Requesting certificates

This topic describes how to request a certificate from Certificate Authority Service, as well as how to view issued certificates.

There are two ways to request a certificate from Certificate Authority Service:

  1. Generate your own private/public key pair and submit a Certificate Signing Request (CSR). The private key never leaves your machine; only the CSR is sent to the CA.
  2. Have the Cloud Console or the gcloud CLI generate a key pair for you, and download the private key together with the issued certificate.

Using a CSR

First generate a CSR with your usual tooling (for example, openssl); a sample CSR is shown at the end of this topic. Then submit it using the Console or gcloud.

Console

  1. In the Google Cloud Console, go to the Certificate Authority Service page.

    Go to Certificate Authority Service

  2. Find your CA under CAs.

  3. Navigate to Request Certificate tab

  4. Click on Provide CSR

  5. Optionally, override the automatically generated Certificate name.

  6. Optionally, configure the validity period for the certificate.

  7. Paste your CSR into the Certificate CSR box, or upload the CSR file using the Browse button.

  8. Click on Upload CSR.

  9. Click on Next.

  10. Click on Download Certificate or copy the certificate chain using the copy icon.

  11. Click on Done.

gcloud

The --validity flag takes an ISO 8601 duration; "P30D" requests a certificate valid for 30 days.

gcloud beta privateca certificates create CERT_NAME \
     --issuer CA_NAME \
     --csr CSR_FILENAME \
     --cert-output-file CERT_FILENAME \
     --validity "P30D"
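The CSR flow end to end, as an added example that is not part of the Certificate Authority Service documentation: generate the key pair and CSR locally with openssl, check the CSR before submitting it, and hand only the CSR to the gcloud command above. CA_NAME, CERT_NAME and the DNS name are placeholders you replace with your own values; openssl is assumed to be installed.

```shell
# Added example (not from the CA Service docs): local key + CSR generation,
# a pre-submission check, and the gcloud request. Placeholders: CA_NAME,
# CERT_NAME, the DNS name.
set -eu

# make_csr OUTDIR DNS_NAME
# Writes OUTDIR/key.pem (the private key, which never leaves this host) and
# OUTDIR/req.csr. The subjectAltName goes into the CSR so the request carries
# the name the certificate is for, rather than relying on the CN alone.
make_csr() {
  outdir=$1
  dns_name=$2
  mkdir -p "$outdir"
  cat > "$outdir/csr.cnf" <<EOF
[ req ]
distinguished_name = dn
req_extensions = ext
prompt = no

[ dn ]
CN = $dns_name

[ ext ]
subjectAltName = DNS:$dns_name
EOF
  # -nodes: no passphrase on the key, since a service must read it unattended
  openssl req -new -newkey rsa:2048 -nodes \
    -config "$outdir/csr.cnf" \
    -keyout "$outdir/key.pem" -out "$outdir/req.csr" 2>/dev/null
  chmod 600 "$outdir/key.pem"
}

# check_csr CSR DNS_NAME
# Returns 0 only if the CSR's self-signature verifies (the file was not
# truncated or altered) and it carries the expected DNS SAN.
check_csr() {
  openssl req -in "$1" -noout -verify 2>/dev/null || return 1
  openssl req -in "$1" -noout -text | grep -q "DNS:$2"
}

# request_cert CA_NAME CERT_NAME CSR CERT_OUT
# Submits the CSR to the CA with the same gcloud command as above. Only the
# CSR and the resulting certificate cross the wire; the key stays local.
request_cert() {
  gcloud beta privateca certificates create "$2" \
    --issuer "$1" \
    --csr "$3" \
    --cert-output-file "$4" \
    --validity "P30D"
}

# Usage (placeholders):
#   make_csr ./out service.example.internal
#   check_csr ./out/req.csr service.example.internal
#   request_cert CA_NAME CERT_NAME ./out/req.csr ./out/cert.pem
```

The check before submission matters because the CA signs what it is given: a CSR missing the SAN yields a certificate that clients will reject for that hostname, and a CSR whose signature does not verify was corrupted somewhere between generation and upload.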

Use an auto-generated key

Console

The Google Cloud Console can generate a key pair and issue a client or server TLS certificate for it in one flow.

  1. In the Google Cloud Console, go to the Certificate Authority Service page.

    Go to Certificate Authority Service

  2. Find your CA under CAs.

  3. Navigate to Request Certificate tab.

  4. Click the Enter Details button.

  5. Under Enter details:

    1. Keep the auto-generated Certificate name, or choose a different unique name.
    2. Click the Add Item button under Add domain name.
    3. Enter a domain name into the FQDN field.
    4. Check Server TLS and/or Client TLS, depending on your use case.
    5. Click the Next button.
  6. Under Configure key size and algorithm:

    1. Keep the default algorithm, or choose a different one from the drop-down. A new asymmetric key pair is generated using the selected algorithm.
    2. Click the Continue button.
  7. Under Download signed certificate:

    1. Click Download Certificate Chain to download the PEM-encoded certificate chain.
    2. Click Download Private Key to download the associated PEM-encoded private key.
    3. Click the Done button.

gcloud

With --generate-key, gcloud generates the key pair locally using the PyCA cryptography library, so you need to install that library first; follow the Cloud KMS instructions for doing so. The private key is written to KEY_FILENAME and is never sent to CA Service, so protect that file as you would any other key material.

gcloud beta privateca certificates create \
  --issuer CA_NAME \
  --generate-key \
  --key-output-file KEY_FILENAME \
  --cert-output-file CERT_FILENAME \
  --dns-san "DNS_NAME" \
  --reusable-config "leaf-server-tls"

View issued certificates

Console

  1. In the Google Cloud Console, go to the Certificate Authority Service page.

    Go to Certificate Authority Service

  2. Pick your target CA under CAs.

  3. Navigate to Issued Certificates. You will see a list of issued certificates.

gcloud

To list all certificates issued by a CA:

gcloud beta privateca certificates list --issuer CA_NAME

To list all certificates across all CAs in a given location:

gcloud beta privateca certificates list --location LOCATION

To list all certificates in the current project:

gcloud beta privateca certificates list

View details for a single certificate

Console

  1. In the Google Cloud Console, go to the Certificate Authority Service page.

    Go to Certificate Authority Service

  2. Pick your target CA under CAs.

  3. Navigate to Issued Certificates. You will see a list of issued certificates.

  4. Pick a specific certificate and click the ellipsis icon.

  5. Click on Download Certificate.

gcloud

To show the full description of a certificate:

gcloud beta privateca certificates describe CERT_NAME \
    --issuer CA_NAME

To export the PEM-encoded X.509 certificate, together with its chain, to a file:

gcloud beta privateca certificates export CERT_NAME \
    --issuer CA_NAME \
    --include-chain \
    --output-file CERT_FILENAME
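Sanity checks to run on an exported certificate before deploying it, as an added example that is not part of the Certificate Authority Service documentation. CERT_FILENAME and KEY_FILENAME stand for the files written by the export and create commands above; openssl is assumed to be installed.

```shell
# Added example (not from the CA Service docs): checks on an exported
# certificate file. Placeholders: CERT_FILENAME, KEY_FILENAME.
set -eu

# cert_matches_key CERT KEY
# Returns 0 if the certificate's public key is the one derived from KEY.
# Catches pairing a certificate with the wrong key file after several requests.
cert_matches_key() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
  key_pub=$(openssl pkey -in "$2" -pubout)
  [ "$cert_pub" = "$key_pub" ]
}

# cert_has_san CERT DNS_NAME
# Returns 0 if DNS_NAME is present in the subjectAltName extension.
cert_has_san() {
  openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

# cert_valid_for_days CERT DAYS
# Returns 0 if the certificate does not expire within DAYS days.
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# verify_chain CHAIN_FILE
# An exported chain holds the leaf first, followed by its issuers. This checks
# that the signatures link from the leaf up to the self-signed certificate at
# the end of the file. It trusts whatever the file contains, so it proves the
# chain is internally consistent, not that the CA root is in your trust store;
# for that, pass your trusted root with -CAfile and the rest with -untrusted.
verify_chain() {
  leaf=$(mktemp)
  openssl x509 -in "$1" -out "$leaf"      # extracts the first certificate only
  if openssl verify -CAfile "$1" "$leaf" >/dev/null 2>&1; then rc=0; else rc=1; fi
  rm -f "$leaf"
  return $rc
}

# Usage (placeholders):
#   cert_matches_key CERT_FILENAME KEY_FILENAME
#   cert_has_san CERT_FILENAME service.example.internal
#   cert_valid_for_days CERT_FILENAME 7
#   verify_chain CERT_FILENAME
```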

Sample CSR

-----BEGIN CERTIFICATE REQUEST-----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-----END CERTIFICATE REQUEST-----