Quickstart

This page shows you how to get started using Certificate Authority Service by creating a Certificate Authority (CA) and issuing a certificate.

Before you begin

Prerequisites

  1. Sign in to your Google Account.

    If you don't already have one, sign up for a new account.

  2. In the Cloud Console, on the project selector page, select or create a Cloud project.

  3. Make sure that billing is enabled for your Google Cloud project. Learn how to confirm billing is enabled for your project.

  4. Enable the required API.

  5. Install and initialize the Cloud SDK.

Locations

A Certificate Authority (CA) lives in a single Cloud location that cannot be changed after creation. We recommend creating your CA in the same (or nearby) location where it will be used.

For a list of supported locations, run the following command:

gcloud beta privateca locations list

One-time setup

Console

If you are using the Google Cloud Console, no additional setup is necessary.

gcloud

A default location can be configured for use in the gcloud beta privateca command group by running the following command:

gcloud config set privateca/location location

REST API

Some scenarios, such as creating a CA with existing Cloud KMS keys or Cloud Storage buckets, require an initialization step to be performed at least once for each project where they are used. This step is done automatically by Google Cloud Console and the gcloud command-line tool, but users directly calling the API will need to do it manually.

To do this, follow the instructions at CA Service Service Agent.

Create a Root CA

Console

  1. Go to the Certificate Authority Service page in the Google Cloud Console.

  2. Click the Create CA button

  3. Under Select CA type:

    1. Choose the Root CA type
    2. Choose the Enterprise tier
    3. Pick a location from the Regionalization drop-down
    4. Click the Next button
  4. Under Configure CA subject name:

    1. Enter an Organization Name into the Organization (O) field
    2. Enter a Common Name into the CA common name (CN) field
    3. Enter a root-ca-id into the Resource ID field
    4. All other text boxes are optional
    5. Click the Next button
  5. Under Configure CA key size and algorithm:

    1. Choose the RSA PKCS1 4096 key type
    2. Click the Next button
  6. Under Configure CA artifacts:

    1. Click the Next button
  7. Under Add labels (optional):

    1. Click the Next button
  8. Under Review:

    1. Review the configuration for correctness
    2. Click the Create button

gcloud

$ gcloud beta privateca roots create root-ca-id \
    --subject "CN=Common Name, O=Organization Name"

Created Certificate Authority [projects/project-id/locations/location/certificateAuthorities/root-ca-id]

Where:

  • root-ca-id is the resource ID of the root CA, which will be used to refer to this CA in other commands.
  • --subject is the X.500 distinguished name of the Certificate Authority.

    At minimum, the Common Name (CN) and Organization (O) must be specified.

REST API

HTTP method and URL:

POST https://privateca.googleapis.com/v1beta1/projects/project-id/locations/location/certificateAuthorities?certificate_authority_id=root-ca-id

Request JSON body:

{
  "type": "SELF_SIGNED",
  "tier": "ENTERPRISE",
  "lifetime": {
    "seconds": 315576000,
    "nanos": 0
  },
  "config": {
    "subject_config": {
      "subject": {
        "organization": "Organization Name"
      },
      "common_name": "Common Name"
    },
    "reusable_config": {
      "reusable_config_values": {
        "key_usage": {
          "base_key_usage": {
            "cert_sign": true,
            "crl_sign": true
          }
        },
        "ca_options": {
          "is_ca": {
            "value": true
          }
        }
      }
    }
  },
  "key_spec": {
    "algorithm": "RSA_PKCS1_4096_SHA256"
  }
}

You should receive a JSON response similar to the following:

{
  "name": "projects/project-id/locations/location/operations/operation-uuid",
  "metadata": {...},
  "done": false
}

Create a certificate

We can use the newly created root Certificate Authority to issue a certificate.

Console

  1. Go to the Certificate Authority Service page in the Google Cloud Console.

  2. Click on the root-ca-id that was just created.

  3. Click on the Request Certificate tab. You may need to use the horizontal scroll button if this is not visible on your screen.

  4. Click the Enter Details button.

  5. Under Enter details:

    1. Keep the auto-generated Certificate name, or choose a different unique name.
    2. Click the Add Item button under Add domain name.
    3. Enter a domain-name into the FQDN field.
    4. Check Server TLS.
    5. Click the Next button
  6. Under Configure key size and algorithm:

    1. Keep the default algorithm, or choose a different one from the drop-down. A new asymmetric key pair will be generated using the selected algorithm.
    2. Click the Continue button
  7. Under Download signed certificate:

    1. Click Download Certificate Chain to download the PEM-encoded certificate chain.
    2. Click Download Private Key to download the associated PEM-encoded private key.
    3. Click the Done button

gcloud

  1. Install the Pyca cryptography library by following these steps.

    This is used to generate a new asymmetric key pair on your local machine.

  2. Run the following command:

    $ gcloud beta privateca certificates create \
        --issuer root-ca-id \
        --dns-san domain-name \
        --generate-key \
        --key-output-file key-file-path \
        --cert-output-file certificate-file-path
    
    Created Certificate [projects/project-id/locations/location/certificateAuthorities/root-ca-id/certificates/certificate-id]
    

    Where:

    • --issuer refers to the resource ID of the root CA that we created.
    • --dns-san is a DNS Subject Alternative Name (SAN) to include in the certificate.
    • --generate-key instructs the gcloud tool to generate a new RSA-2048 key pair for this certificate.

      This key is generated and stored on the local machine and is never sent to CA Service; only the public key leaves the machine, inside the certificate request.

    • --key-output-file is the path where the generated PEM-encoded private key will be written.

    • --cert-output-file is the path where the generated PEM-encoded certificate will be written.

REST API

First, follow Using a CSR to get a PEM CSR for requesting a certificate.

HTTP method and URL:

POST https://privateca.googleapis.com/v1beta1/projects/project-id/locations/location/certificateAuthorities/root-ca-id/certificates?certificate_id=certificate-id

Request JSON body:

{
  "lifetime": {
    "seconds": 604800,
    "nanos": 0
  },
  "pem_csr": "PEM_CSR"
}

You should receive a JSON response similar to the following:

{
  "name": "projects/project-id/locations/location/certificateAuthorities/ca-id/certificates/certificate-id",
  "pemCertificate": "-----BEGIN CERTIFICATE-----...",
  "certificateDescription": {...}
}
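The REST flow above expects a PEM CSR, and both REST calls take a JSON body that is easy to get subtly wrong (lifetime in seconds, nested key-usage flags). The following is an added example, not code from the Google Cloud documentation or from CA Service itself: it uses the pyca cryptography library (the same library the gcloud section installs) to generate a key pair locally, build a CSR carrying a DNS SAN, check the CSR before it is submitted, and assemble the root CA and certificate request bodies shown on this page. The Server TLS key-usage and extended-key-usage values placed in the CSR are assumptions chosen to match the console's "Server TLS" option; what is actually issued is governed by the CA's reusable config, not by the CSR. The host names are constructed sample values.

```python
"""Key pair, CSR and request-body helpers for the CA Service REST flow.

Added example (not Google's code).  Requires the pyca cryptography library.
"""
import json

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

TEN_YEARS_SECONDS = 315576000  # 10 * 365.25 days: the root CA lifetime used above
ONE_WEEK_SECONDS = 604800      # 7 days: the leaf certificate lifetime used above


def generate_key_and_csr(common_name, dns_names, key_size=2048):
    """Return (private_key_pem, csr_pem).

    The private key is created and kept on this machine; only the CSR (public
    key plus requested names, self-signed to prove key possession) is sent to
    the CA.  RSA-2048 matches what `gcloud ... --generate-key` produces.
    """
    key = rsa.generate_private_key(public_exponent=65537, key_size=key_size)
    builder = (
        x509.CertificateSigningRequestBuilder()
        .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)]))
        .add_extension(
            x509.SubjectAlternativeName([x509.DNSName(n) for n in dns_names]),
            critical=False,
        )
        # Assumed "Server TLS" profile: signing + key encipherment, serverAuth EKU.
        .add_extension(
            x509.KeyUsage(
                digital_signature=True, key_encipherment=True,
                content_commitment=False, data_encipherment=False,
                key_agreement=False, key_cert_sign=False, crl_sign=False,
                encipher_only=False, decipher_only=False,
            ),
            critical=True,
        )
        .add_extension(
            x509.ExtendedKeyUsage([ExtendedKeyUsageOID.SERVER_AUTH]), critical=False,
        )
    )
    csr = builder.sign(key, hashes.SHA256())
    key_pem = key.private_bytes(
        serialization.Encoding.PEM,
        serialization.PrivateFormat.PKCS8,
        serialization.NoEncryption(),
    ).decode()
    csr_pem = csr.public_bytes(serialization.Encoding.PEM).decode()
    return key_pem, csr_pem


def check_csr(csr_pem, expected_dns):
    """Parse a PEM CSR and confirm its self-signature and DNS SAN list before
    submitting it.  Returns the sorted list of DNS SANs found."""
    csr = x509.load_pem_x509_csr(csr_pem.encode())
    if not csr.is_signature_valid:
        raise ValueError("CSR signature does not verify against its own public key")
    san = csr.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    names = sorted(san.get_values_for_type(x509.DNSName))
    if names != sorted(expected_dns):
        raise ValueError(f"CSR SANs {names} do not match requested {expected_dns}")
    return names


def build_root_ca_body(organization, common_name, lifetime_seconds=TEN_YEARS_SECONDS):
    """Body for POST .../certificateAuthorities (self-signed Enterprise root)."""
    return {
        "type": "SELF_SIGNED",
        "tier": "ENTERPRISE",
        "lifetime": {"seconds": lifetime_seconds, "nanos": 0},
        "config": {
            "subject_config": {
                "subject": {"organization": organization},
                "common_name": common_name,
            },
            "reusable_config": {
                "reusable_config_values": {
                    "key_usage": {"base_key_usage": {"cert_sign": True, "crl_sign": True}},
                    "ca_options": {"is_ca": {"value": True}},
                }
            },
        },
        "key_spec": {"algorithm": "RSA_PKCS1_4096_SHA256"},
    }


def build_certificate_body(csr_pem, lifetime_seconds=ONE_WEEK_SECONDS):
    """Body for POST .../certificateAuthorities/{root-ca-id}/certificates."""
    return {"lifetime": {"seconds": lifetime_seconds, "nanos": 0}, "pem_csr": csr_pem}


if __name__ == "__main__":
    # Constructed sample host name; the key stays in key_pem on this machine.
    key_pem, csr_pem = generate_key_and_csr("web.example.internal", ["web.example.internal"])
    print("CSR SANs:", check_csr(csr_pem, ["web.example.internal"]))
    print(json.dumps(build_root_ca_body("Organization Name", "Common Name"), indent=2))
    print(json.dumps(build_certificate_body(csr_pem), indent=2)[:160], "...")
```

Keep the private key written from `key_pem` with the same care as the key file `gcloud --key-output-file` produces; the JSON bodies can be sent to the URLs above with any HTTP client that carries a Google Cloud OAuth token.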

Clean up

To avoid incurring charges to your Google Cloud account for the resources used in this quickstart, follow these steps.

What's next