创建根证书授权机构

本页面介绍如何在 CA 池中创建根证书授权机构 (CA)。

根 CA 位于公钥基础架构 (PKI) 层次结构的顶部,负责形成 PKI 的信任锚。若要在 PKI 中正确参与和使用证书,设备、软件或组件需要信任该 PKI。这是通过将设备、软件或组件配置为信任根 CA 来实现的。 因此,根 CA 颁发的所有证书都是可信的。

准备工作

创建根 CA

根 CA 具有自签名证书,您必须将该证书分发到客户端的信任存储区。根 CA 的证书位于证书链的顶部。其他 CA 都无法撤消此 CA 证书。根 CA 的 CRL 仅适用于根 CA 颁发的其他证书,而不适用于其自身。

控制台

如需创建根 CA,请执行以下操作。

  1. 转到 Google Cloud 控制台中的 Certificate Authority Service 页面。

    转到 Certificate Authority Service

  2. 点击 CA 管理员标签页。

  3. 点击创建 CA

选择 CA 类型

如需配置 CA 的永久性设置(例如层级、位置、生命周期和创建时的操作状态),请执行以下操作:

  1. 选择根 CA
  2. 有效期字段中,输入希望 CA 证书颁发的证书的有效期。
  3. 可选:为 CA 选择层级
  4. 点击区域,然后在列表中选择要创建 CA 的位置。我们建议在地理位置靠近应用客户端的位置创建 CA。如需了解详情,请参阅选择最佳位置

  5. 可选:选择要在哪个 CA 的运行状态。

    选择要在其中创建 CA 的操作状态。

  6. 可选:点击证书配置文件。在列表中,选择与您希望 CA 颁发的证书类型匹配的证书配置文件。

  7. 点击下一步

配置 CA 主题名称
  1. 组织 (O) 字段中,输入贵公司的名称。
  2. 可选:在组织部门 (OU) 字段中,输入公司下级或业务部门。
  3. 可选:在国家/地区名称字段中,输入由两个字母组成的国家/地区代码。
  4. 可选:在州或省/自治区/直辖市名称字段中,输入您所在州的名称。
  5. 可选:在 Locality name(市行政区名称)字段中,输入您所在城市的名称。
  6. CA 通用名称 (CN) 字段中,输入 CA 名称。
  7. 池 ID 字段中,输入 CA 池名称。创建 CA 后便无法更改 CA 池。
  8. 点击下一步
配置 CA 密钥大小和算法
  1. 选择最符合您需求的密钥算法。如需了解如何确定合适的密钥算法,请参阅选择密钥算法
  2. 点击下一步
配置 CA 工件

以下步骤是可选的。如果您跳过这些步骤,系统将应用默认设置。

  1. 选择是使用 Google 管理的 Cloud Storage 存储桶还是自行管理的 Cloud Storage 存储桶。

    2. 如果您未选择自行管理的 Cloud Storage 存储桶,CA Service 会在与 CA 相同的位置创建一个 Google 管理的存储桶。

  2. 选择是否禁止向 Cloud Storage 存储桶发布证书吊销列表 (CRL) 和 CA 证书。

    3. 默认情况下,系统会在 Cloud Storage 存储桶上发布 CRL 和 CA 证书。如需停用这些设置,请点击切换开关。

  3. 点击下一步
添加标签

以下步骤是可选步骤。

如果要为 CA 添加标签,请执行以下操作:

  1. 点击 添加一项
  2. 键 1 字段中,输入标签键。
  3. 值 1 字段中,输入标签值。
  4. 如果您要添加其他标签,请点击 添加一项。然后,添加第 2 步和第 3 步中所述的标签键和值。
  5. 点击下一步
查看设置

仔细检查所有设置,然后点击创建以创建 CA。

gcloud

  1. 如需创建 CA 池,请运行以下命令:

    gcloud privateca pools create POOL_ID

    POOL_ID 替换为 CA 池的名称。

    如需了解详情,请参阅创建 CA 池

    如需详细了解此 gcloud 命令,请参阅 gcloud privatecapool create

  2. 在您创建的 CA 池中创建新的根 CA。

    gcloud privateca roots create ROOT_CA_ID --pool=POOL_ID \
  --key-algorithm=KEY_ALGORITHM \
  --subject="CN=my-ca, O=Test LLC"

    替换以下内容:

    • ROOT_CA_ID:CA 的名称。
    • POOL_ID:CA 池的名称。
    • KEY_ALGORITHM:用于创建 Cloud KMS 密钥的算法。此标志是可选标志。如果您未添加此标志,密钥算法默认为 rsa-pkcs1-4096-sha256。如需了解详情,请参阅 --key-algorithm 标志

    默认情况下,CA 在创建时处于 STAGED 状态。如需默认启用 CA,请添加 --auto-enable 标志。

    如果要使用客户管理的 Cloud Storage 存储桶来发布 CA 证书和 CRL,请在命令中添加 --bucket bucket-name。将 bucket-name 替换为 Cloud Storage 存储桶的名称。

    如需查看完整的设置列表,请运行以下命令:

    gcloud privateca roots create --help

Terraform

如需使用 Google 管理的密钥创建根 CA,请使用以下示例配置:

resource "google_privateca_certificate_authority" "default" {
  // This example assumes this pool already exists.
  // Pools cannot be deleted in normal test circumstances, so we depend on static pools
  pool                     = "my-pool"
  certificate_authority_id = "my-certificate-authority-hashicorp"
  location                 = "us-central1"
  deletion_protection      = false # set to true to prevent destruction of the resource
  config {
    subject_config {
      subject {
        organization = "HashiCorp"
        common_name  = "my-certificate-authority"
      }
      subject_alt_name {
        dns_names = ["hashicorp.com"]
      }
    }
    x509_config {
      ca_options {
        is_ca                  = true
        max_issuer_path_length = 10
      }
      key_usage {
        base_key_usage {
          digital_signature  = true
          content_commitment = true
          key_encipherment   = false
          data_encipherment  = true
          key_agreement      = true
          cert_sign          = true
          crl_sign           = true
          decipher_only      = true
        }
        extended_key_usage {
          server_auth      = true
          client_auth      = false
          email_protection = true
          code_signing     = true
          time_stamping    = true
        }
      }
    }
  }
  lifetime = "86400s"
  key_spec {
    algorithm = "RSA_PKCS1_4096_SHA256"
  }
}

如需使用自行管理的密钥创建根 CA,请使用以下示例配置:

resource "google_project_service_identity" "privateca_sa" {
  provider = google-beta
  service  = "privateca.googleapis.com"
}

resource "google_kms_crypto_key_iam_binding" "privateca_sa_keyuser_signerverifier" {
  crypto_key_id = "projects/keys-project/locations/us-central1/keyRings/key-ring/cryptoKeys/crypto-key"
  role          = "roles/cloudkms.signerVerifier"

  members = [
    "serviceAccount:${google_project_service_identity.privateca_sa.email}",
  ]
}

resource "google_kms_crypto_key_iam_binding" "privateca_sa_keyuser_viewer" {
  crypto_key_id = "projects/keys-project/locations/us-central1/keyRings/key-ring/cryptoKeys/crypto-key"
  role          = "roles/viewer"
  members = [
    "serviceAccount:${google_project_service_identity.privateca_sa.email}",
  ]
}

resource "google_privateca_certificate_authority" "default" {
  // This example assumes this pool already exists.
  // Pools cannot be deleted in normal test circumstances, so we depend on static pools
  pool                     = "ca-pool"
  certificate_authority_id = "my-certificate-authority"
  location                 = "us-central1"
  deletion_protection      = false # set to true to prevent destruction of the resource
  key_spec {
    cloud_kms_key_version = "projects/keys-project/locations/us-central1/keyRings/key-ring/cryptoKeys/crypto-key/cryptoKeyVersions/1"
  }

  config {
    subject_config {
      subject {
        organization = "Example, Org."
        common_name  = "Example Authority"
      }
    }
    x509_config {
      ca_options {
        # is_ca *MUST* be true for certificate authorities
        is_ca                  = true
        max_issuer_path_length = 10
      }
      key_usage {
        base_key_usage {
          # cert_sign and crl_sign *MUST* be true for certificate authorities
          cert_sign = true
          crl_sign  = true
        }
        extended_key_usage {
          server_auth = false
        }
      }
    }
  }

  depends_on = [
    google_kms_crypto_key_iam_binding.privateca_sa_keyuser_signerverifier,
    google_kms_crypto_key_iam_binding.privateca_sa_keyuser_viewer,
  ]
}

Go

如需向 CA Service 进行身份验证,请设置应用默认凭据。如需了解详情,请参阅为本地开发环境设置身份验证

import (
	"context"
	"fmt"
	"io"

	privateca "cloud.google.com/go/security/privateca/apiv1"
	"cloud.google.com/go/security/privateca/apiv1/privatecapb"
	"google.golang.org/protobuf/types/known/durationpb"
)

// Create Certificate Authority which is the root CA in the given CA Pool. This CA will be
// responsible for signing certificates within this pool.
func createCa(
	w io.Writer,
	projectId string,
	location string,
	caPoolId string,
	caId string,
	caCommonName string,
	org string,
	caDuration int64) error {
	// projectId := "your_project_id"
	// location := "us-central1"		// For a list of locations, see: https://cloud.google.com/certificate-authority-service/docs/locations.
	// caPoolId := "ca-pool-id"			// The CA Pool id under which the CA should be created.
	// caId := "ca-id"					// A unique id/name for the ca.
	// caCommonName := "ca-name"		// A common name for your certificate authority.
	// org := "ca-org"					// The name of your company for your certificate authority.
	// ca_duration := int64(31536000)	// The validity of the certificate authority in seconds.

	ctx := context.Background()
	caClient, err := privateca.NewCertificateAuthorityClient(ctx)
	if err != nil {
		return fmt.Errorf("NewCertificateAuthorityClient creation failed: %w", err)
	}
	defer caClient.Close()

	// Set the types of Algorithm used to create a cloud KMS key.
	keySpec := &privatecapb.CertificateAuthority_KeyVersionSpec{
		KeyVersion: &privatecapb.CertificateAuthority_KeyVersionSpec_Algorithm{
			Algorithm: privatecapb.CertificateAuthority_RSA_PKCS1_2048_SHA256,
		},
	}

	// Set CA subject config.
	subjectConfig := &privatecapb.CertificateConfig_SubjectConfig{
		Subject: &privatecapb.Subject{
			CommonName:   caCommonName,
			Organization: org,
		},
	}

	// Set the key usage options for X.509 fields.
	isCa := true
	x509Parameters := &privatecapb.X509Parameters{
		KeyUsage: &privatecapb.KeyUsage{
			BaseKeyUsage: &privatecapb.KeyUsage_KeyUsageOptions{
				CrlSign:  true,
				CertSign: true,
			},
		},
		CaOptions: &privatecapb.X509Parameters_CaOptions{
			IsCa: &isCa,
		},
	}

	// Set certificate authority settings.
	// Type: SELF_SIGNED denotes that this CA is a root CA.
	ca := &privatecapb.CertificateAuthority{
		Type:    privatecapb.CertificateAuthority_SELF_SIGNED,
		KeySpec: keySpec,
		Config: &privatecapb.CertificateConfig{
			SubjectConfig: subjectConfig,
			X509Config:    x509Parameters,
		},
		Lifetime: &durationpb.Duration{
			Seconds: caDuration,
		},
	}

	fullCaPoolName := fmt.Sprintf("projects/%s/locations/%s/caPools/%s", projectId, location, caPoolId)

	// Create the CreateCertificateAuthorityRequest.
	// See https://pkg.go.dev/cloud.google.com/go/security/privateca/apiv1/privatecapb#CreateCertificateAuthorityRequest.
	req := &privatecapb.CreateCertificateAuthorityRequest{
		Parent:                 fullCaPoolName,
		CertificateAuthorityId: caId,
		CertificateAuthority:   ca,
	}

	op, err := caClient.CreateCertificateAuthority(ctx, req)
	if err != nil {
		return fmt.Errorf("CreateCertificateAuthority failed: %w", err)
	}

	if _, err = op.Wait(ctx); err != nil {
		return fmt.Errorf("CreateCertificateAuthority failed during wait: %w", err)
	}

	fmt.Fprintf(w, "CA %s created", caId)

	return nil
}

Java

如需向 CA Service 进行身份验证,请设置应用默认凭据。如需了解详情,请参阅为本地开发环境设置身份验证


import com.google.api.core.ApiFuture;
import com.google.cloud.security.privateca.v1.CaPoolName;
import com.google.cloud.security.privateca.v1.CertificateAuthority;
import com.google.cloud.security.privateca.v1.CertificateAuthority.KeyVersionSpec;
import com.google.cloud.security.privateca.v1.CertificateAuthority.SignHashAlgorithm;
import com.google.cloud.security.privateca.v1.CertificateAuthorityServiceClient;
import com.google.cloud.security.privateca.v1.CertificateConfig;
import com.google.cloud.security.privateca.v1.CertificateConfig.SubjectConfig;
import com.google.cloud.security.privateca.v1.CreateCertificateAuthorityRequest;
import com.google.cloud.security.privateca.v1.KeyUsage;
import com.google.cloud.security.privateca.v1.KeyUsage.KeyUsageOptions;
import com.google.cloud.security.privateca.v1.Subject;
import com.google.cloud.security.privateca.v1.X509Parameters;
import com.google.cloud.security.privateca.v1.X509Parameters.CaOptions;
import com.google.longrunning.Operation;
import com.google.protobuf.Duration;
import java.io.IOException;
import java.util.concurrent.ExecutionException;

public class CreateCertificateAuthority {

  public static void main(String[] args)
      throws InterruptedException, ExecutionException, IOException {
    // TODO(developer): Replace these variables before running the sample.
    // location: For a list of locations, see:
    // https://cloud.google.com/certificate-authority-service/docs/locations
    // poolId: Set it to the CA Pool under which the CA should be created.
    // certificateAuthorityName: Unique name for the CA.
    String project = "your-project-id";
    String location = "ca-location";
    String poolId = "ca-pool-id";
    String certificateAuthorityName = "certificate-authority-name";
    createCertificateAuthority(project, location, poolId, certificateAuthorityName);
  }

  // Create Certificate Authority which is the root CA in the given CA Pool.
  public static void createCertificateAuthority(
      String project, String location, String poolId, String certificateAuthorityName)
      throws InterruptedException, ExecutionException, IOException {
    // Initialize client that will be used to send requests. This client only needs to be created
    // once, and can be reused for multiple requests. After completing all of your requests, call
    // the `certificateAuthorityServiceClient.close()` method on the client to safely
    // clean up any remaining background resources.
    try (CertificateAuthorityServiceClient certificateAuthorityServiceClient =
        CertificateAuthorityServiceClient.create()) {

      String commonName = "common-name";
      String orgName = "org-name";
      int caDuration = 100000; // Validity of this CA in seconds.

      // Set the type of Algorithm.
      KeyVersionSpec keyVersionSpec =
          KeyVersionSpec.newBuilder().setAlgorithm(SignHashAlgorithm.RSA_PKCS1_4096_SHA256).build();

      // Set CA subject config.
      SubjectConfig subjectConfig =
          SubjectConfig.newBuilder()
              .setSubject(
                  Subject.newBuilder().setCommonName(commonName).setOrganization(orgName).build())
              .build();

      //  Set the key usage options for X.509 fields.
      X509Parameters x509Parameters =
          X509Parameters.newBuilder()
              .setKeyUsage(
                  KeyUsage.newBuilder()
                      .setBaseKeyUsage(
                          KeyUsageOptions.newBuilder().setCrlSign(true).setCertSign(true).build())
                      .build())
              .setCaOptions(CaOptions.newBuilder().setIsCa(true).build())
              .build();

      // Set certificate authority settings.
      CertificateAuthority certificateAuthority =
          CertificateAuthority.newBuilder()
              // CertificateAuthority.Type.SELF_SIGNED denotes that this CA is a root CA.
              .setType(CertificateAuthority.Type.SELF_SIGNED)
              .setKeySpec(keyVersionSpec)
              .setConfig(
                  CertificateConfig.newBuilder()
                      .setSubjectConfig(subjectConfig)
                      .setX509Config(x509Parameters)
                      .build())
              // Set the CA validity duration.
              .setLifetime(Duration.newBuilder().setSeconds(caDuration).build())
              .build();

      // Create the CertificateAuthorityRequest.
      CreateCertificateAuthorityRequest certificateAuthorityRequest =
          CreateCertificateAuthorityRequest.newBuilder()
              .setParent(CaPoolName.of(project, location, poolId).toString())
              .setCertificateAuthorityId(certificateAuthorityName)
              .setCertificateAuthority(certificateAuthority)
              .build();

      // Create Certificate Authority.
      ApiFuture<Operation> futureCall =
          certificateAuthorityServiceClient
              .createCertificateAuthorityCallable()
              .futureCall(certificateAuthorityRequest);
      Operation response = futureCall.get();

      if (response.hasError()) {
        System.out.println("Error while creating CA !" + response.getError());
        return;
      }

      System.out.println(
          "Certificate Authority created successfully : " + certificateAuthorityName);
    }
  }
}

Python

如需向 CA Service 进行身份验证,请设置应用默认凭据。如需了解详情,请参阅为本地开发环境设置身份验证

import google.cloud.security.privateca_v1 as privateca_v1
from google.protobuf import duration_pb2

def create_certificate_authority(
    project_id: str,
    location: str,
    ca_pool_name: str,
    ca_name: str,
    common_name: str,
    organization: str,
    ca_duration: int,
) -> None:
    """
    Create Certificate Authority which is the root CA in the given CA Pool. This CA will be
    responsible for signing certificates within this pool.

    Args:
        project_id: project ID or project number of the Cloud project you want to use.
        location: location you want to use. For a list of locations, see: https://cloud.google.com/certificate-authority-service/docs/locations.
        ca_pool_name: set it to the CA Pool under which the CA should be created.
        ca_name: unique name for the CA.
        common_name: a title for your certificate authority.
        organization: the name of your company for your certificate authority.
        ca_duration: the validity of the certificate authority in seconds.
    """

    caServiceClient = privateca_v1.CertificateAuthorityServiceClient()

    # Set the types of Algorithm used to create a cloud KMS key.
    key_version_spec = privateca_v1.CertificateAuthority.KeyVersionSpec(
        algorithm=privateca_v1.CertificateAuthority.SignHashAlgorithm.RSA_PKCS1_4096_SHA256
    )

    # Set CA subject config.
    subject_config = privateca_v1.CertificateConfig.SubjectConfig(
        subject=privateca_v1.Subject(common_name=common_name, organization=organization)
    )

    # Set the key usage options for X.509 fields.
    x509_parameters = privateca_v1.X509Parameters(
        key_usage=privateca_v1.KeyUsage(
            base_key_usage=privateca_v1.KeyUsage.KeyUsageOptions(
                crl_sign=True,
                cert_sign=True,
            )
        ),
        ca_options=privateca_v1.X509Parameters.CaOptions(
            is_ca=True,
        ),
    )

    # Set certificate authority settings.
    certificate_authority = privateca_v1.CertificateAuthority(
        # CertificateAuthority.Type.SELF_SIGNED denotes that this CA is a root CA.
        type_=privateca_v1.CertificateAuthority.Type.SELF_SIGNED,
        key_spec=key_version_spec,
        config=privateca_v1.CertificateConfig(
            subject_config=subject_config,
            x509_config=x509_parameters,
        ),
        lifetime=duration_pb2.Duration(seconds=ca_duration),
    )

    ca_pool_path = caServiceClient.ca_pool_path(project_id, location, ca_pool_name)

    # Create the CertificateAuthorityRequest.
    request = privateca_v1.CreateCertificateAuthorityRequest(
        parent=ca_pool_path,
        certificate_authority_id=ca_name,
        certificate_authority=certificate_authority,
    )

    operation = caServiceClient.create_certificate_authority(request=request)
    result = operation.result()

    print("Operation result:", result)

REST API

  1. 创建根 CA。

    HTTP 方法和网址: 

    POST https://privateca.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/caPools/POOL_ID/certificateAuthorities?certificate_authority_id=ROOT_CA_ID

    请求 JSON 正文:

    {
"type": "SELF_SIGNED",
"lifetime": {
 "seconds": 315576000,
 "nanos": 0
},
"config": {
 "subject_config": {
   "subject": {
     "organization": "ORGANIZATION_NAME",
     "common_name": "COMMON_NAME"
   }
 },
 "x509_config":{
   "ca_options":{
     "is_ca":true
   },
   "key_usage":{
     "base_key_usage":{
       "cert_sign":true,
       "crl_sign":true
     }
   }
 }
},
"key_spec":{
 "algorithm":"RSA_PKCS1_4096_SHA256"
}
}

    如需发送您的请求,请展开以下选项之一:

    您应该收到类似以下内容的 JSON 响应:

    {
 "name": "projects/PROJECT_ID/locations/LOCATION/operations/operation-UUID",
 "metadata": {...},
 "done": false
}

  2. 轮询操作,直到完成为止。

    HTTP 方法和网址: 

    GET https://privateca.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/operations/operation-UUID

    如需发送您的请求,请展开以下选项之一:

    您应该收到类似以下内容的 JSON 响应:

    {
 "name": "projects/PROJECT_ID/locations/LOCATION/operations/operation-UUID",
 "metadata": {...},
 "done": true,
 "response": {
   "@type": "type.googleapis.com/google.cloud.security.privateca.v1.CertificateAuthority",
   "name": "...",
 }
}

验证 CA 按预期运行后,您可以使其开始为 CA 池颁发负载均衡证书。

启用根 CA

gcloud

如需启用根 CA,请运行以下 gcloud 命令:

gcloud privateca roots enable ROOT_CA_ID --pool=POOL_ID

替换以下内容:

  • ROOT_CA_ID:CA 的名称。
  • POOL_ID:CA 池的名称。

Terraform

如果您使用 Terraform 创建根 CA,则根 CA 会在创建时启用。如需创建处于 STAGED 状态的根 CA,请在创建 CA 时将 desired_state 字段设置为 STAGED

您可以在创建 CA 后将 desired_state 字段设置为 ENABLEDDISABLED

Go

如需向 CA Service 进行身份验证,请设置应用默认凭据。如需了解详情,请参阅为本地开发环境设置身份验证

import (
	"context"
	"fmt"
	"io"

	privateca "cloud.google.com/go/security/privateca/apiv1"
	"cloud.google.com/go/security/privateca/apiv1/privatecapb"
)

// Enable the Certificate Authority present in the given ca pool.
// CA cannot be enabled if it has been already deleted.
func enableCa(w io.Writer, projectId string, location string, caPoolId string, caId string) error {
	// projectId := "your_project_id"
	// location := "us-central1"	// For a list of locations, see: https://cloud.google.com/certificate-authority-service/docs/locations.
	// caPoolId := "ca-pool-id"		// The id of the CA pool under which the CA is present.
	// caId := "ca-id"				// The id of the CA to be enabled.

	ctx := context.Background()
	caClient, err := privateca.NewCertificateAuthorityClient(ctx)
	if err != nil {
		return fmt.Errorf("NewCertificateAuthorityClient creation failed: %w", err)
	}
	defer caClient.Close()

	fullCaName := fmt.Sprintf("projects/%s/locations/%s/caPools/%s/certificateAuthorities/%s",
		projectId, location, caPoolId, caId)

	// Create the EnableCertificateAuthorityRequest.
	// See https://pkg.go.dev/cloud.google.com/go/security/privateca/apiv1/privatecapb#EnableCertificateAuthorityRequest.
	req := &privatecapb.EnableCertificateAuthorityRequest{Name: fullCaName}

	op, err := caClient.EnableCertificateAuthority(ctx, req)
	if err != nil {
		return fmt.Errorf("EnableCertificateAuthority failed: %w", err)
	}

	var caResp *privatecapb.CertificateAuthority
	if caResp, err = op.Wait(ctx); err != nil {
		return fmt.Errorf("EnableCertificateAuthority failed during wait: %w", err)
	}

	if caResp.State != privatecapb.CertificateAuthority_ENABLED {
		return fmt.Errorf("unable to enable Certificate Authority. Current state: %s", caResp.State.String())
	}

	fmt.Fprintf(w, "Successfully enabled Certificate Authority: %s.", caId)
	return nil
}

Java

如需向 CA Service 进行身份验证,请设置应用默认凭据。如需了解详情,请参阅为本地开发环境设置身份验证


import com.google.api.core.ApiFuture;
import com.google.cloud.security.privateca.v1.CertificateAuthority.State;
import com.google.cloud.security.privateca.v1.CertificateAuthorityName;
import com.google.cloud.security.privateca.v1.CertificateAuthorityServiceClient;
import com.google.cloud.security.privateca.v1.EnableCertificateAuthorityRequest;
import com.google.longrunning.Operation;
import java.io.IOException;
import java.util.concurrent.ExecutionException;

public class EnableCertificateAuthority {

  public static void main(String[] args)
      throws InterruptedException, ExecutionException, IOException {
    // TODO(developer): Replace these variables before running the sample.
    // location: For a list of locations, see:
    // https://cloud.google.com/certificate-authority-service/docs/locations
    // poolId: The id of the CA pool under which the CA is present.
    // certificateAuthorityName: The name of the CA to be enabled.
    String project = "your-project-id";
    String location = "ca-location";
    String poolId = "ca-pool-id";
    String certificateAuthorityName = "certificate-authority-name";
    enableCertificateAuthority(project, location, poolId, certificateAuthorityName);
  }

  // Enable the Certificate Authority present in the given ca pool.
  // CA cannot be enabled if it has been already deleted.
  public static void enableCertificateAuthority(
      String project, String location, String poolId, String certificateAuthorityName)
      throws IOException, ExecutionException, InterruptedException {
    try (CertificateAuthorityServiceClient certificateAuthorityServiceClient =
        CertificateAuthorityServiceClient.create()) {
      // Create the Certificate Authority Name.
      CertificateAuthorityName certificateAuthorityParent =
          CertificateAuthorityName.newBuilder()
              .setProject(project)
              .setLocation(location)
              .setCaPool(poolId)
              .setCertificateAuthority(certificateAuthorityName)
              .build();

      // Create the Enable Certificate Authority Request.
      EnableCertificateAuthorityRequest enableCertificateAuthorityRequest =
          EnableCertificateAuthorityRequest.newBuilder()
              .setName(certificateAuthorityParent.toString())
              .build();

      // Enable the Certificate Authority.
      ApiFuture<Operation> futureCall =
          certificateAuthorityServiceClient
              .enableCertificateAuthorityCallable()
              .futureCall(enableCertificateAuthorityRequest);
      Operation response = futureCall.get();

      if (response.hasError()) {
        System.out.println("Error while enabling Certificate Authority !" + response.getError());
        return;
      }

      // Get the current CA state.
      State caState =
          certificateAuthorityServiceClient
              .getCertificateAuthority(certificateAuthorityParent)
              .getState();

      // Check if the CA is enabled.
      if (caState == State.ENABLED) {
        System.out.println("Enabled Certificate Authority : " + certificateAuthorityName);
      } else {
        System.out.println(
            "Cannot enable the Certificate Authority ! Current CA State: " + caState);
      }
    }
  }
}

Python

如需向 CA Service 进行身份验证,请设置应用默认凭据。如需了解详情,请参阅为本地开发环境设置身份验证

import google.cloud.security.privateca_v1 as privateca_v1

def enable_certificate_authority(
    project_id: str, location: str, ca_pool_name: str, ca_name: str
) -> None:
    """
    Enable the Certificate Authority present in the given ca pool.
    CA cannot be enabled if it has been already deleted.

    Args:
        project_id: project ID or project number of the Cloud project you want to use.
        location: location you want to use. For a list of locations, see: https://cloud.google.com/certificate-authority-service/docs/locations.
        ca_pool_name: the name of the CA pool under which the CA is present.
        ca_name: the name of the CA to be enabled.
    """

    caServiceClient = privateca_v1.CertificateAuthorityServiceClient()
    ca_path = caServiceClient.certificate_authority_path(
        project_id, location, ca_pool_name, ca_name
    )

    # Create the Enable Certificate Authority Request.
    request = privateca_v1.EnableCertificateAuthorityRequest(
        name=ca_path,
    )

    # Enable the Certificate Authority.
    operation = caServiceClient.enable_certificate_authority(request=request)
    operation.result()

    # Get the current CA state.
    ca_state = caServiceClient.get_certificate_authority(name=ca_path).state

    # Check if the CA is enabled.
    if ca_state == privateca_v1.CertificateAuthority.State.ENABLED:
        print("Enabled Certificate Authority:", ca_name)
    else:
        print("Cannot enable the Certificate Authority ! Current CA State:", ca_state)

REST API

  1. 启用 CA 以从 CA 池颁发证书。

    HTTP 方法和网址: 

    POST https://privateca.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/caPools/POOL_ID/certificateAuthorities/ROOT_CA_ID:enable

    如需发送您的请求,请展开以下选项之一:

    您应该收到类似以下内容的 JSON 响应:

    {
 "name": "projects/PROJECT_ID/locations/LOCATION/operations/operation-UUID",
 "metadata": {...},
 "done": false
}

  2. 轮询操作,直到完成为止。

    HTTP 方法和网址: 

    GET https://privateca.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/operations/operation-UUID

    如需发送您的请求,请展开以下选项之一:

    您应该收到类似以下内容的 JSON 响应:

    {
 "name": "projects/PROJECT_ID/locations/LOCATION/operations/operation-UUID",
 "metadata": {...},
 "done": true,
 "response": {
   "@type": "type.googleapis.com/google.cloud.security.privateca.v1.CertificateAuthority",
   "name": "...",
 }
}

测试 CA

如需验证 CA 是否能够颁发证书,请向关联的 CA 池请求证书,并使用 --ca 标志明确提及要测试的 CA 的名称。

您可以使用以下方法向 CA 池请求证书:

  1. 让 CA Service 为您创建私钥或公钥。
  2. 生成您自己的私钥或公钥,然后提交证书签名请求 (CSR)。

使用自动生成的私钥或公钥向 CA 池中的 CA 请求证书更为容易。本部分介绍了如何使用该方法测试 CA。

如需使用自动生成的私钥或公钥向 CA 池中的 CA 请求证书,请运行以下 gcloud 命令:

gcloud privateca certificates create \
  --issuer-pool=POOL_ID \
  --ca=ROOT_CA_ID \
  --generate-key \
  --key-output-file=KEY_FILENAME \
  --cert-output-file=CERT_FILENAME \
  --dns-san=DNS_NAME

替换以下内容:

  • POOL_ID:CA 池的名称。
  • ROOT_CA_ID:您要测试的 CA 的唯一标识符。
  • KEY_FILENAME:生成的密钥以 PEM 格式写入的文件。
  • CERT_FILENAME:写入生成的 PEM 编码的证书链文件所在的文件。证书链的顺序为从叶到根。

  • DNS_NAME:一个或多个以英文逗号分隔的 DNS 主题备用名称 (SAN)。

    --generate-key 标志在您的机器上生成新的 RSA-2048 私钥。

如需使用证书签名请求 (CSR) 向 CA 池中的 CA 请求证书,或详细了解如何请求证书,请参阅请求证书并查看已颁发的证书

克隆证书授权机构

如需克隆现有 CA 以续订该 CA,或使用相同的配置创建新 CA,请运行以下命令:

gcloud privateca roots create NEW_CA_ID --pool=POOL_ID \
  --from-ca=EXISTING_CA_ID \
  --key-algorithm "ec-p384-sha384"

替换以下内容:

  • NEW_CA_ID:新 CA 的唯一标识符。
  • POOL_ID:您要在其中创建新 CA 的 CA 池的名称。

创建根 CA 和从属 CA 时支持 --from-ca 标志。现有 CA 必须与新 CA 位于同一 CA 池中。

--key-algorithm 标志会从现有 CA 复制所有 CA 配置(Cloud KMS 密钥版本和 Cloud Storage 存储桶除外)。不过,您仍然可以通过明确提供适当的标志来替换新 CA 中的任何配置值。例如,您仍可指定“--subject SUBJECT”以使用新的正文。

如果您省略 --key-algorithm 标志,则算法默认为:

  • rsa-pkcs1-4096-sha256(针对根 CA)。
  • rsa-pkcs1-2048-sha256(适用于从属 CA)。

如需详细了解此 gcloud 命令,请参阅 gcloud privateca roots create

后续步骤