Certificate profiles
This topic provides certificate profiles that you can use for various certificate issuance scenarios. You can reference these certificate profiles when creating a certificate or a certificate authority (CA) using the Google Cloud CLI or the Google Cloud console.
Use the gcloud references specified in this document along with the --use-preset-profile flag to select the certificate profile that fits your needs.
Unconstrained
Unconstrained certificate profiles place no extended key usage or path-length limits on what the CA can issue.
Root unconstrained
Accessible as: root_unconstrained
The following certificate profile has neither extended key usage nor path-length constraints.
This CA can issue any type of certificate, including subordinate CAs. These values are appropriate for a self-signed root CA but you can also use them for an unconstrained subordinate CA.
keyUsage:
  baseKeyUsage:
    certSign: true
    crlSign: true
caOptions:
  isCa: true
Subordinate unconstrained with path length of zero
Accessible as: subordinate_unconstrained_pathlen_0
You can use the following certificate profile to configure a CA that has no Extended Key Usage (EKU) constraints but has a path-length restriction that prevents it from issuing any subordinate CAs. These values are appropriate for CAs that issue end-entity certificates.
keyUsage:
  baseKeyUsage:
    certSign: true
    crlSign: true
caOptions:
  isCa: true
  maxIssuerPathLength: 0
Mutual TLS
In mutual Transport Layer Security (mTLS), both the server and the client present a certificate. The profiles in this section carry both the serverAuth and clientAuth extended key usages, so their certificates can be used for server TLS, client TLS, or mutual TLS authentication.
Subordinate mTLS
Accessible as: subordinate_mtls_pathlen_0
You can use the following certificate profile to configure a CA that can issue end-entity certificates usable for server TLS, client TLS, or mutual TLS authentication. This certificate profile has a path-length restriction that does not allow further subordinate CAs. These values are appropriate for a subordinate CA but they can also be used for a self-signed CA that directly issues end-entity certificates.
keyUsage:
  baseKeyUsage:
    certSign: true
    crlSign: true
  extendedKeyUsage:
    serverAuth: true
    clientAuth: true
caOptions:
  isCa: true
  maxIssuerPathLength: 0
End-entity mTLS
Accessible as: leaf_mtls
You can use the following certificate profile to configure end-entity certificates that are compatible with client TLS, server TLS, or mTLS, such as SPIFFE certificates for workload identity.
keyUsage:
  baseKeyUsage:
    digitalSignature: true
    keyEncipherment: true
  extendedKeyUsage:
    serverAuth: true
    clientAuth: true
caOptions:
  isCa: false
Client TLS
Client TLS certificates are used to authenticate a client.
Subordinate client TLS
Accessible as: subordinate_client_tls_pathlen_0
You can use the following certificate profile to configure a CA that can issue end-entity certificates usable for client TLS. This certificate profile has a path-length restriction that does not allow further subordinate CAs. These values are appropriate for a subordinate CA but they can also be used for a self-signed CA that directly issues end-entity certificates.
keyUsage:
  baseKeyUsage:
    certSign: true
    crlSign: true
  extendedKeyUsage:
    clientAuth: true
caOptions:
  isCa: true
  maxIssuerPathLength: 0
End-entity client TLS
Accessible as: leaf_client_tls
You can use the following certificate profile to configure end-entity certificates that are compatible with client TLS. For example, a client authenticating itself to a TLS firewall.
keyUsage:
  baseKeyUsage:
    digitalSignature: true
    keyEncipherment: true
  extendedKeyUsage:
    clientAuth: true
caOptions:
  isCa: false
Server TLS
Server TLS certificates are used to authenticate a server.
Subordinate server TLS
Accessible as: subordinate_server_tls_pathlen_0
You can use the following certificate profile to configure a CA that can issue end-entity certificates usable for server TLS. This certificate profile has a path-length restriction that does not allow further subordinate CAs. These values are appropriate for a subordinate CA but they can also be used for a self-signed CA that directly issues end-entity certificates.
keyUsage:
  baseKeyUsage:
    certSign: true
    crlSign: true
  extendedKeyUsage:
    serverAuth: true
caOptions:
  isCa: true
  maxIssuerPathLength: 0
End-entity server TLS
Accessible as: leaf_server_tls
You can use the following certificate profile to configure end-entity certificates that are compatible with server TLS.
keyUsage:
  baseKeyUsage:
    digitalSignature: true
    keyEncipherment: true
  extendedKeyUsage:
    serverAuth: true
caOptions:
  isCa: false
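The path-length and EKU constraints in these presets are enforced by the relying party during path validation, not by the CA at issuance, so it is worth seeing exactly what they refuse. The following Go program is an added example, not code from this page or from Certificate Authority Service. It mirrors root_unconstrained, subordinate_server_tls_pathlen_0 and leaf_mtls with Go's standard crypto/x509 package, builds a private chain, and checks three things: a leaf_mtls certificate issued by the server-TLS subordinate verifies for serverAuth; the same chain is refused for clientAuth, because the subordinate's extendedKeyUsage lacks clientAuth (which is why mTLS leaves belong under subordinate_mtls_pathlen_0); and a CA certificate signed beneath the pathlen-0 subordinate, which nothing stops the subordinate from signing, cannot issue a leaf that validates. Subject names, validity periods and the timestamp-based serial numbers are made-up demo values.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// profile holds the preset fields that path validation enforces: base key usage,
// extended key usage, isCa and maxIssuerPathLength (pathLen < 0 omits the constraint).
type profile struct {
	keyUsage x509.KeyUsage
	eku      []x509.ExtKeyUsage
	isCA     bool
	pathLen  int
}

var (
	caUsage   = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	leafUsage = x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment
	// Mirrors of three presets on this page, named after their gcloud identifiers.
	rootUnconstrained            = profile{keyUsage: caUsage, isCA: true, pathLen: -1}
	subordinateServerTLSPathlen0 = profile{keyUsage: caUsage, isCA: true, pathLen: 0, eku: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	leafMTLS                     = profile{keyUsage: leafUsage, eku: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}}
)

// issue generates an RSA key and a certificate for cn under profile p, signed by parent
// (self-signed when parent is nil). Names, validity and serials are demo values only.
func issue(cn string, p profile, parent *x509.Certificate, parentKey *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              p.keyUsage,
		ExtKeyUsage:           p.eku,
		BasicConstraintsValid: true,
		IsCA:                  p.isCA,
	}
	if p.isCA && p.pathLen >= 0 {
		tmpl.MaxPathLen, tmpl.MaxPathLenZero = p.pathLen, p.pathLen == 0 // MaxPathLenZero makes Go encode pathLenConstraint=0
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// verify builds a path from leaf to root for one EKU. Go's verifier enforces isCA,
// pathLenConstraint and EKU nesting, the properties caOptions and extendedKeyUsage control.
func verify(leaf *x509.Certificate, inters []*x509.Certificate, root *x509.Certificate, eku x509.ExtKeyUsage) error {
	roots, pool := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range inters {
		pool.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: pool, KeyUsages: []x509.ExtKeyUsage{eku}})
	return err
}

// run builds root -> server-TLS subordinate -> leaf and reports whether the leaf verifies for
// serverAuth, whether clientAuth is refused, and whether a CA issued beneath the pathlen-0
// subordinate is unable to issue a leaf that validates.
func run() (serverOK, clientRejected, deeperRejected bool, err error) {
	must := func(c *x509.Certificate, k *rsa.PrivateKey, e error) (*x509.Certificate, *rsa.PrivateKey) {
		if e != nil && err == nil {
			err = e
		}
		return c, k
	}
	root, rootKey := must(issue("Example Root", rootUnconstrained, nil, nil))
	sub, subKey := must(issue("Example Server TLS Sub", subordinateServerTLSPathlen0, root, rootKey))
	leaf, _ := must(issue("svc.example.test", leafMTLS, sub, subKey))
	// Signing a CA certificate under a pathlen-0 CA succeeds; validation of what it issues fails.
	deeper, deeperKey := must(issue("Unauthorized Sub", subordinateServerTLSPathlen0, sub, subKey))
	deeperLeaf, _ := must(issue("rogue.example.test", leafMTLS, deeper, deeperKey))
	if err != nil {
		return
	}
	return verify(leaf, []*x509.Certificate{sub}, root, x509.ExtKeyUsageServerAuth) == nil,
		verify(leaf, []*x509.Certificate{sub}, root, x509.ExtKeyUsageClientAuth) != nil,
		verify(deeperLeaf, []*x509.Certificate{sub, deeper}, root, x509.ExtKeyUsageServerAuth) != nil, nil
}

func main() {
	serverOK, clientRejected, deeperRejected, err := run()
	fmt.Println(serverOK, clientRejected, deeperRejected, err) // prints: true true true <nil>
}
```

Run it with `go run`; the three true values confirm that the serverAuth chain validates, that the server-TLS subordinate cannot vouch for clientAuth, and that maxIssuerPathLength: 0 stops any CA issued beneath the subordinate from producing a certificate a relying party will accept.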
Code signing
Code-signing certificates are used to sign software so that consumers can verify who published it and that it has not been modified since signing.
Subordinate code signing
Accessible as: subordinate_code_signing_pathlen_0
You can use the following certificate profile to configure a CA that can issue end-entity certificates usable for code signing. This certificate profile has a path-length restriction that does not allow further subordinate CAs. These values are appropriate for a subordinate CA but they can also work for a self-signed CA that directly issues end-entity certificates.
keyUsage:
  baseKeyUsage:
    certSign: true
    crlSign: true
  extendedKeyUsage:
    codeSigning: true
caOptions:
  isCa: true
  maxIssuerPathLength: 0
End-entity code signing
Accessible as: leaf_code_signing
You can use the following certificate profile to configure end-entity certificates that are compatible with code signing.
keyUsage:
  baseKeyUsage:
    digitalSignature: true
    contentCommitment: true
  extendedKeyUsage:
    codeSigning: true
caOptions:
  isCa: false
S/MIME
S/MIME (Secure/Multipurpose Internet Mail Extensions) is a standard for signing and encrypting email.
Subordinate S/MIME
Accessible as: subordinate_smime_pathlen_0
You can use the following certificate profile to configure a CA that can issue end-entity certificates usable for S/MIME. This certificate profile has a path-length restriction that does not allow further subordinate CAs. These values are appropriate for a subordinate CA but they can also be used for a self-signed CA that directly issues end-entity certificates.
keyUsage:
  baseKeyUsage:
    certSign: true
    crlSign: true
  extendedKeyUsage:
    emailProtection: true
caOptions:
  isCa: true
  maxIssuerPathLength: 0
End-entity S/MIME
Accessible as: leaf_smime
You can use the following certificate profile to configure end-entity certificates that are compatible with S/MIME. S/MIME is often used for end-to-end email integrity or encryption.
keyUsage:
  baseKeyUsage:
    digitalSignature: true
    contentCommitment: true
  extendedKeyUsage:
    emailProtection: true
caOptions:
  isCa: false
What's next
- Learn more about certificate templates.
- Learn more about policy controls.
- Learn more about using an issuance policy.