GoogleCloudPlatform
diff --git a/‎privateca/cloud-client/src/main/java/privateca/ActivateSubordinateCa.java
+133 b/‎privateca/cloud-client/src/main/java/privateca/ActivateSubordinateCa.java
+133
diff --git a/‎privateca/cloud-client/src/main/java/privateca/CreateCertificate_CSR.java
+108 b/‎privateca/cloud-client/src/main/java/privateca/CreateCertificate_CSR.java
+108
diff --git a/‎privateca/cloud-client/src/main/java/privateca/CreateSubordinateCa.java
+132 b/‎privateca/cloud-client/src/main/java/privateca/CreateSubordinateCa.java
+132
@@ -0,0 +1,133 @@
+/*
+ * Copyright 2021 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package privateca;
+
+// [START privateca_activate_subordinateca]
+
+import com.google.api.core.ApiFuture;
+import com.google.cloud.security.privateca.v1.ActivateCertificateAuthorityRequest;
+import com.google.cloud.security.privateca.v1.CertificateAuthorityName;
+import com.google.cloud.security.privateca.v1.CertificateAuthorityServiceClient;
+import com.google.cloud.security.privateca.v1.SubordinateConfig;
+import com.google.longrunning.Operation;
+import java.io.IOException;
+import java.util.concurrent.ExecutionException;
+import java.util.concurrent.TimeUnit;
+
+public class ActivateSubordinateCa {
+
+  public static void main(String[] args)
+      throws InterruptedException, ExecutionException, IOException {
+    // TODO(developer): Replace these variables before running the sample.
+
+    // location: For a list of locations, see:
+    // https://cloud.google.com/certificate-authority-service/docs/locations
+    // pool_Id: Set a unique id for the CA pool.
+    // subordinateCaName: The CA to be activated.
+    // pemCACertificate: The signed certificate, obtained by signing the CSR.
+    String project = "your-project-id";
+    String location = "ca-location";
+    String pool_Id = "ca-pool-id";
+    String subordinateCaName = "subordinate-certificate-authority-name";
+    String pemCACertificate =
+        "-----BEGIN CERTIFICATE-----\n" + "sample-pem-certificate\n" + "-----END CERTIFICATE-----";
+
+    // certificateAuthorityName: The name of the certificate authority which signed the CSR.
+    // If an external CA (CA not present in Google Cloud) was used for signing,
+    // then use the CA's issuerCertificateChain.
+    String certificateAuthorityName = "certificate-authority-name";
+
+    activateSubordinateCA(
+        project, location, pool_Id, certificateAuthorityName, subordinateCaName, pemCACertificate);
+  }
+
+  // Activate a subordinate CA.
+  // *Prerequisite*: Get the CSR of the subordinate CA signed by another CA. Pass in the signed
+  // certificate and (issuer CA's name or the issuer CA's Certificate chain).
+  // *Post*: After activating the subordinate CA, it should be enabled before issuing certificates.
+  public static void activateSubordinateCA(
+      String project,
+      String location,
+      String pool_Id,
+      String certificateAuthorityName,
+      String subordinateCaName,
+      String pemCACertificate)
+      throws ExecutionException, InterruptedException, IOException {
+    // Initialize client that will be used to send requests. This client only needs to be created
+    // once, and can be reused for multiple requests. After completing all of your requests, call
+    // the `certificateAuthorityServiceClient.close()` method on the client to safely
+    // clean up any remaining background resources.
+    try (CertificateAuthorityServiceClient certificateAuthorityServiceClient =
+        CertificateAuthorityServiceClient.create()) {
+      // Subordinate CA parent.
+      String subordinateCaParent =
+          CertificateAuthorityName.of(project, location, pool_Id, subordinateCaName).toString();
+
+      // Construct the "Activate CA Request".
+      ActivateCertificateAuthorityRequest activateCertificateAuthorityRequest =
+          ActivateCertificateAuthorityRequest.newBuilder()
+              .setName(subordinateCaParent)
+              // The signed certificate.
+              .setPemCaCertificate(pemCACertificate)
+              .setSubordinateConfig(
+                  SubordinateConfig.newBuilder()
+                      // Follow one of the below methods:
+
+                      // Method 1: If issuer CA is in Google Cloud, set the Certificate Authority
+                      // Name.
+                      .setCertificateAuthority(
+                          CertificateAuthorityName.of(
+                                  project, location, pool_Id, certificateAuthorityName)
+                              .toString())
+
+                      // Method 2: If issuer CA is external to Google Cloud, set the issuer's
+                      // certificate chain.
+                      // The certificate chain of the CA (which signed the CSR) from leaf to root.
+                      // .setPemIssuerChain(
+                      //     SubordinateConfigChain.newBuilder()
+                      //         .addAllPemCertificates(issuerCertificateChain)
+                      //         .build())
+
+                      .build())
+              .build();
+
+      // Activate the CA.
+      ApiFuture<Operation> futureCall =
+          certificateAuthorityServiceClient
+              .activateCertificateAuthorityCallable()
+              .futureCall(activateCertificateAuthorityRequest);
+
+      Operation response = futureCall.get();
+
+      if (response.hasError()) {
+        System.out.println("Error while activating the subordinate CA! " + response.getError());
+        return;
+      }
+
+      System.out.println(
+          "Subordinate Certificate Authority activated successfully ! !" + subordinateCaName);
+      TimeUnit.SECONDS.sleep(3);
+      // The current state will be STAGED.
+      // The Subordinate CA has to be ENABLED before issuing certificates.
+      System.out.println(
+          "Current State: "
+              + certificateAuthorityServiceClient
+                  .getCertificateAuthority(subordinateCaParent)
+                  .getState());
+    }
+  }
+}
+// [END privateca_activate_subordinateca]
@@ -0,0 +1,108 @@
+/*
+ * Copyright 2021 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package privateca;
+
+// [START privateca_create_certificate_csr]
+
+import com.google.api.core.ApiFuture;
+import com.google.cloud.security.privateca.v1.CaPoolName;
+import com.google.cloud.security.privateca.v1.Certificate;
+import com.google.cloud.security.privateca.v1.CertificateAuthorityServiceClient;
+import com.google.cloud.security.privateca.v1.CreateCertificateRequest;
+import com.google.protobuf.Duration;
+import java.io.IOException;
+import java.util.concurrent.ExecutionException;
+
+public class CreateCertificate_CSR {
+
+  public static void main(String[] args)
+      throws IOException, ExecutionException, InterruptedException {
+    // TODO(developer): Replace these variables before running the sample.
+
+    // location: For a list of locations, see:
+    // https://cloud.google.com/certificate-authority-service/docs/locations
+    // pool_Id: Set a unique id for the CA pool.
+    // certificateAuthorityName: The name of the certificate authority to sign the CSR.
+    // certificateName: Set a unique name for the certificate.
+    // pemCSR: Set the Certificate Issuing Request in the pem encoded format.
+    String project = "your-project-id";
+    String location = "ca-location";
+    String pool_Id = "ca-pool-id";
+    String certificateAuthorityName = "certificate-authority-name";
+    String certificateName = "certificate-name";
+    String pemCSR =
+        "-----BEGIN CERTIFICATE REQUEST-----\n"
+            + "sample-pem-csr-format\n"
+            + "-----END CERTIFICATE REQUEST-----";
+
+    createCertificateWithCSR(
+        project, location, pool_Id, certificateAuthorityName, certificateName, pemCSR);
+  }
+
+  // Create a Certificate which is issued by the specified Certificate Authority.
+  // The certificate details and the public key is provided as a CSR (Certificate Signing Request).
+  public static void createCertificateWithCSR(
+      String project,
+      String location,
+      String pool_Id,
+      String certificateAuthorityName,
+      String certificateName,
+      String pemCSR)
+      throws IOException, ExecutionException, InterruptedException {
+    // Initialize client that will be used to send requests. This client only needs to be created
+    // once, and can be reused for multiple requests. After completing all of your requests, call
+    // the `certificateAuthorityServiceClient.close()` method on the client to safely
+    // clean up any remaining background resources.
+    try (CertificateAuthorityServiceClient certificateAuthorityServiceClient =
+        CertificateAuthorityServiceClient.create()) {
+      // certificateLifetime: The validity of the certificate in seconds.
+      long certificateLifetime = 1000L;
+
+      // Create certificate with CSR.
+      // The pemCSR contains the public key and the domain details required.
+      Certificate certificate =
+          Certificate.newBuilder()
+              .setPemCsr(pemCSR)
+              .setLifetime(Duration.newBuilder().setSeconds(certificateLifetime).build())
+              .build();
+
+      // Create the Certificate Request.
+      // Set the CA which is responsible for creating the certificate with the provided CSR.
+      CreateCertificateRequest certificateRequest =
+          CreateCertificateRequest.newBuilder()
+              .setParent(CaPoolName.of(project, location, pool_Id).toString())
+              .setIssuingCertificateAuthorityId(certificateAuthorityName)
+              .setCertificateId(certificateName)
+              .setCertificate(certificate)
+              .build();
+
+      // Get the certificate response.
+      ApiFuture<Certificate> future =
+          certificateAuthorityServiceClient
+              .createCertificateCallable()
+              .futureCall(certificateRequest);
+
+      Certificate certificateResponse = future.get();
+
+      System.out.println("Certificate created successfully : " + certificateResponse.getName());
+
+      // Get the signed certificate and the issuer chain list.
+      System.out.println("Signed certificate:\n " + certificateResponse.getPemCertificate());
+      System.out.println("Issuer chain list:\n" + certificateResponse.getPemCertificateChainList());
+    }
+  }
+}
+// [END privateca_create_certificate_csr]
@@ -0,0 +1,132 @@
+/*
+ * Copyright 2021 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package privateca;
+
+// [START privateca_create_subordinateca]
+
+import com.google.api.core.ApiFuture;
+import com.google.cloud.security.privateca.v1.CaPoolName;
+import com.google.cloud.security.privateca.v1.CertificateAuthority;
+import com.google.cloud.security.privateca.v1.CertificateAuthority.KeyVersionSpec;
+import com.google.cloud.security.privateca.v1.CertificateAuthority.SignHashAlgorithm;
+import com.google.cloud.security.privateca.v1.CertificateAuthorityServiceClient;
+import com.google.cloud.security.privateca.v1.CertificateConfig;
+import com.google.cloud.security.privateca.v1.CertificateConfig.SubjectConfig;
+import com.google.cloud.security.privateca.v1.CreateCertificateAuthorityRequest;
+import com.google.cloud.security.privateca.v1.KeyUsage;
+import com.google.cloud.security.privateca.v1.KeyUsage.KeyUsageOptions;
+import com.google.cloud.security.privateca.v1.Subject;
+import com.google.cloud.security.privateca.v1.X509Parameters;
+import com.google.cloud.security.privateca.v1.X509Parameters.CaOptions;
+import com.google.longrunning.Operation;
+import com.google.protobuf.Duration;
+import java.io.IOException;
+import java.util.concurrent.ExecutionException;
+
+public class CreateSubordinateCa {
+
+  public static void main(String[] args)
+      throws InterruptedException, ExecutionException, IOException {
+    // TODO(developer): Replace these variables before running the sample.
+    // location: For a list of locations, see:
+    // https://cloud.google.com/certificate-authority-service/docs/locations
+    // pool_Id: Set it to the CA Pool under which the CA should be created.
+    // subordinateCaName: Unique name for the Subordinate CA.
+    String project = "your-project-id";
+    String location = "ca-location";
+    String pool_Id = "ca-pool-id";
+    String subordinateCaName = "subordinate-certificate-authority-name";
+
+    createSubordinateCertificateAuthority(project, location, pool_Id, subordinateCaName);
+  }
+
+  public static void createSubordinateCertificateAuthority(
+      String project, String location, String pool_Id, String subordinateCaName)
+      throws IOException, ExecutionException, InterruptedException {
+    // Initialize client that will be used to send requests. This client only needs to be created
+    // once, and can be reused for multiple requests. After completing all of your requests, call
+    // the `certificateAuthorityServiceClient.close()` method on the client to safely
+    // clean up any remaining background resources.
+    try (CertificateAuthorityServiceClient certificateAuthorityServiceClient =
+        CertificateAuthorityServiceClient.create()) {
+
+      String commonName = "common-name";
+      String orgName = "csr-org-name";
+      int caDuration = 100000; // Validity of this CA in seconds.
+
+      // Set the type of Algorithm.
+      KeyVersionSpec keyVersionSpec =
+          KeyVersionSpec.newBuilder().setAlgorithm(SignHashAlgorithm.RSA_PKCS1_4096_SHA256).build();
+
+      // Set CA subject config.
+      SubjectConfig subjectConfig =
+          SubjectConfig.newBuilder()
+              .setSubject(
+                  Subject.newBuilder().setCommonName(commonName).setOrganization(orgName).build())
+              .build();
+
+      //  Set the key usage options for X.509 fields.
+      X509Parameters x509Parameters =
+          X509Parameters.newBuilder()
+              .setKeyUsage(
+                  KeyUsage.newBuilder()
+                      .setBaseKeyUsage(
+                          KeyUsageOptions.newBuilder().setCrlSign(true).setCertSign(true).build())
+                      .build())
+              .setCaOptions(CaOptions.newBuilder().setIsCa(true).build())
+              .build();
+
+      // Set certificate authority settings.
+      CertificateAuthority subCertificateAuthority =
+          CertificateAuthority.newBuilder()
+              .setType(CertificateAuthority.Type.SUBORDINATE)
+              .setKeySpec(keyVersionSpec)
+              .setConfig(
+                  CertificateConfig.newBuilder()
+                      .setSubjectConfig(subjectConfig)
+                      .setX509Config(x509Parameters)
+                      .build())
+              // Set the CA validity duration.
+              .setLifetime(Duration.newBuilder().setSeconds(caDuration).build())
+              .build();
+
+      // Create the CertificateAuthorityRequest.
+      CreateCertificateAuthorityRequest subCertificateAuthorityRequest =
+          CreateCertificateAuthorityRequest.newBuilder()
+              .setParent(CaPoolName.of(project, location, pool_Id).toString())
+              .setCertificateAuthorityId(subordinateCaName)
+              .setCertificateAuthority(subCertificateAuthority)
+              .build();
+
+      // Create Subordinate CA.
+      ApiFuture<Operation> futureCall =
+          certificateAuthorityServiceClient
+              .createCertificateAuthorityCallable()
+              .futureCall(subCertificateAuthorityRequest);
+
+      Operation response = futureCall.get();
+
+      if (response.hasError()) {
+        System.out.println("Error while creating Subordinate CA !" + response.getError());
+        return;
+      }
+
+      System.out.println(
+          "Subordinate Certificate Authority created successfully : " + subordinateCaName);
+    }
+  }
+}
+// [END privateca_create_subordinateca]