tessl/pypi-google-cloud-private-ca
Google Cloud Private Certificate Authority API client library for certificate lifecycle management
—
Pending
ca-pool-management.mddocs/
CA Pool Management
Certificate Authority pool operations for organizing and managing multiple CAs. Pools provide organizational structure, shared configuration, and policy enforcement for certificate authorities within the same security domain.
Capabilities
CA Pool Creation
Creates a new CA pool with specified tier and configuration. Pools serve as containers for certificate authorities and define shared operational parameters.
def create_ca_pool(
self,
request: Union[CreateCaPoolRequest, dict] = None,
*,
parent: str = None,
ca_pool: CaPool = None,
ca_pool_id: str = None,
retry: OptionalRetry = gapic_v1.method.DEFAULT,
timeout: Union[float, object] = gapic_v1.method.DEFAULT,
metadata: Sequence[Tuple[str, Union[str, bytes]]] = (),
) -> operation.Operation:
"""
Create a new CA pool.
Args:
request: The request object
parent: Location path (format: projects/{project}/locations/{location})
ca_pool: CA pool configuration
ca_pool_id: Unique pool identifier
retry: Retry configuration
timeout: Request timeout in seconds
metadata: Additional metadata
Returns:
operation.Operation: Long-running operation for pool creation
"""CA Pool Information
Retrieves CA pool details and lists pools within a location.
def get_ca_pool(
self,
request: Union[GetCaPoolRequest, dict] = None,
*,
name: str = None,
retry: OptionalRetry = gapic_v1.method.DEFAULT,
timeout: Union[float, object] = gapic_v1.method.DEFAULT,
metadata: Sequence[Tuple[str, Union[str, bytes]]] = (),
) -> CaPool:
"""
Get a CA pool by name.
Args:
request: The request object
name: CA pool resource name
retry: Retry configuration
timeout: Request timeout in seconds
metadata: Additional metadata
Returns:
CaPool: The requested CA pool resource
"""
def list_ca_pools(
self,
request: Union[ListCaPoolsRequest, dict] = None,
*,
parent: str = None,
retry: OptionalRetry = gapic_v1.method.DEFAULT,
timeout: Union[float, object] = gapic_v1.method.DEFAULT,
metadata: Sequence[Tuple[str, Union[str, bytes]]] = (),
) -> pagers.ListCaPoolsPager:
"""
List CA pools in a location.
Args:
request: The request object
parent: Location path
retry: Retry configuration
timeout: Request timeout in seconds
metadata: Additional metadata
Returns:
pagers.ListCaPoolsPager: Paginated response of CA pools
"""CA Pool Updates and Deletion
Updates CA pool configuration and deletes pools when no longer needed.
def update_ca_pool(
self,
request: Union[UpdateCaPoolRequest, dict] = None,
*,
ca_pool: CaPool = None,
update_mask: field_mask_pb2.FieldMask = None,
retry: OptionalRetry = gapic_v1.method.DEFAULT,
timeout: Union[float, object] = gapic_v1.method.DEFAULT,
metadata: Sequence[Tuple[str, Union[str, bytes]]] = (),
) -> operation.Operation:
"""
Update a CA pool.
Args:
request: The request object
ca_pool: CA pool with updated fields
update_mask: Fields to update
retry: Retry configuration
timeout: Request timeout in seconds
metadata: Additional metadata
Returns:
operation.Operation: Long-running operation for pool update
"""
def delete_ca_pool(
self,
request: Union[DeleteCaPoolRequest, dict] = None,
*,
name: str = None,
retry: OptionalRetry = gapic_v1.method.DEFAULT,
timeout: Union[float, object] = gapic_v1.method.DEFAULT,
metadata: Sequence[Tuple[str, Union[str, bytes]]] = (),
) -> operation.Operation:
"""
Delete a CA pool.
Args:
request: The request object
name: CA pool resource name
retry: Retry configuration
timeout: Request timeout in seconds
metadata: Additional metadata
Returns:
operation.Operation: Long-running operation for pool deletion
"""CA Certificate Fetching
Fetches all CA certificates from a pool for client configuration and trust establishment.
def fetch_ca_certs(
self,
request: Union[FetchCaCertsRequest, dict] = None,
*,
ca_pool: str = None,
retry: OptionalRetry = gapic_v1.method.DEFAULT,
timeout: Union[float, object] = gapic_v1.method.DEFAULT,
metadata: Sequence[Tuple[str, Union[str, bytes]]] = (),
) -> FetchCaCertsResponse:
"""
Fetch CA certificates from a pool.
Args:
request: The request object
ca_pool: CA pool resource name
retry: Retry configuration
timeout: Request timeout in seconds
metadata: Additional metadata
Returns:
FetchCaCertsResponse: CA certificates in PEM format
"""Request Types
class CreateCaPoolRequest:
"""Request to create a CA pool."""
parent: str # Location path
ca_pool_id: str # Unique pool identifier
ca_pool: CaPool # Pool configuration
request_id: str # Idempotency token
class GetCaPoolRequest:
"""Request to get a CA pool."""
name: str # CA pool resource name
class ListCaPoolsRequest:
"""Request to list CA pools."""
parent: str # Location path
page_size: int # Maximum results per page
page_token: str # Pagination token
filter: str # Filter expression
order_by: str # Sort order
class UpdateCaPoolRequest:
"""Request to update a CA pool."""
ca_pool: CaPool # Pool with updates
update_mask: field_mask_pb2.FieldMask # Fields to update
request_id: str # Idempotency token
class DeleteCaPoolRequest:
"""Request to delete a CA pool."""
name: str # CA pool resource name
request_id: str # Idempotency token
ignore_dependent_resources: bool # Ignore dependent resources
class FetchCaCertsRequest:
"""Request to fetch CA certificates."""
ca_pool: str # CA pool resource name
request_id: str # Idempotency token
class FetchCaCertsResponse:
"""Response containing CA certificates."""
ca_certs: List[CaCert] # List of CA certificates
class CaCert:
"""A CA certificate with metadata."""
pem_certificate: str # PEM-encoded certificateCA Pool Resource Type
class CaPool:
"""A pool of Certificate Authorities."""
name: str # Resource name
tier: Tier # Service tier (ENTERPRISE or DEVOPS)
issuance_policy: IssuancePolicy # Certificate issuance policy
publishing_options: PublishingOptions # CRL and certificate publishing options
labels: Dict[str, str] # Resource labels
class IssuancePolicy:
"""Policy for certificate issuance."""
allowed_key_types: List[AllowedKeyType] # Permitted key types
maximum_lifetime: duration_pb2.Duration # Maximum certificate lifetime
allowed_issuance_modes: IssuanceModes # Allowed issuance modes
baseline_values: X509Parameters # Default X.509 parameters
identity_constraints: CertificateIdentityConstraints # Identity constraints
passthrough_extensions: CertificateExtensionConstraints # Extension constraints
class PublishingOptions:
"""Options for publishing certificates and CRLs."""
publish_ca_cert: bool # Publish CA certificate
publish_crl: bool # Publish CRL
ca_cert_access_url: str # CA certificate access URL (output only)
class AllowedKeyType:
"""Permitted key type specification."""
rsa: RsaKeyType # RSA key parameters
elliptic_curve: EcKeyType # Elliptic curve parameters
class RsaKeyType:
"""RSA key type specification."""
min_modulus_size: int # Minimum key size in bits
max_modulus_size: int # Maximum key size in bits
class EcKeyType:
"""Elliptic curve key type specification."""
signature_algorithm: EcSignatureAlgorithm # Signature algorithm
class IssuanceModes:
"""Allowed certificate issuance modes."""
allow_csr_based_issuance: bool # Allow CSR-based issuance
allow_config_based_issuance: bool # Allow config-based issuanceUsage Examples
Creating a CA Pool
from google.cloud.security.privateca import (
CertificateAuthorityServiceClient,
CaPool,
IssuancePolicy,
PublishingOptions,
AllowedKeyType,
RsaKeyType
)
client = CertificateAuthorityServiceClient()
# Configure issuance policy
issuance_policy = IssuancePolicy(
maximum_lifetime={"seconds": 86400 * 365}, # 1 year max
allowed_key_types=[
AllowedKeyType(
rsa=RsaKeyType(
min_modulus_size=2048,
max_modulus_size=4096
)
)
],
allowed_issuance_modes={
"allow_csr_based_issuance": True,
"allow_config_based_issuance": False
}
)
# Configure publishing options
publishing_options = PublishingOptions(
publish_ca_cert=True,
publish_crl=True
)
# Create the pool
ca_pool = CaPool(
tier=CaPool.Tier.ENTERPRISE,
issuance_policy=issuance_policy,
publishing_options=publishing_options,
labels={"environment": "production", "team": "security"}
)
parent = "projects/my-project/locations/us-central1"
operation = client.create_ca_pool(
parent=parent,
ca_pool_id="production-ca-pool",
ca_pool=ca_pool
)
result = operation.result()
print(f"Created CA pool: {result.name}")Listing and Managing CA Pools
# List all pools in location
parent = "projects/my-project/locations/us-central1"
pools = client.list_ca_pools(parent=parent)
for pool in pools:
print(f"Pool: {pool.name}")
print(f"Tier: {pool.tier}")
print(f"Labels: {pool.labels}")
# Get specific pool details
pool_name = "projects/my-project/locations/us-central1/caPools/production-ca-pool"
pool = client.get_ca_pool(name=pool_name)
print(f"Pool tier: {pool.tier}")
print(f"Max certificate lifetime: {pool.issuance_policy.maximum_lifetime}")
print(f"Publish CRL: {pool.publishing_options.publish_crl}")Updating CA Pool Configuration
from google.protobuf import field_mask_pb2
# Update pool labels and publishing options
pool_name = "projects/my-project/locations/us-central1/caPools/production-ca-pool"
updated_pool = CaPool(
name=pool_name,
labels={"environment": "production", "team": "security", "updated": "true"},
publishing_options=PublishingOptions(
publish_ca_cert=True,
publish_crl=False # Disable CRL publishing
)
)
update_mask = field_mask_pb2.FieldMask(
paths=["labels", "publishing_options.publish_crl"]
)
operation = client.update_ca_pool(
ca_pool=updated_pool,
update_mask=update_mask
)
result = operation.result()
print(f"Updated pool: {result.name}")
print(f"New labels: {result.labels}")Fetching CA Certificates
# Fetch all CA certificates from a pool
pool_name = "projects/my-project/locations/us-central1/caPools/production-ca-pool"
response = client.fetch_ca_certs(ca_pool=pool_name)
print(f"Found {len(response.ca_certs)} CA certificates:")
for ca_cert in response.ca_certs:
print(f"Certificate:\n{ca_cert.pem_certificate}")
# Save certificates to file for client configuration
with open("ca-certificates.pem", "w") as f:
for ca_cert in response.ca_certs:
f.write(ca_cert.pem_certificate)
f.write("\n")
print("CA certificates saved to ca-certificates.pem")Deleting a CA Pool
# Delete a CA pool (must be empty)
pool_name = "projects/my-project/locations/us-central1/caPools/old-pool"
operation = client.delete_ca_pool(
name=pool_name,
ignore_dependent_resources=False # Fail if pool contains CAs
)
try:
operation.result()
print(f"Deleted pool: {pool_name}")
except Exception as e:
print(f"Failed to delete pool: {e}")
# Pool likely contains CAs or certificatesInstall with Tessl CLI
npx tessl i tessl/pypi-google-cloud-private-ca