feat: [security] add allow_requester_specified_not_before_time and requested_not_before_time fields to PrivateCA v1 API

packages/google-cloud-security-privateca/protos/google/cloud/security/privateca/v1/resources.proto

@@ -1,4 +1,4 @@
-// Copyright 2025 Google LLC
+// Copyright 2026 Google LLC
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -505,16 +505,33 @@ message CaPool {
     repeated AllowedKeyType allowed_key_types = 1
         [(google.api.field_behavior) = OPTIONAL];
 
-    // Optional. The duration to backdate all certificates issued from this
-    // [CaPool][google.cloud.security.privateca.v1.CaPool]. If not set, the
-    // certificates will be issued with a not_before_time of the issuance time
-    // (i.e. the current time). If set, the certificates will be issued with a
-    // not_before_time of the issuance time minus the backdate_duration. The
-    // not_after_time will be adjusted to preserve the requested lifetime. The
-    // backdate_duration must be less than or equal to 48 hours.
+    // Optional. If set, all certificates issued from this
+    // [CaPool][google.cloud.security.privateca.v1.CaPool] will be backdated by
+    // this duration. The 'not_before_time' will be the issuance time minus this
+    // [backdate_duration][google.cloud.security.privateca.v1.CaPool.IssuancePolicy.backdate_duration],
+    // and the 'not_after_time' will be adjusted to preserve the requested
+    // lifetime. The maximum duration that a certificate can be backdated with
+    // these options is 48 hours in the past.
+    // This option cannot be set if
+    // [allow_requester_specified_not_before_time][google.cloud.security.privateca.v1.CaPool.IssuancePolicy.allow_requester_specified_not_before_time]
+    // is set.
     google.protobuf.Duration backdate_duration = 7
         [(google.api.field_behavior) = OPTIONAL];
 
+    // Optional. If set to true, allows requesters to specify the
+    // [requested_not_before_time][google.cloud.security.privateca.v1.Certificate.requested_not_before_time]
+    // field when creating a
+    // [Certificate][google.cloud.security.privateca.v1.Certificate].
+    // Certificates requested with this option enabled will have a
+    // 'not_before_time' equal to the value specified in the request. The
+    // 'not_after_time' will be adjusted to preserve the requested lifetime. The
+    // maximum time that a certificate can be backdated with these options is 48
+    // hours in the past. This option cannot be set if
+    // [backdate_duration][google.cloud.security.privateca.v1.CaPool.IssuancePolicy.backdate_duration]
+    // is set.
+    bool allow_requester_specified_not_before_time = 8
+        [(google.api.field_behavior) = OPTIONAL];
+
     // Optional. The maximum lifetime allowed for issued
     // [Certificates][google.cloud.security.privateca.v1.Certificate]. Note that
     // if the issuing
@@ -601,10 +618,24 @@ message CaPool {
   PublishingOptions publishing_options = 4
       [(google.api.field_behavior) = OPTIONAL];
 
+  // Optional. When
+  // [EncryptionSpec][google.cloud.security.privateca.v1.EncryptionSpec] is
+  // provided, the [Subject][google.cloud.security.privateca.v1.Subject],
+  // [SubjectAltNames][google.cloud.security.privateca.v1.SubjectAltNames], and
+  // the PEM-encoded certificate fields will be encrypted at rest.
+  EncryptionSpec encryption_spec = 8 [(google.api.field_behavior) = OPTIONAL];
+
   // Optional. Labels with user-defined metadata.
   map<string, string> labels = 5 [(google.api.field_behavior) = OPTIONAL];
 }
 
+// The configuration used for encrypting data at rest.
+message EncryptionSpec {
+  // The resource name for a Cloud KMS key in the format
+  // `projects/*/locations/*/keyRings/*/cryptoKeys/*`.
+  string cloud_kms_key = 1;
+}
+
 // A
 // [CertificateRevocationList][google.cloud.security.privateca.v1.CertificateRevocationList]
 // corresponds to a signed X.509 certificate Revocation List (CRL). A CRL
@@ -809,6 +840,23 @@ message Certificate {
 
   // Optional. Labels with user-defined metadata.
   map<string, string> labels = 14 [(google.api.field_behavior) = OPTIONAL];
+
+  // Optional. The requested
+  // [not_before_time][google.cloud.security.privateca.v1.CertificateDescription.SubjectDescription.not_before_time]
+  // of this [Certificate][google.cloud.security.privateca.v1.Certificate]. This
+  // field may only be set if the
+  // [CaPool.IssuancePolicy.allow_requester_specified_not_before_time][google.cloud.security.privateca.v1.CaPool.IssuancePolicy.allow_requester_specified_not_before_time]
+  // field is set to true for the issuing
+  // [CaPool][google.cloud.security.privateca.v1.CaPool].
+  //
+  // If this field is specified, the certificate will be issued with this
+  // 'not_before_time'. If this is not specified, the 'not_before_time' will be
+  // set to the issuance time or issuance time minus
+  // [backdate_duration][google.cloud.security.privateca.v1.CaPool.IssuancePolicy.backdate_duration]
+  // depending on the [CaPool][google.cloud.security.privateca.v1.CaPool]
+  // configuration.
+  google.protobuf.Timestamp requested_not_before_time = 15
+      [(google.api.field_behavior) = OPTIONAL];
 }
 
 // A

packages/google-cloud-security-privateca/protos/google/cloud/security/privateca/v1/service.proto

@@ -1,4 +1,4 @@
-// Copyright 2025 Google LLC
+// Copyright 2026 Google LLC
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -505,9 +505,18 @@ message GetCertificateRequest {
 // Request message for
 // [CertificateAuthorityService.ListCertificates][google.cloud.security.privateca.v1.CertificateAuthorityService.ListCertificates].
 message ListCertificatesRequest {
-  // Required. The resource name of the location associated with the
+  // Required. The resource name of the parent associated with the
   // [Certificates][google.cloud.security.privateca.v1.Certificate], in the
-  // format `projects/*/locations/*/caPools/*`.
+  // format `projects/*/locations/*/caPools/*`. The parent resource name can be
+  // in one of two forms:
+  //
+  // 1.  **Specific CA Pool:** To list certificates within a single CA Pool:
+  //     `projects/*/locations/*/caPools/*`
+  //
+  // 2.  **All CA Pools in a Location:** To list certificates across *all* CA
+  //     Pools in a given project and location, use the wildcard character (`-`)
+  //     in place of the CA Pool ID.
+  //     Example: `projects/*/locations/*/caPools/-`
   string parent = 1 [
     (google.api.field_behavior) = REQUIRED,
     (google.api.resource_reference) = {

packages/google-cloud-security-privateca/protos/protos.d.ts

@@ -600,6 +600,9 @@ export namespace google {
                         /** CaPool publishingOptions */
                         publishingOptions?: (google.cloud.security.privateca.v1.CaPool.IPublishingOptions|null);
 
+                        /** CaPool encryptionSpec */
+                        encryptionSpec?: (google.cloud.security.privateca.v1.IEncryptionSpec|null);
+
                         /** CaPool labels */
                         labels?: ({ [k: string]: string }|null);
                     }
@@ -625,6 +628,9 @@ export namespace google {
                         /** CaPool publishingOptions. */
                         public publishingOptions?: (google.cloud.security.privateca.v1.CaPool.IPublishingOptions|null);
 
+                        /** CaPool encryptionSpec. */
+                        public encryptionSpec?: (google.cloud.security.privateca.v1.IEncryptionSpec|null);
+
                         /** CaPool labels. */
                         public labels: { [k: string]: string };
 
@@ -843,6 +849,9 @@ export namespace google {
                             /** IssuancePolicy backdateDuration */
                             backdateDuration?: (google.protobuf.IDuration|null);
 
+                            /** IssuancePolicy allowRequesterSpecifiedNotBeforeTime */
+                            allowRequesterSpecifiedNotBeforeTime?: (boolean|null);
+
                             /** IssuancePolicy maximumLifetime */
                             maximumLifetime?: (google.protobuf.IDuration|null);
 
@@ -874,6 +883,9 @@ export namespace google {
                             /** IssuancePolicy backdateDuration. */
                             public backdateDuration?: (google.protobuf.IDuration|null);
 
+                            /** IssuancePolicy allowRequesterSpecifiedNotBeforeTime. */
+                            public allowRequesterSpecifiedNotBeforeTime: boolean;
+
                             /** IssuancePolicy maximumLifetime. */
                             public maximumLifetime?: (google.protobuf.IDuration|null);
 
@@ -1394,6 +1406,103 @@ export namespace google {
                         }
                     }
 
+                    /** Properties of an EncryptionSpec. */
+                    interface IEncryptionSpec {
+
+                        /** EncryptionSpec cloudKmsKey */
+                        cloudKmsKey?: (string|null);
+                    }
+
+                    /** Represents an EncryptionSpec. */
+                    class EncryptionSpec implements IEncryptionSpec {
+
+                        /**
+                         * Constructs a new EncryptionSpec.
+                         * @param [properties] Properties to set
+                         */
+                        constructor(properties?: google.cloud.security.privateca.v1.IEncryptionSpec);
+
+                        /** EncryptionSpec cloudKmsKey. */
+                        public cloudKmsKey: string;
+
+                        /**
+                         * Creates a new EncryptionSpec instance using the specified properties.
+                         * @param [properties] Properties to set
+                         * @returns EncryptionSpec instance
+                         */
+                        public static create(properties?: google.cloud.security.privateca.v1.IEncryptionSpec): google.cloud.security.privateca.v1.EncryptionSpec;
+
+                        /**
+                         * Encodes the specified EncryptionSpec message. Does not implicitly {@link google.cloud.security.privateca.v1.EncryptionSpec.verify|verify} messages.
+                         * @param message EncryptionSpec message or plain object to encode
+                         * @param [writer] Writer to encode to
+                         * @returns Writer
+                         */
+                        public static encode(message: google.cloud.security.privateca.v1.IEncryptionSpec, writer?: $protobuf.Writer): $protobuf.Writer;
+
+                        /**
+                         * Encodes the specified EncryptionSpec message, length delimited. Does not implicitly {@link google.cloud.security.privateca.v1.EncryptionSpec.verify|verify} messages.
+                         * @param message EncryptionSpec message or plain object to encode
+                         * @param [writer] Writer to encode to
+                         * @returns Writer
+                         */
+                        public static encodeDelimited(message: google.cloud.security.privateca.v1.IEncryptionSpec, writer?: $protobuf.Writer): $protobuf.Writer;
+
+                        /**
+                         * Decodes an EncryptionSpec message from the specified reader or buffer.
+                         * @param reader Reader or buffer to decode from
+                         * @param [length] Message length if known beforehand
+                         * @returns EncryptionSpec
+                         * @throws {Error} If the payload is not a reader or valid buffer
+                         * @throws {$protobuf.util.ProtocolError} If required fields are missing
+                         */
+                        public static decode(reader: ($protobuf.Reader|Uint8Array), length?: number): google.cloud.security.privateca.v1.EncryptionSpec;
+
+                        /**
+                         * Decodes an EncryptionSpec message from the specified reader or buffer, length delimited.
+                         * @param reader Reader or buffer to decode from
+                         * @returns EncryptionSpec
+                         * @throws {Error} If the payload is not a reader or valid buffer
+                         * @throws {$protobuf.util.ProtocolError} If required fields are missing
+                         */
+                        public static decodeDelimited(reader: ($protobuf.Reader|Uint8Array)): google.cloud.security.privateca.v1.EncryptionSpec;
+
+                        /**
+                         * Verifies an EncryptionSpec message.
+                         * @param message Plain object to verify
+                         * @returns `null` if valid, otherwise the reason why it is not
+                         */
+                        public static verify(message: { [k: string]: any }): (string|null);
+
+                        /**
+                         * Creates an EncryptionSpec message from a plain object. Also converts values to their respective internal types.
+                         * @param object Plain object
+                         * @returns EncryptionSpec
+                         */
+                        public static fromObject(object: { [k: string]: any }): google.cloud.security.privateca.v1.EncryptionSpec;
+
+                        /**
+                         * Creates a plain object from an EncryptionSpec message. Also converts values to other types if specified.
+                         * @param message EncryptionSpec
+                         * @param [options] Conversion options
+                         * @returns Plain object
+                         */
+                        public static toObject(message: google.cloud.security.privateca.v1.EncryptionSpec, options?: $protobuf.IConversionOptions): { [k: string]: any };
+
+                        /**
+                         * Converts this EncryptionSpec to JSON.
+                         * @returns JSON object
+                         */
+                        public toJSON(): { [k: string]: any };
+
+                        /**
+                         * Gets the default type url for EncryptionSpec
+                         * @param [typeUrlPrefix] your custom typeUrlPrefix(default "type.googleapis.com")
+                         * @returns The default type url
+                         */
+                        public static getTypeUrl(typeUrlPrefix?: string): string;
+                    }
+
                     /** Properties of a CertificateRevocationList. */
                     interface ICertificateRevocationList {
 
@@ -1708,6 +1817,9 @@ export namespace google {
 
                         /** Certificate labels */
                         labels?: ({ [k: string]: string }|null);
+
+                        /** Certificate requestedNotBeforeTime */
+                        requestedNotBeforeTime?: (google.protobuf.ITimestamp|null);
                     }
 
                     /** Represents a Certificate. */
@@ -1761,6 +1873,9 @@ export namespace google {
                         /** Certificate labels. */
                         public labels: { [k: string]: string };
 
+                        /** Certificate requestedNotBeforeTime. */
+                        public requestedNotBeforeTime?: (google.protobuf.ITimestamp|null);
+
                         /** Certificate certificateConfig. */
                         public certificateConfig?: ("pemCsr"|"config");