public sealed class CertificateIdentityConstraints : IMessage<CertificateIdentityConstraints>, IEquatable<CertificateIdentityConstraints>, IDeepCloneable<CertificateIdentityConstraints>, IBufferMessage, IMessage
Reference documentation and code samples for the Certificate Authority v1 API class CertificateIdentityConstraints.
Describes constraints on a
[Certificate][google.cloud.security.privateca.v1.Certificate]'s
[Subject][google.cloud.security.privateca.v1.Subject] and
[SubjectAltNames][google.cloud.security.privateca.v1.SubjectAltNames].
public bool AllowSubjectAltNamesPassthrough { get; set; }
Required. If this is true, the
[SubjectAltNames][google.cloud.security.privateca.v1.SubjectAltNames]
extension may be copied from a certificate request into the signed
certificate. Otherwise, the requested
[SubjectAltNames][google.cloud.security.privateca.v1.SubjectAltNames] will
be discarded.
Required. If this is true, the
[Subject][google.cloud.security.privateca.v1.Subject] field may be copied
from a certificate request into the signed certificate. Otherwise, the
requested [Subject][google.cloud.security.privateca.v1.Subject] will be
discarded.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Missing the information I need","missingTheInformationINeed","thumb-down"],["Too complicated / too many steps","tooComplicatedTooManySteps","thumb-down"],["Out of date","outOfDate","thumb-down"],["Samples / code issue","samplesCodeIssue","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-07 UTC."],[[["\u003cp\u003eThe latest version of the \u003ccode\u003eCertificateIdentityConstraints\u003c/code\u003e API is 3.9.0, with documentation also available for versions ranging from 3.8.0 down to 1.0.0.\u003c/p\u003e\n"],["\u003cp\u003e\u003ccode\u003eCertificateIdentityConstraints\u003c/code\u003e is a class within the \u003ccode\u003eGoogle.Cloud.Security.PrivateCA.V1\u003c/code\u003e namespace, used to define constraints on a certificate's Subject and SubjectAltNames.\u003c/p\u003e\n"],["\u003cp\u003eThis class allows configuring whether the Subject and SubjectAltNames can be copied from a certificate request, using the properties \u003ccode\u003eAllowSubjectPassthrough\u003c/code\u003e and \u003ccode\u003eAllowSubjectAltNamesPassthrough\u003c/code\u003e respectively.\u003c/p\u003e\n"],["\u003cp\u003eThe \u003ccode\u003eCertificateIdentityConstraints\u003c/code\u003e class allows for custom validation of X.509 Subjects and Subject Alternative Names using a CEL expression, via the \u003ccode\u003eCelExpression\u003c/code\u003e property.\u003c/p\u003e\n"]]],[],null,["# Certificate Authority v1 API - Class CertificateIdentityConstraints (3.10.0)\n\nVersion latestkeyboard_arrow_down\n\n- [3.10.0 (latest)](/dotnet/docs/reference/Google.Cloud.Security.PrivateCA.V1/latest/Google.Cloud.Security.PrivateCA.V1.CertificateIdentityConstraints)\n- [3.9.0](/dotnet/docs/reference/Google.Cloud.Security.PrivateCA.V1/3.9.0/Google.Cloud.Security.PrivateCA.V1.CertificateIdentityConstraints)\n- [3.8.0](/dotnet/docs/reference/Google.Cloud.Security.PrivateCA.V1/3.8.0/Google.Cloud.Security.PrivateCA.V1.CertificateIdentityConstraints)\n- [3.7.0](/dotnet/docs/reference/Google.Cloud.Security.PrivateCA.V1/3.7.0/Google.Cloud.Security.PrivateCA.V1.CertificateIdentityConstraints)\n- [3.6.0](/dotnet/docs/reference/Google.Cloud.Security.PrivateCA.V1/3.6.0/Google.Cloud.Security.PrivateCA.V1.CertificateIdentityConstraints)\n- [3.5.0](/dotnet/docs/reference/Google.Cloud.Security.PrivateCA.V1/3.5.0/Google.Cloud.Security.PrivateCA.V1.CertificateIdentityConstraints)\n- [3.4.0](/dotnet/docs/reference/Google.Cloud.Security.PrivateCA.V1/3.4.0/Google.Cloud.Security.PrivateCA.V1.CertificateIdentityConstraints)\n- [3.3.0](/dotnet/docs/reference/Google.Cloud.Security.PrivateCA.V1/3.3.0/Google.Cloud.Security.PrivateCA.V1.CertificateIdentityConstraints)\n- [3.2.0](/dotnet/docs/reference/Google.Cloud.Security.PrivateCA.V1/3.2.0/Google.Cloud.Security.PrivateCA.V1.CertificateIdentityConstraints)\n- [3.1.0](/dotnet/docs/reference/Google.Cloud.Security.PrivateCA.V1/3.1.0/Google.Cloud.Security.PrivateCA.V1.CertificateIdentityConstraints)\n- [3.0.0](/dotnet/docs/reference/Google.Cloud.Security.PrivateCA.V1/3.0.0/Google.Cloud.Security.PrivateCA.V1.CertificateIdentityConstraints)\n- [2.3.0](/dotnet/docs/reference/Google.Cloud.Security.PrivateCA.V1/2.3.0/Google.Cloud.Security.PrivateCA.V1.CertificateIdentityConstraints)\n- [2.2.0](/dotnet/docs/reference/Google.Cloud.Security.PrivateCA.V1/2.2.0/Google.Cloud.Security.PrivateCA.V1.CertificateIdentityConstraints)\n- [2.1.0](/dotnet/docs/reference/Google.Cloud.Security.PrivateCA.V1/2.1.0/Google.Cloud.Security.PrivateCA.V1.CertificateIdentityConstraints)\n- [2.0.0](/dotnet/docs/reference/Google.Cloud.Security.PrivateCA.V1/2.0.0/Google.Cloud.Security.PrivateCA.V1.CertificateIdentityConstraints)\n- [1.0.0](/dotnet/docs/reference/Google.Cloud.Security.PrivateCA.V1/1.0.0/Google.Cloud.Security.PrivateCA.V1.CertificateIdentityConstraints) \n\n public sealed class CertificateIdentityConstraints : IMessage\u003cCertificateIdentityConstraints\u003e, IEquatable\u003cCertificateIdentityConstraints\u003e, IDeepCloneable\u003cCertificateIdentityConstraints\u003e, IBufferMessage, IMessage\n\nReference documentation and code samples for the Certificate Authority v1 API class CertificateIdentityConstraints.\n\nDescribes constraints on a\n\\[Certificate\\]\\[google.cloud.security.privateca.v1.Certificate\\]'s\n\\[Subject\\]\\[google.cloud.security.privateca.v1.Subject\\] and\n\\[SubjectAltNames\\]\\[google.cloud.security.privateca.v1.SubjectAltNames\\]. \n\nInheritance\n-----------\n\n[object](https://learn.microsoft.com/dotnet/api/system.object) \\\u003e CertificateIdentityConstraints \n\nImplements\n----------\n\n[IMessage](https://cloud.google.com/dotnet/docs/reference/Google.Protobuf/latest/Google.Protobuf.IMessage-1.html)[CertificateIdentityConstraints](/dotnet/docs/reference/Google.Cloud.Security.PrivateCA.V1/latest/Google.Cloud.Security.PrivateCA.V1.CertificateIdentityConstraints), [IEquatable](https://learn.microsoft.com/dotnet/api/system.iequatable-1)[CertificateIdentityConstraints](/dotnet/docs/reference/Google.Cloud.Security.PrivateCA.V1/latest/Google.Cloud.Security.PrivateCA.V1.CertificateIdentityConstraints), [IDeepCloneable](https://cloud.google.com/dotnet/docs/reference/Google.Protobuf/latest/Google.Protobuf.IDeepCloneable-1.html)[CertificateIdentityConstraints](/dotnet/docs/reference/Google.Cloud.Security.PrivateCA.V1/latest/Google.Cloud.Security.PrivateCA.V1.CertificateIdentityConstraints), [IBufferMessage](https://cloud.google.com/dotnet/docs/reference/Google.Protobuf/latest/Google.Protobuf.IBufferMessage.html), [IMessage](https://cloud.google.com/dotnet/docs/reference/Google.Protobuf/latest/Google.Protobuf.IMessage.html) \n\nInherited Members\n-----------------\n\n[object.GetHashCode()](https://learn.microsoft.com/dotnet/api/system.object.gethashcode) \n[object.GetType()](https://learn.microsoft.com/dotnet/api/system.object.gettype) \n[object.ToString()](https://learn.microsoft.com/dotnet/api/system.object.tostring)\n\nNamespace\n---------\n\n[Google.Cloud.Security.PrivateCA.V1](/dotnet/docs/reference/Google.Cloud.Security.PrivateCA.V1/latest/Google.Cloud.Security.PrivateCA.V1)\n\nAssembly\n--------\n\nGoogle.Cloud.Security.PrivateCA.V1.dll\n\nConstructors\n------------\n\n### CertificateIdentityConstraints()\n\n public CertificateIdentityConstraints()\n\n### CertificateIdentityConstraints(CertificateIdentityConstraints)\n\n public CertificateIdentityConstraints(CertificateIdentityConstraints other)\n\nProperties\n----------\n\n### AllowSubjectAltNamesPassthrough\n\n public bool AllowSubjectAltNamesPassthrough { get; set; }\n\nRequired. If this is true, the\n\\[SubjectAltNames\\]\\[google.cloud.security.privateca.v1.SubjectAltNames\\]\nextension may be copied from a certificate request into the signed\ncertificate. Otherwise, the requested\n\\[SubjectAltNames\\]\\[google.cloud.security.privateca.v1.SubjectAltNames\\] will\nbe discarded.\n\n### AllowSubjectPassthrough\n\n public bool AllowSubjectPassthrough { get; set; }\n\nRequired. If this is true, the\n\\[Subject\\]\\[google.cloud.security.privateca.v1.Subject\\] field may be copied\nfrom a certificate request into the signed certificate. Otherwise, the\nrequested \\[Subject\\]\\[google.cloud.security.privateca.v1.Subject\\] will be\ndiscarded.\n\n### CelExpression\n\n public Expr CelExpression { get; set; }\n\nOptional. A CEL expression that may be used to validate the resolved X.509\nSubject and/or Subject Alternative Name before a certificate is signed. To\nsee the full allowed syntax and some examples, see\n\u003chttps://cloud.google.com/certificate-authority-service/docs/using-cel\u003e\n\n### HasAllowSubjectAltNamesPassthrough\n\n public bool HasAllowSubjectAltNamesPassthrough { get; }\n\nGets whether the \"allow_subject_alt_names_passthrough\" field is set\n\n### HasAllowSubjectPassthrough\n\n public bool HasAllowSubjectPassthrough { get; }\n\nGets whether the \"allow_subject_passthrough\" field is set"]]
