1
0
Fork 0
mirror of https://github.com/imjasonh/gcloud-help synced 2026-07-08 10:35:03 +00:00
gcloud-help/gcloud/privateca/templates/create
2024-04-03 09:23:31 +00:00

165 lines
7.4 KiB
Text

NAME
gcloud privateca templates create - create a new certificate template
SYNOPSIS
gcloud privateca templates create
(CERTIFICATE_TEMPLATE : --location=LOCATION) --copy-sans --copy-subject
[--description=DESCRIPTION]
[--identity-cel-expression=IDENTITY_CEL_EXPRESSION]
[--labels=[KEY=VALUE,...]] [--maximum-lifetime=MAXIMUM_LIFETIME]
[--predefined-values-file=PREDEFINED_VALUES_FILE]
[--copy-all-requested-extensions
| --copy-extensions-by-oid=[OBJECT_ID,...]
--copy-known-extensions=[KNOWN_EXTENSIONS,...]]
[GCLOUD_WIDE_FLAG ...]
DESCRIPTION
Create a certificate template that enforces policy restrictions on
certificate requestors. Using a certificate template, you can define
restrictions on the kinds of Subjects/SANs and x509 extensions allowed from
certificate requestors as well as a default set of x509 extensions that
should be applied to all certificates using that template. These templates
can be binded to IAM identities such that certain groups of requestors must
use particular templates, allowing for fine-grained policy enforcements
based on identity.
For more information and examples, see
https://cloud.google.com/certificate-authority-service/docs/creating-certificate-template.
EXAMPLES
To create a template that prohibits any x509 extension from a requester,
but permits custom subjects/SANs and defines the default x509 extensions,
run:
$ gcloud privateca templates create restricted-template \
--location=us-west1 --copy-subject --copy-sans \
--predefined-values-file=x509_parameters.yaml
To create a template that allows requesters to specify only DNS names from
requesters, use a custom CEL expression with a SAN only restriction:
$ gcloud privateca templates create dns-only-template \
--location=us-west1 \
--description="Restricts certificates to DNS SANs." \
--no-copy-subject --copy-sans \
--identity-cel-expression="subject_alt_names.all(san, san.type \
== DNS)"
To create a template that permits a requestor to specify extensions by
OIDs, and subjects (but not SANs), with default x509 exensions:
$ gcloud privateca templates create mtls-only-extensions \
--location=us-west1 --copy-subject --no-copy-sans \
--predefined-values-file=mtls_cert_exts.yaml \
--copy-extensions-by-oid=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.1
POSITIONAL ARGUMENTS
CERTIFICATE TEMPLATE resource - The template to create. The arguments in
this group can be used to specify the attributes of this resource. (NOTE)
Some attributes are not given arguments in this group but can be set in
other ways.
To set the project attribute:
◆ provide the argument CERTIFICATE_TEMPLATE on the command line with a
fully specified name;
◆ provide the argument --project on the command line;
◆ set the property core/project.
This must be specified.
CERTIFICATE_TEMPLATE
ID of the CERTIFICATE_TEMPLATE or fully qualified identifier for the
CERTIFICATE_TEMPLATE.
To set the certificate template attribute:
▸ provide the argument CERTIFICATE_TEMPLATE on the command line.
This positional argument must be specified if any of the other
arguments in this group are specified.
--location=LOCATION
The location of the CERTIFICATE_TEMPLATE.
To set the location attribute:
▸ provide the argument CERTIFICATE_TEMPLATE on the command line
with a fully specified name;
▸ provide the argument --location on the command line;
▸ set the property privateca/location.
REQUIRED FLAGS
--copy-sans
If this is specified, the Subject Alternative Name extension from the
certificate request will be copied into the signed certificate. Specify
--no-copy-sans to drop any caller-specified SANs in the certificate
request.
--copy-subject
If this is specified, the Subject from the certificate request will be
copied into the signed certificate. Specify --no-copy-subject to drop
any caller-specified subjects from the certificate request.
OPTIONAL FLAGS
--description=DESCRIPTION
A text description for the Certificate Template.
--identity-cel-expression=IDENTITY_CEL_EXPRESSION
A CEL expression that will be evaluated against the identity in the
certificate before it is issued, and returns a boolean signifying
whether the request should be allowed.
--labels=[KEY=VALUE,...]
List of label KEY=VALUE pairs to add.
Keys must start with a lowercase character and contain only hyphens
(-), underscores (_), lowercase characters, and numbers. Values must
contain only hyphens (-), underscores (_), lowercase characters, and
numbers.
--maximum-lifetime=MAXIMUM_LIFETIME
If this is set, then issued certificate's lifetime will be truncated to
the value provided. If the issuing CaPool's IssuancePolicy specifies a
maximum lifetime the minimum of the two durations will be the maximum
lifetime for the issued certificate. Note that if the issuing
CertificateAuthority expires before a Certificate's requested
maximum_lifetime, the effective lifetime will be explicitly truncated
to match it.
--predefined-values-file=PREDEFINED_VALUES_FILE
A YAML file describing any predefined X.509 values set by this
template. The provided extensions will be copied over to any
certificate requests that use this template, taking precedent over any
allowed extensions in the certificate request. The format of this file
should be a YAML representation of the X509Parameters message, which is
defined here:
https://cloud.google.com/certificate-authority-service/docs/reference/rest/v1/X509Parameters.
Some examples can be found here:
https://cloud.google.com/certificate-authority-service/docs/creating-certificate-template
Constraints on requested X.509 extensions. If unspecified, all extensions
from certificate request will be ignored when signing the certificate.
At most one of these can be specified:
--copy-all-requested-extensions
If this is set, all extensions specified in the certificate request
will be copied into the signed certificate.
Specify exact x509 extensions to copy by OID or known extension.
--copy-extensions-by-oid=[OBJECT_ID,...]
If this is set, then extensions with the given OIDs will be copied
from the certificate request into the signed certificate.
--copy-known-extensions=[KNOWN_EXTENSIONS,...]
If this is set, then the given extensions will be copied from the
certificate request into the signed certificate. KNOWN_EXTENSIONS
must be one of: base-key-usage, extended-key-usage, ca-options,
policy-ids, aia-ocsp-servers.
GCLOUD WIDE FLAGS
These flags are available to all commands: --access-token-file, --account,
--billing-project, --configuration, --flags-file, --flatten, --format,
--help, --impersonate-service-account, --log-http, --project, --quiet,
--trace-token, --user-output-enabled, --verbosity.
Run $ gcloud help for details.