From 5c4102b50d76b7f6f581f9863e31959db6b648b8 Mon Sep 17 00:00:00 2001
From: salmaan rashid <salrashid123@gmail.com>
Date: Fri, 7 Aug 2020 14:52:47 -0400
Subject: [PATCH] add

---
 CONTRIBUTING.md                               |   28 +
 LICENSE                                       |    2 +-
 Makefile                                      |   61 +
 README.md                                     |  369 +-
 backend.go                                    |  209 +
 backend_test.go                               |  256 ++
 cmd/vault-plugin-secrets-gcppca/main.go       |   51 +
 config.go                                     |  100 +
 config_test.go                                |  285 ++
 go.mod                                        |   35 +
 go.sum                                        |  445 +++
 helpers.go                                    |  104 +
 lib/cloud.google.com/go/LICENSE               |  202 +
 .../certificate_authority_client.go           | 2200 +++++++++++
 .../go/security/privateca/apiv1alpha1/doc.go  |  102 +
 .../go/security/privateca/apiv1alpha1/go.mod  |    4 +
 .../cloud/security/privateca/v1alpha1/go.mod  |    3 +
 .../privateca/v1alpha1/resources.pb.go        | 2834 ++++++++++++++
 .../security/privateca/v1alpha1/service.pb.go | 3368 +++++++++++++++++
 path_config.go                                |  154 +
 path_config_test.go                           |  238 ++
 path_csr.go                                   |  206 +
 path_generatekey.go                           |  540 +++
 scripts/dev.sh                                |   45 +
 version/cmd/main.go                           |   39 +
 version/version.go                            |   34 +
 26 files changed, 11911 insertions(+), 3 deletions(-)
 create mode 100644 CONTRIBUTING.md
 create mode 100644 Makefile
 create mode 100644 backend.go
 create mode 100644 backend_test.go
 create mode 100644 cmd/vault-plugin-secrets-gcppca/main.go
 create mode 100644 config.go
 create mode 100644 config_test.go
 create mode 100644 go.mod
 create mode 100644 go.sum
 create mode 100644 helpers.go
 create mode 100644 lib/cloud.google.com/go/LICENSE
 create mode 100644 lib/cloud.google.com/go/security/privateca/apiv1alpha1/certificate_authority_client.go
 create mode 100644 lib/cloud.google.com/go/security/privateca/apiv1alpha1/doc.go
 create mode 100644 lib/cloud.google.com/go/security/privateca/apiv1alpha1/go.mod
 create mode 100644 lib/google.golang.org/genproto/googleapis/cloud/security/privateca/v1alpha1/go.mod
 create mode 100644 lib/google.golang.org/genproto/googleapis/cloud/security/privateca/v1alpha1/resources.pb.go
 create mode 100644 lib/google.golang.org/genproto/googleapis/cloud/security/privateca/v1alpha1/service.pb.go
 create mode 100644 path_config.go
 create mode 100644 path_config_test.go
 create mode 100644 path_csr.go
 create mode 100644 path_generatekey.go
 create mode 100755 scripts/dev.sh
 create mode 100644 version/cmd/main.go
 create mode 100644 version/version.go

diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
new file mode 100644
index 0000000..ebbb59e
--- /dev/null
+++ b/CONTRIBUTING.md
@@ -0,0 +1,28 @@
+# How to Contribute
+
+We'd love to accept your patches and contributions to this project. There are
+just a few small guidelines you need to follow.
+
+## Contributor License Agreement
+
+Contributions to this project must be accompanied by a Contributor License
+Agreement. You (or your employer) retain the copyright to your contribution;
+this simply gives us permission to use and redistribute your contributions as
+part of the project. Head over to <https://cla.developers.google.com/> to see
+your current agreements on file or to sign a new one.
+
+You generally only need to submit a CLA once, so if you've already submitted one
+(even if it was for a different project), you probably don't need to do it
+again.
+
+## Code reviews
+
+All submissions, including submissions by project members, require review. We
+use GitHub pull requests for this purpose. Consult
+[GitHub Help](https://help.github.com/articles/about-pull-requests/) for more
+information on using pull requests.
+
+## Community Guidelines
+
+This project follows
+[Google's Open Source Community Guidelines](https://opensource.google.com/conduct/).
\ No newline at end of file
diff --git a/LICENSE b/LICENSE
index 261eeb9..7dc8f78 100644
--- a/LICENSE
+++ b/LICENSE
@@ -186,7 +186,7 @@
       same "printed page" as the copyright notice for easier
       identification within third-party archives.
 
-   Copyright [yyyy] [name of copyright owner]
+   Copyright [2020] [Google LLC]
 
    Licensed under the Apache License, Version 2.0 (the "License");
    you may not use this file except in compliance with the License.
diff --git a/Makefile b/Makefile
new file mode 100644
index 0000000..46f9281
--- /dev/null
+++ b/Makefile
@@ -0,0 +1,61 @@
+GOMAXPROCS = 4
+
+PROJECT    = "github.com/salrashid123/vault-plugin-secrets-gcpca"
+NAME       = $(shell go run version/cmd/main.go name)
+VERSION    = $(shell go run version/cmd/main.go version)
+COMMIT     = $(shell git rev-parse --short HEAD)
+
+GOFMT_FILES?=$$(find . -name '*.go' | grep -v vendor)
+
+LDFLAGS = \
+	-s \
+	-w \
+	-X ${PROJECT}/version.GitCommit=${COMMIT}
+
+# XC_* are the platforms for cross-compiling. Customize these values to suit
+# your needs.
+XC_OS      = darwin linux windows
+XC_ARCH    = 386 amd64
+XC_EXCLUDE =
+
+# default is the default make command
+default: dev
+
+fmt:
+	gofmt -w $(GOFMT_FILES)
+
+# deps updates the project deps using golang/dep
+deps:
+	@dep ensure -v -update
+.PHONY: deps
+
+# dev builds and installs the plugin for local development
+dev:
+	@env \
+		CGO_ENABLED=0 \
+		go install \
+			-ldflags="${LDFLAGS}" \
+			./cmd/...
+.PHONY: dev
+
+# test runs the tests
+test:
+	@go test -timeout=60s -parallel=10 ./...
+.PHONY: test
+
+# xc compiles all the binaries using the local go installation
+xc:
+	@for OS in $(XC_OS); do \
+		for ARCH in $(XC_ARCH); do \
+			env \
+				CGO_ENABLED=0 \
+				GOOS=$${OS} \
+				GOARCH=$${ARCH} \
+				go build \
+					-a \
+					-o "pkg/$${OS}_$${ARCH}/${NAME}" \
+					-ldflags "${LDFLAGS}"
+					./cmd/... ; \
+		done \
+	done
+.PHONY: xc
diff --git a/README.md b/README.md
index e635637..6b43d74 100644
--- a/README.md
+++ b/README.md
@@ -1,2 +1,367 @@
-# vault-plugin-secrets-gcppca
-Vault Plugin:  Google Cloud Platform CA Service
+
+# Vault Plugin:  Google Cloud Platform CA Service
+
+This is a backend plugin to be used with [Hashicorp Vault](https://www.github.com/hashicorp/vault) to provide certificates issued by [Google Cloud Platform Certificate Authority Service](https://cloud.google.com/certificate-authority-service/docs)
+
+
+> This is not an officially supported Google product
+
+## Usage
+
+This guide assumes you have already installed Vault and have a basic understanding of how Vault works as well as basics of GCP Certificate Authority Service. Otherwise, first read this guide on how to [get started with Vault](https://www.vaultproject.io/intro/getting-started/install.html) as well as [Google Cloud Platform Certificate Authority Service](https://cloud.google.com/certificate-authority-service/docs).
+
+This plugin will issue certificates through Vault where either the privateKey and Certificate Signing Request (CSR) gets generated by the plugin or where the CSR is provided _to_ the plugin.  Plugin will not manage the CA or Subordinate CA lifecycle (create/delete CA, etc) for GCP CA Service. 
+
+> This plugin is *not* packaged with Vault and must be added in manually.
+
+### QuickStart
+
+For quick-start, you can either use the pre-built plugin binary or build and run Vault in "dev" mode:
+
+### Dev
+
+To compile the plugin and run the dev server, you will need `go 1.11+` and `make`
+
+```bash
+export GOBIN=`pwd`/bin
+make fmt
+make dev
+
+vault server -dev -dev-plugin-dir=./bin --log-level=debug
+```
+
+Make sure you have setup a private CA with a Certificate Authority and your user or serviceAccount Vault runs as has access to generate and/or revoke certificates.  By default, Vault will use `Application Default Credentials` but you can override that per mount path.
+
+It is recommended to create a IAM Custom Role to the Vault ServiceAccount with the minimum permission it would need to operate.  For more information on how to setup this custom role, see relevant section below.
+
+In a new window in the same directory, configure Vault to use the plugin and enable/mount it at a path.
+
+```bash
+export VAULT_ADDR='http://localhost:8200'
+export SHASUM=$(shasum -a 256 "bin/vault-plugin-secrets-gcppca" | cut -d " " -f1)
+
+vault plugin register \
+    -sha256="${SHASUM}" \
+    -command="vault-plugin-secrets-gcppca" \
+    secret vault-plugin-secrets-gcppca
+
+vault secrets enable -path="gcppca" \
+   --description='Vault CA Service Plugin' \
+   --plugin-name='vault-plugin-secrets-gcppca' plugin
+```
+
+Note, `scripts.dev.sh` script runs the above commands and runs vault in the background.
+
+To issue certificates, you need to first define a profile (config) for the mount path and then define and use a Vault policy.
+
+1. Define a config profile
+
+A profile dictates the specifications of the CA a specific Vault mount will use.  In the example used here, the mount path is `gcppca` with the CA of `prod-root`
+
+```bash
+vault write gcppca/config \
+	issuer="prod-root" \
+	location="us-central1" \
+	project="your-project-id"  
+```
+
+2. Generate and use Vault policy
+
+Once the config has been defined, this plugin can be used in two modes:
+
+a) `Generated`: a key-pair and CSR is generated within `Vault` and the CSR signed by `CA Service` 
+
+or
+
+b) `Provided`: Certificate Request `CSR` is provided to the plugin.
+
+Under no circumstance does this plugin retain the private key for any certificate.
+
+- The sub-path under `<mount>/issue-with-genkey/` is intended for Vault generated keys.
+
+- The sub-path under `<mount>/issue-with-csr/` is intended for user-provided CSR
+
+This plugin will create a certificate within GCP CA Service with a certificate `Name` using the final path parameter in the Vault resource path.  For example, `gcppca/issue-with-genkey/my_tls_cert_rsa_1` will create a GCP CA Service Resource path `projects/your-project-id/locations/us-central1/certificateAuthorities/prod-root/certificates/my_tls_cert_rsa_1`.  This is the actual CA Service unique name for the certificate and cannot be reused once created.
+
+Deleting the key in Vault will revoke the certificate in CA Service which also means the same name cannot be reused.
+
+### Vault Generated
+
+To generate a certificate keypair on vault, first apply a configuration that allows Vault to reference which CA to sign against 
+
+The configuration below will generate a certificate called `my_tls_cert_rsa_1` within CA Service using a GCP CA `prod-root` that was defined earlier by specifying `gcppca/config`.
+
+Apply the config and acquire a `VAULT_TOKEN` based off of those policies.
+
+```bash
+vault policy write genkey-policy -<<EOF
+path "gcppca/issue-with-genkey/my_tls_cert_rsa_1" {
+    capabilities = ["update", "delete"]
+    allowed_parameters = {    
+      "key_type" = ["rsa"]
+      "validity"= ["P30D"]
+      "dns_san" = ["client.domain.com,client2.domain.com"]        
+      "subject" = ["C=US,ST=California,L=Mountain View,O=Google LLC,CN=google.com"]
+      "reusable_config" = ["leaf-server-tls"]     
+  }
+}
+EOF
+```
+
+An end-user will use their existing credentials to acquire a new VAULT_TOKEN authorized for that policy
+
+```bash
+export VAULT_ADDR='http://localhost:8200'
+vault token create -policy=genkey-policy
+
+export VAULT_TOKEN=s.vs2D...
+
+vault write gcppca/issue-with-genkey/my_tls_cert_rsa_1 \
+	key_type="rsa" \
+	validity="P30D" \
+	dns_san="client.domain.com,client2.domain.com" \
+	subject="C=US,ST=California,L=Mountain View,O=Google LLC,CN=google.com"  \
+	reusable_config="leaf-server-tls" 
+```
+
+The output will be Public Certificate and PrivateKey
+
+```
+Key        Value
+---        -----
+privkey    -----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAA...
+pubcert    -----BEGIN CERTIFICATE-----
+MIIEHTCCA8...
+```
+
+### Provided CSR
+
+For user-provided CSR, first apply a configuration that allows Vault to use a CSR that is provided.  This is done by using the `<mount>/issue-with-csr/`  path
+
+As before, the CA configuration was defined earlier at the root mount path (eg, `gcppca/`)
+
+Apply the config and acquire a `VAULT_TOKEN` based off of those policies
+
+```bash
+vault policy write csr-policy -<<EOF
+path "gcppca/issue-with-csr/my_csr_cert_1" {
+    capabilities = ["update", "delete"]
+    allowed_parameters = {    
+      "validity"= ["P30D"]
+      "pem_csr" = []  
+  }
+}
+EOF
+```
+
+Use the appropriate token to create a certificate given a CSR (`my_csr.pem`)
+
+```bash
+openssl req  \
+    -out my_csr.pem \
+    -newkey rsa:2048 \
+    -keyout my_key.pem \
+    -nodes \
+    -new -sha256 \
+    -subj "/C=US/ST=California/L=Mountain View/O=Google/OU=Enterprise/CN=some.domain.com"
+ openssl req -in my_csr.pem -noout -text
+```
+
+```bash
+vault token create -policy=csr-policy
+export VAULT_TOKEN=...
+
+vault write gcppca/issue-with-csr/my_csr_cert_1 \
+	validity="P30D" \
+	pem_csr=@my_csr.pem
+```
+
+The output would be just the Public Key
+
+```
+Key        Value
+---        -----
+pubcert    -----BEGIN CERTIFICATE-----
+MIID2DCCA36gA
+```
+
+### Options
+
+Plugin configuration supports various options that are common and mode-specific options
+
+#### Common Options
+
+| Option | Description |
+|:------------|-------------|
+| **`validity`** | `string` validity of the issued certificate (default: `P30d`) |
+| **`labels`** | `[]string` list of GCP labels to apply to the certificate (format `k1=v1,k2=v2`) |
+
+#### Generated (/issue-with-genkey/) Options
+
+| Option | Description |
+|:------------|-------------|
+| **`key_type`** | `string` what type of key to generate (default: `rsa`; either `rsa` or `ecdsa`; cannot be specified if `csr` is set) |
+| **`key_usage`** | `[]string` what are the `key_usage` settings (default: `[]`) |
+| **`extended_key_usage`** | `[]string` what are the `extended_key_usage` settings (default: `[]`)   |
+| **`reusable_config`** | `string` reusable_config to use (cannot be set if `key_usage`,`extended_key_usage` is set; default `[]`) |
+| **`subject`** | `string` subject field value (must be in canonical format `C=,ST=,L=,O=,CN=`)|
+| **`dns_san`** | `[]string` list of `dns_san` to use |
+| **`email_san`** | `[]string` list of `email_san` to use |
+| **`ip_san`** | `[]string` list of `ip_san` to use |
+| **`uri_san`** | `[]string` list of `uri_san` to use |
+| **`is_ca_cert`** | `bool` whether this certificate is for a CA or not. |
+| **`max_chain_length`** | `int` Maximum depth of subordinate CAs allowed under this CA for a CA certificate.|
+
+#### CSR (/issue-with-csr/) Options
+
+| Option | Description |
+|:------------|-------------|
+| **`pem_csr`** | `string` contents of the CSR in PEM format |
+
+Sample usage 
+
+The following policies describe usage of `reusable_config` and `key_usage` options.  
+
+`reusable_config` options:
+
+```bash
+vault policy write genkey-reusable-policy -<<EOF
+path "gcppca/issue-with-genkey/my_tls_cert_ecdsa_1" {
+    capabilities = ["create", "update", "delete"]
+    allowed_parameters = {    
+      "key_type" = ["ecdsa"]
+      "validity"= ["P30D"]
+      "dns_san" = ["client.domain.com,client2.domain.com"]        
+      "subject" = ["C=US,ST=California,L=Mountain View,O=Google LLC,CN=google.com"]
+      "reusable_config" = ["leaf-server-tls"]     
+  }
+}
+EOF
+```
+
+`key_usages` option:
+
+```bash
+vault policy write genkey-usage-policy -<<EOF
+path "gcppca/issue-with-genkey/my_tls_cert_encipher_1" {
+    capabilities = ["create", "update", "delete"]
+    allowed_parameters = {    
+      "validity"= ["P30D"]
+      "dns_san" = ["client.domain.com,client2.domain.com"]        
+      "subject" = ["C=US,ST=California,L=Mountain View,O=Google LLC,CN=google.com"]
+      "key_usages" = ["encipher_only"]      
+  }
+}
+EOF
+```
+
+When a derived VAULT_TOKEN is used with `vault write gcppca/issue-with-genkey/..` operations, you must provide the _exact_ parameters defined in the policy.  For example
+
+```bash
+vault write gcppca/issue-with-genkey/my_tls_cert_ecdsa_1 \
+	key_type="ecdsa" \
+	validity="P30D" \
+	dns_san="client.domain.com,client2.domain.com" \
+	subject="C=US,ST=California,L=Mountain View,O=Google LLC,CN=google.com"  \
+	reusable_config="leaf-server-tls"
+```
+
+### Revoke Certificates
+
+Simply run the inverse function `vault delete ..` to revoke a certificate with the exact same parameters as the `vault write ..` operation.
+
+### Prebuilt binary
+
+To install, download `vault-plugin-secrets-gcpca` from the "Releases" page on github.  You can compare the SHA provided there against reference in the upstream repository at anytime.
+
+- Copy to the [Vault plugin directory](https://www.vaultproject.io/docs/configuration#plugin_directory)
+
+- Register the Plugin (remember to update `path/to/vault/plugins/`). 
+
+```bash
+export SHASUM=$(curl -s https://github.com/salrashid123/vault-plugin-secrets-gcppca/releases/download/v1.0.0/checksum.sha256)
+
+vault plugin register \
+    -sha256="${SHASUM}" \
+    -command="vault-plugin-secrets-gcppca" \
+    secret vault-plugin-secrets-gcppca  
+
+vault secrets enable -path="gcppca" \
+ --description='Vault CA Service Plugin' \
+ --plugin-name='vault-plugin-secrets-gcppca' plugin
+```
+
+Note, the "Release" pages in this repo contains the `sha256` images
+
+If you are running Vault in production and use your own TLS certificate for client connections to vault, you must register the plugin and configure it to use the TLS CA you use. For example,if your vault `server.conf` shows:
+
+```hcl
+listener "tcp" {
+  address = "vault.domain.com:8200"
+  tls_cert_file = "/path/to/tls_crt_vault.pem"
+  tls_key_file = "/path/to/tls_key_vault.pem"
+}
+api_addr = "https://vault.domain.com:8200"
+plugin_directory = "/path/to/vault/plugins"
+```
+
+Then register the plugin and specify the the path to the TLS CA certificate Vault server was configured to use.
+
+In the following, if Vault Server's TLS Certificate (`/path/to/tls_crt_vault.pem`) was signed by (`/path/to/tls_cacert.pem`), specify a path to that using the (`-args="-ca-cert=..."`) option
+
+
+```bash
+export VAULT_CACERT=/path/to/tls_cacert.pem
+
+vault plugin register \
+    -sha256="${SHASUM}" \
+    -command="vault-plugin-secrets-gcppca" \
+    -args="-ca-cert=$VAULT_CACERT" secret vault-plugin-secrets-gcppca
+```
+
+### Specify credentials per mount
+
+By default, the plugin will use `Application Default Credentials` to access GCP CA.  If you need different credentials per mount, you can specify that using the `config/` path of the mount point.  For example, to specify a credential file JSON certificate for the `gcppca` mount:
+
+```
+vault write gcppca/config \
+  credentials=@/path/to/svc_account.json 
+```
+
+### Custom IAM Role for Vault
+
+The following custom role will set the equired permissions this plugin uses:
+
+Create a file `vault-custom-role.yaml` (remember to replace the `$PROJECT_ID` variable)
+
+```yaml
+includedPermissions:
+- privateca.certificates.create
+- privateca.certificates.update
+name: projects/$PROJECT_ID/roles/VaultCAServiceRole
+stage: GA
+title: VaultCAServiceRole
+```
+
+Create a custom role:
+
+```bash
+gcloud iam roles create vaultCAServiceRole --project=$PROJECT_ID \
+  --file=ocsp-custom-role.yaml
+```
+
+Finally assign this role to the Vault ServiceAccount.
+
+### Future Enhancements
+
+- Vault plugin to Create and Manage CA Policy ([CertificateAuthorityPolicy](https://cloud.google.com/certificate-authority-service/docs/reference/rest/v1alpha1/projects.locations.certificateAuthorities#certificateauthoritypolicy)).
+
+### Vault Acceptance Tests
+
+`TODO`
+
+### Other Docs
+
+- [Building a Vault Secure Plugin](https://www.hashicorp.com/blog/building-a-vault-secure-plugin/)
+- [Building Plugin Backends](https://learn.hashicorp.com/vault/secrets-management/plugin-backends)
diff --git a/backend.go b/backend.go
new file mode 100644
index 0000000..65a237a
--- /dev/null
+++ b/backend.go
@@ -0,0 +1,209 @@
+// Copyright 2020 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     https://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package gcppca
+
+import (
+	"context"
+	"sync"
+	"time"
+
+	"github.com/hashicorp/errwrap"
+	"github.com/hashicorp/vault/sdk/framework"
+	"github.com/hashicorp/vault/sdk/helper/useragent"
+	"github.com/hashicorp/vault/sdk/logical"
+	"golang.org/x/oauth2/google"
+	"google.golang.org/api/option"
+
+	pcaapi "cloud.google.com/go/security/privateca/apialpha1"
+)
+
+var (
+	defaultClientLifetime = 30 * time.Minute
+)
+
+// ref: https://github.com/hashicorp/vault-plugin-secrets-gcpkms/blob/master/backend.go
+
+type backend struct {
+	*framework.Backend
+
+	// pcaClient is the actual client for connecting to PrivateCA. It is cached on
+	// the backend for efficiency.
+	pcaClient           *pcaapi.CertificateAuthorityClient
+	pcaClientCreateTime time.Time
+	pcaClientLifetime   time.Duration
+	pcaClientLock       sync.RWMutex
+
+	// ctx and ctxCancel are used to control overall plugin shutdown. These
+	// contexts are given to any client libraries or requests that should be
+	// terminated during plugin termination.
+	ctx       context.Context
+	ctxCancel context.CancelFunc
+	ctxLock   sync.Mutex
+}
+
+// Factory returns a configured instance of the backend.
+func Factory(ctx context.Context, c *logical.BackendConfig) (logical.Backend, error) {
+	b := Backend()
+	if err := b.Setup(ctx, c); err != nil {
+		return nil, err
+	}
+	return b, nil
+}
+
+// Backend returns a configured instance of the backend.
+func Backend() *backend {
+	var b backend
+
+	b.pcaClientLifetime = defaultClientLifetime
+	b.ctx, b.ctxCancel = context.WithCancel(context.Background())
+
+	b.Backend = &framework.Backend{
+		BackendType: logical.TypeLogical,
+		Help: "The GCP CA secrets engine provides issuing and revoking GCP CA based " +
+			"certificates.",
+
+		Paths: []*framework.Path{
+			b.pathConfig(),
+			b.pathGenerateKey(),
+			b.pathCSR(),
+		},
+
+		Invalidate: b.invalidate,
+		Clean:      b.clean,
+	}
+
+	return &b
+}
+
+// clean cancels the shared contexts. This is called just before unmounting
+// the plugin.
+func (b *backend) clean(_ context.Context) {
+	b.ctxLock.Lock()
+	b.ctxCancel()
+	b.ctxLock.Unlock()
+}
+
+// invalidate resets the plugin. This is called when a key is updated via
+// replication.
+func (b *backend) invalidate(ctx context.Context, key string) {
+	switch key {
+	case "config":
+		b.ResetClient()
+	}
+}
+
+// ResetClient closes any connected clients.
+func (b *backend) ResetClient() {
+	b.pcaClientLock.Lock()
+	b.resetClient()
+	b.pcaClientLock.Unlock()
+}
+
+// resetClient rests the underlying client. The caller is responsible for
+// acquiring and releasing locks. This method is not safe to call concurrently.
+func (b *backend) resetClient() {
+	if b.pcaClient != nil {
+		b.pcaClient.Close()
+		b.pcaClient = nil
+	}
+
+	b.pcaClientCreateTime = time.Unix(0, 0).UTC()
+}
+
+// PrivateCA creates a new client for talking to the GCP PrivateCA service.
+func (b *backend) PCAClient(s logical.Storage) (*pcaapi.CertificateAuthorityClient, func(), error) {
+	// If the client already exists and is valid, return it
+	b.pcaClientLock.RLock()
+	if b.pcaClient != nil && time.Now().UTC().Sub(b.pcaClientCreateTime) < b.pcaClientLifetime {
+		closer := func() { b.pcaClientLock.RUnlock() }
+		return b.pcaClient, closer, nil
+	}
+	b.pcaClientLock.RUnlock()
+
+	// Acquire a full lock. Since all invocations acquire a read lock and defer
+	// the release of that lock, this will block until all clients are no longer
+	// in use. At that point, we can acquire a globally exclusive lock to close
+	// any connections and create a new client.
+	b.pcaClientLock.Lock()
+
+	b.Logger().Debug("Creating new PrivateCA client")
+
+	// Attempt to close an existing client if we have one.
+	b.resetClient()
+
+	// Get the config
+	config, err := b.Config(b.ctx, s)
+	if err != nil {
+		b.pcaClientLock.Unlock()
+		return nil, nil, err
+	}
+
+	// If credentials were provided, use those. Otherwise fall back to the
+	// default application credentials.
+	var creds *google.Credentials
+	if config.Credentials != "" {
+		creds, err = google.CredentialsFromJSON(b.ctx, []byte(config.Credentials), config.Scopes...)
+		if err != nil {
+			b.pcaClientLock.Unlock()
+			return nil, nil, errwrap.Wrapf("failed to parse credentials: {{err}}", err)
+		}
+	} else {
+		creds, err = google.FindDefaultCredentials(b.ctx, config.Scopes...)
+		if err != nil {
+			b.pcaClientLock.Unlock()
+			return nil, nil, errwrap.Wrapf("failed to get default token source: {{err}}", err)
+		}
+	}
+
+	// Create and return the GCP CA client with a custom user agent.
+	client, err := pcaapi.NewCertificateAuthorityClient(b.ctx,
+		option.WithCredentials(creds),
+		option.WithScopes(config.Scopes...),
+		option.WithUserAgent(useragent.String()),
+	)
+	if err != nil {
+		b.pcaClientLock.Unlock()
+		return nil, nil, errwrap.Wrapf("failed to create PrivateCA client: {{err}}", err)
+	}
+
+	// Cache the client
+	b.pcaClient = client
+	b.pcaClientCreateTime = time.Now().UTC()
+	b.pcaClientLock.Unlock()
+
+	b.pcaClientLock.RLock()
+	closer := func() { b.pcaClientLock.RUnlock() }
+	return client, closer, nil
+}
+
+// Config parses and returns the configuration data from the storage backend.
+// Even when no user-defined data exists in storage, a Config is returned with
+// the default values.
+func (b *backend) Config(ctx context.Context, s logical.Storage) (*Config, error) {
+	c := DefaultConfig()
+
+	entry, err := s.Get(ctx, "config")
+	if err != nil {
+		return nil, errwrap.Wrapf("failed to get configuration from storage: {{err}}", err)
+	}
+	if entry == nil || len(entry.Value) == 0 {
+		return c, nil
+	}
+
+	if err := entry.DecodeJSON(&c); err != nil {
+		return nil, errwrap.Wrapf("failed to decode configuration: {{err}}", err)
+	}
+	return c, nil
+}
diff --git a/backend_test.go b/backend_test.go
new file mode 100644
index 0000000..15b9058
--- /dev/null
+++ b/backend_test.go
@@ -0,0 +1,256 @@
+// Copyright 2020 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     https://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package gcppca
+
+import (
+	"context"
+	"reflect"
+	"strings"
+	"testing"
+	"time"
+
+	"github.com/hashicorp/vault/sdk/helper/useragent"
+	"github.com/hashicorp/vault/sdk/logical"
+	"google.golang.org/api/option"
+	"google.golang.org/grpc/connectivity"
+
+	pcaapi "cloud.google.com/go/security/privateca/apialpha1"
+	hclog "github.com/hashicorp/go-hclog"
+)
+
+// testBackend creates a new isolated instance of the backend for testing.
+func testBackend(tb testing.TB) (*backend, logical.Storage) {
+	tb.Helper()
+
+	config := logical.TestBackendConfig()
+	config.StorageView = new(logical.InmemStorage)
+	config.Logger = hclog.NewNullLogger()
+
+	b, err := Factory(context.Background(), config)
+	if err != nil {
+		tb.Fatal(err)
+	}
+	return b.(*backend), config.StorageView
+}
+
+// testFieldValidation verifies the given path has field validation.
+func testFieldValidation(tb testing.TB, op logical.Operation, pth string) {
+	tb.Helper()
+
+	b, storage := testBackend(tb)
+	_, err := b.HandleRequest(context.Background(), &logical.Request{
+		Storage:   storage,
+		Operation: op,
+		Path:      pth,
+		Data: map[string]interface{}{
+			"literally-never-a-key": true,
+		},
+	})
+	if err == nil {
+		tb.Error("expected error")
+	}
+	if !strings.Contains(err.Error(), "unknown field") {
+		tb.Error(err)
+	}
+}
+
+// testPCAClient creates a new Certificate Service client with the default scopes and user
+// agent.
+func testPCAClient(tb testing.TB) *pcaapi.CertificateAuthorityClient {
+	tb.Helper()
+
+	ctx := context.Background()
+	kmsClient, err := pcaapi.NewCertificateAuthorityClient(ctx,
+		option.WithScopes(defaultScope),
+		option.WithUserAgent(useragent.String()),
+	)
+	if err != nil {
+		tb.Fatalf("failed to create kms client: %s", err)
+	}
+
+	return kmsClient
+}
+
+func TestBackend_PCAClient(t *testing.T) {
+	t.Parallel()
+
+	t.Run("allows_concurrent_reads", func(t *testing.T) {
+		t.Parallel()
+
+		b, storage := testBackend(t)
+
+		_, closer1, err := b.PCAClient(storage)
+		if err != nil {
+			t.Fatal(err)
+		}
+		defer closer1()
+
+		doneCh := make(chan struct{})
+		go func() {
+			_, closer2, err := b.PCAClient(storage)
+			if err != nil {
+				t.Fatal(err)
+			}
+			defer closer2()
+			close(doneCh)
+		}()
+
+		select {
+		case <-doneCh:
+		case <-time.After(1 * time.Second):
+			t.Errorf("client was not available")
+		}
+	})
+
+	t.Run("caches", func(t *testing.T) {
+		t.Parallel()
+
+		b, storage := testBackend(t)
+
+		client1, closer1, err := b.PCAClient(storage)
+		if err != nil {
+			t.Fatal(err)
+		}
+		defer closer1()
+
+		client2, closer2, err := b.PCAClient(storage)
+		if err != nil {
+			t.Fatal(err)
+		}
+		defer closer2()
+
+		// Note: not a bug; literally checking object equality
+		if client1 != client2 {
+			t.Errorf("expected %#v to be %#v", client1, client2)
+		}
+	})
+
+	t.Run("expires", func(t *testing.T) {
+		t.Parallel()
+
+		b, storage := testBackend(t)
+		b.pcaClientLifetime = 50 * time.Millisecond
+
+		client1, closer1, err := b.PCAClient(storage)
+		if err != nil {
+			t.Fatal(err)
+		}
+		closer1()
+
+		time.Sleep(100 * time.Millisecond)
+
+		client2, closer2, err := b.PCAClient(storage)
+		if err != nil {
+			t.Fatal(err)
+		}
+		closer2()
+
+		if client1 == client2 {
+			t.Errorf("expected %#v to not be %#v", client1, client2)
+		}
+	})
+}
+
+func TestBackend_ResetClient(t *testing.T) {
+	t.Parallel()
+
+	t.Run("closes_client", func(t *testing.T) {
+		t.Parallel()
+
+		b, storage := testBackend(t)
+
+		client, closer, err := b.PCAClient(storage)
+		if err != nil {
+			t.Fatal(err)
+		}
+
+		// Verify the client is "open"
+		if client.Connection().GetState() == connectivity.Shutdown {
+			t.Fatalf("connection is already stopped")
+		}
+
+		// Stop read lock
+		closer()
+
+		// Reset the clients
+		b.ResetClient()
+
+		// Verify the client closed
+		if state := client.Connection().GetState(); state != connectivity.Shutdown {
+			t.Errorf("expected client to be closed, was: %v", state)
+		}
+	})
+}
+
+func TestBackend_Config(t *testing.T) {
+	t.Parallel()
+
+	cases := []struct {
+		name string
+		c    []byte
+		e    *Config
+		err  bool
+	}{
+		{
+			"default",
+			nil,
+			DefaultConfig(),
+			false,
+		},
+		{
+			"saved",
+			[]byte(`{"credentials":"foo", "scopes":["bar"]}`),
+			&Config{
+				Credentials: "foo",
+				Scopes:      []string{"bar"},
+			},
+			false,
+		},
+		{
+			"invalid",
+			[]byte(`{x`),
+			nil,
+			true,
+		},
+	}
+
+	for _, tc := range cases {
+		tc := tc
+
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+
+			b, storage := testBackend(t)
+
+			if tc.c != nil {
+				if err := storage.Put(context.Background(), &logical.StorageEntry{
+					Key:   "config",
+					Value: tc.c,
+				}); err != nil {
+					t.Fatal(err)
+				}
+			}
+
+			c, err := b.Config(context.Background(), storage)
+			if (err != nil) != tc.err {
+				t.Fatal(err)
+			}
+
+			if !reflect.DeepEqual(c, tc.e) {
+				t.Errorf("expected %#v to be %#v", c, tc.e)
+			}
+		})
+	}
+}
diff --git a/cmd/vault-plugin-secrets-gcppca/main.go b/cmd/vault-plugin-secrets-gcppca/main.go
new file mode 100644
index 0000000..9e8fb6d
--- /dev/null
+++ b/cmd/vault-plugin-secrets-gcppca/main.go
@@ -0,0 +1,51 @@
+// Copyright 2020 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     https://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package main
+
+import (
+	"os"
+
+	hclog "github.com/hashicorp/go-hclog"
+	"github.com/hashicorp/vault/api"
+	"github.com/hashicorp/vault/sdk/plugin"
+	gcppca "github.com/salrashid123/vault-plugin-secrets-gcppca"
+)
+
+func main() {
+	logger := hclog.New(&hclog.LoggerOptions{})
+
+	defer func() {
+		if r := recover(); r != nil {
+			logger.Error("plugin paniced", "error", r)
+			os.Exit(1)
+		}
+	}()
+
+	meta := &api.PluginAPIClientMeta{}
+
+	flags := meta.FlagSet()
+	flags.Parse(os.Args[1:])
+
+	tlsConfig := meta.GetTLSConfig()
+	tlsProviderFunc := api.VaultPluginTLSProvider(tlsConfig)
+
+	if err := plugin.Serve(&plugin.ServeOpts{
+		BackendFactoryFunc: gcppca.Factory,
+		TLSProviderFunc:    tlsProviderFunc,
+	}); err != nil {
+		logger.Error("plugin shutting down", "error", err)
+		os.Exit(1)
+	}
+}
diff --git a/config.go b/config.go
new file mode 100644
index 0000000..cfc44e7
--- /dev/null
+++ b/config.go
@@ -0,0 +1,100 @@
+// Copyright 2020 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     https://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package gcppca
+
+import (
+	"errors"
+	"strings"
+
+	"github.com/hashicorp/vault/sdk/framework"
+	"github.com/hashicorp/vault/sdk/helper/strutil"
+)
+
+const (
+	defaultScope = "https://www.googleapis.com/auth/cloud-platform"
+)
+
+// ref: https://github.com/hashicorp/vault-plugin-secrets-gcpkms/blob/master/config.go
+
+// Config is the stored configuration.
+type Config struct {
+	Credentials string   `json:"credentials"`
+	Scopes      []string `json:"scopes"`
+	Issuer      string   `json:"issuer"`
+	Location    string   `json:"location"`
+	Project     string   `json:"project"`
+}
+
+// DefaultConfig returns a config with the default values.
+func DefaultConfig() *Config {
+	return &Config{
+		Scopes: []string{defaultScope},
+	}
+}
+
+// Update updates the configuration from the given field data.
+func (c *Config) Update(d *framework.FieldData) (bool, error) {
+	if d == nil {
+		return false, nil
+	}
+
+	changed := false
+
+	if v, ok := d.GetOk("credentials"); ok {
+		nv := strings.TrimSpace(v.(string))
+		if nv != c.Credentials {
+			c.Credentials = nv
+			changed = true
+		}
+	}
+
+	if v, ok := d.GetOk("scopes"); ok {
+		nv := strutil.RemoveDuplicates(v.([]string), true)
+		if !strutil.EquivalentSlices(nv, c.Scopes) {
+			c.Scopes = nv
+			changed = true
+		}
+	}
+
+	if v, ok := d.GetOk("issuer"); ok {
+		nv := strings.TrimSpace(v.(string))
+		if nv != c.Issuer {
+			c.Issuer = nv
+			changed = true
+		}
+	}
+
+	if v, ok := d.GetOk("location"); ok {
+		nv := strings.TrimSpace(v.(string))
+		if nv != c.Location {
+			c.Location = nv
+			changed = true
+		}
+	}
+
+	if v, ok := d.GetOk("project"); ok {
+		nv := strings.TrimSpace(v.(string))
+		if nv != c.Project {
+			c.Project = nv
+			changed = true
+		}
+	}
+
+	if c.Issuer == "" || c.Location == "" || c.Project == "" {
+		return true, errors.New("Must specify Issuer, Location and Project in config ")
+	}
+
+	return changed, nil
+}
diff --git a/config_test.go b/config_test.go
new file mode 100644
index 0000000..6ffe0eb
--- /dev/null
+++ b/config_test.go
@@ -0,0 +1,285 @@
+// Copyright 2020 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     https://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package gcppca
+
+import (
+	"reflect"
+	"testing"
+
+	"github.com/hashicorp/vault/sdk/framework"
+)
+
+func TestConfig_Update(t *testing.T) {
+	t.Parallel()
+
+	cases := []struct {
+		name    string
+		new     *Config
+		d       *framework.FieldData
+		r       *Config
+		changed bool
+		err     bool
+	}{
+		{
+			"empty",
+			&Config{},
+			nil,
+			&Config{},
+			false,
+			false,
+		},
+		{
+			"expect_project",
+			&Config{
+				Credentials: "creds",
+				Issuer:      "iss",
+				Location:    "us-central1",
+			},
+			&framework.FieldData{
+				Raw: map[string]interface{}{
+					"credentials": "creds",
+					"issuer":      "iss",
+					"location":    "us-central1",
+				},
+			},
+			&Config{
+				Credentials: "creds",
+				Issuer:      "iss",
+				Location:    "us-central1",
+			},
+			true,
+			true,
+		},
+		{
+			"expect_issuer",
+			&Config{
+				Credentials: "creds",
+				Project:     "project",
+				Location:    "us-central1",
+			},
+			&framework.FieldData{
+				Raw: map[string]interface{}{
+					"credentials": "creds",
+					"project":     "project",
+					"location":    "us-central1",
+				},
+			},
+			&Config{
+				Credentials: "creds",
+				Project:     "project",
+				Location:    "us-central1",
+			},
+			true,
+			true,
+		},
+		{
+			"expect_location",
+			&Config{
+				Credentials: "creds",
+				Project:     "project",
+				Issuer:      "iss",
+			},
+			&framework.FieldData{
+				Raw: map[string]interface{}{
+					"credentials": "creds",
+					"issuer":      "iss",
+					"project":     "project",
+				},
+			},
+			&Config{
+				Credentials: "creds",
+				Project:     "project",
+				Issuer:      "iss",
+			},
+			true,
+			true,
+		},
+		{
+			"keeps_existing",
+			&Config{
+				Credentials: "creds",
+				Project:     "project",
+				Issuer:      "iss",
+				Location:    "us-central1",
+			},
+			nil,
+			&Config{
+				Credentials: "creds",
+				Project:     "project",
+				Issuer:      "iss",
+				Location:    "us-central1",
+			},
+			false,
+			false,
+		},
+		{
+			"overwrites_changes",
+			&Config{
+				Credentials: "creds",
+				Project:     "project",
+				Issuer:      "iss",
+				Location:    "us-central1",
+			},
+			&framework.FieldData{
+				Raw: map[string]interface{}{
+					"credentials": "foo",
+					"project":     "project",
+					"issuer":      "iss",
+					"location":    "us-central1",
+				},
+			},
+			&Config{
+				Credentials: "foo",
+				Project:     "project",
+				Issuer:      "iss",
+				Location:    "us-central1",
+			},
+			true,
+			false,
+		},
+		{
+			"overwrites_and_new",
+			&Config{
+				Credentials: "creds",
+				Project:     "project",
+				Issuer:      "iss",
+				Location:    "us-central1",
+			},
+			&framework.FieldData{
+				Raw: map[string]interface{}{
+					"credentials": "foo",
+					"scopes":      "bar",
+					"project":     "project",
+					"issuer":      "iss",
+					"location":    "us-central1",
+				},
+			},
+			&Config{
+				Credentials: "foo",
+				Scopes:      []string{"bar"},
+				Project:     "project",
+				Issuer:      "iss",
+				Location:    "us-central1",
+			},
+			true,
+			false,
+		},
+		{
+			"no_changes_order",
+			&Config{
+				Scopes:   []string{"bar", "foo"},
+				Project:  "project",
+				Issuer:   "iss",
+				Location: "us-central1",
+			},
+			&framework.FieldData{
+				Raw: map[string]interface{}{
+					"scopes":   "foo,bar",
+					"project":  "project",
+					"issuer":   "iss",
+					"location": "us-central1",
+				},
+			},
+			&Config{
+				Scopes:   []string{"bar", "foo"},
+				Project:  "project",
+				Issuer:   "iss",
+				Location: "us-central1",
+			},
+			false,
+			false,
+		},
+		{
+			"no_changes_caps",
+			&Config{
+				Scopes:   []string{"bar", "foo"},
+				Project:  "project",
+				Issuer:   "iss",
+				Location: "us-central1",
+			},
+			&framework.FieldData{
+				Raw: map[string]interface{}{
+					"scopes":   "FOO,baR",
+					"project":  "project",
+					"issuer":   "iss",
+					"location": "us-central1",
+				},
+			},
+			&Config{
+				Scopes:   []string{"bar", "foo"},
+				Project:  "project",
+				Issuer:   "iss",
+				Location: "us-central1",
+			},
+			false,
+			false,
+		},
+		{
+			"no_changes_dupes",
+			&Config{
+				Scopes:   []string{"bar", "foo"},
+				Project:  "project",
+				Issuer:   "iss",
+				Location: "us-central1",
+			},
+			&framework.FieldData{
+				Raw: map[string]interface{}{
+					"scopes":   "foo, foo, foo, bar",
+					"project":  "project",
+					"issuer":   "iss",
+					"location": "us-central1",
+				},
+			},
+			&Config{
+				Scopes:   []string{"bar", "foo"},
+				Project:  "project",
+				Issuer:   "iss",
+				Location: "us-central1",
+			},
+			false,
+			false,
+		},
+	}
+
+	for _, tc := range cases {
+		tc := tc
+
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+
+			if tc.d != nil {
+				var b backend
+				tc.d.Schema = b.pathConfig().Fields
+			}
+
+			changed, err := tc.new.Update(tc.d)
+			if (err != nil) != tc.err {
+				t.Fatal(err)
+			}
+
+			if changed != tc.changed {
+				t.Errorf("expected %t to be %t", changed, tc.changed)
+			}
+
+			if v, exp := tc.new.Scopes, tc.r.Scopes; !reflect.DeepEqual(v, exp) {
+				t.Errorf("expected %q to be %q", v, exp)
+			}
+
+			if v, exp := tc.new.Credentials, tc.r.Credentials; v != exp {
+				t.Errorf("expected %q to be %q", v, exp)
+			}
+		})
+	}
+}
diff --git a/go.mod b/go.mod
new file mode 100644
index 0000000..8932c99
--- /dev/null
+++ b/go.mod
@@ -0,0 +1,35 @@
+module github.com/salrashid123/vault-plugin-secrets-gcppca
+
+go 1.12
+
+require (
+	cloud.google.com/go v0.56.0
+	cloud.google.com/go/security/privateca/apialpha1 v0.0.0
+	github.com/armon/go-radix v1.0.0 // indirect
+	github.com/gammazero/deque v0.0.0-20190130191400-2afb3858e9c7 // indirect
+	github.com/gammazero/workerpool v0.0.0-20190406235159-88d534f22b56
+	github.com/golang/protobuf v1.3.5
+	github.com/google/uuid v1.1.1
+	github.com/hashicorp/errwrap v1.0.0
+	github.com/hashicorp/go-hclog v0.12.0
+	github.com/hashicorp/go-multierror v1.0.0
+	github.com/hashicorp/go-version v1.2.0 // indirect
+	github.com/hashicorp/vault/api v1.0.5-0.20200215224050-f6547fa8e820
+	github.com/hashicorp/vault/sdk v0.1.14-0.20200215224050-f6547fa8e820
+	github.com/hashicorp/yamux v0.0.0-20181012175058-2f1d1f20f75d // indirect
+	github.com/jeffchao/backoff v0.0.0-20140404060208-9d7fd7aa17f2
+	github.com/kr/pretty v0.1.0 // indirect
+	github.com/satori/go.uuid v1.2.0
+	golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d
+	golang.org/x/text v0.3.2 // indirect
+	google.golang.org/api v0.23.0
+	google.golang.org/genproto v0.0.0-20200331122359-1ee6d9798940
+	google.golang.org/genproto/googleapis/cloud/security/privateca/v1alpha1 v0.0.0
+	google.golang.org/grpc v1.28.0
+	gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127 // indirect
+
+)
+
+replace cloud.google.com/go/security/privateca/apialpha1 => ./lib/cloud.google.com/go/security/privateca/apiv1alpha1
+
+replace google.golang.org/genproto/googleapis/cloud/security/privateca/v1alpha1 => ./lib/google.golang.org/genproto/googleapis/cloud/security/privateca/v1alpha1
diff --git a/go.sum b/go.sum
new file mode 100644
index 0000000..4bb4548
--- /dev/null
+++ b/go.sum
@@ -0,0 +1,445 @@
+cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
+cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
+cloud.google.com/go v0.38.0/go.mod h1:990N+gfupTy94rShfmMCWGDn0LpTmnzTp2qbd1dvSRU=
+cloud.google.com/go v0.39.0 h1:UgQP9na6OTfp4dsAiz/eFpFA1C6tPdH5wiRdi19tuMw=
+cloud.google.com/go v0.39.0/go.mod h1:rVLT6fkc8chs9sfPtFc1SBH6em7n+ZoXaG+87tDISts=
+cloud.google.com/go v0.44.1/go.mod h1:iSa0KzasP4Uvy3f1mN/7PiObzGgflwredwwASm/v6AU=
+cloud.google.com/go v0.44.2/go.mod h1:60680Gw3Yr4ikxnPRS/oxxkBccT6SA1yMk63TGekxKY=
+cloud.google.com/go v0.45.1/go.mod h1:RpBamKRgapWJb87xiFSdk4g1CME7QZg3uwTez+TSTjc=
+cloud.google.com/go v0.46.3/go.mod h1:a6bKKbmY7er1mI7TEI4lsAkts/mkhTSZK8w33B4RAg0=
+cloud.google.com/go v0.50.0/go.mod h1:r9sluTvynVuxRIOHXQEHMFffphuXHOMZMycpNR5e6To=
+cloud.google.com/go v0.52.0/go.mod h1:pXajvRH/6o3+F9jDHZWQ5PbGhn+o8w9qiu/CffaVdO4=
+cloud.google.com/go v0.53.0/go.mod h1:fp/UouUEsRkN6ryDKNW/Upv/JBKnv6WDthjR6+vze6M=
+cloud.google.com/go v0.56.0 h1:WRz29PgAsVEyPSDHyk+0fpEkwEFyfhHn+JbksT6gIL4=
+cloud.google.com/go v0.56.0/go.mod h1:jr7tqZxxKOVYizybht9+26Z/gUq7tiRzu+ACVAMbKVk=
+cloud.google.com/go/bigquery v1.0.1/go.mod h1:i/xbL2UlR5RvWAURpBYZTtm/cXjCha9lbfbpx4poX+o=
+cloud.google.com/go/bigquery v1.3.0/go.mod h1:PjpwJnslEMmckchkHFfq+HTD2DmtT67aNFKH1/VBDHE=
+cloud.google.com/go/bigquery v1.4.0/go.mod h1:S8dzgnTigyfTmLBfrtrhyYhwRxG72rYxvftPBK2Dvzc=
+cloud.google.com/go/datastore v1.0.0/go.mod h1:LXYbyblFSglQ5pkeyhO+Qmw7ukd3C+pD7TKLgZqpHYE=
+cloud.google.com/go/datastore v1.1.0/go.mod h1:umbIZjpQpHh4hmRpGhH4tLFup+FVzqBi1b3c64qFpCk=
+cloud.google.com/go/pubsub v1.0.1/go.mod h1:R0Gpsv3s54REJCy4fxDixWD93lHJMoZTyQ2kNxGRt3I=
+cloud.google.com/go/pubsub v1.1.0/go.mod h1:EwwdRX2sKPjnvnqCa270oGRyludottCI76h+R3AArQw=
+cloud.google.com/go/pubsub v1.2.0/go.mod h1:jhfEVHT8odbXTkndysNHCcx0awwzvfOlguIAii9o8iA=
+cloud.google.com/go/storage v1.0.0/go.mod h1:IhtSnM/ZTZV8YYJWCY8RULGVqBDmpoyjwiyrjsg+URw=
+cloud.google.com/go/storage v1.5.0/go.mod h1:tpKbwo567HUNpVclU5sGELwQWBDZ8gh0ZeosJ0Rtdos=
+cloud.google.com/go/storage v1.6.0/go.mod h1:N7U0C8pVQ/+NIKOBQyamJIeKQKkZ+mxpohlUTyfDhBk=
+dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU=
+github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
+github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo=
+github.com/DataDog/datadog-go v3.2.0+incompatible/go.mod h1:LButxg5PwREeZtORoXG3tL4fMGNddJ+vMq1mwgfaqoQ=
+github.com/armon/go-metrics v0.3.0/go.mod h1:zXjbSimjXTd7vOpY8B0/2LpvNvDoXBuplAD+gJD3GYs=
+github.com/armon/go-radix v0.0.0-20180808171621-7fddfc383310 h1:BUAU3CGlLvorLI26FmByPp2eC2qla6E1Tw+scpcg/to=
+github.com/armon/go-radix v0.0.0-20180808171621-7fddfc383310/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8=
+github.com/armon/go-radix v1.0.0 h1:F4z6KzEeeQIMeLFa97iZU6vupzoecKdU5TX24SNppXI=
+github.com/armon/go-radix v1.0.0/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8=
+github.com/aws/aws-sdk-go v1.25.37/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo=
+github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q=
+github.com/bgentry/speakeasy v0.1.0/go.mod h1:+zsyZBPWlz7T6j88CTgSN5bM796AkVf0kBD4zp0CCIs=
+github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
+github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI=
+github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI=
+github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU=
+github.com/circonus-labs/circonus-gometrics v2.3.1+incompatible/go.mod h1:nmEj6Dob7S7YxXgwXpfOuvO54S+tGdZdw9fuRZt25Ag=
+github.com/circonus-labs/circonusllhist v0.1.3/go.mod h1:kMXHVDlOchFAehlya5ePtbp5jckzBHf4XRpQvBOLI+I=
+github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
+github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc=
+github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
+github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
+github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
+github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98=
+github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
+github.com/fatih/color v1.7.0 h1:DkWD4oS2D8LGGgTQ6IvwJJXSL5Vp2ffcQg58nFV38Ys=
+github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4=
+github.com/fatih/structs v1.1.0 h1:Q7juDM0QtcnhCpeyLGQKyg4TOIghuNXrkL32pHAUMxo=
+github.com/fatih/structs v1.1.0/go.mod h1:9NiDSp5zOcgEDl+j00MP/WkGVPOlPRLejGD8Ga6PJ7M=
+github.com/gammazero/deque v0.0.0-20190130191400-2afb3858e9c7 h1:D2LrfOPgGHQprIxmsTpxtzhpmF66HoM6rXSmcqaX7h8=
+github.com/gammazero/deque v0.0.0-20190130191400-2afb3858e9c7/go.mod h1:GeIq9qoE43YdGnDXURnmKTnGg15pQz4mYkXSTChbneI=
+github.com/gammazero/workerpool v0.0.0-20190406235159-88d534f22b56 h1:VzbudKn/nvxYKOdzgkEBS6SSreRjAgoJ+ZeS4wPFkgc=
+github.com/gammazero/workerpool v0.0.0-20190406235159-88d534f22b56/go.mod h1:w9RqFVO2BM3xwWEcAB8Fwp0OviTBBEiRmSBDfbXnd3w=
+github.com/go-asn1-ber/asn1-ber v1.3.1/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0=
+github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU=
+github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
+github.com/go-gl/glfw/v3.3/glfw v0.0.0-20200222043503-6f7a984d4dc4/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
+github.com/go-ldap/ldap/v3 v3.1.3/go.mod h1:3rbOH3jRS2u6jg2rJnKAMLE/xQyCKIveG2Sa/Cohzb8=
+github.com/go-test/deep v1.0.2-0.20181118220953-042da051cf31 h1:28FVBuwkwowZMjbA7M0wXsI6t3PYulRTMio3SO+eKCM=
+github.com/go-test/deep v1.0.2-0.20181118220953-042da051cf31/go.mod h1:wGDj63lr65AM2AQyKZd/NYHGb0R+1RLqB8NKt3aSFNA=
+github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b h1:VKtxabqXZkF25pY9ekfRL6a582T4P37/31XEstQ5p58=
+github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
+github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
+github.com/golang/groupcache v0.0.0-20191227052852-215e87163ea7/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
+github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e h1:1r7pUrabqp18hOBcwBwiTsbnFeTZHV9eER/QT5JVZxY=
+github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
+github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
+github.com/golang/mock v1.2.0/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
+github.com/golang/mock v1.3.1/go.mod h1:sBzyDLLjw3U8JLTeZvSv8jJB+tU5PVekmnlKIyFUx0Y=
+github.com/golang/mock v1.4.0/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw=
+github.com/golang/mock v1.4.3/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw=
+github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
+github.com/golang/protobuf v1.3.1 h1:YF8+flBXS5eO826T4nzqPrxfhQThhXl0YzfuUPu4SBg=
+github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
+github.com/golang/protobuf v1.3.2 h1:6nsPYzhq5kReh6QImI3k5qWzO4PEbvbIW2cwSfR/6xs=
+github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
+github.com/golang/protobuf v1.3.3/go.mod h1:vzj43D7+SQXF/4pzW/hwtAqwc6iTitCiVSaWz5lYuqw=
+github.com/golang/protobuf v1.3.5 h1:F768QJ1E9tib+q5Sc8MkdJi1RxLTbRcTf8LJV56aRls=
+github.com/golang/protobuf v1.3.5/go.mod h1:6O5/vntMXwX2lRkT1hjjk0nAC1IDOTvTlVgjlRvqsdk=
+github.com/golang/snappy v0.0.1 h1:Qgr9rKW7uDUkrbSmQeiDsGa8SjGyCOGtuasMWwvp2P4=
+github.com/golang/snappy v0.0.1/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q=
+github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
+github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
+github.com/google/go-cmp v0.2.0 h1:+dTQ8DZQJz0Mb/HjFlkptS1FeQ4cWSnN941F8aEG4SQ=
+github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=
+github.com/google/go-cmp v0.3.0 h1:crn/baboCvb5fXaQ0IJ1SGTsTVrWpDsCWC8EGETZijY=
+github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
+github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
+github.com/google/go-cmp v0.4.0 h1:xsAVV57WRhGj6kEIi8ReJzQlHHqcBYCElAvkovg3B/4=
+github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs=
+github.com/google/pprof v0.0.0-20181206194817-3ea8567a2e57/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc=
+github.com/google/pprof v0.0.0-20190515194954-54271f7e092f/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc=
+github.com/google/pprof v0.0.0-20191218002539-d4f498aebedc/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM=
+github.com/google/pprof v0.0.0-20200212024743-f11f1df84d12/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM=
+github.com/google/pprof v0.0.0-20200229191704-1ebb73c60ed3/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM=
+github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI=
+github.com/google/uuid v1.1.1 h1:Gkbcsh/GbpXz7lPftLA3P6TYMwjCLYm83jiFQZF/3gY=
+github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/googleapis/gax-go/v2 v2.0.4 h1:hU4mGcQI4DaAYW+IbTun+2qEZVFxK0ySjQLTbS0VQKc=
+github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg=
+github.com/googleapis/gax-go/v2 v2.0.5 h1:sjZBwGj9Jlw33ImPtvFviGYvseOtDM7hkSKB7+Tv3SM=
+github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk=
+github.com/hashicorp/errwrap v1.0.0 h1:hLrqtEDnRye3+sgx6z4qVLNuviH3MR5aQ0ykNJa/UYA=
+github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
+github.com/hashicorp/go-cleanhttp v0.5.0/go.mod h1:JpRdi6/HCYpAwUzNwuwqhbovhLtngrth3wmdIIUrZ80=
+github.com/hashicorp/go-cleanhttp v0.5.1 h1:dH3aiDG9Jvb5r5+bYHsikaOUIpcM0xvgMXVoDkXMzJM=
+github.com/hashicorp/go-cleanhttp v0.5.1/go.mod h1:JpRdi6/HCYpAwUzNwuwqhbovhLtngrth3wmdIIUrZ80=
+github.com/hashicorp/go-hclog v0.0.0-20180709165350-ff2cf002a8dd/go.mod h1:9bjs9uLqI8l75knNv3lV1kA55veR+WUPSiKIWcQHudI=
+github.com/hashicorp/go-hclog v0.9.2 h1:CG6TE5H9/JXsFWJCfoIVpKFIkFe6ysEuHirp4DxCsHI=
+github.com/hashicorp/go-hclog v0.9.2/go.mod h1:5CU+agLiy3J7N7QjHK5d05KxGsuXiQLrjA0H7acj2lQ=
+github.com/hashicorp/go-hclog v0.12.0 h1:d4QkX8FRTYaKaCZBoXYY8zJX2BXjWxurN/GA2tkrmZM=
+github.com/hashicorp/go-hclog v0.12.0/go.mod h1:whpDNt7SSdeAju8AWKIWsul05p54N/39EeqMAyrmvFQ=
+github.com/hashicorp/go-immutable-radix v1.0.0 h1:AKDB1HM5PWEA7i4nhcpwOrO2byshxBjXVn/J/3+z5/0=
+github.com/hashicorp/go-immutable-radix v1.0.0/go.mod h1:0y9vanUI8NX6FsYoO3zeMjhV/C5i9g4Q3DwcSNZ4P60=
+github.com/hashicorp/go-kms-wrapping/entropy v0.1.0 h1:xuTi5ZwjimfpvpL09jDE71smCBRpnF5xfo871BSX4gs=
+github.com/hashicorp/go-kms-wrapping/entropy v0.1.0/go.mod h1:d1g9WGtAunDNpek8jUIEJnBlbgKS1N2Q61QkHiZyR1g=
+github.com/hashicorp/go-multierror v1.0.0 h1:iVjPR7a6H0tWELX5NxNe7bYopibicUzc7uPribsnS6o=
+github.com/hashicorp/go-multierror v1.0.0/go.mod h1:dHtQlpGsu+cZNNAkkCN/P3hoUDHhCYQXV3UM06sGGrk=
+github.com/hashicorp/go-plugin v1.0.1 h1:4OtAfUGbnKC6yS48p0CtMX2oFYtzFZVv6rok3cRWgnE=
+github.com/hashicorp/go-plugin v1.0.1/go.mod h1:++UyYGoz3o5w9ZzAdZxtQKrWWP+iqPBn3cQptSMzBuY=
+github.com/hashicorp/go-retryablehttp v0.5.3/go.mod h1:9B5zBasrRhHXnJnui7y6sL7es7NDiJgTc6Er0maI1Xs=
+github.com/hashicorp/go-retryablehttp v0.6.2 h1:bHM2aVXwBtBJWxHtkSrWuI4umABCUczs52eiUS9nSiw=
+github.com/hashicorp/go-retryablehttp v0.6.2/go.mod h1:gEx6HMUGxYYhJScX7W1Il64m6cc2C1mDaW3NQ9sY1FY=
+github.com/hashicorp/go-rootcerts v1.0.1 h1:DMo4fmknnz0E0evoNYnV48RjWndOsmd6OW+09R3cEP8=
+github.com/hashicorp/go-rootcerts v1.0.1/go.mod h1:pqUvnprVnM5bf7AOirdbb01K4ccR319Vf4pU3K5EGc8=
+github.com/hashicorp/go-sockaddr v1.0.2 h1:ztczhD1jLxIRjVejw8gFomI1BQZOe2WoVOu0SyteCQc=
+github.com/hashicorp/go-sockaddr v1.0.2/go.mod h1:rB4wwRAUzs07qva3c5SdrY/NEtAUjGlgmH/UkBUC97A=
+github.com/hashicorp/go-uuid v1.0.0/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro=
+github.com/hashicorp/go-uuid v1.0.2 h1:cfejS+Tpcp13yd5nYHWDI6qVCny6wyX2Mt5SGur2IGE=
+github.com/hashicorp/go-uuid v1.0.2/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro=
+github.com/hashicorp/go-version v1.1.0 h1:bPIoEKD27tNdebFGGxxYwcL4nepeY4j1QP23PFRGzg0=
+github.com/hashicorp/go-version v1.1.0/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA=
+github.com/hashicorp/go-version v1.2.0 h1:3vNe/fWF5CBgRIguda1meWhsZHy3m8gCJ5wx+dIzX/E=
+github.com/hashicorp/go-version v1.2.0/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA=
+github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
+github.com/hashicorp/golang-lru v0.5.1 h1:0hERBMJE1eitiLkihrMvRVBYAkpHzc/J3QdDN+dAcgU=
+github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
+github.com/hashicorp/hcl v1.0.0 h1:0Anlzjpi4vEasTeNFn2mLJgTSwt0+6sfsiTG8qcWGx4=
+github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ=
+github.com/hashicorp/vault/api v1.0.5-0.20200215224050-f6547fa8e820 h1:biZidYDDEWnuOI9mXnJre8lwHKhb5ym85aSXk3oz/dc=
+github.com/hashicorp/vault/api v1.0.5-0.20200215224050-f6547fa8e820/go.mod h1:3f12BMfgDGjTsTtIUj+ZKZwSobQpZtYGFIEehOv5z1o=
+github.com/hashicorp/vault/sdk v0.1.14-0.20200215195600-2ca765f0a500 h1:tiMX2ewq4ble+e2zENzBvaH2dMoFHe80NbnrF5Ir9Kk=
+github.com/hashicorp/vault/sdk v0.1.14-0.20200215195600-2ca765f0a500/go.mod h1:WX57W2PwkrOPQ6rVQk+dy5/htHIaB4aBM70EwKThu10=
+github.com/hashicorp/vault/sdk v0.1.14-0.20200215224050-f6547fa8e820 h1:TmDZ1sS6gU0hFeFlFuyJVUwRPEzifZIHCBeS2WF2uSc=
+github.com/hashicorp/vault/sdk v0.1.14-0.20200215224050-f6547fa8e820/go.mod h1:WX57W2PwkrOPQ6rVQk+dy5/htHIaB4aBM70EwKThu10=
+github.com/hashicorp/yamux v0.0.0-20180604194846-3520598351bb/go.mod h1:+NfK9FKeTrX5uv1uIXGdwYDTeHna2qgaIlx54MXqjAM=
+github.com/hashicorp/yamux v0.0.0-20181012175058-2f1d1f20f75d h1:kJCB4vdITiW1eC1vq2e6IsrXKrZit1bv/TDYFGMp4BQ=
+github.com/hashicorp/yamux v0.0.0-20181012175058-2f1d1f20f75d/go.mod h1:+NfK9FKeTrX5uv1uIXGdwYDTeHna2qgaIlx54MXqjAM=
+github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
+github.com/jeffchao/backoff v0.0.0-20140404060208-9d7fd7aa17f2 h1:mex1izRBCD+7WjieGgRdy7e651vD/lvB1bD9vNE/3K4=
+github.com/jeffchao/backoff v0.0.0-20140404060208-9d7fd7aa17f2/go.mod h1:xkfESuHriIekR+4RoV+fu91j/CfnYM29Zi2tMFw5iD4=
+github.com/jmespath/go-jmespath v0.0.0-20180206201540-c2b33e8439af/go.mod h1:Nht3zPeWKUH0NzdCt2Blrr5ys8VGpn0CEB0cQHVjt7k=
+github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU=
+github.com/jstemmer/go-junit-report v0.9.1/go.mod h1:Brl9GWCQeLvo8nXZwPNNblvFj/XSXhF0NWZEnDohbsk=
+github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
+github.com/kr/pretty v0.1.0 h1:L/CwN0zerZDmRFUapSPitk6f+Q3+0za1rQkzVuMiMFI=
+github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
+github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
+github.com/kr/text v0.1.0 h1:45sCR5RtlFHMR4UwH9sdQ5TC8v0qDQCHnXt+kaKSTVE=
+github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
+github.com/mattn/go-colorable v0.0.9/go.mod h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaOChaDxuIBZU=
+github.com/mattn/go-colorable v0.1.4 h1:snbPLB8fVfU9iwbbo30TPtbLRzwWu6aJS6Xh4eaaviA=
+github.com/mattn/go-colorable v0.1.4/go.mod h1:U0ppj6V5qS13XJ6of8GYAs25YV2eR4EVcfRqFIhoBtE=
+github.com/mattn/go-isatty v0.0.3/go.mod h1:M+lRXTBqGeGNdLjl/ufCoiOlB5xdOkqRJdNxMWT7Zi4=
+github.com/mattn/go-isatty v0.0.8/go.mod h1:Iq45c/XA43vh69/j3iqttzPXn0bhXyGjM0Hdxcsrc5s=
+github.com/mattn/go-isatty v0.0.10 h1:qxFzApOv4WsAL965uUPIsXzAKCZxN2p9UqdhFS4ZW10=
+github.com/mattn/go-isatty v0.0.10/go.mod h1:qgIWMr58cqv1PHHyhnkY9lrL7etaEgOFcMEpPG5Rm84=
+github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0=
+github.com/mitchellh/cli v1.0.0/go.mod h1:hNIlj7HEI86fIcpObd7a0FcrxTWetlwJDGcceTlRvqc=
+github.com/mitchellh/copystructure v1.0.0/go.mod h1:SNtv71yrdKgLRyLFxmLdkAbkKEFWgYaq1OVrnRcwhnw=
+github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG+4E0Y=
+github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0=
+github.com/mitchellh/go-testing-interface v0.0.0-20171004221916-a61a99592b77/go.mod h1:kRemZodwjscx+RGhAo8eIhFbs2+BFgRtFPeD/KE+zxI=
+github.com/mitchellh/go-testing-interface v1.0.0 h1:fzU/JVNcaqHQEcVFAKeR41fkiLdIPrefOvVG1VZ96U0=
+github.com/mitchellh/go-testing-interface v1.0.0/go.mod h1:kRemZodwjscx+RGhAo8eIhFbs2+BFgRtFPeD/KE+zxI=
+github.com/mitchellh/go-wordwrap v1.0.0/go.mod h1:ZXFpozHsX6DPmq2I0TCekCxypsnAUbP2oI0UX1GXzOo=
+github.com/mitchellh/mapstructure v1.1.2 h1:fmNYVwqnSfB9mZU6OS2O6GsXM+wcskZDuKQzvN1EDeE=
+github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y=
+github.com/mitchellh/reflectwalk v1.0.0/go.mod h1:mSTlrgnPZtwu0c4WaC2kGObEpuNDbx0jmZXqmk4esnw=
+github.com/oklog/run v1.0.0 h1:Ru7dDtJNOyC66gQ5dQmaCa0qIsAUFY3sFpK1Xk8igrw=
+github.com/oklog/run v1.0.0/go.mod h1:dlhp/R75TPv97u0XWUtDeV/lRKWPKSdTuV0TZvrmrQA=
+github.com/pascaldekloe/goe v0.1.0/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144TG7ZOy1lc=
+github.com/pierrec/lz4 v2.0.5+incompatible h1:2xWsjqPFWcplujydGg4WmhC/6fZqK42wMM8aXeqhl0I=
+github.com/pierrec/lz4 v2.0.5+incompatible/go.mod h1:pdkljMzZIN41W+lC3N2tnIh5sFi+IEE17M5jbnwPHcY=
+github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
+github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
+github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/posener/complete v1.1.1/go.mod h1:em0nMJCgc9GFtwrmVmEMR/ZL6WyhyjMBndrE9hABlRI=
+github.com/prometheus/client_golang v0.9.2/go.mod h1:OsXs2jCmiKlQ1lTBmv21f2mNfw4xf/QclQDMrYNZzcM=
+github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo=
+github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
+github.com/prometheus/common v0.0.0-20181126121408-4724e9255275/go.mod h1:daVV7qP5qjZbuso7PdcryaAu0sAZbrN9i7WWcTMWvro=
+github.com/prometheus/procfs v0.0.0-20181204211112-1dc9a6cbc91a/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
+github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
+github.com/ryanuber/columnize v2.1.0+incompatible/go.mod h1:sm1tb6uqfes/u+d4ooFouqFdy9/2g9QGwK3SQygK0Ts=
+github.com/ryanuber/go-glob v1.0.0 h1:iQh3xXAumdQ+4Ufa5b25cRpC5TYKlno6hsv6Cb3pkBk=
+github.com/ryanuber/go-glob v1.0.0/go.mod h1:807d1WSdnB0XRJzKNil9Om6lcp/3a0v4qIHxIXzX/Yc=
+github.com/satori/go.uuid v1.2.0 h1:0uYX9dsZ2yD7q2RtLRtPSdGDWzjeM3TbMJP9utgA0ww=
+github.com/satori/go.uuid v1.2.0/go.mod h1:dA0hQrYB0VpLJoorglMZABFdXlWrHn1NEOzdhQKdks0=
+github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
+github.com/stretchr/testify v1.3.0 h1:TivCn/peBQ7UY8ooIcPgZFpTNSz0Q2U6UrFlUfqbe0Q=
+github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
+github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
+github.com/tv42/httpunix v0.0.0-20150427012821-b75d8614f926/go.mod h1:9ESjWnEqriFuLhtthL60Sar/7RFoluCcXsuvEwTV5KM=
+github.com/yuin/goldmark v1.1.25/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
+go.opencensus.io v0.21.0 h1:mU6zScU4U1YAFPHEHYk+3JC4SY7JxgkqS10ZOSyksNg=
+go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU=
+go.opencensus.io v0.22.0/go.mod h1:+kGneAE2xo2IficOXnaByMWTGM9T73dGwxeWcUqIpI8=
+go.opencensus.io v0.22.2/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
+go.opencensus.io v0.22.3 h1:8sGtKOrtQqkN1bp2AtX+misvLIlOmsEsNd+9NIcPEm8=
+go.opencensus.io v0.22.3/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
+golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2 h1:VklqNMn3ovrHsnt90PveolxSbWFaJdECFbxSq0Mqo2M=
+golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
+golang.org/x/crypto v0.0.0-20190418165655-df01cb2cc480/go.mod h1:WFFai1msRO1wXaEeE5yQxYXgSfI8pQAWXbQop6sCtWE=
+golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
+golang.org/x/crypto v0.0.0-20190513172903-22d7a77e9e5f h1:R423Cnkcp5JABoeemiGEPlt9tHXFfw5kvc0yqlxRPWo=
+golang.org/x/crypto v0.0.0-20190513172903-22d7a77e9e5f/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
+golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
+golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550 h1:ObdrDkeb4kJdCP557AjRjq69pTHfNouLtWZG7j9rPN8=
+golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
+golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
+golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
+golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
+golang.org/x/exp v0.0.0-20190829153037-c13cbed26979/go.mod h1:86+5VVa7VpoJ4kLfm080zCjGlMRFzhUhsZKEZO7MGek=
+golang.org/x/exp v0.0.0-20191030013958-a1ab85dbe136/go.mod h1:JXzH8nQsPlswgeRAPE3MuO9GYsAcnJvJ4vnMwN/5qkY=
+golang.org/x/exp v0.0.0-20191129062945-2f5052295587/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4=
+golang.org/x/exp v0.0.0-20191227195350-da58074b4299/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4=
+golang.org/x/exp v0.0.0-20200119233911-0405dc783f0a/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4=
+golang.org/x/exp v0.0.0-20200207192155-f17229e696bd/go.mod h1:J/WKrq2StrnmMY6+EHIKF9dgMWnmCNThgcyBT1FY9mM=
+golang.org/x/exp v0.0.0-20200224162631-6cc2880d07d6/go.mod h1:3jZMyOhIsHpP37uCMkUooju7aAi5cS1Q23tOzKc+0MU=
+golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js=
+golang.org/x/image v0.0.0-20190802002840-cff245a6509b/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0=
+golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
+golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU=
+golang.org/x/lint v0.0.0-20190301231843-5614ed5bae6f/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
+golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
+golang.org/x/lint v0.0.0-20190409202823-959b441ac422/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
+golang.org/x/lint v0.0.0-20190909230951-414d861bb4ac/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
+golang.org/x/lint v0.0.0-20190930215403-16217165b5de/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
+golang.org/x/lint v0.0.0-20191125180803-fdd1cda4f05f/go.mod h1:5qLYkcX4OjUUV8bRuDixDT3tpyyb+LUpUlRWLxfhWrs=
+golang.org/x/lint v0.0.0-20200130185559-910be7a94367/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
+golang.org/x/lint v0.0.0-20200302205851-738671d3881b/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
+golang.org/x/mobile v0.0.0-20190312151609-d3739f865fa6/go.mod h1:z+o9i4GpDbdi3rU15maQ/Ox0txvL9dWGYEHz965HBQE=
+golang.org/x/mobile v0.0.0-20190719004257-d2bd2a29d028/go.mod h1:E/iHnbuqvinMTCcRqshq8CkpyQDoeVncDDYHnLhea+o=
+golang.org/x/mod v0.0.0-20190513183733-4bf6d317e70e/go.mod h1:mXi4GBBbnImb6dmsKGUJ2LatrhH/nqhxcFungHvyanc=
+golang.org/x/mod v0.1.0/go.mod h1:0QHyrYULN0/3qlju5TqG8bIK38QM8yzMo5ekMj3DlcY=
+golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg=
+golang.org/x/mod v0.1.1-0.20191107180719-034126e5016b/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg=
+golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
+golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/net v0.0.0-20181201002055-351d144fa1fc/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/net v0.0.0-20190311183353-d8887717615a h1:oWX7TPOiFAMXLq8o0ikBYfCJVlRHBcsciT5bXOrH628=
+golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
+golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3 h1:0GoQqolDA55aaLxZyTzK/Y2ePZzZTUrRacwib7cNsYQ=
+golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
+golang.org/x/net v0.0.0-20190501004415-9ce7a6920f09/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
+golang.org/x/net v0.0.0-20190503192946-f4e77d36d62c/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
+golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks=
+golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20190724013045-ca1201d0de80/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20190813141303-74dc4d7220e7 h1:fHDIZ2oxGnUZRN6WgWFCbYBjH9uqVPRCUVUDhs0wnbA=
+golang.org/x/net v0.0.0-20190813141303-74dc4d7220e7/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20191209160850-c0dbc17a3553/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20200114155413-6afb5195e5aa/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20200202094626-16171245cfb2/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20200222125558-5a598a2470a0/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20200324143707-d3edc9973b7e h1:3G+cUijn7XD+S4eJFddp53Pv7+slrESplyjG25HgL+k=
+golang.org/x/net v0.0.0-20200324143707-d3edc9973b7e/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
+golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
+golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
+golang.org/x/oauth2 v0.0.0-20190402181905-9f3314589c9a h1:tImsplftrFpALCYumobsd0K86vlAs/eXGFms2txfJfA=
+golang.org/x/oauth2 v0.0.0-20190402181905-9f3314589c9a/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
+golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45 h1:SVwTIAaPC2U/AvvLNZ2a7OVsmBpC8L5BlwK1whH3hm0=
+golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
+golang.org/x/oauth2 v0.0.0-20191202225959-858c2ad4c8b6/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
+golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d h1:TzXSXBo42m9gQenoE3b9BGiEpg5IG2JkU5FkPIawgtw=
+golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
+golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20190227155943-e225da77a7e6/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20200317015054-43a5402ce75a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sys v0.0.0-20180823144017-11551d06cbcc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20190129075346-302c3dd5f1cc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20190222072716-a9d3bda3a223/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20190312061237-fead79001313/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190403152447-81d4e9dc473e h1:nFYrTHrdrAOpShe27kaFHjsqYSEQ0KWqdWLu3xuZJts=
+golang.org/x/sys v0.0.0-20190403152447-81d4e9dc473e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190502145724-3ef323f4f1fd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190507160741-ecd444e8653b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190606165138-5da285871e9c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190624142023-c5567b49c5d0/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190726091711-fc99dfbffb4e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20191001151750-bb3f8db39f24/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20191008105621-543471e840be h1:QAcqgptGM8IQBC9K/RC4o+O9YmqEm0diQn9QmZw/0mU=
+golang.org/x/sys v0.0.0-20191008105621-543471e840be/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20191204072324-ce4227a45e2e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20191228213918-04cbcbbfeed8/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200113162924-86b910548bc1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200122134326-e047566fdf82/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200202164722-d101bd2416d5/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200212091648-12a6c2dcc1e4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200223170610-d5e6a3e2c0ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200331124033-c3d80250170d h1:nc5K6ox/4lTFbMVSL9WRR81ixkcwXThoiF6yf+R9scA=
+golang.org/x/sys v0.0.0-20200331124033-c3d80250170d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+golang.org/x/text v0.3.2 h1:tW2bmiBqwgJj/UpqtC8EpXEZVYOwU0yG4iWbprSVAcs=
+golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
+golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
+golang.org/x/time v0.0.0-20190308202827-9d24e82272b4 h1:SvFZT6jyqRaOeXpc5h/JSfZenJ2O330aBsf7JfSUXmQ=
+golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
+golang.org/x/time v0.0.0-20191024005414-555d28b269f0 h1:/5xXl8Y5W96D+TtHSlonuFqGHIWVuyCkGJLwGh9JJFs=
+golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
+golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY=
+golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
+golang.org/x/tools v0.0.0-20190312151545-0bb0c0a6e846/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
+golang.org/x/tools v0.0.0-20190312170243-e65039ee4138/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
+golang.org/x/tools v0.0.0-20190425150028-36563e24a262/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
+golang.org/x/tools v0.0.0-20190506145303-2d16b83fe98c/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
+golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
+golang.org/x/tools v0.0.0-20190606124116-d0a3d012864b/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
+golang.org/x/tools v0.0.0-20190621195816-6e04913cbbac/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
+golang.org/x/tools v0.0.0-20190628153133-6cdbf07be9d0/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
+golang.org/x/tools v0.0.0-20190816200558-6889da9d5479/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/tools v0.0.0-20190911174233-4f2ddba30aff/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/tools v0.0.0-20191012152004-8de300cfc20a/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/tools v0.0.0-20191113191852-77e3bb0ad9e7/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/tools v0.0.0-20191115202509-3a792d9c32b2/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/tools v0.0.0-20191125144606-a911d9008d1f/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/tools v0.0.0-20191130070609-6e064ea0cf2d/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/tools v0.0.0-20191216173652-a0e659d51361/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
+golang.org/x/tools v0.0.0-20191227053925-7b8e75db28f4/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
+golang.org/x/tools v0.0.0-20200117161641-43d50277825c/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
+golang.org/x/tools v0.0.0-20200122220014-bf1340f18c4a/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
+golang.org/x/tools v0.0.0-20200130002326-2f3ba24bd6e7/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
+golang.org/x/tools v0.0.0-20200204074204-1cc6d1ef6c74/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
+golang.org/x/tools v0.0.0-20200207183749-b753a1ba74fa/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
+golang.org/x/tools v0.0.0-20200212150539-ea181f53ac56/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
+golang.org/x/tools v0.0.0-20200224181240-023911ca70b2/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
+golang.org/x/tools v0.0.0-20200331025713-a30bf2db82d4/go.mod h1:Sl4aGygMT6LrqrWclx+PTx3U+LnKx/seiNR+3G19Ar8=
+golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+google.golang.org/api v0.4.0/go.mod h1:8k5glujaEP+g9n7WNsDg8QP6cUVNI86fCNMcbazEtwE=
+google.golang.org/api v0.5.0 h1:lj9SyhMzyoa38fgFF0oO2T6pjs5IzkLPKfVtxpyCRMM=
+google.golang.org/api v0.5.0/go.mod h1:8k5glujaEP+g9n7WNsDg8QP6cUVNI86fCNMcbazEtwE=
+google.golang.org/api v0.7.0/go.mod h1:WtwebWUNSVBH/HAw79HIFXZNqEvBhG+Ra+ax0hx3E3M=
+google.golang.org/api v0.8.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg=
+google.golang.org/api v0.9.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg=
+google.golang.org/api v0.10.0 h1:7tmAxx3oKE98VMZ+SBZzvYYWRQ9HODBxmC8mXUsraSQ=
+google.golang.org/api v0.10.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg=
+google.golang.org/api v0.13.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI=
+google.golang.org/api v0.14.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI=
+google.golang.org/api v0.15.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI=
+google.golang.org/api v0.17.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE=
+google.golang.org/api v0.18.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE=
+google.golang.org/api v0.20.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE=
+google.golang.org/api v0.23.0 h1:YlvGEOq2NA2my8cZ/9V8BcEO9okD48FlJcdqN0xJL3s=
+google.golang.org/api v0.23.0/go.mod h1:lIXQywCXRcnZPGlsd8NbLnOjtAoL6em04bJ9+z0MncE=
+google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
+google.golang.org/appengine v1.4.0 h1:/wp5JvzpHIxhs/dumFmF7BXTf3Z+dd4uXta4kVyO508=
+google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
+google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
+google.golang.org/appengine v1.6.0 h1:Tfd7cKwKbFRsI8RMAD3oqqw7JPFRrvFlOsfbgVkjOOw=
+google.golang.org/appengine v1.6.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
+google.golang.org/appengine v1.6.1/go.mod h1:i06prIuMbXzDqacNJfV5OdTW448YApPu5ww/cMBSeb0=
+google.golang.org/appengine v1.6.5/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc=
+google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc=
+google.golang.org/genproto v0.0.0-20190307195333-5fe7a883aa19/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
+google.golang.org/genproto v0.0.0-20190418145605-e7d98fc518a7/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
+google.golang.org/genproto v0.0.0-20190425155659-357c62f0e4bb/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
+google.golang.org/genproto v0.0.0-20190502173448-54afdca5d873/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
+google.golang.org/genproto v0.0.0-20190508193815-b515fa19cec8/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
+google.golang.org/genproto v0.0.0-20190513181449-d00d292a067c h1:m9avZ3wyOWBR0fLC+qWbMBulk+Jiiqelngssgp8jfIs=
+google.golang.org/genproto v0.0.0-20190513181449-d00d292a067c/go.mod h1:z3L6/3dTEVtUr6QSP8miRzeRqwQOioJ9I66odjN4I7s=
+google.golang.org/genproto v0.0.0-20190801165951-fa694d86fc64/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc=
+google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55 h1:gSJIx1SDwno+2ElGhA4+qG2zF97qiUzTM+rQ0klBOcE=
+google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc=
+google.golang.org/genproto v0.0.0-20190911173649-1774047e7e51/go.mod h1:IbNlFCBrqXvoKpeg0TB2l7cyZUmoaFKYIwrEpbDKLA8=
+google.golang.org/genproto v0.0.0-20191108220845-16a3f7862a1a/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc=
+google.golang.org/genproto v0.0.0-20191115194625-c23dd37a84c9/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc=
+google.golang.org/genproto v0.0.0-20191216164720-4f79533eabd1/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc=
+google.golang.org/genproto v0.0.0-20191230161307-f3c370f40bfb/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc=
+google.golang.org/genproto v0.0.0-20200115191322-ca5a22157cba/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc=
+google.golang.org/genproto v0.0.0-20200122232147-0452cf42e150/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc=
+google.golang.org/genproto v0.0.0-20200204135345-fa8e72b47b90/go.mod h1:GmwEX6Z4W5gMy59cAlVYjN9JhxgbQH6Gn+gFDQe2lzA=
+google.golang.org/genproto v0.0.0-20200212174721-66ed5ce911ce/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
+google.golang.org/genproto v0.0.0-20200224152610-e50cd9704f63/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
+google.golang.org/genproto v0.0.0-20200331122359-1ee6d9798940 h1:MRHtG0U6SnaUb+s+LhNE1qt1FQ1wlhqr5E4usBKC0uA=
+google.golang.org/genproto v0.0.0-20200331122359-1ee6d9798940/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
+google.golang.org/genproto v0.0.0-20200430143042-b979b6f78d84 h1:pSLkPbrjnPyLDYUO2VM9mDLqo2V6CFBY84lFSZAfoi4=
+google.golang.org/grpc v1.14.0/go.mod h1:yo6s7OP7yaDglbqo1J04qKzAhqBH6lvTonzMVmEdcZw=
+google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
+google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38=
+google.golang.org/grpc v1.21.1/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM=
+google.golang.org/grpc v1.22.0 h1:J0UbZOIrCAl+fpTOf8YLs4dJo8L/owV4LYVtAXQoPkw=
+google.golang.org/grpc v1.22.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg=
+google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg=
+google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQciAY=
+google.golang.org/grpc v1.26.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk=
+google.golang.org/grpc v1.27.0 h1:rRYRFMVgRv6E0D70Skyfsr28tDXIuuPZyWGMPdMcnXg=
+google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk=
+google.golang.org/grpc v1.27.1/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk=
+google.golang.org/grpc v1.28.0 h1:bO/TA4OxCOummhSf10siHuG7vJOiwh7SpRpFZDkOgl4=
+google.golang.org/grpc v1.28.0/go.mod h1:rpkK4SK4GF4Ach/+MFLZUBavHOvF2JJB5uozKKal+60=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127 h1:qIbj1fsPNlZgppZ+VLlY7N33q108Sa+fhmuc+sWQYwY=
+gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI=
+gopkg.in/square/go-jose.v2 v2.3.1 h1:SK5KegNXmKmqE342YYN2qPHEnUYeoMiXXl1poUlI+o4=
+gopkg.in/square/go-jose.v2 v2.3.1/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI=
+gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
+honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
+honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
+honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
+honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg=
+honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
+rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8=
+rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0=
+rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA=
diff --git a/helpers.go b/helpers.go
new file mode 100644
index 0000000..5f4efbc
--- /dev/null
+++ b/helpers.go
@@ -0,0 +1,104 @@
+// Copyright 2020 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     https://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package gcppca
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"regexp"
+	"sort"
+	"strconv"
+	"strings"
+	"time"
+
+	"github.com/hashicorp/vault/sdk/framework"
+	"github.com/hashicorp/vault/sdk/logical"
+)
+
+// withFieldValidator wraps an OperationFunc and validates the user-supplied
+// fields match the schema.
+func withFieldValidator(f framework.OperationFunc) framework.OperationFunc {
+	return func(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
+		if err := validateFields(req, d); err != nil {
+			return nil, logical.CodedError(400, err.Error())
+		}
+		return f(ctx, req, d)
+	}
+}
+
+// validateFields verifies that no bad arguments were given to the request.
+func validateFields(req *logical.Request, data *framework.FieldData) error {
+	var unknownFields []string
+	for k := range req.Data {
+		if _, ok := data.Schema[k]; !ok {
+			unknownFields = append(unknownFields, k)
+		}
+	}
+
+	switch len(unknownFields) {
+	case 0:
+		return nil
+	case 1:
+		return fmt.Errorf("unknown field: %s", unknownFields[0])
+	default:
+		sort.Strings(unknownFields)
+		return fmt.Errorf("unknown fields: %s", strings.Join(unknownFields, ","))
+	}
+}
+
+// errMissingFields is a helper to return an error when required fields are
+// missing.
+func errMissingFields(f ...string) error {
+	return logical.CodedError(400, fmt.Sprintf(
+		"missing required field(s): %q", f))
+}
+
+// https://stackoverflow.com/questions/28125963/golang-parse-time-duration
+var durationRegex = regexp.MustCompile(`P([\d\.]+Y)?([\d\.]+M)?([\d\.]+D)?T?([\d\.]+H)?([\d\.]+M)?([\d\.]+?S)?`)
+
+// ParseDuration converts a ISO8601 duration into a time.Duration
+func parseDuration(str string) (time.Duration, error) {
+	matches := durationRegex.FindStringSubmatch(str)
+	if len(matches) == 0 {
+		return 0, errors.New("Invalid duration, must be ISO8601 format")
+	}
+	years := parseDurationPart(matches[1], time.Hour*24*365)
+	months := parseDurationPart(matches[2], time.Hour*24*30)
+	days := parseDurationPart(matches[3], time.Hour*24)
+	hours := parseDurationPart(matches[4], time.Hour)
+	minutes := parseDurationPart(matches[5], time.Second*60)
+	seconds := parseDurationPart(matches[6], time.Second)
+
+	return time.Duration(years + months + days + hours + minutes + seconds), nil
+}
+
+func parseDurationPart(value string, unit time.Duration) time.Duration {
+	if len(value) != 0 {
+		if parsed, err := strconv.ParseFloat(value[:len(value)-1], 64); err == nil {
+			return time.Duration(float64(unit) * parsed)
+		}
+	}
+	return 0
+}
+
+func contains(s []string, e string) bool {
+	for _, a := range s {
+		if a == e {
+			return true
+		}
+	}
+	return false
+}
diff --git a/lib/cloud.google.com/go/LICENSE b/lib/cloud.google.com/go/LICENSE
new file mode 100644
index 0000000..7212fdb
--- /dev/null
+++ b/lib/cloud.google.com/go/LICENSE
@@ -0,0 +1,202 @@
+
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright 2029 Google LLC
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
diff --git a/lib/cloud.google.com/go/security/privateca/apiv1alpha1/certificate_authority_client.go b/lib/cloud.google.com/go/security/privateca/apiv1alpha1/certificate_authority_client.go
new file mode 100644
index 0000000..6b516dc
--- /dev/null
+++ b/lib/cloud.google.com/go/security/privateca/apiv1alpha1/certificate_authority_client.go
@@ -0,0 +1,2200 @@
+// Copyright 2020 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     https://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// Code generated by protoc-gen-go_gapic. DO NOT EDIT.
+
+package privateca
+
+import (
+	"context"
+	"fmt"
+	"math"
+	"net/url"
+	"time"
+
+	"cloud.google.com/go/longrunning"
+	lroauto "cloud.google.com/go/longrunning/autogen"
+	"github.com/golang/protobuf/proto"
+	gax "github.com/googleapis/gax-go/v2"
+	"google.golang.org/api/iterator"
+	"google.golang.org/api/option"
+	gtransport "google.golang.org/api/transport/grpc"
+	privatecapb "google.golang.org/genproto/googleapis/cloud/security/privateca/v1alpha1"
+	longrunningpb "google.golang.org/genproto/googleapis/longrunning"
+	"google.golang.org/grpc"
+	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/metadata"
+)
+
+var newCertificateAuthorityClientHook clientHook
+
+// CertificateAuthorityCallOptions contains the retry settings for each method of CertificateAuthorityClient.
+type CertificateAuthorityCallOptions struct {
+	ListCertificateAuthorities         []gax.CallOption
+	ListCertificateRevocationLists     []gax.CallOption
+	ListCertificates                   []gax.CallOption
+	ListReusableConfigs                []gax.CallOption
+	GetCertificateAuthority            []gax.CallOption
+	GetCertificateRevocationList       []gax.CallOption
+	GetCertificate                     []gax.CallOption
+	GetReusableConfig                  []gax.CallOption
+	CreateCertificateAuthority         []gax.CallOption
+	CreateCertificateRevocationList    []gax.CallOption
+	CreateCertificate                  []gax.CallOption
+	CreateReusableConfig               []gax.CallOption
+	UpdateCertificateAuthority         []gax.CallOption
+	UpdateCertificateRevocationList    []gax.CallOption
+	UpdateCertificate                  []gax.CallOption
+	UpdateReusableConfig               []gax.CallOption
+	DeleteCertificateAuthority         []gax.CallOption
+	GetCertificateAuthorityCsr         []gax.CallOption
+	ActivateCertificateAuthority       []gax.CallOption
+	DisableCertificateAuthority        []gax.CallOption
+	EnableCertificateAuthority         []gax.CallOption
+	ScheduleDeleteCertificateAuthority []gax.CallOption
+	RestoreCertificateAuthority        []gax.CallOption
+	RevokeCertificate                  []gax.CallOption
+	PublishCertificateRevocationList   []gax.CallOption
+}
+
+func defaultCertificateAuthorityClientOptions() []option.ClientOption {
+	return []option.ClientOption{
+		option.WithEndpoint("privateca.googleapis.com:443"),
+		option.WithGRPCDialOption(grpc.WithDisableServiceConfig()),
+		option.WithScopes(DefaultAuthScopes()...),
+		option.WithGRPCDialOption(grpc.WithDefaultCallOptions(
+			grpc.MaxCallRecvMsgSize(math.MaxInt32))),
+	}
+}
+
+func defaultCertificateAuthorityCallOptions() *CertificateAuthorityCallOptions {
+	return &CertificateAuthorityCallOptions{
+		ListCertificateAuthorities: []gax.CallOption{
+			gax.WithRetry(func() gax.Retryer {
+				return gax.OnCodes([]codes.Code{
+					codes.Unknown,
+					codes.Unavailable,
+					codes.DeadlineExceeded,
+				}, gax.Backoff{
+					Initial:    100 * time.Millisecond,
+					Max:        60000 * time.Millisecond,
+					Multiplier: 1.30,
+				})
+			}),
+		},
+		ListCertificateRevocationLists: []gax.CallOption{
+			gax.WithRetry(func() gax.Retryer {
+				return gax.OnCodes([]codes.Code{
+					codes.Unknown,
+					codes.Unavailable,
+					codes.DeadlineExceeded,
+				}, gax.Backoff{
+					Initial:    100 * time.Millisecond,
+					Max:        60000 * time.Millisecond,
+					Multiplier: 1.30,
+				})
+			}),
+		},
+		ListCertificates: []gax.CallOption{
+			gax.WithRetry(func() gax.Retryer {
+				return gax.OnCodes([]codes.Code{
+					codes.Unknown,
+					codes.Unavailable,
+					codes.DeadlineExceeded,
+				}, gax.Backoff{
+					Initial:    100 * time.Millisecond,
+					Max:        60000 * time.Millisecond,
+					Multiplier: 1.30,
+				})
+			}),
+		},
+		ListReusableConfigs: []gax.CallOption{
+			gax.WithRetry(func() gax.Retryer {
+				return gax.OnCodes([]codes.Code{
+					codes.Unknown,
+					codes.Unavailable,
+					codes.DeadlineExceeded,
+				}, gax.Backoff{
+					Initial:    100 * time.Millisecond,
+					Max:        60000 * time.Millisecond,
+					Multiplier: 1.30,
+				})
+			}),
+		},
+		GetCertificateAuthority: []gax.CallOption{
+			gax.WithRetry(func() gax.Retryer {
+				return gax.OnCodes([]codes.Code{
+					codes.Unknown,
+					codes.Unavailable,
+					codes.DeadlineExceeded,
+				}, gax.Backoff{
+					Initial:    100 * time.Millisecond,
+					Max:        60000 * time.Millisecond,
+					Multiplier: 1.30,
+				})
+			}),
+		},
+		GetCertificateRevocationList: []gax.CallOption{
+			gax.WithRetry(func() gax.Retryer {
+				return gax.OnCodes([]codes.Code{
+					codes.Unknown,
+					codes.Unavailable,
+					codes.DeadlineExceeded,
+				}, gax.Backoff{
+					Initial:    100 * time.Millisecond,
+					Max:        60000 * time.Millisecond,
+					Multiplier: 1.30,
+				})
+			}),
+		},
+		GetCertificate: []gax.CallOption{
+			gax.WithRetry(func() gax.Retryer {
+				return gax.OnCodes([]codes.Code{
+					codes.Unknown,
+					codes.Unavailable,
+					codes.DeadlineExceeded,
+				}, gax.Backoff{
+					Initial:    100 * time.Millisecond,
+					Max:        60000 * time.Millisecond,
+					Multiplier: 1.30,
+				})
+			}),
+		},
+		GetReusableConfig: []gax.CallOption{
+			gax.WithRetry(func() gax.Retryer {
+				return gax.OnCodes([]codes.Code{
+					codes.Unknown,
+					codes.Unavailable,
+					codes.DeadlineExceeded,
+				}, gax.Backoff{
+					Initial:    100 * time.Millisecond,
+					Max:        60000 * time.Millisecond,
+					Multiplier: 1.30,
+				})
+			}),
+		},
+		CreateCertificateAuthority: []gax.CallOption{
+			gax.WithRetry(func() gax.Retryer {
+				return gax.OnCodes([]codes.Code{
+					codes.Unknown,
+					codes.Unavailable,
+					codes.DeadlineExceeded,
+				}, gax.Backoff{
+					Initial:    100 * time.Millisecond,
+					Max:        60000 * time.Millisecond,
+					Multiplier: 1.30,
+				})
+			}),
+		},
+		CreateCertificateRevocationList: []gax.CallOption{
+			gax.WithRetry(func() gax.Retryer {
+				return gax.OnCodes([]codes.Code{
+					codes.Unknown,
+					codes.Unavailable,
+					codes.DeadlineExceeded,
+				}, gax.Backoff{
+					Initial:    100 * time.Millisecond,
+					Max:        60000 * time.Millisecond,
+					Multiplier: 1.30,
+				})
+			}),
+		},
+		CreateCertificate: []gax.CallOption{
+			gax.WithRetry(func() gax.Retryer {
+				return gax.OnCodes([]codes.Code{
+					codes.Unknown,
+					codes.Unavailable,
+					codes.DeadlineExceeded,
+				}, gax.Backoff{
+					Initial:    100 * time.Millisecond,
+					Max:        60000 * time.Millisecond,
+					Multiplier: 1.30,
+				})
+			}),
+		},
+		CreateReusableConfig: []gax.CallOption{
+			gax.WithRetry(func() gax.Retryer {
+				return gax.OnCodes([]codes.Code{
+					codes.Unknown,
+					codes.Unavailable,
+					codes.DeadlineExceeded,
+				}, gax.Backoff{
+					Initial:    100 * time.Millisecond,
+					Max:        60000 * time.Millisecond,
+					Multiplier: 1.30,
+				})
+			}),
+		},
+		UpdateCertificateAuthority: []gax.CallOption{
+			gax.WithRetry(func() gax.Retryer {
+				return gax.OnCodes([]codes.Code{
+					codes.Unknown,
+					codes.Unavailable,
+					codes.DeadlineExceeded,
+				}, gax.Backoff{
+					Initial:    100 * time.Millisecond,
+					Max:        60000 * time.Millisecond,
+					Multiplier: 1.30,
+				})
+			}),
+		},
+		UpdateCertificateRevocationList: []gax.CallOption{
+			gax.WithRetry(func() gax.Retryer {
+				return gax.OnCodes([]codes.Code{
+					codes.Unknown,
+					codes.Unavailable,
+					codes.DeadlineExceeded,
+				}, gax.Backoff{
+					Initial:    100 * time.Millisecond,
+					Max:        60000 * time.Millisecond,
+					Multiplier: 1.30,
+				})
+			}),
+		},
+		UpdateCertificate: []gax.CallOption{
+			gax.WithRetry(func() gax.Retryer {
+				return gax.OnCodes([]codes.Code{
+					codes.Unknown,
+					codes.Unavailable,
+					codes.DeadlineExceeded,
+				}, gax.Backoff{
+					Initial:    100 * time.Millisecond,
+					Max:        60000 * time.Millisecond,
+					Multiplier: 1.30,
+				})
+			}),
+		},
+		UpdateReusableConfig: []gax.CallOption{
+			gax.WithRetry(func() gax.Retryer {
+				return gax.OnCodes([]codes.Code{
+					codes.Unknown,
+					codes.Unavailable,
+					codes.DeadlineExceeded,
+				}, gax.Backoff{
+					Initial:    100 * time.Millisecond,
+					Max:        60000 * time.Millisecond,
+					Multiplier: 1.30,
+				})
+			}),
+		},
+		DeleteCertificateAuthority: []gax.CallOption{
+			gax.WithRetry(func() gax.Retryer {
+				return gax.OnCodes([]codes.Code{
+					codes.Unknown,
+					codes.Unavailable,
+					codes.DeadlineExceeded,
+				}, gax.Backoff{
+					Initial:    100 * time.Millisecond,
+					Max:        60000 * time.Millisecond,
+					Multiplier: 1.30,
+				})
+			}),
+		},
+		GetCertificateAuthorityCsr: []gax.CallOption{
+			gax.WithRetry(func() gax.Retryer {
+				return gax.OnCodes([]codes.Code{
+					codes.Unknown,
+					codes.Unavailable,
+					codes.DeadlineExceeded,
+				}, gax.Backoff{
+					Initial:    100 * time.Millisecond,
+					Max:        60000 * time.Millisecond,
+					Multiplier: 1.30,
+				})
+			}),
+		},
+		ActivateCertificateAuthority: []gax.CallOption{
+			gax.WithRetry(func() gax.Retryer {
+				return gax.OnCodes([]codes.Code{
+					codes.Unknown,
+					codes.Unavailable,
+					codes.DeadlineExceeded,
+				}, gax.Backoff{
+					Initial:    100 * time.Millisecond,
+					Max:        60000 * time.Millisecond,
+					Multiplier: 1.30,
+				})
+			}),
+		},
+		DisableCertificateAuthority:        []gax.CallOption{},
+		EnableCertificateAuthority:         []gax.CallOption{},
+		ScheduleDeleteCertificateAuthority: []gax.CallOption{},
+		RestoreCertificateAuthority:        []gax.CallOption{},
+		RevokeCertificate: []gax.CallOption{
+			gax.WithRetry(func() gax.Retryer {
+				return gax.OnCodes([]codes.Code{
+					codes.Unknown,
+					codes.Unavailable,
+					codes.DeadlineExceeded,
+				}, gax.Backoff{
+					Initial:    100 * time.Millisecond,
+					Max:        60000 * time.Millisecond,
+					Multiplier: 1.30,
+				})
+			}),
+		},
+		PublishCertificateRevocationList: []gax.CallOption{},
+	}
+}
+
+// CertificateAuthorityClient is a client for interacting with Certificate Authority Service API.
+//
+// Methods, except Close, may be called concurrently. However, fields must not be modified concurrently with method calls.
+type CertificateAuthorityClient struct {
+	// Connection pool of gRPC connections to the service.
+	connPool gtransport.ConnPool
+
+	// The gRPC API client.
+	certificateAuthorityClient privatecapb.CertificateAuthorityServiceClient
+
+	// LROClient is used internally to handle longrunning operations.
+	// It is exposed so that its CallOptions can be modified if required.
+	// Users should not Close this client.
+	LROClient *lroauto.OperationsClient
+
+	// The call options for this service.
+	CallOptions *CertificateAuthorityCallOptions
+
+	// The x-goog-* metadata to be sent with each request.
+	xGoogMetadata metadata.MD
+}
+
+// NewCertificateAuthorityClient creates a new certificate authority service client.
+//
+// [Certificate Authority Service][google.cloud.security.privateca.v1alpha1.CertificateAuthorityService] manages private
+// certificate authorities and issued certificates.
+func NewCertificateAuthorityClient(ctx context.Context, opts ...option.ClientOption) (*CertificateAuthorityClient, error) {
+	clientOpts := defaultCertificateAuthorityClientOptions()
+
+	if newCertificateAuthorityClientHook != nil {
+		hookOpts, err := newCertificateAuthorityClientHook(ctx, clientHookParams{})
+		if err != nil {
+			return nil, err
+		}
+		clientOpts = append(clientOpts, hookOpts...)
+	}
+
+	connPool, err := gtransport.DialPool(ctx, append(clientOpts, opts...)...)
+	if err != nil {
+		return nil, err
+	}
+	c := &CertificateAuthorityClient{
+		connPool:    connPool,
+		CallOptions: defaultCertificateAuthorityCallOptions(),
+
+		certificateAuthorityClient: privatecapb.NewCertificateAuthorityServiceClient(connPool),
+	}
+	c.setGoogleClientInfo()
+
+	c.LROClient, err = lroauto.NewOperationsClient(ctx, gtransport.WithConnPool(connPool))
+	if err != nil {
+		// This error "should not happen", since we are just reusing old connection pool
+		// and never actually need to dial.
+		// If this does happen, we could leak connp. However, we cannot close conn:
+		// If the user invoked the constructor with option.WithGRPCConn,
+		// we would close a connection that's still in use.
+		// TODO: investigate error conditions.
+		return nil, err
+	}
+	return c, nil
+}
+
+// Connection returns a connection to the API service.
+//
+// Deprecated.
+func (c *CertificateAuthorityClient) Connection() *grpc.ClientConn {
+	return c.connPool.Conn()
+}
+
+// Close closes the connection to the API service. The user should invoke this when
+// the client is no longer required.
+func (c *CertificateAuthorityClient) Close() error {
+	return c.connPool.Close()
+}
+
+// setGoogleClientInfo sets the name and version of the application in
+// the `x-goog-api-client` header passed on each request. Intended for
+// use by Google-written clients.
+func (c *CertificateAuthorityClient) setGoogleClientInfo(keyval ...string) {
+	kv := append([]string{"gl-go", versionGo()}, keyval...)
+	kv = append(kv, "gapic", versionClient, "gax", gax.Version, "grpc", grpc.Version)
+	c.xGoogMetadata = metadata.Pairs("x-goog-api-client", gax.XGoogHeader(kv...))
+}
+
+// ListCertificateAuthorities lists CertificateAuthorities.
+func (c *CertificateAuthorityClient) ListCertificateAuthorities(ctx context.Context, req *privatecapb.ListCertificateAuthoritiesRequest, opts ...gax.CallOption) *CertificateAuthorityIterator {
+	md := metadata.Pairs("x-goog-request-params", fmt.Sprintf("%s=%v", "parent", url.QueryEscape(req.GetParent())))
+	ctx = insertMetadata(ctx, c.xGoogMetadata, md)
+	opts = append(c.CallOptions.ListCertificateAuthorities[0:len(c.CallOptions.ListCertificateAuthorities):len(c.CallOptions.ListCertificateAuthorities)], opts...)
+	it := &CertificateAuthorityIterator{}
+	req = proto.Clone(req).(*privatecapb.ListCertificateAuthoritiesRequest)
+	it.InternalFetch = func(pageSize int, pageToken string) ([]*privatecapb.CertificateAuthority, string, error) {
+		var resp *privatecapb.ListCertificateAuthoritiesResponse
+		req.PageToken = pageToken
+		if pageSize > math.MaxInt32 {
+			req.PageSize = math.MaxInt32
+		} else {
+			req.PageSize = int32(pageSize)
+		}
+		err := gax.Invoke(ctx, func(ctx context.Context, settings gax.CallSettings) error {
+			var err error
+			resp, err = c.certificateAuthorityClient.ListCertificateAuthorities(ctx, req, settings.GRPC...)
+			return err
+		}, opts...)
+		if err != nil {
+			return nil, "", err
+		}
+
+		it.Response = resp
+		return resp.CertificateAuthorities, resp.NextPageToken, nil
+	}
+	fetch := func(pageSize int, pageToken string) (string, error) {
+		items, nextPageToken, err := it.InternalFetch(pageSize, pageToken)
+		if err != nil {
+			return "", err
+		}
+		it.items = append(it.items, items...)
+		return nextPageToken, nil
+	}
+	it.pageInfo, it.nextFunc = iterator.NewPageInfo(fetch, it.bufLen, it.takeBuf)
+	it.pageInfo.MaxSize = int(req.PageSize)
+	it.pageInfo.Token = req.PageToken
+	return it
+}
+
+// ListCertificateRevocationLists lists CertificateRevocationLists.
+func (c *CertificateAuthorityClient) ListCertificateRevocationLists(ctx context.Context, req *privatecapb.ListCertificateRevocationListsRequest, opts ...gax.CallOption) *CertificateRevocationListIterator {
+	md := metadata.Pairs("x-goog-request-params", fmt.Sprintf("%s=%v", "parent", url.QueryEscape(req.GetParent())))
+	ctx = insertMetadata(ctx, c.xGoogMetadata, md)
+	opts = append(c.CallOptions.ListCertificateRevocationLists[0:len(c.CallOptions.ListCertificateRevocationLists):len(c.CallOptions.ListCertificateRevocationLists)], opts...)
+	it := &CertificateRevocationListIterator{}
+	req = proto.Clone(req).(*privatecapb.ListCertificateRevocationListsRequest)
+	it.InternalFetch = func(pageSize int, pageToken string) ([]*privatecapb.CertificateRevocationList, string, error) {
+		var resp *privatecapb.ListCertificateRevocationListsResponse
+		req.PageToken = pageToken
+		if pageSize > math.MaxInt32 {
+			req.PageSize = math.MaxInt32
+		} else {
+			req.PageSize = int32(pageSize)
+		}
+		err := gax.Invoke(ctx, func(ctx context.Context, settings gax.CallSettings) error {
+			var err error
+			resp, err = c.certificateAuthorityClient.ListCertificateRevocationLists(ctx, req, settings.GRPC...)
+			return err
+		}, opts...)
+		if err != nil {
+			return nil, "", err
+		}
+
+		it.Response = resp
+		return resp.CertificateRevocationLists, resp.NextPageToken, nil
+	}
+	fetch := func(pageSize int, pageToken string) (string, error) {
+		items, nextPageToken, err := it.InternalFetch(pageSize, pageToken)
+		if err != nil {
+			return "", err
+		}
+		it.items = append(it.items, items...)
+		return nextPageToken, nil
+	}
+	it.pageInfo, it.nextFunc = iterator.NewPageInfo(fetch, it.bufLen, it.takeBuf)
+	it.pageInfo.MaxSize = int(req.PageSize)
+	it.pageInfo.Token = req.PageToken
+	return it
+}
+
+// ListCertificates lists Certificates.
+func (c *CertificateAuthorityClient) ListCertificates(ctx context.Context, req *privatecapb.ListCertificatesRequest, opts ...gax.CallOption) *CertificateIterator {
+	md := metadata.Pairs("x-goog-request-params", fmt.Sprintf("%s=%v", "parent", url.QueryEscape(req.GetParent())))
+	ctx = insertMetadata(ctx, c.xGoogMetadata, md)
+	opts = append(c.CallOptions.ListCertificates[0:len(c.CallOptions.ListCertificates):len(c.CallOptions.ListCertificates)], opts...)
+	it := &CertificateIterator{}
+	req = proto.Clone(req).(*privatecapb.ListCertificatesRequest)
+	it.InternalFetch = func(pageSize int, pageToken string) ([]*privatecapb.Certificate, string, error) {
+		var resp *privatecapb.ListCertificatesResponse
+		req.PageToken = pageToken
+		if pageSize > math.MaxInt32 {
+			req.PageSize = math.MaxInt32
+		} else {
+			req.PageSize = int32(pageSize)
+		}
+		err := gax.Invoke(ctx, func(ctx context.Context, settings gax.CallSettings) error {
+			var err error
+			resp, err = c.certificateAuthorityClient.ListCertificates(ctx, req, settings.GRPC...)
+			return err
+		}, opts...)
+		if err != nil {
+			return nil, "", err
+		}
+
+		it.Response = resp
+		return resp.Certificates, resp.NextPageToken, nil
+	}
+	fetch := func(pageSize int, pageToken string) (string, error) {
+		items, nextPageToken, err := it.InternalFetch(pageSize, pageToken)
+		if err != nil {
+			return "", err
+		}
+		it.items = append(it.items, items...)
+		return nextPageToken, nil
+	}
+	it.pageInfo, it.nextFunc = iterator.NewPageInfo(fetch, it.bufLen, it.takeBuf)
+	it.pageInfo.MaxSize = int(req.PageSize)
+	it.pageInfo.Token = req.PageToken
+	return it
+}
+
+// ListReusableConfigs lists ReusableConfigs.
+func (c *CertificateAuthorityClient) ListReusableConfigs(ctx context.Context, req *privatecapb.ListReusableConfigsRequest, opts ...gax.CallOption) *ReusableConfigIterator {
+	md := metadata.Pairs("x-goog-request-params", fmt.Sprintf("%s=%v", "parent", url.QueryEscape(req.GetParent())))
+	ctx = insertMetadata(ctx, c.xGoogMetadata, md)
+	opts = append(c.CallOptions.ListReusableConfigs[0:len(c.CallOptions.ListReusableConfigs):len(c.CallOptions.ListReusableConfigs)], opts...)
+	it := &ReusableConfigIterator{}
+	req = proto.Clone(req).(*privatecapb.ListReusableConfigsRequest)
+	it.InternalFetch = func(pageSize int, pageToken string) ([]*privatecapb.ReusableConfig, string, error) {
+		var resp *privatecapb.ListReusableConfigsResponse
+		req.PageToken = pageToken
+		if pageSize > math.MaxInt32 {
+			req.PageSize = math.MaxInt32
+		} else {
+			req.PageSize = int32(pageSize)
+		}
+		err := gax.Invoke(ctx, func(ctx context.Context, settings gax.CallSettings) error {
+			var err error
+			resp, err = c.certificateAuthorityClient.ListReusableConfigs(ctx, req, settings.GRPC...)
+			return err
+		}, opts...)
+		if err != nil {
+			return nil, "", err
+		}
+
+		it.Response = resp
+		return resp.ReusableConfigs, resp.NextPageToken, nil
+	}
+	fetch := func(pageSize int, pageToken string) (string, error) {
+		items, nextPageToken, err := it.InternalFetch(pageSize, pageToken)
+		if err != nil {
+			return "", err
+		}
+		it.items = append(it.items, items...)
+		return nextPageToken, nil
+	}
+	it.pageInfo, it.nextFunc = iterator.NewPageInfo(fetch, it.bufLen, it.takeBuf)
+	it.pageInfo.MaxSize = int(req.PageSize)
+	it.pageInfo.Token = req.PageToken
+	return it
+}
+
+// GetCertificateAuthority returns a CertificateAuthority.
+func (c *CertificateAuthorityClient) GetCertificateAuthority(ctx context.Context, req *privatecapb.GetCertificateAuthorityRequest, opts ...gax.CallOption) (*privatecapb.CertificateAuthority, error) {
+	md := metadata.Pairs("x-goog-request-params", fmt.Sprintf("%s=%v", "name", url.QueryEscape(req.GetName())))
+	ctx = insertMetadata(ctx, c.xGoogMetadata, md)
+	opts = append(c.CallOptions.GetCertificateAuthority[0:len(c.CallOptions.GetCertificateAuthority):len(c.CallOptions.GetCertificateAuthority)], opts...)
+	var resp *privatecapb.CertificateAuthority
+	err := gax.Invoke(ctx, func(ctx context.Context, settings gax.CallSettings) error {
+		var err error
+		resp, err = c.certificateAuthorityClient.GetCertificateAuthority(ctx, req, settings.GRPC...)
+		return err
+	}, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return resp, nil
+}
+
+// GetCertificateRevocationList returns a CertificateRevocationList.
+func (c *CertificateAuthorityClient) GetCertificateRevocationList(ctx context.Context, req *privatecapb.GetCertificateRevocationListRequest, opts ...gax.CallOption) (*privatecapb.CertificateRevocationList, error) {
+	md := metadata.Pairs("x-goog-request-params", fmt.Sprintf("%s=%v", "name", url.QueryEscape(req.GetName())))
+	ctx = insertMetadata(ctx, c.xGoogMetadata, md)
+	opts = append(c.CallOptions.GetCertificateRevocationList[0:len(c.CallOptions.GetCertificateRevocationList):len(c.CallOptions.GetCertificateRevocationList)], opts...)
+	var resp *privatecapb.CertificateRevocationList
+	err := gax.Invoke(ctx, func(ctx context.Context, settings gax.CallSettings) error {
+		var err error
+		resp, err = c.certificateAuthorityClient.GetCertificateRevocationList(ctx, req, settings.GRPC...)
+		return err
+	}, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return resp, nil
+}
+
+// GetCertificate returns a Certificate.
+func (c *CertificateAuthorityClient) GetCertificate(ctx context.Context, req *privatecapb.GetCertificateRequest, opts ...gax.CallOption) (*privatecapb.Certificate, error) {
+	md := metadata.Pairs("x-goog-request-params", fmt.Sprintf("%s=%v", "name", url.QueryEscape(req.GetName())))
+	ctx = insertMetadata(ctx, c.xGoogMetadata, md)
+	opts = append(c.CallOptions.GetCertificate[0:len(c.CallOptions.GetCertificate):len(c.CallOptions.GetCertificate)], opts...)
+	var resp *privatecapb.Certificate
+	err := gax.Invoke(ctx, func(ctx context.Context, settings gax.CallSettings) error {
+		var err error
+		resp, err = c.certificateAuthorityClient.GetCertificate(ctx, req, settings.GRPC...)
+		return err
+	}, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return resp, nil
+}
+
+// GetReusableConfig returns a ReusableConfig.
+func (c *CertificateAuthorityClient) GetReusableConfig(ctx context.Context, req *privatecapb.GetReusableConfigRequest, opts ...gax.CallOption) (*privatecapb.ReusableConfig, error) {
+	md := metadata.Pairs("x-goog-request-params", fmt.Sprintf("%s=%v", "name", url.QueryEscape(req.GetName())))
+	ctx = insertMetadata(ctx, c.xGoogMetadata, md)
+	opts = append(c.CallOptions.GetReusableConfig[0:len(c.CallOptions.GetReusableConfig):len(c.CallOptions.GetReusableConfig)], opts...)
+	var resp *privatecapb.ReusableConfig
+	err := gax.Invoke(ctx, func(ctx context.Context, settings gax.CallSettings) error {
+		var err error
+		resp, err = c.certificateAuthorityClient.GetReusableConfig(ctx, req, settings.GRPC...)
+		return err
+	}, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return resp, nil
+}
+
+// CreateCertificateAuthority create a new CertificateAuthority in a given Project and Location.
+func (c *CertificateAuthorityClient) CreateCertificateAuthority(ctx context.Context, req *privatecapb.CreateCertificateAuthorityRequest, opts ...gax.CallOption) (*CreateCertificateAuthorityOperation, error) {
+	md := metadata.Pairs("x-goog-request-params", fmt.Sprintf("%s=%v", "parent", url.QueryEscape(req.GetParent())))
+	ctx = insertMetadata(ctx, c.xGoogMetadata, md)
+	opts = append(c.CallOptions.CreateCertificateAuthority[0:len(c.CallOptions.CreateCertificateAuthority):len(c.CallOptions.CreateCertificateAuthority)], opts...)
+	var resp *longrunningpb.Operation
+	err := gax.Invoke(ctx, func(ctx context.Context, settings gax.CallSettings) error {
+		var err error
+		resp, err = c.certificateAuthorityClient.CreateCertificateAuthority(ctx, req, settings.GRPC...)
+		return err
+	}, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return &CreateCertificateAuthorityOperation{
+		lro: longrunning.InternalNewOperation(c.LROClient, resp),
+	}, nil
+}
+
+// CreateCertificateRevocationList create a new CertificateRevocationList in a given Project, Location
+// for a particular CertificateAuthority.
+func (c *CertificateAuthorityClient) CreateCertificateRevocationList(ctx context.Context, req *privatecapb.CreateCertificateRevocationListRequest, opts ...gax.CallOption) (*CreateCertificateRevocationListOperation, error) {
+	md := metadata.Pairs("x-goog-request-params", fmt.Sprintf("%s=%v", "parent", url.QueryEscape(req.GetParent())))
+	ctx = insertMetadata(ctx, c.xGoogMetadata, md)
+	opts = append(c.CallOptions.CreateCertificateRevocationList[0:len(c.CallOptions.CreateCertificateRevocationList):len(c.CallOptions.CreateCertificateRevocationList)], opts...)
+	var resp *longrunningpb.Operation
+	err := gax.Invoke(ctx, func(ctx context.Context, settings gax.CallSettings) error {
+		var err error
+		resp, err = c.certificateAuthorityClient.CreateCertificateRevocationList(ctx, req, settings.GRPC...)
+		return err
+	}, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return &CreateCertificateRevocationListOperation{
+		lro: longrunning.InternalNewOperation(c.LROClient, resp),
+	}, nil
+}
+
+// CreateCertificate create a new Certificate in a given Project, Location from a particular
+// CertificateAuthority.
+func (c *CertificateAuthorityClient) CreateCertificate(ctx context.Context, req *privatecapb.CreateCertificateRequest, opts ...gax.CallOption) (*CreateCertificateOperation, error) {
+	md := metadata.Pairs("x-goog-request-params", fmt.Sprintf("%s=%v", "parent", url.QueryEscape(req.GetParent())))
+	ctx = insertMetadata(ctx, c.xGoogMetadata, md)
+	opts = append(c.CallOptions.CreateCertificate[0:len(c.CallOptions.CreateCertificate):len(c.CallOptions.CreateCertificate)], opts...)
+	var resp *longrunningpb.Operation
+	err := gax.Invoke(ctx, func(ctx context.Context, settings gax.CallSettings) error {
+		var err error
+		resp, err = c.certificateAuthorityClient.CreateCertificate(ctx, req, settings.GRPC...)
+		return err
+	}, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return &CreateCertificateOperation{
+		lro: longrunning.InternalNewOperation(c.LROClient, resp),
+	}, nil
+}
+
+// CreateReusableConfig create a new ReusableConfig in a given Project and Location.
+func (c *CertificateAuthorityClient) CreateReusableConfig(ctx context.Context, req *privatecapb.CreateReusableConfigRequest, opts ...gax.CallOption) (*CreateReusableConfigOperation, error) {
+	md := metadata.Pairs("x-goog-request-params", fmt.Sprintf("%s=%v", "parent", url.QueryEscape(req.GetParent())))
+	ctx = insertMetadata(ctx, c.xGoogMetadata, md)
+	opts = append(c.CallOptions.CreateReusableConfig[0:len(c.CallOptions.CreateReusableConfig):len(c.CallOptions.CreateReusableConfig)], opts...)
+	var resp *longrunningpb.Operation
+	err := gax.Invoke(ctx, func(ctx context.Context, settings gax.CallSettings) error {
+		var err error
+		resp, err = c.certificateAuthorityClient.CreateReusableConfig(ctx, req, settings.GRPC...)
+		return err
+	}, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return &CreateReusableConfigOperation{
+		lro: longrunning.InternalNewOperation(c.LROClient, resp),
+	}, nil
+}
+
+// UpdateCertificateAuthority update a CertificateAuthority.
+func (c *CertificateAuthorityClient) UpdateCertificateAuthority(ctx context.Context, req *privatecapb.UpdateCertificateAuthorityRequest, opts ...gax.CallOption) (*UpdateCertificateAuthorityOperation, error) {
+	md := metadata.Pairs("x-goog-request-params", fmt.Sprintf("%s=%v", "certificate_authority.name", url.QueryEscape(req.GetCertificateAuthority().GetName())))
+	ctx = insertMetadata(ctx, c.xGoogMetadata, md)
+	opts = append(c.CallOptions.UpdateCertificateAuthority[0:len(c.CallOptions.UpdateCertificateAuthority):len(c.CallOptions.UpdateCertificateAuthority)], opts...)
+	var resp *longrunningpb.Operation
+	err := gax.Invoke(ctx, func(ctx context.Context, settings gax.CallSettings) error {
+		var err error
+		resp, err = c.certificateAuthorityClient.UpdateCertificateAuthority(ctx, req, settings.GRPC...)
+		return err
+	}, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return &UpdateCertificateAuthorityOperation{
+		lro: longrunning.InternalNewOperation(c.LROClient, resp),
+	}, nil
+}
+
+// UpdateCertificateRevocationList update a CertificateRevocationList.
+func (c *CertificateAuthorityClient) UpdateCertificateRevocationList(ctx context.Context, req *privatecapb.UpdateCertificateRevocationListRequest, opts ...gax.CallOption) (*UpdateCertificateRevocationListOperation, error) {
+	md := metadata.Pairs("x-goog-request-params", fmt.Sprintf("%s=%v", "certificate_revocation_list.name", url.QueryEscape(req.GetCertificateRevocationList().GetName())))
+	ctx = insertMetadata(ctx, c.xGoogMetadata, md)
+	opts = append(c.CallOptions.UpdateCertificateRevocationList[0:len(c.CallOptions.UpdateCertificateRevocationList):len(c.CallOptions.UpdateCertificateRevocationList)], opts...)
+	var resp *longrunningpb.Operation
+	err := gax.Invoke(ctx, func(ctx context.Context, settings gax.CallSettings) error {
+		var err error
+		resp, err = c.certificateAuthorityClient.UpdateCertificateRevocationList(ctx, req, settings.GRPC...)
+		return err
+	}, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return &UpdateCertificateRevocationListOperation{
+		lro: longrunning.InternalNewOperation(c.LROClient, resp),
+	}, nil
+}
+
+// UpdateCertificate update a Certificate.
+func (c *CertificateAuthorityClient) UpdateCertificate(ctx context.Context, req *privatecapb.UpdateCertificateRequest, opts ...gax.CallOption) (*UpdateCertificateOperation, error) {
+	md := metadata.Pairs("x-goog-request-params", fmt.Sprintf("%s=%v", "certificate.name", url.QueryEscape(req.GetCertificate().GetName())))
+	ctx = insertMetadata(ctx, c.xGoogMetadata, md)
+	opts = append(c.CallOptions.UpdateCertificate[0:len(c.CallOptions.UpdateCertificate):len(c.CallOptions.UpdateCertificate)], opts...)
+	var resp *longrunningpb.Operation
+	err := gax.Invoke(ctx, func(ctx context.Context, settings gax.CallSettings) error {
+		var err error
+		resp, err = c.certificateAuthorityClient.UpdateCertificate(ctx, req, settings.GRPC...)
+		return err
+	}, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return &UpdateCertificateOperation{
+		lro: longrunning.InternalNewOperation(c.LROClient, resp),
+	}, nil
+}
+
+// UpdateReusableConfig update a ReusableConfig.
+func (c *CertificateAuthorityClient) UpdateReusableConfig(ctx context.Context, req *privatecapb.UpdateReusableConfigRequest, opts ...gax.CallOption) (*UpdateReusableConfigOperation, error) {
+	md := metadata.Pairs("x-goog-request-params", fmt.Sprintf("%s=%v", "reusable_config.name", url.QueryEscape(req.GetReusableConfig().GetName())))
+	ctx = insertMetadata(ctx, c.xGoogMetadata, md)
+	opts = append(c.CallOptions.UpdateReusableConfig[0:len(c.CallOptions.UpdateReusableConfig):len(c.CallOptions.UpdateReusableConfig)], opts...)
+	var resp *longrunningpb.Operation
+	err := gax.Invoke(ctx, func(ctx context.Context, settings gax.CallSettings) error {
+		var err error
+		resp, err = c.certificateAuthorityClient.UpdateReusableConfig(ctx, req, settings.GRPC...)
+		return err
+	}, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return &UpdateReusableConfigOperation{
+		lro: longrunning.InternalNewOperation(c.LROClient, resp),
+	}, nil
+}
+
+// DeleteCertificateAuthority deletes a specific CertificateAuthority. Once deleted, the
+// CertificateAuthority will no longer issue Certificates
+// and CertificateRevocationLists.
+func (c *CertificateAuthorityClient) DeleteCertificateAuthority(ctx context.Context, req *privatecapb.DeleteCertificateAuthorityRequest, opts ...gax.CallOption) (*DeleteCertificateAuthorityOperation, error) {
+	md := metadata.Pairs("x-goog-request-params", fmt.Sprintf("%s=%v", "name", url.QueryEscape(req.GetName())))
+	ctx = insertMetadata(ctx, c.xGoogMetadata, md)
+	opts = append(c.CallOptions.DeleteCertificateAuthority[0:len(c.CallOptions.DeleteCertificateAuthority):len(c.CallOptions.DeleteCertificateAuthority)], opts...)
+	var resp *longrunningpb.Operation
+	err := gax.Invoke(ctx, func(ctx context.Context, settings gax.CallSettings) error {
+		var err error
+		resp, err = c.certificateAuthorityClient.DeleteCertificateAuthority(ctx, req, settings.GRPC...)
+		return err
+	}, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return &DeleteCertificateAuthorityOperation{
+		lro: longrunning.InternalNewOperation(c.LROClient, resp),
+	}, nil
+}
+
+// GetCertificateAuthorityCsr get the CSR for a pending CertificateAuthority.
+func (c *CertificateAuthorityClient) GetCertificateAuthorityCsr(ctx context.Context, req *privatecapb.GetCertificateAuthorityCsrRequest, opts ...gax.CallOption) (*privatecapb.GetCertificateAuthorityCsrResponse, error) {
+	md := metadata.Pairs("x-goog-request-params", fmt.Sprintf("%s=%v", "name", url.QueryEscape(req.GetName())))
+	ctx = insertMetadata(ctx, c.xGoogMetadata, md)
+	opts = append(c.CallOptions.GetCertificateAuthorityCsr[0:len(c.CallOptions.GetCertificateAuthorityCsr):len(c.CallOptions.GetCertificateAuthorityCsr)], opts...)
+	var resp *privatecapb.GetCertificateAuthorityCsrResponse
+	err := gax.Invoke(ctx, func(ctx context.Context, settings gax.CallSettings) error {
+		var err error
+		resp, err = c.certificateAuthorityClient.GetCertificateAuthorityCsr(ctx, req, settings.GRPC...)
+		return err
+	}, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return resp, nil
+}
+
+// ActivateCertificateAuthority activate a pending CertificateAuthority.
+func (c *CertificateAuthorityClient) ActivateCertificateAuthority(ctx context.Context, req *privatecapb.ActivateCertificateAuthorityRequest, opts ...gax.CallOption) (*ActivateCertificateAuthorityOperation, error) {
+	md := metadata.Pairs("x-goog-request-params", fmt.Sprintf("%s=%v", "name", url.QueryEscape(req.GetName())))
+	ctx = insertMetadata(ctx, c.xGoogMetadata, md)
+	opts = append(c.CallOptions.ActivateCertificateAuthority[0:len(c.CallOptions.ActivateCertificateAuthority):len(c.CallOptions.ActivateCertificateAuthority)], opts...)
+	var resp *longrunningpb.Operation
+	err := gax.Invoke(ctx, func(ctx context.Context, settings gax.CallSettings) error {
+		var err error
+		resp, err = c.certificateAuthorityClient.ActivateCertificateAuthority(ctx, req, settings.GRPC...)
+		return err
+	}, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return &ActivateCertificateAuthorityOperation{
+		lro: longrunning.InternalNewOperation(c.LROClient, resp),
+	}, nil
+}
+
+// DisableCertificateAuthority disable a CertificateAuthority.
+func (c *CertificateAuthorityClient) DisableCertificateAuthority(ctx context.Context, req *privatecapb.DisableCertificateAuthorityRequest, opts ...gax.CallOption) (*DisableCertificateAuthorityOperation, error) {
+	md := metadata.Pairs("x-goog-request-params", fmt.Sprintf("%s=%v", "name", url.QueryEscape(req.GetName())))
+	ctx = insertMetadata(ctx, c.xGoogMetadata, md)
+	opts = append(c.CallOptions.DisableCertificateAuthority[0:len(c.CallOptions.DisableCertificateAuthority):len(c.CallOptions.DisableCertificateAuthority)], opts...)
+	var resp *longrunningpb.Operation
+	err := gax.Invoke(ctx, func(ctx context.Context, settings gax.CallSettings) error {
+		var err error
+		resp, err = c.certificateAuthorityClient.DisableCertificateAuthority(ctx, req, settings.GRPC...)
+		return err
+	}, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return &DisableCertificateAuthorityOperation{
+		lro: longrunning.InternalNewOperation(c.LROClient, resp),
+	}, nil
+}
+
+// EnableCertificateAuthority enable a CertificateAuthority.
+func (c *CertificateAuthorityClient) EnableCertificateAuthority(ctx context.Context, req *privatecapb.EnableCertificateAuthorityRequest, opts ...gax.CallOption) (*EnableCertificateAuthorityOperation, error) {
+	md := metadata.Pairs("x-goog-request-params", fmt.Sprintf("%s=%v", "name", url.QueryEscape(req.GetName())))
+	ctx = insertMetadata(ctx, c.xGoogMetadata, md)
+	opts = append(c.CallOptions.EnableCertificateAuthority[0:len(c.CallOptions.EnableCertificateAuthority):len(c.CallOptions.EnableCertificateAuthority)], opts...)
+	var resp *longrunningpb.Operation
+	err := gax.Invoke(ctx, func(ctx context.Context, settings gax.CallSettings) error {
+		var err error
+		resp, err = c.certificateAuthorityClient.EnableCertificateAuthority(ctx, req, settings.GRPC...)
+		return err
+	}, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return &EnableCertificateAuthorityOperation{
+		lro: longrunning.InternalNewOperation(c.LROClient, resp),
+	}, nil
+}
+
+// ScheduleDeleteCertificateAuthority schedule a CertificateAuthority for deletion.
+func (c *CertificateAuthorityClient) ScheduleDeleteCertificateAuthority(ctx context.Context, req *privatecapb.ScheduleDeleteCertificateAuthorityRequest, opts ...gax.CallOption) (*ScheduleDeleteCertificateAuthorityOperation, error) {
+	md := metadata.Pairs("x-goog-request-params", fmt.Sprintf("%s=%v", "name", url.QueryEscape(req.GetName())))
+	ctx = insertMetadata(ctx, c.xGoogMetadata, md)
+	opts = append(c.CallOptions.ScheduleDeleteCertificateAuthority[0:len(c.CallOptions.ScheduleDeleteCertificateAuthority):len(c.CallOptions.ScheduleDeleteCertificateAuthority)], opts...)
+	var resp *longrunningpb.Operation
+	err := gax.Invoke(ctx, func(ctx context.Context, settings gax.CallSettings) error {
+		var err error
+		resp, err = c.certificateAuthorityClient.ScheduleDeleteCertificateAuthority(ctx, req, settings.GRPC...)
+		return err
+	}, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return &ScheduleDeleteCertificateAuthorityOperation{
+		lro: longrunning.InternalNewOperation(c.LROClient, resp),
+	}, nil
+}
+
+// RestoreCertificateAuthority restore a CertificateAuthority that is scheduled for deletion.
+func (c *CertificateAuthorityClient) RestoreCertificateAuthority(ctx context.Context, req *privatecapb.RestoreCertificateAuthorityRequest, opts ...gax.CallOption) (*RestoreCertificateAuthorityOperation, error) {
+	md := metadata.Pairs("x-goog-request-params", fmt.Sprintf("%s=%v", "name", url.QueryEscape(req.GetName())))
+	ctx = insertMetadata(ctx, c.xGoogMetadata, md)
+	opts = append(c.CallOptions.RestoreCertificateAuthority[0:len(c.CallOptions.RestoreCertificateAuthority):len(c.CallOptions.RestoreCertificateAuthority)], opts...)
+	var resp *longrunningpb.Operation
+	err := gax.Invoke(ctx, func(ctx context.Context, settings gax.CallSettings) error {
+		var err error
+		resp, err = c.certificateAuthorityClient.RestoreCertificateAuthority(ctx, req, settings.GRPC...)
+		return err
+	}, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return &RestoreCertificateAuthorityOperation{
+		lro: longrunning.InternalNewOperation(c.LROClient, resp),
+	}, nil
+}
+
+// RevokeCertificate revoke a Certificate.
+func (c *CertificateAuthorityClient) RevokeCertificate(ctx context.Context, req *privatecapb.RevokeCertificateRequest, opts ...gax.CallOption) (*RevokeCertificateOperation, error) {
+	md := metadata.Pairs("x-goog-request-params", fmt.Sprintf("%s=%v", "name", url.QueryEscape(req.GetName())))
+	ctx = insertMetadata(ctx, c.xGoogMetadata, md)
+	opts = append(c.CallOptions.RevokeCertificate[0:len(c.CallOptions.RevokeCertificate):len(c.CallOptions.RevokeCertificate)], opts...)
+	var resp *longrunningpb.Operation
+	err := gax.Invoke(ctx, func(ctx context.Context, settings gax.CallSettings) error {
+		var err error
+		resp, err = c.certificateAuthorityClient.RevokeCertificate(ctx, req, settings.GRPC...)
+		return err
+	}, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return &RevokeCertificateOperation{
+		lro: longrunning.InternalNewOperation(c.LROClient, resp),
+	}, nil
+}
+
+// PublishCertificateRevocationList publish a CertificateRevocationList.
+func (c *CertificateAuthorityClient) PublishCertificateRevocationList(ctx context.Context, req *privatecapb.PublishCertificateRevocationListRequest, opts ...gax.CallOption) (*privatecapb.PublishCertificateRevocationListResponse, error) {
+	md := metadata.Pairs("x-goog-request-params", fmt.Sprintf("%s=%v", "name", url.QueryEscape(req.GetName())))
+	ctx = insertMetadata(ctx, c.xGoogMetadata, md)
+	opts = append(c.CallOptions.PublishCertificateRevocationList[0:len(c.CallOptions.PublishCertificateRevocationList):len(c.CallOptions.PublishCertificateRevocationList)], opts...)
+	var resp *privatecapb.PublishCertificateRevocationListResponse
+	err := gax.Invoke(ctx, func(ctx context.Context, settings gax.CallSettings) error {
+		var err error
+		resp, err = c.certificateAuthorityClient.PublishCertificateRevocationList(ctx, req, settings.GRPC...)
+		return err
+	}, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return resp, nil
+}
+
+// ActivateCertificateAuthorityOperation manages a long-running operation from ActivateCertificateAuthority.
+type ActivateCertificateAuthorityOperation struct {
+	lro *longrunning.Operation
+}
+
+// ActivateCertificateAuthorityOperation returns a new ActivateCertificateAuthorityOperation from a given name.
+// The name must be that of a previously created ActivateCertificateAuthorityOperation, possibly from a different process.
+func (c *CertificateAuthorityClient) ActivateCertificateAuthorityOperation(name string) *ActivateCertificateAuthorityOperation {
+	return &ActivateCertificateAuthorityOperation{
+		lro: longrunning.InternalNewOperation(c.LROClient, &longrunningpb.Operation{Name: name}),
+	}
+}
+
+// Wait blocks until the long-running operation is completed, returning the response and any errors encountered.
+//
+// See documentation of Poll for error-handling information.
+func (op *ActivateCertificateAuthorityOperation) Wait(ctx context.Context, opts ...gax.CallOption) (*privatecapb.CertificateAuthority, error) {
+	var resp privatecapb.CertificateAuthority
+	if err := op.lro.WaitWithInterval(ctx, &resp, time.Minute, opts...); err != nil {
+		return nil, err
+	}
+	return &resp, nil
+}
+
+// Poll fetches the latest state of the long-running operation.
+//
+// Poll also fetches the latest metadata, which can be retrieved by Metadata.
+//
+// If Poll fails, the error is returned and op is unmodified. If Poll succeeds and
+// the operation has completed with failure, the error is returned and op.Done will return true.
+// If Poll succeeds and the operation has completed successfully,
+// op.Done will return true, and the response of the operation is returned.
+// If Poll succeeds and the operation has not completed, the returned response and error are both nil.
+func (op *ActivateCertificateAuthorityOperation) Poll(ctx context.Context, opts ...gax.CallOption) (*privatecapb.CertificateAuthority, error) {
+	var resp privatecapb.CertificateAuthority
+	if err := op.lro.Poll(ctx, &resp, opts...); err != nil {
+		return nil, err
+	}
+	if !op.Done() {
+		return nil, nil
+	}
+	return &resp, nil
+}
+
+// Metadata returns metadata associated with the long-running operation.
+// Metadata itself does not contact the server, but Poll does.
+// To get the latest metadata, call this method after a successful call to Poll.
+// If the metadata is not available, the returned metadata and error are both nil.
+func (op *ActivateCertificateAuthorityOperation) Metadata() (*privatecapb.OperationMetadata, error) {
+	var meta privatecapb.OperationMetadata
+	if err := op.lro.Metadata(&meta); err == longrunning.ErrNoMetadata {
+		return nil, nil
+	} else if err != nil {
+		return nil, err
+	}
+	return &meta, nil
+}
+
+// Done reports whether the long-running operation has completed.
+func (op *ActivateCertificateAuthorityOperation) Done() bool {
+	return op.lro.Done()
+}
+
+// Name returns the name of the long-running operation.
+// The name is assigned by the server and is unique within the service from which the operation is created.
+func (op *ActivateCertificateAuthorityOperation) Name() string {
+	return op.lro.Name()
+}
+
+// CreateCertificateOperation manages a long-running operation from CreateCertificate.
+type CreateCertificateOperation struct {
+	lro *longrunning.Operation
+}
+
+// CreateCertificateOperation returns a new CreateCertificateOperation from a given name.
+// The name must be that of a previously created CreateCertificateOperation, possibly from a different process.
+func (c *CertificateAuthorityClient) CreateCertificateOperation(name string) *CreateCertificateOperation {
+	return &CreateCertificateOperation{
+		lro: longrunning.InternalNewOperation(c.LROClient, &longrunningpb.Operation{Name: name}),
+	}
+}
+
+// Wait blocks until the long-running operation is completed, returning the response and any errors encountered.
+//
+// See documentation of Poll for error-handling information.
+func (op *CreateCertificateOperation) Wait(ctx context.Context, opts ...gax.CallOption) (*privatecapb.Certificate, error) {
+	var resp privatecapb.Certificate
+	if err := op.lro.WaitWithInterval(ctx, &resp, time.Minute, opts...); err != nil {
+		return nil, err
+	}
+	return &resp, nil
+}
+
+// Poll fetches the latest state of the long-running operation.
+//
+// Poll also fetches the latest metadata, which can be retrieved by Metadata.
+//
+// If Poll fails, the error is returned and op is unmodified. If Poll succeeds and
+// the operation has completed with failure, the error is returned and op.Done will return true.
+// If Poll succeeds and the operation has completed successfully,
+// op.Done will return true, and the response of the operation is returned.
+// If Poll succeeds and the operation has not completed, the returned response and error are both nil.
+func (op *CreateCertificateOperation) Poll(ctx context.Context, opts ...gax.CallOption) (*privatecapb.Certificate, error) {
+	var resp privatecapb.Certificate
+	if err := op.lro.Poll(ctx, &resp, opts...); err != nil {
+		return nil, err
+	}
+	if !op.Done() {
+		return nil, nil
+	}
+	return &resp, nil
+}
+
+// Metadata returns metadata associated with the long-running operation.
+// Metadata itself does not contact the server, but Poll does.
+// To get the latest metadata, call this method after a successful call to Poll.
+// If the metadata is not available, the returned metadata and error are both nil.
+func (op *CreateCertificateOperation) Metadata() (*privatecapb.OperationMetadata, error) {
+	var meta privatecapb.OperationMetadata
+	if err := op.lro.Metadata(&meta); err == longrunning.ErrNoMetadata {
+		return nil, nil
+	} else if err != nil {
+		return nil, err
+	}
+	return &meta, nil
+}
+
+// Done reports whether the long-running operation has completed.
+func (op *CreateCertificateOperation) Done() bool {
+	return op.lro.Done()
+}
+
+// Name returns the name of the long-running operation.
+// The name is assigned by the server and is unique within the service from which the operation is created.
+func (op *CreateCertificateOperation) Name() string {
+	return op.lro.Name()
+}
+
+// CreateCertificateAuthorityOperation manages a long-running operation from CreateCertificateAuthority.
+type CreateCertificateAuthorityOperation struct {
+	lro *longrunning.Operation
+}
+
+// CreateCertificateAuthorityOperation returns a new CreateCertificateAuthorityOperation from a given name.
+// The name must be that of a previously created CreateCertificateAuthorityOperation, possibly from a different process.
+func (c *CertificateAuthorityClient) CreateCertificateAuthorityOperation(name string) *CreateCertificateAuthorityOperation {
+	return &CreateCertificateAuthorityOperation{
+		lro: longrunning.InternalNewOperation(c.LROClient, &longrunningpb.Operation{Name: name}),
+	}
+}
+
+// Wait blocks until the long-running operation is completed, returning the response and any errors encountered.
+//
+// See documentation of Poll for error-handling information.
+func (op *CreateCertificateAuthorityOperation) Wait(ctx context.Context, opts ...gax.CallOption) (*privatecapb.CertificateAuthority, error) {
+	var resp privatecapb.CertificateAuthority
+	if err := op.lro.WaitWithInterval(ctx, &resp, time.Minute, opts...); err != nil {
+		return nil, err
+	}
+	return &resp, nil
+}
+
+// Poll fetches the latest state of the long-running operation.
+//
+// Poll also fetches the latest metadata, which can be retrieved by Metadata.
+//
+// If Poll fails, the error is returned and op is unmodified. If Poll succeeds and
+// the operation has completed with failure, the error is returned and op.Done will return true.
+// If Poll succeeds and the operation has completed successfully,
+// op.Done will return true, and the response of the operation is returned.
+// If Poll succeeds and the operation has not completed, the returned response and error are both nil.
+func (op *CreateCertificateAuthorityOperation) Poll(ctx context.Context, opts ...gax.CallOption) (*privatecapb.CertificateAuthority, error) {
+	var resp privatecapb.CertificateAuthority
+	if err := op.lro.Poll(ctx, &resp, opts...); err != nil {
+		return nil, err
+	}
+	if !op.Done() {
+		return nil, nil
+	}
+	return &resp, nil
+}
+
+// Metadata returns metadata associated with the long-running operation.
+// Metadata itself does not contact the server, but Poll does.
+// To get the latest metadata, call this method after a successful call to Poll.
+// If the metadata is not available, the returned metadata and error are both nil.
+func (op *CreateCertificateAuthorityOperation) Metadata() (*privatecapb.OperationMetadata, error) {
+	var meta privatecapb.OperationMetadata
+	if err := op.lro.Metadata(&meta); err == longrunning.ErrNoMetadata {
+		return nil, nil
+	} else if err != nil {
+		return nil, err
+	}
+	return &meta, nil
+}
+
+// Done reports whether the long-running operation has completed.
+func (op *CreateCertificateAuthorityOperation) Done() bool {
+	return op.lro.Done()
+}
+
+// Name returns the name of the long-running operation.
+// The name is assigned by the server and is unique within the service from which the operation is created.
+func (op *CreateCertificateAuthorityOperation) Name() string {
+	return op.lro.Name()
+}
+
+// CreateCertificateRevocationListOperation manages a long-running operation from CreateCertificateRevocationList.
+type CreateCertificateRevocationListOperation struct {
+	lro *longrunning.Operation
+}
+
+// CreateCertificateRevocationListOperation returns a new CreateCertificateRevocationListOperation from a given name.
+// The name must be that of a previously created CreateCertificateRevocationListOperation, possibly from a different process.
+func (c *CertificateAuthorityClient) CreateCertificateRevocationListOperation(name string) *CreateCertificateRevocationListOperation {
+	return &CreateCertificateRevocationListOperation{
+		lro: longrunning.InternalNewOperation(c.LROClient, &longrunningpb.Operation{Name: name}),
+	}
+}
+
+// Wait blocks until the long-running operation is completed, returning the response and any errors encountered.
+//
+// See documentation of Poll for error-handling information.
+func (op *CreateCertificateRevocationListOperation) Wait(ctx context.Context, opts ...gax.CallOption) (*privatecapb.CertificateRevocationList, error) {
+	var resp privatecapb.CertificateRevocationList
+	if err := op.lro.WaitWithInterval(ctx, &resp, time.Minute, opts...); err != nil {
+		return nil, err
+	}
+	return &resp, nil
+}
+
+// Poll fetches the latest state of the long-running operation.
+//
+// Poll also fetches the latest metadata, which can be retrieved by Metadata.
+//
+// If Poll fails, the error is returned and op is unmodified. If Poll succeeds and
+// the operation has completed with failure, the error is returned and op.Done will return true.
+// If Poll succeeds and the operation has completed successfully,
+// op.Done will return true, and the response of the operation is returned.
+// If Poll succeeds and the operation has not completed, the returned response and error are both nil.
+func (op *CreateCertificateRevocationListOperation) Poll(ctx context.Context, opts ...gax.CallOption) (*privatecapb.CertificateRevocationList, error) {
+	var resp privatecapb.CertificateRevocationList
+	if err := op.lro.Poll(ctx, &resp, opts...); err != nil {
+		return nil, err
+	}
+	if !op.Done() {
+		return nil, nil
+	}
+	return &resp, nil
+}
+
+// Metadata returns metadata associated with the long-running operation.
+// Metadata itself does not contact the server, but Poll does.
+// To get the latest metadata, call this method after a successful call to Poll.
+// If the metadata is not available, the returned metadata and error are both nil.
+func (op *CreateCertificateRevocationListOperation) Metadata() (*privatecapb.OperationMetadata, error) {
+	var meta privatecapb.OperationMetadata
+	if err := op.lro.Metadata(&meta); err == longrunning.ErrNoMetadata {
+		return nil, nil
+	} else if err != nil {
+		return nil, err
+	}
+	return &meta, nil
+}
+
+// Done reports whether the long-running operation has completed.
+func (op *CreateCertificateRevocationListOperation) Done() bool {
+	return op.lro.Done()
+}
+
+// Name returns the name of the long-running operation.
+// The name is assigned by the server and is unique within the service from which the operation is created.
+func (op *CreateCertificateRevocationListOperation) Name() string {
+	return op.lro.Name()
+}
+
+// CreateReusableConfigOperation manages a long-running operation from CreateReusableConfig.
+type CreateReusableConfigOperation struct {
+	lro *longrunning.Operation
+}
+
+// CreateReusableConfigOperation returns a new CreateReusableConfigOperation from a given name.
+// The name must be that of a previously created CreateReusableConfigOperation, possibly from a different process.
+func (c *CertificateAuthorityClient) CreateReusableConfigOperation(name string) *CreateReusableConfigOperation {
+	return &CreateReusableConfigOperation{
+		lro: longrunning.InternalNewOperation(c.LROClient, &longrunningpb.Operation{Name: name}),
+	}
+}
+
+// Wait blocks until the long-running operation is completed, returning the response and any errors encountered.
+//
+// See documentation of Poll for error-handling information.
+func (op *CreateReusableConfigOperation) Wait(ctx context.Context, opts ...gax.CallOption) (*privatecapb.ReusableConfig, error) {
+	var resp privatecapb.ReusableConfig
+	if err := op.lro.WaitWithInterval(ctx, &resp, time.Minute, opts...); err != nil {
+		return nil, err
+	}
+	return &resp, nil
+}
+
+// Poll fetches the latest state of the long-running operation.
+//
+// Poll also fetches the latest metadata, which can be retrieved by Metadata.
+//
+// If Poll fails, the error is returned and op is unmodified. If Poll succeeds and
+// the operation has completed with failure, the error is returned and op.Done will return true.
+// If Poll succeeds and the operation has completed successfully,
+// op.Done will return true, and the response of the operation is returned.
+// If Poll succeeds and the operation has not completed, the returned response and error are both nil.
+func (op *CreateReusableConfigOperation) Poll(ctx context.Context, opts ...gax.CallOption) (*privatecapb.ReusableConfig, error) {
+	var resp privatecapb.ReusableConfig
+	if err := op.lro.Poll(ctx, &resp, opts...); err != nil {
+		return nil, err
+	}
+	if !op.Done() {
+		return nil, nil
+	}
+	return &resp, nil
+}
+
+// Metadata returns metadata associated with the long-running operation.
+// Metadata itself does not contact the server, but Poll does.
+// To get the latest metadata, call this method after a successful call to Poll.
+// If the metadata is not available, the returned metadata and error are both nil.
+func (op *CreateReusableConfigOperation) Metadata() (*privatecapb.OperationMetadata, error) {
+	var meta privatecapb.OperationMetadata
+	if err := op.lro.Metadata(&meta); err == longrunning.ErrNoMetadata {
+		return nil, nil
+	} else if err != nil {
+		return nil, err
+	}
+	return &meta, nil
+}
+
+// Done reports whether the long-running operation has completed.
+func (op *CreateReusableConfigOperation) Done() bool {
+	return op.lro.Done()
+}
+
+// Name returns the name of the long-running operation.
+// The name is assigned by the server and is unique within the service from which the operation is created.
+func (op *CreateReusableConfigOperation) Name() string {
+	return op.lro.Name()
+}
+
+// DeleteCertificateAuthorityOperation manages a long-running operation from DeleteCertificateAuthority.
+type DeleteCertificateAuthorityOperation struct {
+	lro *longrunning.Operation
+}
+
+// DeleteCertificateAuthorityOperation returns a new DeleteCertificateAuthorityOperation from a given name.
+// The name must be that of a previously created DeleteCertificateAuthorityOperation, possibly from a different process.
+func (c *CertificateAuthorityClient) DeleteCertificateAuthorityOperation(name string) *DeleteCertificateAuthorityOperation {
+	return &DeleteCertificateAuthorityOperation{
+		lro: longrunning.InternalNewOperation(c.LROClient, &longrunningpb.Operation{Name: name}),
+	}
+}
+
+// Wait blocks until the long-running operation is completed, returning the response and any errors encountered.
+//
+// See documentation of Poll for error-handling information.
+func (op *DeleteCertificateAuthorityOperation) Wait(ctx context.Context, opts ...gax.CallOption) error {
+	return op.lro.WaitWithInterval(ctx, nil, time.Minute, opts...)
+}
+
+// Poll fetches the latest state of the long-running operation.
+//
+// Poll also fetches the latest metadata, which can be retrieved by Metadata.
+//
+// If Poll fails, the error is returned and op is unmodified. If Poll succeeds and
+// the operation has completed with failure, the error is returned and op.Done will return true.
+// If Poll succeeds and the operation has completed successfully,
+// op.Done will return true, and the response of the operation is returned.
+// If Poll succeeds and the operation has not completed, the returned response and error are both nil.
+func (op *DeleteCertificateAuthorityOperation) Poll(ctx context.Context, opts ...gax.CallOption) error {
+	return op.lro.Poll(ctx, nil, opts...)
+}
+
+// Metadata returns metadata associated with the long-running operation.
+// Metadata itself does not contact the server, but Poll does.
+// To get the latest metadata, call this method after a successful call to Poll.
+// If the metadata is not available, the returned metadata and error are both nil.
+func (op *DeleteCertificateAuthorityOperation) Metadata() (*privatecapb.OperationMetadata, error) {
+	var meta privatecapb.OperationMetadata
+	if err := op.lro.Metadata(&meta); err == longrunning.ErrNoMetadata {
+		return nil, nil
+	} else if err != nil {
+		return nil, err
+	}
+	return &meta, nil
+}
+
+// Done reports whether the long-running operation has completed.
+func (op *DeleteCertificateAuthorityOperation) Done() bool {
+	return op.lro.Done()
+}
+
+// Name returns the name of the long-running operation.
+// The name is assigned by the server and is unique within the service from which the operation is created.
+func (op *DeleteCertificateAuthorityOperation) Name() string {
+	return op.lro.Name()
+}
+
+// DisableCertificateAuthorityOperation manages a long-running operation from DisableCertificateAuthority.
+type DisableCertificateAuthorityOperation struct {
+	lro *longrunning.Operation
+}
+
+// DisableCertificateAuthorityOperation returns a new DisableCertificateAuthorityOperation from a given name.
+// The name must be that of a previously created DisableCertificateAuthorityOperation, possibly from a different process.
+func (c *CertificateAuthorityClient) DisableCertificateAuthorityOperation(name string) *DisableCertificateAuthorityOperation {
+	return &DisableCertificateAuthorityOperation{
+		lro: longrunning.InternalNewOperation(c.LROClient, &longrunningpb.Operation{Name: name}),
+	}
+}
+
+// Wait blocks until the long-running operation is completed, returning the response and any errors encountered.
+//
+// See documentation of Poll for error-handling information.
+func (op *DisableCertificateAuthorityOperation) Wait(ctx context.Context, opts ...gax.CallOption) (*privatecapb.CertificateAuthority, error) {
+	var resp privatecapb.CertificateAuthority
+	if err := op.lro.WaitWithInterval(ctx, &resp, time.Minute, opts...); err != nil {
+		return nil, err
+	}
+	return &resp, nil
+}
+
+// Poll fetches the latest state of the long-running operation.
+//
+// Poll also fetches the latest metadata, which can be retrieved by Metadata.
+//
+// If Poll fails, the error is returned and op is unmodified. If Poll succeeds and
+// the operation has completed with failure, the error is returned and op.Done will return true.
+// If Poll succeeds and the operation has completed successfully,
+// op.Done will return true, and the response of the operation is returned.
+// If Poll succeeds and the operation has not completed, the returned response and error are both nil.
+func (op *DisableCertificateAuthorityOperation) Poll(ctx context.Context, opts ...gax.CallOption) (*privatecapb.CertificateAuthority, error) {
+	var resp privatecapb.CertificateAuthority
+	if err := op.lro.Poll(ctx, &resp, opts...); err != nil {
+		return nil, err
+	}
+	if !op.Done() {
+		return nil, nil
+	}
+	return &resp, nil
+}
+
+// Metadata returns metadata associated with the long-running operation.
+// Metadata itself does not contact the server, but Poll does.
+// To get the latest metadata, call this method after a successful call to Poll.
+// If the metadata is not available, the returned metadata and error are both nil.
+func (op *DisableCertificateAuthorityOperation) Metadata() (*privatecapb.OperationMetadata, error) {
+	var meta privatecapb.OperationMetadata
+	if err := op.lro.Metadata(&meta); err == longrunning.ErrNoMetadata {
+		return nil, nil
+	} else if err != nil {
+		return nil, err
+	}
+	return &meta, nil
+}
+
+// Done reports whether the long-running operation has completed.
+func (op *DisableCertificateAuthorityOperation) Done() bool {
+	return op.lro.Done()
+}
+
+// Name returns the name of the long-running operation.
+// The name is assigned by the server and is unique within the service from which the operation is created.
+func (op *DisableCertificateAuthorityOperation) Name() string {
+	return op.lro.Name()
+}
+
+// EnableCertificateAuthorityOperation manages a long-running operation from EnableCertificateAuthority.
+type EnableCertificateAuthorityOperation struct {
+	lro *longrunning.Operation
+}
+
+// EnableCertificateAuthorityOperation returns a new EnableCertificateAuthorityOperation from a given name.
+// The name must be that of a previously created EnableCertificateAuthorityOperation, possibly from a different process.
+func (c *CertificateAuthorityClient) EnableCertificateAuthorityOperation(name string) *EnableCertificateAuthorityOperation {
+	return &EnableCertificateAuthorityOperation{
+		lro: longrunning.InternalNewOperation(c.LROClient, &longrunningpb.Operation{Name: name}),
+	}
+}
+
+// Wait blocks until the long-running operation is completed, returning the response and any errors encountered.
+//
+// See documentation of Poll for error-handling information.
+func (op *EnableCertificateAuthorityOperation) Wait(ctx context.Context, opts ...gax.CallOption) (*privatecapb.CertificateAuthority, error) {
+	var resp privatecapb.CertificateAuthority
+	if err := op.lro.WaitWithInterval(ctx, &resp, time.Minute, opts...); err != nil {
+		return nil, err
+	}
+	return &resp, nil
+}
+
+// Poll fetches the latest state of the long-running operation.
+//
+// Poll also fetches the latest metadata, which can be retrieved by Metadata.
+//
+// If Poll fails, the error is returned and op is unmodified. If Poll succeeds and
+// the operation has completed with failure, the error is returned and op.Done will return true.
+// If Poll succeeds and the operation has completed successfully,
+// op.Done will return true, and the response of the operation is returned.
+// If Poll succeeds and the operation has not completed, the returned response and error are both nil.
+func (op *EnableCertificateAuthorityOperation) Poll(ctx context.Context, opts ...gax.CallOption) (*privatecapb.CertificateAuthority, error) {
+	var resp privatecapb.CertificateAuthority
+	if err := op.lro.Poll(ctx, &resp, opts...); err != nil {
+		return nil, err
+	}
+	if !op.Done() {
+		return nil, nil
+	}
+	return &resp, nil
+}
+
+// Metadata returns metadata associated with the long-running operation.
+// Metadata itself does not contact the server, but Poll does.
+// To get the latest metadata, call this method after a successful call to Poll.
+// If the metadata is not available, the returned metadata and error are both nil.
+func (op *EnableCertificateAuthorityOperation) Metadata() (*privatecapb.OperationMetadata, error) {
+	var meta privatecapb.OperationMetadata
+	if err := op.lro.Metadata(&meta); err == longrunning.ErrNoMetadata {
+		return nil, nil
+	} else if err != nil {
+		return nil, err
+	}
+	return &meta, nil
+}
+
+// Done reports whether the long-running operation has completed.
+func (op *EnableCertificateAuthorityOperation) Done() bool {
+	return op.lro.Done()
+}
+
+// Name returns the name of the long-running operation.
+// The name is assigned by the server and is unique within the service from which the operation is created.
+func (op *EnableCertificateAuthorityOperation) Name() string {
+	return op.lro.Name()
+}
+
+// RestoreCertificateAuthorityOperation manages a long-running operation from RestoreCertificateAuthority.
+type RestoreCertificateAuthorityOperation struct {
+	lro *longrunning.Operation
+}
+
+// RestoreCertificateAuthorityOperation returns a new RestoreCertificateAuthorityOperation from a given name.
+// The name must be that of a previously created RestoreCertificateAuthorityOperation, possibly from a different process.
+func (c *CertificateAuthorityClient) RestoreCertificateAuthorityOperation(name string) *RestoreCertificateAuthorityOperation {
+	return &RestoreCertificateAuthorityOperation{
+		lro: longrunning.InternalNewOperation(c.LROClient, &longrunningpb.Operation{Name: name}),
+	}
+}
+
+// Wait blocks until the long-running operation is completed, returning the response and any errors encountered.
+//
+// See documentation of Poll for error-handling information.
+func (op *RestoreCertificateAuthorityOperation) Wait(ctx context.Context, opts ...gax.CallOption) (*privatecapb.CertificateAuthority, error) {
+	var resp privatecapb.CertificateAuthority
+	if err := op.lro.WaitWithInterval(ctx, &resp, time.Minute, opts...); err != nil {
+		return nil, err
+	}
+	return &resp, nil
+}
+
+// Poll fetches the latest state of the long-running operation.
+//
+// Poll also fetches the latest metadata, which can be retrieved by Metadata.
+//
+// If Poll fails, the error is returned and op is unmodified. If Poll succeeds and
+// the operation has completed with failure, the error is returned and op.Done will return true.
+// If Poll succeeds and the operation has completed successfully,
+// op.Done will return true, and the response of the operation is returned.
+// If Poll succeeds and the operation has not completed, the returned response and error are both nil.
+func (op *RestoreCertificateAuthorityOperation) Poll(ctx context.Context, opts ...gax.CallOption) (*privatecapb.CertificateAuthority, error) {
+	var resp privatecapb.CertificateAuthority
+	if err := op.lro.Poll(ctx, &resp, opts...); err != nil {
+		return nil, err
+	}
+	if !op.Done() {
+		return nil, nil
+	}
+	return &resp, nil
+}
+
+// Metadata returns metadata associated with the long-running operation.
+// Metadata itself does not contact the server, but Poll does.
+// To get the latest metadata, call this method after a successful call to Poll.
+// If the metadata is not available, the returned metadata and error are both nil.
+func (op *RestoreCertificateAuthorityOperation) Metadata() (*privatecapb.OperationMetadata, error) {
+	var meta privatecapb.OperationMetadata
+	if err := op.lro.Metadata(&meta); err == longrunning.ErrNoMetadata {
+		return nil, nil
+	} else if err != nil {
+		return nil, err
+	}
+	return &meta, nil
+}
+
+// Done reports whether the long-running operation has completed.
+func (op *RestoreCertificateAuthorityOperation) Done() bool {
+	return op.lro.Done()
+}
+
+// Name returns the name of the long-running operation.
+// The name is assigned by the server and is unique within the service from which the operation is created.
+func (op *RestoreCertificateAuthorityOperation) Name() string {
+	return op.lro.Name()
+}
+
+// RevokeCertificateOperation manages a long-running operation from RevokeCertificate.
+type RevokeCertificateOperation struct {
+	lro *longrunning.Operation
+}
+
+// RevokeCertificateOperation returns a new RevokeCertificateOperation from a given name.
+// The name must be that of a previously created RevokeCertificateOperation, possibly from a different process.
+func (c *CertificateAuthorityClient) RevokeCertificateOperation(name string) *RevokeCertificateOperation {
+	return &RevokeCertificateOperation{
+		lro: longrunning.InternalNewOperation(c.LROClient, &longrunningpb.Operation{Name: name}),
+	}
+}
+
+// Wait blocks until the long-running operation is completed, returning the response and any errors encountered.
+//
+// See documentation of Poll for error-handling information.
+func (op *RevokeCertificateOperation) Wait(ctx context.Context, opts ...gax.CallOption) (*privatecapb.Certificate, error) {
+	var resp privatecapb.Certificate
+	if err := op.lro.WaitWithInterval(ctx, &resp, time.Minute, opts...); err != nil {
+		return nil, err
+	}
+	return &resp, nil
+}
+
+// Poll fetches the latest state of the long-running operation.
+//
+// Poll also fetches the latest metadata, which can be retrieved by Metadata.
+//
+// If Poll fails, the error is returned and op is unmodified. If Poll succeeds and
+// the operation has completed with failure, the error is returned and op.Done will return true.
+// If Poll succeeds and the operation has completed successfully,
+// op.Done will return true, and the response of the operation is returned.
+// If Poll succeeds and the operation has not completed, the returned response and error are both nil.
+func (op *RevokeCertificateOperation) Poll(ctx context.Context, opts ...gax.CallOption) (*privatecapb.Certificate, error) {
+	var resp privatecapb.Certificate
+	if err := op.lro.Poll(ctx, &resp, opts...); err != nil {
+		return nil, err
+	}
+	if !op.Done() {
+		return nil, nil
+	}
+	return &resp, nil
+}
+
+// Metadata returns metadata associated with the long-running operation.
+// Metadata itself does not contact the server, but Poll does.
+// To get the latest metadata, call this method after a successful call to Poll.
+// If the metadata is not available, the returned metadata and error are both nil.
+func (op *RevokeCertificateOperation) Metadata() (*privatecapb.OperationMetadata, error) {
+	var meta privatecapb.OperationMetadata
+	if err := op.lro.Metadata(&meta); err == longrunning.ErrNoMetadata {
+		return nil, nil
+	} else if err != nil {
+		return nil, err
+	}
+	return &meta, nil
+}
+
+// Done reports whether the long-running operation has completed.
+func (op *RevokeCertificateOperation) Done() bool {
+	return op.lro.Done()
+}
+
+// Name returns the name of the long-running operation.
+// The name is assigned by the server and is unique within the service from which the operation is created.
+func (op *RevokeCertificateOperation) Name() string {
+	return op.lro.Name()
+}
+
+// ScheduleDeleteCertificateAuthorityOperation manages a long-running operation from ScheduleDeleteCertificateAuthority.
+type ScheduleDeleteCertificateAuthorityOperation struct {
+	lro *longrunning.Operation
+}
+
+// ScheduleDeleteCertificateAuthorityOperation returns a new ScheduleDeleteCertificateAuthorityOperation from a given name.
+// The name must be that of a previously created ScheduleDeleteCertificateAuthorityOperation, possibly from a different process.
+func (c *CertificateAuthorityClient) ScheduleDeleteCertificateAuthorityOperation(name string) *ScheduleDeleteCertificateAuthorityOperation {
+	return &ScheduleDeleteCertificateAuthorityOperation{
+		lro: longrunning.InternalNewOperation(c.LROClient, &longrunningpb.Operation{Name: name}),
+	}
+}
+
+// Wait blocks until the long-running operation is completed, returning the response and any errors encountered.
+//
+// See documentation of Poll for error-handling information.
+func (op *ScheduleDeleteCertificateAuthorityOperation) Wait(ctx context.Context, opts ...gax.CallOption) (*privatecapb.CertificateAuthority, error) {
+	var resp privatecapb.CertificateAuthority
+	if err := op.lro.WaitWithInterval(ctx, &resp, time.Minute, opts...); err != nil {
+		return nil, err
+	}
+	return &resp, nil
+}
+
+// Poll fetches the latest state of the long-running operation.
+//
+// Poll also fetches the latest metadata, which can be retrieved by Metadata.
+//
+// If Poll fails, the error is returned and op is unmodified. If Poll succeeds and
+// the operation has completed with failure, the error is returned and op.Done will return true.
+// If Poll succeeds and the operation has completed successfully,
+// op.Done will return true, and the response of the operation is returned.
+// If Poll succeeds and the operation has not completed, the returned response and error are both nil.
+func (op *ScheduleDeleteCertificateAuthorityOperation) Poll(ctx context.Context, opts ...gax.CallOption) (*privatecapb.CertificateAuthority, error) {
+	var resp privatecapb.CertificateAuthority
+	if err := op.lro.Poll(ctx, &resp, opts...); err != nil {
+		return nil, err
+	}
+	if !op.Done() {
+		return nil, nil
+	}
+	return &resp, nil
+}
+
+// Metadata returns metadata associated with the long-running operation.
+// Metadata itself does not contact the server, but Poll does.
+// To get the latest metadata, call this method after a successful call to Poll.
+// If the metadata is not available, the returned metadata and error are both nil.
+func (op *ScheduleDeleteCertificateAuthorityOperation) Metadata() (*privatecapb.OperationMetadata, error) {
+	var meta privatecapb.OperationMetadata
+	if err := op.lro.Metadata(&meta); err == longrunning.ErrNoMetadata {
+		return nil, nil
+	} else if err != nil {
+		return nil, err
+	}
+	return &meta, nil
+}
+
+// Done reports whether the long-running operation has completed.
+func (op *ScheduleDeleteCertificateAuthorityOperation) Done() bool {
+	return op.lro.Done()
+}
+
+// Name returns the name of the long-running operation.
+// The name is assigned by the server and is unique within the service from which the operation is created.
+func (op *ScheduleDeleteCertificateAuthorityOperation) Name() string {
+	return op.lro.Name()
+}
+
+// UpdateCertificateOperation manages a long-running operation from UpdateCertificate.
+type UpdateCertificateOperation struct {
+	lro *longrunning.Operation
+}
+
+// UpdateCertificateOperation returns a new UpdateCertificateOperation from a given name.
+// The name must be that of a previously created UpdateCertificateOperation, possibly from a different process.
+func (c *CertificateAuthorityClient) UpdateCertificateOperation(name string) *UpdateCertificateOperation {
+	return &UpdateCertificateOperation{
+		lro: longrunning.InternalNewOperation(c.LROClient, &longrunningpb.Operation{Name: name}),
+	}
+}
+
+// Wait blocks until the long-running operation is completed, returning the response and any errors encountered.
+//
+// See documentation of Poll for error-handling information.
+func (op *UpdateCertificateOperation) Wait(ctx context.Context, opts ...gax.CallOption) (*privatecapb.Certificate, error) {
+	var resp privatecapb.Certificate
+	if err := op.lro.WaitWithInterval(ctx, &resp, time.Minute, opts...); err != nil {
+		return nil, err
+	}
+	return &resp, nil
+}
+
+// Poll fetches the latest state of the long-running operation.
+//
+// Poll also fetches the latest metadata, which can be retrieved by Metadata.
+//
+// If Poll fails, the error is returned and op is unmodified. If Poll succeeds and
+// the operation has completed with failure, the error is returned and op.Done will return true.
+// If Poll succeeds and the operation has completed successfully,
+// op.Done will return true, and the response of the operation is returned.
+// If Poll succeeds and the operation has not completed, the returned response and error are both nil.
+func (op *UpdateCertificateOperation) Poll(ctx context.Context, opts ...gax.CallOption) (*privatecapb.Certificate, error) {
+	var resp privatecapb.Certificate
+	if err := op.lro.Poll(ctx, &resp, opts...); err != nil {
+		return nil, err
+	}
+	if !op.Done() {
+		return nil, nil
+	}
+	return &resp, nil
+}
+
+// Metadata returns metadata associated with the long-running operation.
+// Metadata itself does not contact the server, but Poll does.
+// To get the latest metadata, call this method after a successful call to Poll.
+// If the metadata is not available, the returned metadata and error are both nil.
+func (op *UpdateCertificateOperation) Metadata() (*privatecapb.OperationMetadata, error) {
+	var meta privatecapb.OperationMetadata
+	if err := op.lro.Metadata(&meta); err == longrunning.ErrNoMetadata {
+		return nil, nil
+	} else if err != nil {
+		return nil, err
+	}
+	return &meta, nil
+}
+
+// Done reports whether the long-running operation has completed.
+func (op *UpdateCertificateOperation) Done() bool {
+	return op.lro.Done()
+}
+
+// Name returns the name of the long-running operation.
+// The name is assigned by the server and is unique within the service from which the operation is created.
+func (op *UpdateCertificateOperation) Name() string {
+	return op.lro.Name()
+}
+
+// UpdateCertificateAuthorityOperation manages a long-running operation from UpdateCertificateAuthority.
+type UpdateCertificateAuthorityOperation struct {
+	lro *longrunning.Operation
+}
+
+// UpdateCertificateAuthorityOperation returns a new UpdateCertificateAuthorityOperation from a given name.
+// The name must be that of a previously created UpdateCertificateAuthorityOperation, possibly from a different process.
+func (c *CertificateAuthorityClient) UpdateCertificateAuthorityOperation(name string) *UpdateCertificateAuthorityOperation {
+	return &UpdateCertificateAuthorityOperation{
+		lro: longrunning.InternalNewOperation(c.LROClient, &longrunningpb.Operation{Name: name}),
+	}
+}
+
+// Wait blocks until the long-running operation is completed, returning the response and any errors encountered.
+//
+// See documentation of Poll for error-handling information.
+func (op *UpdateCertificateAuthorityOperation) Wait(ctx context.Context, opts ...gax.CallOption) (*privatecapb.CertificateAuthority, error) {
+	var resp privatecapb.CertificateAuthority
+	if err := op.lro.WaitWithInterval(ctx, &resp, time.Minute, opts...); err != nil {
+		return nil, err
+	}
+	return &resp, nil
+}
+
+// Poll fetches the latest state of the long-running operation.
+//
+// Poll also fetches the latest metadata, which can be retrieved by Metadata.
+//
+// If Poll fails, the error is returned and op is unmodified. If Poll succeeds and
+// the operation has completed with failure, the error is returned and op.Done will return true.
+// If Poll succeeds and the operation has completed successfully,
+// op.Done will return true, and the response of the operation is returned.
+// If Poll succeeds and the operation has not completed, the returned response and error are both nil.
+func (op *UpdateCertificateAuthorityOperation) Poll(ctx context.Context, opts ...gax.CallOption) (*privatecapb.CertificateAuthority, error) {
+	var resp privatecapb.CertificateAuthority
+	if err := op.lro.Poll(ctx, &resp, opts...); err != nil {
+		return nil, err
+	}
+	if !op.Done() {
+		return nil, nil
+	}
+	return &resp, nil
+}
+
+// Metadata returns metadata associated with the long-running operation.
+// Metadata itself does not contact the server, but Poll does.
+// To get the latest metadata, call this method after a successful call to Poll.
+// If the metadata is not available, the returned metadata and error are both nil.
+func (op *UpdateCertificateAuthorityOperation) Metadata() (*privatecapb.OperationMetadata, error) {
+	var meta privatecapb.OperationMetadata
+	if err := op.lro.Metadata(&meta); err == longrunning.ErrNoMetadata {
+		return nil, nil
+	} else if err != nil {
+		return nil, err
+	}
+	return &meta, nil
+}
+
+// Done reports whether the long-running operation has completed.
+func (op *UpdateCertificateAuthorityOperation) Done() bool {
+	return op.lro.Done()
+}
+
+// Name returns the name of the long-running operation.
+// The name is assigned by the server and is unique within the service from which the operation is created.
+func (op *UpdateCertificateAuthorityOperation) Name() string {
+	return op.lro.Name()
+}
+
+// UpdateCertificateRevocationListOperation manages a long-running operation from UpdateCertificateRevocationList.
+type UpdateCertificateRevocationListOperation struct {
+	lro *longrunning.Operation
+}
+
+// UpdateCertificateRevocationListOperation returns a new UpdateCertificateRevocationListOperation from a given name.
+// The name must be that of a previously created UpdateCertificateRevocationListOperation, possibly from a different process.
+func (c *CertificateAuthorityClient) UpdateCertificateRevocationListOperation(name string) *UpdateCertificateRevocationListOperation {
+	return &UpdateCertificateRevocationListOperation{
+		lro: longrunning.InternalNewOperation(c.LROClient, &longrunningpb.Operation{Name: name}),
+	}
+}
+
+// Wait blocks until the long-running operation is completed, returning the response and any errors encountered.
+//
+// See documentation of Poll for error-handling information.
+func (op *UpdateCertificateRevocationListOperation) Wait(ctx context.Context, opts ...gax.CallOption) (*privatecapb.CertificateRevocationList, error) {
+	var resp privatecapb.CertificateRevocationList
+	if err := op.lro.WaitWithInterval(ctx, &resp, time.Minute, opts...); err != nil {
+		return nil, err
+	}
+	return &resp, nil
+}
+
+// Poll fetches the latest state of the long-running operation.
+//
+// Poll also fetches the latest metadata, which can be retrieved by Metadata.
+//
+// If Poll fails, the error is returned and op is unmodified. If Poll succeeds and
+// the operation has completed with failure, the error is returned and op.Done will return true.
+// If Poll succeeds and the operation has completed successfully,
+// op.Done will return true, and the response of the operation is returned.
+// If Poll succeeds and the operation has not completed, the returned response and error are both nil.
+func (op *UpdateCertificateRevocationListOperation) Poll(ctx context.Context, opts ...gax.CallOption) (*privatecapb.CertificateRevocationList, error) {
+	var resp privatecapb.CertificateRevocationList
+	if err := op.lro.Poll(ctx, &resp, opts...); err != nil {
+		return nil, err
+	}
+	if !op.Done() {
+		return nil, nil
+	}
+	return &resp, nil
+}
+
+// Metadata returns metadata associated with the long-running operation.
+// Metadata itself does not contact the server, but Poll does.
+// To get the latest metadata, call this method after a successful call to Poll.
+// If the metadata is not available, the returned metadata and error are both nil.
+func (op *UpdateCertificateRevocationListOperation) Metadata() (*privatecapb.OperationMetadata, error) {
+	var meta privatecapb.OperationMetadata
+	if err := op.lro.Metadata(&meta); err == longrunning.ErrNoMetadata {
+		return nil, nil
+	} else if err != nil {
+		return nil, err
+	}
+	return &meta, nil
+}
+
+// Done reports whether the long-running operation has completed.
+func (op *UpdateCertificateRevocationListOperation) Done() bool {
+	return op.lro.Done()
+}
+
+// Name returns the name of the long-running operation.
+// The name is assigned by the server and is unique within the service from which the operation is created.
+func (op *UpdateCertificateRevocationListOperation) Name() string {
+	return op.lro.Name()
+}
+
+// UpdateReusableConfigOperation manages a long-running operation from UpdateReusableConfig.
+type UpdateReusableConfigOperation struct {
+	lro *longrunning.Operation
+}
+
+// UpdateReusableConfigOperation returns a new UpdateReusableConfigOperation from a given name.
+// The name must be that of a previously created UpdateReusableConfigOperation, possibly from a different process.
+func (c *CertificateAuthorityClient) UpdateReusableConfigOperation(name string) *UpdateReusableConfigOperation {
+	return &UpdateReusableConfigOperation{
+		lro: longrunning.InternalNewOperation(c.LROClient, &longrunningpb.Operation{Name: name}),
+	}
+}
+
+// Wait blocks until the long-running operation is completed, returning the response and any errors encountered.
+//
+// See documentation of Poll for error-handling information.
+func (op *UpdateReusableConfigOperation) Wait(ctx context.Context, opts ...gax.CallOption) (*privatecapb.ReusableConfig, error) {
+	var resp privatecapb.ReusableConfig
+	if err := op.lro.WaitWithInterval(ctx, &resp, time.Minute, opts...); err != nil {
+		return nil, err
+	}
+	return &resp, nil
+}
+
+// Poll fetches the latest state of the long-running operation.
+//
+// Poll also fetches the latest metadata, which can be retrieved by Metadata.
+//
+// If Poll fails, the error is returned and op is unmodified. If Poll succeeds and
+// the operation has completed with failure, the error is returned and op.Done will return true.
+// If Poll succeeds and the operation has completed successfully,
+// op.Done will return true, and the response of the operation is returned.
+// If Poll succeeds and the operation has not completed, the returned response and error are both nil.
+func (op *UpdateReusableConfigOperation) Poll(ctx context.Context, opts ...gax.CallOption) (*privatecapb.ReusableConfig, error) {
+	var resp privatecapb.ReusableConfig
+	if err := op.lro.Poll(ctx, &resp, opts...); err != nil {
+		return nil, err
+	}
+	if !op.Done() {
+		return nil, nil
+	}
+	return &resp, nil
+}
+
+// Metadata returns metadata associated with the long-running operation.
+// Metadata itself does not contact the server, but Poll does.
+// To get the latest metadata, call this method after a successful call to Poll.
+// If the metadata is not available, the returned metadata and error are both nil.
+func (op *UpdateReusableConfigOperation) Metadata() (*privatecapb.OperationMetadata, error) {
+	var meta privatecapb.OperationMetadata
+	if err := op.lro.Metadata(&meta); err == longrunning.ErrNoMetadata {
+		return nil, nil
+	} else if err != nil {
+		return nil, err
+	}
+	return &meta, nil
+}
+
+// Done reports whether the long-running operation has completed.
+func (op *UpdateReusableConfigOperation) Done() bool {
+	return op.lro.Done()
+}
+
+// Name returns the name of the long-running operation.
+// The name is assigned by the server and is unique within the service from which the operation is created.
+func (op *UpdateReusableConfigOperation) Name() string {
+	return op.lro.Name()
+}
+
+// CertificateAuthorityIterator manages a stream of *privatecapb.CertificateAuthority.
+type CertificateAuthorityIterator struct {
+	items    []*privatecapb.CertificateAuthority
+	pageInfo *iterator.PageInfo
+	nextFunc func() error
+
+	// Response is the raw response for the current page.
+	// It must be cast to the RPC response type.
+	// Calling Next() or InternalFetch() updates this value.
+	Response interface{}
+
+	// InternalFetch is for use by the Google Cloud Libraries only.
+	// It is not part of the stable interface of this package.
+	//
+	// InternalFetch returns results from a single call to the underlying RPC.
+	// The number of results is no greater than pageSize.
+	// If there are no more results, nextPageToken is empty and err is nil.
+	InternalFetch func(pageSize int, pageToken string) (results []*privatecapb.CertificateAuthority, nextPageToken string, err error)
+}
+
+// PageInfo supports pagination. See the google.golang.org/api/iterator package for details.
+func (it *CertificateAuthorityIterator) PageInfo() *iterator.PageInfo {
+	return it.pageInfo
+}
+
+// Next returns the next result. Its second return value is iterator.Done if there are no more
+// results. Once Next returns Done, all subsequent calls will return Done.
+func (it *CertificateAuthorityIterator) Next() (*privatecapb.CertificateAuthority, error) {
+	var item *privatecapb.CertificateAuthority
+	if err := it.nextFunc(); err != nil {
+		return item, err
+	}
+	item = it.items[0]
+	it.items = it.items[1:]
+	return item, nil
+}
+
+func (it *CertificateAuthorityIterator) bufLen() int {
+	return len(it.items)
+}
+
+func (it *CertificateAuthorityIterator) takeBuf() interface{} {
+	b := it.items
+	it.items = nil
+	return b
+}
+
+// CertificateIterator manages a stream of *privatecapb.Certificate.
+type CertificateIterator struct {
+	items    []*privatecapb.Certificate
+	pageInfo *iterator.PageInfo
+	nextFunc func() error
+
+	// Response is the raw response for the current page.
+	// It must be cast to the RPC response type.
+	// Calling Next() or InternalFetch() updates this value.
+	Response interface{}
+
+	// InternalFetch is for use by the Google Cloud Libraries only.
+	// It is not part of the stable interface of this package.
+	//
+	// InternalFetch returns results from a single call to the underlying RPC.
+	// The number of results is no greater than pageSize.
+	// If there are no more results, nextPageToken is empty and err is nil.
+	InternalFetch func(pageSize int, pageToken string) (results []*privatecapb.Certificate, nextPageToken string, err error)
+}
+
+// PageInfo supports pagination. See the google.golang.org/api/iterator package for details.
+func (it *CertificateIterator) PageInfo() *iterator.PageInfo {
+	return it.pageInfo
+}
+
+// Next returns the next result. Its second return value is iterator.Done if there are no more
+// results. Once Next returns Done, all subsequent calls will return Done.
+func (it *CertificateIterator) Next() (*privatecapb.Certificate, error) {
+	var item *privatecapb.Certificate
+	if err := it.nextFunc(); err != nil {
+		return item, err
+	}
+	item = it.items[0]
+	it.items = it.items[1:]
+	return item, nil
+}
+
+func (it *CertificateIterator) bufLen() int {
+	return len(it.items)
+}
+
+func (it *CertificateIterator) takeBuf() interface{} {
+	b := it.items
+	it.items = nil
+	return b
+}
+
+// CertificateRevocationListIterator manages a stream of *privatecapb.CertificateRevocationList.
+type CertificateRevocationListIterator struct {
+	items    []*privatecapb.CertificateRevocationList
+	pageInfo *iterator.PageInfo
+	nextFunc func() error
+
+	// Response is the raw response for the current page.
+	// It must be cast to the RPC response type.
+	// Calling Next() or InternalFetch() updates this value.
+	Response interface{}
+
+	// InternalFetch is for use by the Google Cloud Libraries only.
+	// It is not part of the stable interface of this package.
+	//
+	// InternalFetch returns results from a single call to the underlying RPC.
+	// The number of results is no greater than pageSize.
+	// If there are no more results, nextPageToken is empty and err is nil.
+	InternalFetch func(pageSize int, pageToken string) (results []*privatecapb.CertificateRevocationList, nextPageToken string, err error)
+}
+
+// PageInfo supports pagination. See the google.golang.org/api/iterator package for details.
+func (it *CertificateRevocationListIterator) PageInfo() *iterator.PageInfo {
+	return it.pageInfo
+}
+
+// Next returns the next result. Its second return value is iterator.Done if there are no more
+// results. Once Next returns Done, all subsequent calls will return Done.
+func (it *CertificateRevocationListIterator) Next() (*privatecapb.CertificateRevocationList, error) {
+	var item *privatecapb.CertificateRevocationList
+	if err := it.nextFunc(); err != nil {
+		return item, err
+	}
+	item = it.items[0]
+	it.items = it.items[1:]
+	return item, nil
+}
+
+func (it *CertificateRevocationListIterator) bufLen() int {
+	return len(it.items)
+}
+
+func (it *CertificateRevocationListIterator) takeBuf() interface{} {
+	b := it.items
+	it.items = nil
+	return b
+}
+
+// ReusableConfigIterator manages a stream of *privatecapb.ReusableConfig.
+type ReusableConfigIterator struct {
+	items    []*privatecapb.ReusableConfig
+	pageInfo *iterator.PageInfo
+	nextFunc func() error
+
+	// Response is the raw response for the current page.
+	// It must be cast to the RPC response type.
+	// Calling Next() or InternalFetch() updates this value.
+	Response interface{}
+
+	// InternalFetch is for use by the Google Cloud Libraries only.
+	// It is not part of the stable interface of this package.
+	//
+	// InternalFetch returns results from a single call to the underlying RPC.
+	// The number of results is no greater than pageSize.
+	// If there are no more results, nextPageToken is empty and err is nil.
+	InternalFetch func(pageSize int, pageToken string) (results []*privatecapb.ReusableConfig, nextPageToken string, err error)
+}
+
+// PageInfo supports pagination. See the google.golang.org/api/iterator package for details.
+func (it *ReusableConfigIterator) PageInfo() *iterator.PageInfo {
+	return it.pageInfo
+}
+
+// Next returns the next result. Its second return value is iterator.Done if there are no more
+// results. Once Next returns Done, all subsequent calls will return Done.
+func (it *ReusableConfigIterator) Next() (*privatecapb.ReusableConfig, error) {
+	var item *privatecapb.ReusableConfig
+	if err := it.nextFunc(); err != nil {
+		return item, err
+	}
+	item = it.items[0]
+	it.items = it.items[1:]
+	return item, nil
+}
+
+func (it *ReusableConfigIterator) bufLen() int {
+	return len(it.items)
+}
+
+func (it *ReusableConfigIterator) takeBuf() interface{} {
+	b := it.items
+	it.items = nil
+	return b
+}
diff --git a/lib/cloud.google.com/go/security/privateca/apiv1alpha1/doc.go b/lib/cloud.google.com/go/security/privateca/apiv1alpha1/doc.go
new file mode 100644
index 0000000..b158e65
--- /dev/null
+++ b/lib/cloud.google.com/go/security/privateca/apiv1alpha1/doc.go
@@ -0,0 +1,102 @@
+// Copyright 2020 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     https://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// Code generated by protoc-gen-go_gapic. DO NOT EDIT.
+
+// Package privateca is an auto-generated package for the
+// Certificate Authority Service API.
+//
+// Use of Context
+//
+// The ctx passed to NewClient is used for authentication requests and
+// for creating the underlying connection, but is not used for subsequent calls.
+// Individual methods on the client use the ctx given to them.
+//
+// To close the open connection, use the Close() method.
+//
+// For information about setting deadlines, reusing contexts, and more
+// please visit godoc.org/cloud.google.com/go.
+package privateca // import "cloud.google.com/go/security/privateca/apiv1alpha1"
+
+import (
+	"context"
+	"runtime"
+	"strings"
+	"unicode"
+
+	"google.golang.org/api/option"
+	"google.golang.org/grpc/metadata"
+)
+
+// For more information on implementing a client constructor hook, see
+// https://github.com/googleapis/google-cloud-go/wiki/Customizing-constructors.
+type clientHookParams struct{}
+type clientHook func(context.Context, clientHookParams) ([]option.ClientOption, error)
+
+const versionClient = "UNKNOWN"
+
+func insertMetadata(ctx context.Context, mds ...metadata.MD) context.Context {
+	out, _ := metadata.FromOutgoingContext(ctx)
+	out = out.Copy()
+	for _, md := range mds {
+		for k, v := range md {
+			out[k] = append(out[k], v...)
+		}
+	}
+	return metadata.NewOutgoingContext(ctx, out)
+}
+
+// DefaultAuthScopes reports the default set of authentication scopes to use with this package.
+func DefaultAuthScopes() []string {
+	return []string{
+		"https://www.googleapis.com/auth/cloud-platform",
+	}
+}
+
+// versionGo returns the Go runtime version. The returned string
+// has no whitespace, suitable for reporting in header.
+func versionGo() string {
+	const develPrefix = "devel +"
+
+	s := runtime.Version()
+	if strings.HasPrefix(s, develPrefix) {
+		s = s[len(develPrefix):]
+		if p := strings.IndexFunc(s, unicode.IsSpace); p >= 0 {
+			s = s[:p]
+		}
+		return s
+	}
+
+	notSemverRune := func(r rune) bool {
+		return !strings.ContainsRune("0123456789.", r)
+	}
+
+	if strings.HasPrefix(s, "go1") {
+		s = s[2:]
+		var prerelease string
+		if p := strings.IndexFunc(s, notSemverRune); p >= 0 {
+			s, prerelease = s[:p], s[p:]
+		}
+		if strings.HasSuffix(s, ".") {
+			s += "0"
+		} else if strings.Count(s, ".") < 2 {
+			s += ".0"
+		}
+		if prerelease != "" {
+			s += "-" + prerelease
+		}
+		return s
+	}
+	return "UNKNOWN"
+}
diff --git a/lib/cloud.google.com/go/security/privateca/apiv1alpha1/go.mod b/lib/cloud.google.com/go/security/privateca/apiv1alpha1/go.mod
new file mode 100644
index 0000000..27a2b44
--- /dev/null
+++ b/lib/cloud.google.com/go/security/privateca/apiv1alpha1/go.mod
@@ -0,0 +1,4 @@
+module privateca
+
+go 1.14
+
diff --git a/lib/google.golang.org/genproto/googleapis/cloud/security/privateca/v1alpha1/go.mod b/lib/google.golang.org/genproto/googleapis/cloud/security/privateca/v1alpha1/go.mod
new file mode 100644
index 0000000..8bffeee
--- /dev/null
+++ b/lib/google.golang.org/genproto/googleapis/cloud/security/privateca/v1alpha1/go.mod
@@ -0,0 +1,3 @@
+module privateca
+
+go 1.14
diff --git a/lib/google.golang.org/genproto/googleapis/cloud/security/privateca/v1alpha1/resources.pb.go b/lib/google.golang.org/genproto/googleapis/cloud/security/privateca/v1alpha1/resources.pb.go
new file mode 100644
index 0000000..ab25f69
--- /dev/null
+++ b/lib/google.golang.org/genproto/googleapis/cloud/security/privateca/v1alpha1/resources.pb.go
@@ -0,0 +1,2834 @@
+// Code generated by protoc-gen-go. DO NOT EDIT.
+// source: google/cloud/security/privateca/v1alpha1/resources.proto
+
+package privateca
+
+import (
+	fmt "fmt"
+	proto "github.com/golang/protobuf/proto"
+	duration "github.com/golang/protobuf/ptypes/duration"
+	timestamp "github.com/golang/protobuf/ptypes/timestamp"
+	wrappers "github.com/golang/protobuf/ptypes/wrappers"
+	_ "google.golang.org/genproto/googleapis/api/annotations"
+	math "math"
+)
+
+// Reference imports to suppress errors if they are not otherwise used.
+var _ = proto.Marshal
+var _ = fmt.Errorf
+var _ = math.Inf
+
+// This is a compile-time assertion to ensure that this generated file
+// is compatible with the proto package it is being compiled against.
+// A compilation error at this line likely means your copy of the
+// proto package needs to be updated.
+const _ = proto.ProtoPackageIsVersion3 // please upgrade the proto package
+
+// A [RevocationReason][google.cloud.security.privateca.v1alpha1.RevocationReason] indicates whether a [Certificate][google.cloud.security.privateca.v1alpha1.Certificate] has been revoked,
+// and the reason for revocation. These are standard revocation reasons from RFC
+// 5280.
+type RevocationReason int32
+
+const (
+	// Default unspecified value. This value does indicate that a [Certificate][google.cloud.security.privateca.v1alpha1.Certificate]
+	// has been revoked, but that a reason has not been recorded.
+	RevocationReason_REVOCATION_REASON_UNSPECIFIED RevocationReason = 0
+	// Key material for this [Certificate][google.cloud.security.privateca.v1alpha1.Certificate] may have leaked.
+	RevocationReason_KEY_COMPROMISE RevocationReason = 1
+	// The key material for a certificate authority in the issuing path may have
+	// leaked.
+	RevocationReason_CERTIFICATE_AUTHORITY_COMPROMISE RevocationReason = 2
+	// The subject or other attributes in this [Certificate][google.cloud.security.privateca.v1alpha1.Certificate] have changed.
+	RevocationReason_AFFILIATION_CHANGED RevocationReason = 3
+	// This [Certificate][google.cloud.security.privateca.v1alpha1.Certificate] has been superseded.
+	RevocationReason_SUPERSEDED RevocationReason = 4
+	// This [Certificate][google.cloud.security.privateca.v1alpha1.Certificate] or entities in the issuing path have ceased to
+	// operate.
+	RevocationReason_CESSATION_OF_OPERATION RevocationReason = 5
+	// This [Certificate][google.cloud.security.privateca.v1alpha1.Certificate] should not be considered valid, it is expected that it
+	// may become valid in the future.
+	RevocationReason_CERTIFICATE_HOLD RevocationReason = 6
+	// This [Certificate][google.cloud.security.privateca.v1alpha1.Certificate] no longer has permission to assert the listed
+	// attributes.
+	RevocationReason_PRIVILEGE_WITHDRAWN RevocationReason = 7
+	// The authority which determines appropriate attributes for a [Certificate][google.cloud.security.privateca.v1alpha1.Certificate]
+	// may have been compromised.
+	RevocationReason_ATTRIBUTE_AUTHORITY_COMPROMISE RevocationReason = 8
+)
+
+var RevocationReason_name = map[int32]string{
+	0: "REVOCATION_REASON_UNSPECIFIED",
+	1: "KEY_COMPROMISE",
+	2: "CERTIFICATE_AUTHORITY_COMPROMISE",
+	3: "AFFILIATION_CHANGED",
+	4: "SUPERSEDED",
+	5: "CESSATION_OF_OPERATION",
+	6: "CERTIFICATE_HOLD",
+	7: "PRIVILEGE_WITHDRAWN",
+	8: "ATTRIBUTE_AUTHORITY_COMPROMISE",
+}
+
+var RevocationReason_value = map[string]int32{
+	"REVOCATION_REASON_UNSPECIFIED":    0,
+	"KEY_COMPROMISE":                   1,
+	"CERTIFICATE_AUTHORITY_COMPROMISE": 2,
+	"AFFILIATION_CHANGED":              3,
+	"SUPERSEDED":                       4,
+	"CESSATION_OF_OPERATION":           5,
+	"CERTIFICATE_HOLD":                 6,
+	"PRIVILEGE_WITHDRAWN":              7,
+	"ATTRIBUTE_AUTHORITY_COMPROMISE":   8,
+}
+
+func (x RevocationReason) String() string {
+	return proto.EnumName(RevocationReason_name, int32(x))
+}
+
+func (RevocationReason) EnumDescriptor() ([]byte, []int) {
+	return fileDescriptor_6299e860b09b0827, []int{0}
+}
+
+// The type of a [CertificateAuthority][google.cloud.security.privateca.v1alpha1.CertificateAuthority], indicating its issuing chain.
+type CertificateAuthority_Type int32
+
+const (
+	// Not specified.
+	CertificateAuthority_TYPE_UNSPECIFIED CertificateAuthority_Type = 0
+	// Self-signed CA.
+	CertificateAuthority_SELF_SIGNED CertificateAuthority_Type = 1
+	// Subordinate CA. Could be issued by a Private CA [CertificateAuthority][google.cloud.security.privateca.v1alpha1.CertificateAuthority]
+	// or an unmanaged CA.
+	CertificateAuthority_SUBORDINATE CertificateAuthority_Type = 2
+)
+
+var CertificateAuthority_Type_name = map[int32]string{
+	0: "TYPE_UNSPECIFIED",
+	1: "SELF_SIGNED",
+	2: "SUBORDINATE",
+}
+
+var CertificateAuthority_Type_value = map[string]int32{
+	"TYPE_UNSPECIFIED": 0,
+	"SELF_SIGNED":      1,
+	"SUBORDINATE":      2,
+}
+
+func (x CertificateAuthority_Type) String() string {
+	return proto.EnumName(CertificateAuthority_Type_name, int32(x))
+}
+
+func (CertificateAuthority_Type) EnumDescriptor() ([]byte, []int) {
+	return fileDescriptor_6299e860b09b0827, []int{0, 0}
+}
+
+// The state of a [CertificateAuthority][google.cloud.security.privateca.v1alpha1.CertificateAuthority], indicating if it can be used.
+type CertificateAuthority_State int32
+
+const (
+	// Not specified.
+	CertificateAuthority_STATE_UNSPECIFIED CertificateAuthority_State = 0
+	// Certificates can be issued from this CA. CRLs will be generated for this
+	// CA.
+	CertificateAuthority_ENABLED CertificateAuthority_State = 1
+	// Certificates cannot be issued from this CA. CRLs will still be generated.
+	CertificateAuthority_DISABLED CertificateAuthority_State = 2
+	// Certificates cannot be issued from this CA. CRLs will not be generated.
+	CertificateAuthority_PENDING_ACTIVATION CertificateAuthority_State = 3
+	// Certificates cannot be issued from this CA. CRLs will not be generated.
+	CertificateAuthority_PENDING_DELETION CertificateAuthority_State = 4
+)
+
+var CertificateAuthority_State_name = map[int32]string{
+	0: "STATE_UNSPECIFIED",
+	1: "ENABLED",
+	2: "DISABLED",
+	3: "PENDING_ACTIVATION",
+	4: "PENDING_DELETION",
+}
+
+var CertificateAuthority_State_value = map[string]int32{
+	"STATE_UNSPECIFIED":  0,
+	"ENABLED":            1,
+	"DISABLED":           2,
+	"PENDING_ACTIVATION": 3,
+	"PENDING_DELETION":   4,
+}
+
+func (x CertificateAuthority_State) String() string {
+	return proto.EnumName(CertificateAuthority_State_name, int32(x))
+}
+
+func (CertificateAuthority_State) EnumDescriptor() ([]byte, []int) {
+	return fileDescriptor_6299e860b09b0827, []int{0, 1}
+}
+
+// The state of a [CertificateRevocationList][google.cloud.security.privateca.v1alpha1.CertificateRevocationList], indicating if it is current.
+type CertificateRevocationList_State int32
+
+const (
+	// Not specified.
+	CertificateRevocationList_STATE_UNSPECIFIED CertificateRevocationList_State = 0
+	// The [CertificateRevocationList][google.cloud.security.privateca.v1alpha1.CertificateRevocationList] is up to date.
+	CertificateRevocationList_ACTIVE CertificateRevocationList_State = 1
+	// The [CertificateRevocationList][google.cloud.security.privateca.v1alpha1.CertificateRevocationList] is no longer current.
+	CertificateRevocationList_SUPERSEDED CertificateRevocationList_State = 2
+)
+
+var CertificateRevocationList_State_name = map[int32]string{
+	0: "STATE_UNSPECIFIED",
+	1: "ACTIVE",
+	2: "SUPERSEDED",
+}
+
+var CertificateRevocationList_State_value = map[string]int32{
+	"STATE_UNSPECIFIED": 0,
+	"ACTIVE":            1,
+	"SUPERSEDED":        2,
+}
+
+func (x CertificateRevocationList_State) String() string {
+	return proto.EnumName(CertificateRevocationList_State_name, int32(x))
+}
+
+func (CertificateRevocationList_State) EnumDescriptor() ([]byte, []int) {
+	return fileDescriptor_6299e860b09b0827, []int{1, 0}
+}
+
+// Types of public keys that are supported.
+// At a minimum, we support RSA and ECDSA, for the key sizes or curves listed:
+// https://cloud.google.com/kms/docs/algorithms#asymmetric_signing_algorithms
+type PublicKey_KeyType int32
+
+const (
+	// Default unspecified value.
+	PublicKey_KEY_TYPE_UNSPECIFIED PublicKey_KeyType = 0
+	// A PEM-encoded PKCS#1/RFC 3447 RSAPrivateKey structure.
+	PublicKey_PEM_RSA_KEY PublicKey_KeyType = 1
+	// A PEM-encoded compressed NIST P-256/secp256r1/prime256v1 or P-384 key.
+	PublicKey_PEM_EC_KEY PublicKey_KeyType = 2
+)
+
+var PublicKey_KeyType_name = map[int32]string{
+	0: "KEY_TYPE_UNSPECIFIED",
+	1: "PEM_RSA_KEY",
+	2: "PEM_EC_KEY",
+}
+
+var PublicKey_KeyType_value = map[string]int32{
+	"KEY_TYPE_UNSPECIFIED": 0,
+	"PEM_RSA_KEY":          1,
+	"PEM_EC_KEY":           2,
+}
+
+func (x PublicKey_KeyType) String() string {
+	return proto.EnumName(PublicKey_KeyType_name, int32(x))
+}
+
+func (PublicKey_KeyType) EnumDescriptor() ([]byte, []int) {
+	return fileDescriptor_6299e860b09b0827, []int{6, 0}
+}
+
+// A [CertificateAuthority][google.cloud.security.privateca.v1alpha1.CertificateAuthority] represents an individual Certificate Authority.
+// A [CertificateAuthority][google.cloud.security.privateca.v1alpha1.CertificateAuthority] can be used to create [Certificates][google.cloud.security.privateca.v1alpha1.Certificate].
+type CertificateAuthority struct {
+	// Output only. The resource name for this [CertificateAuthority][google.cloud.security.privateca.v1alpha1.CertificateAuthority] in the
+	// format `projects/*/locations/*/certificateAuthorities/*`.
+	Name string `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"`
+	// Immutable. The [Type][google.cloud.security.privateca.v1alpha1.CertificateAuthority.Type] of this [CertificateAuthority][google.cloud.security.privateca.v1alpha1.CertificateAuthority].
+	Type CertificateAuthority_Type `protobuf:"varint,2,opt,name=type,proto3,enum=google.cloud.security.privateca.v1alpha1.CertificateAuthority_Type" json:"type,omitempty"`
+	// Immutable. The config used to create a self-signed X.509 certificate or CSR.
+	Config *CertificateConfig `protobuf:"bytes,3,opt,name=config,proto3" json:"config,omitempty"`
+	// Required. The desired lifetime of the CA certificate. Used to create the
+	// "not_before_time" and "not_after_time" fields inside an X.509
+	// certificate.
+	Lifetime *duration.Duration `protobuf:"bytes,4,opt,name=lifetime,proto3" json:"lifetime,omitempty"`
+	// Required. Immutable. The resource name for the Cloud KMS CryptoKeyVersion in the
+	// format
+	// `projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*`. Used
+	// when issuing certificates for this [CertificateAuthority][google.cloud.security.privateca.v1alpha1.CertificateAuthority]. If this
+	// [CertificateAuthority][google.cloud.security.privateca.v1alpha1.CertificateAuthority] is a self-signed CertificateAuthority, this key
+	// version is also used to sign the self-signed CA certificate. Otherwise,
+	// it is used to sign a CSR.
+	CloudKmsKeyVersion string `protobuf:"bytes,5,opt,name=cloud_kms_key_version,json=cloudKmsKeyVersion,proto3" json:"cloud_kms_key_version,omitempty"`
+	// Optional. The [CertificateAuthorityPolicy][google.cloud.security.privateca.v1alpha1.CertificateAuthority.CertificateAuthorityPolicy] to enforce when issuing
+	// [Certificates][google.cloud.security.privateca.v1alpha1.Certificate] from this [CertificateAuthority][google.cloud.security.privateca.v1alpha1.CertificateAuthority].
+	CertificatePolicy *CertificateAuthority_CertificateAuthorityPolicy `protobuf:"bytes,6,opt,name=certificate_policy,json=certificatePolicy,proto3" json:"certificate_policy,omitempty"`
+	// Optional. The [IssuingOptions][google.cloud.security.privateca.v1alpha1.CertificateAuthority.IssuingOptions] to follow when issuing [Certificates][google.cloud.security.privateca.v1alpha1.Certificate]
+	// from this [CertificateAuthority][google.cloud.security.privateca.v1alpha1.CertificateAuthority].
+	IssuingOptions *CertificateAuthority_IssuingOptions `protobuf:"bytes,7,opt,name=issuing_options,json=issuingOptions,proto3" json:"issuing_options,omitempty"`
+	// Optional. This [CertificateAuthority][google.cloud.security.privateca.v1alpha1.CertificateAuthority]'s issuer chain. If self-signed, will be the
+	// same as 'pem_cert'. This may be updated (e.g., if an issuer's cert was
+	// replaced). Expected to be in issuer-to-root order according to RFC 5246.
+	PemIssuerCertChain []string `protobuf:"bytes,8,rep,name=pem_issuer_cert_chain,json=pemIssuerCertChain,proto3" json:"pem_issuer_cert_chain,omitempty"`
+	// Output only. The [State][google.cloud.security.privateca.v1alpha1.CertificateAuthority.State] for this [CertificateAuthority][google.cloud.security.privateca.v1alpha1.CertificateAuthority].
+	State CertificateAuthority_State `protobuf:"varint,9,opt,name=state,proto3,enum=google.cloud.security.privateca.v1alpha1.CertificateAuthority_State" json:"state,omitempty"`
+	// Output only. This [CertificateAuthority][google.cloud.security.privateca.v1alpha1.CertificateAuthority]'s CA cert.
+	PemCert string `protobuf:"bytes,10,opt,name=pem_cert,json=pemCert,proto3" json:"pem_cert,omitempty"`
+	// Output only. A structured description of this [CertificateAuthority][google.cloud.security.privateca.v1alpha1.CertificateAuthority]'s CA cert.
+	CaCertificateDescription *CertificateDescription `protobuf:"bytes,11,opt,name=ca_certificate_description,json=caCertificateDescription,proto3" json:"ca_certificate_description,omitempty"`
+	// Required. Immutable. The name of a Cloud Storage bucket where this [CertificateAuthority][google.cloud.security.privateca.v1alpha1.CertificateAuthority] will
+	// publish content, such as the CA certificate and CRLs. This must be a bucket
+	// name, without any prefixes (such as `gs://`) or suffixes (such as
+	// `.googleapis.com`). For example, to use a bucket named `my-bucket`, you
+	// would simply specify `my-bucket`.
+	GcsBucket string `protobuf:"bytes,12,opt,name=gcs_bucket,json=gcsBucket,proto3" json:"gcs_bucket,omitempty"`
+	// Output only. URLs for accessing content published by this CA, such as the CA certificate
+	// and CRLs.
+	AccessUrls *CertificateAuthority_AccessUrls `protobuf:"bytes,13,opt,name=access_urls,json=accessUrls,proto3" json:"access_urls,omitempty"`
+	// Output only. The time at which this [CertificateAuthority][google.cloud.security.privateca.v1alpha1.CertificateAuthority] was created.
+	CreateTime *timestamp.Timestamp `protobuf:"bytes,14,opt,name=create_time,json=createTime,proto3" json:"create_time,omitempty"`
+	// Output only. The time at which this [CertificateAuthority][google.cloud.security.privateca.v1alpha1.CertificateAuthority] was updated.
+	UpdateTime *timestamp.Timestamp `protobuf:"bytes,15,opt,name=update_time,json=updateTime,proto3" json:"update_time,omitempty"`
+	// Output only. The time at which this [CertificateAuthority][google.cloud.security.privateca.v1alpha1.CertificateAuthority] will be deleted, if
+	// scheduled for deletion.
+	DeletionTime *timestamp.Timestamp `protobuf:"bytes,17,opt,name=deletion_time,json=deletionTime,proto3" json:"deletion_time,omitempty"`
+	// Optional. Labels with user-defined metadata.
+	Labels               map[string]string `protobuf:"bytes,16,rep,name=labels,proto3" json:"labels,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"`
+	XXX_NoUnkeyedLiteral struct{}          `json:"-"`
+	XXX_unrecognized     []byte            `json:"-"`
+	XXX_sizecache        int32             `json:"-"`
+}
+
+func (m *CertificateAuthority) Reset()         { *m = CertificateAuthority{} }
+func (m *CertificateAuthority) String() string { return proto.CompactTextString(m) }
+func (*CertificateAuthority) ProtoMessage()    {}
+func (*CertificateAuthority) Descriptor() ([]byte, []int) {
+	return fileDescriptor_6299e860b09b0827, []int{0}
+}
+
+func (m *CertificateAuthority) XXX_Unmarshal(b []byte) error {
+	return xxx_messageInfo_CertificateAuthority.Unmarshal(m, b)
+}
+func (m *CertificateAuthority) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
+	return xxx_messageInfo_CertificateAuthority.Marshal(b, m, deterministic)
+}
+func (m *CertificateAuthority) XXX_Merge(src proto.Message) {
+	xxx_messageInfo_CertificateAuthority.Merge(m, src)
+}
+func (m *CertificateAuthority) XXX_Size() int {
+	return xxx_messageInfo_CertificateAuthority.Size(m)
+}
+func (m *CertificateAuthority) XXX_DiscardUnknown() {
+	xxx_messageInfo_CertificateAuthority.DiscardUnknown(m)
+}
+
+var xxx_messageInfo_CertificateAuthority proto.InternalMessageInfo
+
+func (m *CertificateAuthority) GetName() string {
+	if m != nil {
+		return m.Name
+	}
+	return ""
+}
+
+func (m *CertificateAuthority) GetType() CertificateAuthority_Type {
+	if m != nil {
+		return m.Type
+	}
+	return CertificateAuthority_TYPE_UNSPECIFIED
+}
+
+func (m *CertificateAuthority) GetConfig() *CertificateConfig {
+	if m != nil {
+		return m.Config
+	}
+	return nil
+}
+
+func (m *CertificateAuthority) GetLifetime() *duration.Duration {
+	if m != nil {
+		return m.Lifetime
+	}
+	return nil
+}
+
+func (m *CertificateAuthority) GetCloudKmsKeyVersion() string {
+	if m != nil {
+		return m.CloudKmsKeyVersion
+	}
+	return ""
+}
+
+func (m *CertificateAuthority) GetCertificatePolicy() *CertificateAuthority_CertificateAuthorityPolicy {
+	if m != nil {
+		return m.CertificatePolicy
+	}
+	return nil
+}
+
+func (m *CertificateAuthority) GetIssuingOptions() *CertificateAuthority_IssuingOptions {
+	if m != nil {
+		return m.IssuingOptions
+	}
+	return nil
+}
+
+func (m *CertificateAuthority) GetPemIssuerCertChain() []string {
+	if m != nil {
+		return m.PemIssuerCertChain
+	}
+	return nil
+}
+
+func (m *CertificateAuthority) GetState() CertificateAuthority_State {
+	if m != nil {
+		return m.State
+	}
+	return CertificateAuthority_STATE_UNSPECIFIED
+}
+
+func (m *CertificateAuthority) GetPemCert() string {
+	if m != nil {
+		return m.PemCert
+	}
+	return ""
+}
+
+func (m *CertificateAuthority) GetCaCertificateDescription() *CertificateDescription {
+	if m != nil {
+		return m.CaCertificateDescription
+	}
+	return nil
+}
+
+func (m *CertificateAuthority) GetGcsBucket() string {
+	if m != nil {
+		return m.GcsBucket
+	}
+	return ""
+}
+
+func (m *CertificateAuthority) GetAccessUrls() *CertificateAuthority_AccessUrls {
+	if m != nil {
+		return m.AccessUrls
+	}
+	return nil
+}
+
+func (m *CertificateAuthority) GetCreateTime() *timestamp.Timestamp {
+	if m != nil {
+		return m.CreateTime
+	}
+	return nil
+}
+
+func (m *CertificateAuthority) GetUpdateTime() *timestamp.Timestamp {
+	if m != nil {
+		return m.UpdateTime
+	}
+	return nil
+}
+
+func (m *CertificateAuthority) GetDeletionTime() *timestamp.Timestamp {
+	if m != nil {
+		return m.DeletionTime
+	}
+	return nil
+}
+
+func (m *CertificateAuthority) GetLabels() map[string]string {
+	if m != nil {
+		return m.Labels
+	}
+	return nil
+}
+
+// Options that affect all certificates issued by a [CertificateAuthority][google.cloud.security.privateca.v1alpha1.CertificateAuthority].
+type CertificateAuthority_IssuingOptions struct {
+	// Required. When true, includes a URL to the issuing CA certificate in the
+	// "authority information access" X.509 extension.
+	IncludeCaCertUrl bool `protobuf:"varint,1,opt,name=include_ca_cert_url,json=includeCaCertUrl,proto3" json:"include_ca_cert_url,omitempty"`
+	// Required. When true, includes a URL to the CRL corresponding to certificates
+	// issued from a [CertificateAuthority][google.cloud.security.privateca.v1alpha1.CertificateAuthority].
+	// CRLs will expire 7 days from their creation. However, we will rebuild
+	// daily. CRLs are also rebuilt shortly after a certificate is revoked.
+	IncludeCrlAccessUrl  bool     `protobuf:"varint,2,opt,name=include_crl_access_url,json=includeCrlAccessUrl,proto3" json:"include_crl_access_url,omitempty"`
+	XXX_NoUnkeyedLiteral struct{} `json:"-"`
+	XXX_unrecognized     []byte   `json:"-"`
+	XXX_sizecache        int32    `json:"-"`
+}
+
+func (m *CertificateAuthority_IssuingOptions) Reset()         { *m = CertificateAuthority_IssuingOptions{} }
+func (m *CertificateAuthority_IssuingOptions) String() string { return proto.CompactTextString(m) }
+func (*CertificateAuthority_IssuingOptions) ProtoMessage()    {}
+func (*CertificateAuthority_IssuingOptions) Descriptor() ([]byte, []int) {
+	return fileDescriptor_6299e860b09b0827, []int{0, 0}
+}
+
+func (m *CertificateAuthority_IssuingOptions) XXX_Unmarshal(b []byte) error {
+	return xxx_messageInfo_CertificateAuthority_IssuingOptions.Unmarshal(m, b)
+}
+func (m *CertificateAuthority_IssuingOptions) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
+	return xxx_messageInfo_CertificateAuthority_IssuingOptions.Marshal(b, m, deterministic)
+}
+func (m *CertificateAuthority_IssuingOptions) XXX_Merge(src proto.Message) {
+	xxx_messageInfo_CertificateAuthority_IssuingOptions.Merge(m, src)
+}
+func (m *CertificateAuthority_IssuingOptions) XXX_Size() int {
+	return xxx_messageInfo_CertificateAuthority_IssuingOptions.Size(m)
+}
+func (m *CertificateAuthority_IssuingOptions) XXX_DiscardUnknown() {
+	xxx_messageInfo_CertificateAuthority_IssuingOptions.DiscardUnknown(m)
+}
+
+var xxx_messageInfo_CertificateAuthority_IssuingOptions proto.InternalMessageInfo
+
+func (m *CertificateAuthority_IssuingOptions) GetIncludeCaCertUrl() bool {
+	if m != nil {
+		return m.IncludeCaCertUrl
+	}
+	return false
+}
+
+func (m *CertificateAuthority_IssuingOptions) GetIncludeCrlAccessUrl() bool {
+	if m != nil {
+		return m.IncludeCrlAccessUrl
+	}
+	return false
+}
+
+// The issuing policy for a [CertificateAuthority][google.cloud.security.privateca.v1alpha1.CertificateAuthority].
+// [Certificates][google.cloud.security.privateca.v1alpha1.Certificate] will not be successfully issued from this
+// [CertificateAuthority][google.cloud.security.privateca.v1alpha1.CertificateAuthority] if they violate the policy.
+type CertificateAuthority_CertificateAuthorityPolicy struct {
+	// Allowed configurations or a single configuration for all issued
+	// certificates.
+	//
+	// Types that are valid to be assigned to ConfigPolicy:
+	//	*CertificateAuthority_CertificateAuthorityPolicy_AllowedConfigList_
+	//	*CertificateAuthority_CertificateAuthorityPolicy_OverwriteConfigValues
+	ConfigPolicy isCertificateAuthority_CertificateAuthorityPolicy_ConfigPolicy `protobuf_oneof:"config_policy"`
+	// Optional. If any [Subject][google.cloud.security.privateca.v1alpha1.Subject] is specified here, then all
+	// [Certificates][google.cloud.security.privateca.v1alpha1.Certificate] issued by the [CertificateAuthority][google.cloud.security.privateca.v1alpha1.CertificateAuthority] must
+	// match at least one listed [Subject][google.cloud.security.privateca.v1alpha1.Subject]. If a [Subject][google.cloud.security.privateca.v1alpha1.Subject] has an empty
+	// field, any value will be allowed for that field.
+	AllowedLocationsAndOrganizations []*Subject `protobuf:"bytes,2,rep,name=allowed_locations_and_organizations,json=allowedLocationsAndOrganizations,proto3" json:"allowed_locations_and_organizations,omitempty"`
+	// Optional. If any value is specified here, then all
+	// [Certificates][google.cloud.security.privateca.v1alpha1.Certificate] issued by the [CertificateAuthority][google.cloud.security.privateca.v1alpha1.CertificateAuthority] must
+	// match at least one listed value. If no value is specified, all values
+	// will be allowed for this fied. Glob patterns are also supported.
+	AllowedCommonNames []string `protobuf:"bytes,7,rep,name=allowed_common_names,json=allowedCommonNames,proto3" json:"allowed_common_names,omitempty"`
+	// Optional. If a [AllowedSubjectAltNames][google.cloud.security.privateca.v1alpha1.CertificateAuthority.CertificateAuthorityPolicy.AllowedSubjectAltNames] is specified here, then all
+	// [Certificates][google.cloud.security.privateca.v1alpha1.Certificate] issued by the [CertificateAuthority][google.cloud.security.privateca.v1alpha1.CertificateAuthority] must
+	// match [AllowedSubjectAltNames][google.cloud.security.privateca.v1alpha1.CertificateAuthority.CertificateAuthorityPolicy.AllowedSubjectAltNames]. If no value
+	// is specified, any value will be allowed for the [SubjectAltNames][google.cloud.security.privateca.v1alpha1.SubjectAltNames]
+	// field.
+	AllowedSans *CertificateAuthority_CertificateAuthorityPolicy_AllowedSubjectAltNames `protobuf:"bytes,8,opt,name=allowed_sans,json=allowedSans,proto3" json:"allowed_sans,omitempty"`
+	// Optional. The maximum lifetime allowed by the [CertificateAuthority][google.cloud.security.privateca.v1alpha1.CertificateAuthority]. Note that
+	// if the any part if the issuing chain expires before a [Certificate][google.cloud.security.privateca.v1alpha1.Certificate]'s
+	// requested maximum_lifetime, the effective lifetime will be explicitly
+	// truncated.
+	MaximumLifetime      *duration.Duration `protobuf:"bytes,4,opt,name=maximum_lifetime,json=maximumLifetime,proto3" json:"maximum_lifetime,omitempty"`
+	XXX_NoUnkeyedLiteral struct{}           `json:"-"`
+	XXX_unrecognized     []byte             `json:"-"`
+	XXX_sizecache        int32              `json:"-"`
+}
+
+func (m *CertificateAuthority_CertificateAuthorityPolicy) Reset() {
+	*m = CertificateAuthority_CertificateAuthorityPolicy{}
+}
+func (m *CertificateAuthority_CertificateAuthorityPolicy) String() string {
+	return proto.CompactTextString(m)
+}
+func (*CertificateAuthority_CertificateAuthorityPolicy) ProtoMessage() {}
+func (*CertificateAuthority_CertificateAuthorityPolicy) Descriptor() ([]byte, []int) {
+	return fileDescriptor_6299e860b09b0827, []int{0, 1}
+}
+
+func (m *CertificateAuthority_CertificateAuthorityPolicy) XXX_Unmarshal(b []byte) error {
+	return xxx_messageInfo_CertificateAuthority_CertificateAuthorityPolicy.Unmarshal(m, b)
+}
+func (m *CertificateAuthority_CertificateAuthorityPolicy) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
+	return xxx_messageInfo_CertificateAuthority_CertificateAuthorityPolicy.Marshal(b, m, deterministic)
+}
+func (m *CertificateAuthority_CertificateAuthorityPolicy) XXX_Merge(src proto.Message) {
+	xxx_messageInfo_CertificateAuthority_CertificateAuthorityPolicy.Merge(m, src)
+}
+func (m *CertificateAuthority_CertificateAuthorityPolicy) XXX_Size() int {
+	return xxx_messageInfo_CertificateAuthority_CertificateAuthorityPolicy.Size(m)
+}
+func (m *CertificateAuthority_CertificateAuthorityPolicy) XXX_DiscardUnknown() {
+	xxx_messageInfo_CertificateAuthority_CertificateAuthorityPolicy.DiscardUnknown(m)
+}
+
+var xxx_messageInfo_CertificateAuthority_CertificateAuthorityPolicy proto.InternalMessageInfo
+
+type isCertificateAuthority_CertificateAuthorityPolicy_ConfigPolicy interface {
+	isCertificateAuthority_CertificateAuthorityPolicy_ConfigPolicy()
+}
+
+type CertificateAuthority_CertificateAuthorityPolicy_AllowedConfigList_ struct {
+	AllowedConfigList *CertificateAuthority_CertificateAuthorityPolicy_AllowedConfigList `protobuf:"bytes,5,opt,name=allowed_config_list,json=allowedConfigList,proto3,oneof"`
+}
+
+type CertificateAuthority_CertificateAuthorityPolicy_OverwriteConfigValues struct {
+	OverwriteConfigValues *ReusableConfigWrapper `protobuf:"bytes,6,opt,name=overwrite_config_values,json=overwriteConfigValues,proto3,oneof"`
+}
+
+func (*CertificateAuthority_CertificateAuthorityPolicy_AllowedConfigList_) isCertificateAuthority_CertificateAuthorityPolicy_ConfigPolicy() {
+}
+
+func (*CertificateAuthority_CertificateAuthorityPolicy_OverwriteConfigValues) isCertificateAuthority_CertificateAuthorityPolicy_ConfigPolicy() {
+}
+
+func (m *CertificateAuthority_CertificateAuthorityPolicy) GetConfigPolicy() isCertificateAuthority_CertificateAuthorityPolicy_ConfigPolicy {
+	if m != nil {
+		return m.ConfigPolicy
+	}
+	return nil
+}
+
+func (m *CertificateAuthority_CertificateAuthorityPolicy) GetAllowedConfigList() *CertificateAuthority_CertificateAuthorityPolicy_AllowedConfigList {
+	if x, ok := m.GetConfigPolicy().(*CertificateAuthority_CertificateAuthorityPolicy_AllowedConfigList_); ok {
+		return x.AllowedConfigList
+	}
+	return nil
+}
+
+func (m *CertificateAuthority_CertificateAuthorityPolicy) GetOverwriteConfigValues() *ReusableConfigWrapper {
+	if x, ok := m.GetConfigPolicy().(*CertificateAuthority_CertificateAuthorityPolicy_OverwriteConfigValues); ok {
+		return x.OverwriteConfigValues
+	}
+	return nil
+}
+
+func (m *CertificateAuthority_CertificateAuthorityPolicy) GetAllowedLocationsAndOrganizations() []*Subject {
+	if m != nil {
+		return m.AllowedLocationsAndOrganizations
+	}
+	return nil
+}
+
+func (m *CertificateAuthority_CertificateAuthorityPolicy) GetAllowedCommonNames() []string {
+	if m != nil {
+		return m.AllowedCommonNames
+	}
+	return nil
+}
+
+func (m *CertificateAuthority_CertificateAuthorityPolicy) GetAllowedSans() *CertificateAuthority_CertificateAuthorityPolicy_AllowedSubjectAltNames {
+	if m != nil {
+		return m.AllowedSans
+	}
+	return nil
+}
+
+func (m *CertificateAuthority_CertificateAuthorityPolicy) GetMaximumLifetime() *duration.Duration {
+	if m != nil {
+		return m.MaximumLifetime
+	}
+	return nil
+}
+
+// XXX_OneofWrappers is for the internal use of the proto package.
+func (*CertificateAuthority_CertificateAuthorityPolicy) XXX_OneofWrappers() []interface{} {
+	return []interface{}{
+		(*CertificateAuthority_CertificateAuthorityPolicy_AllowedConfigList_)(nil),
+		(*CertificateAuthority_CertificateAuthorityPolicy_OverwriteConfigValues)(nil),
+	}
+}
+
+type CertificateAuthority_CertificateAuthorityPolicy_AllowedConfigList struct {
+	// Required. All [Certificates][google.cloud.security.privateca.v1alpha1.Certificate] issued by the [CertificateAuthority][google.cloud.security.privateca.v1alpha1.CertificateAuthority]
+	// must match at least one listed [ReusableConfigWrapper][google.cloud.security.privateca.v1alpha1.ReusableConfigWrapper]. If a
+	// [ReusableConfigWrapper][google.cloud.security.privateca.v1alpha1.ReusableConfigWrapper] has an empty field, any value will be
+	// allowed for that field.
+	AllowedConfigValues  []*ReusableConfigWrapper `protobuf:"bytes,1,rep,name=allowed_config_values,json=allowedConfigValues,proto3" json:"allowed_config_values,omitempty"`
+	XXX_NoUnkeyedLiteral struct{}                 `json:"-"`
+	XXX_unrecognized     []byte                   `json:"-"`
+	XXX_sizecache        int32                    `json:"-"`
+}
+
+func (m *CertificateAuthority_CertificateAuthorityPolicy_AllowedConfigList) Reset() {
+	*m = CertificateAuthority_CertificateAuthorityPolicy_AllowedConfigList{}
+}
+func (m *CertificateAuthority_CertificateAuthorityPolicy_AllowedConfigList) String() string {
+	return proto.CompactTextString(m)
+}
+func (*CertificateAuthority_CertificateAuthorityPolicy_AllowedConfigList) ProtoMessage() {}
+func (*CertificateAuthority_CertificateAuthorityPolicy_AllowedConfigList) Descriptor() ([]byte, []int) {
+	return fileDescriptor_6299e860b09b0827, []int{0, 1, 0}
+}
+
+func (m *CertificateAuthority_CertificateAuthorityPolicy_AllowedConfigList) XXX_Unmarshal(b []byte) error {
+	return xxx_messageInfo_CertificateAuthority_CertificateAuthorityPolicy_AllowedConfigList.Unmarshal(m, b)
+}
+func (m *CertificateAuthority_CertificateAuthorityPolicy_AllowedConfigList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
+	return xxx_messageInfo_CertificateAuthority_CertificateAuthorityPolicy_AllowedConfigList.Marshal(b, m, deterministic)
+}
+func (m *CertificateAuthority_CertificateAuthorityPolicy_AllowedConfigList) XXX_Merge(src proto.Message) {
+	xxx_messageInfo_CertificateAuthority_CertificateAuthorityPolicy_AllowedConfigList.Merge(m, src)
+}
+func (m *CertificateAuthority_CertificateAuthorityPolicy_AllowedConfigList) XXX_Size() int {
+	return xxx_messageInfo_CertificateAuthority_CertificateAuthorityPolicy_AllowedConfigList.Size(m)
+}
+func (m *CertificateAuthority_CertificateAuthorityPolicy_AllowedConfigList) XXX_DiscardUnknown() {
+	xxx_messageInfo_CertificateAuthority_CertificateAuthorityPolicy_AllowedConfigList.DiscardUnknown(m)
+}
+
+var xxx_messageInfo_CertificateAuthority_CertificateAuthorityPolicy_AllowedConfigList proto.InternalMessageInfo
+
+func (m *CertificateAuthority_CertificateAuthorityPolicy_AllowedConfigList) GetAllowedConfigValues() []*ReusableConfigWrapper {
+	if m != nil {
+		return m.AllowedConfigValues
+	}
+	return nil
+}
+
+// [AllowedSubjectAltNames][google.cloud.security.privateca.v1alpha1.CertificateAuthority.CertificateAuthorityPolicy.AllowedSubjectAltNames] specifies the allowed values for
+// [SubjectAltNames][google.cloud.security.privateca.v1alpha1.SubjectAltNames] by the [CertificateAuthority][google.cloud.security.privateca.v1alpha1.CertificateAuthority] when issuing
+// [Certificates][google.cloud.security.privateca.v1alpha1.Certificate].
+type CertificateAuthority_CertificateAuthorityPolicy_AllowedSubjectAltNames struct {
+	// Contains valid, fully-qualified host names. Glob patterns are also
+	// supported. To allow an explicit wildcard certificate, escape with
+	// backlash (i.e. "\*").
+	// E.g. for globbed entries: '*bar.com' will allow foo.bar.com, but not
+	// *.bar.com, unless the [allow_globbing_dns_wildcards][google.cloud.security.privateca.v1alpha1.CertificateAuthority.CertificateAuthorityPolicy.AllowedSubjectAltNames.allow_globbing_dns_wildcards] field is set.
+	// E.g. for wildcard entries: '\*.bar.com' will allow '*.bar.com', but not
+	// 'foo.bar.com'.
+	AllowedDnsNames []string `protobuf:"bytes,1,rep,name=allowed_dns_names,json=allowedDnsNames,proto3" json:"allowed_dns_names,omitempty"`
+	// Contains valid RFC 3986 URIs. Glob patterns are also supported. To
+	// match across path seperators (i.e. '/') use the double star glob
+	// pattern (i.e. '**').
+	AllowedUris []string `protobuf:"bytes,2,rep,name=allowed_uris,json=allowedUris,proto3" json:"allowed_uris,omitempty"`
+	// Contains valid RFC 2822 E-mail addresses. Glob patterns are also
+	// supported.
+	AllowedEmailAddresses []string `protobuf:"bytes,3,rep,name=allowed_email_addresses,json=allowedEmailAddresses,proto3" json:"allowed_email_addresses,omitempty"`
+	// Contains valid 32-bit IPv4 addresses and subnet ranges or RFC 4291 IPv6
+	// addresses and subnet ranges. Subnet ranges are specified using the
+	// '/' notation (e.g. 10.0.0.0/8, 2001:700:300:1800::/64). Glob patterns
+	// are supported only for ip address entries (i.e. not for subnet ranges).
+	AllowedIps []string `protobuf:"bytes,4,rep,name=allowed_ips,json=allowedIps,proto3" json:"allowed_ips,omitempty"`
+	// Specifies if glob patterns used for [allowed_dns_names][google.cloud.security.privateca.v1alpha1.CertificateAuthority.CertificateAuthorityPolicy.AllowedSubjectAltNames.allowed_dns_names] allows
+	// wildcard certificates.
+	AllowGlobbingDnsWildcards bool `protobuf:"varint,5,opt,name=allow_globbing_dns_wildcards,json=allowGlobbingDnsWildcards,proto3" json:"allow_globbing_dns_wildcards,omitempty"`
+	// Specifies if to allow custom X509Extension values.
+	AllowCustomSans      bool     `protobuf:"varint,6,opt,name=allow_custom_sans,json=allowCustomSans,proto3" json:"allow_custom_sans,omitempty"`
+	XXX_NoUnkeyedLiteral struct{} `json:"-"`
+	XXX_unrecognized     []byte   `json:"-"`
+	XXX_sizecache        int32    `json:"-"`
+}
+
+func (m *CertificateAuthority_CertificateAuthorityPolicy_AllowedSubjectAltNames) Reset() {
+	*m = CertificateAuthority_CertificateAuthorityPolicy_AllowedSubjectAltNames{}
+}
+func (m *CertificateAuthority_CertificateAuthorityPolicy_AllowedSubjectAltNames) String() string {
+	return proto.CompactTextString(m)
+}
+func (*CertificateAuthority_CertificateAuthorityPolicy_AllowedSubjectAltNames) ProtoMessage() {}
+func (*CertificateAuthority_CertificateAuthorityPolicy_AllowedSubjectAltNames) Descriptor() ([]byte, []int) {
+	return fileDescriptor_6299e860b09b0827, []int{0, 1, 1}
+}
+
+func (m *CertificateAuthority_CertificateAuthorityPolicy_AllowedSubjectAltNames) XXX_Unmarshal(b []byte) error {
+	return xxx_messageInfo_CertificateAuthority_CertificateAuthorityPolicy_AllowedSubjectAltNames.Unmarshal(m, b)
+}
+func (m *CertificateAuthority_CertificateAuthorityPolicy_AllowedSubjectAltNames) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
+	return xxx_messageInfo_CertificateAuthority_CertificateAuthorityPolicy_AllowedSubjectAltNames.Marshal(b, m, deterministic)
+}
+func (m *CertificateAuthority_CertificateAuthorityPolicy_AllowedSubjectAltNames) XXX_Merge(src proto.Message) {
+	xxx_messageInfo_CertificateAuthority_CertificateAuthorityPolicy_AllowedSubjectAltNames.Merge(m, src)
+}
+func (m *CertificateAuthority_CertificateAuthorityPolicy_AllowedSubjectAltNames) XXX_Size() int {
+	return xxx_messageInfo_CertificateAuthority_CertificateAuthorityPolicy_AllowedSubjectAltNames.Size(m)
+}
+func (m *CertificateAuthority_CertificateAuthorityPolicy_AllowedSubjectAltNames) XXX_DiscardUnknown() {
+	xxx_messageInfo_CertificateAuthority_CertificateAuthorityPolicy_AllowedSubjectAltNames.DiscardUnknown(m)
+}
+
+var xxx_messageInfo_CertificateAuthority_CertificateAuthorityPolicy_AllowedSubjectAltNames proto.InternalMessageInfo
+
+func (m *CertificateAuthority_CertificateAuthorityPolicy_AllowedSubjectAltNames) GetAllowedDnsNames() []string {
+	if m != nil {
+		return m.AllowedDnsNames
+	}
+	return nil
+}
+
+func (m *CertificateAuthority_CertificateAuthorityPolicy_AllowedSubjectAltNames) GetAllowedUris() []string {
+	if m != nil {
+		return m.AllowedUris
+	}
+	return nil
+}
+
+func (m *CertificateAuthority_CertificateAuthorityPolicy_AllowedSubjectAltNames) GetAllowedEmailAddresses() []string {
+	if m != nil {
+		return m.AllowedEmailAddresses
+	}
+	return nil
+}
+
+func (m *CertificateAuthority_CertificateAuthorityPolicy_AllowedSubjectAltNames) GetAllowedIps() []string {
+	if m != nil {
+		return m.AllowedIps
+	}
+	return nil
+}
+
+func (m *CertificateAuthority_CertificateAuthorityPolicy_AllowedSubjectAltNames) GetAllowGlobbingDnsWildcards() bool {
+	if m != nil {
+		return m.AllowGlobbingDnsWildcards
+	}
+	return false
+}
+
+func (m *CertificateAuthority_CertificateAuthorityPolicy_AllowedSubjectAltNames) GetAllowCustomSans() bool {
+	if m != nil {
+		return m.AllowCustomSans
+	}
+	return false
+}
+
+// URLs where a [CertificateAuthority][google.cloud.security.privateca.v1alpha1.CertificateAuthority] will publish content.
+type CertificateAuthority_AccessUrls struct {
+	// The URL where this [CertificateAuthority][google.cloud.security.privateca.v1alpha1.CertificateAuthority]'s CA certificate is
+	// published. This will only be set for CAs that have been activated.
+	CaCertificateAccessUrl string `protobuf:"bytes,1,opt,name=ca_certificate_access_url,json=caCertificateAccessUrl,proto3" json:"ca_certificate_access_url,omitempty"`
+	// The URL where this [CertificateAuthority][google.cloud.security.privateca.v1alpha1.CertificateAuthority]'s CRLs are published. This
+	// will only be set for CAs that have been activated.
+	CrlAccessUrl         string   `protobuf:"bytes,2,opt,name=crl_access_url,json=crlAccessUrl,proto3" json:"crl_access_url,omitempty"`
+	XXX_NoUnkeyedLiteral struct{} `json:"-"`
+	XXX_unrecognized     []byte   `json:"-"`
+	XXX_sizecache        int32    `json:"-"`
+}
+
+func (m *CertificateAuthority_AccessUrls) Reset()         { *m = CertificateAuthority_AccessUrls{} }
+func (m *CertificateAuthority_AccessUrls) String() string { return proto.CompactTextString(m) }
+func (*CertificateAuthority_AccessUrls) ProtoMessage()    {}
+func (*CertificateAuthority_AccessUrls) Descriptor() ([]byte, []int) {
+	return fileDescriptor_6299e860b09b0827, []int{0, 2}
+}
+
+func (m *CertificateAuthority_AccessUrls) XXX_Unmarshal(b []byte) error {
+	return xxx_messageInfo_CertificateAuthority_AccessUrls.Unmarshal(m, b)
+}
+func (m *CertificateAuthority_AccessUrls) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
+	return xxx_messageInfo_CertificateAuthority_AccessUrls.Marshal(b, m, deterministic)
+}
+func (m *CertificateAuthority_AccessUrls) XXX_Merge(src proto.Message) {
+	xxx_messageInfo_CertificateAuthority_AccessUrls.Merge(m, src)
+}
+func (m *CertificateAuthority_AccessUrls) XXX_Size() int {
+	return xxx_messageInfo_CertificateAuthority_AccessUrls.Size(m)
+}
+func (m *CertificateAuthority_AccessUrls) XXX_DiscardUnknown() {
+	xxx_messageInfo_CertificateAuthority_AccessUrls.DiscardUnknown(m)
+}
+
+var xxx_messageInfo_CertificateAuthority_AccessUrls proto.InternalMessageInfo
+
+func (m *CertificateAuthority_AccessUrls) GetCaCertificateAccessUrl() string {
+	if m != nil {
+		return m.CaCertificateAccessUrl
+	}
+	return ""
+}
+
+func (m *CertificateAuthority_AccessUrls) GetCrlAccessUrl() string {
+	if m != nil {
+		return m.CrlAccessUrl
+	}
+	return ""
+}
+
+// A [CertificateRevocationList][google.cloud.security.privateca.v1alpha1.CertificateRevocationList] corresponds to a signed X.509 certificate
+// Revocation List (CRL). A CRL contains the serial numbers of certificates that
+// should no longer be trusted.
+type CertificateRevocationList struct {
+	// Output only. The resource path for this [CertificateRevocationList][google.cloud.security.privateca.v1alpha1.CertificateRevocationList] in
+	// the format
+	// `projects/*/locations/*/certificateAuthorities/*/
+	//    certificateRevocationLists/*`.
+	Name string `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"`
+	// Output only. The CRL sequence number that appears in pem_crl.
+	SequenceNumber int64 `protobuf:"varint,2,opt,name=sequence_number,json=sequenceNumber,proto3" json:"sequence_number,omitempty"`
+	// Output only. The revoked serial numbers that appear in pem_crl.
+	RevokedCertificates []*CertificateRevocationList_RevokedCertificate `protobuf:"bytes,3,rep,name=revoked_certificates,json=revokedCertificates,proto3" json:"revoked_certificates,omitempty"`
+	// Output only. The PEM-encoded X.509 CRL.
+	PemCrl string `protobuf:"bytes,4,opt,name=pem_crl,json=pemCrl,proto3" json:"pem_crl,omitempty"`
+	// Output only. The location where 'pem_crl' can be accessed.
+	AccessUrl string `protobuf:"bytes,5,opt,name=access_url,json=accessUrl,proto3" json:"access_url,omitempty"`
+	// Output only. The [State][google.cloud.security.privateca.v1alpha1.CertificateRevocationList.State] for this [CertificateRevocationList][google.cloud.security.privateca.v1alpha1.CertificateRevocationList].
+	State CertificateRevocationList_State `protobuf:"varint,6,opt,name=state,proto3,enum=google.cloud.security.privateca.v1alpha1.CertificateRevocationList_State" json:"state,omitempty"`
+	// Output only. The time at which this [CertificateRevocationList][google.cloud.security.privateca.v1alpha1.CertificateRevocationList] was created.
+	CreateTime *timestamp.Timestamp `protobuf:"bytes,7,opt,name=create_time,json=createTime,proto3" json:"create_time,omitempty"`
+	// Output only. The time at which this [CertificateRevocationList][google.cloud.security.privateca.v1alpha1.CertificateRevocationList] was updated.
+	UpdateTime *timestamp.Timestamp `protobuf:"bytes,8,opt,name=update_time,json=updateTime,proto3" json:"update_time,omitempty"`
+	// Optional. Labels with user-defined metadata.
+	Labels               map[string]string `protobuf:"bytes,9,rep,name=labels,proto3" json:"labels,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"`
+	XXX_NoUnkeyedLiteral struct{}          `json:"-"`
+	XXX_unrecognized     []byte            `json:"-"`
+	XXX_sizecache        int32             `json:"-"`
+}
+
+func (m *CertificateRevocationList) Reset()         { *m = CertificateRevocationList{} }
+func (m *CertificateRevocationList) String() string { return proto.CompactTextString(m) }
+func (*CertificateRevocationList) ProtoMessage()    {}
+func (*CertificateRevocationList) Descriptor() ([]byte, []int) {
+	return fileDescriptor_6299e860b09b0827, []int{1}
+}
+
+func (m *CertificateRevocationList) XXX_Unmarshal(b []byte) error {
+	return xxx_messageInfo_CertificateRevocationList.Unmarshal(m, b)
+}
+func (m *CertificateRevocationList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
+	return xxx_messageInfo_CertificateRevocationList.Marshal(b, m, deterministic)
+}
+func (m *CertificateRevocationList) XXX_Merge(src proto.Message) {
+	xxx_messageInfo_CertificateRevocationList.Merge(m, src)
+}
+func (m *CertificateRevocationList) XXX_Size() int {
+	return xxx_messageInfo_CertificateRevocationList.Size(m)
+}
+func (m *CertificateRevocationList) XXX_DiscardUnknown() {
+	xxx_messageInfo_CertificateRevocationList.DiscardUnknown(m)
+}
+
+var xxx_messageInfo_CertificateRevocationList proto.InternalMessageInfo
+
+func (m *CertificateRevocationList) GetName() string {
+	if m != nil {
+		return m.Name
+	}
+	return ""
+}
+
+func (m *CertificateRevocationList) GetSequenceNumber() int64 {
+	if m != nil {
+		return m.SequenceNumber
+	}
+	return 0
+}
+
+func (m *CertificateRevocationList) GetRevokedCertificates() []*CertificateRevocationList_RevokedCertificate {
+	if m != nil {
+		return m.RevokedCertificates
+	}
+	return nil
+}
+
+func (m *CertificateRevocationList) GetPemCrl() string {
+	if m != nil {
+		return m.PemCrl
+	}
+	return ""
+}
+
+func (m *CertificateRevocationList) GetAccessUrl() string {
+	if m != nil {
+		return m.AccessUrl
+	}
+	return ""
+}
+
+func (m *CertificateRevocationList) GetState() CertificateRevocationList_State {
+	if m != nil {
+		return m.State
+	}
+	return CertificateRevocationList_STATE_UNSPECIFIED
+}
+
+func (m *CertificateRevocationList) GetCreateTime() *timestamp.Timestamp {
+	if m != nil {
+		return m.CreateTime
+	}
+	return nil
+}
+
+func (m *CertificateRevocationList) GetUpdateTime() *timestamp.Timestamp {
+	if m != nil {
+		return m.UpdateTime
+	}
+	return nil
+}
+
+func (m *CertificateRevocationList) GetLabels() map[string]string {
+	if m != nil {
+		return m.Labels
+	}
+	return nil
+}
+
+// Describes a revoked [Certificate][google.cloud.security.privateca.v1alpha1.Certificate].
+type CertificateRevocationList_RevokedCertificate struct {
+	// The resource path for the [Certificate][google.cloud.security.privateca.v1alpha1.Certificate] in the format
+	// `projects/*/locations/*/certificateAuthorities/*/certificates/*`.
+	Certificate string `protobuf:"bytes,1,opt,name=certificate,proto3" json:"certificate,omitempty"`
+	// The serial number of the [Certificate][google.cloud.security.privateca.v1alpha1.Certificate].
+	SerialNumber string `protobuf:"bytes,2,opt,name=serial_number,json=serialNumber,proto3" json:"serial_number,omitempty"`
+	// The reason the [Certificate][google.cloud.security.privateca.v1alpha1.Certificate] was revoked.
+	RevocationReason     RevocationReason `protobuf:"varint,3,opt,name=revocation_reason,json=revocationReason,proto3,enum=google.cloud.security.privateca.v1alpha1.RevocationReason" json:"revocation_reason,omitempty"`
+	XXX_NoUnkeyedLiteral struct{}         `json:"-"`
+	XXX_unrecognized     []byte           `json:"-"`
+	XXX_sizecache        int32            `json:"-"`
+}
+
+func (m *CertificateRevocationList_RevokedCertificate) Reset() {
+	*m = CertificateRevocationList_RevokedCertificate{}
+}
+func (m *CertificateRevocationList_RevokedCertificate) String() string {
+	return proto.CompactTextString(m)
+}
+func (*CertificateRevocationList_RevokedCertificate) ProtoMessage() {}
+func (*CertificateRevocationList_RevokedCertificate) Descriptor() ([]byte, []int) {
+	return fileDescriptor_6299e860b09b0827, []int{1, 0}
+}
+
+func (m *CertificateRevocationList_RevokedCertificate) XXX_Unmarshal(b []byte) error {
+	return xxx_messageInfo_CertificateRevocationList_RevokedCertificate.Unmarshal(m, b)
+}
+func (m *CertificateRevocationList_RevokedCertificate) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
+	return xxx_messageInfo_CertificateRevocationList_RevokedCertificate.Marshal(b, m, deterministic)
+}
+func (m *CertificateRevocationList_RevokedCertificate) XXX_Merge(src proto.Message) {
+	xxx_messageInfo_CertificateRevocationList_RevokedCertificate.Merge(m, src)
+}
+func (m *CertificateRevocationList_RevokedCertificate) XXX_Size() int {
+	return xxx_messageInfo_CertificateRevocationList_RevokedCertificate.Size(m)
+}
+func (m *CertificateRevocationList_RevokedCertificate) XXX_DiscardUnknown() {
+	xxx_messageInfo_CertificateRevocationList_RevokedCertificate.DiscardUnknown(m)
+}
+
+var xxx_messageInfo_CertificateRevocationList_RevokedCertificate proto.InternalMessageInfo
+
+func (m *CertificateRevocationList_RevokedCertificate) GetCertificate() string {
+	if m != nil {
+		return m.Certificate
+	}
+	return ""
+}
+
+func (m *CertificateRevocationList_RevokedCertificate) GetSerialNumber() string {
+	if m != nil {
+		return m.SerialNumber
+	}
+	return ""
+}
+
+func (m *CertificateRevocationList_RevokedCertificate) GetRevocationReason() RevocationReason {
+	if m != nil {
+		return m.RevocationReason
+	}
+	return RevocationReason_REVOCATION_REASON_UNSPECIFIED
+}
+
+// A [Certificate][google.cloud.security.privateca.v1alpha1.Certificate] corresponds to a signed X.509 certificate issued by a
+// [CertificateAuthority][google.cloud.security.privateca.v1alpha1.CertificateAuthority].
+type Certificate struct {
+	// Output only. The resource path for this [Certificate][google.cloud.security.privateca.v1alpha1.Certificate] in the format
+	// `projects/*/locations/*/certificateAuthorities/*/certificates/*`.
+	Name string `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"`
+	// The config used to create a signed X.509 certificate.
+	//
+	// Types that are valid to be assigned to CertificateConfig:
+	//	*Certificate_PemCsr
+	//	*Certificate_Config
+	CertificateConfig isCertificate_CertificateConfig `protobuf_oneof:"certificate_config"`
+	// Required. The desired lifetime of a certificate. Used to create the
+	// "not_before_time" and "not_after_time" fields inside an X.509
+	// certificate. Note that the lifetime may be truncated if it would extend
+	// past the life of any certificate authority in the issuing chain.
+	Lifetime *duration.Duration `protobuf:"bytes,4,opt,name=lifetime,proto3" json:"lifetime,omitempty"`
+	// Output only. Details regarding the revocation of this [Certificate][google.cloud.security.privateca.v1alpha1.Certificate]. This
+	// [Certificate][google.cloud.security.privateca.v1alpha1.Certificate] is considered revoked if and only if this field is present.
+	RevocationDetails *Certificate_RevocationDetails `protobuf:"bytes,5,opt,name=revocation_details,json=revocationDetails,proto3" json:"revocation_details,omitempty"`
+	// Output only. The pem-encoded, signed X.509 certificate.
+	PemCertificate string `protobuf:"bytes,6,opt,name=pem_certificate,json=pemCertificate,proto3" json:"pem_certificate,omitempty"`
+	// Output only. A structured description of the issued X.509 certificate.
+	CertificateDescription *CertificateDescription `protobuf:"bytes,7,opt,name=certificate_description,json=certificateDescription,proto3" json:"certificate_description,omitempty"`
+	// Output only. The chain that may be used to verify the X.509 certificate. Expected to be
+	// in issuer-to-root order according to RFC 5246.
+	PemCertificateChain []string `protobuf:"bytes,8,rep,name=pem_certificate_chain,json=pemCertificateChain,proto3" json:"pem_certificate_chain,omitempty"`
+	// Output only. The time at which this [Certificate][google.cloud.security.privateca.v1alpha1.Certificate] was created.
+	CreateTime *timestamp.Timestamp `protobuf:"bytes,9,opt,name=create_time,json=createTime,proto3" json:"create_time,omitempty"`
+	// Output only. The time at which this [Certificate][google.cloud.security.privateca.v1alpha1.Certificate] was updated.
+	UpdateTime *timestamp.Timestamp `protobuf:"bytes,10,opt,name=update_time,json=updateTime,proto3" json:"update_time,omitempty"`
+	// Optional. Labels with user-defined metadata.
+	Labels               map[string]string `protobuf:"bytes,11,rep,name=labels,proto3" json:"labels,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"`
+	XXX_NoUnkeyedLiteral struct{}          `json:"-"`
+	XXX_unrecognized     []byte            `json:"-"`
+	XXX_sizecache        int32             `json:"-"`
+}
+
+func (m *Certificate) Reset()         { *m = Certificate{} }
+func (m *Certificate) String() string { return proto.CompactTextString(m) }
+func (*Certificate) ProtoMessage()    {}
+func (*Certificate) Descriptor() ([]byte, []int) {
+	return fileDescriptor_6299e860b09b0827, []int{2}
+}
+
+func (m *Certificate) XXX_Unmarshal(b []byte) error {
+	return xxx_messageInfo_Certificate.Unmarshal(m, b)
+}
+func (m *Certificate) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
+	return xxx_messageInfo_Certificate.Marshal(b, m, deterministic)
+}
+func (m *Certificate) XXX_Merge(src proto.Message) {
+	xxx_messageInfo_Certificate.Merge(m, src)
+}
+func (m *Certificate) XXX_Size() int {
+	return xxx_messageInfo_Certificate.Size(m)
+}
+func (m *Certificate) XXX_DiscardUnknown() {
+	xxx_messageInfo_Certificate.DiscardUnknown(m)
+}
+
+var xxx_messageInfo_Certificate proto.InternalMessageInfo
+
+func (m *Certificate) GetName() string {
+	if m != nil {
+		return m.Name
+	}
+	return ""
+}
+
+type isCertificate_CertificateConfig interface {
+	isCertificate_CertificateConfig()
+}
+
+type Certificate_PemCsr struct {
+	PemCsr string `protobuf:"bytes,2,opt,name=pem_csr,json=pemCsr,proto3,oneof"`
+}
+
+type Certificate_Config struct {
+	Config *CertificateConfig `protobuf:"bytes,3,opt,name=config,proto3,oneof"`
+}
+
+func (*Certificate_PemCsr) isCertificate_CertificateConfig() {}
+
+func (*Certificate_Config) isCertificate_CertificateConfig() {}
+
+func (m *Certificate) GetCertificateConfig() isCertificate_CertificateConfig {
+	if m != nil {
+		return m.CertificateConfig
+	}
+	return nil
+}
+
+func (m *Certificate) GetPemCsr() string {
+	if x, ok := m.GetCertificateConfig().(*Certificate_PemCsr); ok {
+		return x.PemCsr
+	}
+	return ""
+}
+
+func (m *Certificate) GetConfig() *CertificateConfig {
+	if x, ok := m.GetCertificateConfig().(*Certificate_Config); ok {
+		return x.Config
+	}
+	return nil
+}
+
+func (m *Certificate) GetLifetime() *duration.Duration {
+	if m != nil {
+		return m.Lifetime
+	}
+	return nil
+}
+
+func (m *Certificate) GetRevocationDetails() *Certificate_RevocationDetails {
+	if m != nil {
+		return m.RevocationDetails
+	}
+	return nil
+}
+
+func (m *Certificate) GetPemCertificate() string {
+	if m != nil {
+		return m.PemCertificate
+	}
+	return ""
+}
+
+func (m *Certificate) GetCertificateDescription() *CertificateDescription {
+	if m != nil {
+		return m.CertificateDescription
+	}
+	return nil
+}
+
+func (m *Certificate) GetPemCertificateChain() []string {
+	if m != nil {
+		return m.PemCertificateChain
+	}
+	return nil
+}
+
+func (m *Certificate) GetCreateTime() *timestamp.Timestamp {
+	if m != nil {
+		return m.CreateTime
+	}
+	return nil
+}
+
+func (m *Certificate) GetUpdateTime() *timestamp.Timestamp {
+	if m != nil {
+		return m.UpdateTime
+	}
+	return nil
+}
+
+func (m *Certificate) GetLabels() map[string]string {
+	if m != nil {
+		return m.Labels
+	}
+	return nil
+}
+
+// XXX_OneofWrappers is for the internal use of the proto package.
+func (*Certificate) XXX_OneofWrappers() []interface{} {
+	return []interface{}{
+		(*Certificate_PemCsr)(nil),
+		(*Certificate_Config)(nil),
+	}
+}
+
+// Describes fields that are relavent to the revocation of a [Certificate][google.cloud.security.privateca.v1alpha1.Certificate].
+type Certificate_RevocationDetails struct {
+	// Indicates why a [Certificate][google.cloud.security.privateca.v1alpha1.Certificate] was revoked.
+	RevocationState RevocationReason `protobuf:"varint,1,opt,name=revocation_state,json=revocationState,proto3,enum=google.cloud.security.privateca.v1alpha1.RevocationReason" json:"revocation_state,omitempty"`
+	// The time at which this [Certificate][google.cloud.security.privateca.v1alpha1.Certificate] was revoked.
+	RevocationTime       *timestamp.Timestamp `protobuf:"bytes,2,opt,name=revocation_time,json=revocationTime,proto3" json:"revocation_time,omitempty"`
+	XXX_NoUnkeyedLiteral struct{}             `json:"-"`
+	XXX_unrecognized     []byte               `json:"-"`
+	XXX_sizecache        int32                `json:"-"`
+}
+
+func (m *Certificate_RevocationDetails) Reset()         { *m = Certificate_RevocationDetails{} }
+func (m *Certificate_RevocationDetails) String() string { return proto.CompactTextString(m) }
+func (*Certificate_RevocationDetails) ProtoMessage()    {}
+func (*Certificate_RevocationDetails) Descriptor() ([]byte, []int) {
+	return fileDescriptor_6299e860b09b0827, []int{2, 0}
+}
+
+func (m *Certificate_RevocationDetails) XXX_Unmarshal(b []byte) error {
+	return xxx_messageInfo_Certificate_RevocationDetails.Unmarshal(m, b)
+}
+func (m *Certificate_RevocationDetails) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
+	return xxx_messageInfo_Certificate_RevocationDetails.Marshal(b, m, deterministic)
+}
+func (m *Certificate_RevocationDetails) XXX_Merge(src proto.Message) {
+	xxx_messageInfo_Certificate_RevocationDetails.Merge(m, src)
+}
+func (m *Certificate_RevocationDetails) XXX_Size() int {
+	return xxx_messageInfo_Certificate_RevocationDetails.Size(m)
+}
+func (m *Certificate_RevocationDetails) XXX_DiscardUnknown() {
+	xxx_messageInfo_Certificate_RevocationDetails.DiscardUnknown(m)
+}
+
+var xxx_messageInfo_Certificate_RevocationDetails proto.InternalMessageInfo
+
+func (m *Certificate_RevocationDetails) GetRevocationState() RevocationReason {
+	if m != nil {
+		return m.RevocationState
+	}
+	return RevocationReason_REVOCATION_REASON_UNSPECIFIED
+}
+
+func (m *Certificate_RevocationDetails) GetRevocationTime() *timestamp.Timestamp {
+	if m != nil {
+		return m.RevocationTime
+	}
+	return nil
+}
+
+// A [ReusableConfig][google.cloud.security.privateca.v1alpha1.ReusableConfig] refers to a managed [ReusableConfigValues][google.cloud.security.privateca.v1alpha1.ReusableConfigValues]. Those, in
+// turn, are used to describe certain fields of an X.509 certificate, such as
+// the key usage fields, fields specific to CA certificates, certificate policy
+// extensions and custom extensions.
+type ReusableConfig struct {
+	// Output only. The resource path for this [ReusableConfig][google.cloud.security.privateca.v1alpha1.ReusableConfig] in the format
+	// `projects/*/locations/*/reusableConfigs/*`.
+	Name string `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"`
+	// Required. The config values.
+	Values *ReusableConfigValues `protobuf:"bytes,2,opt,name=values,proto3" json:"values,omitempty"`
+	// Optional. A human-readable description of scenarios these ReusableConfigValues may be
+	// compatible with.
+	Description string `protobuf:"bytes,6,opt,name=description,proto3" json:"description,omitempty"`
+	// Output only. The time at which this [ReusableConfig][google.cloud.security.privateca.v1alpha1.ReusableConfig] was created.
+	CreateTime *timestamp.Timestamp `protobuf:"bytes,3,opt,name=create_time,json=createTime,proto3" json:"create_time,omitempty"`
+	// Output only. The time at which this [ReusableConfig][google.cloud.security.privateca.v1alpha1.ReusableConfig] was updated.
+	UpdateTime *timestamp.Timestamp `protobuf:"bytes,4,opt,name=update_time,json=updateTime,proto3" json:"update_time,omitempty"`
+	// Optional. Labels with user-defined metadata.
+	Labels               map[string]string `protobuf:"bytes,5,rep,name=labels,proto3" json:"labels,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"`
+	XXX_NoUnkeyedLiteral struct{}          `json:"-"`
+	XXX_unrecognized     []byte            `json:"-"`
+	XXX_sizecache        int32             `json:"-"`
+}
+
+func (m *ReusableConfig) Reset()         { *m = ReusableConfig{} }
+func (m *ReusableConfig) String() string { return proto.CompactTextString(m) }
+func (*ReusableConfig) ProtoMessage()    {}
+func (*ReusableConfig) Descriptor() ([]byte, []int) {
+	return fileDescriptor_6299e860b09b0827, []int{3}
+}
+
+func (m *ReusableConfig) XXX_Unmarshal(b []byte) error {
+	return xxx_messageInfo_ReusableConfig.Unmarshal(m, b)
+}
+func (m *ReusableConfig) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
+	return xxx_messageInfo_ReusableConfig.Marshal(b, m, deterministic)
+}
+func (m *ReusableConfig) XXX_Merge(src proto.Message) {
+	xxx_messageInfo_ReusableConfig.Merge(m, src)
+}
+func (m *ReusableConfig) XXX_Size() int {
+	return xxx_messageInfo_ReusableConfig.Size(m)
+}
+func (m *ReusableConfig) XXX_DiscardUnknown() {
+	xxx_messageInfo_ReusableConfig.DiscardUnknown(m)
+}
+
+var xxx_messageInfo_ReusableConfig proto.InternalMessageInfo
+
+func (m *ReusableConfig) GetName() string {
+	if m != nil {
+		return m.Name
+	}
+	return ""
+}
+
+func (m *ReusableConfig) GetValues() *ReusableConfigValues {
+	if m != nil {
+		return m.Values
+	}
+	return nil
+}
+
+func (m *ReusableConfig) GetDescription() string {
+	if m != nil {
+		return m.Description
+	}
+	return ""
+}
+
+func (m *ReusableConfig) GetCreateTime() *timestamp.Timestamp {
+	if m != nil {
+		return m.CreateTime
+	}
+	return nil
+}
+
+func (m *ReusableConfig) GetUpdateTime() *timestamp.Timestamp {
+	if m != nil {
+		return m.UpdateTime
+	}
+	return nil
+}
+
+func (m *ReusableConfig) GetLabels() map[string]string {
+	if m != nil {
+		return m.Labels
+	}
+	return nil
+}
+
+// A [ReusableConfigValues][google.cloud.security.privateca.v1alpha1.ReusableConfigValues] is used to describe certain fields of an
+// X.509 certificate, such as the key usage fields, fields specific to CA
+// certificates, certificate policy extensions and custom extensions.
+type ReusableConfigValues struct {
+	// Optional. Indicates the intended use for keys that correspond to a certificate.
+	KeyUsage *KeyUsage `protobuf:"bytes,1,opt,name=key_usage,json=keyUsage,proto3" json:"key_usage,omitempty"`
+	// Optional. Describes options in this [ReusableConfigValues][google.cloud.security.privateca.v1alpha1.ReusableConfigValues] that are
+	// relevant in a CA certificate.
+	CaOptions *ReusableConfigValues_CaOptions `protobuf:"bytes,2,opt,name=ca_options,json=caOptions,proto3" json:"ca_options,omitempty"`
+	// Optional. Describes the X.509 certificate policy object identifiers, per
+	// https://tools.ietf.org/html/rfc5280#section-4.2.1.4rfc5280
+	PolicyIds []*ObjectId `protobuf:"bytes,3,rep,name=policy_ids,json=policyIds,proto3" json:"policy_ids,omitempty"`
+	// Optional. Describes custom X.509 extensions.
+	AdditionalExtensions []*X509Extension `protobuf:"bytes,4,rep,name=additional_extensions,json=additionalExtensions,proto3" json:"additional_extensions,omitempty"`
+	// Optional. Describes a list of locations to obtain CRL information, i.e.
+	// the DistributionPoint.fullName described by
+	// https://tools.ietf.org/html/rfc5280#section-4.2.1.13
+	CrlDistributionPoints []string `protobuf:"bytes,5,rep,name=crl_distribution_points,json=crlDistributionPoints,proto3" json:"crl_distribution_points,omitempty"`
+	// Optional. Describes how to access information and services for the issuer of the
+	//  certificate.
+	AuthorityInformationAccess *ReusableConfigValues_AuthorityInformationAccess `protobuf:"bytes,6,opt,name=authority_information_access,json=authorityInformationAccess,proto3" json:"authority_information_access,omitempty"`
+	XXX_NoUnkeyedLiteral       struct{}                                         `json:"-"`
+	XXX_unrecognized           []byte                                           `json:"-"`
+	XXX_sizecache              int32                                            `json:"-"`
+}
+
+func (m *ReusableConfigValues) Reset()         { *m = ReusableConfigValues{} }
+func (m *ReusableConfigValues) String() string { return proto.CompactTextString(m) }
+func (*ReusableConfigValues) ProtoMessage()    {}
+func (*ReusableConfigValues) Descriptor() ([]byte, []int) {
+	return fileDescriptor_6299e860b09b0827, []int{4}
+}
+
+func (m *ReusableConfigValues) XXX_Unmarshal(b []byte) error {
+	return xxx_messageInfo_ReusableConfigValues.Unmarshal(m, b)
+}
+func (m *ReusableConfigValues) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
+	return xxx_messageInfo_ReusableConfigValues.Marshal(b, m, deterministic)
+}
+func (m *ReusableConfigValues) XXX_Merge(src proto.Message) {
+	xxx_messageInfo_ReusableConfigValues.Merge(m, src)
+}
+func (m *ReusableConfigValues) XXX_Size() int {
+	return xxx_messageInfo_ReusableConfigValues.Size(m)
+}
+func (m *ReusableConfigValues) XXX_DiscardUnknown() {
+	xxx_messageInfo_ReusableConfigValues.DiscardUnknown(m)
+}
+
+var xxx_messageInfo_ReusableConfigValues proto.InternalMessageInfo
+
+func (m *ReusableConfigValues) GetKeyUsage() *KeyUsage {
+	if m != nil {
+		return m.KeyUsage
+	}
+	return nil
+}
+
+func (m *ReusableConfigValues) GetCaOptions() *ReusableConfigValues_CaOptions {
+	if m != nil {
+		return m.CaOptions
+	}
+	return nil
+}
+
+func (m *ReusableConfigValues) GetPolicyIds() []*ObjectId {
+	if m != nil {
+		return m.PolicyIds
+	}
+	return nil
+}
+
+func (m *ReusableConfigValues) GetAdditionalExtensions() []*X509Extension {
+	if m != nil {
+		return m.AdditionalExtensions
+	}
+	return nil
+}
+
+func (m *ReusableConfigValues) GetCrlDistributionPoints() []string {
+	if m != nil {
+		return m.CrlDistributionPoints
+	}
+	return nil
+}
+
+func (m *ReusableConfigValues) GetAuthorityInformationAccess() *ReusableConfigValues_AuthorityInformationAccess {
+	if m != nil {
+		return m.AuthorityInformationAccess
+	}
+	return nil
+}
+
+// Describes values that are relevant in a CA certificate.
+type ReusableConfigValues_CaOptions struct {
+	// Optional. Refers to the "CA" X.509 extension, which is a boolean value. When this
+	// value is missing, the extension will be omitted from the CA certificate.
+	IsCa *wrappers.BoolValue `protobuf:"bytes,1,opt,name=is_ca,json=isCa,proto3" json:"is_ca,omitempty"`
+	// Optional. Refers to the path length restriction X.509 extension. For a CA
+	// certificate, this value describes the depth of subordinate CA
+	// certificates that are allowed.
+	// If this value is less than 0, the request will fail.
+	// If this value is missing, the max path length will be omitted from the
+	// CA certificate.
+	MaxIssuerPathLength  *wrappers.Int32Value `protobuf:"bytes,2,opt,name=max_issuer_path_length,json=maxIssuerPathLength,proto3" json:"max_issuer_path_length,omitempty"`
+	XXX_NoUnkeyedLiteral struct{}             `json:"-"`
+	XXX_unrecognized     []byte               `json:"-"`
+	XXX_sizecache        int32                `json:"-"`
+}
+
+func (m *ReusableConfigValues_CaOptions) Reset()         { *m = ReusableConfigValues_CaOptions{} }
+func (m *ReusableConfigValues_CaOptions) String() string { return proto.CompactTextString(m) }
+func (*ReusableConfigValues_CaOptions) ProtoMessage()    {}
+func (*ReusableConfigValues_CaOptions) Descriptor() ([]byte, []int) {
+	return fileDescriptor_6299e860b09b0827, []int{4, 0}
+}
+
+func (m *ReusableConfigValues_CaOptions) XXX_Unmarshal(b []byte) error {
+	return xxx_messageInfo_ReusableConfigValues_CaOptions.Unmarshal(m, b)
+}
+func (m *ReusableConfigValues_CaOptions) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
+	return xxx_messageInfo_ReusableConfigValues_CaOptions.Marshal(b, m, deterministic)
+}
+func (m *ReusableConfigValues_CaOptions) XXX_Merge(src proto.Message) {
+	xxx_messageInfo_ReusableConfigValues_CaOptions.Merge(m, src)
+}
+func (m *ReusableConfigValues_CaOptions) XXX_Size() int {
+	return xxx_messageInfo_ReusableConfigValues_CaOptions.Size(m)
+}
+func (m *ReusableConfigValues_CaOptions) XXX_DiscardUnknown() {
+	xxx_messageInfo_ReusableConfigValues_CaOptions.DiscardUnknown(m)
+}
+
+var xxx_messageInfo_ReusableConfigValues_CaOptions proto.InternalMessageInfo
+
+func (m *ReusableConfigValues_CaOptions) GetIsCa() *wrappers.BoolValue {
+	if m != nil {
+		return m.IsCa
+	}
+	return nil
+}
+
+func (m *ReusableConfigValues_CaOptions) GetMaxIssuerPathLength() *wrappers.Int32Value {
+	if m != nil {
+		return m.MaxIssuerPathLength
+	}
+	return nil
+}
+
+// Describes how to access information and services for the issuer of the
+// certificate, per https://tools.ietf.org/html/rfc5280#section-4.2.2.1
+type ReusableConfigValues_AuthorityInformationAccess struct {
+	// Optional. The referenced CA issuers description is intended to aid certificate
+	// users in the selection of a certification path that terminates at a
+	// point trusted by the certificate user.
+	IssuingCertificateUrls []string `protobuf:"bytes,1,rep,name=issuing_certificate_urls,json=issuingCertificateUrls,proto3" json:"issuing_certificate_urls,omitempty"`
+	// Optional. Used when revocation information for the
+	// certificate containing this extension is available using the Online
+	// Certificate Status Protocol (OCSP)
+	OcspServers          []string `protobuf:"bytes,2,rep,name=ocsp_servers,json=ocspServers,proto3" json:"ocsp_servers,omitempty"`
+	XXX_NoUnkeyedLiteral struct{} `json:"-"`
+	XXX_unrecognized     []byte   `json:"-"`
+	XXX_sizecache        int32    `json:"-"`
+}
+
+func (m *ReusableConfigValues_AuthorityInformationAccess) Reset() {
+	*m = ReusableConfigValues_AuthorityInformationAccess{}
+}
+func (m *ReusableConfigValues_AuthorityInformationAccess) String() string {
+	return proto.CompactTextString(m)
+}
+func (*ReusableConfigValues_AuthorityInformationAccess) ProtoMessage() {}
+func (*ReusableConfigValues_AuthorityInformationAccess) Descriptor() ([]byte, []int) {
+	return fileDescriptor_6299e860b09b0827, []int{4, 1}
+}
+
+func (m *ReusableConfigValues_AuthorityInformationAccess) XXX_Unmarshal(b []byte) error {
+	return xxx_messageInfo_ReusableConfigValues_AuthorityInformationAccess.Unmarshal(m, b)
+}
+func (m *ReusableConfigValues_AuthorityInformationAccess) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
+	return xxx_messageInfo_ReusableConfigValues_AuthorityInformationAccess.Marshal(b, m, deterministic)
+}
+func (m *ReusableConfigValues_AuthorityInformationAccess) XXX_Merge(src proto.Message) {
+	xxx_messageInfo_ReusableConfigValues_AuthorityInformationAccess.Merge(m, src)
+}
+func (m *ReusableConfigValues_AuthorityInformationAccess) XXX_Size() int {
+	return xxx_messageInfo_ReusableConfigValues_AuthorityInformationAccess.Size(m)
+}
+func (m *ReusableConfigValues_AuthorityInformationAccess) XXX_DiscardUnknown() {
+	xxx_messageInfo_ReusableConfigValues_AuthorityInformationAccess.DiscardUnknown(m)
+}
+
+var xxx_messageInfo_ReusableConfigValues_AuthorityInformationAccess proto.InternalMessageInfo
+
+func (m *ReusableConfigValues_AuthorityInformationAccess) GetIssuingCertificateUrls() []string {
+	if m != nil {
+		return m.IssuingCertificateUrls
+	}
+	return nil
+}
+
+func (m *ReusableConfigValues_AuthorityInformationAccess) GetOcspServers() []string {
+	if m != nil {
+		return m.OcspServers
+	}
+	return nil
+}
+
+// A [ReusableConfigWrapper][google.cloud.security.privateca.v1alpha1.ReusableConfigWrapper] describes values that may assist in creating an
+// X.509 certificate, or a reference to a pre-defined set of values.
+type ReusableConfigWrapper struct {
+	// Reusable or inline config values.
+	//
+	// Types that are valid to be assigned to ConfigValues:
+	//	*ReusableConfigWrapper_ReusableConfig
+	//	*ReusableConfigWrapper_ReusableConfigValues
+	ConfigValues         isReusableConfigWrapper_ConfigValues `protobuf_oneof:"config_values"`
+	XXX_NoUnkeyedLiteral struct{}                             `json:"-"`
+	XXX_unrecognized     []byte                               `json:"-"`
+	XXX_sizecache        int32                                `json:"-"`
+}
+
+func (m *ReusableConfigWrapper) Reset()         { *m = ReusableConfigWrapper{} }
+func (m *ReusableConfigWrapper) String() string { return proto.CompactTextString(m) }
+func (*ReusableConfigWrapper) ProtoMessage()    {}
+func (*ReusableConfigWrapper) Descriptor() ([]byte, []int) {
+	return fileDescriptor_6299e860b09b0827, []int{5}
+}
+
+func (m *ReusableConfigWrapper) XXX_Unmarshal(b []byte) error {
+	return xxx_messageInfo_ReusableConfigWrapper.Unmarshal(m, b)
+}
+func (m *ReusableConfigWrapper) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
+	return xxx_messageInfo_ReusableConfigWrapper.Marshal(b, m, deterministic)
+}
+func (m *ReusableConfigWrapper) XXX_Merge(src proto.Message) {
+	xxx_messageInfo_ReusableConfigWrapper.Merge(m, src)
+}
+func (m *ReusableConfigWrapper) XXX_Size() int {
+	return xxx_messageInfo_ReusableConfigWrapper.Size(m)
+}
+func (m *ReusableConfigWrapper) XXX_DiscardUnknown() {
+	xxx_messageInfo_ReusableConfigWrapper.DiscardUnknown(m)
+}
+
+var xxx_messageInfo_ReusableConfigWrapper proto.InternalMessageInfo
+
+type isReusableConfigWrapper_ConfigValues interface {
+	isReusableConfigWrapper_ConfigValues()
+}
+
+type ReusableConfigWrapper_ReusableConfig struct {
+	ReusableConfig string `protobuf:"bytes,1,opt,name=reusable_config,json=reusableConfig,proto3,oneof"`
+}
+
+type ReusableConfigWrapper_ReusableConfigValues struct {
+	ReusableConfigValues *ReusableConfigValues `protobuf:"bytes,2,opt,name=reusable_config_values,json=reusableConfigValues,proto3,oneof"`
+}
+
+func (*ReusableConfigWrapper_ReusableConfig) isReusableConfigWrapper_ConfigValues() {}
+
+func (*ReusableConfigWrapper_ReusableConfigValues) isReusableConfigWrapper_ConfigValues() {}
+
+func (m *ReusableConfigWrapper) GetConfigValues() isReusableConfigWrapper_ConfigValues {
+	if m != nil {
+		return m.ConfigValues
+	}
+	return nil
+}
+
+func (m *ReusableConfigWrapper) GetReusableConfig() string {
+	if x, ok := m.GetConfigValues().(*ReusableConfigWrapper_ReusableConfig); ok {
+		return x.ReusableConfig
+	}
+	return ""
+}
+
+func (m *ReusableConfigWrapper) GetReusableConfigValues() *ReusableConfigValues {
+	if x, ok := m.GetConfigValues().(*ReusableConfigWrapper_ReusableConfigValues); ok {
+		return x.ReusableConfigValues
+	}
+	return nil
+}
+
+// XXX_OneofWrappers is for the internal use of the proto package.
+func (*ReusableConfigWrapper) XXX_OneofWrappers() []interface{} {
+	return []interface{}{
+		(*ReusableConfigWrapper_ReusableConfig)(nil),
+		(*ReusableConfigWrapper_ReusableConfigValues)(nil),
+	}
+}
+
+// A [PublicKey][google.cloud.security.privateca.v1alpha1.PublicKey] describes a public key.
+type PublicKey struct {
+	// Required. The type of public key.
+	Type PublicKey_KeyType `protobuf:"varint,1,opt,name=type,proto3,enum=google.cloud.security.privateca.v1alpha1.PublicKey_KeyType" json:"type,omitempty"`
+	// Required. A public key. Padding and encoding varies by 'KeyType' and is described
+	// along with the KeyType values.
+	Key                  []byte   `protobuf:"bytes,2,opt,name=key,proto3" json:"key,omitempty"`
+	XXX_NoUnkeyedLiteral struct{} `json:"-"`
+	XXX_unrecognized     []byte   `json:"-"`
+	XXX_sizecache        int32    `json:"-"`
+}
+
+func (m *PublicKey) Reset()         { *m = PublicKey{} }
+func (m *PublicKey) String() string { return proto.CompactTextString(m) }
+func (*PublicKey) ProtoMessage()    {}
+func (*PublicKey) Descriptor() ([]byte, []int) {
+	return fileDescriptor_6299e860b09b0827, []int{6}
+}
+
+func (m *PublicKey) XXX_Unmarshal(b []byte) error {
+	return xxx_messageInfo_PublicKey.Unmarshal(m, b)
+}
+func (m *PublicKey) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
+	return xxx_messageInfo_PublicKey.Marshal(b, m, deterministic)
+}
+func (m *PublicKey) XXX_Merge(src proto.Message) {
+	xxx_messageInfo_PublicKey.Merge(m, src)
+}
+func (m *PublicKey) XXX_Size() int {
+	return xxx_messageInfo_PublicKey.Size(m)
+}
+func (m *PublicKey) XXX_DiscardUnknown() {
+	xxx_messageInfo_PublicKey.DiscardUnknown(m)
+}
+
+var xxx_messageInfo_PublicKey proto.InternalMessageInfo
+
+func (m *PublicKey) GetType() PublicKey_KeyType {
+	if m != nil {
+		return m.Type
+	}
+	return PublicKey_KEY_TYPE_UNSPECIFIED
+}
+
+func (m *PublicKey) GetKey() []byte {
+	if m != nil {
+		return m.Key
+	}
+	return nil
+}
+
+// A [CertificateConfig][google.cloud.security.privateca.v1alpha1.CertificateConfig] describes an X.509 certificate or CSR that is to be
+// created, as an alternative to using ASN.1.
+type CertificateConfig struct {
+	// Required. Specifies some of the values in a certificate that are related to the
+	// subject.
+	SubjectConfig *CertificateConfig_SubjectConfig `protobuf:"bytes,1,opt,name=subject_config,json=subjectConfig,proto3" json:"subject_config,omitempty"`
+	// Required. Describes how some of the technical fields in a certificate should be
+	// populated.
+	ReusableConfig *ReusableConfigWrapper `protobuf:"bytes,2,opt,name=reusable_config,json=reusableConfig,proto3" json:"reusable_config,omitempty"`
+	// Optional. The public key that corresponds to this config. This is, for example, used
+	// when issuing [Certificates][google.cloud.security.privateca.v1alpha1.Certificate], but not when creating a
+	// self-signed [CertificateAuthority][google.cloud.security.privateca.v1alpha1.CertificateAuthority] or [CertificateAuthority][google.cloud.security.privateca.v1alpha1.CertificateAuthority] CSR.
+	PublicKey            *PublicKey `protobuf:"bytes,3,opt,name=public_key,json=publicKey,proto3" json:"public_key,omitempty"`
+	XXX_NoUnkeyedLiteral struct{}   `json:"-"`
+	XXX_unrecognized     []byte     `json:"-"`
+	XXX_sizecache        int32      `json:"-"`
+}
+
+func (m *CertificateConfig) Reset()         { *m = CertificateConfig{} }
+func (m *CertificateConfig) String() string { return proto.CompactTextString(m) }
+func (*CertificateConfig) ProtoMessage()    {}
+func (*CertificateConfig) Descriptor() ([]byte, []int) {
+	return fileDescriptor_6299e860b09b0827, []int{7}
+}
+
+func (m *CertificateConfig) XXX_Unmarshal(b []byte) error {
+	return xxx_messageInfo_CertificateConfig.Unmarshal(m, b)
+}
+func (m *CertificateConfig) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
+	return xxx_messageInfo_CertificateConfig.Marshal(b, m, deterministic)
+}
+func (m *CertificateConfig) XXX_Merge(src proto.Message) {
+	xxx_messageInfo_CertificateConfig.Merge(m, src)
+}
+func (m *CertificateConfig) XXX_Size() int {
+	return xxx_messageInfo_CertificateConfig.Size(m)
+}
+func (m *CertificateConfig) XXX_DiscardUnknown() {
+	xxx_messageInfo_CertificateConfig.DiscardUnknown(m)
+}
+
+var xxx_messageInfo_CertificateConfig proto.InternalMessageInfo
+
+func (m *CertificateConfig) GetSubjectConfig() *CertificateConfig_SubjectConfig {
+	if m != nil {
+		return m.SubjectConfig
+	}
+	return nil
+}
+
+func (m *CertificateConfig) GetReusableConfig() *ReusableConfigWrapper {
+	if m != nil {
+		return m.ReusableConfig
+	}
+	return nil
+}
+
+func (m *CertificateConfig) GetPublicKey() *PublicKey {
+	if m != nil {
+		return m.PublicKey
+	}
+	return nil
+}
+
+// These values are used to create the distinguished name and subject
+// alternative name fields in an X.509 certificate.
+type CertificateConfig_SubjectConfig struct {
+	// Required. Contains distinguished name fields such as the location and organization.
+	Subject *Subject `protobuf:"bytes,1,opt,name=subject,proto3" json:"subject,omitempty"`
+	// Optional. The "common name" of the distinguished name.
+	CommonName string `protobuf:"bytes,2,opt,name=common_name,json=commonName,proto3" json:"common_name,omitempty"`
+	// Optional. The subject alternative name fields.
+	SubjectAltName       *SubjectAltNames `protobuf:"bytes,3,opt,name=subject_alt_name,json=subjectAltName,proto3" json:"subject_alt_name,omitempty"`
+	XXX_NoUnkeyedLiteral struct{}         `json:"-"`
+	XXX_unrecognized     []byte           `json:"-"`
+	XXX_sizecache        int32            `json:"-"`
+}
+
+func (m *CertificateConfig_SubjectConfig) Reset()         { *m = CertificateConfig_SubjectConfig{} }
+func (m *CertificateConfig_SubjectConfig) String() string { return proto.CompactTextString(m) }
+func (*CertificateConfig_SubjectConfig) ProtoMessage()    {}
+func (*CertificateConfig_SubjectConfig) Descriptor() ([]byte, []int) {
+	return fileDescriptor_6299e860b09b0827, []int{7, 0}
+}
+
+func (m *CertificateConfig_SubjectConfig) XXX_Unmarshal(b []byte) error {
+	return xxx_messageInfo_CertificateConfig_SubjectConfig.Unmarshal(m, b)
+}
+func (m *CertificateConfig_SubjectConfig) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
+	return xxx_messageInfo_CertificateConfig_SubjectConfig.Marshal(b, m, deterministic)
+}
+func (m *CertificateConfig_SubjectConfig) XXX_Merge(src proto.Message) {
+	xxx_messageInfo_CertificateConfig_SubjectConfig.Merge(m, src)
+}
+func (m *CertificateConfig_SubjectConfig) XXX_Size() int {
+	return xxx_messageInfo_CertificateConfig_SubjectConfig.Size(m)
+}
+func (m *CertificateConfig_SubjectConfig) XXX_DiscardUnknown() {
+	xxx_messageInfo_CertificateConfig_SubjectConfig.DiscardUnknown(m)
+}
+
+var xxx_messageInfo_CertificateConfig_SubjectConfig proto.InternalMessageInfo
+
+func (m *CertificateConfig_SubjectConfig) GetSubject() *Subject {
+	if m != nil {
+		return m.Subject
+	}
+	return nil
+}
+
+func (m *CertificateConfig_SubjectConfig) GetCommonName() string {
+	if m != nil {
+		return m.CommonName
+	}
+	return ""
+}
+
+func (m *CertificateConfig_SubjectConfig) GetSubjectAltName() *SubjectAltNames {
+	if m != nil {
+		return m.SubjectAltName
+	}
+	return nil
+}
+
+// A [CertificateDescription][google.cloud.security.privateca.v1alpha1.CertificateDescription] describes an X.509 certificate or CSR that has
+// been issued, as an alternative to using ASN.1 / X.509.
+type CertificateDescription struct {
+	// Describes some of the values in a certificate that are related to the
+	// subject and lifetime.
+	SubjectDescription *CertificateDescription_SubjectDescription `protobuf:"bytes,1,opt,name=subject_description,json=subjectDescription,proto3" json:"subject_description,omitempty"`
+	// Describes some of the technical fields in a certificate.
+	ConfigValues *ReusableConfigValues `protobuf:"bytes,2,opt,name=config_values,json=configValues,proto3" json:"config_values,omitempty"`
+	// The public key that corresponds to an issued certificate.
+	PublicKey *PublicKey `protobuf:"bytes,3,opt,name=public_key,json=publicKey,proto3" json:"public_key,omitempty"`
+	// Provides a means of identifiying certificates that contain a particular
+	// public key, per https://tools.ietf.org/html/rfc5280#section-4.2.1.2.
+	SubjectKeyId *CertificateDescription_KeyId `protobuf:"bytes,4,opt,name=subject_key_id,json=subjectKeyId,proto3" json:"subject_key_id,omitempty"`
+	// Identifies the subject_key_id of the parent certificate, per
+	// https://tools.ietf.org/html/rfc5280#section-4.2.1.1
+	AuthorityKeyId       *CertificateDescription_KeyId `protobuf:"bytes,5,opt,name=authority_key_id,json=authorityKeyId,proto3" json:"authority_key_id,omitempty"`
+	XXX_NoUnkeyedLiteral struct{}                      `json:"-"`
+	XXX_unrecognized     []byte                        `json:"-"`
+	XXX_sizecache        int32                         `json:"-"`
+}
+
+func (m *CertificateDescription) Reset()         { *m = CertificateDescription{} }
+func (m *CertificateDescription) String() string { return proto.CompactTextString(m) }
+func (*CertificateDescription) ProtoMessage()    {}
+func (*CertificateDescription) Descriptor() ([]byte, []int) {
+	return fileDescriptor_6299e860b09b0827, []int{8}
+}
+
+func (m *CertificateDescription) XXX_Unmarshal(b []byte) error {
+	return xxx_messageInfo_CertificateDescription.Unmarshal(m, b)
+}
+func (m *CertificateDescription) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
+	return xxx_messageInfo_CertificateDescription.Marshal(b, m, deterministic)
+}
+func (m *CertificateDescription) XXX_Merge(src proto.Message) {
+	xxx_messageInfo_CertificateDescription.Merge(m, src)
+}
+func (m *CertificateDescription) XXX_Size() int {
+	return xxx_messageInfo_CertificateDescription.Size(m)
+}
+func (m *CertificateDescription) XXX_DiscardUnknown() {
+	xxx_messageInfo_CertificateDescription.DiscardUnknown(m)
+}
+
+var xxx_messageInfo_CertificateDescription proto.InternalMessageInfo
+
+func (m *CertificateDescription) GetSubjectDescription() *CertificateDescription_SubjectDescription {
+	if m != nil {
+		return m.SubjectDescription
+	}
+	return nil
+}
+
+func (m *CertificateDescription) GetConfigValues() *ReusableConfigValues {
+	if m != nil {
+		return m.ConfigValues
+	}
+	return nil
+}
+
+func (m *CertificateDescription) GetPublicKey() *PublicKey {
+	if m != nil {
+		return m.PublicKey
+	}
+	return nil
+}
+
+func (m *CertificateDescription) GetSubjectKeyId() *CertificateDescription_KeyId {
+	if m != nil {
+		return m.SubjectKeyId
+	}
+	return nil
+}
+
+func (m *CertificateDescription) GetAuthorityKeyId() *CertificateDescription_KeyId {
+	if m != nil {
+		return m.AuthorityKeyId
+	}
+	return nil
+}
+
+// These values describe fields in an issued X.509 certificate such as the
+// distinguished name, subject alternative names, serial number, and lifetime.
+type CertificateDescription_SubjectDescription struct {
+	// Contains distinguished name fields such as the location and organization.
+	Subject *Subject `protobuf:"bytes,1,opt,name=subject,proto3" json:"subject,omitempty"`
+	// The "common name" of the distinguished name.
+	CommonName string `protobuf:"bytes,2,opt,name=common_name,json=commonName,proto3" json:"common_name,omitempty"`
+	// The subject alternative name fields.
+	SubjectAltName *SubjectAltNames `protobuf:"bytes,3,opt,name=subject_alt_name,json=subjectAltName,proto3" json:"subject_alt_name,omitempty"`
+	// The serial number encoded in lowercase hexadecimal.
+	HexSerialNumber string `protobuf:"bytes,4,opt,name=hex_serial_number,json=hexSerialNumber,proto3" json:"hex_serial_number,omitempty"`
+	// For convenience, the actual lifetime of an issued certificate.
+	// Corresponds to 'not_after_time' - 'not_before_time'.
+	Lifetime *duration.Duration `protobuf:"bytes,5,opt,name=lifetime,proto3" json:"lifetime,omitempty"`
+	// The time at which the certificate becomes valid.
+	NotBeforeTime *timestamp.Timestamp `protobuf:"bytes,6,opt,name=not_before_time,json=notBeforeTime,proto3" json:"not_before_time,omitempty"`
+	// The time at which the certificate expires.
+	NotAfterTime         *timestamp.Timestamp `protobuf:"bytes,7,opt,name=not_after_time,json=notAfterTime,proto3" json:"not_after_time,omitempty"`
+	XXX_NoUnkeyedLiteral struct{}             `json:"-"`
+	XXX_unrecognized     []byte               `json:"-"`
+	XXX_sizecache        int32                `json:"-"`
+}
+
+func (m *CertificateDescription_SubjectDescription) Reset() {
+	*m = CertificateDescription_SubjectDescription{}
+}
+func (m *CertificateDescription_SubjectDescription) String() string {
+	return proto.CompactTextString(m)
+}
+func (*CertificateDescription_SubjectDescription) ProtoMessage() {}
+func (*CertificateDescription_SubjectDescription) Descriptor() ([]byte, []int) {
+	return fileDescriptor_6299e860b09b0827, []int{8, 0}
+}
+
+func (m *CertificateDescription_SubjectDescription) XXX_Unmarshal(b []byte) error {
+	return xxx_messageInfo_CertificateDescription_SubjectDescription.Unmarshal(m, b)
+}
+func (m *CertificateDescription_SubjectDescription) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
+	return xxx_messageInfo_CertificateDescription_SubjectDescription.Marshal(b, m, deterministic)
+}
+func (m *CertificateDescription_SubjectDescription) XXX_Merge(src proto.Message) {
+	xxx_messageInfo_CertificateDescription_SubjectDescription.Merge(m, src)
+}
+func (m *CertificateDescription_SubjectDescription) XXX_Size() int {
+	return xxx_messageInfo_CertificateDescription_SubjectDescription.Size(m)
+}
+func (m *CertificateDescription_SubjectDescription) XXX_DiscardUnknown() {
+	xxx_messageInfo_CertificateDescription_SubjectDescription.DiscardUnknown(m)
+}
+
+var xxx_messageInfo_CertificateDescription_SubjectDescription proto.InternalMessageInfo
+
+func (m *CertificateDescription_SubjectDescription) GetSubject() *Subject {
+	if m != nil {
+		return m.Subject
+	}
+	return nil
+}
+
+func (m *CertificateDescription_SubjectDescription) GetCommonName() string {
+	if m != nil {
+		return m.CommonName
+	}
+	return ""
+}
+
+func (m *CertificateDescription_SubjectDescription) GetSubjectAltName() *SubjectAltNames {
+	if m != nil {
+		return m.SubjectAltName
+	}
+	return nil
+}
+
+func (m *CertificateDescription_SubjectDescription) GetHexSerialNumber() string {
+	if m != nil {
+		return m.HexSerialNumber
+	}
+	return ""
+}
+
+func (m *CertificateDescription_SubjectDescription) GetLifetime() *duration.Duration {
+	if m != nil {
+		return m.Lifetime
+	}
+	return nil
+}
+
+func (m *CertificateDescription_SubjectDescription) GetNotBeforeTime() *timestamp.Timestamp {
+	if m != nil {
+		return m.NotBeforeTime
+	}
+	return nil
+}
+
+func (m *CertificateDescription_SubjectDescription) GetNotAfterTime() *timestamp.Timestamp {
+	if m != nil {
+		return m.NotAfterTime
+	}
+	return nil
+}
+
+// A KeyId identifies a specific public key, usually by hashing the public
+// key.
+type CertificateDescription_KeyId struct {
+	// Optional. The value of this KeyId encoded in lowercase hexadecimal. This is most
+	// likely the 160 bit SHA-1 hash of the public key.
+	KeyId                string   `protobuf:"bytes,1,opt,name=key_id,json=keyId,proto3" json:"key_id,omitempty"`
+	XXX_NoUnkeyedLiteral struct{} `json:"-"`
+	XXX_unrecognized     []byte   `json:"-"`
+	XXX_sizecache        int32    `json:"-"`
+}
+
+func (m *CertificateDescription_KeyId) Reset()         { *m = CertificateDescription_KeyId{} }
+func (m *CertificateDescription_KeyId) String() string { return proto.CompactTextString(m) }
+func (*CertificateDescription_KeyId) ProtoMessage()    {}
+func (*CertificateDescription_KeyId) Descriptor() ([]byte, []int) {
+	return fileDescriptor_6299e860b09b0827, []int{8, 1}
+}
+
+func (m *CertificateDescription_KeyId) XXX_Unmarshal(b []byte) error {
+	return xxx_messageInfo_CertificateDescription_KeyId.Unmarshal(m, b)
+}
+func (m *CertificateDescription_KeyId) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
+	return xxx_messageInfo_CertificateDescription_KeyId.Marshal(b, m, deterministic)
+}
+func (m *CertificateDescription_KeyId) XXX_Merge(src proto.Message) {
+	xxx_messageInfo_CertificateDescription_KeyId.Merge(m, src)
+}
+func (m *CertificateDescription_KeyId) XXX_Size() int {
+	return xxx_messageInfo_CertificateDescription_KeyId.Size(m)
+}
+func (m *CertificateDescription_KeyId) XXX_DiscardUnknown() {
+	xxx_messageInfo_CertificateDescription_KeyId.DiscardUnknown(m)
+}
+
+var xxx_messageInfo_CertificateDescription_KeyId proto.InternalMessageInfo
+
+func (m *CertificateDescription_KeyId) GetKeyId() string {
+	if m != nil {
+		return m.KeyId
+	}
+	return ""
+}
+
+// An [ObjectId][google.cloud.security.privateca.v1alpha1.ObjectId] specifies an object identifier (OID). These provide context
+// and describe types in ASN.1 messages.
+type ObjectId struct {
+	// Required. The parts of an OID path. The most significant parts of the path come
+	// first.
+	ObjectIdPath         []int32  `protobuf:"varint,1,rep,packed,name=object_id_path,json=objectIdPath,proto3" json:"object_id_path,omitempty"`
+	XXX_NoUnkeyedLiteral struct{} `json:"-"`
+	XXX_unrecognized     []byte   `json:"-"`
+	XXX_sizecache        int32    `json:"-"`
+}
+
+func (m *ObjectId) Reset()         { *m = ObjectId{} }
+func (m *ObjectId) String() string { return proto.CompactTextString(m) }
+func (*ObjectId) ProtoMessage()    {}
+func (*ObjectId) Descriptor() ([]byte, []int) {
+	return fileDescriptor_6299e860b09b0827, []int{9}
+}
+
+func (m *ObjectId) XXX_Unmarshal(b []byte) error {
+	return xxx_messageInfo_ObjectId.Unmarshal(m, b)
+}
+func (m *ObjectId) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
+	return xxx_messageInfo_ObjectId.Marshal(b, m, deterministic)
+}
+func (m *ObjectId) XXX_Merge(src proto.Message) {
+	xxx_messageInfo_ObjectId.Merge(m, src)
+}
+func (m *ObjectId) XXX_Size() int {
+	return xxx_messageInfo_ObjectId.Size(m)
+}
+func (m *ObjectId) XXX_DiscardUnknown() {
+	xxx_messageInfo_ObjectId.DiscardUnknown(m)
+}
+
+var xxx_messageInfo_ObjectId proto.InternalMessageInfo
+
+func (m *ObjectId) GetObjectIdPath() []int32 {
+	if m != nil {
+		return m.ObjectIdPath
+	}
+	return nil
+}
+
+// An [X509Extension][google.cloud.security.privateca.v1alpha1.X509Extension] specifies an X.509 extension, which may be used in
+// different parts of X.509 objects like certificates, CSRs, and CRLs.
+type X509Extension struct {
+	// Required. The OID for this X.509 extension.
+	ObjectId *ObjectId `protobuf:"bytes,1,opt,name=object_id,json=objectId,proto3" json:"object_id,omitempty"`
+	// Required. Indicates whether or not this extension is critical (i.e., if the client
+	// does not know how to handle this extension, the client should consider this
+	// to be an error).
+	Critical bool `protobuf:"varint,2,opt,name=critical,proto3" json:"critical,omitempty"`
+	// Required. The value of this X.509 extension.
+	Value                []byte   `protobuf:"bytes,3,opt,name=value,proto3" json:"value,omitempty"`
+	XXX_NoUnkeyedLiteral struct{} `json:"-"`
+	XXX_unrecognized     []byte   `json:"-"`
+	XXX_sizecache        int32    `json:"-"`
+}
+
+func (m *X509Extension) Reset()         { *m = X509Extension{} }
+func (m *X509Extension) String() string { return proto.CompactTextString(m) }
+func (*X509Extension) ProtoMessage()    {}
+func (*X509Extension) Descriptor() ([]byte, []int) {
+	return fileDescriptor_6299e860b09b0827, []int{10}
+}
+
+func (m *X509Extension) XXX_Unmarshal(b []byte) error {
+	return xxx_messageInfo_X509Extension.Unmarshal(m, b)
+}
+func (m *X509Extension) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
+	return xxx_messageInfo_X509Extension.Marshal(b, m, deterministic)
+}
+func (m *X509Extension) XXX_Merge(src proto.Message) {
+	xxx_messageInfo_X509Extension.Merge(m, src)
+}
+func (m *X509Extension) XXX_Size() int {
+	return xxx_messageInfo_X509Extension.Size(m)
+}
+func (m *X509Extension) XXX_DiscardUnknown() {
+	xxx_messageInfo_X509Extension.DiscardUnknown(m)
+}
+
+var xxx_messageInfo_X509Extension proto.InternalMessageInfo
+
+func (m *X509Extension) GetObjectId() *ObjectId {
+	if m != nil {
+		return m.ObjectId
+	}
+	return nil
+}
+
+func (m *X509Extension) GetCritical() bool {
+	if m != nil {
+		return m.Critical
+	}
+	return false
+}
+
+func (m *X509Extension) GetValue() []byte {
+	if m != nil {
+		return m.Value
+	}
+	return nil
+}
+
+// A [KeyUsage][google.cloud.security.privateca.v1alpha1.KeyUsage] describes key usage values that may appear in an X.509
+// certificate.
+type KeyUsage struct {
+	// Describes high-level ways in which a key may be used.
+	BaseKeyUsage *KeyUsage_KeyUsageOptions `protobuf:"bytes,1,opt,name=base_key_usage,json=baseKeyUsage,proto3" json:"base_key_usage,omitempty"`
+	// Detailed scenarios in which a key may be used.
+	ExtendedKeyUsage *KeyUsage_ExtendedKeyUsageOptions `protobuf:"bytes,2,opt,name=extended_key_usage,json=extendedKeyUsage,proto3" json:"extended_key_usage,omitempty"`
+	// Used to describe extended key usages that are not listed in the
+	// [KeyUsage.ExtendedKeyUsageOptions][google.cloud.security.privateca.v1alpha1.KeyUsage.ExtendedKeyUsageOptions] message.
+	UnknownExtendedKeyUsages []*ObjectId `protobuf:"bytes,3,rep,name=unknown_extended_key_usages,json=unknownExtendedKeyUsages,proto3" json:"unknown_extended_key_usages,omitempty"`
+	XXX_NoUnkeyedLiteral     struct{}    `json:"-"`
+	XXX_unrecognized         []byte      `json:"-"`
+	XXX_sizecache            int32       `json:"-"`
+}
+
+func (m *KeyUsage) Reset()         { *m = KeyUsage{} }
+func (m *KeyUsage) String() string { return proto.CompactTextString(m) }
+func (*KeyUsage) ProtoMessage()    {}
+func (*KeyUsage) Descriptor() ([]byte, []int) {
+	return fileDescriptor_6299e860b09b0827, []int{11}
+}
+
+func (m *KeyUsage) XXX_Unmarshal(b []byte) error {
+	return xxx_messageInfo_KeyUsage.Unmarshal(m, b)
+}
+func (m *KeyUsage) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
+	return xxx_messageInfo_KeyUsage.Marshal(b, m, deterministic)
+}
+func (m *KeyUsage) XXX_Merge(src proto.Message) {
+	xxx_messageInfo_KeyUsage.Merge(m, src)
+}
+func (m *KeyUsage) XXX_Size() int {
+	return xxx_messageInfo_KeyUsage.Size(m)
+}
+func (m *KeyUsage) XXX_DiscardUnknown() {
+	xxx_messageInfo_KeyUsage.DiscardUnknown(m)
+}
+
+var xxx_messageInfo_KeyUsage proto.InternalMessageInfo
+
+func (m *KeyUsage) GetBaseKeyUsage() *KeyUsage_KeyUsageOptions {
+	if m != nil {
+		return m.BaseKeyUsage
+	}
+	return nil
+}
+
+func (m *KeyUsage) GetExtendedKeyUsage() *KeyUsage_ExtendedKeyUsageOptions {
+	if m != nil {
+		return m.ExtendedKeyUsage
+	}
+	return nil
+}
+
+func (m *KeyUsage) GetUnknownExtendedKeyUsages() []*ObjectId {
+	if m != nil {
+		return m.UnknownExtendedKeyUsages
+	}
+	return nil
+}
+
+// [KeyUsage.KeyUsageOptions][google.cloud.security.privateca.v1alpha1.KeyUsage.KeyUsageOptions] corresponds to the key usage values
+// described in https://tools.ietf.org/html/rfc5280#section-4.2.1.3.
+type KeyUsage_KeyUsageOptions struct {
+	// The key may be used for digital signatures.
+	DigitalSignature bool `protobuf:"varint,1,opt,name=digital_signature,json=digitalSignature,proto3" json:"digital_signature,omitempty"`
+	// The key may be used for cryptographic commitments. Note that this may
+	// also be referred to as "non-repudiation".
+	ContentCommitment bool `protobuf:"varint,2,opt,name=content_commitment,json=contentCommitment,proto3" json:"content_commitment,omitempty"`
+	// The key may be used to encipher other keys.
+	KeyEncipherment bool `protobuf:"varint,3,opt,name=key_encipherment,json=keyEncipherment,proto3" json:"key_encipherment,omitempty"`
+	// The key may be used to encipher data.
+	DataEncipherment bool `protobuf:"varint,4,opt,name=data_encipherment,json=dataEncipherment,proto3" json:"data_encipherment,omitempty"`
+	// The key may be used in a key agreement protocol.
+	KeyAgreement bool `protobuf:"varint,5,opt,name=key_agreement,json=keyAgreement,proto3" json:"key_agreement,omitempty"`
+	// The key may be used to sign certificates.
+	CertSign bool `protobuf:"varint,6,opt,name=cert_sign,json=certSign,proto3" json:"cert_sign,omitempty"`
+	// The key may be used sign certificate revocation lists.
+	CrlSign bool `protobuf:"varint,7,opt,name=crl_sign,json=crlSign,proto3" json:"crl_sign,omitempty"`
+	// The key may be used to encipher only.
+	EncipherOnly bool `protobuf:"varint,8,opt,name=encipher_only,json=encipherOnly,proto3" json:"encipher_only,omitempty"`
+	// The key may be used to decipher only.
+	DecipherOnly         bool     `protobuf:"varint,9,opt,name=decipher_only,json=decipherOnly,proto3" json:"decipher_only,omitempty"`
+	XXX_NoUnkeyedLiteral struct{} `json:"-"`
+	XXX_unrecognized     []byte   `json:"-"`
+	XXX_sizecache        int32    `json:"-"`
+}
+
+func (m *KeyUsage_KeyUsageOptions) Reset()         { *m = KeyUsage_KeyUsageOptions{} }
+func (m *KeyUsage_KeyUsageOptions) String() string { return proto.CompactTextString(m) }
+func (*KeyUsage_KeyUsageOptions) ProtoMessage()    {}
+func (*KeyUsage_KeyUsageOptions) Descriptor() ([]byte, []int) {
+	return fileDescriptor_6299e860b09b0827, []int{11, 0}
+}
+
+func (m *KeyUsage_KeyUsageOptions) XXX_Unmarshal(b []byte) error {
+	return xxx_messageInfo_KeyUsage_KeyUsageOptions.Unmarshal(m, b)
+}
+func (m *KeyUsage_KeyUsageOptions) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
+	return xxx_messageInfo_KeyUsage_KeyUsageOptions.Marshal(b, m, deterministic)
+}
+func (m *KeyUsage_KeyUsageOptions) XXX_Merge(src proto.Message) {
+	xxx_messageInfo_KeyUsage_KeyUsageOptions.Merge(m, src)
+}
+func (m *KeyUsage_KeyUsageOptions) XXX_Size() int {
+	return xxx_messageInfo_KeyUsage_KeyUsageOptions.Size(m)
+}
+func (m *KeyUsage_KeyUsageOptions) XXX_DiscardUnknown() {
+	xxx_messageInfo_KeyUsage_KeyUsageOptions.DiscardUnknown(m)
+}
+
+var xxx_messageInfo_KeyUsage_KeyUsageOptions proto.InternalMessageInfo
+
+func (m *KeyUsage_KeyUsageOptions) GetDigitalSignature() bool {
+	if m != nil {
+		return m.DigitalSignature
+	}
+	return false
+}
+
+func (m *KeyUsage_KeyUsageOptions) GetContentCommitment() bool {
+	if m != nil {
+		return m.ContentCommitment
+	}
+	return false
+}
+
+func (m *KeyUsage_KeyUsageOptions) GetKeyEncipherment() bool {
+	if m != nil {
+		return m.KeyEncipherment
+	}
+	return false
+}
+
+func (m *KeyUsage_KeyUsageOptions) GetDataEncipherment() bool {
+	if m != nil {
+		return m.DataEncipherment
+	}
+	return false
+}
+
+func (m *KeyUsage_KeyUsageOptions) GetKeyAgreement() bool {
+	if m != nil {
+		return m.KeyAgreement
+	}
+	return false
+}
+
+func (m *KeyUsage_KeyUsageOptions) GetCertSign() bool {
+	if m != nil {
+		return m.CertSign
+	}
+	return false
+}
+
+func (m *KeyUsage_KeyUsageOptions) GetCrlSign() bool {
+	if m != nil {
+		return m.CrlSign
+	}
+	return false
+}
+
+func (m *KeyUsage_KeyUsageOptions) GetEncipherOnly() bool {
+	if m != nil {
+		return m.EncipherOnly
+	}
+	return false
+}
+
+func (m *KeyUsage_KeyUsageOptions) GetDecipherOnly() bool {
+	if m != nil {
+		return m.DecipherOnly
+	}
+	return false
+}
+
+// [KeyUsage.ExtendedKeyUsageOptions][google.cloud.security.privateca.v1alpha1.KeyUsage.ExtendedKeyUsageOptions] has fields that correspond to
+// certain common OIDs that could be specified as an extended key usage value.
+type KeyUsage_ExtendedKeyUsageOptions struct {
+	// Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as "TLS WWW
+	// server authentication", though regularly used for non-WWW TLS.
+	ServerAuth bool `protobuf:"varint,1,opt,name=server_auth,json=serverAuth,proto3" json:"server_auth,omitempty"`
+	// Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as "TLS WWW
+	// client authentication", though regularly used for non-WWW TLS.
+	ClientAuth bool `protobuf:"varint,2,opt,name=client_auth,json=clientAuth,proto3" json:"client_auth,omitempty"`
+	// Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as "Signing of
+	// downloadable executable code client authentication".
+	CodeSigning bool `protobuf:"varint,3,opt,name=code_signing,json=codeSigning,proto3" json:"code_signing,omitempty"`
+	// Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as "Email
+	// protection".
+	EmailProtection bool `protobuf:"varint,4,opt,name=email_protection,json=emailProtection,proto3" json:"email_protection,omitempty"`
+	// Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as "Binding
+	// the hash of an object to a time".
+	TimeStamping bool `protobuf:"varint,5,opt,name=time_stamping,json=timeStamping,proto3" json:"time_stamping,omitempty"`
+	// Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as "Signing
+	// OCSP responses".
+	OcspSigning          bool     `protobuf:"varint,6,opt,name=ocsp_signing,json=ocspSigning,proto3" json:"ocsp_signing,omitempty"`
+	XXX_NoUnkeyedLiteral struct{} `json:"-"`
+	XXX_unrecognized     []byte   `json:"-"`
+	XXX_sizecache        int32    `json:"-"`
+}
+
+func (m *KeyUsage_ExtendedKeyUsageOptions) Reset()         { *m = KeyUsage_ExtendedKeyUsageOptions{} }
+func (m *KeyUsage_ExtendedKeyUsageOptions) String() string { return proto.CompactTextString(m) }
+func (*KeyUsage_ExtendedKeyUsageOptions) ProtoMessage()    {}
+func (*KeyUsage_ExtendedKeyUsageOptions) Descriptor() ([]byte, []int) {
+	return fileDescriptor_6299e860b09b0827, []int{11, 1}
+}
+
+func (m *KeyUsage_ExtendedKeyUsageOptions) XXX_Unmarshal(b []byte) error {
+	return xxx_messageInfo_KeyUsage_ExtendedKeyUsageOptions.Unmarshal(m, b)
+}
+func (m *KeyUsage_ExtendedKeyUsageOptions) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
+	return xxx_messageInfo_KeyUsage_ExtendedKeyUsageOptions.Marshal(b, m, deterministic)
+}
+func (m *KeyUsage_ExtendedKeyUsageOptions) XXX_Merge(src proto.Message) {
+	xxx_messageInfo_KeyUsage_ExtendedKeyUsageOptions.Merge(m, src)
+}
+func (m *KeyUsage_ExtendedKeyUsageOptions) XXX_Size() int {
+	return xxx_messageInfo_KeyUsage_ExtendedKeyUsageOptions.Size(m)
+}
+func (m *KeyUsage_ExtendedKeyUsageOptions) XXX_DiscardUnknown() {
+	xxx_messageInfo_KeyUsage_ExtendedKeyUsageOptions.DiscardUnknown(m)
+}
+
+var xxx_messageInfo_KeyUsage_ExtendedKeyUsageOptions proto.InternalMessageInfo
+
+func (m *KeyUsage_ExtendedKeyUsageOptions) GetServerAuth() bool {
+	if m != nil {
+		return m.ServerAuth
+	}
+	return false
+}
+
+func (m *KeyUsage_ExtendedKeyUsageOptions) GetClientAuth() bool {
+	if m != nil {
+		return m.ClientAuth
+	}
+	return false
+}
+
+func (m *KeyUsage_ExtendedKeyUsageOptions) GetCodeSigning() bool {
+	if m != nil {
+		return m.CodeSigning
+	}
+	return false
+}
+
+func (m *KeyUsage_ExtendedKeyUsageOptions) GetEmailProtection() bool {
+	if m != nil {
+		return m.EmailProtection
+	}
+	return false
+}
+
+func (m *KeyUsage_ExtendedKeyUsageOptions) GetTimeStamping() bool {
+	if m != nil {
+		return m.TimeStamping
+	}
+	return false
+}
+
+func (m *KeyUsage_ExtendedKeyUsageOptions) GetOcspSigning() bool {
+	if m != nil {
+		return m.OcspSigning
+	}
+	return false
+}
+
+// [Subject][google.cloud.security.privateca.v1alpha1.Subject] describes parts of a distinguished name that, in turn,
+// describes the subject of the certificate.
+type Subject struct {
+	// The country code of the subject.
+	CountryCode string `protobuf:"bytes,1,opt,name=country_code,json=countryCode,proto3" json:"country_code,omitempty"`
+	// The organization of the subject.
+	Organization string `protobuf:"bytes,2,opt,name=organization,proto3" json:"organization,omitempty"`
+	// The organizational_unit of the subject.
+	OrganizationalUnit string `protobuf:"bytes,3,opt,name=organizational_unit,json=organizationalUnit,proto3" json:"organizational_unit,omitempty"`
+	// The locality or city of the subject.
+	Locality string `protobuf:"bytes,4,opt,name=locality,proto3" json:"locality,omitempty"`
+	// The province, territory, or regional state of the subject.
+	Province string `protobuf:"bytes,5,opt,name=province,proto3" json:"province,omitempty"`
+	// The street address of the subject.
+	StreetAddress string `protobuf:"bytes,6,opt,name=street_address,json=streetAddress,proto3" json:"street_address,omitempty"`
+	// The postal code of the subject.
+	PostalCode           string   `protobuf:"bytes,7,opt,name=postal_code,json=postalCode,proto3" json:"postal_code,omitempty"`
+	XXX_NoUnkeyedLiteral struct{} `json:"-"`
+	XXX_unrecognized     []byte   `json:"-"`
+	XXX_sizecache        int32    `json:"-"`
+}
+
+func (m *Subject) Reset()         { *m = Subject{} }
+func (m *Subject) String() string { return proto.CompactTextString(m) }
+func (*Subject) ProtoMessage()    {}
+func (*Subject) Descriptor() ([]byte, []int) {
+	return fileDescriptor_6299e860b09b0827, []int{12}
+}
+
+func (m *Subject) XXX_Unmarshal(b []byte) error {
+	return xxx_messageInfo_Subject.Unmarshal(m, b)
+}
+func (m *Subject) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
+	return xxx_messageInfo_Subject.Marshal(b, m, deterministic)
+}
+func (m *Subject) XXX_Merge(src proto.Message) {
+	xxx_messageInfo_Subject.Merge(m, src)
+}
+func (m *Subject) XXX_Size() int {
+	return xxx_messageInfo_Subject.Size(m)
+}
+func (m *Subject) XXX_DiscardUnknown() {
+	xxx_messageInfo_Subject.DiscardUnknown(m)
+}
+
+var xxx_messageInfo_Subject proto.InternalMessageInfo
+
+func (m *Subject) GetCountryCode() string {
+	if m != nil {
+		return m.CountryCode
+	}
+	return ""
+}
+
+func (m *Subject) GetOrganization() string {
+	if m != nil {
+		return m.Organization
+	}
+	return ""
+}
+
+func (m *Subject) GetOrganizationalUnit() string {
+	if m != nil {
+		return m.OrganizationalUnit
+	}
+	return ""
+}
+
+func (m *Subject) GetLocality() string {
+	if m != nil {
+		return m.Locality
+	}
+	return ""
+}
+
+func (m *Subject) GetProvince() string {
+	if m != nil {
+		return m.Province
+	}
+	return ""
+}
+
+func (m *Subject) GetStreetAddress() string {
+	if m != nil {
+		return m.StreetAddress
+	}
+	return ""
+}
+
+func (m *Subject) GetPostalCode() string {
+	if m != nil {
+		return m.PostalCode
+	}
+	return ""
+}
+
+// [SubjectAltNames][google.cloud.security.privateca.v1alpha1.SubjectAltNames] corresponds to a more modern way of listing what
+// the asserted identity is in a certificate (i.e., compared to the "common
+// name" in the distinguished name).
+type SubjectAltNames struct {
+	// Contains only valid, fully-qualified host names.
+	DnsNames []string `protobuf:"bytes,1,rep,name=dns_names,json=dnsNames,proto3" json:"dns_names,omitempty"`
+	// Contains only valid RFC 3986 URIs.
+	Uris []string `protobuf:"bytes,2,rep,name=uris,proto3" json:"uris,omitempty"`
+	// Contains only valid RFC 2822 E-mail addresses.
+	EmailAddresses []string `protobuf:"bytes,3,rep,name=email_addresses,json=emailAddresses,proto3" json:"email_addresses,omitempty"`
+	// Contains only valid 32-bit IPv4 addresses or RFC 4291 IPv6 addresses.
+	IpAddresses []string `protobuf:"bytes,4,rep,name=ip_addresses,json=ipAddresses,proto3" json:"ip_addresses,omitempty"`
+	// Contains additional subject alternative name values.
+	CustomSans           []*X509Extension `protobuf:"bytes,5,rep,name=custom_sans,json=customSans,proto3" json:"custom_sans,omitempty"`
+	XXX_NoUnkeyedLiteral struct{}         `json:"-"`
+	XXX_unrecognized     []byte           `json:"-"`
+	XXX_sizecache        int32            `json:"-"`
+}
+
+func (m *SubjectAltNames) Reset()         { *m = SubjectAltNames{} }
+func (m *SubjectAltNames) String() string { return proto.CompactTextString(m) }
+func (*SubjectAltNames) ProtoMessage()    {}
+func (*SubjectAltNames) Descriptor() ([]byte, []int) {
+	return fileDescriptor_6299e860b09b0827, []int{13}
+}
+
+func (m *SubjectAltNames) XXX_Unmarshal(b []byte) error {
+	return xxx_messageInfo_SubjectAltNames.Unmarshal(m, b)
+}
+func (m *SubjectAltNames) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
+	return xxx_messageInfo_SubjectAltNames.Marshal(b, m, deterministic)
+}
+func (m *SubjectAltNames) XXX_Merge(src proto.Message) {
+	xxx_messageInfo_SubjectAltNames.Merge(m, src)
+}
+func (m *SubjectAltNames) XXX_Size() int {
+	return xxx_messageInfo_SubjectAltNames.Size(m)
+}
+func (m *SubjectAltNames) XXX_DiscardUnknown() {
+	xxx_messageInfo_SubjectAltNames.DiscardUnknown(m)
+}
+
+var xxx_messageInfo_SubjectAltNames proto.InternalMessageInfo
+
+func (m *SubjectAltNames) GetDnsNames() []string {
+	if m != nil {
+		return m.DnsNames
+	}
+	return nil
+}
+
+func (m *SubjectAltNames) GetUris() []string {
+	if m != nil {
+		return m.Uris
+	}
+	return nil
+}
+
+func (m *SubjectAltNames) GetEmailAddresses() []string {
+	if m != nil {
+		return m.EmailAddresses
+	}
+	return nil
+}
+
+func (m *SubjectAltNames) GetIpAddresses() []string {
+	if m != nil {
+		return m.IpAddresses
+	}
+	return nil
+}
+
+func (m *SubjectAltNames) GetCustomSans() []*X509Extension {
+	if m != nil {
+		return m.CustomSans
+	}
+	return nil
+}
+
+func init() {
+	proto.RegisterEnum("google.cloud.security.privateca.v1alpha1.RevocationReason", RevocationReason_name, RevocationReason_value)
+	proto.RegisterEnum("google.cloud.security.privateca.v1alpha1.CertificateAuthority_Type", CertificateAuthority_Type_name, CertificateAuthority_Type_value)
+	proto.RegisterEnum("google.cloud.security.privateca.v1alpha1.CertificateAuthority_State", CertificateAuthority_State_name, CertificateAuthority_State_value)
+	proto.RegisterEnum("google.cloud.security.privateca.v1alpha1.CertificateRevocationList_State", CertificateRevocationList_State_name, CertificateRevocationList_State_value)
+	proto.RegisterEnum("google.cloud.security.privateca.v1alpha1.PublicKey_KeyType", PublicKey_KeyType_name, PublicKey_KeyType_value)
+	proto.RegisterType((*CertificateAuthority)(nil), "google.cloud.security.privateca.v1alpha1.CertificateAuthority")
+	proto.RegisterMapType((map[string]string)(nil), "google.cloud.security.privateca.v1alpha1.CertificateAuthority.LabelsEntry")
+	proto.RegisterType((*CertificateAuthority_IssuingOptions)(nil), "google.cloud.security.privateca.v1alpha1.CertificateAuthority.IssuingOptions")
+	proto.RegisterType((*CertificateAuthority_CertificateAuthorityPolicy)(nil), "google.cloud.security.privateca.v1alpha1.CertificateAuthority.CertificateAuthorityPolicy")
+	proto.RegisterType((*CertificateAuthority_CertificateAuthorityPolicy_AllowedConfigList)(nil), "google.cloud.security.privateca.v1alpha1.CertificateAuthority.CertificateAuthorityPolicy.AllowedConfigList")
+	proto.RegisterType((*CertificateAuthority_CertificateAuthorityPolicy_AllowedSubjectAltNames)(nil), "google.cloud.security.privateca.v1alpha1.CertificateAuthority.CertificateAuthorityPolicy.AllowedSubjectAltNames")
+	proto.RegisterType((*CertificateAuthority_AccessUrls)(nil), "google.cloud.security.privateca.v1alpha1.CertificateAuthority.AccessUrls")
+	proto.RegisterType((*CertificateRevocationList)(nil), "google.cloud.security.privateca.v1alpha1.CertificateRevocationList")
+	proto.RegisterMapType((map[string]string)(nil), "google.cloud.security.privateca.v1alpha1.CertificateRevocationList.LabelsEntry")
+	proto.RegisterType((*CertificateRevocationList_RevokedCertificate)(nil), "google.cloud.security.privateca.v1alpha1.CertificateRevocationList.RevokedCertificate")
+	proto.RegisterType((*Certificate)(nil), "google.cloud.security.privateca.v1alpha1.Certificate")
+	proto.RegisterMapType((map[string]string)(nil), "google.cloud.security.privateca.v1alpha1.Certificate.LabelsEntry")
+	proto.RegisterType((*Certificate_RevocationDetails)(nil), "google.cloud.security.privateca.v1alpha1.Certificate.RevocationDetails")
+	proto.RegisterType((*ReusableConfig)(nil), "google.cloud.security.privateca.v1alpha1.ReusableConfig")
+	proto.RegisterMapType((map[string]string)(nil), "google.cloud.security.privateca.v1alpha1.ReusableConfig.LabelsEntry")
+	proto.RegisterType((*ReusableConfigValues)(nil), "google.cloud.security.privateca.v1alpha1.ReusableConfigValues")
+	proto.RegisterType((*ReusableConfigValues_CaOptions)(nil), "google.cloud.security.privateca.v1alpha1.ReusableConfigValues.CaOptions")
+	proto.RegisterType((*ReusableConfigValues_AuthorityInformationAccess)(nil), "google.cloud.security.privateca.v1alpha1.ReusableConfigValues.AuthorityInformationAccess")
+	proto.RegisterType((*ReusableConfigWrapper)(nil), "google.cloud.security.privateca.v1alpha1.ReusableConfigWrapper")
+	proto.RegisterType((*PublicKey)(nil), "google.cloud.security.privateca.v1alpha1.PublicKey")
+	proto.RegisterType((*CertificateConfig)(nil), "google.cloud.security.privateca.v1alpha1.CertificateConfig")
+	proto.RegisterType((*CertificateConfig_SubjectConfig)(nil), "google.cloud.security.privateca.v1alpha1.CertificateConfig.SubjectConfig")
+	proto.RegisterType((*CertificateDescription)(nil), "google.cloud.security.privateca.v1alpha1.CertificateDescription")
+	proto.RegisterType((*CertificateDescription_SubjectDescription)(nil), "google.cloud.security.privateca.v1alpha1.CertificateDescription.SubjectDescription")
+	proto.RegisterType((*CertificateDescription_KeyId)(nil), "google.cloud.security.privateca.v1alpha1.CertificateDescription.KeyId")
+	proto.RegisterType((*ObjectId)(nil), "google.cloud.security.privateca.v1alpha1.ObjectId")
+	proto.RegisterType((*X509Extension)(nil), "google.cloud.security.privateca.v1alpha1.X509Extension")
+	proto.RegisterType((*KeyUsage)(nil), "google.cloud.security.privateca.v1alpha1.KeyUsage")
+	proto.RegisterType((*KeyUsage_KeyUsageOptions)(nil), "google.cloud.security.privateca.v1alpha1.KeyUsage.KeyUsageOptions")
+	proto.RegisterType((*KeyUsage_ExtendedKeyUsageOptions)(nil), "google.cloud.security.privateca.v1alpha1.KeyUsage.ExtendedKeyUsageOptions")
+	proto.RegisterType((*Subject)(nil), "google.cloud.security.privateca.v1alpha1.Subject")
+	proto.RegisterType((*SubjectAltNames)(nil), "google.cloud.security.privateca.v1alpha1.SubjectAltNames")
+}
+
+func init() {
+	proto.RegisterFile("google/cloud/security/privateca/v1alpha1/resources.proto", fileDescriptor_6299e860b09b0827)
+}
+
+var fileDescriptor_6299e860b09b0827 = []byte{
+	// 3486 bytes of a gzipped FileDescriptorProto
+	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xb4, 0x5a, 0x4d, 0x70, 0x1b, 0x47,
+	0x76, 0xd6, 0x80, 0x04, 0x09, 0x3c, 0x80, 0x20, 0xd8, 0xfc, 0x03, 0x21, 0x45, 0xa2, 0x20, 0x39,
+	0x96, 0x1d, 0x1b, 0x88, 0xe8, 0x28, 0xb6, 0xe4, 0x8a, 0x6d, 0x10, 0x18, 0x89, 0x30, 0x29, 0x12,
+	0x19, 0x80, 0x94, 0xe5, 0xa4, 0x32, 0xd5, 0x9c, 0x69, 0x82, 0x13, 0x0e, 0x66, 0xa0, 0xe9, 0x01,
+	0x45, 0x44, 0x25, 0x57, 0xa5, 0x9c, 0x94, 0x0f, 0x29, 0x27, 0x39, 0x3a, 0x87, 0x54, 0x25, 0x39,
+	0xe4, 0x90, 0xaa, 0x54, 0xe5, 0x96, 0xdb, 0xee, 0xc5, 0xe5, 0xda, 0xf2, 0x69, 0x2f, 0x7b, 0xd8,
+	0x9b, 0x8f, 0x5b, 0xaa, 0xbd, 0xec, 0x6d, 0x8f, 0x5b, 0xfd, 0x33, 0x83, 0x01, 0x48, 0x96, 0x48,
+	0x82, 0xba, 0x61, 0x5e, 0xbf, 0x7e, 0xef, 0xf5, 0xeb, 0xd7, 0x5f, 0xbf, 0xf7, 0x1a, 0xf0, 0x51,
+	0xcb, 0x75, 0x5b, 0x36, 0x29, 0x19, 0xb6, 0xdb, 0x35, 0x4b, 0x94, 0x18, 0x5d, 0xcf, 0xf2, 0x7b,
+	0xa5, 0x8e, 0x67, 0x1d, 0x62, 0x9f, 0x18, 0xb8, 0x74, 0x78, 0x17, 0xdb, 0x9d, 0x7d, 0x7c, 0xb7,
+	0xe4, 0x11, 0xea, 0x76, 0x3d, 0x83, 0xd0, 0x62, 0xc7, 0x73, 0x7d, 0x17, 0xdd, 0x11, 0x33, 0x8b,
+	0x7c, 0x66, 0x31, 0x98, 0x59, 0x0c, 0x67, 0x16, 0x83, 0x99, 0xf9, 0x1b, 0x52, 0x07, 0xee, 0x58,
+	0xa5, 0x3d, 0x8b, 0xd8, 0xa6, 0xbe, 0x4b, 0xf6, 0xf1, 0xa1, 0xe5, 0x7a, 0x42, 0x54, 0x7e, 0x29,
+	0xc2, 0x10, 0xa8, 0x91, 0x43, 0xd7, 0xe5, 0x10, 0xff, 0xda, 0xed, 0xee, 0x95, 0xcc, 0xae, 0x87,
+	0x7d, 0xcb, 0x75, 0xe4, 0xf8, 0x8d, 0xe1, 0x71, 0xdf, 0x6a, 0x13, 0xea, 0xe3, 0x76, 0xe7, 0x34,
+	0x01, 0xcf, 0x3d, 0xdc, 0xe9, 0x10, 0x4f, 0x2e, 0x23, 0x7f, 0x2d, 0xa2, 0x1b, 0x3b, 0x8e, 0xeb,
+	0x73, 0xe9, 0x72, 0xb4, 0xf0, 0xaf, 0x4b, 0x30, 0x57, 0x21, 0x9e, 0x6f, 0xed, 0x59, 0x06, 0xf6,
+	0x49, 0xb9, 0xeb, 0xef, 0xbb, 0x6c, 0x99, 0x68, 0x11, 0xc6, 0x1d, 0xdc, 0x26, 0x39, 0x65, 0x59,
+	0xb9, 0x93, 0x5c, 0x1d, 0xfb, 0xa9, 0x3c, 0xa6, 0x71, 0x02, 0xfa, 0x6b, 0x18, 0xf7, 0x7b, 0x1d,
+	0x92, 0x8b, 0x2d, 0x2b, 0x77, 0x32, 0x2b, 0x95, 0xe2, 0x59, 0xbd, 0x54, 0x3c, 0x49, 0x4d, 0xb1,
+	0xd9, 0xeb, 0x10, 0x26, 0x3d, 0xae, 0x71, 0xa9, 0xe8, 0x0b, 0x98, 0x30, 0x5c, 0x67, 0xcf, 0x6a,
+	0xe5, 0xc6, 0x96, 0x95, 0x3b, 0xa9, 0x95, 0x8f, 0x2f, 0x24, 0xbf, 0xc2, 0x45, 0x08, 0xb9, 0x52,
+	0x1e, 0x7a, 0x00, 0x09, 0xdb, 0xda, 0x23, 0xcc, 0x7d, 0xb9, 0x71, 0x2e, 0x7b, 0x29, 0x90, 0x1d,
+	0xb8, 0xae, 0x58, 0x95, 0xbe, 0x67, 0x33, 0x63, 0x5a, 0xc8, 0x8f, 0xee, 0xc3, 0x3c, 0xd7, 0xaf,
+	0x1f, 0xb4, 0xa9, 0x7e, 0x40, 0x7a, 0xfa, 0x21, 0xf1, 0xa8, 0xe5, 0x3a, 0xb9, 0x38, 0xf7, 0xce,
+	0xc4, 0x4f, 0xe5, 0x38, 0x9b, 0x80, 0x38, 0xd3, 0x7a, 0x9b, 0xae, 0x93, 0xde, 0x8e, 0xe0, 0x40,
+	0xdf, 0x2a, 0x80, 0x8c, 0xbe, 0x65, 0x7a, 0xc7, 0xb5, 0x2d, 0xa3, 0x97, 0x9b, 0xe0, 0x16, 0x3c,
+	0x1d, 0xd1, 0x7b, 0x27, 0x11, 0xeb, 0x5c, 0x01, 0x5b, 0x81, 0xa2, 0xcd, 0x44, 0x34, 0x0b, 0x3a,
+	0x7a, 0x01, 0xd3, 0x16, 0xa5, 0x5d, 0xcb, 0x69, 0xe9, 0x6e, 0x87, 0x47, 0x42, 0x6e, 0x92, 0xdb,
+	0xf2, 0x78, 0x44, 0x5b, 0x6a, 0x42, 0xea, 0x96, 0x10, 0x2a, 0xf4, 0x67, 0xac, 0x01, 0x22, 0xfa,
+	0x73, 0x98, 0xef, 0x90, 0xb6, 0xce, 0xa8, 0xc4, 0xd3, 0x99, 0x71, 0xba, 0xb1, 0x8f, 0x2d, 0x27,
+	0x97, 0x58, 0x1e, 0x13, 0x51, 0xa6, 0x68, 0xa8, 0x43, 0xda, 0x35, 0xce, 0xc0, 0xd4, 0x54, 0xd8,
+	0x30, 0xd2, 0x21, 0x4e, 0x7d, 0xec, 0x93, 0x5c, 0x92, 0x07, 0x5d, 0x75, 0x44, 0x53, 0x1b, 0x4c,
+	0x96, 0x88, 0x69, 0x21, 0x17, 0x5d, 0x87, 0x04, 0x33, 0x8c, 0x59, 0x94, 0x83, 0x7e, 0xc4, 0x4f,
+	0x76, 0x48, 0x9b, 0x49, 0x40, 0x5f, 0x2b, 0x90, 0x37, 0xb0, 0x1e, 0xdd, 0x48, 0x93, 0x50, 0xc3,
+	0xb3, 0xf8, 0xc2, 0x72, 0x29, 0xee, 0xc1, 0xcf, 0x2e, 0x64, 0x56, 0xb5, 0x2f, 0x47, 0x28, 0xcd,
+	0x19, 0xf8, 0xe4, 0x61, 0xf4, 0x16, 0x40, 0xcb, 0xa0, 0xfa, 0x6e, 0xd7, 0x38, 0x20, 0x7e, 0x2e,
+	0x3d, 0x10, 0x7b, 0xc9, 0x96, 0x41, 0x57, 0xf9, 0x00, 0x72, 0x21, 0x85, 0x0d, 0x83, 0x50, 0xaa,
+	0x77, 0x3d, 0x9b, 0xe6, 0xa6, 0xb8, 0x71, 0xb5, 0x11, 0x7d, 0x56, 0xe6, 0x12, 0xb7, 0x3d, 0x9b,
+	0x0a, 0x2b, 0x01, 0x87, 0x04, 0xf4, 0x19, 0xa4, 0x0c, 0x8f, 0x30, 0xa7, 0xf0, 0xd3, 0x95, 0xe1,
+	0x0a, 0xf3, 0xc7, 0x4e, 0x57, 0x33, 0x40, 0x2e, 0x29, 0x41, 0xcc, 0x61, 0x54, 0x26, 0xa1, 0xdb,
+	0x31, 0x43, 0x09, 0xd3, 0x67, 0x94, 0x20, 0xe6, 0x70, 0x09, 0x55, 0x98, 0x32, 0x89, 0x4d, 0x98,
+	0x9f, 0x84, 0x8c, 0x99, 0xb3, 0xc9, 0x48, 0x07, 0xb3, 0xb8, 0x94, 0x16, 0x4c, 0xd8, 0x78, 0x97,
+	0xd8, 0x34, 0x97, 0x5d, 0x1e, 0xbb, 0x93, 0x5a, 0xf9, 0x7c, 0x44, 0xaf, 0x6d, 0x70, 0x61, 0xaa,
+	0xe3, 0x7b, 0xf2, 0x44, 0x4a, 0xf1, 0xf9, 0xaf, 0x20, 0x33, 0x78, 0x60, 0xd0, 0x0a, 0xcc, 0x5a,
+	0x8e, 0x61, 0x77, 0x4d, 0xa2, 0xcb, 0x48, 0x63, 0xdb, 0xc7, 0xf1, 0x37, 0x21, 0xf0, 0x28, 0x2b,
+	0xc7, 0x2b, 0x3c, 0x3e, 0xb6, 0x3d, 0x1b, 0x7d, 0x04, 0x0b, 0xe1, 0x1c, 0xcf, 0xd6, 0xfb, 0xbb,
+	0xce, 0xd1, 0x59, 0x4e, 0x0b, 0xc4, 0x56, 0x3c, 0x3b, 0xdc, 0xc4, 0xfc, 0xff, 0x27, 0x21, 0x7f,
+	0x3a, 0x7a, 0xa0, 0xff, 0x52, 0x60, 0x16, 0xdb, 0xb6, 0xfb, 0x9c, 0x98, 0xba, 0xc0, 0x4f, 0xdd,
+	0xb6, 0xa8, 0xcf, 0xf1, 0x2e, 0xb5, 0x72, 0xf0, 0xc6, 0x60, 0xab, 0x58, 0x16, 0x4a, 0x05, 0x80,
+	0x6f, 0x58, 0xd4, 0xe7, 0x6e, 0x5b, 0xbb, 0xa2, 0xcd, 0xe0, 0xe1, 0x11, 0xf4, 0x15, 0x2c, 0xba,
+	0x87, 0xc4, 0x7b, 0xee, 0x59, 0x3e, 0x09, 0xac, 0x3c, 0xc4, 0x76, 0x97, 0x50, 0x09, 0xaf, 0x9f,
+	0x9e, 0xdd, 0x4e, 0x8d, 0x74, 0x29, 0xde, 0xb5, 0xe5, 0xcd, 0xf1, 0x44, 0x5c, 0xa1, 0x81, 0xee,
+	0xf9, 0x50, 0x8d, 0x18, 0xde, 0xe1, 0x4a, 0xd0, 0x3f, 0x2a, 0x70, 0x2b, 0x70, 0x92, 0xed, 0x1a,
+	0xe2, 0x5e, 0xd5, 0xb1, 0x63, 0xea, 0xae, 0xd7, 0xc2, 0x8e, 0xf5, 0x77, 0x82, 0x92, 0x8b, 0xf1,
+	0x50, 0xba, 0x7b, 0x76, 0x63, 0x1a, 0xdd, 0xdd, 0xbf, 0x25, 0x86, 0x58, 0xba, 0xb6, 0x2c, 0x55,
+	0x6c, 0x04, 0x1a, 0xca, 0x8e, 0xb9, 0x15, 0x95, 0x8f, 0xee, 0xc1, 0x5c, 0x7f, 0xaf, 0xda, 0x6d,
+	0xd7, 0xd1, 0xd9, 0x45, 0xcd, 0x70, 0xbd, 0x0f, 0xaa, 0xa1, 0xf7, 0xd8, 0xf8, 0x26, 0x1b, 0x46,
+	0xdf, 0x29, 0x90, 0x0e, 0xe6, 0x51, 0xec, 0xd0, 0x5c, 0x82, 0x3b, 0xad, 0xf3, 0xc6, 0x37, 0x57,
+	0x2e, 0xaf, 0x6c, 0xfb, 0xdc, 0x10, 0x61, 0x61, 0x4a, 0x9a, 0xd2, 0xc0, 0x0e, 0x45, 0x35, 0xc8,
+	0xb6, 0xf1, 0x91, 0xd5, 0xee, 0xb6, 0xf5, 0x73, 0xdd, 0xd9, 0x8a, 0x36, 0x2d, 0xe7, 0x6d, 0xc8,
+	0x69, 0xf9, 0x6f, 0x15, 0x98, 0x39, 0x16, 0x54, 0xe8, 0x08, 0xe6, 0x87, 0xc2, 0x5b, 0x06, 0x8e,
+	0xc2, 0xf7, 0xea, 0x32, 0x02, 0x27, 0xa6, 0xcd, 0x0e, 0x84, 0xac, 0x08, 0x9a, 0xfc, 0xff, 0xc6,
+	0x60, 0xe1, 0x64, 0x3f, 0xa0, 0x77, 0x21, 0x08, 0x72, 0xdd, 0x74, 0xa8, 0xdc, 0x44, 0x66, 0x50,
+	0x52, 0x9b, 0x96, 0x03, 0x55, 0x87, 0x0a, 0xde, 0x9b, 0xfd, 0xbd, 0xeb, 0x7a, 0x96, 0x88, 0xb1,
+	0x64, 0xe8, 0xc4, 0x6d, 0xcf, 0x62, 0x97, 0xed, 0x62, 0xc0, 0x42, 0xda, 0xd8, 0xb2, 0x75, 0x6c,
+	0x9a, 0x1e, 0xa1, 0x94, 0xd0, 0xdc, 0x18, 0xe7, 0x0e, 0x5c, 0xa0, 0xb2, 0xd1, 0x72, 0x30, 0x88,
+	0x6e, 0x40, 0x20, 0x46, 0xb7, 0x3a, 0x34, 0x37, 0xce, 0x79, 0x41, 0x92, 0x6a, 0x1d, 0x8a, 0x3e,
+	0x85, 0x6b, 0xfc, 0x4b, 0x6f, 0xd9, 0xee, 0xee, 0x2e, 0xcb, 0x24, 0x98, 0xb9, 0xcf, 0x2d, 0xdb,
+	0x34, 0xb0, 0x67, 0x52, 0x0e, 0x12, 0x09, 0x6d, 0x89, 0xf3, 0x3c, 0x92, 0x2c, 0x55, 0x87, 0x3e,
+	0x09, 0x18, 0xc2, 0x85, 0xea, 0x46, 0x97, 0xfa, 0x6e, 0x5b, 0x44, 0xdf, 0x04, 0x9f, 0x25, 0x16,
+	0x5a, 0xe1, 0x74, 0x16, 0x0a, 0xab, 0xd3, 0x30, 0x25, 0x77, 0x48, 0x64, 0x4e, 0xf9, 0x36, 0x40,
+	0xff, 0x2e, 0x42, 0xf7, 0x61, 0x69, 0xe8, 0x5e, 0x8e, 0x80, 0x20, 0xcf, 0x5d, 0xb5, 0x85, 0x81,
+	0xfb, 0x34, 0x9c, 0x8b, 0x6e, 0x43, 0xe6, 0x04, 0xd0, 0x4c, 0x6a, 0x69, 0x23, 0x0a, 0x94, 0xf7,
+	0x21, 0x15, 0x01, 0x71, 0x94, 0x85, 0xb1, 0x03, 0xd2, 0x93, 0x92, 0xd9, 0x4f, 0x34, 0x07, 0x71,
+	0x1e, 0x3b, 0x72, 0xb6, 0xf8, 0x78, 0x10, 0xfb, 0x48, 0x29, 0x7c, 0x02, 0xe3, 0x2c, 0xbd, 0x45,
+	0x73, 0x90, 0x6d, 0x3e, 0xad, 0xab, 0xfa, 0xf6, 0x66, 0xa3, 0xae, 0x56, 0x6a, 0x0f, 0x6b, 0x6a,
+	0x35, 0x7b, 0x05, 0x4d, 0x43, 0xaa, 0xa1, 0x6e, 0x3c, 0xd4, 0x1b, 0xb5, 0x47, 0x9b, 0x6a, 0x35,
+	0xab, 0x70, 0xc2, 0xf6, 0xea, 0x96, 0x56, 0xad, 0x6d, 0x96, 0x9b, 0x6a, 0x36, 0x56, 0x68, 0x41,
+	0x9c, 0x67, 0x2a, 0x68, 0x1e, 0x66, 0x1a, 0xcd, 0x72, 0x73, 0x58, 0x42, 0x0a, 0x26, 0xd5, 0xcd,
+	0xf2, 0xea, 0x06, 0x9f, 0x9d, 0x86, 0x44, 0xb5, 0xd6, 0x10, 0x5f, 0x31, 0xb4, 0x00, 0xa8, 0xae,
+	0x6e, 0x56, 0x6b, 0x9b, 0x8f, 0xf4, 0x72, 0xa5, 0x59, 0xdb, 0x29, 0x37, 0x6b, 0x5b, 0x9b, 0xd9,
+	0x31, 0x66, 0x4a, 0x40, 0xaf, 0xaa, 0x1b, 0x2a, 0xa7, 0x8e, 0x3f, 0xf8, 0x27, 0xe5, 0x55, 0xf9,
+	0x1b, 0x05, 0xde, 0xef, 0x87, 0xb7, 0x08, 0x7f, 0xdc, 0xb1, 0x68, 0xd1, 0x70, 0xdb, 0xa5, 0x13,
+	0x2b, 0x84, 0x9d, 0x8e, 0xe7, 0xb2, 0xf8, 0xa5, 0xa5, 0x17, 0xf2, 0xd7, 0xcb, 0x52, 0x08, 0x83,
+	0xa5, 0x17, 0xc1, 0xcf, 0x97, 0x25, 0xe3, 0xf8, 0x6c, 0x8b, 0xd0, 0xd2, 0x8b, 0x81, 0x5d, 0x0b,
+	0xc4, 0xbe, 0x2c, 0x7c, 0x97, 0x84, 0xa5, 0x88, 0x42, 0x8d, 0x1c, 0x4a, 0x49, 0xfc, 0xe4, 0x9e,
+	0x5a, 0x97, 0xbc, 0x07, 0xd3, 0x94, 0x3c, 0xeb, 0x12, 0xc7, 0x20, 0xba, 0xd3, 0x6d, 0xef, 0x12,
+	0x8f, 0xef, 0xc8, 0x98, 0xe0, 0xc9, 0x04, 0x63, 0x9b, 0x7c, 0x08, 0xfd, 0xb3, 0x02, 0x73, 0x1e,
+	0x39, 0x74, 0x0f, 0x18, 0x02, 0xf4, 0x95, 0x89, 0xa3, 0x91, 0x5a, 0xd9, 0xb9, 0x10, 0x08, 0x0e,
+	0x9a, 0x5a, 0xd4, 0x84, 0xfc, 0x08, 0x83, 0xb0, 0x65, 0xd6, 0x3b, 0x36, 0x40, 0xd1, 0x35, 0x98,
+	0xe4, 0x19, 0xa8, 0x67, 0x73, 0xa4, 0x93, 0x4b, 0x9b, 0x60, 0x09, 0xa8, 0x67, 0xa3, 0x02, 0x40,
+	0x24, 0x4e, 0xe3, 0x7d, 0x86, 0x64, 0x98, 0x86, 0x21, 0x33, 0x48, 0x92, 0x27, 0x78, 0x92, 0x5c,
+	0xbb, 0x8c, 0x25, 0x1c, 0xcf, 0x94, 0x87, 0x72, 0xbd, 0xc9, 0x91, 0x73, 0xbd, 0xc4, 0xf9, 0x73,
+	0x3d, 0x3b, 0xcc, 0xd2, 0x92, 0x7c, 0xb7, 0xb6, 0x2e, 0x63, 0xa9, 0xa7, 0xa6, 0x6a, 0xdf, 0x2b,
+	0x80, 0x8e, 0x6f, 0x25, 0x5a, 0x86, 0x54, 0x24, 0x70, 0x24, 0x22, 0x44, 0x49, 0xe8, 0x16, 0x4c,
+	0x51, 0xe2, 0x59, 0xd8, 0x8e, 0xc6, 0x63, 0x52, 0x4b, 0x0b, 0xa2, 0x0c, 0xc4, 0x16, 0xcc, 0x78,
+	0xa1, 0x21, 0xba, 0x47, 0x30, 0x75, 0x1d, 0x5e, 0xfb, 0x66, 0x56, 0x1e, 0x9c, 0xe7, 0x16, 0x0a,
+	0x44, 0x68, 0x5c, 0x82, 0x96, 0xf5, 0x86, 0x28, 0xa3, 0x00, 0xd9, 0x83, 0xd7, 0x00, 0x11, 0xc0,
+	0x04, 0x47, 0x19, 0x35, 0xab, 0xa0, 0x0c, 0x40, 0x63, 0xbb, 0xae, 0x6a, 0x0d, 0xb5, 0xca, 0x90,
+	0xe8, 0xc1, 0x8f, 0xca, 0xab, 0xf2, 0x0f, 0x0a, 0xac, 0x9c, 0x05, 0x5b, 0x86, 0x8e, 0xfa, 0xbf,
+	0x28, 0x6f, 0x06, 0x61, 0xa2, 0xec, 0x83, 0x2a, 0x87, 0xa6, 0x44, 0x36, 0x86, 0x65, 0xbf, 0x2f,
+	0x0b, 0xbf, 0x4e, 0x42, 0x2a, 0x1a, 0x03, 0xa7, 0x82, 0xd1, 0x75, 0x79, 0x9a, 0xa9, 0xdc, 0x74,
+	0xde, 0x8a, 0x58, 0xbb, 0x22, 0xce, 0x33, 0xf5, 0xd0, 0x97, 0x97, 0xdd, 0xe6, 0x60, 0xb2, 0x2f,
+	0xa1, 0xd1, 0xf1, 0x02, 0x50, 0x64, 0xd1, 0x26, 0xf1, 0xb1, 0x65, 0x53, 0x99, 0xf5, 0x3f, 0xba,
+	0x90, 0x8d, 0x91, 0xd0, 0xac, 0x0a, 0x71, 0xc2, 0x4f, 0x91, 0xa8, 0x97, 0x74, 0x86, 0xe0, 0x41,
+	0x11, 0x1e, 0x9c, 0xaa, 0x89, 0xbe, 0x63, 0x33, 0xb2, 0x16, 0x0f, 0x7c, 0xff, 0x15, 0x2c, 0x9e,
+	0x56, 0x8e, 0x4f, 0x5e, 0x66, 0x39, 0xbe, 0x60, 0x9c, 0x5c, 0x8c, 0x7f, 0x28, 0x7a, 0x19, 0x51,
+	0x1b, 0x86, 0x7a, 0x19, 0x63, 0xda, 0xec, 0xa0, 0xcd, 0xa2, 0x99, 0x31, 0x84, 0xa0, 0xc9, 0x91,
+	0x11, 0x14, 0xce, 0x8f, 0xa0, 0x7f, 0x13, 0x22, 0x68, 0x8a, 0x23, 0x68, 0xf9, 0x62, 0x7b, 0x7b,
+	0x2a, 0x66, 0xfe, 0x5c, 0x81, 0x99, 0x63, 0x1b, 0x8f, 0x08, 0x44, 0x60, 0x49, 0x17, 0x97, 0x95,
+	0x32, 0x32, 0xd4, 0x4d, 0xf7, 0x65, 0x0a, 0x94, 0xaa, 0x40, 0x84, 0x24, 0x5c, 0x14, 0x7b, 0x9d,
+	0x8b, 0xb4, 0x4c, 0x7f, 0x0a, 0x23, 0x8e, 0x00, 0x97, 0x0f, 0xfe, 0x5d, 0x79, 0x55, 0xfe, 0x37,
+	0x05, 0x6e, 0x9f, 0x05, 0xf2, 0xd0, 0xb3, 0x37, 0x8f, 0x71, 0x83, 0x4c, 0x2f, 0x57, 0xe7, 0x06,
+	0x3b, 0x92, 0x02, 0x36, 0x0a, 0xbf, 0x18, 0x87, 0xcc, 0x60, 0x31, 0x73, 0x3a, 0xbc, 0xfd, 0x15,
+	0x4c, 0xc8, 0x7a, 0x49, 0x38, 0xf6, 0x93, 0x8b, 0xd6, 0x4b, 0xa2, 0x28, 0x12, 0x28, 0x24, 0x45,
+	0xa2, 0xb7, 0x20, 0x15, 0x3d, 0xcc, 0x21, 0x04, 0x28, 0x5a, 0x94, 0x3e, 0x7c, 0x8c, 0xc6, 0x46,
+	0x3e, 0x46, 0xe3, 0xe7, 0x3f, 0x46, 0x38, 0x3c, 0x46, 0x71, 0x7e, 0x8c, 0xaa, 0x17, 0xf5, 0xc3,
+	0xe9, 0x27, 0x69, 0x84, 0x38, 0x7c, 0xfe, 0xaa, 0xec, 0xc3, 0xdb, 0xa7, 0x46, 0xe1, 0xd0, 0x66,
+	0xd7, 0xce, 0x1a, 0x88, 0xde, 0xc0, 0x3c, 0x5a, 0x7a, 0x11, 0x10, 0x64, 0x24, 0xbd, 0x2c, 0xfc,
+	0xf7, 0x24, 0xcc, 0x9d, 0xb4, 0xcf, 0xa8, 0x09, 0xc9, 0x03, 0xd2, 0xd3, 0xbb, 0x14, 0xb7, 0x44,
+	0x54, 0xa5, 0x56, 0x56, 0xce, 0xee, 0xb2, 0x75, 0xd2, 0xdb, 0x66, 0x33, 0x85, 0x83, 0x12, 0x07,
+	0xf2, 0x13, 0xd9, 0x00, 0x06, 0x0e, 0xbb, 0xd9, 0x22, 0x22, 0xd7, 0x46, 0x8b, 0xc8, 0x62, 0x05,
+	0x0f, 0x34, 0xb2, 0x93, 0x46, 0xf0, 0x8d, 0x76, 0x00, 0x44, 0x25, 0xaa, 0x5b, 0x66, 0x50, 0x2e,
+	0x9c, 0x63, 0x11, 0x5b, 0xbc, 0xe6, 0xaf, 0x99, 0x52, 0xae, 0x10, 0x55, 0x33, 0x29, 0x7a, 0x06,
+	0xf3, 0xd8, 0x34, 0x2d, 0xa6, 0x04, 0xdb, 0x3a, 0x39, 0xf2, 0x89, 0x43, 0xf9, 0x82, 0xc6, 0xb9,
+	0x8a, 0x0f, 0xcf, 0xae, 0xe2, 0x8b, 0x7b, 0x7f, 0x7a, 0x5f, 0x0d, 0xe6, 0x0b, 0x3d, 0x73, 0x7d,
+	0xd1, 0xe1, 0x08, 0x45, 0x1f, 0xc3, 0x22, 0xab, 0x80, 0x4d, 0x8b, 0xfa, 0x9e, 0xb5, 0xdb, 0xe5,
+	0x70, 0xd9, 0x71, 0x2d, 0xc7, 0x17, 0xf1, 0x2c, 0x4f, 0xdd, 0xbc, 0xe1, 0xd9, 0xd5, 0x08, 0x4b,
+	0x9d, 0x73, 0xa0, 0xff, 0x50, 0xe0, 0x5a, 0x88, 0x37, 0xba, 0xe5, 0xec, 0xb9, 0x5e, 0x5b, 0x20,
+	0xae, 0x28, 0x49, 0xce, 0xff, 0xc4, 0x71, 0xe2, 0x46, 0x84, 0xf5, 0x66, 0xad, 0xaf, 0x41, 0x54,
+	0xe7, 0xc2, 0xba, 0x3c, 0x3e, 0x95, 0x21, 0xff, 0x9d, 0x02, 0xc9, 0x70, 0x23, 0xd1, 0x9f, 0x41,
+	0xdc, 0xa2, 0xba, 0x81, 0x65, 0xe0, 0x1d, 0x3f, 0xe8, 0xab, 0xae, 0x6b, 0x73, 0xad, 0x42, 0xf2,
+	0xb8, 0x45, 0x2b, 0x18, 0x6d, 0xc3, 0x42, 0x1b, 0x1f, 0x05, 0x4f, 0x16, 0x1d, 0xec, 0xef, 0xeb,
+	0x36, 0x71, 0x5a, 0xfe, 0xbe, 0x0c, 0xb4, 0xab, 0xc7, 0xc4, 0xd4, 0x1c, 0xff, 0x83, 0x95, 0x88,
+	0x9c, 0xd9, 0x36, 0x3e, 0x12, 0x0f, 0x1a, 0x75, 0xec, 0xef, 0x6f, 0xf0, 0xc9, 0xf9, 0xaf, 0x15,
+	0xc8, 0x9f, 0xbe, 0x34, 0xf4, 0x17, 0x90, 0x0b, 0x5e, 0x69, 0xa2, 0x50, 0xcd, 0xfb, 0xf9, 0x4a,
+	0x7f, 0x6b, 0x16, 0x24, 0x53, 0xe4, 0x42, 0xe1, 0x5d, 0x91, 0x3f, 0x86, 0xb4, 0x6b, 0xd0, 0x8e,
+	0x4e, 0x89, 0x77, 0x48, 0x3c, 0xd9, 0x1d, 0x92, 0x18, 0xca, 0x06, 0x1a, 0x82, 0x5e, 0xf8, 0x95,
+	0x02, 0xf3, 0x27, 0x36, 0xb0, 0x50, 0x91, 0xdd, 0xa1, 0x03, 0xc7, 0xba, 0x7f, 0x0b, 0xc4, 0xd6,
+	0xae, 0xb0, 0xeb, 0x72, 0x00, 0x3d, 0x5e, 0xc0, 0xc2, 0x10, 0xbf, 0x7e, 0xe9, 0x37, 0xc4, 0xda,
+	0x15, 0x6d, 0xce, 0x3b, 0x69, 0xb0, 0xdf, 0x23, 0x12, 0x3a, 0x0b, 0x3f, 0x53, 0x20, 0x59, 0xef,
+	0xee, 0xda, 0x96, 0xb1, 0x4e, 0x7a, 0xa8, 0x29, 0x5f, 0x2c, 0x45, 0xaa, 0x71, 0x8e, 0x54, 0x3b,
+	0x14, 0xc1, 0xa0, 0x27, 0x78, 0xa9, 0x8c, 0xc9, 0x97, 0xca, 0x79, 0x81, 0xc4, 0x6c, 0x79, 0x69,
+	0x41, 0x67, 0xdf, 0x85, 0x2a, 0x4c, 0x4a, 0x66, 0x94, 0x83, 0xb9, 0x75, 0xf5, 0xa9, 0x7e, 0x72,
+	0xef, 0xa7, 0xae, 0x3e, 0xd6, 0xb5, 0x46, 0x59, 0x5f, 0x57, 0x9f, 0x8a, 0xaa, 0x89, 0x11, 0xd4,
+	0x0a, 0xff, 0x8e, 0x15, 0x7e, 0x18, 0x87, 0x99, 0x63, 0x89, 0x3e, 0xea, 0x42, 0x86, 0x8a, 0x9e,
+	0x61, 0x74, 0x4f, 0x2e, 0xfa, 0xb6, 0x23, 0x6f, 0x1e, 0xd9, 0x85, 0xec, 0xd7, 0x12, 0x31, 0x6d,
+	0x8a, 0x46, 0x69, 0xa8, 0x7d, 0x3c, 0x16, 0x62, 0x97, 0xd6, 0x5f, 0x8f, 0x1d, 0x0b, 0xa5, 0x27,
+	0x00, 0x1d, 0xee, 0x78, 0x9d, 0xf9, 0x57, 0xdc, 0xeb, 0x1f, 0x5c, 0x60, 0xd3, 0x02, 0x84, 0x0d,
+	0xbe, 0xf3, 0xbf, 0x53, 0x60, 0x6a, 0x60, 0xb5, 0xa8, 0x0e, 0x93, 0x72, 0xa9, 0xd2, 0x93, 0x17,
+	0x6b, 0xd2, 0xc7, 0xb4, 0x40, 0x0c, 0xba, 0x0d, 0xa9, 0x48, 0x0f, 0xbe, 0x5f, 0xfc, 0x29, 0x1a,
+	0x18, 0x61, 0xef, 0x1d, 0xed, 0x43, 0x36, 0xd8, 0x48, 0x6c, 0xfb, 0x82, 0x55, 0x2c, 0xf4, 0xfe,
+	0xb9, 0x0d, 0x18, 0x6c, 0xa3, 0x07, 0x01, 0x22, 0xa9, 0x85, 0xff, 0x4b, 0xc0, 0xc2, 0x29, 0xaf,
+	0x89, 0xff, 0xa0, 0xc0, 0x6c, 0x60, 0x45, 0x34, 0xe1, 0x12, 0x9e, 0x68, 0x8c, 0x5a, 0x3d, 0x05,
+	0xf6, 0x45, 0x48, 0x1a, 0xa2, 0xc7, 0x68, 0xc8, 0x18, 0x3a, 0xbc, 0x97, 0x03, 0x18, 0x5a, 0xda,
+	0x88, 0x26, 0x1e, 0xda, 0x25, 0xc5, 0x54, 0x24, 0x9c, 0x90, 0xdd, 0x3f, 0x8d, 0x2c, 0xa9, 0xb1,
+	0x4c, 0x99, 0x41, 0x3e, 0x1c, 0xd9, 0x73, 0xeb, 0xa4, 0x57, 0x33, 0xb5, 0xb4, 0x94, 0xce, 0xbf,
+	0x50, 0x07, 0xb2, 0xfd, 0xdb, 0x56, 0xea, 0x8b, 0x5f, 0xaa, 0xbe, 0x4c, 0x28, 0x9f, 0x7f, 0xe7,
+	0x7f, 0x39, 0x06, 0xe8, 0xf8, 0x1e, 0xa2, 0xf5, 0xd1, 0xcf, 0x4c, 0xff, 0xb8, 0xdc, 0x38, 0xe1,
+	0xb8, 0x0c, 0x9c, 0x14, 0xe3, 0x0d, 0x9c, 0x94, 0xe1, 0x43, 0x82, 0xde, 0x85, 0x99, 0x7d, 0x72,
+	0xa4, 0x0f, 0x36, 0xeb, 0x78, 0x17, 0x56, 0x9b, 0xde, 0x27, 0x47, 0x8d, 0x68, 0xbf, 0xee, 0x5e,
+	0xa4, 0xbb, 0x12, 0x7f, 0x4d, 0x77, 0x25, 0xd2, 0x58, 0x59, 0x85, 0x69, 0xc7, 0xf5, 0xf5, 0x5d,
+	0xb2, 0xe7, 0x7a, 0xb2, 0xde, 0x98, 0x78, 0x6d, 0x4d, 0x3a, 0xe5, 0xb8, 0xfe, 0x2a, 0x9f, 0x21,
+	0xeb, 0x95, 0x0c, 0x93, 0x81, 0xf7, 0x7c, 0xe2, 0x9d, 0xb1, 0xfb, 0xaa, 0xa5, 0x1d, 0xd7, 0x2f,
+	0xb3, 0x09, 0xbc, 0xa8, 0xbd, 0x05, 0x71, 0x11, 0x4d, 0x79, 0x98, 0x90, 0x31, 0xa4, 0xf4, 0x11,
+	0x2a, 0x7e, 0xc0, 0xc6, 0x0a, 0xf7, 0x20, 0x11, 0x24, 0xa9, 0xe8, 0x1d, 0xc8, 0xb8, 0xc2, 0xfb,
+	0x96, 0xc9, 0x93, 0x1f, 0x9e, 0x7d, 0xc4, 0x05, 0xe8, 0xa5, 0x5d, 0xc9, 0xc6, 0xf2, 0x9a, 0xc2,
+	0x7f, 0x2a, 0x30, 0x35, 0x90, 0x79, 0xb2, 0x6c, 0x3f, 0x9c, 0x7c, 0xfe, 0x6c, 0x3f, 0x9a, 0x28,
+	0xc7, 0xb4, 0x44, 0xa0, 0x0b, 0xdd, 0x80, 0x84, 0xc1, 0x6a, 0x5f, 0x03, 0x0f, 0xbc, 0x72, 0x87,
+	0x44, 0xb4, 0x14, 0x14, 0x44, 0x63, 0xfd, 0xab, 0x59, 0x50, 0x0a, 0xdf, 0x4f, 0x42, 0x22, 0xa8,
+	0x22, 0xd0, 0x3e, 0x64, 0x76, 0x31, 0x25, 0xfa, 0x70, 0x45, 0xb2, 0x7a, 0xfe, 0x8a, 0x24, 0xfc,
+	0x21, 0x73, 0x4d, 0x2d, 0xcd, 0x24, 0x87, 0x9a, 0x8e, 0x00, 0xf1, 0x7c, 0xde, 0x24, 0x66, 0x44,
+	0x9b, 0xc0, 0xb9, 0xcf, 0x2f, 0xa0, 0x4d, 0x95, 0xc2, 0x86, 0xb5, 0x66, 0xc9, 0xd0, 0x00, 0x7a,
+	0x06, 0x57, 0xbb, 0xce, 0x81, 0xe3, 0x3e, 0x77, 0xf4, 0xe3, 0x16, 0x8c, 0x50, 0xbd, 0x68, 0x39,
+	0x29, 0x76, 0xd8, 0x14, 0x9a, 0xff, 0x6d, 0x0c, 0xa6, 0x87, 0x0c, 0x43, 0x7f, 0x02, 0x33, 0xa6,
+	0xd5, 0xb2, 0x7c, 0x6c, 0xeb, 0xd4, 0x6a, 0x39, 0xd8, 0xef, 0x7a, 0xc2, 0xdb, 0x09, 0x2d, 0x2b,
+	0x07, 0x1a, 0x01, 0x1d, 0xbd, 0x0f, 0xc8, 0x70, 0x1d, 0x9f, 0x38, 0x3e, 0x7f, 0xce, 0xb6, 0xfc,
+	0x36, 0x71, 0x7c, 0xb1, 0xd5, 0xda, 0x8c, 0x1c, 0xa9, 0x84, 0x03, 0xe8, 0x1d, 0xc8, 0xb2, 0x15,
+	0x11, 0xc7, 0xb0, 0x3a, 0xfb, 0xc4, 0xe3, 0xcc, 0x63, 0xe2, 0x2d, 0xf1, 0x80, 0xf4, 0xd4, 0x08,
+	0x99, 0x9b, 0x81, 0x7d, 0x3c, 0xc8, 0x3b, 0x2e, 0xcd, 0xc0, 0x3e, 0x1e, 0x60, 0xbe, 0x05, 0x53,
+	0x4c, 0x2e, 0x6e, 0x79, 0x84, 0x70, 0x46, 0xf1, 0xac, 0x99, 0x3e, 0x20, 0xbd, 0x72, 0x40, 0x43,
+	0x57, 0x21, 0xc9, 0xff, 0xa9, 0xc1, 0x56, 0x25, 0x5f, 0x30, 0x13, 0x8c, 0xc0, 0x56, 0x83, 0x96,
+	0x58, 0xa4, 0x8a, 0x15, 0xf3, 0x93, 0x9a, 0xd0, 0x26, 0x0d, 0x8f, 0x2f, 0x94, 0x09, 0x0f, 0x8c,
+	0xd0, 0x5d, 0xc7, 0xee, 0xf1, 0x57, 0x90, 0x84, 0x96, 0x0e, 0x88, 0x5b, 0x8e, 0xdd, 0x63, 0x4c,
+	0x26, 0x89, 0x32, 0x25, 0x05, 0x53, 0x40, 0x64, 0x4c, 0x2c, 0xa9, 0x59, 0x3c, 0x25, 0x1e, 0x18,
+	0xba, 0x8a, 0x0a, 0x80, 0x37, 0x86, 0xa4, 0xc3, 0x41, 0x90, 0x58, 0xf1, 0xc1, 0xe1, 0xd7, 0xb6,
+	0x98, 0xa7, 0x39, 0x83, 0xf0, 0x31, 0x08, 0x12, 0x67, 0xb8, 0x09, 0x69, 0xc3, 0x35, 0x09, 0x5f,
+	0x83, 0xe5, 0xb4, 0xa4, 0x63, 0x53, 0x8c, 0xd6, 0x10, 0x24, 0xe6, 0x7f, 0xf1, 0xbc, 0xcc, 0xd0,
+	0x87, 0x18, 0x3c, 0x85, 0x10, 0x3e, 0x9d, 0xe6, 0xf4, 0x7a, 0x48, 0x66, 0x0b, 0x62, 0xb0, 0xa5,
+	0x73, 0x68, 0x62, 0xe2, 0xa4, 0x4b, 0x19, 0xb1, 0x21, 0x69, 0x4c, 0xa5, 0xa8, 0x5d, 0xa4, 0x4a,
+	0xe1, 0x55, 0x51, 0xb6, 0x08, 0x52, 0xe1, 0xef, 0x63, 0x30, 0x29, 0x31, 0x5d, 0x58, 0xd8, 0x75,
+	0x7c, 0xaf, 0xa7, 0x33, 0xab, 0xc2, 0x77, 0x18, 0x41, 0xab, 0xb8, 0x26, 0x41, 0x05, 0x48, 0x47,
+	0xff, 0x90, 0x11, 0x3c, 0xc3, 0x44, 0x69, 0xa8, 0x04, 0xb3, 0xd1, 0x6f, 0x6c, 0xeb, 0x5d, 0xc7,
+	0x12, 0x81, 0x94, 0xd4, 0xd0, 0xe0, 0xd0, 0xb6, 0x63, 0xf9, 0x28, 0x0f, 0x09, 0xdb, 0x35, 0xb0,
+	0x6d, 0xf9, 0x3d, 0x79, 0x55, 0x84, 0xdf, 0x6c, 0xac, 0xe3, 0xb9, 0x87, 0x96, 0x63, 0x88, 0x3b,
+	0x22, 0xa9, 0x85, 0xdf, 0xe8, 0x2d, 0xc8, 0x50, 0xdf, 0x23, 0xc4, 0x0f, 0x9e, 0xe3, 0x45, 0x83,
+	0x4b, 0x9b, 0x12, 0x54, 0xf9, 0x0c, 0xcf, 0x76, 0xa6, 0xe3, 0x52, 0x76, 0x60, 0xf8, 0xaa, 0x26,
+	0xc5, 0xc5, 0x28, 0x48, 0x6c, 0x51, 0x85, 0xdf, 0x28, 0x30, 0x3d, 0xfc, 0x07, 0x82, 0xab, 0x90,
+	0x1c, 0xfe, 0xe3, 0x40, 0xc2, 0x0c, 0xfe, 0x31, 0x80, 0x60, 0x3c, 0xf2, 0x4f, 0x01, 0xfe, 0x1b,
+	0xbd, 0x0d, 0xd3, 0x27, 0xff, 0x35, 0x20, 0x43, 0x06, 0xff, 0x13, 0x70, 0x13, 0xd2, 0x56, 0x27,
+	0xc2, 0x25, 0xfe, 0x14, 0x90, 0xb2, 0x3a, 0x7d, 0x96, 0x2f, 0x20, 0x15, 0x7d, 0xce, 0x8f, 0x8f,
+	0xd4, 0xb5, 0xd0, 0xc0, 0x08, 0xff, 0x02, 0xf0, 0xee, 0x37, 0x31, 0xc8, 0x0e, 0x77, 0x7d, 0xd1,
+	0x4d, 0xf8, 0x23, 0x4d, 0xdd, 0xd9, 0xaa, 0xf0, 0x97, 0x6d, 0x5d, 0x53, 0xcb, 0x8d, 0xad, 0xcd,
+	0xa1, 0x2a, 0x0b, 0x41, 0x86, 0xd5, 0x5f, 0x95, 0xad, 0xc7, 0x75, 0x6d, 0xeb, 0x71, 0xad, 0xa1,
+	0x66, 0x15, 0x74, 0x1b, 0x96, 0x2b, 0xaa, 0xd6, 0xac, 0x3d, 0xac, 0x55, 0xca, 0x4d, 0x55, 0x2f,
+	0x6f, 0x37, 0xd7, 0xb6, 0xb4, 0x5a, 0x73, 0x80, 0x2b, 0x86, 0x16, 0x61, 0xb6, 0xfc, 0xf0, 0x61,
+	0x6d, 0xa3, 0x26, 0xa4, 0x57, 0xd6, 0xca, 0x9b, 0x8f, 0xd4, 0x6a, 0x76, 0x6c, 0xe8, 0x75, 0x6b,
+	0x1c, 0xe5, 0x61, 0xa1, 0xa2, 0x36, 0x1a, 0x82, 0x6d, 0xeb, 0xa1, 0xbe, 0x55, 0x57, 0x35, 0xf1,
+	0xd6, 0x1e, 0x47, 0x73, 0x90, 0x8d, 0xaa, 0x5a, 0xdb, 0xda, 0xa8, 0x66, 0x27, 0x98, 0xe8, 0xba,
+	0x56, 0xdb, 0xa9, 0x6d, 0xa8, 0x8f, 0x54, 0xfd, 0x49, 0xad, 0xb9, 0x56, 0xd5, 0xca, 0x4f, 0x36,
+	0xb3, 0x93, 0xa8, 0x00, 0xd7, 0xcb, 0xcd, 0xa6, 0x56, 0x5b, 0xdd, 0x3e, 0xcd, 0xae, 0xc4, 0xea,
+	0x8f, 0x0a, 0xbc, 0x67, 0xb8, 0xed, 0x33, 0x3b, 0x75, 0x75, 0xb1, 0x2e, 0x68, 0x15, 0xac, 0x05,
+	0xff, 0x6e, 0x66, 0xe7, 0xd1, 0xad, 0x2b, 0x5f, 0xfe, 0xa5, 0x14, 0xd2, 0x72, 0x6d, 0xec, 0xb4,
+	0x8a, 0xae, 0xd7, 0x2a, 0xb5, 0x88, 0xc3, 0x53, 0x88, 0x52, 0xbf, 0x53, 0xf8, 0xfa, 0xff, 0x4d,
+	0x7f, 0x1c, 0x92, 0x7e, 0xaf, 0x28, 0xff, 0x13, 0xbb, 0xf3, 0x48, 0x88, 0xad, 0x70, 0xdb, 0x1a,
+	0x81, 0x6d, 0x81, 0x1d, 0xe5, 0xe2, 0xce, 0xdd, 0x32, 0x9f, 0xb7, 0x3b, 0xc1, 0x75, 0x7d, 0xf0,
+	0x87, 0x00, 0x00, 0x00, 0xff, 0xff, 0x0f, 0x36, 0x95, 0xe4, 0xa2, 0x2d, 0x00, 0x00,
+}
diff --git a/lib/google.golang.org/genproto/googleapis/cloud/security/privateca/v1alpha1/service.pb.go b/lib/google.golang.org/genproto/googleapis/cloud/security/privateca/v1alpha1/service.pb.go
new file mode 100644
index 0000000..f136105
--- /dev/null
+++ b/lib/google.golang.org/genproto/googleapis/cloud/security/privateca/v1alpha1/service.pb.go
@@ -0,0 +1,3368 @@
+// Code generated by protoc-gen-go. DO NOT EDIT.
+// source: google/cloud/security/privateca/v1alpha1/service.proto
+
+package privateca
+
+import (
+	context "context"
+	fmt "fmt"
+	proto "github.com/golang/protobuf/proto"
+	timestamp "github.com/golang/protobuf/ptypes/timestamp"
+	_ "google.golang.org/genproto/googleapis/api/annotations"
+	longrunning "google.golang.org/genproto/googleapis/longrunning"
+	field_mask "google.golang.org/genproto/protobuf/field_mask"
+	grpc "google.golang.org/grpc"
+	codes "google.golang.org/grpc/codes"
+	status "google.golang.org/grpc/status"
+	math "math"
+)
+
+// Reference imports to suppress errors if they are not otherwise used.
+var _ = proto.Marshal
+var _ = fmt.Errorf
+var _ = math.Inf
+
+// This is a compile-time assertion to ensure that this generated file
+// is compatible with the proto package it is being compiled against.
+// A compilation error at this line likely means your copy of the
+// proto package needs to be updated.
+const _ = proto.ProtoPackageIsVersion3 // please upgrade the proto package
+
+// Request message for
+// [CertificateAuthorityService.ListCertificateAuthorities][google.cloud.security.privateca.v1alpha1.CertificateAuthorityService.ListCertificateAuthorities].
+type ListCertificateAuthoritiesRequest struct {
+	// Required. The resource name of the location associated with the
+	// [CertificateAuthorities][google.cloud.security.privateca.v1alpha1.CertificateAuthority], in the format
+	// `projects/*/locations/*`.
+	Parent string `protobuf:"bytes,1,opt,name=parent,proto3" json:"parent,omitempty"`
+	// Optional. Limit on the number of [CertificateAuthorities][google.cloud.security.privateca.v1alpha1.CertificateAuthority] to
+	// include in the response.
+	// Further [CertificateAuthorities][google.cloud.security.privateca.v1alpha1.CertificateAuthority] can subsequently be
+	// obtained by including the
+	// [ListCertificateAuthoritiesResponse.next_page_token][google.cloud.security.privateca.v1alpha1.ListCertificateAuthoritiesResponse.next_page_token] in a subsequent
+	// request. If unspecified, the server will pick an appropriate default.
+	PageSize int32 `protobuf:"varint,2,opt,name=page_size,json=pageSize,proto3" json:"page_size,omitempty"`
+	// Optional. Pagination token, returned earlier via
+	// [ListCertificateAuthoritiesResponse.next_page_token][google.cloud.security.privateca.v1alpha1.ListCertificateAuthoritiesResponse.next_page_token].
+	PageToken string `protobuf:"bytes,3,opt,name=page_token,json=pageToken,proto3" json:"page_token,omitempty"`
+	// Optional. Only include resources that match the filter in the response.
+	Filter string `protobuf:"bytes,4,opt,name=filter,proto3" json:"filter,omitempty"`
+	// Optional. Specify how the results should be sorted.
+	OrderBy              string   `protobuf:"bytes,5,opt,name=order_by,json=orderBy,proto3" json:"order_by,omitempty"`
+	XXX_NoUnkeyedLiteral struct{} `json:"-"`
+	XXX_unrecognized     []byte   `json:"-"`
+	XXX_sizecache        int32    `json:"-"`
+}
+
+func (m *ListCertificateAuthoritiesRequest) Reset()         { *m = ListCertificateAuthoritiesRequest{} }
+func (m *ListCertificateAuthoritiesRequest) String() string { return proto.CompactTextString(m) }
+func (*ListCertificateAuthoritiesRequest) ProtoMessage()    {}
+func (*ListCertificateAuthoritiesRequest) Descriptor() ([]byte, []int) {
+	return fileDescriptor_0a2d125abc43e0c9, []int{0}
+}
+
+func (m *ListCertificateAuthoritiesRequest) XXX_Unmarshal(b []byte) error {
+	return xxx_messageInfo_ListCertificateAuthoritiesRequest.Unmarshal(m, b)
+}
+func (m *ListCertificateAuthoritiesRequest) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
+	return xxx_messageInfo_ListCertificateAuthoritiesRequest.Marshal(b, m, deterministic)
+}
+func (m *ListCertificateAuthoritiesRequest) XXX_Merge(src proto.Message) {
+	xxx_messageInfo_ListCertificateAuthoritiesRequest.Merge(m, src)
+}
+func (m *ListCertificateAuthoritiesRequest) XXX_Size() int {
+	return xxx_messageInfo_ListCertificateAuthoritiesRequest.Size(m)
+}
+func (m *ListCertificateAuthoritiesRequest) XXX_DiscardUnknown() {
+	xxx_messageInfo_ListCertificateAuthoritiesRequest.DiscardUnknown(m)
+}
+
+var xxx_messageInfo_ListCertificateAuthoritiesRequest proto.InternalMessageInfo
+
+func (m *ListCertificateAuthoritiesRequest) GetParent() string {
+	if m != nil {
+		return m.Parent
+	}
+	return ""
+}
+
+func (m *ListCertificateAuthoritiesRequest) GetPageSize() int32 {
+	if m != nil {
+		return m.PageSize
+	}
+	return 0
+}
+
+func (m *ListCertificateAuthoritiesRequest) GetPageToken() string {
+	if m != nil {
+		return m.PageToken
+	}
+	return ""
+}
+
+func (m *ListCertificateAuthoritiesRequest) GetFilter() string {
+	if m != nil {
+		return m.Filter
+	}
+	return ""
+}
+
+func (m *ListCertificateAuthoritiesRequest) GetOrderBy() string {
+	if m != nil {
+		return m.OrderBy
+	}
+	return ""
+}
+
+// Request message for
+// [CertificateAuthorityService.ListCertificateRevocationLists][google.cloud.security.privateca.v1alpha1.CertificateAuthorityService.ListCertificateRevocationLists].
+type ListCertificateRevocationListsRequest struct {
+	// Required. The resource name of the location associated with the
+	// [CertificateRevocationLists][google.cloud.security.privateca.v1alpha1.CertificateRevocationList], in the format
+	// `projects/*/locations/*/certificateauthorities/*`.
+	Parent string `protobuf:"bytes,1,opt,name=parent,proto3" json:"parent,omitempty"`
+	// Optional. Limit on the number of
+	// [CertificateRevocationLists][google.cloud.security.privateca.v1alpha1.CertificateRevocationList] to include in the
+	// response. Further [CertificateRevocationLists][google.cloud.security.privateca.v1alpha1.CertificateRevocationList]
+	// can subsequently be obtained by including the
+	// [ListCertificateRevocationListsResponse.next_page_token][google.cloud.security.privateca.v1alpha1.ListCertificateRevocationListsResponse.next_page_token] in a subsequent
+	// request. If unspecified, the server will pick an appropriate default.
+	PageSize int32 `protobuf:"varint,2,opt,name=page_size,json=pageSize,proto3" json:"page_size,omitempty"`
+	// Optional. Pagination token, returned earlier via
+	// [ListCertificateRevocationListsResponse.next_page_token][google.cloud.security.privateca.v1alpha1.ListCertificateRevocationListsResponse.next_page_token].
+	PageToken string `protobuf:"bytes,3,opt,name=page_token,json=pageToken,proto3" json:"page_token,omitempty"`
+	// Optional. Only include resources that match the filter in the response.
+	Filter string `protobuf:"bytes,4,opt,name=filter,proto3" json:"filter,omitempty"`
+	// Optional. Specify how the results should be sorted.
+	OrderBy              string   `protobuf:"bytes,5,opt,name=order_by,json=orderBy,proto3" json:"order_by,omitempty"`
+	XXX_NoUnkeyedLiteral struct{} `json:"-"`
+	XXX_unrecognized     []byte   `json:"-"`
+	XXX_sizecache        int32    `json:"-"`
+}
+
+func (m *ListCertificateRevocationListsRequest) Reset()         { *m = ListCertificateRevocationListsRequest{} }
+func (m *ListCertificateRevocationListsRequest) String() string { return proto.CompactTextString(m) }
+func (*ListCertificateRevocationListsRequest) ProtoMessage()    {}
+func (*ListCertificateRevocationListsRequest) Descriptor() ([]byte, []int) {
+	return fileDescriptor_0a2d125abc43e0c9, []int{1}
+}
+
+func (m *ListCertificateRevocationListsRequest) XXX_Unmarshal(b []byte) error {
+	return xxx_messageInfo_ListCertificateRevocationListsRequest.Unmarshal(m, b)
+}
+func (m *ListCertificateRevocationListsRequest) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
+	return xxx_messageInfo_ListCertificateRevocationListsRequest.Marshal(b, m, deterministic)
+}
+func (m *ListCertificateRevocationListsRequest) XXX_Merge(src proto.Message) {
+	xxx_messageInfo_ListCertificateRevocationListsRequest.Merge(m, src)
+}
+func (m *ListCertificateRevocationListsRequest) XXX_Size() int {
+	return xxx_messageInfo_ListCertificateRevocationListsRequest.Size(m)
+}
+func (m *ListCertificateRevocationListsRequest) XXX_DiscardUnknown() {
+	xxx_messageInfo_ListCertificateRevocationListsRequest.DiscardUnknown(m)
+}
+
+var xxx_messageInfo_ListCertificateRevocationListsRequest proto.InternalMessageInfo
+
+func (m *ListCertificateRevocationListsRequest) GetParent() string {
+	if m != nil {
+		return m.Parent
+	}
+	return ""
+}
+
+func (m *ListCertificateRevocationListsRequest) GetPageSize() int32 {
+	if m != nil {
+		return m.PageSize
+	}
+	return 0
+}
+
+func (m *ListCertificateRevocationListsRequest) GetPageToken() string {
+	if m != nil {
+		return m.PageToken
+	}
+	return ""
+}
+
+func (m *ListCertificateRevocationListsRequest) GetFilter() string {
+	if m != nil {
+		return m.Filter
+	}
+	return ""
+}
+
+func (m *ListCertificateRevocationListsRequest) GetOrderBy() string {
+	if m != nil {
+		return m.OrderBy
+	}
+	return ""
+}
+
+// Request message for [CertificateAuthorityService.ListCertificates][google.cloud.security.privateca.v1alpha1.CertificateAuthorityService.ListCertificates].
+type ListCertificatesRequest struct {
+	// Required. The resource name of the location associated with the
+	// [Certificates][google.cloud.security.privateca.v1alpha1.Certificate], in the format
+	// `projects/*/locations/*/certificateauthorities/*`.
+	Parent string `protobuf:"bytes,1,opt,name=parent,proto3" json:"parent,omitempty"`
+	// Optional. Limit on the number of
+	// [Certificates][google.cloud.security.privateca.v1alpha1.Certificate] to include in the
+	// response. Further [Certificates][google.cloud.security.privateca.v1alpha1.Certificate] can subsequently be obtained
+	// by including the
+	// [ListCertificatesResponse.next_page_token][google.cloud.security.privateca.v1alpha1.ListCertificatesResponse.next_page_token] in a subsequent
+	// request. If unspecified, the server will pick an appropriate default.
+	PageSize int32 `protobuf:"varint,2,opt,name=page_size,json=pageSize,proto3" json:"page_size,omitempty"`
+	// Optional. Pagination token, returned earlier via
+	// [ListCertificatesResponse.next_page_token][google.cloud.security.privateca.v1alpha1.ListCertificatesResponse.next_page_token].
+	PageToken string `protobuf:"bytes,3,opt,name=page_token,json=pageToken,proto3" json:"page_token,omitempty"`
+	// Optional. Only include resources that match the filter in the response.
+	Filter string `protobuf:"bytes,4,opt,name=filter,proto3" json:"filter,omitempty"`
+	// Optional. Specify how the results should be sorted.
+	OrderBy              string   `protobuf:"bytes,5,opt,name=order_by,json=orderBy,proto3" json:"order_by,omitempty"`
+	XXX_NoUnkeyedLiteral struct{} `json:"-"`
+	XXX_unrecognized     []byte   `json:"-"`
+	XXX_sizecache        int32    `json:"-"`
+}
+
+func (m *ListCertificatesRequest) Reset()         { *m = ListCertificatesRequest{} }
+func (m *ListCertificatesRequest) String() string { return proto.CompactTextString(m) }
+func (*ListCertificatesRequest) ProtoMessage()    {}
+func (*ListCertificatesRequest) Descriptor() ([]byte, []int) {
+	return fileDescriptor_0a2d125abc43e0c9, []int{2}
+}
+
+func (m *ListCertificatesRequest) XXX_Unmarshal(b []byte) error {
+	return xxx_messageInfo_ListCertificatesRequest.Unmarshal(m, b)
+}
+func (m *ListCertificatesRequest) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
+	return xxx_messageInfo_ListCertificatesRequest.Marshal(b, m, deterministic)
+}
+func (m *ListCertificatesRequest) XXX_Merge(src proto.Message) {
+	xxx_messageInfo_ListCertificatesRequest.Merge(m, src)
+}
+func (m *ListCertificatesRequest) XXX_Size() int {
+	return xxx_messageInfo_ListCertificatesRequest.Size(m)
+}
+func (m *ListCertificatesRequest) XXX_DiscardUnknown() {
+	xxx_messageInfo_ListCertificatesRequest.DiscardUnknown(m)
+}
+
+var xxx_messageInfo_ListCertificatesRequest proto.InternalMessageInfo
+
+func (m *ListCertificatesRequest) GetParent() string {
+	if m != nil {
+		return m.Parent
+	}
+	return ""
+}
+
+func (m *ListCertificatesRequest) GetPageSize() int32 {
+	if m != nil {
+		return m.PageSize
+	}
+	return 0
+}
+
+func (m *ListCertificatesRequest) GetPageToken() string {
+	if m != nil {
+		return m.PageToken
+	}
+	return ""
+}
+
+func (m *ListCertificatesRequest) GetFilter() string {
+	if m != nil {
+		return m.Filter
+	}
+	return ""
+}
+
+func (m *ListCertificatesRequest) GetOrderBy() string {
+	if m != nil {
+		return m.OrderBy
+	}
+	return ""
+}
+
+// Request message for
+// [CertificateAuthorityService.ListReusableConfigs][google.cloud.security.privateca.v1alpha1.CertificateAuthorityService.ListReusableConfigs].
+type ListReusableConfigsRequest struct {
+	// Required. The resource name of the location associated with the
+	// [ReusableConfigs][google.cloud.security.privateca.v1alpha1.ReusableConfig], in the format
+	// `projects/*/locations/*`.
+	Parent string `protobuf:"bytes,1,opt,name=parent,proto3" json:"parent,omitempty"`
+	// Optional. Limit on the number of
+	// [ReusableConfigs][google.cloud.security.privateca.v1alpha1.ReusableConfig] to include in the response.
+	// Further [ReusableConfigs][google.cloud.security.privateca.v1alpha1.ReusableConfig] can subsequently be
+	// obtained by including the
+	// [ListReusableConfigsResponse.next_page_token][google.cloud.security.privateca.v1alpha1.ListReusableConfigsResponse.next_page_token] in a subsequent request. If
+	// unspecified, the server will pick an appropriate default.
+	PageSize int32 `protobuf:"varint,2,opt,name=page_size,json=pageSize,proto3" json:"page_size,omitempty"`
+	// Optional. Pagination token, returned earlier via
+	// [ListReusableConfigsResponse.next_page_token][google.cloud.security.privateca.v1alpha1.ListReusableConfigsResponse.next_page_token].
+	PageToken string `protobuf:"bytes,3,opt,name=page_token,json=pageToken,proto3" json:"page_token,omitempty"`
+	// Optional. Only include resources that match the filter in the response.
+	Filter string `protobuf:"bytes,4,opt,name=filter,proto3" json:"filter,omitempty"`
+	// Optional. Specify how the results should be sorted.
+	OrderBy              string   `protobuf:"bytes,5,opt,name=order_by,json=orderBy,proto3" json:"order_by,omitempty"`
+	XXX_NoUnkeyedLiteral struct{} `json:"-"`
+	XXX_unrecognized     []byte   `json:"-"`
+	XXX_sizecache        int32    `json:"-"`
+}
+
+func (m *ListReusableConfigsRequest) Reset()         { *m = ListReusableConfigsRequest{} }
+func (m *ListReusableConfigsRequest) String() string { return proto.CompactTextString(m) }
+func (*ListReusableConfigsRequest) ProtoMessage()    {}
+func (*ListReusableConfigsRequest) Descriptor() ([]byte, []int) {
+	return fileDescriptor_0a2d125abc43e0c9, []int{3}
+}
+
+func (m *ListReusableConfigsRequest) XXX_Unmarshal(b []byte) error {
+	return xxx_messageInfo_ListReusableConfigsRequest.Unmarshal(m, b)
+}
+func (m *ListReusableConfigsRequest) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
+	return xxx_messageInfo_ListReusableConfigsRequest.Marshal(b, m, deterministic)
+}
+func (m *ListReusableConfigsRequest) XXX_Merge(src proto.Message) {
+	xxx_messageInfo_ListReusableConfigsRequest.Merge(m, src)
+}
+func (m *ListReusableConfigsRequest) XXX_Size() int {
+	return xxx_messageInfo_ListReusableConfigsRequest.Size(m)
+}
+func (m *ListReusableConfigsRequest) XXX_DiscardUnknown() {
+	xxx_messageInfo_ListReusableConfigsRequest.DiscardUnknown(m)
+}
+
+var xxx_messageInfo_ListReusableConfigsRequest proto.InternalMessageInfo
+
+func (m *ListReusableConfigsRequest) GetParent() string {
+	if m != nil {
+		return m.Parent
+	}
+	return ""
+}
+
+func (m *ListReusableConfigsRequest) GetPageSize() int32 {
+	if m != nil {
+		return m.PageSize
+	}
+	return 0
+}
+
+func (m *ListReusableConfigsRequest) GetPageToken() string {
+	if m != nil {
+		return m.PageToken
+	}
+	return ""
+}
+
+func (m *ListReusableConfigsRequest) GetFilter() string {
+	if m != nil {
+		return m.Filter
+	}
+	return ""
+}
+
+func (m *ListReusableConfigsRequest) GetOrderBy() string {
+	if m != nil {
+		return m.OrderBy
+	}
+	return ""
+}
+
+// Response message for
+// [CertificateAuthorityService.ListCertificateAuthorities][google.cloud.security.privateca.v1alpha1.CertificateAuthorityService.ListCertificateAuthorities].
+type ListCertificateAuthoritiesResponse struct {
+	// The list of [CertificateAuthorities][google.cloud.security.privateca.v1alpha1.CertificateAuthority].
+	CertificateAuthorities []*CertificateAuthority `protobuf:"bytes,1,rep,name=certificate_authorities,json=certificateAuthorities,proto3" json:"certificate_authorities,omitempty"`
+	// A token to retrieve next page of results. Pass this value in
+	// [ListCertificateAuthoritiesRequest.next_page_token][] to retrieve the next
+	// page of results.
+	NextPageToken string `protobuf:"bytes,2,opt,name=next_page_token,json=nextPageToken,proto3" json:"next_page_token,omitempty"`
+	// A list of locations (e.g. "us-west1") that could not be reached.
+	Unreachable          []string `protobuf:"bytes,3,rep,name=unreachable,proto3" json:"unreachable,omitempty"`
+	XXX_NoUnkeyedLiteral struct{} `json:"-"`
+	XXX_unrecognized     []byte   `json:"-"`
+	XXX_sizecache        int32    `json:"-"`
+}
+
+func (m *ListCertificateAuthoritiesResponse) Reset()         { *m = ListCertificateAuthoritiesResponse{} }
+func (m *ListCertificateAuthoritiesResponse) String() string { return proto.CompactTextString(m) }
+func (*ListCertificateAuthoritiesResponse) ProtoMessage()    {}
+func (*ListCertificateAuthoritiesResponse) Descriptor() ([]byte, []int) {
+	return fileDescriptor_0a2d125abc43e0c9, []int{4}
+}
+
+func (m *ListCertificateAuthoritiesResponse) XXX_Unmarshal(b []byte) error {
+	return xxx_messageInfo_ListCertificateAuthoritiesResponse.Unmarshal(m, b)
+}
+func (m *ListCertificateAuthoritiesResponse) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
+	return xxx_messageInfo_ListCertificateAuthoritiesResponse.Marshal(b, m, deterministic)
+}
+func (m *ListCertificateAuthoritiesResponse) XXX_Merge(src proto.Message) {
+	xxx_messageInfo_ListCertificateAuthoritiesResponse.Merge(m, src)
+}
+func (m *ListCertificateAuthoritiesResponse) XXX_Size() int {
+	return xxx_messageInfo_ListCertificateAuthoritiesResponse.Size(m)
+}
+func (m *ListCertificateAuthoritiesResponse) XXX_DiscardUnknown() {
+	xxx_messageInfo_ListCertificateAuthoritiesResponse.DiscardUnknown(m)
+}
+
+var xxx_messageInfo_ListCertificateAuthoritiesResponse proto.InternalMessageInfo
+
+func (m *ListCertificateAuthoritiesResponse) GetCertificateAuthorities() []*CertificateAuthority {
+	if m != nil {
+		return m.CertificateAuthorities
+	}
+	return nil
+}
+
+func (m *ListCertificateAuthoritiesResponse) GetNextPageToken() string {
+	if m != nil {
+		return m.NextPageToken
+	}
+	return ""
+}
+
+func (m *ListCertificateAuthoritiesResponse) GetUnreachable() []string {
+	if m != nil {
+		return m.Unreachable
+	}
+	return nil
+}
+
+// Response message for
+// [CertificateAuthorityService.ListCertificateRevocationLists][google.cloud.security.privateca.v1alpha1.CertificateAuthorityService.ListCertificateRevocationLists].
+type ListCertificateRevocationListsResponse struct {
+	// The list of [CertificateRevocationLists][google.cloud.security.privateca.v1alpha1.CertificateRevocationList].
+	CertificateRevocationLists []*CertificateRevocationList `protobuf:"bytes,1,rep,name=certificate_revocation_lists,json=certificateRevocationLists,proto3" json:"certificate_revocation_lists,omitempty"`
+	// A token to retrieve next page of results. Pass this value in
+	// [ListCertificateRevocationListsRequest.next_page_token][] to retrieve the
+	// next page of results.
+	NextPageToken string `protobuf:"bytes,2,opt,name=next_page_token,json=nextPageToken,proto3" json:"next_page_token,omitempty"`
+	// A list of locations (e.g. "us-west1") that could not be reached.
+	Unreachable          []string `protobuf:"bytes,3,rep,name=unreachable,proto3" json:"unreachable,omitempty"`
+	XXX_NoUnkeyedLiteral struct{} `json:"-"`
+	XXX_unrecognized     []byte   `json:"-"`
+	XXX_sizecache        int32    `json:"-"`
+}
+
+func (m *ListCertificateRevocationListsResponse) Reset() {
+	*m = ListCertificateRevocationListsResponse{}
+}
+func (m *ListCertificateRevocationListsResponse) String() string { return proto.CompactTextString(m) }
+func (*ListCertificateRevocationListsResponse) ProtoMessage()    {}
+func (*ListCertificateRevocationListsResponse) Descriptor() ([]byte, []int) {
+	return fileDescriptor_0a2d125abc43e0c9, []int{5}
+}
+
+func (m *ListCertificateRevocationListsResponse) XXX_Unmarshal(b []byte) error {
+	return xxx_messageInfo_ListCertificateRevocationListsResponse.Unmarshal(m, b)
+}
+func (m *ListCertificateRevocationListsResponse) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
+	return xxx_messageInfo_ListCertificateRevocationListsResponse.Marshal(b, m, deterministic)
+}
+func (m *ListCertificateRevocationListsResponse) XXX_Merge(src proto.Message) {
+	xxx_messageInfo_ListCertificateRevocationListsResponse.Merge(m, src)
+}
+func (m *ListCertificateRevocationListsResponse) XXX_Size() int {
+	return xxx_messageInfo_ListCertificateRevocationListsResponse.Size(m)
+}
+func (m *ListCertificateRevocationListsResponse) XXX_DiscardUnknown() {
+	xxx_messageInfo_ListCertificateRevocationListsResponse.DiscardUnknown(m)
+}
+
+var xxx_messageInfo_ListCertificateRevocationListsResponse proto.InternalMessageInfo
+
+func (m *ListCertificateRevocationListsResponse) GetCertificateRevocationLists() []*CertificateRevocationList {
+	if m != nil {
+		return m.CertificateRevocationLists
+	}
+	return nil
+}
+
+func (m *ListCertificateRevocationListsResponse) GetNextPageToken() string {
+	if m != nil {
+		return m.NextPageToken
+	}
+	return ""
+}
+
+func (m *ListCertificateRevocationListsResponse) GetUnreachable() []string {
+	if m != nil {
+		return m.Unreachable
+	}
+	return nil
+}
+
+// Response message for [CertificateAuthorityService.ListCertificates][google.cloud.security.privateca.v1alpha1.CertificateAuthorityService.ListCertificates].
+type ListCertificatesResponse struct {
+	// The list of [Certificates][google.cloud.security.privateca.v1alpha1.Certificate].
+	Certificates []*Certificate `protobuf:"bytes,1,rep,name=certificates,proto3" json:"certificates,omitempty"`
+	// A token to retrieve next page of results. Pass this value in
+	// [ListCertificatesRequest.next_page_token][] to retrieve the
+	// next page of results.
+	NextPageToken string `protobuf:"bytes,2,opt,name=next_page_token,json=nextPageToken,proto3" json:"next_page_token,omitempty"`
+	// A list of locations (e.g. "us-west1") that could not be reached.
+	Unreachable          []string `protobuf:"bytes,3,rep,name=unreachable,proto3" json:"unreachable,omitempty"`
+	XXX_NoUnkeyedLiteral struct{} `json:"-"`
+	XXX_unrecognized     []byte   `json:"-"`
+	XXX_sizecache        int32    `json:"-"`
+}
+
+func (m *ListCertificatesResponse) Reset()         { *m = ListCertificatesResponse{} }
+func (m *ListCertificatesResponse) String() string { return proto.CompactTextString(m) }
+func (*ListCertificatesResponse) ProtoMessage()    {}
+func (*ListCertificatesResponse) Descriptor() ([]byte, []int) {
+	return fileDescriptor_0a2d125abc43e0c9, []int{6}
+}
+
+func (m *ListCertificatesResponse) XXX_Unmarshal(b []byte) error {
+	return xxx_messageInfo_ListCertificatesResponse.Unmarshal(m, b)
+}
+func (m *ListCertificatesResponse) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
+	return xxx_messageInfo_ListCertificatesResponse.Marshal(b, m, deterministic)
+}
+func (m *ListCertificatesResponse) XXX_Merge(src proto.Message) {
+	xxx_messageInfo_ListCertificatesResponse.Merge(m, src)
+}
+func (m *ListCertificatesResponse) XXX_Size() int {
+	return xxx_messageInfo_ListCertificatesResponse.Size(m)
+}
+func (m *ListCertificatesResponse) XXX_DiscardUnknown() {
+	xxx_messageInfo_ListCertificatesResponse.DiscardUnknown(m)
+}
+
+var xxx_messageInfo_ListCertificatesResponse proto.InternalMessageInfo
+
+func (m *ListCertificatesResponse) GetCertificates() []*Certificate {
+	if m != nil {
+		return m.Certificates
+	}
+	return nil
+}
+
+func (m *ListCertificatesResponse) GetNextPageToken() string {
+	if m != nil {
+		return m.NextPageToken
+	}
+	return ""
+}
+
+func (m *ListCertificatesResponse) GetUnreachable() []string {
+	if m != nil {
+		return m.Unreachable
+	}
+	return nil
+}
+
+// Response message for
+// [CertificateAuthorityService.ListReusableConfigs][google.cloud.security.privateca.v1alpha1.CertificateAuthorityService.ListReusableConfigs].
+type ListReusableConfigsResponse struct {
+	// The list of [ReusableConfigs][google.cloud.security.privateca.v1alpha1.ReusableConfig].
+	ReusableConfigs []*ReusableConfig `protobuf:"bytes,1,rep,name=reusable_configs,json=reusableConfigs,proto3" json:"reusable_configs,omitempty"`
+	// A token to retrieve next page of results. Pass this value in
+	// [ListReusableConfigsRequest.next_page_token][] to retrieve
+	// the next page of results.
+	NextPageToken string `protobuf:"bytes,2,opt,name=next_page_token,json=nextPageToken,proto3" json:"next_page_token,omitempty"`
+	// A list of locations (e.g. "us-west1") that could not be reached.
+	Unreachable          []string `protobuf:"bytes,3,rep,name=unreachable,proto3" json:"unreachable,omitempty"`
+	XXX_NoUnkeyedLiteral struct{} `json:"-"`
+	XXX_unrecognized     []byte   `json:"-"`
+	XXX_sizecache        int32    `json:"-"`
+}
+
+func (m *ListReusableConfigsResponse) Reset()         { *m = ListReusableConfigsResponse{} }
+func (m *ListReusableConfigsResponse) String() string { return proto.CompactTextString(m) }
+func (*ListReusableConfigsResponse) ProtoMessage()    {}
+func (*ListReusableConfigsResponse) Descriptor() ([]byte, []int) {
+	return fileDescriptor_0a2d125abc43e0c9, []int{7}
+}
+
+func (m *ListReusableConfigsResponse) XXX_Unmarshal(b []byte) error {
+	return xxx_messageInfo_ListReusableConfigsResponse.Unmarshal(m, b)
+}
+func (m *ListReusableConfigsResponse) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
+	return xxx_messageInfo_ListReusableConfigsResponse.Marshal(b, m, deterministic)
+}
+func (m *ListReusableConfigsResponse) XXX_Merge(src proto.Message) {
+	xxx_messageInfo_ListReusableConfigsResponse.Merge(m, src)
+}
+func (m *ListReusableConfigsResponse) XXX_Size() int {
+	return xxx_messageInfo_ListReusableConfigsResponse.Size(m)
+}
+func (m *ListReusableConfigsResponse) XXX_DiscardUnknown() {
+	xxx_messageInfo_ListReusableConfigsResponse.DiscardUnknown(m)
+}
+
+var xxx_messageInfo_ListReusableConfigsResponse proto.InternalMessageInfo
+
+func (m *ListReusableConfigsResponse) GetReusableConfigs() []*ReusableConfig {
+	if m != nil {
+		return m.ReusableConfigs
+	}
+	return nil
+}
+
+func (m *ListReusableConfigsResponse) GetNextPageToken() string {
+	if m != nil {
+		return m.NextPageToken
+	}
+	return ""
+}
+
+func (m *ListReusableConfigsResponse) GetUnreachable() []string {
+	if m != nil {
+		return m.Unreachable
+	}
+	return nil
+}
+
+// Request message for [CertificateAuthorityService.GetCertificateAuthority][google.cloud.security.privateca.v1alpha1.CertificateAuthorityService.GetCertificateAuthority].
+type GetCertificateAuthorityRequest struct {
+	// Required. The [name][google.cloud.security.privateca.v1alpha1.CertificateAuthority.name] of the [CertificateAuthority][google.cloud.security.privateca.v1alpha1.CertificateAuthority] to
+	// get.
+	Name                 string   `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"`
+	XXX_NoUnkeyedLiteral struct{} `json:"-"`
+	XXX_unrecognized     []byte   `json:"-"`
+	XXX_sizecache        int32    `json:"-"`
+}
+
+func (m *GetCertificateAuthorityRequest) Reset()         { *m = GetCertificateAuthorityRequest{} }
+func (m *GetCertificateAuthorityRequest) String() string { return proto.CompactTextString(m) }
+func (*GetCertificateAuthorityRequest) ProtoMessage()    {}
+func (*GetCertificateAuthorityRequest) Descriptor() ([]byte, []int) {
+	return fileDescriptor_0a2d125abc43e0c9, []int{8}
+}
+
+func (m *GetCertificateAuthorityRequest) XXX_Unmarshal(b []byte) error {
+	return xxx_messageInfo_GetCertificateAuthorityRequest.Unmarshal(m, b)
+}
+func (m *GetCertificateAuthorityRequest) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
+	return xxx_messageInfo_GetCertificateAuthorityRequest.Marshal(b, m, deterministic)
+}
+func (m *GetCertificateAuthorityRequest) XXX_Merge(src proto.Message) {
+	xxx_messageInfo_GetCertificateAuthorityRequest.Merge(m, src)
+}
+func (m *GetCertificateAuthorityRequest) XXX_Size() int {
+	return xxx_messageInfo_GetCertificateAuthorityRequest.Size(m)
+}
+func (m *GetCertificateAuthorityRequest) XXX_DiscardUnknown() {
+	xxx_messageInfo_GetCertificateAuthorityRequest.DiscardUnknown(m)
+}
+
+var xxx_messageInfo_GetCertificateAuthorityRequest proto.InternalMessageInfo
+
+func (m *GetCertificateAuthorityRequest) GetName() string {
+	if m != nil {
+		return m.Name
+	}
+	return ""
+}
+
+// Request message for
+// [CertificateAuthorityService.GetCertificateRevocationList][google.cloud.security.privateca.v1alpha1.CertificateAuthorityService.GetCertificateRevocationList].
+type GetCertificateRevocationListRequest struct {
+	// Required. The [name][google.cloud.security.privateca.v1alpha1.CertificateRevocationList.name] of the
+	// [CertificateRevocationList][google.cloud.security.privateca.v1alpha1.CertificateRevocationList] to get.
+	Name                 string   `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"`
+	XXX_NoUnkeyedLiteral struct{} `json:"-"`
+	XXX_unrecognized     []byte   `json:"-"`
+	XXX_sizecache        int32    `json:"-"`
+}
+
+func (m *GetCertificateRevocationListRequest) Reset()         { *m = GetCertificateRevocationListRequest{} }
+func (m *GetCertificateRevocationListRequest) String() string { return proto.CompactTextString(m) }
+func (*GetCertificateRevocationListRequest) ProtoMessage()    {}
+func (*GetCertificateRevocationListRequest) Descriptor() ([]byte, []int) {
+	return fileDescriptor_0a2d125abc43e0c9, []int{9}
+}
+
+func (m *GetCertificateRevocationListRequest) XXX_Unmarshal(b []byte) error {
+	return xxx_messageInfo_GetCertificateRevocationListRequest.Unmarshal(m, b)
+}
+func (m *GetCertificateRevocationListRequest) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
+	return xxx_messageInfo_GetCertificateRevocationListRequest.Marshal(b, m, deterministic)
+}
+func (m *GetCertificateRevocationListRequest) XXX_Merge(src proto.Message) {
+	xxx_messageInfo_GetCertificateRevocationListRequest.Merge(m, src)
+}
+func (m *GetCertificateRevocationListRequest) XXX_Size() int {
+	return xxx_messageInfo_GetCertificateRevocationListRequest.Size(m)
+}
+func (m *GetCertificateRevocationListRequest) XXX_DiscardUnknown() {
+	xxx_messageInfo_GetCertificateRevocationListRequest.DiscardUnknown(m)
+}
+
+var xxx_messageInfo_GetCertificateRevocationListRequest proto.InternalMessageInfo
+
+func (m *GetCertificateRevocationListRequest) GetName() string {
+	if m != nil {
+		return m.Name
+	}
+	return ""
+}
+
+// Request message for
+// [CertificateAuthorityService.GetCertificate][google.cloud.security.privateca.v1alpha1.CertificateAuthorityService.GetCertificate].
+type GetCertificateRequest struct {
+	// Required. The [name][google.cloud.security.privateca.v1alpha1.Certificate.name] of the [Certificate][google.cloud.security.privateca.v1alpha1.Certificate] to get.
+	Name                 string   `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"`
+	XXX_NoUnkeyedLiteral struct{} `json:"-"`
+	XXX_unrecognized     []byte   `json:"-"`
+	XXX_sizecache        int32    `json:"-"`
+}
+
+func (m *GetCertificateRequest) Reset()         { *m = GetCertificateRequest{} }
+func (m *GetCertificateRequest) String() string { return proto.CompactTextString(m) }
+func (*GetCertificateRequest) ProtoMessage()    {}
+func (*GetCertificateRequest) Descriptor() ([]byte, []int) {
+	return fileDescriptor_0a2d125abc43e0c9, []int{10}
+}
+
+func (m *GetCertificateRequest) XXX_Unmarshal(b []byte) error {
+	return xxx_messageInfo_GetCertificateRequest.Unmarshal(m, b)
+}
+func (m *GetCertificateRequest) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
+	return xxx_messageInfo_GetCertificateRequest.Marshal(b, m, deterministic)
+}
+func (m *GetCertificateRequest) XXX_Merge(src proto.Message) {
+	xxx_messageInfo_GetCertificateRequest.Merge(m, src)
+}
+func (m *GetCertificateRequest) XXX_Size() int {
+	return xxx_messageInfo_GetCertificateRequest.Size(m)
+}
+func (m *GetCertificateRequest) XXX_DiscardUnknown() {
+	xxx_messageInfo_GetCertificateRequest.DiscardUnknown(m)
+}
+
+var xxx_messageInfo_GetCertificateRequest proto.InternalMessageInfo
+
+func (m *GetCertificateRequest) GetName() string {
+	if m != nil {
+		return m.Name
+	}
+	return ""
+}
+
+// Request message for
+// [CertificateAuthorityService.GetReusableConfig][google.cloud.security.privateca.v1alpha1.CertificateAuthorityService.GetReusableConfig].
+type GetReusableConfigRequest struct {
+	// Required. The [name][ReusableConfigs.name] of the [ReusableConfigs][] to get.
+	Name                 string   `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"`
+	XXX_NoUnkeyedLiteral struct{} `json:"-"`
+	XXX_unrecognized     []byte   `json:"-"`
+	XXX_sizecache        int32    `json:"-"`
+}
+
+func (m *GetReusableConfigRequest) Reset()         { *m = GetReusableConfigRequest{} }
+func (m *GetReusableConfigRequest) String() string { return proto.CompactTextString(m) }
+func (*GetReusableConfigRequest) ProtoMessage()    {}
+func (*GetReusableConfigRequest) Descriptor() ([]byte, []int) {
+	return fileDescriptor_0a2d125abc43e0c9, []int{11}
+}
+
+func (m *GetReusableConfigRequest) XXX_Unmarshal(b []byte) error {
+	return xxx_messageInfo_GetReusableConfigRequest.Unmarshal(m, b)
+}
+func (m *GetReusableConfigRequest) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
+	return xxx_messageInfo_GetReusableConfigRequest.Marshal(b, m, deterministic)
+}
+func (m *GetReusableConfigRequest) XXX_Merge(src proto.Message) {
+	xxx_messageInfo_GetReusableConfigRequest.Merge(m, src)
+}
+func (m *GetReusableConfigRequest) XXX_Size() int {
+	return xxx_messageInfo_GetReusableConfigRequest.Size(m)
+}
+func (m *GetReusableConfigRequest) XXX_DiscardUnknown() {
+	xxx_messageInfo_GetReusableConfigRequest.DiscardUnknown(m)
+}
+
+var xxx_messageInfo_GetReusableConfigRequest proto.InternalMessageInfo
+
+func (m *GetReusableConfigRequest) GetName() string {
+	if m != nil {
+		return m.Name
+	}
+	return ""
+}
+
+// Request message for
+// [CertificateAuthorityService.CreateCertificateAuthority][google.cloud.security.privateca.v1alpha1.CertificateAuthorityService.CreateCertificateAuthority].
+type CreateCertificateAuthorityRequest struct {
+	// Required. The resource name of the location associated with the
+	// [CertificateAuthorities][google.cloud.security.privateca.v1alpha1.CertificateAuthority], in the format
+	// `projects/*/locations/*`.
+	Parent string `protobuf:"bytes,1,opt,name=parent,proto3" json:"parent,omitempty"`
+	// Required. It must be unique within a location and match the regular
+	// expression `[a-zA-Z0-9_-]{1,63}`
+	CertificateAuthorityId string `protobuf:"bytes,2,opt,name=certificate_authority_id,json=certificateAuthorityId,proto3" json:"certificate_authority_id,omitempty"`
+	// Required. A [CertificateAuthority][google.cloud.security.privateca.v1alpha1.CertificateAuthority] with initial field values.
+	CertificateAuthority *CertificateAuthority `protobuf:"bytes,3,opt,name=certificate_authority,json=certificateAuthority,proto3" json:"certificate_authority,omitempty"`
+	// Optional. An ID to identify requests. Specify a unique request ID so that if you must
+	// retry your request, the server will know to ignore the request if it has
+	// already been completed. The server will guarantee that for at least 60
+	// minutes since the first request.
+	//
+	// For example, consider a situation where you make an initial request and t
+	// he request times out. If you make the request again with the same request
+	// ID, the server can check if original operation with the same request ID
+	// was received, and if so, will ignore the second request. This prevents
+	// clients from accidentally creating duplicate commitments.
+	//
+	// The request ID must be a valid UUID with the exception that zero UUID is
+	// not supported (00000000-0000-0000-0000-000000000000).
+	RequestId            string   `protobuf:"bytes,4,opt,name=request_id,json=requestId,proto3" json:"request_id,omitempty"`
+	XXX_NoUnkeyedLiteral struct{} `json:"-"`
+	XXX_unrecognized     []byte   `json:"-"`
+	XXX_sizecache        int32    `json:"-"`
+}
+
+func (m *CreateCertificateAuthorityRequest) Reset()         { *m = CreateCertificateAuthorityRequest{} }
+func (m *CreateCertificateAuthorityRequest) String() string { return proto.CompactTextString(m) }
+func (*CreateCertificateAuthorityRequest) ProtoMessage()    {}
+func (*CreateCertificateAuthorityRequest) Descriptor() ([]byte, []int) {
+	return fileDescriptor_0a2d125abc43e0c9, []int{12}
+}
+
+func (m *CreateCertificateAuthorityRequest) XXX_Unmarshal(b []byte) error {
+	return xxx_messageInfo_CreateCertificateAuthorityRequest.Unmarshal(m, b)
+}
+func (m *CreateCertificateAuthorityRequest) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
+	return xxx_messageInfo_CreateCertificateAuthorityRequest.Marshal(b, m, deterministic)
+}
+func (m *CreateCertificateAuthorityRequest) XXX_Merge(src proto.Message) {
+	xxx_messageInfo_CreateCertificateAuthorityRequest.Merge(m, src)
+}
+func (m *CreateCertificateAuthorityRequest) XXX_Size() int {
+	return xxx_messageInfo_CreateCertificateAuthorityRequest.Size(m)
+}
+func (m *CreateCertificateAuthorityRequest) XXX_DiscardUnknown() {
+	xxx_messageInfo_CreateCertificateAuthorityRequest.DiscardUnknown(m)
+}
+
+var xxx_messageInfo_CreateCertificateAuthorityRequest proto.InternalMessageInfo
+
+func (m *CreateCertificateAuthorityRequest) GetParent() string {
+	if m != nil {
+		return m.Parent
+	}
+	return ""
+}
+
+func (m *CreateCertificateAuthorityRequest) GetCertificateAuthorityId() string {
+	if m != nil {
+		return m.CertificateAuthorityId
+	}
+	return ""
+}
+
+func (m *CreateCertificateAuthorityRequest) GetCertificateAuthority() *CertificateAuthority {
+	if m != nil {
+		return m.CertificateAuthority
+	}
+	return nil
+}
+
+func (m *CreateCertificateAuthorityRequest) GetRequestId() string {
+	if m != nil {
+		return m.RequestId
+	}
+	return ""
+}
+
+// Request message for
+// [CertificateAuthorityService.CreateCertificateRevocationList][google.cloud.security.privateca.v1alpha1.CertificateAuthorityService.CreateCertificateRevocationList].
+type CreateCertificateRevocationListRequest struct {
+	// Required. The resource name of the location and [CertificateAuthority][google.cloud.security.privateca.v1alpha1.CertificateAuthority]
+	// associated with the [CertificateRevocationList][google.cloud.security.privateca.v1alpha1.CertificateRevocationList], in the format
+	// `projects/*/locations/*/certificateAuthorities/*`.
+	Parent string `protobuf:"bytes,1,opt,name=parent,proto3" json:"parent,omitempty"`
+	// Required. It must be unique within a location and match the regular expression
+	// `[a-zA-Z0-9_-]{1,63}`
+	CertificateRevocationListId string `protobuf:"bytes,2,opt,name=certificate_revocation_list_id,json=certificateRevocationListId,proto3" json:"certificate_revocation_list_id,omitempty"`
+	// Required. A [CertificateRevocationList][google.cloud.security.privateca.v1alpha1.CertificateRevocationList] with initial field values.
+	CertificateRevocationList *CertificateRevocationList `protobuf:"bytes,3,opt,name=certificate_revocation_list,json=certificateRevocationList,proto3" json:"certificate_revocation_list,omitempty"`
+	// Optional. An ID to identify requests. Specify a unique request ID so that if you must
+	// retry your request, the server will know to ignore the request if it has
+	// already been completed. The server will guarantee that for at least 60
+	// minutes since the first request.
+	//
+	// For example, consider a situation where you make an initial request and t
+	// he request times out. If you make the request again with the same request
+	// ID, the server can check if original operation with the same request ID
+	// was received, and if so, will ignore the second request. This prevents
+	// clients from accidentally creating duplicate commitments.
+	//
+	// The request ID must be a valid UUID with the exception that zero UUID is
+	// not supported (00000000-0000-0000-0000-000000000000).
+	RequestId            string   `protobuf:"bytes,4,opt,name=request_id,json=requestId,proto3" json:"request_id,omitempty"`
+	XXX_NoUnkeyedLiteral struct{} `json:"-"`
+	XXX_unrecognized     []byte   `json:"-"`
+	XXX_sizecache        int32    `json:"-"`
+}
+
+func (m *CreateCertificateRevocationListRequest) Reset() {
+	*m = CreateCertificateRevocationListRequest{}
+}
+func (m *CreateCertificateRevocationListRequest) String() string { return proto.CompactTextString(m) }
+func (*CreateCertificateRevocationListRequest) ProtoMessage()    {}
+func (*CreateCertificateRevocationListRequest) Descriptor() ([]byte, []int) {
+	return fileDescriptor_0a2d125abc43e0c9, []int{13}
+}
+
+func (m *CreateCertificateRevocationListRequest) XXX_Unmarshal(b []byte) error {
+	return xxx_messageInfo_CreateCertificateRevocationListRequest.Unmarshal(m, b)
+}
+func (m *CreateCertificateRevocationListRequest) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
+	return xxx_messageInfo_CreateCertificateRevocationListRequest.Marshal(b, m, deterministic)
+}
+func (m *CreateCertificateRevocationListRequest) XXX_Merge(src proto.Message) {
+	xxx_messageInfo_CreateCertificateRevocationListRequest.Merge(m, src)
+}
+func (m *CreateCertificateRevocationListRequest) XXX_Size() int {
+	return xxx_messageInfo_CreateCertificateRevocationListRequest.Size(m)
+}
+func (m *CreateCertificateRevocationListRequest) XXX_DiscardUnknown() {
+	xxx_messageInfo_CreateCertificateRevocationListRequest.DiscardUnknown(m)
+}
+
+var xxx_messageInfo_CreateCertificateRevocationListRequest proto.InternalMessageInfo
+
+func (m *CreateCertificateRevocationListRequest) GetParent() string {
+	if m != nil {
+		return m.Parent
+	}
+	return ""
+}
+
+func (m *CreateCertificateRevocationListRequest) GetCertificateRevocationListId() string {
+	if m != nil {
+		return m.CertificateRevocationListId
+	}
+	return ""
+}
+
+func (m *CreateCertificateRevocationListRequest) GetCertificateRevocationList() *CertificateRevocationList {
+	if m != nil {
+		return m.CertificateRevocationList
+	}
+	return nil
+}
+
+func (m *CreateCertificateRevocationListRequest) GetRequestId() string {
+	if m != nil {
+		return m.RequestId
+	}
+	return ""
+}
+
+// Request message for [CertificateAuthorityService.CreateCertificate][google.cloud.security.privateca.v1alpha1.CertificateAuthorityService.CreateCertificate].
+type CreateCertificateRequest struct {
+	// Required. The resource name of the location and [CertificateAuthority][google.cloud.security.privateca.v1alpha1.CertificateAuthority]
+	// associated with the [Certificate][google.cloud.security.privateca.v1alpha1.Certificate], in the format
+	// `projects/*/locations/*/certificateAuthorities/*`.
+	Parent string `protobuf:"bytes,1,opt,name=parent,proto3" json:"parent,omitempty"`
+	// Required. It must be unique within a location and match the regular
+	// expression `[a-zA-Z0-9_-]{1,63}`
+	CertificateId string `protobuf:"bytes,2,opt,name=certificate_id,json=certificateId,proto3" json:"certificate_id,omitempty"`
+	// Required. A [Certificate][google.cloud.security.privateca.v1alpha1.Certificate] with initial field values.
+	Certificate *Certificate `protobuf:"bytes,3,opt,name=certificate,proto3" json:"certificate,omitempty"`
+	// Optional. An ID to identify requests. Specify a unique request ID so that if you must
+	// retry your request, the server will know to ignore the request if it has
+	// already been completed. The server will guarantee that for at least 60
+	// minutes since the first request.
+	//
+	// For example, consider a situation where you make an initial request and t
+	// he request times out. If you make the request again with the same request
+	// ID, the server can check if original operation with the same request ID
+	// was received, and if so, will ignore the second request. This prevents
+	// clients from accidentally creating duplicate commitments.
+	//
+	// The request ID must be a valid UUID with the exception that zero UUID is
+	// not supported (00000000-0000-0000-0000-000000000000).
+	RequestId            string   `protobuf:"bytes,4,opt,name=request_id,json=requestId,proto3" json:"request_id,omitempty"`
+	XXX_NoUnkeyedLiteral struct{} `json:"-"`
+	XXX_unrecognized     []byte   `json:"-"`
+	XXX_sizecache        int32    `json:"-"`
+}
+
+func (m *CreateCertificateRequest) Reset()         { *m = CreateCertificateRequest{} }
+func (m *CreateCertificateRequest) String() string { return proto.CompactTextString(m) }
+func (*CreateCertificateRequest) ProtoMessage()    {}
+func (*CreateCertificateRequest) Descriptor() ([]byte, []int) {
+	return fileDescriptor_0a2d125abc43e0c9, []int{14}
+}
+
+func (m *CreateCertificateRequest) XXX_Unmarshal(b []byte) error {
+	return xxx_messageInfo_CreateCertificateRequest.Unmarshal(m, b)
+}
+func (m *CreateCertificateRequest) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
+	return xxx_messageInfo_CreateCertificateRequest.Marshal(b, m, deterministic)
+}
+func (m *CreateCertificateRequest) XXX_Merge(src proto.Message) {
+	xxx_messageInfo_CreateCertificateRequest.Merge(m, src)
+}
+func (m *CreateCertificateRequest) XXX_Size() int {
+	return xxx_messageInfo_CreateCertificateRequest.Size(m)
+}
+func (m *CreateCertificateRequest) XXX_DiscardUnknown() {
+	xxx_messageInfo_CreateCertificateRequest.DiscardUnknown(m)
+}
+
+var xxx_messageInfo_CreateCertificateRequest proto.InternalMessageInfo
+
+func (m *CreateCertificateRequest) GetParent() string {
+	if m != nil {
+		return m.Parent
+	}
+	return ""
+}
+
+func (m *CreateCertificateRequest) GetCertificateId() string {
+	if m != nil {
+		return m.CertificateId
+	}
+	return ""
+}
+
+func (m *CreateCertificateRequest) GetCertificate() *Certificate {
+	if m != nil {
+		return m.Certificate
+	}
+	return nil
+}
+
+func (m *CreateCertificateRequest) GetRequestId() string {
+	if m != nil {
+		return m.RequestId
+	}
+	return ""
+}
+
+// Request message for
+// [CertificateAuthorityService.CreateReusableConfig][google.cloud.security.privateca.v1alpha1.CertificateAuthorityService.CreateReusableConfig].
+type CreateReusableConfigRequest struct {
+	// Required. The resource name of the location associated with the
+	// [ReusableConfig][google.cloud.security.privateca.v1alpha1.ReusableConfig], in the format
+	// `projects/*/locations/*`.
+	Parent string `protobuf:"bytes,1,opt,name=parent,proto3" json:"parent,omitempty"`
+	// Required. It must be unique within a location and match the regular
+	// expression `[a-zA-Z0-9_-]{1,63}`
+	ReusableConfigId string `protobuf:"bytes,2,opt,name=reusable_config_id,json=reusableConfigId,proto3" json:"reusable_config_id,omitempty"`
+	// Required. A [ReusableConfig][google.cloud.security.privateca.v1alpha1.ReusableConfig] with initial field values.
+	ReusableConfig *ReusableConfig `protobuf:"bytes,3,opt,name=reusable_config,json=reusableConfig,proto3" json:"reusable_config,omitempty"`
+	// Optional. An ID to identify requests. Specify a unique request ID so that if you must
+	// retry your request, the server will know to ignore the request if it has
+	// already been completed. The server will guarantee that for at least 60
+	// minutes since the first request.
+	//
+	// For example, consider a situation where you make an initial request and t
+	// he request times out. If you make the request again with the same request
+	// ID, the server can check if original operation with the same request ID
+	// was received, and if so, will ignore the second request. This prevents
+	// clients from accidentally creating duplicate commitments.
+	//
+	// The request ID must be a valid UUID with the exception that zero UUID is
+	// not supported (00000000-0000-0000-0000-000000000000).
+	RequestId            string   `protobuf:"bytes,4,opt,name=request_id,json=requestId,proto3" json:"request_id,omitempty"`
+	XXX_NoUnkeyedLiteral struct{} `json:"-"`
+	XXX_unrecognized     []byte   `json:"-"`
+	XXX_sizecache        int32    `json:"-"`
+}
+
+func (m *CreateReusableConfigRequest) Reset()         { *m = CreateReusableConfigRequest{} }
+func (m *CreateReusableConfigRequest) String() string { return proto.CompactTextString(m) }
+func (*CreateReusableConfigRequest) ProtoMessage()    {}
+func (*CreateReusableConfigRequest) Descriptor() ([]byte, []int) {
+	return fileDescriptor_0a2d125abc43e0c9, []int{15}
+}
+
+func (m *CreateReusableConfigRequest) XXX_Unmarshal(b []byte) error {
+	return xxx_messageInfo_CreateReusableConfigRequest.Unmarshal(m, b)
+}
+func (m *CreateReusableConfigRequest) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
+	return xxx_messageInfo_CreateReusableConfigRequest.Marshal(b, m, deterministic)
+}
+func (m *CreateReusableConfigRequest) XXX_Merge(src proto.Message) {
+	xxx_messageInfo_CreateReusableConfigRequest.Merge(m, src)
+}
+func (m *CreateReusableConfigRequest) XXX_Size() int {
+	return xxx_messageInfo_CreateReusableConfigRequest.Size(m)
+}
+func (m *CreateReusableConfigRequest) XXX_DiscardUnknown() {
+	xxx_messageInfo_CreateReusableConfigRequest.DiscardUnknown(m)
+}
+
+var xxx_messageInfo_CreateReusableConfigRequest proto.InternalMessageInfo
+
+func (m *CreateReusableConfigRequest) GetParent() string {
+	if m != nil {
+		return m.Parent
+	}
+	return ""
+}
+
+func (m *CreateReusableConfigRequest) GetReusableConfigId() string {
+	if m != nil {
+		return m.ReusableConfigId
+	}
+	return ""
+}
+
+func (m *CreateReusableConfigRequest) GetReusableConfig() *ReusableConfig {
+	if m != nil {
+		return m.ReusableConfig
+	}
+	return nil
+}
+
+func (m *CreateReusableConfigRequest) GetRequestId() string {
+	if m != nil {
+		return m.RequestId
+	}
+	return ""
+}
+
+// Request message for
+// [CertificateAuthorityService.UpdateCertificateAuthority][google.cloud.security.privateca.v1alpha1.CertificateAuthorityService.UpdateCertificateAuthority].
+type UpdateCertificateAuthorityRequest struct {
+	// Required. [CertificateAuthority][google.cloud.security.privateca.v1alpha1.CertificateAuthority] with updated values.
+	CertificateAuthority *CertificateAuthority `protobuf:"bytes,1,opt,name=certificate_authority,json=certificateAuthority,proto3" json:"certificate_authority,omitempty"`
+	// Required. A list of fields to be updated in this request.
+	UpdateMask *field_mask.FieldMask `protobuf:"bytes,2,opt,name=update_mask,json=updateMask,proto3" json:"update_mask,omitempty"`
+	// Optional. An ID to identify requests. Specify a unique request ID so that if you must
+	// retry your request, the server will know to ignore the request if it has
+	// already been completed. The server will guarantee that for at least 60
+	// minutes since the first request.
+	//
+	// For example, consider a situation where you make an initial request and t
+	// he request times out. If you make the request again with the same request
+	// ID, the server can check if original operation with the same request ID
+	// was received, and if so, will ignore the second request. This prevents
+	// clients from accidentally creating duplicate commitments.
+	//
+	// The request ID must be a valid UUID with the exception that zero UUID is
+	// not supported (00000000-0000-0000-0000-000000000000).
+	RequestId            string   `protobuf:"bytes,3,opt,name=request_id,json=requestId,proto3" json:"request_id,omitempty"`
+	XXX_NoUnkeyedLiteral struct{} `json:"-"`
+	XXX_unrecognized     []byte   `json:"-"`
+	XXX_sizecache        int32    `json:"-"`
+}
+
+func (m *UpdateCertificateAuthorityRequest) Reset()         { *m = UpdateCertificateAuthorityRequest{} }
+func (m *UpdateCertificateAuthorityRequest) String() string { return proto.CompactTextString(m) }
+func (*UpdateCertificateAuthorityRequest) ProtoMessage()    {}
+func (*UpdateCertificateAuthorityRequest) Descriptor() ([]byte, []int) {
+	return fileDescriptor_0a2d125abc43e0c9, []int{16}
+}
+
+func (m *UpdateCertificateAuthorityRequest) XXX_Unmarshal(b []byte) error {
+	return xxx_messageInfo_UpdateCertificateAuthorityRequest.Unmarshal(m, b)
+}
+func (m *UpdateCertificateAuthorityRequest) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
+	return xxx_messageInfo_UpdateCertificateAuthorityRequest.Marshal(b, m, deterministic)
+}
+func (m *UpdateCertificateAuthorityRequest) XXX_Merge(src proto.Message) {
+	xxx_messageInfo_UpdateCertificateAuthorityRequest.Merge(m, src)
+}
+func (m *UpdateCertificateAuthorityRequest) XXX_Size() int {
+	return xxx_messageInfo_UpdateCertificateAuthorityRequest.Size(m)
+}
+func (m *UpdateCertificateAuthorityRequest) XXX_DiscardUnknown() {
+	xxx_messageInfo_UpdateCertificateAuthorityRequest.DiscardUnknown(m)
+}
+
+var xxx_messageInfo_UpdateCertificateAuthorityRequest proto.InternalMessageInfo
+
+func (m *UpdateCertificateAuthorityRequest) GetCertificateAuthority() *CertificateAuthority {
+	if m != nil {
+		return m.CertificateAuthority
+	}
+	return nil
+}
+
+func (m *UpdateCertificateAuthorityRequest) GetUpdateMask() *field_mask.FieldMask {
+	if m != nil {
+		return m.UpdateMask
+	}
+	return nil
+}
+
+func (m *UpdateCertificateAuthorityRequest) GetRequestId() string {
+	if m != nil {
+		return m.RequestId
+	}
+	return ""
+}
+
+// Request message for
+// [CertificateAuthorityService.UpdateCertificateRevocationList][google.cloud.security.privateca.v1alpha1.CertificateAuthorityService.UpdateCertificateRevocationList].
+type UpdateCertificateRevocationListRequest struct {
+	// Required. [CertificateRevocationList][google.cloud.security.privateca.v1alpha1.CertificateRevocationList] with updated values.
+	CertificateRevocationList *CertificateRevocationList `protobuf:"bytes,1,opt,name=certificate_revocation_list,json=certificateRevocationList,proto3" json:"certificate_revocation_list,omitempty"`
+	// Required. A list of fields to be updated in this request.
+	UpdateMask *field_mask.FieldMask `protobuf:"bytes,2,opt,name=update_mask,json=updateMask,proto3" json:"update_mask,omitempty"`
+	// Optional. An ID to identify requests. Specify a unique request ID so that if you must
+	// retry your request, the server will know to ignore the request if it has
+	// already been completed. The server will guarantee that for at least 60
+	// minutes since the first request.
+	//
+	// For example, consider a situation where you make an initial request and t
+	// he request times out. If you make the request again with the same request
+	// ID, the server can check if original operation with the same request ID
+	// was received, and if so, will ignore the second request. This prevents
+	// clients from accidentally creating duplicate commitments.
+	//
+	// The request ID must be a valid UUID with the exception that zero UUID is
+	// not supported (00000000-0000-0000-0000-000000000000).
+	RequestId            string   `protobuf:"bytes,3,opt,name=request_id,json=requestId,proto3" json:"request_id,omitempty"`
+	XXX_NoUnkeyedLiteral struct{} `json:"-"`
+	XXX_unrecognized     []byte   `json:"-"`
+	XXX_sizecache        int32    `json:"-"`
+}
+
+func (m *UpdateCertificateRevocationListRequest) Reset() {
+	*m = UpdateCertificateRevocationListRequest{}
+}
+func (m *UpdateCertificateRevocationListRequest) String() string { return proto.CompactTextString(m) }
+func (*UpdateCertificateRevocationListRequest) ProtoMessage()    {}
+func (*UpdateCertificateRevocationListRequest) Descriptor() ([]byte, []int) {
+	return fileDescriptor_0a2d125abc43e0c9, []int{17}
+}
+
+func (m *UpdateCertificateRevocationListRequest) XXX_Unmarshal(b []byte) error {
+	return xxx_messageInfo_UpdateCertificateRevocationListRequest.Unmarshal(m, b)
+}
+func (m *UpdateCertificateRevocationListRequest) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
+	return xxx_messageInfo_UpdateCertificateRevocationListRequest.Marshal(b, m, deterministic)
+}
+func (m *UpdateCertificateRevocationListRequest) XXX_Merge(src proto.Message) {
+	xxx_messageInfo_UpdateCertificateRevocationListRequest.Merge(m, src)
+}
+func (m *UpdateCertificateRevocationListRequest) XXX_Size() int {
+	return xxx_messageInfo_UpdateCertificateRevocationListRequest.Size(m)
+}
+func (m *UpdateCertificateRevocationListRequest) XXX_DiscardUnknown() {
+	xxx_messageInfo_UpdateCertificateRevocationListRequest.DiscardUnknown(m)
+}
+
+var xxx_messageInfo_UpdateCertificateRevocationListRequest proto.InternalMessageInfo
+
+func (m *UpdateCertificateRevocationListRequest) GetCertificateRevocationList() *CertificateRevocationList {
+	if m != nil {
+		return m.CertificateRevocationList
+	}
+	return nil
+}
+
+func (m *UpdateCertificateRevocationListRequest) GetUpdateMask() *field_mask.FieldMask {
+	if m != nil {
+		return m.UpdateMask
+	}
+	return nil
+}
+
+func (m *UpdateCertificateRevocationListRequest) GetRequestId() string {
+	if m != nil {
+		return m.RequestId
+	}
+	return ""
+}
+
+// Request message for [CertificateAuthorityService.UpdateCertificate][google.cloud.security.privateca.v1alpha1.CertificateAuthorityService.UpdateCertificate].
+type UpdateCertificateRequest struct {
+	// Required. [Certificate][google.cloud.security.privateca.v1alpha1.Certificate] with updated values.
+	Certificate *Certificate `protobuf:"bytes,1,opt,name=certificate,proto3" json:"certificate,omitempty"`
+	// Required. A list of fields to be updated in this request.
+	UpdateMask *field_mask.FieldMask `protobuf:"bytes,2,opt,name=update_mask,json=updateMask,proto3" json:"update_mask,omitempty"`
+	// Optional. An ID to identify requests. Specify a unique request ID so that if you must
+	// retry your request, the server will know to ignore the request if it has
+	// already been completed. The server will guarantee that for at least 60
+	// minutes since the first request.
+	//
+	// For example, consider a situation where you make an initial request and t
+	// he request times out. If you make the request again with the same request
+	// ID, the server can check if original operation with the same request ID
+	// was received, and if so, will ignore the second request. This prevents
+	// clients from accidentally creating duplicate commitments.
+	//
+	// The request ID must be a valid UUID with the exception that zero UUID is
+	// not supported (00000000-0000-0000-0000-000000000000).
+	RequestId            string   `protobuf:"bytes,3,opt,name=request_id,json=requestId,proto3" json:"request_id,omitempty"`
+	XXX_NoUnkeyedLiteral struct{} `json:"-"`
+	XXX_unrecognized     []byte   `json:"-"`
+	XXX_sizecache        int32    `json:"-"`
+}
+
+func (m *UpdateCertificateRequest) Reset()         { *m = UpdateCertificateRequest{} }
+func (m *UpdateCertificateRequest) String() string { return proto.CompactTextString(m) }
+func (*UpdateCertificateRequest) ProtoMessage()    {}
+func (*UpdateCertificateRequest) Descriptor() ([]byte, []int) {
+	return fileDescriptor_0a2d125abc43e0c9, []int{18}
+}
+
+func (m *UpdateCertificateRequest) XXX_Unmarshal(b []byte) error {
+	return xxx_messageInfo_UpdateCertificateRequest.Unmarshal(m, b)
+}
+func (m *UpdateCertificateRequest) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
+	return xxx_messageInfo_UpdateCertificateRequest.Marshal(b, m, deterministic)
+}
+func (m *UpdateCertificateRequest) XXX_Merge(src proto.Message) {
+	xxx_messageInfo_UpdateCertificateRequest.Merge(m, src)
+}
+func (m *UpdateCertificateRequest) XXX_Size() int {
+	return xxx_messageInfo_UpdateCertificateRequest.Size(m)
+}
+func (m *UpdateCertificateRequest) XXX_DiscardUnknown() {
+	xxx_messageInfo_UpdateCertificateRequest.DiscardUnknown(m)
+}
+
+var xxx_messageInfo_UpdateCertificateRequest proto.InternalMessageInfo
+
+func (m *UpdateCertificateRequest) GetCertificate() *Certificate {
+	if m != nil {
+		return m.Certificate
+	}
+	return nil
+}
+
+func (m *UpdateCertificateRequest) GetUpdateMask() *field_mask.FieldMask {
+	if m != nil {
+		return m.UpdateMask
+	}
+	return nil
+}
+
+func (m *UpdateCertificateRequest) GetRequestId() string {
+	if m != nil {
+		return m.RequestId
+	}
+	return ""
+}
+
+// Request message for
+// [CertificateAuthorityService.UpdateReusableConfig][google.cloud.security.privateca.v1alpha1.CertificateAuthorityService.UpdateReusableConfig].
+type UpdateReusableConfigRequest struct {
+	// Required. [ReusableConfig][google.cloud.security.privateca.v1alpha1.ReusableConfig] with updated values.
+	ReusableConfig *ReusableConfig `protobuf:"bytes,1,opt,name=reusable_config,json=reusableConfig,proto3" json:"reusable_config,omitempty"`
+	// Required. A list of fields to be updated in this request.
+	UpdateMask *field_mask.FieldMask `protobuf:"bytes,2,opt,name=update_mask,json=updateMask,proto3" json:"update_mask,omitempty"`
+	// Optional. An ID to identify requests. Specify a unique request ID so that if you must
+	// retry your request, the server will know to ignore the request if it has
+	// already been completed. The server will guarantee that for at least 60
+	// minutes since the first request.
+	//
+	// For example, consider a situation where you make an initial request and t
+	// he request times out. If you make the request again with the same request
+	// ID, the server can check if original operation with the same request ID
+	// was received, and if so, will ignore the second request. This prevents
+	// clients from accidentally creating duplicate commitments.
+	//
+	// The request ID must be a valid UUID with the exception that zero UUID is
+	// not supported (00000000-0000-0000-0000-000000000000).
+	RequestId            string   `protobuf:"bytes,3,opt,name=request_id,json=requestId,proto3" json:"request_id,omitempty"`
+	XXX_NoUnkeyedLiteral struct{} `json:"-"`
+	XXX_unrecognized     []byte   `json:"-"`
+	XXX_sizecache        int32    `json:"-"`
+}
+
+func (m *UpdateReusableConfigRequest) Reset()         { *m = UpdateReusableConfigRequest{} }
+func (m *UpdateReusableConfigRequest) String() string { return proto.CompactTextString(m) }
+func (*UpdateReusableConfigRequest) ProtoMessage()    {}
+func (*UpdateReusableConfigRequest) Descriptor() ([]byte, []int) {
+	return fileDescriptor_0a2d125abc43e0c9, []int{19}
+}
+
+func (m *UpdateReusableConfigRequest) XXX_Unmarshal(b []byte) error {
+	return xxx_messageInfo_UpdateReusableConfigRequest.Unmarshal(m, b)
+}
+func (m *UpdateReusableConfigRequest) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
+	return xxx_messageInfo_UpdateReusableConfigRequest.Marshal(b, m, deterministic)
+}
+func (m *UpdateReusableConfigRequest) XXX_Merge(src proto.Message) {
+	xxx_messageInfo_UpdateReusableConfigRequest.Merge(m, src)
+}
+func (m *UpdateReusableConfigRequest) XXX_Size() int {
+	return xxx_messageInfo_UpdateReusableConfigRequest.Size(m)
+}
+func (m *UpdateReusableConfigRequest) XXX_DiscardUnknown() {
+	xxx_messageInfo_UpdateReusableConfigRequest.DiscardUnknown(m)
+}
+
+var xxx_messageInfo_UpdateReusableConfigRequest proto.InternalMessageInfo
+
+func (m *UpdateReusableConfigRequest) GetReusableConfig() *ReusableConfig {
+	if m != nil {
+		return m.ReusableConfig
+	}
+	return nil
+}
+
+func (m *UpdateReusableConfigRequest) GetUpdateMask() *field_mask.FieldMask {
+	if m != nil {
+		return m.UpdateMask
+	}
+	return nil
+}
+
+func (m *UpdateReusableConfigRequest) GetRequestId() string {
+	if m != nil {
+		return m.RequestId
+	}
+	return ""
+}
+
+// Request message for
+// [CertificateAuthorityService.DeleteCertificateAuthority][google.cloud.security.privateca.v1alpha1.CertificateAuthorityService.DeleteCertificateAuthority].
+type DeleteCertificateAuthorityRequest struct {
+	// Required. The resource name for this [CertificateAuthority][google.cloud.security.privateca.v1alpha1.CertificateAuthority] in the
+	// format `projects/*/locations/*/certificateAuthorities/*`.
+	Name string `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"`
+	// Optional. An ID to identify requests. Specify a unique request ID so that if you must
+	// retry your request, the server will know to ignore the request if it has
+	// already been completed. The server will guarantee that for at least 60
+	// minutes since the first request.
+	//
+	// For example, consider a situation where you make an initial request and t
+	// he request times out. If you make the request again with the same request
+	// ID, the server can check if original operation with the same request ID
+	// was received, and if so, will ignore the second request. This prevents
+	// clients from accidentally creating duplicate commitments.
+	//
+	// The request ID must be a valid UUID with the exception that zero UUID is
+	// not supported (00000000-0000-0000-0000-000000000000).
+	RequestId            string   `protobuf:"bytes,2,opt,name=request_id,json=requestId,proto3" json:"request_id,omitempty"`
+	XXX_NoUnkeyedLiteral struct{} `json:"-"`
+	XXX_unrecognized     []byte   `json:"-"`
+	XXX_sizecache        int32    `json:"-"`
+}
+
+func (m *DeleteCertificateAuthorityRequest) Reset()         { *m = DeleteCertificateAuthorityRequest{} }
+func (m *DeleteCertificateAuthorityRequest) String() string { return proto.CompactTextString(m) }
+func (*DeleteCertificateAuthorityRequest) ProtoMessage()    {}
+func (*DeleteCertificateAuthorityRequest) Descriptor() ([]byte, []int) {
+	return fileDescriptor_0a2d125abc43e0c9, []int{20}
+}
+
+func (m *DeleteCertificateAuthorityRequest) XXX_Unmarshal(b []byte) error {
+	return xxx_messageInfo_DeleteCertificateAuthorityRequest.Unmarshal(m, b)
+}
+func (m *DeleteCertificateAuthorityRequest) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
+	return xxx_messageInfo_DeleteCertificateAuthorityRequest.Marshal(b, m, deterministic)
+}
+func (m *DeleteCertificateAuthorityRequest) XXX_Merge(src proto.Message) {
+	xxx_messageInfo_DeleteCertificateAuthorityRequest.Merge(m, src)
+}
+func (m *DeleteCertificateAuthorityRequest) XXX_Size() int {
+	return xxx_messageInfo_DeleteCertificateAuthorityRequest.Size(m)
+}
+func (m *DeleteCertificateAuthorityRequest) XXX_DiscardUnknown() {
+	xxx_messageInfo_DeleteCertificateAuthorityRequest.DiscardUnknown(m)
+}
+
+var xxx_messageInfo_DeleteCertificateAuthorityRequest proto.InternalMessageInfo
+
+func (m *DeleteCertificateAuthorityRequest) GetName() string {
+	if m != nil {
+		return m.Name
+	}
+	return ""
+}
+
+func (m *DeleteCertificateAuthorityRequest) GetRequestId() string {
+	if m != nil {
+		return m.RequestId
+	}
+	return ""
+}
+
+// Request message for
+// [CertificateAuthorityService.GetCertificateAuthorityCsr][google.cloud.security.privateca.v1alpha1.CertificateAuthorityService.GetCertificateAuthorityCsr].
+type GetCertificateAuthorityCsrRequest struct {
+	// Required. The resource name for this [CertificateAuthority][google.cloud.security.privateca.v1alpha1.CertificateAuthority] in the
+	// format `projects/*/locations/*/certificateAuthorities/*`.
+	Name                 string   `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"`
+	XXX_NoUnkeyedLiteral struct{} `json:"-"`
+	XXX_unrecognized     []byte   `json:"-"`
+	XXX_sizecache        int32    `json:"-"`
+}
+
+func (m *GetCertificateAuthorityCsrRequest) Reset()         { *m = GetCertificateAuthorityCsrRequest{} }
+func (m *GetCertificateAuthorityCsrRequest) String() string { return proto.CompactTextString(m) }
+func (*GetCertificateAuthorityCsrRequest) ProtoMessage()    {}
+func (*GetCertificateAuthorityCsrRequest) Descriptor() ([]byte, []int) {
+	return fileDescriptor_0a2d125abc43e0c9, []int{21}
+}
+
+func (m *GetCertificateAuthorityCsrRequest) XXX_Unmarshal(b []byte) error {
+	return xxx_messageInfo_GetCertificateAuthorityCsrRequest.Unmarshal(m, b)
+}
+func (m *GetCertificateAuthorityCsrRequest) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
+	return xxx_messageInfo_GetCertificateAuthorityCsrRequest.Marshal(b, m, deterministic)
+}
+func (m *GetCertificateAuthorityCsrRequest) XXX_Merge(src proto.Message) {
+	xxx_messageInfo_GetCertificateAuthorityCsrRequest.Merge(m, src)
+}
+func (m *GetCertificateAuthorityCsrRequest) XXX_Size() int {
+	return xxx_messageInfo_GetCertificateAuthorityCsrRequest.Size(m)
+}
+func (m *GetCertificateAuthorityCsrRequest) XXX_DiscardUnknown() {
+	xxx_messageInfo_GetCertificateAuthorityCsrRequest.DiscardUnknown(m)
+}
+
+var xxx_messageInfo_GetCertificateAuthorityCsrRequest proto.InternalMessageInfo
+
+func (m *GetCertificateAuthorityCsrRequest) GetName() string {
+	if m != nil {
+		return m.Name
+	}
+	return ""
+}
+
+// Response message for
+// [CertificateAuthorityService.GetCertificateAuthorityCsr][google.cloud.security.privateca.v1alpha1.CertificateAuthorityService.GetCertificateAuthorityCsr].
+type GetCertificateAuthorityCsrResponse struct {
+	// Output only. The PEM-encoded signed certificate signing request (CSR).
+	PemCsr               string   `protobuf:"bytes,1,opt,name=pem_csr,json=pemCsr,proto3" json:"pem_csr,omitempty"`
+	XXX_NoUnkeyedLiteral struct{} `json:"-"`
+	XXX_unrecognized     []byte   `json:"-"`
+	XXX_sizecache        int32    `json:"-"`
+}
+
+func (m *GetCertificateAuthorityCsrResponse) Reset()         { *m = GetCertificateAuthorityCsrResponse{} }
+func (m *GetCertificateAuthorityCsrResponse) String() string { return proto.CompactTextString(m) }
+func (*GetCertificateAuthorityCsrResponse) ProtoMessage()    {}
+func (*GetCertificateAuthorityCsrResponse) Descriptor() ([]byte, []int) {
+	return fileDescriptor_0a2d125abc43e0c9, []int{22}
+}
+
+func (m *GetCertificateAuthorityCsrResponse) XXX_Unmarshal(b []byte) error {
+	return xxx_messageInfo_GetCertificateAuthorityCsrResponse.Unmarshal(m, b)
+}
+func (m *GetCertificateAuthorityCsrResponse) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
+	return xxx_messageInfo_GetCertificateAuthorityCsrResponse.Marshal(b, m, deterministic)
+}
+func (m *GetCertificateAuthorityCsrResponse) XXX_Merge(src proto.Message) {
+	xxx_messageInfo_GetCertificateAuthorityCsrResponse.Merge(m, src)
+}
+func (m *GetCertificateAuthorityCsrResponse) XXX_Size() int {
+	return xxx_messageInfo_GetCertificateAuthorityCsrResponse.Size(m)
+}
+func (m *GetCertificateAuthorityCsrResponse) XXX_DiscardUnknown() {
+	xxx_messageInfo_GetCertificateAuthorityCsrResponse.DiscardUnknown(m)
+}
+
+var xxx_messageInfo_GetCertificateAuthorityCsrResponse proto.InternalMessageInfo
+
+func (m *GetCertificateAuthorityCsrResponse) GetPemCsr() string {
+	if m != nil {
+		return m.PemCsr
+	}
+	return ""
+}
+
+// Request message for
+// [CertificateAuthorityService.ActivateCertificateAuthority][google.cloud.security.privateca.v1alpha1.CertificateAuthorityService.ActivateCertificateAuthority].
+type ActivateCertificateAuthorityRequest struct {
+	// Required. The resource name for this [CertificateAuthority][google.cloud.security.privateca.v1alpha1.CertificateAuthority] in the
+	// format `projects/*/locations/*/certificateAuthorities/*`.
+	Name string `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"`
+	// Required. The signed CA certificate issued from
+	// [GetCertificateAuthorityCsrResponse.pem_csr][google.cloud.security.privateca.v1alpha1.GetCertificateAuthorityCsrResponse.pem_csr].
+	PemCaCertificate string `protobuf:"bytes,2,opt,name=pem_ca_certificate,json=pemCaCertificate,proto3" json:"pem_ca_certificate,omitempty"`
+	// Required. Must include the issuer of 'pem_ca_certificate', and any further issuers
+	// until the self-signed CA. Expected to be in issuer-to-root order according
+	// to RFC 5246.
+	PemCaCertificateChain []string `protobuf:"bytes,3,rep,name=pem_ca_certificate_chain,json=pemCaCertificateChain,proto3" json:"pem_ca_certificate_chain,omitempty"`
+	// Optional. An ID to identify requests. Specify a unique request ID so that if you must
+	// retry your request, the server will know to ignore the request if it has
+	// already been completed. The server will guarantee that for at least 60
+	// minutes since the first request.
+	//
+	// For example, consider a situation where you make an initial request and t
+	// he request times out. If you make the request again with the same request
+	// ID, the server can check if original operation with the same request ID
+	// was received, and if so, will ignore the second request. This prevents
+	// clients from accidentally creating duplicate commitments.
+	//
+	// The request ID must be a valid UUID with the exception that zero UUID is
+	// not supported (00000000-0000-0000-0000-000000000000).
+	RequestId            string   `protobuf:"bytes,4,opt,name=request_id,json=requestId,proto3" json:"request_id,omitempty"`
+	XXX_NoUnkeyedLiteral struct{} `json:"-"`
+	XXX_unrecognized     []byte   `json:"-"`
+	XXX_sizecache        int32    `json:"-"`
+}
+
+func (m *ActivateCertificateAuthorityRequest) Reset()         { *m = ActivateCertificateAuthorityRequest{} }
+func (m *ActivateCertificateAuthorityRequest) String() string { return proto.CompactTextString(m) }
+func (*ActivateCertificateAuthorityRequest) ProtoMessage()    {}
+func (*ActivateCertificateAuthorityRequest) Descriptor() ([]byte, []int) {
+	return fileDescriptor_0a2d125abc43e0c9, []int{23}
+}
+
+func (m *ActivateCertificateAuthorityRequest) XXX_Unmarshal(b []byte) error {
+	return xxx_messageInfo_ActivateCertificateAuthorityRequest.Unmarshal(m, b)
+}
+func (m *ActivateCertificateAuthorityRequest) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
+	return xxx_messageInfo_ActivateCertificateAuthorityRequest.Marshal(b, m, deterministic)
+}
+func (m *ActivateCertificateAuthorityRequest) XXX_Merge(src proto.Message) {
+	xxx_messageInfo_ActivateCertificateAuthorityRequest.Merge(m, src)
+}
+func (m *ActivateCertificateAuthorityRequest) XXX_Size() int {
+	return xxx_messageInfo_ActivateCertificateAuthorityRequest.Size(m)
+}
+func (m *ActivateCertificateAuthorityRequest) XXX_DiscardUnknown() {
+	xxx_messageInfo_ActivateCertificateAuthorityRequest.DiscardUnknown(m)
+}
+
+var xxx_messageInfo_ActivateCertificateAuthorityRequest proto.InternalMessageInfo
+
+func (m *ActivateCertificateAuthorityRequest) GetName() string {
+	if m != nil {
+		return m.Name
+	}
+	return ""
+}
+
+func (m *ActivateCertificateAuthorityRequest) GetPemCaCertificate() string {
+	if m != nil {
+		return m.PemCaCertificate
+	}
+	return ""
+}
+
+func (m *ActivateCertificateAuthorityRequest) GetPemCaCertificateChain() []string {
+	if m != nil {
+		return m.PemCaCertificateChain
+	}
+	return nil
+}
+
+func (m *ActivateCertificateAuthorityRequest) GetRequestId() string {
+	if m != nil {
+		return m.RequestId
+	}
+	return ""
+}
+
+// Request message for
+// [CertificateAuthorityService.DisableCertificateAuthority][google.cloud.security.privateca.v1alpha1.CertificateAuthorityService.DisableCertificateAuthority].
+type DisableCertificateAuthorityRequest struct {
+	// Required. The resource name for this [CertificateAuthority][google.cloud.security.privateca.v1alpha1.CertificateAuthority] in the
+	// format `projects/*/locations/*/certificateAuthorities/*`.
+	Name string `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"`
+	// Optional. An ID to identify requests. Specify a unique request ID so that if you must
+	// retry your request, the server will know to ignore the request if it has
+	// already been completed. The server will guarantee that for at least 60
+	// minutes since the first request.
+	//
+	// For example, consider a situation where you make an initial request and t
+	// he request times out. If you make the request again with the same request
+	// ID, the server can check if original operation with the same request ID
+	// was received, and if so, will ignore the second request. This prevents
+	// clients from accidentally creating duplicate commitments.
+	//
+	// The request ID must be a valid UUID with the exception that zero UUID is
+	// not supported (00000000-0000-0000-0000-000000000000).
+	RequestId            string   `protobuf:"bytes,2,opt,name=request_id,json=requestId,proto3" json:"request_id,omitempty"`
+	XXX_NoUnkeyedLiteral struct{} `json:"-"`
+	XXX_unrecognized     []byte   `json:"-"`
+	XXX_sizecache        int32    `json:"-"`
+}
+
+func (m *DisableCertificateAuthorityRequest) Reset()         { *m = DisableCertificateAuthorityRequest{} }
+func (m *DisableCertificateAuthorityRequest) String() string { return proto.CompactTextString(m) }
+func (*DisableCertificateAuthorityRequest) ProtoMessage()    {}
+func (*DisableCertificateAuthorityRequest) Descriptor() ([]byte, []int) {
+	return fileDescriptor_0a2d125abc43e0c9, []int{24}
+}
+
+func (m *DisableCertificateAuthorityRequest) XXX_Unmarshal(b []byte) error {
+	return xxx_messageInfo_DisableCertificateAuthorityRequest.Unmarshal(m, b)
+}
+func (m *DisableCertificateAuthorityRequest) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
+	return xxx_messageInfo_DisableCertificateAuthorityRequest.Marshal(b, m, deterministic)
+}
+func (m *DisableCertificateAuthorityRequest) XXX_Merge(src proto.Message) {
+	xxx_messageInfo_DisableCertificateAuthorityRequest.Merge(m, src)
+}
+func (m *DisableCertificateAuthorityRequest) XXX_Size() int {
+	return xxx_messageInfo_DisableCertificateAuthorityRequest.Size(m)
+}
+func (m *DisableCertificateAuthorityRequest) XXX_DiscardUnknown() {
+	xxx_messageInfo_DisableCertificateAuthorityRequest.DiscardUnknown(m)
+}
+
+var xxx_messageInfo_DisableCertificateAuthorityRequest proto.InternalMessageInfo
+
+func (m *DisableCertificateAuthorityRequest) GetName() string {
+	if m != nil {
+		return m.Name
+	}
+	return ""
+}
+
+func (m *DisableCertificateAuthorityRequest) GetRequestId() string {
+	if m != nil {
+		return m.RequestId
+	}
+	return ""
+}
+
+// Request message for
+// [CertificateAuthorityService.EnableCertificateAuthority][google.cloud.security.privateca.v1alpha1.CertificateAuthorityService.EnableCertificateAuthority].
+type EnableCertificateAuthorityRequest struct {
+	// Required. The resource name for this [CertificateAuthority][google.cloud.security.privateca.v1alpha1.CertificateAuthority] in the
+	// format `projects/*/locations/*/certificateAuthorities/*`.
+	Name string `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"`
+	// Optional. An ID to identify requests. Specify a unique request ID so that if you must
+	// retry your request, the server will know to ignore the request if it has
+	// already been completed. The server will guarantee that for at least 60
+	// minutes since the first request.
+	//
+	// For example, consider a situation where you make an initial request and t
+	// he request times out. If you make the request again with the same request
+	// ID, the server can check if original operation with the same request ID
+	// was received, and if so, will ignore the second request. This prevents
+	// clients from accidentally creating duplicate commitments.
+	//
+	// The request ID must be a valid UUID with the exception that zero UUID is
+	// not supported (00000000-0000-0000-0000-000000000000).
+	RequestId            string   `protobuf:"bytes,2,opt,name=request_id,json=requestId,proto3" json:"request_id,omitempty"`
+	XXX_NoUnkeyedLiteral struct{} `json:"-"`
+	XXX_unrecognized     []byte   `json:"-"`
+	XXX_sizecache        int32    `json:"-"`
+}
+
+func (m *EnableCertificateAuthorityRequest) Reset()         { *m = EnableCertificateAuthorityRequest{} }
+func (m *EnableCertificateAuthorityRequest) String() string { return proto.CompactTextString(m) }
+func (*EnableCertificateAuthorityRequest) ProtoMessage()    {}
+func (*EnableCertificateAuthorityRequest) Descriptor() ([]byte, []int) {
+	return fileDescriptor_0a2d125abc43e0c9, []int{25}
+}
+
+func (m *EnableCertificateAuthorityRequest) XXX_Unmarshal(b []byte) error {
+	return xxx_messageInfo_EnableCertificateAuthorityRequest.Unmarshal(m, b)
+}
+func (m *EnableCertificateAuthorityRequest) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
+	return xxx_messageInfo_EnableCertificateAuthorityRequest.Marshal(b, m, deterministic)
+}
+func (m *EnableCertificateAuthorityRequest) XXX_Merge(src proto.Message) {
+	xxx_messageInfo_EnableCertificateAuthorityRequest.Merge(m, src)
+}
+func (m *EnableCertificateAuthorityRequest) XXX_Size() int {
+	return xxx_messageInfo_EnableCertificateAuthorityRequest.Size(m)
+}
+func (m *EnableCertificateAuthorityRequest) XXX_DiscardUnknown() {
+	xxx_messageInfo_EnableCertificateAuthorityRequest.DiscardUnknown(m)
+}
+
+var xxx_messageInfo_EnableCertificateAuthorityRequest proto.InternalMessageInfo
+
+func (m *EnableCertificateAuthorityRequest) GetName() string {
+	if m != nil {
+		return m.Name
+	}
+	return ""
+}
+
+func (m *EnableCertificateAuthorityRequest) GetRequestId() string {
+	if m != nil {
+		return m.RequestId
+	}
+	return ""
+}
+
+// Request message for
+// [CertificateAuthorityService.ScheduleDeleteCertificateAuthority][google.cloud.security.privateca.v1alpha1.CertificateAuthorityService.ScheduleDeleteCertificateAuthority].
+type ScheduleDeleteCertificateAuthorityRequest struct {
+	// Required. The resource name for this [CertificateAuthority][google.cloud.security.privateca.v1alpha1.CertificateAuthority] in the
+	// format `projects/*/locations/*/certificateAuthorities/*`.
+	Name string `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"`
+	// Optional. An ID to identify requests. Specify a unique request ID so that if you must
+	// retry your request, the server will know to ignore the request if it has
+	// already been completed. The server will guarantee that for at least 60
+	// minutes since the first request.
+	//
+	// For example, consider a situation where you make an initial request and t
+	// he request times out. If you make the request again with the same request
+	// ID, the server can check if original operation with the same request ID
+	// was received, and if so, will ignore the second request. This prevents
+	// clients from accidentally creating duplicate commitments.
+	//
+	// The request ID must be a valid UUID with the exception that zero UUID is
+	// not supported (00000000-0000-0000-0000-000000000000).
+	RequestId            string   `protobuf:"bytes,2,opt,name=request_id,json=requestId,proto3" json:"request_id,omitempty"`
+	XXX_NoUnkeyedLiteral struct{} `json:"-"`
+	XXX_unrecognized     []byte   `json:"-"`
+	XXX_sizecache        int32    `json:"-"`
+}
+
+func (m *ScheduleDeleteCertificateAuthorityRequest) Reset() {
+	*m = ScheduleDeleteCertificateAuthorityRequest{}
+}
+func (m *ScheduleDeleteCertificateAuthorityRequest) String() string {
+	return proto.CompactTextString(m)
+}
+func (*ScheduleDeleteCertificateAuthorityRequest) ProtoMessage() {}
+func (*ScheduleDeleteCertificateAuthorityRequest) Descriptor() ([]byte, []int) {
+	return fileDescriptor_0a2d125abc43e0c9, []int{26}
+}
+
+func (m *ScheduleDeleteCertificateAuthorityRequest) XXX_Unmarshal(b []byte) error {
+	return xxx_messageInfo_ScheduleDeleteCertificateAuthorityRequest.Unmarshal(m, b)
+}
+func (m *ScheduleDeleteCertificateAuthorityRequest) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
+	return xxx_messageInfo_ScheduleDeleteCertificateAuthorityRequest.Marshal(b, m, deterministic)
+}
+func (m *ScheduleDeleteCertificateAuthorityRequest) XXX_Merge(src proto.Message) {
+	xxx_messageInfo_ScheduleDeleteCertificateAuthorityRequest.Merge(m, src)
+}
+func (m *ScheduleDeleteCertificateAuthorityRequest) XXX_Size() int {
+	return xxx_messageInfo_ScheduleDeleteCertificateAuthorityRequest.Size(m)
+}
+func (m *ScheduleDeleteCertificateAuthorityRequest) XXX_DiscardUnknown() {
+	xxx_messageInfo_ScheduleDeleteCertificateAuthorityRequest.DiscardUnknown(m)
+}
+
+var xxx_messageInfo_ScheduleDeleteCertificateAuthorityRequest proto.InternalMessageInfo
+
+func (m *ScheduleDeleteCertificateAuthorityRequest) GetName() string {
+	if m != nil {
+		return m.Name
+	}
+	return ""
+}
+
+func (m *ScheduleDeleteCertificateAuthorityRequest) GetRequestId() string {
+	if m != nil {
+		return m.RequestId
+	}
+	return ""
+}
+
+// Request message for
+// [CertificateAuthorityService.RestoreCertificateAuthority][google.cloud.security.privateca.v1alpha1.CertificateAuthorityService.RestoreCertificateAuthority].
+type RestoreCertificateAuthorityRequest struct {
+	// Required. The resource name for this [CertificateAuthority][google.cloud.security.privateca.v1alpha1.CertificateAuthority] in the
+	// format `projects/*/locations/*/certificateAuthorities/*`.
+	Name string `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"`
+	// Optional. An ID to identify requests. Specify a unique request ID so that if you must
+	// retry your request, the server will know to ignore the request if it has
+	// already been completed. The server will guarantee that for at least 60
+	// minutes since the first request.
+	//
+	// For example, consider a situation where you make an initial request and t
+	// he request times out. If you make the request again with the same request
+	// ID, the server can check if original operation with the same request ID
+	// was received, and if so, will ignore the second request. This prevents
+	// clients from accidentally creating duplicate commitments.
+	//
+	// The request ID must be a valid UUID with the exception that zero UUID is
+	// not supported (00000000-0000-0000-0000-000000000000).
+	RequestId            string   `protobuf:"bytes,2,opt,name=request_id,json=requestId,proto3" json:"request_id,omitempty"`
+	XXX_NoUnkeyedLiteral struct{} `json:"-"`
+	XXX_unrecognized     []byte   `json:"-"`
+	XXX_sizecache        int32    `json:"-"`
+}
+
+func (m *RestoreCertificateAuthorityRequest) Reset()         { *m = RestoreCertificateAuthorityRequest{} }
+func (m *RestoreCertificateAuthorityRequest) String() string { return proto.CompactTextString(m) }
+func (*RestoreCertificateAuthorityRequest) ProtoMessage()    {}
+func (*RestoreCertificateAuthorityRequest) Descriptor() ([]byte, []int) {
+	return fileDescriptor_0a2d125abc43e0c9, []int{27}
+}
+
+func (m *RestoreCertificateAuthorityRequest) XXX_Unmarshal(b []byte) error {
+	return xxx_messageInfo_RestoreCertificateAuthorityRequest.Unmarshal(m, b)
+}
+func (m *RestoreCertificateAuthorityRequest) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
+	return xxx_messageInfo_RestoreCertificateAuthorityRequest.Marshal(b, m, deterministic)
+}
+func (m *RestoreCertificateAuthorityRequest) XXX_Merge(src proto.Message) {
+	xxx_messageInfo_RestoreCertificateAuthorityRequest.Merge(m, src)
+}
+func (m *RestoreCertificateAuthorityRequest) XXX_Size() int {
+	return xxx_messageInfo_RestoreCertificateAuthorityRequest.Size(m)
+}
+func (m *RestoreCertificateAuthorityRequest) XXX_DiscardUnknown() {
+	xxx_messageInfo_RestoreCertificateAuthorityRequest.DiscardUnknown(m)
+}
+
+var xxx_messageInfo_RestoreCertificateAuthorityRequest proto.InternalMessageInfo
+
+func (m *RestoreCertificateAuthorityRequest) GetName() string {
+	if m != nil {
+		return m.Name
+	}
+	return ""
+}
+
+func (m *RestoreCertificateAuthorityRequest) GetRequestId() string {
+	if m != nil {
+		return m.RequestId
+	}
+	return ""
+}
+
+// Request message for
+// [CertificateAuthorityService.RevokeCertificate][google.cloud.security.privateca.v1alpha1.CertificateAuthorityService.RevokeCertificate].
+type RevokeCertificateRequest struct {
+	// Required. The resource name for this [Certificate][google.cloud.security.privateca.v1alpha1.Certificate] in the
+	// format `projects/*/locations/*/certificateAuthorities/*/certificates/*`.
+	Name string `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"`
+	// Required. The [RevocationReason][google.cloud.security.privateca.v1alpha1.RevocationReason] for revoking this certificate.
+	Reason RevocationReason `protobuf:"varint,2,opt,name=reason,proto3,enum=google.cloud.security.privateca.v1alpha1.RevocationReason" json:"reason,omitempty"`
+	// Optional. An ID to identify requests. Specify a unique request ID so that if you must
+	// retry your request, the server will know to ignore the request if it has
+	// already been completed. The server will guarantee that for at least 60
+	// minutes since the first request.
+	//
+	// For example, consider a situation where you make an initial request and t
+	// he request times out. If you make the request again with the same request
+	// ID, the server can check if original operation with the same request ID
+	// was received, and if so, will ignore the second request. This prevents
+	// clients from accidentally creating duplicate commitments.
+	//
+	// The request ID must be a valid UUID with the exception that zero UUID is
+	// not supported (00000000-0000-0000-0000-000000000000).
+	RequestId            string   `protobuf:"bytes,3,opt,name=request_id,json=requestId,proto3" json:"request_id,omitempty"`
+	XXX_NoUnkeyedLiteral struct{} `json:"-"`
+	XXX_unrecognized     []byte   `json:"-"`
+	XXX_sizecache        int32    `json:"-"`
+}
+
+func (m *RevokeCertificateRequest) Reset()         { *m = RevokeCertificateRequest{} }
+func (m *RevokeCertificateRequest) String() string { return proto.CompactTextString(m) }
+func (*RevokeCertificateRequest) ProtoMessage()    {}
+func (*RevokeCertificateRequest) Descriptor() ([]byte, []int) {
+	return fileDescriptor_0a2d125abc43e0c9, []int{28}
+}
+
+func (m *RevokeCertificateRequest) XXX_Unmarshal(b []byte) error {
+	return xxx_messageInfo_RevokeCertificateRequest.Unmarshal(m, b)
+}
+func (m *RevokeCertificateRequest) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
+	return xxx_messageInfo_RevokeCertificateRequest.Marshal(b, m, deterministic)
+}
+func (m *RevokeCertificateRequest) XXX_Merge(src proto.Message) {
+	xxx_messageInfo_RevokeCertificateRequest.Merge(m, src)
+}
+func (m *RevokeCertificateRequest) XXX_Size() int {
+	return xxx_messageInfo_RevokeCertificateRequest.Size(m)
+}
+func (m *RevokeCertificateRequest) XXX_DiscardUnknown() {
+	xxx_messageInfo_RevokeCertificateRequest.DiscardUnknown(m)
+}
+
+var xxx_messageInfo_RevokeCertificateRequest proto.InternalMessageInfo
+
+func (m *RevokeCertificateRequest) GetName() string {
+	if m != nil {
+		return m.Name
+	}
+	return ""
+}
+
+func (m *RevokeCertificateRequest) GetReason() RevocationReason {
+	if m != nil {
+		return m.Reason
+	}
+	return RevocationReason_REVOCATION_REASON_UNSPECIFIED
+}
+
+func (m *RevokeCertificateRequest) GetRequestId() string {
+	if m != nil {
+		return m.RequestId
+	}
+	return ""
+}
+
+// Request message for
+// [CertificateAuthorityService.PublishCertificateRevocationList][google.cloud.security.privateca.v1alpha1.CertificateAuthorityService.PublishCertificateRevocationList].
+type PublishCertificateRevocationListRequest struct {
+	// Required. The resource name of the location and [CertificateAuthority][google.cloud.security.privateca.v1alpha1.CertificateAuthority], in the
+	// format `projects/*/locations/*/certificateAuthorities/*`.
+	Name                 string   `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"`
+	XXX_NoUnkeyedLiteral struct{} `json:"-"`
+	XXX_unrecognized     []byte   `json:"-"`
+	XXX_sizecache        int32    `json:"-"`
+}
+
+func (m *PublishCertificateRevocationListRequest) Reset() {
+	*m = PublishCertificateRevocationListRequest{}
+}
+func (m *PublishCertificateRevocationListRequest) String() string { return proto.CompactTextString(m) }
+func (*PublishCertificateRevocationListRequest) ProtoMessage()    {}
+func (*PublishCertificateRevocationListRequest) Descriptor() ([]byte, []int) {
+	return fileDescriptor_0a2d125abc43e0c9, []int{29}
+}
+
+func (m *PublishCertificateRevocationListRequest) XXX_Unmarshal(b []byte) error {
+	return xxx_messageInfo_PublishCertificateRevocationListRequest.Unmarshal(m, b)
+}
+func (m *PublishCertificateRevocationListRequest) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
+	return xxx_messageInfo_PublishCertificateRevocationListRequest.Marshal(b, m, deterministic)
+}
+func (m *PublishCertificateRevocationListRequest) XXX_Merge(src proto.Message) {
+	xxx_messageInfo_PublishCertificateRevocationListRequest.Merge(m, src)
+}
+func (m *PublishCertificateRevocationListRequest) XXX_Size() int {
+	return xxx_messageInfo_PublishCertificateRevocationListRequest.Size(m)
+}
+func (m *PublishCertificateRevocationListRequest) XXX_DiscardUnknown() {
+	xxx_messageInfo_PublishCertificateRevocationListRequest.DiscardUnknown(m)
+}
+
+var xxx_messageInfo_PublishCertificateRevocationListRequest proto.InternalMessageInfo
+
+func (m *PublishCertificateRevocationListRequest) GetName() string {
+	if m != nil {
+		return m.Name
+	}
+	return ""
+}
+
+// Response message for
+// [CertificateAuthorityService.PublishCertificateRevocationList][google.cloud.security.privateca.v1alpha1.CertificateAuthorityService.PublishCertificateRevocationList].
+type PublishCertificateRevocationListResponse struct {
+	// Output only. The PEM-encoded signed certificate revocation list (CRL).
+	PemCrl               string   `protobuf:"bytes,1,opt,name=pem_crl,json=pemCrl,proto3" json:"pem_crl,omitempty"`
+	XXX_NoUnkeyedLiteral struct{} `json:"-"`
+	XXX_unrecognized     []byte   `json:"-"`
+	XXX_sizecache        int32    `json:"-"`
+}
+
+func (m *PublishCertificateRevocationListResponse) Reset() {
+	*m = PublishCertificateRevocationListResponse{}
+}
+func (m *PublishCertificateRevocationListResponse) String() string { return proto.CompactTextString(m) }
+func (*PublishCertificateRevocationListResponse) ProtoMessage()    {}
+func (*PublishCertificateRevocationListResponse) Descriptor() ([]byte, []int) {
+	return fileDescriptor_0a2d125abc43e0c9, []int{30}
+}
+
+func (m *PublishCertificateRevocationListResponse) XXX_Unmarshal(b []byte) error {
+	return xxx_messageInfo_PublishCertificateRevocationListResponse.Unmarshal(m, b)
+}
+func (m *PublishCertificateRevocationListResponse) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
+	return xxx_messageInfo_PublishCertificateRevocationListResponse.Marshal(b, m, deterministic)
+}
+func (m *PublishCertificateRevocationListResponse) XXX_Merge(src proto.Message) {
+	xxx_messageInfo_PublishCertificateRevocationListResponse.Merge(m, src)
+}
+func (m *PublishCertificateRevocationListResponse) XXX_Size() int {
+	return xxx_messageInfo_PublishCertificateRevocationListResponse.Size(m)
+}
+func (m *PublishCertificateRevocationListResponse) XXX_DiscardUnknown() {
+	xxx_messageInfo_PublishCertificateRevocationListResponse.DiscardUnknown(m)
+}
+
+var xxx_messageInfo_PublishCertificateRevocationListResponse proto.InternalMessageInfo
+
+func (m *PublishCertificateRevocationListResponse) GetPemCrl() string {
+	if m != nil {
+		return m.PemCrl
+	}
+	return ""
+}
+
+// Represents the metadata of the long-running operation.
+type OperationMetadata struct {
+	// Output only. The time the operation was created.
+	CreateTime *timestamp.Timestamp `protobuf:"bytes,1,opt,name=create_time,json=createTime,proto3" json:"create_time,omitempty"`
+	// Output only. The time the operation finished running.
+	EndTime *timestamp.Timestamp `protobuf:"bytes,2,opt,name=end_time,json=endTime,proto3" json:"end_time,omitempty"`
+	// Output only. Server-defined resource path for the target of the operation.
+	Target string `protobuf:"bytes,3,opt,name=target,proto3" json:"target,omitempty"`
+	// Output only. Name of the verb executed by the operation.
+	Verb string `protobuf:"bytes,4,opt,name=verb,proto3" json:"verb,omitempty"`
+	// Output only. Human-readable status of the operation, if any.
+	StatusMessage string `protobuf:"bytes,5,opt,name=status_message,json=statusMessage,proto3" json:"status_message,omitempty"`
+	// Output only. Identifies whether the user has requested cancellation
+	// of the operation. Operations that have successfully been cancelled
+	// have [Operation.error][] value with a [google.rpc.Status.code][google.rpc.Status.code] of 1,
+	// corresponding to `Code.CANCELLED`.
+	RequestedCancellation bool `protobuf:"varint,6,opt,name=requested_cancellation,json=requestedCancellation,proto3" json:"requested_cancellation,omitempty"`
+	// Output only. API version used to start the operation.
+	ApiVersion           string   `protobuf:"bytes,7,opt,name=api_version,json=apiVersion,proto3" json:"api_version,omitempty"`
+	XXX_NoUnkeyedLiteral struct{} `json:"-"`
+	XXX_unrecognized     []byte   `json:"-"`
+	XXX_sizecache        int32    `json:"-"`
+}
+
+func (m *OperationMetadata) Reset()         { *m = OperationMetadata{} }
+func (m *OperationMetadata) String() string { return proto.CompactTextString(m) }
+func (*OperationMetadata) ProtoMessage()    {}
+func (*OperationMetadata) Descriptor() ([]byte, []int) {
+	return fileDescriptor_0a2d125abc43e0c9, []int{31}
+}
+
+func (m *OperationMetadata) XXX_Unmarshal(b []byte) error {
+	return xxx_messageInfo_OperationMetadata.Unmarshal(m, b)
+}
+func (m *OperationMetadata) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
+	return xxx_messageInfo_OperationMetadata.Marshal(b, m, deterministic)
+}
+func (m *OperationMetadata) XXX_Merge(src proto.Message) {
+	xxx_messageInfo_OperationMetadata.Merge(m, src)
+}
+func (m *OperationMetadata) XXX_Size() int {
+	return xxx_messageInfo_OperationMetadata.Size(m)
+}
+func (m *OperationMetadata) XXX_DiscardUnknown() {
+	xxx_messageInfo_OperationMetadata.DiscardUnknown(m)
+}
+
+var xxx_messageInfo_OperationMetadata proto.InternalMessageInfo
+
+func (m *OperationMetadata) GetCreateTime() *timestamp.Timestamp {
+	if m != nil {
+		return m.CreateTime
+	}
+	return nil
+}
+
+func (m *OperationMetadata) GetEndTime() *timestamp.Timestamp {
+	if m != nil {
+		return m.EndTime
+	}
+	return nil
+}
+
+func (m *OperationMetadata) GetTarget() string {
+	if m != nil {
+		return m.Target
+	}
+	return ""
+}
+
+func (m *OperationMetadata) GetVerb() string {
+	if m != nil {
+		return m.Verb
+	}
+	return ""
+}
+
+func (m *OperationMetadata) GetStatusMessage() string {
+	if m != nil {
+		return m.StatusMessage
+	}
+	return ""
+}
+
+func (m *OperationMetadata) GetRequestedCancellation() bool {
+	if m != nil {
+		return m.RequestedCancellation
+	}
+	return false
+}
+
+func (m *OperationMetadata) GetApiVersion() string {
+	if m != nil {
+		return m.ApiVersion
+	}
+	return ""
+}
+
+func init() {
+	proto.RegisterType((*ListCertificateAuthoritiesRequest)(nil), "google.cloud.security.privateca.v1alpha1.ListCertificateAuthoritiesRequest")
+	proto.RegisterType((*ListCertificateRevocationListsRequest)(nil), "google.cloud.security.privateca.v1alpha1.ListCertificateRevocationListsRequest")
+	proto.RegisterType((*ListCertificatesRequest)(nil), "google.cloud.security.privateca.v1alpha1.ListCertificatesRequest")
+	proto.RegisterType((*ListReusableConfigsRequest)(nil), "google.cloud.security.privateca.v1alpha1.ListReusableConfigsRequest")
+	proto.RegisterType((*ListCertificateAuthoritiesResponse)(nil), "google.cloud.security.privateca.v1alpha1.ListCertificateAuthoritiesResponse")
+	proto.RegisterType((*ListCertificateRevocationListsResponse)(nil), "google.cloud.security.privateca.v1alpha1.ListCertificateRevocationListsResponse")
+	proto.RegisterType((*ListCertificatesResponse)(nil), "google.cloud.security.privateca.v1alpha1.ListCertificatesResponse")
+	proto.RegisterType((*ListReusableConfigsResponse)(nil), "google.cloud.security.privateca.v1alpha1.ListReusableConfigsResponse")
+	proto.RegisterType((*GetCertificateAuthorityRequest)(nil), "google.cloud.security.privateca.v1alpha1.GetCertificateAuthorityRequest")
+	proto.RegisterType((*GetCertificateRevocationListRequest)(nil), "google.cloud.security.privateca.v1alpha1.GetCertificateRevocationListRequest")
+	proto.RegisterType((*GetCertificateRequest)(nil), "google.cloud.security.privateca.v1alpha1.GetCertificateRequest")
+	proto.RegisterType((*GetReusableConfigRequest)(nil), "google.cloud.security.privateca.v1alpha1.GetReusableConfigRequest")
+	proto.RegisterType((*CreateCertificateAuthorityRequest)(nil), "google.cloud.security.privateca.v1alpha1.CreateCertificateAuthorityRequest")
+	proto.RegisterType((*CreateCertificateRevocationListRequest)(nil), "google.cloud.security.privateca.v1alpha1.CreateCertificateRevocationListRequest")
+	proto.RegisterType((*CreateCertificateRequest)(nil), "google.cloud.security.privateca.v1alpha1.CreateCertificateRequest")
+	proto.RegisterType((*CreateReusableConfigRequest)(nil), "google.cloud.security.privateca.v1alpha1.CreateReusableConfigRequest")
+	proto.RegisterType((*UpdateCertificateAuthorityRequest)(nil), "google.cloud.security.privateca.v1alpha1.UpdateCertificateAuthorityRequest")
+	proto.RegisterType((*UpdateCertificateRevocationListRequest)(nil), "google.cloud.security.privateca.v1alpha1.UpdateCertificateRevocationListRequest")
+	proto.RegisterType((*UpdateCertificateRequest)(nil), "google.cloud.security.privateca.v1alpha1.UpdateCertificateRequest")
+	proto.RegisterType((*UpdateReusableConfigRequest)(nil), "google.cloud.security.privateca.v1alpha1.UpdateReusableConfigRequest")
+	proto.RegisterType((*DeleteCertificateAuthorityRequest)(nil), "google.cloud.security.privateca.v1alpha1.DeleteCertificateAuthorityRequest")
+	proto.RegisterType((*GetCertificateAuthorityCsrRequest)(nil), "google.cloud.security.privateca.v1alpha1.GetCertificateAuthorityCsrRequest")
+	proto.RegisterType((*GetCertificateAuthorityCsrResponse)(nil), "google.cloud.security.privateca.v1alpha1.GetCertificateAuthorityCsrResponse")
+	proto.RegisterType((*ActivateCertificateAuthorityRequest)(nil), "google.cloud.security.privateca.v1alpha1.ActivateCertificateAuthorityRequest")
+	proto.RegisterType((*DisableCertificateAuthorityRequest)(nil), "google.cloud.security.privateca.v1alpha1.DisableCertificateAuthorityRequest")
+	proto.RegisterType((*EnableCertificateAuthorityRequest)(nil), "google.cloud.security.privateca.v1alpha1.EnableCertificateAuthorityRequest")
+	proto.RegisterType((*ScheduleDeleteCertificateAuthorityRequest)(nil), "google.cloud.security.privateca.v1alpha1.ScheduleDeleteCertificateAuthorityRequest")
+	proto.RegisterType((*RestoreCertificateAuthorityRequest)(nil), "google.cloud.security.privateca.v1alpha1.RestoreCertificateAuthorityRequest")
+	proto.RegisterType((*RevokeCertificateRequest)(nil), "google.cloud.security.privateca.v1alpha1.RevokeCertificateRequest")
+	proto.RegisterType((*PublishCertificateRevocationListRequest)(nil), "google.cloud.security.privateca.v1alpha1.PublishCertificateRevocationListRequest")
+	proto.RegisterType((*PublishCertificateRevocationListResponse)(nil), "google.cloud.security.privateca.v1alpha1.PublishCertificateRevocationListResponse")
+	proto.RegisterType((*OperationMetadata)(nil), "google.cloud.security.privateca.v1alpha1.OperationMetadata")
+}
+
+func init() {
+	proto.RegisterFile("google/cloud/security/privateca/v1alpha1/service.proto", fileDescriptor_0a2d125abc43e0c9)
+}
+
+var fileDescriptor_0a2d125abc43e0c9 = []byte{
+	// 2433 bytes of a gzipped FileDescriptorProto
+	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xdc, 0x5b, 0xdd, 0x6f, 0xdc, 0x58,
+	0xd9, 0xd7, 0xf1, 0x74, 0xd3, 0xf6, 0xc9, 0xdb, 0xb4, 0x3d, 0x6f, 0xbb, 0x9d, 0x7a, 0x4a, 0x3b,
+	0x71, 0x97, 0x36, 0x89, 0xb2, 0x33, 0x4a, 0xa0, 0x68, 0x77, 0x96, 0x85, 0x3a, 0xd3, 0xd2, 0x84,
+	0x4d, 0x36, 0xe9, 0xa4, 0x04, 0x95, 0xfd, 0x18, 0x1c, 0xcf, 0xc9, 0xc4, 0x1b, 0x8f, 0x6d, 0x6c,
+	0x4f, 0xba, 0x59, 0x96, 0x0f, 0x01, 0x5b, 0xad, 0x00, 0xa9, 0x12, 0x7b, 0xc1, 0xc7, 0x0d, 0x20,
+	0x96, 0x15, 0x02, 0x71, 0xc5, 0x1f, 0x80, 0xd0, 0x8a, 0x9b, 0x08, 0x21, 0x04, 0xe2, 0x82, 0x22,
+	0xa1, 0x0a, 0x21, 0x01, 0x5a, 0x09, 0x71, 0x81, 0x04, 0x14, 0x21, 0x21, 0xfb, 0x78, 0x66, 0x6c,
+	0xcf, 0xf1, 0xd8, 0x9e, 0x99, 0x44, 0xd1, 0x5e, 0xe6, 0x9c, 0xf3, 0x7c, 0xfd, 0x7c, 0x9e, 0xdf,
+	0x39, 0xe7, 0x79, 0x32, 0xf0, 0x81, 0xba, 0xae, 0xd7, 0x55, 0x52, 0x94, 0x55, 0xbd, 0x59, 0x2b,
+	0x5a, 0x44, 0x6e, 0x9a, 0x8a, 0xbd, 0x53, 0x34, 0x4c, 0x65, 0x5b, 0xb2, 0x89, 0x2c, 0x15, 0xb7,
+	0x67, 0x24, 0xd5, 0xd8, 0x94, 0x66, 0x8a, 0x16, 0x31, 0xb7, 0x15, 0x99, 0x14, 0x0c, 0x53, 0xb7,
+	0x75, 0x3c, 0x41, 0xe5, 0x0a, 0xae, 0x5c, 0xa1, 0x25, 0x57, 0x68, 0xcb, 0x15, 0x5a, 0x72, 0xfc,
+	0x39, 0xcf, 0x82, 0x64, 0x28, 0x45, 0x49, 0xd3, 0x74, 0x5b, 0xb2, 0x15, 0x5d, 0xb3, 0xa8, 0x1e,
+	0xfe, 0x8c, 0x6f, 0x56, 0x56, 0x15, 0xa2, 0xd9, 0xde, 0xc4, 0x05, 0xdf, 0xc4, 0x86, 0x42, 0xd4,
+	0x5a, 0x75, 0x9d, 0x6c, 0x4a, 0xdb, 0x8a, 0x6e, 0x7a, 0x0b, 0xce, 0xfa, 0x16, 0x98, 0xc4, 0xd2,
+	0x9b, 0x66, 0xcb, 0x39, 0xfe, 0x89, 0xc4, 0x41, 0xb5, 0x04, 0x5b, 0xee, 0x5c, 0xf4, 0x24, 0x55,
+	0x5d, 0xab, 0x9b, 0x4d, 0x4d, 0x53, 0xb4, 0x7a, 0x51, 0x37, 0x88, 0x19, 0xf0, 0x39, 0xef, 0x2d,
+	0x72, 0xff, 0x5a, 0x6f, 0x6e, 0x78, 0xfe, 0x35, 0x24, 0x6b, 0x2b, 0xe4, 0x7c, 0x7b, 0x85, 0xad,
+	0x34, 0x88, 0x65, 0x4b, 0x0d, 0x83, 0x2e, 0x10, 0xfe, 0x8a, 0x60, 0x7c, 0x51, 0xb1, 0xec, 0x32,
+	0x31, 0x6d, 0x65, 0x43, 0x91, 0x25, 0x9b, 0x88, 0x4d, 0x7b, 0x53, 0x37, 0x15, 0x5b, 0x21, 0x56,
+	0x85, 0x7c, 0xaa, 0x49, 0x2c, 0x1b, 0x8b, 0x30, 0x62, 0x48, 0x26, 0xd1, 0xec, 0x2c, 0xca, 0xa3,
+	0x89, 0xa3, 0x73, 0x93, 0x0f, 0x44, 0xee, 0xa1, 0x78, 0x11, 0xc6, 0x55, 0x5d, 0xf6, 0x3c, 0xa2,
+	0x86, 0x24, 0x43, 0xb1, 0x0a, 0xb2, 0xde, 0x28, 0x2e, 0x7a, 0x13, 0x15, 0x4f, 0x10, 0xe7, 0xe1,
+	0xa8, 0x21, 0xd5, 0x49, 0xd5, 0x52, 0x5e, 0x21, 0x59, 0x2e, 0x8f, 0x26, 0x1e, 0x99, 0xcb, 0x3c,
+	0x10, 0x51, 0xe5, 0x88, 0x33, 0xba, 0xaa, 0xbc, 0x42, 0xb0, 0x00, 0xe0, 0xae, 0xb0, 0xf5, 0x2d,
+	0xa2, 0x65, 0x33, 0xae, 0x21, 0x77, 0x89, 0x2b, 0x78, 0xcb, 0x19, 0xc5, 0x39, 0x18, 0xd9, 0x50,
+	0x54, 0x9b, 0x98, 0xd9, 0x43, 0x9d, 0x79, 0x6f, 0x08, 0x9f, 0x87, 0x23, 0xba, 0x59, 0x23, 0x66,
+	0x75, 0x7d, 0x27, 0xfb, 0x48, 0x67, 0xfa, 0xb0, 0x3b, 0x38, 0xb7, 0x23, 0xfc, 0x1b, 0xc1, 0x7b,
+	0x43, 0xb1, 0x56, 0xc8, 0xb6, 0xe7, 0xa8, 0x33, 0xd1, 0x8e, 0x77, 0x29, 0x14, 0xef, 0x15, 0x37,
+	0xde, 0x22, 0x3c, 0xde, 0xd9, 0x56, 0xa1, 0x78, 0x19, 0xf8, 0xed, 0x1c, 0xa4, 0xd8, 0xdf, 0x41,
+	0x70, 0x26, 0x14, 0xfb, 0xbb, 0x38, 0xda, 0x3f, 0x22, 0xe0, 0x9d, 0x68, 0x2b, 0xa4, 0x69, 0x49,
+	0xeb, 0x2a, 0x29, 0xeb, 0xda, 0x86, 0x52, 0x7f, 0x97, 0x6d, 0xe7, 0x3f, 0x23, 0x10, 0x7a, 0xa5,
+	0xae, 0x65, 0xe8, 0x9a, 0x45, 0xf0, 0x1d, 0x38, 0x23, 0x77, 0x56, 0x54, 0xa5, 0xce, 0x92, 0x2c,
+	0xca, 0x67, 0x26, 0x46, 0x67, 0x3f, 0x54, 0x48, 0x4a, 0xa1, 0x05, 0xe6, 0x77, 0x7f, 0x54, 0x66,
+	0x3a, 0x80, 0x2f, 0xc1, 0x71, 0x8d, 0xbc, 0x6c, 0x57, 0x7d, 0x28, 0x38, 0x40, 0x1d, 0xad, 0x1c,
+	0x73, 0x86, 0x57, 0xda, 0x20, 0xe4, 0x61, 0xb4, 0xa9, 0x99, 0x44, 0x92, 0x37, 0x9d, 0x4f, 0x95,
+	0xcd, 0xe4, 0x33, 0x13, 0x47, 0x2b, 0xfe, 0x21, 0xe1, 0x21, 0x82, 0x4b, 0x71, 0x89, 0xeb, 0x45,
+	0xfb, 0x1a, 0x82, 0x73, 0xfe, 0x70, 0xcd, 0xf6, 0xba, 0xaa, 0xea, 0x2c, 0xf4, 0x62, 0x2e, 0xf7,
+	0x15, 0x73, 0xd0, 0x68, 0x85, 0x97, 0x23, 0xfd, 0x19, 0x62, 0xf0, 0x3f, 0x45, 0x90, 0xed, 0xce,
+	0x5c, 0x2f, 0xdc, 0xdb, 0xf0, 0x7f, 0x3e, 0x27, 0x5a, 0xd1, 0x5d, 0xe9, 0x2f, 0xba, 0x80, 0xaa,
+	0x21, 0x46, 0xf0, 0x0b, 0x04, 0x39, 0x66, 0x36, 0x7a, 0x41, 0xc8, 0x70, 0xc2, 0xf4, 0xa6, 0xaa,
+	0x32, 0x9d, 0xf3, 0x02, 0x79, 0x22, 0x79, 0x20, 0x41, 0xe5, 0x95, 0xe3, 0x66, 0xd0, 0xd8, 0x10,
+	0xc3, 0xd9, 0x82, 0xf3, 0x37, 0x88, 0xcd, 0x4c, 0x05, 0x8f, 0x5f, 0x16, 0xe0, 0x90, 0x26, 0x35,
+	0xc8, 0x60, 0x74, 0xea, 0xaa, 0x10, 0x9a, 0x70, 0x31, 0x68, 0x2c, 0xb4, 0x07, 0x3d, 0x8b, 0xcf,
+	0x06, 0x2c, 0x96, 0x5c, 0x8b, 0xef, 0x87, 0xd9, 0x24, 0x16, 0x43, 0x0a, 0xa9, 0xd9, 0xdb, 0x70,
+	0x3a, 0x6c, 0x96, 0x1a, 0xba, 0x1a, 0x30, 0x34, 0xed, 0x1a, 0xba, 0x04, 0x8f, 0x25, 0x32, 0x44,
+	0x55, 0x57, 0x21, 0x7b, 0x83, 0x84, 0xf6, 0x42, 0x4b, 0x7b, 0x39, 0xa0, 0xbd, 0xe8, 0x6a, 0x9f,
+	0x84, 0xcb, 0x91, 0xda, 0x43, 0x5a, 0xa8, 0x81, 0xb7, 0x39, 0x18, 0x2f, 0x9b, 0x44, 0xb2, 0x49,
+	0xaf, 0x6f, 0x34, 0x84, 0x33, 0xe0, 0x69, 0xc8, 0xb2, 0x98, 0x75, 0xa7, 0xaa, 0xd4, 0xe8, 0xde,
+	0x72, 0x08, 0x9b, 0x63, 0xf2, 0xe3, 0xce, 0x42, 0x0d, 0xbf, 0x0c, 0xa7, 0x99, 0xe2, 0xee, 0x59,
+	0x31, 0x30, 0x2d, 0x53, 0xdb, 0xa7, 0x58, 0xb6, 0x9d, 0xa3, 0xc9, 0xa4, 0x30, 0x38, 0xae, 0xfa,
+	0x8e, 0x9e, 0xa3, 0xde, 0xf0, 0x42, 0x4d, 0xf8, 0x3b, 0x07, 0x97, 0xba, 0x50, 0x64, 0x6f, 0xbe,
+	0x21, 0xdf, 0x1f, 0xe6, 0xe1, 0x7c, 0x0f, 0x06, 0x0f, 0x81, 0x9b, 0x8b, 0xe4, 0xe0, 0x85, 0x1a,
+	0x7e, 0x1d, 0x41, 0xae, 0x87, 0x2a, 0x0f, 0xe8, 0x61, 0x9c, 0x05, 0xd4, 0x99, 0xb3, 0x91, 0xce,
+	0x24, 0x82, 0xfc, 0xeb, 0x1c, 0x64, 0x19, 0x90, 0xef, 0x09, 0xc8, 0x53, 0x30, 0xe6, 0x47, 0x26,
+	0x08, 0xea, 0x31, 0xdf, 0xd4, 0x42, 0x0d, 0x3f, 0x0f, 0xa3, 0xbe, 0x01, 0x0f, 0xb5, 0xfe, 0xce,
+	0x18, 0xaa, 0xdf, 0xaf, 0x2e, 0x11, 0x32, 0xdf, 0xe6, 0x20, 0x47, 0x91, 0x61, 0xf3, 0xc6, 0x10,
+	0x92, 0x79, 0x06, 0x70, 0xe8, 0x10, 0x0a, 0x81, 0x72, 0x22, 0x78, 0xa2, 0x2c, 0xd4, 0xf0, 0x06,
+	0x1c, 0x0f, 0x89, 0x78, 0xd8, 0xf4, 0x7d, 0x6c, 0x51, 0x4b, 0x63, 0x41, 0x4b, 0x89, 0x10, 0xfa,
+	0x22, 0x07, 0xe3, 0x1f, 0x33, 0x6a, 0x31, 0xa4, 0x17, 0x49, 0x39, 0x68, 0xaf, 0x29, 0xe7, 0x2a,
+	0x8c, 0x36, 0x5d, 0xf7, 0xdc, 0xd7, 0xa9, 0x8b, 0xeb, 0xe8, 0x2c, 0xdf, 0xb2, 0xd7, 0x7a, 0x9e,
+	0x16, 0x3e, 0xe2, 0x3c, 0x60, 0x97, 0x24, 0x6b, 0x8b, 0xea, 0x02, 0x2a, 0xe3, 0x0c, 0x84, 0x50,
+	0xc8, 0x30, 0x51, 0xf8, 0x26, 0x07, 0x97, 0xba, 0x50, 0x60, 0x93, 0x56, 0x1c, 0x37, 0xa0, 0xfd,
+	0xe3, 0x86, 0xfd, 0xc1, 0xe6, 0x0f, 0x08, 0xb2, 0x0c, 0x6c, 0x28, 0x1a, 0xa1, 0x14, 0x47, 0xc3,
+	0x4d, 0xf1, 0xfd, 0x09, 0xf0, 0x1d, 0x04, 0x39, 0x1a, 0x20, 0x9b, 0x24, 0x18, 0xe9, 0x8a, 0xf6,
+	0x22, 0x5d, 0xf7, 0x27, 0xda, 0xaf, 0x21, 0x18, 0xbf, 0x46, 0x54, 0xd2, 0x3b, 0xe1, 0x87, 0x77,
+	0x13, 0x0d, 0x39, 0xc5, 0x31, 0x9d, 0xd2, 0x60, 0x3c, 0xe2, 0x6a, 0x5c, 0xb6, 0xcc, 0x3d, 0xb8,
+	0x1d, 0xcf, 0x81, 0xd0, 0xcb, 0x9e, 0xf7, 0xbe, 0x38, 0x07, 0x87, 0x0d, 0xd2, 0xa8, 0xca, 0x96,
+	0xe9, 0xd9, 0xcc, 0x3c, 0x10, 0x33, 0x95, 0x11, 0x83, 0x34, 0xca, 0x96, 0x29, 0xbc, 0xc6, 0xc1,
+	0x45, 0x51, 0xb6, 0x5d, 0xe3, 0xfb, 0x04, 0xe5, 0x0c, 0x60, 0xd7, 0x21, 0xa9, 0xea, 0x4f, 0x3a,
+	0xff, 0x59, 0xe3, 0xf8, 0x26, 0xf9, 0x34, 0xe0, 0x0f, 0x42, 0xb6, 0x5b, 0xa4, 0x2a, 0x6f, 0x4a,
+	0x8a, 0x46, 0xdf, 0x28, 0x54, 0xf0, 0x74, 0x58, 0xb0, 0xec, 0xac, 0x48, 0x74, 0x82, 0xbc, 0x81,
+	0x40, 0xb8, 0xa6, 0xd0, 0x8d, 0x7c, 0x70, 0x76, 0x94, 0xb3, 0xcd, 0xaf, 0x6b, 0x07, 0xcc, 0xa9,
+	0x6f, 0x21, 0x98, 0x5c, 0x95, 0x37, 0x49, 0xad, 0xa9, 0x92, 0x03, 0x97, 0x83, 0xce, 0x77, 0xac,
+	0x10, 0xcb, 0xd6, 0xcd, 0x83, 0xe4, 0xd5, 0xef, 0x10, 0x64, 0x9d, 0x63, 0x6f, 0x8b, 0xec, 0xc5,
+	0xa3, 0x12, 0x7f, 0x1c, 0x46, 0x4c, 0x22, 0x59, 0x3a, 0x7d, 0xd4, 0x8f, 0xcd, 0x96, 0xd2, 0x50,
+	0x7a, 0xeb, 0x30, 0xae, 0xb8, 0x1a, 0x68, 0x22, 0x79, 0xea, 0x12, 0x51, 0xb1, 0x0d, 0x97, 0x57,
+	0x9a, 0xeb, 0xaa, 0x62, 0x6d, 0xc6, 0xde, 0x3a, 0x86, 0xc8, 0x7d, 0xf3, 0x30, 0x11, 0x6f, 0x35,
+	0xc4, 0x80, 0xa6, 0xda, 0xc5, 0x80, 0xa6, 0x2a, 0xfc, 0x96, 0x83, 0x93, 0xcb, 0xad, 0xde, 0xc2,
+	0x12, 0xb1, 0xa5, 0x9a, 0x64, 0x4b, 0xce, 0x31, 0x26, 0xbb, 0x57, 0xee, 0xaa, 0xad, 0x34, 0x5a,
+	0x57, 0x82, 0xee, 0x63, 0xec, 0x56, 0xab, 0xa1, 0x40, 0x75, 0x02, 0x95, 0x71, 0x46, 0x71, 0x09,
+	0x8e, 0x10, 0xad, 0x46, 0xc5, 0xb9, 0x64, 0xe2, 0x87, 0x89, 0x56, 0x73, 0x65, 0x73, 0x30, 0x62,
+	0x4b, 0x66, 0x9d, 0xd8, 0x1d, 0xcc, 0x33, 0x15, 0x6f, 0x08, 0x9f, 0x81, 0x43, 0xdb, 0xc4, 0x5c,
+	0xef, 0x10, 0x59, 0xa6, 0xe2, 0x0e, 0x38, 0xaf, 0x1a, 0xcb, 0x96, 0xec, 0xa6, 0x55, 0x6d, 0x10,
+	0xcb, 0x92, 0xea, 0xa4, 0x53, 0x38, 0xcd, 0x54, 0x8e, 0xd1, 0xa9, 0x25, 0x3a, 0x83, 0x4b, 0xf0,
+	0xa8, 0xf7, 0x09, 0x49, 0xad, 0x2a, 0x4b, 0x9a, 0x4c, 0x54, 0xd5, 0x45, 0x20, 0x3b, 0x92, 0x47,
+	0x13, 0x47, 0xa8, 0xcc, 0xe9, 0xf6, 0x92, 0xb2, 0x6f, 0x05, 0x7e, 0x0c, 0x46, 0x25, 0x43, 0xa9,
+	0x6e, 0x13, 0xd3, 0x72, 0x04, 0x0e, 0x77, 0x8c, 0x80, 0x64, 0x28, 0x6b, 0x74, 0x78, 0xf6, 0xee,
+	0x93, 0x90, 0x63, 0x7d, 0xc0, 0x55, 0xda, 0xc0, 0xc2, 0x5f, 0xe6, 0x68, 0x95, 0x9a, 0x5d, 0xc0,
+	0xc5, 0xcf, 0x24, 0xdf, 0xc3, 0xb1, 0x1d, 0x1c, 0x7e, 0x71, 0x38, 0xca, 0xe8, 0x7e, 0x12, 0x6e,
+	0xde, 0x17, 0xbd, 0x77, 0xd3, 0x17, 0x7e, 0xf3, 0xa7, 0x37, 0xb8, 0x39, 0x7c, 0xb5, 0xd3, 0xc9,
+	0xfa, 0x34, 0x9d, 0x78, 0xda, 0x30, 0xf5, 0x97, 0x88, 0x6c, 0x5b, 0xc5, 0xa9, 0x62, 0xfb, 0x15,
+	0x56, 0x9c, 0xfa, 0x4c, 0x31, 0xa2, 0x5a, 0xfc, 0x13, 0x0e, 0xce, 0xf7, 0xae, 0xf1, 0xe2, 0xe5,
+	0xbe, 0x63, 0x60, 0xb7, 0x79, 0xf8, 0x95, 0xe1, 0x29, 0xf4, 0x80, 0xd1, 0x82, 0xc0, 0x54, 0xf1,
+	0x0b, 0x49, 0x81, 0x89, 0xc0, 0x25, 0x84, 0x58, 0x18, 0x92, 0xff, 0x20, 0x38, 0x11, 0x2e, 0x0e,
+	0x63, 0xb1, 0xef, 0xb0, 0xda, 0xc8, 0xcc, 0x0d, 0xa2, 0xc2, 0xc3, 0xe2, 0x93, 0x41, 0x2c, 0x6e,
+	0xe2, 0xe5, 0xe1, 0x62, 0x61, 0xe1, 0xbf, 0x21, 0xf8, 0x7f, 0x46, 0x61, 0x19, 0x5f, 0x4b, 0xe7,
+	0x3d, 0xbb, 0x4b, 0xc4, 0x5f, 0x1f, 0x50, 0x8b, 0x07, 0xc3, 0x47, 0x83, 0x30, 0x3c, 0x85, 0x9f,
+	0x4c, 0x9e, 0x2b, 0xe1, 0x22, 0xf6, 0x3f, 0x10, 0x9c, 0x89, 0xb8, 0xf0, 0xe2, 0xf9, 0xe4, 0xee,
+	0xf6, 0x2e, 0x5f, 0xf3, 0x03, 0x96, 0x01, 0x84, 0xe5, 0xfb, 0xa2, 0x7b, 0x44, 0x31, 0xb8, 0xc1,
+	0x19, 0x4e, 0xfd, 0xd1, 0xf1, 0x77, 0x38, 0x38, 0xd7, 0xab, 0x0a, 0x8e, 0x97, 0xfa, 0x8d, 0x9d,
+	0x79, 0x4a, 0xf3, 0xc3, 0x78, 0xf5, 0x0b, 0xaa, 0x1f, 0x85, 0x20, 0x11, 0xf4, 0x83, 0x42, 0x0f,
+	0x16, 0x70, 0x20, 0xfa, 0x0b, 0x82, 0xb1, 0x60, 0x68, 0xf8, 0xc3, 0xfd, 0x83, 0x42, 0x61, 0xe8,
+	0xef, 0xfd, 0x2f, 0xbc, 0xe8, 0x0f, 0x3c, 0x98, 0xf5, 0x83, 0x06, 0xee, 0x86, 0xfa, 0x7b, 0x04,
+	0x27, 0xbb, 0x3a, 0x08, 0x78, 0x2e, 0x55, 0xb4, 0xcc, 0x0a, 0x01, 0xdf, 0x77, 0x21, 0x40, 0x98,
+	0xf7, 0xc7, 0x1c, 0x4c, 0xf1, 0x5e, 0x31, 0x87, 0xf2, 0xdb, 0x89, 0xee, 0x97, 0x1c, 0xf0, 0xd1,
+	0xdd, 0x8b, 0x34, 0x97, 0x82, 0xd8, 0x1e, 0x08, 0xff, 0x9e, 0x96, 0x32, 0xdf, 0x7f, 0x99, 0x14,
+	0xda, 0x37, 0x41, 0xe1, 0x6d, 0xb4, 0x2b, 0x4e, 0xc2, 0x29, 0xa6, 0x1f, 0xdd, 0x17, 0xc6, 0xfb,
+	0xe2, 0x15, 0xca, 0x66, 0xd3, 0xcc, 0x12, 0xe3, 0x74, 0x54, 0xab, 0xc4, 0x85, 0xec, 0xb6, 0x30,
+	0xf0, 0x0d, 0xa2, 0xc4, 0x2e, 0x6d, 0xe2, 0xaf, 0x66, 0xe0, 0x42, 0x4c, 0x23, 0x03, 0xaf, 0x0c,
+	0x80, 0x2a, 0x9b, 0x42, 0x62, 0xa0, 0xfd, 0x27, 0xda, 0x15, 0x0b, 0x70, 0x36, 0xda, 0x23, 0x16,
+	0xbe, 0x22, 0x03, 0xdf, 0x50, 0xd9, 0x72, 0xba, 0x77, 0xe7, 0xc4, 0xc5, 0xfa, 0x55, 0x61, 0x6f,
+	0x2f, 0x25, 0xa5, 0x5e, 0x75, 0x55, 0xfc, 0x26, 0x07, 0x27, 0xbb, 0x30, 0x4c, 0x93, 0xbd, 0x51,
+	0x1d, 0x92, 0x38, 0xc8, 0x7f, 0x84, 0x76, 0xc5, 0x3c, 0x8c, 0xfa, 0xad, 0xb2, 0x40, 0x1e, 0xef,
+	0x06, 0x79, 0x3a, 0xd8, 0x29, 0x71, 0x41, 0x7c, 0x51, 0x18, 0xf6, 0x6d, 0xa6, 0x14, 0x28, 0x99,
+	0x7e, 0x8f, 0x83, 0x53, 0xac, 0x8e, 0x07, 0xbe, 0x9e, 0x16, 0x29, 0x36, 0xd5, 0xc5, 0x80, 0xf5,
+	0x26, 0xda, 0x15, 0x2f, 0xc2, 0x58, 0xc8, 0x36, 0x0b, 0xaf, 0x49, 0x0f, 0xaf, 0x50, 0x69, 0x75,
+	0xba, 0xbb, 0x99, 0xe2, 0xe2, 0xb6, 0x28, 0xf4, 0x7f, 0xfd, 0x29, 0x85, 0xeb, 0xb7, 0xf8, 0x57,
+	0x1c, 0xf0, 0xd1, 0x5d, 0x8f, 0x34, 0x64, 0x19, 0xdb, 0x3b, 0x89, 0x43, 0xec, 0xe7, 0x29, 0xc9,
+	0x72, 0x9c, 0xcd, 0x92, 0xbe, 0xca, 0xb1, 0x8b, 0x97, 0x3e, 0xbb, 0xe6, 0xc3, 0x8b, 0x29, 0x53,
+	0xe8, 0xeb, 0x52, 0x15, 0x45, 0x97, 0xf7, 0x32, 0x70, 0x21, 0xa6, 0x85, 0x92, 0x86, 0x2e, 0x93,
+	0x75, 0x63, 0xe2, 0xc0, 0x7d, 0xd8, 0x0f, 0x5d, 0x5e, 0xee, 0xc5, 0x93, 0x61, 0x9c, 0xbf, 0x81,
+	0x66, 0x77, 0x22, 0x80, 0x0e, 0x89, 0x16, 0x86, 0x7f, 0x7b, 0xeb, 0xcd, 0x98, 0x6f, 0x71, 0x70,
+	0xb2, 0x0b, 0xc6, 0x34, 0x8c, 0x19, 0xd5, 0xf5, 0x89, 0x43, 0xfd, 0xc7, 0xc9, 0x18, 0xd3, 0xff,
+	0xef, 0x65, 0x5d, 0xb8, 0xbe, 0x34, 0xfb, 0x1c, 0x1b, 0xd6, 0xc2, 0x30, 0xee, 0x82, 0x41, 0xce,
+	0xfc, 0x3e, 0x07, 0xa7, 0x58, 0x0d, 0xa0, 0x34, 0x9c, 0xd9, 0xa3, 0x81, 0x14, 0x07, 0xd7, 0x5b,
+	0x89, 0x39, 0x33, 0x17, 0x26, 0xcb, 0x30, 0x6a, 0xcf, 0xcf, 0x2e, 0xf8, 0x50, 0x0b, 0xad, 0x2e,
+	0xa4, 0xbb, 0x51, 0x76, 0xb3, 0xe6, 0x5d, 0x0e, 0xf8, 0xe8, 0xb2, 0x75, 0x1a, 0xd6, 0x8c, 0x2d,
+	0x7e, 0xc7, 0x61, 0xf6, 0xea, 0xae, 0x38, 0x05, 0xa7, 0xc3, 0x45, 0xc1, 0xeb, 0x0d, 0x23, 0x82,
+	0x35, 0x7d, 0xef, 0xca, 0xa9, 0xc1, 0xdf, 0x95, 0xf7, 0x38, 0xe0, 0xa3, 0xfb, 0x47, 0x69, 0x80,
+	0x88, 0xed, 0x7a, 0xa5, 0x29, 0xc0, 0xc5, 0xb7, 0xb4, 0x84, 0x35, 0x3f, 0x14, 0x0b, 0xf8, 0xc6,
+	0xa0, 0x50, 0x94, 0xea, 0xc4, 0x76, 0x42, 0xbe, 0xc7, 0xc1, 0xb9, 0x5e, 0xcd, 0xb0, 0x34, 0x2f,
+	0xed, 0x04, 0x4d, 0xb5, 0xb8, 0xed, 0xf1, 0xf9, 0x54, 0x87, 0xaa, 0x0b, 0xc6, 0xb3, 0xc2, 0xc2,
+	0xc0, 0x60, 0x48, 0x9e, 0xe7, 0x25, 0x34, 0x85, 0xbf, 0xc2, 0x41, 0xae, 0x47, 0x5b, 0x0c, 0xa7,
+	0xf8, 0xae, 0xf1, 0xdd, 0xb5, 0x38, 0x3c, 0x3e, 0x97, 0x1a, 0x8e, 0x25, 0x61, 0x7e, 0x60, 0x38,
+	0x6a, 0xd4, 0x6f, 0x07, 0x8d, 0xd7, 0x39, 0xe0, 0xa3, 0xdb, 0x71, 0x69, 0x32, 0x26, 0xb6, 0xa9,
+	0x17, 0x87, 0xc5, 0x67, 0x53, 0x63, 0xb1, 0x28, 0x0c, 0x9e, 0x27, 0x44, 0x6b, 0x41, 0xf1, 0x5d,
+	0x0e, 0x84, 0xf8, 0x26, 0x20, 0x5e, 0x4d, 0x0e, 0x49, 0xe2, 0x96, 0x62, 0x1c, 0x34, 0x77, 0xd3,
+	0xa7, 0xcd, 0x2d, 0x61, 0x79, 0x60, 0x6c, 0xac, 0x80, 0xff, 0xad, 0xe4, 0xe9, 0xd1, 0x8b, 0x4c,
+	0x93, 0x3c, 0xf1, 0x2d, 0xcd, 0x83, 0x99, 0x3c, 0x26, 0xf5, 0xdb, 0x41, 0xe3, 0xbf, 0x08, 0x4e,
+	0x76, 0xf5, 0x40, 0xd3, 0x5c, 0xe4, 0xa2, 0x1a, 0xa8, 0x71, 0x91, 0x7f, 0x29, 0xc9, 0x45, 0xce,
+	0x8d, 0xf8, 0x39, 0x61, 0x6d, 0xc8, 0xe5, 0xba, 0x92, 0xe9, 0x3a, 0xed, 0xc4, 0xff, 0x03, 0x0e,
+	0xf2, 0x71, 0x2d, 0x4b, 0x7c, 0x33, 0x39, 0x1c, 0x09, 0x9b, 0xae, 0x7c, 0x65, 0x98, 0x2a, 0xbd,
+	0x03, 0xf8, 0x05, 0xff, 0x01, 0xbc, 0x22, 0x3c, 0x33, 0xf0, 0x3e, 0x31, 0x3c, 0xcb, 0xa6, 0x5a,
+	0x42, 0x53, 0xfc, 0xe2, 0xae, 0x98, 0x8d, 0x6a, 0x0a, 0xff, 0x5a, 0x2c, 0x6c, 0xda, 0xb6, 0x61,
+	0x95, 0x8a, 0xc5, 0x3b, 0x77, 0xee, 0x84, 0x3b, 0xc6, 0xce, 0x4b, 0x8e, 0xfe, 0xde, 0xec, 0x71,
+	0x43, 0x95, 0xec, 0x0d, 0xdd, 0x6c, 0xcc, 0xfd, 0x0c, 0xc1, 0xb4, 0xac, 0x37, 0x12, 0xc3, 0x30,
+	0x37, 0xb6, 0x42, 0xc7, 0xca, 0xd2, 0x8a, 0x73, 0x27, 0x5b, 0x41, 0x9f, 0xb8, 0xe9, 0xc9, 0xd6,
+	0x75, 0x55, 0xd2, 0xea, 0x05, 0xdd, 0xac, 0x17, 0xeb, 0x44, 0x73, 0x6f, 0x6c, 0xc5, 0x8e, 0x07,
+	0xf1, 0x3f, 0x74, 0x7b, 0xaa, 0x3d, 0xf4, 0x2f, 0x84, 0x7e, 0xc8, 0x4d, 0xdc, 0xa0, 0x6a, 0xcb,
+	0xae, 0x4b, 0xab, 0x2d, 0x97, 0x5a, 0xe6, 0xc5, 0xc2, 0xda, 0x8c, 0xe8, 0xca, 0xad, 0x8f, 0xb8,
+	0xb6, 0xde, 0xf7, 0xbf, 0x00, 0x00, 0x00, 0xff, 0xff, 0xdd, 0x3d, 0x47, 0xe8, 0x28, 0x38, 0x00,
+	0x00,
+}
+
+// Reference imports to suppress errors if they are not otherwise used.
+var _ context.Context
+var _ grpc.ClientConnInterface
+
+// This is a compile-time assertion to ensure that this generated file
+// is compatible with the grpc package it is being compiled against.
+const _ = grpc.SupportPackageIsVersion6
+
+// CertificateAuthorityServiceClient is the client API for CertificateAuthorityService service.
+//
+// For semantics around ctx use and closing/ending streaming RPCs, please refer to https://godoc.org/google.golang.org/grpc#ClientConn.NewStream.
+type CertificateAuthorityServiceClient interface {
+	// Lists [CertificateAuthorities][google.cloud.security.privateca.v1alpha1.CertificateAuthority].
+	ListCertificateAuthorities(ctx context.Context, in *ListCertificateAuthoritiesRequest, opts ...grpc.CallOption) (*ListCertificateAuthoritiesResponse, error)
+	// Lists [CertificateRevocationLists][google.cloud.security.privateca.v1alpha1.CertificateRevocationList].
+	ListCertificateRevocationLists(ctx context.Context, in *ListCertificateRevocationListsRequest, opts ...grpc.CallOption) (*ListCertificateRevocationListsResponse, error)
+	// Lists [Certificates][google.cloud.security.privateca.v1alpha1.Certificate].
+	ListCertificates(ctx context.Context, in *ListCertificatesRequest, opts ...grpc.CallOption) (*ListCertificatesResponse, error)
+	// Lists [ReusableConfigs][google.cloud.security.privateca.v1alpha1.ReusableConfig].
+	ListReusableConfigs(ctx context.Context, in *ListReusableConfigsRequest, opts ...grpc.CallOption) (*ListReusableConfigsResponse, error)
+	// Returns a [CertificateAuthority][google.cloud.security.privateca.v1alpha1.CertificateAuthority].
+	GetCertificateAuthority(ctx context.Context, in *GetCertificateAuthorityRequest, opts ...grpc.CallOption) (*CertificateAuthority, error)
+	// Returns a [CertificateRevocationList][google.cloud.security.privateca.v1alpha1.CertificateRevocationList].
+	GetCertificateRevocationList(ctx context.Context, in *GetCertificateRevocationListRequest, opts ...grpc.CallOption) (*CertificateRevocationList, error)
+	// Returns a [Certificate][google.cloud.security.privateca.v1alpha1.Certificate].
+	GetCertificate(ctx context.Context, in *GetCertificateRequest, opts ...grpc.CallOption) (*Certificate, error)
+	// Returns a [ReusableConfig][google.cloud.security.privateca.v1alpha1.ReusableConfig].
+	GetReusableConfig(ctx context.Context, in *GetReusableConfigRequest, opts ...grpc.CallOption) (*ReusableConfig, error)
+	// Create a new [CertificateAuthority][google.cloud.security.privateca.v1alpha1.CertificateAuthority] in a given Project and Location.
+	CreateCertificateAuthority(ctx context.Context, in *CreateCertificateAuthorityRequest, opts ...grpc.CallOption) (*longrunning.Operation, error)
+	// Create a new [CertificateRevocationList][google.cloud.security.privateca.v1alpha1.CertificateRevocationList] in a given Project, Location
+	// for a particular [CertificateAuthority][google.cloud.security.privateca.v1alpha1.CertificateAuthority].
+	CreateCertificateRevocationList(ctx context.Context, in *CreateCertificateRevocationListRequest, opts ...grpc.CallOption) (*longrunning.Operation, error)
+	// Create a new [Certificate][google.cloud.security.privateca.v1alpha1.Certificate] in a given Project, Location from a particular
+	// [CertificateAuthority][google.cloud.security.privateca.v1alpha1.CertificateAuthority].
+	CreateCertificate(ctx context.Context, in *CreateCertificateRequest, opts ...grpc.CallOption) (*longrunning.Operation, error)
+	// Create a new [ReusableConfig][google.cloud.security.privateca.v1alpha1.ReusableConfig] in a given Project and Location.
+	CreateReusableConfig(ctx context.Context, in *CreateReusableConfigRequest, opts ...grpc.CallOption) (*longrunning.Operation, error)
+	// Update a [CertificateAuthority][google.cloud.security.privateca.v1alpha1.CertificateAuthority].
+	UpdateCertificateAuthority(ctx context.Context, in *UpdateCertificateAuthorityRequest, opts ...grpc.CallOption) (*longrunning.Operation, error)
+	// Update a [CertificateRevocationList][google.cloud.security.privateca.v1alpha1.CertificateRevocationList].
+	UpdateCertificateRevocationList(ctx context.Context, in *UpdateCertificateRevocationListRequest, opts ...grpc.CallOption) (*longrunning.Operation, error)
+	// Update a [Certificate][google.cloud.security.privateca.v1alpha1.Certificate].
+	UpdateCertificate(ctx context.Context, in *UpdateCertificateRequest, opts ...grpc.CallOption) (*longrunning.Operation, error)
+	// Update a [ReusableConfig][google.cloud.security.privateca.v1alpha1.ReusableConfig].
+	UpdateReusableConfig(ctx context.Context, in *UpdateReusableConfigRequest, opts ...grpc.CallOption) (*longrunning.Operation, error)
+	// Deletes a specific [CertificateAuthority][google.cloud.security.privateca.v1alpha1.CertificateAuthority]. Once deleted, the
+	// [CertificateAuthority][google.cloud.security.privateca.v1alpha1.CertificateAuthority] will no longer issue [Certificates][google.cloud.security.privateca.v1alpha1.Certificate]
+	// and [CertificateRevocationLists][google.cloud.security.privateca.v1alpha1.CertificateRevocationList].
+	DeleteCertificateAuthority(ctx context.Context, in *DeleteCertificateAuthorityRequest, opts ...grpc.CallOption) (*longrunning.Operation, error)
+	// Get the CSR for a pending [CertificateAuthority][google.cloud.security.privateca.v1alpha1.CertificateAuthority].
+	GetCertificateAuthorityCsr(ctx context.Context, in *GetCertificateAuthorityCsrRequest, opts ...grpc.CallOption) (*GetCertificateAuthorityCsrResponse, error)
+	// Activate a pending [CertificateAuthority][google.cloud.security.privateca.v1alpha1.CertificateAuthority].
+	ActivateCertificateAuthority(ctx context.Context, in *ActivateCertificateAuthorityRequest, opts ...grpc.CallOption) (*longrunning.Operation, error)
+	// Disable a [CertificateAuthority][google.cloud.security.privateca.v1alpha1.CertificateAuthority].
+	DisableCertificateAuthority(ctx context.Context, in *DisableCertificateAuthorityRequest, opts ...grpc.CallOption) (*longrunning.Operation, error)
+	// Enable a [CertificateAuthority][google.cloud.security.privateca.v1alpha1.CertificateAuthority].
+	EnableCertificateAuthority(ctx context.Context, in *EnableCertificateAuthorityRequest, opts ...grpc.CallOption) (*longrunning.Operation, error)
+	// Schedule a [CertificateAuthority][google.cloud.security.privateca.v1alpha1.CertificateAuthority] for deletion.
+	ScheduleDeleteCertificateAuthority(ctx context.Context, in *ScheduleDeleteCertificateAuthorityRequest, opts ...grpc.CallOption) (*longrunning.Operation, error)
+	// Restore a [CertificateAuthority][google.cloud.security.privateca.v1alpha1.CertificateAuthority] that is scheduled for deletion.
+	RestoreCertificateAuthority(ctx context.Context, in *RestoreCertificateAuthorityRequest, opts ...grpc.CallOption) (*longrunning.Operation, error)
+	// Revoke a [Certificate][google.cloud.security.privateca.v1alpha1.Certificate].
+	RevokeCertificate(ctx context.Context, in *RevokeCertificateRequest, opts ...grpc.CallOption) (*longrunning.Operation, error)
+	// Publish a [CertificateRevocationList][google.cloud.security.privateca.v1alpha1.CertificateRevocationList].
+	PublishCertificateRevocationList(ctx context.Context, in *PublishCertificateRevocationListRequest, opts ...grpc.CallOption) (*PublishCertificateRevocationListResponse, error)
+}
+
+type certificateAuthorityServiceClient struct {
+	cc grpc.ClientConnInterface
+}
+
+func NewCertificateAuthorityServiceClient(cc grpc.ClientConnInterface) CertificateAuthorityServiceClient {
+	return &certificateAuthorityServiceClient{cc}
+}
+
+func (c *certificateAuthorityServiceClient) ListCertificateAuthorities(ctx context.Context, in *ListCertificateAuthoritiesRequest, opts ...grpc.CallOption) (*ListCertificateAuthoritiesResponse, error) {
+	out := new(ListCertificateAuthoritiesResponse)
+	err := c.cc.Invoke(ctx, "/google.cloud.security.privateca.v1alpha1.CertificateAuthorityService/ListCertificateAuthorities", in, out, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (c *certificateAuthorityServiceClient) ListCertificateRevocationLists(ctx context.Context, in *ListCertificateRevocationListsRequest, opts ...grpc.CallOption) (*ListCertificateRevocationListsResponse, error) {
+	out := new(ListCertificateRevocationListsResponse)
+	err := c.cc.Invoke(ctx, "/google.cloud.security.privateca.v1alpha1.CertificateAuthorityService/ListCertificateRevocationLists", in, out, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (c *certificateAuthorityServiceClient) ListCertificates(ctx context.Context, in *ListCertificatesRequest, opts ...grpc.CallOption) (*ListCertificatesResponse, error) {
+	out := new(ListCertificatesResponse)
+	err := c.cc.Invoke(ctx, "/google.cloud.security.privateca.v1alpha1.CertificateAuthorityService/ListCertificates", in, out, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (c *certificateAuthorityServiceClient) ListReusableConfigs(ctx context.Context, in *ListReusableConfigsRequest, opts ...grpc.CallOption) (*ListReusableConfigsResponse, error) {
+	out := new(ListReusableConfigsResponse)
+	err := c.cc.Invoke(ctx, "/google.cloud.security.privateca.v1alpha1.CertificateAuthorityService/ListReusableConfigs", in, out, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (c *certificateAuthorityServiceClient) GetCertificateAuthority(ctx context.Context, in *GetCertificateAuthorityRequest, opts ...grpc.CallOption) (*CertificateAuthority, error) {
+	out := new(CertificateAuthority)
+	err := c.cc.Invoke(ctx, "/google.cloud.security.privateca.v1alpha1.CertificateAuthorityService/GetCertificateAuthority", in, out, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (c *certificateAuthorityServiceClient) GetCertificateRevocationList(ctx context.Context, in *GetCertificateRevocationListRequest, opts ...grpc.CallOption) (*CertificateRevocationList, error) {
+	out := new(CertificateRevocationList)
+	err := c.cc.Invoke(ctx, "/google.cloud.security.privateca.v1alpha1.CertificateAuthorityService/GetCertificateRevocationList", in, out, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (c *certificateAuthorityServiceClient) GetCertificate(ctx context.Context, in *GetCertificateRequest, opts ...grpc.CallOption) (*Certificate, error) {
+	out := new(Certificate)
+	err := c.cc.Invoke(ctx, "/google.cloud.security.privateca.v1alpha1.CertificateAuthorityService/GetCertificate", in, out, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (c *certificateAuthorityServiceClient) GetReusableConfig(ctx context.Context, in *GetReusableConfigRequest, opts ...grpc.CallOption) (*ReusableConfig, error) {
+	out := new(ReusableConfig)
+	err := c.cc.Invoke(ctx, "/google.cloud.security.privateca.v1alpha1.CertificateAuthorityService/GetReusableConfig", in, out, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (c *certificateAuthorityServiceClient) CreateCertificateAuthority(ctx context.Context, in *CreateCertificateAuthorityRequest, opts ...grpc.CallOption) (*longrunning.Operation, error) {
+	out := new(longrunning.Operation)
+	err := c.cc.Invoke(ctx, "/google.cloud.security.privateca.v1alpha1.CertificateAuthorityService/CreateCertificateAuthority", in, out, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (c *certificateAuthorityServiceClient) CreateCertificateRevocationList(ctx context.Context, in *CreateCertificateRevocationListRequest, opts ...grpc.CallOption) (*longrunning.Operation, error) {
+	out := new(longrunning.Operation)
+	err := c.cc.Invoke(ctx, "/google.cloud.security.privateca.v1alpha1.CertificateAuthorityService/CreateCertificateRevocationList", in, out, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (c *certificateAuthorityServiceClient) CreateCertificate(ctx context.Context, in *CreateCertificateRequest, opts ...grpc.CallOption) (*longrunning.Operation, error) {
+	out := new(longrunning.Operation)
+	err := c.cc.Invoke(ctx, "/google.cloud.security.privateca.v1alpha1.CertificateAuthorityService/CreateCertificate", in, out, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (c *certificateAuthorityServiceClient) CreateReusableConfig(ctx context.Context, in *CreateReusableConfigRequest, opts ...grpc.CallOption) (*longrunning.Operation, error) {
+	out := new(longrunning.Operation)
+	err := c.cc.Invoke(ctx, "/google.cloud.security.privateca.v1alpha1.CertificateAuthorityService/CreateReusableConfig", in, out, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (c *certificateAuthorityServiceClient) UpdateCertificateAuthority(ctx context.Context, in *UpdateCertificateAuthorityRequest, opts ...grpc.CallOption) (*longrunning.Operation, error) {
+	out := new(longrunning.Operation)
+	err := c.cc.Invoke(ctx, "/google.cloud.security.privateca.v1alpha1.CertificateAuthorityService/UpdateCertificateAuthority", in, out, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (c *certificateAuthorityServiceClient) UpdateCertificateRevocationList(ctx context.Context, in *UpdateCertificateRevocationListRequest, opts ...grpc.CallOption) (*longrunning.Operation, error) {
+	out := new(longrunning.Operation)
+	err := c.cc.Invoke(ctx, "/google.cloud.security.privateca.v1alpha1.CertificateAuthorityService/UpdateCertificateRevocationList", in, out, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (c *certificateAuthorityServiceClient) UpdateCertificate(ctx context.Context, in *UpdateCertificateRequest, opts ...grpc.CallOption) (*longrunning.Operation, error) {
+	out := new(longrunning.Operation)
+	err := c.cc.Invoke(ctx, "/google.cloud.security.privateca.v1alpha1.CertificateAuthorityService/UpdateCertificate", in, out, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (c *certificateAuthorityServiceClient) UpdateReusableConfig(ctx context.Context, in *UpdateReusableConfigRequest, opts ...grpc.CallOption) (*longrunning.Operation, error) {
+	out := new(longrunning.Operation)
+	err := c.cc.Invoke(ctx, "/google.cloud.security.privateca.v1alpha1.CertificateAuthorityService/UpdateReusableConfig", in, out, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (c *certificateAuthorityServiceClient) DeleteCertificateAuthority(ctx context.Context, in *DeleteCertificateAuthorityRequest, opts ...grpc.CallOption) (*longrunning.Operation, error) {
+	out := new(longrunning.Operation)
+	err := c.cc.Invoke(ctx, "/google.cloud.security.privateca.v1alpha1.CertificateAuthorityService/DeleteCertificateAuthority", in, out, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (c *certificateAuthorityServiceClient) GetCertificateAuthorityCsr(ctx context.Context, in *GetCertificateAuthorityCsrRequest, opts ...grpc.CallOption) (*GetCertificateAuthorityCsrResponse, error) {
+	out := new(GetCertificateAuthorityCsrResponse)
+	err := c.cc.Invoke(ctx, "/google.cloud.security.privateca.v1alpha1.CertificateAuthorityService/GetCertificateAuthorityCsr", in, out, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (c *certificateAuthorityServiceClient) ActivateCertificateAuthority(ctx context.Context, in *ActivateCertificateAuthorityRequest, opts ...grpc.CallOption) (*longrunning.Operation, error) {
+	out := new(longrunning.Operation)
+	err := c.cc.Invoke(ctx, "/google.cloud.security.privateca.v1alpha1.CertificateAuthorityService/ActivateCertificateAuthority", in, out, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (c *certificateAuthorityServiceClient) DisableCertificateAuthority(ctx context.Context, in *DisableCertificateAuthorityRequest, opts ...grpc.CallOption) (*longrunning.Operation, error) {
+	out := new(longrunning.Operation)
+	err := c.cc.Invoke(ctx, "/google.cloud.security.privateca.v1alpha1.CertificateAuthorityService/DisableCertificateAuthority", in, out, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (c *certificateAuthorityServiceClient) EnableCertificateAuthority(ctx context.Context, in *EnableCertificateAuthorityRequest, opts ...grpc.CallOption) (*longrunning.Operation, error) {
+	out := new(longrunning.Operation)
+	err := c.cc.Invoke(ctx, "/google.cloud.security.privateca.v1alpha1.CertificateAuthorityService/EnableCertificateAuthority", in, out, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (c *certificateAuthorityServiceClient) ScheduleDeleteCertificateAuthority(ctx context.Context, in *ScheduleDeleteCertificateAuthorityRequest, opts ...grpc.CallOption) (*longrunning.Operation, error) {
+	out := new(longrunning.Operation)
+	err := c.cc.Invoke(ctx, "/google.cloud.security.privateca.v1alpha1.CertificateAuthorityService/ScheduleDeleteCertificateAuthority", in, out, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (c *certificateAuthorityServiceClient) RestoreCertificateAuthority(ctx context.Context, in *RestoreCertificateAuthorityRequest, opts ...grpc.CallOption) (*longrunning.Operation, error) {
+	out := new(longrunning.Operation)
+	err := c.cc.Invoke(ctx, "/google.cloud.security.privateca.v1alpha1.CertificateAuthorityService/RestoreCertificateAuthority", in, out, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (c *certificateAuthorityServiceClient) RevokeCertificate(ctx context.Context, in *RevokeCertificateRequest, opts ...grpc.CallOption) (*longrunning.Operation, error) {
+	out := new(longrunning.Operation)
+	err := c.cc.Invoke(ctx, "/google.cloud.security.privateca.v1alpha1.CertificateAuthorityService/RevokeCertificate", in, out, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (c *certificateAuthorityServiceClient) PublishCertificateRevocationList(ctx context.Context, in *PublishCertificateRevocationListRequest, opts ...grpc.CallOption) (*PublishCertificateRevocationListResponse, error) {
+	out := new(PublishCertificateRevocationListResponse)
+	err := c.cc.Invoke(ctx, "/google.cloud.security.privateca.v1alpha1.CertificateAuthorityService/PublishCertificateRevocationList", in, out, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+// CertificateAuthorityServiceServer is the server API for CertificateAuthorityService service.
+type CertificateAuthorityServiceServer interface {
+	// Lists [CertificateAuthorities][google.cloud.security.privateca.v1alpha1.CertificateAuthority].
+	ListCertificateAuthorities(context.Context, *ListCertificateAuthoritiesRequest) (*ListCertificateAuthoritiesResponse, error)
+	// Lists [CertificateRevocationLists][google.cloud.security.privateca.v1alpha1.CertificateRevocationList].
+	ListCertificateRevocationLists(context.Context, *ListCertificateRevocationListsRequest) (*ListCertificateRevocationListsResponse, error)
+	// Lists [Certificates][google.cloud.security.privateca.v1alpha1.Certificate].
+	ListCertificates(context.Context, *ListCertificatesRequest) (*ListCertificatesResponse, error)
+	// Lists [ReusableConfigs][google.cloud.security.privateca.v1alpha1.ReusableConfig].
+	ListReusableConfigs(context.Context, *ListReusableConfigsRequest) (*ListReusableConfigsResponse, error)
+	// Returns a [CertificateAuthority][google.cloud.security.privateca.v1alpha1.CertificateAuthority].
+	GetCertificateAuthority(context.Context, *GetCertificateAuthorityRequest) (*CertificateAuthority, error)
+	// Returns a [CertificateRevocationList][google.cloud.security.privateca.v1alpha1.CertificateRevocationList].
+	GetCertificateRevocationList(context.Context, *GetCertificateRevocationListRequest) (*CertificateRevocationList, error)
+	// Returns a [Certificate][google.cloud.security.privateca.v1alpha1.Certificate].
+	GetCertificate(context.Context, *GetCertificateRequest) (*Certificate, error)
+	// Returns a [ReusableConfig][google.cloud.security.privateca.v1alpha1.ReusableConfig].
+	GetReusableConfig(context.Context, *GetReusableConfigRequest) (*ReusableConfig, error)
+	// Create a new [CertificateAuthority][google.cloud.security.privateca.v1alpha1.CertificateAuthority] in a given Project and Location.
+	CreateCertificateAuthority(context.Context, *CreateCertificateAuthorityRequest) (*longrunning.Operation, error)
+	// Create a new [CertificateRevocationList][google.cloud.security.privateca.v1alpha1.CertificateRevocationList] in a given Project, Location
+	// for a particular [CertificateAuthority][google.cloud.security.privateca.v1alpha1.CertificateAuthority].
+	CreateCertificateRevocationList(context.Context, *CreateCertificateRevocationListRequest) (*longrunning.Operation, error)
+	// Create a new [Certificate][google.cloud.security.privateca.v1alpha1.Certificate] in a given Project, Location from a particular
+	// [CertificateAuthority][google.cloud.security.privateca.v1alpha1.CertificateAuthority].
+	CreateCertificate(context.Context, *CreateCertificateRequest) (*longrunning.Operation, error)
+	// Create a new [ReusableConfig][google.cloud.security.privateca.v1alpha1.ReusableConfig] in a given Project and Location.
+	CreateReusableConfig(context.Context, *CreateReusableConfigRequest) (*longrunning.Operation, error)
+	// Update a [CertificateAuthority][google.cloud.security.privateca.v1alpha1.CertificateAuthority].
+	UpdateCertificateAuthority(context.Context, *UpdateCertificateAuthorityRequest) (*longrunning.Operation, error)
+	// Update a [CertificateRevocationList][google.cloud.security.privateca.v1alpha1.CertificateRevocationList].
+	UpdateCertificateRevocationList(context.Context, *UpdateCertificateRevocationListRequest) (*longrunning.Operation, error)
+	// Update a [Certificate][google.cloud.security.privateca.v1alpha1.Certificate].
+	UpdateCertificate(context.Context, *UpdateCertificateRequest) (*longrunning.Operation, error)
+	// Update a [ReusableConfig][google.cloud.security.privateca.v1alpha1.ReusableConfig].
+	UpdateReusableConfig(context.Context, *UpdateReusableConfigRequest) (*longrunning.Operation, error)
+	// Deletes a specific [CertificateAuthority][google.cloud.security.privateca.v1alpha1.CertificateAuthority]. Once deleted, the
+	// [CertificateAuthority][google.cloud.security.privateca.v1alpha1.CertificateAuthority] will no longer issue [Certificates][google.cloud.security.privateca.v1alpha1.Certificate]
+	// and [CertificateRevocationLists][google.cloud.security.privateca.v1alpha1.CertificateRevocationList].
+	DeleteCertificateAuthority(context.Context, *DeleteCertificateAuthorityRequest) (*longrunning.Operation, error)
+	// Get the CSR for a pending [CertificateAuthority][google.cloud.security.privateca.v1alpha1.CertificateAuthority].
+	GetCertificateAuthorityCsr(context.Context, *GetCertificateAuthorityCsrRequest) (*GetCertificateAuthorityCsrResponse, error)
+	// Activate a pending [CertificateAuthority][google.cloud.security.privateca.v1alpha1.CertificateAuthority].
+	ActivateCertificateAuthority(context.Context, *ActivateCertificateAuthorityRequest) (*longrunning.Operation, error)
+	// Disable a [CertificateAuthority][google.cloud.security.privateca.v1alpha1.CertificateAuthority].
+	DisableCertificateAuthority(context.Context, *DisableCertificateAuthorityRequest) (*longrunning.Operation, error)
+	// Enable a [CertificateAuthority][google.cloud.security.privateca.v1alpha1.CertificateAuthority].
+	EnableCertificateAuthority(context.Context, *EnableCertificateAuthorityRequest) (*longrunning.Operation, error)
+	// Schedule a [CertificateAuthority][google.cloud.security.privateca.v1alpha1.CertificateAuthority] for deletion.
+	ScheduleDeleteCertificateAuthority(context.Context, *ScheduleDeleteCertificateAuthorityRequest) (*longrunning.Operation, error)
+	// Restore a [CertificateAuthority][google.cloud.security.privateca.v1alpha1.CertificateAuthority] that is scheduled for deletion.
+	RestoreCertificateAuthority(context.Context, *RestoreCertificateAuthorityRequest) (*longrunning.Operation, error)
+	// Revoke a [Certificate][google.cloud.security.privateca.v1alpha1.Certificate].
+	RevokeCertificate(context.Context, *RevokeCertificateRequest) (*longrunning.Operation, error)
+	// Publish a [CertificateRevocationList][google.cloud.security.privateca.v1alpha1.CertificateRevocationList].
+	PublishCertificateRevocationList(context.Context, *PublishCertificateRevocationListRequest) (*PublishCertificateRevocationListResponse, error)
+}
+
+// UnimplementedCertificateAuthorityServiceServer can be embedded to have forward compatible implementations.
+type UnimplementedCertificateAuthorityServiceServer struct {
+}
+
+func (*UnimplementedCertificateAuthorityServiceServer) ListCertificateAuthorities(ctx context.Context, req *ListCertificateAuthoritiesRequest) (*ListCertificateAuthoritiesResponse, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method ListCertificateAuthorities not implemented")
+}
+func (*UnimplementedCertificateAuthorityServiceServer) ListCertificateRevocationLists(ctx context.Context, req *ListCertificateRevocationListsRequest) (*ListCertificateRevocationListsResponse, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method ListCertificateRevocationLists not implemented")
+}
+func (*UnimplementedCertificateAuthorityServiceServer) ListCertificates(ctx context.Context, req *ListCertificatesRequest) (*ListCertificatesResponse, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method ListCertificates not implemented")
+}
+func (*UnimplementedCertificateAuthorityServiceServer) ListReusableConfigs(ctx context.Context, req *ListReusableConfigsRequest) (*ListReusableConfigsResponse, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method ListReusableConfigs not implemented")
+}
+func (*UnimplementedCertificateAuthorityServiceServer) GetCertificateAuthority(ctx context.Context, req *GetCertificateAuthorityRequest) (*CertificateAuthority, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method GetCertificateAuthority not implemented")
+}
+func (*UnimplementedCertificateAuthorityServiceServer) GetCertificateRevocationList(ctx context.Context, req *GetCertificateRevocationListRequest) (*CertificateRevocationList, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method GetCertificateRevocationList not implemented")
+}
+func (*UnimplementedCertificateAuthorityServiceServer) GetCertificate(ctx context.Context, req *GetCertificateRequest) (*Certificate, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method GetCertificate not implemented")
+}
+func (*UnimplementedCertificateAuthorityServiceServer) GetReusableConfig(ctx context.Context, req *GetReusableConfigRequest) (*ReusableConfig, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method GetReusableConfig not implemented")
+}
+func (*UnimplementedCertificateAuthorityServiceServer) CreateCertificateAuthority(ctx context.Context, req *CreateCertificateAuthorityRequest) (*longrunning.Operation, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method CreateCertificateAuthority not implemented")
+}
+func (*UnimplementedCertificateAuthorityServiceServer) CreateCertificateRevocationList(ctx context.Context, req *CreateCertificateRevocationListRequest) (*longrunning.Operation, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method CreateCertificateRevocationList not implemented")
+}
+func (*UnimplementedCertificateAuthorityServiceServer) CreateCertificate(ctx context.Context, req *CreateCertificateRequest) (*longrunning.Operation, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method CreateCertificate not implemented")
+}
+func (*UnimplementedCertificateAuthorityServiceServer) CreateReusableConfig(ctx context.Context, req *CreateReusableConfigRequest) (*longrunning.Operation, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method CreateReusableConfig not implemented")
+}
+func (*UnimplementedCertificateAuthorityServiceServer) UpdateCertificateAuthority(ctx context.Context, req *UpdateCertificateAuthorityRequest) (*longrunning.Operation, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method UpdateCertificateAuthority not implemented")
+}
+func (*UnimplementedCertificateAuthorityServiceServer) UpdateCertificateRevocationList(ctx context.Context, req *UpdateCertificateRevocationListRequest) (*longrunning.Operation, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method UpdateCertificateRevocationList not implemented")
+}
+func (*UnimplementedCertificateAuthorityServiceServer) UpdateCertificate(ctx context.Context, req *UpdateCertificateRequest) (*longrunning.Operation, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method UpdateCertificate not implemented")
+}
+func (*UnimplementedCertificateAuthorityServiceServer) UpdateReusableConfig(ctx context.Context, req *UpdateReusableConfigRequest) (*longrunning.Operation, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method UpdateReusableConfig not implemented")
+}
+func (*UnimplementedCertificateAuthorityServiceServer) DeleteCertificateAuthority(ctx context.Context, req *DeleteCertificateAuthorityRequest) (*longrunning.Operation, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method DeleteCertificateAuthority not implemented")
+}
+func (*UnimplementedCertificateAuthorityServiceServer) GetCertificateAuthorityCsr(ctx context.Context, req *GetCertificateAuthorityCsrRequest) (*GetCertificateAuthorityCsrResponse, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method GetCertificateAuthorityCsr not implemented")
+}
+func (*UnimplementedCertificateAuthorityServiceServer) ActivateCertificateAuthority(ctx context.Context, req *ActivateCertificateAuthorityRequest) (*longrunning.Operation, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method ActivateCertificateAuthority not implemented")
+}
+func (*UnimplementedCertificateAuthorityServiceServer) DisableCertificateAuthority(ctx context.Context, req *DisableCertificateAuthorityRequest) (*longrunning.Operation, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method DisableCertificateAuthority not implemented")
+}
+func (*UnimplementedCertificateAuthorityServiceServer) EnableCertificateAuthority(ctx context.Context, req *EnableCertificateAuthorityRequest) (*longrunning.Operation, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method EnableCertificateAuthority not implemented")
+}
+func (*UnimplementedCertificateAuthorityServiceServer) ScheduleDeleteCertificateAuthority(ctx context.Context, req *ScheduleDeleteCertificateAuthorityRequest) (*longrunning.Operation, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method ScheduleDeleteCertificateAuthority not implemented")
+}
+func (*UnimplementedCertificateAuthorityServiceServer) RestoreCertificateAuthority(ctx context.Context, req *RestoreCertificateAuthorityRequest) (*longrunning.Operation, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method RestoreCertificateAuthority not implemented")
+}
+func (*UnimplementedCertificateAuthorityServiceServer) RevokeCertificate(ctx context.Context, req *RevokeCertificateRequest) (*longrunning.Operation, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method RevokeCertificate not implemented")
+}
+func (*UnimplementedCertificateAuthorityServiceServer) PublishCertificateRevocationList(ctx context.Context, req *PublishCertificateRevocationListRequest) (*PublishCertificateRevocationListResponse, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method PublishCertificateRevocationList not implemented")
+}
+
+func RegisterCertificateAuthorityServiceServer(s *grpc.Server, srv CertificateAuthorityServiceServer) {
+	s.RegisterService(&_CertificateAuthorityService_serviceDesc, srv)
+}
+
+func _CertificateAuthorityService_ListCertificateAuthorities_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(ListCertificateAuthoritiesRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(CertificateAuthorityServiceServer).ListCertificateAuthorities(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: "/google.cloud.security.privateca.v1alpha1.CertificateAuthorityService/ListCertificateAuthorities",
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(CertificateAuthorityServiceServer).ListCertificateAuthorities(ctx, req.(*ListCertificateAuthoritiesRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+func _CertificateAuthorityService_ListCertificateRevocationLists_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(ListCertificateRevocationListsRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(CertificateAuthorityServiceServer).ListCertificateRevocationLists(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: "/google.cloud.security.privateca.v1alpha1.CertificateAuthorityService/ListCertificateRevocationLists",
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(CertificateAuthorityServiceServer).ListCertificateRevocationLists(ctx, req.(*ListCertificateRevocationListsRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+func _CertificateAuthorityService_ListCertificates_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(ListCertificatesRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(CertificateAuthorityServiceServer).ListCertificates(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: "/google.cloud.security.privateca.v1alpha1.CertificateAuthorityService/ListCertificates",
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(CertificateAuthorityServiceServer).ListCertificates(ctx, req.(*ListCertificatesRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+func _CertificateAuthorityService_ListReusableConfigs_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(ListReusableConfigsRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(CertificateAuthorityServiceServer).ListReusableConfigs(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: "/google.cloud.security.privateca.v1alpha1.CertificateAuthorityService/ListReusableConfigs",
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(CertificateAuthorityServiceServer).ListReusableConfigs(ctx, req.(*ListReusableConfigsRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+func _CertificateAuthorityService_GetCertificateAuthority_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(GetCertificateAuthorityRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(CertificateAuthorityServiceServer).GetCertificateAuthority(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: "/google.cloud.security.privateca.v1alpha1.CertificateAuthorityService/GetCertificateAuthority",
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(CertificateAuthorityServiceServer).GetCertificateAuthority(ctx, req.(*GetCertificateAuthorityRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+func _CertificateAuthorityService_GetCertificateRevocationList_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(GetCertificateRevocationListRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(CertificateAuthorityServiceServer).GetCertificateRevocationList(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: "/google.cloud.security.privateca.v1alpha1.CertificateAuthorityService/GetCertificateRevocationList",
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(CertificateAuthorityServiceServer).GetCertificateRevocationList(ctx, req.(*GetCertificateRevocationListRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+func _CertificateAuthorityService_GetCertificate_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(GetCertificateRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(CertificateAuthorityServiceServer).GetCertificate(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: "/google.cloud.security.privateca.v1alpha1.CertificateAuthorityService/GetCertificate",
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(CertificateAuthorityServiceServer).GetCertificate(ctx, req.(*GetCertificateRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+func _CertificateAuthorityService_GetReusableConfig_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(GetReusableConfigRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(CertificateAuthorityServiceServer).GetReusableConfig(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: "/google.cloud.security.privateca.v1alpha1.CertificateAuthorityService/GetReusableConfig",
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(CertificateAuthorityServiceServer).GetReusableConfig(ctx, req.(*GetReusableConfigRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+func _CertificateAuthorityService_CreateCertificateAuthority_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(CreateCertificateAuthorityRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(CertificateAuthorityServiceServer).CreateCertificateAuthority(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: "/google.cloud.security.privateca.v1alpha1.CertificateAuthorityService/CreateCertificateAuthority",
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(CertificateAuthorityServiceServer).CreateCertificateAuthority(ctx, req.(*CreateCertificateAuthorityRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+func _CertificateAuthorityService_CreateCertificateRevocationList_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(CreateCertificateRevocationListRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(CertificateAuthorityServiceServer).CreateCertificateRevocationList(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: "/google.cloud.security.privateca.v1alpha1.CertificateAuthorityService/CreateCertificateRevocationList",
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(CertificateAuthorityServiceServer).CreateCertificateRevocationList(ctx, req.(*CreateCertificateRevocationListRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+func _CertificateAuthorityService_CreateCertificate_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(CreateCertificateRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(CertificateAuthorityServiceServer).CreateCertificate(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: "/google.cloud.security.privateca.v1alpha1.CertificateAuthorityService/CreateCertificate",
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(CertificateAuthorityServiceServer).CreateCertificate(ctx, req.(*CreateCertificateRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+func _CertificateAuthorityService_CreateReusableConfig_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(CreateReusableConfigRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(CertificateAuthorityServiceServer).CreateReusableConfig(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: "/google.cloud.security.privateca.v1alpha1.CertificateAuthorityService/CreateReusableConfig",
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(CertificateAuthorityServiceServer).CreateReusableConfig(ctx, req.(*CreateReusableConfigRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+func _CertificateAuthorityService_UpdateCertificateAuthority_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(UpdateCertificateAuthorityRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(CertificateAuthorityServiceServer).UpdateCertificateAuthority(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: "/google.cloud.security.privateca.v1alpha1.CertificateAuthorityService/UpdateCertificateAuthority",
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(CertificateAuthorityServiceServer).UpdateCertificateAuthority(ctx, req.(*UpdateCertificateAuthorityRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+func _CertificateAuthorityService_UpdateCertificateRevocationList_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(UpdateCertificateRevocationListRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(CertificateAuthorityServiceServer).UpdateCertificateRevocationList(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: "/google.cloud.security.privateca.v1alpha1.CertificateAuthorityService/UpdateCertificateRevocationList",
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(CertificateAuthorityServiceServer).UpdateCertificateRevocationList(ctx, req.(*UpdateCertificateRevocationListRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+func _CertificateAuthorityService_UpdateCertificate_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(UpdateCertificateRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(CertificateAuthorityServiceServer).UpdateCertificate(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: "/google.cloud.security.privateca.v1alpha1.CertificateAuthorityService/UpdateCertificate",
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(CertificateAuthorityServiceServer).UpdateCertificate(ctx, req.(*UpdateCertificateRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+func _CertificateAuthorityService_UpdateReusableConfig_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(UpdateReusableConfigRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(CertificateAuthorityServiceServer).UpdateReusableConfig(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: "/google.cloud.security.privateca.v1alpha1.CertificateAuthorityService/UpdateReusableConfig",
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(CertificateAuthorityServiceServer).UpdateReusableConfig(ctx, req.(*UpdateReusableConfigRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+func _CertificateAuthorityService_DeleteCertificateAuthority_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(DeleteCertificateAuthorityRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(CertificateAuthorityServiceServer).DeleteCertificateAuthority(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: "/google.cloud.security.privateca.v1alpha1.CertificateAuthorityService/DeleteCertificateAuthority",
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(CertificateAuthorityServiceServer).DeleteCertificateAuthority(ctx, req.(*DeleteCertificateAuthorityRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+func _CertificateAuthorityService_GetCertificateAuthorityCsr_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(GetCertificateAuthorityCsrRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(CertificateAuthorityServiceServer).GetCertificateAuthorityCsr(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: "/google.cloud.security.privateca.v1alpha1.CertificateAuthorityService/GetCertificateAuthorityCsr",
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(CertificateAuthorityServiceServer).GetCertificateAuthorityCsr(ctx, req.(*GetCertificateAuthorityCsrRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+func _CertificateAuthorityService_ActivateCertificateAuthority_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(ActivateCertificateAuthorityRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(CertificateAuthorityServiceServer).ActivateCertificateAuthority(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: "/google.cloud.security.privateca.v1alpha1.CertificateAuthorityService/ActivateCertificateAuthority",
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(CertificateAuthorityServiceServer).ActivateCertificateAuthority(ctx, req.(*ActivateCertificateAuthorityRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+func _CertificateAuthorityService_DisableCertificateAuthority_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(DisableCertificateAuthorityRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(CertificateAuthorityServiceServer).DisableCertificateAuthority(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: "/google.cloud.security.privateca.v1alpha1.CertificateAuthorityService/DisableCertificateAuthority",
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(CertificateAuthorityServiceServer).DisableCertificateAuthority(ctx, req.(*DisableCertificateAuthorityRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+func _CertificateAuthorityService_EnableCertificateAuthority_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(EnableCertificateAuthorityRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(CertificateAuthorityServiceServer).EnableCertificateAuthority(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: "/google.cloud.security.privateca.v1alpha1.CertificateAuthorityService/EnableCertificateAuthority",
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(CertificateAuthorityServiceServer).EnableCertificateAuthority(ctx, req.(*EnableCertificateAuthorityRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+func _CertificateAuthorityService_ScheduleDeleteCertificateAuthority_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(ScheduleDeleteCertificateAuthorityRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(CertificateAuthorityServiceServer).ScheduleDeleteCertificateAuthority(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: "/google.cloud.security.privateca.v1alpha1.CertificateAuthorityService/ScheduleDeleteCertificateAuthority",
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(CertificateAuthorityServiceServer).ScheduleDeleteCertificateAuthority(ctx, req.(*ScheduleDeleteCertificateAuthorityRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+func _CertificateAuthorityService_RestoreCertificateAuthority_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(RestoreCertificateAuthorityRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(CertificateAuthorityServiceServer).RestoreCertificateAuthority(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: "/google.cloud.security.privateca.v1alpha1.CertificateAuthorityService/RestoreCertificateAuthority",
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(CertificateAuthorityServiceServer).RestoreCertificateAuthority(ctx, req.(*RestoreCertificateAuthorityRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+func _CertificateAuthorityService_RevokeCertificate_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(RevokeCertificateRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(CertificateAuthorityServiceServer).RevokeCertificate(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: "/google.cloud.security.privateca.v1alpha1.CertificateAuthorityService/RevokeCertificate",
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(CertificateAuthorityServiceServer).RevokeCertificate(ctx, req.(*RevokeCertificateRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+func _CertificateAuthorityService_PublishCertificateRevocationList_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(PublishCertificateRevocationListRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(CertificateAuthorityServiceServer).PublishCertificateRevocationList(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: "/google.cloud.security.privateca.v1alpha1.CertificateAuthorityService/PublishCertificateRevocationList",
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(CertificateAuthorityServiceServer).PublishCertificateRevocationList(ctx, req.(*PublishCertificateRevocationListRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+var _CertificateAuthorityService_serviceDesc = grpc.ServiceDesc{
+	ServiceName: "google.cloud.security.privateca.v1alpha1.CertificateAuthorityService",
+	HandlerType: (*CertificateAuthorityServiceServer)(nil),
+	Methods: []grpc.MethodDesc{
+		{
+			MethodName: "ListCertificateAuthorities",
+			Handler:    _CertificateAuthorityService_ListCertificateAuthorities_Handler,
+		},
+		{
+			MethodName: "ListCertificateRevocationLists",
+			Handler:    _CertificateAuthorityService_ListCertificateRevocationLists_Handler,
+		},
+		{
+			MethodName: "ListCertificates",
+			Handler:    _CertificateAuthorityService_ListCertificates_Handler,
+		},
+		{
+			MethodName: "ListReusableConfigs",
+			Handler:    _CertificateAuthorityService_ListReusableConfigs_Handler,
+		},
+		{
+			MethodName: "GetCertificateAuthority",
+			Handler:    _CertificateAuthorityService_GetCertificateAuthority_Handler,
+		},
+		{
+			MethodName: "GetCertificateRevocationList",
+			Handler:    _CertificateAuthorityService_GetCertificateRevocationList_Handler,
+		},
+		{
+			MethodName: "GetCertificate",
+			Handler:    _CertificateAuthorityService_GetCertificate_Handler,
+		},
+		{
+			MethodName: "GetReusableConfig",
+			Handler:    _CertificateAuthorityService_GetReusableConfig_Handler,
+		},
+		{
+			MethodName: "CreateCertificateAuthority",
+			Handler:    _CertificateAuthorityService_CreateCertificateAuthority_Handler,
+		},
+		{
+			MethodName: "CreateCertificateRevocationList",
+			Handler:    _CertificateAuthorityService_CreateCertificateRevocationList_Handler,
+		},
+		{
+			MethodName: "CreateCertificate",
+			Handler:    _CertificateAuthorityService_CreateCertificate_Handler,
+		},
+		{
+			MethodName: "CreateReusableConfig",
+			Handler:    _CertificateAuthorityService_CreateReusableConfig_Handler,
+		},
+		{
+			MethodName: "UpdateCertificateAuthority",
+			Handler:    _CertificateAuthorityService_UpdateCertificateAuthority_Handler,
+		},
+		{
+			MethodName: "UpdateCertificateRevocationList",
+			Handler:    _CertificateAuthorityService_UpdateCertificateRevocationList_Handler,
+		},
+		{
+			MethodName: "UpdateCertificate",
+			Handler:    _CertificateAuthorityService_UpdateCertificate_Handler,
+		},
+		{
+			MethodName: "UpdateReusableConfig",
+			Handler:    _CertificateAuthorityService_UpdateReusableConfig_Handler,
+		},
+		{
+			MethodName: "DeleteCertificateAuthority",
+			Handler:    _CertificateAuthorityService_DeleteCertificateAuthority_Handler,
+		},
+		{
+			MethodName: "GetCertificateAuthorityCsr",
+			Handler:    _CertificateAuthorityService_GetCertificateAuthorityCsr_Handler,
+		},
+		{
+			MethodName: "ActivateCertificateAuthority",
+			Handler:    _CertificateAuthorityService_ActivateCertificateAuthority_Handler,
+		},
+		{
+			MethodName: "DisableCertificateAuthority",
+			Handler:    _CertificateAuthorityService_DisableCertificateAuthority_Handler,
+		},
+		{
+			MethodName: "EnableCertificateAuthority",
+			Handler:    _CertificateAuthorityService_EnableCertificateAuthority_Handler,
+		},
+		{
+			MethodName: "ScheduleDeleteCertificateAuthority",
+			Handler:    _CertificateAuthorityService_ScheduleDeleteCertificateAuthority_Handler,
+		},
+		{
+			MethodName: "RestoreCertificateAuthority",
+			Handler:    _CertificateAuthorityService_RestoreCertificateAuthority_Handler,
+		},
+		{
+			MethodName: "RevokeCertificate",
+			Handler:    _CertificateAuthorityService_RevokeCertificate_Handler,
+		},
+		{
+			MethodName: "PublishCertificateRevocationList",
+			Handler:    _CertificateAuthorityService_PublishCertificateRevocationList_Handler,
+		},
+	},
+	Streams:  []grpc.StreamDesc{},
+	Metadata: "google/cloud/security/privateca/v1alpha1/service.proto",
+}
diff --git a/path_config.go b/path_config.go
new file mode 100644
index 0000000..9b76cbf
--- /dev/null
+++ b/path_config.go
@@ -0,0 +1,154 @@
+// Copyright 2020 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     https://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package gcppca
+
+import (
+	"context"
+
+	"github.com/hashicorp/errwrap"
+	"github.com/hashicorp/vault/sdk/framework"
+	"github.com/hashicorp/vault/sdk/logical"
+)
+
+// pathConfig defines the gcppca/config base path on the backend.
+func (b *backend) pathConfig() *framework.Path {
+	return &framework.Path{
+		Pattern: "config",
+
+		HelpSynopsis:    "Configure the GCP CA Service secrets engine",
+		HelpDescription: "Configure the GCP CA Service secrets engine credentials",
+
+		Fields: map[string]*framework.FieldSchema{
+			"credentials": &framework.FieldSchema{
+				Type: framework.TypeString,
+				Description: `
+The credentials to use for authenticating to Google Cloud. Leave this blank to
+use the Default Application Credentials or instance metadata authentication.
+`,
+			},
+
+			"scopes": &framework.FieldSchema{
+				Type:    framework.TypeCommaStringSlice,
+				Default: []string{"https://www.googleapis.com/auth/cloud-platform"},
+				Description: `
+The list of full-URL scopes to request when authenticating. By default, this
+requests https://www.googleapis.com/auth/cloud-platform.
+`,
+			},
+			"issuer": &framework.FieldSchema{
+				Type:        framework.TypeString,
+				Description: `Issuer or CA Service or Subordinate should apply to`,
+			},
+			"location": &framework.FieldSchema{
+				Type: framework.TypeString,
+				// AllowedValues is currently not enforced by the framework..
+				//AllowedValues: []interface{}{"europe-west1", "us-central1", "us-east1", "us-west1"},
+				Description: `Location of the CA Service or`,
+			},
+			"project": &framework.FieldSchema{
+				Type:        framework.TypeString,
+				Description: `GCP ProjectID for the CA Service`,
+			},
+		},
+
+		ExistenceCheck: b.pathConfigExists,
+
+		Callbacks: map[logical.Operation]framework.OperationFunc{
+			logical.CreateOperation: withFieldValidator(b.pathConfigWrite),
+			logical.ReadOperation:   withFieldValidator(b.pathConfigRead),
+			logical.UpdateOperation: withFieldValidator(b.pathConfigWrite),
+			logical.DeleteOperation: withFieldValidator(b.pathConfigDelete),
+		},
+	}
+}
+
+// pathConfigExists checks if the configuration exists.
+func (b *backend) pathConfigExists(ctx context.Context, req *logical.Request, _ *framework.FieldData) (bool, error) {
+	entry, err := req.Storage.Get(ctx, "config")
+	if err != nil {
+		return false, errwrap.Wrapf("failed to get configuration from storage: {{err}}", err)
+	}
+	if entry == nil || len(entry.Value) == 0 {
+		return false, nil
+	}
+	return true, nil
+}
+
+// pathConfigRead corresponds to READ gcppca/config and is used to
+// read the current configuration.
+func (b *backend) pathConfigRead(ctx context.Context, req *logical.Request, _ *framework.FieldData) (*logical.Response, error) {
+	c, err := b.Config(ctx, req.Storage)
+	if err != nil {
+		return nil, err
+	}
+
+	// dont' return credentials, they may show svc account JSON info!
+	return &logical.Response{
+		Data: map[string]interface{}{
+			"project":  c.Project,
+			"location": c.Location,
+			"issuer":   c.Issuer,
+			"scopes":   c.Scopes,
+		},
+	}, nil
+}
+
+// pathConfigWrite corresponds to both CREATE and UPDATE gcppca/config and is
+// used to create or update the current configuration.
+func (b *backend) pathConfigWrite(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
+	// Get the current configuration, if it exists
+	c, err := b.Config(ctx, req.Storage)
+	if err != nil {
+		return nil, err
+	}
+
+	// Update the configuration
+	changed, err := c.Update(d)
+	if err != nil {
+		return nil, logical.CodedError(400, err.Error())
+	}
+
+	// Only do the following if the config is different
+	if changed {
+		// Generate a new storage entry
+		entry, err := logical.StorageEntryJSON("config", c)
+		if err != nil {
+			return nil, errwrap.Wrapf("failed to generate JSON configuration: {{err}}", err)
+		}
+
+		// Save the storage entry
+		if err := req.Storage.Put(ctx, entry); err != nil {
+			return nil, errwrap.Wrapf("failed to persist configuration to storage: {{err}}", err)
+		}
+
+		// Invalidate existing client so it reads the new configuration
+		b.ResetClient()
+	}
+
+	return nil, nil
+}
+
+// pathConfigDelete corresponds to DELETE gcppca/config and is used to delete
+// all the configuration.
+func (b *backend) pathConfigDelete(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
+	if err := req.Storage.Delete(ctx, "config"); err != nil {
+		return nil, errwrap.Wrapf("failed to delete from storage: {{err}}", err)
+	}
+
+	// Invalidate existing client so it reads the new configuration
+	b.ResetClient()
+
+	return nil, nil
+}
diff --git a/path_config_test.go b/path_config_test.go
new file mode 100644
index 0000000..02160c3
--- /dev/null
+++ b/path_config_test.go
@@ -0,0 +1,238 @@
+// Copyright 2020 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     https://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package gcppca
+
+import (
+	"context"
+	"reflect"
+	"testing"
+
+	"github.com/hashicorp/vault/sdk/logical"
+)
+
+func TestBackend_PathConfigRead(t *testing.T) {
+	t.Parallel()
+
+	t.Run("field_validation", func(t *testing.T) {
+		t.Parallel()
+		testFieldValidation(t, logical.ReadOperation, "config")
+	})
+
+	t.Run("not_exist", func(t *testing.T) {
+		t.Parallel()
+
+		b, storage := testBackend(t)
+		ctx := context.Background()
+		resp, err := b.HandleRequest(ctx, &logical.Request{
+			Storage:   storage,
+			Operation: logical.ReadOperation,
+			Path:      "config",
+		})
+		if err != nil {
+			t.Fatal(err)
+		}
+
+		if _, ok := resp.Data["scopes"]; !ok {
+			t.Errorf("expected %q to include %q", resp.Data, "scopes")
+		}
+	})
+
+	t.Run("exist", func(t *testing.T) {
+		t.Parallel()
+
+		b, storage := testBackend(t)
+
+		entry, err := logical.StorageEntryJSON("config", &Config{
+			Scopes:      []string{"foo"},
+			Credentials: "creds",
+		})
+		if err != nil {
+			t.Fatal(err)
+		}
+		if err := storage.Put(context.Background(), entry); err != nil {
+			t.Fatal(err)
+		}
+
+		ctx := context.Background()
+		resp, err := b.HandleRequest(ctx, &logical.Request{
+			Storage:   storage,
+			Operation: logical.ReadOperation,
+			Path:      "config",
+		})
+		if err != nil {
+			t.Fatal(err)
+		}
+
+		if v, exp := resp.Data["scopes"].([]string), []string{"foo"}; !reflect.DeepEqual(v, exp) {
+			t.Errorf("expected %q to be %q", v, exp)
+		}
+
+		if _, ok := resp.Data["credentials"]; ok {
+			t.Errorf("should not return credentials")
+		}
+	})
+}
+
+func TestBackend_PathConfigUpdate(t *testing.T) {
+	t.Parallel()
+
+	t.Run("field_validation", func(t *testing.T) {
+		t.Parallel()
+		testFieldValidation(t, logical.UpdateOperation, "config")
+	})
+
+	t.Run("not_exist", func(t *testing.T) {
+		t.Parallel()
+
+		b, storage := testBackend(t)
+		if _, err := b.HandleRequest(context.Background(), &logical.Request{
+			Storage:   storage,
+			Operation: logical.UpdateOperation,
+			Path:      "config",
+			Data: map[string]interface{}{
+				"scopes":      "foo,bar",
+				"credentials": "creds",
+				"issuer":      "iss",
+				"project":     "project",
+				"location":    "us-central1",
+			},
+		}); err != nil {
+			t.Fatal(err)
+		}
+
+		config, err := b.Config(context.Background(), storage)
+		if err != nil {
+			t.Fatal(err)
+		}
+
+		if v, exp := config.Credentials, "creds"; v != exp {
+			t.Errorf("expected %q to be %q", v, exp)
+		}
+
+		if v, exp := config.Scopes, []string{"bar", "foo"}; !reflect.DeepEqual(v, exp) {
+			t.Errorf("expected %q to be %q", v, exp)
+		}
+	})
+
+	t.Run("exist", func(t *testing.T) {
+		t.Parallel()
+
+		b, storage := testBackend(t)
+
+		entry, err := logical.StorageEntryJSON("config", &Config{
+			Scopes:      []string{"foo"},
+			Credentials: "creds",
+			Issuer:      "iss",
+			Project:     "project",
+			Location:    "us-central1",
+		})
+		if err != nil {
+			t.Fatal(err)
+		}
+		if err := storage.Put(context.Background(), entry); err != nil {
+			t.Fatal(err)
+		}
+
+		if _, err := b.HandleRequest(context.Background(), &logical.Request{
+			Storage:   storage,
+			Operation: logical.UpdateOperation,
+			Path:      "config",
+			Data: map[string]interface{}{
+				"scopes":      "foo,bar",
+				"credentials": "new-creds",
+			},
+		}); err != nil {
+			t.Fatal(err)
+		}
+
+		config, err := b.Config(context.Background(), storage)
+		if err != nil {
+			t.Fatal(err)
+		}
+
+		if v, exp := config.Credentials, "new-creds"; v != exp {
+			t.Errorf("expected %q to be %q", v, exp)
+		}
+
+		if v, exp := config.Scopes, []string{"bar", "foo"}; !reflect.DeepEqual(v, exp) {
+			t.Errorf("expected %q to be %q", v, exp)
+		}
+	})
+}
+
+func TestBackend_PathConfigDelete(t *testing.T) {
+	t.Parallel()
+
+	t.Run("field_validation", func(t *testing.T) {
+		t.Parallel()
+		testFieldValidation(t, logical.DeleteOperation, "config")
+	})
+
+	t.Run("not_exist", func(t *testing.T) {
+		t.Parallel()
+
+		b, storage := testBackend(t)
+		if _, err := b.HandleRequest(context.Background(), &logical.Request{
+			Storage:   storage,
+			Operation: logical.DeleteOperation,
+			Path:      "config",
+		}); err != nil {
+			t.Fatal(err)
+		}
+
+		config, err := b.Config(context.Background(), storage)
+		if err != nil {
+			t.Fatal(err)
+		}
+
+		if def := DefaultConfig(); !reflect.DeepEqual(config, def) {
+			t.Errorf("expected %v to be %v", config, def)
+		}
+	})
+
+	t.Run("exist", func(t *testing.T) {
+		t.Parallel()
+
+		b, storage := testBackend(t)
+
+		entry, err := logical.StorageEntryJSON("config", &Config{
+			Scopes:      []string{"foo"},
+			Credentials: "creds",
+		})
+		if err != nil {
+			t.Fatal(err)
+		}
+		if err := storage.Put(context.Background(), entry); err != nil {
+			t.Fatal(err)
+		}
+
+		if _, err := b.HandleRequest(context.Background(), &logical.Request{
+			Storage:   storage,
+			Operation: logical.DeleteOperation,
+			Path:      "config",
+		}); err != nil {
+			t.Fatal(err)
+		}
+
+		config, err := b.Config(context.Background(), storage)
+		if err != nil {
+			t.Fatal(err)
+		}
+
+		if def := DefaultConfig(); !reflect.DeepEqual(config, def) {
+			t.Errorf("expected %v to be %v", config, def)
+		}
+	})
+}
diff --git a/path_csr.go b/path_csr.go
new file mode 100644
index 0000000..ec8d7b4
--- /dev/null
+++ b/path_csr.go
@@ -0,0 +1,206 @@
+// Copyright 2020 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     https://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package gcppca
+
+import (
+	"context"
+	"crypto/x509"
+	"encoding/pem"
+	"fmt"
+	"time"
+
+	"github.com/golang/protobuf/ptypes"
+	"github.com/hashicorp/vault/sdk/framework"
+	"github.com/hashicorp/vault/sdk/logical"
+	privatecapb "google.golang.org/genproto/googleapis/cloud/security/privateca/v1alpha1"
+)
+
+func (b *backend) pathCSR() *framework.Path {
+	return &framework.Path{
+		Pattern: "issue-with-csr/" + framework.GenericNameRegex("name"),
+
+		HelpSynopsis:    "Provide CSR to Vault",
+		HelpDescription: `Provide Vault with CSR; sign it using Private CA`,
+
+		Fields: map[string]*framework.FieldSchema{
+			"name": &framework.FieldSchema{
+				Type:        framework.TypeString,
+				Description: `Certificate Name value`,
+			},
+			"labels": &framework.FieldSchema{
+				Type:        framework.TypeMap,
+				Description: `Lables for the certificate`,
+			},
+			"pem_csr": &framework.FieldSchema{
+				Type:        framework.TypeString,
+				Description: `CSR PEM contents`,
+			},
+			"validity": &framework.FieldSchema{
+				Type: framework.TypeString,
+				Description: `The validity of this certificate, as an ISO8601 duration. Defaults to	30 days. (P30D)`,
+				Default: "P30D",
+			},
+		},
+
+		Callbacks: map[logical.Operation]framework.OperationFunc{
+			logical.CreateOperation: withFieldValidator(b.pathCSRWrite),
+			logical.UpdateOperation: withFieldValidator(b.pathCSRWrite),
+			logical.DeleteOperation: withFieldValidator(b.pathCSRDelete),
+		},
+	}
+}
+
+func (b *backend) pathCSRWrite(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
+	var name string
+	var csrPEM string
+	var labels map[string]string
+
+	name = d.Get("name").(string)
+	if v, ok := d.GetOk("labels"); ok {
+		labels = v.(map[string]string)
+	}
+
+	var validity time.Duration
+	if v, ok := d.GetOk("validity"); ok {
+		var err error
+		validity, err = parseDuration(v.(string))
+		if err != nil {
+			return logical.ErrorResponse(fmt.Sprintf("Unable to parse validity period %s %v", v.(string), err)), logical.ErrInvalidRequest
+		}
+	}
+
+	if v, ok := d.GetOk("pem_csr"); ok {
+		csrPEM = v.(string)
+	} else {
+		return logical.ErrorResponse("PEM contents cannot be empty"), logical.ErrInvalidRequest
+	}
+
+	// Check if this is a valid PEM formatted CSR
+	block, _ := pem.Decode([]byte(csrPEM))
+	csrParsed, err := x509.ParseCertificateRequest(block.Bytes)
+	if err != nil {
+		return logical.ErrorResponse(fmt.Sprintf("Unable to parse CSR %v", err)), logical.ErrInvalidRequest
+	} else {
+		b.Logger().Debug("Parsed CSR with Subject: %v", csrParsed.Subject)
+	}
+
+	// First read the configuration settings that define the specifications of the CA
+	cfg, err := b.Config(ctx, req.Storage)
+	if err != nil {
+		return logical.ErrorResponse(err.Error()), logical.ErrInvalidRequest
+	}
+
+	issuer := cfg.Issuer
+	projectID := cfg.Project
+	location := cfg.Location
+
+	pcaClient, closer, err := b.PCAClient(req.Storage)
+	if err != nil {
+		return nil, err
+	}
+	defer closer()
+
+	parent := fmt.Sprintf("projects/%s/locations/%s/certificateAuthorities/%s", projectID, location, issuer)
+
+	creq := &privatecapb.CreateCertificateRequest{
+		Parent:        parent,
+		CertificateId: name,
+		Certificate: &privatecapb.Certificate{
+			Labels:   labels,
+			Lifetime: ptypes.DurationProto(validity),
+			CertificateConfig: &privatecapb.Certificate_PemCsr{
+				PemCsr: string(csrPEM),
+			},
+		},
+	}
+
+	op, err := pcaClient.CreateCertificate(ctx, creq)
+	if err != nil {
+		return logical.ErrorResponse(err.Error()), logical.ErrInvalidRequest
+	}
+
+	cresp, err := op.Wait(ctx)
+	if err != nil {
+		return logical.ErrorResponse(fmt.Sprintf("Could not create CSR based Certificate: %s  certspec: %v", name, err)), logical.ErrInvalidRequest
+	}
+
+	return &logical.Response{
+		Data: map[string]interface{}{
+			"pubcert": cresp.GetPemCertificate(),
+		},
+	}, nil
+}
+
+func (b *backend) pathCSRDelete(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
+	var name string
+	name = d.Get("name").(string)
+	cfg, err := b.Config(ctx, req.Storage)
+	if err != nil {
+		return logical.ErrorResponse(err.Error()), logical.ErrInvalidRequest
+	}
+
+	issuer := cfg.Issuer
+	projectID := cfg.Project
+	location := cfg.Location
+
+	if issuer == "" || projectID == "" || location == "" {
+		return logical.ErrorResponse("Configuration settings not found: Issuer, ProjectID and Location must be set in <mount>/config"), logical.ErrInvalidRequest
+	}
+
+	pcaClient, closer, err := b.PCAClient(req.Storage)
+	if err != nil {
+		return logical.ErrorResponse(err.Error()), logical.ErrInvalidRequest
+	}
+	defer closer()
+
+	b.Logger().Debug("Attempting to see if this cert exists %v", issuer, name)
+
+	parent := fmt.Sprintf("projects/%s/locations/%s/certificateAuthorities/%s/certificates/%s", projectID, location, issuer, name)
+	getReq := &privatecapb.GetCertificateRequest{
+		Name: parent,
+	}
+	gcert, err := pcaClient.GetCertificate(ctx, getReq)
+	if err != nil {
+		b.Logger().Debug("CertificateName doesn't exist..this maybe an anonymous cert exiting [", issuer, "]  certspec: ", name)
+		// not sure what to return here, err or nil
+		//return logical.ErrorResponse(err.Error()), logical.ErrInvalidRequest
+		return &logical.Response{}, nil
+	}
+
+	if gcert.RevocationDetails != nil {
+		b.Logger().Debug("Certificate already Revoked [", name+"]  certspec: ", gcert.RevocationDetails.RevocationState.String)
+		// not sure what to return here, err or nil
+		//return logical.ErrorResponse(err.Error()), logical.ErrInvalidRequest
+		return &logical.Response{}, nil
+	}
+
+	b.Logger().Debug("Revoking Certificate %s", parent)
+	crev := &privatecapb.RevokeCertificateRequest{
+		Name:   parent,
+		Reason: privatecapb.RevocationReason_CESSATION_OF_OPERATION,
+	}
+	op, err := pcaClient.RevokeCertificate(ctx, crev)
+	if err != nil {
+		return logical.ErrorResponse("Error revoking certificate"), logical.ErrInvalidRequest
+	}
+
+	crevresp, err := op.Wait(ctx)
+	if err != nil {
+		return logical.ErrorResponse("Error revoking certificate"), logical.ErrInvalidRequest
+	}
+	b.Logger().Debug("Certificate Revoked %s", crevresp.Name)
+
+	return &logical.Response{}, nil
+}
diff --git a/path_generatekey.go b/path_generatekey.go
new file mode 100644
index 0000000..5c9e8e4
--- /dev/null
+++ b/path_generatekey.go
@@ -0,0 +1,540 @@
+// Copyright 2020 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     https://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package gcppca
+
+import (
+	"context"
+	"crypto/ecdsa"
+	"crypto/elliptic"
+	"crypto/rand"
+	"crypto/rsa"
+	"crypto/x509"
+	"encoding/pem"
+	"fmt"
+	"strings"
+	"time"
+
+	privateca "cloud.google.com/go/security/privateca/apialpha1"
+	"github.com/golang/protobuf/ptypes"
+	"github.com/golang/protobuf/ptypes/wrappers"
+	"github.com/hashicorp/vault/sdk/framework"
+	"github.com/hashicorp/vault/sdk/logical"
+	"google.golang.org/api/iterator"
+	privatecapb "google.golang.org/genproto/googleapis/cloud/security/privateca/v1alpha1"
+)
+
+const (
+
+	// key_usage
+	digital_signature  = "digital_signature"
+	content_commitment = "content_commitment"
+	key_encipherment   = "key_encipherment"
+	data_encipherment  = "data_encipherment"
+	key_agreement      = "key_agreement"
+	cert_sign          = "cert_sign"
+	crl_sign           = "crl_sign"
+	encipher_only      = "encipher_only"
+	decipher_only      = "decipher_only"
+
+	// key_types
+	key_type_rsa   = "rsa"
+	key_type_ecdsa = "ecdsa"
+
+	// extended_key_usage
+	server_auth      = "server_auth"
+	client_auth      = "client_auth"
+	code_signing     = "code_signing"
+	email_protection = "email_protection"
+	time_stamping    = "time_stamping"
+	ocsp_signing     = "ocsp_signing"
+)
+
+var (
+	valid_key_types  = []string{key_type_rsa, key_type_ecdsa}
+	valid_key_usages = []string{digital_signature, content_commitment, key_encipherment, data_encipherment,
+		key_agreement, cert_sign, crl_sign, encipher_only, decipher_only}
+	valid_extended_key_usages = []string{server_auth, client_auth, code_signing, email_protection,
+		time_stamping, ocsp_signing}
+	valid_reusable_config = []string{} // derived from api
+)
+
+func (b *backend) pathGenerateKey() *framework.Path {
+	return &framework.Path{
+		Pattern: "issue-with-genkey/" + framework.GenericNameRegex("name"),
+
+		HelpSynopsis:    "Generate CSR on Vault",
+		HelpDescription: `Generate CSR on Vault; sign it using Private CA`,
+
+		Fields: map[string]*framework.FieldSchema{
+			"name": &framework.FieldSchema{
+				Type:        framework.TypeString,
+				Description: `Certificate Name`,
+			},
+			"labels": &framework.FieldSchema{
+				Type:        framework.TypeMap,
+				Description: `Lables for the certificate`,
+			},
+			"key_type": &framework.FieldSchema{
+				Type:        framework.TypeString,
+				Description: `Generate RSA or ECDSA key`,
+				Default:     "rsa",
+			},
+			"dns_san": &framework.FieldSchema{
+				Type:        framework.TypeCommaStringSlice,
+				Description: `DNS SAN values`,
+			},
+			"email_san": &framework.FieldSchema{
+				Type:        framework.TypeCommaStringSlice,
+				Description: `Email SAN values`,
+			},
+			"ip_san": &framework.FieldSchema{
+				Type:        framework.TypeCommaStringSlice,
+				Description: `IP SAN values`,
+			},
+			"uri_san": &framework.FieldSchema{
+				Type:        framework.TypeCommaStringSlice,
+				Description: `URI SAN values`,
+			},
+			"subject": &framework.FieldSchema{
+				Type:        framework.TypeCommaStringSlice,
+				Description: `Subject (C=US,ST=California,L=Mountain View,O=Google LLC,CN=google.com)`,
+			},
+			"key_usages": &framework.FieldSchema{
+				Type: framework.TypeCommaStringSlice,
+				Description: `One of:  digital_signature, content_commitment, key_encipherment,
+				data_encipherment, key_agreement, cert_sign, crl_sign,
+				encipher_only, decipher_only.`,
+			},
+			"extended_key_usages": &framework.FieldSchema{
+				Type: framework.TypeCommaStringSlice,
+				Description: `One of:  server_auth, client_auth,
+				code_signing, email_protection, time_stamping, ocsp_signing`,
+			},
+			"reusable_config": &framework.FieldSchema{
+				Type:        framework.TypeString,
+				Description: `Reusable Config Name`,
+			},
+			"max_chain_length": &framework.FieldSchema{
+				Type: framework.TypeInt,
+				Description: `Maximum depth of subordinate CAs allowed under this CA for a CA
+				certificate.`,
+			},
+			"is_ca_cert": &framework.FieldSchema{
+				Type:        framework.TypeBool,
+				Description: `is-ca-cert`,
+			},
+			"validity": &framework.FieldSchema{
+				Type: framework.TypeString,
+				Description: `The validity of this certificate, as an ISO8601 duration. Defaults to	30 days. (P30D)`,
+				Default: "P30D",
+			},
+		},
+
+		Callbacks: map[logical.Operation]framework.OperationFunc{
+			logical.CreateOperation: withFieldValidator(b.pathGenerateKeyWrite),
+			logical.UpdateOperation: withFieldValidator(b.pathGenerateKeyWrite),
+			logical.DeleteOperation: withFieldValidator(b.pathGenerateKeyDelete),
+		},
+	}
+}
+
+func (b *backend) pathGenerateKeyWrite(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
+	var name string
+
+	var dnsSAN []string
+	var key_type string
+	var emailSAN []string
+	var ipSAN []string
+	var uriSAN []string
+	var key_usages []string
+	var extended_key_usages []string
+	var reusable_config string
+	var validity time.Duration
+	var labels map[string]string
+	var is_ca_cert bool
+
+	name = d.Get("name").(string)
+
+	b.Logger().Debug(fmt.Sprintf("Start generatecert for %s", name))
+
+	// First read the configuration settings that define the specifications of the CA
+	cfg, err := b.Config(ctx, req.Storage)
+	if err != nil {
+		return logical.ErrorResponse(err.Error()), logical.ErrInvalidRequest
+	}
+
+	issuer := cfg.Issuer
+	projectID := cfg.Project
+	location := cfg.Location
+
+	if issuer == "" || projectID == "" || location == "" {
+		return logical.ErrorResponse("Configuration settings not found: Issuer, ProjectID and Location must be set in <mount>/config"), logical.ErrInvalidRequest
+	}
+
+	pcaClient, closer, err := b.PCAClient(req.Storage)
+	if err != nil {
+		return nil, err
+	}
+	defer closer()
+
+	if v, ok := d.GetOk("dns_san"); ok {
+		dnsSAN = v.([]string)
+	}
+
+	if v, ok := d.GetOk("key_type"); ok {
+		if !contains(valid_key_types, v.(string)) {
+			return logical.ErrorResponse("key_type must be either rsa or ecdsa"), logical.ErrInvalidRequest
+		}
+
+	}
+	key_type = d.Get("key_type").(string)
+
+	if v, ok := d.GetOk("labels"); ok {
+		labels = v.(map[string]string)
+	}
+
+	if v, ok := d.GetOk("email_san"); ok {
+		emailSAN = v.([]string)
+	}
+
+	if v, ok := d.GetOk("ip_san"); ok {
+		ipSAN = v.([]string)
+	}
+
+	if v, ok := d.GetOk("uri_san"); ok {
+		uriSAN = v.([]string)
+	}
+
+	subjectValues := make(map[string]string)
+	if v, ok := d.GetOk("subject"); ok {
+		subjstr := v.([]string)
+		for _, match := range subjstr {
+			val := strings.Split(match, "=")
+			if len(val) != 2 {
+				return logical.ErrorResponse("Invalid Subject field in Request"), logical.ErrInvalidRequest
+			}
+			switch strings.ToUpper(val[0]) {
+			case "C":
+				subjectValues["country"] = strings.TrimSpace(val[1])
+			case "O":
+				subjectValues["organization"] = strings.TrimSpace(val[1])
+			case "OU":
+				subjectValues["organizationunit"] = strings.TrimSpace(val[1])
+			case "L":
+				subjectValues["locality"] = strings.TrimSpace(val[1])
+			case "ST":
+				subjectValues["province"] = strings.TrimSpace(val[1])
+			case "CN":
+				subjectValues["cn"] = strings.TrimSpace(val[1])
+			}
+		}
+	}
+
+	valid_reusable_config, err := b.getReusableConfigs(ctx, pcaClient, location)
+	if err != nil {
+		return logical.ErrorResponse("Could not recall reusable configs from CA Service "), logical.ErrInvalidRequest
+	}
+
+	if v, ok := d.GetOk("reusable_config"); ok {
+		if !contains(valid_reusable_config, v.(string)) {
+			return logical.ErrorResponse("Invalid reusable configs, must one of ", valid_reusable_config), logical.ErrInvalidRequest
+		}
+		reusable_config = v.(string)
+	}
+
+	if v, ok := d.GetOk("key_usages"); ok {
+		for _, usage := range v.([]string) {
+			if !contains(valid_key_usages, usage) {
+				return logical.ErrorResponse("Invalid key_usages, must one of ", valid_key_usages), logical.ErrInvalidRequest
+			}
+		}
+		key_usages = v.([]string)
+	}
+
+	if v, ok := d.GetOk("extended_key_usages"); ok {
+		for _, usage := range v.([]string) {
+			if !contains(valid_key_usages, usage) {
+				return logical.ErrorResponse("Invalid extended_key_usages, must one of ", valid_extended_key_usages), logical.ErrInvalidRequest
+			}
+		}
+		extended_key_usages = v.([]string)
+	}
+
+	if len(reusable_config) > 0 && (len(key_usages) > 0 || len(extended_key_usages) > 0) {
+		b.Logger().Error("Either reusable config or (key_usages|extended_key_usage) must be specified")
+		return logical.ErrorResponse("Either reusable config or (key_usages|extended_key_usage) must be specified"), logical.ErrInvalidRequest
+	}
+
+	if v, ok := d.GetOk("is_ca_cert"); ok {
+		is_ca_cert = v.(bool)
+	}
+
+	if v, ok := d.GetOk("validity"); ok {
+		var err error
+		validity, err = parseDuration(v.(string))
+		if err != nil {
+			return logical.ErrorResponse(fmt.Sprintf("Unable to parse validity period %s %v", v.(string), err)), logical.ErrInvalidRequest
+		}
+	}
+
+	var pubkey *privatecapb.PublicKey
+	var publicKeyDer []byte
+	var privPEM []byte
+
+	if key_type == "rsa" {
+		priv, err := rsa.GenerateKey(rand.Reader, 2048)
+		if err != nil {
+			return logical.ErrorResponse(err.Error()), logical.ErrInvalidRequest
+		}
+
+		privPEM = pem.EncodeToMemory(
+			&pem.Block{
+				Type:  "RSA PRIVATE KEY",
+				Bytes: x509.MarshalPKCS1PrivateKey(priv),
+			},
+		)
+		publicKeyDer, err = x509.MarshalPKIXPublicKey(&priv.PublicKey)
+		if err != nil {
+			b.Logger().Error("Unable to marshall RSA publicKey %v", err)
+			return logical.ErrorResponse(fmt.Sprintf("Unable to get marshall RSA publicKey %v", err)), logical.ErrInvalidRequest
+		}
+
+		pubkey = &privatecapb.PublicKey{
+			Type: privatecapb.PublicKey_PEM_RSA_KEY,
+			Key:  publicKeyDer,
+		}
+	} else {
+
+		pubkeyCurve := elliptic.P256()
+		privecdsa, err := ecdsa.GenerateKey(pubkeyCurve, rand.Reader)
+
+		x509Encoded, err := x509.MarshalECPrivateKey(privecdsa)
+		if err != nil {
+			b.Logger().Error("Unable to marshall EC Privatekey %v", err)
+			return logical.ErrorResponse(fmt.Sprintf("Unable to marshall EC Privatekey %v", err)), logical.ErrInvalidRequest
+		}
+		privPEM = pem.EncodeToMemory(
+			&pem.Block{
+				Type:  "EC PRIVATE KEY",
+				Bytes: x509Encoded,
+			})
+		if err != nil {
+			return logical.ErrorResponse(err.Error()), logical.ErrInvalidRequest
+		}
+
+		publicKeyDer, err = x509.MarshalPKIXPublicKey(&privecdsa.PublicKey)
+		if err != nil {
+			b.Logger().Error("Unable to get publicKey %v", err)
+			return logical.ErrorResponse(fmt.Sprintf("Unable to get publicKey %v", err)), logical.ErrInvalidRequest
+		}
+		pubkey = &privatecapb.PublicKey{
+			Type: privatecapb.PublicKey_PEM_EC_KEY,
+			Key:  publicKeyDer,
+		}
+
+	}
+
+	pubPem := pem.EncodeToMemory(
+		&pem.Block{
+			Type:  "PUBLIC KEY",
+			Bytes: publicKeyDer,
+		},
+	)
+	pubkey.Key = pubPem
+
+	var rcfgw privatecapb.ReusableConfigWrapper
+
+	if len(reusable_config) > 0 {
+		reusableConfigProject := "privateca-data"
+		reusableConfigName := fmt.Sprintf("projects/%s/locations/%s/reusableConfigs/%s", reusableConfigProject, location, reusable_config)
+		rcfgw.ConfigValues = &privatecapb.ReusableConfigWrapper_ReusableConfig{
+			ReusableConfig: reusableConfigName,
+		}
+	} else {
+		caOptions := &privatecapb.ReusableConfigValues_CaOptions{}
+		if is_ca_cert {
+			caOptions.IsCa = &wrappers.BoolValue{
+				Value: is_ca_cert,
+			}
+			// TODO: the path length attribute isn't shown in the cert thats issued...
+			if v, ok := d.GetOk("max_chain_length"); ok {
+				caOptions.MaxIssuerPathLength = &wrappers.Int32Value{
+					Value: int32(v.(int)),
+				}
+			}
+		}
+		// meh, ther's much more elegant way than iterating like this
+		// dont be lazy, sal
+		rcfgw.ConfigValues = &privatecapb.ReusableConfigWrapper_ReusableConfigValues{
+			ReusableConfigValues: &privatecapb.ReusableConfigValues{
+				CaOptions: caOptions,
+				KeyUsage: &privatecapb.KeyUsage{
+					BaseKeyUsage: &privatecapb.KeyUsage_KeyUsageOptions{
+						DigitalSignature:  contains(key_usages, digital_signature),
+						ContentCommitment: contains(key_usages, content_commitment),
+						KeyEncipherment:   contains(key_usages, key_encipherment),
+						DataEncipherment:  contains(key_usages, data_encipherment),
+						KeyAgreement:      contains(key_usages, key_agreement),
+						CertSign:          contains(key_usages, cert_sign),
+						CrlSign:           contains(key_usages, cert_sign),
+						EncipherOnly:      contains(key_usages, encipher_only),
+						DecipherOnly:      contains(key_usages, decipher_only),
+					},
+					ExtendedKeyUsage: &privatecapb.KeyUsage_ExtendedKeyUsageOptions{
+						ServerAuth:      contains(extended_key_usages, server_auth),
+						ClientAuth:      contains(extended_key_usages, client_auth),
+						CodeSigning:     contains(extended_key_usages, code_signing),
+						EmailProtection: contains(extended_key_usages, email_protection),
+						TimeStamping:    contains(extended_key_usages, time_stamping),
+						OcspSigning:     contains(extended_key_usages, ocsp_signing),
+					},
+				},
+			},
+		}
+	}
+
+	parent := fmt.Sprintf("projects/%s/locations/%s/certificateAuthorities/%s", projectID, location, issuer)
+	creq := &privatecapb.CreateCertificateRequest{
+		Parent:        parent,
+		CertificateId: name,
+		Certificate: &privatecapb.Certificate{
+			Lifetime: ptypes.DurationProto(validity),
+			Labels:   labels,
+			CertificateConfig: &privatecapb.Certificate_Config{
+				Config: &privatecapb.CertificateConfig{
+					PublicKey: pubkey,
+					SubjectConfig: &privatecapb.CertificateConfig_SubjectConfig{
+						Subject: &privatecapb.Subject{
+							Organization:       subjectValues["organization"],
+							OrganizationalUnit: subjectValues["organizationunit"],
+							Locality:           subjectValues["locality"],
+							Province:           subjectValues["province"],
+							CountryCode:        subjectValues["country"],
+						},
+						CommonName: subjectValues["cn"],
+						SubjectAltName: &privatecapb.SubjectAltNames{
+							DnsNames:       dnsSAN,
+							Uris:           uriSAN,
+							EmailAddresses: emailSAN,
+							IpAddresses:    ipSAN,
+						},
+					},
+					ReusableConfig: &rcfgw,
+				},
+			},
+		},
+	}
+
+	op, err := pcaClient.CreateCertificate(ctx, creq)
+	if err != nil {
+		return logical.ErrorResponse(err.Error()), logical.ErrInvalidRequest
+	}
+
+	cresp, err := op.Wait(ctx)
+	if err != nil {
+		return logical.ErrorResponse(fmt.Sprintf("Could not create Certificate: [%s] certspec %v", name, err)), logical.ErrInvalidRequest
+	}
+
+	return &logical.Response{
+		Data: map[string]interface{}{
+			"pubcert": cresp.GetPemCertificate(),
+			"privkey": string(privPEM),
+		},
+	}, nil
+}
+
+func (b *backend) pathGenerateKeyDelete(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
+	var name string
+
+	name = d.Get("name").(string)
+	ccfg, err := b.Config(ctx, req.Storage)
+	if err != nil {
+		return logical.ErrorResponse(err.Error()), logical.ErrInvalidRequest
+	}
+
+	issuer := ccfg.Issuer
+	projectID := ccfg.Project
+	location := ccfg.Location
+
+	pcaClient, closer, err := b.PCAClient(req.Storage)
+	if err != nil {
+		return nil, err
+	}
+	defer closer()
+
+	b.Logger().Debug("Attempting to see if cert exists issuer:", issuer, "name:", name)
+
+	parent := fmt.Sprintf("projects/%s/locations/%s/certificateAuthorities/%s/certificates/%s", projectID, location, issuer, name)
+	getReq := &privatecapb.GetCertificateRequest{
+		Name: parent,
+	}
+	gcert, err := pcaClient.GetCertificate(ctx, getReq)
+	if err != nil {
+		b.Logger().Debug("CertificateName doesn't exist..this maybe an anonymous cert, exiting  certspec:", issuer, "name[", name, "]")
+		// not sure what to return here, err or nil
+		//return logical.ErrorResponse(err.Error()), logical.ErrInvalidRequest
+		return &logical.Response{}, nil
+	}
+
+	if gcert.RevocationDetails != nil {
+		b.Logger().Debug("Certificate already Revoked [", name, "] certspec: [", gcert.RevocationDetails.RevocationState.String, "]")
+		// not sure what to return here, err or nil
+		//return logical.ErrorResponse(err.Error()), logical.ErrInvalidRequest
+		return &logical.Response{}, nil
+	}
+
+	b.Logger().Debug("Revoking Certificate", parent)
+	crev := &privatecapb.RevokeCertificateRequest{
+		Name:   parent,
+		Reason: privatecapb.RevocationReason_CESSATION_OF_OPERATION,
+	}
+	op, err := pcaClient.RevokeCertificate(ctx, crev)
+	if err != nil {
+		return logical.ErrorResponse("Error revoking certificate +v", err), logical.ErrInvalidRequest
+	}
+
+	crevresp, err := op.Wait(ctx)
+	if err != nil {
+		return logical.ErrorResponse(fmt.Sprintf("Error Revoking Certificate %v", err)), logical.ErrInvalidRequest
+	}
+	b.Logger().Debug("Certificate Revoked %s", crevresp.Name)
+
+	return &logical.Response{}, nil
+}
+
+func (b *backend) getReusableConfigs(ctx context.Context, pcaClient *privateca.CertificateAuthorityClient, location string) (values []string, err error) {
+
+	var valid_reusable_config []string
+	parent := fmt.Sprintf("projects/%s/locations/%s/reusableConfigs", "privateca-data", location)
+
+	rcreq := &privatecapb.ListReusableConfigsRequest{
+		Parent: parent,
+	}
+	it := pcaClient.ListReusableConfigs(ctx, rcreq)
+	for {
+		cfg, err := it.Next()
+		if err == iterator.Done {
+			break
+		}
+		if err != nil {
+			return []string{}, err
+		}
+		n := cfg.Name
+		ss := strings.Split(n, "/")
+		s := ss[len(ss)-1]
+		valid_reusable_config = append(valid_reusable_config, s)
+	}
+	return valid_reusable_config, nil
+}
diff --git a/scripts/dev.sh b/scripts/dev.sh
new file mode 100755
index 0000000..c1509c0
--- /dev/null
+++ b/scripts/dev.sh
@@ -0,0 +1,45 @@
+#!/usr/bin/env bash
+# Copyright 2020 Google LLC
+# 
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+# 
+#     https://www.apache.org/licenses/LICENSE-2.0
+# 
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -e
+
+export GRPC_GO_LOG_VERBOSITY_LEVEL=2
+export GRPC_GO_LOG_SEVERITY_LEVEL=info
+
+pkill vault || true
+
+make dev
+mkdir -p bin/
+cp "$GOPATH/bin/vault-plugin-secrets-gcppca" bin/
+
+vault server \
+  -log-level=warn \
+  -dev \
+  -dev-plugin-dir="$(pwd)/bin" &
+VAULT_PID=$!
+sleep 2
+
+
+
+export SHASUM=$(shasum -a 256 "bin/vault-plugin-secrets-gcppca" | cut -d " " -f1)
+
+vault plugin register \
+    -sha256="${SHASUM}" \
+    -command="vault-plugin-secrets-gcppca" \
+    secret vault-plugin-secrets-gcppca
+
+vault secrets enable -path="gcppca" \
+   --description='Vault CA Service Plugin' \
+   --plugin-name='vault-plugin-secrets-gcppca' plugin
\ No newline at end of file
diff --git a/version/cmd/main.go b/version/cmd/main.go
new file mode 100644
index 0000000..22e6735
--- /dev/null
+++ b/version/cmd/main.go
@@ -0,0 +1,39 @@
+// Copyright 2020 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     https://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package main
+
+import (
+	"fmt"
+	"log"
+	"os"
+
+	"github.com/salrashid123/vault-plugin-secrets-gcppca/version"
+)
+
+func main() {
+	args := os.Args[1:]
+	if len(args) < 1 {
+		log.Fatal("missing argument")
+	}
+
+	switch args[0] {
+	case "name":
+		fmt.Printf("%s", version.Name)
+	case "version":
+		fmt.Printf("%s", version.Version)
+	default:
+		log.Fatalf("unknown arg %q", args[0])
+	}
+}
diff --git a/version/version.go b/version/version.go
new file mode 100644
index 0000000..23e2e73
--- /dev/null
+++ b/version/version.go
@@ -0,0 +1,34 @@
+// Copyright 2020 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     https://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package version
+
+import "fmt"
+
+const (
+	// Name is the name of the plugin.
+	Name = "vault-plugin-secrets-gcppca"
+
+	// Version is the version of the release.
+	Version = "0.0.1"
+)
+
+var (
+	// GitCommit is the specific git commit of the plugin. This is completed by
+	// the compiler.
+	GitCommit string
+
+	// HumanVersion is the human-formatted version of the plugin.
+	HumanVersion = fmt.Sprintf("%s v%s (%s)", Name, Version, GitCommit)
+)