NAME
    gcloud privateca certificates create - create a new certificate

SYNOPSIS
    gcloud privateca certificates create
        [[CERTIFICATE]
          --issuer-location=ISSUER_LOCATION --issuer-pool=ISSUER_POOL]
        (--cert-output-file=CERT_OUTPUT_FILE | --validate-only)
        ([--csr=CSR : --rdn-sequence-subject] | [(--dns-san=[DNS_SAN,...]
          --email-san=[EMAIL_SAN,...] --ip-san=[IP_SAN,...]
          --subject=[SUBJECT,...] --uri-san=[URI_SAN,...])
          (--generate-key --key-output-file=KEY_OUTPUT_FILE
          | [--kms-key-version=KMS_KEY_VERSION : --kms-key=KMS_KEY
          --kms-keyring=KMS_KEYRING
          --kms-location=KMS_LOCATION --kms-project=KMS_PROJECT])
          : --use-preset-profile=USE_PRESET_PROFILE
          | --extended-key-usages=[EXTENDED_KEY_USAGES,...] --is-ca-cert
          --key-usages=[KEY_USAGES,...] --max-chain-length=MAX_CHAIN_LENGTH
          | --unconstrained-chain-length --no-name-constraints-critical
          --name-excluded-dns=[NAME_EXCLUDED_DNS,...]
          --name-excluded-email=[NAME_EXCLUDED_EMAIL,...]
          --name-excluded-ip=[NAME_EXCLUDED_IP,...]
          --name-excluded-uri=[NAME_EXCLUDED_URI,...]
          --name-permitted-dns=[NAME_PERMITTED_DNS,...]
          --name-permitted-email=[NAME_PERMITTED_EMAIL,...]
          --name-permitted-ip=[NAME_PERMITTED_IP,...]
          --name-permitted-uri=[NAME_PERMITTED_URI,...]]) [--ca=CA]
        [--labels=[KEY=VALUE,...]] [--subject-key-id=SUBJECT_KEY_ID]
        [--validity=VALIDITY; default="P30D"]
        [--template=TEMPLATE : --template-location=TEMPLATE_LOCATION]
        [GCLOUD_WIDE_FLAG ...]

EXAMPLES
    To create a certificate using a CSR:

        $ gcloud privateca certificates create frontend-server-tls \
          --issuer-pool=my-pool --issuer-location=us-west1 \
          --csr=./csr.pem --cert-output-file=./cert.pem --validity=P30D

    To create a certificate using a client-generated key:

        $ gcloud privateca certificates create frontend-server-tls \
          --issuer-pool=my-pool --issuer-location=us-west1 \
          --generate-key --key-output-file=./key \
          --cert-output-file=./cert.pem --dns-san=www.example.com \
          --use-preset-profile=leaf_server_tls

POSITIONAL ARGUMENTS
     CERTIFICATE resource - The name of the certificate to issue. If the
     certificate ID is omitted, a random identifier will be generated according
     to the following format: {YYYYMMDD}-{3 random alphanumeric characters}-{3
     random alphanumeric characters}. The certificate ID is not required when
     the issuing CA pool is in the DevOps tier. The arguments in this group can
     be used to specify the attributes of this resource. (NOTE) Some attributes
     are not given arguments in this group but can be set in other ways.

     To set the project attribute:
      ◆ provide the argument CERTIFICATE on the command line with a fully
        specified name;
      ◆ certificate id will default to an automatically generated id with a
        fully specified name;
      ◆ provide the argument --project on the command line;
      ◆ set the property core/project.

     [CERTIFICATE]
        ID of the CERTIFICATE or fully qualified identifier for the
        CERTIFICATE.

        To set the certificate attribute:
        ◆ provide the argument CERTIFICATE on the command line;
        ◆ certificate id will default to an automatically generated id.

     --issuer-location=ISSUER_LOCATION
        The location of the CERTIFICATE.

        To set the issuer-location attribute:
        ◆ provide the argument CERTIFICATE on the command line with a fully
          specified name;
        ◆ certificate id will default to an automatically generated id with a
          fully specified name;
        ◆ provide the argument --issuer-location on the command line;
        ◆ set the property privateca/location.

     --issuer-pool=ISSUER_POOL
        The parent CA Pool of the CERTIFICATE.

        To set the issuer-pool attribute:
        ◆ provide the argument CERTIFICATE on the command line with a fully
          specified name;
        ◆ certificate id will default to an automatically generated id with a
          fully specified name;
        ◆ provide the argument --issuer-pool on the command line.

REQUIRED FLAGS
     Certificate persistence options.

     Exactly one of these must be specified:

       --cert-output-file=CERT_OUTPUT_FILE
          The path where the resulting PEM-encoded certificate chain file
          should be written (ordered from leaf to root).

       --validate-only
          If this flag is set, the certificate resource will not be persisted
          and the returned certificate will not contain the pem_certificate
          field.

     Certificate generation method.

     Exactly one of these must be specified:

       To issue a certificate from a CSR use the following:

       --csr=CSR
          A PEM-encoded certificate signing request file path.

          This flag argument must be specified if any of the other arguments in
          this group are specified.

       --rdn-sequence-subject
          If this value is set then the issued certificate will use the subject
          found in the CSR preserving the exact RDN sequence.

       Alternatively, you may describe the certificate and key to use.

       The subject names for the certificate.

       At least one of these must be specified:

         --dns-san=[DNS_SAN,...]
            One or more comma-separated DNS Subject Alternative Names.

         --email-san=[EMAIL_SAN,...]
            One or more comma-separated email Subject Alternative Names.

         --ip-san=[IP_SAN,...]
            One or more comma-separated IP Subject Alternative Names.

         --subject=[SUBJECT,...]
            X.501 name of the certificate subject. Example: --subject
            "C=US,ST=California,L=Mountain View,O=Google LLC,CN=google.com"

         --uri-san=[URI_SAN,...]
            One or more comma-separated URI Subject Alternative Names.

       To describe the key that will be used for this certificate, use one of
       the following options.

       Exactly one of these must be specified:

         To generate a new key pair, use the following:

         --generate-key
            Use this flag to have a new RSA-2048 private key securely generated
            on your machine.

            This flag argument must be specified if any of the other arguments
            in this group are specified.

         --key-output-file=KEY_OUTPUT_FILE
            The path where the generated private key file should be written (in
            PEM format).

            Note: possession of this key file could allow anybody to act as
            this certificate's subject. Please make sure that you store this
            key file in a secure location at all times, and ensure that only
            authorized users have access to it.

            This flag argument must be specified if any of the other arguments
            in this group are specified.

         Key version resource - An existing KMS key version backing this
         certificate. The arguments in this group can be used to specify the
         attributes of this resource.

         --kms-key-version=KMS_KEY_VERSION
            ID of the key version or fully qualified identifier for the key
            version.

            To set the kms-key-version attribute:
            ▫ provide the argument --kms-key-version on the command line.

            This flag argument must be specified if any of the other arguments
            in this group are specified.

         --kms-key=KMS_KEY
            The KMS key of the key version.

            To set the kms-key attribute:
            ▫ provide the argument --kms-key-version on the command line with
              a fully specified name;
            ▫ provide the argument --kms-key on the command line.

         --kms-keyring=KMS_KEYRING
            The KMS keyring of the key version.

            To set the kms-keyring attribute:
            ▫ provide the argument --kms-key-version on the command line with
              a fully specified name;
            ▫ provide the argument --kms-keyring on the command line.

         --kms-location=KMS_LOCATION
            The location of the key version.

            To set the kms-location attribute:
            ▫ provide the argument --kms-key-version on the command line with
              a fully specified name;
            ▫ provide the argument --kms-location on the command line;
            ▫ provide the argument location on the command line;
            ▫ set the property privateca/location.

         --kms-project=KMS_PROJECT
            The project containing the key version.

            To set the kms-project attribute:
            ▫ provide the argument --kms-key-version on the command line with
              a fully specified name;
            ▫ provide the argument --kms-project on the command line;
            ▫ provide the argument project on the command line;
            ▫ set the property core/project.

       The x509 configuration used for this certificate.

       At most one of these can be specified:

         --use-preset-profile=USE_PRESET_PROFILE
            The name of an existing preset profile used to encapsulate X.509
            parameter values. USE_PRESET_PROFILE must be one of:
            leaf_client_tls, leaf_code_signing, leaf_mtls, leaf_server_tls,
            leaf_smime, root_unconstrained, subordinate_client_tls_pathlen_0,
            subordinate_code_signing_pathlen_0, subordinate_mtls_pathlen_0,
            subordinate_server_tls_pathlen_0, subordinate_smime_pathlen_0,
            subordinate_unconstrained_pathlen_0.

            For more information, see
            https://cloud.google.com/certificate-authority-service/docs/certificate-profile.

         Or at least one of these can be specified:

           --extended-key-usages=[EXTENDED_KEY_USAGES,...]
              The list of extended key usages for this certificate. This can
              only be provided if --use-preset-profile is not provided.
              EXTENDED_KEY_USAGES must be one of: server_auth, client_auth,
              code_signing, email_protection, time_stamping, ocsp_signing.

           --is-ca-cert
              Whether this certificate is for a CertificateAuthority or not.
              Indicates the Certificate Authority field in the x509 basic
              constraints extension.

           --key-usages=[KEY_USAGES,...]
              The list of key usages for this certificate. This can only be
              provided if --use-preset-profile is not provided. KEY_USAGES must
              be one of: digital_signature, content_commitment,
              key_encipherment, data_encipherment, key_agreement, cert_sign,
              crl_sign, encipher_only, decipher_only.

           At most one of these can be specified:

             --max-chain-length=MAX_CHAIN_LENGTH
                Maximum depth of subordinate CAs allowed under this CA for a CA
                certificate. This can only be provided if neither
                --use-preset-profile nor --unconstrained-chain-length are
                provided.

             --unconstrained-chain-length
                If set, allows an unbounded number of subordinate CAs under
                this newly issued CA certificate. This can only be provided if
                neither --use-preset-profile nor --max-chain-length are
                provided.

           The x509 name constraints configurations

           --name-constraints-critical
              Indicates whether or not name constraints are marked as critical.
              Name constraints are considered critical unless explicitly set to
              false. Enabled by default, use --no-name-constraints-critical to
              disable.

           --name-excluded-dns=[NAME_EXCLUDED_DNS,...]
              One or more comma-separated DNS names which are excluded from
              being issued certificates. Any DNS name that can be constructed
              by simply adding zero or more labels to the left-hand side of the
              name satisfies the name constraint. For example, example.com,
              www.example.com, www.sub.example.com would satisfy example.com,
              while example1.com does not.

           --name-excluded-email=[NAME_EXCLUDED_EMAIL,...]
              One or more comma-separated emails which are excluded from being
              issued certificates. The value can be a particular email address,
              a hostname to indicate all email addresses on that host or a
              domain with a leading period (e.g. .example.com) to indicate all
              email addresses in that domain.

           --name-excluded-ip=[NAME_EXCLUDED_IP,...]
              One or more comma-separated IP ranges which are excluded from
              being issued certificates. For IPv4 addresses, the ranges are
              expressed using CIDR notation as specified in RFC 4632. For IPv6
              addresses, the ranges are expressed in similar encoding as IPv4

           --name-excluded-uri=[NAME_EXCLUDED_URI,...]
              One or more comma-separated URIs which are excluded from being
              issued certificates. The value can be a hostname or a domain with
              a leading period (like .example.com)

           --name-permitted-dns=[NAME_PERMITTED_DNS,...]
              One or more comma-separated DNS names which are permitted to be
              issued certificates. Any DNS name that can be constructed by
              simply adding zero or more labels to the left-hand side of the
              name satisfies the name constraint. For example, example.com,
              www.example.com, www.sub.example.com would satisfy example.com,
              while example1.com does not.

           --name-permitted-email=[NAME_PERMITTED_EMAIL,...]
              One or more comma-separated email addresses which are permitted
              to be issued certificates. The value can be a particular email
              address, a hostname to indicate all email addresses on that host
              or a domain with a leading period (e.g. .example.com) to indicate
              all email addresses in that domain.

           --name-permitted-ip=[NAME_PERMITTED_IP,...]
              One or more comma-separated IP ranges which are permitted to be
              issued certificates. For IPv4 addresses, the ranges are expressed
              using CIDR notation as specified in RFC 4632. For IPv6 addresses,
              the ranges are expressed in similar encoding as IPv4

           --name-permitted-uri=[NAME_PERMITTED_URI,...]
              One or more comma-separated URIs which are permitted to be issued
              certificates. The value can be a hostname or a domain with a
              leading period (like .example.com)

OPTIONAL FLAGS
     --ca=CA
        The name of an existing certificate authority to use for issuing the
        certificate. If omitted, a certificate authority will be will be chosen
        from the CA pool by the service on your behalf.

     --labels=[KEY=VALUE,...]
        List of label KEY=VALUE pairs to add.

        Keys must start with a lowercase character and contain only hyphens
        (-), underscores (_), lowercase characters, and numbers. Values must
        contain only hyphens (-), underscores (_), lowercase characters, and
        numbers.

     --subject-key-id=SUBJECT_KEY_ID
        Optional field to specify subject key ID for certificate. DO NOT USE
        except to maintain a previously established identifier for a public
        key, whose SKI was not generated using method (1) described in RFC 5280
        section 4.2.1.2.

     --validity=VALIDITY; default="P30D"
        The validity of this certificate, as an ISO8601 duration. Defaults to
        30 days.

     Certificate template resource - The name of a certificate template to use
     for issuing this certificate, if desired. A template may overwrite parts
     of the certificate request, and the use of certificate templates may be
     required and/or regulated by the issuing CA Pool's CA Manager. The
     specified template must be in the same location as the issuing CA Pool.
     The arguments in this group can be used to specify the attributes of this
     resource. (NOTE) Some attributes are not given arguments in this group but
     can be set in other ways.

     To set the project attribute:
      ◆ provide the argument --template on the command line with a fully
        specified name;
      ◆ provide the argument --project on the command line;
      ◆ set the property core/project.

     --template=TEMPLATE
        ID of the certificate_template or fully qualified identifier for the
        certificate_template.

        To set the certificate template attribute:
        ◆ provide the argument --template on the command line.

        This flag argument must be specified if any of the other arguments in
        this group are specified.

     --template-location=TEMPLATE_LOCATION
        The location of the certificate_template.

        To set the location attribute:
        ◆ provide the argument --template on the command line with a fully
          specified name;
        ◆ provide the argument --template-location on the command line;
        ◆ provide the argument --issuer-location on the command line;
        ◆ set the property privateca/location.

GCLOUD WIDE FLAGS
    These flags are available to all commands: --access-token-file, --account,
    --billing-project, --configuration, --flags-file, --flatten, --format,
    --help, --impersonate-service-account, --log-http, --project, --quiet,
    --trace-token, --user-output-enabled, --verbosity.

    Run $ gcloud help for details.
