Certificate Manager Private CA API, REST: Policy.Create
Creates a policy for the specified certificate authority.
A policy defines the rules and constraints for issuing certificates within a certificate authority.
For example, you can specify allowed or disallowed key usages, extensions, and subject fields.
HTTP request
POST https://private-ca.certificate-manager.api.cloud.yandex.net/privateca/v1/policies
Body parameters
{
"certificateAuthorityId": "string",
"name": "string",
"subjectPolicy": {
"country": "string",
"organization": "string",
"organizationalUnit": "string",
"distinguishedNameQualifier": "string",
"stateOrProvince": "string",
"commonName": "string",
"emailAddress": "string",
"serialNumber": "string",
"locality": "string",
"title": "string",
"surname": "string",
"givenName": "string",
"initials": "string",
"generationQualifier": "string"
},
"sanPolicy": {
"otherNameOid": "string",
"rfc_822Name": "string",
"dnsName": "string",
"directoryName": "string",
"ediPartyName": {
"nameAssigner": "string",
"partyName": "string"
},
"uniformResourceIdentifier": "string",
"ipAddress": "string",
"registeredId": "string"
},
// Includes only one of the fields `keyUsagesWhiteList`, `keyUsagesBlackList`
"keyUsagesWhiteList": {
"keyUsage": [
"string"
]
},
"keyUsagesBlackList": {
"keyUsage": [
"string"
]
},
// end of the list of possible fields
// Includes only one of the fields `extendedKeyUsagesWhiteList`, `extendedKeyUsagesBlackList`
"extendedKeyUsagesWhiteList": {
"extendedKeyUsage": [
"string"
]
},
"extendedKeyUsagesBlackList": {
"extendedKeyUsage": [
"string"
]
},
// end of the list of possible fields
// Includes only one of the fields `extensionWhiteList`, `extensionBlackList`
"extensionWhiteList": {
"extensionOid": [
"string"
]
},
"extensionBlackList": {
"extensionOid": [
"string"
]
}
// end of the list of possible fields
}
Request message for creating a policy.
| Field | Description |
|---|---|
| certificateAuthorityId | string. Required field. ID of the certificate authority to create a policy for. |
| name | string. Name of the policy. |
| subjectPolicy | SubjectPolicy. Policy for the subject field of the certificate. |
| sanPolicy | SubjectAlternativeNamePolicy. Policy for the subject alternative name (SAN) field of the certificate. |
| keyUsagesWhiteList | KeyUsagePolicy. Whitelist of allowed key usages. Includes only one of the fields `keyUsagesWhiteList`, `keyUsagesBlackList`. |
| keyUsagesBlackList | KeyUsagePolicy. Blacklist of disallowed key usages. Includes only one of the fields `keyUsagesWhiteList`, `keyUsagesBlackList`. |
| extendedKeyUsagesWhiteList | ExtendedKeyUsagePolicy. Whitelist of allowed extended key usages. Includes only one of the fields `extendedKeyUsagesWhiteList`, `extendedKeyUsagesBlackList`. |
| extendedKeyUsagesBlackList | ExtendedKeyUsagePolicy. Blacklist of disallowed extended key usages. Includes only one of the fields `extendedKeyUsagesWhiteList`, `extendedKeyUsagesBlackList`. |
| extensionWhiteList | ExtensionPolicy. Whitelist of allowed extensions. Includes only one of the fields `extensionWhiteList`, `extensionBlackList`. |
| extensionBlackList | ExtensionPolicy. Blacklist of disallowed extensions. Includes only one of the fields `extensionWhiteList`, `extensionBlackList`. |
SubjectPolicy
Policy for the subject field of a certificate. Each string field may be a regular expression.
| Field | Description |
|---|---|
| country | string. Allowed country name in the subject field. |
| organization | string. Allowed organization name in the subject field. |
| organizationalUnit | string. Allowed organizational unit name in the subject field. |
| distinguishedNameQualifier | string. Allowed distinguished name qualifier in the subject field. |
| stateOrProvince | string. Allowed state or province name in the subject field. |
| commonName | string. Allowed common name in the subject field. |
| emailAddress | string. Allowed email address in the subject field. |
| serialNumber | string. Allowed serial number in the subject field. |
| locality | string. Allowed locality name in the subject field. |
| title | string. Allowed title in the subject field. |
| surname | string. Allowed surname in the subject field. |
| givenName | string. Allowed given name in the subject field. |
| initials | string. Allowed initials in the subject field. |
| generationQualifier | string. Allowed generation qualifier in the subject field. |
SubjectAlternativeNamePolicy
Policy for the Subject Alternative Name (SAN) field of a certificate. Each string field may be a regular expression.
| Field | Description |
|---|---|
| otherNameOid | string. Allowed OIDs of the other name in the SAN field. |
| rfc_822Name | string. Allowed RFC 822 names (email addresses) in the SAN field. |
| dnsName | string. Allowed DNS names in the SAN field. |
| directoryName | string. Allowed directory names in the SAN field. |
| ediPartyName | EdiPartyName. Allowed EDI party names in the SAN field. |
| uniformResourceIdentifier | string. Allowed URIs in the SAN field. |
| ipAddress | string. Allowed IP addresses in the SAN field. |
| registeredId | string. Allowed registered IDs in the SAN field. |
EdiPartyName
| Field | Description |
|---|---|
| nameAssigner | string. Specifies the entity or authority that assigned the partyName. |
| partyName | string. The actual identifier of the EDI party. |
KeyUsagePolicy
Policy for key usages in a certificate.
| Field | Description |
|---|---|
| keyUsage[] | enum (KeyUsageExtension). List of key usages that are allowed or disallowed. |
ExtendedKeyUsagePolicy
Policy for extended key usages in a certificate.
| Field | Description |
|---|---|
| extendedKeyUsage[] | enum (ExtendedKeyUsageExtension). List of extended key usages that are allowed or disallowed. |
ExtensionPolicy
Policy for certificate extensions.
| Field | Description |
|---|---|
| extensionOid[] | string. List of extension OIDs that are allowed or disallowed. |
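As an added illustration (not code from this page or from Yandex Cloud), the following Python builds a Policy.Create request body from the schema above, checks the documented constraints client-side (the required certificateAuthorityId, the mutually exclusive whitelist/blacklist pairs, and that regexp-valued subject and SAN fields compile), and shows how a whitelist or blacklist and the regexp fields constrain a requested subject, SAN and key usage set. The CA id and key usage names are placeholders, since this page does not list the KeyUsageExtension enum values, and full-match regexp semantics is an assumption rather than documented behaviour.

```python
import re
# Constructed request body for Policy.Create, following the documented schema.
# The CA id and the key usage names are placeholders: this page does not list
# the KeyUsageExtension enum values, so real ones must come from that enum.
REQUEST = {
    "certificateAuthorityId": "<CERTIFICATE_AUTHORITY_ID>",
    "name": "internal-servers",
    "subjectPolicy": {"organization": "Example Corp",
                      "commonName": r"[a-z0-9-]+\.internal\.example"},
    "sanPolicy": {"dnsName": r"[a-z0-9-]+\.internal\.example"},
    "keyUsagesWhiteList": {"keyUsage": ["<KEY_USAGE_A>", "<KEY_USAGE_B>"]},
}
# Field pairs the schema marks "includes only one of the fields".
ONEOF_PAIRS = [("keyUsagesWhiteList", "keyUsagesBlackList"),
               ("extendedKeyUsagesWhiteList", "extendedKeyUsagesBlackList"),
               ("extensionWhiteList", "extensionBlackList")]
LIST_KEYS = {"keyUsages": "keyUsage", "extendedKeyUsages": "extendedKeyUsage",
             "extension": "extensionOid"}

def validate_request(body):
    """Return schema problems found client-side; an empty list means it passes."""
    problems = []
    if not body.get("certificateAuthorityId"):
        problems.append("certificateAuthorityId is required")
    for white, black in ONEOF_PAIRS:
        if white in body and black in body:
            problems.append(f"{white} and {black} are mutually exclusive")
    for section in ("subjectPolicy", "sanPolicy"):
        for field, pattern in body.get(section, {}).items():
            if isinstance(pattern, str):  # ediPartyName is an object, skip it
                try:
                    re.compile(pattern)
                except re.error as exc:
                    problems.append(f"{section}.{field}: bad regexp ({exc})")
    return problems

def names_allowed(section_policy, names):
    """Assumed semantics: each constrained string field must fully match its regexp."""
    return all(re.fullmatch(section_policy[f], v) is not None
               for f, v in names.items() if isinstance(section_policy.get(f), str))

def usages_allowed(body, prefix, requested):
    """Whitelist: all requested values must be listed; blacklist: none may be."""
    key = LIST_KEYS[prefix]
    if f"{prefix}WhiteList" in body:
        return set(requested) <= set(body[f"{prefix}WhiteList"][key])
    if f"{prefix}BlackList" in body:
        return not set(requested) & set(body[f"{prefix}BlackList"][key])
    return True
```

Fields the policy leaves unset are unconstrained, so a SAN ipAddress passes when only dnsName is restricted; the checks are a pre-flight for the request body, not a substitute for the CA's own enforcement.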
Response
HTTP Code: 200 - OK
{
"id": "string",
"description": "string",
"createdAt": "string",
"createdBy": "string",
"modifiedAt": "string",
"done": "boolean",
"metadata": {
"id": "string"
},
// Includes only one of the fields `error`, `response`
"error": {
"code": "integer",
"message": "string",
"details": [
"object"
]
},
"response": {
"id": "string",
"certificateAuthorityId": "string",
"name": "string",
"subjectPolicy": {
"country": "string",
"organization": "string",
"organizationalUnit": "string",
"distinguishedNameQualifier": "string",
"stateOrProvince": "string",
"commonName": "string",
"emailAddress": "string",
"serialNumber": "string",
"locality": "string",
"title": "string",
"surname": "string",
"givenName": "string",
"initials": "string",
"generationQualifier": "string"
},
"sanPolicy": {
"otherNameOid": "string",
"rfc_822Name": "string",
"dnsName": "string",
"directoryName": "string",
"ediPartyName": {
"nameAssigner": "string",
"partyName": "string"
},
"uniformResourceIdentifier": "string",
"ipAddress": "string",
"registeredId": "string"
},
// Includes only one of the fields `keyUsagesWhiteList`, `keyUsagesBlackList`
"keyUsagesWhiteList": {
"keyUsage": [
"string"
]
},
"keyUsagesBlackList": {
"keyUsage": [
"string"
]
},
// end of the list of possible fields
// Includes only one of the fields `extendedKeyUsagesWhiteList`, `extendedKeyUsagesBlackList`
"extendedKeyUsagesWhiteList": {
"extendedKeyUsage": [
"string"
]
},
"extendedKeyUsagesBlackList": {
"extendedKeyUsage": [
"string"
]
},
// end of the list of possible fields
// Includes only one of the fields `extensionWhiteList`, `extensionBlackList`
"extensionWhiteList": {
"extensionOid": [
"string"
]
},
"extensionBlackList": {
"extensionOid": [
"string"
]
},
// end of the list of possible fields
"createdAt": "string",
"updatedAt": "string"
}
// end of the list of possible fields
}
An Operation resource. For more information, see Operation.
| Field | Description |
|---|---|
| id | string. ID of the operation. |
| description | string. Description of the operation. 0-256 characters long. |
| createdAt | string (date-time). Creation timestamp. String in RFC3339 format. To work with values in this field, use the APIs described in the |
| createdBy | string. ID of the user or service account who initiated the operation. |
| modifiedAt | string (date-time). The time when the Operation resource was last modified. String in RFC3339 format. To work with values in this field, use the APIs described in the |
| done | boolean. If the value is |
| metadata | CreatePolicyMetadata. Service-specific metadata associated with the operation. |
| error | Status. The error result of the operation in case of failure or cancellation. Includes only one of the fields `error`, `response` (the operation result). |
| response | Policy. The normal response of the operation in case of success. Includes only one of the fields `error`, `response` (the operation result). |
CreatePolicyMetadata
Metadata for the CreatePolicy operation.
| Field | Description |
|---|---|
| id | string. ID of the policy being created. |
Status
The error result of the operation in case of failure or cancellation.
| Field | Description |
|---|---|
| code | integer (int32). Error code. An enum value of google.rpc.Code. |
| message | string. An error message. |
| details[] | object. A list of messages that carry the error details. |
Policy
A policy defines the rules and constraints for issuing certificates within a certificate authority.
| Field | Description |
|---|---|
| id | string. ID of the policy. |
| certificateAuthorityId | string. ID of the certificate authority the policy belongs to. |
| name | string. Name of the policy. |
| subjectPolicy | SubjectPolicy. Policy for the subject field of the certificate. |
| sanPolicy | SubjectAlternativeNamePolicy. Policy for the Subject Alternative Name (SAN) extension of the certificate. |
| keyUsagesWhiteList | KeyUsagePolicy. Whitelist of allowed key usages. Includes only one of the fields `keyUsagesWhiteList`, `keyUsagesBlackList`. |
| keyUsagesBlackList | KeyUsagePolicy. Blacklist of disallowed key usages. Includes only one of the fields `keyUsagesWhiteList`, `keyUsagesBlackList`. |
| extendedKeyUsagesWhiteList | ExtendedKeyUsagePolicy. Whitelist of allowed extended key usages. Includes only one of the fields `extendedKeyUsagesWhiteList`, `extendedKeyUsagesBlackList`. |
| extendedKeyUsagesBlackList | ExtendedKeyUsagePolicy. Blacklist of disallowed extended key usages. Includes only one of the fields `extendedKeyUsagesWhiteList`, `extendedKeyUsagesBlackList`. |
| extensionWhiteList | ExtensionPolicy. Whitelist of allowed extensions. Includes only one of the fields `extensionWhiteList`, `extensionBlackList`. |
| extensionBlackList | ExtensionPolicy. Blacklist of disallowed extensions. Includes only one of the fields `extensionWhiteList`, `extensionBlackList`. |
| createdAt | string (date-time). Timestamp when the policy was created. String in RFC3339 format. To work with values in this field, use the APIs described in the |
| updatedAt | string (date-time). Timestamp when the policy was last updated. String in RFC3339 format. To work with values in this field, use the APIs described in the |