Issue a certificate using the Google Cloud CLI
This page explains how you can create a certificate authority (CA) pool and issue a certificate using the Google Cloud CLI.
CA Service lets you deploy and manage private CAs without managing infrastructure.
Before you begin
Install the Google Cloud CLI, then initialize it by running the following command:
gcloud init
Create or select a Google Cloud project.
- Create a Google Cloud project:
  gcloud projects create PROJECT_ID
  Replace PROJECT_ID with a name for the Google Cloud project you are creating.
- Select the Google Cloud project that you created:
  gcloud config set project PROJECT_ID
  Replace PROJECT_ID with your Google Cloud project name.
- Enable the Certificate Authority Service API:
  gcloud services enable privateca.googleapis.com
Make sure that billing is enabled for your Google Cloud project.
Configure a default location for the gcloud commands in this quickstart:
gcloud config set privateca/location LOCATION
Replace LOCATION with the Google Cloud location in which you want to create your CA Service resources.
CA Service resources, such as CA pools and CAs, live in a single Google Cloud location that you cannot change after you create them.
Create a CA pool
A certificate authority (CA) pool is a collection of multiple CAs. A CA pool provides the ability to rotate trust chains without any outage or downtime for workloads.
To create a CA pool in the Enterprise tier, run the following command:
gcloud privateca pools create POOL_ID --tier "enterprise"
Replace POOL_ID with the name of the CA pool. The Enterprise tier supports certificate revocation, which the cleanup steps at the end of this page rely on.
The names of all CA Service resources can contain only letters, numbers, hyphens, and underscores, and can be at most 63 characters long.
Create a root CA
A CA pool is empty on creation. Before you can request certificates from a CA pool, you must add a CA to it.
To create a root CA and add it in the CA pool you created, run the following command:
gcloud privateca roots create CA_ID --pool POOL_ID --subject "CN=Example Prod Root CA, O=Google"
Replace the following:
- CA_ID: The name of the root CA.
- POOL_ID: The name of the CA pool.
The --subject value is the distinguished name of the root CA; the values shown are placeholders, so substitute your own organization's details.
CA Service returns the following response when it creates the root CA:
Created Certificate Authority [projects/PROJECT_ID/locations/LOCATION/caPools/POOL_ID/certificateAuthorities/CA_ID]
Enable the root CA by entering y when prompted by the gcloud CLI.
Now that you have a CA pool with a root CA, you can proceed to creating certificates.
Create a certificate
To use the newly created CA to create a certificate, do the following:
Install the Pyca cryptography library using the pip command:
pip install --user "cryptography>=2.2.0"
The gcloud CLI uses the Pyca cryptography library to generate a new asymmetric key pair and store it on your local machine. The private key is never sent to CA Service; only the public key is included in the certificate request.
To allow the gcloud CLI to use the Pyca cryptography library, enable site packages:
macOS or Linux
export CLOUDSDK_PYTHON_SITEPACKAGES=1
Windows
set CLOUDSDK_PYTHON_SITEPACKAGES=1
Create a certificate.
gcloud privateca certificates create \
  --issuer-pool POOL_ID \
  --subject "CN=Example Prod,O=Google" \
  --generate-key \
  --key-output-file=./key \
  --cert-output-file=./cert.pem
Replace POOL_ID with the resource ID of the CA pool you created.
CA Service returns the following response:
Created Certificate [projects/PROJECT_ID/locations/LOCATION/caPools/POOL_ID/certificates/CERTIFICATE_ID]
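The key that --generate-key writes to ./key is the only copy of the private key, and it lands in your working directory. Before you use the files, it is worth confirming that the key on disk matches the certificate you got back, that the subject is what you asked for, and that the certificate chains to the pool's CA. The following script is an added example and is not part of this quickstart or of the gcloud CLI. It assumes ./cert.pem is the issued leaf certificate in PEM, ./key is the unencrypted PEM private key that --generate-key wrote, chain.pem is the pool's CA chain (fetched separately, for example with gcloud privateca pools get-ca-certs POOL_ID --output-file=chain.pem), and openssl is on PATH. Because the script has to run offline, it also builds a constructed stand-in (a throwaway root and a leaf it signs, with the quickstart's subjects) under a temporary directory and runs the checks on that; on a real workstation point it at your own files instead.

```shell
#!/bin/sh
# Added example, not from the CA Service quickstart or the gcloud CLI.
# Assumptions: CERT is the issued leaf certificate (PEM), KEY is the unencrypted
# PEM private key that --generate-key wrote, CHAIN is the pool's CA chain that
# you fetched separately, and openssl is on PATH.
set -eu

# The private key never left this machine, but it is on disk in the clear.
# Restrict it to the owner and confirm the mode actually took effect.
protect_key() {
  chmod 600 "$1"
  [ -n "$(find "$1" -perm 600)" ]
}

# True if the public key in the certificate is the public half of the key file,
# i.e. the CA issued a certificate for the key you actually hold.
key_matches_cert() {
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# True if the certificate subject has exactly the given CN (RFC 2253 form,
# one attribute per line after splitting on commas).
cert_has_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
    | sed 's/^subject= *//' | tr ',' '\n' | grep -qxF -- "CN=$2"
}

# True if the leaf builds a valid path (signature, validity period, issuer
# constraints) to the CA chain from the pool.
verify_chain() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Run every check; returns non-zero if any of them fails.
check_issued_cert() {
  cert=$1; key=$2; chain=$3; cn=$4; rc=0
  protect_key "$key"              && echo "key mode 0600: ok"     || { echo "key mode: FAIL"; rc=1; }
  key_matches_cert "$cert" "$key" && echo "key matches cert: ok"  || { echo "key/cert mismatch: FAIL"; rc=1; }
  cert_has_cn "$cert" "$cn"       && echo "subject CN=$cn: ok"    || { echo "unexpected subject: FAIL"; rc=1; }
  verify_chain "$cert" "$chain"   && echo "chains to pool CA: ok" || { echo "chain verify: FAIL"; rc=1; }
  return "$rc"
}

# Constructed offline stand-in for what CA Service would have produced: a
# throwaway root CA and a leaf it signs, using the quickstart's subjects.
# Writes everything to a temporary directory and prints its path.
make_fixture() {
  dir=$(mktemp -d)
  cat > "$dir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
  openssl req -x509 -config "$dir/ca.cnf" -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Example Prod Root CA/O=Google" \
    -keyout "$dir/ca.key" -out "$dir/chain.pem" >/dev/null 2>&1
  openssl req -new -config "$dir/ca.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=Example Prod/O=Google" \
    -keyout "$dir/key" -out "$dir/leaf.csr" >/dev/null 2>&1
  openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/chain.pem" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 1 -out "$dir/cert.pem" >/dev/null 2>&1
  echo "$dir"
}

# Demo on the constructed fixture. On a real workstation run instead:
#   check_issued_cert ./cert.pem ./key chain.pem "Example Prod"
fixture=$(make_fixture)
check_issued_cert "$fixture/cert.pem" "$fixture/key" "$fixture/chain.pem" "Example Prod"
```

The chain check uses openssl verify, so it performs full path validation (signature, validity period, and the issuer's basic constraints and key usage) rather than comparing fingerprints; a leaf that fails here would also be rejected by any client that trusts only the pool's root. The key comparison works for RSA and EC keys alike because both sides are rendered as SubjectPublicKeyInfo PEM.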
Clean up
To avoid incurring further charges, revoke the certificate, then delete the CA, the CA pool, and the project you created for this quickstart, in that order.
Revoke the certificate.
To revoke a certificate, run the following command:
gcloud privateca certificates revoke --certificate CERT_NAME --issuer-pool POOL_ID
Replace the following:
- CERT_NAME: The name of the certificate you want to revoke (the CERTIFICATE_ID that CA Service returned when it created the certificate).
- POOL_ID: The name of the CA pool that issued the certificate.
Delete the CA.
You can delete a CA only after you have revoked all the certificates issued by it.
Disable the CA.
gcloud privateca roots disable CA_ID --pool=POOL_ID
Replace the following:
- CA_ID: The resource ID of the CA.
- POOL_ID: The resource ID of the CA pool.
Delete the CA.
gcloud privateca roots delete CA_ID --pool=POOL_ID
The CA state changes to Deleted. CA Service permanently deletes the CA 30 days after you initiate the deletion.
Delete the CA pool.
You can delete a CA pool only after the CA in it is permanently deleted.
gcloud privateca pools delete POOL_ID
Delete the Google Cloud project you created for this quickstart:
gcloud projects delete PROJECT_ID
What's next
- Learn more about CA pools.
- Learn more about creating a CA pool.
- Learn more about creating CAs.
- Learn more about requesting certificates.
- Learn how you can control the type of certificates a CA pool can issue.