Create a subordinate CA from an external CA

This page describes how to create a subordinate certificate authority (CA) that chains up to an external root CA.

If you have an existing public key infrastructure (PKI) hierarchy containing a root CA and subordinate CAs, you can keep the same root CA and create a subordinate CA in CA Service that chains up to your external root CA. The external root CA's key and operations remain outside of Google Cloud. The external root CA is used only to issue the subordinate CA certificate to Google Cloud. The subordinate CA is immediately trusted by any workload that trusts the external root CA. You can then use the subordinate CA to issue certificates without needing to reach back to the external root CA at run time.

Before you begin

  • Make sure you have the CA Service Operation Manager (roles/privateca.caManager) or the CA Service Admin (roles/privateca.admin) IAM role. For information, see Configure IAM policies.
  • Identify the external root CA.
  • Define the name, subject, validity period, and key size for the subordinate CA. For information, see Determine CA Settings.

Create a subordinate CA from an external CA

Creating a subordinate CA from an external CA involves the following steps:

  1. Generate the subordinate CA Certificate Signing Request (CSR): The first step is to generate a CSR for the subordinate CA and then download the CSR.

  2. Get the subordinate CA certificate signed by the external root CA: The second step is to submit the CSR to the external root CA for signing. Ensure that you follow the external root CA's specific instructions for submitting CSRs and obtaining signed certificates.

  3. Import the signed subordinate CA certificate into CA Service: The final step is to upload the signed PEM certificate chain using either the Google Cloud CLI or the Google Cloud console.

The following section shows you how to create a subordinate CA from an external root CA.

Create a CSR

Console

  1. Visit the Security > Certificate Authority Service menu in Google Cloud console.

  2. Click the CA manager tab.

  3. Click Create CA.

Select CA type:

  1. Click Subordinate CA.
  2. In the Valid for field, enter the duration for which you want the certificates issued by the CA certificate to be valid.
  3. Click Root CA is external.
  4. Pick one of the available options for the CA Tier. For more information, see Select the operation tiers.
  5. Under Regionalization, select a CA location from the list.
  6. Click Next.
Configure CA subject name
  1. In the Organization (O) field, enter the name of your company.
  2. Optional: In the Organization unit (OU) field, enter the company subdivision or business unit.
  3. Optional: In the Country name field, enter a two-letter country code.
  4. Optional: In the State or province name field, enter the name of your state.
  5. Optional: In the Locality name field, enter the name of your city.
  6. In the CA common name (CN) field, enter the CA name.
  7. In the Pool ID field, enter the CA pool name. You cannot change the CA pool after creating the CA.
  8. Click Next.
Configure CA key size and algorithm
  1. Choose the key algorithm that best meets your needs. For information about deciding the suitable key algorithm, see Choose a key algorithm.
  2. Click Next.
Configure CA artifacts

The following steps are optional. If you skip these steps, the default settings apply.

  1. Choose whether you want to use a Google-managed or a self-managed Cloud Storage bucket. If you don't select a self-managed Cloud Storage bucket, CA Service creates a Google-managed bucket in the same location as the CA.
  2. Choose whether you want to disable the publication of certificate revocation lists (CRLs) and CA certificates to the Cloud Storage bucket. Publication of the CRL and the CA certificate to the Cloud Storage bucket is enabled by default. To disable these settings, click the toggles.
  3. Click Next.
Add labels

The following steps are optional.

If you want to add labels to the CA, do the following:

  1. Click Add item.
  2. In the Key 1 field, enter the label key.
  3. In the Value 1 field, enter the label value.
  4. If you want to add another label, click Add item. Then, add the label key and value as mentioned in steps 2 and 3.
  5. Click Next.
Review the settings

Carefully review all the settings, then click Create to create the CA.

Download the CSR

  1. On the Certificate authority page, select the CA you want to activate.
  2. Click Activate.
  3. In the dialog that opens, click Download CSR.

gcloud

  1. To create a CA pool for the subordinate CA, run the following command. For more information, see Create a CA pool.

    gcloud privateca pools create SUBORDINATE_POOL_ID
    

    Replace SUBORDINATE_POOL_ID with the name of the CA pool.

  2. To create a subordinate CA in the CA pool you just created, run the following gcloud command. The command also creates a CSR and saves it to the file FILE_NAME.

    gcloud privateca subordinates create SUBORDINATE_CA_ID \
      --pool=SUBORDINATE_POOL_ID \
      --create-csr --csr-output-file=FILE_NAME \
      --key-algorithm="ec-p256-sha256" \
      --subject="CN=Example Server TLS CA, O=Example LLC"
    

    Replace the following:

    • SUBORDINATE_CA_ID: The unique identifier of the subordinate CA.
    • SUBORDINATE_POOL_ID: The name of the CA pool.
    • FILE_NAME: The name of the file where the PEM-encoded CSR is written.

    The --key-algorithm flag takes the cryptographic algorithm that you want to use for creating a managed Cloud HSM key for the CA.

    The --subject flag takes the X.501 name of the certificate subject.

    For more information about the gcloud privateca subordinates create command, see gcloud privateca subordinates create.

The following statement is returned when the CSR is created:

Created Certificate Authority [projects/my-project-pki/locations/us-west1/caPools/SUBORDINATE_POOL_ID/certificateAuthorities/SUBORDINATE_CA_ID] and saved CSR to FILE_NAME.

To see the exhaustive list of available settings, run the following command:

gcloud privateca subordinates create --help

If you lose the CSR, you can download it again using the following command:

gcloud privateca subordinates get-csr SUBORDINATE_CA_ID \
  --pool=SUBORDINATE_POOL_ID

Terraform

  1. To create a CA pool and a subordinate CA in that CA pool, use the following configuration file:

    resource "google_privateca_ca_pool" "default" {
      name     = "test-ca-pool"
      location = "us-central1"
      tier     = "ENTERPRISE"
    }
    
    resource "google_privateca_certificate_authority" "sub-ca" {
      pool = google_privateca_ca_pool.default.name
      certificate_authority_id = "my-certificate-authority-sub"
      location = "us-central1"
      config {
        subject_config {
          subject {
            organization = "HashiCorp"
            common_name = "my-subordinate-authority"
          }
          subject_alt_name {
            dns_names = ["hashicorp.com"]
          }
        }
        x509_config {
          ca_options {
            is_ca = true
            # Force the sub CA to only issue leaf certs
            max_issuer_path_length = 0
          }
          key_usage {
            base_key_usage {
              cert_sign = true
              crl_sign = true
            }
            extended_key_usage {
            }
          }
        }
      }
      lifetime = "86400s"
      key_spec {
        algorithm = "RSA_PKCS1_4096_SHA256"
      }
      type = "SUBORDINATE"
    }
    
  2. To fetch the CSR, append the following configuration:

    data "google_privateca_certificate_authority" "sub-ca-csr" {
      location = "us-central1"
      pool = google_privateca_ca_pool.default.name
      certificate_authority_id = google_privateca_certificate_authority.sub-ca.certificate_authority_id
    }
    
    output "csr" {
      value = data.google_privateca_certificate_authority.sub-ca-csr.pem_csr
    }
    
  3. Run terraform apply.

Sign the CSR

Pass the generated CSR file to the member of your organization responsible for certificate issuance, and request that they sign it. The specific steps depend on your organization's setup.

You can experiment with a simple root CA using the following openssl commands:

Shell

Configure settings for the new root CA.

cat > root.conf <<- EOM
[ req ]
distinguished_name = req_distinguished_name
x509_extensions    = v3_ca
prompt             = no
[ req_distinguished_name ]
commonName = Sample Root
[ v3_ca ]
subjectKeyIdentifier=hash
basicConstraints=critical, CA:true
EOM

Create the new root CA.

openssl req -x509 -new -nodes -config root.conf -keyout rootCA.key \
  -days 3000 -out rootCA.crt -batch

Configure the extensions that must be added to the new subordinate CA certificate.

cat > extensions.conf <<- EOM
basicConstraints=critical,CA:TRUE,pathlen:0
keyUsage=critical,keyCertSign,cRLSign
extendedKeyUsage=critical,serverAuth
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid
EOM

Sign the subordinate CA's CSR with this root.

openssl x509 -req -in FILE_NAME -CA rootCA.crt -CAkey rootCA.key \
  -CAcreateserial -out subordinate.crt -days 1095 -sha256 -extfile extensions.conf

Concatenate the entire certificate chain into a single file.

cat subordinate.crt > chain.crt
cat rootCA.crt >> chain.crt

Upload the signed certificate

To activate a subordinate CA using a signed certificate, do the following:

Console

  1. Go to the Certificate Authority Service page in the Google Cloud console.

  2. Click the CA manager tab.

  3. Under Certificate authorities, choose the subordinate CA that you created.

  4. Click Activate.

  5. In the dialog that opens, click Download CSR to download the PEM-encoded CSR file that the issuing CA can sign.

  6. Click Next.

  7. In the Upload Certificate Chain field, click Browse.

  8. Upload the signed certificate file with .crt extension.

  9. Click Activate.

gcloud

gcloud privateca subordinates activate SUBORDINATE_CA_ID \
  --pool=SUBORDINATE_POOL_ID \
  --pem-chain ./chain.crt

Replace the following:

  • SUBORDINATE_CA_ID: the unique identifier of the subordinate CA that you want to activate.
  • SUBORDINATE_POOL_ID: the name of the CA pool that contains the subordinate CA.

The --pem-chain flag is required. This flag takes the file containing the list of PEM-encoded certificates. The list of certificates starts with the current CA certificate and ends with the root CA certificate.

For more information about the gcloud privateca subordinates activate command, see gcloud privateca subordinates activate.

The following statement is returned when the signed certificate is uploaded:

Activated certificate authority [SUBORDINATE_CA_ID].
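Before running the activate command, it is worth checking that chain.crt is in the order the --pem-chain flag requires and that the external CA really issued a signing CA certificate. The following Go program is an added example, not code from CA Service or gcloud: ValidateChain parses a PEM bundle and rejects a reversed chain, a bundle without the root, or a first certificate that lacks CA:TRUE and keyCertSign; SampleChain builds a constructed root/subordinate pair with throwaway keys (assumed names "Sample Root" and "Example Server TLS CA") so the check runs offline.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// ValidateChain checks a PEM bundle in --pem-chain order: subordinate CA first, root last.
func ValidateChain(pemChain []byte) error {
	var certs []*x509.Certificate
	for b, rest := pem.Decode(pemChain); b != nil; b, rest = pem.Decode(rest) {
		c, err := x509.ParseCertificate(b.Bytes)
		if err != nil {
			return err
		}
		certs = append(certs, c)
	}
	if len(certs) < 2 {
		return fmt.Errorf("expected subordinate and root, found %d certificate(s)", len(certs))
	}
	sub, root := certs[0], certs[len(certs)-1] // first needs CA:TRUE + keyCertSign, last must be self-signed
	if !sub.IsCA || sub.KeyUsage&x509.KeyUsageCertSign == 0 || root.CheckSignatureFrom(root) != nil {
		return fmt.Errorf("%q must be a signing CA and %q a self-signed root", sub.Subject.CommonName, root.Subject.CommonName)
	}
	for i := 0; i+1 < len(certs); i++ { // a reversed bundle or a missing link fails here
		if err := certs[i].CheckSignatureFrom(certs[i+1]); err != nil {
			return fmt.Errorf("certificate %d is not signed by certificate %d: %w", i, i+1, err)
		}
	}
	return nil
}

// SampleChain builds a constructed root/subordinate pair with throwaway keys (not real PKI material).
func SampleChain() (subPEM, rootPEM []byte) {
	rootPub, rootKey, _ := ed25519.GenerateKey(rand.Reader)
	subPub, _, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Sample Root"}, IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour)}
	rootDER, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, rootPub, rootKey)
	rootCert, _ := x509.ParseCertificate(rootDER)
	tmpl.SerialNumber, tmpl.Subject.CommonName, tmpl.MaxPathLenZero = big.NewInt(2), "Example Server TLS CA", true // pathlen:0
	subDER, _ := x509.CreateCertificate(rand.Reader, tmpl, rootCert, subPub, rootKey)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: subDER}), pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: rootDER})
}
```

To check a real bundle, read chain.crt with os.ReadFile and pass the bytes to ValidateChain; a nil result means the file is ordered as the activate command expects.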

Terraform

  1. Save the signed CA certificate locally as subordinate.crt.
  2. Save the signer CA certificate locally as rootCA.crt.
  3. Remove the configuration for fetching the CSR that you added earlier, because fetching the CSR is not allowed after CA activation.
  4. Update the subordinate CA configuration with the following fields and run terraform apply:

    pem_ca_certificate     = file("subordinate.crt")
    subordinate_config {
      pem_issuer_chain {
        pem_certificates = [file("rootCA.crt")]
      }
    }

What's next