HEX
Server: Apache/2.4.65 (Ubuntu)
System: Linux ielts-store-v2 6.8.0-1036-gcp #38~22.04.1-Ubuntu SMP Thu Aug 14 01:19:18 UTC 2025 x86_64
User: root (0)
PHP: 7.2.34-54+ubuntu20.04.1+deb.sury.org+1
Disabled: pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals,
$ pwd: /snap/google-cloud-cli/current/help/man/man1/
Upload Files
File: //snap/google-cloud-cli/current/help/man/man1/gcloud_privateca_subordinates_create.1
.TH "GCLOUD_PRIVATECA_SUBORDINATES_CREATE" 1



.SH "NAME"
.HP
gcloud privateca subordinates create \- create a new subordinate certificate authority



.SH "SYNOPSIS"
.HP
\f5gcloud privateca subordinates create\fR (\fICERTIFICATE_AUTHORITY\fR\ :\ \fB\-\-location\fR=\fILOCATION\fR\ \fB\-\-pool\fR=\fIPOOL\fR) (\fB\-\-create\-csr\fR\ \fB\-\-csr\-output\-file\fR=\fICSR_OUTPUT_FILE\fR\ |\ [\fB\-\-issuer\-pool\fR=\fIISSUER_POOL\fR\ :\ \fB\-\-issuer\-location\fR=\fIISSUER_LOCATION\fR]) [\fB\-\-auto\-enable\fR] [\fB\-\-bucket\fR=\fIBUCKET\fR] [\fB\-\-custom\-aia\-urls\fR=[\fICUSTOM_AIA_URLS\fR,...]] [\fB\-\-custom\-cdp\-urls\fR=[\fICUSTOM_CDP_URLS\fR,...]] [\fB\-\-dns\-san\fR=[\fIDNS_SAN\fR,...]] [\fB\-\-email\-san\fR=[\fIEMAIL_SAN\fR,...]] [\fB\-\-from\-ca\fR=\fIFROM_CA\fR] [\fB\-\-ip\-san\fR=[\fIIP_SAN\fR,...]] [\fB\-\-issuer\-ca\fR=\fIISSUER_CA\fR] [\fB\-\-labels\fR=[\fIKEY\fR=\fIVALUE\fR,...]] [\fB\-\-subject\fR=[\fISUBJECT\fR,...]] [\fB\-\-subject\-key\-id\fR=\fISUBJECT_KEY_ID\fR] [\fB\-\-uri\-san\fR=[\fIURI_SAN\fR,...]] [\fB\-\-validity\fR=\fIVALIDITY\fR;\ default="P3Y"] [\fB\-\-key\-algorithm\fR=\fIKEY_ALGORITHM\fR;\ default="rsa\-pkcs1\-2048\-sha256"\ |\ [\fB\-\-kms\-key\-version\fR=\fIKMS_KEY_VERSION\fR\ :\ \fB\-\-kms\-key\fR=\fIKMS_KEY\fR\ \fB\-\-kms\-keyring\fR=\fIKMS_KEYRING\fR\ \fB\-\-kms\-location\fR=\fIKMS_LOCATION\fR\ \fB\-\-kms\-project\fR=\fIKMS_PROJECT\fR]] [\fB\-\-use\-preset\-profile\fR=\fIUSE_PRESET_PROFILE\fR\ |\ \fB\-\-extended\-key\-usages\fR=[\fIEXTENDED_KEY_USAGES\fR,...]\ \fB\-\-key\-usages\fR=[\fIKEY_USAGES\fR,...]\ \fB\-\-max\-chain\-length\fR=\fIMAX_CHAIN_LENGTH\fR\ |\ \fB\-\-unconstrained\-chain\-length\fR\ \fB\-\-no\-name\-constraints\-critical\fR\ \fB\-\-name\-excluded\-dns\fR=[\fINAME_EXCLUDED_DNS\fR,...]\ \fB\-\-name\-excluded\-email\fR=[\fINAME_EXCLUDED_EMAIL\fR,...]\ \fB\-\-name\-excluded\-ip\fR=[\fINAME_EXCLUDED_IP\fR,...]\ \fB\-\-name\-excluded\-uri\fR=[\fINAME_EXCLUDED_URI\fR,...]\ \fB\-\-name\-permitted\-dns\fR=[\fINAME_PERMITTED_DNS\fR,...]\ \fB\-\-name\-permitted\-email\fR=[\fINAME_PERMITTED_EMAIL\fR,...]\ \fB\-\-name\-permitted\-ip\fR=[\fINAME_PERMITTED_IP\fR,...]\ \fB\-\-name\-permitted\-uri\fR=[\fINAME_PERMITTED_URI\fR,...]] [\fIGCLOUD_WIDE_FLAG\ ...\fR]



.SH "EXAMPLES"

To create a subordinate CA named 'server\-tls\-1' whose issuer is on Private CA:

.RS 2m
$ gcloud privateca subordinates create server\-tls\-1 \e
    \-\-location=us\-west1 \-\-pool=my\-pool \e
    \-\-subject="CN=Example TLS CA, O=Google" \e
    \-\-issuer\-pool=other\-pool \-\-issuer\-location=us\-west1 \e
    \-\-kms\-key\-version="projects/my\-project\-pki/locations/us\-west1/ke\e
yRings/kr1/cryptoKeys/key2/cryptoKeyVersions/1"
.RE

To create a subordinate CA named 'server\-tls\-1' whose issuer is located
elsewhere:

.RS 2m
$ gcloud privateca subordinates create server\-tls\-1 \e
    \-\-location=us\-west1 \-\-pool=my\-pool \e
    \-\-subject="CN=Example TLS CA, O=Google" \-\-create\-csr \e
    \-\-csr\-output\-file=./csr.pem \e
    \-\-kms\-key\-version="projects/my\-project\-pki/locations/us\-west1/ke\e
yRings/kr1/cryptoKeys/key2/cryptoKeyVersions/1"
.RE

To create a subordinate CA named 'server\-tls\-1' chaining up to a root CA named
\'prod\-root' based on an existing CA:

.RS 2m
$ gcloud privateca subordinates create server\-tls\-1 \e
    \-\-location=us\-west1 \-\-pool=my\-pool \-\-issuer\-pool=other\-pool \e
    \-\-issuer\-location=us\-west1 \-\-from\-ca=source\-ca \e
    \-\-kms\-key\-version="projects/my\-project\-pki/locations/us\-west1/ke\e
yRings/kr1/cryptoKeys/key2/cryptoKeyVersions/1"
.RE



.SH "POSITIONAL ARGUMENTS"

.RS 2m
.TP 2m

Certificate Authority resource \- The name of the subordinate CA to create. The
arguments in this group can be used to specify the attributes of this resource.
(NOTE) Some attributes are not given arguments in this group but can be set in
other ways.

To set the \f5project\fR attribute:
.RS 2m
.IP "\(em" 2m
provide the argument \f5CERTIFICATE_AUTHORITY\fR on the command line with a
fully specified name;
.IP "\(em" 2m
provide the argument \f5\-\-project\fR on the command line;
.IP "\(em" 2m
set the property \f5core/project\fR.
.RE
.sp

This must be specified.


.RS 2m
.TP 2m
\fICERTIFICATE_AUTHORITY\fR

ID of the Certificate Authority or fully qualified identifier for the
Certificate Authority.

To set the \f5certificate_authority\fR attribute:
.RS 2m
.IP "\(bu" 2m
provide the argument \f5CERTIFICATE_AUTHORITY\fR on the command line.
.RE
.sp

This positional argument must be specified if any of the other arguments in this
group are specified.

.TP 2m
\fB\-\-location\fR=\fILOCATION\fR

The location of the Certificate Authority.

To set the \f5location\fR attribute:
.RS 2m
.IP "\(bu" 2m
provide the argument \f5CERTIFICATE_AUTHORITY\fR on the command line with a
fully specified name;
.IP "\(bu" 2m
provide the argument \f5\-\-location\fR on the command line;
.IP "\(bu" 2m
set the property \f5privateca/location\fR.
.RE
.sp

.TP 2m
\fB\-\-pool\fR=\fIPOOL\fR

The parent CA Pool of the Certificate Authority.

To set the \f5pool\fR attribute:
.RS 2m
.IP "\(bu" 2m
provide the argument \f5CERTIFICATE_AUTHORITY\fR on the command line with a
fully specified name;
.IP "\(bu" 2m
provide the argument \f5\-\-pool\fR on the command line.
.RE
.sp


.RE
.RE
.sp

.SH "REQUIRED FLAGS"

.RS 2m
.TP 2m

The issuer configuration used for this CA certificate.

Exactly one of these must be specified:


.RS 2m
.TP 2m

If the issuing CA is not hosted on Private CA, you must provide these settings:


.RS 2m
.TP 2m
\fB\-\-create\-csr\fR

Indicates that a CSR should be generated which can be signed by the issuing CA.
This must be set if \-\-issuer is not provided.

This flag argument must be specified if any of the other arguments in this group
are specified.

.TP 2m
\fB\-\-csr\-output\-file\fR=\fICSR_OUTPUT_FILE\fR

The path where the resulting PEM\-encoded CSR file should be written.

This flag argument must be specified if any of the other arguments in this group
are specified.

.RE
.sp
.TP 2m

The issuing resource used for this CA certificate.


.RS 2m
.TP 2m

Issuer resource \- The issuing CA Pool to use, if it is on Private CA. The
arguments in this group can be used to specify the attributes of this resource.
(NOTE) Some attributes are not given arguments in this group but can be set in
other ways.

To set the \f5project\fR attribute:
.RS 2m
.IP "\(em" 2m
provide the argument \f5\-\-issuer\-pool\fR on the command line with a fully
specified name;
.IP "\(em" 2m
provide the argument \f5\-\-project\fR on the command line;
.IP "\(em" 2m
set the property \f5core/project\fR.
.RE
.sp


.RS 2m
.TP 2m
\fB\-\-issuer\-pool\fR=\fIISSUER_POOL\fR

ID of the Issuer or fully qualified identifier for the Issuer.

To set the \f5pool\fR attribute:
.RS 2m
.IP "\(bu" 2m
provide the argument \f5\-\-issuer\-pool\fR on the command line.
.RE
.sp

This flag argument must be specified if any of the other arguments in this group
are specified.

.TP 2m
\fB\-\-issuer\-location\fR=\fIISSUER_LOCATION\fR

The location of the Issuer.

To set the \f5location\fR attribute:
.RS 2m
.IP "\(bu" 2m
provide the argument \f5\-\-issuer\-pool\fR on the command line with a fully
specified name;
.IP "\(bu" 2m
provide the argument \f5\-\-issuer\-location\fR on the command line;
.IP "\(bu" 2m
set the property \f5privateca/location\fR.
.RE
.sp


.RE
.RE
.RE
.RE
.sp

.SH "OPTIONAL FLAGS"

.RS 2m
.TP 2m
\fB\-\-auto\-enable\fR

If this flag is set, the Certificate Authority will be automatically enabled
upon creation.

.TP 2m
\fB\-\-bucket\fR=\fIBUCKET\fR

The name of an existing storage bucket to use for storing the CA certificates
and CRLs for CAs in this pool. If omitted, a new bucket will be created and
managed by the service on your behalf.

.TP 2m
\fB\-\-custom\-aia\-urls\fR=[\fICUSTOM_AIA_URLS\fR,...]

One or more comma\-separated URLs that will be added to the Authority
Information Access extension in the issued certificate. These URLs are where the
issuer CA certificate is located.

.TP 2m
\fB\-\-custom\-cdp\-urls\fR=[\fICUSTOM_CDP_URLS\fR,...]

One or more comma\-separated URLs that will be added to the CRL Distribution
Points (CDP) extension in the issued certificate. These URLs are where CRL
information is located.

.TP 2m
\fB\-\-dns\-san\fR=[\fIDNS_SAN\fR,...]

One or more comma\-separated DNS Subject Alternative Names.

.TP 2m
\fB\-\-email\-san\fR=[\fIEMAIL_SAN\fR,...]

One or more comma\-separated email Subject Alternative Names.

.TP 2m

Source CA resource \- An existing CA from which to copy configuration values for
the new CA. You can still override any of those values by explicitly providing
the appropriate flags. The specified existing CA must be part of the same pool
as the one being created. This represents a Cloud resource. (NOTE) Some
attributes are not given arguments in this group but can be set in other ways.

To set the \f5project\fR attribute:
.RS 2m
.IP "\(em" 2m
provide the argument \f5\-\-from\-ca\fR on the command line with a fully
specified name;
.IP "\(em" 2m
provide the argument \f5\-\-project\fR on the command line;
.IP "\(em" 2m
set the property \f5core/project\fR.
.RE
.sp

To set the \f5location\fR attribute:
.RS 2m
.IP "\(em" 2m
provide the argument \f5\-\-from\-ca\fR on the command line with a fully
specified name;
.IP "\(em" 2m
provide the argument \f5\-\-location\fR on the command line;
.IP "\(em" 2m
set the property \f5privateca/location\fR.
.RE
.sp

To set the \f5pool\fR attribute:
.RS 2m
.IP "\(em" 2m
provide the argument \f5\-\-from\-ca\fR on the command line with a fully
specified name;
.IP "\(em" 2m
provide the argument \f5\-\-pool\fR on the command line.
.RE
.sp


.RS 2m
.TP 2m
\fB\-\-from\-ca\fR=\fIFROM_CA\fR

ID of the source CA or fully qualified identifier for the source CA.

To set the \f5certificate_authority\fR attribute:
.RS 2m
.IP "\(bu" 2m
provide the argument \f5\-\-from\-ca\fR on the command line.
.RE
.sp

.RE
.sp
.TP 2m
\fB\-\-ip\-san\fR=[\fIIP_SAN\fR,...]

One or more comma\-separated IP Subject Alternative Names.

.TP 2m
\fB\-\-issuer\-ca\fR=\fIISSUER_CA\fR

The Certificate Authority ID of the CA to issue the subordinate CA certificate
from. This ID is optional. If ommitted, any available ENABLED CA in the issuing
CA pool will be chosen.

.TP 2m
\fB\-\-labels\fR=[\fIKEY\fR=\fIVALUE\fR,...]

List of label KEY=VALUE pairs to add.

Keys must start with a lowercase character and contain only hyphens (\f5\-\fR),
underscores (\f5_\fR), lowercase characters, and numbers. Values must contain
only hyphens (\f5\-\fR), underscores (\f5_\fR), lowercase characters, and
numbers.

.TP 2m
\fB\-\-subject\fR=[\fISUBJECT\fR,...]

X.501 name of the certificate subject. Example: \-\-subject
"C=US,ST=California,L=Mountain View,O=Google LLC,CN=google.com"

.TP 2m
\fB\-\-subject\-key\-id\fR=\fISUBJECT_KEY_ID\fR

Optional field to specify subject key ID for certificate. DO NOT USE except to
maintain a previously established identifier for a public key, whose SKI was not
generated using method (1) described in RFC 5280 section 4.2.1.2.

.TP 2m
\fB\-\-uri\-san\fR=[\fIURI_SAN\fR,...]

One or more comma\-separated URI Subject Alternative Names.

.TP 2m
\fB\-\-validity\fR=\fIVALIDITY\fR; default="P3Y"

The validity of this CA, as an ISO8601 duration. Defaults to 3 years.

.TP 2m

The key configuration used for the CA certificate. Defaults to a managed key if
not specified.

At most one of these can be specified:


.RS 2m
.TP 2m
\fB\-\-key\-algorithm\fR=\fIKEY_ALGORITHM\fR; default="rsa\-pkcs1\-2048\-sha256"

The crypto algorithm to use for creating a managed KMS key for the Certificate
Authority. The default is \fBrsa\-pkcs1\-2048\-sha256\fR. \fIKEY_ALGORITHM\fR
must be one of: \fBec\-p256\-sha256\fR, \fBec\-p384\-sha384\fR,
\fBrsa\-pkcs1\-2048\-sha256\fR, \fBrsa\-pkcs1\-3072\-sha256\fR,
\fBrsa\-pkcs1\-4096\-sha256\fR, \fBrsa\-pss\-2048\-sha256\fR,
\fBrsa\-pss\-3072\-sha256\fR, \fBrsa\-pss\-4096\-sha256\fR.

.TP 2m

Key version resource \- The KMS key version backing this CA. The arguments in
this group can be used to specify the attributes of this resource.


.RS 2m
.TP 2m
\fB\-\-kms\-key\-version\fR=\fIKMS_KEY_VERSION\fR

ID of the key version or fully qualified identifier for the key version.

To set the \f5kms\-key\-version\fR attribute:
.RS 2m
.IP "\(em" 2m
provide the argument \f5\-\-kms\-key\-version\fR on the command line.
.RE
.sp

This flag argument must be specified if any of the other arguments in this group
are specified.

.TP 2m
\fB\-\-kms\-key\fR=\fIKMS_KEY\fR

The KMS key of the key version.

To set the \f5kms\-key\fR attribute:
.RS 2m
.IP "\(em" 2m
provide the argument \f5\-\-kms\-key\-version\fR on the command line with a
fully specified name;
.IP "\(em" 2m
provide the argument \f5\-\-kms\-key\fR on the command line.
.RE
.sp

.TP 2m
\fB\-\-kms\-keyring\fR=\fIKMS_KEYRING\fR

The KMS keyring of the key version.

To set the \f5kms\-keyring\fR attribute:
.RS 2m
.IP "\(em" 2m
provide the argument \f5\-\-kms\-key\-version\fR on the command line with a
fully specified name;
.IP "\(em" 2m
provide the argument \f5\-\-kms\-keyring\fR on the command line.
.RE
.sp

.TP 2m
\fB\-\-kms\-location\fR=\fIKMS_LOCATION\fR

The location of the key version.

To set the \f5kms\-location\fR attribute:
.RS 2m
.IP "\(em" 2m
provide the argument \f5\-\-kms\-key\-version\fR on the command line with a
fully specified name;
.IP "\(em" 2m
provide the argument \f5\-\-kms\-location\fR on the command line;
.IP "\(em" 2m
provide the argument \f5location\fR on the command line;
.IP "\(em" 2m
set the property \f5privateca/location\fR.
.RE
.sp

.TP 2m
\fB\-\-kms\-project\fR=\fIKMS_PROJECT\fR

The project containing the key version.

To set the \f5kms\-project\fR attribute:
.RS 2m
.IP "\(em" 2m
provide the argument \f5\-\-kms\-key\-version\fR on the command line with a
fully specified name;
.IP "\(em" 2m
provide the argument \f5\-\-kms\-project\fR on the command line;
.IP "\(em" 2m
provide the argument \f5project\fR on the command line;
.IP "\(em" 2m
set the property \f5core/project\fR.
.RE
.sp

.RE
.RE
.sp
.TP 2m

The X.509 configuration used for the CA certificate.

At most one of these can be specified:


.RS 2m
.TP 2m
\fB\-\-use\-preset\-profile\fR=\fIUSE_PRESET_PROFILE\fR

The name of an existing preset profile used to encapsulate X.509 parameter
values. USE_PRESET_PROFILE must be one of: leaf_client_tls, leaf_code_signing,
leaf_mtls, leaf_server_tls, leaf_smime, root_unconstrained,
subordinate_client_tls_pathlen_0, subordinate_code_signing_pathlen_0,
subordinate_mtls_pathlen_0, subordinate_server_tls_pathlen_0,
subordinate_smime_pathlen_0, subordinate_unconstrained_pathlen_0.

For more information, see
https://cloud.google.com/certificate\-authority\-service/docs/certificate\-profile.

.TP 2m
\fB\-\-extended\-key\-usages\fR=[\fIEXTENDED_KEY_USAGES\fR,...]

The list of extended key usages for this CA. This can only be provided if
\f5\-\-use\-preset\-profile\fR is not provided. \fIEXTENDED_KEY_USAGES\fR must
be one of: \fBserver_auth\fR, \fBclient_auth\fR, \fBcode_signing\fR,
\fBemail_protection\fR, \fBtime_stamping\fR, \fBocsp_signing\fR.

.TP 2m
\fB\-\-key\-usages\fR=[\fIKEY_USAGES\fR,...]

The list of key usages for this CA. This can only be provided if
\f5\-\-use\-preset\-profile\fR is not provided. \fIKEY_USAGES\fR must be one of:
\fBdigital_signature\fR, \fBcontent_commitment\fR, \fBkey_encipherment\fR,
\fBdata_encipherment\fR, \fBkey_agreement\fR, \fBcert_sign\fR, \fBcrl_sign\fR,
\fBencipher_only\fR, \fBdecipher_only\fR.

.TP 2m

At most one of these can be specified:


.RS 2m
.TP 2m
\fB\-\-max\-chain\-length\fR=\fIMAX_CHAIN_LENGTH\fR

Maximum depth of subordinate CAs allowed under this CA for a CA certificate.
This can only be provided if neither \f5\-\-use\-preset\-profile\fR nor
\f5\-\-unconstrained\-chain\-length\fR are provided.

.TP 2m
\fB\-\-unconstrained\-chain\-length\fR

If set, allows an unbounded number of subordinate CAs under this newly issued CA
certificate. This can only be provided if neither \f5\-\-use\-preset\-profile\fR
nor \f5\-\-max\-chain\-length\fR are provided.

.RE
.sp
.TP 2m

The x509 name constraints configurations


.RS 2m
.TP 2m
\fB\-\-name\-constraints\-critical\fR

Indicates whether or not name constraints are marked as critical. Name
constraints are considered critical unless explicitly set to false. Enabled by
default, use \fB\-\-no\-name\-constraints\-critical\fR to disable.

.TP 2m
\fB\-\-name\-excluded\-dns\fR=[\fINAME_EXCLUDED_DNS\fR,...]

One or more comma\-separated DNS names which are excluded from being issued
certificates. Any DNS name that can be constructed by simply adding zero or more
labels to the left\-hand side of the name satisfies the name constraint. For
example, \f5example.com\fR, \f5www.example.com\fR, \f5www.sub.example.com\fR
would satisfy \f5example.com\fR, while \f5example1.com\fR does not.

.TP 2m
\fB\-\-name\-excluded\-email\fR=[\fINAME_EXCLUDED_EMAIL\fR,...]

One or more comma\-separated emails which are excluded from being issued
certificates. The value can be a particular email address, a hostname to
indicate all email addresses on that host or a domain with a leading period
(e.g. \f5.example.com\fR) to indicate all email addresses in that domain.

.TP 2m
\fB\-\-name\-excluded\-ip\fR=[\fINAME_EXCLUDED_IP\fR,...]

One or more comma\-separated IP ranges which are excluded from being issued
certificates. For IPv4 addresses, the ranges are expressed using CIDR notation
as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in
similar encoding as IPv4

.TP 2m
\fB\-\-name\-excluded\-uri\fR=[\fINAME_EXCLUDED_URI\fR,...]

One or more comma\-separated URIs which are excluded from being issued
certificates. The value can be a hostname or a domain with a leading period
(like \f5.example.com\fR)

.TP 2m
\fB\-\-name\-permitted\-dns\fR=[\fINAME_PERMITTED_DNS\fR,...]

One or more comma\-separated DNS names which are permitted to be issued
certificates. Any DNS name that can be constructed by simply adding zero or more
labels to the left\-hand side of the name satisfies the name constraint. For
example, \f5example.com\fR, \f5www.example.com\fR, \f5www.sub.example.com\fR
would satisfy \f5example.com\fR, while \f5example1.com\fR does not.

.TP 2m
\fB\-\-name\-permitted\-email\fR=[\fINAME_PERMITTED_EMAIL\fR,...]

One or more comma\-separated email addresses which are permitted to be issued
certificates. The value can be a particular email address, a hostname to
indicate all email addresses on that host or a domain with a leading period
(e.g. \f5.example.com\fR) to indicate all email addresses in that domain.

.TP 2m
\fB\-\-name\-permitted\-ip\fR=[\fINAME_PERMITTED_IP\fR,...]

One or more comma\-separated IP ranges which are permitted to be issued
certificates. For IPv4 addresses, the ranges are expressed using CIDR notation
as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in
similar encoding as IPv4

.TP 2m
\fB\-\-name\-permitted\-uri\fR=[\fINAME_PERMITTED_URI\fR,...]

One or more comma\-separated URIs which are permitted to be issued certificates.
The value can be a hostname or a domain with a leading period (like
\f5.example.com\fR)


.RE
.RE
.RE
.sp

.SH "GCLOUD WIDE FLAGS"

These flags are available to all commands: \-\-access\-token\-file, \-\-account,
\-\-billing\-project, \-\-configuration, \-\-flags\-file, \-\-flatten,
\-\-format, \-\-help, \-\-impersonate\-service\-account, \-\-log\-http,
\-\-project, \-\-quiet, \-\-trace\-token, \-\-user\-output\-enabled,
\-\-verbosity.

Run \fB$ gcloud help\fR for details.
@ Telegram