0
# Certificate Templates
1
2
Template-based certificate issuance with predefined configurations, constraints, and policies. Templates standardize certificate properties, enforce organizational policies, and simplify bulk certificate operations by providing reusable certificate configurations.
3
4
## Capabilities
5
6
### Certificate Template Creation
7
8
Creates a new certificate template with predefined X.509 parameters, subject constraints, and key usage specifications.
9
10
```python { .api }
11
def create_certificate_template(
12
self,
13
request: Union[CreateCertificateTemplateRequest, dict] = None,
14
*,
15
parent: str = None,
16
certificate_template: CertificateTemplate = None,
17
certificate_template_id: str = None,
18
retry: OptionalRetry = gapic_v1.method.DEFAULT,
19
timeout: Union[float, object] = gapic_v1.method.DEFAULT,
20
metadata: Sequence[Tuple[str, Union[str, bytes]]] = (),
21
) -> operation.Operation:
22
"""
23
Create a new certificate template.
24
25
Args:
26
request: The request object
27
parent: Location path (format: projects/{project}/locations/{location})
28
certificate_template: Template configuration
29
certificate_template_id: Unique template identifier
30
retry: Retry configuration
31
timeout: Request timeout in seconds
32
metadata: Additional metadata
33
34
Returns:
35
operation.Operation: Long-running operation for template creation
36
"""
37
```
38
39
### Certificate Template Information
40
41
Retrieves certificate template details and lists templates within a location.
42
43
```python { .api }
44
def get_certificate_template(
45
self,
46
request: Union[GetCertificateTemplateRequest, dict] = None,
47
*,
48
name: str = None,
49
retry: OptionalRetry = gapic_v1.method.DEFAULT,
50
timeout: Union[float, object] = gapic_v1.method.DEFAULT,
51
metadata: Sequence[Tuple[str, Union[str, bytes]]] = (),
52
) -> CertificateTemplate:
53
"""
54
Get a certificate template by name.
55
56
Args:
57
request: The request object
58
name: Template resource name
59
retry: Retry configuration
60
timeout: Request timeout in seconds
61
metadata: Additional metadata
62
63
Returns:
64
CertificateTemplate: The requested template resource
65
"""
66
67
def list_certificate_templates(
68
self,
69
request: Union[ListCertificateTemplatesRequest, dict] = None,
70
*,
71
parent: str = None,
72
retry: OptionalRetry = gapic_v1.method.DEFAULT,
73
timeout: Union[float, object] = gapic_v1.method.DEFAULT,
74
metadata: Sequence[Tuple[str, Union[str, bytes]]] = (),
75
) -> pagers.ListCertificateTemplatesPager:
76
"""
77
List certificate templates in a location.
78
79
Args:
80
request: The request object
81
parent: Location path
82
retry: Retry configuration
83
timeout: Request timeout in seconds
84
metadata: Additional metadata
85
86
Returns:
87
pagers.ListCertificateTemplatesPager: Paginated response of templates
88
"""
89
```
90
91
### Certificate Template Management
92
93
Updates and deletes certificate templates to maintain current organizational policies.
94
95
```python { .api }
96
def update_certificate_template(
97
self,
98
request: Union[UpdateCertificateTemplateRequest, dict] = None,
99
*,
100
certificate_template: CertificateTemplate = None,
101
update_mask: field_mask_pb2.FieldMask = None,
102
retry: OptionalRetry = gapic_v1.method.DEFAULT,
103
timeout: Union[float, object] = gapic_v1.method.DEFAULT,
104
metadata: Sequence[Tuple[str, Union[str, bytes]]] = (),
105
) -> operation.Operation:
106
"""
107
Update a certificate template.
108
109
Args:
110
request: The request object
111
certificate_template: Template with updated fields
112
update_mask: Fields to update
113
retry: Retry configuration
114
timeout: Request timeout in seconds
115
metadata: Additional metadata
116
117
Returns:
118
operation.Operation: Long-running operation for template update
119
"""
120
121
def delete_certificate_template(
122
self,
123
request: Union[DeleteCertificateTemplateRequest, dict] = None,
124
*,
125
name: str = None,
126
retry: OptionalRetry = gapic_v1.method.DEFAULT,
127
timeout: Union[float, object] = gapic_v1.method.DEFAULT,
128
metadata: Sequence[Tuple[str, Union[str, bytes]]] = (),
129
) -> operation.Operation:
130
"""
131
Delete a certificate template.
132
133
Args:
134
request: The request object
135
name: Template resource name
136
retry: Retry configuration
137
timeout: Request timeout in seconds
138
metadata: Additional metadata
139
140
Returns:
141
operation.Operation: Long-running operation for template deletion
142
"""
143
```
144
145
## Request Types
146
147
```python { .api }
148
class CreateCertificateTemplateRequest:
149
"""Request to create a certificate template."""
150
parent: str # Location path
151
certificate_template_id: str # Unique template identifier
152
certificate_template: CertificateTemplate # Template configuration
153
request_id: str # Idempotency token
154
155
class GetCertificateTemplateRequest:
156
"""Request to get a certificate template."""
157
name: str # Template resource name
158
159
class ListCertificateTemplatesRequest:
160
"""Request to list certificate templates."""
161
parent: str # Location path
162
page_size: int # Maximum results per page
163
page_token: str # Pagination token
164
filter: str # Filter expression
165
order_by: str # Sort order
166
167
class UpdateCertificateTemplateRequest:
168
"""Request to update a certificate template."""
169
certificate_template: CertificateTemplate # Template with updates
170
update_mask: field_mask_pb2.FieldMask # Fields to update
171
request_id: str # Idempotency token
172
173
class DeleteCertificateTemplateRequest:
174
"""Request to delete a certificate template."""
175
name: str # Template resource name
176
request_id: str # Idempotency token
177
```
178
179
## Certificate Template Resource Type
180
181
```python { .api }
182
class CertificateTemplate:
183
"""A reusable template for certificate issuance."""
184
name: str # Resource name
185
predefined_values: X509Parameters # Default X.509 parameters
186
identity_constraints: CertificateIdentityConstraints # Subject constraints
187
passthrough_extensions: CertificateExtensionConstraints # Extension constraints
188
description: str # Human-readable description
189
create_time: timestamp_pb2.Timestamp # Creation time (output only)
190
update_time: timestamp_pb2.Timestamp # Last update time (output only)
191
labels: Dict[str, str] # Resource labels
192
193
class CertificateIdentityConstraints:
194
"""Constraints on certificate subject identity."""
195
cel_expression: expr_pb2.Expr # CEL expression for validation
196
allow_subject_passthrough: bool # Allow subject from CSR
197
allow_subject_alt_names_passthrough: bool # Allow SANs from CSR
198
199
class CertificateExtensionConstraints:
200
"""Constraints on certificate extensions."""
201
known_extensions: List[KnownCertificateExtension] # Known extension handling
202
additional_extensions: List[ObjectId] # Additional allowed extensions
203
204
class KnownCertificateExtension:
205
"""Handling for known certificate extensions."""
206
extension_type: KnownExtensionType # Extension type
207
is_critical: bool # Critical flag
208
passthrough: bool # Pass through from CSR
209
```
210
211
## Usage Examples
212
213
### Creating a Web Server Certificate Template
214
215
```python
216
from google.cloud.security.privateca import (
217
CertificateAuthorityServiceClient,
218
CertificateTemplate,
219
X509Parameters,
220
CertificateIdentityConstraints,
221
CertificateExtensionConstraints,
222
KeyUsage
223
)
224
225
client = CertificateAuthorityServiceClient()
226
227
# Define X.509 parameters for web server certificates
228
x509_params = X509Parameters(
229
key_usage=KeyUsage(
230
base_key_usage={
231
"digital_signature": True,
232
"key_encipherment": True
233
},
234
extended_key_usage={
235
"server_auth": True,
236
"client_auth": False
237
}
238
),
239
ca_options={"is_ca": False},
240
policy_ids=[
241
{"object_id_path": [1, 3, 6, 1, 4, 1, 11129, 2, 5, 3]} # CT precertificate
242
]
243
)
244
245
# Define identity constraints
246
identity_constraints = CertificateIdentityConstraints(
247
allow_subject_passthrough=True,
248
allow_subject_alt_names_passthrough=True
249
)
250
251
# Create the template
252
template = CertificateTemplate(
253
predefined_values=x509_params,
254
identity_constraints=identity_constraints,
255
description="Template for web server certificates with standard TLS configuration",
256
labels={"type": "web-server", "environment": "production"}
257
)
258
259
parent = "projects/my-project/locations/us-central1"
260
operation = client.create_certificate_template(
261
parent=parent,
262
certificate_template_id="web-server-template",
263
certificate_template=template
264
)
265
266
result = operation.result()
267
print(f"Created template: {result.name}")
268
```
269
270
### Creating a Client Authentication Template
271
272
```python
273
# Define X.509 parameters for client authentication
274
client_x509_params = X509Parameters(
275
key_usage=KeyUsage(
276
base_key_usage={
277
"digital_signature": True,
278
"key_agreement": True
279
},
280
extended_key_usage={
281
"server_auth": False,
282
"client_auth": True,
283
"email_protection": True
284
}
285
),
286
ca_options={"is_ca": False}
287
)
288
289
# More restrictive identity constraints for client certs
290
client_identity_constraints = CertificateIdentityConstraints(
291
allow_subject_passthrough=False, # Enforce template subject
292
allow_subject_alt_names_passthrough=True
293
)
294
295
client_template = CertificateTemplate(
296
predefined_values=client_x509_params,
297
identity_constraints=client_identity_constraints,
298
description="Template for client authentication certificates",
299
labels={"type": "client-auth", "security-level": "high"}
300
)
301
302
operation = client.create_certificate_template(
303
parent=parent,
304
certificate_template_id="client-auth-template",
305
certificate_template=client_template
306
)
307
308
result = operation.result()
309
print(f"Created client template: {result.name}")
310
```
311
312
### Using Templates for Certificate Creation
313
314
```python
315
from google.cloud.security.privateca import Certificate
316
317
# Create certificate using template
318
template_name = "projects/my-project/locations/us-central1/certificateTemplates/web-server-template"
319
320
certificate = Certificate(
321
certificate_template=template_name,
322
pem_csr="-----BEGIN CERTIFICATE REQUEST-----\n...\n-----END CERTIFICATE REQUEST-----",
323
lifetime={"seconds": 86400 * 90} # 90 days
324
)
325
326
parent = "projects/my-project/locations/us-central1/caPools/my-ca-pool"
327
created_cert = client.create_certificate(
328
parent=parent,
329
certificate_id="web-server-001",
330
certificate=certificate
331
)
332
333
print(f"Created certificate using template: {created_cert.name}")
334
print(f"Template used: {created_cert.certificate_template}")
335
```
336
337
### Managing Certificate Templates
338
339
```python
340
# List all templates
341
parent = "projects/my-project/locations/us-central1"
342
templates = client.list_certificate_templates(parent=parent)
343
344
for template in templates:
345
print(f"Template: {template.name}")
346
print(f"Description: {template.description}")
347
print(f"Labels: {template.labels}")
348
349
# Update template description
350
template_name = "projects/my-project/locations/us-central1/certificateTemplates/web-server-template"
351
352
updated_template = CertificateTemplate(
353
name=template_name,
354
description="Updated: Template for web server certificates with enhanced security",
355
labels={"type": "web-server", "environment": "production", "version": "2.0"}
356
)
357
358
from google.protobuf import field_mask_pb2
359
update_mask = field_mask_pb2.FieldMask(paths=["description", "labels"])
360
361
operation = client.update_certificate_template(
362
certificate_template=updated_template,
363
update_mask=update_mask
364
)
365
366
result = operation.result()
367
print(f"Updated template: {result.name}")
368
369
# Delete template
370
old_template_name = "projects/my-project/locations/us-central1/certificateTemplates/old-template"
371
operation = client.delete_certificate_template(name=old_template_name)
372
operation.result()
373
print(f"Deleted template: {old_template_name}")
374
```
375
376
### Advanced Template with Extension Constraints
377
378
```python
379
from google.type import expr_pb2
380
381
# Create template with CEL expression for validation
382
advanced_template = CertificateTemplate(
383
predefined_values=X509Parameters(
384
key_usage=KeyUsage(
385
base_key_usage={"digital_signature": True, "key_encipherment": True},
386
extended_key_usage={"server_auth": True}
387
)
388
),
389
identity_constraints=CertificateIdentityConstraints(
390
# Only allow certificates for specific domains
391
cel_expression=expr_pb2.Expr(
392
expression='subject_alt_names.all(san, san.type == DNS && (san.value.endsWith(".example.com") || san.value == "example.com"))'
393
),
394
allow_subject_passthrough=True,
395
allow_subject_alt_names_passthrough=True
396
),
397
passthrough_extensions=CertificateExtensionConstraints(
398
additional_extensions=[
399
{"object_id_path": [1, 3, 6, 1, 4, 1, 11129, 2, 4, 2]} # CT poison extension
400
]
401
),
402
description="Advanced template with domain validation and CT support",
403
labels={"type": "domain-validated", "ct-enabled": "true"}
404
)
405
406
operation = client.create_certificate_template(
407
parent=parent,
408
certificate_template_id="advanced-web-template",
409
certificate_template=advanced_template
410
)
411
412
result = operation.result()
413
print(f"Created advanced template: {result.name}")
414
```