google_privateca_certificate_template

Certificate Authority Service provides reusable and parameterized templates that you can use for common certificate issuance scenarios. A certificate template represents a relatively static and well-defined certificate issuance schema within an organization. A certificate template can essentially become a full-fledged vertical certificate issuance framework.

For more information, see:

Example Usage - basic_certificate_template

An example of a basic privateca certificate template:

resource "google_privateca_certificate_template" "primary" {
  location    = "us-west1"
  name        = "template"
  description = "An updated sample certificate template"

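  identity_constraints {
    # Both passthrough flags copy the requester-supplied subject and SANs
    # into the issued certificate.
    allow_subject_alt_names_passthrough = true
    allow_subject_passthrough           = true

    # The expression "true" accepts every requested identity.
    cel_expression {
      description = "Always true"
      expression  = "true"
      location    = "any.file.anywhere"
      title       = "Sample expression"
    }
  }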

  passthrough_extensions {
    additional_extensions {
      object_id_path = [1, 6]
    }

    known_extensions = ["EXTENDED_KEY_USAGE"]
  }

  predefined_values {
    additional_extensions {
      object_id {
        object_id_path = [1, 6]
      }

      value    = "c3RyaW5nCg=="
      critical = true
    }

    aia_ocsp_servers = ["string"]

    ca_options {
      is_ca                  = false
      max_issuer_path_length = 6
    }

    key_usage {
      base_key_usage {
        cert_sign          = false
        content_commitment = true
        crl_sign           = false
        data_encipherment  = true
        decipher_only      = true
        digital_signature  = true
        encipher_only      = true
        key_agreement      = true
        key_encipherment   = true
      }

      extended_key_usage {
        client_auth      = true
        code_signing     = true
        email_protection = true
        ocsp_signing     = true
        server_auth      = true
        time_stamping    = true
      }

      unknown_extended_key_usages {
        object_id_path = [1, 6]
      }
    }

    policy_ids {
      object_id_path = [1, 6]
    }
  }

  project = "my-project-name"

  labels = {
    label-two = "value-two"
  }
}
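
A narrower template for comparison with the sample above, which passes through any subject and accepts every identity. This is an added example, not part of the provider's documentation; the resource label, template name and the example.com domain are constructed, and the CEL expression uses Certificate Authority Service's subject_alt_names variable.

```hcl
# Added example: TLS server leaf template with a restricted identity.
# "tls_server", "tls-server-leaf" and example.com are constructed values.
resource "google_privateca_certificate_template" "tls_server" {
  location    = "us-west1"
  name        = "tls-server-leaf"
  description = "Leaf TLS server certificates for example.com only"

  identity_constraints {
    # Requesters may supply SANs, but not an arbitrary subject DN.
    allow_subject_alt_names_passthrough = true
    allow_subject_passthrough           = false

    # Every requested SAN must be a DNS name under the constructed domain.
    cel_expression {
      title       = "DNS SANs under example.com"
      description = "Reject any SAN that is not a DNS name ending in .example.com"
      expression  = "subject_alt_names.all(san, san.type == DNS && san.value.endsWith('.example.com'))"
    }
  }

  # Values applied to every certificate issued with this template.
  predefined_values {
    ca_options {
      # Leaf certificates only: never a CA.
      is_ca = false
    }

    key_usage {
      base_key_usage {
        # Only what a TLS server key needs; cert_sign and crl_sign stay unset.
        digital_signature = true
        key_encipherment  = true
      }

      extended_key_usage {
        # Server authentication only: no client_auth, code_signing
        # or ocsp_signing.
        server_auth = true
      }
    }
  }

  labels = {
    purpose = "tls-server"
  }
}
```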

Argument Reference

The following arguments are supported:

The object_id block supports:


Note: This field is non-authoritative, and will only manage the labels present in your configuration. Please refer to the field effective_labels for all of the labels present on the resource.

The identity_constraints block supports:

The cel_expression block supports:

The passthrough_extensions block supports:

The additional_extensions block supports:

The predefined_values block supports:

The additional_extensions block supports:

The ca_options block supports:

The key_usage block supports:

The base_key_usage block supports:

The extended_key_usage block supports:

The unknown_extended_key_usages block supports:

The policy_ids block supports:

Attributes Reference

In addition to the arguments listed above, the following computed attributes are exported:

Timeouts

This resource provides the following Timeouts configuration options:

Import

CertificateTemplate can be imported using any of these accepted formats:

In Terraform v1.5.0 and later, use an import block to import CertificateTemplate using one of the formats above. For example:

import {
  id = "projects/{{project}}/locations/{{location}}/certificateTemplates/{{name}}"
  to = google_privateca_certificate_template.default
}

When using the terraform import command, CertificateTemplate can be imported using one of the formats above. For example:

$ terraform import google_privateca_certificate_template.default projects/{{project}}/locations/{{location}}/certificateTemplates/{{name}}
$ terraform import google_privateca_certificate_template.default {{project}}/{{location}}/{{name}}
$ terraform import google_privateca_certificate_template.default {{location}}/{{name}}