Quickstart

This page explains how you can get started with using Certificate Authority Service by creating a certificate authority (CA) pool and issuing a certificate.

Before you begin

Prerequisites

  1. Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
  2. In the Google Cloud Console, on the project selector page, select or create a Google Cloud project.

    Go to project selector

  3. Make sure that billing is enabled for your Cloud project. Learn how to confirm that billing is enabled for your project.

  4. Enable the required API.

    Enable the API

  5. Install and initialize the Cloud SDK.
  6. In the Google Cloud Console, on the project selector page, select or create a Google Cloud project.

    Go to project selector

  7. Make sure that billing is enabled for your Cloud project. Learn how to confirm that billing is enabled for your project.

  8. Enable the required API.

    Enable the API

  9. Install and initialize the Cloud SDK.

Locations

A CA pool lives in a single Cloud location that cannot be changed after creation. We recommend creating your CA pool in the same or nearby location where it is planned to be used.

For the list of supported locations, see Locations.

One-time set up

Console

If you are using the Google Cloud Console, no additional setup is necessary.

gcloud

A default location can be configured for use in the gcloud privateca command group by running the following command:

gcloud config set privateca/location LOCATION

REST API

Some scenarios, such as creating a CA with existing Cloud KMS keys or Cloud Storage buckets, require an initialization step to be performed at least once for each project where they are used. This step is done automatically by Google Cloud Console and the gcloud command-line tool, but users directly calling the API must do it manually.

To do this, follow the instructions at CA Service Service Agent.

Create a CA pool with a root CA

A root CA has a self-signed certificate that resides in the client trust store. The following instructions help you create a CA pool that contains a root CA.

Console

  1. Go to the Certificate Authority Service page in the Google Cloud Console.

    Certificate Authority Service

  2. Click Create CA.

  3. Under Select CA type:

    1. Choose Root CA.
    2. Choose the Enterprise tier. For more information about tiers, see Workload-optimized tiers.
    3. Pick a location from the Regionalization drop-down menu.
    4. Click Next.
  4. Under Configure CA subject name:

    1. Enter an ORGANIZATION_NAME into the Organization (O) field.
    2. Enter a COMMON_NAME into the CA common name (CN) field.
    3. Enter a POOL_ID into the Pool ID field.
      1. All other text boxes are optional.
      2. Click Next.
  5. Under Configure CA key size and algorithm:

    1. Choose the RSA PKCS1 4096 key type.
    2. Click Next.
  6. Under Configure CA artifacts:

    1. Click Next.
  7. Under Add labels (optional):

    1. Click Next.
  8. Under Review:

    1. Review the configuration for correctness.
    2. Click Create.

gcloud

  1. Create a CA pool using the following gcloud command:

    gcloud privateca pools create POOL_ID --tier TIER
    

    Where:

    • POOL_ID is the resource ID of the CA pool. This resource ID is used to refer to this CA pool in other commands.
    • TIER is the workload-optimized tier that you want to choose for your CA pool.

    For more information about how to choose a tier, see Workload-optimized tiers.

    For more information about the gcloud privateca pools create command, see gcloud privateca pools create.

  2. Create a root CA in the CA pool using the following command:

    gcloud privateca roots create ROOT_CA_ID --pool POOL_ID\
      --subject "CN=COMMON_NAME, O=ORGANIZATION_NAME"
    

    For more information about the gcloud privateca roots create command, see gcloud privateca roots create.

    The following response is returned when the CA is created.

    Created Certificate Authority [projects/PROJECT_ID/locations/LOCATION/caPools/POOL_ID/certificateAuthorities/ROOT_CA_ID]
    

    Where:

    • PROJECT_ID is the resource ID of the project. This resource ID is used to refer to this project in other commands.
    • LOCATION is the geographical location of your CA pool.
    • POOL_ID is the resource ID of the CA pool. This resource ID is used to refer to this CA pool in other commands.
    • ROOT_CA_ID is the resource ID of the root CA.
    • --subject flag takes the X.500 distinguished name of the CA certificate.

    At minimum, the Common Name (CN) and Organization (O) must be specified.

  3. Enable the root CA.

    At least one CA must be enabled in a CA pool before the pool can issue certificates. gcloud command-line tool prompts you to enable the CA after CA creation.

REST API

  1. Create a CA pool.

    HTTP method and URL:

    POST https://privateca.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/caPools\?ca_pool_id=POOL_ID

    Request JSON body:

    {
    "tier": "ENTERPRISE"
    }
    

    To send your request, expand one of these options:

    You should receive a JSON response similar to the following:

    {
     "name": "projects/PROJECT_ID/locations/LOCATION/operations/operation-UUID",
     "metadata": {...},
     "done": false
    }
    

  2. Poll the operation until it has completed.

    The operation is complete when the long-running operation's done property is set to true.

    HTTP method and URL:

    GET https://privateca.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/operations/operation-UUID

    To send your request, expand one of these options:

    You should receive a JSON response similar to the following:

    {
     "name": "projects/PROJECT_ID/locations/LOCATION/operations/operation-UUID",
     "metadata": {...},
     "done": true,
     "response": {
       "@type": "type.googleapis.com/google.cloud.security.privateca.v1.CaPool",
       "name": "...",
       "tier": "ENTERPRISE"
     }
    }
    

  3. Create a root CA.

    HTTP method and URL:

    POST https://privateca.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/caPools/POOL_ID/certificateAuthorities?certificate_authority_id=ROOT_CA_ID

    Request JSON body:

    {
    "type": "SELF_SIGNED",
    "lifetime": {
     "seconds": 315576000,
     "nanos": 0
    },
    "config": {
     "subject_config": {
       "subject": {
         "organization": "ORGANIZATION_NAME",
         "common_name": "COMMON_NAME"
       }
     },
     "x509_config":{
       "ca_options":{
         "is_ca":true
       },
       "key_usage":{
         "base_key_usage":{
           "cert_sign":true,
           "crl_sign":true
         }
       }
     }
    },
    "key_spec":{
     "algorithm":"RSA_PKCS1_4096_SHA256"
    }
    }
    

    To send your request, expand one of these options:

    You should receive a JSON response similar to the following:

    {
     "name": "projects/PROJECT_ID/locations/LOCATION/operations/operation-UUID",
     "metadata": {...},
     "done": false
    }
    

  4. Poll the operation until it has completed.

    HTTP method and URL:

    GET https://privateca.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/operations/operation-UUID

    To send your request, expand one of these options:

    You should receive a JSON response similar to the following:

    {
     "name": "projects/PROJECT_ID/locations/LOCATION/operations/operation-UUID",
     "metadata": {...},
     "done": true,
     "response": {
       "@type": "type.googleapis.com/google.cloud.security.privateca.v1.CertificateAuthority",
       "name": "...",
     }
    }
    

  5. Enable the CA to issue certificates from the CA pool.

    HTTP method and URL:

    POST https://privateca.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/caPools/POOL_ID/certificateAuthorities/ROOT_CA_ID:enable

    To send your request, expand one of these options:

    You should receive a JSON response similar to the following:

    {
     "name": "projects/PROJECT_ID/locations/LOCATION/operations/operation-UUID",
     "metadata": {...},
     "done": false
    }
    

  6. Poll the operation until it has completed.

    HTTP method and URL:

    GET https://privateca.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/operations/operation-UUID

    To send your request, expand one of these options:

    You should receive a JSON response similar to the following:

    {
     "name": "projects/PROJECT_ID/locations/LOCATION/operations/operation-UUID",
     "metadata": {...},
     "done": true,
     "response": {
       "@type": "type.googleapis.com/google.cloud.security.privateca.v1.CertificateAuthority",
       "name": "...",
     }
    }
    

Create a certificate

You can use the newly created root CA to issue a certificate.

Console

  1. Go to the Certificate Authority Service page in the Google Cloud Console.

    Certificate Authority Service

  2. Click the CA name of the CA that you just created.

  3. Click Request a certificate.

  4. Click Enter Details.

  5. Under Enter details:

    1. Keep the auto-generated Certificate name, or choose a different unique name.
    2. Enter a domain name into the FQDN field.
    3. Check Server TLS.
    4. Click Next.
  6. Under Configure key size and algorithm:

    1. Keep the default algorithm, or choose a different one from the drop-down menu. A new asymmetric key-pair is generated using the selected algorithm.
    2. Click Continue.
  7. Under Download signed certificate:

    1. Click Download Certificate Chain to download the pem-encoded certificate chain.
    2. Click Download Private Key to download the associated pem-encoded private key.
    3. Click Done.

gcloud

  1. Install the Pyca cryptography library using the instructions here: Including the Pyca cryptography library.

    This is used to generate a new asymmetric key-pair on your local machine.

  2. Run the following command:

    gcloud privateca certificates create \
        --issuer-pool POOL_ID \
        --subject "CN=COMMON_NAME,O=ORGANIZATION_NAME" \
        --generate-key \
        --key-output-file KEY_FILE_PATH \
        --cert-output-file CERTIFICATE_FILE_PATH
    
    Created Certificate [projects/PROJECT_ID/locations/LOCATION/caPools/POOL_ID/certificates/CERTIFICATE_ID]
    

    Where:

    • --issuer-pool refers to the resource ID of the CA pool that you created.
    • --subject flag takes the X.500 distinguished name of the certificate.
    • --generate-key instructs the gcloud tool to generate a new RSA-2048 keypair for this certificate.

      This key is generated and stored on the local machine and is never sent to CA Service. This key is sensitive and should be protected in a secure location.

    • --key-output-file is the path where the generated PEM-encoded private key is written.

    • --cert-output-file is the path where the generated PEM-encoded certificate is written.

    For more information about the gcloud privateca certificates create command, see gcloud privateca certificates create.

REST API

  1. Generate a Certificate Signing Request (CSR) using your preferred method, such as openssl.

    Below is a sample CSR, encoded for JSON.

    -----BEGIN CERTIFICATE REQUEST-----\nMIIChTCCAW0CAQAwQDELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNBMQ8wDQYDVQQK\nDAZKb29uaXgxEzARBgNVBAMMCmpvb25peC5uZXQwggEiMA0GCSqGSIb3DQEBAQUA\nA4IBDwAwggEKAoIBAQCnyy+5vcRQUBPqAse3ojmWjyUvhcJK6eLRXpp0teEUF5kg\nHb2ov8gYXb9sSim5fnvs09dGYDKibSrL4Siy7lA/NzMzWtKwyQQeLIQq/cLUJVcd\ndItJ0VRcqr+UPkTCii2vrdcocNDChHM1J8chDdl6DkpYieSTqZwlPcWlQBGAINmT\nT3Q0ZarIVM5l74j13WPuToGrhbVOIZXWxWqJjlHbBA8B/VKtSRCzM1qG60y8Pu2f\n6c78Dfg8+CGRzGwnz8aFS0Yf9czT9luNHSadS/RHjvE9FPZCsinz+6mJlXRcphi1\nKaHsDbstUAhse1h5E9Biyr9SFYRHxY7qRv9aSJ/dAgMBAAGgADANBgkqhkiG9w0B\nAQsFAAOCAQEAZz+I9ff1Rf3lTewXRUpA7nr5HVO1ojCR93Pf27tI/hvNH7z7GwnS\noScoJlClxeRqABOCnfmVoRChullb/KmER4BZ/lF0GQpEtbqbjgjkEDpVlBKCb0+L\nHE9psplIz6H9nfFS3Ouoiodk902vrMEh0LyDYNQuqFoyCZuuepUlK3NmtmkexlgT\n0pJg/5FV0iaQ+GiFXSZhTC3drfiM/wDnXGiqpbW9WmebSij5O+3BNYXKBUgqmT3r\nbryFydNq4qSOIbnN/MNb4UoKno3ve7mnGk9lIDf9UMPvhl+bT7C3OLQLGadJroME\npYnKLoZUvRwEdtZpbNL9QhCAm2QiJ6w+6g==\n-----END CERTIFICATE REQUEST-----
    
  2. Request a certificate.

    HTTP method and URL:

    POST https://privateca.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/caPools/POOL_ID/certificates?certificate_id=CERTIFICATE_ID

    Request JSON body:

    {
     "lifetime": {
       "seconds": 3600,
       "nanos": 0
     },
     "pem_csr": "PEM_CSR"
    }
    

    To send your request, expand one of these options:

    You should receive a JSON response similar to the following:

    {
     "name": "projects/project-id/locations/location/certificateAuthorities/ca-id/certificates/certificate-id",
     "pemCertificate": "-----BEGIN CERTIFICATE-----...",
     "certificateDescription": {...}
    }
    

Clean up

To avoid incurring charges to your Google Cloud account for the resources used on this page, follow these steps.

What's next