Certificate Manager Private CA API, gRPC: PrivateCaService.GenerateCertificateAuthority
Generates a new Certificate Authority (CA).
This endpoint creates a new CA with the given properties and cryptographic settings.
gRPC request
rpc GenerateCertificateAuthority (GenerateCertificateAuthorityRequest) returns (operation.Operation)
GenerateCertificateAuthorityRequest
{
"folder_id": "string",
"parent_certificate_authority_id": "string",
"name": "string",
"description": "string",
"subject_spec": {
"base_rdn": {
"country": "string",
"organization": "string",
"organizational_unit": "string",
"distinguished_name_qualifier": "string",
"state_or_province": "string",
"common_name": "string",
"email_address": "string"
},
"additional_rdn": {
"serial_number": "string",
"locality": "string",
"title": "string",
"surname": "string",
"given_name": "string",
"initials": "string",
"generation_qualifier": "string"
}
},
"algorithm": "Algorithm",
"path_len": "int64",
"key_usage": [
"KeyUsageExtension"
],
"extended_key_usage": [
"ExtendedKeyUsageExtension"
],
"ttl_days": "int64",
"end_entities_ttl_limit_days": "int64",
"template_id": "string",
"enable_crl": "bool",
"enable_ocsp": "bool",
"deletion_protection": "bool"
}
Request to generate a new Certificate Authority (CA).
Field | Description
--- | ---
folder_id | string. Required field. Folder ID where the CA is being created.
parent_certificate_authority_id | string. Optional. If set, an intermediate CA is generated and signed by the parent CA.
name | string. Required field. The name of the Certificate Authority.
description | string. An optional description of the Certificate Authority.
subject_spec | Subject. Required field. The subject (e.g., common name, organization, etc.) for the CA.
algorithm | enum Algorithm. Required field. The algorithm for the asymmetric key generation (e.g., RSA, ECC).
path_len | int64. The maximum length of the certificate chain.
key_usage[] | enum KeyUsageExtension. Key usage (e.g., keyEncipherment, digitalSignature).
extended_key_usage[] | enum ExtendedKeyUsageExtension. Extended key usage (e.g., serverAuth, clientAuth).
ttl_days | int64. The Time-To-Live (TTL) in days for the CA.
end_entities_ttl_limit_days | int64. TTL limit in days for end-entity certificates signed by the CA.
template_id | string. Optional template ID used to fill certificate fields with template data. Explicitly defined parameters take precedence over template values.
enable_crl | bool. Enable Certificate Revocation List (CRL) support.
enable_ocsp | bool. Enable Online Certificate Status Protocol (OCSP) support.
deletion_protection | bool. Protect the CA from accidental deletion. If set, deletion of the CA is denied.
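An added example, not part of the Private CA API or any Yandex SDK: it assembles a GenerateCertificateAuthorityRequest body in the JSON shape documented above and runs pre-flight checks on the documented constraints (required fields, two-letter country, TTL relationship, a revocation channel) before the request is sent. The folder and parent CA IDs and the "algorithm" enum string are placeholders, and the rule that end-entity TTL must not exceed the CA TTL is an assumption, not something the reference states.

```python
# Added example, not part of the Private CA API or any Yandex SDK: assemble a
# GenerateCertificateAuthorityRequest body in the JSON shape documented above and
# run pre-flight checks on the documented constraints before it is sent. Folder
# and parent CA IDs and the "algorithm" enum string are placeholders.
from typing import Any, Dict, List, Optional

REQUIRED_FIELDS = ("folder_id", "name", "subject_spec", "algorithm")


def build_request(folder_id: str, name: str, common_name: str, organization: str,
                  country: str, algorithm: str, ttl_days: int,
                  end_entities_ttl_limit_days: int, path_len: int = 0,
                  parent_certificate_authority_id: Optional[str] = None,
                  enable_crl: bool = True, enable_ocsp: bool = True,
                  deletion_protection: bool = True) -> Dict[str, Any]:
    """Revocation (CRL/OCSP) and deletion protection default to on."""
    req: Dict[str, Any] = {
        "folder_id": folder_id, "name": name, "algorithm": algorithm,
        "subject_spec": {"base_rdn": {"country": country, "organization": organization,
                                      "common_name": common_name}},
        "path_len": path_len, "ttl_days": ttl_days,
        "end_entities_ttl_limit_days": end_entities_ttl_limit_days,
        "enable_crl": enable_crl, "enable_ocsp": enable_ocsp,
        "deletion_protection": deletion_protection,
    }
    if parent_certificate_authority_id:  # set only for an intermediate CA
        req["parent_certificate_authority_id"] = parent_certificate_authority_id
    return req


def validate_request(req: Dict[str, Any]) -> List[str]:
    """Return the problems found; an empty list means the body passes the checks."""
    problems: List[str] = []
    for key in REQUIRED_FIELDS:
        if not req.get(key):
            problems.append(f"missing required field: {key}")
    base = (req.get("subject_spec") or {}).get("base_rdn") or {}
    if not base:
        problems.append("subject_spec.base_rdn is required")
    country = base.get("country", "")
    if country and not (len(country) == 2 and country.isalpha()):
        problems.append("country must be a two-letter code")
    ttl, ee_ttl = req.get("ttl_days", 0), req.get("end_entities_ttl_limit_days", 0)
    if ttl <= 0:
        problems.append("ttl_days must be positive")
    if ee_ttl > ttl:  # assumption: end-entity certificates should not outlive the CA
        problems.append("end_entities_ttl_limit_days exceeds ttl_days")
    if not (req.get("enable_crl") or req.get("enable_ocsp")):
        problems.append("no revocation channel: enable CRL or OCSP")
    return problems
```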
Subject
Subject field of certificate https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.6
Field | Description
--- | ---
base_rdn | BaseRDN. Required field. The most commonly used subject fields.
additional_rdn | AdditionalRDN. Additional subject fields.
BaseRDN
https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.4
Field | Description
--- | ---
country | string. Two-letter country code.
organization | string. Organization name in arbitrary form.
organizational_unit | string. Organizational unit name in arbitrary form.
distinguished_name_qualifier | string. Distinguished name qualifier.
state_or_province | string. State or province name in arbitrary form.
common_name | string. Common name. For TLS certificates this is usually the domain name.
email_address | string. Email address of the certificate owner.
AdditionalRDN
https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.4
Field | Description
--- | ---
serial_number | string. Serial number of the certificate subject in arbitrary form. Not to be confused with the certificate serial number.
locality | string. Locality of the certificate subject in arbitrary form.
title | string. Title of the certificate subject in arbitrary form.
surname | string. Surname of the certificate subject in arbitrary form.
given_name | string. Given name of the certificate subject in arbitrary form.
initials | string. Initials of the certificate subject in arbitrary form.
generation_qualifier | string. Generation qualifier of the certificate subject in arbitrary form.
operation.Operation
{
"id": "string",
"description": "string",
"created_at": "google.protobuf.Timestamp",
"created_by": "string",
"modified_at": "google.protobuf.Timestamp",
"done": "bool",
"metadata": {
"certificate_authority_id": "string"
},
// Includes only one of the fields `error`, `response`
"error": "google.rpc.Status",
"response": {
"id": "string",
"folder_id": "string",
"name": "string",
"description": "string",
"parent_certificate_authority_id": "string",
"status": "Status",
"issued_at": "google.protobuf.Timestamp",
"not_after": "google.protobuf.Timestamp",
"not_before": "google.protobuf.Timestamp",
"crl_endpoint": "string",
"end_entities_ttl_limit_days": "int64",
"deletion_protection": "bool",
"created_at": "google.protobuf.Timestamp",
"updated_at": "google.protobuf.Timestamp"
}
// end of the list of possible fields
}
An Operation resource. For more information, see Operation.
Field | Description
--- | ---
id | string. ID of the operation.
description | string. Description of the operation. 0-256 characters long.
created_at | google.protobuf.Timestamp. Creation timestamp.
created_by | string. ID of the user or service account who initiated the operation.
modified_at | google.protobuf.Timestamp. The time when the Operation resource was last modified.
done | bool. If the value is
metadata | GenerateCertificateAuthorityMetadata. Service-specific metadata associated with the operation.
error | google.rpc.Status. The error result of the operation in case of failure or cancellation. Includes only one of the fields `error`, `response`: the operation result.
response | CertificateAuthority. The normal response of the operation in case of success. Includes only one of the fields `error`, `response`: the operation result.
GenerateCertificateAuthorityMetadata
Metadata for the GenerateCertificateAuthority operation.
Field | Description
--- | ---
certificate_authority_id | string. ID of the Certificate Authority being created.
CertificateAuthority
A certificate authority (CA) used to sign certificates.
Field | Description
--- | ---
id | string. ID of the certificate authority.
folder_id | string. ID of the folder that the certificate authority belongs to.
name | string. Name of the certificate authority.
description | string. Description of the certificate authority.
parent_certificate_authority_id | string. ID of the parent certificate authority that signed this certificate authority, if any.
status | enum Status. Status of the certificate authority.
issued_at | google.protobuf.Timestamp. Time when the certificate authority was issued.
not_after | google.protobuf.Timestamp. Time after which the certificate authority is not valid.
not_before | google.protobuf.Timestamp. Time before which the certificate authority is not valid.
crl_endpoint | string. Endpoint of the certificate revocation list (CRL) for the certificate authority.
end_entities_ttl_limit_days | int64. Maximum allowed TTL (in days) for end-entity certificates issued by this CA.
deletion_protection | bool. Flag that protects the certificate authority from deletion.
created_at | google.protobuf.Timestamp. Time when the certificate authority was created.
updated_at | google.protobuf.Timestamp. Time when the certificate authority was last updated.