Request a certificate using a certificate template
This page describes how to request a certificate using a certificate template.
Certificate templates let you implement fine-grained policy controls over your certificate issuance. For example, you can use certificate templates to standardize the issuance of server TLS certificates across CA pools in your organization. Or, you can use certificate templates to apply policies at a more granular level, such as to specific users. This is useful in situations when you need to restrict the kinds of certificates that different individuals can issue. You can also reuse templates for common issuance scenarios.
Before you begin
To get the permissions that you need to issue certificates using a certificate template, ask your administrator to grant you the CA Service Certificate Template User (roles/privateca.templateUser) IAM role on the certificate template. For more information about the predefined IAM roles for CA Service, see Access control with IAM.
For information about granting an IAM role to a principal, see Grant a single role.
Test certificate issuance
Before using a certificate template to request a signed certificate, we recommend that you verify the certificate template's ability to successfully generate a certificate. Certificate issuance fails when there is a conflict between the CA pool's issuance policies and the certificate template's policies. By testing issuance, you can proactively identify and resolve these conflicts. Note that test certificates are not PEM encoded, they are unsigned, and they incur no charges for generation.
To test certificate issuance using a certificate template, follow these steps:
Console
Go to the Certificate Authority Service page on the Google Cloud console.
Click the Template Manager tab.
Click the certificate template that you want to test. The Template Details page appears.
To create a test request, click Create certificate, and then click Test certificate issuance. The certificate request form appears.
Specify the following details that are required to create a certificate request:
- Region: location of the certificate. This must be the same as the CA pool's location.
- CA pool: the CA pool responsible for issuing the certificate.
- Certificate template: the template that you want to use for certificate issuance.
- Domain: the domain name of the site that you want to secure with an SSL or TLS certificate.
Click Generate certificate.
After the certificate is created, click View. The test or sample certificate is displayed on the same page in a separate panel.
If certificate issuance fails due to conflicts, resolve the conflicts, and submit the test certificate request again.
Issue certificates using a certificate template
To issue a signed certificate using a certificate template, do the following:
Console
Go to the Certificate Authority Service page on the Google Cloud console.
Click the Template Manager tab.
In the Certificate templates page, click the certificate template that you want to use. The Template details page appears.
Click Create certificate.
Select a region. This region must be the same as the region of the CA pool that you intend to use.
Select the CA pool.
To generate a certificate using a Certificate Signing Request (CSR), see Request a certificate using CSR.
To generate a certificate using an auto-generated key, see Request certificate using an auto-generated key.
Generate the certificate
- Click Generate certificate. If the certificate is generated successfully, a message is displayed.
- To see the generated certificate, click View certificate, and then click View.
Optional: Download the signed certificate
- To download the PEM-encoded certificate chain, click Download certificate chain.
- To download the associated PEM-encoded private key, click Download private key.
gcloud
To issue a certificate using a certificate template, add the --template flag to the gcloud privateca certificates create command in the following format:
--template=projects/PROJECT_ID/locations/LOCATION/certificateTemplates/CERTIFICATE_TEMPLATE
Replace CERTIFICATE_TEMPLATE with the name of the certificate template that you want to use for issuing this certificate. The specified template must be in the same location as the issuing CA pool. See the samples provided for generating test DNS certificates and generating production certificates for more information.
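The following script is an added example, not part of the original page or the gcloud tool itself: it builds the --template resource name, checks the location rule stated above before calling gcloud, and supports a dry run so the full command can be reviewed first. The project, location, CA pool, template and host names are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original page): preflight checks and a dry run
# of "gcloud privateca certificates create --template=...". Placeholder values
# assumed below: project "example-project", location "us-central1",
# CA pool "example-pool", template "server-tls".

# Build the full resource name that the --template flag expects.
template_path() {
  # $1 project ID, $2 location, $3 template name
  printf 'projects/%s/locations/%s/certificateTemplates/%s\n' "$1" "$2" "$3"
}

# Extract the location segment from a template resource name.
template_location() {
  printf '%s\n' "$1" | sed -n 's#^projects/[^/]*/locations/\([^/]*\)/certificateTemplates/.*#\1#p'
}

# The template must be in the same location as the issuing CA pool.
# Returns 0 when the locations match, 1 otherwise (the request would fail).
check_same_location() {
  # $1 template resource name, $2 CA pool location
  [ "$(template_location "$1")" = "$2" ]
}

# Issue a server certificate from the template with an auto-generated key.
# With DRY_RUN=1 the command is printed instead of executed.
issue_cert_with_template() {
  # $1 certificate name, $2 CA pool, $3 pool location,
  # $4 template resource name, $5 DNS subject alternative name
  check_same_location "$4" "$3" || {
    echo "template location does not match CA pool location $3" >&2
    return 1
  }
  set -- gcloud privateca certificates create "$1" \
    --issuer-pool="$2" --issuer-location="$3" \
    --template="$4" --dns-san="$5" \
    --generate-key --key-output-file="$1.key" \
    --cert-output-file="$1.crt" --validity=P30D
  if [ "${DRY_RUN:-0}" = 1 ]; then
    printf '%s ' "$@"; echo
  else
    "$@"
  fi
}

# Demo: print the command that would run for the placeholder values.
(DRY_RUN=1; issue_cert_with_template web-cert example-pool us-central1 \
  "$(template_path example-project us-central1 server-tls)" www.example.com)
```

Drop DRY_RUN (or set it to 0) once the printed command looks right; the private key is written to the .key file named after the certificate, so protect it accordingly.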
Terraform
To learn how to apply or remove a Terraform configuration, see Basic Terraform commands.
Share a certificate request link
To share a certificate request form link with others in your organization so that they can request a certificate using the same parameters, do the following:
Console
- In the Google Cloud console, go to the CA pool manager tab, and click Share request form link.
- In the Share request form link panel that appears, select the CA pool and the certificate template that you chose to create your request. The certificate request link is displayed.
- Copy the link and share as required.
Resolve policy conflicts
Certificate requests fail with an invalid argument error when there is a conflict between the CA pool's issuance policy and the certificate template. For example, a conflict occurs if the same extension (such as the base key usage) is defined in both the CA pool's baseline values and the certificate template's predefined values, or if one policy has extension constraints that exclude a specific extension while the other policy defines a value for that extension in its baseline values.
To view and resolve the policy conflicts, follow these steps:
Console
- Click the Issuance policy troubleshooter link that is displayed with the error message. A troubleshooter page appears where you can compare the baseline values and extension constraints in the CA pool's issuance policy with the baseline values and extension constraints in the certificate template's policy. Notice that the policy conflicts are highlighted.
- Access either the CA pool or the certificate template to update the conflicting values and resolve the conflict.
- After the conflict is resolved, submit the certificate request again.
View certificates issued using a template
To view the certificates issued using a certificate template, do the following:
Console
- In the Google Cloud console, go to the Template Manager tab.
- Click the certificate template that you have used for certificate issuance.
- On the Template Details page, click Certificates. The list of certificates issued using the selected certificate template is displayed.
What's next
- Learn how to view issued certificates.