grpc1.45.2/third_party/googleapis/google/cloud/security/privateca/v1/service.proto

// Copyright 2021 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

syntax = "proto3";

package google.cloud.security.privateca.v1;

import "google/api/annotations.proto";
import "google/api/client.proto";
import "google/api/field_behavior.proto";
import "google/api/resource.proto";
import "google/cloud/security/privateca/v1/resources.proto";
import "google/longrunning/operations.proto";
import "google/protobuf/duration.proto";
import "google/protobuf/field_mask.proto";
import "google/protobuf/timestamp.proto";

option cc_enable_arenas = true;
option csharp_namespace = "Google.Cloud.Security.PrivateCA.V1";
option go_package = "google.golang.org/genproto/googleapis/cloud/security/privateca/v1;privateca";
option java_multiple_files = true;
option java_outer_classname = "PrivateCaProto";
option java_package = "com.google.cloud.security.privateca.v1";
option php_namespace = "Google\\Cloud\\Security\\PrivateCA\\V1";
option ruby_package = "Google::Cloud::Security::PrivateCA::V1";

// [Certificate Authority Service][google.cloud.security.privateca.v1.CertificateAuthorityService] manages private
// certificate authorities and issued certificates.
service CertificateAuthorityService {
  option (google.api.default_host) = "privateca.googleapis.com";
  option (google.api.oauth_scopes) = "https://www.googleapis.com/auth/cloud-platform";

  // Create a new [Certificate][google.cloud.security.privateca.v1.Certificate] in a given Project, Location from a particular
  // [CaPool][google.cloud.security.privateca.v1.CaPool].
  rpc CreateCertificate(CreateCertificateRequest) returns (Certificate) {
    option (google.api.http) = {
      post: "/v1/{parent=projects/*/locations/*/caPools/*}/certificates"
      body: "certificate"
    };
    option (google.api.method_signature) = "parent,certificate,certificate_id";
  }

  // Returns a [Certificate][google.cloud.security.privateca.v1.Certificate].
  rpc GetCertificate(GetCertificateRequest) returns (Certificate) {
    option (google.api.http) = {
      get: "/v1/{name=projects/*/locations/*/caPools/*/certificates/*}"
    };
    option (google.api.method_signature) = "name";
  }

  // Lists [Certificates][google.cloud.security.privateca.v1.Certificate].
  rpc ListCertificates(ListCertificatesRequest) returns (ListCertificatesResponse) {
    option (google.api.http) = {
      get: "/v1/{parent=projects/*/locations/*/caPools/*}/certificates"
    };
    option (google.api.method_signature) = "parent";
  }

  // Revoke a [Certificate][google.cloud.security.privateca.v1.Certificate].
  rpc RevokeCertificate(RevokeCertificateRequest) returns (Certificate) {
    option (google.api.http) = {
      post: "/v1/{name=projects/*/locations/*/caPools/*/certificates/*}:revoke"
      body: "*"
    };
    option (google.api.method_signature) = "name";
  }

  // Update a [Certificate][google.cloud.security.privateca.v1.Certificate]. Currently, the only field you can update is the
  // [labels][google.cloud.security.privateca.v1.Certificate.labels] field.
  rpc UpdateCertificate(UpdateCertificateRequest) returns (Certificate) {
    option (google.api.http) = {
      patch: "/v1/{certificate.name=projects/*/locations/*/caPools/*/certificates/*}"
      body: "certificate"
    };
    option (google.api.method_signature) = "certificate,update_mask";
  }

  // Activate a [CertificateAuthority][google.cloud.security.privateca.v1.CertificateAuthority] that is in state
  // [AWAITING_USER_ACTIVATION][google.cloud.security.privateca.v1.CertificateAuthority.State.AWAITING_USER_ACTIVATION]
  // and is of type [SUBORDINATE][google.cloud.security.privateca.v1.CertificateAuthority.Type.SUBORDINATE]. After
  // the parent Certificate Authority signs a certificate signing request from
  // [FetchCertificateAuthorityCsr][google.cloud.security.privateca.v1.CertificateAuthorityService.FetchCertificateAuthorityCsr], this method can complete the activation
  // process.
  rpc ActivateCertificateAuthority(ActivateCertificateAuthorityRequest) returns (google.longrunning.Operation) {
    option (google.api.http) = {
      post: "/v1/{name=projects/*/locations/*/caPools/*/certificateAuthorities/*}:activate"
      body: "*"
    };
    option (google.api.method_signature) = "name";
    option (google.longrunning.operation_info) = {
      response_type: "CertificateAuthority"
      metadata_type: "OperationMetadata"
    };
  }

  // Create a new [CertificateAuthority][google.cloud.security.privateca.v1.CertificateAuthority] in a given Project and Location.
  rpc CreateCertificateAuthority(CreateCertificateAuthorityRequest) returns (google.longrunning.Operation) {
    option (google.api.http) = {
      post: "/v1/{parent=projects/*/locations/*/caPools/*}/certificateAuthorities"
      body: "certificate_authority"
    };
    option (google.api.method_signature) = "parent,certificate_authority,certificate_authority_id";
    option (google.longrunning.operation_info) = {
      response_type: "CertificateAuthority"
      metadata_type: "OperationMetadata"
    };
  }

  // Disable a [CertificateAuthority][google.cloud.security.privateca.v1.CertificateAuthority].
  rpc DisableCertificateAuthority(DisableCertificateAuthorityRequest) returns (google.longrunning.Operation) {
    option (google.api.http) = {
      post: "/v1/{name=projects/*/locations/*/caPools/*/certificateAuthorities/*}:disable"
      body: "*"
    };
    option (google.api.method_signature) = "name";
    option (google.longrunning.operation_info) = {
      response_type: "CertificateAuthority"
      metadata_type: "OperationMetadata"
    };
  }

  // Enable a [CertificateAuthority][google.cloud.security.privateca.v1.CertificateAuthority].
  rpc EnableCertificateAuthority(EnableCertificateAuthorityRequest) returns (google.longrunning.Operation) {
    option (google.api.http) = {
      post: "/v1/{name=projects/*/locations/*/caPools/*/certificateAuthorities/*}:enable"
      body: "*"
    };
    option (google.api.method_signature) = "name";
    option (google.longrunning.operation_info) = {
      response_type: "CertificateAuthority"
      metadata_type: "OperationMetadata"
    };
  }

  // Fetch a certificate signing request (CSR) from a [CertificateAuthority][google.cloud.security.privateca.v1.CertificateAuthority]
  // that is in state
  // [AWAITING_USER_ACTIVATION][google.cloud.security.privateca.v1.CertificateAuthority.State.AWAITING_USER_ACTIVATION]
  // and is of type [SUBORDINATE][google.cloud.security.privateca.v1.CertificateAuthority.Type.SUBORDINATE]. The
  // CSR must then be signed by the desired parent Certificate Authority, which
  // could be another [CertificateAuthority][google.cloud.security.privateca.v1.CertificateAuthority] resource, or could be an on-prem
  // certificate authority. See also [ActivateCertificateAuthority][google.cloud.security.privateca.v1.CertificateAuthorityService.ActivateCertificateAuthority].
  rpc FetchCertificateAuthorityCsr(FetchCertificateAuthorityCsrRequest) returns (FetchCertificateAuthorityCsrResponse) {
    option (google.api.http) = {
      get: "/v1/{name=projects/*/locations/*/caPools/*/certificateAuthorities/*}:fetch"
    };
    option (google.api.method_signature) = "name";
  }

  // Returns a [CertificateAuthority][google.cloud.security.privateca.v1.CertificateAuthority].
  rpc GetCertificateAuthority(GetCertificateAuthorityRequest) returns (CertificateAuthority) {
    option (google.api.http) = {
      get: "/v1/{name=projects/*/locations/*/caPools/*/certificateAuthorities/*}"
    };
    option (google.api.method_signature) = "name";
  }

  // Lists [CertificateAuthorities][google.cloud.security.privateca.v1.CertificateAuthority].
  rpc ListCertificateAuthorities(ListCertificateAuthoritiesRequest) returns (ListCertificateAuthoritiesResponse) {
    option (google.api.http) = {
      get: "/v1/{parent=projects/*/locations/*/caPools/*}/certificateAuthorities"
    };
    option (google.api.method_signature) = "parent";
  }

  // Undelete a [CertificateAuthority][google.cloud.security.privateca.v1.CertificateAuthority] that has been deleted.
  rpc UndeleteCertificateAuthority(UndeleteCertificateAuthorityRequest) returns (google.longrunning.Operation) {
    option (google.api.http) = {
      post: "/v1/{name=projects/*/locations/*/caPools/*/certificateAuthorities/*}:undelete"
      body: "*"
    };
    option (google.api.method_signature) = "name";
    option (google.longrunning.operation_info) = {
      response_type: "CertificateAuthority"
      metadata_type: "OperationMetadata"
    };
  }

  // Delete a [CertificateAuthority][google.cloud.security.privateca.v1.CertificateAuthority].
  rpc DeleteCertificateAuthority(DeleteCertificateAuthorityRequest) returns (google.longrunning.Operation) {
    option (google.api.http) = {
      delete: "/v1/{name=projects/*/locations/*/caPools/*/certificateAuthorities/*}"
    };
    option (google.api.method_signature) = "name";
    option (google.longrunning.operation_info) = {
      response_type: "CertificateAuthority"
      metadata_type: "OperationMetadata"
    };
  }

  // Update a [CertificateAuthority][google.cloud.security.privateca.v1.CertificateAuthority].
  rpc UpdateCertificateAuthority(UpdateCertificateAuthorityRequest) returns (google.longrunning.Operation) {
    option (google.api.http) = {
      patch: "/v1/{certificate_authority.name=projects/*/locations/*/caPools/*/certificateAuthorities/*}"
      body: "certificate_authority"
    };
    option (google.api.method_signature) = "certificate_authority,update_mask";
    option (google.longrunning.operation_info) = {
      response_type: "CertificateAuthority"
      metadata_type: "OperationMetadata"
    };
  }

  // Create a [CaPool][google.cloud.security.privateca.v1.CaPool].
  rpc CreateCaPool(CreateCaPoolRequest) returns (google.longrunning.Operation) {
    option (google.api.http) = {
      post: "/v1/{parent=projects/*/locations/*}/caPools"
      body: "ca_pool"
    };
    option (google.api.method_signature) = "parent,ca_pool,ca_pool_id";
    option (google.longrunning.operation_info) = {
      response_type: "CaPool"
      metadata_type: "OperationMetadata"
    };
  }

  // Update a [CaPool][google.cloud.security.privateca.v1.CaPool].
  rpc UpdateCaPool(UpdateCaPoolRequest) returns (google.longrunning.Operation) {
    option (google.api.http) = {
      patch: "/v1/{ca_pool.name=projects/*/locations/*/caPools/*}"
      body: "ca_pool"
    };
    option (google.api.method_signature) = "ca_pool,update_mask";
    option (google.longrunning.operation_info) = {
      response_type: "CaPool"
      metadata_type: "OperationMetadata"
    };
  }

  // Returns a [CaPool][google.cloud.security.privateca.v1.CaPool].
  rpc GetCaPool(GetCaPoolRequest) returns (CaPool) {
    option (google.api.http) = {
      get: "/v1/{name=projects/*/locations/*/caPools/*}"
    };
    option (google.api.method_signature) = "name";
  }

  // Lists [CaPools][google.cloud.security.privateca.v1.CaPool].
  rpc ListCaPools(ListCaPoolsRequest) returns (ListCaPoolsResponse) {
    option (google.api.http) = {
      get: "/v1/{parent=projects/*/locations/*}/caPools"
    };
    option (google.api.method_signature) = "parent";
  }

  // Delete a [CaPool][google.cloud.security.privateca.v1.CaPool].
  rpc DeleteCaPool(DeleteCaPoolRequest) returns (google.longrunning.Operation) {
    option (google.api.http) = {
      delete: "/v1/{name=projects/*/locations/*/caPools/*}"
    };
    option (google.api.method_signature) = "name";
    option (google.longrunning.operation_info) = {
      response_type: "google.protobuf.Empty"
      metadata_type: "OperationMetadata"
    };
  }

  // FetchCaCerts returns the current trust anchor for the [CaPool][google.cloud.security.privateca.v1.CaPool]. This will
  // include CA certificate chains for all ACTIVE [CertificateAuthority][google.cloud.security.privateca.v1.CertificateAuthority]
  // resources in the [CaPool][google.cloud.security.privateca.v1.CaPool].
  rpc FetchCaCerts(FetchCaCertsRequest) returns (FetchCaCertsResponse) {
    option (google.api.http) = {
      post: "/v1/{ca_pool=projects/*/locations/*/caPools/*}:fetchCaCerts"
      body: "*"
    };
    option (google.api.method_signature) = "ca_pool";
  }

  // Returns a [CertificateRevocationList][google.cloud.security.privateca.v1.CertificateRevocationList].
  rpc GetCertificateRevocationList(GetCertificateRevocationListRequest) returns (CertificateRevocationList) {
    option (google.api.http) = {
      get: "/v1/{name=projects/*/locations/*/caPools/*/certificateAuthorities/*/certificateRevocationLists/*}"
    };
    option (google.api.method_signature) = "name";
  }

  // Lists [CertificateRevocationLists][google.cloud.security.privateca.v1.CertificateRevocationList].
  rpc ListCertificateRevocationLists(ListCertificateRevocationListsRequest) returns (ListCertificateRevocationListsResponse) {
    option (google.api.http) = {
      get: "/v1/{parent=projects/*/locations/*/caPools/*/certificateAuthorities/*}/certificateRevocationLists"
    };
    option (google.api.method_signature) = "parent";
  }

  // Update a [CertificateRevocationList][google.cloud.security.privateca.v1.CertificateRevocationList].
  rpc UpdateCertificateRevocationList(UpdateCertificateRevocationListRequest) returns (google.longrunning.Operation) {
    option (google.api.http) = {
      patch: "/v1/{certificate_revocation_list.name=projects/*/locations/*/caPools/*/certificateAuthorities/*/certificateRevocationLists/*}"
      body: "certificate_revocation_list"
    };
    option (google.api.method_signature) = "certificate_revocation_list,update_mask";
    option (google.longrunning.operation_info) = {
      response_type: "CertificateRevocationList"
      metadata_type: "OperationMetadata"
    };
  }

  // Create a new [CertificateTemplate][google.cloud.security.privateca.v1.CertificateTemplate] in a given Project and Location.
  rpc CreateCertificateTemplate(CreateCertificateTemplateRequest) returns (google.longrunning.Operation) {
    option (google.api.http) = {
      post: "/v1/{parent=projects/*/locations/*}/certificateTemplates"
      body: "certificate_template"
    };
    option (google.api.method_signature) = "parent,certificate_template,certificate_template_id";
    option (google.longrunning.operation_info) = {
      response_type: "CertificateTemplate"
      metadata_type: "OperationMetadata"
    };
  }

  // DeleteCertificateTemplate deletes a [CertificateTemplate][google.cloud.security.privateca.v1.CertificateTemplate].
  rpc DeleteCertificateTemplate(DeleteCertificateTemplateRequest) returns (google.longrunning.Operation) {
    option (google.api.http) = {
      delete: "/v1/{name=projects/*/locations/*/certificateTemplates/*}"
    };
    option (google.api.method_signature) = "name";
    option (google.longrunning.operation_info) = {
      response_type: "google.protobuf.Empty"
      metadata_type: "google.cloud.security.privateca.v1.OperationMetadata"
    };
  }

  // Returns a [CertificateTemplate][google.cloud.security.privateca.v1.CertificateTemplate].
  rpc GetCertificateTemplate(GetCertificateTemplateRequest) returns (CertificateTemplate) {
    option (google.api.http) = {
      get: "/v1/{name=projects/*/locations/*/certificateTemplates/*}"
    };
    option (google.api.method_signature) = "name";
  }

  // Lists [CertificateTemplates][google.cloud.security.privateca.v1.CertificateTemplate].
  rpc ListCertificateTemplates(ListCertificateTemplatesRequest) returns (ListCertificateTemplatesResponse) {
    option (google.api.http) = {
      get: "/v1/{parent=projects/*/locations/*}/certificateTemplates"
    };
    option (google.api.method_signature) = "parent";
  }

  // Update a [CertificateTemplate][google.cloud.security.privateca.v1.CertificateTemplate].
  rpc UpdateCertificateTemplate(UpdateCertificateTemplateRequest) returns (google.longrunning.Operation) {
    option (google.api.http) = {
      patch: "/v1/{certificate_template.name=projects/*/locations/*/certificateTemplates/*}"
      body: "certificate_template"
    };
    option (google.api.method_signature) = "certificate_template,update_mask";
    option (google.longrunning.operation_info) = {
      response_type: "CertificateTemplate"
      metadata_type: "OperationMetadata"
    };
  }
}

// Request message for [CertificateAuthorityService.CreateCertificate][google.cloud.security.privateca.v1.CertificateAuthorityService.CreateCertificate].
message CreateCertificateRequest {
  // Required. The resource name of the [CaPool][google.cloud.security.privateca.v1.CaPool] associated with the [Certificate][google.cloud.security.privateca.v1.Certificate],
  // in the format `projects/*/locations/*/caPools/*`.
  string parent = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "privateca.googleapis.com/CaPool"
    }
  ];

  // Optional. It must be unique within a location and match the regular
  // expression `[a-zA-Z0-9_-]{1,63}`. This field is required when using a
  // [CertificateAuthority][google.cloud.security.privateca.v1.CertificateAuthority] in the Enterprise [CertificateAuthority.Tier][],
  // but is optional and its value is ignored otherwise.
  string certificate_id = 2 [(google.api.field_behavior) = OPTIONAL];

  // Required. A [Certificate][google.cloud.security.privateca.v1.Certificate] with initial field values.
  Certificate certificate = 3 [(google.api.field_behavior) = REQUIRED];

  // Optional. An ID to identify requests. Specify a unique request ID so that if you must
  // retry your request, the server will know to ignore the request if it has
  // already been completed. The server will guarantee that for at least 60
  // minutes since the first request.
  //
  // For example, consider a situation where you make an initial request and t
  // he request times out. If you make the request again with the same request
  // ID, the server can check if original operation with the same request ID
  // was received, and if so, will ignore the second request. This prevents
  // clients from accidentally creating duplicate commitments.
  //
  // The request ID must be a valid UUID with the exception that zero UUID is
  // not supported (00000000-0000-0000-0000-000000000000).
  string request_id = 4 [(google.api.field_behavior) = OPTIONAL];

  // Optional. If this is true, no [Certificate][google.cloud.security.privateca.v1.Certificate] resource will be persisted regardless
  // of the [CaPool][google.cloud.security.privateca.v1.CaPool]'s [tier][google.cloud.security.privateca.v1.CaPool.tier], and the returned [Certificate][google.cloud.security.privateca.v1.Certificate]
  // will not contain the [pem_certificate][google.cloud.security.privateca.v1.Certificate.pem_certificate] field.
  bool validate_only = 5 [(google.api.field_behavior) = OPTIONAL];

  // Optional. The resource ID of the [CertificateAuthority][google.cloud.security.privateca.v1.CertificateAuthority] that should issue the
  // certificate.  This optional field will ignore the load-balancing scheme of
  // the Pool and directly issue the certificate from the CA with the specified
  // ID, contained in the same [CaPool][google.cloud.security.privateca.v1.CaPool] referenced by `parent`. Per-CA quota
  // rules apply. If left empty, a [CertificateAuthority][google.cloud.security.privateca.v1.CertificateAuthority] will be chosen from
  // the [CaPool][google.cloud.security.privateca.v1.CaPool] by the service. For example, to issue a [Certificate][google.cloud.security.privateca.v1.Certificate] from
  // a Certificate Authority with resource name
  // "projects/my-project/locations/us-central1/caPools/my-pool/certificateAuthorities/my-ca",
  // you can set the [parent][google.cloud.security.privateca.v1.CreateCertificateRequest.parent] to
  // "projects/my-project/locations/us-central1/caPools/my-pool" and the
  // [issuing_certificate_authority_id][google.cloud.security.privateca.v1.CreateCertificateRequest.issuing_certificate_authority_id] to "my-ca".
  string issuing_certificate_authority_id = 6 [(google.api.field_behavior) = OPTIONAL];
}

// Request message for
// [CertificateAuthorityService.GetCertificate][google.cloud.security.privateca.v1.CertificateAuthorityService.GetCertificate].
message GetCertificateRequest {
  // Required. The [name][google.cloud.security.privateca.v1.Certificate.name] of the [Certificate][google.cloud.security.privateca.v1.Certificate] to get.
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "privateca.googleapis.com/Certificate"
    }
  ];
}

// Request message for [CertificateAuthorityService.ListCertificates][google.cloud.security.privateca.v1.CertificateAuthorityService.ListCertificates].
message ListCertificatesRequest {
  // Required. The resource name of the location associated with the
  // [Certificates][google.cloud.security.privateca.v1.Certificate], in the format
  // `projects/*/locations/*/caPools/*`.
  string parent = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "privateca.googleapis.com/CaPool"
    }
  ];

  // Optional. Limit on the number of
  // [Certificates][google.cloud.security.privateca.v1.Certificate] to include in the
  // response. Further [Certificates][google.cloud.security.privateca.v1.Certificate] can subsequently be obtained
  // by including the
  // [ListCertificatesResponse.next_page_token][google.cloud.security.privateca.v1.ListCertificatesResponse.next_page_token] in a subsequent
  // request. If unspecified, the server will pick an appropriate default.
  int32 page_size = 2 [(google.api.field_behavior) = OPTIONAL];

  // Optional. Pagination token, returned earlier via
  // [ListCertificatesResponse.next_page_token][google.cloud.security.privateca.v1.ListCertificatesResponse.next_page_token].
  string page_token = 3 [(google.api.field_behavior) = OPTIONAL];

  // Optional. Only include resources that match the filter in the response. For details
  // on supported filters and syntax, see [Certificates Filtering
  // documentation](https://cloud.google.com/certificate-authority-service/docs/sorting-filtering-certificates#filtering_support).
  string filter = 4 [(google.api.field_behavior) = OPTIONAL];

  // Optional. Specify how the results should be sorted. For details on supported fields
  // and syntax, see [Certificates Sorting
  // documentation](https://cloud.google.com/certificate-authority-service/docs/sorting-filtering-certificates#sorting_support).
  string order_by = 5 [(google.api.field_behavior) = OPTIONAL];
}

// Response message for [CertificateAuthorityService.ListCertificates][google.cloud.security.privateca.v1.CertificateAuthorityService.ListCertificates].
message ListCertificatesResponse {
  // The list of [Certificates][google.cloud.security.privateca.v1.Certificate].
  repeated Certificate certificates = 1;

  // A token to retrieve next page of results. Pass this value in
  // [ListCertificatesRequest.next_page_token][] to retrieve the
  // next page of results.
  string next_page_token = 2;

  // A list of locations (e.g. "us-west1") that could not be reached.
  repeated string unreachable = 3;
}

// Request message for
// [CertificateAuthorityService.RevokeCertificate][google.cloud.security.privateca.v1.CertificateAuthorityService.RevokeCertificate].
message RevokeCertificateRequest {
  // Required. The resource name for this [Certificate][google.cloud.security.privateca.v1.Certificate] in the
  // format
  // `projects/*/locations/*/caPools/*/certificates/*`.
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "privateca.googleapis.com/Certificate"
    }
  ];

  // Required. The [RevocationReason][google.cloud.security.privateca.v1.RevocationReason] for revoking this certificate.
  RevocationReason reason = 2 [(google.api.field_behavior) = REQUIRED];

  // Optional. An ID to identify requests. Specify a unique request ID so that if you must
  // retry your request, the server will know to ignore the request if it has
  // already been completed. The server will guarantee that for at least 60
  // minutes since the first request.
  //
  // For example, consider a situation where you make an initial request and t
  // he request times out. If you make the request again with the same request
  // ID, the server can check if original operation with the same request ID
  // was received, and if so, will ignore the second request. This prevents
  // clients from accidentally creating duplicate commitments.
  //
  // The request ID must be a valid UUID with the exception that zero UUID is
  // not supported (00000000-0000-0000-0000-000000000000).
  string request_id = 3 [(google.api.field_behavior) = OPTIONAL];
}

// Request message for [CertificateAuthorityService.UpdateCertificate][google.cloud.security.privateca.v1.CertificateAuthorityService.UpdateCertificate].
message UpdateCertificateRequest {
  // Required. [Certificate][google.cloud.security.privateca.v1.Certificate] with updated values.
  Certificate certificate = 1 [(google.api.field_behavior) = REQUIRED];

  // Required. A list of fields to be updated in this request.
  google.protobuf.FieldMask update_mask = 2 [(google.api.field_behavior) = REQUIRED];

  // Optional. An ID to identify requests. Specify a unique request ID so that if you must
  // retry your request, the server will know to ignore the request if it has
  // already been completed. The server will guarantee that for at least 60
  // minutes since the first request.
  //
  // For example, consider a situation where you make an initial request and t
  // he request times out. If you make the request again with the same request
  // ID, the server can check if original operation with the same request ID
  // was received, and if so, will ignore the second request. This prevents
  // clients from accidentally creating duplicate commitments.
  //
  // The request ID must be a valid UUID with the exception that zero UUID is
  // not supported (00000000-0000-0000-0000-000000000000).
  string request_id = 3 [(google.api.field_behavior) = OPTIONAL];
}

// Request message for
// [CertificateAuthorityService.ActivateCertificateAuthority][google.cloud.security.privateca.v1.CertificateAuthorityService.ActivateCertificateAuthority].
message ActivateCertificateAuthorityRequest {
  // Required. The resource name for this [CertificateAuthority][google.cloud.security.privateca.v1.CertificateAuthority] in the
  // format `projects/*/locations/*/caPools/*/certificateAuthorities/*`.
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "privateca.googleapis.com/CertificateAuthority"
    }
  ];

  // Required. The signed CA certificate issued from
  // [FetchCertificateAuthorityCsrResponse.pem_csr][google.cloud.security.privateca.v1.FetchCertificateAuthorityCsrResponse.pem_csr].
  string pem_ca_certificate = 2 [(google.api.field_behavior) = REQUIRED];

  // Required. Must include information about the issuer of 'pem_ca_certificate', and any
  // further issuers until the self-signed CA.
  SubordinateConfig subordinate_config = 3 [(google.api.field_behavior) = REQUIRED];

  // Optional. An ID to identify requests. Specify a unique request ID so that if you must
  // retry your request, the server will know to ignore the request if it has
  // already been completed. The server will guarantee that for at least 60
  // minutes since the first request.
  //
  // For example, consider a situation where you make an initial request and t
  // he request times out. If you make the request again with the same request
  // ID, the server can check if original operation with the same request ID
  // was received, and if so, will ignore the second request. This prevents
  // clients from accidentally creating duplicate commitments.
  //
  // The request ID must be a valid UUID with the exception that zero UUID is
  // not supported (00000000-0000-0000-0000-000000000000).
  string request_id = 4 [(google.api.field_behavior) = OPTIONAL];
}

// Request message for
// [CertificateAuthorityService.CreateCertificateAuthority][google.cloud.security.privateca.v1.CertificateAuthorityService.CreateCertificateAuthority].
message CreateCertificateAuthorityRequest {
  // Required. The resource name of the [CaPool][google.cloud.security.privateca.v1.CaPool] associated with the
  // [CertificateAuthorities][google.cloud.security.privateca.v1.CertificateAuthority], in the format
  // `projects/*/locations/*/caPools/*`.
  string parent = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "privateca.googleapis.com/CaPool"
    }
  ];

  // Required. It must be unique within a location and match the regular
  // expression `[a-zA-Z0-9_-]{1,63}`
  string certificate_authority_id = 2 [(google.api.field_behavior) = REQUIRED];

  // Required. A [CertificateAuthority][google.cloud.security.privateca.v1.CertificateAuthority] with initial field values.
  CertificateAuthority certificate_authority = 3 [(google.api.field_behavior) = REQUIRED];

  // Optional. An ID to identify requests. Specify a unique request ID so that if you must
  // retry your request, the server will know to ignore the request if it has
  // already been completed. The server will guarantee that for at least 60
  // minutes since the first request.
  //
  // For example, consider a situation where you make an initial request and t
  // he request times out. If you make the request again with the same request
  // ID, the server can check if original operation with the same request ID
  // was received, and if so, will ignore the second request. This prevents
  // clients from accidentally creating duplicate commitments.
  //
  // The request ID must be a valid UUID with the exception that zero UUID is
  // not supported (00000000-0000-0000-0000-000000000000).
  string request_id = 4 [(google.api.field_behavior) = OPTIONAL];
}

// Request message for
// [CertificateAuthorityService.DisableCertificateAuthority][google.cloud.security.privateca.v1.CertificateAuthorityService.DisableCertificateAuthority].
message DisableCertificateAuthorityRequest {
  // Required. The resource name for this [CertificateAuthority][google.cloud.security.privateca.v1.CertificateAuthority] in the
  // format `projects/*/locations/*/caPools/*/certificateAuthorities/*`.
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "privateca.googleapis.com/CertificateAuthority"
    }
  ];

  // Optional. An ID to identify requests. Specify a unique request ID so that if you must
  // retry your request, the server will know to ignore the request if it has
  // already been completed. The server will guarantee that for at least 60
  // minutes since the first request.
  //
  // For example, consider a situation where you make an initial request and t
  // he request times out. If you make the request again with the same request
  // ID, the server can check if original operation with the same request ID
  // was received, and if so, will ignore the second request. This prevents
  // clients from accidentally creating duplicate commitments.
  //
  // The request ID must be a valid UUID with the exception that zero UUID is
  // not supported (00000000-0000-0000-0000-000000000000).
  string request_id = 2 [(google.api.field_behavior) = OPTIONAL];
}

// Request message for
// [CertificateAuthorityService.EnableCertificateAuthority][google.cloud.security.privateca.v1.CertificateAuthorityService.EnableCertificateAuthority].
message EnableCertificateAuthorityRequest {
  // Required. The resource name for this [CertificateAuthority][google.cloud.security.privateca.v1.CertificateAuthority] in the
  // format `projects/*/locations/*/caPools/*/certificateAuthorities/*`.
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "privateca.googleapis.com/CertificateAuthority"
    }
  ];

  // Optional. An ID to identify requests. Specify a unique request ID so that if you must
  // retry your request, the server will know to ignore the request if it has
  // already been completed. The server will guarantee that for at least 60
  // minutes since the first request.
  //
  // For example, consider a situation where you make an initial request and t
  // he request times out. If you make the request again with the same request
  // ID, the server can check if original operation with the same request ID
  // was received, and if so, will ignore the second request. This prevents
  // clients from accidentally creating duplicate commitments.
  //
  // The request ID must be a valid UUID with the exception that zero UUID is
  // not supported (00000000-0000-0000-0000-000000000000).
  string request_id = 2 [(google.api.field_behavior) = OPTIONAL];
}

// Request message for
// [CertificateAuthorityService.FetchCertificateAuthorityCsr][google.cloud.security.privateca.v1.CertificateAuthorityService.FetchCertificateAuthorityCsr].
message FetchCertificateAuthorityCsrRequest {
  // Required. The resource name for this [CertificateAuthority][google.cloud.security.privateca.v1.CertificateAuthority] in the
  // format `projects/*/locations/*/caPools/*/certificateAuthorities/*`.
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "privateca.googleapis.com/CertificateAuthority"
    }
  ];
}

// Response message for
// [CertificateAuthorityService.FetchCertificateAuthorityCsr][google.cloud.security.privateca.v1.CertificateAuthorityService.FetchCertificateAuthorityCsr].
message FetchCertificateAuthorityCsrResponse {
  // Output only. The PEM-encoded signed certificate signing request (CSR).
  string pem_csr = 1 [(google.api.field_behavior) = OUTPUT_ONLY];
}

// Request message for [CertificateAuthorityService.GetCertificateAuthority][google.cloud.security.privateca.v1.CertificateAuthorityService.GetCertificateAuthority].
message GetCertificateAuthorityRequest {
  // Required. The [name][google.cloud.security.privateca.v1.CertificateAuthority.name] of the [CertificateAuthority][google.cloud.security.privateca.v1.CertificateAuthority] to
  // get.
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "privateca.googleapis.com/CertificateAuthority"
    }
  ];
}

// Request message for
// [CertificateAuthorityService.ListCertificateAuthorities][google.cloud.security.privateca.v1.CertificateAuthorityService.ListCertificateAuthorities].
message ListCertificateAuthoritiesRequest {
  // Required. The resource name of the [CaPool][google.cloud.security.privateca.v1.CaPool] associated with the
  // [CertificateAuthorities][google.cloud.security.privateca.v1.CertificateAuthority], in the format
  // `projects/*/locations/*/caPools/*`.
  string parent = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "privateca.googleapis.com/CaPool"
    }
  ];

  // Optional. Limit on the number of [CertificateAuthorities][google.cloud.security.privateca.v1.CertificateAuthority] to
  // include in the response.
  // Further [CertificateAuthorities][google.cloud.security.privateca.v1.CertificateAuthority] can subsequently be
  // obtained by including the
  // [ListCertificateAuthoritiesResponse.next_page_token][google.cloud.security.privateca.v1.ListCertificateAuthoritiesResponse.next_page_token] in a subsequent
  // request. If unspecified, the server will pick an appropriate default.
  int32 page_size = 2 [(google.api.field_behavior) = OPTIONAL];

  // Optional. Pagination token, returned earlier via
  // [ListCertificateAuthoritiesResponse.next_page_token][google.cloud.security.privateca.v1.ListCertificateAuthoritiesResponse.next_page_token].
  string page_token = 3 [(google.api.field_behavior) = OPTIONAL];

  // Optional. Only include resources that match the filter in the response.
  string filter = 4 [(google.api.field_behavior) = OPTIONAL];

  // Optional. Specify how the results should be sorted.
  string order_by = 5 [(google.api.field_behavior) = OPTIONAL];
}

// Response message for
// [CertificateAuthorityService.ListCertificateAuthorities][google.cloud.security.privateca.v1.CertificateAuthorityService.ListCertificateAuthorities].
message ListCertificateAuthoritiesResponse {
  // The list of [CertificateAuthorities][google.cloud.security.privateca.v1.CertificateAuthority].
  repeated CertificateAuthority certificate_authorities = 1;

  // A token to retrieve next page of results. Pass this value in
  // [ListCertificateAuthoritiesRequest.next_page_token][] to retrieve the next
  // page of results.
  string next_page_token = 2;

  // A list of locations (e.g. "us-west1") that could not be reached.
  repeated string unreachable = 3;
}

// Request message for
// [CertificateAuthorityService.UndeleteCertificateAuthority][google.cloud.security.privateca.v1.CertificateAuthorityService.UndeleteCertificateAuthority].
message UndeleteCertificateAuthorityRequest {
  // Required. The resource name for this [CertificateAuthority][google.cloud.security.privateca.v1.CertificateAuthority] in the
  // format `projects/*/locations/*/caPools/*/certificateAuthorities/*`.
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "privateca.googleapis.com/CertificateAuthority"
    }
  ];

  // Optional. An ID to identify requests. Specify a unique request ID so that if you must
  // retry your request, the server will know to ignore the request if it has
  // already been completed. The server will guarantee that for at least 60
  // minutes since the first request.
  //
  // For example, consider a situation where you make an initial request and t
  // he request times out. If you make the request again with the same request
  // ID, the server can check if original operation with the same request ID
  // was received, and if so, will ignore the second request. This prevents
  // clients from accidentally creating duplicate commitments.
  //
  // The request ID must be a valid UUID with the exception that zero UUID is
  // not supported (00000000-0000-0000-0000-000000000000).
  string request_id = 2 [(google.api.field_behavior) = OPTIONAL];
}

// Request message for
// [CertificateAuthorityService.DeleteCertificateAuthority][google.cloud.security.privateca.v1.CertificateAuthorityService.DeleteCertificateAuthority].
message DeleteCertificateAuthorityRequest {
  // Required. The resource name for this [CertificateAuthority][google.cloud.security.privateca.v1.CertificateAuthority] in the
  // format `projects/*/locations/*/caPools/*/certificateAuthorities/*`.
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "privateca.googleapis.com/CertificateAuthority"
    }
  ];

  // Optional. An ID to identify requests. Specify a unique request ID so that if you must
  // retry your request, the server will know to ignore the request if it has
  // already been completed. The server will guarantee that for at least 60
  // minutes since the first request.
  //
  // For example, consider a situation where you make an initial request and t
  // he request times out. If you make the request again with the same request
  // ID, the server can check if original operation with the same request ID
  // was received, and if so, will ignore the second request. This prevents
  // clients from accidentally creating duplicate commitments.
  //
  // The request ID must be a valid UUID with the exception that zero UUID is
  // not supported (00000000-0000-0000-0000-000000000000).
  string request_id = 2 [(google.api.field_behavior) = OPTIONAL];

  // Optional. This field allows the CA to be deleted even if the CA has
  // active certs. Active certs include both unrevoked and unexpired certs.
  bool ignore_active_certificates = 4 [(google.api.field_behavior) = OPTIONAL];
}

// Request message for
// [CertificateAuthorityService.UpdateCertificateAuthority][google.cloud.security.privateca.v1.CertificateAuthorityService.UpdateCertificateAuthority].
message UpdateCertificateAuthorityRequest {
  // Required. [CertificateAuthority][google.cloud.security.privateca.v1.CertificateAuthority] with updated values.
  CertificateAuthority certificate_authority = 1 [(google.api.field_behavior) = REQUIRED];

  // Required. A list of fields to be updated in this request.
  google.protobuf.FieldMask update_mask = 2 [(google.api.field_behavior) = REQUIRED];

  // Optional. An ID to identify requests. Specify a unique request ID so that if you must
  // retry your request, the server will know to ignore the request if it has
  // already been completed. The server will guarantee that for at least 60
  // minutes since the first request.
  //
  // For example, consider a situation where you make an initial request and t
  // he request times out. If you make the request again with the same request
  // ID, the server can check if original operation with the same request ID
  // was received, and if so, will ignore the second request. This prevents
  // clients from accidentally creating duplicate commitments.
  //
  // The request ID must be a valid UUID with the exception that zero UUID is
  // not supported (00000000-0000-0000-0000-000000000000).
  string request_id = 3 [(google.api.field_behavior) = OPTIONAL];
}

// Request message for
// [CertificateAuthorityService.CreateCaPool][google.cloud.security.privateca.v1.CertificateAuthorityService.CreateCaPool].
message CreateCaPoolRequest {
  // Required. The resource name of the location associated with the
  // [CaPool][google.cloud.security.privateca.v1.CaPool], in the format `projects/*/locations/*`.
  string parent = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "locations.googleapis.com/Location"
    }
  ];

  // Required. It must be unique within a location and match the regular
  // expression `[a-zA-Z0-9_-]{1,63}`
  string ca_pool_id = 2 [(google.api.field_behavior) = REQUIRED];

  // Required. A [CaPool][google.cloud.security.privateca.v1.CaPool] with initial field values.
  CaPool ca_pool = 3 [(google.api.field_behavior) = REQUIRED];

  // Optional. An ID to identify requests. Specify a unique request ID so that if you must
  // retry your request, the server will know to ignore the request if it has
  // already been completed. The server will guarantee that for at least 60
  // minutes since the first request.
  //
  // For example, consider a situation where you make an initial request and t
  // he request times out. If you make the request again with the same request
  // ID, the server can check if original operation with the same request ID
  // was received, and if so, will ignore the second request. This prevents
  // clients from accidentally creating duplicate commitments.
  //
  // The request ID must be a valid UUID with the exception that zero UUID is
  // not supported (00000000-0000-0000-0000-000000000000).
  string request_id = 4 [(google.api.field_behavior) = OPTIONAL];
}

// Request message for
// [CertificateAuthorityService.UpdateCaPool][google.cloud.security.privateca.v1.CertificateAuthorityService.UpdateCaPool].
message UpdateCaPoolRequest {
  // Required. [CaPool][google.cloud.security.privateca.v1.CaPool] with updated values.
  CaPool ca_pool = 1 [(google.api.field_behavior) = REQUIRED];

  // Required. A list of fields to be updated in this request.
  google.protobuf.FieldMask update_mask = 2 [(google.api.field_behavior) = REQUIRED];

  // Optional. An ID to identify requests. Specify a unique request ID so that if you must
  // retry your request, the server will know to ignore the request if it has
  // already been completed. The server will guarantee that for at least 60
  // minutes since the first request.
  //
  // For example, consider a situation where you make an initial request and t
  // he request times out. If you make the request again with the same request
  // ID, the server can check if original operation with the same request ID
  // was received, and if so, will ignore the second request. This prevents
  // clients from accidentally creating duplicate commitments.
  //
  // The request ID must be a valid UUID with the exception that zero UUID is
  // not supported (00000000-0000-0000-0000-000000000000).
  string request_id = 3 [(google.api.field_behavior) = OPTIONAL];
}

// Request message for
// [CertificateAuthorityService.DeleteCaPool][google.cloud.security.privateca.v1.CertificateAuthorityService.DeleteCaPool].
message DeleteCaPoolRequest {
  // Required. The resource name for this [CaPool][google.cloud.security.privateca.v1.CaPool] in the
  // format `projects/*/locations/*/caPools/*`.
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "privateca.googleapis.com/CaPool"
    }
  ];

  // Optional. An ID to identify requests. Specify a unique request ID so that if you must
  // retry your request, the server will know to ignore the request if it has
  // already been completed. The server will guarantee that for at least 60
  // minutes since the first request.
  //
  // For example, consider a situation where you make an initial request and t
  // he request times out. If you make the request again with the same request
  // ID, the server can check if original operation with the same request ID
  // was received, and if so, will ignore the second request. This prevents
  // clients from accidentally creating duplicate commitments.
  //
  // The request ID must be a valid UUID with the exception that zero UUID is
  // not supported (00000000-0000-0000-0000-000000000000).
  string request_id = 2 [(google.api.field_behavior) = OPTIONAL];
}

// Request message for
// [CertificateAuthorityService.FetchCaCerts][google.cloud.security.privateca.v1.CertificateAuthorityService.FetchCaCerts].
message FetchCaCertsRequest {
  // Required. The resource name for the [CaPool][google.cloud.security.privateca.v1.CaPool] in the
  // format `projects/*/locations/*/caPools/*`.
  string ca_pool = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "privateca.googleapis.com/CaPool"
    }
  ];

  // Optional. An ID to identify requests. Specify a unique request ID so that if you must
  // retry your request, the server will know to ignore the request if it has
  // already been completed. The server will guarantee that for at least 60
  // minutes since the first request.
  //
  // For example, consider a situation where you make an initial request and t
  // he request times out. If you make the request again with the same request
  // ID, the server can check if original operation with the same request ID
  // was received, and if so, will ignore the second request. This prevents
  // clients from accidentally creating duplicate commitments.
  //
  // The request ID must be a valid UUID with the exception that zero UUID is
  // not supported (00000000-0000-0000-0000-000000000000).
  string request_id = 2 [(google.api.field_behavior) = OPTIONAL];
}

// Response message for
// [CertificateAuthorityService.FetchCaCerts][google.cloud.security.privateca.v1.CertificateAuthorityService.FetchCaCerts].
message FetchCaCertsResponse {
  message CertChain {
    // The certificates that form the CA chain, from leaf to root order.
    repeated string certificates = 1;
  }

  // The PEM encoded CA certificate chains of all
  // [ACTIVE][CertificateAuthority.State.ACTIVE] [CertificateAuthority][google.cloud.security.privateca.v1.CertificateAuthority]
  // resources in this [CaPool][google.cloud.security.privateca.v1.CaPool].
  repeated CertChain ca_certs = 1;
}

// Request message for [CertificateAuthorityService.GetCaPool][google.cloud.security.privateca.v1.CertificateAuthorityService.GetCaPool].
message GetCaPoolRequest {
  // Required. The [name][google.cloud.security.privateca.v1.CaPool.name] of the [CaPool][google.cloud.security.privateca.v1.CaPool] to get.
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "privateca.googleapis.com/CaPool"
    }
  ];
}

// Request message for
// [CertificateAuthorityService.ListCaPools][google.cloud.security.privateca.v1.CertificateAuthorityService.ListCaPools].
message ListCaPoolsRequest {
  // Required. The resource name of the location associated with the
  // [CaPools][google.cloud.security.privateca.v1.CaPool], in the format
  // `projects/*/locations/*`.
  string parent = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "locations.googleapis.com/Location"
    }
  ];

  // Optional. Limit on the number of [CaPools][google.cloud.security.privateca.v1.CaPool] to
  // include in the response.
  // Further [CaPools][google.cloud.security.privateca.v1.CaPool] can subsequently be
  // obtained by including the
  // [ListCaPoolsResponse.next_page_token][google.cloud.security.privateca.v1.ListCaPoolsResponse.next_page_token] in a subsequent
  // request. If unspecified, the server will pick an appropriate default.
  int32 page_size = 2 [(google.api.field_behavior) = OPTIONAL];

  // Optional. Pagination token, returned earlier via
  // [ListCaPoolsResponse.next_page_token][google.cloud.security.privateca.v1.ListCaPoolsResponse.next_page_token].
  string page_token = 3 [(google.api.field_behavior) = OPTIONAL];

  // Optional. Only include resources that match the filter in the response.
  string filter = 4 [(google.api.field_behavior) = OPTIONAL];

  // Optional. Specify how the results should be sorted.
  string order_by = 5 [(google.api.field_behavior) = OPTIONAL];
}

// Response message for
// [CertificateAuthorityService.ListCaPools][google.cloud.security.privateca.v1.CertificateAuthorityService.ListCaPools].
message ListCaPoolsResponse {
  // The list of [CaPools][google.cloud.security.privateca.v1.CaPool].
  repeated CaPool ca_pools = 1;

  // A token to retrieve next page of results. Pass this value in
  // [ListCertificateAuthoritiesRequest.next_page_token][] to retrieve the next
  // page of results.
  string next_page_token = 2;

  // A list of locations (e.g. "us-west1") that could not be reached.
  repeated string unreachable = 3;
}

// Request message for
// [CertificateAuthorityService.GetCertificateRevocationList][google.cloud.security.privateca.v1.CertificateAuthorityService.GetCertificateRevocationList].
message GetCertificateRevocationListRequest {
  // Required. The [name][google.cloud.security.privateca.v1.CertificateRevocationList.name] of the
  // [CertificateRevocationList][google.cloud.security.privateca.v1.CertificateRevocationList] to get.
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "privateca.googleapis.com/CertificateRevocationList"
    }
  ];
}

// Request message for
// [CertificateAuthorityService.ListCertificateRevocationLists][google.cloud.security.privateca.v1.CertificateAuthorityService.ListCertificateRevocationLists].
message ListCertificateRevocationListsRequest {
  // Required. The resource name of the location associated with the
  // [CertificateRevocationLists][google.cloud.security.privateca.v1.CertificateRevocationList], in the format
  // `projects/*/locations/*/caPools/*/certificateAuthorities/*`.
  string parent = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "privateca.googleapis.com/CertificateAuthority"
    }
  ];

  // Optional. Limit on the number of
  // [CertificateRevocationLists][google.cloud.security.privateca.v1.CertificateRevocationList] to include in the
  // response. Further [CertificateRevocationLists][google.cloud.security.privateca.v1.CertificateRevocationList]
  // can subsequently be obtained by including the
  // [ListCertificateRevocationListsResponse.next_page_token][google.cloud.security.privateca.v1.ListCertificateRevocationListsResponse.next_page_token] in a subsequent
  // request. If unspecified, the server will pick an appropriate default.
  int32 page_size = 2 [(google.api.field_behavior) = OPTIONAL];

  // Optional. Pagination token, returned earlier via
  // [ListCertificateRevocationListsResponse.next_page_token][google.cloud.security.privateca.v1.ListCertificateRevocationListsResponse.next_page_token].
  string page_token = 3 [(google.api.field_behavior) = OPTIONAL];

  // Optional. Only include resources that match the filter in the response.
  string filter = 4 [(google.api.field_behavior) = OPTIONAL];

  // Optional. Specify how the results should be sorted.
  string order_by = 5 [(google.api.field_behavior) = OPTIONAL];
}

// Response message for
// [CertificateAuthorityService.ListCertificateRevocationLists][google.cloud.security.privateca.v1.CertificateAuthorityService.ListCertificateRevocationLists].
message ListCertificateRevocationListsResponse {
  // The list of [CertificateRevocationLists][google.cloud.security.privateca.v1.CertificateRevocationList].
  repeated CertificateRevocationList certificate_revocation_lists = 1;

  // A token to retrieve next page of results. Pass this value in
  // [ListCertificateRevocationListsRequest.next_page_token][] to retrieve the
  // next page of results.
  string next_page_token = 2;

  // A list of locations (e.g. "us-west1") that could not be reached.
  repeated string unreachable = 3;
}

// Request message for
// [CertificateAuthorityService.UpdateCertificateRevocationList][google.cloud.security.privateca.v1.CertificateAuthorityService.UpdateCertificateRevocationList].
message UpdateCertificateRevocationListRequest {
  // Required. [CertificateRevocationList][google.cloud.security.privateca.v1.CertificateRevocationList] with updated values.
  CertificateRevocationList certificate_revocation_list = 1 [(google.api.field_behavior) = REQUIRED];

  // Required. A list of fields to be updated in this request.
  google.protobuf.FieldMask update_mask = 2 [(google.api.field_behavior) = REQUIRED];

  // Optional. An ID to identify requests. Specify a unique request ID so that if you must
  // retry your request, the server will know to ignore the request if it has
  // already been completed. The server will guarantee that for at least 60
  // minutes since the first request.
  //
  // For example, consider a situation where you make an initial request and t
  // he request times out. If you make the request again with the same request
  // ID, the server can check if original operation with the same request ID
  // was received, and if so, will ignore the second request. This prevents
  // clients from accidentally creating duplicate commitments.
  //
  // The request ID must be a valid UUID with the exception that zero UUID is
  // not supported (00000000-0000-0000-0000-000000000000).
  string request_id = 3 [(google.api.field_behavior) = OPTIONAL];
}

// Request message for
// [CertificateAuthorityService.CreateCertificateTemplate][google.cloud.security.privateca.v1.CertificateAuthorityService.CreateCertificateTemplate].
message CreateCertificateTemplateRequest {
  // Required. The resource name of the location associated with the
  // [CertificateTemplate][google.cloud.security.privateca.v1.CertificateTemplate], in the format
  // `projects/*/locations/*`.
  string parent = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "locations.googleapis.com/Location"
    }
  ];

  // Required. It must be unique within a location and match the regular
  // expression `[a-zA-Z0-9_-]{1,63}`
  string certificate_template_id = 2 [(google.api.field_behavior) = REQUIRED];

  // Required. A [CertificateTemplate][google.cloud.security.privateca.v1.CertificateTemplate] with initial field values.
  CertificateTemplate certificate_template = 3 [(google.api.field_behavior) = REQUIRED];

  // Optional. An ID to identify requests. Specify a unique request ID so that if you must
  // retry your request, the server will know to ignore the request if it has
  // already been completed. The server will guarantee that for at least 60
  // minutes since the first request.
  //
  // For example, consider a situation where you make an initial request and t
  // he request times out. If you make the request again with the same request
  // ID, the server can check if original operation with the same request ID
  // was received, and if so, will ignore the second request. This prevents
  // clients from accidentally creating duplicate commitments.
  //
  // The request ID must be a valid UUID with the exception that zero UUID is
  // not supported (00000000-0000-0000-0000-000000000000).
  string request_id = 4 [(google.api.field_behavior) = OPTIONAL];
}

// Request message for
// [CertificateAuthorityService.DeleteCertificateTemplate][google.cloud.security.privateca.v1.CertificateAuthorityService.DeleteCertificateTemplate].
message DeleteCertificateTemplateRequest {
  // Required. The resource name for this [CertificateTemplate][google.cloud.security.privateca.v1.CertificateTemplate] in the format
  // `projects/*/locations/*/certificateTemplates/*`.
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "privateca.googleapis.com/CertificateTemplate"
    }
  ];

  // Optional. An ID to identify requests. Specify a unique request ID so that if you must
  // retry your request, the server will know to ignore the request if it has
  // already been completed. The server will guarantee that for at least 60
  // minutes since the first request.
  //
  // For example, consider a situation where you make an initial request and t
  // he request times out. If you make the request again with the same request
  // ID, the server can check if original operation with the same request ID
  // was received, and if so, will ignore the second request. This prevents
  // clients from accidentally creating duplicate commitments.
  //
  // The request ID must be a valid UUID with the exception that zero UUID is
  // not supported (00000000-0000-0000-0000-000000000000).
  string request_id = 2 [(google.api.field_behavior) = OPTIONAL];
}

// Request message for
// [CertificateAuthorityService.GetCertificateTemplate][google.cloud.security.privateca.v1.CertificateAuthorityService.GetCertificateTemplate].
message GetCertificateTemplateRequest {
  // Required. The [name][google.cloud.security.privateca.v1.CertificateTemplate.name] of the [CertificateTemplate][google.cloud.security.privateca.v1.CertificateTemplate] to
  // get.
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "privateca.googleapis.com/CertificateTemplate"
    }
  ];
}

// Request message for
// [CertificateAuthorityService.ListCertificateTemplates][google.cloud.security.privateca.v1.CertificateAuthorityService.ListCertificateTemplates].
message ListCertificateTemplatesRequest {
  // Required. The resource name of the location associated with the
  // [CertificateTemplates][google.cloud.security.privateca.v1.CertificateTemplate], in the format
  // `projects/*/locations/*`.
  string parent = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "locations.googleapis.com/Location"
    }
  ];

  // Optional. Limit on the number of
  // [CertificateTemplates][google.cloud.security.privateca.v1.CertificateTemplate] to include in the response.
  // Further [CertificateTemplates][google.cloud.security.privateca.v1.CertificateTemplate] can subsequently be
  // obtained by including the
  // [ListCertificateTemplatesResponse.next_page_token][google.cloud.security.privateca.v1.ListCertificateTemplatesResponse.next_page_token] in a subsequent
  // request. If unspecified, the server will pick an appropriate default.
  int32 page_size = 2 [(google.api.field_behavior) = OPTIONAL];

  // Optional. Pagination token, returned earlier via
  // [ListCertificateTemplatesResponse.next_page_token][google.cloud.security.privateca.v1.ListCertificateTemplatesResponse.next_page_token].
  string page_token = 3 [(google.api.field_behavior) = OPTIONAL];

  // Optional. Only include resources that match the filter in the response.
  string filter = 4 [(google.api.field_behavior) = OPTIONAL];

  // Optional. Specify how the results should be sorted.
  string order_by = 5 [(google.api.field_behavior) = OPTIONAL];
}

// Response message for
// [CertificateAuthorityService.ListCertificateTemplates][google.cloud.security.privateca.v1.CertificateAuthorityService.ListCertificateTemplates].
message ListCertificateTemplatesResponse {
  // The list of [CertificateTemplates][google.cloud.security.privateca.v1.CertificateTemplate].
  repeated CertificateTemplate certificate_templates = 1;

  // A token to retrieve next page of results. Pass this value in
  // [ListCertificateTemplatesRequest.next_page_token][] to retrieve
  // the next page of results.
  string next_page_token = 2;

  // A list of locations (e.g. "us-west1") that could not be reached.
  repeated string unreachable = 3;
}

// Request message for
// [CertificateAuthorityService.UpdateCertificateTemplate][google.cloud.security.privateca.v1.CertificateAuthorityService.UpdateCertificateTemplate].
message UpdateCertificateTemplateRequest {
  // Required. [CertificateTemplate][google.cloud.security.privateca.v1.CertificateTemplate] with updated values.
  CertificateTemplate certificate_template = 1 [(google.api.field_behavior) = REQUIRED];

  // Required. A list of fields to be updated in this request.
  google.protobuf.FieldMask update_mask = 2 [(google.api.field_behavior) = REQUIRED];

  // Optional. An ID to identify requests. Specify a unique request ID so that if you must
  // retry your request, the server will know to ignore the request if it has
  // already been completed. The server will guarantee that for at least 60
  // minutes since the first request.
  //
  // For example, consider a situation where you make an initial request and t
  // he request times out. If you make the request again with the same request
  // ID, the server can check if original operation with the same request ID
  // was received, and if so, will ignore the second request. This prevents
  // clients from accidentally creating duplicate commitments.
  //
  // The request ID must be a valid UUID with the exception that zero UUID is
  // not supported (00000000-0000-0000-0000-000000000000).
  string request_id = 3 [(google.api.field_behavior) = OPTIONAL];
}

// Represents the metadata of the long-running operation.
message OperationMetadata {
  // Output only. The time the operation was created.
  google.protobuf.Timestamp create_time = 1 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The time the operation finished running.
  google.protobuf.Timestamp end_time = 2 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. Server-defined resource path for the target of the operation.
  string target = 3 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. Name of the verb executed by the operation.
  string verb = 4 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. Human-readable status of the operation, if any.
  string status_message = 5 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. Identifies whether the user has requested cancellation
  // of the operation. Operations that have successfully been cancelled
  // have [Operation.error][] value with a [google.rpc.Status.code][google.rpc.Status.code] of 1,
  // corresponding to `Code.CANCELLED`.
  bool requested_cancellation = 6 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. API version used to start the operation.
  string api_version = 7 [(google.api.field_behavior) = OUTPUT_ONLY];
}