Create a root certificate authority  |  Certificate Authority Service  |  Google Cloud (2024)


This page describes how to create a root certificate authority (CA) in a CA pool.

A root CA is at the top of a public key infrastructure (PKI) hierarchy and forms the trust anchor of the PKI. For a device, software component, or service to participate in a PKI and use its certificates, it must trust the PKI, which is done by configuring it to trust the root CA. Once the root CA is trusted, every certificate that chains to it is trusted as well.

Before you begin

  • Make sure you have the CA Service Operation Manager (roles/privateca.caManager) or the CA Service Admin (roles/privateca.admin) IAM role. For information, see Configure IAM policies.
  • Create a CA pool.
  • Determine your CA settings.

Create a root CA

A root CA has a self-signed certificate that you must distribute to the trust stores of your clients. The root CA's certificate is at the top of the certificate chain. No other CA can revoke the root CA certificate, and the CRL published by the root CA applies only to the certificates the root CA issued, never to the root itself. Removing a root from trust therefore means updating every client trust store that contains it, which is why the root's key must be protected accordingly.

Console

To create a root CA, do the following.

  1. Go to the Certificate Authority Service page inthe Google Cloud console.

    Go to Certificate Authority Service

  2. Click the CA manager tab.

  3. Click Create CA.

Select CA type

To configure the permanent settings of the CA, such as tier, location, lifetime, and the operational state at creation, do the following:

  1. Select Root CA.
  2. In the Valid for field, enter the duration for which you want the CA certificate to be valid. This is the lifetime of the root CA itself; certificates it issues have their own, shorter validity.
  3. Optional: Select a tier for the CA.
  4. Click Region and, in the list, select the location where you want to create the CA. We recommend creating the CA geographically near your application's clients. For more information, see Choosing the best location.
  5. Optional: Select the operational state of the CA to be created in.
  6. Optional: Click Certificate profile. In the list, select the certificate profile that matches the type of certificates you want the CA to issue.

  7. Click Next.

Configure CA subject name
  1. In the Organization (O) field, enter the name of your company.
  2. Optional: In the Organization unit (OU) field, enter the company subdivision or business unit.
  3. Optional: In the Country name field, enter a two letter country code.
  4. Optional: In the State or province name field, enter the name of your state.
  5. Optional: In the Locality name field, enter the name of your city.
  6. In the CA common name (CN) field, enter the CA name.
  7. In the Pool ID field, enter the CA pool name. You cannot change the CA pool after creating the CA.
  8. Click Next.
Configure CA key size and algorithm
  1. Choose the key algorithm that best meets your needs. For information about deciding the suitable key algorithm, see Choose a key algorithm.
  2. Click Next.
Configure CA artifacts

The following steps are optional. If you skip these steps, the default settings apply.

  1. Choose whether you want to use a Google-managed or a self-managed Cloud Storage bucket. If you don't select a self-managed Cloud Storage bucket, CA Service creates a Google-managed bucket in the same location as the CA.
  2. Choose whether to disable the publication of certificate revocation lists (CRLs) and CA certificates to the Cloud Storage bucket. Both are published by default; to disable either one, click its toggle.
  3. Click Next.
Add labels

The following steps are optional.

If you want to add labels to the CA, do the following:

  1. Click Add item.
  2. In the Key 1 field, enter the label key.
  3. In the Value 1 field, enter the label value.
  4. If you want to add another label, click Add item again, then add the label key and value as in steps 2 and 3.
  5. Click Next.
Review the settings

Carefully review all the settings, then click Create to create the CA.

gcloud

  1. To create a CA pool, run the following command:

    gcloud privateca pools create POOL_ID

    Replace POOL_ID with the name of the CA pool.

    For more information, see Create a CA pool.

    For more information about this gcloud command, see gcloud privateca pools create.

  2. Create a new root CA in the CA pool you created.

    gcloud privateca roots create ROOT_CA_ID --pool=POOL_ID \
        --key-algorithm=KEY_ALGORITHM \
        --subject="CN=my-ca, O=Test LLC"

    Replace the following:

    • ROOT_CA_ID: The name of the CA.
    • POOL_ID: The name of the CA pool.
    • KEY_ALGORITHM: The algorithm to use for creating the Cloud KMS key. This flag is optional. If you don't include it, the key algorithm defaults to rsa-pkcs1-4096-sha256. For more information, see the --key-algorithm flag.

    By default, the CA is created in the STAGED state. To enable the CA as part of creation, include the --auto-enable flag.

    If you want to use a customer-managed Cloud Storage bucket for publishing CA certificates and CRLs, add --bucket bucket-name to the command. Replace bucket-name with the name of the Cloud Storage bucket.

    To see the exhaustive list of settings, run the following command:

    gcloud privateca roots create --help

Terraform

To create a root CA using a Google-owned and Google-managed key, use the following sample configuration:

resource "google_privateca_certificate_authority" "default" {
  // This example assumes this pool already exists.
  // Pools cannot be deleted in normal test circumstances, so we depend on static pools
  pool                     = "my-pool"
  certificate_authority_id = "my-certificate-authority-hashicorp"
  location                 = "us-central1"
  deletion_protection      = false # set to true to prevent destruction of the resource
  config {
    subject_config {
      subject {
        organization = "HashiCorp"
        common_name  = "my-certificate-authority"
      }
      subject_alt_name {
        dns_names = ["hashicorp.com"]
      }
    }
    x509_config {
      ca_options {
        is_ca                  = true
        max_issuer_path_length = 10
      }
      key_usage {
        base_key_usage {
          digital_signature  = true
          content_commitment = true
          key_encipherment   = false
          data_encipherment  = true
          key_agreement      = true
          cert_sign          = true
          crl_sign           = true
          decipher_only      = true
        }
        extended_key_usage {
          server_auth      = true
          client_auth      = false
          email_protection = true
          code_signing     = true
          time_stamping    = true
        }
      }
    }
  }
  lifetime = "86400s"
  key_spec {
    algorithm = "RSA_PKCS1_4096_SHA256"
  }
}

To create a root CA using a self-managed key, use the following sample configuration:

resource "google_project_service_identity" "privateca_sa" {
  provider = google-beta
  service  = "privateca.googleapis.com"
}

resource "google_kms_crypto_key_iam_binding" "privateca_sa_keyuser_signerverifier" {
  crypto_key_id = "projects/keys-project/locations/us-central1/keyRings/key-ring/cryptoKeys/crypto-key"
  role          = "roles/cloudkms.signerVerifier"

  members = [
    "serviceAccount:${google_project_service_identity.privateca_sa.email}",
  ]
}

resource "google_kms_crypto_key_iam_binding" "privateca_sa_keyuser_viewer" {
  crypto_key_id = "projects/keys-project/locations/us-central1/keyRings/key-ring/cryptoKeys/crypto-key"
  role          = "roles/viewer"
  members = [
    "serviceAccount:${google_project_service_identity.privateca_sa.email}",
  ]
}

resource "google_privateca_certificate_authority" "default" {
  // This example assumes this pool already exists.
  // Pools cannot be deleted in normal test circumstances, so we depend on static pools
  pool                     = "ca-pool"
  certificate_authority_id = "my-certificate-authority"
  location                 = "us-central1"
  deletion_protection      = false # set to true to prevent destruction of the resource
  key_spec {
    cloud_kms_key_version = "projects/keys-project/locations/us-central1/keyRings/key-ring/cryptoKeys/crypto-key/cryptoKeyVersions/1"
  }

  config {
    subject_config {
      subject {
        organization = "Example, Org."
        common_name  = "Example Authority"
      }
    }
    x509_config {
      ca_options {
        # is_ca *MUST* be true for certificate authorities
        is_ca                  = true
        max_issuer_path_length = 10
      }
      key_usage {
        base_key_usage {
          # cert_sign and crl_sign *MUST* be true for certificate authorities
          cert_sign = true
          crl_sign  = true
        }
        extended_key_usage {
          server_auth = false
        }
      }
    }
  }

  depends_on = [
    google_kms_crypto_key_iam_binding.privateca_sa_keyuser_signerverifier,
    google_kms_crypto_key_iam_binding.privateca_sa_keyuser_viewer,
  ]
}

Go

To authenticate to CA Service, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.

import (
	"context"
	"fmt"
	"io"

	privateca "cloud.google.com/go/security/privateca/apiv1"
	"cloud.google.com/go/security/privateca/apiv1/privatecapb"
	"google.golang.org/protobuf/types/known/durationpb"
)

// Create Certificate Authority which is the root CA in the given CA Pool. This CA will be
// responsible for signing certificates within this pool.
func createCa(
	w io.Writer,
	projectId string,
	location string,
	caPoolId string,
	caId string,
	caCommonName string,
	org string,
	caDuration int64) error {
	// projectId := "your_project_id"
	// location := "us-central1"          // For a list of locations, see: https://cloud.google.com/certificate-authority-service/docs/locations.
	// caPoolId := "ca-pool-id"           // The CA Pool id under which the CA should be created.
	// caId := "ca-id"                    // A unique id/name for the ca.
	// caCommonName := "ca-name"          // A common name for your certificate authority.
	// org := "ca-org"                    // The name of your company for your certificate authority.
	// ca_duration := int64(31536000)     // The validity of the certificate authority in seconds.

	ctx := context.Background()
	caClient, err := privateca.NewCertificateAuthorityClient(ctx)
	if err != nil {
		return fmt.Errorf("NewCertificateAuthorityClient creation failed: %w", err)
	}
	defer caClient.Close()

	// Set the types of Algorithm used to create a cloud KMS key.
	keySpec := &privatecapb.CertificateAuthority_KeyVersionSpec{
		KeyVersion: &privatecapb.CertificateAuthority_KeyVersionSpec_Algorithm{
			Algorithm: privatecapb.CertificateAuthority_RSA_PKCS1_2048_SHA256,
		},
	}

	// Set CA subject config.
	subjectConfig := &privatecapb.CertificateConfig_SubjectConfig{
		Subject: &privatecapb.Subject{
			CommonName:   caCommonName,
			Organization: org,
		},
	}

	// Set the key usage options for X.509 fields.
	isCa := true
	x509Parameters := &privatecapb.X509Parameters{
		KeyUsage: &privatecapb.KeyUsage{
			BaseKeyUsage: &privatecapb.KeyUsage_KeyUsageOptions{
				CrlSign:  true,
				CertSign: true,
			},
		},
		CaOptions: &privatecapb.X509Parameters_CaOptions{
			IsCa: &isCa,
		},
	}

	// Set certificate authority settings.
	// Type: SELF_SIGNED denotes that this CA is a root CA.
	ca := &privatecapb.CertificateAuthority{
		Type:    privatecapb.CertificateAuthority_SELF_SIGNED,
		KeySpec: keySpec,
		Config: &privatecapb.CertificateConfig{
			SubjectConfig: subjectConfig,
			X509Config:    x509Parameters,
		},
		Lifetime: &durationpb.Duration{
			Seconds: caDuration,
		},
	}

	fullCaPoolName := fmt.Sprintf("projects/%s/locations/%s/caPools/%s", projectId, location, caPoolId)

	// Create the CreateCertificateAuthorityRequest.
	// See https://pkg.go.dev/cloud.google.com/go/security/privateca/apiv1/privatecapb#CreateCertificateAuthorityRequest.
	req := &privatecapb.CreateCertificateAuthorityRequest{
		Parent:                 fullCaPoolName,
		CertificateAuthorityId: caId,
		CertificateAuthority:   ca,
	}

	op, err := caClient.CreateCertificateAuthority(ctx, req)
	if err != nil {
		return fmt.Errorf("CreateCertificateAuthority failed: %w", err)
	}

	if _, err = op.Wait(ctx); err != nil {
		return fmt.Errorf("CreateCertificateAuthority failed during wait: %w", err)
	}

	fmt.Fprintf(w, "CA %s created", caId)
	return nil
}

Java

To authenticate to CA Service, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.

import com.google.api.core.ApiFuture;
import com.google.cloud.security.privateca.v1.CaPoolName;
import com.google.cloud.security.privateca.v1.CertificateAuthority;
import com.google.cloud.security.privateca.v1.CertificateAuthority.KeyVersionSpec;
import com.google.cloud.security.privateca.v1.CertificateAuthority.SignHashAlgorithm;
import com.google.cloud.security.privateca.v1.CertificateAuthorityServiceClient;
import com.google.cloud.security.privateca.v1.CertificateConfig;
import com.google.cloud.security.privateca.v1.CertificateConfig.SubjectConfig;
import com.google.cloud.security.privateca.v1.CreateCertificateAuthorityRequest;
import com.google.cloud.security.privateca.v1.KeyUsage;
import com.google.cloud.security.privateca.v1.KeyUsage.KeyUsageOptions;
import com.google.cloud.security.privateca.v1.Subject;
import com.google.cloud.security.privateca.v1.X509Parameters;
import com.google.cloud.security.privateca.v1.X509Parameters.CaOptions;
import com.google.longrunning.Operation;
import com.google.protobuf.Duration;
import java.io.IOException;
import java.util.concurrent.ExecutionException;

public class CreateCertificateAuthority {

  public static void main(String[] args)
      throws InterruptedException, ExecutionException, IOException {
    // TODO(developer): Replace these variables before running the sample.
    // location: For a list of locations, see:
    // https://cloud.google.com/certificate-authority-service/docs/locations
    // poolId: Set it to the CA Pool under which the CA should be created.
    // certificateAuthorityName: Unique name for the CA.
    String project = "your-project-id";
    String location = "ca-location";
    String poolId = "ca-pool-id";
    String certificateAuthorityName = "certificate-authority-name";

    createCertificateAuthority(project, location, poolId, certificateAuthorityName);
  }

  // Create Certificate Authority which is the root CA in the given CA Pool.
  public static void createCertificateAuthority(
      String project, String location, String poolId, String certificateAuthorityName)
      throws InterruptedException, ExecutionException, IOException {
    // Initialize client that will be used to send requests. This client only needs to be created
    // once, and can be reused for multiple requests. After completing all of your requests, call
    // the `certificateAuthorityServiceClient.close()` method on the client to safely
    // clean up any remaining background resources.
    try (CertificateAuthorityServiceClient certificateAuthorityServiceClient =
        CertificateAuthorityServiceClient.create()) {

      String commonName = "common-name";
      String orgName = "org-name";
      int caDuration = 100000; // Validity of this CA in seconds.

      // Set the type of Algorithm.
      KeyVersionSpec keyVersionSpec =
          KeyVersionSpec.newBuilder().setAlgorithm(SignHashAlgorithm.RSA_PKCS1_4096_SHA256).build();

      // Set CA subject config.
      SubjectConfig subjectConfig =
          SubjectConfig.newBuilder()
              .setSubject(
                  Subject.newBuilder().setCommonName(commonName).setOrganization(orgName).build())
              .build();

      // Set the key usage options for X.509 fields.
      X509Parameters x509Parameters =
          X509Parameters.newBuilder()
              .setKeyUsage(
                  KeyUsage.newBuilder()
                      .setBaseKeyUsage(
                          KeyUsageOptions.newBuilder().setCrlSign(true).setCertSign(true).build())
                      .build())
              .setCaOptions(CaOptions.newBuilder().setIsCa(true).build())
              .build();

      // Set certificate authority settings.
      CertificateAuthority certificateAuthority =
          CertificateAuthority.newBuilder()
              // CertificateAuthority.Type.SELF_SIGNED denotes that this CA is a root CA.
              .setType(CertificateAuthority.Type.SELF_SIGNED)
              .setKeySpec(keyVersionSpec)
              .setConfig(
                  CertificateConfig.newBuilder()
                      .setSubjectConfig(subjectConfig)
                      .setX509Config(x509Parameters)
                      .build())
              // Set the CA validity duration.
              .setLifetime(Duration.newBuilder().setSeconds(caDuration).build())
              .build();

      // Create the CertificateAuthorityRequest.
      CreateCertificateAuthorityRequest certificateAuthorityRequest =
          CreateCertificateAuthorityRequest.newBuilder()
              .setParent(CaPoolName.of(project, location, poolId).toString())
              .setCertificateAuthorityId(certificateAuthorityName)
              .setCertificateAuthority(certificateAuthority)
              .build();

      // Create Certificate Authority.
      ApiFuture<Operation> futureCall =
          certificateAuthorityServiceClient
              .createCertificateAuthorityCallable()
              .futureCall(certificateAuthorityRequest);
      Operation response = futureCall.get();

      if (response.hasError()) {
        System.out.println("Error while creating CA !" + response.getError());
        return;
      }

      System.out.println(
          "Certificate Authority created successfully : " + certificateAuthorityName);
    }
  }
}

Python

To authenticate to CA Service, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.

import google.cloud.security.privateca_v1 as privateca_v1
from google.protobuf import duration_pb2


def create_certificate_authority(
    project_id: str,
    location: str,
    ca_pool_name: str,
    ca_name: str,
    common_name: str,
    organization: str,
    ca_duration: int,
) -> None:
    """
    Create Certificate Authority which is the root CA in the given CA Pool. This CA will be
    responsible for signing certificates within this pool.

    Args:
        project_id: project ID or project number of the Cloud project you want to use.
        location: location you want to use. For a list of locations,
            see: https://cloud.google.com/certificate-authority-service/docs/locations.
        ca_pool_name: set it to the CA Pool under which the CA should be created.
        ca_name: unique name for the CA.
        common_name: a title for your certificate authority.
        organization: the name of your company for your certificate authority.
        ca_duration: the validity of the certificate authority in seconds.
    """

    caServiceClient = privateca_v1.CertificateAuthorityServiceClient()

    # Set the types of Algorithm used to create a cloud KMS key.
    key_version_spec = privateca_v1.CertificateAuthority.KeyVersionSpec(
        algorithm=privateca_v1.CertificateAuthority.SignHashAlgorithm.RSA_PKCS1_4096_SHA256
    )

    # Set CA subject config.
    subject_config = privateca_v1.CertificateConfig.SubjectConfig(
        subject=privateca_v1.Subject(common_name=common_name, organization=organization)
    )

    # Set the key usage options for X.509 fields.
    x509_parameters = privateca_v1.X509Parameters(
        key_usage=privateca_v1.KeyUsage(
            base_key_usage=privateca_v1.KeyUsage.KeyUsageOptions(
                crl_sign=True,
                cert_sign=True,
            )
        ),
        ca_options=privateca_v1.X509Parameters.CaOptions(
            is_ca=True,
        ),
    )

    # Set certificate authority settings.
    certificate_authority = privateca_v1.CertificateAuthority(
        # CertificateAuthority.Type.SELF_SIGNED denotes that this CA is a root CA.
        type_=privateca_v1.CertificateAuthority.Type.SELF_SIGNED,
        key_spec=key_version_spec,
        config=privateca_v1.CertificateConfig(
            subject_config=subject_config,
            x509_config=x509_parameters,
        ),
        lifetime=duration_pb2.Duration(seconds=ca_duration),
    )

    ca_pool_path = caServiceClient.ca_pool_path(project_id, location, ca_pool_name)

    # Create the CertificateAuthorityRequest.
    request = privateca_v1.CreateCertificateAuthorityRequest(
        parent=ca_pool_path,
        certificate_authority_id=ca_name,
        certificate_authority=certificate_authority,
    )

    operation = caServiceClient.create_certificate_authority(request=request)
    result = operation.result()

    print("Operation result:", result)

REST API

  1. Create a root CA.

    HTTP method and URL:

    POST https://privateca.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/caPools/POOL_ID/certificateAuthorities?certificate_authority_id=ROOT_CA_ID

    Request JSON body:

    {
      "type": "SELF_SIGNED",
      "lifetime": {
        "seconds": 315576000,
        "nanos": 0
      },
      "config": {
        "subject_config": {
          "subject": {
            "organization": "ORGANIZATION_NAME",
            "common_name": "COMMON_NAME"
          }
        },
        "x509_config": {
          "ca_options": {
            "is_ca": true
          },
          "key_usage": {
            "base_key_usage": {
              "cert_sign": true,
              "crl_sign": true
            }
          }
        }
      },
      "key_spec": {
        "algorithm": "RSA_PKCS1_4096_SHA256"
      }
    }

    To send your request, expand one of these options:

    curl (Linux, macOS, or Cloud Shell)

    Save the request body in a file named request.json, and execute the following command:

    curl -X POST \
    -H "Authorization: Bearer $(gcloud auth print-access-token)" \
    -H "Content-Type: application/json; charset=utf-8" \
    -d @request.json \
    "https://privateca.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/caPools/POOL_ID/certificateAuthorities?certificate_authority_id=ROOT_CA_ID"

    PowerShell (Windows)

    Save the request body in a file named request.json, and execute the following command:

    $cred = gcloud auth print-access-token
    $headers = @{ "Authorization" = "Bearer $cred" }

    Invoke-WebRequest `
    -Method POST `
    -Headers $headers `
    -ContentType: "application/json; charset=utf-8" `
    -InFile request.json `
    -Uri "https://privateca.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/caPools/POOL_ID/certificateAuthorities?certificate_authority_id=ROOT_CA_ID" | Select-Object -Expand Content

    You should receive a JSON response similar to the following:

    {
      "name": "projects/PROJECT_ID/locations/LOCATION/operations/operation-UUID",
      "metadata": {...},
      "done": false
    }
  2. Poll the operation until it has completed.

    HTTP method and URL:

    GET https://privateca.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/operations/operation-UUID

    To send your request, expand one of these options:

    curl (Linux, macOS, or Cloud Shell)

    Execute the following command:

    curl -X GET \
    -H "Authorization: Bearer $(gcloud auth print-access-token)" \
    "https://privateca.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/operations/operation-UUID"

    PowerShell (Windows)

    Execute the following command:

    $cred = gcloud auth print-access-token
    $headers = @{ "Authorization" = "Bearer $cred" }

    Invoke-WebRequest `
    -Method GET `
    -Headers $headers `
    -Uri "https://privateca.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/operations/operation-UUID" | Select-Object -Expand Content

    You should receive a JSON response similar to the following:

    {
      "name": "projects/PROJECT_ID/locations/LOCATION/operations/operation-UUID",
      "metadata": {...},
      "done": true,
      "response": {
        "@type": "type.googleapis.com/google.cloud.security.privateca.v1.CertificateAuthority",
        "name": "..."
      }
    }

After you have verified that the CA works as expected, enable it. An enabled CA takes part in the load-balanced certificate issuance for its CA pool.

Enable a root CA

gcloud

To enable a root CA, run the following gcloud command:

gcloud privateca roots enable ROOT_CA_ID --pool=POOL_ID

Replace the following:

  • ROOT_CA_ID: The name of the CA.
  • POOL_ID: The name of the CA pool.

Terraform

If you use Terraform to create a root CA, the root CA is enabled on creation. To create a root CA in the STAGED state instead, set the desired_state field to STAGED when creating the CA.

You can set the desired_state field to ENABLED or DISABLED after CA creation.

Go

To authenticate to CA Service, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.

import (
	"context"
	"fmt"
	"io"

	privateca "cloud.google.com/go/security/privateca/apiv1"
	"cloud.google.com/go/security/privateca/apiv1/privatecapb"
)

// Enable the Certificate Authority present in the given ca pool.
// CA cannot be enabled if it has been already deleted.
func enableCa(w io.Writer, projectId string, location string, caPoolId string, caId string) error {
	// projectId := "your_project_id"
	// location := "us-central1"     // For a list of locations, see: https://cloud.google.com/certificate-authority-service/docs/locations.
	// caPoolId := "ca-pool-id"      // The id of the CA pool under which the CA is present.
	// caId := "ca-id"               // The id of the CA to be enabled.

	ctx := context.Background()
	caClient, err := privateca.NewCertificateAuthorityClient(ctx)
	if err != nil {
		return fmt.Errorf("NewCertificateAuthorityClient creation failed: %w", err)
	}
	defer caClient.Close()

	fullCaName := fmt.Sprintf("projects/%s/locations/%s/caPools/%s/certificateAuthorities/%s",
		projectId, location, caPoolId, caId)

	// Create the EnableCertificateAuthorityRequest.
	// See https://pkg.go.dev/cloud.google.com/go/security/privateca/apiv1/privatecapb#EnableCertificateAuthorityRequest.
	req := &privatecapb.EnableCertificateAuthorityRequest{Name: fullCaName}

	op, err := caClient.EnableCertificateAuthority(ctx, req)
	if err != nil {
		return fmt.Errorf("EnableCertificateAuthority failed: %w", err)
	}

	var caResp *privatecapb.CertificateAuthority
	if caResp, err = op.Wait(ctx); err != nil {
		return fmt.Errorf("EnableCertificateAuthority failed during wait: %w", err)
	}

	if caResp.State != privatecapb.CertificateAuthority_ENABLED {
		return fmt.Errorf("unable to enable Certificate Authority. Current state: %s", caResp.State.String())
	}

	fmt.Fprintf(w, "Successfully enabled Certificate Authority: %s.", caId)
	return nil
}

Java

To authenticate to CA Service, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.

import com.google.api.core.ApiFuture;
import com.google.cloud.security.privateca.v1.CertificateAuthority.State;
import com.google.cloud.security.privateca.v1.CertificateAuthorityName;
import com.google.cloud.security.privateca.v1.CertificateAuthorityServiceClient;
import com.google.cloud.security.privateca.v1.EnableCertificateAuthorityRequest;
import com.google.longrunning.Operation;
import java.io.IOException;
import java.util.concurrent.ExecutionException;

public class EnableCertificateAuthority {

  public static void main(String[] args)
      throws InterruptedException, ExecutionException, IOException {
    // TODO(developer): Replace these variables before running the sample.
    // location: For a list of locations, see:
    // https://cloud.google.com/certificate-authority-service/docs/locations
    // poolId: The id of the CA pool under which the CA is present.
    // certificateAuthorityName: The name of the CA to be enabled.
    String project = "your-project-id";
    String location = "ca-location";
    String poolId = "ca-pool-id";
    String certificateAuthorityName = "certificate-authority-name";

    enableCertificateAuthority(project, location, poolId, certificateAuthorityName);
  }

  // Enable the Certificate Authority present in the given ca pool.
  // CA cannot be enabled if it has been already deleted.
  public static void enableCertificateAuthority(
      String project, String location, String poolId, String certificateAuthorityName)
      throws IOException, ExecutionException, InterruptedException {
    try (CertificateAuthorityServiceClient certificateAuthorityServiceClient =
        CertificateAuthorityServiceClient.create()) {

      // Create the Certificate Authority Name.
      CertificateAuthorityName certificateAuthorityParent =
          CertificateAuthorityName.newBuilder()
              .setProject(project)
              .setLocation(location)
              .setCaPool(poolId)
              .setCertificateAuthority(certificateAuthorityName)
              .build();

      // Create the Enable Certificate Authority Request.
      EnableCertificateAuthorityRequest enableCertificateAuthorityRequest =
          EnableCertificateAuthorityRequest.newBuilder()
              .setName(certificateAuthorityParent.toString())
              .build();

      // Enable the Certificate Authority.
      ApiFuture<Operation> futureCall =
          certificateAuthorityServiceClient
              .enableCertificateAuthorityCallable()
              .futureCall(enableCertificateAuthorityRequest);
      Operation response = futureCall.get();

      if (response.hasError()) {
        System.out.println("Error while enabling Certificate Authority !" + response.getError());
        return;
      }

      // Get the current CA state.
      State caState =
          certificateAuthorityServiceClient
              .getCertificateAuthority(certificateAuthorityParent)
              .getState();

      // Check if the CA is enabled.
      if (caState == State.ENABLED) {
        System.out.println("Enabled Certificate Authority : " + certificateAuthorityName);
      } else {
        System.out.println(
            "Cannot enable the Certificate Authority ! Current CA State: " + caState);
      }
    }
  }
}

Python

To authenticate to CA Service, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.

import google.cloud.security.privateca_v1 as privateca_v1


def enable_certificate_authority(
    project_id: str, location: str, ca_pool_name: str, ca_name: str
) -> None:
    """
    Enable the Certificate Authority present in the given ca pool.
    CA cannot be enabled if it has been already deleted.

    Args:
        project_id: project ID or project number of the Cloud project you want to use.
        location: location you want to use. For a list of locations,
            see: https://cloud.google.com/certificate-authority-service/docs/locations.
        ca_pool_name: the name of the CA pool under which the CA is present.
        ca_name: the name of the CA to be enabled.
    """

    caServiceClient = privateca_v1.CertificateAuthorityServiceClient()
    ca_path = caServiceClient.certificate_authority_path(
        project_id, location, ca_pool_name, ca_name
    )

    # Create the Enable Certificate Authority Request.
    request = privateca_v1.EnableCertificateAuthorityRequest(
        name=ca_path,
    )

    # Enable the Certificate Authority.
    operation = caServiceClient.enable_certificate_authority(request=request)
    operation.result()

    # Get the current CA state.
    ca_state = caServiceClient.get_certificate_authority(name=ca_path).state

    # Check if the CA is enabled.
    if ca_state == privateca_v1.CertificateAuthority.State.ENABLED:
        print("Enabled Certificate Authority:", ca_name)
    else:
        print("Cannot enable the Certificate Authority ! Current CA State:", ca_state)

REST API

  1. Enable the CA to issue certificates from the CA pool.

    HTTP method and URL:

    POST https://privateca.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/caPools/POOL_ID/certificateAuthorities/ROOT_CA_ID:enable

    To send your request, expand one of these options:

    curl (Linux, macOS, or Cloud Shell)

    Execute the following command:

    curl -X POST \
    -H "Authorization: Bearer $(gcloud auth print-access-token)" \
    -H "Content-Type: application/json; charset=utf-8" \
    -d "" \
    "https://privateca.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/caPools/POOL_ID/certificateAuthorities/ROOT_CA_ID:enable"

    PowerShell (Windows)

    Execute the following command:

    $cred = gcloud auth print-access-token
    $headers = @{ "Authorization" = "Bearer $cred" }

    Invoke-WebRequest `
    -Method POST `
    -Headers $headers `
    -Uri "https://privateca.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/caPools/POOL_ID/certificateAuthorities/ROOT_CA_ID:enable" | Select-Object -Expand Content

    You should receive a JSON response similar to the following:

    {
      "name": "projects/PROJECT_ID/locations/LOCATION/operations/operation-UUID",
      "metadata": {...},
      "done": false
    }
  2. Poll the operation until it has completed.

    HTTP method and URL:

    GET https://privateca.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/operations/operation-UUID

    To send your request, expand one of these options:

    curl (Linux, macOS, or Cloud Shell)

    Execute the following command:

    curl -X GET \
    -H "Authorization: Bearer $(gcloud auth print-access-token)" \
    "https://privateca.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/operations/operation-UUID"

    PowerShell (Windows)

    Execute the following command:

    $cred = gcloud auth print-access-token
    $headers = @{ "Authorization" = "Bearer $cred" }

    Invoke-WebRequest `
    -Method GET `
    -Headers $headers `
    -Uri "https://privateca.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/operations/operation-UUID" | Select-Object -Expand Content

    You should receive a JSON response similar to the following:

    {
      "name": "projects/PROJECT_ID/locations/LOCATION/operations/operation-UUID",
      "metadata": {...},
      "done": true,
      "response": {
        "@type": "type.googleapis.com/google.cloud.security.privateca.v1.CertificateAuthority",
        "name": "..."
      }
    }

Test a CA

To verify that a CA is able to issue certificates, request a certificate from the associated CA pool and explicitly name the CA you want to test using the --ca flag. Without --ca, the pool may route the request to any enabled CA in it, so the result would not tell you anything about the specific CA.

You can use the following methods to request a certificate from a CA pool:

  1. Have CA Service create a private or public key for you.
  2. Generate your own private or public key and submit a Certificate Signing Request (CSR).

It is easier to use an auto-generated private key or public key to request a certificate from a CA in a CA pool. This section describes how to test a CA using that method.

To use an auto-generated private key or public key to request a certificate from a CA in a CA pool, run the following gcloud command:

gcloud privateca certificates create \
  --issuer-pool=POOL_ID \
  --ca=ROOT_CA_ID \
  --generate-key \
  --key-output-file=KEY_FILENAME \
  --cert-output-file=CERT_FILENAME \
  --dns-san=DNS_NAME

Replace the following:

  • POOL_ID: The name of the CA pool.
  • ROOT_CA_ID: The unique identifier of the CA that you want to test.
  • KEY_FILENAME: The file where the generated key is written in PEM format.
  • CERT_FILENAME: The file where the resulting PEM-encoded certificate chain file is written. The order of the certificate chain is from leaf to root.
  • DNS_NAME: One or more comma-separated DNS Subject Alternative Names (SANs).

    The --generate-key flag generates a new RSA-2048 private key on your machine.
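Before trusting the CA in production, a defender usually wants proof that the leaf in CERT_FILENAME really chains to the intended self-signed root and carries the requested DNS SAN. The POSIX shell script below is an added example, not code from the Google Cloud documentation: it splits the leaf-to-root chain file, checks that the last block is self-signed, verifies the leaf against it with the openssl CLI (assumed to be installed), and confirms the SAN; the make_sample_chain helper builds a throwaway root and leaf with openssl as constructed stand-in data, and all function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the Google Cloud page: check the chain file that
# `gcloud privateca certificates create --cert-output-file=CERT_FILENAME` writes.
# The page states the chain runs leaf to root, so block 1 is the leaf and the
# last block is the self-signed root. Needs the openssl CLI; names are assumed.
set -eu

# split_chain CHAIN_FILE OUT_DIR: writes cert-1.pem (leaf) .. cert-N.pem (root), prints N
split_chain() {
  awk -v dir="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert-" n ".pem" }
    n { print > f }
    /-----END CERTIFICATE-----/ { close(f) }
    END { print n + 0 }' "$1"
}

# verify_chain CHAIN_FILE DNS_NAME: succeeds only if the last block is
# self-signed, the leaf chains to it (middle blocks are passed as untrusted
# intermediates, never as anchors), and the leaf carries DNS_NAME as a SAN.
verify_chain() {
  chain="$1"; dns="$2"; dir=$(mktemp -d)
  n=$(split_chain "$chain" "$dir")
  [ "$n" -ge 2 ] || return 1
  leaf="$dir/cert-1.pem"; root="$dir/cert-$n.pem"
  subj=$(openssl x509 -in "$root" -noout -subject | sed 's/^subject=//')
  iss=$(openssl x509 -in "$root" -noout -issuer | sed 's/^issuer=//')
  [ "$subj" = "$iss" ] || return 1                # root must be self-signed
  inter=""; i=2
  while [ "$i" -lt "$n" ]; do inter="$inter -untrusted $dir/cert-$i.pem"; i=$((i + 1)); done
  openssl verify -CAfile "$root" $inter "$leaf" >/dev/null 2>&1 || return 1
  openssl x509 -in "$leaf" -noout -text | grep -qw "DNS:$dns" || return 1
  rm -rf "$dir"
}

# make_sample_chain: constructed test data standing in for CA Service output,
# a throwaway self-signed root plus one leaf for example.test, leaf first.
make_sample_chain() {
  d=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Example Root CA" \
    -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=example.test" \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  printf 'subjectAltName=DNS:example.test\nbasicConstraints=CA:FALSE\n' > "$d/ext"
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -days 1 -extfile "$d/ext" -out "$d/leaf.pem" 2>/dev/null
  cat "$d/leaf.pem" "$d/root.pem" > "$d/chain.pem"
  echo "$d/chain.pem"
}

# stand-alone use: sh check_chain.sh CERT_FILENAME DNS_NAME (exits nonzero on failure)
if [ "$#" -eq 2 ]; then verify_chain "$1" "$2"; echo "chain OK"; fi
```

Run it as `sh check_chain.sh CERT_FILENAME DNS_NAME` against the file gcloud wrote; a nonzero exit means the chain is out of order, does not end in a self-signed root, or lacks the SAN.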

To use a Certificate Signing Request (CSR) to request a certificate from a CA in a CA pool, or for more information about requesting certificates, see Request a certificate and view issued certificates.

Clone certificate authorities

To clone an existing CA, either to renew that CA or to create a new CA with the same configuration, run the following command:

gcloud privateca roots create NEW_CA_ID --pool=POOL_ID \
  --from-ca=EXISTING_CA_ID \
  --key-algorithm "ec-p384-sha384"

Replace the following:

  • NEW_CA_ID: The unique identifier of the new CA.
  • POOL_ID: The name of the CA pool in which you want to create the new CA.
  • EXISTING_CA_ID: The unique identifier of the CA to clone.

The --from-ca flag is supported for root and subordinate CA creation. The existing CA must be in the same CA pool as the new CA.

The --from-ca flag copies all CA configuration from the existing CA (except for the Cloud KMS key version and Cloud Storage bucket). However, you can still override any of the configuration values in the new CA by explicitly providing the appropriate flag. For example, you can still specify --subject SUBJECT to use a new subject, or --key-algorithm as in the command above to choose a different key algorithm.

If you omit the --key-algorithm flag, the algorithm defaults to:

  • rsa-pkcs1-4096-sha256 for root CAs.
  • rsa-pkcs1-2048-sha256 for subordinate CAs.

For more information about this gcloud command, see gcloud privateca roots create.

What's next

  • Learn how to create a subordinate CA.
  • Learn how to request certificates.
  • Learn about templates and issuance policies.

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2024-09-10 UTC.
