googleapis · ohmayr · Mar 12, 2024 · Mar 12, 2024 · Mar 12, 2024
@@ -2891,10 +2891,8 @@ async def fetch_ca_certs(
     ) -> service.FetchCaCertsResponse:
         r"""FetchCaCerts returns the current trust anchor for the
         [CaPool][google.cloud.security.privateca.v1.CaPool]. This will
-        include CA certificate chains for all ACTIVE
-        [CertificateAuthority][google.cloud.security.privateca.v1.CertificateAuthority]
-        resources in the
-        [CaPool][google.cloud.security.privateca.v1.CaPool].
+        include CA certificate chains for all Certificate Authorities in
+        the ENABLED, DISABLED, or STAGED states.
 
         .. code-block:: python
 

@@ -3395,10 +3395,8 @@ def fetch_ca_certs(
     ) -> service.FetchCaCertsResponse:
         r"""FetchCaCerts returns the current trust anchor for the
         [CaPool][google.cloud.security.privateca.v1.CaPool]. This will
-        include CA certificate chains for all ACTIVE
-        [CertificateAuthority][google.cloud.security.privateca.v1.CertificateAuthority]
-        resources in the
-        [CaPool][google.cloud.security.privateca.v1.CaPool].
+        include CA certificate chains for all Certificate Authorities in
+        the ENABLED, DISABLED, or STAGED states.
 
         .. code-block:: python
 

@@ -845,10 +845,8 @@ def fetch_ca_certs(
 
         FetchCaCerts returns the current trust anchor for the
         [CaPool][google.cloud.security.privateca.v1.CaPool]. This will
-        include CA certificate chains for all ACTIVE
-        [CertificateAuthority][google.cloud.security.privateca.v1.CertificateAuthority]
-        resources in the
-        [CaPool][google.cloud.security.privateca.v1.CaPool].
+        include CA certificate chains for all Certificate Authorities in
+        the ENABLED, DISABLED, or STAGED states.
 
         Returns:
             Callable[[~.FetchCaCertsRequest],

@@ -862,10 +862,8 @@ def fetch_ca_certs(
 
         FetchCaCerts returns the current trust anchor for the
         [CaPool][google.cloud.security.privateca.v1.CaPool]. This will
-        include CA certificate chains for all ACTIVE
-        [CertificateAuthority][google.cloud.security.privateca.v1.CertificateAuthority]
-        resources in the
-        [CaPool][google.cloud.security.privateca.v1.CaPool].
+        include CA certificate chains for all Certificate Authorities in
+        the ENABLED, DISABLED, or STAGED states.
 
         Returns:
             Callable[[~.FetchCaCertsRequest],

@@ -1209,6 +1209,23 @@ class CertificateTemplate(proto.Message):
             [CertificateTemplate][google.cloud.security.privateca.v1.CertificateTemplate]
             in the format
             ``projects/*/locations/*/certificateTemplates/*``.
+        maximum_lifetime (google.protobuf.duration_pb2.Duration):
+            Optional. The maximum lifetime allowed for issued
+            [Certificates][google.cloud.security.privateca.v1.Certificate]
+            that use this template. If the issuing
+            [CaPool][google.cloud.security.privateca.v1.CaPool]'s
+            [IssuancePolicy][google.cloud.security.privateca.v1.CaPool.IssuancePolicy]
+            specifies a
+            [maximum_lifetime][google.cloud.security.privateca.v1.CaPool.IssuancePolicy.maximum_lifetime]
+            the minimum of the two durations will be the maximum
+            lifetime for issued
+            [Certificates][google.cloud.security.privateca.v1.Certificate].
+            Note that if the issuing
+            [CertificateAuthority][google.cloud.security.privateca.v1.CertificateAuthority]
+            expires before a
+            [Certificate][google.cloud.security.privateca.v1.Certificate]'s
+            requested maximum_lifetime, the effective lifetime will be
+            explicitly truncated to match it.
         predefined_values (google.cloud.security.privateca_v1.types.X509Parameters):
             Optional. A set of X.509 values that will be applied to all
             issued certificates that use this template. If the
@@ -1267,6 +1284,11 @@ class CertificateTemplate(proto.Message):
         proto.STRING,
         number=1,
     )
+    maximum_lifetime: duration_pb2.Duration = proto.Field(
+        proto.MESSAGE,
+        number=9,
+        message=duration_pb2.Duration,
+    )
     predefined_values: "X509Parameters" = proto.Field(
         proto.MESSAGE,
         number=2,
@@ -1629,6 +1651,13 @@ class CertificateConfig(proto.Message):
             or
             [CertificateAuthority][google.cloud.security.privateca.v1.CertificateAuthority]
             CSR.
+        subject_key_id (google.cloud.security.privateca_v1.types.CertificateConfig.KeyId):
+            Optional. When specified this provides a
+            custom SKI to be used in the certificate. This
+            should only be used to maintain a SKI of an
+            existing CA originally created outside CAS,
+            which was not generated using method (1)
+            described in RFC 5280 section 4.2.1.2.
     """
 
     class SubjectConfig(proto.Message):
@@ -1637,7 +1666,7 @@ class SubjectConfig(proto.Message):
 
         Attributes:
             subject (google.cloud.security.privateca_v1.types.Subject):
-                Required. Contains distinguished name fields
+                Optional. Contains distinguished name fields
                 such as the common name, location and
                 organization.
             subject_alt_name (google.cloud.security.privateca_v1.types.SubjectAltNames):
@@ -1656,6 +1685,22 @@ class SubjectConfig(proto.Message):
             message="SubjectAltNames",
         )
 
+    class KeyId(proto.Message):
+        r"""A KeyId identifies a specific public key, usually by hashing
+        the public key.
+
+        Attributes:
+            key_id (str):
+                Required. The value of this KeyId encoded in
+                lowercase hexadecimal. This is most likely the
+                160 bit SHA-1 hash of the public key.
+        """
+
+        key_id: str = proto.Field(
+            proto.STRING,
+            number=1,
+        )
+
     subject_config: SubjectConfig = proto.Field(
         proto.MESSAGE,
         number=1,
@@ -1671,6 +1716,11 @@ class SubjectConfig(proto.Message):
         number=3,
         message="PublicKey",
     )
+    subject_key_id: KeyId = proto.Field(
+        proto.MESSAGE,
+        number=4,
+        message=KeyId,
+    )
 
 
 class CertificateDescription(proto.Message):

@@ -1112,11 +1112,10 @@ class FetchCaCertsResponse(proto.Message):
 
     Attributes:
         ca_certs (MutableSequence[google.cloud.security.privateca_v1.types.FetchCaCertsResponse.CertChain]):
-            The PEM encoded CA certificate chains of all
-            [ACTIVE][CertificateAuthority.State.ACTIVE]
-            [CertificateAuthority][google.cloud.security.privateca.v1.CertificateAuthority]
-            resources in this
-            [CaPool][google.cloud.security.privateca.v1.CaPool].
+            The PEM encoded CA certificate chains of all Certificate
+            Authorities in this
+            [CaPool][google.cloud.security.privateca.v1.CaPool] in the
+            ENABLED, DISABLED, or STAGED states.
     """
 
     class CertChain(proto.Message):

@@ -9566,6 +9566,7 @@ def test_create_certificate_rest(request_type):
                 "additional_extensions": {},
             },
             "public_key": {"key": b"key_blob", "format_": 1},
+            "subject_key_id": {"key_id": "key_id_value"},
         },
         "issuer_certificate_authority": "issuer_certificate_authority_value",
         "lifetime": {"seconds": 751, "nanos": 543},
@@ -11005,6 +11006,7 @@ def test_update_certificate_rest(request_type):
                 "additional_extensions": {},
             },
             "public_key": {"key": b"key_blob", "format_": 1},
+            "subject_key_id": {"key_id": "key_id_value"},
         },
         "issuer_certificate_authority": "issuer_certificate_authority_value",
         "lifetime": {"seconds": 751, "nanos": 543},
@@ -11796,6 +11798,7 @@ def test_create_certificate_authority_rest(request_type):
                 "additional_extensions": {},
             },
             "public_key": {"key": b"key_blob", "format_": 1},
+            "subject_key_id": {"key_id": "key_id_value"},
         },
         "lifetime": {"seconds": 751, "nanos": 543},
         "key_spec": {
@@ -14340,6 +14343,7 @@ def test_update_certificate_authority_rest(request_type):
                 "additional_extensions": {},
             },
             "public_key": {"key": b"key_blob", "format_": 1},
+            "subject_key_id": {"key_id": "key_id_value"},
         },
         "lifetime": {"seconds": 751, "nanos": 543},
         "key_spec": {
@@ -17833,6 +17837,7 @@ def test_create_certificate_template_rest(request_type):
     request_init = {"parent": "projects/sample1/locations/sample2"}
     request_init["certificate_template"] = {
         "name": "name_value",
+        "maximum_lifetime": {"seconds": 751, "nanos": 543},
         "predefined_values": {
             "key_usage": {
                 "base_key_usage": {
@@ -19184,6 +19189,7 @@ def test_update_certificate_template_rest(request_type):
     }
     request_init["certificate_template"] = {
         "name": "projects/sample1/locations/sample2/certificateTemplates/sample3",
+        "maximum_lifetime": {"seconds": 751, "nanos": 543},
         "predefined_values": {
             "key_usage": {
                 "base_key_usage": {