Requesting certificates

This topic describes how you can request a certificate from Certificate Authority Service, as well as how you can view issued certificates.

Managing certificates

There are two ways to request a certificate from Certificate Authority Service:

  1. Generate your own key pair and submit a Certificate Signing Request (CSR) signed with it.
  2. Have CA Service generate the key pair for you.

Using a CSR

You first need to generate a CSR. Once you have one, continue with the procedure below.

Console

  1. In the Google Cloud Console, go to the Certificate Authority Service page.

    Go to Certificate Authority Service

  2. Find your CA under CAs.

  3. Navigate to the Request Certificate tab.

  4. Select Provide CSR.

  5. Optionally, override the automatically generated Certificate name.

  6. Optionally, configure the validity period for the certificate.

  7. Paste your CSR into the Certificate CSR box or upload your CSR using the Browse button.

  8. Select Upload CSR.

  9. Select Next.

  10. Select Download Certificate or copy the certificate chain using the copy icon.

  11. Select Done.

gcloud

gcloud beta privateca certificates create CERT_NAME \
     --issuer CA_NAME \
     --csr CSR_FILENAME \
     --cert-output-file CERT_FILENAME \
     --validity "P30D"
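The page does not show how the CSR is produced. The following script, added here as an example and not taken from the CA Service documentation, generates a P-256 private key and a PKCS #10 CSR with OpenSSL, checks the CSR locally before sending it, and then wraps the gcloud command above. The output directory, the DNS name and the `request-csr.sh` file name are assumptions; the key never leaves the machine, only the CSR does.

```shell
#!/bin/sh
# Added example (not from the CA Service documentation): generate a P-256
# private key and a PKCS #10 CSR with OpenSSL, check the CSR locally, then
# submit it with the gcloud command shown above. The directory name and the
# DNS name used below are illustrative assumptions.
set -eu

# Create key.pem and csr.pem in DIR for a server certificate whose CN and
# subjectAltName are DNS. The key stays on this machine; only the CSR leaves.
make_key_and_csr() {
    dir=$1; dns=$2
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
        -keyout "$dir/key.pem" -out "$dir/csr.pem" \
        -subj "/CN=$dns" -addext "subjectAltName=DNS:$dns" 2>/dev/null
    chmod 600 "$dir/key.pem"
}

# Verify the CSR's self-signature: the same proof-of-possession check the CA
# performs on a PKCS #10 request. Fails if the CSR was altered after signing
# or was signed by a key other than the one it carries.
verify_csr() {
    openssl req -in "$1" -verify -noout 2>/dev/null
}

# Print the DNS SANs the CSR asks for, one per line, to review before submitting.
csr_dns_sans() {
    openssl req -in "$1" -noout -text \
        | grep -o 'DNS:[^,[:space:]]*' | sed 's/^DNS://'
}

# Submit the CSR to CA Service (needs gcloud, an existing CA and network access).
request_cert() {
    cert_name=$1; ca_name=$2; csr=$3; out=$4
    gcloud beta privateca certificates create "$cert_name" \
        --issuer "$ca_name" \
        --csr "$csr" \
        --cert-output-file "$out" \
        --validity "P30D"
}

# Usage: sh request-csr.sh CERT_NAME CA_NAME DNS_NAME
if [ $# -eq 3 ]; then
    mkdir -p out
    make_key_and_csr out "$3"
    verify_csr out/csr.pem
    echo "CSR requests SAN(s):"; csr_dns_sans out/csr.pem
    request_cert "$1" "$2" out/csr.pem out/cert.pem
fi
```

Reviewing the SANs before submission matters because CA Service issues whatever names the CA's policy allows; a CSR that asks for more names than the service needs is an easy thing to catch on the client side.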

Use an auto-generated key

Console

Google Cloud Console can be used to generate client or server TLS certificates.

  1. In the Google Cloud Console, go to the Certificate Authority Service page.

    Go to Certificate Authority Service

  2. Find your CA under CAs.

  3. Navigate to Request Certificate tab.

  4. Select the Enter Details button.

  5. Under Enter details:

    1. Keep the auto-generated Certificate name, or choose a different unique name.
    2. Select the Add Item button under Add domain name.
    3. Enter a domain name into the FQDN field.
    4. Check Server TLS and/or Client TLS depending on your use case.
    5. Select the Next button.
  6. Under Configure key size and algorithm:

    1. Keep the default algorithm, or choose a different one from the drop down. A new asymmetric key-pair will be generated using the selected algorithm.
    2. Select the Continue button.
  7. Under Download signed certificate:

    1. Select Download Certificate Chain to download the PEM-encoded certificate chain.
    2. Select Download Private Key to download the associated PEM-encoded private key.
    3. Select the Done button.

gcloud

To use the auto-generated key functionality, the gcloud CLI needs the Python Cryptographic Authority (PyCA) `cryptography` library. Follow the installation instructions in the Cloud KMS documentation to install it.

gcloud beta privateca certificates create \
  --issuer CA_NAME \
  --generate-key \
  --key-output-file KEY_FILENAME \
  --cert-output-file CERT_FILENAME \
  --dns-san "DNS_NAME" \
  --reusable-config "leaf-server-tls"

View issued certificates

Console

  1. In the Google Cloud Console, go to the Certificate Authority Service page.

    Go to Certificate Authority Service

  2. Pick your target CA under CAs.

  3. Navigate to Issued Certificates. You will see a list of issued certificates.

gcloud

To list all certificates issued by a CA:

gcloud beta privateca certificates list --issuer CA_NAME

To list all certificates across all CAs in a given location:

gcloud beta privateca certificates list --location LOCATION

To list all certificates in the current project:

gcloud beta privateca certificates list

View details for a single certificate

Console

  1. In the Google Cloud Console, go to the Certificate Authority Service page.

    Go to Certificate Authority Service

  2. Pick your target CA under CAs.

  3. Navigate to Issued Certificates. You will see a list of issued certificates.

  4. Pick a specific certificate and select the ellipsis icon.

  5. Select Download Certificate.

gcloud

To show the full description of a certificate:

gcloud beta privateca certificates describe CERT_NAME \
    --issuer CA_NAME

To export the PEM-encoded X.509 certificate chain to a file:

gcloud beta privateca certificates export CERT_NAME \
    --issuer CA_NAME \
    --include-chain \
    --output-file CERT_FILENAME

Reference

Proof-of-possession for certificates

Proof-of-possession of the private key ensures that the requester of a certificate holds the private key corresponding to the public key in that certificate. Currently, CA Service checks proof-of-possession only if the requester provides a PKCS #10 CSR as defined in RFC 2986, where the check is the CSR's self-signature. Proof-of-possession for other forms of certificate requests, such as requests that specify a CertificateConfig, is not enforced.

It is the responsibility of client applications that accept certificates to validate that the certificate holder possesses the private key of that certificate. Enforcing proof-of-possession checks during certificate issuance is a form of defense in depth that protects against misbehaving clients. The existence of such clients, regardless of whether proof-of-possession is checked by the CA, could constitute a security vulnerability.
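To make the proof-of-possession rule and the post-issuance checks concrete, the following script is added here as an example; it is not from the CA Service documentation. It stands in for CA Service with a throwaway local OpenSSL CA so that it runs offline: the local issuer signs a PKCS #10 request only if the request's self-signature verifies, which is the check the text describes, and the two check functions are what an operator should run on a certificate downloaded or exported as in the sections above (does the certificate carry the public half of the key we hold, and does it chain to the CA we trust). All file and DNS names are assumptions.

```shell
#!/bin/sh
# Added example, not from the CA Service documentation. A throwaway local
# OpenSSL CA stands in for a CA Service CA so the script runs offline. The
# local "issuer" applies the rule described in the text (sign only a PKCS #10
# request whose self-signature verifies); the check functions are what to run
# on a downloaded certificate and key. All file names are assumptions.
set -eu

# Throwaway root CA (constructed stand-in for a CA Service CA, not for production)
make_local_ca() {
    dir=$1
    printf '[req]\ndistinguished_name=dn\n[dn]\n[ca]\nbasicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' \
        > "$dir/ca.cnf"
    openssl req -x509 -new -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
        -config "$dir/ca.cnf" -extensions ca -days 365 \
        -subj "/CN=Local Test Root" \
        -keyout "$dir/ca-key.pem" -out "$dir/ca.pem" 2>/dev/null
}

# Private key and CSR for a leaf: the CSR carries NAME's public key and is
# self-signed with the matching private key.
make_key_and_csr() {
    dir=$1; name=$2; dns=$3
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
        -keyout "$dir/$name-key.pem" -out "$dir/$name.csr" \
        -subj "/CN=$dns" -addext "subjectAltName=DNS:$dns" 2>/dev/null
}

# Issue a 30-day leaf for DNS from CSR, but only after the CSR's self-signature
# verifies: this is the proof-of-possession check. Returns 1 otherwise.
issue_leaf() {
    dir=$1; csr=$2; dns=$3; out=$4
    openssl req -in "$csr" -verify -noout 2>/dev/null || return 1
    printf 'subjectAltName=DNS:%s\n' "$dns" > "$dir/leaf.ext"
    openssl x509 -req -in "$csr" -CA "$dir/ca.pem" -CAkey "$dir/ca-key.pem" \
        -CAcreateserial -days 30 -extfile "$dir/leaf.ext" -out "$out" 2>/dev/null
}

# The issued certificate must carry the public half of the key we hold:
# compare the SubjectPublicKeyInfo taken from the certificate and from the key.
cert_matches_key() {
    from_cert=$(openssl x509 -in "$1" -noout -pubkey)
    from_key=$(openssl pkey -in "$2" -pubout)
    [ "$from_cert" = "$from_key" ]
}

# The leaf must chain to the CA we trust. With CA Service the exported chain
# carries the issuing CA; here ca.pem plays that role.
chain_verifies() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Usage: sh pop-check.sh demo
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    make_local_ca "$d"
    make_key_and_csr "$d" app app.example.internal
    issue_leaf "$d" "$d/app.csr" app.example.internal "$d/app.pem"
    if cert_matches_key "$d/app.pem" "$d/app-key.pem"; then echo "key matches cert"; else echo "KEY MISMATCH"; exit 1; fi
    if chain_verifies "$d/ca.pem" "$d/app.pem"; then echo "chain verifies"; else echo "CHAIN INVALID"; exit 1; fi
    rm -rf "$d"
fi
```

Note what the public-key comparison does and does not prove: it confirms that the file you downloaded belongs to the key you generated, which catches a mix-up between two requests; it does not replace the TLS handshake, where the peer proves possession of the private key to the relying party at connection time, which is the client-side responsibility the text describes.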
