gcloud privateca templates update

NAME
gcloud privateca templates update - update a certificate template
SYNOPSIS
gcloud privateca templates update (CERTIFICATE_TEMPLATE : --location=LOCATION) [--copy-sans] [--copy-subject] [--description=DESCRIPTION] [--identity-cel-expression=IDENTITY_CEL_EXPRESSION] [--predefined-values-file=PREDEFINED_VALUES_FILE] [--update-labels=[KEY=VALUE,…]] [--clear-labels | --remove-labels=[KEY,…]] [--copy-all-requested-extensions | --copy-extensions-by-oid=[OBJECT_ID,…] | --drop-oid-extensions --copy-known-extensions=[KNOWN_EXTENSIONS,…] | --drop-known-extensions] [GCLOUD_WIDE_FLAG]
DESCRIPTION
Update a certificate template.
EXAMPLES
To update a template named "dns-restricted" with new default x509 extensions:
gcloud privateca templates update dns-restricted --location=us-west1 --predefined-values-file=x509_parameters.yaml

To update a template named "dns-restricted" to allow requestors to specify subject:

gcloud privateca templates update dns-restricted --location=us-west1 --copy-subject

To update a template named "dns-restricted" with allowed extension 'base-key-usage' to allow requestors to specify additional x509 extension 'extended-key-usage':

gcloud privateca templates update dns-restricted --location=us-west1 --copy-known-extensions=base-key-usage,extended-key-usage

To update a template named "mtls-restricted" with allowed OID '1.1' to allow requestors to specify alternative OIDs '2.2,3.3':

gcloud privateca templates update mtls-restricted --location=us-west1 --copy-extensions-by-oid=2.2,3.3
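
A combined use of the flags documented on this page, as an added example that is not part of the gcloud reference: it restricts "dns-restricted" to non-CA server certificates whose SANs are DNS names under one domain. The domain example.com, the function names and the chosen YAML values are assumptions; the YAML follows the X509Parameters message linked under --predefined-values-file.

```shell
#!/bin/sh
# Added example, not from the gcloud reference.
# Assumed values: example.com, us-west1, x509_parameters.yaml.

# Write the X509Parameters YAML passed to --predefined-values-file.
# Template-defined values take precedence over extensions in the request.
write_predefined_values() {
  cat > "$1" <<'EOF'
keyUsage:
  baseKeyUsage:
    digitalSignature: true
    keyEncipherment: true
  extendedKeyUsage:
    serverAuth: true
caOptions:
  isCa: false
EOF
}

# Apply the restrictive settings in one update:
#   --copy-sans / --no-copy-subject : identity comes from SANs only
#   --identity-cel-expression       : every SAN must be a DNS name in the domain
#   --drop-*-extensions             : requester cannot add any extension
harden_template() {
  template="$1"; location="$2"; values_file="$3"
  write_predefined_values "$values_file"
  gcloud privateca templates update "$template" \
    --location="$location" \
    --predefined-values-file="$values_file" \
    --copy-sans \
    --no-copy-subject \
    --identity-cel-expression='subject_alt_names.all(san, san.type == DNS && san.value.endsWith(".example.com"))' \
    --drop-oid-extensions \
    --drop-known-extensions
}

# Run only when asked, so sourcing this file has no side effects.
if [ "${1:-}" = "apply" ]; then
  harden_template dns-restricted us-west1 x509_parameters.yaml
fi
```

Run the script with the single argument apply to perform the update against the active project.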
POSITIONAL ARGUMENTS
CERTIFICATE TEMPLATE resource - The template to update. The arguments in this group can be used to specify the attributes of this resource. (NOTE) Some attributes are not given arguments in this group but can be set in other ways.

To set the project attribute:

  • provide the argument CERTIFICATE_TEMPLATE on the command line with a fully specified name;
  • provide the argument --project on the command line;
  • set the property core/project.

This must be specified.

CERTIFICATE_TEMPLATE
ID of the CERTIFICATE_TEMPLATE or fully qualified identifier for the CERTIFICATE_TEMPLATE.

To set the certificate template attribute:

  • provide the argument CERTIFICATE_TEMPLATE on the command line.

This positional argument must be specified if any of the other arguments in this group are specified.

--location=LOCATION
The location of the CERTIFICATE_TEMPLATE.

To set the location attribute:

  • provide the argument CERTIFICATE_TEMPLATE on the command line with a fully specified name;
  • provide the argument --location on the command line;
  • set the property privateca/location.
FLAGS
--copy-sans
If this is specified, the Subject Alternative Name extension from the certificate request will be copied into the signed certificate. Specify --no-copy-sans to drop any caller-specified SANs in the certificate request.
--copy-subject
If this is specified, the Subject from the certificate request will be copied into the signed certificate. Specify --no-copy-subject to drop any caller-specified subjects from the certificate request.
--description=DESCRIPTION
A text description for the Certificate Template.
--identity-cel-expression=IDENTITY_CEL_EXPRESSION
A CEL expression that will be evaluated against the identity in the certificate before it is issued, and returns a boolean signifying whether the request should be allowed.
--predefined-values-file=PREDEFINED_VALUES_FILE
A YAML file describing any predefined X.509 values set by this template. The provided extensions will be copied over to any certificate requests that use this template, taking precedence over any allowed extensions in the certificate request. The format of this file should be a YAML representation of the X509Parameters message, which is defined here: https://cloud.google.com/certificate-authority-service/docs/reference/rest/v1/X509Parameters. Some examples can be found here: https://cloud.google.com/certificate-authority-service/docs/creating-certificate-template
--update-labels=[KEY=VALUE,…]
List of label KEY=VALUE pairs to update. If a label exists, its value is modified. Otherwise, a new label is created.

Keys must start with a lowercase character and contain only hyphens (-), underscores (_), lowercase characters, and numbers. Values must contain only hyphens (-), underscores (_), lowercase characters, and numbers.

At most one of these can be specified:
--clear-labels
Remove all labels. If --update-labels is also specified then --clear-labels is applied first.

For example, to remove all labels:

gcloud privateca templates update --clear-labels

To remove all existing labels and create two new labels, foo and baz:

gcloud privateca templates update --clear-labels --update-labels foo=bar,baz=qux
--remove-labels=[KEY,…]
List of label keys to remove. If a label does not exist it is silently ignored. If --update-labels is also specified then --update-labels is applied first.
Constraints on requested X.509 extensions.

At most one of these can be specified:

--copy-all-requested-extensions
If this is set, all extensions, whether known or specified by OID, that are specified in the certificate request will be copied into the signed certificate.
Or at least one of these can be specified:
Specify exact x509 extensions to copy by OID or known extension.
Constraints on unknown extensions by their OIDs.

At most one of these can be specified:

--copy-extensions-by-oid=[OBJECT_ID,…]
If this is set, then extensions with the given OIDs will be copied from the certificate request into the signed certificate.
--drop-oid-extensions
If this is set, then all existing OID extensions will be removed from the template, prohibiting any extensions specified by OIDs to be specified by the requester.
Constraints on known extensions.

At most one of these can be specified:

--copy-known-extensions=[KNOWN_EXTENSIONS,…]
If this is set, then the given extensions will be copied from the certificate request into the signed certificate. KNOWN_EXTENSIONS must be one of: base-key-usage, extended-key-usage, ca-options, policy-ids, aia-ocsp-servers.
--drop-known-extensions
If this is set, then all known extensions will be removed from the template, prohibiting any known x509 extensions to be specified by the requester.
GCLOUD WIDE FLAGS
These flags are available to all commands: --access-token-file, --account, --billing-project, --configuration, --flags-file, --flatten, --format, --help, --impersonate-service-account, --log-http, --project, --quiet, --trace-token, --user-output-enabled, --verbosity.

Run $ gcloud help for details.


Last updated 2026-01-21 UTC.