Certificate profiles

This topic provides certificate profiles that you can use for various certificate issuance scenarios. You can reference these certificate profiles when creating a certificate or a certificate authority (CA) using the Google Cloud CLI or the Google Cloud console.

Use the gcloud references specified in this document along with the --use-preset-profile flag to utilize the certificate profile that fits your needs.

Unconstrained

Unconstrained certificate profiles add no constraints or limits.

Root unconstrained

Accessible as: root_unconstrained

The following certificate profile has neither extended key usage nor path-length constraints.

This CA can issue any type of certificate, including subordinate CAs. These values are appropriate for a self-signed root CA but you can also use them for an unconstrained subordinate CA.

keyUsage:
  baseKeyUsage:
    certSign: true
    crlSign: true
caOptions:
  isCa: true

Subordinate unconstrained with path length of zero

Accessible as: subordinate_unconstrained_pathlen_0

You can use the following certificate profile to configure a CA that has no Extended Key Usage (EKU) constraints, but has a path-length restriction that doesn't allow the issuing of any subordinate CAs. These values are appropriate for CAs issuing end-entity certificates.

keyUsage:
  baseKeyUsage:
    certSign: true
    crlSign: true
caOptions:
  isCa: true
  maxIssuerPathLength: 0

Mutual TLS

Mutual Transport Layer Security (mTLS) certificates can be used for server TLS, client TLS, or mutual TLS authentication.

Subordinate mTLS

Accessible as: subordinate_mtls_pathlen_0

You can use the following certificate profile to configure a CA that can issue end-entity certificates usable for server TLS, client TLS, or mutual TLS authentication. This certificate profile has a path-length restriction that does not allow further subordinate CAs. These values are appropriate for a subordinate CA but they can also be used for a self-signed CA that directly issues end-entity certificates.

keyUsage:
  baseKeyUsage:
    certSign: true
    crlSign: true
  extendedKeyUsage:
    serverAuth: true
    clientAuth: true
caOptions:
  isCa: true
  maxIssuerPathLength: 0

End-entity mTLS

Accessible as: leaf_mtls

You can use the following certificate profile to configure end-entity certificates that are compatible with client TLS, server TLS, or mTLS. For example, SPIFFE certificates.

keyUsage:
  baseKeyUsage:
    digitalSignature: true
    keyEncipherment: true
  extendedKeyUsage:
    serverAuth: true
    clientAuth: true
caOptions:
  isCa: false

Client TLS

Client TLS certificates are used to authenticate a client.

Subordinate client TLS

Accessible as: subordinate_client_tls_pathlen_0

You can use the following certificate profile to configure a CA that can issue end-entity certificates usable for client TLS. This certificate profile has a path-length restriction that does not allow further subordinate CAs. These values are appropriate for a subordinate CA but they can also be used for a self-signed CA that directly issues end-entity certificates.

keyUsage:
  baseKeyUsage:
    certSign: true
    crlSign: true
  extendedKeyUsage:
    clientAuth: true
caOptions:
  isCa: true
  maxIssuerPathLength: 0

End-entity client TLS

Accessible as: leaf_client_tls

You can use the following certificate profile to configure end-entity certificates that are compatible with client TLS. For example, a client authenticating itself to a TLS firewall.

keyUsage:
  baseKeyUsage:
    digitalSignature: true
    keyEncipherment: true
  extendedKeyUsage:
    clientAuth: true
caOptions:
  isCa: false

Server TLS

Server TLS certificates are used to authenticate a server.

Subordinate server TLS

Accessible as: subordinate_server_tls_pathlen_0

You can use the following certificate profile to configure a CA that can issue end-entity certificates usable for server TLS. This certificate profile has a path-length restriction that does not allow further subordinate CAs. These values are appropriate for a subordinate CA but they can also be used for a self-signed CA that directly issues end-entity certificates.

keyUsage:
  baseKeyUsage:
    certSign: true
    crlSign: true
  extendedKeyUsage:
    serverAuth: true
caOptions:
  isCa: true
  maxIssuerPathLength: 0

End-entity server TLS

Accessible as: leaf_server_tls

You can use the following certificate profile to configure end-entity certificates that are compatible with server TLS.

keyUsage:
  baseKeyUsage:
    digitalSignature: true
    keyEncipherment: true
  extendedKeyUsage:
    serverAuth: true
caOptions:
  isCa: false

Code signing

Digital signatures are used for code authentication.

Subordinate code signing

Accessible as: subordinate_code_signing_pathlen_0

You can use the following certificate profile to configure a CA that can issue end-entity certificates usable for code signing. This certificate profile has a path-length restriction that does not allow further subordinate CAs. These values are appropriate for a subordinate CA but they can also work for a self-signed CA that directly issues end-entity certificates.

keyUsage:
  baseKeyUsage:
    certSign: true
    crlSign: true
  extendedKeyUsage:
    codeSigning: true
caOptions:
  isCa: true
  maxIssuerPathLength: 0

End-entity code signing

Accessible as: leaf_code_signing

You can use the following certificate profile to configure end-entity certificates that are compatible with code signing.

keyUsage:
  baseKeyUsage:
    digitalSignature: true
    contentCommitment: true
  extendedKeyUsage:
    codeSigning: true
caOptions:
  isCa: false

S/MIME

S/MIME is an email-signing protocol that helps improve email security.

Subordinate S/MIME

Accessible as: subordinate_smime_pathlen_0

You can use the following certificate profile to configure a CA that can issue end-entity certificates usable for S/MIME. This certificate profile has a path-length restriction that does not allow further subordinate CAs. These values are appropriate for a subordinate CA but they can also be used for a self-signed CA that directly issues end-entity certificates.

keyUsage:
  baseKeyUsage:
    certSign: true
    crlSign: true
  extendedKeyUsage:
    emailProtection: true
caOptions:
  isCa: true
  maxIssuerPathLength: 0

End-entity S/MIME

Accessible as: leaf_smime

You can use the following certificate profile to configure end-entity certificates that are compatible with S/MIME. S/MIME is often used for end-to-end email integrity or encryption.

keyUsage:
  baseKeyUsage:
    digitalSignature: true
    contentCommitment: true
  extendedKeyUsage:
    emailProtection: true
caOptions:
  isCa: false

What's next