tessl/pypi-google-cloud-private-ca
Google Cloud Private Certificate Authority API client library for certificate lifecycle management
—
Pending
certificate-templates.mddocs/
Certificate Templates
Template-based certificate issuance with predefined configurations, constraints, and policies. Templates standardize certificate properties, enforce organizational policies, and simplify bulk certificate operations by providing reusable certificate configurations.
Capabilities
Certificate Template Creation
Creates a new certificate template with predefined X.509 parameters, subject constraints, and key usage specifications.
def create_certificate_template(
self,
request: Union[CreateCertificateTemplateRequest, dict] = None,
*,
parent: str = None,
certificate_template: CertificateTemplate = None,
certificate_template_id: str = None,
retry: OptionalRetry = gapic_v1.method.DEFAULT,
timeout: Union[float, object] = gapic_v1.method.DEFAULT,
metadata: Sequence[Tuple[str, Union[str, bytes]]] = (),
) -> operation.Operation:
"""
Create a new certificate template.
Args:
request: The request object
parent: Location path (format: projects/{project}/locations/{location})
certificate_template: Template configuration
certificate_template_id: Unique template identifier
retry: Retry configuration
timeout: Request timeout in seconds
metadata: Additional metadata
Returns:
operation.Operation: Long-running operation for template creation
"""Certificate Template Information
Retrieves certificate template details and lists templates within a location.
def get_certificate_template(
self,
request: Union[GetCertificateTemplateRequest, dict] = None,
*,
name: str = None,
retry: OptionalRetry = gapic_v1.method.DEFAULT,
timeout: Union[float, object] = gapic_v1.method.DEFAULT,
metadata: Sequence[Tuple[str, Union[str, bytes]]] = (),
) -> CertificateTemplate:
"""
Get a certificate template by name.
Args:
request: The request object
name: Template resource name
retry: Retry configuration
timeout: Request timeout in seconds
metadata: Additional metadata
Returns:
CertificateTemplate: The requested template resource
"""
def list_certificate_templates(
self,
request: Union[ListCertificateTemplatesRequest, dict] = None,
*,
parent: str = None,
retry: OptionalRetry = gapic_v1.method.DEFAULT,
timeout: Union[float, object] = gapic_v1.method.DEFAULT,
metadata: Sequence[Tuple[str, Union[str, bytes]]] = (),
) -> pagers.ListCertificateTemplatesPager:
"""
List certificate templates in a location.
Args:
request: The request object
parent: Location path
retry: Retry configuration
timeout: Request timeout in seconds
metadata: Additional metadata
Returns:
pagers.ListCertificateTemplatesPager: Paginated response of templates
"""Certificate Template Management
Updates and deletes certificate templates to maintain current organizational policies.
def update_certificate_template(
self,
request: Union[UpdateCertificateTemplateRequest, dict] = None,
*,
certificate_template: CertificateTemplate = None,
update_mask: field_mask_pb2.FieldMask = None,
retry: OptionalRetry = gapic_v1.method.DEFAULT,
timeout: Union[float, object] = gapic_v1.method.DEFAULT,
metadata: Sequence[Tuple[str, Union[str, bytes]]] = (),
) -> operation.Operation:
"""
Update a certificate template.
Args:
request: The request object
certificate_template: Template with updated fields
update_mask: Fields to update
retry: Retry configuration
timeout: Request timeout in seconds
metadata: Additional metadata
Returns:
operation.Operation: Long-running operation for template update
"""
def delete_certificate_template(
self,
request: Union[DeleteCertificateTemplateRequest, dict] = None,
*,
name: str = None,
retry: OptionalRetry = gapic_v1.method.DEFAULT,
timeout: Union[float, object] = gapic_v1.method.DEFAULT,
metadata: Sequence[Tuple[str, Union[str, bytes]]] = (),
) -> operation.Operation:
"""
Delete a certificate template.
Args:
request: The request object
name: Template resource name
retry: Retry configuration
timeout: Request timeout in seconds
metadata: Additional metadata
Returns:
operation.Operation: Long-running operation for template deletion
"""Request Types
class CreateCertificateTemplateRequest:
"""Request to create a certificate template."""
parent: str # Location path
certificate_template_id: str # Unique template identifier
certificate_template: CertificateTemplate # Template configuration
request_id: str # Idempotency token
class GetCertificateTemplateRequest:
"""Request to get a certificate template."""
name: str # Template resource name
class ListCertificateTemplatesRequest:
"""Request to list certificate templates."""
parent: str # Location path
page_size: int # Maximum results per page
page_token: str # Pagination token
filter: str # Filter expression
order_by: str # Sort order
class UpdateCertificateTemplateRequest:
"""Request to update a certificate template."""
certificate_template: CertificateTemplate # Template with updates
update_mask: field_mask_pb2.FieldMask # Fields to update
request_id: str # Idempotency token
class DeleteCertificateTemplateRequest:
"""Request to delete a certificate template."""
name: str # Template resource name
request_id: str # Idempotency tokenCertificate Template Resource Type
class CertificateTemplate:
"""A reusable template for certificate issuance."""
name: str # Resource name
predefined_values: X509Parameters # Default X.509 parameters
identity_constraints: CertificateIdentityConstraints # Subject constraints
passthrough_extensions: CertificateExtensionConstraints # Extension constraints
description: str # Human-readable description
create_time: timestamp_pb2.Timestamp # Creation time (output only)
update_time: timestamp_pb2.Timestamp # Last update time (output only)
labels: Dict[str, str] # Resource labels
class CertificateIdentityConstraints:
"""Constraints on certificate subject identity."""
cel_expression: expr_pb2.Expr # CEL expression for validation
allow_subject_passthrough: bool # Allow subject from CSR
allow_subject_alt_names_passthrough: bool # Allow SANs from CSR
class CertificateExtensionConstraints:
"""Constraints on certificate extensions."""
known_extensions: List[KnownCertificateExtension] # Known extension handling
additional_extensions: List[ObjectId] # Additional allowed extensions
class KnownCertificateExtension:
"""Handling for known certificate extensions."""
extension_type: KnownExtensionType # Extension type
is_critical: bool # Critical flag
passthrough: bool # Pass through from CSRUsage Examples
Creating a Web Server Certificate Template
from google.cloud.security.privateca import (
CertificateAuthorityServiceClient,
CertificateTemplate,
X509Parameters,
CertificateIdentityConstraints,
CertificateExtensionConstraints,
KeyUsage
)
client = CertificateAuthorityServiceClient()
# Define X.509 parameters for web server certificates
x509_params = X509Parameters(
key_usage=KeyUsage(
base_key_usage={
"digital_signature": True,
"key_encipherment": True
},
extended_key_usage={
"server_auth": True,
"client_auth": False
}
),
ca_options={"is_ca": False},
policy_ids=[
{"object_id_path": [1, 3, 6, 1, 4, 1, 11129, 2, 5, 3]} # CT precertificate
]
)
# Define identity constraints
identity_constraints = CertificateIdentityConstraints(
allow_subject_passthrough=True,
allow_subject_alt_names_passthrough=True
)
# Create the template
template = CertificateTemplate(
predefined_values=x509_params,
identity_constraints=identity_constraints,
description="Template for web server certificates with standard TLS configuration",
labels={"type": "web-server", "environment": "production"}
)
parent = "projects/my-project/locations/us-central1"
operation = client.create_certificate_template(
parent=parent,
certificate_template_id="web-server-template",
certificate_template=template
)
result = operation.result()
print(f"Created template: {result.name}")Creating a Client Authentication Template
# Define X.509 parameters for client authentication
client_x509_params = X509Parameters(
key_usage=KeyUsage(
base_key_usage={
"digital_signature": True,
"key_agreement": True
},
extended_key_usage={
"server_auth": False,
"client_auth": True,
"email_protection": True
}
),
ca_options={"is_ca": False}
)
# More restrictive identity constraints for client certs
client_identity_constraints = CertificateIdentityConstraints(
allow_subject_passthrough=False, # Enforce template subject
allow_subject_alt_names_passthrough=True
)
client_template = CertificateTemplate(
predefined_values=client_x509_params,
identity_constraints=client_identity_constraints,
description="Template for client authentication certificates",
labels={"type": "client-auth", "security-level": "high"}
)
operation = client.create_certificate_template(
parent=parent,
certificate_template_id="client-auth-template",
certificate_template=client_template
)
result = operation.result()
print(f"Created client template: {result.name}")Using Templates for Certificate Creation
from google.cloud.security.privateca import Certificate
# Create certificate using template
template_name = "projects/my-project/locations/us-central1/certificateTemplates/web-server-template"
certificate = Certificate(
certificate_template=template_name,
pem_csr="-----BEGIN CERTIFICATE REQUEST-----\n...\n-----END CERTIFICATE REQUEST-----",
lifetime={"seconds": 86400 * 90} # 90 days
)
parent = "projects/my-project/locations/us-central1/caPools/my-ca-pool"
created_cert = client.create_certificate(
parent=parent,
certificate_id="web-server-001",
certificate=certificate
)
print(f"Created certificate using template: {created_cert.name}")
print(f"Template used: {created_cert.certificate_template}")Managing Certificate Templates
# List all templates
parent = "projects/my-project/locations/us-central1"
templates = client.list_certificate_templates(parent=parent)
for template in templates:
print(f"Template: {template.name}")
print(f"Description: {template.description}")
print(f"Labels: {template.labels}")
# Update template description
template_name = "projects/my-project/locations/us-central1/certificateTemplates/web-server-template"
updated_template = CertificateTemplate(
name=template_name,
description="Updated: Template for web server certificates with enhanced security",
labels={"type": "web-server", "environment": "production", "version": "2.0"}
)
from google.protobuf import field_mask_pb2
update_mask = field_mask_pb2.FieldMask(paths=["description", "labels"])
operation = client.update_certificate_template(
certificate_template=updated_template,
update_mask=update_mask
)
result = operation.result()
print(f"Updated template: {result.name}")
# Delete template
old_template_name = "projects/my-project/locations/us-central1/certificateTemplates/old-template"
operation = client.delete_certificate_template(name=old_template_name)
operation.result()
print(f"Deleted template: {old_template_name}")Advanced Template with Extension Constraints
from google.type import expr_pb2
# Create template with CEL expression for validation
advanced_template = CertificateTemplate(
predefined_values=X509Parameters(
key_usage=KeyUsage(
base_key_usage={"digital_signature": True, "key_encipherment": True},
extended_key_usage={"server_auth": True}
)
),
identity_constraints=CertificateIdentityConstraints(
# Only allow certificates for specific domains
cel_expression=expr_pb2.Expr(
expression='subject_alt_names.all(san, san.type == DNS && (san.value.endsWith(".example.com") || san.value == "example.com"))'
),
allow_subject_passthrough=True,
allow_subject_alt_names_passthrough=True
),
passthrough_extensions=CertificateExtensionConstraints(
additional_extensions=[
{"object_id_path": [1, 3, 6, 1, 4, 1, 11129, 2, 4, 2]} # CT poison extension
]
),
description="Advanced template with domain validation and CT support",
labels={"type": "domain-validated", "ct-enabled": "true"}
)
operation = client.create_certificate_template(
parent=parent,
certificate_template_id="advanced-web-template",
certificate_template=advanced_template
)
result = operation.result()
print(f"Created advanced template: {result.name}")Install with Tessl CLI
npx tessl i tessl/pypi-google-cloud-private-ca