diff --git a/google/cloud/security/privateca_v1/types/resources.py b/google/cloud/security/privateca_v1/types/resources.py
index 517eba0..0ce060d 100644
--- a/google/cloud/security/privateca_v1/types/resources.py
+++ b/google/cloud/security/privateca_v1/types/resources.py
@@ -103,9 +103,9 @@ class CertificateAuthority(proto.Message):
             Required. Immutable. The config used to
             create a self-signed X.509 certificate or CSR.
         lifetime (google.protobuf.duration_pb2.Duration):
-            Required. The desired lifetime of the CA certificate. Used
-            to create the "not_before_time" and "not_after_time" fields
-            inside an X.509 certificate.
+            Required. Immutable. The desired lifetime of the CA
+            certificate. Used to create the "not_before_time" and
+            "not_after_time" fields inside an X.509 certificate.
         key_spec (google.cloud.security.privateca_v1.types.CertificateAuthority.KeyVersionSpec):
             Required. Immutable. Used when issuing certificates for this
             [CertificateAuthority][google.cloud.security.privateca.v1.CertificateAuthority].
@@ -212,7 +212,7 @@ class SignHashAlgorithm(proto.Enum):
         [CryptoKeyVersionAlgorithm][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm]
         values. For RSA signing algorithms, the PSS algorithms should be
         preferred, use PKCS1 algorithms if required for compatibility. For
-        further recommandations, see
+        further recommendations, see
         https://cloud.google.com/kms/docs/algorithms#algorithm_recommendations.
         """
         SIGN_HASH_ALGORITHM_UNSPECIFIED = 0
@@ -502,14 +502,14 @@ class RsaKeyType(proto.Message):
                 Attributes:
                     min_modulus_size (int):
                         Optional. The minimum allowed RSA modulus
-                        size, in bits. If this is not set, or if set to
-                        zero, the service-level min RSA modulus size
-                        will continue to apply.
+                        size (inclusive), in bits. If this is not set,
+                        or if set to zero, the service-level min RSA
+                        modulus size will continue to apply.
                     max_modulus_size (int):
                         Optional. The maximum allowed RSA modulus
-                        size, in bits. If this is not set, or if set to
-                        zero, the service will not enforce an explicit
-                        upper bound on RSA modulus sizes.
+                        size (inclusive), in bits. If this is not set,
+                        or if set to zero, the service will not enforce
+                        an explicit upper bound on RSA modulus sizes.
                 """
 
                 min_modulus_size = proto.Field(proto.INT64, number=1,)
@@ -987,7 +987,7 @@ class SubordinateConfig(proto.Message):
         certificate_authority (str):
             Required. This can refer to a
             [CertificateAuthority][google.cloud.security.privateca.v1.CertificateAuthority]
-            in the same project that was used to create a subordinate
+            that was used to create a subordinate
             [CertificateAuthority][google.cloud.security.privateca.v1.CertificateAuthority].
             This field is used for information and usability purposes
             only. The resource name is in the format
@@ -1410,8 +1410,9 @@ class SubjectAltNames(proto.Message):
             Contains only valid 32-bit IPv4 addresses or
             RFC 4291 IPv6 addresses.
         custom_sans (Sequence[google.cloud.security.privateca_v1.types.X509Extension]):
-            Contains additional subject alternative name
-            values.
+            Contains additional subject alternative name values. For
+            each custom_san, the ``value`` field must contain an ASN.1
+            encoded UTF8String.
     """
 
     dns_names = proto.RepeatedField(proto.STRING, number=1,)
diff --git a/google/cloud/security/privateca_v1/types/service.py b/google/cloud/security/privateca_v1/types/service.py
index eb964c9..b325945 100644
--- a/google/cloud/security/privateca_v1/types/service.py
+++ b/google/cloud/security/privateca_v1/types/service.py
@@ -95,11 +95,11 @@ class CreateCertificateRequest(proto.Message):
             minutes since the first request.
 
             For example, consider a situation where you make
-            an initial request and t he request times out.
-            If you make the request again with the same
-            request ID, the server can check if original
-            operation with the same request ID was received,
-            and if so, will ignore the second request. This
+            an initial request and the request times out. If
+            you make the request again with the same request
+            ID, the server can check if original operation
+            with the same request ID was received, and if
+            so, will ignore the second request. This
             prevents clients from accidentally creating
             duplicate commitments.
             The request ID must be a valid UUID with the
diff --git a/security-privateca-v1-py.tar.gz b/security-privateca-v1-py.tar.gz
new file mode 100644
index 0000000..e69de29