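def revoke_certificate(
    project_id: str,
    location: str,
    ca_pool_name: str,
    certificate_name: str,
    *,
    reason: "privateca_v1.RevocationReason | None" = None,
) -> None:
    """
    Revoke an issued certificate.
    Once revoked, the certificate will become invalid and will expire post its lifetime.

    Args:
        project_id: project ID or project number of the Cloud project you want to use.
        location: location you want to use. For a list of locations, see:
            https://cloud.google.com/certificate-authority-service/docs/locations.
        ca_pool_name: name for the CA pool which contains the certificate.
        certificate_name: name of the certificate to be revoked.
        reason: revocation reason sent with the request. Defaults to
            RevocationReason.PRIVILEGE_WITHDRAWN, the value this sample
            always used before the parameter existed. Pass the reason that
            matches the actual cause (for example a key compromise) so the
            recorded reason is accurate for anyone checking revocation status.
    """
    caServiceClient = privateca_v1.CertificateAuthorityServiceClient()

    # Resolve the default lazily so the module does not touch privateca_v1
    # at import time.
    if reason is None:
        reason = privateca_v1.RevocationReason.PRIVILEGE_WITHDRAWN

    # Create Certificate Path.
    certificate_path = caServiceClient.certificate_path(
        project_id, location, ca_pool_name, certificate_name
    )

    # Create Revoke Certificate Request and specify the revocation reason.
    request = privateca_v1.RevokeCertificateRequest(
        name=certificate_path,
        reason=reason,
    )

    result = caServiceClient.revoke_certificate(request=request)
    print("Certificate revoke result:", result)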
def create_ca_pool(project_id: str, location: str, ca_pool_name: str) -> None:
    """
    Create a Certificate Authority pool.
    All certificates created under this CA pool will follow the same issuance policy, IAM policies, etc.

    Args:
        project_id: project ID or project number of the Cloud project you want to use.
        location: location you want to use. For a list of locations, see:
            https://cloud.google.com/certificate-authority-service/docs/locations.
        ca_pool_name: a unique name for the ca pool.
    """
    client = privateca_v1.CertificateAuthorityServiceClient()

    # Parent resource the pool is created under.
    parent = client.common_location_path(project_id, location)

    # Tier selection (see: https://cloud.google.com/certificate-authority-service/docs/tiers).
    pool = privateca_v1.CaPool(tier=privateca_v1.CaPool.Tier.ENTERPRISE)

    create_request = privateca_v1.CreateCaPoolRequest(
        parent=parent,
        ca_pool_id=ca_pool_name,
        ca_pool=pool,
    )

    # Creation is a long-running operation; block until it finishes.
    operation = client.create_ca_pool(request=create_request)
    print("Operation result:", operation.result())
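def filter_certificates(
    project_id: str, location: str, ca_pool_name: str, filter_condition: str
) -> None:
    """
    Filter certificates based on a condition and list them.

    Args:
        project_id: project ID or project number of the Cloud project you want to use.
        location: location you want to use. For a list of locations, see:
            https://cloud.google.com/certificate-authority-service/docs/locations.
        ca_pool_name: name of the CA pool which contains the certificates to be listed.
        filter_condition: filter expression placed verbatim in the
            ListCertificatesRequest ``filter`` field; it is interpreted by the
            service, not by this function.
    """
    caServiceClient = privateca_v1.CertificateAuthorityServiceClient()

    ca_pool_path = caServiceClient.ca_pool_path(project_id, location, ca_pool_name)

    # Create the certificate request and set the filter condition.
    request = privateca_v1.ListCertificatesRequest(
        parent=ca_pool_path,
        filter=filter_condition,
    )

    # Retrieve and print the certificate names.
    print("Available certificates: ")
    for cert in caServiceClient.list_certificates(request=request):
        print(f"- {cert.name}")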
def delete_certificate_template(
    project_id: str,
    location: str,
    certificate_template_id: str,
) -> None:
    """
    Delete the certificate template present in the given project and location.

    Args:
        project_id: project ID or project number of the Cloud project you want to use.
        location: location you want to use. For a list of locations, see:
            https://cloud.google.com/certificate-authority-service/docs/locations.
        certificate_template_id: set a unique name for the certificate template.
    """
    client = privateca_v1.CertificateAuthorityServiceClient()

    template_path = client.certificate_template_path(
        project_id, location, certificate_template_id
    )
    delete_request = privateca_v1.DeleteCertificateTemplateRequest(name=template_path)

    # Deletion is a long-running operation; wait for it before reporting.
    operation = client.delete_certificate_template(request=delete_request)
    print("Operation result", operation.result())
    print("Deleted certificate template:", certificate_template_id)
def update_certificate_template(
    project_id: str,
    location: str,
    certificate_template_id: str,
) -> None:
    """
    Update an existing certificate template.

    Clears ``allow_subject_passthrough`` and sets
    ``allow_subject_alt_names_passthrough`` on the template's identity
    constraints, then reads the template back to confirm both values.

    Args:
        project_id: project ID or project number of the Cloud project you want to use.
        location: location you want to use. For a list of locations, see:
            https://cloud.google.com/certificate-authority-service/docs/locations.
        certificate_template_id: set a unique name for the certificate template.
    """
    client = privateca_v1.CertificateAuthorityServiceClient()
    template_name = client.certificate_template_path(
        project_id, location, certificate_template_id
    )

    # Only the paths in the mask are changed server-side; keep this list in
    # step with the fields assigned below.
    updated_paths = [
        "identity_constraints.allow_subject_alt_names_passthrough",
        "identity_constraints.allow_subject_passthrough",
    ]
    constraints = privateca_v1.CertificateIdentityConstraints(
        allow_subject_passthrough=False,
        allow_subject_alt_names_passthrough=True,
    )
    template = privateca_v1.CertificateTemplate(
        name=template_name,
        identity_constraints=constraints,
    )
    update_request = privateca_v1.UpdateCertificateTemplateRequest(
        certificate_template=template,
        update_mask=field_mask_pb2.FieldMask(paths=updated_paths),
    )

    operation = client.update_certificate_template(request=update_request)
    print("Operation result", operation.result())

    # Read the template back and verify the two flags.
    fetched = client.get_certificate_template(name=template_name).identity_constraints
    subject_passthrough_off = not fetched.allow_subject_passthrough
    san_passthrough_on = fetched.allow_subject_alt_names_passthrough
    if subject_passthrough_off and san_passthrough_on:
        print("Successfully updated the certificate template!")
    else:
        print("Error in updating certificate template!")
def create_certificate_template(
    project_id: str,
    location: str,
    certificate_template_id: str,
) -> None:
    """
    Create a Certificate template.
    These templates can be reused for common certificate issuance scenarios.

    The template fixes the X.509 key usage (digital signature, key
    encipherment, server auth, not a CA), disables passthrough of the
    requester's Subject and SANs, and requires every SAN to be a DNS name
    via a CEL expression.

    Args:
        project_id: project ID or project number of the Cloud project you want to use.
        location: location you want to use. For a list of locations, see:
            https://cloud.google.com/certificate-authority-service/docs/locations.
        certificate_template_id: set a unique name for the certificate template.
    """
    client = privateca_v1.CertificateAuthorityServiceClient()

    # Predefined X.509 values; these are copied into every certificate request
    # that uses this template.
    base_usage = privateca_v1.KeyUsage.KeyUsageOptions(
        digital_signature=True,
        key_encipherment=True,
    )
    extended_usage = privateca_v1.KeyUsage.ExtendedKeyUsageOptions(server_auth=True)
    x509_values = privateca_v1.X509Parameters(
        key_usage=privateca_v1.KeyUsage(
            base_key_usage=base_usage,
            extended_key_usage=extended_usage,
        ),
        ca_options=privateca_v1.X509Parameters.CaOptions(is_ca=False),
    )

    # CEL expression evaluated against the Subject and Subject Alternative
    # Names of the certificate before it is issued.
    san_rule = expr_pb2.Expr(expression="subject_alt_names.all(san, san.type == DNS)")

    identity = privateca_v1.CertificateIdentityConstraints(
        cel_expression=san_rule,
        allow_subject_passthrough=False,
        allow_subject_alt_names_passthrough=False,
    )
    template = privateca_v1.CertificateTemplate(
        predefined_values=x509_values,
        identity_constraints=identity,
    )

    create_request = privateca_v1.CreateCertificateTemplateRequest(
        parent=client.common_location_path(project_id, location),
        certificate_template=template,
        certificate_template_id=certificate_template_id,
    )

    # Long-running operation; wait for completion.
    operation = client.create_certificate_template(request=create_request)
    print("Operation result:", operation.result())
def sample_get_certificate_authority():
    """Fetch one certificate authority by resource name and print it.

    ``name_value`` is a placeholder; substitute the full resource name of
    the CA to look up.
    """
    client = privateca_v1.CertificateAuthorityServiceClient()
    get_request = privateca_v1.GetCertificateAuthorityRequest(name="name_value")
    ca = client.get_certificate_authority(request=get_request)
    print(ca)
def sample_fetch_certificate_authority_csr():
    """Fetch the CSR of a certificate authority and print the response.

    ``name_value`` is a placeholder for the CA's full resource name.
    """
    client = privateca_v1.CertificateAuthorityServiceClient()
    csr_request = privateca_v1.FetchCertificateAuthorityCsrRequest(name="name_value")
    csr_response = client.fetch_certificate_authority_csr(request=csr_request)
    print(csr_response)
def sample_list_ca_pools():
    """List CA pools under a parent and print each one.

    ``parent_value`` is a placeholder for the parent resource name.
    """
    client = privateca_v1.CertificateAuthorityServiceClient()
    list_request = privateca_v1.ListCaPoolsRequest(parent="parent_value")
    # The client pages through results transparently.
    for pool in client.list_ca_pools(request=list_request):
        print(pool)
def create_certificate_csr(
    project_id: str,
    location: str,
    ca_pool_name: str,
    ca_name: str,
    certificate_name: str,
    certificate_lifetime: int,
    pem_csr: str,
) -> None:
    """
    Create a Certificate which is issued by the specified Certificate Authority (CA).
    The certificate details and the public key is provided as a Certificate Signing Request (CSR).

    Args:
        project_id: project ID or project number of the Cloud project you want to use.
        location: location you want to use. For a list of locations, see:
            https://cloud.google.com/certificate-authority-service/docs/locations.
        ca_pool_name: set a unique name for the CA pool.
        ca_name: the name of the certificate authority to sign the CSR.
        certificate_name: set a unique name for the certificate.
        certificate_lifetime: the validity of the certificate in seconds.
        pem_csr: set the Certificate Issuing Request in the pem encoded format.
    """
    client = privateca_v1.CertificateAuthorityServiceClient()

    # The public key used to sign the certificate can be generated using any crypto library/framework.
    # Also you can use Cloud KMS to retrieve an already created public key.
    # For more info, see: https://cloud.google.com/kms/docs/retrieve-public-key.

    # The CSR carries the public key and the requested names; this function
    # forwards it unchanged, so any constraints on what gets issued come from
    # the CA pool / template configuration, not from here.
    lifetime = duration_pb2.Duration(seconds=certificate_lifetime)
    certificate = privateca_v1.Certificate(pem_csr=pem_csr, lifetime=lifetime)

    # Name the CA in the pool that must sign this CSR.
    create_request = privateca_v1.CreateCertificateRequest(
        parent=client.ca_pool_path(project_id, location, ca_pool_name),
        certificate_id=certificate_name,
        certificate=certificate,
        issuing_certificate_authority_id=ca_name,
    )

    issued = client.create_certificate(request=create_request)
    print(f"Certificate created successfully: {issued.name}")

    # Signed leaf and the issuer chain returned with it.
    print(f"Signed certificate: {issued.pem_certificate}")
    print(f"Issuer chain list: {issued.pem_certificate_chain}")
def sample_fetch_ca_certs():
    """Fetch the CA certificates of a pool and print the response.

    ``ca_pool_value`` is a placeholder for the pool's full resource name.
    """
    client = privateca_v1.CertificateAuthorityServiceClient()
    fetch_request = privateca_v1.FetchCaCertsRequest(ca_pool="ca_pool_value")
    certs = client.fetch_ca_certs(request=fetch_request)
    print(certs)
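def delete_certificate_authority(
    project_id: str, location: str, ca_pool_name: str, ca_name: str
) -> None:
    """
    Delete the Certificate Authority from the specified CA pool.
    Before deletion, the CA must be disabled and must not contain any active certificates.

    Args:
        project_id: project ID or project number of the Cloud project you want to use.
        location: location you want to use. For a list of locations, see:
            https://cloud.google.com/certificate-authority-service/docs/locations.
        ca_pool_name: the name of the CA pool under which the CA is present.
        ca_name: the name of the CA to be deleted.
    """
    caServiceClient = privateca_v1.CertificateAuthorityServiceClient()

    ca_path = caServiceClient.certificate_authority_path(
        project_id, location, ca_pool_name, ca_name
    )

    # Check if the CA is enabled.
    ca_state = caServiceClient.get_certificate_authority(name=ca_path).state
    print(ca_state)
    if ca_state == privateca_v1.CertificateAuthority.State.ENABLED:
        print(
            "Please disable the Certificate Authority before deletion ! Current state:",
            ca_state,
        )
        # Stop here instead of falling through to the delete request, which is
        # what the message tells the caller we are doing; mirrors the early
        # return in undelete_certificate_authority.
        return

    # Create the DeleteCertificateAuthorityRequest.
    # Setting ignore_active_certificates to True would delete the CA even if it
    # still has active certificates; it is kept False so such a CA is refused
    # rather than silently orphaning its issued certificates. Re-anchor the
    # certificates to a new CA before deleting.
    request = privateca_v1.DeleteCertificateAuthorityRequest(
        name=ca_path, ignore_active_certificates=False
    )

    # Delete the Certificate Authority (long-running operation).
    operation = caServiceClient.delete_certificate_authority(request=request)
    result = operation.result()
    print("Operation result", result)

    # Get the current CA state and confirm it is DELETED.
    ca_state = caServiceClient.get_certificate_authority(name=ca_path).state
    if ca_state == privateca_v1.CertificateAuthority.State.DELETED:
        print("Successfully deleted Certificate Authority:", ca_name)
    else:
        print(
            "Unable to delete Certificate Authority. Please try again ! Current state:",
            ca_state,
        )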
def sample_update_certificate():
    """Update a certificate's CSR field and print the response.

    ``pem_csr_value`` is a placeholder; the request carries no update mask
    in this sample.
    """
    client = privateca_v1.CertificateAuthorityServiceClient()
    cert = privateca_v1.Certificate(pem_csr="pem_csr_value")
    update_request = privateca_v1.UpdateCertificateRequest(certificate=cert)
    updated = client.update_certificate(request=update_request)
    print(updated)
def sample_revoke_certificate():
    """Revoke a certificate with a fixed reason and print the response.

    ``name_value`` is a placeholder for the certificate's full resource name;
    the reason is given as the enum's string name.
    """
    client = privateca_v1.CertificateAuthorityServiceClient()
    revoke_request = privateca_v1.RevokeCertificateRequest(
        name="name_value",
        reason="ATTRIBUTE_AUTHORITY_COMPROMISE",
    )
    revoked = client.revoke_certificate(request=revoke_request)
    print(revoked)
def sample_update_certificate_revocation_list():
    """Issue an empty UpdateCertificateRevocationList request and print the result.

    The request carries no fields in this sample; fill in the CRL and update
    mask before using it.
    """
    client = privateca_v1.CertificateAuthorityServiceClient()
    update_request = privateca_v1.UpdateCertificateRevocationListRequest()
    # Long-running operation; block until it completes.
    operation = client.update_certificate_revocation_list(request=update_request)
    print("Waiting for operation to complete...")
    crl = operation.result()
    print(crl)
def sample_delete_ca_pool():
    """Delete a CA pool and wait for the operation to finish.

    ``name_value`` is a placeholder for the pool's full resource name.
    """
    client = privateca_v1.CertificateAuthorityServiceClient()
    delete_request = privateca_v1.DeleteCaPoolRequest(name="name_value")
    operation = client.delete_ca_pool(request=delete_request)
    print("Waiting for operation to complete...")
    outcome = operation.result()
    print(outcome)
def update_ca_label(
    project_id: str,
    location: str,
    ca_pool_name: str,
    ca_name: str,
) -> None:
    """
    Update the labels in a certificate authority.

    Sets the label ``env=test`` on the CA using an update mask of ``labels``
    and reads the CA back to confirm the label is present.

    Args:
        project_id: project ID or project number of the Cloud project you want to use.
        location: location you want to use. For a list of locations, see:
            https://cloud.google.com/certificate-authority-service/docs/locations.
        ca_pool_name: set it to the CA Pool under which the CA should be updated.
        ca_name: unique name for the CA.
    """
    client = privateca_v1.CertificateAuthorityServiceClient()

    ca_path = client.certificate_authority_path(
        project_id, location, ca_pool_name, ca_name
    )
    new_labels = {"env": "test"}

    # Only the "labels" field is named in the mask, so nothing else on the CA
    # is touched by this update.
    update_request = privateca_v1.UpdateCertificateAuthorityRequest(
        certificate_authority=privateca_v1.CertificateAuthority(
            name=ca_path,
            labels=new_labels,
        ),
        update_mask=field_mask_pb2.FieldMask(paths=["labels"]),
    )

    operation = client.update_certificate_authority(request=update_request)
    print("Operation result:", operation.result())

    # Verify by fetching the CA again.
    refreshed = client.get_certificate_authority(name=ca_path)
    if refreshed.labels.get("env") == "test":
        print("Successfully updated the labels !")
def sample_update_ca_pool():
    """Change a CA pool's tier to DEVOPS and print the operation result.

    The request carries no update mask in this sample.
    """
    client = privateca_v1.CertificateAuthorityServiceClient()
    pool = privateca_v1.CaPool()
    pool.tier = "DEVOPS"
    update_request = privateca_v1.UpdateCaPoolRequest(ca_pool=pool)
    operation = client.update_ca_pool(request=update_request)
    print("Waiting for operation to complete...")
    updated = operation.result()
    print(updated)
def sample_create_certificate_template():
    """Create a certificate template and wait for the operation.

    ``parent_value`` and ``certificate_template_id_value`` are placeholders;
    the request does not include a template body in this sample.
    """
    client = privateca_v1.CertificateAuthorityServiceClient()
    create_request = privateca_v1.CreateCertificateTemplateRequest(
        parent="parent_value",
        certificate_template_id="certificate_template_id_value",
    )
    operation = client.create_certificate_template(request=create_request)
    print("Waiting for operation to complete...")
    template = operation.result()
    print(template)
def undelete_certificate_authority(
    project_id: str, location: str, ca_pool_name: str, ca_name: str
) -> None:
    """
    Restore a deleted CA, if still within the grace period of 30 days.

    Args:
        project_id: project ID or project number of the Cloud project you want to use.
        location: location you want to use. For a list of locations, see:
            https://cloud.google.com/certificate-authority-service/docs/locations.
        ca_pool_name: the name of the CA pool under which the deleted CA is present.
        ca_name: the name of the CA to be restored (undeleted).
    """
    client = privateca_v1.CertificateAuthorityServiceClient()
    ca_path = client.certificate_authority_path(
        project_id, location, ca_pool_name, ca_name
    )
    ca_states = privateca_v1.CertificateAuthority.State

    # Only a CA in DELETED state can be restored; bail out otherwise.
    current = client.get_certificate_authority(name=ca_path).state
    if current != ca_states.DELETED:
        print("CA is not deleted !")
        return

    # Undelete (long-running operation) and wait for it.
    undelete_request = privateca_v1.UndeleteCertificateAuthorityRequest(name=ca_path)
    operation = client.undelete_certificate_authority(request=undelete_request)
    print("Operation result", operation.result())

    # A successfully restored CA comes back DISABLED, not ENABLED.
    current = client.get_certificate_authority(name=ca_path).state
    if current == ca_states.DISABLED:
        print("Successfully undeleted Certificate Authority:", ca_name)
    else:
        print(
            "Unable to restore the Certificate Authority! Please try again! Current state:",
            current,
        )
def list_certificate_authorities(
    project_id: str, location: str, ca_pool_name: str
) -> None:
    """
    List all Certificate authorities present in the given CA Pool.

    Args:
        project_id: project ID or project number of the Cloud project you want to use.
        location: location you want to use. For a list of locations, see:
            https://cloud.google.com/certificate-authority-service/docs/locations.
        ca_pool_name: the name of the CA pool under which the CAs to be listed are present.
    """
    client = privateca_v1.CertificateAuthorityServiceClient()
    pool_path = client.ca_pool_path(project_id, location, ca_pool_name)

    # Print each CA's resource name with its state.
    for authority in client.list_certificate_authorities(parent=pool_path):
        print(authority.name, "is", authority.state)
def sample_update_certificate_authority():
    """Update a CA's type and KMS key version and print the operation result.

    ``cloud_kms_key_version_value`` is a placeholder; the request carries no
    update mask in this sample.
    """
    client = privateca_v1.CertificateAuthorityServiceClient()
    authority = privateca_v1.CertificateAuthority()
    authority.type_ = "SUBORDINATE"
    authority.key_spec.cloud_kms_key_version = "cloud_kms_key_version_value"
    update_request = privateca_v1.UpdateCertificateAuthorityRequest(
        certificate_authority=authority,
    )
    operation = client.update_certificate_authority(request=update_request)
    print("Waiting for operation to complete...")
    updated = operation.result()
    print(updated)
def list_certificate_templates(project_id: str, location: str) -> None:
    """
    List the certificate templates present in the given project and location.

    Args:
        project_id: project ID or project number of the Cloud project you want to use.
        location: location you want to use. For a list of locations, see:
            https://cloud.google.com/certificate-authority-service/docs/locations.
    """
    client = privateca_v1.CertificateAuthorityServiceClient()
    parent = client.common_location_path(project_id, location)
    list_request = privateca_v1.ListCertificateTemplatesRequest(parent=parent)

    print("Available certificate templates:")
    for template in client.list_certificate_templates(request=list_request):
        print(template.name)
def list_ca_pools(project_id: str, location: str) -> None:
    """
    List all CA pools present in the given project and location.

    Args:
        project_id: project ID or project number of the Cloud project you want to use.
        location: location you want to use. For a list of locations, see:
            https://cloud.google.com/certificate-authority-service/docs/locations.
    """
    client = privateca_v1.CertificateAuthorityServiceClient()
    parent = client.common_location_path(project_id, location)
    list_request = privateca_v1.ListCaPoolsRequest(parent=parent)

    print("Available CA pools:")
    for pool in client.list_ca_pools(request=list_request):
        # pool.name is the full resource name
        # 'projects/{project-id}/locations/{location}/ca-pools/{ca-pool-name}';
        # print only the trailing pool id.
        parsed = client.parse_ca_pool_path(pool.name)
        print(parsed["ca_pool"])
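def delete_ca_pool(project_id: str, location: str, ca_pool_name: str) -> None:
    """
    Delete the CA pool as mentioned by the ca_pool_name.
    Before deleting the pool, all CAs in the pool MUST BE deleted.

    Args:
        project_id: project ID or project number of the Cloud project you want to use.
        location: location you want to use. For a list of locations, see:
            https://cloud.google.com/certificate-authority-service/docs/locations.
        ca_pool_name: the name of the CA pool to be deleted.
    """
    caServiceClient = privateca_v1.CertificateAuthorityServiceClient()

    ca_pool_path = caServiceClient.ca_pool_path(project_id, location, ca_pool_name)

    # Create the Delete request.
    request = privateca_v1.DeleteCaPoolRequest(name=ca_pool_path)

    # Delete the CA Pool. This is a long-running operation (the generated
    # sample_delete_ca_pool in this file waits on it too); block on the result
    # so "Deleted" is only printed once the pool is actually gone and a server
    # side failure surfaces here instead of being dropped.
    operation = caServiceClient.delete_ca_pool(request=request)
    operation.result()
    print("Deleted CA Pool:", ca_pool_name)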
def list_certificates(
    project_id: str,
    location: str,
    ca_pool_name: str,
) -> None:
    """
    List Certificates present in the given CA pool.

    Args:
        project_id: project ID or project number of the Cloud project you want to use.
        location: location you want to use. For a list of locations, see:
            https://cloud.google.com/certificate-authority-service/docs/locations.
        ca_pool_name: name of the CA pool which contains the certificates to be listed.
    """
    client = privateca_v1.CertificateAuthorityServiceClient()
    pool_path = client.ca_pool_path(project_id, location, ca_pool_name)

    # Print one resource name per line.
    print(f"Available certificates in CA pool {ca_pool_name}:")
    for cert in client.list_certificates(parent=pool_path):
        print(cert.name)
def sample_activate_certificate_authority():
    """Activate a subordinate CA with a signed certificate and print the result.

    ``name_value``, ``pem_ca_certificate_value`` and
    ``certificate_authority_value`` are placeholders.
    """
    client = privateca_v1.CertificateAuthorityServiceClient()
    sub_config = privateca_v1.SubordinateConfig()
    sub_config.certificate_authority = "certificate_authority_value"
    activate_request = privateca_v1.ActivateCertificateAuthorityRequest(
        name="name_value",
        pem_ca_certificate="pem_ca_certificate_value",
        subordinate_config=sub_config,
    )
    operation = client.activate_certificate_authority(request=activate_request)
    print("Waiting for operation to complete...")
    activated = operation.result()
    print(activated)
def update_ca_pool_issuance_policy(
    project_id: str,
    location: str,
    ca_pool_name: str,
) -> None:
    """
    Update the issuance policy for a CA Pool.
    All certificates issued from this CA Pool should meet the issuance policy.

    The policy written here enables Subject and SAN passthrough and adds a
    CEL expression that only accepts DNS SANs equal to "us.google.org" or
    ending in ".google.com"; the function then reads the pool back and
    checks the two passthrough flags.

    Args:
        project_id: project ID or project number of the Cloud project you want to use.
        location: location you want to use. For a list of locations, see:
            https://cloud.google.com/certificate-authority-service/docs/locations.
        ca_pool_name: a unique name for the ca pool.
    """
    client = privateca_v1.CertificateAuthorityServiceClient()
    pool_path = client.ca_pool_path(project_id, location, ca_pool_name)

    # CEL rule applied to requested SANs: DNS names only, restricted to
    # "us.google.org" or anything ending in ".google.com".
    san_rule = expr_pb2.Expr(
        expression='subject_alt_names.all(san, san.type == DNS && (san.value == "us.google.org" || san.value.endsWith(".google.com")) )'
    )
    constraints = privateca_v1.CertificateIdentityConstraints(
        allow_subject_passthrough=True,
        allow_subject_alt_names_passthrough=True,
        cel_expression=san_rule,
    )
    pool = privateca_v1.CaPool(
        name=pool_path,
        issuance_policy=privateca_v1.CaPool.IssuancePolicy(
            identity_constraints=constraints
        ),
    )

    # The update mask names exactly the fields changed above; anything not in
    # the mask is left as-is server-side. For the path syntax see:
    # https://cloud.google.com/certificate-authority-service/docs/reference/rest/v1/projects.locations.caPools#issuancepolicy
    mask_paths = [
        "issuance_policy.identity_constraints.allow_subject_alt_names_passthrough",
        "issuance_policy.identity_constraints.allow_subject_passthrough",
        "issuance_policy.identity_constraints.cel_expression",
    ]
    update_request = privateca_v1.UpdateCaPoolRequest(
        ca_pool=pool,
        update_mask=field_mask_pb2.FieldMask(paths=mask_paths),
    )

    operation = client.update_ca_pool(request=update_request)
    print("Operation result", operation.result())

    # Read back and verify the passthrough flags; other modified fields can be
    # checked the same way.
    applied = client.get_ca_pool(name=pool_path).issuance_policy.identity_constraints
    if applied.allow_subject_passthrough and applied.allow_subject_alt_names_passthrough:
        print("CA Pool Issuance policy has been updated successfully!")
    else:
        print("Error in updating CA Pool Issuance policy! Please try again!")
def test_subordinate_certificate_authority(
    certificate_authority, capsys: typing.Any
) -> None:
    """End-to-end subordinate CA flow against the fixture's root CA.

    Creates a subordinate CA, fetches its CSR, signs the CSR with the root CA,
    activates the subordinate with the issued certificate, revokes that
    certificate, then checks the captured stdout.
    """
    csr_cert_name = generate_name()
    subordinate_ca_name = generate_name()
    ca_pool_name, root_ca_name = certificate_authority
    client = privateca_v1.CertificateAuthorityServiceClient()

    # 1. Create a Subordinate Certificate Authority.
    create_subordinate_ca(
        PROJECT,
        LOCATION,
        ca_pool_name,
        subordinate_ca_name,
        COMMON_NAME,
        ORGANIZATION,
        DOMAIN_NAME,
        CA_DURATION,
    )

    # 2. Fetch the subordinate CA's CSR.
    sub_ca_path = client.certificate_authority_path(
        PROJECT, LOCATION, ca_pool_name, subordinate_ca_name
    )
    pem_csr = client.fetch_certificate_authority_csr(name=sub_ca_path).pem_csr

    # 3. Have the root CA sign it.
    create_certificate_csr(
        PROJECT,
        LOCATION,
        ca_pool_name,
        root_ca_name,
        csr_cert_name,
        CERTIFICATE_LIFETIME,
        pem_csr,
    )

    # 4. Pull the signed certificate in PEM form.
    cert_path = client.certificate_path(PROJECT, LOCATION, ca_pool_name, csr_cert_name)
    pem_certificate = client.get_certificate(name=cert_path).pem_certificate

    # 5. Activate the subordinate with that certificate.
    activate_subordinate_ca(
        PROJECT,
        LOCATION,
        ca_pool_name,
        subordinate_ca_name,
        pem_certificate,
        root_ca_name,
    )

    # Revoke the signing certificate again before checking output.
    revoke_certificate(PROJECT, LOCATION, ca_pool_name, csr_cert_name)

    captured, _ = capsys.readouterr()
    expected_ca_name = (
        f"projects/{PROJECT}/locations/{LOCATION}/caPools/{ca_pool_name}"
        f"/certificateAuthorities/{subordinate_ca_name}"
    )
    assert re.search(f'Operation result: name: "{expected_ca_name}"', captured)
    assert "Certificate created successfully" in captured
    assert (
        f"Current state: {privateca_v1.CertificateAuthority.State.STAGED}" in captured
    )
def create_certificate_authority(
    project_id: str,
    location: str,
    ca_pool_name: str,
    ca_name: str,
    common_name: str,
    organization: str,
    ca_duration: int,
) -> None:
    """
    Create Certificate Authority which is the root CA in the given CA Pool.
    This CA will be responsible for signing certificates within this pool.

    The CA is self-signed, uses an RSA-4096 / SHA-256 signing key, and is
    limited by its X.509 key usage to certificate and CRL signing.

    Args:
        project_id: project ID or project number of the Cloud project you want to use.
        location: location you want to use. For a list of locations, see:
            https://cloud.google.com/certificate-authority-service/docs/locations.
        ca_pool_name: set it to the CA Pool under which the CA should be created.
        ca_name: unique name for the CA.
        common_name: a title for your certificate authority.
        organization: the name of your company for your certificate authority.
        ca_duration: the validity of the certificate authority in seconds.
    """
    client = privateca_v1.CertificateAuthorityServiceClient()

    # Signing algorithm for the Cloud KMS key backing this CA.
    signing_algorithm = (
        privateca_v1.CertificateAuthority.SignHashAlgorithm.RSA_PKCS1_4096_SHA256
    )
    key_spec = privateca_v1.CertificateAuthority.KeyVersionSpec(
        algorithm=signing_algorithm
    )

    # CA subject.
    subject = privateca_v1.Subject(common_name=common_name, organization=organization)
    subject_config = privateca_v1.CertificateConfig.SubjectConfig(subject=subject)

    # X.509 profile: CA flag set, key usable only for cert and CRL signing.
    ca_key_usage = privateca_v1.KeyUsage(
        base_key_usage=privateca_v1.KeyUsage.KeyUsageOptions(
            crl_sign=True,
            cert_sign=True,
        )
    )
    x509_config = privateca_v1.X509Parameters(
        key_usage=ca_key_usage,
        ca_options=privateca_v1.X509Parameters.CaOptions(is_ca=True),
    )

    # SELF_SIGNED marks this as a root CA.
    authority = privateca_v1.CertificateAuthority(
        type_=privateca_v1.CertificateAuthority.Type.SELF_SIGNED,
        key_spec=key_spec,
        config=privateca_v1.CertificateConfig(
            subject_config=subject_config,
            x509_config=x509_config,
        ),
        lifetime=duration_pb2.Duration(seconds=ca_duration),
    )

    create_request = privateca_v1.CreateCertificateAuthorityRequest(
        parent=client.ca_pool_path(project_id, location, ca_pool_name),
        certificate_authority_id=ca_name,
        certificate_authority=authority,
    )

    # Long-running operation; wait for it and print the outcome.
    operation = client.create_certificate_authority(request=create_request)
    print("Operation result:", operation.result())