def create_ca_pool(project_id: str, location: str, ca_pool_name: str) -> None:
    """
    Create a Certificate Authority (CA) pool in the given project and location.

    Every CA later added to this pool shares the pool's settings: its tier,
    issuance policy and IAM policies.

    Args:
        project_id: project ID or project number of the Cloud project you want to use.
        location: location you want to use. For a list of locations, see: https://cloud.google.com/certificate-authority-service/docs/locations.
        ca_pool_name: a unique name for the ca pool.
    """

    client = privateca_v1.CertificateAuthorityServiceClient()

    # The pool lives under a location; the client builds the parent path for us.
    parent = client.common_location_path(project_id, location)

    # Every pool carries a tier (see:
    # https://cloud.google.com/certificate-authority-service/docs/tiers).
    pool_spec = privateca_v1.CaPool(tier=privateca_v1.CaPool.Tier.ENTERPRISE)

    # Issue the create request; the call returns a long-running operation.
    operation = client.create_ca_pool(
        request=privateca_v1.CreateCaPoolRequest(
            parent=parent,
            ca_pool_id=ca_pool_name,
            ca_pool=pool_spec,
        )
    )

    # Block until the pool exists and print the finished resource.
    print("Operation result:", operation.result())
def sample_update_ca_pool():
    """Send an UpdateCaPool request and print the resulting pool.

    NOTE(review): this snippet sets only ``tier`` and passes neither the pool's
    ``name`` nor an ``update_mask`` (compare update_ca_pool_issuance_policy in
    this file, which sets both) — confirm the service accepts such a request
    before reusing it.
    """
    client = privateca_v1.CertificateAuthorityServiceClient()

    # Only the tier is populated on the pool being updated.
    pool = privateca_v1.CaPool(tier="DEVOPS")
    request = privateca_v1.UpdateCaPoolRequest(ca_pool=pool)

    # update_ca_pool returns a long-running operation; wait for it to finish.
    operation = client.update_ca_pool(request=request)
    print("Waiting for operation to complete...")
    response = operation.result()

    print(response)
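async def sample_create_ca_pool():
    """Create a CA pool with the async client and print the created resource.

    ``parent`` and ``ca_pool_id`` are placeholder values that a caller has to
    replace with a real location path and pool id.
    """
    client = privateca_v1.CertificateAuthorityServiceAsyncClient()

    # Only the tier is set on the new pool.
    ca_pool = privateca_v1.CaPool()
    ca_pool.tier = "DEVOPS"

    request = privateca_v1.CreateCaPoolRequest(
        parent="parent_value",
        ca_pool_id="ca_pool_id_value",
        ca_pool=ca_pool,
    )

    # On the async client the RPC call itself is a coroutine: it must be awaited
    # to obtain the long-running operation, whose result() is awaited in turn.
    # Calling operation.result() on the un-awaited coroutine would fail.
    operation = await client.create_ca_pool(request=request)

    print("Waiting for operation to complete...")

    response = await operation.result()

    print(response)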
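def update_ca_pool_issuance_policy(
    project_id: str,
    location: str,
    ca_pool_name: str,
) -> None:
    """
    Update the issuance policy for a CA Pool. All certificates issued from this CA Pool should
    meet the issuance policy.

    The policy set here lets requesters pass their own subject and subject
    alternative names through, while a CEL expression restricts the accepted
    SANs to DNS names that are exactly "us.google.org" or end in ".google.com".
    After the update the pool is read back and all three updated fields are
    verified.

    Args:
        project_id: project ID or project number of the Cloud project you want to use.
        location: location you want to use. For a list of locations, see: https://cloud.google.com/certificate-authority-service/docs/locations.
        ca_pool_name: a unique name for the ca pool.
    """

    ca_service_client = privateca_v1.CertificateAuthorityServiceClient()

    ca_pool_path = ca_service_client.ca_pool_path(project_id, location, ca_pool_name)

    # The CEL expression is the part of the policy that narrows which SANs are
    # accepted once passthrough is allowed, so keep it in one place: it is sent
    # in the update and compared again after the update completes.
    cel_expression_text = (
        'subject_alt_names.all(san, san.type == DNS && (san.value == "us.google.org" || san.value.endsWith(".google.com")) )'
    )
    expr = expr_pb2.Expr(expression=cel_expression_text)

    issuance_policy = privateca_v1.CaPool.IssuancePolicy(
        identity_constraints=privateca_v1.CertificateIdentityConstraints(
            # Passthrough allows requester-supplied subject / SAN values; the
            # CEL expression above is what restricts them to the allowed DNS names.
            allow_subject_passthrough=True,
            allow_subject_alt_names_passthrough=True,
            cel_expression=expr,
        ),
    )

    ca_pool = privateca_v1.CaPool(
        name=ca_pool_path,
        issuance_policy=issuance_policy,
    )

    # The update mask lists exactly the fields to overwrite; everything else on
    # the pool is left untouched. Keep these paths in sync with the policy above.
    # For more info on constructing path for update mask, see:
    # https://cloud.google.com/certificate-authority-service/docs/reference/rest/v1/projects.locations.caPools#issuancepolicy
    request = privateca_v1.UpdateCaPoolRequest(
        ca_pool=ca_pool,
        update_mask=field_mask_pb2.FieldMask(
            paths=[
                "issuance_policy.identity_constraints.allow_subject_alt_names_passthrough",
                "issuance_policy.identity_constraints.allow_subject_passthrough",
                "issuance_policy.identity_constraints.cel_expression",
            ],
        ),
    )
    operation = ca_service_client.update_ca_pool(request=request)
    result = operation.result()

    print("Operation result", result)

    # Read the pool back and confirm every field named in the update mask took
    # effect. Checking the CEL expression too matters: with both passthrough
    # flags on, it is the field that limits which SANs a requester can obtain.
    constraints = ca_service_client.get_ca_pool(
        name=ca_pool_path
    ).issuance_policy.identity_constraints

    # NOTE(review): assumes the service stores the expression text verbatim — confirm.
    if (
        constraints.allow_subject_passthrough
        and constraints.allow_subject_alt_names_passthrough
        and constraints.cel_expression.expression == cel_expression_text
    ):
        print("CA Pool Issuance policy has been updated successfully!")
        return

    print("Error in updating CA Pool Issuance policy! Please try again!")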