Certificate Authority v1 API - Class CaPool.Types.IssuancePolicy (3.10.0)

Reference documentation and code samples for the Certificate Authority v1 API class CaPool.Types.IssuancePolicy.

Defines controls over all certificate issuance within a [CaPool][google.cloud.security.privateca.v1.CaPool].

Optional. If specified, then only methods allowed in the [IssuanceModes][google.cloud.security.privateca.v1.CaPool.IssuancePolicy.IssuanceModes] may be used to issue [Certificates][google.cloud.security.privateca.v1.Certificate].

Optional. If any [AllowedKeyType][google.cloud.security.privateca.v1.CaPool.IssuancePolicy.AllowedKeyType] is specified, then the certificate request's public key must match one of the key types listed here. Otherwise, any key may be used.

Optional. The duration to backdate all certificates issued from this [CaPool][google.cloud.security.privateca.v1.CaPool]. If not set, the certificates will be issued with a not_before_time of the issuance time (i.e. the current time). If set, the certificates will be issued with a not_before_time of the issuance time minus the backdate_duration. The not_after_time will be adjusted to preserve the requested lifetime. The backdate_duration must be less than or equal to 48 hours.

Optional. A set of X.509 values that will be applied to all certificates issued through this [CaPool][google.cloud.security.privateca.v1.CaPool]. If a certificate request includes conflicting values for the same properties, they will be overwritten by the values defined here. If a certificate request uses a [CertificateTemplate][google.cloud.security.privateca.v1.CertificateTemplate] that defines conflicting [predefined_values][google.cloud.security.privateca.v1.CertificateTemplate.predefined_values] for the same properties, the certificate issuance request will fail.

Optional. Describes constraints on identities that may appear in [Certificates][google.cloud.security.privateca.v1.Certificate] issued through this [CaPool][google.cloud.security.privateca.v1.CaPool]. If this is omitted, then this [CaPool][google.cloud.security.privateca.v1.CaPool] will not add restrictions on a certificate's identity.

Optional. The maximum lifetime allowed for issued [Certificates][google.cloud.security.privateca.v1.Certificate]. Note that if the issuing [CertificateAuthority][google.cloud.security.privateca.v1.CertificateAuthority] expires before a [Certificate][google.cloud.security.privateca.v1.Certificate] resource's requested maximum_lifetime, the effective lifetime will be explicitly truncated to match it.

Optional. Describes the set of X.509 extensions that may appear in a [Certificate][google.cloud.security.privateca.v1.Certificate] issued through this [CaPool][google.cloud.security.privateca.v1.CaPool]. If a certificate request sets extensions that don't appear in the [passthrough_extensions][google.cloud.security.privateca.v1.CaPool.IssuancePolicy.passthrough_extensions], those extensions will be dropped. If a certificate request uses a [CertificateTemplate][google.cloud.security.privateca.v1.CertificateTemplate] with [predefined_values][google.cloud.security.privateca.v1.CertificateTemplate.predefined_values] that don't appear here, the certificate issuance request will fail. If this is omitted, then this [CaPool][google.cloud.security.privateca.v1.CaPool] will not add restrictions on a certificate's X.509 extensions. These constraints do not apply to X.509 extensions set in this [CaPool][google.cloud.security.privateca.v1.CaPool]'s [baseline_values][google.cloud.security.privateca.v1.CaPool.IssuancePolicy.baseline_values].