.SrSSKJr SSKJr SSKJr SSKJr SSKJr SSK Jr SSK J r SSK J r SS K J r SS KJr SS KJr \R$"\R&R(5"S S \R*55rg)"Create a new certificate template.)absolute_import)division)unicode_literals)base) request_utils)flags) operations) resource_args) labels_util)logc8\rSrSrSrSSS.r\S5rSrSr g ) Createra Create a certificate template that enforces policy restrictions on certificate requestors. Using a certificate template, you can define restrictions on the kinds of Subjects/SANs and x509 extensions allowed from certificate requestors as well as a default set of x509 extensions that should be applied to all certificates using that template. These templates can be binded to IAM identities such that certain groups of requestors must use particular templates, allowing for fine-grained policy enforcements based on identity. For more information and examples, see https://cloud.google.com/certificate-authority-service/docs/creating-certificate-template. a To create a template that prohibits any x509 extension from a requester, but permits custom subjects/SANs and defines the default x509 extensions, run: $ {command} restricted-template --location=us-west1 --copy-subject --copy-sans --predefined-values-file=x509_parameters.yaml To create a template that allows requesters to specify only DNS names from requesters, use a custom CEL expression with a SAN only restriction: $ {command} dns-only-template --location=us-west1 --description="Restricts certificates to DNS SANs." --no-copy-subject --copy-sans --identity-cel-expression="subject_alt_names.all(san, san.type == DNS)" To create a template that permits a requestor to specify extensions by OIDs, and subjects (but not SANs), with default x509 exensions: $ {command} mtls-only-extensions --location=us-west1 --copy-subject --no-copy-sans --predefined-values-file=mtls_cert_exts.yaml --copy-extensions-by-oid=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.1 ) DESCRIPTIONEXAMPLEScV[R"US5 [R"SSS9R U5 [ R "U5 [ R"U5 [ R"U5 [ R"U5 [R"U5 g)Nz to createz --descriptionz0A text description for the Certificate Template.)help) r +AddCertificateTemplatePositionalResourceArgrArgument AddToParserr AddPredefinedValuesFileFlagAddIdentityConstraintsFlagsAddExtensionConstraintsFlagsAddMaximumLifetimeFlagr AddCreateLabelsFlags)parsers )lib/surface/privateca/templates/create.pyArgs Create.ArgsEs}==f>IKMM ?AAL B %%f- %%f- &&v.   ($$V,c [R"S5n[R"S5nURRR 5n[ R"U5 UR[ R"U5[ R"U5[ R"U5URS5(a UROS[ R"U5S9nURR!UR#UR%5R'5UR)5U[*R,"5S95n[.R0"USSS9n[.R2"XsR5n[4R6R9SR;UR<55 g)Nv1 description)predefinedValuesidentityConstraintspassthroughExtensionsr$maximumLifetime)parentcertificateTemplateIdcertificateTemplate requestIdzCreating Certificate Template.) api_versionz"Created Certificate Template [{}].)privateca_baseGetClientInstanceGetMessagesModuleCONCEPTScertificate_templateParser ValidateIdentityConstraintsCertificateTemplateParsePredefinedValuesParseIdentityConstraintsParseExtensionConstraints IsSpecifiedr$ParseMaximumLifetime'projects_locations_certificateTemplatesr;PrivatecaProjectsLocationsCertificateTemplatesCreateRequestParent RelativeNameNamerGenerateRequestIdr AwaitGetMessageFromResponser statusPrintformatname) selfargsclientmessagescert_template_refnew_cert_template operationcert_template_response cert_templates rRun Create.RunSsr  - -d 3F//5H ::@@B %%d+ 4444T:!::4@#==dC   M * *$$ 22485>>EELL$++-::<"3"8"8": 1#557 M 9:I(--3G55 < <>MJJ9@@r!N) __name__ __module__ __qualname____firstlineno____doc__ detailed_help staticmethodrrP__static_attributes__rRr!rrrs0+   -D - -r!rN)rW __future__rrr googlecloudsdk.api_lib.privatecarr.rgooglecloudsdk.calliope$googlecloudsdk.command_lib.privatecar r r $googlecloudsdk.command_lib.util.argsr googlecloudsdk.corer ReleaseTracks ReleaseTrackGA CreateCommandrrRr!rresf)&'C:(6;><#D%%(()RT  R*Rr!