Issue a certificate using the Google Cloud console

This page explains how you can create a CA pool and issue certificates in Certificate Authority Service using the Google Cloud console.

CA Service lets you deploy and manage private certificate authorities (CAs) without managing infrastructure.

Before you begin

  1. Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
  2. In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

  3. Make sure that billing is enabled for your Google Cloud project.

  4. Enable the Certificate Authority Service API.

Create a CA pool

A CA pool is a collection of multiple CAs. A CA pool provides the ability to rotate trust chains without any outage or downtime for workloads. A CA pool lives in a single Google Cloud location that you cannot change after creation.

To create a CA pool with the default settings, do the following:

  1. Go to the Certificate Authority Service page in the Google Cloud console.

  2. Under the CA pool manager tab, click Create pool.

  3. On the Create CA pool page, add a name for the CA pool.

  4. Click Region, and select us-east1 (South Carolina) as the region of the CA pool.

  5. Click Next for each step.

  6. Click Done.

You can see this CA pool in the list of CA pools under the CA pool manager tab.

Create a root CA

A CA pool is empty on creation. You must add a CA to the CA pool to request certificates.

A root CA has a self-signed certificate that resides in the client's trust store. This section explains how you can add a root CA to the CA pool you created.

To add a root CA to your CA pool, do the following:

  1. Click CA manager.
  2. Click Create CA.

  3. Click Region, and select us-east1 (South Carolina) as the region of the CA.

  4. Click Next.

  5. In the Organization (O) field, enter the name of your organization.

  6. In the CA common name (CN) field, enter the name of the CA. Note the CA name because you will need it for requesting a certificate.

  7. In the Pool ID field, enter the name of your CA pool.

  8. Click Next for each step.

  9. Review the details of the CA, and click Create.

Create a certificate

To request a certificate using the CA, do the following:

  1. On the Certificate authority page, click Request a certificate.
  2. Click Enter details.

  3. Under Add domain name, enter the fully qualified domain name of the site you want to secure with this certificate.

  4. Click Next.

  5. Under Configure key size and algorithm, click Continue.

    The generated certificate is displayed, and you can copy or download it. To copy the certificate, click the copy icon.

  6. Click Done.
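
One way to check a downloaded certificate before deploying it, as an added example that is not part of the original page: confirm that it chains to the root CA your clients trust and that it covers the domain name entered in step 3. The function names and file names are hypothetical, the `openssl` CLI is assumed to be installed, and a throwaway root and leaf built locally stand in for the files downloaded from the console.

```shell
#!/bin/sh
# Added example (not from the original page). File names are assumptions.

# verify_issued_cert ROOT_PEM LEAF_PEM FQDN
# 0 = chains to the root and covers FQDN; 1 = chain failure; 2 = name mismatch.
verify_issued_cert() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 || return 1
    # -checkhost reports its result as text, so match on the output.
    openssl x509 -in "$2" -noout -checkhost "$3" 2>/dev/null |
        grep -q "does match" || return 2
}

# make_constructed_pki DIR FQDN
# Builds a throwaway root CA and a leaf for FQDN with local openssl, standing
# in for the root CA certificate and the leaf downloaded from the console.
make_constructed_pki() {
    cat > "$1/root.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
O = Constructed Org
CN = constructed-root-ca
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
    printf 'subjectAltName = DNS:%s\n' "$2" > "$1/san.ext"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$1/root.cnf" \
        -keyout "$1/root.key" -out "$1/root.pem" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -config "$1/root.cnf" \
        -subj "/CN=$2" -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/leaf.csr" -CA "$1/root.pem" -CAkey "$1/root.key" \
        -CAcreateserial -days 1 -extfile "$1/san.ext" -out "$1/leaf.pem" 2>/dev/null
}

# Demo on constructed input: the leaf is accepted only for the name it was issued for.
demo_dir=$(mktemp -d)
make_constructed_pki "$demo_dir" www.example.com
verify_issued_cert "$demo_dir/root.pem" "$demo_dir/leaf.pem" www.example.com &&
    echo "certificate chains to the root and covers www.example.com"
rm -rf "$demo_dir"
```

With real files, pass the root CA certificate and the issued certificate saved from the console as the first two arguments to `verify_issued_cert`.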

Clean up

Clean up by revoking the certificate and deleting the CA pool, the CA, and the project you created for this quickstart.

  1. Revoke the certificate.

    1. Click the Private certificate manager tab.
    2. In the list of certificates, click View more in the row of the certificate you want to delete.
    3. Click Revoke.
    4. In the dialog that opens, click Confirm.
  2. Delete the CA.

    You can delete a CA only after you have revoked all the certificates issued by it.

    After you have revoked the certificate, do the following:

    1. In the list of CAs, select the CA you want to delete.
    2. Click Delete. The Delete Certificate Authority dialog appears.
    3. Optional: Select one or both of the following checkboxes if the conditions apply to you:
      • Delete this CA, even if there are active certificates

        This option lets you delete a CA with active certificates. Deleting a CA with active certificates might cause websites, applications, or systems relying on those certificates to fail. We recommend that you revoke all active certificates issued by a CA before you delete the CA.

      • Skip the 30 day grace period and delete this CA immediately

        The 30-day grace period allows you time to revoke all certificates issued by this CA and verify that no systems depend on this CA. We recommend that you use this option only in non-production or test environments to prevent potential outages and data loss.

    4. Click Confirm.

    The CA state changes to Deleted. The CA is permanently deleted 30 days after you initiate the deletion.

  3. Delete the CA pool.

    You can delete a CA pool only after CA Service permanently deletes the CA.

    After you have deleted the CA in the CA pool, do the following:

    1. Click the CA pool manager tab.
    2. In the list of CA pools, select the CA pool you want to delete.
    3. Click Delete.
    4. In the dialog box that opens, click Confirm.
  4. To delete the project, do the following:

    1. In the Google Cloud console, go to the Manage resources page.

    2. In the project list, select the project that you want to delete, and then click Delete.
    3. In the dialog, type the project ID, and then click Shut down to delete the project.

What's next