
Certificate profiles

This topic provides certificate profiles that you can use for various certificate issuance scenarios. You can reference these certificate profiles when creating a certificate or a certificate authority (CA) using the Google Cloud CLI or the Google Cloud console.

Use the gcloud references specified in this document together with the --use-preset-profile flag to apply the certificate profile that fits your needs.

Unconstrained

Unconstrained certificate profiles add no constraints or limits.

Root unconstrained

Accessible as: root_unconstrained

The following certificate profile has neither extended key usage nor path-length constraints.

This CA can issue any type of certificate, including subordinate CAs. These values are appropriate for a self-signed root CA but you can also use them for an unconstrained subordinate CA.

keyUsage:
  baseKeyUsage:
    certSign: true
    crlSign: true
caOptions:
  isCa: true

Subordinate unconstrained with path length of zero

Accessible as: subordinate_unconstrained_pathlen_0

You can use the following certificate profile to configure a CA that has no Extended Key Usage (EKU) constraints, but has a path-length restriction that doesn't allow the issuing of any subordinate CAs. These values are appropriate for CAs issuing end-entity certificates.

keyUsage:
  baseKeyUsage:
    certSign: true
    crlSign: true
caOptions:
  isCa: true
  maxIssuerPathLength: 0

Mutual TLS

Mutual Transport Layer Security (mTLS) certificates can be used for server TLS, client TLS, or mutual TLS authentication.

Subordinate mTLS

Accessible as: subordinate_mtls_pathlen_0

You can use the following certificate profile to configure a CA that can issue end-entity certificates usable for server TLS, client TLS, or mutual TLS authentication. This certificate profile has a path-length restriction that does not allow further subordinate CAs. These values are appropriate for a subordinate CA but they can also be used for a self-signed CA that directly issues end-entity certificates.

keyUsage:
  baseKeyUsage:
    certSign: true
    crlSign: true
  extendedKeyUsage:
    serverAuth: true
    clientAuth: true
caOptions:
  isCa: true
  maxIssuerPathLength: 0

End-entity mTLS

Accessible as: leaf_mtls

You can use the following certificate profile to configure end-entity certificates that are compatible with client TLS, server TLS, or mTLS, for example SPIFFE certificates.

keyUsage:
  baseKeyUsage:
    digitalSignature: true
    keyEncipherment: true
  extendedKeyUsage:
    serverAuth: true
    clientAuth: true
caOptions:
  isCa: false

Client TLS

Client TLS certificates are used to authenticate a client.

Subordinate client TLS

Accessible as: subordinate_client_tls_pathlen_0

You can use the following certificate profile to configure a CA that can issue end-entity certificates usable for client TLS. This certificate profile has a path-length restriction that does not allow further subordinate CAs. These values are appropriate for a subordinate CA but they can also be used for a self-signed CA that directly issues end-entity certificates.

keyUsage:
  baseKeyUsage:
    certSign: true
    crlSign: true
  extendedKeyUsage:
    clientAuth: true
caOptions:
  isCa: true
  maxIssuerPathLength: 0

End-entity client TLS

Accessible as: leaf_client_tls

You can use the following certificate profile to configure end-entity certificates that are compatible with client TLS, for example a client authenticating itself to a TLS firewall.

keyUsage:
  baseKeyUsage:
    digitalSignature: true
    keyEncipherment: true
  extendedKeyUsage:
    clientAuth: true
caOptions:
  isCa: false

Server TLS

Server TLS certificates are used to authenticate a server.

Subordinate server TLS

Accessible as: subordinate_server_tls_pathlen_0

You can use the following certificate profile to configure a CA that can issue end-entity certificates usable for server TLS. This certificate profile has a path-length restriction that does not allow further subordinate CAs. These values are appropriate for a subordinate CA but they can also be used for a self-signed CA that directly issues end-entity certificates.

keyUsage:
  baseKeyUsage:
    certSign: true
    crlSign: true
  extendedKeyUsage:
    serverAuth: true
caOptions:
  isCa: true
  maxIssuerPathLength: 0

End-entity server TLS

Accessible as: leaf_server_tls

You can use the following certificate profile to configure end-entity certificates that are compatible with server TLS.

keyUsage:
  baseKeyUsage:
    digitalSignature: true
    keyEncipherment: true
  extendedKeyUsage:
    serverAuth: true
caOptions:
  isCa: false

Code signing

Code-signing certificates are used to produce digital signatures that authenticate code.

Subordinate code signing

Accessible as: subordinate_code_signing_pathlen_0

You can use the following certificate profile to configure a CA that can issue end-entity certificates usable for code signing. This certificate profile has a path-length restriction that does not allow further subordinate CAs. These values are appropriate for a subordinate CA but they can also work for a self-signed CA that directly issues end-entity certificates.

keyUsage:
  baseKeyUsage:
    certSign: true
    crlSign: true
  extendedKeyUsage:
    codeSigning: true
caOptions:
  isCa: true
  maxIssuerPathLength: 0

End-entity code signing

Accessible as: leaf_code_signing

You can use the following certificate profile to configure end-entity certificates that are compatible with code signing.

keyUsage:
  baseKeyUsage:
    digitalSignature: true
    contentCommitment: true
  extendedKeyUsage:
    codeSigning: true
caOptions:
  isCa: false

S/MIME

S/MIME is an email signing and encryption standard that helps improve email security.

Subordinate S/MIME

Accessible as: subordinate_smime_pathlen_0

You can use the following certificate profile to configure a CA that can issue end-entity certificates usable for S/MIME. This certificate profile has a path-length restriction that does not allow further subordinate CAs. These values are appropriate for a subordinate CA but they can also be used for a self-signed CA that directly issues end-entity certificates.

keyUsage:
  baseKeyUsage:
    certSign: true
    crlSign: true
  extendedKeyUsage:
    emailProtection: true
caOptions:
  isCa: true
  maxIssuerPathLength: 0

End-entity S/MIME

Accessible as: leaf_smime

You can use the following certificate profile to configure end-entity certificates that are compatible with S/MIME. S/MIME is often used for end-to-end email integrity or encryption.

keyUsage:
  baseKeyUsage:
    digitalSignature: true
    contentCommitment: true
  extendedKeyUsage:
    emailProtection: true
caOptions:
  isCa: false
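The profiles above are only useful if the CA you pick can actually issue the leaf you want. The following added example (not part of the Google Cloud documentation or the CA Service code) encodes several of the page's presets as dicts and checks an issuer/subject pair against the page's own rules: the issuer must be a CA with certSign, and a path length of 0 forbids issuing further subordinate CAs. It also applies an assumed nested-EKU rule (a subject's EKUs must be a subset of the issuer's when the issuer has any), which RFC 5280 does not require but many validators enforce.

```python
# Added example: sanity-check which preset profile can issue which.
# The nested-EKU rule below is an assumption about common validator
# behaviour, not a requirement of the profiles or of RFC 5280.

def profile(is_ca, base_ku, ekus=(), path_len=None):
    """Build a profile dict in the page's shape (keyUsage / caOptions)."""
    p = {"keyUsage": {"baseKeyUsage": {k: True for k in base_ku}},
         "caOptions": {"isCa": is_ca}}
    if ekus:
        p["keyUsage"]["extendedKeyUsage"] = {e: True for e in ekus}
    if path_len is not None:
        p["caOptions"]["maxIssuerPathLength"] = path_len
    return p

CA_KU = ("certSign", "crlSign")
LEAF_TLS_KU = ("digitalSignature", "keyEncipherment")
LEAF_SIGN_KU = ("digitalSignature", "contentCommitment")

# A subset of the presets listed on this page, transcribed verbatim.
PROFILES = {
    "root_unconstrained": profile(True, CA_KU),
    "subordinate_unconstrained_pathlen_0": profile(True, CA_KU, path_len=0),
    "subordinate_mtls_pathlen_0": profile(True, CA_KU, ("serverAuth", "clientAuth"), 0),
    "subordinate_server_tls_pathlen_0": profile(True, CA_KU, ("serverAuth",), 0),
    "leaf_mtls": profile(False, LEAF_TLS_KU, ("serverAuth", "clientAuth")),
    "leaf_server_tls": profile(False, LEAF_TLS_KU, ("serverAuth",)),
    "leaf_code_signing": profile(False, LEAF_SIGN_KU, ("codeSigning",)),
}

def ekus(p):
    """Set of EKU names enabled in a profile (empty means unconstrained)."""
    return {k for k, v in p["keyUsage"].get("extendedKeyUsage", {}).items() if v}

def issuance_violations(issuer, subject):
    """Reasons `issuer` cannot issue a cert shaped like `subject`; [] if it can."""
    problems = []
    ica, iku = issuer["caOptions"], issuer["keyUsage"]["baseKeyUsage"]
    if not ica.get("isCa") or not iku.get("certSign"):
        problems.append("issuer is not a CA with certSign")
    if subject["caOptions"].get("isCa") and ica.get("maxIssuerPathLength") == 0:
        problems.append("issuer path length 0 forbids subordinate CAs")
    # Assumed rule: many validators reject a leaf EKU the issuing CA lacks.
    missing = ekus(subject) - ekus(issuer) if ekus(issuer) else set()
    if missing:
        problems.append("subject EKU not nested in issuer EKU: %s" % sorted(missing))
    return problems
```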

What's next