6SrSSKJr SSKJr SSKJr SSKJr SSKJr SSK Jr SSK J r SSK J r SS K Jr SS K Jr SS K Jr SS K Jr SS K Jr SSK Jr SSK Jr SSKJr SSKJr SSKJr SSKJr SSKJr SSKJr \R@\RB"\RDRF5"SS\RH555r%g)z/Create a new subordinate certificate authority.)absolute_import)division)unicode_literals)base) request_utils) exceptions)deps) create_utils)flags)iam) operations)p4sa) resource_args)storage) labels_util)concept_parsers)presentation_specs)log) console_io)filescT^\rSrSrSrU4Sjr\S5rSrSr Sr Sr S r U=r $) Create)aCreate a new subordinate certificate authority. ## EXAMPLES To create a subordinate CA named 'server-tls-1' whose issuer is on Private CA: $ {command} server-tls-1 \ --location=us-west1 --pool=my-pool \ --subject="CN=Example TLS CA, O=Google" \ --issuer-pool=other-pool --issuer-location=us-west1 \ --kms-key-version="projects/my-project-pki/locations/us-west1/keyRings/kr1/cryptoKeys/key2/cryptoKeyVersions/1" To create a subordinate CA named 'server-tls-1' whose issuer is located elsewhere: $ {command} server-tls-1 \ --location=us-west1 --pool=my-pool \ --subject="CN=Example TLS CA, O=Google" \ --create-csr \ --csr-output-file=./csr.pem \ --kms-key-version="projects/my-project-pki/locations/us-west1/keyRings/kr1/cryptoKeys/key2/cryptoKeyVersions/1" To create a subordinate CA named 'server-tls-1' chaining up to a root CA named 'prod-root' based on an existing CA: $ {command} server-tls-1 \ --location=us-west1 --pool=my-pool \ --issuer-pool=other-pool --issuer-location=us-west1 \ --from-ca=source-ca \ --kms-key-version="projects/my-project-pki/locations/us-west1/keyRings/kr1/cryptoKeys/key2/cryptoKeyVersions/1" c>[[U] "U0UD6 [R"SS9Ul[R "SS9Ulg)Nv1 api_version)superr__init__privateca_baseGetClientInstanceclientGetMessagesModulemessages)selfargskwargs __class__s ,lib/surface/privateca/subordinates/create.pyrCreate.__init__Ks; &$ $1&1 22tDDK"44FDMc`URSSS9nURSSSS9nURSSSS9nURSSSS9n[R"S S SS 9RU5 [R "[ R"S [R"S 5SSS9[ R"S[R"S5SSSSS0US9[ R"S[R"5SUS9[ R"S[R"S[R"S5[R/[R"S5/S9SSSSS .SS!9/5RU5 [R "USS"9 [R""US#S$9 [R$"U5 [R&"USS%S&9 [R("US'S(S)S*9 [*R,"U5 [R."U5 [R0"U5 URS+S,9n[R"S-S.S/SSSS09RU5 [R"S1S2SS 9RU5 [R2"U5 [R4"U5 g)3NTz^The key configuration used for the CA certificate. Defaults to a managed key if not specified.)mutexhelpFz4The X.509 configuration used for the CA certificate.)r-requiredr.z6The issuer configuration used for this CA certificate.z2The issuing resource used for this CA certificate.z --issuer-cazThe Certificate Authority ID of the CA to issue the subordinate CA certificate from. This ID is optional. If ommitted, any available ENABLED CA in the issuing CA pool will be chosen.)r.r/CERTIFICATE_AUTHORITYzCertificate Authorityz)The name of the subordinate CA to create.)r/z --issuer-poolIssuerz3The issuing CA Pool to use, if it is on Private CA.locationz--issuer-location)prefixesr/flag_name_overridesgroupz--kms-key-versionz$The KMS key version backing this CA.)r5z --from-caz source CAz --locationz--pool)location_fallthroughspool_id_fallthroughszAn existing CA from which to copy configuration values for the new CA. You can still override any of those values by explicitly providing the appropriate flags. The specified existing CA must be part of the same pool as the one being created.)projectr2pool)r4r3)subject_requiredzrsa-pkcs1-2048-sha256)defaultr) is_ca_commanddefault_max_chain_lengthCAP3Yz3 years) resource_name default_valuedefault_value_textzOIf the issuing CA is not hosted on Private CA, you must provide these settings:)r.z --create-csrz}Indicates that a CSR should be generated which can be signed by the issuing CA. This must be set if --issuer is not provided. store_const)r.actionconstr<r/z--csr-output-filezDThe path where the resulting PEM-encoded CSR file should be written.) add_grouprArgument AddToParserr ConceptParserrResourcePresentationSpecrCreateCertAuthorityResourceSpecCreateCaPoolResourceSpecCreateKmsKeyVersionResourceSpecr ArgFallthroughLOCATION_PROPERTY_FALLTHROUGHr AddSubjectFlagsAddKeyAlgorithmFlagAddUsePresetProfilesFlagAddInlineX509ParametersFlagsAddValidityFlagrAddCreateLabelsFlags AddBucketFlagAddSubjectKeyIdFlagAddAutoEnableFlagAddUserDefinedAccessUrlsFlags)parserkey_spec_groupx509_config_groupissuer_configuration_groupissuing_resource_groupoffline_issuer_groups r)Args Create.ArgsPs%% ,&N(( C) "(!1!1 E"2" 8AA AB  MM Nk&!!33 #  9 9'  8   33   2 28 < A/!)  33   9 9 ; 2  33   9 9'' 5!??''+&9&9(&C%D   A ! ' 5/#/^{6 &59 n6MN ""#45 && $  $$V,  f%5?? @  MM L k&'MM  k&' F# ''/r+cURRUURR[R"5S9S9nUR R RU5n[R"USSS9$)zEnable the given CA.) requestId)name!enableCertificateAuthorityRequestz Enabling CA.rr) r$DPrivatecaProjectsLocationsCaPoolsCertificateAuthoritiesEnableRequest!EnableCertificateAuthorityRequestrGenerateRequestIdr"1projects_locations_caPools_certificateAuthoritiesEnabler Await)r%ca_nameenable_request operations r)_EnableCertificateAuthority"Create._EnableCertificateAuthoritys|]]gg *.--*Y*Y#557+Z+ hN EELL     I~4 HHr+cUR(agUR5R5nURRR UR RUS95n[R"URUR 5(ag[R"SRUR5R55SS9$)z3Determines whether the CA should be enabled or not.T)parentFzThe CaPool [{}] has no enabled CAs and cannot issue any certificates until at least one CA is enabled. Would you like to also enable this CA?messager<) auto_enableParent RelativeNamer"rjListr$BPrivatecaProjectsLocationsCaPoolsCertificateAuthoritiesListRequestr HasEnabledCacertificateAuthoritiesrPromptContinueformatName)r%r&ca_ref ca_pool_name list_responses r)_ShouldEnableCaCreate._ShouldEnableCas  ==?//1LKKQQVV XX Y M   ,,dmm  $ $ ##)6&--/*>*>*@#A  r+c 8URRUURRUURRURR US9S9S9S9nUR R RU5n[R"USSS9$)zHActivates the given CA using the given certificate and issuing CA chain.)pemCertificates)pemIssuerChain)pemCaCertificatesubordinateConfig)re#activateCertificateAuthorityRequestzActivating CA.rr) r$FPrivatecaProjectsLocationsCaPoolsCertificateAuthoritiesActivateRequest#ActivateCertificateAuthorityRequestSubordinateConfigSubordinateConfigChainr"rjActivater rl)r%rmpem_cert issuer_chainactivate_requestros r)_ActivateCertificateAuthority$Create._ActivateCertificateAuthoritys}}kk ,0MM,],]%"mm==#}}CC$0 D >-^- l  EENN     I'7T JJr+c [R"USS9up#nUR5R5R5nURRR 5nU(aUR5OSnUR S5(d.UR S5(a[R"S/S5eURUR:Xa:[R"SSS9(d [RRS 5 g[ R""XW5 U(a_[ R$"U5 UR S 5(a UR&OSn[R("UR+5U5 Sn UR S 5(a1[,R."UR05n U R0Ul[4R6"U5n [4R8"XU 5 [:R<"UR>R@RCURDRGUURI5UR5R+5[JRL"5S 95S SS9 UR>R@ROURDRQUR+5S95n U RRn URT(ai[VRX"URZU 5 [RRSR]UR+5URZ55 gU(aUR S 5(a UR&OSn[R^"XLX5n URaUR+5U RbU Rd5 [RRSR]UR+555 URgX5(aURiUR+55 gg)NT)is_subordinate issuer_poolrvz --auto-enablezThe '--auto-enable' is only supported in the create command if an issuer resource is specified. You can use the '--auto-enable' command in the subordinate CA activate command.zThe new CA will be in the same CA pool as the issuer CA. All certificate authorities within a CA pool should be interchangeable. Do you want to continue?rtzAborted by user. issuer_cabucket)certificateAuthoritycertificateAuthorityIdrsrdzCreating Certificate Authority.rr)rez9Created Certificate Authority [{}] and saved CSR to '{}'.z#Created Certificate Authority [{}].)5r CreateCAFromArgsrwCONCEPTSkms_key_versionParse IsSpecifiedrInvalidArgumentExceptionrr:rr}rstatusPrintr *CheckCreateCertificateAuthorityPermissions!CheckCreateCertificatePermissionsrValidateIssuingPoolrxr%ValidateBucketForCertificateAuthorityr gcsBucketr GetOrCreateAddResourceRoleBindingsr rlr"rjrr$DPrivatecaProjectsLocationsCaPoolsCertificateAuthoritiesCreateRequestrrriFetchCPrivatecaProjectsLocationsCaPoolsCertificateAuthoritiesFetchRequestpemCsr create_csrrWriteFileContentscsr_output_filer~SignCsrrpemCertificatepemCertificateChainrrp)r%r&new_car issuer_ref project_refkey_version_ref kms_key_refr bucket_ref p4sa_email csr_responsecsrca_certificates r)Run Create.Runsb!-!>!> T"FJ --/((*113Kmm3399;O.=/((*4K   M * *t/?/? /N/N  / /  Q  499$  & &;  +,22;L ++J7%)$4$4[$A$A$..ti&&z'>'>'@)LJ !!@@Mj#**f!!+.J  *E EELL MM ^ ^%+'-{{}}}335'99; _   * ;;PPVV YY$$& Z L   C  d22C8 jj E L L!!#T%9%9   $($4$4[$A$A$..ti#++JYOn ((      ' '  , ,  jj / 6 6v7J7J7L M   d + + (()<)<)>? r+)r"r$)__name__ __module__ __qualname____firstlineno____doc__r staticmethodrarprrr__static_attributes__ __classcell__)r(s@r)rr)sB>G }0}0~ I6K(X X r+rN)&r __future__rrr googlecloudsdk.api_lib.privatecarr rgooglecloudsdk.callioper googlecloudsdk.calliope.conceptsr $googlecloudsdk.command_lib.privatecar r r r rrr$googlecloudsdk.command_lib.util.argsr(googlecloudsdk.command_lib.util.conceptsrrgooglecloudsdk.corergooglecloudsdk.core.consolergooglecloudsdk.core.utilrDefaultUniverseOnly ReleaseTracks ReleaseTrackGA CreateCommandrr+r)rs6&'C:(.1=64;5>8<DG#2*D%%((){ T  { *{ r+