File: //snap/google-cloud-cli/396/help/man/man1/gcloud_privateca_templates_create.1
.TH "GCLOUD_PRIVATECA_TEMPLATES_CREATE" 1
.SH "NAME"
.HP
gcloud privateca templates create \- create a new certificate template
.SH "SYNOPSIS"
.HP
\f5gcloud privateca templates create\fR (\fICERTIFICATE_TEMPLATE\fR\ :\ \fB\-\-location\fR=\fILOCATION\fR) \fB\-\-copy\-sans\fR \fB\-\-copy\-subject\fR [\fB\-\-description\fR=\fIDESCRIPTION\fR] [\fB\-\-identity\-cel\-expression\fR=\fIIDENTITY_CEL_EXPRESSION\fR] [\fB\-\-labels\fR=[\fIKEY\fR=\fIVALUE\fR,...]] [\fB\-\-maximum\-lifetime\fR=\fIMAXIMUM_LIFETIME\fR] [\fB\-\-predefined\-values\-file\fR=\fIPREDEFINED_VALUES_FILE\fR] [\fB\-\-copy\-all\-requested\-extensions\fR\ |\ \fB\-\-copy\-extensions\-by\-oid\fR=[\fIOBJECT_ID\fR,...]\ \fB\-\-copy\-known\-extensions\fR=[\fIKNOWN_EXTENSIONS\fR,...]] [\fIGCLOUD_WIDE_FLAG\ ...\fR]
.SH "DESCRIPTION"
Create a certificate template that enforces policy restrictions on certificate
requesters. Using a certificate template, you can restrict the kinds of
Subjects/SANs and x509 extensions accepted from certificate requesters, and
define a default set of x509 extensions that is applied to every certificate
issued with that template. Templates can be bound to IAM identities so that
particular groups of requesters must use particular templates, allowing
fine\-grained policy enforcement based on identity.
For more information and examples, see
https://cloud.google.com/certificate\-authority\-service/docs/creating\-certificate\-template.
.SH "EXAMPLES"
To create a template that prohibits any x509 extension from a requester, but
permits custom subjects/SANs and defines the default x509 extensions, run:
.RS 2m
$ gcloud privateca templates create restricted\-template \e
\-\-location=us\-west1 \-\-copy\-subject \-\-copy\-sans \e
\-\-predefined\-values\-file=x509_parameters.yaml
.RE
To create a template that accepts only DNS names as SANs from requesters, and
drops any requested subject, use a custom CEL expression that restricts the SAN
type:
.RS 2m
$ gcloud privateca templates create dns\-only\-template \e
\-\-location=us\-west1 \e
\-\-description="Restricts certificates to DNS SANs." \e
\-\-no\-copy\-subject \-\-copy\-sans \e
\-\-identity\-cel\-expression="subject_alt_names.all(san, san.type \e
== DNS)"
.RE
To create a template that permits a requester to specify extensions by OID, and
subjects (but not SANs), with default x509 extensions:
.RS 2m
$ gcloud privateca templates create mtls\-only\-extensions \e
\-\-location=us\-west1 \-\-copy\-subject \-\-no\-copy\-sans \e
\-\-predefined\-values\-file=mtls_cert_exts.yaml \e
\-\-copy\-extensions\-by\-oid=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.1
.RE
Note that 1.3.6.1.5.5.7.3.1 (id\-kp\-serverAuth) and 1.3.6.1.5.5.7.3.2
(id\-kp\-clientAuth) are key purpose OIDs carried inside the Extended Key Usage
extension (2.5.29.37), not extension OIDs of their own. To copy a requester's
Extended Key Usage extension itself, use
\-\-copy\-known\-extensions=extended\-key\-usage; \-\-copy\-extensions\-by\-oid
takes the OIDs of the extensions to be copied.
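The following is an added example and is not part of gcloud or of the
Certificate Authority Service: a small Python model of how the
\-\-copy\-subject, \-\-copy\-sans and \-\-identity\-cel\-expression settings
used in the examples above decide which identity a signed certificate carries.
The requests are constructed, the CEL expression
subject_alt_names.all(san, san.type == DNS) is stood in for by an equivalent
Python predicate, and the model assumes the expression is evaluated against the
resolved identity, i.e. after the copy flags have been applied.

```python
# Added example (not gcloud or CA Service code): a simplified model of how a
# template's copy-subject / copy-sans flags and identity CEL expression decide
# which identity a signed certificate carries.
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# SAN types as the template's CEL expression compares them (san.type == DNS).
DNS, IP_ADDRESS, EMAIL, URI = "DNS", "IP_ADDRESS", "EMAIL", "URI"


@dataclass(frozen=True)
class SAN:
    type: str
    value: str


@dataclass
class Request:
    """What a requester asks for (constructed sample data below)."""
    subject: Dict[str, str]
    subject_alt_names: List[SAN]


@dataclass
class Template:
    copy_subject: bool          # --copy-subject / --no-copy-subject
    copy_sans: bool             # --copy-sans / --no-copy-sans
    # Python stand-in for --identity-cel-expression; None means unrestricted.
    identity_ok: Optional[Callable[[Dict[str, str], List[SAN]], bool]] = None


def dns_only(subject: Dict[str, str], sans: List[SAN]) -> bool:
    """Equivalent of the CEL expression
    subject_alt_names.all(san, san.type == DNS).
    Like CEL's all(), this is vacuously true for an empty SAN list."""
    return all(san.type == DNS for san in sans)


def issue(template: Template, req: Request) -> Dict[str, object]:
    """Return the identity the signed certificate would carry, or raise
    PermissionError when the template's identity expression rejects it.

    Assumption of this model: the expression is evaluated against the
    resolved identity, i.e. after the copy flags have been applied.
    """
    subject = dict(req.subject) if template.copy_subject else {}
    sans = list(req.subject_alt_names) if template.copy_sans else []
    if template.identity_ok is not None and not template.identity_ok(subject, sans):
        raise PermissionError("request rejected by the template's identity expression")
    return {"subject": subject, "subject_alt_names": sans}


# Templates mirroring the first two gcloud examples above.
RESTRICTED_TEMPLATE = Template(copy_subject=True, copy_sans=True)
DNS_ONLY_TEMPLATE = Template(copy_subject=False, copy_sans=True, identity_ok=dns_only)
# A tempting but weaker variant: same expression, but SANs are never copied.
NO_SANS_TEMPLATE = Template(copy_subject=True, copy_sans=False, identity_ok=dns_only)

# Constructed requests.
WEB_REQUEST = Request(
    subject={"CN": "web.example.com", "O": "Example Org"},
    subject_alt_names=[SAN(DNS, "web.example.com"), SAN(DNS, "www.example.com")],
)
IP_REQUEST = Request(
    subject={"CN": "lb.example.com"},
    subject_alt_names=[SAN(DNS, "lb.example.com"), SAN(IP_ADDRESS, "203.0.113.10")],
)


def outcome(template: Template, req: Request) -> str:
    """Summarise what a requester would get back."""
    try:
        identity = issue(template, req)
    except PermissionError:
        return "rejected"
    sans = ",".join(f"{s.type}:{s.value}" for s in identity["subject_alt_names"]) or "-"
    subject = identity["subject"].get("CN", "-")
    return f"issued subject={subject} sans={sans}"


def demo() -> Dict[str, str]:
    return {
        "restricted/web": outcome(RESTRICTED_TEMPLATE, WEB_REQUEST),
        "dns-only/web": outcome(DNS_ONLY_TEMPLATE, WEB_REQUEST),
        "dns-only/ip": outcome(DNS_ONLY_TEMPLATE, IP_REQUEST),
        # The SAN list is empty after --no-copy-sans, so all() is true and the
        # IP request is issued (without SANs) instead of being rejected.
        "no-sans/ip": outcome(NO_SANS_TEMPLATE, IP_REQUEST),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:16} {result}")
```

The last case is the one to keep in mind when combining \-\-no\-copy\-sans with
a SAN\-only CEL expression: once the SANs are dropped the expression has nothing
to reject, so a request carrying an IP SAN is issued without SANs rather than
refused. If the intent is to refuse such requests, keep \-\-copy\-sans so the
expression actually sees the requested names.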
.SH "POSITIONAL ARGUMENTS"
.RS 2m
.TP 2m
CERTIFICATE TEMPLATE resource \- The template to create. The arguments in this
group can be used to specify the attributes of this resource. (NOTE) Some
attributes are not given arguments in this group but can be set in other ways.
To set the \f5project\fR attribute:
.RS 2m
.IP "\(em" 2m
provide the argument \f5CERTIFICATE_TEMPLATE\fR on the command line with a fully
specified name;
.IP "\(em" 2m
provide the argument \f5\-\-project\fR on the command line;
.IP "\(em" 2m
set the property \f5core/project\fR.
.RE
.sp
This must be specified.
.RS 2m
.TP 2m
\fICERTIFICATE_TEMPLATE\fR
ID of the CERTIFICATE_TEMPLATE or fully qualified identifier for the
CERTIFICATE_TEMPLATE.
To set the \f5certificate template\fR attribute:
.RS 2m
.IP "\(bu" 2m
provide the argument \f5CERTIFICATE_TEMPLATE\fR on the command line.
.RE
.sp
This positional argument must be specified if any of the other arguments in this
group are specified.
.TP 2m
\fB\-\-location\fR=\fILOCATION\fR
The location of the CERTIFICATE_TEMPLATE.
To set the \f5location\fR attribute:
.RS 2m
.IP "\(bu" 2m
provide the argument \f5CERTIFICATE_TEMPLATE\fR on the command line with a fully
specified name;
.IP "\(bu" 2m
provide the argument \f5\-\-location\fR on the command line;
.IP "\(bu" 2m
set the property \f5privateca/location\fR.
.RE
.sp
.RE
.RE
.sp
.SH "REQUIRED FLAGS"
.RS 2m
.TP 2m
\fB\-\-copy\-sans\fR
If this is specified, the Subject Alternative Name extension from the
certificate request will be copied into the signed certificate. Specify
\-\-no\-copy\-sans to drop any caller\-specified SANs in the certificate
request.
.TP 2m
\fB\-\-copy\-subject\fR
If this is specified, the Subject from the certificate request will be copied
into the signed certificate. Specify \-\-no\-copy\-subject to drop any
caller\-specified subjects from the certificate request.
.RE
.sp
.SH "OPTIONAL FLAGS"
.RS 2m
.TP 2m
\fB\-\-description\fR=\fIDESCRIPTION\fR
A text description for the Certificate Template.
.TP 2m
\fB\-\-identity\-cel\-expression\fR=\fIIDENTITY_CEL_EXPRESSION\fR
A CEL expression evaluated against the identity (Subject and Subject Alternative
Names) that the certificate would carry, before it is issued. It must return a
boolean indicating whether the request is allowed.
.TP 2m
\fB\-\-labels\fR=[\fIKEY\fR=\fIVALUE\fR,...]
List of label KEY=VALUE pairs to add.
Keys must start with a lowercase character and contain only hyphens (\f5\-\fR),
underscores (\f5_\fR), lowercase characters, and numbers. Values must contain
only hyphens (\f5\-\fR), underscores (\f5_\fR), lowercase characters, and
numbers.
.TP 2m
\fB\-\-maximum\-lifetime\fR=\fIMAXIMUM_LIFETIME\fR
If this is set, the issued certificate's lifetime will be truncated to the value
provided. If the issuing CaPool's IssuancePolicy also specifies a maximum
lifetime, the shorter of the two durations becomes the maximum lifetime for the
issued certificate. If the issuing CertificateAuthority expires before a
Certificate's requested maximum_lifetime, the effective lifetime is truncated to
match the CA's expiry.
.TP 2m
\fB\-\-predefined\-values\-file\fR=\fIPREDEFINED_VALUES_FILE\fR
A YAML file describing any predefined X.509 values set by this template. The
extensions it defines are added to every certificate issued with this template
and take precedence over any extensions copied from the certificate request.
The file must be a YAML representation of the X509Parameters message, which is
defined here:
https://cloud.google.com/certificate\-authority\-service/docs/reference/rest/v1/X509Parameters.
Some examples can be found here:
https://cloud.google.com/certificate\-authority\-service/docs/creating\-certificate\-template
.TP 2m
Constraints on requested X.509 extensions. If none of these is specified, all
extensions from the certificate request will be ignored when signing the
certificate.
At most one of these can be specified:
.RS 2m
.TP 2m
\fB\-\-copy\-all\-requested\-extensions\fR
If this is set, all extensions specified in the certificate request will be
copied into the signed certificate.
.TP 2m
Specify exact x509 extensions to copy by OID or known extension.
.RS 2m
.TP 2m
\fB\-\-copy\-extensions\-by\-oid\fR=[\fIOBJECT_ID\fR,...]
If this is set, then extensions with the given OIDs will be copied from the
certificate request into the signed certificate.
.TP 2m
\fB\-\-copy\-known\-extensions\fR=[\fIKNOWN_EXTENSIONS\fR,...]
If this is set, then the given extensions will be copied from the certificate
request into the signed certificate. \fIKNOWN_EXTENSIONS\fR must be one of:
\fBbase\-key\-usage\fR, \fBextended\-key\-usage\fR, \fBca\-options\fR,
\fBpolicy\-ids\fR, \fBaia\-ocsp\-servers\fR.
.RE
.RE
.RE
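The following added example (not gcloud or Certificate Authority Service code)
models how the extension\-copy flags above, the predefined values from
\-\-predefined\-values\-file and \-\-maximum\-lifetime combine into what a
certificate finally carries. The predefined values are a constructed
X509Parameters document written with the camelCase field names the YAML uses;
the private OID 1.3.6.1.4.1.99999.1 and the OCSP URL are hypothetical, and the
mapping from X509Parameters fields to extension OIDs is this model's own. In
this model an OID given to \-\-copy\-extensions\-by\-oid must be the OID of the
extension itself.

```python
# Added example (not gcloud or CA Service code): a simplified model of how the
# extension-copy flags, --predefined-values-file and --maximum-lifetime combine.
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, Optional

# Extension OIDs behind --copy-known-extensions (standard X.509 values).
KNOWN_EXTENSIONS = {
    "base-key-usage": "2.5.29.15",            # Key Usage
    "extended-key-usage": "2.5.29.37",        # Extended Key Usage
    "ca-options": "2.5.29.19",                # Basic Constraints
    "policy-ids": "2.5.29.32",                # Certificate Policies
    "aia-ocsp-servers": "1.3.6.1.5.5.7.1.1",  # Authority Information Access
}

# Constructed contents of a predefined-values file, written as the camelCase
# X509Parameters fields the YAML would use. The OCSP URL is hypothetical.
PREDEFINED = {
    "keyUsage": {
        "baseKeyUsage": {"digitalSignature": True, "keyEncipherment": True},
        "extendedKeyUsage": {"serverAuth": True, "clientAuth": True},
    },
    "caOptions": {"isCa": False},
    "aiaOcspServers": ["http://ocsp.example.com"],
}


def predefined_extensions(params: dict) -> Dict[str, object]:
    """Map X509Parameters fields onto the extension OIDs they populate
    (this model's own mapping)."""
    exts: Dict[str, object] = {}
    key_usage = params.get("keyUsage", {})
    if "baseKeyUsage" in key_usage:
        exts["2.5.29.15"] = {k for k, v in key_usage["baseKeyUsage"].items() if v}
    if "extendedKeyUsage" in key_usage:
        exts["2.5.29.37"] = {k for k, v in key_usage["extendedKeyUsage"].items() if v}
    if "caOptions" in params:
        exts["2.5.29.19"] = dict(params["caOptions"])
    if "policyIds" in params:
        exts["2.5.29.32"] = [".".join(map(str, p["objectIdPath"])) for p in params["policyIds"]]
    if "aiaOcspServers" in params:
        exts["1.3.6.1.5.5.7.1.1"] = list(params["aiaOcspServers"])
    for ext in params.get("additionalExtensions", []):
        exts[".".join(map(str, ext["objectId"]["objectIdPath"]))] = ext["value"]
    return exts


def requested_extensions_allowed(requested: Dict[str, object], copy_all: bool = False,
                                 by_oid: Iterable[str] = (), known: Iterable[str] = ()) -> Dict[str, object]:
    """Apply the extension constraints. With no flag set nothing from the
    request survives, which is the documented default."""
    if copy_all:
        return dict(requested)
    allowed = set(by_oid) | {KNOWN_EXTENSIONS[name] for name in known}
    return {oid: value for oid, value in requested.items() if oid in allowed}


def resolve_extensions(requested: Dict[str, object], predefined: dict, **constraints) -> Dict[str, object]:
    """Predefined values win over any extension copied from the request."""
    result = requested_extensions_allowed(requested, **constraints)
    result.update(predefined_extensions(predefined))
    return result


def effective_lifetime(requested: timedelta, template_max: Optional[timedelta],
                       pool_max: Optional[timedelta], ca_not_after: datetime,
                       now: datetime) -> timedelta:
    """Shortest of: requested lifetime, template --maximum-lifetime, the CA
    pool's maximum lifetime, and the time left before the issuing CA expires."""
    caps = [requested, ca_not_after - now]
    caps += [cap for cap in (template_max, pool_max) if cap is not None]
    return min(caps)


# Constructed CSR extensions keyed by OID; the private OID is hypothetical.
REQUESTED = {
    "2.5.29.37": {"clientAuth", "codeSigning"},   # asks for an extra key purpose
    "2.5.29.19": {"isCa": True},                  # tries to obtain a CA certificate
    "1.3.6.1.4.1.99999.1": b"custom-payload",
}
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed clock


def demo() -> dict:
    return {
        # No copy flag: request extensions dropped, only predefined values remain.
        "default": resolve_extensions(REQUESTED, PREDEFINED),
        # --copy-all-requested-extensions: isCa:true and codeSigning are still
        # overridden by the predefined caOptions and extendedKeyUsage.
        "copy_all": resolve_extensions(REQUESTED, PREDEFINED, copy_all=True),
        # --copy-known-extensions=extended-key-usage plus one private OID.
        "known_and_oid": resolve_extensions(
            REQUESTED, PREDEFINED, by_oid=["1.3.6.1.4.1.99999.1"], known=["extended-key-usage"]),
        "lifetime_days": effective_lifetime(timedelta(days=365), timedelta(days=90),
                                            timedelta(days=30), NOW + timedelta(days=400), NOW).days,
        "lifetime_days_ca_expiring": effective_lifetime(timedelta(days=365), timedelta(days=90),
                                                        None, NOW + timedelta(days=10), NOW).days,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

In this model the predefined caOptions.isCa: false overrides a requested
isCa: true even under \-\-copy\-all\-requested\-extensions, which is the
precedence the \-\-predefined\-values\-file description states; a copy\-all
template whose predefined file leaves caOptions unset would, in the same model,
pass the requested value through, so pin the values you care about rather than
relying on the copy flags alone.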
.sp
.SH "GCLOUD WIDE FLAGS"
These flags are available to all commands: \-\-access\-token\-file, \-\-account,
\-\-billing\-project, \-\-configuration, \-\-flags\-file, \-\-flatten,
\-\-format, \-\-help, \-\-impersonate\-service\-account, \-\-log\-http,
\-\-project, \-\-quiet, \-\-trace\-token, \-\-user\-output\-enabled,
\-\-verbosity.
Run \fB$ gcloud help\fR for details.