8SrSSKJr SSKJr SSKJr SSKJr SSKJr SSKJ r SSKJ r SSK Jr SS K J r SS KJr SS KJr SS KJr SS KJr SSKJr SSKJr SSKJr SSKJr SSKJr SSKJr SSKrSrSr Sr!\RD"\RFRH5\RJ"SS\RL555r'g)zCreate a certificate.)absolute_import)division)unicode_literals)cryptokeyversions)base)certificate_utils) request_utils) exceptions)deps)flags)key_generation) pem_utils) resource_args) labels_util)concept_parsers)presentation_specs)log)filesNa7The path where the generated private key file should be written (in PEM format). Note: possession of this key file could allow anybody to act as this certificate's subject. Please make sure that you store this key file in a secure location at all times, and ensure that only authorized users have access to it.c[R"U5$![R[[4a& [ R "SRU55ef=f)Nz&Could not read provided CSR file '{}'.)rReadFileContentsErrorOSErrorIOErrorr BadFileExceptionformat)csr_files ,lib/surface/privateca/certificates/create.py_ReadCsrr.sS  ! !( ++ ++w (  % %077A s AAcU/U-n[R"U[R"U55 g![R[ [ 4a& [R"SRU55ef=f)Nz$Could not write certificate to '{}'.) rWriteFileContentsrPemChainForOutputrrrr rr)pem_cert issuing_chain cert_file pem_chains r_WritePemChainr&7si ]*I Iy'B'B9'MN ++w (  % %.55i@ s 14AA9c`\rSrSrSr\S5r\S5rSr \S5r Sr Sr S r S rg ) CreateAaBCreate a new certificate. ## EXAMPLES To create a certificate using a CSR: $ {command} frontend-server-tls \ --issuer-pool=my-pool --issuer-location=us-west1 \ --csr=./csr.pem \ --cert-output-file=./cert.pem \ --validity=P30D To create a certificate using a client-generated key: $ {command} frontend-server-tls \ --issuer-pool=my-pool --issuer-location=us-west1 \ --generate-key \ --key-output-file=./key \ --cert-output-file=./cert.pem \ --dns-san=www.example.com \ --use-preset-profile=leaf_server_tls c URSSSS9n[R"SSSS9RU5 [R"SS S SSS 9RU5 [R "US S S5 [ R"U5 URSSSS9nURSS9n[R"SSSS9RU5 [R"SSSS S9RU5 URSS9nURSSSS9nURSS9n[R"SSSSSSS9RU5 [R"S[SS9RU5 [R"SS SS9RU5 URS!SS9n[R"U5 URSS"S#9n[R"USS$S%9 [R"U5 [R"U5 S&n [R"[R "U ["R$"U [&R)5/5S'SS(9[R "S)["R*"S*5S+SSS,9[R "S-["R,"5S.US/9/S0S1/0S29RU5 UR.R1S35 g)4NTz Certificate persistence options.)mutexrequiredhelpz--cert-output-fileznThe path where the resulting PEM-encoded certificate chain file should be written (ordered from leaf to root).F)r-r,z--validate-onlyzIf this flag is set, the certificate resource will not be persisted and the returned certificate will not contain the pem_certificate field. store_true)r-actiondefaultr, certificateP30Dz30 dayszCertificate generation method.z4To issue a certificate from a CSR use the following:)r---csrz4A PEM-encoded certificate signing request file path.z--rdn-sequence-subjectzyIf this value is set then the issued certificate will use the subject found in the CSR preserving the exact RDN sequence.)r-hiddenr/z?Alternatively, you may describe the certificate and key to use.z]To describe the key that will be used for this certificate, use one of the following options.z.To generate a new key pair, use the following:--generate-keyzTUse this flag to have a new RSA-2048 private key securely generated on your machine. store_const)r-r/constr0r,z--key-output-filez--cazThe name of an existing certificate authority to use for issuing the certificate. If omitted, a certificate authority will be will be chosen from the CA pool by the service on your behalf.z&The subject names for the certificate.z1The x509 configuration used for this certificate.)r+r-r) is_ca_commanddefault_max_chain_length CERTIFICATEa5The name of the certificate to issue. If the certificate ID is omitted, a random identifier will be generated according to the following format: {YYYYMMDD}-{3 random alphanumeric characters}-{3 random alphanumeric characters}. The certificate ID is not required when the issuing CA pool is in the DevOps tier.)r, --templatecertificate_templateaEThe name of a certificate template to use for issuing this certificate, if desired. A template may overwrite parts of the certificate request, and the use of certificate templates may be required and/or regulated by the issuing CA Pool's CA Manager. The specified template must be in the same location as the issuing CA Pool.)r,prefixes--kms-key-versionz5An existing KMS key version backing this certificate.)groupz--template.locationzCERTIFICATE.issuer-location)command_level_fallthroughszyaml(certificateDescription)) add_grouprArgument AddToParserr AddValidityFlagrAddCreateLabelsFlags_KEY_OUTPUT_HELPAddSubjectFlagsAddInlineX509ParametersFlagsAddUsePresetProfilesFlagAddSubjectKeyIdFlagr ConceptParserrResourcePresentationSpecrCreateCertResourceSpecr(!_GenerateCertificateIdFallthrough%CreateCertificateTemplateResourceSpecCreateKmsKeyVersionResourceSpec display_info AddFormat) parserpersistence_groupcert_generation_group csr_group non_csr_group key_groupkey_generation_group subject_groupx509_parameters_groupcert_args rArgs Create.Args[s?((T(J) MM > k#$MM & k#$ &-C$$V,",,T(H-&// C0I MMLk)MM  Jk))33 N4M'' , (I%.. =/ MM * k&'MM"2Tk&'MM Ik&!++ 5,M -()33L4 &&UQ ""#89 f%H!!  7 744vGGIJ#    7 7CC**    7 7#==?G  9" H "$A#B$ I'Nk& !!"@AcL^STlU4Sjn[R"USSSS9$)NFc<>STl[R"5$)NT)id_fallthrough_was_usedrGenerateCertId)clssr FallthroughFn?Create._GenerateCertificateIdFallthrough..FallthroughFns$(c!  - - //r_zOPr_c8/nUR(dURS5 URS5(aURS5 U(aHSRU5n[ U5S:XaSOSn[ R "SRX4S95 g g ) zNPrints warnings if certain command-line args are used for an unpersisted cert.zcertificate IDlabelsz, waswerez{names} {verb} specified but will not be used since the issuing CA pool is in the DevOps tier, which does not expose certificate lifecycle.)namesverbN)rbappendrqjoinlenrwarningr)rdru unused_argsr}r~s r _PrintWarningsForUnpersistedCert'Create._PrintWarningsForUnpersistedCertsK  & &)* !!"ii $e+&!+Ud kk ##)66#Ar_cURRR5nUR(a;[R "S5up4[R "URU5 U$U(aV[R"U5n[R(a[UR5$[URS5$[R"/SQS5e)z]Fetches the public key associated with a non-CSR certificate request, as UTF-8 encoded bytes.izutf-8)r3r5r>zTo create a certificate, please specify either a CSR, the --generate-key flag to create a new key, or the --kms-key-version flag to use an existing KMS key.)CONCEPTSrpParse generate_keyr RSAKeyGenExportPrivateKeykey_output_filer GetPublicKeysixPY2bytespemr rr)rtrurp private_key public_keypublic_key_responses r _GetPublicKeyCreate._GetPublicKeysmm3399;O  . 8 8 >k%%d&:&:KH  -::?KWW #'' ((,,g6  6 6 :D r_cURU5nURR5nURR5UlX4RlURRR RURl[R"U5Ul [R"USS9Ul [R"X R5UlU$)NF)r8)rmessagesCertificateConfig PublicKey publicKeykeyFormatValueValuesEnumPEMrr ParseSubjectFlags subjectConfigParseX509Parameters x509ConfigParseSubjectKeyId subjectKeyId)rtrequestrurconfigs r_GenerateCertificateConfig!Create._GenerateCertificateConfig5s##D)J ]] , , .F}}..0F%"mm55KKOOF 2248F11$eLF11$ FF Mr_cZ[R"SS9Ul[R"SS9UlUR U5 UR RR5n[R"XRRR5nURR5nURR5UlUR5Ul[ R""U5URlX4RlUR)5R+5Ul[.R0"5UlUR4UlUR9S5(aUR:UlUR R>R5nU(aPUR@UR@:wa[BRD"SS5eUR+5URl#URH(ao[KURH5URl&URN(a9URRRPRRURl*O URWXA5URl,URRZR]U5nUR4(aU$SnUR^(aUSRaUR^5- nO[\RcU5 URd(aIUSRaURf5- n[iURdURjURf5 US - n[lRnRqU5 g) Nv1) api_versioncar;zMThe certificate template must be in the same location as the issuing CA Pool.zCreated Certificatez [{}]z and saved it to [{}].)9privateca_baseGetClientInstanceclientGetMessagesModulerrvrr1rrParseCreateArgs Certificate LabelsValue:PrivatecaProjectsLocationsCaPoolsCertificatesCreateRequestName certificateIdr ParseValidityFlaglifetimeryParent RelativeNameparentr GenerateRequestId requestId validate_only validateOnlyrqrissuingCertificateAuthorityIdro locationsIdr InvalidArgumentExceptioncertificateTemplatecsrrpemCsrrdn_sequence_subjectSubjectModeValueValuesEnum RDN_SEQUENCE subjectModerr'projects_locations_caPools_certificatesr(namerrpemCertificatecert_output_filer&pemCertificateChainrstatusPrint)rtrucert_refryr template_refr1status_messages rRun Create.RunAs 22tDDK"44FDMt}}((..0H  ( ( mm''33F PPR --335G$MMOG#(#:#:4#@G !'__&335GN%779G--G .2ggg+==))//1L  ! !X%9%9 911    1=0I0I0Kg- xx#+DHH#5g " " MM % % @ @ M M '$(#B#B $g ++EELLK   *N{'7'788n --d3!!/66t7L7LMMn  $ $  ) )    cNJJ^$r_)rrN)__name__ __module__ __qualname____firstlineno____doc__ staticmethodr] classmethodrNrvrrrr__static_attributes__r_rr(r(As^.NBNB`   Q"6 E%r_r()(r __future__rrrgooglecloudsdk.api_lib.cloudkmsr googlecloudsdk.api_lib.privatecarrrr googlecloudsdk.callioper googlecloudsdk.calliope.conceptsr $googlecloudsdk.command_lib.privatecar r rr$googlecloudsdk.command_lib.util.argsr(googlecloudsdk.command_lib.util.conceptsrrgooglecloudsdk.corergooglecloudsdk.core.utilrrrFrr& ReleaseTracks ReleaseTrackGADefaultUniverseOnly CreateCommandr(rr_rrs&'=C>:(.16?:><DG#* CD%%(()C%T  C%*C%r_