tessl/pypi-google-cloud-private-ca
Google Cloud Private Certificate Authority API client library for certificate lifecycle management
—
Pending
certificate-management.mddocs/
Certificate Management
Core certificate lifecycle operations including creation, retrieval, listing, revocation, and metadata updates. Supports X.509 certificates with comprehensive configuration options, certificate signing requests (CSRs), and various certificate formats.
Capabilities
Certificate Creation
Creates a new certificate within a CA pool using either a certificate signing request (CSR) or automatic key generation. Supports various certificate types including end-entity certificates and certificate authorities.
def create_certificate(
self,
request: Union[CreateCertificateRequest, dict] = None,
*,
parent: str = None,
certificate: Certificate = None,
certificate_id: str = None,
retry: OptionalRetry = gapic_v1.method.DEFAULT,
timeout: Union[float, object] = gapic_v1.method.DEFAULT,
metadata: Sequence[Tuple[str, Union[str, bytes]]] = (),
) -> Certificate:
"""
Create a new certificate in a CA pool.
Args:
request: The request object with certificate details
parent: CA pool path (format: projects/{project}/locations/{location}/caPools/{ca_pool})
certificate: Certificate configuration and CSR
certificate_id: Unique identifier for the certificate
retry: Retry configuration for the request
timeout: Request timeout in seconds
metadata: Additional metadata as (key, value) pairs as (key, value) pairs
Returns:
Certificate: The created certificate resource
Raises:
google.api_core.exceptions.GoogleAPIError: If the request fails
"""Certificate Retrieval
Retrieves a specific certificate by its resource name, including all certificate details, metadata, and current status.
def get_certificate(
self,
request: Union[GetCertificateRequest, dict] = None,
*,
name: str = None,
retry: OptionalRetry = gapic_v1.method.DEFAULT,
timeout: Union[float, object] = gapic_v1.method.DEFAULT,
metadata: Sequence[Tuple[str, Union[str, bytes]]] = (),
) -> Certificate:
"""
Get a certificate by name.
Args:
request: The request object
name: Certificate resource name (format: projects/{project}/locations/{location}/caPools/{ca_pool}/certificates/{certificate})
retry: Retry configuration
timeout: Request timeout in seconds
metadata: Additional metadata as (key, value) pairs
Returns:
Certificate: The requested certificate resource
"""Certificate Listing
Lists certificates within a CA pool with optional filtering and pagination. Supports ordering by creation time and filtering by certificate state.
def list_certificates(
self,
request: Union[ListCertificatesRequest, dict] = None,
*,
parent: str = None,
retry: OptionalRetry = gapic_v1.method.DEFAULT,
timeout: Union[float, object] = gapic_v1.method.DEFAULT,
metadata: Sequence[Tuple[str, Union[str, bytes]]] = (),
) -> pagers.ListCertificatesPager:
"""
List certificates in a CA pool.
Args:
request: The request object
parent: CA pool path
retry: Retry configuration
timeout: Request timeout in seconds
metadata: Additional metadata as (key, value) pairs
Returns:
pagers.ListCertificatesPager: Paginated response of certificates
"""Certificate Revocation
Revokes a certificate, marking it as invalid and adding it to the Certificate Revocation List (CRL). Supports various revocation reasons and immediate revocation.
def revoke_certificate(
self,
request: Union[RevokeCertificateRequest, dict] = None,
*,
name: str = None,
retry: OptionalRetry = gapic_v1.method.DEFAULT,
timeout: Union[float, object] = gapic_v1.method.DEFAULT,
metadata: Sequence[Tuple[str, Union[str, bytes]]] = (),
) -> Certificate:
"""
Revoke a certificate.
Args:
request: The request object containing revocation details
name: Certificate resource name
retry: Retry configuration
timeout: Request timeout in seconds
metadata: Additional metadata as (key, value) pairs
Returns:
Certificate: The revoked certificate with updated status
"""Certificate Updates
Updates certificate metadata and labels. Note that certificate content cannot be modified after creation, only metadata fields.
def update_certificate(
self,
request: Union[UpdateCertificateRequest, dict] = None,
*,
certificate: Certificate = None,
update_mask: field_mask_pb2.FieldMask = None,
retry: OptionalRetry = gapic_v1.method.DEFAULT,
timeout: Union[float, object] = gapic_v1.method.DEFAULT,
metadata: Sequence[Tuple[str, Union[str, bytes]]] = (),
) -> Certificate:
"""
Update certificate metadata.
Args:
request: The request object
certificate: Certificate with updated fields
update_mask: Fields to update
retry: Retry configuration
timeout: Request timeout in seconds
metadata: Additional metadata as (key, value) pairs
Returns:
Certificate: Updated certificate resource
"""Request Types
class CreateCertificateRequest:
"""Request to create a certificate."""
parent: str # CA pool path
certificate_id: str # Unique certificate identifier
certificate: Certificate # Certificate configuration
request_id: str # Idempotency token
validate_only: bool # Validation-only mode
issuing_certificate_authority_id: str # Specific CA to use
class GetCertificateRequest:
"""Request to get a certificate."""
name: str # Certificate resource name
class ListCertificatesRequest:
"""Request to list certificates."""
parent: str # CA pool path
page_size: int # Maximum results per page
page_token: str # Pagination token
filter: str # Filter expression
order_by: str # Sort order
class RevokeCertificateRequest:
"""Request to revoke a certificate."""
name: str # Certificate resource name
reason: RevocationReason # Reason for revocation
request_id: str # Idempotency token
class UpdateCertificateRequest:
"""Request to update a certificate."""
certificate: Certificate # Certificate with updates
update_mask: field_mask_pb2.FieldMask # Fields to update
request_id: str # Idempotency tokenCertificate Resource Type
class Certificate:
"""A certificate issued by a Certificate Authority."""
name: str # Resource name
pem_csr: str # PEM-encoded certificate signing request
config: CertificateConfig # Certificate configuration
lifetime: duration_pb2.Duration # Certificate lifetime
certificate_template: str # Template used
subject_mode: SubjectRequestMode # Subject handling mode
revocation_details: RevocationDetails # Revocation information (if revoked)
pem_certificate: str # PEM-encoded certificate (output only)
certificate_description: CertificateDescription # Parsed certificate details (output only)
pem_certificate_chain: List[str] # Certificate chain (output only)
create_time: timestamp_pb2.Timestamp # Creation time (output only)
update_time: timestamp_pb2.Timestamp # Last update time (output only)
labels: Dict[str, str] # Resource labels
class CertificateConfig:
"""Certificate configuration for creation."""
subject_config: SubjectConfig # Certificate subject
x509_config: X509Parameters # X.509 parameters
public_key: PublicKey # Public key (for CSR mode)
class RevocationDetails:
"""Details about certificate revocation."""
revocation_state: RevocationState # Current revocation state
revocation_time: timestamp_pb2.Timestamp # When revoked
revocation_reason: RevocationReason # Reason for revocationUsage Examples
Creating a Certificate with CSR
from google.cloud.security.privateca import CertificateAuthorityServiceClient
from google.cloud.security.privateca import Certificate, CertificateConfig
client = CertificateAuthorityServiceClient()
# Prepare certificate configuration
certificate = Certificate(
pem_csr="-----BEGIN CERTIFICATE REQUEST-----\n...\n-----END CERTIFICATE REQUEST-----",
lifetime={"seconds": 86400 * 365} # 1 year
)
# Create the certificate
parent = "projects/my-project/locations/us-central1/caPools/my-ca-pool"
response = client.create_certificate(
parent=parent,
certificate_id="my-certificate",
certificate=certificate
)
print(f"Created certificate: {response.name}")
print(f"PEM certificate:\n{response.pem_certificate}")Listing and Filtering Certificates
# List all certificates
parent = "projects/my-project/locations/us-central1/caPools/my-ca-pool"
certificates = client.list_certificates(parent=parent)
for certificate in certificates:
print(f"Certificate: {certificate.name}")
print(f"Status: {certificate.revocation_details.revocation_state if certificate.revocation_details else 'ACTIVE'}")
# List with filtering
filtered_certificates = client.list_certificates(
parent=parent,
filter='labels.environment="production"',
order_by="create_time desc"
)Revoking a Certificate
from google.cloud.security.privateca import RevokeCertificateRequest, RevocationReason
certificate_name = "projects/my-project/locations/us-central1/caPools/my-ca-pool/certificates/my-certificate"
revoked_cert = client.revoke_certificate(
name=certificate_name,
reason=RevocationReason.KEY_COMPROMISE
)
print(f"Certificate revoked: {revoked_cert.name}")
print(f"Revocation time: {revoked_cert.revocation_details.revocation_time}")Install with Tessl CLI
npx tessl i tessl/pypi-google-cloud-private-ca