NAME
    gcloud privateca templates create - create a new certificate template

SYNOPSIS
    gcloud privateca templates create
        (CERTIFICATE_TEMPLATE : --location=LOCATION) --copy-sans --copy-subject
        [--description=DESCRIPTION]
        [--identity-cel-expression=IDENTITY_CEL_EXPRESSION]
        [--labels=[KEY=VALUE,...]] [--maximum-lifetime=MAXIMUM_LIFETIME]
        [--predefined-values-file=PREDEFINED_VALUES_FILE]
        [--copy-all-requested-extensions
          | --copy-extensions-by-oid=[OBJECT_ID,...]
          --copy-known-extensions=[KNOWN_EXTENSIONS,...]]
        [GCLOUD_WIDE_FLAG ...]

DESCRIPTION
    Create a certificate template that enforces policy restrictions on
    certificate requestors. Using a certificate template, you can define
    restrictions on the kinds of Subjects/SANs and x509 extensions allowed from
    certificate requestors as well as a default set of x509 extensions that
    should be applied to all certificates using that template. These templates
    can be binded to IAM identities such that certain groups of requestors must
    use particular templates, allowing for fine-grained policy enforcements
    based on identity.

    For more information and examples, see
    https://cloud.google.com/certificate-authority-service/docs/creating-certificate-template.

EXAMPLES
    To create a template that prohibits any x509 extension from a requester,
    but permits custom subjects/SANs and defines the default x509 extensions,
    run:

        $ gcloud privateca templates create restricted-template \
            --location=us-west1 --copy-subject --copy-sans \
            --predefined-values-file=x509_parameters.yaml

    To create a template that allows requesters to specify only DNS names from
    requesters, use a custom CEL expression with a SAN only restriction:

        $ gcloud privateca templates create dns-only-template \
            --location=us-west1 \
            --description="Restricts certificates to DNS SANs." \
            --no-copy-subject --copy-sans \
            --identity-cel-expression="subject_alt_names.all(san, san.type \
        == DNS)"

    To create a template that permits a requestor to specify extensions by
    OIDs, and subjects (but not SANs), with default x509 exensions:

        $ gcloud privateca templates create mtls-only-extensions \
            --location=us-west1 --copy-subject --no-copy-sans \
            --predefined-values-file=mtls_cert_exts.yaml \
            --copy-extensions-by-oid=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.1

POSITIONAL ARGUMENTS
     CERTIFICATE TEMPLATE resource - The template to create. The arguments in
     this group can be used to specify the attributes of this resource. (NOTE)
     Some attributes are not given arguments in this group but can be set in
     other ways.

     To set the project attribute:
      ◆ provide the argument CERTIFICATE_TEMPLATE on the command line with a
        fully specified name;
      ◆ provide the argument --project on the command line;
      ◆ set the property core/project.

     This must be specified.

       CERTIFICATE_TEMPLATE
          ID of the CERTIFICATE_TEMPLATE or fully qualified identifier for the
          CERTIFICATE_TEMPLATE.

          To set the certificate template attribute:
          ▸ provide the argument CERTIFICATE_TEMPLATE on the command line.

          This positional argument must be specified if any of the other
          arguments in this group are specified.

       --location=LOCATION
          The location of the CERTIFICATE_TEMPLATE.

          To set the location attribute:
          ▸ provide the argument CERTIFICATE_TEMPLATE on the command line
            with a fully specified name;
          ▸ provide the argument --location on the command line;
          ▸ set the property privateca/location.

REQUIRED FLAGS
     --copy-sans
        If this is specified, the Subject Alternative Name extension from the
        certificate request will be copied into the signed certificate. Specify
        --no-copy-sans to drop any caller-specified SANs in the certificate
        request.

     --copy-subject
        If this is specified, the Subject from the certificate request will be
        copied into the signed certificate. Specify --no-copy-subject to drop
        any caller-specified subjects from the certificate request.

OPTIONAL FLAGS
     --description=DESCRIPTION
        A text description for the Certificate Template.

     --identity-cel-expression=IDENTITY_CEL_EXPRESSION
        A CEL expression that will be evaluated against the identity in the
        certificate before it is issued, and returns a boolean signifying
        whether the request should be allowed.

     --labels=[KEY=VALUE,...]
        List of label KEY=VALUE pairs to add.

        Keys must start with a lowercase character and contain only hyphens
        (-), underscores (_), lowercase characters, and numbers. Values must
        contain only hyphens (-), underscores (_), lowercase characters, and
        numbers.

     --maximum-lifetime=MAXIMUM_LIFETIME
        If this is set, then issued certificate's lifetime will be truncated to
        the value provided. If the issuing CaPool's IssuancePolicy specifies a
        maximum lifetime the minimum of the two durations will be the maximum
        lifetime for the issued certificate. Note that if the issuing
        CertificateAuthority expires before a Certificate's requested
        maximum_lifetime, the effective lifetime will be explicitly truncated
        to match it.

     --predefined-values-file=PREDEFINED_VALUES_FILE
        A YAML file describing any predefined X.509 values set by this
        template. The provided extensions will be copied over to any
        certificate requests that use this template, taking precedent over any
        allowed extensions in the certificate request. The format of this file
        should be a YAML representation of the X509Parameters message, which is
        defined here:
        https://cloud.google.com/certificate-authority-service/docs/reference/rest/v1/X509Parameters.
        Some examples can be found here:
        https://cloud.google.com/certificate-authority-service/docs/creating-certificate-template

     Constraints on requested X.509 extensions. If unspecified, all extensions
     from certificate request will be ignored when signing the certificate.

     At most one of these can be specified:

       --copy-all-requested-extensions
          If this is set, all extensions specified in the certificate request
          will be copied into the signed certificate.

       Or at least one of these can be specified:

         Specify exact x509 extensions to copy by OID or known extension.

         --copy-extensions-by-oid=[OBJECT_ID,...]
            If this is set, then extensions with the given OIDs will be copied
            from the certificate request into the signed certificate.

         --copy-known-extensions=[KNOWN_EXTENSIONS,...]
            If this is set, then the given extensions will be copied from the
            certificate request into the signed certificate. KNOWN_EXTENSIONS
            must be one of: base-key-usage, extended-key-usage, ca-options,
            policy-ids, aia-ocsp-servers.

GCLOUD WIDE FLAGS
    These flags are available to all commands: --access-token-file, --account,
    --billing-project, --configuration, --flags-file, --flatten, --format,
    --help, --impersonate-service-account, --log-http, --project, --quiet,
    --trace-token, --user-output-enabled, --verbosity.

    Run $ gcloud help for details.
