Create a root certificate authority
This page describes how to create a root certificate authority (CA) in a CA pool.
A root CA is at the top of a public key infrastructure (PKI) hierarchy and is responsible for forming the trust anchor of the PKI. To properly participate and use certificates in a PKI, a device, software, or component needs to trust the PKI. This is accomplished by configuring the device, software, or component to trust the root CA. As a result, all the certificates issued by the root CA are trusted.
Before you begin
- Make sure you have the CA Service Operation Manager
(
roles/privateca.caManager
) or the CA Service Admin (roles/privateca.admin
) IAM role. For information, see Configure IAM policies. - Create a CA pool.
- Determine your CA settings.
Create a root CA
A root CA has a self-signed certificate that you must distribute to the trust stores of your clients. The root CA's certificate is at the top of the certificate chain. No other CA can revoke the CA certificate. The CRL of the root CA applies only to the other certificates the root CA issued, but not to itself.
Console
To create a root CA, do the following.
Go to the Certificate Authority Service page in the Google Cloud console.
Click the CA manager tab.
Click Create CA.
Select CA type
To configure the permanent settings of the CA, such as tier, location, lifetime, and the operational state at creation, do the following:
- Select Root CA.
- In the Valid for field, enter the duration for which you want the certificates issued by the CA certificate to be valid.
- Optional: select a tier for the CA.
- Click Region and in the list, select the location where you want to create the CA. We recommend creating the CA geographically near your application's clients. For more information, see Choosing the best location.
Optional: Select the operational state of the CA to be created in.
Optional: Click Certificate profile. In the list, select the certificate profile that matches the type of certificates you want the CA to issue.
Click Next.
- In the Organization (O) field, enter the name of your company.
- Optional: In the Organization unit (OU) field, enter the company subdivision or business unit.
- Optional: In the Country name field, enter a two letter country code.
- Optional: In the State or province name field, enter the name of your state.
- Optional: In the Locality name field, enter the name of your city.
- In the CA common name (CN) field, enter the CA name.
- In the Pool ID field, enter the CA pool name. You cannot change the CA pool after creating the CA.
- Click Next.
- Choose the key algorithm that best meets your needs. For information about deciding the suitable key algorithm, see Choose a key algorithm.
- Click Next.
The following steps are optional. If you skip these steps, the default settings apply.
- Choose whether you want to use a Google-managed or a self-managed Cloud Storage bucket.
- Choose whether you want to disable the publication of certificate revocation lists (CRLs) and CA certificates to the Cloud Storage bucket.
- Click Next.
If you don't select a self-managed Cloud Storage bucket, CA Service creates a Google-managed bucket in the same location as the CA.
The publication of CRL and CA certificate on a Cloud Storage bucket is enabled by default. To disable these settings, click the toggles.
The following steps are optional.
If you want to add labels to the CA, do the following:
- Click Add item.
- In the Key 1 field, enter the label key.
- In the Value 1 field, enter the label value.
- If you want to add another label, click Add item. Then, add the label key and value as mentioned in steps 2 and 3.
- Click Next.
Carefully review all the settings, then click Create to create the CA.
gcloud
To create a CA pool, run the following command:
gcloud privateca pools create POOL_ID
Replace POOL_ID with the name of the CA pool.
For more information, see Create a CA pool.
For more information about this
gcloud
command, see gcloud privateca pools create.Create a new root CA in the CA pool you created.
gcloud privateca roots create ROOT_CA_ID --pool=POOL_ID \ --key-algorithm=KEY_ALGORITHM \ --subject="CN=my-ca, O=Test LLC"
Replace the following:
- ROOT_CA_ID: The name of the CA.
- POOL_ID: The name of the CA pool.
- KEY_ALGORITHM: The algorithm to use for creating a
Cloud KMS key. This flag is optional. If you don't include
this flag, the key algorithm defaults to
rsa-pkcs1-4096-sha256
. For more information, see --key-algorithm flag.
By default, the CA is created in the
STAGED
state. To enable a CA by default, include the--auto-enable
flag.If you want to use a customer-managed Cloud Storage bucket for publishing CA certificates and CRLs, add
--bucket bucket-name
to the command. Replace bucket-name with the name of the Cloud Storage bucket.To see the exhaustive list of settings, run the following command:
gcloud privateca roots create --help
Terraform
To create a root CA using a Google-owned and Google-managed encryption key, use the following sample configuration:
To create a root CA using a self-managed key, use the following sample configuration:
Go
To authenticate to CA Service, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.
Java
To authenticate to CA Service, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.
Python
To authenticate to CA Service, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.
REST API
Create a root CA.
HTTP method and URL:
POST https://privateca.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/caPools/POOL_ID/certificateAuthorities?certificate_authority_id=ROOT_CA_ID
Request JSON body:
{ "type": "SELF_SIGNED", "lifetime": { "seconds": 315576000, "nanos": 0 }, "config": { "subject_config": { "subject": { "organization": "ORGANIZATION_NAME", "common_name": "COMMON_NAME" } }, "x509_config":{ "ca_options":{ "is_ca":true }, "key_usage":{ "base_key_usage":{ "cert_sign":true, "crl_sign":true } } } }, "key_spec":{ "algorithm":"RSA_PKCS1_4096_SHA256" } }
To send your request, expand one of these options:
You should receive a JSON response similar to the following:
{ "name": "projects/PROJECT_ID/locations/LOCATION/operations/operation-UUID", "metadata": {...}, "done": false }
Poll the operation until it has completed.
HTTP method and URL:
GET https://privateca.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/operations/operation-UUID
To send your request, expand one of these options:
You should receive a JSON response similar to the following:
{ "name": "projects/PROJECT_ID/locations/LOCATION/operations/operation-UUID", "metadata": {...}, "done": true, "response": { "@type": "type.googleapis.com/google.cloud.security.privateca.v1.CertificateAuthority", "name": "...", } }
After you have verified that the CA works as expected, you can enable it to start issuing load-balanced certificates for the CA pool.
Enable a root CA
gcloud
To enable a root CA, run the following gcloud
command:
gcloud privateca roots enable ROOT_CA_ID --pool=POOL_ID
Replace the following:
- ROOT_CA_ID: The name of the CA.
- POOL_ID: The name of the CA pool.
Terraform
If you use Terraform to create a root CA, the root CA is enabled on creation. To create a root CA in the STAGED
state, set
the desired_state
field to STAGED
when creating the CA.
You can set the desired_state
field to ENABLED
or DISABLED
after CA creation.
Go
To authenticate to CA Service, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.
Java
To authenticate to CA Service, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.
Python
To authenticate to CA Service, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.
REST API
Enable the CA to issue certificates from the CA pool.
HTTP method and URL:
POST https://privateca.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/caPools/POOL_ID/certificateAuthorities/ROOT_CA_ID:enable
To send your request, expand one of these options:
You should receive a JSON response similar to the following:
{ "name": "projects/PROJECT_ID/locations/LOCATION/operations/operation-UUID", "metadata": {...}, "done": false }
Poll the operation until it has completed.
HTTP method and URL:
GET https://privateca.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/operations/operation-UUID
To send your request, expand one of these options:
You should receive a JSON response similar to the following:
{ "name": "projects/PROJECT_ID/locations/LOCATION/operations/operation-UUID", "metadata": {...}, "done": true, "response": { "@type": "type.googleapis.com/google.cloud.security.privateca.v1.CertificateAuthority", "name": "...", } }
Test a CA
To verify that a CA is able to issue certificates, request a certificate from
the associated CA pool and explicitly mention the name of the CA you want to
test using the --ca
flag.
You can use the following methods to request a certificate from a CA pool:
- Have CA Service create a private or public key for you.
- Generate your own private or public key and submit a Certificate Signing Request (CSR).
It is easier to use an auto-generated private key or public key to request a certificate from a CA in a CA pool. This section provides information on testing a CA using that method.
To use an auto-generated private key or public key to request a certificate
from a CA in a CA pool, run the following gcloud
command:
gcloud privateca certificates create \
--issuer-pool=POOL_ID \
--ca=ROOT_CA_ID \
--generate-key \
--key-output-file=KEY_FILENAME \
--cert-output-file=CERT_FILENAME \
--dns-san=DNS_NAME
Replace the following:
- POOL_ID: The name of the CA pool.
- ROOT_CA_ID: The unique identifier of the CA that you want to test.
- KEY_FILENAME: The file where the generated key is written in PEM format.
- CERT_FILENAME: The file where the resulting PEM-encoded certificate chain file is written. The order of the certificate chain is from leaf to root.
DNS_NAME: One or more comma-separated DNS Subject Alternative Names (SANs).
The
--generate-key
flag generates a new RSA-2048 private key on your machine.
To use a Certificate Signing Request (CSR) to request a certificate from a CA in a CA pool, or for more information about requesting certificates, see Request a certificate and view issued certificates.
Clone certificate authorities
To clone an existing CA to renew that CA, or to create a new CA with the same configuration, run the following command:
gcloud privateca roots create NEW_CA_ID --pool=POOL_ID \
--from-ca=EXISTING_CA_ID \
--key-algorithm "ec-p384-sha384"
Replace the following:
- NEW_CA_ID: The unique identifier of the new CA.
- POOL_ID: The name of the CA pool in which you want to create the new CA.
The --from-ca
flag is supported for root and subordinate CA creation. The
existing CA must be in the same CA pool as the new CA.
The --key-algorithm
flag copies all CA configuration from the existing CA
(except for the Cloud KMS key version and Cloud Storage bucket). However,
you can still override any of the configuration values in the new CA by
explicitly providing the appropriate flag. For example, you can still
specify `--subject SUBJECT to use a new subject.
If you omit the --key-algorithm
flag, the algorithm defaults to:
rsa-pkcs1-4096-sha256
for root CAs.rsa-pkcs1-2048-sha256
for subordinate CAs.
For more information about this gcloud
command, see
gcloud privateca roots create.
What's next
- Learn how to create a subordinate CA.
- Learn how to request certificates.
- Learn about templates and issuance policies.