0
# Certificate Management
1
2
Core certificate lifecycle operations including creation, retrieval, listing, revocation, and metadata updates. Supports X.509 certificates with comprehensive configuration options, certificate signing requests (CSRs), and various certificate formats.
3
4
## Capabilities
5
6
### Certificate Creation
7
8
Creates a new certificate within a CA pool using either a certificate signing request (CSR) or automatic key generation. Supports various certificate types including end-entity certificates and certificate authorities.
9
10
```python { .api }
11
def create_certificate(
12
self,
13
request: Union[CreateCertificateRequest, dict] = None,
14
*,
15
parent: str = None,
16
certificate: Certificate = None,
17
certificate_id: str = None,
18
retry: OptionalRetry = gapic_v1.method.DEFAULT,
19
timeout: Union[float, object] = gapic_v1.method.DEFAULT,
20
metadata: Sequence[Tuple[str, Union[str, bytes]]] = (),
21
) -> Certificate:
22
"""
23
Create a new certificate in a CA pool.
24
25
Args:
26
request: The request object with certificate details
27
parent: CA pool path (format: projects/{project}/locations/{location}/caPools/{ca_pool})
28
certificate: Certificate configuration and CSR
29
certificate_id: Unique identifier for the certificate
30
retry: Retry configuration for the request
31
timeout: Request timeout in seconds
32
metadata: Additional metadata as (key, value) pairs as (key, value) pairs
33
34
Returns:
35
Certificate: The created certificate resource
36
37
Raises:
38
google.api_core.exceptions.GoogleAPIError: If the request fails
39
"""
40
```
41
42
### Certificate Retrieval
43
44
Retrieves a specific certificate by its resource name, including all certificate details, metadata, and current status.
45
46
```python { .api }
47
def get_certificate(
48
self,
49
request: Union[GetCertificateRequest, dict] = None,
50
*,
51
name: str = None,
52
retry: OptionalRetry = gapic_v1.method.DEFAULT,
53
timeout: Union[float, object] = gapic_v1.method.DEFAULT,
54
metadata: Sequence[Tuple[str, Union[str, bytes]]] = (),
55
) -> Certificate:
56
"""
57
Get a certificate by name.
58
59
Args:
60
request: The request object
61
name: Certificate resource name (format: projects/{project}/locations/{location}/caPools/{ca_pool}/certificates/{certificate})
62
retry: Retry configuration
63
timeout: Request timeout in seconds
64
metadata: Additional metadata as (key, value) pairs
65
66
Returns:
67
Certificate: The requested certificate resource
68
"""
69
```
70
71
### Certificate Listing
72
73
Lists certificates within a CA pool with optional filtering and pagination. Supports ordering by creation time and filtering by certificate state.
74
75
```python { .api }
76
def list_certificates(
77
self,
78
request: Union[ListCertificatesRequest, dict] = None,
79
*,
80
parent: str = None,
81
retry: OptionalRetry = gapic_v1.method.DEFAULT,
82
timeout: Union[float, object] = gapic_v1.method.DEFAULT,
83
metadata: Sequence[Tuple[str, Union[str, bytes]]] = (),
84
) -> pagers.ListCertificatesPager:
85
"""
86
List certificates in a CA pool.
87
88
Args:
89
request: The request object
90
parent: CA pool path
91
retry: Retry configuration
92
timeout: Request timeout in seconds
93
metadata: Additional metadata as (key, value) pairs
94
95
Returns:
96
pagers.ListCertificatesPager: Paginated response of certificates
97
"""
98
```
99
100
### Certificate Revocation
101
102
Revokes a certificate, marking it as invalid and adding it to the Certificate Revocation List (CRL). Supports various revocation reasons and immediate revocation.
103
104
```python { .api }
105
def revoke_certificate(
106
self,
107
request: Union[RevokeCertificateRequest, dict] = None,
108
*,
109
name: str = None,
110
retry: OptionalRetry = gapic_v1.method.DEFAULT,
111
timeout: Union[float, object] = gapic_v1.method.DEFAULT,
112
metadata: Sequence[Tuple[str, Union[str, bytes]]] = (),
113
) -> Certificate:
114
"""
115
Revoke a certificate.
116
117
Args:
118
request: The request object containing revocation details
119
name: Certificate resource name
120
retry: Retry configuration
121
timeout: Request timeout in seconds
122
metadata: Additional metadata as (key, value) pairs
123
124
Returns:
125
Certificate: The revoked certificate with updated status
126
"""
127
```
128
129
### Certificate Updates
130
131
Updates certificate metadata and labels. Note that certificate content cannot be modified after creation, only metadata fields.
132
133
```python { .api }
134
def update_certificate(
135
self,
136
request: Union[UpdateCertificateRequest, dict] = None,
137
*,
138
certificate: Certificate = None,
139
update_mask: field_mask_pb2.FieldMask = None,
140
retry: OptionalRetry = gapic_v1.method.DEFAULT,
141
timeout: Union[float, object] = gapic_v1.method.DEFAULT,
142
metadata: Sequence[Tuple[str, Union[str, bytes]]] = (),
143
) -> Certificate:
144
"""
145
Update certificate metadata.
146
147
Args:
148
request: The request object
149
certificate: Certificate with updated fields
150
update_mask: Fields to update
151
retry: Retry configuration
152
timeout: Request timeout in seconds
153
metadata: Additional metadata as (key, value) pairs
154
155
Returns:
156
Certificate: Updated certificate resource
157
"""
158
```
159
160
## Request Types
161
162
```python { .api }
163
class CreateCertificateRequest:
164
"""Request to create a certificate."""
165
parent: str # CA pool path
166
certificate_id: str # Unique certificate identifier
167
certificate: Certificate # Certificate configuration
168
request_id: str # Idempotency token
169
validate_only: bool # Validation-only mode
170
issuing_certificate_authority_id: str # Specific CA to use
171
172
class GetCertificateRequest:
173
"""Request to get a certificate."""
174
name: str # Certificate resource name
175
176
class ListCertificatesRequest:
177
"""Request to list certificates."""
178
parent: str # CA pool path
179
page_size: int # Maximum results per page
180
page_token: str # Pagination token
181
filter: str # Filter expression
182
order_by: str # Sort order
183
184
class RevokeCertificateRequest:
185
"""Request to revoke a certificate."""
186
name: str # Certificate resource name
187
reason: RevocationReason # Reason for revocation
188
request_id: str # Idempotency token
189
190
class UpdateCertificateRequest:
191
"""Request to update a certificate."""
192
certificate: Certificate # Certificate with updates
193
update_mask: field_mask_pb2.FieldMask # Fields to update
194
request_id: str # Idempotency token
195
```
196
197
## Certificate Resource Type
198
199
```python { .api }
200
class Certificate:
201
"""A certificate issued by a Certificate Authority."""
202
name: str # Resource name
203
pem_csr: str # PEM-encoded certificate signing request
204
config: CertificateConfig # Certificate configuration
205
lifetime: duration_pb2.Duration # Certificate lifetime
206
certificate_template: str # Template used
207
subject_mode: SubjectRequestMode # Subject handling mode
208
revocation_details: RevocationDetails # Revocation information (if revoked)
209
pem_certificate: str # PEM-encoded certificate (output only)
210
certificate_description: CertificateDescription # Parsed certificate details (output only)
211
pem_certificate_chain: List[str] # Certificate chain (output only)
212
create_time: timestamp_pb2.Timestamp # Creation time (output only)
213
update_time: timestamp_pb2.Timestamp # Last update time (output only)
214
labels: Dict[str, str] # Resource labels
215
216
class CertificateConfig:
217
"""Certificate configuration for creation."""
218
subject_config: SubjectConfig # Certificate subject
219
x509_config: X509Parameters # X.509 parameters
220
public_key: PublicKey # Public key (for CSR mode)
221
222
class RevocationDetails:
223
"""Details about certificate revocation."""
224
revocation_state: RevocationState # Current revocation state
225
revocation_time: timestamp_pb2.Timestamp # When revoked
226
revocation_reason: RevocationReason # Reason for revocation
227
```
228
229
## Usage Examples
230
231
### Creating a Certificate with CSR
232
233
```python
234
from google.cloud.security.privateca import CertificateAuthorityServiceClient
235
from google.cloud.security.privateca import Certificate, CertificateConfig
236
237
client = CertificateAuthorityServiceClient()
238
239
# Prepare certificate configuration
240
certificate = Certificate(
241
pem_csr="-----BEGIN CERTIFICATE REQUEST-----\n...\n-----END CERTIFICATE REQUEST-----",
242
lifetime={"seconds": 86400 * 365} # 1 year
243
)
244
245
# Create the certificate
246
parent = "projects/my-project/locations/us-central1/caPools/my-ca-pool"
247
response = client.create_certificate(
248
parent=parent,
249
certificate_id="my-certificate",
250
certificate=certificate
251
)
252
253
print(f"Created certificate: {response.name}")
254
print(f"PEM certificate:\n{response.pem_certificate}")
255
```
256
257
### Listing and Filtering Certificates
258
259
```python
260
# List all certificates
261
parent = "projects/my-project/locations/us-central1/caPools/my-ca-pool"
262
certificates = client.list_certificates(parent=parent)
263
264
for certificate in certificates:
265
print(f"Certificate: {certificate.name}")
266
print(f"Status: {certificate.revocation_details.revocation_state if certificate.revocation_details else 'ACTIVE'}")
267
268
# List with filtering
269
filtered_certificates = client.list_certificates(
270
parent=parent,
271
filter='labels.environment="production"',
272
order_by="create_time desc"
273
)
274
```
275
276
### Revoking a Certificate
277
278
```python
279
from google.cloud.security.privateca import RevokeCertificateRequest, RevocationReason
280
281
certificate_name = "projects/my-project/locations/us-central1/caPools/my-ca-pool/certificates/my-certificate"
282
283
revoked_cert = client.revoke_certificate(
284
name=certificate_name,
285
reason=RevocationReason.KEY_COMPROMISE
286
)
287
288
print(f"Certificate revoked: {revoked_cert.name}")
289
print(f"Revocation time: {revoked_cert.revocation_details.revocation_time}")
290
```