifetime, the effective lifetime will be explicitly
  #     truncated.
  # @!attribute [rw] allowed_issuance_modes
  #   @return [::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::CertificateAuthorityPolicy::IssuanceModes]
  #     Optional. If specified, then only methods allowed in the {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::CertificateAuthorityPolicy::IssuanceModes IssuanceModes} may be
  #     used to issue {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates}.
  class CertificateAuthorityPolicy
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods

    # @!attribute [rw] allowed_config_values
    #   @return [::Array<::Google::Cloud::Security::PrivateCA::V1beta1::ReusableConfigWrapper>]
    #     Required. All {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates} issued by the {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}
    #     must match at least one listed {::Google::Cloud::Security::PrivateCA::V1beta1::ReusableConfigWrapper ReusableConfigWrapper}. If a
    #     {::Google::Cloud::Security::PrivateCA::V1beta1::ReusableConfigWrapper ReusableConfigWrapper} has an empty field, any value will be
    #     allowed for that field.
    class AllowedConfigList
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods
    end

    # {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::CertificateAuthorityPolicy::AllowedSubjectAltNames AllowedSubjectAltNames} specifies the allowed values for
    # {::Google::Cloud::Security::PrivateCA::V1beta1::SubjectAltNames SubjectAltNames} by the {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority} when issuing
    # {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates}.
    # @!attribute [rw] allowed_dns_names
    #   @return [::Array<::String>]
    #     Optional. Contains valid, fully-qualified host names. Glob patterns are also
    #     supported. To allow an explicit wildcard certificate, escape with
    #     backlash (i.e. `\*`).
    #     E.g. for globbed entries: `*bar.com` will allow `foo.bar.com`, but not
    #     `*.bar.com`, unless the {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::CertificateAuthorityPolicy::AllowedSubjectAltNames#allow_globbing_dns_wildcards allow_globbing_dns_wildcards} field is set.
    #     E.g. for wildcard entries: `\*.bar.com` will allow `*.bar.com`, but not
    #     `foo.bar.com`.
    # @!attribute [rw] allowed_uris
    #   @return [::Array<::String>]
    #     Optional. Contains valid RFC 3986 URIs. Glob patterns are also supported. To
    #     match across path seperators (i.e. '/') use the double star glob
    #     pattern (i.e. '**').
    # @!attribute [rw] allowed_email_addresses
    #   @return [::Array<::String>]
    #     Optional. Contains valid RFC 2822 E-mail addresses. Glob patterns are also
    #     supported.
    # @!attribute [rw] allowed_ips
    #   @return [::Array<::String>]
    #     Optional. Contains valid 32-bit IPv4 addresses and subnet ranges or RFC 4291 IPv6
    #     addresses and subnet ranges. Subnet ranges are specified using the
    #     '/' notation (e.g. 10.0.0.0/8, 2001:700:300:1800::/64). Glob patterns
    #     are supported only for ip address entries (i.e. not for subnet ranges).
    # @!attribute [rw] allow_globbing_dns_wildcards
    #   @return [::Boolean]
    #     Optional. Specifies if glob patterns used for {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::CertificateAuthorityPolicy::AllowedSubjectAltNames#allowed_dns_names allowed_dns_names} allows
    #     wildcard certificates.
    # @!attribute [rw] allow_custom_sans
    #   @return [::Boolean]
    #     Optional. Specifies if to allow custom X509Extension values.
    class AllowedSubjectAltNames
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods
    end

    # {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::CertificateAuthorityPolicy::IssuanceModes IssuanceModes} specifies the allowed ways in which
    # {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates} may be requested from this
    # {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}.
    # @!attribute [rw] allow_csr_based_issuance
    #   @return [::Boolean]
    #     Required. When true, allows callers to create {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates} by
    #     specifying a CSR.
    # @!attribute [rw] allow_config_based_issuance
    #   @return [::Boolean]
    #     Required. When true, allows callers to create {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates} by
    #     specifying a {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateConfig CertificateConfig}.
    class IssuanceModes
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods
    end
  end

  # URLs where a {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority} will publish content.
  # @!attribute [rw] ca_certificate_access_url
  #   @return [::String]
  #     The URL where this {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}'s CA certificate is
  #     published. This will only be set for CAs that have been activated.
  # @!attribute [rw] crl_access_url
  #   @return [::String]
  #     The URL where this {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}'s CRLs are published. This
  #     will only be set for CAs that have been activated.
  class AccessUrls
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # A Cloud KMS key configuration that a {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority} will use.
  # @!attribute [rw] cloud_kms_key_version
  #   @return [::String]
  #     Required. The resource name for an existing Cloud KMS CryptoKeyVersion in the
  #     format
  #     `projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*`.
  #     This option enables full flexibility in the key's capabilities and
  #     properties.
  # @!attribute [rw] algorithm
  #   @return [::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::SignHashAlgorithm]
  #     Required. The algorithm to use for creating a managed Cloud KMS key for a for a
  #     simplified experience. All managed keys will be have their
  #     [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] as `HSM`.
  class KeyVersionSpec
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # @!attribute [rw] key
  #   @return [::String]
  # @!attribute [rw] value
  #   @return [::String]
  class LabelsEntry
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # The type of a {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}, indicating its issuing chain.
  module Type
    # Not specified.
    TYPE_UNSPECIFIED = 0

    # Self-signed CA.
    SELF_SIGNED = 1

    # Subordinate CA. Could be issued by a Private CA {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}
    # or an unmanaged CA.
    SUBORDINATE = 2
  end

  # The tier of a {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}, indicating its supported
  # functionality and/or billing SKU.
  module Tier
    # Not specified.
    TIER_UNSPECIFIED = 0

    # Enterprise tier.
    ENTERPRISE = 1

    # DevOps tier.
    DEVOPS = 2
  end

  # The state of a {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}, indicating if it can be used.
  module State
    # Not specified.
    STATE_UNSPECIFIED = 0

    # Certificates can be issued from this CA. CRLs will be generated for this
    # CA.
    ENABLED = 1

    # Certificates cannot be issued from this CA. CRLs will still be generated.
    DISABLED = 2

    # Certificates cannot be issued from this CA. CRLs will not be generated.
    PENDING_ACTIVATION = 3

    # Certificates cannot be issued from this CA. CRLs will not be generated.
    PENDING_DELETION = 4
  end

  # The algorithm of a Cloud KMS CryptoKeyVersion of a
  # [CryptoKey][google.cloud.kms.v1.CryptoKey] with the
  # [CryptoKeyPurpose][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose] value
  # `ASYMMETRIC_SIGN`. These values correspond to the
  # [CryptoKeyVersionAlgorithm][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm]
  # values. For RSA signing algorithms, the PSS algorithms should be preferred,
  # use PKCS1 algorithms if required for compatibility. For further
  # recommandations, see
  # https://cloud.google.com/kms/docs/algorithms#algorithm_recommendations.
  module SignHashAlgorithm
    # Not specified.
    SIGN_HASH_ALGORITHM_UNSPECIFIED = 0

    # maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PSS_2048_SHA256
    RSA_PSS_2048_SHA256 = 1

    # maps to CryptoKeyVersionAlgorithm. RSA_SIGN_PSS_3072_SHA256
    RSA_PSS_3072_SHA256 = 2

    # maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PSS_4096_SHA256
    RSA_PSS_4096_SHA256 = 3

    # maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_2048_SHA256
    RSA_PKCS1_2048_SHA256 = 6

    # maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_3072_SHA256
    RSA_PKCS1_3072_SHA256 = 7

    # maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_4096_SHA256
    RSA_PKCS1_4096_SHA256 = 8

    # maps to CryptoKeyVersionAlgorithm.EC_SIGN_P256_SHA256
    EC_P256_SHA256 = 4

    # maps to CryptoKeyVersionAlgorithm.EC_SIGN_P384_SHA384
    EC_P384_SHA384 = 5
  end
end

#pem_ca_certificates ⇒ ::Array<::String> (readonly)

Returns Output only. This CertificateAuthority's certificate chain, including the current CertificateAuthority's certificate. Ordered such that the root issuer is the final element (consistent with RFC 5246). For a self-signed CA, this will only list the current CertificateAuthority's certificate.

Returns:

• (::Array<::String>) —

  Output only. This CertificateAuthority's certificate chain, including the current CertificateAuthority's certificate. Ordered such that the root issuer is the final element (consistent with RFC 5246). For a self-signed CA, this will only list the current CertificateAuthority's certificate.

# File 'proto_docs/google/cloud/security/privateca/v1beta1/resources.rb', line 102

class CertificateAuthority
  include ::Google::Protobuf::MessageExts
  extend ::Google::Protobuf::MessageExts::ClassMethods

  # Options that affect all certificates issued by a {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}.
  # @!attribute [rw] include_ca_cert_url
  #   @return [::Boolean]
  #     Required. When true, includes a URL to the issuing CA certificate in the
  #     "authority information access" X.509 extension.
  # @!attribute [rw] include_crl_access_url
  #   @return [::Boolean]
  #     Required. When true, includes a URL to the CRL corresponding to certificates
  #     issued from a {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}.
  #     CRLs will expire 7 days from their creation. However, we will rebuild
  #     daily. CRLs are also rebuilt shortly after a certificate is revoked.
  class IssuingOptions
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # The issuing policy for a {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}.
  # {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates} will not be successfully issued from this
  # {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority} if they violate the policy.
  # @!attribute [rw] allowed_config_list
  #   @return [::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::CertificateAuthorityPolicy::AllowedConfigList]
  #     Optional. All {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates} issued by the {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}
  #     must match at least one listed {::Google::Cloud::Security::PrivateCA::V1beta1::ReusableConfigWrapper ReusableConfigWrapper} in the list.
  # @!attribute [rw] overwrite_config_values
  #   @return [::Google::Cloud::Security::PrivateCA::V1beta1::ReusableConfigWrapper]
  #     Optional. All {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates} issued by the {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}
  #     will use the provided configuration values, overwriting any requested
  #     configuration values.
  # @!attribute [rw] allowed_locations_and_organizations
  #   @return [::Array<::Google::Cloud::Security::PrivateCA::V1beta1::Subject>]
  #     Optional. If any {::Google::Cloud::Security::PrivateCA::V1beta1::Subject Subject} is specified here, then all
  #     {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates} issued by the {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority} must
  #     match at least one listed {::Google::Cloud::Security::PrivateCA::V1beta1::Subject Subject}. If a {::Google::Cloud::Security::PrivateCA::V1beta1::Subject Subject} has an empty
  #     field, any value will be allowed for that field.
  # @!attribute [rw] allowed_common_names
  #   @return [::Array<::String>]
  #     Optional. If any value is specified here, then all
  #     {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates} issued by the {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority} must
  #     match at least one listed value. If no value is specified, all values
  #     will be allowed for this fied. Glob patterns are also supported.
  # @!attribute [rw] allowed_sans
  #   @return [::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::CertificateAuthorityPolicy::AllowedSubjectAltNames]
  #     Optional. If a {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::CertificateAuthorityPolicy::AllowedSubjectAltNames AllowedSubjectAltNames} is specified here, then all
  #     {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates} issued by the {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority} must
  #     match {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::CertificateAuthorityPolicy::AllowedSubjectAltNames AllowedSubjectAltNames}. If no value or an empty value
  #     is specified, any value will be allowed for the {::Google::Cloud::Security::PrivateCA::V1beta1::SubjectAltNames SubjectAltNames}
  #     field.
  # @!attribute [rw] maximum_lifetime
  #   @return [::Google::Protobuf::Duration]
  #     Optional. The maximum lifetime allowed by the {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}. Note that
  #     if the any part if the issuing chain expires before a {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificate}'s
  #     requested maximum_lifetime, the effective lifetime will be explicitly
  #     truncated.
  # @!attribute [rw] allowed_issuance_modes
  #   @return [::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::CertificateAuthorityPolicy::IssuanceModes]
  #     Optional. If specified, then only methods allowed in the {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::CertificateAuthorityPolicy::IssuanceModes IssuanceModes} may be
  #     used to issue {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates}.
  class CertificateAuthorityPolicy
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods

    # @!attribute [rw] allowed_config_values
    #   @return [::Array<::Google::Cloud::Security::PrivateCA::V1beta1::ReusableConfigWrapper>]
    #     Required. All {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates} issued by the {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}
    #     must match at least one listed {::Google::Cloud::Security::PrivateCA::V1beta1::ReusableConfigWrapper ReusableConfigWrapper}. If a
    #     {::Google::Cloud::Security::PrivateCA::V1beta1::ReusableConfigWrapper ReusableConfigWrapper} has an empty field, any value will be
    #     allowed for that field.
    class AllowedConfigList
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods
    end

    # {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::CertificateAuthorityPolicy::AllowedSubjectAltNames AllowedSubjectAltNames} specifies the allowed values for
    # {::Google::Cloud::Security::PrivateCA::V1beta1::SubjectAltNames SubjectAltNames} by the {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority} when issuing
    # {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates}.
    # @!attribute [rw] allowed_dns_names
    #   @return [::Array<::String>]
    #     Optional. Contains valid, fully-qualified host names. Glob patterns are also
    #     supported. To allow an explicit wildcard certificate, escape with
    #     backlash (i.e. `\*`).
    #     E.g. for globbed entries: `*bar.com` will allow `foo.bar.com`, but not
    #     `*.bar.com`, unless the {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::CertificateAuthorityPolicy::AllowedSubjectAltNames#allow_globbing_dns_wildcards allow_globbing_dns_wildcards} field is set.
    #     E.g. for wildcard entries: `\*.bar.com` will allow `*.bar.com`, but not
    #     `foo.bar.com`.
    # @!attribute [rw] allowed_uris
    #   @return [::Array<::String>]
    #     Optional. Contains valid RFC 3986 URIs. Glob patterns are also supported. To
    #     match across path seperators (i.e. '/') use the double star glob
    #     pattern (i.e. '**').
    # @!attribute [rw] allowed_email_addresses
    #   @return [::Array<::String>]
    #     Optional. Contains valid RFC 2822 E-mail addresses. Glob patterns are also
    #     supported.
    # @!attribute [rw] allowed_ips
    #   @return [::Array<::String>]
    #     Optional. Contains valid 32-bit IPv4 addresses and subnet ranges or RFC 4291 IPv6
    #     addresses and subnet ranges. Subnet ranges are specified using the
    #     '/' notation (e.g. 10.0.0.0/8, 2001:700:300:1800::/64). Glob patterns
    #     are supported only for ip address entries (i.e. not for subnet ranges).
    # @!attribute [rw] allow_globbing_dns_wildcards
    #   @return [::Boolean]
    #     Optional. Specifies if glob patterns used for {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::CertificateAuthorityPolicy::AllowedSubjectAltNames#allowed_dns_names allowed_dns_names} allows
    #     wildcard certificates.
    # @!attribute [rw] allow_custom_sans
    #   @return [::Boolean]
    #     Optional. Specifies if to allow custom X509Extension values.
    class AllowedSubjectAltNames
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods
    end

    # {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::CertificateAuthorityPolicy::IssuanceModes IssuanceModes} specifies the allowed ways in which
    # {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates} may be requested from this
    # {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}.
    # @!attribute [rw] allow_csr_based_issuance
    #   @return [::Boolean]
    #     Required. When true, allows callers to create {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates} by
    #     specifying a CSR.
    # @!attribute [rw] allow_config_based_issuance
    #   @return [::Boolean]
    #     Required. When true, allows callers to create {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates} by
    #     specifying a {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateConfig CertificateConfig}.
    class IssuanceModes
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods
    end
  end

  # URLs where a {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority} will publish content.
  # @!attribute [rw] ca_certificate_access_url
  #   @return [::String]
  #     The URL where this {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}'s CA certificate is
  #     published. This will only be set for CAs that have been activated.
  # @!attribute [rw] crl_access_url
  #   @return [::String]
  #     The URL where this {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}'s CRLs are published. This
  #     will only be set for CAs that have been activated.
  class AccessUrls
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # A Cloud KMS key configuration that a {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority} will use.
  # @!attribute [rw] cloud_kms_key_version
  #   @return [::String]
  #     Required. The resource name for an existing Cloud KMS CryptoKeyVersion in the
  #     format
  #     `projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*`.
  #     This option enables full flexibility in the key's capabilities and
  #     properties.
  # @!attribute [rw] algorithm
  #   @return [::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::SignHashAlgorithm]
  #     Required. The algorithm to use for creating a managed Cloud KMS key for a for a
  #     simplified experience. All managed keys will be have their
  #     [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] as `HSM`.
  class KeyVersionSpec
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # @!attribute [rw] key
  #   @return [::String]
  # @!attribute [rw] value
  #   @return [::String]
  class LabelsEntry
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # The type of a {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}, indicating its issuing chain.
  module Type
    # Not specified.
    TYPE_UNSPECIFIED = 0

    # Self-signed CA.
    SELF_SIGNED = 1

    # Subordinate CA. Could be issued by a Private CA {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}
    # or an unmanaged CA.
    SUBORDINATE = 2
  end

  # The tier of a {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}, indicating its supported
  # functionality and/or billing SKU.
  module Tier
    # Not specified.
    TIER_UNSPECIFIED = 0

    # Enterprise tier.
    ENTERPRISE = 1

    # DevOps tier.
    DEVOPS = 2
  end

  # The state of a {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}, indicating if it can be used.
  module State
    # Not specified.
    STATE_UNSPECIFIED = 0

    # Certificates can be issued from this CA. CRLs will be generated for this
    # CA.
    ENABLED = 1

    # Certificates cannot be issued from this CA. CRLs will still be generated.
    DISABLED = 2

    # Certificates cannot be issued from this CA. CRLs will not be generated.
    PENDING_ACTIVATION = 3

    # Certificates cannot be issued from this CA. CRLs will not be generated.
    PENDING_DELETION = 4
  end

  # The algorithm of a Cloud KMS CryptoKeyVersion of a
  # [CryptoKey][google.cloud.kms.v1.CryptoKey] with the
  # [CryptoKeyPurpose][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose] value
  # `ASYMMETRIC_SIGN`. These values correspond to the
  # [CryptoKeyVersionAlgorithm][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm]
  # values. For RSA signing algorithms, the PSS algorithms should be preferred,
  # use PKCS1 algorithms if required for compatibility. For further
  # recommandations, see
  # https://cloud.google.com/kms/docs/algorithms#algorithm_recommendations.
  module SignHashAlgorithm
    # Not specified.
    SIGN_HASH_ALGORITHM_UNSPECIFIED = 0

    # maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PSS_2048_SHA256
    RSA_PSS_2048_SHA256 = 1

    # maps to CryptoKeyVersionAlgorithm. RSA_SIGN_PSS_3072_SHA256
    RSA_PSS_3072_SHA256 = 2

    # maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PSS_4096_SHA256
    RSA_PSS_4096_SHA256 = 3

    # maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_2048_SHA256
    RSA_PKCS1_2048_SHA256 = 6

    # maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_3072_SHA256
    RSA_PKCS1_3072_SHA256 = 7

    # maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_4096_SHA256
    RSA_PKCS1_4096_SHA256 = 8

    # maps to CryptoKeyVersionAlgorithm.EC_SIGN_P256_SHA256
    EC_P256_SHA256 = 4

    # maps to CryptoKeyVersionAlgorithm.EC_SIGN_P384_SHA384
    EC_P384_SHA384 = 5
  end
end

#state ⇒ ::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::State (readonly)

Returns Output only. The State for this CertificateAuthority.

Returns:

• (::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::State) —

  Output only. The State for this CertificateAuthority.

# File 'proto_docs/google/cloud/security/privateca/v1beta1/resources.rb', line 102

class CertificateAuthority
  include ::Google::Protobuf::MessageExts
  extend ::Google::Protobuf::MessageExts::ClassMethods

  # Options that affect all certificates issued by a {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}.
  # @!attribute [rw] include_ca_cert_url
  #   @return [::Boolean]
  #     Required. When true, includes a URL to the issuing CA certificate in the
  #     "authority information access" X.509 extension.
  # @!attribute [rw] include_crl_access_url
  #   @return [::Boolean]
  #     Required. When true, includes a URL to the CRL corresponding to certificates
  #     issued from a {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}.
  #     CRLs will expire 7 days from their creation. However, we will rebuild
  #     daily. CRLs are also rebuilt shortly after a certificate is revoked.
  class IssuingOptions
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # The issuing policy for a {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}.
  # {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates} will not be successfully issued from this
  # {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority} if they violate the policy.
  # @!attribute [rw] allowed_config_list
  #   @return [::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::CertificateAuthorityPolicy::AllowedConfigList]
  #     Optional. All {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates} issued by the {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}
  #     must match at least one listed {::Google::Cloud::Security::PrivateCA::V1beta1::ReusableConfigWrapper ReusableConfigWrapper} in the list.
  # @!attribute [rw] overwrite_config_values
  #   @return [::Google::Cloud::Security::PrivateCA::V1beta1::ReusableConfigWrapper]
  #     Optional. All {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates} issued by the {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}
  #     will use the provided configuration values, overwriting any requested
  #     configuration values.
  # @!attribute [rw] allowed_locations_and_organizations
  #   @return [::Array<::Google::Cloud::Security::PrivateCA::V1beta1::Subject>]
  #     Optional. If any {::Google::Cloud::Security::PrivateCA::V1beta1::Subject Subject} is specified here, then all
  #     {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates} issued by the {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority} must
  #     match at least one listed {::Google::Cloud::Security::PrivateCA::V1beta1::Subject Subject}. If a {::Google::Cloud::Security::PrivateCA::V1beta1::Subject Subject} has an empty
  #     field, any value will be allowed for that field.
  # @!attribute [rw] allowed_common_names
  #   @return [::Array<::String>]
  #     Optional. If any value is specified here, then all
  #     {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates} issued by the {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority} must
  #     match at least one listed value. If no value is specified, all values
  #     will be allowed for this fied. Glob patterns are also supported.
  # @!attribute [rw] allowed_sans
  #   @return [::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::CertificateAuthorityPolicy::AllowedSubjectAltNames]
  #     Optional. If a {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::CertificateAuthorityPolicy::AllowedSubjectAltNames AllowedSubjectAltNames} is specified here, then all
  #     {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates} issued by the {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority} must
  #     match {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::CertificateAuthorityPolicy::AllowedSubjectAltNames AllowedSubjectAltNames}. If no value or an empty value
  #     is specified, any value will be allowed for the {::Google::Cloud::Security::PrivateCA::V1beta1::SubjectAltNames SubjectAltNames}
  #     field.
  # @!attribute [rw] maximum_lifetime
  #   @return [::Google::Protobuf::Duration]
  #     Optional. The maximum lifetime allowed by the {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}. Note that
  #     if the any part if the issuing chain expires before a {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificate}'s
  #     requested maximum_lifetime, the effective lifetime will be explicitly
  #     truncated.
  # @!attribute [rw] allowed_issuance_modes
  #   @return [::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::CertificateAuthorityPolicy::IssuanceModes]
  #     Optional. If specified, then only methods allowed in the {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::CertificateAuthorityPolicy::IssuanceModes IssuanceModes} may be
  #     used to issue {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates}.
  class CertificateAuthorityPolicy
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods

    # @!attribute [rw] allowed_config_values
    #   @return [::Array<::Google::Cloud::Security::PrivateCA::V1beta1::ReusableConfigWrapper>]
    #     Required. All {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates} issued by the {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}
    #     must match at least one listed {::Google::Cloud::Security::PrivateCA::V1beta1::ReusableConfigWrapper ReusableConfigWrapper}. If a
    #     {::Google::Cloud::Security::PrivateCA::V1beta1::ReusableConfigWrapper ReusableConfigWrapper} has an empty field, any value will be
    #     allowed for that field.
    class AllowedConfigList
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods
    end

    # {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::CertificateAuthorityPolicy::AllowedSubjectAltNames AllowedSubjectAltNames} specifies the allowed values for
    # {::Google::Cloud::Security::PrivateCA::V1beta1::SubjectAltNames SubjectAltNames} by the {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority} when issuing
    # {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates}.
    # @!attribute [rw] allowed_dns_names
    #   @return [::Array<::String>]
    #     Optional. Contains valid, fully-qualified host names. Glob patterns are also
    #     supported. To allow an explicit wildcard certificate, escape with
    #     backlash (i.e. `\*`).
    #     E.g. for globbed entries: `*bar.com` will allow `foo.bar.com`, but not
    #     `*.bar.com`, unless the {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::CertificateAuthorityPolicy::AllowedSubjectAltNames#allow_globbing_dns_wildcards allow_globbing_dns_wildcards} field is set.
    #     E.g. for wildcard entries: `\*.bar.com` will allow `*.bar.com`, but not
    #     `foo.bar.com`.
    # @!attribute [rw] allowed_uris
    #   @return [::Array<::String>]
    #     Optional. Contains valid RFC 3986 URIs. Glob patterns are also supported. To
    #     match across path seperators (i.e. '/') use the double star glob
    #     pattern (i.e. '**').
    # @!attribute [rw] allowed_email_addresses
    #   @return [::Array<::String>]
    #     Optional. Contains valid RFC 2822 E-mail addresses. Glob patterns are also
    #     supported.
    # @!attribute [rw] allowed_ips
    #   @return [::Array<::String>]
    #     Optional. Contains valid 32-bit IPv4 addresses and subnet ranges or RFC 4291 IPv6
    #     addresses and subnet ranges. Subnet ranges are specified using the
    #     '/' notation (e.g. 10.0.0.0/8, 2001:700:300:1800::/64). Glob patterns
    #     are supported only for ip address entries (i.e. not for subnet ranges).
    # @!attribute [rw] allow_globbing_dns_wildcards
    #   @return [::Boolean]
    #     Optional. Specifies if glob patterns used for {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::CertificateAuthorityPolicy::AllowedSubjectAltNames#allowed_dns_names allowed_dns_names} allows
    #     wildcard certificates.
    # @!attribute [rw] allow_custom_sans
    #   @return [::Boolean]
    #     Optional. Specifies if to allow custom X509Extension values.
    class AllowedSubjectAltNames
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods
    end

    # {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::CertificateAuthorityPolicy::IssuanceModes IssuanceModes} specifies the allowed ways in which
    # {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates} may be requested from this
    # {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}.
    # @!attribute [rw] allow_csr_based_issuance
    #   @return [::Boolean]
    #     Required. When true, allows callers to create {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates} by
    #     specifying a CSR.
    # @!attribute [rw] allow_config_based_issuance
    #   @return [::Boolean]
    #     Required. When true, allows callers to create {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates} by
    #     specifying a {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateConfig CertificateConfig}.
    class IssuanceModes
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods
    end
  end

  # URLs where a {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority} will publish content.
  # @!attribute [rw] ca_certificate_access_url
  #   @return [::String]
  #     The URL where this {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}'s CA certificate is
  #     published. This will only be set for CAs that have been activated.
  # @!attribute [rw] crl_access_url
  #   @return [::String]
  #     The URL where this {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}'s CRLs are published. This
  #     will only be set for CAs that have been activated.
  class AccessUrls
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # A Cloud KMS key configuration that a {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority} will use.
  # @!attribute [rw] cloud_kms_key_version
  #   @return [::String]
  #     Required. The resource name for an existing Cloud KMS CryptoKeyVersion in the
  #     format
  #     `projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*`.
  #     This option enables full flexibility in the key's capabilities and
  #     properties.
  # @!attribute [rw] algorithm
  #   @return [::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::SignHashAlgorithm]
  #     Required. The algorithm to use for creating a managed Cloud KMS key for a for a
  #     simplified experience. All managed keys will be have their
  #     [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] as `HSM`.
  class KeyVersionSpec
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # @!attribute [rw] key
  #   @return [::String]
  # @!attribute [rw] value
  #   @return [::String]
  class LabelsEntry
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # The type of a {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}, indicating its issuing chain.
  module Type
    # Not specified.
    TYPE_UNSPECIFIED = 0

    # Self-signed CA.
    SELF_SIGNED = 1

    # Subordinate CA. Could be issued by a Private CA {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}
    # or an unmanaged CA.
    SUBORDINATE = 2
  end

  # The tier of a {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}, indicating its supported
  # functionality and/or billing SKU.
  module Tier
    # Not specified.
    TIER_UNSPECIFIED = 0

    # Enterprise tier.
    ENTERPRISE = 1

    # DevOps tier.
    DEVOPS = 2
  end

  # The state of a {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}, indicating if it can be used.
  module State
    # Not specified.
    STATE_UNSPECIFIED = 0

    # Certificates can be issued from this CA. CRLs will be generated for this
    # CA.
    ENABLED = 1

    # Certificates cannot be issued from this CA. CRLs will still be generated.
    DISABLED = 2

    # Certificates cannot be issued from this CA. CRLs will not be generated.
    PENDING_ACTIVATION = 3

    # Certificates cannot be issued from this CA. CRLs will not be generated.
    PENDING_DELETION = 4
  end

  # The algorithm of a Cloud KMS CryptoKeyVersion of a
  # [CryptoKey][google.cloud.kms.v1.CryptoKey] with the
  # [CryptoKeyPurpose][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose] value
  # `ASYMMETRIC_SIGN`. These values correspond to the
  # [CryptoKeyVersionAlgorithm][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm]
  # values. For RSA signing algorithms, the PSS algorithms should be preferred,
  # use PKCS1 algorithms if required for compatibility. For further
  # recommandations, see
  # https://cloud.google.com/kms/docs/algorithms#algorithm_recommendations.
  module SignHashAlgorithm
    # Not specified.
    SIGN_HASH_ALGORITHM_UNSPECIFIED = 0

    # maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PSS_2048_SHA256
    RSA_PSS_2048_SHA256 = 1

    # maps to CryptoKeyVersionAlgorithm. RSA_SIGN_PSS_3072_SHA256
    RSA_PSS_3072_SHA256 = 2

    # maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PSS_4096_SHA256
    RSA_PSS_4096_SHA256 = 3

    # maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_2048_SHA256
    RSA_PKCS1_2048_SHA256 = 6

    # maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_3072_SHA256
    RSA_PKCS1_3072_SHA256 = 7

    # maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_4096_SHA256
    RSA_PKCS1_4096_SHA256 = 8

    # maps to CryptoKeyVersionAlgorithm.EC_SIGN_P256_SHA256
    EC_P256_SHA256 = 4

    # maps to CryptoKeyVersionAlgorithm.EC_SIGN_P384_SHA384
    EC_P384_SHA384 = 5
  end
end

#subordinate_config ⇒ ::Google::Cloud::Security::PrivateCA::V1beta1::SubordinateConfig

Returns Optional. If this is a subordinate CertificateAuthority, this field will be set with the subordinate configuration, which describes its issuers. This may be updated, but this CertificateAuthority must continue to validate.

Returns:

• (::Google::Cloud::Security::PrivateCA::V1beta1::SubordinateConfig) —

  Optional. If this is a subordinate CertificateAuthority, this field will be set with the subordinate configuration, which describes its issuers. This may be updated, but this CertificateAuthority must continue to validate.

# File 'proto_docs/google/cloud/security/privateca/v1beta1/resources.rb', line 102

class CertificateAuthority
  include ::Google::Protobuf::MessageExts
  extend ::Google::Protobuf::MessageExts::ClassMethods

  # Options that affect all certificates issued by a {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}.
  # @!attribute [rw] include_ca_cert_url
  #   @return [::Boolean]
  #     Required. When true, includes a URL to the issuing CA certificate in the
  #     "authority information access" X.509 extension.
  # @!attribute [rw] include_crl_access_url
  #   @return [::Boolean]
  #     Required. When true, includes a URL to the CRL corresponding to certificates
  #     issued from a {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}.
  #     CRLs will expire 7 days from their creation. However, we will rebuild
  #     daily. CRLs are also rebuilt shortly after a certificate is revoked.
  class IssuingOptions
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # The issuing policy for a {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}.
  # {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates} will not be successfully issued from this
  # {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority} if they violate the policy.
  # @!attribute [rw] allowed_config_list
  #   @return [::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::CertificateAuthorityPolicy::AllowedConfigList]
  #     Optional. All {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates} issued by the {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}
  #     must match at least one listed {::Google::Cloud::Security::PrivateCA::V1beta1::ReusableConfigWrapper ReusableConfigWrapper} in the list.
  # @!attribute [rw] overwrite_config_values
  #   @return [::Google::Cloud::Security::PrivateCA::V1beta1::ReusableConfigWrapper]
  #     Optional. All {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates} issued by the {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}
  #     will use the provided configuration values, overwriting any requested
  #     configuration values.
  # @!attribute [rw] allowed_locations_and_organizations
  #   @return [::Array<::Google::Cloud::Security::PrivateCA::V1beta1::Subject>]
  #     Optional. If any {::Google::Cloud::Security::PrivateCA::V1beta1::Subject Subject} is specified here, then all
  #     {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates} issued by the {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority} must
  #     match at least one listed {::Google::Cloud::Security::PrivateCA::V1beta1::Subject Subject}. If a {::Google::Cloud::Security::PrivateCA::V1beta1::Subject Subject} has an empty
  #     field, any value will be allowed for that field.
  # @!attribute [rw] allowed_common_names
  #   @return [::Array<::String>]
  #     Optional. If any value is specified here, then all
  #     {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates} issued by the {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority} must
  #     match at least one listed value. If no value is specified, all values
  #     will be allowed for this fied. Glob patterns are also supported.
  # @!attribute [rw] allowed_sans
  #   @return [::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::CertificateAuthorityPolicy::AllowedSubjectAltNames]
  #     Optional. If a {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::CertificateAuthorityPolicy::AllowedSubjectAltNames AllowedSubjectAltNames} is specified here, then all
  #     {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates} issued by the {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority} must
  #     match {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::CertificateAuthorityPolicy::AllowedSubjectAltNames AllowedSubjectAltNames}. If no value or an empty value
  #     is specified, any value will be allowed for the {::Google::Cloud::Security::PrivateCA::V1beta1::SubjectAltNames SubjectAltNames}
  #     field.
  # @!attribute [rw] maximum_lifetime
  #   @return [::Google::Protobuf::Duration]
  #     Optional. The maximum lifetime allowed by the {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}. Note that
  #     if the any part if the issuing chain expires before a {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificate}'s
  #     requested maximum_lifetime, the effective lifetime will be explicitly
  #     truncated.
  # @!attribute [rw] allowed_issuance_modes
  #   @return [::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::CertificateAuthorityPolicy::IssuanceModes]
  #     Optional. If specified, then only methods allowed in the {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::CertificateAuthorityPolicy::IssuanceModes IssuanceModes} may be
  #     used to issue {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates}.
  class CertificateAuthorityPolicy
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods

    # @!attribute [rw] allowed_config_values
    #   @return [::Array<::Google::Cloud::Security::PrivateCA::V1beta1::ReusableConfigWrapper>]
    #     Required. All {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates} issued by the {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}
    #     must match at least one listed {::Google::Cloud::Security::PrivateCA::V1beta1::ReusableConfigWrapper ReusableConfigWrapper}. If a
    #     {::Google::Cloud::Security::PrivateCA::V1beta1::ReusableConfigWrapper ReusableConfigWrapper} has an empty field, any value will be
    #     allowed for that field.
    class AllowedConfigList
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods
    end

    # {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::CertificateAuthorityPolicy::AllowedSubjectAltNames AllowedSubjectAltNames} specifies the allowed values for
    # {::Google::Cloud::Security::PrivateCA::V1beta1::SubjectAltNames SubjectAltNames} by the {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority} when issuing
    # {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates}.
    # @!attribute [rw] allowed_dns_names
    #   @return [::Array<::String>]
    #     Optional. Contains valid, fully-qualified host names. Glob patterns are also
    #     supported. To allow an explicit wildcard certificate, escape with
    #     backlash (i.e. `\*`).
    #     E.g. for globbed entries: `*bar.com` will allow `foo.bar.com`, but not
    #     `*.bar.com`, unless the {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::CertificateAuthorityPolicy::AllowedSubjectAltNames#allow_globbing_dns_wildcards allow_globbing_dns_wildcards} field is set.
    #     E.g. for wildcard entries: `\*.bar.com` will allow `*.bar.com`, but not
    #     `foo.bar.com`.
    # @!attribute [rw] allowed_uris
    #   @return [::Array<::String>]
    #     Optional. Contains valid RFC 3986 URIs. Glob patterns are also supported. To
    #     match across path seperators (i.e. '/') use the double star glob
    #     pattern (i.e. '**').
    # @!attribute [rw] allowed_email_addresses
    #   @return [::Array<::String>]
    #     Optional. Contains valid RFC 2822 E-mail addresses. Glob patterns are also
    #     supported.
    # @!attribute [rw] allowed_ips
    #   @return [::Array<::String>]
    #     Optional. Contains valid 32-bit IPv4 addresses and subnet ranges or RFC 4291 IPv6
    #     addresses and subnet ranges. Subnet ranges are specified using the
    #     '/' notation (e.g. 10.0.0.0/8, 2001:700:300:1800::/64). Glob patterns
    #     are supported only for ip address entries (i.e. not for subnet ranges).
    # @!attribute [rw] allow_globbing_dns_wildcards
    #   @return [::Boolean]
    #     Optional. Specifies if glob patterns used for {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::CertificateAuthorityPolicy::AllowedSubjectAltNames#allowed_dns_names allowed_dns_names} allows
    #     wildcard certificates.
    # @!attribute [rw] allow_custom_sans
    #   @return [::Boolean]
    #     Optional. Specifies if to allow custom X509Extension values.
    class AllowedSubjectAltNames
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods
    end

    # {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::CertificateAuthorityPolicy::IssuanceModes IssuanceModes} specifies the allowed ways in which
    # {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates} may be requested from this
    # {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}.
    # @!attribute [rw] allow_csr_based_issuance
    #   @return [::Boolean]
    #     Required. When true, allows callers to create {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates} by
    #     specifying a CSR.
    # @!attribute [rw] allow_config_based_issuance
    #   @return [::Boolean]
    #     Required. When true, allows callers to create {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates} by
    #     specifying a {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateConfig CertificateConfig}.
    class IssuanceModes
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods
    end
  end

  # URLs where a {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority} will publish content.
  # @!attribute [rw] ca_certificate_access_url
  #   @return [::String]
  #     The URL where this {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}'s CA certificate is
  #     published. This will only be set for CAs that have been activated.
  # @!attribute [rw] crl_access_url
  #   @return [::String]
  #     The URL where this {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}'s CRLs are published. This
  #     will only be set for CAs that have been activated.
  class AccessUrls
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # A Cloud KMS key configuration that a {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority} will use.
  # @!attribute [rw] cloud_kms_key_version
  #   @return [::String]
  #     Required. The resource name for an existing Cloud KMS CryptoKeyVersion in the
  #     format
  #     `projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*`.
  #     This option enables full flexibility in the key's capabilities and
  #     properties.
  # @!attribute [rw] algorithm
  #   @return [::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::SignHashAlgorithm]
  #     Required. The algorithm to use for creating a managed Cloud KMS key for a for a
  #     simplified experience. All managed keys will be have their
  #     [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] as `HSM`.
  class KeyVersionSpec
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # @!attribute [rw] key
  #   @return [::String]
  # @!attribute [rw] value
  #   @return [::String]
  class LabelsEntry
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # The type of a {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}, indicating its issuing chain.
  module Type
    # Not specified.
    TYPE_UNSPECIFIED = 0

    # Self-signed CA.
    SELF_SIGNED = 1

    # Subordinate CA. Could be issued by a Private CA {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}
    # or an unmanaged CA.
    SUBORDINATE = 2
  end

  # The tier of a {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}, indicating its supported
  # functionality and/or billing SKU.
  module Tier
    # Not specified.
    TIER_UNSPECIFIED = 0

    # Enterprise tier.
    ENTERPRISE = 1

    # DevOps tier.
    DEVOPS = 2
  end

  # The state of a {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}, indicating if it can be used.
  module State
    # Not specified.
    STATE_UNSPECIFIED = 0

    # Certificates can be issued from this CA. CRLs will be generated for this
    # CA.
    ENABLED = 1

    # Certificates cannot be issued from this CA. CRLs will still be generated.
    DISABLED = 2

    # Certificates cannot be issued from this CA. CRLs will not be generated.
    PENDING_ACTIVATION = 3

    # Certificates cannot be issued from this CA. CRLs will not be generated.
    PENDING_DELETION = 4
  end

  # The algorithm of a Cloud KMS CryptoKeyVersion of a
  # [CryptoKey][google.cloud.kms.v1.CryptoKey] with the
  # [CryptoKeyPurpose][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose] value
  # `ASYMMETRIC_SIGN`. These values correspond to the
  # [CryptoKeyVersionAlgorithm][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm]
  # values. For RSA signing algorithms, the PSS algorithms should be preferred,
  # use PKCS1 algorithms if required for compatibility. For further
  # recommandations, see
  # https://cloud.google.com/kms/docs/algorithms#algorithm_recommendations.
  module SignHashAlgorithm
    # Not specified.
    SIGN_HASH_ALGORITHM_UNSPECIFIED = 0

    # maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PSS_2048_SHA256
    RSA_PSS_2048_SHA256 = 1

    # maps to CryptoKeyVersionAlgorithm. RSA_SIGN_PSS_3072_SHA256
    RSA_PSS_3072_SHA256 = 2

    # maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PSS_4096_SHA256
    RSA_PSS_4096_SHA256 = 3

    # maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_2048_SHA256
    RSA_PKCS1_2048_SHA256 = 6

    # maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_3072_SHA256
    RSA_PKCS1_3072_SHA256 = 7

    # maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_4096_SHA256
    RSA_PKCS1_4096_SHA256 = 8

    # maps to CryptoKeyVersionAlgorithm.EC_SIGN_P256_SHA256
    EC_P256_SHA256 = 4

    # maps to CryptoKeyVersionAlgorithm.EC_SIGN_P384_SHA384
    EC_P384_SHA384 = 5
  end
end

#tier ⇒ ::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::Tier

Returns Required. Immutable. The Tier of this CertificateAuthority.

Returns:

• (::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::Tier) —

  Required. Immutable. The Tier of this CertificateAuthority.

# File 'proto_docs/google/cloud/security/privateca/v1beta1/resources.rb', line 102

class CertificateAuthority
  include ::Google::Protobuf::MessageExts
  extend ::Google::Protobuf::MessageExts::ClassMethods

  # Options that affect all certificates issued by a {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}.
  # @!attribute [rw] include_ca_cert_url
  #   @return [::Boolean]
  #     Required. When true, includes a URL to the issuing CA certificate in the
  #     "authority information access" X.509 extension.
  # @!attribute [rw] include_crl_access_url
  #   @return [::Boolean]
  #     Required. When true, includes a URL to the CRL corresponding to certificates
  #     issued from a {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}.
  #     CRLs will expire 7 days from their creation. However, we will rebuild
  #     daily. CRLs are also rebuilt shortly after a certificate is revoked.
  class IssuingOptions
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # The issuing policy for a {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}.
  # {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates} will not be successfully issued from this
  # {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority} if they violate the policy.
  # @!attribute [rw] allowed_config_list
  #   @return [::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::CertificateAuthorityPolicy::AllowedConfigList]
  #     Optional. All {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates} issued by the {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}
  #     must match at least one listed {::Google::Cloud::Security::PrivateCA::V1beta1::ReusableConfigWrapper ReusableConfigWrapper} in the list.
  # @!attribute [rw] overwrite_config_values
  #   @return [::Google::Cloud::Security::PrivateCA::V1beta1::ReusableConfigWrapper]
  #     Optional. All {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates} issued by the {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}
  #     will use the provided configuration values, overwriting any requested
  #     configuration values.
  # @!attribute [rw] allowed_locations_and_organizations
  #   @return [::Array<::Google::Cloud::Security::PrivateCA::V1beta1::Subject>]
  #     Optional. If any {::Google::Cloud::Security::PrivateCA::V1beta1::Subject Subject} is specified here, then all
  #     {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates} issued by the {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority} must
  #     match at least one listed {::Google::Cloud::Security::PrivateCA::V1beta1::Subject Subject}. If a {::Google::Cloud::Security::PrivateCA::V1beta1::Subject Subject} has an empty
  #     field, any value will be allowed for that field.
  # @!attribute [rw] allowed_common_names
  #   @return [::Array<::String>]
  #     Optional. If any value is specified here, then all
  #     {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates} issued by the {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority} must
  #     match at least one listed value. If no value is specified, all values
  #     will be allowed for this fied. Glob patterns are also supported.
  # @!attribute [rw] allowed_sans
  #   @return [::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::CertificateAuthorityPolicy::AllowedSubjectAltNames]
  #     Optional. If a {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::CertificateAuthorityPolicy::AllowedSubjectAltNames AllowedSubjectAltNames} is specified here, then all
  #     {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates} issued by the {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority} must
  #     match {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::CertificateAuthorityPolicy::AllowedSubjectAltNames AllowedSubjectAltNames}. If no value or an empty value
  #     is specified, any value will be allowed for the {::Google::Cloud::Security::PrivateCA::V1beta1::SubjectAltNames SubjectAltNames}
  #     field.
  # @!attribute [rw] maximum_lifetime
  #   @return [::Google::Protobuf::Duration]
  #     Optional. The maximum lifetime allowed by the {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}. Note that
  #     if the any part if the issuing chain expires before a {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificate}'s
  #     requested maximum_lifetime, the effective lifetime will be explicitly
  #     truncated.
  # @!attribute [rw] allowed_issuance_modes
  #   @return [::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::CertificateAuthorityPolicy::IssuanceModes]
  #     Optional. If specified, then only methods allowed in the {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::CertificateAuthorityPolicy::IssuanceModes IssuanceModes} may be
  #     used to issue {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates}.
  class CertificateAuthorityPolicy
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods

    # @!attribute [rw] allowed_config_values
    #   @return [::Array<::Google::Cloud::Security::PrivateCA::V1beta1::ReusableConfigWrapper>]
    #     Required. All {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates} issued by the {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}
    #     must match at least one listed {::Google::Cloud::Security::PrivateCA::V1beta1::ReusableConfigWrapper ReusableConfigWrapper}. If a
    #     {::Google::Cloud::Security::PrivateCA::V1beta1::ReusableConfigWrapper ReusableConfigWrapper} has an empty field, any value will be
    #     allowed for that field.
    class AllowedConfigList
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods
    end

    # {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::CertificateAuthorityPolicy::AllowedSubjectAltNames AllowedSubjectAltNames} specifies the allowed values for
    # {::Google::Cloud::Security::PrivateCA::V1beta1::SubjectAltNames SubjectAltNames} by the {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority} when issuing
    # {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates}.
    # @!attribute [rw] allowed_dns_names
    #   @return [::Array<::String>]
    #     Optional. Contains valid, fully-qualified host names. Glob patterns are also
    #     supported. To allow an explicit wildcard certificate, escape with
    #     backlash (i.e. `\*`).
    #     E.g. for globbed entries: `*bar.com` will allow `foo.bar.com`, but not
    #     `*.bar.com`, unless the {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::CertificateAuthorityPolicy::AllowedSubjectAltNames#allow_globbing_dns_wildcards allow_globbing_dns_wildcards} field is set.
    #     E.g. for wildcard entries: `\*.bar.com` will allow `*.bar.com`, but not
    #     `foo.bar.com`.
    # @!attribute [rw] allowed_uris
    #   @return [::Array<::String>]
    #     Optional. Contains valid RFC 3986 URIs. Glob patterns are also supported. To
    #     match across path seperators (i.e. '/') use the double star glob
    #     pattern (i.e. '**').
    # @!attribute [rw] allowed_email_addresses
    #   @return [::Array<::String>]
    #     Optional. Contains valid RFC 2822 E-mail addresses. Glob patterns are also
    #     supported.
    # @!attribute [rw] allowed_ips
    #   @return [::Array<::String>]
    #     Optional. Contains valid 32-bit IPv4 addresses and subnet ranges or RFC 4291 IPv6
    #     addresses and subnet ranges. Subnet ranges are specified using the
    #     '/' notation (e.g. 10.0.0.0/8, 2001:700:300:1800::/64). Glob patterns
    #     are supported only for ip address entries (i.e. not for subnet ranges).
    # @!attribute [rw] allow_globbing_dns_wildcards
    #   @return [::Boolean]
    #     Optional. Specifies if glob patterns used for {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::CertificateAuthorityPolicy::AllowedSubjectAltNames#allowed_dns_names allowed_dns_names} allows
    #     wildcard certificates.
    # @!attribute [rw] allow_custom_sans
    #   @return [::Boolean]
    #     Optional. Specifies if to allow custom X509Extension values.
    class AllowedSubjectAltNames
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods
    end

    # {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::CertificateAuthorityPolicy::IssuanceModes IssuanceModes} specifies the allowed ways in which
    # {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates} may be requested from this
    # {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}.
    # @!attribute [rw] allow_csr_based_issuance
    #   @return [::Boolean]
    #     Required. When true, allows callers to create {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates} by
    #     specifying a CSR.
    # @!attribute [rw] allow_config_based_issuance
    #   @return [::Boolean]
    #     Required. When true, allows callers to create {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates} by
    #     specifying a {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateConfig CertificateConfig}.
    class IssuanceModes
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods
    end
  end

  # URLs where a {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority} will publish content.
  # @!attribute [rw] ca_certificate_access_url
  #   @return [::String]
  #     The URL where this {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}'s CA certificate is
  #     published. This will only be set for CAs that have been activated.
  # @!attribute [rw] crl_access_url
  #   @return [::String]
  #     The URL where this {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}'s CRLs are published. This
  #     will only be set for CAs that have been activated.
  class AccessUrls
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # A Cloud KMS key configuration that a {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority} will use.
  # @!attribute [rw] cloud_kms_key_version
  #   @return [::String]
  #     Required. The resource name for an existing Cloud KMS CryptoKeyVersion in the
  #     format
  #     `projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*`.
  #     This option enables full flexibility in the key's capabilities and
  #     properties.
  # @!attribute [rw] algorithm
  #   @return [::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::SignHashAlgorithm]
  #     Required. The algorithm to use for creating a managed Cloud KMS key for a for a
  #     simplified experience. All managed keys will be have their
  #     [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] as `HSM`.
  class KeyVersionSpec
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # @!attribute [rw] key
  #   @return [::String]
  # @!attribute [rw] value
  #   @return [::String]
  class LabelsEntry
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # The type of a {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}, indicating its issuing chain.
  module Type
    # Not specified.
    TYPE_UNSPECIFIED = 0

    # Self-signed CA.
    SELF_SIGNED = 1

    # Subordinate CA. Could be issued by a Private CA {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}
    # or an unmanaged CA.
    SUBORDINATE = 2
  end

  # The tier of a {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}, indicating its supported
  # functionality and/or billing SKU.
  module Tier
    # Not specified.
    TIER_UNSPECIFIED = 0

    # Enterprise tier.
    ENTERPRISE = 1

    # DevOps tier.
    DEVOPS = 2
  end

  # The state of a {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}, indicating if it can be used.
  module State
    # Not specified.
    STATE_UNSPECIFIED = 0

    # Certificates can be issued from this CA. CRLs will be generated for this
    # CA.
    ENABLED = 1

    # Certificates cannot be issued from this CA. CRLs will still be generated.
    DISABLED = 2

    # Certificates cannot be issued from this CA. CRLs will not be generated.
    PENDING_ACTIVATION = 3

    # Certificates cannot be issued from this CA. CRLs will not be generated.
    PENDING_DELETION = 4
  end

  # The algorithm of a Cloud KMS CryptoKeyVersion of a
  # [CryptoKey][google.cloud.kms.v1.CryptoKey] with the
  # [CryptoKeyPurpose][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose] value
  # `ASYMMETRIC_SIGN`. These values correspond to the
  # [CryptoKeyVersionAlgorithm][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm]
  # values. For RSA signing algorithms, the PSS algorithms should be preferred,
  # use PKCS1 algorithms if required for compatibility. For further
  # recommandations, see
  # https://cloud.google.com/kms/docs/algorithms#algorithm_recommendations.
  module SignHashAlgorithm
    # Not specified.
    SIGN_HASH_ALGORITHM_UNSPECIFIED = 0

    # maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PSS_2048_SHA256
    RSA_PSS_2048_SHA256 = 1

    # maps to CryptoKeyVersionAlgorithm. RSA_SIGN_PSS_3072_SHA256
    RSA_PSS_3072_SHA256 = 2

    # maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PSS_4096_SHA256
    RSA_PSS_4096_SHA256 = 3

    # maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_2048_SHA256
    RSA_PKCS1_2048_SHA256 = 6

    # maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_3072_SHA256
    RSA_PKCS1_3072_SHA256 = 7

    # maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_4096_SHA256
    RSA_PKCS1_4096_SHA256 = 8

    # maps to CryptoKeyVersionAlgorithm.EC_SIGN_P256_SHA256
    EC_P256_SHA256 = 4

    # maps to CryptoKeyVersionAlgorithm.EC_SIGN_P384_SHA384
    EC_P384_SHA384 = 5
  end
end

#type ⇒ ::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::Type

Returns Required. Immutable. The Type of this CertificateAuthority.

Returns:

• (::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::Type) —

  Required. Immutable. The Type of this CertificateAuthority.

# File 'proto_docs/google/cloud/security/privateca/v1beta1/resources.rb', line 102

class CertificateAuthority
  include ::Google::Protobuf::MessageExts
  extend ::Google::Protobuf::MessageExts::ClassMethods

  # Options that affect all certificates issued by a {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}.
  # @!attribute [rw] include_ca_cert_url
  #   @return [::Boolean]
  #     Required. When true, includes a URL to the issuing CA certificate in the
  #     "authority information access" X.509 extension.
  # @!attribute [rw] include_crl_access_url
  #   @return [::Boolean]
  #     Required. When true, includes a URL to the CRL corresponding to certificates
  #     issued from a {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}.
  #     CRLs will expire 7 days from their creation. However, we will rebuild
  #     daily. CRLs are also rebuilt shortly after a certificate is revoked.
  class IssuingOptions
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # The issuing policy for a {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}.
  # {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates} will not be successfully issued from this
  # {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority} if they violate the policy.
  # @!attribute [rw] allowed_config_list
  #   @return [::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::CertificateAuthorityPolicy::AllowedConfigList]
  #     Optional. All {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates} issued by the {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}
  #     must match at least one listed {::Google::Cloud::Security::PrivateCA::V1beta1::ReusableConfigWrapper ReusableConfigWrapper} in the list.
  # @!attribute [rw] overwrite_config_values
  #   @return [::Google::Cloud::Security::PrivateCA::V1beta1::ReusableConfigWrapper]
  #     Optional. All {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates} issued by the {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}
  #     will use the provided configuration values, overwriting any requested
  #     configuration values.
  # @!attribute [rw] allowed_locations_and_organizations
  #   @return [::Array<::Google::Cloud::Security::PrivateCA::V1beta1::Subject>]
  #     Optional. If any {::Google::Cloud::Security::PrivateCA::V1beta1::Subject Subject} is specified here, then all
  #     {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates} issued by the {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority} must
  #     match at least one listed {::Google::Cloud::Security::PrivateCA::V1beta1::Subject Subject}. If a {::Google::Cloud::Security::PrivateCA::V1beta1::Subject Subject} has an empty
  #     field, any value will be allowed for that field.
  # @!attribute [rw] allowed_common_names
  #   @return [::Array<::String>]
  #     Optional. If any value is specified here, then all
  #     {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates} issued by the {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority} must
  #     match at least one listed value. If no value is specified, all values
  #     will be allowed for this fied. Glob patterns are also supported.
  # @!attribute [rw] allowed_sans
  #   @return [::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::CertificateAuthorityPolicy::AllowedSubjectAltNames]
  #     Optional. If a {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::CertificateAuthorityPolicy::AllowedSubjectAltNames AllowedSubjectAltNames} is specified here, then all
  #     {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates} issued by the {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority} must
  #     match {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::CertificateAuthorityPolicy::AllowedSubjectAltNames AllowedSubjectAltNames}. If no value or an empty value
  #     is specified, any value will be allowed for the {::Google::Cloud::Security::PrivateCA::V1beta1::SubjectAltNames SubjectAltNames}
  #     field.
  # @!attribute [rw] maximum_lifetime
  #   @return [::Google::Protobuf::Duration]
  #     Optional. The maximum lifetime allowed by the {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}. Note that
  #     if the any part if the issuing chain expires before a {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificate}'s
  #     requested maximum_lifetime, the effective lifetime will be explicitly
  #     truncated.
  # @!attribute [rw] allowed_issuance_modes
  #   @return [::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::CertificateAuthorityPolicy::IssuanceModes]
  #     Optional. If specified, then only methods allowed in the {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::CertificateAuthorityPolicy::IssuanceModes IssuanceModes} may be
  #     used to issue {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates}.
  class CertificateAuthorityPolicy
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods

    # @!attribute [rw] allowed_config_values
    #   @return [::Array<::Google::Cloud::Security::PrivateCA::V1beta1::ReusableConfigWrapper>]
    #     Required. All {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates} issued by the {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}
    #     must match at least one listed {::Google::Cloud::Security::PrivateCA::V1beta1::ReusableConfigWrapper ReusableConfigWrapper}. If a
    #     {::Google::Cloud::Security::PrivateCA::V1beta1::ReusableConfigWrapper ReusableConfigWrapper} has an empty field, any value will be
    #     allowed for that field.
    class AllowedConfigList
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods
    end

    # {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::CertificateAuthorityPolicy::AllowedSubjectAltNames AllowedSubjectAltNames} specifies the allowed values for
    # {::Google::Cloud::Security::PrivateCA::V1beta1::SubjectAltNames SubjectAltNames} by the {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority} when issuing
    # {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates}.
    # @!attribute [rw] allowed_dns_names
    #   @return [::Array<::String>]
    #     Optional. Contains valid, fully-qualified host names. Glob patterns are also
    #     supported. To allow an explicit wildcard certificate, escape with
    #     backlash (i.e. `\*`).
    #     E.g. for globbed entries: `*bar.com` will allow `foo.bar.com`, but not
    #     `*.bar.com`, unless the {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::CertificateAuthorityPolicy::AllowedSubjectAltNames#allow_globbing_dns_wildcards allow_globbing_dns_wildcards} field is set.
    #     E.g. for wildcard entries: `\*.bar.com` will allow `*.bar.com`, but not
    #     `foo.bar.com`.
    # @!attribute [rw] allowed_uris
    #   @return [::Array<::String>]
    #     Optional. Contains valid RFC 3986 URIs. Glob patterns are also supported. To
    #     match across path seperators (i.e. '/') use the double star glob
    #     pattern (i.e. '**').
    # @!attribute [rw] allowed_email_addresses
    #   @return [::Array<::String>]
    #     Optional. Contains valid RFC 2822 E-mail addresses. Glob patterns are also
    #     supported.
    # @!attribute [rw] allowed_ips
    #   @return [::Array<::String>]
    #     Optional. Contains valid 32-bit IPv4 addresses and subnet ranges or RFC 4291 IPv6
    #     addresses and subnet ranges. Subnet ranges are specified using the
    #     '/' notation (e.g. 10.0.0.0/8, 2001:700:300:1800::/64). Glob patterns
    #     are supported only for ip address entries (i.e. not for subnet ranges).
    # @!attribute [rw] allow_globbing_dns_wildcards
    #   @return [::Boolean]
    #     Optional. Specifies if glob patterns used for {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::CertificateAuthorityPolicy::AllowedSubjectAltNames#allowed_dns_names allowed_dns_names} allows
    #     wildcard certificates.
    # @!attribute [rw] allow_custom_sans
    #   @return [::Boolean]
    #     Optional. Specifies if to allow custom X509Extension values.
    class AllowedSubjectAltNames
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods
    end

    # {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::CertificateAuthorityPolicy::IssuanceModes IssuanceModes} specifies the allowed ways in which
    # {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates} may be requested from this
    # {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}.
    # @!attribute [rw] allow_csr_based_issuance
    #   @return [::Boolean]
    #     Required. When true, allows callers to create {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates} by
    #     specifying a CSR.
    # @!attribute [rw] allow_config_based_issuance
    #   @return [::Boolean]
    #     Required. When true, allows callers to create {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates} by
    #     specifying a {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateConfig CertificateConfig}.
    class IssuanceModes
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods
    end
  end

  # URLs where a {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority} will publish content.
  # @!attribute [rw] ca_certificate_access_url
  #   @return [::String]
  #     The URL where this {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}'s CA certificate is
  #     published. This will only be set for CAs that have been activated.
  # @!attribute [rw] crl_access_url
  #   @return [::String]
  #     The URL where this {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}'s CRLs are published. This
  #     will only be set for CAs that have been activated.
  class AccessUrls
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # A Cloud KMS key configuration that a {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority} will use.
  # @!attribute [rw] cloud_kms_key_version
  #   @return [::String]
  #     Required. The resource name for an existing Cloud KMS CryptoKeyVersion in the
  #     format
  #     `projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*`.
  #     This option enables full flexibility in the key's capabilities and
  #     properties.
  # @!attribute [rw] algorithm
  #   @return [::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::SignHashAlgorithm]
  #     Required. The algorithm to use for creating a managed Cloud KMS key for a for a
  #     simplified experience. All managed keys will be have their
  #     [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] as `HSM`.
  class KeyVersionSpec
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # @!attribute [rw] key
  #   @return [::String]
  # @!attribute [rw] value
  #   @return [::String]
  class LabelsEntry
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # The type of a {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}, indicating its issuing chain.
  module Type
    # Not specified.
    TYPE_UNSPECIFIED = 0

    # Self-signed CA.
    SELF_SIGNED = 1

    # Subordinate CA. Could be issued by a Private CA {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}
    # or an unmanaged CA.
    SUBORDINATE = 2
  end

  # The tier of a {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}, indicating its supported
  # functionality and/or billing SKU.
  module Tier
    # Not specified.
    TIER_UNSPECIFIED = 0

    # Enterprise tier.
    ENTERPRISE = 1

    # DevOps tier.
    DEVOPS = 2
  end

  # The state of a {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}, indicating if it can be used.
  module State
    # Not specified.
    STATE_UNSPECIFIED = 0

    # Certificates can be issued from this CA. CRLs will be generated for this
    # CA.
    ENABLED = 1

    # Certificates cannot be issued from this CA. CRLs will still be generated.
    DISABLED = 2

    # Certificates cannot be issued from this CA. CRLs will not be generated.
    PENDING_ACTIVATION = 3

    # Certificates cannot be issued from this CA. CRLs will not be generated.
    PENDING_DELETION = 4
  end

  # The algorithm of a Cloud KMS CryptoKeyVersion of a
  # [CryptoKey][google.cloud.kms.v1.CryptoKey] with the
  # [CryptoKeyPurpose][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose] value
  # `ASYMMETRIC_SIGN`. These values correspond to the
  # [CryptoKeyVersionAlgorithm][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm]
  # values. For RSA signing algorithms, the PSS algorithms should be preferred,
  # use PKCS1 algorithms if required for compatibility. For further
  # recommandations, see
  # https://cloud.google.com/kms/docs/algorithms#algorithm_recommendations.
  module SignHashAlgorithm
    # Not specified.
    SIGN_HASH_ALGORITHM_UNSPECIFIED = 0

    # maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PSS_2048_SHA256
    RSA_PSS_2048_SHA256 = 1

    # maps to CryptoKeyVersionAlgorithm. RSA_SIGN_PSS_3072_SHA256
    RSA_PSS_3072_SHA256 = 2

    # maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PSS_4096_SHA256
    RSA_PSS_4096_SHA256 = 3

    # maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_2048_SHA256
    RSA_PKCS1_2048_SHA256 = 6

    # maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_3072_SHA256
    RSA_PKCS1_3072_SHA256 = 7

    # maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_4096_SHA256
    RSA_PKCS1_4096_SHA256 = 8

    # maps to CryptoKeyVersionAlgorithm.EC_SIGN_P256_SHA256
    EC_P256_SHA256 = 4

    # maps to CryptoKeyVersionAlgorithm.EC_SIGN_P384_SHA384
    EC_P384_SHA384 = 5
  end
end

#update_time ⇒ ::Google::Protobuf::Timestamp (readonly)

Returns Output only. The time at which this CertificateAuthority was updated.

Returns:

• (::Google::Protobuf::Timestamp) —

  Output only. The time at which this CertificateAuthority was updated.

# File 'proto_docs/google/cloud/security/privateca/v1beta1/resources.rb', line 102

class CertificateAuthority
  include ::Google::Protobuf::MessageExts
  extend ::Google::Protobuf::MessageExts::ClassMethods

  # Options that affect all certificates issued by a {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}.
  # @!attribute [rw] include_ca_cert_url
  #   @return [::Boolean]
  #     Required. When true, includes a URL to the issuing CA certificate in the
  #     "authority information access" X.509 extension.
  # @!attribute [rw] include_crl_access_url
  #   @return [::Boolean]
  #     Required. When true, includes a URL to the CRL corresponding to certificates
  #     issued from a {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}.
  #     CRLs will expire 7 days from their creation. However, we will rebuild
  #     daily. CRLs are also rebuilt shortly after a certificate is revoked.
  class IssuingOptions
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # The issuing policy for a {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}.
  # {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates} will not be successfully issued from this
  # {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority} if they violate the policy.
  # @!attribute [rw] allowed_config_list
  #   @return [::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::CertificateAuthorityPolicy::AllowedConfigList]
  #     Optional. All {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates} issued by the {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}
  #     must match at least one listed {::Google::Cloud::Security::PrivateCA::V1beta1::ReusableConfigWrapper ReusableConfigWrapper} in the list.
  # @!attribute [rw] overwrite_config_values
  #   @return [::Google::Cloud::Security::PrivateCA::V1beta1::ReusableConfigWrapper]
  #     Optional. All {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates} issued by the {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}
  #     will use the provided configuration values, overwriting any requested
  #     configuration values.
  # @!attribute [rw] allowed_locations_and_organizations
  #   @return [::Array<::Google::Cloud::Security::PrivateCA::V1beta1::Subject>]
  #     Optional. If any {::Google::Cloud::Security::PrivateCA::V1beta1::Subject Subject} is specified here, then all
  #     {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates} issued by the {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority} must
  #     match at least one listed {::Google::Cloud::Security::PrivateCA::V1beta1::Subject Subject}. If a {::Google::Cloud::Security::PrivateCA::V1beta1::Subject Subject} has an empty
  #     field, any value will be allowed for that field.
  # @!attribute [rw] allowed_common_names
  #   @return [::Array<::String>]
  #     Optional. If any value is specified here, then all
  #     {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates} issued by the {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority} must
  #     match at least one listed value. If no value is specified, all values
  #     will be allowed for this fied. Glob patterns are also supported.
  # @!attribute [rw] allowed_sans
  #   @return [::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::CertificateAuthorityPolicy::AllowedSubjectAltNames]
  #     Optional. If a {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::CertificateAuthorityPolicy::AllowedSubjectAltNames AllowedSubjectAltNames} is specified here, then all
  #     {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates} issued by the {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority} must
  #     match {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::CertificateAuthorityPolicy::AllowedSubjectAltNames AllowedSubjectAltNames}. If no value or an empty value
  #     is specified, any value will be allowed for the {::Google::Cloud::Security::PrivateCA::V1beta1::SubjectAltNames SubjectAltNames}
  #     field.
  # @!attribute [rw] maximum_lifetime
  #   @return [::Google::Protobuf::Duration]
  #     Optional. The maximum lifetime allowed by the {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}. Note that
  #     if the any part if the issuing chain expires before a {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificate}'s
  #     requested maximum_lifetime, the effective lifetime will be explicitly
  #     truncated.
  # @!attribute [rw] allowed_issuance_modes
  #   @return [::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::CertificateAuthorityPolicy::IssuanceModes]
  #     Optional. If specified, then only methods allowed in the {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::CertificateAuthorityPolicy::IssuanceModes IssuanceModes} may be
  #     used to issue {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates}.
  class CertificateAuthorityPolicy
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods

    # @!attribute [rw] allowed_config_values
    #   @return [::Array<::Google::Cloud::Security::PrivateCA::V1beta1::ReusableConfigWrapper>]
    #     Required. All {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates} issued by the {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}
    #     must match at least one listed {::Google::Cloud::Security::PrivateCA::V1beta1::ReusableConfigWrapper ReusableConfigWrapper}. If a
    #     {::Google::Cloud::Security::PrivateCA::V1beta1::ReusableConfigWrapper ReusableConfigWrapper} has an empty field, any value will be
    #     allowed for that field.
    class AllowedConfigList
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods
    end

    # {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::CertificateAuthorityPolicy::AllowedSubjectAltNames AllowedSubjectAltNames} specifies the allowed values for
    # {::Google::Cloud::Security::PrivateCA::V1beta1::SubjectAltNames SubjectAltNames} by the {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority} when issuing
    # {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates}.
    # @!attribute [rw] allowed_dns_names
    #   @return [::Array<::String>]
    #     Optional. Contains valid, fully-qualified host names. Glob patterns are also
    #     supported. To allow an explicit wildcard certificate, escape with
    #     backlash (i.e. `\*`).
    #     E.g. for globbed entries: `*bar.com` will allow `foo.bar.com`, but not
    #     `*.bar.com`, unless the {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::CertificateAuthorityPolicy::AllowedSubjectAltNames#allow_globbing_dns_wildcards allow_globbing_dns_wildcards} field is set.
    #     E.g. for wildcard entries: `\*.bar.com` will allow `*.bar.com`, but not
    #     `foo.bar.com`.
    # @!attribute [rw] allowed_uris
    #   @return [::Array<::String>]
    #     Optional. Contains valid RFC 3986 URIs. Glob patterns are also supported. To
    #     match across path seperators (i.e. '/') use the double star glob
    #     pattern (i.e. '**').
    # @!attribute [rw] allowed_email_addresses
    #   @return [::Array<::String>]
    #     Optional. Contains valid RFC 2822 E-mail addresses. Glob patterns are also
    #     supported.
    # @!attribute [rw] allowed_ips
    #   @return [::Array<::String>]
    #     Optional. Contains valid 32-bit IPv4 addresses and subnet ranges or RFC 4291 IPv6
    #     addresses and subnet ranges. Subnet ranges are specified using the
    #     '/' notation (e.g. 10.0.0.0/8, 2001:700:300:1800::/64). Glob patterns
    #     are supported only for ip address entries (i.e. not for subnet ranges).
    # @!attribute [rw] allow_globbing_dns_wildcards
    #   @return [::Boolean]
    #     Optional. Specifies if glob patterns used for {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::CertificateAuthorityPolicy::AllowedSubjectAltNames#allowed_dns_names allowed_dns_names} allows
    #     wildcard certificates.
    # @!attribute [rw] allow_custom_sans
    #   @return [::Boolean]
    #     Optional. Specifies if to allow custom X509Extension values.
    class AllowedSubjectAltNames
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods
    end

    # {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::CertificateAuthorityPolicy::IssuanceModes IssuanceModes} specifies the allowed ways in which
    # {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates} may be requested from this
    # {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}.
    # @!attribute [rw] allow_csr_based_issuance
    #   @return [::Boolean]
    #     Required. When true, allows callers to create {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates} by
    #     specifying a CSR.
    # @!attribute [rw] allow_config_based_issuance
    #   @return [::Boolean]
    #     Required. When true, allows callers to create {::Google::Cloud::Security::PrivateCA::V1beta1::Certificate Certificates} by
    #     specifying a {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateConfig CertificateConfig}.
    class IssuanceModes
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods
    end
  end

  # URLs where a {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority} will publish content.
  # @!attribute [rw] ca_certificate_access_url
  #   @return [::String]
  #     The URL where this {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}'s CA certificate is
  #     published. This will only be set for CAs that have been activated.
  # @!attribute [rw] crl_access_url
  #   @return [::String]
  #     The URL where this {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}'s CRLs are published. This
  #     will only be set for CAs that have been activated.
  class AccessUrls
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # A Cloud KMS key configuration that a {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority} will use.
  # @!attribute [rw] cloud_kms_key_version
  #   @return [::String]
  #     Required. The resource name for an existing Cloud KMS CryptoKeyVersion in the
  #     format
  #     `projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*`.
  #     This option enables full flexibility in the key's capabilities and
  #     properties.
  # @!attribute [rw] algorithm
  #   @return [::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority::SignHashAlgorithm]
  #     Required. The algorithm to use for creating a managed Cloud KMS key for a for a
  #     simplified experience. All managed keys will be have their
  #     [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] as `HSM`.
  class KeyVersionSpec
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # @!attribute [rw] key
  #   @return [::String]
  # @!attribute [rw] value
  #   @return [::String]
  class LabelsEntry
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # The type of a {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}, indicating its issuing chain.
  module Type
    # Not specified.
    TYPE_UNSPECIFIED = 0

    # Self-signed CA.
    SELF_SIGNED = 1

    # Subordinate CA. Could be issued by a Private CA {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}
    # or an unmanaged CA.
    SUBORDINATE = 2
  end

  # The tier of a {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}, indicating its supported
  # functionality and/or billing SKU.
  module Tier
    # Not specified.
    TIER_UNSPECIFIED = 0

    # Enterprise tier.
    ENTERPRISE = 1

    # DevOps tier.
    DEVOPS = 2
  end

  # The state of a {::Google::Cloud::Security::PrivateCA::V1beta1::CertificateAuthority CertificateAuthority}, indicating if it can be used.
  module State
    # Not specified.
    STATE_UNSPECIFIED = 0

    # Certificates can be issued from this CA. CRLs will be generated for this
    # CA.
    ENABLED = 1

    # Certificates cannot be issued from this CA. CRLs will still be generated.
    DISABLED = 2

    # Certificates cannot be issued from this CA. CRLs will not be generated.
    PENDING_ACTIVATION = 3

    # Certificates cannot be issued from this CA. CRLs will not be generated.
    PENDING_DELETION = 4
  end

  # The algorithm of a Cloud KMS CryptoKeyVersion of a
  # [CryptoKey][google.cloud.kms.v1.CryptoKey] with the
  # [CryptoKeyPurpose][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose] value
  # `ASYMMETRIC_SIGN`. These values correspond to the
  # [CryptoKeyVersionAlgorithm][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm]
  # values. For RSA signing algorithms, the PSS algorithms should be preferred,
  # use PKCS1 algorithms if required for compatibility. For further
  # recommandations, see
  # https://cloud.google.com/kms/docs/algorithms#algorithm_recommendations.
  module SignHashAlgorithm
    # Not specified.
    SIGN_HASH_ALGORITHM_UNSPECIFIED = 0

    # maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PSS_2048_SHA256
    RSA_PSS_2048_SHA256 = 1

    # maps to CryptoKeyVersionAlgorithm. RSA_SIGN_PSS_3072_SHA256
    RSA_PSS_3072_SHA256 = 2

    # maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PSS_4096_SHA256
    RSA_PSS_4096_SHA256 = 3

    # maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_2048_SHA256
    RSA_PKCS1_2048_SHA256 = 6

    # maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_3072_SHA256
    RSA_PKCS1_3072_SHA256 = 7

    # maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_4096_SHA256
    RSA_PKCS1_4096_SHA256 = 8

    # maps to CryptoKeyVersionAlgorithm.EC_SIGN_P256_SHA256
    EC_P256_SHA256 = 4

    # maps to CryptoKeyVersionAlgorithm.EC_SIGN_P384_SHA384
    EC_P384_SHA384 = 5
  end
end