Requesting certificates

This topic describes how you can request a certificate from Certificate Authority Service, as well as how you can view issued certificates.

Overview

There are two ways to request a certificate from Certificate Authority Service:

  1. Generate your own private/public key and submit a Certificate Signing Request (CSR).
  2. Have CA Service create a private/public key for you.

Using a CSR

You would first need to generate a CSR. Once you have done that, continue with the procedure mentioned below.

Console

  1. In the Google Cloud Console, go to the Certificate Authority Service page.

    Go to Certificate Authority Service

  2. Find your CA under the CA Manager tab.

  3. Click the name of the CA you want to issue from.

  4. On the bottom of the CA details page, click Request a certificate.

  5. If you want to use a certificate template, select a template from the dropdown. For more information see Certificate templates.

  6. Click Provide CSR.

  7. Optionally, you can overwrite the automatically generated Certificate name.

  8. Optionally, you can configure validity period for certificate.

  9. Copy and paste your CSR to the Certificate CSR box or upload your CSR using the Browse button.

  10. Click Upload CSR.

  11. Click Next.

  12. Click Download Certificate or copy the certificate chain using the copy icon.

  13. Click Done.

gcloud

gcloud privateca certificates create CERT_NAME \
     --issuer-pool POOL_ID \
     --csr CSR_FILENAME \
     --cert-output-file CERT_FILENAME \
     --validity "P30D"

Using an auto-generated key

Console

You can use Google Cloud Console to generate client or server TLS certificates.

  1. In the Google Cloud Console, go to the Certificate Authority Service page.

    Go to Certificate Authority Service

  2. Find your CA under the CA Manager tab.

  3. Click the name of the CA you want to issue from.

  4. On the bottom of the CA details page, click Request a certificate.

  5. If you want to use a certificate template, select a template from the dropdown. For more information see Certificate templates.

  6. Navigate to Request Certificate tab.

  7. Click Enter details.

  8. Under Enter details:

    1. Keep the auto-generated Certificate name, or choose a different unique name.
    2. Under Add domain name, click Add Item.
    3. Enter a domain-name into the FQDN field.
    4. Check Server TLS and/or Client TLS depending on your use-case.
    5. Click Next.
  9. Under Configure key size and algorithm:

    1. Keep the default algorithm, or choose a different one from the drop down. A new asymmetric key-pair is generated using the selected algorithm. For more information on which key algorithm to use, see Key Sizes and Algorithms.
    2. Click Continue.
  10. Under Download signed certificate:

    1. Select Download Certificate Chain to download the PEM-encoded certificate chain.
    2. Select Download Private Key to download the associated PEM-encoded private key.
    3. Click Done.

gcloud

To use auto-generated key functionality, you need to install the Python Cryptographic Authority (PyCA) library. Please follow the Cloud KMS instructions here to do so.

gcloud privateca certificates create \
  --issuer-pool POOL_ID \
  --generate-key \
  --key-output-file KEY_FILENAME \
  --cert-output-file CERT_FILENAME \
  --dns-san "DNS_NAME" \
  --use-preset-profile "leaf-server-tls"

Where:

  • POOL_ID is the unique identifier of the CA pool.
  • --generate-key flag generates a new RSA-2048 private key on your machine.
  • --key-output-file flag specifies the path where the generated private key file is written (in PEM format).
  • --cert-output-file flag specifies the path where the resulting PEM-encoded certificate chain file is written (ordered from end-entity to root).
  • --dns-san flag specifies one or more comma-separated DNS SANs.
  • --use-preset-profile flag specifies the certificate profile. For more information about certificate profiles, see Certificate profiles.

For more information about the gcloud privateca certificates create command, see gcloud privateca certificates create.

Performing common operations with certificates

This section describes how you can perform certain common operations with certificates.

Issue a certificate from a specific CA in a CA pool

gcloud

To target a specific CA in the CA pool for certificate issuance, add the --ca flag with the CA_ID of the CA that must issue the certificate.

gcloud privateca certificates create \
  --issuer-pool POOL_ID \
  --ca CA_ID \
  --generate-key \
  --key-output-file KEY_FILENAME \
  --cert-output-file CERT_FILENAME \
  --dns-san "DNS_NAME" \
  --use-preset-profile "leaf-server-tls"

Console

The Google Cloud Console only supports certificate issuance from a particular CA. Use the instructions in the Use an Autogenerated Key section or the Use a CSR section to choose the CA that must issue the certificate.

View issued certificates

Console

  1. In the Google Cloud Console, go to the Certificate Authority Service page.

    Go to Certificate Authority Service

  2. Pick your target CA under the CA Manager tab.

  3. Click the CA name

  4. On the bottom of the CA details page, click the View Issued Certificates button to see the list of issued certificates. A custom view with the specified CA and Pool IDs will be displayed.

gcloud

To list all certificates issued by a particular CA in a CA pool, use the following gcloud command:

gcloud privateca certificates list --issuer-pool ISSUER_POOL --ca CA_NAME

For more information about the gcloud privateca certificates list command, see gcloud privateca certificates list.

To list all certificates across all CAs in a given location, use the following gcloud command:

gcloud privateca certificates list --location LOCATION

View details for a single certificate

Console

  1. In the Google Cloud Console, go to the Certificate Authority Service page.

    Go to Certificate Authority Service

  2. Pick your target CA under the CA Manager tab.

  3. Click the CA name.

  4. On the bottom of the CA details page, click View issued certificates to see the list of issued certificates. A custom view with the specified CA and Pool IDs is displayed.

  5. Pick a specific certificate and select the ellipse icon.

  6. Click Download Certificate.

gcloud

To show the full description of a certificate, use the following gcloud command:

gcloud privateca certificates describe CERT_NAME \
    --issuer-pool POOL_ID

For more information about the gcloud privateca certificates describe command, see gcloud privateca certificates describe.

To export the PEM-encoded X.509 certificate chain and to a file, use the following gcloud command:

gcloud privateca certificates export CERT_NAME \
    --issuer-pool POOL_ID \
    --include-chain \
    --output-file certificate-file

For more information about the gcloud privateca certificates export command, see gcloud privateca certificates export.

Reference

Proof-of-possession for certificates

Proof-of-possession of the private key ensures that the requester of a certificate holds the private key for that certificate. Currently, CA Service checks proof-of-possession only if the requester provides a PKCS #10 CSR according to RFC 2986. Proof-of-possession for other forms of certificate requests, such as requests by CertificateConfig is not enforced.

It is the responsibility of client applications that accept certificates to validate if the certificate holder possesses the private key of that certificate. Enforcing proof-of-possession checks during certificate issuance is a form of defense-in-depth to protect again misbehaving clients. The existence of such clients, regardless of whether proof-of-possession is checked by the CA, could constitute a security vulnerability.

What's next