Create a certificate by using the Google Cloud CLI

This page explains how you can get started with using Certificate Authority Service by creating a certificate authority (CA) pool and issuing a certificate.

CA Service lets you deploy and manage private CAs without managing infrastructure.

Before you begin

  • Install and initialize the Google Cloud CLI.

  • Create or select a Google Cloud project.

    • Create a Cloud project:

      gcloud projects create PROJECT_ID
    • Select the Cloud project that you created:

      gcloud config set project PROJECT_ID
  • Enable the Certificate Authority Service API:

    gcloud services enable privateca.googleapis.com

  • Make sure that billing is enabled for your Cloud project. Learn how to check if billing is enabled on a project.

  • Configure a default location for use in the gcloud commands in this quickstart.

    gcloud config set privateca/location LOCATION

    CA Service resources, such as CA pools and CAs, live in a single Google Cloud location that you cannot change after creating these resources.

Create a CA pool

A certificate authority (CA) pool is a collection of multiple CAs. A CA pool provides the ability to rotate trust chains without any outage or downtime for workloads.

To create a CA pool in the Enterprise tier, run the following command:

gcloud privateca pools create POOL_ID --tier "enterprise"

Replace POOL_ID with the name of the CA pool.

The names of all CA Service resources must contain only letters, numbers, hyphens, and underscores. The maximum allowed length of a name is 63 characters.

Create a root CA

A CA pool is empty on creation. To request certificates from a CA pool, you must add a CA to it.

To create a root CA and add it to the CA pool you created, run the following command:

gcloud privateca roots create CA_ID --pool POOL_ID --subject "CN=Example Prod Root CA, O=Google"

Replace the following:

  • CA_ID: The name of the root CA.
  • POOL_ID: The name of the CA pool.

CA Service returns the following output when it creates the root CA:

Created Certificate Authority [projects/PROJECT_ID/locations/us-east1/caPools/POOL_ID/certificateAuthorities/CA_ID]

Enable the root CA by entering y when prompted by the gcloud CLI.

Now that you have a CA pool with a root CA, you can proceed to creating certificates.
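Because resource IDs must satisfy the naming rule above and the location of a CA pool cannot be changed once created, it is worth checking both before and after running the gcloud commands. The following shell functions are an added example, not part of the Google Cloud documentation: they validate an ID against the stated rule and parse the "Created Certificate Authority [...]" line that gcloud prints so the location can be compared with the one you configured. The sample line is constructed in the page's format.

```shell
#!/usr/bin/env bash
# Added example: pre- and post-checks around the gcloud privateca commands.
set -eu

# Naming rule from the quickstart: letters, digits, hyphen, underscore,
# at most 63 characters (and not empty).
valid_resource_id() {
  local id="$1"
  [ "${#id}" -ge 1 ] && [ "${#id}" -le 63 ] || return 1
  case "$id" in
    *[!A-Za-z0-9_-]*) return 1 ;;   # any other character is rejected
  esac
  return 0
}

# Extract the location segment from a full resource name such as
# projects/P/locations/us-east1/caPools/POOL/certificateAuthorities/CA
location_of() {
  local name="$1"
  name="${name#*/locations/}"
  [ "$name" != "$1" ] || return 1    # no /locations/ segment present
  printf '%s\n' "${name%%/*}"
}

# Given the "Created Certificate Authority [...]" line that gcloud prints
# and the location you configured with privateca/location, succeed only
# if the CA was created in that location.
check_created_location() {
  local line="$1" expected="$2" name
  name="${line#*\[}"
  name="${name%\]*}"
  [ "$(location_of "$name")" = "$expected" ]
}

# Constructed sample output (format as shown in the quickstart above).
SAMPLE='Created Certificate Authority [projects/my-project/locations/us-east1/caPools/prod-pool/certificateAuthorities/prod-root-ca]'

if valid_resource_id "prod-pool" && valid_resource_id "prod-root-ca"; then
  echo "resource IDs are valid"
fi
if check_created_location "$SAMPLE" "us-east1"; then
  echo "root CA created in the expected location"
fi
```

Run the ID check on POOL_ID and CA_ID before the create commands, and feed the real "Created ..." line and your configured location to check_created_location afterwards.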

Create a certificate

To use the newly created CA to create a certificate, do the following:

  1. Install the Pyca cryptography library using the pip command.

      pip install --user "cryptography>=2.2.0"

    CA Service uses the Pyca cryptography library to generate and store a new asymmetric key pair on your local machine. This key is never sent to CA Service.

  2. To allow Google Cloud SDK to use the Pyca cryptography library, you must enable site packages.

    macOS or Linux

      export CLOUDSDK_PYTHON_SITEPACKAGES=1

  3. Create a certificate.

      gcloud privateca certificates create \
          --issuer-pool POOL_ID \
          --subject "CN=Example Prod,O=Google" \
          --generate-key \
          --key-output-file=./key \
          --cert-output-file=./cert.pem

    Replace POOL_ID with the resource ID of the CA pool you created.

    CA Service returns the following response:

      Created Certificate [projects/PROJECT_ID/locations/LOCATION/caPools/POOL_ID/certificates/CERTIFICATE_ID]

Clean up

Clean up by deleting the CA pool, the CA, and the project you created for this quickstart.

  1. Revoke the certificate.

      To revoke a certificate, run the following command:

        gcloud privateca certificates revoke --certificate CERT_NAME --issuer-pool POOL_ID

      Replace the following:

      • CERT_NAME: The name of the certificate you want to revoke.
      • POOL_ID: The name of the CA pool that issued the certificate.
  2. Delete the CA.

    You can delete a CA only after you have revoked all the certificates issued by it.

    1. Disable the CA.

      gcloud privateca roots disable CA_ID --pool=POOL_ID

      Replace the following:

      • CA_ID: The resource ID of the CA.
      • POOL_ID: The resource ID of the CA pool.
    2. Delete the CA.

      gcloud privateca roots delete CA_ID --pool=POOL_ID

    The CA state changes to Deleted. CA Service permanently deletes the CA 30 days after you initiate the deletion.

  3. Delete the CA pool.

    You can delete a CA pool only after the CA in it is permanently deleted.

    gcloud privateca pools delete POOL_ID
  4. Delete the project.

      Delete a Cloud project:

      gcloud projects delete PROJECT_ID

