0
# CA Pool Management
1
2
Certificate Authority pool operations for organizing and managing multiple CAs. Pools provide organizational structure, shared configuration, and policy enforcement for certificate authorities within the same security domain.
3
4
## Capabilities
5
6
### CA Pool Creation
7
8
Creates a new CA pool with specified tier and configuration. Pools serve as containers for certificate authorities and define shared operational parameters.
9
10
```python { .api }
11
def create_ca_pool(
12
self,
13
request: Union[CreateCaPoolRequest, dict] = None,
14
*,
15
parent: str = None,
16
ca_pool: CaPool = None,
17
ca_pool_id: str = None,
18
retry: OptionalRetry = gapic_v1.method.DEFAULT,
19
timeout: Union[float, object] = gapic_v1.method.DEFAULT,
20
metadata: Sequence[Tuple[str, Union[str, bytes]]] = (),
21
) -> operation.Operation:
22
"""
23
Create a new CA pool.
24
25
Args:
26
request: The request object
27
parent: Location path (format: projects/{project}/locations/{location})
28
ca_pool: CA pool configuration
29
ca_pool_id: Unique pool identifier
30
retry: Retry configuration
31
timeout: Request timeout in seconds
32
metadata: Additional metadata
33
34
Returns:
35
operation.Operation: Long-running operation for pool creation
36
"""
37
```
38
39
### CA Pool Information
40
41
Retrieves CA pool details and lists pools within a location.
42
43
```python { .api }
44
def get_ca_pool(
45
self,
46
request: Union[GetCaPoolRequest, dict] = None,
47
*,
48
name: str = None,
49
retry: OptionalRetry = gapic_v1.method.DEFAULT,
50
timeout: Union[float, object] = gapic_v1.method.DEFAULT,
51
metadata: Sequence[Tuple[str, Union[str, bytes]]] = (),
52
) -> CaPool:
53
"""
54
Get a CA pool by name.
55
56
Args:
57
request: The request object
58
name: CA pool resource name
59
retry: Retry configuration
60
timeout: Request timeout in seconds
61
metadata: Additional metadata
62
63
Returns:
64
CaPool: The requested CA pool resource
65
"""
66
67
def list_ca_pools(
68
self,
69
request: Union[ListCaPoolsRequest, dict] = None,
70
*,
71
parent: str = None,
72
retry: OptionalRetry = gapic_v1.method.DEFAULT,
73
timeout: Union[float, object] = gapic_v1.method.DEFAULT,
74
metadata: Sequence[Tuple[str, Union[str, bytes]]] = (),
75
) -> pagers.ListCaPoolsPager:
76
"""
77
List CA pools in a location.
78
79
Args:
80
request: The request object
81
parent: Location path
82
retry: Retry configuration
83
timeout: Request timeout in seconds
84
metadata: Additional metadata
85
86
Returns:
87
pagers.ListCaPoolsPager: Paginated response of CA pools
88
"""
89
```
90
91
### CA Pool Updates and Deletion
92
93
Updates CA pool configuration and deletes pools when no longer needed.
94
95
```python { .api }
96
def update_ca_pool(
97
self,
98
request: Union[UpdateCaPoolRequest, dict] = None,
99
*,
100
ca_pool: CaPool = None,
101
update_mask: field_mask_pb2.FieldMask = None,
102
retry: OptionalRetry = gapic_v1.method.DEFAULT,
103
timeout: Union[float, object] = gapic_v1.method.DEFAULT,
104
metadata: Sequence[Tuple[str, Union[str, bytes]]] = (),
105
) -> operation.Operation:
106
"""
107
Update a CA pool.
108
109
Args:
110
request: The request object
111
ca_pool: CA pool with updated fields
112
update_mask: Fields to update
113
retry: Retry configuration
114
timeout: Request timeout in seconds
115
metadata: Additional metadata
116
117
Returns:
118
operation.Operation: Long-running operation for pool update
119
"""
120
121
def delete_ca_pool(
122
self,
123
request: Union[DeleteCaPoolRequest, dict] = None,
124
*,
125
name: str = None,
126
retry: OptionalRetry = gapic_v1.method.DEFAULT,
127
timeout: Union[float, object] = gapic_v1.method.DEFAULT,
128
metadata: Sequence[Tuple[str, Union[str, bytes]]] = (),
129
) -> operation.Operation:
130
"""
131
Delete a CA pool.
132
133
Args:
134
request: The request object
135
name: CA pool resource name
136
retry: Retry configuration
137
timeout: Request timeout in seconds
138
metadata: Additional metadata
139
140
Returns:
141
operation.Operation: Long-running operation for pool deletion
142
"""
143
```
144
145
### CA Certificate Fetching
146
147
Fetches all CA certificates from a pool for client configuration and trust establishment.
148
149
```python { .api }
150
def fetch_ca_certs(
151
self,
152
request: Union[FetchCaCertsRequest, dict] = None,
153
*,
154
ca_pool: str = None,
155
retry: OptionalRetry = gapic_v1.method.DEFAULT,
156
timeout: Union[float, object] = gapic_v1.method.DEFAULT,
157
metadata: Sequence[Tuple[str, Union[str, bytes]]] = (),
158
) -> FetchCaCertsResponse:
159
"""
160
Fetch CA certificates from a pool.
161
162
Args:
163
request: The request object
164
ca_pool: CA pool resource name
165
retry: Retry configuration
166
timeout: Request timeout in seconds
167
metadata: Additional metadata
168
169
Returns:
170
FetchCaCertsResponse: CA certificates in PEM format
171
"""
172
```
173
174
## Request Types
175
176
```python { .api }
177
class CreateCaPoolRequest:
178
"""Request to create a CA pool."""
179
parent: str # Location path
180
ca_pool_id: str # Unique pool identifier
181
ca_pool: CaPool # Pool configuration
182
request_id: str # Idempotency token
183
184
class GetCaPoolRequest:
185
"""Request to get a CA pool."""
186
name: str # CA pool resource name
187
188
class ListCaPoolsRequest:
189
"""Request to list CA pools."""
190
parent: str # Location path
191
page_size: int # Maximum results per page
192
page_token: str # Pagination token
193
filter: str # Filter expression
194
order_by: str # Sort order
195
196
class UpdateCaPoolRequest:
197
"""Request to update a CA pool."""
198
ca_pool: CaPool # Pool with updates
199
update_mask: field_mask_pb2.FieldMask # Fields to update
200
request_id: str # Idempotency token
201
202
class DeleteCaPoolRequest:
203
"""Request to delete a CA pool."""
204
name: str # CA pool resource name
205
request_id: str # Idempotency token
206
ignore_dependent_resources: bool # Ignore dependent resources
207
208
class FetchCaCertsRequest:
209
"""Request to fetch CA certificates."""
210
ca_pool: str # CA pool resource name
211
request_id: str # Idempotency token
212
213
class FetchCaCertsResponse:
214
"""Response containing CA certificates."""
215
ca_certs: List[CaCert] # List of CA certificates
216
217
class CaCert:
218
"""A CA certificate with metadata."""
219
pem_certificate: str # PEM-encoded certificate
220
```
221
222
## CA Pool Resource Type
223
224
```python { .api }
225
class CaPool:
226
"""A pool of Certificate Authorities."""
227
name: str # Resource name
228
tier: Tier # Service tier (ENTERPRISE or DEVOPS)
229
issuance_policy: IssuancePolicy # Certificate issuance policy
230
publishing_options: PublishingOptions # CRL and certificate publishing options
231
labels: Dict[str, str] # Resource labels
232
233
class IssuancePolicy:
234
"""Policy for certificate issuance."""
235
allowed_key_types: List[AllowedKeyType] # Permitted key types
236
maximum_lifetime: duration_pb2.Duration # Maximum certificate lifetime
237
allowed_issuance_modes: IssuanceModes # Allowed issuance modes
238
baseline_values: X509Parameters # Default X.509 parameters
239
identity_constraints: CertificateIdentityConstraints # Identity constraints
240
passthrough_extensions: CertificateExtensionConstraints # Extension constraints
241
242
class PublishingOptions:
243
"""Options for publishing certificates and CRLs."""
244
publish_ca_cert: bool # Publish CA certificate
245
publish_crl: bool # Publish CRL
246
ca_cert_access_url: str # CA certificate access URL (output only)
247
248
class AllowedKeyType:
249
"""Permitted key type specification."""
250
rsa: RsaKeyType # RSA key parameters
251
elliptic_curve: EcKeyType # Elliptic curve parameters
252
253
class RsaKeyType:
254
"""RSA key type specification."""
255
min_modulus_size: int # Minimum key size in bits
256
max_modulus_size: int # Maximum key size in bits
257
258
class EcKeyType:
259
"""Elliptic curve key type specification."""
260
signature_algorithm: EcSignatureAlgorithm # Signature algorithm
261
262
class IssuanceModes:
263
"""Allowed certificate issuance modes."""
264
allow_csr_based_issuance: bool # Allow CSR-based issuance
265
allow_config_based_issuance: bool # Allow config-based issuance
266
```
267
268
## Usage Examples
269
270
### Creating a CA Pool
271
272
```python
273
from google.cloud.security.privateca import (
274
CertificateAuthorityServiceClient,
275
CaPool,
276
IssuancePolicy,
277
PublishingOptions,
278
AllowedKeyType,
279
RsaKeyType
280
)
281
282
client = CertificateAuthorityServiceClient()
283
284
# Configure issuance policy
285
issuance_policy = IssuancePolicy(
286
maximum_lifetime={"seconds": 86400 * 365}, # 1 year max
287
allowed_key_types=[
288
AllowedKeyType(
289
rsa=RsaKeyType(
290
min_modulus_size=2048,
291
max_modulus_size=4096
292
)
293
)
294
],
295
allowed_issuance_modes={
296
"allow_csr_based_issuance": True,
297
"allow_config_based_issuance": False
298
}
299
)
300
301
# Configure publishing options
302
publishing_options = PublishingOptions(
303
publish_ca_cert=True,
304
publish_crl=True
305
)
306
307
# Create the pool
308
ca_pool = CaPool(
309
tier=CaPool.Tier.ENTERPRISE,
310
issuance_policy=issuance_policy,
311
publishing_options=publishing_options,
312
labels={"environment": "production", "team": "security"}
313
)
314
315
parent = "projects/my-project/locations/us-central1"
316
operation = client.create_ca_pool(
317
parent=parent,
318
ca_pool_id="production-ca-pool",
319
ca_pool=ca_pool
320
)
321
322
result = operation.result()
323
print(f"Created CA pool: {result.name}")
324
```
325
326
### Listing and Managing CA Pools
327
328
```python
329
# List all pools in location
330
parent = "projects/my-project/locations/us-central1"
331
pools = client.list_ca_pools(parent=parent)
332
333
for pool in pools:
334
print(f"Pool: {pool.name}")
335
print(f"Tier: {pool.tier}")
336
print(f"Labels: {pool.labels}")
337
338
# Get specific pool details
339
pool_name = "projects/my-project/locations/us-central1/caPools/production-ca-pool"
340
pool = client.get_ca_pool(name=pool_name)
341
342
print(f"Pool tier: {pool.tier}")
343
print(f"Max certificate lifetime: {pool.issuance_policy.maximum_lifetime}")
344
print(f"Publish CRL: {pool.publishing_options.publish_crl}")
345
```
346
347
### Updating CA Pool Configuration
348
349
```python
350
from google.protobuf import field_mask_pb2
351
352
# Update pool labels and publishing options
353
pool_name = "projects/my-project/locations/us-central1/caPools/production-ca-pool"
354
355
updated_pool = CaPool(
356
name=pool_name,
357
labels={"environment": "production", "team": "security", "updated": "true"},
358
publishing_options=PublishingOptions(
359
publish_ca_cert=True,
360
publish_crl=False # Disable CRL publishing
361
)
362
)
363
364
update_mask = field_mask_pb2.FieldMask(
365
paths=["labels", "publishing_options.publish_crl"]
366
)
367
368
operation = client.update_ca_pool(
369
ca_pool=updated_pool,
370
update_mask=update_mask
371
)
372
373
result = operation.result()
374
print(f"Updated pool: {result.name}")
375
print(f"New labels: {result.labels}")
376
```
377
378
### Fetching CA Certificates
379
380
```python
381
# Fetch all CA certificates from a pool
382
pool_name = "projects/my-project/locations/us-central1/caPools/production-ca-pool"
383
response = client.fetch_ca_certs(ca_pool=pool_name)
384
385
print(f"Found {len(response.ca_certs)} CA certificates:")
386
for ca_cert in response.ca_certs:
387
print(f"Certificate:\n{ca_cert.pem_certificate}")
388
389
# Save certificates to file for client configuration
390
with open("ca-certificates.pem", "w") as f:
391
for ca_cert in response.ca_certs:
392
f.write(ca_cert.pem_certificate)
393
f.write("\n")
394
395
print("CA certificates saved to ca-certificates.pem")
396
```
397
398
### Deleting a CA Pool
399
400
```python
401
# Delete a CA pool (must be empty)
402
pool_name = "projects/my-project/locations/us-central1/caPools/old-pool"
403
404
operation = client.delete_ca_pool(
405
name=pool_name,
406
ignore_dependent_resources=False # Fail if pool contains CAs
407
)
408
409
try:
410
operation.result()
411
print(f"Deleted pool: {pool_name}")
412
except Exception as e:
413
print(f"Failed to delete pool: {e}")
414
# Pool likely contains CAs or certificates
415
```