Create a subordinate CA from an external CA
This page describes how to create a subordinate certificate authority (CA) that chains up to an external root CA.
If you have an existing public key infrastructure (PKI) hierarchy containing a root CA and subordinate CAs, you can keep the same root CA and create a subordinate CA in CA Service that chains up to your external root CA. The external root CA's key and operations remain outside of Google Cloud. You use the external root CA only to issue the subordinate CA certificate to Google Cloud. The subordinate CA is immediately trusted by any workload that trusts the external root CA. You can then use the subordinate CA to issue certificates without needing to reach back to the external root CA at run time.
Before you begin
- Make sure you have the CA Service Operation Manager (roles/privateca.caManager) or the CA Service Admin (roles/privateca.admin) IAM role. For information, see Configure IAM policies.
- Identify the external root CA.
- Define the name, subject, validity period, and key size for the subordinate CA. For information, see Determine CA Settings.
Create a subordinate CA from an external CA
Creating a subordinate CA from an external CA involves the following steps:
Generate the subordinate CA Certificate Signing Request (CSR): The first step is to generate a CSR for the subordinate CA and then download the CSR.
Get the subordinate CA certificate signed by the external root CA: The second step is to submit the CSR to the external root CA for signing. Ensure that you follow the external root CA's specific instructions for submitting CSRs and obtaining signed certificates.
Import the signed subordinate CA certificate into CA Service: The final step is to upload the signed PEM certificate chain using either the Google Cloud CLI or the Google Cloud console.
The following section shows you how to create a subordinate CA from an external root CA.
Create a CSR
Console
Visit the Security > Certificate Authority Service menu in Google Cloud console.
Click the CA manager tab.
Click Create CA.
Select CA type:
- Click Subordinate CA.
- In the Valid for field, enter the duration for which you want the certificates issued by the CA certificate to be valid.
- Click Root CA is external.
- Pick one of the available options for the CA Tier. For more information, see Select the operation tiers.
- Under Regionalization, select a CA location from the list.
- Click Next.
- In the Organization (O) field, enter the name of your company.
- Optional: In the Organization unit (OU) field, enter the company subdivision or business unit.
- Optional: In the Country name field, enter a two-letter country code.
- Optional: In the State or province name field, enter the name of your state.
- Optional: In the Locality name field, enter the name of your city.
- In the CA common name (CN) field, enter the CA name.
- In the Pool ID field, enter the CA pool name. You cannot change the CA pool after creating the CA.
- Click Next.
- Choose the key algorithm that best meets your needs. For information about deciding the suitable key algorithm, see Choose a key algorithm.
- Click Next.
The following steps are optional. If you skip these steps, the default settings apply.
- Choose whether you want to use a Google-managed or a self-managed Cloud Storage bucket.
- Choose whether you want to disable the publication of certificate revocation lists (CRLs) and CA certificates to the Cloud Storage bucket.
- Click Next.
If you don't select a self-managed Cloud Storage bucket, CA Service creates a Google-managed bucket in the same location as the CA.
The publication of CRL and CA certificate on a Cloud Storage bucket is enabled by default. To disable these settings, click the toggles.
The following steps are optional.
If you want to add labels to the CA, do the following:
- Click Add item.
- In the Key 1 field, enter the label key.
- In the Value 1 field, enter the label value.
- If you want to add another label, click Add item. Then, add the label key and value as mentioned in steps 2 and 3.
- Click Next.
Carefully review all the settings, then click Create to create the CA.
Download the CSR
- On the Certificate authority page, select the CA you want to activate.
- Click Activate.
In the dialog that opens, click Download CSR.
gcloud
To create a CA pool for the subordinate CA, run the following command. For more information, see Create a CA pool.
gcloud privateca pools create SUBORDINATE_POOL_ID
Replace SUBORDINATE_POOL_ID with the name of the CA pool.
To create a subordinate CA in the created CA pool, run the following gcloud command. The gcloud command also creates a CSR and saves it to the FILE_NAME file.
gcloud privateca subordinates create SUBORDINATE_CA_ID \
  --pool=SUBORDINATE_POOL_ID \
  --create-csr --csr-output-file=FILE_NAME \
  --key-algorithm="ec-p256-sha256" \
  --subject="CN=Example Server TLS CA, O=Example LLC"
Replace the following:
- SUBORDINATE_CA_ID: The unique identifier of the subordinate CA.
- SUBORDINATE_POOL_ID: The name of the CA pool.
- FILE_NAME: The name of the file where the PEM-encoded CSR is written.
The --key-algorithm flag takes the cryptographic algorithm that you want to use for creating a managed Cloud HSM key for the CA. The --subject flag takes the X.501 name of the certificate subject.
For more information about the gcloud privateca subordinates create command, see gcloud privateca subordinates create.
The following statement is returned when the CSR is created:
Created Certificate Authority [projects/my-project-pki/locations/us-west1/caPools/SUBORDINATE_POOL_ID/certificateAuthorities/SUBORDINATE_CA_ID] and saved CSR to FILE_NAME.
To see the exhaustive list of available settings, run the following command:
gcloud privateca subordinates create --help
If you lose the CSR, you can download it again using the following command:
gcloud privateca subordinates get-csr SUBORDINATE_CA_ID \
--pool=SUBORDINATE_POOL_ID
Terraform
To create a CA pool and a subordinate CA in that CA pool, use the following configuration file:
resource "google_privateca_ca_pool" "default" {
  name     = "test-ca-pool"
  location = "us-central1"
  tier     = "ENTERPRISE"
}

resource "google_privateca_certificate_authority" "sub-ca" {
  pool                     = google_privateca_ca_pool.default.name
  certificate_authority_id = "my-certificate-authority-sub"
  location                 = "us-central1"
  config {
    subject_config {
      subject {
        organization = "HashiCorp"
        common_name  = "my-subordinate-authority"
      }
      subject_alt_name {
        dns_names = ["hashicorp.com"]
      }
    }
    x509_config {
      ca_options {
        is_ca = true
        # Force the sub CA to only issue leaf certs
        max_issuer_path_length = 0
      }
      key_usage {
        base_key_usage {
          cert_sign = true
          crl_sign  = true
        }
        extended_key_usage {
        }
      }
    }
  }
  lifetime = "86400s"
  key_spec {
    algorithm = "RSA_PKCS1_4096_SHA256"
  }
  type = "SUBORDINATE"
}
To fetch the CSR, append the following configuration:
data "google_privateca_certificate_authority" "sub-ca-csr" {
  location                 = "us-central1"
  pool                     = google_privateca_ca_pool.default.name
  certificate_authority_id = google_privateca_certificate_authority.sub-ca.certificate_authority_id
}

output "csr" {
  value = data.google_privateca_certificate_authority.sub-ca-csr.pem_csr
}
Run terraform apply.
Sign the CSR
Pass the generated CSR file to the member of your organization responsible for certificate issuance, and request that they sign it. The specific steps depend on your organization's setup.
You can experiment with a simple root CA using the following openssl commands:
Shell
Configure settings for the new root CA.
cat > root.conf <<- EOM
[ req ]
distinguished_name = req_distinguished_name
x509_extensions = v3_ca
prompt = no
[ req_distinguished_name ]
commonName = Sample Root
[ v3_ca ]
subjectKeyIdentifier=hash
basicConstraints=critical, CA:true
EOM
Create the new root CA.
openssl req -x509 -new -nodes -config root.conf -keyout rootCA.key \
-days 3000 -out rootCA.crt -batch
Configure the extensions that must be added to the new subordinate CA certificate.
cat > extensions.conf <<- EOM
basicConstraints=critical,CA:TRUE,pathlen:0
keyUsage=critical,keyCertSign,cRLSign
extendedKeyUsage=critical,serverAuth
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid
EOM
Sign the subordinate CA's CSR with this root.
openssl x509 -req -in FILE_NAME -CA rootCA.crt -CAkey rootCA.key \
-CAcreateserial -out subordinate.crt -days 1095 -sha256 -extfile extensions.conf
Concatenate the entire certificate chain into a single file.
cat subordinate.crt > chain.crt
cat rootCA.crt >> chain.crt
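The following script is an added example, not part of the original page or of CA Service: before you upload chain.crt, it checks the properties the activate step depends on, namely that the bundle starts with the subordinate CA certificate and ends with the root, that the first certificate carries the public key from the CSR you generated (FILE_NAME above), that it has the CA:TRUE, pathlen:0 constraint from extensions.conf, and that it verifies up to a self-signed root. It assumes only that the openssl CLI is installed.

```shell
#!/bin/sh
# Added example, not from the page: pre-flight checks on chain.crt against the subordinate
# CSR (FILE_NAME above) before running `gcloud privateca subordinates activate --pem-chain`.
# Uses only the openssl CLI. Checks: (1) at least two certificates, subordinate CA first and
# root last; (2) the first certificate carries the CSR's public key; (3) it is a CA with
# pathlen:0, as extensions.conf requests; (4) the last is self-signed and the chain verifies.
check_chain() {
  chain="$1"
  csr="$2"
  work=$(mktemp -d) || return 1
  # Split the PEM bundle into cert-1.pem, cert-2.pem, ... preserving file order.
  awk -v d="$work" '/-----BEGIN CERTIFICATE-----/{n++} n>0{print > (d "/cert-" n ".pem")}' "$chain"
  count=$(ls "$work" | wc -l | tr -d ' ')
  if [ "$count" -lt 2 ]; then
    echo "FAIL: chain has $count certificate(s); need the subordinate CA and its root"
    rm -rf "$work"; return 1
  fi
  sub="$work/cert-1.pem"
  root="$work/cert-$count.pem"
  # (2) Compare a digest of the CSR's and the first certificate's SubjectPublicKeyInfo.
  csr_key=$(openssl req -in "$csr" -noout -pubkey | openssl sha256)
  sub_key=$(openssl x509 -in "$sub" -noout -pubkey | openssl sha256)
  if [ "$csr_key" != "$sub_key" ]; then
    echo "FAIL: first certificate does not carry the CSR's public key (wrong file or order)"
    rm -rf "$work"; return 1
  fi
  # (3) The subordinate must be a CA that is limited to issuing leaf certificates.
  bc=$(openssl x509 -in "$sub" -noout -text | awk '/Basic Constraints/ {getline; print; exit}')
  case "$bc" in
    *CA:TRUE*pathlen:0*) ;;
    *) echo "FAIL: unexpected basicConstraints on subordinate: ${bc:-none}"; rm -rf "$work"; return 1 ;;
  esac
  # (4) Last certificate is self-signed (subject == issuer) and the subordinate verifies via the rest.
  subj=$(openssl x509 -in "$root" -noout -subject | sed 's/^subject=//')
  iss=$(openssl x509 -in "$root" -noout -issuer | sed 's/^issuer=//')
  if [ "$subj" != "$iss" ]; then
    echo "FAIL: last certificate is not a self-signed root (issuer: $iss)"; rm -rf "$work"; return 1
  fi
  i=2; : > "$work/issuers.pem"
  while [ "$i" -le "$count" ]; do cat "$work/cert-$i.pem" >> "$work/issuers.pem"; i=$((i + 1)); done
  if ! openssl verify -CAfile "$work/issuers.pem" "$sub" >/dev/null 2>&1; then
    echo "FAIL: subordinate certificate does not verify against the rest of the chain"
    rm -rf "$work"; return 1
  fi
  echo "ok: $count-certificate chain; subordinate matches CSR, has pathlen:0, verifies to self-signed root"
  rm -rf "$work"
}
# Usage: sh check_chain.sh chain.crt FILE_NAME
if [ "$#" -eq 2 ]; then check_chain "$1" "$2"; fi
```

A non-zero exit means the file would be rejected or would activate the wrong certificate; fix the order or the signed file before running the activate command.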
Upload the signed certificate
To activate a subordinate CA using a signed certificate, do the following:
Console
Go to the Certificate Authority Service page in the Google Cloud console.
Click the CA manager tab.
Under Certificate authorities, choose the subordinate CA that you created.
Click Activate. In the dialog that opens, click Download CSR to download the PEM-encoded CSR file that the issuing CA can sign.
Click Next.
In the Upload Certificate Chain field, click Browse.
Upload the signed certificate file with the .crt extension.
Click Activate.
gcloud
gcloud privateca subordinates activate SUBORDINATE_CA_ID \
--pool=SUBORDINATE_POOL_ID \
--pem-chain ./chain.crt
Replace the following:
- SUBORDINATE_CA_ID: the unique identifier of the subordinate CA that you want to activate.
- SUBORDINATE_POOL_ID: the name of the CA pool that contains the subordinate CA.
The --pem-chain flag is required. This flag takes the file containing the list of PEM-encoded certificates. The list of certificates starts with the current CA certificate and ends with the root CA certificate.
For more information about the gcloud privateca subordinates activate
command, see gcloud privateca subordinates activate.
The following statement is returned when the signed certificate is uploaded:
Activated certificate authority [SUBORDINATE_CA_ID].
Terraform
- Save the signed CA certificate locally as subordinate.crt.
- Save the signer CA certificates locally as rootCA.crt.
- Remove the configuration for fetching the CSR mentioned in the first step, because it tries to fetch the CSR, which is not allowed after CA activation.
Update the subordinate CA configuration with the following fields and run terraform apply:
pem_ca_certificate = file("subordinate.crt")
subordinate_config {
  pem_issuer_chain {
    pem_certificates = [file("rootCA.crt")]
  }
}
If the issuer chain includes more than one CA, specify the value as [file("intermediateCA.cert"), file("rootCA.crt")].
What's next
- Learn how to request certificates.
- Learn about templates and issuance policies.