
tessl/pypi-google-cloud-private-ca

Google Cloud Private Certificate Authority API client library for certificate lifecycle management



Certificate Authority Operations

Complete certificate authority lifecycle management including creation, activation, disabling, enabling, and deletion. Supports both root and subordinate certificate authorities with comprehensive configuration options and state management.

Capabilities

Certificate Authority Creation

Creates a new certificate authority within a CA pool. Supports both root CAs (self-signed) and subordinate CAs (signed by another CA).

def create_certificate_authority(
    self,
    request: Union[CreateCertificateAuthorityRequest, dict] = None,
    *,
    parent: str = None,
    certificate_authority: CertificateAuthority = None,
    certificate_authority_id: str = None,
    retry: OptionalRetry = gapic_v1.method.DEFAULT,
    timeout: Union[float, object] = gapic_v1.method.DEFAULT,
    metadata: Sequence[Tuple[str, Union[str, bytes]]] = (),
) -> operation.Operation:
    """
    Create a new certificate authority inside a CA pool.

    Whether the new CA is a root (``Type.SELF_SIGNED``) or a subordinate
    (``Type.SUBORDINATE``) is decided by ``certificate_authority.type_``.
    A subordinate CA is not operational after creation: its CSR must be
    fetched with ``fetch_certificate_authority_csr``, signed by the parent
    CA, and returned via ``activate_certificate_authority``.

    Creation is asynchronous; call ``.result()`` on the returned operation
    to block until the CA exists and to obtain the created resource.

    Args:
        request: The request object (``CreateCertificateAuthorityRequest`` or
            an equivalent dict). Set ``request_id`` on it when a retried
            call must not create a second CA.
        parent: CA pool path (format: projects/{project}/locations/{location}/caPools/{ca_pool})
        certificate_authority: CA configuration (type, subject/X.509 config,
            lifetime, key spec, tier)
        certificate_authority_id: Unique CA identifier within the pool
        retry: Retry configuration
        timeout: Request timeout in seconds
        metadata: Additional metadata sent with the request

    Returns:
        operation.Operation: Long-running operation for CA creation
    """

Certificate Authority Activation

Activates a certificate authority by supplying its signed CA certificate. This step is required for subordinate CAs after creation; until it completes, the subordinate CA is not operational.

def activate_certificate_authority(
    self,
    request: Union[ActivateCertificateAuthorityRequest, dict] = None,
    *,
    name: str = None,
    retry: OptionalRetry = gapic_v1.method.DEFAULT,
    timeout: Union[float, object] = gapic_v1.method.DEFAULT,
    metadata: Sequence[Tuple[str, Union[str, bytes]]] = (),
) -> operation.Operation:
    """
    Activate a subordinate certificate authority with its signed certificate.

    Only ``name`` is exposed as a keyword argument. The signed certificate
    (``pem_ca_certificate``) and the issuer chain (``subordinate_config``)
    are fields of ``ActivateCertificateAuthorityRequest`` and must be
    supplied through ``request`` (an equivalent dict is accepted). The
    certificate should be the one the parent CA issued for the CSR returned
    by ``fetch_certificate_authority_csr`` for this CA.

    Args:
        request: The request object carrying ``name``, ``pem_ca_certificate``,
            ``subordinate_config`` and optionally ``request_id``
        name: CA resource name (alternative to setting it on ``request``)
        retry: Retry configuration
        timeout: Request timeout in seconds
        metadata: Additional metadata sent with the request

    Returns:
        operation.Operation: Long-running operation for CA activation;
            ``.result()`` yields the activated CA
    """

Certificate Authority State Management

Enables and disables certificate authorities, changing their operational state without deleting them.

def disable_certificate_authority(
    self,
    request: Union[DisableCertificateAuthorityRequest, dict] = None,
    *,
    name: str = None,
    retry: OptionalRetry = gapic_v1.method.DEFAULT,
    timeout: Union[float, object] = gapic_v1.method.DEFAULT,
    metadata: Sequence[Tuple[str, Union[str, bytes]]] = (),
) -> operation.Operation:
    """
    Disable a certificate authority, taking it out of service without deleting it.

    The CA keeps its key and certificates and can be brought back with
    ``enable_certificate_authority``. ``DisableCertificateAuthorityRequest``
    also carries ``ignore_dependent_resources``; leave it unset unless the
    caller has checked what depends on this CA.

    Args:
        request: The request object (``DisableCertificateAuthorityRequest`` or dict)
        name: CA resource name (alternative to setting it on ``request``)
        retry: Retry configuration
        timeout: Request timeout in seconds
        metadata: Additional metadata sent with the request

    Returns:
        operation.Operation: Long-running operation for disabling CA;
            ``.result()`` yields the CA with its updated ``state``
    """

def enable_certificate_authority(
    self,
    request: Union[EnableCertificateAuthorityRequest, dict] = None,
    *,
    name: str = None,
    retry: OptionalRetry = gapic_v1.method.DEFAULT,
    timeout: Union[float, object] = gapic_v1.method.DEFAULT,
    metadata: Sequence[Tuple[str, Union[str, bytes]]] = (),
) -> operation.Operation:
    """
    Enable a certificate authority, reversing ``disable_certificate_authority``.

    Args:
        request: The request object (``EnableCertificateAuthorityRequest`` or dict);
            ``request_id`` on it makes a retried call idempotent
        name: CA resource name (alternative to setting it on ``request``)
        retry: Retry configuration
        timeout: Request timeout in seconds
        metadata: Additional metadata sent with the request

    Returns:
        operation.Operation: Long-running operation for enabling CA;
            ``.result()`` yields the CA with its updated ``state``
    """

Certificate Authority Information

Retrieves certificate authority details and lists CAs within a pool.

def get_certificate_authority(
    self,
    request: Union[GetCertificateAuthorityRequest, dict] = None,
    *,
    name: str = None,
    retry: OptionalRetry = gapic_v1.method.DEFAULT,
    timeout: Union[float, object] = gapic_v1.method.DEFAULT,
    metadata: Sequence[Tuple[str, Union[str, bytes]]] = (),
) -> CertificateAuthority:
    """
    Get a certificate authority by name.

    This is a plain read, not a long-running operation: the resource is
    returned directly, including its current ``state`` and the
    service-populated (output only) fields such as ``pem_ca_certificates``.

    Args:
        request: The request object (``GetCertificateAuthorityRequest`` or dict)
        name: CA resource name (alternative to setting it on ``request``)
        retry: Retry configuration
        timeout: Request timeout in seconds
        metadata: Additional metadata sent with the request

    Returns:
        CertificateAuthority: The requested CA resource
    """

def list_certificate_authorities(
    self,
    request: Union[ListCertificateAuthoritiesRequest, dict] = None,
    *,
    parent: str = None,
    retry: OptionalRetry = gapic_v1.method.DEFAULT,
    timeout: Union[float, object] = gapic_v1.method.DEFAULT,
    metadata: Sequence[Tuple[str, Union[str, bytes]]] = (),
) -> pagers.ListCertificateAuthoritiesPager:
    """
    List certificate authorities in a CA pool.

    The returned pager is iterable (``for ca in pager``) and fetches further
    pages as needed. To constrain the listing, set ``filter``, ``order_by``
    or ``page_size`` on a ``ListCertificateAuthoritiesRequest`` and pass it
    as ``request``; those fields are not available as keyword arguments.

    Args:
        request: The request object (``ListCertificateAuthoritiesRequest`` or dict)
        parent: CA pool path (alternative to setting it on ``request``)
        retry: Retry configuration
        timeout: Request timeout in seconds
        metadata: Additional metadata sent with the request

    Returns:
        pagers.ListCertificateAuthoritiesPager: Paginated response of CAs
    """

Certificate Authority CSR Operations

Fetches certificate signing requests for subordinate CAs that need external signing.

def fetch_certificate_authority_csr(
    self,
    request: Union[FetchCertificateAuthorityCsrRequest, dict] = None,
    *,
    name: str = None,
    retry: OptionalRetry = gapic_v1.method.DEFAULT,
    timeout: Union[float, object] = gapic_v1.method.DEFAULT,
    metadata: Sequence[Tuple[str, Union[str, bytes]]] = (),
) -> FetchCertificateAuthorityCsrResponse:
    """
    Fetch the certificate signing request for a subordinate CA.

    The CSR (``response.pem_csr``) is what the parent CA signs. The signed
    certificate that comes back is then passed to
    ``activate_certificate_authority``; only a certificate issued for this
    CSR will match the CA's key.

    Args:
        request: The request object (``FetchCertificateAuthorityCsrRequest`` or dict)
        name: CA resource name (alternative to setting it on ``request``)
        retry: Retry configuration
        timeout: Request timeout in seconds
        metadata: Additional metadata sent with the request

    Returns:
        FetchCertificateAuthorityCsrResponse: CSR in PEM format (``pem_csr``)
    """

Certificate Authority Lifecycle Management

Updates, deletes, and undeletes certificate authorities.

def update_certificate_authority(
    self,
    request: Union[UpdateCertificateAuthorityRequest, dict] = None,
    *,
    certificate_authority: CertificateAuthority = None,
    update_mask: field_mask_pb2.FieldMask = None,
    retry: OptionalRetry = gapic_v1.method.DEFAULT,
    timeout: Union[float, object] = gapic_v1.method.DEFAULT,
    metadata: Sequence[Tuple[str, Union[str, bytes]]] = (),
) -> operation.Operation:
    """
    Update a certificate authority.

    ``update_mask`` names the fields of ``certificate_authority`` to change;
    fields not listed in the mask are left untouched. Output-only fields of
    the resource (timestamps, certificates, access URLs) are set by the
    service and are not candidates for the mask.

    Args:
        request: The request object (``UpdateCertificateAuthorityRequest`` or dict)
        certificate_authority: CA with updated fields; ``name`` identifies
            which CA is updated
        update_mask: Fields to update
        retry: Retry configuration
        timeout: Request timeout in seconds
        metadata: Additional metadata sent with the request

    Returns:
        operation.Operation: Long-running operation for CA update
    """

def delete_certificate_authority(
    self,
    request: Union[DeleteCertificateAuthorityRequest, dict] = None,
    *,
    name: str = None,
    retry: OptionalRetry = gapic_v1.method.DEFAULT,
    timeout: Union[float, object] = gapic_v1.method.DEFAULT,
    metadata: Sequence[Tuple[str, Union[str, bytes]]] = (),
) -> operation.Operation:
    """
    Delete a certificate authority.

    ``DeleteCertificateAuthorityRequest`` carries two switches that remove
    safety nets: ``ignore_dependent_resources`` proceeds even when other
    resources still depend on the CA, and ``skip_grace_period`` removes the
    CA immediately instead of after the deletion grace period. A CA deleted
    with the grace period intact can be restored with
    ``undelete_certificate_authority`` (NOTE(review): presumably only while
    the grace period lasts - confirm against the service documentation).

    Args:
        request: The request object (``DeleteCertificateAuthorityRequest`` or dict)
        name: CA resource name (alternative to setting it on ``request``)
        retry: Retry configuration
        timeout: Request timeout in seconds
        metadata: Additional metadata sent with the request

    Returns:
        operation.Operation: Long-running operation for CA deletion
    """

def undelete_certificate_authority(
    self,
    request: Union[UndeleteCertificateAuthorityRequest, dict] = None,
    *,
    name: str = None,
    retry: OptionalRetry = gapic_v1.method.DEFAULT,
    timeout: Union[float, object] = gapic_v1.method.DEFAULT,
    metadata: Sequence[Tuple[str, Union[str, bytes]]] = (),
) -> operation.Operation:
    """
    Undelete a certificate authority that was deleted with a grace period.

    Reverses ``delete_certificate_authority`` for a CA whose ``delete_time``
    is set and whose grace period has not run out (NOTE(review): the exact
    window is not shown here - confirm).

    Args:
        request: The request object (``UndeleteCertificateAuthorityRequest`` or dict)
        name: CA resource name (alternative to setting it on ``request``)
        retry: Retry configuration
        timeout: Request timeout in seconds
        metadata: Additional metadata sent with the request

    Returns:
        operation.Operation: Long-running operation for CA undeletion
    """

Request Types

class CreateCertificateAuthorityRequest:
    """Request to create a certificate authority in a CA pool."""
    parent: str  # CA pool path: projects/{project}/locations/{location}/caPools/{ca_pool}
    certificate_authority_id: str  # Unique CA identifier within the pool
    certificate_authority: CertificateAuthority  # CA configuration (type, config, lifetime, key_spec, tier)
    request_id: str  # Idempotency token; reuse it on retries so a retry cannot create a second CA

class ActivateCertificateAuthorityRequest:
    """
    Request to activate a subordinate certificate authority.

    The activation client method exposes only ``name`` as a keyword
    argument, so ``pem_ca_certificate`` and ``subordinate_config`` have to be
    supplied through this request object (or an equivalent dict).
    """
    name: str  # CA resource name
    pem_ca_certificate: str  # Signed CA certificate in PEM format, issued by the parent for this CA's CSR
    subordinate_config: SubordinateConfig  # Parent CA reference or PEM issuer chain that validates pem_ca_certificate
    request_id: str  # Idempotency token for safe retries

class DisableCertificateAuthorityRequest:
    """Request to disable a certificate authority (reversible via enable)."""
    name: str  # CA resource name
    request_id: str  # Idempotency token for safe retries
    ignore_dependent_resources: bool  # Proceed even if other resources depend on this CA; leave unset unless dependents were reviewed

class EnableCertificateAuthorityRequest:
    """Request to enable a previously disabled certificate authority."""
    name: str  # CA resource name
    request_id: str  # Idempotency token for safe retries

class GetCertificateAuthorityRequest:
    """Request to read a single certificate authority resource."""
    name: str  # CA resource name: .../caPools/{ca_pool}/certificateAuthorities/{ca}

class ListCertificateAuthoritiesRequest:
    """Request to list certificate authorities in a CA pool (paginated)."""
    parent: str  # CA pool path
    page_size: int  # Maximum results per page
    page_token: str  # Pagination token from a previous page (the pager handles this automatically)
    filter: str  # Filter expression (field name mirrors the API; shadows the builtin only as an attribute)
    order_by: str  # Sort order

class FetchCertificateAuthorityCsrRequest:
    """Request to fetch the CSR of a subordinate CA awaiting external signing."""
    name: str  # CA resource name

class UpdateCertificateAuthorityRequest:
    """Request to update a certificate authority; only fields in update_mask change."""
    certificate_authority: CertificateAuthority  # CA with updates; its name identifies the target
    update_mask: field_mask_pb2.FieldMask  # Fields to update (output-only fields cannot be set)
    request_id: str  # Idempotency token for safe retries

class DeleteCertificateAuthorityRequest:
    """
    Request to delete a certificate authority.

    Both boolean switches remove a safety net and should stay unset in the
    normal case; a CA deleted without skipping the grace period can still be
    restored with undelete.
    """
    name: str  # CA resource name
    request_id: str  # Idempotency token for safe retries
    ignore_dependent_resources: bool  # Proceed even if other resources depend on this CA
    skip_grace_period: bool  # Delete immediately rather than after the grace period (presumably not undeletable then - confirm)

class UndeleteCertificateAuthorityRequest:
    """Request to restore a certificate authority deleted with a grace period."""
    name: str  # CA resource name
    request_id: str  # Idempotency token for safe retries

Certificate Authority Resource Type

class CertificateAuthority:
    """
    A Certificate Authority that can issue certificates.

    Fields marked "output only" are populated by the service and are not
    set by the caller. ``pem_ca_certificates`` is the chain relying parties
    need in order to validate certificates issued by this CA.
    """
    name: str  # Resource name: .../caPools/{ca_pool}/certificateAuthorities/{ca} (output only on create)
    type_: Type  # CA type (SELF_SIGNED or SUBORDINATE); trailing underscore avoids the builtin name `type`
    config: CertificateAuthorityConfig  # Subject, X.509 parameters and public key
    lifetime: duration_pb2.Duration  # CA certificate lifetime (the examples pass it as {"seconds": N})
    key_spec: KeySpec  # Signing key: a Cloud KMS key version or an algorithm for a service-managed key
    subordinate_config: SubordinateConfig  # Parent CA / issuer chain; only meaningful for SUBORDINATE CAs
    tier: Tier  # Service tier (ENTERPRISE or DEVOPS)
    state: State  # Current CA state, changed by enable/disable/delete operations
    pem_ca_certificates: List[str]  # CA certificate chain (output only)
    ca_certificate_descriptions: List[CertificateDescription]  # Parsed CA certificate details (output only)
    gcs_bucket: str  # Cloud Storage bucket where CRLs are published
    access_urls: AccessUrls  # Public CA certificate and CRL download URLs (output only)
    create_time: timestamp_pb2.Timestamp  # Creation time (output only)
    update_time: timestamp_pb2.Timestamp  # Last update time (output only)
    delete_time: timestamp_pb2.Timestamp  # Deletion time; set once delete has been requested (output only)
    expire_time: timestamp_pb2.Timestamp  # Expiration time (output only)
    labels: Dict[str, str]  # Resource labels

class CertificateAuthorityConfig:
    """Configuration for a Certificate Authority: who it is and what its certificate asserts."""
    subject_config: SubjectConfig  # CA subject (distinguished name) configuration
    x509_config: X509Parameters  # X.509 parameters: key usage, CA options such as is_ca and path length
    public_key: PublicKey  # CA public key

class KeySpec:
    """
    Key specification for a CA.

    Either reference an existing Cloud KMS key version or name an algorithm
    and let the service manage the key; the two fields are alternatives.
    """
    cloud_kms_key_version: str  # Cloud KMS key version resource name for a customer-managed key
    algorithm: Algorithm  # Key algorithm for a service-managed key (RSA_PKCS1_2048_SHA256, etc.)

class SubordinateConfig:
    """
    Configuration for subordinate CAs: how the parent is identified.

    Use ``certificate_authority`` when the parent is another CA in this
    service, or ``pem_issuer_chain`` when the parent is external.
    """
    certificate_authority: str  # Parent CA resource name
    pem_issuer_chain: List[str]  # Issuer certificate chain in PEM, used when the parent is external

class AccessUrls:
    """Access URLs for the CA (output only); these are what relying parties fetch."""
    ca_certificate_access_url: str  # CA certificate download URL
    crl_access_urls: List[str]  # CRL download URLs

Usage Examples

Creating a Root Certificate Authority

from google.cloud.security.privateca import (
    CertificateAuthority,
    CertificateAuthorityConfig,
    CertificateAuthorityServiceClient,
    KeySpec,
    SubjectConfig,
    X509Parameters,
)

client = CertificateAuthorityServiceClient()

# Distinguished name of the root; it becomes the issuer name on every
# certificate this CA signs.
root_subject = SubjectConfig(
    subject={
        "common_name": "My Root CA",
        "organization": "My Company",
        "country_code": "US",
    }
)

# A root only signs certificates and CRLs; it never terminates TLS itself,
# so both extended key usages are switched off explicitly.
root_key_usage = {
    "base_key_usage": {"cert_sign": True, "crl_sign": True},
    "extended_key_usage": {"server_auth": False, "client_auth": False},
}

# is_ca marks the certificate as a CA; max_issuer_path_length (X.509
# pathLenConstraint) of 1 permits at most one subordinate level below it.
root_ca_options = {"is_ca": True, "max_issuer_path_length": 1}

ca_config = CertificateAuthorityConfig(
    subject_config=root_subject,
    x509_config=X509Parameters(key_usage=root_key_usage, ca_options=root_ca_options),
)

TEN_YEARS_IN_SECONDS = 86400 * 365 * 10

ca = CertificateAuthority(
    type_=CertificateAuthority.Type.SELF_SIGNED,
    config=ca_config,
    lifetime={"seconds": TEN_YEARS_IN_SECONDS},
    key_spec=KeySpec(algorithm=KeySpec.Algorithm.RSA_PKCS1_4096_SHA256),
    tier=CertificateAuthority.Tier.ENTERPRISE,
)

parent = "projects/my-project/locations/us-central1/caPools/my-ca-pool"

# Creation is a long-running operation; result() blocks until the CA exists.
operation = client.create_certificate_authority(
    parent=parent,
    certificate_authority_id="my-root-ca",
    certificate_authority=ca,
)
result = operation.result()
print(f"Created CA: {result.name}")

Creating and Activating a Subordinate CA

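# Create subordinate CA
subordinate_ca = CertificateAuthority(
    type_=CertificateAuthority.Type.SUBORDINATE,
    config=ca_config,  # Similar config as above
    lifetime={"seconds": 86400 * 365 * 5},  # 5 years
    key_spec=KeySpec(algorithm=KeySpec.Algorithm.RSA_PKCS1_2048_SHA256),
    tier=CertificateAuthority.Tier.ENTERPRISE
)

operation = client.create_certificate_authority(
    parent=parent,
    certificate_authority_id="my-subordinate-ca",
    certificate_authority=subordinate_ca
)

created_ca = operation.result()
print(f"Created subordinate CA: {created_ca.name}")

# Fetch CSR for external signing
csr_response = client.fetch_certificate_authority_csr(name=created_ca.name)
print(f"CSR:\n{csr_response.pem_csr}")

# After getting the signed certificate from the parent CA, activate it.
# Placeholders below: the certificate the parent issued for the CSR above,
# and the parent's own chain (leaf-to-root order) so the service can
# validate that certificate.
signed_cert = "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----"
issuer_chain = ["-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----"]

# activate_certificate_authority() accepts only `name` as a keyword; the PEM
# certificate and subordinate config are fields of
# ActivateCertificateAuthorityRequest, so they go in the request object
# (a dict is accepted). Passing pem_ca_certificate= directly would fail.
activation_operation = client.activate_certificate_authority(
    request={
        "name": created_ca.name,
        "pem_ca_certificate": signed_cert,
        "subordinate_config": {"pem_issuer_chain": issuer_chain},
    }
)

activated_ca = activation_operation.result()
print(f"Activated CA: {activated_ca.name}")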

Managing CA State

ca_name = "projects/my-project/locations/us-central1/caPools/my-ca-pool/certificateAuthorities/my-ca"


def _report_state(state_change_op):
    """Wait for a state-change operation and print the CA state it yields."""
    changed_ca = state_change_op.result()
    print(f"CA state: {changed_ca.state}")


# Disable takes the CA out of service without deleting it; enable reverses it.
_report_state(client.disable_certificate_authority(name=ca_name))
_report_state(client.enable_certificate_authority(name=ca_name))

# The pager is iterable and walks every page of CAs in the pool.
parent = "projects/my-project/locations/us-central1/caPools/my-ca-pool"
for ca in client.list_certificate_authorities(parent=parent):
    print(f"CA: {ca.name}, State: {ca.state}, Type: {ca.type_}")
