- Certificate Authority Service
This page describes how to create a root certificate authority (CA) in a CA pool.
A root CA is at the top of a public key infrastructure (PKI) hierarchy and is responsible for forming the trust anchor of the PKI. To properly participate in and use certificates in a PKI, a device, software, or component needs to trust the PKI. This is accomplished by configuring the device, software, or component to trust the root CA. As a result, all the certificates issued by the root CA, directly or through subordinate CAs, are trusted.
Before you begin
- Make sure you have the CA Service Operation Manager (roles/privateca.caManager) or the CA Service Admin (roles/privateca.admin) IAM role. For information, see Configure IAM policies.
- Create a CA pool.
- Determine your CA settings.
Create a root CA
A root CA has a self-signed certificate that you must distribute to the trust stores of your clients. The root CA's certificate is at the top of the certificate chain. Because it is self-signed, no other CA can revoke it: the CRL of the root CA applies only to the certificates the root CA has issued, never to the root certificate itself. Removing trust in a compromised root therefore means removing it from every client trust store.
Console
To create a root CA, do the following.
Go to the Certificate Authority Service page in the Google Cloud console.
Click the CA manager tab.
Click Create CA.
Select CA type
To configure the permanent settings of the CA, such as tier, location, lifetime, and the operational state at creation, do the following:
- Select Root CA.
- In the Valid for field, enter the duration for which the CA certificate itself is valid. This is a permanent setting; to extend the life of a root later you create a new CA from it (see Clone certificate authorities).
- Optional: select a tier for the CA.
- Click Region and in the list, select the location where you want to create the CA. We recommend creating the CA geographically near your application's clients. For more information, see Choosing the best location.
- Optional: Select the operational state the CA is created in.
- Optional: Click Certificate profile. In the list, select the certificate profile that matches the type of certificates you want the CA to issue.
- Click Next.
- In the Organization (O) field, enter the name of your company.
- Optional: In the Organization unit (OU) field, enter the company subdivision or business unit.
- Optional: In the Country name field, enter a two letter country code.
- Optional: In the State or province name field, enter the name of your state.
- Optional: In the Locality name field, enter the name of your city.
- In the CA common name (CN) field, enter the CA name.
- In the Pool ID field, enter the CA pool name. You cannot change the CA pool after creating the CA.
- Click Next.
- Choose the key algorithm that best meets your needs. For information about deciding the suitable key algorithm, see Choose a key algorithm.
- Click Next.
The following steps are optional. If you skip these steps, the default settings apply.
- Choose whether you want to use a Google-managed or a self-managed Cloud Storage bucket.
- Choose whether you want to disable the publication of certificate revocation lists (CRLs) and CA certificates to the Cloud Storage bucket.
- Click Next.
If you don't select a self-managed Cloud Storage bucket, CA Service creates a Google-managed bucket in the same location as the CA.
The publication of CRL and CA certificate on a Cloud Storage bucket is enabled by default. To disable these settings, click the toggles.
The following steps are optional.
If you want to add labels to the CA, do the following:
- Click Add item.
- In the Key 1 field, enter the label key.
- In the Value 1 field, enter the label value.
- If you want to add another label, click Add item. Then, add the label key and value as mentioned in steps 2 and 3.
- Click Next.
Carefully review all the settings, then click Create to create the CA.
gcloud
If you don't already have a CA pool, create one:
gcloud privateca pools create POOL_ID
Replace POOL_ID with the name of the CA pool. For more information, see Create a CA pool and the gcloud privateca pools create reference.
Create a new root CA in the CA pool you created:
gcloud privateca roots create ROOT_CA_ID --pool=POOL_ID \
  --key-algorithm=KEY_ALGORITHM \
  --subject="CN=my-ca, O=Test LLC"
Replace the following:
- ROOT_CA_ID: The name of the CA.
- POOL_ID: The name of the CA pool.
- KEY_ALGORITHM: The algorithm to use for creating a Cloud KMS key. This flag is optional. If you don't include this flag, the key algorithm defaults to rsa-pkcs1-4096-sha256. For more information, see the --key-algorithm flag.
By default, the CA is created in the STAGED state, in which it does not serve issuance requests for the pool. To enable the CA as part of creation, include the --auto-enable flag.
If you want to use a customer-managed Cloud Storage bucket for publishing CA certificates and CRLs, add --bucket=BUCKET_NAME to the command, replacing BUCKET_NAME with the name of the Cloud Storage bucket.
To see the exhaustive list of settings, run the following command:
gcloud privateca roots create --help
Terraform
To create a root CA using a Google-owned and Google-managed key, use the following sample configuration. The sample's one-day lifetime and broad key-usage set are test values; for a production root, use a multi-year lifetime and keep the base key usage to cert_sign and crl_sign, as the self-managed-key sample that follows and the REST example later on this page do.
resource "google_privateca_certificate_authority" "default" {
  // This example assumes this pool already exists.
  // Pools cannot be deleted in normal test circumstances, so we depend on static pools
  pool                     = "my-pool"
  certificate_authority_id = "my-certificate-authority-hashicorp"
  location                 = "us-central1"
  deletion_protection      = false # set to true to prevent destruction of the resource
  config {
    subject_config {
      subject {
        organization = "HashiCorp"
        common_name  = "my-certificate-authority"
      }
      subject_alt_name {
        dns_names = ["hashicorp.com"]
      }
    }
    x509_config {
      ca_options {
        is_ca                  = true
        max_issuer_path_length = 10
      }
      key_usage {
        base_key_usage {
          digital_signature  = true
          content_commitment = true
          key_encipherment   = false
          data_encipherment  = true
          key_agreement      = true
          cert_sign          = true
          crl_sign           = true
          decipher_only      = true
        }
        extended_key_usage {
          server_auth      = true
          client_auth      = false
          email_protection = true
          code_signing     = true
          time_stamping    = true
        }
      }
    }
  }
  lifetime = "86400s"
  key_spec {
    algorithm = "RSA_PKCS1_4096_SHA256"
  }
}
To create a root CA using a self-managed key, use the following sampleconfiguration:
resource "google_project_service_identity" "privateca_sa" {
  provider = google-beta
  service  = "privateca.googleapis.com"
}

resource "google_kms_crypto_key_iam_binding" "privateca_sa_keyuser_signerverifier" {
  crypto_key_id = "projects/keys-project/locations/us-central1/keyRings/key-ring/cryptoKeys/crypto-key"
  role          = "roles/cloudkms.signerVerifier"

  members = [
    "serviceAccount:${google_project_service_identity.privateca_sa.email}",
  ]
}

resource "google_kms_crypto_key_iam_binding" "privateca_sa_keyuser_viewer" {
  crypto_key_id = "projects/keys-project/locations/us-central1/keyRings/key-ring/cryptoKeys/crypto-key"
  role          = "roles/viewer"
  members = [
    "serviceAccount:${google_project_service_identity.privateca_sa.email}",
  ]
}

resource "google_privateca_certificate_authority" "default" {
  // This example assumes this pool already exists.
  // Pools cannot be deleted in normal test circumstances, so we depend on static pools
  pool                     = "ca-pool"
  certificate_authority_id = "my-certificate-authority"
  location                 = "us-central1"
  deletion_protection      = false # set to true to prevent destruction of the resource
  key_spec {
    cloud_kms_key_version = "projects/keys-project/locations/us-central1/keyRings/key-ring/cryptoKeys/crypto-key/cryptoKeyVersions/1"
  }

  config {
    subject_config {
      subject {
        organization = "Example, Org."
        common_name  = "Example Authority"
      }
    }
    x509_config {
      ca_options {
        # is_ca *MUST* be true for certificate authorities
        is_ca                  = true
        max_issuer_path_length = 10
      }
      key_usage {
        base_key_usage {
          # cert_sign and crl_sign *MUST* be true for certificate authorities
          cert_sign = true
          crl_sign  = true
        }
        extended_key_usage {
          server_auth = false
        }
      }
    }
  }

  depends_on = [
    google_kms_crypto_key_iam_binding.privateca_sa_keyuser_signerverifier,
    google_kms_crypto_key_iam_binding.privateca_sa_keyuser_viewer,
  ]
}
Go
To authenticate to CA Service, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.
import (
	"context"
	"fmt"
	"io"

	privateca "cloud.google.com/go/security/privateca/apiv1"
	"cloud.google.com/go/security/privateca/apiv1/privatecapb"
	"google.golang.org/protobuf/types/known/durationpb"
)

// Create Certificate Authority which is the root CA in the given CA Pool. This CA will be
// responsible for signing certificates within this pool.
func createCa(
	w io.Writer,
	projectId string,
	location string,
	caPoolId string,
	caId string,
	caCommonName string,
	org string,
	caDuration int64) error {
	// projectId := "your_project_id"
	// location := "us-central1"        // For a list of locations, see: https://cloud.google.com/certificate-authority-service/docs/locations.
	// caPoolId := "ca-pool-id"         // The CA Pool id under which the CA should be created.
	// caId := "ca-id"                  // A unique id/name for the ca.
	// caCommonName := "ca-name"        // A common name for your certificate authority.
	// org := "ca-org"                  // The name of your company for your certificate authority.
	// ca_duration := int64(31536000)   // The validity of the certificate authority in seconds.

	ctx := context.Background()
	caClient, err := privateca.NewCertificateAuthorityClient(ctx)
	if err != nil {
		return fmt.Errorf("NewCertificateAuthorityClient creation failed: %w", err)
	}
	defer caClient.Close()

	// Set the types of Algorithm used to create a cloud KMS key.
	keySpec := &privatecapb.CertificateAuthority_KeyVersionSpec{
		KeyVersion: &privatecapb.CertificateAuthority_KeyVersionSpec_Algorithm{
			Algorithm: privatecapb.CertificateAuthority_RSA_PKCS1_2048_SHA256,
		},
	}

	// Set CA subject config.
	subjectConfig := &privatecapb.CertificateConfig_SubjectConfig{
		Subject: &privatecapb.Subject{
			CommonName:   caCommonName,
			Organization: org,
		},
	}

	// Set the key usage options for X.509 fields.
	isCa := true
	x509Parameters := &privatecapb.X509Parameters{
		KeyUsage: &privatecapb.KeyUsage{
			BaseKeyUsage: &privatecapb.KeyUsage_KeyUsageOptions{
				CrlSign:  true,
				CertSign: true,
			},
		},
		CaOptions: &privatecapb.X509Parameters_CaOptions{
			IsCa: &isCa,
		},
	}

	// Set certificate authority settings.
	// Type: SELF_SIGNED denotes that this CA is a root CA.
	ca := &privatecapb.CertificateAuthority{
		Type:    privatecapb.CertificateAuthority_SELF_SIGNED,
		KeySpec: keySpec,
		Config: &privatecapb.CertificateConfig{
			SubjectConfig: subjectConfig,
			X509Config:    x509Parameters,
		},
		Lifetime: &durationpb.Duration{
			Seconds: caDuration,
		},
	}

	fullCaPoolName := fmt.Sprintf("projects/%s/locations/%s/caPools/%s", projectId, location, caPoolId)

	// Create the CreateCertificateAuthorityRequest.
	// See https://pkg.go.dev/cloud.google.com/go/security/privateca/apiv1/privatecapb#CreateCertificateAuthorityRequest.
	req := &privatecapb.CreateCertificateAuthorityRequest{
		Parent:                 fullCaPoolName,
		CertificateAuthorityId: caId,
		CertificateAuthority:   ca,
	}

	op, err := caClient.CreateCertificateAuthority(ctx, req)
	if err != nil {
		return fmt.Errorf("CreateCertificateAuthority failed: %w", err)
	}

	if _, err = op.Wait(ctx); err != nil {
		return fmt.Errorf("CreateCertificateAuthority failed during wait: %w", err)
	}

	fmt.Fprintf(w, "CA %s created", caId)

	return nil
}
Java
To authenticate to CA Service, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.
import com.google.api.core.ApiFuture;
import com.google.cloud.security.privateca.v1.CaPoolName;
import com.google.cloud.security.privateca.v1.CertificateAuthority;
import com.google.cloud.security.privateca.v1.CertificateAuthority.KeyVersionSpec;
import com.google.cloud.security.privateca.v1.CertificateAuthority.SignHashAlgorithm;
import com.google.cloud.security.privateca.v1.CertificateAuthorityServiceClient;
import com.google.cloud.security.privateca.v1.CertificateConfig;
import com.google.cloud.security.privateca.v1.CertificateConfig.SubjectConfig;
import com.google.cloud.security.privateca.v1.CreateCertificateAuthorityRequest;
import com.google.cloud.security.privateca.v1.KeyUsage;
import com.google.cloud.security.privateca.v1.KeyUsage.KeyUsageOptions;
import com.google.cloud.security.privateca.v1.Subject;
import com.google.cloud.security.privateca.v1.X509Parameters;
import com.google.cloud.security.privateca.v1.X509Parameters.CaOptions;
import com.google.longrunning.Operation;
import com.google.protobuf.Duration;
import java.io.IOException;
import java.util.concurrent.ExecutionException;

public class CreateCertificateAuthority {

  public static void main(String[] args)
      throws InterruptedException, ExecutionException, IOException {
    // TODO(developer): Replace these variables before running the sample.
    // location: For a list of locations, see:
    // https://cloud.google.com/certificate-authority-service/docs/locations
    // poolId: Set it to the CA Pool under which the CA should be created.
    // certificateAuthorityName: Unique name for the CA.
    String project = "your-project-id";
    String location = "ca-location";
    String poolId = "ca-pool-id";
    String certificateAuthorityName = "certificate-authority-name";

    createCertificateAuthority(project, location, poolId, certificateAuthorityName);
  }

  // Create Certificate Authority which is the root CA in the given CA Pool.
  public static void createCertificateAuthority(
      String project, String location, String poolId, String certificateAuthorityName)
      throws InterruptedException, ExecutionException, IOException {
    // Initialize client that will be used to send requests. This client only needs to be created
    // once, and can be reused for multiple requests. After completing all of your requests, call
    // the `certificateAuthorityServiceClient.close()` method on the client to safely
    // clean up any remaining background resources.
    try (CertificateAuthorityServiceClient certificateAuthorityServiceClient =
        CertificateAuthorityServiceClient.create()) {

      String commonName = "common-name";
      String orgName = "org-name";
      int caDuration = 100000; // Validity of this CA in seconds.

      // Set the type of Algorithm.
      KeyVersionSpec keyVersionSpec =
          KeyVersionSpec.newBuilder().setAlgorithm(SignHashAlgorithm.RSA_PKCS1_4096_SHA256).build();

      // Set CA subject config.
      SubjectConfig subjectConfig =
          SubjectConfig.newBuilder()
              .setSubject(
                  Subject.newBuilder().setCommonName(commonName).setOrganization(orgName).build())
              .build();

      // Set the key usage options for X.509 fields.
      X509Parameters x509Parameters =
          X509Parameters.newBuilder()
              .setKeyUsage(
                  KeyUsage.newBuilder()
                      .setBaseKeyUsage(
                          KeyUsageOptions.newBuilder().setCrlSign(true).setCertSign(true).build())
                      .build())
              .setCaOptions(CaOptions.newBuilder().setIsCa(true).build())
              .build();

      // Set certificate authority settings.
      CertificateAuthority certificateAuthority =
          CertificateAuthority.newBuilder()
              // CertificateAuthority.Type.SELF_SIGNED denotes that this CA is a root CA.
              .setType(CertificateAuthority.Type.SELF_SIGNED)
              .setKeySpec(keyVersionSpec)
              .setConfig(
                  CertificateConfig.newBuilder()
                      .setSubjectConfig(subjectConfig)
                      .setX509Config(x509Parameters)
                      .build())
              // Set the CA validity duration.
              .setLifetime(Duration.newBuilder().setSeconds(caDuration).build())
              .build();

      // Create the CertificateAuthorityRequest.
      CreateCertificateAuthorityRequest certificateAuthorityRequest =
          CreateCertificateAuthorityRequest.newBuilder()
              .setParent(CaPoolName.of(project, location, poolId).toString())
              .setCertificateAuthorityId(certificateAuthorityName)
              .setCertificateAuthority(certificateAuthority)
              .build();

      // Create Certificate Authority.
      ApiFuture<Operation> futureCall =
          certificateAuthorityServiceClient
              .createCertificateAuthorityCallable()
              .futureCall(certificateAuthorityRequest);
      Operation response = futureCall.get();

      if (response.hasError()) {
        System.out.println("Error while creating CA !" + response.getError());
        return;
      }

      System.out.println(
          "Certificate Authority created successfully : " + certificateAuthorityName);
    }
  }
}
Python
To authenticate to CA Service, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.
import google.cloud.security.privateca_v1 as privateca_v1
from google.protobuf import duration_pb2


def create_certificate_authority(
    project_id: str,
    location: str,
    ca_pool_name: str,
    ca_name: str,
    common_name: str,
    organization: str,
    ca_duration: int,
) -> None:
    """
    Create Certificate Authority which is the root CA in the given CA Pool. This CA will be
    responsible for signing certificates within this pool.

    Args:
        project_id: project ID or project number of the Cloud project you want to use.
        location: location you want to use. For a list of locations, see: https://cloud.google.com/certificate-authority-service/docs/locations.
        ca_pool_name: set it to the CA Pool under which the CA should be created.
        ca_name: unique name for the CA.
        common_name: a title for your certificate authority.
        organization: the name of your company for your certificate authority.
        ca_duration: the validity of the certificate authority in seconds.
    """

    caServiceClient = privateca_v1.CertificateAuthorityServiceClient()

    # Set the types of Algorithm used to create a cloud KMS key.
    key_version_spec = privateca_v1.CertificateAuthority.KeyVersionSpec(
        algorithm=privateca_v1.CertificateAuthority.SignHashAlgorithm.RSA_PKCS1_4096_SHA256
    )

    # Set CA subject config.
    subject_config = privateca_v1.CertificateConfig.SubjectConfig(
        subject=privateca_v1.Subject(common_name=common_name, organization=organization)
    )

    # Set the key usage options for X.509 fields.
    x509_parameters = privateca_v1.X509Parameters(
        key_usage=privateca_v1.KeyUsage(
            base_key_usage=privateca_v1.KeyUsage.KeyUsageOptions(
                crl_sign=True,
                cert_sign=True,
            )
        ),
        ca_options=privateca_v1.X509Parameters.CaOptions(
            is_ca=True,
        ),
    )

    # Set certificate authority settings.
    certificate_authority = privateca_v1.CertificateAuthority(
        # CertificateAuthority.Type.SELF_SIGNED denotes that this CA is a root CA.
        type_=privateca_v1.CertificateAuthority.Type.SELF_SIGNED,
        key_spec=key_version_spec,
        config=privateca_v1.CertificateConfig(
            subject_config=subject_config,
            x509_config=x509_parameters,
        ),
        lifetime=duration_pb2.Duration(seconds=ca_duration),
    )

    ca_pool_path = caServiceClient.ca_pool_path(project_id, location, ca_pool_name)

    # Create the CertificateAuthorityRequest.
    request = privateca_v1.CreateCertificateAuthorityRequest(
        parent=ca_pool_path,
        certificate_authority_id=ca_name,
        certificate_authority=certificate_authority,
    )

    operation = caServiceClient.create_certificate_authority(request=request)
    result = operation.result()
    print("Operation result:", result)
REST API
Create a root CA.
HTTP method and URL:
POST https://privateca.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/caPools/POOL_ID/certificateAuthorities?certificate_authority_id=ROOT_CA_ID
Request JSON body:
{
  "type": "SELF_SIGNED",
  "lifetime": {
    "seconds": 315576000,
    "nanos": 0
  },
  "config": {
    "subject_config": {
      "subject": {
        "organization": "ORGANIZATION_NAME",
        "common_name": "COMMON_NAME"
      }
    },
    "x509_config": {
      "ca_options": {
        "is_ca": true
      },
      "key_usage": {
        "base_key_usage": {
          "cert_sign": true,
          "crl_sign": true
        }
      }
    }
  },
  "key_spec": {
    "algorithm": "RSA_PKCS1_4096_SHA256"
  }
}
To send your request, use one of the following options:
curl (Linux, macOS, or Cloud Shell)
Save the request body in a file named request.json, and execute the following command:
curl -X POST \
  -H "Authorization: Bearer $(gcloud auth print-access-token)" \
  -H "Content-Type: application/json; charset=utf-8" \
  -d @request.json \
  "https://privateca.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/caPools/POOL_ID/certificateAuthorities?certificate_authority_id=ROOT_CA_ID"
PowerShell (Windows)
Save the request body in a file named request.json, and execute the following command:
$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }
Invoke-WebRequest `
  -Method POST `
  -Headers $headers `
  -ContentType: "application/json; charset=utf-8" `
  -InFile request.json `
  -Uri "https://privateca.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/caPools/POOL_ID/certificateAuthorities?certificate_authority_id=ROOT_CA_ID" | Select-Object -Expand Content
You should receive a JSON response similar to the following:
{
  "name": "projects/PROJECT_ID/locations/LOCATION/operations/operation-UUID",
  "metadata": {...},
  "done": false
}
Poll the operation until it has completed.
HTTP method and URL:
GET https://privateca.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/operations/operation-UUID
To send your request, use one of the following options:
curl (Linux, macOS, or Cloud Shell)
Execute the following command:
curl -X GET \
  -H "Authorization: Bearer $(gcloud auth print-access-token)" \
  "https://privateca.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/operations/operation-UUID"
PowerShell (Windows)
Execute the following command:
$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }
Invoke-WebRequest `
  -Method GET `
  -Headers $headers `
  -Uri "https://privateca.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/operations/operation-UUID" | Select-Object -Expand Content
You should receive a JSON response similar to the following:
{
  "name": "projects/PROJECT_ID/locations/LOCATION/operations/operation-UUID",
  "metadata": {...},
  "done": true,
  "response": {
    "@type": "type.googleapis.com/google.cloud.security.privateca.v1.CertificateAuthority",
    "name": "...",
  }
}
After you have verified that the CA works as expected, you can enable it to start issuing certificates for the CA pool. Issuance requests sent to the pool are load-balanced across its enabled CAs, so a CA that is still in the STAGED state serves no pool traffic until you enable it.
Enable a root CA
gcloud
To enable a root CA, run the following gcloud command:
gcloud privateca roots enable ROOT_CA_ID --pool=POOL_ID
Replace the following:
- ROOT_CA_ID: The name of the CA.
- POOL_ID: The name of the CA pool.
Terraform
If you use Terraform to create a root CA, the root CA is enabled on creation. To create a root CA in the STAGED state, set the desired_state field to STAGED when creating the CA.
You can set the desired_state field to ENABLED or DISABLED after CA creation.
Go
To authenticate to CA Service, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.
import (
	"context"
	"fmt"
	"io"

	privateca "cloud.google.com/go/security/privateca/apiv1"
	"cloud.google.com/go/security/privateca/apiv1/privatecapb"
)

// Enable the Certificate Authority present in the given ca pool.
// CA cannot be enabled if it has been already deleted.
func enableCa(w io.Writer, projectId string, location string, caPoolId string, caId string) error {
	// projectId := "your_project_id"
	// location := "us-central1"   // For a list of locations, see: https://cloud.google.com/certificate-authority-service/docs/locations.
	// caPoolId := "ca-pool-id"    // The id of the CA pool under which the CA is present.
	// caId := "ca-id"             // The id of the CA to be enabled.

	ctx := context.Background()
	caClient, err := privateca.NewCertificateAuthorityClient(ctx)
	if err != nil {
		return fmt.Errorf("NewCertificateAuthorityClient creation failed: %w", err)
	}
	defer caClient.Close()

	fullCaName := fmt.Sprintf("projects/%s/locations/%s/caPools/%s/certificateAuthorities/%s",
		projectId, location, caPoolId, caId)

	// Create the EnableCertificateAuthorityRequest.
	// See https://pkg.go.dev/cloud.google.com/go/security/privateca/apiv1/privatecapb#EnableCertificateAuthorityRequest.
	req := &privatecapb.EnableCertificateAuthorityRequest{Name: fullCaName}

	op, err := caClient.EnableCertificateAuthority(ctx, req)
	if err != nil {
		return fmt.Errorf("EnableCertificateAuthority failed: %w", err)
	}

	var caResp *privatecapb.CertificateAuthority
	if caResp, err = op.Wait(ctx); err != nil {
		return fmt.Errorf("EnableCertificateAuthority failed during wait: %w", err)
	}

	if caResp.State != privatecapb.CertificateAuthority_ENABLED {
		return fmt.Errorf("unable to enable Certificate Authority. Current state: %s", caResp.State.String())
	}

	fmt.Fprintf(w, "Successfully enabled Certificate Authority: %s.", caId)

	return nil
}
Java
To authenticate to CA Service, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.
import com.google.api.core.ApiFuture;
import com.google.cloud.security.privateca.v1.CertificateAuthority.State;
import com.google.cloud.security.privateca.v1.CertificateAuthorityName;
import com.google.cloud.security.privateca.v1.CertificateAuthorityServiceClient;
import com.google.cloud.security.privateca.v1.EnableCertificateAuthorityRequest;
import com.google.longrunning.Operation;
import java.io.IOException;
import java.util.concurrent.ExecutionException;

public class EnableCertificateAuthority {

  public static void main(String[] args)
      throws InterruptedException, ExecutionException, IOException {
    // TODO(developer): Replace these variables before running the sample.
    // location: For a list of locations, see:
    // https://cloud.google.com/certificate-authority-service/docs/locations
    // poolId: The id of the CA pool under which the CA is present.
    // certificateAuthorityName: The name of the CA to be enabled.
    String project = "your-project-id";
    String location = "ca-location";
    String poolId = "ca-pool-id";
    String certificateAuthorityName = "certificate-authority-name";

    enableCertificateAuthority(project, location, poolId, certificateAuthorityName);
  }

  // Enable the Certificate Authority present in the given ca pool.
  // CA cannot be enabled if it has been already deleted.
  public static void enableCertificateAuthority(
      String project, String location, String poolId, String certificateAuthorityName)
      throws IOException, ExecutionException, InterruptedException {
    try (CertificateAuthorityServiceClient certificateAuthorityServiceClient =
        CertificateAuthorityServiceClient.create()) {

      // Create the Certificate Authority Name.
      CertificateAuthorityName certificateAuthorityParent =
          CertificateAuthorityName.newBuilder()
              .setProject(project)
              .setLocation(location)
              .setCaPool(poolId)
              .setCertificateAuthority(certificateAuthorityName)
              .build();

      // Create the Enable Certificate Authority Request.
      EnableCertificateAuthorityRequest enableCertificateAuthorityRequest =
          EnableCertificateAuthorityRequest.newBuilder()
              .setName(certificateAuthorityParent.toString())
              .build();

      // Enable the Certificate Authority.
      ApiFuture<Operation> futureCall =
          certificateAuthorityServiceClient
              .enableCertificateAuthorityCallable()
              .futureCall(enableCertificateAuthorityRequest);
      Operation response = futureCall.get();

      if (response.hasError()) {
        System.out.println("Error while enabling Certificate Authority !" + response.getError());
        return;
      }

      // Get the current CA state.
      State caState =
          certificateAuthorityServiceClient
              .getCertificateAuthority(certificateAuthorityParent)
              .getState();

      // Check if the CA is enabled.
      if (caState == State.ENABLED) {
        System.out.println("Enabled Certificate Authority : " + certificateAuthorityName);
      } else {
        System.out.println(
            "Cannot enable the Certificate Authority ! Current CA State: " + caState);
      }
    }
  }
}
Python
To authenticate to CA Service, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.
import google.cloud.security.privateca_v1 as privateca_v1


def enable_certificate_authority(
    project_id: str, location: str, ca_pool_name: str, ca_name: str
) -> None:
    """
    Enable the Certificate Authority present in the given ca pool.
    CA cannot be enabled if it has been already deleted.

    Args:
        project_id: project ID or project number of the Cloud project you want to use.
        location: location you want to use. For a list of locations, see: https://cloud.google.com/certificate-authority-service/docs/locations.
        ca_pool_name: the name of the CA pool under which the CA is present.
        ca_name: the name of the CA to be enabled.
    """

    caServiceClient = privateca_v1.CertificateAuthorityServiceClient()
    ca_path = caServiceClient.certificate_authority_path(
        project_id, location, ca_pool_name, ca_name
    )

    # Create the Enable Certificate Authority Request.
    request = privateca_v1.EnableCertificateAuthorityRequest(
        name=ca_path,
    )

    # Enable the Certificate Authority.
    operation = caServiceClient.enable_certificate_authority(request=request)
    operation.result()

    # Get the current CA state.
    ca_state = caServiceClient.get_certificate_authority(name=ca_path).state

    # Check if the CA is enabled.
    if ca_state == privateca_v1.CertificateAuthority.State.ENABLED:
        print("Enabled Certificate Authority:", ca_name)
    else:
        print("Cannot enable the Certificate Authority ! Current CA State:", ca_state)
REST API
Enable the CA to issue certificates from the CA pool.
HTTP method and URL:
POST https://privateca.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/caPools/POOL_ID/certificateAuthorities/ROOT_CA_ID:enable
To send your request, use one of the following options:
curl (Linux, macOS, or Cloud Shell)
Execute the following command:
curl -X POST \
  -H "Authorization: Bearer $(gcloud auth print-access-token)" \
  -H "Content-Type: application/json; charset=utf-8" \
  -d "" \
  "https://privateca.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/caPools/POOL_ID/certificateAuthorities/ROOT_CA_ID:enable"
PowerShell (Windows)
Execute the following command:
$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }
Invoke-WebRequest `
  -Method POST `
  -Headers $headers `
  -Uri "https://privateca.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/caPools/POOL_ID/certificateAuthorities/ROOT_CA_ID:enable" | Select-Object -Expand Content
You should receive a JSON response similar to the following:
{
  "name": "projects/PROJECT_ID/locations/LOCATION/operations/operation-UUID",
  "metadata": {...},
  "done": false
}
Poll the operation until it has completed.
HTTP method and URL:
GET https://privateca.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/operations/operation-UUID
To send your request, use one of the following options:
curl (Linux, macOS, or Cloud Shell)
Execute the following command:
curl -X GET \
  -H "Authorization: Bearer $(gcloud auth print-access-token)" \
  "https://privateca.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/operations/operation-UUID"
PowerShell (Windows)
Execute the following command:
$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }
Invoke-WebRequest `
  -Method GET `
  -Headers $headers `
  -Uri "https://privateca.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/operations/operation-UUID" | Select-Object -Expand Content
You should receive a JSON response similar to the following:
{
  "name": "projects/PROJECT_ID/locations/LOCATION/operations/operation-UUID",
  "metadata": {...},
  "done": true,
  "response": {
    "@type": "type.googleapis.com/google.cloud.security.privateca.v1.CertificateAuthority",
    "name": "...",
  }
}
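Both the create call and the enable call in the REST tabs above return a long-running operation, and the "poll the operation until it has completed" step is where a script decides whether the CA actually exists, or is actually enabled, before it goes on to use it. The following Go program is an added example, not code from this page or from CA Service. It polls an operation name against a base URL with a bearer token until done is true, and treats three things as failure: a non-200 status, a done operation whose error field is set (an operation can finish without succeeding), and an expired context deadline. So that it runs offline, it includes a constructed fake server (NewFakeOperationServer, which demands the fixed token "test-token") standing in for privateca.googleapis.com; the function names, the fake's error code and its messages are assumptions for this example. Against the real endpoint, pass https://privateca.googleapis.com as baseURL, the operation name from the create or enable response, and the output of gcloud auth print-access-token as the token.

```go
package main

import (
	"context"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"sync/atomic"
	"time"
)

// Operation carries the fields of a google.longrunning.Operation that a poller
// must inspect: done, the error status if the operation failed, and the response.
type Operation struct {
	Name  string `json:"name"`
	Done  bool   `json:"done"`
	Error *struct {
		Code    int    `json:"code"`
		Message string `json:"message"`
	} `json:"error,omitempty"`
	Response json.RawMessage `json:"response,omitempty"`
}

// PollOperation GETs baseURL/v1/<opName> with a bearer token until done is true
// or ctx expires. A done operation with an error set is a failure: the CA was
// not created (or enabled), and the caller must not proceed as if it were.
func PollOperation(ctx context.Context, client *http.Client, baseURL, opName, token string, interval time.Duration) (json.RawMessage, error) {
	for {
		req, err := http.NewRequestWithContext(ctx, http.MethodGet, baseURL+"/v1/"+opName, nil)
		if err != nil {
			return nil, err
		}
		req.Header.Set("Authorization", "Bearer "+token)
		resp, err := client.Do(req)
		if err != nil {
			return nil, err
		}
		var op Operation
		decodeErr := json.NewDecoder(resp.Body).Decode(&op)
		resp.Body.Close()
		if resp.StatusCode != http.StatusOK {
			return nil, fmt.Errorf("polling %s: HTTP %d", opName, resp.StatusCode)
		}
		if decodeErr != nil {
			return nil, decodeErr
		}
		if op.Done {
			if op.Error != nil {
				return nil, fmt.Errorf("operation %s failed: code %d: %s", op.Name, op.Error.Code, op.Error.Message)
			}
			return op.Response, nil
		}
		select {
		case <-ctx.Done():
			return nil, ctx.Err()
		case <-time.After(interval):
		}
	}
}

// NewFakeOperationServer is a constructed stand-in for privateca.googleapis.com
// so the poller can be exercised offline. It demands the bearer token
// "test-token", answers done:false for the first pendingPolls requests, then
// done:true with either a CertificateAuthority response or a (constructed) error.
func NewFakeOperationServer(pendingPolls int32, failOp bool) *httptest.Server {
	var polls int32
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Authorization") != "Bearer test-token" {
			http.Error(w, `{"error":{"code":401,"message":"missing bearer token"}}`, http.StatusUnauthorized)
			return
		}
		name := r.URL.Path[len("/v1/"):]
		w.Header().Set("Content-Type", "application/json")
		switch {
		case atomic.AddInt32(&polls, 1) <= pendingPolls:
			fmt.Fprintf(w, `{"name":%q,"metadata":{},"done":false}`, name)
		case failOp:
			fmt.Fprintf(w, `{"name":%q,"done":true,"error":{"code":3,"message":"constructed failure"}}`, name)
		default:
			fmt.Fprintf(w, `{"name":%q,"done":true,"response":{"@type":"type.googleapis.com/google.cloud.security.privateca.v1.CertificateAuthority","name":"projects/PROJECT_ID/locations/LOCATION/caPools/POOL_ID/certificateAuthorities/ROOT_CA_ID"}}`, name)
		}
	}))
}

func main() {
	srv := NewFakeOperationServer(2, false)
	defer srv.Close()
	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
	defer cancel()
	resp, err := PollOperation(ctx, srv.Client(), srv.URL,
		"projects/PROJECT_ID/locations/LOCATION/operations/operation-UUID", "test-token", 20*time.Millisecond)
	fmt.Println(string(resp), err)
}
```

The context deadline is the piece most scripts forget: without it a poller loops forever on an operation that never finishes, and with it you get a bounded wait that fails loudly rather than silently proceeding to the enable step.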
Test a CA
To verify that a CA is able to issue certificates, request a certificate from the associated CA pool and explicitly name the CA you want to test using the --ca flag.
You can use the following methods to request a certificate from a CA pool:
- Have CA Service create a private or public key for you.
- Generate your own private or public key and submit a Certificate Signing Request (CSR).
It is easier to use an auto-generated private key or public key to request a certificate from a CA in a CA pool. This section provides information on testing a CA using that method.
To use an auto-generated private key or public key to request a certificate from a CA in a CA pool, run the following gcloud command:
gcloud privateca certificates create \
  --issuer-pool=POOL_ID \
  --ca=ROOT_CA_ID \
  --generate-key \
  --key-output-file=KEY_FILENAME \
  --cert-output-file=CERT_FILENAME \
  --dns-san=DNS_NAME
Replace the following:
- POOL_ID: The name of the CA pool.
- ROOT_CA_ID: The unique identifier of the CA that you want to test.
- KEY_FILENAME: The file where the generated key is written in PEM format.
- CERT_FILENAME: The file where the resulting PEM-encoded certificate chain file is written. The order of the certificate chain is from leaf to root.
- DNS_NAME: One or more comma-separated DNS Subject Alternative Names (SANs).
The --generate-key flag generates a new RSA-2048 private key on your machine and writes it, unencrypted, to KEY_FILENAME. Treat that file like any other private key: restrict its permissions and delete it once the test is complete.
To use a Certificate Signing Request (CSR) to request a certificate from a CA ina CA pool, or for more information about requesting certificates, seeRequest a certificate and view issued certificates.
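The chain that --cert-output-file writes is what a client ends up checking, and that check is the point made under Create a root CA: only the self-signed root goes into the trust store, and everything else has to chain to it. The following Go program is an added example, not code from this page or from CA Service. It builds a constructed root and leaf in memory (standing in for the root CA and the certificate the command above issues) and then verifies a leaf-to-root PEM chain the way a relying party should: the first certificate must be an end-entity, the last must be a self-signed CA carrying is_ca and cert_sign/crl_sign (the x509_config used throughout this page), only that root is trusted, and the leaf must carry the DNS SAN that was requested. VerifyIssuedChain and BuildSampleChain are names assumed for this example. To check a real chain, read CERT_FILENAME into chainPEM instead of calling BuildSampleChain.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// VerifyIssuedChain checks a leaf-to-root PEM chain the way a relying party
// should: first certificate is the end-entity, last is a self-signed CA with
// cert_sign and crl_sign, and only that root goes into the trust store.
func VerifyIssuedChain(chainPEM []byte, dnsName string, now time.Time) error {
	var certs []*x509.Certificate
	for block, rest := pem.Decode(chainPEM); block != nil; block, rest = pem.Decode(rest) {
		if block.Type != "CERTIFICATE" {
			continue
		}
		c, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return err
		}
		certs = append(certs, c)
	}
	if len(certs) < 2 {
		return errors.New("chain must contain at least a leaf and a root")
	}
	leaf, root := certs[0], certs[len(certs)-1]
	if leaf.IsCA {
		return errors.New("first certificate is a CA; the chain must start with the leaf")
	}
	if !root.BasicConstraintsValid || !root.IsCA {
		return errors.New("last certificate is not marked is_ca")
	}
	if root.KeyUsage&x509.KeyUsageCertSign == 0 || root.KeyUsage&x509.KeyUsageCRLSign == 0 {
		return errors.New("root lacks cert_sign or crl_sign key usage")
	}
	if err := root.CheckSignatureFrom(root); err != nil {
		return fmt.Errorf("root is not self-signed: %w", err)
	}
	opts := x509.VerifyOptions{DNSName: dnsName, CurrentTime: now,
		Roots: x509.NewCertPool(), Intermediates: x509.NewCertPool()}
	opts.Roots.AddCert(root) // the only trust anchor
	for _, c := range certs[1 : len(certs)-1] {
		opts.Intermediates.AddCert(c) // offered, never trusted directly
	}
	_, err := leaf.Verify(opts)
	return err
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// BuildSampleChain is a constructed stand-in for a CA Service root and one leaf
// it issued, returned as separate PEM blocks so the caller picks the order.
func BuildSampleChain(dnsName string) (leafPEM, rootPEM []byte) {
	rootKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	now := time.Now()
	rootTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "my-ca", Organization: []string{"Test LLC"}},
		NotBefore:    now.Add(-time.Hour), NotAfter: now.AddDate(10, 0, 0),
		IsCA: true, BasicConstraintsValid: true, // is_ca: true
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, // cert_sign, crl_sign
	}
	rootDER := must(x509.CreateCertificate(rand.Reader, rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey))
	root := must(x509.ParseCertificate(rootDER))
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		DNSNames:     []string{dnsName}, // the --dns-san value
		NotBefore:    now.Add(-time.Hour), NotAfter: now.AddDate(0, 0, 1),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leafDER := must(x509.CreateCertificate(rand.Reader, leafTmpl, root, &leafKey.PublicKey, rootKey))
	toPEM := func(der []byte) []byte {
		return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	}
	return toPEM(leafDER), toPEM(rootDER)
}

func main() {
	leaf, root := BuildSampleChain("example.com")
	fmt.Println("leaf->root:", VerifyIssuedChain(append(leaf, root...), "example.com", time.Now()))
}
```

Feeding the same two blocks in root-then-leaf order makes the check fail, which is the ordering guarantee the --cert-output-file description promises; a client that silently trusted whatever certificate came last would accept that file too.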
Clone certificate authorities
To clone an existing CA, either to renew it or to create a new CA with the same configuration, run the following command:
gcloud privateca roots create NEW_CA_ID --pool=POOL_ID \
  --from-ca=EXISTING_CA_ID \
  --key-algorithm="ec-p384-sha384"
Replace the following:
- NEW_CA_ID: The unique identifier of the new CA.
- POOL_ID: The name of the CA pool in which you want to create the new CA.
- EXISTING_CA_ID: The unique identifier of the CA to clone.
The --from-ca flag is supported for root and subordinate CA creation. The existing CA must be in the same CA pool as the new CA.
The --from-ca flag copies all CA configuration from the existing CA, except for the Cloud KMS key version and the Cloud Storage bucket. You can still override any of the copied values in the new CA by explicitly providing the appropriate flag. For example, you can specify --subject=SUBJECT to use a new subject, or --key-algorithm to pick a different key algorithm, as the command above does.
If you omit the --key-algorithm flag, the algorithm defaults to:
- rsa-pkcs1-4096-sha256 for root CAs.
- rsa-pkcs1-2048-sha256 for subordinate CAs.
For more information about this gcloud command, see gcloud privateca roots create.
What's next
- Learn how to create a subordinate CA.
- Learn how to request certificates.
- Learn about templates and issuance policies.
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2024-09-10 UTC.