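def revoke_certificate(
    project_id: str,
    location: str,
    ca_pool_name: str,
    certificate_name: str,
    reason=None,
) -> None:
    """
    Revoke an issued certificate.

    The revocation is recorded by the service as soon as the request succeeds, but
    relying parties only learn about it through the issuing CA's published
    certificate revocation list (see the update_certificate_revocation_list sample),
    so CRL publishing must be configured for revocation to have any effect on clients.

    Args:
        project_id: project ID or project number of the Cloud project you want to use.
        location: location you want to use. For a list of locations, see: https://cloud.google.com/certificate-authority-service/docs/locations.
        ca_pool_name: name for the CA pool which contains the certificate.
        certificate_name: name of the certificate to be revoked.
        reason: privateca_v1.RevocationReason to record with the revocation.
            Defaults to PRIVILEGE_WITHDRAWN (the previous hard-coded value). Pick the
            reason that matches the actual incident (e.g. a key-compromise reason),
            because CRL consumers may treat the reasons differently.
    """

    # Resolved at call time rather than as a parameter default so the module
    # import order does not matter.
    if reason is None:
        reason = privateca_v1.RevocationReason.PRIVILEGE_WITHDRAWN

    caServiceClient = privateca_v1.CertificateAuthorityServiceClient()

    # Full resource name of the certificate inside the pool.
    certificate_path = caServiceClient.certificate_path(
        project_id, location, ca_pool_name, certificate_name)

    # Revoke the certificate with the chosen revocation reason.
    request = privateca_v1.RevokeCertificateRequest(
        name=certificate_path,
        reason=reason)
    result = caServiceClient.revoke_certificate(request=request)

    print("Certificate revoke result:", result)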
def create_ca_pool(project_id: str, location: str, ca_pool_name: str) -> None:
    """
    Create a Certificate Authority pool.

    Every certificate issued under the pool is subject to the pool's issuance policy
    and IAM policies. Note that no issuance policy is set here, so identity
    constraints on issued certificates have to be added afterwards (see
    update_ca_pool_issuance_policy).

    Args:
        project_id: project ID or project number of the Cloud project you want to use.
        location: location you want to use. For a list of locations, see: https://cloud.google.com/certificate-authority-service/docs/locations.
        ca_pool_name: a unique name for the ca pool.
    """

    ca_client = privateca_v1.CertificateAuthorityServiceClient()

    # Only the tier is configured here
    # (see: https://cloud.google.com/certificate-authority-service/docs/tiers).
    pool_spec = privateca_v1.CaPool(tier=privateca_v1.CaPool.Tier.ENTERPRISE)

    # The pool lives directly under the project/location.
    create_request = privateca_v1.CreateCaPoolRequest(
        parent=ca_client.common_location_path(project_id, location),
        ca_pool_id=ca_pool_name,
        ca_pool=pool_spec,
    )

    # Creation is a long-running operation; block until it finishes.
    create_operation = ca_client.create_ca_pool(request=create_request)

    print("Operation result:", create_operation.result())
def filter_certificates(project_id: str, location: str, ca_pool_name: str,
                        filter_condition: str) -> None:
    """
    List the certificates in a CA pool that match a filter expression.

    Args:
        project_id: project ID or project number of the Cloud project you want to use.
        location: location you want to use. For a list of locations, see: https://cloud.google.com/certificate-authority-service/docs/locations.
        ca_pool_name: name of the CA pool which contains the certificates to be listed.
        filter_condition: filter expression handed verbatim to the ListCertificates
            API (it is evaluated server-side, not interpolated locally).
    """

    ca_client = privateca_v1.CertificateAuthorityServiceClient()

    pool_resource = ca_client.ca_pool_path(project_id, location, ca_pool_name)

    # The filter is part of the list request itself.
    list_request = privateca_v1.ListCertificatesRequest(
        parent=pool_resource,
        filter=filter_condition,
    )

    # Print one line per matching certificate; the client handles pagination.
    print("Available certificates: ")
    for matching_cert in ca_client.list_certificates(request=list_request):
        print(f"- {matching_cert.name}")
def delete_certificate_template(
    project_id: str,
    location: str,
    certificate_template_id: str,
) -> None:
    """
    Delete a certificate template from the given project and location.

    Args:
        project_id: project ID or project number of the Cloud project you want to use.
        location: location you want to use. For a list of locations, see: https://cloud.google.com/certificate-authority-service/docs/locations.
        certificate_template_id: name of the certificate template to delete.
    """

    ca_client = privateca_v1.CertificateAuthorityServiceClient()

    # Full resource name of the template to delete.
    template_resource = ca_client.certificate_template_path(
        project_id,
        location,
        certificate_template_id,
    )

    # Deletion is a long-running operation; wait for it before reporting.
    delete_operation = ca_client.delete_certificate_template(
        request=privateca_v1.DeleteCertificateTemplateRequest(
            name=template_resource))
    outcome = delete_operation.result()

    print("Operation result", outcome)
    print("Deleted certificate template:", certificate_template_id)
def update_certificate_template(
    project_id: str,
    location: str,
    certificate_template_id: str,
) -> None:
    """
    Update the identity constraints of an existing certificate template.

    After the update, Subject values from a request are dropped
    (allow_subject_passthrough=False) while Subject Alternative Names from the
    request are honoured (allow_subject_alt_names_passthrough=True). Enabling SAN
    passthrough means requesters control the SANs the CA signs; only the template's
    cel_expression (untouched by this update, since it is not in the field mask)
    restricts them.

    Args:
        project_id: project ID or project number of the Cloud project you want to use.
        location: location you want to use. For a list of locations, see: https://cloud.google.com/certificate-authority-service/docs/locations.
        certificate_template_id: name of the certificate template to update.
    """

    ca_client = privateca_v1.CertificateAuthorityServiceClient()

    template_resource = ca_client.certificate_template_path(
        project_id,
        location,
        certificate_template_id,
    )

    # New identity constraints; only these two flags are changed.
    new_constraints = privateca_v1.CertificateIdentityConstraints(
        allow_subject_passthrough=False,
        allow_subject_alt_names_passthrough=True,
    )
    updated_template = privateca_v1.CertificateTemplate(
        name=template_resource,
        identity_constraints=new_constraints,
    )

    # The mask must list exactly the fields set above, otherwise the update
    # would silently leave them unchanged.
    mask = field_mask_pb2.FieldMask(paths=[
        "identity_constraints.allow_subject_alt_names_passthrough",
        "identity_constraints.allow_subject_passthrough",
    ])

    update_operation = ca_client.update_certificate_template(
        request=privateca_v1.UpdateCertificateTemplateRequest(
            certificate_template=updated_template,
            update_mask=mask,
        ))
    outcome = update_operation.result()

    print("Operation result", outcome)

    # Read the template back and confirm both flags have the expected values.
    constraints_after = ca_client.get_certificate_template(
        name=template_resource).identity_constraints

    update_ok = (constraints_after.allow_subject_alt_names_passthrough
                 and not constraints_after.allow_subject_passthrough)
    if update_ok:
        print("Successfully updated the certificate template!")
    else:
        print("Error in updating certificate template!")
def create_certificate_template(
    project_id: str,
    location: str,
    certificate_template_id: str,
) -> None:
    """
    Create a certificate template for a common issuance scenario.

    The template pins end-entity (is_ca=False) TLS-server usage: digitalSignature
    and keyEncipherment key usage with the serverAuth extended key usage. Requested
    Subject and SAN values are not passed through, and the CEL rule only admits
    DNS-type SANs.

    Args:
        project_id: project ID or project number of the Cloud project you want to use.
        location: location you want to use. For a list of locations, see: https://cloud.google.com/certificate-authority-service/docs/locations.
        certificate_template_id: set a unique name for the certificate template.
    """

    ca_client = privateca_v1.CertificateAuthorityServiceClient()

    # X.509 values copied into every certificate issued with this template.
    key_usage = privateca_v1.KeyUsage(
        base_key_usage=privateca_v1.KeyUsage.KeyUsageOptions(
            digital_signature=True,
            key_encipherment=True,
        ),
        extended_key_usage=privateca_v1.KeyUsage.ExtendedKeyUsageOptions(
            server_auth=True),
    )
    # is_ca=False: certificates from this template can never act as a CA.
    predefined = privateca_v1.X509Parameters(
        key_usage=key_usage,
        ca_options=privateca_v1.X509Parameters.CaOptions(is_ca=False),
    )

    # CEL rule evaluated against the Subject / SANs before issuance:
    # every SAN must be a DNS name.
    san_rule = expr_pb2.Expr(
        expression="subject_alt_names.all(san, san.type == DNS)")

    identity_rules = privateca_v1.CertificateIdentityConstraints(
        cel_expression=san_rule,
        allow_subject_passthrough=False,
        allow_subject_alt_names_passthrough=False,
    )
    template_spec = privateca_v1.CertificateTemplate(
        predefined_values=predefined,
        identity_constraints=identity_rules,
    )

    # Templates live directly under the project/location.
    create_operation = ca_client.create_certificate_template(
        request=privateca_v1.CreateCertificateTemplateRequest(
            parent=ca_client.common_location_path(project_id, location),
            certificate_template=template_spec,
            certificate_template_id=certificate_template_id,
        ))
    outcome = create_operation.result()

    print("Operation result:", outcome)
def sample_get_certificate_authority():
    """Fetch one certificate authority by full resource name (placeholder value)."""
    ca_client = privateca_v1.CertificateAuthorityServiceClient()

    # "name_value" is a placeholder for the CA's full resource name.
    get_request = privateca_v1.GetCertificateAuthorityRequest(name="name_value")

    # Synchronous call; print the returned CA resource.
    print(ca_client.get_certificate_authority(request=get_request))
def sample_fetch_certificate_authority_csr():
    """Fetch the CSR of a (subordinate) CA awaiting activation (placeholder name)."""
    ca_client = privateca_v1.CertificateAuthorityServiceClient()

    # "name_value" is a placeholder for the CA's full resource name.
    csr_request = privateca_v1.FetchCertificateAuthorityCsrRequest(
        name="name_value")

    # The response carries the PEM CSR to be signed by the parent CA.
    csr_response = ca_client.fetch_certificate_authority_csr(request=csr_request)
    print(csr_response)
def sample_list_ca_pools():
    """List CA pools under a location (placeholder parent) and print each one."""
    ca_client = privateca_v1.CertificateAuthorityServiceClient()

    # "parent_value" is a placeholder for projects/{project}/locations/{location}.
    list_request = privateca_v1.ListCaPoolsRequest(parent="parent_value")

    # The pager transparently follows pagination.
    for pool in ca_client.list_ca_pools(request=list_request):
        print(pool)
def create_certificate_csr(
    project_id: str,
    location: str,
    ca_pool_name: str,
    ca_name: str,
    certificate_name: str,
    certificate_lifetime: int,
    pem_csr: str,
) -> None:
    """
    Issue a certificate from a PEM-encoded Certificate Signing Request.

    The CSR supplies the public key and the requested identity; which of the
    requested Subject/SAN values actually end up in the certificate is governed by
    the pool's issuance policy (see update_ca_pool_issuance_policy), not by this
    function.

    Args:
        project_id: project ID or project number of the Cloud project you want to use.
        location: location you want to use. For a list of locations, see: https://cloud.google.com/certificate-authority-service/docs/locations.
        ca_pool_name: name of the CA pool that contains the issuing CA.
        ca_name: the name of the certificate authority to sign the CSR.
        certificate_name: set a unique name for the certificate.
        certificate_lifetime: the validity of the certificate in seconds.
        pem_csr: set the Certificate Issuing Request in the pem encoded format.
    """

    ca_client = privateca_v1.CertificateAuthorityServiceClient()

    # The key pair behind the CSR can come from any crypto library, or the public
    # key can be fetched from Cloud KMS
    # (see: https://cloud.google.com/kms/docs/retrieve-public-key).
    # The CSR itself carries the public key and the requested identity.
    requested_cert = privateca_v1.Certificate(
        pem_csr=pem_csr,
        lifetime=duration_pb2.Duration(seconds=certificate_lifetime),
    )

    # Issue within the pool, naming the specific CA that must sign.
    pool_resource = ca_client.ca_pool_path(project_id, location, ca_pool_name)
    issued = ca_client.create_certificate(
        request=privateca_v1.CreateCertificateRequest(
            parent=pool_resource,
            certificate_id=certificate_name,
            certificate=requested_cert,
            issuing_certificate_authority_id=ca_name,
        ))

    print(f"Certificate created successfully: {issued.name}")

    # Leaf certificate and the issuer chain (all public material).
    print(f"Signed certificate: {issued.pem_certificate}")
    print(f"Issuer chain list: {issued.pem_certificate_chain}")
def sample_fetch_ca_certs():
    """Fetch the CA certificate chains of a pool (placeholder pool name)."""
    ca_client = privateca_v1.CertificateAuthorityServiceClient()

    # "ca_pool_value" is a placeholder for the pool's full resource name.
    fetch_request = privateca_v1.FetchCaCertsRequest(ca_pool="ca_pool_value")

    # Print the returned CA certificate chains.
    print(ca_client.fetch_ca_certs(request=fetch_request))
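def delete_certificate_authority(project_id: str, location: str,
                                 ca_pool_name: str, ca_name: str) -> None:
    """
    Delete the Certificate Authority from the specified CA pool.

    Before deletion, the CA must be disabled and must not contain any active
    certificates (the request below keeps ignore_active_certificates=False, so the
    service rejects the deletion otherwise). A deleted CA can still be restored for a
    grace period; see undelete_certificate_authority.

    Args:
        project_id: project ID or project number of the Cloud project you want to use.
        location: location you want to use. For a list of locations, see: https://cloud.google.com/certificate-authority-service/docs/locations.
        ca_pool_name: the name of the CA pool under which the CA is present.
        ca_name: the name of the CA to be deleted.
    """

    caServiceClient = privateca_v1.CertificateAuthorityServiceClient()
    ca_path = caServiceClient.certificate_authority_path(
        project_id, location, ca_pool_name, ca_name)

    # Refuse to continue while the CA is still ENABLED. Previously this only
    # printed a warning and then issued the delete request anyway.
    ca_state = caServiceClient.get_certificate_authority(name=ca_path).state
    if ca_state == privateca_v1.CertificateAuthority.State.ENABLED:
        print(
            "Please disable the Certificate Authority before deletion ! Current state:",
            ca_state,
        )
        return

    # Setting ignore_active_certificates to True would delete the CA even if it
    # still has active certificates; keep it False so those certificates are
    # re-anchored to a new CA first.
    request = privateca_v1.DeleteCertificateAuthorityRequest(
        name=ca_path, ignore_active_certificates=False)

    # Deletion is a long-running operation; wait for it.
    operation = caServiceClient.delete_certificate_authority(request=request)
    result = operation.result()

    print("Operation result", result)

    # Read the state back to confirm the CA is now DELETED.
    ca_state = caServiceClient.get_certificate_authority(name=ca_path).state

    if ca_state == privateca_v1.CertificateAuthority.State.DELETED:
        print("Successfully deleted Certificate Authority:", ca_name)
    else:
        print(
            "Unable to delete Certificate Authority. Please try again ! Current state:",
            ca_state,
        )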
def sample_update_certificate():
    """
    Update a certificate resource (placeholder values).

    Only pem_csr is set on the certificate and no update mask or resource name is
    given, so this is a skeleton to be filled in rather than a runnable request.
    """
    ca_client = privateca_v1.CertificateAuthorityServiceClient()

    # Build the certificate with a placeholder CSR.
    cert_spec = privateca_v1.Certificate()
    cert_spec.pem_csr = "pem_csr_value"

    update_request = privateca_v1.UpdateCertificateRequest(certificate=cert_spec)

    # Synchronous call; print the updated certificate.
    print(ca_client.update_certificate(request=update_request))
def sample_revoke_certificate():
    """
    Revoke a certificate (placeholder name) with a fixed revocation reason.

    The reason is given as the enum's string name; it is what CRL consumers will
    see, so in real use it should reflect the actual incident.
    """
    ca_client = privateca_v1.CertificateAuthorityServiceClient()

    # "name_value" is a placeholder for the certificate's full resource name.
    revoke_request = privateca_v1.RevokeCertificateRequest(
        name="name_value",
        reason="ATTRIBUTE_AUTHORITY_COMPROMISE",
    )

    # Synchronous call; print the revoked certificate resource.
    print(ca_client.revoke_certificate(request=revoke_request))
def sample_update_certificate_revocation_list():
    """
    Update a certificate revocation list (skeleton).

    The request is left empty here; a real call needs the CRL resource and an
    update mask.
    """
    ca_client = privateca_v1.CertificateAuthorityServiceClient()

    # Empty placeholder request.
    crl_request = privateca_v1.UpdateCertificateRevocationListRequest()

    # Long-running operation; wait for completion.
    crl_operation = ca_client.update_certificate_revocation_list(request=crl_request)
    print("Waiting for operation to complete...")
    crl_result = crl_operation.result()

    print(crl_result)
def sample_delete_ca_pool():
    """Delete a CA pool (placeholder name) and wait for the operation to finish."""
    ca_client = privateca_v1.CertificateAuthorityServiceClient()

    # "name_value" is a placeholder for the pool's full resource name.
    delete_request = privateca_v1.DeleteCaPoolRequest(name="name_value")

    # Long-running operation; block until done so failures surface here.
    delete_operation = ca_client.delete_ca_pool(request=delete_request)
    print("Waiting for operation to complete...")
    delete_result = delete_operation.result()

    print(delete_result)
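def update_ca_label(
    project_id: str,
    location: str,
    ca_pool_name: str,
    ca_name: str,
    labels: "dict[str, str] | None" = None,
) -> None:
    """
    Update the labels of a certificate authority.

    Args:
        project_id: project ID or project number of the Cloud project you want to use.
        location: location you want to use. For a list of locations, see: https://cloud.google.com/certificate-authority-service/docs/locations.
        ca_pool_name: set it to the CA Pool under which the CA should be updated.
        ca_name: unique name for the CA.
        labels: label map to write to the CA. Defaults to {"env": "test"}, which is
            what this function always wrote before the parameter existed.
    """

    # Mutable default avoided: build the default map per call.
    if labels is None:
        labels = {"env": "test"}

    caServiceClient = privateca_v1.CertificateAuthorityServiceClient()

    # Set the parent path and the new labels.
    ca_parent = caServiceClient.certificate_authority_path(
        project_id, location, ca_pool_name, ca_name)
    certificate_authority = privateca_v1.CertificateAuthority(
        name=ca_parent,
        labels=labels,
    )

    # NOTE(review): the mask names the whole `labels` field, which presumably
    # replaces the CA's label map rather than merging into it, so labels not in
    # `labels` may be dropped — confirm before using on CAs with existing labels.
    request = privateca_v1.UpdateCertificateAuthorityRequest(
        certificate_authority=certificate_authority,
        update_mask=field_mask_pb2.FieldMask(paths=["labels"]),
    )

    operation = caServiceClient.update_certificate_authority(request=request)
    result = operation.result()

    print("Operation result:", result)

    # Read the CA back and confirm every requested label is present with the
    # requested value.
    certificate_authority = caServiceClient.get_certificate_authority(
        name=ca_parent)
    current_labels = certificate_authority.labels

    if all(key in current_labels and current_labels[key] == value
           for key, value in labels.items()):
        print("Successfully updated the labels !")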
def sample_update_ca_pool():
    """
    Update a CA pool (skeleton).

    Only the tier is set and there is no resource name or update mask, so this is a
    template to be completed rather than a runnable request.
    """
    ca_client = privateca_v1.CertificateAuthorityServiceClient()

    # Tier given as the enum's string name.
    pool_spec = privateca_v1.CaPool()
    pool_spec.tier = "DEVOPS"

    update_request = privateca_v1.UpdateCaPoolRequest(ca_pool=pool_spec)

    # Long-running operation; wait for it.
    update_operation = ca_client.update_ca_pool(request=update_request)
    print("Waiting for operation to complete...")
    update_result = update_operation.result()

    print(update_result)
def sample_create_certificate_template():
    """
    Create a certificate template (placeholder values).

    No template body is supplied here; a real call should set predefined values and
    identity constraints (see create_certificate_template).
    """
    ca_client = privateca_v1.CertificateAuthorityServiceClient()

    # Placeholders for projects/{project}/locations/{location} and the template id.
    create_request = privateca_v1.CreateCertificateTemplateRequest(
        parent="parent_value",
        certificate_template_id="certificate_template_id_value",
    )

    # Long-running operation; wait for it.
    create_operation = ca_client.create_certificate_template(request=create_request)
    print("Waiting for operation to complete...")
    create_result = create_operation.result()

    print(create_result)
def undelete_certificate_authority(project_id: str, location: str,
                                   ca_pool_name: str, ca_name: str) -> None:
    """
    Restore a deleted CA, if still within the grace period of 30 days.

    A restored CA comes back DISABLED, so it issues nothing until explicitly
    re-enabled.

    Args:
        project_id: project ID or project number of the Cloud project you want to use.
        location: location you want to use. For a list of locations, see: https://cloud.google.com/certificate-authority-service/docs/locations.
        ca_pool_name: the name of the CA pool under which the deleted CA is present.
        ca_name: the name of the CA to be restored (undeleted).
    """

    ca_client = privateca_v1.CertificateAuthorityServiceClient()
    ca_resource = ca_client.certificate_authority_path(
        project_id, location, ca_pool_name, ca_name)

    ca_states = privateca_v1.CertificateAuthority.State

    # Only a DELETED CA can be restored; bail out otherwise.
    current_state = ca_client.get_certificate_authority(name=ca_resource).state
    if current_state != ca_states.DELETED:
        print("CA is not deleted !")
        return

    # Undelete is a long-running operation; wait for it.
    undelete_operation = ca_client.undelete_certificate_authority(
        request=privateca_v1.UndeleteCertificateAuthorityRequest(name=ca_resource))
    outcome = undelete_operation.result()

    print("Operation result", outcome)

    # A successful restore moves the CA from DELETED to DISABLED.
    current_state = ca_client.get_certificate_authority(name=ca_resource).state

    if current_state != ca_states.DISABLED:
        print(
            "Unable to restore the Certificate Authority! Please try again! Current state:",
            current_state,
        )
        return

    print("Successfully undeleted Certificate Authority:", ca_name)
def list_certificate_authorities(project_id: str, location: str,
                                 ca_pool_name: str) -> None:
    """
    Print every Certificate Authority in a CA pool together with its state.

    Args:
        project_id: project ID or project number of the Cloud project you want to use.
        location: location you want to use. For a list of locations, see: https://cloud.google.com/certificate-authority-service/docs/locations.
        ca_pool_name: the name of the CA pool under which the CAs to be listed are present.
    """

    ca_client = privateca_v1.CertificateAuthorityServiceClient()

    pool_resource = ca_client.ca_pool_path(project_id, location, ca_pool_name)

    # One line per CA: full resource name and lifecycle state.
    cas = ca_client.list_certificate_authorities(parent=pool_resource)
    for authority in cas:
        print(authority.name, "is", authority.state)
def sample_update_certificate_authority():
    """
    Update a certificate authority (skeleton).

    Sets the CA type and a Cloud KMS key version with placeholder values and no
    resource name or update mask; treat it as a template, not a runnable request.
    """
    ca_client = privateca_v1.CertificateAuthorityServiceClient()

    # Type given as the enum's string name; the key lives in Cloud KMS.
    ca_spec = privateca_v1.CertificateAuthority()
    ca_spec.type_ = "SUBORDINATE"
    ca_spec.key_spec.cloud_kms_key_version = "cloud_kms_key_version_value"

    update_request = privateca_v1.UpdateCertificateAuthorityRequest(
        certificate_authority=ca_spec)

    # Long-running operation; wait for it.
    update_operation = ca_client.update_certificate_authority(request=update_request)
    print("Waiting for operation to complete...")
    update_result = update_operation.result()

    print(update_result)
def list_certificate_templates(project_id: str, location: str) -> None:
    """
    Print the names of all certificate templates in a project and location.

    Args:
        project_id: project ID or project number of the Cloud project you want to use.
        location: location you want to use. For a list of locations, see: https://cloud.google.com/certificate-authority-service/docs/locations.
    """

    ca_client = privateca_v1.CertificateAuthorityServiceClient()

    # Templates are listed under the project/location parent.
    list_request = privateca_v1.ListCertificateTemplatesRequest(
        parent=ca_client.common_location_path(project_id, location))

    templates = ca_client.list_certificate_templates(request=list_request)

    print("Available certificate templates:")
    for template in templates:
        print(template.name)
def list_ca_pools(project_id: str, location: str) -> None:
    """
    Print the short names of all CA pools in a project and location.

    Args:
        project_id: project ID or project number of the Cloud project you want to use.
        location: location you want to use. For a list of locations, see: https://cloud.google.com/certificate-authority-service/docs/locations.
    """

    ca_client = privateca_v1.CertificateAuthorityServiceClient()

    list_request = privateca_v1.ListCaPoolsRequest(
        parent=ca_client.common_location_path(project_id, location))

    print("Available CA pools:")

    for pool in ca_client.list_ca_pools(request=list_request):
        # pool.name is the full resource name
        # 'projects/{project-id}/locations/{location}/ca-pools/{ca-pool-name}';
        # parse it to print only the pool's own name.
        parts = ca_client.parse_ca_pool_path(pool.name)
        print(parts["ca_pool"])
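def delete_ca_pool(project_id: str, location: str, ca_pool_name: str) -> None:
    """
    Delete the CA pool as mentioned by the ca_pool_name.
    Before deleting the pool, all CAs in the pool MUST BE deleted.

    Args:
        project_id: project ID or project number of the Cloud project you want to use.
        location: location you want to use. For a list of locations, see: https://cloud.google.com/certificate-authority-service/docs/locations.
        ca_pool_name: the name of the CA pool to be deleted.
    """

    caServiceClient = privateca_v1.CertificateAuthorityServiceClient()

    ca_pool_path = caServiceClient.ca_pool_path(project_id, location,
                                                ca_pool_name)

    # Create the Delete request.
    request = privateca_v1.DeleteCaPoolRequest(name=ca_pool_path)

    # delete_ca_pool returns a long-running operation. Wait for it so that a
    # rejected deletion (e.g. the pool still holds CAs) raises here instead of
    # the success message being printed while the operation is still pending
    # or has failed.
    operation = caServiceClient.delete_ca_pool(request=request)
    operation.result()

    print("Deleted CA Pool:", ca_pool_name)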
def list_certificates(
    project_id: str,
    location: str,
    ca_pool_name: str,
) -> None:
    """
    Print the names of all certificates in a CA pool.

    Args:
        project_id: project ID or project number of the Cloud project you want to use.
        location: location you want to use. For a list of locations, see: https://cloud.google.com/certificate-authority-service/docs/locations.
        ca_pool_name: name of the CA pool which contains the certificates to be listed.
    """

    ca_client = privateca_v1.CertificateAuthorityServiceClient()

    pool_resource = ca_client.ca_pool_path(project_id, location, ca_pool_name)

    print(f"Available certificates in CA pool {ca_pool_name}:")
    # The pager follows pagination; print one full resource name per line.
    for issued in ca_client.list_certificates(parent=pool_resource):
        print(issued.name)
def sample_activate_certificate_authority():
    """
    Activate a subordinate CA with its signed certificate (placeholder values).

    The PEM CA certificate is what the parent CA signed for this CA's CSR; the
    subordinate_config names the parent CA resource.
    """
    ca_client = privateca_v1.CertificateAuthorityServiceClient()

    # Placeholder for the parent CA's full resource name.
    parent_config = privateca_v1.SubordinateConfig()
    parent_config.certificate_authority = "certificate_authority_value"

    activate_request = privateca_v1.ActivateCertificateAuthorityRequest(
        name="name_value",
        pem_ca_certificate="pem_ca_certificate_value",
        subordinate_config=parent_config,
    )

    # Long-running operation; wait for it.
    activate_operation = ca_client.activate_certificate_authority(
        request=activate_request)
    print("Waiting for operation to complete...")
    activate_result = activate_operation.result()

    print(activate_result)
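def update_ca_pool_issuance_policy(
    project_id: str,
    location: str,
    ca_pool_name: str,
) -> None:
    """
    Update the issuance policy for a CA Pool. All certificates issued from this CA Pool
    must meet the issuance policy.

    The policy written here passes both the requested Subject and the requested SANs
    through, and constrains the SANs with a CEL expression. Note that the expression
    only inspects subject_alt_names: the Subject (e.g. the CN) is passed through
    without any check, so a requester controls it fully.

    Args:
        project_id: project ID or project number of the Cloud project you want to use.
        location: location you want to use. For a list of locations, see: https://cloud.google.com/certificate-authority-service/docs/locations.
        ca_pool_name: name of the existing CA pool whose issuance policy is updated.
    """

    caServiceClient = privateca_v1.CertificateAuthorityServiceClient()

    ca_pool_path = caServiceClient.ca_pool_path(project_id, location,
                                                ca_pool_name)

    # Set the updated issuance policy for the CA Pool.
    # This particular issuance policy allows only SANs that
    # have DNS Names equal to "us.google.org" or ending in ".google.com".
    # The leading dot in the suffix matters: without it "evilgoogle.com" would match.
    expr = expr_pb2.Expr(
        expression=
        'subject_alt_names.all(san, san.type == DNS && (san.value == "us.google.org" || san.value.endsWith(".google.com")) )'
    )

    issuance_policy = privateca_v1.CaPool.IssuancePolicy(
        identity_constraints=privateca_v1.CertificateIdentityConstraints(
            allow_subject_passthrough=True,
            allow_subject_alt_names_passthrough=True,
            cel_expression=expr,
        ), )

    ca_pool = privateca_v1.CaPool(
        name=ca_pool_path,
        issuance_policy=issuance_policy,
    )

    # 1. Set the CA pool with updated values.
    # 2. Set the update mask to specify which properties of the CA Pool should be updated.
    # Only the properties specified in the mask will be updated. Make sure that the mask fields
    # match the updated issuance policy.
    # For more info on constructing path for update mask, see:
    # https://cloud.google.com/certificate-authority-service/docs/reference/rest/v1/projects.locations.caPools#issuancepolicy
    request = privateca_v1.UpdateCaPoolRequest(
        ca_pool=ca_pool,
        update_mask=field_mask_pb2.FieldMask(paths=[
            "issuance_policy.identity_constraints.allow_subject_alt_names_passthrough",
            "issuance_policy.identity_constraints.allow_subject_passthrough",
            "issuance_policy.identity_constraints.cel_expression",
        ], ),
    )
    operation = caServiceClient.update_ca_pool(request=request)
    result = operation.result()

    print("Operation result", result)

    # Get the CA Pool's issuance policy and verify that all three masked fields
    # were written. The CEL expression is checked too: it is the only thing that
    # restricts passthrough SANs, so a pool where it failed to land would issue
    # for arbitrary names while the passthrough flags alone look correct.
    constraints = caServiceClient.get_ca_pool(
        name=ca_pool_path).issuance_policy.identity_constraints

    if (constraints.allow_subject_passthrough
            and constraints.allow_subject_alt_names_passthrough
            and constraints.cel_expression.expression == expr.expression):
        print("CA Pool Issuance policy has been updated successfully!")
        return

    print("Error in updating CA Pool Issuance policy! Please try again!")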
def test_subordinate_certificate_authority(certificate_authority: tuple[str, str],
                                           capsys: typing.Any) -> None:
    """
    End-to-end check of the subordinate-CA flow: create a subordinate CA, have the
    fixture's root CA sign its CSR, activate it, then revoke the signed certificate.

    Args:
        certificate_authority: fixture yielding (CA pool name, root CA name).
        capsys: pytest capture fixture used to inspect printed output.
    """
    CSR_CERT_NAME = generate_name()
    SUBORDINATE_CA_NAME = generate_name()

    CA_POOL_NAME, ROOT_CA_NAME = certificate_authority

    # 1. Create a Subordinate Certificate Authority.
    create_subordinate_ca(
        PROJECT,
        LOCATION,
        CA_POOL_NAME,
        SUBORDINATE_CA_NAME,
        COMMON_NAME,
        ORGANIZATION,
        DOMAIN_NAME,
        CA_DURATION,
    )

    # 2. Fetch CSR of the given CA.
    ca_service_client = privateca_v1.CertificateAuthorityServiceClient()

    ca_path = ca_service_client.certificate_authority_path(
        PROJECT, LOCATION, CA_POOL_NAME, SUBORDINATE_CA_NAME)
    response = ca_service_client.fetch_certificate_authority_csr(name=ca_path)
    pem_csr = response.pem_csr

    # 3. Sign the CSR and create a certificate.
    # The root CA issues this through the ordinary certificate path; whether the
    # result carries CA basic constraints depends on what the service honours
    # from the CSR — not visible here, so verify against the issued PEM if needed.
    create_certificate_csr(
        PROJECT,
        LOCATION,
        CA_POOL_NAME,
        ROOT_CA_NAME,
        CSR_CERT_NAME,
        CERTIFICATE_LIFETIME,
        pem_csr,
    )

    # 4. Get certificate PEM format
    certificate_name = ca_service_client.certificate_path(
        PROJECT, LOCATION, CA_POOL_NAME, CSR_CERT_NAME)
    pem_certificate = ca_service_client.get_certificate(
        name=certificate_name).pem_certificate

    # 5. Activate Subordinate CA
    activate_subordinate_ca(
        PROJECT,
        LOCATION,
        CA_POOL_NAME,
        SUBORDINATE_CA_NAME,
        pem_certificate,
        ROOT_CA_NAME,
    )

    # Cleanup-style revocation of the subordinate CA's own certificate (this is
    # also the step one would take to cut off a compromised subordinate CA).
    revoke_certificate(
        PROJECT,
        LOCATION,
        CA_POOL_NAME,
        CSR_CERT_NAME,
    )

    out, _ = capsys.readouterr()

    # Presumably emitted by create_subordinate_ca (defined elsewhere).
    assert re.search(
        f'Operation result: name: "projects/{PROJECT}/locations/{LOCATION}/caPools/{CA_POOL_NAME}/certificateAuthorities/{SUBORDINATE_CA_NAME}"',
        out,
    )

    assert "Certificate created successfully" in out
    # Presumably printed by activate_subordinate_ca: an activated subordinate CA
    # reports the STAGED state. Confirm against that function if this changes.
    assert f"Current state: {privateca_v1.CertificateAuthority.State.STAGED}" in out
def create_certificate_authority(
    project_id: str,
    location: str,
    ca_pool_name: str,
    ca_name: str,
    common_name: str,
    organization: str,
    ca_duration: int,
) -> None:
    """
    Create a self-signed root Certificate Authority in the given CA pool.

    The root uses an RSA-4096 / SHA-256 signing key, carries only the certSign and
    cRLSign key usages, and is marked as a CA. No maximum issuer path length is
    configured here.

    Args:
        project_id: project ID or project number of the Cloud project you want to use.
        location: location you want to use. For a list of locations, see: https://cloud.google.com/certificate-authority-service/docs/locations.
        ca_pool_name: set it to the CA Pool under which the CA should be created.
        ca_name: unique name for the CA.
        common_name: a title for your certificate authority.
        organization: the name of your company for your certificate authority.
        ca_duration: the validity of the certificate authority in seconds.
    """

    ca_client = privateca_v1.CertificateAuthorityServiceClient()
    ca_types = privateca_v1.CertificateAuthority

    # Signing algorithm for the CA key (held in Cloud KMS on the service side).
    signing_key = ca_types.KeyVersionSpec(
        algorithm=ca_types.SignHashAlgorithm.RSA_PKCS1_4096_SHA256)

    # Subject of the root certificate.
    root_subject = privateca_v1.CertificateConfig.SubjectConfig(
        subject=privateca_v1.Subject(common_name=common_name,
                                     organization=organization))

    # CA-only key usages; is_ca=True sets the basic constraints CA bit.
    root_x509 = privateca_v1.X509Parameters(
        key_usage=privateca_v1.KeyUsage(
            base_key_usage=privateca_v1.KeyUsage.KeyUsageOptions(
                crl_sign=True,
                cert_sign=True,
            )),
        ca_options=privateca_v1.X509Parameters.CaOptions(is_ca=True),
    )

    # SELF_SIGNED makes this a root CA.
    root_ca = ca_types(
        type_=ca_types.Type.SELF_SIGNED,
        key_spec=signing_key,
        config=privateca_v1.CertificateConfig(
            subject_config=root_subject,
            x509_config=root_x509,
        ),
        lifetime=duration_pb2.Duration(seconds=ca_duration),
    )

    pool_resource = ca_client.ca_pool_path(project_id, location, ca_pool_name)

    # Creation is a long-running operation; wait for it.
    create_operation = ca_client.create_certificate_authority(
        request=privateca_v1.CreateCertificateAuthorityRequest(
            parent=pool_resource,
            certificate_authority_id=ca_name,
            certificate_authority=root_ca,
        ))
    outcome = create_operation.result()

    print("Operation result:", outcome)