Issue a certificate using the Google Cloud CLI

This page explains how you can create a certificate authority (CA) pool and issue a certificate using the Google Cloud CLI.

CA Service lets you deploy and manage private CAs without managing infrastructure.

Before you begin

  • Install the Google Cloud CLI, then initialize it by running the following command:

    gcloud init

  • Create or select a Google Cloud project.

    • Create a Google Cloud project:

      gcloud projects create PROJECT_ID

      Replace PROJECT_ID with a name for the Google Cloud project you are creating.

    • Select the Google Cloud project that you created:

      gcloud config set project PROJECT_ID

      Replace PROJECT_ID with your Google Cloud project name.

  • Enable the Certificate Authority Service API:

    gcloud services enable privateca.googleapis.com

  • Make sure that billing is enabled for your Google Cloud project.

  • Configure a default location for use in the gcloud commands in this quickstart.

    gcloud config set privateca/location LOCATION

    CA Service resources, such as CA pools and CAs, live in a single Google Cloud location that you cannot change after creating these resources.

Create a CA pool

A certificate authority (CA) pool is a collection of multiple CAs. A CA pool provides the ability to rotate trust chains without any outage or downtime for workloads.

To create a CA pool in the Enterprise tier, run the following command:

gcloud privateca pools create POOL_ID --tier "enterprise"

Replace POOL_ID with the name of the CA pool.

The names of all CA Service resources must contain only the allowed characters: letters, numbers, hyphens, and underscores. The maximum allowed length of a name is 63 characters.

Create a root CA

A CA pool is empty on creation. To request certificates from a CA pool, you must add a CA to it.

To create a root CA and add it to the CA pool you created, run the following command:

gcloud privateca roots create CA_ID --pool POOL_ID --subject "CN=Example Prod Root CA, O=Google"

Replace the following:

  • CA_ID: The name of the root CA.
  • POOL_ID: The name of the CA pool.

CA Service returns the following output when it creates the root CA:

Created Certificate Authority [projects/PROJECT_ID/locations/LOCATION/caPools/POOL_ID/certificateAuthorities/CA_ID]

Enable the root CA by entering y when prompted by the gcloud CLI.

Now that you have a CA pool with a root CA, you can proceed to creating certificates.

Create a certificate

To use the newly created CA to create a certificate, do the following:

  1. Install the Pyca cryptography library using the pip command.

      pip install --user "cryptography>=2.2.0"

    CA Service uses the Pyca cryptography library to generate and store a new asymmetric key pair on your local machine. This key is never sent to CA Service.

  2. To allow the Google Cloud SDK to use the Pyca cryptography library, you must enable site packages.

    macOS or Linux

      export CLOUDSDK_PYTHON_SITEPACKAGES=1

    Windows

      set CLOUDSDK_PYTHON_SITEPACKAGES=1

  3. Create a certificate.

      gcloud privateca certificates create \
          --issuer-pool POOL_ID \
          --subject "CN=Example Prod,O=Google" \
          --generate-key \
          --key-output-file=./key \
          --cert-output-file=./cert.pem

    Replace POOL_ID with the resource ID of the CA pool you created.

    CA Service returns the following response:

      Created Certificate [projects/PROJECT_ID/locations/LOCATION/caPools/POOL_ID/certificates/CERTIFICATE_ID]

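The following script is an added example and is not part of the Google Cloud documentation. It runs the quickstart steps above in order, but first checks that POOL_ID and CA_ID satisfy the CA Service naming rule, and, after issuance, verifies that ./cert.pem actually chains to a CA in the pool before the certificate is used anywhere. The --auto-enable flag (standing in for the interactive y prompt) and the `gcloud privateca pools get-ca-certs` command are assumptions; the name-validation logic needs no network and can be run on its own.

```shell
#!/usr/bin/env bash
# Added example, not the Google Cloud docs' own script.
set -eu

# CA Service resource names: only letters, digits, hyphens and underscores,
# non-empty, and at most 63 characters (rule stated in the quickstart).
valid_resource_name() {
  name="$1"
  [ -n "$name" ] || return 1
  [ "${#name}" -le 63 ] || return 1
  case "$name" in
    *[!A-Za-z0-9_-]*) return 1 ;;   # any other character is rejected
  esac
  return 0
}

# Run the quickstart end to end, then prove the issued leaf chains to the pool.
issue_and_verify() {
  pool="$1"; ca="$2"
  valid_resource_name "$pool" || { echo "invalid POOL_ID: $pool" >&2; return 1; }
  valid_resource_name "$ca"   || { echo "invalid CA_ID: $ca" >&2; return 1; }

  gcloud privateca pools create "$pool" --tier "enterprise"
  # Assumption: --auto-enable replaces answering y at the enable prompt.
  gcloud privateca roots create "$ca" --pool "$pool" \
      --subject "CN=Example Prod Root CA, O=Google" --auto-enable

  # The key pair is generated locally by Pyca; site packages must be visible.
  export CLOUDSDK_PYTHON_SITEPACKAGES=1
  gcloud privateca certificates create \
      --issuer-pool "$pool" \
      --subject "CN=Example Prod,O=Google" \
      --generate-key \
      --key-output-file=./key \
      --cert-output-file=./cert.pem
  chmod 600 ./key   # the private key never leaves this machine; keep it private here too

  # Assumption: this gcloud command writes the pool's CA certificates as PEM.
  gcloud privateca pools get-ca-certs "$pool" --output-file=./ca-certs.pem
  # Fail loudly if the leaf does not chain to a CA in the pool.
  openssl verify -CAfile ./ca-certs.pem ./cert.pem
}

# Only touch Google Cloud when explicitly asked, e.g.
#   RUN_QUICKSTART=1 POOL_ID=my-pool CA_ID=my-root-ca ./issue.sh
if [ "${RUN_QUICKSTART:-0}" = "1" ]; then
  issue_and_verify "${POOL_ID:?set POOL_ID}" "${CA_ID:?set CA_ID}"
fi
```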

Clean up

Clean up by deleting the CA pool, the CA, and the project you created for this quickstart.

  1. Revoke the certificate.

    To revoke a certificate, run the following command:

      gcloud privateca certificates revoke --certificate CERT_NAME --issuer-pool POOL_ID

    Replace the following:

    • CERT_NAME: The name of the certificate you want to revoke.
    • POOL_ID: The name of the CA pool that issued the certificate.
  2. Delete the CA.

    You can delete a CA only after you have revoked all the certificates issued by it.

    1. Disable the CA.

      gcloud privateca roots disable CA_ID --pool=POOL_ID

      Replace the following:

      • CA_ID: The resource ID of the CA.
      • POOL_ID: The resource ID of the CA pool.
    2. Delete the CA.

      gcloud privateca roots delete CA_ID --pool=POOL_ID


    The CA state changes to Deleted. CA Service permanently deletes the CA 30 days after you initiate the deletion.

  3. Delete the CA pool.

    You can delete a CA pool only after the CA in it is permanently deleted.

    gcloud privateca pools delete POOL_ID

  4. Delete the project.

      Delete a Google Cloud project:

      gcloud projects delete PROJECT_ID
