Class: Google::Cloud::Security::PrivateCA::V1::CaPool
Inherits: Object
- Object
- Google::Cloud::Security::PrivateCA::V1::CaPool
Extended by: Protobuf::MessageExts::ClassMethods
Includes: Protobuf::MessageExts
Defined in: proto_docs/google/cloud/security/privateca/v1/resources.rb
Overview
A CaPool represents a group of CertificateAuthorities that form a trust anchor. A CaPool can be used to manage issuance policies for one or more CertificateAuthority resources and to rotate CA certificates in and out of the trust anchor.
Defined Under Namespace
Modules: Tier
Classes: IssuancePolicy, LabelsEntry, PublishingOptions
Instance Attribute Summary
- #issuance_policy ⇒ ::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy
  Optional.
- #labels ⇒ ::Google::Protobuf::Map{::String => ::String}
  Optional.
- #name ⇒ ::String
  Identifier.
- #publishing_options ⇒ ::Google::Cloud::Security::PrivateCA::V1::CaPool::PublishingOptions
  Optional.
- #tier ⇒ ::Google::Cloud::Security::PrivateCA::V1::CaPool::Tier
  Required.
Instance Attribute Details
#issuance_policy ⇒ ::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy
Returns Optional. The IssuancePolicy to control how Certificates will be issued from this CaPool.
# File 'proto_docs/google/cloud/security/privateca/v1/resources.rb', line 363

class CaPool
  include ::Google::Protobuf::MessageExts
  extend ::Google::Protobuf::MessageExts::ClassMethods

  # Options relating to the publication of each
  # {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}'s
  # CA certificate and CRLs and their inclusion as extensions in issued
  # {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates}. The options
  # set here apply to certificates issued by any
  # {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}
  # in the {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
  # @!attribute [rw] publish_ca_cert
  #   @return [::Boolean]
  #     Optional. When true, publishes each
  #     {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}'s
  #     CA certificate and includes its URL in the "Authority Information Access"
  #     X.509 extension in all issued
  #     {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates}. If this
  #     is false, the CA certificate will not be published and the corresponding
  #     X.509 extension will not be written in issued certificates.
  # @!attribute [rw] publish_crl
  #   @return [::Boolean]
  #     Optional. When true, publishes each
  #     {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}'s
  #     CRL and includes its URL in the "CRL Distribution Points" X.509 extension
  #     in all issued
  #     {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates}. If this
  #     is false, CRLs will not be published and the corresponding X.509
  #     extension will not be written in issued certificates. CRLs will expire 7
  #     days from their creation. However, we will rebuild daily. CRLs are also
  #     rebuilt shortly after a certificate is revoked.
  # @!attribute [rw] encoding_format
  #   @return [::Google::Cloud::Security::PrivateCA::V1::CaPool::PublishingOptions::EncodingFormat]
  #     Optional. Specifies the encoding format of each
  #     {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}
  #     resource's CA certificate and CRLs. If this is omitted, CA certificates
  #     and CRLs will be published in PEM.
  class PublishingOptions
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods

    # Supported encoding formats for publishing.
    module EncodingFormat
      # Not specified. By default, PEM format will be used.
      ENCODING_FORMAT_UNSPECIFIED = 0

      # The
      # {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}'s
      # CA certificate and CRLs will be published in PEM format.
      PEM = 1

      # The
      # {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}'s
      # CA certificate and CRLs will be published in DER format.
      DER = 2
    end
  end

  # Defines controls over all certificate issuance within a
  # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
  # @!attribute [rw] allowed_key_types
  #   @return [::Array<::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::AllowedKeyType>]
  #     Optional. If any
  #     {::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::AllowedKeyType AllowedKeyType}
  #     is specified, then the certificate request's public key must match one of
  #     the key types listed here. Otherwise, any key may be used.
  # @!attribute [rw] backdate_duration
  #   @return [::Google::Protobuf::Duration]
  #     Optional. The duration to backdate all certificates issued from this
  #     {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}. If not set, the
  #     certificates will be issued with a not_before_time of the issuance time
  #     (i.e. the current time). If set, the certificates will be issued with a
  #     not_before_time of the issuance time minus the backdate_duration. The
  #     not_after_time will be adjusted to preserve the requested lifetime. The
  #     backdate_duration must be less than or equal to 48 hours.
  # @!attribute [rw] maximum_lifetime
  #   @return [::Google::Protobuf::Duration]
  #     Optional. The maximum lifetime allowed for issued
  #     {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates}. Note that
  #     if the issuing
  #     {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}
  #     expires before a
  #     {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} resource's
  #     requested maximum_lifetime, the effective lifetime will be explicitly
  #     truncated to match it.
  # @!attribute [rw] allowed_issuance_modes
  #   @return [::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::IssuanceModes]
  #     Optional. If specified, then only methods allowed in the
  #     {::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::IssuanceModes IssuanceModes}
  #     may be used to issue
  #     {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates}.
  # @!attribute [rw] baseline_values
  #   @return [::Google::Cloud::Security::PrivateCA::V1::X509Parameters]
  #     Optional. A set of X.509 values that will be applied to all certificates
  #     issued through this {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
  #     If a certificate request includes conflicting values for the same
  #     properties, they will be overwritten by the values defined here. If a
  #     certificate request uses a
  #     {::Google::Cloud::Security::PrivateCA::V1::CertificateTemplate CertificateTemplate}
  #     that defines conflicting
  #     {::Google::Cloud::Security::PrivateCA::V1::CertificateTemplate#predefined_values predefined_values}
  #     for the same properties, the certificate issuance request will fail.
  # @!attribute [rw] identity_constraints
  #   @return [::Google::Cloud::Security::PrivateCA::V1::CertificateIdentityConstraints]
  #     Optional. Describes constraints on identities that may appear in
  #     {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates} issued
  #     through this {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}. If this
  #     is omitted, then this {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}
  #     will not add restrictions on a certificate's identity.
  # @!attribute [rw] passthrough_extensions
  #   @return [::Google::Cloud::Security::PrivateCA::V1::CertificateExtensionConstraints]
  #     Optional. Describes the set of X.509 extensions that may appear in a
  #     {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} issued
  #     through this {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}. If a
  #     certificate request sets extensions that don't appear in the
  #     {::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy#passthrough_extensions passthrough_extensions},
  #     those extensions will be dropped. If a certificate request uses a
  #     {::Google::Cloud::Security::PrivateCA::V1::CertificateTemplate CertificateTemplate}
  #     with
  #     {::Google::Cloud::Security::PrivateCA::V1::CertificateTemplate#predefined_values predefined_values}
  #     that don't appear here, the certificate issuance request will fail. If
  #     this is omitted, then this
  #     {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool} will not add
  #     restrictions on a certificate's X.509 extensions. These constraints do
  #     not apply to X.509 extensions set in this
  #     {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}'s
  #     {::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy#baseline_values baseline_values}.
  class IssuancePolicy
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods

    # Describes a "type" of key that may be used in a
    # {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} issued from
    # a {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}. Note that a single
    # {::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::AllowedKeyType AllowedKeyType}
    # may refer to either a fully-qualified key algorithm, such as RSA 4096, or
    # a family of key algorithms, such as any RSA key.
    # @!attribute [rw] rsa
    #   @return [::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::AllowedKeyType::RsaKeyType]
    #     Represents an allowed RSA key type.
    #
    #     Note: The following fields are mutually exclusive: `rsa`, `elliptic_curve`. If a field in that set is populated, all other fields in the set will automatically be cleared.
    # @!attribute [rw] elliptic_curve
    #   @return [::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::AllowedKeyType::EcKeyType]
    #     Represents an allowed Elliptic Curve key type.
    #
    #     Note: The following fields are mutually exclusive: `elliptic_curve`, `rsa`. If a field in that set is populated, all other fields in the set will automatically be cleared.
    class AllowedKeyType
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods

      # Describes an RSA key that may be used in a
      # {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} issued
      # from a {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
      # @!attribute [rw] min_modulus_size
      #   @return [::Integer]
      #     Optional. The minimum allowed RSA modulus size (inclusive), in bits.
      #     If this is not set, or if set to zero, the service-level min RSA
      #     modulus size will continue to apply.
      # @!attribute [rw] max_modulus_size
      #   @return [::Integer]
      #     Optional. The maximum allowed RSA modulus size (inclusive), in bits.
      #     If this is not set, or if set to zero, the service will not enforce
      #     an explicit upper bound on RSA modulus sizes.
      class RsaKeyType
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods
      end

      # Describes an Elliptic Curve key that may be used in a
      # {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} issued
      # from a {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
      # @!attribute [rw] signature_algorithm
      #   @return [::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::AllowedKeyType::EcKeyType::EcSignatureAlgorithm]
      #     Optional. A signature algorithm that must be used. If this is
      #     omitted, any EC-based signature algorithm will be allowed.
      class EcKeyType
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods

        # Describes an elliptic curve-based signature algorithm that may be
        # used in a
        # {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} issued
        # from a {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
        module EcSignatureAlgorithm
          # Not specified. Signifies that any signature algorithm may be used.
          EC_SIGNATURE_ALGORITHM_UNSPECIFIED = 0

          # Refers to the Elliptic Curve Digital Signature Algorithm over the
          # NIST P-256 curve.
          ECDSA_P256 = 1

          # Refers to the Elliptic Curve Digital Signature Algorithm over the
          # NIST P-384 curve.
          ECDSA_P384 = 2

          # Refers to the Edwards-curve Digital Signature Algorithm over curve
          # 25519, as described in RFC 8410.
          EDDSA_25519 = 3
        end
      end
    end

    # {::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::IssuanceModes IssuanceModes}
    # specifies the allowed ways in which
    # {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates} may be
    # requested from this {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
    # @!attribute [rw] allow_csr_based_issuance
    #   @return [::Boolean]
    #     Optional. When true, allows callers to create
    #     {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates} by
    #     specifying a CSR.
    # @!attribute [rw] allow_config_based_issuance
    #   @return [::Boolean]
    #     Optional. When true, allows callers to create
    #     {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates} by
    #     specifying a
    #     {::Google::Cloud::Security::PrivateCA::V1::CertificateConfig CertificateConfig}.
    class IssuanceModes
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods
    end
  end

  # @!attribute [rw] key
  #   @return [::String]
  # @!attribute [rw] value
  #   @return [::String]
  class LabelsEntry
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # The tier of a {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool},
  # indicating its supported functionality and/or billing SKU.
  module Tier
    # Not specified.
    TIER_UNSPECIFIED = 0

    # Enterprise tier.
    ENTERPRISE = 1

    # DevOps tier.
    DEVOPS = 2
  end
end
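An added example (not part of the generated reference or of the client library): a plain-Ruby audit that flags the permissive defaults the field descriptions above spell out, such as "any key may be used" when allowed_key_types is empty. It assumes the pool is supplied as a Hash shaped like the message's `to_h` output (enum values as Symbols, Durations as `{seconds:, nanos:}`); `audit_ca_pool`, `min_rsa_bits` and both sample pools are constructed for illustration.

```ruby
# Added example: audit a CaPool given as a Hash (assumed to_h-style shape).
MAX_BACKDATE_SECONDS = 48 * 3600 # documented upper bound for backdate_duration

def duration_seconds(duration)
  duration.nil? ? nil : duration[:seconds].to_i
end

# Returns [[code, message], ...]. min_rsa_bits is this example's own floor,
# chosen by the auditor; it is not a value defined by the service.
def audit_ca_pool(pool, min_rsa_bits: 3072)
  findings = []
  add = ->(code, msg) { findings << [code, msg] }

  pub = pool[:publishing_options] || {}
  add.(:crl_not_published, "publish_crl is off: no CRL Distribution Points extension") unless pub[:publish_crl]
  add.(:ca_cert_not_published, "publish_ca_cert is off: no Authority Information Access extension") unless pub[:publish_ca_cert]

  policy = pool[:issuance_policy]
  if policy.nil?
    add.(:no_issuance_policy, "issuance_policy is unset: the pool adds no issuance controls")
    return findings
  end

  key_types = policy[:allowed_key_types] || []
  add.(:any_key_type, "allowed_key_types is empty: any key may be used") if key_types.empty?
  key_types.each do |kt|
    # rsa and elliptic_curve are mutually exclusive, so at most one is present.
    if (rsa = kt[:rsa])
      min = rsa[:min_modulus_size].to_i
      if min.zero?
        add.(:rsa_min_service_default, "RSA min_modulus_size unset: only the service-level minimum applies")
      elsif min < min_rsa_bits
        add.(:rsa_min_too_small, "RSA min_modulus_size #{min} is below the required #{min_rsa_bits} bits")
      end
    elsif (ec = kt[:elliptic_curve])
      alg = ec[:signature_algorithm]
      if alg.nil? || alg == :EC_SIGNATURE_ALGORITHM_UNSPECIFIED
        add.(:any_ec_algorithm, "EC signature_algorithm unset: any EC-based algorithm is allowed")
      end
    end
  end

  backdate = duration_seconds(policy[:backdate_duration])
  if backdate && backdate > MAX_BACKDATE_SECONDS
    add.(:backdate_too_long, "backdate_duration #{backdate}s exceeds the 48 hour limit")
  end
  if duration_seconds(policy[:maximum_lifetime]).to_i.zero?
    add.(:no_maximum_lifetime, "maximum_lifetime is unset: the pool sets no lifetime cap")
  end

  # Optional sub-messages whose absence means "no restriction from this pool".
  {
    allowed_issuance_modes: [:issuance_modes_unrestricted, "the pool does not restrict CSR or config based issuance"],
    identity_constraints: [:no_identity_constraints, "the pool adds no restrictions on a certificate's identity"],
    passthrough_extensions: [:no_extension_constraints, "the pool adds no restrictions on X.509 extensions"]
  }.each do |field, (code, msg)|
    add.(code, "#{field} is unset: #{msg}") if policy[field].nil?
  end
  findings
end

def finding_codes(pool, **opts)
  audit_ca_pool(pool, **opts).map(&:first)
end

# Constructed sample: a pool that leans on the permissive defaults.
LAX_POOL = {
  name: "projects/example-project/locations/us-central1/caPools/example-pool",
  tier: :DEVOPS,
  publishing_options: { publish_ca_cert: true, publish_crl: false },
  issuance_policy: {
    allowed_key_types: [
      { rsa: { min_modulus_size: 0 } },
      { elliptic_curve: { signature_algorithm: :EC_SIGNATURE_ALGORITHM_UNSPECIFIED } }
    ],
    backdate_duration: { seconds: 72 * 3600, nanos: 0 }
  }
}.freeze

# Constructed sample: every documented control is set explicitly.
HARDENED_POOL = {
  name: "projects/example-project/locations/us-central1/caPools/example-pool",
  tier: :ENTERPRISE,
  publishing_options: { publish_ca_cert: true, publish_crl: true },
  issuance_policy: {
    allowed_key_types: [
      { rsa: { min_modulus_size: 3072, max_modulus_size: 4096 } },
      { elliptic_curve: { signature_algorithm: :ECDSA_P384 } }
    ],
    backdate_duration: { seconds: 300, nanos: 0 },
    maximum_lifetime: { seconds: 90 * 86_400, nanos: 0 },
    allowed_issuance_modes: { allow_csr_based_issuance: true, allow_config_based_issuance: false },
    identity_constraints: { allow_subject_passthrough: false, allow_subject_alt_names_passthrough: true },
    passthrough_extensions: { known_extensions: [:BASE_KEY_USAGE] }
  }
}.freeze

audit_ca_pool(LAX_POOL).each { |code, msg| puts "#{code}: #{msg}" } if __FILE__ == $PROGRAM_NAME
```
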
#labels ⇒ ::Google::Protobuf::Map{::String => ::String}
Returns Optional. Labels with user-defined metadata.
#name ⇒ ::String
Returns Identifier. The resource name for this CaPool in the format projects/*/locations/*/caPools/*.
# @!attribute [rw] rsa # @return [::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::AllowedKeyType::RsaKeyType] # Represents an allowed RSA key type. # # Note: The following fields are mutually exclusive: `rsa`, `elliptic_curve`. If a field in that set is populated, all other fields in the set will automatically be cleared. # @!attribute [rw] elliptic_curve # @return [::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::AllowedKeyType::EcKeyType] # Represents an allowed Elliptic Curve key type. # # Note: The following fields are mutually exclusive: `elliptic_curve`, `rsa`. If a field in that set is populated, all other fields in the set will automatically be cleared. class AllowedKeyType include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods # Describes an RSA key that may be used in a # {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} issued # from a {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}. # @!attribute [rw] min_modulus_size # @return [::Integer] # Optional. The minimum allowed RSA modulus size (inclusive), in bits. # If this is not set, or if set to zero, the service-level min RSA # modulus size will continue to apply. # @!attribute [rw] max_modulus_size # @return [::Integer] # Optional. The maximum allowed RSA modulus size (inclusive), in bits. # If this is not set, or if set to zero, the service will not enforce # an explicit upper bound on RSA modulus sizes. class RsaKeyType include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods end # Describes an Elliptic Curve key that may be used in a # {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} issued # from a {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}. # @!attribute [rw] signature_algorithm # @return [::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::AllowedKeyType::EcKeyType::EcSignatureAlgorithm] # Optional. 
A signature algorithm that must be used. If this is # omitted, any EC-based signature algorithm will be allowed. class EcKeyType include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods # Describes an elliptic curve-based signature algorithm that may be # used in a # {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} issued # from a {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}. module EcSignatureAlgorithm # Not specified. Signifies that any signature algorithm may be used. EC_SIGNATURE_ALGORITHM_UNSPECIFIED = 0 # Refers to the Elliptic Curve Digital Signature Algorithm over the # NIST P-256 curve. ECDSA_P256 = 1 # Refers to the Elliptic Curve Digital Signature Algorithm over the # NIST P-384 curve. ECDSA_P384 = 2 # Refers to the Edwards-curve Digital Signature Algorithm over curve # 25519, as described in RFC 8410. EDDSA_25519 = 3 end end end # {::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::IssuanceModes IssuanceModes} # specifies the allowed ways in which # {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates} may be # requested from this {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}. # @!attribute [rw] allow_csr_based_issuance # @return [::Boolean] # Optional. When true, allows callers to create # {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates} by # specifying a CSR. # @!attribute [rw] allow_config_based_issuance # @return [::Boolean] # Optional. When true, allows callers to create # {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates} by # specifying a # {::Google::Cloud::Security::PrivateCA::V1::CertificateConfig CertificateConfig}. 
class IssuanceModes include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods end end # @!attribute [rw] key # @return [::String] # @!attribute [rw] value # @return [::String] class LabelsEntry include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods end # The tier of a {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}, # indicating its supported functionality and/or billing SKU. module Tier # Not specified. TIER_UNSPECIFIED = 0 # Enterprise tier. ENTERPRISE = 1 # DevOps tier. DEVOPS = 2 end end |
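Several fields in the listing above mean "no restriction" when left unset. The following added example (not part of the generated client library) lints a CaPool given as a plain Hash keyed by those field names; the Hash shape, both sample pools, the inner values of `identity_constraints` and `passthrough_extensions`, and the 2048-bit RSA floor are assumptions made for illustration.

```ruby
# Added example: flag CaPool settings that fall back to permissive defaults.
# The pool is a plain Hash (assumed shape) keyed by the documented field names.

MAX_BACKDATE_SECONDS = 48 * 3600 # backdate_duration must be <= 48 hours

# Policy fields whose omission means the pool adds no restriction of that kind.
OPEN_WHEN_OMITTED = {
  identity_constraints: "omitted: the pool adds no restrictions on a certificate's identity",
  passthrough_extensions: "omitted: the pool adds no restrictions on X.509 extensions",
  allowed_issuance_modes: "not set: issuance methods are not restricted by the pool"
}.freeze

# Durations are assumed to be { seconds: n } hashes; nil means unset.
def duration_seconds(duration)
  duration.nil? ? 0 : duration.fetch(:seconds, 0).to_i
end

# One finding per allowed key type that leaves key strength unconstrained.
def audit_key_types(policy, rsa_floor_bits)
  types = policy[:allowed_key_types]
  if types.nil? || types.empty?
    return [["issuance_policy.allowed_key_types", "not set: any key may be used"]]
  end

  findings = []
  types.each_with_index do |type, i|
    path = "issuance_policy.allowed_key_types[#{i}]"
    if (rsa = type[:rsa]) # an empty Hash means "any RSA key"
      min = rsa[:min_modulus_size].to_i
      if min.zero?
        findings << ["#{path}.rsa.min_modulus_size",
                     "unset or zero: only the service-level minimum applies"]
      elsif min < rsa_floor_bits
        findings << ["#{path}.rsa.min_modulus_size",
                     "#{min} bits is below the local floor of #{rsa_floor_bits}"]
      end
    elsif (ec = type[:elliptic_curve])
      alg = ec[:signature_algorithm]
      if alg.nil? || alg == :EC_SIGNATURE_ALGORITHM_UNSPECIFIED
        findings << ["#{path}.elliptic_curve.signature_algorithm",
                     "unspecified: any EC-based signature algorithm is allowed"]
      end
    end
  end
  findings
end

# Returns [field_path, message] pairs; an empty array means nothing was flagged.
# rsa_floor_bits is a local policy choice (assumption), not a service value.
def audit_ca_pool(pool, rsa_floor_bits: 2048)
  findings = []
  publishing = pool[:publishing_options] || {}
  unless publishing[:publish_crl]
    findings << ["publishing_options.publish_crl",
                 "false: no CRL published, no CRL Distribution Points extension"]
  end
  unless publishing[:publish_ca_cert]
    findings << ["publishing_options.publish_ca_cert",
                 "false: CA certificate not published, no Authority Information Access extension"]
  end

  policy = pool[:issuance_policy]
  return findings << ["issuance_policy", "not set: no pool-level issuance policy"] if policy.nil?

  findings.concat(audit_key_types(policy, rsa_floor_bits))
  if duration_seconds(policy[:maximum_lifetime]).zero?
    findings << ["issuance_policy.maximum_lifetime", "not set: no pool-level lifetime cap"]
  end
  if duration_seconds(policy[:backdate_duration]) > MAX_BACKDATE_SECONDS
    findings << ["issuance_policy.backdate_duration", "exceeds the 48 hour limit"]
  end
  OPEN_WHEN_OMITTED.each do |field, message|
    findings << ["issuance_policy.#{field}", message] if policy[field].nil?
  end
  findings
end

# Constructed sample: a pool that relies on defaults almost everywhere.
PERMISSIVE_POOL = {
  tier: :DEVOPS,
  publishing_options: { publish_ca_cert: true, publish_crl: false },
  issuance_policy: {
    allowed_key_types: [{ rsa: {} }, { elliptic_curve: {} }],
    backdate_duration: { seconds: 72 * 3600 }
  }
}.freeze

# Constructed sample: every pool-level control is set explicitly.
HARDENED_POOL = {
  tier: :ENTERPRISE,
  publishing_options: { publish_ca_cert: true, publish_crl: true, encoding_format: :PEM },
  issuance_policy: {
    allowed_key_types: [{ rsa: { min_modulus_size: 3072, max_modulus_size: 4096 } },
                        { elliptic_curve: { signature_algorithm: :ECDSA_P384 } }],
    maximum_lifetime: { seconds: 90 * 24 * 3600 },
    backdate_duration: { seconds: 300 },
    allowed_issuance_modes: { allow_csr_based_issuance: true, allow_config_based_issuance: false },
    identity_constraints: { allow_subject_passthrough: false,
                            allow_subject_alt_names_passthrough: true },
    passthrough_extensions: { known_extensions: [:EXTENDED_KEY_USAGE] }
  }
}.freeze

audit_ca_pool(PERMISSIVE_POOL).each { |path, msg| puts "#{path}: #{msg}" }
```

The auditor only checks whether each control is present; whether the values inside `identity_constraints` or `passthrough_extensions` are strict enough for a given deployment still needs review.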
#publishing_options ⇒ ::Google::Cloud::Security::PrivateCA::V1::CaPool::PublishingOptions
Returns Optional. The PublishingOptions to follow when issuing Certificates from any CertificateAuthority in this CaPool.
#tier ⇒ ::Google::Cloud::Security::PrivateCA::V1::CaPool::Tier
363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 382 383 384 385 386 387 388 389 390 391 392 393 394 395 396 397 398 399 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 419 420 421 422 423 424 425 426 427 428 429 430 431 432 433 434 435 436 437 438 439 440 441 442 443 444 445 446 447 448 449 450 451 452 453 454 455 456 457 458 459 460 461 462 463 464 465 466 467 468 469 470 471 472 473 474 475 476 477 478 479 480 481 482 483 484 485 486 487 488 489 490 491 492 493 494 495 496 497 498 499 500 501 502 503 504 505 506 507 508 509 510 511 512 513 514 515 516 517 518 519 520 521 522 523 524 525 526 527 528 529 530 531 532 533 534 535 536 537 538 539 540 541 542 543 544 545 546 547 548 549 550 551 552 553 554 555 556 557 558 559 560 561 562 563 564 565 566 567 568 569 570 571 572 573 574 575 576 577 578 579 580 581 582 583 584 585 586 587 588 589 590 591 592 593 594 595 596 597 598 599 600 601 602 603 604 605 606 607 608 |
# File 'proto_docs/google/cloud/security/privateca/v1/resources.rb', line 363 class CaPool include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods # Options relating to the publication of each # {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}'s # CA certificate and CRLs and their inclusion as extensions in issued # {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates}. The options # set here apply to certificates issued by any # {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority} # in the {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}. # @!attribute [rw] publish_ca_cert # @return [::Boolean] # Optional. When true, publishes each # {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}'s # CA certificate and includes its URL in the "Authority Information Access" # X.509 extension in all issued # {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates}. If this # is false, the CA certificate will not be published and the corresponding # X.509 extension will not be written in issued certificates. # @!attribute [rw] publish_crl # @return [::Boolean] # Optional. When true, publishes each # {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}'s # CRL and includes its URL in the "CRL Distribution Points" X.509 extension # in all issued # {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates}. If this # is false, CRLs will not be published and the corresponding X.509 # extension will not be written in issued certificates. CRLs will expire 7 # days from their creation. However, we will rebuild daily. CRLs are also # rebuilt shortly after a certificate is revoked. # @!attribute [rw] encoding_format # @return [::Google::Cloud::Security::PrivateCA::V1::CaPool::PublishingOptions::EncodingFormat] # Optional. 
Specifies the encoding format of each # {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority} # resource's CA certificate and CRLs. If this is omitted, CA certificates # and CRLs will be published in PEM. class PublishingOptions include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods # Supported encoding formats for publishing. module EncodingFormat # Not specified. By default, PEM format will be used. ENCODING_FORMAT_UNSPECIFIED = 0 # The # {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}'s # CA certificate and CRLs will be published in PEM format. PEM = 1 # The # {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority}'s # CA certificate and CRLs will be published in DER format. DER = 2 end end # Defines controls over all certificate issuance within a # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}. # @!attribute [rw] allowed_key_types # @return [::Array<::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::AllowedKeyType>] # Optional. If any # {::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::AllowedKeyType AllowedKeyType} # is specified, then the certificate request's public key must match one of # the key types listed here. Otherwise, any key may be used. # @!attribute [rw] backdate_duration # @return [::Google::Protobuf::Duration] # Optional. The duration to backdate all certificates issued from this # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}. If not set, the # certificates will be issued with a not_before_time of the issuance time # (i.e. the current time). If set, the certificates will be issued with a # not_before_time of the issuance time minus the backdate_duration. The # not_after_time will be adjusted to preserve the requested lifetime. The # backdate_duration must be less than or equal to 48 hours. 
# @!attribute [rw] maximum_lifetime # @return [::Google::Protobuf::Duration] # Optional. The maximum lifetime allowed for issued # {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates}. Note that # if the issuing # {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthority CertificateAuthority} # expires before a # {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} resource's # requested maximum_lifetime, the effective lifetime will be explicitly # truncated to match it. # @!attribute [rw] allowed_issuance_modes # @return [::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::IssuanceModes] # Optional. If specified, then only methods allowed in the # {::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::IssuanceModes IssuanceModes} # may be used to issue # {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates}. # @!attribute [rw] baseline_values # @return [::Google::Cloud::Security::PrivateCA::V1::X509Parameters] # Optional. A set of X.509 values that will be applied to all certificates # issued through this {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}. # If a certificate request includes conflicting values for the same # properties, they will be overwritten by the values defined here. If a # certificate request uses a # {::Google::Cloud::Security::PrivateCA::V1::CertificateTemplate CertificateTemplate} # that defines conflicting # {::Google::Cloud::Security::PrivateCA::V1::CertificateTemplate#predefined_values predefined_values} # for the same properties, the certificate issuance request will fail. # @!attribute [rw] identity_constraints # @return [::Google::Cloud::Security::PrivateCA::V1::CertificateIdentityConstraints] # Optional. Describes constraints on identities that may appear in # {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates} issued # through this {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}. 
If this
  #     is omitted, then this {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}
  #     will not add restrictions on a certificate's identity.
  # @!attribute [rw] passthrough_extensions
  #   @return [::Google::Cloud::Security::PrivateCA::V1::CertificateExtensionConstraints]
  #     Optional. Describes the set of X.509 extensions that may appear in a
  #     {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} issued
  #     through this {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}. If a
  #     certificate request sets extensions that don't appear in the
  #     {::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy#passthrough_extensions passthrough_extensions},
  #     those extensions will be dropped. If a certificate request uses a
  #     {::Google::Cloud::Security::PrivateCA::V1::CertificateTemplate CertificateTemplate}
  #     with
  #     {::Google::Cloud::Security::PrivateCA::V1::CertificateTemplate#predefined_values predefined_values}
  #     that don't appear here, the certificate issuance request will fail. If
  #     this is omitted, then this
  #     {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool} will not add
  #     restrictions on a certificate's X.509 extensions. These constraints do
  #     not apply to X.509 extensions set in this
  #     {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}'s
  #     {::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy#baseline_values baseline_values}.
  class IssuancePolicy
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods

    # Describes a "type" of key that may be used in a
    # {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} issued from
    # a {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}. Note that a single
    # {::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::AllowedKeyType AllowedKeyType}
    # may refer to either a fully-qualified key algorithm, such as RSA 4096, or
    # a family of key algorithms, such as any RSA key.
    # @!attribute [rw] rsa
    #   @return [::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::AllowedKeyType::RsaKeyType]
    #     Represents an allowed RSA key type.
    #
    #     Note: The following fields are mutually exclusive: `rsa`, `elliptic_curve`. If a field in that set is populated, all other fields in the set will automatically be cleared.
    # @!attribute [rw] elliptic_curve
    #   @return [::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::AllowedKeyType::EcKeyType]
    #     Represents an allowed Elliptic Curve key type.
    #
    #     Note: The following fields are mutually exclusive: `elliptic_curve`, `rsa`. If a field in that set is populated, all other fields in the set will automatically be cleared.
    class AllowedKeyType
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods

      # Describes an RSA key that may be used in a
      # {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} issued
      # from a {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
      # @!attribute [rw] min_modulus_size
      #   @return [::Integer]
      #     Optional. The minimum allowed RSA modulus size (inclusive), in bits.
      #     If this is not set, or if set to zero, the service-level min RSA
      #     modulus size will continue to apply.
      # @!attribute [rw] max_modulus_size
      #   @return [::Integer]
      #     Optional. The maximum allowed RSA modulus size (inclusive), in bits.
      #     If this is not set, or if set to zero, the service will not enforce
      #     an explicit upper bound on RSA modulus sizes.
      class RsaKeyType
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods
      end

      # Describes an Elliptic Curve key that may be used in a
      # {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} issued
      # from a {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
      # @!attribute [rw] signature_algorithm
      #   @return [::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::AllowedKeyType::EcKeyType::EcSignatureAlgorithm]
      #     Optional. A signature algorithm that must be used. If this is
      #     omitted, any EC-based signature algorithm will be allowed.
      class EcKeyType
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods

        # Describes an elliptic curve-based signature algorithm that may be
        # used in a
        # {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} issued
        # from a {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
        module EcSignatureAlgorithm
          # Not specified. Signifies that any signature algorithm may be used.
          EC_SIGNATURE_ALGORITHM_UNSPECIFIED = 0

          # Refers to the Elliptic Curve Digital Signature Algorithm over the
          # NIST P-256 curve.
          ECDSA_P256 = 1

          # Refers to the Elliptic Curve Digital Signature Algorithm over the
          # NIST P-384 curve.
          ECDSA_P384 = 2

          # Refers to the Edwards-curve Digital Signature Algorithm over curve
          # 25519, as described in RFC 8410.
          EDDSA_25519 = 3
        end
      end
    end

    # {::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::IssuanceModes IssuanceModes}
    # specifies the allowed ways in which
    # {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates} may be
    # requested from this {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
    # @!attribute [rw] allow_csr_based_issuance
    #   @return [::Boolean]
    #     Optional. When true, allows callers to create
    #     {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates} by
    #     specifying a CSR.
    # @!attribute [rw] allow_config_based_issuance
    #   @return [::Boolean]
    #     Optional. When true, allows callers to create
    #     {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates} by
    #     specifying a
    #     {::Google::Cloud::Security::PrivateCA::V1::CertificateConfig CertificateConfig}.
    class IssuanceModes
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods
    end
  end

  # @!attribute [rw] key
  #   @return [::String]
  # @!attribute [rw] value
  #   @return [::String]
  class LabelsEntry
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # The tier of a {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool},
  # indicating its supported functionality and/or billing SKU.
  module Tier
    # Not specified.
    TIER_UNSPECIFIED = 0

    # Enterprise tier.
    ENTERPRISE = 1

    # DevOps tier.
    DEVOPS = 2
  end
end
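The AllowedKeyType matching rules documented in the comments above (inclusive RSA bounds, zero meaning unset, an unspecified EC algorithm allowing any), modelled locally as an added example that is not part of the generated library. Plain hashes stand in for the protobuf messages; `key_allowed?`, `service_min` and the sample policy are assumptions made for illustration.

```ruby
# Added example: local model of the documented AllowedKeyType rules.
# Nothing here calls the Private CA service.

EC_ANY = :EC_SIGNATURE_ALGORITHM_UNSPECIFIED

# rule: { min_modulus_size:, max_modulus_size: }, both optional, 0 == unset.
# Assumption: service_min comes from the caller (this page gives no value)
# and keeps applying even when min_modulus_size is set lower.
def rsa_allowed?(rule, bits, service_min:)
  floor = [rule.fetch(:min_modulus_size, 0), service_min].max
  ceiling = rule.fetch(:max_modulus_size, 0)
  return false if bits < floor       # lower bound is inclusive
  ceiling.zero? || bits <= ceiling   # zero means no explicit upper bound
end

# rule: { signature_algorithm: }; omitted or UNSPECIFIED allows any EC algorithm.
def ec_allowed?(rule, algorithm)
  required = rule.fetch(:signature_algorithm, EC_ANY)
  required == EC_ANY || required == algorithm
end

# allowed_key_types: array of { rsa: {...} } or { elliptic_curve: {...} }.
# key: { type: :rsa, bits: Integer } or { type: :ec, algorithm: Symbol }.
def key_allowed?(allowed_key_types, key, service_min:)
  # With no AllowedKeyType listed, the pool does not restrict key types.
  return true if allowed_key_types.empty?

  allowed_key_types.any? do |entry|
    # The real message clears the other oneof field; this model rejects
    # ambiguous input instead of guessing which one was meant.
    one_set = entry.key?(:rsa) ^ entry.key?(:elliptic_curve)
    raise ArgumentError, "set exactly one of rsa or elliptic_curve" unless one_set

    if entry.key?(:rsa)
      key[:type] == :rsa && rsa_allowed?(entry[:rsa], key[:bits], service_min: service_min)
    else
      key[:type] == :ec && ec_allowed?(entry[:elliptic_curve], key[:algorithm])
    end
  end
end

# Constructed sample policy: RSA 3072..4096 bits, or ECDSA P-384 only.
SAMPLE_POLICY = [
  { rsa: { min_modulus_size: 3072, max_modulus_size: 4096 } },
  { elliptic_curve: { signature_algorithm: :ECDSA_P384 } }
].freeze
```

An entry such as `{ rsa: {} }` admits every RSA size at or above the service floor, so a pool meant to pin key strength needs explicit bounds.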