File: //snap/google-cloud-cli/current/help/man/man1/gcloud_privateca_templates_update.1
.TH "GCLOUD_PRIVATECA_TEMPLATES_UPDATE" 1
.SH "NAME"
.HP
gcloud privateca templates update \- update a certificate template
.SH "SYNOPSIS"
.HP
\f5gcloud privateca templates update\fR (\fICERTIFICATE_TEMPLATE\fR\ :\ \fB\-\-location\fR=\fILOCATION\fR) [\fB\-\-copy\-sans\fR] [\fB\-\-copy\-subject\fR] [\fB\-\-description\fR=\fIDESCRIPTION\fR] [\fB\-\-identity\-cel\-expression\fR=\fIIDENTITY_CEL_EXPRESSION\fR] [\fB\-\-predefined\-values\-file\fR=\fIPREDEFINED_VALUES_FILE\fR] [\fB\-\-update\-labels\fR=[\fIKEY\fR=\fIVALUE\fR,...]] [\fB\-\-clear\-labels\fR\ |\ \fB\-\-remove\-labels\fR=[\fIKEY\fR,...]] [\fB\-\-copy\-all\-requested\-extensions\fR\ |\ \fB\-\-copy\-extensions\-by\-oid\fR=[\fIOBJECT_ID\fR,...]\ |\ \fB\-\-drop\-oid\-extensions\fR\ \fB\-\-copy\-known\-extensions\fR=[\fIKNOWN_EXTENSIONS\fR,...]\ |\ \fB\-\-drop\-known\-extensions\fR] [\fIGCLOUD_WIDE_FLAG\ ...\fR]
.SH "DESCRIPTION"
Update a certificate template.
.SH "EXAMPLES"
To update a template named "dns\-restricted" with new default x509 extensions:
.RS 2m
$ gcloud privateca templates update dns\-restricted \e
\-\-location=us\-west1 \e
\-\-predefined\-values\-file=x509_parameters.yaml
.RE
To update a template named "dns\-restricted" to allow requestors to specify
subject:
.RS 2m
$ gcloud privateca templates update dns\-restricted \e
\-\-location=us\-west1 \-\-copy\-subject
.RE
To update a template named "dns\-restricted" with allowed extension
\'base\-key\-usage' to allow requestors to specify additional x509 extension
\'extended\-key\-usage':
.RS 2m
$ gcloud privateca templates update dns\-restricted \e
\-\-location=us\-west1 \e
\-\-copy\-known\-extensions=base\-key\-usage,extended\-key\-usage
.RE
To update a template named "mtls\-restricted" with allowed OID '1.1' to allow
requestors to specify alternative OIDS '2.2,3.3':
.RS 2m
$ gcloud privateca templates update mtls\-restricted \e
\-\-location=us\-west1 \-\-copy\-extensions\-by\-oid=2.2,3.3
.RE
.SH "POSITIONAL ARGUMENTS"
.RS 2m
.TP 2m
CERTIFICATE TEMPLATE resource \- The template to update. The arguments in this
group can be used to specify the attributes of this resource. (NOTE) Some
attributes are not given arguments in this group but can be set in other ways.
To set the \f5project\fR attribute:
.RS 2m
.IP "\(em" 2m
provide the argument \f5CERTIFICATE_TEMPLATE\fR on the command line with a fully
specified name;
.IP "\(em" 2m
provide the argument \f5\-\-project\fR on the command line;
.IP "\(em" 2m
set the property \f5core/project\fR.
.RE
.sp
This must be specified.
.RS 2m
.TP 2m
\fICERTIFICATE_TEMPLATE\fR
ID of the CERTIFICATE_TEMPLATE or fully qualified identifier for the
CERTIFICATE_TEMPLATE.
To set the \f5certificate template\fR attribute:
.RS 2m
.IP "\(bu" 2m
provide the argument \f5CERTIFICATE_TEMPLATE\fR on the command line.
.RE
.sp
This positional argument must be specified if any of the other arguments in this
group are specified.
.TP 2m
\fB\-\-location\fR=\fILOCATION\fR
The location of the CERTIFICATE_TEMPLATE.
To set the \f5location\fR attribute:
.RS 2m
.IP "\(bu" 2m
provide the argument \f5CERTIFICATE_TEMPLATE\fR on the command line with a fully
specified name;
.IP "\(bu" 2m
provide the argument \f5\-\-location\fR on the command line;
.IP "\(bu" 2m
set the property \f5privateca/location\fR.
.RE
.sp
.RE
.RE
.sp
.SH "FLAGS"
.RS 2m
.TP 2m
\fB\-\-copy\-sans\fR
If this is specified, the Subject Alternative Name extension from the
certificate request will be copied into the signed certificate. Specify
\-\-no\-copy\-sans to drop any caller\-specified SANs in the certificate
request.
.TP 2m
\fB\-\-copy\-subject\fR
If this is specified, the Subject from the certificate request will be copied
into the signed certificate. Specify \-\-no\-copy\-subject to drop any
caller\-specified subjects from the certificate request.
.TP 2m
\fB\-\-description\fR=\fIDESCRIPTION\fR
A text description for the Certificate Template.
.TP 2m
\fB\-\-identity\-cel\-expression\fR=\fIIDENTITY_CEL_EXPRESSION\fR
A CEL expression that will be evaluated against the identity in the certificate
before it is issued, and returns a boolean signifying whether the request should
be allowed.
.TP 2m
\fB\-\-predefined\-values\-file\fR=\fIPREDEFINED_VALUES_FILE\fR
A YAML file describing any predefined X.509 values set by this template. The
provided extensions will be copied over to any certificate requests that use
this template, taking precedent over any allowed extensions in the certificate
request. The format of this file should be a YAML representation of the
X509Parameters message, which is defined here:
https://cloud.google.com/certificate\-authority\-service/docs/reference/rest/v1/X509Parameters.
Some examples can be found here:
https://cloud.google.com/certificate\-authority\-service/docs/creating\-certificate\-template
.TP 2m
\fB\-\-update\-labels\fR=[\fIKEY\fR=\fIVALUE\fR,...]
List of label KEY=VALUE pairs to update. If a label exists, its value is
modified. Otherwise, a new label is created.
Keys must start with a lowercase character and contain only hyphens (\f5\-\fR),
underscores (\f5_\fR), lowercase characters, and numbers. Values must contain
only hyphens (\f5\-\fR), underscores (\f5_\fR), lowercase characters, and
numbers.
.TP 2m
At most one of these can be specified:
.RS 2m
.TP 2m
\fB\-\-clear\-labels\fR
Remove all labels. If \f5\-\-update\-labels\fR is also specified then
\f5\-\-clear\-labels\fR is applied first.
For example, to remove all labels:
.RS 2m
$ gcloud privateca templates update \-\-clear\-labels
.RE
To remove all existing labels and create two new labels, \f5\fIfoo\fR\fR and
\f5\fIbaz\fR\fR:
.RS 2m
$ gcloud privateca templates update \-\-clear\-labels \e
\-\-update\-labels foo=bar,baz=qux
.RE
.TP 2m
\fB\-\-remove\-labels\fR=[\fIKEY\fR,...]
List of label keys to remove. If a label does not exist it is silently ignored.
If \f5\-\-update\-labels\fR is also specified then \f5\-\-update\-labels\fR is
applied first.
.RE
.sp
.TP 2m
Constraints on requested X.509 extensions.
At most one of these can be specified:
.RS 2m
.TP 2m
\fB\-\-copy\-all\-requested\-extensions\fR
If this is set, all extensions, whether known or specified by OID, that are
specified in the certificate request will be copied into the signed certificate.
.TP 2m
Specify exact x509 extensions to copy by OID or known extension.
.RS 2m
.TP 2m
Constraints on unknown extensions by their OIDs.
At most one of these can be specified:
.RS 2m
.TP 2m
\fB\-\-copy\-extensions\-by\-oid\fR=[\fIOBJECT_ID\fR,...]
If this is set, then extensions with the given OIDs will be copied from the
certificate request into the signed certificate.
.TP 2m
\fB\-\-drop\-oid\-extensions\fR
If this is set, then all existing OID extensions will be removed from the
template, prohibiting any extensions specified by OIDs to be specified by the
requester.
.RE
.sp
.TP 2m
Constraints on known extensions.
At most one of these can be specified:
.RS 2m
.TP 2m
\fB\-\-copy\-known\-extensions\fR=[\fIKNOWN_EXTENSIONS\fR,...]
If this is set, then the given extensions will be copied from the certificate
request into the signed certificate. \fIKNOWN_EXTENSIONS\fR must be one of:
\fBbase\-key\-usage\fR, \fBextended\-key\-usage\fR, \fBca\-options\fR,
\fBpolicy\-ids\fR, \fBaia\-ocsp\-servers\fR.
.TP 2m
\fB\-\-drop\-known\-extensions\fR
If this is set, then all known extensions will be removed from the template,
prohibiting any known x509 extensions to be specified by the requester.
.RE
.RE
.RE
.RE
.sp
.SH "GCLOUD WIDE FLAGS"
These flags are available to all commands: \-\-access\-token\-file, \-\-account,
\-\-billing\-project, \-\-configuration, \-\-flags\-file, \-\-flatten,
\-\-format, \-\-help, \-\-impersonate\-service\-account, \-\-log\-http,
\-\-project, \-\-quiet, \-\-trace\-token, \-\-user\-output\-enabled,
\-\-verbosity.
Run \fB$ gcloud help\fR for details.