gcloud privateca templates update - update a certificate template
gcloud privateca templates update (CERTIFICATE_TEMPLATE : --location=LOCATION) [--copy-sans] [--copy-subject] [--description=DESCRIPTION] [--identity-cel-expression=IDENTITY_CEL_EXPRESSION] [--predefined-values-file=PREDEFINED_VALUES_FILE] [--update-labels=[KEY=VALUE,...]] [--clear-labels | --remove-labels=[KEY,...]] [--copy-all-requested-extensions | --copy-extensions-by-oid=[OBJECT_ID,...] | --drop-oid-extensions --copy-known-extensions=[KNOWN_EXTENSIONS,...] | --drop-known-extensions] [GCLOUD_WIDE_FLAG ...]
Update a certificate template.
To update a template named "dns-restricted" with new default x509 extensions:
$ gcloud privateca templates update dns-restricted \ --location=us-west1 \ --predefined-values-file=x509_parameters.yaml
To update a template named "dns-restricted" to allow requestors to specify subject:
$ gcloud privateca templates update dns-restricted \ --location=us-west1 --copy-subject
To update a template named "dns-restricted" with allowed extension 'base-key-usage' to allow requestors to specify additional x509 extension 'extended-key-usage':
$ gcloud privateca templates update dns-restricted \ --location=us-west1 \ --copy-known-extensions=base-key-usage,extended-key-usage
To update a template named "mtls-restricted" with allowed OID '1.1' to allow requestors to specify alternative OIDS '2.2,3.3':
$ gcloud privateca templates update mtls-restricted \ --location=us-west1 --copy-extensions-by-oid=2.2,3.3
- CERTIFICATE TEMPLATE resource - The template to update. The arguments in this
group can be used to specify the attributes of this resource. (NOTE) Some attributes are not given arguments in this group but can be set in other ways. To set the project attribute:
- —
provide the argument CERTIFICATE_TEMPLATE on the command line with a fully specified name;
- —
provide the argument --project on the command line;
- —
set the property core/project.
This must be specified.
- CERTIFICATE_TEMPLATE
ID of the CERTIFICATE_TEMPLATE or fully qualified identifier for the CERTIFICATE_TEMPLATE. To set the certificate template attribute:
provide the argument CERTIFICATE_TEMPLATE on the command line.
This positional argument must be specified if any of the other arguments in this group are specified.
- --location=LOCATION
The location of the CERTIFICATE_TEMPLATE. To set the location attribute:
provide the argument CERTIFICATE_TEMPLATE on the command line with a fully specified name;
provide the argument --location on the command line;
set the property privateca/location.
- --copy-sans
If this is specified, the Subject Alternative Name extension from the certificate request will be copied into the signed certificate. Specify --no-copy-sans to drop any caller-specified SANs in the certificate request.
- --copy-subject
If this is specified, the Subject from the certificate request will be copied into the signed certificate. Specify --no-copy-subject to drop any caller-specified subjects from the certificate request.
- --description=DESCRIPTION
A text description for the Certificate Template.
- --identity-cel-expression=IDENTITY_CEL_EXPRESSION
A CEL expression that will be evaluated against the identity in the certificate before it is issued, and returns a boolean signifying whether the request should be allowed.
- --predefined-values-file=PREDEFINED_VALUES_FILE
A YAML file describing any predefined X.509 values set by this template. The provided extensions will be copied over to any certificate requests that use this template, taking precedent over any allowed extensions in the certificate request. The format of this file should be a YAML representation of the X509Parameters message, which is defined here: https://cloud.google.com/certificate-authority-service/docs/reference/rest/v1/X509Parameters. Some examples can be found here: https://cloud.google.com/certificate-authority-service/docs/creating-certificate-template
- --update-labels=[KEY=VALUE,...]
List of label KEY=VALUE pairs to update. If a label exists, its value is modified. Otherwise, a new label is created.
Keys must start with a lowercase character and contain only hyphens (-), underscores (_), lowercase characters, and numbers. Values must contain only hyphens (-), underscores (_), lowercase characters, and numbers.
- At most one of these can be specified:
- --clear-labels
Remove all labels. If --update-labels is also specified then --clear-labels is applied first.
For example, to remove all labels:
$ gcloud privateca templates update --clear-labels
To remove all existing labels and create two new labels, foo and baz:
$ gcloud privateca templates update --clear-labels \ --update-labels foo=bar,baz=qux
- --remove-labels=[KEY,...]
List of label keys to remove. If a label does not exist it is silently ignored. If --update-labels is also specified then --update-labels is applied first.
- Constraints on requested X.509 extensions.
At most one of these can be specified:
- --copy-all-requested-extensions
If this is set, all extensions, whether known or specified by OID, that are specified in the certificate request will be copied into the signed certificate.
- Specify exact x509 extensions to copy by OID or known extension.
- Constraints on unknown extensions by their OIDs.
At most one of these can be specified:
- --copy-extensions-by-oid=[OBJECT_ID,...]
If this is set, then extensions with the given OIDs will be copied from the certificate request into the signed certificate.
- --drop-oid-extensions
If this is set, then all existing OID extensions will be removed from the template, prohibiting any extensions specified by OIDs to be specified by the requester.
- Constraints on known extensions.
At most one of these can be specified:
- --copy-known-extensions=[KNOWN_EXTENSIONS,...]
If this is set, then the given extensions will be copied from the certificate request into the signed certificate. KNOWN_EXTENSIONS must be one of: base-key-usage, extended-key-usage, ca-options, policy-ids, aia-ocsp-servers.
- --drop-known-extensions
If this is set, then all known extensions will be removed from the template, prohibiting any known x509 extensions to be specified by the requester.
These flags are available to all commands: --access-token-file, --account, --billing-project, --configuration, --flags-file, --flatten, --format, --help, --impersonate-service-account, --log-http, --project, --quiet, --trace-token, --user-output-enabled, --verbosity.
Run $ gcloud help for details.