Create a certificate by using the console

This page explains how you can use Certificate Authority Service and the Google Cloud console to create certificates.

CA Service lets you deploy and manage private certificate authorities (CAs) without managing infrastructure.

Before you begin

  1. Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
  2. In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

    Go to project selector

  3. Make sure that billing is enabled for your Cloud project. Learn how to check if billing is enabled on a project.

  4. In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

    Go to project selector

  5. Make sure that billing is enabled for your Cloud project. Learn how to check if billing is enabled on a project.

Create a CA pool

A CA pool is a collection of multiple CAs. A CA pool provides the ability to rotate trust chains without any outage or downtime for workloads. A CA pool lives in a single Google Cloud location that you cannot change after creation.

To create a CA pool with the default settings, do the following:

  1. Go to the Certificate Authority Service page in the Google Cloud console.

    Go to Certificate Authority Service

  2. Under the CA pool manager tab, click Create pool.

  3. On the Create CA pool page, add a name for the CA pool.

  4. Click Region, and select us-east1 (South Carolina) as the region of the CA pool.

  5. Click Next for each step.

  6. Click Done.

You can see this CA pool in the list of CA pools under the CA pool manager tab.

Create a root CA

A CA pool is empty on creation. You must add a CA to the CA pool to request certificates.

A root CA has a self-signed certificate that resides in the client's trust store. This section explains how you can add a root CA to the CA pool you created.

To add a root CA to your CA pool, do the following:

  1. Click CA manager.
  2. Click Create CA.

    Create a new CA in your CA pool.

  3. Click Region, and select us-east1 (South Carolina) as the region of the CA.

  4. Click Next.

  5. In the Organization (O) field, enter the name of your organization.

  6. In the CA common name (CN) field, enter the name of the CA. Note the CA name because you will need it for requesting a certificate.

  7. In the Pool ID field, enter the name of your CA pool.

  8. Click Next for each step.

  9. Review the details of the CA, and click Create.

Create a certificate

To request a certificate using the CA, do the following:

  1. On the Certificate authority page, click Request a certificate.
  2. Click Enter details.

    Click Enter details to request a certificate.

  3. Under Add domain name, enter the fully qualified domain name of the site you want to secure with this certificate.

  4. Click Next.

  5. Under Configure key size and algorithm, click Continue.

    You will see the generated certificate that you can copy or download. To copy the certificate, click .

    Copy or download the generated certificate.

  6. Click Done.

Clean up

Clean up by revoking the certificate and deleting the CA pool, the CA, and the project you created for this quickstart.

  1. Revoke the certificate.

    1. Click the Private certificate manager tab.
    2. In the list of certificates, click View more in the row of the certificate you want to delete.
    3. Click Revoke.
    4. In the dialog that opens, click Confirm.
  2. Delete the CA.

    You can delete a CA only after you have revoked all the certificates issued by it.

    After you have revoked the certificate, do the following:

    1. Click the CA manager tab.
    2. In the list of CAs, select the CA you want to delete.
    3. Click Disable.
    4. Disable the CA you want to delete.
    5. In the dialog that opens, click Confirm.
    6. Click Delete.
    7. In the dialog that opens, click Confirm.

    The CA state changes to Deleted. The CA is permanently deleted 30 days after you initiate the deletion.

  3. Delete the CA pool.

    You can delete a CA pool only after CA Service permanently deletes the CA.

    After you have deleted the CA in the CA pool, do the following:

    1. Click the CA pool manager tab.
    2. In the list of CA pools, select the CA pool you want to delete.
    3. Click Delete.
    4. Permanently delete a CA pool.
    5. In the dialog box that opens, click Confirm.
  4. To delete the project, do the following:

    1. In the console, go to the Manage resources page.

      Go to Manage resources

    2. In the project list, select the project that you want to delete, and then click Delete.
    3. In the dialog, type the project ID, and then click Shut down to delete the project.

What's next